NUREG/CR-4050, Forwards NUREG/CR-4050,NRC Review of Facility PRA Study & Evaluation of Unisolated LOCA Outside Drywell in Shoreham Nuclear Power Station. No Safety Issue Identified Needing Immediate Action
| ML20195C881 | |
| Person / Time | |
|---|---|
| Site: | Shoreham File:Long Island Lighting Company icon.png |
| Issue date: | 05/23/1986 |
| From: | Caruso R Office of Nuclear Reactor Regulation |
| To: | Leonard J LONG ISLAND LIGHTING CO. |
| References | |
| RTR-NUREG-CR-4050 NUDOCS 8605300674 | |
| Download: ML20195C881 (26) | |
Text
{{#Wiki_filter:/ %,t
~
UNITED STATES E NUCLEAR REGULATORY COMMISSION
- h. , WASHINGTON, D. C. 20555 l
..... ItAY 2 31986 Docket No. 50-322 Mr. John D. Leonard, Jr.
Vice President - Nuclear Operations Long Island Lighting Company Shoreham Nuclear Power Station P.O. Box 618 Wading River, New York 11792
Dear Mr. Leonard:
SUBJECT:
PROBABILISTIC RISK ASSESSMENT - SHOREHAM NUCLEAR POWER STATICN The NRC staff and its contractor, the Brookhaven National Laboratory (BNL), have completed their review of the probabilistic risk assessment (PRA) study s for the Shoreham Nuclear Power Station. The Shoreham PRA study considers only internal events (including internal flooding but excluding fires), and does not consider external events such as earthquakes. An ex-plant consecuences analysis has not yet been submitted, but it will be evaluated when it is received. The " front-end" of the PRA study, which generates the frequency of core-melt events, was reviewed by the staff with technical assistance from BNL. The "back-end" of the PRA study, which concerns the containment failure and radio-nuclide release analysis, is also being reviewed by the staff and BNL. The Shoreham PRA estimated a " core-vulnerable" frequency instead of a core melt frequency, or a severe core damage frequency. Some unspecified fraction of " core-vulnerable" events could be arrested before core melt occurred. However, no estimate of this fraction is given, and it appears difficult to estimate. The staff equates a " core-vulnerable" frequency to severe core damage frequency. The total severe core damage freg ency at Shoreham estimated by you in the Shoreham PRA study is about 5x10 / reactor-year. The NRC staff estimate, based on BNL analyses, is about 1.4x10 / reactor-year.
. The dominant accident sequences (those of high severe core damage frequency or of high consequences) are:
(1) Anticipated Transients Without Scram (ATWS) Sequences ATWS sequences at Shoreham are estimated by BNL to contribute significantly to the total severe core damage frequency (about 33%). The reasons are discussed in Enclosure 1. However, we believe that the implementation of the ATWS rule requirements and the revision of the ATWS procedures would reduce the severe core damage frequency due to ATWS events. (2) Unisolated Loss of Coolant Accidents (LOCAs) in the Reactor Building BNL estimates that the severe core damage frequency due to high-energy line reaks (HELBs) or interfacing LOCAs in the reactor building is about 2x10~g/ reactor-year.The consequences of these events are estimated to be high because there is a bypass of the containment. 8605300674 DR 860523 p ADOCK 05000322 PDR w___ _
[ - , 4 . (3) Loss of Offsite Power-(LOOP) Sequences . re core damage frequency due to LOOP sequences BNL estimates that the ham is about sevg/ reactor-year. The LILC0 estimate is about 3x10-at Shorg/ 1.1x10- reactor-year. However, with the installation of additional qualified diesel generators, there would be a smaller contribution to I the overall severe core damage frequency due to LOOP events. Station blackout events are also being addressed a part of the ongoing work related to Unresolved Generic Issue (USI) A-44, " Station Blackout." 4 (4) Flooding Sequences
; The mean value of the severe core damage frequency _ of accidents initiated ,
j- .by flooding 51nthereactorbuildingatShorehamisestimatedgyBNLtobe j about 2x10 / reactor-year. The LILC0 estimate is about 4x10 / reactor-year.
+
Based on our review, we identified some potential deficiencies in the Shoreham alarm response procedure for mitigating a flood. The resolution
! of this issue has been discussed in r.revious letters to you, and is further ; discussed in Enclosure 1.
l (5) Reactor' Water Level Instrumentation Failure Sequences ; BNL estimates that reactor water level instrumentation failure contributes 1
; about 1.2x10-5/ reactor-year to th total severe core damage frequency.
l TheLILC0estimateisabout4x10g/ reactor-year. We note that Shoreham is adding new level transmitters to the existing system and modifying the l power supplies for initiation of ECC. systems. With these changes, there , 4 would.be a smaller contribution to the overall severe core damage frequency due to reactor water level instrumentation failure. The adequacy of the i Shoreham reactor water level instrumention is also being evaluated as -part of Generic Issue 50, " Reactor Vessel Level Instrumentation in BWRs". I Based on our review findings, we have not identified any safety issue that needs
- immediate action. Our overall impression is that the Shoreham PRA study is a
! good and comprehensive piece of work within its stated scope. . 7 4 ! With respect to the Shoreham containment response and radionuclide release j analyses, BNL has completed a preliminary review and submitted it to the NRC l staff. The BNL final review is. expected to be completed soon. The scope of j the final back-end review is discussed in Enclosure 1. l
- l. Sincerely, R ru P oject Manager ..
l BWR Project Directorate No. 4 l Division of BWR Licensing.
Enclosures:
i
- 1. Final Review of Shoreham PRA Study DISTRIBUTION
, 2. "A Review of the Shoreham Nuclear Power DocketLFileR
~"
M0'Brien
! Station Probabilistic Risk Assessm.e.nt,"- NRC POR RCaruso
- j. BNL,' June 1985 'LPDR RLo
- 3. "An Evaluation of Unisolated LOCA Outside PDf4 Rdg. ACRS (10) ;
the Drywell in the Shoreham Nuclear Power RBernero Station," BNL, June 1985 Bordenick,0 ELD JPartlow
)
cc: See next page i BGrimes PD PM PD#4 PD#4/D p EJ6rdan RC o:lb RLo WButler 05 /86 05/Q 86- 05/1,7 86
~ . - - . - . . . . . - - . -_. - ,- . .- - . - - -
V i ; l (3) Loss of Offsite Power (LOOP) Sequences '
- re core damage frequency due to LOOP sequences
! BNLestimatesthatthesevg/ ham is about 3x10- reactor-year. The LILC0 estimate is about atShorg/ 1.1x10- reactor-year.- However, with the. installation of additional
- qualified diesel generators, there would be a smaller contribution to
- the overall severe core damage frequency due to LOOP events. Station i blackout events are also being addressed a part of the ongoing work i
related to Unresolved Generic Issue (USI) A-44, " Station Blackout." ' (4) Flooding Sequences
, The mean value of the severe core damage frequency of accidents initiated
- by flooding 5inthereactorbuildingatShorehamisestimatedgyBNLtobe
, about 2x10 / reactor-year. The LILC0 estimate is about 4x10 / reactor-year. Based on our review, we identified some potential deficiencies in the i Shoreham alarm response procedure for mitigating a flood. The resolution of this issue has been discussed in previous letters to you, and is further discussed in Enclosure 1. i (5) Reactor Water Level Instrumentation Failure Sequences , BNL estimates that reactor water level instrumentation failure contributes about 1.2x10-5/ reactor-year to.th total severe core damage-frequency. 4 TheLILCOestimateisabout4x10-g/ reactor-year. We note that Shoreham i is adding new level transmitters to the existing system and modifying the . j power supplies for initiation of ECC systems. With these changes, there would be a smaller contribution to the overall severe core damage frequency j due to reactor water level instrumentation failure. T.he adequacy of the
- Shoreham reactor water level instrumention is also being evaluated as part of Generic Issue 50, " Reactor Vessel Level Instrumentation in BWRs".
- Based on our review findings, we have not identified any safety issue that needs immediate action. Our overall impression is that the Shoreham PRA study is a
+ good and comprehensive piece of work within its stated scope. l With respect to.the Shoreham containment response and radionuclide release
- analyses, BNL has completed a preliminary review and submi_tted it to the NRC i staff. The BNL final review is expected to be completed soon. The scope of the final back-end review is discussed in Enclosure 1.
l Si e l R. Caruso, Project Manager i BWR Project Directorate No. 4 j Division of BWR Licensing l -
Enclosures:
- 1. Final Review of Shoreham PRA Study )
j 2. "A Review of the Shoreham Nuclear Power ! Station Probabilistic Risk Assessment," 1 ! BNL, June 1985 - ! 3. "An Evaluation of Unisolated LOCA Outside ! the Drywell in the.Shoreham Nuclear Power Station," BNL, June 1985 cc: See next page .
Mr. John D. Leonard, Jr. Shoreham Nuclear Power Station Long Island Lighting Company (list 1) cc: Stephen B. Latham, Esq. Gerald C. Crotty, Esq. John F. Shea, III, Esq. Ben Wiles, Esq. Twomey, Latham & Shea Counsel to the Governor Attorneys at Law Executive Chamber Post Office Box 398 State Capitol 33 West Second Street Albany, New York 12224 Riverhead, New York 11901 Herbert H. Brown, Esq. Alan S. Rosenthal, Esq., Chairman Lawrence Coe Lanpher, Esq. Atomic Safety & Licensing Appeal Board Karla J. Letsche, Esq. U.S. Nuclear Regulatory Commission Kirkpatrick & Lockhart Washington, D.C. 20555 1900 M Street, NW - 8th Floor Washington, D.C. 20036 W. Taylor Reveley, III, Esq. - Hunton & Williams Dr. Monroe Schneider 707 East Main Street North Shore Committee Post Office Box 1535 Post Office Box 231 Richmond, Virginia 23212 Wading River, New York 11792 Howard A. Wilber Fabian G. Palomino, Esq. Atomic Safety & Licensing Appeal Board Special Counsel.to the Governor U.S. Nuclear Regulatory Comission Executive Chamber - State Capitol ~ Washington, D.C. 20555 Albany, New York 12224 Atomic Safety & Licensing Board Panel Anthony F. Earley, Jr. , Esq. U.S. Nuclear Regulatory Commission General Counsel Washington, D.C. 20555 Long Island Lighting Company 175 East Old County Road Atomic Safety & Licensing Appeal Board Hicksville, New York 11801 Panel U.S. Nuclear Regulatory Comission Mr. Lawrence Britt Washington, D.C. 20555 Shoreham Nuclear Power Station Post Office Box 618 Gary J. Edles, Esq. Wading River, New York 11792 Atomic Safety & Licensing Appeal Board U.S. Nuclear Regulatory Comission Martin Bradley Ashare, Esq. Washington, D.C. 20555 Suffolk County Attorney H. Lee Dennison Building Richard M. Kessel Veteran's Memorial Highway Chairman & Executive Director Hauppauge, New York 11788 New York State Consumer Protection Board i Room 1725 Resident Inspector 250 Broadway Shoreham NPS New York, New York 10007 U.S. Nuclear Regulatory Comission Post Office Box B Jonathan D. Feinberg, Esq. Rocky Point, New York 11778 New York State Department of Public Service Regional Administrator, Region I l Three Empire State Plaza U.S. Nuclear Regulatory Comission -! Albany, New York 12223 631 Park Avenue l King of Prussia, Pennsylvania 19406 i
. - - ~~ - . = ,
u Shoreham (1) cc: i Robert Abrams, Esq. Mr. Francis J. Gluchowski Attorney General of the State Assistant Town Attorney of New York Town of Brookhaven ATTN: Peter Bienstock, Esq. Department of Law Department of Law 475 East Main Street State of New York Patchogue, New York 11772 ' Two World Trade Center Room 46-14 l New York, New York 10047 Mr. William Steiger j Plant Manager Shoreham Nuclear Power Station Post Office Box 628 Wading River, New York 11792 MHB Technical Associates 1723 Hamilton Aenue - Suite K l San Jose, California 95125 Honorable Peter Cohalan
; Suffolk County Executive , County Executive / Legislative Building Veteran's Memorial Highway
- Hauppauge, New York 11788 Mr. Jay Dunkleberger New York State Energy Office Agency Building 2 Empire State Plaza Albany, New York 12223
, Ms. Nora Bredes Shoreham Opponents Coalition , 195 East Main Street i Smithtown, New York 11787
- Chris Nolin New York State Assembly Energy Committee 626 Legislative Office Building Albany, New York 12248 Peter S. Everett, Esq.
l Hunton & Williams l 2000 Pennsylvania Avenue, NW l Washington, D.C. 20036 ) S
f Enclosure 1 NRC Staff Review of Shoreham PRA Study
Background
By letter dated June 24, 1983, the Long Island Lighting Company (LILCO)
; submitted to the NRC a probabilistic risk assessment (PRA) study of Shoreham I Nuclear Power Station. The PRA was a self-motivated undertaking by LILC0 which was intended to provide basic data to LILCo management concerning the
, plant response to accidents beyond the normal design basis. The PRA was submitted for staff review as a result of a commitment made by LILC0 during the Shoreham operating license hearings. , Sumary of Results The Shoreham PRA estimates that the total severe core damage frequency at Shoreham is about 5x10-5/ reactor-year. Strictly speaking, the Shoreham PRA estimated a " core-vulnerable" frequency, not a severe core damage frequency. j Some unspecified fraction of " core-vulnerable" events could be arrested before l core melt occurred. However, no estimate of this fraction is given, and it appears difficult to estimate. The staff has equated " core-vulnerable" frequency to severe core damage frequency. The estimate of severe core damage frequency from the staffs contractor, Brookhaven National Laboratory (BNL), is 1.4x10~4/ reactor-year. A comparison of LILCO and BNL estimates for the severe
- core damage frequencies due to var.ious events is as follows
i LILCO BNL f Anticipated Transients 33%* 32% ). Without Scram (ATWS) Loss of Offsite Power 20% 21% Transients 24% 16%
~
i Flooding 7% 14% l l .
2-LILCO BNL Reactor Water Level 7% 9% Instrumentation Failure Loss of Coolant Accident 4% 1% (LOCA) Inside Containment Total Severe Core Damage Frequency 5.5x10-5/RY 1.4x10-4/RY In addition, BNL has estimated that the severe core damage frequency due to high-energy line breaks (HELBs) or interfacing LOCAs in the reactor building is about 2x10-7/ reactor-year. The consequences of a core damage due to a HELB or an interfacing LOCA are estimated to be high because there is a bypass of containment. i ] There are several conservatisms in the BNL analysis of ATWS events. For example, the BNL analysis did not include the implementation of the automatic depressuriza-tion system (ADS) manual inhibit switch. In addition, the BNL analysis did not consider that LILC0 would increase the capacity of standby liquid. control system (SLCS) from 43 gpm to an equivalent of 86 gpm, in accordance with the ATWS rule, If these considerations are included in the BNL analysis, the contribution of ATWS events to the total severe core damage frequency would be lower. Internal Event Review The severe core damage sequences in the Shoreham PRA study were divided into five classes, depending on the timing relationship between the onset of core damage and the onset of containment failure: l (1) Class I sequences involve a loss of coolant makeup to the reactor core where core damage occurs before the containment fails.
* "i4 ~'
- -_.----g- yw _.. ww w --
g 'w # ~
i (2) Class II sequences involve sequences where long-term heat removal of the containment is lost and the containment fails before core damage occurs. (3) Class III sequences involve severe core damage sequences due to LOCAs in the containment. (4) Class IV sequences involve severe core damage sequences due to ATWS initiators. (5) Class V sequences involve LOCA sequences outside the containment with bypass of the containment. LILC0 estimates that the total severe core damage frequency due to accident sequences at Shoreham is about 5.5x10-5/ reactor-year. LILC0 estimates that Class I (loss of core makeup) sequences contribute about 58% to the total severe core damage frequency, Class II (loss of containment heat removal) sequences contribute about 15% to the total frequency, and Class IV (ATWS) sequences contribute about 25% to the total frequency. In comparison with the LILC0 estimates, BNL estimates that Class I, II, and IV sequences contribute about 59%, 9% and 32% to the total frequency, respectively. A discussion of the dominant accident sequences follows. Loss of Offsite Power Events (LOOP) l Loop events are important accident initiators because they may be followed by subsequent failures of the emergency diesel generators, thus leading to station blackout sequences. The staff has noted that the high-pressure makeup systems
at Shoreham, such as the high-pressure coolant injection (HPCI) system, the reactor core isolation cooling (RCIC) system, and the Automatic Depressurization System (ADS), require DC power, and the low-pressure makeup systems such as the low-pressure coolant injection (LPCI) system and low-pressure core spray (LPCS) system also require AC power. In addition, operation of the drywell coolers also requires AC power. The Shoreham PRA study estimates that the severe core damage frequency due to a LOOP event is about 1.1x10-5/ reactor-year, which is about 20% of the total severe core damage frequency. The BNL estimate is about 3.0x10-5/ reactor-year. The difference between the two estimates is due to the following considerations. (1) The Shoreham PRA study estimates that the LOOP event frequency is 0.08/ reactor-year. This estimate was based on the LOOP events _ occurring in fossil plants from 1965 to 1981. The estimate was obtained by dividing five LOOP events (four actual events plus one hypothesized incipient event) by 61.5 plan't-years. BNL used the nuclear plant data on LOOP events recently published in NSAC-80, " Loss of Offsite Power at U. S. Nuclear Power Plants Through 1983," July, 1984. Using this data base and assuming that a plant taken randomly from the Northeast Power Coordin-ating Council is representative of the Shoreham plant, BNL estimates a LOOP event frequency at Shoreham of 0.15/ reactor-year. The staff believes the BNL estimate is more appropriate. However, we ' note that NUREG-1032 (draft report for comment) " Evaluation of Station Blackout Accident at Nuclear Power Plants," May 1985, gives estimates of the frequency of losses of . O
offsite power exceeding a given number of hours which are comparable to, and somewhat lower than, those used in the Shoreham PRA, for all times less than about 13 hours. (2) In comparison with the Shoreham PRA study, BNL used higher failure probabilities for the station batteries for the later time portions of the accident sequences (4 hours from the beginning of the accident).
- BNL noted that the batteries were sized to provide DC power for 2 hours. l Additional time can be obtained only if operators are successful in removing a sufficient number of loads from the DC buses. Therefore,
! BNL used higher failure probabilities for the batteries between 4 and 10 hours and assumed that the batteries are unavailable after i0 hours. The Shoreham PRA study assumed that the batteries would last 24 hours to provide control power for HPCI and RCIC. (3) BNL identified a significant contribution from a LOOP sequence which was underestimated in the Shoreham PRA study. This sequence assumes that during a LOOP event, offsite power is not recovered in 15 hours from the beginning of the event and the residual heat removal (RHR) system is lost , between 15 hours and 18 hours (the dominant failure mode of RHR is a common-mode failure-to-run of the diesels). This sequence, which con-tributes about 1.4x10-6/ reactor-year to the total severe core damage ' frequency, is one of the most important sequences in Class II (long-term containment heat removal failure) events.
. - - . . - - __ _ y, v--- e ,,
(4) BNL noted that during a LOOP event in which two diesel generators are unavailable, the reactor water level readings are lost in the control recm because the level indications are not powered by DC sources. Even > though HPCI ard RCIC may be initiated, because they have DC backup power supplies, an operator would have difficulty following procedures and controlling the HPCI flow rate without level indication. Loss of level indication toge'ther with an operator failure to keep the core covered may lead to a severe core damage state. BNL estimates that this sequence contributes about.1x10-5/ reactor-year to the total severe core damage frequency. BNL believes that this sequence has the highest frequency among the Class I (loss of core makeup) sequences. The staff believes that LILCO did not appropriately model this sequence in the PRA study. Finally, we believe that there is some conservatism in the BNL Analysis of LOOP events for the following _ reasons: (1) The diesel generator data used in the Shoreham and BNL analyses is based on generic data originating from the licensee event reports (LERs) given in NUREG-CR-1362, " Data Summaries of Licensee Event Departed Diesel Generators ad U. S. Commerical Nuclear Power Plants," March 1980. As a result of problems with the TDI diesel generators at Shoreham, LILC0 is in::talling additional, permanent, qualified diesel generators manufactured l
~
by a different vendor. A 20 MW Pratt and Whitney gas turbine with black start capability and four temporary mobile 2.5 MW EMD diesel generators are also on site.' If these power sources, and the TDI diesel generators, 1 1
l i remain after the new diesel generators are installed, there would be considerably more redundancy of power sources, and there would be a smaller contribution to the overall severe core damage frequency due to LOOP events. The susceptibility of Shoreham to a station blackout is also being addressed in the ongoing work related to Unresolved Generic Issue (USI) A-44, " Station Blackout." ATWS Events Operator actions are extremely important in mitigating ATWS events. The most important operator actions include: (1) Reduction of the core water level in order to reduce the reactor power. At the same time, the operator must provide adequate makeup to the core to prevent core damage. (2) Actuation of the standby liquid control system (SLCS) because the system is not automatically initiated. (3) Maintaining the suppression pool temperature by initiating RHR suppression pool cooling. (4) Preventing ADS and LPCI/LPCS from actuating because the cold water f.om the LPCI/LPCS may dilute the boron concentration in the reactor and add reactivity to the core. In order to do this, the operator may have to use the ADS manual inhibit switch to prevent actuations of ADS. I I 9
Different ATWS event trees are developed for such different initiators as a turbine trip with bypass event, a loss of feedwater event, a loss of main condenser event, and a main steam isolation valve (MSIV) closure event. Among these initiators, the MSIV closure event is the most severe because the turbine bypass system, which can dissipate 25% of the reactor power, is lost at the beginning of the event. As a result, less reactor heat is removed from the primary system and the times available for operator actions are less. The LILC0 estimate of the severe core damage frequency due to ATWS events is about 1.8x10-5/ reactor-year. The BNL estimate is about 5.9x10-5/ reactor-year . The staff believes that the BNL. estimate of the ATWS severe core damage frequency is conservative forothe following reasons: (1) In order to meet the requirements stated in the new ATWS regulation (10 CFR 50.62), Shoreham is required to upgrade its SLCS capacity'from 43 gpm to the equivalent of 86 gpm. The implementation of this modifi-cation would significantly reduce the ATWS severe core camage frequency. (2) The Shoreham ATWS procedures reviewed by BNL were prepared according to Revision 18 of the Generic Procedure Guidelines which have been reviewed and approved by the staff. The latest Revision 3 of the Generic Precedure Guidelines is an improvement over Revision 18. LILCO nas committed to follow the latest revision of the Generic Procedure Guidelines in the next revision of the ATWS procedures. With the implementation of the revised ATWS procedure, the probability of operator error would be reduced. This would reduce the ATWS severe core damage frequency. , 4 n e
<J r
.g.
(3) The staff believes that there are conservatisms in the success criteria for mitigating ATWS events stated in the Shoreham PRA study. For example, for an ATWS event initiated by a MSIV closure event, the success criteria in the Shoreham PRA study states that having only 1 RHR train operable is unacceptable for suppression pool cooling, thus implying that fuel damage may occur and suppression pool temperature may be excessive. However, the staff believes that it is possible to maintain suppression pool temperature with 1 RHR train and therefore the success criteria in 1 the PRA study may be too conservative. The BNL analysis does not take into account the conservatism in the success criteria. (4) The transient initiator frequencies used in the Shoreham PRA study are mostly based on the data in EPRI Report NP-801, " Anticipated Transients - A Reappraisal," July, 1978. The transient initiator frequencies used in the BNL analysis of ATWS events are based on EPRI Report NP-2230, " Anti-cipated Transients - A Reappraisal," January, 1982, which contains the updated data for BWRs. We note that the data in NP-2230 reflects the fact that most BWR-4 plants use the reactor water level at level 2 to close MSIVs. However, the MSIV closure setpoint at Shoreham has been lowered from level 2 to level 1. If other BWR-4 plants had used level'l for MSIV closure, the initiator frequencies of isolation transients should have been less than the frequencies based on the data in NP-2230. This I is because there is about 8 feet of water between level 1 and level 2 which allows operators more time to prevent an isolation event. There-fore the transient initiator frequencies in the BNL analysis of the ATWS events appear to be conservative.
~ .
i (5) In response to the requirement stated in NUREG-0737, Item II.K.3.18, "Modificatica of ADS Logic - Feasibility for Increased Diversity for Some Ev'ent Sequences," LILC0 has installed a manual switch for inhibiting actuation of ADS in addition to the two minute timer reset switch. Therefore, instead of repeatedly pushing the timer reset button before the timer runs out, the operators can use the manual inhibit switch to prevent tgtuation of ADS. We celieve that with the manual ADS inhibit switch svailable, the probability that the gperator will not prevent an automatic ADS actuation during ATWS events is reduced. As a final note, once Shoreham conforms to the requirements stated in the ATWS rule and' increases the SLCS capacity from 43 gpm to an e'quivalent of 86 , gpm, the regulatory analysis of ATWS events for the ATWS rule will be applicable. a In that case, the severe core damage f'requency due to ATWS events at Shoreham would be about 1x10-5/ reactor-year which corresponds to a BWR plant with alternate rod insertion and manual SLCS capacity of 86 gpm. LOCA Outside Containment Two important sets of accident sequences involve LOCAs outside the containment into the reactor building. They are (1) interfacing LOCAs and (2) HPCI/RCIC/
)
reactor water cleanup (RWCU) line breaks. I e
Interfacing LOCAs An interfacing LOCA is a break in a low-pressure piping system due to intrusion of high-pressure primary fluid. The low-pressure systems are generally separated from the primary system by a testable check valve and motor-operated valves (MOVs). If the valves open because of human errors or valve failure, an inter-facing LOCA may occur. The Shoreham PRA study estimates that the severe core
~
damage frequency due to an interfacing LOCA is about 3.7x10-8/ reactor-year. s The ENL analysis estimates that the severe core damage frequency 'due to an interfacing LOCA is about 1.5x10-7/ reactor-year. BNL obtained its estimate as follows: . (1) Using the LER data relating to interfacing LOCA in BWRs, BNL estimated that the frequency of a testable check valve being left in open position i is 2x10-2/ reactor-year. (2) BNL assumed that a MOV may spuriously open with a probability of 1.5x10-4/ reactor-year. (3) BNL assumed that th'e conditional probability of a rupture in a low pressure system due to intrusion of the primary fluid is 10-1 . 1 (4) The failure probability of the condensate system to provide core makeup i was assumed to be 0.5. By multiplying the above probability values together, BNL estimated that the initiating frequency of an interfacing LOCA is about 3x10-7/ reactor-year and the severe core damage frequency is about 1.5x10-7/ reactor-year. A
Two.addititnal considerations may affect the BNL est1 rates of se;ere core damage frequency due to an interfacing LOCA. (1) The BNL analysis gives credit for the use of the condensate system in mitigating the effects of an interfacing LOCA. If the condensate system cannot mitigate a large interfacing LOCA, the severe core damage frequency due to an interfacing LOCA at Shoreham would increase by a fact'or of two. The staff has reviewed the possibility that the safety of water
- f. rom the con.1ensate system might bypass the core and be lost through the break. In the case of a break in the following locations, a partial or complete loss of the condensate system flow might occur:
RHR letdown line RHR/LPCI injection line RWCU line from the reactor coolant system Feedwater line in the reactor building HPCI and RCIC pump discharge line RWCU return to the main feedwater line In the case of other line breaks, the water from the condensate system would provide a significant source of cooling. (2) The BNL analysis assumes that the MOVs which are the isolation valves between the primary system and the low-pressure emergency core cooling (ECC) systems, are stroked during testings only at refueling outages.
i i 1 1 If the American Society of Mechanical Engineers (ASME)/ inservice i inspection (ISI)/ inservice testing (IST) program for Shoreham requires that the MOVs be tested more frequently, then the BNL analysis may be non-conservative. HPCI/RCIC/RWCU Line Break A release of the primary coolant outside the prim?ry containment into the reactor building due to a high-energy line brecs in the HPCI, RCIC, or RWCU system may damage safety systems and components in the reactor building. Two concerns associated with this event were identified during the review: (1) The reacter building at Shoreham is an open annulus and there is little separation between the safety components. (2) The isolation valves in the HPCI/RCIC/RWCU lines may not be able to close under blowdown conditions initiated by a break. The preliminary BNL review of the Shoreham PRA study did not explicitly address the RWCU line break because the RWCU line is 6" in diameter and is much smaller than the HPCI line, which is 10" in diameter. If a WWCU line break were to occur, there would be more time for the operators to take recovery action than there would be for a HPECI break. However, the RWCU line is always open, so the advantage of having a normally closed outboard isolation valve, as is the the case with the HFCI line, is lost. e
For the final analysis, BNL examined other line breaks in the reactor building, in additien to b' eaks r in NPCI. RCIC and RWCU systems. In general, other lines are less than 4" in diameter and there would be greater time for the operator to take recovery action. BNL performed a sensitivity analysis and developed estimates of severe core damage frequencies due to these breaks, assuming that the isolation valves fail to isolate during blowdown conditions (the probability of the valve failing to close in this case would be 1). Our findings are as follows: (i) We estimate that the severe core damage frequency due to HPCI/RCIC line breaks is about 2x10-7/ reactor-year, if the inboard isolation valve fails to isolate. The contribution of the HPCI line break dominates because the RCIC line 1-s only 3" in diameter. The operator has more time' to depres-surize the reactor and recovery is more likely for the RCIC break. (ii) We estimate that the severe core damage frequency due to a RWCU line break is about 2x10 / reactor-year, if all isolation valves in the RWCU line fail to isolate. (iii)The outboard isolation valves in the HPCI/RCIC lines are normally closed at Shoreham, while in most BWRs the outboard isolation valves are open. Moreover, the piping between the two isolation valves at Shoreham is of the " break-exclusion" type, and is 'astimated to have an order of magnitude lower failure probability than other primary piping. The estimate of the severe core damage frequency at Shoreham due to a HPCI line break takes into account these two considerations.
~
(iv) We note that the BNL analysis of the HPCI line break gives credit for . use of the condensate system. The possibility that the break may cause a failure of the ability to use the condensate system was investigated. The only identified dependency was the effect of the steam environment on the motor control centers (MCCs) for valves in the feedwater line; these MCCs are located in the reactor building annulus. However, it was found that these MCCs would very likely not be affected for several reasons. They are at a higher elevation than the HPCI line; they are , on opposite sides of the containment; and they are in enclosed cubicles, and are protected from the environmental conditions in the reactor building. (v) The flow rate of 1000 gpm which would be provided from the condensate storage tank could provide significant mitigation of a large interfacing LOCA. However, a break in (1) the.RHR letdown line, (2) the RHR/LPCI injection line, (3) the RWCU line from the reactor coolant system, or (4) the main feedwater line in the reactor building, could result in a partial or complete loss of this condensate flow. (vi) In response tQ the staff's concern about the operability of the HPCI, RCIC, and RWCU isolation valves the licensee submitted additional infor-mation in letters dated June 28, 1985 (SNRC-1185) and November 16, 1985 (SNRC-1213). The letters document an evaluation of the valves by the licensee to verify that.all documentation concerning the procurement and testing of the valves is correct, and that the valves have the capability to isolate as required.
1 ~ The licensee reported that the correct design criteria from the purchase i specification were used by the valve vendor for the sizing calculations for the original selection of motor operators. The motor operator sizing calculations indicate that the valves have the capability of closing
- against the anticipated differential pressure in a guillotine line break, 2
and that the maximum thrust capacity of the actuators exceeds the total stem thrust required. l, The licensee provided copies of the calculations for the actuator design as received from the vendor. The staff noted that the date on the calculation sheets is 1985. The licensee stated that this was necessary to clarify a complicated format that had originally been used in 1975. The vendor verified j that the information provided in the new format is an accurate representation 1 of the original calculations, and the original documentation is available for audit. The review of the original vendor records shows that all valves ! identified were tested for opening under appropriate differential pressure
- i. t conditions. Additionally, full f, low tests at 1500 psi differential pressure on an 8" valve of similar design were successfully performed for another utility. The tests provide evidence of the satisfactory performance of each I
valve against the differential pressure. The licensee has also verified the identification numbers of the tested valve actuators and the operator size as shown on the test reports.during field
- walkthroughs to support the environmental qualification effort. This activity 1
\
served to cerify the design records. No motor data were found to exceed the limitorque design rating, and the actual voltage type and rating given in the test reports were verified against the original design records. Based on this information, the staff has concluded that the isolation valves will shut, if called upon as a result of a break in the HPCI, RCIC, and RWCU systems. (vii)We believe that an unisolated LOCA in the reactor building due to a HELB or an interfacing LOCA may have high consequences because there is a bypass of the containment. Finally, we believe that if a HELB occurs and isolation valves initiall'y cannot close, the reactor will depressurize rapidly. The operators would also manually actuate the safety / relief valves (SRVs) or the ADS to depressurize the reactor in order to make use of condensate systems to flood the reactor. The operators may then try to close the isolation valves again. It is more likely that the valves would close at that time because the differential pressures across the valves would drop significantly after the reactor is depressurized and the forces which would resist closure of the valves would consequently be lower. This consideration is not included in our analysis. Reactor Water Level Measurement Instrumentation Failure The design of the reactor water level measurement system at Shoreham as described in ths PRA study includes the following features:
I i l
\
l (1) There are two reference legs for all safety instrumentation. (Reference leg side A and side B.) l (2) There are four level transmitters for initiating HPCI, RCIC and ADS. i (3) The 125V DC bus A provides power for the two transmitters on side A. The 125V DC bus 8 provides power for the other two transmitters on side B. 4 The Shoreham PRA study analyzed accident sequences initiated by leakage from a reference leg (causing a false high indication of water level) with an additional failure in the other reference leg due to operator maintenance error, loss of a DC bus, miscalibration of instrumentation, or random failure of instrumentation. The Shoreham PRA study estimates that reactor water level I instrumentation tailure contributes about 4x10-0/ reactor-year to the total severe core damage frequency. The BNL estimate is about 1.2x10-5/ reactor-year. The discrepancy between the Shoreham and the BNL estimates is due to the following considerations: (1) BNL used two LER events in which reference leg failure occurred during maintenance when the reactor was at power. The estimate of the operator error causing failure of another reference leg during maintenance used by BNL was much higher than the estimate used by the licensee. Therefore, the accident sequence of a given reference leg break together with another reference leg failure due to maintenance error contributes about 2x10-6j reactor-year to the total severe core damage frequency. 1 a
-- .- , p - -
, , , , , . . - , ,,,..---,e - y..
19 - (2) The Shoreham PRA study combined miscalibration error probability for the water level instrumentation on the alternate leg with the failure probabilities of hardware components such as differential pressure cells in developing the event tree for loss of water level instrumentation. However, the BNL analysis treats each contribution separately and this results in higher estimates of severe core damage frequency. After completing the review of the reactor water level instrumentation system described in the Shoreham PRA, the staff learned that the licensee was modifying - the reactor water level instrumentation system. Four new level transmitters will be added to the existing system and the initiation for HPCI will be separated from the initiation of RCIC, ADS, and LPCI/LPCS. In addition, HPCI will be powered by DC bus B only and RCIC will be powered by DC bus A only. The staff has not re-evaluated the PRA results in light of these modifications. However, we believe that they would definitely reduce the severe core damage frequency due to reactor water level instrumentation failure. Flooding The staff has previously reported the results of its flooding analysis, in Section 3.12 of Supplement 7 to NUREG-0420, dated September,1984. BNL estimates that the mean value of the severe core damage frequency of accidents initiated by flooding in the reactor building at Shoreham is 2x10-5/ reactor-year. The licensee's estimate of the severe core damage frequency due to flooding is 4x10-6/ reactor-year. e
.-. -y -
---y ,
l l 1 l l The staff found the assumptions and methodology in the Shoreham flooding , ) analysis to be reasonable for the most part. However, BNL used more recent LER data and a different model in reevaluating the flood initiating frequency. A Markov process model was used to determine flood initiating frequency, and 4 time phased event trees were used to account for the effects of flooding to different levels. Since there are uncertainties in the BNL analysis, especially in the human error probabilities, an uncertainty analysis was performed using the SAMPLE program. The 95% upper limit on the severe core damage frequency of accidents initiated by flooding is estimated to be 7.5x10 5/ reactor-year. 4 The staff has concluded that the flooding sequences do not contribute signif-4 icantly to the total severe core damage frequency. However, our review identified i some potential deficiencies in the Shoreham alarm response procedures for mitigating a flood. Because the BNL analysis assumes good alarm-response pro-cedures in estimating human error probabilities, the severe core damage frequency may be higher than estimated unless the precedures are revised. Containment Response and Radionuclide Release Analysis The review of the containment response and radionuclide release (back-end) 4 analyses in the Shoreham PRA study is an ongoing effort by the staff, assisted by BNL. The staff has completed its preliminary review of the Shoreham con-tainment response and radionuclide release analyse:. 1
2. 21 - The staff has determined that additional work is needed by BNL to evaluate the containment response under severe accident conditions. This would include an evaluation of possible failure locations of containment due to overpres-surization failure. The location of failure is a key element for assessing potential pool decontamination factors. Therefore, the BNL Review effort has been expanded to include the performance of independent calculations to determine the structural behavior of the containment and the likely failure modes of the containment under severe accident conditions and to perform an assessment of i other important issues such as pool thermal hydraulics, secondary containment I failure, and pool bypass given secondary containment failure. i 3 i
- e
. ENCLOSURE 2 ,
NUREG/CR-4050 BNL-NUREG-51836
,, A REVIEW ~OF THE.SHOREHAM NUCLEAR POWER STATI.ON PROBABILISTIC RISK ASSESSMENT (INTERNAL EVENTS AND CORE DAMAGE FREQUENCY)
D. ILBERG, K. SHIV, N. HANAN, E. ANAVIM MANUSCRIPT COMPLETED - MAY 1985 DATE PUBLISHED - JUNE.1985 RISK EVALUATION GROUP
~
DEPARTMENT OF NUCLEAR ENERGY BROOKHAVEN NATIONAL LABORATORY UPTON, NEW YORK 11973 PREPARED FOR , U.S. NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555~ UNDER CONTRACT N0. DE-AC02-76CH00016 NRC FIN N0. A-3740
^
. _ _ . _ . - ~'...
'NUREG/CR-4050 '
BNL-NUREG-51836 , A REVIEW 0F THE SHOREHAM' NUCLEAR POWER STATION . . PROBABILISTIC RISK ASSESSMENT (INTERNAL EVENTS AND CORE DAMAGE FREcuExcY) D. ILBERG, K. SHIU, N.- HANAN' , E. ANAVIM DATE PUBLISHED - JUNE 1985 - DEPARTMENT OF NUCLEAR ENERGY, BROOKHAVEN NATIONAL LABORATORY UPTON, NEW YORK 11973 l PREPARED FOR U.S. NUCLEAR REGULATORY COMMISSION ; WASHINGTON, D.C. 20555 - 1
. _ . _ . . _ _ _ _ . . _ . ~ . . _
._ ._ .. . . _ . . . _ ~ - . . _ - - - -
5 ABSTRACT j
' A review of the Probabilistic Risk Assessment of the Shoreham Nuclear Power Station was conducted with the broad objective of evaluating its risks in relation to those identified in the Reactor Safety Study (WASH-1400). The scope of the review was limited to the " front end" part, i.e., to the evalua-tion of the frequencies of states in which core damage may occur. Further-4 more, the review'. considered only internally generated accidents, consistent j with the scope of- the PRA. The review included an assessment of the assump- ; ,tions and methods used in 'the Shoreham study. It also encompassed a re-evalu- )
ation of the main.' results within the scope and general methodological frame-i
,w ork of the Shoreham PRA, including both qualitative and quantitative a.nalyses i of accident initiators, data bases, and accident sequences which result in initiation of core damage. Specific comparisons are given between the Shore-ham s.tudy, the resrlts of. the present review, and the WASH-1400 BWR, for the ! core damage frequency. The effect of modeling uncertainties was considered by i
a limited sensitivity study so as to show how the results would change if j other assumptions were made. This review provides an independently assessed point value estimate of core damage frequency and describes the major contrib-utors, by frontline systems and by accident sequences. I 1 i 1 i E l l; i i 4
- i11 .
I
. -,-- - _ , --- ~ . ,. . - - _._._,,.m._ .._ - m. ~, - . - . - . , . - , , . _ , _ _ . - . - _ , - . . . _ , _ _ --._.. --
,4- - _ _ - .
r 1 ! . CONTENTS \ j
- Page 3
l ABSTRACT................................................................ iii LIST OF FIGURES......................................................... x .i LIST.0F TABLES.......................................................... xi j ACKNOWLEDGMENT.......................................................... xv
- NOMENCLATURE.....................................................~....... xvii i -
1 E XE C UT I V E S UMAR Y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . . . . . . . . . . . 1 i
1.0 INTRODUCTION
............................................ .......... 8 1 j 1.1 Background.................................................... 8
- 1.2 Cbjective, Scope, and Approach to Review...................... 8 l 1.3 Organization of Report........................................ 10
- 1.4 Re f eren ces t o Sect i on 1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 l
2.0 PLANT M00ELING..................................................... 12 2.1 Saf ety Functi ons and Corres pondi ng Sys tems . . . . . . . . . . . . . . . . . . . . 12 2.1.1 Saf ety Functi ons and Front l ine Sys tems . . . . . . . . . . . . . . . . . 12 4 2.1.2 Success Criteria f or the Frontl ine Systems . . . . . . . . . . . . . 14 2.1.2.1 ' Success Criteria for LOCA Initiators. .. . . . .. .. 14 ! 2.1.2.2 Success Criteria for Transient Initiators..... 16 3 2.1.2.3 Success Criteria for ATWS Initiators.......... 17 2.1.3 Su p p o rt Sys t ems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 2.1.3.1 El ect ric Power Sys t em (EPS ) . . . . . . . . . . . . . . . . . . . 18 j 2.1.3.2 Emergency Servi ce Water (ESW) . . . . . . . . . . . . . . . . . 19 l 2.1.3.3 Plant Air and Compressed Nitrogen Systems..... 19
\
l 5 2.2 In i t i a t i ng Ev e n ts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 2.2.1 SNP S Ini t i at o rs ' Se l ect i on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 2.2.1.1 LOCA In i t i a t o rs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 - 4 2.2.1.2 Trans ient wi th Success ful Scram. . . . . . . . . . . . . . . 20 2.2.1.3 ATWS: Anticipated Transient Without Scram.... 21 2.2.2 Comparison with Reactor Safety Study and Other PRAs.... 21 2.2.2.1 Comparison with RSS-BWR....................... 21 2.2.2.2 Compa ri s on wi th RSSMAP Grand Gul f . . . . . . . . . . . . . 22 2.2.2.3 Comparison with the Big Rock Point (BRP) PRA.. 22 2.2.2.4 Comparis on with LGS and GESSAR PRAs . . . . . . . . . . . 23 2.3 BNL Assessment of the SNPS-PRA In'itiating Events and - I Su c c es s Cr i t e r i a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 2.4 Re f e renc es t o Secti on 2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25-3.0 ACCIDENT SEQUENCE 0EFINITION....................................... 40 3.1 Introduction.................................................. 3.1.1 The General 40 . Methodology................................ 40
- 3.1.2 Functiona l Event Tree De vel opment . . . . . . . . . . . . . . . . . . . . . . 41 i
l
. _ _ .,_- ~ 'e . - .-
Page 3.5 Ref e rences t o Secti on 3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 APPENDIX 3A Changes Made to SNPS-PRA .Faul t Trees . . . . . . . . . . . . . . . . . . 72 4.0 DATA ASSESSMENT.................................................... 81
, 4.1 Frequenci es of ' In i t iating Even ts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 .
4.1.1 Initiating Event Frequencies used in SNPS-PRA.......... 81 4.1.2 BNL Ass es'sment of the Initiator Frequencies.. .. . ..... .. 82 4.1.3 Los s of' 0f f s ite Power Ini ti ato r. . . . . . . . . . . . . . . . . . . . . . . . 86 4.1.4 Recover.y of Offsite Power.............................. 87 4.1.5 Conclusion............................................. 88 4.2 Component Unavailabi11 ties.................................... 88 4.2.1 S N P S Da t a 84 s e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 4.2.2 Data Assessment for Diesel Generator Availability...... 89 4.3 Huma n Er ror P roba b i l i t i es . . . ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
. 4.4 Re f e ren c es t o Secti on 4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 5.0
SUMMARY
OF ACCIDENT. SEQUENCE QUANTIFICATION AND IDENTIFICATION OF DOMINANT CONTRIBUTORS TO CORE DAMAGE FREQUENCIES............... 105 5.1 Modifications Made by BNL in the Accident Sequences Qu a n t i f i ca t i o n .' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 5 5.1.1 Overview of the SNPS Approach to Accident . Sequence Quanti fi cati on. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 5.1.2 BNL Modifications to the Accident Sequence..... . .. .. .. 106 5.2 Summary of the Results of the BNL Review in Com with
~
the SNPS-PRA...................................parison .............. 108 5.2.1 Summa ry of the Res u l ts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 5.2.1.1 Loss of Coolant Accident Inside Drywell...... 109 5.2.1.2 Anticipated Transients Without Scram. ....... . 109 5.2.1.3 Trans ients with Successful Scram. . . . . . . . . . . . . 110 5.2.1.4 Los s of Of f s i te AC Power. . . . . . . . . . . . . . . . . . . . . 111 5.2.1.5 Excessive Release of Water at Reactor Bu.i l di ng El evati on 8. . . . . . . . . . . . . . . . . . . . . . . . . 112 5.2.1.6 Level Instrumentation: Loss of Reference Le and Los s of Drywel l Cool ing. . . . . . . . . . . . . . . . .g . 112 5.2.1.7 In t erf ac ing L0CA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 5.2.2 Domi nant Sequences i n BNL Revi ew. . . . . . . . . . . . . . . . . . . . . . 114 5.3 A Li mi ted Se ns i ti vi ty Stu dy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 5.4 Ref erences to Section 5 and Appendi ces . . . . . . . . . . . . . . . . . . . . . . . 118 - vil
- 1 i
, CONTENTS 1
Page
; ABSTRACT................................................................ iii LIST OF FIGURES.........................................................
x
; LIST.0F TABLES.......................................................... xi ACKNOWLEDGMENT.......................................................... xv
- NOME NC LATU R E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ~. . . . . . . x v i i i EXECUTIVE
SUMMARY
....................................................... 1
1.0 INTRODUCTION
....................................................... . 8 1.1 Background.................................................... 8
) 1.2 Objecti ve . Scope. and App roach to Review. . . . . . . . . . . . . . . . . . . . . . 8 1.3 Organization of Report........................................ 10 1.4 Ref e ren c es t o Sect i on 1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 i
2.0 PLANT M00ELING............................'......................... 12
; 2.1 Saf ety Functi ons and Corres pondi ng Sys tems . . . . . . . . . . . . . . . . . . . . 12 2.1.1 Saf ety Functi ons and Front l ine . Sys tems . . . . . . . . . . . . . . . . .
i 12 2.1.2 Success Criteria for the Frontline Systems. .. .. . .. . . . .. 14 i 2.1.2.1 ' Success Criteria for LOCA Initiators. ... .. .. .. 14 2.1.2.2 Success Criteria for Transient Initiators..... 16
- 2.1.2.3 Success Criteria for ATWS Initiators.......... 17
; 2.1.3 Su p p o rt Sys t ems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 1 2.1.3.1 El ectric Power Sys tem (EPS) . . . . . . . . . . . . . . . . . . . 18 l 2.1.3.2 Emergen cy Servi ce Wa ter (ESW ) . . . . . . . . . . . . . . . . . 19 l 2.1.3.3 Plant Air and Compressed Nitrogen Systems..... 19
\ 5 2.2 Initiating Events............................................. 19 2.2.1 SNPS In i t i a t ors ' Se l ecti on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 2.2.1.1 LOCA In i t i a t o rs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 - 2.2.1.2 Trans i ent wi th Succes s f ul Scram. . . . . . . . . . . . . . . 20 i 2.2.1.3 ATWS: Anticipated Transient Without Scram.... 21 l 2.2.2 Comparison with Reactor Safety Study and Other PRAs.... 21 i 2.2.2.1 Comparison with RSS-BWR....................... 21 ( 2.2.2.2 Compa ri s on wi th RSSHAP Grand Gul f . . . . . . . . . . . . . 22 i 2.2.2.3 Comparison with the Big Rock Point (BRP) PRA.. 22 ! 2.2.2.4 Comparison with LGS and GESSAR PRAs . . . . . . . . . . . 23 4 I 2.3 BNL Assessment of the SNPS-PRA In'itiating Events and - l Su c c es s Cr i t e r i a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 23 2.4 References to Section 2....................................... 25 5 3.0 ACCIDENT SEQUENCE DEFINITION....................................... 40 i 3.1 Introduction.................................................. 3.1.1 Th e Ge n e r a l Me t h o d o l o gy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 40 3.1.2 Functional Event Tree Development...................... 41 y g-2 .
Page 3.1.3 Qualitative Dependence Analysis........................ 42 3.1.3.1 Sys t em Functi ona l Dependences . . . . . . . . . . . . . . . . . 42 3.1.3.2 Sys t em Phys i c a l Dependences . . . . . . . . . . . . . . . . . . . 44 3.1.3.3 System Human ~ Induced Dependences . . . . . . . . . . . . . . 44 3.1.3. 4 ' Component Functi onal Dependences . . . . . . . . . . . . . . 45 3.1.3.5 Component Phys i ca l Dependences . . . . . . . . . ' . . . . . . . 45 3.1.3.6 Component Human Interaction Dependences....... 46 3.2 Qualitati ve Description of'" Functional Event Trees.. .. .... ..... 46 3.2.1 Tu rb i ne Tr 1 p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 3.2.2 MSIV Closure / Loss of Condenser / Loss of Feedwater 3.2.3 Transient.............................................. 47 Inadvertent Op en Sa fety-Rel ief Val ve. . . . . . . . . . . . . . . . . . . 47 3.2.4 Ma n u a l .Sh u t d own . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 3.2.5 L os s of Of f s i t e Pow'e r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 3.2.6 Comparison with the. Treatment of Transients in RSS and LGS-PRAs......................................... 48 3.2.7 LOCA Ev en t Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . 48 3.2.8 A TWS E v en t Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . 49 3.2.9 Ot he r Even t Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 3.2.10 Summary of the Qualitative Review of Functional Eve n t T r ees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 3.3 Sy s t em Fa u l t Tr e es . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 3.3.1 Sys t em , Faul t Trees Ana lys i s in SNPS-PRA. . . . . . . . . . . . . . . . 51 3.3.2 Summary of 8NL Modif.ications to SNPS System Fault Tree and Their impact....................................... 54 3.3.2.1 Reactor Core Is ol ati on Cool i ng. . . . . . . . . . . . . . . . 54 3.3.2.2 High Pressure Coolant Injection System........ 55 3.3.2.3 Aut oma ti c Dep res s u ri zati on Sys tem. . . . . . . . . . . . . 56 3.3.2.4 Boolean Combination of High Pressure ' Injection Function and the ADS Function....... 56 3.3.2.5 Low Pres s u re Co re Sp ray . . . . . . . . . . . . . . . . . . . . . . . 58 3.3.2.6 Low Pres s u re Cool ant Injecti on. . . . . . . . . . . . . . . . 59 3.3.2.7 Boolean Combination of LPCI and LPCS.......... 59 3.3.2.8 Se rv i c e Wa t e r Sys t em. . . . . . . . . . . . . . . . . . . . . . . . . . 60
- 3. 3. 2. 9 Res i dua l Hea t Remova l Sys t em. . . . . . . . . . . . . . . . . . 61 3.3.2.10 RCIC in the Steam Condensing Mode and RHR..... 62
- 3. 3. 2.11 The El ectric Power Sys tem. . . . . . . . . . . . . . . . . . . . . 62 3.3.2.12 Feedwat.er System.............................. 63 3.3.2.13 Condensate System............................. 63 3.3.2.14 Power Conversion System....................... 64 3.3.3 Summary of the Review of Fault Tree Analysis and its Impact on Core Damage Frequency. . . . . . . . . . . . . . . . . . . . . . . . 65 3.4 Human Performance Analysis.................................... 66 3.4.1 Co gn i t i v e Hu ma n Er ro rs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 3.4.2 Procedura l Human Erro rs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 I
vi
- i
, _ _ , _ _ , _ , _ _ _ _ - -.-----r-- ~- ~ - - ~ ~ - - - - - ' ~ ' ' ~ "4~~~"-~ ' " ' * " ~ " ~ ~ ~ ~~ '
^
- .- l
- i 1
Page i 3.5 References to.Section 3....................................... 66
- APPENDIX 3A Changes Made to SNPS-PRA .Faul t Trees . . . . . . . . . . . . . . . . . . 72 4.0 DATA ASSESSMENT....................................................
81 l , 4.1 Frequenci es of l In i t ia ti ng Even ts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 - 4.1.1 Initiating Event Frequencies used in SNPS-PRA.......... 81 4.1.2 BNL Ass es'sment of the Ini tiator Frequencies . . . . . . . . . . . . 82 4.1.3 Loss of' 0f fs i te Power In i ti ator. . . . . . . . . . . . . . . . . . . . . . . . 86 4.1.4 Recovery of Offsite Power.............................. 87 1 4.1.5 Conclusion............................................. 88 4.2 Component Unavailabilities.................................... 88 4 I 4.2.1 S N P S Da t a Ba s e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 4.2.2 Data Assessment for Diesel Generator Availability...... 89 4.3 Human Er ro r P roba b i l i t i es . . . ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 4.4 Ref e rences t o Sect i on 4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 5.0
SUMMARY
OF ACCIDENT. SEQUENCE QUANTIFICATION AND IDENTIFICATION OF DOMINANT CONTRIBUTORS TO CORE DAMAGE FREQUENCIES............... 105 5.1 Modifications Made by BNL in the Accident Sequences Qu a n t i f i ca t i o n .' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 5
; 5.1.1 Overview of the SNPS Approach to Accident ,.
Sequence Quanti fi cati on. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 5.1.2 BNL Modifications to the Accident Sequence............ 106 5.2 Summary of the Results of the BNL Review in Com with
~
the SNPS-PRA...................................parison .............. 108 5.2.1 Summa ry of the Res u l ts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 5.2.1.1 Loss of Coolant Accident Inside Drywell...... 109 5.2.1.2 Anticipated Transients Without Scram......... 109 5.2.1.3 Transients with Successful Scram............. 110 5.2.1.4 Loss of Offsite AC Power..................... 111 5.2.1.5 Excessive Release of Water at Reactor Bu,i ldi n g El eva ti on 8. . . . . . . . . . . . . . . . . . . . . . . . . 112 5.2.1.6 Level Instrumentation: Loss of Reference Le and Los s of Drywel l Cool ing. . . . . . . . . . . . . . . . .g.. 112 5.2.1.7 Interfacing L0CA............................. 113 5.2.2 Dominant Sequences in BNL Review...................... 114 5.3 A Li mi ted Sens i ti vi ty Stu dy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 5.4 Ref erences to Section 5 and Appendi ces . . . . . . . . . . . . . . . . . . . . . . . 118 i i l 6' vii *
- ...~ _ . . . . - . . . _ _ m. . . __.. . ._
. _ _ - y l
q
~ '
, Page APPENDIX SA. ANTICIPATED TRANSIENT WITH SUCCESSFUL SCRAN SEQUENCES.... 137 5A.1 Tu rbi ne Tri p Tra ns i en t . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 5A.1.1 Background............................................... 138 ,
5A.1.2 ,The FW and PCS Availability (Q and W" Functions)......... 139 5A.1.3 The Res ul ts of the BNL Revised Event Trees . . . . . . . . . . . . . . . . 140 5A.1.4 The Special Case of Common Mode Miscalibration of Level . 14 0 l Ins t rumen t a t i o n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ... . . SA.2 Ma nu a l Shu t down . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 5A.3 MS I V Cl os u re Tra n s i en t . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 7 5A . 3.1 . Ba ck g r ou n d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 7 5A.3.2 The Resul ts of the BNL Revised Event Tree. . . . . . . . . . . . . . . . 157 SA.4 Los s of . Fee dwa t e r Tra ns i ent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 3 5A.4.1 ' Background............................................... 163 5A.4.2 The Resul ts of the BNL Revised Event Tree. . . . . . . . . . . . . . . . 163 - SA.5 Los s of Condens e r Vacu um Tra ns i ent . . . . ... . . . . . . . . . . . . . . . . . . . . . . . . . 16 9 5A.5.1 Ba c k g r ou n d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 9 SA.5.2 The Resul ts of the BNL Revised Event Trees . . . . . . . . . . . . . . . 169 SA.6 Inadvertent Open Rel i ef Val ve Trans i ent. . . . . . . . . . . . . . . . . . . . . . . . . . 174 5A.6.1 Ba c k g r ou n d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 4 5A.6.2 The Resul ts of the BNL Revised Event Trees . . . . . . . . . . . . . . . 174 APPENDIX 58. LOSS OF 0FFSITE POWER WITH SUCCESSFUL SCRAM.............. 182 APPEN0!X SC. LOSS OF COOLANT ACCIDENTS................................ 196 . SC.1 LOCA Ins i de ' 0 rywe l l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 5C.1.1 Ba c k g r o u n d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 5C.1.2 BNL Revi s ed Event Tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 9 SC.2 Loss of Cool ant Acci dent Outs i de Contai nment. . . . . . . . . . . . . . . . . . . . . 199 5C.2.1 Main Steam Line Break Within Reactor Building............ 200 SC.2.2 Feedwater Line Break Contribution........................ 201 SC . 2. 3 HPCI/RCIC Steam Li ne Break Contri bution. . . . . . . . . . . . . . . . . . 202
- 5C.2.4 Interfacing LOCA Frequency............................... 203 SC.2.5 Comparison of the Contribution from Steam Line Breaks and f rom Interf aci ng L0C A. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208 SC.2.6 Core Damage Frequency for Large LOCA Outside Containment. 208 APPEN0!X 50. ANTICIPATED TRANSIENT WITHOUT SCRAM (ATWS)............... 212 50.1 Summa ry of Shoreham ATWS Event Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212 50.2 Qual i tati ve Revi ew of the SNPS ATWS Event Trees . . . . . . . . . . . . . . . . . . 214 viii W
. .c_ ,_.. _- .
Page 50.3 Summa ry of Phys i cal Analys i s Resul ts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216 50.3.1 ATWS Acci dent Ch ron o l o gy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216 50.3.2 D i s cu s s i o n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 50.4 Qu a n t i t a ti ve ' Re v i ew . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
,50.5 Di s cus s i on of Res ul ts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . '222 50.6 Su mma ry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
! APPENDIX SE. REACTOR WATER LEVEL INSTRUMENT LINE FAILURE.............. 253 SE.1 Background....................................................... 253 SE.2 Operator Error Causing Leak on the Second Reference Leg.......... 255 SE.3 Los s of a Si n g l e DC Bus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 5 SE.4 Miscalibration of Water Level Instrumentation on the Al t e rn a t e Le g . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256 SE.5 Fail ure of Di f ferenti al Pressu re Cel 1. . . . . . . . . . . . . . . . . .'. . . . . . . . . . 256 SE.6 Failure of Level 1 or 2 Rel ays and Slaves . . . . . . . . . . . . . . . . . . . . . . . . 257 i SE.7 Con c l u d i n g R ema r k s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257 1 APPENDIX SF. IMPACT OF HI GH DR YWELL TEMPERATURE SEQUENCES. . . . . . . . . . . . . 277 i SF.1 Los s of Drywel l Cool i ng. Ini ti ator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277 . 5F.2 Transients or LOCAs with Subsequent Loss of Drywell Cooling...... 278 SF.2.1 Tra n s i e 1 t s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278 SF.2.2 Water Level Measurement Implication of Losing Offsite and Onsite AC Power...................................... 280 SF.2.3 Loss of Coolant Accidents with Loss of Drywell Cooling... 282
- APPENDIX SG. EVENT TREE ANALYSIS OF OTHER POSTULATED ACCIDENT 1
INITIATORS............................................... 293 i SG.1' Event Tree Evaluation of Sequences Following a Postulated Release of Excessive Water in Elevation 8 of the SNPS Reactor Building... 293 5G.1.1 Fl ood In i tia ti on Frequency. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294 5G.1.2 Evaluation of Core Damage Frequency...................... 295 SG.1.3 Su mma ry o f t h e R e s u l ts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295 SG.2 Loss of 125 V DC Emergency Bus Divis ion I (11).. . .. . . . . . . . . . .. .. . 299 i 5G.3 Loss, of Reactor Buil ding Service Water Ini tiator. . . .. . . . . . . .. . . . . 303 ix i'
-n ....n..--..... ... .. . . . . . . . . . _ . . .
u... . a .. LIST OF FIGURES Fi gure Page 0.1 Summary of the Results of the Event Tree Quantification Displayed by Class of Postulated Core Damage Condition.......... 5 0.2 Comparison of the SNPS-PRA and the.BNL Review Contributing Accident Sequences to the Calculated Core Damage Frequency (per Reactor Year) Due to the Ident.ified Accident Se Cont ri bu t o rs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ............
. . qu en ces 6 4.1 Event tree Diagram of Accident Sequences Following a Turbine Tri p Ini ti ator From Hi gh Powe r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 5.1 Summary of the Results of the Event Tree Quantification Displayed by Class of Postulated Core Damage Condition.......... 121 5.2 Comparison of the SNPS-PRA and the BNL Review Contributing Accident Sequences to the Calculated Core Damage Frequency (per Reactor Year) Due to the Identified Accident Se Co n t r i b u t o rs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ............
. . . . q u e n c e122 5.3 Comparison of the Contributions of Various Accident Sequences to the Calculated Frequency of Core Melt (from WASH-1400) and to the Calculated Frequency of Core Vulnerable Conditions (from the Sh o re h am An a l ys i s ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 3 5D.1 Event Tree Diagram of Accident Sequences Following a Turbine Tri p Ini ti ator From Hi gh Power. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225 5D.2 Event Tree Diagram for Postulated ATWS Accident Sequences Following Turbine Trip W/ Bypass Available. . . . . . . . . . . . . . . . . . . . . . 226 50.3 Event Tree Diagram for Postulated ATWS Accident Sequences Following a MSIV C1osure....................................... 228 50.4 Event Tree Diagram for Postulated ATWS Accident Sequences Fol l owi n g a Los s o f Fee dwa t e r. . . . . . . . . . . .' . . . . . . . . . . . . . . . . . . . . . . 23 0 5D.5 Event Tree Diagram for Postulated ATWS Accident Sequences Fol l owi ng a los s of Of fs i te Powe r. . . . . . . . . . . . . . . . . . . . . .~. . . . . . . . 23 2 SD.6 Event Tree Diagram of Postulated ATWS Accident Sequences Foll owi ng an Inadvertent Open Rel i ef Va1 ve. . . . . . . . . . . . . . . . . . . . . 234 50.7 Reactor Core Thermal Power vs RPV Water Level--Redy Estimates..
- 235 50.8 Event Tree Diagram of Accident Sequences Following a Turbine Tri p (B NL Re v i ew ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 6 SE.1 Reactor Vessel Level Instrumentation Orientation............... 258 SE.2 Fault Tree for Operator Error Causes Failure of A Reference Leg....................................lternate ............... 259 SE.3 Leak in a Single Reference Leg Coupled with Other Failures..... 261 i,
l X
- - - _: # ~--....... -
LIST OF TABLES . Table Page 0.1 Comparison of SNPS-PRA and BNL Review Results.................... 7 2.1 Sa fety Functions Required for Ini tiating Events . . . . . . . . . . . . . . . . . . 26 4 2.2 Safety Functions for Shoreham Nuclear Power Station.............. 26
! 2.3 Frontline Systems for Shoreham Nuclear Power Station............. 27 2.4 Comparison of SNPS, LGS, and RSS-BWR Safety Sys tems . . . . . . . . . . . . . . 28 2.5 Sumary of Success Criteria for the Mitigating Systems........... 29
- 2. 6 LOCA Su c c es s Cri t e ri a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
' 2.7 SNPS-PRA Success. Criteria for ATWS Accident Sequences Based on Modi fi cati ons Imp l emented at Sho reham. . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
, 2.8 BNL-Review Sucess Criteria for ATWS Accident Sequences Based on i Modi f i ca ti ons Imp l emented at Sho reham. . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 l 2.9 Support Systems for Shoreham Nuclear Power Station. . . . . .. . . . . . . . . 34 , 2.10 El ect ri c Power Sys t ems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 2.11 Sumary of the Categories of BWR Transients Used in SNPS-PRA ' to Classify Operating Experience Data on Anticipated Transients.. 36 ' i 2.12 BWR Trans i ents (Reactor Sa f ety Study ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 2.13 Initiating Events for BRP PRA for Which Event Trees Were De v e l op e d . . . . . . . . . . . . . . . . . . . . . . . . . . .' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 3.1 Point Estimates of SNPS S BNL Review.. . .. . ... ... .. .ystem Unavitilability Compared to '
........................................ 68 3.2 Huma n Errors Mode l ed in Event Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 3.3 Major Human Errors Modeled in System Faul t Trees . . . . . . . . . . . . . . . .. 70 3A.1 BNL Changes in SNPS-PRA Fau l t Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 4.1~ Frequency of Initiating Events................................... 96 1
4.2 SNPS-PRA and BNL Results for Initiator Frequency and Sources
- of Differences................................................... 98 -
4.3 Sumary of Quantification for Exposin ' i to Primary System Pressure...........g the Low Pressure System
............................ 99 1 4.4 Sumary of the Historical Data on the LILCO Grid for Loss of Of f s i te Powe r Inc i den t s . . . . . . . . . . . . .' . . . . . . . . . . . . . . . . . . .-. . . . . . . . . 10 0
- 4. 5 Experiential Evidence from Plants of the Northeast Power '
Coodinating Council (NPCC) Loss of Of fs ite Power. . . . . . . . . . . . . . . . 101 4.6 LOOP Initiator Frequency Considered in SNPS-PRA and BNL Review.. 102 4.7 Recove ry Time Di s tri buti ons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 4.8 Comparison Between SNPS-PRA Diesel Generator Data and Other 5.1 E v a l u a t i on s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 . .4. . Comparison of SNPS-PRA and BNL Review Results................... 124 i 5.2 Core Dama ge Frequen cy f or LOCA in Drywel l In i ti ato rs . . . . . . . . . . . . 12 5 4 5.3 Co re Dama ge Frequency f o r ATWS. . . . . . . . . . . .' . . . . . . . . . . . . . . . . . . . . . . . 125 i 5.4 Core Damage Frequency for Trans ient Initiators . . . . . . . . . . . . . . . . . . '
; 126 5.5 Core Damage Frequency I'or Loss of Offsite AC Power Initiator.... 127 :
- 5.6 Core Damage for Excessive Release of Water in Reactor Buildin Elevation 8 Initiator........................................g....
1 127 5.7 Core Damage Frequency for Level Instrumentation and Dr Coo l i n g Fa i l u re In i t i a tors . . . . . . . . . . . . . . . . . . . . ........... . . . . . . . .ywe 128 ll - l 5.8 Core Damage Frequency for LOCA Outside Containment Init 12 9 i 5.9 Cl as s ! Domi n ant Sequ ences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i a 130 t o r. . . . 5.10 Cl a s s I I Domi n a n t Sequ en c es . . . . . . . . . . . . . . . . . . . . . . . . . . . . .......... ......... 131 5.11 Cl as s V Domi nant Sequences . . . . . . . . . . . . . . . . . . . . . . . . . . 131 5.12 Cl as s I I I Domi nant Sequences . . . . . . . .'. . . . . . . . . . . . . . . . .............. . . . . . . . . . . . 132 l 1 Xi %
- - . . - _ - - - ---.- -- - - - - - -- - - - - -,--- - - -- - - - - ~ - ~ - ~~ ' ~ ~ ^ ~
I
.... -._ _. .. , ..- c -. - - - - - - .. - -- Table , Page 5.13 Cl as s IV Domi n ant Sequences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 2 5.14 Summary Tabte of Dominant Accident Sequences Leading to Core Damage Conditions , Ranked by Frequency (per Reactor Year)....... 133 5.15 Res u l ts f rom a Limi ted Sens i ti vi ty Study. . . . . . . . . . . . . . . .~. . . .'. . . . 13 5 5A.1 Functional Level Event Tree Description for FW and PCS Recovery Proba bi l i ty (Tu rbi ne Tri p ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 - SA.2 Event Tree Diagram for Sequences- Following a Turbine Trip Initiator....................................................... 147 5A.3 Functional Level Event Tree for FW and PCS Recovery Probability ( Ma nu a l Shu t down ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 2 5A.4 Event Tree Diagram for Sequences Following a Manual Shutdown.... 155 5A.5 Functional Level Event Tree Description for FW and PCS Recovery Proba bi l i ty .(MS IV Cl os u re) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 SA.6 Event Tree Diagram for Sequences Following a MSIV Closure 5A.7 Initiator....................................................... 161 Functional Level Event Tree for the Probability of FW and PCS Unavailability Following a Loss of FW Transient: Short-Term
- a nd Lon g -Te rm Reco ve ry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 ,
5A.8 Event Tree Diagram for Sequences Following a Loss of Feedwater 5A.9 Initiator....................................................... 167 Functional Level Event Tree for the Probability of FW and PCS Unavailability Following a Loss of Condenser Initiator.......... 170 5A.10 Event Tree Diagram for Se Vacuum. . . . . . . . . . . . . . . . . . .quences Fol l owi ng a Los s of Condens er
........................................ 172 5A.11 Functional Level Event Tree for the Probability of FW and PCS Unavailability Following an 10RV........:....................... 175 5A.12 Event Tree Diagram for Sequences Following 10RV.. . .. ... .. .. .... . .~ 178 58.1 Time Phase Event Tree Otagram for LOOP Initiator.. .. .. . . . ... .. . . 185 5C.1 Event Tree Diagram for Se L0CA. . . . . . . . . . . . . . . . . . . . .quences Fol l owi ng La rge and Medium
........................................ 198 SC.2 LOCA Contri buti ons to Co re Dama ge Frequenci es . . . . . . . . . . . . . . . . . . . 199
~
SC.3 LER Sumari es f or Interf aci ng LOCA Events . . . . . .. . . . . . . . . . . . . . . . . 206 SC .4 Event Tree Diagram for Sequences Following Large LOCA Outside Containment............................................. 211 50.1 Transient with Failure to Scram Emergency Procedure.......... 23 7 50.2 BNL ATWS In i ti ator Frequency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ... ... 240 50.3 Comparison of Conditional Frequency of Core Damage Based on BNL a nd SNPS ATWS Event Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 0 50.4 Core Damage Frequency of BNL Ravised ATWS Event Trees with SNPS Initiator Frequency............................................. 241 50.5 Core Damage. Frequency Based on BNL Revised ATWS Event Tree with BNL In i ti at or Frequen cy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241 50.6 Event Tree Diagram for Postulated ATWS Sequences Following Tu r b i n e T r 1 p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
. 50.7 Functional Level Event Tree for the Control of RPV Level-1...... 244 -
50.8 Event Tree Otagram for Postulated ATWS Se MS IV Cl os u re. . . . . . . . . . . . . . . . . . . . . . ........................
