ML18151A143: Difference between revisions

(Created page by program invented by StriderTol)
(StriderTol Bot change)
 
(5 intermediate revisions by the same user not shown)
Line 3: Line 3:
| issue date = 04/30/1990
| issue date = 04/30/1990
| title = Analysis of Core Damage Frequency:Surry,Unit 1,INTERNAL Events
| title = Analysis of Core Damage Frequency:Surry,Unit 1,INTERNAL Events
| author name = BERTUCIO R C, JULIUS J A
| author name = Bertucio R, Julius J
| author affiliation = EI SERVICES, INC., SANDIA NATIONAL LABORATORIES
| author affiliation = EI SERVICES, INC., SANDIA NATIONAL LABORATORIES
| addressee name =  
| addressee name =  
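Review bot: the `author name` row loses information in this revision: `BERTUCIO R C, JULIUS J A` becomes `Bertucio R, Julius J`, which drops the middle initials that the report's own title page gives (R. C. Bertucio, J. A. Julius). Normalizing the case is fine, but keep the full initials (for example `Bertucio R C, Julius J A`) so the field still matches the document and stays distinguishable from other authors with the same surname and first initial.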
Line 17: Line 17:


=Text=
=Text=
{{#Wiki_filter:r ------------
{{#Wiki_filter:}}
NUREG/CR-4550
SAND86-2084
Vol. 3, Rev. 1, Part 1

Analysis of Core Damage Frequency: Surry, Unit 1 Internal Events

Prepared by R. C. Bertucio, J. A. Julius
Sandia National Laboratories
Prepared for U.S. Nuclear Regulatory Commission

90060801 75900430 PDR ADOCK 05000280 P PDR
AVAILABILITY NOTICE

Availability of Reference Materials Cited in NRC Publications

Most documents cited in NRC publications will be available from one of the following sources:

1. The NRC Public Document Room, 2120 L Street, NW, Lower Level, Washington, DC 20555
2. The Superintendent of Documents, U.S. Government Printing Office, P.O. Box 37082, Washington, DC 20013-7082
3. The National Technical Information Service, Springfield, VA 22161

Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.

Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.

The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission Issuances.

Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.

Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.

Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.

Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Office of Information Resources Management, Distribution Section, U.S. Nuclear Regulatory Commission, Washington, DC 20555.

Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018.

DISCLAIMER NOTICE

This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liability of responsibility for any third party's use, or the results of such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights.
Analysis of Core Damage Frequency: Surry, Unit 1 Internal Events

Manuscript Completed: February 1990
Date Published: April 1990

Prepared by R. C. Bertucio*, J. A. Julius*

Program Manager: A. L. Camp
Principal Investigator: W. R. Cramond
Team Leader: R. C. Bertucio*

Sandia National Laboratories
Albuquerque, NM 87185

*E. I. Services, Kent, WA 98031

Prepared for
Division of Systems Research
Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission
Washington, DC 20555
NRC FIN A1228

NUREG/CR-4550
SAND86-2084
Vol. 3, Rev. 1, Part 1

ABSTRACT

This document contains the accident sequence analyses of internally initiated events for the Surry Nuclear Station, Unit 1. This is one of the five plant analyses conducted as part of the NUREG-1150 effort by the Nuclear Regulatory Commission. NUREG-1150 documents the risk of a selected group of nuclear power plants.

The work performed and described here is an extensive reanalysis of that published in November 1986 as NUREG/CR-4550, Volume 3. It addresses comments from numerous reviewers and significant changes to the plant systems and procedures made since the first report. The uncertainty analysis and presentation of results are also much improved.

The context and detail of this report are directed toward PRA practitioners who need to know how the work was performed and the details for use in further studies.

The mean core damage frequency at Surry was calculated to be 4.0E-5 per year, with a 95% upper bound of 1.3E-4 and 5% lower bound of 6.8E-6 per year. Station blackout type accidents (loss of all AC power) were the largest contributors to the core damage frequency, accounting for approximately 68% of the total. The next type of dominant contributors were Loss of Coolant Accidents (LOCAs). These sequences account for 15% of core damage frequency. No other type of sequence accounts for more than 10% of core damage frequency.

The numerical results are dominated by the frequency of loss of offsite power, probabilities for non-recovery of offsite power, and diesel generator failure probabilities. Considerable effort was expended on the modeling of station blackout sequences, including the development of a reactor coolant pump seal LOCA model through elicitation of expert judgment. The study results can also be used to show the benefit of cross ties of important systems between the two units at the Surry Station.

This report evaluates core damage frequency from internally initiated events. The consequences of these accidents are evaluated and reported under separate cover. Core damage sequences from externally initiated events are reported in Part 3 of this volume.
CONTENTS

1. EXECUTIVE SUMMARY
1.1 OBJECTIVES
1.2 APPROACH
1.3 RESULTS
1.4 CONCLUSIONS
1.4.1 Plant Specific Conclusions
1.4.2 Accident Sequence Conclusions
1.4.3 Plant Damage State Conclusions
1.4.4 Uncertainty Considerations
1.4.5 Comparison to Reactor Safety Study
1.4.6 Other Insights

2. PROGRAM SCOPE

3. PROGRAM REVIEW
3.1 SENIOR CONSULTANT GROUP
3.2 QUALITY CONTROL GROUP
3.3 UTILITY INTERFACE
3.4 UNCERTAINTY REVIEW PANEL
3.5 PEER REVIEW PANEL
3.6 AMERICAN NUCLEAR SOCIETY COMMITTEE
3.7 PUBLIC COMMENTS

4. TASK DESCRIPTIONS
4.1 TASK FLOW CHART
4.2 PLANT FAMILIARIZATION
4.2.1 Initial Plant Visit
4.2.2 Information Obtained
4.2.3 Subsequent Plant Visit During Reanalysis Phase
4.3 INITIATING EVENT IDENTIFICATION AND GROUPING
4.3.1 Initiating Event Identification
4.3.2 Support System Failures
4.3.3 Special Initiators
4.3.4 Final Initiating Event Selection
4.3.5 Ground Rules in Initiating Event Selection
4.4 EVENT TREE ANALYSIS
4.4.1 Ground Rules and Limitations
4.4.2 T1 (Loss of Offsite Power) Event Tree
4.4.3 T2 (Loss of Main Feedwater) Event Tree
4.4.4 T3 (Turbine Trip with MFW Available) Event Tree
4.4.5 T5 (Loss of DC Bus) Event Tree
4.4.6 T7 (Steam Generator Tube Rupture) Event Tree
4.4.7 A (Large LOCA) Event Tree
4.4.8 S1 (Medium LOCA) Event Tree
4.4.9 S2 (Small LOCA) Event Tree
4.4.10 S3 (Very Small LOCA) Event Tree
4.4.11 Anticipated Transients Without Scram Event Tree
4.5 PLANT DAMAGE STATE DEFINITION
4.5.1 Event Tree/Plant Damage State Analysis Process
4.5.2 Definitions of the Plant Damage State Indicators
4.5.3 Plant Damage State Analysis
4.5.4 Regrouping of Plant Damage States
4.6 SYSTEM ANALYSIS
4.6.1 System Modeling and Scope
4.6.2 Accumulator Model
4.6.3 Auxiliary Feedwater System Model
4.6.4 Charging Pump Cooling System Model
4.6.5 Component Cooling Water System Model
4.6.6 Consequence Limiting Control System Model
4.6.7 Containment Spray System Model
4.6.8 Emergency Power System Model
4.6.9 High Pressure Injection/Recirculation System Model
4.6.10 Inside Spray Recirculation System Model
4.6.11 Low Pressure Injection/Recirculation System Model
4.6.12 Outside Spray Recirculation System Model
4.6.13 Power Conversion System Model
4.6.14 Primary Pressure Relief System Model
4.6.15 Reactor Protection System Model
4.6.16 Recirculation Mode Transfer System Model
4.6.17 Residual Heat Removal System Model
4.6.18 Safety Injection Actuation System Model
4.6.19 Service Water System Model
4.7 ANALYSIS OF DEPENDENT FAILURES
4.7.1 Subtle Interactions
4.7.2 Common Cause Analysis
4.8 HUMAN RELIABILITY ANALYSIS
4.8.1 Summary of Methodology and Scope
4.8.2 Human Actions Analyzed
4.8.3 Analysis of Pre-Initiator Errors
4.8.4 Analysis of Post-Initiator Operator Actions
4.8.5 Innovative Recovery
4.9 DATA BASE DEVELOPMENT
4.9.1 Sources of Information for Data Base
4.9.2 Limitations in the Data Base
4.9.3 Data Base Description
4.9.4 Plant Specific Analysis and Use of Generic Data
4.10 ACCIDENT SEQUENCE QUANTIFICATION
4.10.1 General Approach
4.10.2 Identification of Sequences Analyzed
4.10.3 Application of Operator Recovery Actions
4.10.4 Assessment of Impact of Operator Actions
4.11 PLANT DAMAGE STATE QUANTIFICATION
4.11.1 Quantification of Containment Heat Removal
4.11.2 Quantification of Containment Isolation Failure
4.11.3 Quantification of Plant Damage States
4.12 UNCERTAINTY/SENSITIVITY ANALYSIS
4.12.1 Sources and Treatment of Uncertainties
4.12.2 Development of Parameter Distributions
4.12.3 Elicitation of Expert Opinion

5.0 RESULTS
5.1 CHARACTERIZATION OF CORE DAMAGE FREQUENCY AND UNCERTAINTY AT SURRY
5.2 ACCIDENT SEQUENCE RESULTS
5.2.1 Accident Sequences SBO-BATT and SBO-BATT2
5.2.2 Accident Sequences SBO-SLOCA and SBO-SLOCA2
5.2.3 Accident Sequences SBO-L and SBO-L2
5.2.4 Accident Sequence V
5.2.5 Accident Sequences SBO-Q and SBO-Q2
5.2.6 Accident Sequence S1H1
5.2.7 Accident Sequences T 7 0nQs and T 7 0nQQ 8
5.2.8 Accident Sequence T2LD2
5.2.9 Accident Sequence S1D1
5.2.10 Accident Sequence TKRZ
5.2.11 Accident Sequence AH1
5.2.12 Accident Sequence T2LP
5.2.13 Accident Sequence S1D6
5.2.14 Accident Sequence AD5
5.2.15 Accident Sequence TKRD4
5.2.16 Accident Sequence S3D1
5.2.17 Accident Sequence S2D1
5.2.18 Accident Sequence AD6
5.2.19 Accident Sequence T 7 D 1 0n
5.2.20 Accident Sequences T5ALP and T5BLP
5.2.21 Accident Sequence T7L3
5.2.22 Accident Sequence T7KR
5.3 PLANT DAMAGE STATE GROUP RESULTS
5.3.1 Plant Damage State Group 1
5.3.2 Plant Damage State Group 2
5.3.3 Plant Damage State Group 3
5.3.4 Plant Damage State Group 4
5.3.5 Plant Damage State Group 5
5.3.6 Plant Damage State Group 6
5.3.7 Plant Damage State Group 7
5.4 IMPORTANCE MEASURES
5.5 COMPARISON OF RESULTS WITH WASH-1400

6. CONCLUSIONS
6.1 PLANT-SPECIFIC CONCLUSIONS
6.2 ACCIDENT SEQUENCE CONCLUSIONS
6.3 UNCERTAINTY CONSIDERATIONS
6.4 COMPARISON TO REACTOR SAFETY STUDY
6.5 OTHER INSIGHTS

7. REFERENCES
FIGURES

1-1 Contribution of Accident Groups for Surry
1-2 Surry Core Damage Frequency Uncertainty Distribution and Density
4.1-1 PRA Task Flow Chart
4.4-1 Event Tree for T1 - Loss of Offsite Power
4.4-2 Event Tree for T1S - Station Blackout at Unit 1
4.4-3 Event Tree for T1S - Station Blackout at Both Units
4.4-4 Event Tree for T2 - Loss of Main Feedwater
4.4-5 Event Tree for T3 - Turbine Trip with MFW
4.4-6 Event Tree for T5 - Loss of DC Bus
4.4-7 Event Tree for T7 - Steam Generator Tube Rupture
4.4-8 Event Tree for A - Large LOCA
4.4-9 Event Tree for S1 - Medium LOCA
4.4-10 Event Tree for S2 - Small LOCA
4.4-11 Event Tree for S3 - Very Small LOCA
4.4-12 Event Tree for TK - Anticipated Transient Without Scram
4.5-1 Bridge Tree for T1S - Station Blackout at Unit 1
4.5-2 Bridge Tree for T1S - Station Blackout at Both Units
4.5-3 Bridge Tree for T2 - Loss of Main Feedwater
4.5-4 Bridge Tree for T7 - Steam Generator Tube Rupture
4.5-5 Bridge Tree for A - Large LOCA
4.5-6 Bridge Tree for S1 - Medium LOCA
4.5-7 Bridge Tree for S2 - Small LOCA
4.5-8 Bridge Tree for S3 - Very Small LOCA
4.6-1 Accumulator System Simplified Sketch
4.6-2 AFW System Simplified Sketch
4.6-3 AFW System Dependency Diagram
4.6-4 CPC System Simplified Sketch
4.6-5 CPC System Dependency Diagram
4.6-6 CCW System Simplified Sketch
4.6-7 CCW System Dependency Diagram
4.6-8 Simplified CLCS Logic Diagram
4.6-9 CSS Simplified Sketch
4.6-10 CSS Dependency Diagram
4.6-11 EPS Simplified Sketch
4.6-12 HPI/HPR System Simplified Sketch
4.6-13 HPI/HPR System Dependency Diagram
4.6-14 ISR System Simplified Sketch
4.6-15 ISR System Dependency Diagram
4.6-16 LPI/LPR System Simplified Sketch
4.6-17 LPI-LPR System Dependency Diagram
4.6-18 OSR System Simplified Sketch
4.6-19 OSR System Dependency Diagram
4.6-20 PPRS System Simplified Sketch
4.6-21 Primary Pressure Relief System Dependency Diagram
4.6-22 Simplified RMT System Logic Diagram
4.6-23 RHR System Simplified Sketch
4.6-24 RHR System Dependency Diagram
4.6-25 Components Dependent on SIAS for Automatic Actuation
4.6-26 SWS Simplified Sketch
4.6-27 Service Water System Dependency Diagram
5-1 Uncertainty Distribution for Surry Core Damage Frequency
5-2 Density Estimation for Surry Core Damage Frequency
TABLES

1-1 Dominant Accident Sequences by Initiating Event Type
1-2 Comparison of NUREG/CR-4550, Revision 1 and WASH-1400 Sequences
4.2-1 List of Requested Information/Drawings/Procedures
4.2-2 Information Prepared by the Surry PRA Team Prior to Plant Visit
4.2-3 Typical Questions on System Design and Operation
4.2-4 Components for Plant Specific Failure Data
4.2-5 Events for Human Reliability Analysis
4.2-6 Request for Most Up-To-Date Analysis in Following Areas
4.3-1 Initiating Event Categories Used in the Surry PRA
4.3-2 Sources of Initiating Event Candidates
4.3-3 Summary of Loss of Support Systems as Initiators
4.3-4 Summary of Transient Initiating Events
4.3-5 Summary of LOCA Initiating Events
4.3-6 Important Ground Rules for Initiating Event Selection
4.4-1 Event Tree Headings
Part 1: Description of Events
Part 2: Definition of Events
4.4-2 General Event Tree and Success Criteria Ground Rules
4.4-3 T1 Transient Success Criteria Summary Information
4.4-4 LOSP/SBO Analysis Cases
4.4-5 T2 Transient Success Criteria Summary Information
4.4-6 T3 Transient Success Criteria Summary Information
4.4-7 T5 Transient Success Criteria Summary Information
4.4-8 T7 Transient Success Criteria Summary Information
4.4-9 Large LOCA Success Criteria Summary Information
4.4-10 Medium LOCA Success Criteria Summary Information
4.4-11 Small LOCA Success Criteria Summary Information
4.4-12 Very Small LOCA Success Criteria Summary Information
4.4-13 ATWS Success Criteria Summary Information
4.5-1 Category Definitions for PDS Indicators
4.5-2 Surry Dominant Core Damage Sequence Point Estimate Frequency
4.5-3 Sources of Dominant Core Damage Sequences

4.6-1 to 4.6-19:
Systems Included in the Surry System Analysis
System, Component, and Event Identifiers
System Identifiers
Component Identifiers
Failure Mode Codes
Symbols and Abbreviations Used in the Schematics
AFW Component Status and Dependency Summary
CPC Component Status and Dependency Summary
CCW Component Status and Dependency Summary
Component Dependencies on CLCS
CSS Component Status and Dependency Summary
AC/DC Power Supplies and Dependencies
HPI/HPR Component Status and Dependency Summary
ISR Component Status and Dependency Summary
LPI/LPR Component Status and Dependency Summary
OSR Component Status and Dependency Summary
PPRS Component Status and Dependency Summary
Components Actuated by RMT
RHR Component Status and Dependency Summary
SIAS Actuation Parameters
SWS Component Status and Dependency Summary

4.7-1 Surry Common Cause Failures
4.8-1 Human Actions Quantified in the Surry PRA
4.8-2 Ground Rules for Calculation of Common Miscalibration Error Probabilities
4.8-4 Allowable Times for Operator Action
4.8-5 Ground Rules for Surry HRA
4.9-1 Plant Specific Data Used in Accident Sequence Quantification
4.9-2 Initiating Event Data
4.9-3 BETA Factor Summary Table
4.9-4 Human Reliability Analysis Summary
4.9-5 Recovery Factor Summary
4.9-6 Miscellaneous Event Table
4.9-7 Surry Data Table
4.10-1 Accident Sequence Quantified Before Recovery
4.10-2 Recovery Factors
4.10-3 Dominant Accident Sequences Prior to Recovery
4.10-4 Accident Sequences Quantified Before and After Recovery
4.10-5 Impact of Operator Actions
4.11-1 Plant Damage State Assignment of Dominant Core Damage Sequences
4.11-2 Plant Damage States Above 1E-9
4.11-3 Frequencies of Plant Damage State Groups
5-1 Top Cut Sets Contributing to the Surry Total Core Damage Frequency
5-2 Description of Important Surry Events
5-3 Surry Accident Sequence Core Damage Frequencies
5-4 Surry Dominant Accident Sequences Included in Each Plant Damage State
5-6 Surry Risk Reduction Important Events
5-7 Surry Risk Increase Important Events
5-8 Surry Uncertainty Importance Important Events
5-9 Comparison of Core Damage Frequencies by Event Type

FOREWORD

This is one of numerous documents that support the preparation of the NUREG-1150 document by the NRC Office of Nuclear Regulatory Research.
Figure 1 illustrates the front-end documentation.
There are three interfacing programs at Sandia National Laboratories performing this work: the Accident Sequence Evaluation Program (ASEP), the Severe Accident Risk Reduction Program (SARRP), and the Phenomenology and Risk Uncertainty Evaluation Program (PRUEP). The Zion PRA was performed at Idaho National Engineering Laboratory and Brookhaven National Laboratory.
Table 1 is a list of the original primary documentation and the corresponding revised documentation.
There are several items that should be noted. First, in the original NUREG/CR-4550 report, Volume 2 was to be a summary of the internal analyses.
This report was deleted. In Revision 1, Volume 2 now is the expert judgment elicitation covering all plants. Volumes 3 and 4 include external events analyses for Surry and Peach Bottom, respectively.
The revised NUREG/CR-4551 covers the analysis included in the original NUREG/CR-4551 and NUREG/CR-4700.
However, it is different from NUREG/CR-4550 in that the results from the expert judgment elicitation are given in four parts to Volume 2 with each part covering one category of issues. The accident progression event trees are given in the appendices for each of the plant analyses.
Originally, NUREG/CR-4550 was published without the designation "Draft for Comment." Thus, this revision of NUREG/CR-4550 is designated Revision 1. The label Revision 1 is used consistently on all volumes except Volume 2, which was not part of the original documentation.
NUREG/CR-4551 was originally published as a "Draft for Comment" so, in its final form, no Revision 1 designator is required to distinguish it from the previous documentation.

There are several other reports published in association with NUREG-1150. These are:

NUREG/CR-5032, SAND87-2428, Modeling Time to Recovery and Initiating Event Frequency for Loss of Off-site Power Incidents at Nuclear Power Plants, R. L. Iman and S. C. Hora, Sandia National Laboratories, Albuquerque, NM, January 1988.

NUREG/CR-4840, SAND88-3102, Recommended Procedures for External Event Risk Analyses for NUREG-1150, M. P. Bohn and J. A. Lambright, Sandia National Laboratories, Albuquerque, NM, November 1989.

[Figure not recoverable from the scan; legible labels include METHODOLOGY, EXPERT PANEL RESULTS, PROJECT STAFF RESULTS, INTERNAL EVENTS, INTERNAL EVENTS APPENDIX and DOCUMENTATION.]

Table 1. NUREG-1150 Analysis Documentation

Original Documentation

NUREG/CR-4550, Analysis of Core Damage Frequency From Internal Events
Volume 1: Methodology
Volume 2: Summary (Not Published)
Volume 3: Surry Unit 1
Volume 4: Peach Bottom Unit 2
Volume 5: Sequoyah Unit 1
Volume 6: Grand Gulf Unit 1
Volume 7: Zion Unit 1

NUREG/CR-4551, Evaluation of Severe Accident Risks and the Potential for Risk Reduction
Volume 1: Surry Unit 1
Volume 2: Sequoyah Unit 1
Volume 3: Peach Bottom Unit 2
Volume 4: Grand Gulf Unit 1
Volume 5: Zion Unit 1

NUREG/CR-4700, Containment Event Analysis for Potential Severe Accidents
Volume 1: Surry Unit 1
Volume 2: Sequoyah Unit 1
Volume 3: Peach Bottom Unit 2
Volume 4: Grand Gulf Unit 1

Revised Documentation

NUREG/CR-4550, Revision 1, Analysis of Core Damage Frequency
Volume 1: Methodology
Volume 2, Part 1: Expert Judgment Elicit.--Expert Panel
Volume 2, Part 2: Expert Judgment Elicit.--Project Staff
Volume 3, Part 1: Surry Unit 1 Internal Events
Volume 3, Part 2: Surry Unit 1 Internal Events App.
Volume 3, Part 3: Surry Unit 1 External Events
Volume 4, Part 1: Peach Bottom Unit 2 Internal Events
Volume 4, Part 2: Peach Bottom Unit 2 Internal Events App.
Volume 4, Part 3: Peach Bottom Unit 2 External Events
Volume 5, Part 1: Sequoyah Unit 1 Internal Events
Volume 5, Part 2: Sequoyah Unit 1 Internal Events App.
Volume 6, Part 1: Grand Gulf Unit 1 Internal Events
Volume 6, Part 2: Grand Gulf Unit 1 Internal Events App.
Volume 7: Zion Unit 1 Internal Events

NUREG/CR-4551, Evaluation of Severe Accident Risks
Volume 1: Methodology
Volume 2, Part 1: Expert Judgment Elicit.--In-vessel
Volume 2, Part 2: Expert Judgment Elicit.--Containment
Volume 2, Part 3: Expert Judgment Elicit.--Structural
Volume 2, Part 4: Expert Judgment Elicit.--Source-Term
Volume 2, Part 5: Expert Judgment Elicit.--Supp. Calc.
Volume 2, Part 6: Expert Judgment Elicit.--Proj. Staff
Volume 2, Part 7: Expert Judgment Elicit.--Supp. Calc.
Volume 2, Part 8: Expert Judgment Elicit.--MACCS Input
Volume 3, Part 1: Surry Unit 1 Anal. and Results
Volume 3, Part 2: Surry Unit 1 Appendices
Volume 4, Part 1: Peach Bottom Unit 2 Anal. and Results
Volume 4, Part 2: Peach Bottom Unit 2 Appendices
Volume 5, Part 1: Sequoyah Unit 2 Anal. and Results
Volume 5, Part 2: Sequoyah Unit 2 Appendices
Volume 6, Part 1: Grand Gulf Unit 1 Anal. and Results
Volume 6, Part 2: Grand Gulf Unit 1 Appendices
Volume 7, Part 1: Zion Unit 1 Anal. and Results
Volume 7, Part 2: Zion Unit 1 Appendices

NUREG/CR-4772, SAND86-1996, Accident Sequence Evaluation Program Human Reliability Analysis Procedure, A. D. Swain III, Sandia National Laboratories, Albuquerque, NM, February 1987.

NUREG/CR-5263, SAND88-3100, The Risk Management Implications of NUREG-1150 Methods and Results, A. C. Camp et al., Sandia National Laboratories, Albuquerque, NM, December 1988.

A Human Reliability Analysis for the ATWS Accident Sequence with MSIV Closure at the Peach Bottom Atomic Power Station, A-3272, W. J. Luckas, Jr. et al., Brookhaven National Laboratory, Upton, NY, 1986.

A brief flow chart for the documentation is given in Figure 2. Any related supporting documents to the back-end NUREG/CR-4551 analyses are delineated in NUREG/CR-4551.
A complete list of the revised NUREG/CR-4550 volumes and parts is given below.

General

NUREG/CR-4550, Volume 1, Revision 1, SAND86-2084, Analysis of Core Damage Frequency: Methodology Guidelines for Internal Events.

NUREG/CR-4550, Volume 2, SAND86-2084, Analysis of Core Damage Frequency from Internal Events: Expert Judgment Elicitation on Internal Events Issues Part 1: Expert Panel Results, Part 2: Project Staff Results.

Parts 1 and 2 of Volume 2, NUREG/CR-4550 are bound together. This volume was not part of the original documentation and was first published in April 1989 and distributed in May 1989 with the title: Analysis of Core Damage Frequency from Internal Events: Expert Judgment Elicitation. In retrospect, a more descriptive title would be: Analysis of Core Damage Frequency: Expert Judgment Elicitation on Internal Events Issues.

NUREG/CR-4550, Volume 3, Revision 1, Part 1, SAND86-2084, Analysis of Core Damage Frequency: Surry Unit 1 Internal Events.

NUREG/CR-4550, Volume 3, Revision 1, Part 2, SAND86-2084, Analysis of Core Damage Frequency: Surry Unit 1 Internal Events Appendices.

NUREG/CR-4550, Volume 3, Revision 1, Part 3, SAND86-2084, Analysis of Core Damage Frequency: Surry Unit 1 External Events.

[Figure 2. Surry Related Documentation. Flow chart: the front-end analysis (NUREG/CR-4550 Revision 1, Surry Unit 1: plant damage state frequencies, risk reduction and uncertainty measures), supported by NUREG/CR-4550 Revision 1 Vol. 1 (methodology), NUREG/CR-4550 Revision 1 Vol. 2 (expert opinion), NUREG/CR-4840 (external events methods), NUREG/CR-4772 (HRA procedures) and NUREG/CR-5032 (LOSP IE frequency and recovery); the back-end analysis (NUREG/CR-4551, Surry Unit 1 accident progression and risk) with its back-end support documentation; and NUREG-1150 (Surry, Peach Bottom, Sequoyah, Grand Gulf, Zion).]
Peach Bottom

NUREG/CR-4697, EGG-2464, Containment Venting Analysis for the Peach Bottom Atomic Power Station, D. J. Hansen et al., Idaho National Engineering Laboratory (EG&G Idaho, Inc.), February 1987.

NUREG/CR-4550, Volume 4, Revision 1, Part 1, SAND86-2084, Analysis of Core Damage Frequency: Peach Bottom Unit 2 Internal Events.

NUREG/CR-4550, Volume 4, Revision 1, Part 2, SAND86-2084, Analysis of Core Damage Frequency: Peach Bottom Unit 2 Internal Events Appendices.

NUREG/CR-4550, Volume 4, Revision 1, Part 3, SAND86-2084, Analysis of Core Damage Frequency: Peach Bottom Unit 2 External Events.

Sequoyah

NUREG/CR-4550, Volume 5, Revision 1, Part 1, SAND86-2084, Analysis of Core Damage Frequency: Sequoyah Unit 1 Internal Events.

NUREG/CR-4550, Volume 5, Revision 1, Part 2, SAND86-2084, Analysis of Core Damage Frequency: Sequoyah Unit 1 Internal Events Appendices.

Grand Gulf

NUREG/CR-4550, Volume 6, Revision 1, Part 1, SAND86-2084, Analysis of Core Damage Frequency: Grand Gulf Unit 1 Internal Events.

NUREG/CR-4550, Volume 6, Revision 1, Part 2, SAND86-2084, Analysis of Core Damage Frequency: Grand Gulf Unit 1 Internal Events Appendices.

NUREG/CR-4550, Volume 7, Revision 1, EGG-2554, Analysis of Core Damage Frequency: Zion Unit 1 Internal Events.

ACRONYMS AND INITIALISMS

ACC        accumulators
ACP        ac power
ACU        air cleaning unit
ACX        air cooling heat exchanger
ADS        automatic depressurization system
AFW        auxiliary feedwater system or emergency feedwater system
AHU        air heating unit
ANS        American Nuclear Society
AOV        air operated valve
ARF        air return fan system
ASEP       Accident Sequence Evaluation Program
ASME       American Society of Mechanical Engineers
ATWS       anticipated transient without scram
BAC        ac electrical bus
BAT        boric acid transfer
BCL        Battelle Columbus Laboratory
BDC        dc electrical bus
BNL        Brookhaven National Laboratory
BOP        balance of plant
CC         component cooling
CCF        common cause fault
CCU        containment atmosphere cleanup
CCW        component cooling water
CD         core damage
CDS        condensate system
CET        containment event tree
CFC        containment emergency fan cooler system
CGC        containment combustible gas control
CHP        charging pump system
CHR        containment heat removal
CHW        chilled water system
CIS        containment isolation system
CKV        check valve
CLCS, CLS  consequence limiting control system
CPC        charging pump cooling
CR         control room
CRB        circuit breaker
CRD        control rod drive
CRH        hydraulically driven control rod
CRM        motor driven control rod
CSC        closed cycle cooling
CSI        containment spray injection
CSR        containment spray recirculation
CS         containment spray
CST        condensate storage tank
CV         check valve
CVC        chemical and volume control
DCP        dc power
DG, DGN    diesel generator
DHR        decay heat removal
DWS        drywell (wetwell) spray
ECA        emergency contingency actions
ECCS       emergency core cooling system
EDP        engine driven pump
EHV        emergency heating, ventilation, and air conditioning system
EI         Energy International
EP         emergency procedures
EPG        emergency procedures guidelines
EPS        emergency power system
EPV        explosive valve
ESF        engineered safety feature actuation system
ESW        essential service water system
FHS        fuel handling system
FMEA       Failure Mode and Effect Analysis
FRP        functional restoration procedures
FRV        flow regulating valve
FSAR       Final Safety Analysis Report
FW         feedwater
HCI        high pressure coolant injection
HCS        high pressure core spray
HDV        hydraulic valve
HEP        human error probability
HPI        high pressure safety injection
HPR        high pressure recirculation
HPT        Human Performance Technologies
HRA        human reliability analysis
HSW        high pressure service water
HTX, HX    heat exchanger
HVAC       heating, ventilation, and air conditioning
IAS        instrument air system
ICC        instrumentation and control circuit
ICS        ice condenser system
IE         initiating event
INEL       Idaho National Engineering Laboratory
ISO        isolation condenser system
ISR        inside containment spray recirculation system
LCI        low pressure coolant injection
LCS        low pressure core spray
LER        licensee event report
LFT-SET    large fault tree - small event tree
LHS        Latin Hypercube Sampling Code
LHSI       low head safety injection
LOCA       loss of coolant accident
LOSP       loss of offsite power
LPI        low pressure safety injection
LPR        low pressure recirculation
LWR        light water reactor
MCC        motor control center
MCW        main circulating water
MDFWP      motor driven feedwater pump
MDP        motor driven pump
MFW        main feedwater
MG         motor generator
MOV        motor operated valve
MSIV       main steam isolation valve
MSS        main steam system
MTC        moderator temperature coefficient
NHV        normal heating, ventilation, and air conditioning
NPSH       net positive suction head
NRC        Nuclear Regulatory Commission
NSSS       nuclear steam supply system
OEP        onsite electric power
ORNL       Oak Ridge National Laboratory
OSR        outside containment spray recirculation
PCS        power conversion system
PDS        plant damage state
PLG        Pickard, Lowe, and Garrick
PORV       power operated relief valve
PPRS, PPS  primary pressure relief system
PRA        probabilistic risk assessment
PRUEP      PRA Uncertainties Estimation Program
PTS        pressurized thermal shock
PWR        pressurized water reactor
QCG        quality control group
RBC        reactor building cooling water
RCI        reactor core isolation cooling
RCP        reactor coolant pump
RCS        reactor coolant system
RGW        radioactive gaseous waste
RHR        residual heat removal
RLW        radioactive liquid waste
RMT        recirculation mode transfer
RO         reactor operator
RPS        reactor protection system
RTND       reference temperature for transition to nil ductility
RV         relief valve
RWST       refueling water storage tank
SAIC       Science Applications International Corporation
SAROS      Safety & Reliability Optimization Services
SARRP      Severe Accident Risk Reduction Program
SBO        station blackout
SCG        senior consultant group
SDC        shutdown cooling
SETS       Set Equation Transformation System
SG         steam generator
SGS        steam generator system
SGT        standby gas treatment
SGTR       steam generator tube rupture
SI         safety injection
SIAS, SIS  safety injection actuation system
SLC        standby liquid control
SNLA       Sandia National Laboratory Albuquerque
SOV        solenoid operated valve
SPC        suppression pool cooling
SPM        suppression pool makeup
SRO        senior reactor operator
SRV        safety relief valve
STA        shift technical advisor
SV         safety valve
SW, SWS    service water system
TBC        turbine building cooling water
TCV        testable check valve
TDAFWP     turbine driven auxiliary feedwater pump
TDP        turbine driven pump
TEMAC      Top Event Matrix Analysis Code
TMI        Three Mile Island
TSV        turbine stop valve
VCT        volume control tank
VEPCO      Virginia Electric Power Company
WOG        Westinghouse Owners Group ATWS Rulemaking Comments
XV, XVM    manual valve
ACKNOWLEDGEMENTS

The authors wish to acknowledge the following individuals for their contribution to the Surry Analysis.
Mr. Joe Logan, of the Surry Power Station, for promptly providing the necessary information to develop a comprehensive plant model. Ms. Sharon Brown for her diligent efforts to review the document and to ensure consistency among the PWR analyses.
Mrs. Diane Jones for her technical assistance, especially the system level failure modes and effects analyses.
Mr. Marc Quillici for his work on the draft report and guidance in the fault tree analysis, particularly the use of the SETS computer code.

==1. EXECUTIVE SUMMARY==
This document presents the final results of one of several studies that provided information to the Nuclear Regulatory Commission Office of Nuclear Regulatory Research about Light Water Reactor (LWR) risk. The Office of Research used the results of this work, along with other input, to prepare NUREG-1150.(1) Risk from a selected group of five nuclear power plants is examined in NUREG-1150 by incorporating the results of wide-ranging research efforts that have taken place over the past several years. Surry Unit 1 was chosen as one of the five plants to be analyzed to accomplish regulatory goals. The Surry Nuclear Power Plant contains two units of 788 megawatts (electrical) capacity and is located near Surry in Virginia. The reactors are each housed in a large dry subatmospheric containment. The Surry plant was previously analyzed in the Reactor Safety Study.(2) Other plants chosen for analysis are Peach Bottom, Sequoyah, Grand Gulf, and Zion.

1.1 Objectives

The primary objective was to perform an analysis to support the NUREG-1150 project that is as near to a state-of-the-art, Level 1 Probabilistic Risk Assessment (PRA) as possible.
Corresponding Level 2 and Level 3 analyses have also been performed and documented.
External events were analyzed and are reported in Part 3 of this volume. Direct objectives of the analysis were to identify potential, significant system failures, to provide insights of value to utilities with plants of this type, and to support a detailed methodology that can be used by others, including utilities.
The perspective gained from NUREG-1150 will be used to support the NRC's resolution of severe accident regulatory issues. This document presents the Level 1 part of the risk equation--the frequency of scenarios involving system failures which lead to severe core damage as a result of internal initiators.
Core damage is defined as a significant core uncovery occurrence with reflooding of the core not imminently expected.
The result is a prolonged uncovery of the core, which leads to damaged fuel and a release of fission products from the fuel.

1.2 Approach

A standard but focused Level 1 PRA approach formed the basis for this analysis.
Event trees were constructed, the top events were modeled using large fault trees, and the results were quantified using the Set Equation Transformation System (SETS)(49) and the Top Event Matrix Analysis Code (TEMAC)(44) computer codes. An abundance of information pertinent to probabilistic study was available on Surry, resulting from previous probabilistic studies of the plant. This enabled the Surry PRA team to focus on aspects of the plant which had been shown to be important in the past or were the topic of current safety issues. Effort was not expended on areas or issues that had been shown to be unimportant in the past. Also, if the analyst determined that a system could be represented adequately using a simplified model, rather than a detailed fault tree, the simplified approach was used. However, if the analyst determined that a system was important enough to warrant detailed modeling, then the appropriate modeling techniques were used. In regard to the PRA methodology, several areas merit comment. First, a human reliability analysis was performed on operator actions that surfaced in the PRA as potentially significant.
Second, plant-specific data were used whenever possible.
Third, a recovery analysis was performed after the initial quantification of accident sequences to assure proper credit was given for operator intervention during the accident.
Fourth, an extensive uncertainty analysis was performed which required determining the uncertainty on the failure probabilities for basic events in the models. Finally, in some cases, no firm data existed to support failure probability development, so expert judgment was formally elicited from people with extensive experience on each issue in question.
This final item is the subject of Volume 2 of NUREG/CR-4550.
The Level 1 results were grouped into plant damage states to provide a form suitable for input to the back-end accident progression event trees. A plant damage state is a grouping of accident sequences or parts of accident sequences that have similar characteristics such as vessel pressure, timing, containment response, and system failures which provides the necessary input for the accident progression event tree used in the Level 2 analysis.
In order to maintain high quality, this work was reviewed by four different groups: an independent Senior Consultant Group, an independent Quality Control Group, Sandia staff and management, and the NRC. In addition, the staff at Virginia Power were given an opportunity to review this work at various stages. VEPCO's comments were addressed in this analysis, as were numerous comments received from the NRC, the public and the nuclear industry.
1.3 Results

The internal events portion of the Surry PRA identified twenty-eight core damage sequences which comprise the internal events core damage model. The criteria for inclusion of sequences in the core damage model are all sequences with a final point estimate frequency greater than 1.0E-7/yr and all station blackout sequences with a point estimate frequency greater than 1.0E-9/yr.
The importance of station blackout sequences to risk made it desirable to provide complete coverage of all accident sequences.
The extension was allowed for station blackout sequences because they were combined into three sequence groups, thus making it easier to include the smaller sequences.
The accident grouping by initiating event type, showing the contribution of each type to total core damage frequency, is shown in Table 1-1. The contributions of these accident groups to the total frequency are shown graphically in Figure 1-1. The internal events core damage model yielded a sampled mean* frequency of 4.0E-5 per reactor year. The cumulative distribution function for the core damage model and the density function are shown in Figure 1-2. These two functions are based on the results of a statistical sample of 1000 points with some smoothing employed in the generation of the density function.
The important statistical parameters of the core damage frequency distribution are listed below.

  Mean                 4.0E-5/yr
  Standard Deviation   5.8E-5
  95% Upper            1.3E-4/yr
  75% Upper            4.5E-5/yr
  Median               2.3E-5/yr
  25% Lower            1.3E-5/yr
  5% Lower             6.8E-6/yr

In addition to the 28 sequences included in the core damage model, there were 10 fully quantified accident sequences that have point estimate frequencies less than 1E-7/yr. These sequences have a combined frequency of 2.2E-7. In addition, there were 43 partially quantified sequences with point estimate frequencies in the range of 5E-10 to 1E-8. These sequences were partially quantified in that they were not subject to recovery analysis.
They were minimal contributors without recovery actions, and therefore not subject to further evaluation.
An event importance analysis was done on the comprehensive core damage model. In this analysis, the relative importance of each basic event, with respect to three measures, is calculated.
These three measures are risk reduction, risk increase, and uncertainty.
The risk reduction measure is the absolute amount by which core damage frequency is reduced, if the event in question had a probability of zero (i.e., never happened).
The most important event for risk reduction is the loss of offsite power initiating event. This result is consistent with the dominance of station blackout in the core damage model. The next most important event for risk reduction is the failure of diesel generator number 1 to start. This result is particularly interesting in view of the AC power supply system at Surry. The Surry Nuclear Station is a unit site which is supplied with three diesel generators for emergency power. Each unit has a dedicated diesel and the third diesel is a swing diesel, which can align to either unit. The diesel generator model for this study aligns DG3 (the swing diesel) to Unit 2 in the event that the dedicated Unit 2 diesel (DG2) has failed. In order to make DG3 more available to Unit 1, the reliability of DG2 must be improved in addition to the reliability of DG3. Therefore, DG1 ranks as the highest single importance event. The third highest ranking event for risk reduction is the failure to recover offsite power within seven hours of loss of offsite power initiating event. The top fifteen events for risk reduction importance are all involved with station blackout sequences.
This result is consistent with the dominance of blackout type core damage sequences.

* As used here, the term mean value implies that the failure distribution of selected basic events is used (i.e., propagated through the sequence calculations) to determine the sequence frequencies, which are then summed to determine the core damage frequency. The term point estimate implies that the failure probability of each basic event is represented by a single value.

Table 1-1 Dominant Accident Sequences by Initiating Event Type

  Initiating Event Type          Mean Core Damage Frequency (/yr)   % of Total
  LOSP                           2.7E-5                             68%
  LOCA                           6.0E-6                             15%
  Interfacing LOCA               1.6E-6                             4%
  Transient                      2.0E-6                             5%
  ATWS                           1.6E-6                             4%
  Steam Generator Tube Rupture   1.8E-6                             4%
  Total                          4.0E-5
Similar information was generated for risk increase measures.
Risk increase is derived by calculating the core damage frequency with a given event probability set equal to 1.0, the maximum event probability value. The meaning of risk increase can be thought of as the resulting core damage frequency if the system, train or component is not available (e.g., always failed). The event with the highest risk increase measure is failure of the reactor protection system. The event with the next highest risk increase measure is related to the unavailability of the Refueling Water Storage Tank (RWST). The next group of three events are all common cause failures of the auxiliary feedwater system. The next group of four events involves check valve failures in the high pressure injection system. These represent single point failures in the suction and discharge piping.

[Figure 1-1. Contribution of Accident Groups for Surry. Pie charts: accident groups (LOSP, LOCA, V/SGTR, transient, ATWS); V/SGTR split into interfacing system LOCA (V) and steam generator tube rupture (SGTR); LOCA split into small LOCA and large LOCA; station blackout (SBO) split into battery depletion, seal LOCA, and short term SBO.]

[Figure 1-2. Surry Core Damage Frequency Uncertainty Distribution and Density. Two panels, cumulative probability and density, each plotted against core damage frequency from 1E-6 to 1E-3, with the 5%, median, mean, and 95% values marked.]

The third measure involves the relative importance of data uncertainties.
Uncertainty importance is calculated in a different manner than risk reduction or risk increase.
To assess uncertainty importance, an uncertainty calculation is made, holding the value of a particular event constant.
The upper and lower bounds of the uncertainty calculation are compared to the upper and lower bounds when all parameters are considered random variables.
The uncertainty importance calculations show that the diesel generator failure rates and loss of offsite power initiating event frequencies contribute the most to the overall statistical uncertainty.
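The risk reduction and risk increase measures described above can be worked through on a small cut-set model. This is an added example, not code from the report or from SETS/TEMAC: the cut sets, event names and all values are constructed, except the 7.7E-2/yr loss of offsite power frequency and the 2.2E-2/demand diesel start failure probability quoted in this report, and risk increase is taken here as the difference from the base frequency.

```python
from math import prod

# Constructed toy model. Only IE-LOSP (7.7E-2/yr) and DG1-FTS (2.2E-2/demand)
# use values quoted in the report; every other name and number is an assumption.
INITIATORS = {               # initiating event frequencies, per reactor year
    "IE-LOSP": 7.7e-2,
    "IE-TRANS": 5.0,
}
BASIC_EVENTS = {             # basic event probabilities
    "DG1-FTS": 2.2e-2,       # dedicated diesel fails to start
    "DG3-FTS": 2.2e-2,       # swing diesel fails to start (same value assumed)
    "DG3-MAINT": 1.0e-2,     # swing diesel out for maintenance
    "OSP-NONREC-7H": 0.5,    # offsite power not recovered within 7 hours
    "AFW-CCF": 1.0e-5,       # common cause failure of auxiliary feedwater
    "RPS-FAIL": 1.0e-5,      # reactor protection system fails
    "OP-SCRAM-FAIL": 0.1,    # operator fails to scram manually
}
VALUES = {**INITIATORS, **BASIC_EVENTS}

# Minimal cut sets: one initiating event plus the failures that, together,
# lead to core damage in this toy model.
CUT_SETS = [
    frozenset({"IE-LOSP", "DG1-FTS", "DG3-FTS", "OSP-NONREC-7H"}),
    frozenset({"IE-LOSP", "DG1-FTS", "DG3-MAINT", "OSP-NONREC-7H"}),
    frozenset({"IE-LOSP", "AFW-CCF"}),
    frozenset({"IE-TRANS", "RPS-FAIL", "OP-SCRAM-FAIL"}),
]


def frequency(cut_sets=CUT_SETS, values=VALUES):
    """Point estimate core damage frequency: sum of cut set products
    (rare-event approximation, valid while the products are small)."""
    return sum(prod(values[e] for e in cs) for cs in cut_sets)


def risk_reduction(event, cut_sets=CUT_SETS, values=VALUES):
    """Absolute drop in frequency if the event never happened (value 0)."""
    if event not in values:
        raise KeyError(event)
    return frequency(cut_sets, values) - frequency(cut_sets, {**values, event: 0.0})


def risk_increase(event, cut_sets=CUT_SETS, values=VALUES):
    """Absolute rise in frequency if the event always happens (probability 1).

    Only defined for basic events: an initiating event carries a frequency,
    so setting it to 1.0 would not mean "always failed".
    """
    if event in INITIATORS:
        raise ValueError(f"{event} is an initiating event, not a probability")
    if event not in values:
        raise KeyError(event)
    # With p = 1 some cut sets may stop being minimal; the plain sum is then
    # an upper bound, which is acceptable for ranking purposes.
    return frequency(cut_sets, {**values, event: 1.0}) - frequency(cut_sets, values)


def rank(measure, events, cut_sets=CUT_SETS, values=VALUES):
    """Events sorted by the given importance measure, largest first."""
    scored = [(e, measure(e, cut_sets, values)) for e in events]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    print(f"base frequency: {frequency():.4e} /yr")
    print("risk reduction ranking:")
    for name, value in rank(risk_reduction, VALUES):
        print(f"  {name:15s} {value:.4e}")
    print("risk increase ranking:")
    for name, value in rank(risk_increase, BASIC_EVENTS):
        print(f"  {name:15s} {value:.4e}")
```

In this toy model the initiating event that appears in the most cut sets leads the risk reduction ranking, while a low-probability single failure paired with a frequent initiator leads the risk increase ranking, which is why the two measures rank events differently.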
1.4 Conclusions

One of the major purposes of the Surry analysis was to provide an updated perspective on our understanding of the risks from the plant relative to the results of the WASH-1400 analysis.
It has been determined that changes to the plant design and its operating procedures, the evolution of Probabilistic Risk Assessment (PRA) methodology, and an increasing understanding of severe accidents have all had an impact on the perspectives on the dominant risks for Surry. This study concludes that station blackout (loss of all AC power) accidents are the dominant contributors to core damage. They account for approximately two-thirds of the internal events core damage frequency.
This result is partially due to certain features of the Surry electric power systems, which are discussed below, and may not be applicable to other plants. The station blackout analysis for this study was much more rigorous than that of WASH-1400.
All aspects of electric power modeling, plant response modeling, and development of event probabilities have been significantly improved over those used in WASH-1400.
The higher frequencies for station blackout are considered a more accurate assessment of the event than previous analyses.
Loss of coolant accidents inside containment are the second most dominant accident group, accounting for approximately one-seventh of internal events core damage frequency.
The prominence of this accident group is greatly reduced over the results of WASH-1400, which was completed in 1975. This is due to three factors: (1) improved operator procedures and training which direct operator intervention to mitigate LOCAs at an early stage and provide direction for coping with subsequent system failures, (2) the installation of several cross ties between the two Surry units that provide back-up systems to cope with emergency core cooling system failures, and (3) improved understanding and knowledge of containment systems performance, which has led to less constraining success criteria for containment systems. As with the station blackout conclusions, some of these improvements are specific to the Surry plant and may not be applicable to other PWRs. Loss of coolant accidents in interfacing systems outside of containment represent a moderate contribution to core damage, at four percent of the total, but are important contributors to risk because they may represent a direct release path to the environment.
The understanding of these events is relatively unchanged since WASH-1400.
In the ensuing years, the calculated frequency has been reduced due to more frequent check valve test intervals, and recently increased due to the inclusion of common cause failures in the quantification. The general reactor transient category (other than loss of offsite power) accounts for six percent of core damage frequency.
This category was a negligible contributor in WASH-1400.
However, the current understanding and phenomenology of loss of feedwater events is more comprehensive than in WASH-1400.
Anticipated transients without scram (ATWS) contribute approximately four percent to internal events core damage frequency.
Their frequency has been reduced from that calculated in WASH-1400, due in part to equipment modifications required by the ATWS Rulemaking and by improved procedures and operator training for this event. Steam generator tube rupture (SGTR) also accounts for approximately four percent of core damage frequency.
This event was not analyzed in WASH-1400. To date, however, at least five steam generator tube failure events have been large enough to require an Emergency Core Cooling System (ECCS) response and mitigation.
Tube ruptures are a form of interfacing LOCAs, and thus may be very important to risk, even though they do not dominate core damage frequency.
It is therefore appropriate to include these initiating events in the PRA.

1.4.1 Plant Specific Conclusions

As previously stated, the core damage frequency is dominated by station blackout events. There are many individual contributors to these scenarios, and it is not possible to identify a single issue or event that drives the frequency calculations.
The individual contributors are discussed below. The frequency of loss of offsite power at Surry was calculated to be 7.7E-2 per year using a combination of generic and site-specific data. This is better than average for U.S. nuclear plants, but is higher than expected if only the Surry specific experience of zero failures in 15 years were considered.
The calculation includes experience from other plants with switchyard configurations similar to Surry, which have experienced loss of offsite power. The calculation of probabilities for non-recovery of offsite power are also based on experience at other plants with similar switchyard configurations.
Since probabilities for loss and non-recovery of offsite power appear in every station blackout cut set, reduction of these probabilities could have an important effect on core damage frequency.
Events for diesel generator failure are also in each and every blackout sequence cut set. The probability for diesel failure to start was calculated from plant specific data to be 2.2E-2/demand.
This value is also slightly better than average for U.S. nuclear plants. The electric power configuration at Surry, however, provides three diesels for a unit site. This offers reduced redundancy compared to most other nuclear plants and tends to increase the probability of station blackout occurrence.
The AC power availability reduction resulting from the swing diesel configuration is overcome to a significant extent by the provision of cross ties between the charging systems and auxiliary feedwater systems at both units. Alternative sources of AC power at the Surry site were not included in the station blackout models. A gas turbine generator is at the Surry site, but current supporting systems and administrative procedures preclude its timely use during a station blackout.
The plant response to station blackout at Surry is similar to that of other PWRs. The dominant type of blackout sequence represents core uncovery due to long term battery depletion.
The battery depletion time was assessed to be 4 hours, which is typical for PWRs. The next most dominant sequence is the reactor coolant pump seal LOCA sequence.
A generic model for Westinghouse reactor coolant pumps was developed in Reference 40 and used in this study. It predicts a significant probability of severe seal degradation, starting at 1 1/2 hours from loss of seal cooling. Core uncovery is predicted to occur about 2 hours after onset of seal failure, unless AC power is restored and safety injection is provided within that time. Examination of the contributors to loss of coolant accidents provides insights regarding the Surry plant. The LOCA-induced core damage frequency for this study was significantly reduced over that of WASH-1400, particularly for the small LOCA events. This occurred in spite of a tenfold increase in the small LOCA initiating event frequency.
Plant modifications occurring since WASH-1400, which allow for cross tie of the high pressure safety injection systems, auxiliary feedwater systems, and refueling water storage tanks at each unit contributed significantly to this reduction in frequency.
In addition, Surry has a three tier system of emergency procedures which provide explicit instruction to utilize these cross ties. The Technical Specifications for these systems address component operability based on the operational status of both units, thus ensuring availability to the other unit even though the primary unit's status may not require it. The system cross ties available at Surry provide a reliable alternative for recovery of system failures.

1.4.2 Accident Sequence Conclusions

As previously noted, there are twenty-eight accident sequences in the Surry core damage model. These sequences are listed in Table 5-2 in section 5.0 of this report. The number of sequences in a PRA model and their relative size is strongly influenced by the PRA methodology utilized and the level of detail of the analysis.
The relative contribution of various types of sequences for a specific plant can provide insight into the types of accident scenarios which are important at that plant. As discussed earlier, the Surry units are provided with cross-tie capability between the AFWs, HPIs, and RWSTs at each unit. These cross ties provide a recovery potential which is not available at many other plants. The sequence profile reflects the importance of these cross ties. The highest single sequence is long term station blackout at Unit 1, leading to battery depletion and consequently loss of instrumentation and control power. As this sequence represents a blackout at Unit 1, with power available at Unit 2, reactor coolant pump seal cooling can be provided by the Unit 2 charging system, via the HPI cross tie. Thus, the risk of seal failure is averted, and the battery depletion scenario dominates.
The next highest sequence represents the seal failure scenario during station blackout.
This sequence represents a single unit blackout with failure to provide seal cooling via the cross tie. This can be due to equipment failure or operator error. Without cooling, the seals are at risk early in the sequence.
Seal failure is predicted to occur between 1-1/2 to 2-1/2 hours. If AC power is not restored in an additional two hours, core uncovery occurs. The fourth most dominant sequence represents the same scenario except that the sequence is a two-unit blackout, and seal cooling is unavailable due to loss of AC power at Unit 2. The other two prominent blackout sequences represent early (initial) failures of the auxiliary feedwater system or failure of the pressurizer PORVs to reclose after
opening. Failure to restore AC power within a limited time leads to core uncovery.
Examining the twenty sequences below 1E-6 indicates that long term sequences (which allow time for recovery) are not represented.
Specifically, there are no sequences representing small breaks with failure of ECCS recirculation.
This is due to two considerations.
First, emergency operating procedures direct operator intervention in a small break to cooldown and depressurize the reactor coolant system, thus minimizing the break flow. Second, the system cross ties enable the operators to recover from system failures.
The LOCA sequences that do contribute to the core damage model are the large breaks with failures in both injection and recirculation, and small breaks with failures in injection.
The common aspect of these accident categories is that they are fast moving sequences, happening early in time to the initiator, thus leaving little time for operator intervention or recovery.
Two types of transient sequences are prominent:
loss of all feedwater and ATWS sequences.
Loss of all feedwater sequences at Surry probably have lower frequencies than at most plants, due to the AFW cross tie. The ATWS sequences are short and fast acting, leaving little time for recovery.
1.4.3 Plant Damage State Conclusions
The core damage sequences in the plant model were combined into seven plant damage states for purposes of accident progression event tree analysis.
The plant damage state grouping is very similar to the sequence grouping shown in Table 1-1, except that station blackout has been divided into two groups: a fast blackout group representing the loss of AFW sequences, and a slow blackout group representing all other blackout sequences.
1.4.4 Uncertainty Considerations
The process of developing a probabilistic model of a nuclear power plant involves the combination of many individual events (initiators, hardware failures, operator errors, etc.) into accident sequences and eventually into an estimate of the total frequency of core damage. After development, such a model also can be used to assess the importance of the individual events. The sequence cut set* models supporting this study have been analyzed using several importance measures.
*Every accident sequence is the sum of one or more combinations of events that lead to core damage. These combinations of events are the detailed scenarios of the minimum sequence of failures (component and human) that result in core damage and are defined as "cut sets."
The results of the analyses using an uncertainty importance measure are summarized below. For this measure, the relative contribution of the uncertainty of individual events to the uncertainty in total core damage frequency is calculated.
Using this measure, the following events were found to be most important:
* Diesel generator fail to start
* Diesel generator fail to run for six hours
* Loss of offsite power initiating event
* Interfacing LOCA
* Unfavorable moderator temperature coefficient during ATWS
* Nonrecovery of offsite AC power after initial loss
1.4.5 Comparison to Reactor Safety Study
In the 13 years between the Reactor Safety Study (WASH-1400) analysis of Surry and the present study, both the Surry plant configuration and the understanding of reactor operation and safety have changed. WASH-1400 calculated a total core damage frequency from internal events of 5.5E-5. This study calculated a total core damage frequency from internal events of 4.0E-5. It should be noted when comparing the two that the WASH-1400 value for core damage frequency is a point estimate, based on the sum of individual sequence median values, while this study's value is the calculated mean of a distribution.
The modifications in plant configuration at Surry reduce the frequency of comparable WASH-1400 sequences to 1.7E-5, but consideration of seal LOCAs, steam generator tube rupture, and more detailed evaluation of station blackout, combine to increase the total core damage frequency to 4.0E-5. Some of the significant differences and similarities between this study and WASH-1400 are presented below:
* Reactor coolant pump seal LOCAs during station blackout are important in the present study, but not in WASH-1400.
* Station blackout followed by loss of AFW was important in both studies.
* ATWS sequences are not directly comparable due to increased knowledge of ATWS phenomenology, different probabilities for failure to scram, and different perceptions about operator error rates in ATWS situations.
* Understanding of interfacing LOCAs is relatively unchanged, while the frequency is slightly reduced. A reduction in the event frequency, due to increased valve testing frequency, was countered by inclusion of dependent failures in the quantification.
* The frequency of LOCA sequences, followed by failure of ECCS systems, is significantly lower in the present study than WASH-1400.
* The enhanced understanding of containment cooling phenomena and containment failure scenarios used in this study led to a significantly reduced dependence on containment cooling systems for the prevention of core damage.
Table 1-2 summarizes the comparable core damage frequencies of the dominant sequences for both studies.
1.4.6 Other Insights
Throughout the performance of a PRA, it is common to identify interactions and dependencies which were previously unexpected. One such component insight is discussed below.
The station blackout analysis revealed a unique interactive dependency which leads to an unexpectedly high probability of a non-isolable faulted steam generator during blackout.
Were this series of events to occur, they would not prevent the ability to provide steam generator heat removal, but would require additional actions to stabilize the AFW supply, may act as a precursor to AFW failure, and generally could add to the stress level and complexity of the event. The interactive dependency is manifested during station blackout, because all power is lost to both the steam generator level control valves and the steam generator atmospheric relief valves. The level control valves are located inside containment, are powered from a 480 VAC bus, are normally open, and fail open on loss of power. The atmospheric relief valves are powered from a semi-vital bus which loses all power upon station blackout.
Thus, during a blackout, steam relief will be through the steam generator safety valves until such time as flow paths to the condenser can be established via manual local valve line-ups.
This was estimated to be accomplished shortly after one hour. During this time, it was estimated that each SRV would open every 20 minutes, for a total of nine openings.
This number of openings gives a relatively high probability of failure to reclose. Should the safety valve fail to reclose, it is not isolable, and will lead to an uncontrolled blowdown of that steam generator.
The feedwater supply to that SG is not isolable either, because the level control valves fail open.

Table 1-2 Comparison of NUREG/CR-4550, Revision 1 and WASH-1400 Sequences
General Accident Type | NUREG/CR-4550, Revision 1 Mean (Median) Frequencies (1)
Station Blackout (Slow) | 2.2E-5 (8.2E-6)
Station Blackout (Fast) | 4.8E-6 (1.3E-6)
Anticipated Transient Without Scram | 1.6E-6 (4.2E-7)
Transients | 1.2E-6 (6.9E-7)
Interfacing LOCA | 1.6E-6 (4.9E-8)
Loss of Coolant Accidents | 6.0E-6 (3.5E-6)
Steam Generator Tube Rupture | 1.7E-6 (6.6E-7)
Total | 4.0E-5 (1.5E-5)
Approximate WASH-1400 Median Frequency (as listed): 3E-6, 4E-6, 6E-6, 4E-6, 2.9E-5; Total 4.6E-5
(1) Sum of means (or medians) of individual plant damage states

Entrance into containment to manually close the valves would be very difficult during a blackout.
Consequently, no credit was allowed in the analysis.
The AFW configuration at Surry is such that the level control valves represent the only way to isolate auxiliary feedwater to a single steam generator.
Thus, under these conditions, the faulted SG would continue to be fed and continue to blowdown.
This event does not prevent the ability to provide steam generator heat removal. However, it is an undesirable event which would add to the complexity of steam generator feed control, possibly increasing the probability of feed flow failure due to human error, lack of condensate, or possible phenomenological considerations.
2.0 PROGRAM SCOPE
The Surry Probabilistic Risk Assessment (PRA) was conducted during two periods. During the first period, the objective was to complete a near state-of-the-art PRA in a short time. This was accomplished, and following a review and some revisions, the PRA was published as NUREG/CR-4550, Volume 3 in November 1986. This report received extensive distribution and considerable review. In response to the comments from reviewers and especially the U.S. Nuclear Regulatory Commission (NRC), the utility industry, and Virginia Electric Power Company, an update of the report was initiated.
During the interim period, several changes were made to the plant and additional system and procedural details were examined.
The result is the significantly revised analysis presented in this document, NUREG/CR-4550, Volume 3, Revision 1, Parts 1 and 2. This report combines the tasks performed in the original analysis with the tasks accomplished during the revised analysis.
While the original objective was to perform a fast efficient PRA, it became necessary due to comments and criticism to examine additional details and to refine the models and techniques during the revised analysis.
One target in the analysis was to reduce conservatism as much as possible.
This resulted in much more than a six-month effort. To give the reader a perspective of the scope of this work, a list of PRA tasks is given below describing what was done in this analysis.
The level of detail is compared to a "state-of-the-art" PRA for each task and graded as (1) improved state-of-the-art, (2) state-of-the-art, (3) slightly abbreviated, (4) abbreviated and (5) not analyzed.
* Plant Familiarization Analysis--Information was collected from past Surry studies and the Final Safety Analysis Report (FSAR) and put together in an initial set of event trees, fault trees, and questions for plant personnel.
The pre-visit information gathering took a month. One week was spent at the plant gathering information first hand and regular contact with utility personnel was maintained throughout the course of the study. A confirmatory visit near the end of the first analysis and a subsequent visit during the revised analysis were conducted.
Several changes were made to the event trees, and a few changes were made to the fault trees. (Slightly abbreviated to state-of-the-art).
* Accident Sequence Initiating Event Analysis--Initiating event information (internal events only) from past studies and plant specific records were used. A thorough search for support system initiators was conducted.
During the revised analysis, these initiating events were reviewed.
Loss of component cooling water, loss of instrument air, loss of 120 VAC vital instrumentation bus, and steam generator tube rupture were re-evaluated.
The frequency and recovery factor for loss of offsite power was improved.
the-art)
* Accident Sequence Event Tree Analysis--Because the plant has been studied thoroughly, functional event trees were not developed.
Past studies and current containment analyses were used to identify the event tree headings necessary to model all reactor and containment functions.
No significant shortcuts were used to develop the system event trees. Nevertheless, several refinements were made in the revised analysis. (Improved state-of-the-art)
* System Analysis--The level of modeling detail was at the discretion of the analyst. If the system could be shown to be relatively unimportant, or if a detailed model would have taken an unreasonable amount of time, simplifications were made. If the system was considered important, a detailed modeling effort was undertaken.
The models are therefore a combination of detailed fault trees, abbreviated fault trees, Boolean expressions, and "black box" models. Fault trees for several systems were added in the revised analysis.
The level of detail in many existing fault trees was also increased.
Common cause failures were included in the fault trees rather than applying such failures by hand to the cut sets. Fault trees were expanded from "train level" modeling (called pipe segments in the earlier reports) to individual components.
Power dependencies were expanded from the train level to the motor control center level. This was done to a large extent for the benefit of the external events analyses, which use the internal events analysis models. (Ranges from abbreviated to state-of-the-art, depending on the system)
* Dependent and Subtle Failure Analysis--A significant effort was made to identify, model, and quantify dependent failures.
Intersystem dependencies were identified and modeled in the system analysis.
Subtle interactions found in past PRAs were reviewed for their applicability to Surry. A Licensee Event Report (LER) review of Surry was made to identify any unexpected interactions or common cause failures. (Slightly abbreviated to state-of-the-art).
* Human Reliability Analysis (HRA)--An abbreviated HRA procedure was developed (26) specifically for this program. An HRA specialist was present during the initial plant visit in order to determine performance shaping factors for the Surry plant. This was ultimately not possible due to the limited time allowed for this task. During the recovery analysis conducted in the revised analysis, each human error event was carefully tabulated, described, and re-evaluated.
Only errors of omission were considered in this analysis. (Slightly abbreviated)
* Data Base Analysis--A data specialist was present during the initial plant visit. As with the HRA specialist, time constraints limited the data search. However, a reasonable amount of plant specific data was collected.
In the revised analysis, additional plant specific data was obtained for components shown to be important in the initial analysis.
Where plant specific data was lacking, generic data was used. (Slightly abbreviated)
* Accident Sequence Quantification Analysis--A two stage event tree process and a two stage quantification process was used to reduce the number of sequences which required detailed quantification.
No significant shortcuts were taken in this area. All the accident sequences with potential for being greater than 1E-7 were analyzed in detail. (State-of-the-art)
* Plant Damage State Analysis--Issues from the accident progression event trees were identified by the back-end analysts for the front-end analysts to evaluate.
This evaluation resulted in the binning of core damage cut sets into plant damage states. (Improved state-of-the-art)
* Physical Process of Reactor Meltdown Accidents--Past thermal hydraulic calculations and calculations performed by the NUREG-1150 accident progression analysts were used as required. (State-of-the-art)
* Radionuclide Release and Transport--This was handled by the NUREG-1150 source term analysts.
* Environmental Transport and Consequence Analysis--This was handled by the NUREG-1150 consequence analysts.
* Seismic Risk Analysis--This is considered in Part 3 of Volume 3. (State-of-the-art)
* Fire Risk Analysis--This is considered in Part 3 of Volume 3. (Slightly Abbreviated)
* Flood Risk Analysis--This is considered in Part 3 of Volume 3. (Slightly Abbreviated)
* Other External Hazards (e.g., Tornadoes)--This is considered in Part 3 of Volume 3. (Slightly abbreviated)
* Treatment of Uncertainties--Statistical uncertainty in the failure data, uncertainty associated with the application of the failure data, and uncertainty caused by modeling assumptions and success criteria were all treated in the analysis.
In the original analysis, uncertainty was handled to a large extent by sensitivity studies. In the revised analysis, uncertainty was incorporated directly into the data. Expert opinion elicitations were conducted on issues that could significantly affect uncertainty.
Furthermore, several model and informational issues from the original analysis were resolved by additional study. (Improved state-of-the-art)
In addition to the comparison of this analysis to a state-of-the-art PRA, it is informative to identify some things that PRAs do not normally treat. The following list of items not normally treated in PRAs is taken with some modification from NUREG-1115 (4).
* Partial Failures
* Design Adequacy
* Adequacy of Test and Maintenance Practices
* Effect of Aging on Component Reliability (also burn-in phenomena)
* Adequacy of Equipment Qualification
* Environmentally-Related Common Cause
* Similar Parts-Related Common Cause
* Sabotage
The Surry PRA incorporated innovative operator accident response actions into the accident sequence recovery analysis.
In this aspect the PRA is improved over the state-of-the-art.
Innovative operator accident response was treated uniformly by all PRA teams using guidelines developed from a poll of experts.
3. PROGRAM REVIEW
To assure quality, two groups were chartered with the responsibility of reviewing the work and providing timely feedback.
Because the time available to complete the tasks in the original analysis was short, these reviews had to be intense, and Probabilistic Risk Assessment (PRA) team response time had to be almost instantaneous.
In the revised analysis, more time was available, but the review meetings were still intense and informative.
In addition to their review, public comments were received by the NRC and three other groups reviewed the work for their specific purposes.
3.1 Senior Consultant Group
The purpose of the Senior Consultant Group (SCG) was to provide a broad scope review of the methods and results of the reference plant PRAs. This high-level review was to further assure the validity and applicability of the products.
However, the SCG was not expected to provide detailed quality control or assurance of the products.
This group did not meet during the revised analysis.
The members of the SCG are listed below:
* Dennis C. Bley, PL&G
* Michael P. Bohn, SNL
* Gregory J. Kolb, SNL
* Joseph A. Murphy, NRC
* William E. Vesely, SAIC (formerly of BCL)
3.2 Quality Control Group
The goals of the Quality Control Group (QCG) were the following:
* to provide guidance regarding the methodologies to be utilized in the PRAs,
* to ensure the consistent application of the methodologies by all PRA teams, and
* to ensure the technical adequacy of the work.
These goals were met via periodic review meetings with the PRA teams. At these meetings, the QCG discussed the methodologies and reviewed, in detail, all technical work performed.
The QCG was composed of the individuals listed below; also shown is each individual's technical specialty:
* Gregory J. Kolb, SNL (QCG team leader, systems analysis, original analysis only)
* Gareth W. Parry, NUS (uncertainty analysis, systems analysis, reliability data)
* John Wreathal, SAIC (human reliability analysis, revised analysis only)
* Barbara J. Bell, formerly of BCL (human reliability analysis)
* Arthur C. Payne, Jr., SNL (systems analysis, reliability data, back-end interface)
* Eddie A. Krantz, INEL (systems analysis, original analysis only)
* David M. Kunsman, SNL (systems analysis, back-end interface)
* Gary Boyd, SAROS (systems analysis, back-end interface)
3.3 Utility Interface
A constant interface was maintained with the utility throughout the duration of the original analysis.
The Surry team leader was in constant contact with Surry engineering and plant personnel to ask questions and verify information.
The Surry contacts also reviewed the results presented in the first draft of the study and provided comments that were considered in the revised analysis.
The same close interface was carried through the revised analysis.
The utility support was extremely helpful.
3.4 Uncertainty Review Panel
This panel was formed at the request of the NRC to consider the way in which uncertainty had been analyzed in the draft NUREG-1150 and the supporting documents.
A three-day meeting was held on April 20-22, 1987, where a number of contributors to NUREG-1150 were invited to make presentations to the panel, as were others who were known to have views that were important to the assessment.
The panel addressed all areas of the uncertainty methodology including the statistical methods used, the way the results were presented, and especially the use of expert judgment.
As a result of the panel's findings, significant changes were made to the analysis [50]. The most important improvement was in the elicitation of expert judgment, which became a major effort in the revised analysis for both the front-end and back-end analyses.
3.5 Peer Review Panel
After the publication of the draft NUREG-1150 and the supporting front-end and back-end documents, the NRC Commissioners recommended a peer review because of the potential importance of these documents to the NRC's regulatory process. Lawrence Livermore National Laboratory was selected to coordinate this effort. Although this review panel was initiated by the NRC, it functioned independently.
Fourteen members were selected including national and international experts in the fields of nuclear reactor safety, probabilistic risk assessment, and severe accident phenomenology.
The individuals represented academics, research laboratories, electric utilities and consulting companies.
The first phase of their review was to address the draft documentation.
The second phase is to review the final NUREG-1150 and related documentation including this report. At least five formal meetings were held during the first phase, and testimony was given by numerous people, including the Surry analysts.
The findings are given in Reference 41. In general, the panel had a number of comments on NUREG-4550, and those comments relevant to the study have been addressed.
3.6 American Nuclear Society Committee
Many members of the American Nuclear Society (ANS) felt that the society should express its view regarding a document such as NUREG-1150 that has the potential to influence the perception of accident risks associated with nuclear power plants and have an impact on the regulatory process. Thus, the President of the ANS appointed a special committee to follow and comment upon the documentation and progress of the NUREG-1150 program. Their findings and recommendations on the draft NUREG-1150 are found in Reference 42. These findings and recommendations were based on a review of the February 1987 draft NUREG-1150, and the supporting documents, a review of the public comments, briefings by the NRC staff and others, and visits to Sandia National Laboratories by the Chairman and Vice Chairman to observe the expert review panel process and to discuss the ongoing analysis leading to the revised document.
3.7 Public Comments
During the several months when public comments were solicited, a number (approximately 50) of individuals and organizations performed detailed reviews of the NUREG-1150 related documentation.
Their comments were extensive.
These comments were submitted to the NRC and sorted by subject. Those comments applicable to the front-end analysis and, in particular, the Surry analysis, were reviewed by the analysts and considered to the extent possible during the revised analysis.
4.0 TASK DESCRIPTIONS
This section contains information on the major tasks performed for this study. Section 4.1 provides a task flow chart which shows the interrelationship of the individual tasks. The remaining subsections within Section 4 address each individual task as it applied to the Surry analysis.
Section 5 provides the information covered by the last task entitled "Interpretation of Results."
4.1 Task Flow Chart
The major tasks performed for this study are indicative of the general tasks performed in any Level 1 PRA. Figure 4.1-1 displays the major tasks carried out in this analysis and shows the primary information flow paths between each task. The entire process has been performed twice. The first time was during the initial analysis which began in July 1985 and resulted in the first draft of this report, printed in October 1986.
Following a comment and review period, the entire process was performed again in order to update the analysis and respond to comments received on the first draft. The following subsections reflect the combined effort for both the first draft phase and the reanalysis for each of the major tasks. Reference 3 provides more detailed descriptions of the methodology used in carrying out each task. The reader is referred to that volume and the subsections which follow in order to obtain a comprehensive description of how the Surry analysis was conducted.
Figure 4.1-1. PRA Task Flow Chart (task boxes: Initiating Event Identification and Grouping; Sequence Event Tree Analysis; Accident Sequence Quantification; Uncertainty/Sensitivity Analysis; Interpretation of Results; Plant Familiarization; Systems Analysis; Dependent Failures Analysis; Data Base Development; Human Interface Analysis)
4.2 Plant Familiarization
In order to assure that the analysis reflected the Surry Unit 1 plant, a plant familiarization task was performed.
During this effort, the analysts became familiar with the specific design, operational, and historical performance aspects of the unit. The initiating event experience, the models, failure data, and human reliability analysis are based on Surry specific inputs. The performance of this task constituted two plant visits; one plant visit initially and one near the end of the revised analysis.
Prior to the initial plant visit, the Surry PRA team reviewed previous fault tree and event tree analyses applicable to Surry, the fault tree and event tree sections of WASH-1400 and the sections of the Surry Final Safety Analysis Report applicable to the systems of interest.
Preliminary event trees, system fault trees, and simplified system schematics were constructed and preliminary success criteria and dependency matrices were developed to identify specific areas where information was needed to develop accurate models. Based on these initial activities, a package was prepared and sent to the plant identifying the plant specific information and data that was required, and a sampling of generic and specific questions concerning system design and operation that had arisen due to our initial review. The following sections provide brief descriptions of the plant visit and the information obtained during the visit.
4.2.1 Initial Plant Visit
A one week plant visit was arranged to meet with plant personnel.
Among the many areas of discussion were plant and system modeling questions, collection of system design and operational information, discussion of transient sequence progressions, and the operators' responses to these events. The PRA plant visit team included a human factors specialist, a containment analyst, and a failure-data specialist.
During the visit the team had discussions with the Surry supervisor of System Safety, the Operator Training Coordinator, and the head of Human Performance Engineering.
In addition, individual members of the PRA team talked with reactor operators, the Shift Technical Advisor, and members of the maintenance engineering staff. Discussions centered on gaining a clear understanding of the following items:
* The normal and emergency configurations and operation of the various systems of interest.
* System interdependencies.
* Design and operational procedure changes implemented at the plant within the last 5 years.
* Operational problem areas identified by plant personnel which might impact the analysis.
* The automatic and manual actions taken in response to various emergency conditions.
* The availability of plant specific operational data.
The emergency procedures which addressed actions identified by the PRA analysts as important actions were "walked through" with operations personnel.
The following tables provide a summary of the information requested from the Surry personnel prior to the plant visit: Table 4.2-1 identifies the plant specific information, drawings, and procedures requested based on the initial familiarization.
Table 4.2-2 identifies the information prepared by the PRA team prior to the plant visit which was to be reviewed for accuracy during the plant visit. Table 4.2-3 presents a preliminary set of questions provided to the plant personnel prior to the plant visit. Table 4.2-4 identifies the list of plant specific failure data requested.
Table 4.2-5 provides the preliminary list of events considered to require human reliability analysis for which information was required.
Table 4.2-6 identifies those areas in which the most recent analytical results were desired.
4.2.2 Information Obtained
A complete set of the current Surry piping and instrumentation drawings, wiring diagrams, and logic diagrams were provided by the Surry staff. Also, the Surry staff provided copies of the Surry Emergency Procedures, Abnormal Procedures, Emergency Contingency Action Procedures, Functional Restoration Procedures, current technical specifications, and several sections from the current revision of the Surry FSAR including the current list of equipment actuated by emergency safeguards signals, a list of emergency safeguards actuation functions, the list of major piping penetrations through containment, including line status, isolation requirements, post accident positions, etc., and safety injection control board indications.
The Surry personnel also provided the analysis team with the requested plant specific failure data and insight into the operational philosophy at the Surry plant.
4.2.3 Subsequent Plant Visit During the Reanalysis Phase
In March 1988, a subsequent visit was made to the Surry plant to determine timing factors and to confirm changes made in the reanalysis phase of the PRA. One day was spent at the Surry plant. The trip provided operator response information, timing, and innovative recovery for several sequences.
A plant tour provided insights for the recovery analysis.
Additional plant specific data was also obtained for the diesel generators, charging pump cooling service water strainers, and containment spray recirculation heat exchanger service water valves. The results of the trip were incorporated at the priate levels in the revi$ed analysis.
4~2-2 *
Table 4.2-1 List of Requested Information/Drawings/Procedures

PROCEDURES FOR THE FOLLOWING EVENTS
1. Loss of Station Power
2. Station Blackout
3. Reactor Coolant System Depressurization through Secondary Steaming
4. Loss of One AC Safety Bus (4160 V)
5. Loss of One DC Bus
6. Loss of Main Feedwater (MFW)
7. Loss of MFW and Auxiliary Feedwater (AFW) at One Unit (including procedures for feed and bleed or cross-connect of AFW between Units 1 and 2)
8. Turbine Trip
9. Loss of Component Cooling Water
10. Loss of Charging Pump Cooling Water System
11. Low Pressurizer Water Level
12. Loss of One 120 VAC Vital Bus
13. SIAS Actuation
14. Low or High Reactor Coolant System Pressure

ELEMENTARY WIRING DIAGRAMS
1. AC/DC Distribution System
2. Emergency AC (including DC power supply for diesel generator start)
3. SIAS
4. Consequence Limiting System

SIMPLIFIED LOGIC DIAGRAMS
1. Consequence Limiting System
2. SIAS
3. Diesel Generator Load Sequencers
4. AFW Initiation

LOAD LISTS FOR EMERGENCY BUS AND MOTOR CONTROL CENTER (AC & DC)

PIPING & INSTRUMENTATION DIAGRAMS
1. NSSS
2. Residual Heat Removal
3. Emergency Core Cooling Systems (LPI + HPI + ACC)
4. Containment Spray
5. Containment Recirculation Spray
6. SWS
7. Charging Pump Cooling System
8. MFW
9. AFW
10. Main Steam
11. Component Cooling Water System
12. Auxiliary Building Heating, Ventilation, and Air Conditioning (HVAC)
13. Turbine Building HVAC
14. Circulating Water System
15. Chemical Volume and Control System

LAYOUT DRAWINGS
1. Reactor Building
2. Auxiliary Building
3. Turbine Building

LIST OF POST-TMI MODIFICATIONS AT SURRY
Table 4.2-2 Information Prepared by the Surry PRA Team Prior to Plant Visit

A. System Success Criteria Matrix
* Defines system success criteria for each initiating event

B. System Dependency Matrix
* Identifies dependencies at the train level between front line systems (HPI, CSI, AFW, etc.) and support systems (AC power, DC power, SIAS, etc.)

C. Simplified Schematics for the Following Systems:
* High pressure injection/charging
* Low pressure injection
* Containment spray injection
* Containment recirculation
* Auxiliary feedwater
* Charging pump cooling water system
* Service water system

These schematics will be indicative of the level of detail of the system models.

D. Preliminary Event Trees
* Desire review of assumptions, sequence timing, and phenomenology.

Table 4.2-3 Typical Questions on System Design and Operation

GENERAL QUESTIONS/INFORMATION
1. Normal and actuation position of all ECCS valves.
2. List of components actuated by each train of SIAS, CLCS, and CIS.
3. Pump cooling requirements for AFW, HPI, LPI, CSI, CR (room cooling, seal cooling, motor cooling, etc.).

SPECIFIC QUESTIONS
1. What function do the cooling coils on the LPI pump inlets provide (SIS Unit 1 Sheet 1), and are they required for pump operation?
2. What is the function of the line from the RWST supply line to the LPI pumps (3/4"-SI-55-153)?
3. How many emergency service water pumps are there; three for each unit or three total?
4. Are the batteries, fuel oil system, etc., for the emergency service water pumps dedicated?
5. For valves, which power is removed (e.g., MOV 1869B), how is it removed, and how easy is it to restore?
6. Is power removed from HPI valve MOV 1842?
7. What is the normal operating position of LPI valve MOV 1890C?
8. Is there an HPI cross-connect between Units 1 and 2?
9. What isolation signals does MOV 1370 seal injection valve receive?
Table 4.2-4 Components for Plant Specific Failure Data

Component
* Boron Injection Tank Isolation Valves
* Main Condenser Isolation Valves
* Diesel Generators
* Emergency Service Water Pumps
* High Pressure Injection/Charging Pump
* Charging Pump Cooling Water Pumps
* AC/DC Buses
* Batteries
* Turbine-Drive Auxiliary Feedwater Pump
* Inside Containment Recirculation Pumps

Desirable Reliability Characteristics
* Cycles/Yr
* Failures/Cycle
* Potential Common Cause
* Cycles/Yr
* Failures/Cycle
* Potential Common Cause
* Outage Time for Test & Maintenance
* Probability (Fail to Start)
* Probability (Fail to Run)
* Probability (Fail to Start)
* Probability (Fail to Run)
* Probability (Fail to Run)
* Probability (Fail to Start)
* Probability (Fail to Run)
* Probability (Fail to Start)
* Probability (Short to Ground)
* Other Failure Types
* Probability (Unavailable on Demand)
* Outage Time for Test & Maintenance
* Probability (Fail to Start)
* Failure History (From Test)

Table 4.2-5 Events for Human Reliability Analysis
* Feed and Bleed
* Reactor Coolant System Depressurization by Secondary Steaming
* Cross-Connect of Auxiliary Feedwater from Unit 2
* Anticipated Transient Without Scram (Failure of Boration or Manual Scram)
* Switchover to High Pressure Recirculation for Small Loss-of-Coolant Accident
* Diesel Generator Sharing During Loss of Offsite Power
* DC Battery Test

Table 4.2-6 Request for Most Up-to-Date Analysis in Following Areas
* Anticipated Transient Without Scram
* Feed and Bleed
* Reactor Coolant System Depressurization Through Secondary Steaming
* Station Blackout (Battery Depletion Time and Auxiliary Feedwater Pump Cooling Requirement)
* Charging Pump Cooling Water Requirements
* Reactor Coolant Pump Seal Cooling Water Requirements (and Seal LOCA Sizes)

4.3 Initiating Event Identification and Grouping

Initiating event (IE) identification and grouping were performed for Surry in accordance with the methodology in Reference 3. This task involved the identification of potentially significant initiators at nuclear plants, determining their applicability to the Surry plant, and grouping the initiators into categories based on similar plant response and similar success criteria for successful initiator mitigation.

As discussed in Reference 3, it is not the intent of a focused PRA to explicitly evaluate (i.e., perform event sequence quantification) every possible initiating event. The intent is rather to evaluate those initiators which have previously been shown to be important and to ensure that all other potential initiators can be adequately represented by those initiators chosen for explicit evaluation.

As such, the IE identification for this study was based on a three part evaluation. First, initiators which were shown in previous studies to be important contributors to core damage or risk were automatically included for evaluation. Second, losses of support systems were examined on an individual basis to determine if they should be included as initiating events. And third, plant specific evaluations of system configurations were done to determine if certain events which were not important at other plants may be important at Surry due to unique spatial or systemic dependencies between those initiators and mitigating systems.

The final list of initiating events which formed the basis for accident sequence quantification and their frequencies is shown in Table 4.3-1. The selection of these events is described in the following sections. Section 4.3.1 identifies the sources used to search for initiators which have been previously shown to be important and thus were automatically included. Section 4.3.2 discusses the evaluation of support system failures. Section 4.3.3 discusses the evaluation of special initiators. Section 4.3.4 presents the final list of IEs identified for Surry and those initiators omitted from detailed evaluation in the study. Finally, Section 4.3.5 is a summary of important assumptions and ground rules in the initiating event selection.

4.3.1 Initiating Event Identification

Table 4.3-2 lists the sources used to identify initiating event candidates. Each candidate in the source list was reviewed for its impact on plant operation. Initiators which caused demand for automatic reactor trip were retained for further evaluation and grouping (e.g., loss of main feedwater or loss of flow in one RCS loop). Initiators which would not be expected to lead to an imminent (less than 10 minutes) reactor trip were retained for grouping or eliminated on the basis of equipment which was failed by the initiator. Initiators which failed front line or support systems, and could eventually lead to reactor shutdowns, were generally retained for grouping. Some of these were addressed in the support system evaluation, while others were evaluated on an individual basis. Initiators which would not cause reactor shutdown directly or indirectly were eliminated. Initiators which could possibly lead to shutdown through Technical Specification violations were not included. Manual shutdowns for refueling or administrative reasons were not evaluated in this study. Initiators retained for event tree analysis were grouped into categories based on plant response and success criteria required for successful mitigation.

Table 4.3-1 Initiating Event Categories Used in the Surry PRA

Abbreviation   Description                                  Frequency* (/Yr)
T1             Loss of Offsite Power                        7.7E-2
T2             Transients with Loss of MFW                  9.4E-1
T3             Transients with MFW Initially Available      7.3
T5A            Non-Recoverable Loss of DC Bus A             5.0E-3
T5B            Non-Recoverable Loss of DC Bus B             5.0E-3
T7             Steam Generator Tube Rupture                 1.0E-2
A              Large LOCA, 6" - 29"                         5.0E-4
S1             Medium LOCA, 2" - 6"                         1.0E-3
S2             Small LOCA, 1/2" - 2"                        1.0E-3
S3             Very Small LOCA, less than 1/2"              1.3E-2
V              Interfacing LOCA                             1.6E-6

* Mean Values

Table 4.3-2 Sources of Initiating Event Candidates

1. Search of LERs at Surry Unit 1 and Unit 2 from 1979 to 1987.
2. NUREG/CR-3862, Development of Transient Initiating Event Frequencies for Use in PRA, May 1985.
3. List of Subtle Interactions Supplied by SANDIA.*
4. Questions during plant familiarization trip.
5. Review of past PRAs on PWRs.
6. List of Potential Initiators from ASEP Methodology.(3)

* Letter from F. T. Harper and G. J. Kolb to PRA experts, "Subtle Interactions Found in Past PRAs and PRA-Related Studies," July 2, 1985.

4.3.2 Support System Failures

A list of systems at Surry which provide support services to components in front line safety systems and normally operating systems was developed. Each of these systems was viewed as a potential initiator. A Failure Mode and Effect Analysis (FMEA) was
completed on each support system to determine if failure of the entire system or portions of it would lead to reactor trip. These FMEAs are presented in Appendix D of this report. Loss of a support system was explicitly included as a separate initiating event if four criteria were met. First, loss of the system must lead to an imminent reactor trip, either through a direct or indirect action. Second, loss of the system must fail front line systems (those systems used to respond to reactor trips). Third, it must potentially have a core damage frequency above 10-/yr. Finally, it must not clearly be covered by another initiating event group. The results of this investigation, showing the resolution for each support system, are summarized in Table 4.3-3. A brief discussion of some of these evaluations is given below.

Table 4.3-3 Summary of Loss of Support Systems as Initiators

DC Bus 1A
* Impact on normal operation: Reactor trip due to MSIV closure, or RPS failure
* Attendant important system failures: Loss of switchgear for Train A, loss of MFW, turbine bypass
* Estimated annual frequency: 5E-3
* Resolution: T5A initiating event

DC Bus 1B
* Impact on normal operation: Reactor trip due to MSIV closure, or RPS failure
* Attendant important system failures: Loss of switchgear for Train B, loss of MFW, turbine bypass
* Estimated annual frequency: 5E-3
* Resolution: T5B initiating event

480 VAC Bus 1H
* Impact on normal operation: No direct impact
* Attendant important system failures: Loss of Train A ECCS pumps
* Estimated annual frequency: 5E-3
* Resolution: Not included as an initiating event. Although it disables standby ECCS equipment, it doesn't cause a transient nor cause direct or indirect reactor trip.

480 VAC Bus 1H1-1
* Impact on normal operation: No direct impact
* Attendant important system failures: Loss of many Train A ECCS valves and some small non safety pumps
* Estimated annual frequency: 5E-3
* Resolution: Not included as an initiating event. Loss of power to ECCS valves will not cause a transient nor a reactor trip. With the exception of the HPI-SW and HPI-CC pumps, none of the pumps perform a core cooling related function. All functions can be performed by redundant pumps. No direct or indirect reactor trip.

4160 VAC Bus 1H
* Impact on normal operation: No direct impact
* Attendant important system failures: Loss of Train A ECCS; loss of Train A charging; loss of 480 VAC 1H; loss of 480 VAC 1H1-1
* Estimated annual frequency: 5E-3
* Resolution: Not included as an initiator. See resolution for 480 VAC buses.

4160 VAC Bus 1J, 480 VAC Bus 1J1, 480 VAC Bus 1J1-1
* Same as H train counterpart

120 VAC VB I
* Impact on normal operation: Turbine runback; reactor trip likely
* Attendant important system failures: Reduced redundancy in some instrumentation
* Estimated annual frequency: 5E-3
* Resolution: Represented by T2 initiators

120 VAC VB II
* Impact on normal operation: Loss of cooling to 1 RCP; immediate reactor shutdown
* Attendant important system failures: Same as VB I
* Estimated annual frequency: 5E-3
* Resolution: Represented by T2 initiators

120 VAC VB III, 120 VAC VB IV
* Same as VB II

Containment Instrument Air
* Impact on normal operation: No direct impact
* Attendant important system failures: Loss of pressurizer spray; loss of containment vacuum pumps
* Estimated annual frequency: .01
* Resolution: Not included as an initiator because it does not lead to imminent reactor trip

Outside Instrument Air
* Impact on normal operation: Reactor shutdown on MSIV closure
* Attendant important system failures: Loss of MFW; loss of turbine bypass; loss of SG-ADV
* Estimated annual frequency: .01
* Resolution: Represented as T2 initiator

Component Cooling Water
* Impact on normal operation: Reactor shutdown on loss of RCP cooling
* Attendant important system failures: Loss of Containment Instrument Air; loss of RHR shutdown cooling
* Estimated annual frequency: 2E-3
* Resolution: Included as T3 initiator. Many losses of CCW are recoverable using Unit 2 components. Non-recoverable loss of CCW estimated at 2E-4.

Bearing Cooling Water System
* Impact on normal operation: Reactor trip on loss of MFW
* Attendant important system failures: Loss of MFW; loss of turbine bypass; loss of Outside Instrument Air
* Estimated annual frequency: 2E-3
* Resolution: Included as T2 initiator

HVAC
* Impact on normal operation: None
* Attendant important system failures: None
* Resolution: Not included as an initiator

HPI-SW - 1 train
* Impact on normal operation: None
* Attendant important system failures: None
* Estimated annual frequency: 1.0
* Resolution: Redundant train available. Not an initiator.

HPI-SW - both trains at Unit 1
* Impact on normal operation: Loss of charging pump cooling
* Attendant important system failures: None
* Estimated annual frequency: .03
* Resolution: Core damage frequency from this initiator estimated to be less than 1E-7/yr. Not explicitly included in study. See Appendix D for calculation.

HPI-CC - 1 train
* Impact on normal operation: None
* Attendant important system failures: None
* Estimated annual frequency: .3
* Resolution: Redundant train available. Not an initiator.

HPI-CC - both trains at Unit 1
* Impact on normal operation: Loss of charging pump cooling
* Attendant important system failures: None
* Estimated annual frequency: 1.3E-3
* Resolution: Core damage frequency from this initiator estimated to be less than 1E-7/yr. Not explicitly included in study. See Appendix D for calculation.

Service Water Canal
* Impact on normal operation: Reactor trip
* Attendant important system failures: Loss of all heat sink
* Resolution: No events greater than 10^-7 within the scope of the study could be postulated

1) Loss of Service Water (Low Intake Canal Level)

The service water system at Surry is a free flow, gravity fed system which depends on a differential water level between the intake canal and discharge canal to provide the driving head for service water flow. The intake canal is approximately 1-1/2 miles long and normally contains 45 million gallons of water. The normal height differential between the intake and discharge canals is about 27 feet. Eight circulating water pumps of 210,000 gpm each constantly supply water to the canal. The major load on the canal during plant operation is the condenser cooling requirements, which account for approximately 1.6E+6 gal/min if both units are generating at full power. Should the canal have insufficient water inventory, the plant's ultimate heat sink would be unavailable.

It was concluded (within the scope of this study) that the only identifiable event with any significant frequency which could lead to insufficient canal level is a station blackout (loss of all AC power). During station blackout, power is lost to the condenser isolation valves and canal drainage is estimated to occur in 30 minutes. Therefore, insufficient canal level was included as a possible occurrence during station blackout, but was not considered as a separate initiating event.

During normal operation, a balance is maintained in the canal between the circulating water pump supply and the condenser discharge. Other loads in the canal are minimal compared to these cooling requirements. Emergency service water pumps of 45,000 gpm capacity are provided. This capacity matches the safety related loads. During normal operation, if the canal level drops below 18 feet (from a usual 27 feet), the turbines and reactors at both units will receive trip signals, and the condenser waterboxes will be isolated (supplied by 1E power). Therefore, any postulated failures during normal operation which alter the canal balance would be terminated when the canal level reached 18 feet. Failure to isolate one or more of the condensers would cause continued canal outflow; but consideration of overall effect on canal level must include the amount of inflow available from the circulating water pumps. If all condensers isolate, the residual level in the canal is sufficient to supply safety related loads for about 16 hours even if there is no more inflow into the canal. Trip on low canal level, with subsequent condenser isolation, is a contributor to the turbine trip initiating event category, but does not represent a unique systemic failure state of the plant. Failure to isolate the waterboxes upon low canal level was a low probability event for the case when canal inflow was available (i.e., offsite power available). Insufficient canal level was therefore not considered an initiating event, but was addressed in the context of station blackout. The impact of environmental events such as marine growth, or seismic events, on canal inventory was not included in this evaluation.

2) Loss of a 120 VAC Instrumentation Bus

Surry has four vital instrumentation buses, each of which receives power from an uninterruptible power supply. Loss of any one bus will lead to reactor trip through loss of cooling to a reactor coolant pump or turbine runback, which could potentially cause a reactor trip due to the inability to control all reactor parameters within trip limits. Loss of a single vital bus causes reduced redundancy of some safety related instrumentation, but does not cause the unavailability of any ECCS equipment. Loss of only one vital bus is therefore a minimal contributor to the loss of main feedwater event category (T2). Since each vital bus has an independent power supply, a simultaneous failure of multiple power supplies would be needed to fail a vital bus. No common mode failure of multiple buses could be identified.

3) Loss of Component Cooling Water (CCW)

Loss of CCW at Surry was determined to be relatively insignificant as a separate initiator. Loss of CCW will cause loss of cooling to the reactor coolant pump (RCP) motors and thermal barrier, and will eventually lead to loss of containment instrument air (outside instrument air will not be affected, as it is cooled by the bearing cooling water system). Loss of CCW will not cause a direct reactor trip but will lead to immediate reactor shutdown due to the required tripping of the RCPs upon loss of cooling. Loss of CCW is important at Surry only in that it fails a redundant source of RCP seal cooling. Although loss of CCW does fail the residual heat removal (RHR) system at Surry, it does not fail the ECCS, because they are separate, independent systems. Loss of CCW was not included as a separate initiator for the following reasons:

* Loss of CCW does not fail RCP seal injection flow.
* Loss of CCW does not fail MFW or any other system which is required to maintain the plant in hot shutdown.
* Non-recoverable loss of CCW is estimated at 2E-4 as an initiator. It is functionally equivalent to a T3W condition (transients with MFW initially available with loss of CCW). T3W, as calculated by the fault trees, is about 5E-4. The seal vulnerable condition caused by T 3 o 3 W was calculated at 1.5E-8. Loss of CCW as an initiator would be expected to lead to a seal vulnerable condition with a frequency of 6E-9/yr, based on the T 3 o 3 W results.

4) Loss of Instrument Air

The subatmospheric containment design at Surry results in the need for two independent instrument air systems. One system supplies loads inside containment and one supplies loads outside containment. Both systems were examined for potential as initiating events.

The FMEA evaluation shows that loss of containment instrument air would not result in a plant trip. In addition, the only important function which would be disabled by loss of containment instrument air is the pressurizer spray function (both normal and auxiliary). Although the PORVs inside containment are air operated, they are supplied with nitrogen bottles to provide motive force when instrument air is unavailable. For these reasons, loss of containment instrument air was not considered as an initiator for Surry.

Loss of outside instrument air was also examined to determine its potential as an initiating event. Loss of outside instrument air will result in reactor trip due to MSIV closure. In addition, loss of outside instrument air will cause:

1. CCW to containment is isolated.
2. Service water to containment fan coolers is isolated.
3. A false low water level signal in the SG is generated.
4. A false low water level signal in the SW canal is generated.
5. MFW regulator valves and bypass valves fail closed.
6. Steam admission valves to the turbine driven AFW pump fail open, thereby starting the pump.
7. Atmospheric dump valves on SG will be unavailable.
8. Steam dump to the condenser will be unavailable.

Loss of outside instrument air was considered as a potential initiator from two aspects: as a precursor to a seal vulnerable condition and as a precursor to loss of all feedwater.

Loss of instrument air is a precursor to a seal vulnerable condition because it isolates CCW to the RCP thermal barrier, thus failing one method of seal cooling. Should seal injection flow fail prior to restoration of air, a seal vulnerable condition would exist. In addition, RCS cooldown and depressurization is not possible until instrument air is restored. A conservative estimate of 10^-2/yr was used for loss of the entire outside air system. An estimate of 3E-5 was used for the probability of failure of seal injection flow in the next 24 hours. This considers that three pumps are available to provide flow and seal injection flow is operating at the time of loss of instrument air. The probability of a seal vulnerable condition due to loss of air is therefore 3E-7/yr. There are still two recovery actions which are applicable in this situation. HPI flow can be cross connected from Unit 2, or localized repair to the instrument air system could be completed to restore necessary functions. The potential for these two recovery actions, combined with an estimated frequency of 3E-7/yr for the seal vulnerable condition, led to the dismissal of loss of IA as an important precursor to seal LOCA.

Loss of outside instrument air is also functionally equivalent to a loss of main feedwater transient (T2), with an additional limitation on SG heat removal in that heat must be removed by the SG-SV until manual, local steam relief can be aligned. All safety functions which are required after a reactor trip can be provided without outside instrument air.

Because loss of outside instrument air is functionally equivalent to a T2 transient initiator, and the frequency of loss of outside instrument air (estimated at .01 per year for loss of the total system) is much lower than that of T2 (about 1 per year), loss of outside instrument air was not included as a separate initiating event but considered to be represented by the loss of main feedwater category.

5) Loss of a 4160 VAC or 480 VAC Bus

A non-recoverable loss of a single 4160V or 480V bus was analyzed to determine its potential as an initiating event. The analysis revealed that such an event may result in loss of one train of normally operating systems, or standby systems. However, these events were shown not to cause a direct or indirect reactor trip without additional equipment failures. For that reason, they were not included as separate initiators.

In NUREG/CR-4550 Volume 3, Rev. 0, loss of a 480V bus was considered as a separate initiator because a loss of 480V would cause loss of a 120 VAC instrumentation bus. However, the current Surry design provides uninterruptible power supplies to the instrumentation buses, thereby eliminating this interaction.

6) Loss of Charging Pump Cooling

Charging pump cooling at Surry is provided by a small dedicated cooling water system. The only loads on this system are the charging pump cooling loads. The system has two independent, redundant trains which are supplied with emergency power. Unit 2 has an identical system and the like trains at each unit can be cross tied. Either train of service water can supply both charging pumps.

Complete loss of charging pump service water has occurred in the past at Surry. The charging pumps operated in the normal charging mode for more than an hour without exceeding bearing temperature limits. Charging pump cooling is required when the charging pumps operate in the safety injection mode, but past experience indicates that loss of cooling will not lead directly to a loss of the charging pump. Loss of all charging pumps would be a potential initiator because they provide RCP seal cooling, boron injection, auxiliary pressurizer spray, RCS inventory control and safety injection flow. However, loss of HPI-SW does not necessarily lead to loss of charging pumps. This consideration, plus an evaluation of how many additional failures must occur to result in core uncovery, led to the dismissal of this event as a separate initiator.

7) Loss of HVAC

Loss of HVAC loads were examined on an individual basis. The most critical portion was considered to be that part of the system that cools the control room and the switchgear room underneath it. These rooms are on the same HVAC. In both cases, it was concluded that opening the doors in both rooms could control temperatures to acceptable levels.

4.3.3 Special Initiators

Three events at Surry were determined to be important enough for investigation, but ultimately were not evaluated using event trees.

1) High Energy Pipe Rupture in AFW Room

The room at Surry which houses the AFW pumps also serves as a through area for the main steam lines and the feedwater lines. In addition to the piping, the AFW room contains three MSIVs, three main steam non-return valves, three steam generator atmospheric dump valves, fifteen steam generator relief valves, one small decay heat relief valve and three main feedwater check valves. There are a total of 28 valves in the room. The concern is that rupture of a valve body or steam-water line could flood the room with steam and/or water, thereby failing all three AFW pumps.

Rupture of any component except the main feedwater check valves would be functionally equivalent to a T3L sequence. Main feedwater would still be available and the AFW cross connect from Unit 2 would still be available. Rupture of the check valves would be equivalent to a T2L, with AFW available from Unit 2. None of the flow control valves or pumps necessary for MFW at Unit 1 or AFW at Unit 2 are in the Unit 1 AFW room. The decision not to include this initiator in the study was based on comparison of the estimated frequency of valve rupture, the frequency of T3L and T2L, and their contribution to core damage frequency.

Using a failure probability of 1E-9/hr for rupture, the annual frequency of valve or pipe rupture is estimated to be on the order of 3E-4. A large enough break must be postulated so that all three AFW pumps fail due to flooding or an overheated environment. The AFW pumps are at the bottom of the room and the steam lines are at the top. An incident during the early years of plant operation resulted in a steam release to the room; however, it was not severe enough to heat up the lower portions of the room. The frequency of severe valve/pipe rupture was estimated as follows:

(28 vlv × 1E-9/hr + 6 pipe seg × 1E-10/hr) × 8760 hr/yr = 2.5E-4

T3L as quantified with fault tree analysis is about 2E-3/yr. There were no sequences with T3L greater than 1E-7/yr. Rupture of a steam line at 3E-4/yr is therefore expected to be an insignificant contributor to core damage. T2L as quantified with fault trees is about 3E-4/yr. Feedwater rupture (equivalent to T2L) is estimated to be 5E-5/yr. T2L sequences contribute about 1.5E-6/yr. This would mean that rupture of a feedwater line in this room would be a small, but not negligible contributor to core damage frequency. The results of this calculation are greatly influenced by the value used for valve/pipe rupture. This event was not explicitly included in the core damage frequency, but should be periodically reevaluated as pipe rupture data is improved.

The frequency of this event is judged to be comparable to the frequency of other sequences which result in the same systemic failure state and which were evaluated in the study (e.g., T3L sequences). Steam line or FW line rupture in the AFW room was therefore not explicitly included in the quantification, but should be periodically reevaluated as pipe rupture data is improved.
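The screening estimates quoted above for loss of CCW, loss of outside instrument air, and rupture in the AFW room can be reproduced with the short Python sketch below, which is an added example and not part of the report. The function names, the proportional scaling of the T2L result to the feedwater rupture, and the use of 1E-7/yr as a common yardstick for all three cases are assumptions of the example.

```python
"""Initiating-event screening arithmetic from Sections 4.3.2 and 4.3.3.

Added example: the input numbers are quoted from the report text; the
helper names and the proportional-scaling step are assumptions.
"""

HOURS_PER_YEAR = 8760
# Per-year value that Table 4.3-3 cites when it screens out an initiator.
SCREENING_VALUE = 1e-7


def rupture_frequency(groups):
    """Annual frequency of any rupture among (count, rate per hour) groups."""
    for count, rate in groups:
        if count < 0 or rate < 0:
            raise ValueError("counts and rates must be non-negative")
    return sum(count * rate for count, rate in groups) * HOURS_PER_YEAR


def conditional_probability(outcome_freq, state_freq):
    """P(outcome | state) from two frequencies quantified for one state."""
    if state_freq <= 0:
        raise ValueError("state frequency must be positive")
    if outcome_freq > state_freq:
        raise ValueError("outcome cannot be more frequent than its state")
    return outcome_freq / state_freq


def scaled_frequency(candidate_freq, outcome_freq, state_freq):
    """Outcome frequency for a candidate initiator that is functionally
    equivalent to a state the fault trees have already quantified."""
    return candidate_freq * conditional_probability(outcome_freq, state_freq)


def screening_table():
    """Return {case: (estimate per year, at or above the screening value)}."""
    cases = {
        # Non-recoverable loss of CCW (2E-4/yr) mapped onto T3W (5E-4/yr),
        # whose seal vulnerable condition was calculated at 1.5E-8/yr.
        "loss of CCW -> seal vulnerable": scaled_frequency(2e-4, 1.5e-8, 5e-4),
        # Loss of outside instrument air (.01 per year) times the 24-hour
        # seal injection failure probability (3E-5).
        "loss of outside IA -> seal vulnerable": 1e-2 * 3e-5,
        # Feedwater rupture in the AFW room (5E-5/yr) mapped onto T2L
        # (3E-4/yr), whose sequences contribute about 1.5E-6/yr.
        # Scaling this case proportionally is the example's assumption.
        "feedwater rupture -> core damage": scaled_frequency(5e-5, 1.5e-6, 3e-4),
    }
    return {name: (f, f >= SCREENING_VALUE) for name, f in cases.items()}


# Section 4.3.3: 28 valves at 1E-9/hr plus 6 pipe segments at 1E-10/hr.
AFW_ROOM_RUPTURE = rupture_frequency([(28, 1e-9), (6, 1e-10)])

if __name__ == "__main__":
    print(f"AFW room rupture: {AFW_ROOM_RUPTURE:.1e}/yr")
    for name, (freq, above) in screening_table().items():
        side = "at or above" if above else "below"
        print(f"{name}: {freq:.1e}/yr ({side} {SCREENING_VALUE:.0e}/yr)")
```

The instrument air case lands above the yardstick before recovery is credited, which matches the text's reliance on the Unit 2 cross connect and local repair to dismiss it; the feedwater rupture case lands above it as well, consistent with "small, but not negligible".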
: 2) Interfacing LOCA 3) Interfacing LOCAs were included in the study and were quantified as an initiating event. However, because they lead directly to core damage without the presence of any additional failures, it was not necessary to evaluate these events through the use of event trees. Interfacing LOCAs were evaluated as an expert exlicitatfon issue. The analysis is discussed in Reference
: 40. The calculated mean frequency was found to be l.6E-6/yr.
Reactor Vessel Rupture Previous PRA studies (References 2, 7, 10) have explicitly quantified reactor vessel rupture as an initiating event. It is postulated to be of a size and location that it leads directly to core damage. The quencies prevfously calculated were from 1 E-7 /yr to 1.1 E-6/yr. These studies did not identify a specific failure mechanism for this event. The frequency calculation was based on statistical evaluation of torical data, whic\_1s zero disruptive failures in ASME pressure vessels since 1942. With the exceptiop of pressurized thermal shock, no specific failure mechanisms (such as thermal cycling, fatigue, overpressure) have .been identified, which can be evaluated with a structured frequency calculation.
The calculation of a frequency is therefore based on interpretation of the existing data. References 2, 7, and 10 have done this, and the median value for rupture was calculated in the low lE-7 /yr range. Error factors on this median value are a subjective matter. Reference 10 postulated an errir factor which resulted in the calculation of a mean value of 10-/yr
Without postulating particular reactor vessel rupture scenarios, it is not possible to identify any interactions with containment systems. Presuming all containment systems would be nominally available after a reactor vessel rupture, a single sequence that was in the 1E-7 to 1E-6 range would be a very small contributor to risk at typical PWRs.
Pressurized thermal shock (PTS) has been identified as a credible mechanism for reactor vessel failure in PWRs with certain levels of copper in the vessel welds. As accumulated neutron fluence on the welds increases, the ductility of the weld decreases.
If severe overcooling transients occur or conditions occur where the reactor is pressurized at low temperatures, catastrophic weld failure can occur. The probability of reactor vessel failure depends on
* Weld material composition, particularly copper
* Accumulated neutron fluence at each weld
* Frequency and severity of overcooling transients
These factors vary for each plant. A key parameter is the reference temperature for transition to nil ductility (RTND). A temperature of 270°F has been established for Surry as the temperature below which transition to nil ductility is of minimal concern.*
Reference 6 calculates the frequency of core damage from PTS for a hypothetical H.B. Robinson reactor vessel to be 1E-8/yr. The actual copper content of the Robinson reactor vessel is so low that it was not possible to derive a statistically significant core damage frequency due to PTS. The copper content was increased in the study models to the point where a RTND of 270°F was calculated for the end of licensed life (32 effective full power years). This allows for the calculation of statistically significant conditional probabilities of core damage, given an overcooling transient.
The RTND at EOL for Surry Unit 1 is 269°F when calculated in accordance with 10CFR50.61, and 260°F when calculated in accordance with Regulatory Guide 1.99, Rev. 2. Since H.B. Robinson is of similar design to Surry, the frequency and severity of overcooling transients are expected to be similar. Because the calculated RTND for Surry is less than the 270°F used in the Robinson analysis, it is concluded that core damage due to PTS at Surry is expected to be minimal compared to core damage from other causes.
In conclusion, it was determined that under the worst possible conditions, reactor vessel rupture is a small contributor to core damage (< 1%) and a negligible contributor to risk. With the exception of PTS, no specific credible mechanism for reactor vessel failure has been postulated.
Calculation of a frequency based on historical experience is limiting due to the lack of failures.
PTS for Surry has been estimated to be in the 1E-8/yr range. Reactor vessel rupture was therefore not explicitly included as an initiator.
* Personal communication with Johnson, USNRC, July 1988

4.3.4 Final Initiating Event Selection
The final list of initiating events which were explicitly analyzed and became the basis for accident sequence quantification is shown in Table 4.3-1. These events and the initiator categories which they represent are further expanded upon in Table 4.3-4 for transients and Table 4.3-5 for LOCAs.
The three common transient initiator categories of loss of offsite power (T1), loss of main feedwater (T2), and turbine trip with main feedwater initially available (T3) were selected for event tree analysis and accident sequence quantification.
These transient categories are commonly analyzed by PRA studies. The T2 and T3 categories can be used to represent many other initiator categories.
Table 4.3-4 gives a summary of the initiator types that are represented by each category.
Loss of a 480 VAC electrical bus was designated T4, and slated to be an initiating event, when the reanalysis began. Originally, loss of a 480 VAC bus caused a reactor trip through the loss of a vital bus, while it also disabled safety systems necessary to respond to a transient.
Since the start of this study, however, modifications have been done at the plant in order to provide each vital bus with an uninterruptible power supply. Loss of a 480 VAC bus no longer causes a reactor trip and therefore does not qualify as an initiating event. Loss of a DC bus will cause a reactor trip and disables an entire train of safety equipment.
It was included as T5.
Loss of HPI service water was also originally included as an initiator, due to constraining success criteria, which had its loss leading to loss of the charging system. Further evaluation of the problem indicated that the charging pumps are able to operate in the normal charging mode for up to four hours in the absence of HPI service water, without exceeding bearing temperatures.
Recovery options are available to restore HPI service water to Unit 1 from Unit 2, or to provide charging flow to Unit 1 from charging pumps at Unit 2. These would provide continued charging flow and prevent reactor shutdown.
Finally, in the event reactor shutdown is inevitable, an independent system (CCW) is still available to provide RCP seal cooling, the most important affected function in this case. The probability of core damage due to loss of HPI-SW was estimated to be below 10^-7/yr. For these reasons, T6 was not included as a specific initiator for Revision 1.
Steam generator tube rupture was included as a specific initiating event due to its unique mitigation criteria.
The frequency is based on historical experience of 5 events in 500 PWR years.
The LOCA initiating event selection is summarized in Table 4.3-5. Four sizes of LOCAs were chosen, based on the success criteria for successful mitigation.
The frequency of the three largest size breaks are estimated based on a review of past PRAs and the ASEP Methodology Document.
The frequency of the very small breaks includes contributions from inadvertently open PORVs, small pipe breaks, component leakages at flanges and welds, and reactor coolant pump seal LOCAs. The frequency is derived from a review of References 12, 37, and 39. Backup calculations for this frequency derivation are shown in Appendix D of this report.

4.3.5 Groundrules In Initiating Event Selection
Groundrules which apply only to the selection of initiating events are shown in Table 4.3-6. Some groundrules used in the event tree analysis may indirectly impact initiating event identification.
The complete list of event tree groundrules appears in Section 4.4.1.

Table 4.3-4 Summary of Transient Initiating Events

Initiating Event Category: T1 (Loss of Offsite Power)
Representative Initiators Included in Initiating Event Category: Failure of Offsite Power Grid; Loss of Station Reserve Power; Loss of Power to the Switchyard
Annual Frequency (Mean Value): 7.7E-2
Comments: This group constitutes initiators which interrupt the offsite power source to the 4160V plant buses. Frequency derived from NUREG-5032.

Initiating Event Category: T2 (Loss of Main Feedwater)
Representative Initiators Included in Initiating Event Category: Failure of Main FW; Hi SG Water Level; Inadvertent SI; Main Steam Line Break; Loss of Instrument Air; Loss of Bearing Cooling Water
Annual Frequency (Mean Value): 9.4E-1
Comments: This group constitutes initiators which either isolate (trip) the MFW pumps or cause a failure in the hotwell - FW flow path. See Note 1. Frequency derived from Surry specific data listed in NUREG/CR-3862.(12)

Initiating Event Category: T3 (Turbine Trip With MFW Available)
Representative Initiators Included in Initiating Event Category: Turbine Trip; Reactor Trip; Loss of Load; MSIV Closure; Loss of Component Cooling Water; Loss of Turbine Control
Annual Frequency (Mean Value): 7.3
Comments: This group constitutes all initiators which cause reactor trip but do not fail MFW or any other front line or support system. See Note 2. Frequency derived from Surry specific data listed in NUREG/CR-3862.(12)

Initiating Event Category: T5A - T5B (Loss of a DC Bus)
Representative Initiators Included in Initiating Event Category: Short on DC Bus
Annual Frequency (Mean Value): 5E-3
Comments: Initiator is non-recoverable loss of a DC bus. Frequency taken from NUREG/CR-4550, Vol. 1. See Note 3.

Initiating Event Category: T7 (Steam Generator Tube Rupture)
Representative Initiators Included in Initiating Event Category: Double Ended Rupture of a Single SG Tube
Annual Frequency (Mean Value): 1E-2
Comments: Frequency derived from 5 SGTR events in approximately 500 PWR years, U.S. experience through Dec. 1987.
* Surry 2 - Nov. 1972 - 200 gpm
* Point Beach 1 - Feb. 1975 - 125 gpm
* Prairie Island - Oct. 1979 - 380 gpm
* R.E. Ginna - April 1982 - 700 gpm
* North Anna - July 1987 - 600 gpm

NOTES TO TABLE 4.3-4
: 1. Surry has electric driven MFW pumps. Thus, MFW would be available at Surry for any initiators such as MSIV closure, loss of turbine bypass, etc., which would fail MFW at plants with turbine driven MFW pumps.
: 2. At Surry, any reactor trip above 50% power will cause the MFW regulating valves to close. FW mini-flow lines to the condenser will open, while the FW pumps stay on. AFW will start on lo-SG level. If AFW starts successfully, operator will secure MFW. If AFW does not come on, operator can feed SGs with MFW pumps by opening FRV bypass (4" line). MFW pumps are electric driven.
: 3. Loss of DC bus will cause loss of all switchgear at the associated 4160 VAC and 480 VAC buses. Switchgear breakers are failed as is, so pumps that are running will continue to run (i.e., Charging pump and CCW). Loss of a DC bus will cause reactor trip and a half SI signal (but pumps on affected buses will not activate). Failure probability represents shorts in the bus work. Shorts in the loads or interruptions in power were not included. These events are generally recoverable in a very short period of time.
Table 4.3-5 Summary of LOCA Initiating Events

Initiating Event Category: A
Representative Initiators Included in Initiating Event Category: Large LOCAs
Annual Frequency (Mean Value): 5E-4
Comments: Large LOCAs, equivalent diameter greater than 6 inches. Frequency obtained from Reference 3.

Initiating Event Category: S1
Representative Initiators Included in Initiating Event Category: Medium LOCAs
Annual Frequency (Mean Value): 1E-3
Comments: Medium LOCAs, equivalent diameter between 2 and 6 inches. Frequency obtained from Reference 3.

Initiating Event Category: S2
Representative Initiators Included in Initiating Event Category: Small LOCAs, Open PORVs
Annual Frequency (Mean Value): 1E-3
Comments: Small LOCAs, equivalent diameter between 2 inches and 1/2 inch. Includes inadvertent open PORVs. Frequency obtained from Reference 3.

Initiating Event Category: S3
Representative Initiators Included in Initiating Event Category: Very Small LOCAs, Spontaneous Seal LOCAs
Annual Frequency (Mean Value): 1.3E-2
Comments: Very small LOCAs, less than 1/2 inch equivalent diameter, including LOCAs initiated by random failure of one RCP seal. See Appendix D for calculation of the frequency.

Table 4.3-6 Important Groundrules for Initiating Event Selection
: 1. All initiators are analyzed from high power operation. For ATWS quantification, it was necessary to introduce a split fraction for high power and low power events.
: 2. Initiators from shutdown were not included.
: 3. Manual shutdowns for administrative reasons, Technical Specification violations, or refueling were not included.
: 4. Overcooling transients were not evaluated as a special class of events, with unique mitigation requirements.
: 5. External events (seismic, tidal, atmospheric) leading to the loss of service water intake canal level were not included.
: 6. Common cause failure of multiple cooling water systems due to marine growth were not included.
4.4 Event Tree Analysis
The process by which initiating events were identified and grouped is described in Section 4.3. Table 4.3-1 lists the initiators used in this study. This section presents and discusses the first stage of the two stage event tree analysis process used for the Surry study. The first stage analyzed the potential for core damage in terms of the ways that safety and non-safety systems could respond to the initiating events. This stage addressed only the various paths to core damage, without particular regard to the detailed status of the containment or its systems. The status of containment systems was evaluated only in the context that their failure could lead to core damage. This was addressed via events CS and CV.
The event CS represents the failure of containment systems: failure of the CSS (containment spray system), ISR (inside spray recirculation), or OSR (outside spray recirculation).
For sequences without steam generator heat removal available, containment systems failure will eventually lead to containment overpressure and failure due to loss of containment heat removal. For sequences with steam generator heat removal available, Sandia calculations showed that containment pressure would rise above design pressure, but would stabilize well below the failure pressure.
Steam generator heat removal requires a full RCS inventory in a pressurized state and the availability of auxiliary feedwater.
These conditions can only be fulfilled for S2 and S3 LOCAs and transients.
Therefore, for these initiators, containment overpressure failure requires failure of containment systems and high pressure recirculation or auxiliary feedwater.
Event CV assesses the potential for core damage caused by the secondary effects of containment failure. A core vulnerable state is an interim state of a sequence in which coolant makeup is successfully being supplied to the core, but containment heat removal has failed. In such cases, core damage can occur under certain conditions after containment failure. Such scenarios could occur as follows. First, the containment fails due to the pressurization caused by the lost heat removal capability.
Then the ECCS may fail by one or more of the following mechanisms:
* Pipe failure caused by wall movement.
* Pipe failure due to missile generation.
* Plugging of the sump.
* Loss of sump inventory.
* Insufficient net positive suction head due to loss of subcooling.
Should containment failure not produce any of these events, core cooling can be provided indefinitely.
The likelihood of core damage given containment failure was estimated through an internal elicitation of the Level II analysis.
The probability was calculated to be 0.02 for Surry. See Appendix A.1 of this report for the calculation of this number.
The event trees used in the first stage analysis identified all possible core damage sequences.
All core damage sequences which were quantified to be greater than 1E-7/yr after recovery actions had been included, were included as dominant sequences.
The resultant dominant core damage sequences were input to the second stage event tree analysis, which is presented in Section 4.5. This provided a detailed containment response analysis and carried the sequences to the various plant damage states.
All of the event trees used in the first stage analysis are presented and discussed in Sections 4.4.2 through 4.4.11. These include special event trees that were used to evaluate ATWS and station blackout.
Section 4.4.1 provides a discussion of general groundrules and limitations of the event tree analysis.
4.4.1 Groundrules and Limitations
This section discusses the event tree development process used in this study to assess the potential for core damage. It also lists the important groundrules used in developing the event trees. The small-event-tree/large-fault-tree approach was used to define the accident sequences. Rather than using functional event trees in this study, Surry transient responses and prior PRAs of similar reactor types were reviewed to identify the event tree headings necessary to properly model all reactor functions.
The success criteria were similarly developed from reviewing prior PRAs (References 7-11), plant specific Surry analyses, and current Battelle and Sandia analyses.
Table 4.4-1 provides a complete list of the event tree headings and their event tree definitions.
All sequences identified as resulting in core damage were quantified using the quantitative results obtained from the fault trees developed in the systems analyses, as discussed in Section 4.6. All non-blackout sequences having frequencies less than 1E-7/yr after the initial quantification were dropped from further consideration.
All blackout sequences and all non-blackout sequences above 1E-7/yr were further analyzed for potential operator recovery actions, and the sequences were requantified.
Non-blackout sequences less than 1E-7/yr and blackout sequences less than 1E-9/yr after the recovery analysis were dropped from further consideration.
The remaining sequences constitute the dominant core damage sequences.
This process and the results are presented in Section 4.10.
Once the dominant core damage sequences had been identified, the event trees were expanded in the stage two analysis (see Section 4.5) to include the containment systems responses for those particular sequences.
The dominant sequences in that analysis were assigned to plant damage states in accordance with the groundrules given in Section 4.5. The criterion for dominance in the plant damage state analysis was a cutoff frequency of lE-'Hyr.
The general groundrules that formed the basis for the event tree analyses are listed in Table 4.4-2. Additional groundrules that apply to specific event trees are described in the corresponding event tree sections of the report.
In a number of the event trees studied in the following sections, it was found that a sequence may produce conditions of a nature similar to those analyzed in some other event tree. For example, in the very small LOCA (S3) event tree, sequence 22 represents a condition in which relief valves in the RCS open and fail to reclose. This results in a leak condition very similar to that covered by the small LOCA (S2). Rather than repeat the entire S2 event tree within S3, a notation is made in S3 to transfer to the S2 event tree for the rest of the analysis.
Thus, the total frequency of sequence 22 in the S3 event tree is added to the initiator frequency evaluated from all causes for the S2 event tree. The results obtained from that event tree effectively complete the analysis of the S3 event tree sequence 22 in the S2 event tree.
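The two-pass screening and the S3-to-S2 transfer described in Section 4.4.1, as an added Python sketch (not code from the report). The cutoffs and the S2/S3 initiator frequencies come from the text and Table 4.3-5; the sequence names, their frequencies, the non-recovery probabilities, the stuck-open probability, and the treatment of recovery as a single multiplier are constructed assumptions.

```python
"""Two-pass core damage sequence screening (Section 4.4.1), added example."""
from dataclasses import dataclass

NON_BLACKOUT_CUTOFF = 1e-7   # /yr, applied before and after recovery analysis
BLACKOUT_CUTOFF = 1e-9       # /yr, blackout sequences, after recovery only
S2_INITIATOR = 1e-3          # /yr, small LOCA, Table 4.3-5
S3_INITIATOR = 1.3e-2        # /yr, very small LOCA, Table 4.3-5


@dataclass(frozen=True)
class Sequence:
    name: str
    initial_freq: float       # /yr, from the initial quantification
    non_recovery_prob: float  # assumption: recovery credited as one multiplier
    blackout: bool = False


def screen(sequences):
    """Return (dominant, dropped) after the two screening passes.

    A frequency exactly equal to a cutoff is kept (assumption; the text
    only says "less than" is dropped).
    """
    dominant, dropped = [], []
    for seq in sequences:
        # Pass 1: only non-blackout sequences are screened before recovery;
        # every blackout sequence goes on to the recovery analysis.
        if not seq.blackout and seq.initial_freq < NON_BLACKOUT_CUTOFF:
            dropped.append((seq.name, "initial quantification"))
            continue
        # Pass 2: requantify with recovery, then apply the class cutoff.
        final = seq.initial_freq * seq.non_recovery_prob
        cutoff = BLACKOUT_CUTOFF if seq.blackout else NON_BLACKOUT_CUTOFF
        if final < cutoff:
            dropped.append((seq.name, "after recovery"))
        else:
            dominant.append((seq.name, final))
    return dominant, dropped


def initiator_with_transfers(base_freq, transferred_freqs):
    """Initiator frequency of a tree that receives transferred sequences,
    e.g. S3 sequence 22 added to the S2 initiator frequency."""
    return base_freq + sum(transferred_freqs)


# Constructed sample sequences (not from the report).
SAMPLE = [
    Sequence("NB-1", 3e-6, 0.5),
    Sequence("NB-2", 5e-8, 0.5),                  # dropped in pass 1
    Sequence("NB-3", 4e-7, 0.1),                  # recovery pushes it below 1E-7
    Sequence("SBO-1", 5e-8, 0.2, blackout=True),  # same start as NB-2, survives
    Sequence("SBO-2", 2e-9, 0.1, blackout=True),  # below 1E-9 after recovery
]

if __name__ == "__main__":
    kept, removed = screen(SAMPLE)
    for name, freq in kept:
        print(f"dominant  {name:6s} {freq:.1e}/yr")
    for name, stage in removed:
        print(f"dropped   {name:6s} ({stage})")
    # Constructed stuck-open relief valve probability of 1E-3 for sequence 22.
    s2_total = initiator_with_transfers(S2_INITIATOR, [S3_INITIATOR * 1e-3])
    print(f"S2 initiator including S3 sequence 22: {s2_total:.3e}/yr")
```

NB-2 and SBO-1 start at the same frequency; only the blackout sequence reaches the recovery analysis, which is the asymmetry the two cutoffs create.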
Table 4.4-1 Event Tree Headings
Part 1: Description of Events

Abbr. | Heading | Description of Event
A | LARGE LOCA | Initiating Event (IE) - large LOCA (6" to 29")
CS | CONT SYS | Top level event for containment heat removal. Includes CSS, ISR, and OSR system functions
CV | CORE VULNR TO CD | Probability of core damage for core vulnerable states (the core is being cooled but containment cooling has failed)
D1 | HPI | Failure of charging pump system in high pressure injection mode
D2 | HPI | Failure of charging pump system in feed and bleed
D3 | SEAL COOL | Failure of charging pump system in seal injection flow mode
D4 | HPI | Failure of charging pump system in emergency boration mode
D5 | ACC | Failure of accumulators in injection mode
D6 | LPI | Failure of low pressure safety injection system in injection mode
H1 | LPR | Failure of low pressure safety injection system in recirculation mode
H2 | HPR | Failure of charging pump system in high pressure recirculation mode
K | RPS | Failure of reactor protection system
L | AFW | Failure of auxiliary feedwater system for transients with reactor trip
L2 | AFW | Failure of auxiliary feedwater system for ATWS
L3 | AFW | Auxiliary feedwater: failure of 1/3 AFW pumps to 1/2 SGs in SGTR
M | MFW | Failure of main feedwater
NR1 | NRAC ONE HOUR | Fail to recover offsite power within 1 hour
NR7 | NRAC SEVEN HOURS | Fail to recover offsite power within 7 hours
O | OPER DEPRES | Operator fails to depressurize RCS during station blackout
OD | OPER DEPRES | Operator fails to depressurize RCS during small break initiators and steam generator tube rupture
P | PRV | Failure of both PORVs to open for feed and bleed
P1 | PRV | Failure of one PORV to open for S2L sequences
P2 | PRV | RCS pressure relief fails in response to ATWS
PL | PWR LEVEL | Power level less than 25% of rated power
Q | RCI | Failure of pressurizer SRV/PORV to close after transient
QC | RCI | Failure of PORV to reclose after very small LOCA (SI causes relief valve to open)
QS | SGI | Loss of steam generator integrity via a relief valve, AFW steam line, decay heat removal line, or blowdown line
R | MAN SCRAM | Failure to effect manual reactor trip
S1 | MEDIUM LOCA | IE - medium LOCA (2" to 6")
S2 | SMALL LOCA | IE - small LOCA (1/2" to 2")
S3 | VERY SMALL LOCA | IE - very small LOCA (less than 1/2")
SL | RCP SEAL LOCA | RCP seal leakage, greater than 2 lb/sec/pump
T | TBT | Turbine trip subsequent to ATWS
T1 | LOSP | IE - loss of offsite power
T1S | SBO | Station blackout
T2 | LOSS OF MFW | IE - loss of main feedwater
T3 | TURB TRIP W/MFW | IE - turbine trip with MFW available
T5 | LOSS OF DC BUS | IE - loss of DC bus
T7 | SGTR | IE - steam generator tube rupture
TK | ATWS | Anticipated transient without reactor scram
W | CCW | Failure of component cooling water to thermal barriers of all reactor cooling system pumps
W2 | SEAL COOL FM U2 | Failure to cool RCS pump seals from Unit 2
W3 | RHR | Residual heat removal in shutdown cooling mode
Z | MTC UNF | Presence of "unfavorable" moderator temperature coefficient - critical value greater than -7 pcm/°F
Z1 | MTC LOW | Presence of very low moderator temperature coefficient - critical value less than -20 pcm/°F

Table 4.4-1 (Cont'd) Event Tree Headings
Part 2: Definition of Events
C K
Less than 1/2 CSS trains taking suction from RWST and injecting into associated containment spray sparger.
Less than 1/3 high pressure injection pumps taking suction from RWST and injecting through MOV 1867 C/D into 1 of 3 RCS cold legs. Initiated by SI signal.
Same as D1 except must be initiated by operator.
Less than 1/3 charging pumps injecting through MOV 1370.
Less than 1/3 charging pumps injecting through the normal charging lines, with the boric acid transfer pumps on fast speed and MOV 13,o open, and one PORV open, within 10 minutes from initiator. SI alignment not required.
For A, less than 2/2 accumulators injecting into their associated cold legs. For S1, less than 2/3 accumulators injecting into their associated cold legs.
Less than 1/2 LPI trains taking suction from the RWST and injecting through MOV 1890C to 1/3 RCS cold legs.
Less than 1/2 ISR trains, taking suction from the sump and injecting through associated spray sparger, with service water being provided to the secondary side of the heat exchanger.
Less than 1/2 OSR trains, taking suction from the sump and injecting through associated spray sparger, with service water being provided to the secondary side of the heat exchanger.
Less than 1/2 LPR pumps taking suction from the sump and injecting to MOV 1890C, or injecting to the charging pump suction. Plus switch to hot leg recirculation at 16 hours for A and S1 LOCAs.
Less than 1/3 charging pumps taking suction from the LPR discharge and injecting through MOV 1867 C/D.
Failure of automatic insertion of sufficient control rods to produce subcriticality at hot shutdown.
Less than 1/3 AFW pumps delivering water to 1/3 steam generators.
Less than 2 AFW motor driven pumps or 1 AFW turbine driven pump delivering flow to 2 of 3 steam generators.
Less than 1/3 AFW pumps delivering water to 1/2 steam generators.
M P Q QS R T W Z
Failure of at least 1 main feedwater pump delivering flow to at least one steam generator, or failure of source of water from the hotwell or CST which is sufficient for 24 hours.
Failure of exactly 2 PORVs and associated block valves to open, initiated by manual action.
Failure of 1 of 2 PORVs and associated block valves to open, initiated by manual action.
Failure of at least 3 SRVs to open, or 2 SRVs and 2 PORVs and associated block valves to open, in response to RCS pressure rise from ATWS, within 2 minutes of scram signal.
Failure of pressurizer PORVs to reclose or be manually isolated after a transient.
For T1-SBO, failure of a SG SRV to reclose after lifting. For T7, failure of SG integrity via:
* SG SRV
* SG PORV
* Decay heat release path
* Steam supply to AFW turbine driven pump
* Blowdown line
Failure of manual reactor trip caused by pushing the manual scram control, or disconnecting power to the CRDM MG sets, within 2 minutes of initiator.
Failure of automatic turbine stop valve closure or automatic MSIV closure or manual TSV closure or manual MSIV closure within 30 seconds of failed scram signal.
Failure of component cooling water supplied to the lower bearing heat exchanger of all reactor coolant pumps.
Failure of Unit 2 to supply HPI or CCW to the Unit 1 RCP seals following SBO at Unit 1.
Less than 1/2 RHR pumps cooled by 1/2 heat exchangers supplied to 1/2 RCS loops.
Existence of a moderator temperature coefficient considered to be less negative than -7 pcm/°F.
Existence of a moderator temperature coefficient considered to be more negative than -20 pcm/°F.

Table 4.4-2 General Event Tree And Success Criteria Groundrules
: 1. All successful sequences are carried to the point where stable hot shutdown conditions exist or stable long term cooling conditions exist. In general, sequences were terminated at 24 hours.
: 2. RCS inventory makeup is not required if RCS integrity is maintained. This implies that normal pressurizer water level is sufficient to accommodate RCS inventory shrinkage from full power to hot shutdown, or if any inventory makeup is required, the probability of failing to provide it is negligible.
: 3. Boration of the reactor is not required if hot shutdown temperatures and RCS integrity are maintained.
: 4. RCS pressure control using sprays is addressed only for small breaks and steam generator tube rupture events. RCS volume control via normal makeup and letdown is not addressed for any initiator.
: 5. CCW to the thermal barrier in the RCP lower bearing or RCP seal injection flow is sufficient to provide seal cooling.
: 6. Operator must initiate feed and bleed by opening HPI injection valves to cold legs and connecting pump suction to RWST. An automatic actuation signal will not necessarily occur in TML-type sequences.
: 7. During transients with scram, primary pressure relief is assumed to never be required. This means the SRVs (code safeties) are never required to open. However, pressure may rise to PORV setpoints, thus prompting a PORV opening if the PORV is not blocked. Should this happen, there is a requirement for the PORV to reclose or be isolated in order to maintain RCS integrity.
: 8. PORV demand probabilities were used as follows:
Transients from high power with loss of a DC power bus: demand probability = .1
Loss of offsite power: demand probability = .1
Transients from high power with all instrumentation and power buses operable: demand probability = 0.014
Transients from low power: demand probability = 0.0
Station Blackout: demand probability = 1.0
The derivation of PORV demand rate for various transients was based on operating experience with Westinghouse reactors, as reported in WCAP-9804. T2 and T3 type transients are common enough that it was possible to get sufficient PORV opening data to estimate a demand rate. For these transients, a demand rate of 0.014/transient was used. T5 transients were of particular interest because these transients cause loss of an instrumentation bus as well as disable various pumps and valves. For T5 type transients, very little data exists, and it was difficult to postulate a demand rate based on actual data. Therefore, a value of .1/transient was estimated.
For station blackout sequences, the demand probability was estimated at 1.0, because of the unavailability of the SG atmospheric dump valves due to loss of non-vital power. Secondary side steam relief would be through the SG safety valves. The increased cold leg temperature in the primary would likely be enough to cause pressurizer PORV demand.
9. 10. 11. 12. 13. 14.
Non-isolable stuck open PORV sequences are transferred to the S2 LOCA tree.
Switchover to HPR with containment heat removal provided by sprays is required for long term heat removal after feed and bleed. The RHR system at Surry is inside containment and not qualified for use in LOCA environments.
For small or very small LOCAs, success of the containment spray system is not required to provide containment pressure suppression, containment heat removal, or containment sump water inventory. Analysis showed that blowdown and continued steaming from the RCS, natural condensation processes, and the non-safety grade fan coolers would provide sufficient sump inventory for operation of the recirculation spray system.(1) The fan coolers are not isolated until a containment high pressure signal is reached.
During the injection phase of a LOCA, ISR and OSR pumps need subcooling of their pump suctions in order to provide adequate net positive suction head. If suction water cooling is not available, the pumps are judged to fail. ISR suction subcooling is provided by diversion of ISR flow downstream of the heat exchanger. OSR suction subcooling is provided by diversion of flow from the CSS.
Plant personnel indicated that VEPCO performed a "safety-grade" analysis which showed that only one train of the recirculation sprays (i.e., one outside train or one inside train) is necessary to provide containment heat removal. One spray train is not sufficient to meet 10CFR100 criteria, but it will prevent containment overpressure. The one spray train criterion was used in the event tree models. If ISR succeeds, OSR is not required. In addition, OSR requires CSS during the early phase in order to meet suction subcooling net positive suction head requirements. If CSS fails, OSR is not available.
Surry personnel indicated that MFW regulating valves close after virtually all transients above 50% power due to plant control logic. The MFW pumps (electric-driven) remain running, and MFW is available to the operator if AFW fails.
(1) Letter from P. Cybulskis, BCL, to F. E. Haskin, Sandia National Laboratories, "SARRP Source Term Analysis for Surry Design," July 1985.
: 15. Events subsequent to loss of a DC bus are: a) Loss of DC bus causes loss of switchgear at the associated 4160 VAC and 480 VAC buses, b) Loss of one DC bus disables one train of CLS Hi-Hi, c) Loss of one DC bus causes false CLS Hi, which causes one train of SIAS to actuate, and d) Loss of one DC bus causes reactor trip without PCS.
: 16. ISR and OSR trains were modeled to include the heat exchanger and service water to the heat exchanger. ISR and OSR start removing heat 2 and 5 minutes after a CLS Hi-Hi. In order for ISR pumps to have adequate NPSH in the early time frame, service water must be available to the associated ISR heat exchanger. In order for OSR pumps to have adequate NPSH in the early time frame, CSS must operate.
: 17. Accumulators were required for S1 because analysis could not be found to prove otherwise. The large LOCA assumption that one accumulator discharge is lost out the break is not applicable to S1.
: 18. In instances where seal injection flow is unavailable, it is also considered that feed and bleed is unavailable. The predominant cause of loss of seal injection flow is loss of HPI, which would also fail feed and bleed.
: 19. If loss of all feedwater occurs, feed and bleed operation must be utilized. Because this violates RCS integrity, seal cooling and seal LOCA questions are not asked in these sequences.
: 20. Cross-connect of any system from Unit 2 is treated in the recovery analysis.
: 21. After reactor trip, MFW regulating valves are expected to close. AFW will receive signal to start on low SG water level. Procedures and plant personnel indicate that AFW is the preferred source of SG inventory. AFW therefore appears on the event tree before MFW (i.e., PCS).
: 22. Mitigation requirements associated with RCS overcooling are not addressed.
: 23. Seal LOCAs as initiating events, caused by local faults in one seal, are included in the S1 initiator category. The break flow for this size LOCA is small enough that containment sprays will not activate as long as fan coolers are available. Charging flow is the only drain on the RWST. The S3 sequence timing assumes the reactor can be depressurized, cooled down and put in the closed cycle cooling mode before the RWST is empty, if AFW and HPI are available.
: 24. For S1 sequences, the RCS pressure at the time of recirculation is low enough that the LPR system is capable of recirculation. This is consistent with the requirement for accumulators in S1 (see #17). It was considered that if the break was large enough to depressurize below the accumulator injection point (600 psig) during the initial phase of the LOCA, the RCS would be sufficiently depressurized for LPR operation by the time recirculation was required.
Some of the event trees included in Rev. 0 of this study were found not to be necessary for this revised analysis. They are:
* T4 - Loss of AC bus
* T6 - Loss of Charging Pump Cooling Water System
* RCP seal LOCA due to loss of seal cooling

In the case of T4, a subsequent change in the electrical power distribution system at Surry was made such that the loss of an AC bus no longer causes a reactor trip. With regard to the loss of Charging Pump Cooling, it was concluded that this event (described in Section 4.3) also does not cause a reactor trip. With respect to the RCP seal LOCA, this event tree was used to evaluate loss of seal cooling in non station blackout events, but was eliminated. An analysis of the initiators that led to an RCP seal LOCA vulnerable condition showed only T1 to be greater than 1E-7. Application of the probability of an RCP seal LOCA reduced the initiator below 1E-7 and the RCP seal LOCA event tree was deleted.

4.4.2 T1 (Loss of Offsite Power) Event Tree

This section presents and discusses the event trees for the offsite power initiating event. This event is identified by the symbol T1 in the event tree.

4.4.2.1 Success Criteria

Success criteria for the T1 event tree are shown in Table 4.4-3. Loss of offsite power will de-energize the normal and emergency 4160V buses, which will de-energize all lower level buses. The DC buses and the vital buses would be available, unless random failures of these buses were postulated. The reactor protection system will de-energize, thus signaling the control rods to insert. The main feedwater and condensate system will be unavailable for the duration of the event. The T1 event will affect both Unit 1 and Unit 2. Should DG 2 (dedicated to Unit 2) fail to start or run, DG 3 would be aligned to Unit 2, thereby making it unavailable for Unit 1. In the event that both DG 1 and DG 2 fail to start, DG 3 was always assumed to align to Unit 2. Sequences in which DG 1 was unavailable and DG 3 was either unavailable or aligned to Unit 2 were evaluated using a separate station blackout (SBO) event tree. The primary purpose of the SBO event trees is to facilitate the modeling and timing of events including operator actions and AC power recovery.

The four primary functions required in response to T1 are reactor scram, primary system integrity, auxiliary feedwater, and RCP seal cooling. If all these functions are provided, the transient is mitigated at a very early stage. Failure to provide reactor scram transfers to the ATWS tree. Failure of PORVs to reclose transfers to the S2 LOCA tree. Failure to provide RCP seal cooling results in a seal vulnerable condition which is evaluated separately.
Failure to provide AFW leads to a demand for "feed and bleed" cooling. For feed and bleed, failure to provide charging flow and open two PORVs leads to core damage. Successful feed and bleed cooling leads to demand for containment systems and coolant recirculation systems. These sequences are developed on the tree.

Table 4.4-3 T1 Transient Success Criteria

SUMMARY INFORMATION
INITIATOR: T1 - LOSP

REACTOR SUBCRITICALITY: RPS
CORE HEAT REMOVAL, EARLY: 1/3 AFW Pumps OR 1/3 Charging Pumps and 2 PORVs Open (In Feed and Bleed)
RCS INTEGRITY: 1/3 Charging Pump In Seal Injection and PORV Reclose (If opened) OR CCW to RCP Thermal Barrier In all RCP and PORV Reclose (If opened)
CONTAINMENT PRESSURE SUPPRESSION, EARLY: 1/2 CSS OR 1/2 ISR and SWS to associated CSR HX
CORE HEAT REMOVAL, LATE: 1/3 HPR and 1/2 LPR
CONTAINMENT PRESSURE SUPPRESSION, LATE: 1/2 ISR and SWS to associated HX OR 1/2 OSR and SWS to associated HX

COMMENTS
1. OSR needs CSS in injection to provide NPSH.
2. ISR needs SWS in injection to provide NPSH.
3. Secondary steam relief assumed available.
4. AFW to 1 SG sufficient.
5. No RCS Pressure ty relief required if scram. However, PORV may open.
6. Failure of RCS integrity goes to S2 tree.
7. If AFW and RCS integrity are provided, containment heat removal and core heat removal late are not required.
4.4.2.2 Discussion of Sequences

The event trees for T1 are shown in Figures 4.4-1 through 4.4-3. The event trees do not use the traditional WASH-1400 graphic conventions for indicating decision points. Decision points are indicated by a vertical drop. The success path is represented by a straight line with the failure path dropping vertically below the straight line at the leading edge of the event. A straight line through the event with no choice indicates a question was not asked. Important functional and phenomenological dependencies as well as groundrules and limitations are stated in the general groundrules found in Table 4.4-2. Three different event trees were used to evaluate the loss of offsite power initiating event:
* LOSP (assumes at least one diesel available at Unit 1)
* SBO at Unit 1
* SBO at both units

The diesel generator conditions associated with each event tree are shown in Table 4.4-4. The T1 event tree represents sequences where at least one diesel is available at Unit 1. Sequence 1 represents successful mitigation of the initiator; diesel generators start, auxiliary feedwater is available, and the charging system provides seal injection flow to the RCP seals. The plant is in a stable condition and attention can be directed to restoration of the offsite power. Sequence 2 is similar to 1, except that seal injection flow from the charging system is unavailable. RCP seal cooling is provided by CCW to the thermal barrier heat exchangers.

Sequence 3 represents a condition with no seal cooling available. Both CCW to the thermal barriers and seal injection flow have failed. Auxiliary feedwater is available, however, and all essential safety functions are being provided at the time seal cooling is lost. This represents a seal vulnerable condition and is handled with the seal LOCA model. The RCP seal LOCA model is detailed in Appendix D.5. Sequence quantification (Section 4.10) indicated that there are no significant contributors to the T1D3W state that do not involve loss of all AC power. Those events are handled through the station blackout quantification. Combinations of failures involving component failures or partial power failures, combined with component failures make no significant contribution to the T1D3W seal vulnerable state.

Sequence 4 represents failure of all steam generator heat removal, but successful core cooling via feed and bleed, using one charging pump and opening of both PORVs. ECCS recirculation from the sump and successful operation of the containment spray recirculation heat exchangers provide long term cooling. Sequences 5 and 6 lead to core damage through the failure to provide long term feed and bleed cooling in the recirculation mode. Sequence 5 is due to failure of the high pressure recirculation system, and Sequence 6 is due to failure of the low pressure recirculation system.

Sequences 7 through 10 represent the occurrence of a core vulnerable state and its possible outcomes. A core vulnerable state occurs when containment heat removal fails after feed and bleed is initiated. Coolant makeup to the core is being provided and heat is being removed from the RCS through the PORVs. However, containment heat removal (CHR) has failed, thereby leading to gradual containment pressure increase.
Should the containment pressure increase continue, unmitigated by containment venting or restoration of CHR systems, containment overpressure failure will occur. Events occurring during containment failure could cause failure of ECCS systems, which in turn would lead to core damage. This is represented by Sequence 10. Sequence 7 represents containment failure, but survival of the ECCS and continued core cooling. Sequences 8 and 9 represent containment failure, followed by ECCS failure due to causes other than containment failure. Sequence 11 represents failure of steam generator heat removal followed by failure to establish feed and bleed cooling, due to failure to open both PORVs. Sequence 12 is similar to 11, except feed and bleed core cooling fails due to failure to establish safety injection flow with the charging system. Sequence 13 represents transient induced LOCAs caused by a transient related PORV demand, followed by failure to reclose PORV. This condition transfers to the S2 event tree for further evaluation. Sequence 14 is an ATWS condition and transfers to the ATWS tree for further evaluation.

Figure 4.4-1 Event Tree for T1 - Loss of Offsite Power
Headings: LOSP (T1), RPS (K), RCI (Q), AFW (L), SEAL COOL (D3), CCW (W), HPI (D2), PRV (P), CONT SYS (CS), CORE VULNR TO CD (CV), LPR (H1), HPR (H2)
Sequence / Core / Comments:
1. T1: OK
2. T1*D3: OK
3. T1*D3*W: SEAL VULN
4. T1*L: OK
5. T1*L*H2: CM
6. T1*L*H1: CM
7. T1*L*CS: OK
8. T1*L*CS*H2: CM
9. T1*L*CS*H1: CM
10. T1*L*CS*CV: CM
11. T1*L*P: CM
12. T1*L*D2: CM
13. T1*Q: GO TO S2
14. T1*K: GO TO ATWS

Figure 4.4-2 Event Tree for T1S - Station Blackout at Unit 1
Headings: SBO AT UNIT 1 (T1S), NRAC-HALF HOUR, RCI (Q), SGI (QS), AFW (L), NRAC-ONE HOUR (NR1), SEAL COOL FM U2 (W2), OPER. DPRES (O), RCP SEAL LOCA (SL), NRAC-SEAL LOCA (NRS), NRAC-SEVEN HOURS (NR7)
Sequence / Core:
1. T1S: OK
2. T1S-: OK
3. T1S-NR7: CM
4. T1S-W2-: OK
5. T1S-W2-NR7: CM
6. T1S-W2-SL-: OK
7. T1S-W2-SL-NRS: CM
8. T1S-W2-O-: OK
9. T1S-W2-O-NR7: CM
10. T1S-W2-O-SL-: OK
11. T1S-W2-O-SL-NRS: CM
12. T1S-L: CM
13. T1S-QS-: OK
14. T1S-QS-NR7: CM
15. T1S-QS-W2-: OK
16. T1S-QS-W2-NR7: CM
17. T1S-QS-W2-SL-: OK
18. T1S-QS-W2-SL-NRS: CM
19. T1S-QS-L: CM
20. T1S-Q-: OK
21. T1S-Q-NR1: CM
22. T1S-Q-L: CM
23. T1S-Q-QS-: OK
24. T1S-Q-QS-NR1: CM
25. T1S-Q-QS-L: CM

Figure 4.4-3 Event Tree for T1S - Station Blackout at Both Units
Headings: SBO BOTH UNITS (T1S), NRAC-HALF HOUR, RCI (Q), SGI (QS), AFW TDP FM U1 (L), NRAC-ONE HOUR (NR1), OPER. DPRES (O), RCP SEAL LOCA (SL), NRAC-SEAL LOCA (NRS), NRAC-SEVEN HOURS (NR7)
Sequence / Core:
1. T1S: OK
2. T1S-: OK
3. T1S-NR7: CM
4. T1S-SL-: OK
5. T1S-SL-NRS: CM
6. T1S-O-: OK
7. T1S-O-NR7: CM
8. T1S-O-SL-: OK
9. T1S-O-SL-NRS: CM
10. T1S-L: CM
11. T1S-QS-: OK
12. T1S-QS-NR7: CM
13. T1S-QS-SL-: OK
14. T1S-QS-SL-NRS: CM
15. T1S-QS-L: CM
16. T1S-Q-: OK
17. T1S-Q-NR1: CM
18. T1S-Q-L: CM
19. T1S-Q-QS-: OK
20. T1S-Q-QS-NR1: CM
21. T1S-Q-QS-L: CM

Table 4.4-4 LOSP/SBO Analysis Cases
Columns: DG #1; DG #2; DG #3 Condition (Unit #, State); LOSP; SBO @ Unit 1; SBO @ Both Units
S S X
S F 2 S X
S F NA F X
S F NA M X
S M 2 S X
S M NA F X
F S 1 S X
F S NA F X
F S NA M X
F F 2 S X
F F NA F X
F F NA M X
F M 2 S X
F M NA F X
M S 1 S X
M S NA F X
M F 2 S X
M F NA F X
Notes:
* F - DG fails to start or fails to run
* M - DG out for maintenance
* S - Success
* NA - Not applicable
Power status at Unit 2 was of interest only to determine the availability of cross connectable systems. Assessment of the probability of core damage at Unit 2 was not done.
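
The walk through the T1 event tree described above can be written out as a decision procedure. The following Python is an added illustration, not part of the report: heading symbols, sequence numbers and end states are taken from Figure 4.4-1 and the sequence discussion, while the function names and the `not_asked` field are this example's own.

```python
"""T1 (loss of offsite power) event tree of Figure 4.4-1 as a decision walk."""
from itertools import combinations
from typing import NamedTuple

# Heading symbols in the order the tree questions them (from Figure 4.4-1).
HEADINGS = {
    "K": "RPS (reactor scram)",
    "Q": "RCI (PORV recloses if opened)",
    "L": "AFW",
    "D3": "seal injection flow",
    "W": "CCW to RCP thermal barriers",
    "D2": "HPI (charging flow for feed and bleed)",
    "P": "both PORVs open for feed and bleed",
    "CS": "containment systems (containment heat removal)",
    "CV": "core vulnerable state progresses to core damage",
    "H1": "LPR",
    "H2": "HPR",
}


class Sequence(NamedTuple):
    number: int        # sequence number in Figure 4.4-1
    designator: str    # failed headings along the path, "*"-separated
    outcome: str       # OK, CM (core damage), SEAL VULN, or a transfer
    not_asked: tuple   # failed headings the tree never questioned on this path


def classify_t1(failed):
    """Return the Figure 4.4-1 sequence reached for a set of failed headings."""
    failed = set(failed)
    unknown = failed - set(HEADINGS)
    if unknown:
        raise ValueError(f"unknown heading(s): {sorted(unknown)}")
    asked = set()

    def fails(symbol):
        # Record that the tree questioned this heading on the current path.
        asked.add(symbol)
        return symbol in failed

    def done(number, designator, outcome):
        return Sequence(number, designator, outcome,
                        tuple(sorted(failed - asked)))

    if fails("K"):
        return done(14, "T1*K", "GO TO ATWS")
    if fails("Q"):
        return done(13, "T1*Q", "GO TO S2")
    if not fails("L"):
        # AFW available: only the seal cooling questions remain.
        if not fails("D3"):
            return done(1, "T1", "OK")
        if not fails("W"):
            return done(2, "T1*D3", "OK")
        return done(3, "T1*D3*W", "SEAL VULN")
    # AFW failed: feed and bleed is demanded; seal cooling is not asked.
    if fails("D2"):
        return done(12, "T1*L*D2", "CM")
    if fails("P"):
        return done(11, "T1*L*P", "CM")
    number, designator = 4, "T1*L"
    if fails("CS"):
        # Core vulnerable state: containment heat removal has failed.
        if fails("CV"):
            return done(10, "T1*L*CS*CV", "CM")
        number, designator = 7, "T1*L*CS"
    if fails("H1"):
        return done(number + 2, designator + "*H1", "CM")
    if fails("H2"):
        return done(number + 1, designator + "*H2", "CM")
    return done(number, designator, "OK")


def enumerate_sequences():
    """Classify every combination of failed headings; return distinct sequences."""
    seen = {}
    symbols = list(HEADINGS)
    for size in range(len(symbols) + 1):
        for combo in combinations(symbols, size):
            seq = classify_t1(combo)
            seen[seq.number] = (seq.designator, seq.outcome)
    return dict(sorted(seen.items()))


if __name__ == "__main__":
    for number, (designator, outcome) in enumerate_sequences().items():
        print(f"{number:2d}. {designator:<12} {outcome}")
    # A charging (HPI) failure is never questioned while AFW is available.
    print(classify_t1({"D2"}))
```
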
Station blackout (SBO) was evaluated with separate event trees, because of the phenomenology and special events that can occur during an SBO. These are discussed here as a prelude to the detailed discussion of each sequence. The important considerations during a station blackout are the preservation of RCS inventory, the controlled supply of water to the steam generators, and the extension of battery life as long as possible. These considerations, as they apply to the Surry plant, are discussed below.

RCP Seal LOCA - The RCP seal LOCA model in Reference 40 was used to develop specific leak rates, probabilities, and times to seal failure. The model predicts two dominant seal failure scenarios. The dominant path predicts a 250 gpm leak developing in each pump at 1 1/2 hours after loss of all seal cooling. This path has a probability of .53. The next most dominant path has a probability of .13. This path is a 61 gpm leak developing in each pump at 1 1/2 hours, growing to a 250 gpm leak at 2 1/2 hours (after loss of seal cooling). There is also a .27 probability of limited leakage in each pump throughout the entire loss of cooling event. Limited leakage is defined as less than 21 gpm per pump. This is considered a success state with respect to seal leakage, because 21 gpm per pump can be tolerated throughout the SBO event without causing core uncovery. All other seal leak sequences combine to account for 7%. The development of this model is presented in Appendix D of this report. RCP seal LOCA will cause core uncovery unless safety injection flow is restored within a requisite time. Time to core uncovery depends on the leak size. Times to core uncovery for each leak path are also developed in Appendix D.

RCS Cooldown and Depressurization - The emergency operating procedures at Surry direct the operators to cooldown and depressurize the RCS in a long-term station blackout. Depressurization serves the dual purpose of reducing the risk of seal LOCA, due to reduced pressure and temperature on the seals, and reducing RCS leak rate, should any leak paths develop. The time at which cooldown and depressurization should be initiated and the rate at which it would proceed are not specified in the emergency procedures, other than to limit the cooldown to less than 50°F/hour. Discussions with the Surry operations staff indicate that one hour after the initiating event is a reasonable estimate for the start of cooldown. Cooldown at Surry is to be accomplished by manual line up of valves in the steam system to allow bypass of the MSIVs, a controlled blowdown of steam into the main condenser, and a venting of the condenser to the atmosphere. This line up will take on the order of 20-30 minutes to accomplish.

After cooldown is started, depressurization of the RCS will occur as a natural process, resulting from the decrease in specific volume of the RCS inventory as the average RCS temperature decreases. Depressurization will be aided by inventory loss due to normal leakage through the RCP seals. Significant depressurization will not occur before 2 to 3 hours. Because of the predicted seal response to loss of cooling, this timing for depressurization is not early enough to provide any significant benefit to the seals. The seal LOCA model development (Ref. 40) does not predict benefit from depressurization until approximately 4 hours, at which time there is already a high probability of seal failure. Thus, in the station blackout modeling, RCS cooldown and depressurization was not considered to have any impact on the development of seal LOCAs. RCS depressurization did however, have an effect on the allowed time to recover AC power. Depressurization would reduce the RCS outflow and thus extend the time to core uncovery. This effect was included in the SBO modeling.
PORV Demand and RCS Integrity - An important function to provide during station blackout is to preserve RCS inventory until AC power can be restored. A PORV which fails to reclose after a demand represents a LOCA. This path is particularly important at Surry due to the high PORV demand probability during a SBO. PORV demand is expected to occur during SBO due to the method of steam generator heat removal. The steam generator atmospheric relief valves at Surry are not supplied with emergency power. They are powered by a semi-vital bus, which will be de-energized in the event of an SBO. Steam relief from the steam generators will be from the safety valves, which operate at a higher pressure than the atmospheric relief valves. Thus the SG water temperature will increase, which in turn will lead to an increase in RCS cold leg temperature. This will in turn lead to an RCS pressure rise which will likely cause a PORV demand.

Secondary Side Integrity - As discussed in the PORV section, the atmospheric relief valves at Surry will be inoperable in a station blackout due to unavailability of control power. Steam relief will be through the safety valves. Should they fail to reclose, it will produce an uncontrolled depressurization in one steam generator. One SV on each SG was estimated to open every 20 minutes for one hour, when manual alignment of steam relief would be in place. This is a total of 9 safety valve demands. Due to particular design features at Surry, the faulted SG was considered to not be isolable during a SBO. AFW to the faulted SG can not be isolated because the AFW level control valves to each individual SG are inside containment. In a SBO, they would remain in an open position. No credit was allowed for entry into the Surry containment during an SBO.

The sequence of events after a faulted SG was considered. The SG with the stuck open valve would depressurize, causing an overcooling transient. Flow to the faulted SG from the turbine driven (TD) pump would increase, limited by cavitating venturis in the AFW line. The faulted SG would be fed preferentially to the good SGs due to the pressure difference. The overcooling transient was not considered capable of causing recriticality, due to the expected dump of the accumulators should the RCS pressure decrease below 600 psig. Recriticality would not be an expected problem until the temperature was down to the mid 300°F range. A cooldown of this magnitude would be accompanied by a RCS depressurization due to inventory shrinkage. Accumulator dump will occur at 600 psi, thereby providing sufficient boron injection to maintain subcriticality.

The faulted SG would lead to higher than expected AFW use and the operator would need to manually align the backup condensate source to the primary CST in order to ensure continued AFW supply. As the transient continued, the operator could throttle the TD feedwater pump and thus reduce the severity of the transient. Throttling of the AFW pump would be done to prevent SG overfill, but on the other hand, the SG tubes must remain covered.

Steam supply to the TD pump would be maintained by the good steam generators. The steam lines from each SG to the TD pump are headered together, with check valves in each steam line. In the event of a faulted SG, the pressure in the steam lines of the two good SG would backseat the check valve and provide a high pressure source of steam for the TD pump. Although the good SGs would receive little flow from the TD pump, after the RCS cooled down below the SG water temperature, there would be no outflow from the good SGs, other than steam flow to the TD pump, which is a minimal drain on the inventory.
In sequences with a faulted SG, two potential interactions were identified but ultimately could not be quantified. They were a) that a faulted SG may cause rapid primary system depressurization which may lead to an extended RCP seal life, and b) that core uncovery may occur sooner than three hours after battery depletion if one SG was faulted.

During the development of the seal LOCA model, specific depressurization rates were not available for inclusion in the model. Opinions were elicited from a panel of experts and all considered that substantial cooldown and depressurization would need to occur in order to significantly improve seal performance. The expected depressurization rates for the faulted SG scenario are not considered sufficient to provide the necessary amount of pressure and temperature reduction to make a significant impact on seal performance. It was concluded that the level of discrimination in the models was not sufficient to support quantification of this interaction. The potential impact of including this interaction would be to lower the probability of seal LOCA, and thus lower the seal LOCA core damage frequency. However, the frequency of the long term battery depletion sequence would be increased.

Quantification of the second potential interaction was similarly difficult. The selection of three hours as a reasonable time period between loss of DC power and AC power restoration is largely subjective and is subject to considerable uncertainty. Modeling of this interaction would tend to decrease the allowable time for AC power restoration, and thus increase the core damage frequency.
The two excluded interactions would tend to cancel each other if they were to be modeled. An estimate was made that if both of these interactions were included at their maximum effectiveness, there would be no overall increase in total core damage frequency, although long term battery depletion would be favored over seal LOCA.

Battery Depletion - A critical event for timing purposes in SBO evaluation is battery depletion. The batteries at Surry are designed for a two hour load discharge in post LOCA conditions. This was considered a nominal starting point for estimation of depletion time for the SBO sequences. Battery depletion time could be extended with shedding of nonessential loads from the bus. Specific procedures for load shedding are not in place in Surry, so it was difficult to quantify the advantage gained from this practice. Discussions with Surry operations staff led to the agreement that four hours was a reasonable time to expect battery depletion in an SBO sequence.

Depletion of the vital batteries will leave the plant with no instrumentation or control power. Although manual control and operation of the turbine driven AFW pump is possible without DC power, the lack of instrumentation in the RCS or the steam generators would ultimately limit the ability to maintain core cooling. It was estimated that an additional three hours would be available to restore AC power after battery depletion in order to prevent core uncovery.

Operation of the bus feeder breakers in the absence of DC power was examined. The bus breakers will remain as is upon the loss of DC power. Manual operation of the breakers is possible through the use of spring loaded jacking mechanisms. Although the absence of DC power would complicate the recovery of AC power, the additional time required to operate the breakers manually is small compared to the uncertainty in the three hour period from battery depletion to core uncovery.
The event tree for a Unit 1 station blackout is shown in Figure 4.4-2. This event tree is used to evaluate those situations where Unit 1 has no AC power, but Unit 2 is supplied by one operable diesel. This diesel could be DG 2, supplying the H bus or DG 3 supplying the J bus. For quantification purposes, it was assumed the H bus was operable. No power asymmetries were identified which would invalidate this practice. The functional requirements for mitigation of this event are the same as for other transients. Entry into this event tree presumes reactor scram is successful. ATWS events are addressed in the T1 event tree.

The first sequence represents restoration of AC power to the plant buses within 30 minutes. Thirty minutes is used because it is the time required to deplete SG inventory to unacceptable levels if AFW is unavailable. Conversely, it can be presumed that failure to provide any safety functions (except subcriticality) for the first thirty minutes after a loss of offsite power will not lead to core damage. Restoration of power within 30 minutes can result in successful mitigation of the transient, regardless of other failures in that time period.

Sequence 2 represents successful mitigation of a long term station blackout. The pressurizer PORV recloses, thus maintaining RCS integrity. The steam generator safety valves reclose, thus maintaining steam generator inventory. The turbine driven AFW pump starts and provides makeup to the steam generators. RCP seal cooling from Unit 2 is provided via seal injection flow from the Unit 2 charging system or CCW to the thermal barrier from the operable CCW pump. The Unit 2 charging system and CCW depend on service water as a heat sink. The Surry service water system is a gravity flow system. A 45 million gallon intake canal supplies the service water loads, with the largest load being the main condensers (400,000 gpm per condenser). In the event of blackout at both units, there is no power to refill the intake canal or to isolate the four main condensers (two per unit). This leads to a conservative estimate of canal drainage in 30 minutes. If the SBO occurs at only one unit, canal drain time increases to one hour. Availability of seal cooling from Unit 2 considers the unavailability of systems at Unit 2 due to insufficient water level in the intake canal. RCS depressurization in sequence 2 is inconsequential because a seal LOCA is averted, due to the provision of seal cooling from Unit 2. Seal LOCAs are similarly not questioned because of successful seal cooling from Unit 2. The final heading questions successful restoration of AC power within seven hours. Sequence 2 represents successful recovery of offsite AC power prior to battery depletion and core uncovery.

Sequence 3 represents failure to recover AC power in seven hours. Core uncovery is due to loss of SG heat removal due to inability to adequately control AFW.

Sequences 4 through 11 delineate possible sequence outcomes when seal cooling from Unit 2 is unavailable. Failure of seal cooling can be due to human error, component failure or insufficient canal inventory to provide service water. Sequence 4 represents successful cooldown and depressurization of the RCS, successful functioning of the seals (i.e., leakage is limited to 21 gpm per pump) and recovery of offsite AC power prior to seven hours. Sequence 5 represents successful functioning of the seals but failure to recover offsite AC power within seven hours. Sequence 6 represents restoration of offsite AC power prior to core uncovery caused by a seal LOCA. This sequence includes two different success states. One state is where AC power is restored prior to onset of a seal LOCA, and thus the need for SI flow is avoided. The other is one in which AC power is not restored prior to a seal LOCA, a seal LOCA occurs, but AC power (and HPI flow) is restored prior to core uncovery. Sequence 7 is a seal LOCA with failure to recover offsite AC power prior to core uncovery.

The headings are stated in terms of recovery of AC power. Successful mitigation also requires the restoration of HPI flow. However, as shown in Appendix D of this report, the non-recovery probability for AC power dominates over the failure probabilities due to human error and equipment failure.

Sequences 8 through 11 are analogous to Sequences 4 through 7, except that the RCS has remained at high pressure throughout the sequence. Failure to depressurize can be due to operator error or equipment failure. The only impact on the sequence progression is that in the event of a seal LOCA, core uncovery occurs sooner, and thus the time to AC power recovery is smaller, and non-recovery probabilities are higher. Thus, the value for NRS success in Sequence 7 is lower than the value for NRS in Sequence 11.

Sequence 12 represents the failure of auxiliary feedwater to be available. The event tree was structured to question initial unavailability. If AFW is not available, degraded SG heat removal requires the initiation of feed and bleed by 3.5 minutes. This timing was based on the Westinghouse EPG analysis. Recovery of AC power beyond a half hour leaves insufficient time to initiate feed and bleed cooling to avoid core uncovery. Longer term recovery for other failures, such as failure of the AFW turbine driven pump to run, were included on an individual cut set basis in the recovery analysis.
Sequences 13 through 19 involve the loss of steam generator secondary side integrity due to the sticking open of a steam generator safety valve. This event was considered to have two potential impacts on sequence delineation. One is that blowdown through the faulted SG will cause increased TD pump flow, thereby causing faster depletion of CST-Tank 1A. In order to assure a continued supply of condensate for the potential .5 hour duration of the turbine-driven pump, operators must manually line up CST-Tank 2 to Tank 1A. The other impact is that in the event of a faulted SG and failure of the auxiliary feedwater pump at Unit 1, no credit for recovery of AFW from Unit 2 was allowed.

Sequence 13 represents successful mitigation of the SBO, including the faulted SG. Long term AFW is provided, along with seal cooling from Unit 2. Sequence 14 is a long term, depressurized sequence with failure to recover AC power prior to seven hours. Sequences 15 and 16 represent failure to provide seal cooling from Unit 2, but avoidance of a seal LOCA. Operator depressurization is not asked because the faulted SG automatically provides RCS cooldown. As discussed previously, the standard seal LOCA model and battery depletion models were used in these sequences. Sequence 15 represents recovery of AC power prior to a seal LOCA. Sequence 16 represents avoidance of a seal LOCA, but failure to recover AC power in seven hours. Sequence 17 is recovery of AC power prior to, or within an allowable time after a seal LOCA. Sequence 18 is occurrence of a seal LOCA and failure to recover offsite power prior to core uncovery. Sequence 19 represents loss of steam generator integrity and simultaneous loss of auxiliary feedwater. No recovery actions of any type were considered for this sequence due to the complexity of SG inventory control in this sequence.

Sequences 20 through 25 represent a stuck open pressurizer PORV. As previously discussed, the PORV demand probability for station blackout is 1.0, due to the unavailability of the SG atmospheric dump valves. Should a PORV fail to reclose, it is not isolable until AC power is restored to the block valve. If AC power is restored and the block valve is closed, the LOCA is terminated. Sequence 20 represents this scenario. Sequence 21 represents failure to restore AC power and isolate the block valve prior to core uncovery. Sequence 22 represents a stuck open PORV combined with a simultaneous loss of auxiliary feedwater. These events combine to reduce the allowable recovery time to less than 1/2 hour. Sequences 24 and 25 are similar to 21 and 22, except for the additional failure of the steam generator safety valve to reclose.
* Two Unit Station Blackout -The event tree for station blackout at both units is shown in Figure 4.4-3. This condition is caused by unavailability of all three diesel generators upon loss of offsite power. The dual unit blackout tree differs from a single unit blackout tree only in that seal cooling from Unit 2 is not on the tree. Due to the unavailability of AC power at Unit 2, CCW and seal injection flow are not available from Unit 2. 4.4.3 T 2 (Loss of Main Feedwater)
Event Tree This section presents and discusses the event tree for the loss of main feedwater initiating event. This event is identified by the symbol T 2 in the event tree. 4.'1.3.1 Success Criteria Success criteria for the T 2 event tree are shown in Table 4.4-5. Loss of main feedwater results in low steam generator water level, which causes demand for a reactor scram, as well as a signal for AFW to start. POR V demand for this class of initiators is considered to be a random occurrence, due to degraded control system performance or degraded balance of plant (BOP) component performance.
The probability of PORV demand was assigned a value of .014 for high power initiators only, based on historical Westinghouse experience.
The four primary functions required in response to T 2 are reactor scram, primary system integrity, auxiliary feedwater, and RCP seal coolmg. If all of these functions are provided, the transient is mitigated at a very early stage. Failure to provide reactor scram transfers to the ATWS tree. Failure of POR Vs to reclose transfers fo the s 2 LOCA tree. Failure to provide RCP seal cooling is a seal vulnerable condition.
Failure to provide AFW leads to a demand for "feed and bleed" cooling. For feed and bleed, failure to provide charging flow and to open two PORVs leads to core damage. Successful feed and bleed cooling leads to a demand for containment heat removal systems and reactor coolant recirculation systems. These sequences are developed on the event tree.

4.4.3.2 Discussion of Sequences

The event tree for T2 is shown in Figure 4.4-4. The important functional and phenomenological dependencies as well as groundrules and limitations are stated in the general groundrules found in Table 4.4-2. The first sequence represents successful stabilization of the reactor at hot shutdown.
If reactor scram is successful, AFW starts and provides water to at least one of three steam generators.
Heat removal is through the atmospheric dump valves as the initiating event is considered to have failed the power conversion system. Seal cooling is provided by seal injection flow. At this juncture in the tree, the reactor is stable in hot shutdown.
This is considered successful termination of the initiator, and no further system availability questions are asked. Sequence 2 is also a success state, with seal cooling being provided by CCW to the thermal barrier. Sequence 3 is a seal vulnerable condition.
All critical safety functions are being provided, but RCP seal cooling is not available.
The potential for this sequence to lead to core damage depends on the susceptibility of the seals to failure after loss of all cooling and potential recovery options to restore seal cooling prior to seal failure. The seal failure evaluation will be done on an individual sequence basis, should the quantification show this state to be important.

Table 4.4-5 T2 TRANSIENT SUCCESS CRITERIA SUMMARY INFORMATION
INITIATOR: T2 - Loss of MFW
REACTOR SUBCRITICALITY: RPS
CORE HEAT REMOVAL, EARLY: 1/3 AFW Pumps OR 1/3 Charging Pumps and 2 PORVs Open (in Feed and Bleed)
RCS INTEGRITY: 1/3 Charging Pump in Seal Injection and PORV Reclose (if opened) OR CCW to RCP Thermal Barrier in all RCP and PORV Reclose (if opened)
CONTAINMENT PRESSURE SUPPRESSION, EARLY: 1/2 CSS OR 1/2 ISR and SWS to associated CSR HX
CORE HEAT REMOVAL, LATE: 1/3 HPR and 1/2 LPR
CONTAINMENT PRESSURE SUPPRESSION, LATE: 1/2 ISR and SWS to associated HX OR 1/2 OSR and SWS to associated HX
COMMENTS:
1. OSR needs CSS in injection to provide NPSH.
2. ISR needs SWS in injection to provide NPSH.
3. Secondary steam relief assumed available.
4. AFW to 1 SG sufficient.
5. No RCS pressure relief required if scram. However PORV may open.
6. Failure of RCS integrity goes to S2.
7. If AFW and RCS integrity are provided, containment heat removal and core heat removal late are not required.

Figure 4.4-4 Event Tree for T2 - Loss of Main Feedwater
Event tree headings: LOSS OF MFW (T2), RPS (K), RCI (Q), AFW (L), SEAL COOL (D3), CCW (W), HPI (D2), PRV (P), CONT SYS (CS), CORE VULNR TO CD (CV), LPR (H1), HPR (H2)
Sequence: CORE / COMMENTS
1. T2: OK
2. T2-D3: OK
3. T2-D3-W: SEAL VULN
4. T2-L: OK
5. T2-L-H2: CM
6. T2-L-H1: CM
7. T2-L-CS: OK
8. T2-L-CS-H2: CM
9. T2-L-CS-H1: CM
10. T2-L-CS-CV: CM
11. T2-L-P: CM
12. T2-L-D2: CM
13. T2-Q: GO TO S2
14. T2-K: GO TO ATWS
Sequence 4 represents loss of auxiliary feedwater, but successful feed and bleed cooling, using containment heat removal systems and reactor coolant recirculation systems. Long term feed and bleed cooling requires high pressure coolant recirculation.
Sequence 5 represents core damage due to failure to provide high pressure recirculation for long term cooling. Sequence 6 is similar to 5, except that the low pressure recirculation systems are unavailable.
Sequences 7 through 10 represent successful feed and bleed cooling, but failure of containment heat removal. In Sequence 7, containment failure does not lead to structural or phenomenological failure of the ECCS and core cooling is successful.
Sequences 8 and 9 represent ECCS survival of the containment failure, but failure due to random other causes. Sequence 10 represents ECCS failure due to containment failure. Thus, Sequence 10 represents containment failure prior to core damage. Sequences 11 and 12 represent failure to initiate feed and bleed cooling after loss of auxiliary feedwater.
In Sequence 11, feed and bleed fails due to failure of 2 of 2 PORVs to open, while in Sequence 12, feed and bleed fails due to failure to establish safety injection flow. Sequence 13 is a transient induced LOCA, which transfers to the S2 tree for further evaluation; and Sequence 14 is ATWS, which transfers to the ATWS tree for further evaluation.

4.4.4 T3 (Turbine Trip with MFW Available) Event Tree

This section presents and discusses the event tree for the turbine trip initiating event group in which the main feedwater remains available.
Transients in which one or both MFW pumps remain available are considered.
This event is identified by the symbol T3 in the event tree.

4.4.4.1 Success Criteria

Success criteria for the T3 event tree are shown in Table 4.4-6. This initiating event group represents a turbine trip, followed by a demand for reactor trip. PORV demand for this class of initiators is considered to be a random occurrence, due to degraded control system performance or degraded balance of plant component performance.
The probability of PORV demand was assigned a value of .014, for high power initiators only, based on historical Westinghouse experience.
The MFW control system at Surry is such that if the reactor trip breakers are closed and TAVE is less than 543°F, the main feedwater regulating valves will close, the miniflow lines will open, and the MFW pumps will stay on. This was judged to be the course of all T3 initiating events. Although the MFW pumps are isolated from the steam generators, they remain a viable source of SG inventory makeup, should AFW be unavailable.
AFW is the preferred source of SG makeup, but MFW pumps can easily be used by opening the feedwater regulating valve bypass valve. Because AFW is the preferred source of SG makeup, it appears on the tree before main feedwater.

Table 4.4-6 T3 TRANSIENT SUCCESS CRITERIA SUMMARY INFORMATION
INITIATOR: Turbine Trip with MFW available, T3
REACTOR SUBCRITICALITY: RPS
CORE HEAT REMOVAL, EARLY: 1/3 AFWP OR 1/2 MFW OR 1/3 Charging Pump and 2 PORVs Open (in Feed and Bleed)
RCS INTEGRITY: Any Open PORVs Reclose ELSE Transfer to S2 Event Tree; RCP Seal Integrity: 1/3 Charging Pump in Seal Injection Flow OR CCW to Thermal Barrier of All RCPs
CONTAINMENT PRESSURE SUPPRESSION, EARLY: 1/2 CSS OR 1/2 ISR and SWS to Associated CSR HX
CORE HEAT REMOVAL, LATE: 1/3 HPR and 1/2 LPR
CONTAINMENT PRESSURE SUPPRESSION, LATE: 1/2 ISR and SWS to Associated HX OR 1/2 OSR and SWS to Associated HX
COMMENTS:
1. PORVs challenged at rate of 11/70 transients for T1.
2. Comments 1-7 for T1 apply to this initiator.
3. Core heat removal, late and containment atmospheric heat removal are required only when feed and bleed is demanded or RCS integrity is lost.

Four primary functions were required to successfully mitigate the T3 events. These functions are reactor scram, RCS integrity, SG inventory makeup, and RCP seal cooling. If all these functions are provided, the transient will be mitigated at a very early stage. Failure to provide reactor scram transfers to the ATWS tree. Failure of PORVs to reclose transfers to the S2 LOCA tree. Failure to provide RCP seal cooling leads to a seal vulnerable condition.
Failure to provide feedwater leads to a demand for "feed and bleed" cooling. For feed and bleed, failure to provide charging flow and open two PORVs leads to core damage. Successful feed and bleed cooling leads to a demand for containment systems and coolant recirculation systems.

4.4.4.2 Discussion of Sequences

The event tree for T3 is shown in Figure 4.4-5. The important functional and phenomenological dependencies as well as general assumptions and limitations are stated in Table 4.4-2. The first sequence represents successful stabilization of the reactor at hot shutdown.
Reactor scram is successful.
AFW starts and provides water to at least one of three steam generators.
Heat removal is via the steam dumps to the condenser.
Seal cooling is provided by seal injection flow. At this juncture in the tree, the reactor is stable in hot shutdown.
This is considered successful termination and no further system availability questions are asked. Particularly, the availability of RHR which is necessary to reach cold shutdown is not asked. Sequence 2 is also a success state, with seal cooling being provided by CCW to the thermal barrier. Sequence 3 is a seal vulnerable condition.
All critical safety functions are being provided, but RCP seal cooling is not available.
The potential for this sequence to lead to core damage depends on the susceptibility of seals to failure after loss of all cooling and the potential recovery options to restore seal cooling prior to seal failure. The seal vulnerable evaluation will be done on an individual sequence basis, should the quantification show this state to be important.
Sequence 4 represents stable hot shutdown with SG inventory being provided by main feedwater, after failure of auxiliary feedwater.
This is a success state similar to Sequence 1, but with a much lower probability.
Questions of seal cooling were not asked on this branch, because the additional sequences would be subsets of Sequences 2 and 3. Sequence 5 represents loss of auxiliary feedwater and all main feedwater, but successful feed and bleed cooling, using containment heat removal systems and reactor coolant recirculation systems. Long term feed and bleed cooling requires high pressure coolant recirculation.
Sequence 6 represents core damage due to failure to provide high pressure recirculation for long term cooling. Sequence 7 is similar to 6, except that the low pressure recirculation systems are unavailable.
Sequences 8 through 11 represent successful feed and bleed cooling, but failure of containment heat removal. In Sequence 8, containment failure does not lead to structural or phenomenological failure of the ECCS and core cooling is successful.
Sequences 9 and 10 represent ECCS survival of the containment failure, but failure due to random other causes. Sequence 11 represents ECCS failure due to containment failure. Thus, Sequence 11 represents containment failure prior to core damage.

Figure 4.4-5 Event Tree for T3 - Turbine Trip with MFW
Event tree headings: TURB TRIP W MFW (T3), RPS (K), RCI (Q), AFW (L), MFW (M), SEAL COOL (D3), CCW (W), HPI (D2), PRV (P), CONT SYS (CS), CORE VULNR TO CD (CV), LPR (H1), HPR (H2)
Sequence: CORE / COMMENTS
1. T3: OK
2. T3-D3: OK
3. T3-D3-W: SEAL VULN
4. T3-L: OK
5. T3-L-M: OK
6. T3-L-M-H2: CM
7. T3-L-M-H1: CM
8. T3-L-M-CS: OK
9. T3-L-M-CS-H2: CM
10. T3-L-M-CS-H1: CM
11. T3-L-M-CS-CV: CM
12. T3-L-M-P: CM
13. T3-L-M-D2: CM
14. T3-Q: GO TO S2
15. T3-K: GO TO ATWS

Sequences 12 and 13 represent failure to initiate feed and bleed cooling after loss of auxiliary feedwater.
In Sequence 12 feed and bleed fails due to failure of 2 of 2 PORVs to open, while in Sequence 13, feed and bleed fails due to failure to establish safety injection flow. Sequence 14 is a transient induced LOCA, which transfers to the S2 tree for further evaluation; and Sequence 15 is ATWS, which transfers to the ATWS tree for further evaluation.

4.4.5 T5 (Loss of DC Bus) Event Tree

This section presents and discusses the event tree for the loss of a DC bus as an initiating event. This event is identified by the symbol T5 in the event tree. The event tree was quantified for two specific initiators, loss of DC bus 1-A (T5A) and loss of DC bus 1-B (T5B); however, a single event tree is applicable to both. The specific initiators were postulated to be non-recoverable shorts in the buses. Interruptions in power supply to the buses and load shorts on the buses were considered to be recoverable in a relatively short time period and were therefore not included in this initiating event category.

4.4.5.1 Success Criteria

Success criteria for the T5 event tree are shown in Table 4.4-7. The success criteria are identical to T1 and T2. The specific failures of the initiator do not create any unique success criteria; however, they do create unique conditions for the evaluation of sequences.
Loss of a DC bus will cause MSIV closure, false signals in the instrumentation systems, and the immediate unavailability of some equipment.
Loss of a DC bus will cause a low intake canal level which will cause turbine trip, and a low steam generator level signal which will cause a reactor trip. Loss of a DC bus will also start the turbine driven AFW pump due to the fail open condition of one steam admission valve. In addition, loss of a DC bus will cause a CLS Hi and resultant SIAS actuation of one train. The major impact on the plant systems is through the loss of control power to the affected buses. The circuit breakers will fail as is, so that operating pumps remain on, while non-operating pumps become unavailable.
Manual loading of pumps onto buses was not considered in the analysis.
Inadvertent safety injection will occur and may challenge a PORV unless controlled by the operator.
Four primary functions are required to successfully mitigate these events. These functions are reactor scram, RCS integrity, SG inventory makeup, and RCP seal cooling. If all these functions are provided, the transient will be mitigated at a very early stage. Failure to provide reactor scram transfers to the ATWS tree. Failure of PORVs to reclose transfers to the S2 LOCA tree. Failure to provide RCP seal cooling leads to a seal vulnerable condition.
Failure to provide feedwater leads to a demand for "feed and bleed" cooling. Failure to provide charging flow and open two PORVs leads to core damage. Successful feed and bleed cooling leads to demand for containment systems and coolant recirculation systems.

Table 4.4-7 T5 TRANSIENT SUCCESS CRITERIA SUMMARY INFORMATION
INITIATOR: T5 - Loss of DC Bus
REACTOR SUBCRITICALITY: RPS
CORE HEAT REMOVAL, EARLY: 1/3 AFW Pumps OR 1/3 Charging Pumps and 2 PORVs Open (in Feed and Bleed)
RCS INTEGRITY: 1/3 Charging Pump in Seal Injection and PORV Reclose (if opened) OR CCW to RCP Thermal Barrier in all RCP and PORV Reclose (if opened)
CONTAINMENT PRESSURE SUPPRESSION, EARLY: 1/2 CSS OR 1/2 ISR and SWS to associated CSR HX
CORE HEAT REMOVAL, LATE: 1/3 HPR and 1/2 LPR
CONTAINMENT PRESSURE SUPPRESSION, LATE: 1/2 ISR and SWS to associated HX OR 1/2 OSR and SWS to associated HX
COMMENTS:
1. OSR needs CSS in injection to provide NPSH.
2. ISR needs SWS in injection to provide NPSH.
3. Secondary steam relief assumed available.
4. AFW to 1 SG sufficient.
5. No RCS pressure relief required if scram. However PORV may open.
6. Failure of RCS integrity goes to S2 tree.
7. If AFW and RCS integrity are provided, containment heat removal and core heat removal late are not required.

4.4.5.2 Discussion of Sequences

The event tree for T5 is shown in Figure 4.4-6. The important functional and phenomenological dependencies as well as general assumptions and limitations are stated in Table 4.4-2. The first sequence represents successful stabilization of the reactor at hot shutdown.
Reactor scram is successful.
AFW starts and provides water to at least one of three steam generators.
Heat removal is through the atmospheric dump valves as the initiating event will have failed the power conversion system. Seal cooling is provided by seal injection flow. At this juncture in the tree, the reactor is in hot shutdown.
This is considered successful termination and no further system availability questions are asked. Particularly, the availability of RHR which is necessary to reach cold shutdown is not asked. Sequence 2 is also a success state, with seal cooling being provided by CCW to the thermal barrier. Sequence 3 is a seal vulnerable condition.
All critical safety functions are being provided, but RCP seal cooling is not available.
The potential for this sequence to lead to core damage depends on the susceptibility of the seals to failure after loss of all cooling and the potential recovery options to restore seal cooling prior to seal failure. This state will be evaluated on an individual basis, if the quantification shows it to be significant.
Sequence 4 represents loss of auxiliary feedwater, but successful feed and bleed cooling, using containment heat removal systems and reactor coolant recirculation systems. Long term feed and bleed cooling requires high pressure coolant recirculation.
Sequence 5 represents core damage due to failure to provide high pressure recirculation for long term cooling. Sequence 6 is similar to 5, except that the low pressure recirculation systems are unavailable.
Sequences 7 through 10 represent successful feed and bleed cooling, but failure of containment heat removal. In Sequence 7, containment failure does not lead to structural or phenomenological failure of the ECCS and core cooling is successful.
Sequences 8 and 9 represent ECCS survival of the containment failure, but failure due to other random causes. Sequence 10 represents ECCS failure due to containment failure. Thus, Sequence 10 represents containment failure prior to core damage. Sequences 11 and 12 represent failure to initiate feed and bleed cooling after loss of auxiliary feedwater.
In Sequence 11, feed and bleed fails due to failure of 2 of 2 PORVs to open, while in Sequence 12, feed and bleed fails due to failure to establish safety injection flow. Sequence 13 is a transient induced LOCA, which transfers to the S2 tree for further evaluation, and Sequence 14 is ATWS, which transfers to the ATWS tree for further evaluation.
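
The branch logic described above for the T2, T3 and T5 trees can be written as a small table of "which heading is asked next" and walked success-branch-first, which reproduces the sequence numbering of Figures 4.4-4, 4.4-5 and 4.4-6. This is an added illustration, not part of the original report; the function names and the table encoding are assumptions made here, while the heading symbols and end states are those used in the report's figures.

```python
"""Walk the T2, T3 and T5 transient event trees and list their sequences.

Added illustration: the encoding is an assumption of this example, not the
report's own model. Heading symbols (K, Q, L, ...) and end states follow
the event tree figures.
"""

# End states that appear in the CORE / COMMENTS columns of the figures.
END_STATES = {"OK", "CM", "SEAL VULN", "GO TO S2", "GO TO ATWS"}


def build_tree(mfw_backup=False):
    """Return {heading: (next_if_success, next_if_failure)}.

    mfw_backup=False gives the T2/T5 logic: loss of AFW (L) goes straight
    to feed and bleed. mfw_backup=True gives the T3 logic: main feedwater
    (M) is asked after AFW fails, and seal cooling is not asked there.
    """
    tree = {
        "K": ("Q", "GO TO ATWS"),      # reactor scram, else ATWS tree
        "Q": ("L", "GO TO S2"),        # PORVs reclose, else S2 LOCA tree
        "L": ("D3", "M" if mfw_backup else "D2"),  # auxiliary feedwater
        "D3": ("OK", "W"),             # seal injection flow
        "W": ("OK", "SEAL VULN"),      # CCW to the RCP thermal barrier
        # Feed and bleed, then containment systems and recirculation.
        "D2": ("P", "CM"),             # charging / safety injection flow
        "P": ("CS", "CM"),             # PORVs open for bleed
        "CS": ("H1", "CV"),            # containment heat removal
        "CV": ("H1", "CM"),            # ECCS survives containment failure
        "H1": ("H2", "CM"),            # low pressure recirculation
        "H2": ("OK", "CM"),            # high pressure recirculation
    }
    if mfw_backup:
        tree["M"] = ("OK", "D2")       # MFW makeup, else feed and bleed
    return tree


def validate(tree):
    """Every branch must lead to another heading or to a known end state."""
    for heading, targets in tree.items():
        for target in targets:
            if target not in tree and target not in END_STATES:
                raise ValueError(f"{heading} points at unknown {target!r}")


def enumerate_sequences(initiator, tree, first="K"):
    """Depth-first walk, success branch before failure branch.

    Returns [(sequence_name, end_state), ...] in figure order. A sequence
    name is the initiator followed by the headings that failed on the path.
    """
    validate(tree)
    sequences = []

    def walk(node, failed):
        if node in END_STATES:
            sequences.append(("-".join([initiator] + failed), node))
            return
        on_success, on_failure = tree[node]
        walk(on_success, failed)
        walk(on_failure, failed + [node])

    walk(first, [])
    return sequences


def core_damage_sequences(sequences):
    """Names of the sequences that end in core damage (CM)."""
    return [name for name, state in sequences if state == "CM"]


if __name__ == "__main__":
    for initiator, backup in (("T2", False), ("T3", True), ("T5", False)):
        print(f"Event tree for {initiator}")
        listing = enumerate_sequences(initiator, build_tree(backup))
        for number, (name, state) in enumerate(listing, start=1):
            print(f"  {number:2d}. {name:<14} {state}")
```
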

4.4.6 T7 (Steam Generator Tube Rupture) Event Tree

This section presents and discusses the event tree for the steam generator tube rupture (SGTR) initiating event. This event is identified by the symbol T7 in the event tree. Success criteria for the T7 event tree are shown in Table 4.4-8. This initiator is unique among the transient initiators because it causes a breach of the primary pressure boundary into the secondary side pressure boundary.
Success criteria involved with integrity of the primary pressure boundary now become entangled with the necessity to preserve the secondary side pressure boundary.
The primary system and the ruptured steam generator form a continuous pressure boundary and must be maintained at pressures consistent with the secondary side criteria.
Normally open effluent lines to the steam generator must be isolated, because they now represent open effluent lines to the primary system.

Figure 4.4-6 Event Tree for T5 - Loss of DC Bus
Event tree headings: LOSS OF DC BUS (T5), RPS (K), RCI (Q), AFW (L), SEAL COOL (D3), CCW (W), HPI (D2), PRV (P), CONT SYS (CS), CORE VULNR TO CD (CV), LPR (H1), HPR (H2)
Sequence: CORE / COMMENTS
1. T5: OK
2. T5-D3: OK
3. T5-D3-W: SEAL VULN
4. T5-L: OK
5. T5-L-H2: CM
6. T5-L-H1: CM
7. T5-L-CS: OK
8. T5-L-CS-H2: CM
9. T5-L-CS-H1: CM
10. T5-L-CS-CV: CM
11. T5-L-P: CM
12. T5-L-D2: CM
13. T5-Q: GO TO S2
14. T5-K: GO TO ATWS

Table 4.4-8 T7 TRANSIENT SUCCESS CRITERIA SUMMARY INFORMATION
INITIATOR: T7 - SGTR
REACTOR SUBCRITICALITY: RPS
CORE HEAT REMOVAL, EARLY: 1/3 AFW Pumps to 1/2 SGs
RCS INTEGRITY: Depressurize RCS to less than SG-RV setpoint and isolate MSIV, SG blowdown line, steam line to TD pump, steam line to DHR valve
CONTAINMENT PRESSURE SUPPRESSION, EARLY: N/A
CORE HEAT REMOVAL, LATE: 1/3 AFW Pumps to 1/2 SGs
CONTAINMENT PRESSURE SUPPRESSION, LATE: N/A
COMMENTS:
1. Definition of RCS boundary expanded to include SG; hence, SG integrity must be considered too.

4.4.6.1 Success Criteria

This initiating event begins with a complete double ended rupture in a single steam generator tube, which allows primary coolant to flow into the secondary coolant system. The three primary functions required in response to T7 are reactor scram, core heat removal, and operator control of RCS pressure.
If all of these functions are provided, the transient is mitigated at an early stage. Operator control of RCS pressure requires RCS cooldown using heat removal through the good steam generators, and depressurization of the primary system using pressurizer spray or PORV opening. Failure to trip the reactor (either automatically or manually) causes the pressure in the reactor coolant system to increase, possibly resulting in the rupture of additional steam generator tubes and an increase in the flow from the RCS to the secondary coolant system. The ATWS induced pressure increase in the primary is counterproductive to the RCS depressurization which is required to mitigate tube rupture. Because of the complexity of this sequence, and the limited analytical data available to support evaluation, steam generator tube rupture with failure to scram was categorized as a core damage sequence.

4.4.6.2 Discussion of Sequences

The event tree for T7 is shown in Figure 4.4-7. The important functional and phenomenological dependencies as well as assumptions and limitations are stated in the general assumptions found in Table 4.4-2. The steam generator tube rupture initiator is a double ended rupture of a single tube which results in an RCS outflow that requires an equivalent makeup flow of about 600 gpm. Actuation of SI will occur on low pressurizer pressure, shortly after the initiator.
Turbine trip, MFW isolation and start of AFW will occur on the SI signal. The operator is instructed to identify and isolate the ruptured steam generator. Isolation of the ruptured SG involves closure of the MSIV, AFW inlet valve, steam generator blowdown line and turbine driven pump steam admission valve. Complete isolation will not occur until the RCS pressure is reduced to less than the SG pressure.
The water level in the ruptured SG will continue to rise due to the influx of water from the break. Pressure in this SG will also rise as the average steam generator water temperature increases.
The operator is then directed to cooldown the RCS as rapidly as possible using the good steam generators and then depressurize the RCS using pressurizer sprays or opening a PORV, to reduce the pressure in the RCS to below the pressure in the ruptured SG. This will terminate the breakflow from the RCS and stabilize the reactor. The operator then has to cooldown the ruptured steam generator and place the reactor in cold shutdown.
At the point in the event, when the pressure in the RCS is less than the pressure in the ruptured SG, the ruptured SG is isolated, and AFW is being provided to the good SGs, all the success criteria defined by this analysis are satisfied.
The systems necessary to put the reactor in cold shutdown and to provide for cooldown of the ruptured SG were not modeled in the event tree.

Figure 4.4-7 Event Tree for T7 - Steam Generator Tube Rupture
Event tree headings: SGTR (T7), RPS (K), HPI (D1), AFW (L3), OPER. DPRES (OD), RCI (Q), SGI (QS), LPR (H1), HPR (H2)
Sequence: CORE
1. T7: OK
2. T7-QS: OK
3. T7-Q: OK
4. T7-Q-H1: CM
5. T7-Q-QS: CM
6. T7-Q-QS-H1: CM
7. T7-OD: OK
8. T7-OD-QS: CM
9. T7-OD-Q: OK
10. T7-OD-Q-H2: CM
11. T7-OD-Q-H1: CM
12. T7-OD-Q-QS: CM
13. T7-L3: CM
14. T7-D1: OK
15. T7-D1-QS: CM
16. T7-D1-Q: CM
17. T7-D1-OD: CM
18. T7-D1-L3: CM
19. T7-K: CM

Sequence 1 represents successful mitigation of the initiator.
Primary and secondary side pressures have been equalized, thus mitigating breakflow.
SG integrity (and thus RCS integrity) have been maintained, and heat removal is provided by the good steam generators.
Sequence 2 represents a failure of steam generator integrity.
It was classified a safe state, although it violates the success criteria, because the timing of this sequence extends it well past the 24 hour mission time for evaluation.
This sequence includes successful depressurization of the primary system within 45 minutes of the initiating event. The leak rate would be reduced substantially below the initial 600 gpm leak rate. Reduction of the leak rate to 200 gpm would extend the RWST depletion time to about 27 hours. Reduction to 100 gpm would extend the RWST depletion time to 53 hours. Should a loss of SG integrity occur after primary depressurization, the likelihood of not being able to mitigate a 100 gpm leak for over 50 hours was considered exceedingly small. Sequence 3 represents loss of primary system integrity (i.e., stuck open PORV), but successful coolant recirculation from the containment sump using LPR. PORV demand probability for this sequence was estimated to be .25, which includes the possibility of intentional PORV opening to aid primary system pressure reduction.
Secondary side integrity is maintained throughout the sequence, thus preserving coolant inventory and enabling long term coolant recirculation.
Heat removal is through the steam generators.
SI flow in response to the PORV failure will empty the RWST, causing switchover to recirculation from the sump. Because the reactor has previously been depressurized to 1000 psi in response to the tube rupture, it was estimated it could be further depressurized to allow low pressure recirculation in the event that high pressure recirculation failed. High pressure recirculation is therefore not necessary.
Sequence 4 is similar to Sequence 3 except that failure to switch to low pressure recirculation from the sump results in core damage. This sequence is recoverable at Surry by cross connecting of the RWST from Unit 2, and continued safety injection.
Sequence 5 represents unmitigated loss of coolant inventory from the steam generator which ultimately prevents required recirculation from the sump.
The loss of RCS integrity early in the event forces coolant recirculation from the sump while the loss of SG integrity results in continued loss of coolant inventory to the atmosphere.
Eventual inventory depletion in the sump will result in cavitation of the LPR pumps, thus leading to core uncovery.
This sequence can be recovered through refilling the RWST or cross connect to the other unit's RWST. Sequence 6 is similar to 5, but represents failure of coolant recirculation due to failures in the low pressure recirculation system. Recovery of this sequence is possible through continued safety injection using the water sources from Unit 2. This extends the sequence well beyond the 24 hour mission time which the analysis is based upon. Because the operator has previously depressurized in Sequences 3 through 6, breakflows are low enough to provide substantial time for operator recovery actions to provide alternate sources of coolant injection.
In Sequences 7 through 12 the operator has failed to depressurize the reactor and thus inventory loss rates are much higher. Sequence 7 represents a mitigated SGTR with failure to depressurize the reactor. The probability of this state is exceedingly small, due to the provision of safety valves on the steam generator.
At a minimum, all of these SVs would have to fail closed in order to fulfill the requirements of this state. Sequence 8 is similar to Sequence 2, except that breakflows are higher. Failure of the operator to depressurize, combined with loss of SG integrity causes the eventual depletion of the RWST inventory through the unisolated SG. Recirculation from the sump is not possible, but refilling of the RWST would delay core uncovery.
Sequence 9 is a safe state because the retention of SG integrity allows preservation of coolant inventory and continued emergency coolant recirculation from the sump. The stuck open relief valve which occurred early in the sequence forces the requirement for recirculation from the sump. High pressure recirculation is required because of the previous operator failure to depressurize the reactor. Sequences 10 and 11 represent failure of coolant recirculation due to faults in the HPR/LPR systems. Sequence 12 represents a simultaneous loss of RCS integrity and SG integrity.
Continued safety injection is necessary to maintain RCS inventory.
But the loss of SG integrity causes diversion of the coolant inventory outside the containment.
The previous failure to depressurize the reactor results in high reactor pressure and thus maintains large discharge rates. Questions of LPR and HPR availability were not asked at this juncture, because sump inventory would not be sufficient to establish recirculation.
Sequence 13 is a tube rupture with loss of auxiliary feedwater.
Response to loss of AFW in other transients is to initiate feed and bleed cooling. But, feed and bleed requires sustained pressure in the primary system, which is counter to requirements of SG tube rupture mitigation.
Due to limited previous evaluation of these circumstances, SG tube rupture with loss of all feedwater was considered a core damage sequence.
Sequence 14 represents a recoverable failure of safety injection.
Early in the sequence, safety injection fails in response to the low pressurizer pressure.
This is similar to an unmitigated LOCA, except that restoration of RCS integrity is possible if the operator performs rapid cooldown and depressurization of the primary. At the point where primary and secondary pressures are equal, the RCS outflow is terminated and thus there is no more need for coolant makeup. If these actions occur in a short enough time frame such that core covery is maintained and RCS inventory is sufficient to support steam generator heat removal, this represents an acceptable core cooling state. Sequence 15 leads to core uncovery through the combination of loss of SG integrity and failure of safety injection.
Inventory loss is through the SG without the capability to makeup inventory.
Sequence 16 is similar, except inventory loss is through the pressurizer PORV. Sequence 17 represents failure to depressurize the RCS to limit leakage. Continued breakflow through the ruptured tube leads to core uncovery.
Sequence 19 is an ATWS sequence, as discussed in the previous section. ATWS was not considered mitigatible when combined with a tube rupture.

4.4.7 A (Large LOCA) Event Tree

This section presents and discusses the event tree for the large LOCA initiating event. This event is identified by the symbol A in the event tree and covers break sizes ranging from 6 to 29 inches.

4.4.7.1 Success Criteria

The success criteria for the large LOCA event tree are shown in Table 4.4-9.

4.4.7.2 Discussion of Sequences

The event tree for large LOCAs is shown in Figure 4.4-8. The important functional and phenomenological dependencies as well as general assumptions and limitations are stated in Table 4.4-2.

Table 4.4-9 LARGE LOCA SUCCESS CRITERIA SUMMARY INFORMATION
INITIATOR: Large LOCA, A
REACTOR SUBCRITICALITY: Not Required
CORE HEAT REMOVAL, EARLY: 1/2 LPI and 2/2 ACC
RCS INTEGRITY: See Comments
CONTAINMENT PRESSURE SUPPRESSION, EARLY: 1/2 CSS OR 1/2 ISR and SWS to Associated CSR HX
CORE HEAT REMOVAL, LATE: 1/2 LPR and Switch Injection Point to Hot Leg at 16 hr.
CONTAINMENT PRESSURE SUPPRESSION, LATE: 1/2 ISR and SWS to Associated HX OR 1/2 OSR and SWS to Associated HX
COMMENTS:
1. Injection of LPI into one RCS loop was considered sufficient.
2. Reactor criticality is not explicitly required. If RPS fails, the reactor will be maintained subcritical by injection of RWST inventory.
3. RCS integrity is lost as a result of the initiator.

Figure 4.4-8 Event Tree for A - Large LOCA
Event tree headings: LARGE LOCA (A), ACC (D5), LPI (D6), CONT SYS (CS), CORE VULNR TO CD (CV), LPR (H1)
Sequence: CORE
1. A: OK
2. A-H1: CM
3. A-CS: OK
4. A-CS-H1: CM
5. A-CS-CV: CM
6. A-D6: CM
7. A-D5: CM

Sequence 1 represents a completely successful response to the initiator in which all systems function as intended.
The accumulators inject water immediately to accommodate the initial high volume surge of water from the reactor cooling system. Low pressure injection subsequently provides the high volume, low pressure flow required for continued core cooling. The containment heat removal systems successfully maintain containment pressures and temperatures at acceptable levels, and recirculation cooling is established from the containment sump to provide long term cooling. Sequence 2 leads to core damage because of a failure to provide low pressure recirculation cooling. No other system can provide the volume of flow needed under large LOCA conditions.
Sequences 3, 4, and 5 represent the occurrence of a core wlnerable state and its possible outcomes.
A core vulnerable state occurs when containment heat removal fails after core cooling has been established by low pressure injection.
Under such circumstances, heat is being transferred from the core to the containment via the water flowing through the opening in the RCS pressure boundary.
As a result, the pressure and temperature in. the containment rise due to the lost containment heat removal (CHR) capability.
If the containment pressure continues to increase without being mitigated by containment venting or restoration of CHR systems, containment
*overpressure failure will occur. Events occurring during containment failure could cause ECCS systems to fail, which would lead to core damage. Such a scenario is represented by Sequence 5. Sequence 3 represents containment failure, but the ECCS survives and continues to cool the core. Sequence 4 represents containment failure together with independent failure of the ECCS (i.e., due to causes other -than the containment failure).
Sequence 6 represents failure of the ECCS to respond early in the scenario to provide the high volume, low pressure injection flow needed to cool the core, thereby leading to core damage. In Sequence 7 the accumulators fail to inject water immediately as the pressure in the reactor coolant system drops suddenly as a result of the large break in the cooling system pressure boundary.
This sudden loss of coolant inventory causes core damage. 4~4.8 s 1 (Medium LOCA) Event Tree This section presents and discusses the event tree for the medium LO_CA initiating event. This event is identified by the symbol s 1 in the event tree and covers leak sizes ranging from 2 to 6 inches. 4.4.8.1 Success Criteria Success criteria for medium LOCAs are shown in Table 4.4-10. Success criteria for s 1 are distinctively different A and s 2* These differences were derived from requirements for AFW, accumulators, HPI/R and LPI/R. The s 1 events will maintain the reactor moderately pressurized during the early time frame, thus requiring early inventory makeup from HPI. As the pressure declines.
the accumulators and LPI are required.
A requirement for high pressure recirculation is not necessary, because pressure will be below shutoff head for LHSI pumps at the time of recirculation.
4.4.8.2 Discussion of Sequences The event tree for medium LOCAs is shown in Figure 4.4-9. The important functional and phenomenological dependencies as well as general assumptions and limitations are stated in Table 4.4-2. 4.4-41

Table 4.4-10 MEDIUM LOCA SUCCESS CRITERIA SUMMARY INFORMATION

INITIATOR: Medium LOCA, S1
REACTOR SUBCRITICALITY: Not Required
CORE HEAT REMOVAL, EARLY: 1/3 Charging Pump and 1/2 LPI and 2/3 ACC
RCS INTEGRITY: See Comments
CONTAINMENT PRESSURE SUPPRESSION, EARLY: 1/2 CSS OR 1/2 ISR and SWS to Associated CSR HX
CORE HEAT REMOVAL, LATE: 1/2 LPR and Switch injection point to hot leg at 16 hr.
CONTAINMENT PRESSURE SUPPRESSION, LATE: 1/2 ISR and SWS to Associated HX OR 1/2 OSR and SWS to Associated HX
COMMENTS:
1. 1/2 injection lines adequate for LPI.
2. 2/3 injection lines adequate for HPI.
3. Reactor subcriticality is not explicitly required. If RPS fails, the reactor will be maintained subcritical by injection of RWST inventory.
4. RCS integrity is lost as a result of the initiator.

Figure 4.4-9 Event Tree for S1 - Medium LOCA

Headings: INTERMEDIATE LOCA (S1), HPI (D1), ACC (D5), CONT SYS (CS), CORE VULNR TO CD (CV), LPI (D6), LPR (H1)

Sequence         Core
1. S1            OK
2. S1-H1         CM
3. S1-D6         CM
4. S1-CS         OK
5. S1-CS-H1      CM
6. S1-CS-D6      CM
7. S1-CS-CV      CM
8. S1-D5         CM
9. S1-D1         CM

Sequence 1 represents a completely successful response to the initiator in which all systems function as intended.
High pressure injection immediately provides the high pressure initial flow required for core cooling. The accumulators inject water to accommodate the initial high-volume surge of water from the reactor cooling system. The containment heat removal systems successfully maintain containment pressures and temperatures at acceptable levels, and low pressure injection and recirculation cooling are established to provide long term cooling.

Sequence 2 leads to core damage because of a failure to provide low pressure recirculation cooling. No other system can provide the volume of flow needed under the low pressure conditions that follow a medium LOCA. Sequence 3 denotes failure to establish low pressure injection, which is required before enough water accumulates in the containment sump to allow recirculation cooling.

Sequences 4, 5, 6, and 7 represent the occurrence of a core vulnerable state and its possible outcomes. A core vulnerable state occurs when containment heat removal (CHR) fails after core cooling has been established by high pressure injection. Under such circumstances, heat is being transferred from the core to the containment via the water flowing through the opening in the RCS pressure boundary. As a result, the pressure and temperature in the containment rise due to the failed containment heat removal capability. If the containment pressure continues to increase without being mitigated by containment venting or restoration of CHR systems, containment overpressure failure will occur. Events occurring during containment failure could cause ECCS systems to fail, which would lead to core damage. Such a scenario is represented by Sequence 7. Sequence 4 represents containment failure, but the ECCS survives and continues to cool the core. Sequences 5 and 6 represent containment failure together with independent failure of the ECCS (i.e., due to causes other than the containment failure).

In Sequence 8 the accumulators fail to inject water immediately as the pressure in the reactor coolant system drops suddenly as a result of the medium break in the cooling system pressure boundary. This sudden loss of coolant inventory causes core damage. Sequence 9 represents failure of the ECCS to respond early in the scenario to provide the high pressure injection flow needed to cool the core, thereby leading to core damage.

4.4.9 S2 (Small LOCA) Event Tree

This section presents and discusses the event tree for the small LOCA initiating event. This event is identified by the symbol S2 in the event tree and covers leak sizes ranging from 1/2 to 2 inches.

4.4.9.1 Success Criteria

Success criteria for S2 LOCAs are shown in Table 4.4-11. S2 success criteria are a combination of transient and LOCA type criteria. The break is not sufficient to depressurize the reactor, so that large volume ECCS systems are not effective. Control rod insertion is therefore needed, because the ECCS boration function will not be performed in a timely manner. AFW is required for successful S2 mitigation, because the break size itself is not sufficient to carry away decay heat and reactor coolant pump heat. The Surry RCPs do not shut off on receipt of an SIAS signal. If AFW is unavailable, "feed and bleed" cooling is viable if the operator opens one PORV.

Table 4.4-11 SMALL LOCA SUCCESS CRITERIA SUMMARY INFORMATION

INITIATOR: Small LOCA, S2
REACTOR SUBCRITICALITY: RPS
CORE HEAT REMOVAL, EARLY: 1/3 Charging Pump and 1/3 AFW Pump OR 1/3 Charging Pump and 1 PORV Opened
RCS INTEGRITY: See Comments
CONTAINMENT PRESSURE SUPPRESSION, EARLY: See Comment 3
CORE HEAT REMOVAL, LATE: 1/3 HPR and 1/2 LPR
CONTAINMENT PRESSURE SUPPRESSION, LATE: 1/2 ISR and SWS to Associated HX OR 1/2 OSR and SWS to Associated HX OR 1/3 AFW and 1/3 HPR and 1/2 LPR
COMMENTS:
1. Failure of RPS transfers to ATWS tree.
2. RCS integrity is lost as a result of the initiator.
3. Containment pressure suppression is not required in the early time frame (23).

4.4.9.2 Discussion of Sequences

The event tree for S2 is shown in Figure 4.4-10. The important functional and phenomenological dependencies as well as general assumptions and limitations are stated in Table 4.4-2.

Sequence 1 represents a completely successful response to the initiator in which all systems function as intended. The reactor protection system successfully scrams the reactor. High pressure injection provides the initial high pressure flow required to replace the lost inventory. The auxiliary feedwater system provides core heat removal via the steam generators. The containment heat removal systems successfully maintain containment pressures and temperatures at acceptable levels. The operator successfully depressurizes the RCS, and recirculation cooling is established to provide long term cooling, using the low pressure recirculation systems. Low pressure recirculation from the sump was required for successful mitigation, because shutdown cooling on RHR may not be possible due to break location.

Sequence 2 leads to core damage because of a failure to provide low pressure recirculation cooling. Sequence 3 represents successful mitigation after the failure of the operator to depressurize the RCS. Failure to depressurize the RCS leads to the requirement for high pressure recirculation. If either low or high pressure recirculation fails, core damage results as indicated by Sequences 4 and 5.

Sequences 6 through 11 cover the case in which the containment heat removal systems fail after core inventory is being maintained via high pressure injection and core cooling has been established by the AFW system. Whether or not this can lead to a core vulnerable state depends on whether or not the operator depressurizes the RCS. If operator depressurization occurs, SG heat removal is not effective and a core vulnerable state can occur. Under such circumstances, heat is gradually being transferred from the core to the containment via the water flowing through the opening in the RCS pressure boundary. As a result, the pressure and temperature in the containment rise gradually due to the lost containment heat removal (CHR) capability. If the containment pressure continues to increase without being mitigated by containment venting or restoration of CHR systems, containment overpressure failure will occur. Continued heat removal through the steam generators has been shown to be sufficient to prevent containment overpressure failure in these cases.* Events occurring during containment failure could cause ECCS failure, which would lead to core damage. Such a scenario is represented by Sequence 8. Sequence 6 represents containment failure, but the ECCS survives and continues to cool the core. Sequence 7 represents containment failure together with the independent failure of the ECCS (i.e., due to causes other than the containment failure).

If the operator keeps the RCS pressurized and thus supports steam generator heat removal (as represented by Sequences 9, 10, and 11), then the containment overpressure failure is averted, even though containment heat removal systems have failed. Under such circumstances the containment is not expected to fail, and the "CV" question is not asked. Sequence 9 represents successful functioning of the ECCS in the recirculation mode. Sequences 10 and 11 represent ECCS failure, which results in core damage.

Sequences 12 through 19 address the sequences with auxiliary feedwater failure. If AFW is lost, core cooling can be accomplished by opening a PORV to increase the break flow. Now sufficient water is lost from the RCS to carry away all decay heat. The charging pump is known to be successful at this point in the event tree. Sequence 19 represents failure of either PORV to open. Sequences 12 through 18 address the potential for a core vulnerable state due to failure of CHR. A core vulnerable state occurs when containment heat removal fails after feed and bleed core cooling has been established. Under such circumstances, heat is being transferred from the core to the containment. The pressure and temperature in the containment rise due to the lost containment heat removal capability. If the containment pressure continues to increase without being mitigated by containment venting or restoration of CHR systems, containment overpressure failure will occur. Events occurring during containment failure could cause ECCS systems to fail, which would lead to core damage. Such a scenario is represented by Sequence 18. Sequence 15 represents containment failure, but the ECCS survives and continues to cool the core. Sequences 16 and 17 represent containment failure together with independent failure of the ECCS (i.e., due to causes other than the containment failure).

In Sequence 20 the ECCS fails to respond to the small LOCA initiator and to provide the initial high pressure injection flow needed to cool the core. In Sequence 21 the RPS fails to scram the reactor, which transfers to the ATWS event tree for further analysis.

* Refer to Appendix A, Section A.1.2.

Figure 4.4-10 Event Tree for S2 - Small LOCA

Headings: SMALL LOCA (S2), RPS (K), HPI (D1), AFW (L), PRV (P1), CONT SYS (CS), OPER DPRES (OD), CORE VULNR TO CD (CV), LPR (H1), HPR (H2)

Sequence             Core   Comments
1.  S2               OK
2.  S2-H1            CM
3.  S2-OD            OK
4.  S2-OD-H2         CM
5.  S2-OD-H1         CM
6.  S2-CS            OK
7.  S2-CS-H1         CM
8.  S2-CS-CV         CM
9.  S2-CS-OD         OK
10. S2-CS-OD-H2      CM
11. S2-CS-OD-H1      CM
12. S2-L             OK
13. S2-L-H2          CM
14. S2-L-H1          CM
15. S2-L-CS          OK
16. S2-L-CS-H2       CM
17. S2-L-CS-H1       CM
18. S2-L-CS-CV       CM
19. S2-L-P1          CM
20. S2-D1            CM
21. S2-K             CM     GO TO ATWS
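
The walk through the small LOCA tree described above can be written as a small classifier that maps a set of failed top events to its sequence in Figure 4.4-10. This is an added example, not code from the report: the names `HEADINGS`, `SEQUENCES`, `TRANSFERS` and `classify` are illustrative, and the rule that a failed top event is ignored wherever the tree has no branch for it is an assumption read off the figure's sequence list.

```python
from typing import NamedTuple, Optional

# Top events in the left-to-right order of the Figure 4.4-10 headings.
HEADINGS = ("K", "D1", "L", "P1", "CS", "OD", "CV", "H1", "H2")

# Sequence number -> (failed top events in heading order, CORE column),
# transcribed from the sequence list of Figure 4.4-10.
SEQUENCES = {
    1: ((), "OK"),
    2: (("H1",), "CM"),
    3: (("OD",), "OK"),
    4: (("OD", "H2"), "CM"),
    5: (("OD", "H1"), "CM"),
    6: (("CS",), "OK"),
    7: (("CS", "H1"), "CM"),
    8: (("CS", "CV"), "CM"),
    9: (("CS", "OD"), "OK"),
    10: (("CS", "OD", "H2"), "CM"),
    11: (("CS", "OD", "H1"), "CM"),
    12: (("L",), "OK"),
    13: (("L", "H2"), "CM"),
    14: (("L", "H1"), "CM"),
    15: (("L", "CS"), "OK"),
    16: (("L", "CS", "H2"), "CM"),
    17: (("L", "CS", "H1"), "CM"),
    18: (("L", "CS", "CV"), "CM"),
    19: (("L", "P1"), "CM"),
    20: (("D1",), "CM"),
    21: (("K",), "CM"),
}

# COMMENTS column of the figure: sequence 21 is marked "GO TO ATWS".
TRANSFERS = {21: "ATWS"}


class Result(NamedTuple):
    number: int              # sequence number in Figure 4.4-10
    name: str                # e.g. "S2-CS-OD"
    core: str                # "OK" or "CM"
    transfer: Optional[str]  # tree the sequence transfers to, if any
    not_asked: tuple         # failed top events the tree never questions here


_BY_PATH = {path: number for number, (path, _) in SEQUENCES.items()}
# Every prefix of a listed sequence is a failure branch that exists in the tree.
_BRANCHES = {path[:i] for path in _BY_PATH for i in range(len(path) + 1)}


def classify(failed) -> Result:
    """Walk the tree left to right and return the sequence reached.

    A failed top event only matters if the tree has a failure branch for it
    on the current path; otherwise the question is not asked (for example CV
    when the operator has not depressurized the RCS).
    """
    failed = set(failed)
    unknown = failed - set(HEADINGS)
    if unknown:
        raise ValueError(f"unknown top events: {sorted(unknown)}")
    path = ()
    for heading in HEADINGS:
        if heading in failed and path + (heading,) in _BRANCHES:
            path += (heading,)
    if path not in _BY_PATH:
        raise ValueError(f"path {path} is not a listed sequence")
    number = _BY_PATH[path]
    not_asked = tuple(h for h in HEADINGS if h in failed and h not in path)
    return Result(number, "-".join(("S2",) + path), SEQUENCES[number][1],
                  TRANSFERS.get(number), not_asked)


if __name__ == "__main__":
    for case in [set(), {"CS", "CV"}, {"CS", "OD", "CV"}, {"L", "P1"}, {"K"}]:
        print(sorted(case), "->", classify(case))
```
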

4.4.10 S3 (Very Small LOCA) Event Tree

This section presents and discusses the event tree for the very small LOCA initiating event. This event is identified by the symbol S3 in the event tree. This group of LOCAs includes spontaneous seal LOCAs and very small breaks, with leak sizes equivalent to less than approximately 1/2 inch break.

4.4.10.1 Success Criteria

The success criteria for S3 are shown in Table 4.4-12. They are very similar to the S2 criteria. However, timing considerations due to the impact of the very small leak rate have a significant impact on the recirculation requirements. Heat removal from the RCS by the AFW combined with the containment fan coolers and natural cooling/condensation processes are expected to maintain containment pressure well below the spray actuation point. Containment fan coolers are normally operating and are not isolated until a containment Hi-Hi pressure signal is received. With only the HPI flow draining the RWST, S3 breaks could remain in the injection phase for a long time. If the operator takes action to depressurize the RCS, thus reducing the leak rate from the RCS, the reactor can be depressurized and in cold shutdown long before depletion of RWST inventory forces a switch to recirculation.

4.4.10.2 Discussion of Sequences

The event tree for S3 is shown in Figure 4.4-11. The important functional and phenomenological dependencies as well as general assumptions and limitations are stated in Table 4.4-2.

Sequence 1 represents a completely successful response to the initiator in which all systems function as intended. The reactor protection system successfully scrams the reactor. High pressure injection provides the high pressure initial flow required for continued core cooling. The RCS relief valves reclose if opened, auxiliary feedwater cooling is initiated, the operator depressurizes the RCS, and the residual heat removal (RHR) system is available to provide shutdown cooling. The RHR system at Surry is a separate system (non-safety grade) used for long-term shutdown cooling.

Table 4.4-12 VERY SMALL LOCA SUCCESS CRITERIA SUMMARY INFORMATION

INITIATOR: S3 - Very Small LOCA
REACTOR SUBCRITICALITY: RPS
CORE HEAT REMOVAL, EARLY: 1/3 Charging Pump and 1/3 AFW Pump OR 1/3 Charging Pump and 2 PORVs Opened OR 1/2 MFW Pumps
RCS INTEGRITY: See Comments
CONTAINMENT PRESSURE SUPPRESSION, EARLY: See Comment 5
CORE HEAT REMOVAL, LATE: 1/3 HPR and 1/2 LPR OR Operator Depressurizes RCS and 1/2 RHR OR Operator Depressurizes RCS and 1/2 LPR
CONTAINMENT PRESSURE SUPPRESSION, LATE: 1/2 ISR and SWS to Associated HX OR 1/2 OSR and SWS to Associated HX OR 1/3 AFW and 1/3 HPR and 1/2 LPR
COMMENTS:
1. Failure of RPS transfers to ATWS tree.
2. For S3, if AFW and charging flow are available, the operator can depressurize the RCS and go on closed cycle cooling before the RWST is emptied, thereby eliminating the requirement for recirculation.
3. If containment fan coolers are available it was assumed that spray actuation set point would not be reached.
4. RCS integrity is lost as a result of the initiator.
5. Containment pressure suppression not required in the early time frame.

Figure 4.4-11 Event Tree for S3 - Very Small LOCA

Headings: VERY SMALL LOCA (S3), RPS (K), HPI (D1), RCI (QC), AFW (L), MFW (M), PRV (P), CONT SYS (CS), CORE VULNR TO CD (CV), OPER DPRES (OD), RHR (W3), LPR (H1), HPR (H2)

Sequence             Core   Comments
1.  S3               OK
2.  S3-W3            OK
3.  S3-W3-H1         CM
4.  S3-OD            OK
5.  S3-OD-H2         CM
6.  S3-OD-H1         CM
7.  S3-L             OK
8.  S3-L-H1          CM
9.  S3-L-W3          OK
10. S3-L-W3-H1       CM
11. S3-L-OD          OK
12. S3-L-OD-H2       CM
13. S3-L-OD-H1       CM
14. S3-L-M           OK
15. S3-L-M-H2        CM
16. S3-L-M-H1        CM
17. S3-L-M-CS        OK
18. S3-L-M-CS-H2     CM
19. S3-L-M-CS-H1     CM
20. S3-L-M-CS-CV     CM
21. S3-L-M-P         CM
22. S3-QC                   GO TO S2
23. S3-D1            CM
24. S3-K                    GO TO ATWS

Sequence 2 addresses the case where the residual heat removal system is unavailable and low pressure recirculation cooling is required to provide long term core cooling. If LPR fails (as in Sequence 3), then core damage will result. Sequences 4, 5, and 6 address the cases where the operator does not depressurize the RCS. Continued blowdown leads to RWST depletion, which forces recirculation. Sequence 4 represents successful switch to high pressure recirculation. Sequences 5 and 6 represent core damage due to failure of high and low pressure recirculation.

Sequences 7 through 21 represent all cases in which the primary mode of steam generator feedwater supply is lost. In Sequences 7 through 13, main feedwater supplies steam generator feed flow. These sequences have much the same characteristics as Sequences 1 through 6. Sequences 14 through 21 address the case that both AFW and MFW have been lost. In this instance, it is necessary to establish feed and bleed cooling. Both PORVs must open to allow water to flow from the RCS, to remove decay heat. A single charging pump is required to supply makeup to replenish the PORV discharge. If feed and bleed cooling is lost (Sequence 21), then core damage results. Sequence 14 represents successful feed and bleed cooling followed by long term cooling in the recirculation mode. If either high pressure or low pressure recirculation cooling is lost (as in Sequences 15 and 16), then core damage results.

Sequences 17 through 20 represent the occurrence of a core vulnerable state during successful feed and bleed cooling. A core vulnerable state occurs when containment heat removal fails after core cooling has been established in the feed and bleed mode. Under such circumstances, heat is being transferred from the core to the containment. (A core vulnerable state cannot occur in Sequences 2 through 13 in the event tree because an insufficient amount of hot water is transferred into the containment to cause overpressure.) As a result, the pressure and temperature in the containment rise due to the lost containment heat removal capability. If the containment pressure continues to increase without being mitigated by containment venting or restoration of CHR systems, containment overpressure failure will occur. Events occurring during containment failure could cause ECCS systems to fail, which would lead to core damage. Such a scenario is represented by Sequence 20. Sequence 17 represents containment failure, but the ECCS survives and continues to cool the core. Sequences 18 and 19 represent containment failure together with independent failure of the ECCS (i.e., due to causes other than the containment failure).

Sequence 22 represents the case in which SI flow causes the RCS relief valves to open, and one of the valves fails to reseat. This leads to a larger LOCA size, which requires analysis via the small LOCA event tree (Section 4.4.9). In Sequence 23 the ECCS fails to respond to the LOCA initiating event and to provide the initial high pressure injection flow needed to cool the core. In Sequence 24 the RPS fails to scram the reactor, which transfers to the ATWS event tree for further analysis.

4.4.11 Anticipated Transients Without Scram Event Tree

ATWS events for Surry were evaluated using a special event tree. Sequences with failure to scram were transferred from other event trees to the ATWS tree. This section discusses the ATWS evaluation.

4.4.11.1 ATWS Model Development and Success Criteria Definition

The principal ATWS analytical work which has been used by the industry to determine phenomenological issues and success criteria for Westinghouse plants was published in WCAP-8330. Subsequent ATWS evaluations have produced refinements in some phenomenological areas and have generated more analytical results to support alternate success criteria. The intent of this study was to develop an ATWS model which included all phenomenological issues previously identified and which was based on consensus success criteria. A review was performed of previous ATWS analyses from the following sources:

NUREG-0460 (28)
SECY-83-293 (30)
Zion PRA (8)
Indian Point PRA (11)
Seabrook PRA (9)
Millstone-3 PRA (10)
W Owners Group ATWS Rulemaking Comments
NUREG-1000

Based on this review, the success criteria in Table 4.4-13 were developed. The basis for selecting the success criteria for this study is discussed below.

The document review indicated a significant distinction in success criteria for transients initiated at high power and those initiated from low power. Zion, Indian Point, and Seabrook used 80% as the demarcation line for high and low power, while Millstone and the WOG used 25%. The relationship between power level and pressure rise is not well enough documented in the references to select which power level is appropriate. This study chose 25%, because the initiating event data reviewed in Section 4.3 of this report was correlated to 25%. The final frequency of high power transients calculated for this study is 5.9/yr, which is slightly larger than the value of 3.6/yr used in the WOG comments and 4.0/yr used in SECY-83-293.

Selection of success criteria for this study was based on not allowing RCS pressure to exceed 3200 psi. This value was chosen because it corresponds to stress level C limits of the ASME Code. Peak RCS pressure is related to the value of the reactor's moderator temperature coefficient (MTC) at the time of ATWS. There exists a critical value of MTC, above which there is insufficient negative feedback to maintain RCS pressure below 3200 psi regardless of relief valve operation. For this study, the important parameter is the percent of time the MTC is above the critical value (less negative), rather than the critical MTC value itself. However, it appears the critical MTC value is -7 pcm/°F. Based on the document review, an upper bound value of 0.05 and a lower bound value of 0.001 were selected for the percent of time unfavorable MTC exists. Relating these to the 95th percentiles of a lognormal distribution translates to a mean value of 0.014 with an error factor of 7.

Transients initiated from low power have no restrictions on MTC. Pressure can be maintained below 3200 psi for transients initiated from low power, regardless of MTC, if relief valve opening is successful.
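
The mean of 0.014 and error factor of 7 quoted above for the fraction of time with unfavorable MTC can be reproduced from the two bounds. This is an added example, not a calculation from the report: it assumes the lower and upper bounds are the 5th and 95th percentiles of the lognormal distribution and that the error factor is the ratio of the 95th percentile to the median; the function names are illustrative.

```python
import math
from statistics import NormalDist
from typing import NamedTuple


class Lognormal(NamedTuple):
    median: float        # 50th percentile
    sigma: float         # standard deviation of ln(x)
    mean: float          # arithmetic mean
    error_factor: float  # 95th percentile / median (for coverage = 0.90)


def lognormal_from_bounds(lower: float, upper: float,
                          coverage: float = 0.90) -> Lognormal:
    """Fit a lognormal whose symmetric `coverage` interval is [lower, upper].

    With coverage = 0.90 the bounds are the 5th and 95th percentiles
    (assumption stated in the lead-in).
    """
    if not 0.0 < lower < upper:
        raise ValueError("bounds must satisfy 0 < lower < upper")
    if not 0.0 < coverage < 1.0:
        raise ValueError("coverage must be between 0 and 1")
    z = NormalDist().inv_cdf(0.5 + coverage / 2.0)   # 1.645 for 5th/95th
    mu = (math.log(lower) + math.log(upper)) / 2.0    # ln(median)
    sigma = (math.log(upper) - math.log(lower)) / (2.0 * z)
    return Lognormal(
        median=math.exp(mu),
        sigma=sigma,
        mean=math.exp(mu + sigma ** 2 / 2.0),
        error_factor=math.exp(z * sigma),
    )


def quantile(dist: Lognormal, p: float) -> float:
    """Value below which a fraction p of the distribution lies."""
    return dist.median * math.exp(dist.sigma * NormalDist().inv_cdf(p))


if __name__ == "__main__":
    # Bounds quoted in the text for the fraction of time with unfavorable MTC.
    mtc = lognormal_from_bounds(0.001, 0.05)
    print(f"median={mtc.median:.4f} mean={mtc.mean:.4f} "
          f"error factor={mtc.error_factor:.2f}")
    print(f"5th={quantile(mtc, 0.05):.4f} 95th={quantile(mtc, 0.95):.4f}")
```
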
In addition, NUREG-0460 develops the further discrimination that if MTC is very negative, reactivity feedback is great enough to maintain pressure below 3200 psi, even if multiple relief valves fail to open. Failure of pressure relief under conditions of very low MTC is therefore considered a negligible contributor to core damage. The amount of time a very low MTC exists was taken as 0.5, from NUREG-0460.

Table 4.4-13 ATWS SUCCESS CRITERIA SUMMARY INFORMATION

EVENT: ATWS
REACTOR SUBCRITICALITY: Manual insertion of control rods by operator OR Emergency boration using 1 charging pump, taking suction from Boric Acid Tank, discharging through the charging line and remaining at elevated temperature to maintain subcriticality.
CORE HEAT REMOVAL, EARLY: 2 AFW MDP OR 1 AFW TDP
RCS INTEGRITY: All SRV, PORV must reclose
RCS PRESSURE RELIEF: Turbine Trip OR MSIV Closure AND 3 SRVs OR 2 SRVs and 2 PORVs
COMMENTS:
1. Entry into the ATWS tree assumes the RPS failed.
2. AFW must be supplied to 2 of 3 SG.
3. If MTC < -20 pcm/°F no pressure relief required.
4. If MTC > -7 pcm/°F pressure relief not possible.
5. Turbine trip not required for low power initiators, or if MTC is very low.
6. MTC criteria apply to high power only.

NUREG-0460, SECY-83-293, Zion, Indian Point, Millstone and the WOG comments all required turbine trip for transients from high power in order to prevent core damage. Thus, turbine trip was required for all loss of main feedwater events from high power except when very low MTC exists. Failure to trip the turbine may lead to overcooling of the RCS cold legs, which would add positive reactivity to the core. This would aggravate the ongoing ATWS and lead to overpressurization of the RCS, regardless of the pressure relief capacity that was available. Turbine trip was not required for transients from low power.

Primary pressure relief requires three SRVs. Since PORVs at Surry are approximately 1/2 the capacity of SRVs, two SRVs and two PORVs were also allowed. This relief capacity was sufficient to maintain pressure below 3200 psi, if MTC was below -7 pcm/°F and turbine trip was successful.

Emergency boration and SG inventory makeup were required for all ATWS events, regardless of power level. SG inventory could be supplied by MFW or 700 gpm flow from AFW. These criteria are consistent with the Zion PRA study.

NUREG-0460, Zion, Indian Point, Seabrook and the WOG allow mitigation of stuck open relief valves under certain conditions. SECY-83-293 did not address these failures. This study considered that stuck open relief valves during ATWS would be safely mitigated if HPI was successful. Failure of a PORV or SRV to reclose would lead to a demand for HPR for long term core cooling. HPR would not be required until the RWST was depleted, at which time the reactor would be subcritical due to previous boration. The branch for Q then represents a transfer to the S2 LOCA tree.

4.4.11.2 ATWS Event Tree and Phenomenology

The ATWS event tree is shown in Figure 4.4-12. The headings were developed to include all of the essential phenomenological considerations which were discussed in the previous section. Containment systems were not included on the event tree because ATWS events do not impair the operability of any containment system. Each of the headings on the tree is discussed below.

R - Manual Reactor Trip - This is the first heading on the tree. If the operator manually scrams the reactor, ATWS is over and there are no further unique mitigative requirements. Manual reactor scram must occur within one minute. It is accomplished by opening the reactor trip breakers. This can be done by de-energizing the shunt trip from the control room or removing power at the motor-generator set.

PL - Power Level - This heading does not represent an action or a system failure, but is a logic model convenience to delineate different success criteria for the high and low power condition.

Z - Moderator Temperature Coefficient - As with the power level heading, this is a logic model convenience to delineate the three conditions of MTC. The use of two headings, Z1 and Z, separates the tree into three regimes. Z1 is very low moderator temperature coefficient (less than -20 pcm/°F) and Z is unfavorable MTC (greater than -7 pcm/°F).

T - Turbine Trip - This heading identifies the requirement to trip the turbine within one minute of the initiating event.

P2 - Primary Pressure Relief - This heading identifies the need for the SRVs and PORVs to open to maintain pressure below 3200 psi.

L2 - AFW - This heading represents a requirement for SG inventory makeup. This can be met by enhanced AFW. No credit was given for MFW following ATWS.

Q - RVC - This requirement is for all relief valves to reclose after the initial pressure spike subsides. If a PORV or SRV fails to reclose, it causes a requirement for HPI flow from SI or charging pumps.

D4/D2 - HPI - This heading represents the need for emergency boration, using the HPI pumps and boric acid transfer pumps (D4). D2 is required for those sequences where a relief valve has failed to reclose. Success of HPI, drawing suction from the RWST, will provide subcriticality as well as inventory makeup.

Figure 4.4-12 Event Tree for TK - Anticipated Transient Without Scram

Headings: ATWS (TK), MRT (R), PWR LEVEL (PL), MTC LOW (Z1), MTC UNF (Z), TBT (T), PRV (P2), AFW (L2), RCV (Q), HPI (D4)

Sequence             Core   Comments
1.  TK               OK
2.  TK-R             OK
3.  TK-R-D4          CM
4.  TK-R-Q           OK     GO TO S2
5.  TK-R-Q-D4        CM
6.  TK-R-L2          CM
7.  TK-R-P2          CM
8.  TK-R-T           CM
9.  TK-R-Z           CM
10. TK-R-Z1          OK
11. TK-R-Z1-D4       CM
12. TK-R-Z1-Q        OK     GO TO S2
13. TK-R-Z1-Q-D4     CM
14. TK-R-Z1-L2       CM
15. TK-R-PL          OK
16. TK-R-PL-D4       CM
17. TK-R-PL-Q        OK     GO TO S2
18. TK-R-PL-Q-D4     CM
19. TK-R-PL-L2       CM
20. TK-R-PL-P2       CM

4.4.11.3 ATWS Sequences

Sequence 1 represents the case in which the operator responds to ATWS and is able to manually trip the reactor. If this cannot be accomplished, then the remaining sequences in the event tree address the possible alternative responses of the plant to such a situation.

Sequence 2 represents failure to effect manual scram, almost entirely due to mechanical failures of the reactor protection system which cannot be mitigated by manual scram. Sequence 2 is from high power with MTC in a high, but mitigable range. Turbine trip occurs, either manually or due to circuitry that was not failed by the ATWS initiator. Turbine trip prevents overcooling and thus does not exacerbate the existing reactivity imbalance. Primary pressure increases to the point where PORVs and SVs are demanded. Sequence 2 represents successful opening of sufficient relief valves to maintain pressure below 3200 psi. Auxiliary feedwater starts and maintains SG water levels. Emergency boration is successful in establishing subcriticality and all relief valves reclose after the pressure subsides. The sequence ends in stable hot shutdown with the reactor subcritical on boron.

In Sequence 3, emergency boration is not successful. The reactor remains pressurized at some value higher than the RV set points. Continued power generation maintains this pressure and causes continued discharge through the relief valves. Due to the elevated primary pressure, the charging pumps cannot maintain RCS inventory, thus leading to degraded core cooling and core damage.

Sequence 4 represents failure of the safety relief valves or PORVs to reclose, after boration has been successful. Although subcriticality is achieved in this sequence, there remains a continual need for coolant makeup. This sequence transfers to the S2 tree for evaluation of HPR, LPR, and containment systems. Sequence 5 leads to core damage in a similar manner to Sequence 3.

Sequence 6 represents failure of enhanced AFW. Loss of steam generator heat removal will cause the primary pressure to increase above 3200 psi in spite of successful relief valve opening. The continued maintenance of pressure above the shutoff head of the charging pumps will prevent boron injection. Unreplaced loss of inventory will lead to core damage.

Sequence 7 represents insufficient pressure relief in the RCS. Primary pressure will exceed 3200 psi. Potential outcomes of this sequence are a LOCA caused elsewhere due to the pressure and plastic deformation of the check valves on the injection lines, thereby preventing any inventory makeup.

Sequence 8 is failure of turbine trip. The resultant overcooling will add reactivity to the core, thus aggravating the existing reactivity balance. Sequence 9 represents those small percentages of times that the core parameters (MTC) are such that ATWS cannot be mitigated at all.

Sequences 10 through 14 represent the percentage of time that MTC is so low that turbine trip and relief valve operation are not necessary to control primary pressure below 3200 psi. Emergency boration and AFW are required, just as in Sequences 2 through 5. Sequences 15 through 20 represent ATWS initiated from low power, thereby eliminating the concern about MTC and turbine trip. Sequences 15 through 20 are similar to 2 through 7.
4.5 Plant Damage State Definition

The process by which initiating events were identified and grouped is described in Section 4.3, and the initiators used in this study are listed in Table 4.3-1. Section 4.4 discussed the first stage of the two stage event tree analysis process. The first stage identified the dominant event sequences that lead to core damage. This section discusses the second stage of the event tree analysis process, the plant damage state fication. This stage delineates the dominant core damage sequences into plant damage states (PDSs).

The plant damage state analysis for this study involved the identification of detailed PDS categories using a seven-state indicator. The resultant number of plant damage states, using the seven state indicators, was inefficient and cumbersome for the containment event tree quantification process. Therefore, the seven state indicators were grouped into a more manageable number of entities, called plant damage state groups. The frequencies of the seven state indicators were used to calculate split fractions which were used in the containment event tree quantification.

An overview of the plant damage state analysis is presented in Section 4.5.1, followed in Section 4.5.2 by descriptions of the seven indicators used to define the plant damage states. The PDS analyses for the dominant core damage sequences are described in Section 4.5.3. The final grouping into seven plant damage state groups is discussed in Section 4.5.4.

4.5.1 Event Tree/Plant Damage State Analysis Process

The event trees developed in Section 4.4 generate the first part of the information needed to assess the severity of accident consequences, namely, whether or not core damage occurs. Core damage is the most significant mechanism for releasing radionuclides from the core. The safety implications of non-core-damage accidents are negligible by comparison.

The event trees shown in Section 4.5.3 generate the second part of the information needed to assess the severity of accident consequences, namely, the degree to which the containment systems remain operable as a means of preventing or reducing the amount of radionuclide release following a core damage condition.

The event trees developed in Section 4.4 include only those events and systems needed to determine whether or not the accident sequences would lead to core damage, whether by direct or indirect means. This consideration was particularly important with respect to the containment systems. It was recognized that failures of containment systems can put the plant in a core vulnerable state in which it is possible, under certain circumstances, for core damage to be caused indirectly as a consequence of the containment failures. However, under such conditions, it is not necessary to know which containment system (or which combination of containment systems) failed, only that some form of failure occurred.

Thus, the status of the containment systems was simplified for the stage one event tree analysis by using only a single top event, CS, to track all forms of containment heat removal failure. Additional event tree headings were added to further delineate containment spray and containment heat removal systems. For those cases where the existing fault tree structure was not sufficient to distinctly identify a unique PDS, split fractions were developed through individual analysis of the fault trees for those systems in question. Thus, top events for the following containment systems had to be specified.
C    Containment spray system (CSS)
F1   Inside spray recirculation (ISR)
F2   Outside spray recirculation (OSR)

4.5.2 Definitions of the Plant Damage State Indicators

A total of seven indicators were used to identify a plant damage state. The seven indicators address the following issues:

Status of RCS at onset of core damage
Status of ECCS
Status of containment heat removal capability
Status of AC power
RWST injection capability
Steam generator heat removal capability
Status of RCP seal cooling

An eighth indicator was originally used to indicate the status of containment isolation. However, the analysis of containment isolation failure showed it to be independent of events in the core damage sequences. This indicator was eliminated and status of containment isolation is entered directly on the containment event tree as an independent event. Each of these indicators is discussed below, in the order in which they appear in the individual PDS designators.

1) Status of RCS at Onset of Core Damage

For the purposes of containment analysis, it is important to know the pressure of the reactor coolant system and its integrity at the time of vessel failure. The vessel failure referred to is that caused by the onset of core damage. The expected RCS pressure was related to RCS integrity in this analysis. Eight categories of the RCS integrity status were identified and related to the initiating events, as shown in Table 4.5-1. It should be pointed out that, although the first character in the PDS designator is commonly referred to as the initiating event, the way that it was used in the containment event tree (CET) analysis is to indicate the integrity of the RCS at the onset of core damage. Hence, the first character in the PDS designator may differ from the sequence initiating event. For example, if the initiating event is a transient such as a loss of offsite power, and if an RCP seal failure occurs before the onset of core damage, then the CET would treat this case as a small break in classifying the status of the RCS.

2) Status of ECCS

Another key indicator for the containment analysis is the past and present status of high and low pressure injection or recirculation cooling. Five categories were identified relative to the ECCS, as shown in Table 4.5-1.
Table 4.5-1 Category Definitions for PDS Indicators

1. Status of RCS at Onset of Core Damage
   T    no break (transient)
   A    large LOCA (6" to 29")
   S1   medium LOCA (2" to 6")
   S2   small LOCA (1/2" to 2")
   S3   very small LOCA (less than 1/2")
   G    steam generator tube rupture with SG integrity
   H    steam generator tube rupture without SG integrity
   V    interfacing LOCA

2. Status of ECCS
   I    operated in injection only
   B    operated in injection, now operating in recirculation
   R    not operating, but recoverable
   N    not operating and not recoverable
   L    HPI failed, but LPI operable if pressure is reduced

3. Status of Containment Heat Removal Capability
   Y    operating or operable if/when needed
   R    not operating, but recoverable
   N    never operated, not recoverable
   S    sprays operable, but no CHR (no SW to HXs)

4. Status of AC Power
   Y    available
   R    not available, but recoverable
   N    not available, not recoverable

5. RWST Injection Capability
   Y    fully injected into containment
   R    not fully injected, but could be injected with power recovery
   N    not fully injected, cannot be injected in future

6. Steam Generator Heat Removal Capability
   X    at least one AFWS operating, SGs not depressurized
   Y    at least one AFWS operating, SGs depressurized
   C    steam driven pump operated until battery depletion, electric driven pump recoverable with power recovery -- SGs not depressurized
   D    steam driven pump operated until battery depletion, electric driven pump recoverable with power recovery -- SGs depressurized
   S    steam driven pump failed at beginning, electric driven pump recoverable with power recovery
   N    no AFWS operating, no AFWS recoverable

7. Status of RCP Seal Cooling
   Y    operating
   R    not operating, but recoverable
   N    not operating and not recoverable
3) Status of Containment Heat Removal Capability

The third key indicator for containment analysis is whether or not containment heat removal is available. For plant damage state definition, this was defined to be the availability of at least one recirculation spray train, with service water being supplied to the heat exchanger. The alternate means of containment heat removal (via AFW) included in the first stage event tree analysis would not be available after vessel failure. Four categories were used for this indicator. For this indicator it was not necessarily possible to identify a unique state from the sequence outcome. Split fractions were developed to partition containment failure states into PD states.

4) Status of AC Power

The fourth key indicator identified for the containment analysis is to know whether or not the AC power needed for safety systems is available. Two status categories were identified for this indicator.

5) RWST Injection Capability

Another key indicator for the containment analysis is to know whether or not the reactor cavity is full of water. After comparing the RCS volume with the cavity volume, it was determined that, in order to assure that the cavity is full of water, the RWST must be fully injected into the containment. That is, no partial credit was taken for RWST injection. Three categories were identified for this indicator.

6) Steam Generator Heat Removal Capability

The sixth key indicator for containment analysis is knowing the status of the AFW system and its ability to provide steam generator heat removal. Six status categories were used for this indicator.

7) Status of RCP Seal Cooling

The last key indicator concerns the availability of cooling to the RCS pump seals, which provides a direct measure of the ability to preserve the reactor coolant pressure boundary at the reactor coolant pump seals. Three status categories were used for this indicator.
The status categories identified for each of the seven PDS indicators are listed in Table 4.5-1. Considering the number of choices for each of the seven PDS indicators, there are potentially 25,920 different plant damage states. Even if it is estimated that half of those are logically impossible or null sets, this leaves a total of about 12,000 admissible plant damage states. Rather than attempting to estimate the frequency for each of the approximately 12,000 PDSs, the approach taken was to partition all core damage sequences greater than 1E-7/yr to the appropriate plant damage state. All PDSs with frequencies greater than 1E-7/yr were retained for containment event tree analysis. PDSs with frequencies between 1E-9/yr and 1E-7/yr were compared to the PDSs above 1E-7. If any PDS between 1E-9 and 1E-7 represented a substantially more severe containment state than any of the PDSs above 1E-7/yr, it was retained for further analysis. The results were also checked to be sure that the total resultant PDS frequency compares to the total core damage frequency.
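The designator scheme and the frequency screening described above can be exercised in a short script. This is an added example, not code from the report: the function names are hypothetical, the category descriptions are abbreviated from Table 4.5-1, the sample frequencies are constructed, and the label for PDSs below 1E-9/yr is an assumption because the text does not say how they were treated.

```python
import re
from math import prod

# Category codes from Table 4.5-1, in designator order (descriptions abbreviated).
INDICATORS = [
    ("rcs", {"T": "no break (transient)", "A": "large LOCA",
             "S1": "medium LOCA", "S2": "small LOCA", "S3": "very small LOCA",
             "G": "SGTR with SG integrity", "H": "SGTR without SG integrity",
             "V": "interfacing LOCA"}),
    ("eccs", {"I": "operated in injection only",
              "B": "operated in injection, now operating in recirculation",
              "R": "not operating, but recoverable",
              "N": "not operating and not recoverable",
              "L": "HPI failed, but LPI operable if pressure is reduced"}),
    ("chr", {"Y": "operating or operable if/when needed",
             "R": "not operating, but recoverable",
             "N": "never operated, not recoverable",
             "S": "sprays operable, but no CHR"}),
    ("ac", {"Y": "available", "R": "not available, but recoverable",
            "N": "not available, not recoverable"}),
    ("rwst", {"Y": "fully injected into containment",
              "R": "not fully injected, injectable with power recovery",
              "N": "not fully injected, cannot be injected in future"}),
    ("sg", {"X": "AFWS operating, SGs not depressurized",
            "Y": "AFWS operating, SGs depressurized",
            "C": "AFW until battery depletion, SGs not depressurized",
            "D": "AFW until battery depletion, SGs depressurized",
            "S": "steam driven pump failed at beginning",
            "N": "no AFWS operating, no AFWS recoverable"}),
    ("seal", {"Y": "operating", "R": "not operating, but recoverable",
              "N": "not operating and not recoverable"}),
]

# The RCS code is one or two characters; the other six are one character each,
# with a hyphen after the fourth indicator (e.g. S3RRR-RDR).
_DESIGNATOR = re.compile(
    r"^(S[123]|[A-Z])([A-Z])([A-Z])([A-Z])-([A-Z])([A-Z])([A-Z])$")

RETAIN_ABOVE = 1e-7  # per year: retained for containment event tree analysis
REVIEW_ABOVE = 1e-9  # per year: lower edge of the band compared for severity


def decode_pds(designator):
    """Return {indicator: (code, meaning)} or raise ValueError."""
    match = _DESIGNATOR.match(designator.strip().upper())
    if match is None:
        raise ValueError(f"not a seven-indicator PDS designator: {designator!r}")
    decoded = {}
    for (name, categories), code in zip(INDICATORS, match.groups()):
        if code not in categories:
            raise ValueError(f"{designator!r}: {code!r} is not a {name} category")
        decoded[name] = (code, categories[code])
    return decoded


def potential_state_count():
    """Product of the category counts, i.e. every combination of the codes."""
    return prod(len(categories) for _, categories in INDICATORS)


def screen(pds_frequencies):
    """Sort {designator: frequency per year} into the bands the text describes."""
    bands = {"retained": [], "severity_review": [], "below_review_band": []}
    ranked = sorted(pds_frequencies.items(), key=lambda item: item[1], reverse=True)
    for designator, frequency in ranked:
        decode_pds(designator)  # reject malformed designators before binning
        if frequency > RETAIN_ABOVE:
            bands["retained"].append(designator)
        elif frequency >= REVIEW_ABOVE:
            # Kept only if judged substantially more severe than a retained PDS;
            # that comparison is an analyst judgment and is not automated here.
            bands["severity_review"].append(designator)
        else:
            # Assumed label: the text does not describe this band.
            bands["below_review_band"].append(designator)
    return bands


# Constructed frequencies for illustration; these are not results from the report.
SAMPLE_FREQUENCIES = {"TRRR-RSR": 3.0e-6, "S3RRR-RDR": 4.0e-7,
                      "HINY-NXY": 5.0e-8, "ANNY-NYN": 2.0e-10}

if __name__ == "__main__":
    print(potential_state_count())
    for name, (code, meaning) in decode_pds("S3RRR-RDR").items():
        print(f"{name:5s} {code:2s} {meaning}")
    print(screen(SAMPLE_FREQUENCIES))
```

The category counts 8 x 5 x 4 x 3 x 3 x 6 x 3 reproduce the 25,920 figure only when AC power is counted with the three categories listed in Table 4.5-1.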
4.5.3 Plant Damage State Analysis

This section describes the plant damage state analysis of each sequence. There were 37 individual core damage sequences with point estimate frequency above 1E-7/yr after recovery actions were included. Each of these was delineated into plant damage states. The 37 sequences and their point (not mean value) estimate frequencies are shown in Table 4.5-2. The distribution of sequences amongst initiator types is shown in Table 4.5-3.

Because there are no non-SBO T1 events in the dominant sequences, a bridge tree was not developed for T1. There are 17 station blackout sequences above 1E-7/yr. Eleven of them involve one unit station blackout and six involve a dual unit station blackout. A bridge tree was not necessary for blackout sequences because all containment systems are inoperable. PDS initiators could be assigned by inspection of the cut sets and selection of the appropriate indicators. The bridge trees are shown as a formality in Figures 4.5-1 and 4.5-2. The dominant core damage sequences are indicated on the event tree and assigned to plant damage states as shown.

The two dominant T2 sequences are T2LD2 and T2LP. The containment response tree for T2 is shown in Figure 4.5-3. It is similar to the core damage tree except that event CS has been expanded into three headings to delineate operability of individual containment systems. The dominant plant damage states for these two sequences are shown on the event tree.

There are five dominant T7 sequences. The containment response tree for T7 is shown in Figure 4.5-4. It is similar to the core damage tree except that event CS has been expanded into three headings to delineate the operability of containment systems. The T7ODQS and T7ODQQS sequences represent loss of steam generator integrity, which violates containment for these sequences. Questions of containment integrity were therefore not asked for these sequences. They were assigned to a single plant damage state without further delineation of containment system operability. The PDS delineation of the other sequences to their dominant states is shown in Figure 4.5-4.

There are three dominant large LOCA sequences. They are AD5, AH1, and AD6. The containment response tree is shown in Figure 4.5-5. It is similar to the core damage tree except that event CS has been expanded into three headings to delineate operability of individual containment systems. The dominant plant damage states for these three sequences are shown on the event tree.

Table 4.5-2 Surry Dominant Sequence Point Estimate Frequency

Accident Sequence      Annual Frequency (Per Rx-Yr)   Percent of Total
T1S1-NR7               5.2E-06                        15.6%
T1S1-QS-L              3.7E-06                        11.1%
T1S1-W2-SL-NRS         2.7E-06                         8.1%
T1S1-QS-NR7            1.9E-06                         5.7%
T1SB-SL-NRS            1.8E-06                         5.4%
T1S1-Q-NR1             1.4E-06                         4.2%
T7-OD-QS               1.4E-06                         4.2%
S1-H1                  1.3E-06                         3.9%
V                      1.2E-06                         3.6%
T1S1-QS-W2-SL-NRS      1.1E-06                         3.3%
S1-D6                  9.4E-07                         2.8%
A-D5                   8.5E-07                         2.5%
TK-R-Z                 8.4E-07                         2.5%
S1-D1                  8.1E-07                         2.4%
T2-L-P                 7.7E-07                         2.3%
T2-L-D2                7.2E-07                         2.1%
T1SB-QS-SL-NRS         7.1E-07                         2.1%
A-H1                   6.7E-07                         2.0%
S3-D1                  6.3E-07                         1.9%
TK-R-D4                5.6E-07                         1.7%
T1S1-Q-QS-NR1          5.1E-07                         1.5%
A-D6                   4.7E-07                         1.4%
S2-D1                  4.3E-07                         1.3%
T1SB-QS-L              3.SE-07                         1.1%
T1S1-L                 3.SE-07                         1.1%
T1S1-W2-NR7            3.0E-07                         0.9%
T1SB-Q-NR1             2.6E-07                         0.8%
T1SB-L                 2.5E-07                         0.7%
T1SB-NR7               2.0E-07                         0.6%
T7-D1-OD               1.9E-07                         0.6%
T1S1-W2-OD-SL-NRS      1.5E-07                         0.4%
T5A-L-P                1.4E-07                         0.4%
T5B-L-P                1.4E-07                         0.4%
T1S1-QS-W2-NR7         1.2E-07                         0.4%
T7-OD-Q-QS             1.2E-07                         0.4%
T7-K                   1.0E-07                         0.3%
T7-L3                  1.0E-07                         0.3%

Total Core Damage Frequency   3.3E-05

Note: The individual and total frequencies listed are sequence point estimates developed using the propagation of event mean values and are not sequence mean values.

Table 4.5-3 Sources of Dominant Core Damage Sequences

Initiating Event   Description                                  Number of Dominant Core Damage Sequences
T1                 Loss of offsite power with an operable DG     0
T1S1               Unit 1 station blackout (SBO)                11
T1SB               Unit 1 and Unit 2 SBO                         6
T2                 Loss MFW                                      2
T3                 Turbine Trip                                  0
T5                 Loss DC Bus                                   2
T7                 SGTR                                          5
A                  Large LOCA                                    3
S1                 Medium LOCA                                   3
S2                 Small LOCA                                    1
S3                 Very Small LOCA                               1
TK                 ATWS                                          2
V                  Interfacing LOCA                              1
Total                                                           37

Figure 4.5-1 Bridge Tree for T1S - Station Blackout for Unit 1
[Event tree figure. Headings: SBO AT UNIT 1; NRAC-HALF HOUR; RCI; SGI; AFW; NRAC-ONE HOUR; SEAL COOL FM U2; OPER. DPRES; RCP SEAL LOCA; NRAC-SEAL LOCA; NRAC-SEVEN HOURS. 25 sequences, each ending in OK or core damage (CM). Plant damage states shown: TRRR-RDY, TRRR-RDR, S3RRR-RDR, TRRR-RCR, S3RRR-RCR, TRRR-RSR, S2RRR-RCR, S2RRR-RDR.]

Figure 4.5-2 Bridge Tree for T1S - Station Blackout at Both Units
[Event tree figure. Headings: SBO BOTH UNITS; NRAC-HALF HOUR; RCI; SGI; AFW; NRAC-ONE HOUR; OPER. DPRES; RCP SEAL LOCA; NRAC-SEAL LOCA; NRAC-SEVEN HOURS. 21 sequences, each ending in OK or core damage (CM). Plant damage states shown: TRRR-RDR, S3RRR-RDR, TRRR-RCR, S3RRR-RCR, TRRR-RSR, S2RRR-RCR, S2RRR-RDR.]

Figure 4.5-3 Bridge Tree for T2 - Loss of Main Feedwater
[Event tree figure. Headings: LOSS OF MFW; RPS; RCI; AFW; SIF; CCW; HPI; PRV; CSS; ISR; OSR; CORE VULNR TO CD; LPR; HPR. 28 sequences. Plant damage states shown: T2-L-P: TBYY-YNY; T2-L-D2: TLYY-YNY.]

Table 4.5-4 Bridge Tree for T7 - Steam Generator Tube Rupture
[Event tree figure. Headings: SGTR; RPS; HPI; AFW; CSS; ISR; OSR; OPER. DPRES; RCI; SGI; LPR; HPR. 23 sequences. Plant damage states shown: T7-OD-QS: HINY-NXY; T7-OD-Q-QS: HINY-YXY; T7-L3: GLYY-YNY; T7-D1-OD: GLYY-YXY; T7-K: GLYY-YXY.]

Figure 4.5-5 Bridge Tree for A - Large LOCA
[Event tree figure. Headings: LARGE LOCA; ACC; LPI; CSS; ISR; OSR; CORE VULNR TO CD; LPR. 21 sequences. Plant damage states shown: AIYY-YYN, AINY-YYN, ANYY-YYN, ANNY-NYN, ALYY-YYY.]

There are three dominant intermediate LOCA sequences. They are S1D1, S1H1, and S1D6. The containment response tree is shown in Figure 4.5-6. It is similar to the core damage tree except that event CS has been expanded into three headings to delineate operability of individual containment systems. The dominant plant damage states for those three sequences are shown on the event tree.

S2D1 is the only dominant small LOCA sequence. The containment response tree for S2 is shown in Figure 4.5-7. It is similar to the core damage tree except that event CS has been expanded into three headings to delineate operability of individual containment systems. The dominant plant damage states for S2D1 are shown on the event tree.

S3D1 is the only dominant sequence for the S3 initiating event category. The containment response tree is shown in Figure 4.5-8. It is similar to the core damage tree except that event CS has been expanded into three headings to delineate operability of individual containment systems. The dominant plant damage states for S3D1 are shown on the event tree.

There are two dominant ATWS sequences. They are TKRD4 and TKRZ, where T is a combined transient initiator. A containment response tree for ATWS was not necessary in order to evaluate plant damage states. The failures which lead to core damage during ATWS are independent of the containment systems. Containment system failure can be evaluated independently from the core damage sequence evaluation.

4.5.4 Regrouping of Plant Damage States

The individual plant damage states were placed into seven plant damage state groups in order to facilitate the quantification of the containment event tree. The grouping of the PDSs is shown in Table 4.5-4.

PDS Group 1 consists of six Slow Blackout PDSs. In these accidents, offsite power is lost and the diesel generators fail to start or run. The steam-turbine-driven AFW pump is available until the batteries are depleted, thus failing power for instruments and controls. Battery depletion is estimated to take about 4 hours. For some sequences in Group 1, the RCP seals may fail or the PORVs may stick open. Thus, the six PDSs in this group have the RCS in different conditions when core damage begins. In two of the PDSs in this group, the RCS is intact at the time of core uncovering. Another two of the PDSs have S3-size breaks (failures of the reactor coolant pump seals), and the final two PDSs in this group have S2-size breaks (stuck-open PORVs). The difference between the two "T" PDSs in Group 1 is whether there is cooling to the RCP seals. The difference between the two "S3" PDSs is whether the secondary system is depressurized before the core uncovers and while the AFW is operating.

PDS Group 3 consists solely of TRRR-RSR - Fast Blackout. In this accident, auxiliary feedwater fails to start and run. The dominant failures occur early in the sequence, thus the "fast" blackout nomenclature. Core damage occurs before the RCP seals are likely to fail.

PDS Group 2 consists of seven LOCA PDSs. Four of the PDSs have an A-size break, and two of the PDSs have an S1-size break. There is one PDS with an S2-size break and one PDS with an S3-size break. Four of the PDSs in this group have the LPIS operating.
In PDS ALYY-YYY, the accumulators have failed and the LPIS is operating successfully (all trains). For an A break, the success criteria require both accumulator injection and LPIS operation. Thus, even though the RCS pressure is low and the LPIS is injecting water successfully, core damage has been assumed. In PDS S1LYY-YYY, HPIS has failed and the LPIS is operating successfully (all trains). For an S1 break, the success criteria require HPI early in the accident and LPIS operation later. In this PDS also, the RCS pressure is low and the LPIS is injecting water successfully, but core damage has been assumed since the success criteria have not been met. In PDS S2LYY-YYY and S3LYY-YYY, the break does not depressurize the RCS enough to allow LPI. Thus the accident will progress to vessel failure at a pressure too high to allow LPI unless a large induced break occurs or the primary system is deliberately depressurized.

Figure 4.5-6 Bridge Tree for S1 - Medium LOCA
[Event tree figure. Headings: MED LOCA; HPI; ACC; CSS; ISR; OSR; CORE VULNR TO CD; LPI; LPR. 22 sequences. Plant damage states shown: S1IYY-YYN, S1NYY-YYN, S1INY-YYN, S1LYY-YYN, S1LNY-NYN.]

Figure 4.5-7 Bridge Tree for S2 - Small LOCA
[Event tree figure. Headings: SMALL LOCA; RPS; HPI; AFW; PRV; CSS; ISR; OSR; OPER DPRES; CORE VULNR TO CD; LPR; HPR. 45 sequences; S2-K transfers to ATWS. Plant damage states shown: S2INY-YYN, S2LYY-YYN, S2LNY-NYN.]

Figure 4.5-8 Bridge Tree for S3 - Very Small LOCA
[Event tree figure. Headings: VERY SMALL LOCA; RPS; HPI; RCI; AFW; MFW; PRV; CSS; ISR; OSR; CORE VULNR TO CD; OPER DPRES; RHR; LPR; HPR. 32 sequences; S3-QC transfers to S2 and S3-K transfers to ATWS. Plant damage states shown: S3LYY-YYN, S3LNY-NYN.]

Table 4.5-4 Plant Damage State Groups for Surry

Group Number   Group Name      Plant Damage States
1              Slow Blackout   TRRR-RDY, S3RRR-RDR, S2RRR-RDR, TRRR-RDR, S2RRR-RCR, S3RRR-RCR
2              LOCAs           S1IYY-YYN, S1NYY-YYN, AIYY-YYN, S1LYY-YYN, ALYY-YYY, S3LYY-YYN, S2LYY-YYN, ANYY-YYN
3              Fast Blackout   TRRR-RSR
4              Event V         V
5              Transients      TBYY-YNY, TLYY-YNY
6              ATWS            S3NYY-YXN, TLYY-YXY, GLYY-YXY
7              SGTRs           HINY-NXY, GLYY-YXY, GLYY-YNY, HINY-YXY

Group 4 consists solely of Event V. This is a large break in low pressure piping following the failure of the two check valves that isolate the low pressure piping from the RCS. The break is outside containment in the auxiliary building, so the break both fails the RCS pressure boundary and bypasses the containment.

Group 5 consists of two PDSs that have failure of both AFW and bleed and feed. This PDS group is called Transients. In PDS TBYY-YNY, both LPI and HPI are available and the PORVs are not opened. In PDS TLYY-YNY, only LPI is available. All AFW is failed and bleed and feed is not possible because the HPIS is failed. As all sources of feedwater are lost, it is not possible to depressurize the RCS. Some plants have procedures for emergency feed of the steam generators using fire water. These efforts were given little chance of success for two reasons. First, many of the failures contributing to the sequence are operator errors, thus compounding the probability of subsequent errors. Secondly, the timing of the sequence leaves very little time to establish fire water to the SG, given previous failed attempts to restore feedwater and establish feed and bleed.
tion of these two factors resulted in not allowing credit for further recovery from these sequences.
Similarly, no credit was given for depressurizing the RCS after the onset of core damage in PDS Group 5. Since there is RCP seal cooling and SGTRs are not very likely, the only effective means of depressurizing the RCS are the PORVs/SRVs sticking open or the failure of the hot leg/surge line. If the RCS pressure decreases to the low range, the LPIS will inject.

Group 6 contains the three ATWS PDSs. They differ in the status of the RCS at the time the core uncovers, whether the ECCS worked in the injection phase, and in whether cooling for the RCP seals is operating or failed. In this group also, the LPIS is available in some of the PDSs, and will inject if the RCS reaches low pressure.

Group 7 consists of three PDSs that are initiated by SGTRs and which do not have scram failures. HINY-NXY is an SGTR with stuck-open SRVs in the secondary system. GIYY-YNY has the RCS PORVs open, since the operators are attempting to keep the core cooled by feed and bleed. It might have been denoted (G-S2) IYY-RNYY. HINY-NXY has no RWST water being injected into the containment. In the other two PDSs, while some of the water lost from the RCS goes out of the containment through the SGTR, much more water is lost out of the PORVs and eventually into the containment.

4.6 System Analysis

The approach used to perform the system analysis was previously described in Section 4.2. Section 4.6.1 provides an introduction into the modeling of the systems performed in the Surry analysis, the general groundrules used in the construction of the fault trees, and the nomenclature used in the analysis. Sections 4.6.2 through 4.6.19 describe the modeling effort for each system. These subsections contain a system description, identification of interfaces and dependencies, a discussion of operational constraints, a description of the models developed, specific assumptions used in modeling, and a discussion of the operational experience for each of the systems. The systems which were modeled in the Surry study are shown in Table 4.6-1.

4.6.1 System Modeling and Scope

System models were developed for each of the Unit 1 front line systems identified in the event tree headings and for all support systems required to operate these front line systems. Actuation systems, power conversion systems, and some Unit 2 systems were modeled by means of Boolean expressions which were incorporated into the sequence analysis at the appropriate levels. Fault tree models were constructed for all of the fluid delivery systems. Fault tree models were developed with top events corresponding to the success criteria used in the event tree analysis. Some systems have different success criteria in different circumstances, and hence different top events. In general, only Unit 1 systems were modeled. Some Unit 2 systems were modeled for use in the Station Blackout sequences.

Modeling of the systems was performed at the component level. Electrical power dependencies were developed to the motor control center level. Common cause failures were included in the fault trees (see Section 4.7). Operator actions were included in the fault trees for isolated actions related to operation of a single system.

Throughout the system analysis process, groundrules and assumptions were made. Assumptions about a specific system are provided in the specific system write-ups. The following general groundrules apply throughout the system analysis:

1. Control power (for closing breakers) for pumps is from the DC bus associated with the AC motive power bus, i.e., DC control power for pumps powered from the 1H buses is from DC Bus 1A and for pumps powered from the 1J buses is from DC Bus 1B.
2. All control power for AC motor operated valves is supplied via a step-down transformer directly from the valve's motive power source.
3. For the purpose of calculating failure probabilities, pump and valve breakers and control circuits are assumed to be part of the component. Failure probabilities for "command faults" are included in the basic component failure rates.
4. Flow diversion through pathways less than one-third of the original pipe size is not considered to result in system functional failure, for open systems.
5. Room cooling and component cooling requirements were evaluated for the systems analyzed. None of the systems required room cooling for success.
Table 4.6-1 Systems Included in the Surry System Analysis
SYSTEM | TYPE OF MODEL | COMMENTS
Accumulators | Fault Tree | Two top events modeled.
Auxiliary Feedwater | Fault Tree/Boolean Expression | Three top events modeled. Unit 2 was modeled as a Boolean equation for station blackout sequences.
Charging Pump Cooling | Fault Tree | Three top events modeled for the three interfaces with the HPI/HPR fault trees.
Component Cooling Water | Fault Tree/Boolean Expression | One top event modeled. Fault tree only includes those portions of the Unit 1 CCW system necessary to provide cooling flow to the RCP thermal barriers and RHR system. A Boolean expression was developed for the Unit 2 CCW system.
Consequence Limiting Control | Boolean Expression | Two events modeled. Boolean expressions were developed to model CLCS dependencies on power. Generic failure data used on train level.
Containment Spray | Fault Tree | One top event modeled.
Emergency Power | Fault Tree | Sixteen events modeled for the interfaces with other front line and support systems. The power interfaces of components were modeled to the 480 VAC motor control center and 125 VDC bus level in the front line and support system fault trees.
High Pressure Injection/Recirculation | Fault Tree/Boolean Expression | Four top events modeled for injection supplied from Unit 1. One top event modeled for recirculation from Unit 1. Unit 2 supply to the RCP seals was modeled as a Boolean equation.
Inside Spray Recirculation | Fault Tree | One top event modeled.
Low Pressure Injection/Recirculation | Fault Tree | One top event modeled for injection. Two top events modeled for recirculation.
Outside Spray Recirculation | Fault Tree | One top event modeled.
Power Conversion: | |
  Main Feedwater | "Black Box" Model | One top event modeled. Surry has electric driven MFW pumps. They were assumed to be unaffected by most BOP failures. MFW was assumed to be operable only for T3, S3.
  Steam Generators | Boolean Expression | Two top events modeled.
  Turbine Bypass and Main Condenser | Abbreviated Fault Tree | Two top events modeled.
Primary Pressure Relief | Fault Tree/Boolean Expression/"Black Box" Model | Three top events modeled in fault trees. One top event modeled by a Boolean equation. One top event as a "Black Box" model.
Reactor Protection | "Black Box" Model | Two top events modeled. Generic data from NUREG-1000 was used for the RPS.
Recirculation Mode Transfer | Boolean Expression | Two events modeled. Boolean expressions were developed to model RMT system dependencies on power. Generic failure data used on train level.
Residual Heat Removal | Fault Tree | One top event modeled.
Safety Injection Actuation | Boolean Expression | Two events modeled. Boolean expressions were developed to model SIAS power dependencies. Generic failure data used on train level.
Service Water | Fault Tree | Four events modeled for the four interfaces with the ISR and OSR fault trees.
: 6. In general, only one term for unavailability due to test and maintenance (T&M) was included per system train. This was done to prevent "double counting" of T&M actions which may in fact be done simultaneously. The T&M values of pumps were used because their frequency is normally much larger than that of valves.
: 7. Mispositioning of valves prior to the initiating event was not considered in the cases where the valve position is annunciated in the control room or the valve received an automatic open signal from an actuation system. (See Section 4.7.1).
: 8. Plugging of normally open valves in normally operating systems was evaluated as negligible compared to other train faults.
: 9. Instrument air failure was included as an undeveloped event in the fault trees of systems that depended on instrument air. Fault tree analysis was not performed on the instrument air system.
In order to ensure that naming of failure events was done consistently throughout the fault tree coding process, a standard coding scheme was established. This consistency was necessary to ensure that the dependencies and interfaces between the systems were properly accounted for when the individual system fault trees were merged with their support systems and the merged fault trees linked together to perform the accident sequence quantification. In addition, the standard coding scheme provides the analyst or reviewer a traceability of the events from the cutsets resulting from the accident sequence quantification to the individual fault trees.
The standard coding scheme developed utilized a sixteen character identifier. Each individual event code was composed of four parts: a system identifier, an event or component type identifier, a failure mode code, and a unique event identifier. Each of these parts was separated by a dash for readability.
The system identifier was composed of three characters which were selected to readily convey the system to the reader. The list of system identifiers is provided in Table 4.6-2. The event or component type identifier was composed of three characters which identify the component type if a component fault, or the event type if other than a component fault. The list of event or component identifiers is included in Table 4.6-2. The failure mode code was composed of two characters which identify the failure mode associated with the fault. The list of failure mode codes is included in Table 4.6-3. The unique event identifier was composed of up to five characters which utilize a portion of the utility ID for a component or, in the case of non-component faults or grouped faults, convey information about the fault type. The list of symbols used in the schematics is shown in Table 4.6-4.
4.6.2 Accumulator Model
The accumulators provide an initial influx of borated water to reflood the reactor core following a large loss of coolant accident (LOCA) or a medium LOCA on the upper end of the LOCA size definition. The accumulators are a front line safety system designed to provide core heat removal. The following sections provide a physical description of the accumulators, identify the interfaces and dependencies of the accumulators with other front line and support systems, list any operational constraints on the accumulators, provide a description of the fault tree model constructed for the accumulators, identify the specific assumptions made in the analysis of the accumulators, and describe the operational experience available for the accumulators.
Table 4.6-2 System, Component, and Event Identifiers
Part 1: System Identifiers
System Identifier | System Name
ACC | Accumulators
ACP | AC Power System
ARP | Air Return Fan System
ADS | Automatic Depressurization System
AFW | Auxiliary Feedwater System or Emergency Feedwater System
CPC | Charging Pump Cooling System
CHP | Charging Pump System
CVC | Chemical and Volume Control System
CHW | Chilled Water System
CSC | Closed Cycle Cooling System
CCW | Component Cooling Water System
CDS | Condensate System
CLS | Consequence Limiting Control System
CCU | Containment Atmosphere Cleanup
CGC | Containment Combustible Gas Control
CFC | Containment Emergency Fan Cooler System
CIS | Containment Isolation System
CSR | Containment Spray Recirculation System
CSS | Containment Spray System
CRD | Control Rod Drive System
DCP | DC Power System
DWS | Drywell (Wetwell) Spray Mode of RHR System
EHV | Emergency Heating, Ventilation, and Air Conditioning System
ESP | Engineered Safety Feature Actuation System
ESW | Essential Service Water System
FHS | Fuel Handling System
HCI | High Pressure Coolant Injection System
HCS | High Pressure Core Spray System
HPR | High Pressure Recirculation System
HPI | High Pressure Safety Injection System
HSW | High Pressure Service Water System
ICS | Ice Condenser System
ISR | Inside Containment Spray Recirculation System
IAS | Instrument Air System
ISO | Isolation Condenser System
LCI | Low Pressure Coolant Injection System
LCS | Low Pressure Core Spray System
LPR | Low Pressure Recirculation System
LPI | Low Pressure Safety Injection System
MCW | Main Circulating Water System (main condenser cooling water)
MFW | Main Feedwater System
MSS | Main Steam System
NHV | Normal Heating, Ventilation, and Air Conditioning System
OEP | Onsite Electric Power System
OSR | Outside Containment Spray Recirculation System
PCS | Power Conversion System
PPS | Primary Pressure Relief System (PORV/SRV)
RGW | Radioactive Gaseous Waste System
RLW | Radioactive Liquid Waste System
RBC | Reactor Building Cooling Water System
RCS | Reactor Coolant System
RCI | Reactor Core Isolation Cooling System
RPS | Reactor Protection System
RMT | Recirculation Mode Transfer System
RHR | Residual Heat Removal System
SIS | Safety Injection Actuation System
SWS | Service Water System
SDC | Shutdown Cooling Mode of RHR
SGT | Standby Gas Treatment System
SLC | Standby Liquid Control System
SPC | Suppression Pool Cooling System (or suppression pool cooling mode of the RHR system)
SPM | Suppression Pool Makeup System
TBC | Turbine Building Cooling Water System
Table 4.6-2 (Continued) System, Component, and Event Identifiers
Part 2: Component Identifiers
Component | Identifier
Air Cooling Heat Exchanger | ACX
Sensor/Transmitter Units: |
  Flow | ASF
  Level | ASL
  Physical Position | ASO
  Pressure | ASP
  Radiation | ASR
  Temperature | AST
  Flux | ASX
Circuit Breaker | CRB
Calculational Unit | CAL
Electrical Cable | CBL
Signal Conditioner | CND
Control Rods: |
  Hydraulically Driven | CRH
  Motor Driven | CRM
Ducting | DCT
Motor Driven Compressor | MDC
Motor Driven Fan | FAN
Fuse | FUS
Diesel Generator | DGN
Hydrogen Recombiner Unit | HRU
Heat Exchanger | HTX
Inverter | INV
Electrical Isolation Device | ISO
Air Cleaning Unit | ACU
Load/Relay Unit | LOD
Logic Unit | LOG
Local Power Supply | LPS
Motor Generator Unit | MGN
Motor Operated Damper | MOD
Pumps: |
  Engine Driven | EDP
  Motor Driven | MDP
  Turbine Driven | TDP
Manual Control Switch | XSW
Rectifier | REC
Transfer Switch | TSW
Transformer | TFM
Tank | TNK
Bistable Trip Unit | TXX
Air Heating Unit | AHU
Electrical Bus - DC | BDC
Electrical Bus - AC | BAC
Manual Damper | XDM
Pneumatic/Hydraulic Damper | PND
Battery | BAT
Valves: |
  Check Valve | CKV
  Hydraulic Valve | HDV
  Safety/Relief Valve | SRV
  Solenoid Operated Valve | SOV
  Motor Operated Valve | MOV
  Manual Valve | XVM
  Air Operated Valve | AOV
  Testable Check Valve | TCV
  Explosive Valve | EPV
Filter | FLT
Instrumentation and Control Circuit | ICC
Strainer | STR
Heater Element | HTR
Event | Identifier
Pipe Segment Fault | PSF
Pipe Train Fault | PTF
Actuation Segment Fault | ACS
Actuation Train Fault | ACT
AC Electrical Train Fault | TAC
DC Electrical Train Fault | TDC
Human Error | XHE
Common Cause Fault | CCF
Miscellaneous Aggregation of Faults | VFC

Table 4.6-3 Failure Mode Codes*
Failure Mode | Code
Valves, Contacts, Dampers: |
  Fail to Transfer | FT
  Normally Open, Fail Open | OO
  Normally Open, Fail Closed (Position) | OC
  Normally Closed, Fail Closed | CC
  Normally Closed, Fail Open | CO
Valves, Filters, Orifices, Nozzles: |
  Plugged | PG
Pumps, Motors, Diesels, Turbines, Fans, Compressors: |
  Fail to Start | FS
  Fail to Continue Running | FR
Sensors, Signal Conditioners, Bistable: |
  Fail High | HI
  Fail Low | LO
  No Output | NO
Segments, Trains and Miscellaneous Agglomerations: |
  Loss of Flow, No Flow | LF
  Loss of Function | FC
  Actuation Fails | FA
  No Power, Loss of Power | LP
  Failure (for miscellaneous fault agglomerations not based on segments or trains) | VF
  Hardware | HW
Battery, Bus, Transformer: |
  No Power, Loss of Power | LP
  Short | ST
  Open | OP
Tank, Pipes, Seals, Tubes: |
  Leak | LK
  Rupture | RP
Human Errors: |
  Fail to Operate | FO
  Miscalibrate | MC
  Fail to Restore from Test or Maintenance | RE
Normal Operations (unavailable due to planned activity): |
  Maintenance | MA
  Test | TE
  Test and Maintenance | TM
*Events or components shown are only suggestions.
The failure modes listed may be used for any applicable event or component type.

Table 4.6-4 Symbols and Abbreviations Used in the Schematics
[Symbol graphics not recoverable. Symbols defined: Normally Open Manual Valve; Normally Closed Manual Valve; Normally Open Motor Operated Valve; Normally Closed Motor Operated Valve; Motor Driven Butterfly Valve; Testable Check Valve; Normally Open Air Operated Valve; Normally Closed Air Operated Valve; Normally Closed Explosive Valve; Three Way Valve; (Safety) Relief Valve (Normally Closed); Check Valve; Heat Exchanger or Cooler; Motor Driven Pump; Turbine Driven Pump; Positive Displacement Pump; Heater; Spray Header; Orifice; Flange; Strainer; Fan; Compressor; Tank; Reactor; Steam Generator; Containment (upper and lower compartments); Ice Condenser; Containment Sump; Fluid Line; Air Line; Duct Work; Diesel Generator; Charger; Battery; Inverter; Transfer Switch; Bus.]
Abbreviations: LO = Locked Open; LC = Locked Closed.
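The event coding scheme of Section 4.6.1 and Tables 4.6-2 and 4.6-3 can be checked mechanically before fault trees are merged. The following added example (not code from the report) parses and validates event codes, lists events shared between trees, and traces a cut set back to its systems; the lookup dicts are subsets of the tables, and the sample event names, unique identifiers and the alphanumeric rule for the unique part are assumptions made for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Subsets of Table 4.6-2 (Parts 1 and 2) and Table 4.6-3; the remaining rows extend these dicts.
SYSTEMS = {
    "ACC": "Accumulators", "ACP": "AC Power System", "DCP": "DC Power System",
    "AFW": "Auxiliary Feedwater System or Emergency Feedwater System",
    "CPC": "Charging Pump Cooling System", "HPI": "High Pressure Safety Injection System",
}
KINDS = {
    "MDP": "Motor Driven Pump", "TDP": "Turbine Driven Pump", "MOV": "Motor Operated Valve",
    "CKV": "Check Valve", "BAC": "Electrical Bus - AC", "BDC": "Electrical Bus - DC",
    "XHE": "Human Error", "CCF": "Common Cause Fault",
}
MODES = {
    "FS": "Fail to Start", "FR": "Fail to Continue Running", "FT": "Fail to Transfer",
    "PG": "Plugged", "LP": "No Power, Loss of Power", "FO": "Fail to Operate",
    "TM": "Test and Maintenance",
}

# system(3)-type(3)-mode(2)-unique(1..5): 3+1+3+1+2+1+5 = 16 characters at most.
# Assumption: the unique part consists of upper-case letters and digits.
CODE_RE = re.compile(r"([A-Z]{3})-([A-Z]{3})-([A-Z]{2})-([A-Z0-9]{1,5})")


@dataclass(frozen=True)
class EventCode:
    system: str
    kind: str
    mode: str
    unique: str

    def describe(self):
        return f"{SYSTEMS[self.system]}: {KINDS[self.kind]}, {MODES[self.mode]} [{self.unique}]"


def parse_event_code(code):
    """Split a basic-event code into its four parts and check each against the tables."""
    match = CODE_RE.fullmatch(code)
    if match is None:
        raise ValueError(f"{code}: not of the form SYS-TYP-FM-UNIQUE")
    system, kind, mode, unique = match.groups()
    checks = ((system, SYSTEMS, "system"), (kind, KINDS, "type"), (mode, MODES, "failure mode"))
    for value, table, label in checks:
        if value not in table:
            raise ValueError(f"{code}: unknown {label} identifier {value}")
    return EventCode(system, kind, mode, unique)


def lint_trees(trees):
    """Map each fault tree name to the error messages for its malformed or unknown codes."""
    problems = defaultdict(list)
    for tree, codes in trees.items():
        for code in codes:
            try:
                parse_event_code(code)
            except ValueError as err:
                problems[tree].append(str(err))
    return dict(problems)


def shared_events(trees):
    """Events named identically in more than one tree: the links that merging relies on."""
    owners = defaultdict(set)
    for tree, codes in trees.items():
        for code in codes:
            owners[code].add(tree)
    return {code: sorted(names) for code, names in owners.items() if len(names) > 1}


def trace_cut_set(cut_set):
    """Group the events of one cut set by the system whose fault tree defines them."""
    by_system = defaultdict(list)
    for code in cut_set:
        event = parse_event_code(code)
        by_system[event.system].append(event.describe())
    return dict(by_system)


# Constructed sample: event names and unique identifiers are invented for illustration.
SAMPLE_TREES = {
    "AFW": ["AFW-MDP-FS-P3A", "AFW-TDP-FS-P2", "ACP-BAC-LP-1H", "DCP-BDC-LP-1A"],
    "HPI": ["HPI-MDP-FS-P1A", "ACP-BAC-LP-1H", "HPI-mov-FT-V01", "HPI-MOV-ZZ-V02"],
}

if __name__ == "__main__":
    print(lint_trees(SAMPLE_TREES))
    print(shared_events(SAMPLE_TREES))
    print(trace_cut_set(["AFW-TDP-FS-P2", "ACP-BAC-LP-1H"]))
```

A support-system event such as the AC bus fault is only recognized as a common dependency of two front line trees when both trees spell it identically, which is why the lint step runs before the merge.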
4.6.2.1 Accumulator Description
The accumulator system consists of three tanks filled with borated water and pressurized with nitrogen. Each of the accumulators is connected to one of the reactor coolant system (RCS) cold legs by a line containing a normally open motor operated valve and two check valves in series. The check valves serve as isolation valves during normal reactor operation and open to empty the contents of the accumulator when the RCS pressure falls below 650 psig. A simplified schematic of the accumulators is shown in Figure 4.6-1.
4.6.2.2 Accumulator Interfaces and Dependencies
The accumulators are dependent on the nitrogen system to maintain a head on the accumulators. The nitrogen is supplied by dedicated local nitrogen bottles and the accumulators are fully instrumented to indicate an abnormal pressure condition. Due to the small fault exposure time of four hours, this dependency was not further developed.
The accumulators are initially filled with borated water from the refueling water storage tank (RWST). The accumulators are filled and the valves are closed. Instrumentation verifies that the level remains above a minimum value. Therefore, no dependencies were modeled between the accumulators and the RWST.
4.6.2.3 Accumulator Operational Constraints
Technical Specifications require that all three accumulators be operable. If one accumulator becomes inoperable, i.e., low level or low pressure, it must be restored within four hours. This limits the fault exposure time such that the probability of the associated faults is negligible, and these faults were not further developed.
4.6.2.4 Accumulator Logic Model
The success criteria for the accumulators vary depending on the application in the event tree analysis. The success criterion for the accumulators following a large LOCA, which conservatively assumed a cold leg break, is injection of the contents of the two accumulators associated with the intact cold legs into the RCS. The success criterion for the accumulators following a medium LOCA is injection of the contents of two or more accumulators into the RCS. These success criteria are translated into the following top events associated with the large and medium LOCA size breaks, respectively:
D5 (A LOCA): Failure of one or more of the accumulators located in the intact cold legs to inject their contents into the RCS.
D5 (S1 LOCA): Failure of two or more of the accumulators to inject their contents into the RCS.
The fault trees developed for these top events are shown in Appendix B. The specific assumptions used to develop the accumulator fault trees are included in the following section.
[Figure 4.6-1, simplified schematic of the accumulators: graphic not recoverable. Legible labels: FROM RWST; tanks 1-S1-TK-1A, 1-S1-TK-1B, 1-S1-TK-1C; valves 1865A, 1865B, 1865C; check valves CV107, CV109, CV128, CV130, CV145, CV147; Loop 1, Loop 2 and Loop 3 cold legs.]
4.6.2.5 Assumptions in Accumulator Model
In addition to the general modeling groundrules made in the analysis and previously discussed in Section 4.6.1, several system specific assumptions were made in the course of the analysis. The specific assumptions made in the analysis of the accumulators were as follows:
: 1. For the large LOCA analysis, the cold leg break was assumed to be in Loop 1, failing one accumulator immediately.
: 2. Due to the short fault exposure times, redundant valving arrangements, the use of fail closed valves, and the redundant alarm and pressure indications, faults leading to level or pressure reduction in the accumulators were not postulated. The only faults postulated were demand type faults.
4.6.2.6 Accumulator Operating Experience
No pertinent plant specific operational experience of the Surry accumulators was found.
4.6.3 Auxiliary Feedwater System Model
The auxiliary feedwater (AFW) system provides feedwater to the steam generators (SG) to remove core heat from the primary system after reactor trip. The AFW system is a front line safety system. The following sections provide a physical description of the AFW, identify the interfaces and dependencies of the AFW with other front line and support systems, list any operational constraints on the AFW, provide a description of the fault tree model constructed for the AFW, identify the AFW specific assumptions, and describe the operational experience available for the AFW.
4.6.3.1 AFW System Description
The Surry AFW system is a three train system, with two electric motor driven pumps and one steam turbine driven pump. The electric motor driven AFW pumps have a capacity of 350 gpm, and the turbine driven AFW pump has a capacity of 700 gpm. Each pump draws a suction through an independent line from the 110,000 gallon condensate storage tank (CST). Additionally, a 300,000 gallon CST, a 100,000 gallon emergency makeup tank, and the fire main can be used as water supplies for the AFW pumps. Each AFW pump discharges to two parallel headers. Each of these headers can provide auxiliary feedwater flow to any or all of the three steam generators. Flow from each header to any one SG is through a normally open motor operated valve (MOV) and a locked open manual valve in series, paralleled with a line from the other header. These lines feed one line containing a check valve which joins the main feedwater line to a steam generator. A simplified schematic of the AFW is shown in Figure 4.6-2.
The motor driven AFW pumps automatically start on receipt of a safety injection actuation signal, trip of main feedwater pumps, low steam generator level in any steam generator, or loss of offsite power. The turbine driven AFW pump automatically starts on receipt of indication of low steam generator level in two of the three steam generators or undervoltage of any of the three main RCS pumps. These signals also ensure that the system MOVs are in the correct position.
[Figure 4.6-2, simplified schematic of the AFW system: graphic not recoverable. Legible labels include 300,000 GAL CST, HEADER B, TO UNIT 2 AFW SYSTEM, FROM FIRE MAIN, FROM EMERGENCY MAKEUP SYSTEM, TURBINE DRIVE FOR PUMP TDPFW2, FROM UNIT 2 AFW PUMPS, MOV FW160A, MOV FW160B, MOV FW260A, AOV MS102A and AOV MS102B.]
4.6.3.2 AFW System Interfaces and Dependencies
The AFW system is dependent on the AC power buses for motive power to the AFW motor driven pumps, and motive and control power to the AFW MOVs. The AFW system is also dependent on the DC power buses for control power to the electric motor driven AFW pumps, and the SIAS for actuation of the AFW pumps. The turbine driven pump turbine inlet valves require instrument air and DC power for control; however, on loss of either instrument air or DC power the valves fail open, allowing steam flow to the pump turbine. Hence, no dependencies were modeled in these cases to represent system success. These dependencies and specific train assignments are shown in the system dependency diagram in Figure 4.6-3 and the component status and dependency summary in Table 4.6-5.
4.6.3.3 AFW System Operational Constraints
Technical Specifications require both motor driven feedwater pumps to be operable at all times and the turbine driven pump to be operable when the reactor is above 10 percent power. However, one pump may be removed from service for maintenance for a short period of time. This is incorporated into the model of the AFW by allowing only one AFW pump to be initially unavailable due to test or maintenance activities. Technical Specifications also require that when Unit 1 is at power, a Unit 2 AFW pump be operational. This is important when considering AFW from Unit 2 in the recovery analysis.
4.6.3.4 AFW System Logic Model
The success criteria for the Surry AFW system vary depending on the application in the event tree analysis. The success criterion for the AFW following all events except an Anticipated Transient Without Scram (ATWS) or Steam Generator Tube Rupture (SGTR) is flow from any one AFW pump to any of the three steam generators. The success criterion for AFW following an ATWS event is flow from both motor driven AFW pumps or flow from the turbine driven pump to two steam generators. The success criterion for AFW following an SGTR event is flow from any one AFW pump to any one of two intact steam generators. These success criteria translate into the following top events in the AFW fault trees.
L - Insufficient flow to at least one of three steam generators from at least one AFW pump.
- Insufficient flow to at least two steam generators from at least two motor driven AFW pumps or one turbine driven AFW pump.
- Insufficient flow to at least one of the two intact steam generators from at least one AFW pump.
The fault trees developed for these top events are shown in Appendix B. Note that upon loss of offsite power followed by failure of the diesel generators (station blackout), only the turbine driven AFW pump is available. Failure of Unit 2's turbine driven AFW pump was modeled as a Boolean expression for use in the station blackout analysis. This Boolean expression is shown in Appendix B. The specific assumptions used to develop the AFW fault trees are included in the following section.
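How the success criteria of Sections 4.6.2.4 and 4.6.3.4 turn into top events with different minimal cut sets can be seen by enumeration. This is an added example, not the report's fault trees from Appendix B: it models accumulators at the check valve level and AFW at the pump level only. The assignment of check valves to loops (read from the Figure 4.6-1 labels), the demand failure probability, and independence of failures (no common cause term) are assumptions of the example.

```python
from itertools import combinations, product


def minimal_cut_sets(events, top_fails):
    """Minimal sets of failed basic events for which top_fails(failed) is true.

    top_fails must be monotone: adding failures never turns failure into success.
    """
    cuts = []
    for size in range(1, len(events) + 1):
        for combo in combinations(events, size):
            failed = frozenset(combo)
            if any(cut <= failed for cut in cuts):
                continue  # contains a smaller cut set, so it is not minimal
            if top_fails(failed):
                cuts.append(failed)
    return cuts


def top_probability(probs, top_fails):
    """Exact top-event probability by enumerating all states of independent events."""
    events = list(probs)
    total = 0.0
    for states in product((False, True), repeat=len(events)):
        failed = frozenset(e for e, down in zip(events, states) if down)
        if not top_fails(failed):
            continue
        weight = 1.0
        for e, down in zip(events, states):
            weight *= probs[e] if down else 1.0 - probs[e]
        total += weight
    return total


# Two check valves in series per accumulator; valve-to-loop assignment is an assumption.
ACC_PATHS = {"A": ("CV107", "CV109"), "B": ("CV128", "CV130"), "C": ("CV145", "CV147")}
ACC_VALVES = [cv for pair in ACC_PATHS.values() for cv in pair]


def failed_accumulators(failed):
    """An accumulator does not inject if either of its check valves fails to open."""
    return {acc for acc, valves in ACC_PATHS.items() if any(v in failed for v in valves)}


def d5_large_loca(failed):
    # Break assumed in Loop 1 (Section 4.6.2.5): accumulator A is lost, B and C must both inject.
    return bool(failed_accumulators(failed) & {"B", "C"})


def d5_medium_loca(failed):
    # Two or more of the three accumulators fail to inject.
    return len(failed_accumulators(failed)) >= 2


# AFW at pump level only (flow paths to the steam generators are not modeled here).
AFW_PUMPS = ["1-FW-P-3A", "1-FW-P-3B", "1-FW-P-2"]  # two motor driven, one turbine driven


def afw_transient(failed):
    # Top event L: no AFW pump delivers flow.
    return all(pump in failed for pump in AFW_PUMPS)


def afw_atws(failed):
    both_motor_driven = "1-FW-P-3A" not in failed and "1-FW-P-3B" not in failed
    turbine_driven = "1-FW-P-2" not in failed
    return not (both_motor_driven or turbine_driven)


if __name__ == "__main__":
    p = {cv: 1.0e-4 for cv in ACC_VALVES}  # constructed demand failure probability
    for name, top in (("D5 (A LOCA)", d5_large_loca), ("D5 (S1 LOCA)", d5_medium_loca)):
        cuts = minimal_cut_sets(ACC_VALVES, top)
        print(name, len(cuts), "cut sets, P =", top_probability(p, top))
    for name, top in (("AFW L", afw_transient), ("AFW ATWS", afw_atws)):
        print(name, [sorted(c) for c in minimal_cut_sets(AFW_PUMPS, top)])
```

The stricter criteria shorten the cut sets: the large LOCA top event has four single-valve cut sets where the medium LOCA has twelve valve pairs, and the ATWS criterion reduces the AFW pump-level cut set from three pumps to two.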
Figure 4.6-3 AFW System Dependency Diagram
[Diagram not recoverable. Columns: AFW system Train 2, Train 3A, Train 3B. Rows: AC emergency power buses 1H and 1J; DC emergency power buses 1A and 1B.]
Table 4.6-5 AFW Component Status and Dependency Summary
COMPONENT | NORMAL STATUS | ACTUATION | DEPENDENCIES
Pumps: | | |
1-FW-P-2 | Standby | 2/3 Lo SG Level, RCS Pump Undervoltage | Main Steam
1-FW-P-3A | Standby | SIS-A, Loss of MFW, Lo SG Level, Loss of Offsite Power | 4160V Bus 1H, DC Bus 1A
1-FW-P-3B | Standby | SIS-B, Loss of MFW, Lo SG Level, Loss of Offsite Power (LOSP) | 4160V Bus 1J, DC Bus 1B
MOVs: | | |
151A | NO/FAI | Open signal same as Pump 3A Act. | MCC-1H1-2
151B | NO/FAI | Open signal same as Pump 3B Act. | MCC-1J1-2
151C | NO/FAI | Open signal same as Pump 3A Act. | MCC-1H1-2
151D | NO/FAI | Open signal same as Pump 3B Act. | MCC-1J1-2
151E | NO/FAI | Open signal same as Pump 3A Act. | MCC-1H1-2
151F | NO/FAI | Open signal same as Pump 3B Act. | MCC-1J1-2
160A | NC/FAI | R. Manual | MCC-2H1-2
160B | NC/FAI | R. Manual | MCC-2J1-2
260A | NC/FAI | R. Manual | MCC-1H1-2
260B | NC/FAI | R. Manual | MCC-1J1-2
AOVs: | | |
MS102A | NC/FO | 2/3 SG low level or LOSP to station service buses | Instrument Air, DC Bus 1A*
MS102B | NC/FO | 2/3 SG low level or LOSP to station service buses | Instrument Air, DC Bus 1B*
* On loss of instrument air and DC power, valves fail in safe position (i.e., open) resulting in steam flow to AFW pump turbine. N2 bottles provided for control of AFW pump in the event of loss of air.
4.6.3.5 Assumptions in AFW System Model
In addition to the general modeling groundrules made in the analysis and previously discussed in Section 4.6.1, several system specific assumptions were made in the course of this analysis. The specific assumptions made in the AFW analysis were as follows:
: 1. Failures of parallel manual valves in the pump discharge lines and in the lines from the headers to the main feedwater lines were not postulated since the valves are flow tested following maintenance, precluding inadvertent closure of the valves. Also, the probability of plugging is negligible in comparison with other system faults.
: 2. The lube oil cooler associated with each AFW pump was considered to be part of the pump and as such its failures were accounted for in the pump failure rates.
: 3. Opening of the steam admission valves to the turbine driven pump is all that is required to start the pump. DC power and/or instrument air were not considered to be required since their loss will result in opening of the valves.
: 4. In the absence of instrument air or DC power the turbine driven pump will operate at maximum speed. Initially, speed control of the turbine driven pump is not required to prevent SG overfill, due to the amount of inventory which must be supplied. The turbine driven AFW pump can be manually controlled in the absence of DC power or instrument air by manually throttling the turbine steam inlet valves, or by throttling the pump discharge valves (151A, B, C, D, E, F). It was determined that if steam generator water level indication was available, the probability of overfilling the steam generators was very small compared to other ways to fail the turbine driven AFW pump.
: 5. Failure of the Unit 2 cross connect in the open position was considered to fail the Unit 1 AFW system due to the flow diversion to the operating unit. The operating unit would be at a lower pressure and hence would receive the majority of the flow. The postulated failure was for the valve to be open while indicating closed. The diagnosis of the problem would be difficult for the Unit 1 operators and the additional flow from the AFW flow to Unit 2 would not be easily detected.
: 6. The use of the Unit 2 AFW pump cross connect, the 300,000 gallon CST, the emergency makeup tank, or the fire main as a backup to the CST were considered as recovery actions in the accident sequence analysis as necessary, and were not included in the fault trees directly.
: 7. For the steam generator tube rupture event tree, the tube rupture was postulated to be in Loop 1, SG A.
: 8. During station blackout sequences it was judged that the turbine driven AFW pump must be available from Unit 2 in order to cross connect with Unit 1.
: 9. It was considered that the Unit 2 AFW system is symmetric to the Unit 1 AFW system. This was used in modeling the Unit 2 AFW turbine driven pump during SBO.
: 10. The turbine driven pump discharges the turbine exhaust steam directly to the atmosphere so that a condensate pump is not required for the AFW turbine. It was judged that the steam exhaust would not impede an operator's manual control of the turbine.
4.6.3.6 AFW System Operating Experience
Review of the Surry AFW operating experience revealed that a problem with steam binding of AFW pumps had occurred due to backleakage of relatively hot main feedwater through the system check valves. The backleakage resulted in steam accumulation in the AFW lines and failure of two pumps. Since the event, the affected check valves were reworked and plant changes made, including removal of the insulation from the AFW pump discharge lines to facilitate steam condensation and requiring a check of the pump outlet pipe temperatures once every shift. No further incidents have occurred since. However, due to the potential for common cause multiple pump failures, this failure mode has been included in the system models. See Appendix D.1 for the development of this data. Plant specific operational data derived from plant records of the AFW pumps was used in the analysis.
See Appendix D.1 for the development of this data. 4.6.4 Charging Pump Cooling System Model The charging pump cooling (CPC) system is a support system which provides lube oil cooling and seal cooling to the three charging pumps in the high pressure injection/recirculation (HPI/HPR) system. The following sections provide a physical description of the CPC system*, identify the interfaces and dependencies of the CPC system with the front line systems and other support systems, list any operational constraints on the CPC system, provide a description of the fault tree model constructed for the CPC system, identify the CPC system specific assumptions, and describe the operational experience available for the CPC system. 4.6.4.1 CPC System Description The Surry CPC system provides two specific cooling functions for the charging pumps, lube oil cooling and seal cooling. The CPC system is composed of two subsystems, the charging pump service water system and the charging pump cooling water system. The charging pump service water system is an open cooling $ystem which provides cooling to the lube oil coolers and to the intermediate seal coolers in the charging pump cooling water system. The charging pump cooling water system is a closed cycle system which provides.
cooling to the charging pump seal coolers.
* The charging pump service water system is an open cycle system composed of two 100% capacity pump trains. Each provides flow to one intermediate seal cooler and all three charging pump lube oil coolers. Flow is drawn from the main condenser inlet lines through independent lines by the charging pump service water pumps. Upstream of each pump are two separate, independent strainer assemblies.
Each pump discharges through two check valves. Downstream of the check valves the flow is split with a portion of the
* flow directed to an intermediate seal cooler and the other portion directed to a common header feeding the lube oil coolers. From this header, flow is directed through the lube 4.6-26 oil coolers for the operating charging pumps. Temperature control valves control the flow through the lube oil coolers to prevent overcooling of the lube oil. The service water flow is discharged to the discharge canal. The charging pump cooling water system is a closed cycle system composed of two 10096 capacity pump trains. Each pump train contains a charging pump cooling water pump and an intermediate seal cooler which provide cooling water. to the charging pump seal coolers. Each pump draws suction from the outlet of either of the two intermediate seal coolers and discharge to a common header. The common header provides flow to the seal coolers for each charging pump. Two seal coolers in parallel are provided for each charging pump. The discharge of the seal coolers is returned to the intermediate seal coolers where it is cooled by the charging pump service water system. Makeup to the charging pump cooling water system to account for seal leakage is provided by a surge tank which is supplied by the component cooling water system. A simplified schematic of the CPC system is shown in Figure 4.6-4. One of the charging pump service water pumps and one of the charging pump cooling water pumps are normally in operation.
Upon indication of low discharge pressure of one of the pumps, the parallel pump receives a signal to start. With the exception of the pumps and the lube oil cooler temperature control valves, all other components in the system are manually actuated.
4.6.4.2 CPC System Interfaces and Dependencies

The CPC system interfaces with the HPI/HPR system at the charging pumps. The CPC system is dependent on the AC power buses for motive and control power to the charging pump service water and cooling water pumps. Although the CPC system is dependent on the component cooling water system for the ultimate makeup to the charging pump seal cooling surge tank, no dependency was modeled since a sufficient supply of makeup is available due to the initial inventory in the surge tank. Also, the location of the surge tank would result in gravity flow of component cooling water into the surge tank even in the event of loss of the component cooling water system. The lube oil cooler temperature control valves require instrument air as well as DC power for control; however, on loss of either instrument air or DC power the valves fail open, allowing flow to the coolers. Hence, no dependencies were modeled in these cases. The CPC service water system is dependent on sufficient level in the service water intake canal. These dependencies and specific train assignments are shown in the system dependency diagram in Figure 4.6-5 and the component status and dependency summary in Table 4.6-6.

4.6.4.3 CPC System Operational Constraints

The only operational constraint utilized in the CPC system model results from the normal operation of one charging pump. Since one charging pump is in operation at all times, one charging pump service water pump, one charging pump cooling water pump and the associated coolers must be in operation also.

4.6.4.4 CPC System Logic Model

The CPC system is a support system for the charging pumps in the HPI/HPR system. The top events identified for the CPC system represent the modeled interfaces of the CPC system with the HPI/HPR system. The developed events contained in the HPI/HPR fault trees correspond to the following top events:

[Figure 4.6-4. CPC system simplified schematic (figure not reproduced)]
[Figure 4.6-5. CPC System Dependency Diagram: charging pump service water pumps 10A and 10B and charging pump cooling water pumps 2A and 2B against AC emergency power (figure not reproduced)]
Table 4.6-6 CPC Component Status And Dependency Summary

COMPONENT | NORMAL STATUS | ACTUATION | DEPENDENCIES
Pumps: 1-SW-P-10A, 1-SW-P-10B | 1 Standby, 1 Normally Operating | Standby pumps start on low header pressure | 1-SW-P-10A: MCC-1H1-1; 1-SW-P-10B: MCC-1J1-1
Pumps: 1-CC-P-2A, 1-CC-P-2B | 1 Standby, 1 Normally Operating | | 1-CC-P-2A: MCC-1H1-1; 1-CC-P-2B: MCC-1J1-1
MOVs: SW108A, SW108B, SW108C | 1 NO corresponding to running charging pump, others closed. | Open on increased lube oil temperature | Valves fail open on loss of DC power or instrument air.

CPCA - Insufficient cooling to charging pump A from the CPC system.
CPCB - Insufficient cooling to charging pump B from the CPC system.
CPCC - Insufficient cooling to charging pump C from the CPC system.

The fault trees developed for these top events are shown in Appendix B. For both the HPI/HPR modes of operation, the tree structure of CPC system models is identical. However, in the sequence quantification task, HPI/HPR mission times as appropriate were used to compute the time dependent failure rates, and those failures resulting in failure of the CPC system during the injection phase were deleted from the recirculation sequences. Appendix D.1 shows the mission times used in the various sequences.

4.6.4.5 Assumptions in CPC System Model

In addition to the general modeling groundrules made in the analysis and previously discussed in Section 4.6.1, several system specific assumptions were made in the course of the analysis. The specific assumptions made in the CPC system analysis were as follows:

1. Charging pump service water to the intermediate seal cooler was not required for successful operation of the charging pump seal coolers.
2. As noted in Section 4.6.9, charging pump A was considered to be normally operating. Therefore, for the CPC system, the temperature control valve on the associated lube oil cooler is open while the temperature control valves on the other two coolers are closed.
3. The temperature control valves fail open on loss of air or DC power.
4. The temperature control valves are controlled from a temperature signal from the charging pump lube oil, and it was judged that a signal to open will occur soon after pump startup.
5. The postulated operating configuration of the CPC system is that the A train charging pump service water and cooling water pumps are operating.
6. One of the two redundant charging pump seal coolers for each charging pump would provide sufficient seal cooling.
7. Loss of CPC was estimated to lead to unavailability (whether shutdown or failure) of the charging pumps within 10 minutes, if the charging pumps were in the safety injection mode.
8. The use of the Unit 2 CPC cross connect was considered as a recovery action in the accident sequence analysis if necessary, and was not included in the fault trees.
9. The Unit 2 CPC system is symmetric to the Unit 1 system. This consideration was used when modeling CPC from Unit 2.

4.6.4.6 CPC System Operating Experience

Operational experience from the CPC system indicates that the charging pump service water pump inlet strainers are susceptible to plugging since the fluid is raw brackish water direct from the intake canal. This was identified as an area which potentially could result in a common cause failure of both trains of the CPC system. The strainer assemblies have been replaced (Summer of 1984) with a different design of strainer (duplex strainer). The impact of this design change on the plugging failure rate is developed in Appendix D.1.

Inadvertent operation of the charging pump cooling water system with charging pump service water isolated from the intermediate seal coolers has occurred. However, it resulted in no damage to the charging pump seals. Flow was maintained in the cooling water system during the time of isolation. Based on this operational experience, loss of charging pump service water to the intermediate seal coolers was not included in the system models as a failure mode for the CPC system.

4.6.5 Component Cooling Water System Model

The component cooling water (CCW) system is a closed cycle cooling system which provides cooling to many, varied systems including the Residual Heat Removal (RHR) and the Reactor Coolant System (RCS). The CCW system, as defined for this analysis, includes only that portion of the CCW system required to provide cooling water to the reactor coolant pump (RCP) thermal barriers and to the Residual Heat Removal System. The following sections provide a physical description of the portions of the CCW system necessary for the analysis, identify the interfaces and dependencies of the CCW system with the front line systems and other support systems, list any operational constraints on the CCW system, provide a description of the fault tree model constructed for the CCW system, identify the CCW system specific assumptions, and describe the operational experience available for the CCW system.

4.6.5.1 CCW System Description

The CCW system at the Surry station is a single system which provides CCW to both units. Of primary interest to this study were those components normally providing CCW to Unit 1. These components consist of two CCW pumps in parallel and two CCW heat exchangers.
The CCW system is a closed cycle system. The CCW pumps take suction from the return line from the RCS pump thermal barriers, RHR pumps, and RHR heat exchangers, and are headered together at their discharges. The header feeds the two CCW heat exchangers arranged in parallel. The discharge of the heat exchangers is delivered to the RCS pump thermal barriers, RHR pumps, and RHR heat exchangers. After cooling these loads, the flow is returned to the CCW pump suction. Makeup to the CCW system is provided from a surge tank in the system. A simplified schematic of the portions of the CCW system required for thermal barrier cooling is shown in Figure 4.6-6.

One CCW pump and heat exchanger are normally in operation. In the event of failure of either component, the parallel component is manually placed in service. Following a loss of offsite power, the stub buses powering the CCW pumps are shed from the emergency buses and must be manually reconnected to restore power to the CCW pumps. The containment isolation valve on the thermal barrier cooling water outlet closes on loss of instrument air or receipt of a CLCS hi-hi signal, resulting in loss of flow to the thermal barriers.

[Figure 4.6-6. CCW system simplified schematic (figure not reproduced)]

4.6.5.2 CCW System Interfaces and Dependencies

The CCW system is dependent on the AC power buses for motive power for the CCW pumps and the DC power buses for control power to the CCW pumps and the thermal barrier throttle valves. Also, the CCW system is dependent on the instrument air system for motive power to the thermal barrier throttle valves. These dependencies and specific train assignments are shown in the system dependency diagram in Figure 4.6-7 and the component status and dependency summary in Table 4.6-7.

4.6.5.3 CCW System Operational Constraints

Following a loss of offsite power, the stub buses which power the CCW pumps are automatically shed and must be manually reloaded on the main bus by the operator to restore power to the pumps.

4.6.5.4 CCW System Logic Model

The success criterion for the Surry Unit 1 CCW system is that continued CCW flow is provided to the RCS pump thermal barriers, RHR pumps, and RHR heat exchangers following reactor shutdown. This success criterion translates into the following top event in the CCW system fault trees:

W - Failure to provide Unit 1 CCW flow to all RCS pumps thermal barrier coolers, RHR pumps, and RHR heat exchangers.

The success criterion for Unit 2 CCW is that continued CCW flow is provided to the RCS pump thermal barriers following station blackout at Unit 1. This translates into the following top event:

W2 - Failure to provide Unit 2 CCW flow to RCS pumps thermal barrier during station blackout.

The fault tree developed for top event W is shown in Appendix B. Failure of CCW supplied from Unit 2 during Station Blackout (W2) was modeled as a Boolean expression and is shown in Appendix B. The specific assumptions used to develop the CCW system fault tree are included in the following section.

4.6.5.5 Assumptions in CCW System Model

In addition to the general modeling groundrules made in the analysis and previously discussed in Section 4.6.1, several system specific assumptions were made in the course of the analysis. These specific assumptions made in the CCW system analysis were as follows:

1. The postulated normal operational configuration is that CCW pump A and CCW heat exchanger A are in service.
2. The service water valves to the normally operating heat exchanger are open, manual valves with flow through them and the service water system is a gravity flow system. Therefore, no faults were postulated for the service water interface with the system.

4.6.5.6 CCW System Operating Experience

No pertinent plant specific operational experience of the Surry CCW system was found.

[Figure 4.6-7. CCW System Dependency Diagram: CCW to RCS pump thermal barrier, pumps 1A and 1B, against AC emergency power 1H and 1J and instrument air (figure not reproduced)]

Table 4.6-7 CCW Component Status And Dependency Summary

COMPONENT | NORMAL STATUS | ACTUATION | DEPENDENCIES
Pumps: 1-CC-P-1A | Normally Operating | R. Manual | 4160V Stub 1H
Pumps: 1-CC-P-1B | Standby | R. Manual | 4160V Stub 1J
AOVs: TV-CC-107 | NO/FC | Close on CLS-Hi-Hi | Instrument Air

4.6.6 Consequence Limiting Control System Model

The consequence limiting control system (CLCS) automatically actuates the containment safeguards systems following receipt of indicated hi-hi (25 psia) containment pressure. The CLCS is a support system for the Containment Spray, Inside Spray Recirculation, and Outside Spray Recirculation front line systems. A review of the CLCS design was performed to verify that the system trains were symmetric and that there were no system peculiarities which would impact the reliability of the system. Generic system unavailability data was used in the analysis. The following sections provide a brief physical description of the CLCS, identify the interfaces and dependencies of the CLCS with front line and other support systems, list any operational constraints on the CLCS, provide a description of the model used to incorporate the CLCS into the analysis, identify the CLCS specific assumptions, and describe the operational experience available for the CLCS.

4.6.6.1 CLCS Description

The Surry CLCS is composed of four containment pressure sensors, each feeding a signal comparator. The output of each signal comparator is input into two separate three out of four logic trains. These logic trains automatically actuate the containment safeguards system components. A simplified CLCS logic diagram is shown in Figure 4.6-8.

4.6.6.2 CLCS Interfaces and Dependencies

The CLCS is dependent on the vital instrumentation buses and the DC buses for operation of the primary sensors and the relay logic network. The DC dependencies were modeled for the loss of power initiating events. In non loss of power events, or in the event of loss of only one vital instrumentation bus where additional bus failures would need to occur to result in system failure, the power bus failure rates are negligible in comparison with the CLCS train unavailabilities and hence no additional models were constructed. Specific components in the Containment Spray, Inside Spray Recirculation, Outside Spray Recirculation and containment spray Service Water systems are dependent on the CLCS for automatic actuation.
These specific dependencies are listed in Table 4.6-8. The Safety Injection Actuation system also utilizes some of the CLCS sensors.

4.6.6.3 CLCS Operational Constraints

No specific operational constraints were identified for the CLCS.

4.6.6.4 CLCS Logic Model

Boolean equations were developed to incorporate the CLCS DC power dependencies into the models used in the sequence quantification. The following Boolean equations were used to incorporate these dependencies for the T1, T5A, and T5B initiating events:

CLS-ACT-FA-2A = CLS-ACT-FA-CLS2A + DCP-TDC-LP-BUS1A
CLS-ACT-FA-2B = CLS-ACT-FA-CLS2B + DCP-TDC-LP-BUS1B

CLS-ACT-FA-CLS2A and CLS-ACT-FA-CLS2B represent the CLCS train A and B generic unavailabilities. The CLCS related events included in the front line system fault trees were coded with the system identifier CLS throughout the fault tree and sequence analysis.

[Figure 4.6-8. Simplified CLCS Logic Diagram: four pressure transmitters feeding signal comparators PS-LM100A1, PS-LM100B1, PS-LM100C1 and PS-LM100D1 (vital buses 1-I through 1-IV), each input to the Train A and Train B 3/4 relay matrices (figure not reproduced)]

Table 4.6-8 Component Dependencies On CLCS

Train A

Relay | Pumps | MOVs | Other
CR-CLS-1A1 | 1-RS-P-1A, 1-CS-P-1A | SW-103A, SW-101A, CW-106A |
CR-CLS-2A2 | 1-RS-P-2A | RS-155A, CS-100A, CS-101A |
CR-CLS-2A3 | | CW-106C, SW-103D, RS-156A |
CR-CLS-2A4 | | CW-100B, CS-101C | DG #1
CR-CLS-2A5 | | CW-100D |
CR-CLS-2A6 | | | TV-MS101A, TV-MS101C
CR-CLS-2A7 | | | TV-MS101B

Table 4.6-8 (Continued) Component Dependencies On CLCS

Train B

Relay: CR-CLS-2B1, CR-CLS-2B2, CR-CLS-2B3, CR-CLS-2B4, CR-CLS-2B5, CR-CLS-2B6, CR-CLS-2B7
Pumps: 1-RS-P-1B, 1-CS-P-1B, 1-RS-P-2B
MOVs: SW-103B, SW-101B, SW-106B, RS-155B, CS-100B, CS-101B, CW-106D, SW-103C, RS-156B, CW-100A, CS-101D, CW-100C
Other: BKR 25J3 - Block Close, DG #3, BKR 25J3 - Trip, TV-MS-101A, TV-MS-101C, TV-MS-101B

4.6.6.5 Assumptions in CLCS System Model

No system specific assumptions were made in the CLCS analysis.

4.6.6.6 CLCS Operating Experience

No pertinent plant specific operational experience of the Surry CLCS was found.

4.6.7 Containment Spray System Model

The containment spray system (CSS) provides the initial containment pressure reduction following an accident by spraying cool water from the refueling water storage tank (RWST) to condense steam in the containment. The CSS is a front line system designed to protect the containment. In addition, the CSS performs a support function for the outside spray recirculation system as discussed in Section 4.6.12. The following sections provide a physical description of the CSS, identify the interfaces and dependencies of the CSS with other front line and support systems, list any operational constraints on the CSS, provide a description of the fault tree model constructed for the CSS, identify the CSS specific assumptions, and describe the operational experience available for the CSS.

4.6.7.1 CSS Description

The Surry CSS is composed of two 100% capacity spray injection trains. The CSS has no recirculation or sump cooling capability. Each spray train draws water from the refueling water storage tank through independent suction lines. Each CSS pump takes suction through a normally open motor operated valve (MOV) and an in-line filter assembly. Each CSS pump discharges through a pair of normally closed MOVs arranged in parallel and through a check valve to its associated containment spray header. Both CSS pumps also feed a common third spray header (located on the outside of the crane wall) through separate check valves. A simplified schematic of the CSS is shown in Figure 4.6-9.

The CSS automatically starts on receipt of a hi-hi (25 psia) containment pressure signal from the consequence limiting control system (CLCS). The CLCS signals open the pump inlet and outlet valves and start the CSS pumps. An agastat timer in the pump start circuit delays pump start for 30 seconds after receipt of the signal.

4.6.7.2 CSS Interfaces and Dependencies

The CSS interfaces with the high and low pressure injection systems at the common refueling water storage tank. The CSS is dependent on the RWST for fluid inventory. The CSS system also depends on the AC power buses for motive power to the CSS pumps and motive and control power to the MOVs in the CSS, the DC power buses for control power to the CSS pumps, and the CLCS for actuation of the CSS components. These dependencies and specific train assignments are shown in the system dependency diagram in Figure 4.6-10 and the component status and dependency summary listing in Table 4.6-9.

4.6.7.3 CSS Operational Constraints

The only operational constraint utilized in the development of the CSS model is that Technical Specifications require one train of the CSS be operable at all times, i.e., only one train can be removed from service for maintenance at any one time. This is incorporated into the model of the CSS by allowing only one CSS pump to be initially unavailable due to test or maintenance activities.

[Figure 4.6-9. CSS simplified schematic (figure not reproduced)]

[Figure 4.6-10. CSS Dependency Diagram: CSS pump A and pump B discharge against the consequence limiting control system (trains A and B), AC emergency power (1H, 1J) and DC emergency power (1A, 1B) (figure not reproduced)]

Table 4.6-9 CSS Component Status And Dependency Summary

COMPONENT | NORMAL STATUS | ACTUATION | DEPENDENCIES
Pumps: 1-CS-P-1A | Standby | CLS Hi-Hi-2A | 480V Bus 1H, DC Bus 1A, CLS Hi-Hi-2A
Pumps: 1-CS-P-1B | Standby | CLS Hi-Hi-2B | 480V Bus 1J, DC Bus 1B, CLS Hi-Hi-2B
MOVs: CS100A | NO/FAI | CLS Hi-Hi-2A | MCC-1H1-2, CLS Hi-Hi-2A
MOVs: CS100B | NO/FAI | CLS Hi-Hi-2B | MCC-1J1-2, CLS Hi-Hi-2B
MOVs: CS101A | NC/FAI | CLS Hi-Hi-2A | MCC-1H1-2, CLS Hi-Hi-2A
MOVs: CS101B | NC/FAI | CLS Hi-Hi-2B | MCC-1J1-2, CLS Hi-Hi-2B
MOVs: CS101C | NC/FAI | CLS Hi-Hi-2A | MCC-1H1-2, CLS Hi-Hi-2A
MOVs: CS101D | NC/FAI | CLS Hi-Hi-2B | MCC-1J1-2, CLS Hi-Hi-2B

4.6.7.4 CSS Logic Model

The success criterion for the Surry CSS is the same for each application in the event tree analysis. The success criterion is that one of the two CSS trains provide flow to any one containment spray header. This translates into the following top event in the CSS fault tree:

C - Insufficient flow from 1 of 2 CSS pumps to the spray headers.

The fault tree developed for this top event is shown in Appendix B. The specific assumptions used to develop the CSS fault tree are included in the following section.

4.6.7.5 Assumptions in CSS System Model

In addition to the general modeling groundrules made in the analysis and previously discussed in Section 4.6.1, several system specific assumptions were made in the course of the analysis. The specific assumptions made in the CSS analysis were as follows:

1. Flow to any one of the two major spray headers was considered to be system success. Flow to only the crane wall header was not considered sufficient. However, it is not possible to get flow to the crane wall header without getting flow to one of the other headers.
2. The probability of plugging a sufficient number of nozzles in a spray header to significantly degrade performance was considered to be negligible.
3. Manual valves XV8 and XV15 in the recirculation pathway to the RWST are normally closed valves which are not indicated in the control room. During testing of the CSS pumps they are opened. The recirculation lines are large enough that they are assessed to constitute a flow diversion, thus failing the CSS train if open. If the CSS were demanded during pump testing or if the valves were not reclosed following testing, the associated CSS train would fail.

4.6.7.6 CSS Operating Experience

No pertinent plant specific operational experience of the Surry CSS was found.

4.6.8 Emergency Power System Model

The emergency power system (EPS) provides AC and DC power to safety related components following reactor scram. The EPS is a support system that interfaces with nearly all front line systems. The following sections provide a physical description of the EPS, identify the interfaces and dependencies of the EPS with front line and other support systems, list any operational constraints on the EPS, provide a description of the model used to incorporate the EPS in the analysis, describe the EPS specific assumptions, and identify the operational experience available for the EPS.

4.6.8.1 EPS Description

The EPS at Unit 1 consists of two 4160 VAC buses, four 480 VAC buses, four 120 VAC vital instrumentation buses, two 125 VDC buses, one dedicated and one shared diesel generator, and their associated motor control centers, breakers, transformers, uninterruptible power supplies, and batteries.
The EPS at Unit 2 is symmetric to Unit 1.

The following description applies to the EPS at Unit 1. Since the EPS is symmetrical at Unit 2, the description is equally applicable with the appropriate change of designator (2H for 1H, 2J for 1J).

Each 4160 VAC bus is normally powered from offsite power sources. Upon loss of offsite power the supply breakers open, the diesel generators start, and their associated DG output breakers close to load the diesels on the emergency buses. Surry has three diesel generators, one dedicated to each unit and a third swing diesel generator shared by the units. The dedicated diesel at Unit 1 is attached to the 1H 4160 VAC bus, while the swing diesel can be connected to the 1J (Unit 1) or 2J (Unit 2) 4160 VAC buses. In the event that the swing diesel is demanded by both units, the diesel will be aligned to the unit at which an SIAS or CLCS hi-hi exists. If signals exist at both units, the diesel will be aligned to the unit whose breaker closes first. Each diesel is a self contained, self cooled unit with its own battery for starting power. The diesel battery is independent of the station batteries.

The 4160 VAC buses provide power to the large pumps such as the high pressure injection pumps, the stub buses which each power one CCW and residual heat removal pump, and the 480 VAC buses through transformers. The stub bus is shed on undervoltage on the main bus.

The following description applies to the 1H related buses. Since the 1H and 1J related buses are symmetrical, the description is equally applicable to the 1J related buses with the appropriate changes to the designators.

The 1H 4160 VAC bus feeds two 480 VAC buses (1H and 1H-1) through transformers. The 1H 480 VAC bus is primarily used to power pumps such as the A train low pressure injection pump. The 1H-1 480 VAC bus feeds two motor control centers (MCCs). MCC 1H1-1 and 1H1-2 provide power to a multitude of motor operated valves (MOVs) and small pumps such as the charging pump cooling pumps. MCC 1H1-1 and 1H1-2 also provide power to two uninterruptible power supplies used to charge DC battery 1A, and to power the 1-I and 1-III 120 VAC vital instrumentation buses.

The 1A 125 VDC bus provides control power to the switchgear for the pumps powered from the 1H buses. The 1A 125 VDC bus is powered from a 480 VAC bus, as noted above, and in the event of loss of the AC power source, is powered from DC battery 1A.

A simplified electrical diagram of the EPS, including the relevant portions of the uninterruptible power supply, is included in Figure 4.6-11. Table 4.6-10 summarizes the normal and alternate power source for each EPS bus and component and identifies any dependencies for the EPS components.

4.6.8.2 EPS Interfaces and Dependencies

The EPS interfaces with almost all of the systems required for safe shutdown of the reactor following an abnormal event. Specific dependencies of these systems on the EPS are detailed in each of the applicable system sections. Dependencies between the EPS components are included in Table 4.6-10.

4.6.8.3 EPS Operational Constraints

The Surry EPS design does not require load sequencers for reloading of the buses following loss of offsite power due to the use of time delays included in the start circuitry for many of the required pumps.

[Figure 4.6-11. EPS Simplified Sketch, two sheets. Note on the second sheet: UPS 1B1 shown; UPS 1A1, 1A2, 1B2 are similar (figure not reproduced)]

Table 4.6-10 AC/DC Power Supplies And Dependencies

BUS/COMPONENT | NORMAL FEED | ALTERNATE FEED | DEPENDENCY/COMMENTS
4160V - 1A, 1B, 1C | Station Generator | Offsite grid, via RSS transfer from A, B, C | None of the ASEP systems are provided power by these buses. Not included in electric power model.
4160V - 1H (Orange Bus) | Offsite grid, via RSS transfer from C | DG #1 | Switchgear power provided by DC battery A.
4160V 1H-Stub | 4160V - 1H | None | Stub bus contains 1 CCW pump and 1 RHR pump. Bus is shed from main bus on UV on main bus.
4160V - 1J (Purple Bus) | Offsite grid, via RSS transfer from A | DG #3 | Switchgear power provided by DC battery B. DG #3 may be required by Unit 2.
4160V 1J-Stub | 4160V - 1J | None | Stub bus contains 1 CCW pump and 1 RHR pump. Bus is shed from main bus on UV on main bus.
DG #1, DG #3 | NA | NA | No dependencies. DGs are self contained. Each DG has a dedicated battery to start it. Self cooled. Upon LOSP, DG #3 will align to either unit, depending on whose breaker closes first. If SIS or CLS Hi-Hi signal exists at a unit, that unit will get DG #3.

Table 4.6-10 (Continued) AC/DC Power Supplies And Dependencies

BUS/COMPONENT | NORMAL FEED | ALTERNATE FEED | DEPENDENCY/COMMENTS
480V - 1H, 480V - 1H1 | 4160V 1H | None | Switchgear for pumps is supplied by DC battery A.
480V - 1J, 480V - 1J1 | 4160V 1J | None | Switchgear for pumps is supplied by DC battery B.
MCC 1H1-1, MCC 1H1-2 | 480V 1H1 | None |
MCC 1J1-1, MCC 1J1-2 | 480V 1J1 | None |
120V AC Vital Bus 1-I | MCC 1H1-1, MCC 1H1-2, DC Bus A | None | Vital bus supplied by an uninterruptible power supply fed by three sources. Whichever source has the highest voltage will power the vital bus.
120V AC Vital Bus 1-II | MCC 1J1-1, MCC 1J1-2, DC Bus B | None | Vital bus supplied by an uninterruptible power supply fed by three sources. Whichever source has the highest voltage will power the vital bus.
120V AC Vital Bus 1-III | MCC 1H1-1, MCC 1H1-2, DC Bus A | None | Vital bus supplied by an uninterruptible power supply fed by three sources. Whichever source has the highest voltage will power the vital bus.
120V AC Vital Bus 1-IV | MCC 1J1-1, MCC 1J1-2, DC Bus B | None | Vital bus supplied by an uninterruptible power supply fed by three sources. Whichever source has the highest voltage will power the vital bus.
DC Bus A | MCC 1H1-1, MCC 1H1-2 via uninterruptible power supplies 1A1, 1A2 | Battery A |
DC Bus B | MCC 1J1-1, MCC 1J1-2 via uninterruptible power supplies 1B1, 1B2 | Battery B |

Technical Specifications require all three diesel generators to be operable. However, one diesel may be taken out of service for a limited period of time. This was incorporated into the analysis by excluding any combination of unavailability of more than one diesel generator due to maintenance activities.

4.6.8.4 EPS Logic Model

The EPS is a support system that interfaces with almost all front line safety systems and support systems. The events identified for the EPS system represent the modeled interfaces of the EPS system with the system requiring electrical power. These interfaces were modeled to the Motor Control Center level. The fault trees modeling these events are located in Appendix B. The developed events contained in the fault trees correspond to the following:

ACP-TAC-LP-4KV1H - Failure of 4160 VAC Bus 1H
ACP-TAC-LP-4KV1J - Failure of 4160 VAC Bus 1J
ACP-TAC-LP-STB1H - Failure of 4160 VAC Stub Bus 1H
ACP-TAC-LP-STB1J - Failure of 4160 VAC Stub Bus 1J
ACP-TAC-LP-1H1-1 - Failure of 480 VAC MCC 1H1-1
ACP-TAC-LP-1H1-2 - Failure of 480 VAC MCC 1H1-2
ACP-TAC-LP-1J1-1 - Failure of 480 VAC MCC 1J1-1
ACP-TAC-LP-1J1-2 - Failure of 480 VAC MCC 1J1-2
ACP-TAC-LP-4801H - Failure of 480 VAC Bus 1H
ACP-TAC-LP-4801J - Failure of 480 VAC Bus 1J
ACP-TAC-LP-BUS1I - Failure of 120 VAC Vital Instrumentation Bus 1-I
ACP-TAC-LP-BS1II - Failure of 120 VAC Vital Instrumentation Bus 1-II
ACP-TAC-LP-BSIII - Failure of 120 VAC Vital Instrumentation Bus 1-III
ACP-TAC-LP-BS1IV - Failure of 120 VAC Vital Instrumentation Bus 1-IV
DCP-TDC-LP-BUS1A - Failure of 125 VDC Bus 1A
DCP-TDC-LP-BUS1B - Failure of 125 VDC Bus 1B

The EPS model described above only models the EPS at Unit 1, with the dedicated diesel generator at Unit 1 and the swing diesel generator included. The model was used in conjunction with the other fault trees developed.

Separate Boolean expressions were developed to model Station Blackout (SBO) initiating event frequencies for SBO at Unit 1 only, and SBO at Units 1 and 2. Both Station Blackout equations take into account all three diesel generators on the site.
* Station blackout*at Unit 1 (SBO-Ul) was defined as failure of diesel generator 1 and 3 to provide power to Unit 1 following a loss of offsite power. As stated,.in the assumptions, diesel genera tor 3 was assumed to be unavailable if diesel genera tor 2 failed. The frequency of SBO-Ul was calculated from the following Boolean equation: SBO-Ul = Loss of Offsite Power* ((OEP-DGN-FS-DGOl
+ OEP-DGN-FR-DGOl
+ OE.P-DGN-MA-DGOl
+ OE.P-CRB-FT-1.5H3)
* (OE.P-DGN-FS-DG02
+ OE.P-DGN-FR-DG02
+ OE.P-DGN-MA-DG02
+ OE.P.;.CRB-FT-2.5H3
+ OE.P-DGN-FS-DG03
+ OE.P-DGN-FR-DG03
+ OE.P-DGN-MA-DG03
+ OEP-CRB-FT-1.5J3)
+ OEP-DGN-FS*BET A2DG)). Double test and maintenance activities were removed from the resultant product. Also, complementary events were included, as necessary, to,be sure that SB0-U1U2 was not a subset of SBO-Ul. The resultant SBO-Ul expression is shown in Appendix B.
Station blackout at Units 1 and 2 (SBO-U1U2) was defined as failure of all three diesel generators following a loss of offsite power. The frequency of SBO-U1U2 was calculated from the following Boolean equation:

SBO-U1U2 = Loss of Offsite Power * ((OEP-DGN-FS-DG01
                                     + OEP-DGN-FR-DG01
                                     + OEP-DGN-MA-DG01
                                     + OEP-CRB-FT-15H3)
                                  * (OEP-DGN-FS-DG02
                                     + OEP-DGN-FR-DG02
                                     + OEP-DGN-MA-DG02
                                     + OEP-CRB-FT-25H3)
                                  * (OEP-DGN-FS-DG03
                                     + OEP-DGN-FR-DG03
                                     + OEP-DGN-MA-DG03
                                     + OEP-CRB-FT-15J3)
                                  + (OEP-DGN-FS*BETA3DG)).

Double and triple test and maintenance activities were removed from the resultant product. The fault trees described above and the expanded Boolean expressions for station blackout are shown in Appendix B. The specific assumptions used to develop the EPS fault trees are included in the following section.

4.6.8.5 Assumptions in EPS System Model

In addition to the general modeling groundrules made in the analysis and previously discussed in Section 4.6.1, several system specific assumptions were made in the course of the analysis.
These specific assumptions made in the EPS analysis were as follows:
1. Failure of diesel generator 2 would result in the inability of diesel generator 3 to supply to Unit 1. Note that this assumption is conservative because if diesel generator 2 failed to run, but had a successful start, then diesel generator 3 could have been aligned to Unit 1 initially.
2. Diesel generator mission time was 6 hours for loss of offsite power (T1) events. See Appendix D for discussion.
3. The stub buses must be manually reloaded on the main buses following a loss of offsite power.
4. Battery depletion time was assessed to be 4 hours.
5. Cross connecting of buses was not considered.
6. Shorts in buses and motor control centers were postulated to fail only their respective bus or MCC and not fail the power source to the bus or MCC.
7. Actuation failures for diesel generators were not explicitly included. The failure probability for DG fail to start was considered to include actuation failures.
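The expansion that the two station blackout equations and assumption 1 describe, as an added Python example (not code from the report): it multiplies SBO-U1 and SBO-U1U2 out into cut sets, drops every combination with more than one diesel in maintenance, and shows that the independent-failure cut sets of SBO-U1U2 also satisfy SBO-U1, which is the overlap the complementary events are meant to remove. The helper names, the use of the "-MA-" events as the test and maintenance events, and the treatment of OEP-DGN-FS*BETA2DG and OEP-DGN-FS*BETA3DG as two-event products are assumptions.

```python
from itertools import product

LOSP = "Loss of Offsite Power"  # initiating event, named as in the equations


def ev(name):
    """A basic event, represented as a one-element list of cut sets."""
    return [frozenset([name])]


def OR(*terms):
    """Boolean sum: the cut sets of all operands side by side."""
    return [cs for term in terms for cs in term]


def AND(*terms):
    """Boolean product: one cut set per combination of operand cut sets."""
    return [frozenset().union(*combo) for combo in product(*terms)]


def train(dg, breaker):
    """The four events the equations list for one diesel generator."""
    return OR(ev(f"OEP-DGN-FS-{dg}"), ev(f"OEP-DGN-FR-{dg}"),
              ev(f"OEP-DGN-MA-{dg}"), ev(f"OEP-CRB-FT-{breaker}"))


DG1 = train("DG01", "15H3")
DG2 = train("DG02", "25H3")
DG3 = train("DG03", "15J3")


def maintenance_count(cut_set):
    # Assumption: the "-MA-" events are the test and maintenance outages.
    return sum("-MA-" in event for event in cut_set)


def prune(cut_sets):
    """Remove multiple-maintenance cut sets, then any non-minimal cut set."""
    kept = {cs for cs in cut_sets if maintenance_count(cs) <= 1}
    minimal = [cs for cs in kept if not any(other < cs for other in kept)]
    return sorted(minimal, key=lambda cs: (len(cs), sorted(cs)))


def sbo_u1():
    # DG1 fails AND (DG2 fails OR DG3 fails): assumption 1 makes a DG2
    # failure equivalent to DG3 being unavailable to Unit 1.
    common_cause = AND(ev("OEP-DGN-FS"), ev("BETA2DG"))
    return prune(AND(ev(LOSP), OR(AND(DG1, OR(DG2, DG3)), common_cause)))


def sbo_u1u2():
    # All three diesel generators fail.
    common_cause = AND(ev("OEP-DGN-FS"), ev("BETA3DG"))
    return prune(AND(ev(LOSP), OR(AND(DG1, DG2, DG3), common_cause)))


def overlap(u1u2, u1):
    """SBO-U1U2 cut sets that contain (and so satisfy) an SBO-U1 cut set."""
    return [cs for cs in u1u2 if any(small <= cs for small in u1)]


if __name__ == "__main__":
    u1, u1u2 = sbo_u1(), sbo_u1u2()
    print(len(u1), "SBO-U1 cut sets,", len(u1u2), "SBO-U1U2 cut sets")
    print(len(overlap(u1u2, u1)), "SBO-U1U2 cut sets also satisfy SBO-U1")
    for cs in u1[:5]:
        print("  " + " * ".join(sorted(cs)))
```

Without complementary events, every SBO-U1U2 cut set except the three-diesel common cause term would be counted again under SBO-U1.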
4.6.8.6 EPS Operating Experience

Plant specific data for diesel generator failure to start was obtained from Surry plant test data. The data development of diesel generator failure to start probability is shown in Appendix D.1.

4.6.9 High Pressure Injection/Recirculation System Model

The Surry charging system provides normal coolant makeup to the reactor coolant system (RCS) and cooling flow to the reactor coolant pump (RCP) seals under normal operating conditions. The high pressure injection/recirculation (HPI/HPR) system uses the same charging pumps to provide primary coolant injection and recirculation following an accident, as well as maintaining flow to the RCP seals. The HPI system also functions to deliver boric acid to the RCS from the boric acid transfer system if emergency boration is required. The HPI/HPR system is a front line system designed to provide coolant makeup, core heat removal early and late, or emergency boration for shutdown.
The following sections provide a physical description of the HPI/HPR system, identify interfaces and dependencies of the HPI/HPR system with other front line and support systems, list any operational constraints on the HPI/HPR system, provide a description of the fault tree model constructed for the HPI/HPR system, identify any HPI/HPR system specific assumptions, and describe the operational experience available for the HPI/HPR system.

4.6.9.1 HPI/HPR System Description

Under normal operating conditions, one of the three charging pumps provides normal RCS makeup and cooling to the RCP seals by taking suction from the volume control tank (VCT) through two motor operated valves (MOVs) in series. Upon indication of a loss of RCS coolant or steam line break (i.e., low pressurizer level, high containment pressure, high pressure differential between main steam header and any steam line, or high steam flow with low average coolant temperature or low steam line pressure), the safety injection actuation system (SIAS) initiates emergency coolant injection.
Emergency coolant injection differs from normal coolant makeup in three ways. First, the suction source is the refueling water storage tank (RWST) rather than the Volume Control Tank (VCT). Second, the pump discharge is directed to the cold legs instead of the Loop 2 hot leg. Finally, the emergency injection flow is from two pumps and is not throttled.
The SIAS signals the normal charging line isolation valves to close, the standby charging pumps to start, the valves from the VCT to close, the normally open pump inlet and outlet MOVs to open, and a parallel set of normally closed MOVs to open to provide suction from the RWST. Also on receipt of an SIAS signal, a parallel set of normally closed MOVs open to provide flow from the pump discharge header to the three RCS cold legs. An additional path to the RCS cold legs through a manually operated, normally closed MOV is also available.
Flow through this line to the RCS is treated as a recovery action. The line to the RCP seals remains open throughout the event. The HPI system may also be used in the "feed and bleed" cooling mode to provide core heat removal early. The only difference in this mode of operation from that discussed above is that a SIAS signal is not necessarily generated so the HPI system must be manually placed in service. In the recirculation mode of operation, the HPR is used to provide core heat removal late in an accident sequence.
The charging pumps draw suction from the discharge of the low pressure safety injection pumps in the low pressure recirculation (LPR) system. Upon receipt of a low RWST level signal, the recirculation mode transfer (RMT) system signals the charging pump suction valves from the RWST to close and the suction valves from the LPR pump discharges to open. The HPR pumps discharge to the cold leg or the hot leg during recirculation.
In the emergency boration mode, the HPI is used for emergency shutdown of the reactor. The HPI functions as described in the HPI description above with the exception that the boric acid transfer (BAT) pumps deliver boric acid from the BAT tanks to the charging pump suction header. To perform this operation, the operator must switch the normally operating BAT pump to fast speed operation and open the MOV allowing flow into the charging pump suction header. To enhance boric acid addition to the RCS, the emergency procedure calls for the RCS power operated relief valves to be opened (to provide pressure reduction).
A simplified schematic of the HPI/HPR system, including the relevant portions of the BAT system, is presented in Figure 4.6-12.

4.6.9.2 HPI/HPR System Interfaces and Dependencies

The HPI system interfaces with the containment spray system and the low pressure injection system at the common RWST via a shared valve. The HPR system interfaces with the low pressure recirculation system at the recirculation suction valves for the HPR. The HPI system is dependent on the RWST for fluid inventory, and the charging pump cooling system for charging pump seal cooling and lube oil cooling. The HPI system is also dependent on the AC power buses for motive power to the HPI pumps and motive and control power to the MOVs in the HPI system, the DC power buses for control power to the HPI pumps, and the SIAS for actuation of the HPI components.
The HPR system is dependent on the low pressure recirculation system for fluid inventory, and the charging pump cooling system for charging pump seal cooling and lube oil cooling. The HPR system is also dependent on the AC power buses for motive power to the HPR pumps and motive and control power to the MOVs in the HPR system, the DC power buses for control power to the HPR pumps, and the RMT for actuation of the HPR switchover from injection.
Additionally, for the emergency boration mode of HPI operation, the HPI is dependent on the primary pressure relief system to provide sufficient pressure reduction to allow for the timely injection of boric acid. These dependencies and specific train assignments are shown in the system dependency diagram in Figure 4.6-13 and the component status and dependency summary in Table 4.6-11.

4.6.9.3 HPI/HPR System Operational Constraints

Technical Specifications require two charging pumps to be operable at all times. This is incorporated into the model of the HPI by allowing only one charging pump to be initially unavailable due to test or maintenance activities.
Technical Specifications also require that when Unit 1 is at power, at least one HPI/HPR pump at Unit 2 must be operable.
This is incorporated when considering Unit 2 in the recovery analysis.
The Surry HPI/HPR system is limited to the simultaneous operation of two of the three charging pumps. Further, the two operating pumps must be powered from different 4160 VAC buses. The third charging pump is placed in the "pull locked" position, i.e., the switch is placed in the off position.
In this position, the pump is considered to be operable since the pump remains aligned to an AC bus and an SIAS actuation signal is present. Once the switch is returned to the "auto" position, if the SIAS signal has not been cleared, the pump will automatically start.

4.6.9.4 HPI/HPR System Logic Models

The success criteria for the Surry HPI/HPR vary depending on the application in the event tree analysis.
The success criteria for the HPI modes of operation require flow from any one of three charging pumps to the RCS cold legs in response to a LOCA (automatic actuation), flow from any one of three charging pumps to the RCS cold legs in the "feed and bleed" mode (manual actuation), flow from any one of the three charging pumps to the RCP seals, or flow from any one of three charging pumps to the RCS with flow from one of two BAT pumps operating at fast speed (emergency boration mode). These success criteria translate into the following top events in the HPI fault trees:

    Failure to provide sufficient high pressure flow to the cold legs from at least one charging pump, given demand for automatic actuation.
    Failure to provide sufficient high pressure flow to the cold legs from at least one charging pump, given no demand for automatic actuation.
    Failure to continue to provide seal injection flow from at least one charging pump.
    Failure to provide sufficient emergency boration flow.

The success criterion for the HPR mode of operation is continued flow from any one of the three charging pumps taking suction from the discharge of the low pressure recirculation system, given successful low pressure recirculation system operation. This success criterion translates into the following top event in the HPR fault tree:

    Insufficient flow from at least one charging pump in the recirculation mode, given successful operation of the low pressure recirculation system.

The fault trees developed for these top events are shown in Appendix B. The fault trees were developed for failure of the Unit 1 HPI/HPR system. A Boolean expression was developed for the Unit 2 HPI system to model RCP seal cooling from Unit 2 during station blackout. This Boolean equation is shown in Appendix B. The specific assumptions used to develop the HPI/HPR fault trees are included in the following section.

[Figure 4.6-12 and Figure 4.6-12 (Cont'd): HPI/HPR System Simplified Sketch. Schematic not reproduced. Figure note: pipe segment (PSXX) refers to piping and components between nodes.]

[Figure 4.6-13: HPI/HPR System Dependency Diagram. Diagram not reproduced.]

Table 4.6-11 HPI/HPR Component Status And Dependency Summary

COMPONENT    NORMAL STATUS       ACTUATION       DEPENDENCIES
Pumps:
1-CH-P-1A    Normally Operating  SIS-A           4160V Bus 1H, SIS-A, DC Bus 1A, CPC System
1-CH-P-1B    Standby             SIS-B           4160V Bus 1J, SIS-B, DC Bus 1B, CPC System
1-CH-P-1C    Locked Out in CR    SIS-A, B        4160V Bus 1H, 1J, SIS-A, -B, DC Bus 1A, 1B, CPC System
MOVs:
1115B        NC/FAI              SIS-A, RMT-A    MCC 1H1-2, SIS-A, RMT-A
1115D        NC/FAI              SIS-B, RMT-B    MCC 1J1-2, SIS-B, RMT-B
1115C        NO/FAI              SIS-A           MCC 1H1-2, SIS-A
1115E        NO/FAI              SIS-B           MCC 1J1-2, SIS-B
1267A        NO/FAI              R. Manual       MCC 1H1-2
1269A        NO/FAI              R. Manual       MCC 1J1-2
1270A        NO/FAI              R. Manual       MCC 1H1-2
1267B        LO/FAI              R. Manual       MCC 1H1-2
1269B        LO/FAI              R. Manual       MCC 1J1-2
1270B        LO/FAI              R. Manual       MCC 1J1-2
1286A        NO/FAI              R. Manual       MCC 1H1-2
1287A        NO/FAI              R. Manual       MCC 1H1-2
1286B        NO/FAI              R. Manual       MCC 1J1-2
1287B        NO/FAI              R. Manual       MCC 1J1-2
1286C        NO/FAI              R. Manual       MCC 1H1-2
1287C        NO/FAI              R. Manual       MCC 1J1-2
1370         NO/FAI              R. Manual       MCC 1H1-2
1289A        NO/FAI              R. Manual       MCC 1H1-2, SIS-A
1289B        NO/FAI              R. Manual       MCC 1J1-2, SIS-B
1867C        NC/FAI              R. Manual       MCC 1H1-1, SIS-A
1867D        NC/FAI              R. Manual       MCC 1J1-1, SIS-B
1842         NC/FAI              R. Manual       MCC 1H1-2
1869A        LC/FAI              R. Manual       MCC 1H1-1
1869B        LC/FAI              R. Manual       MCC 1J1-1
1863A        NC/FAI              RMT-A           MCC 1H1-2, RMT-A
1863B        NC/FAI              RMT-B           MCC 1J1-2, RMT-B
AOVs:
TV SI-102A   NC/FO               R. Manual       Instrument Air, DC Bus 1A
TV SI-102B   NC/FO               R. Manual       Instrument Air, DC Bus 1B

4.6.9.5 Assumptions in HPI/HPR System Models

In addition to the general modeling groundrules made in the analysis and previously discussed in Section 4.6.1, several system specific assumptions were made in the course of the analysis.
The specific assumptions made in the HPI/HPR analysis were as follows:
1. Initial charging pump configuration considered in the analysis is that pump 1A is operating, pump 1B is in standby and pump 1C is "pull locked" and aligned to the 1H bus.
2. Charging pumps are rotated regularly during normal operation to achieve balanced service times.
3. Failure to close the normal charging flow line does not constitute a flow diversion pathway.
4. Minimum flow lines on the charging pump discharge do not represent a significant flow diversion pathway due to flow restriction orifices.
5. Room cooling is not required for the charging pumps due to the open communication with a large open area, resulting in long heat-up times. The plant ran the charging pumps successfully for several years before installing an air cooling system for the charging pumps.
6. The probability of all three parallel cold leg injection lines, each with two check valves and a locked open manual valve, failing to permit flow is considered negligible compared to other system faults.
7. Valves 1115B and 1115D are interlocked with valves 1115C and 1115E such that B and D will not open if C or E are not closed. However, the C and E valves are provided with redundant limit switches and the probability of all four limit switches failing was considered negligible compared to the valve failure probabilities.
8. Switchover to the RWST from the VCT will occur upon indication of low VCT level regardless of the presence or absence of an SIAS signal.
9. When charging pump 1C is not operating (pull locked), it is aligned to be powered from the bus powering the operating charging pumps. Pump 1C is not considered as the standby pump during normal operation except in the case of outage of the 1A or 1B charging pumps.
10. Use of MOV 1842 for cold leg injection, the cross connect with the Unit 2 RWST, and the cross connect of the Unit 2 charging pumps were treated as recovery actions in the accident sequence analysis as necessary.
11. For the emergency boration analysis, one boric acid transfer pump is normally operating and the manual valving arrangement is such that only the running pump can provide flow without manual realignment. Since the time period of interest is 10 minutes, no recovery actions for manual realignment were postulated.
12. Sufficient emergency boration can be accomplished through either the normal charging flow path or through the injection flow path.
13. No SIAS signal was assumed to occur in those cases where emergency boration was required.
14. No faults were postulated in the normal flow line to the RCS pump seals since the line is normally in use and the valves fail in the position such that they allow flow to the seals.
15. Regardless of the status of an SIAS signal, the standby charging pump will automatically start on loss of the operating charging pump.
16. The HPI/HPR pumps are lubricated off of a shaft driven oil pump during normal operation. The HPI/HPR Auxiliary oil pump is used on system startup. It was judged that failure of the auxiliary oil pump would not fail the HPI/HPR pump.
17. It was considered that the Unit 2 HPI/HPR system is symmetrical to the Unit 1 HPI/HPR system. This consideration was used when modeling HPI from Unit 2.

4.6.9.6 HPI/HPR System Operating Experience

Since the Surry HPI/HPR system includes the normally operating charging pumps, significant operating experience was available from plant data to justify the use of plant specific failure data for the charging pumps. No other applicable operating experience was found for the HPI/HPR system. See Appendix D for development of the plant specific data.

4.6.10 Inside Spray Recirculation System Model

The inside spray recirculation (ISR) system provides long term containment pressure reduction and containment heat removal following an accident by drawing water from the containment sump and spraying the water into the containment atmosphere. Heat is removed from the sump water through service water cooled heat exchangers. The ISR system is a front line system designed to protect the containment.
The following sections provide a physical description of the ISR system, identify the interfaces and dependencies of the ISR system with other front line and support systems, list any operational constraints on the ISR system, provide a description of the fault tree model constructed for the ISR system, identify the ISR specific assumptions, and describe the operational experience available for the ISR system.

4.6.10.1 ISR Description

The Surry ISR system is composed of two independent 100% capacity recirculation spray trains. Each spray train draws water from the containment sump through independent suction strainers and lines. The ISR and outside spray recirculation (OSR) systems draw from the same sump, although the sump is compartmentalized and each ISR train has a separate sump compartment.
Each ISR system pump discharges to a service water heat exchanger.
The cooled water is then directed to an independent spray header. In order to ensure adequate net positive suction head for the ISR pumps during the initial phases of a loss of coolant accident (LOCA), a recirculation line diverts a small amount of the cooled ISR flow back to the sump, close to the pump inlet. A simplified schematic of the ISR system is shown in Figure 4.6-14. The ISR system automatically starts on receipt of a hi-hi (25 psia) containment pressure signal from the consequence limiting control system (CLCS). The CLCS signals start the ISR pumps. An agastat timer in the pump start circuit delays pump start for two minutes to ensure adequate sump inventory in the design basis scenario, and the correct diesel generator loading sequence in the event of loss of offsite power.

4.6.10.2 ISR System Interfaces and Dependencies

The ISR system is dependent on the injection systems for sump inventory and the service water system for cooling of the sump water. The ISR system also depends on the AC power buses for motive power to the ISR pumps, the DC power buses for control power to the ISR pumps, and the CLCS for actuation of the ISR pumps. These dependencies and specific train assignments are shown in the system dependency diagram in Figure 4.6-15 and the component status and dependency summary in Table 4.6-12.
[Figure 4.6-14: ISR System Simplified Sketch. Schematic not reproduced.]

[Figure 4.6-15: ISR System Dependency Diagram. Diagram not reproduced.]

Table 4.6-12 ISR Component Status And Dependency Summary

COMPONENT    NORMAL STATUS    ACTUATION                        DEPENDENCIES
Pumps:
1-RS-P-1A    Standby          CLS-Hi-Hi, 2 min. time delay     480V Bus 1H, CLS-Hi-Hi-2A, DC Bus 1A
1-RS-P-1B    Standby          CLS-Hi-Hi, 2 min. time delay     480V Bus 1J, CLS-Hi-Hi-2B, DC Bus 1B

4.6.10.3 ISR System Operational Constraints

The only operational constraint utilized for the ISR system model is that Technical Specifications require one train of the ISR system be operable at all times, i.e., only one train can be removed from service for maintenance at any one time. This is incorporated into the model of the ISR system by allowing only one ISR pump to be initially unavailable due to test or maintenance activities.
4.6.10.4 ISR System Logic Model

The success criterion for the Surry ISR system is the same for each application in the event tree analysis. The success criterion is that at least one of the two ISR trains provides flow to its containment spray header with service water being supplied to the heat exchanger. This translates into the following top event in the ISR fault tree:

    F1 - Insufficient flow or cooling from at least one ISR train.

The fault tree developed for this top event is shown in Appendix B. The specific assumptions used to develop the ISR fault tree are included in the following section.

4.6.10.5 Assumptions in ISR System Model

In addition to the general modeling groundrules made in the analysis and previously discussed in Section 4.6.1, several system specific assumptions were made in the course of the analysis.
The specific assumptions made in the ISR system analysis were as follows:
1. The ISR pumps are environmentally qualified for a post-LOCA atmosphere and as such do not require room cooling.
2. Due to flow restriction orifices, the recirculation lines to the sump do not constitute flow diversion pathways.
3. If cooled flow from the recirculation line is not provided to the pump suction during the early phases of a LOCA, sufficient net positive suction head is not available to the ISR pumps and the pumps were estimated to fail. Plugging of the lines is considered negligible.
4. The probability of plugging of sufficient nozzles in a spray header to prevent an ISR system train from performing its function was considered negligible.

4.6.10.6 ISR Operating Experience

Plant specific operational data derived from monthly pump test records of the ISR pumps indicated a significant difference from the generic data. Therefore plant-specific data was used in the analysis. The development of the plant specific data is shown in Appendix D.1.
4.6.11 Low Pressure Injection/Recirculation System Model

The Surry low pressure injection/recirculation (LPI/LPR) system provides emergency coolant injection and recirculation following a loss of coolant accident when the reactor coolant system (RCS) depressurizes below 180 psig. In addition to the direct recirculation of coolant during the recirculation phase once the RCS is depressurized, the LPR discharge provides the suction source for the high pressure recirculation system (HPR) following drainage of the refueling water storage tank (RWST). The LPI/LPR system is a front line system designed to provide coolant makeup and core heat removal. The following sections provide a physical description of the LPI/LPR system, identify the interfaces and dependencies of the LPI/LPR system with other front line and support systems, list any operational constraints on the LPI/LPR system, provide a description of the fault tree model constructed for the LPI/LPR system, identify the LPI/LPR system specific assumptions, and describe the operational experience available for the LPI/LPR system.

4.6.11.1 LPI/LPR Description

The Surry LPI/LPR system is composed of two 100% capacity pump trains. In the injection mode, the pump trains share a common suction header from the RWST. Each pump draws suction from the header through a normally open motor operated valve (MOV), check valve, and locked open manual valve in series. Each pump discharges through a check valve and normally open MOV in series to a common injection header. The injection header contains a locked open MOV and branches to three separate lines, one to each cold leg. Each of the lines to the cold legs contains two check valves in series to provide isolation from the high pressure RCS. The LPI/LPR system is not cooled by any other system. In the recirculation mode, the pump trains draw suction from the containment sump through a parallel arrangement of suction lines to a common header. Flow from the suction header is drawn through a normally closed MOV and check valve in series. Discharge of the pumps is directed to either the cold legs through the same lines used for injection or to a parallel set of headers which feed the charging pumps, depending on the RCS pressure.
In the hot leg injection mode, system operation is identical to normal recirculation with the exception that the normally open cold leg injection valve must be remote manually closed and one or more normally closed hot leg recirculation valves must be remote manually opened. Upon indication of a loss of RCS coolant or a main steam line break (i.e., low pressurizer level, high containment pressure, high pressure differential between main steam header and any steam line or high steam flow with low average coolant temperature or low steam line pressure), the safety injection actuation system (SIAS) initiates LPI tion. The SIAS signals the low pressure pumps to start. All valves are normally aligned to their injection position.
If primary system pressure remains above the LPI pump shutoff head, the pumps will discharge to the RWST through two normally open minimum flow recirculation lines until the RCS pressure is sufficiently reduced to allow inflow. Upon receipt of a low RWST level signal, the recirculation mode transfer system (RMT) signals the low pressure pump suction valves from the RWST and the valves in the minimum flow recirculation lines to the RWST to close, and the suction valves from the containment sump to open.
At approximately 16 hours following the start of the accident, the emergency procedures call for switchover from cold leg recirculation to hot leg recirculation. The operator must restore power to valves 1890 A, B, and C, open 1890 A and B, and close 1890C. A simplified schematic of the LPI/LPR system is shown in Figure 4.6-16.

4.6.11.2 LPI/LPR Interfaces and Dependencies

The LPI system interfaces with the containment spray system and the high pressure injection system at the common RWST via a shared valve. The LPI system is dependent on the RWST for fluid inventory and the SIAS for actuation of the LPI components.
The LPR system interfaces with the high pressure recirculation system at the recirculation suction valves for the HPR. Both the LPI and LPR systems depend on the AC power buses for motive power to the LPI/LPR pumps, and motive and control power to the MOVs in the LPI/LPR system, and the DC power buses for control power to the LPI/LPR pumps. The LPR system is dependent on the injection systems for sump inventory and the RMT for actuation of the LPR switchover from injection.
These dependencies and specific train assignment are shown in the system dependency diagram in Figure 4.6-17 and the component status and dependency summary in Table 4.6-13. The net positive suction head (NPSH) requirements for the LPI/LPR pumps are met during the recirculation phase of a LOCA, given that the RWST contents have been injected into containment.
For those containment vulnerable sequences, where containment fails due to overpressure, it was determined that NPSH requirements do not prevent LPR operation, not only throughout the overpressure period, but after containment failure.

4.6.11.3 LPI/LPR Operational Constraints

The only operational constraint utilized in the LPI/LPR system model is that Technical Specifications require both trains of the LPI/LPR system to be operable at all times. This is incorporated into the model of the LPI/LPR system by allowing only one LPI/LPR pump to be initially unavailable due to test or maintenance activities.
4.6.11.4 LPI/LPR Logic Models

The success criteria for the Surry LPI/LPR vary depending on the application in the event tree analysis. The success criterion for the LPI mode of operation is flow from one or more low pressure pumps to the RCS cold legs in response to a loss of primary coolant inventory. This success criterion translates into the following top event in the LPI fault tree:

    Insufficient flow from at least one low pressure pump to the cold legs.

The success criteria for the LPR modes of operation are continued flow from either of the two low pressure pumps to the cold legs and switchover to hot leg recirculation at 16 hours or sufficient flow from either of the two low pressure pumps to the charging pump suction header.

[Figure: simplified schematic of the LPI/LPR system, showing low pressure pump 1-SI-P-1A (MDPSI1A) and its valves, the sump suction, the discharge paths to cold leg loops 1 to 3 and hot leg loops 1 to 3, and the supply to the charging pump inlet header. The drawing is not recoverable from the extracted text.]

[Figure 4.6-17 LPI/LPR System Dependency Diagram. Front line items: LPI/LPR pump trains 1A and 1B; LPI/LPR to hot legs (pump 1A to 6" SI-49-1502, pump 1A to 6" SI-48-1502, pump 1B to 6" SI-49-1502, pump 1B to 6" SI-48-1502). Support systems: safety injection actuation system (A, B), AC emergency power (1H, 1J), DC emergency power (1A, 1B), recirculation mode transfer system (A, B). The dependency matrix itself is not recoverable from the extracted text.]

Table 4.6-13
LPI/LPR Component Status And Dependency Summary

| COMPONENT | NORMAL STATUS | ACTUATION | DEPENDENCIES |
|---|---|---|---|
| Pumps: | | | |
| 1-SI-P-1A | Standby | SIS-A | 480V Bus 1H, DC Bus 1A, SIS-A |
| 1-SI-P-1B | Standby | SIS-B | 480V Bus 1J, DC Bus 1B, SIS-B |
| MOVs: | | | |
| 1862A | NO/FAI | R. Manual, RMT-A | MCC-1H1-2, RMT-A |
| 1862B | NO/FAI | R. Manual, RMT-B | MCC-1J1-2, RMT-B |
| 1864A | NO/FAI | R. Manual | MCC-1H1-2 |
| 1864B | NO/FAI | R. Manual | MCC-1J1-2 |
| 1890A | NC/FAI | R. Manual | MCC-1H1-2 |
| 1890B | NC/FAI | R. Manual | MCC-1J1-2 |
| 1890C | NO/FAI | R. Manual | MCC-1H1-2 |
| 1885A | NO/FAI | RMT-A | MCC-1H1-2, RMT-A |
| 1885B | NO/FAI | RMT-B | MCC-1J1-2, RMT-B |
| 1885C | NO/FAI | RMT-A | MCC-1H1-2, RMT-A |
| 1885D | NO/FAI | RMT-B | MCC-1J1-2, RMT-B |
| 1860A | NC/FAI | RMT-A | MCC-1H1-2, RMT-A |
| 1860B | NC/FAI | RMT-B | MCC-1J1-2, RMT-B |
| 1863A | NC/FAI | RMT-A | MCC-1H1-2, RMT-A |
| 1863B | NC/FAI | RMT-B | MCC-1J1-2, RMT-B |

These success criteria translate into the following top events in the LPR fault trees:

H1 (A, S1 LOCAs) - (LPR-LH Fault Tree): Insufficient flow from at least one low pressure pump to the cold legs from the containment sump or failure to switch to hot leg recirculation at 16 hours.

H1 (S2, S3 LOCAs) - (LPR-HH Fault Tree): Insufficient flow from at least one low pressure pump to the charging pump suction header from the containment sump.

The fault trees developed for these top events are shown in Appendix B. The specific assumptions used to develop the LPI/LPR fault trees are included in the following section.

4.6.11.5 Assumptions in LPI/LPR System Models

In addition to the general modeling groundrules made in the analysis and previously discussed in Section 4.6.1, several system specific assumptions were made in the course of the analysis.
The specific assumptions made in the analysis of the LPI/LPR system were as follows:

1. Failure to close the minimum flow recirculation lines to the RWST during the recirculation phase of a LOCA does not result in failure of the LPI/LPR system due to flow diversion. Failure to close mini-flow lines would result in a minimal flow diversion back to the RWST, which could easily be rectified.
2. Failure of the minimum flow recirculation lines to allow flow during the injection phase (i.e., plugged or closed valves), thereby providing pump protection following an SIAS signal at high RCS pressures, was not postulated. Failure was not postulated since the valves are normally open, lighted and alarmed in the control room if out of normal position, and both lines must fail. The only potential failure mode is plugging and is considered to be statistically negligible, due to the testing frequency.
3. Room cooling for the low pressure pumps is not required.
4. Failure of the LPI due to failure of low pressure pump seal coolers was considered negligible compared to other LPI failures. The seal coolers have a natural circulation air cooler and draw seal water from the pump suction.
5. All LPI/LPR MOVs, with the exception of valves 1864A and 1864B, have position indication in the control room. The valve positions are lighted and alarmed to indicate misalignment of the LPI/LPR system. Therefore inadvertent mispositioning of the MOVs was not postulated in the analysis.
6. Plugging failures due to debris in the sump were included in two ways. First, a common cause failure due to sump plugging was postulated for all systems which rely on the sump, and second, random plugging of sump suction valves was included.

4.6.11.6 LPI/LPR Operating Experience

No pertinent plant specific operational experience of the Surry LPI/LPR system was found.

4.6.12 Outside Spray Recirculation System Model

The outside spray recirculation (OSR) system provides long term containment pressure reduction and containment heat removal following an accident by drawing water from the containment sump and spraying the water into the containment atmosphere. Heat is removed from the sump water through service water cooled heat exchangers.
The OSR system is a front line system designed to protect the containment.
The following sections provide a physical description of the OSR system, identify the interfaces and dependencies of the OSR system with other front line and support systems, list any operational constraints on the OSR system, provide a description of the fault tree model constructed for the OSR system, identify the OSR system specific assumptions, and describe the operational experience available for the OSR system.

4.6.12.1 OSR System Description

The Surry OSR system is composed of two independent, 100% capacity recirculation spray trains. The spray trains draw water from the containment sump through two parallel suction strainers and lines which are headered together.
The OSR and inside spray recirculation (ISR) systems draw from the same sump, although the sump is compartmentalized.
Each OSR train has its own separate compartment.
Each OSR system pump has an individual suction line from the header with a normally open motor operated valve (MOV). Each pump discharges through a normally open MOV, check valve, and a service water heat exchanger.
The cooled water is then directed to an independent spray header. In order to ensure adequate net positive suction head for the OSR system pumps during the early phase of a loss of coolant accident (LOCA), a line is provided which diverts a small amount of the cool CSS flow to the sump, close to the pump suction strainers.
A simplified schematic of the OSR system is shown in Figure 4.6-18. The OSR system automatically starts on receipt of a hi-hi (25 psia) containment pressure signal from the consequence limiting control system (CLCS). The CLCS signals start the OSR system pumps and ensure that the pump inlet and discharge valves are open. An agastat timer in the pump start circuit delays pump start for five minutes to ensure adequate sump inventory and the correct diesel generator loading sequence in the event of loss of offsite power.

4.6.12.2 OSR System Interfaces and Dependencies

The OSR system is dependent on the injection systems for sump inventory, the containment spray system (CSS) for adequate net positive suction head (NPSH) during the early phase of a large LOCA, and the service water system for cooling of the sump water. The NPSH related dependency on the CSS was conservatively used for all size LOCAs, not only the large LOCA. The OSR system also depends on the AC power buses for motive power to the OSR system pumps and motive and control power to the OSR system MOVs, the DC power buses for control power to the OSR system pumps, and the CLCS for actuation of the OSR system pumps. These dependencies and specific train assignments are shown in the system dependency diagram in Figure 4.6-19 and the component status and dependency summary in Table 4.6-14.

[Figure 4.6-18: simplified schematic of the OSR system, showing the pumps, their inlet and discharge MOVs and check valves, the service water cooled heat exchangers, and the line from the CSS. The drawing is not recoverable from the extracted text.]

[Figure 4.6-19 OSR System Dependency Diagram. Front line items: OSR system trains 2A and 2B. Support systems: consequence limiting control system, AC emergency power (1H, 1J), DC emergency power (1A, 1B), service water system, containment spray system. The dependency matrix itself is not recoverable from the extracted text.]

Table 4.6-14
OSR Component Status And Dependency Summary

| COMPONENT | NORMAL STATUS | ACTUATION | DEPENDENCIES |
|---|---|---|---|
| Pumps: | | | |
| 1-RS-P-2A | Standby | CLS-Hi-Hi-2A, 5 min time delay | 480V Bus 1H, DC Bus 1A, CLS-Hi-Hi-2A, CSS |
| 1-RS-P-2B | Standby | CLS-Hi-Hi-2B, 5 min time delay | 480V Bus 1J, DC Bus 1B, CLS-Hi-Hi-2B, CSS |
| MOVs: | | | |
| RS155A | NO/FAI | CLS-Hi-Hi-2A | MCC-1H1-2, CLS-Hi-Hi-2A |
| RS155B | NO/FAI | CLS-Hi-Hi-2B | MCC-1J1-2, CLS-Hi-Hi-2B |
| RS156A | NO/FAI | CLS-Hi-Hi-2A | MCC-1H1-2, CLS-Hi-Hi-2A |
| RS156B | NO/FAI | CLS-Hi-Hi-2B | MCC-1J1-2, CLS-Hi-Hi-2B |

4.6.12.3 OSR System Operational Constraints

The only operational constraint utilized for the OSR system model is that Technical Specifications require both trains of the OSR system be operable at all times. This is incorporated into the model of the OSR system by allowing only one OSR system pump to be initially unavailable due to test or maintenance activities.

4.6.12.4 OSR System Logic Model

The success criterion for the Surry OSR system is the same for each application in the event tree analysis.
The success criterion is that at least one of the two OSR system trains provides flow to its containment spray header, with service water provided to the heat exchanger.
This translates into the following top event in the OSR system fault tree:

F2 - Insufficient flow and cooling from at least one OSR system train.

The fault tree developed for this top event is shown in Appendix B. The specific assumptions used to develop the OSR system fault tree are included in the following section.

4.6.12.5 Assumptions in OSR System Model

In addition to the general modeling assumptions made in the analysis and previously discussed in Section 4.6.1, several system specific assumptions were made in the course of this analysis.
The specific assumptions made in the OSR system analysis are as follows:

1. Room cooling is not required for operation of the OSR system pumps due to their location in an area where there is open communication to a large area resulting in long heat-up times.
2. CSS flow to the sump region in the area of the OSR pump suction is required to provide adequate net positive suction head to the OSR system pumps during the time of CSS operation.
3. The probability of plugging of sufficient nozzles in a spray header to prevent an OSR system train from performing its function is considered negligible.

4.6.12.6 OSR System Operating Experience

No pertinent plant specific operational experience of the Surry OSR system was found.

4.6.13 Power Conversion System Model

The power conversion system (PCS) can be used to provide feedwater and remove heat from the steam generators following a transient.
The following sections provide a physical description of the PCS, identify the interfaces and dependencies of the PCS with other front line and support systems, list any operational constraints on the PCS, provide a description of the model used in the analysis of the PCS, identify the PCS specific assumptions, and describe the operational experience available for the PCS.

4.6.13.1 PCS Description

Three different aspects of the PCS were modeled for this study: the steam generators (SG) secondary side, portions of the main steam system, and main feedwater (MFW). The steam generators, upstream of the containment isolation valves, were analyzed for possible loss of SG integrity.
In addition to the relief paths discussed below, the following paths provide a potential loss of SG integrity should they fail to isolate: a) steam can flow from the steam generator through a manual isolation valve and check valve to the steam supply for the AFW turbine driven pump, b) flow from the SG blowdown line through the blowdown coolers to the Blowdown Treatment system, and c) flow from a higher pressure SG to a lower pressure SG via a check valve failing to seat in the header which supplies the decay heat removal valve.
The SG relief system is composed of five code safety relief valves and one power operated relief valve (PORV) for each steam generator.
The SG relief valves were modeled for the station blackout and steam generator tube rupture transients.
The PORVs provide SG pressure relief at a set point below the SRVs. Each PORV is provided with a manually operated block valve which is normally open unless a PORV is leaking. The PORVs automatically open on high SG pressure or are manually opened at the direction of the operator.
All of the relief valves are upstream of the main steam header containment isolation valves and all discharge directly to atmosphere outside of the containment.
A portion of the main steam system was analyzed for the operator depressurization and cooldown fault trees. That portion consisted of two separate steam flowpaths:
steam dumped to the main condensers and steam dumped to the atmosphere.
Steam flows to the main condenser via one of two turbine bypass valves during cooldown.
The atmospheric cooldown path uses the SG PORV, if it is available.
The MFW portion consists of the main feedwater pumps, the condensate pumps, the condensate booster pumps, and the hotwell inventory.
Because Surry has electric driven MFW pumps, it is possible to supply feedwater using the MFW system, without having the turbine bypass and steam condensing systems available.
The inventory of the hotwell (with the condensate storage tank as a backup supply) was calculated to be sufficient for all mission times of interest.
The feedwater regulating valves will close after a reactor scram, due to plant control logic. The feedwater pumps remain on, and the miniflow valves will open. Feedwater can then be provided to the SGs, through the feedwater regulating valve bypass valve.

4.6.13.2 PCS Interfaces and Dependencies

The PCS is dependent on DC power and instrument air. However, the system was not explicitly modeled and the dependencies were not developed further than that required on the initiating event level.

4.6.13.3 PCS Operational Constraints

No operational constraints were identified for the Surry PCS.

4.6.13.4 PCS Logic Model

The success criteria for the Surry PCS varied depending on the application in the event tree analysis.
The success criterion for the steam generator portion of the PCS was isolation of all SG effluent lines following a SGTR. Boolean equations were developed to model these events. This success criterion translated into the following top events.

Failure to isolate the SG following a steam generator tube rupture. This includes the PORV and SRV lifting and failing to reclose, failure to isolate the SG blowdown line, failure to isolate the steam supply to the AFW turbine driven pump from the ruptured SG, and failure to stop flow via the decay heat removal line.

Failure of one or more SG relief valves to reclose after opening during station blackout.

The success criterion for main feedwater portion of the PCS is restoration of flow from one or more main feedwater pumps to one or more steam generators.
The following failure event was quantified using the generic failure rates for the equipment and actions required to restore flow as a "black box" model of the top event.

M - Failure of at least one main feedwater pump to provide flow to at least one steam generator.

The success criterion for the main steam system portion of PCS system used in plant cooldown is flow from at least one SG via any one of the atmospheric or condenser paths. This translates into the following top events in the On fault trees.

Failure to cooldown and depressurize the reactor coolant system (RCS) from at least one SG. Event On consists of fault tree On for LOCAs and on-SG for SGTR.
Fault tree On is failure to cooldown from at least one of three SGs. Fault tree on-SG is failure to cooldown and depressurize the RCS from at least one of two SGs.

The fault trees and Boolean equations developed for these top events are shown in Appendix B. The derivation of the failure probability for event M is developed in Appendix n.t. The specific assumptions used to develop the fault trees and equations are included in the following section.

4.6.13.5 Assumptions in PCS System Model

In addition to the general modeling groundrules made in the analysis and previously discussed in Section 4.6.1, several system specific assumptions were made in the course of this analysis.
The specific assumptions made in the PCS system analysis were:

1. Feedwater regulating valves were assumed to close after all reactor trips.
2. The steam generator with the tube rupture was postulated as SG "A".

4.6.13.6 PCS Operating Experience

The Surry operation experience with the SG-PORVs indicated that each block valve is closed approximately 1.5% of the time during reactor operation due to leaking PORVs. This experience was included in the analysis.

4.6.14 Primary Pressure Relief System Model

The primary pressure relief system (PPRS) provides protection from overpressurization of the primary system to ensure that primary integrity is maintained.
The PPRS also provides the means to reduce the reactor coolant system (RCS) pressure if necessary.
The PPRS is a front line system designed to control pressure and aid in core heat removal during "feed and bleed" cooling. The following sections provide a physical description of the PPRS, identify the interfaces and dependencies of the PPRS with other front line and support systems, list any operational constraints on the PPRS, provide a description of the fault tree model constructed for the PPRS, identify the PPRS specific assumptions, and describe the operational experience available for the PPRS.

4.6.14.1 PPRS Description

The Surry PPRS is composed of three code safety relief valves (SRV) and two power operated relief valves (PORVs). The code safety valves were important only in the anticipated transient without scram (ATWS) analysis.
The PORVs provide RCS pressure relief at a set point below the SRVs. The PORVs discharge to the pressurizer relief tank. Each PORV is provided with a motor operated block valve. A simplified schematic of the PPRS is shown in Figure 4.6-20. The PORVs automatically open on high RCS pressure or are manually opened at the discretion of the operator.
The block valves are normally open unless a PORV is leaking.

4.6.14.2 PPRS Interfaces and Dependencies

The PPRS is dependent on the AC power buses for motive and control power to the PORV block valves, DC power for control power to the PORVs, and the containment air system for motive power to the PORVs. However, the PORVs are provided with air bottles sized to provide approximately 80 openings of each valve. Therefore, no dependencies on the containment air system were included in the system models. These dependencies and specific train assignments are shown in the system dependency diagram in Figure 4.6-21 and the component status and dependency summary in Table 4.6-15. The SRVs have no dependencies on any other plant system.

4.6.14.3 PPRS Operational Constraints

No operational constraints were identified for the PPRS.

4.6.14.4 PPRS Logic Model

The success criteria for the Surry PPRS vary depending on the application in the event tree analysis.
The success criterion for the PPRS following a transient event demanding PORV opening is that the PORVs successfully reclose. The success criterion for the PPRS following a very small loss of coolant accident (LOCA) demanding the PORV opening is also that the PORVs successfully reclose. The PORV is likely to be demanded during a very small LOCA if the operator fails to control emergency injection flow. These success criteria translate into the following top events:

Q - One or more PORVs fail to reclose following a transient.

One or more PORVs fail to reclose during a very small LOCA.

[Figure 4.6-20: simplified schematic of the PPRS, showing the pressurizer, safety valves SV 1551A, SV 1551B and SV 1551C, PORVs PCV 1455C and PCV 1456 (FC) with block valves MOV 1535 and MOV 1536, and the discharge to pressurizer relief tank 1-RC-TK-2. The drawing is not recoverable from the extracted text.]

[Figure 4.6-21 Primary Pressure Relief System Dependency Diagram. Front line items: flow path through PORV 1455C, flow path through PORV 1456. Support systems: DC emergency power (1A, 1B), AC emergency power (1H, 1J). The dependency matrix itself is not recoverable from the extracted text.]

Table 4.6-15
PPRS Component Status And Dependency Summary

| COMPONENT | NORMAL STATUS | ACTUATION | DEPENDENCIES |
|---|---|---|---|
| PORVs: | | | |
| PCV-1455C | NC | Opens on high RCS pressure, or at discretion of operator. | DC Bus 1A, Containment air |
| PCV-1456 | NC | Opens on high RCS pressure, or at discretion of operator. | DC Bus 1B, Containment air |
| MOVs: | | | |
| 1535 | Normally open, unless PORV is leaking. 1 block valve closed 30% of time | R. Manual | MCC-1H1-2 |
| 1536 | Normally open, unless PORV is leaking. 1 block valve closed 30% of time | R. Manual | MCC-1J1-2 |
| SRVs: | | | |
| 1551A | NC | Automatic | None |
| 1551B | NC | Automatic | None |
| 1551C | NC | Automatic | None |

The success criteria for the PPRS system to operate on demand are considered next. The success criterion for PPRS following a transient and failure of the AFW system is that both PORVs successfully open on demand. One support system function was also identified for the PPRS in the fault tree for emergency boration mode of the high pressure injection system (HPI) operation.
The success criterion for the PPRS following a small LOCA with failure of the AFW system and for the support system function provided to HPI in the emergency boration mode is that one or more PORVs successfully open on demand. The success criterion for ATWS is that 3 SRVs or 2 SRVs and 2 PORVs open. The PPRS related events are coded with the designator PPS in the fault tree and sequence analysis.
These success criteria translate into the following top events in the PPRS fault trees:

P - Failure of 2 of 2 PORVs to open to support feed and bleed.

P1 - Failure of at least one PORV to open on demand (Note: also serves as a developed event in the D4 fault tree).

P2 - Failure of at least 2 SRVs or failure of 1 SRV and 1 PORV.

The fault trees developed for top events P, P1, and P2 and the Boolean equation for Q are shown in Appendix B. Appendix D.1 shows the derivation of the probability for event Oc.

4.6.14.5 Assumptions in PPRS System Model

No system specific assumptions were made in the course of the PPRS analysis.

4.6.14.6 PPRS Operating Experience

The Surry operation experience with the PORVs and their block valves indicated that each block valve is closed approximately 30% of the time during reactor operation, due to leaking PORVs. This experience was included in the analysis.

4.6.15 Reactor Protection System Model

The reactor protection system (RPS) is designed to automatically scram the reactor following receipt of indications of abnormal conditions.
The Surry RPS was not modeled for this analysis. Generic data derived from NUREG-1000 and the NRC ATWS Rulemaking was used in the analysis.

4.6.15.1 RPS System Description

The RPS is an actuation system that receives signals from several different types of sensors. The sensor signals are combined in various logic matrices which function to trip the control rod drive mechanisms' supply circuit breakers (also called the scram breakers).
In addition to the sensor signals automatically tripping the scram breakers, a circuit is installed that allows the scram breakers to be manually tripped from the control room. For redundant protection, the Surry manual scram circuit also trips the motor generator set which is the power source to the scram breakers.

4.6.15.2 RPS System Interfaces and Dependencies

The RPS system is dependent on the vital AC instrumentation and DC buses for power to the sensors and logic network. These dependencies were not modeled. The combinations of bus failures required to fail the RPS are negligible compared to the RPS system availability.
The only components dependent on the RPS system are the scram breakers which supply power to the control rod drive mechanisms.

4.6.15.3 Operational Constraints

No specific operational constraints were identified for the RPS.

4.6.15.4 RPS Logic Model

The RPS was modeled as a "black box" system using generic data from NUREG-1000 and the NRC ATWS Rulemaking guidelines.
The success criterion is insertion of sufficient number of control rods to make the reactor subcritical.
Two top events were modeled for the two methods of scram, automatic and manual. The automatic scram unavailability of 6E-5 was calculated using the generic data described above. The contribution representing mechanical faults is 1E-5 and the contribution from electrical faults is 5E-5. Mechanical faults include rods binding within their channels and rod drive mechanisms failing to disengage. Electrical faults include contact pairs sticking shut and failure of relays and trip coils. The success criterion translates into the following top event:

K - Failure of the RPS to shutdown the reactor by automatic scram.

The manual scram unavailability was based on human error probabilities applied in recovery of the mechanical and electrical faults. Mechanical faults were considered to be non-recoverable.
Electrical faults were considered to all be recoverable (due to the MG set breaker trip circuit).
The operator error probability for this action is 2.7E-3 and is discussed in Section 4.8. The success criterion translates into the following top event:

R - Failure of the RPS to shutdown the reactor by manual scram.

4.6.15.5 Assumptions in the RPS System Model

In addition to the general modeling groundrules made in the analysis and previously discussed in Section 4.6.1, an important system configuration assumption was made. The circuit which manually trips the motor generator supplying the power to the scram breakers has not yet been installed as of the preparation date of this report. It is budgeted and scheduled for completion during the next refueling outage. The system was analyzed as if the circuit had been installed.

4.6.15.6 RPS Operating Experience

No pertinent plant specific operational experience of the Surry RPS was found.

4.6.16 Recirculation Mode Transfer System Model

The recirculation mode transfer (RMT) system automatically initiates the switchover of the suction of the low pressure injection pumps from the refueling water storage tank (RWST) to the containment sump upon low RWST level. The RMT also automatically initiates the switchover of the suction of the high pressure injection pumps from the RWST to the low pressure injection pump discharges on low RWST level. The RMT is a support system for the actuation of the injection and recirculation front line systems. A review of the RMT system design was performed to verify that the system trains were symmetric and that there were no system peculiarities which would impact the reliability of the system. Generic system unavailability data was used in the analysis.
The following sections provide a brief physical description of the RMT system, identify the interfaces and dependencies of the RMT system with front line and other support systems, list any operational constraints on the RMT system, provide a description of the model used to incorporate the RMT system into the analysis, identify the RMT system specific assumptions, and describe the operational experience available for the RMT system.

4.6.16.1 RMT System Description

The Surry RMT system is composed of four independent RWST level sensors, each feeding two separate two out of four relay matrices.
These two relay matrices automatically actuate the components required to perform the switchover to the recirculation mode of the low and high pressure systems. A simplified RMT system logic diagram is shown in Figure 4.6-22.

4.6.16.2 RMT System Interfaces and Dependencies

The RMT system is dependent on the vital AC instrumentation buses for power to the level sensors and to the relay logic. These dependencies were modeled for the loss of power initiating events. In non loss of power events or in the event of loss of only one vital bus where additional bus failures would need to occur to result in system failure, the power bus failure rates are negligible in comparison with the RMT system train unavailabilities and hence no additional models were constructed.
Specific components in the low and high pressure injection/recirculation systems are dependent on the RMT system for automatic actuation to their recirculation position.
These specific dependencies are listed in Table 4.6-16.

4.6.16.3 RMT System Operational Constraints

No specific operational constraints were identified for the RMT system.

4.6.16.4 RMT System Logic Model

Boolean equations were developed to incorporate the RMT system AC power dependencies into the models used in the sequence quantification.
The following Boolean equations were used to incorporate these dependencies for the T1 initiating event:

RMT-ACT-FA-A = RMT-ACT-FA-RMTSA + RMT-CCF-FA-MSCAL + ACP-TAC-LP-BUS1I.

RMT-ACT-FA-B = RMT-ACT-FA-RMTSB + RMT-CCF-FA-MSCAL + ACP-TAC-LP-BS1IV.

RMT-ACT-FA-RMTSA and RMT-ACT-FA-RMTSB represent the RMT train A and B generic unavailabilities.
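
Because the common cause term appears in both train equations, failure of both RMT trains is not the product of two independent train unavailabilities. The following added example (not code or data from the report) expands the AND of the two equations into minimal cut sets and applies the rare-event approximation; the probabilities are constructed placeholders, and the event names are as read from the equations above.

```python
from itertools import product
from math import prod

# OR-gates from the Section 4.6.16.4 Boolean equations (T1 initiating event).
TRAIN_A = ("RMT-ACT-FA-RMTSA", "RMT-CCF-FA-MSCAL", "ACP-TAC-LP-BUS1I")
TRAIN_B = ("RMT-ACT-FA-RMTSB", "RMT-CCF-FA-MSCAL", "ACP-TAC-LP-BS1IV")

# Constructed probabilities for illustration only; NOT values from the report.
CONSTRUCTED_P = {
    "RMT-ACT-FA-RMTSA": 1e-3,   # train A generic unavailability (assumed)
    "RMT-ACT-FA-RMTSB": 1e-3,   # train B generic unavailability (assumed)
    "RMT-CCF-FA-MSCAL": 1e-4,   # common cause miscalibration (assumed)
    "ACP-TAC-LP-BUS1I": 1e-3,   # vital bus loss, train A side (assumed)
    "ACP-TAC-LP-BS1IV": 1e-3,   # vital bus loss, train B side (assumed)
}


def expand_and(*or_gates):
    """Expand (a + b + ...) * (c + d + ...) into product terms.

    Using a frozenset per term applies the idempotent law X * X = X, so the
    shared common cause event collapses to a single-event term.
    """
    return {frozenset(term) for term in product(*or_gates)}


def minimal_cut_sets(cut_sets):
    """Boolean absorption: X + X*Y = X, so drop any proper superset."""
    return {cs for cs in cut_sets if not any(other < cs for other in cut_sets)}


def rare_event_sum(cut_sets, p):
    """Rare-event approximation: sum of the minimal cut set probabilities."""
    return sum(prod(p[e] for e in cs) for cs in cut_sets)


def both_trains_fail(p=CONSTRUCTED_P):
    """Minimal cut sets and probability of RMT-ACT-FA-A * RMT-ACT-FA-B."""
    mcs = minimal_cut_sets(expand_and(TRAIN_A, TRAIN_B))
    return mcs, rare_event_sum(mcs, p)


def naive_independent_product(p=CONSTRUCTED_P):
    """What one would get by wrongly multiplying the two train values."""
    return sum(p[e] for e in TRAIN_A) * sum(p[e] for e in TRAIN_B)


if __name__ == "__main__":
    mcs, q = both_trains_fail()
    for cs in sorted(mcs, key=lambda c: (len(c), sorted(c))):
        print(" * ".join(sorted(cs)))
    print(f"both trains fail (cut sets):      {q:.3e}")
    print(f"naive product of train values:    {naive_independent_product():.3e}")
```

With these placeholder values the single-event miscalibration cut set dominates the result, which is why the common cause term has to be carried through the Boolean reduction rather than quantified per train.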
Common cause miscalibration of the RWST level sensors was also included in the RMT system models for all initiating events.

4.6.16.5 Assumptions in RMT System Model

No system specific assumptions were made in the RMT system analysis.

4.6.16.6 RMT System Operating Experience

No pertinent plant specific operational experience of the Surry RMT system was found.

[Figure 4.6-22: simplified RMT system logic diagram. Level transmitters (LT) powered from 120 VAC vital buses VB 1-I through VB 1-IV feed two 2/4 relay matrices, Train A and Train B; each matrix actuates the valves listed in Table 4.6-16, part of them through a 2 minute time delay. The drawing is not recoverable from the extracted text.]

Table 4.6-16
Components Actuated By RMT

| TRAIN | COMPONENT | OPERATION |
|---|---|---|
| Train A | MOV1863A | OPEN |
| Train A | MOV1885A | CLOSE |
| Train A | MOV1885C | CLOSE |
| Train A | MOV1860A* | OPEN |
| Train A | MOV1862A* | CLOSE |
| Train A | LCV-1115B | CLOSE |
| Train B | MOV1863B | OPEN |
| Train B | MOV1885B | CLOSE |
| Train B | MOV1885D | CLOSE |
| Train B | MOV1860B* | OPEN |
| Train B | MOV1862B* | CLOSE |
| Train B | LCV-1115D | CLOSE |

* Provided with a 2-minute time delay for actuation.

4.6.17 Residual Heat Removal System Model

The residual heat removal (RHR) system provides shutdown cooling when the reactor coolant system (RCS) depressurizes below 450 psig and cools below 350°F. The RHR is a front line system (although non safety grade) designed to provide long term decay heat removal. The following sections provide a physical description of the RHR system, identify the interfaces and dependencies of the RHR system with other front line and support systems, list any operational constraints on the RHR system, identify the RHR system specific assumptions, and describe the operational experience available for the RHR system.

4.6.17.1 RHR System Description

The Surry RHR system is composed of two pumps and two RHR heat exchangers in parallel.
The RHR pumps take suction from the RCS loop 1 hot leg through two normally shut motor operated valves (MOVs) and a manual isolation valve. The discharge of the pumps is headered together and feeds two heat exchangers arranged in parallel.
The RHR pumps and heat exchangers are cooled by component cooling water (CCW). An air operated valve (AOV) controls bypass flow around the heat exchangers, another controls flow through the heat exchangers.
The two AOVs work together to control the cooldown rate of the RCS. The discharge of the flow control valves feeds into the SI/accumulator piping and is delivered to the RCS loop 2 and loop 3 cold legs. Each path has a normally shut MOV isolating the RHR from the high pressure RCS during normal plant operations.
Make-up to the RHR system is provided by the RCS. A simplified schematic of the RHR system is shown in Figure 4.6-23.
The RHR is manually initiated.
An interlock prevents opening the RHR isolation MOVs until RCS pressure is below 450 psig. One RHR pump and heat exchanger are normally in operation.
In the event of failure of either component, the parallel component is manually placed in service. Following a loss of offsite power, the stub buses powering the RHR pumps are shed from the emergency buses and must be manually reconnected to restore power to the RHR pumps.

4.6.17.2 RHR System Interfaces and Dependencies

The RHR system is dependent on AC power buses for motive power for the RHR pumps and control power to the MOVs in the RHR system, and the DC buses for control power to the RHR pumps and the heat exchanger throttle valves. Additionally, the RHR system requires the instrument air system for motive power to the heat exchanger throttle valves. The RHR system is dependent on the RCS to supply sufficient net positive suction head. These dependencies and specific train assignments are shown in the system dependency diagram in Figure 4.6-24 and the component status and dependency summary in Table 4.6-17.

4.6.17.3 RHR System Operational Constraints

Prior to placing the RHR system in service, RCS pressure must be below 450 psig and RCS temperature must be below 350°F. Following a loss of offsite power, the stub buses which power the RHR pumps are automatically shed and must be manually reloaded as the main bus by the operator to restore power to the pumps.
[Figure 4.6-23 RHR System Simplified Schematic: drawing not reproduced]

[Figure 4.6-24 RHR System Dependency Diagram: drawing not reproduced]

Table 4.6-17 RHR Component Status And Dependency Summary

COMPONENT      NORMAL STATUS   ACTUATION   DEPENDENCIES
Pumps:
  1-RH-P-1A    Standby         R. Manual   4160V Stub 1H
  1-RH-P-1B    Standby         R. Manual   4160V Stub 1J
MOVs:
  1700         NC/FAI          R. Manual   MCC-1H1-2
  1701         NC/FAI          R. Manual   MCC-1J1-2
  1720A        NC/FAI          R. Manual   MCC-1H1-2
  1720B        NC/FAI          R. Manual   MCC-1J1-2
AOVs:
  PCV-1605     NO/PC                       Instrument Air
  HCV-1758     NO/PC                       Instrument Air
4.6.17.4 RHR System Logic Model

The success criterion for the Surry RHR system is that continued RHR flow is provided from one of two pumps through one of two heat exchangers to the RCS following reactor shutdown, cooldown to 450 psig, 350°F. This success criterion translates into the following top event in the RHR system fault tree:

W3  Failure to provide sufficient RHR flow to the RCS.

The fault tree developed for this top event is shown in Appendix B. The specific assumptions made in the RHR system analysis are included in the following section.

4.6.17.5 Assumptions in RHR System Model

In addition to the general modeling groundrules made in the analysis and previously discussed in Section 4.6.1, one system specific assumption was made in the course of the analysis.

1. Although not environmentally qualified, it was assumed that the RHR pumps and MOVs will operate under containment conditions of a very small LOCA. This is based on the sizing and compartmentalization of the containment, the size of the LOCA (very small), and the fact that AFW and containment fan coolers are initially removing heat from the containment.

4.6.17.6 RHR System Operating Experience

No pertinent plant specific operational experience of the Surry RHR system was found.

4.6.18 Safety Injection Actuation System Model

The safety injection actuation system (SIAS) automatically initiates the high and low pressure injection systems following an indication of the need for primary coolant makeup. The SIAS is a support system for the automatic initiation of the injection front line systems. A review of the SIAS design was performed to verify that the system trains were symmetric and that there were no system peculiarities which would impact the reliability of the system. Generic system unavailability data was used in the analysis.

4.6.18.1 SIAS Description

The Surry SIAS is composed of two independent trains used to automatically actuate the low and high pressure injection systems and the motor driven AFW pumps. The signals which actuate SIAS are shown in Table 4.6-18.

4.6.18.2 SIAS Interfaces and Dependencies

The SIAS is dependent on the AC vital instrumentation buses and the DC buses for operation of the relay logic network. These dependencies were modeled in the analysis for loss of power initiating events. In non loss of power events, the power bus failure rates are negligible in comparison with the SIAS train unavailabilities.

Specific components in the low and high pressure injection systems and the motor driven AFW pumps are dependent on the SIAS for automatic actuation.
These specific dependencies are illustrated in Figure 4.6-25.

Table 4.6-18 SIAS Actuation Parameters

Train A
SIGNALS                                                  SENSORS REQUIRED FOR SIAS ACTUATION
Low Pressurizer Level                                    2/3 (LC459A-XA, LC460A-XA, LC461A-XA)
High Containment Pressure                                1/1 CLCS Hi
High ΔP Between Main Steam Header and Any Steam Line     2/3
High Steam Flow in 2/3 Lines                             1/2 Per Line
  Coincident With:
    Low TAVG in 2/3 Loops                                1 Per Line
    OR Low Steam Line Pressure in 2/3 Lines              1 Per Line

Train B
SIGNALS                                                  SENSORS REQUIRED FOR SIAS ACTUATION
Low Pressurizer Level                                    2/3 (LC459X-XB, LC460X-XB, LC461X-XB)
High Containment Pressure                                1/1 from CLCS Hi
High ΔP Between Main Steam Headers and Any Steam Line    2/3
High Steam Flow in 2/3 Lines                             1/2 Per Line
  Coincident With:
    Low TAVG in 2/3 Loops                                1 Per Line
    OR Low Steam Line Pressure in 2/3 Lines              1 Per Line
[Figure 4.6-25 Components Dependent on SIAS For Automatic Actuation: drawing not reproduced]

4.6.18.3 SIAS Operational Constraints

No specific operational constraints were identified for the SIAS.

4.6.18.4 SIAS Logic Model

Boolean expressions were developed to incorporate the SIAS power dependencies into the models used in the sequence quantification. The following Boolean equations were used to incorporate these dependencies for the T1, T5A, and T5B initiating events:

SIS-ACT-FA = SIS-ACT-FA-SISA + ACP-TAC-LP-BUSll + DCP-TDC-LP-BUS1A
SIS-ACT-FB = SIS-ACT-FA-SISB + ACP-TAC-LP-BSllV + DCP-TDC-LP-BUS1B

SIS-ACT-FA-SISA and SIS-ACT-FA-SISB represent the SIAS train A and B generic unavailabilities.
Common cause failure of SIAS due to miscalibration of sensors was not included because there are several different types of sensors. Common cause miscalibration of one type of sensor (the temperature sensors, for example) still leaves two other types of sensors available (pressure detectors and differential pressure detectors).

The SIAS related events included in the front line system fault trees were coded with the system identifier SIS throughout the fault tree and sequence analysis.
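The two SIAS Boolean equations are OR gates over basic events. The following added example (not code from the NUREG/CR-4550 analysis) expands them into minimal cut sets, conditions them on a power bus that is already lost, and quantifies the result with the rare-event approximation. The loss-of-both-trains top event, the function names, and every probability value are constructed assumptions; the event names are copied from the equations as printed in the scan.

```python
"""Cut-set treatment of the SIAS power-dependency equations (added example)."""
from itertools import product
from math import prod

# Boolean equations from Section 4.6.18.4: '+' is OR, so each train-failure
# event is an OR gate over three basic events (names as printed on the page).
TRAIN_A = ("SIS-ACT-FA-SISA", "ACP-TAC-LP-BUSll", "DCP-TDC-LP-BUS1A")
TRAIN_B = ("SIS-ACT-FA-SISB", "ACP-TAC-LP-BSllV", "DCP-TDC-LP-BUS1B")

# CONSTRUCTED probabilities for illustration only; not values from the report.
BASE_PROB = {
    "SIS-ACT-FA-SISA": 1.0e-3,   # train A generic unavailability (assumed)
    "SIS-ACT-FA-SISB": 1.0e-3,   # train B generic unavailability (assumed)
    "ACP-TAC-LP-BUSll": 1.0e-6,  # AC vital bus failure (assumed)
    "ACP-TAC-LP-BSllV": 1.0e-6,
    "DCP-TDC-LP-BUS1A": 1.0e-6,  # DC bus failure (assumed)
    "DCP-TDC-LP-BUS1B": 1.0e-6,
}


def _minimise(sets):
    """Drop every cut set that is a proper superset of another one."""
    sets = set(sets)
    return sorted(
        (s for s in sets if not any(other < s for other in sets)),
        key=lambda s: (len(s), sorted(s)),
    )


def minimal_cut_sets(*or_gates):
    """AND the given OR gates together and return the minimal cut sets."""
    return _minimise(frozenset(combo) for combo in product(*or_gates))


def condition(cut_sets, failed=()):
    """Apply an initiating event: events in `failed` are TRUE (probability 1).

    A TRUE event drops out of each cut set; an empty cut set means the top
    event is certain.
    """
    failed = frozenset(failed)
    return _minimise(cs - failed for cs in cut_sets)


def rare_event(cut_sets, prob=BASE_PROB):
    """Rare-event approximation: sum of cut-set products, capped at 1."""
    return min(1.0, sum(prod(prob[e] for e in cs) for cs in cut_sets))


if __name__ == "__main__":
    lost_bus = {"DCP-TDC-LP-BUS1A"}  # assumed initiating event: DC bus 1A lost

    train_a = minimal_cut_sets(TRAIN_A)
    print("Train A, no power loss  :", rare_event(train_a))
    print("Train A, DC bus 1A lost :", rare_event(condition(train_a, lost_bus)))

    # Assumed top event: automatic actuation fails on BOTH trains.
    both = minimal_cut_sets(TRAIN_A, TRAIN_B)
    print("Both trains, no power loss  :", rare_event(both))
    print("Both trains, DC bus 1A lost :", rare_event(condition(both, lost_bus)))
    for cs in condition(both, lost_bus):
        print("  remaining cut set:", sorted(cs))
```

With these constructed values the bus terms add about 0.2% to the train A unavailability, which is the "negligible in comparison" case the text describes; once a bus is lost, the two-train result collapses to the three single-event cut sets of the surviving train.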
4.6.18.5 Assumptions in SIAS System Model

No system specific assumptions were made in the SIAS analysis.

4.6.18.6 SIAS Operating Experience

No pertinent plant specific operational experience of the Surry SIAS was found.

4.6.19 Service Water System Model

The service water system (SWS), as defined for this analysis, is a support system which provides cooling to the heat exchangers in the inside spray recirculation (ISR) system and outside spray recirculation (OSR) system. The SWS provides heat removal from the containment following an accident.

The following sections provide a physical description of the SWS, identify the interfaces and dependencies of the SWS with the front line systems and other support systems, list any operational constraints on the SWS, provide a description of the fault tree model constructed for the SWS, identify the SWS specific assumptions, and describe the operational experience available for the SWS.

4.6.19.1 SWS Description

The Surry SWS is a gravity flow system. The service water supply to the containment spray heat exchangers consists of two parallel inlet lines which provide service water from the main condenser cooling pipes each through two normally closed motor operated valves (MOVs) in parallel to individual headers. The headers each provide flow to one ISR and OSR heat exchanger. The two headers are cross connected by two normally open MOVs in series such that flow from either inlet line can be used to cool all four ISR and OSR heat exchangers. Service water flows through each heat exchanger and discharges through a normally open MOV to two headers which flow to the discharge tunnel. A simplified schematic of the SWS is shown in Figure 4.6-26.

[Figure 4.6-26 SWS Simplified Schematic: drawing not reproduced]

The SWS automatically starts on receipt of a hi-hi (25 psia) containment pressure signal from the consequence limiting control system (CLCS). The CLCS signals open the header inlet valves. No other actions are required to place the SWS in service.
4.6.19.2 SWS Interfaces and Dependencies

The SWS interfaces with the ISR and OSR systems at the respective heat exchangers for these systems. The SWS is dependent on the AC power buses for motive and control power to the system MOVs and on the CLCS for opening of the header inlet valves. These dependencies and specific train assignments are shown in the system dependency diagram in Figure 4.6-27 and the component status and dependency summary in Table 4.6-19.

4.6.19.3 SWS Operational Constraints

No specific operational constraints were identified for the SWS.

4.6.19.4 SWS Logic Model

The SWS is a support system for the ISR and OSR. The top events identified for the SWS represent the modeled interfaces of the SWS with the ISR and OSR. The developed events contained in the ISR system and OSR system fault trees correspond to the following top events:

SWS1  Insufficient SWS flow through ISR train A cooler (HX-RS1A).
SWS2  Insufficient SWS flow through ISR train B cooler (HX-RS1B).
SWS5  Insufficient SWS flow through OSR train A cooler (HX-RS1C).
SWS6  Insufficient SWS flow through OSR train B cooler (HX-RS1D).

These events are developed completely in the ISR and OSR fault trees. The fault trees can be found in Appendix B.

4.6.19.5 Assumptions in SWS Model

In addition to the general modeling groundrules made in the analysis and previously discussed in Section 4.6.1, one system specific assumption was made in the course of the analysis. The specific assumption made in the SWS analysis follows:

1. Air binding of the service water side of the heat exchangers was not included in the models. Vent pipes with check valves are provided for each heat exchanger. The pipes are vented outside, above the water level of the intake canal.

4.6.19.6 SWS Operating Experience

A review of the Surry SWS operational experience identified a potential for common cause failure of the service water valves to the heat exchangers. Once during annual testing of the system all four valves on Unit 1 failed to open when actuated from the control room. Testing of the Unit 2 valves resulted in failure of 3 of the 4 to open. The valves were manually opened. Several of the valves were found to be heavily corroded due to exposure to the brackish water. Based on this incident, the potential for common cause failure of both the ISR system and OSR system due to exposure to the brackish service water was included in the SWS model. This data is developed in Appendix D.1.
[Figure 4.6-27 Service Water System Dependency Diagram: drawing not reproduced]

Table 4.6-19 SWS Component Status And Dependency Summary

COMPONENT   NORMAL STATUS   ACTUATION      DEPENDENCIES
MOVs:
  SW104A    NO/FAI          R. Manual      MCC-1H1-2
  SW105A    NO/FAI          R. Manual      MCC-1H1-2
  SW104B    NO/FAI          R. Manual      MCC-1J1-2
  SW105B    NO/FAI          R. Manual      MCC-1J1-2
  SW106A    NO/FAI          R. Manual      MCC-1H1-2
  SW106B    NO/FAI          R. Manual      MCC-1J1-2
  SW103A    NC/FAI          CLS-Hi-Hi-2A   MCC-1H1-1, CLS-Hi-Hi-2A
  SW103B    NC/FAI          CLS-Hi-Hi-2B   MCC-1J1-1, CLS-Hi-Hi-2B
  SW103C    NC/FAI          CLS-Hi-Hi-2B   MCC-1J1-1, CLS-Hi-Hi-2B
  SW103D    NC/FAI          CLS-Hi-Hi-2A   MCC-1H1-1, CLS-Hi-Hi-2A
  SW104C    NO/FAI          R. Manual      MCC-1H1-2
  SW105C    NO/FAI          R. Manual      MCC-1H1-2
  SW104D    NO/FAI          R. Manual      MCC-1J1-2
  SW105D    NO/FAI          R. Manual      MCC-1J1-2
4.7 Analysis Of Dependent Failures

Dependent failures were treated in two ways. Dependent failures due to functional dependencies and support dependencies were identified and modeled in the event trees and fault trees. Discussion of these efforts is found in the event tree and fault tree sections (Sections 4.4 and 4.6 respectively).

Dependent failures which are not explicitly modeled as functional dependencies or support dependencies were included in the study as a result of three specific efforts. They were:

* Dependencies which involve dependent failures due to phenomenological dependencies or unforeseen design interactions were called "subtle interactions" in this study. Subtle interactions found in past PRAs were reviewed for their applicability to Surry.
* An LER review of Surry was made to identify any unexpected interactions or common cause failures which have occurred at the plant.
* Beta factors for common cause failures were systematically included in fault tree development. Common cause failures were modeled for redundant pumps, MOVs, and diesel generators.
In addition, for those systems not modeled in detail (i.e., actuation systems, control systems, and the power conversion system), a review of the system designs and interfaces was performed to determine whether there were any peculiarities in the system design which would result in unexpected interactions with other systems or would be expected to result in significant differences in the failure rate of the system from the generic system failure rate. The actuation systems at Surry (i.e., SIAS, CLCS, and the RMT system) are each composed of two symmetrical trains. Power train separation was maintained for each of the actuation systems and no instances were identified where series components requiring actuation within a system train were actuated by different actuation system trains. The emergency power system trains are also symmetrical and there are no crossties between buses.

The remainder of this section is divided as follows: Subsection 4.7.1 discusses the review and resolution of subtle interactions found in past PRAs; Subsection 4.7.2 presents the results of the LER search and discusses the method of application of beta factors.

4.7.1 Subtle Interactions

As discussed above, a list of potential subtle interactions was identified* by this PRA program, based on past operating experience and PRA analyses. Each of these items was examined with respect to the specific Surry design to determine whether or not similar interactions exist at Surry. The applicability of each of the items in the list to the Surry design and the resolution of those items which were found to be applicable are discussed below.

* Letter from G. J. Boyd (Safety and Reliability Optimization Services, Inc.) to F. T. Harper (Sandia National Laboratories), "Topics of Concern for PRAs of ASEP Plants," June 18, 1985. Letter from F. T. Harper and G. J. Kolb to PRA experts, "Subtle Interactions Found in Past PRAs and PRA-Related Studies," July 2, 1985.

DG Load Sequencer Failures

Diesel generator load sequencers are designed to strip off non-essential loads from the emergency buses following loss of offsite power (LOSP). The design of such a circuit usually involves redundant means to strip all loads following a LOSP. However, such circuits may not always contain redundant means for subsequently reloading essential loads. In such a case failure of the load sequencing circuit could potentially result in common cause failure of multiple systems following a LOSP.

Surry does not use load sequencers to reload the emergency power buses following diesel generator start. Load sequencing is accomplished by time delay relays in most of the safety loads. The HPI and LPI pumps remain on the bus. CSS, ISR, OSR, and the AFW pumps all have time delays in their start circuitry (30 sec., 2 min., 5 min., 1 min., respectively). Some non-safety loads are loaded on "stub" buses. The stub buses are normally powered from the emergency buses but are shed on undervoltage. Reloading is manual. No indication of increased unavailability due to the time delay relays was found. The potential for failure to shed the stub bus loads resulting in trip of the diesel generators was considered to be negligible in comparison to the diesel generator failure rates.

Sneak Circuits

The RCIC system at one Boiling Water Reactor was found to contain a sneak circuit which could result in an unintended isolation of the RCIC pump. This could occur during a loss of offsite power and subsequent energization of the RCIC steam leak detection circuit. Three subtle design aspects lead to the occurrence of this failure mode: (1) the RCIC system contains a steam leak detection isolation circuit, (2) the isolation circuitry is deenergized given a loss of offsite power (i.e., the circuitry is not fed by a non-interruptable backed vital AC power supply), and (3) the isolation circuit contains a seal-in circuit.

No essential systems at Surry have isolation circuits. In particular, the Surry AFW system employs cavitating venturis to limit flow through a steam line break. Therefore, this potential interaction was not considered to be applicable.
Bus Switching Problems

Two subtle aspects concerning bus switching have been identified at one power plant: (1) a safety-related DC power supply is also being used to perform a bus switching operation in the switchyard and safety-related loads are normally powered from the unit transformer rather than from offsite power, and (2) a safety-related AC bus does not have a diesel directly powering it; it must rely on diesel power from another bus via a breaker which only closes given a loss of offsite power.

All systems of interest, with the exception of PCS, are powered from offsite power sources rather than from the main station generator. Except for the stub bus arrangement discussed above under DG Load Sequencer Failures, the Surry design does not include bus-to-bus cross feeds. Therefore, this potential interaction was not considered to be applicable.
Pump Room Cooling

Several aspects concerning pump room cooling must be considered in a PRA systems analysis. First, a given plant's design may be such that, given loss of room cooling, the maximum room temperature remains below the temperature for which a pump and its control circuits are qualified. A system analyst may, therefore, conclude that the room cooling for the pumps is not required. However, in some cases, a room temperature signal is used to trip the pump. The potential for reaching this temperature given loss of the room cooler should be examined. Second, pump room coolers are often standby systems that actuate only upon actuation of the pump through a slave relay or by a thermostat. In either case, test procedures should be such that all of the actuation circuit is verified to function properly. Finally, credit for opening pump room doors for cooling the room given failure of the room cooler should only be taken after considering administrative controls and technical specifications which may prohibit such action.

During the fault tree analysis, room cooling requirements were evaluated for all pumps. The result was that room cooling is not required for any of the pumps important in the Surry analysis. Therefore, the potential interactions involving room cooling were not considered to be applicable.
Voltage Droop Prior to LOSP

This interaction derives from an event at Indian Point. Loss of offsite power occurred in such a way that there was a "long" period of slowly declining voltage before power was completely lost. The voltage "droop" led to blown fuses.

This interaction was not incorporated into the Surry study, because sufficient data on the magnitude and length of previous voltage droops are not available. It is therefore not possible to predict the probability of fuse failure and thus incorporate this interaction into the system models.

Terminal Blocks in Containment

A terminal block is located in an electrical junction box and is used to connect wire ends within a circuit. Many types of terminal blocks may not perform adequately in a steam environment. Instrument errors can occur in circuits that contain terminal blocks when exposed to a high temperature (100°C) saturated steam environment. Such instrumentation failures can potentially prevent ECCS actuation following loss of coolant accidents.

All circuit junctions for an environmentally qualified system within containment are made by Raychem Splicing. No terminal blocks are used. Therefore, this potential interaction was not considered to be applicable.
Inadvertent Isolation of all Feed Flow to SGs

At Surry, MFW is isolated on an SIAS signal. The AFW system has no isolation circuits. Cavitating venturis are used to limit flow to the steam generators in the event of a main steam line break or otherwise faulted SG. Therefore, this potential interaction was not considered to be applicable.

Use of Alternate Core Cooling Methods

Alternate core cooling methods were included in the Surry analysis. Feed and bleed cooling using HPI and the PORVs was included in the event tree analysis. Use of the cross connects from Unit 2 to provide HPI and AFW flow to Unit 1 were also included as backup core cooling methods. Primary depressurization through secondary blowdown was also included in the Surry analysis.
Steam Binding of AFW Pumps Due to Leaking FW Valves

Steam binding of the AFW pumps has occurred at Surry. The check valves which provide isolation from the main feedwater lines are swing disc check valves which were found to have steam cuts in the seat/disc face allowing backleakage of main feedwater. The upstream check valves are not isolation valves and are expected to allow a limited amount of backleakage. This backleakage resulted in a steam accumulation in the piping and pumps and steam binding of the pumps. The valves with the steam cuts were repaired and reinstalled. Insulation was removed from the AFW piping to facilitate condensation of any steam which may collect and a shiftly check of the AFW pump outlet piping temperatures was instituted. No further occurrences have been reported; however, the potential for steam binding still exists, but at a much lower rate due to the preventive measures taken by the plant. Therefore, the AFW fault trees include this failure mode.

Air Binding of Cooling Water Systems

The failure or partial failure of cooling water systems has occurred because of air binding caused by leaks in a load being cooled. Plant air compressors usually are cooled by some cooling water system. Air inleakage into the cooling water system can cause failure of multiple systems because of air binding and loss of cooling.

The instrument air compressors at Surry are cooled by the bearing cooling water system and the component cooling water system. Both cooling water systems are closed cycle systems. The bearing cooling water system was not modeled in this study. The component cooling water system was modeled in this study, but air binding was not explicitly included in the fault tree models. Common cause failure of the pumps due to all causes was included. The value of the beta factor could potentially include contributions from air binding. A review of Surry licensee event reports (LERs) revealed two instances of low Charging Pump Cooling (CPC) service water pressure caused by air binding. Improper venting of the CPC service water strainers was the source of the air. This failure mode was included in the Surry analysis. It is described in more detail in this section and in Appendix D.

Steam-Line Break Isolation Circuitry

Steam-driven systems sometimes have isolation circuitry to protect against steam-line breaks. This circuitry uses temperature readings as an indication of a line break and may include all locations containing the steam piping. Therefore, when assessing the need for room cooling, the cooling requirements of areas where temperature measurements are taken must be examined.

The turbine driven auxiliary feedwater pump at Surry does not have this type of circuitry.

Passive Component Failures

This type of interaction involves component failure modes that might not otherwise be modeled (e.g., valve failure because of stem/disc separation, pipe breakage, blockage). These failures should be added to the models particularly where the impact of failure affects multiple trains of equipment. Additionally, these events can be potential initiating events.

Several areas were identified in which a single passive failure could result in the failure of multiple systems. These events were modeled in each of the applicable systems to assure that the commonality would be reflected in the accident sequence evaluation.
Isolation of Nonessential Cooling Water Loads

This interaction may occur if nonessential portions of safety-related cooling systems are not isolated. Because such a failure can result in inadequate cooling of the essential loads, care should be taken when determining the impact of potential diversion paths from support cooling systems.

Two potential cases were identified in which failure to isolate nonessential cooling loads could impact safety system operation. Failure to shed the stub bus, which powers the component cooling water and RHR pumps, following LOSP could potentially result in diesel generator trip when it is loaded on the bus; however, the failure rate associated with the failure to shed the stub bus is considered to be small with respect to the diesel generator failure rate. Following LOSP, failure to close the condenser circulating valves will result in drainage of the intake canal. Drainage of the intake canal has been included in the station blackout model.

Cross-tied Pumps' Discharge Check Valve Failures

This type of failure occurs when the discharge check valve in one train of a two-train, cross-tied system fails open. Various problems can result from this interaction, including functional failure of the system because of back flow, inability to actuate an idle pump because of the stuck-open valve, or system rupture from attempted actuation of an idle pump with a stuck-open valve.

System failure caused by excessive backflow through pump discharge check valves in cross-tied pumps resulting in flow diversion through the idle pump was explicitly included in the fault tree models.

Failures Following Station Blackout

The treatment of reactor coolant pump seal failure and battery depletion during a station blackout has varied among past PRAs and can be plant specific. Both failures can adversely affect the capability to cool the plant.

RCP seal LOCA occurrence was included in the station blackout models. No long term tests have been performed on the Surry batteries. Battery depletion time of four hours was based on :3226.

Dependent Events Based on Operating Experience

There have been a number of recent activities to better scope out the problem of dependent and common cause events. Probably the best current collection of actual events that are in the nuclear data base are compiled in EPRI NP-3967. While there is considerable controversy on how to account for common cause events, the report clearly demonstrates the inaccuracy of models that do not specifically treat common cause events. While it has been a frequent criticism that quantification of these events leads to numbers but not indication of how to improve plants, a review of the events in EPRI NP-3967 will demonstrate that causes are known for a large percentage of these events.

A review of Surry LERs showed past incidences of common cause failure. These were included as explicit events in the fault tree analysis, using probabilities derived from plant specific experience. Beta factors based on EPRI NP-3967 were included in the fault tree analysis for the diesel generators, MOVs, and the HPI, LPI, CSS, OSR, AFW, and SWS pumps.

Main Feedwater Availability After Turbine Trip

The unavailability of main feedwater after reactor trip is highly plant specific. The consequences of this interaction will vary depending on whether the loss is total or partial and the potential for recovery.

Due to control logic at Surry, following any reactor trip from greater than 50% power, the MFW regulating valves close. The MFW pumps continue to run, however. Therefore, MFW was nominally available in the event of AFW failure for T3 initiating events.
Refill of Dry Steam Generators

During loss of steam generator feed events, it is necessary to provide an alternate source of feedwater prior to substantial tube uncovery to avoid potential problems associated with recovering dry tubes.

Upon loss of AFW at Unit 1, AFW at Unit 2 would be used for SG makeup and then MFW at Unit 1. These alternate systems can be brought on line prior to steam generator dryout. Refilling of dry steam generators was not explicitly addressed in the study.

Main/Auxiliary Feedwater Commonalities

No significant commonalities between the MFW and AFW systems were identified. Therefore, this potential interaction was not further addressed.
PORV Unavailability Due to Block Valve Closure

Discussions with plant personnel indicated that Surry operates with one or more pressurizer PORV blocked about 50% of the time. They also said both PORVs are blocked about 5% of the time. Using these values as approximations and assuming each PORV was independent of the other, it was calculated that each PORV was blocked 30% of the time. Therefore, approximately 10% of the time both PORV block valves are closed, 40% of the time one PORV block valve is closed and one is open, and approximately 50% of the time both PORV block valves are open. These conditions were included in the models for the PORVs.

Turbine Drive Pump Failure due to Water Carry Over

Overfilling of the steam generators and the resultant carry over of water into the turbine driven AFW pump turbine was considered to be a low probability event for most transients if instrumentation was available. Potential for SG overfill was included in the station blackout analysis. During station blackout, control of the AFW turbine driven pump was assumed to be maintained as long as DC power was available. Following battery depletion, SG level instrumentation would be lost and steam generator overfill could occur at approximately 1 hour later.

Normal Operating Configuration

The normal operating configuration of Surry was used in the study. In cases where an alternate configuration produced more severe results, the percent of time that Surry operated in this alternate configuration was estimated, based on discussions with plant personnel. The more severe results associated with the alternate configuration were included, based on the percentage of time the plant spent in that configuration. In cases where the normal operating configuration produced the most severe results, these results were used 100% of the time.

Locked Door Dependencies

This interaction involves power supplies to security systems and their failure mode on loss of power. The potential concern here is that power failures could restrict access to equipment which was necessary to respond to the power loss.

Discussions with plant personnel indicated that in loss of power scenarios, key-locked doors and other powered security restrictive measures did not compromise operator access to equipment. Access restrictions during loss of power events were therefore not included in the study.

4.7.2 Common Cause Analysis

Common cause events were explicitly included in the fault tree models of systems. Common cause failures were identified in two ways. First, a search of the Surry LERs identified plant specific instances of common cause. Three events were identified by this LER search. They were included in the fault tree models at the appropriate levels. The three events were common cause failure of CPC pumps or strainers, common cause failure of containment spray heat exchanger service water valves and steam binding of three auxiliary feedwater pumps. These events are discussed below.
: 1) Common Cause*Fa'ilure*
of Charging*Pump Cooling Water Strainers*
An LER search of Surry Units 1 and 2, from 1980-1984 (inclusive) yielded frequent incidents of low pump discharge pressure in the HPI service water system~ Low pump discharge pressure was caused by plugged strainers*~
increas~ water demand from the air conditioning system, or a combination of both. For the purposes of this study, low pump discharge pressure was assumed to result in insufficient HPI pump cooling, although the LER survey did not indicate that HPI pump unavailability ever resulted from the service water incidences.
Prior to 1985, there were three instances where both HPI-SW pumps serving the same unit had low discharge pressur.e.
In 1984, the "Y" type strainer was replaced with a duplex strainer.
After 1985, no occurrences of strainer plugging were observed, but there were two instances where the strainers caused the CPC service water system to fail. In each of these instances improper venting of the strainers caused air binding in the CPC service water system and a loss of service water flow. A common cause failure probability based on all five events -was developed.
Details are shown in Appendix D of this report. The fault tree models assumed this condition would lead to rapid HPI pump unavailability unless corrective action was taken by the operators. Corrective actions for this failure include: a) reducing SW air conditioning loads, b) bypassing the filters, and c) supplying HPI cooling from Unit 2 SW pumps.

2) Steam Binding of AFW Pumps

A review of the Surry AFW operating experience revealed that a problem with steam binding of AFW pumps had occurred due to backleakage of main feedwater through the system check valves. The backleakage resulted in steam accumulation in the AFW lines and unavailability of two pumps. Since the event, the affected check valves were rebuilt and plant changes were made, including removal of the insulation from the AFW pump discharge lines to facilitate steam condensation and requiring a check of pump outlet pipe temperature once every shift. No further incidents have occurred. However, due to the potential for common cause multiple pump failures, this failure mode has been included in the system models. This failure probability was assessed to be 1E-4/demand. Details of the calculation are shown in Appendix D.

3) Common Cause Failure of CSR Service Water Valves

A review of the Surry SWS operational experience identified a potential for common cause failure of the service water containment spray valves to the heat exchangers.
During annual testing of the system all four valves on Unit 1 failed to open when activated from the control room. Similar testing of the Unit 2 valves resulted in failure of 3 of the 4 valves at Unit 2 to open. All valves were subsequently manually opened. Several of the valves were found to be heavily corroded due to exposure to brackish water. Immediately subsequent to this incident, in 1982, testing frequency of these valves was increased. In 1986, the SW valves were replaced with a new valve design. No failures have occurred since the new valves were installed. No instances of multiple failures have occurred since 1982. Based on this incident, the potential for failure of both the ISR system and OSR system due to common cause failure of the service water valves was included in the SWS model. Details of this calculation are found in Appendix D.

To account for other potential common cause faults, common cause failures of redundant components were systematically included in the fault tree analysis. Table 4.7-1 lists these events and the plant specific events. The values used for the beta factors were derived from EPRI NP-3967. The common cause methodology and the beta factor guidelines are detailed in the ASEP methodology document. The groundrules for application of beta factors are summarized below:

1. Common cause failures were only postulated within a system, not across system boundaries.
2. Common cause failures were only postulated within a system to redundant components and identical failure modes.
3. Random independent failures of multiple components were included in system models in addition to the potential common cause failures.

Table 4.7-1 Surry Common Cause Failures

Event Identifier      Description
AFW-CCF-FS-FW3AB      Failure to start motor driven Auxiliary Feedwater pumps 3A and 3B.
AFW-CCF-FT-102AB      Failure of Unit 1 steam valves 102A and 102B to open, supplying the turbine driven Auxiliary Feedwater pump at Unit 1.
AFW-CCF-FT-202AB      Failure of Unit 2 steam valves 202A and 202B to open, supplying the turbine driven Auxiliary Feedwater pump at Unit 2.
AFW-CCF-LK-2STMB      Leakage past check valves causing steam binding of the Auxiliary Feedwater pumps at Unit 2.
AFW-CCF-LK-STMBD      Leakage past check valves causing steam binding of the Auxiliary Feedwater pumps at Unit 1.
CPC-CCF-FT-8BC        Failure of air operated valves CPC TV-CC-108B and TV-CC-108C to open.
CPC-CCF-PG-STRAB      Failure of the Charging Pump Cooling system service water suction strainers due to loss of flow.
CSS-CCF-FS-CS1AB      Failure of the Containment Spray System pumps to start.
CSS-CCF-FT-101AB      Failure of the motor operated valves 101A and 101B to open.
CSS-CCF-FT-101CD      Failure of the motor operated valves 101C and 101D to open.
DCP-CCF-LP-BT1AB      Failure of the 125V DC Batteries 1A and 1B.
HPI-CCF-FS-CH1BC      Failure of High Pressure Injection pumps 1B and 1C to start.
HPI-CCF-FT-115BD      Failure of motor operated valves 1115B and 1115D to open.
HPI-CCF-FT-867CD      Failure of motor operated valves 1867C and 1867D to open.

Table 4.7-1 (Cont'd) Surry Common Cause Failures

Event Identifier      Description
IAS-CCF-LF-INAIR      Failure of instrument air to all air operated valves.
ISR-CCF-FS-RS1AB      Failure of the Inside Spray Recirculation pumps to start.
LPI-CCF-FS-SI1AB      Failure of the Low Pressure Safety Injection pumps to start.
LPR-CCF-FT-860AB      Failure of motor operated valves 1860A and 1860B to open.
LPR-CCF-FT-862AB      Failure of motor operated valves 1862A and 1862B to close.
LPR-CCF-FT-863AB      Failure of motor operated valves 1863A and 1863B to open.
LPR-CCF-FT-890AB      Failure of motor operated valves 1890A and 1890B to open.
LPR-CCF-PG-SUMP       Plugging of both containment sump compartments.
MCW-CCF-VF-INLVL      Insufficient intake canal level to supply service water, for all sequences except station blackout.
MCW-CCF-VF-SBO        Insufficient intake canal level during station blackout.
MSS-CCF-FT-01ABC      Failure of all three steam generator power operated relief valves to open.
MSS-CCF-FT-TVAB       Failure of the turbine bypass valves to open.
OEP-CCF-FS-DG123      Failure of all three diesel generators to start on demand.
OEP-CCF-FS-DG13       Failure of diesel generators #1 and #3 to start.
OSR-CCF-FS-RS2AB      Failure of the Outside Spray Recirculation system pumps to start.
PPS-CCF-FT-15356      Failure of motor operated valves 1535 and 1536 (PORV blocking valves) to open.
PPS-CCF-FT-PORV       Failure of the Reactor Coolant system power operated relief valves to open.
PPC-CCF-FT-SRVS       Failure of the Reactor Coolant system safety relief valves to open.
RCS-CCF-FT-455AB      Failure of the pressurizer spray valves to open.
RHR-CCF-FS-MDPAB      Failure of the Residual Heat Removal system pumps to start.
RHR-CCF-FT-720AB      Failure of motor operated valves 1720A and 1720B to open.
RMT-CCF-FA-MSCAL      Failure of the Recirculation Mode Transfer system actuation signal due to miscalibration of the RWST level detectors.
SWS-CCF-FT-3ABCD      Failure of service water isolation valves 103A, 103B, 103C, and 103D to open.

4.8 Human Reliability Analysis

This section presents the results of the human reliability analysis (HRA) performed for this study. Included in this section is a discussion of the human actions which were identified, the methods and assumptions used in their evaluation, and the final human error probabilities used in the accident sequence quantification. Detailed calculations of the human reliability analysis are found in Appendix C of this report. Section 4.8.1 discusses the scope and references the methodology. Section 4.8.2 lists the human actions which were analyzed. Section 4.8.3 presents and discusses the important results of the pre-initiator human reliability analysis. Section 4.8.4 presents and discusses the results of the post-initiator human reliability analysis. Section 4.8.5 discusses the innovative recovery actions which were considered.

4.8.1 Summary of Methodology and Scope

Human reliability analysis for this study was performed in accordance with References 27 and 36. The HRA was divided into two overall categories of actions: pre-initiator errors and post-initiator errors. Pre-initiator error analysis was entirely concerned with miscalibration errors and equipment restoration errors. Human actions which lead to these errors were done under normal plant operating conditions with stress levels appropriate for everyday work environments. The calculation of error probabilities for these actions was concerned with the adequacy of the maintenance and inspection procedures, the dependence of related tasks, and the administrative redundancy of restoration procedures.

The other category of human errors was post-initiator errors. Post-initiator error analysis was concerned with human errors made in response to the mitigation of an initiating event. The human actions from which these errors derive were procedure directed. Calculation of error probabilities for these actions was primarily concerned with the amount of time available to complete the task, the stress level under which the task was performed, and the amount of redundant verification that was possible within the allowable time period.

Modeling of human interactions with the plant systems was done during the fault tree analysis, the event tree analysis, and most importantly, the accident sequence recovery analysis.
Human actions can be directly defined at the fault tree level and the event tree level. But due to the way that fault trees and event trees were linked together to create failure expressions for an entire accident sequence, it is not necessarily possible to identify all human actions until the sequence level cut sets have been generated. When using the large fault tree-small event tree (LFT-SET) approach, the most common place for identification of human interactions was in the accident sequence recovery analysis which was done after the initial accident sequence Boolean reduction and quantification. In the LFT-SET process, this was the first time that minimal cut sets to an entire core damage sequence could be viewed. Thus, all the information was available, within the context of a single cut set, to determine the alternatives for function restoration and the allowable timing for restoration. Search for possible recovery actions was directed by the emergency operating procedures applicable to the particular sequence. These recovery actions involved restoration of system operability or initiation of an alternative system to provide or to mitigate the failed function.

All human errors identified were errors of omission. These were defined as instances where an operator was required to correctly perform a task in order to ensure the proper functioning of a system. If this task was not performed correctly in any way, the system loses its ability to function.

4.8.2 Human Actions Analyzed

As discussed in the previous section, identification of human interactions was done at the fault tree level, event tree level, and in the accident sequence recovery analysis. Operator actions were of two categories: pre-initiator actions, which are restoration and miscalibration errors, and post-initiator actions, which involve diagnosis, operation and manipulation of systems and components.

To identify pre-initiator errors, restoration errors were postulated to occur for each pump and valve after each surveillance action on the system in question. The restoration errors were screened before quantification to eliminate those that were considered to be negligible in comparison to other system failures. Only those errors which survived the screening were quantified and explicitly included in the fault tree models. The use of a screening quantification was made possible by the utilization of a Class I tagging system at Surry. A Class I tagging system refers to the administrative tracking system used to restore inoperable components to service. A Class I system is one in which at least two independent verifications are performed before declaring the system operable. At Surry, the responsibility for returning components to service rests with a different organization than those responsible for completion of test and maintenance. After the maintenance staff restores the system to operable condition, two independent verifications are performed by a different organization before the component is declared operable. During the initial plant visit to the Surry site, the HRA analyst on the PRA team verified that the system was administered and practiced as planned.

Screening criteria were as follows:

Valve restoration errors were not explicitly included in the fault trees if:
* Valve position is annunciated in the control room.
* Valve position is indicated in the control room and the indication is checked every 24 hours.
* The valve is flow tested as part of restoration to service.
* The valve receives an automatic actuation signal.

Common cause restoration errors were not postulated if redundant trains of the same system were tested on a staggered basis.

After the screening criteria were implemented, only one pre-initiator restoration error was quantified. It is listed in Table 4.8-1.

Post-initiator errors were identified and collected at three levels of analysis. They were all retained for quantification. The list of operator actions is shown in Table 4.8-1. Each operator action appearing in a specific sequence has timing considerations, and other conditional circumstances which may make the quantification of the error probability unique to that sequence. Thus, multiple quantifications of one event were common.

4.8.3 Analysis of Pre-Initiator Errors

As discussed in the previous subsection, only two pre-initiator errors survived the screening process to be quantified. Each of these is discussed below.

4.8.3.1 Pre-Initiator Restoration Errors

Events for mispositioned valves were identified by the system fault tree analysis. These events could occur as a result of failure to restore valves after monthly pump testing or failure during power ascension to restore valves that were closed for maintenance during cold shutdown. Some systems have valve configurations that do not require alteration for pump testing. Consequently, valve misposition errors for these systems were considered negligible compared to other causes of system failure. Because all pump testing at Surry is staggered, no common cause misposition errors were identified.

The restoration error for failure to restore containment spray pump test lines was quantified in accordance with Reference 27. A basic error probability of 3E-2 was used with a single verification error of 1E-1, as prescribed in Item III, Table 5-3, Reference 27.

4.8.3.2 Pre-Initiator Miscalibration Errors

Common cause miscalibration of sensors in the ECCS actuation systems was postulated for each set of common sensors. The impact on the actuation system was evaluated. It was determined that in only one instance would common miscalibration of redundant sensors fail an entire actuation system with no secondary indications available to the operator. This was for the RWST water level sensors in the RMTS. In all other cases, alternate protective functions are available, or alternate instrumentation is available to alert the operator to the need for actuation. Table 4.8-2 shows the guidelines and procedure for evaluation and quantification of these events. The miscalibration of sensors was explicitly included in the Boolean equation for the RMTS. Miscalibration of the RWST water level sensors was calculated to be 3.0E-4.

4.8.4 Analysis of Post-Initiator Operator Actions

The complete list of post-initiator human actions identified throughout this study is listed in Table 4.8-1. The actions along with their event identifiers used in the system models are shown in the table. These actions can be classified into two general categories, for the purpose of quantification. They are skill based actions and rule based actions.

4.8.4.1 Quantification of Skill Based Actions

Skill based actions are those that are performed from memory. They represent skills acquired through training and practice. The performance of these tasks is not considered to be significantly affected by stress level, previous events, or timing. The HRA guide suggests that skill-based actions have an error probability of 2.7E-3 each. Reduction of the overall error probability due to verification or checking by a second person is not applicable to skill-based actions.

An error probability of 2.7E-3 was assigned to all skill based actions, independently of the context in which they appeared, stress level, timing, or previously committed operator errors. Rule-based actions, however, were always quantified based on the context in which they appeared. Error probabilities for rule based actions were based on stress level, timing, adequacy of procedures, and control room staffing. Error probabilities for rule-based actions were also shifted upward due to a previously committed error in the sequence of events. The amount the HEP increased primarily depended on the time between the first error and the second action.

Classification of actions as skill-based or rule-based was based on the structure of the emergency procedures and operator training.
The Surry system of emergency procedures follows the generic Westinghouse guidelines. There are three major sets of emergency procedures: emergency procedures (EP), functional restoration procedures (FRP), and emergency contingency actions (ECA). They are related as follows.

The EPs are event oriented procedures. There are four basic sets, with several subsets to each set. The four sets are:
* reactor trip or safety injection
* loss of reactor or secondary coolant
* faulted steam generator isolation
* steam generator tube rupture

These procedures are the primary set of procedures for mitigation of all transients and LOCAs. The operator is trained to make a preliminary diagnosis of an event, and to select one of these series of EPs.

The FRPs are a series of six procedures which provide instructions for restoration of a critical safety function. The six series involve:
* loss of subcriticality
* loss of core cooling
* loss of secondary heat removal
* potential pressurized thermal shock
* containment integrity
* reactor vessel inventory

These functions are normally provided during reactor operation and will continue to be provided regardless of any single component failure. The shift technical advisor (STA) will monitor several parameters involved with the preservation of these functions. Should these parameters range out of acceptable limits, the STA will be directed to the appropriate functional restoration procedure. This procedure is followed until the lost function is restored.

The third set of procedures are the ECAs. These are event oriented procedures for severe cases of multiple equipment failures, which can be specifically diagnosed. There are four sets of ECAs:
* Loss of all AC Power
* Loss of Emergency Coolant Recirculation
* Uncontrolled Depressurization of all Steam Generators
* SGTR with Loss of Reactor Coolant

The first 11 steps of EP 1.0 represent immediate actions after a scram. They will be done from memory without references to a written procedure. They represent a universal set of actions for any initiating event which are necessary to tend to immediate concerns after a reactor trip and to form the basis for a diagnosis of the initiator. Some of these actions are repeated at the beginning of other procedures.
These steps involve verification of reactor trip, turbine trip, AC power, SI flow if needed, AFW if needed, and containment isolation. If the desired response is not obtained, the operator is trained to perform immediate manual activation of these systems. The PRA events which represent these immediate actions are listed as skill based actions in Table 4.8-1.

Manual actuation errors were handled with one additional discrimination. For cases where only one train of actuation failed, the actuation of the other train would be sufficient indication that the questioned system was required. For these cases, the skill based HEP applies. For cases where both trains of actuation failed, two types of indications were considered available to the operator: instrumentation from other systems and whether or not previous safety system actuation had occurred. For example, for CLS Hi failure, the operator would have some indication that CLS Hi should actuate, if SIAS was actuated previously in the scenario.
For those cases, if alternate indication was present, the HEP was calculated from the upper joint diagnosis error in Figure 7-1 of Reference 27, corresponding to the time available for action. If no alternate indication was present, no recovery was allowed. The upper joint HEP was chosen because indirect indications are available to the operator, rather than the more direct indications in the previous case.

4.8.4.2 Quantification of Rule Based Actions

The rule based actions are identified as such in Table 4.8-1. All actions except two can be related to one of five types of sequences. The other two were quantified as independent events. The results of the HRA are summarized in Table 4.8-3. Events noted with a subscript are the human error probability contribution to a recovery event with the same identifier, which also has a hardware failure contribution. Events without a subscript represent a pure operator error which is input directly into the core damage models. This table shows the important conditions pertaining to each operator action. These are the type of applicable error probabilities (action, diagnosis, skill based), the stress level (moderate or high), and type of action (dynamic or step by step). The allowable time for diagnosis is also shown, along with the diagnosis error where applicable. The detailed work sheets supporting these calculations are shown in Appendix C of this report. The methodology is summarized here.

(1) Identification of the sequence failures and the accident conditions.
(2) Based on the cut set (and sequence), the timing of the events (i.e., occurrences, failures, alarms, indications, etc.) was established.
(3) Based on the cut set (and sequence), the symptoms and therefore the possible recovery actions (and required activities) were identified.
(4) The time available to the operator to diagnose and perform the action (and activities) was established.
(5) The probability of the operator failing to properly diagnose the accident was determined. This considered such things as operator training, simulator exercise, etc.
(6) The type of recovery action (whether 'dynamic' or 'step-by-step') was determined considering such things as the plant using symptom oriented procedures, operator training, etc.
(7) The stress level of the operator was determined considering such things as time available, difficulty of the action, training, number and timing of equipment failures, etc.
(8) The probability of the operator failing to perform the recovery action was evaluated.

For each of the major types of events, a discussion of timing, and procedures is given below. Important timing considerations are shown in Table 4.8-4 and ground rules applicable to staffing and operator responses are shown in Table 4.8-5.

4.8.4.3 HRA of Operator Actions During ATWS

Five operator actions could potentially be required during an ATWS sequence, depending on the particular course of the sequence. An HRA was performed for ATWS in which these actions were evaluated as a sequential series using a consistent set of diagnosis errors and cognitive assumptions. These five events are, in order:
* Manual reactor scram
* Turbine trip, if not done automatically
* Start AFW, if not started automatically
* Open block valve on PORV within two minutes, if PORV isolated previous to initiator
* Emergency borate, if manual scram failed

Scenario

For the purposes of the HRA, the starting point for the ATWS event is defined to be the first indication in the control room that either a) one or more RPS trip parameters have been exceeded, b) one or more reactor trip breakers have been de-energized, or c) at least one train of RPS logic has been tripped. This is the first indication the operator would have that control rod insertion should have occurred, but did not. The possibility that an ATWS could occur without one of the above indications was not considered. These indications would be accompanied by several control board status changes, including many annunciators. These indications would direct the operator toward reactor scram. The operator must trip the turbine within one minute, if it does not trip automatically. The operator must also start multiple AFW pumps within one minute, if it does not start automatically. The operator will also attempt to manually scram the reactor by activating the manual scram circuit which de-energizes the shunt trip and removes power from the control rod drive motor generator sets.* Manual scram must be accomplished in the first two minutes in order to be effective in altering the course of the transient. At approximately two minutes, the maximum pressure increase will occur, thereby demanding the pressure mitigation functions. The SRVs, and PORVs if not blocked, will open automatically. If manual scram is unsuccessful, the operator must shut the reactor down using emergency boration. This involves opening a valve from the boric acid transfer (BAT) pumps to the HPI suction and switching the BAT pump to fast speed. The operator is also instructed to open a PORV to reduce RCS pressure and thereby enhance HPI flow.

* This plant was analyzed under the incorrect assumption that power is removed from the CRD motor generator sets upon manual scram. Modifications to change the configuration at both units and render the assumption correct are scheduled for late 1990 and early 1991.

Procedures and Training

All operator actions during ATWS are clearly specified in individual steps in procedure FRP S.1. However, due to the fast acting nature of an ATWS, the operators would not have time to take a procedure from the file. All ATWS actions must be performed from memory. The initial actions which may occur during all reactor trips are considered skill based actions. These are turbine trip, reactor trip, and AFW start. Emergency boration and opening a block valve would only happen after an ATWS and are considered rule based actions. Operator training at Surry instructs the operators to immediately verify subcriticality on every transient. Whenever an operator sees indication of scram or partial scram, the operator is instructed to look at the rod position indicators and if they are not all lit red, activate manual scram, turbine trip, and then start AFW. These actions are a routine part of any reactor scram.

Timing of Operator Actions

Manual reactor trip, manual turbine trip, and manual start of AFW would all be performed as soon as the operator could look at the rod position and reach the control panel. All three controls (scram, turbine trip, and AFW start) are close together. Timing for these actions is considered to be within one minute. Opening the block valve for the PORV will occur after the operator realizes manual scram has failed. It must occur within two minutes to be effective in mitigation of the initial pressure spike. Emergency boration will be attempted within 10 minutes.

Calculated HEPs

The immediate operator actions during ATWS are skill based. Opening the block valve for the PORV and emergency boration are considered to be rule based actions. HEP for the skill based actions were assigned a value of 2.7E-3 each. Opening of the PORV block valve within two minutes to help mitigate the pressure rise is dominated by diagnosis error. The lower bound HEP for 2 minutes in Figure 7-1 of Reference 27 was used. Three actions are necessary to initiate emergency boration:
* Open Valve 1350
* Switch BAT pump to fast speed
* Open a PORV

These actions were considered as a single action for purposes of quantification. The verification HEP used for this sequence is assigned the same value as the initial HEP, that being 3.2E-2. This is unusual in that it represents a completely independent person performing the task. However, use of such a low number was considered justified for this sequence because of the attention and training devoted to ATWS since the Salem ATWS incident. A basic error rate of .032 (Item 3, Table 8-5, Reference 27) and a verification error of .032 were used. The overall HEP for failure to borate is 1E-3.

4.8.4.4 HRA for Loss of Steam Generator Cooling Events

Five human actions could potentially be required in loss of SG cooling scenarios, depending on the particular scenario and which equipment was failed. The HRA for these events considered that all five actions would be performed sequentially, as directed by procedure. The operator would follow procedures step by step until the sequence was mitigated. The five potential actions are:
* Manual start of AFW, if it failed to actuate
* Restore MFW, if possible
* Align AFW from Unit 2 if not able to get AFW or MFW from Unit 1
* Establish HPI if AFW-Unit 2 fails
* Open PORVs to allow feed and bleed

Scenario

The scenario for this sequence begins with feedwater makeup to the steam generator being unavailable. Water level in the steam generator is decreasing. For purposes of HRA model development, it was determined that the operator would have 30 minutes from reactor trip before there is inadequate heat removal through the steam generators. If feedwater to the SGs had not been restored by that time, operators would initiate feed and bleed cooling. There are three ways to provide steam generator feed at Surry: AFW at Unit 1, MFW at Unit 1, and AFW at Unit 2. The operator would attempt these in order of preference, as directed by procedures.

Procedures and Training

All of the actions listed above are explicitly directed by procedures. A pathway through the procedures was identified as follows. The operator would start EP 1.00 (reactor trip) within 10 minutes of trip. If no SI signal is present (which should be the case), the operator is directed to EP 1.01 (Recovery from reactor trip) where in step 3, the operator is directed to establish feedwater with either MFW or AFW from Unit 1. If neither of these are available, the operator could cross connect AFW from Unit 2 in anticipation of the direction to the FRP, or try and restore Unit 1 systems, holding off on Unit 2 until the STA was directed to the FRP by inadequate feed flow. Functional Restoration Procedure H.1 is applicable to this sequence. Step 2 of FRP H.1 directs a cross connect of AFW from Unit 2. This action can be done entirely from the main control room. If this fails, the operator is directed to try to restore MFW or depressurize the SGs and use the condensate pumps to supply feed flow. If these fail, steps 10 through 15 of FRP H.1 direct the operator to go to feed and bleed.

Timing

The timing considerations of the HRA model required AFW to be restored within 30 minutes. If this was not possible, feed and bleed cooling must be in place by 45 minutes. Manual start of AFW is a simple operation which could be done quickly. Cross connect of AFW from Unit 2 involves opening two valves in the cross header, closing six valves in the Unit 2 discharge headers and starting an AFW pump. This was estimated to require 5 to 10 minutes. Initiation of feed and bleed also requires 10 minutes. It involves opening the HPI suction and discharge valves and opening the PORVs.

Calculated HEPs

Diagnosis error was not postulated for the actions associated with restoration of steam generator feed. These actions are all clearly directed by procedure, and the sequence timing allows adequate time to get to the appropriate steps. Feed and bleed, on the other hand, was assigned a diagnosis error when it was necessitated by a previous operator error to restore steam generator feed. Diagnosis error was not postulated for feed and bleed when it was necessitated by mechanical failures of AFW or MFW. Each individual action was assigned an initial error probability of .032 (Item 3, Table 8-5, Reference 27) and a verification factor of .32 (Item 6, Table 8-5, Reference 27). For all feed and bleed actions necessitated by previous operator error, the basic HEPs were increased by a factor of two to account for time stress. Feed and bleed is only attempted in response to loss of steam generator feed, which implies previous actions to restore feed flow were attempted and failed. Time stress is present when previous actions have failed and a new action is being done within the original time constraints.
4.8.4.5 HRA of Operator Actions During Small Break Sequences

Six human actions are of interest during small break sequences in response to loss of injection or recirculation. An HRA was done for these sequences which evaluated these actions as a sequential series of events. One of these actions, RCS cooldown and depressurization, is directed as a standard procedure for all small breaks and was thus included in the integrated HRA.

Scenario

Small break sequences are considered to be initiated on reactor trip caused by low RCS pressure. Most of these sequences will be accompanied by an SI signal. The normal sequence of events would be for HPI to automatically actuate and provide makeup flow. But, for various reasons, ECCS may fail in injection or recirculation. The possible recovery actions associated with these initial loss of HPI sequences are:
* Isolate PORV if LOCA is caused by stuck open PORV.
* Start charging pump C (standby pump) if pumps A and B are not running.
* Open alternate injection path through MOV 1842, or MOV 1869A and 1869B.
* Align HPI from Unit 2.
* Cross connect the RWST from Unit 2 to ECCS at Unit 1.

All of these events would not necessarily apply to the same sequence. But the operator may attempt one or more of these corrective actions until the coolant makeup function was restored.

Procedures and Training

All of these actions are explicitly called out in the Surry procedures. Depending on the particular initiator, different pathways through the procedures can be postulated. If the break is large enough to initiate an SI signal, the operator would be in EP 1.0 or EP 2.0. If a reactor trip on low pressurizer pressure occurs with no SI, or low pressurizer pressure occurs with no reactor trip, the operator could be in procedures EP 1.01 or AP-42 respectively. Both of these procedures call for manual SIAS, if needed, and manual starting of the standby charging pump, if needed. If SI flow from the charging system fails, monitoring of the core status trees would direct the operator to FRP C.2. In this procedure the operator is instructed to open valves in the alternate injection paths and, if flow is still not available, cross connect HPI from Unit 2. Loss of coolant recirculation is addressed directly in ECA 2.0. In this procedure the operator is directed to cross connect charging pumps or the RWST from Unit 2 as necessary to restore coolant makeup to Unit 1.

Timing

The key timing parameter for these actions is the time to core uncovery. Restoration of HPI flow or isolation of the break up to the time of core uncovery was considered sufficient to prevent core damage. Core uncovery times were estimated for each of the initiator types (S1, S2, S3, TQ). They varied from 15 minutes for S1 to 2 hours for S3. See Appendix D for the derivation of core uncovery times.

The first three operator actions in the series are simple actions and can be performed in a very short time, from the control room. In order to cross connect HPI flow from Unit 2, however, an operator must leave the control room to manually open/close valves in the charging pump area. It was estimated that cross connect of HPI would require 15 to 20 minutes. Considering that the decision to use it would not come until 15 to 20 minutes after reactor trip, these timing constraints made HPI cross connect unavailable for use in the S1 and S2 LOCAs.

Calculation of HEPs

Failure to isolate a stuck open PORV was considered a skill based action and assigned a probability of 2.7E-3. Starting of the standby charging pump and opening the alternate injection paths were also considered to be skill based actions, as defined in Reference 27, and were consequently assigned an HEP of 2.7E-3. Cross connect of HPI from Unit 2 was considered to be a rule based action and was considered to require diagnosis. This derives from the cross connect being directed in the FRPs, which are not directly referenced from the EPs. The lowest level C series FRP which specifies cross connect of HPI from Unit 2 is C.2. This procedure will not be entered until subcooling is less than 30°F and core outlet T/C are greater than 700°F or Reactor Vessel Level indicates less than 42%. By the time these conditions occur, the required 20 minutes to cross connect HPI before core uncovery may not be available. Therefore, it was postulated that the need to cross connect would have to be diagnosed before the procedures directed it to happen.

Cross connect of HPI requires opening valves outside the control room to be coordinated with pump operation in the control room. The cross connect operation was considered to be three operations: (a) isolating the charging pump at Unit 2, (b) starting the charging pump at Unit 2, and (c) opening the cross tie valves in the auxiliary building. Each of these was assigned a basic HEP of .032, with a verification of .32.
4.8.4.6 Operator Actions During Loss of Offsite Power and Station Blackout

Several operator actions appear in the loss of offsite power trees and the station blackout model. Some of these actions appear singularly and some appear with others in the same cut set. Where two operator actions appear in the same cut set, they were analyzed as a coupled pair of events, including consideration of relationships between the two events for dependency and timing. A discussion of each individual event is presented below.

Restore Stub Bus

At Surry, the RHR pump and the CCW pump are on a separate bus from the main 4160V emergency bus. It is called a stub bus. It is normally powered from the main 4160V bus, but is load shed after a loss of offsite power event. It is not automatically reconnected, but must be manually reloaded onto the main bus by the operator. Under no circumstances is CCW needed in the T1 models at less than one hour. This was quantified as a procedure directed, step by step action, under moderate stress, with a single verification. The error probability was 1.1E-2.

Align Alternate Source of Condensate to CST

The primary source of condensate for the AFW system is a 100,000 gallon tank (TNK-1A). This is nominally sufficient for the duration of a station blackout event. But, in the event an SG becomes faulted, the increased AFW flow would require the provision of additional condensate. This can be provided by aligning a 300,000 gallon tank (TNK-2) to TNK-1A. In addition to opening one valve between the two tanks, a valve between the hotwell and TNK-2 must be closed in order to assure continued inventory in TNK-2. These actions are modeled as procedure directed, step by step, with moderate stress. These actions are manual local actions. They were modeled as two separate actions, of .032 each, with no verification due to the local condition.

Isolation of a Condenser Water Box

Surry has a gravity fed service water system which relies on the head difference between the intake canal and the discharge canal. The intake canal is resupplied with water by the circulating water pumps. During loss of offsite power the circulating water pumps are unavailable. In the event that a condenser fails to isolate, the outflow through the condenser is greater than the makeup provided by the diesel driven emergency service water pumps. Canal drainage may occur before the restoration of offsite power, depending on the number of condensers that fail to isolate and the time at which power is restored. In any event, it is possible to assure water inventory for HPI service water loads by isolating the condenser inlet valve on the particular service water pipe which provides suction for the HPI-SW pumps. The wash through from the emergency service water pumps would be sufficient to maintain the pipe full and provide a suction source for the HPI service water. Each condenser isolation valve is provided with a hand wheel, located in the turbine building. The action was modeled as a step by step, rule based action, including a diagnosis error to diagnose the need for such an isolation and to select the appropriate service water line for isolation.

Cooldown and Depressurize the RCS

The ECAs at Surry call for depressurization of the secondary side of the steam generators during a station blackout. This is a procedure directed action, modeled as four independent steps, each with an overall HEP of .011. This action is done through manual, local valve line ups. Although the actions occur locally, a verification error was applied to each step, because of the central focus of primary depressurization during a station blackout.

Cross connect AFW from Unit 2

In the event that AFW fails during a station blackout, cross connect of AFW from Unit 2 is the only available recovery option. The actions required for this event are just like those discussed in Section 4.8.4.4, but the operation is complicated by the unavailability of power to all the valves at Unit 1 and the additional constraint that both units are affected by a T1 event and thus both units require AFW. For the case of a single unit blackout, cross connect of AFW was credited if two AFW pumps were available at Unit 2 (i.e., a MDP and the TDP). Cross connect of AFW would require isolation of the Unit 2 AFW system, at the pump discharge headers, into two separate parts, one to feed each unit. A diagnosis error was included to consider this alternate method of cross connect. For the two unit blackout, cross connect of AFW implies feeding SGs at both units with one turbine driven pump. Partitioning of flow would have to be done via manual throttling of the discharge header valves, in order to balance the pressure drops between piping in both units and thus balance the flows between units. This was considered a dynamic action, and accorded a higher HEP.

Cross connect of Seal Injection from Unit 2

During a one unit station blackout, it is possible to use the operable charging pump at Unit 2 to provide seal injection flow to both units. The actions for alignment of this system are the same as discussed in Section 4.8.4.5, but unavailability of AC power causes the need to balance flows with manual valve throttling. These actions were considered dynamic actions and accorded appropriate HEPs.

4.8.4.7 HRA of Operator Actions During Steam Generator Tube Rupture (SGTR)

The steam generator tube rupture event requires operator actions to cool down and depressurize the RCS in order to safely mitigate this initiator.
Failure to equalize primary and secondary pressure will lead to continued influx of primary inventory to the SG. The water will boil off to the condenser or blow through the relief valve if the MSIVs are closed. Since the scenario modeled in this study assumes the operator will identify the ruptured SG and close the MSIV, failure to equalize primary and secondary pressures will lead to a steam generator relief valve demand within an hour. Continued failure to depressurize and control safety injection flow will cause continued relief valve demands, possibly leading to the valve passing water. Should the valve fail to reclose after passing steam or water, uncontrolled blowdown would occur. The faulted steam generator now requires additional operator actions to safely mitigate the sequence. Depending on the particular failures which lead to loss of secondary side integrity, operator actions to isolate the SG or depressurize the RCS to atmospheric are required.

Other SGTR sequences involve the failure of AFW, the failure of HPI, and the failing open of a pressurizer PORV. For SGTR sequences involving loss of AFW, the operator must cross connect AFW or restore main feedwater in order to initiate and maintain cooldown, which is required for depressurization. As the postulated tube rupture is large enough to cause an SI signal, MFW will be isolated. Although the MSIVs can be expected to remain open, the SI signal must be overridden to restore MFW. The other important sequence involves failure of HPI to provide SI flow. The most direct operator recovery is to cross connect HPI from Unit 2. However, if the operator depressurizes the RCS, the break flow will stop and SI flow is no longer needed.

Scenario

Steam generator tube rupture sequences are considered to begin with a simultaneous double ended rupture of a single steam generator tube. Very closely in time thereafter, an SI signal will occur on low pressurizer pressure. The immediate concern for the operator, after identifying the event as a steam generator tube rupture, is to identify the ruptured SG, isolate the ruptured SG and then initiate cooldown of the RCS and depressurization of the RCS to equalize pressures in the RCS and ruptured SG. For the purposes of timing in this HRA model, it was considered that cooldown of the RCS must begin by 15 minutes after the tube rupture in order to have pressure equalized by 40 minutes and thus prevent pressurization of the ruptured SG, which would cause the relief valve to lift. In the extreme case of depressurization failure with no control of SI flow, the relief valve would continue to be demanded. At some point, the break flow would become subcooled with respect to the SG relief valve set point. Now the SG will fill with water until the dryers and separators are covered. The next relief valve demand will result in the valve passing water. The valve was considered to fail open after passing water. Therefore, in the extreme, failure to depressurize within 40 minutes without subsequent action in the near term to correct the mistake would lead directly to a loss of SG integrity due to failure of safety valves to reclose after passing subcooled water. Loss of SG integrity can also occur from failure of other lines to isolate.

Loss of SG integrity, however, does not lead directly to core damage. A time period of at least 10 hours is available to recover from such an event. Applicable recovery options were to a) depressurize the reactor to atmospheric, b) depressurize the reactor to such a point that leakage is minimal and can be matched by RWST refill, or c) provide isolation of the faulted paths, if possible, via closure of isolation valves.

For sequence T7L3 (loss of AFW), the operator must provide AFW from Unit 2 or recover MFW in sufficient time to proceed with cooldown and depressurization. The residual SG inventory is sufficient to start cooldown. The HRA model considered that alternate feed would need to be in place within 20 minutes in order to continue cooldown.

In sequence T7D1, the operator must recover HPI flow within 2 hours, based on initial break flow size, to prevent core uncovery. However, if the operator depressurizes the primary to less than secondary pressure, the break flow will cease and there is no need to recover HPI flow. The timing for required depressurization in this sequence was assumed to be the same as for the sequences when HPI succeeds, although there may in fact be more time to depressurize. This sequence is not significant compared to other SGTR sequences, so it was not expedient to engage in additional analysis for this sequence. Modeling of the T7D1 sequence considered the failed HPI flow to be the primary focus of attention and the SGTR to be the secondary focus, until HPI flow was restored.

Procedures and Training

Operator actions for steam generator tube rupture are directed by the EP 4.0 series. The operator may initiate EP 4.0 based on diagnosis of a SGTR, or he may initially respond with EP 1.0 (Reactor Trip/SI). Step 22 of EP 1.0 directs the operator to check for ruptured tubes and directs him to EP 4.0. Recovery from a faulted SG is covered by EP 3.0.

Calculated HEPs

Operator actions associated with cooldown and depressurization were considered to be step by step actions under moderate stress. Although depressurization and cooldown are procedure directed, a diagnosis error was included for tube rupture sequences, because it was considered that there is insufficient time for the operator to select EP 1.0 and work through the procedure to the cross reference to EP 4.0 and initiate depressurization within 15 minutes. The operator must select the SGTR procedure after reactor trip in order to be ready to initiate cooldown at 15 minutes, thus the need for a diagnosis error in the overall HEP.

The HRA for the long term recovery actions in response to a faulted-ruptured SG contained subjective decisions concerning how low the error probability should be. The situation is that an initial operator error was committed, thus increasing the probability of future operator errors, but the time period is long enough to justify a very low HEP. In the final decision, the ASEP HRA guidelines on HEPs were invoked. These resulted in the calculation of 1.4E-2 for recovery after initial error.

4.8.5 Innovative Recovery

One possible innovative recovery action was identified, that being to gag a stuck open SG safety valve while the system was pressurized.

For steam generator tube rupture sequences with a subsequent loss of steam generator integrity, the timing of the sequence allows approximately 10 hours to mitigate the inventory loss before depletion of the RWST. Mitigation is possible through two methods: a) depressurization to a low enough pressure that flow is minimal and tolerable, or b) reestablishing SG integrity by closure of an isolation valve. A special case is presented when the loss of integrity is due to a failed safety valve, because the safety valves are not isolable. For some sequences, such as those with tube rupture and subsequent loss of instrument air, depressurization is not possible. These sequences may initially appear to be unrecoverable, but given the 10 hour time period to RWST depletion, consideration was given to innovative recovery actions. One in particular was to gag the relief valve while it was blowing down. The questions in determining its probability were the physical realities of the environment under which this action could be done, rather than the probability of the generation of the tion. Following the guidelines for innovative recovery probabilities, a failure probability of 3E-1 was used.
TABLE 4.8-1 HUMAN ACTIONS QUANTIFIED IN THE SURRY PRA

Each entry gives the action, followed by the identifier used in the system models.

A. Pre Initiator Action
* Restoration of CSS Valves after pump test: CSS-XVM-RE-XV15, CSS-XVM-RE-XV8
* Miscalibration of RWST Water Level Sensors: RMT-CCF-FA-MSCAL

B. Post Initiator Actions

B.1 Skill-Based Actions
* Manual Activation of SI: SIS-XHE-FO-MANS1, SIS-XHE-FO-MANS2, SIS-XHE-FO-MANS3
* Manual Activation of CLCS: CLS-XHE-FO-MAN-A, CLS-XHE-FO-MANS1, CLS-XHE-FO-MANS2
* Manual Activation of RMTS: RMT-XHE-FO-MANS2
* Manual Activation of AFW: AFW-XHE-FO-MNACT
* Manual Reactor Trip: R
* Open alternate injection path for SI flow: HPI-XHE-FO-ALT, HPI-XHE-FO-ALTIN, HPI-XHE-FO-ALTI3, HPI-XHE-FO-ALTS3
* Manual start charging pump C: HPI-XHE-FO-PLLCK
* Close PORV block valve: PPS-MOV-FC-OPER
* Manual turbine trip: PCS-XHE-FO-TBTRP

B.2 Rule Based Actions

B.2.1 LOSP Sequences
* Restore Stub Bus: ACP-XHE-FO-STBBS
* Align back-up source of condensate to CST: AFW-XHE-FO-CST2
* Isolate condenser water boxes: MCW-CCF-VF-SBO
* Cooldown and depressurize RCS: 0
* Cross connect AFW from Unit 2: AFW-XHE-FO-U1SBO, AFW-XHE-FO-U2SBO
* Cross connect seal injection flow from Unit 2: REC-XHE-FO-SCOOL

B.2.2 SGTR Sequences
* Cooldown and depressurize RCS: RCS-XHE-FO-DPRT7, RCS-XHE-FO-DPT7D, REC-XHE-FO-DPRES
* Isolate faulted steam generator: MSS-XHE-FO-BLOCK, MSS-XHE-FO-ISAFW, MSS-XHE-FO-ISBDN, MSS-XHE-FO-ISDHR

B.2.3 Loss of Steam Generator Cooling Sequences
* Cross connect AFW from Unit 2: AFW-XHE-FO-UNIT2
* Initiate feed and bleed cooling: HPI-XHE-FO-FDBLD, PPS-XHE-FO-PORVS, PPS-XHE-FO-1PORV
* Fail to Restore Main Feedwater: M

B.2.4 ATWS Sequences
* Initiate emergency boration: PPS-XHE-FO-EMBOR
* Open pressurizer PORV, Block Valve: PPS-XHE-FO-UNBLK

B.2.5 Small Break Sequences
* Cross connect HPI from Unit 2: HPI-XHE-FO-UN2H1, HPI-XHE-FO-UN2S2, HPI-XHE-FO-UN2S3, HPI-XHE-FO-20DH2, HPI-XHE-FO-30DH2
* Cross connect RWST from Unit 2: Incorporated in above category.
* Cooldown and depressurize the RCS: RCS-XHE-FO-DPRES

B.2.6 Others
* Realign HPI-SW to bypass failed strainer: CPC-XHE-FO-CMNS2, CPC-XHE-FO-SMNS1, CPC-XHE-FO-SMNS2, CPC-XHE-FO-REALN
* Reconfigure to hot leg recirculation: LPR-XHE-FO-HOTLG
* Manual Activation of RMTS: RMT-XHE-FO-MAN-A, RMT-XHE-FO-MANS1
Table 4.8-2 Groundrules For Calculation of Common Miscalibration Error Probabilities

1. Common cause miscalibration errors postulated for CLS Hi-Hi, CLS Hi, SIAS, and RMTS.
2. Miscalibration of enough sensors to fail both trains of the actuation system was of interest. Logic arrangements for each actuation were considered.
3. Probability of common cause miscalibration was calculated in accordance with Reference 27.
4. Miscalibration of sensor or bistable possible. Miscalibration is necessarily of significant magnitude and in the failure position, in order to provide entirely false information.
TABLE 4.8-3 SUMMARY OF HRA RESULTS

Columns, separated by semicolons: IDENTIFIER; SEQUENCE; TYPE (1); STRESS LEVEL (2); ACTION TYPE (3); DIAGNOSIS (4); ACTION ERROR; MEAN. A dash marks an empty cell.

ACP-XHE-FO-STBBS; T1; A-(PD); MOD; SBS; -; .011; 1.1E-2
AFW-XHE-FO-CST2HRA; SBO; A-(PD); MOD; SBS; -; .064; 6.4E-2
AFW-XHE-FO-MNACT; ALL; SB; -; -; -; -; 2.66E-3
AFW-XHE-FO-U1SBOHRA; SBO-U1; A+REDIAG.; MOD; SBS; MED @ 20 MIN, .026; .022; 4.8E-2
AFW-XHE-FO-U2SBO; SBO-U1/U2; A-(PD); MOD; SBS+DYN; -; .011 + .064; 7.5E-2
AFW-XHE-FO-UNIT2HRA; T1,T2,T3,S2,S3,T7; A-(PD); MOD; SBS; -; .033; 3.3E-2
CLS-XHE-FO-MAN-A; A; SB; -; -; -; -; 2.66E-3
CLS-XHE-FO-MANS1; S1; SB; -; -; -; -; 2.66E-3
CLS-XHE-FO-MANS2; S2; SB; -; -; -; -; 2.66E-3
CPC-XHE-FO-CMNS2; S2; A+D; MOD; SBS; UB @ 30 MIN, .0266; .011; 3.76E-2
CPC-XHE-FO-REALNHRA; ALL; A+D; MOD; SBS; UB @ 30 MIN, .0266; .032; 5.86E-2
CPC-XHE-FO-SMNS1; S1; A+D; MOD; SBS; UB @ 30 MIN, .0266; .011; 3.76E-2
CPC-XHE-FO-SMNS2; S2; A+D; MOD; SBS; UB @ 30 MIN, .0266; .011; 3.76E-2
HPI-XHE-FO-ALTHRA; S1,S2; SB; -; -; -; -; 2.66E-3
HPI-XHE-FO-ALTINHRA; S1,S2; SB; -; -; -; -; 2.66E-3
HPI-XHE-FO-ALTI3HRA (CONTROL ROOM); S3,T7D1; SB; -; -; -; -; 2.66E-3
HPI-XHE-FO-ALTI3HRA (LOCAL); S3,T7D1; A; MOD; SBS; -; .064; 6.4E-2
HPI-XHE-FO-ALTS3HRA (CONTROL ROOM); S3,T7D1; SB; -; -; -; -; 2.66E-3
HPI-XHE-FO-ALTS3HRA (LOCAL); S3,T7D1; A; MOD; SBS; -; .064; 6.4E-2
HPI-XHE-FO-FDBLD; ALL L MECH; A-(PD); MOD; SBS; -; .011; 1.1E-2
HPI-XHE-FO-FDBLD; ALL L XHE; A+D; TIME STRESS; SBS; MED @ 20 MIN, .0266; .011 * 4; 7.1E-2
HPI-XHE-FO-PLLCK; ALL; SB; -; -; -; -; 2.66E-3
HPI-XHE-FO-UN2H1HRA; S2H1, S3W3H1; A; MOD, TIME STRESS; SBS; -; .011 * .132; 1.45E-3
HPI-XHE-FO-UN2S2HRA; S2D1; A+D; MOD; SBS; 2ND EVENT, MED @ 20 MIN, .266; .033; 3.0E-1
HPI-XHE-FO-UN2S3HRA; S3D1, T7D1; A+D; MOD; SBS; 2ND EVENT, MED @ 125 MIN, 5.2E-4; .033; 3.4E-2
HPI-XHE-FO-20DH2HRA; S20DH2, S20DH1; A+D; MOD, TIME STRESS; SBS; MED @ 30 MIN, .00266; .011 * .132; 4.11E-3
HPI-XHE-FO-30DH2HRA; S30DH2, S30DH1; A+D; MOD, TIME STRESS; SBS; MED @ 125 MIN, 5.2E-4; .011 * .132; 1.97E-3
LPR-XHE-FO-HOTLG; A, S1; A; LOW; SBS; -; (.02 * .02) .1; 4.00E-5
MHRA; T3; SB; -; -; -; -; 2.66E-3
MCW-CCF-VF-SBOHRA; SBO; A+D; MOD; SBS; UB @ 30 MIN, .0266; .032; 5.86E-2
MSS-XHE-FO-BLOCK; T7; A-(PD); MOD; SBS; -; .032; 6.4E-2 (HEP increased by a factor of two to account for potentially inhibiting environment.)
MSS-XHE-FO-ISAFWHRA; T7; A-(PD); MOD; SBS; Must depressurize or isolate: HEP conditional on previous failure to depressurize; -; 3.4E-3
MSS-XHE-FO-ISBDN; T7; A-(PD); MOD; SBS; Must depressurize or isolate: HEP conditional on previous failure to depressurize; -; 3.4E-3
0; SBO; A-(PD); MOD; SBS; -; .044; 4.4E-2
PCS-XHE-FO-TBTRP; ATWS; SB; -; -; -; -; 2.66E-3
PPS-MOV-FC-OPER; ALL; SB; -; -; -; -; 2.66E-3
PPS-XHE-FO-EMBOR; ATWS; A; MOD; SBS; -; 1.0E-3; 1.0E-3
PPS-XHE-FO-PORVS; ALL L MECH; A-(PD); MOD; SBS; -; .011; 1.1E-2
PPS-XHE-FO-PORVS; ALL L XHE; A-(PD); TIME STRESS; SBS; -; .011 * 4; 4.4E-2
PPS-XHE-FO-UNBLK; ATWS; A+D; MOD; SBS; LB @ 2 MIN, .20; .032; 2.3E-1
RHRA; ATWS; SB; -; -; -; -; 2.66E-3
RCS-XHE-FO-DPRES; S2,S3; A-(PD); MOD; SBS; -; .022; 2.2E-2
RCS-XHE-FO-DPRT7; T7; A+D; MOD; SBS; LB @ 15 MIN, .0068; .022; 2.9E-2
RCS-XHE-FO-DPT7D; T7D1; A+D; MOD; DYN; 2ND EVENT, MED @ 20 MIN, .266; .064 * 2; 4.02E-1
REC-XHE-FO-DPRES; T7; A-(PD); MOD; SBS; HEP conditional on previous failure to depressurize; -; 1.40E-2
REC-XHE-FO-SCOOL; SBO-U1; A-(PD); MOD; DYN; -; .0614 + .064; 1.25E-1
RMT-XHE-FO-MAN-A; A; A-(PD); EXT; SBS; -; .064; 6.4E-2
RMT-XHE-FO-MANS1; S1; A-(PD); EXT; SBS; -; .064; 6.4E-2
RMT-XHE-FO-MANS2; S2; SB; -; -; -; -; 2.66E-3
SIS-XHE-FO-MANS1; S1; SB; -; -; -; -; 2.66E-3
SIS-XHE-FO-MANS2; S1; SB; -; -; -; -; 2.66E-3
SIS-XHE-FO-MANS3; S1; SB; -; -; -; -; 2.66E-3
NOTES TO TABLE 4.8-3:

1. TYPE:
* A: Action.
* A+D: Action plus diagnosis.
* A-(PD): Procedure directed action.
* A+REDIAG.: Action plus rediagnosis.
* SB: Skill based.

2. STRESS LEVEL:
* EXT: Extreme stress.
* MOD: Moderate stress.
* LOW: Low stress.
* TIME STRESS: Stress from time constraints.

3. ACTION TYPE:
* DYN: Dynamic actions.
* SBS: Step by step actions.
* SBS+DYN: Step by step and dynamic actions.

4. DIAGNOSIS:
* DEPRESS: Depressurize.
* LB: Lower bound.
* MED: Median.
* MIN: Minutes.
* UB: Upper bound.
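The rows of Table 4.8-3 can be checked for transcription damage by recomputing each printed mean from its parts. The script below is an added example, not part of the report: it assumes the mean is the action error plus the diagnosis error (the relationship the rows themselves show), and it reads OCR-damaged characters in the scanned values as the nearest digit.

```python
from decimal import Decimal, ROUND_HALF_UP

# Rows transcribed from Table 4.8-3 as it appears on this page:
# (identifier, action error expression, diagnosis error or None, printed mean).
# Damaged characters (for example "7.SE-2") are read as digits; that reading
# is an assumption of this example.
ROWS = [
    ("ACP-XHE-FO-STBBS", ".011", None, "1.1E-2"),
    ("AFW-XHE-FO-U2SBO", ".011 + .064", None, "7.5E-2"),
    ("CPC-XHE-FO-CMNS2", ".011", ".0266", "3.76E-2"),
    ("HPI-XHE-FO-FDBLD (ALL L XHE)", ".011 * 4", ".0266", "7.1E-2"),
    ("HPI-XHE-FO-UN2H1", ".011 * .132", None, "1.45E-3"),
    ("HPI-XHE-FO-UN2S2", ".033", ".266", "3.0E-1"),
    ("HPI-XHE-FO-20DH2", ".011 * .132", ".00266", "4.11E-3"),
    ("PPS-XHE-FO-UNBLK", ".032", ".20", "2.3E-1"),
    ("RCS-XHE-FO-DPRT7", ".022", ".0068", "2.9E-2"),
    ("RCS-XHE-FO-DPT7D", ".064 * 2", ".266", "4.02E-1"),
    ("REC-XHE-FO-SCOOL", ".0614 + .064", None, "1.25E-1"),
]


def evaluate(expr):
    """Evaluate a table expression built only from '+' and '*' exactly."""
    total = Decimal(0)
    for term in expr.split("+"):
        product = Decimal(1)
        for factor in term.split("*"):
            product *= Decimal(factor.strip())
        total += product
    return total


def check_row(action_expr, diagnosis, printed_mean):
    """Return (matches, computed) for one row.

    The computed value is rounded to the precision of the printed mean,
    so "7.1E-2" is compared at three decimal places.
    """
    computed = evaluate(action_expr)
    if diagnosis is not None:
        computed += Decimal(diagnosis)
    printed = Decimal(printed_mean)
    quantum = Decimal(1).scaleb(printed.as_tuple().exponent)
    rounded = computed.quantize(quantum, rounding=ROUND_HALF_UP)
    return rounded == printed, computed


def audit(rows):
    """List the rows whose printed mean does not follow from its parts."""
    flagged = []
    for ident, action_expr, diagnosis, printed in rows:
        ok, computed = check_row(action_expr, diagnosis, printed)
        if not ok:
            flagged.append((ident, printed, str(computed)))
    return flagged


if __name__ == "__main__":
    for ident, printed, computed in audit(ROWS):
        print(f"{ident}: printed {printed}, parts give {computed}")
```

A row that fails the check is a prompt to compare it with the scanned page; the script does not decide which of the printed values is the damaged one.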
Table 4.8-4 Allowable Times for Operator Action

Columns, separated by semicolons: Recovery Action; Sequence; Reference Time; Maximum Allowable Restoration Time; Source. A dash marks an empty cell.

Restore SG Cooling; TML; Rx Trip; 30m; W-EPG
Restore SG Cooling; ATWS; Initiator; 60s; WCAP 8330
Initiate Feed & Bleed; TML; Rx Trip; 45m; W-EPG
Restore HPI Flow; TQD; t(Q); 60m; See Appendix D
Restore HPI Flow; S2D; Rx Trip; 35m; -
Restore HPI Flow; S1D; Rx Trip; 20m; -
Restore HPI Flow; S3D; Rx Trip; 2 hr; -
Emergency Boration; ATWS; Initiator; 10m; WCAP 8330
Isolate PORV; TQD; t(Q); 60m; NUREG 1032
Restore HPI and SG Cooling; TML; Rx Trip; 60m; NUREG 1032
Depressurize RCS; SGTR; Rx Trip; 40m; -
Manual Scram; ATWS; Initiator; 2m; WCAP-8330
Turbine Trip; ATWS; Initiator; 1m; WCAP-8330
Open PORV Block; ATWS; Initiator; 90s; Estimate
Manual RMT; A; RMT Signal (18% RWST); 5m; Calculated
Manual RMT; S1; RMT Signal (18% RWST); 9m; Calculated

Table 4.8-5 Groundrules For Surry HRA

1. One SRO and one RO for Unit 1 assumed in the control room at all times.
2. Actions done outside the control room could be performed by any plant personnel except Unit 1 SRO, RO, and STA. All actions outside the control room require at least 10 minutes transit time.
3. STA assumed to be in the control room within 10 minutes of any reactor scram.
4. SRO/RO will initiate EPs or ECAs.
5. Upon arrival in the control room, STA will monitor parameters of critical safety functions in accordance with CSF status trees. If these parameters exceed predetermined limits, the operators will be directed to a functional restoration procedure.
6. HRA based on procedure revisions current in March 1988.
7. If operator finds improper equipment status during SI verification or CLS Hi-Hi verification, it is assumed he will take immediate action from the control room or immediately dispatch someone to restore equipment to desired status outside the control room.
8. Operator will read each step of each required procedure.
9. Operator will read all procedure steps correctly.
10. In the HRA models, if any single action is credited and postulated to fail three times, no further credit is given for that action.
11. As a guideline, minimum diagnosis errors of 1E-4 for the short term (about 2 hrs) and 1E-5 for the long term were imposed. Lower error probabilities were used only if convincing circumstances could justify their use.
12. As a guideline, overall error probabilities less than 1E-4 were not used unless justified by convincing circumstances.
4.9 Data Base Development

The following sections identify the sources used to establish the data base for quantification of the Surry sequences, assumptions used in the data development, and limitations associated with the data, and provide a complete listing of all values used in the Surry sequence quantification and importance/uncertainty analyses.

4.9.1 Sources of Information for Data Base

The data in the Surry data base includes both plant specific and generic data. Where sufficient plant specific operational data was available for important components or where potential plant specific common cause failures were identified, plant specific data was used. Table 4.9-1 summarizes the plant specific data used in the quantification. The derivation of the plant specific data is detailed in Appendix D. Data for nearly all other individual components were derived from the ASEP generic data base. Probabilities of actuation system-train failure were derived from the ASEP generic data. NUREG/CR-2728 and the Zion Probabilistic Safety Study (18) supplemented the generic data base.

Certain events that have little or no data (including experimental data) proved to be important in the final results. For these events, a panel of experts was polled to provide the best estimate of probabilities and distribution types for that particular event. There were two types of panels involved in this process, internal and external. The internal panel was used for events of lesser importance, and consisted of selected representatives from the probabilistic risk assessment (PRA) teams and Sandia analysts. The external panel consisted of utility, vendor, and PRA representatives. For the Surry analysis, external elicitations were conducted on the reactor coolant pump seal LOCA model and interfacing LOCA.

Initiating event frequencies were derived from several sources and are listed in Table 4.9-2. The frequency of loss of offsite power (T1) and associated power recovery factors were based on data from NUREG-5032. A discussion of this analysis is in Appendix D. Frequencies for initiating event category T (turbine trip with MFW available) and T2 (loss of main feedwater) were derived from Surry specific data listed in NUREG/CR-3862. The frequency of T5 (loss of DC electrical bus) was derived from generic data for the postulated faults leading to the loss of the bus. Loss of Coolant Accident (LOCA) initiating event frequencies were developed based on a survey of frequencies used for similar size LOCAs in previous PWR PRAs. The S3 (Very Small LOCA) and steam generator tube rupture T7 initiating event frequencies were calculated based on a review of PWR operating history. Anticipated Transient Without Scram initiating event frequencies were developed using the guidelines of NUREG-1000.

Values for the beta factors used in the accident sequence quantification were derived in NUREG/CR-4550, Volume 1. Table 4.9-3 summarizes these beta factors. Plant specific beta factors were developed for the Charging Pump Cooling Service Water Strainers and Service Water motor operated valves isolating the recirculation spray heat exchangers. Application of the beta factors is discussed in Section 4.7.

Operator actions identified in the fault trees and recovery actions in the accident sequence quantification were evaluated using the human error probabilities (HEPs) in A. D. Swain's ASEP HRA Procedures. The evaluation of these probabilities is detailed in Section 4.8. Table 4.9-4 summarizes the HEP data, describing the events and showing the diagnosis and action error contributions.
The subscript 'HRA' denotes that this is the human error contribution to a recovery factor with the same identifier. Events without subscripts are HRA contributions that have no hardware contributions and thus represent the total unavailability.

Probabilities for failure to perform recovery actions have a human error component and a hardware failure component. Generally, both elements are represented in the recovery event. Sometimes the hardware element is stated as a separate event, and sometimes the human error element or the hardware element dominates the recovery probability so much that the non-dominant element is ignored. Table 4.9-5 summarizes the recovery factors. The table shows how the HEPs are combined with hardware unavailabilities to form recovery factors. The hardware unavailability is summed with the associated human error. In cases where two recovery options are available, the total unavailability of the first option is multiplied by the sum of the alternate path human and hardware errors. Human error for the alternate action is increased to account for the previous failure. Diagnosis error is added to the resultant product. Discussions of the recovery factors and the contributors to the hardware unavailability are included in Section 4.10.

4.9.2 Limitations in the Data Base

No specific limitations were identified in the Surry data base.

4.9.3 Data Base Description

The data used to calculate point estimates of the accident sequence frequencies were mean values. The distributions of the values are as described above. Table 4.9-6 provides a summary of miscellaneous event data; values used for "black box" top events in the event trees. A complete listing of all values used in the fault tree and accident sequence quantification is provided in Table 4.9-7. Each fault, initiating event, or beta factor used in the quantification is listed, along with the fault identifier or event tree identifier, a description of the identifier, the mean value, error factor, source of the data, and any applicable comments. The uncertainty and importance analyses also used these mean values, distribution types, and error factors.

4.9.4 Plant Specific Analysis and Use of Generic Data

Plant specific data was used when it was available. Plant specific failure rates were not used if the component in question had experienced less than two failures.
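The recovery-factor combination rules described above (ahead of Section 4.9.2) can be checked mechanically against the totals printed in Table 4.9-5. The following is an added example, not code from the report: the class and function names are illustrative, the sample figures are read from Table 4.9-5 as legible in this copy (some digits are a best reading of damaged text), and the last row is constructed to show a mismatch being flagged.

```python
"""Recompute recovery-factor totals using the combination rules stated above."""
from dataclasses import dataclass
from math import isclose
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Path:
    """One recovery option: human error probability plus hardware unavailability."""
    human: float
    hardware: float = 0.0

    def unavailability(self) -> float:
        # Rule 1: hardware unavailability is summed with the associated human error.
        return self.human + self.hardware


@dataclass(frozen=True)
class RecoveryEvent:
    label: str                       # descriptive label (illustrative, not a report identifier)
    printed_total: float             # "Total" column as printed in the table
    first: Path
    alternate: Optional[Path] = None  # human value is assumed to be the already-increased one
    diagnosis: float = 0.0

    def computed_total(self) -> float:
        total = self.first.unavailability()
        if self.alternate is not None:
            # Rule 2: first-option total times the sum of the alternate
            # path human and hardware errors.
            total *= self.alternate.unavailability()
        # Rule 3: diagnosis error is added to the resultant product.
        return total + self.diagnosis


def audit(events: List[RecoveryEvent],
          rel_tol: float = 0.05) -> List[Tuple[str, float, float]]:
    """Return (label, printed, computed) for rows whose printed total disagrees.

    Totals are printed to two significant figures, so 5% relative tolerance
    absorbs rounding while still catching a misread or mistyped digit.
    """
    return [(e.label, e.printed_total, e.computed_total())
            for e in events
            if not isclose(e.printed_total, e.computed_total(), rel_tol=rel_tol)]


# Sample rows: values read from Table 4.9-5 (best reading), last row constructed.
ROWS = [
    RecoveryEvent("AFW cross-connect to Unit 2 CST", 6.5e-2, Path(6.4e-2, 1.0e-3)),
    RecoveryEvent("AFW cross-connect, SBO at Unit 1", 8.2e-2, Path(4.8e-2, 3.4e-2)),
    RecoveryEvent("HPI cross-connect, S2 LOCA", 3.1e-1, Path(3.0e-1, 9.8e-3)),
    RecoveryEvent("RWST then HPI cross-connect, no diagnosis term", 1.6e-3,
                  Path(1.1e-2, 3.0e-4), Path(1.3e-1, 9.8e-3)),
    RecoveryEvent("RWST then HPI cross-connect, diagnosis 2.7E-3", 4.3e-3,
                  Path(1.3e-1, 9.8e-3), Path(1.1e-2, 3.0e-4), diagnosis=2.7e-3),
    RecoveryEvent("RWST then HPI cross-connect, diagnosis 5.2E-4", 2.1e-3,
                  Path(1.3e-1, 9.8e-3), Path(1.1e-2, 3.0e-4), diagnosis=5.2e-4),
    RecoveryEvent("constructed misread", 3.2e-2, Path(4.8e-2, 3.4e-2)),
]

if __name__ == "__main__":
    for label, printed, computed in audit(ROWS):
        print(f"MISMATCH {label}: printed {printed:.2e}, recomputed {computed:.2e}")
```

Running the audit over a transcribed table is a quick way to find digits that were damaged in scanning before the values are reused in a quantification.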
Table 4.9-1 PLANT SPECIFIC DATA USED IN ACCIDENT SEQUENCE QUANTIFICATION

| Failure Event | Failure Rate (Mean Value) | Error Factor |
|---|---|---|
| CPC Service Water Pump Fail to Start | 8.0E-3/demand | 3.5 |
| CPC Service Water Pump Fail to Run | 1.7E-4/hr | 3 |
| CPC Service Water Common Cause Failure of 2 Strainers Plugged (Beta) | 2.63E-1 | 3 |
| Charging Pump Fail to Start | 4.0E-3/demand | 3.5 |
| Charging Pump Fail to Run | 6.8E-5/hr | 3 |
| Inside Spray Recirculation Pump Fail to Start | 3.8E-2/demand | 3 |
| SWS Inlet Valves to the Recirculation Spray Heat Exchangers Common Cause Failure of Motor Operated Valves to Transfer (Beta) | 2.1E-1 | 3 |
| Motor Driven AFW Pump Fail to Start | 6.3E-3/demand | 3 |
| Turbine Driven AFW Pump Fail to Start | 1.1E-2/demand | 10 |
| Diesel Generator Fail to Start | 2.2E-2/demand | 3 |
| PORV Block Valve Closed Due to Leaking PORV | 1.5E-1/demand | None (point estimate) |
| PORV Block Valve Fails to Transfer on Demand | 4.0E-2/demand | 3 |
Table 4.9-2 INITIATING EVENT DATA

| Identifier | Description | Mean Frequency (/Rx-Year) | Error Factor | Source/Comments |
|---|---|---|---|---|
| A | Large LOCA, D>6" | 5.0E-4 | 10 | Survey of Previous PWR Studies Conducted in NUREG/CR-4550 Volume 1. |
| S1 | Medium LOCA, 2"<D<6" | 1.0E-3 | 10 | Survey of Previous PWR Studies Conducted in NUREG/CR-4550 Volume 1. |
| S2 | Small LOCA, 1/2"<D<2" | 1.0E-3 | 10 | Survey of Previous PWR Studies Conducted in NUREG/CR-4550 Volume 1. |
| S3 | Very Small LOCA, D<1/2" Spontaneous | 1.3E-2 | 10 | See Appendix D.2 |
| T | Transient Initiating Events, Requiring Reactor Scram | 6.60 | 3 | NUREG/CR-3862 |
| TN | High Power Transient Initiating Events, Requiring Reactor Scram | 5.90 | 3 | Assumed high power fraction = .9 |
| T1 | Loss of Offsite Power | 7.7E-2 | Special, Plant Specific Distribution | See Appendix D.3 |
| T2 | Loss of Main Feedwater | 0.94 | 3 | NUREG/CR-3862 |
| T3 | Turbine Trip with Main Feedwater Available | 7.30 | 3 | NUREG/CR-3862 |
| T5A | Loss of 125V DC Bus 1A | 5.0E-3 | 10 | ASEP Generic |
| T5B | Loss of 125V DC Bus 1B | 5.0E-3 | 10 | ASEP Generic |
| T7 | Steam Generator Tube Rupture | 1.0E-2 | 5 | Survey of Industry Literature and LERs Yielded 5 Steam Generator Tube Rupture Incidents |
Table 4.9-3 BETA FACTOR SUMMARY TABLE

| Event Identifier | Event Description | Unavail. (Mean) | Error Factor | Source |
|---|---|---|---|---|
| BETA-BATT | BETA FOR 2 Batteries | 8.00E-3 | 3 | ASEP GENERIC |
| BETA-2DG | BETA FOR 2 Diesel Generators | 3.80E-2 | 3 | ASEP GENERIC |
| BETA-3DG | BETA FOR 3 Diesel Generators | 1.80E-2 | 3 | ASEP GENERIC |
| BETA-AFW | BETA FOR 2 AFW Motor Driven Pumps | 5.60E-2 | 3 | ASEP GENERIC |
| BETA-CSS | BETA FOR 2 CSS Motor Driven Pumps | 1.10E-1 | 3 | ASEP GENERIC |
| BETA-HPI | BETA FOR 2 HPI Motor Driven Pumps | 2.10E-1 | 3 | ASEP GENERIC |
| BETA-LPI | BETA FOR 2 LPI Motor Driven Pumps | 1.50E-1 | 3 | ASEP GENERIC |
| BETA-STR | BETA FOR 2 Strainers | 2.63E-1 | 3 | PLANT SPECIFIC |
| BETA-AOV | BETA FOR 2 Air Operated Valves | 1.00E-1 | 3 | ASEP GENERIC |
| BETA-2MOV | BETA FOR 2 Motor Operated Valves | 8.80E-2 | 3 | ASEP GENERIC |
| BETA-SWMOV | BETA FOR 4 SWS Motor Operated Valves | 2.10E-1 | 3 | PLANT SPECIFIC |
| BETA-SRVs | BETA FOR 2 Safety Relief Valves | 7.00E-2 | 3 | ASEP GENERIC |

Identifier Sequence ACP-XHE-FO-STBBS Tl AFW-XHE-FO-CST2HRA SBO AFW-XHE-FO-MNACT ALL AFW-XHE-FO-UlSBOHRA SBO-Ul .. AFW-XIIE-FO-U2SBO SBO-UlU2
* I AFW-XIIE-FO-UNIT2HRA T1,T2,T3 S2,S3,T7 CLS-XIIE-FO-MAN-A A CLS-XIIE-FO-MANSl Sl CLS-XIIE-FO-MANS2 S2 CPC-XHE-FO-CMNS2 S2 CPC-XHE-FO-REALNnRA ALL CPC-XIIE-FO-SMNS1 s,
TABLE 4.9-4 HUMAN RELIABILITY ANALYSIS SUMMARY
-----Unavailabilities Description Diagnostics Error Action Error OPERATOR FAILS TO RECONNECT STUB BUS (LOSP ONLY) orERATOR FAILS TO CROSS NECT UNIT 2 CST OPERATOR FAILS TO MANUALLY ACTUATE AFW OPERATOR FAILS TO CROSS NECT AFW, SBO AT UNIT 1 OPERATOR FAILS TO CROSS NECT AFW, SBO AT UNITS 1 AND 2 OPERATOR FAILS TO CROSS NEC'r AFW, TRANSIENTS OPERATOR FAILS TO RECOVER CLCS ACTUATION,A LOCA OPERATOR FAILS TO RECOVER CLCS ACTUATION ,s 1 LOCA OPERATOR FAILS TC)" RECOVER CLCS ACTUATION, s 2 LOCA OPERATOR FAivS TO MANUALLY ACTUATE CPC MOP OPERATOR FAILS TO ALIGN CPC SW *ro UNIT 2 OPERATOR FAILS MANUAL ACTUATION O.F CPC SWS MOP * .011 .064 Skill Based .026 .022 7.5E-2 .033 Skill Based Skill Based Skill Based .0266 .011 .0266
* 032 .0266 .011 Total l.lE-2 6.4E-2 2.66E-3 4.BE-2 7.SE-2 3.3E-2 2.66E-3 2.66E-3 2.66E-3 3.76E-2 5.86E-2 3.76E-2 *
* Identifier Sequence CPC-XHE-FO-SMNS2 llPI-XHE-FO-ALTnRA HPI-XHE-FO-ALTIHHRA IIPI-XHE-FO-ALTI311RA.
-CONTROL ROOM -LOCAL .HPI-XHE-FO-ALTSJIIRA
-CON'fROL ROOM -LOCAL IIPI-XHE-FO-FDBLD HPI-XHE-FO-PLLCK HPI-XIIE-FO-UN2HlnRA llPI-XHE-FO-UN2S2HRA HPI-XIIE-FO-UN2SJHRA ALL L MECH ALL L XHE ALL TABLE 4.9-4 (Continued)
HUMAN RELIABILITY ANALYSIS SUMMARY
Unavailabilities (Means)
Description Diagnostics Error Action Error OPERATOR FAILS M1\NlJAL UATION OF CPC SWS MDP OPERATOR FAILS 'l'O RECOVER COMMON CAUSE FAILURE OF UPI DISCHARGE MOVs OPEHATOR FAILS TO RECOVF.R RANDOM INDEPENDEN'f FAILURE OF HPI DISCHARGE MOVs OPERATOR FAILS TO RECOVER RANDOM IHDEPENUEN'r FAILURE OF HPI DISCHARGE MOVs OPERATOR FAILS TO RECOVER COMMON CAUSE FAILURE OF HPI DISCHARGE MOVs OPERATOR FAILS TO ES'l'ABLISII FEED AHD BLEED COOLING OPERATOR FAILS TO REMOVE PULL LOCK CONDITION OPERA'l'OR FAILS TO CROSS CONNECT UPI TO UNIT 2 FOR S 2 111/S3H1/
S3W3ll1 .0266 .0266 OPERATOR FAILS 'l'O cnoss CONNEC'r . 266 IIPI 'l'O UNIT 2 FOR S 2 D1 OPEHATOR FAILS 'l'O cnoss CONNEC'l'
: 5. 2E-4 IIPI 'l'O UNI'l' 2 FOR s 3 o 1/'1'7D1 .011 Skill Based Skill Based Skill Based .064 Skill Based .064 .011 .044 Skill Based .00145 .033 .033 Total J.76E-2 2.66E-J 2. 66E-J , / 2.66E-J 6.4E-2 2.66E-J 6.4E-2 1.lE-2 7.lE-2 2.66E-3 1.45E-J J.OE-1 J.4E-2 
.i:,. . \0 I 00 Identifier Sequence HPI-XIIE-F0-20D112nRA HPI-XHE-F0-30DH2nRA LPR-XHE-FO-IIOTLG MCW-CCF-VF-SBOnnA SBO-Ul MSS-XHE-FO-BLOCK MSS-XHE-FO-ISAFWIIRA MSS-XHE-FO-ISBDN MSS-XHE-FO-ISDHR 0 SBO .S-XIIE-FO-TB'l'RP A'l'WS TABLE 4.9-4 (Continued)
HUMAN RELIABILITY ANALYSIS SUMMARY
Unavailabilities (Means)
Description Diagnostics Error Action Error Total OPERATOR FAILS 'l'O CROSS NECT IIPI TO UNIT 2 FOR s 2 0DH1/ S20DH2 . OPERATOR FAILS TO CROSS NECT HPI TO UNIT 2 FOR S 3 0D1ll/ S30DH2 OPERATOR FAILS TO ALIGN FOR no*r LEG RECIRCULATION FAILURE TO RESTORE MAIN WATER OPERATOR FAILS TO CLOSE MAIN CONDENSOR ISOLATION VALVES-SBO OPERATOR FAILS TO 'l'ERMINATE FLOW FROM STUCK OPEN SG PORV OPERATOR FAILS 'l'O 'l'ERMIHATE FLOW FROM AFW TDP S'l'EAM LINE DURING SG'l'R OPERA'l'OR FAILS 'l'O 'l'ERMIHA'l'E FLOW FROM SG DLOWDOWN LINE DURING SGTR OP FAILS 'l'O !SOL S'l'M FLOW VIA DECAY IIEA'l' REMOVAL BY COOLDOWN OPERATOR FAILS TO DEPRESSURIZE RCS DURING SBO OPERATOR FAI TURBINE 'l'RIP MAIN .00266
* 00145 5.2E-4
* 00145 4.00E-5 Skill Based .0266 .032 HEP increased by a factor of two to account for potentially inhibiting environment.
Must depressurize or isolate: HEP conditional on previous failure to depressurize.
Must depressurize or isolate: HEP conditional on previous failure to depressurize.
* 014 .044 4.llE-3 l.97E..;.3 4.00E-5 5.86E-2 6.4E-2 3.4E-J J.4E-3 1.4E-2 4.4E-2 Skill Based ~-66E-3
* Identifier PPS-MOV-FC-OPER PPS-XHE-FO-EMBOR PPS-XHE-FO-lPORV PPS-XHE-FO-PORVS PPS-XHE-FO-UNBLK RCS-XIIE-FO-DPRES RCS-XIIE-FO-DPRT7 RCS-XHE-FO-DPT7D REC-XHE-FO-DPRES REC-XHE-FO-SCOOL Sequence ALL ATWS ALL L MECH ALL L XHE ATWS ATWS SBO-Ul TABLE 4.9-4 (Continued)
HUMAN RELIABILITY ANALYSIS SUMMARY
Unavailabilities (Means)
Description Diagnostics Error Action Error OPERATOR FAILS TO CLOSE RCS PORV BLOCK ~ALVE OPERA'fOR FAILS 'l'O CORRECTLY EMERGENCY BORATE OPERATOR FAILS TO OPEN 1 PORV FOR S2 FEED/BLEED OPERATOR FAILS TO OPEN BOTH PORVs FOR FEED AND BLEED OPERATOR FAILS TO OPEN PORV BLOCK VALVE FAILURE TO MANUALLY SCRJ\M THE REACTOR OPERA'fOR FAILS TO DEPRESSURIZE/
COOL RCS OPERA1.'0R FAILS TO DEPRESSURIZE/
COOL RCS DURING SGTR OPERATOR FAILS TO DEPRESSURIZE/
COOL RCS DURING T7D1 .0266 .0068 .266 Skill Based 1. OE-3 .044 .011 .044 .23 Skill Based
* 022 .022 0.128 OPERATOR FAILS TO DEPRES-HEP conditional on previous SURIZE RCS IN RECOVERY FM SGTR failure to depressurize.
OPERATOR FAILS TO COOL RCP .125 SEALS DURING SBO Total 2.66E-3
* l.OE-3 7.lE-2 1.lE-2 4.4E-2 2.JE-1 2.66E-3 2. 2E-2 . 2.9E-2 4.02E-1 1. 40E-2 1.,25E-1 TABLE 4.9-4 (Continued)
HUMAN RELIABILITY ANALYSIS SUMMARY
Unavailabilities (Means)
Identifier Sequence Description Diagnostics Error Action Error Total RMT-XIIE-FO-MAN-A A OPERATOR FAILS TO RECOVER RM'r .064 6.4E-2 ACTUATION FAILURE RMT-XHE-FO-MANSl Sl OPERATOR FAILS TO RECOVER .064 6.4E-2 RMT ACTUATION FAILURE RMT-XHE-FO-MANS2 S2 OPERATOR FAILS TO RECOVER Skill Based 2.66E-3 RMT ACTUATION FAILURE SIS-XHE-FO-MANSl Sl OPERATOR FAILS TO RECOVER Skill Based 2.66E-3 SIS ACUTUATION FAILURE .. SIS-XHE-FO-MANS2 S1 OPERATOR FAILS 'l'O RECOVER Skill Based 2.66E-3
* CD SIS ACTUATION FAILURE I 0 Identlfier AFW-XHE-FO-CST2 AFW-XHE-FO-MNACT AFW-XHE-FO-UlSBO AFW-XHE-FO-U2SBO AFW-XHE-FO-UNIT2 CLS.-XIIE-FO-MAN-A CLS-XHE-FO-MANSl CLS-XIIE-FO-MANS2 CPC-XUE-FO-CMNS2
TABLE 4.9-5 RECOVERY FACTOR SUMMARY
Unavailabilities (Means)
Human Hardware Total Error Failure 6.5E-2 6.4E-2 1.0E-3 2.7E-3 2.7E-3 8.2E-2 4.8E-2 J.4E-2 7.5E-2 7.5E-2 J.GE-2 J.JE-2 2.lE-J 2.7E-J 2.7E-J ------2.7E-J 2.7E-3 ------2.7E-J 2.7E-J ------J.BE-2 J.BE-2 ------Description FAILURE TO CROSS CONNECT TO UNIT 2 AFW CONDENSATE STORAGE TANK. FAILURE TO RECOVER AFW ACTUATION BY MANUAL ACTUATION OF AFW PUMPS AND VALVES. FAILURE TO RECOVER AFW BY CROSS CONNECTING TO UNIT 2 DURING STATION BLACKOUT AT UNIT 1. OPERATOR FAILS TO CROSS CONNECT AFW TO UNIT 2 DURING STATION BLACKOUT AT UNITS 1 AND 2. FAILURE TO RECOVER AFW BY CRQSS CONNECTING TO UNIT 2. FOR ALL SEQUENCES EXCEPT STATION BLACKOU'r.
FAILURE TO RECOVER CLCS BY MANUAL ACTUATION DURING A LARGE LOSS OF COOLANT ACCIDENT (A LOCA). FAILURE TO RECOVER CLCS BY MANUAL ACTUATION DURING A MEDIUM LOSS OF COOLANT ACCIDENT (S 1 LOCA). FAILURE TO RECOVER CLCS BY MANUAL ACTUATION DURING SMALL LOSS OF COOLANT ACCIDENT (S 2 LOCA). FAILURE TO RECOVER CPC BY MANUAL ACTUATION DURING A SMALL LOSS OF COOLANT ACCIDENT.
Identifier CPC-XHE-FO-REALN CPC-XHE-FO-SMNSl CPC-XHE-FO-SMNS2 HPI-XHE-FO-ALT HPI-XHE-FO-ALTIN HPI-XHE-FO-ALTIJ HPI-XIIE-FO-ALTSJ
TABLE 4.9-5 (Continued) RECOVERY FACTOR SUMMARY
Unavailabilities (Means)
Human Hardware Total Error Failure *1.0E-2 5.9E-2 J.BE-2 J.BE-2 J.BE-2 J.BE-2 6.lE-1 2.7E-3 5.7E-3 2.7E-J 7.0E-4 CONTROL RM 2.7E-3 LOCAL 6.4E-2 7.4E-2 CONTROL RM 2.7E-3 LOCAL 6. 4E-2 1. lE-2 6.lE-1 J.OE-3 3.0E-3 5.BE-2 6.lE-1 5.BE-2 Description FAILURE TO RECOVER CPC SERVICE WATER BY CROSS CONNECTING TO UNIT 2. FAILURE TO RECOVER CPC SERVICE WATER BY MANUAL ACTUATION DURING A MEDIUM LOSS OF COOLANT ACCIDENT.
FAILURE TO RECOVER CPC SERVICE WATER BY MANUAL ACTUATION DURING A SMALL LOSS OF COOLANT ACCIDENT.
FAILURE TO RECOVER HPI FOLLOWING COMMON CAUSE FAILURE OF THE HPI DISCHARGE MOTOR OPERATED VALVES, BY USING AN ALTERNATE INJECTION PATH. FOR ALL BUT THE VERY SMALL LOSS OF COOLANT ACCIDENT (S 3 LOCA) SEQUENCES.
FAILURE TO RECOVER HPI FOLLOWING RANDOM DEPENDENT FAILURE OF THE HPI DISCHARGE MOTOR OPERATED VALVES, BY USING AN ALTERNATE INJECTION PATH. FOR ALL BUT s 3 SEQUENCES.
FAILURE TO RECOVER HPI FOLLOWING RANDOM DEPENDENT FAILURE OF 'l'IIE HPI DISCHARGE MOTOR OPERA'l'ED VALVES, BY USING AN ALTERNATE INJECTION PATH. FOR s 3 LOCA SEQUENCES.
FAILURE TO RECOVER HPI FOLLOWING COMMON CAUSE FAILURE OF THE HPI DISCHARGE MOTOR OPERA-TED VALVES, BY USING AN ALTERNATE INJECTION PATH. FOR s 3 LOCA SEQUENCES
* Identifier HPI-XHE-FO-UN2Hl HPI-XHE-FO-UN2S2 HPI-XHE-FO-UN2SJ HPI-XHE-F0-20DH2 HPI-XIIE-FO-JODil2 MSS-XIIE-FO-BLOCK TABLE 4.9-5 (Continued)
RECOVERY FACTOR SUMMARY
Unavailabilities (Means)
Human Hardware Total Error Failure l.6E-J J.lE-1 4.4E-2 4.JE-3 2.lE-3 6.4E-2 RWST 1.lE-2 HPI L JE-1 J.OE-1 J.4E-2 RWST l.JE-1 IIPI LlE-2 DIAGNOSIS 2.7E-J RWST 1. JE-1 HP! 1. lE-2 DIAGNOSIS 5.2E-4 6.4E-2 3.0E-4 9.BE-3 9.BE-3 9.BE-3 9.BE-3 J.OE-4 ------9.BE-3 J.OE-4 ------Description FAILURE TO RECOVER LPR BY CROSS CONNECTING TO UNI'f 2 RWS'l' QR BPI SYS'l'EM.
FOR S2 AND S3 LOW PRESSURE RECIRCULATION FAILURE WHERE 'l'HE OPEHATOR SUCCEEDED IN RCS DEPRESSURIZA'l'ION.
FAILURE 1'0 RECOVER BPI BY CROSS CONNECTING TO UNI'f 2 IIPI SYSTEM DU.RING AN s 2 LOCA HIGH PRESSURE INJECTION FAILURE. FAILURE 1'0 RECOVER HPI BY CROSS CONNECTiNG TO UNIT 2 IIPI SYSTEM. FOR AN s 3 LOCA AND S1'EAM GENERATOR TUBE RUPTURE (SGTR) HIGH PRESSURE INJECTION FAILURE. FAILURE TO RECOVER IIPI BY CROSS CONNECTING TO UNIT 2 RWST OR IIPI SYSTEM. FOR s 2 HIGH AND LOW PRESSURE RECIRCUL1\.1'IOH FAILURE WHERE THE OPERATOR FAILED TO DEPRESSURIZE THE RCS. FAILURE 1'0 RECOVER HPI BY CROSS CONNECTIN.G TO UNIT 2 RWST OR HP! SYS1'EM. FOR S 3 HIGH AND LOW PRESSURE RECIRCULATION FAILURE WHERE THE OPERA'fOR FAILED TO DEPRESSURIZE THE RCS. FAILURE TO RECOVER STUCK OPEN SG PORV BY S*HU'l''l'ING
'l'HE BLOCK VALVE.
Identifier MSS-XHE-FO-ISAFW MSS-XHE-FO-ISBDN NRAC-150MIN NRAC-201MIN NRAC-216MIN NRAC-234MIN NRAC-246MIN NRAC-258MIN TABLE 4.9-5 (Continued)
RECOVERY FACTOR SUMMARY
Unavailabilities (Means)
Human Ila rd ware Total Error Failure 6.BE-6 3.4E-3 2.0E-3 3.4E-3 3.4E-3 2.lOE-1 2.lOE-1 1..50E-1 1.50E-1 1. JBE-1 1. JBE-1 l.23E-1 1.23E-1 1.15E-1 1.15E-1 1.0BE-1 1.0BE-1 Description FAILURE TO RECOVER SG INTEGRITY BY ISOLATING THE STEAM LINE FROM THE SG WITH AN SGTR TO THE AFW TURBINE DRIVEN PUMP. HARDWARE IS FAILURE OF 1 OF 2 CHECK VALVES TO SEAT. DUE TO PARTICULAR CHARACTERISTICS OF THE BOOLEAN EQUATION FOR Qs, IT WAS DESIRABLE TO INCLUDE THE FAILURE PROBABILITY OF SG INTEGRITY IN THE RECOVERY EVENT. THE TWO PROBABILITIES ARE MULTIPLIED.
THIS EVENT REPRESENTS THE PROBABILITY OF LOSS OF SG.INTEGRITY THROUGH THE AFW STEAM LINE AND FAILURE TO RECOVER. FAILURE TO RECOVER SG INTEGRITY BY ISOLATING THE BLOWDOWN LINE FROM THE SG WITH AN SGTR. FAILURE '1'0 RECOVER AC POWER WITHIN 150 MINUTES LOSS OF OFFSITE POWER. FAILURE TO RECOVER AC POWER WITHIN 201 MINUTES OF LOSS OF OFFSITE POWER. FAILURE '1'0 RECOVER AC POWER WITHIN 216 MINUTES OF LOSS OF OFFSITE POWER. FAILURE TO RECOVER AC POWER WITHIN 234 MINUTES OF LOSS OF OFFSITE POWER. FAILURE TO RECOVER AC POWER WITHIN 246 MINUTES OF LOSS OF OFFSITE POWER. FAILURE 'l'O RECOVER AC POWER WITHIN 258 MINUTES OF .LOSS OF OFFSITE POWER.
Identifier NRAC-HALFHR NRAC-lHR NRAC-7HR NRAC-24HR-AVG R REC-XHE-FO-DGEN REC-XHE-FO-DGHWB
TABLE 4.9-5 (Continued) RECOVERY FACTOR SUMMARY
Unavailabilities (Means)
Human Hardware Total Error Failure 6.00E-1 4.40E-1 5.00E-2 1.94E-1 6.lE-2 1.7E-1 9.0E-1 6.0E-1 1. 000* 2.7E-J 6.00E-1 4.40E-1 5.00E-2 l.94E-1 6.lE-2 l.OE-5 5.0E-5 9.0E-1 6.0E-1 Description FAILURE TO RECOVER AC POWER WITHIN 30 MINUTES OF LOSS OF OFFSITE POWER. FAILURE TO RECOVER AC POWER WITHIN 60 MINUTES OF LOSS OF OFFSITE POWER. FAILURE TO RECOVER AC POWER WITHIN 7 HOURS OF LOSS OF OFFSITE POWER. FAILURE TO RECOVER AC POWER; TIME AVERAGED OVER THE FIRST 6 HOURS. FAILURE TO RECOVER AC POWER; TIME AVERAGED OVER THE FIRST 24 HOURS. FAILURE TO RECOVER RPS FAILURE BY MANUAL SCRAM. *THIS CANNOT BE INTERPRETED AS A HUMAN ERROR, BUT MUST BE IN'l'ERPRETED AS THE PROBABILITY THAT HUMAN ACTION IS EFFECTIVE.
MANUAL SCRAM IS INEFFECTIVE AGAINST MECHANICAL FAILURES OF THE RPS WHICH ACCOUNT FOR lE-5, WHILE ELECTRICAL FAILURES ACCOUNT FOR SE-5. FAILURE TO RECOVER A DIESEL GENERATOR WITHIN 1 HOUR. FAILURE TO RECOVER A DIESEL GENERATOR WITHIN 6 HOURS OF A HARDWARE OR COMMON CAUSE FAULT.
Identifier REC-XHE-FO-DGHWS REC-XIIE-FO-DG'l'MB REC-XIIE-FO-DG'l'MS
'f-REC-XHE-FO-DPRES co I a:, REC-XIIE-FO-GAGRV RM'l'-XIIE-FO-MAN-A RM'f-XIIE-FO-MJ\NS 1 RM'l'-XHE-FO-MANS 2 TABLE 4.9-5 (Continued)
RECOVERY FACTOR SUMMARY
Unavailabilities (Means)
Human Hardware Total Error Failure 8.0E-1 8.0E-1 5.0E-1 5.0E-1 7.0E-1 ------7.0E-1 1. 4E-2 1.4E-2 ------3.0E-1 ------3.0E-1 6.4E-2 6.4E-2 ------6.4E-2 6.4E-2 ------2.7E-J 2.7E~3 ------Description FAILURE 'l'O RECOVER A DIESEL GENERATOR WITHIN 3 HOURS OF A HARDWARE OR COMMON CAUSE FAULT. FAILURE TO RECOVER A DIESEL GENERATOR FROM 'l'ES'r AND MAINTENANCE UNAVAILABILITY WITHIN 6 HOURS. FAILURE 'l'O RECOVER A DIESEL GENERATOR FROM TEST AND MAINTENANCE UNAVAILABILITY WITHIN 3 HOURS. FAILURE TO COOLDOWN ANO OEPRESSURIZE THE RCS, IN THE LONG TERM AF'fER FAILURE TO DEPRESSUR-IZE WITHIN 45 MINUTES OF A STEAM GENERATOR TUBE RUPTURE. FAILURE 'l'O RECOVER SG IH'l'EGRITY BY GAGGING S'fUCK OPEN RELIEF VALVES. FAILURE 'l'O RECOVER RMT BY MANUAL ACTUATION DURING A LARGE LOSS OF COOLANT ACCIDENT (A LOCA). FAILURE 'l'O RECOVER RMT BY MANUAL ACTUATION DURING A MEDIUM LOSS OF COOLANT ACCIDENT (Sl LOCA). FAILURE 'l'O RECOVER RMT BY MANUAL ACTUATION DURING A SMALL LOSS OF COOLANT ACCIDENT (S2 LOCA).
Identifier SIS-XHE-FO-MANSl SIS-XHE-FO-MANS2 SWS-XHE-FO-OPEN Tl\DL -s (Continued)
RECOVERY FACTOR SUMMARY
Unavailabilities (Means)
Human Hardware Total Error Failure 2.7E-3 2.7E-3 2.7E-3 2.7E-3 2.4E-1 2.4E-1 Description FAILURE 'l'O RECOVER SIS BY MANUAL ACTUATION DURING A MEDIUM LOSS OF COOLANT ACCIDENT (Sl LOCA) * . FAILURE TO RECOVER SIS BY MANUAL ACTUATION DURING A SMALL LOSS OF COOLANT ACCIDENT (S2 LOCA). FAILURE TO RECOVER COMMON CAUSE FAILURE OF '1.'HE CONTAINMENT SPRAY* HEAT EXCHANGER MOVs. LOCALLY OPEN OR REPAIR THE VALVE.
Event Id CV K M 0 QS-SBO R TABLE 4.9-6 SURRY MISCELLANEOUS EVENT TABLE Event Description HPR/LPR FAILURE DUE TO CONTAINMENT OVER PRESSURE FAILURE, CAUSED BY LOSS OF CON'l'AINMENT HEAT REMOVAL FAILURE OF RPS TO TRIP THE REACTOR FAILURE TO RESTORE MAIN FEEDWA'l'ER, AFTER TURBINE TRIP Unavail. (Mean) 2.00E-2 6.00E-5 2.90E-J OPERATOR FAILS TO DEPRESSURIZE RCS DURING SBO 4.90E-2 PROBABILITY OF INITIAL REACTOR POWER BELOW 25% 1.00E-1 OPERATOR FAILS TO CON'l'ROL HPI AFTER A SMALL 1. 20E-4 BREAK LEADING TO LOSS OF RCS IN'l'EGRI'l'Y DUE TO PORV S'l'UCK OPEN ( INCLUDES PROBABILITY OF FAILURE TO ISOLATE PORV) FAILURE OF SG SRV TO RESEAT DURING SBO 'l'RANSIEN'l' 2.7E-1 FAILURE 'l'O MANUALLY 'l'RIP 'l'IIE REAC'l'OR FOLLOWING
: 1. 70E-1 RPS FAILURE SLOCA-NRACSL-LT CONDITIONAL PROBABILITY OF CORE UUCOVERY DURING AN SBO DUE 'l'O RCP SEAL LOCI\ AND RECOVERY OF AC ,POWER; RCS DEPR~SSURIZED AFTER THE BREAK 9.20E-2 Dist. Type EF POINT EST* LOG NOR 5 LOG NOR 10 MAX ENT
* POIN'l' EST
* Source/ Comments SEE APPENDIX A.1 NUREG-1000 SEE SECT. 4.10.3 SEE SECT. 4.10.3 PLANT SPECIFIC LOG NOR 10 SEE APPENDIX D.6 POINT EST* MAX ENT
* POINT EST* SEE APPENDIX D. 6 SEE SECT 4.10.3 SEE APPENDIX D.5
* Event Id Event Description TABLE 4.9-6 (Continued)
BURRY MI8CELL1\NEOUB EVENT TABLE Unavail. (Mean) SLOCA-NRACSL-S'r CONDITIONAL PROBJ\BILI1'Y OF CORE UNCOVERY 9. 90E-2 z DURING AN SBO DUE 'l'O RCP SEAL LOCI\ 1\NU NON-RECOVERY OF AC POWER; RCS IS NOT DEPRESSURI-ZED AF'l'ER 'fHE BREAK ABSENCE OF "FAVORABLE" MODERA'l'OR
'l'EMPERA'fURE COEFFICIENT VERY LOW MODERATOR TEMPERATURE COEFFICIENT
: 1. 40E-2 5.00E-1
* Dist. 'l'ype Source/ EF Comments POIN'r EST
* LOG NOR 7 POINT EST* SEE APPENDIX D.5 SEE SECT 4.4 SEE SECT 4.4 Event Id A ACC-CKV-FT-CV107 ACC-CKV-FT-CV109 ACC-CKV-FT-CV128 ACC-CKV-FT-CV130 ACC-CKV-FT-CV145 ACC-CKV-FT-CV147 ACC-MOV-PG-1865A f-ACC-MOV-PG-1865B c.c ACC-MOV-PG-1865C I N) 0 ACP-BAC-ST-1111 ACP-BAC-ST-1111-1 ACP-BAC-ST-1111-2 ACP-BAC-ST-lJl ACP-DAC-ST-lJl-1 ACP-BAC-ST-lJl-2 ACP-BAC-ST-2111 ACP-BAC-S'r-2111-1 ACP-BAC-ST-480111 ACP-BAC-ST-4801J ACP-BAC-ST-4KV1H ACP-BAC-ST-4KV1J ACP-BAC-S'r-4 KV2 II ACP-BAC-ST-STBlH ACP-BAC-ST-STBlJ ACP-BAc-s*r-S'l'B2 II ACP-BAC-S'l'-VBlI ACP-BAC-ST-VBlII ACP-BAC-ST-VlIII ACP-BAC-ST-VB1IV
* TABLE 4.9-7 SURRY DATA TABLE Failure Event Description Rate LARGE LOSS OF COOLANT ACCIDENT 5E-4/YR CHECK VLV CV107 FAILS TO OPEN 1. OE-4/D CHECK VLV CV109 FAILS TO OPEN 1. OE-4/D CHECK VLV CV128 FAILS TO OPEN 1. OE-4/D CHECK VLV CV130 FAILS TO OPEN 1. OE-4/D CHECK VLV CV145 FAILS TO OPEN 1. OE-4/D CHECK VLV CV147 FAILS TO OPEN 1. OE-4/D ACC MO'l'OR OPERATED VLV 1.865A PLUGGED 1.0E-7/IIR ACC MO'l'OR OPERA'l'ED VLV l865B PLUGGED l.OE-7/HR ACC MOTOR OPERATED VLV l865C PLUGGED l.OE-7/HR 480V AC BUS 1111 BUSWORK FAILURE 9.0E-5/D 480V AC MCC 1111-1 BUSWORK FAILURE 9. OE-5/D 480V AC MCC lHl-2 BUSWORK FAILURE 9.0E-5/D 480V AC BUS lJl BUSWORK FAILURE 9. OE-5/D 480V AC MCC lJl-1 BUSWORK FAILURE 9.0E-5/D 480V AC MCC lJl-2 BUSWORK FAILURE 9.0E-5/D 480V AC BUS 2111 BUSWORK FAILURE 9.0E-5/D 480V AC MCC 2111-1 BUSWORK FAILURE 9.0E-5/D 480V AC BUS 111 BUSWORK FAILURE 9.0E-5/D 480V AC BUS lJ BUSWORK FAILURE 9.0E-5/D 4160V AC BUS lH BUSWORK FAILURE 9.0E-5/D 4160V AC BUS lJ BUSWORK FAILURE 9. OE-5/D 4160V AC BUS 211 BUSWORK FAILURE 9.0E-5/D 4160V AC STUB BUS 111 BUSWORK FAILURE 9.0E-5/D 4160V AC STUB BUS lJ BUSWORK FAILURE 9.0E-5/D 4160V AC S'l'UB BUS 211 BUSWORK FAILURE 9. OE-5/IJ VITAL BUS 11 BUSWORK FAILURE 9.0E-5/D VI'l'AL BUS 111 BUSWORK FAILURE 9.0E-5/D VI'l'AL BUS 1111 BUSWORK FAILURE 9.0E-5/D VITAL BUS 1IV BUSWORK FAILURE 9.0E-5/D Unavail.8 Dist. Source/ Time (Mean) Type EF Comments 5.00E-4 LOG NOR 10 ASEP GEN l.OOE-4 LOG NOR 3 ASEP GEN 1. OOE-4 LOG NOR 3 ASEP GEN 1. OOE-4 LOG NOR 3 ASEP GEN 1. OOE-4 LOG NOR 3 ASEP GEH l.OOE-4 LOG NOR 3 ASEP GEN 1. 
OOE-4 LOG NOR 3 ASEP GEN lBmo 6.50E-4 LOG NOR 3 ASEP GEN !Brno 6.50E-4 LOG NOR 3 ASEP GEN lBmo 6.50E-4 LOG NOR 3 ASEP GEN 9.00E-5 LOG NOR 5 ASEP GEN 9.00E-5 LOG NOR 5 ASEP GEN 9.00E-5 LOG NOR 5 ASEP GEN 9.00E-5 LOG NOR 5 ASEP GEN 9.00E-5 LOG NOR 5 ASEP GEN 9.00E-5 LOG NOR 5 ASEP GEN 9.00E-5 LOG NOR 5 ASEP GEN 9.00E-5 LOG NOR 5 ASEP GEN 9.00E-5 LOG NOR 5 ASEP GEN 9.00E-5 LOG NOR 5 ASEP GEN 9.00E-5 LOG NOR 5 ASEP GEN 9.00E-5 LOG NOR 5 ASEP GEN ~.OOE-5 LOG NOR 5 ASEP GEN 9.00E-5 LOG NOR 5 ASEP GEN 9.00E-5 LOG NOR 5 ASEP GEN 9.00E-5 LOG NOR 5 ASEP GEN 9.00E-5 LOG NOR 5 ASEP GEN 9.00E-5 LOG NOR 5 ASEP GEN 9.00E-5 LOG NOR 5 ASEP GEN 9.00E-5 LOG NOR 5 ASEP GEN *
* Event Id ACP-CRB-C0-14111 ACP-CRB-C0-141113 ACP-CRB-C0-14H14 ACP-CRB-C0-141115 ACP-CRB-C0-14Jl ACP-CRB-C0-14Jll ACP-CRB-C0-14J14 ACP-CRB-C0-14J16 ACP-CRB-C0-15117 ACP-CRB-C0-15118 ACP-CRB-C0-15119
'f-ACP-CRB-C0-15J7 co ACP-CRB-C0-15J8 I NI ACP-CRB-C0-15J9 I-" ACP-CRB-C0-1I35 ACP-CRB-CO-lII ACP-CRB-CO-III35 ACP-CRB-CO-llV ACP-CRB-C0-24B ACP-CRB-C0-241114 ACP-CRB-C0-241115 ACP-CRB-C0-25117 ACP-CRB-C0-25119 ACP-CRB-CO-FE9AE ACP-CRB-CO-FE9AF ACP-CRB-CO-FE9AJ ACP-CRB-CO-FE9AK ACP-CRB-CO-FE9BE ACP-CRB-CO-FE9BF ACP-CRB-CO-FE9BJ ACP-CRB-CO-FE9BK ACP-INV-110-UPSAl ACP-INV-NO-UPSA2 ACP-INV-NO-UPSBl ACP-INY-NO-UPSB2 TABLE 4.9-7 (Continued)
BURRY DATA TABLE Failure Event Description Rate AC CIRCUIT BREAKER 14111 XFERS OPEN 2.9E-5/D AC CIRCUI'r BREAKER 141113 XFERS OPEN 2.9E-5/0 AC CIRCUIT BREAKER 14H14 XFERS OPEN 2.9E-5/D AC CIRCUIT BREAKER 141115 XFERS OPEN 2.9E-5/D AC CIRCUIT BREAKER 14Jl XFERS OPEN 2.9E-5/D AC CIRCUIT BREAKER 14Jll XFERS OPEN 2.9E-5/D AC CIRCUIT BREAKER 14J14 XFERS OPEN 2.9E-5/0 AC CIRCUIT BREAKER 14.Jl6 XFERS OPEN 2.9E-5/D AC CIRCUIT BREAKER 15117 XFERS OPEN 2.9E-5/D AC CIRCUI'r BREAKER 15118 XFERS OPEN 2.9E-5/D AC CIRCUI'l' BREAKER 15119 XFERS OPEN 2.9E-5/0 AC CIRCUI'r BREAKER 15J7 XFERS OPEH 2.9E-5/D AC CIRCUI'f BREAKER 15J8 XFERS OPEN 2.9E-5/D AC CIRCUIT BREAKER 15J9 XFERS OPEN 2.9E-5/D VITAL BUS lI AC CKT BRKR 35 XFERS OPEN 2.9E-5/0 AC CIRCUIT BREAKER TO lII XFERS OPEN 2.9E-5/0 V'l'AL BUS 1111 AC CKT BRKR 35 XFERS OPEN 2.9E-5/0 AC CIRCUIT BREAKER TO lIV XFERS OPEN 2.9E-5/D AC CIRCUIT BREAKER 24B XFERS OPEN 2.9E-5/D AC CIRCUIT BREAKER 241114 XFERS OPEH 2.9E-5/D AC CIRCUI'r BREAKER 241115 XFERS OPEN 2.9E-5/D AC CIRCUIT BREAKER 25117 XFERS OPEN 2. 9E-5/D AC CIRCUI'l' BREAKER 25119 XFERS OPEN 2. 9E-5/0 AC CIRCUIT BREAKER FE9AE XFERS OPEN 2.9E-5/D AC CIRCUIT BREAKER FE9AF XFERS OPEN 2. 9E-5/0 AC CIRCUI'r BREAKER FE9AJ XFERS OPEN 2.9E-5/D AC CIRCUIT BREAKER FE9AK XFERS OPEN 2.9E-5/D AC CIRCUIT BREAKER FE9BE XFERS OPEN 2.9E-5/D AC CIRCUIT BREAKER FE9BF XFERS OPEN 2.9E-5/D AC CIRCUI'r BREAKER FE9BJ XFERS OPEN 2.9E-5/D AC CIRCUIT BREAKER FE9BK XFERS OPEN 2. 9E-5/D UPS lAl INVERTER OU'l'PUT FAILS 4.0E-2/D UPS 11\2 IHVER'fER OU'l'PU'r FAILS 4.0E-2/D UPS lBl IHVER'fER OUTPU'l' FAILS 4.0E-2/D UPS 1B2 INVERTER OUTPUT FAILS 4.0E-2/D
* Unavail.8 Dist. Source/ Time (Mean) 'l'ype EF Comments 2.90E-5 LOG HOR 3 ASEP GEN 2.90E-5 LOG NOR 3 ASEP GEN 2.90E-5 LOG HOR 3 ASEP GEN 2.90E-5 LOG NOR 3 ASEP GEN 2.90E-5 LOG NOR 3 ASEP GEN 2.90E-5 LOG NOR 3 ASEP GEN 2.90E-5 LOG NOR 3 ASEP GEN 2.90E-5 LOG NOR 3 ASEP GEN 2.90E-5* LOG NOR 3 ASEP GEN 2.90E-5 LOG NOR 3 ASEP GEN 2.90E-5 LOG. NOR 3 ASEP GEN 2.90E-5 LOG NOR 3 ASEP GEN 2.90E-5 LOG NOR 3 ASEP GEN 2.90E-5 LOG NOR 3 ASEP GEN .2. 90E-5 LOG NOR 3 ASEP GEN 2.90E-5 LOG.NOR 3 ASEP GEN 2.90E-5 LOG NOR 3 ASEP GEN 2.90E-5 LOG NOR 3 ASEP GEN 2.90E-5 LOG NOR 3 ASEP GEN 2.90E-5 LOG NOR 3 ASEP GEN 2.90E-5 LOG NOR 3 ASEP GEN 2.90E-5 LOG NOR 3 ASEP GEN 2.90E-5 LOG NOR 3 ASEP GEN 2.90E-5 LOG NOR 3 ASEP GEN 2.90E-5 *LOG NOR 3 ASEP GEN 2.90E-5 LOG NOR 3 ASEP GEN 2.90E-5 LOG NOR 3 ASEP GEH 2.90E-5 LOG NOR 3 ASEP GEN 2.90E-5 LOG HOR 3 ASEP GEH 2.90E-5 LOG NOR 3 ASEP GEN 2.90E-5 LOG NOR 3 ASEP GEN 4.00E-2 LOG NOR 3 ASEP GEN 4.00E-2 LOG NOR 3 ASE}' GEN 4.00E-2 LOG HOR 3 ASEP GEN 4.00E-2 LOG NOR 3 ASEP GEN Event Id ACP-REC-NO-UPSAl ACP-REC-NO-UPSA2 ACP-REC-NO-UPSB1 ACP-REC-NO-UPSB2 ACP-TFM-NO-lAl-1 ACP-TFM-NO-lAl-2 ACP-TFM-N0-1A2-l ACP-TFM-N0-1A2-2 ACP-TFM-NO-lBl-1 ACP-'l'FM-N0-1Bl-2
'f-ACP-TFM-N0-1B2-1 c:c I ACP-TFM-N0-1B2-2 ts:! ts:! ACP-TFM-N0-111 ACP-TFM-N0-1111 ACP-TFM-NO-lJ ACP-TFM-NO-lJl ACP-'l'FM-N0-2Hl ACP-XHE-FO-STBBS AFW-AC'l'-FA-PMPJA AFW-1\C'l'-FA-PMPJ B AFW-AC'f-FA-VLVA AFW-AC'l'-FA-VLVB AFW-AOV-FT AFW-AOV-FT-l02A AFW-AOV-FT-102B AFW-AOV-F'l'-202A AFW-AOV-FT-2028 TABLE 4.9-7 (Continued)
SURRY DATA TABLE Failure Event Description Rate UPS !Al REC'fIFIER OU'fPUT FAILURE 4.0E-4/D UPS 1A2 REC'f!FIER OUTPU'l' FAILURE 4.0E-4/D UPS 1Bl REC'l'IFIER OU'fPU'l' FAILURE 4.0E-4/IJ UPS 1B2 RECTIFIER OUTPUT FAILURE 4.0E-4/D FAILURE OF UPS lA XFORMER PWR FM 1111-1 1. 7E-6/IIR FAILURE OF UPS lA XFORMER PWR FM 1111-2 1. 7E-6/HR FAILURE OF UPS lA XFOHMER PWR FM 1H2-l 1. 7E-6/HR FAILURE OF UPS lA XFOHMER PWR FM 1112-2 1. 7E-6/IIR FAILURE OF UPS lB XFORMER PWR FM lJl-1 1. 7E-6/HR FAILURE OF UPS lB XFORMER PWR FM lJl-2 1. 7E-6/IIR FAILURE OF UPS lB XFORMER PWR FM 1J2-l 1. 7E-6/HR FAILURE OF UPS 18 XFORMER PWR FM 1J2-2 1. 7E-6/IIR FAILURE OF POWER XFORMER 'l'O, BUS 111 1. 7E-6/IIR FAILURE OF POWER XFORMER TO DUS 1111 1.7E-6/IIR FAILURE OF POWER XFORMER TO BUS lJ 1.7E-6/IIR FAILURE OF POWER XFORMER TO BUS lJl 1. 7E-6/HR FAILURE OF POWER XFORMER TO BUS 2111 1. 7E-6/HR OP FAILS 'l'O RECONN S'l'UB BUS (LOSP ONLY) 1.4E-2/D NO ACTUATION SIGNAL TO AFW PMP JA 6.0E-4/D NO AC'l'UATION SIGNAL 'l'O AFW . Pl*IP 3 B 6.0E-4/D NO AC'l'UATION SIGNAL 'l'O AOV-MS102A 6.0E-4/D NO AC'l'UA'l'ION SIGNAL 'l'O AOV-MS102B 6.0E-4/D AIR OPERATED VLV FAILS 'l'O OPEN 1. OE-3/D AIR OPERA'l'ED VLV MS102A FAILS 'l'O OPEN 1. OE-3/D AIR OPERA'l'ED VLV MS102B FAILS 'l'O OPEN 1.0E-3/D AIR OPERATED VLV MS202A FAILS.TO OPEN 1.0E-3/D AIR OPERA'l'ED VLV MS202B FAILS TO OPEN 1.0E-3/D Unavail.8 Dist. Source/ 'l'ime (Mean) Type EF Comments 4.00E-4 LOG NOR 3 ASEP GEN 4.00E-4 LOG NOR 3 ASEP GEN 4.00E-4 LOG NOR 3 ASEP GEN 4.00E-4 LOG NOR 3 ASEP GEN 24hr 4.00E-5 LOG NOR 3 ZION PRA 24hr 4.00E-5 LOG NOR 3 ZION PRA 24hr 4.00E-5 LOG NOR 3 ZION PRA 24hr 4.00E-5 LOG NOR 3 ZION PRA 24hr 4.00E-5 LOG NOR 3 ZION PRA 24hr 4.00E-5 LOG NOR 3 ZION PRA 24hr 4.00E-5 LOG NOR 3 ZION PRA 24hr 4.00E-5 LOG NOR 3 ZION PRA 24hr 4.00E-5 LOG NOR 3 ZION PRA 24hr 4.00E-5 LOG NOR 3 ZION PRA 24hr 4.00E-5 LOG NOR 3 ZION PRA 24hr 4.00E-5 LOG NOR 3 ZION PRA 24hr 4.00E-5 LOG NOR 3 ZION PRA 1. 
40E-2 LOG NOR 10 RECOVERY 6.00E-4 LOG NOR 5 NOTE (C) 6.00E-4 LOG NOR 5 NOTE (C) 6.00E-4 LOG NOR 5 NOTE (C) 6.00E-4 LOG NOR 5 NOTE (C) 1. OOE-3 LOG NOR 3 ASEP GEN 1.00E-3 LOG NOR 3 ASEP GEN 1.00E-3 LOG NOR 3 ASEP GEN 1.00E-3 LOG NOR 3 ASEP GEN 1. OOE-3 LOG NOR 3 ASEP GEN
* Event Id 1\FW-1\0V-PG-1021\
1\FW-AOV-PG-1028 AFW-AOV-PG-2021\
AFW-AOV-PG-202B AFW-CCF-FS-FW3AB AFW-CCF-F'f-10 2AB AFW-CCF-FT-202AB
'f" AFW-CCF-LK-2STMB
(.0 AFW-CCF-LK-S'l'MBD I I:,.:) AFW-CKV-F'f-CV27 AFW-CKV-F'l'-CV58 AFW-CKV-F'l'-CV89 AFW-CKV-FT-CV131 AFW-CKV-FT-CV133 AFW-CKV-FT-CV136 AFW-CKV-FT-CV138 AFW-CKV-FT-CV142 AFW-CKV-FT-CV157 AFW-CKV-F'l'-CV172 AFW-CKV-FT-CV176 AFW-CKV-FT-CV178 1\FW-CKV-F'l'-CVlD2 AFW-CKV-F'l'-CV2 3 2 J\FW-CKV-F''l'-CV2 3 J AFW-CKV-F'l'-CV236 AFW-CKV-FT-CV238 AFW-CKV-FT-CV242 TABLE 4.9-7 (Continued)
BURRY DAT.A TABLE Failure Event Description Rate 1\IR OPERA'l'ED VLV MS102A PLUGGED 1. OE-7/IIR AIR OPERATED VLV MS102B PLUGGED l.OE-7/IIR AIR OPERATED VLV MS202A PLUGGED *1. OE-7 /HR AIR OPERATED VLV MS202B PLUGGED 1.0E-7/HR CC FAILURE OF AFW MOTOR DRIVEN PMPS (AFW-MDP-FS
* BETA-AFW)
CC FAILURE OF MS102A AND B TO OPEN (AFW-AOV-FT
* BE'l'A-AOV)
CC FAILURE OF MS202A AND B TO OPEN (AFW-AOV-FT
* BETA-1\0V)
UNDE'fEC'l' LEAKAGE TflRU U2 CV S'l'M BIND UNDE'fEC'f LEAKAGE TIIRU CV27, CV58, CV89 CHECK VLV CV27 FAILS 'l'O OPEH 1.0E-4/D CHECK VLV CV58 FAILS TO OPEN 1. OE-4/D CHECK VLV CV89 Fl\ILS 'l'O OPEN 1.0E-4/D CHECK VLV CV131 FAILS 'l'O OPEN 1. OE-4/D CHECK VLV CVlJJ Fl\ILS 'l'O OPEH 1. OE-4/D CHECK VLV CV136 FAILS 'l'O OPEN 1. OE-4/D CHECK VLV CV138 FAILS 'l'O OPEN 1. OE-4/D CHECK VLV CV142 FAILS TO OPEN 1. OE-4/D CHECK VIN CV157 FAILS 'l'O OPEN 1. OE-4/D CHF.CK VLV CV172 FAILS 'l'O OPEN 1..0E-4/D CHECK VIN CV176 FAIIJS 'l'O OPEH 1.0E-4/D CHECK VLV CV178 FAILS *ro OPEN 1.0E-4/D CHECK VLV CV182 FAILS 'l'O OPEN 1. OE-4/D CHECK VLV CV232 FAILS 'l'O OPEN 1. OE-4/0 CHECK VLV CV233 FAILS 'l'O OPEN 1. OE-4/0 CHECK VLV CV236 FAILS 'l'O OPEN 1.0E-4/0 CHECK VLV CV238 Fl\ILS 'l'O OPEN 1.0E-4/0 CHECK VLV CV242 FAILS 'l'O OPEN 1. OE-4/0
* Unavail.8 Dist. Source/ Time (Mean) Type EF Comments lrno 4.00E-5 LOG NOR 3 ASEP GEN lrno 4.00E-5 LOG NOR 3 ASEP GEN lrno 4.00E-5 LOG NOR 3 ASEP GEN lrno 4.00E-5 LOG NOR J ASEP GEN 3.50E-4 NOTE (D) l.OOE-4 NOTE (D) 1.00E-4 NOTE (D) l.OOE-4 LOG NOR 30 NOTE (C) 1.00E-4 LOG NOR 30 NOTE (C) 1. OOE-4 LOG NOR 3 ASEP GEN 1.00E-4 LOG NOR 3 ASEP GEN l.OOE-4 LOG NOR 3 ASEP GEN 1. OOE-4 LOG NOR 3 ASEP GEN l.OOE-4 LOG NOR 3 ASEP GEH 1.00E-4 LOG NOR J ASEP GEN 1. OOE-4 LOG HOR 3 ASEP GEN l.OOE-4 LOG HOR J ASEP GEN 1.00E-4 LOG HOR J ASEP GEN 1. OOE-4 LOG HOR 3 ASEP GEN l.OOE-4 LOG HOR 3 ASEP GEN 1.00E-4 LOG HOR J ASEP GEN 1.00E-4 LOG HOR 3 ASEP GEN 1. OOE-4 LOG NOR J ASEP GEN 1.00E-4 LOG HOR J ASEP GEN l.OOE-4 LOG HOR J ASEP GEN 1.00E-4 LOG HOR J ASEP GEN 1. OOE-4 LOG NOR J ASEP GEN Event Id AFW-CKV-OO-CV142 AFW-CKV-OO-CV157 AFW-CKV-OO-CV172 AFW-CKV-OO-CV272 AFW-MDP-FR-3AlllR AFW-MDP-FR-3A6llR AFW-MDP-FR-3A24H AFW-MDP-FR-3BlHR AFW-MDP-FR-3B6IIR AFW-MDP-FR-382411 AFW-MDP-FS . AFW_;.MDP-FS-FWJA cc I AFW-MDP-FS-FWJB N) AFW-MDP-MA-FWJA AFW-MDP-MA-FW3B 1\FW-MOV-FT-2601\
AFW-MOV-F'r-260B 1\FW-MOV-PG-1511\
1\FW-MOV-PG-151B AFW-MOV-PG-151C AFW-MOV-PG-151D AFW-MOV-PG-151E AFW-MOV-PG-151F AFW-PSF-FC-XCONN AFW-TDP-FR-2P111R AFW-'l'DP-FR-2P611R AFW-TDP-FR-611RU2 AFW-TDP-FR-2P24H TA*BLE *4 .-9-7 .{Con-tlnued)
SURRY *DATA*TABLE Failure Event Description Rate B1\CKFLOW THROUGH CV142 1. OE-3/D B1\CKFLOW
'l'HROUGH CV157 l.OE-3/D BJ\CKFLOW
'l'HROUGH CV172 1.0E-3/D BACKFLOW THROUGH CV272 1.0E-3/D MDP AFW 31\ FAILS TO RUN 1 HOUR 3.0E-5/HR MDP AFW 31\ FAILS TO RUN 6 HRS 3.0E-5/HR MDP AFW 31\ FAILS TO RUN FOR 24 HRS 3.0E-5/HR MOP AFW 38 FAILS TO RUN 1 HOUR 3.0E-5/HR MDP AFW 38 FAILS 'l'O RUN 6 HRS 3. OE-5/IIR MDP AFW 38 FAILS TO RUN 24 HRS 3.0E--5/HR APW MDP FAILS TO STAR'r 6.3E-3/D MOP AFW JA FAILS 'l'O S'l'AR'r 6.JE-3/D MDP AFW 3B FAILS TO START 6. JE-3/D TEST AND MAINT ON AFW MDP JA 2.0E;..3/D TEST AND MAINT ON AFW MDP 3B 2.0E-3/D MOTOR OP VLV FW2601\ FAILS 'l'O OPEN 3. OE-3/D MOTOR OP VLV FW260B FAILS 'l'O OPEN 3. OE-3/D
* MOTOR OPERA'l'ED VLV FW151A PLUGGED l.OE-7/IIR MO'l'OR OPERJ\'l'ED VLV FW151B PLUGGED 1. OE-'-7 /IIR MO'l'OR OPERA'rED VLV FW151C PLUGGED l.OE-7/IIR MO'l'OR OPERA'l'ED VLV FW151D PLUGGED l.OE--7/IIR MO'rOR OPERA'l'ED VLV FW151E PLUGGED 1.0E-7/IIR MOTOR OPERA'l'ED VLV FW151F PLUGGED 1. OE-7/HR FLOW DIVERSION .TO*UNIT2' THRU XCONN 1.5E-4/D AFW TOP 2P FAILS 'l'o* RUN FOR 1 HR 5.0E-3/IIR AFW TOP 2P FAILS 'l'O RUN FOR 6 HRS 5. OE-3/IIR UNIT 2 AFW 'l'DP FAILS TO RUN FOR 6 -HRS 5. OE-3/IIR AFW TDP 2P FAILS TO RUN FOR 24 HRS 5.0E-3/HR Unavail.8 Dist. Source/ Time (Mean) 'l'ype EF Comments 1.00E-3 LOG NOR 3 ASEP GEN l.OOE-3 LOG NOR 3 ASEP GEN l.OOE-3 LOG NOR 3 ASEP GEN 1.00E-3 LOG NOR 3 ASEP GEN 1hr 3.00E-5 LOG NOR 10 ASEP GEN 6hr 1.BOE-4 LOG NOR 10 ASEP GEN 24hr 7.20E-4 LOG NOR 10 ASEP GEN 1hr 3.00E-5 LOG NOR 10 ASEP GEN 6hr 1.BOE-4 LOG NOR 10 ASEP GEN 24hr 7.20E-4 LOG NOR 10 ASEP GEN 6.30E-3 LOG NOR 3 PSD 6.JOE-3 LOG NOR 3 PSD 6.JOE-3 LOG NOR 3 PSD 2.00E-3 LoG NOR 10 ASEP GEN 2.00E-3 LoG NOR 10 ASEP GEN 3.00E-3 LOG NOR 10 ASEP GEN 3.00E-3 LOG NOR 10 ASEP GEN lmo 4.00E-5 LOG HOR 3 ASEP GEN lmo 4.00E-5 LOG NOR 3 ASEP GEN lmo 4.00E-5 LOG NOR 3 ASEP GEN lmo 4.00E-5 LOG NOR 3 ASEP GEN lmo 4.00E-5 LOG NOR 3 ASEP GEN lmo 4.00E-5 LOG NOR 3 ASEP GEN l.50E-4 LOG NOR 3 NOTE (C) 1hr 5.00E-3 LOG HOR 10 ASEP GEN 6hr 3.00E-2 LOG HOR 10 ASEP GEN 6hr 3.00E-2 LOG HOR 10 ASEP GEN 24hr 1. 20E-1 MAX ENTk
* ASEP GEN
TABLE 4.9-7 (Continued)
SURRY DATA TABLE
Event Id | Event Description | Failure Rate | Time | Unavail.8 (Mean) | Dist. Type | EF | Source/Comments
AFW-TDP-FS-FW2 | TURBINE DRIVEN AFW PMP FAILS TO START | 1.1E-2/D | | 1.10E-2 | LOG NOR | 10 | PSD
AFW-TDP-FS-U2FW2 | AFW TDP FW2 AT UNIT 2 FAILS TO START | 1.1E-2/D | | 1.10E-2 | LOG NOR | 10 | PSD
AFW-TDP-MA-FW2 | TEST AND MAINT ON AFW TDP 2 | 1.0E-2/D | | 1.00E-2 | LOG NOR | 10 | ASEP GEN
AFW-TDP-MA-U2FW2 | TEST AND MAINT ON AFW UNIT 2 TDP 2 | 1.0E-2/D | | 1.00E-2 | LOG NOR | 10 | ASEP GEN
AFW-TNK-VF-CST | INSUF WATER AVAIL FM 110,000 GAL CST | 1.0E-6/D | | 1.00E-6 | LOG NOR | 3 | NOTE (C)
AFW-TNK-VF-U2CST | INSUF WATER AVAIL AFW UNIT2 CST | 1.0E-6/D | | 1.00E-6 | LOG NOR | 3 | NOTE (C)
AFW-XHE-FO-CST2 | FAILURE OF OP TO XCONN UNIT2 CST | 6.5E-2/D | | 6.50E-2 | MAX ENT | * | HRA
AFW-XHE-FO-MNACT | FAILURE OF OP TO MANUALLY ACTUATE AFW | 2.7E-3/D | | 2.70E-3 | LOG NOR | 10 | HRA
AFW-XHE-FO-U1SBO | OP FAILS TO XCONN AFW SBO AT UNIT 1 | 8.2E-2/D | | 8.20E-2 | MAX ENT | * | RECOVERY
AFW-XHE-FO-U2SBO | OP FAILS TO XCONN AFW SBO AT U1/U2 | 7.5E-2/D | | 7.50E-2 | MAX ENT | * | HRA
AFW-XHE-FO-UNIT2 | OP FAILS TO XCONN AFW, TRANSIENTS | 3.6E-2/D | | 3.60E-2 | MAX ENT | * | HRA
AFW-XVM-PG-XV120 | MANUAL VLV XV120 PLUGGED | 1.0E-7/HR | 1mo | 4.00E-5 | LOG NOR | 10 | ASEP GEN
AFW-XVM-PG-XV153 | MANUAL VLV XV153 PLUGGED | 1.0E-7/HR | 1mo | 4.00E-5 | LOG NOR | 10 | ASEP GEN
AFW-XVM-PG-XV158 | MANUAL VLV XV158 PLUGGED | 1.0E-7/HR | 1mo | 4.00E-5 | LOG NOR | 10 | ASEP GEN
AFW-XVM-PG-XV168 | MANUAL VLV XV168 PLUGGED | 1.0E-7/HR | 1mo | 4.00E-5 | LOG NOR | 10 | ASEP GEN
AFW-XVM-PG-XV183 | MANUAL VLV XV183 PLUGGED | 1.0E-7/HR | 1mo | 4.00E-5 | LOG NOR | 10 | ASEP GEN
AFW-XVM-PG-XV253 | MANUAL VLV XV253 PLUGGED | 1.0E-7/HR | 1mo | 4.00E-5 | LOG NOR | 10 | ASEP GEN
AFW-XVM-PG-XV87 | MANUAL VLV XV87 PLUGGED | 1.0E-7/HR | 1mo | 4.00E-5 | LOG NOR | 10 | ASEP GEN
ALOCA | OCCURENCE OF A LARGE (A) LOCA | 1.00 | | 1.00 | | | NOTE (L)
BETA-AOV | BETA FOR CC FAILURE OF 2 OR MORE AOVs | | | 1.00E-1 | LOG NOR | 3 | ASEP GEN
BETA-AFW | BETA FOR CC FAILURE OF AFW MDPs | | | 5.60E-2 | LOG NOR | 3 | ASEP GEN
BETA-BATT | BETA FOR CC FAILURE OF BATTERIES | | | 8.00E-3 | LOG NOR | 3 | ASEP GEN
BETA-CSS | BETA FOR CC FAILURE OF CSS MDPs | | | 1.10E-1 | LOG NOR | 3 | ASEP GEN
BETA-2DG | BETA FOR CC FAILURE OF 2 DGs | | | 3.80E-2 | LOG NOR | 3 | ASEP GEN
BETA-3DG | BETA FOR CC FAILURE OF 3 DGs | | | 1.83E-2 | LOG NOR | 3 | ASEP GEN
BETA-HPI | BETA FOR CC FAILURE OF HPI MDPs | | | 2.10E-1 | MAX ENT | * | ASEP GEN
BETA-LPI | BETA FOR CC FAILURE OF LPI MDPs | | | 1.50E-1 | LOG NOR | 3 | ASEP GEN
BETA-2MOV | BETA FOR CC FAILURE OF 2 MOVs | | | 8.80E-2 | LOG NOR | 3 | ASEP GEN
* l Q) Event Id BETA-SRV BETA-STR BETA-SWMOV CCW-CKV-FT-CV557 CCW-CKV-00-5630 CCW-CKV-00-56302 CCW-CKV-OO~CV557 CCW-UTX-LK-ElA CCW-HTX-LK-U2ElA CCW-HTX-MA-ElB CCW-HTX-PG-ElA CCW-HTX-PG-ElB CCW-IITX-PG-U2E1A CCW-MDP-FR-CCPlA
*ccw-MDP-FR-CCPlB CCW-MDP-FR-CCP2A CCW-MDP-FS-CCPlB.
CCW-MDP-FS-CCP2A CCW-MDP-MA-CCPlB CCW-MDP-MA-,,CCP2A
* TABLE 4.9-7 (Continued)
BURRY DATA TABLE Event Description BETA FOR CC FAILURE OF SRVs BETA FOR CC FAILURE OF STRAINERS BETA FOR CC FAILURE OF SWS MOVs CHECK VLV CV557 FAILS TO CLS CV 5630 FAILS TO SHUT, CAUSE BKFLW CV 563U2 FAILS 'l'O SHUT, CAUSE BKFLW CV CV557 FAILS TO SHUT, CAUSE BKFLW CCW HEAT EXCHANGER ElA LEAKS CCW UNIT 2 HEAT EXCHANGER ElA PLUGGED TEST AND MAINT HT EXCHANGER ElB ccw HEAT EXCHANGER ElA PLUGGBD ccw HEAT EXCHANGER ElB PLU~GED ccw UNIT 2 HEAT EXCHANGEE ElB PLUGGED 1-cc-P-lA FAILS TO RUN FOR 24 HRS MOP CC-PlB FAILS TO RUN FOR 24 HRS MOP CC-P2A FAILS TO RUN FOR 6 HRS MDP CC-PlB FAILS '1'0 START ON DEMAND MDP CC-P2A FAILS TO START ON DEMAND TEST AND MAINT ON MDP CC:!-PlB TEST AND MAINT ON MDP CC-PlA Failure Rate l.OE-4/D 1.0E-3/D 1.0E-3/D 1.0E-3/D 3.0E-6/HR 3.0E-6/HR 2.0E-4/D 5. ?E-6/HR 5.?E-6/HR 5.?E-6/HR 3.0E-5/HR 3.0E-,,5/HR 3.0E-5/HR
: 3. OE-3/D 3.0E-3/D 2.0E-3/D 2.0E-3/D Unavail.8 Dist. Source/ Time (Mean) Type EF Comments 24hr 24hr 24hr 24hr 24hr 24hr 24hr 6hr 7.00E-2 2.63E-1 2.lOE-1 l.OOE-4 1. OOE-3 l.OOE-3 l.OOE-3 7.20E-5 7.20E-5 2.00E-4 1. 40E-4 1. 40E-4 1. 40E-4 7.20E-4 7.20E-4 l.BOE-4 3.00E-3 3.00E-3 2.00E-3 2.00E-3 LOG NORk3 ASEP GEN MAX ENT
* PSD MAX ENTk
* PSD LOG NOR 3 ASEP GEN LOG NOR 3 ASEP GEN LOG NOR 3 ASEP GEN LOG NOR 3 ASEP GEN LOG NOR 10 ASEP GEN LOG NOR 10 ASEP GEN LOG NOR 10 ASEP GEN LOG NOR 10 ASEP GEN LOG NOR 10 ASEP GEN LOG NOR 10 ASEP GEN LOG NOR 10 ASEP GEN LOG NOR 10 ASEP GEN LOG NOR 10 ASEP GEN LOG NOR 10 ASEP GEN LOG NOR 10 ASEP GEN LOG NOR 10 ASEP GEN LOG NOR 10 ASEP GEN Event Id CCW-XVM-PG-5BOU2 CCW-XVM-PG-583U2 CCW-XVM-PG-XV580 CCW-XVM-PG-XV583 CCW-XVM-PG-XV584 CCW-XVM-PG-XV587 CLS-ACT-FA-CLS2A CLS-ACT-FA-CLS2B CLS-XIIE-FO-Ml\N-A
':"' CLS-XHE-FO-MANSl co CLS-XHE-FO-MANS2 I -.:i CON-VFC-RP-COREM CPC-AOV-F'f CPC-AOV-F'f-108B CPC-AOV-FT-lOBC CPC-AOV-FT-208C CPC-CCF-FT-BBC CPC-CCF-LF-STRlH CPC-CCF-LF-STRJH CPC-CCF-LF-STRAB CPC-CCF-LF-STR6H TABLE 4.9-7 (Continued)
SURRY DATA TABLE Failure Event Description Rate Ml\NUAL VLV XV5BO(U2)
PLUGGED 1.0E-7/HR MANUAL VLV XV583(U2)
PLUGGED 1.0E-7/HR MANUAL VLV XV580 PLUGGED 1.0E-7/HR MANUAL VLV XV58,3 PLUGGED l.OE-7/HR Ml\NUAL VLV XV584 PLUGGED l.OE-7/HR MANUAL VLV XV587 PLUGGED 1.0E-7/HR NO SIGNAL FROM CLCS ACT TRAIN A 1. 6E-J/D NO SIGNAL FROM CLCS ACT TRAIN B 1.6E-3/D OP FAILS TO RECOVER CLCS ACT,A LOCA .2. 7E-3/D OP FAILS TO RECOVER CLCS ACT,s 1 LOCA 2.7E-3/D OP FAILS TO RECOVER CLCS ACT,S 2 LOCA 2. 7E-3/D LPR,HPR FAILS DUE TO CONT FAILURE, 2.0E-2/D PROBABILITY FOR EVENT CV CPC AIR OPERA'fED VALVE FAILS TO OPEN 1. OE-3/D AOV TV-CC-lOBB FAILS TO OPEN l.OE-3/D AOV TV-CC-lOBC FAILS TO OPEN l.OE-3/D AOV TV-CC-20BC FAILS TO OPEN 1.0E-3/D CC FAILURE OF TV-10BB/10BC (CPC-AOV-FT*BETA-AOV)
CC PLUG STRAINERS 2A & 2B W/IN 1 HR (CPC-STR-PG-lll*BETA-STR)
CC PLUG OF STRAINERS 2A & 2B W/IN 3 HRS (CPC-S'l'R-PG-JH*BE'fA-STR)
* CC PLUG OF STRAINERS 2A & 2B W/IN 6 HRS (CPC-STR-PG-JH*BETA-STR)
CC PLUG OF STRAINERS 2A & 2B W/IN 6 HRS (CPC-STR-PG-6H*BETA-STR)
* Unavail.8 Dist. Source/ Time (Mean) Type EF comments lmo 4.00E-5 LOG NOR J ASEP GEN lmo 4.00E-5 LOG NOR 3 ASEP GEN lmo 4.00E-5 LOG NOR J ASEP GEN lmo 4.00E-5 LOG NOR 3 ASEP GEN lmo 4.00E-5 LOG NOR 3 ASEP GEN lmo 4.00E-5 LOG NOR 3 ASEP GEN 1. 60E...;3 LOG NOR 5 ASEP GEN 1.GOE-3 LOG NOR 5 ASEP GEN 2.70E-3 LOG NOR 10 HRA 2.70E-3 LOG NOR 10 HRA 2.70E-3 LOG NOR 10 HRA 2.00E-2 NOTE (E) l.OOE-3 LOG NOR 3 ASEP GEN 1.00E-3 LOG NOR 3 ASEP GEN l.OOE-3 LOG NOR 3 ASEP GEN 1.00E-3 LOG NOR 3 ASEP GEN l.OOE-4 NOTE (D) 1hr 7.90E-6 NOTES (D,F) Jhr 2.40E-5 NOTES (D,F) 6hr 4.70E-5 NOTES (D,F) 6hr 4.70E-5 NOTES (D,F)
Event Id CPC-CCF-LF-S'l'RlB CPC-CCF-LF-STR24 CPC-CKV-FT-CV104 CPC-CKV-FT-CVlOB CPC-CKV-FT-CV262 CPC-CKV-FT-CV752
.,.. CPC-CKV-OO-CV113
:t CPC-CKV-OO-CV764
* CPC-ICC-FA-CCPBS CPC-ICC-FA-SWPBS CPC-ICC ... FA-TCVBB CPC-ICC-FA-TCVBC CPC-MDP-FR-CC2A3 CPC-MOP-FR-CC2A6 CPC-MDP-FR-2CC2A CPC-MDP-FR-CC2A CPC-MDP-FR-CC2B CPC-MOP-FR-CC283 CPC-MDP-FR-CC2B6 CPC-MOP-FR-CCAJH CPC-MOP-FR-CCJ\6H CPC-MDP-FR-CCJ\18 CPC-MDP-FR-CCA24 CPC-MUP-FR-CCBJH CPC-MDP-FR-CCB611 CPC-MOP-FR-CCB18 CPC-MOP-FR-CCB24
* TABLE 4.9-7 (Continued)
BURRY DATA TABLE Failure Event Description Rate CC PLUG OF S'fRAINERS 21\ & B W/IN 18 HRS (CPC-STR-PG-lBH*BETA-STR)
CC PLUG OF STRAINERS 2A & B W/IN 24 HRS (CPC-STR-PG-24H*BETA-STR)
CPC CKV CV104 FAILED TO OPEN 1. OE-4/D CHECK VLV CVlOB FAILS TO OPEN 1. OE-4/D CHECK VLV CV262 FAILS TO OPEN 1. OE-4/D CHECK VLV CV752 FAILS TO OPEN l.OE-4/D CK VLV CV113 FAILS TO SHUT,CAUSE BKFLW 1. OE-3/D CK VLV CV764 FAILS TO SHUT,CAUSE BKFLW 1.0E-3/D NO ACT SIG TO START CPC PMP 2B 3.2E-4/D NO ACT SIG TO START SW PMP lOB 3.2E-4/D NO ACT SIG TO LUBE OIL COOLING TCVBB 1. 6E-3/D NO ACT SIG TO LUBE OIL COOLING TCV8C 1. 6E~3/D MOP CC2A FAILS TO RUN FOR 3 HRS 3.0E-5/HR MDP CC2A FAILS TO RUN FOR 6 HRS 3.0E-5/HR MOP CC2A U2 FAILS TO RUN FOR 6 HRS 3.0E-5/HR MDP CC2A FAILS TO RUN FOR 24 HRS 3.0E-5/IIR MDP CC2B 'FAILS TO RUN FOR 24 HRS 3.0E-5/HR MOP CC2B FAILS TO RUN FOR 3 HRS J,OE-5/HR MDP CC2B FAILS TO RUN FOR 6 HRS 3.0E-5/HR MOP CCA FAILS TO RUN FOR 3 HRS 3.0E-5/HR MDP CCA FAILS TO RUN FOR 6 HRS 3.0E-5/HR MDP CCA FAILS TO RUN FOR 18 HRS 3. OE-5/IIR MDP CCA FAILS 'l'O RUN FOR 24 HRS 3.0E-5/HR MDP CCB FAILS 'l'O RUN FOR J HRS 3.0E-5/llR MDP CCB FAILS TO RUN FOR 6 HRS 3.0E-5/HR MDP CCB FAILS TO RUN FOR 18 HRS 3.0E-5/HR MDP CCB FAILS TO RUN FOR 24 HRS J.OE-5/HR
* Unavail.8 Dist. Source/ Time (Mean) Type EF Comments 18hr l.40E-4 NOTES (D, F) 24hr l.90E-4 NOTES (D,F) 1. OOE-4 LOG NOR 3 ASEP GEN 1.00E-4 LOG NOR 3 ASEP GEN 1.00E-4 LOG NOR 3 ASEP GEN 1.00E-4 LOG NOR 3 ASEP GEN 1.00E-3 LOG NOR 3 ASEP GEN l.OOE-3 LOG NOR 3 ASEP GEN 3.20E-4 LOG NOR 5 NOTE (C) 3.20E-4 LOG NOR 5 NOTE (C) l.60E-3 LOG NOR 5 NOTE (C) l.60E-3 LOG NOR 5 NOTE (C) 3hr 9.00E-5 LOG NOR 10 ASEP GEN 6hr 1. 80E-4 LOG NOR 10 ASEP GEN 6hr 1. 80E-4 LOG NOR 10 ASEP GEN 24hr 7.20E-4 LOG NOR 10 ASEP GEN 24hr 7.20E-4 LOG NOR 10 ASEP GEN 3hr 9.00E-5 LOG HOR 10 ASEP GEN 6hr l.80E-4 LOG NOR 10 ASEP GEN 3hr 9.00E-5 LOG NOR 10 ASEP GEN 6hr 1. BOE-4 LOG NOR 10 ASEP GEN 18hr 5,40E-4 LOG NOR 10 ASEP GEN 24hr 7.20E-4 LOG NOR 10 ASEP GEN 3hr 9.00E-5 LOG NOR 10 ASEP GEN 6hr 1. 80E-4 LOG NOR 10 ASEP GEN 18hr 5.40E-4 LOG NOR 10 ASEP GEN 24hr 7.20E-4 LOG NOR 10 ASEP GEN * 
-----Event Id CPC-MDP-FR-SWA311 CPC-MDP-FR-SWA6H CPC-MDP-FR-SWlOA CPC-MDP-FR-SW20A CPC-MDP-FR-SWA18 CPC-MDP-FR-SWJ\24 CPC-MDP-FR-SWB311 CPC-MDP-FR-SWB6ll CPC-MDP-FR-SW10B .i::,. CPC-MDP-FR-SWB18 . CPC-MDP-FR-SWB24 tO I N) tO CPC-MDP-FS-2CC2A CPC-MDP-FS-CC2B CPC-MDP-FS-SWlOA CPC-MDP-FS-SW10B CPC-MDP-FS-SW20A CPC-MDP-MA-CC28 CPC-MDP-MA-SW10B CPC-STR-PG-lllR CPC-STR-PG-311R CPC-S'1'R-PG-6IIR CPC-S'I'R-PG-1811R CPC-S'l'R-PG-2411H CPC-S'l'R-PG-ll\3 IIR CPC-S'l'R-PG-ll\611H CPC-STR-PG-1AU26 CPC-S'l'R-PG-11\1811 CPC-S'l'R-PG-1A2 411 CPC-STR-PG-l8311R CPC-S'l'R-PG-1B6HR CPC-S'I'R-PG-1Bl811 CPC-S'I'R-PG-182411 TABLE 4.9-7 (Continued)
BURRY D1\T1\ TABLE Failure Event Description Rate MIJP SWA FAILS 'I'O RUN FOR 3 HRS 1. 6E-4/IIR MDP SWA FAILS 'l'O RUN FOR 6 HRS 1. 6E-4/HR MDP SWlOA FAILS TO RUN FOR 24 HRS 1. 6E-4/HR MDP SW20A FAILS 'l'O RUN FOR 6 HRS l.6E-4/HR MDP SWA FAILS TO RUN FOR 18 HRS 1. 6E-4/IIR MDP SW/\ FAILS 'I'O RUN FOR 24 !IRS 1. 6E-4/JIR MDP SWB FAILS TO RUN FOR 3 HRS l.6E-4/IIR MDP SWB FAILS 'I'O RUN FOR 6 HRS 1. 6E-4/IIR MDP SWlOB FAILS 'I'O RUN FOR 24 HRS 1. 6E-4/IIR MOP SW8 FAILS 'l'O RUN FOR 18 HRS 1. 6E-4/IIR MDP SWB FAILS 'l'O RUN FOR 24 HRS l.6E-4/IIR MDP UNIT 2 CC2A FAILS TO START 3.0E-3/D MVP CC2B FAILS TO START 3.0E-3/IJ MDP SWlOA FAILS 'l'O STAR'!' 8.0E-3/D MDP SWlOB FAILS TO STAR'!' 8.0E-3/D MOP SW20A FAILS 'l'O S'l'ART 8.0E-3/D 'I'ES'I' AND MAIN'!' ON MIJP CC2B 2.0E-3/D 'I'ES'I' AND MAIN'!' ON MOP SW10B 2.0E-3/D CPC STRAINER PLUGGED W/IN 1 IIR 3. OE-5/IIR CPC S'l'RAINER PLUGGED W/IN 3 !IRS 3. OE-5/IIH CPC STRAINER PLUGGED W/IN 6 HRS 3. OE-5/IIR CPC STRAINER PLUGGED W/IH 18 HRS 3.0E-5/IIR CPC S'l'RAINER PLUGGED W/IN 24 HRS 3. OE-5/IIR CPC STRAINER lA PLUGGED W/IN 3 HHS 3.0E-5/IIH CPC S'l'RAINER lA PLUGGED W/ IN 6 !IRS 3.0E-5/IIH CPC S'l'RAINER lA UNI'l' 2 PLUG W/ IN 6 HRS 3.0E-5/IIR CPC STRAINER lA PLUGGED W/IN 18 !IRS 3. OE-5/IIR CPC S'l'Rl\lNER 11\ PLUGGED W/IN 24 IIRS 3. OE-5/IIH CPC STRAINER 18 PLUGGED W/IN 3 HRS 3. OE-5/IIH CPC S'I'RAIN ER lB PLUGGED W/IN 6 HRS 3.0E-5/IIR CPC STRAINER 18 PLUGGED W/IN 18 HRS 3. OE-5/IIH CPC S'I'RAINER lB PLUGGED W/IN 24 HRS 3.0E-5/HR
* Unavail.8 Dist. Source/ 'l'ime (Mean) 'l'ype EF Comments 3hr 4.80E-4 LOG NOR 3 PSD 6hr 9.60E-4 LOG NOR 3 PSD 24hr 3.80E-3 LOG NOR 3 PSD 6hr 9.60E-4 LOG NOR 3 PSD 18hr 2.90E-3 LOG NOR 3 PSD 24hr 3.80E-3 LOG NOR 3 PSD 3hr 4.80E....:4 LOG NOR 3 PSD 6hr 9.60E-4 LOG NOR 3 PSD 24hr 3.80E-3. *LOG NOR 3 PSD 18hr 2.90E-3 LOG NOR 3 PSD 24hr 3.80E-3 LOG NOR 3 PSD 3.00E-3 LOG HOR 10 ASEP GEN 3.00E-3 LOG NOR 10 ASEP GEN 8.00E-3 LOG NOR 3.5 PSD 8.00E-3 LOG NOR 3.5 PSD 8.00E-3 LOG NOR 3.5 PSD 2.00E-3 LOG NOR 10 ASEP GEN 2.00E-3 LOG NOR 10 ASEP GEN 1hr 3.00E-5 LOG NOR 10 IREP 3hr 9.00E-5 LOG NOR 10 IREP 6J1r 1. 80E-4 LOG NOR 10 IREP 18hr 5.40E-4 LOG NOR 10 IREP 24hr 7.20E-4 LOG NOR 10 IREP 3hr 9.00E-5 LOG NOR 10 IREP 6hr 1. OOE-4 LOG NOR 10 IREP 6hr 1. 80E-4 LOG NOR 10 IREP 18hr 5.40E-4 LOG HOR 10 IREP 24hr 7.20E-4 LOG NOR 10 !REP Jhr 9.00E-5 LOG NOR 10 !REP 6hr 1. 80E-4 LOG NOR 10 !REP 18hr 5.40E-4 LOG NOR 10 IREP 24hr 7.20E-4 LOG NOR 10 !REP Event Id CPC-STR-PG-2A311R CPC-STR-PG-2A611R CPC-STR-PG-2AU26 CPC-S'l'R-PG-2Al811 CPC-STR-PG-2A2411 CPC-STR-PG-283HR CPC-STR-PG-28611R CPC-STR-PG-281811 CPC-S'l'R-PG-2 82 411 CPC-STR-PG-STRlA CPC-S'l'R-PG-S'l'R1B CPC-STR-PG-STR2A CPC-STR-PG-S'l'H.2 B ':'" c:c CPC-XIIE-FO-CMNS2 I w CPC-XIIE-FO-REALN 0 CPC-XIIE-"FO-SMNSl CPC-XIIE-FO-SMNS2 CPC-XVM-PG-XV109 CPC-XVM-PG-XV117 CPC-XVM-PG-XV118 CPC-XVM-PG-XV119 CPC-XVM-PG-XV120 CPC-XVM-PG-XV122 CPC-XVM-PG-XV123 CPC-XVM-PG-XV124 CPC-XVM-PG-XV125 CPC-XVM-PG-XV126 CPC~XVM-PG-XV170 CPC-XVM-PG-XV171 CPC-XVM-PG-XV172 CPC-XVM-PG-XV17J CPC-XVM-PG-XV261 CPC-XVM-PG-XV305 TABLE 4.9-7 (Continued)
SURRY DATA TABLE Failure Event Description Rate CPC S'l'RAINER 2A PLUGGED W/IN 3 HR 3. OE-5/IIR CPC S'l'RAINER 2A PLUGGED W/IN 6 HRS 3. OE-5/IIR UNIT 2 CPC S'l'RAINER 2A PLUG W/IN 6 HRS 3. OE-5/IIR CPC S'l'RAINER 2A PLUGGED W/IN 18 HRS 3. OE-5/IIR CPC S'l'RAINER 2A PLUGGED W/IN 24 HR 3.0E-5/HR CPC S'l'RAINER 28 PLUGGED W/IN 3 HRS 3, OE-5/IIR CPC S'l'RAINER 28 PLUGGED W/IN 6 HRS 3.0E-5/IIR CPC S'l'RAINER 2B PLUGGED W/IN 18 HRS 3.0E-5/HR CPC S'l'RAINER 28 PLUGGED W/IN 24 HRS 3.0E-5/HR STRAINER lA PLUGGED W/IN 6 HRS 3.0E-5/IIR S'l'RAINER 18 PLUGGED W/IN 6 HRS 3.0E-5/IIR S'l'Rl\INER 2A PLUGGED W/IN 6 HRS 3.0E-5/HR STRAINER 28 PLUGGED W/IN 6 HRS 3.0E-5/HR OP FAILS 'l'O MANUALLY ACT CPC MDP 3. 8E-2/D OP FAILS 'l'O ALIGN CPC SW 'l'O UNI'I'2 7.0E-2/D OP FAILS MAN AC'l' CPC SWS MOP 3.BE-2/D OP FAILS MAN AC'l' CPC SWS MDP 3.BE-2/D MANUAL VLV XV109 PLUGGED 1. OE-7/HR MANUAL VLV XV117 PLUGGED 1. OE-7 /HR MANUAL VLV XVllB PLUGGED 1,0E-7/IIR MANUAL VLV XV119 PLUGGED 1. OE-7/HR MANUAL VLV XV120 PLUGGED 1.0E-7/IIR MANUAL VLV XV122 PLUGGED 1,0E-7/tlR MANUAL VLV XV123 PLUGGED l,OE-7/IIR MANUAL VLV XV124 PLUGGED 1,0E-7/IIH MANUAL VLV XV125 PLUGGED l,OE-7/IIR MANUAL VLV XV126 PLUGGED 1,0E-7/IIR MANUAL VLV XV170 PLUGGED 1.0E-7/IIH MANUAL VLV XV171 PLUGGED 1. OE-7/IIR MANUAL VLV XV172 PLUGGED 1,0E-7/IIR MANUAL VLV XV173 PLUGGED 1.0E-7/IIR MANUAL VLV XV261 PLUGGED 1.0E-7/IIR MANUAL VLV XV305 PLUGGED 1.0E-7/HR Unavail.8 Uist. Source/ *rime (Mean) Type EF Comments 3hr 9.00E-5 LOG NOR 10 !REP 6hr l.80E-4 LOG NOR 10 !REP 6hr 1. 80E-4 LOG NOR 10 !REP 18hr 5. 40E-4 LOG NOR 10 !REP 24hr 7.20E-4 LOG NOR 10 !REP 3hr 9.00E-5 LOG NOR 10 !REP 6hr l,80E-4 LOG NOR 10 !REP 18hr 5.40E-4 LOG NOR 10 !REP 24hr 7.20E-4 LOG NOR 10 !REP 6hr 1. 80E-4 LOG NOR 10 !REP -6hr 1. 80E-4 LOG NOR 10 !REP 6hr 1. BOE-4 LOG NOR 10 !REP 6hr 1. 80E-4 LOG NOR 10 !REP ENTk 3.80E-2 MAX
* HRA ENTk
* 7.00E-2 MAX RECOVERY ENTk 3.BOE-2 MAX
* HRA 3.BOE-2 MAX ENTk
* HRA lwk 8,40E-6 LOG NOR 3 ASEP GEN lmo 4.00E-5 LOG NOR 3 ASEP GEN lwk 8.40E-6 LOG NOR 3 ASEP GEN lwk B,40E-6 LOG NOR 3 ASEP GEN lmo 4.00E-5 LOG NOR 3 ASEP GEN lmo 4.00E-5 LOG NOR 3 ASEP GEN lrno 4.00E-5 LOG NOR 3 ASEP GEN lrno 4.00E-5 LOG NOR 3 ASEP GEN lrno 4.00E-5 LOG NOR 3 ASEP GEN lmo 4,00E-5 LOG NOR 3 ASEP GEN lmo 4.00E-5 LOG NOR 3 ASEP GEN lwk 8.40E-6 LOG NOR 3 ASEP GEN lmo 4.00E-5 LOG NOR 3 ASEP GEN l.mo 4.00E-5 LOG NOR 3 ASEP GEN lwk B.40E-6 LOG NOR 3 ASEP GEN lwk 8.40E-6 LOG NOR 3 ASEP GEN TABLE .9-7 (Continued)
SURRY DATA TABLE Event Id CPC-XVM-PG-XV306 CPC-XVM-PG-XV701 CPC-XVM-PG-XV781 Event Description MANUAL VLV XV306 PLUGGED MANUAL VLV XV701 PLUGGED MANUAL VLV XV781 PLUGGED CSS-CCF-FS-CS1AB CC FAIL OF CSS MDPS TO START (CPC-MDP-FS*BETA-CSS)
CSS-CCF-FT-lOlAB CC FAIL OF CSS MOVS lOlA AND l01B (CPC-MOV-FT*BETA-2MOV)
CSS-CCF-FT-lOlCD CC FAIL OF CSS MOVS lOlC AND 101D (CPC-MOV-FT*BETA-2MOV)
Failure Rate 1.0E-7/HR 1.0E-7/HR l.OE-7/HR Unavai1.8 Dist. Source/ Time (Mean) Type EF Comments lwk B.40E-6 lmo 4.00E-5 lmo 4.00E-5 3.JOE-4 2.60E-4 2.60E-4 LOG NOR 3 LOG NOR 3 LOG NOR 3 ASEP GEN ASEP GEN ASEP GEN NOTE (D) NOTE (D) NOTE (D) CSS-CKV-FT-CV13 CIIECK VLV CV13 FAILS TO. OPEN ON DEMAND l.OE-4/D l.OOE-4 LOG NOR 3 ASEP GEN CSS-CKV-FT-CV24 CHECK VLV CV24 FAILS TO OPEN ON DEMAND 1. OE-4/D 1. OOE-4 LOG NOR 3 ASEP GEN CSS-FLT-PG-CS1A . FILTER FLCS1A PLUGGED J.OE-5/HR 1hr J.OOE-5 LOG NOR 10 IREP CSS-FLT-PG-CS1B FILTER FLCS1B PLUGGED J.OE-5/HR 1hr 3.00E-5 LOG NOR 10 !REP CSS-MDP-FR-lAlllR CSS MDP lA FAILS TO RUN FOR 1 HOUR CS_S-MDP-FR-1BlllR CSS MDP lB FAILS TO RUN FO.R 1 HOUR CSS-MDP-FS CSS-MDP-FS-CS1A CSS-MDP-Fs.:.cs1B CSS-MDP-MA-CS1A CSS-MDP-MA-CS1B CSS-MOV-FT CSS-MOV-FT-lOlA CSS-MOV-FT-101B CSS-MOV-FT-lOlC CSS-MOV-FT-lOlD CSS-MOV-PG-lOOA CSS-MOV-PG-lOOB CONT SPRAY PUMP FAILS TO STAR'r ON DMD CSS MOP lA FAILS 'l'O S'l'AR'f ON DEMAND CSS MDP lB FAILS 'l'O S'rAR'f ON DEMAND 'l'EST AND MAIN'!' ON CSS MDP lA TEST AND MAINT ON CSS MOP lB MOV FAILS TO OPEN ON DEMAND MOV 101A FAILS TO OPEN ON DEMAND MOV l01B FAILS TO OPEN ON DEMAND MOV lOlC FAILS TO OPEN ON DEMAND MOV l01D FAILS TO OPEN ON DEMAND MOTOR OPERATED VLV lOOA PLUGGED MOTOR OPERATED VLY lOOB PLUGGED J.OE-5/HR 1hr J.OOE-5 LOG NOR 10 ASEP GEN J.OE-5/HR 1hr 3.00E-5 LOG NOR 10 ASEP GEN J. OE-3/D 3.0E-3/D J.OE-3/D 2.0E-3/D 2.0E-3/D J.OE-3/D J. OE-3/D J.OE-3/D J.OE-3/D J.OE-3/D J.OOE-3 3.00E-3 3.00E-3 2.00E-3 2.00E-3 J.OOE-3 J.OOE-3 J.OOE-3 J.OOE-3 J.OOE-3 LOG NOR 10 ASEP~GEN LOG NOR 10 ASEP GEN LOG NOR 10 ASEP GEN LOG NOR 10 ASEP GEN LOG NOR 10 ASEP GEN LOG NOR 10 ASEP GEN LOG NOR 10 ASEP GEN LOG NOR 10 ASEP GEN LOG NOR 10 ASEP GEN LOG NOR 10 ASEP GEN l.OE-7/HR Jmo l.OOE-4 LOG NOR 3 ASEP GEN l.OE-7/HR Jmo l.OOE-4 LOG NOR 3 ASEP GEN Event Id CSS-XVM-RE-XV8*
CSS-XVM...;RE..:xv1s CVC-MDP-FR-2A1HR D ..
* DCP-BAT-LP
'f DCP-BAT-LP-BATlA w DCP-BAT-LP-BATlB N DCP-BDC-ST-BUSlA DCP-BDC-ST-BUSlB DCP-CCF-LP-BTlAB DCP-CRB-C0-19 DCP-CRB-C0-20 DCP-CRB-C0-23 DCP-CRB-C0-24 OGN-FTO HPI-CCF-FS-ClllBC HPI-CCF-FT-115BD HPI-CCF-FT-867CD TABLE 4.9-7 (Continued)
SURRY DATA TABLE Failure Event Description Rate MAN VLV xve LEFT OPEN AFTER PMP TEST 3. OE-3/D MAN VLV XV15 LEFT OPEN AFTER PMP TEST 3. OE-3/D 'BORIC ACID XFER I PMP FAILS TO RUN 1 HR J.OE-5/HR DEMAND PROB FOR INTERFACING WCA 5.0E-1/D FAIJ,,URE OF BATTERY POWER ON DEMAND 1.0E-6/HR FAILURE OF BATTERY lA POWER ON DEMAND 1.0E-6/HR FAILURE OF BATTERY lB POWER ON DEMAND 1.0E-6/HR 125V DC BUS lA BUSWORK FAILURE 9.0E-5/D 125V DC BUS lB BUSWORK FAILURE 9.0E-5/D CC FAILURE OF BATTERIES lA AND lB (DCP-BAT-LP*BETA-BATT)
DC CIRCUIT BREAKER 19 XFERS OPEN 2. 9E-5/D DC CIRCUIT BREAKER 20 XFERS OPEN 2.9E-5/D DC CIRCUIT BREAKER 23 XFERS OPEN 2.9E-5/D DC CIRCUIT BREAKER 24 XFERS OPEN 2.9E-5/D DG #J UNAVAIL, DG 2 FAIL TO S'l'ART/RUN J. 4E-2/D CC FAIL TO START MOPS CHlB,ClllC (HPI-MDP-FS*BETA-HPI)
CC FAIL OF MOVS 1115B AND ll15D (HPI-MOV;_FT*BETA-2MOV)
CC FAIL OF HP.I MOVS 1867C, 18670 (HPI-MOV-FT*BETA-2MOV)
Unavail. B Dist. Source/ Time (Mean) Type EF comments 3.00E-3 LOG NOR 10 HRA J.OOE-3 WG NOR 10 HRA 1hr J.OOE-5 WG NOR 10 ASEP GEN 5.00E-1 POINT EST NOTE (G) 2mo 7.20E-4 LOG NOR J ASEP GEN 2mo 7.20E-4 WG NOR J ASEP GEN 2mo 7.20E-4 WG NOR J ASEP GEN 9.00E-5 LOG NOR 5 ASEP GEN 9.00E-5 WG NOR 5 ASEP GEN 5.80E-6 NOTE (D) 2.90E-5 LOG NOR j ASEP GEN 2.90E-5 LOG NOR J ASEP GEN 2.90E-5 LOG HOR J ASEP GEN 2.90E-5 WG NOR J ASEP GEN J.40E-2 WG NOR J NOTE (C) 8.40E-4 NOTE (D) 2.60E-4 NOTE (D) 2.60E-4 NOTE (D)
TABLE 4.9-7 (Continued)
SURRY DATA TABLE
Event Id | Event Description | Failure Rate | Time | Unavail.8 (Mean) | Dist. Type | EF | Source/Comments
HPI-CKV-FT-CV25 | CHECK VLV CV25 FAILS TO OPEN | 1.0E-4/D | | 1.00E-4 | LOG NOR | 3 | ASEP GEN
HPI-CKV-FT-CV225 | CHECK VLV CV225 FAILS TO OPEN | 1.0E-4/D | | 1.00E-4 | LOG NOR | 3 | ASEP GEN
HPI-CKV-FT-CV267 | CHECK VLV CV267 FAILS TO OPEN | 1.0E-4/D | | 1.00E-4 | LOG NOR | 3 | ASEP GEN
HPI-CKV-FT-CV276 | CHECK VLV CV276 FAILS TO OPEN | 1.0E-4/D | | 1.00E-4 | LOG NOR | 3 | ASEP GEN
HPI-CKV-FT-276U2 | CHECK VLV UNIT2 CV276 FAILS TO OPEN | 1.0E-4/D | | 1.00E-4 | LOG NOR | 3 | ASEP GEN
HPI-CKV-FT-CV410 | CHECK VLV CV410 FAILS TO OPEN | 1.0E-4/D | | 1.00E-4 | LOG NOR | 3 | ASEP GEN
HPI-CKV-OO-258U2 | UNIT2 CV258 FAILS TO SHUT, CAUSE BKFLW | 1.0E-3/D | | 1.00E-3 | LOG NOR | 3 | ASEP GEN
HPI-CKV-OO-267U2 | UNIT2 CV267 FAILS TO SHUT, CAUSE BKFLW | 1.0E-3/D | | 1.00E-3 | LOG NOR | 3 | ASEP GEN
HPI-CKV-OO-276U2 | UNIT2 CV276 FAILS TO SHUT, CAUSE BKFLW | 1.0E-3/D | | 1.00E-3 | LOG NOR | 3 | ASEP GEN
HPI-CKV-OO-CV258 | CK VLV CV258 FAILS TO SHUT, CAUSE BKFLW | 1.0E-3/D | | 1.00E-3 | LOG NOR | 3 | ASEP GEN
HPI-MDP-FR-1A3HR | CHRGNG PMP CH1A FAILS TO RUN FOR 3 HRS | 6.3E-5/HR | 3hr | 2.00E-4 | LOG NOR | 2.9 | PSD
HPI-MDP-FR-1A6HR | CHRGNG PMP CH1A FAILS TO RUN FOR 6 HRS | 6.3E-5/HR | 6hr | 4.00E-4 | LOG NOR | 2.9 | PSD
HPI-MDP-FR-1A24H | CHRGNG PMP CH1A FAILS TO RUN FOR 24 HRS | 6.3E-5/HR | 24hr | 1.60E-3 | LOG NOR | 2.9 | PSD
HPI-MDP-FR-1B3HR | CHRGNG PMP CH1B FAILS TO RUN FOR 3 HRS | 6.3E-5/HR | 3hr | 2.00E-4 | LOG NOR | 2.9 | PSD
HPI-MDP-FR-1B6HR | CHRGNG PMP CH1B FAILS TO RUN FOR 6 HRS | 6.3E-5/HR | 6hr | 4.00E-4 | LOG NOR | 2.9 | PSD
HPI-MDP-FR-1B24H | CHRGNG PMP CH1B FAILS TO RUN FOR 24 HRS | 6.3E-5/HR | 24hr | 1.60E-3 | LOG NOR | 2.9 | PSD
HPI-MDP-FR-1C3HR | CHRGNG PMP CH1C FAILS TO RUN FOR 3 HRS | 6.3E-5/HR | 3hr | 2.00E-4 | LOG NOR | 2.9 | PSD
HPI-MDP-FR-1C6HR | CHRGNG PMP CH1C FAILS TO RUN FOR 6 HRS | 6.3E-5/HR | 6hr | 4.00E-4 | LOG NOR | 2.9 | PSD
HPI-MDP-FR-1C12H | CHRGNG PMP CH1C FAILS TO RUN FOR 12 HRS | 6.3E-5/HR | 12hr | 8.00E-4 | LOG NOR | 2.9 | PSD
HPI-MDP-FR-1C24H | CHRGNG PMP CH1C FAILS TO RUN FOR 24 HRS | 6.3E-5/HR | 24hr | 1.60E-3 | LOG NOR | 2.9 | PSD
HPI-MDP-FR-2A6HR | CHG PMP U2 CH2A FAILS TO RUN FOR 6 HRS | 6.3E-5/HR | 6hr | 4.00E-4 | LOG NOR | 2.9 | PSD
HPI-MDP-FR-2C6HR | CHG PMP U2 CH2C FAILS TO RUN FOR 6 HRS | 6.3E-5/HR | 6hr | 4.00E-4 | LOG NOR | 2.9 | PSD
HPI-MDP-FS | CHARGING PUMP FAILS TO START ON DEMAND | 4.0E-3/D | | 4.00E-3 | LOG NOR | 3.5 | PSD
HPI-MDP-FS-CH1A | CHARGING PMP CH1A FAILS TO START ON DMD | 4.0E-3/D | | 4.00E-3 | LOG NOR | 3.5 | PSD
HPI-MDP-FS-CH1B | CHARGING PMP CH1B FAILS TO START ON DMD | 4.0E-3/D | | 4.00E-3 | LOG NOR | 3.5 | PSD
HPI-MDP-FS-CH1C | CHARGING PMP CH1C FAILS TO START ON DMD | 4.0E-3/D | | 4.00E-3 | LOG NOR | 3.5 | PSD
HPI-MDP-FS-CH2A | U2 CHARGING PMP CH2A FAILS TO START | 4.0E-3/D | | 4.00E-3 | LOG NOR | 3.5 | PSD
HPI-MDP-FS-CH2C | U2 CHARGING PMP CH2C FAILS TO START | 4.0E-3/D | | 4.00E-3 | LOG NOR | 3.5 | PSD
HPI-MDP-MA-CH1B | TEST AND MAINT ON HPI MDP CH1B | 2.0E-3/D | | 2.00E-3 | LOG NOR | 10 | ASEP GEN
HPI-MDP-MA-CH1C | TEST AND MAINT ON HPI MDP CH1C | 2.0E-3/D | | 2.00E-3 | LOG NOR | 10 | ASEP GEN
HPI-MDP-MA-CH2C | TEST AND MAINT ON HPI UNIT2 MDP CH2C | 2.0E-3/D | | 2.00E-3 | LOG NOR | 10 | ASEP GEN
Event Id HPI-MOV-FT HPI-MOV-FT-1115B HPI-MOV-FT-1115C HPI.-MOV-FT-1115D HPI-MOV-F'f-1115E HPI-MOV-FT-1350 HPI-MOV-FT-1867C HPI-MOV-FT-18670 JIPI-MOV-PG-1115B HPI-MOV-PG-1115D
':'" HPI-MOV-PG-1269A c:.c I IIPI-MOV-PG-1270A c..:, .i::,. HPI-MOV-PG-1286B HPI-MOV-PG-1286C HPI-MOV-PG-1350 IIPI-MOV-PG-1867C HPI-MOV~PG-1867D HPI-XJIE-FO-AL'f BPI -XIIE-FO-AL'l'I N HPI-XIIE-FO-AI,'fI 3 HPI-XIIE-FO-AL'l'SJ HPI-XIIE-FO-FIJBLD JIPI-XIIE-FO-PLLCK JIPI-XIIE-FO-UN2111 IIPI-XIIE-FO-UN 2 S 2 HPI-X1IE-FO-Ull2S3 IIPI-XIIE-F0-201Jll2 HPI-XHE-F0-30Dll2 HPI-XVM-PG-XV24 TABLE 4.9-7 (Continued)
BURRY DATA TABLE Failure Event Description Rate HPI MOTOR OP VALVE FAILS 'l'O TRANSFER 3.0E-3/D HPI MOV 1115B FAILS TO OPEN ON DEMAND 3.0E-3/D HPI MOV 1115C FAILS TO CLOSE 3.0E-3/D JIPI MOV 1115D FAILS TO OPEN ON DEMAND 3. OE-3/D HP! MOV 1115E FAILS TO CLOSE 3.0E-3/D HP! MOV 1350 FAILS TO OPEN 3.0E-3/D IIPI MOV 1867C FAILS TO OPEN ON DEMl\ND 3.0E-3/D IIPI MOV 18670 FAILS TO OPEN ON DEMAND 3.0E-3/D IIPI MOV 1115B PLUGGED 1.0E-7/IIR HP! MOV 1115D PLUGGED 1. OE-7/HR IIPI MOV 1269A PLUGGED 1. OE-7/IIR IIPI MOV 1270A PLUGGED l.OE-7/HR HP! MOV 1286B PLUGGED l.OE-7/JIR IIPI MOV 1286C PLUGGED 1. OE-7/HR HP! MOV 1350 PLUGGED l.OE-7/HR HP! MOV 1B67C PLUGGED 1. OE-7/IIR HP! MOV 1867D PLUGGED 1. OE-7/HR OP FAILS '1'0 REC CCF OF HPI ,DISCH MOV 6.IE-I/0 OP FAILS *ro REC HP! VIA ALT PATH 5.7E-3/D OP FAILS 'l'O REC If PI VIA AL'f PATIi FOR S3 7.0E-4/D OP FAILS TO REC CCF OF IIPI DISCH MOV 7.4E-2/D OP FAILS TO ESTAB FEED & BLEED 7. lE-2/D OP FAILS TO REMOVE PULL LOCK CONDITION 2.7E-3/D OP FAILS *ro XCONN IIPI.FM U2 FOR S 2/S 3 Hl 1. 6E-3/IJ OP FAILS '1'0 XCONN HPI FM U2 FOR S 2 DI 3.lE-1/D OP FAILS 'l'O XCONN HPI FM U2 FOR S 3 D 1 4.4E-2/D OP FLS 'l'O XCONN JIPI FM U2 FOR S 2 0ull 1/H 2 .4.JE-3/D OP FLS 'l'O XCONN HPI FM U2 FOR S 3 0Dlll/H 2 2.lE-3/D MANUAL VLV XV24 PLGGED lE-7/HR
* Unavail.8 Dist. Source/ Time (Mean) 'l'ype EF Comments 3.00E-3 LOG NOR 10 ASEP GEN 3.00E-3 LOG NOR 10 ASEP GEN 3.00E-3 LOG NOR 10 ASEP GEN J.OOE-3 LOG NOR 10 ASEP GEN 3.00E-3 LOG NOR 10 ASEP GEN 3.00E-3 LOG NOR 10 ASEP GEN 3.00E-3 LOG NOR 10 ASEP GEN 3.00E-3 LOG NOR 10 ASEP GEN lmo 4.00E-5 LOG NOR 3 ASEP GEN Imo 4.00E-5 LOG NOR 3 ASEP GEN Imo 4.00E-5 LOG NOR 3 ASEP GEN Imo 4.00E-5 LOG NOR 3 ASEP GEN Imo 4.00E-5 LOG NOR 3 ASEP GEN lmo 4.00E-5 LOG NOR 3 ASEP GEN lmo 4.00E-5 LOG NOR 3 ASEP GEN lmo 4.00E-5 LOG NOR 3 ASEP GEN lmo 4.00E-5 LOG NOR 3 ASEP GEN 6.IOE-I MAX ENTk
* RECOVERY 5.70E-3 LOG NOR 10 RECOVERY 7.00E-4 LOG NOR 10 RECOVERY 7.40E-2 MAX EN'rk
* RECOVERY 7.lOE-2 MAX ENTk
* HRA 2.70E-3 LOG NOR 10 HRA l.60E-3 LOG NOR 10 RECOVERY 3.lOE-1 MAX ENTk
* RECOVERY 4.40E-2 MAX ENTk
* RECOVERY 4.JOE-3 MAX ENTk
* RECOVERY 2.lOE-3 LOG NOR 10 RECOVERY lmo 4.00E-5 LOG NOR 3 ASEP GEN
TABLE 4.9-7 (Continued)
SURRY DATA TABLE
Event Id | Event Description | Failure Rate | Time | Unavail.8 (Mean) | Dist. Type | EF | Source/Comments
HPR-MDP-FR-A18HR | CHARGING MDP-CH1A FAILS TO RUN 18 HR | 6.8E-5/HR | 18hr | 1.20E-3 | LOG NOR | 2.9 | PSD
HPR-MDP-FR-B18HR | CHARGING MDP-CH1B FAILS TO RUN 18 HR | 6.8E-5/HR | 18hr | 1.20E-3 | LOG NOR | 2.9 | PSD
HPR-MDP-FR-C12HR | CHARGING MDP-CH1C FAILS TO RUN 12 HR | 6.8E-5/HR | 12hr | 8.00E-4 | LOG NOR | 2.9 | PSD
HPR-MDP-FR-C18HR | CHARGING MDP-CH1C FAILS TO RUN 18 HR | 6.8E-5/HR | 18hr | 1.20E-3 | LOG NOR | 2.9 | PSD
IAS-AOV-LK-CC107 | INSTRUMENT AIR LEAK TO TV-CC-107 | 2.4E-5/D | | 2.40E-5 | LOG NOR | 3 | NOTE (C)
IAS-AOV-OC-CC107 | AOV TV-CC-107 TRANSFERS CLOSED | 7.5E-7/D | | 7.50E-7 | LOG NOR | 3 | NOTE (C)
IAS-AOV-PG-CC107 | AOV TV-CC-107 PLUGGED | 1E-7/HR | 1mo | 4.00E-5 | LOG NOR | 3 | ASEP GEN
IAS-CCF-LF-INAIR | LOSS OF INSTRUMENT AIR TO ALL AOVs | 2.7E-5/D | | 2.70E-5 | LOG NOR | 10 | NOTE (C)
IE-A | LARGE LOSS OF COOLANT ACCIDENT | 5E-4/YR | | 5.00E-4 | LOG NOR | 10 | ASEP GEN
IE-S1 | MEDIUM LOSS OF COOLANT ACCIDENT | 1E-3/YR | | 1.00E-3 | LOG NOR | 10 | ASEP GEN
IE-S2 | SMALL LOSS OF COOLANT ACCIDENT | 1E-3/YR | | 1.00E-3 | LOG NOR | 10 | ASEP GEN
IE-S3 | VERY SMALL LOSS OF COOLANT ACCIDENT | 1.3E-2/YR | | 1.30E-2 | LOG NOR | 10 | SECT 4.3.4
IE-T | FULL PWR XIENT EVENT REQUIRING RX SCRAM | 6.6E-0/YR | | 6.60E-0 | LOG NOR | 3 | NUREG-3862
IE-T1 | LOSS OF OFFSITE POWER | 7.7E-2/YR | | 7.70E-2 | SPECIAL | - | NUREG-5032
IE-T2 | LOSS OF MAIN FEEDWATER | 9.4E-1/YR | | 9.40E-1 | LOG NOR | 3 | NUREG-5032
IE-T3 | TURBINE TRIP WITH MAIN FEEDWATER AVAIL | 7.3E-0/YR | | 7.30E-0 | LOG NOR | - | NUREG-3862
IE-T5A | LOSS OF DC BUS 1A | 5E-3/YR | | 5.00E-3 | LOG NOR | 10 | ASEP GEN
IE-T5B | LOSS OF DC BUS 1B | 5E-3/YR | | 5.00E-3 | LOG NOR | 10 | ASEP GEN
IE-T7 | STEAM GENERATOR TUBE RUPTURE | 1E-2/YR | | 1.00E-2 | LOG NOR | 5 | SECT 4.3.4
IE-TN | HIGH PWR XIENT EVENT REQUIRING RX SCRAM | 5.9E-0/YR | | 5.90E-0 | LOG NOR | 3 | NUREG-3862
IE-V-TRAIN-1 | INTERFACING LOCA FM RCS LOOP 1 TO LPI | 4.0E-7/YR | | 4.00E-7 | POINT EST | | NOTE (G)
IE-V-TRAIN-2 | INTERFACING LOCA FM RCS LOOP 2 TO LPI | 4.0E-7/YR | | 4.00E-7 | POINT EST | | NOTE (G)
IE-V-TRAIN-3 | INTERFACING LOCA FM RCS LOOP 3 TO LPI | 4.0E-7/YR | | 4.00E-7 | POINT EST | | NOTE (G)
ISR-CCF-FS-RS1AB | CCFAIL TO START ISR PMPS (ISR-MDP-FS*BETA-CSS) | | | 4.20E-3 | | | NOTE (D)
ISR-MDP-FR-RS1A | ISR MOTOR DRIVEN PMP RS1A FAILS TO RUN | 3E-5/HR | 24hr | 7.20E-4 | LOG NOR | 10 | ASEP GEN
ISR-MDP-FR-RS1B | ISR MOTOR DRIVEN PMP RS1B FAILS TO RUN | 3E-5/HR | 24hr | 7.20E-4 | LOG NOR | 10 | ASEP GEN
Event Id ISR-MDP-FS ISR-MDP-FS-RSlA ISR-MDP-FS-RS1B ISR-MDP-MA-RS1A ISR-MDP-MA-RS1B ISR-STR-PG-RSll\S
':'" ISR-STR-PG-RS1BS co I i:..:, O') K LOSP LOSP-6HR LPI-CCF-CKVSI241 LPI-CCF-CKVSI242 LPI-CCF-CKVSI243 LPI-CCF-FS-SilAB LPI-CKV-FT-CV46A LPI-CKV-FT-CV46B LPI-CKV-F'l'-CV50 LPI-CKV-F'l'-CV58 LPI-CKV-F'l'-CV82 LPI-CKV-F'l'-CV85 LPI-CKV-F'l'-CV241 KV-F'l'-CV24 2 V-F'l'-CV243 TABLE 4.9-7 (Continued)
BURRY Dl\TA TABLE Failure Event Description Rate ISR MOTOR DRIVEN PUMP FAILS 'l'O S'l'AR'l' 3.8E-2/D !SR MOTOR DRIVEN PUMP FAILS TO START 3,8E-2/D !SR MO'l'OR DRIVEN PUMP FAILS 'l'O STAR'!' 3. 8E-2/D '!'EST AND MJ\IN'l' ON MDP RSll\ 2E-3/D '!'EST AND MAIN'!' ON MDP RS1B 2E-3/D ISR STRAINER RSlAS PLUGGED 3E-5/HR ISR STRAINER RS1BS PLUGGED JE-5/HR FAILURE OF RPS TO SCRAM '!'HE RX 6E-5/D LOSS OF OFFSI'l'E W/IN 24 HRS OF INI'I' 2.16E-4/D LOSS OF OFFSI'l'E PWR W/IN 6 HRS OF INI'l' 7.60E-5/D DEP FAIL CKV SI241 GIVEN UPS'l'REAM RP DEP FAIL CKV SI242 GIVEN UPSTREAM RP DEP FAIL CKV SI243 GIVEN UPS'l'RE/\M RP CCFAIL OF MOPS SilA AND ~I1B (LPI-MDP-FS*BETA-LPI)
CHECK VLV CV46A FAILS 'l'O OPEN lE-4/D CHECK VLV CV46B FAILS '1'0 OPEN lE-4/D CHECK VLV CV50 FAILS TO OPEN lE-4/D CHECK VLV CV58 FAILS TO OPEN lE-4/D CHECK VLV CV82 FAILS 'l'O OPEN lE-4/D CHECK VLV CV85 FAILS 'l'O OPEN lE-4/D CHECK VLV CV241 FAILS *ro OPEN lE-4/D CHECK VLV CV242 FAILS 'l'O OPEN lE-4/0 CHECK VLV CV243 FAILS 'l'O OPEN lE-4/0 Unavail.8 Dist. Source/ Time (Mean) 'l'ype EF Comments 3,80E-2 LOG NOR 3.8 PSD 3.80E-2 LOG NOR 3.8 PSD 3,80E-2 LOG NOR 3.8 PSD 2,00E-3 LOG NOR 10 ASEP GEN 2.00E-3 LOG NOR 10 ASEP GEN 24hr 7,20E-4 LOG NOR 10 ASEP GEN 24hr 7.20E-4 LOG NOR 10 ASEP GEN 6.00E-5 LOG NOR 5 NUREG-1000 2.20E-4 SPECIAL 5 ASEP GEN 7.60E-5 SPECIAL J ASEP GEN 5.20E-3 NOTE (G) 5.20E-3 NOTE (G) 5.20E-3 NOTE (G) 4.50E-4 NOTE (D) l.OOE-4 LOG NOR 3 ASEP GEN l.OOE-4 LOG NOR 3 ASEP GEN l.OOE-4 LOG NOR 3 ASEP GEN l.OOE-4 LOG NOR 3 ASEP GEN 1. OOE-4 LOG NOR 3 ASEP GEN 1.00E-4 LOG NOR 3 ASEP GEN l,OOE-4 LOG HOR 3 ASEP GEN 1. OOE-4 LOG NOR 3 A GEN 1.00E-4 LOG NOR 3 EN -----
Event Id LPI-CKV-F'l'-SI79 LPI-CKV-F'I'-SI82 LPI-CKV-FT-SI85 LPI-CKV-FT-S241 LPI-CKV-F'l'-S242 LPI-CKV-FT-S243 LPI-CKV-OO-CV50 LPI-CKV-OO-CV58 LPI-CKV-RP-SI79
'f" LPI-CKV-RP-SI82 tC LPI-CKV-RP-SI85 I LPI-CKV-RP-SI241 w -.;:i LPI-CKV-RP-SI242 LPI-CKV-RP-SI243 LPI-MDP-FR-lAJOM LPI-MDP-FR-lAlllR LPI-MDP-FR-1A3HR LPI-MDP-FR-1A611R LPI-MDP-FR-1B30M LPI-MDP-FR-1B1IIR LPI-MDP-FR-1B3IIR LPI-MOP-FR-1B611R LPI-MOP-FR-A611R LPI-MDP-FR-Al8HR LPI-MDP-FR-A2111R LPI-MDP-FR-A2411R LPI-MDP-FR-B611R LPI-MDP-FR-B1811R LPI-MDP-FR-B2 lllR LPI-MDP-FR-B24HR TABLE 4.9-7 (Continued)
BURRY DATA TABLE Failure Event Description Rate FAILURE OF CV SI79 'l'O CLOSE 3.0lE-3/D FAILUHE OF CV SI82 '1'0 CLOSE 3.0lE-3/D FAILURE OF CV SI85 'I'D CLOSE 3.0lE-3/lJ FAILURE OF CV SI241 'l'O CLOSE 3.0lE-3/U FAILURE OF CV SI242 TO CLOSE 3.0lE-3/lJ FAILURE OF CV SI243 'l'O CLOSE 3.0lE-3/D CHECK VLV CV50 FLS ,'l'O snu*r, CAUSE BKFLW lE-3/D CHECK VLV CV58 FLS TO SHUT,CAUSE BKFLW lE-3/0 RUPTURE OF LPI CKV SI79 RUP'l'URE OF LPI CKV SI82 RUP'l'URE OF LPI CKV SI85 RUPTURE OF LPI CKV SI241 RUPTURE OF LPI CKV SI242 RUPTURE OF LPI CKV SI243 LPI MDP SilA FAILS 'l'O RUN FOR 30 MIN 3E-5/IIR LPI MDP SilA FAILS TO RUN FOR 1 HR JE-5/HR LPI MDP SilA FAILS TO RUN FOR 3 HRS JE-5/HH. LPI MDP SilA FAILS TO RUN FOR 6 IIRS JE-5/IIR LPI MOP SllB FAILS 'l'O RUN FOR 30 MIN JE-5/HR LPI MDP SI1B FAILS TO RUN FOR 1" HR 3E-5/IIR LPI MDP SI1B FAILS 'I'D RUN FOR 3 HRS JE-5/IIR LPI MOP SilB FAILS TO RUN FOR 6 HRS JE-5/IIR LPI MDP SilA FAILS 'l'O RUN FOR 6 HRS JE-5/HR LPI MDP SilA FAILS TO RUN 18 HRS JE-5/HR LPI MOP SilA FAILS 'l'O RUN FOR 21 HRS JE-5/HR LPI MDP SilA FAILS 'l'O RUN FOR 24 HRS JE-5/HR LPI MDP SilB FAILS 'l'O RUN FOR 6 HRS JE-5/HR LPI MDP SilB FAILS TO RUN 18 HRS JE-5/HR LPI MDP SilB FAILS 'l'O RUN FOR 21 HRS JE-5/HR LP! MOP SilB FAILS TO RUN FOR 24 HRS JE-5/IIR Unavail.8 Dist. Source/ Time (Mean) Type EF comments 3.0lE-3 NOTE (G) 3.0lE-3 NOTE (G) 3.0lE-3 NOTE (G) 3.0lE-3 NOTE '(G) 3~01E-3 NOTE (G) 3.0lE-3 NOTE (G) 1. OOE-3 LOG HOR 3 ASEP GEN l.OOE-3 LOG NOR 3 ASEP GEH 3.64E-5 POINT EST NOTE (G) 3.64E-5 POINT EST NOTE (G) 3.64E-5 POINT EST NOTE (G) 3.64E-5 POINT EST NOTE (G) 3.64E-5 POINT EST NOTE (G) 3.64E-5 POINT EST NOTE (G) .5hr 1.50E-5 LOG NOR 10 ASEP GEN 1hr 3.00E-5 LOG NOR 10 ASEP GEN 3hr 9.00E-5 LOG NOR 10 ASEP GEN 6hr 1. 80E-4 LOG NOR 10 ASEP GEN .5hr 1.50E-5 LOG NOR 10 ASEP GEN 1hr 3.00E-5 LOG NOR 10 ASEP GEN 3hr 9.00E-5 *LOG NOR 10 ASEP GEH 6hr 1. 80E-4 LOG NOR 10 ASEP GEN 6hr 1. 
80E-4 LOG NOR 10 ASEP GEN 18hr 5.40E-4 LOG NOR 10 ASEP GEN 21hr 6.JOE-4 LOG NOR 10 ASEP GEN 24hr 7.20E-4 LOG NOR 10 ASEP GEN 6hr 1. 80E-4 LOG NOR 10 ASEP GEN 18hr 5.40E-4 LOG NOR 10 ASEP GEN 21hr 6.JOE-4 LOG NOR 10 ASEP GEN 24hr 7.20E-4 LOG NOR 10 ASEP GEN Event Id LPI-MDP-FS LPI-MDP-FS-SilA LPI-MDP-FS-SI18 LPI-MDP-MA-SilA LPI-MDP-MA-SI18 LPI-MOV-PG-18621\
LPI-MOV-PG-18628 LPI-MOV-PG-18641\
tf' LPI-MOV-PG-18648 tC LPI-MOV-PG-1890C I 00 LPI-XVM-PG-XV48 LPI-XVM-PG-XV57 LPR-CCF-FT-860AB LPR-CCF-FT-8621\B LPR-CCF-FT-863A8 LPR-CCF-FT-890A8 LPR-CCF-PG-SUMP LPR-CKV-FT-CV47 LPR-CKV-FT-CV56 LPR~CKV-FT-CV228 LPR-CKV-FT-CV229 TABLE 4.9-7 (Continued)
SURRY DATA TABLE Failure Event Description Rate LPI MOTOR DRIVEN PUMP FAILS TO S'l'J\R'f JE-3/D LPI MDP SilA FAILS TO STAR'l' ON DEMAND JE-3/D LPI MDP SI18 FAILS TO START ON DEMAND JE-3/D 'l'EST AND MAINT ON LPI MDPSilA 2E-3/D TEST AND MAINT ON LPI MDPSI1B 2E-3/D LPI MOTOR OPER VLV 1862A PLUGGED lE-7/HR LPI MOTOR OPER VLV 18628 PLUGGED lE-7/HR LPI MO'l'OR OPERATED VLV 1864A PLUGGED lE-7/flR LPI MOTOR OPERA'l'ED VLV 18648 PLUGGED lE-7/HR LPI MO'rOR OPERA'l'ED VLV 1890C PLUGGED lE-7/HR MANUAL VLV XV48 PLUGGED lE-7/HR MANUAL VLV XV57 PLUGGED lE-7/HR CC FAIL OF MOV 1860A/B (LPR-MOV-FT*BETA-2MOV)
CC FAIL OF MOV 18621\/8 (LPR-MOV-FT*8ETA-2MOV)
CC FAIL OF MOV 18631\/8 (LPR-MOV-FT*BETA-2MOV)
CC FAIL OF MOV 1890A/8 (LPR-MOV-FT*BETA-2MOV)
PLUGGING OF THE CONTAINMENT SUMP 5E-5/D CHECK VLV CV47 FAILS TO OPEN lE-4/D CHECK VLV CV56 FAILS TO OPEN lE-4/D CHECK VLV CV228 FAILS *ro OPEN lE-4/IJ CHECK VLV CV229 FAILS TO OPEN lE-4/D Unavail.8 Dist. Source/ *rime (Mean) Type EF Comments 3.00E-3 LOG NOR 10 ASEP GEN 3.00E-3 LOG NOR 10 ASEP GEN 3.00E-3 LOG NOR 10 ASEP GEN 2.00E-3 LOG NOR 10 ASEP GEN 2.00E-3 LOG NOR 10 ASEP GEN lmo 4.00E-5 LOG NOR 3 ASEP GEN lmo 4.00E-5 LOG NOR 3 ASEP GEH lyr 4.40E-4 LOG NOR 3 ASEP GEN lyr 4.40E-4 LOG NOR 3 ASEP GEN lyr 4.40E-4 LOG NOR 3 ASEP GEN lmo 4.00E-5 LOG NOR 3 ASEP GEN lmo 4.00E-5 LOG NOR 3 ASEP GEN 2.60E-4 NOTE (D) 2.60E-4 NOTE (D) 2.60E-4 NOTE (D) 2.60E-4 NOTE (D) 5.00E-5 LOG NOR 100 ZION PRA 1. OOE-4 LOG NOR 3 ASEP GEN l.OOE-4 LOG NOR 3 ASEP GEN 1. OOE-4 LOG NOR 3 ASEP GEN l.OOE-4 LOG NOR 3 ASEP GEN Event Id LPR-MOV-FT LPR-MOV-FT-1860A LPR-MOV-FT-1860B LPR-MOV-FT-1862A LPR-MOV-FT-18628 LPR-MOV-FT-1863A LPR-MOV-FT-18638 LPR-MOV-FT-1890A LPR-MOV-FT-1890B LPR-MOV-PG-1863A
':'" LPR-MOV-PG-18638 co LPR-MOV-PG-l890A I LPR-MOV-PG-1890B w co LPR-XIIE-FO-HOTLG M MCW-CCF-VF-INLVL MCW-CCF-VF-SBO MSS-AOV-FC-lOlA MSS-AOV-FC-lOlB MSS-AOV-FC-lOlC MSS-AOV-F'f MSS-AOV-FT-TVBDA MSS-AOV-FT-TV80B MSS-1\0V-FT-lOIA MSS-AOV-FT-1018 MSS-1\0V-F'l'-lOlC TABLE 4.9-7 (Continued)
SURRY DATA TABLE Failure Event Description Rate LPR MOTOR OPERA'l'ED VLV FAILS TO TRNSFER JE-3/D LPR MOTOR OPER VLV 1860A FAILS TO"OPEN JE-3/D LPR MOTOR OPER VLV l860B FAILS TO OPEN JE-3/D LPR MOTOR OPER VLV 1862A FAILS TO CLOSE 5.2E-3/D LPR MOTOR OPER VLV l862B FAILS TO CLOSE 5.2E-3/D LPR MOTOR OPER VLV 1863A FAILS TO OPEN JE-3/D LPR MOTOR OPER VLV l863B FAILS TO OPEN JE-3/D LPR MOTOR OPER VLV 1890A FAILS TO OPEN JE-3/D LPR MOTOR OPER VLV 1890B FAILS TO OPEN JE-3/D LPR MOTOR OPER VLV 1863A PLUGGED lE-7/IIR LPR MOTOR OPER VLV 1863B PLUGGED lE-7/IIR LPR MOTOR OPER VLV 1890A PLUGGED lE-7/HR LPR MOTOR OPERATED VLV l890B PLUGGED lE-7/HR OP FAILS TO ALIGN FOR HOT LEG RECIRC 4E-5/D FAILURE TO RESTORE MAIN FEEDWATER 2.9E-3/D INSUF INTAKE CANAL LVL DURING NRML OPS lE-9/D OP FAILS TO CLS COND !SOL VLV FOR SBO 6E-2/D SG PORV lOIA BLOCK VLV SHUT PRIOR 'l'O IE 1. 5E-1/D SG PORV 1018 BLOCK VLV SHUT PRIOR TO IE 1. 5E-1/D SG PORV lOlC BLOCK VLV SHUT PRIOR TO IE 1.5E-1/D SG BLWDWH !SOL BLOCK VLV FAILS TO SHUT lE-3/D SG BLWDWN ISOL 'l'VBDA FAILS TO snu*r IE-3/D SG BLWDWN ISOL 'l'V8DB FAILS TO snu*r lE-3/D SG PORV 1011\ FAILS 'l'O OPEN ON DEMAND lE-3/D SG PORV 1018 FAILS TO OPEN ON DEMAND lE-3/D SG PORV lOlC FAILS TO OPEN ON DEMAND lE-3/D Unavail.8 Dist. Source/ Time (Mean) Type EF Comments 3.00E-3 LOG NOR 10 ASEP GEN J.OOE-3 LOG NOR 10 ASEP GEN J.OOE-3 LOG NOR 10 ASEP GEN 5.20E-3 LOG NOR 10 NOTE (C) 5.20E-3 LOG NOR 10 NOTE (C) 3.00E-3 LOG NOR 10 ASEP GEN J.OOE-3 LOG NOR 10 ASEP GEN 3.00E-3 LOG NOR 10 ASEP GEN 3.00E-3 LOG NOR 10 ASEP GEN 18mo 6.60E-4 LOG NOR 3 ASEP GEN 18mo 6.60E-4 LOG HOR 3 ASEP GEN lBmo 6.60E-4 LOG NOR 3 ASEP GEN 18mo 6.60E-4 LOG NOR J ASEP GEN 4.00E-5 LOG NOR 10 HRA 2.90E-3 LOG NOR 10 RECOVERY 1. OOE-9 LOG NOR 10 NOTE (C) 6.00E-2 MAX ENTk
* NOTE (C) 1.50E-1 POINT EST PSD 1. 50E-1 POINT EST PSD 1.50E-1 POINT EST PSD 1. OOE-3 LOG NOR 3 ASEP GEN 1. OOE-3 LOG NOR 3 ASEP GEN 1.00E-3 LOG HOR 3 ASEP GEN 1. OOE-3 LOG NOR 3 ASEP GEN l.OOE-3 LOG HOR 3 ASEP GEN 1.00E-3 LOG NOR 3 ASEP GEN 
TABLE 4.9-7 (Continued)
SURRY DATA TABLE Event Id MSS-AOV-PG-lOlA MSS-AOV-PG-1018 MSS-AOV-PG-lOlC Event Description SG PORV 101A PLUGGED SG PORV 1018 PLUGGED SG PORV lOlC PLUGGED MSS-CCF-FT-OlABC cc FAIL o.F SG PORVs TO OPEN (MSS-AOV-FT*BETA-SRV)
MSS-CCF-F'f-'l'VAB CC FAIL OF TURB BYP VLVs 'l'O OPEN (MSS-AOV-FT*BETA-AOV)
Failure Rate lE-7/HR lE-7/HR lE-7/HR MSS-CKV-FT-SGDHR BKFLW 'l'HRU 1 OF 2 SG DECAY HEAT RMVL CV 2E-3/D MSS-SOV-00-0DADV MSS-SOV-00-SGADV MSS-SRV-00-0DSRV MSS-SRV-00-SGSRV SG PORV FLS 'l'O SHUT, SGTR W/0 OP DPHESS SG PORV FAILS *ro SHU'r, SGTR W/DPHESS SG SRV FAILS 'l'O SHUT, SGTR W/0 DPHESS SG SRV FAILS TO SHU'l', SGTR W/DPRESS MSS-XIIE-FO-BLOCK FAILURE OF OP 'l'O TERMINA'l'E FLOW FROM STUCK OPEN SG PORV MSS-XIIE-FO-ISAFW FAILURE OF OP 'l'O 'l'ERMINA'l'E FLOW FROM TDP STM LINE DURING SGTR MSS-XHE-FO-ISBlJN FAILURE OF OP 'l'O TERMINATE FLOW FROM SG BLWDWN LINE DURING SG'l'R MSS-XIIE-FO-ISDHR OP FAILS 'l'O ISOL STM FLOW VIA DECAY HEAT REMOVAL BY COOLDOWN 1. 00/D JE-2/D 1. 00/D JE-2/D 6.4E-2/D 6.BE-6/D 3. 4E-3/D 1. 4E-2/D NOTDG NOTDG-CCF NO'fL-SBOUl NO'l'L-SB0U1U2 NOTO 'l'HE '!'HIRD DG SUCCEEDS, SUPPLIES U2 FOR SBO SUCCESS OF 'l'HE JRlJ DG AF'l'ER CC FAILURE OF 2 -AFW SUCCESS DURIHG SBO A'l' UNI'l' 1 ONLY NOTQ QS 2 AFW SUCCESS DURING SBO AT UNITS 2 AND 2 OP SUCCEEDS IN DEPRESSURIZATION DURING SBO RCS PORV RESHU'l' DURING SBO ALL SG PORV RESIIU'l' DURING SBO SEAL COOLING FM UNIT2 SUCCES~ SBO Unavail.8 Dist. Source/ Time (Mean) Type EF Comments 4.00E-5 4.00E-5 4.00E-5 7.00E-5 l.OOE-4 LOG NOR 3 LOG NOR 3 LOG NOR 3 ASEP GEN ASEP GEN ASEP GEN NOTE (D) NOTE (D) 2.00E-3 LOG NOR 3 NOTE (C) l.OOE-0 3.00E-2 1. OOE-0 3.00E-2 POINT EST LOG NOR 10 POINT EST LOG NOR 10 NOTE (H) ASEP GEN NOTE (H) ASEP GEN 6.40E-2 MAX ENTk
* RECOVERY 6.BOE-6 LOG NOR 10 RECOVERY 3.40E-3 LOG NOR 10 RECOVERY l.40E-2 LOG NOR 10 RECOVERY 9.70E-1 5.20E-1 9.93E-1 9.6BE-1 9.51E-1 9.73E-1 7.JOE-1 8.lSE-1 POINT EST POINT EST POINT EST POINT EST POINT EST POINT EST POINT EST POINT EST NOTE (I) NOTE (I) NOTE (I) NOTE (I) NOTE (I) NOTE (I) NOTE (I) E (I) 
TABLE 4.9-7 (Continued)
SURRY DATA TABLE
Event Id | Event Description | Failure Rate | Time | Unavail.(B) (Mean) | Dist. Type | EF | Source/Comments
NRAC-150MIN | NON-RECOVERY AC PWR W/IN 150 MIN OF LOSP | | | 2.10E-1 | SPECIAL | - | NUREG-5032
NRAC-201MIN | NON-RECOVERY AC PWR W/IN 201 MIN OF LOSP | | | 1.50E-1 | SPECIAL | - | NUREG-5032
NRAC-216MIN | NON-RECOVERY AC PWR W/IN 216 MIN OF LOSP | | | 1.38E-1 | SPECIAL | - | NUREG-5032
NRAC-234MIN | NON-RECOVERY AC PWR W/IN 234 MIN OF LOSP | | | 1.23E-1 | SPECIAL | - | NUREG-5032
NRAC-246MIN | NON-RECOVERY AC PWR W/IN 246 MIN OF LOSP | | | 1.15E-1 | SPECIAL | - | NUREG-5032
NRAC-258MIN | NON-RECOVERY AC PWR W/IN 258 MIN OF LOSP | | | 1.08E-1 | SPECIAL | - | NUREG-5032
NRAC-HALFHR | NON-RECOVERY AC PWR W/IN 30 MIN OF LOSP | | | 6.00E-1 | SPECIAL | - | NUREG-5032
NRAC-1HR | NON-RECOVRY AC PWR W/IN 1 HR OF LOSP | | | 4.40E-1 | SPECIAL | - | NUREG-5032
NRAC-7HR | NON-RECOVRY AC PWR W/IN 7 HRS OF LOSP | | | 5.00E-2 | SPECIAL | - | NUREG-5032
NRAC-6HR-AVG | NON-RECOVERY OF AC PWR W/IN 6 HRS OF LOSP, AVG W/TDP-FR 6 HRS | | | 1.94E-1 | SPECIAL | - | NOTE (C)
NRAC-24HR-AVG | NON-RECOVERY OF AC PWR W/IN 24 HRS, AVG W/TDP-FR 24 HRS | | | 6.10E-2 | SPECIAL | - | NOTE (C)
NSLOCA | SUCCESSFUL FUNCTION RCP SEALS DURING SBO | | | 2.70E-1 | POINT EST | | NOTE (I)
O | OP FAILS TO DEPRESS RCS DURING SBO | 4.9E-2/D | | 4.90E-2 | MAX ENT (K) | | RECOVERY
OEP-BAC-ST-FDRD | RESERVE STA SRVC FEEDER D BUSWORK FAILS | 9E-5/D | | 9.00E-5 | LOG NOR | 5 | ASEP GEN
OEP-BAC-ST-FDRF | RESERVE STA SRVC FEEDER F BUSWORK FAILS | 9E-5/D | | 9.00E-5 | LOG NOR | 5 | ASEP GEN
OEP-CCF-FS-DG123 | CC FAIL TO START ALL 3 DGs (OEP-DGN-FS*BETA-3DG) | | | 4.00E-4 | | | NOTE (D)
OEP-CCF-FS-DG12 | CC FAIL TO START 1 & 2 DG (OEP-DGN-FS*BETA-2DG) | | | 8.40E-4 | | | NOTE (D)
OEP-CCF-FS-DG13 | CC FAIL TO START 1 & 3 DG (OEP-DGN-FS*BETA-2DG) | | | 8.40E-4 | | | NOTE (D)
OEP-CCF-FS-DG23 | CC FAIL TO START 2 & 3 DG (OEP-DGN-FS*BETA-2DG) | | | 8.40E-4 | | | NOTE (D)
OEP-CRB-FT-15H3 | DIESEL GEN #1 CKT BRKR 15H3 FLS TO CLS | 3E-3/D | | 3.00E-3 | LOG NOR | 10 | IREP
OEP-CRB-FT-15J3 | DIESEL GEN #3 CKT BRKR 15J3 FLS TO CLS | 3E-3/D | | 3.00E-3 | LOG NOR | 10 | IREP
OEP-CRB-FT-25H3 | DIESEL GEN #2 CKT BRKR 25H3 FLS TO CLS | 3E-3/D | | 3.00E-3 | LOG NOR | 10 | IREP
Event Id OEP-DGN-FC-DG3U2 OEP-DGN-FR-DGOl OEP-DGN-FR-DG02 OEP-DGN-FR-DG03 OEP-DGN-FR-611DG1 OEP-DGN-FR-611DG2 OEP-DGN-FR-611DG3 OEP-DGN-FS c.c OEP-DGN-FS-DGOl I OEP-DGN-FS-DG02
""' N) OEP-DGN-FS-DG03 OEP-DGN-MA-DGOl OEP-DGN-MA-DG02 OEP-DGN-MA-DG03 OSR-CCF-FS-RS2AB OSR-CKV-FT-CVll OSR-CKV-F'l'-CVl 7 OSR-MDP-FR-A2411R OSR-MDP-FR-B2411R OSR!...MDP-FS OSR-MDP-FS-RS2A OSR-MDP-FS-RS2D OSR-MDP-MA-RS2A -MDP-MA-RS2B TABLE 4.9-7 (Continued)
SURRY DATA TABLE Failure Event Description Rate DIESEL GEN #3 UNAVAIL, ALIGNED TO UNI'l'2 3.4E-2/D DG #1 FAILS TO RUN FOR 1 HR 2E-3/HR DG #2 FAILS TO RUN FOR 1 HR 2E-3/IIR DG #3 FAILS 'l'O RUN FOR 1 HR 2E-3/HR DG #1 FAILS TO RUN FOR 6 HRS 2E-3/HR DG #2 FAILS TO RUN FOR 6 HRS 2E-3/HR DG #3 FAILS 'l'O RUN FOR 6 HRS 2E-3/HR DIESEL GENERATOR FAILS TO START 2. 2E-2/D DIESEL GENERA'l'OR
#1 FAILS 'l'O S'l'AR'l' 2.2E-2/D DitSEL GENERATOR
#2 FAILS TO STAR'l' 2. 2E-2/D DIESEL GENERATOR
#3 FAILS TO S'l'AR'l'
: 2. 2E-2/D TEST AND MAIN ON DIESEL GENERATOR
#1 6E-3/D 'l'ES'l' AND MAIN ON DIESEL GENERA'l'OR
#2 6E-3/D 'l'ES'l' AND MAIN ON DIESEL GENERA'l'OR.
#3 6E-3/D CCFAIL TO START OSR MDPS (OSR-MDP-FS*BETA-CSS)
CHECK VLV CVll FAILS TO OPEN lE-4/D CHECK VLV CV17 FAILS TO OPEN lE-4/D OSR MDP RS2A FAILS TO RUN 24 HRS 3E-5/IIR OSR MDP RS2B FAILS 'l'O RUN 24 HRS 3E-5/IIR OSR MDP FAILS 'l'O STJ\R'l' ON DEMAND 3E-3/D OSR MDP RS2A FAILS 'l'O S'l'AR'l' ON DEMAHD 3E-3/D OSR MOP RS2D FAILA 'l'O S'l'AR'l' ON DEMAND JE-3/D 'l'EST AND MAINT on*osR. MDP RS2A 2E-3/D 'l'ES'l' AND MAINT ON,OSR MOP RS 2E-3/D Unavail.8 Dist. Source/ Time (Mean) Type EF Comments 3.40E-2 LOG NOR 3 NOTE (C) 1hr 2.00E-3 LOG NOR 10 ASEP GEN 1hr 2.00E-3 LOG NOR 10 ASEP GEN 1hr 2.00E-3 LOG NOR 10 ASEP GEN 6hr 1. 20E-2 LOG NOR 10 ASEP GEN 6hr 1.20E-2 LOG NOR 10 ASEP GEN 6hr l.20E-2 LOG NOR 10 ASEP GEN 2.20E-2 LOG NOR 3 PSD 2.20E-2 LOG NOR 3 PSD 2.20E-2 LOG NOR 3 PSD 2.20E-2 LOG \ NOR 3 PSD 6.00E-3 LOG NOR 10 ASEP GEN 6.00E-3 LOG NOR 10 ASEP GEN 6.00E-3 LOG NOR 10 ASEP GEN 3.30E-4 NOTE (D) l.OOE-4 LOG UOR 3 ASEP GEN l.OOE-4 LOG NOR 3 ASEP GEN 24hr 7.20E-4 LOG NOR 10 ASEP GEN 24hr 7.20E-4 LOG NOR 10 ASEP GEN 3.00E-3 LOG HOR 10 ASEP GEN 3.00E-3 LOG NOR 10 ASEP GEN 3.00E-3 LOG NOR 10 ASEP GEN 2.00E-3 LOG NOR 10 ASEP GEN 2.00E-3 LOG NOR 10.P GEN
* Event Id OSR-MOV-PG-155A OSR-MOV-PG-1558 0SR-MOV-PG-156A OSR-MOV-PG-1568 OSR-STR-PG-RS2A OSR-STR-PG-RS2B f-PCS-AOV-F'r tO PCS-AOV-F'r-BYPA I ,i:::,. PCS-AOV-FT-BYPB w PCS-AOV-FT-MS'l'VA PCS-AOV-FT-MSTVB PCS-AOV-PG-BYP-A PCS-AOV-PG-BYP-B PCS-AOV-PG-MS'l'VA PCS-AOV-PG-MSTVB PCS-CCF-FT-TRBYP PCS-XHE-FO-TB'l'RP PL PORV-BLK PORV-NOT-BLK
* TABLE 4.9-7 (Continued)
SURRY DATA TABLE Failure Event Description Rate OSR MOTOR OPER VLV 155A PLUGGED lE-7/IIR OSR MOTOR OPER VLV 1558 PLUGGED lE-7/IIR OSR MOTOR OPER VLV 156A PLUGGED lE-7/IIR OSR MOTOR OPER VLV 1568 PLUGGED lE-7/HR OSR MOP RS2A SUMP STRAINER PLUGGED 3.0E-5/IIR OSR MOP RS2B SUMP STRAINER PLUGGED 3.0E-5/HR PCS AIR OPERATED VLV FAILS TO TRANSFER lE-3/0 VLV TO TURB BYP FAILS TO OPEN lE-3/D VLV TO TURB BYP FAILS TO OPEN lE-3/D SG MSTVA FAILS TO OPEN lE-3/D SG MSTVB FAILS TO OPEN lE-3/0 VLV TO TURB BYP A PLUGGED lE-7/HR VLV 'l'O TURB BYP B PLUGGED lE-7/HR SG 101A MSTV PLUGGED lE-7/HR SG l01B Ms*rv PLUGGED lE-7/HR CC FAIL OF TURB BYP VLVS ( PCS-AOV-F'l'*
BE'l'A-AOV)
OP FAILS TO TRIP MAIN '!'URBINE
: 2. 7E-3/D PROB OF INITIAL POWER BELOW 25% l.OE-1/0 SG PORV IS BLOCKED PRIOR TO IE 1. 5E-1/D SG PORV IS NOT BLOCKED PRIOR TO IE 8. 5E-1/D Unavai!.8 Dist. Source/ Time (Mean) Type EF Comments 4.00E-5 LOG NOR 3 ASEP GEN 4.00E-5 LOG NOR 3 ASEP GEN 4.00E-5 LOG NOR 3 ASEP GEN 4.00E-5 LOG NOR 3 ASEP GEN 24hr 7.20E-4 LOG NOR 10 !REP 24hr 7.20E-4 LOG NOR 10 !REP 1.00E-3 LOG NOR 3 ASEP GEN 1. OOE-3 LOG NOR 3 ASEP GEN 1. OOE-3 LOG NOR 3 ASEP GEN l.OOE-3 LOG NOR 3 ASEP GEN 1.00E-3 LOG NOR 3 ASEP GEN lmo 4.00E-5 LOG NOR 3 ASEP GEN lmo 4.00E-5 LOG NOR 3 ASEP GEN lmo 4.00E-5 LOG NOR 3 ASEP GEN lmo 4.00E-5 LOG NOR 3 ASEP GEN 1. OOE-4 NOTE (D) 2.70E-3 LOG NOR 10 HRA 1. OOE-1 POINT EST SECT 4.4.11 1. 50E-1 MAX ENTk
* PSD B.50E-1 MAX ENTk
* PSD Event Id PORV-DEMAND PORV-DMD-T2-'1'3 PPS-CCF-FT-15356 PPS-CCF-FT-PORV PPS-CCF-F'l'-SRVS PPS-MOV-FC-1535 PPS-MOV-FC-1536 f" PPS-MOV-FC-OPER tC I PPS-MOV-FT PPS-MOV-F'l'-153 5 PPS-MOV-F'l'-1536 PPS-MOV-00-1535 PPS-MOV-00-1536 PPS-MOV-PG-1535 PPS-MOV-PG-1536 PPS-SOV-FT PPS-SOV-FT-1455C PPS-SOV-F'l'-1456 PPS-SOV-00-1455C PPS-SOV-00-1456 PPS-SRV-F'l' PPS-SRV-FT-1551A PPS-SOV-FT-1551B PPS-SOV-FT-1551C
* TABLE 4.9-7 (continued)
BURRY DATA TABLE Failure Event Description Rate PROB THAT A RCS PORV IS DEMANDED ('1'1) PROB THAT A RCS PORV IS DEMANDED (T2' T 3) CC FAIL OF PORV BLKING VLVS (PPS-MOV-FT*BETA-2MOV)
CC FAIL OF THE RCS PORVS TO OPEN (PPS-SOV-FT*BETA-SRV)
CC FAIL OF 'l'IIE RCS SH.VS 'l'O OPEN (PPS-SRV-FT*BETA-SRV)
BLOCK VLV SIIU'l' DUE 'l'O LEAKING PORV BLOCK VLV SIIU'l' DUE TO LEAKING PORV OP FAILS TO CLOSE RCS PORV BLK VLV 2.70E-3/D .PORV BLOCK VALVE FAILS 'l'O OPEN 4E-2/D PORV BLOCK VLV 1535 FAILS 'l'O OPEN 4E-2/D PORV BLOCK VLV 1536 FAILS 'l'O OPEN 4E-2/D MOV BLK VLV 1535 FAILS TO SIIU'l' 4E-2/D MOV BLK VLV 1536 FAILS TO SIIU'l' 4E-2/D PORV BLOCK VLV 1535 PLUGGED lE-7/IIR PORV BLOCK VLV 1536 PLUGGED lE-7/IIR PORV PCV FAILS 'l'O OPEN ON DEMAND lE-3/D PORV PCV 1455C FAILS 'l'O OPEN ON DEMAND lE-3/D PORV PCV 1456 FAILS TO OPEN ON DEMAND lE-3/D RCS PORV 14 55C FAILS 'l'O RECLOSE JE-2/D RCS PORV 1456 FAILS TO RECLOSE JE-2/D RCS SRV FAILS TO OPEN ON DEMAND lE-3/D RCS SRV A FAILS .'l'O OPEN ON DEMAND lE-3/D RCS SRV B FAILS TO OPEN ON DEMAND lE-3/D RCS SRV C FAILS TO OPEN ON DEMAND lE-3/D Unavail.B Dist. Source/ Time (Mean) Type EF Comments 4.lOE-2 MAX ENTk
* NOTE (H) 5.70E-3 LOG NOR 10 NOTE (H) 3.50E-3 NOTE (D) 7.00E-5 NOTE (D) 7.00E-5 NOTE (D) 3 *. OOE-1 POINT EST PSD 3.00E-1 POINT EST PSD 2.70E-3 LOG NOR 10 HRA 4,00E-2 LOG NOR 3 PSD 4,00E-2 LOG NOR 3 PSD 4.00E-2 LOG NOR 3 PSD 4.00E-2 LOG NOR 3 PSD 4.00E-2 LOG NOR 3 PSD 4.00E-5 LOG NOR 3 ASEP GEN 4.00E-5 LOG NOR 3 ASEP GEN 1. OOE-3 LOG NOR 3 ASEP GEN 1. OOE-3 LOG NOR 3 ASEP GEN L OOE-3 LOG NOR 3 ASEP GEN 3.00E-2 LOG NOR 10 ASEP GEN 3.00E-2 LOG NOR 10 ASEP GEN 1. OOE-3 LOG NOR 3 ASEP GEN 1,00E-3 LOG NOR 3 ASEP GEN 1.00E-3 LOG NOR 3 ASEP GEN 1. OOE-3 LOG NOR 3 ASEP GEN 
TABLE 4.9-7 (Continued)
SURRY DATA TABLE
Event Id | Event Description | Failure Rate | Time | Unavail.(B) (Mean) | Dist. Type | EF | Source/Comments
PPS-XHE-FO-EMBOR | OP FAILS TO CORRECTLY EMERGENCY BORATE | 1.0E-3/D | | 1.00E-3 | LOG NOR | 10 | HRA
PPS-XHE-FO-1PORV | OP FAILS TO OPEN 1 PORV | 7.1E-2/D | | 7.10E-2 | MAX ENT (K) | | HRA
PPS-XHE-FO-PORVS | FAILURE OF OP TO BTH PORVS FOR FD/BLD | 4.4E-2/D | | 4.40E-2 | MAX ENT (K) | | HRA
PPS-XHE-FO-UNBLK | OP FAILS TO UNBLOCK PORV DURING ATWS | 2.3E-1/D | | 2.30E-1 | LOG NOR | 10 | HRA
QC | RCS INTEG FAILS DUE TO PORV STUCK OPEN | 1.2E-4/D | | 1.20E-4 | LOG NOR | 10 | NOTE (C)
QS-SBO | SG SRV/PORV STICK OPEN DURING SBO | 2.7E-1/D | | 2.70E-1 | MAX ENT (K) | | NOTE (C)
QS-UNIT2 | UNIT 2 SG RELIEF STUCK OPEN DURING SBO | 1.6E-1/D | | 1.60E-1 | MAX ENT (K) | | NOTE (C)
R | FAILURE TO MANUAL SCRAM THE RX | 1.7E-1/D | | 1.70E-1 | MAX ENT (K) | | RECOVERY
RCP-LOCA-750-90M | 750 GPM RCP SEAL LOCA AT 90 MIN | 5.30E-1/D | | 5.30E-1 | SPECIAL | | NOTE (M)
RCP-LOCA-467-150 | 183 GPM INCSNG TO 750 GPM RCP SEAL LOCA | 1.27E-1/D | | 1.27E-1 | SPECIAL | | NOTE (M)
RCP-LOCA-183-150 | 183 GPM RCP SEAL LOCA AT 150 MIN | 1.61E-2/D | | 1.61E-2 | SPECIAL | | NOTE (M)
RCP-LOCA-183-210 | 183 GPM RCP SEAL LOCA AT 210 MIN | 1.61E-2/D | | 1.61E-2 | SPECIAL | | NOTE (M)
RCP-LOCA-1440-90 | 1440 GPM RCP SEAL LOCA AT 90 MIN | 4.3E-3/D | | 4.30E-3 | SPECIAL | | NOTE (M)
RCP-LOCA-561-150 | 372 GPM INCSNG TO 750 GPM RCP SEAL LOCA | 4.0E-3/D | | 4.00E-3 | SPECIAL | | NOTE (M)
RCP-LOCA-183-90 | 183 GPM RCP SEAL LOCA AT 90 MIN | 1.4E-2/D | | 1.40E-2 | SPECIAL | | NOTE (M)
RCS-AOV-FT | FAILURE OF RCS AIR OPERATED VALVE | 1E-3/D | | 1.00E-3 | LOG NOR | 3 | ASEP GEN
RCS-AOV-FT-1455A | FAILURE OF PZR SPRAY VLV 1455A TO OPEN | 1E-3/D | | 1.00E-3 | LOG NOR | 3 | ASEP GEN
RCS-AOV-FT-1455B | FAILURE OF PZR SPRAY VLV 1455B TO OPEN | 1E-3/D | | 1.00E-3 | LOG NOR | 3 | ASEP GEN
RCS-CCF-FT-455AB | CC FAIL OF PZR SPRAY VLVS TO OPEN (RCS-AOV-FT*BETA-AOV) | | | 1.00E-4 | | - | NOTE (D)
RCS-FCV-FT-AUXSP | FAILURE OF AUX SPRAY VLV TO OPEN | 1E-3/D | | 1.00E-3 | LOG NOR | 3 | ASEP GEN
RCS-MDP-FR-RCP1A | REACTOR COOLANT PMPS FAIL TO RUN 1 HR | 3E-5/HR | 1hr | 3.00E-5 | LOG NOR | 10 | ASEP GEN
RCS-MDP-FR-RCP1C | REACTOR COOLANT PMPS FAIL TO RUN 1 HR | 3E-5/HR | 1hr | 3.00E-5 | LOG NOR | 10 | ASEP GEN
Event Id RCS-PORV-D1DMD RCS-PORV-DMD RCS-PORV-ODMD RCS-XIIE-FO-DPRES RCS-XIIE-FO-DPR'l'7 RCS-XHE-FO-DPT7D REC-XIIE-FO-DGEH REC-XHE-FO-DGHWB REC-XHE-FO-DGIIWS
':"' REC-XHE-FO-DGTMB c:c REC-XHE-FO-DGTMS I .i::. REC-XHE-FO-DPRES O') REC-XHE-FO-GAGRV REC-XHE_-FO-SCOOL RHR-AOV-OC-1758 RIIR-AOV-00-1605 RIIR-ASF-PG-1605 RHR-CCF-FS-MDPAB RHR-CCF-FT-720AB RHR-CKV-FT-CV5 RHR:*CKV-FT-CVll RHR-CKV-FT-RC23 RIIR-CKV-FT-RC24 TABLE 4.9-7 (Continued)
BURRY DATA TABLE Failure Event Descr-iption Rate RCS PORV DEMAND DURING Dl FAILURE, SGTR l.25E-1/D RCS PORV DEMAND DURING SGTR 5.00E-2/IJ RCS PORV DEMAND FOR SGTR W/0 DEPRESS 5.00E-1/D OP FAILS TO DEPRSS/COOL RCS FOR s 2 , S 2. 2E-2/D OP FAILS 'l'O DEPRSS/COOL RCS DURIN.G SG'l,R 2.9E-2/D OP FAILS TO DEPRESS/COOL RCS FOR T 7 D 1 4. OE-1/D OP FAILS 'l'O RECOVER A DG WITHIN 1 HR 9E-1/D OP FAILS TO REC A DG FM HW FAIL IN 6 HR 6E-1/D OP FAILS TO REC A DG FM HW FAIL IN 3 IIR BE-1/D OP FAILS TO REC A DG FM 'I'M FAIL IN 6 HR 5E-1/D OP FAILS TO REC A DG FM 'I'M FAIL IN 3 HR 7E-l/D OP FAILS 'l'O DEPRESS RCS IN REC FM SGTR 1. 4_E-2/D OP FAILS TO GAG SHU'r S'l'UCK OPEN RELIEF JE-1/D OP FAILS TO GE'f SEAL COOL DURING SBO l.25E-l/U IICV-1758 XFERS SHUT 7.5E-7/D FCV-1605 XFERS FULL OPEN AND STICKS 2. 4E-6/D mm FLOW ORIFICE PLUGGED JE-4/D CC FAIL OF MDP lA & lB TO START ( RHR-MDP-FS
* BE'fA-LPI) cc FAIL OF mm MOVS l720A,l720B (RIIR-MOV-FT*BE'fA-2MOV)
CHECK VLV CV5 FAILS TO OPEN lE-4/D CHECK VLV CVll FAILS TO OPEN lE-4/D CHECK VLV CV RC23 FAILS TO OPEN lE-4/D CHECK VLV CV RC24 FAILS TO OPEN lE-4/D
* Unavail.8 Dist. Source/ 'l'ime (Mean) Type EF Comments 1. 25E-l MAX ENTk
* NOTE (C) 5.00E-2 MAX ENT:
* NOTE (C) 5.00E-1 MAX ENT
* NOTE (C) 2.20E-2 MAX ENTk
* HRA 2.90E-2 MAX ENT:
* HRA 4.00E-1 MAX ENT
* HRA 9.00E-1 MAX EHTk
* ASEP GEN 6.00E-1 MAX EltTk
* ASEP GEN 8.00E-1 MAX ENTk
* ASEP GEN 5.00E-1 MAX ENT:
* ASEP GEH 7.00E-1 MAX
* ASEP GEN ENT 1. 40E-2 LOG NOR 10 HRA 3.00E-1 MAX ENTk
* HRA 1. 25E-1 MAX ENTk
* HRA 7.50E-7 LOG NOR 3 NOTE (C) 2.40E-6 LOG NOR 10 NOTE (C) 3.00E-4 LOG NOR 3 !REP 4.50E-4 NOTE (D) 2.60E-4 NOTE (D) 1.00E-4 LOG NOR 3 ASEP GEN 1. OOE-4 LOG NOR 3 ASEP GEN l.OOE-4 LOG NOR 3 ASEP GEN l.OOE-4 LOG NOR J ASEP GEN *
* Event Id RIIR-CKV-00-CVll RIIR-CKV-OO-CV5 RHR-HTX-LK-ElA RHR-HTX-LK-E1B RHR-HTX-PG-ElA RHR-HTX-PG-ElB RIIR-MDP-FR-1\2 4 IIR RHR-MDP-FR-B24HR RIIR-MDP-FS
""' RIIR-MDP-FS-RIIRlJ\ . c.o RHR-MDP-FS-RHR1B I ""' -:J RIIR-MOV-F'l'-1700 RIIR-MOV-F'l'-1701 RIIR-MOV-F'l'-17201\
RIIR-MOV-FT-17208 RIIR-MOV-PG-1700 RIIR-MOV-PG-1701 RIIR-MOV-PG-1720A RIIR-MOV-PG-1720B RHR-SRV-C0-1721 RIIR-XVM-PG-XV2 RIIR-XVM-PG-XV6 RIIR-XVM-PG-XV8 RIIR-XVM-PG-XV12 RIIR-XVM-PG-XV15 R1IR-XVM-PG-XV19 R1IR-XVM-PG-XV20 RIIR-XVM-PG-XV24 TABL~-7 (Continued)
BURRY DATA TABLE Failure Event Description Rate BJ\CKFLOW THROUGH CVll lE-3/D BACKFLOW THROUGH CV5 lE-3/D RIIR HEAT EXCHANGER ElA TUBE LEAKS JE-6/HR RHR HEAT EXCHANGER ElB TUBE LEAKS JE-6/HR RIIR HEAT EXCHANGER Ell\ PLUGGED 5. 7E-6/IIR RHR HEAT EXCHANGER E1B PLUGGED 5.7E-6/HR RIIR MDP 11\ FAILS TO RUN 24 HRS JE-5/HR rum MDP 18 FAILS 'l'O RUN 2 4 HRS JE-5/HR RIIR MO'l'OR DRIVEN PUMP FAILS TO S'l'J\R'l' JE-3/D mm MOP 11\ FJ\ILS 'l'O STJ\R'l' ON DEMJ\tlD JE-3/D RIIR MOP lB FAILS TO S'l'AR'l' ON DEMAND JE-3/D mm MOV 1700 FJ\ILS 1'0 OPEU ON DEMJ\UD JE-3/D mm MOV 1701 FAILS 'l'O OPEN ON DEMJ\HD JE-3/U mm MOV 17201\ FJ\ILS TO OPEN ON DEMAND JE-3/U RHR MOV 17208 FAILS TO OPEN ON DEMAND JE-3/D RIIR MOTOR OPERATED VLV 1700 .. PLUGGED l.E-7 /IIR HIIR MOTOR OPER VJN 1701 PLUGGED lE-7 /HR mm MOTOR OPERATED VLV 1720A PLUGGED lE-7/IIR RIIR MOTOR OPERATED VLV 1720B PLUGGED lE-7/HR SRV-1721 RELIEF VLV INADVER'l'EN'l' OPEN 3.9E-6/HR MANUJ\L VLV XV2 PLUGGED lE-7/IIR MANUAL VLV XV6 PLUGGED lE-7/IIR Ml\NUJ\L Vl,V XV8 PLUGGED lE-7/IIR MJ\NUAL VLV XV12 PLUGGED lE-7 /HR MJ\HUAL VLV XV15 PLUGGED lE-7 /IIR MANUJ\L VLV XV19 PLUGGED lE-7/IIR MANUAL VLV XV20 PLUGGED lE-7/IIR MANUAL VLV XV24 PLUGGED lE-7/IIR
* Unavail.8 Dist. Source/ Time (Mean) Type EF Comments 1.00E-3 LOG NOR 3 ASEP GEN 1. OOE-3 LOG NOR 3 ASEP GEN 24hr 7.20E-5 LOG NOR 10 ASEP GEN 24hr 7.20E-5 LOG NOR 10 ASEP GEN 24hr 1.40E-4 LOG HOR 10 ASEP GEH 24hr 1. 40E-4 LOG NOR 10 ASEP GEN 24hr 7.20E-4 LOG NOR 10 ASEP GEN 24hr 7.20E-4 LOG NOR 10 ASEP GEN 3.00E-3 LOG NOR 10 ASEP GEN 3.00E-3 LOG NOR 10 ASEP GEN 3.00E-3 LOG NOR 10 ASEP GEN 3.00E-3 LOG HOR 10 ASEP GEN 3.00E-3 LOG NOR 10 ASEP GEN 3.00E-3 LOG NOR 10 ASEP GEN 3.00E-3 LOG NOR 10 ASEP GEN lyr 4.40E-4 LOG NOR 3 ASEP GEN lyr 4. 40E-4 LOG NOR 3 ASEP GEN lyr 4.40E-4 LOG NOR 3 ASEP GEN lyr 4.40E-4 LOG NOR 3 ASEP GEN 24hr 9.36E-5 LOG NOR 10 IEEE 500 lyr 4.40E-4 LOG HOR 3 ASEP GEN lyr 4.40E-4 LOG NOR 3 ASEP GEN lyr 4.40E-4 LOG HOR 3 ASEP GEN lyr 4.40E-:-4 LOG HOR 3 ASEP GEN lyr 4.40E-4 LOG NOR 3 ASEP GEN lyr 4.40E-4 LOG NOR 3 ASEP GEN lyr 4.40E-4 LOG NOR 3 ASEP GEN lyr 4.40E-4 LOG NOR 3 ASEP GEN Event Id RMT-ACT-FA-RMTSA RMT-ACT-FA-RMTSB RMT-CCF-FA-MSCAL RMT-XHE-FO-MAN-A RMT-XHE-FO-MANSl RMT-XHE-FO-MANS2 RW'f-TNK-LF-RWST tf>' c.o I ,j::,. 00 Sl S2 S3 SBO-PORV-DMD SBO-SGSRV-DMD SG'rR-SGADV-DMD SG'l'R-SGADV-ODMD SG'l'R-SGSRV-DMD SGTR-SGSRV-ODMD1 SGTR-SGSRV-0DMD2 SIS-AC'r-FA-SISA SIS-AC'f-FA-SISB SIS-XIIE-FO-MANSl SIS-XIIE-FO-MANS2
* TABLE 4.9-7 (Continued)
BURRY DATA TABLE Event Description NO SIGNAL FROM RMTS ACT TRAIN A NO SIGNAL FROM RM'l'S ACT TRAIN B cc FAIL RMTS DUE TO MISCALIBRA'l'ION OP FAILS TO RECOVER RM'l'S AC'!' FAILURE OP FAILS TO RECOVER RMTS *,AC'!' FAILURE OP FAILS TO RECOVER RM'fS ACT FAILURE INSUF WATER AVAILABLE FM THE RWS'l' MEDIUM LOSS OF COOLANT ACCIDENT SMALL LOSS OF COOLANT ACCIDENT VERY SMALL LOSS OF COOLANT ACCIDENT PER VLV RCS PORV DEMAND PROB DURING SBO SG PORV NUMBER OF DEMANDS DURING SBO SG'rR SG PORV DEMAND DURING SG'l'R SG'l'R SG PORV DEMAND W/0 DEPR~SS SG'l'R SG SRV DEMAND PROB W/PORV BLOCKED SG'l'R SG SRV DMD W/0 DEPRESS/PORV BLOCKED SG'l'R SG SRV DEMAND W/0 DEPRESS NO SIGNAL FROM SIS AC'f TRAIN A NO SIGNAL FROM SIS ACT TRAIN B OP FAILS TO RECOVER SIS ACT FAIL, Sl OP FAILS 'l'O RECOVER SIS ACT FAIL, S2 Failure Rate 1. 6E-3/D 1. 6E-3/D 3E-4/D 6.40E-2/D 6.40E-2/D
: 2. 70E-3/D 2. 7E-6/D lE-3/YR lE-3/YR 1. 3E-2/YR 3.0E-1/D l.00/D 3.0E-1/D 1. 00/0 1.5E-1/D 1.6E-3/D 1. 6E-3/D 2. 7E-3/D 2. 7E-3/D Unavail.B Dist. Source/ Time (Mean) 'l'ype EF Comments 1. 60E-3 LOG NOR 5 ASEP GEN l.60E-3 LOG NOR 5 ASEP GEN 3.00E-4 LOG NOR 10 HRA 6.40E-2 MAX ENTk
* HRA 6.40E-2 MAX ENTk
* HRA 2.70E-3 LOG NOR 10 HRA 2.70E-6 LOG NOR 10 ZION PRA l.OOE-3 LOG NOR 10 ASEP GEN 1. OOE-3 LOG NOR 10 }\SEP GEN 1. 30E".'"2 LOG NOR 10 SECT 4.3.4 4.50E-1 MAX ENTk
* NOTE (C) 9.00E-0 POINT EST NOTE (C) 3.00E-1 MAX ENTk
* NOTE (C) 1.00 MAX ENTk
* NOTE (C) 3.00E-1 MAX EttTk
* NOTE (C) 1.00E-0 MAX ENTk
* NOTE (C) 1. 50E-1 MAX ENTk
* NOTE (C) l.60E-3 LOG NOR 5 ASEP GEN 1. 60E-3 LOG NOR 5 AESP GEN 2.70E-3 LOG NOR 10 HRA 2.70E-3 LOG NOR 10 HRA
* Event Id SLOCA-NRl\CSL-L'f SLOCA-NRJ\CSL-ST SWS-CCF-FT-JABCD SWS-MOV-F'l'-103A SWS-MOV-FT-103B SWS-MOV-FT-l03C SWS-MOV-FT..:.103D If:>. SWS:-MOV-M1\-103A . co SWS-MOV-MA-103B I SWS-MOV-MA-l03C co SWS-MOV-MA-1030 SWS-MOV-PG-104A SWS-MOV-PG-1048 SWS-MOV-PG-l04C SWS-MOV-PG-1040 SWS-MOV-PG-1051\
SWS-MOV-PG-1058 SWS-MOV-PG-105C SWS-MOV-PG-105D SWS-MOV-PG-1061\
SWS-MOV-PG-1068 SWS-XIIE-FO-OPEN SWS-PSF-LF-XCONN TABLE .9-7 (Continued)
BURRY DATA TABLE Failure Event Description, Rate SEAL LOCI\, NON-REC l\C PWR, SEC DPRESS SEAL LOCA, NON-REC AC PWR, NO DPRESS CC FAIL OF SWS !SOL MOVS l03A,B,C,D (SWS-MOV-FT
* BETA-SWMOV) sws MOTOR OP VLV 1031\ FAILS TO OPEN JE-3/D SWS MOTOR OP VLV l03B FAILS TO OPEN JE-3/D sws MOTOR OP VLV l03C FAILS TO OPEN JE-3/D sws MO'rOR OP VLV lOJD FAILS TO OPEN JE-3/D 'l'ES'l' AND MAINT sws MOV 1031\ 2E-4/D 'l'ES'1 1 AND MAINT SWS MOV l03B 2E-4/D '!'EST AND MAINT sws MOV l.03C 2E-4/D TEST AND MAINT sws MOV l03D 2E-4/D sws MOTOR OPER VLV 1041\ PLUGGED lE-7/IIR sws MOTOR OPER VLV l04B PLUGGED lE-7/IIR sws MOTOR OPER VLV 104C PLUGGED lE-7/IIR SWS MOTOR OPER VLV l04D PLUGGED lE-7/IIR SWS MOTOR OPER VLV 1051\ PLUGGED lE-7/IIR sws MOTOR OPER VLV l05B PLUGGED lE-7 /IIR sws MOTOR OPER VLV l05C PLUGGED lE-7/IIR sws MO'l'OR OPER VLV 1050 Pl,UGGED lE-7/IIR SWS MO'l'OR OPER VLV 1061\ PLUGGED lE-7/IIH sws MOTOR OPER VLV l06D PLUGGED lE:-7/IIR OPER FAILS TO OPEN SPRAY IIX MOV 2. 4E-1/D FAUL'l'S IN SWS HEAIJER XCONN 2E-4/D
* Unavail. 8 Dist. Source/ Time (Mean) Type EF Comment.s 9.20E-2 POINT EST NOTE (C) 9.90E-2 POINT EST NOTE (C) 6.JOE-4 NOTES (D,J) 3.00E .. 3 LOG NOR 10 NOTE (J) 3.00E-3 LOG NOR 10 NOTE (J) 3.00E-3 ,LOG HOR 10 NOTE (J) 3.00E-3 LOG NOR 10 NOTE (J) 2.00E-4 LOG NOR 10 ASEP GEN 2.00E-4 LOG NOR 10 ASEP GEN 2.00E-4 LOG HOR 10 ASEP GEN 2.00E-4 LOG NOR 10 ASEP GEN lBrno 6.50E-4 LOG NOR 3 ASEP GEN 18mo 6.50E-4 LOG NOR 3 ASEP GEN 18rno 6.50E-4 LOG NOR 3 ASEP GEN 18rno 6.50E-4 LOG NOR 3 ASEP GEN 18mo 6.50E-4 LOG NOR 3 ASEP GEN l8mo 6.50E-4 LOG HOR 3 ASEP GEN lBmo 6.50E-4* LOG NOR 3 ASEP GEN 18mo 6.50E-4 LOG NOR 3 ASEP GEN l8mo 6.50E-5 LOG NOR 3 ASEP GEN lOmo 6.50E-5 LOG NOR 3 ASEP GEN 2.40E-1 POINT EST HRA 2.00E-4 LOG NOR 3 NOTE (C)
Event Id* SWS-XVM-PG-37U2 SWS-XVM-PG-39U2 SWS-XVM-PG-XV33 SWS-XVM-PG-XV35 SWS-XVM-PG-XV37 SWS-XVM-PG-XV39 T 'l'l T2 'f" TJ c.c T5A I T5B <:Jl 0 T7 'l'N UNIT2-LOW-POWER V-'l'RJ\IN-1 V-TRAIN-2 V-TRAIN-3 z Zl TABLE 4.9-7 (Continued)
BURRY DATA TABLE Failure Event Descr~ption Rate MANUAL VLV XVJJ PLUGGED lE-7/IIR MANUAL VLV XV39 PLUGGED lE-7/IIR MANUAL VLV XV33 PLUGGED lE-7/HR MANUAL VLV XV35 PLUGGED lE-7/IIR MANUAL VLV XV37 PLUGGED lE-7/IIR MANUAL VLV XV39 PLUGGED lE-7/IIR FULL PWR XIENT EVEN'f REQUIRING RX SCRAM 6.6E-O/YR LOSS OF OFFSI'l'E POWER 7.7E-2/YR LOSS OF MAIN FEEDWATER 9.4E-1/YR
'!'URBINE
'l'RIP WI'l'H MAIN FEEDWATER AVAIL 7.JE-0/YR LOSS OF DC BUS lA 5E-3/YR LOSS OF DC BUS 18 5E-3/YR STEAM GENERATOR TUBE RUPTURE lE-2/YR HIGH PWR XIENT EVENT REQUIRING RX SCRAM 5.9E-U/YR UNIT 2 LESS '!'HAN 10% PWR PRIOR TO IE I N'l'ERF ACING LOCJ\ FM RCS LOOP 1 TO LPI 4.0E-7/YR IN'l'ERFACING LOCA FM RCS LOOP 2 'l'O LPI 4.0E-7/YR INTERFACING LOCA FM RCS LOOP 3 'l'O LPI 4.0E-7/YR UNFAVORABLE MODERATOR
'I'EMP COEFFICIEN'l'
: 1. 4E-2/D VERY LOW MODERATOR TEMP COEFFICIENT 5.0E-1/D Unavail.B Dist. Source/ 'l'irne (Mean) Type EF Comments lrno 4.00E-5 LOG NOR 3 ASEP GEN lrno 4.00E-5 LOG NOR 3 ASEP GEN lrno 4.00E-5 LOG NOR 3 ASEP GEN lmo 4.00E-5 LOG NOR 3 ASEP GEN lrno 4.00E-5 LOG NOR 3 ASEP GEN lrno 4.00E-5 LOG NOR 3 ASEP GEN 6.GOE-0 LOG NOR 3 NUREG-3862 7.70E-2 SPECIAL -NUREG-5032 9.40E-1 LOG HOR 3 NUREG-3862 7.JOE-0 LOG NOR 3 NUREG-3862 5.00E-3 LOG NOR 10 ASEP GEN 5.00E-3 LOG NOR 10 ASEP GEN l.OOE-2 LOG NOR 5 SECT 4.3.4 5.90E-O LOG NOR 3 NUREG-3862 3.50E-l POINT EST PSD 4.0E-7 POINT EST NOTE (G) 4.0E-7 POINT EST NOTE (G) 4.0E-7 POINT EST NOTE (G) 1. 40E-2 LOG NOR 7 SECT 4.4.11 5.00E-1 MAX ENTk* SECT 4.4.11
NOTES TO SURRY DATA TABLE
A. Abbreviations used in the Surry Data Table:
ACT = Actuation
AOV = Air Operated Valve
ASEP GEN = ASEP Generic Data, Reference 3
BKFLW = Backflow
BRKR = Breaker
CC(F) = Common Cause (Failure)
CKT = Circuit
CLS = Close
COND = Main Condenser
CONT = Containment
COOL = Cooling
CST = Condensate Storage Tank
CV = Check Valve
D = Demand
DEP = Dependent
DG = Diesel Generator
DISCH = Discharge
DIST = Distribution
DMD = Demand
DPRESS = Depressurize
EF = Error Factor
FD/BLD = Feed and Bleed Cooling
FLS = Fails
FM = From
HR(S) = Hour(s)
HRA = Human Reliability Analysis, Section 4.8
HW = Hardware
IE = Initiating Event
IEEE 500 = IEEE Standard 500-1984, Ref. 15
INSUF = Insufficient
INVTR = Inverter
IREP = Interim Reliability Evaluation Program Procedures Guide, Ref. 14
ISOL = Isolation
LOCA = Loss of Coolant Accident
LOG NOR = Log Normal Distribution
LOSP = Loss of Off-site Power
MAINT = Maintenance
MAN = Manual
MDP = Motor Driven Pump
MN = Main
MO = Month
MOV = Motor Operated Valve
NUREG-3862 = NUREG/CR-3862, Ref. 12
NUREG-5032 = NUREG/CR-5032, Ref. 13
OP = Operator
OPN = Open
PMP = Pump
PORV = Power Operated Relief Valve
PROB = Probability
PSD = Plant Specific Data (App. D.6)
PWR = Power
REC = Recovery
RECIRC = Recirculation
RECOVERY = Recovery Analysis, Sec. 4.10.3
RP = Rupture
RX = Reactor
SBO = Station Blackout
SEC = Secondary
SECT = Section
SG = Steam Generator
SGTR = Steam Generator Tube Rupture
SIG = Signal
SRV = Safety Relief Valve
STA = Station
STM = Steam
TDP = Turbine Driven Pump
TM = Test and Maintenance
TRN = Train
U1 = Unit 1
U2 = Unit 2
UNAVAIL = Unavailable
VLV = Valve
W/IN = Within
W/O = Without
XCONN = Cross Connect
XFERS = Transfers
XFORMER = Transformer
XIENT = Transient
YR = Reactor-Year
ZION = Zion Probabilistic Safety Study, Reference 8
NOTES TO SURRY ~ATA TABLE (Continued)
B. Unavailabilities were calculated from failure rates as follows: For Time intervals in hours: Unavailability=
Failure Rate* Time. For Time intervals in other than hours (weeks, months, years): Unavailabilty
= 1/2 (Failure Rate* Time). c. A derived value. See Appendix D.6 for the derivation.
D. The common cause unavailability is listed here. It is calculated from the BETA factor and basic failure rates as shown. The uncertainty analysis used the distribution type and error factor associated with the BETA factor and the basic event when events were correlated.
E. The probability of Emergency Core Cooling system's failure due to containment failure is obtained through analysis of the containment event tree. This event was included in the core vulnerable sequence cut sets and represents event tree heading CV. See Appendix A.1 for the derivation.
F. Plant specific data was reviewed concerning Charging Pump Cooling (CPC) strainers. The resultant CPC strainer rate was determined to be equal to the generic failure rate. However, a plant specific BETA of 2.63E-1 was calculated for common cause failure of CPC strainers 2A and 2B. See Appendix D.6 for details.
G. Point estimate derived from expert elicitation on interfacing loss of coolant accidents.
H. Internal elicitation on relief valve demand probabilities during transients.
I. Complementary probability (point estimate).
J. Plant specific data was reviewed concerning Service Water motor operated valves (MOVs). The resultant Service Water MOV failure rate was determined to equal the generic MOV failure rate. However, a plant specific BETA of 2.1E-1 was calculated for common cause failure of SWS-MOV-103A, B, C, and D. See Appendix D.6 for details.
K. Maximum entropy distribution with a lower bound of one-tenth the failure rate and an upper bound of 1.0, or ten times the failure rate, whichever is lower.
L. External event used to "switch" on and off portions of a fault tree.
M. Reactor Coolant Pump seal loss of coolant accident leak rates, start time of the leak, probabilities and distributions were determined by elicitation of an expert panel. See Appendix D.5 for details.
4.10 Accident Sequence Quantification

4.10.1 General Approach

The accident sequences that result in core damage at the Surry nuclear station are identified by the event trees in Section 4.4. The quantification process for each accident sequence is discussed in this section. The sequences were quantified by combining the Boolean equations derived from the system models, using the event tree logic structure associated with the particular sequence. The resultant equations were reduced to the form of minimal cut sets. System successes were explicitly included in the sequence logic. The sequence minimal cut sets were quantified using the point estimates of mean values for event failure probabilities.

The process was performed in five major steps.
* Solution and quantification of individual event models
* Quantification of partial sequences
* Quantification of full sequences
* Sequence recovery
* Final quantification

The first step consisted of generation and quantification of the cut set equations for individual events. These events correspond to the event tree headings. Most of the events are top events on the fault trees, but some are Boolean equations. The support systems were merged with the front line system and a fault tree equation was generated for the top event. This equation was truncated on a cut set probability of 1E-10. (Note, this does not include an initiation frequency.) No cut sets were truncated on order.

Systems represented by black box models were quantified independently. Black box models were used for single events where the system unavailability is from an established data base. A system represented by a black box model does not share any dependencies with other systems in the accident sequence quantification and can be directly incorporated into every sequence cut set.

The next step included quantification of partial sequence expressions to determine whether any sequences could be eliminated from further quantification. This elimination was determined based on a screening value of 1E-7/yr for non blackout sequences and 1E-9/yr for station blackout sequences. If a partial sequence quantification could be shown to result in a frequency of less than 1E-7, all sequences containing this subsequence were eliminated from further analysis. Partial quantification also served to provide interim products for full sequence quantification. The partial quantifications were truncated at .5E-10 cut set probability.

The next step was complete quantification of all sequences, including the initiating event frequency. This quantification was truncated at .5E-10. Those sequences less than 1E-7 (1E-9 for blackout sequences) at this juncture were classified as non-dominant and no further analysis was performed on them. For those sequences above 1E-7, recovery actions were added on a cut set or sequence level, as applicable. The sequences were then requantified. Station blackout sequences were combined into eight groups. Those sequences with frequency above 1E-7 at this point in the quantification were included in the dominant accident sequences.
The dominant sequences were then quantified using TEMAC to determine the frequency distribution of each sequence and the total core damage model.

The following sections discuss the sequence quantification process, list the sequences quantified, and identify plant specific quantification issues, such as probability cutoff values and recovery factors.

4.10.2 Identification of Sequences Analyzed

The quantification of accident sequences was performed using a three-stage approach, building upon small quantification efforts until recovered sequences (where necessary) were quantified. As discussed above, the individual system models were initially quantified. This process was performed with the support system (e.g., electrical power, cooling, etc.) models linked into the appropriate front-line system models to give the system minimal cut sets. A probability cutoff or truncation value of 1E-10 was used for the single system quantification. All cut sets greater than 1E-10 were retained at this point. The system minimal cut sets were then reviewed for accuracy as a quality assurance check.

Next, these system models were linked together using the SETS computer code (49) to form portions of entire accident sequences. The event trees shown in Section 4.4 were used to define which systems were combined. The event trees were also used to explicitly account for successes of certain systems when forming these partial sequence Boolean equations. Additionally, depending on the sequence under consideration, certain failures were precluded based on the sequence definition. An example of this would be quantification of AFW in a station blackout accident. In linking the AFW model to the electric power model, diesel generator failure probabilities were set to 1.0, thus failing the motor-driven pumps. In this particular sequence, AFW operation is dependent on the turbine-driven pump success.

Mean data values were applied to the basic events. Until the final quantification, only point estimates of sequence frequencies were calculated, based on the propagation of mean values. The mean value was not calculated for the sequences until the final quantification step (i.e., for those sequences that passed all the quantification screening steps).

In doing the partial sequence quantifications, the portion of the sequence expression that was chosen to be initially quantified was not arbitrarily selected. Generally, that portion of the accident sequence expression was the same for several of the sequences chosen. In the cases of similar sequences which differed only due to the initiating event, and the capabilities of the systems involved were not impacted by the initiating event, one sequence quantification was performed and the frequency of the other sequence was derived by using the ratio of the initiating event frequencies. These partial sequence expressions were then examined to determine if the resulting total frequency was 1E-7 or greater, once the initiator frequency (which can be greater than 1.0) and any "black box" model constants were included with the expression. This process assumed that any remaining system failures occurred with a probability of 1.0. Any of the partial sequences that could be shown to result in a frequency lower than 1E-7 were eliminated from further analysis.

In addition to combinations of systems that were frequently repeated in the event trees, sequences involving failure of two systems which included common interfaces or dependencies were also chosen for initial quantification. The rationale in these cases is that dependencies between two or more systems can often cause the sequence frequency to be comparable to single system frequencies.
An example of partial sequence quantification is shown by the combination of the AFW (L) and LPR (H1) systems. The partial sequence combination of LH1 occurs in several sequences where AFW fails, feed and bleed succeeds in the injection phase, but recirculation from the sump fails to provide long term cooling.

Sequence Number | Sequence Boolean Equation
T2-6 | T2*/K*/Q*L*/D2*/P*/CS*H1
T3-7 | T3*/K*/Q*L*M*/D3*/D2*/P*/CS*H1
S2-13 | S2*/K*/D1*L*/P1*/CS*H1
S3-8 | S3*/K*/D1*Qc*L*/OD*/W3*H1

After quantifying L*H1 initially, a hand calculation including the initiating event and constants was performed to evaluate whether further quantification was necessary. This hand calculation assumed all other systems fail with a probability of 1.0. In this example, L-H1 was quantified to be 4.7E-7. A frequency for T2-L-H1 of 4.4E-7 was then calculated (0.94 * 4.7E-7). At this point, sequence T2LH1 was retained. Similarly, T3LMH1 was calculated, including the "black box" constant for M. T3LMH1 equaled 1E-8 and was eliminated.
Two areas of caution must be noted in partial sequence quantification to ensure that sequences are not screened out in error. First, the sequence with the longest mission time for each system involved should be used. From the example above, L had a mission time of 24 hours in T2, T3, and S3, but 6 hours in S2. The mission time for H1 was shorter for T2. Partial sequence quantification was done with an L mission time of 24 hours and an H1 mission time of 24 hours, to ensure that none of the "fail to run" cut sets were lost. Additionally, using ratios of initiating events applies only to initiating events independent of the systems involved. From the example above, the loss of offsite power and loss of DC bus initiators (T1LH1, T5ALH1, and T5BLH1) had to be quantified separately to account for the effect of the initiators on the systems.

The second area of caution is in combining system models that contain operator errors. The resultant equation will have cut sets which contain multiple human errors. Multiplying human error probabilities together independently may underestimate the overall operator error for a single sequence.

Event CS, from the event trees, is failure of the containment systems. It represents either the combination of CSS and ISR (C-F1) or ISR and OSR (F1-F2). During the partial sequence quantification, both combinations were quantified. Since F1-F2 was nearly two orders of magnitude higher than C-F1, the failure probability and cut sets of event CS were assumed to be the F1-F2 combination during the initial screening.
Truncation of sequence equations based on cut set frequency and cut set order is commonly done during the accident sequence quantification in order to reduce the sequence cut sets to a manageable level while retaining the major contributors to sequence frequency. In the Surry accident sequence quantification, no sequence equation truncation on cut set order was performed. Sequence equations were truncated on cut set frequency. Sequence cut sets whose frequency was less than 5.0E-10 were discarded from the sequence equation. Based on the results of the initial sequence quantifications, these cutoff values were determined to be acceptable.
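The combination, truncation and screening steps described above, as an added Python illustration (not code from the report, which used the SETS code). The basic-event names, their probabilities and the two toy cut set lists are constructed; the 5.0E-10 truncation value, the 1E-7 screening value, and the L-H1 = 4.7E-7 and 0.94 figures are from the text.

```python
from itertools import product
from math import prod

SEQUENCE_CUTOFF = 5.0e-10   # sequence cut sets below this are discarded (text)
SCREENING_VALUE = 1.0e-7    # per-year screening value, non-blackout (text)

# Constructed basic-event probabilities (illustrative only).
P = {
    "AFW-CCF": 1.0e-4,      # common cause failure of the AFW pumps
    "AFW-TDP": 3.0e-2,      # turbine driven pump fails
    "AC-BUS-H": 1.0e-4,     # support-system event shared by both systems
    "LPR-CCF": 2.0e-4,
    "LPR-PMP-A": 3.0e-3,
    "LPR-PMP-B": 3.0e-3,
}

# Constructed minimal cut sets for AFW (L) and LPR (H1).
L_CUT_SETS = [frozenset({"AFW-CCF"}), frozenset({"AC-BUS-H", "AFW-TDP"})]
H1_CUT_SETS = [
    frozenset({"LPR-CCF"}),
    frozenset({"AC-BUS-H", "LPR-PMP-B"}),
    frozenset({"LPR-PMP-A", "LPR-PMP-B"}),
]


def cut_set_probability(cut_set, p):
    """Point estimate of one cut set: product of its basic-event means."""
    return prod(p[event] for event in cut_set)


def minimize(cut_sets):
    """Boolean absorption: drop any cut set that contains a smaller one."""
    minimal = []
    for cs in sorted(set(cut_sets), key=len):
        if not any(kept <= cs for kept in minimal):
            minimal.append(cs)
    return minimal


def combine(system_a, system_b):
    """AND two system equations. Set union applies X*X = X, so an event
    shared by both systems is counted once, not squared."""
    return minimize(a | b for a, b in product(system_a, system_b))


def truncate(cut_sets, p, cutoff):
    """Keep cut sets at or above the cutoff; no truncation on order."""
    return [cs for cs in cut_sets if cut_set_probability(cs, p) >= cutoff]


def rare_event_sum(cut_sets, p):
    """Sum of cut set point estimates (rare-event approximation)."""
    return sum(cut_set_probability(cs, p) for cs in cut_sets)


def screen(partial_value, initiator_frequency, black_box=1.0):
    """Hand calculation from the text: every system not in the partial
    expression is assumed to fail with probability 1.0."""
    frequency = initiator_frequency * black_box * partial_value
    return frequency, frequency >= SCREENING_VALUE


if __name__ == "__main__":
    sequence = combine(L_CUT_SETS, H1_CUT_SETS)
    kept = truncate(sequence, P, SEQUENCE_CUTOFF)
    dependent = rare_event_sum(kept, P)
    naive = rare_event_sum(L_CUT_SETS, P) * rare_event_sum(H1_CUT_SETS, P)
    print(f"{len(sequence)} minimal cut sets, {len(kept)} kept after truncation")
    print(f"L*H1 with shared event: {dependent:.3e}  naive product: {naive:.3e}")
    print("constructed L*H1 at 0.94/yr:", screen(dependent, 0.94))
    print("report's L-H1 = 4.7E-7 at 0.94/yr:", screen(4.7e-7, 0.94))
```

With the constructed data, the shared support event makes the combined value larger than the product of the two system unavailabilities, which is the dependency effect the text gives as the reason for quantifying such pairs first.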
The result of the above step-by-step process was identification of those sequences with core damage frequencies of 1E-7 or greater after the initial quantification.
Table 4.10-1 lists the accident sequences eliminated and retained at this point in the quantification 4.10-3 Accident Sequence '1'1 LH2 T 1 LH 1 T 1 LCsll 2 T1LCsCv T 1 LP T 1 LD 2 Sequence Number Tl-3 Tl-5 Tl-6 Tl-B Tl-9 'l'l-10 'l'l-11 Tl-12 T 1 Q: Tl-13 *r 1 QH 1 S2-2 'l'l-14 TABLE 4.10-1 ACCIDENT SEQUENCES QUANTIFIED BEFORE RECOVERY Sequence Boolean Equation lmnual Sequence Frequency Expression Quantified Tl*/K*/Q*/L*D3*W LOSS OF OFFSITE POWER 2.0E-06 All 'l'l * /K* /Q* L* /D2 * / P* /CS* /Ill *112 Tl*/K*/Q*L*/D2*/P*/CS*Hl 7.GE-08 9.6E-OB Tl*/K*/Q*L*/D2*/P*CS*/CV*/Hl*H2 NA 'l'l * /K*/Q*L* /D2 * /P*CS* /CV*lll Tl*/K*/Q*L*/D2*/,P*CS*CV Tl*/K*/Q*L*/D2*P
'fl*/K*/Q*L*D2 NA 3.BE-10 2.GE-06 1. 9E-06 All All All All All 'l'R.l\NSFER TO SMALL LOSS OF COOLAN'l' ACCIUEN'l' (S2) '1'1*/K*Q*/Dl*/L*/CS*/OD*lll
: 1. JE-08 All Sequence Comments/Source Eliminated Of Information No Yes Yes Yes Yes Yes No No Yes Reactor Coolant Pump (RCP) seal vulnerable.
Subset of T 1 LH 2 which is <lE-7. Subset of T 1 LH 1 which is <lE-7. All other nations with S will be below this. 'l'R.l\NSFER
'l'O AN'l'ICIPA'l'ED
'l'RANSIEN'l' WI'l'HOU'l' SCRAM (A'l'WS) 
TABLE 4.10-1 (Continued)
ACCIDENT SEQUENCES QUANTIFIED BEFORE RECOVERY
Accident Sequence | Sequence Number | Sequence Boolean Equation | Annual Sequence Frequency | Expression Quantified | Sequence Eliminated | Comments/Source Of Information
STATION BLACKOUT (SBO)
SBO-BATT (UNIT 1 ONLY): | | | 1.2E-05 | All | No |
T1S-NR7 | T1S-3 | T1*/Q*/QS*/L*/W2*NR7 | 8.5E-06 | All | No |
T1S-W2-NR7 | T1S-5 | T1*/Q*/QS*/L*W2*/O*/SL*NR7 | 4.7E-07 | All | No |
T1S-W2-O-NR7 | T1S-9 | T1*/Q*/QS*/L*W2*O*/SL*NR7 | 2.2E-08 | All | No |
T1S-QS-NR7 | T1S-14 | T1*/Q*QS*/L*/W2*NR7 | 3.1E-06 | All | No |
T1S-QS-W2-NR7 | T1S-16 | T1*/Q*QS*/L*W2*/SL*NR7 | 1.9E-07 | All | No |
SBO-SLOCA (UNIT 1 ONLY): | | | 4.8E-06 | All | No |
T1S-W2-SL-NRS | T1S-7 | T1*/Q*/QS*/L*W2*/O*SL*NRS | 3.3E-06 | All | No |
T1S-W2-O-SL-NRS | T1S-11 | T1*/Q*/QS*/L*W2*O*SL*NRS | 1.9E-07 | All | No |
T1S-QS-W2-SL-NRS | T1S-18 | T1*/Q*QS*/L*W2*SL*NRS | 1.3E-06 | All | No |
SBO-L (UNIT 1 ONLY): | | | 5.0E-05 | All | No |
T1S-L | T1S-12 | T1*NRAC-HALFHR*/Q*/QS*L | 4.1E-06 | All | No |
T1S-QS-L | T1S-19 | T1*NRAC-HALFHR*/Q*QS*L | 4.6E-05 | All | No |
.;:. . ,.... 0 I O') TABLE 4.10-1 (Continued)
ACCIDENT SEQUENCES QUANTIFIED BEFORE RECOVERY Accident Sequence Sequence Number Sequence Boolean Equation Tl*NRAC-HALFHR*Q*/QS*L T 1 s-Q-QS-L TlS-25 Tl*NRAC-HALFHR*Q*QS*L SBO-Q (UNI'l'l ONLY) : T 1 s-Q-NR1 TlS-21 Tl*Q*/QS*/L*NRl T -Q-QS-NRl . lS TlS-24 'l'l*Q*QS*/L*NRl SB0-BATT2 (UNITS 1 AND 2): T 1 s-NR7 TlS-3 Tl*/Q*/QS*/L*/O*/SL*NR7 T 1 s-O-NR7 TlS-7 T 1 s-QS-NR7 TlS-12 Tl*/Q*/QS*/L*O*/SL*NR7 Tl*/Q*QS*/L*/SL*NR7 SBO-SLOc;b.LillNI'l'S 1 AND~: T 1 s-SL-NRS TlS-5 Tl*/Q*/QS*/L*/O*SL*NRS T 1 s-O-SL-NRSTlS-g Tl*/Q*/QS*/L*O*SL*NRS Annual Sequence Frequency 8.lE-08 <5E-10 2.lE-06 1.5E-06 5.7E-07 5.lE-07 3.4E-07 1. 4E-08 l.6E-07 3.JE-06 2.JE-06 l.2E-07 Expression Quantified All All All All All All All All All All All All Sequence Comments/Source Eliminated Of Information No Retained, tial important risk contributor due to station blackout.
Yes No cut sets were retained using a 5E-10 truncation value
* No No No No No No No No No No See TlS-22 comment. See TlS-22 comment.
* TABLE 4.10-1 (Continued)
ACCIDENT SEQUENCES QUANTIFIED BEFORE RECOVERY Accident.
Sequence Sequence Number Sequence Boolean Equation Annual Sequence Frequency Expression Sequence Comments/Source Quantified Eliminated Of Information T 1 s-QS-SL-NRS TlS-14 Tl*/Q*QS*/L*SL*NRS SB0-L2 (UNITS 1 AND 2): T 1 s-L 'l'lS-10 Tl*NRAC-HALFHR*/Q*/QS*L TlS-15 T 1 s-Q-L TlS-18 T1s-Q-QS-L TlS-21 Tl*NRAC-HALFHR;*/Q*QS*L Tl*NRAC-HALFHR*Q*/QS*L Tl*NRAC-HALFHR*Q*QS*L SB0-Q2 (UNITS 1 1\ND 2): T 1 s-Q~NR1 TlS-17 Tl*Q*/QS*/L*NRl T 1 s-Q-QS-NR1 TlS-20 'l'l*Q*QS*/L*NRl LOSS OF T 2 D 3 W '1'2-3 T2*/K*/Q*/L*D3*W T 2 LH 2 T2-5 T2 * /K* /Q*L*/D2 */P* /CS* /Ill *112 T 2 LH 1 T2-6 T2*/K*/Q*L*/D2*/P*/CS*Hl B.9E-07 6.JE-06 7.JE-07 5.6E-06 l.5E-08 <5E-10* 3.9E-07 2.9E-07 l.OE-07 MAIN FEEDWATER l.9E-09 2.4E-08 4.4E-07 T 2 Lc 8 H 2 'r2-8 'r2 */K* /Q*L* /D2 * /P*CS* /CV*/111 *112 NA All All All All All All 1\11 All All Partial All All No No No No No Yes No No No Yes Yes No See TlS-22 comment. See TlS-25 comment. See TlS-22 comment. RCP Seal vulnerable.
PDS for T 2 LH 2*
TABLE 4.10-1 (Continued)
ACCIDENT SEQUENCES QUANTIFIED BEFORE RECOVERY
Accident Sequence | Sequence Number | Sequence Boolean Equation | Annual Sequence Frequency | Expression Quantified | Sequence Eliminated | Comments/Source Of Information
T2LCsH1 | T2-9 | T2*/K*/Q*L*/D2*/P*CS*/CV*H1 | NA | | | PDS for T2LH1.
T2LCsCv | T2-10 | T2*/K*/Q*L*/D2*/P*CS*CV | 3.6E-09 | All | Yes |
T2LP | T2-11 | T2*/K*/Q*L*/D2*P | 2.2E-05 | All | No |
T2LD2 | T2-12 | T2*/K*/Q*L*D2 | 2.0E-05 | All | No |
T2Q: | T2-13 | TRANSFER TO S2
T2QH1 | S2-2 | T2*/K*Q*/D1*/L*/CS*/OD*H1 | 1.7E-08 | All | No | See T1-13 comment.
T2QD1 | S2-19 | T2*/K*Q*D1 | 1.2E-08 | All | Yes |
T2K | T2-14 | TRANSFER TO ATWS
MAIN TURBINE TRIP WITHOUT LOSS OF MAIN FEEDWATER
T3D3W | T3-3 | T3*/K*/Q*/L*D3*W | 1.5E-08 | All | Yes | RCP Seal vulnerable.
T3LMH2 | T3-6 | T3*/K*/Q*L*M*/D3*/D2*/P*/CS*/H1*H2 | 5.5E-10 | All | Yes |
T3LMH1 | T3-7 | T3*/K*/Q*L*M*/D3*/D2*/P*/CS*H1 | 1.0E-08 | All | Yes |
T3LMCsH2 | T3-9 | T3*/K*/Q*L*M*/D3*/D2*/P*CS*/CV*/H1*H2 | NA | | | PDS for T3LMH2.
T3LMCsH1 | T3-10 | T3*/K*/Q*L*M*/D3*/D2*/P*CS*/CV*H1 | NA | | | PDS for T3LMH1.
T3LMCsCv | T3-11 | T3*/K*/Q*L*M*/D3*/D2*/P*CS*CV | 1.0E-10 | Partial | Yes |
T3LMP | T3-12 | T3*/K*/Q*L*M*/D3*/D2*P | 4.4E-07 | All | No |
T3LMD2 | T3-13 | T3*/K*/Q*L*M*/D3*D2 | 4.5E-07 | All | No |
T3LMD3 | T3-14 | T3*/K*/Q*L*M*D3 | 8.8E-10 | All | Yes |
T3Q: | T3-15 | TRANSFER TO S2
T3QH1 | S2-2 | T3*/K*Q*/D1*/L*/CS*/OD*H1 | 1.3E-07 | All | No |
T3QD1 | S2-19 | T3*/K*Q*D1 | 9.5E-08 | Partial | Yes | See T1-13 comment.
T3QODH1 | S2-5 | T3*/K*Q*/D1*/L*/CS*OD*H1 | 2.8E-09 | Partial | Yes |
T3K | T3-16 | TRANSFER TO ATWS
LOSS OF DC BUS
Loss of DC Bus 1A:
T5AD3W | T5-3 | T5A*/K*/Q*/L*D3*W | <5E-10 | All | Yes | RCP Seal vulnerable.
T5ALH2 | T5-5 | T5A*/K*/Q*L*/D2*/P*/CS*/H1*H2 | <5E-10 | Partial | Yes | See T1S-25 comment.
T5ALH1 | T5-6 | T5A*/K*/Q*L*/D2*/P*/CS*H1 | 7.6E-08 | Partial | Yes |
T5ALCsH2 | T5-8 | T5A*/K*/Q*L*/D2*/P*CS*/CV*/H1*H2 | NA | | | PDS for T5ALH2.
T5ALCsH1 | T5-9 | T5A*/K*/Q*L*/D2*/P*CS*/CV*H1 | NA | | | PDS for T5ALH1.
T5ALCsCv | T5-10 | T5A*/K*/Q*L*/D2*/P*CS*CV | 8.4E-11 | All | Yes |
T5ALP | T5-11 | T5A*/K*/Q*L*/D2*P | 3.8E-06 | All | No |
T5ALD2 | T5-12 | T5A*/K*/Q*L*D2 | 2.5E-07 | All | No |
,i::,. ' ,..... 0 I ,..... 0 Accident Sequence Loss of T5aD3W T5aLH2 T5aLH1 T5aLCsH2 T5aLCsH1 T5aLCsCv T 58 LP T5aLD2 DC Sequence Number T5-14 Bus 18: T5-3 T5-5 '1'5-6 T5-8 T5-9 T5-10 T5-ll '1'5-12 '1'5-13 T5BQ: '1'50Qll1 S2-2 T50K T5-14
* TADLE 4.10-1 (Continued)
ACCIDENT SEQUENCES QUANTIFIED BEFORE RECOVERY Sequence Boolean Equation 'l'RANSFER
'l'O S2 T5A*/K*Q*/D1*/L*/CS*/00*H1 TRANSFER TO ATWS T5B*/K*/Q*/L*D3*W T5B*/K*/Q*L*/D2*/P*/CS*/H1*H2 T5B*/K*/Q*L*/D2*/P*/CS*H1 Annual Sequence J:'requency 7.2E-09 <5E-10 <5E-10 7.6E-08 T5B*/K*/Q*L*/D2*/P*CS*/CV*/ll1*ll2 NA T5B*/K*/Q*L*/D2~/P*CS*/CV*H1 NA T5B*/K*/Q*L*/D2*/P*CS*CV 8.4E-ll T5B*/K*/Q*L*/D2*P 3.BE-06 T5B*/K*/Q*L*D2 2.7E-07 'l'R.l\NSFER
'l'O S2 T5B*/K*Q*/D1*/L*/CS*/OD*ll1
<5E-10 TRANSFER TO ATWS Expression Quantified Partial All Partial Partial All All All Partial Sequence Comments/Source Eliminated Of Information Yes See Tl-13 comment. Yes RCP Seal vulnerable.
Yes See TlS-25 comment. Yes PDS for T5BLll2. PDS for T5sLll1* Yes No No Yes See Tl-13 comment. 
':'" ..... 0 I ..... ..... Accident Sequence T7Qll1 T7QQS T7QQsH1 T700Qs T70oQll2 T70oQll1 T70oQQS T7L3 T7D1Qs T7D1Q T7D10D T7D1L3 T 7 K Sequence Number T7-4 T7-5 T7-6 T7-8 T7-10 T7-11 '1'7-12 T7-13 T7-16 T7-17 T7-18 '1'7-19 T7-20
* TABLE 4.10-1 (Continued)
ACCI,DENT SEQUENCES QUANTIFIED BEFORE RECOVER! Sequence Boolean Equation Annual Sequence Frequency Expression Sequence Comments/Source Quantified Eliminated Of Information STEAM GENERATOR TUBE RUPTURE (SGTR) T7*/K*/D1*/L3*/0D*Q*/QS*ll1 T7*/K*/D1*/L3*/0D*Q*QS T7*/K*/D1*/L3*/0D*Q*QS*H1 T7*/K*/D1*/L3*0D*/Q*QS T7*/K*/D1*/L3*0D*Q*/QS*/111*112 T7*/K*/D1*/L3*0D*Q*/QS*H1 T7*/K*/D1*/L3*0D*Q*QS
'l'7*/K*/D1*L3 T7*/K*D1*/L3*/0D*/Q*QS T7*/K*D1*/L3*/0D*Q T7*/K*D1*/L3*0D
'r7*/K*D1*L3 T7*K (ATWS) 2.6E-09 1. 7E-08 3.4E-11 6.2E-04 1. BE-10 7.5E-10 7.9E-07 2.9E-06 1.4E-07 7.lE-09 3.7E-06 4.lE-09 6.0E-07 All All All All All All All All All All All All All Yes Yes Yes No Yes Yes No No No Yes No Yes No Evaluated ly, Does not fer to the ATWS tree.
TABLE 4.10-1 (Continued)
ACCIDENT SEQUENCES QUANTIFIED BEFORE RECOVERY
Accident Sequence | Sequence Number | Sequence Boolean Equation | Annual Sequence Frequency | Expression Quantified | Sequence Eliminated | Comments/Source Of Information
LARGE LOSS OF COOLANT ACCIDENT (A LOCA)
AH1 | A-2 | A*/D5*/D6*/CS*H1 | 7.0E-07 | All | No |
ACsH1 | A-4 | A*/D5*/D6*CS*/CV*H1 | NA | | | PDS for AH1.
ACsCv | A-5 | A*/D5*/D6*CS*CV | 6.8E-09 | All | Yes |
AD6 | A-6 | A*/D5*D6 | 4.7E-07 | All | No |
AD5 | A-7 | A*D5 | 8.5E-07 | All | No |
MEDIUM LOSS OF COOLANT ACCIDENT (S1 LOCA)
S1H1 | S1-2 | S1*/D1*/D5*/CS*/D6*H1 | 1.4E-06 | All | No |
S1D6 | S1-3 | S1*/D1*/D5*/CS*D6 | 9.4E-07 | All | No |
S1CsH1 | S1-5 | S1*/D1*/D5*CS*/CV*/D6*H1 | NA | | | PDS for S1H1.
S1CsD6 | S1-6 | S1*/D1*/D5*CS*/CV*D6 | NA | | Yes | PDS for S1D6.
S1CsCv | S1-7 | S1*/D1*/D5*CS*CV | 1.5E-08 | All | Yes |
S1D5 | S1-8 | S1*/D1*D5 | 2.2E-09 | All | Yes |
S1D1 | S1-9 | S1*D1 | 9.5E-07 | All | No |
SMALL LOSS OF COOLANT ACCIDENT (S2 LOCA)
S2H1 | S2-2 | S2*/K*/D1*/L*/CS*/OD*H1 | 1.6E-06 | All | No |
S2ODH2 | S2-4 | S2*/K*/D1*/L*/CS*OD*/H1*H2 | 9.3E-09 | All | Yes |
S2ODH1 | S2-5 | S2*/K*/D1*/L*/CS*OD*H1 | 3.0E-08 | All | Yes |
S2CsH1 | S2-7 | S2*/K*/D1*/L*CS*/OD/CV*H1 | NA | | | PDS for S2H1.
S2CsODH2 | S2-9 | S2*/K*/D1*/L*CS*OD*/H1*H2 | NA | | | PDS for S2H2.
S2CsODH1 | S2-10 | S2*/K*/D1*/L*CS*OD*H1 | NA | | | PDS for S2ODH1.
S2LH2 | S2-12 | S2*/K*/D1*L*/P1*/CS*/H1*H2 | 2.6E-11 | All | Yes |
S2LH1 | S2-13 | S2*/K*/D1*L*/P1*/CS*H1 | 5.4E-10 | All | Yes |
S2LCsH2 | S2-15 | S2*/K*/D1*L*/P1*CS*/CV*/H1*H2 | NA | | | PDS for S2LH2.
S2LCsH1 | S2-16 | S2*/K*/D1*L*/P1*CS*/CV*H1 | NA | | | PDS for S2LH1.
S2LCsCv | S2-17 | S2*/K*/D1*L*/P1*CS*CV | <5E-10 | All | Yes | See T1S-25 comment.
S2LP1 | S2-18 | S2*/K*/D1*L*P1 | 3.0E-08 | All | Yes |
S2D1 | S2-19 | S2*/K*D1 | 9.8E-07 | All | No |
S2K | S2-20 | TRANSFER TO ATWS
VERY SMALL LOSS OF COOLANT ACCIDENT (S3 LOCA)
S3W3H1 | S3-3 | S3*/K*/D1*/QC*/L*/OD*W3*H1 | 3.7E-07 | All | No |
S3ODH2 | S3-5 | S3*/K*/D1*/QC*/L*OD*/H1*H2 | 1.3E-07 | All | No |
S3ODH1 | S3-6 | S3*/K*/D1*/QC*/L*OD*H1 | 4.5E-07 | All | No |
S3LH1 | S3-8 | S3*/K*/D1*/QC*L*/OD*/W3*H1 | 7.0E-09 | All | Yes |
S3LW3H1 | S3-10 | S3*/K*/D1*/QC*L*/OD*W3*H1 | <5E-10 | All | Yes | See T1S-25 comment.
S3LODH2 | S3-12 | S3*/K*/D1*/QC*L*OD*/H1*H2 | <5E-10 | All | Yes | See T1S-25 comment.
S3LODH1 | S3-13 | S3*/K*/D1*/QC*L*OD*H1 | <5E-10 | All | Yes | See T1S-25 comment.
S3LMH2 | S3-15 | S3*/K*/D1*/QC*L*M*/P*/CS*/H1*H2 | 1.7E-08 | All | Yes |
S3LMH1 | S3-16 | S3*/K*/D1*/QC*L*M*/P*/CS*H1 | 5.9E-08 | All | Yes |
S3LMCsH2 | S3-18 | S3*/K*/D1*/QC*L*M*/P*CS*CV*/H1*H2 | NA | | Yes | PDS for S3LMH2.
S3LMCsH1 | S3-19 | S3*/K*/D1*/QC*L*M*/P*CS*CV*H1 | NA | | Yes | PDS for S3LMH1.
S3LMCsCv | S3-20 | S3*/K*/D1*/QC*L*M*/P*CS*CV | <5E-10 | All | Yes | See T1S-25 comment.
S3LMP | S3-21 | S3*/K*/D1*/QC*L*M*P | <5E-10 | All | Yes | See T1S-25 comment.
* Accident Sequence EVENT V TKRD 4 TKRQD 4 TKRL 2 TKRP 2 Sequence Number SJ-23 SJ-24 V-1 TK-3+ 'rK-11+ 'l'K-16 'l'K-5+ TK-13+ 'l'K-18+ 'l'K-6+ 'l'K-14+ 'l'K-19 'l'K-7+
* TABLE 4.10-1 (Continued)
ACCIDENT SEQUENCES QUANTIFIED BEFORE RECOVERY Sequence Boolean Equation TRANSFER TO THE S2 TREE S3*/K*/Dl*QC*Hl Annual Sequence Frequency Expression Sequence Comments/Source Quantified Eliminated Of Information 7.0E-10 All SJ*/K*Dl 1.6E-05 All TRANSFER TO ATWS INTERFACING LOSS OF COOLANT ACCIDENT (V) INTERFACING LOCA SEQUENCE 1.2E-06 All ANTICIPATED TRANSIENT WITHOUT SCRAM T*K*R*D4 5.7E-07 All T*K*R*Q*D4
<5E-10 All 'l'*K*R*L2 6.BE-08 All 'l'*K*R*P2 9.6E-09 All Yes No No No Yes Yes Yes All other nations with S will be below lhis.
Accident Sequence TKRT TKRZ NO'fE:
* Sequence Number TK-B TK-9 TABLE 4.10-1 (Continued)
ACCIDENT SEQUENCES QUANTIFIED BEFORE RECOVERY Annual Sequence Expression Sequence Sequence Boolean Equation Frequency Quantified Eliminated T*K*R*/PL*/Zl*/Z*T 9.6E-OB All Yes T*K*R*Z B.4E-07 All No Comments/Source Of Information All branches on the ATWS event tree have been included in these six branches.
process. Those sequences where quantification was performed on (1) partial sequence expressions and (2) the full sequence expression are also identified.
4.10.3 Application of Operator Recovery Actions

The sequences with a frequency of 1E-7 or greater were identified in Table 4.10-1. Those sequences not eliminated were then fully quantified; that is, the initiator and the remaining system failures and successes were incorporated into the accident sequence expression. The next major step performed in the quantification process was operator recovery analysis. The recovery analysis was conducted in four major steps:
* Identification of those recovery actions applicable to an entire sequence (i.e., applicable to every cut set within the sequence).
* Identification of the individual failures within a cut set and determining the appropriate recovery actions for the cut set.
* Calculation of the probabilities for failure to complete recovery actions.
* Quantification of the recovery actions in the accident sequences (i.e., incorporate the non-recovery probabilities into the cut sets).

Some recovery actions were applied on a sequence level. These typically involved cross connection of failed mechanical systems to operable Unit 2 systems or recovery of offsite power. After applying recovery actions to a sequence, each of the cut sets was examined to ensure that the action was appropriate. Recovery actions were then considered at the cut set level. Recovery actions were included if they were directly stated in the emergency or abnormal procedures, or could be expected to result directly from a procedural step or group of steps and sufficient time existed to allow diagnosis and completion of the action.

Some credit was allowed for recovery actions not specifically identified in the plant procedures. This type of recovery is termed "innovative recovery". The rationale behind allowing for actions not procedurally identified was to give credit to the recovery that the plant's accident response team could provide in long term accident sequences. The single event identified as innovative recovery in the Surry analysis is isolation of a stuck open safety relief valve by gagging it shut.

The following discussion identifies the plant specific recovery actions and the associated failure event codes, their applications, and limitations on their application to the Surry cut sets and sequences. Table 4.10-2 summarizes the recovery factors and details the hardware and human error contributions. The human error portions are discussed in detail in Section 4.8.4.

Alignment of Unit 2 AFW Flow to Unit 1

A cross connect of the Unit 1 and Unit 2 AFW systems allows flow from the Unit 2 AFW pumps to be provided to the discharge headers of the Unit 1 AFW system. One of two motor operated valves in parallel must be opened by the operator and the Unit 2 AFW system must be manually started to provide flow through the cross connect. In addition, the injection valves to Unit 2 SGs must be closed to divert flow to Unit 1. The dominant failures of the Unit 1 AFW system were common cause failure of all three pumps or flow diversion of Unit 1 AFW to Unit 2 through an inadvertently open cross-connect valve, neither of which would result in the inability to perform this recovery action. There were three different variations of this recovery action, one for all transients except station blackout (SBO), one for SBO at Unit 1 only, and one for SBO at both units.
TABLE 4.10-2
RECOVERY FACTORS
Identifier | Total Unavailability | Human Error | Hardware Failure | Hardware Comments
ACP-XHE-FO-STBBS | 1.4E-2 | 1.1E-2 | 3.0E-3 | CIRCUIT BREAKER FAILS TO TRANSFER.
AFW-XHE-FO-CST2 | 6.5E-2 | 6.4E-2 | 1.0E-3 | MANUAL VALVES FAIL TO TRANSFER.
AFW-XHE-FO-MNACT | 2.7E-3 | 2.7E-3 | ------ | NO HARDWARE INVOLVED.
AFW-XHE-FO-U1SBO | 8.2E-2 | 4.8E-2 | 3.4E-2 | UNIT2 < 10% (.35) * MDP-FS/FR + UNIT2 > 10% (.65) * TDP-FS/FR.
AFW-XHE-FO-U2SBO | 7.5E-2 | 7.5E-2 | ------ | HARDWARE IS EXPLICITLY INCLUDED IN THE SBO SEQUENCES AS A BOOLEAN EXPRESSION.
AFW-XHE-FO-UNIT2 | 3.6E-2 | 3.3E-2 | 3.1E-3 | AFW-CKV-FT/PG-CV273 + 2 * MOV-FT-251*(MOV-FT-160 + FT-ISOL) + CCF-FT-160A/B + UNIT2 < 10% (.35) * MDP-FS.
CLS-XHE-FO-MAN-A | 2.7E-3 | 2.7E-3 | ------ | NO HARDWARE INVOLVED.
CLS-XHE-FO-MANS1 | 2.7E-3 | 2.7E-3 | ------ | NO HARDWARE INVOLVED.
CLS-XHE-FO-MANS2 | 2.7E-3 | 2.7E-3 | ------ | NO HARDWARE INVOLVED.
CPC-XHE-FO-CMNS2 | 3.8E-2 | 3.8E-2 | ------ | NO HARDWARE INVOLVED.
CPC-XHE-FO-REALN | 7.0E-2 | 5.9E-2 | 1.1E-2 | CPC-MDP-FS + CPC-MDP-MA + CPC-MDP-FR-10 HOURS.
CPC-XHE-FO-SMNS1 | 3.8E-2 | 3.8E-2 | ------ | NO HARDWARE INVOLVED.
CPC-XHE-FO-SMNS2 | 3.8E-2 | 3.8E-2 | ------ | NO HARDWARE INVOLVED.
Total Identifier Unavailability HPI-XIIE-FO-ALT 6.lE-1 HPI-XIIE-FO-AL'l'IN 5.7E-3 HPI-XIIE-FO-AL'l'IJ 7.0E-4 HPI-XHE-FO-ALTSJ 7.4E-2 ':"' t--" 0 I HPI-XHE-FO-UN2Hl l.6E-3 t--" tO HPI-XHE-FO-UN2S2 3.lE-1 HPI-XHE-FO-UN2SJ 4.4E-2 IIPI-XIIE-F0-20DH2 4.JE-3 HPI-XHE-F0-30DH2 2.lE-3 MCW-CCF-VF-SBO 6.0E-2 ( FAILURE TO RES'l'ORE CANAL LEVEL)
* TABLE 4.10-2 (Continued)
RECOVER! FACTORO Human Hardware Error Failure 2.7E-3 6.lE-1 2.7E-3 3.0E-3 2.7E-3 J.OE-3 6.4E-2 5.BE-2 2.7E-3 6.lE-1 6.4E-2 5.BE-2 1.lE-2 3.0E-4 1. JE-1 9.BE-3 3.0E-1 9.BE-3 3.4E-2 9.BE-3 1. JE-1 9.BE-3 1. lE-2 3.0E-4 2.7E-3 ------1. JE-1 9.BE-3 1.lE-2 3.0E-4 5.2E-4 ------5.9E-2 9.0E-4 Hardware Comments RA'rIO OF BE'rAJ/BE'l'A2.
HPI-MOV-F'r-1842 FROM CONTROL ROOM. IIPI-MOV-FT-1842 FROM CONTROL ROOM* IIPI-F'r-1867C/D LOCAL OPENING. IIPI-MOV-F'r-1842 FROM CONTROL ROOM
* HPI-FT-1867C/D LOCAL OPENING. FAILURE TO CROSS CONNECT RWST
* FAILURE TO CROSS CONNECT HP!. HPI-MDP-FS/FR/MA-CHlC
+ I1PI-CKV-FT/PG-CV276
+ IIPI-MOV-FT-278
+ I-1PI-MOV-FT-286C/287C.
HPI-MDP-FS/FR/MA-CIUC
+ HPI-CKV-FT/PG-CV276
+ HPI-MOV-FT-278
+ HPI-MOV-FT-286C/287C.
FAILUHF; 'l'O x-comrncT IIPI
* FAILURE '1 1 0 X-CONNECT RWST PLUS AN OVERALL DIAGNOSIS ERROR. FAILURE 'l'O X-CONtrnc*r BPI
* FAILUHE 'l'O X-CONNECT RWST PLUS AN OVERALL DIAGNOSIS ERROR. DIESEL-PUMP-FS
* DIESEL-PUMP-FS Identifier MSS-XHE-FO-ISAFW MSS-XHE-FO-BLOCK MSS-XHE-FO-ISBDN NRAC-150 MIN ,i::,. . f--" NRAC-201 MIN 0 I I:,:) 0 NRAC-216 MIN NRAC-234 MIN NRAC-246 MIN NRAC-258MIN NRAC-HALFHR NRAC-lllR NRAC-711R NRAC-6HR-AVG NRAC-24HR-AVG 0
* Total Unavailability 6.BE-6 6.4E-2 3.4E-J 2.lOE-1 l.50E-1 1. JBE-1 l.2JE-l 1.15E-1 1. OBE-1 6.00E-1 4.40E-1 5.00E-2 1. 94E-1 6.lOE-2 4.9E-2 TABLE 4.10-2 (Continued)
RECOVERY FACTORS Human Error Har.dware Failure J.4E-J 2.0E-3 FAILURE 6.4E-2 J.4E-3 ------------2.lOE-1 l.50E-1 1. JBE-1 1. 2JE-1 1.15E-1 1. OBE-1 6.00E-1 4.40E-1 5.00E-2 1. 94E-1 6.lOE-2 SEA'!' Hardware Comments OF 1 OF 2 CHECK VALVES TO 4.4E-2 5.0E-3 GENERIC HARDWARE ESTIMATE.
* TABLE 4.10-2 (Continued)
RECOVERY FACTORS Total Human Hardware Identifier Unavailabiliti:
Error Failure Hardware Comments R 1. 7E-1 1.0000 1. OE-5 R = (1.00)
* MECIIANCICAL ( 1. OE-5) + 2.7E-3 5.0E-5 (2.7E-3)
* ELEC'l'RICAL (5.0E-5).
REC-XHE-FO-DGEN 9.0E-1 ------9.0E-1 REC-XHE-FO-DGHWB 6.0E-1 ------6.0E-1 REC-XHE-FO-DGHWS B.OE-1 ------8.0E-1 ""' REC-HXE-FO-DGTMS 5.0E-1 ------5.0E-1 . I-' 0 REC-XHE-FO-DGTMS 7.0E-1 7.0E-1 I ------N) I-' REC-XHE-FO-DPRES 1.4E-2 1. 4E-2* ------HARDWARE IS INCLUDED IN OD FAULT TREE. REC-XHE-FO-GAGRV J,OE-1 ------JE-1 INNOVATIVE RECOVERY.
RMT-XHE-FO-MAN-A 6.4E-2 6.4E-2 ------NO HARDWARE INVOLVED.
\ RMT-XHE-FO-MANSl 6.4E-2 6.4E-2 ------NO HARDWARE INVOLVED.
RMT-XHE-FO-MANS2 2.7E-3 2.7E-3 ------NO HARDWARE INVOLVED.
SIS-XHE-FO-MANSl 2,7E-3 2.7E-3 ------NO HARDWARE INVOLVED.
SIS-XllE-FO-MANS2 2,7E-3 2,7E-3 ------NO HARDWARE INVOLVED.
SWS-XHE-FO-OPEN 2.4E-1 ------ 2.4E-1
AFW-XHE-FO-UNIT2. This event was used for all sequences where AFW was needed, but not for station blackout. The unavailability was determined to be 3.6E-2. The total unavailability breaks down into an operator contribution of 3.3E-2 and hardware faults of 3E-3. This event was not applied during SBO sequences.
AFW-XHE-FO-U1SBO. The unavailability of AFW from Unit 2 following SBO at Unit 1 was calculated to be 8.2E-2, with 4.8E-2 attributable to human error. The hardware unavailability was 3.4E-2.
AFW-XHE-FO-U2SBO. The unavailability of AFW from Unit 2 following SBO at both Units 1 and 2 was determined to be 7.5E-2. This was all due to human error, since the hardware contributions were explicitly modeled in the L-SBOU1U2 Boolean equation (Appendix B).
Manual Actuation of Auxiliary Feedwater Systems
AFW-XHE-FO-MNACT. The AFW system can be manually actuated upon failure of automatic actuation to occur. The operator must diagnose the failure of automatic actuation and manually start the AFW pumps and steam supply to the turbine-driven pump. The failure to manually initiate AFW was assessed to be 2.7E-3, which consists of operator failure to diagnose the problem and perform the action. This recovery factor was applied to all cut sets involving failure of the AFW to automatically initiate the pumps and steam supply valves to the turbine-driven pumps. This recovery factor was not applied to cut sets where both trains of actuation failed in the same cut set.
Manual Bypass of the CPC System Service Water Strainers
CPC-XHE-FO-REALN.
In the event that flow is lost through the CPC system service water strainers, the operator can bypass the strainer assembly by providing service water from the Unit 2 CPC system. To perform this operation, the operator must diagnose the problem prior to failure of the charging pumps, manually open the valves required to cross connect the systems, and ensure that sufficient flow is available from the Unit 2 CPC system. A time of 10 minutes was allowed to complete this operation based on the estimated time a charging pump could operate without cooling. This assessment is conservative because most of the strainer loss of flow occurrences which have happened at the plant involved strainer plugging and not an abrupt loss of service water. Decrease in service water was gradual. The failure to perform these actions was assessed to be 7.0E-2, of which 2.7E-2 was diagnosis error, 3.2E-2 actuation error, and 1.1E-2 hardware faults. This recovery action was applied to all cut sets which included long term failures of the CPC service water system. No recovery of strainers was applied to the short term sequences due to the relatively short time available and the number of other operator actions required in the short term.
Manual Actuation of Charging Pump Cooling Systems
CPC-XHE-FO-CMNS2, CPC-XHE-FO-SMNS2, CPC-XHE-FO-SMNS1. The CPC can be manually actuated upon failure of automatic actuation to occur. The operator must diagnose the failure of automatic actuation and manually actuate the service water and cooling water subsystems prior to failure of the HPI pumps. CPC discharge pressure and HPI pump temperature indications would alert the operator to the need for actuation of the CPC systems. The failure to manually initiate CPC was assessed to be 3.8E-2, which consists of operator failure to diagnose the problem and perform the action. This recovery factor was applied to all the cut sets involving failure of the CPC to automatically initiate. This factor was not applied to failure of both CPC actuation trains in the same cut set.
Manual Actuation of Containment Safeguards Systems
CLS-XHE-FO-MAN. The CLCS can be manually actuated upon failure of automatic actuation to occur. The operator must diagnose the failure of automatic actuation and manually actuate the injection and recirculation spray systems prior to zation of the containment. Containment pressure and temperature indications and the likely presence of a CLCS-HI signal would alert the operator to the need for actuation of the spray systems. The failure to manually initiate CLCS was assessed to be 2.7E-3, which consists of operator failure to diagnose the problem and perform the action. This recovery factor was applied to all the cut sets involving failure of the CLCS to automatically initiate the spray systems. This factor was not applied to failure of both CLCS actuation trains in the same cut set.
Recovery of SGTR by Plant Cooldown and Depressurization
REC-XHE-FO-DPRES. Following a steam generator tube rupture (SGTR) event, the operator will cool down and depressurize the plant to stop the leak. Should the cooldown and depressurization fail, either due to human error or hardware faults, several hours still remain before core damage. This recovery event accounts for recovery of the initial human error for failure to depressurize. Several hours into the event, additional control room staff can be assumed to be available, and credit is given for their cooldown and depressurization of the plant. An unavailability of 1.4E-2 was calculated for this event, with no contribution from hardware faults. The unavailability is a human error probability conditional on previous failure to depressurize.
Recovery of a Diesel Generator Following Station Blackout
Diesel generator failures included all of the miscellaneous dedicated support systems required for successful diesel operation. In many cases, failure of the diesel generator could be recovered. Recovery of the diesel generators was applied only to SBO sequences. The probability for recovery was estimated based on the timing involved: time from the start of SBO to time when the diesels would be needed to prevent core damage. Recovery probabilities were based on ASEP generic data.
Alignment of Unit 2 HPI Flow to Unit 1
A cross connect of the Unit 1 and Unit 2 HPI systems allows flow from the Unit 2 charging pump C to be provided to the discharge line of the Unit 1 C train charging pump. Two manual valves in series must be locally opened by the operator. It was assumed that the Unit 2 C train charging pump must be started to provide flow through the cross connect.
HPI-XHE-FO-UN2S3.
The unavailability for S3, T7, and TQ sequences was determined to be 4.4E-2, of which 3.4E-2 is due to operator error and 9.8E-3 is due to hardware failures. This recovery factor was applied to those cut sets in sequences involving failures of HPI due to faults upstream of the Unit 1 charging pump discharges. This recovery factor was not applied to sequences involving S1 or S2 LOCAs, due to the timing considerations. A separate recovery factor was applied to S2 LOCAs. No recovery credit was given to the S1 LOCAs because the time required to diagnose the need for and make operational the cross connect was longer than the estimated time between the failure of HPI and the onset of core damage. More discussion of these timing considerations is found in Section 4~&".
HPI-XHE-FO-UN2S2. This recovery factor is applicable to S2 events. It is similar to HPI-XHE-FO-UN2S3 previously described. The only difference is that a human error probability of 3.0E-1 was used to account for the limited time available for diagnosis of the event. The total unavailability for this event is 3.1E-1.
HPI-XHE-FO-UN2H1. This recovery factor is recovery of Unit 1 Low Pressure Recirculation (S2 and S3) by cross connecting Unit 2 HPI (as described above) or by cross connecting to the Unit 2 RWST. The total unavailability for this event (1.6E-3) is the failure of both recovery paths. The respective human error probabilities were summed with the hardware unavailability to determine the failure probability of each path. Failure of the operator to cross connect HPI was evaluated to be 1.3E-1, summed with a hardware unavailability of 9.8E-3. Failure of the operator to cross connect RWST (1.1E-2) was combined with a hardware unavailability of 3.0E-4.
HPI-XHE-FO-20DH2. This recovery factor is similar to HPI-XHE-FO-UN2H1 described previously. The only difference is that this event occurs after a previous operator error. An additional diagnosis error (2.6E-3) was added to account for failure to recognize the previous error. This factor was used to recover S2ODH2 and S2ODH1 sequences.
HPI-XHE-FO-30DH2. This recovery factor is identical to HPI-XHE-FO-20DH2, described above, except that the diagnosis error is smaller (5.2E-4) due to the extended timing of the sequence.
Opening of Alternate Cold Leg High Pressure Injection Valve
An alternate cold leg injection valve (MOV-1842) is available to provide flow to the cold legs from the charging pumps. The operator must manually open the valve from the control room to provide flow to the cold legs. In sequences where the timing permitted, local valve operation was credited. The operator action was determined to be skill based for operation from the control room. An action error of 3.2E-2 was applied to local operation. This recovery factor was applied to those cut sets in sequences involving failures of HPI due to faults in the parallel injection valve arrangement (MOV-1876C and MOV-1867D). However, recovery actions were not included in the loss of offsite power cut sets which include failure of DG #1 since MOV-1842 is powered from MCC 1H1-2 which would be powered from diesel generator #1.
HPI-XHE-FO-ALTIN. This event is recovery of HPI following random independent failure of the HPI discharge motor-operated valves (MOVs). It is used in S2 where timing dictates it must be done from the control room. It was not applied to S3 and T7 sequences. This action involves opening of the cold leg injection valve from the control room. A hardware error of 3.0E-3 for the MOV failing to open was combined with a human error probability of 2.7E-3 to yield a total unavailability of 5.7E-3.
HPI-XHE-FO-ALTI3. This event is similar to HPI-XHE-FO-ALTIN described above. This event is used only in S3 and T7 sequences, where the timing permits local operation of the valve. The hardware contribution was derived from the failure to locally open one of two valves that had previously failed to open automatically. The failure probability for each valve was .24. Combining the failure to open the valves from the control room with the failure to locally operate the valves (6.4E-2 human error + 5.8E-2 hardware unavailability) results in a total event unavailability of 7.0E-4.
HPI-XHE-FO-ALT. This event is recovery of HPI following common cause failure of the HPI discharge MOVs. It was used in S2 where timing dictates it be done from the control room. It was not applied to S3 and T7 sequences. The "hardware" unavailability is the ratio of the beta factor for three valves to fail by common cause over the beta factor for two valves to fail by common cause, or 6.1E-1. The human error probability is 2.7E-3, resulting in a total event unavailability of 6.1E-1.
HPI-XHE-FO-ALTS3. This event is similar to HPI-XHE-FO-ALT, but is used on S3 and T7 where timing allows for local valve operation. The hardware failure probability for local opening is .24 per valve. A human error probability of 6.4E-2 is first combined with a hardware unavailability of 5.8E-2 for local operation; this is then combined with a failure to actuate from the control room (.61), leading to a total event unavailability of 7.4E-2.
Recovery of Offsite Power Within One Hour
NRAC-1HR. The probability of failure to restore offsite power within one hour was assessed to be 0.44 based on a plant specific calculation from NUREG/CR-5032.(13) This recovery factor was applied to all cut sets in T1 sequences which included diesel generator failures.
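The recovery-event totals quoted above follow two rules: contributions within one recovery path are summed, and independent recovery paths are multiplied. The following Python check is an added example, not part of the report; it re-derives each stated total from the human-error and hardware figures given in the text. The function names are hypothetical, and the two inputs marked in the comments are assumptions.

```python
# Added example: re-derive the recovery-factor totals quoted in this section
# from the human-error and hardware contributions the text gives for each one.


def in_series(*contributions):
    """Failure of one recovery path: any contribution failing defeats it.
    The report sums the terms (rare-event approximation); cap at 1.0."""
    return min(1.0, sum(contributions))


def all_paths_fail(*paths):
    """Recovery is lost only when every independent path fails."""
    product = 1.0
    for p in paths:
        product *= p
    return product


def sci(value):
    """Two significant figures in the report's notation, e.g. 5.7E-3."""
    mantissa, exponent = f"{value:.1e}".split("e")
    return f"{mantissa}E{int(exponent)}"


def recompute():
    """Return {event: (recomputed value, total stated in the text)}."""
    control_room = in_series(2.7e-3, 3.0e-3)  # HPI-XHE-FO-ALTIN: human + MOV
    local_open = in_series(6.4e-2, 5.8e-2)    # local operation: human + hardware
    return {
        "AFW-XHE-FO-UNIT2": (in_series(3.3e-2, 3e-3), "3.6E-2"),
        "AFW-XHE-FO-U1SBO": (in_series(4.8e-2, 3.4e-2), "8.2E-2"),
        "CPC-XHE-FO-REALN": (in_series(2.7e-2, 3.2e-2, 1.1e-2), "7.0E-2"),
        "HPI-XHE-FO-UN2S3": (in_series(3.4e-2, 9.8e-3), "4.4E-2"),
        # Assumption: UN2S2 keeps the 9.8E-3 hardware term of UN2S3, since the
        # text says the human error probability is the only difference.
        "HPI-XHE-FO-UN2S2": (in_series(3.0e-1, 9.8e-3), "3.1E-1"),
        # Two paths: cross connect HPI, or cross connect the RWST.
        "HPI-XHE-FO-UN2H1": (
            all_paths_fail(in_series(1.3e-1, 9.8e-3), in_series(1.1e-2, 3.0e-4)),
            "1.6E-3",
        ),
        "HPI-XHE-FO-ALTIN": (control_room, "5.7E-3"),
        "HPI-XHE-FO-ALTI3": (all_paths_fail(local_open, control_room), "7.0E-4"),
        "HPI-XHE-FO-ALT": (in_series(2.7e-3, 0.61), "6.1E-1"),
        "HPI-XHE-FO-ALTS3": (all_paths_fail(local_open, 0.61), "7.4E-2"),
        # Assumption: the 5.8E-2 local hardware term is both valves failing to
        # open locally at .24 each.
        "local hardware (two valves)": (all_paths_fail(0.24, 0.24), "5.8E-2"),
    }


def mismatches():
    """Events whose recomputed total does not round to the stated total."""
    return [
        name
        for name, (value, stated) in recompute().items()
        if sci(value) != stated
    ]


if __name__ == "__main__":
    for name, (value, stated) in recompute().items():
        flag = "ok" if sci(value) == stated else "MISMATCH"
        print(f"{name:30s} recomputed {sci(value):>7s}  stated {stated:>7s}  {flag}")
```

Every stated total is reproduced to two significant figures, which also confirms the scanned values 6.1E-1 and 1.6E-3 against the arithmetic around them.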
Manual Initiation of Switchover from Injection to Recirculation
RMT-XHE-FO-MAN. The RMT system can be manually actuated upon failure of automatic actuation to occur. The operator must diagnose the failure of automatic actuation and manually actuate switchover in the short period of time available during the drop in RWST level from 18% to 2%. This was calculated to be 9 minutes for S1 and 5 minutes for A LOCA. The failure to manually initiate recirculation switchover was assessed to be 2.7E-3 for S2 LOCA and 6.4E-2 for A and S1 LOCAs, which consist entirely of failure to diagnose the problem in the allowable time. The 2.7E-3 value was also conservatively applied to S3 LOCAs. This recovery factor was applied to all of the cut sets involving failure of the RMT system to automatically initiate switchover. This recovery factor was not applied to failure of both RMT actuation trains A and B in the same cut set, since there is no indication that actuation failed.
Recovery from a Stuck Open SG Safety Relief Valve
REC-XHE-FO-GAGRV. In the event of a stuck open SG safety relief valve, the only means an operator has for isolating the valve is to gag it. Gagging a safety relief valve falls under the guidelines of innovative recovery. It is not directly listed in the Surry procedures, but Surry operators specified this recovery action to a stuck open SG safety relief valve scenario. An unavailability of 0.3 was assigned to this event.
Manual Opening of SWS Valves to the ISR and OSR Coolers
SWS-XHE-FO-OPEN. Following the common cause failure of the service water valves on the ISR and OSR heat exchangers to open, the operator would be expected to attempt to manually open the valves locally, using a hand-wheel. Another option would be to repair the valve operator. The failure of the operator to be able to open one or more of the valves was judged to be 0.24. This failure to recover event consists entirely of hardware faults, as the human error probability to diagnose the situation was assessed to be very low. This value reflects a subjective assessment of the inability to open at least one valve manually, given an initial common cause failure of all four valves. This event was applied to all cut sets which include the common cause failure of the valves. The ISR suction head, caused by insufficient suction cooling. The OSR pumps however, would still be operating and could provide containment heat removal once the service water valves were opened.
These recovery factors were applied to each of the sequences in Table 4.10-1 that were retained after the initial screening. Table 4.10-3 details the application of the recovery factors to these sequences. Once the recovery terms were incorporated into the accident sequence cut set expressions, the sequences were requantified. Those resulting in a frequency of 1E-7 or greater were retained for the final quantification. The final quantification consisted of a sequence and total core damage frequency point estimates, means, uncertainties, and importance measures using the mean data values, evaluated with TEMAC computer code. Table 4.10-4 lists those sequences eliminated and those retained after the recovery analysis quantification.
4.10.4 Assessment of the Impact of Operator Actions
Applying operator actions independently often does not accurately model the conditions projected for a given accident sequence. Multiple operator actions combined into a single cut set can result in underestimating the cut set and sequence frequency. To verify that the quantification and recovery process did not produce artificially low estimates of cut set frequencies, two additional quantification runs were made following the final quantification. The first run set all operator actions to 1.0. In the second run only the operator contributions to the recovery factors were set to 1.0. Both runs were conducted on all of the sequences quantified by SETS. The results of these two runs and the final quantification point estimates are shown in Table 4.10-5.
TABLE 4.10-3
Dominant Accident Sequences Prior To Recovery
Columns: Accident Sequence; Sequence Number; Sequence Boolean Equation; Applicable Recovery; Actions/Comments
LOSS OF OFFSITE POWER
Sequence Number and Sequence Boolean Equation:
T1-3; T1*/K*/Q*/L*D3*W
T1-11; T1*/K*/Q*L*/D2*P
T1-12; T1*/K*/Q*L*D2
Applicable Recovery and Actions/Comments, in the order listed:
NRAC-1.5HR: Recovery of AC power within 1.5 hours. Applied to all cut sets.
W2: Recovery of seal cooling by cross connecting to Unit 2. Same as event W2 in the station blackout event tree. Applied to all cut sets.
AFW-XHE-FO-MNACT: Manual actuation of AFW, applied to cut sets where AFW pump and valve actuation failed.
AFW-XHE-FO-UNIT2: Cross connect to Unit 2 AFW, applied to all cut sets.
NRAC-HALFHR: Recovery of AC power within one half hour. Applied to cut sets with diesel generator failure, except where the AFW failure was Turbine Driven Pump fail to run.
NRAC-24HR-AVG: Time averaged recovery of AC power. Applied to cut sets with diesel generator failure, combined with AFW failure of Turbine Driven Pump fail to run.
AFW-XHE-FO-MNACT: Manual actuation of AFW, applied to cut sets where AFW pump and valve actuation failed.
AFW-XHE-FO-UNIT2: Cross connect to Unit 2 AFW, applied to all cut sets.
TABLE 4.10-3 (Continued)
Dominant Accident Sequences Prior To Recovery
Applicable Recovery and Actions/Comments, in the order listed:
CPC-XHE-FO-REALN: Cross connect to Unit 2 CPC, applied to cut sets where the CPC Service Water strainers or pumps failed.
NRAC-HALFHR: Recovery of AC power within one half hour. Applied to cut sets with diesel generator failure, except where the AFW failure was Turbine Driven Pump failed to run.
NRAC-24HR-AVG: Time averaged recovery of AC power. Applied to cut sets with diesel generator failure, combined with AFW failure of Turbine Driven Pump fail to run.
T1-14; TRANSFER TO ANTICIPATED TRANSIENT WITHOUT SCRAM (ATWS)
STATION BLACKOUT (SBO)
SBO-BATT (UNIT 1 ONLY):
T1S-NR7; T1S-3; T1*/Q*/QS*/L*/W2*NR7
REC-XHE-FO-DGHWB: Recovery from diesel generator hardware faults, applied to cut sets with diesel fail to start and common cause diesel failure. 6 hour time frame.
TABLE 4.10-3 (Continued)
Dominant Accident Sequences Prior To Recovery
REC-XHE-FO-DGTMB: Recovery from diesel generator unavailability due to maintenance. Applied to cut sets with diesel test and maintenance unless a hardware recovery was already added. 6 hour time frame.
T1S-W2-NR7; T1S-5; T1*/Q*/QS*/L*W2*/O*/SL*NR7; Same as T1S-NR7.
T1S-W2-O-NR7; T1S-9; T1*/Q*/QS*/L*W2*O*/SL*NR7; Same as T1S-NR7.
T1S-QS-NR7; T1S-14; T1*/Q*QS*/L*/W2*NR7; Same as T1S-NR7.
T1S-QS-W2-NR7; T1S-16; T1*/Q*QS*/L*W2*/SL*NR7; Same as T1S-NR7.
SBO-SLOCA (UNIT 1 ONLY):
T1S-W2-SL-NRS; T1S-7; T1*/Q*/QS*/L*W2*/O*SL*NRS
REC-XHE-FO-DGHWS: Recovery from diesel generator hardware faults, applied to cut sets with diesel fail to start and common cause diesel failure. 3 hour time frame.
REC-XHE-FO-DGTMS: Recovery from diesel generator unavailability due to maintenance. Applied to cut sets with diesel test and maintenance, unless a hardware recovery was already added. 3 hour time frame.
TABLE 4.10-3 (Continued)
Dominant Accident Sequences Prior To Recovery
T1S-W2-O-SL-NRS; T1S-11; T1*/Q*/QS*/L*W2*O*SL*NRS; Same as T1S-W2-SL-NRS.
T1S-QS-W2-SL-NRS; T1S-18; T1*/Q*QS*/L*W2*SL*NRS; Same as T1S-W2-SL-NRS.
SBO-L (UNIT 1 ONLY):
T1S-L; T1S-12; T1*NRAC-HALFHR*/Q*/QS*L
AFW-XHE-FO-U1SBO: Cross connect of AFW from Unit 2, applied to all cut sets.
NRAC-6HR-AVG: Time averaged recovery of AC power. Applied to cut sets with AFW Turbine Driven Pump fail to run, replacing NRAC-HALFHR.
REC-XHE-FO-DGEN: Recovery from diesel generator faults applied to cut sets with diesel fail to start, maintenance, or common cause diesel failure. 1 hour time frame.
T1S-19; T1*NRAC-HALFHR*/Q*QS*L
AFW-XHE-FO-CST2: QS fails AFW due to SG inventory depletion. Recovery is possible by aligning the CST from Unit 2. Applied to cut sets as an additional single point AFW failure.
NRAC-1HR: SG inventory depletion due to QS does not occur until after 1 hr. NRAC-1HR applied to all cut sets with AFW-XHE-FO-CST2 failure, replacing NRAC-HALFHR in the original quantification.
TABLE 4.10-3 (Continued)
Dominant Accident Sequences Prior To Recovery
NRAC-6HR-AVG: Time averaged recovery of AC power. Applied to cut sets with AFW Turbine Driven Pump fail to run, replacing NRAC-HALFHR.
REC-XHE-FO-DGEN: Recovery from diesel generator faults applied to cut sets with diesel fail to start, maintenance, or common cause diesel failure. 1 hour time frame.
T1S-22; T1*NRAC-HALFHR*Q*/QS*L; Same as T1S-L (above).
SBO-Q (UNIT 1 ONLY):
T1S-Q-NR1; T1S-21; T1*Q*/QS*/L*NR1
REC-XHE-FO-DGEN: Recovery from diesel generator faults applied to cut sets with diesel fail to start, maintenance, or common cause diesel failure. 1 hour time frame.
T1S-Q-QS-NR1; T1S-24; T1*Q*QS*/L*NR1; Same as T1S-Q-NR1.
SBO-BATT2 (UNITS 1 AND 2):
T1S-NR7; T1S-3; T1*/Q*/QS*/L*/O*/SL*NR7
REC-XHE-FO-DGHWB: Recovery from diesel generator hardware faults, applied to cut sets with diesel fail to start and common cause diesel failure. 6 hour time frame.
TABLE 4.10-3 (Continued)
Dominant Accident Sequences Prior To Recovery
REC-XHE-FO-DGTMB: Recovery from diesel generator unavailability due to maintenance. Applied to cut sets with diesel test and maintenance, unless a hardware recovery was already added. 6 hour time frame.
T1S-O-NR7; T1S-7; T1*/Q*/QS*/L*O*/SL*NR7; Same as T1S-NR7 in SBO-BATT2.
T1S-QS-NR7; T1S-12; T1*/Q*QS*/L*/SL*NR7; Same as T1S-NR7 in SBO-BATT2.
SBO-SLOCA2 (UNITS 1 AND 2):
T1S-SL-NRS; T1S-5; T1*/Q*/QS*/L*/O*SL*NRS
REC-XHE-FO-DGHWS: Recovery from diesel generator hardware faults, applied to cut sets with diesel fail to start and common cause diesel failure. 3 hour time frame.
REC-XHE-FO-DGTMS: Recovery from diesel generator unavailability due to maintenance. Applied to cut sets with diesel test and maintenance, unless a hardware recovery was already added. 3 hour time frame.
T1S-O-SL-NRS; T1S-9; T1*/Q*/QS*/L*O*SL*NRS; Same as T1S-SL-NRS in SBO-SLOCA2.
TABLE 4.10-3 (Continued)
Dominant Accident Sequences Prior To Recovery
T1S-QS-SL-NRS; T1S-14; T1*/Q*QS*/L*SL*NRS; Same as T1S-SL-NRS in SBO-SLOCA2.
SBO-L2 (UNITS 1 AND 2):
T1S-L; T1S-10; T1*NRAC-HALFHR*/Q*/QS*L
AFW-XHE-FO-U2SBO: Cross connect of AFW from Unit 2, applied to all cut sets. This recovery action is included in the boolean equation for L2. L2 includes hardware faults in addition to the operator error identified as AFW-XHE-FO-U2SBO.
NRAC-6HR-AVG: Time averaged recovery of AC power. Applied to cut sets with AFW Turbine Driven Pump fail to run, replacing NRAC-HALFHR.
REC-XHE-FO-DGEN: Recovery from diesel generator faults applied to cut sets with diesel fail to start, maintenance, or common cause diesel failure. 1 hour time frame.
T1S-QS-L; T1S-15; T1*NRAC-HALFHR*/Q*QS*L; Same as T1S-QS-L in SBO-L (above).
T1S-Q-L; T1S-18; T1*NRAC-HALFHR*Q*/QS*L; Same as T1S-L in SBO-L2 (above).
SBO-Q2 (UNITS 1 AND 2):
T1S-Q-NR1; T1S-17; T1*Q*/QS*/L*NR1
REC-XHE-FO-DGEN: Recovery from diesel generator faults applied to cut sets with diesel fail to start, maintenance, or common cause diesel failure. 1 hour time frame.
TABLE 4.10-3 (Continued)
Dominant Accident Sequences Prior To Recovery
T1S-Q-QS-NR1; T1S-20; T1*Q*QS*/L*NR1; Same as T1S-Q-QS-NR1 in SBO-Q.
LOSS OF MAIN FEEDWATER
Accident Sequence and Sequence Number, in the order listed: T2LH1, T2-6; T2LP, T2-11; T2Q:, T2-13; T2QH1, S2-2; T2-14
Sequence Boolean Equation, in the order listed:
T2*/K*/Q*L*/D2*/P*/CS*H1
T2*/K*/Q*L*/D2*P
T2*/K*/Q*L*D2
TRANSFER TO S2
T2*/K*Q*H1
TRANSFER TO ATWS
Applicable Recovery and Actions/Comments, in the order listed:
AFW-XHE-FO-MNACT: Manual actuation of AFW, applied to cut sets where AFW pump and valve actuation failed.
AFW-XHE-FO-UNIT2: Cross connect to Unit 2 AFW, applied to all cut sets.
AFW-XHE-FO-MNACT: Manual actuation of AFW, applied to cut sets where AFW pump and valve actuation failed.
AFW-XHE-FO-UNIT2: Cross connect to Unit 2 AFW, applied to all cut sets.
AFW-XHE-FO-UNIT2: Cross connect to Unit 2 AFW, applied to all cut sets.
HPI-XHE-FO-UN2H1: Cross connect to Unit 2 HPI or RWST, applied to all cut sets.
RMT-XHE-FO-MANS2: Recovery of RMT by manual actuation. Applied to RMT actuation faults.
TABLE 4.10-3 (Continued)
Dominant Accident Sequences Prior To Recovery
MAIN TURBINE TRIP WITHOUT LOSS OF MAIN FEEDWATER
T3LMP; T3-12; T3*/K*/Q*L*M*/D3*/D2*P
T3LMD2; T3-13; T3*/K*/Q*L*M*/D3*D2
T3Q:; T3-15; TRANSFER TO S2
T3QH1; S2-2; T3*/K*Q*H1
T3QD1; S2-19; T3*/K*Q*D1
Applicable Recovery and Actions/Comments, in the order listed:
AFW-XHE-FO-UNIT2: Cross connect to Unit 2 AFW, applied to all cut sets.
AFW-XHE-FO-UNIT2: Cross connect to Unit 2 AFW, applied to all cut sets.
HPI-XHE-FO-UN2H1: Cross connect to Unit 2 HPI or RWST, applied to all cut sets.
CPC-XHE-FO-REALN: Cross connect to Unit 2 CPC service water system. Applied to cut sets where the CPC service water strainers or pumps failed.
CPC-XHE-FO-SMNS2: Manual actuation of CPC service water system, applied to CPC service water actuation faults.
HPI-XHE-FO-UN2S2: Cross connect to Unit 2 HPI, applied to all cut sets involving CPC system failure and HPI failures upstream of the HPI pumps (not including the RWST). Not applied to failure of both actuation trains.
HPI-XHE-FO-ALT: Recovery of HPI discharge MOV common cause failure by opening the alternate path.
TABLE 4.10-3 (Continued)
Dominant Accident Sequences Prior To Recovery
HPI-XHE-FO-ALTIN: Recovery of HPI discharge MOV random failure by opening the alternate path. (MOV 1842)
SIS-XHE-FO-MANS2: Manual actuation of SIS system, applied to SIS actuation faults. Not applied to failure of both actuation trains.
T3K; T3-16; TRANSFER TO ATWS
LOSS OF DC BUS
Loss of DC Bus 1A:
T5ALP; T5-11; T5A*/K*/Q*L*/D2*P; AFW-XHE-FO-UNIT2: Cross connect to Unit 2 AFW, applied to all cut sets.
T5ALD2; T5-12; T5A*/K*/Q*L*D2; AFW-XHE-FO-UNIT2: Cross connect to Unit 2 AFW, applied to all cut sets.
T5AK; T5-14; TRANSFER TO ATWS
Loss of DC Bus 1B:
T5BLP; T5-11; T5B*/K*/Q*L*/D2*P; AFW-XHE-FO-UNIT2: Cross connect to Unit 2 AFW, applied to all cut sets.
T5BLD2; T5-12; T5B*/K*/Q*L*D2; AFW-XHE-FO-UNIT2: Cross connect to Unit 2 AFW, applied to all cut sets.
T5BK; T5-14; TRANSFER TO ATWS
TABLE 4.10-3 (Continued)
Dominant Accident Sequences Prior To Recovery
STEAM GENERATOR TUBE RUPTURE (SGTR)
T7-8; T7*/K*/D1*/L3*OD*/Q*QS
T7-12; T7*/K*/D1*/L3*OD*Q*QS
Applicable Recovery and Actions/Comments, in the order listed:
MSS-XHE-FO-BLOCK: Recovery of a stuck open SG PORV by shutting the block valve. Applied when the SG ADV sticks open.
MSS-XHE-FO-ISAFW: Recovery of SG integrity by isolating the AFW turbine driven pump steam supply line.
MSS-XHE-FO-ISBDN: Recovery of SG integrity by isolating the blowdown line. Applied to random and common cause blowdown faults.
REC-XHE-FO-DPRES: Recovery by cool down and depressurizing the RCS.
REC-XHE-FO-GAGRV: Recovery of a stuck open SG SRV by gagging the relief valve. Applied when the SG SRV sticks open.
MSS-XHE-FO-BLOCK: Recovery of a stuck open SG PORV by shutting the block valve. Applied when the SG ADV sticks open.
MSS-XHE-FO-ISAFW: Recovery of SG integrity by isolating the AFW turbine driven pump steam supply line.
MSS-XHE-FO-ISBDN: Recovery of SG integrity by isolating the blowdown line. Applied to random and common cause blowdown faults.
TABLE 4.10-3 (Continued)
Dominant Accident Sequences Prior To Recovery
T7-13; T7*/K*/D1*L3
T7-16; T7*/K*D1*/L3*/OD*/Q*QS
T7-18; T7*/K*D1*/L3*OD
T7-20; T7*K (ATWS)
Applicable Recovery and Actions/Comments, in the order listed:
AFW-XHE-FO-UNIT2: Cross connect to Unit 2 AFW, applied to all cut sets.
CPC-XHE-FO-REALN: Cross connect to Unit 2 CPC service water system. Applied to cut sets where the CPC service water strainers or pumps failed.
HPI-XHE-FO-UN2S3: Cross connect to Unit 2 HPI, applied to all cut sets involving CPC system failure and HPI failures upstream of the HPI pumps (not including the RWST). Not applied to failure of both actuation trains.
HPI-XHE-FO-ALTS3: Recovery of HPI discharge MOV common cause failure by opening the alternate path.
HPI-XHE-FO-ALTIN: Recovery of HPI discharge MOV random failure by opening the alternate path.
R: Recovery of failure of automatic scram by manual reactor trip, applied to all cut sets.
TABLE 4.10-3 (Continued)
Dominant Accident Sequences Prior To Recovery
Accident Sequence, in the order listed: AD6, AD5, S1H1
LARGE LOSS OF COOLANT ACCIDENT (A LOCA)
A-2; A*/D5*/D6*/CS*H1
RMT-XHE-FO-MAN-A: Recovery of RMT by manual actuation. Applied to RMT actuation faults.
A-6; A*/D5*D6; None applied.
A-7; A*D5; None applied.
MEDIUM LOSS OF COOLANT ACCIDENT (S1 LOCA)
S1-2; S1*/D1*/D5*/CS*/D6*H1
RMT-XHE-FO-MANS1: Recovery of RMT by manual actuation. Applied to RMT actuation faults.
S1-3; S1*/D1*/D5*/CS*D6; None applied.
S1-9; S1*D1
HPI-XHE-FO-ALT: Recovery of HPI discharge MOV common cause failure by opening the alternate path.
HPI-XHE-FO-ALTIN: Recovery of HPI discharge MOV random failure by opening the alternate path.
SIS-XHE-FO-MANS1: Recovery of SIS by manual actuation. Applied to SIS actuation faults. Not applied to failure of both actuation trains.
TABLE 4.10-3 (Continued)
Dominant Accident Sequences Prior To Recovery
SMALL LOSS OF COOLANT ACCIDENT (S2 LOCA)
S2-2; S2*/K*/D1*/L*/CS*/OD*H1
S2-19; S2*/K*D1
Applicable Recovery and Actions/Comments, in the order listed:
HPI-XHE-FO-UN2H1: Cross connect to Unit 2 HPI or RWST, applied to all cut sets.
RMT-XHE-FO-MANS2: Recovery of RMT by manual actuation. Applied to RMT actuation faults.
CPC-XHE-FO-REALN: Cross connect to Unit 2 CPC service water system. Applied to cut sets where the CPC Service Water strainers or pumps failed. Not applied to failure of both actuation trains.
CPC-XHE-FO-SMNS2: Manual actuation of CPC service water system, applied to CPC service water actuation faults.
HPI-XHE-FO-UN2S2: Cross connect to Unit 2 HPI, applied to all cut sets involving CPC system failure and HPI failures upstream of the HPI pumps (not including the RWST). Not applied to failure of both actuation trains.
HPI-XHE-FO-ALT: Recovery of HPI discharge MOV common cause failure by opening the alternate path.
HPI-XHE-FO-ALTIN: Recovery of HPI discharge MOV random failure by opening the alternate path.
TABLE 4.10-3 (Continued)
Dominant Accident Sequences Prior To Recovery
SIS-XHE-FO-MANS2: Manual actuation of SIS system, applied to SIS actuation faults. Not applied to failure of both actuation trains.
S2-20; TRANSFER TO ATWS
VERY SMALL LOSS OF COOLANT ACCIDENT (S3 LOCA)
S3-3; S3*/K*/D1*/QC*/L*/OD*W3*H1
HPI-XHE-FO-UN2H1: Cross connect to Unit 2 HPI or RWST, applied to all cut sets.
S3-5; S3*/K*/D1*/QC*/L*OD*/H1*H2
HPI-XHE-FO-20DH2: Cross connect to Unit 2 HPI or RWST, applied to all cut sets.
S3-6; S3*/K*/D1*/QC*/L*OD*H1
HPI-XHE-FO-20DH2: Cross connect to Unit 2 HPI or RWST, applied to all cut sets.
S3-23; S3*/K*D1
CPC-XHE-FO-REALN: Cross connect to Unit 2 CPC service water system. Applied to cut sets where the CPC service water strainers or pumps failed.
CPC-XHE-FO-SMNS2: Manual actuation of CPC service water system, applied to CPC service water actuation faults.
CPC-XHE-FO-CMNS2: Manual actuation of CPC cooling water system, applied to CPC cooling water actuation faults.
Accident Sequence EVEN'!' V TKRD 4 TKRZ
* Sequence Number SJ-24 N/A TK-3 TK-9 TABLE 4.10-3 (Continued)
Dominant Accident Sequences Prior To Recovery Sequence Boolean Equation TRANSFER TO ATWS Applicable Recovery IIPI-XHE-FO-UN2S3 HPI-XHE-FO-ALTI3 IIPI-XHE-FO-ALTIN Actions/Comments cross connect to Unit 2 HPI, applied to all cut sets ing CPC system failure and HPI failures upstream 9f the RPI pumps. (not including the RWST) Not applied to failure of both actuation trains. Recovery of BPI.discharge MOV common cause f~ilure by opening the alternate path. Recovery of HPI discharge MOV random failure*by opening the alternate path. INTERFACING LOSS OF *cooLANT ACCIDENT (V) INTERFACING LOCA SEQUENCE None applied. ANTICIPATED TRANSIENT WITHOUT SCRAM T*K*R*D4 T*K*R*Z --*-------------
None applied. None applied.
* Accident Sequence Sequence Number Tl-3 Tl-11 Tl-12 Table 4.10-4 Accident Sequences Quantified Before and After Recovery SEQUENCE FREQUENCY
(/RX-YR) Before After Sequence Boolean Equation Recovery Recovery Tl*/K*/Q*/L*DJ*W Tl*/K*/Q*L*/D2*P Tl*/K*/Q*L*D2 LOBB OF OFF9ITE POWER 2.0E-06 2.6E-06 'l.9E-06 1. 2E-7 7.5E-B 6.4E-B STATION BLACKOUT (BBO) Sequence Comments/Source Eliminated of Information Yes Yes Yes Sequence frequency shown is RCP seal vulnerable. lication of the probability for a RCP seal LOCA (.73) leading to core damage results in a sequence frequency of B.BE-8. The RCP seal LOCA lity derivation is shown in Appendix Q SBO-BATT (UNITl ONLY): l.2E-05 B.5E-06 4.7E-07 7. 68'-6 5.2E-6 3.0E-7 No No No T1s-NR7 TlS-3 T 1 s-W 2-NR7 TlS-5 Tl*/Q*/QS*/L*/W 2*NR7 Tl*/Q*/QS*/L*W 2*/0*/SL*NR7 
. .... 0 I Accident Sequence T 1 s-QS-NR7 Sequence Number TlS-14 T 1 s-QS-W 2-NR7 'l'lS-16 Table 4.10-4 (CONTINUED)
Accident Sequences Quantified Before and After Recovery SEQUENCE FREQUENCY
(/RX-YR) Before After Sequence Boolean Equation Recovery Recovery Tl*/Q*/QS*/L*W 2*0*/SL*NR7 2.2E-OB 8.9E-9 Tl*/Q*QS*/L*/W 2*NR7 3.lE-06 l.9E-6 Tl*/Q*QS*/L*W2*/SL*NR7 1.9E-07 1. 2E-7 Sequence Comments/Source Eliminated of Information No Retained, potential important risk con-tributor due to station blackout.
No No SBO-SLOCA (UNI'l'l ONLY): 4.BE-06 3.9E-6 No T 1 s-W2-SL-NRS TlS-7 Tl*/Q*/QS*/L*W2*/0*SL*NRS 3.JE-06 2.7E-6 No T 15-W2-0-SL-NRS
*r1s-11 Tl*/Q*/QS*/L*W2*0*SL*NRS
: 1. 9E-07 1.5E-7 No T 1 s-QS-W2-SL-NRS TlS-18 Tl*/Q*QS*/L*W2*SL*NRS 1.JE-06 1.lE-6 No SBO-L (UNI'l'l ONLY): 5.0E-05 3.5E-6 No 'l'1s-L TlS-12 Tl*NRAC-IIALFIIR*/Q*/QS*L 4.lE-06 3.5E-7 No T 1 s-QS-L 'l'lS-19 '1'1 *NRAC-IIALFIIR*
/Q*QS
* L 4.6E-05 3.2E-6 No T1s-Q-L TlS-22 Tl*NRAC-HALFIIR*Q*/QS*L 8,lE-08 7.JE-8 No * 
Table 4.10-4 (CONTINUED)
Accident Sequences Quantified Before and After Recovery SEQUENCE FREQUENCY
{/RX-YR) Accident Sequence Sequence Number SBO-Q (UNIT! ONLY): TlS-21 T 1 s-Q-QS-NR1
'l'lS-24 Sequence Boolean Equation Tl*Q*/QS*/L*NRl
'l'l*Q*QS*/L*NRl SBO-BATT2
{UNITS 1 AND 2): T 15-NR7 T 1 s-O-NR7 TlS-3 TlS-7 T1s-QS-NR7 TlS-12 Tl*/Q*/QS*/L*/O*/SL*NR7 Tl*/Q*/QS*/L*O*/SL*NR7 Tl*/Q*QS*/L*/SL*NR7 SBO-SLOCA2 (UNI'l'S 1 AND 2) : T1s-SL-NRS TlS-5 Tis-o...:.sL-NRS TlS-9 T 1 s-QS-SL-NRS TlS-14 Tl*/Q*/QS*/L*/O*SL*NRS
'1'1*/Q*/QS*/L*O*SL*NRS Tl*/Q*QS*/L*SL*NRS SB0-L2 (UNITS 1 AND 2): TlS-10 'l'l*NRAC-HALFHR*/Q*/QS*L Before After Recovery Recovery 2.lE-06 1. 5E-06 5.7E-07 5.lE-07 J.4E-07 1. 4E-08 l.6E-07 J.JE-06 2.JE-06 1.2E-07 8.9E-07 6.JE-06 7.JE-07 1. 9E-6 l,4E-6 5.lE-7 J.OE-7 2.0E-7 8.4E-9 9.JE-8 2.6E-6 1. BE-6 9.7E-B 7.lE-7 6.JE-7 2,5E-7 Sequence Comments/Source Eliminated of Information No No No No No No No No No No No No No See TlS-9 comment. See TlS-9 comment. See TlS-9 comment. 
. I-' 0 I cr:, Accident Sequence Sequence Number T 1 s-QS-L TlS-15 T1s-Q-L TlS-18 Table 4.10-4 (CONTINUED)
Accident Bequences Quantified Before and After Recovery SEQUENCE FREQUENCY
(!RX-YR) Defore After Sequence Sequence Boolean Equation Recovery Recovery Eliminated Tl*NRAC-HALFHR*/Q*QS*L 5.6E-06 3.BE-7 No Tl*NRAC-HALFHR*Q~/QS*L 1.5E-08 1.4E-8 No SB0-02 (UNITS 1 AND 2): 3.9E-07 2.9E-07 3.5E-7 2.6E-7 No No TlS-17 T 1 s-Q-QS-NR1 TlS-20 T 2 LH 1 T 2 LP 'l'2LD2 T2-6 T2-ll '1'2-12 TJ-12 TJ-13 Tl*Q*/QS*/L*NRl Tl*Q*QS*/L*NRl l.OE-07 9.2E-8 LOSS OF MAIN FEEDWATER T2*/K*/Q*L*/D2*/P*/CS*lll T2*/K*/Q*L*/D2*P
'1'2*/K*/Q*L*D2 4.4E-07 2.2E-05 2.0E-05 1.4E-8 7.7E-7 7.2E-7 No Yes No No MAIN TURBINE TRIP WITHOUT LOSS OF MAIN FEEDWATER T3 * /K*/Q*L*M*/D3
*/D2 **P T3*/K*/Q*L*M*/D3*D2
* 4.4E-07 4.5E-07 1.6E-8 1.6E-8 Yes Yes / Comments/Source of Information See TlS-9 comment. See TlS-9 comment. 
... * .... I -:a Accident Sequence Sequence Number T 3 Q: TJ-15 T3QH 1 S2-2 Loss of DC Bus lA: TsALP TS-11 T5ALD2 TS-12 Loss of DC Bus lB: T 58 LP TS-11 T5aLD2 TS-12 T70oQS T7-8 T70oQQ9 T7-12 T7L3 T7-1J T7D1Qs T7-16 Table 4.10-4 (CONTINUED)
Accident sequences Quantified Before and After Recovery SEQUENCE FREQUENCY (IRX-YR) Sequence Boolean Equation TRANSFER TO S2 TJ*/K*Q*/Dl*/L*/CS*/OD*Hl T5A*/K*/Q*L*/D2*P T5A*/K*/Q*L*D2 T5B*/K*/Q*L*/D2*P T5B*/K*/Q*L*D2 Before After Recovery Recovery 1. JE-07 <5E-10 LOSS OF DC BUS 3.BE-06 l.4E-7 2.5E-07 9.0E-9 J.BE-06 1.4E-7 2.7E-07 9.0E-9 STEAM GENERATOR TUBE RUPTURE (SGTR) T7*/K*/D1*/L3*0D*/Q*QS 6.2E-04 1.4E-6 T7*/K*/D1*/LJ*OD*Q*QS 7.9E-07 l.2E-7 T7*/K*/D1*LJ 2.9E-06 1. OE-7 T7*/K*D1*/LJ*/OD*/Q*QS 1.4E-07 4.BE-9 Sequence Comments/Source Eliminated of Information Yes No Yes No Yes No No No Yes 
,i::,. . t--' 0 I ,i::,. 00 Accident Sequence Sequence Number T7-18 '1'7-20 A-2 A-6 A-7 Sl-2 Sl-J Sl-9 S2-2 S2-19 Table 4.10-4 (CONTINUED)
Accident Sequences Quantified Before and After Recovery SEQUENCE FREQUENCY
(/RX-YR) Before After Sequence Boolean Equation Recovery Recovery Sequence Comments/Source Eliminated of Information T7*/K*D1*/LJ*OD T7*K (ATWS) J.7E-06 6.0E-07 l.9E-:--7 l.OE-7 LARGE LOSS OF COOLANT ACCIDENT (A LOCA) A*/D5*/D6*/CS*Hl A*/D5*D6 A*OS 7.0E-07 4.7E-07 8.SE-07 6.7E-7 4.7E-7 8.SE-7 MEDIUM LOSS OF COOLANT ACCIDENT (Sl LOCA) Sl*/Dl*/05*/CS*/06*111 Sl*/Dl*/D5*/CS*D6 Sl*Ol l.4E-06 9.4E-07 9.SE-07 l.JE-6 9.4E-7 8.lE-7 SMALL LOSS OF COOLANT ACCIDENT (S2 LOCA). S2 * /K* /01 */L* /CS*/OD*lll S2*/K*D1 1. 6E-06 9.BE-07 2.4E-9 4.JE-7 No No No No No No No No Yes No Evaluated ately. Does not transfer to the ATWS tree. 
* Accident Sequence ~J 0 o 11 2 S30oH1 S3D1 EVENT V TKRD 4 TKRZ Sequence Number SJ-3 SJ-5 SJ-6 SJ-23 V-1 'l'K-3 'l'K-9 Table 4.10-4 (CONTINUED)
Accident Sequences Quantified Before and After Recovery SEQUENCE FREQUENCY
(/RX-YR)
* Before After Sequence Boolean Equation Recovery Recovery Sequence Comments/Source Eliminated of Information VERY SMALL LOSS OF COOLANT ACCIDENT (S3 LOCA) SJ*/K*/Dl*/QC*/L*/OD*WJ*Hl S3*/K*/D1*/QC*/L*OD*/H1*H2 SJ*/K*/Dl*/QC*/L*OD*Hl SJ*/K*Dl J.7E-07 L JE-07 4.5E-07 1.GE-05 5.9E-10 <5E-10 4.GE-9 6.JE-7 INTERFACING LOSS OF COOLANT ACCIDENT (V) INTERFACING LOCA SEQUENCE 1.2E-06 1.2E-6 ANTICIPATED TRANSIENT WITHOUT SCRAM T*K*R*D4 T*K*R*Z 5.7E-07 8.4E-07 5.7E-7 8.4E-7 Yes Yes Yes No No
No No

Table 4.10-5
IMPACT OF OPERATOR ACTIONS

                 ------- Core Damage Frequency* (Per Rx-Yr) -------
Accident         All HEPs and         Recovery Factors     All HEPs
Sequence         Recovery Factors     Only                 Set to Final Values
                 Set to 1.0           Set to 1.0

DOMINANT SEQUENCES
AD5              8.5E-7               8.5E-7               8.5E-7
AD6              4.7E-7               4.7E-7               4.7E-7
AH1              5.0E-4               7.0E-7               6.7E-7
S1D1             9.5E-7               9.5E-7               8.1E-7
S1D6             9.4E-7               9.4E-7               9.4E-7
S1H1             1.0E-3               1.4E-6               1.3E-6
S2D1             9.8E-7               9.8E-7               4.3E-7
S3D1             1.6E-5               1.6E-5               6.3E-7
T2LP             2.9E-4               2.2E-5               7.7E-7
T2LD2            2.8E-4               2.0E-5               7.2E-7
T5ALP            3.8E-6               3.8E-6               1.4E-7
T5BLP            3.8E-6               3.8E-6               1.4E-7
T7D1OD           9.1E-6               3.7E-6               1.9E-7
T7L3             2.9E-6               2.9E-6               1.0E-7
T7KR             6.0E-7               6.0E-7               1.0E-7
T7ODQS           1.0E-2               6.2E-4               1.4E-6
T7ODQQS          6.6E-4               7.9E-7               1.2E-7
TKRZ             5.0E-6               8.4E-7               8.4E-7
TKRD4            4.0E-4               5.7E-7               5.7E-7
V                1.2E-6               1.2E-6               1.2E-6
SBO-BATT         1.9E-5               1.6E-5               7.6E-6
SBO-SLOCA        5.7E-5               2.8E-5               3.9E-6
SBO-L            5.1E-5               5.0E-5               3.5E-6
SBO-Q            2.1E-6               2.1E-6               1.9E-6
SBO-BATT2        4.5E-7               5.0E-7               3.0E-7
SBO-SLOCA2       3.4E-6               3.3E-6               2.7E-6
SBO-L2           6.3E-6               6.3E-6               6.3E-7
SBO-Q2           4.0E-7               3.9E-7               3.5E-7
Sub-Total:       1.3E-2               8.1E-4               3.4E-5

NON-DOMINANT SEQUENCES
AF1F2CV          6.8E-9               6.8E-9               2.3E-9
AF1F2H1          2.5E-8               2.5E-8               2.5E-8
AD6C             1.4E-9               1.4E-9               1.3E-9
S1F1F2CV         1.4E-8               1.4E-8               4.0E-9
S1F1F2H1         5.0E-8               5.0E-8               5.0E-8
S1D1C            2.7E-9               2.7E-9               2.7E-9
S2H1             1.6E-6               1.6E-6               2.4E-9
S2ODH1           1.6E-6               3.0E-8               1.3E-10
S2ODH2           4.6E-7               9.3E-9               4.0E-11
S2F1F2H1         5.0E-8               5.0E-8               5.0E-8
S3D1C            3.5E-8               3.5E-8               3.5E-8
S3QCH1           7.0E-10              7.0E-10              1.1E-12
S3ODH1           2.1E-5               4.5E-7               4.6E-9
S3ODH2           6.0E-6               1.3E-7               2.7E-10
T1LD2            2.6E-5               1.9E-6               6.4E-8
T1LH2            7.6E-8               7.6E-8               7.6E-8
T1LP             2.6E-5               2.6E-6               7.8E-8
T1QH1            9.8E-8               1.3E-8               1.3E-8
T1QH2            2.7E-9               2.7E-9               2.7E-9
T2LF1F2          1.8E-7               1.8E-7               8.2E-9
T2LH1            4.4E-7               4.4E-7               1.4E-8
T2QD1            2.1E-6               1.2E-8               3.7E-9
T2QHP            1.7E-8               1.7E-8               1.7E-8
T3LM             2.4E-4               4.4E-7               1.6E-8
T5ALD2           3.6E-6               2.5E-7               9.0E-9
T5BLD2           3.6E-6               2.7E-7               9.0E-9
T7D1QS           1.4E-7               1.4E-7               4.8E-9
T~QS             4.3E-7               1.7E-8               1.7E-8
T L 2            9.9E-8               6.8E-8               6.8E-8
TKRT             2.0E-4               9.0E-8               9.0E-8
Total            1.4E-2               8.2E-4               3.5E-5

*Point estimates based on the propagation of mean values.

4.11 Plant Damage State Quantification
The dominant accident sequences were delineated into plant damage states, as described in Section 4.5. This section discusses the quantification of those plant damage states. Quantification of plant damage states involved calculation of failure probabilities for containment heat removal and containment isolation. All other plant damage state indicators could be identified by inspection of the sequences.

4.11.1 Quantification of Containment Heat Removal

In order to quantify the plant damage states, it was necessary to calculate the probability of failure of containment heat removal. It was also necessary to develop a split fraction for states with and without sprays. Failure of containment heat removal without sprays occurs due to failures of pumps and containment spray valves. Failure of containment heat removal with sprays operable occurs when the service water valves to the heat exchangers fail to open. This will prevent heat removal from containment, but will allow the operable spray pumps to continue to pump hot water from the sump. Failure of the service water valves will fail the ISR pumps, however, due to the subcooling dependency during the early phases of the event. This dependency has been previously discussed in Section 4.6. The OSR pumps have the same NPSH-subcooling relationship, but they are dependent on the containment spray system for subcooling. By the time the RWST is depleted and the CSS stops, there is sufficient water in the sump so that sufficient NPSH is available to allow the OSR pumps to operate.

Containment heat removal can fail due to event CF1 or event F1F2. Analysis of the CF1 partial sequence results in a failure probability of 1.2E-5 before recovery of actuation failures. Note that this is an independent assessment of these events and cannot necessarily be multiplied by other failure combinations as if the events were independent. For many of the sequence quantifications, resolving of Boolean equations is necessary. The failure probability after recovery of actuation failures is 6.5E-6. All of this frequency represents failure states without operable sprays.

The failure probability of F1F2, as an independent event, is 6.9E-4 without recovery and 2.1E-4 after recovery. These failure probabilities are dominated by the common cause failure of the service water valves on the spray heat exchangers. This event is 6.3E-4 without recovery and 1.5E-4 after recovery. Of the 2.1E-4 frequency, 71% represents states where the OSR pumps will be operating and can provide spray action, although containment heat removal will not be available.
4.11.2 Quantification of Containment Isolation Failure

Failure to isolate containment is an important factor in determining release categories for core damage accidents. Quantification of failure of containment isolation must use success criteria that are compatible with the back-end analysis. It also must realistically model containment operations which could possibly affect isolability, such as containment purge, containment entry, and undetected failure of the containment boundary. The containment shell itself as well as penetrations must be included in the evaluation.

Two types of failure modes must be included in the calculation of containment isolation failure. One type of failure represents loss of integrity of the containment building due to events such as leaky penetrations and failed welds. Fault tree analysis is not well suited to evaluate this type of failure. The other type of failure involves unisolated lines in communication with the containment atmosphere, due to failure of both isolation valves to close. Fault tree analysis is well suited to evaluate this type of failure.

Calculation of the probability of containment isolation failure was based on evaluation of historical experience rather than fault tree analysis. References 47 and 48 analyze over 3400 LERs related to failure of containment isolation components. These events often represent failure of one containment isolation valve, and often these valves are on lines that are not in open contact with the containment atmosphere. These types of failures do not represent a true loss of containment isolation, but rather a failure of the containment isolation system to operate. Reference 48 evaluates the data to count only those failures in lines open to the containment atmosphere and calculates the probability of two valves failing simultaneously in the same line. This would represent a true probability for failure of containment isolation.

Reference 48 derives a probability of 7E-2 for large leakage, where large is defined as greater than 100 times the allowable leakage during an Integrated Leak Rate Test (La). This definition of large leakage calculates to be about 6% per day. Reference 47 uses results of Integrated Leak Rate Tests to calculate a probability of containment isolation failure. They calculate a failure probability of 3.3E-2 for PWRs for the largest leak size, that being a leak area of 0.6 square inches. For the Surry containment, this corresponds to a leak rate of about 15% per day at ILRT test pressure.

Both of these estimates are of limited applicability to the Surry analysis, for reasons discussed below. For the purpose of the back-end analysis, leak rates are divided into three categories, as shown below:

Leak Rate                              Hole Size
No significant depressurization        L < 0.1 ft²
Depressurize in 2~4 hours              0.1 ft² < L < 1 ft²
Depressurize in less than 4 hours      L > 1 ft²

As can be seen, even the "large" leak sizes used by References 47 and 48 are much smaller than that needed to be significant to the back-end analysis. The only leak paths available to produce such a leak size are simultaneous opening of both sides of the airlock, or normal containment purging combined with the failure of the purge lines to isolate upon an accident. These have been estimated at 5E-5 and 5E-3 respectively by Reference 47.

These leak paths are not applicable to a subatmospheric containment such as Surry. The Surry containment is maintained at about 9.5 psia during normal operation. Containment pressure is under Technical Specification and under no circumstances can it go above 11 psia. Containment vacuum is maintained by a vacuum pump, which takes suction from the containment atmosphere through a two inch line. Containment purging is not done during power operation. Any failure of a size sufficient to be of interest to the back-end analysis could not go undetected due to the containment pressure requirements. It was therefore considered that failure of containment isolation at Surry of sufficient magnitude to be of interest to the back-end analysis was negligible.
4.11.3 Quantification of Plant Damage States

The plant damage state quantification was done in a similar manner to the sequence quantification, except that the additional recovery actions were not applied. Table 4.11-1 shows the PDS assignment for each sequence, and the point estimate frequencies. Table 4.11-2 shows the resultant PDS frequencies for all PDSs greater than 1E-9/yr. Each plant damage state with a point estimate frequency greater than 1E-7/yr was passed along to the containment analysis portion of this study. Plant damage states with frequencies between 1E-9 and 1E-7 were examined to determine whether any state represented substantially more severe containment conditions than any of the PDSs which were above 1E-7/yr. This was not the case. Consequently, no plant damage states above 1E-7/yr were included in the containment analysis.

Uncertainty analysis, using TEMAC, was also performed on each of the plant damage state groups. These results are shown in Table 4.11-3.
* 4.11-3 Sequenc~ AD 5 Table 4.11-1 Plant Damage State Assignment of Dominant Core Damage Sequences PDS Point Estimate Frequency ALYY-YYY 8.5E-7 ALNY;_yyy 5.5E-ll ANNY-NYY 2.3E-12 ALSY-YYY l.3E-10 ANYY-YYN 4.6E-7 ANNY-YYN 3.0E-11 ANNY-NYN l.4E-9 ANSY-YYN 7.0E-11 AIYY-YYN 6.5E-7 AINY-YYN 2.5E-8 AISY-YYN 1.0E-10 s 1 IYY-YYN l.3E-6 S1INY-YYN 5.0E-8 s 1 ISY-YYN 2.0E-10 S1LYY-YYN 8.lE-7 s 1 LNY-YYN 5.2E-11 s 1 LSY-YYN 1.2E-10 s 1 NNY-NYN 2.7E-9 S1NYY-YYN 9.lE-7 s 1 NNY-NYN 2.7E-9 s 1 NNY-YYN 6.lE-11 s 1 NSY-YYN 1.4E-10 S 2 LYY-YYN 4.2E-7 s 2 LNY-YY~ 2.8E-11 s 2 NNY-NYN 2.7E-9 s 2 LSY-YYN 6.4E-11 S 3 LYY-YYN 5.9E-7 s 3 LNY-YYN 4.3E-11 S3LSY-YYN 9.9E-11 s 3 NNY-NYN 3.5E-8 4.11:..4 
*
* Sequence TKRZ Table 4.11-1 (Continued)
Plant Damage State Assignment of Dominant Core Damage Sequences PDS Point* Estimate*
F'reguencf S3NYY-YXN 8.4E-7 S 3 NNY-YXN .5.4E-ll S3NNY-NXN 2.3E-l2 s 3 NSY-YXN l.3E-10 TLYY-YXY t7E-7 TLNY-YXY 3.7E-ll TLSY-YXY 8~.5E-11 TNNY-NXY L.5E-10 TLYY-YNY 7.2E-7 TLNY-YNY 4.7E-11 TNNY-NNY 2.9E-11 TLSY-YNY 1.lE-10 TBYY-YNY 7.7E-7 TBNY-YNY .5.0E-11 TBNY-NNY 2.lE-12 TBSY-YNY 1.2E-10 HINY-NXY 1.4E-6 GLYY-YNY 1.0E-7 GNNY-YNY 3.&E-13 GLSY-YNY 1 * .5E-11 GLYY-YXY 1.9E-7 GNNY-NXY 3.7E-10 GLNY-YXY 1.lE-11 GLSY-YXY 3.7E-10 GLYY-YXY 1.0E-7 GLNY-YXY 6 * .5E-12 GNNY-NXN 2.7E-13 GLSY-YXY l * .5E-11 HINY-YXY 1.2E-7 4.11-.5 Table 4.11-1 (Continued)
Plant Damage State Assignment of Dominant Core Damage Sequences
* Sequence *pt,s Point* "l:.stimate
* Freguencf T 5 ALP TBYY-YNY 1.4E-7 TBNY-YNY 9.lE-12 TBNY-NNY t&E-13 TBSY-YNY 2.2E-ll T 58 LP TBYY-YNY l.4E-7 TBYY-YNY 9JE-12 TBNY-NNY 3.&E-13 TBSY-YNY 2.2E-11 Ttsi-NR7 TRRR-RDY 5.2E-6 T 1si-OS-L TRRR-RSR 3.2E-6 T tsi-W2-SL-NRS S3RRR-RDR 2.7E-6 T1si-0S-NR7 TRRR-RDY l.9E-6 T 158-SL-NRS S3RRR-RDR 1.&E-6 T 1s10-NR1 S2RRR-RCR 1.4E-6 T1si-L TRRR-RSR 3.&E-7 Ttsi-W2-NR7 TRRR-RDR 3.0E-7 T1ss-Q-NRl S 2 RRR-RCR 2.6E-7 T 1SB-L TRRR-RSR 2.5E-7 T lSBNR7 TRRR-RDR 2.0E-7 T ts10-QS-NR1 S 2 RRR-RDR 5.lE-7 T 158-QS-SL-NRS S3RRR-RDR 7JE-7 T1ss-OS-L TRRR-RSR 3.&E-7 T 151-QS-W2-SL-NRS S3RRR-RDR l.lE-6 T 1Sl-W2-0D-SL-NRS S3RRR-RCR l.5E-7 T1s10S-W2-NR7 TRRR-RDR l.2E-7 4.11-6 
Table 4.11-2
Plant Damage States Above 1E-9

Plant Damage State     Point Estimate Frequency
AINY-YYN               2.5E-8
AIYY-YYN               6.5E-7
ANNY-NYN               1.4E-9
ANYY-YYN               4.6E-7
ANYY-YYY               8.5E-7
GLYY-YNY               1.0E-7
GLYY-YXY               2.9E-7
HINY-YXY               1.2E-7
HINY-NXY               1.4E-6
S1INY-YYN              5.0E-8
S1IYY-YYN              1.3E-6
S1LYY-YYN              8.1E-7
S1NNY-NYN              2.7E-9
S1NYY-YYN              9.1E-7
S2NNY-NYN              2.7E-9
S2LYY-YYN              4.2E-7
S2RRR-RCR              1.7E-6
S2RRR-RDR              5.1E-7
S3NYY-YXN              8.4E-7
S3NNY-NYN              3.5E-8
S3LYY-YYN              5.9E-7
S3RRR-RCR              2.5E-7
S3RRR-RDR              6.3E-6
TBYY-YNY               1.1E-6
TLYY-YXY               5.7E-7
TLYY-YNY               7.2E-7
TRRR-RDR               6.2E-7
TRRR-RDY               7.1E-6
TRRR-RSR               4.2E-6
TRRR-RCR               1.7E-8
V                      1.2E-6
                       3.3E-5

Table 4.11-3
Frequencies of Plant Damage State Groups

Group    Group            Plant Damage
Number   Name             States         5%        Median    Mean      95%
1        Slow Blackout    TRRR-RDY       6.1E-7    8.2E-6    2.2E-5    9.5E-5
                          S3RRR-RDR
                          S2RRR-RDR
                          TRRR-RDR
                          S2RRR-RCR
                          S2RRR-RCR
2        LOCAs            S1IYY-YYN      1.2E-6    3.8E-6    6.0E-6    1.6E-5
                          S1NYY-YYN
                          AIYY-YYN
                          S1LYY-YYN
                          ALYY-YYY
                          S3LYY-YYN
                          S2LYY-YYN
                          ANYY-YYN
3        Fast Blackout    TRRR-RSR       1.1E-7    1.7E-6    5.4E-6    2.3E-5
4        Event V          V              3.8E-11   4.9E-8    1.6E-6    5.3E-6
5        Transients       TBYY-YNY       7.2E-8    6.9E-7    2.1E-6    6.0E-6
                          TLYY-YNY
6        ATWS             S3NYY-YXN      3.2E-8    4.2E-7    1.6E-6    5.9E-6
                          TLYY-YXY
                          GLYY-YXY
7        SGTRs            HINY-NXY       1.2E-7    7.4E-7    1.8E-6    6.0E-6
                          GLYY-YXY
                          GLYY-YNY
                          HINY-YXY
4.12 Uncertainty Analysis

This section discusses the sources and treatment of uncertainty for the Surry study. Uncertainty in the analysis is always expressed as a quantitative bounding of the central value. Uncertainty can derive from the selection of the data base used to determine parameter values, modeling assumptions, and completeness of the analysis. Numerical uncertainty due to statistical variation is easy to express. Uncertainty in the parameter values is propagated through the quantification process so that the core damage and risk estimates can be supplied with numerical bounds. Modeling uncertainties reflect a degree of belief and are intrinsically more difficult to quantify.
4.12.1 Sources and Treatment of Uncertainties

Two types of uncertainty were addressed in the Surry study: parameter value uncertainty and modeling uncertainty. The parameters of interest are those of the probability models for the basic events of the logic models. They include failure rates, component unavailabilities, initiating event frequencies, and human error probabilities. The essential difference between the parameter value uncertainty and modeling uncertainty is the following: parameters can take on any of a continuous range of values, and the fact that there is uncertainty as to which value is correct does not change the structure of the logic model. Investigation of modeling uncertainties, on the other hand, requires that discrete modeling hypotheses be proposed, and the different hypotheses may well lead to different logic models.

Sources of parameter uncertainty include lack of data on component failure modes, interpretation of data and component performance records, and the use of industry-wide data for plant specific analyses. Modeling uncertainty reflects limitations of knowledge regarding phenomenological impacts on component performance, physical propagation of accident progression through the plant systems, and human response to abnormal conditions.

Parameter value uncertainties have been handled in this study by defining a probability distribution on the value of each parameter such that the nth percentile of the distribution represents the value below which the analyst has a degree of belief of n/100 that the true value lies. This subjective approach to the representation of uncertainty makes the propagation of parameter value uncertainty through the sequence quantification process mathematically straightforward, using stratified Monte Carlo (e.g., Latin Hypercube Sampling) or other sampling techniques. The uncertainty ranges used for the distributions are based on generic estimates. These range factors consider those factors which may affect the failure properties of the component in the different uses and environments. The range also considers plant-to-plant variation.

Modeling uncertainties are treated by defining discrete or continuous probability distributions over the different modeling hypotheses. Previous studies have incorporated modeling uncertainties into their analyses by performing sensitivity analyses on several issues to identify which modeling hypotheses are most significant. The method used for the Surry analysis, for selected issues, was to elicit from a panel of experts modeling judgments which weigh the various hypotheses for each modeling uncertainty. The variability in model propriety can then be quantified and propagated through the accident sequence quantification. This method results in the inclusion of the various hypotheses in the final core damage and risk estimates. The expert elicitation process used in the NUREG-1150 plant analyses is described in NUREG/CR-4550, Revision 1, Volume 2.

4.12.2 Development of Parameter Distributions

Probabilistic distributions for parameter values were developed from several sources of information including plant specific data, industry-wide data summaries and analyses, past PRAs, and formal and informal expert opinion elicitation. If sufficient plant specific data was available for a particular component failure mode, then the mean value of that parameter distribution was based on the plant specific data. Generic estimates were used for the error factors. Often, sufficient plant data did not exist for some parameters, so generic estimates and uncertainty models based on industry data were used for many parameter values. When generic parameter estimates were used in the Surry analysis, they were derived from the ASEP Generic Data Base in the methodology document for the supporting analysis of NUREG-1150, NUREG/CR-4550, Revision 1, Volume 1. Expert opinion elicitations from project staff, documented in NUREG/CR-4550, Revision 1, Volume 2, Part 2, were used to assess parameter uncertainties which could not be modeled from plant specific or generic data.

The recovery probability for offsite AC power and initiating event frequencies for loss of offsite power were modeled by industry data with a composite statistical model which combined probability models for plant centered, grid, and weather related losses together. The plant centered model was adjusted to be site specific and include Surry specific historical experience. The grid/weather portion was adjusted to include Surry historical experience. Derivation of the T1 initiating event frequency is shown in Appendix D.3.

Human error probabilities and uncertainties were developed by applying the rules for Human Reliability Assessment (HRA) from NUREG/CR-1278 and NUREG/CR-4772. These rules recommend using log normal distributions to model HRA parameter uncertainty. However, some adjustment to this recommendation was made for events with mean values greater than 2E-2 and error factors greater than 10, and also events with mean values greater than 1E-1 and error factors greater than 3. The Latin Hypercube Sampling (LHS) code, which is used with the Top Event Matrix Analysis Code (TEMAC), calculates probability distributions to the 99th percentile. Using the mean and error factor recommended for certain HRA results, log normal distributions were developed which had 99th quantiles greater than 1.0. For these parameters, the distribution was changed to a maximum entropy distribution, with the maximum value defined as either 1.0 or the mean multiplied by the range factor, whichever is less. The minimum value was defined by dividing the mean by the range factor.

4.12.3 Elicitation of Expert Opinion

Modeling uncertainty was treated using the elicitation of expert opinion. This process and its results are discussed in Volume 2 of NUREG/CR-4550.
The elicitation of expert opinion was done in two phases. The first phase was a formal process where a panel of nationally recognized PRA experts were convened to assess the ten most significant modeling issues. The second phase was a less formal process where the project staff were elicited. Issues not covered by the expert panel, but still deemed significant, were put before the analysts working on the various plant analyses. The informal elicitations followed the same methods and rules as the expert panel process.

The formal expert panel elicitations are documented in Volume 2, Part 1 of NUREG/CR-4550, Revision 1. Among the ten issues reviewed by the panel, three of them were applicable to the Surry analysis. These are:
* Reactor Coolant Pump Seal LOCA Model
* Common cause failures in interfacing LOCA
* Application of Innovative Recovery

The informal elicitation process also involved several issues applicable to the Surry analysis. These were:
* Common Cause Beta Factor Uncertainty Ranges
* Common Cause Factors for AOVs
* SG Safety Valve Demand and Closure Probabilities

These issues and their resolutions are documented in Volume 2, Part 2 of NUREG/CR-4550, Revision 1, but are briefly summarized below.

The reactor coolant pump seal LOCA model predicts the development of leakage from RCP seals after loss of seal cooling. The elicitations were done to predict timing and leakage rates necessary for quantification of core uncovery probabilities. The development of the leak paths is detailed in Appendix D of this report, but the results can be summarized here. The seal LOCA model predicts seal stability up to 1.5 hours from loss of seal cooling. At that time, there is a 70% chance of developing significant seal leakage. The most predominant leak path, which has a 53% chance of occurring, results in a total RCS leak rate (from all three pumps) of 750 gpm. The seals continue to degrade up to 4 1/2 hours from loss of cooling, when the total probability of significant leakage is 73%, with a 67% chance of leakage greater than 750 gpm. By 4 1/2 hours, RCS cooldown and depressurization would have minimized seal LOCA risk.

The interfacing LOCA issue was put to elicitation because there was no appropriate failure data for check valve rupture and common cause check valve rupture. The elicitation process was used to develop probabilities for check valve rupture, leakage, and dependent failures. The expert panel confirmed that the only two credible scenarios for interfacing LOCA in the LPI/LPR system at Surry were rupture of two check valves in series, or the undetected failure of one check valve to release upon startup, followed by rupture of the other during pressurized operation. The double rupture scenario could be random or could include a dependent failure of the second valve. The annual frequency of this event was calculated to be 1.6E-6. Approximately one third is due to the upon-startup scenario and two thirds is due to the dependent-check-valve-failure scenario. The random rupture scenario was insignificant compared to the other two scenarios.

Innovative recovery actions were postulated for two types of sequences. The recovery actions were to vent containment in the event of long term loss of containment heat removal, or to gag a stuck open secondary relief valve in a steam generator tube rupture sequence. These are discussed in Section 4.8.5.

The uncertainty ranges for the common cause Beta factors used in the plant analyses were scrutinized by reviewing the common cause data in the Fleming common cause analysis, EPRI NP-3967, for misclassification of data. The conclusion of the elicitation was that the existing common cause uncertainty models accounted for any reasonable misclassification of the data.

The Fleming report did not have an analysis for AOVs, so the uncertainty model for common cause AOVs was assessed as part of the formal elicitations. Based on the results in EPRI NP-3967 for several types of valves and valves as a total family of components, a common cause Beta factor model of a log normal distribution with a mean of 0.1 and an error factor of 3 was developed.

Failure of a steam generator safety or relief valve to reclose during a steam generator tube rupture is identified as an important contributor to core damage. In order to calculate the probability of this event, two other probabilities must be known: the demand probability for the relief valve to open and the probability for failure to reclose. These questions were put to elicitation. The results of the elicitation considered that the valve demand probability is related to the operator's ability to control SI flow and to cool down and depressurize the reactor. The elicitation also considered that failure to perform these actions would not only lead to relief valve demand, but would cause conditions leading to the passage of two phase flow out of the relief valves. The probability of a relief valve failing to reclose, after passing two phase flow, is generally considered to be much higher than the nominal failure probability. In deciding to quantify these considerations, the panel considered that, in the extreme, failure to control SI and RCS pressure would guarantee a relief valve demand, and also lead to passage of two phase flow or subcooled water through the relief valve. Also, in the extreme of numerous demands, continued passage of subcooled water would cause the relief valve to fail open.

4.12.4 Quantification of Accident Sequence Uncertainty

The uncertainty of the parameter values was propagated through the accident sequence models using two computer codes. A Latin Hypercube Sampling (LHS) algorithm was used to generate the samples for all of the parameter values. The LHS algorithm is documented in NUREG/CR-3624.
The Top Event Matrix Analysis Code (TEMAC) was used to quantify the uncertainty of the accident sequence equation using the pafq/ljeter samples generated by the LHS code. TEMAC is documented in NUREG/CR-4598.
LHS is a constrained Monte Carlo technique which forces the tails of the distribution to be sampled. The LHS code is also flexible in that it can sample a variety of random variable distributions.
Furthermore, parameter distributions for similar events were . correlated.
For example, if two similar components (e.g., MOV XX-FTO and MOV YY-FTO) are modeled from the same probability distribution, then the sampling of these two distributions was perfectly correlated.
* For basic events which are modeled with very similar but slightly different distriblltions (e.g.*, MOV XX fails to remain closed for 100. hours and MOV YY fails to remain closed for 200 hours), the LHS code permits an induced correlation between the samples. However*, LH.S does not allow the correlation coefficient for this case to be equal to 1.0. LHS did permit sampling with a coefficient of 0.99 in these cases. TEMAC uses the LHS parameter samples and the accident sequence equations (cut sets) as input to quantify the core damage estimates.
TEMAC generates a sample of the dent sequence frequency, a point estimate of the frequency, and various importance measures and ranking for the base events. The TEMAC users manual, NUREG/CR-4598, describes the code's calculations and output in detail. A brief description of the calculations generated for Surry is given below. These results for Surry are presented in Section 5.0 of this report. 4.12-4
Descriptive Statistics for the Top Event

The following descriptive statistics are considered in TEMAC for the top event frequencies and each accident sequence and plant damage state:

* Size of the LHS sample
* The nominal estimate of the top event (quantified with all base events and initiating events set equal to a user-specified nominal value)
* Mean of the sample
* Standard deviation of the sample
* 0.05, 0.25, 0.50, 0.75, and 0.95 quantiles of the sample

The entire sample of the top event generated by TEMAC is plotted to show the cumulative probability distribution and probability density functions of the frequency. These are given in Section 5.1.

Risk Reduction by Basic and Initiating Events

Risk reduction is a measure of the change in top event frequency due to a proportional change in the base event probability. This measure yields a ranking of the base events by importance, or contribution, to top event frequency. The risk reduction figure of merit is analogous to the potential reduction in the top event frequency, if a base event probability is quantified as 0.0, or perfectly reliable. This measure is useful in identifying which components, human actions, maintenance practices, and initiating events should be the focus of efforts to improve reliability and reduce risk.

Uncertainty intervals for risk reduction are also calculated. These are the 0.05 and 0.95 quantiles of the risk reduction calculations generated by performing n such calculations over the LHS matrix base and initiating events samples (n being the size of the Latin hypercube sample). The risk reduction uncertainty intervals show the uncertainty in a base event's contribution to risk due to the uncertainty of the top event frequency. Initiating events are ranked separately from base events.

Risk Increase by Base Event

Risk increase (sometimes called risk achievement) can be thought of as the increase in risk that results should a particular base event's probability be set equal to 1.0. This measure is meaningful only for probabilities and, therefore, is not used for initiating events that can have frequencies greater than 1.0. This measure is useful to assess which elements of the risk model are the most crucial for maintaining risk at current levels. An increase in component unavailability or human error probability for the highest ranking events will have the largest impact on increasing core damage frequency. Uncertainty intervals for risk increase are also calculated.
Uncertainty Importance

The uncertainty importance measure focuses on the contribution to the variance of the frequency of the top event attributable to each of the base and initiating events that jointly constitute the top event. In particular, if $F$ is a composite of these events, where $F$ represents the frequency of the top event, it is reasonable to expect a reduction in $\mathrm{Var}(F)$ if the value of an event, $X_j$, is known with certainty. If $X_j$ is known with certainty, then the variance of $F$ is conditional on the specific value of $X_j$ and is denoted by $\mathrm{Var}(F \mid X_j)$. Moreover, the conditional reduction in the variance of $F$ attributable to ascertaining the true value of the event $X_j$ is expressed as $\mathrm{Var}(F) - \mathrm{Var}(F \mid X_j)$.

The unconditional variance of $F$, $\mathrm{Var}(F)$, can be expressed in terms of the expected value of the conditional variance, $E_{X_j}[\mathrm{Var}(F \mid X_j)]$, and the variance of the conditional expectation, $\mathrm{Var}_{X_j}[E(F \mid X_j)]$, as follows:

$$\mathrm{Var}(F) = E_{X_j}[\mathrm{Var}(F \mid X_j)] + \mathrm{Var}_{X_j}[E(F \mid X_j)]$$

or

$$\mathrm{Var}(F) - E_{X_j}[\mathrm{Var}(F \mid X_j)] = \mathrm{Var}_{X_j}[E(F \mid X_j)]$$

The square root of the left-hand side of the above equation is the measure referred to as uncertainty importance for event $X_j$.

The uncertainty importance measure requires calculating the variance of a conditional expectation of a random variable, $\mathrm{Var}_{X_j}[E(F \mid X_j)]$. If the random variable has a tailed distribution, such as occurs when log normal distributions are used with large error factors, then its variance is extremely difficult to estimate. This estimation problem is directly attributable to the scale of the numbers involved. The scaling problem can be overcome by performing uncertainty importance calculations based on a logarithmic scale for the top event frequencies. The log scale produces a reliable ordering of the events and expresses the results in terms of log-based risk.

However, the log-based uncertainty importance calculations do not readily translate back to a linear scale; thus, the uncertainty importance calculations in TEMAC are given only in terms of log-based risk. TEMAC does, however, provide the analyst with information that aids in the interpretation of the results of the log-based uncertainty importance calculation. This is accomplished by computing the ratio, $R_{.05}$, of the .05 quantile of the distribution of the top event frequency when $X_j$ is held constant at its mean value, to the .05 quantile of the top event frequency when $X_j$ is not held constant. A similar ratio, $R_{.95}$, is calculated by TEMAC for the .95 quantiles.

If $R_{.05}$ and $R_{.95}$ are both greater than 1.0, then the distribution of the frequency of the top event with $X_j$ held constant at its mean value has shifted to the right, or shows an overall higher level of risk. On the other hand, if $R_{.05}$ and $R_{.95}$ are both less than 1.0, then the distribution of the frequency of the top event with $X_j$ held constant at its mean value has shifted to the left, or shows an overall lower level of risk. If $R_{.05} > 1.0$ and $R_{.95} < 1.0$, then the overall uncertainty in the distribution of the top event frequency has decreased. Likewise, if $R_{.05} < 1.0$ and $R_{.95} > 1.0$, then the overall uncertainty in the distribution of the top event frequency has increased.
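The calculations described in Section 4.12.4 (Latin hypercube propagation, top event statistics, risk reduction, risk increase, and the .05/.95 quantile ratios), as an added Python example; it is not the LHS or TEMAC code. It uses cut sets 8, 10 and 11 of Table 5-1 with the Table 5-2 means; the IE-S1 mean (back-calculated from cut set 11), every error factor, the cap of probabilities at 1.0, the rare-event sum and the quantile rule are assumptions.

```python
import math
import random
from statistics import NormalDist, mean

Z95 = NormalDist().inv_cdf(0.95)  # error factor = 95th percentile / median

# Cut sets 8, 10 and 11 of Table 5-1 (all initiated by IE-S1).
CUT_SETS = [
    ("IE-S1", "BETA-2MOV", "LPR-MOV-FT-1862A"),
    ("IE-S1", "BETA-LPI", "LPI-MDP-FS"),
    ("IE-S1", "LPI-MOV-PG-1890C"),
]
# name: (mean, error factor, correlation group). Means are the Table 5-2 values,
# except IE-S1, back-calculated from cut set 11 (ASSUMPTION). All error factors
# and groups are ASSUMPTIONS; events in one group share one LHS column.
EVENTS = {
    "IE-S1":            (1.0e-3, 3.0, None),
    "BETA-2MOV":        (8.8e-2, 3.0, None),
    "BETA-LPI":         (1.5e-1, 3.0, None),
    "LPR-MOV-FT-1862A": (5.2e-3, 3.0, None),
    "LPI-MDP-FS":       (3.0e-3, 3.0, None),
    "LPI-MOV-PG-1890C": (4.4e-4, 3.0, None),
}
INITIATORS = {"IE-S1"}  # frequencies: not capped at 1.0, no risk increase

def lhs_column(n, rng):
    """One uniform draw inside each of n equal-probability strata, shuffled."""
    col = [(i + (rng.random() or 0.5)) / n for i in range(n)]
    rng.shuffle(col)
    return col

def lhs_samples(events, n, seed=1150):
    """Return n dicts {event: sampled value} drawn from log normal marginals."""
    rng, shared, cols = random.Random(seed), {}, {}
    std_normal = NormalDist()
    for name, (mu_x, ef, group) in events.items():
        u = shared.get(group) if group else None
        if u is None:
            u = lhs_column(n, rng)
            if group:
                shared[group] = u  # reuse => perfectly correlated sampling
        sigma = math.log(ef) / Z95
        mu = math.log(mu_x) - sigma ** 2 / 2  # keeps the arithmetic mean at mu_x
        cap = math.inf if name in INITIATORS else 1.0
        cols[name] = [min(cap, math.exp(mu + sigma * std_normal.inv_cdf(x))) for x in u]
    return [{k: c[i] for k, c in cols.items()} for i in range(n)]

def top_event(values, cut_sets=CUT_SETS):
    """Rare-event approximation: sum of the cut set products."""
    return sum(math.prod(values[e] for e in cs) for cs in cut_sets)

def quantile(xs, p):
    """Empirical quantile: the order statistic at index floor(p * n)."""
    s = sorted(xs)
    return s[min(len(s) - 1, int(p * len(s)))]

def importance(samples, event, set_to):
    """Per-sample |F(event=set_to) - F|: 0.0 gives risk reduction, 1.0 risk increase."""
    return [abs(top_event({**v, event: set_to}) - top_event(v)) for v in samples]

def quantile_ratios(samples, event, events=EVENTS):
    """(R.05, R.95): quantiles with the event held at its mean over quantiles without."""
    free = [top_event(v) for v in samples]
    held = [top_event({**v, event: events[event][0]}) for v in samples]
    return tuple(quantile(held, p) / quantile(free, p) for p in (0.05, 0.95))

def analyse(n=1000, seed=1150):
    """Propagate the LHS sample through the cut sets and rank the events."""
    samples = lhs_samples(EVENTS, n, seed)
    f = [top_event(v) for v in samples]
    summarise = lambda xs: (mean(xs), quantile(xs, 0.05), quantile(xs, 0.95))
    report = {
        "point": top_event({k: m for k, (m, _, _) in EVENTS.items()}),
        "mean": mean(f), "q05": quantile(f, 0.05),
        "q50": quantile(f, 0.50), "q95": quantile(f, 0.95),
        "risk_reduction": {}, "risk_increase": {}, "ratios": {},
    }
    for e in EVENTS:
        report["risk_reduction"][e] = summarise(importance(samples, e, 0.0))
        report["ratios"][e] = quantile_ratios(samples, e)
        if e not in INITIATORS:  # risk increase is only meaningful for probabilities
            report["risk_increase"][e] = summarise(importance(samples, e, 1.0))
    return report

if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, value)
```

Holding IE-S1 at its mean gives a .05 ratio above 1.0 and a .95 ratio below 1.0, the "uncertainty decreased" case in the text, because the initiating event appears in every cut set.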
Presentation of Cut Set Results

The TEMAC results for this study are summarized in section 5.0 and are presented in full in Appendix E. TEMAC prints out a ranked listing of the cut sets of the top event equation. The cut sets are ranked by their frequency. For each cut set, TEMAC shows the number of the cut set (this is simply determined by the order in which the cut sets are read into TEMAC; there is no implication between rank and number), the order of the cut set (number of events in the cut set), the frequency of the cut set, the cumulative normalized cut set frequency, and a listing of the cut set. The cumulative normalized cut set frequency for a particular cut set shows what fraction of the top event frequency is modeled by that cut set and all other higher ranked cut sets. This measure is convenient for review and screening of a top event equation. It tells the analyst which cut sets of the equation can be eliminated from further consideration and still retain some minimum threshold of the top event frequency (e.g., 99%). TEMAC also writes the top event equation with the cut sets in order by frequency to an output file. This ranked structuring of the input equation is useful if it is desired to screen out low frequency cut sets from further TEMAC analyses.
5. RESULTS

This section presents the final results of the revised Surry Probabilistic Risk Assessment (PRA) for NUREG-1150. These results include the dominant core damage sequences, their frequencies and contributors, corresponding plant damage state frequencies, and the uncertainty and importance calculations for the comprehensive plant model where all of the accident sequences were combined into one uncertainty analysis. In addition, a comparison of these results with those of WASH-1400 is presented.

The same type of information is given for each accident sequence and plant damage state. Additional information is given for the total core damage frequency (i.e., the statistics, the risk reduction importance measure, the risk increase importance measure, the uncertainty importance measure, and the top cut sets). Further detail can be found in Appendix E. A brief explanation of the computer code producing the results is given in Section 4.12.

Section 5.1 presents the frequency and uncertainty results of the comprehensive plant model. Section 5.2 describes the core damage sequences on an individual basis and identifies their dominant contributors. Section 5.3 discusses the individual plant damage states. Section 5.4 describes the importance measures for the comprehensive plant model discussed in Section 5.1. Section 5.5 compares the results of this study with the results of WASH-1400. Differences in results due to plant modifications, failure data, and study methodology are discussed.
5.1 Characterization of Core Damage Frequency and Uncertainty at Surry

This study resulted in the identification of 28 core damage sequences which comprise the internal events core damage model. Each of these accident sequences is discussed in Section 5.2. The internal events core damage model yielded a sampled mean frequency of 4.0E-5 per reactor year. The cumulative distribution function for the core damage model is shown in Figure 5-1. The probability density function is shown in Figure 5-2. The important statistical parameters of the core damage frequency distribution are listed below. Appendix E shows the corresponding statistics for each individual, dominant accident sequence and plant damage state. These statistics were generated with a sample size of 1000.

Mean                  4.01E-5/yr
Standard Deviation    5.78E-5
95% Upper             1.31E-4/yr
75% Upper             4.52E-5/yr
Median                2.31E-5/yr
25% Lower             1.34E-5/yr
5% Lower              6.75E-6/yr

Figure 5-1. Uncertainty Distribution for Surry Core Damage Frequency. (Axes: cumulative probability versus core damage frequency.)

Figure 5-2. Density Estimation for Surry Core Damage Frequency. (Axes: density versus core damage frequency.)
The comprehensive core damage model represents all accident sequences with frequencies greater than 1E-7/yr. The point estimate frequency of the comprehensive model, which was calculated by simple propagation of mean values for basic event probabilities, is 3.3E-5/yr.

There were 10 fully quantified accident sequences that have point estimate frequencies less than 1E-7/yr. These sequences have a combined frequency of 2.2E-7. In addition, there were 43 partially quantified sequences with point estimate frequencies in the range of 5E-10 to 1E-8. These sequences were partially quantified in that they were not subject to recovery analysis. They were minimal contributors without recovery actions, and therefore not subject to further evaluation. If each of these sequences was estimated to have a recovered frequency of 3E-9, these sequences would represent a total frequency of 1.3E-7. Thus, the total contribution of nondominant sequences is estimated to be 3.5E-7, which accounts for a very small percentage of the core damage frequency.
The models and data used in this study are the most representative analyses that could be supported by the state-of-the-art in reactor safety research.
Sensitivity studies of alternate models or hypotheses were not used in this revised analysis.
All modeling issues were reexamined since the original analysis, and the important modeling issues were resolved through elicitation of expert opinion. The resultant distributions incorporate alternative hypotheses within the uncertainty bounds.

Grouping the accident sequences by types of events shows that station blackout contributes 68 percent of the mean core damage frequency; loss of coolant accidents inside containment account for 15 percent, LOCAs in interfacing systems account for 4 percent, loss of main feedwater accounts for 5 percent, steam generator tube rupture accounts for 4 percent, and anticipated transients without scram accounts for 4 percent.

Reviewing the group of total core damage frequency cut sets shows that a large percentage of the total core damage frequency is contributed by a small number of cut sets. There were 2774 dominant cut sets in the final Surry internal events analysis. The contribution to the total core damage frequency for the cumulative number of cut sets is shown below.

% of Total Core Damage Frequency | Cumulative Number of Cut Sets
30% | 20
50% | 49
60% | 72
70% | 110
80% | 181
90% | 344
95% | 551
99% | 1152
100% | 2274
The top twenty cut sets, comprising 30 percent of the total core damage frequency, are presented in Table 5-1. For each cut set, Table 5-1 lists the events in the cut set, the point estimate frequency, the percent of the total point estimate frequency, and the corresponding accident sequence and plant damage state. Descriptions of the events contained in the top cut sets and the associated mean unavailability are displayed in Table 5-2. The values for cut set frequency in this table are point estimates, based on multiplication of mean values for each event. The top 20 cut sets are discussed individually.

The top cut set is 1.17E-6. No other cut sets are above 1E-6/yr. The single highest cut set, which accounts for 3.5 percent of total CDF, is loss of offsite power followed by common cause failure of all diesels, leading to station blackout at Units 1 and 2. The seals on all three reactor coolant pumps fail at 90 minutes after the blackout, due to loss of all cooling. Failure to recover AC power by 3 1/2 hours after the event leads to core uncovery.

The second most dominant cut set represents an ATWS sequence, where mitigation is not possible. Due to the presence of an unfavorably high moderator temperature coefficient, the primary system pressure rise is not able to be controlled to less than 3200 psi.

The third, fourth, sixth and sixteenth through nineteenth ranking cut sets involve a long term station blackout at Unit 1. These cut sets total 3.18E-6, accounting for 9.6 percent of total core damage frequency. These sequences represent failure of two diesels, causing station blackout at Unit 1, but an operable diesel at Unit 2. Cross connect of the charging system from Unit 2 provides RCP seal injection flow and thus prevents seal failure. Battery depletion will occur at approximately four hours. Failure to recover AC power in seven hours leads to core uncovery, due to inability to control auxiliary feedwater.

The fifth and seventh cut sets represent a steam generator tube rupture, followed by failure of the operator to control primary pressure. Continued inflow of primary coolant into the SG causes relief valve demand and eventual water carry over into the steam line through the relief valve. Subsequent failure of the relief valve to reclose leads to continued discharge of the RCS inventory to the atmosphere. Continued failure to depressurize the reactor leads to RWST inventory depletion and subsequent core uncovery.

The eighth, tenth, and eleventh cut sets involve intermediate LOCAs followed by ECCS failure, in injection or recirculation.
The ninth cut set is a station blackout seal LOCA sequence, very similar to cut set #1, except with the additional failure of a steam generator safety valve to reclose. The next three cut sets each represent an interfacing LOCA in the low pressure injection system. The fifteenth cut set represents loss of all steam generator feedwater flow, followed by failure to initiate feed and bleed cooling. The twentieth cut set is a large LOCA followed by failure of one accumulator to inject into an intact cold leg.

Table 5-1 Top Cut Sets Contributing to the Surry Total Core Damage Frequency

No. | Pt. Est. Freq. | % of Total Pt. Est. Frequency | Cut Set | Accident Sequence | PDS Group
1. | 1.2E-6 | 3.5 | IE-T1 * BETA-3DG * NOTL-SBOU1U2 * NOTQ * NRAC-216M * /O * OEP-DGN-FS * /QS-SBO * RCP-LOCA-750-90M * REC-XHE-FO-DGHWS + | SBO-SLOCA2 | PDS-1
2. | 8.4E-7 | 2.5 | IE-TN * K * R * Z + | TKRZ | PDS-6
3. | 6.2E-7 | 1.9 | IE-T1 * /DGN-FTO * NOTL-SBOU1 * NOTQ * NOTW2 * NRAC-7HR * OEP-DGN-FS-DG01 * OEP-DGN-FS-DG02 * /QS-SBO * REC-XHE-FO-DGHWB + | SBO-BATT | PDS-1
4. | 6.2E-7 | 1.9 | IE-T1 * /DGN-FTO * NOTL-SBOU1 * NOTQ * NOTW2 * NRAC-7HR * OEP-DGN-FS-DG01 * OEP-DGN-FS-DG03 * /QS-SBO * REC-XHE-FO-DGHWB + | SBO-BATT | PDS-1
5. | 6.1E-7 | 1.8 | IE-T7 * MSS-SRV-OO-ODSRV * RCS-XHE-FO-DPRT7 * PORV-BLK * REC-XHE-FO-DPRES * SGTR-SGSRV-ODMD1 + | T7-OD-QS | PDS-7
6. | 5.8E-7 | 1.8 | IE-T1 * BETA-2DG * NOTDG-CCF * NOTL-SBOU1 * NOTQ * NOTW2 * NRAC-7HR * OEP-DGN-FS * /QS-SBO * REC-XHE-FO-DGHWB + | SBO-BATT | PDS-1
7. | 5.2E-7 | 1.6 | IE-T7 * MSS-SRV-OO-ODSRV * RCS-XHE-FO-DPRT7 * PORV-NOT-BLK * SGTR-SGSRV-ODMD2 * REC-XHE-FO-DPRES + | T7-OD-QS | PDS-7
8. | 4.6E-7 | 1.4 | IE-S1 * BETA-2MOV * LPR-MOV-FT-1862A + | S1-H1 | PDS-2
9. | 4.5E-7 | 1.4 | IE-T1 * BETA-3DG * NOTL-SBOU1U2 * NOTQ * NRAC-216M * OEP-DGN-FS * RCP-LOCA-750-90M * QS-SBO * REC-XHE-FO-DGHWS + | SBO-SLOCA2 | PDS-1
10. | 4.5E-7 | 1.4 | IE-S1 * BETA-LPI * LPI-MDP-FS + | S1-D6 | PDS-2
11. | 4.4E-7 | 1.3 | IE-S1 * LPI-MOV-PG-1890C + | S1-D6 