. . . . . .quences Fol l owi ng 245 50.9 Event Tree Diagram for Postulated ATWS Sequences Following LOOP., 247 -
50.10 Event Tree Diagram for Postulated ATWS Sequences Followin Los s o f feedwa t e r. . . . . . . .,. . . . . . . . . . . . . . . . . . . . . . . . . . . . . ........ ..g 249 Xii
=
.. - ... .... a -- -
iw. -. . . - , -- Table Page 50.11 Event Tree Diagram for Postulated ATWS Sequences Following 10RV.. 251 SE.1 Level Ins t rument As s i gnments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262 ; SE.2 Event Tree Diagram for Sequences Following Reactor Water Level Ins t rumen t L i ne Lea k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263 5F.1 Drywell and Suppression Pool Temperature Following a Shutdown f rom Trans i ent Wi thout DHR or PCS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 SF.2 Loss of Drywell Cooling Event Tree Quantification Description....i 285 5F.3 Event Tree Diagram for Isolation Transients with Loss of SF.4 Drywell Cooling.................*..................................,287 Loss of Offsite Power Event Tree with Water Level . Measurement Implications.................................... ..... 289 SF.5 Event Tree Diagram for Loss of Coolant and Loss of Dr Cooling..............................................ywell ............ 291 5G.1 Summary of the P'ostulated Sequence Initiators Associated with the Potential Release of Water in the Reactor Building El e v a t i on 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297 l SG.2 Core Damage' Frequencies f or Fl oodi ng Ini ti ators . . . . . . . . . . . . . . . . . . 298 l SG.3 Event Tree D.i agram for Los s of 125 V DC Bus . . . . ,. . . . . . . . . . . . . . . . . . 301 1 5G.4 Conditional Probability "T" the RBSWS or TBSWS WouId be i Avail able Foll owi ng Loss of RBSWS Ini ti ator. . . . . . . . . . . . . . . . . . . . . . 306 i 5G.5 Event Tree Diagram for Loss of Reactor Building Service Water l Initiator........................................................ 307 k s l
, xiii i
. . _ . _ . . ,_ . . ,:a.. .u.... _ . . . . .__
I
\
i ACKNOWLEDGMENT . The authors wish to thank their colleagues in the Department of Nuclear Energy at Brookhaven National !.abcratory for many enlightening discussions and comments throughout this project. In particular, the help of Xenneth Perkins in the review of success criteria is much. appreciated. The work was performed for the Reliability and Risk Assessment Branch (RRAB) of the U. S. Nuclear Regulatory Commission. Mr. Ed Chow of RRA8 was i the technical monitor of the project. The authors wish to acknowledge Ashok l -Thadant, Chief, RRAB, and Arthur Busilk and Ed Chow (RRAB) for constructive comments on the preliminary and the final drafts of this report. Finally, we would like. to express our appNaciation to Cheryl Conrad . Marguerite Marsch, and Nancy Nelson for an excellent job in typing this document. ( e t I l j , t i i i j . xv . 3
4 -
. . l l
I NOMENCLATURE A large LOCA ADS Automatic Depressurization System A ot Large LOCA outside Containment ARI Alternate Rod Inser' tion
~
ATWS Anticipated Transie,nt Without Scram
-B o LOCA - Induced Loss' of Offsite Power BWR Boiling Water Reactor C Scram C
A Alternate Rod Insertion .
! C E Electrical Failure to Scram Cy Scram Initiation Cg Mechanical Failure to Scram C
2 One Standby Liquid Control Loop C 21 Sec nd Standby Liquid Control Loop, given C 2 CD Core Damage - CDFT. Core Damage Fault . Tree CET Containment Event Tree CM2B Comon Mode Failure of 2 Batteries (Divis' ions 1 and 2) . CM3B Commo'n Mode Failure.of 3 Batteries (Divisions 1, 2, and 3) - CM2D Common Mode Failure of 2 Diesel Generators- (Divisions 1 and 2) CM3D Common Mode Failure of 3 Diesel Generators CRD Control Rod Drive D Failure of Diesel Generators and Failure to Recover of Division I or II Diesel in 2 hours DHR Decay Heat Removal ECCS Emergency Core Cooling System EDG Emergency Diesel Generator EPG Imergency Procedure Guidelines - EPS Electrical Power System ESF Engineered Safeguard Features ESWS Essential Service Water System FSAR Final Safety Analysts Report , , FT Fault Tree ' FTA Fault Tree' Analysis xvit '
1 NOMENCLATURE (Continued) FW Feedwater G Orywell Heat Removal HEP Human Error Probability HPCI High Pressure Core Injection System I Recovery of Offsite power in 30 minutes
,II Recovery' of Of'fsite power in 2 hours -
III Recovery of- Offsite Power in 4 hours IV Recovery of Offsite power in 10 hours .- IORY Inadvertent Open' Relief Valve
- L Level Control and~ Stable Cooling Established LOCA Loss of Coolant Accident LOOP Loss of.0ffsite Power LPCI Lew Pressure Coolant Injection LPCS Low Pressure Core Spray -
M Maintain ~ Reactor Pressure M 3 Manual Shutdown MOV Motor Operated Valve - MSIV Main Steam Isolation Valve NPCC Northeast Power Coordinating Council - - NPSH Net Positive Suction Head P ._ Safety Relief Valve Reclose PA or D ADS inhibit - P 1 One Stuck Open Relief Valve (50RV) P 2 Two or more SORY
~
FCS Power Conversion System Q 'Feedwater System _ R Redundant Reactivity Control System RB Resctor Building -
/ RBCLCW Reactor Building Closed Loop Cooling Water s Reactor Building Standdby Ventilation System
~
RBSVS. RCIC Reactor Core Isolation Cooling RCIC SC RCIC in Steam Condensing Mode - RHR Residual Heat Removal System . RHRHX RHR Heat Exchanger , xviii t l
\ .
.=...... . a. . '. =. .. . . NOMENCLATURE (Continued) RPT: Recirculation Pump Trip RPV Reactor Pressure Vessel S t Intermediate LOCA in Drywell S 2 Small LOCA in Drywell SDV- Scram Discharge Volume
.SJA2 Steam Jet Air Ejector SNPS Shoreham Nuclear Power'Sta' tion S.0RV Stuck Open Relief Valve SRV Safety Relief Valve SWS.- Service Water System (or RBSWS = Reactor Building SWS)
TBSWS. Turbine Building Service Water System ' T C Loss of Condenser
- T D Loss of a DC bus (Division 1 or 2)
T E L ss of Offsite Power Tp Loss of Fee'dwater- . T FA Isolation ATWS Tg Inadvertent Open Relief Valve . Tg MSIV Closure Transient - T MT-Loss of Drywell Coolers , T Loss of a Reference Leg in Reactor Water Level Measurement System R T 3y Loss of Service Water System T T Turbine Trip .
~
TAF Top of Active Fuel U High Pressure Injection Function i V' Reactor Core Isolation Cooling System 1 U High Pressure Core Injection System V Low Pressure Injection Function V C Condensate Injection V 4 Low Pressure Core Cooling Systems (includes LPCI and LPCS) l X Depressurization (via Automatic Depressurization System or Manual) W Containment Heat Removal Function (includes Residual Heat Removal System and Power Conversion System) W' RHR or RCIC in Steam Condensing Mode W Power Conversion System Z The function of "MSIV reopened in the long term" xix i
~
, y
.z
~
. . l l
1
~
EXECUTIVE
SUMMARY
This review of the Probabilistic Risk Assessment of the Shoreham Nuclear Power Station was conducted by Brookhaven National Laboratory under the spon-sorship of the U.S. Nuclear Regulatory Commission. The review of the inter-nally generated plant accident sequences which could potentially lead to core damage began in December 1983 and was concluded at the end of October 1984. Two draft versions of this report were published (November and December 1984) with the objective of soliciting comments. This version of the report l's the
,, final report incorporating commen'.s from the NRC, the utility staff, and con-sultants. The broad objective of the review was to evaluate the core damage frequ'ency as calculated in the Shoreham Probabilistic Risk Assessment in rela-tion to that identified in the Reactor Safety Study (WASH-1400). The review by Brookhaven included an assessment of the assumptions and methods used in the Shoreham study. The review also included a re-evaluation of the main results within the scope and general methodological framework of the Shoreham study. This included both . qualitative and quantitative analyses of acciden't initiators, some of the data bases, and accident sequences which result in the initiation of core damage.
The review process included a meeting with the. Shoreham owner and its consultants, a site visit, and one formal round of (written) questions and answers . The utility and 'its consultants were helpful and cooperative throughout the course of the review. The Shoreham PRA package was quite com-prehensive as originally submitted, and there was no significant need to aug-ment' the information by . additional submittals. Finally, comments were received from the NRC and the utility, and they were discussed with BNL in an additional meeting. , The main conclusions of this review are the following: -
- a. Within Rs stated scope, the Shoreham study is a good and comprehen-sive piece of work. The utility produced a study which used the basic approach and techniques of the Reactor Safety Study (event .
tree / fault tree methodology), but which accounted for plant-specific design differences between Shoreham and the Reactor Safety Study plant and included, in some instances, some additional details beyond those provided in the Reactor Safety Study.
- b. The Brookhaven reviewers believe that the Shoreham study can be updated within its present framework and structure, by taking into account the specific recommended changes in modeling and data, as well as comments found in the main body of this review report.
- c. The reviewers found that some of the analyses in the Shoreham study were rather non-conservative, i.e., led to an underestimation of core daatage frequencies. In several instances ; this may have resulted feci insufficient justification to support an analysis or quantifica-tion of data. In some other parts of the study, the analysis was determined to be conservative, and more realistic alternatives have been put forth. However, the results of this review show that, over- -
all, more assumptions and modeling were judged to be non-conservative. than conservative. 1 t
_ -..- - - 7 _ n. .: . .c.na.
.~n--, .
~
. 1 i
- d. Item. c notwithstanding, BNL found that, in general, the $NPS-PRA
' approach incidded considerable detail and was an attempt to address .
the modeling of the accident sequences and their quantification as realistically as possible, based on the specific 'Shoreham designs and procedures and on past . nuclear power plant experiente. ;
. I
- e. Most of the BNL comments on the SNP$-PRA, and mest of the BNL modifi
- cations, relate to accident sequence quantification. In many instances, error, lack of supportive evidence in the PRA, or new information from LERs or other sources were the reasons for SNL modi-fications to invent tree quantification. Overall the modifications resulted in l'arge changes in the ranking of domthant accident sequences in the BNL. revised results. Even though the overall change in core damage frequency is by a factor of L5, it includes both i increases and decreases in individual sequences, so that a different ranking of dominant sequences was generated 1.n the -BNL re-assessment.
- f. Within. the pebpective of the foregoing coments, the Shoreham study constitutes a . very useful tool for identifying accident seqdences that may lead to initiation of core damage. The PRA, as well as our revi ew, reveals a hierarchy of contributors to the frequency of a
, variety of corp damage states and indicates possible weaknesses t. hat may require additional evaluations. Furthermore, the study could be
'used in implementing a program aimed at prevention of the important ,
accident sequences. The review did' not include an evaluation of the cost-benefit tradeoffs of any strategies or programs in this area,
! and therefore no conclusion is drawn in this regard. ,
- g. The main quantitative results of the BNL revision along with the results of the Shoreham study are given in Table 0.1, as fr.equencies per plant-year, of operation. The table shows that the BNL revision results are higher by a factor of three than the SNPS-PRA results.
l The main contributors appear to come from ATWS, LOOP, transients with scram, and internal flood initiators. Interfacing LOCA was deter-mined to be about half an order of magnitude higher than the SNPS-PRA ' estimate.
- h. The difference between the Shoreham and Brookhaven point value esti-mates for the core damage frequency can be attributed mainly to the '
1 following factors: .
- 1. Based on an updated source of experiential data, the BNL review assessed an increase in the transient initiator frequencies which affected the ATWS sequence contribution and the MSIV closure and turbine trip transients.
- 2. The BNL re-assessment of the LOOP frequency is 0.15 per year for '
the Shoreham site compared with 0.08 per year in the SNPS-PRA. This increase is partly counterbalanced by higher LOOP recovery probabilities derived from a more recent evaluation of LERs used in the BNL're-assessment. l 2
- 5. . ~ . - -- .. . u - , . . . ---=.a - - .= . a
^
- A .-
i
~
3.
~
Loss of instrumentation indications in the control. room. also contributed 'to the increase in the BNL assessed LOOP initiated core damage frequency.
= .
44 BNL calculated a higher frequency for the " excessive release of water in the reactor building" initiator (about a factor of four). A inore elaborate tin'e-phased model considering the early failurs o.f HPCI and RCIC also cdntributsd to the increase.
- 5. A more refined treatment of the' level instrumentation reference leg leakage and the yarfous failure inndet enabled the identifici- -
tion of sevaral new secuences that were not included iri the SNPS-PRA. These new sequences increased the total core aamage con-tribution from this initiator. Since the origir:a1 submittal of this review, ENL 'nas been informed that additional level of ~ measuring instrumentations art talng adNed at Shoreham. Based on , an informal assessmenc, it !s judged thdt this instrumentation will substant'lally decrsa$e the frequencies of most of the new sequences identified by BNL.
- 6. Revised ATW5 functional event- trqres were developed considering Shoreham plant-specific information. The m&jer enntributton to the Jncrease comes front the SNL initiator frequencies. Changes from event:tret modification resultad in only 4 amaller ir. crease.
- 1. Figurt 0.1 depicts the SNPS-PRA ar.d iBNL results accordiAg te the five classes of core damage states con $1dered in the SNPS-PRA. Class III (tite class related to LOCA cequtnces) exhibited only slight changes, ;
&nd Class IV (related to the ATWS sequences) increased the mist, fer the reasens h(1) and h(6) glyen above. The Class I core damage state increased niainly becausi of the increase:f contribution est;icated .by B*tt for LOOP frec;u6ncy, excessive releast of water, ..and tPansients. '
Class II core ela!nage fraquendy w6s also chenged. This class does not lead to core damage
- in all cases; in niany cases it results in con.
tainment failutet, w ith the core continuing to be cooled. The f nerease in Clast II is attributed to the inclusion of additional
' Sequences BNL ccusidered th the loss of service water and the LOOP trar41ents . Loss of con-denser vacuum also centributed to the increase in class II frecuency., Finally, the interfacing LOCA fre-quency was based in the BNL revie.i on seyeral precursor events of.
this type, rather than oh L&R valve data. This treatment resulted in an increase in the initfating frequency of this event.
*The Shortihirs 'PRA used the term " core vu'!Herable" rather than " core damage" i because damage to t!;e core will not ioccur for all sequences in Class II.
However, they h.tve extended this terminology to all bther cidsses as well. BNL believes that it is more apprcpriate to retain the terr >inology " core damage" for all classes (in order to be consistent witn terminology in previous PRAs), Jnd t0 note separately those sp6cial cases where core d4 mage may not occur.
^r_ ^; ; . . c.' .~ -
n-
^ '
c.. 2 .__ - n . ;m - - - f
- j. Figure 0.2 provides an alternative means of presenting the results.
It shows that in general the BNL and SNPS-PRA resul.ts are in agree-ment -with . respect to..the main class of contributors. The difference
. in the relative contribution of ATWS and transients is not as great as might be expected.because a significant fraction of the SNPS ATWS
; , core damage . frequency was added to the transients rather than included in the "ATWS class IV" part of the pie chart. BNL consid-ered all ATWS sequences that result in core damage to lead eventually to Class IV* core damage.
; The BNL review concluded that if improvements are to be considered, the
- . greatest impact may be achieved in the following areas:
. a. Since the submittal of the SNPS-PRA, BNL was informed that additional
' systems have been added to the onsite emergency system. Conceivably this may help to reduce the contribution to core damage from LOOP events and total loss of level instrumentation.
.w .M .. ..
- b. Staggered procedures with respect to calibration of the most impor-4 tant sensors. Actuation of the high and low pressure systems from another redundant pair-of RPV water level sensors different from the four N091 level sensors currently employed. BNL was informed, after this review was completed, that indeed this design change is being implemented. Thus, if detailed information and a PRA update were submitted for review, the BNL assessment might well change.
. c. Treatment ~of ~ sequences related to' the interfacing LOCA and excessive release of water. Review of emergency procedures may be one example.
- d. Treatment of the ATWS s'equences. Review' of emergency ATWS procedures
- may be one example. However, BNL identified some need for additional N-i generic physical analyses of ATWS if better understanding of opera-tors' response time is desired.
BNL concluded that the results of the SNPS-PRA, taking into account BNL ^ review considerations, provide an effective framework for further studies of the Shoreham plant design and operation and for evaluating modifications in those areas. A final comment is in order regarding any possible comparison between the results of the' SNPS-PRA and results of some other similar PRAs. Superficial i numerical differences cannot be relied upon as indicators of relative core - damage frequency; some earlier PRAs, in adhering more closely to WASH-1400 thinking, have provided results which are to some extent not as realistic in the non-conservative direction as those of the Shoreham PRA, which has advanced the conceptual basis in the direction of greater realism. Compari-sons between PRAs should be made only in light of a clear understanding of where realistic credit has been taken for mitigating systems and where differ'- ent assumptions have been applied. A major goal of this review has been to indicate where the SNPS-PRA has made advances in this area.
- *See Appendix 0 for details. The basis. for the BNL assumption is that there -
is a lack of time for, the operator to inhibit ADS, as level 1 is reached promptly. 4 i
. - . . . . - ... _ .L s . . _ _ _.. _. . d 10*I -
- M SNPS-PRA
[ l BNL-REVIEW to 3 . 3,, 1.4E-4 ftad_
- 8.2E-5 -----------.,- 4.5E-5 - - - - - - - -
i .u.s [ 3.21.! [ E g m ;. Ju 1.2E-5 1.4E-5
= 15?? - -
g to.i - gg,3 s.it.4 - -
- .ws p,?1bue w er a,_a;
. &cJ.E. 'r g 3 .g3 yha'1b;4 54
- c n*
!g
$'hg 5 g
j[#12 1.6 -6 { l . ji
, to 4 - yJ:R$
M3
. sy.
p ". W'-= +
- (;* _
a K4 1 .% 3 trumc; M.i.a c FN2 m% w- .,
*h.
- . 95..
et.
. me 2.0E-7 E6!
i(g%.- x -4 w s gsc t q,- - g
!e to 7 -=$srim **
WM "73 MThi f. I5Wut F l. J (FAQ YLp% "% wiF? 2%% Uk RQ wh %{~M!C
.&c 8 F=$ hw Yvl$$
fy?24 N' h??sa
~
e F%m. f
; gW a pr;22 " d to 8 - s -wee + ypEr;E 'Mi pe vrn. n. ;he '
'er$$
fn-55 Mi Wi7n
*,$4 vi Es# ' MWf ,
~
g
*FMQ1- 1- %rrwd- h"~%t twc Gift W(s?#..
asp
*- .;ctl s,
!=;a YiW M+r.n.m uk; g,,,
a"rf"f? rm c .wrr W;L5' 8 ~T e* **%_ E"f.. s. ' . ,. _d - l CLA13 i C.A13 !! CLASS !!! CLA13 tY CLA13 i TOTJL CLA13 0F CCM 7ta,3tueLE C=c!Tia.ss Figure 0.1 Summary of the Results of.the Event Tree 1 Quantification Displayed by Class of '
. Postulated Core Damage Condition.
5 t
i SNPS-PRA i Pean = 5.5 10 / Reactor Year ' (Core vulnerable) Mean . 1.4x10'4/ Reactor Year
*(Core Damage) 5fRVICE EAii8 ' Be WATIS
- LEVEL TW'"
- TQUV/TQUI 33 UAl[4 LIVIL '\ ATW5(CLASSIV) x
' NN '
j , TQuY/TQUt 10$P
- r
/
N S IE e isT1000 tiDC * - eC'* 88 t!K
~
/ R i LOC 4 f (LOOG C StevlCC" n*" M4?lt LOCf*
r
't05P separated out. ATW5 Cl455 I included "Cintes I and li LD$P Clais I
" Classes i and 11 *
'"Anttetrated toasteat and LOCAS *alf .
- "*saticvPated treassent class it
,e., ... ..,.a i, <, . . . ,- .. - - u 1 m u i> l Figure 0.2 Comparison of the SNPS-PRA and the BNL Review Contrib6 ting Accident Sequences to the Calculated Core Danwie Frequency (per Reacter Year) Due to the identified Accident-Sequence Contributlirs.
T U
Summary Table 0.1 Comparison of SNPS-PRA and ~BNL. Review Results i I Accident Core Damage (CD) Class Sequence Initiator I II** III IV V CD Loss of Coolant SNFS 1.0E-6 1.0E-6 2.0E-6 Accidents BNL 5.3E-7 1.3E-6 1.8E-6 (LOCA)
. Anticipated SNPS 4.0E-6 i 2.1E-9 1.4E-5 1.8E-5 Transient With- SNL
- 2.8E-8 4.5E-5 4.5E-5 out Scram (ATWS)
Less of Offsite SNPS 9.9E-6 1.1E-6 1.1E-5 AC Power (LOOP) BNL ,2.9E-5 1.4E-6 3.0E-5 Transients SNPS 8.7EU6 4.8C-5 1.3E-5 (Turbine Trip BNL 1.5E-5 6.4E-6 2.2E-5 Manuil Shutdown, i MSIY and other) Level. SNPS 3.8E-6 1.2E-7 5.25-9 3.9E-6 Instrumencation BNL 1.2E-5 2.55-8 1.5E-7 1.2E-5 (Reference 1eg and drywell - 7 coo.l lnc) Flooding at SNPSl 3.1E.-6 7.8E-7 3.9E-6 Elevation 8 BNL ' t. 80 2.0E-6 i of Reacter Bldg. ' 2.0E-5 .- LCCA Outside SNPS 3.7E-8 3.7E-8 { q Drywell BNL 2.0E-7 2.0E-7 _ Loss of Service SNPS 3.0E-6 7.7E-7 3.8E-6 Water, or DC BNL 7.6E-6 2.4E-6 1.0E-5 Bus > ' TOTAL SNPS 3.2Z-S 8.5E-6 1.0E-6 1.4E-5 3.7E,8 5.5E-5 i BNL 8.2E-5 1.3E-5 1.5E-6 4 $E-5 4.2E-7 1.4E 4
*In BNL review all ATWS sequences are assumed to lead to core damage class IV. This is based in part on the judgment that the cperator will not be able to inhtbit ADS.
** Class II leads in many cases to centainment failure without loss of core cooling. Therefore, only a part of Class II results in core damage.
L 7 i
- .- ...-- . - +
~
9
- 1. INTRODUCTION -
This sectif on explains why a probabilistic risk assessment (PRA) was performed for the Shoreham Nuclear Power Station (SNPS), how the review of the PRA was performed by Brookhaven National Laboratory (BNL), and how this report is organized. 1.1 Back' ground The Shoreham PRA 1
,2 is a self-motivated undertaking by the Long Island Lighting Company (LILCO), the owner and operator of the Shoreham facility.
1.ILCO initiated and managed the PRA study in . order to provide basic data to its risk management program by evaluating the plant response beyond the normal design basis. LILCO's intention is to make use of PRA methodology to better assess the Shoreham design relative to postulated accident sequences and 'their resulting public risk. The PRA, in its first revision form, was submitted on June 24, 1983. The NRC contracted with BNL to perform an 'in-depth review of the PRA, which began in December 1983. The Shoreham PRA was prepared according to NRC guidelines, and is similar to the Limerick .or GESSAR PRAs 3 with respect to scope, methodology, and data. Like the two other PRAs reviewed by 3NL 5 .6, it was carried out with the basic approach and techniques of the RSS7 . However, plant specific feat'ures and design information were used. In many instances, more detailed modeling and recent data such as LER information were incorporated. The SNPS-PRA s study also addressed t'he comments on RSS made by the Lewis Comittee , and LILCO reflected these comments in the SNPS-PRA as they thought appropriate.
' The 'BNL review was concluded at the end of October 1984 S6me o'f the minor sequences were ' reviewed to a lesser depth than the significant ones.
' For example, in some cases if an in-depth, time consuming review was expected to result in much less than a factor of two change in core damage frequency of a particular sequence, it was not undertaken. On the other hand, based on the SNPS-PRA itself and on reviewers' experience with other PRAs, several addi- ' tional sequences were found to contribute to the core damage frequency and were included in the BNL re-assessment. In summary, most of the SNPS-PRA sequences were reviewed, and several modifications, additions, or subtractions were made, as shown in the rest of this report. The current report (May 1985) supersedes two previous drafts issued for soliciting comments (November, December 1984). This final report incorporates comments made on the previous drafts by NRC and by LILCO. { I 1.2 Objective, Scoce, and Approach to Review
' The broad objective of the BNL review of the SNPS-PRA was to evaluate qualitatively and ' quantitatively the assessment of the important accident sequ ences that are internally generated and lead to core damage initiation.
To be consistent with the SNPS-PRA scope, the review excluded internally l generated fires, but it included an assessment of the externally generated -l LOOP accident initiator. To carry .out this objective, BNL reviewed the E 8
_j .,,,._ _ assumptions and methods of the SNPS-PRA witnin its stated scope. This review . included reevaluation of' the important accident sequences that may lead to core damage, their respective frequency of occurrence, the total frequency of ! core damage initiation, and the impact of several changes made in the assump-tions on the total frequency calculated for the baseline case. In particular, ; the review included evaluations of accident initiators, data, and development and quantification of accident sequences. :
' This review of the " internally" generated accident sequences with respect to the frequency of core damage constitutes part of the work' on the SNPS-PRA
- done by BNL for the NRC. Other BNL reviews consider the core melt phenome-nology and the containment analysis, ~and will De reported separately.
. The review was performed over a one year period in two phases. In Phase ,
I, an overall review was performed and a list of questions was sent to the util'ity. These were discussed in a meeting held in December 1983 between NRC, BNL, and LILCO. The review process benefitted from tnis ' productive meeting. LILCO and its consultants were entirely cooperative in providing the information needed to gain a detailed understanding of 'the PRA for the in-depth review process. Responses and additional information were submitted in May 19849 . ~A report 2, "Revi ew of Shorenam Water Level Measurement Sy stem" prepared for LILCO by S. Levy, Inc., was also part of the response package. BNL included this report in its PRA review package; whenever the SNPS-PRA is mentioned in this review, this report should be considered part of it. Phase I of tne review included an in-depth re-evaluation of the sequences following a release of excessive water into Elevation 8 of the Shorenam reac-tor building 10 The report summarizing this ' review was . submitted to NRC in April 1984. Participating in Phase I were Kelyin Shiu, Yang-Ho Sun, Eshagh Anavim, and Ioannis A. Papazoglou. Phase II of the review took place from June to October 1984. An in-depth review of the accident sequence modeling and systems, as well as the . , data used in tne SNPJ-PRA, was performed. This is summarized in the following i chapters of this report. Dan Ilberg, Kelvin Shiu, Nelson Hanan, and Eshagh Anavim participated in this phase. The most important sequences were reviewed, as mentioned above. Thos e sequences are reassessed and the results are presented in appendices to Sec-tion 5 of this report. The quantification and sequence modification are-explained whenever they deviated from the original SNPS-PRA with the inten-tion, of providing sufficient detail to enable otners to follow the review considerations. The review of the fault trees was based on conparison with the Limerick fault trees, taking into acccunt the BNL review of the latter and the coments in the BNL Limerick PRA reviewS . The SNPS-PRA included more explicit modeling of functional dependences in the event trees by increasing thei r detail. Based on the above, and based on the result of a previous review 5 indicating that Core Damage Fault Tree (CDFT) modified the results by about a factor of two, it was determined that this approach if applied to SNPS-PRA would change the net result by a smaller factor. Hence, BNL judged . that a C0FT app' roach was unnecessary for SNPS-PRA. Functional ldvel event trees were utilized by BNL to account for the dependence between the short and 9
.,, , _ _ _ - _ _ , _ , . . _ _ _ ,. , _ _ _ _ _ . . . _ _ . _ ,-_.__m. , . . , . _ _ , , , , - , , , _ , . . , , , , . _ _ _ _ ,
__mm.. . -
- .. . - .: . __ . . . - z .a - . . -
- m- -
long term PCS functions (Q function vs . W and Z functions), because this seemed to be treated non-realistically (see Appendix 5A) on most event trees. l The scope of this review did not include uncertainty and importance anal-ys es . Nevertheless, in several instances it seemed that, besides the baseline assumption, other assumptions could be made if properly substantiated. The j impact of these different assumptions on the results was assessed in a limited ' sensitivity analysis, summarized in section 5.3, which provides some addition-al insight on range of core damage frequency values that could potentially be generated for the SNPS-PRA. j The SNPS-PRA should be cited for its comprehensiveness and self-con-tained nature which facilitated an in-depth peer review. 1 1.3 Organization of Report Section 2 provides a. description of plant modeling which includes identi-fication of initiating events that result in challenging of the safety systems of the plant, and a discussion of safety functions and systems important to preventing or mitigating core damage events. Section 3 contains a description of accident sequence definition, and a discussion of both the BNL revised and the SNPS-PRA event tree / fault tree approaches. -Section 4 is a review of the SNPS data, including the numerical values for the initiating event frequencies used in the SNPS-PRA and the BNL assessment, and the numerical values for some of the parameters necessary for quantification of accident sequences (i .e. , for LOOP time p,hased sequences). Section 5 covers accident sequences quanti-fication, a brief description of the SNPS-PRA approach to quantification, the BNL modifications to the quantification, and the revised core damage frequen-cies. It also describes a limited sensitivity study checking the influences of a few of the assumptions on the core damage frequencies calculated for the baseline case.
- Appendices to Section 5 provide more detailed discussions of the event trees reviewed and include the SNL modifications along with their bases.
These appendices should help others to review our considerations. - 1.4 References to Section 1
- 1. "Probabilistic Risk Assessment Shoreham Nuclear Power Station Long Island Lighting Company, Final Report", Science Applications, Inc., June 24,
.- 1983.
- 2. " Review of Shoreham Water Level Measurement. System, Revision 1", S. Levy, Inc., SLI-8221, November 1982.
i 3. "Probabilistic Risk Assessment Limerick Generating Station", Philadelphia Electric Co., Docket No. 50-352, 353, Revision 5, September 1982.
- 4. "Probabilistic Risk Assessment BWR/6 Standard Plant". General Electric Co., Docket No. 50-447.
l
- 5. Papazoglou, I. A., et al., "A Review of the Limerick Generating Station Probabilistic Risk Ass es sment", Brookhaven National Laboratory. -
NUREG/CR-3028, February 1983. 10
-- ._ se_ . _ _ , . _w. ,,. -- . .. . _ . _._,__,,_.--.--_,y. , - , _ , . . . , . , ..-_w ..m,,.-._,._.,-p ___r
~
._ . .. _ a._._-.. ..
. l l
- 6. Hanan, N.', et al. , "A Review of. BWR/6 St.andard Plant Probabilistic Risk Ass essment, Vol. 1 Internal Events and Core Damage Frequency", Brook-haven National Laboratory, NUREG/CR-4135P, May 1985.
- 7. Reactor Safety Study: "An Assessment of Accident Risks in U. S. Commer-cial Nuclear Power Plants", WASH-1400, NUREG/74-014, October 1975.
- 8. Lewis, H. W., Chairman, " Risk Assessment Review Group Report to the U.S.
Nuclear Regulatory Commission", NUREG/CR-0400, September 1978.
. 9. LILCO's Response to Questions on Shoreham's Probabilistic Risk Assess-ment, Long Island Lighting Company, SNRC-1021, May 1984.
- 10. Shiu, K., et al., "A Review- of the Sequences Following Release of Exces-sive Water in Elevation 8 of the Reactor Building in the Shoreham Nuclear Power Station", Brookhaven National Laboratory, NUREG/CR-4049, November 1984. .
~
o O e e 11
. ~~
^
__ . : -. i
- 2. PLANT MODELING The plant modeling part of the SNPS-PRA covers the identification of the initiating events that can lead to core damage, the safety functions important to preventing or mitigating core damage events, and the systems directly per-forming each of the safety functions, as well as the assessment of the success .
criteria of the safety functions and the systems. These systems are referred
- I to as frontline systems. In addition, the plant modeling includes the identi-fication of the support .s' ystems for each frontline system, i.e., the systems I required for the functiori of the frontline systems.
This section has th~ree parts. Subsection 2.1 describes the safety func-tions , the corresponding frontline and support systems, and their success criteria' and provides a comparison with the Reactor Safety Study 1 and LGS-PRA2 . Subsection 2.2 discusses the particular initiating events and their partition. into groups containing events having the same success criteria for the frontline systems. In both subsections, the SNPS-PRA assumptions are reviewed, evaluated, and compared with those of the Reactor Safety Study ~ (RSS). Subsection 2.3 is a summary of BNL's assessment. . 2.1 Safety Functions and Corresponding Systems 2.1.1 Safety Functions and Frontline Systems The safety functions important to preventing or mitigating the conse-quences of core damage following an initiating event are given in Table 2.1. These functions can be further subdiv.ided for the SNPS into the functions given in Table 2.2, each of which is directly performed by one or more front-line systems. The frontline systems for the SNPS are given in Table 2.3, and in Table 2.4 they are compared with the corresponding systems of the BWR plant. analyzed in the Reactor *fSafety Study (RSS-BWR) and in the LGS-PRA. A short description of SNPS frontline systems and their differences from those in the
- RSS-BWR and LGS follows.
Reactor Protection System (RPS) - The SNPS has incorporated several - design changes, as recommenoeo oy- Alternate 3 of NUREG-0460 3 , to reduce the probability of a failure to scram: a) Alternate rod insertion (ARI) - this system is effective in reducing electrical common-mode failure to scram. (Similar to LGS, dissimilar to RSS). b) Diverse and redundant water level sensors for the Scram Discharge Volume (SOV) - this is expected to reduce the chance of an occurrence similar to that at the Browns Ferry plant. (Similar to LGS, dissimi-l lar to RSS.) c) MSIV closure on reactor level I rather than level 2. Standby Liquid Control (SLC) - The SNPS system is different from the Alternate 3 descrioed in NUREG-0460, which requires two automatically initi-ated SLC pumps with 86 GPM (43 GPM per pump). It includes two. SLC pumps (43 GPM each) manually initiated, with only one pump working at any time. The RSS-BWR has two similar manually actuated SLC pumps. The LGS has three SLC 12
- - - .a .
pumps having automatic. initiation rather than manual, allowing for two pumps injection of 86 GPM. Reactor Core Isolation Cooling (RCIC) - There are no major differences between the SNPS, the LGS, and RSS-8WR designs. SNPS RCIC flow rate is, how-ever, 400 GPM compared with 600 GPM in the other two BWRs. This is a 10% reduction in flow rate corresponding to the power difference between the reactors. High Pres'sure Coolant Injection (HPCI) - The major difference is that, -
- for SNPS and the RSS-BWR, HPCI injects into a feedwater line, whereas for the LGS, HPCI injection is split between the core spray injection line and the feedwater line.
Control Rod Drive (CRD) - There are no major differences between the SNPS, the LGS, and RSS-8WR designs. No credit to this system.is given in the PRA or BNL ~ assessment., even though it may provide successf.ul high pressure
; injection two hours after initiation of several transients. The effect is' not i very large' (see Table 5.15).
Automatic Deoressurization System (ADS) - The SNPS-ADS system has three separate compressed gas supplies; tnese are (1) compressed nitrogen, (2) plant air backup,.and (3). accumulators (see Table 2.4). It incorporates the follow-ing additional features beyond the RSS-BWR or, LGS-PRA*: a) SNPS has an automatic initiation of ADS upon low level signal (level 1). b) SNPS has indd .idual accumulators to store pneumatic energy for each SRV operation. Each accumulator is sized to provid.e five actuations. c) Each SRV has two solenoid pilot valves. d) After receipt of the automatic ADS initiation signal, a timer pro-vides two minutes delay to allow operator to inhibit before actual - ADS initiation. Low Pressure Coolant Injection (LPCI) a) The SNPS and the RSS-BWR LPCI system primary mode is to inject water into the recirculation loops to ensure injection into the intact loop. The LGS LPCI system injects water directly into the core shroud through four separate injection lines. b) The LGS pumps can pump saturated water. The RSS-BWR LPCI pumps have net positive suction head (NPSH) requirements which may not always be met and could lead to pump failure. This is particularly irhportant if there is excessive containment leakage. The SNPS-PRA states that the LPCI NPSH appears to be marginal at saturated pool temperature 1 and containment atmospheric pressure. However, calculations show the NPSH to be adequate. I
LG5 nas recently modified its ADS initiation. logic.
-) l i
13 l t
,,,,--r- w---, - ,- - - . - - , . - - - - - .- _.m,,,?-,,,, - ,- -, e,-. ,e-- - - - - - - - - - ---r --
w e
l Low ' Pressure Core S' pray (LPCS) - The SNPS and LGS core spray pumps can pump saturatec water. . The R5S-BWR pumps have NPSH requirements which may not always be met. All three plants have two redundant loops, but the SNPS uti-lizes one pump per loop whereas the others have two pumps per loop.
, Residual Heat Removal (RHR) - The major differences between the SNPS, RSS-BWR, and LG5 RHR systems are: (1) two RHR heat exchangers for LGS and SNPS, compared with four RHR heat exchangers for the RSS-BWR and (2) credit was taken for the steam condensing mode
- of RHR only in the SNPS-PRA. The SNPS and LGS pumps cannot pump saturated water. However, .i f saturation condi-tions exist in the reactor pressure vessel only, both plants can still pump.
! Containment Sprays - All three reactors have a manually actuated contain-ment spray system tnat can spray either the.drywell or the wetwell volumes.
'2.1.2 Success Critieria for the Frontline Systems The SNPS-PRA conside'rs four general classes of initiating events:
- 1) Loss-of-coolant accidents (LOCAs), ,
- 2) Transients with successful scram,
- 3) Anticipated transients without scram (ATWS), ,
- 4) Low frequency transients of special interest.
The choice of initiating events is discussed in detail in Section 2.2. The success criteria for the systems available to provide successful ter-4 mination of an initiating event without leading to core damage are summarized
'.in Tables 2.5 and 2.7 (taken from the SNPS-PHA report). They are defined in -
terms of the minimum number of systems required to prevent excessive fuel clad
, temperature and to remove decay heat. The success criteria used in the SNPS-PRA represent " realistic" requirements and do not necessarily correspond to
- Final Safey Analysis Report (FSAR) criteria and/or predictions. The SNPS -
criteria were developed in part from vendor deterministic . analyses"> 5
! Here the SNPS-PRA departs from the Reactor Safety Study, wnere FSAR criteria were used. In tne following three subsections tne success criteria assumed in the SNPS-PRA are compared with those in the RSS and the LGS-PRA for tne first three major classes of initiating events, and BNL review comments or changes j to SNPS success criteria are given. The fourth class (low frequency tran-j sients), has the same success criteria as do the anticipated transients anc is )
covered in Section 2.1.2.2. 2.1.2.1 Success Criteria for LOCA Initiators Table 2.6 conpares the success criteria for LOCA initiating events (with successful scram) for the SNPS, LGS, and RSS-BWR. It 'shows the required
*Shorenam coes not regularly use the steam condensing mode. Section 5.3 shows the effect on Class II core damage wnen no credit is given to the steam j condensing mode (see Table 5-15).
- 14
. _ . , . , . . - - . __.i.--__..,_,..,,._ --- . . _ , - --..m. _ . . . - , - , . , , - , . - - , , , - - - . . . , . . - -,m -w-,. , - - . - . . -
._ .;.;. .-. f
' systems for both st6am and liquid breaks as a' function o'f the break size. j Major differences are as follows: 1
- 1. The RSS distinguishes between injection and recirculation phases for large breaks in which only low pressure systems are adequate. This results in a stricter requirement for the injection phase for the '
RSS-BWR than that for SNPS.
- 2. The RSS-BWR requires operation of four ADS valves for depressuriza-tion following.small and medium break LOCA vs. three ADS valves for
.. the SNPS.
- 3. In the small LOCA case, the SNPS takes credit for successful hi gh -
press.ure injection using the feedwater system when the MSIVs remain open or can be reopened within 30 minutes.
- 4. In the LOCA cases, the RSS-BWR and the LGS-PRA require only one LPCS pump or one LPCI pump to operate for successful low pressure injec-tion. For the SNPS, in addition to the above, injection with one condensate pump is also considered a success.. (In the BNL review, the condensate pump is assumed to be a success for medi.um or small LOCA only). , .
- 5. The SNPS analysis takes credit for the PCS as a means of long-term cooling for the small and medium LOCA based on successful reopening of one or more MSIVs. The LGS-PRA also takes credit for PCS in the case of small and medium LOCAs, but the RSS does not.
- 6. The RSS-BWR analysis takes credit fgr one CRD pump as a means of injection for steam breaks of less than 1 in. diameter or liquid breaks of less than 0.6 in. diameter. The SMPS-PRA and LGS-PRA took no credit for CRD pump injection. ~
Table 2.6 shows that the LOCA succe.;s criteria for the three plants are in general agreement; use of the PCS for injection and long-term cooling of . the core is the most notable difference between the SNPS and the RSS-BWR. Table 2.4 shows that HPCI and LPCI are sized in proportion to each plant's thermal power (smaller by a factor of 0.75 for SNPS than for LGS or RSS-BWR). However, the RCIC is rated 10% less for the SNPS than the equivalent flow rate in LGS or RSS-BWR if their RCIC were scaled down by- the 0.75 power ratio factor. For its re-assessment, BNL in general accepted the SNPS LOCA success cri-teria given in Table 2.5. One exception is for large LOCA liquid line breaks connecting to the RPV below the top of the core. Due to the lack of support-ing results of a best-estimate analysis for core cooling given a large LOCA and a condensate pump injection of 1000 gpm, BNL can only provide a limited assessment of the adequacy of condensate pump injection. Based on engineering judgement, the following success criteria were applied by BNL for the large LOCA citse: ) (1) Large LOCA break is above the core: Condensate pump injection of - 1 1000 gpm is successful.
- 15 ,
__ . w . _. u ._- _ . .
" ~
.(2) Large LOCA break is below the core: Condensate pun'p' injection of 1000 9pm is unsuccessful.
The basis for the Juagement of adequate ccoling in tne first case stems from the assumption that the core will be covered in this case, and only ' steam will be able to discharge througn tne creak. The steaming rate corresponds to tne decay heat of the core which can be replenished by the 1000 gpm injection. The BNL judbement for case (2) is that the makeup capability of 1000 gpm to the notwell would not be sufficient for compensating the flow out of the break and steaming out of the assumed open AOS.
~
The success criteria for the diff.erent$ types of LOCA can be de' fine'd also
- in terms of system effectiveness rather than according to break size:
Large LON: No ADS is required. Hign pressure injection, as well as PCS, is inoperable. The concensate pump would be capable about 1000 gpm for long duration, which is assumed
.1 sufficient for large break (Liquid) (e.g., larger than 10"+).
Medium LOCA: ADS is needed as well as HPCI, but RCIC is not an effective injection mode. The effectiveness of PCS is unclear, and two assumptions are used in the sensitivity study (see Sec-tion 5.3 in' Table 5.15; 'tne impact is seen to be small.). The . baseline gives credit for PCS in medium LOCA for both injection and long term neat removal. Small LOCA: ADS is needed, and RCIC is effective as well as the PCS. The' LOCA initiating events were furtner subdivided to LOCAs inside and outside drywell. lhe latter 1'nclude the following:
- 1. Steamline or main feedwater breaks outside containment (within the reactor building).
~
- 2. Breaks in the HPCI/RCIC steam supply or pump discharge lines.
- 3. Interfacing LOCAs in low pressure systems.
The success criteria for tnese cases remain uncnanged. 2.1.2.2 Success Criteria for Transient Initiators The success criteria for transient initiating events (with successful scram) for the SNPS-PRA, given in Table 2.5, are similar to those for the LGS and RSS-BWR, with tne following exceptions.
- 1. For transient initiators, the RSS-BWR applies the small LOCA success ,
criteria given in the FSAR. It is noted in RSS, (page I-67) that ! these criteria were selected in attempt to be conservative. Tne SNPS l and LGS use more realistic analysis. (deterministic analysis performed by the vendor) as their basis. 9 16 t
' ~-
.wr
. .c .
c ~ I
- 2. The RSS-BWR requires operation of four' ADS valves out of five for depressurization following a transient in which low pressure injection systems are required; the LGS requires only two out of seven; the SNPS requires three out of seven. These differences have little impact on ADS unavailability because the dominant contributors are loss of nitrogen ' supply, maintenance, calibration errors , and other commonalities of all ADS valves.
The more realistic success criteria used in the SNPS-PRA for the tran-I sient initiators are considered reasonable on the basis of NED0-24708". One exception is the assuription .that RCIC is capable of supplying adequate vessel water makeup to an isolated reactor with two stuck open relief valves. The validity of this assumption remains to be verified. The BNL assessment assumes that in the case of a transient with coin-cident two stuck open relief valves (2 SORVs), RCIC would not be effective, the reactor will depressurize in less than 2 hours, and low pressure injection , will be required later on. This' is similar.to the medium LOCA case. However, relatively more credit to the ' PCS is given in the transient with 2 SORVs i sequences. 2.1.2.3 Success Criteria for ATWS Initiators This, section presents the SNPS-PRA and the BNL reassessed success cri- )' teria for ATWS initiators. There are no comparable criteria for the RSS-BWR since ATWS was not evaluated in as much detail. Table 2.7 gives the Shoreham ATWS success criteria for six ini tiators , listed in the first column. The other columns indicate the failure of various mitigation functions, with "A" denoting an acceptable condition and "N" an
. unacceptable one. These success criteria are derived from a GE report 3 and a KMC letter 10..
BNL reviewed these two documents to determine the applicability and the j reasonableness of the results as they relate to SNPS. The GE report was pre- -: J pared on a generic basis, analyzing the BWR-4 Mark I plant, with the assump-tion of an automatic SLC system that can deliver 86 GPM of boron to the core upon actuation. This is to be compared with the Shoreham design in , which SLC initiation is manual and the maximum baron injection rate into the t core is 43 GPM. Given the critical nature of the SLC initiation time and the amount of boron that can be injected into the core, the GE report provides 1 only limited insights in the determination of the SNPS ATWS success criteria. The KMC letter gives the results of an analysis modeling a generic BWR-4 reactor with a Mark I containment. It also includes some sensitivity results ) on the effects upon suppression pool temperature of 43 GPM versus 86 GPM SLC system injection rate and of the time delay in initiating the SLC system. It discusses the reasoning behind the selection of a maximum suppression pool temperature limit of 285'F. ~This limit should be contrasted with the 240*F cited in the SNPS-PRA, where 240*F is considered to be an unacceptable plant condition. Both documents assume in their calculation that the RHR system would be operational within a short time, in the range of 3 to 11 minutes. ~ l; i 1 , 17
- . . . , - . - - - - - , . . . . ,., .,--.----u - - . . . ,-.-----*y. - , , , , , , . , -
, ,*- ,--, - + - -
_- - .~ -- - . _ _ , _ - _ Because of- the lack of detailed results of the ATWS analysis, BNL can provide only limit'ed assessment of the adequacy of the ATWS success criteria. Revisions made to the criteria are based on the two documents used in the SNPS-PRA and on engineering judgment. SNPS plant specific information in these areas and additional information pertifient to the determination of these criteria could potentially affect the results. The revised set- of ATWS success criteria given in Table 2.8 is basically the same as that of the SNPS-PRA except for two areas. The first is the success of the decay heat removal system. The SNPS criteria indicate t. hat since the condenser is available, the operability of the RHR should,be optional. BNL is hf the opinion that tne info'rmation in tne two referenced documents does not provide enough detail to support the assumption that the condenser with one or no RHR loops is sufficient to maintain suppression pool temperature for a turbine trip event. If there is immediate feedwater runback ' and tne reactor power level is reduced quickly, by lowering the water level, to below the maximum cundenser limit without a MSIV closure, the SNPS-PRA criteria appe'ars to De reasonable. If, however, feedwater runback .does not occur.immediately or if tne water level is maintained high, then excessive neat (for whi'ch containment heat removal needs to be provided) would be dis-charged into the suppression pool, making the success of RHR loops critical. In the BNL revised criteria, failure of any RHR loop is assumed to be- an unsuccessful sequence. In a related way, the SNPS loss of feedwater ATWS success criteria stipu-lated that failure of one RHR loop is considered to be a successful event. In this case, feedwater is automatically terminated _ by the initiating event, and the reactor power can be accommodated by the condenser only if the water level inside the vessel is furtner lowered; otherwise, the power level may still be i a few percent above the condenser limit. BNL ,also assumed in the re-assess-ment of accident sequences that all RHR loops mst be operational for contain-
~
ment heat removal purposes. BNL also considers the results from analyses insufficient to justify 'tne allowed SLC initiation time of 2 to 30 minutes; in f act,_ evidence appears to ~ indicate the contrary. BNL assumes that if' the SLC system is initiatied within a 10 minute period, then the accident sequence is considered success-ful. A discussion of the physical analysis performed for an ATWS accident sequence appears in Appendix 50.3. , 2.1.3 Support Systems Each of the main systems supporting the frontline systems in the SNPS-PRA, listed in Table 2.9, is briefly discussed here. 2.1.3.1 Electric Power System (EPS) ! Three subsystems of the EPS are considered in accordance with thei r impact on frontline systems: l i I 1. Of fsite Power: SNPS has three incoming offsite transmission lines. ~ I It has two separated switchyards. 18 l .:
iT b. _ l l
- 2. AC emergency power subsystem of the EPS: The SNPS-PRA analysis is based on the availability of three diesel generators and a gas turbine without black start onsite*, available to supply po'w er to three emergency AC bus divisions, but only two divisions supply most of the redundant safety systems as division III basically supplies power to two out of four LPCI, SWS, and RHR pumps.
- 3. . DC-EPS: Three DC divisions with batteries are provided, but division III supplies' two out ,of four RHR or LPCI actuation only. ,
. The EPS for SNPS, LGS, and RSS-BWR are compared in Table 2.10.
l 2.1.3.2 Emergency Service Water (ESW) i Apparently, the LGS ESWS has more redundancy than the SNPS-PRA SWS, as shown by the partial. comparison in Table 2.4; other backup systems are avail-l able in the plants such as normal NSW in LGS and TBSWS in SNPS. 2.1.3.3 ' Plant Air and Compressed Nitrogen Systems The redundancy of the plant air and nitrogen systems in the SNPS and LGS is comparable with that in the RSS-BWR, as seen in Table 2.4. 2.2 Initiating Events This discussion of the initiating events that could challenge the safety systems is divided into three parts. The first describes the approach used in the SNPS-PRA, the second compares this with the LGS and RSS-BWR approaches , and the third presents the results of the BNL review with respect to the choice of initiating events. The SNPS-PRA considers four. general classes of initiating events :
- a. Loss-of-Coolant Accidents (LOCAs),
- b. Transients with successful scram,
- c. Anticipated transients without scram (ATWS),
- d. Other low frequency accident initiators. ,
l 2.2.1 SNPS Initiators ' Selection
- 2. 2'.1.1 LOCA Irritiators The .LOCA initiators are subdivided into three grcups according to . the
- equivalent size of the break and the corrr
- sponding success criteria for the frontline systems: .
1
*The onsite AC emergency power subsystem has been upgraded since the SNPS-PRA was prepared. The BNL review refers to the original configuration. ,
)> 19
. t - .-. . _ - - , . . . _ _ - - _ ._~_ - . - . . _ .-. .- -
(-
- a. Large LOCAs - equivalent break size ' diameter about 4 in, or more, for liquid or steam breaks.
- b. Medium LOCAs - 1 in. < equivalent diameter < 4 in., for liquid break; 1.7 in < equivalent diameter < 4 in., for steam break,
- c. Small LOCAs - equivalent break size diameter about 1 in or less for liquid break and about 1.7 inch or less for steam break.
. The LOCA initiators are fucther subdivided into two groups, by break l location: outside drywell within reactor building, and within drywell.
, 2.2.1.2 Transient with Successful Scram The transient initiators for wK ream is successful are divided into seven groups, where the transiente a ch group impose the same success requirements on the frontline systems
- 1. Transients that result in turbine trip.
- 2. Transients caused by MSIV' closure which ' lead to . isolation of the reactor vessel from the main condenser. I
- 3. Transients following loss of feednater flow.
- 4. Transients resulting from loss, of condenser.
- 5. Transients resulting from loss of offsite power.
~
- 6. Transients resulting from inadvertent open relief valve (IORV).
- 7. Orderly and controlled manual shutdown.
The transient initiators in these groups were 'obtained from an EPRI sur- . veys of operating experience with BWRs in which 37 were identified. These are listed in Table 2.11 and categorized into the first six groups. This categorization of the transient initiators has been reviewed and is considered acceptable. A recent change in the SNPS control logic (for ATWS purposes) helps to show the advantage of the more detailed grouping of the , isolation initiators. The MSIV closure set point has been moved from reactor level 2 (10 ft above top of active fuel (TAF)] to reactor level 1 (2 ft-above ! TAF). As a result the frequency of a transient with subsequent MSIV closure 1 on low level may decrease because more time for operator recovery actions i would be available. The separation of isolation transients into MSIV closure, l loss of feedwater, and loss of condenser events allows a more realistic model-ing of feedwater recovery between level 2 and level 1. Credit for such a change in the control logic could hardly impact the plant PRA unless the number of transient groups is increased to differentiate between the various isolation transients. The MSIV closure transient is a more severe challenge than turbine trip or loss of feedwater flow. On the other hand, as will be seen in Section 5.2, 20
~ ^
--..-.~.-.....- .
;a .. - ... :-
- w. .m . . . . ..
loss of condenser is more severe than MSIV closure. The groupings resulted in a smaller contribution from the isolation transients, because the more severe loss of condenser transient has only one third the frequency of isolation transients. This grouping allows also for more meaningful feedback from LERs. 2.2.1.3 ATWS: Anticipated Transient Without Scram If the reactor protection system fails to scram the reactor after an initiating event i'n' any of the first six transient groups, then an ATWS results. Six groups of ATWS initiators were, therefore, considered.
- 1. Turbine trip ATWS
- 2. MSIV closure ATWS
- 3. Loss of feedwater flow ATWS
- 4. Loss'of condenser ATWS ,
- 5. Loss of offsite power ATWS
- 6. IORY ATWS.
For the ATWS sequence evaluation and quantification, initiators 2 and 4 were eventually combined. The completeness of the list of initiating events considered in the SNPS-PRA was evaluated by comparisons with the Reactor Safety Study land other BWR-PRAs 2 ,7, a ,9, 2.2.2 Comparison with Peactor Safety Study and Other PRAs 2.2.2.1 Comoarison with RSS-BWR In the RSS, all transient initiating events were grouped together afid a - single event tree was developed. The 15 likely transient initiators con-sidered in the RSS (Table 2.12) are all included in the SNPS-PRA list. Worst case assumptions were made about the required responses and availability of the frontline systems in the single transient event tree of the RSS; the SNPS-PRA approach of creating seven groups of transient initiators is a more real-istic approach. Furthermore, in the RSS, a failure to scram leads directly to core damage, whereas , in the SNPS-PRA, each failure to scram is classified into one of the ATWS groups and a detailed plant response is cons.idered. In , this regard also,' the SNPS-PRA is more realistic than the RSS. I For the LOCA initiators, the SNPS-PRA considers three groups according to I the equivalent break size, as does the RSS. Interfacing LOCA is considered in the SNPS in greater detail than in the RSS-BWR. Additional attention is given to the effects of LOCA in the reactor building (see Appendix SC.2). The reactor vessel rupture initiator is handled the same way in both studies. That is, large and mediu.m-size ruptures are considered to be among _ the large and medium LOCA initiators, respectively, and massive reactor vessel. 21 t
ruptures are considered to be within suppression pool capability in most cases and cause it to breach with a small probability. BNL did not review this initiator frequency. Thus, overall, the handling of the initiating events in the SNPS-PRA is more detailed and realistic than in the RSS. 2.2.2.2 Comparison with RSSMAP Grand Gulf The Grand Gulf study considered two transient initiatior groups, one i consisting of the loss of offsite power and one covering all others. A single [ event tree was then used to model the plant response tot the two transient initiating events , considered. LOCA initiators were first partitioned according to two break sizes and then a single event tree was developed to represent the entire spectrum of break sizes. It follows that' the :SNPS-PRA treatment of initiating events is more detailed and realistic than that of the Grand Gulf Study. 2.2.2.3 Comparison with the Big Rock Point (BRP) PRA8 In the BRP study, the selection of initiating events was based on. a review of plant and industry experience for precursors to significant accident sequences . Failures that would require an active response of the plant were classified as transients, loss-of-coolant accidents, or anticipated transients without scram. External events, although treated in the BRP study, are not included in the comparison in order to be consistent with the scope of the SNPS-PRA. Table 2.13 shows the initiating evgnts for which BRP event trees were developed and their frequencies.
- For the initiating events considered in the BRP PRA and not treated ;
separately in many past PRAs, the following remarks are made: '
. Loss of ins trument air initiator. This was given a frequency of -
6x10-'/yr and was found to contribute less than 5% to the total core melt frequency in the BRP PRA. In the SNPS, failures due to loss of compressed air are treated in the system fault trees.- The use of accumulators for providing at least five ADS actuations for each SRV valve and the use of backup air supply resulted in system unavailabil-ity of -3x10 ", which contributes -7% to core damage frequency, in both the PRA and the BNL review. Steam line break outside containment. According to the RSS, the asso-ciated accident sequences leading to core damage are several orders of magnitude smaller than that of the sequences covered in the large LOCA tree. In the BRP PRA, it is 0.2% of the total core damage frequency. In the SNPS-PRA these sequences are studied in detail (see Appendix SC.2), and they contribute only =0.02%. 22
. . . . . - e..- .. -. S ^h a .
9 2.2.2.4 Compar'ison with LGS 5 and GESSAR8 PRAs
. These two PRAs include more detailed selection of initiating events than do the RSS-BWR, Grand Gulf, and BRP-PRAs discussed previously, yet the ShPS-PRA includes all the initiating events of these two PRAs. In particu-lar, the following are considered in greater detail than in' the LGS-PRA, and in many cases, also in the GESSAR PRA.
- a. LOCAs : ,
- 1. Interfacing system LOCA is treated hn detail. ,
- 2. A treatment of steam line or main feedwater breaks outside containment (within the Reactor Building).
- 3. A treatment of breaks in the HPCI/RCIC steam supply or pump dis-s charge lines.
- b. Transients with Successful Scram Iso'1ation transients were separated to:
- 1. MSIY closure.
- 2. Loss' of feedwater flow.
- 3. Loss of condenser.
- c. Transient without Scram .
- 1. Loss of feedwater flow was treated separately from other -
isolation ATWS.
- d. Other Low Frecuency Accident Initiators :
- 1. Loss of a reference leg leading to loss of measured water level.
- 2. Loss of drywell cooling.
- 3. Loss of a DC bus.
4 Loss of the service water system.
- 5. Reactor building elevation 8 flooding-following a postulated release of excessive water.
Like other BWR PRAs , the SNPS-PRA does not discuss tne failure of RCP seal following a station blackout. 2.3 BNL Assessment of the SNPS-PRA Initiating Events and Success Criteria
. As seen in the. preceding section, the SHFS-PRA has gone into great detail in the selection of initiating events. This has resulted in a more realistic analysis that more closely follows the progression of the accident sequence.
23
e
. .. - .. ^ ::.:- . . . .
It avoids the need to assume mitigating systems failure based on the worst case response to the most severe initiator within a lumped group of initia-tors . Furthermore, the addition of special treatment of low frequency initia-ting events improves the insight into the sources of the contributors to core damage frequency in this plant. This last group of separately treated initia-tors is responsible, for one-fourth of the SNPS core damage frequency. BNL has accepted the list of initiating events and ~ grouping of the.SNPS- ' PRA' without significant changes. The increased detail in the initiators ' required a similar increase in the use of data and modeling to determine the
. frequencies of the initiating events and their course of progression. The +
SNPS approaches to accident sequence definition and data assessment are the subject of the next two sections and are given along with the BNL comments and independent assessment. BNL, in general, accepted the success criteria used by the SNPS-PRA. Tne same frontline and support systems used by SNPS are also used in BNL's re-assessment described below. Note that credit for the CRD system was not taken in either assessment even though it might be shown to be a conservative assumption. However, the impact on core damage frequency is small, as seen from Table 5.15-, which sh.ows the impact of credit given 'to CR0 system. The changes made by BNL with respect to success criteria are the follow- ' l ing:
- 1. RCIC is assumed incapable of preventing core uncovery in case of two stuck open relief valves.
- 2. HPCI is successful for two hours in the above case, but later only low pressure injection will be effective. However, at that time ADS would not be required. *
- 3. In the original Table 2.5, which is taken from the SNPS-PRA, it is
- stated that condensate injection or PCS would not be considered for :
Medium or large LOCA, but the corresponding SNPS-PRA event trees take . some credit for these systems (see note 5 in Table 2.5). This credit results in some decrease of the Class IIIC core damage state '(see Appendix SC.1 and Table 5.15). BNL accepted this success criteria for small, medium, and large break LOCAs where the break is above the core. However, additional analyses need be provided to substantiate credit given in SNPS-PRA for the liquid line large breaks at or below core level. Also, the procedures for replenishing hot well' inventory should be provided. l 4 Failure of any RHR loop is ' assumed to be an unsuccess f ul ATWS
. sequence for turbine trip and loss of feedwater initiators. Addi -
tional SNPS plant specific analyses pertinent to the determination of the increase in suppression pool temperature during ATWS events could potentially affect these criteria.
- 5. SLC initiation time between 2 and 10 minutes is considered a success-ful ATWS sequence. Results of analysis are insufficient to justify i the allowed time period between 2 and 30 minutes used. in the SNPS-PRA.
24 L_ _..,_-
C
- I
~ '
2.4 ' References to Section 2
- 1. Reactor Safety. Study- "An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants", WASH-1400, NUREG/75-014, October 1975.
- 2. "Probabilistic Risk Asses'sinent Limerick Generating Station", Philadelphia
- Electric Company, Occket No. 50-352, 353, Rev. 5, September 1982.
- 3. ' "Anticipate'd Transient Without Scram for Light Water Reactors ", U.S.
- Nuclear Regulatory Commission, NUREG-0460. ,
- 4. Additional Information Required for NRC Staff Generic Report on Boiling Water Reactors , GE Report NED0-24708, December 1980;
- 5. " Assessment. of BWR Mitigation .of ATWS", GE. Report NEDE-24222, Vols.1 &
2, December 1979. .
- 6. " Anticipated Transients Without Scram: A Reappraisal, Part 3--Frequency of Anticipated Transients", EPRI NP-2230, January 1982 (SNPS-PRA used the previous edition of this report--EPRI NP-801,19.*8).
- 7. -Hatch, S. W., " Reactor Safety Study Methodology ' Application Program:
. Grand Gulf #1 BWR Power Plant", NUREG/CR-1659/4 of 4, October 1981.
- 8. " Consumer Power Company Probabilistic Risk Assessment of Big Rock Point Plant", October 1981.
- 9. "Probabilistic Risk Assessment BWR/6 Standard Plant", General Electric
! Company, Docket 50-447. .
- 10. . Knuth (XMC) to Graves (NRC), " Supplement ATWS Eval uati ons ," letter -
dated December 2, 1982.
- 11. Private cccinunication with LILCO personnel (1984).
6 I e , . 25 i q t n+
m_ ,
- l Tabl e - 2.1 Safety Functions Requiredo f' r Initiating Events
- 1) Rende,r reactor subcritical
- 2) Protect reactor coolant system from overpressure failure
- 3) Remove decay and sensible heat from core
- 4) Protect containment from overpressure
, 5) Scrub' radioactivity from containment atmosphere
- Table 2.2 Safety Functions for Shoreham Nuclear Power Station
- 1) Render reactor subcritical
- 2) Protect reactor coolant system from overpre.ssure failure
- 3) High pressure injection'of coolant into core 4). Depressurization
- 5) Low pressure injection of coolant into core
- 6) Drywell heat removal -
- 7) Containment heat removal ,
- 8) Scrub radioactivity from containment atmosphere *
*Not considered in the review summarized in this report.
e 26
~- ~,-- -- .- ,ma
.:..-.- ..... . w .-
t 1 Table 2.3 Frontline Systems for Shoreham.Euclear Power Station Safety Function . Frontline Systems ,
- 1) ' Reactor 'subcriticality 1) Reactor protection system
- 2) Recirculation pump trip 3)., Alternate rod insertion
- 4) Standby liquid control
. 2) Reactor coolant system ' 5) 11 Safety relief valves (SRV) ,
. overpressure protection
- 3) High pressure injectipn 6) RCIC
- 7) HPCI,
- 8) CRO*
- 9) .Feedwater system with power conversion system
- 4) Depressurization 10)' Adtomatic depressurization system (7 of the 11 SRVs used for this function)
- 11) Manual depressurization
- 5) ' Low pressure injection 12) LPCI
- 13) LPCS '- s
- 14) Condensate pumps '
. i
- 6) Drywell heat removal. 15) Drywell coolers
- 15) Cont.ainment sprays
^
- 7) Containment heat removal .
- 17) RHR '
- 18) PCS
- 19) Suppression pool ,
- 8) Scrub radioactivity from 20). Suppression poo1* '
containment atmosphere 21) ' Containment spray *
*This system was non considered in the PR/. front end' analysis, sa
.e t
/
st t e mW v ,. : ; '
),, , ,a f . - :
- k.
Table 2.4. Compa.rison of SNPS, LGS, and RSS-BWR Safety Systems SNPS LGS RSS-BWR Power (MWT) 2436 ~ 3293' 3293 Containment MK-II (concrete Mk-II- (concrete with MK-I (free standing with steel liner) -steel liner) steel)
# Relief 11 SRVs 14 SRVs 11 SRVs val ves
# Safety ---
--- 2 valves RCIC 400 gpm 600 gpm 600 gpm HPCI 4250 gpm 5600 gpm minimum 5000 gpm LPCI 4 pumps, 10,000 4 pumps, 10,000 gpm 4 pumps, 10,000 gpm gpm.per pump per pump with 4
~
per pump with 2 with 2 loops loops loops LPCS 2 loops, 4725 gpm 2' loops, 6350 gpm 2 loops', 6250 gpm per loop with per loop with 2 per loop with 2 1 pump per loop pumps per loop pumps per loop ADS Valves 7 SRVs 5 SRVs 5 relief valves RHRHX 2, cooled by SWS 2, cooled by RHRSW 4, cooled by HPSW EDG 3 4 . 4, shared by 2
, units RPS _Has ARI, RPT Has ARI, RPT Has RPT SLC 2 pumps, manual- 3 pumps, automatic 2 pumps, manual actuation, 43 gpm actuation, 43 gpm actuation per pump (one per pump (2 pumps pump at a time) at'a time)
RHR 2 loops with 2 2 loops with 2100% --- pumps (100%) per pumps per loqp. Each loop. Each pro- loop serves 1 RHRHX vides 7700' gpm. for each unit (i.e., Each loop serves shared between units) 1 RHRHX. HPWS --- --- 4 pumps, 100% each - no cross-connection with other unit con-siuered ESW 2 100% loops with 2 100% loops with 2 1 100% pump per unit 2 50% capacity 50% capacity pumps pumps per loop, per loop. Shared Each pump 8000 gpm. between units. FW and . 2 turbine-driven 3 turbine-driven feed 3 turbine-driven Condensate feed pumps. 2 elec- pumps and 3 electric- feed pumps and 3 tric condensate and driven condensate electric-driven con- - booster pumps. pumps. - densate pumps. Containment Manually actuated, Manually actuated, Manually actuated, Sprays sprays either the sprays either the sprays either the drywell or wetwell, drywell or wetwell. 'drywell or wetwell. Plant Air Compressed nitrogen Compressed nitrogen Compressed air and and plant air backup plant air backup. plant air backup Compressed and accumulators and accumulators Nitrogey (allowing five (allowing five SRV ~ . SRV actuations). ac,tuations). 28
Table 2.5(1) Summary of Success Criteria for the Mitigating Systems..' Tabulated as a Function of Accident Initiators (LOCAs and Transients with Successful Scram)- Success Criteria Containment i Accident Initiator Coolant Injection - Heat Removal Large LOCA: 1 of 4 LPCI Pumps 1 RHR Steam Break > 0.08 ft 2 OR , 2 1 of 2 Core Spray Liquid Break > 0.1 ft Pumps OR s (5,7) 1 Condensate Pump Medium LOCA: HPCI 1 RHR OR OR Steam Break (5) 0.016 to 0.08 ft2 1 of 4. LPCI Pumpsh PCS Liquid Break OR I 2 0.004 to 0.1 ft 1 of 2 CS Pumps i and . OR ) (2) 1 Condensate -
! ADS (5) - - '
Pump Small LOCA: HPCI PCS OR OR RCIC 1 RHR OR OR Steam Break <0.016 ft2 1 Feedwater Pump RCIC OR in-Steam 2 Liquid Break < 0.004 ft 1 of 2 CS Pumps 3 condensing OR and mode (0) 1 of 4 LPCI Pumps > (2) OR I ADS 1 Condensate Pump i
)
29 t
Table 2.5 Continued , Success Criteria Containment Accident Initiatoi- Coolant Injection Heat Removal Transient Same as Small LOCA Same as small (Including Transient LOCA
+ 1 SORV)
IORY . Same as Small LOCA Same as small t LOCA~ s (3) 3 Transient + 2 SORVs 1 of 2 CS Pumps l 1 RHR OR j -and OR 1 of 4 LPCI Pumps ) (4) PCS OR l ADS - 1 Condensate Pump I (1)This is Table 1.5.2 of the SNPS-PRA, but corrections made according to their use in the PRA-event trees (5) includes ,
~
(2) ADS requires operation of only 'three safety / relief valves for adequ' ate depressurization. * ( )This line added by BNL reviewers and is different from SNPS-PRA. - (4)Feedwater or HPCI and the ADS functions are required, in this case, only , for the first 2 to 3 hours. After this, RPV pressure is assumed below 100 psi. . (5)These are corrections made to the original SNPS-PRA Table 1.5.2 based on the actual use in the PRA-event trees. (0)This option, considered in SNPS-PRA, is not regularly used by SNPS. The
- effect of this change is.given in Section 5.3, Table 5.15. .
N)BNL considered condensate pump injection unsuccessful for large LOCA l because the replenishing capability of the hotwell is about 1000 gpm, l which may not suffice. 1 - d 30 i-
Table 2.6 LOCA Success Criteria-Equivalent SNPS - LGS RSS4BWR Break Size Steam. Liquid ' Staam Lfguid $tet.t Liquid 31ameter , A*' A* OA* For 'trljection 4/4 CS a/4 LPCI 1/4 LPCI or 13.5 in. - or
- or 3/4 LPCI and 2/4 CS
' 1/2 CS or 2/4 CS .
Condensate < For Recir:tilation . and and 1/4 C5 of 1 RHR i RHR 1/4 LPCI and 8.5 in. . . , yrlR 1 Sl+ HDCI T (4 1 1/4 1PCIor{SRVs) e or l ADS ' 1/4 CS s 4.7 in. - m and : 52** l 4.3 in. - -
.1 l l HPC: 1 RHN 3.8 in. - 3;+ gpgg 3;+ HPCI or
- or $ or I' RCIC 1/4 LPCI l AGS [ of 2.5 in. - or i (3 6 1/4orL7CI"{ (2 ADS ' .
1/2 CS ("$RVs) 2/4 CS lSRVs) or I 1/4or LPCI 'l (4 SRVs) { condensate'" ard and ? ADS 1.7 in. . .
, PCS L I
32** 1 RNR S2** or 1/4 CS ' HPCI HPCI 1 MR and : or cr or 1.0 in. - RCIC PCS RCIC , (S2** 1 RHA or or i FW FW l 0.85 in. - or or 1 1/4 LPCI ' 1/4 LPCI I ADS CR0 or ADS ' or \ f,2 PUNP 0.6 in.- 1/2 CS (3 2/4 CS hS.RVs) _- or SRVs) aM - Condensates PCS of 1 RHR _ and PCS or 1 RHR 4 A: Large LOCA. *S1: Medt:= LOCA. S2: Sull LOCA 31
,.n . . ~ . - - . . , . -
i
. t 1
U
, i U
4 Table 2.7 SNPS-PRA: Success Criteria for ATWS Accident '
- Based on Modifications Implemented at Shorehamguences i
INAll%1till RLlNh(D
;. Isaill All 46 Rftdaf[2 (003 Assi Nf0tK10 SUPP9(55104 eMt I Alf litxtijega PGOL Clyttf4G (Wisal polmed pyg ggggg Ollas Alus 6LAltheC5 i l'8JtCillWe fu fle & I Stat 80lil Aldts aft.lff apf A05 (b) NPCI en fu Siluis off isPCI limittil[8 AI LEV (L 8 e l-hily (teitaat It A N ll N ll Il 1
Il N* i ItapulpdI "I IrlP NI 'I A N A .A N 11 N , Ne 1454W n A N 11 N. N A 11 Ne Itali faf (Jff.5llf M A N ll f P(M4A N N A N ,IIe 4 05G of M A liflPAltN 11 A 11 N N N lie .
- ,t.
b8'*% W A i. flMdit 14*.,1 et te It g Il N ll N lie A =
- N 4 Accept.ble last Acceptable (5.setensful);
(glot successfug).acceptable legilles s.o significant fissil elamage snel sigspression pool lemperatieres less than 240*f. e Ts.ese evaluattuns neglect operatar action to stop the laPCI free everfilling the vessel. If such action i.ere taken in 10 minutes af ter level resuvery line putential was dilutlose. appasent to she operatur. successful shutdoun would probably be maintained since the encess boron provided enould be greater than (a) Cu.Jinnatibn> of failurus esot shuun on the above table as acceptable shoisid be conslJered unacceptable. These saaccess criteria can be used to , evaluat,e 84a4s s r less. the suuus.ful states of 414 plant folloulag an AlW5 free less than 251 pouur. Note that itPI is not required for seeluences from 251
. s it.)
58 0 lusti.attua is a asumul operation 6Ailch shanald las performed in the tiens frase of 2 to M,. minutes. " ' (t) stC taillallun a6.y lw: , an.3 iss kuter tan Le u.ute olleJ..lelayed for a eclatively long parlod of Lisan (l.a. hours) If sufficient tusibleie bypass capability entsts (i.e. > 251) , (.11 t jggisgy j,pjg_t.inal.leruJ .tceptable if line feedustir can be controllest at a relatively low flame so finat steamlag fleid rates are below bypas j ! (c) t All iloi. ahn.)ec transimni3. in a usleculatlun fluw outside of acceptable llenits ae's treated as leading stoare a tus blaie tripfeeduater all increasing a 1 6 I
r
?
, t. Table 2.8 BNL Review: Success Criteria for ATWS Accident Sequences
, Based on Mosjifications Implemented at Shoreham(a) .
(f tt(I of rel(ItilAL Assutil004AL IAltlanti (In AJditlen to AAl f ailure) g suAtailt asi itannIn attae'En (0:4 ANT N(Ott'10 $UPPN(5510ts Inlil Alltat. (Mt i Alf litJf tlleil P60t. (OfstilaG OilEE Alus itAlleC5 (UElei pg g *,,tga Put55taf l'ut CIIlWI fu (u A 1 Slet 80Ill Attits p(Lltf PI A05 larcg CA FW Salui$ ofF ' (g,) ggig g 1888188IIS AI LEVEL R 6 Ir.t v at A N 88 N al Il N lit t's ditmE I "I liestsise.! MI 'I A( I Il N N al 88 30 81 ' IFIP Itav 4 18 3 II 38 M A 18 lie , (.,, Itan is Off-LIII gg A g al' s al A, II 11 6 P(HE R (J cd . . . . _ . . . . . - . . _ . . . . _ . ._ liln he g g g ll OriAltet gg Q 3 11 II Ile
. .- .. . . . . . .. - =__
I du '* It 4 (Ot:06 la'at u A N g Il N N It 11e 1 7 A =. Acceptable (Suu ussful) aueptable tagilles seu signifIcant final elamage anel sigepression pool temperatieres less than 240*f.
, n it.t Au=ptable (isot successful). .
1 e lhese evaluations sie.31ect operator actiuo to stop the HPCI from overfilling the vessel. If such action were taken 'In 10 minutes af ter level rutovery was appaeunt to the a,peratur. successful shutdoun would probably be sialatained since the eacess boren provided would be greater than tha g.utential dilutions, t (4) foni.t.suatloeis of failurus not slaussi un the stauwe table as atteptable should be considered unacceptablg. These success criteria can be used to evaluat,a paa.e er less. the suuun.ful states of ti.e plasit folloulnes an AIWS from less alian 25g pr. Isote titat it I is not required for seetuences from 258 th) :J C isettlattua is a maiuul apes ation sdalcle shiuald I.e perforued in lise*tless (nee of 2 to go minutes. (I SIC lattiallun muy t.4 JulayuJ fur a eclatively lon.J tws-led of time if sufficient tuabisse bypass capability entsts (i.e., a 251)
...a Ima ier ca. t ci i.oined. ;
(d3 hj.M % ' u % .'"a' ' d""d * """' ' ' 8 ' "'" '" *'" ' "" '* "" ' '* "
- d * * * " ' * * ' b ' *" " " '" ' "* * ' ' * ** ' ** ' '" ' *" '" br* * * *
() All si..u (line. tu tuttitulaslun lluw outside of acceptable limits are treated as leading to a tushine trip as are all increasing feeenter teamstmuta. I l ' i .O
._ . _ . . . ..__.___.._u.- J-- . _ ._, _ - Table 2.9 Suppcrt Systems for Shoreham fluclear Power Station Frontline Syttem Supoort Systems l
- 1) Reactor Protection System 1) AC/DC - Electric ' Power Systen (EPS)
- 2) Alternate Rcd Insertf or. 1) AC/DC - Electric Power System I
- 3) Standby Liquid Control 1) AC/DC ~ Electric Pcwer System
- 4) R' e circulation pump trip 1) AC/DC - Offsite Power
- 5) High Pressure Core Injection. HPCI 1) DC* - Electric Power System
- 2) Condensate Storage Tank .
- 6) Reactor Core Isolation Cooling, 1) DC - Electric Fower System RCIC :2) Condensate Storage Tank j
~
- 7) Feedwater System 1) AC/SC - Offsite Power
- 8) Automatic Gepressurization Systen 1) DC* - Electric Power System (7 SRV's used for this function) 2) Compressed Nitsogen System /?lant Air Sys ten
- 9) fManual Depressurization 1) OC - Electric Pcwer Systan
- 2) Cogressec Nitrogen System / Plant Air Systec
- 10) Low Pressure Core Injection.. LPCI 1) AC/DC Electric Pcwer System ,
- 2) Service Water System ;
- 11) Low Pressure Core Spray, LPCS 1) AC/DC Electric Power System
~
- 2) Service Water System .
- 12) Condensate Pumps 1) AC - Offsite Power
- 2) Co6densate Storage Tank ,
- 13) Residual Heat Removal, RHR 1) AC ' Electric Power S) Stem
- 2) Service Water System .
- 14) Power Conversion System, PCS 1) AC/DC Offsite Power ~ f
- 15) Room Coolers 1) AC - C"fsite Pcwer (Manual Transfer to EPS) *
- 2) Service Water Systen
- 16) Suppression Pool ----- '
- 17) Containment Sprays 1) AC - Electric Power System
- 2) Service Water System
- ADS is dependent on the cperatice of one LPCI or LPCS puep, which is unavailable upon loss of AC power.
O E 4 4 34 i
~ ' ~
. Table 2.10 Electric Power . Systems SNPS RSS-BWR LGS a) Three diesel generators Two diesel Four diesel generators / unit generators / unit t
- No bus ties - Inter unit bus tie - no inter unit bus ties b) Three load divisions Two load divisio..s/ unit Four load
, _ division / unit c) Three ESF divisions: Two ESF divisions Four ESF divisions
- Two main divisiera
- One division for 2/4 LFCI and RHR d.) Three 125 V CC Class 1E Four 125 Y bC Class 1E Four 125 V DC Class buses. Two of them buses between two IE buses for each '
feed-ing nest ESFs. units, unit.
- No bus ties - With bus tie - No bus ti.e
- One battery . One battery - Two battery enarger/ battery charger / battery chargers / battery e) Two 138 'KV and one One 230 KV and one Three 500 KV and 69 Kt/ incoming lines 13.8 XV incoming lines two 230 KV incoming lines
- Two separata - One switchyard - Two separate switchyards ,
switchyards l l i i i f 4 4 35-l
4 Table 2.11 Summary of the Categories of BWR Transients Used in SNPS-PRA to Classify Operating Experience Data on Anticipated Transients *
. Transient' Initiator Group **
- 1. Electric Load Rejection TT
- 2. Electric Load Rejection with Turbine Bypass Valve Failure TC
- 3. Turbine Trip TT
- 4. Turbine Trip with Turbine Bypass Valve Failuce TC
- 5. Main Steam Isolation Valve Closure TM
- 6. Inadvertent Closure of One MSIV (Rest Open) TT
- 7. Partial MSIY Closure TT
- 8. Loss of normal Condenser Vacuum TC
- 9. Pressure Regulator Fails Open TT
! 10. Pressure Regulator Fails Closed TT
- 11. Inadvertent Opening of a Safety / Relief Valve (Stuck) TI
- 12. Turbine Bypass Fails Open , TT
- 13. - Turbine Bypass or Control Valves Cause Increased Pressure TT (Closed) .
- 14. Recirculation Control Failure -- Increasing Flow TT .
- 15. Recirculation Control Failure -- Decreasing Flow TT
- 16. Trip of One Recirculation Pump TT
- 17. Trip of All Recirculation Pumps TT
- 18. Abnormal Startup of Idle Recirculation Pump -. TT
- 19. Recirculation Pump Seizure TT
- 20. Feedwater -- Increasing Flow at Power TT i 21. Loss of Feedwater Heater TT i
l . 36
Table 2.11 Continued. Transient Initiator . Group **
- 22. Loss of All Feedwater Flow . Tp
- 23. Trip of One Feedwater Pump (or Condensate Pump) TT
- 24. Feedwater -- Low Flow T.T
- 25. Low Feedwater Flow During Startup or Shutdown TT j 26. High Feedwater Flow During Startup or Shutdowrt TT 1 27. Rod Withdrawal at Power TT
- 28. High Flux Due to Rod Withdrawal at Startup TT
- 29. Inadvertent Insertion of Rod or Rods -
TT
- 30. Detected Fault in Reactor Protection System . TT
- 31. Loss of Offsite Power TE
- 32. Loss of Auxiliary Power (Loss of Auxiliary Transformer) TT
]
- 33. Inadvertent Startup of HPCI/HPCS TT
- 34. Scramd' ue to Plant Occurrences TT
- 35. Spurious Trip via Instrumentation, RPS Fault TT . -
- 36. Manual Scram -- No Out-of-Tolerance Condition Ty i
i 37. Cause Unknown TT .
*From EPRI-SAI Study6 ,
**T T - Turbine Trip TM - MSIV Closure .
TC - Loss of Condenser TI - Inadvertent Open Relief Valve TE - Loss of Offsite Power Tp - Loss of Feedwater Flow i 'l l 37
. t , . . _ , - . - . . . , - - , - _ _ ,__s..__..y___
____7 _
,_e_ y _-._,,_-,_,,._,_.,m- _ ,- - - , ,r-.-.7.,_ _
._<r,- - - . - ,.__.my_ - - . ~ '
e . . -. . .-. ~.- . - . .. . Table 2.12 BWR Transients (Reactor Safety S,tudy Table I.4-12) Likely Initiating Events
- 1. Rod Withdrawal at Power
- 2. Feedwater Controller Failure - Max. Demand
- 3. Recirculation Flow Control Failure (Increasing Flow)
- 4. Startup of . Idle Recirculation Pump
- 5. Loss of Feedwater Heating
- 6. Inadvertent HPCI Pump Start
- 7. Loss of Auxiliary Power
- 8. Loss of Feedwater Flow
- 9. Electric Load Rejection (Turbine Valve Closure)
- 10. Turbine' Trip (Stop Valve Closure)
- 11. Main Steam Line Control Valve Closure
- 12. Recirculation Flow Control Failure (Decreasing Flow)
, 13. Recirculation Pump Trip (One Pump)
. 14. Recirculation Pump. Seizure
- 15. T-G Pressure Regulator Failure - Rapid Opening 38
12 w - _ . _ . . 2 --
. I
~
Table 2.13 Initiating Events for BRP PRA 'for
. Which Event Trees Were Developed
- Frequency
; Initiating Event (per year)
Turbine Trip 1.4 Loss of Main Condenser.- 6.0x10- 2 S'purious Closure of MSIV 6.0x10-2 Loss of Feedwater 1.6x10-1 Loss of Offsite Power 1.3x10-l' s Loss of Instrument Air 6.0x10-2 , Spurious Opening of Turbine Bypass Val ve , _ 1.0x10-1 . S'purious Opening of RDS Isolation Valve 1.2x10-3 i . Spurious Closure of Both Recirculation Line Valves 1.7x10- 2 , Stuck-Open Safety Valve . 2.6x10 4 Interfacing LOCA 1.98x10-3 . High Energy Line Break in Recirculation Pump Room 3. 9x10- 7
~
, High Energy Line Break
- in Pipe Tunnel- 3.8x10-6 4 Small LOCA 1.0x10-3 1
Medium LOCA 1.0x10-" Large LOCA 1.0x10-5 Small Steam Line Break Inside Containment 1.0x10-3 f Medium Steam Line Break ' Inside Containment 1.0x10-4 i 39 l 1
- ~^
L- .2 L.
~
e
- 3. ACCIDENT SEQUENCE DEFINITION The introduction to this section presents the general methodology used in-the SNPS-PRA and an overview' of BNL comments. Sections 3.2, 3.3, and 3.4, provide a discussion and the major conclus. ions of the review on the following-topics: the SNPS-PRA accident sequence definition and the qualitative description of the event trees; the system fault trees that were used in the SNPS-PRA; and the various aspects of human performance analysis that entered into the risk assessment. .
- 3.1 Introduction 3.1.1 The General Methodology To assess the various accident s equences , i.e., the combinations of system failure events . that, following the initiating events, lead: to core i damage, the SNPS-PRA used an approach based on the event tree and fault tree ,
techniques. This approach differs, however, from that utilized in the Reactor Sa f ety Study in the following way. In addition to using . functional and i systemic event trees and system fault trees, the SNPS-PRA employed three vari-ations of these techniques , namely, the time-phased systemic event trees , the functional fault trees, and the functional-level event trees. The logic employed in the SNPS-PRA for the definition of the accident sequences is as follows: a) Twenty one functional event trees were developed for the different acci- ' dent initiators (see Table 4.1) considered in the SNPS-PRA. A functional event tree depicts combinations of safety functions that can lead to a i safe core condition or core damage, or constitute an initiating event for some other kind of potential accident. The SNPS-PRA functional event trees employ a finer safety function decomposition than that of the RSS functional event trees. For example, the coolant makeup function was decomposed into high pressure and low pressure makeup (see also Table 2.2). The combinations of the failed safety functions in these trees - (tree paths) that can lead to core damage constitute the accident sequences for the SNPS-PRA. The quantification of each branch point in the functional event trees was done with the help of functional fault trees, functional-level event trees, and system f ault trees. Table 5A.2 in Appendix SA is an example of a functional event tree developed in the SNPS-PRA. b) For certain functions in the functional event trees, functional fault trees were developed. In these latter trees, the top event is the failure of a particular function and this failure is further decomposed into fail-ures of the. frontline system which perforns this function. For other functions in the functional event trees, functional level event trees were developed. These trees depict combinations of system successes and fail- , ures that can lead to a success or failure of the function in question. Figure SE.2 is an example of a functional fault tree. Table SA.1 is an t l example of a functional level event tree. l c) For some functions in the functional event' trees -- those entailing sys- { .tems that can be recovered (if failed) during the course of the accident ' 40 i I
-- - . - - - . _ . - - .. -.- - -- - w
~_ '_2" - " :_.-
~
-- time-phased event trees were constructed in the SNPS-PRA. The headings
, of these event trees are the states of the involved systems at various instants of time, e.g., unavailability of AC power one half hour after ,
4 initiation of the accident. This approach is equivalent to discretizing ! the recovery times of the various systems, and it thus allows for incor- i poration of recovery in the analysis. The main application is in the loss ! of offsite power event tree, e.g., Table 58.1. BNL, in addition, used a time-phased event tree in the evaluation of the loss o'f service water sys-f tem initiator. ,
. d) Unavail bilities for some systems in the funct'ional event trees, the func-
, tional fault trees, and the time-phased systemic event trees were obtained by developing system fault trees.
Functional fault trees, functional-level event trees, and time-phas ed 3 event trees were employed in the SNPS-PRA to account for dependences among
; frontline systems (through . shared hardware or comon support systems) and to account for the possibility of recovery of systems that were unavailable .at the initiation of the accident.
~
4 The various types of logic trees employed 1n the SNP.S-PRA along with the modeling of human errors and of dependences are further di.scussed in Section
- 3.3 below. The functional event trees, in particular, are discussed in l Section 3.2. Coments on the modeling of human performance, which has also i been extensively used in part of the PRA, appear in Section 3.4.
l 3.1.2 Functional Event Tree Development a
- In general the functional event trees start with an initiator, followed j by i the subcriticality function. If the reactor is not subcritical, the
! sequence is transferred to the .ATWS group of functional event trees. .-
Transfers are made also to LOCA event trees or to other event trees for
- continuation. For sequences in which there is a successful insertion of control rods, other functions are evaluated, including adequate pressure control, coolant injection, depressurization, containment heat removal, and .
4 others . The end points of the functional event trees in the SNPS-PRA can be
- one.of the following
a) Successful shutdown and cooldown. b) Loss of coolant makeup core damage (for transients) Class I c) Loss of containment heat removal and drywell failure Class II while coolant makeup is available to the core (All) d) Accident sequences follcwing LOCA resulting in core damage Class III
- (LOCA) e) Accident sequences involving failure to insert negative Class IV
- reactivity leading to a containment failure due to high
! containment pressure (ATWS) i ' . f) Unisolated LOCA outside containment resulting in core damage- Class V
. with drywell bypass '
I
! 41 l 1
....m.
. --m _.
g) Transfer to other sequences which .will then result [in one of the above six end points. , , A successful shutdown and cooldown i.s -defined in the SNPS-PRA as condi-tions such that the reactor reacnes hot stable shutdown. This is character-ized by conditions such as: reactor is subcritical; pressure in the reactor is stabilized; temperatures in the fuel and reactor are within all limits; containment and suppression pool cooling are maintained; and reactor pressure vessel. level is controlled. , 3.1.3 Qualitative Dependence Analysis [ This section provides an overview of the' dependence modeling used in the SNPS-PRA and of the review comments and modif~ications.by BNL. Detailed dis-cussions on the quantification of these dependences appear in Sections 3.3 (fault-trees) and in the Appendices to Section 5, in wnich the quantification of the SNPS-PRA accident sequences is discussed. fapazoglou et al.1 give details on the various types of dependences, wnicn can be classified as 1) functional, 2) . physical, and 3) human induced dependences. Note that these are not mutually exclusive. A finer resolution yields the following six categories: 1) system functional dependences, 2) system physical dependences, 3) system humanly induced dependences, 4) com-ponent functional dependences, 5) component physical dependences, and 6) com-ponent humanly induced dependences. 3.1.3.1 System Functional Depe'ndences This type of dependence can be enaracterized by a functional relationsnip between two or more systems. Functional dependences due to " process coupling" (i .e. , input-output relationships) are best modeled in the functional event trees. These dependences were in general properly addressed in the SNPS-PRA. Most noted examples are: a) HPCI, RCIC dependence on suppression pool water temperature. , b) HPCI, RCIC, LPCI, and LPCS dependence on the ECCS equipment area tempera-ture in Elevation 8 of the reactor building in case of LOCA outside con-tai nment. c) Water level measurement system dependence on crywell temperature anc reactor vessel pressure. d) Failure of ADS safety relief valves due to excessively hign drywell pres-sure. . No significant omissions were found in the PRA. In one case, however, a
" process coupling" was assumed which is not correct in most incidents. The SNPS-PRA assumed that HPCI, LPCI, and LFCS would be initiated automatically by high drywell pressure (1.7 psi) or low reactor water level signal. This is true for LOCA or ATWS situations, but for most transients (all transients apart from loss of offsite power and loss of drywell cooling, wnich amount to approximately 4% of tne total tra'sient n frequency) and for manual shutdowns it will take at least one hour after the initiation of the event (see Table 5F.1) i 42 l
[ .
^
w- - 1 l
'to reach the *high drywell pressure setpoint (1.7 psi). Thus, in these events l all ECCS injection systems depend only on the reacter four water level trans-mitters (N091A, 8, C, D) for their automatic initiation *. Consequently, the l miscalibration of these four transmitters wculd cause the automatic initiation failure of the high and low pressure systems following a transient (s ee Appendix 5A.1.4).
'Another case of dependence included in the BNL review is the tripping of the drywell cool ers . If these coolers are not recovered within 10 to 15 mi'nutes, then the drywell temperature is expected to rise quickly, reaching a drywell' pressure of 1.7 psi. This will cause the isolation of 'all drywell coolers, mal 41ng recovery more difficult.
In the event that containment heat removal (i.e. RHR cooling of the sup-
; pression pool) is delayed for two hours or more, the drywell pressure is also expected to reach 1.7 psi, tripping the drywell coolers , and in about 15 addi-i tional minutes the drywell temperature is expected to rise to =300*F, which i
may be sufficient to impact level measurements if RPY should be at low pres-sure at that time. However, as shown in Appendix 5F, this dependence is of moderate significance. Functional dependences due to," hardware coupling" were also treated in j the SNPS-PRA. These dependences are best treated by combining all the system fault-trees of related systems, and subsequently performing Boolean reduction )) of the resulting " super tree." This .has been done for several functions only in the SNPS-PRA (e.g., RCIC - HPCI - ADS: see Table 3.1 for complete list). The best way,. as stated above however, is to combine all the systems fault trees on the same accident sequence leading to core damage, and perform their liddTean reduction. was not done by SNPS-PRA. Treatment by this It was donecorein~damage BNL pastfaultreviews trees 2,(C0FT)
, . In approach this BNL review, the CDFT app' roach was judged to be unnecessary because of the follow-ing features of the. SNPS-PRA:
.a ) detailed treatment of functional dependences in the functional level event trees ; .
b) the Boolean reduction for some of the functions; c) treatment of frontline system dependences on support systems such as
- AC Power,
- DC Power,
- Service Water System, and
- Drywell Cooling; and d) transfer of support system unavailabilities during transients to initi-4 ators treating the loss of the support systems.
The most notable examples of functional dependences included in the SNPS-PRA functional event trees are the following:
*Shoreham is currently adding level instrumentation, and isolating the HPCI initiation from the.other ECCS equipment. This may reduce significantly the -
- probability of losing automatic initiation of ECCS.
' 43 1 .. 1
b_- _. R . ._ _ _ .. _ . - _ ... _ .1._ i a) Shared hardware between the low pressure coolant injection system (LPCI) and the RHR system, , b) Shared hardware between' systems within the same function, such as HPCI with RCIC and LPCI with LPCS (shared water level instrumentation). c) RCIC in injection phase and in steam condensing mode. d) A system failure as part of .the initiating event and its unavailability as a preventing frontline syst'em. An example is the assumed unavailability of feedwater injection when the initiator was loss of. condenser, and an increase in unavailability of PCS for this case. e) PCS and the condensate pump's injection. ! f) HPCI and RCIC failure due to loss of DC power 4 to 10 hours after station blackout. ' i As in to the case of " process coupling," BNL modifications to the func-i tional event trees were related largely to the quantification of dependence. Most dependences were. judged to be taken into account by SNPS-PRA. However; the degradation of the Power Conversion System (PCS or the W" function) due to
, feedwater system f a1 Ture in the injection phase (the Q function) was not j always treated consistently, or was not sufficiently supported. Because of the large number of transients, in almost any of which the recoveries of PCS ! and MSIV were evaluated to'have somewhat different probabilities, BNL decided.
I to employ functional level event trees 'using consistent' sets of values for their quantification. This BNL approach to the treatment of dependence i between Q and W" functions is discussed in Appendix 5A. It has some impact on ] the frequency of Class'II core damage.
- 3.1.3.2 System Physical Dependences This type of dependence was treated in the SNPS-PRA in an appropriate
- way. Important examples are the following
- -
a) The effect of loss of containment heat removal on drywell temperature and ' i pressure, which affects other systems such as drywell integrity. ; ) b) Loss of room cooling resulting from station blackout or loss of service water system. { c) Effect of flooding on ECCS systems located in reactor building. No significant omission was found in the review. i 3.1.3.3 System Human Induced Dependences These dependences were also addressed to a limited extent. They include , operator cognitive errors. Examples of dependences appearing in the SNPS-PRA are the following: a) Failure to inhibit ADS in an ATWS event. . i 44
- . , - I
.--c, r ~n,, , . - - . . . - . , -
, . . - . - , . . - - - . - , . - , , - . , - - . - - - ,w-. - - - va - s . - . . ,- - .
a -
~
l . l b) Failure to initiate feedwater runback in an ATWS event. c) Failure to reduce water level and maintain it above level 1* in the' case of ATWS. d) Failure to depressurize, flood the reactor vessel and maintain level 3 in cases of conflicting water level measurement readings. e) Delaying depressurization in blackout events. Maintaining pressure con . sistent with HPCI and RCIC operational pressure, and suppression pool tem-
- perature.
f) Failure to control HPCI and RCIC flow when level instrumentation is un-available during a blackout event.
- 9) Failure to control condensate flow rate. in case of a large LOCA.
It is seen that tne SNPS-PRA in many cases included cognit.ive errors of operators (see also Table 3.2). Errors of commission, that is, the turning off of a system contrary to procedures, were excluded from the SNPS-PRA anal-ysis, as in past PRAs. However, if control room information was unavailable or conflicting, a prooability for cognitive error of commission was considered in the SNPS-PRA. An example is the act of early erroneous depressurization by the cperator in the event of loss of a reference leg in the water level ' mea-surement system (see Ref. 4, page 0-14 Figure 0-6). BNL judged it reasonable to assume erroneous acts of commission wnen information is conflicting and wnen procedures exist which suggest depressurization in a case of other simi-lar conditions. Appendix C of Ref. 4, which deals with core damage frequency contributed by tne water level measurement system, deals mainly with quantifi-cation of tnis kind of dependency. BNL accepted many of these treatments (see Secticn 3.4 and Appendices SE and 5F), sometimes with quantification enanges, and in some instances with a model change. . 3.1.3.4 Comoonent Functional Dependences This type of dependence was implicitly addressed in the SNPS-PRA in that tne fault trees were oeveloped up to a point where no functional dependence exists between the basic events (component f ailures). 4 3.1.3.5 Component Physical Oeoendences The SNPS-PRA nas included on some of the f ault trees basic events related to physical dependence in the plant. Some examples of physical dependences in tne fault tree analysis are tne following: ! a) Contamination of all SRVs' solenoid valves of the ADS system. b) Suppression pool water unavailability due to common-mode f ailure clogged strainers.
' Level 1 (ratner tnan TAF) is suggested in the SNPS-PRA and response (52 to BNL questions.9 .
8 , 45 t
i [ 3.1.3.6 Component Human Iriteraction Dependences . The SNPS-PRA includes a large number of miscalibration errors and mainte- l nance errors. Miscalibrations appear on almost every fault tree and contrib- ~ ute significantly to system unavailabilities (some examples are shown in Table j 3.3). 3.2 Qualitative Description of Functional Event Trees * , Th.e functional event trees used in the SNPS-PRA p'rovide a logical method i
' ' for developing and displaying accident sequences which may follow an initia'- !
ting event. In the following subsections some of the'more important function- l l al event trees of SNPS are discussed qualitatively and the major modifications "
- made by BNL are presented. ,
l 3.2.1 Turbine Trip (T T) (Appendix 5A.1) f 4 j This type of transient presents the least chalienge to the plant apart from manual shutdown. Both feedwater available and feedwater unavailable ' cases are considered in the event tree. The turbine trip functional event ! tree (see Table 5A.2) comprises thirteen safety functions. The failure of the
. first function, reactor subcriticality (C), results in an ATWS event which is j more appropriately addressed in the turbine trip ATWS functional event tree '
shown and discussed in Appendix 50. After the reactor has attained subcriti-cality, failure to acconmiodate that pressure surge caused by the transient due , to failure of safety relief valves (SRVs) to open (M) is conservatively i i assumed to result in a large LOCA event. The success and the failure of the SRVs to reclose lead to two different, yet similar, sequence paths.
!' Both branches are then evaluated for the high pressure system functions, viz., the (
1 feedwater function, Q, and the HPCI or RCIC functior:, V. The Q function in ! ) the SNPS-PRA includes different recovery assumption for each of the cases' of ,! the turbine trip--with and without two. SORVs. The Q function is evaluated in ! the BNL review on the basis of the SNPS-PRA general approach and data, with a i j functional level event tree used to model the recovery of feedwater and the l PCS in half an hour (see example in Table SA.1). If the high pressure , i functions are successful , core damage may not occur, provided that the , l l containment heat removal function is successful. If it happens that both high ! j pressure functions fail, then, before the timely ADS actuation function, X, is J evaluated, the SNPS-PRA provides the operator a "second chance" to recover ! feedwater. This is also included in the Q function of the BNL functional i j level event tree, rather than in the functional event tree as done in the ! 4 SNPS-PRA. The ADS function automatically depressurizes the RPV upon reaching ; j level 1. Next, the low pressure injection, V, is modeled, and can provide > l successful injection. This function in the SNPS-PRA is given in detail by the I i separation into LPCS, LPCI, and condensate injection. Failure of the contain- 1
- ment heat removal function (W) or the low pressure injection or the timely AOS !
- actuation function leads to core damage. The W function in the SNPS PRA has j
; two subfunctions: RHR with RCIC steam condensing mode, W', and PCS, W". The l PCS is included in BNL functional level event tree. i l
46 l l 1 I
j.__- _. =- __.m. I . 1 i . f . l 3.2.2 MSIV Closure / Loss of Condenser / Loss of Feedwater Transient (T M , TC> > TF ) (Appendix 5A.3, 5A.4, 5A.5) - i i i These types of transients lead to a inore significant challenge to the ! plant than do the turbine trip transients. .The MSIV functional event tree is ,
- identical in structure to that of the turbine trip because of the similarities
- in the required response of the safety functions of the plant to mitigate the - ,
l events. The only difference between the two functional event trees resides in i j the reduced unavailabilities of the feedwater/ power conversion system both for. i high pressure injection and for the long-term containment heat removal func- - 1 , tions. This is due to the more significant challenge to the p1' ant from a MSIV closure initiator, .as noted earlier. The loss of condenser .(T C ) is similar j to MSIV closure, but has no recovery of FW in the short term, and low avail- > j ability of the PCS in the long term. It is more severe than MSIV closure. 4 The differences are more. clearly seen from comparison of the functional level j event trees of the BNL approach (Tables SA.5 and SA.9). Loss of FW (T F ) is 1 the weakest challenge of the three, and the SNPS-PRA treats it also sepa-rately. l 3.2.3 Inadvertent Open Safety-Relief Valve (T I) (Appendix 5A.6) l 4 This transient was treated separately because the. operator must recognize i i the event and manually scram the reactor. Additionally, the containment con- '
! ditions 'are different from those during other transients because of the higher j total heat addition to the suppression pool at the time of plant shutdown, i which places a more significant demand on the containment heat removal func-j tion. The SNPS-PRA also assumes that MSIV closure occurs in all IORY cases. ;
t l The principal distinction of this tree stems from the three branches ! 4 depicted for the timely scram initiator functioh, c' - c" (see Table 5A.12 in -
! Appendix'5A.6). The top branch represents a successfur timely scram in which . } no additional .requ.irement is placed .on the cooling of the suppression pool.
1 The center branch denotes the scenario in wnich the reactor is scrammed prior i' to the suppression pool . reaching a temperature requiring prompt RHR system i operation and PCS recovery. The third branch is equivalent to failure to . scram the reactor prior to exceeding the containment heat removal capability I and is transferred to the ATWS event tree analysis. The feedwater/PCS system ; is not evaluated in this tree because operational data indicate that during an i 10RV event the MSIVs may close, thus causing all decay heat to enter the sup-4 pression pool. BNL gave credit to MSIV reopening for long term containment j heat removal as in the cases of two SORVs or medium LOCA (see Appendix 5A.6). ] 3.2.4 Manual Shutdown (Ms) (Appendix 5A.2)
, This event tree accounts for challenges to the plant resulting from a j controlled manual shutdown -- not a scram but a manual control rod insertion j in a slow, orderly manner. Examples of such shutdowns are scheduled or forced maintenance outages and refueling outages. ! Operating experience indicates that because of the controlled nature of j the transient, the SRVs are not challenged. Therefore, only the high pressure
] injection function,* timely ADS actuation, low pressure injection function, and the contiainment heat removal functions are evaluated. Failure of the high pressure functions, and failure of the timely ADS actuation function, X, or 47 a .
.- .-. =-
_ - - - -.. - - . .- - - _ .... . .- ~ the low piessure injection function would lead to core-damage. Failure of the containment heat removal function results in the loss of drywell. No changes were made to this event tree. . However, a functional level event tree was prepared to treat the dependences between the FW/PCS system in the injection and containment heat removal phases. 3.2.5 Loss of Offsite Power (T,E) (Appendix 58) This transient provides unique initial conditions for accident sequences because of the loss of. AC power and the resulting demand for the diesel gener- . ators. The initial condition .of loss of AC power affects the majority of the frontlin'e systems since AC power is needed for most plant systems. This tree has been time phased for.the coolant injection and containment heat removal functions to account for recovery of AC power. BNL modified the SNPS-PRA event tree mainly with respect to containment heat. removal, which was treated by BNL on the ' LOOP event tree rather than transferred to the MSIV closure event tree. 3.2.6 Comparison with the Treatment of Transients in RSS and LGS-PRAs The transient event tree. in the RSS (Figure I 4-16 in WASH-1400) was a single tree used by the RSS for all anticipated transients requiring reactor , shutdowns from power operation. l The SNPS-PRA approach is considered to be a significant improvement over the one-transient event tree in the RSS. The use of separate event trees for MSIV closure (TM )/ loss of condenser (Tc)/ loss of feedwater (T F ) in the SNPS-PRA is an improvement over LGS-PRA. The RSS analyzed the loss of offsite power transient by using the same transient event tree. The SNPS-PRA added more detail over this simplified approach in 1ts loss of offsite power (TE) event tree. This is considered to be a significant improvement. The use of .- the T[ tree in the SNPS-PRA is another improvement over the RSS approach. . The RSS concluded that these types of transients are insignificant to the frequency of core damage.
~
3.2.7 LOCA Event Trees (A, $1 , S 2) (Appendix SC.1) For the LOCA-initiating events the SNPS-PRA developed three functional event trees corresponding to the three break size categories (large, medium, small) as was done in the RSS. The small LOCA event tree is almost identical to the transient event trees, and in particular to the case of IORV. The medium LOCA is similar to the small LOCA; the only differences are that RCIC is not sufficient to prevent core uncovery, and that high RPV pressure decreases with time. In the case of large LOCA only low pressure injection systems can supply coolant injection. The LOCA event trees used in the SNPS analysis are slightly different from those used in the RSS. The three event trees model the different effects on the reactor and the different success criteria required as' a function of LOCA break size and location (liquid or steam break). The large LOCA event tree handles the breaks that depressurize the reactor, and the two smaller LOCA trees handle the breaks that do not cause immediate reactor depressuriza-tion.
, y 48 e
i
; a .. . . .. . - .
..- x .: a . w The SNPS-PRA large LOCA event tree (shown in Table SC.1) differs. from the one used in the RSrS. It contains the.same systems and has the same structure as the RSS event tree with the exception of the containment leakage (G), and core cooling functions (F).
The medium LOCA and small LOCA* event trees for SNPS-PRA (Appendix SC, Table SC.1) also differ from the RSS small LOCA event trees. Vapor suppression (D), and containment leakage (G) were eliminated since their effect is small and treated in the Containment Event Tree (CET). Since the plant's reaction to a small LOCA is similar to a transient, the small . LOCA *
, ev,ent tree resembles a transient event tree (IORV).
LOCA outside containment.was considered in detail in the~ SNPS-PRA. The event tree is basicaly similar to that for a large LOCA. Only large LOCA was considered to be a significant problem because of the short time available for preventing core damage .(Appendix SC.2).. 3.2.8 ATWS Event Trees (TT . M, TI , T F, T )E (Appendix 50) ' The SNPS-ATWS event trees handle those transients which do not result in successful scram. These trees include analysis of the five major transient groups (turbine trip, loss of feedwater, MSIV closure, IORV, and loss of offsite power). Thus, there are five ATWS event trees:
- 1) Turbine trip - In the event of a turbine trip with failure to scram, two scenarios have been developed in the SNPS to model the plant response.
The first case assumes that, given the. turbine trips, the turbine bypass , remains open. The condenser and feedwater are available. However, should 6 the turbine bypass fail, or should feedwater trip off line or the condenser not be available, the SNPS-PRA
- assumes that the situation is similar to either a total loss of condenser heat sink or a MSIV closure or a loss of, feedwater event. These. second case events are treated in the respective ATWS functional event tree.
- 2) MSIV closure / loss of caridenser - This group includes those transients that challenge the plant in a manner which results in a closure of all MSIVs or a loss of condenser. Also included are the turbine trips that i were shown to result in either MSIV closure or loss of condenser.
- 3) Loss of feedwater - This initiator includes the events that are characterized by a loss of feedwater with condenser available. The events include loss of feedwater initiators and transfers from turbine trip and MSIV closure.
~
- 4) Loss of offsite power - The single initiator is loss of offsite power with ATWS.
- 5) 10RV - The single initiator is inadvertent opening of a SRV with ATWS.
*Small LOCA event tree is similar to IORV with a successful early shutdown ,
(Table SA.12). 49 w , - - - - - - . . - . , , - - - - _ . - - - - - - . . . , . . - - .-
~~ ._ - - .. . ._
These types of ATWS event trees were not used in the RSS. The SNPS-PRA use of these trees yields a detailed analysis of ATWS mitigating function, and this constitutes a realistic, less conservative approach to the evaluation of the ATWS contribution to the core-damage frequency and to the total risk. 3.2.9 Ot,aer Event Trees ; The SNPS-PRA studies several low frequency events in separate event trees , some cf which were not studied either in the RSS-BWR or in 'past BWR-PRAs :
. a) Lo'ss. of a DC bus (Appendix 56.2) !
b) Release of excessive water at elevation 8 (Appendix SG.1) c) Loss of ' service water systems (Appendix SG.3) d) Loss of drywell cooling (Appendix 5F) e) Loss of a reference leg (Appendix 5E). BNL made no significant changes in its revised trees for case (a). In all other cases the changes were significant and are discussed in the respective appendices to Section 5. The main changes made are listed below. j a) Time phase event tree treatment of the release of water at elevation 8. b) Addition of functional level event trees for RBSWS and TBSWS recovery in ; the case of loss of service water transient. The event tree was revised : and time-phas ed, and the "GOLX" function was removed because it is insignificant to this event. All these changes resulted in a simpler event tree. . c) For the case of loss of drywell cooling, the number of event trees was reduced by combining all the contributions from transient without isola- . tion into the loss of drywell cooling initiator event tree. This was ' similar to'the transfer by SNPS-PRA of the contribution from transients to the support system event trees, e.g., loss of the SWS tree, d) The event tree for loss of drywell cooling was not changed significantly. In the BNL re-assessment the SNPS-PRA "0" function was omitted and only the "L" function preserved. Quantification changes were m' ore significant. e) The LOOP event tree with loss of drywell cooling was significantly , changed. The SNPS-PRA. included the G function, which seemed unwarranted for this case (Table 5F.4). This sequence was found to be a very impor-tant contributor to SNPS-PRA core damage frequency because of loss of almost all control room level information. ' f) For the case of loss of reference leg, again significant changes were made. The event of random failure of an additional level measurenvmt channel was separated. into three constituents, which' increased signifi-cantly the contribution' from this .branen of the event tree compared with j the SNPS-PRA (Table SE.2). , l i 50
;. - ~ . _ _ .
~ W..
^
3.2.10 Summary of'the Oualitative Review of Functional Event Trees The S?'PS-PRA presents a very detailed and elaborate study of the various types of accident sequences applicable to the SNPS plant specific conditions which could conceivably occur within the plant. BNL concurs with the overall approach used in the development of the functional event trees, and these trees are basically adopted in BNL's re-assessment of the majority of the sequences. In most cases only minor improvement were made, and basically the 1 same structure was used in the BNL revised trees. On the other hand, quanti-fication of accident sequences by UNL led to modifications in many of these
- trees,. as discussed in Section 5. Irt a few cases the event trees ' structure was revised more significantly, as disc::ssed above and shown in detail in Appendices to Section 5. The most important such cases are the following:
a) ATWS event' trees, b) Release of water at elevation 8, c) Loss of a reference leg, d) Loss of service water system. 1 Comparison with past BWR-PRAs showed that a more detailed functional event tree. analysis was performed in the SNPS-PRA for several low frequency events, most notably loss of drywell cooling and loss of a reference leg. 3.3 System Fault Trees 3.3.1 System Fault Trees Analysis in SNPS-PRA , The system level fault trees are compiled in a separate volume (Volume - IV) of the Shoreham Nuclear Power Plant (SNPS) PRA. The cutsets for these fault trees are given in Appendix J of the PRA, along with the identification of the most important cutset contributors to each system. The data for the fault trees' quantification are provided in Appendix A.2 (component failure - rate data), Appendix A.3 (human error failure rates), and Appendix A.4 (quantification of system unavailabilities due to maintenance). BNL reviewed this information along with the fault trees. The review of these data appears in Section 4.2; here only some more pertinent comments about the analyzed fault trees are presented. The following system fault trees are given in the PRA: l
- 1. Reactor Core Isolation Cooling (RCIC), '
- 2. High Pressure Coolant Injection (HPCI),
- 3. Service Water (SW),
- 4. Standby Liquid Control (SLC),
- 5. Residual Heat Removal (RHR),
- 6. Reactor Building Closed Loop Cooling Water (RBCLCW),
51 t
t i l l 7. Electrical ' Power: Emergency.AC and DC, -
- 8. Core Spray (CS), .
1
- 9. Low Pressure Coolant Injection (LPCI),
I 10. Automatic Depressurization System (ADS), .j- 11. Reactor Building Standby Ventilation System (R85VS) . and CRAC Chilled Water, j -
- 12. Feedwater (FW), ,
l
- 13. RCIC/ Steam Condensing Mode (RCICSC),
- 14. Condensate, 3
! 15. Scram System *, l 16. Diesel Generator *. I 1 i I The BNL comments in Ref. 2 were used in the review of the SNPS-PRA fault ! trees. Hence, the following coments (see Section 3.3.2 below) refer in part , to how, SNPS has taken into account the previous comments in the new SNPS trees, and indicate which recomendation of Ref. 2 are still in effect, as ) well as including comments generated in the present review.
- The following systems have not been analyzed in detailed fault trees:
- 1. Plant Air. and Compressed Nitrogen Systems: A subtree for this sup-i port system was developed as part 'of the ADS fault tree. '
The j details are developed to the subsystem level rather than the compo- -!
; 'nent level as in the other system fault trees. This will be further t j discussed as part of the ADS tree. '
I j 2. Reactor Protection System *: The unavailability of the scram system
- i
- is based on NRC studies 5 and the analysis made by SNPS in Appendix i A.7 of the PRA. The small tree given in the PRA is not quantified j and includes only a part of the RPS. .
4 L 1
- 3. Diesel Generators *: A fault tree was constructed, but the analysis j is based on the information gathered from LERs. This information is ,
- reviewed in Section 4.2.2, below, and hence this system is not '
j discussed further here. 4 Drywell Coolers: This system was not included separately in the j fault tree analysis. A probability of 1.0 for human failure to t recover this system after a high drywell pressure isolation (actuated I on 1.7 psi) was used by thelSNPS-PRA and BNL. A probability of 0.7 j for human failure to initiate this system after its isolation (on j i *The quant 1rication of these system fault trees was not used in the probabil-l 1stic analysis. .The trees were constructed and included to provide j supplemental 1nformation regarding possible systems interactions. .I . ! 52 l d l a 4 ,
*y
- A
. J 1evel 1) was considered by BNL whenever credit for this system was given in the PRA. A hardware failure probabilitj of 6.6x10-" was calculated based on a functional fault tree in the SNFS-PRA for use during transients. '
- 5. Suppression Pool and Condensate Storage Tank (Supply of Cooling Water to Safety Injection Sys tems ): The unavailability of these ,
sources of cooling water is. analyzed as a subtree mainly on the HPCI fault tree. The failure probability was calculated in the SNPS-PRA as 7.x10-3 and 3.x10 " for , suppression pool and condensate storage
, tank, respectively.
- 6. Containment Spray: The system was not analyzed separately, but it '
is a part of the RHR/LPCI system, which was modeled and analyzed. A probability of 0.05 for h'uman failure to in1:f ate was used whenever ' some credit was taken for 'this system; this is apparently higher than the probability of its hardware unavailability. j 7. Turbine Building Service Water System: The system was not analysed i separately. It is stated in the PRA (Appendix J), that the. system fault tree models were constructed by SNPS for general application without regard to any specif-ic transient event sequence and therefore do not < include transient depen-dences. The changes made to ' system unavailabilities due to the impact of the i transient initiator or the specific event sequences are discussed in the pre-i sentation of the system level event trees, in Appendices to Section 5 of this report. The result of the fault tree analysis performed by SNPS is summarized , in Tables J.4-1 of the PRA, which is reproduced in columns 1 and 2 of Tab?e 3.1. Column 3 shows BNL review results for the trees that were jedged important and were reviewed in detail. - In general, most of the system fault trees appear to be reasonably complete and accurate, but BNL made some additions and modifications. These changes are discussed in the following subsection, and their quantitative - effect is summarized in Table 3.1. Their impact on the , core damage frequency is small, amounting to a few percent (see Table 3.1 'and Section 3.3.3 for further details). The trees are resolved down to the component level. The level of resolution is determined by the availability of data and by the possibility that further resolution will uncover existing dependences. The level of resolution in the trees is consistent with state-of-the-art PRA practice. The fault trees were developed to allow each component either to operate as designed or to fail (no partial failure). This approach is conservative, but it is consistent with the present PRA state-of-the-art. The folicwing items were excluded from the analysis of the failure of a component (or system) as being outside the scope of the PRA: a) External events , l b) Sabotage, c) Operator errors of commission, i l 1 53 l t '
d). Most .locatiion-dependent common-mode f ailures , such as fires,8 but l location-dependent CMFsu d' e to internal flooding were included and are discussed in Appendix *.5G.I. + Manual operation of coolant injection, if required, was assumed to have a , l 30-minute grace period. This appears to De justified by thermal hydraulic ; calculations7 . For large land medium LOCAs and for ATWS events, however, less
; time is assumed for manual restoration of injection. The f ailure rates used in the fault trees were point values and were meant to represent the average over the plant lifetime ~ (i.e., wear-in and weer-out rates were averageo into the failure rates) . Note that .the risk during the first year of pl ant operation may De higher than the average risk over the plant lifetime because .
7 of a higher Initiator frequency and higher failure rate .during the wear-in , j period. Failure rates are further discussed in Section 4.2. , The dependences within a system were treated by using the same alpha- , l j numeric designator for. a component that appears several times in the tree.
> For systems within the s'ame function for example, HPCI and RCIC for the ;
i function of High Pressure Coolant Injection, this method was also used to I allow for doolean manipulation of functions. The SNPS-PRA, in general, pro- - 3 perly used tnis method. ' BNL's review, however, found that this designation 7 was not followed consistently in all cases, and cnanges were made to correct 7 I discrepancies as listed in tne next section and in Table 3A.1. ;
)
l In summary, the SNPS-PP.A has made a good and ' detailed systematic fault . tree analysis that provides a model of the system (as seen in tne next section). lhe SNPS-PRA has provided analyses of several fault-grees in , , addition to those done in RSS-BWR and LGS-PRA. It will be shown in the next i , section that several BNL comments in the LGS-PRA review 2 were taken into j account in the fault trees of SNPS. - t i ! 3.3.2 Summary of BNL Modifications to SNPS System Fault Trees and Thei r *
. *i i Impact -
4 The following is a list of the main modifications that were made to the
- SNPS fault trees and resulted in changes of the system unavailabilities. The .
' unavailabilities derived in the SNPS-PRA, along with those suggestea by this ! review, are summarized in Table 3.1. Appendix 3A lists all changes or ; comments on SNPS system fault trees recommended by the BNL review. The BNL review of the system f ault trees was based on comparisons with the LGS-PRA and information for FSAR. The review did not, however, go to a i level of examining specific equipment differences that warrant a change in , failure rates; only design features using generic failure rate data were i , considered. . ! j 3.3.2.1 Reactor Core isolation Cooling (RCIC) ! Several improvements were made in the SNPS-PRA fault tree. For example, ! l the turbine subsystem, which is a dominant contributor to RCIC, was treated in i some more detail. In doing so, however, sometimes lesser failure rates were i ! used. The lube oil (turoine auxiliaries) in SNPS-PRA is an example of a case ! l in wnich the f ailure rate was reduced by a factor of approximately 4, compared 4 l with that in the L35-RCIC tree and SNPS-HPCI turbine auxiliaries subtrse. - i ! i i 54 4 ) l . . i
- - - - - . - . ..---.n_ . - _ , . - , . _ . - , _ - , - - , - , , - - , - - , - - - . - - - - - . - .
( - - - - - -
.~.n.- .M.'U.a'a h .' uy M.: Y( -v- . ' '
.L.. '. : .J . - - a . .'.:s.E .a
}s .
'b b# * ,
l - y ' . l l , However, the event'" loss of flow through turbine driven pump" remained overall quite similar in all cases. BNL increased the' lube oil (turbine adiliarf es) unavailability ir ; .RCIC turbine subtree from 1x10-3 to 3.6x10-3 'to make it consistent with thE liPCI tree and LGS tree. To perform a study of /whether
'there were specific equipment considerations to reduce this failure rate by a
]f actor of approximately 4 was not considered Oo be within the scepe of the
. review. Alother dtitinct change in the SNPS RCIC fault-tree ~ is the increase (4pproximately tenfold relative to a past f.3A) in failure rate of sensor in the " false sisqalifailurn mcde that ws gifen a valup of fi6x10-3 for 10 sensors. Thus, " false staam pipe area high temp signal"' constitutes one third of RCIC-unajailability., The high failure rf:e 1mplies a low frequency surveillance t'est of thase sensors, and further implies that a favorable change in this frequency .or procedures may be able to decrease the RCIC unavailability. Investigating the exact nature of the difference between the past PRA and SNPS in quantf fying the failure rate of these sensors was agafn considered outside the scope of the review. .
~
> s t Table 3A.1 of Appqndix 3A lists the changes or comments on;>.te RCIC' fault ,
3 tres. No one of thea r.auses any significant change to RCIC_ unav%11 ability. q However, some of them are; CMF of both HPCI and RCIC- ~~ i .
)
-a. Chan~ged name of Niscalibration "too high" of level 8 trip sSnsors, to >
properly acecunU,ffor commonality with HPCI level 3 trip (RCIC'No. 5. j in Table JAJ1), , -
- b. Steam leakage from HPCI or RCIC steamline may cause their isolation'. J
{"HCOWON" event included in the BNL review, RCICTNo.1). The effect of these conunon-mode failures of RCIC and HPCI is di. cussed in Section 3.3.2.4 belowv , . 3.3.2.2 High Pretsur_e Care Injection System (HPCI) r E The turbine subs.ystem is modeled in detail, as .is the auto % tic transfer J from CST to suppression p'ool suction. The overall unavailability of HPCI is within a reasonable range. The SNPS-PRA is more realistic than the LGS-PRA by treating the probability of failure-to-start on subsequent starts as compar-able with that on initial start. A factor of 1/3 was used in SNPS-PRA com-pared with 1/10 in the LGS-PRA. Table 3A.1 of Appendix 3A lists changes and ~ comments on the HPCI fault tree. They do not impact significantly the HPCI unavailability, but have some ig act on the HPCI/RCIC CMFs. a) The failure of the shaft-driven lube oil pump, which is included on the fault tree, was also added to the list of cutsets resulting in a small f ncrease of JiPCI unavailability from 0.096 to 0.1 (HPCI No. 5). b) The high drywell pressure signal to idtiate HPCI wab deleted for m transient initiators (HPCI No. 1). Thus , miscalibration of wate- j - level sensor becou.s a significant contributor to CMF of HPCQRCJC M ' and ADS not considered in the SNPS-PRA (see Section 3.3.24Qr,quan-r tification). s ys
- +- 7
( v l c) The nar,e of the miscalibration event 'of. HPCI turyine pressGre tef p r . set poirit was changed to conform to tha same RCIC event (HPCI No. 7).j ' - c .
, r. g a y l .y
. 55 : , ' " gl n
J ^ y9 a m- _ _ _ _ _ . ___ _ _. ___,. _. -_ . .Q_
1 . l - d) "HCOMMON" included. See comment .(b) for RCIC (HPCI No. 5). 3.3.2.3 Abtomatic Depressurization System (ADS) . The three consnents of Ref. 2 were ta:en into account by improvements in , the SNPS-ADS fault trees: ' a) The common-mode' failure of all ADS valve solenoids due to contami-nated nitrogen gas supply was included in the SN.PS-AOS tree (1x10 ). ,
, b) No credit is given to human action to recover n[itrogen gas supply if main supply or accumulators were lost.
c) A common-mode miscalibration of all pressure s'ensors in CS and RHR discharge lines was assumed,3 but with reduced probability - 5x10-5 instead of 2x10 8 The 2x10- is for non-staggered calibration. For staggered calibration of different systems, the .value of 5x10-3 seems . to be realistic. In addition, this value is rightly multiplied by operator failure to initiate ADS manually (0.1). i
) On the basis of these improvements, BNL accepted this unavailability of l ADS (8.4x10 ").
The CMF miscalibration of level 1 was correctly denoted by the same name in HPCI and RCIC. The operator manual initiation was given a different name from the high pressure injection manual initiation, as expected. No cnanges
.were made to the ADS fault tree.
r 3.3.2.4 Boolean Combination of High Pressure Injection Function (U) and the AD5 Function (UX). . . The SNPS introduced this feature in .its PRA to account for. dependences i between safety functions. Basically, the "su'per"-trees of several systems were evaluated in the SNPS-PRA and cutsets for the super-trees were examined. The results of this Boolean reduction were used in the event tree quantifica- .i tion. This diminished the need for the core damage fault tree (CDFT) approach which BNL has used in its past reviews . 2,3 However, the review of the Booleari combination of the U function (HPCI and RCIC) and of the UX function (HPCI, RCIC and ADS) revealed some significant omissions, which are discussed here. U-Function The results of the SNPS-PRA analysis are given in Tables J.4-16 of PRA-Appendix J. Only two CMF contributions to U are identified there: a) Both HPCI and RCIC are unavailable because of maintenance (plant technical specifications require a shutdown within 12 hours). Fail-urs probability = 1.4x10 ". b) Failure of a level transmitter or miscalibration (high above level 8 set point), which causes the failure of HPCI and RCIC trip on high water level (L8) and leads to gross moisture carry-over in the steam - supply lines, as well as damaging both HPCI and RCIC turbines. 56
.:" . . L .-- .. c-~ w w :.:.c . . . . . . .
1 The SNPS-PRA incorrectly estimated the probability of this CMF to be 1.36x10 3 In our review only miscalibration was considered, leading to 0.2x10 3 (0.2 taken for operator error rather than 0.1 as in SNPS-PRA). BNL added the following four commonalities: c) Common miscalibration of level 2 transmitters leading to the failure of level 2 autoinitiation of HPCI and RCIC. The failure probability is 2x10-3 x 0.1 = 2x10-* (where the 0.1 is due to operator failure). d) Miscalibration of level 8 trip sensors (below the nominal level 8 set point) leading to repetition of turbine pump trips on both HPCI and RCIC: 2x10 3 x 0.5 = 1x10 3 e) Miscalibration'of turbine pressure trip set points for both RCIC and HPCI: 2x10-3 x 0.5 = 1x10-3 (suggested by SNPS-PRA, see RCIC FTA, but not caluclated). . f) Steam leakage from HPCI or RCIC steam line causing their isolation -
"HCOMMON" = 1x10-3 ,
The SNPS-PRA summed up the commonalities of HPCI and RCIC to the total of 9x10 3 (see Table 3.1). This does not follow from Table J.4-16, where a total of only 7.8x10 3 is shown.* According to the six commonalities listed above, the total is 0.01. This is the BNL value for the "U" function. UX-Function , The results of the SNPS-PRA analysis' are given in Table J.4-17 of Ap- - pendtx J. One CMF contributi.on of all three systems to UX was identified there, see (a) below, and two additional CMFs of two out of the three systems, see (b, c): I a) Loss of all Division I and II electric power supplies. Failure prob-ability is 3.2x10-s, b) Combinations of dominant cut sets of HPCI with failures of level instrumentation, and operator actions which defeat both automatic and manual initiation of RCIC and A05. Failure rate is 4.0x10-8 c) Combination of dominant cut set of ADS with failure to isolate HPCI and RCIC on level 8 Fail-ure rate is 1.3x10-8(leading to carryover in the steam lines). The total of CMF contributions becomes 8.5E-6, which is consistent with the values in the event trees . However, some additional contribution for other ADS cut sets combined with other* HPCI and RCIC cut sets (failing independently) was not included.
*The combinations of dominant,cutsets of HPCI and RCIC result in 6.3x10-3 57 t
i l . _ . _ . - -. - . . - , - . , . - . .-- .--
. ,. .; - T.;---- 77 . ._
i
. The SNPS-PRA incorrectly estimated, however, the CMF of item (b . In -I this case HPCI is assumed to be initiated by high drywell pressure s)ignal.
This is true. only for LOCA or ATWS. For transients
- and manual shutdcwns no high drywell pressure is expected in less than 1 hour after the incident initiation, and therefore initiation of HPCI will fall manually and auto-matically too. This increases this commonality (see item (b) above) by a fac-tor of 5 (2x10 3x0.1x0.1 = 2x10 5). ,'
In the judgment of BNL, 91lven proper stagge' ring procedures for level ! instrume'ntation, the value of 2x10-3 for miscalibration would be too high by a
, factor of 10 or more. Therefore . BNL did not change the UX quantification on the transient and manual shutdown event trees. The special case of mise.ali- -
1 bration is not Ignored, however, an'd is discussed irl Appendix $A.1.4 It is a significant contributor to core damage frequency, but it can be easily elimi-nated by appropriate procedures'. The calculated commonality .of HPCI, RCIC, and AOS in the BNL review becomes : HPCI/RCIC comonalities with ADS cut sets which are independent: 7x10 3x6x10 " = 4x10 6 Item (a) - loss of all Division I and II electric power: - 3x10 5 Item (b) - miscalibration of level instrumentation (corrected): a 2xiG-8
. 9x10-'
Where 7x10-3 and 6x10 4 are the unavallaoilities of "u" and "x" respect-ively after items (4) and (b) are tubtracted. The event trees values were not changeti to reflect this small increase.
^
3.3.2.5 Low Pressure Core Spray LPCS or CS) The core spray system is, in general, adequately modeled in the SNPS-PRA fault tree for this system. The small_ number of changes - mace by SNt. tend to have counterbalancing effects, so that the LPCS unavailability remained . unchanged in the BNL review (See' faDie 3.1). The main changes are at follows: a) The LPCS system will not initiate on high drywell pressure in case of a transie9.t sequence. When this is eliminated from the fault tree a new cut set appears,4"HHU7200XI * (LHU5000XI + LHij6000XI)*, which prooability is 2x10 (The LHU5000XI and LHU6000XI should be AHU1990XI, see Table 3A.1 LPCS nc. 5.) - b) The probability of the event " suppression pool water unavailability due to clogged strainers" is incorrectly included in the SNP5-PRA analysis as 2.6x10 ", which is correct foe a single clogged strainer. In the BNL review, a value of 5x10-5 for CMF of all strainers is used, whicn is consistent with the SNPS4RA HPCI fault tree. (LPCS No. 2) c) The SNPS-PRA states that valves LMV05ADPI and LMV05BDPI. are tested only during refueling rather than on a quarterly basis. This .
- Apart from loss of drywell cooling and loss of offsite power.
58
~
. _ . - _. ._ ; ._ _ d -Z- _.__,m.. ._.s_. .. _..1,
-. _ 2 ..
increased their failure rate Jfrem cx10-8 to 9,3x10 3 by adding - 1.6x10d /hr x 8760 hr x 3/4 x 1/2
- 5.3x104 ,
However, in Appendix J the LPCS unavailability was calculated on the basis of 4x10 3 This was corrected in the BNL review, which resulted in an addition of.1.5x10 " to the LPCS unavailability. Since'these changes cause only 4% ihcrease in the BNL re-quantification of the LPCS unavailability, the SNFS-PRA unavailabliity value was used also in the BNL review. Table 3A.1 in Appenaix 3A describes the changes to the .
. SNPSeLPCS fault tree.
3.3.2.6 Low Pressure Coolant Iniection (LPCl) The LPCI is, in general, ade';uately modeled in the SfiPS-PRA' fault trees. The small number of changes made'.by BNL tend to counterbalancing effects. As seen in Table 3.1, the SNL review practically did not change the LPCI unavail. ability. Tne ' main changes are very similar to these in the LPCS fault trse,
' discussed above:
a) The LPCI will not initiate on high drywell pressure to case of tran-sient sequences (same as' item (a) of LPCS). , b) CMF of clogged suppression pccl strainers is included (same as' item (b) of LPCS). c) The operator failure to thitiate manually the LPCI is assumed to be dominated by the failure of the operator to initiate A05 if it failed to initiate automatically (Table JA.1., LPCI No. 2). These changes -(see also T4ble 3A.1 of Appendix 3A) did net result in any - significant effect on LPCI unavailability. They do, however, affect signif- ' icantly the unavailability of the low pressure injection function which com-bines both LPCI anc LPCS, as discussed in the next section. 3.3.2.7 BooieanCombinationo[LPCIandLPCS(V), 4 The main contributors to the failure of LPCI and LPCS are miscalibration of all reactor vessel pressure transmittsrs (N097A 8, C, and D) of ths LPCI and miscalibration of differential pressure transmitters (OPIs fl005A and B) of the LPCS. They are not dependent if these channels are calibrated separately one from the other. Mcwever, miscalibration of all N091 level transmitters is a commonality of both system, at least under conditions prevailtag during transient sequences. This commonality was not included in the SNPS-FRA, as explained before. The comcnalities of LPCI and LPCS are as follows (mest of - them are included in the SNPS-Pita list of Appendix J Table J.4-18): I a) Miscalibration of level transmitters and operator failure to initiate manually (mentfoned above) 2x10" b) CMF of clogged suppression pool strainers 5x10 3 c) Suppression pool water unavailability due to maintenance ! (ITM) or due to -high water temperature (ITX200KWI) 2x10-3 59 4 t (
d) Combinations of manual system shutoffs on high reactor vessel level with failures subsequently to restart the systems when needed 3x10 4
- e) Combinations of dominant cut sets of both systems
((3x103 x 2x10 3) 6x10-6 Since these contributions sum up to a value only 7% less than the 6.2x10 " ,used in the SNPS-PRA, the value was not changed in the BNL review. 3.3.2.8 Service Water System (SWS) There are two serv. ice water systems : - a ). Reactor Building Servige Water System (RBSWS),
- b) Turbine Building Service Water System (TBSWS).
- Oni) the RBSWS was modeled in a fault tree.. It' is discussed here.
The SWS is a safety related system designed as a two-loop system, and the SNPS-PRA fault tree was constructed accordingly. The CMFs of both loops are the main contributors to SWS unavailability. The following main contributions J to SWS unavailability were evaluated in the SNPS-PRA: a) Both service water loops in maintenance 1.4x10 " l b) Failure of all four SWS pumps 3.5x10-5 c) Combination of excess leakage in one loop with failure to isolate the opposite loop , 0.3x10-5 , d) Combination of one loop in maintenance with two pump failures in the oppos.ite loop 0.2x10-5 . e) Loss of water supply to screen well 3x10-5 These resulted in the unavailability of 2.1x10 " for SWS in the SNPS-PRA.
.BNL considers this analysis to be realistic apart from item (a), which is conservative (yet is right for inclusion in the initiating event frequency for SWS). The only change in the BNL review was the omission of item (e) because it is due to external events, which are excluded from the PRA scope. (This is recognized in note No.1 on the SWS fault tree, but not carried out.) How-ever,5the fault tree also includes event WFL 480 HEI which was quantified as 5x10- and stands for "All pumps suction clogged." This event is not included in the SNPS-PRA list of cut sets given in Appendix J Table J.4-5, but it is included in the BNL review. Thus, the SWS unavailability in the BNL review is 2.3x10 ".
LERs 8 include precursors of the event of clogged strainers for all SWS loops ' suction. A real event has not occurred in a BWR. The value 5x10-5 is judged to be conservative. BNL did not change this value because SNPS, being situated on Long Island Sound, is considered more susceptible to this failure mode than an average nuclear power plant. ~ 60 l l
..... _ _ _ . . . n.._- . . . . .. ..
' Table 3A.1 'in Appendix 3A shows the two changes to the SWS fault trees discussed above.
3.3.2.9 Residual Heat Removal (RHR) System Even though a fault tree was separately developed for RHR, the SNPS-PRA does not present its cut sets in Appendix J. Another problem is that Table J.4-1 gives a value of 4.8x10 4 for RHR unavailability, which is inconsistent with SNPS-PRA functional event trees. This apparently arose from an error in the RHR fault tree (as explained below) which SNPS-PRA corrected. in a .later
- revision of the PRA and did not correct in Appendix J. -
BNL review fcund the following contributors to RHR unavailability,- based on the SNPS-PRA fault tree for RHR: . a) Both pump loops-in maintenance 1.4x10-4 b) Failure of all 4 RHR pumps 3.5x10-s
. c) . Suppression pool water is unavailable due to clogged 5x10-5 strainers F
d) Combinations of one loop in maintienance'with two ' pump failures in the opposite loop 0.4x10-5 e) 'Both heat exchanger bypass valves fail open (valves F048A and B) l'.6x10-3 f) Both MOVs at RHR heat exchanger outlett fail closed
. (MOV 34A and B on the SWS side) 2x10-5 g) Fail.ure of SWS system (maintenance of both loops and failure of SWS pumps are excluded'because the turbine building SWS would be able to provide the cooling water) 5.5x10-5 These contributions sum to 3.2x10 " for the RHR unavailability. Using a 20-hour repair time with MTTR = 19 hours results in 3.2x10-4 x exp(20/19) 1.1x10 4 This value is used in BNL reassessment. The same value is also used by SNPS, but not enough information is included to support its derivation.
Two changes were made by BNL to the SNPS-RHR fault trees. These are detailed in Table 3A.1 of Appendix 3A. Finally, it should be noted that the above RHR unavailability assumes ' either that PCS was available for several hours following an accident sequence or that RHR was initiated to cool the suppression pool during the first 10 hours after the initiation of an accident sequence. When these conditions are not met and suppression pool cooling starts 20 hours after a transient or LOCA ) initiation, the suppression pool temperature will reach temperatures above ' 200*F and the RBCLCW system would be needed to cool RHR pump seals in order to prevent their failure. This increases the RHR unavailability by 2x10-4 (to a value of 3x10 4 rather than 1.1x10-4), if the operator is successful in 61 i
s aligning the systen.. ' This dependency was not included because of its small ! impact on the overall Class 11 core damage frequency. 3.3.2.10 RCIC in the Steam tendensinc Mode and RHR No changes were mede to the SNP$-PRA fault tree of RCIC in the steam cen-densing mode. The unavailability of this system is evaluated as 0.14 However, in the FRA this system is always used in the same function with the . RHR. 'Thus, the Boolean recuction of tne RHR and the RCIC in the stearx con- ' densing moce is of interest. This was not presented in the FRA Appendix J. The result of tnis Boolean recut.tton is given without its derivation in Table J.4-1. The value of 6.Sx10-5 seems to be based on an earlier evaluation of RHR unavailabilf ty of 4.8x10-4 lhe coricitional failure procability of -RCIC
'in steam condensing mode given RhR nas failed is C.4 [= 6.Sx10-5 (4.'8x10-4 /
x0.35)]. . The commonalities of RHR and the RCIC in the steam condensing mode are as follows: a) The unavailability of the SWS (with credit to TBSWS) 6.5x10-8 . b) Botn MOVs at RF.R heat excnanger outlets fati closed (MOV 33.A and B) . 2.ux10-5 c) Botn RHR neat excnanger bypass valves f ail open (valves . F048A and B) 1.5.x 10-5 The probability of indepencent failure of botn systems is 1.4x10-1 x 3.2x10-" - 4x10-5; when tne 20-nour repair prcbasility of eg(-20/19) is applied to the sum of ' the values above, the unavailability obtained is . 4.5x10-5 This is T.ess by a f actor of 0.4
- nan the R'tiR unavailacility of . ,
1.1x10-". The SNPS-PRA aisc applied 'a factor of 0 A hnd used the value 4.4x10-5 for the function of RHR with RCIC in tne steam condensing moce. The same value was used also'in the SNL reassessment, based on the acove discus-sion and derivation. 3.3.2.11 The Electr e Power System (EPS) . The fault tree of this system includes two top events: a) Loss of power from 480 V Bus Divi-sion I, II, or III. This was found oy SNPS-PRA to be 1.4x10-". b) Loss of 125 V DC Bus Division I, II, cr III. This was found oy SNFS-PRA to be 3.7x10-*. , The unavailability of a DC 'ous can be estinated from c7perating experi- . ence. NUREG-0666 evaluates the loss of a DC cus as 6x10-3 per year, whicn is about 1>0 6/n r. Thus, the unavailability cf a DC bus evaluated in the SNPS-PRA represents a mission time longer tnan the 24 haces used in general in fault tree quantification. This is apparently so Decause the loss of a DC cus does not necessarily cause reactor snutdown in tne SNPS, and the plant can continue to operate for a few days. However, the unavailability has very small impact on the fault trees of other systems. The effect of the loss of a DC bus is
~
52
.--....r-,u - - - . . . . - . . . . . . - - ...a . . . . . . . . , .. -
evaluated as 'a separate initiating even,t in the SNPS-PRA, and this accident ' i sequence is reviewed in Aependix 5G.2.
- The .BNL review did not change the fault tree for the EPS.
3.3.2.12 Feedwater Systen . The SNPS-PRA tree of this system was prepared in detail. A review of the tree with respect to previous BNL comments 2 shows that the fault tree has the. features BNL consicered important, such a;s the following: a) Failure of the operator to stalt the mechanical vacuum pump .if the SJAE is unavailable (quantified with 0.1 failure probability) b) Common-mode miscalibration of iEth reactor level channels, causing a spurious level- 8 trip of the fee'dwater system (2x10-3) , c) Most of the other BNL concerns2- ! The dominant contribution to the failure of the system is failure of the operator to control the system during long-term coolant injection. This was 3 quantified The less of the as condenser 2.5x10-2,vacuum which amountsis another important to. 50f. ofcontributor the feedwater(2.5x10-unavailability) ,1 On the basis of the above remarks, no significant changes were' made to the feedwater system fault tree. . 3.3.2.13 Condensate System The SNPS-PRA developed a separate detailed fault tree for the condensate system. Unlike the feedwater system, the con'densate system shows no clear relationship between the list of cut sets (Table J.4-15) and the fault tree. The main contributions to the condensate system unavailability derived from
- the PRA fault tree and cut sets in Appendix J are listed below, with some examples of inconsistencies:
a) The main contribution comes from the failure of the operator to pro-vide long-term makeup water to the condenser (0.025). This does not appear on the fault tree. b) Simultaneous failure of both condensate pumps or- both condensate booster pumps (= 4x10 3). This appears on the feedwater system fault tree and is developed in a different way on the condensate system fault tree. 1 c) Flow control instruments fail to supply signal ,or supply false signal-to train A and B. This contributes = 4x10-4 to the condensate It appears on the fault tree but is not shown in the unavailability. cut sets list. ! d) Event " ERUPT' is considered in the fault tree and stands for " rupture of piping / heat exchanger." This 1.1x10 contribution is not in the cut sets list. 63 i
e) Loss of offs'ite power duct'ng the mission tiine for the system (= . 10-3). This item appears both in the fault tree and the cut sets list. It is apparent that the value given in Table J.4-1 of the PRA (0.12 for the condensate unavailability) has an error. The unavailability is about 0.03. This unavailability is dominated by the operator error to provide long-term makeup' water to the condenser. In the BNL re-assessment, the system unavailability is also dominated by ~ , operator response. However,'different values for the operator error are used for short-term responses. ' A value of 0.1 is . assumed for failure of the operator to: a) Control the flow rate of the condensate pumps so that it will match the rate of condenser makeup flow rate of about 1000 gpm. b) Verify the s'u ccessful initiation and operation of the condenser makeup from the Conifensate Storage Tank (CST), which is automatic.* 3.3.2.14 Power Conversion S'istem (PCS) No fault tree is given for this system in particular.* Major parts of this system are included in the feedwater and condensate systems fault trees. The PCS includes also the MSIV, the condenser, the turbine bypass, and the circulating water system. The feedwater and condensate system fault trees represent these additional systems by undeveloped events (which are not resolved to the component level). The SNPS-PRA based the PCS unavailability on experiential data, which result in an Qnavailability of 1.1x10-2 Using a recovery probability of 0.45 in 15 hours (repair with MTTR = 19 hours) it derived a value of 0.005 for PCS (see response No. 8 in Ref. 9). In the BNL re-assessment, the fault trees for the condensate and _ feedwater were used to estimate hardware unavailabilities for the PCS: a) MSIV hardware failure 0.0005 b) Circulating Water System hardware failure (including failure to run) 04001 c) Condensate System Control failures contribution 0.0003 d) Condensate sys-tem pumps and valves failure contribution (including failure to run) 0.0003 e) Steam Jet Air Ejector or Mechanical Vacuum Pump 0.002 Total 0.004 "Mr. Dick Paccione (LILCO), Private communcation with BNL (1984). G e 64
.a .
. -. ... a .w . . .. . c n.=__.. . _ _ . . - .
This value .is used in BN'L funct'ional level event trees for the evaluation of the long-term. PCS unavailability (see Apendix SA.1). . 3.3.3 Summary of tne Review of Fault Tree Analysis 'and its Impact on Core Damage Frequency
, The BNL review did not result in significant changes to the front or sup-port system unavailabilities. It concentrated on the cut sets of safety func-tions which comb'ine several front systems. The review, also, did not signif-icantly change the unavailabilities of the safety functions. In the latter
, case, however, phe main contributors to the functions' unavailabilities were modified, i.e., . failure modes other than those,in the SNPS-PRA were found to be important in the BNL review. The changes' are as follows:
a) In S'NP'S-PRA the "U" function is dominated by miscalibration "high" of - level 8 transmitters (high above level 8 set point). In the BNL review this is a minor contributor, ai1d the main contriDutions come from miscalibrating " low" tne level 8 transmitters (below the n'ominal level 8. set point), and from miscalibration of the turbine pressura trip set points of both HPCI and RCIC. b) In the SNPS-PRA the "UX" function is dominated by loss of AC power to Divisio'ns I and II electric power supplies, failures of level instru-mentation combined with HPCI and operator failures, and level 8 mis-calibrated "high." The SNPS-PRA appears to include only some of tne contribution to the core damage frequency from the combination of the "U" and "X" functions; proper ev'aluation of UX would . increase the , SNPS-PRA result. The "UX" function is seen (Section. 3.3.2.4) to be about 50% independent f ailure of "li" and "X" in the BNL re-assessment, with the other 50% coming from loss of AC power, as in the SNPS-PRA, and from miscalioration of the level 1 instru- . mentation. - c) In the SNPS-PRA the "V g " function is dominated by suppression pool failure- to supply water. BNL found the miscalibration of level 1 ~ transmitters to be the important contributor. d) In the case of RHR combined with RCIC in the steam condensing moce,
- BNL found that, unless the turbine building service water (TBSWS) is given credit, the reactor building serv-ice water (unavailability =
2.3x10-") will dominate the unavailability of this function, and , there is little to be gained from tne RCIC steam condensing mode. The SNPS-PRA factor of 0.4 was obtained by BNL only with credit given to TBSWS (the SNPS-PRA gave credit to TBSWS in the case of loss of SWS transient, see Appendix SG.3) . e) The event of miscalibration of level 1 and 2 N091A', 8, C, and 0 transmitters, named "HHU7200XI," appears on the fault trees and affects the "UX" and "UV" functions for transient sequences. This important dependence was not addressed in the SNPS-PRA. Details are discussed in Appendix SA.1.4. 65 s
;-----.--m_... . .. ._. w The impact on core damage frequency of the ' fault trees modification is small. BNL major modifications affected the contributors to the unavailabil- ,
ity of safety functions when combining several system fault trees. However, these changes had impacts that either increased or decreased core damage frequencies, so that the overall result did not change the SNPS-PRA estimation of core damage frequencies. 3.4 Human Performance Analysis Two types of human errors. (cognitive and procedural) can contribute to the unavailability of frontline systems and impact on core-damage frequency. These are addressed in the SNPS-PRAl . 3.4.1 Cognitive Human Errors - The SNPS-PRA explicitly modeled cognitive human errors in the event trees and in the fault trees. These human errors , with a description of the required action and the time available (or assumed) .for action, are listed in Tables 3.2 and Table 3.3. The BNL review in general agreed with the qualitative modeling approach to most cognitive human errors. BNL disagreed with the model, in only a few cas es ', the most notable being the "GOL" model of the SNPS-PRA, which BNL changed to a "GL" model (see Appendix 5F for details), and loss of a reference leg, for which BNL moved some cognitive errors to an earlier stage in the BNL event tree and thus affected the core damage frequency (see Appendix SE for details). In many cases, 'however, BNL disagreed with the quantification of the human errors. . Tables 3.2 and 3.3 include BNL quantifications* for compar-ison with the SNPS-PRA values where significant changes were made. Appendix C of Ref. 4 went into great detail in modeling potential cognitive errors in the analysis of SNPS water level measurement system and is ', discussed in the detailed review in Appendices SE and SF. 3.4.2- Procedural Human Errors Procedural human errors contribute to system or component unavailabili-ties through routine procedures such as calibration testing and maintenance or normal plant operation. In most cases the SNPS-PRA followed the techniques recomended in NUREG/CR-127810 for their quantification. The BNL review !, concentrated on determining whether any, procedural human errors were omitted in the analysis; their quantification was not part of the review. Tables 3.2 and 3.3 present the most important procedural human errors covered in the SNPS-PRA. 3.5 References to Section 3
- 1. Papazoglou, I. A., et al., "Probabilistic Safety Analysis Procedure Guide," NUREG/CR-2815, September 1983.
*The quantifications shown are for illustrative purposes. The appendices include the background for these quantifications. .
66
- - . . . - u . . - , . - -. . .... . ..
I
. 2. Papazogl'ou, I. A., et al., "A Review of the Limerick Generating Station Probabilistic Risk Assessment," Brookhaven National Laboratory, NUREG/CR-3028, February .1983.
- 3. Hanan, N., et al., "A Review of BWR/6 Standard Plant Probabilistic Risk ;
Ass essment, Vol. 1, Internal Events and Core Damage Frequency," ~ i Brookhaven National Laboratory, NUREG/CR-4135P, May 1985 j
- 4. " Review of Shoreham Water Level Measurement System, Revision 1," S. Levy, Inc., SLI-8221, November 1982.
- 5. " Anticipated Transients Without Scram for Light Water Reactors ," Nuclear Regulatory Comission, NUREG-0460,1980.
. 6. Shiu, K. , Sun, Y. Anavim, E., and Papazoglou, .I. A. , "A Review of the Accident Sequences Eollowing an Excessive Release of Water at Elevation 8 of Reactor Building in the SNPS, Brookhaven National Laboratory, NUREG/CR-4049, April 1984
- 7. Additional Information ' Required for NRC Staff Generic Report on Boiling i
. Water Reactors , GE Report NED0-24708, December 1980.
i
- 8. Haried, J. A., Evaluation of Events . Involving SWS in Nuclear Power Plants ," Oak Ridge National . Laboratory, flVREG/CR-2797, November 1982.
- 9. LILCO's Response to Questions on Shoreham Probabilistic Risk Ass **sment, Long Island Lighting Company, SNRC-1021, May 1984.
- 10. Swain, A. D., and Guttmann, H. E., " Handbook - of Human Re1iabi1ity Analysis with Emphasis on Nuclear Power Plant Applications " NUREG/CR-1278, October 1980. ,
[ 67 t
- ~._ . __
. _ . . < - . . . . m_ - -- . . . _:
Table 3.'1 Point Estimates of SNPS System Unavailabil'ity l Compared to BNL Review Quantified Unavailabilities System (s ) SNPS-PRA BNL Review RCIC i687E-2 7.E-2
'9.63E-2 HPCI 1.E-1 SERVICE WATER '2.12E-4 2,3E-4 STANOBY LIQUID CONTROL 21.05E-1 1. 05.E-1 RHR '4.83E-4 3.2E-4 RBCLCW '3.99E-4 Electric Power
- 125 V DC 3.66E-4 3.7E-4 480 V AC 1.4E-4 1.4E-4 Core Spray 3.62E-3 3.6E-3 LPCI 2.68E-3 2.7E-3 ADS 8.56E-4 8.4E-4 RBSYS & CHILLERS 2.33E-4 FEEDWATER 5.46E-2 - ***
RCICSC 1.40E - 1.4E-1 1.23E'1
~
CONDENSATE - - *** - HPCI [A] RCIC** 8.99E-3 1.E-2 LPCI [A] Core Spray ** 6.~ 25E-4 6.2E-4 _ RHR [A] RCICSC** 6.8E-5+ 4.4E-5+ HPCI [A] RCIC [A] ADS ** 9.5E-6 9.E-6 HPCI [A] RCIC [A] LPCI 4.0E-6 6.25E-6 [A] Core Spray ** -
- Failure of one of the three emergency divisions.
**"[A]" represent a Boolean AND operation denoting the simultaneous failure of two or more systems.
***The fault trees were used to obtain an estimate of the PCS hardware unavailability for long-term containment heat removal. BNL used 0.004 for PCS hardware uravailability and failure to run for ten hours.
+ Include repair [exp(-20/19)]. -
68
- . - . .. . . - ~ . .
.. - .. . .. -. .. . . w.."..+
Table 3.2 Human Errors Modeled in Event Trees Quantification* Time Available SNPS BNL Symbol Description of Required Action for Action PRA Review Q Feedwater Runback (ATWS) 15 minutes 0. 3" 0. 2" CLI Reduce reactor vessel water level during ATWS. minutes --- 0.19** The SNL value includes also failure to inhibit A05. O ADS inhibit during ATWS minutes 0.5 (0.2) SLC injection initiation (ATWS) *"* 0.11 0.15 C: C' Timely manual shutdown of reactor (10RV) = 1/2 hour 0.001 0.01 Q.W* Recovery of FW and PCS, including reopening M51V . minutes in ene short and long term (Transient /LOCA) - 1/2 hour various various
. hours values ** values "
V"' Condensate pumps flow control and verification of I procer water makeup to hotwell (Transtants/small LCCA): 1/2 hour 0.01 0.1 (Large LQCAs or LOCA outside containment): minutes 0.2 0.2 I (Phase !) Timely A05 actuation when high pressure injection 1/2 hour 0.02 0.02
; failed (LOOP)
I (Phase Operator error in performing early depressuriza- hours 0.1" 0.1**
!!,!!!) tion (LOOP) 4 .
I' Maintaining reactor in deprer.surized conditions hours 0. 2 0.2 (LOOP) T
'- Successful cross tie of turbine building SWS 1/2 hour 0.26 0.24*
' ~
given RSSWS failed (Loss of SWS) L Maintaining water level 3 in reactor vessel (loss of drywell cooling)*: hours 0.005 0.001* (loss of offstte power.olackout conditions)*: 1/2 hour 0.06 0.05* - G Recovery of drywell coolers or initiation of 1/2 hour 0.05 " 0.05 " containment sprays (loss of drywell cooling)* In Erroneous actuation of AOS (Loss of reference 1/2 hour 0.01 0.01 leg transtent) H Operator recognizes the need for manual initiation 1/2 hour 0.062** 0.062 " of injection (htgn and low pressure injection) (Loss of reference leg transient)
- Only significant cases are shown. The values are failure prona0111 ties. The quantified values are illustrative. and should not be used without the bases given in the Appendices of Section 5.
" Values are sequence dependent. One example is shown.
*** 30 minutes assumed available in SNPS PRA; only 5 to 10 minutes in BNL review.
- Modeling changes were made in *his case which have larger incact than the change in quantification.
f 69 t ___ J _ ._. -- _
----._m _ . _ _ _ _ _ _ . . _ . ,.
Table 3.3 Major
- Human' Errors Modeled in System Fault Trees Time Available Quantification Description of Required Action for Action in SNPS-PRA HPCI/ RCIC
- 1. Manual actuation of HPCI upon failure 1/ 2 hour 0.1 of auto-start signal
- 2. Miscalibration of all level transmitters --- 0.002**
- 3. Miscalibration of turbine pump trip --- 0.002 exhaust: pressure transmitters
- 4. Failure to control or snutoff minutes 0.1 RCIC/HPCI before water carryover upon failure of level 8 trip
- 5. Human error failure to transfer HPCI 1/2 hour 0.1 from CST to suppression pool in time, upon failure of auto transfer
- 6. Manual actuation of HPCI upon failure 1/ 2 hour 0.1 of auto start (including auto start not reset)
ADS
- 1. Manual depressurize plant given that 1/ 2 hour 0.1 automatic depressurization has f ailed ,
l LPCS j
- 1. Failure to manually start the LPCS 1/2 hour 0.1** .
pump given that it f ailed to start automatically
- 2. Same as LPCI items .(3) and (4)
- 3. Miscalibration of reactor pressure ---
0.002 transmitters l
*0nly human errors which are included in the major cut sets of the systemic l fault trees.
** Modifications were made in BNL review ~(see Appendices or Section 4.3) 70
, Table 3.3 Continued
. Time Available Quantification Description of Required Action for Action in SNPS-PRA LPCI -
- 1. Manually start the LPCI pump giv.en that 1/2 hour O'. 1 *
- it failed to start automatically
~
- 2. Manually open pump discharge valves in 1/2 hour 0.025 alternate discharge line (same as RHR)
- 3. Operat'or fails to restart LPCI as water 1/2 hour 0.003 level decreases
- 4. Operator manually shut off LPCI on high --- 0.1 level during an accident
- 5. Miscalibration of differential pressure --- 0.002 channels Electrical P~ower
- 1. Direct power to 480-V bus is not 2 hours 0.8 restored within 2 hours RHR
- 1. Start suppression pool cooling when . hours 4x10-5., ,,
required, and correct valve misalign-ments during line-up of the system
- 2. Manually open pump discharge valves hours 0.025 .
in alternate discharge lines, given that normal discharge line valves have failed SLC
- 1. Failure to manually initiate SLC 1/2 hour ** 0.1 SWS
- 1. Failure to manually initiate SWS pump 1/2 hour 0.9 upon failure of automatic initiation i
** Modifications were made in BNL review (see Appendices or Section 4.3) 71 t
....-.u . ... . . . - - . - ._w.......- :a - a.==--------
. APPENDIX 3A CHANGES MADE TO SNPS-PRA FAULT TREES The changes to the SNPS-PRA fault trees suggested by BNL are summarized in Table 3A.1 for each system, in the followins order:
- 1. RCIC - Reactor Core Isolation System
- 2. HPCI - High Pressure Core Injection System
- 3. LPCI - Low Pressure Core Injection System
- 4. LPCS - Low Pressure Core Spray System ,
S. RHR - Residual Heat Removal System
- 6. SWS - Service Water System I- 7. RCICSC - RCIC Steam
- Condensing Mode
- 8. EPS - Electrical Power System
- 9. Feedwater System
- 10. Condensate System i
The SNPS-PRA also includes the following systemic fault trees to which BNL made no modifications: ,
- 1. ADS - Automatic Depressurization System ,
- 2. SLC - Standby Liquid Control System
- 3. R.8CLCW - Reactor Building Closed Loop Cooling Water
- 4. RBSYS and CRAC - Chilled Water
- 5. Feedwater System
- 6. EPS - Electrical Power System 72
[ Table 3A.1 BNL Changes in SNPS-PRA Fault Trees Gate Gate Input i System No. Page Name Type Value Name Description j RCIC 1 7 RTOP OR HCOMMON 10-3 This is a CHF of RCIC and HPCI.which , appears on both trees, but is ignored in the PRA evaluation without explanation. - It can be justified as a steam lea'kage from HPCI or RCIC ste'am lines or valves that cause some area temp sensors to isolate these systeas. A value of 10 3 may not be too high for a small steam leakage. It was considered in the BNL evaluation of HPCI/RCIC CHF. 2 10 RLTA 10 3 OR RLU0020WI This lobe 011' system unavailability was i judged tn he too low compared with that in past PRAs, and with the unavailabil-ity of the lube oil system of HPCI, y w which is almost 8 times as high. This - 6; event was developed in detail in the HPCI fault tree,*but here.it remained undeveloped. A value of 3.6x10-3 was .I assumed. - 3 12 HAUTO OR HSWOGIDXI S.8x10-* The SNPS-PRA tree designates this manual 4 switch as common between RCIC and HPCI. The BNL review assumed separate switches for tiPCI and RCIC. 4 20 RFTT OR RHU1000XI 2x10 3 Note 3 says.that a common-mode miscali-bration of both RCIC and HPCI exhaust !
. turbine pressure trip /shutof f sensors' can 3
conservatively be made, llowever, on the '
; HPCI tree the designator HHU002DXI (page r
- 28) is used. This was changed to the !.
same designator on both trees, and j' included as CMF of both systems. It is. ' missing in the cut set resulting from l' ; il the Boolean combination of HPCI and RCIC trees (see item below). i e
Table 3A.1 Continued Gate Gate Input ! System No. Page Name Type Name Value Description RCIC 5 21 RFFT OR HHU9Q90XI 2x10 3 This event is a cut set which is missing
. in the list of Appendix J. It is also a CHF with HPCI; however", there it is des-ignated HHU001DXI. It was changed to HHUO0lDXI on the RCIC tree, page 21.
Note that on RCIC, page 9, and HPCl, page 18, there are two other'HHU9090XI miscalibration events of level 8, but these are errors "too low". The HHUOGIDXI then designates miscalibration error of level 8 "too high". 6 22 RFLVCI OR ---- 2x10 3 BNL added input RHU2000XI to account for miscalibration of low pressure sensors, s
. giving false isolation valve closure. -
7 2T RPMDI OR RTRID 10 3 Not appearing on cut set list even though instability in turbine exhaust is a poten-tial trip mechanism in subsequent starts, the same way as it was on initial start. 8 App. J The discussion here implies that, at some page time, RCIC had 29 cut sets rather than the J-36 28 shown. This needs correction. .
, HPCI 1 5 ftFTG AND flPRESI 2x10 3 This is true for LOCA initiators, but not for transients with successful scram, in which it takes at least one hour to reach the 1.7 pst drywell pressure setpoint if -
RHR is not cooling the suppression pool. It was separated into the above two cases, so that, in case of a transient that does' not cause 'drywe'll pressure, an event HPR = 1.0 was added to the OR gate HPRESI on page 6.
.i .
I I Table 3A.1 Continued
~~
Gate Gate Input - System No. Page Name fype Name Value Description HPCI 2 9 YREF il. OR YHul000XI 10 3 ' A value of 0.05 for failure to replenish water to CST was used in BNL review. 4 3 12 HINTHAN 2.47x10 3 OR HSWOOlHWI This failure of manual switch received an
' hourly failure rate rather than the per
- demand failure ~ rate of'5.8'10-9 x given elsewhere for similar events. See HPCI fault tree, page 4, event HSWOGIDXI. .
4 15 HINTS OR HPRBD --- This event is developed on page 29 under ' the name HSPH. HPRBD changed to HSPH. *l Other similar changes should be made on these two pages.
- 5 16 HPM OR HCOMMON 10-3 Included. For description see RCIC item
?X No. 1. '
6 23 HLUBE 4.5x10 3 i OR DWI Auxiliary oil pump is used for startup of i HPCI turbine and when the turbine gains ; j speed the shaf t driven oil pump begins to i supply the hydraulic pressure. Should , t the shaf t-driven oil-pump sulfunction, ! {' causing oil pressure to. drop, the auxil-lary oil pump restarts. The fault tree. , i - nevertheless, assumes both pumps are re- ' quired and puts them in series. The cut sets of Appendix J ignore DWI for the shaft-driven, i.e. assume they are in. I' 4 i parrallel. This should be clarified. - Until then, a conservative assumption is that for long-term success of HPCI (10 hrs) both are required. . i
? t.
4 '! y
, e t A
e
, Table 3A.1 Continued Gate Gate Input -
System No. Page Name Type Name Value Description HPCI 7 24 HOT OR HMV0070QI 1.24xid" Typo error: NC' -FC should be NO-FC'. 8 28 HSPT OR HHU002DXI 2x10 4 Was changed to RHU1000XI. See RCIC item . 4 for description. . 9 34 HIND AND HCV0190PD 3.33x10 5 1) The data base value of the check ' valve failure is 10-4 per demand. There is no apparent basis to assume 1/2 of its failure rate in subsequent starts. 10 4/d was assumed. i 1
- 2) Automatic transfer to sup'pression pool suction precludes use of CST. The
!. analysis assumed the probability of i this event to equal.l.0 after 1 hr, Si when automatic transfer on high sup- ! pression pool level was assumed. How-
! ever, this is not correctly modeled in the fault tree. Event HCV0190PD
,
- should be replaced by OR gate with two inputs:' HCV0190PD for the first hour and HINAUTS for the case of the <
probability of high level in suppression pool = 1.0. 10 App. J The discussion here implies that at pg. J-36 some time HPCI had 40 cut sets rather than the 39 shown. This needs co. rec-tion. - t h o -
i ;;
. j Table 3A.1 Continued i I,
Gate Gate Input I~ System No. Page Name Type Name Value Description
.LPCS. 1 4 LILOG2 AND LPRA 2.0x10 3 Value of 1.0 was used for these inputs in and LILOG2 LPR8 + the case of transient. For LOCA and ATWS
- 5 LPRC 2.7x10 3 the value of the input remains unchanged.
, LPRD 2 2 LPCSI OR ---- ----
Added to each of these "0R" gates the LPCS2 event "LSP" which mainly stands for fall-ure of suppression pool due to clogged strainers .and which is included in the SNPS-PRA. cut sets list. (ZFL100HEI = 5x10-5). See also LPCI fault tree. page 4, and HPCI fault tree, page 11. [. ' 3 13 LDIDIS OR LMV05DPI 4x10-3 Changed to 9.3x10-3 to account for less i D' frequent testing as stated in SNPS-PRA l . note 10 to the LPCS fault tree. l 4 14 LD2 DIS OR LMV058DPI 4x10-3 Changed to 9.3x10-3 as above. r
- 5 4 LAUT0 OR LHU5000XI 0.05 Should be changed to event "AHU1990XI" 1 i and + appearing on page 13 ofsthe ADS fault I j LHU6000XI 0.05 tree. This accounts for the failure of l the operator to initiate low pressure injection manually following failure of the high pressure injection. It is assumed that. failure of the operator to.
Initiate ADS will. result in his failure i j to initiate the LPCS or LPCI, i.e., these are dependent failures. - I l-i (__ -* , _ _ _ - ~- '--
o Table 3A.1 Continued i
. Gate Gate Input System No. Page l'
. Name Type Name .Value Descript1on LPCI 1 2 DilA AND LIAUTO small The changes made by BNL to the LPCS a
tree (see LPCS No.1) will change this entry on the LPCI fault tree to - 2x10-3,
' and it.will appear.in the cut sets list ;
l of the system as "HHU7200XI x AHU1990XI," a contributing 2x10-4 to the LPCI - unavailability. q 2 2 DilA AND DHulllDXI 0.1 Changed to the event "AHU1990XI," which appears on ADS f ault tree, page 13. See comment LPCS No. 5.
~
RHR 1 4 DSTAX OR DFLOIAHEl 2.6x10-4 This is a " single strainer blockage /f all ( 1 ure" of the suppression pool strainers. M ' This should be a CMF of all strainers and be common'to'both HPCI and'RHR. It was changed to the notation "ZFL100HEI" as 'f, on the HPCI fault tree (page 11) and
, quantified as 5x10-5 2 5 DHUM OR all 4x10-5 These are operator and procedure errors entries that cause failure to align the RilR {
1 to the suppression pool. This event can be reasonable for the first few hours following an accident, but the probabil-ity of its occurring 20 hours af ter the accident sequence initiation is assumed ,' to be lower--in the 10-6 range. Hence, i it is not included in the BNL list of . contributors in Section 3.3.2.6. e l 1 1 ' p
h Table 3A.1 Continued Gate Gate input
- System No. Page Name Type Name Value Description i
SWS 1 3 WEWlA OR WATER 3x10 5 Deleted. This is an external event and, as such. is not considered in the current scope of the PRA. , i 2 3 WEWlA OR WFL480HEl 5x10-5 Included in the fault tree analysis. Even though this event appears on the SNPS-PRA fault tree, it was excluded from the. list of cut sets. BNL included it as a cut. set of SWS. , , RCIC in 1 4 RHXWA OR DHXA ---- The "DHXA" and "DHX8" are inputs trans-Steam DXH8 ferred from the RHR fault tree. These i Con- gates should transfer-in the unavailabil-i - densing ittes of Service Watet' Systems loop A and i y Mode loop 8. The cor. rect gate. names on RHR or - [, i SWS fault trees are, however, "WEWA" and *
"WEWB." This was changed by 8NL.
2 4 RHXWA OR - - - - - ---- A new gate named "WMV34ADPf" (and .
"WMV348DP!") had to be added to account for the failure of both H0V34A and NOV34B on the RHR heat exchanger outlet from the SWS side.
3 6 DHXATSP AND several several This gate has a subtree which is more ac- - curately developed in the RHR fault tree, pages 11.12, and .13. A transfer-in frne the RHR fault tree was included in the ' BNL re-assessment.. The main difference - 1 i is that event "DHU471DXI for " operator fails to manually realign flow path dis-charge to suppression pool" is missing in
, the RCIC in the steam condensing mode ;
fault tree. . J e Of
Table 3A.1 Continued i Gate Gate Input System No. Page Name Type. Name Value - Description RCIC in 4 4 RHXWA OR ---- ---- Added a new gate to the fault tree named Steam event "DMV48ADWI" (and "DMV4880WI"), Con- which appear. on page.6-of the RHR fault densing tree. This is the failure of the bypass Mode valves of the RHR heat exchanger, causing flow diversion.
~
Conden- 1 1 FLPINJ OR ---- ---- A new input was added with the name sate "FHU2120XI" and a value of 2.5x10-2, System similar to page 3 of the feedwater system fault tree. It stands for "Long-term operator actions to control conden-sate flow an'd makeup during cooldown." 03 2 8 FCPA OR ---- ---- New inputs were added "FCPA" and "FCP8" o FCPB transferred-in from page 15 of the feedwater system fault tree and also "FCPBA" and "FCP88" transferred-in from . page 17 of the feedwater system fault
- tree. l 3 14 FSJ DR several several This gate should be an "and" gate, exact- ,
. ly the same as in the feedwater system
, fault tree, page 16. 4 21 FLPHBY OR several several This gate should be an "and" gate. l 5 21 FAVTOBY AND several several This gate should he an "or" gate. , J 9 9 m- - - w - -
. _ - . .- .. . . _ _ - - . _ a. ,.a _ _. _, ,._
- 4. -
CATA~ ASSESSMENT . . . This section reviews.the numerical values of the parameters necessary for
- the cuantification of the accident sequences. Subsection 4.1 presents the SNPS-PRA frequencies for the initiating events along with the BNL assessments. Subsection 4.2 ciscusses tne SNPS-PRA data base used in the evaluation of component unavailabilities 'along with the BNL evaluation.
Comparisons with .the LGS-PRA are also presented. 4.1 Frequencies of Initiating Events ' 4.1.1 Initiating Event Frequencies Used in the SNPSJRA l The SNPS-PRA considered six groups of initiators:
- a. Transient . initiators excluding loss of offsite power ~(LOOP) witn successful scram, f ,
I
- b. Manual shutdown initiators,
, c. Lo'ss of coolant accidents (LOCAs),
. d. Transient initators without scram (ATWS), .
) e. Low frequency transient events, ,
- f. Loss of offsite power initiator.
J l The frequencies of these initiators are treated separately als.o in the BNL review as described in the following subsect. ions. The frequencies of tians'ient initiators used in the SNPS-PRA were based - on data included in an EPRI-NP-801 report 5 which summarizes experiential data obtained from twalve operating BWRs and covers plant histories up to 1978.
, The frequency of manual shutdown events was taken from an SAI report7 . -
l LOCA frequencies were based on a 1977 EPRI reports. The SNPS-PRA evaluated ; tne frequencies of large, medium, and small LOCAs inside the drywell accorcing i to that 1977 EPRI report. It also calculated the frequencies of large LOCAs I i outside containment, and of interf acing LOCAs. That first was calculated according to f ailure rates taken from WASH-1400 and pipe length and isolation
- considerations. The calculation of the latter was different from that in WASH-1400; the data are based on Ref.15, which summarizes LERs on valve fail-ure, and the analysis is similar to that in an NRC work 16, Frequencies of initiators coupled with failure to scram Sere based again on Ref. 5, with use of the same values Aerived for transients multiplied by the probability of failure to scram.
, O Low frequency transient events such as loss of DC, containment flooding, ! loss of service water, loss of reference leg in the water level measuring sys-tem, and loss of drywell cooling (see Table 4.1) were considered again on tne ~
basis of LER data, or, if the latter were unavailable, on the basis of esti-mated system failure probabilities. i , 81 < t
.a : . u : . . w. ._ : - w._ - . . :.. -
I
'The frequency of the loss of offsite AC power initiator was given plant '
specific treatment in the SNPS-PRA with use of LILC0 fossil plant LOOP experi- I ence gathered since 1965. Table 4.1 gives the frequencies used in the SNPS-PRA for the 'six groups of transient initiators, manual shutdown, the LOCA initiators , initiators coupled with a failure to scram, other low frequency transient events, and the LOOP frequency. SNPS-PRA values are compared with results of the BNL review. 4.1.2 BNL Assessment of the Initiator Frequencies
- a. Transient Initiators with Successful Scram .,
An independent assessment was conducted to determine point values and associated distributions for the frequency of each one of the transient initi-ators used in the study. The assessment is based on experiential data obtaf'ned from sixteen oper- , ating BWRs 6 and it includes both generic (i.e., characterizing the whole popu-lation) and particular (i.e., plant-specific) evaluations. The technique used is based on the "two-s tage " Bayesian approach
- first proposed and used by Kaplan l in the Zion and Indian Point PRAs 2 ,3 and as modified ' by Papazo-glou". The basic assumption of this method is that there is .a'n actual varia-bility in the frequency of each initiator within the' population, but the characteristics of. this variability are not exactly known because of limited information.
The technique calls for the assessment of a prior distribution for cer-tain parameters. This is equhalent to assessing a prior , distribution, 'for the frequency of the initiator, that characterizes the pl' ant population. prior distributions are then updated .by using experiential data. 'In ,The the present assessment, the prior distribution for the initiator that character-izes the plant population was practically log-uniform in the range of 10-"/yr l to 10+1/yr. \ ( The data were obtained from a recent EPRI reports that provides informa- I l tion on occurrences of 37 types of transients in BWRs. The data consist of J 910 events occurring over 101.5 plant-years at 16 different plants. Means, medians, and five and ninety-five percentiles have been determined for each of the 37 initiators considered and for each of the 16 different plants. For each initiator, a distribution was also generated to represent the population as a whole. This distribution best characterizes the uncertainties in the frequency of initiators for plants (such as the SNPS) that belong to the population but for which experiential data are not available. The population distributions were further combined according to the grouping previously described (Section 2, Table 2.11). Table 4.2 sumarizes and compares the results of the SNPS-PRA and those of the BNL review. The grouping of the transient initiators is indicated in parenthesis; the numbers )
~
*Because the SNPS has not started power operation, there are no plant specific -
transient data from the plant, and a one stage Bayesian approach was used by BNL. 82 *
, _ __ . .n . a . c.,e _ +
-- - -~m-
.s. .- ____ ,. .
. / ,
show the initiator sequential number as it appdars. in. EPRL NP-2230s. The groupings of the . 5NPS-PRA were not changed in tPrBRL, revfew, a
' s stated in Section 2. '
, s .: -
- % ;y The first four colur.ns of Table 4.2 shw the SNPS-PRA 'results. The next four columns show the results obtained by applying the same SNPS methodolooy to the more recent data ' source6 . The 8 two last columns,pfesent BNL results cM'g k '
tained by using the upaated source and the two-stage'Bayesiarimthe<1glogy . ; Most of the increase in BNL initiator frequenc.ies is seen~to fc/ derived -from $t the updated experience of BWR-related eventss . In the BNL+ Mdepeident assess-ment, the valuws - in the last column of Table '4.2 were upd.ylhg basispfor this choice is further explained below. Qf y , s 7 v,. , The results in Table 4.2 are generic initiator frequencies 7 At least in one case there is'some plant rMcific information that suggests a lower initi-ator frequency foy Shoreham. lithe Shoreham plant utilizes Target Rock two stage SRVs which Qrt more reliable than those SRVs which are includert in the - data base for the 10RV.. Thus, a lower 10RV frequency can be anticipated for - SNPS than used,in tne PRA or injthe BNL review. However, .the ef fect of this transient on the results is very.small, and a reduc,ed initiator frequency for 10RV would noffiiave any significant effect. The SNPS-PRA differe.6tiated between the impact of failures during the first year of plant op% ration 'amt of thost in. later, years. BNL concluded, however, that the data' base .tised5,was not sufficiently refined for this pur- ' pose. The later EPRI-NP-2230 updates 'showed that the impact of ignoring the first year of plant operating Jexperience causes a reduction of about 20% in initiator frequencies (see last two columns of Table 4.2). In addition, BNL considers the " weighted average" )pproach ot*the SNPS-PRA to result in s1all , underestimations of the initiator frequencies,.due to the lack of experience fra:i aging plants (after 30.to 40 years of operation), which may,be comparable with the' first-year frequencies .In the number of Pche.llenges' ~ ~ ' because of - increased failure rate (wear-out).
- The purpose of subtracting the data for the first year-of operation was to obtain transient initiator frequency for the evaluation of risk associated .
with Shoreham during mature plant operation. The BNL review is aimed at obtaining the average risk associated with Shorenam during the' entire lifetime of power. operation. TMs can be obtained by deriving the initiator frequency from the data of EPRI-NP-2230 for all years of operation. Note that tnis EPRI report, includes, on the average, experience from 7 years of a plant operation; thus tNe first year of operation is weighted VJ (and not 1/35 as in tne SNPS-PRA). As shown in Table 5.16 of Section 5-3, the difference between these two assumptions amounts to 10% in the total core damage frequency for SNPS. Therefore, it was judged by BNL that/the last column of Table 4.2 using tne entire data base is at this time (prior.to tne plant's first year of opera-tion) more appr>priate for the assesment.
. b.# Nanual Shkdown Initfa' tors
.The frequency of such ' initiators has a relatively low impact on core d jaige p'robability. Considering- the limited-funds and time allotted to this
. review, BNL chose not to review it in detail. The value chosen in the f ,, ae # ,
F
, 83
!-?
m, , - _ ,
--. -- - _. - _ . ~ ... . . _ - - .
SNPS-PRA, basically taken from Ref. 7, appeaas to be in the reasonable range, and it was used in the assessment. .
- c. LOCA Initiators The LOCA initiator frequencies used in the SNPS-PRA for large, medium, and small LOCA, as well as for LOCA outside containment and pressure vessel failure, appeared to be reasonable when compared with tne available data s and tnerefore were not independently assessed. The frequency of interfacing LOCA was evaluated separately in more detail ( Appendix F of the SNPS-PRA). The I SNPS data and analysis were reviewed by BNL, and the results are cogared with the SNPS-PRA data in Table 4.3 . The frequency of core damage in Class V was significantly affected by these changes; that in Classes I through IV was not. The main changes are due to the different approacnes used in the SNPS-PRA and the BNL review:
a) The SNPS-PRA used valves i'ailure rate from LERs, whereas BNL used six specific LERs, which are interfacing LOCA precursors. b) The SNPS-PRA used only leakage and rupture failure rates for MOVs. BNL also considered spurious opening. Appendix SC.2 includes further descriptions of the different approaches in the BNL review and tne SNPS-PRA.
- d. ATWS Initiators
~ ATWS initiator frequencies were derived easically from the corresponding transient initiator frequencies, with some minor exceptions. In the SNPS-PRA, turbine trip ATWS events were evaluated by using a turbine trip initiator event tree (see Figure 4.1). The tree considered whether feedwater was prop-erly controlled, whether turbine bypass was availabl'e, and whether condenser heat sink was available. Failure to balance feedwater, or failure of the tur-bine bypass or the condenser heat sink, was conservatively assumed to nave a plant response similar to that of loss of feedwater..tne MSIV closure, or loss ~
of condenser events. Figure 4.1 shows the quantification method by which the turbine trip frequency us calculated, and also the fraction of the turbine trip initiator frequency that was transferred to the other ATWS initiators. BNL analyzed the sequences following turbine trip and prepared an event tree similar to Figure 4.1 which is shown in Appendix SD Figure 5D.8. The main difference in the BNL event tree is that BNL considered it more appropri-ate to treat the feedwater runback on tne functional event trees for ATWS. ' The feedwater runback is one part of a set of procedural actions wnicn the operator has to follow progtly. These actions also include manual actuation of tne SLC syst em, reducing level and maintaining it above TAF, and ADS inhibit. In BNL's judgement, these actions are partially dependent.
.The differences in the quantification of Figures 4.1 and 50.8' result from the use BNL made of the turbine trip transient functional level event tree (Table 6A.1). The same values are used in ATWS Figure 50.8 as in Table SA.1 for the transient witn successful scram.
84
^ '
..:... - +.. r '
Th'e resulting ATWS initiators frequencies for the SNPS-PRA and the BNL review are compared in Table 4.1. For total ATWS frequency, the SNPS-PRA values of 5.49., given all power levels, and 3.87, for. power levels above 25%, are compared with BNL values of 9.61 and 7.34 respectively. The difference for power level above 25% is almost 100%. This is because EPRI-NP-801, used by SNPS-PRA, has 60% of the data f rom the first year of plant operation which includes many cases of low power testing' . EPRI-NP-2230-removed the data that belong to the time between first criticality and the start of commercial operation. Thus, in EPRI-NP-2230, only 33% of the data are from the first year of plant operation...
~
The difference between the values of SNPS-PRA and BNL for the particular initiators is also due in part to the different treatment of feedwater runback which was discussed above. In summary, it can be expected that about a factor of two difference between SNPS-PRA and BNL review results for ATWS core damage frequencies stens from the different sources of data for evaluating the initi-ator frequencies. Additional discussion is provided in Appendix 50, and in particular in Table 50.2.
- e. Low Frequency Transient Events These. events include the following:
a) Loss of DC power bus, b) Reactor water level measurement system reference line leak, c) Drywell cooler f ailure, ' d) Loss of service water, e) Excessive release of water into Elevation 8 of the reactor building (Maintenance and Rupture). . Thy frequency of loss of DC power bus initiator was based on a f UREG report 2 which takes into account DC bus related LERs and calculates a f requency of 6x10-3 per year for a bus failure. A recovery f actor of 0.5 was used on the basis of considerations from this report, which SNPS says that it implemented in its design and procedures. l The frequency of loss of a reference leg and of a drywell cooler were ' based on LERs. Loss of service water frequency was derived from the experience of no loss of service water in '400 BWR reactor-years, giving 0.0025 as a conserva-tive value. BNL used a frequency of one event in 600 reactor-years. The frequency of excessive release of wat$er in Elevation 8 was calculated quite differently in the PRA and by BNL. Shiu25 provides the details of the two approaches. The SNPS-PRA event frequency is given in Table 3.4-25 of the j PRA (page 3-263). BNL used Markov modeling and recovery considerations l 85
*l
3 different from those in the SNPS-PRA, which resultad in an increase of the total flooding initiator frequency (see Table 4.1). The retults of the BNL assessment are listed 10 Table 4.1 along with the values used in the SNPS-PRA, LGS-PRA, and RSS. Because of its importance, the frequency of the loss of offsite power initiator is discussed in detail here. 4.1.3 Loss of Offsite Power Initiator The, frequency used for the loss of offsite power initiator in the SNPS. PRA was derived from non-nuclear ' plant egerience and reflects. only Long Island Ligh~ ting Company (LILCO) foss'il-p'lant data' . The ' data cover the period January 1,1965, through January 1,1981, for LILCO plants with three or more circuits emanating fr.om them. The data con. sist of th'e.following for each plant: I {
~
~ o Years of operation during the period January 1, 1965, to January 1,1981, o ' Number of outages , 1 1
o Duration of outages. ~ Table 4.4 sumarizes the LILCO specific' grid reliability data. In total, these plants had four occurrences in 61.5 plant-years. The loss of offsite , power was calculated as follows: l TE
= occurrences + hypothesized incipient failure , !
years plant experjence TE= 4+1 = 0.08/ year . ' 61.5 The SNPS-PRA' methodology for evaluating the frequency of loss of offsite power does not consider any regional nuclear power plant experience. The SNPS-PRA - acknowledged that "the specific case applicable to SNPS is the Northeast Power Coordinating Council '(NPCC)" (SNPS-PRA, page A-192); however, this effect was not included. The BNL assessment of the frequency of the loss of .offsite power initiator and the associated uncertainties were derived from the nuclear plant experience of the NPCC, which includes New York, Massachusetts, Connect-icut, Vermont, and Maine. Fossil-plant experience was not included to remain consistent with current nuclear plant PRA practice, which does not include non-nuclear plant experience in the quantitative estimation of the frequency of loss of offsite power, and their recovery probabilities. BNL believes that both the probability of LOOP and the recovery probabilities as a function of time should be calculated from the same data base. This is done in this review as described below and in Section 4.1.4. The technique applied to assess the frequency of loss of offsite power and the associated. uncertainties is described in Subsection 4.1.2 and in more detail in Ref. 4 This ' technique takes 'into account the LOOP experience of other nuc belongs. lear The plants in theand methodology samedataelectrical used by _reliability council BNL to assess the to which LOOP SNPS frequency 86
. . - . _ . _ _ _ , _ , _ _ . . _ . . ~ . , ~. %w. .m .. . . ~ .- . . _ _ _ _ _ _ . _ . _ .
are different from those used in the SNPS-PRA and reflect 'the difference between the the SNPS-PRA and the BNL LOOP initiator assessed frequency, The results for the N?CC,.to which the SNPS belongs, were used in the BNL review. The data used were taken from Ref.10, in which the less of offsite power is categorized into four group-s. The first group includes total loss of
. offsite AC power in nuclear power plants, and this was used by BNL. However, the loss of offsite power during cold shutdown (group four in Ref. 10) was
, included by BNL in the final evaluation for LOOP frequency (Table 4.5) because the LOOP frequency should be evaluated on a yearly basis, and the mode of plant operation is irrelevant to the LOOP frequency. These events,'if caused
.- by maintenance error, are recovered immediately, and this is taken into account in the recovery probability distribution. The results of the analysis
- are given in Table 4.6.
Since the SNPS is a new plant, not yet in operation, and therefore lacks plant-specific data, the appropriate values are those characteristic of the , population of this particQiar reliability council. That is, the SNP3 should be treated as a plant taken randomly from the population of NPCC plants. BNL's judgment is that utilizing merely LILCO fossil-fuel plant experience in 1 calculating LOOP frequency, and using generic nuclear plant data for recovery -
'protabilities rather than the same set of data used for LOOP frequency, is not a consistent and realistic approach.
The mean value of 0.15 occurrences per year (see Table 4.6) was used in i
'the SNL revie'w for the frequency of the LOOP transient initiator.
k In the RSSMAP Grand Gulf PRA, this frequency - was assumed to be 0.20 occurrences per year and in the Big Rock Point PRA, 0.13 occurrences per year. In the RSS, nuclear power experience was considered for the year 1972 which included three LOOP events. These events occurred in about 150,000 operating hours, giving a point estimate for the rate of 2x10-5 failures per hour er 0.18/yr, * '-' 4.1.4 Recovery of Offsite Power The probability of recovery of offsite power, within a given time, was - assessed in the SNPS PRA by using EPRI-NP-2301 data base8. The data repre-senting tne entire population of U.S. plants was used in the SNPS evaluation. The recovery probability was simply taken as the percentage of events that were recovered in a particular time interval of interest. The BNL review used updated data taken from Ref. 10, which reconcile many of the differences between Scholl' and EPRI-23018 data. However, in BNL'sjudgment, events of type (Y* snould be included in the data base (as discussed in Section 4.1.3 above). Their recovery time was included. The number of events for the NPCC region is sufficiently large to be considered separately rather than the data from the overall U.S. population of nuclear plants. 1 In the BNL approach, the recovery times were assumed to be lognormally { dis tributed. Next, the two parameters of the lognormal distribution were
'No offsite power available during cold shutdown because of special mainte-nancg conditions that do not occur during or immediately following opera- j tion '
l \ 87 1 e
assumed to be random variables distributed according to given probability density functions. The experiential data for the 10 plants of the NPCC were updated through December 1983 (Table 4.5) and then used for a Bayesian updat-ing of the assumed prior distributions for the two parameters. Finally', by
" averaging out" the dependence of the distribution of the recovery time on the two parameters, a " Student t" distribution was obtained to represent the distribution of the recovery times.
The probability of not recovering offsite power within a given time is . calculated from the complementary cumulatjve distribution and is shown in Table 4.7 al6ng with the SNPS-PRA values. The use of data from Ref. 10. "as is" without modification resulted in a LOOP frequency of 0.13 per year; however, ,the associated recovery probabili-ties were lower than in the case discussed before. Table 5.15 compares the results of both cases and shows that they are basically giving ,the same results. Thus, the inclusion of the LOOP events occurring due to maintenance at plant shutdown does not affect the . core damage frequency results. 4.1.5 Conclusion The frequencies of the initiating events determin' deby the 'BNL approach , differ, as shown in Table 4.1, from those used in the SNPS-PRA. The BNL-assessed frequencies 'of the initiator events were used to quan-tify the accident sequences. In Section 5, the relative contributions of the initiating event frequencies to the total core damage frequency are reported. It is seen there that the changes in the ATWS frequency, LOOP initiation frequency, MSIV closure frequency, and ~ turbine trip frequency are the most important. . 4.2 Component Unavailabilities 4.2.1 SNPS Data Base
^ '
The data base used in the SNPS-PRA to quantify component failure rates in the fault tree models comes from four basic sources: o Licensee event reports (such as Ref.14 and 15), ' o General Electric BWRs operating experience data (such as those in the LGS-PRA), o The Reactor Safety Study (RSS), o IEEE reliability data for electrical components (ANSI /IEEE std. 500-1977). The priority for data selection followed the above listed order. This has resulted in many cases in which NRC LER data was used. The maintenance and test data used in the SNPS-PRA are, in general, said to be obtained from GE operating experience with BWRs. The technical 88
- - , ~
1
.,_.k .l.__ [ ..m .
%; . - I . _. ; , ... y --
specification values and the test frequencies are dervied from SNPS draf t technical specifications (February 1983). ; The' probability of diesel generator failure to " start and run" and the l 1 conditional probability that multiple diesels will fail, giv'en the probability of the first diesel failing, which were used in the SNPS-PRA, are evaluated in , its Appendix A.5. The values appear to be in the appropriate range. They t i were further reviewed by BNL (see Section 4.2.2 below), and recovery data 'of a diesel generators were also reviewed and slightly modified, j i , 4.2.2 Data Assessment for Diesel Generator Availability ; The SNPS-PRA uses data from nuclear power plant operating experience to characterize diesel generator performance in case of Loss of Offsite Power. The experiential data sources are two EPRI reports (NP-2099 and NP-2433)22,23 and the MUREG/CR-1362 reportl ". F 4 From these data, the SNPS-PRA calculates three sorts of information needed for the event-tree quantification: , 2
- 1. The probability of a single diesel generator failing to start on :
demand. .
- 2. Thit conditional probability of multiple diesel fat tures given ,that l one diesel faileau
! 3. Data on the length of time required to restore a diesel to operation
- (recovery times). i The approach used in the SNPS-PRA to obtain these data,' and the BNL i review connents and ad' opted values, are discussed in the following sections. '
- a. Probability of a Single Diesel Generator Failing to Start j The SNPS-PRA used a value of 2x10-2 per demand for the failure to start _ r 4
probability of an average diesel generator. This is an average value derived [ from assessment of LERs of 36 plants, obtained mainly from NUREG/CR-1362 b. : BNL considered the value to be a reasonable choice at the time the PRA was
- I performed. Newer data in NUREG/CR-298920, published af ter the SNPS-PRA was .
completed, support this average value. The new data include failure to start i l probabilities an average value (for of about 40 g/d.iants) 2.2x10- If aranging fractionfrom of the 3x10-3/d autostart to 6 failure 25x10-2/d is with t also considered to contribute to the overall failure to start probability, a value of 2.5x10 2/d could be used, and that is the average value cited in NUREG-CR/2989 (see their Table 9.5.19). However, this NUREG report is aimed ; at obtaining plant specific diesel generator $' unavailability ~ estimates, and ! provides abundant information for this purpose. Apparently there are plans to modify the SNPS diesel generator design configuration and hardware, but they
, were not included in the version of the PRA reviewed by BNL. Rather than using plant specific values for an evolving design, BNL decided to replace them by conservative values from tne older NUREG/CR-13621 ". The sensitivity study in Section 5.3 shows the effect of.an improved diesel-generator design i i
using NUREG/CR-2989 data as. given in Section 4.2.2b below. The value psed in
- this report is the same as that in the SNPS-PRA, 2x10 2/d. This is based, in 89
.,~,_._s . . - , , , _ _ _ , . . _ . _ . , _._.,,,_,,_a- m_.._ . - . ,,, ,. ..,... , m. , ,..... ...,_ , .e ,, -..._,,,.4,y
. .: _- . ~
~ ^
, _ - ~ .
l l l the BNL revisw, en the NUREG/CR-1362 data base with one week between tests, l and includes failure to run during the first hour (Table 20 of Ref.14). The i above discussion is sumarized in Table 4.8. , l
- b. Conditional Probabilities of Multiple Diesel Failures The SMPS-PRA used the data from plant 0 (Plant-X in LGS-PRA 17 --see their Table A.S.9), because these were t.he best single-plant applicable data. The LGS-PRA esed a value obtained by averaging plant Q, Cook, and Zion values, the RSS value, and the .NUREG/CR-1362 values. All the values are quite close, as
, seen in Table 4.8. From NUREG/CR-2989, a value for the f ailure probability of the third diesel given that two ' nave f ailed P(3/2) can be easily derived, i which is also similar to those cf the SNPS and LGS-PRAs. To derive a value for P(2/1) from NUREG/CR-2989 a specific design must be assumed. When Table A.8 is ccasidered in its entirety, the values of SNPS-PRA appear to be on the high side of the spectrum of generic type values. This is thought to be suit-acle until information on the' ShP3 specific design for upgrading is sub-mitted. Data .from NUREG/CR-2989 could be used in such a case. BNL therefore used the SNPS results, but f6r sensitivity study purposes , evaluated the following tralues:
o Failure to start on demand 1x10'-* o P(2/1) 0.11 o P(3/2) 0.40 These are examples of values derived from NUREG/CR-2989 for a design with three dedicated diesels, using average procedures and having service water c h ling. .
- c. Recovery Tines for Diesel Generators i The SNPS-PRA used the recovery data from NUREG/CR-1362 1
after comparison with Peach Bcttom data. Irt its Accendix A.5, recovery of diesel generators _
within the first half hour is argued to be uncertain, and a value of 1.0 for nonrecovery is suggested, but in the LOOP event tree, a value of 0.88 is used. A value of 0.95., whicn is consistent with Peach Bottom data and with f GS-PRA recovery data, is used in the BNL review For all other recovery times, BNL used the SNPS-PRA data, which are the sane as those in the LGS-PRA.
- d. Summary of Data for Ofesels In sumnary, the data used by BNL are not very different from those used by the SNPS-PRA. Both are generic, consistent with LER data, and quite i tonservative when a weekly testing interval is assumed.- However, the data are not plant specific. BNL recomends that, for a modified SNPS design (if submitted), the unavailability should be evaluated on the basis of data from 20 7 HUREG/CR-2989 or other comorehensive new studies. ,
l 4.3 Human Error Probabilities l As stated in Secticn 3.4, two different types of human errors--procedural and cognitive--are considered in evaluating the system unavailabilities. The l 90 e
, wa - - . - - ,, ,
-- - . . ~..____; . __ _ _ ._. _
procedural human errors were based, in most cases, on NUREG/CR-127824 and were not part of the BNL review. Major procedural errors affecting the systems' unavailability are shown in Table 3.3 along with the probabilities used in the SNPS-PRA. In most cases BNL used the same values or model (see footnote to Table 3.3); in only one case, the mi.scalibration of all sensors, did BNL use a different value for a procedural error probability. The value of 2x10-3 used for miscalibration of all sensors (event "HHU7200XI") is developed in the SNPS-PRA Appendix A.3. It is derived simi-larly to the NUREG/CR-1278 Human Error Probability (HEP) tree *, out different quantification of the HEP tree results in a more conservative estimate of'the gross miscalibration of all four level sensors. The SNPS-PRA mocal includes (Appendix A.3 page A-120): a) Use of a faulty setup such as a wrong scale or connection at an incorrect point. This was conservatively quantified by.a probability of 10-2, , I b) Technician rechecks the setup and recovers the gross miscalibration in the second sensor with a probability of 0.7. c) Technician rechecks and corrects the error in his third calibration with probability 0.3. d) All other sensors would be miscalibrated given the technican failed to de't ect the error in the. first two cases. This model resulted in a probability of 2x10-3 for gross miscalibration in the SNPS-PRA. It does not consider staggering of the calibration procedure. NUREG/ CR-127824 distinguishes between smdll and large miscalibrations. For .the small miscalibration of all four channels the probability from the tne ~ HEP tree is 5x10-", mainly because the HEP tree assumes a probability of 0.9 for step.(c). This is based on the assumption that a technician may accept a small change in the calibration for one channel, but in 9 out of 10 cases he will realize that something may have gone wrong when he finds a small change - in the second channel also. For luge miscalibration, NUREG/CR-1278 assumes that tne recheck proca-bility is 0.9 for step (b) and 0.99 for step (c). Thus the HEP tree gives a probability of 5x10-6 for large miscalibration. BNL considered the value 5x10-6 too small if special procedures are not used, but found the value 2x10-3 unrealistic for the large miscalibration needed to fail the -level 2 and level 1 auto start of HPCI, RCIC, ADS, LPCI, and LPCS. BNL considered a value smaller than 2x10-" to be realistic wnen miscalibration procedures are available that guide the technician to recheck his setup whenever he. finds a significant change in calibration to be required. The list of the major cognitive errors introcuced in the SNPS-PRA is given in Tables 3.2 and 3.3. The number of quantification changes performed "NURE6/ CRelua" August 1983 Revision, page 10.7. . 91 t
-- - :. - . .. .. . . - . ~ . . _ _
by BNL in the cognitive human errors is significant. Most of these changes are based on the judgment of the total time available to the operator and the number of additional actions he would be required to perform concurrently. In most cases they involve changes made in the event trees (see Table 3.2), , and are explained in the tables depicting the revised event trees in Appen-dices SA to SG. The remaining changes made in the cognitive errors are shown in Table 3.3 and discussed in the next paragraph. The SNPS-PRA treatment of.the manual initiation of ADS, LPCS, and LPCI, given the failure of the auto start of all three, is as follows: ADS: event "AHU1990XI" = 0.1, which stands for " Operator fails to initiate ^ ADS given auto system failure." i LPCS: events "LHU5000XI or LHU6000XI" = 0.1, which stands for " failure to manually initiate LPCS." - LPCI: event "0HU111DXI" = 0.1, which stands for " failure to manual'ly initiate LPCI." However,. these three events are not independent under all accident sequence conditions. In th'e case of the. failure of high pressure injection systems, an operator error--failing to initiate ADS--will result with high probability in the failure to initiate other safety systems. Furthermore, if the operator fails to manually initiate LPCS or LPCI, depressurization will. not occur even if the operator tries to depressurize by the ADS manually. Thus, there are two dependences: (1) functional dependence, (2) human interaction dependence which assumes that failure of the operator
- to initiate the fi rst system inplies that the operator will not respond to initiate the second either.
This latter dependence, which was recogn.ized -in SNPS-PRA Appendix A.3, was included ~ in tite BNL re-assessment. All the above different operator actions were denoted "AHU1990XI" = 0.1 in all three cases. This is also consistent with the NUREG/CR-1278z approach. The two BNL modifications to SNPS-PRA human error treatment discussed in . this subsection constitute the event of "miscalibration of all four water level transmi tters . " The impact- on core damage frequency of this event is discussed in Section 5A.1.4 of Appendix 5A. 4.4 References to Section 4
- 1. Kaplan, S. , "On a Two Stage Bayesian Procedure for Determining Failure Rates f rom the Experiential Data," PLG-0191, June 1981.
- 2. " Zion Probabilistic Safety Study," NRC Docket Nos. 50-295 and 50-304.
- 3. " Indian Point Probabilistic Safety Study," 1982. ,
- 4. Papazoglou, I. A. , Lederman, L. , and Anavim, E. , " Bayesian Analysis Under Population Variability with an Application to the Frehncy of Loss of Offsite Power and Anticipated Transients in Nuclear Power Plants," BNL Report, February 1983.
92 l
,e , - - , , - -
. - , . .-,-m, ,- , , , e-, , , . - - + , - - - , . - ,,n ,,
_ .... a_.. . ..-
- 5. " Anticipated' Transients, A Reappraisal," EPRI NP-801, July 1978.
- 6. " Anticipated Transients, A Reappraisal," EPRI NP-2230, January 1982.
- 7. "Compone~nt Failures that Lead to Manual Shutdown," SAI-180-80-PA.
- 8. " Characteristics of Pipe System Failures in LWRs," EPRI NP-438, A'ugust
~
1977.
- 9. " Losses of Offsite Power at Nuclear Power Plants: Data and Analysis,"
. EPRI-NP-2301, March 1982.
- 10. " Losses of Offsite Power at U.S. MJclear Power Plants through 1983,"
NSAC-80, July 1984. l 11. Scholl, R. F., " Loss of 'Offsite Power Survey Status Report," Revision 3, Report of the Systematic Evaluation Program Branch, Divfsion of Licen-sing, U.S. NRC.
- 12. Papazoglou, I.A. et al., "Probabilistic Safety Analysis Procedure-1 Guide", Brookhaven National Laboratory, NUREG/CR-2815, September 1983.
- 13. McLagan, G. P. et al., " Preliminary Assessment of Diesel Generator Relia-bility at Light Water. Reactors ," SAI/Annes , March 1980.
14 Poloski, J. P. and Sullivan, W. H. " Data Summaries of Licensee Event - Reports of Diesel Generators at U.S. Comercial Nuclear Power Plants , January 1,1976, to Decembe.- 31, 1978," NUREG/CR-1362, EGG-EA-5092, March 1980. , o
- 15. Hubble, W. H. and Miller, C. F., " Data Summaries of LERs on valves at U.S. Commercial Nuclear Power Plants ," NUREG/CR-1363, EGG-EA-5125, May 1980.
- 16. Rubin, M. P. , "The Probability of Intersystem LOCA; Impact Oue to Leak Testing and Operational Changes," NUREG-0677, May 1980. -
! 17. Papazoglou, I. A. et al., "A Review of the Limerick Generating Station PRA," NUREG/CR-3028, BNL-NUREG-51600, February,1983.
- 18. Wreathall, J., " Operation Action Trees, An Approach to Quantify Operator Error Probability During Accident Sequences ," NUS Report #4655, NUS '
{ Corp. , July 1982. '
- 19. Hall, R. E., Wreathall, J., and Fragola, J., " Post Event Human Decision Errors : Operator Action Tree / Time Reliabiltiy Correlation," NUREG/CR-3010, BNL-NUREG-51601, March 1983.
- 20. Battle, R. E. and Campbell, D. J., " Reliability of Emergency AC Power Systems at Nuclear Power Plants, Oak Ridge National Laboratory, NUREG/CR- l 2989, July 1983.
. - \
93 ,
. 1!
.ww .yi, . m ocx> . . .e me, my e o e .e. 6 os e .. . .m o. ...e. . e. .e . . .m
- 21. Baranowsky, A. M., Kolachzkoivski , ' A. M., and Fedele, M. A., "A Proba-bilistic Safety Analysis of DC Power Supply Requirements for Nuclear Power Plants ," NUREG-0666, April 1981.
- 22. Atwood, C. J. and Stevenson, J. A., " Common-Cause Fault Rates for biesel Generators : Estimates Based on LERs at U.S. Commercial NPP,- 1976-1978",
.NUREG/CR-2099, June 1982.
- 23. McClymont, A. and McLagan, G., " Diesel Generator Reliability at Nuclear Power Power Plants: Data and Preliminary Analysis"; EPRI-NP-2433, June 1982.
- 24. Swain, A. D. and Guttman, H. E. , " Handbook of Human Reliability Analysis with Emph~ asis on Nuclear Power Plant Applications," NUREG/CR-1278, October 1980 (and also Final Report, August 1983).
- 25. Shiu, K. et al., "A Review of the Sequences Following Release of Exces-sive Water in Elevation 8 of the Reactor Building in the SNPS " BNL, ,
NUREG/CR-4049, November 1984. l a O O 6 94
_ . . . . . - - . - ~ . . % L:- ' -^w ~ " A* - * ~" ~ ~ ~ ' ' "" ~
'6 It:ITIA!OR ;;;$ gr.g C ::t.sta :.stys stC;:::RY ME!*tt - FEET.:tTC2 EYFA55 MEAT 5;::t P.EMIM CLASS OF TAIP FAO* t;*;5 **
C;';iA::t- !! Ut*:CI P t./ *.*T TREOUE*;CT 705TL.uTE0 *
<!GH % !A CrEN EDT C:*:01TICM (TIR 41 CAE yR,) ng,,e:gpjgtg OR TfJ':5FER T* Q A W. O E
~
I*O T TT WITH LYPA55 0.35 Fig. 3.4 14 AT HIGH POWER
~0 TE TT WITH $YFA55 -
(10) t:0 COtTAJr.Mut . TO MSIV CLO5URE 3.09 Fig. 3.4=16 (6) 1.0 TW TT WITHOUT STPA55' ~ C *0 10*I H TWE TT WITHout 87 0.30+ (5) 1.0 (11) PA55' NO CONTAIN-
~
t10tT III NI TW 0.01 g,g LOS$ OF CONO. Fig. 3.4 -16 TA TT W!THOUT CTPt.55 0.001 M 3.2/Rm Yr (4) IIII TAE TTWITHOUTBTPA5$ 1.0 . t;0 CO:TAthrENT (3) TA0 LO55 0F CONO.
+ 1.0 0,001 rig. 3.4 16 4
- TQ LOSS CF FW 2.0 Fig. 3.4 17 W/STPA55 1 0.70 'O TCE TTWITHOUTETPA55 (13) g,g NO C0tifAlt~%%T .
T;0 wtty m gat 0.22 Fig. 3,4.;6
~
j (9) i Sased upon fatture of operator action within 12 minutes to trip the feedwater pumps and automatic sackuo
- All Turbine Trips for which bypass to the condenser is not functional, are considered to be equivalent to M51Y Closure Events.
" Asswnes 8ecircu14 tion Pues Trip for turbine trios initiated from high power (RPT failures are included in the Ref. Figs).
'
- f;:TE: This figure is used to estimate the fraction of turbine i
trio events from htgn power weten will beco e isolation events if there is a fatture to scram. i Figure 4.1 Event Tree Diagram of Accident Sequences Fo11cwing a Turbine Trip Initiator Frem High Pcwer i 95 t
7-
- Table 4.1 Frequency of Initiating Events (Mean Values /yr)
BNL Review SNPS-PRA- LGS-PRA SNPS LGS WASH-1400 Transients 9.8 9.1 13.95 13.02 11 { Turbine trip 4.49 3.98 8.01 8.17
. MSIV Closure . 0.24 1.78 0.57 1.23
, Loss of Condenser 0.41 ' Included 0.50 Included in MSIV in MSIV Loss of Feedwater 0.18 Included 0.13 Included in MSIV in MSIV Loss of Offsite Power 0.08 0.053 0.15 ' 0.'11 .
ICRV 0.09 0.07 0.25 0.25 Manual Shutdown 4.3 3.2 4.3 3.2 LOCAs Large 7.0x10 " 4.0x10 " 7x10 4 4x10 2.7x10-4 Medium 3.0x10-3 2.0x10-3 3x10-3 2x10-3 8.1x10-4 Small 8.0x10-3 1.0x10-2 8x10-3 1x10-2 2.7x10-3 Breach of the RPV 3.0x10 7 --- 3x10 7 --- Interfacing LOCA 1.8x10-7 --- 3x10 7 --- (LOCA Outside , Containment) . ATWS 5.49(3.87)* 5.92 9.61(7.34)* 9.82 Turbine Trip 2.14(.85)* 3.6 7.0(5.3)* 7.39 , MSIV Closure 0.56(0.50)* 2.2 .88(.65)* 2.01 Loss of Condenser 0.41(0.25)* Included .57(.46)* Included in MSIV in MSIV Loss of Feedwater 2.2(2.1)* Included .77(.59)* Included in MSIV in MSIV Loss of Offsite Power 0.08 0.053 0.15 0.11 IORY 0.09 0.07 0.25(.16)* 0.25
*In parentheses:
Initiators frequency, which is at above 25% power (above condenser bypass capability). Without parentheses: Initiator frequency at all power levels (0 to 100%). j 96 i
~
_ . . . . . - - - - -2.-. . . . s .a . . .
.. .__.n., . . , _ . _ ,,_,, .,_.,
O Table 4.1 Continued SNPS LGS-PRS BNL WASH-1400 Low Frequency Transients Excessive Release 6x10 8 --- 5.0x10 " --- of. Water into Elevation 8 of the Reactor Building i
. (Maintenance &
Rupture) Loss of a DC Power Bus. 3.0x10 3 --- 3.0x10-3 , Loss of all DC Power Buses 3.0x10 8 3.0x10-8 Reactor Water Level 3.6x10 2 --- 3.6x10-2 ___ Measurement System Reference-Line Leak Drywell Cooler Failure 1.0x10 2 --- 1.0x10-2 ... Loss of Service Water 2.5x10 3 --- 1.7x10 3 --- e m 0 o e 97
- _ _ _ . _ _ _ _ _ - . _ . _ _ , . . _ _ _ _ _ . _ . _ _ . _ _ _ _ _ . _ _ _ _ _ . _ , . _ _ - . ~ _ - . _ . - . _ . ._.
o Table 4.2 SNPS-PRA and BNL Results for Initiator Frequency
~
and Sources of Differences , BNL Revie'w: SNPS-PRA: BNL Review: .Two-Stage EPRI-NP-801 Data 5 EPRI-NP-2230 Data' Bayesian SNPS-PRA ist Subseq. All Years Weighted 1st Subseq. All Years Weighted Subseq. All Transient Year Years Average Average
- Year Years Avera9e Avera9e Years Yea rs*
- Loss of Condenser 1.6 0.38 0.67 0.41 1.0 0.38 0.41 0.40 0.40 '0.50 Vacuum (2,4.8)
Turbine Trip 16.9 4.14 7.3 4.46 13.4 6.39 7.39 6 59 6.85 7.89 MSIV Closure (5) 2.2 0.19 0.67 0.24 1.67 0.27 0.47 0.31 0.29 0.57 gg Loss of FW (22) 0.6 0.16 0.27 0.18 0.27 0.11 0.13 0.12 0.11 0.13 ' LOOP (31) 0.4 0.'11 0.16 0.08+ 0.13 0.12 0.12 0.08+ 0.12 0.15++ 10RV (11) 0.7 0.08 0.20 0.09 0.53 0.15 0.21 0.16 0.19 0.25 , a CRW (27, 28) 0.1 0.03 0.04 0.03 0.13 0.10 0.11 0.10 0.11 0.12 '
. Total 22.5 5.09 9.3 5.49 17.1 7.52 8.9 7.76 8.07 9.65 ;-
+8ased on SNPS grid data. '
- i
++ Based on NSAC-80 report l8
*Used in the PRA. "
**Used in the BNL review.
? t i e e
Table 4.3 Summary of Quantification for Exposing tne Low Pressure Systems to Primary System Pressure SNPS-PHA: BNL Review , SNPS-PRA: Frequency Frequency Point Estimate No. of Total Total ' System Calcul ation Interfaces Calculated Calcular 1 Per Interface (Per Rx Yr) (Per Rx Yg,_. Core Spray 4.8x10-a 2 9.6x10-a (Figure F.2-1)* RHR Head Spray 8.6x10-12 1 8.6x10-12 (Figure F.2-2) LPCI Injection 4.8x10-9 2 9.6x10-9
.(Figure F.2-3) i RHR Shutdown 1.6x10-a 1 1.6x10-8 Cooling Line l
(Figure F.2-4) ! Total --- 6 1.2x10-7 3. 0 x 10- 7* *
- Figures in Appendix F of SNPS-PRA.
. ** Calculated in Appendix SC.2 of this report fo.c the entire plant (not system by -
system). l 1
-l J
e 99 il l
~ _ _ - _ . _ ~ . -
Tabl e 4.'4 Summary of the Historical Data on the LILCO Grid for loss of Offsite Power Incidents LILCO-Specific Grid Data. Loss of OffSite Power .(1/1/65 - 1/1/81) Years of Duration Plant Operation Occurrences m inutes ) (~ Barrett 16.0' 1 222* Glenwood 16.0 1 199* Northport 13.5 0 --- Port Jefferson 16.0 2 58* 15 Total ** 61.5 4
- East Coast Blackout (11/9/65).
** Total s : 61.5 plant-yrs., 4 occurrences + 1 hypothesized incipient failure.
e O l l i 4 l 100 l
m _ _.s. _ : ,_. i.O... e;.,, Taele 4.5 Experientiai Evidence from Plants of the Northeast Power coordinating Council (NPCC) Loss of Offsite Power No. of Occurrences Years in Operation Plant Name/ - Recovery EPRI gata SNL EPRI 5NL Events" Date of Accident Time NP.23019 N$AC/80H Review NSAC/80 Review in SNL Review
- 1. Fitzpatrick 2 0 2 9.2 9.05 3/27/79 (3 min)*
10/4/78
- 2. Ginna 3/4/71 30 min
. 10/21/73 40 min 2 2 2 14.3 14.10.
- 3. Heddas Nect 4/27/68 29 min 5 5 5 15.9 16.30
- 7/15/69 9 min 7/19/72 1 min 1/19/74 20 min 6/26/76 16 min 4 Indian Point 2&3 7/20/72 55 min 1 3 3 12.2 10.5 7/13/77 6:28 nr 6/3/80 1:45 nr
- 5. Main Yankee 0 0 1 11.3 1.1.10 8/31/78 (1 min)*
- 6. Millstone 1&2 8/10/76 5 nr 1 2 2 13.2 13.10 7/21/76 5 min
. 7. Mine Mile d
Point . 11/17/73 10 sec 1 1 1 14.3 14.25
- 8. Pilgrim
- 5/10/77 2:40 hr 2/6/78 8:54 hr 2 2. 2 11.50 11.45
- 9. verent Yankee 0 0 0 11.80 11.70 -
- 10. Yankee Rowe 1
11/9/65 33 min 1 1 1 22.50 23.30
- Recovery Time.
** Relative to NSAC/80.
e i 101 1-
1 1 i j e Table 4.6 LOOP Initiator Frequency Considered in SNPS-PRA and BNL Review" f l SNPS-PRA EPRI-NSAC Study l8 BNL Review NSAC/80 '( Data Base NSAC/80 Special Fossil Plant NSAC/80 NSAC/80 NSAC/80 for NPCC Data Base Case Experience Data Base for Data Base for . Data Base + 3 Add'l for Nat'l Plant NPCC Nat'l Population for NPCC Events" - Popul ation Specific j i Point Point Point Two-Stage Two-Stage Two-Stage Two-Stage Approach Estimate Estimate Estimate Bayesian Bayesian Bayesian Bayesian Data Used 5 events I in 16 events in 47 events in 16 events 19 events 47 events 18 events 2 ( 61.50 Plant 136.20 Reactor 532.70 Reactor in-136.20 in 134.85 in 532.70 in 152 Years Years Years Reactor Reactor Reactor Reactor y , Years Years Years Years LOOP 0.12/Rx 0.088/Rx 0.13/Rx 0.15/Rx 3 0.09/Rx 0.12/Rx Frequency 0.08/Rx . ' i 1 2 Four actual events and one hypothetical for some margin. - Fossil-Fuel Plant which experienced 2 events in 16.0 Plant Years is included as a hypothetical example of performance. 3 Judged by BNL to be most appropriate for the BNL review reassessment. l
" Three events were judged in BNL Review to be.conside. red as LOOP initiators even though rejected by NSAC/80 evaluation. f
~
i. 8
I' it i L i . Table 4.7 Recovery Time Distributions- ,
- SNPS-PRA BNL Review 1
National NPCC NPCC ' Recovery Cumulative Cumulative Cumulative ' Cumulative Time No. of Probability No. of - Probability No. of Probability No. of Probability q in Hours Events t of Recovery Events 2 of Recovery Events 2 of Recovery Events 3 of Recovery .,
- .c 1
(0.5 20 0.48 25 0.55 9 0.55 12 0.63 . 0.5-1.0 L i 6 0.62 7 0.68 3 0.67 3 0.73 1.0-2.0 4 0.72 7 0.80 1 0.78 ~ 1 0.81 l
- 2. 0-4. 0 2 0.77 4 0.88 1 0.86 1 0.88 b 4.0-8.0 6 0.91 3 0. 94 0.91 1
1 0.92 8.0-10. 1 0.93 1 0.95 1 0.93 1 0.93 h 10.-24. 1 0. 96 0 0.98 0 0. 96 0 0.97 ,
>24. 2 1.00 0 -1.00 0 -1.00 0 -1.00 Total 42 47 16 19 l
1 Based on EPRI-NP-2301 8 ; point estimate, ' 2 i. Based on NSAC-80 e; Student t distribution. 1 lJ 3 Based on NSAC-80 and three additional events included by BNL; Student t distribution (used in BNL - re-assessment). i 9 6 ' i
+
i' s Table 4.8 Comparison Between SNPS-PRA Diesel Generator Data and Other Evaluations . SNPS- LGS- NUREG/CR Zion
- Wash NUREG/CR BNL ,
PRA PRA -13621 " 1400 -298920 Review Failure of a Olesel 2x10 2 1.7x10 2 2x10 2 1.9x10 2 3x10 2 2.5x10 2** 2x10 2 Generator to Start , Upon Demand Probability of Second 0.19 0.23 0.42* 0.08 0.03 Plant or 0.19 Diesel Failure Given j Disign One Failed - P(2/1) Specific Probability of Third 0.63 0.55 0.17* 0.45 1.0 0.4 9* *
- 0.63 Diesel Failure Given
- Two Failed - P(3/2) {
\
Failure of a Diesel --- --- --- --- ---
~2.4 x10- 3/h 2.4 x10- 3/h i
- Generator to Run 53 (Six hours or more)
*Taken from Table A.S.9 of LGS-PRA17 .
**This is an average value, but this report deals mainly with plant or design specific evaluation.s. !
*** Derived from Table 9.6.8 of NUREG/CR-2989. (SWS, below average procedures).
O t i 4 6
'^
~
* \u . . . _ . .
l
- 5.
SUMMARY
OF ACCIDENT SE0VENCE CUANTIFICATION AND IDENTIFICATION OF DOMINANT CONTRIBUTORS TO CC'RE DAMAGE FREQUENCIES 1
- This section describes the SNPS-PRA approach
~
to quantification of the accident sequences and the BNL modifications in this approach, and presents the revised results of the BNL review. Subsection 5.1 presents the SNPS-PRA and the BNL approaches and highlights the main differences; further details , are given in Appendices 5A to SG. Subsection 5.2 presents the BNL revised 1 results compared with the SNPS-PRA results: this is the summary of results of
- this review study. Subsection 5.3 provides additional insight into the
; . results by presenting a limited sensitivity analysis with regard to some other different assumptions.
The quantification results presented are point estimates of the accident - s equence frequencies. Uncertainty analysis was outside the scope of the review. s i' 5.1 Modifications Made by BNL in the Accident Sequences Quantification } Subsection 5.1.1 describes the SNPS-PRA accident sequence quantification j approach and presents the resulting accident sequence frequencies and the
! total frequency of core damage. Subsection 5.1.2 highlights the BNL approach ! followed in the review of the SNPS-PRA, and refers to the detailed description in the Appendices. -
t
; 5.1.1 Overview of the SNPS Approach to Accident Sequence Quantification In the SNPS-PRA, accident sequences were defined in terms of combinations ; of safety function failures given the occurrence of an initiator. These
- combinations were generated w' ith the help of the functional event trees (see j .
Section 3.1.2). The brancit point probabilities in the event trees were calcu- -
- lated (as probabilities of function failures). To calculate the probability
; of each accident sequence, the failure probabilities of the functions involved in the sequence were multiplied by the frequencies of the corresponding initi-
- ators . -
The failure probabilities for the functions were derived on the basis of the system fault trees (Table 3.1) and in some cases with the help of func-tional fault trees
- and/or the functional-level event trees, or on the basis i of additional e'xplanations supplied in the'PRA.
. The unavailabilities of the frontline systems were calculated from the corresponding system fault trees (see Section 3.3). The frontline system fault trees contain failures both of frontline system hardware and of support systens , and these failures were further res olved down to the component
- level. Hardware, as well as. test, maintenance, and human error contributions i to the component unavailabilities were considered. , !
! This quantification procedure was followed for all the functions on the event trees that model the plant response to the various initiators (see
*The SNPS-PRA refers to functional fault trees in several places and states that they are developed in detail in Appendix B.10, but Appendix B.10 does not include any functional fault tree.
i 105 t
. a- .__
-8.- .. -- - - . . = :; , .. .:._ ..-
i - Section 3.1 and Appendices 5A tio SG). The accident sequences ~ of each event tree were classified into three categories: core damage sequences, non core damage . sequences , and transfers (see Section 3.1). The transfer sequences were the ones judged to be more appropriately modeled in a different function-al event tree. In addition, all the core damage sequences were divided into classes 1 according to the nature and scenario of core damage: a) Class I core damage sequences are characterized by the l'oss- of core - "~ coolant inventory makeup ano core damage before containment failure. ,
.b) Class II sequences comprise events involving loss of long-term con-l tainment heat removal function resulting in coatainment , failure which may be followed by core damage. Only part of this class will
. result in a core damage state.*
c) Class III core damage sequences are characterized by LOCA in drywell conditions. . d) Class IV are ATWS sequences with containment failure prior to core damage. i e)' Class V are sequences of LOCA outside containment, which bypass the s'uppression pool and drywell. . - The total core damage frequency is the sum of the frequencies of all the j core damage sequences. Figure 5.1, from the SNPS-PRA, shows the total core j damage frequency, as well as the frequency of each class as calculated.in the i PRA study. The largest contribution to core damage frequency is seen to be , . from Class I, loss of coolant makeupi it is larger than the sum of the contri-butions from all' the other classes. The total core damage frequency in the
! SNPS-PRA is estimated at 5.5x10 5 'per reactor year. Table 5.14 includes a summary of dominant sequences calculated in the SNPS-PRA.
i 5.1.2 BNL Modifications to the Accident Seouence , BNL comments on the SNPS-PRA approach were given in Sections 3.1 and 3.2 when functional event trees and treatment of dependencies were discussed. In . general, BNL found that the SNPS-PRA approach included considerable detail and tried to address the modeling of the accident sequences and its quantification . as realistically as possible based on the SNPS specific design and past ,
- nuclear power plants' experience. BNL agrees to the general approach used.
l Most BNL coments and modifications relate to quantification. However, some relate to the specific modeling of certain sequences. i i The BNL review of the SNPS-PRA functional event trees had two parts: ) a) A case by case review of the functional event tree accident sequence modeling. t , *In the SNPS-PRA, it is considered to be a core vulnerable state. In the BNL review, it is considered as a core damage state, even though core damage will not always occur following the containment failure.. c 106 ,1 '
, - w - -! '
< . . . . ;. . . . .. 2-i
' ~ b) A case by case review of the functional event tree quantification. Both parts of the review were based on the information provided lin the SNPS-PRA and its appendices, the SNPS-FSAR, the SNPS plant specific emergency procedures, the fault tree analysis of the systems , and the system description
- and drawings. In addition, realistic calculations of BWR plant response to transients were consulted in several GE, BNL, ORNL and other reports (refer-enced in Section 5.4 and in the previous sections). This 1.nformation made it possible to check the validity of the modeling and the ~quantification of the .
SNPS-PRA approach. It should be noted that the PRA itself included the needed
. information in many cases.
4 . i . Highlights from the results of BNL review of the functional event tree i modeling were presented in Section 3.2. Additional detail on modeling. changes and the reasoning behind them are presented in the appendices to this sec-tion. These appendices provide BNL revised functional event trees , which I include the modeling changes that were judged ig ortant and al.s o the re-quantification by BNL. Each event tree is accompanied by a table explain-ing the values used on the event trees and their sources, or the reasoning that led to their choice. All the SNPS-PRA initiators were treated. To facilitate comparisons between the SNPS-PRA and the BNL revised event trees, the appendices are ordered in the same way as the sections of the SNPS-PRA: l
~
Appendix 5A: Deals with all the transient with successfu1 scram dis-3 cussed in Section 3.4.1 of the SNPS-PRA, except loss of Offsite AC Power (Section 3.4.1.6 in the PRA), which is j dealt with in Appendix 58. Appendix 58: Loss of Offsite Power Event T,ree (PRA Section 3.4.1.6). Appendix 5C: Treats LOCA both inside and outside containment (Section .- 3.4.2 of the SNPS-PRA). Appendix 50: Treats the ATWS sequences and provides BNL revised event trees (Section 3.4.3 of the SNPS-PRA). . Appendix SE: Reviews the transients initiated by the loss of a reference leg in the water level instrumentation system (Section
, 3.4.4.3.1 of the SNPS-PRA).
Appendix 5F: Treats the case of loss of drywell cooling for all tran-sients and .for the case in which this event is the initi-ator (Section 3.4.4.3.2 of the PRA). Appendix SG.1: Presents the case of the excessive release of water at Elevation 8 of the reactor building. In this case, how-tver, reference is made to the BN' review report l of this accident sequence (Section 3.4.4 of the PRA). j Appendix SG.2: Loss of a DC bus is treated (Section 3.4.4.2 of the PRA). j Appendix SG.3: Revised tree for the case of loss of the service water sys-
] tem is presented (Section 3.4.4.4 of the PRA).
i 107 t
_ _ _ _ _ . , _ _ - - ~ _ ~....s - _...m- -
- s. _. 2._
\
The Appendices SE and 5F are an in-depth review of the report 2 " Review of , Shoreham Water Level Measurement System", f rom which Sections 3.4.4.3.1 and 3.4.4.3.2 of the ,SNPS-PRA are a summary. In general, the BNL ' review resulted in modifications related to the quantification of almost all the SNPS-PRA. The reasons behind quantification changes are explained in the tables attached to the revised event trees (s.ee Appendices 5A to SG). Each appendix provides the background information on the SNPS-PRA approach for the case, 'the general reasons for BNL modeling changes, and the results obtained. The next section focuses on the 'results, and presents the main differ-ences from the SNPS-PRA. The summary of the findings from the appendices is also given in Table 5.1, where it is ' compared with the summary of SNPS-PRA results . 5.2 Summary of the Results of the BNL Review in Comparison with the SNPS-PRA The sumary tables cf this report are presented in Section 5.2.1, along with a discussion of the results for each accident sequence group. Section 5.2.2 provides some additional tables for comparisons such as the list of dominant sequences in each core damage class and SNPS-PRA and BNL dominant i sequence lists. 5.2.1 Sumary of the Results
. 1 Table 5.1 presents a summary of the BNL review and SNPS-PRA results. It is seen that in the BNL review the core damage frequency increased by a factor of 2.5 (1.4E-4 vs. 5.5E-5/yr) as compared with.the SNPS-PRA. From Table 5.1 !
the following comments can be made: - o The major contributions to the ' increase in the revised BNL core damage frequency are due to ATWS, LOOP, Transients with Scram, and Internal Flooding initiation.
- l o The core damage frequency contribution from LOCA outside drywell is about five times as high in the BNL review as in the SNPS-PRA. Even though its contribution to total core damage frequency is very small !
(= 0.2%), it may be a very important contribution to risk. l o The contribution from transient initiators is increased by a factor of 1.7, largely because of the revised frequencies of the initiators , discussed in Section 4.1. It is important to point out that, if a common-mode miscalibration of all water level sensors, which are the only signals for the automatic initiation of HPCI, RCIC, ADS, LPCI, and LPCS in the case of a transient, with a probability of 2x10-3 as given in the SNPS-PRA (page A-121) were used, the core damage frequen-cy from transient initiation would be about 5.4x10-3 instead of 1 2.2x10-5 However, BNL previcus~ly judged that the probability used in l the SNPS-PRA for the miscalibration was not realistic, and the modifi-cation to these numbers are given in Appendix 5A.1 and in Section 4.3. o The cont toution from LOCA inside drywell remained practically the same as in the SNPS-PRA. 108 ' 1
- u. ~ * ' - '
. . . . . . = . .~.:-
, s , 0
. t Figure 5.1 shows the results by core damage classes and compares 'them with Figure 3.5-3 (Page 3-338) of the .PRA. The results summarized by groups of initiators are given in Figure 5.2 in a " pie: chart". ,
Figure 5.3, reproduced from the S' NFS-PRA, provides the BW -RSS and the
- SNPS-PRA results for comparison. *
, The main reasons for the higher BNL resul.ts are' discussed in detail in I the appendices to this section. Here a brief sununary of, the main differences is presented. q l 5.2.1.1 Loss of Coolant Accidents (LOCA) Inside Drywel'1 LOCAs are minor contributors to core damage frequency. Large and medium i LOCAs were modeled and quantified by BNL in the same way as in the SNPS-PRA. ,
i BNL used a more realistic .modeling for PCS recovery in the long term which resulted in a small decrease in the .Large and Medium' LOCA contribution to Class II sequences. In addition, for Large LOCA in liquid lines originating + at a low point in the RPV, it .was assumed that break discharge flow rates would be higher than the hotwell makeup can replenish. This leads to the 4 small increase in Class III contribution in the BNL results. Pressure vessel failure was not reviewed in detail' and its failure frequency remained unchanged. The LOCA-in-drywell initiators are the major contributors to Class III. The results of this review (Table 5.2) show little difference between the BNL and the SNPS values. . . 5.2.1.2 Anticipated Transients Without Scram (ATWS)
- The SNPS-PRA shows that ATWS sequences are a major contributor to core l damage frequency. The BNL review found that soine of the SNPS-PRA assumptions had additional implications which were not fully addressed in the PRA:
- a) Lowering water level below Level 1 has the implication of MSIV l closure and is accompanied by a high probability of operator failure j to inhibit ADS. .
! b) Manual feedwater runback was treated in the SNPS-PRA as part of the ! turbine trip initiator event tree rather than on the functional event
- tree. However, the large unavailability value used for this func-tion resulted in overestimation of some of the sequence frequencies.
i The BNL review identified three areas of concern:
- a. The ATWS physical analysis: Secause available ATWS thermal hydraulic analysis results directly applicable to a BWR-4 reactor with manual 43 GPM SLC system are limited, it is difficult to establish critical parameters that define the condition of the SNPS and the time avail-l able for operator actions. Based on the limited analyses, engineer-ing judgment was used in reviewing the SNP3 analysis and changes were l made to the SNPS event trees.
l b. The SNPS specific. ATWS emergency procedures: BNL considers the cur-rent emergency procedures to be unsatisfactory in areas of operator 109 i
- __- . . . - - ~ .- . . . . . . - . -
i control of RPV water level, ADS inhibit iunction, and PRV pressure contro1.
- c. The extent of operator action required during an ATWS event to secure the plant to hot shutdown: .The SNPS requires manual actions for most of the ATWS mitigation systems. However, the operator nas very little time to perform these tasks, which often must be done within 10 minutes after the onset of the event. This is why the Shoreham ATWS core damage frequency is about an order of magnitude larger than that of the Limerick or the GESSAR-II standard plant. It is. prudent to recognize that large uncertainties are associated with the esti-mates of human errors and therefore the ATWS core damage frequency could be very sensitive to changes in the human error procabilities.
Finally', BNL performed a realistic re-assessment of the SNPS ATWS event as shown in Appendix 50. The results indicate that, given the assumptions used, there is only a small increase due to different assumptions and modifi-cations to the event trees. The ATWS core dama using the SNPS . initiator frequencies is 2.2x10 ge frequency
, cogared with the SNPScalculated value by BNL of 1.8x10-3 (see Table 5.3). Use of the BNL initiator frequencies rai.ses the total core damage to 4.5x10-5, about a factor of 2.5 higher than the SNPS value. Note that the BNL initiator frequencies, like those in the SNPS-PRA,
, distinguish whether the plant operated above or below a plant condition' of 251, power.
5.2.1.3 Transients with Successful Scram , Apart from loss of offsite AC power, which is treated separately in the next subsection, the SNPS-PRA included separate event trees for loss of feed-water, MSIV closure, and loss of condenser transients. Table 5.4 snows that the main contrioutors to the core damage frequency are the loss of c'ondenser and the turbine trip transients, and that the increase in core damage frequen- ? cy in the BNL review is due to the different frequency of transient initia-tion, described in Section 4.1. Table 5.4 shows that for Class II, if the effect of initiating event fre-quencies is not taken into account, the SNPS-PRA and the BNL review obta1ned the sant result: 4.8E-6. However, there are two differences between the SNPS-PRA and BNL review which balanced each other: a) BNL included a dependence between Q and W functions in the functional level event trees that increased the Class II results, b) BNL assumed that for a case of successful fe~edwater injection (Q is successful) throughout the transient, no additional means of contain-ment heat removal are required. (See for example Tables 5.A.1 and 5.A.2.)
. The two 50RVs case was treated in the SNPS-PRA in great detail without any impact. BNL also found it to be a minor event, but not of negligible effect as in the PRA. BNL developed one case in detail (Table SA-2 in Appen-dix SA.1 for the turbine trip transient) to show that it has some impact and j snould not be totally ignored, as one may conclude from the SNPS-PRA results. , '
i The results for two 50RVs are calculated by BNL to be 4x10-7 in Class I, 110 f , + l - l
- . ~ . . .
- -c., .. . . . .
- a --.,w.w..,......
y , a Y f ~. , y similar to the results of- the.10RV transient with successfui early scram.
- They also contribute more than the small LOCA sequences.
.f ; Finally, the transient results of BNL ' include the impact of miscalibra-4 tion assuming the probability of gross = miscaliDration of all four level
. sensors tLbe 1/10 of the value used in the SNPS-PRA (see Section 4.3). If
+
' the.SNPS PRA value of 2x10-3 was used (whicn is judged by BNL to be unrealis-l- tically high--see Appendix 5A.1.4) the transient contributions would become i over 5.4x10.s. The BNL , review concluded that the transiant group of.initia-tors contribute 15f, to cora damage frequency.
r
~
f ' 5/2.1.4 Loss of Offsite AC Power (LOOP)
' The SNPS-PRA treated the initiator in.a detailed time phased ev'ent tree, l using fossil plant experiential data for LOOP frequency. Diesel failure fre-j - quency and recovery factors were based on nuclear power plants' LERs. The even*. tree included dependences of RCIC, LPCI, and ADS upon conditions of DC power, suppression pool temperature, and drywell temperature 'and pressure.
BNL did not change this modeling apart from the treatment of the initiator frequencies and of the loss of the containment heat removal function. The l4tter was transferred to MSIV closure in all cases, omitting the special case of recovery of diesels without recovery of offsite power for over 15 hours. l This low frequency event of non-recovery of offsite power has a probability of occurrence of 3%, which make it an additional Class II contributor 'as seen I , f rom Table 58.2 (sheet 2/5) . 9 The quantification caanges made by BNL were mainly a higher deterioration rate of the batteries between 4 and 10 hours, and the assumption of their loss at about 10 hours. J.us, HPCI and RCIC were assumed to be unavailaole after
- 10. hours in the ' 3NL < review. The SNPS-PRA did not sufficiently . support its 1 ' assumption of tne possibility that the battery will last 24 hours and allow
- for HPCI or RCIC operation for that long. Fur't hermore, several calculations of BWR suppression pool and drywell heat-up in blackout situations (or a statement in the ' SNPS-PRA itself), indicate that the drywell pressure may i reach = 60 psi at 13 to 16. hours whics.may render ADS unoperable, and lead to ~
! core damage condition earlier than 24 nours. The SNPS-PRA described in detail its level measurement system as part of its in-deptn model of the effect of loss of a reference leg of the system. This revealed tnat level instrumentation readings are lost in the control room during blackout with DC power available because they lack OC backup (initia- ; tion of HPCI and RCIC or ADS is not lost). This was not appropriately modeled l in the SNPS-PRA treatment of the interaction of LOOP and loss of level instru-mentations (see Section 3.4.4.3.2 of the PRA). This sequence was included in the BNL re-assessment as shown in Table 58.1 (sheet 2/s) and discusseo in more detail in the event tree of Table 5F-4, brancn T EIOGL. It contributes 1x10-5 to the core damage frequency because it impairs the operator ability to follow procedures (contradicting procedures) and to control HPCI without level information. . The LOOP frequency evaluated by BNL, based on a new NSAC report (NSAC/ 80--see Section 4.1.3), was .found to be 0.16 per year, and the recovery proba-eilities were those given 1n Table 4.7 column 9. BNL judges that the value 0.15 is appropriate for the SNPS, which is part of the NPCC region, a fact not 111
,,,. __- ,,_- ... -- m . - v
..,.=4 _ - --
l included in the SNPS evaluatio'n. The BNL LOOP frequency value is twice .the SNPS-PRA value. The recovery probabilities of the SNPS-PRA are significantly larger than those used by BNL. These two changes partially balanced each other. Overall, the increase in ,the BNL results for the core damage frequency is due to the quantification changes and level instrumentation and only to a lesser extent to the re-evaluation of initiating event frequencies. Diesel generator data used in the PRA were four;t reasonably conservative and reflect SNPS onsite power conditions when the PRA was submitted. New updated probabilistic evaluations of the onsite AC power were not submitted to
- BNL during its review, even though some changes were apparently taking place due to other licensing reviews, which have the potential to reduce the impact of the LOOP sequences.
As seen from Table 5.5, the loss of offsitie AC power is a ma'j or contribu-tor to the core damage frequency..and account for 25% of the total frequency. 5.2.1.5 Excessive Relea'se of Water at Reactor Building Elevation 8 , This initiator was treated in depth by BNL in a separate report l . As seen in Table 5.6, the BNL results are significantly higher, mainly because of two changes: (1) a. higher initiator frequency calculated by BNL from a more up-to-date and elaborate model, and (2) an increase in the condensate injection f ailure probability (0.1 instead of 0.01 as was used in BNL revised transient event. trees). Also, a time . phased event tree was utilized to take into account the early failure of HPCI and RCIC at a water level lower than -
- that for the LPCI/RHR or LPCS failure. This resulted in a 20% increase in the core damage frequency. More detailed results are shown in . Appendix SG.1 and in Ref. 1.
It will be seen in Section 5.2.1.7 bel'ow that BNL considered interfacing -'
- LOCA to be a significant initiator in the SNPS-PRA. This BNL result was obtais.ed from the same considerations tha~t resulted in the high core damage frequency calculated for the excessive release 'of water initiator. These con-siderations include the situation that all ECCS equipment may become compro- - '
mised in a relatively short time that does not provide the operator sufficient I time to recover. The conditional probabilities of core damage (given the initiator) for these sequences are higher than' those found in other BWR-PRAs reviewed by BHL in the past. When the combined impacts of excessive release of water at elevation 8 and the interfacing LOCA are considered together, their contribution to SNPS risk is expected to be above 20%. Their calculated core damage frequency is, however, only = 13% of the total. 5.2.1.6 Level Instrumentation: Loss of Reference Leg and Loss of Drywell Cooling These two groups of initiators related to the water level instrumentation l system were treated in greater depth than any other group. Past BWR-PRAs did ) not treat them in detail. The BNL review of these event trees is described in i Appendices SE and 5F, and the results are shown in Table 5.7. Loss of a reference leg is the major contributor to this group of initiators, and in the i BNL review its contribution was increased by a factor of 3 compared with- SNPS-
; PRA results. This increase is due to two major BNL changes: -
112 o.
~ - - - - ,ae,.w,.,.,+-, .w,-
- . . u.L .: . ..-=. . _ . - - . . . . -
I a). The' common mode failure due to maintenance of the second reference leg: BNL evaluation of this event was based on the LER data provided
.. in the PRA and on BNL judgment relat,ed to probability of a human error. These resulted in an increase of the contribution of this ~
sequence, i.e., loss of both reference legs. This event, ' loss of both reference legs, defeats the automatic initiation of all ECCS systems and leaves the operator without level information if the water level drops below level 3. b) The miscalibration of the.'two sensors on the other leg: .In this
, case the value used in the SNPS-PRA, 2x10-3, for common miscalibra-tion of two level sensors is reasonable and results in significant i
contribution to core damage frequency due to this group of initia-tors . This miscalibration, as well as the loss of .DP cell, which is similarly important, have not been correctly included in the SNPS-PRA modeling. However, modification made at Shoreham will apparently reduce the impact of this sequence.
, Loss of drywell cooling cont'ributes an additional fraction to this group of initiators. The major contributor is the loss of off-site power transient l with recovery of the diesels, but without recovery of the drywell cooling.
This was not correctly modeled by the SNPS-PRA (see~ Appendix 5F). The major contributors discussed &bove ' have -1x10-5 contributions to. SNPS core damage frequency (-77, of the total core damag'e frequency). The increase in the BNL result in this case is due mainly to the BNL modeling, which included sequences not correctly treated in the SNPS-PRA.
^ The design of the SNPS has only two " safety related" reference legs, and four level sensors supply all ECCS initiation signals. In* other plants HPCI and RCIC are initiated, at least in part, by different sets of sensors
- and have more reference legs. A GE generic ~ study of water level instrumenta-tions ll suggested improvements which have been implemented in 'the SNPS.
However, the core damage frequency calculated in the BNL review with these . improvements takan into account is comparable with the frequency in other plants before implementation of the recommended improvement. 5.2.1.7 Interfacing LOCA Despite its low frequency, this is an important initiator. The increase in BNL review recults by a factor of 5 above the SNPS-PRA value (Table 5.8), resulted partly from a change in the initiator frequency estimation and partly. from BNL's judgment that condensate injection of 1000 gpm will be insufficient for a large interfacing LOCA in the LPCI system. The modeling and quantifi-cation of the event tree were only slightly modified by BNL. . The "0.2" for condensate unavailability was based in the BNL review on different considera-tion (Appendix SC.2). The frequency increase was based on LERs, distributed
.recently by the NRCs,25, containing two precursor cases and 5 failures of testable check valves, which increase the probability of such an event. The impact of this sequence was discussed in Section 5.2.1.5 above.
*This is implemented in Shoreham in a recent design change to the Water Level Instrumentation System.
113
- - - _ _ . _ _ _ _ - - . ,__s._. _ , , . _ - , , - _ . , . . , .,__. 1--__ _ _ , . _ , _ _ . _ . ..,..,m., _ . - ~ ~ ~ . ,
_ _ _ . __ _ . ,- . . _ - _ _ . . s . e. ._.
. _ . - . . =a -- -
=
5.2.2 Dominant Sequences in BNL Review , The contributions to core damage frequency grouped according to their - initiators were listed in Table 5.1 and summarized in the preceding section. In this section the individual sequences contributing to the SNPS core damage . frequency are presented. Tables 5.9 to 5.13 list the dominant sequences con-tributing to each core: damage class. Classes I, II, and IV have large numbers ' of contributors, but for Classes II and IV more than half the total frequency is attributed to a small number of contributors. Class I has the largest ' number of small contributors. - Finally, Table '5.14 provides a comparison of ~ the dominant accident sequences in the BNL review and in the SNPS-PRA. The basic pattern in the SNPS-PRA' of having no single sequence contributing a large fraction to the total SNPS core damage frequency is seen also in the BNL results. The most ' dominant. contributors in the BNL list consist of accident sequences from each *
. of the initiation groups, ATWS, loss of off. site AC power, and excessive ,
release of, water at elevation 8. . The following are some comments on the dominant accident sequences in Table 5.14: a) 50% of core damage frequency is attributed to thirteen sequences in the SNPS-PRA, but to only ten jn the BNL review.
. b) The following sequences are dominant in both the SNPS-PRA and the BNL review:
- 1) ATWS secuence of MSIV closure.
- 2) The excessive water. release sequence. .
- 3) Loss of ,off-site power sequences ; however, several differences are noted and explained below.
- 4) The most important single contributor of the water level mea-surement, systems appears roughly in the middle of both lists, but more accident sequence contributors are included in the BNL results . i c) Important differences between the top sequences of the SNPS-PRA and those of the BNL review are as follows:
- 1) Loss of condenser contribution T(C)UX and loss of a DC bus con-tribution T(D) O(I)Q rank much higher in the SNPS-PRA than in the BNL review, but their absolute frequency is almost the same.
- 2) Loss of off. site AC power contributions appaar in both results but differ in their detailsa- The' SNPS-PRA has the time-phase III and IV contributions corresponding to failures at 4 to 10 and 10 to 24 hours into the transients. BNL has only Phase IV ranking high, but it has, in addition, tne sequences represent. .
ing water level brackout conditions; these appear hign in the BNL list and are m.issing from the SNPS-PRA. : 114 , i .
- 3) The turbine trip ATWS sequenci ranks high in the BNL review, but very low on the SNPS-PRA list. .
l l - l 4) The Loss of Serv' ice water system contribution is higher on the BNL review list. 5.3 A Limited Sensitivity Study - A limited sensitivity study was done to provide insight into the impact of changes in the assumptions used in this PRA review. It focused on the
- impact on core damage. frequency frcm two types.of changes: ,
a) Changes in a few assumptions that. represent modeling uncertainties. b) Changes in a few assumptio'ns that illustrate the particular impor tance of these- assumptions in this PRA, or the great importance of selected safety systems with regard to core damage frequency.
, The'following tests of assumptions to represent modeling uncertainties:
a) LOOP frequency and recovery probabilities: The BNL review modified
. . the data recommended in NSAC/80 for deriving LOOP frequency and recovery, probabilities, as described in Section 4.1.3 above and shown in Taoles 4.6 and 4.7. The results of the BNL review that included three additional LOOP events occurring during shutdown were compared with the results obtained by using the NSAC/80 recommended data (without modification)--see Table 5.15 line 1. The inclusion of the three LOOP events that NSAC/80 did not recomend using in the deriva-tion of LOOP frequency and recovery probabilities had a minimal
. impact on' the result. Hence, BNL co,ncluded that it is better to include these events and dbtain a complete data' base c6ntaining al'1 -
total LOOP events than to screen out events on a judgmental basis. b) The BNL review was performed with realistic assumptions that led to a probability of 2x10-' or less for gross miscalibration of all four - level sensors (see Sections 4.3 and SA.1.4). The SNPS-PRA assumed that this probability may be conservatively quantified as 2x10-3 (Appendix A.3 of the SNPS-PRA) but did not model the af fect of this assumption correctly for the case of transients. The impact of this quantification in the case of transients is shown in Table 5.15 line 2, which shows that the total SNPS-PRA core damage frequency would have been much larger if the conservative value of the PRA had been used with adequate modeling. '
~
c) The BNL review used transient-initiator frequencies based on experi-ential data from BWR plants averaged over their entire operating period fecm the date of initial commercial operation. The SNPS-PRA used a " weighted average" approach with the experience from the first year of plant operation weighing 1/35 and the subsequent experience weightng 34/35. This was done in the SNPS-PRA in order to represent the mature pidnt. However, the SNPS-PRA used an earlier data evalua-tion (from. EPRI report NP-801) rather than the updated one from NP-2230, as described in Section 4.1.2 above. The impact of remov-ing the experience of plant occurrences from the first year of 115
_ ~_ -. _ m .. . . . l, operation is snown in Table 5.15 line 3 by comparing the results from the use of columns 10 and 11 of Table 4.2. These columns were explained in Section 4.1.2 and are considered a more appropriate : modeling of the impact of the transient initiator frequencies. The results are changed by about 25% for the transient initiator frequen-cies, but by only 10% for the total core damage frequency calculated in this review. BNL considers the approach of using data from the start of commercial operation to be more appropriate and to account more realistically for a possible " wear-out" period later in a plant's lifetime, if. tne average plant risk from its. entire lifetime - is desired. ,
~
~
d) Both BNL and' the SMPS-PRA included credit for PCS and condensate systems in their analyses of medium and large LOCAs. Such credit was not taken in some past PRAs as seen by comparing the success criteria shown in Table 2.6. Table 2.5 (Table 1.5.2 in the SNPS-PRA) shows that the stated SNPS-PRA success criteria do not inc.lude credit for PCS and condensate in all cases of LOCAs (see not'e 5 to Table 2.5). The impact of the two sets of success criteria (with and witnout con-sideration of note 5 in Table 2.5) are shown in Table 6.15 line 4. Comparison of these results with the results in Table 5.2 for LOCAs shows that these assumptions have great impact on the Class III core damage frequency. The BNL review considers the inclusion of the credit for PCS and the condensate system to be more ap'propriate if realistic PRA results are desired. It is also important to consider this type of change when comparing past PRAs with the SNPS-PRA. The following tests of assumptions illustrate the importance of selected assumptions made in the PRA ,or 'tne iriportance of some safety systems in impacting the core damage frequencies in :-k particular PRA. - a) BNL basically us'ed the SNPS-PRA c,ca on diesel generator availability an:t recovery probabilities as discussed in Section 4.2.2. Modi fica-tions are being made at SNPS to the on-site AC power supply system. To illustrate the impact of a possible increase in tne availability ~ of this system, a case study is suggested in Section 4.2.2 wnicn is compared in. Table 5.15 line 5 witn tne baseline data used by the SNPS-PRA and the BNL review. It is seen that a significant reduction (10 to 15%) in the total core damage frequency can be obtained by increasing the availability of the on-site AC power supply system. . b) Explicit credit to the Turbine Building Service Water System (TBSWS) is given only in the analysis of the loss of service water transients in the SNPS-PRA. 'However, apparently credit for this system was also considered in determining the availability of the RHR and the RCIC in the steam condensing mode, as partly shown in Section 3.3. BNL found the contribution to core damage frequency of this system to have a large significance, as shown in Table 5.15 line 6. If no credit to this syst.em is given, a 20% increase in the tot al core damage frequency can be calculated. The impact in Class I is from tne loss of service water transient only and in Class Il from an increase in-the unavailabi.lities of the RHR and RCIC in steam condensing mode, for all transients including- the loss of service water transient. 116 t
- ~
- f
- - ~ ~ . . ..- . . . . . c) Credit to !!ne concensute sys6em, injection as part 5f the low pressure system injection was not given in all put PNAs, as seen from the comparison in Table 2.6 above. Furthermcre, if 1morovement 'In the availability of this sys;em cbuld De cl&imed, significant reductiqn in the contribution of some important sequences could be octained. The important impact 9f this system in tne SN95-PRA is shown in Table S.15 line 7. The results are quite linear with the availanility assumed for this system; in the case of Classes III and V an unavail-ability of 0.2 was generally a3sunred, and in the case of Class I, 0.1 and 0.2 were used (eith the average being about 0.15). BNL censiders
- that credit to the condsnsate systeni snould be given if realistic PRA results are desired. However, it is 'important to consider this credit when conparing different PRA.results.
d) Four cases related to ATW3 were studied. Lhke tne other cases, they . are given for illustration purposes only, and they shcw some of tne different contributions to core damage frequ'ency from ATWS. The case in line 8 shows the impact' of operator failyre to inhibit A05 when , low low level is reached in the RPV. The results are clearly sensi-tive to the quantification of operator error prooability. Improv.e-ments to ADS manual inhibit have teen suggested by GE and apparently applied to the SNPS recently, out credit for any improvements was not given in either the SNPS-PRA or the SNL rev.iew. The case in ling 9 shows tne effect of more reliable SLC, whien' seems to be' as large as that of ADS inhibit in the BNL model. Tne case in line 10 is also as important as ADS inhibit, An increase in the SLC system flow rate (from 46 to 86 gpm) of an equivalent increase in the boron concentration (by a factor of 2) ! will tend to allow for somewhat incre'ased time for tne operator to respond.to the ATWS incident. This results from tne assumption that ' manually putting a double capacity SLC into operation after 15 to 20 minutes instead of 10 minutes, will leaa to approximately the same total amount of power being transferred to the suppression pool and drywell . , Based on the above, the BNL event trees for kTWS were reevaluated assuming operator response required in 20 minutes instead of 10 minutes as assumed in the BNL base case. The results are shown in line 11 of Table 5.15. The estimate assumed that a nigher probabilty for feedwater runback will ensue f rom the larger response time avail-able (0.1/0.9 vs. 0.2/0.8) and that "Ug" will be 10 to 157. smaller (if "UH " is not equal to 1.0), e) The cases in lines 12 and 13 are similar and illustrate the impact of protecting one train of coolant injection from the impact of a very large flooding. They show that it may be possible to eliminate the : flooding sequences from the main list of core damage contricutors. The SNPS-PRA as well as the BNL review conservatively assumes that al.1 injection but the condensate system woulo 'ce lost in case of a large flooding. f) The RCIC i_n the steam concensing mode is not normally allowed _in SNPS operation. The emergency procedures do not, refer to it. Thus, it is 117 i nl
s 4 a cooling mode for the very special cases of severe accidents wnen all other long-term coolf ng modes failed. This was not considereo in quantifying the failure of the operator to initiate the containment heat removal mode. Line 14 snows the total impact of this syste:n in tne BNL review. g) BNL was informed after the review was completed tnat the water level l instrumentaion system is undergoing modifications to include four additional level transmitters (two on eacn reference leg) which would be u$ed to initiate HPCI level 2 and level 8 signals separately from RCIC and other ECCS systems. Furtnermore, they will be connected to tne other DC buses, so that any reference leg side would not coincide witn a single DC bus. These changes can potentially remove some of the sequences of Taole SE-2 and a significant reduction in core - damage frequency can be octained as seen in Table 5.15 line 15. h) One of the haC comments was that the Control Rod Drive (CRO) system may provide some additional ri'sk reduction. The impact of including CRD is tested in line 16. The system reliability is assumed ideal, and it is a5sumed that it 'affects all the "UX" sequences apart from the "Ux" celonging to the LOOP transient. However, the system can provide adequate core injection to remove decay heat only after about two hours of 4 transient initiation. This implies tna?. HPCI and RCIC failure to start, cr being in maintenance, are not recovered by CRu. Similarly, the miscalibration with f ailure of the operator to manuai-ly initiate injectson and failure of Divisions I and II contributions to HPCX/RCIC f ailure would fail CRD as well. The estimated impact of CRD on the "UX" sequences is shown in line 16. - tt:te that tnis limited sensitivity study was done for illustrative pur, poses caly, to provide another point of view on the results of the SNPS-PRA and the Bhl review Which are sxvnarized in Sections 5.1 and 5.2. - 5.4 Rsferences to Section 5 and Accendices 1, .Shiu , K. et al., "A Review of the Accident Sequences Following an - hcessive Reimase of Water at Elevation 8. of the Reactor Building in the Shofenam Nuclear Pow r St ati on* , Brookhaven National Laboratory , NUREG/CR-4049, November 1984.
- 2. " Review of Snorenam Water Level Measurement System, Revision 1", S. Levy, Inc.,, SLI-822L, Novemcee 1982.
- 3. "Isciation of Mactor Coolant System from Low Pressure Systems Outside Containment", Of fice of Inspection and Enforcement , NRC, IN-84-74, Septencer 28, 1984.
- 4. . Papa:oglou, [. A. et al., "A Review of the Limerick Generating Station Prctabilistic Risx Assessment", Brookhaven National Laboratory, NUREG/CR-3028, 'Feoruary 1981.
- 5. Ha.Mn, N. et al., "A Review of BWR/6 Standard Plant Probabilistic Risk.
Assessnect Vol 1 Internal Events and Core Damage Frequency", Brookhaven - Mational Laboratory, NUREG/CR-Oraf t, March 1984. 118
.i.
- ._. .. _ -. c.- . - _ .-.. : ._- . .. _ - 2
- 6. LILCO's Response tio Questions' on Shoreham's Probabilistic Risk Assess-ment, Long Island Lighting Company, SNRC-1021, May 1984
- 7. Swain, A. D., and Guttmann, H. E., " Handbook of Human Reliability",
NUREG/CR-1278, August 1983. , 8. Cook , D. H., Greene, S. R. , Harrington, R. M., and Hodge, S. A. , " Loss of , DHR Seqeunces at Browns Ferry Unit .One - Accident Sequence Analysis", NUREG/CR-2973, ORNL/TM-8532, May 1983.
- 9. Hubble . W.H. , and Miller, C. F. , " Data Summaries of LERs on Valves at U.S. Comercial Nuclear Power Plants", NUREG/CR-1363, EGG-EA-5125 May 1980.
- 10. Rubin, M. P., "The Probhbility of Intersystem LOCA; Impact Due to Leak Testing and Operational Changes", NUREG-0677, May 1980.
- 11. Burns , ' E. et al., " Inadequate Core Cooling Detection in Boiling Water Reactors ," 5. Levy Inc. , SLI-8210, No'vember 1982.
- 12. Private Communication with Shoreham personnel . ,
~
- 13. "SER ' Issue I. C. 8--Emergency Proc'edu'res Shoreham Nuclear Power Station--
Unit 1," Docket.No. 50-322 SNRC-770, September 16, 1982.
- 14. Papazoglou, I. A. et al., "Probabilistic Safety Procedures Gu i de , "
NUREG/CR-2815, September 1983.
- 15. Baranowsky, A. J., Kolachzkowski, A. M. , and Fedele, M. A., "A Probabi-listic Safety Analysis of DC Power Supply ' Requirements for Nuclear Power Plants ," NUREG-0666, ,Apri:1 1981.
- 16. Perkins , K. R., " Success Criterion for PCS with Two or More 50RV's ,"
Memorandum to D.11 berg, Brookhaven National Laboratory, August 21, 1984 (Based on Ref. 8 above and Ref. 4 of Section 2). .
- 17. " Assessment of BWR Mitigation of ATWS," GE Report NEDE-24222. Vols. I and 2, December 1979.
- 18. Knuth (KMC) to Graves (HRC), " Supplement ATWS Evaluations," letter dated December 2, 1982.
- 19. Harrington, R. M., and Hodge , S. A. , "ATWS at Browns Ferry Unit Cne--
Accident Sequence Analysis ," 0RNL/TM-8902, NUREG/CR-3470, July 1984. I
- 20. " Emergency Procedure Guidelines for BWR 1 through 6," Draft Revision 2, BWR's Owner Group, May 20,'1982.
- 21. Hsu, C. J., and Diamond, D. J., "The Effect of Downcomer Water Level and Vessel Pressure on the Reactor Power During' the Latter Phase of a BWR/4 -
MSIV Closure ATWS Event," Brookhaven National Laboratory, Draf t Report, August 1984. 119 i _ - --y,-- - , , , _ . - , ,m. - ..%., , , ,,-.-c ---
.----w-- -
s.
- 22. Chexal, B., Lagman, W. , and Heal zer, J. , " Reducing BWR Power by Water Level Control During an ATWS--A Quasi-Static Analysis,", Nuclear Safety Analysis Center and S'. Levy Inc., NSAC-69, May 1984.
- 23. " Anticipated Transient Without Scram for Light Water Reactors ," U.S.
Nuclear Regulatory Commission, NUREG-0460.
- 24. Ilberg, D. , 'and Hanan, N., "An Evaluation of Unisolated LOCA Outside Drywell in the Shoreham Nuclear Power Station," Brookhaven National Laboratory, Internal Report, May 1985.-
- 25. "AE00 Study . Finds LOCA Frequency in' BWRs is Far Higher Than 'Thought,"
Inside NRC, April 1,1985.
- 26. Harris , J. 0. (ORNL), and 'Minarick , J. . W. (SAIC), "An Evaluation of BWR Over-Pressure Incidents in Low Pressure Systems ," Preliminary Report, May 1985. .
t
*a 9
9 5 e 4 h o 9 e a 120 i
-- __ - --. , , - . . - . *g . _,-
.e. . a . . . .. . -
, . .~-
I
. 1
. o l
1
~
,,.i- ,
G SNPS-PRA 1 l BNL-REVIEW
,,.i.
{ 1.4E-4
=
lta g d - 8.2 E-5
------------- 4.5E-5 - - - - - - - -
--.5 S.3E 3.28 5 i[
a fd
+fm.;
1.3E-5 1.4E-5 r
- z g to.s --
%gg g .... 4 -
- ~1r Pa E
.garJ i
i k: EW P 'M s 1.6E-6 [ l I 5p-"4 4 l i.d . b?p g@f@ =;
* ) g'l _
8 s hlq;g.
.$%g Q g!g$1 q 2.ot-7 g2 3 l$ %z 9NG C f . , , _ ,
r
- o*' - WW ffi% F" 1*3F8 i d 36a's I;$@ :C 6778 .
h uJM 4f'; #~'"1 3 ,l'4 wa
%i W;tS + sv
~M" ;g&
g ' . h%. 3
.)
=
IM
- 80 4 -
M r% w 3 af an ML+}e
.w = - g. $,e$
M_m,- gg;jj 3.49 g77vg z . W mE 5E g;0E52 t r'#r,g:e M
*yp _
Ni?i . kYJy$ 91N - NJ Ef$ ka' ,
,,., 5 95 YE$l ON5 h$_ . . .[k ,
CLM3 I CLA83 !! CLA33 !!! class tv CLA13 : TCTAL CLAS3 OF C:: lit TUL.itRA.Lt Clll*l! TIC.15 Fiqure 5.1 Summary of the Results of the Event Tree Quantification Displayed by Class of Postulated Core Damage Condition. 12 1 t
SNPS-PRA BNL Review Mean = 5.5x10-5/ Reactor Year ~ ~ (Core Vulnerable) Mean = 1.4x10'*/ Reactor Year
'(Core Dessge) t 1ERVICE WAlta At WAfft LEVEL ,
g*H . I@N/TWI As WAlta ATW5(CLA55IV) LEVfL
- ATW5(CLA55IV)
I LD5P TSN/T@s* LO5P* < U to DC POVfR' " " , go a . == stos FLOOD LOCA SitvlC(" yy'M WAl(R LOCf'
'LOSP separated out. ATWS Class I included '
t
,LOSP Class I *
" Classes I and II .
e
*" Anticipated transient and LOCAs only " Classes I and II '
g , Anticipated transient class II , (Cerived directly free the data presented in Table 3.5-5) I Figure 5.2 Comparison of the SNPS-PRA and the BNL Review Contributing Accident Sequences to the Calculated Core Damage Frequency (per Reactor Year) Due to the Identified Accident
- Sequence Contributors. ~
s o .
o
. 5,10REllAH 1
~0 tlCAN = 5.5x10
~
PER REACTOR YEAR
, (CORE Vul.NERABLE) WAsil-1400 I -5 MEAN = 5x10 PER REACTOR VEAR -
stevin (CORE HELT) unut IW Rs W48th AIWS (G A15 IV) I'I 2'k IQl4 , i!. Iu . , 805P - IS8V/34U8 *
, ATW$a I
n E= *i,2 t w G IOCA
- Subsequent to WASil-1400 NRC evaluations of 'the potential contribution of ATWS to core melt (e.g., NUREG-0460) placed tiie frequency of ATWS in a BWR at nearly twenty times that evaluated in WAstl-1400. If this .
j were incorporated into the figure,it would be the single dominant contributor to core melt and would be i sigulficantly larger thasi the frequency of core melt calculated for Shoreham. 2 Figure 5.3 Comparison of the Contributions of Various Accident Sequences to the Calculated Frdquency - i of Core Melt (from WASil-1400) and to the Calculated frequency of Core Vulnerable Condi-tions (from the Shoreham Analysis). Area of " Pie Chart" is Proportional to Hean Frequen-cy. Reproduced from SNPS-PRA. ? .g i
. t
Summary Table 5.1 Compa~ r ison of SNPS-PRA and BNL Review Results Accident Core Damage (CD) Cla'ss Sequence Initiator I II** III IV V CD , Loss of Coolant SNPS 1.0E-6 1.0E-6 2.0E-6 Accidents BNL 5.3E-7 1.3E-6 1.8E-6 (LOCA) . Anticipated SNPS 4.0E-6 2.1E-9 1.4E-5 1.8E-5 Transient With- BNL
- 2.8E-8 4.5E-5 4.5E-5 out Scram (ATWS) ,
Loss of Offsite SNPS 9.9E-6 1.1E-6 1.1E-5 AC Power (LOOP) . BNL 2.9E-5 1. 4E-6 3.0E-b Transients SNPS 8.7E-6 4.8E-6 1.3E-5 (Turbine Trip BNL 1.5E-5 6.4E-6 2.2E-6 Manual Snutdown, MSIV and other) ', Level SNPS 3.8E-6 1.2E-7 5.2E-9 3.9E-6 inst rumentatio'n BNL 1.2E-5 2.5E-8 1.5E-7 1.2E-5 (Reference leg and drywell cooling) Flooding at SNPS 3.1E-6 7.8E-7 , 3.9E-6 Elevation 8 BNL 1.8E-5 2.0E-6 2.uE-5 ~ of Reactor Bldg. LOCA Outside SNPS 3.7E-B 3.7E-B Drywell BNL 2.0E-7 2.uE-7 , Loss of Service SNPS 3.0E-6 7.7E-7 3.8E-6 Water, or DC BNL 7.6E-6 2.4E-6 1.0E-5 Bus TOTAL SNPS 3.2E-5 8.5E-6 1.0E-6 1.4E-6 3.7E-B 5.5E-5 BNL 8.2E-5 1.3E-b 1.5E-6 4.5E-b 4.2E-7 1.4E-4
*In BNL review all ATWS sequences are assumed to lead to core damage class IV. This is based in part on the judgment that the operator will not be aDie to inhibit ADS.
** Class II leads in many cases to containment f ailure without loss of core
' cooling. Therefore, only a part of Class II,results in core damage.
124
- - ~_ . _ . , ,, . , _ _ ,
- -~-
Table 5.2 Core Damage Frequency for LOCA in Drywell Initiators l l Class II Class III Total Core Damage Frequency Frequency Frequency SNPS BNL SNPS BNL SNPS BNL Large LOCA 7.0E-7' 2.8E-7 1.8E-7 3.7E-7 v.. l 6.5E-7
- Medium LOCA 2.7E-7 2.1s-7 4,9E-7 6.1E-7 7.6E-7 8.2E-7 Small LOCA 2.4E-8 3.6E-8 1.6E-8 0.8E-8 4.0E-8 4.4E-8 Reactor Pressure 3.1E-7 3.1E-7 3.1E-7 3.1E-7 Vessel LOCA Total 1.0E- 6 5.3E-7 1.0E-6 1.3E-6 2.0E-6 1.8E-6 Table 5.3 Core Damage Frequency for ,ATWS Core Damage Frequency BNL BNL SNPS FT/ET* ALL~ .
Turbine Trip 3.5E-6 4.7E-6 2.9E-5 MSIV Closure / Loss 8.2E-6 7.2E-6 1.15-5 - of Condenser Vacuum Loss of Feedwater 4.6E-6 9.2E-6 2.6E-6 Loss of AC 7.6E-7 7.9E-7 1.4E-6 Offsite Power Inadvertent Open 3.2E-7 4.3E-7 7.1E-7 Relief Valve Total 1.8E-5 2.2E-5 4.5E-5
*BNL FT/ET denotes the results of the changes in fault trees and event trees made by BNL excluding the changes in the initiating event f requencies.
12 5 t
__.-m. i o Table 5.4 Core Dama9e Frequency for Transient-Initiators '$ f Class I Class II Total Core Damage ! Frequency freque'ncy Frequency ' ] BNL BNL BNL BNL BNL BNL SNPS FT/ET ALL SNPS FT/ET ALL SNPS FT/ET- ALL i Turbine 2.5E-6 2.9E-6' 5.2E-6 1.0E-6 8.4E-7 1.5E-6 3.5E-6 3.7E-6 6.7E-6 d Trip - Manual 1.4E-6 1.8E-6 1.8E-6 1.2E-6 9.0E-7 9.0E-7 2.5E-6 2.7E-6 2.7E-6 , Shutdown MSIV 7.4E-7 1.3E-6 2.7E-6 3.5E-7 2.4E-7 5.0E-7 1.lE-6 1.5E-6 3.2E-6 , . Closure
-. Loss of 2.0E-7 2.5E-7 1.6E-7 4.2E-8 3.'7E-8 3.0E-8 2.4E-7 4.lE-7 3.0E-7 I S? Feedwater Loss of 3.0E-6 3.8E-6 4.8E-6 2.lE-6 2.8E-6 3.4E-6 5.2E-6 6.6E-6 8.2E-6 ,
Condenser
]
! Inadvertent 6.8E-7 1.2E-7 3.3E-7 9.0E-8 2.4E-8 6.6E-8 7.7E-7 1.4E-7 4.0E-7 j 4 Open Relief
- Valve k Total 8.7E-6 1.0E-5 1.5E-5 4.8E-6 4.9E-6 6.4E-6 1.4E-5 1.5E-5 2.lE-5 e
0-s I
. . . k .. U
I' Table S.S Core Damage Freyuency for Loss of Of fsite AC Power Initiator I Class I Class 11 Total Core Damage Frequency Frequency frequency - BNL BNL BNL BNL BNL BNL SNPS FT/ ET ALL SNPS FT/ ET ALL SNPS FT/ET ALL Loss of -+ Offsite AC 9.9E-6 1.6E-S 2.9E-b 1.lE-6 0.7E-6 1.4E-6 1.lE-5 1.7E-5 3.0E-5 . Power Table 5.6 Core Damage for Excessive Helease of Water in Reactor Building Elevation 8 Initiator U
~4 i
Class ! Class 11 Total Core Damage frequency . Frequency Frequency BNL BNL BNL BNL BNL BNL ! ! SNPS FT/ ET ALL SNPS FT/ ET ALL SNPS FT/ ET ALL 'e Excessive Release of 3.lE-6 - 4E-6 1.8E-S 7.BE-7 - IE-6 2 UE-6 3.9E-6 - bE-6 2.uE-S Water at Elevation 8
- i e
I l' li c i ..
e Table 5.7 Core Damage Frequency for Level Instrumentation and Drywell Cooling Failure Initiators Class I Class III Total Core. Damage' . Frequency Frequency Frequency BNL BNL BNL BNL BNL SNPS FT/ET ALL SNPS FT/ET ALL SNPS ALL Reference leg 2.4E-6 7.3E-6 7.3E-6 2.4E-6 7.3E-6 . line leakage i Loss of Drywell Cooling (and 3.3E-7 7.4E-7 9.3E-7 . 3.3E-7 8.7E-7
- i transient l 4
contribution) ' Isolation
- Transient Loss 2.5E-8 8.2E-7 1.4E-6 3.3E-7 8.7E-7 El of Drywell ;
Cooling Loss of Offsite . AC Power with 8.4E-7 1.lE-6 1.9E-6 8.4E-7 1.9E-6 i Diesel Recovery Small and Medium ! LOCA-Loss of 2.lE-7 4.0E-7 4.0E-7 5.0E-9 1.5E-7 1.5E-7 2.lE-7 5.5E-7 { Drywell Cooling - Total 3.8E-6 1.0E-5 1.2E-5 5.0E-9 1.5E-7 1.5E-7 3.8E-6 1.2E-5 l t 1* 1 i i 1
. u. . .. . -
- ... 2&
B 4 O Tabl e ' 5.8 Core . Damage Frequency for LOCA Outside Containment Initiator Class V - Frequency BNL BHL SNPS FT/ ET ALL Interfacing LOCA 2.4E-8 7.ZE-8 1.8E-7 Steam Lines Break 1.1E-8 1.1E-8 1.5E-8 Outside Containment Feedwater Line Break 1.7E-9 1.7E-9 3.0E-9 Outside Containment Total 3.7E-8 8.5E-8 2.0E-7 9 9 6 129 l
Table 5.9 Class I Dominant Sequences *
- 1) T EIOR 1.0E-5 IB
- 2) T IVD E
6.7E-6 IB
- 3) T QUX T
5.5E-6. IA 4.2E-6 l 4) T UX C
.IA l
- 5) T EIII DUX 3.3E-6' IB
- 6) T TSUV g 2.6E-6 ID
- 7) T TSUX g 2.6E-6 IA
- 8) T QUX g 2.5E-6 IA
- 9) TE R R1 0UH 2.4E-6 IA
- 10) TE R.
QUH R2 2.2E-6 IA Total Class I = 8.2E-5'
- 11) _TDg DQ 2.2E-6 IA -
- 12) T R0 R gQUX 2.0E-6 IA
- 13) T EIGL 1.9E-6 IA
- 14) TE III OV 1.7E-6 IB -
- 15) M QUX3 1.6E-6' IA
- 16) T IOUV E
1.4E-6 ID
- 17) TE III OX 1.2E-6 IB
- 18) TEIII DUV 1.1E-6 IB
- 19) TE III 00'V 1.0E-6 IB l
- 20) T EIUV 1.0E-6 ID i
*Without the contributors from excessive release of water at Elevation 8, which would rank high on the list (1.8E-5 is the total gontribution of all
" flooding" sequences).
.l 13 0
'l
_j
at& _ . .
.x a 4 ..
Table 5.10 Class II Dominant Sequences
- 1) TW 2.5E-6 C
- 2) T EI IV W 1.4E-6
- 3) T TSW 3g 1.4E-6
- 4) T'3g TW S.8E-7 ,
- 5) T U'W C
4.2E-7 Total Class II = 1.3E-5
- 6) T TSUVW 3y 4.1E-7
- 7) T OWT 3.8E-7
- 8) T QW g 3.7E-7
- 9) M QW3 3.2E-7
- 10) AV'V"W 2.0E-7
- 11) S uY'V"W g 1.8E-7
- 12) A few contributors from excessive re- .
lease of water at Elevation 8,- ' 2x10-6 in total. - Table 5.11 Class V Dominant Sequences
- 1) A OUT V 2.0E-7 Total Class V = 2.0E-7 1
131 . t
.- _ ~ . ~-w- ~ . .. ..u..~. -
. s i
l 1
. ' Table 5.12 Class III Dominant sequences
- 1) S uV g
3.1E-7
- 2) AV 3.0E-7 Total Class III = 1.3E-6
- 3) S uX g
2.5E-7
- 4) S QEL 1.5E-7 1
Table 5.13 Class IV Dominant Sequences
- 1) T CTgKQ 9.1E-6
- 2) gg TCG H 8.3E-6
- 3) T CTgKUH 6.5E-6
- 4) T CTgKC2 4.2E-6
- 5) T CTgKUU H 3.9E-6
- 6) TCXT3g 2.4E-6 ,
- 7) T CTgKP g 1.1E-6
- 8) T CggKUU g 1.0E-6 Total Class . IV = 4.5E-5
- 9) T CggKPU g 9.1E-7
- 10) T CpgKU H 9.1E-7 .
- 11) T CEgKU g 1.1E-6
- 12) TTg C KPU H
7.5E-7
- 13) T CpgKC 2 5.7E-7
- 14) T CpgKUU g 5.1E-7
- 15) T CTgKPC 2 4.5E-7 -
- 16) TTg C KPUU H
4.2E-7 132 l
i e * , Table 5.14 Sumnary Table of Dominant Accident Sequences Leading to Core Damage Conditions, Hanked by Frequency (per Reactor Year) y Shoreham - PRA % of Total BNL - Review Core Core Sequence Damage C1 ass / Sequence Damage C1 ass / No. Designator Frequency Subclass SNPS BNL Designator ' Frequency Subclass , 1 T(M2)C(M)C(2) 6.4E-6 IV 12 7 T(T)C(M)K(Q) 1.0E-S IV j; r. 2 T(C)UX 3.lE-b IA 17 14 T(E)lDGL- 1.0E-S IB 3 T(T)QUX 2.4E-6 'IA- 22 21 FS(0)QUX ' l.0E-S* IA ~ 4 T(D)D(I)Q 2.2E-6' IA 26 27 T(M)C(M)KU(H) 8.3E-6 IV S T(E) IV DUX 2.2E-6 IB 30 32 T(T)C(H)KU(H) 6.7E-6 IV 6 FS(0)QUX 1.7E-6 10 33 37 T(E) IV U 6.7E-6 IB 7 T(E)lll(C)DV 1.SE-b IB 35 41 T(T)QUX S.SE-6 IA 8 T(F)C(M)U l.bE-6 IC . 38 44 T(T)C(M)C(2) 4.2E-6 IV 9 T(F)C(M)UD 1.SE-6 IV 41 47 T(C)UX 4.2E-6 IA < l 10 T(C)W'W" 1.SE-6 11 44 So T(T)C(M)UU(H) 3.9E-6 IV 11 M(S)QUX 1.3E-6 IA 46 52 T(E) 111 DUX 3.3E-6 IB -l ! 12 T(E)lil(A)DUV 1.2E-6 IB 48 S4 T(SW)TSUV 2.6E-6 10 ... D.
- 13 T(E)W(D) 1.lE-6 .11 50 56 T(SW)TSUX' 2.6E-6 IA -
14 T(R)RQUX 1.lE-6 IA S2 57 T(M)QUX 2.SE-6 IA p : f 15 T(F)C(M)C(2) 1.0E-6 IV b4 S9 T(C)W 2.SE-6 11 "tst mated *
- I l
*W
l I Table S.14 Continued
, Shoreham - PRA % of Total BNL - Review.
l I Core Core f Sequence Damage Class / Sequence Damage Class / No. Designator Frequency Subclass SNPS BNL Designator frequency Subclass 16 T(E)lDUV 9.9E-7 10 56 61 T(T)C(M)W 2.4E-6 IV , 17 T(TI)C(M)C(2) 9.9E-7 IV 58 63 T(R)L(RI)QUH 2.4E-6 IA 18 T(T)W'W" 3.9E-7 11 59 64 T(R)L(R2)QUH 2.2E-6 IA 19 i(E)GOL 8.4E-7 ID 60 66 T(0)D(1)Q 2.' 2E-6 IA 20 M(S)W'W" 8.2E-7 11 T(R)R0(R)QUX 2.0E-6 IA 21 T(E)luV 7.7E-7 10 T(E)lGL 1.9E-6 IA i y 22 T(M)QUX 7.2E-7 1A T(E) III DV 1.7E-6 18 23 T(1)QUX 6.7E-7 IA 1.6E-6
, M(S)QUX IA 24 T(E) 11 DU"V 6.SE-7 in- T(SW)TSW l.4E-6 11 25 T(H2)C(M)C(2)U 6.2E-7 IC T(E)I IV W 1.4E-6 11 @
- 26 T(M2)C(M) CUD 6.2E-? IV T(E) III DX 1.2E-6 IB 27 T(E)C(M)C(2) 6.UE-7 IV T(T)C(M)PC(Q) 1.lE-6 IV
[ 28 FS(C)QUX b.SE-7 10 1.1E-6 T(E)C(M)U(H) IV , l 29 T(D)4UX S.3E-7 IA , T(E) 111 DUV 1.1E-6 iB l 30 1(TI)C(M)U 5.3E-7 IC 70 72 1.0E-6 T(M)C(M)UU(H) -
.t v Total Core Damage = S.SE-S Total Core Damage = 1.4E-4 t
~ ,
.c . .
l 4 I Table 5.15 Results from a Limited Sensitivity Stucy (Only the sequences affected by the ena.1ges that are studied are included in the results shown.) Core Damage 7.seline Core Damage CD (CD) Case in CD (CD) No. Case Studied Class Frequency SNL Review Class Frequency
- 1. LOOP Initiator: MSAC/80 1- 2.9E 5 LOOP Initiator: SNL ! 2.9E-5 LOOP frequency and recovery !! 5.4E-6 Review LOOP and !! 5.CE-6
~
probabilities for NPCC
~ Total 77GT Recovery Probablities Total. 7'IGI for NPCC
- 2. Mtscalibration: Use of I 4.7E-5 Misca t teration: use ! 1.5E-5
$NPS-PRA value of 2x10 8 -
SNL-Review value of in ene 'UX* Function 2.n10-* fn tne *UX* Function
- 3. Transients + ATW5: EPRI- ! 1.0E-5 Transients + ATW5:
' 1 1.3E-5 NP-2233 Data Base Excluding !! 4.3E-6 EPRI-NP-2230 Data !! 5.5E-6 First Year of Plant's IV 4.9E-5 Base from All Years IV 5.9E-5 Emperience Total N of Plant Operation Total TIGI (BNL Review) 4 Large and Medium LOCAs: !! - Large and Meatun !! 5.7E-7 No Credit to PCS or to !!! 2.6E-6 LOCAs: Credit Given III a.1E.7 Condensate System Total T. TUT to PCS and Condensate Total TOUT
- 5. LOOP Initiator: Diesel ! 5.1E-6 LOOP Initiator: 1 2.9E-5 Data = FT5 = 0.01/d 11 6.0E 6 Diesel Data = FT5 = !! 6. 0E-6 P(2/1) = 0.11 Total T" TUT 0.02/d; P(2/1) = 0.19 Total 7."Ti"I P(3/2) = 0.40 P(3/2) = 0.63
- 6. No Credit to TB5W5 in ! 2.1E-5 the PRA Credit Given to TB5WS I 5.2E-6
!! 2.7E-5 in the PRA !! 1.3E-5 Total T"3GT ,
Total T.lGT
- 7. No Credit to Condensate ! 1.3E-4 System in the PRA Crwsit Given to 1 2.ZE-5 -
. !!! '2.1E 6 Condensate System !.!! 4.1E-7 V 2.1E-6 in the PRA Y 4.2E-7
- 8. . ATW5:. A05 Inhibit fieroved IV 1.3E-5 ATW5: A05 Innibit IV 1.9E-5 by 50% (Protability of from SNL Review f ailure decreased by factor Results '
of 2) 135 t
ma _ ' - '.=
^
~' '
~ - -
f Table 5.15 Continued . Core Damage Baseline Core Damage CD (CD) Case in CD No. Case Studied Class Frequocy (CD) BNL Review Class Frequency
- 9. ATW5: SLC fatture prona- IV 5.8E-7 ATW5: SLC failure IV blitty reduced by factor '5.8E-6 I protability same as of 10 in SNL review. !
1 ' 10. ATW5: Atomet1= FW Runeack !Y 1.0E-6 ATWS: Manually e IV 1.0E-5 Assumed, that may Reduce Initiated FW Failure Proca6111ty by , Rebau j factor of 10 .
- 11. ATW5: Increased SLC Baron IV ~ 2. 9E-5 ATW5: SLC injec- IV ~ 3.6E-5 Concentration by a factor tion of 46 gpa of 2 (or alternatively
, 86 gym SLC)
- 12. Water Aelease at Elevation I 1.8E-7 8: One LPCI Tratn Pro-Water Release a't I 1.SE-5 tected Against Flooding Elevation 8: 8NL ,
Review 1
- 13. LOCA Outside Containment: V 4.2E-9 LOCA Outstae V 4.2E-7 One LPCI Train Protected Containment: BNL Against Flooding Review la. No Credit to RCIC in the !! 9.1E-6 Credit given to 4
Steam Conef ag Mode !! 3.7E-6 Containment Heat ' j ' Removal by the RCIC Steam Conce<41ng Mode <
- 15. Level Instrumentation ! 2.1E-6 System having additional
- Level Instrumenta- ! 7.3E-6 r tion System having four level transmitters four transmitters for inoependent initIat1on-of HPCI, RCIC, and low for.Initiatton of ,
pressure ECC5
. HPCI, RCIC, and low pressure ECCS '
- 16. Issact of Inclusion of I 1.3E-5 Control Rod Drive !
Control Rod Drive System in 2.0E-5 - , System not. included the High Pressure Injection in the PRA , Function , 136 .
- =. : -.-
_ G- .
- ;y
- _.. .
. a ... : . w i APPENDIX 5A a
Ai1TICIPATED TRANSIENT WITH S!JCCESSFUL SCRAM SEQUENCE 5
- This appandix sunnerites BNL's review of the centribution of transients .
with scr:Jn to the SMPS frequency of core damage. The review covered material present#d 11 Secticns. 3.4.1.1 to 3,4.1.5 ana section 3.4,1.7 of the SNPS-PRA. The follewing transiacts are reviewed in this appendix: .
. a) Turbine Trip .
b) Manual $hutdowns c) MSIV Cicsure d) Less of Fseawater } e) Loss of Concenter Vacuum f) Inadverterit Open Relief Vulve (IORY). - The initiater frenuency for those transients was reevalsated as discussed in Section. 4.1 and su?snarized in Table 44 criovie. The fedquency of manual shutdown in the SNPS-PRA Was , judged reasenably conservative .and was not further reviewed by BNL. . The SNPg.cRA value of 4.3 shutdowns per year was ; usec in. the 2NL reassessment. Fce all other transients, the naw reevaluated frequencies cf Tabit 4.2 wees used by BNL. The SKPS-PRA attnegted to take into acc'ount mere frent)ine sys'tems ' 4 intercependence f ri the avent trees oy 19c'.*easicg the event trees ' detali. The - interdependences between HPCI and RCIC were detailed in the SNPS-FRA event trees and the same was dor:e for LOCI anc LPCS. The condensate and feedwatef-pu@s were explicitly treated in the evenc trae; the Cot!tair. ment Heat removal function wss separated into contributions from RHR, PCS, and failure to - I recover frcm a MSIY closura. These igrovemnts made the modeling of the transients' contribution to core dam 3ge in the SNPS-PRA more rsalistic. 1 The suppor+. system dependence was also treated in the SNPS-PRA. The i treatment chosen was to screen selected support systems dependences and treat them in separata event trees so as to focus their impact better Three support systems were treated in this way: a) AC Power: Transient induced Loss cf Offstte . Power (t00?), or . LOOP occurring during the transient. b) DC Powr: Loss of a DC bus, both transient-induced and in the course 1 of the transient. , c) Service Water: Loss of service water during the recovery f rom a transient. ' BHL found this treatment helpful and addeo enother suopert system to the list: , 137 i t;
,._ . _ . . . _ . _ , - :~ , _ _ _ _ - . , , _
m._~ ._ - .- ._ : __ .-- _
. -.. ._. 1 l
1 d) Drywell Cooler: Loss of drywell coolers following a transient. ' SNPS-PRA treateu this explicitly on the transient event trees rather than by the same, screening method they suggested. BNL used the i screening method for loss of drywell coolers, but differentiated ; between transients that lead to MSIV isolation and non-isolation 1
- transients (see Appendix 5F). '
Other support systems were included in the fault-trees analysis and their impact, if important, was acccunted for in the front line systems' unavaila-
. bilities. Note, however, tnat some underestis3ation of support system contri-
. bution may result when the more rigorous CDFT .f s not nsed. As stated in Section 1.2, BNL judged this uncerestimation to b'e unimportant.
The $NP$-PRA treatment of anticipated tran' s ients is innovative in the division of toe isoldtion transjents into separately treated initiators. This was discussed in Sectich 2.2 above. (A.1 TURBINETRIP.TRANSIE{ 5A.1.1 _Backgrourji, Tnis is the most frequent transient. The frequency of the transient is 5 per year in the SNPS-PRA and 8 per year in the BNL review. This difference was discussed in Section 4.1. Here, the modeli.ng and quantification differ- , entes between the SNPS and SNL approaches are discussed. - Following a successful screm, SRVs are opened to relieve the pressurg that is rising in the !!PV af ter the closure of the turbine stcp v61vef. If . none cf the 11 SRVs opent, then the pressure itzside the kPV will breach the pressure boundary at c wer.k .ooint and a LOCA is assumed to occur. This is , however, a small proca5111ty relatin to the large LOCA frequency, and has nc The open SRV ray fail to close cfter pressure is 5:ibstantial impact. - 4 re.laveo, A single SW may fall open w?th as high a probability as 0.1; how-4 ever, t.h15 apparently does not change the course of the tr4nsient sign $ficant-ly, because the hign pressure injection system San easily maintain prescure in - the R9Y in $pite of the small loss of conlant inventory through the stuck open relief valve. However5 given two SO2Vs , . changes in plut nehavice cre expected, in three ways: a) The RPY pressure will slowly decrease to a point At whicn high pres-sure injection may no longer be successful, this can. happen as early as four hours 16 after transient with two 10RVs initiation. b) The suppression pool will heet up slightly faster, er.d reach 200*F at about i hour rather than 2 hours or oore.
- c) At the beginning of the incident, if there la ne high pressure injec-tion, the RPV water level will decrease faster given 2 SORVs than <
gi ven none; this in turn will reduce the time for recovery of FW during the time per.iod when water level decreases from level 2 to level 1. The impact on the PCS availability, however, is small in the case of 2 - SORVs relative to none. 138
;. ~ .: ::- a .
- z- z ..-
-. -:: ~ . ,.---
The "Q" function is' discussed in detail in the next section. The' coolant injection functions and the ADS are .iodeled next on the event trees. Thei r quantification is based on the SNPS-PRA system fault trees. The unavailabili-ties were discussed in Section 3.3, when fault' trees were reviewed. The containment heat removal function includes the following:
- 1) RHR system unavailability.
~
- 2) The RCIC steam condensing mode with R85WS cooling'the RHRHX directly.
.' 3) The PCS. '. '
The RCIC steam condensing mode 'has a small contribution, considered in the SNPS-PRA to be 0.4. It might not even be this large if the RBSWS, which is common to both, is assumed to fail. and no credit is taken for interconnect-ing the turbine buildin~g service water systems. The values of 0.4 or 4.4x10-5 are explained in the discussion in Sec. tion 3.3 on RHR with RCIC in steam condensing mode. The PCS is dependent on the availability of offsite power, one circulat.- j ing pump, the condensate pump, the MSIV, the feedwater discharge valves, and l air ejection or mechanical vacuum siump. All these have a hardware failure probability assuming repair of 4.5x10-3 BNL used a value of 0.004, as explained further in Secti.on 3.3.2.14. SA.1.2 The FW and PCS Availability (0 and W" Functions) In the event of a Turbine Trip, the SNPS-PRA states that the cperator is instructed by procedure and trained to maintairi feedwater or recover it imme-diately. This inportant feature was taken into account in BNL's reevalua-tions. The recovery of feedwater function (Q) is an important function in most transients. BNL has therefore followed the approach of past BWR-PRAs 5 and constructed a functional level event tree for the Q function and tried to use it in a consistent way for all the transient events. Table SA-1 . gives the description of the functional event tree used for Q and the basis for its quantification in the turbine trip case. . The tree includes two phases : a) The Short-Term Phase: Probability that FW will be available, begin-ning 30 minutes after initiation of the transient.
~
b) The Long-Term Phase: Probability that the PCS will be available for containment heat removal,15 hours after. accident initiation. The BNL functional event trees result in probabilities for Q similar to those found in past BWR-PRAs. However, those PRAs , as well as the SNPS-PRA, assumed that the long-term PCS availability is independent of the unavailabil-ity of parts of this system at accident initiation. BNL does not consider this to be realistic. One- anomaly that may arise when considering the long-term PCS recovery to - i i be independent of failure tb recover the PCS in the'short term is that overall recovery probabilities for the transient duration become unrealistically . 139 ,
.n. - n .:....a- - ---_ - . . . . . . - - -:.. . - - . .. .... ..---. Z high. For example, failure. to recover turbine bypass valve in the short term, and then again in the long term, are related, and the probability of late recovery should decrease if early recovery already failed. The above' situation is shown in Table 5A.1, in which both the short- and long-term PCS recovery probabilities are shown on the same tree. The condi-tional probability of long-term recovery, given that short-term recovery has failed, is of the order of 10 2, which is higher by a factor of 2 than that in the SNP,S-PRA, where the. short- and long-term phases are assumed to be completely independent. This factor becomes . larger in cases of MSIV closure
, or loss of condenser transient. In fact, the SNPS-PRA assumes some dependence between the short- and long-range recovery in some other transients in a few Cas es .
The SNPS-PRA considered a dependence between ADS operation and MSIV re-covery probability, increasing the non-recovery pr'obability by a factor of two for cases in.which depressurization by ADS has occurred. This was insuf fi-ciently explained, and it was applied non-uniformly for the transients, with factors ranging from 1.4 to 3.0. The BNL approach, used with its functional level event tree, was to apply a uniform MSIV recovery probability of 0.001 for all cases (but for the case of MSIV closure see Section SA.3) based on the long period (15 hours) available for the MSIVs to recover. Unlike the SNPS-PRA, BNL did not model the MSIVs as a frontline system, but used them as a part of the PCS. , In summa ry, the BNL approach used the. functional level event tree. approach for Q and W" quantification to gain more consistency in their quanti-fication. Another change made by BNL is the assumption that, when FW injection (Q)_
.is s'uccessful, the long-term containment heat removal function is not required ..
because no decay heat would be deposited into the suppression pool throughout the transient. 5A.1.3 The Results of the BNL Revised Event Trees . The revised BNL event trees take all the above considerations into account. They are shown in Table SA.2, along with additional explanation regarding their quantification. The result of the BNL re-assessment is about twice the value in the SNPS-PRA, mainly because of the increase in initiator frequency. A small increase in BNL results is obtained from the sequences including two 50RVs. Although the contribution of this increase to the total cora damage frequency is small, it is much higher than ' estimated in the SNPS-PRA. The small increase in Class II, apart from the change in initiation frequency, results from the dependence between early and late recovery of the PCS included in the BNL re-assessment. 5A.1.4 The Special Case of Common Mode Miscalibration of Level Ins trumentation The SNPS-PRA considers a miscalibration of all water level transmitters to be an event having a probability of occurrence of 2x10-3 It does not state that procedures for staggered calibrations are available. 140 t A
. L .. . .. ; * '
..- -- ~-
~
The fault trees of the SNPS-PRA include the miscalibration error of all water level sensors as input to HPCI, RCIC, AOS, LPCI, and LPCS. . It is iden-tified on all those fault trees by the same basic ' event, namely "HHV7200XI". The fault tree model assumes that if miscalibration occurs, no automatic init-
!ation will occur in RCIC and ADS. However, on HPCI, LPCI, and LPCS fault trees, the modeling assumed automatic initiation by high drywell pressure, which is true only for LOCA or ATWS and is incorrect for all transients and manual shutdowns. Therefore, the. commonality of miscalibration for high and low pressure injection under trans,1ent conditions was not recognized in the cut sets of those fault trees and was not accounted for in the SNPS-PRA tran- . sient functional event trees.
The fault trees have included an operator action for manually starting the ECCS subsystems if automacic initiation failed. These include the follow-ing: a) HHU5000XI and HHU6000XI for operator failure to manually actuate HPCI or RCIC, b) AHU1990XI for operator failure to manually initiate AOS, c) OHU1110XI for op'erator failure to manually in'itiate LPCS, d) LHU5000XI ano LHU6000XI for operator failure to manually initiate LPCI. i Theref ore, in the SNPS-PRA fault tree analysis there exists the following cut set (see also Section 4.3): HHU7200XI * (HHU5000XI + HHU6000XI)
- AHU1990XI, which can lead to Class I core damage if feedwater injection becomes unavail-able. This event "TT Q" for the turbine trip transient is T Q = 8 x 0.082 T
= 0.66 per year.
The core damage probability for turbine trip with miscalibration then becomes TTQUX = 2x10 3 x 0.1 x 0.1 x 0.66 = 1.32x10-5, which is double the value for T QUX T calculated on the event tree of Table 5A.2 (Sheet 2). BNL considers this result conservative for the following reasons : a) A common-mode miscalibration error rate for a large miscalibration (a miscalibration of level 2 and 1 by over 10 feet is needed to uncover the core without safety system actuation) should be lower than 2x10 3.. BNL judges that a value smaller by a factor of 10 would be , more realistic if some calibration procedures emphasizing the effect of large calibration changes are used. The Handbook of Human Relia-bility (NUREG-CR/1278) gives even lower values for similar cases (see.Section 4.3). i 141
.a
_ - . _ _ , , , _ . _ ,, ,- , . . - . . , ._ -,,,-,..,,.-.,.c, ,
n = , . .
..-. _ . . - _-.a. .. -- . w .= -: ,
i b) In order for a large miscalibration to be unnoticed, the operators; must ignore a white indicator light in the control room for tiPCI hign. level trip transmitters N091 C and D. c) In order for the operator to perceive that the core is well covered' and significantly reduce core injection for a long tim.e. en addition-al miscalibration s1ust have occurred on the wide or narrbw range level transmitters, in a direction that will display high. wat.er level-in the reactor vessel. .
. . The reviewers consider the situation posed by such a gross miscalibration-to be of sufficient importance to warrant calibration procedures that require' staggered calibration such that N091 A and C would be calibrated at different, times than N091 8 and D. Such a procedure may be sufficient to 'rvduce the probability of this event to a fraction of the T QUXt . sequence ocdeled in the event tree diagram and appropriately represented by the value of UX =:3.h10-6 used from the fault tree analysis. ,
After the review w&s completet SNL was inforded th6 a modification to the level instrumentation system is underway at Snor.thait. This codification will potentially reduce the prcbability of miscalibration ay r the additica of four new level instruments for HPCI cctuatica. - 6 I e L 1 l 142 l 9. 1
. _ - . _ . - . .-. : __- w _ . ..-._ ~. :.: .-- :--. . . . ~ . . . - .
~
Table SA.1 Functional Level Event Tree Description for FW and PCS Recovery Probability (Turoine Trip) (Sheet 1 of 3) Function Probability Description /Coment Feedwater system remains 0.1 SNPS probability that the feed-on line: , water system fails to rapidly re-
. spend to the transient resulting ,
in a level 8 trip or MSIV closure. Recovery cf FW between 0.7 The SNPS probability of FW l.evel 2' and Level 1: recovery given that HPCI or RCIC. 6-10 minutes are
, does not start.
available to. the operator before level 1 signal. Tuibine controls and by- 0.011 Probability that the main turbine pass valves available: controls and bypass valves are failed or fat 1 during the tran-sient. A factor of 10 was applied since the initiating event involveo the turbine. MSIis temain ocen: Pro _bability that the MS!Vs fail to remain open during the tran-sient. 0.02 If FW system remains on line. , 0.20 If less of FW system occurs. . It may re: ult in MSI'l closure on low reacter leyel or pressure, . MSCVS reopensd: 0.1 Probability that the operator fails to reopen the MSIVs within 30 minutes of transient initia-tion. Recontry cf 'W a.id PC$r 0.01 ProbabMi'ty thet the cperator fails to recover the FW and PCS within 30 minute.< given a fatture or turbine trip. The low failure probability is ass.amed because it is a standard actior, that the operater .fs called on to perform normally, and is trained to do on s imulatcrs . l 143 l l
* * - e e
. _ _ _ . . _ .s . . .
s Table SA.1 Functional Level Event Tree Description for'FW and PCS Recovery Probability (Tu.rbine Trip) (Sheet 1 of 3 Continued) Function Probability Des criotion/ Comment Turbine Controls and By- 0.05 . Conditional recovery probability pass Valves Available - given fai. lure to recover during Long-Term: the early phase. Total f ai. lure to recover probability should not. exceed 5.~5x10 " for the transient duration. 5.5x10 4 Probabil'ity that the turbine con-trols and bypass valves are not available. System restoration is assumed. (0.5 x Estimated System ' unavailability). MSIVs Reopened - Long-Term: 0.001 . Probability that the operator fails to reopen the MSIVs during the time available following the initiation of the transient. Assumed to be 15 hours. MSIVs Reopened - Long-Term: O.01 Conditional recovery probability given failure to recover during the early phase. Total failure to recover probability during the transient assumed not to exceed 0.001. Recavery of FW and PCS: 0.001 Probability that the operator fails to recover the FW and PCS - during the time available. Assumed to be 15 hours. 0.1 Conditional recovery probability
. given failure to . recover during the early phase. Total failure to recover probability should not exceed 0.001 for the 15 hour duration.
FW and PCS Hardware: 0.004 Probabi.11ty that the FW and PCS will not be availabe to provide water to the reactor and remove decay heat to the environment. Value based on the SNPS fault trees (see Section 3.3). 144 I g . _ _ _ - _
L' a 5samt Itmee i tapes Itase { At00vtHV Leatte I sw Of fu Ismals( M54V MCDufAf l, OF Itsestaf essef . K5 5000Pte mi pgees tat SE lu4 E N g/P p(sen 4 N 8E5 0 W of Canadm1 Aft S/P N0Pt00 MCortRV g. DesL led L2 = Ll MC0vtNT CHN ( Alltatt Riort es FCS SHuMI-Itstee MCOutaf LOMr,-lines LONG-IEHet IO seues e 2 3 4 5 6 7 8 9 le il 8 e 0.98 e , g 1
- O.00ls a (3.5s-3) ,
8 0 0.99 8 a .
, 0.001 '(6 3s-5) 0'909 09 e e I
- O.9 0.9 E 0.01 , 0.00l,
' 1.6s-la 8 0.t ' 0,t 0.02 l ', 1.6s.$
l e l 8 M O9 8 o,9 0 . 0 01, ;; l e f. 0.1 0.0018 8 , o,oog g e , w A O.1 l 0.01 m * !' 1.8E-5
. . s e
i M e e' e j e 0 .0 014
. . , 3 3_g .
- l 0.9 g .0 95 9.001
' 9.5s-6 0.011 0.01 o,003 9.ss-6 .
' 3 0.1 l G.06 j 0.) a 5.os-le 0 .
e e 2
! N 0.1 8 e
- 0 003'
; ! e
- 2. 8 E-l.
l
- 0.9 ! 0.001
- ; 7.0s-5 0.7 0.07 i
- 0.001 s r- 7.0s-5'
, l 1 0.1 I 5.5s-l.
, ; j j 3.os-5 i'
. I :
- 1
- total i
. 1.05s-3 Total . Q . 0.082 '
W" = 1.05s-3/O.ud2 4
=
0.013 Table 5A.1 Functional I.evel hent Tree for the Probability of W and ICS Unave11 ability Following a Turbine Trip. Short Tem and Iond Tem Recovery Probabilities. Case of No SOHVs. * (St.eet 2 of 1) A
$65Mi I48ste StCoutRV t bNitS' re or tw ,e went "588 escovtar timesw et med ecs touieutur i; steente etsma ta as at" Alm mas ce4 t ( L2 = tt g ALCoutRT MW Rs0Ptn De FCS coest =54 st SammI-ItNet se ft(COutMV a(Orta LONG-ItHM secovent f aitimt .'
LOdG-ILHee 10 auss A
, , 3 e s 6 y e 'e to 48 L
0.98 . OK
. ,'l-@8 (3,5g.3)
. .I i OK '
0.989 , #' e
. - - (6. 3E.5) ;
0.9 . i l
- 0.9 "
t ).01
- le i) On!,
'I *I 0.02
- 1.6E-5 e
e
- OK 0.9 I
+ =
0.004 b
. o.1 : ; 0 mi '
m . *
* 's.1 ! 0.01 t .8E-5 l 5
- OK
- . i ,). onl, l
- 3.8E-5 i. -
- '*1
- ! -- 9.5E-6 si.01) .
3 0.001
, p
- 9.5E-6 s.1 l 0.05
' 5.0s-h
. 1 0.1 ,.
- 0- '
la.OE-le e . t - [1.001 e 1.0E-la ' 1.0 e
- , 0.001
,1.0E-4
! 31 1 T 58-h
! i 5.5E-5 e
l :
- Total = q = 0.112 l
- TerAL .j
= 1.2E-3 L-
- Table $k,1 Punctional Level ihrent Tree fer the Probability of W and FCS Unavailability V' = 1.2E 3/0,112 Pollowing a Turbine Trip. Short, Tern and Long Tern Recovery Probabilities.
Case of 2 ' ave. = 0.011 .{ I (Sheet 3 of 3), s
'I l
..- .. . . :. .: 1 ....
Table 5A.2 Event Tree' Diagram for Sequences Following' a Turbine Trip Initiator (Sheet 1 of 3) TT = 8.0: The frequency of turbine trip transients per year is based on the discussion in Section 4.1. C = 3.E-5: both mechanical and This is electrical).the scram It.is failure taken from probability NUREG-0a60 (23, M = 1.E-6: This is the probability assumed for failure of 11 SRVs to l open on high reactor pressure exceeding their set point.' I The failure leads to an unimportant contribution to LOCA frequency. P = 2.E-3:- The probability that 2 SRVs will be stuck in the open posi-tion (stuck open relief valve = SORV). The probability of this failure mode is 3.75x10-3/d. An average of three challenges per valve is assumed for turbine trip transient. The summation of 2 out of 7 combinations results in 2x10-3 l 0 = 0.082: This probability of failure to recover FW is evaluated in Table 5A.1. - Q = 0.11: This is the feedwater unavailability following turbine trip with 2 SORVs (see Table 5A.1 sheet 3 for derivation). U' = 0.07: The unavailability of RCIC based on the f ault . tree for the RCIC system (see Section 3.3). U" = 0.1: The unavailability of HPCI based on f ault' -tree analysis (see Section 3.3 for discussion of the fault trees of the HPCI system). U = 0.01: The value of the unavailability of RCIC and HPCI, considering their commonalities (see Section 3.3). X = 8.4E-4: The ADS unavailability as derived f rom SNPS-PRA f ault trees. V'.V" = 6.2E-4: The unavailability of LPCI and LPCS' based on their comb'ined fault tree analysis (Section 3.3). V = 0.1: The probability tnat the operator initiates or , controls the ' condensate pump within half an hour or less, following loss i e' high and low pressure injections. V = 0.02: This is the probability of aligning the condensate system in the case of 2 SORVs when this system is needed four hours into the accident, af ter the pressure in the core decreased below high pressure injection reactor pressure re,quirement. 147
-- -,- a
._ _. _ . _ - - ~ - - .,.-- _ _._ . _ . _ - - _ ,-
Table '5A.2 Event Tr'ee Diagram for Sequences Following
, a Turbine Trip Initiator (Sheet 1 of 3' Continued)
W' = 4.4E-5: The value of RHR with RCIC in steam condensing mode (see Sect ion ' 3.3) . 1.1E-4: RCIC assumed unavailable. The value represents RHR reliabil-
.' ity with, assumed repair for 20 hours (-0.36). It is
, developed in. Section 3.3 based .on SNPS-PRA fault tree analysis.
W" = 4'.E-3:
~ Unavailability of PCS if available during the turbine trip j transient (see Section. 3.3).
0.013: Conditional unavailability of. PCS given it failed to be re-covered in the first half hour of the transient (see Table SA.1). 0.011: Same as above for 2 SORVs (see Table SA.1). l e f 148
4 9 s 4 f I t ese II Altat Ot tis- lists $tset CUNIHQt COOL AMI INJECil000 CONIAlme[NI NEAI 1 Cat iTV pe serw As CA4CutAft0 fust OR PO$lut Af tp , p g g gheAlta ConstNEAll HCSC COME Itse84 Ng - DECOVE ft(ts flNELY Ptse 8N $lt Ast CALCutAl(0 CaseAGE IN IP $NVs $NVs leeMt 00- aceC te'C l AOS C$ LK1 INJacilose CON 14NSING $10ta sCE int 0L(NCV Ut 50s 4 OPE N a(Ct0510 AIELT AVAll ASLt AVAlt Alsti GN6IIAI80se AVAllAgt t GNJtCleces AVAllAhti PLUS Su MS DESIGeeAIG4 (PER Ra Wel INANSf(R , s, C u P 0 u' va a v' v' V M' ** I I le.14LS 0.011 t,qw 3.8b7 II g 0.082 1.1Lle
- A O.313 T,qu'W 5.9E-8 .II 1.1 E-14 0.07 0,033 T,QW 1.b8 II I
1.1 LI,
, 0.011
- 3. 6 E-3 C O.1
- W O.01 0.01) 8.0 2.1b) le.958 t,QtfvW W
II . O.1
?,QW is.1B-7 ID 2E-1 8.l.s-1 (SeeSheet2) t,QUX 5.5s 6 IA i 1.E-6 .
Transfer IDCA t/ 4 t,C transfer AlvS (i i table 5A.2 Event tree Diagram for Sequences ibliowing a turbine trsp Initiator (Sheet 2 of aJ) . e g 8 m
.m.... ..
. .e _. . .. .5 .._ . . - . , . .
a E._sI,ss. I - Of N* $ 3*
*s.-
;W. e e- c- r-
- a j g ** d C W C d .d-M d Ch N E N E 5 5 I g!
E 2 k $bE 3 u e e eee . F 5 i : . a .
- * .- 2
! r e L 8 5 5 g j as * --- d um d d m-=== e 8 3 3: 5 g =5 g3 ,a a a d g g { ,s g a _t d.
; a e.
3_a- - o A . . 26s: :- . o s2w3 a 3 25 * $ h? u _k - 0 $4 Wd a e 4 , 't* n d 5m i 4 . *T w
~ ~ ~
= - a ~
as 83 L 4 E a : - U g n d
* .8a_ e E -*~w y W E ~y .A y 3
= d .
]
;IEs EE. en a o e-3 as 4 as 3
_f cm - E-i* 5
- R d 8
. C I
21 5 - W3 1 a & ' sa . 3
~
- a ".:
- lig!
I s O w 58 .
- N J
25 j5 6 d
*5
$U d **
I
!~ I. ~
I Ii
~
~
E 150 4
~ '- -
l 6A.2 MANUAL SHUTUOWN Manual shutdowns ai e gradual clontrolled reactiv,ity insertion events. sThey have various reasons. The PRA lists contributors to manual shutcowns (Table 3.4.3 page 3-53). Most of them involve minimal challenges to the plant safety systems because often feecwater and PCS remain available with a very hign probability. A few of 'them result in the challenge and initiation of safety systems. An ek, orate approach could be to treat separately the many possible com-
- binations of manual snutdowns. with frontline system unavailabilities, and sum their contributions. The SNPS-PRA chose a more efficient approach even though it may be conservative. It imodeled tnree of the important ' cases of manual shutcowns with frontline systems unavailability concurrently on the same event tree:
~
(a) Manual shutdown because of condenser problems. (b) Manual shutdown because HPCI and RCIC became unavailable. (c) Manual shutdown because RHR (two loops) became unavailable. For case (a) the frequency was taken from experience (Table 3.4.3 on the
~
PRA) showing that 4% of manual shutdowns result from concenser problems. For case (b) the SNPS-PRA estimated that 1 of 100 shutdowns will be caused by HPCI and RCIC unavailability. BNL modified the frequency to 1/43 because in Appen-dix A.4 of the PRA, wnere maintenance is discussed, the PRA assumes that the same event can occur once in 10 years or 1 in 43 shutdowns. For case (c) tne PRA estimated that both RHR systems may become unavailable with a probability less than 8x10-4' per year or -2x10-" per manual shutdown., However, the initia-tion of this system may be delayed for 20 hours, and therefore a recovery ~ i factor of Q.36 accounting for repair was assumed in the BNL revised tree. Modeling all three cases on the same event tree results in overestimation i of the manual shutdown contribution to core damage frequency. The result - would most probably be much larger than the sum of the contributions of the many possible sequences of manual shutdown combined with frontline systems unavailability. The revised event tree diagram of the BNL review is shown in It shows that, even using the conservative combinations of Table 5A.4. concurrent system failure and manual shutdowns, the contributions from tnese i sequences are relatively small. ] Note also that the SNPS-PRA determined the frequency of manual shutdown, based on experience, to be 4.3 per reactor year. This is on the high side of i the range of values used in past PRAs and therefore reinforces tne conclusion that the SNPS-PRA results for manual shutdown sequences represent their con-tribution quite conservatively, i 9 151 i _ . . _ . , . __ , _ _ _ - _ = _ . , _ - _ . _ _. _ _ _ _ . _ _ . _ _ -_. _
. . . _ . __- . ..- 2. -
Table SA.3 Functional Level Event Tree for FW and PCS Recovery Probability (Manual Shutdown) (Sheet 1 of 2) . Feedwater System 0.04 According to Table 3.4-3 (page 3-53) of the Remains: Online: SNPS-PRA, in 4% of BWR manual shutdowns the cause is condenser problems. Recovery of FW 0.7 It is assumed that part of the condenser prob-
- before Level 1: lems are in the condenser support subsystem and do not interfere with feedwater injec-tion. The value of 0.7 is taken to be the same as in turbine trip.
Turbine Controls and 0.0011 Same as in the turbine trip case (Tab 1'e SA.1), Bypass Valves Available: but not multiplied by 10 because initiator event did not occur in this subsystem. ( MSIVs Remain Open: 0.02 During manual shutdown operation there .is a
- probability of MSIV closing. The same proba-t bility as in the case of turbine trip was us ed.
MSIV Reopened: 0.1 Same as in the turbine trip case. Recovery of FW and 0.01 Same as in the turbine trip case.
- PCS (short term =
30 ' minutes ): Lineup of Condensate 0.1 Probability of operator success to manually - Pumps: or control the condensate pumps within less than 0.2 30 minutes as well as validating connection of CST to hotwell. This is given as 0.1. How-ever, because a condenser problem is the cause - of the shutdown, a 10% probability that the hotwell is involved was added when the conden-ser has failed. Turbine Controls 5.5x10 The unavailability is assumed to be 0.0011 and Bypass Valves or with 0.5 probability of repair. However, if Available Long- 0.5 this system failed in the short term, then it Term: has the 0.5 probability of being repaired in the next 15 hours. . MSIV5 Reopened 0.001 This is the probability that the operator Long-Term: fails to reopen MS!V in 15 hours. Taken from SNPS-PRA event "Z" in the case of the manual shutdown tree. 0.01 If MSIV recovery failed in the short term, it is assumed that the overall failure to recover probability remains 0.001. Therefore a condi-tional probability is given. 152 4
Tabl e ' 5A.3 Functional Level Event Tree for FW and PCS
- Recovery Probability (Manual Shutdown)
(Sheet 1 of 2 Continued) Recovery of 0.036 This is based on the SNPS-PRA consideration Condenser or that 10% of the condenser problems would be Hardware in 0.001 hardware malfunctions which -have a mean time . l Long-Term: to repair of 19 hours . Therefore a recovery factor of 0.36 is used for ,1.0% of the hard-
, ware. The rest is recovered with a probabi,11ty of 0.001.
Recovery of FW 0.001 The probability that the operator fails to and PCS Long-Term recover the systems in 15 -hours during the (before 15 hours): accident. 0.1 Conditional probability given recovery has failed during the short term. FW and PCS 0.004 This is the hardware availability of the PCS Equipment and includes circulating pumps, condensate, Available: air ejector or mechanical vacuum pump, MSIV, instrumentation and control, etc. (see Section 3.3 for PCS unavailability discussion). a e O
+
153 i
~ _ ._ . . - .- - . . . . - ,
e
= c . . . . - . . -
5 4 5 4
.5 - d 5 (
.- f. 5 - . . d.. 5 4
.. f. .a a
,a *s 4'e e .
d l - g . 2 d f8 3 4 4 4 4 4 4 2 r _._ ... ... ..- ... _._ e b : 3 ,g A si , . g . 3 1I , t. .
.s
- s. .
~.
M j' i O. I j::. e s .a
*st a
a a E=- e a a le4 3 Et v *
- II ISI m. m. e
. -ef C$
jJ
, . - . ....._.. .... . .......... ......... .J.......
Isl! t
~
E$ j t M
- M * *
. . ~. .-.. e .
s e. At lsy e Ib 8 E a d. d 5 .
*j=
3 3 si i. 1.- 4 s - =l: u o o E.=a e
, .!.
- 3 i g 1[ .
- El ?-
=
?. 5 5 8'
!'s]s
=
8 4 h 3.3 g- .
,=3 .: -
Ok at"I .
- i a l. f g l
l 1 i e 154
^
~
.. .. . . _ . . . . . - .; --z. . Table 5A.'4 Event Tree Diagram for Sequences Following a Manual Shutdown (Sheet 1 of 2) M3 = 4.3: The SN'PS-PRA assess $d the frequency of manual shutdown based operating experience, and obtained this frequency. It is apparently conservative. BNL used the,same value. P = 2.E-5: The probability of challenging the SRVs is small for a manual shutdown. If challenged, they would require less valves to lift than in the case'of a turbine trip. ~ . 0 = 0.03: This value was developed in Table 5A.3. It represe-:s a case of a condenser problem which required manual shutdown. U = 0.015: The normal value for the U function is 0.01. Here it is assumed by BNL, following the rationale of the PRA, that one time in ten years the HPCI and RCIC both will be unavailable and the plant will be manually shut down. This means once in 43 shutdowns or an addition of 1/185 to the U function given 4.3 shutdowns per ye'ar. X = 8.4E-4: , Same as in turbine trip event tree. V = 6.2E-4: Same as in turbine trip event tree. V = 0.15: Because the manual shutdown is assumed to be caused by troubles in the condenser system, it is assumed that in 5% of the cases the problems will b4 in the hotwell which affects the condensate system. W' = 7.2E-5: This value for W' is obtained when a special case of manual shutdown is assumed, in whicn both RHR loops are unavailable and the plant is manually shut down. The SNPS-PRA estimates . the frequency of such an event to be 2x10 " per manual shut-down. To that a recovery factor of 0.36 is applied for 20 hours repair time. W' = 4.4E-5: The unavailability of RHR with RCIC steam condensing. or 1.1E-4: The unavailability of RHR without RCIC steam condensing. W" = 0.055: Developed by BNL in Table 5A.3. It is the conditional proba-bility of having PCS available given manual shutdown was due to condenser problems. W" = 0.004: PCS unavailability. O 155 i
m..- __ %. . . . . . m __
---a.- -,
SS =
- 3 : ~
s sg Ig51 -
~
a . a,- n e e e m e
- W # $
4 4 4 d a ggi M
*1 *
-. m - v - -
S E E. r. 5 :n j 3' S h bbb h;X E f E E EE 4 y s 5
< =
I E s v v v v 8
'* *d $ $ $ $ j II W *
- _i _i i- i .
33 5 u =5 j3 . vd . a a a F g *5 W " V 1 49 d - 4 d EfC '.."
. .' .' .' A 5 8~ A sh:5 : .
wZu*m &
- 1 8 5 := T. E C ,g
-8 - , f
} m
$cw s a u E
e a o N gd j l '9 5
- j* 4 n= 5 a s 30 8
* *. a w e
S eo g EN E : : 5 II5 "
. a
'Ut f h.
Cl E 3E .- mw k -
= =
r c 2 2 2 2 - oi o d d 2 4 5 l 3 3 3 if o l %% %
- a '
i a a fa .
-*3 SkII ex-
- E e
C . e - a
-f :s so - v h a .
4
~
f il .= i 58 '
~i Su El
- 5 s i
- - }8 - -
E ag I* 156 t
5A.3 MSIV CLOSURE TRANSIENT SA.3.1 Background The SNPS;PRA MSIV closure transient event trees are reviewed here. Con-sidered as MSIV closure transients are only those events in which the MSIV . closure was the initiating event. Cases in which MSIV. failed during the transient are ' dealt with in each. respective transient. The frequency of the initiator, discussed in Section 4.1, is 0.57 per
. year in the BNL review. To that are added the LOOP cases which are recovered early. The major contribution is 0.15x0.53, where 0.63 is the LOOP recovery probability within half an hour (see Table 4.7). Thus, the total frequency of MSIV closure transients is assumed to be 0.67. (For Class II sequences there is a slight' " double counting" because it is also ceveloped in the LOOP event tree).
Some MSIV closure events can be recovered immediately or within half an hour. The recovery probability in the BNL reassessment is evaluated by means of a functional level event tree, as shown in Table SA.S. It is based on the same functional . level event tree structure as in the turbine trip case shown in Table 5A.1., The quantification of that event tree uses the same recovery ' probabilities .shown in the Turbine Trip case. The 0.7 for the early recovery i probability of the MSIV is based on the SNPS responsa to a SNL questions, and is stated to reflect BWR experience.- 4 The results of this functional event tree are the following: (a) For MSIY closure without SORV: Q = 0.4,5: W" = 0.03 (b) For MSIV closure with 2 SORVS: Q = 0.92; W" = 0.018. The values for item (b) are calculated by using the same functional event tree. with 0.9 instead of 0.3 for failure to recover FW before hitting Level 1, which isolates the MSIVs. The two SORVs case is not further developed - because of its small contribution. The case with no 50RVs is shown in Table 5A.6 sheet 2 and the values are explained in sheet 1.
- 5A.3.2 The Results of the BNL Revised Event Tree The revised event tree shewn in Table SA.6 takes all the above considera-tions into account. The results of the BNL reassessment are higher by a factor of 3. A factor of 2 is due to the revised initiator frequency and the other 50% to the increase in 0 function developed in Table SA.S.
As in the case of turbine trip, a common miscalibration of all four level transmitters will result in an increase by a factor of 2.5 above the reported i BNL results if credit for staggered miscalibration procedures is not given. 1 Otherwise, it would constitute only a small fraction of the 8.4x10-8 consic-ered for the "UX" function in Table SA.S. This miscalibration event was
; discussed in Sections 5A.1.4 and 4.3.
i 157
.[
Tabib 5A.5 Functional Level Event Tree Description for FW and PCS ' Recovery Probability (MSIV Closure) (Sheet 1 of 2) . Recovery of FW 0.3 The SNPS-PRA event tree for the MSIV initia-before Level 1: tor uses this value. The basis is given on Page 3-72g and as stated in response #9 to BNL l questions , comes from . operating experience ) with BWRs:, , O.9 With two SORVs there is a' higher rate of level' decrease and a shorter time period to recover FW if HPCI and RCIC fail '(SNPS-PRA). Turbine Controls 0.0011 Same as Table SA.1, but not multiplied by 10, and Bypass ' Valves Available: because initiator event did not occur in this subsystem. MSIVs Remain Open: 1.0 Probability that the MSIVs fail to remain open during the transient. Here it fails and initiates the transient. ; MSIVs Reopened 0.2 Probability that the operator fails to reopen i Short-Term: the MSIVs within 30 minutes. A higher failure probability to recover is. assumed (factor of
- 10) because transient originated in 'this equipment.
Recover of FW 0.01 Same as in Turbine Trip - Table SA.I. and PCS : .. Lineup of Condensate Same as in Turbine Trip - Table SA.1. Pumps: l 1 Turbine Controls 5x10
- See comments to Table SA.1.
and Bypass Valves or Available: 0.5 The probability of recovery in 15 hours is i about 0.5, given system is in failed state. MSIVs Reopened 0.01 Long-Term: SNPS-PRA event tree for MSIV assumes 0.05 for long-term recovery of MSIV. This is because the initiating event originated from this equipment. In the BNL review, a factor of 10 was applied to the MSIV recovery probability used for a Turbine Trip initiator (which is
- 0. 001--s ee Table 5A.1), to account for this potential dependency.
0.05 Conditional probability used for long-term recovery of MSIV given failure to recover in the first 1/2 hr. 158 i
~ _ _ _ _ . _ ...- <- . . . 2-Table 5A.5 Functional Level Event Tree Description for FW and PCS Recovery Probability (MSIV Closure)'
(Sheet 1 of 2 Continued) f Recovery of FW 0.001 Same as in Table SA.I. and PCS: FW and PCS 0.004 This has been assumed- for the long-term Equipment Available: phase. Use is made of the .same value as
- assumed in Turbine Trip,.because the initiator .
did not originate from the PCS. I J . m 159 ' i
d l t
$ttal itsee I 'I MCoutkV t ece uP fu w fu itetaa #4 MSaw MCoview Of instet eE es54V eteeA#m Stiutta WP PCS EQuitietui MMaa m a64T Of CGileN$AIE WP M(FtN M COVERY W Alt tst( d Osa 44 12 - 11 MCOwlRf Ott N pt trt u PCS Seams-Itsee mECoviny tons-Ittees , tous-itass 30 pues g 3 4 3 y 6 a e le i 18 e t
I e i 0.0 I
' g 0.001 '
* . : (2.2E-3) '
0.8
- 1
- 0.9989 *09 0.9 E 0.01 j 0. 0 01 2.2s-5
- 0.i i -
01 -( ' i.0
. i 5.6s-1 l .
OK 10.9 l O'.95 *h
- 5. 3E_it .
O.7 0.2 .i
- 0,M1 1
y , )g,g, j e 0.t : 0.04 ( 7,og 3 CFb o !
+ M *
- 0. % 2.28-6 h MSIV
. 0.9 fo,g 0.* 1
, f 0.0011 . l o,og 3.9C-6
; 0.1 { 0.5
. * ' j,9c_4 1
l I* y \ i M '" A l i.2E.)
- 0.9
, . 0.001 3.0E.1 )
03 i 0 08 > 3.0E-3 i
- 0.1 4. 5E-l.
- 3,7s_l,' h i
1 = 0 - 0.45 T tal = 1. 35E-2 W" = 1.35E-2/D.I.5 ! Table 5A.5 runctional Level Event Tree for the Protability of W and Ics Unavailability Following = 0.03 , a MSIV Closure. Short Ters and Long Tenn Recovery Probabilities.
- Case of No SohVs.
(Sheet 2 of 2) ; !' 1
, . - . ~ . . - . = .. - . _. >
l
. i Table 5A.6 Event' Tree Diagram' for Sequences Following a .
MSIV Closure Initiator . l (Sheet- 1 of 2) Tg = 0.67: Frequency of MSIV closure, which includes the frequency from operating experience as derived in Section 4.1 (Table 4.2) combined with the contribution from LOOP events in which off-site power was recovered early. M = 2.E-3: The probability is assumed to be
' Failure of SRY tb reclose.
the same as in the turbine trip case. The contribution of this sequence is relatively small and 1,s not further deve- , loped. It can be evaluated if event tree similar to Table . SA.2 (sheet 3/3) is developed. , Q = 0.45: Developed on Table SA.5. s U = 0.01: Same as in the t'urbine trip event tree X = 8.4E-4: Same as in the tiurbine trip event tree V = 6.3E-5: Same as in the turbine trip event tree W' = 6.4E-5: Same as in the turbine trip event tree
= 1.1E-4: Sair.e as in the turbine trip event tree ,
W" =.0.004: Same as in the turbine trip event tree ,
= 0.03 : Conditional probability of PCS recovery given it failed in the short term. Developed in Table SA.S. - '
e
, t I
{ I 6 161
- - . - - - . . - -. . .- .. . .~. .. - ._-. - - - - - . - ..._ _ _ _ - - . - - _ _ . . - . . . . _ .. . - . _.
ame I6 Altse Ot e l t- 99et15aati- Daentot CatIL ANI INJtCIItas O Cattfy CONIAlesetsi est AI gu esw At
. CAthmAlta gest sie ettonsAlip P05tWeAll0 Ita(L V Cap 4WNSA16 BC8C Milt CG86 Rf CDet ettp sti Acidt CDei PIM- IN Silass cat 04 Alto DAaen(4 notaset lave have semens. IICl4 DE89st S5m- IfoAv arte PCs suJiclees (Oscat wStes'. PCS Sfgesten ps'f0ut uct as Sataan (rim setCatd549 Alt t u ASAst Agt $ Ava lL Aet t elAISGe ev& 4L Adt t SmitCIt01s Avalgatal pggt $g AgAlt Aglg DES 3GegnicR (Pta lta veg 1psAsesig n
~_.
- ==- r
, c i. e o v. er a
- v. v. vue Se me w..
0.55 _ l l l l i b 1.LS
'03 Tg 3 7E-7 Il '
- 6 l
l ! 0.Lq t.1E 14 I p.0) l
? Qu'W 7.05-8 II e--
ch N l 1.15-L I
" 7 P 03 1.os-8
, , r,Qint II l t i 1.15-h I ' ' y).0) 1.6L1 ! g . 0.1 l r L __ _m 0U s { 00I -
*"3 L
2.7s4 7p'W 5.1s-8 II i o.
- 6. M Y QiN 1.9E-7 ID j 2. L 1 Camil ll.lbh n centribution I nOI 2*IE-b IA '
- t. L 6 Tg 6.7E-7 Transfer
-- I4CA
- TCg 2.E-5 Transfer i AWS
(' Table 54.6 Brent free Diagram for Sequences Following a It31V Closure Initiator. (Sheet 2 of 2) , I ( 4 -m . _ . ., . , .,w . - - - ,...+.w.. ,.- , . - . - - . . . , - . v ..m - , -_ . _
_ c .; m ...-- '
. . . . . . . 4 5A.4 LOSS OF FEEDWATER TRANSIENT 5A.4.1 Background This section reviews the loss of FW transient event trees of the SNPS-PRA. Only those loss of feedwater events that initiated the transient are considered. Not considered are cases in .which this event occurrid subsequent to another initiator such as a turbine trip with Level 8 FW tri.p. Cases in which FW is lost during the transient are dealt within each respective tran-sient.
The frequency of the initiator, discussed in Section 4.1, is 0.13, which is lower than the SNPS-PRA value--estimated to be 0.18. Most . of the 1oss of FW events can, be . recovered in a short' time, as . BWR experience indicates'. This is given credit in the SNPS-PRA event' tree and by BNL. The recovery probability is evaluated in the BNL review by means of a functional level event tree, shown in Table 5A.7. This tree is consistent with trip. the other functional level event trees used for MSIV closure.or turbine The results of this evaluation are as follows: (a) For, loss of FW without SORV: Q = 0.12,.V = 0.25, W" =.0.035. (b) For loss of FW with 2 SORVs: Q = 0. 51, V ' " = 0.30, W" = 0. 03. Values. for Item (b) are calculated by using the same functional level event ' trees, with 0.5 instead of 0.1 for failure to recover FW before hitting Level.1.- The case of two SORVs was not further developed here because of its small contribution. The case with no SORY is shown in Table 5A.8 sheet 2, and the values, used are explained in sheet 1. - 5A.4.2 The Results of the BNL Revised Event Tree The revised event tree shown in Table 5A.8 takes the above background considerations into account. Most of the values are, however, similar to those in the turbine trip case. - to those of the SNPS-PRA. ThisThe results of the re-evaluation are similar is because, based on the functional level , event tree, a similar non-recovery probability to that of the SNPS-PRA is predicted by BNL (0.12 compared to 0.14). The similar Class II results are due to the compensating effects in the BNL assumptions: (1) the dependancy between W" and Q, and (2) the reduction in BNL frequency for the initiating event, and also by the assumption that after recovery of FW, there is no need ~for containment heat removal because all decay heat is transferred to the condenser. , damage This transient frequency. as a whole is a small contributor to the SNPS-PRA core 163 .
* ~~
l l l l Table SA.7 Functional Level Event Tree for the Probability of FW and PCS Unavailability Following Loss of FW Transient: Short-Term and Long-Term Recovery Probabilities (Sheet 1 of 2) Recovery of FW 0.1 BWR operating experience indicates that for before Level 1: about 90% of the loss of FW events, the FW can be recovered. 0.5 With two SORVs, there is a higher rate of level decrease and a shorter time period to recover FW if HPCI and RCIC fail (SNPS-PRA). Turbine Control 0.0011 Same as Table 5A.3. and Bypass Valves Available: MSIVs Remain Open: 0.2 Same as Table 5A.1. MSIVs Reopened: 0.1 Same as Table 5A.1. Recovery of FW 0.01 Same as Table SA.1 if MSIV closes. If the FW and PCS: or is recovered and no subsequent failure occurs, 0.0 no further recovery of PCS is required as in the case of Turbine Trip. Lineup of Condensate: 0.1 Dominated by operator error to align the CST : or to condenser .hotwell. However, when the 0.3 recovery of PCS or FW fails, it is assumed that hardware failures in the PCS exist and a - conditional probability of 0.3 is used to account for a 1/3 probability that this is in the condensate system. Thes e assumptions _ result in an increase in condensate unavail-ability by a f actor of about 2 relative to the case of MSIV closure. The SNPS-PRA also used a factor of 2. Turbine Control 5x10 " Same as Table 5A.3. Long-Term: or 0.5 MSIVs Reopened: 0.001 Same as Table SA.1. - a j l 9 164
- , , - - . . - - , - - - , - . -,s - , . , , . - , , -
o - .. . .; . .' . . : a_c Table SA.7 Functional Level Event Tree for the Probability of FW and PCS Unavailability Following Loss of FW Transient: Short-Term and Long-Term Recovery Probabilities (Sheet 1 of 2 Continued) . Recovery of FW 0.001 Same as in Table SA.I. However, a factor of and PCS: or 10 is applied to increase the probability of 0.3 failure t;o. recover, if FW was not recovered in
. 0.1 the early phase, because it is considered to result from the original initiating -event.
In addition. -dependences were taken into account ':and conditional probabilities were calculated so that the 0.001 recovery proba-l bility will be preserved in all sequences. FW and PCS: 0.'016 Because the transient originated in the PCS system, a factor of 4 was applied to the PCS equipment unavailability used for the Turbine Trip transient.
~
f e e D e l 1 165
n m aa aa ama a meam n U8 5' .O 5 4a 5 jm-d 5 444 5
.. ma5 e4B'da om n
- ~ aa *da saa i Jaas ;
il l 5!2 T 3 T $
- o o o
$ 3 3 o o o e o e o a o
__ __ __ _o _ __ _o_ __ __ __ y
. g .
. II -
.gg a.
8 8 a y g a g
- g o o o -
-- -- __ __ _s s 34
=! 3. ::
I- g554
- s
- - 8 .:
o 8 8 s 4 d d E:' Lj . C Zb I5 5"
-3 3a -
a a- w g , ao M 0 M
,,,,o,:
M w
~
b] z y. 23 2 . t g= - o e. s.3 " 11 .I e , , - , - o o o o o o ~. . s; a8 u. [ag . g a .--- . .
- d 9 9 E!
- e o gg
_. _ . . . . "3 m! jI .
-=
2 a e -
~ 1o ~
o 5 -
. 133 .
..a .
jlg 3
. N g
i . . 3 d d S $
$ 4 W
3Ik" 1 8 a D
. o j'a3; s. = >
e r*E: 3 d o
*T 21~ -
II 166
- ,1
. . .a . 9 . .: . _ - . .-
-- , ;. - - .... .. ;. -. . ..- u .
Table. SA.8 Event Tree Diagram for Sequences Following , a Loss of Feedwater Initiator - (Sheet 1 of 2) Tp = 0.13: . Frequency of l'oss of FW derived from operating experience as explained in Section 4.1 of this report. This is ' 307. smaller than the SNPS-PRA frequency. C = 3.E-5: . Same as in Table SA.2. M = 1.E-6: Same as in Table SA.2. - P = 2.E-3: - Same as in Table SA.2. Q = 0.1~2: Developed in Table SA.7. - s U = 0.01: Same as in Table 5A.2. X = 8.4E-4: Same as in Table 5A.2. - V.'.V" = 6.2E-4: Same as in Table 5A.2. V = 0.25: Developed in Table 5A.7.- It is assumed that part of the initiator frequency is coming from the loss of condensate system. W' = 4.4E-5 Same as in Table 5A.2. or. , 1.1E-4: W" = 0.035: Developed in Table 5A.7. A higher non-recovery probabil-ity for PCS in the long term is assumed for' this initia-tor. l l 167
SS .
==
g3 : = = pg .g 3E{ 5 -
. u .
598- ? ? * *
?" ~a J III 5 83 a $ $ ,4AsIj#*!
a a I
$li- .
a
!- > ? 5
(
- g! (
!. . . 5,
.._. 5,'.s, s s. !
s: 6 g 6 - w
== - == O g g uma = = sum em mem1 ga s,s,ga . , , ,
0
=
3 % j d d d j jW* sic w
-y Ib gS : 5 5 . :
'g2W: !$ ) S
. -a .
s . .
! 7,
~
g
- a
- e b 0
8! s 3
! i 9 e
I
. 5
^
)'N a o g -
a ~. 2: f L Ag i ., Ye< . p I 3 I I g . 4 : S 4 11ea 1=
- ~!
28 6 1 . g -i no . .-
$ 8 E
~
I. d 42 b 4
! . ! =
3 !ag g
.i =.
168 _ , ,. _ . _ -- - _ , ~ . . - ,-
-_. :. .a _
,. - . - . . . . .. q- .z .. .... 2..: ww . -
i 5A.5 ' LOSS OF CONDENSER VACUUM TRANSIENT
- 5A.5.1 Background This is an important initiator because it affec'ts both the ability to provide coolant makeup and long-term containment heat removal. Upon 1-oss of
- condenser, the turbine stop valve will close, the turbine bypass valves will -
be prevented from opening, and reactor scram, feedwater pumps trip, and MSIVs 4 closure will be initiated. The pressure buildup will be relieved through the SRVs to the suppression pool. Upon level 2 the HPCI and RCIC will start to
- maintain level and prevent leve'l 1 MSIV closure and ADS initiation.
l The feedwater is assundd to be not recoverable in this event, until
- . vacuum in the condenser is reestablished. Credit, however, is given to the j
use of the condensate. system for low pressure injection. In the case of loss j of condenser, it is assumed that 5% of the failure of condenser will affect the hotwell water supply'and will fail the condensate system. Because.the PCS is isolated, the suppression pool receives all the decay heat through the SRVs or high pressure inejetion steam turbine exhaust. The , RHR must be initiated within 20 hours, or the PCS reestablished before 15 hours . The probabi.11ty of reestablishing condenser vacuum is assumed to be exponentially distributed with 19 hours mean time to repair. This gives , for
; a 15 hour. repair time, a non-recovery probability of 0.45,:which is used in Table SA.9. This is higher than in the SNPS-PRA, where 23 ~ hours were as-i sumed. However, some calculations a appear to in'dicate that at 17 hours with-out heat removal, the drywell pressure wil.1 reach -60 psi, which can fail the l SRVs. . In addition, the PCS does not cool the suppression ' pool, but only j diverts the decay heat to the condenser. This means that if PCS is initiated j at 23 hours, the drywell may remain at conditiens close to its f ailure condi-i tions for several hours, with substantial probability of failure. BNL chose
- the 15 hours for PCS initiation 'as a success criterion for this containment i heat removal mode. The SNPS-PRA in several other cases also uses 15 hours for PCS initiation rather than the 23 hours used in the case of loss of condenser.
The SNPS-PRA has assumed that only 25% of the cases of loss of condenser I require long repair time because of hardware problems. The other 75% are ! assumed to be easily recoverable within a few hours. BNL used the same value, but did not review it. Table 5A.9 shows that an increase in this number would similarly increase the PCS unavailability for the long-term containment heat removal function, and may increase significantly the Class II contribution. 5A.S.2 The Results of the BNL Revised Event Trees j The revised event trees are given in Table 5A.10. The results of the re-assessment are higher by a factor of 1.5 higher than those of the SNPS-PRA in , both Class I and Class II. Most of the change is due to the 25% increase in
- initiating event frequency (see Section 4.1) and some is due to increased j failure to recover probabilities given in the BNL review for PCS and conden-i sate pumps. The sequences of loss of condenser are major contributors to i Class I and II. They provide about 5% of Class I and 15% of Class II contri-butions to core damage probability. ,
i l i 169 l .
Table SA.9 Functional Level Event Tree for th'e Probability of FW and PCS Unavailability Following a Loss of Condenser Initiator (Sheet 1 of 2)~ Feedwater Remains 0.0 Loss of condenser event results in feedwater On Line: trip. Feedwater Recovered:- 1.0 It i.s, asumed that condenser vacuum is .not -
. recovered within one half hour and the feed-water remains in tripped condition.-
Lineup of Condensate: 0.15 Lossiof condenser does not prevent the conden-sate. system from being realigned or from pro-viding water to the reactor vessel. . The prob-abil.ity of the. operator failure in this task is assumed to be 0.1 because of the short time avaMable and the stress conditions following the loss of high and low pressure injection. An additional 0.05 is put in because it is
~
assumed that 5% of the events of loss of con-denser will involved hotwell unavailablity. PCS Hardware: 0.25 Following the SNPS-PRA assumption, it is assumed that the fraction of condenser related scrams that could lead to a long term hardware problem is 0.25. PCS Recovery: 0.45 Failure to recover hardware problems based on MTTR = 19, and 15 hours available to recover, the PCS. The SNPS-PRA requires opening of MSIV in 15 hours (page 3-99). MSIV cannot be reopened unless condenser vacuum can be re-stored. - 0.01 Failure to recover non-hardware problems because of operator errors. A factor of 10 was applied because the initiator originated from this system. Note that hardware relia-bilicy is included in the above values and therefore is not modeled separately as in the turbine trip-tree. MSIV Reopened 0.001 See Table 5A.1. Long-Term: O 170 4
,as - p- -- -m + w, m n- -- g w- - , -
. . . L.. . :1- .w
* <---~ ~ :- ----- --- ' ~' *~^
- seent tous ascovtav Loms fem ascovm Ll4 UP Fttomargt or PCS PCS x8tv scene n ratomates co m peaft -= Mcov m nacptwo scoute onLl4 AECovtAED sectf TWWI AVAILA$lLifY LQpIS 75130 (0118 TWh8 ,PROBA4lLifY t 2 3 4 I O CK 0.0 ; -
0.001 6 354 0.75 0.01 65-3 0.85
' CK O.55 0.001 1.2E-k
'. 0.1.5 1.0 - 9.6E-2 I OK o.=1 , . ,,4 0.01 1.12-3 0.15 l
- CK t
, 0 55
).001 0.25 2.155 o
l 0 * '"I
, 1.72-2 I
e e Total . 0.12 Q . 1.0 7 . 0.15 'd" . O.12 Table 51 9 Functional Lwel Event free for the Probability of W and P:3 Unwailability Follovir4 a Loss of Condenser Initiator. (Sheet 2 of 2) i 171 t
Table 5A.10 Event Tree Diagram for Sequences Following a loss of Condenser Vacuum . (Sheet 1 of 2) T = 0.5: Frequency of Loss of Condenser in the BNL re-evaluation as C taken from Section 4.1 (Table 4.2). It is slightly higher than in the SNPS-PRA. GE experience apparently shows that recovery is possible in -50% of the cases , but the SNPS-PRA did not provide the data and did not take credit. C = 3.E-5: Same as in turbine trip event tree. M = 1.E-6: Same as in turbine trip event tree. P = 2.E-3: Same as in turbine trip event tree. The contribution of this sequence was evaluated 'and the resulting calculated frequencies for two sequences are shown on the event tree. The contributions are small, but they are an order of magnitude higher than in the SNPS-PRA. U = 0.01: Same as in turbine trip event tree. X = 8.4x10 ": Same as in turbine trip event tree. V'.V = 6.3E-4: Same as in turbine trip event tree. , e v = 0.15i The probability of failure to realign. and control the condensate pumps is assumed to include two contributors: a) 0.1 for human error, as in Table SA.8 or in the turbine trip case.
- 0.05 for a 5% possibility that the loss of condenser is l
b) the result of loss of inventory in the hotwell. . W' = 4.4E-5 Same as in turbine trip event tree. or ' 1.1E-4: W" = 0.12: Developed in the functional level event tree of Table 5A.9. l 1 l e 6 172
.)
_ _ _ . . _ , _ . . . . . _ _ _ - - _ _ . _ _ _ _ _ _ _ . _ , _ . = _ _ . . _ _ . . _ ._ _ _ _ . . . _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ ~m _ . _ - - t
- l k
smale Alm Catte- Met 15tset Cominut C00tami IndClede ConIAlsestat seEAI CALIIt missueat CAttutAl(O [* pest dat - POSfutAIIe' LO5S #EtinsAtta Cests4AIG 3CSC COM Of MCDetMD Tise t T Pter 8m Sitase CatastAtto ensegg , rata usta 5 . savs sese oe- acaC esce AoS CS arcs imMCison caesseins. securect #M oufacy On vaQnes 50tase Orte M C10540 Alitf AWAILASLE ATAIL AEL E list il Allom AWAltat t anMCiles Avall Aes t Plus le PCS M5ssesniet spin as suis InAustin I c se P 0 u* er= a v' v" ***' m' kP i h . l.B 's a.12 l T 2*5 II C k 1.1ble ,
? D'W le.2b7 II i
1.1bl. 0.07 0. M
- N TW 6.6b8 II s.s 1, .
I 1.1E-36 I , p.12 g
- i 1.65-1 0.1
. 0.01 2.75-) 10.12 !
7 Uv'VN 32b7 II T UV le.7b7 ID C o,9 ti .L E-I. TgUK la.2E-6 IA , 2.E-1 ____ __ ___ _._____________________ TP'v v 6.l.E-8 II
' Tc ia a.lsa IA g,gg Tg Transfer ,, ,
LOCA TC ii Transfe r
-{
C ATVS I Tat.l. 54.10 shr.at Tr namer for s.qu.nc.. Mioutas a Lo or cona e v.cuum
. (sh $ 2 or 2) 4 h-1 .
f.~ ,
\
1 .
, 5A.6 INADVERTENT OPEN RELIEF VALVE TRANSIENT (IORV) .
SA.6.1 Background The 10RV event includes aspects of both a transient and a small LOCA. It
. starts like a small LOCA, but discharge is directed to the suppression pool, and ECCS initiation signals may come later chart in the LOCA case. -
In this case, suppression pool temperature will rise until the reactor is 1 scramed (first manually and later automatically). The HPCI and RCIC are ' receiving their lube oil cooling from the coolant flow, and, if suction is taken from the suppression pool, this function would be degraded to some
- extent. However, RCIC suction can remain on CST for almost the entire dura-
- . tion of the transient.
Another difference from other transients is the low availability of FW and PCS for this event. The SNPS-PRA states that BWR experience shows that in most 10RV cases MSIVs closure occurs in .the course of the transient. The PRA model for. this is very conservative, more conservative than that in past BWR-PR As , in contrast with the small LOCA event tree. The assumption in the PRA--that for a case of early reactor shutdown PCS will be available in 15 hours, and for a case of shutdown one hour later it would not be available for i recovery a few hours later--is apparently too conservative, and wat changed in j the BNL reassessment to reflect some probability of recCvery consistent with small LOCA.. I SA.6.2 The Results of the BNL Revised Event Trees
- i' The revised 10RV event trees are given in Table 5A.12. Several changes were made by BNL, as explained above and in Table 5A.12, sheet 1. The BNL results are lower than the SNPS-PRA values because of the additional credit given for FW and PCS in the BNL revised quantification, which balanced the l.
increase in the C' and U functions and the increase in the event f requency. The overall contribution is about 4x10 7 in the BNL review, which is about l half that in the SNPS-PRA. The frecuency of this event is calculated generi- . ! cally to be 0.25 per yeae (see Section 4.1) which apparently overestimates the j expected frequency for Shoreham. This is because it does not consider the i design change made at Shoreham using two stage Target Rock safety relief valves in order to reduce the frequency of 10RV occurrence. As can be seen , from the overall low contribution of this sequence to SNPS core damage ] frequency, the effect of such a frequency change would be relatively small in l terms of core damage frequency. i l I l 1 } \' k . 1 174 i f m ,---g,m ----,.-n,- ----,--v-,-------- ,--,-d --
.,,,,,-,,-~n.,, . - , _ - , _ , , , - - - ,.,,----,w,- -- ----r----,,,-,7,,, n-,,,,,,,,,,,,,,,,--m--,r
~ '~ ~ ~ ~ ~ ~ . - - . . . - .: . c..= .: . . ^~~ .: :* L. '.[ L . . . . . , . . . .
i Table SA.11 Functional Level kvent Tree for the Probability - t of FW and PCS Unavailability Following an IORY
, (For the Case of Timely Manual Content Rod Insertion)
(Sheet 1 of 2) Case 1: Timely Control Rod Insertior: FW Remains FW may remain.on line or fa-l. If it remains on on Line or line, it will be lost late r when MSIVs close.
. Recovery of FW: , Operating experience data indicate that the MSIVs will virtually always close during an IORY !
i event (see SNPS-PRA, page 3-134). The BNL func-tional event tree is based en this premise. Turbine Controls 0.0011 Same as in MSIV closure (Tatte 5A.5). and Bypass Valves Available: - 1 MSIV Remains Open: 1.0 See comment above.
; MSIV_ Reopens 0.1 Same as in the . turbine trip case (Table SA.1).
1 Short-Term: i
} Recovery of FW 0.01 Same as in the turbine trip cise.
i and PCS Short-Term: i l All Other. Same as in the manual shutdown case for long i Headings and term (see Table 5A.3). Quantification: . Case 2: Scram is Delayed
- MSIV Reopened 1.0 Power operation with 10RV is assumed to continue .
. Short-Term: to a point that water level become low and MSIV l closes . The SNPS-PRA assumes that - MSIV would not be reopened in the short term under condi-i tions of 10RV with delayed scram. , f a S l 4 I . I } . i 175 1 i
l
' l
- 1
, l Table 5A.11 Functional Level Event Tree for the Probability of FW and PCS Unavailability Following an IORY For the Case of Timely Manual Control Rod Insertion)
Sheet 1 of 2 Continued) MSIV Reopened 0.1 The SNPS-PRA cons ervat-ively assumed that the Long-Term: MSIV would not be reopened also during the long term. This seems too conservative and difficult
. to explain.- In the c'ses a of 2 SORVs and small , , LOCA, the MSIV is reopened in the, long term.
Successful scram is achieved in 10RV af ter 30 minutes at most, on low level or high drywell pressure. From that time on, the transtant would be similar to the 2 SORVs or small LOCA case. BNL assumed a 0.1 recovery probability to be consistent with small LOCA. This value is higher than in the 2 50RVs case wh'ere 0.001 is assumed; however, in the case of 2 SORVs the
! heat transferred to the suppression pool is 1
small, and more time is available for recovery, so it is, consistent to have higher recovery probability for that case. .j l e g S I l . a i j - 4 ii 'l 5 . 176 ______..____________________.__.__________________________i___.________.________._._________._________________
I l Seemt ithee LonG Itase f-
=Cout T
- t. . t*
fu of fu tamteet esist MCowtay of vesssest as senem Sinutta M 8elsease selly KS igutMatui
- tuttg of Cometas5All S/P , , M(rts MCoutav osa sse L2 - s t atCostaf Ort e Morim #Altas(
K$ SecuMI-Itsese MCowtav toes-itase tesG-Items 10 ause e a 3 . , , , , , se ee 0.0 or f 0 . 0 01, i 0.9 - (3.65 3) -
. e.
09 o,9 , og , 0.01 30001 0.1 3.2b5 o,g 1.0 e 9 . 0 s - 14 0.9 or 0.1 le.0Lle 0.001
- 1.os-le ,
D 08 1.Os-) s M !
! 2.2s 6 0.9 0.5 0.001 0.0011 5.5E 1 0.001 5.5s-7
. t 0.1 0.5
. 5.5s-Is e
Total q = 0.11 a P = 0.02)
- Total 2.5b) i P
f i 0 Table 5A.11 minctional Level prent Tree for the Probattttty or w and tes unavattablitty Following an 10BY. Short asul long Tara Secovery Probabalattee. - (Sheet 2 of 2) , g e ( . 1 i
.* c
,j
- - - - - - - - - - - - - - - - ~ ..- .. .. .-.
Table SA.12 Event Tree Diagram for Seq'uence Following 10RV
. (Sheet 1 of 3)
Tg = 0.25: Taken from Table 4.2. See discussion in Section 4.1. This is three times as high as the SNPS-PRA frequency. It does not consider the Shoreham design change to two. stage Target Rock relief valves, which jould apparently reduce this frequency of occurrence.
. C' = 0.01: Timely manual control rod twtion is a key action in this transient. It is a manual operator action for which several indications and annunciators are available. However, this needs to be completed within a few minutes to prevent sup-pression pool heat up. BNL used a value taken from past PRAs , supported by functional fault trees, rather than the
. unsupported SNPS-PRA value. Furthermore, the BNL value is meant to represent a relatively fast operator response, for which feedwater recovery is possible (see next "Q").
Q = 0.11: This is developed in Table 5A.11. BNL gave credit to recov-ery of feedwater within 30 minutes if manual.. shutdown was completed early. In cases of early shutdown, BNL assumed that this transient would be similar to small LOCA or turbine trip with 2 SORVs. Q = 1.0: For late shutdown, it is assumed, as in the SNpS-PRA quanti-fication, that no recovery of MSIV will be successful in the early time f rame. Operation at full power for some time before shutdown requires immediate injection after reactor
. tripped. Operating experience indicates that MSIV would almost always be closed, and therefore the grace time for recovery of FW would be significantly less than' the 30 minutes assumed in the turbine trip transient.
~
U = 0.01: For early shutdown the normal value is used. 0.036: When shutdown is completed later, the suppress 1'on pool teg-erature is assumed to be above 140*F with some impact on HPCI availability (0.3 assumed). For RCIC, however, if the opera-tor does not transfer RCIC to suppression pool suction (0.05 for operator error) then normal availability can be assumed as long as suction centinues from CST. (RCIC = 0.07 + 0.05). X V, W': Same as in turbine trip event tree (see Table 5A.2). W" = 0.023: This is explained in the functional level event tree of Table SA.11 for the case of early shutdown. 178 l
. . ..-.1--. , .: . .. . '~'. . ..;. . 1 i
l i Table SA.12- Event Tree Diagram for Sequence Following IORY (Sheet 1 of 3 Continued) W" = 0.1: For late shutdown, BNL used a probability of 0.1 for PCS mainly because of failure to recover the MSIVs. This is made consistent with the small and medium LOCA event tree diagram (Appendix C). The SNPS-PRA assumption of no recovery in several hours is apparently too conservative if reactor shut-i down is assumed to be completed in the first hour, before -t
, suppression pool temperature exceeds 200*F. .
I
\ .
O a j . . 1 O , a 1 9 9 O 179
. 'v& _ O emse w eek GD N '-
e e 6
- .siii.]
i i
=
= -
=4 =.
Rg i . . t h N I h k 3i . a a w w e e n
. t II = .
a c 6- . 5550 cre y 4 W g M A M M P I. U ' I. E. y[ 3I _a a6 _aU. .a _a 3 3 3 v .
.e b I 5-!
b *3
- b k
5 mens mamm name amma muu seu , men - %, 4 i ,g . 111"11= i m
.a.
l _2 a o i A , - s e g aj s 3* t g I I $ -
. . 1 l'I :!
.tvil i
=
1 vag .. w a - . j i[ _s 1:I n .
~
C , .
=
f 0 or * = 98 E I . d m lig. -
.lii!
4C
. al I
'E g
flj 5 L i e
- a O
, - 3 a
ij I 2 g l* - g _ O f 6 180
- .TL -
~ . . . . .. .= T, . . .: .- . -.. . . . - _ = .. : ..:--.
a a; 3
!!Ij3:n1 : : : 2 2 og I
.G I 9 * *
- 83.a 31e . d.
( w . 4 a3 I m . ,. I II gl ' 3
?
ak e i zg 8 6 . 6 L 6 - -
# # e" g g
r E . .
.F.
j
. . . 3
~l sa su.g,3 i i i i i j j
i a a a a 5 i gi3*s 4 e a a c - - I 8 i s ts . 5 E l5Ila5 . f
- 2. 3
)
si 5 .
), a-(>. A.
I >tum, ' 4 I
! 3: E )
4 1 1 . 3 3 j ac
'. gal * ..
i - jvtj . - D
-33}
s f . b'. g .
.s g: 6 2
a i e .
- e o M
I d b W3 2 d I a y
~
I g $- ". -
- .,g: .
5 - i 5 d i 1
- g$ig & M N
g - i I 5 ':I l g :I 0 i
\
~g l _
i 8 I i 2
- 8y= -
! "a i
I I i 181 i
APPENDIX 58 - LOSS OF OFFSITE POWER WITH SUCCESSFUL SCRAM BNL's review of the contribution of Loss of Offsite Power (LOOP) initia-tor to the SNPS frequency of core damage is based mainly on Section 3.4.1.6 in the SNPS-PRA. The LOOP transient is important in the Shoreham PRA because of its high , , contribution to the frequency of core damage. This is due to of the loss of PCS when LOOP occurs and loss of other frontline systems with the failure of diesels to start or run. The SNPS-PRA analyzed the sequences following LOOP with- subsequent loss of diesel generators (blackout) in great detail using four time phases , each assuming blackout conditions not recovered at its start. Phase 1 = 0-2 hours: HPCI and RCIC essentially have their normal relia-bility. Manual ADS is required if HPCI and RCIC fails and diesels are. not recovered. The depressurization will allow the use of LPCI with the third diesel train. Suppression pool level and temperature are close to normal. Phase II = 2-4 hours: Battery is designed to supply DC power for two hours. When operator is successful in shedding out auxiliary loads from the DC power system. the batteries will easily supply the power for this phase. However, HPCI consumes more DC power than RCIC, and therefore two branches for HPCI are modeled:
. HPCI. operates from beginning of transient - higher failure proba-bility of batteries. ,
. HPCI operates only part of Phase II.
At this phase, a switchover of HPCI to suppression pool suction will , occur on high suppression pool level. The suppression pool temperature exceeds 140*F at about 2 hours, which is the design tempe ature of lube oil for HPCI and RCIC. This is more of a problem for HPCI than for RCIC because RCIC can remain or can be returned to CST suction. The drywell temperature is at -300*F from the beginning of this phase. The design of the systems, however, provides sufficient margin to operate reliably during this phase and, in general, failure rates are only moderately above normal. I Phase !!! = 4-10 hours: The probability of battery failure increases significantly during this phase. Suppression pool temperature exceeds 200*F and may reach 240*F toward the end of this phase. The sustained high temperature in the drywell may degrade the SRVs' solenold valves and is assumed to result in the failure of ADS in Phase IV if depressuriza. tion is not completed in Phase !!!. If HPCI started to provide injection before this phase, it is assumed not to survive this phase because of DC depletion and lube oil deterioration. 182 4
.. . . . . . _ _ _ . . .. a- ~- .s . - _ : a. _. However, 'if RCIC operated successfully to Phase III and failed only during this phase, it'is assumed that HPCI will be able to complete tnis pnase suc-cessfully. In general, in tnis phase, higner than normal f ailure rates for these frontline systems are assumed. Phase IV = 10-24 hours: It is assumed in the BNL review, as in previous BWR-PRAs, that batteries will be depleted during this time. The SNPS-PRA claims small probability for failures of the batteries anc possible suc-cessful operation of RCIC for the entire time phase. In addition, at times longer than 10 hours the probability of isolation of the RC.C/HPCI I steam line, due to high area temperatures may become high because .of the long time without secondary containment' cooling,w ' nile in the drywell and the suppression pool the temperatures exceed 250*F, causing a significant amount of heat to be transferred to the secondary containment. ' , The control room indicators and recorders of the reactor water levels are supplied from. RPS and instrumentation buses wnien have no DC backup. There is apparently one narrow range N0048 instrument tnat is connected to a vital AC bus inverter. Thus, the blackout conditions (even in the case that DC power is available) may result in tne loss of level information in tne control room. The HPCI in particular and the RCIC systems require level info'rmation for tneir control to prevent level 8 trips. The startup reliability of HPCI and RCIC on subsequent starts is relatively low. Thus, BNL judged that the - - f ailure of the t'njection function during a plackout situation would be about L = 0.05, which makes the sequence TE I O L one'of the most important single sequences of the SNPS. This event is furtner discussed,and the quantification explained, in Appendix SF, where the level instrumentation is reviewed. The event is presented in the SNPS-PRA (Figure 3.4-52). The frequency of the LOOP initiator in the BNL review is 0.15, and it is based on NSAC/80 data as explained in Section 4.1.3 of tnis report. The SNPS-PRA LOOP frequency is 0.083.
. The time phased event trees used by the SNPS-PRA for each of the aoove time phases were found to be very effective in providing a more detailed and realistic evaluation of the LOOP sequences. However, SNPS used the time phase -
event trees essentially only for the injection pnase. For tne containment neat renoval pnase it used tne MSIV closure single-time phase event tree. BNL modeled the containment heat removal function on its Phate ! event tree and found a significant contribution to Class 11 from the LOOP event, wnien was underestimated .in the SNPS approach. This contribution is from a LOOP that is not recovered before 15 hours (-3%), with recovery of diesel generators fol-lowed by their failure to run for the entire decay heat removal mission time. TheTE IV W sequence is the most important to Class II. BNL's results for cne LOOP initiator are significantly nigner than those in the SNPS-PRA. These sequences were found to be the most important for Class I states in the SNPS-PRA (PRA page 359). The BNL results are three times as hign for Class I and about 1.5 times as hign for C, lass II. The main reasons for these differences were discussed above and can be seen from the ! event tree diagrams in' Table 58.1. They are summarized in tne following list: 183
a) Loss of all AC could cause loss of water level instrument indications in control room. This can lead to less successful operation of high pressure injections. which require level information for their control. b) BNL LOOP initiator frequency is twice as high as SNPS-PRA frequency. c) BNL increased the batteries' failure probabilities for Phases III and IV relative to those in the SNPS-PRA. , d) In the review a Class 11 sequence is added for unrecovered LOOP, with f ailure of diesels to run and supply AC power-to RHR. 4 9 9
- t 6
?
e f 9 4 184
j**=***-
, m.
- ~ ~~
. ~. 6' ..sg...
~ - - - - -
{ . i - i I . j . Table 58.1 LOOP Event Tree Diagram Phase 'I (0-2 Hours') (Sheet 1 of 5) ; j Values for Sheet 2 of 5 i The probability of LOOP occurrence was discus' sed in Section TE = 0.15: 4.1.3 and shown in Table 4.6. The same data base used in ! deriving the above frequency was also used to generate the -
. LOOP recovery times, which were slightly different from those of the.SNPS-PRA (see , Table 4.7 in Section 4).
j I = 0.37: Offsite power recovery within 30 minutes. The value is de-
; rived f rom Table 4.7. The recovery probabilities in the BNL l review are somewhat larger in the short term.
i - i* 0 = 3.6E-3: Appendix A.5.~of the SNPS-PRA provides the data and basis for this diesel generator failure: probability. These data are discussed in Section 4.2.2 of 'the 8NL review. The data are 1 derived from evaluation of LERs. Even though the data base i does not go beyond 1978, it is significant and appr.opriate. i BNL used basically the same values for D. in the following l l . way: , l 1 . ] D = 0.02x0.19x0.95 = 3.6E-3. 1 i The first two numbers are from Appendix A.5 (0.02 = single I diesel failure to start and run; 0.19 = conditional j probability P(2 1]). The 0.95 value was used for DG non- , i recovery within 30 minutes. It is from another 8WR-PRA ; { review", because the basis for the 0.88 'value 'used in the . -
, SNPS-PRA is unexplained. Note that recovery of diesel gen-erator or offsite power is considered successful if only a single diesel or a single offsite 1.ine becomes available.
i This results in a small and insignificant underestimation of . failure to run probabilities because, in a fraction of the l cases, one train will be available. U' = 8.E-2 or These values are used for the RCIC system the same way as in j 7.E-2: the SNPS-PRA. The additional 0.01 in the first case is ! U" = 0.11 or included to take into account the possibility of the
- 0.1 Division I battery failing during the first two hours of
! RCIC operation. Similarly, 1.1E-1 and 1.F-1 are used for
- HPCI, with the 0.01 added for the possibility of Division II
- battery failure during the first two hour period. The value
! U = 1.1E-2 seems to account reasonably for a possible CMF of ! both Division I and II batteries and was used without change
! in the. BNL reassessment. '
4 1 j 185 ; i!
-e.-w,--v.-,,,,- ---tww-.y,wvm--,-,,9 y----- ---3..w-my,yv,.i--y--yp..
v .%., wyrww.4+=mm. f w _., m cw-ww--*,e, yy , %w- ,m w - w w-,.ew y,wey-=-,,,,y,- w -v-v w
. - .. . .- - - . . - .. ..- . ;_-~.
. l
- I i Table 58.1 LOOP Event , Tree Diagram Phase I (0-2 Hours) .
i. (Sheet 1 of 5 Continued) l
! Values for Sheet 2 of 5 (Continued)
- i X = 0.02: A timely ADS failure probability of 0.02 is used in the j SNPS-PRA to account for operator failure to initiate AOS manually when injection has failed and automatic ADS ,
j initiation is unavailable because of blackout conditions.
. The same value was used in the SNL review.
I V = 2.E-3: The value V' = 2Eb3 combines the availability of the low l pressure systems (6.3E-4) with the failure of the diesel
! . generator to run.during the next '10 to 20 hours (-1.E-3) .
1 . ! V = 0.63: The value .V =. 0. 6 3 is taken from Appendix A.5 of the j SNPS-PRA with no change (see discussion in Section 4.2.2). i This is the. conditional availability of tna Division III diesel generator, given f ailure of Divisions I and II, which ! can drive one of the LPCI pumps. q 1 IV = 0.08: Containment heat removal availability is dependent on tne j avail &bility 'of offsite power. The SNPS-PRA considered that , i , offsite power will be recovered before 15 hours a'nd trans-i ferrod all successful injection cases to ' the.MSIV closure l event tree. SNL included explicitly the conditional proba-Jl bility of. the recovery of offsite power given it was not recovered in half an hour. This is (1-0.97)/0.37 or 0.08. l W' = 3.1E-4: In the case that offsite power is recovered (= 0.08) , the PCS becomes unavailable and only,not the RHR can De utilized l from onsite AC power. The RHR failure probability is tnen 4 dominated by the failure to run probability of the l diesels. It is estimated that three hours of RHR operation ' i would be sufficient to delay ~ containment failure for many hours so that offsite power will be recovered earlier. Fo r i~ a mission time of three hours (say between 15 and 18 hours aft'er the LOOP), BNL obtained 0.0024x3(hours)x0.19x0.23x0.63
= 2.0x10-4 To that was edaad the RHR unavailability of ; 1.1E-4. - !
I i
, Phase II (2-4 Hours)
! Values for Sheet 3 of 5 1 T: Transfer-in from Phase 1. Two were employed: E (1) From RCIC success = 1.8E-4; 1' (2) From HPCI success = 1.6E-5.
! 11 = 0.51: Conditional probability 'of recovering offsite power at 2 !
hours, given f ailur's to recover it at 0.b hours. This is l I O.51 (see Table *4.7 of this review). ' l 186 1
- ,,--..~,e -.-m. ----,,-w.--,- .-,--.m.,,n.. . , . . , - . , . , . . , , , _ , . . _
__~
- :. ----a ~- '- *'
,_.c..,_.,
e l i j' Table 58.1 LOOP E' vent Tree Diagram Phase II (2-4 Hours) (Sheet 1 of 5 Continued) ' Values for Sheet 3 of 5 (Continued) ! 0 = 0.69: Conditional probability of recoveriag. diesel generators of Division I or II at 2 nours, given failure to do so at 0.5 l hours. This is 0.69 (wnich brings the value back toward the SNPS cumulative value of 0.66 given in Table A.5-8 of the '
. . .SNP,S-PRA).
! U' = 0.1: The SNPS-PRA judgment was that the RCIC conditional f ailure ' probability during this phase would be 0.05 to account for i the following possibilities:
! . Batteries deple't ed as a result of unanticipated drain.
The batteries are designed to provide power for 2 hours.
! Additional time' can be obtained only if operator is suc- < cessful in removing a sufficient number of loads from the DC buses.
- 1 U' = 0.1: . At .=1.6 houis 'the suppression pool t'emperature reache's 140*F, wnich exceeds the design lube oil cooler inlet temperature. This is a problem, aowever, only if RCIC is l transferred from CST to suppression pool suction (low probability).
1 . At =2.5 hours suppression pool water level exceeds the l high level automatic switchover set point for RCIC. RCIC { , would generally' be kept on the CST, but it requir's e oper- ,_ j ator intervention. l BNL considered that these events with higher probability l will cause RCIC failure, and a value of0.1 was used in the ~ BNL assessment. .l U" = 0.22: Two separate cases have to be considered: the HPCI failure 3 pro 0 ability given either successful operation or failure I of RCIC in Phase I. The values given in tne SNPS-PRA were l used in both cases. The value of 0.22 ' for the first case j was chcsen to account for the following considerations: , . . At =1.6 nours a suppression pool temperature of 140*F
; will be reached, which is the design temperature of HPCI lube oil.
. . At 2.5 hours an. automatic switchover of HPCI to suppression pool may be. expected. This cannot be easily bypassed.
. The potential for accumulation of water in the HPCI steam line during standby in Phase I. .
! 187 l
n; - = .: ---...- _.-. - - . . . . . . . - l e
. Table 58.1 LOOP Event' Tree Diagram Phase II (2-4 hours) ,
(Sheet 1 of 5 Continued) Values for Sheet 3 of 5 (Continued)
. The start of HPCI has a significant DC power consumption.
U" = 0.3: The value of 0.3 for the second subtree was chosen to account for the above, and for the additional consideration
. . that HPCI operation. from the initiation of the. accident has a larger potential for draining the batteries because of the higher consumption of DC power required by HPCI operation.
X = 0.02 Two value's are used on the SNPS event tree. Both are used or in the BNL assessment. Depressurization is assumed to be
= 0.1: . required by procedures down to 150 psi, so that HPCI and RCIC can still be in operation if.offsite or diesel power is
. not recovered. The value of 0.02 is the probability for the operator error in failing to depressurize the reactor manua-11y following failure of high pressure injection systems, or 1 in failing to follow depressurization procedures when the .
suppressicn pool heats up. The automatic , initiation requires AC power, because automatic ADS is conditional upon the running of one LPCI or LPCS pump. The value of 0.1 is the probability for operator error in not performing an ear?y depressurization of the reactor when high pressure i injection is successful. This early depressurization is i needed because it is considered that deteriorating environ-i mental conditions in the drywell will at later times degrade l the 'SRVs ' solenoid valves and prevent depressurization -
, needed at about 10 hours, when the battery may be expected to fail.
V = 0.63: This is the contribution of the Division !!! diesel and bat- . teries, which can be used to drive one of the low pressure
- injection pumps. The SNPS-PRA used a value of 0.56. BNL used, for consistency, the value 0.63, which is used in most other cases in the PRA, and is justified in Section 4.2.2.
1 i Values for Sheet 4 of 5 III = 0.63: Recovery of offsite power for this phase. See Table 4.7. 0 = 0.71: Recovery of OGs, which is taken from the SNPS-PRA (Appendix A.5). U'; U": The probability of RCIC failure during this phase is high because of the factors listed above (see Phase II) and the i following: 188 i
. .__m.,_m.._-_y _. - _ . . . - ,
~ ~ ~ ' - ~ ~
'=
6 ,~m.. _ _ _ . _.._.m . -
, _ _ ._ __.. a.c.w. .. . . :.m.i i
Table 58.1 LOOP Event' Tree Diagram' Phase III A or II C (4-10 Hours) (Sheet ,1 of 5 Continued) 1 Values for Sheet 4 of 5 (Continued)
! . The probability of battery depletion is higher because of i the design life, which is less than 10 hours of opera .
tion. -
- . HPCI/RCIC steam line isolation may be caused by high -
j temperature as a result of having insufficient area cool-
, ing and by steam leaks and radiative heat transfer from the suppression pool walls. This could be a significant
- problem between 6 and 13 hours after the accident initia-
! tion. A value of 0.25 for RCIC is used in the SNPS-PRA and in the BNL assessment. For HPCI a value of 0.3 'is i used if RCIC operated for the first 4 hours successful-
. ly. However, the SNPS-PRA assumed a failure of HPCI is Phase III if it was running from Phase II throughout
, , Phase III. A CMF of both HPCI and RCIC due to battery depletion is added in the BNL assessment. Its value is
- assumed to be 507,of the RCIC failure probability used in l,
the SNPS-PRA (0.13). X' = 0.2 or 0.3: Maintaining the reactor -in a depressurized condition is j required in case of high pressure. injection failure. OC . power is required for SRV operation. The failure of the i batteries , assumed by BNL to' be 0.13, would be a CMF for
. this function as well. However, when HPCI failsi in Phase III C after operating since Phase '!I, a higher AOS failure probability is used, because the failure of HPCI is caused largely by depletion of the battery due to longer use of the HPCI system. .
t } X' = 0.3 or 0.4: The difference between Phases III B or III O and III A or
- III C is due to the' judgment made in the SNPS-PRA (page j 3-116) that failure to depressurize the reactor in a period i
longer-than 2 hours would lead to the following: i a) Accelerated environmental degradation of the solenoid
- valves in the drywell preventing long-term depressuriza-l tion.
l b) Dynamic oscillation during late blowdown when high l suppression pool temperatures prevail. l O i . l 1 , 189
___.;. . m: w_ ..;.: _
' Table 58.1 LOOP Event Tree Diagram Ph'ase III A or III C (4-10 Hours)
(Sheet 1 of 5 Continued) . l Values for Sheet.4 of 5 (Continued) It was taken into account in the SNPS-PRA by increasing "X" i by a factor of 2. In 'the BNL Phase III B and III O sequences, a higher probability of failure was assigned to
. - . .the "X" . function, i.e., 0.4 rather than the 0.3 used in i . Phases III A and III C. However, in the BNL model the f oss of battery is the main factor affecting the results, and not the quantification of the ADS degradation.
. UX = 0.13: A CMF of 0.13 is assumed 'in the BNL . assessment. .This is , J chosen t.o' be 507, of the RCIC failure rate. The choice is of the failure proba-based bility of on RCIC, the HPCI, premise andthat ADS a results large part,from the depletion of the Division I and II batteries up to 10 hours af ter the ac-- cident started. An assumption of a probability.of 0.13 for loss of DC within the period from 4 to 10 hours seems rea . sonable, and is consistent with the assumption that all DC will be lost in the subsequent time per;iod between 10 and 20 hours . V = 0.63: ' The value for Division III LPCI operation is taken to be O.63 because of the dependencies between diesel generator j systems (see Section 4.2.2). 1 .
. Values for Sheet 5 of 5 U = 1.0: BNL gave no credit for RCIC or HPCI after 10 hours. This is based on the SNPS-PRA arguments (pages 3-114 to 3-130) and -
is consistent with other BWR-PRAs and their reviews, which ; assumed loss of batteries before 10 hours if no AC recovery
- was successful. In addition, the SNPS-PRA argues that the l l RCIC high turbine exhaust pressure . trip (40 psi or 26 psi above normal) would be reached at approximately 14 hours , !
and, similarly, that HPCI/RCIC steam line isolation may be caused by high area temperature (with no area cooling) be-fore 13 hours. Therefora, BNL assumed that, if AC power is not recovered at 10 hours, then a core damage state would be I reached. BNL did not distinguish between Phases III - IV E J and Phase IV as was done in. the SNPS-PRA, and combined them
- into one single Phase IV sequence.
X = 1.0: In the BNL assessment the probability of maintaining depres-surization after 10 hours was assumed to be 1.0, not 0.95.
- i i
1
- 190 I
__,~.__.__r_ _ _ . . . . . , _ ~ _ . . _ _ . . . - - . . - . - - _ . . , _ _ _ . _ . . _ , . . . , _ _ . - _ ~ _ _ . . _ . _ . . _ . _ ~ . _ . _ . . . _ - . _ _ , , , . . - _ , . _ . . . . . , . . _ . - _ . _
~ ' ~
~
_ _ . . .. ,.,. s _.
- l l
Table 58.1 LOOP Event Tree Diagram. Phase IV (10-24 Hours) (Sheet 1 of 5 Continued) Values for Sheet 5 of 5 (Continued) W' = 3.1E-4': 'hmen offsite power is hot recovered within 15 hours, only the RHR is available for containment heat removal. However, its reliability to complete'.a mission time of 3 hours (the period from 15 to 18 hours) is basically the reliability of the diesel generators, gi,ven by i 0.0024x3x0.19x0.23x0.63 = 2.0x10-4, where
. failure to run probability = 0.0024/hr,
. mission time = 3 hrs, ,
CMF failure of second diesel P(2 1) = 0.19,
. non-recovery probability of diesels within 8 hrs = 0.23,
- and
. failure probability of Division III train given Division I and II failed = 0.63.
To the 2.0E-4, the RHR unreliability of 1.1E-4 is added, to result'in 3.1E-4. , ,, P 191 -~ _ _ .__ _. . . _ . . _ _ -. , . _ .
t$ s o - y$ : : 0 0 afl 5)s El 3
!*WEi .y e a a-2y,.
. - ., m a x .= ,a .e y ,a -
- h. Q.
.n r. . .- . ..s4- . - .= -
I 5 2 7 1j 4 E g g 3 I E ~al au 2
~
c
*% ;). 2l2%%%
3 t
. 4 i E't l
; i "
1 II 58 8 v =i si3 .= *
- l
}
3
- 5. Iva -
- Es 3 a
l- $. .
=
* * -- a 3 -
z.ug , g. m
*53.g 2 ~
3 3
*, ,3 g x - d ,
s .
-e . '.
~
*2 a!G L
- s
--1 t- .
w e
. l e
)
,' *a
=g. - I .4
! 55=!
a
. 3 ej s -
i *
==
. i O jdG I-
- i II:-
" g i ge.
g s 8 s : j" .. i;= s - l = -
- H1 I d 3 5 d
l
, o . .
2 5 *
" l 3 35 22 e l
- d E 4 jf 3, -
e
.. . . ....'7 -
In:s:ia 2
. .:n a A a e - R 9 ~
3 .3au.! * . am n - s
~
'5 l w l' bha E 8 -
G f R j l E
. d
- j e h
-l I ig =
- n a
i a
- 3 j*f $ " m d
4 a 3=w %
.2 s2 4
$5W ""
i 192 4 4
- - - , -y .- ,
. - . .. . . . _ _.s. -
. 2. 3,,, u . . . , _ g . _ ,, _ _ ,, _
e 4
== 5 2 M 2 S 3
~; G '* " .
d
#5 1 : : : : 2 $
j 5l ., g , ,, g 9 ; ,; ;y $ g ;
~
dd'd225$ ,
$d2d$ -
.g e i A > m *A m m e d 4 5Em NN? Y. $$$ ' aa;aa $$$$$
5!E - * * * ; +- 4
. . .- , g .
g! a 2 R R R R o EE II
!! : : : : : : 2 : : : :
35 c r e s *; es>&r ,
=
l > 2
',; 1 l
} <
8 3 .5. M . s "It }
- n e I
w ,2
. j a
h5 1
- '8 fi 5 g a' '-..
o t e, y e, io Q e 3
,e u -- -- - +- ,~
! Ed
** *f W
s inn l I = a 5 A e'
.7 .a e
f, ** e
!p3 g3:
E b , I C c li.j - 4
. = [
x
- 5 $
d J , BD - 5 g3e$
.a,- y 3 - 1.
. 2
*8 % V.'
e d a 8 5
), m Y
- s. -
s w
-e u .-
. t. : .
s i 1 t. 4 ( d 193 i
a e e i paalman C00l *W8 ==A8888' Ctait er PHmM tot stumtat stCoutWW li t'Es tenAlle su ct to efe66M sh astet taae t Lee CaLCamast0 CoM = suwas- ease s a to acec este senes sun- pod sses seesats entenarv , emewd samune aseessas at e a==ms. mameser. minasem statsue , sea.ctson ansesnase arts as 1st en . __ vaandste g ere a, m' F k' 8
~
ti.2WS 5.8E-6 o,g g 7,III b 1.95-$ Neo IF 0.7% Tg III F h.46 . Nee H
- Ftiene III A l Tg II! DB 6.leb7 N eo IV Itaase III B
- 0.) TEIII BUV 1.18-6 Class I 3 Tg III DUE 3 35-6 Clase I 3 w
0.) e 0.33 SD 8.0E-6 b 5.95-7 y' - 0.6) . ? III B 1.5-6 N ea IV I E gag 10 'I T ,III BV 1.75-6 Class I 3 03 TE III M 1.25-6 0.no Class I B Ft.ame III C III As Pressurizal an! leCIC availablo III Ba Ihpressurized. ICIC available. It.ase III D III C Pressariatal asal ICIC unwallable. III Da Ihpa===1:est, ICIC unavailable. 4 Table 53.s Ts.e Nes prent Tsee DIsaram for ta0P Ini atos, N eo III = 1.-10 liours (Shee't le of 5) . . i
- 4 e .
O
==. . .. .'.'.C E' - _,L,%, _ a e e O n! -
=
siils s C[-a *
- u o y
4
-3~i :
W e w 2 b*. $ e b n 5s.E 4 4 g
.I D 2
M 3 M
$.I
& > *g Q-w 3
hme g~2-T .4 j- **il~ . "
~
zlt* a s3 0H dia . - gg:.l . +
.- - S i "
O C
=.;
l=
**y i
. =
a Q v. d 8 : e a
~
e" I k 1 1 1 I O l l 195 l l s:
*1 l
o . _. _ . _ _ . . . . . l
~
APPENDIX 5C
, LOSS OF COOLANT ACCIDENTS BNL's review of the contribution of Loss of Cool'nta Accident (LOCA) initiators to the SNPS frequency of core damage is based mainly o'n Section 3.4.2.of the SNPS-PRA and on Appendices A.1, A.2, and F. l 1
LOCAs are not important contributors ' to core. damage frequencies. How- ! ever, their consequences are considered to be greater than those of Class I core damage sequences and therefore their impact on risk might be higher than
- ' reflected by the frequencies sumarized in this appendix.; -
The LOCA sequences analyzed are separated into two groups: a) LOCA inside drywell (Large, Medium, Small and'RPV failure) b) LOCA outside containment (mainly large LOCA in steam lines , water lines, and interfacing system LOCA). i The frequency of group (b) is less than that of group (a), but their consequences are larger because these sequences bypass the primary containment system (drywell and suppression pool). Thus group (b) events, though having lower frequency, are more important with respect to the SNPS risk than group (a). ~ SC.1 LOCA INSIDE DRYWELL l 5C.1.1 Background ! The SNPS-PRA approach is very much similar to the RSS-8WR approach and event trees. Two types of. breaks are considered, steam line break and recir-culation line brtA. There are differences between the behavior of the reac-tor vessel pressure. and level in the two cases, but both cases can be treated by the same event tree modeling because the differences are in most cases small compared with the impact of the low pressure injection, which in both ~ cases starts within 1 minute after the assumed break, and pumps water in larger amounts than are required to fill the vessel. The SNPS-PRA chose to model the case of a recirculation line break. It assumes that the line break would render one train of LPCI unavailable. This is -modeled on tha fault tree, but has a very small effect because low pressure injection is governed by CNF (see Section 3.3.2.7), and the unavailability of one train is not important. The amount of credit given to rCS is the main difference between the BNL - I and SNPS-PRA analyses. In the large LOCA case, the SNPS-PRA gives no credit to FW and to PCS even in the long term because of the possibility for radia-tion isolation of the drywell (MSIV closure). Credit is given only to the condensate pump for injection (even if PCS is unavailable). The value of 0.2 is not explained. BNL uses the same 0.2 for the following reasons: a) The condensate pumps wil.1 remain operating, and will inject -20000 Opm into the RPV automatically when pressure becomes low as a result . 196
1 .. b - da - - l of blowdown. However, at this flow rate the hatwell water inventory will be exhausted in several minutes b). Therefore, the ceprator is required to control manually the conden- . sate injection to maintain both RPV level and hotwell inventory. c). The operator will have to replenish water to the hotwell if he failed to control condensate flow in time. Automatic water supply to hot-well from CST 1.s limited to about 1000 gpm12, and therefore the operator must take centrol of condensate flow. In the case of- a large LOCA, the 1000 gpm makeup to the condenser hotwell may not be sufficient for all large breaks. It is assumed that for all cases of breaks at an elevation higher than the core, so that steam only will be dischar_ged through the break, the above makeup rate will be sufficient. A
' flow rate of 500 gpm would be sufficient to remove decay heat by steaming.
However, when more than 500 gpm of injection water would be discharged through the break, the makeup of 1000 gpm may become insufficient. Based on some crude estimations, BNL judged that break sizes larger than 10" in diameter may require injection flow larger than the makeup to condenser can provide. ' Assuming that 50% of the large LOCA breaks would be in this category, we obtain 50% of the breaks: successful condensate injection = 0.2 50% of the breaks: unsuccessful condensate injection = 1.0
~
Thus, a value of 0.6 was used by BNL for large LOCA. ~ In the case of a medium LOCA, FW is still assumed unavailable because of MSIV closure on low level or low pressure '.1 the.RPV. More credit is, given for condensate because a flow. rate of 1000 gear may be sufficient in all cases . In this case credit is given for PCS recovery in the long term, i because no radiation from fuel failure is expected. In the case of a small LOCA, credit is given for FW short-term recovery;
~
however, PCS and condensate are treated the same as in a medium LOCA in the SNPS-PRA. .This was slighty changed in the BNL reevaluation, which treated small LOCAs the same way as the IORY transient for the case of early scram (Tables SA.11 and 5A.12). i
=
l 197 i
- ,, w ex -- .--.--,,wway----% s
- e. --r-w c r-- - - re-+g=w. -p--w-- v-n --
=-,-,,--y--ww-w *v-
si as u o o,o a - o .o o u j $l : : : 33333 : 33333
. o . ---.o .
II.; 4 I sa
- i* , 2 4e. 4 4 44 44 ~
4 a m
-a = , , . .a 1,1, .
*3 g.- 7 P P P P 'E R R3 S S
=;
a = = = I. I 3 3-i , s is 3
!8 i 5 .
'jg d *
- 4 ja' as ii p=],c u-sga .
1 1 1 d 1
=
I 5 i- I i)5I=:
= .
g
~*
* $4 @g I
s a
~ " a i 8 ti -
- g d
- 5= :
.i
~
- w
! a g - .
l3 Si - d 4 3 g , sah ., ) 4
.I C
i.. .- I=g & a - I *
& A
~
- EI*A. 8 I]I-!
=,
- 2,
' D E3 3 3 4r g e giI=E - a l ,
. = ~
C e am > l h h S g d 1 I- s J *
- m 1 # a d J. ;
e E a g!g ?. a la e a j A
.s- I 3$ ]$ -
e 198 t
-.. . . . . . .- -....a. ?- ..
. . . . . . a .:a .=
0 5C.1. 2 BNL Revised Event Tree The BNL revised event trees for large and medium LOCAs are shown in Table 5C.1. The revised event tree for a small LOCA is not given;. it would be the same as that for IORV with early scram (Table 5A.12 sheets 1 and 2). The frequency of small LOCA'is. assumed to be same as in the SNPS-PRA, 8x10-3 The effect of small LOCA therefore becomes small, less than 10 7 The BNL results for the LOCA events are similar to those of the SNPS-PRA. In fact, they are smaller for the Class II contribution and larger for
- Class III, as seen from Table SC.2. The reason for the smaller Class II values is that the SNPS-PRA used apparently old values for the "Q" function,
~
which BNL corrected for consistency with the other event trees of the, PRA. The cause of somewhat higher Class III contributions is the different quanti-fication of the condensate system injection, which was discussed above. Table SC.2 LOCA Contributions to Core damage Frequencies Class Total II III Core Damage Large SNPS 7.0E-7 1.7E-7 8.7E-7 LOCA. BNL 2.8E-7 3.8E-7 6.6E-7 Medium SNPS 2.7E-7 4.9E-7 7.6E-7 LOCA BNL 2.1E-7 6.1E-7 8.2E-7 Small SNPS 0.24E-7 0.16E-7 0.4E-7 LOCA BNL 0.36E-7 0.08E-7 0.4E-7 Reactor SNPS Pressure and 3.1E-7 3.1E-7
~
Vessel BNL LOCA Total SNPS 1.0E-6 1.0E-6 2.0E-6 BNL 5.3E-7 1.3E-6 1.8E-6 5C.2 LOSS OF COOLANT ACCIDENT OUTSIDE CONTAINMENT A LOCA outside containment has the following adverse characteristics compared with a LOCA inside drywell. a) In the event of an unisolated break, high environmental stress may be produced on equipment inside the reactor building. This may compromise ECCS operation. , l 199 i-
- - 4.- ~ . ..a . .~ .. .-- - . . . . . . ... L ..
b) In the event of an unisol'ated break, there may be a flood in the reactor building which may flood high and low pressure injection equipment and compromise their operation. c) The consequences of core damage in this situation may become signifi-cantly different because of the potential direct pathway out of the primary system, bypassing the suppression pool and drywell. Ii: has a beneficial characteristic in some cases, namely, the possibility of isolating the break in order to limit the release. The SNPS specific design makes items. (b) and (c) of special interest. However, only the core damage probability is evaluated here, not the total risk. The results are assigned a separate core damage class V, for further consequence evaluation. The SNPS-PRA evaluates the initiator frequency from thre'e sources: a) Steam line or main feedwater breaks outside containment b) Breaks in the HPCI/RCIC steam supply or pump discharge lines c) Interfacing LOCAs in low pressure systems. Case (c) is the most important contributor to LOCA outside containment. Therefore, larger uncertainties can be . tolerated in cases (a) and (b). Most of the uncertainty stems from lack cf applicable data for evaluating pipe and valve ruptures. SC.2.1 Main Steam Line Break Within Reactor Building , I l The SNPS-PRA assessed the frequency of steam line breaks in tihe small ! sections between the inboard isolation valves inside the drywell and the out-board isolation valves inside the reactor building. Breaks downstream of the outboard isolation valves will have two isolation valves between break and . RPV, which makes their contribution snall. The evaluation in the SNPS-PRA takes the following into considerations: a) Mean value for pipe rupture taken from the BWR-RSS is 8.6x10-10 per , hr/section (SNPS-PRA, page A-24). 1 b) The SNPS pipes in the reactor building steam tunnel are designated as
" break exclusion" pipes, which means that they are designed and inspected to even more stringent requirements than the primary system piping. In view of this, the SNPS-PRA applies a factor of 1/10 to the RSS-BWR failure rate. This results in 8.6x10 Il per hr/section, which is used for estimating rates of rupture in " break exclusion" l pipes, c) The valves in the subject pipe sections may,be subject to external '
leakage or rupture. The data from RSS-BWR for valve leak or rupture are used. Based on the latest LER review of valves 8 , a ratio of 1/18 for rupture / leakage is assumed. In. addition, the . valves are also . 200 3
. 1. < , .
l " break exclusion," and an additional factor of 1/10 is 'taken, which -
- results in 1.5x10-10 per hr/ valve rupture.
The BNL review notes the lack of a data' base for evaluating the rupture t
- probabilities. Considerations (a) and (b) are judged reasonable, but BNL did j not review the 1/10 assumption for " break exclusion." Consideration (c) is l; reasonable, but was judged by BNL to be more appropriate than the LER data from NUREG/CR-13638 . Thus the WASH-1400 data used in the SNPS-PRA are also I used in the BNL reassessment. The LER data 8 l indicate that only a small frac- l tion of the events may be rupture precursors and most of them are leakage that i
, cannot be considered "large LOCAs." Therefor.'e,' the factor of 0.05 was judged to be reasonable as well. Additional discussion is given in Ref. 24.
BNL evaluated the annual frequency of .s. team line breaks by calculating the frequency of pipe or valve breaks in the's,ection outside drywell:
; a) 8.6x10-ll(rupture /hr) x 24(hr) x 365(days) x 4(pipe) = 3.x10-s/yr. _
) b) 2.7x10-s(leakage /hr) x 0.05(rupture /. leakage) x 0.1 (MSIV/MOV) 1 x 24 x 365 x 4 = 5.2x10-8/yr ,
! where 0.1 is a factor of 10 for assumed bettar break resistance of the MSIV
" break exclusion" valves in the SNPS than. of an MOV from the data base (as stated in the PRA).
The inboard isolation valve in the drywell is normally open. It can be isolated and is assumed qualified for this purpose. Its failure rate' from NUREG/CR-1363 (Table 23)8 is , for BWRs , Failur,e to close 6x10-3/d. - This value is also used' by SNPS-PRA. ' The ' probability of unisolated - ! breaks then becomes: (5.2x10-s + 3x10 s) x 6x10-3 = 5.0E-8/yr. Similarly, from the section, between the outboard MSIV and the Jet Impingement Barrier, we obtain an additional contribution of 6.0x10-Syr. This brings the total calculated frequency for main steamline breaks to 5.6x10-ajyr, SC.2.2 Feedwater Line Break Contribution There are two feedwater lines 3 feet long up to the check valve in the reactor building. The failure probability of these is calculated by i 8.6x10-ll(rupture /hr) x 2(pipe) x 24(br) x 365(day) = 1.5x10-s per reactor year. 2.7x10 s x 0.055 x 0.1 x 24 x 365 x 2 = 2.6x10-s p,p ,.eactor year. The conditional probability for check valve failures is taken by BNL from the Reactor Safety Study to be 3.8x10 7/hr for BWR check valve internal leakage - 201 t
-- a: --: : .=
1
)
(mean value). This gives 3'.8x10 7 x 24 x 365 = 3.3x10-3, which' is smaller ' than the value used in the SNPS-PRA (5.8x10-3). The contribution of FW line breaks then becomes 1.4x10-a. This value is considered conservative because not all leakages through the inboard check valve are large enough to be the size of a large LOCA. SC.2.3 HPCI/RCIC Steam Line Break Contribution 1 RCIC lines are 4" and 3" in-diameter and are considered- to-be too small -
- to cause a large LOCA outside containment. Furthermore, because steam blow-down through the 4" line break will be relatively slow, the time until it will impact equipment in the containment will be relatively large. Hence, there is a significant probability that the operator will successfully follow proce- ,' ;
dures and will depressurize the reactor by ADS, routing the steam blowdown to - the suppression pool rather than to the reactor building atmosphere. In Ref. 24 it is shown that the conditional probability of core damage given medium LOCA is, by a factor of 10, smal.ler than the conditional probability in the C case of large LOCA. Therefore, th~e contribution from RCIC lines will be small relative to the contetbution to core' damage frequency from the HPCI lines. The HPCI has one 10" line, and in response No.17 to BNL questions 4 it is stated that the HPCI pipe section to the first outboard valve t's of " break ~ exclusion" pipe. Therefore, the contribution may become i 8.6x10 11 (rupture /hr) .x 24(hr) x 365(day) = 7.5x10 7/yr. ) 0.1 x 2.7x10 a x 0.055(valve rupture /hr) x 24 x 365 = 1.3x10-8
~
2.0x10-s x 8x10-3 = 1.6x10.-a , where 8x'10 3/d is the failure of the inboard valve including failure of its * ] consnand. 8 BNL assumes that this valve will be closed upon demand, because it was designed
- to isolate upon sensing the conditions of a steam line break.
~
Downstream of the outboard isolation valve, which is normally closed, 4 challenges per year of 24 hours each may be assumed. However, piping is non-break-exclusion in this part. Therefore, the contribution from these sections will become 6 (sections) x (8.6x10-10 + 2. 7x10-s x 0.055) x 4 (challenges) x 24 = 1.4x10-sfyr i 1.4x10 s x 2 x 10-3 (two isolations valves fail by CMF) = 2.8x10-S. The total frequency of a HPCI steam line break becomes 1.9x10-ajyp,
*The review cid not address the cuestion of the adequacy of isolation valve qualification. However, Section SC.2.5 below compares the contribution of HPCI steam line break to the impact from interfacing LOCA for the assumption of isolation valve failure. ~
l
- l i
202 i
___ _ __ ~- . -l . . . . - '^'..:w a -
^
= . ;. =
- a. A,,_ A ,
l i .
~
, It should be noted here that the SNP'S has the outboard isolation valve of HPCI normally closed.- In LGS, for example, the inboard and outboard valves
- are both normally op'en which increase the contribution. from the downstream piping of the HPCI system.
In addition to the HPCI/RCIC lines there are other lines that can poten-tially cause a LOCA outside drywell if their isolation valves fail: 2 (1) Reactor Water Cleanup (RWCU) system supply lines 3'" to 6" lines having, in addition to th'e inboard and out-
, These are
- board isolation vlaves, two remote operation valve-arrangements that can be used' to isolate the RWCU if a break outside drywell occurs.
1 (2) Main Steam t.ine Drain (Inboard) ! These are 3" lines. They are not considered for the same reason j that is giv'en above f or RCIC lines. ' ) (3) Main Steam Line Drain (Outboard) and MSIV Leakage Control These are 2"-3" lines and are isolated by the inboard MSIV. (4) Other small lines of size l_ess than 2" in diameter. All these lines were not further considered by BNL on the basis of the assumption that their isolation valves will close as designed. In ,such a ' case, the core damage frequency estimated for these lines (see Ref. 24) is about an order of magnitude smaller than that estimated for the large steam ! line break in the last three subsections. - 5C . 2. 4' Interfacing I'OCA Frequency - If a set of multiple failures should occur, a LOCA could be induced out-side containment in piping systems that are rated for low pressure. This is t referred to as interfacing LOCA. This section reviews Appendices F and A.2 of - the SNPS-PRA, which consider the frequency of interfacing LOCA. It has two parts : i j a) Review of SNPS-PRA approach; b) The BNL reassessment.
- The specific pipes of low pressure systems which are potentially sources
- of an interfacing LOCA are the following
j a) RHR/LPCI loops A and B. Each loop has a testable check valve and two electrically interlocked motor-operated valves (MOVs) in its injec-tion lines. The inboard MOV 37A or B (F015--normally closed) will not be cycled untill the plant is entering cold shutdown. The outer- , most of the two MOVs--MOV 36A or 8 (F017 normally open) will be cycled on a .3-month frequency. However, the BNL review considered this second MOV to be unqualified as an isolation valve. i 203
, _. __ ._ m ,. . . _ . m-. . . ~ . 4 .a . . . _ a. b) RHR reactor head spray line. This has a- check valve arid two MOVs in s eries . The MOVs are interlocked to prevent opening at pressure above 135 psi. c) RHR shutdown cooling mode line, which has two MOVs in series. The MOVs are interlocked to prevent opening at pressure above 135 psi. d) LPCS loop A and B. Each loop has a testable check valve and MOV in series in its injection lines. The MOV will be checked only during outages. SNPS procedures state that the testable check valves will be tested during refueling outages only.' ' A. A Review of the SNPS-PRA Approach The 'SNPS-PRA approach to quantification of the frequency of interfacing LOCA follows NUREG-0677" with some modifications. The data are ' valve failurg rates taken from NUREG/CR-13638 . An analysis of operator errors. led to the conclusion that the probability of MOV inadvertent opening by the operator with subsequent failure to isolate is a small contributor. The .'SNPS-PRA produced a small reduced fault-tree for each' of the four configurations of low pressure systems listed above. The _ top event is "Large LOCA in Low Pressure System Given Exposure to High Primary System Pressure." These fault trees do not allow for spurious opening of MOVs due to false sig-nals. In one case, credit is given on the tree for MOVs which are not quali-fied for isolation. This has the effect of doubling the result of the calcu-lations so that both LPCS and LPCI loop A and B contribute similarly (rather than the LPCS alone, as presented in the SNPS-PRA). The data used for the quantification of the' fault trees are taken from the NUREG/CR-1363 with needed modifications. Because MOV or check valve large ruptures did not occur, and the data available are for leakage only, a modi-fying factor had to be estimated for the fraction of large leakages or rup-tures in the entire leakage data. The SNPS-PRA assumes that this factor is -l 5%. BNL was not able to validate this value. Based on a review of LERs in NUREG/CR-1363, BNL judges that this factor may range from 0.01 to 0.15. ) 1 Nothwithstanding, BNL found the SNPS-PRA values too difficult to repro-duce, If NUREG/CR-1363 data for BWR valves are used, then by. applying the SNPS-PRA approach one may derive the following values: a) Check valve internal leakage: 1x10-s/hr x 8760(hrs) = 8.8x10-3/y r. Applying the 0.05 factor for large leakages gives 4.5x10 "/yr, which is 1.5 times the SNPS-PRA value appearing on the fault trees. b) Check valve or MOV rupture: 7x10-a/hr x 8760(hrs ) x 0.05 = 3x10-5/yr. The value used in SNPS-PRA is 6 to 7 times as high. If Reactor Safety Study data is used, then one may derive:
- a) Check valve internal leakage: 3.8x10 7/hr x 8760(hrs) = 3.3x10-3/yr a 204
-mm . - --
._,-e e '- - - . ..,-e,_.w--
-- +ye. . , .r--s-,--w-----,-f--sv- .c-,..%,- - , - , , - . - - - --,,,--,,----~r- , , , - ,
^
' ' ' ~ ^
i _ _ *l}, @ ' [.l 3 b) Check ' valve or MOV rupture: 2.7x10 s/hr x8760(hrs ) ~ x 0.05 = 1.3x10 5/yr. B. BNL Reassessment Acoroach The reassessment is based on 6 LERs circulated recently by the Office of Analysis and Evaluation of Operational Datas ,2s of the NRC. These events
' are precursors events, in which a failure of the boundary between high and low pressure systems has occurred at least temporarily. The data cover events
, that occurred over more than 15 years. BNL assumed that they are relevant to
. . the BWR reactor operating experience of 250 reactor years. Table 5C 3 pro-vides a short description of the LERs. The following is concluded from the LERs :
a) At least two cases of pressurization of the low pressure systems have occurred for a few minutes (Browns Ferry, Vermont Yankee LERs). , b) Five events are relevant to testable check valves unavailability. If one assumes 250 reactor years, then 0.02/yr is this estimation of frequency. c) During the two cases of overpressurization, the pipes did.not breach or fail. Plants returned to normal operation. (d) The events were all isolated or recovered shortly. An additional MOV has to fail in order .to challenge the low pressure system. For quantification of the MOV failure probability the following was considered: a) The condi to be 10 jional probability of spurious opening of an MOV is assumed .. This includes mainly the effect of spurious control sig-nals. This value is taken from Table A.2-1 of the SNPS-PRA (A = , 1.6x10 7/hr) . The human contribution during functional testing is assumed to be small because the operator will immediately isolate the MOV when an alarm is received, as occurred in the Browns Ferry LER i ' (Table SC.3). Furthermore, it is assumed that functional tsting will be performed only during cold shutdown (as specified in SNPS proce- , dures ). I b) The data for MOV ruptures or gross leakage seem to be 1.3x10-5/yr. l The LER data for MOV failed open (for normally closed MOVs) was 1 evaluated by the SNPS-PRA to be 1.24x10 . c) Shoreham has an interlock logic of the injection MOV and the primary system pressure. This interlock is considered to reduce the proba-bility of spurious openings by a factor of 10. Based on the above consideration, a value of 1.5x10 was used by BNL for the MOV failure to the open position. This value is considered to include the effects of operator recovery and SNPS specific procedures that require testing of the testable check valves and the MOVs, during cold shutdown. I 205
- t
-- ~ . , - . -
' Table SC.3 LER Summaries for Interfacing LOCK Events No. Plant Date/LER Descriotion of Event 1 Browns Ferry 08/14/d4 A comoination of imp roper assembly of 1 LER-84-32 testable check valve with operator error (failure to electrically disarm the MOV injection valves) caused the check valve to te open for a long period of time (since December 1983) and the J90V .ta open .. .
while' testing, compromising high/l ow' pres.sure boundary. The pressurizat. ion of the LPCS above its 500 psi design con-tinued 13 minutes without significant damage. The seal of one pump burst and sprayed steam. This is probably due to substantial design margin. Plant c6ntin-ued' power operation. Nota:. SNPS procedure 2 do not allow for testing the outboard LPCS MOV during power operation. 2 Pilgrim O'9/29/83 Durtng functional testing of HPCI system LER-83-048 Togic, personnel error occurred causing opening of both injection .MOVs. A test-able check valve was partially open be-cause of rusted stem to ac'tuator link-age. This caused overpressurization of HPCI (150 psi design pressure). This. caused no LOCA, but ruptured the giand
, seal conderiser gasket on the HPCI 'tur-bine. The overpressurization caused -the .
testable check valve to close after a short time.
~
3 Hatch 06/07/83 The testable check valve of the LPCI/RHR - to was stuck open for about 4 months. This 10/28/83 resulted from maintenance errors. LER 83-112 4 LaSalle 09/14/83 Stuck open LPCI testable check valve. LER-83-105 The operator opened one LFCI injection Also: valve during routine testing, and leakage LER 83-066 into the suppression pool occurred. The LER 82-115 plant was in cold shutdown. 206 j I ,
. . : r' ._ r . , .
Table 5C.3 LER Summaries for Interf acing LOCA Events (Continued)- No. Plant Date/LER Descriotion of Event 5 Cooper 01/21/77 During steacy state operation, while the HPCI system logic was being tested, HPCI testable check valve failed to close allowing feedwater backflow into HPCI injection line. HPCI system was iso-
' lated. A loose part was found wedged under the edge of the check valve disc preventing the valve frca seating.
- 6. Vermont 12/12/75 During monthly testing of LPCI pump and 3
T MOV, one MOV failed to respond. This was because a testable check valve was leak-ing past its seat causing an excessive dp across the MOV. Another isolation valve was closed before the test but did not shut fully. Its light indicated it was shut. Since .this MOV was thought to be shut, the second MOV 'was cycled open, and a flow pass existed from the RPV to the LPCI loop. This caused the LPCI to be overpressurized past its 450 psi design pressure. Three LPCI relief valves discharged steam and water mixture and a gasket in the RHR. heat exchanger' leaked. e G 207 t
~ . . . . . - - _- - . . -..
For a LOCA .to occur, the piping must break and the break must be large. l The SNPS-PRA states that the low pressure system piping is designed to 500 psi - by ASME code standards , with -100". . margin. It assumed that break probabil-icy will be 0.5 given high pressure. BNL estimated this probability to be ! 0.1, on the basis of the following arguments: l (1) The LERs already show two cases of a low pressure system sustain'ing ! the high pressure without significant damage, for a significant time '
.periodi (This by itself gives a factor of about 1/3.)
' (2) The los ~ pressure piping is . designed to meet' the ASME code, which includes large margins. This indicates that the two cases in which the low pressure system was pressurized for some time and did not breach. .are apparently typical and not mere chance. Ref. 26 assumes
~
that the large. margins may be evaluated as failure probability of 10 2 to' 10-*. However, it is also stated there that this evaluation
- has not yet been completed. ,
Note that .Ref. 26 predicts higher LOCA f requencies . However, SNPS procedures do not allow for testing the outboard MOVs during power operation. This can reduce .the frequency of the initiating event considerably because five of the six .LERs were cases of testing performed on MOVs during plant operation,. and. therefore may not fully apply to the SNPS. The BNL approach is summarized as follows: ! 2x10 2 (testable check valves unavailability) x 1.5x10 " (MOV. opening) x 0.1 (rupture probability) = 3x10 7/yr. SC.2.5 Comparison of the Contribution from Steam Line Breaks and from Interf acing LOCA The frequency of an unisolated HPCI steam line break was estimated in Section SC.2.3 above to be 1.9x10-s per year. This frequency includes the assumption that the inboard isolation valve on the HPCI steam line can be closed if available upon sensing the conditions of a steam line break. How- - ever, if it is postulated conservatively that this isolation valve would fail to close against the pressure conditions of the steam blowdown through the valve into the downstream break, the unisolated HPCI steam line break frequen-cy will become 3.5x10 ' per year (see Section SC.2.3). The frequency calcu-lated in Section, SC.2.4 for interfacing LOCA in the SNPS is 3x10-7 per year. It is lower by a factor of ten if no credit is given to the inboard isolation valve closure following HPCI steam line break. Thus, the SNPS-PRA results are sensitive to assumptions on HPCI isolation valve qualifications. Ref. 24 dis-cusses the case of unisolated LOCA outside containment. SC.2.6 Core Damage Frecuency for Large LOCA Outside Containment The initiators of this sequence were discussed in the previous sections. The results are: m 208
;~ .. : w ; _. .
--y - ---
. y - -- -
s Interfacing LOCA frequency = 3x10 7/ year Feecwater and Steam Line Breaks = 1x10 7/ year l
)
Total = 4x10 7/ year 4 The BNL review considers the main impacts of the LOCA outside containment to be the following: a) Adverse environmental conditions leading to degradation of motor con- { , trol centers and other electrical equipment. b) Flooding of the reactor building which has the potential to flood' ECCS pumps. The flooding of this systems can, in some cases, happen within less than 10 minutes. I c) Depletion of water from the condenser hotwell leading to insufficient water at the condensate pumps suction.
- The SPPS-PRA considers the main impact to be somewhat different:
a) Item (a) above - b) Depletion of water from the primary containmen: and suppression pool leading to insufficient water at the ECCS suction. The event tree diagram for this incident in the SCL review is the same as that in the SNPS-PRA. However, in some cases the consideration behind the quantification is different. The event tree is shown in Table SC.4. The ECCS pumps are considered to be failed because of adverse environmental conditions and flooding. . The condensate system is the main frontline system remaining in this case. BNL assumed a failure probability of 0.2 for the condensate system for the following reasons: a) The operator needs to control the condensate flow promptly in order . to reduce flooding rate, but mainly to conserve the hotwell inven- ] tory and thus avoid condensate pump failure or trip upon low hotwell level. , b) The operator should validate that automatic transfer for hotwell makeup from the CST is working. c) It is assumed that a condensate flow of 1000 gpm to the RPV, which is consistent with the CST makeup to the hotwell, is sufficient to keep the core covered even without line break isolation only for break size smaller than 10" in diameter or for breaks in pipes connecting at a high point of the RPV. (The SNL reviewers failed to find physi-cal calculations showing that for very large break LOCA [such as in the case of interfacing LOCA] the core could be successfully cooled by 1000 gpm.) Therefore, the following was assumed in BNL quantification of the condensate system injection: 209 I i . \
- . ~ . . -
For steam line breaks: ,
~v = 0.2 For feedwater line breaks v = 0.2 For LPCI interfacing LOCA v = 1.0 For LPCS interfacing LOCA v = 0.2 v' ' ' = (1x10-7[0.23 + 1.5x10 7[1.0 + 0.2)]/(4x10 7) = 0.5 .' . This value was used' in Fig. 5C.4.
The event-tree diagram shows that break isolation is dependent upon re-establishing the PCS and opening an MSIV to allow the containment heat removal function. The W' and W" functions are the following: W'- Unisolation oi' the break, with decay heat being removed through the break into the reactor building.- W" - Isolated break and PCS estab'lished for containment heat removal of decay heat, i The BNL results are 5-fold higher than the SNPS-PRA results mainly because of the use of the LER occurrences and some differences in failure rate assumed for valves and for the conde.nsate injection. The BNL review determined that the condensate system is not affected by a flood or adverse environmental conditions in the reactor building. Further-more, the outboard valves on the feedwater injection line (valves F032A and F0328) through which the condensate pumps transfer cooling water into the RPV are operated from MCCs at elevation 112'9" (40' above the main steam lines in the reactor building) which are located in separate environmentally controlled cubicles isolated from the remainder of the reactor building l. The two valves are operated by two separate MCCs located on opposite sides of the con- , l tainment.
. l l
l l 1 1 210 j l i l
\-
( ~. - If C* {'I-F l t w Loca souse contant smaction essar naammat toca i' cuisses cs csess os tacs canutasars sentes ses saousesz eneoutacy coulaneestus , core . Diss6eation 4Per as Tr8 veleerebse a,, c va v. vees u. u. .
! = !
I l l l l i j! , A ' "
. mr l .l .
i i g AfgV '
~
. OK e ,
! {
* :* e' i
j l l A gg V 'V" OK s t.0 l l ?
- ! - A ,
WIV 'VN' OK 4.0E-? ; , 0.5 - 00
- 6
- I' 1
s 1.0 s 0.1 [ ! l - A ggVVN's l.0E-8 Class II s 0.5 i
- l. ' '
, t-f ,
AggV 2.0E-7 Class V 1:10' ~ i j'
. AggC s Class V ' Cl ,
.i e . D j i
! Ta ble '5C.4 Event Tree Slagram f r Sequences' Following *-
targe LOCA 0.stside Containment I . f.~ i . [ s ! 4
.I 1 <
8
APPENDIX SD ANTICIPATED TRANSIENT WITHOUT SCRAM (ATWS) 50.1
SUMMARY
OF SHOREHAM ATWS EVENT TREES ~ The ATWS event trees developed in the SNPS-PRA are described here, with enphasis on their special features and important aspects; they are discussed in detail in Section 3.4.3 of the SNPS-PRA.. A total of five ATkS functional event < trees were developed for t'eh SNPS-
'PRA: turbine trip, MSIV closure. Loss of Feecwater, Loss of Offsite Power
, (LOOP), and 10RY. A special event tree was developed for the turbine trip , ATWS initiator (Figure SD.1). Since the purpose of this event tree is to identify properly those turbine trip initiator events that eventually result in either a loss of feedwater, a loss of condenser, or a MSIV closure, th'e event tree evaluates the availability of the following functions: feedwater runback, loss of turbine bypass valves, loss of condenser heat sink, and NSIV closure. The outputs from this event tree are scenarios that can be charac-terized as a turbine trip with bypass available, a loss of feedwater event, a loss of condenser event, or a MSIV closure event. On the basis of these results , the respective ATWS initiator frequencies are reevaluated. For instance, the ATWS turbine trip initiator frequency becomes 0.85/ year instead of 3.2/ year, and the loss of feedwater ATWS frequency is 0.08/ year rather than 2.10/ yea r. Figure 50.2 shows the SNPS ATWS turbine trip event tree. A major
- departure in the SNPS-PRA treatment of ATWS events from that in other BWR PRAs is that it separates the initiator frequency of a particular ATWS event into .
that above the 25% power level and that below the 25% power level. A case in point is the turbine trip event presented in Figure 50.2. The SNPS-PRA l reported that only 0.85 event / year can be considered to be turbine trip with bypass available and restore power . level above 25%, and the balance con-stitutes 1.3 events / year for which the reactor is operating below the 25% , power level. The rationale for selecting the value 25% is based on the con- - denser's capability to remove heat. The probability of an ATWS event occur-rence is based on the NUREG/046023 values of 1x10-s for reactor protection system (RPS) mechanical failure and 2x10-s for RPS electrical failure. The recirculation pump trip function is implemented in the SNPS and is actuated given a high reactor vessel pressure or a low reactor water level condition. , Alternate rod insertion (ARI) is also installed in the SNPS to provide a redundant means of inserting the control rods , should the RPS electrical system experience malfunction. If indeed an ATWS event is iminent, then the tree evaluates the pressure control functions: namely, the proper opening or reciosing of safety relief valves. The reactivity control function used in 3 the SNPS-PRA entails 4 different tasks: manual initiation of the SLC system, ' manual feedwater trip to minimize cold water injection into the core, lowering the reactor water level to slightly above level 1, and lastly, re-establishing ! water level and baron stxing when the SLC tank is empty. The SNPS analysis assumes that the operator will have 25 minutes to perform these tasks. The ! high pressure injection function, U, is then evaluated. ADS inhibit, D, and l water level control, UH , are also included in the event tree to model the i need to preserve the boron concentration inside the reactor vessel. Finally, - l I 212
-- , . . - - . - - - , , , - , , - , - , _ _ - < . . , . _ _ , . . _ , . , , , . , . , , , -,,--.,.n,,.n _w.--,,--+ _ . , - , , - , w, ,,,-n-- - -
. .. -_ . .:3. . : n. a..
u Y a- . the event tree considers the success cf the ' heat removal ' function through the condenser and the RHR heat exchangers. The combination of success or failure of these functions, shown in Figure 50.2, gives ris e to the definition of an ATWS accident sequence. ~ For instance, based on the success criteria defined for a turbine trip ATWS event, failure of Recirculation Pug Trip (RPT), given RPS electrical failure, results in a core damage. condition. Also, with successful RPT, failure of the ARI and the reactivity control function would still result in core damage. Part A of Figure 50.2 sh'ows these accident sequences, which are related to RPS electrical failure, and Part 8 shows sequences related to RPS mechanical fail-
' u r'es . Subsequent to the. reactivity control function, the tree evaluates the coolant injection and ADS inhibit functions, and finally the maintenance of level and containment heat removal functions.
Figure 50.3 is an ATWS event tree, similar to that for the turbine trip initiator for MSIV closure events. This tree is also divided into two parts, . for mechanical and electrical RPS failure sequences. The initiator frequency is classified into two groups according to whether the power level at the time-of reactor scram is above. or below 25%. The MSIV ATWS event tree is. identical to the turbine trip tree except that the unavailabilities of the various func-tions are different. Included in this MSIV ATWS initiator frequency is the contribution from loss of condenser ATWS events. These are grouped together and treated in the same event tree because both initiators result in a similar plant response of losing the capability for heat removal to the heat sink. The loss of feedwater ATWS event tree is shown in Figure 50.4 lhe SNPS-PRA considered two power levels, below 25% or above 25%, for this event. The main difference between this event and the turbine trip ATWS- is the unavaila-bility of feedwater. In this case, feedwater runback is not necessary. S f mi- ' la'cly, the availability pf the condenser for the loss of feedwater event dis-tinguishes this event from an MSIV ATWS event, in which the condenser is not available. Otherwise, the ATWS event tree is identical to the other two trees. The loss of offsite power ATWS event tree (Figure 50.5) is essentially the same as the MSIV ATWS ' tree. Given the onset of a LOOP event, the MSIV will close and the response of the plant to the ' initiator is similar to a MSIV event. However, a LOOP event does, in certain cases, present a more notable challenge to the system availability than the other ATWS discussed thus far because of the loss of offsite AC power. This is noted in the unavailability of the heat removal function; otherwise the two trees are identical. l ihe last ATWS event . tree developed in the SNPS-PRA is that for an IORV i event. It is similar to the others , described above, but it contains one additional function that models the failure of the high drywell pressure or high suppression pool temperature signal (Figure 50.6). Given the onset of an ! IORY transient, at the initial stage the reactor operator is instructed by the
- . procedures to manually shut down the reactor; however, failure to do so does not necessarily preclude a scram since at high drywell pressure -2 psi, an automatic scram signal is generated. The SNPS-PRA determined that failure of the suppression pool temperature and the drywell pressure instrumentation would result in the equivalent of an ATWS sequence. This is reflected in the SNPS 10RV ATWS event tree. '
, 213
1 50.2 OUALITATIVE REVIEW OF THE SNPS ATWS EVENT TREES l This discussion of the results of the BNL qualitative review of the SNPS ATWS functional event trees is focused on several topical items rather than on each ATWS initiator. Turbine Trio Initiator Event Tree - BNL's review of the SNPS turbine trip initiator event tree (Figure 50.1) indicates that the function "feedwater runs" consists- of_feedwater . runback- ... ' action by the operator in 12 minutes, so as .to preserve an orderly' shutdown with low suppression pool temperatures. It is considered to have a high like- , lihood of failure in the SNPS-PRA. Failure of this function leads to either a l loss of feedwater or a MSIV closure. However, this appears to contradict the ' definition' of plant condition given for each sequence. For instance, the sequence T is characterized by the success of feedwater runback, turbine bypass, condenser heat sink, and MSIV open. But, if feedwater runback is suc-cessful, then the T sequence should behave more like a loss of feedwater than like turbine. trip with bypass available. A similar example can be noted in the TQ sequence, where failure to runback, implying that feedwater is avail-able, results in the loss of feedwater events. One possible explanation is that the upper branch of the feedwater run function should be interp.reted as no feedwater runback. ' The SNPS-PRA states that a 0.4 operator error 'probabil-ity is assumeo for failure to manually runback feedwater and a 0.75 failure probability is used for the automatic backup feedwater trip on Level 8.
'High Power Initiator Frecuency In the SNPS-PRA, the ATWS initiator frequency is separated into two parts : that at high power plant condition, g.reater than 25% power, and that at 25% power or lower. The basis for this division is existing plant data
~
f rom BWRs. BNL did reassess the initiator data base to determine the relative con-tributions from such a grouping (see Table 50.2). BNL considered that during the normal operation of a plant, i.e., not including the initial period of - comercial operation, some percentage of plant transients would be initiated at low power, and credit shou 1 * 'e given to reflect this situation where the i condenser is adequate in removirg heat from the reactor vessel, thus allowing l additional time for the operator to initiate the SLC system. Depending on the ! nature of the data base, if, during the initial period of plant operation, , there tend to be more scram events at plant condition of 25% power 'or less, I then the estimation of this percentage can be potentially biased tc= arc the l low power events, and may not be representative of the plant over its. averaged l life. For the BNL reassessed core damage frequency, all ATWS events are ' assumed to occur at power greater than 25%, similar to the SNPS-PRA. l Water Level As described in the preceding section, the SNPS design provides a num- I ber of means for reactivity control in an ATWS event. These include injection ' l of boron into the reactor vessel by the SLC system, manual feedwater runback, and lowering of reactor water level to slightly above level 1. BNL concurs that these are important measures which can serve to reduce the reactor power. ' l 214 ! t I a
. - ._ : % a- - . . . .....w -.2..: . . . a . a .--
With regard to the task of lowering water level, the SNPS-PRA suggested in one place that the water level be maintained slightly above level 1 and in another place that the water level be maintained near the top of active fuel (TAF), and the SNPS ATWS emergency procedure guide l3 offers no insight into this apparent discrepancy, stating that the water level should be kept abo.e TAF.- In a broad sense, these statements are not contradictory, but it is left to the reader to interpret the true intent of the procedure. Furthermore, based on the physical analysis performed to support this action, an- 8% power level was cited in the SNPS-PRA. This power level corresponds to the water level at TAF. Hence, there is t at best, an uncertainty as to .the level at l
' which the reactor water must be maintained. The effects of this operator action are, discussed further in the next section.
SLC System Initiation The SNPS design has two SLC loops, each with the capacity to inject 43 GPM of so'dium pentaborate into the reactor vessel, but the maximum injection rate is 43 GPM, so that only one loop can be injecting at any one time. The system is manually actuated. A 25-minute action time is allowed by SNPS-pRA for this task. BNL reviewed the GE report NEDE 2422217 and the XMC, letter 18, and concluded that the maximum action time allowed for the reactor operator appears more likely to be about 15 minutes. j AOS Inhibit - t Since the initial submittal of tne SNPS-PRA, a modification to the ADS function (including a preliminary conceptual design drawing) was conveyed to I BNL via responses to the BNL questionss . This modification entails a manual inhibit switch for use during an ATWS event, should the reactor vessel water i level drop below level 1, and is designed to aliminate the .need for the operator to repeatedly reset the ADS timer. BNL has assessed the impact of. this modification by a sensitivity analysis given in Section 5.3. The effect i of a manual inhibit switch upon the success of low' pressure ECCS in transient events warrants more thorough investigation, since inadvertent operation of t'he switch would disable all low pressure ECCS. With regard to ATWS consider-ations, this appears to be a useful design with the benefit of reducing the - probability of failure of the operator to achieve timely inhibition of the ADS, as shown in Table 5.15 of Section 5.3. BNL found that the SNPS ATWS procedures were not clear in a few areas as to what the operator muct accomplish upon the onset. of an ATWS. A case in point is the ADS inhibit function. In the procedure, the operator is instructed to initiate either the A or 8 SLC loop given a range of plant con-ditions (see Table 50.1, item 3.6.1). The operator is further required to terminate all injection into the RPV except the CRD and HPCI or the CR0 and RCIC maintaining reactor water level above TAF (item 3.6.1.2). At this point, two scenarios are possible. The first is quite benign, in that tne reactor water level falls to a point where the operator, by controlling high pres-sure makeup, is able to maintain the water level above level 1 at all times. In the second scenario, the reactor water falls quickly even with rated high pressure injection systems, and the water level drops below level 1. The pro-l cedure does not appear to provide the instruction necessary to guide the i operator to identify the critical parameter that must be closely monitored in l reducing the. water level, and to perform the inhibit function. In item 4.2 of 215 ! t
,,--wen-------: - - . ,n -- - - , - - - ,n-,,,--gn-a - e- - --------e. , , - - - - - - - ---..--,+,----,-,e --,w ,,+-,n,- -,,e - -- v
. __ _ _ .. ...=..a=.....: - - - -- m . x -
. Table 50.1, the coerator is' only directed to manually open enough SRVs to reduce reactor pressure to between 800 and 960 psig when there is cycling of .
the SRVs. Given the critical nature of this function, f ailure of wnich is assumed to lead to core damage, perhaps this operator action warrants more attention than it has been given in the procedure guide thus far.
~
50.3
SUMMARY
OF PHYSICAL ANALYSIS RESULTS A few of the ATWS analyses performed on[BWRs, and their results, are dis-cussed here, with an emphasis on areas having more direct effects on the
' assumptions as well as the ground rules and conduct of the ATWS portion of the PRA. In reviewing ttie SNPS-PRS ATWS analysis, BNL found either a lack of detailed information on some aspects, or .information insufficient for reason-able establishment of assumptions. This deficiency will become more apparent as the discussion continues.
Section 50.3.1 provides a' chronology of' the ATWS accident sequence, and Section 50.3.2 focuses on specific areas considered to have more substantial impacts on the ATWS PRA review. 50.3.1 ATWS Accident Chronoloqy . Given the onset of a plant transient, i.he MSIV closure event is recog-nized to impose by far the most severe requirements, compared with other events on the safety systems needed for mitigation. Therefore, for this dis-i cussion MSIV closure is selected as the initiating event, and departures from the MSIV discussion will be addressed separately. This discussion will be further confined to BWR-4 reactors. i Upon closure of all MSIVs and failure of the scram system to insert the t control rods, an ATWS ~ event is in progress. ;,The ' reactor pressure rises rapid-ly causing the safety relief valves to open. Consequently, a substantial ' amount of heat is being discharged into the suppression pool. Also, the pres-sure increase in the reactor vessel initiates the recirculation pump trip. Success of such a pump trip will reduce the core power to about 50%. Because the initiating event is a MSIV closure, feedwater will also not be available. ~ Given the large amount of reactor power still being generated, the reactor water level drops rapidly, and at Level 2 .both the HPCI and RCIC systems receivj7 a signal to inject from the CST. It is predicted in the GE ATWS report trip signal. that all of these events occur within a minute after the initial RPS At two minutes, the GE analysis a~ssumes that the automatic SLC actuation timer is timed out and the SLC system begins injection into the core. A time trace of the reactor water level (Figure 4.1.3 of NEDE-24222) shows that, after the water level drops below Level 2, the HPCI and RCIC flow reduces the rate at which the level decreases until a point when the boron-from the SLC injection begins to take effect. The water level reaches a mini-mum at about 5 minutes and begins to rise again. This minimum is just short of level 1. A similar situation occurs with a turbine ' trip with bypass available i event. A time trace of the reactor water level (Figure 4.1.7 of NEDE-24222) ' shows that the time at which the water level drops taL level 2 is about 1.5 , minutes . Feedwater is assumed in the GE analysis to be run back within 1 minute after the' onset.of the event. As in the MSIV case, the SLC is assumed j . . 216 i
..., . ._ _- a.,:. -.- -
z.... w.. .a -- . . .. ~ o t'o begin . injection at. 2 minutes.. F'igure ,4.1.7 of NEDE-24222 shows that the { water level decreases at a lower rate than in the MSIV case. The analysis ' predicts that at about 5 minute the reactor water level reaches a minimum, l which is approximately 1.2 feet above level 1. l The results of the two different calculations indicate that little time, , about 5 minutes, is available for the operator to take any action to secure l the reactor. According to the SNPS specific ATWS emergency procedures (Table ; 50.1), a series of operator actions is to take place. These are of two types: l imediate and subsequent. The immediate actions include manually scraming l the reactor, tripping the recirculation pumps, initiating RHR suppression pool l
' cooling, initiating SLC, controlling water / level, and, if manpower 'is avail-able, re-scram of the reactor with operation of scram discharge high level i bypass and other vent valves and logics. Subsequent actions deal with SRV !
cycling and plant shutdown procedures. l The SNPS specific ATWS procedures make it obvious that the GE analysis is l no longer applicable to the SNPS beyond' the 5 minute time frame. An ATWS analysis of Brown Ferry Unit Onels provides some insights as to the response of the plant given that the operator' follows the ATWS emergency procedures guidelines (EPG) for BWR.20 This ATWS EPG differs in certain areas from the SNPS specific EPG.13 For instance, the BWR EPG . recommends lowering the RPV i water level to TAF; .it also allows .depressurization and use of low pressure systems. In the SNPS EPG, pressure is. supposed to be maintained between 800 to 900 psi and no credit is given for low pressure
- systems. Therefore, the ORNLLS analysis results are not directly applicable to the SNPS. ATWS situa-tion.
i The purpose of maintaining the water level below the normal water level .i is to minimize the amount of heat produced in the core. This, in turn, has ! two related effects. The first effect is reduction. of, the amount of heat
! discharged into .the suppression. pool, and this allows the second effect: ~~
additional time for the operator to actuate the SLC to inject boron into the i j j vessel. The reactor power will eventually diminish because of the boron, and ! the shutdown procedure can continue.
; 50.3. 2 Discussion !
i I This section provides a discussion of the pertinent areas that affect the l SNPS ATWS PRA. l i Water Level Control According to the SNPS specific procedure, operator control of the water ! level is important in minimizing reactor power. The SNPS-PRA states that, when the water level is at TAF, the power level is about 8%. This value is l referenced in the XMC letteria, which cites information from GE that ". . . the reactor power level when the water is at TAF should have been 8% rather than 15%. " The level to power curve included in the document s1 shows the 16% value 2 BNL.22(seeTheFigure 50.7). range of Figure power level50.7 alsoisshows at TAF curvesand between.15 obtained 20%. byIfNSAC 1 and ' the water level is maintained at Level 1 rather than TAF, then the power level ranges from about 18 to 23%. If the intention is to avoid initiating the ADS func- - tion, and to maintain the water level above Level 1, then the power level is 217 t _ .a
more'like 20 to 25f.. Because of the significant increase in the slope of the
~
curve near the TAF region, changes in water level in this region have large
. effects on reactor power.
Sucoression Pool Temoerature Limit The SNPS-PRA reports the suppression pool temperature limit to be 240*F; above this point, the plant condition is considered not to be acceptable. Subsequently, the XMC document i a suggested that, on the basis of GE data on minimum subcooling required for af.ficient steam condensation, the suppression' I
' pool temperature limit may be about 285'F. BNL did not assess the validity of .
either value, but it is prudent to point out that a 45* increase in the temperature limit provides significant benefit in' terms of added allowable l time for the operator to perform his task. '
)
SLC System Actuation; l The XMC calculations l'nclude a sensitivity analysis to model a BWR-4 reactor with a manually initiated 43-GPM SLC system. Three different delay l 4 initiation times were assumed in addition to the base case, which is injection ~ ] in 2 minutes after the onset of an ATWS. The reactor water level was assumed
! to be at TAF and the power level at about 8%. The maximum suppression pool temperature estimated' for a 10-minute delay of initiation is between 260* to i 270*F for the SNPS. If the delay is around 2 minutes, the maximum pool '
temperature is about 220*F. The above information on water level versus reactor power indicates that, if the water level is at TAF, the power level is more likely to be 18%. This could have a substantive impact on the suppression pool temperature. If it is further assumed that the water level is above Level 1, the time taken to reach the suppression pool, temperature limit is even shorter. As a result, the operator will have only a few minutes to initiate the SLC, thus ' making it a highly likely to fail event. j Summary 4 l In the process of establishing a basis for the SNPS ATWS success criteria i' and ATWS assumptions,.a limited number of documents were reviewed to determine the applicability of their results to the SNPS and the reasonableness of the
, analyses. A lack of detailed information was found in certain aspects of ,
these analyses; even though these are generic studies, they do not provide a i basis broad enough to' account for the range of operator actions specific to the SNPS. The areas of suppression pool temperature limit, boron mixing in the reactor plenum and its impact on delay in plant shutdown, and human action to lower reactor water level are each addressed separately. There is a lack of integrated analysis that could be used to support the SNPS specific situation and the SNPS specific EPG. ! It is assumed in the BNL reassessment of the ATWS accident sequence that i
! the water level is to be maintained between Level 1 and Level 2, and that the '
suppression pool temperature limit is 240'F. l 218 , 4 3 ,,., .c - - - - - _ . - _ . , w - . - . , . . - , , . - - . . - - . . , . . . , . . . . , . - . . , --.~,,.-~.m,+w., , .- - - . . .-
;.u a .u ,..a---..-
--.: . - q 1
50.4 OUANTITATIVEREVkEW ' The BHL reviseu ATWS event trees and ,theITW!' core damage frequency quan-tification of these crees are discussed here.'. , Turbine Trio Initiator Tree ~
~
As noted in the qualitative review of the SNPS tu' r bine trip initiator event tree, BNL made minimum changes to this tree. The unavailability, 0.'7, used by the SNPS-PRA cri the feedwater runback function was found to be high.
' BNL thought that, gives the onset of a turbi.ne trip, regardless of whether it is an ATWS event or.not,' some portion of this event will result in either a MSIV closure or" a l'oss of feedwater;or loss of condenser, 'and ' developed a revised turbine _ trip initiator event ' tree accordingly ? (Figure 50.8). The total ofstructure basic four func'tions: of this tree is s'imilar to that in the SNPS-PRA. It has a feedwater trip due to high' icvel, turbine bypass, condenser heat si,nk,= and MSIVs remain open. Consistent with that used in the transient event analy;is; a 10% probability is assumed ' for feedwater loss given a turbine trip initiator. In order to further distinguish loss cf feed-water events from MSIV closure, a 20% probability is used for failure of the MSIVs to remain open. Loss of turbine bypass or condenser heat sink resalts in MSIV closure and loss of condenser events, respectively. Given the availa-bility of the feedwater, the' bypass and the condenser, the probability that the MSIVs will not rernain open is assumed to be 0.02. The end states of this initiator event ~ tret can be clarified into four groups: turbine trip, MSIV closure, loss of condenser, and loss of feedwater, Each of these is trans-ferred to the respective ATWS functional event tree.
t Turbine Trio .,
" I
~
l In- the. reactivity conreview
*.rol offunction the SNPS- ATWS~ turbine trip event tree, BNL found the {
unavai1~ abilities, namely, RPS 'clectrical or ' .i i mechanical and X to be reasonable. failures CE and- MC , rectreulation pump trip R, ARI function, The RPS failure values are derived from NUREG-0460.j3 The R. function value reflects sensor failures, and the 10-2 value for the K function represents the failure of the diverse logic to scram the ~ l reactor. With regard to SRVs open to control pressure, M, and SRVs reclose, P, the values used are also considered to be reasonable. In general, BNL concurs with the unavailability used for the coolant injection function, U. BN: in [ the re-quantificatia'n revised the values of the remaining 4 functions b2 j 0, Ug, W), and reconstructed the event tree (Table 5D,5). l { PRA. The first part of the ATWS event tree is identical to that in the SNPS-Subsequent to the SRY reclose function, the question of feedwater run-back is evaluated. , Note that the initiator is a turbine trip event with-bypass available; the feedwater system < continues to provide feedwater f 7cw into.the reactor and to maintain the water around the ncrmal level. As ' dis - cussed above, with regard to the effect of water level on reactor power, if feedwater around 50Lis not runback, the power level with " reci rculation pump trip is This;certainly far exceeds the capability of the condenser. ,
-se $
219 t)
-J
_ _ _ - - ~ . , m. , . - ---- == - - - mw - - - ===: :- - ;==- -- Therefore, it is important to runback feedwater in a timely manner. The prob-ability of failure to runback feedwater is evaluated to be 0.2, based on the SNPS human error curves. If feedwater runback is successful in a timely manner, however, then the , RPV water level will fall below Level 2 and the probability of failure of the HPCI is assessed to be the same as that used in the ' transient event trees. RCIC is not considered to be an adequate means of providing coolant injec. tion. In the event that HPCI is successful, the event tree evaluatas the
" Control Level 1" function and the SLC function. Actually, because of the rapid progression of an ATWS event, the feedwater function, #PC1 function, Control level 1 function, and SLC function'should be considered tc take place concurrently. i It is estimated in the XNC letter that using the EPG no bicwoown case '
with a 10 minute delt.y in SLC initiation and water level at. TAF (8% core power), the suppression . pool temperature is calculated to be 221*F. SNL esti- , mated that if core power is at 18%, the 240*F pool limit will be reached. Therefore, SNL assumed that the operator is required to initiate SLC and feed-water runback within 10 minutes. Moreover, if it is above 200*?, the relia- ' bility of the HPCI will be significantly degraded because of inadequate lube oil cooling. As noted in the preceding section, without feedwater the reactor water level will quickly fall below level 2; the SNPS EPG (Table SD.1) instructs the operator to take control of water level by terminating injection and to main-tain it above TAF. Since the MSIV closure and ADS initiation is at level 1 : and the EPG contains no explicit instruction for che operator to inhicIt ADS, ' BNL assumed for this study that.the water level is to be maintainec between level 1 and level 2. The unavailability of the Control Level 1 function is
~ derived from a functional level event tres (Table SD.7). The tree first.
evaluates the likelihood that the water level will fall bclow level 1. A ' probability of 0.5 is chosen, based on review of a number of d' cuments. o The GE" report indicates that, eten with automatic SLC at 2 minutes, the water level falls to within 1.2 feet of the level 1 setpoint, but the CRNL l8 report indicates that, for a turbine trip event, water does not reach level 1. -{ The ADS inhibit value ef 0.2 is selected on the basis of engineering ! judgment aided by human error curves (Figure A.3-3 of SNPSePRA). Finally, 1 failure of the operator to maintain water level above level 1 and below level ! 2 is assigned a value of 0.1. Failure to control water level will result in core damage. l 4 The SLC manual init1'ation failure and the RHR initiation failure are ! given probabilities of 0.15 and 0.1, respectively. Failure of these functions ) also leads directly to core damage. j l Should the HPCI fail to inject given a successful feedwater runback, the RPV water will reach level 1 within a couple of minutes, causing closure of l the MSIV and actuation of the ADS if the operator fails to inhibit. For all practical purposes, no successful operator actions can be assumed in. these l short times, and therefore the control level function is assumed to fail. 220
. , . . - _ . -. _ J
_ = _ - - . m - _ _ . _ . . . . _ _ _ . _ . . . . - - - - H$IV and Loss of Condenser The NSIV closure and tne Hss of condencer ATWS cre (;roupec together and . The basis for tn-is gecup. treated in one functional event tree (T4014 50.8). ing is the similar ' plant response of tnese two types of events. In both cases, the MSIVs are closed and tne feedwater injection is lost. A major difference between tatt ANS event tree and t.';e turbine trip tree resides with the feedwater rutback function (Tabla 50.8). Since the initiator in this case has already caused the Icss of feedwater, che runbask 'fanction is not required and it fs represented is the tree with gero failure probability. Another area of difference is the level centroi functioru A functionai level event tree similar to the one develcped fer;the turuinir trip ATWS is shown in Table 50.7-case II. As discussed in the preceding section, the water level following a MSIV or a loss of c6nduser ATWS initictor reaches level 1 within one or two minut'es. Hence, the " water level treldw level IC function (Table 5D.7) is chosen to h.e unity, In fight of the situation, the ADS inhibit function is giv?n a 0.9 probaM11ty of failure. Givgo the sces:ess,cf the inhibit functiors, failure to maictaiq invei is assumed to be 0.2.
- For the St.C initiation functho, M is assumed in the etes'sessment that 5 to 10 minutes arle. avai' ace for actuating tAe system, and it is qwen an unavailability of 0.25. Sicilarly the RHR supprqsrf on peci cooling function is assignd a failure orobabi11ty of 0.2.
LOOP The loss of offsite powGr ATVS ever.t tr,.e ('able 50.9) is developed 1o. a - similar way, as the WSIV ev$ni tree. Thg plaAt and systao f espense are eco-sidered identical. loss of Faedwateg . This event tree also is s'imilar to the M5:V eveat tree except in the c:n- - trol level function, the SLC functior;, and the W function (see Table 53.10). - Becaus e of the initiatae, f eedwater is a.ut6taat(cally runback. Despite the ' loss of feed % ster, the GIV remains caen .ind the condenser is still avail-able. Therefore, the control level function, giv;n the success of coolant injection, is similar to that for turbfnn trip; tAe unavallobility is 0,13 (Table 50.7). liowever, in the svent t. hat c.oclant injettien is not success-ful, the control-level 1 'une W al level event tree evaluation sM:ws an unavailability value of almost unbly (Takle 3D.7-case III shows ttfis tree). .
$1nce, without injection, Icvel 1 is reacmed within 1 to 2 41nutes, the ADS inhibit function is also assigned a high probability of failure: 0. 9. Even in the event inhibit is Juccessful, without injection, teyd1 cannot be main-tained. t 10RV
. Table 50.11 is tr.e SM. revised IORY ATWS event tree. Cueration data indicate that the onset of an IORV event of ten precipitates a loss of feed' water; therefort, the runback function is assumed succesful. The SRV reclose function is assigred ' unity failure probability because of the initlator. A13 221
. t
s.- -m- -- - -- m -- v e i the functions other than these are also the same as iri the turbine trip event tree. 50.5 OISCUSSION OF RESULTS This section presents a discussion of the ATWS results based on the quantification of the SNL revised ATWS event trees and comparisons between the ! 8NL reassessed values and the SNPS-PRA values. l i Table 50.2 lists the BNL' ATWS initiator frequencies for six initiators. l 4 , The first column gives the SNPS ATWS . initiator frequencies at. 251 power or. ! 1
.above, and the third column gives. the initiator frequencies with power level !
i larger than 25% used in the transient analysis of this review. Transfers from l the turbine trip initiator event tree are identified and listed in. column 4; ' they are made to MSIV, loss of condenser, or loss of feedwater initiators. I The last column shows the ATWS initiator frequencies used in the BNL re- l quantification. . i To illustrate the effects of the BNL modifications to the event trees without the initiators, Table 50.3 compares the conditional frequency of core I damage based on the SNPS and BNL ATWS event trees. Only five initiators are
} listed; the loss of condenser and MSIV events are consolidated into one 4
group. The increase in conditional frequency is seen to be relatively small; no initiator shows more then a factor of 2 increase, and the MSIV case. even shows a sligWt reduction. Based on this information, it appears that, even though ShL introduced major revisions to the ATWS event trees, the - final resut ts (without the contributions from initiator frequencies and from the feedwater runback function) do nut change significantly. The results should be interpreted with the understanding that there is a lack of information from physical analysis to fully support the BNL assugtions; they are often derived on the basis of engineer 1 rig judgment. The final -results. .are also thought to be sensitive to these assumptions made in the reassessment. Moreover, the current EPG can be igroved to provide added assurance concerning the opera-tor's role in successfully mitigating an ATWS event. In the SNPS design, the i operator is greatly relied on to mitigate such an event, and his failure to follow procedure or to perform a particular task in time is the major contrib-utor to the ATWS core damage sequences. Almost all ATWS accident sequences
- are related to some form or another of operator errcr.
Table 50.4 lists core damage frequencies for the five different types of initiators, obtained by using BNL revised ATWS event trees and SNPS initiator f requencies. The first cop.umn shows the SNPS core damage frequencies for com-parison. The second and the third colwnns give the core damage frequencies for Class IV and for the ATWS induced LOCAs based on the BNL revised event trees.- The last column is the sum of the second and third, and it gives the total- core damage frequencics Based on B?tL event trees and SNPS initiator fre-quency. The increase in core damage frequency for most of the initiators is small,' less than a factor of two, and there is a slight decrease for the MSIV
- initiator, from 8.3(-4) to 7.2(-6). The overall increase in core damage
- frequency is less than a factor of two.
Table 50.5 'llsts the core damage frequencies calculated on the basis of BNL revised ATWS event trees and SNL initiator frequencies. It is similar,to Table SD.4, and includes the SNPS core damage values for reference. The Class - 222 4 I _
~"
.: . . G-~
- ~
..:. . . n. :. _ ; . ,-
~
i IV contribution and ATWS LOCA contribution from the BNL ca'culation are pre-sented. Note that there are no Class 1 ATWS accident sequences in the BNL quantification. This is because BNL judged that insufficient time is avail-able for the operator to inhibit ADS and prevent a Class IV sequence. BNL judged that most Class IV will result in a core damage due to loss of suppres- ! sion pool water. The major. contributor.to core damage comes from turbine trip l followed by MSIY events. This is to bc contrasted with the SNPS case, where MSIV is' the most dominant contributor followed by turbine trip. Note that the BNL MSIV core damage frequency, though contributing less than turbine trip, is still higher than the SNPS MSIV core damage frequency, 1.1(-5) versus 8.3(-6). The major reason for the increase is ascribed to the difference in
' ATWS initi'ator frequ*ncy. The BNL ATWS core ciamage frequency is a factor of 2.5 higher than the SNPS value.
- 50.6
SUMMARY
BNL reviewed the SNPS-PRA ATWS evaluations, both' qualitatively and quan-titatively. The assumptions and physical analysis results used in the SNPS-ATWS analysis, as well as the SNPS specific EPG, were reviewed. In general. the SNPS ATWS PRA attempted to model the events as realistic 1y as possible; areas of conservatism in pievious PRAs were explored to provide a realistic picture of the ATWS induced core damage' risk. This includes the availability of the condenser heat sink for turbine trip and loss of feedwater events and low power ATWS events. Ino general, the SNPS analysis was considered to be reasonable and useful in providing an estimate of ATWS core damage risk. In the course of the review, BNL identified three areas that warrant some ' discussion here. The first relates to the ATWS physical analysis. There
' appears to be only a limited amount of ATWS data that are directly applicable to a BWR-4 reactor with a manual 43-GPM SLC system. Consequently, it is dif-ficult to establish critical parameters that define the condition of 'the Shoreham plant and the time"available to the operator for particular actions. ' '
Based on the limited analyses, engineering judgment was used in reviewing the SNPS analysis, and changes were made to the SNPS event trees. For instance, ! these changes affect the time at which RPV water reaches level 1, the suppres- -j ' sion pool temperature limit, the effects of 43-GPM SLC on water level, and the effects of delay in actuating the SLC. BNL judges that changes to these physical parameters could have significant major impact in the assessment of ; core damage frequency. l The second area concerns the SNPS specific ATWS EPG. It is BNL's opinion that improvements in the EPG would be very beneficial in the areas of operator control of RPY water level, ADS inhibit function, and RPV pressure control. More details are needed to assist and guide the ' operator in responding to the accident at hand. , The last area relates to.the extent of operator action required during an i ATWS event to secure the plant to hot shutdown. The SNPS requires manual actions for most of the ATWS mitigation systems. However, very little time is i available to the operator to perform thase tasks; in many cases they must be done within 10 to 15 minutes after the onset of the event. This is why the
- Shoreham ATWS core damage frequency is about an order of magnitude larger than that of the Limerick or the GESSAR-II standard plant. It is prudent to recog-nize that there are large ur. certainties associated with the estimates of human l 223 1
i
7 . ... . . . . .. - _. .m m.-._---
~
l errors , and for- this reason the ATWS core damage frequency c6uld be very -! sensitive to changes in the human error probabilities. j Finally, BNL performed a realistic reassessment of the SNPS ATWS event. The results indicate that given the assumptions used, the increase due to different assumptions and modifications to the event trees is far less than a factor of 2. The ATWS core damage frequency calculated by BNL using the SNPS ' initiator frequency is 2.2(-5), compared with the SNPS-PRA value of 1.8(-5). Use of the BNL initiator frequency increases the total core damage to 4.5(-5), which .is about 2.5 times the SNPS-PRA value. . 4 b s G e e 9 224
~
a : ; _ -. - : .- . . . .: 1 IMITIATCR
~'ts:st
? C:':0!':t:A :i3tys $EC'. :ARY I
[f.t3ht F EI'*.:Ait2 D*tss MIAT $;::x Rf? AIM C:::iA::t- C: Ass OF
* *IF MC'* C':S ** !!OUIP:CI 7tL*:; fit ';t':CY C;DE :CT 20!T'ev.TZ3 9IGH Ta'IA C::::t f t::t (FIA RX C;2E TR.) Vti:.;;I?J2L!
;R ~~J':SilR T Q i A H W D E
i d 1 1.0 T TT WITH $YPA55 0.35 Ff g. 3.4 14 AT HIGH POW S
~O TI TT WITH EYF453 -
0.1 (10) -- !!0 5 E!PGL'-- TD MSIY CLD5ung 0.09 7fg. 3.4-16 (6) 1.0 TV TT WITHOUT 10*I I aa
.~0 TWE TT WITHOUT BY-0.3tP (5) 1.0 (11) Pass' No C3tTAIN.
71087 (Z) (7) TWO LOSS OF CONO. 0.01 " Fig. 3.4 -16 TA TT WtTHOUT CYPt.15 3.2/Ra Yr 0.C01 M (4) TAE TT WITHOUT SYPAS3 gg) 1.0 (12) r;0 Car;TA!!s4ENT (3) T'A 0 LOSS OF CONC. 0.001
.0 Fig. 3.4 16 LCSS OF N 2.0 TQ W/tYPASS Fig. 3.4-17 *[
0.70 '0 TQt TT WITHOUT EYPA33 (IJ) n,g NO CM TAtr."1NT 700 M517 CLO51 Jet 0.22 7i9 3.4.I6 .
' Based upon fatture of operator action witMn 12 minutes to trip the feedi.ater pumps ane automatic sachus
(
- A11 Turbine Trips for watch typass to the condenser is not functional, are tensidered to be equivalent to MSIY Closure Cvents.
i
" Assumes fetirculation 7'me Trip for turtine tries Initiated free high power (RPT failures are included in the aef. Figst
- 0TE: This figure is used to estimate the fraction of tuttine tria events from htga power wMch wt11 becone isolation events if there is a failure ta scr .
l l i
~~~
i
-- --- .F. igure do.. I Event Tree Diagram of Accident Sequencas Felicwing
)
a Turbine Trip Initiator Frem Hign Pcwer 225 il ,
- - - _ - . - - - .- . . ~ , ..1.-- . _ . _ __z a .._n.. _ . ._ _ . - ..n_ --._.w. -a _s, s - , _ , -
4
- ~
5 assonne maa.a .yg s__ mgusgygge engg ' , i:.wr,uns i.en;sa -
.r : . . ,;,
3
. 44:st gait bei se onc. aattuast aseenast saaae, its ru',
,,,,,,, aos as ta sen ,,,, a maya nt u an is, us resuant dacuen t li see.,aro m,,og gu nici. .. mas was was met 4 28 A .gu,a usi'2 *41s.
,.,3,,, , u ,
m,( yaw s
,,,, c i ,,;, r , s. v,,
,,,, .. o, u.u u s ... me in.,
,1 fi c a a a
._ i _" . __c ' ~ 8 c, e e a __ u, u inanssia l
] e,8 scg s) .. et l ""'* i-.~ b8~5 r,a sc,s t, e ciass av i 2 E -* < e,' sc,a ps, e uns av
. . - 5 I
** a ** :E1 (c n sie 3.u.so alan av
,, 8.t ; ' ' .u.
3,u .3 k ' 't i 'al sles 3.ig.a reau sc 8 ' g(gsP8 a.it.s assa av G l 8 <-* s,8 scgste .. at { h "'8 l Iki L i,i sc,c,,e r,8 gc,slau, i.x. . a uns iv aan av s,' (c gulee s.M ia cian av i ,,,,,,
,"'8 r,5(cs)tug 3.n.s c ass at i
n.af.: I I,3 gfsprus g 3.n.s nass av g a r.s i r.r I,8 (cg sy, t.et e nast av
* ,_ 1 ma g,8 gc,s g,e .4 cian av 3.u-a s.u.:
ls.r-i 't I't'I'2" '*"~' '""55 *
*Mi'E -
_1.g -a 3,g,3 t,'(csy,us g e.w.s taass sv 8 318
.g.e s.t.6
- r,1 gc, sin , taan av
- e.a ,- r ,t gg og ,,,,,. ,,, , ,,,,
s,8 (c,ek c ,sassInn a' ' lan= ' s.. sw. a - J ' ** b4se.8 as,ame the feaway of the tilA pe er 'altlater only. s i.i.i.s..is. ,o .sua.,e,.w = ,cain.i.ne. sese=: man tas44 4 la set:6en 3.e. i ..
' Figure SD.2 Event Tree Diagram for Postulated ATWS Accident Sequence 1 following a Turbine Trip w/flypass Available (Sheet .1 of 2) 9 i
. .. ; = .. . .
. _ e
=
a - == mum ==m_=m um==
.:as:s:3
- s: : : : as: : : : : n: : e :e
_. - cy y s - sese ccc : : i
.=
I" !? *??
- sxx== ixx==wm : =, sx
*Y? ?? ? ?? Yh 5- .aaaa aaeaaa se ea su W
5'
= _ *54s>%s%(%%%4%%kss 3
__ -_ - = v-
- CN i
5
-j i:- =
4 4 L F*
, - mm a --
,_is_
-. 1 .
.= a.
- : : _- :. e
. . . ..a =m Uw
,g I
2
-. y, .
- = - - _ .
518* -
- 4 4, 4 a 4 E a
_ s s
=>
8 u< 33 m
? ?
s *
? ? ?? %o Ig a a m z
- a -
a a a 5g a> C C3 _ 3_z_ *y c. % 2 3 3a-x .
- b CC E wE b En zg **
s n . a
- 55 g *w -
w _ i. g 2
- m. .:2 I C'. 6 l i *!! !
ve.
= ii 6
Jd u a e . 1 t ,. =-
" 8 t i w s _.
> 5' w-42
-4
^ 3 Wg.
- J- N
{
; g-
- M e
e ~2 a : i .- .d
= =
. - e i -:
g~ .a
; l .
v2 i. 6 l l i
- e . s_
e j 53 .- e= i a
=_ l~
. .: . u.
i _ 3 2 a x . g *.
- i r l 2*{ 1 .i !
- ls .
.* _i l 2
.L81 3 : .,
-l l m-(
15 -s:- . d':: *- t l =:1 l=== i
*a i m! 3*! l i
e 227 t ______.._...___m.__ _ . _ . _ . . _ _ _ . . _ _ . _ . _ _ _ _ . , _ _ . _ _ _ _
l 1
?
- - ~ - ~ ~ ~ ~
; i.alilitam . . . . = M!!! 8 s m!*1. . . . ._ . rus . qu!!v!!! ._ ee!L ! _.4 gargi.ec3 .;! <wasup e
l M CI8C- AeEquAlt desquait SWIIt eu er sarci f HQut Ef U #$I "I Fist Aa8 retStadt a(Milutiv v4 W1 I" " MI W "IAI irer MIts Alt 0 l H er.uiat * .t haAss. Cat
- s as01 anse sgqwggs stitlestat "IU"II8 N M8' idlP Ossie01 Casalect titteit I" "
rAgt givtg M Mile
,.s* Vaar, "' # "*" 8 r . _ . . - . - - . . . _ _ _ _.
l . I,,2. g n I t a a se t, e e a u; y a iaAtifte 6 I g2gg ggg , og 8.ef-2 3,2(f5)gg 3.0E-lo tsAss av , M.4 Ig I ICs)#g g e (ans av ! 5.f-3 Imr.ge gsg. g , gg ,,, . g,,gg ,, j vg agc g,3, ,,g., a ng ,, 8.86 g a 8.5 I gg (Cgs)te 2.St-S (3 ass is r,,a (cgste - os l.ac.: Ina (cgileu e ans av l ,n a a n geg ,3,,,, ,
'~b I n ,35 ,,
l
's.f-i s,,aggg ,3,, , n ,33 ,,
g ,,,, r,a g ,,,3,, 3,,.,, uns ,c cn l e.s y,,a ,cgsleun 3.u.ie n ass av i
- 8 iI(Cs)(a n a s.u-s aes av
-g, ,,,, b 6 E4 v,2 gt,ga , ,,,,,,, ,,,, ,,
... m ..... '. kesk/' :.*-=
..u .... aes i t E22/tavse 85 N B l .M -5 a A55 tu 2 g if -4 g gg an ,, (
T,2gg gggs, g is-4
,2 gg ,g 3, $g .g g ,, ,, g ot g
! . -> ,,, ,s. . , o .,, ,,,.
i s.. u a C
@ e .. . 44. 4. s.a so. s.4.: !
%i&.i .. % i.u sai~ 3
'I**Id!*].g _ ll fr.s Af (rst I f.r.e,1L a,
- 1 N ei m...t . .. n __ .. . _
use.i.. ___ ...___. a.11._ _ f.lL_
. )
Figure 50.3 Event Tree Diagram for Postulated ATWS Accident Sequence l Following a MSIV Closure (All Initial Power t.evels) (Slieet 1 of 2) _D
- - - - - - __ A
.. . __ - ~_._ - _ . . - -- .-
-[
jellI Asime adMsguely (ensmut Pet 11ast W Milvilf PN15ket leM(Ilell leASWEGI(ht GP(SAllh (Sd(Alleita AN4uAIC , NA(IIW1II N III ggg fW es asp (3 - (8All of MCISC. AN4 Mali (essitet (Oct Amt 64 4GI beh MAI - (At(leAllt reifteAlle Lt d i Ht( 8(At tits el(At 8' I I"EIIIU E I
,,g g aL e -
Miualle EAN.,I,IIII M1 GhA is4(186s1 fr .s va4 WhAmit iW IN A48tf t'R I E _s_ _t_ < = = = <, - - . _s _ = j asaa a ,,,,,, % s .e . InyC sa y,3Cp l.M-S (8A15 it g ta= *w 3g.4 - 8.*a. y Ig 3.M .te (gags gy M.3 .
,i,2gg ,. ,, gg ., ggggg ,,
- s. I ,#t ,e s.u.; (iAss ic
,I
, I ,IC,18 3.g.y (8A15 gg ingC 9 . u
~
-l15 2 I g
f l.M-9 n u _N (LA55 is M se at % C (t An 1g [. M.3 ] $ Iggfn M 8.M-Is CeAss gy See %ses I . I8 I Inn i 88 I.N.e (4A15 IC g o.5 I- Inn,i tus e.g.a (4Att av i
.t . ,u. . .. . -
Imm 'a 6 u-6 's4515 i i
.t.22es.va. a.as
{ M.3 ,agag,, ; 3,,,,, ,,,33 ,, 4.54 8.84 I C C4 2 6.21-7 (tA55 IC ,
,,,, I,, C, C,is 6.u.s (iAs1 iv
,,,, r,,'r, a s.n.se (4 As1 av l
]~ f,#)C 7 51-14 (BAS 5 III6 ,
, . u. s ai. A...i e.,.i t..tt
- i ... .. . .e mi., ..
l figure 50 3 Event Tree Diagram for Postulated AWS Accident' Sequence Follow-ing 4 itSIV Closure (All Initial Power Levels) (Slicet 2 of 2) t i .
! t i
i 7 . 1
G_u._n_s_w .. n u neils usiam _
.-. _Jt!L _ oggt!; gig; _,fgt , im'act6umspunh . wa.msmi '
~ ,,,,,,, ,,,. ,,, n u .c. nir.wie ein,un iuin u.i,,,, as ' = = *c i nu inous a ' * " ' " ' ===
a'
" " ' ' " ' .efo n.
sa,m m. ama me = "'"' *a5 "' it .ut ua.
',u , ".".=t.
. i- o -
Ju.
.t . 48 2 ui.au. vui nut -
*r i, a c, }~~a a a c, , e a W, u sw *.u se j
, 3,3 ltgs) .- 81
- j asma ,,
, l LLE-L Iv3 lcgsig s.w se faus 88 I I E-4 g 3l(g Eltig 4 (445 8e i 6.E.3
- te'
- :'
- g3 gg gje I .M .3 (3 Aig gy
,,,,,,, i,3 g,s). ""-* ciass e
! s , s.es s.a. ees.ea. 18,1 Ig I lf Elid g 3 0I*O IRAIS It 3 } [' *" h l I I I*O I f M-3 l'a' I' s,3 lc,rw a
~
nAss av g3 ((g )g pes, e itA11 49 ae 6 E-3 I 3 K E)fG { 3 I l.M-4 ftA11 IW {
,,g,g g3lC gs)fu 3.M-9 4 A15 IC 6
j . gI l({E)fte 3.M - 9 4 A15 It y 3 f.E I.f-?
, g3(c,sy, r.M-s taass is I ""
U g,g g Ig lC 5)C g g4 ha (RA11 IV l.u-a } i s .le* i , % l'a8Ka " 8.w.s "*55 K 2 M tr E85 gIlC5Ml$ g , g .g g g (L All SW . t ,t ,4 , 2.lWS*IF g ,g . g.
- 3 g gg,, , g,ggg ,,
j g3 l( g) 4.26-9 8mW aMA a.e l l.a.: g,3 g, ens ,, e o ass esse l*l# 1ae Shast 3
- Eesad egen the feawesy of the higl. pener lettlater only.
- Setledas tesb6es ts6p lettleser la e&Ith the operater talps issa atar per pressaae.
** (esservatlee appeseleotten becaese a laagst fracties of failures esseste .
e ee a leepa Cless I samtalhellen and aestler Class If sentrat tles. Sawmass tasated te Sattles 3.4.8 figure 50.4 Event Tree Diagrass for Postulated ATWS Accident Sequence i i 2 following a toss of feedwater (Sheet 1 of 2) , I j
]
t I
- e sus stasse
! mattgeggg (antha _,gg L ggljylly ,Jg1 saaevealias artaassem tensasasern ,
M tsac, tu enseta g, , g ! aetguaK aattsagg saeti, aos restiaasta N 8' 888 testant ,, g , e,,, as45 I" s#al l
. . . - - au t st a. ses estas F881 WM318133 I "I
..m. .
alpitilan attm M" M i
. - . . . east .stutt
( o., e *- g,1 ~ c, cg a
..a.s, . .
E 4 c2 ' " a % W .
, T,k,, -
M *
! 58 5 l __
s,ky 3.u-a nats av l 2.E4 gk g 3.u-s i stass av s.f-3
- gg sgj y,g.g aggg g, g ,g,, i g3cg8 8.M-6 hass K i*5 i,5cy. i.u.6 o ass av Eg5 cf - M I M.W-1 g3cgu I
e.2t-9 (tass IV
! - [ 2.8 4 E,3cgg 3.g -na taass et s
i ..g s.r-a i
- s si -
r,3c/o 's.u-s pass su g ,. .g i,2cje I* 5 s.w-r oan u j g 2. ,.. i,2cjm i .w-r u nss i,
~
r,3cj, a.sei..,, " i .u - 6 c ass pv s.u-2 m-s ,,u ,
'rJP -
i la s r,8gs s.u-a nass K 3.s
- __
i,Njps s.u-a n ass av j p a.t e* r,5cf 2.u-s unss is i
,,3c ,a 2.u s (eass assai 8 ~ + .6. s.. w - ,. 36 6:# , , i. u sa.a , s i,,
i . Figure 5D.4 Event Tree plagram for Po tulated ATWS Accident Se-spumce following a loss of feedwater (Slieet 2 of 2) f' ( , l .- ,
.e i
) IblllAlae PM5M etEllWIIs tM15a75 _ .-alAtlin_Ilv GEM Isag(Isa 12 3434 3 se.as ll. - LiselAlastal oc ..
.a m ,,, m ,4c. mi.. i. ,,,,,, ,a n . m, ,
,,,,,.,, ,,,, , p,, $$,a,,
ma m m.. ,, => <a an i ==n= mris = =m- .a,,, ,
,,, w ,;,,
r . . .. .,- m mt'n
- . ..., . . . -- nn., u. m..g". . <m .ati - un
. . 64.
i, 5-c,, 'r, a s a c, e s. a g e, - 141.!.54 IR i
*'~8 Ig ' It gsi - "
g ' *** ** i 3,5~ ggsw a n asi av 2.(-e j
-- Tg 6(Csg g a (tA55 le
.. "*3 asne e y 5 a (aAss av i 8 (c& )s
- a. 7 s.w.se (sass sc s tu- e6 ,s y,5 ig s gege',g g,. g,,,,g.,. gg 35 ,,
g s,'se,E)r - a . l lW. I gg lC E)N 4 ftA11 It l } I r.t e ,gs(c,g a 5 c Ass av
- s.
- -3 e
,,5 gcggg,, caAss e, o.as , s 4 (t'A55 IC N
- I vi
- I'a )tu yg0 (Cg Elfte 4 (LAli IW
! N 7 f .1 9.f-P g ig (fE)C g 2 I
- M 's tiA$$ 9v 8.00 1 M-3
, Ig g (Cg E)Cp d' stA11 le I s.87 i . . Tg 8(cttc,e t.u-o n Ass ac
- g a.as p y, u .8 5 y 5gg ggg g,g.S H A15 le I^ '
y 6 gg gggg - 4 CIA 11 IV
! / ,
[ ,,. I'E g ga 3.u.se i. ,,toca Ig, Cass 4 cgags ,,,, , u-5 es z u .i :) . j @ s.w.. ,ue i. s m i.e.: I Fjoure 50.5 Event Tree Diagram for Postulated ATWS Accident Sequence - i followingaLossofOff-Site' Power (Sheet 1of2) 1 i 1 e
~ '
, , p. e-s-99e,e.,
* ^M- >eemmespa s - . eeh y".
I e a E
- m e a. me all8l : : : : = : : : : : : : : : : E
- . :g: v,, :
. . :. .: : : .e : : :o e.: e o : : : e .: - .: : =
3.* " * - * ' ' =
- s.* = z ' q u.1 s-
- =
. . ~
g . J . . s . a f t a l e } "~ 3~. . , u
'* S- --- J.J J J J.J J J J J J J J J J JJ J
.r :%*/**:**%*/:*~%%%%%%
C-G Ei Me w I N 31 E I ~ 7 a ,.C Oh
; g- I ~
$l g'. ~I $ $ ' .
40 vs g 'II7 / ?
. e N Y$
; o == 2 v1 i
~ 4 g .
3 n . , , , , Ig = * =
- M
- e
". .. 1 g a.
I E -E = a w u- a - 3 - m ,. 5 IwI 2 4 z. Ca
- a. i b
j
- bh i ,,3 .
CC
- E E w 1
a ,, - I 15m -
. ac 4
,, = 6W
@A
*L *e= " , i
- C I
-62{ a.
3
=
i .. =- . G
' GQ
%C g 1jy.. .
t-3 ggg ; C pne Go -
- D C W L-m.
. I m I W
- e u
} sh
., s e .
l
= =
C1
- 2. !
w
-z-- ,=
- l, 4 4 32 -
- a = #l *
. 5 4
, ir ,
3 j i
$$ o ,
5 I . l i e i i l 4 $
! !! a n . i 6
4
's 2 31 3
*-'l 1 l
lm I i , i 233 i
+
.-- , _ , , -..m.-_,_ ,,_,._________c_ _ _ . _ . , . . _ _ , , ,_ ,.,.-,.c---. .______r,_r,...., ,...~,..-,._,_.-.,_-..-,-.,,,,,,m-,-,..
e 8 (m v el sl sv v a a i c s v vc v v v i i i a i i a a v v s ua av i i i i v v E v vI i a IV a at s s sue s s , s s s s s s s s s i s s s i s s s s s s s ' s s sss s s ss , $' s s s s 5 5 s s att a a a a a a a a a a a g a a a a a a a ' a a A a aesr g o nn nnnnnnn nno nnnnnnnE I anU n e I . H e e e e . e a '
- s. . s. s . a ' a a - s. - . - s i. - s. e. i.
w . a t a 8 t - w M. u. u. u. 'w. . I' 8 - s t
' u. e .
- s. u. e .
' n. s u.
a ( I
# i 4 6 i 2 s 2' 1 5 e
* , e, e u, t*
r' a
> w,. e.
ii) c c ci c i e s
) l a .
w s s, s, g ., s, sg s, sg s g s s g g
= , e, C"2 M / j "n
/
e u '$ c e ( 8 ,* g t r , , i
,c iac c t
i 3 c c c c c ( i i i ( I I t I I I
'n9,'#ac cf cf cg j i
' ir s , r i
,' ,6 ,' ,' ,
,I
, l'5
< e i iI s
s g ee S v l Ma r a . ' t a nV _ s e r n d a I'
,S
" e df I ,= ie l
i us ci e l l su a cl A s et
- Ae t o e* g ' R i
r an '
- s. S
- t c ee s n' n Wn I I' in '
T e n s* Ap i t o O t y a d a , ' , , ' , ' et M s o , , , ' , - '
't n e
- l. a ,
y
'l g
, g-
" g g
* " ae lt s
ur m t e a" e . s . t sv a n . i. i. od
.ca e s Pa fI n
u o man tsma e _ts av r eti i t c c > a tc m rg sa tI at e Nu ts i. e gn a i e. ai E iw a Do qu , l s s u a , . el e ca a , u eo
. rf T
e t c s , nn ee
, vu E q 6 ,
e , , 0
, . 5 n 3 a e.
a 3 er m g . t e j a ( i g u s H 'f c
' u 8
8 t t - s 'F 8 8 i t ' s t a t 4 a M t s . 6 . e, m e t e r E s.
, - m -
, w
, n' s
I w
,i h .s i s g,h t p :
u t g a
, r t h
]t, al .
gt g e g {i o r$ . {;2i) ' l .' ' , l 4! I
Y J
/ _. '. .
!, 3e r ' - NSAC-69
- Ref. 22 - r g -
. . . p i
fV /
/e V t-i s / VHC
- / f.* Ref. 18 ,.
l ' ' j CORE THERHAL POWER /* V NSAC-69
- / N. O BNL
- mc ef._ O n / 4 .
20 - p ,
, he . 21
, f '/,- .
j u s' of -
= O/
;1 i
4 m a. 85 M a /' I
=
./
I
- E . ..
l w d IS - l. t o
- o ,
i 1 I I f 1 't { T1F L1 1.k NORMAL j
" l1
-to i
-s I . f. 1 I . 4 !.
e 5 : RPV WATER LEVEL (FT ABOVE SEP SKIRT) - l[' ' r figure 50. 7 Reactor Core Thermal Power vs RPV Water Level - Redy Estimate 4
ND FEEDVATER INiflATOR TRIP EONDENSER MSIVs fuRBINE DuE TO TURBINC leEAT REMAIN PLANT IRIP 46] Cit LEVEL B(PASS SINK DPEN SEQUENCE CONDITIONS . FREQUENCY I O A V D - T TT with Bypass 5.33 l 02 TD HSIV Closure o.it TV 0.01 - cn 1.0 TVD Loss of 5.5E-2 Condenser 0 001 6.1 1.0 TAD HSIV Closure 5.5E-3 i to Loss of FV 0.49 j on i
-1 2
TOD HSIV Closure 012 Figure SD.8 Event Tree Diagram of Accident Sequences Following a Turbine Trip (BNL Review). ( j
= . ;_ _ m , - - - - - - . - - - - - - - - - - -
_. . 2;.; ~ c.. s.a . Table 50.1 Transient with Failure to Scram Emergency Procedure
- 1. SYMPTOMS 1.1 A valid scram signal or condition due to a reactor transient is alarmed or indicated, and all control rods do not fully insert, as indicated on the full core display, the rod position printout on the .
computer, or the four-rod display. 1.2 Reactor pressure and/or neutron flux indication increases abruptly and may go off-scale on recorders and meters. 1.3 Safety relief valves may lift.
- 2. AUTOMATIC ACTIONS s
2.1 1115 psig reactor vessel pressure and above actuates various safety relief valves. r 2.2 1120 reactor vessel pressure TRIPS the reactor recirculation pumps.
- 3. IMMEDIATE OPERATOR ACTIONS
! 3.1 Mariually scram reactor per SP 29.010.01 (Emergency Shutdown).
i
- 3.1.1 , Arm and depress manual scram pushbutton.
3.1.2 Place the 14cde switch in shutdown. i'
! 3.3.3 Verify all rods are inserted.
3.2 IF the reactor scrams ANO all rods insert, AND power is ~ de'caying, THEN continue in SP 29.010.01. 3.3 Trip the recirculation pumps. ' 3.4
- Comnence suppression pool cooling per SP 23.121.01' (Residual Heat Removal (RHR) System).
! 3.5 The following attempts to scram the .eactor are to be performed concurrently if manpower is available. 3.5.1 Ins'ert those rods not fully inserted with the , reactor manual control system as the Rod Sequence Control System (RSCS) permits. 1 I i 237
- 1
Table $D.1 Transient with Failure to Scram Emergency Procedure. (Continued) 3.5.2 Bypass the scram discharge volume high level scram switches, reset the RPS trip,'and verify the vent and drain valves open. ! 3.5.2.1 Alternately RESET the Reactor Protective System and SCRAM the reactor until all
, rods are fully inserted.
3.5.3 Confirm all scram valves are open by observation of scram valve position lights. IF not, THEN perform the following: "-" 3.5.3.1 OE-ENERGIZE RP's' subchannel logic by opening the following breakers on , IC71*PNL-001 in the relay room: a) C82A b) C82B c) CB7A i d)I C878 3.5.3.1 Vent air from the scram air system by closing valve C11-02V-0704 and opening vent valve downstream of C11-01V0-7104. .,. 3.5.3.3 Restore the breakers and air valves to normal when all scram valves are open. 3.5.4 Bypass the scram discharge volume (SDV) high level
~
scram switches, reset the RPS trip, and verify the vent and drain valves open. 3.5.4.1 IN0!VIDUALLY SCRAM Control Rods at Local i Hydraulic Control Units (HCU's) by placing 4 both NORM-TEST-5.R.I. switches to the TEST position. 3.6 IF reactor power is above 6% OR RPY level cannot be main-tained OR suppression pool te5erature reaches 110*F, THEN pe Worm the following. 3.6.1 Start either A or 8 standby liquid control pump and inject the entire contents of the tank. . 3.6.1.1 IF RWCU automatic isolation did not occur. THEN manually isolate RWCU. . 238 i s
=
.w. _ _ . . . . . ~ - .l.-- - - +.%. . :: '
- ..:. a . L- - A ^
~
Table 50.1. Transient with Failure to Scram Emergency Procedure (Continued) 3.6.1.2 Terminate all injection into the RPV with the exception of CRD and RCIC or HPCI.to maintain l ' RPV water level above the top of active fuel (TAF).
~
! 4. SUBSEQUENT OPERATOR ACTION 4.1 Verify innediate operator actions. 4.2 IF reactor pressure is causing the safety relief valves (SRV's) to cycle, THEN perform the following. i 4.2.1 Manually open enough SRV's to reduce reactor pressure
; to between 800 and 960 psig.
4.2.2 For subsequent SRV operation, the valves should be
. cycled in order to minimize local heat loading of the suppression pool.
4 2.3 If the HPCI system 1: not in service, it may be placed in full flow test to minimize SRV cycling. i 4
. O O
i . 1 1 l 239
. t
Table 50.2 BNL ATWS Initiator Frequency 0-100% Power 25-100% Poker BNL
~
Transient Transient . ATWS ATWS Initiator SNPS* Frequency Frequency Transfer Frequency ** 3 Turbine Trip .85 8.02 6.11 -- 5.33 1 ' ! MSIV .50 .57 0.41 . 24 .65 {' Loss of Condenser .25 .50 0.41 .05 .46 !, Loss of Feedwater 2.10 .13 0.10 .49 .59 . LOOP .082 .15 0.15 0 .15
^
10RV .09 .25 0.16 0 .16 Total 3.87 9.62 7.34 0.78 7.34 i 1 . *Transfer from turbine trip initiator event tree, see Figure 50.8. i +Shoreham PRA ATWS frequency from high power level, i.e., 25% power or more j (after transfer from turbine trip initiator event tree, see Figure 50.1).
- ++3NL review ATWS frequency from high power level, i.e., 25% powr or more (after transfer from turbine trip initiator event tree, Figure 50.8).
I
- j. -
Table 50.3 Comparison of Conditional Frequency of ,' Core Damage Based on SNL and SNPS ATWS -
Event Trees SNPS-PRA BNL -
Turbine Trip 4.1(-6) ~ 5.5(-6) MSIV and Loss of Condenser 1.1(-5) 9.7(-6) Loss of Feedwater - 2.3(-6) 4.4(-6) LOOP 9.3(-6) 9.6(-6). IORY 3.7(-6) 4.8(-6) I l I - l 240 i
- m. , . . . .._ . . . . _ -
+i- ..a - . . . ~ ... . = ., , -. , , ,
Table 50.4 Core Damage Frequency of 8NL Revised ATWS Event Trees with SNPS Initiator Frequency Core Damage with SNPS Initiator Frequency j SNPS BNL
. Total Class IV ATWS LOCA Tot'al
! Turbine Trip 3.5(-6) 4.7(-6) 4.7(-6), 3.4(-9) . MSIV and Loss 8.3(-6) 7.2(-6) 2.9(-9) 7.2(-6)'
. of Condenser Loss of Feedwater 4.8(-6) 9.3(-6) 8.2(-9) 9.3(-6).
LOOP 7.6(-7) 7.7(-7) 3.2(-10) 7.7(-7)~ l' IORY 3.3(-7) 4.3(-7) c 4'.3(-7), 1.8(-5) 2.2(-5). 4
~
Table 50.5 Core Damage Frequency Based on BNL Revised ATWS Event Tree with BNL Initiator Frequency Core Damage with BN.L Initiator Frequency-SNPS BNL Total Class IV ATWS LOCA Total l Turbine Trip 3.5(-6) 2.9(-5) 2.1(-8) 2.9(-5)
)
MSIV and Loss 8.3(-6) 1.1(-5) 4.4(-9) of Condenser 1.1(-5) Loss of Feedwater 4.8(-6) 2.6(-6) 2.0(-9) 2.6(-6) l LOOP 7.6(-7) 1.4(-6) 5.8(-10) 1.4(-6) j IORY 3.3(-7) 7.7(-7) e 7.1(-7) 1.8(-5) 4.5(-5) s = Less than 10(-10) . 6 4 241 e
- ,_____..___.,___....m., . _ _ _
, . . . _ . . , . , . . _ . . . . . _ . _ _ , ~ , . _ . _ _ . . , _ _ . _ , _ . _ _ - - _ . _ _ , _ _ _ _ _ - , _ _ - -
t . a ww www v t A L
, w u s ww .
w t
)
( - 2
- f 4sa o K 'st . *
< I- , , , , .
4 s ac m m - - - . . 1 M(a a, s <6 e M i s r e vt c _ Wf (e
. e n s s e e t
_ , , , e t , , e, v e mps e sa s, o E ., y m, m y ypp . e g h S a, e, s, h C 3 a, cs, T w , e 1, C 8, 5 e, g,, r, ( i 1 s s r 5 1 p
- a.
i 8 a r AV se 4D e w T e r i n b
. C S
L c r u
** T g
n 3 i n a1
. ag tv aK a
w o _ tL ' ' l l f o K w e _ m K . i c n e u r t u q _ c t r r e l e S e s J n S Ee Eb W T dns a (asuS s e A aQ
- A a < d t
e ftEE -
. a lvS E 6L e c
n Maf - - l u u SVE s _ s s
. t s
c C o n 8 m sE es
- s.
P e ntB f a EeB i
. r 4 o nv 8pI .
A C f . l m a a a a
- r g
as a i n _ a c
. s D meyD .
= ra n a -
' e ne-
< apMM ' e r
r - r T . i v sC g t
.- u eE c c
- n c L e a
c E am E v a @
- s3 6
8 6 rt as c e 4 5 0 s t P a e
. U i, u l b
n.
. mw/
g S W r T a . sto b
- ~ ,l.
.I, i I I
o Devimaan aracilVIIf CaetacL pg($$URC lgLKCTIOpf mangen fastant --= b _ a,r,c,a,n,c. e inerv rv
- S MIP N3E *W N ""I W/ pWPs53 EL C8. wg) amt M EE M MM WS M lh 8 M ME MU M N M" ins e,. cc e a a P * * "
'r % Cd l
y- I* r,nfo s*4 iv [ v., . i a e,ny, .ss av 4
- 1,w g,,
sw-s i< l 1 J E ,f ' 4 n se u u T,acy, 3 sa-.
~
av ' d 1 i,wj. ..-. ., og ?- i 4 ' f ' ,,,pv m ., .,
- j. ;
e __ _ > a i, .c,pe, sx ., .< 5 a a . _ i, cn mi iv 1
~
, . is g iep.,, .a-, i, a J 1, .ep. ..e 4 av , Ig ICp SJC 9 LW4 3,ICg EJE 9 44( 4 h' Table SD.6 Event Tree Diagram for Postulated ATWS Sequence F911owing Turbine Trip (Sheet 2 of 2) ; i i ?. + l. O
STATUS Eut VATER LEVEL Esibe4TES BELDW ABS teAINTAbt SEGUDiCE LEVEL hetISIT LEVEL Panmaan.ITY IBC Em E . , CAS.E b uy = R3s at AS4 43 at OLI l ro CASE Ib UH = ast
, . m as as CASE Iw g - 3.s u ,, .
as as l Table 5D.7 Functional Level Event Tree for the Control of RPV Level-1 [
\
e
I t
. moniasse atacTav Tv castaGL Pitf$$URC ls4 ECT90 manMa Famaec resenegas as:V weanc.
- m. naramic swrry rw . I' sass w ars ars nae, ses suas vmwr seencu c == = wrm cuca. es> smaan. a[a '" as ame cessant was rarawws t-ans wct acac trvia. s aLc arevat war =r eca vtan rLass g,
ga c,, cc e a a e e ar* w sk W ca [.' y .- y *.;;,- e
,pp. . ,,
w-. .s
^
, spra, - m-, s<
f
. syn sa o sv ,.t l ~
1 l
=-, ,
u
****3 un EfR enc 4 84 s
l' 1ppre. uc-a sv n ->' I,dCyg 19C 1. , IV '
, , ryh ac-. :,
4 . 4 00 Ig M4 $# s uppe ter upp u4 us.. - m*- Table 50.8 Event Tree Diagram for Postulated ATWS Sequences Following MSIV Closure (Sheet 1 of 2) ' 4 e s fT VV
. - - - +.4a4.b-a.-4 --Jb4A 4y e.- p.__ ----+.-*-----.._h. - - - . , , , - - -- .-,.~_,u_ .A._ .__a g -- ._ + ,4. o. --J. B--.wcmA._ .- s- * * . s . . - - - + e -
t a ggangge gggigvg]g (geIGOL PetC550stC los.ECil0M esauan raams ^ - - -- '
" 88
/=5, = Jg,. ,,,,, . k.Yt r ==.- . .,ci .ae rassen
- m. ==
star us-= -- rateraEs
==== r-
. g4 ce CC a s as e e r ir g c4 w I
% d T,argV s at -1 as 1
t T,3 Cpg EM-7 If M Tjeg e K 4 av I I - i' se 6e m T,EK Lef-4 IV - a e T,E,W W4 a# 9; ,,,., -. ,,
~
,,n .. ., ,,
1 BC LL =1 it i n .
-s,,p. sus wr
=-*
_i ,,. i44 u.. J Table 50.8 Event Tree Diagram for Postulated ATWS Sequences following MSIV Closure .(Sheet 2 of 2-) - t O
( 1I N ii iiI f t! e f. ; F . i ~ g;
.l: 1-O T
s a a s n a wt vw . w wu s v a y g u t c a t
,m we av a
w- e s u- a - . -
.- )
aa u c man s g M. e = 2 wr re s '4 u e 3 = f _ c, o _ s e m p g, o g rpr v, , p. p y ,3 s 1 _ m s a . s T , _ p v ppp s s s g g 7 g ,p y,r t e l
.- e 8
s aw a5- ^ h S u (
- wa e s *
- b P O
O c s , L m u n c -
- g u
r
- n n i e
s .e
- m. w o
a ua n nv % l m ata - .
" a l
l o
.~ f c s a
c r , e a a a c L n e 4 m u q T : c s w e w S i a su a S W ue T vsae a A a ess se d a & a e t ves s a l ive r e u K ran a svr t s u e 3 s s o . P K u s.a msm t *. r P arn ses spa a a m u, ~ n f o
~, ,
l m - a s o a r a g _ Ae a _ g _ i a _ D m c. *. _ n ieyn m *. . e o e
- z. e a c _
m nme e .
+ r
. c - _ y ( u T un _ s
~
i t v t
.~
*- n a sc s e T
c ra t . a at s v a E b9 t a s _ so r as en , e D 5 n l e w r
= a s b r s y a e t T
m l oQ t e .
< > Il 1lll
s A . s A L v w w a N w vs v a w E L m a c
)
e 2 e- o- s- 7 .- s
, .- t w-s a
t as n a M L u xe x t e c. t t a e t f o e, 2 r
" g y, cs e
p sa, K c e pyn w p n, u, u p c ycr, pt e e a M s v, s a T g 3 s, s , T 3 h S ( A 4 P O O
-- 8
- L g
C n c. a L a *
- i
. ^ ^ w e
l o im l
= a s
o f
= v a = 8 t > I =
- u s e
c c n a c ' e a u . u q e e n S i u a c S c xa e s '- A J W T p A d
- t e
n a a l t u s E M P o s s u a , s r Et e. _ f o s e
- _
4 y,_ t s e m a r ,.
, g a
i w
- D u
e . n t e a r n a
- 4 T
s t c w y n . s e s vi > E v c t c a d" c . r 9 a @ 5 D g' c n e , i - h e a m T a s s s e \ . ._ m a c e
, 4
--.. . . . . . . ~ . . .
1 en.we atacuvny rmina. Pus:ssaat ses rcisosa sesmi r m ra.v .n , , wr. n ,eenc. aeramic sart s, rw tas: ers ers is carst vm wr mamarx . cr.amn. ,,.y rwas ,, or sw arca aut s. earn ena two.ma. ataaer es mee seca acic ac trvn s et.assa. s<mariar rem um rien ya g q e u a e e a w g c, w
~n y**.*.'".
w y.*.*.*.'.*.*. w .
~. r,ac sw g t.c , av
'l{-
I as ' rp , uc . v ;-
= spa .c , u ,'
\
I
=. .
s.
*~*
y i " s,xy ac v so _;
,,6 c.
'^
s spyw s ec .. gw U r,xpe, su , u ,
-es
,, . s,syy aac-. av >
.1,x g w. i, a
ryp> . u, ,
.-* - t re,vt. . .c - .v . t
*S
-M
- l Table 50.10 Event Trea Diagre for Postulated AfWS Sequences following toss of iW (Sheet i of 2) I '
e s
- A' .e
v s messassa stEAcilvlit Casovaut PRES 5UltC led ECilass arrsassa raums 'unssaanwar arrant masP aaEasnIC sarcsv rw t oss ars ars lasP reEst VALVE ma.m.n' tassa j er rv serix ucer. amera ans riassam. acnasc as see wcs acac uurt i sLe stav umswr
'sas em ser.
arsawat rem was ram , tra c. cc a u a e e er ir g c, v
. e I
y", .t'.". . l* r,x,,=v a s ., ,,. d '
- .3,xpc, sec ., iv .
d i,x,,g . ic-1 .* t I I. J - to i. g " s,x,9 wo as . 4
- 1,xjev as-. i< e a
y,xpec, s.c-, ., a e,x,, g uc-, ,, -
- ~
,,x ,,,,, ..
a Ig x A4 S E -4. Laa 4 . Eg 4C S 3. 1 -89 ese*A Table 50.10 Event Tree Diagram for Postulated ATWS Sequences following Loss of FW (Sheet 2 of 2) 4 O
isdif talla K ACflVIII CIWilt15, IPESSURC led EC film arsaarne res. tac unsesses Sash ag g g # Bd FJ w agggangg garg g g gg NIE API ar5 leap PIE 31 vat.VC massarA , j ImtV - sgT94 Es (C f. 40sPla flB81Af5- AEQOK OS 80180 rimelem, 6d48* s'eheWi AAB 09'C4 ACaC LEVIa, 3 SLC afsgIVat. KOLE sd[C of u K.w rW g 3,6 s r, cc A a se e e er ir g, c, w l. _ _ . _ _ i., s fransfer .
> freweer
- i. i.
ere m et > trouaret t-e. I 1. [
^
asa. . {$ ro un -
~ ,
Tg yEPW 400 9 a# r,wpe, 4.C ., ... i,u,g w 4 ., i, . 1,wn, .. . ,
. {.
,,.. I' 5up .,,,
... i. -*
5 u,.
.wi
. .. 4 l'
i Table 50.11 Event Tree Diagram for Postulated Sequences following 10RV-(Sheet 1 of 2). ' o 4
m ei.ran ac e siviir conium. encssuuc i.i x c n ni = = = r. = coa.m==i 8N arcsec. I MW PsteP ABI MinIC 5 Afrit rW Pe[55. NPS arg psi [tt. VALVc w **, g- <n. aces. .s.Pr alp. . ro ien. anoic as noark mam. nic f,itefR, ste l as (Wea m'W.' i ,ci i vn. nr.E.w=. x=<=c n .rw r..c: Is t r,, r4 e a se P o is' ir g. w c4 s vr. o.c
' tre t se N
en N s,st,pv na o u s,sepc, ur i u
)
s,u,,q , .:cc s v J s,upsss, su u a
,g -4
,, - t i
Table 50.11 Event Tree Diagram for Postula'ted ATWS Sequences Following 10RV (Sheet 2 of 2) t 4
, I
t . '2 :::a - . :.. : ... .w - :. --
' APPENDIX SE REACTOR WATER LEVEt INSTRUMENT LINE FAI'.URE' SE.1 BACXGROUND The BNL review of the contribution of reactor water level instrument failure ,to SNPS core damage frequency was an evaluation of the SNPS study SLI 8221 . The accident sequences progressing from a loss of a reference leg
' initiator were f ound to be an important contribution to SNPS core damage frequency.
The SNPS study consisted of the following: 4 a) A detailed description of the water level measurement system. b) Measurement error possibilities due to variation in plant conditi'on or because of instrument line flashing. c) Vulnerability of the water level measurement system to combinations of several modes of failure, such as the failure of a reference leg by leakage with either subsequent loss of a DC bus, or additional random failure of a level measurement channel, or an additional main ~ tenance error. d) Description of the sequences leading to core damage and their quanti-fication. e) For item (d), LERs and human error studies specific to reference leg leakage sequences in the SNPS, taking into account pertinent SNPS information on control room display and annunciators. ', The design of the water measurement system
- includes the following unique features (see Figure SE-1 and Table SE-1):
a) Two reference legs, side A and side B, for all safety instrumenta-tion. b) Two DC buses (Division I and II), each feeding one side ** of the instrumentations (side A - Division I and side B - Division II).
*After the BNL review was completed, BNL was informed that Shoreham is going through a set of modifications to the Reactor Water Level Instrumentation system. The most important one is the. addition of four new level transmit-ters No. xx-A, B, C, D. The initiation for HPCI will be separated from the initiation of RCIC, ADS, and LPCI/LPCS. In addition, HPCI will be associ-ated with DC bus B only and RCIC only with OC-A.
**With the inclusion of the additional 'four level transmitters, their feed from the DC buses was rearranged so that DC-A and DC-8 feed transmitters on both side A and side B.
~
253 i
, k 1 .- _ , _ . _ - . . .- - . - - - - - -
c)* RCIC and HPCI share = their automatic actuation on level 2, origina-ting from the wide-range instrumentations N091A, N0918, N091C, N0910, having a 1 out of 2 twice logic. (A and C are on side A, B and D are on side B), d) ADS, LPCI, and LPCS' share their automatic initiation en level 1, coming from the same four instrumentations providing for level 2. e) Control room level indications are received from several other level transmitters (N081A, 'C, D - Wide Range; N004A, B, C - Narrow- Range;- NO37A, B - Fuel Zone Range). However, the transmitters are fed from AC buses, and apparently only N004A narrow-range information is fed from a vital bus having a DC backup. f) Feedwater control is normally on level- transmitter N004A (leg A) and occasionally (101.) on transmitter N0048 (leg B). , g) Turbine trip is received when 2 out of 3 transmitters reach level 8. The transmitters are N004A and C on side A and N0048 on side B. Therefore, turbine trip can result when leg A fails, but not when leg B fails. However, in case of leg B feedwater control when leg B fails, a runback to shutdown will apparently occur. In the case that feedwater control is on reference leg A and failure of reference leg 8 occurs, the reactor may continue its power operation. The SNPS study analyzed a number of transients, all resulting from a ref-erence leg leakage, with an additional failure caused by one of the following: a) Operator error, causing the second reference leg to leak due to 'a maintenance error (significant contribut,or). b) Loss of a single DC bus (affecting the other leg) (small. contribu-tor). c) Miscalibration of instrumentation on the other leg (significant con-tributor). - d) Randem failure of additional instrument channels (three different cases, one significant and two minor contributors). Each of the above sequences is discussed separately, and developed on a separate event tree, as shown in Table SE.2 Sheets 1 througn 9. , 1 The major differences between the SNPS analysis and the BNL reassessment are the following: a) Several events are treated explicitly on the BNL event trees, rather than on functional fault trees as in the SNPS-PRA.
- b) The LER failure data on the loss of one reference leg are used to calculate the pecbability of a second reference leg failure due to '
maintenance error. )
*5ee coment on previous page. -
254 e 9
-, .- - - - . - _ - - , ,_._.,.-.,# c- _ . . . _ - _ , , - . - - ._,#-_ . - , r. - - +-_ y. _ .-
.; :..' .L. : . .. '
c) Additional cases are treated separately, such as miscalibration and the mechanical failure of a differential pressure cell. These changes provided a more realistic analysis, in BNL 's view, and resulted in a higher core damage frequency. SE.2 OPERATOR ERROR CAUSING ~LEAX ON THE SECOND REFERENCE LEG ; This is shown in the BNL event tree (Table SE.2 Sheet 4). The frequency used in the BNL assessment is based on the revised functional fault tree , I (Figure 5E.2). This tree is based on the available LER data given in the PRA i which includes two events of l reference leg failure during maintenance when the ' reactor was at power operations. Appendix B of the SNPS study of water level ; instrumentation evaluates the value for the " error rate for maintenance ; errors during power operation" on the basis of two LER events; the result is ' O.000985 event / maintenance. This value is assumed by BNL to account for recovery, because reported LERs are ' generally events which have resulted in failure and were not immediately recovered. Using the value derived above, the SNPS-PRA functional fault tree (Figure 0.2 of Ref. 2)~ was revised tiy BNL as shown in Figure SE.2. In addition, the value for operator error utilizing repeatedly faulty procedures was judged low and was increased b BNL by a factor of 3 above the SNPS-PRA value. The result O R = 1.9x10-{, which is sevenfold higher than that calculated by the SNPS-PRA, is used in the BNL event tree (Table SE.2 Sheet: 4). The other details of this event sequence tree are similar to those in the SNPS-PRA. This RORQUX = 2x10 s in Class I) became a significant contributor (T R in the BNL reassessment, in contrast to the SNPS-PRA, because of the change described above. This sequence is associated with the use of two reference legs in the SNPS. design. . 5E.3 LOSS OF A SINGLE DC BUS ~ The folicwing changes were made in these sequences: a) A contribution from:the loss of a DC bus during power operation with - failed reference leg B was added by BNL (compare SNPS' Fig. 3.4-45 Sheet 2 with BNL's Table SE.2 Sheet 3, branch "B R "). The amount transferred from the " power operation subtree" to the loss of a DC bus branch is dependent on the time allowed for continuous operation,
~
which is assumed to be 24 hours (should be part of technical specifi-cations). However, the results are not sensitive to the time length ass umed. b) The event Timely Reactor Depressurization X is shown on Fig. 3.4-45 Sheet 4'of the SMPS-PRA. BNL assessed that this should appear before the injection function, because the latter cannot start automatically and thus requires an operator decision at a previous stage. If the operatori recognizes the situation correctly when he realizes that high pressure injection did not start, he will manually start HPCI or l RCIC and proceed to depressurization only if the high pressure injec-tion fails. However, if the operator fails to recognize the situa-tion and chooses the wrong procedure, or waits too long, then core , uncovery will occur before the injection phase starts. SNPS treated l 255
. t
- . , y,, ,_-.-.,,m.. .w ,.. _ - . - , . - - . -
-.,__y__,y,,_y - , , , . , ,-.y,., .,.,, ,, _
_,,,..s,y- _,,4 , , , , . . , , , - , . . . - . , _ . , . -
this failure as conditional on HPCI or RCIC failure, which underesti-mates the sequence potential contribution to core damage fr.equency by a factor of 10. The operator action tree used 'by the SNPS study was
; used, unchanged, in the BNL reassessment (Figure SE.3).
Even with the two changes described above, this sequence remains unimportant. The modifications to SNPS Water Level Instrumentatior will potentially elimi-nate this sequence. SE.4 MISCALIBRATION OF WATER LEVEL INSTRUMENTATION ON THE ALTERNATE LEG'
' The progression of this event is similar to loss of a DC bus, in creating a situation in which no automatic initiation will occur following the tran-
'sient. Thus, this sequence is described in a similar way as that for the case of the loss of a DC bus. This sequence is not explicitly modeled in the SNPS-PRA, where a failure of instrument channel is treated as one lumped case and .much significant detail is lost. The SNPS-PRA lumped failure rate of 0.016 is comprised of four contributors:
Miscalibration error = 2x10-3 Two differential, pressure cells = 2x(4.4x10-3)
. Two relays and slaves for level 1 = 2x(1.2x10-3)
Two relays and slaves for level 2 = 2x(1.2x10 3) Total 1.56x10 2 = 0.016 The SNPS-PRA treated these together in Fig. 3.4-45 . Sheet 5, but BNL treated each element separately, which resulted'in an increase in core damage frequency, as shown in Table SE.2 Sheets 6-9. However, the use of the same i, operator error probability from Fig. SE.3 is somcwhat c'onservative, because in the case of miscalibration, live indications of level are not lost as in the case of loss of a DC bus. , Note that the miscalibration error of 2x10-3 is used here for a case of the miscalibration of two channels (rather than all four channels as discussed in Section 5A.1.4) and is considered reasonable for this case. Note that the proposed modification will practically eliminate th;s sequence. SE.5 FAILURE OF DIFFERENTIAL PRESSURE CELL BNL modeled this separately in Table SE.2 Sheet 7 and found a significant contribution. The result is due to the BNL approach, in which the operator faces a decision imediately before injection because injection does not occur automatically. In this case, however, the operator apparently has a higher probability of success in choosing the right response because, in addition to l the level information from one wide-range recorder and two narrow-range indi-cators, he will receive alarms from level 2 and 1 annunciators of the remain-ing channel, which may alert him to the correct situation. Therefore, the error probability in this case is decreased to 0.013. This is based on the operator action decision. tree (Figure C-9 in the SNPS study 2and Figure 5E.3
- of this appendix). -
256 y w-, - -- -,,--p--- w , - , ,- -- n -Q---e, , , .p- -w- --r--en ,,,v-,,, ,7m,,,,---r------- r --- n or e w~m --
. . -. . .. : . . . A-. -
. .. A - .
-.. - =- :----
I l SE.6 FAILURE 0F' LEVEL l'OR 2 RELAYS AND SLAVES In this . case, only part of the automatic initiation is lost, and there-fore the plant response is not dependent on operator action, and the results are very low (Table SE.2 Sheets 8-9). ! 5E.7 CONCLUDING REMARKS
'a ) The BNL reassessment found the failure of a water level reference leg to be an important contributor to ' core damage, amounting to 10% of
. Class I frequency (in the unmodified design).
'b ) The 'BNL model is more detailed in some aspects, but all the informa-tion appears in the PRA and an SLI report , 2wh'i ch made the BNL insight and reassessment possible.
c) The 'SNPS study presents a reasonable human error < analysis , taking detailed account of the information available to the operator in each sequence. BNL finds this analysis acceptable and sometimes even con-servative (e.g., miscalibration = 2x10 see Ref. 2, Appendix C, Page C-6 and Section 4.3 of this report). BNL used almost all these human error quantifications without change (apart from those in t.he drywell cooling analysis--see Appendix SF).
'd) Miscalibration error: throdghout the SNPS-PRA the value 2x1.0-3 is consistently used for miscalibration of two or more transmitters or actuation channels. Lowering this value by using staggering pro-cedures to prevent concurrent miscalibration of more than two chan-nels can reduce the above failure rate s1gnificantly. ,
e) The modifications which' are in- progress at Shoreham tend to reduce- .. the contribution of the sequences discussed apart from those related to the use of two reference legs. 9 ! l l E 257 t
. ._ _ _ ._- - - _ _ _ . _ _ - , . _ _ _ - _ . ~ . - _ _ _ _ , . . _ _ . _ _ _ . _ - - . _ _ _ _ _ _ ..
- - - - - - , _ , - - - - - _ _ _ _ - - , _,_ - , _,_ ,y- y ,, g y,,,
O e 3 3 3
- T a
-5: I y a 5!
c : - - E
- =- 2 e, i
= I I *-
5i *
- 3$ 37 33
.3 1- *:
42 zar g< - .!=3-{E) -
==cgle:-
=p'-
- .Isss:.-r
=ss5
= 535.1:s 131.j) . f=<g1.3. 45.45 , =* E g s .5. ! i l 5 -E "
-I3 jI" u< =
I oa g t : ; 's!.* g[ g :.:..=383g
. - - i I.
I1
- 333:::. :rr.i !- : l= -
=.I I;
;8
' I IEII I :I"gME!$$$$$g 2 I 3 ,= = .' d.. . , :,. c a I i a _ :l< - . .
l
. - a
- g* I
.e u 3 as-s.
-gg =
s= _ _ .. :31
.=. 2..,
, !-i,.----ig -
-ug .
< z-
.g .,
i
- 5l -_. 1-- j.. - _ 3s3 3e i
5l< - 3 :g. , dit i
,r..y: -
=.- =.
< ,i g
5 "* l* . ::l
)
. u,
.,! n. 3 : ': ,{ ll i
\M a e_
a .c y g
~
- W! -
m g
% N
-5 .
>I i 1* 11 h .3 1 fb , -
la [asl i I J g
- . - , = i - ,,
"'"""'"'"" ' 3 $ 4 u, j dati -
i h en i la =i. o
-_, g a:
gg
-=
~3l= g- -
-ja * :gv= 2 t
< X- -._.se X 1 e
*
- W
'1 2r, 7 - 1
~
-l~g -
a 5 : l= -. ___ _.: g. w i,. g g
, . ei P :a I :ga - C
; ja -
g . -.
*a 3 -- g a=g g 3 .
e
" 3 -
8 r g----- :Io a
- l g
g5j _ g __ _-.
-s=
- g _
258 4 e
-___-._.___,__,,_,r.mr,,.,,___.._r_ -
1.-.__......._.. _..m...._ . . . . _ _ . . _ l l
.-u mtemanceannon e tsacs to uson Level}}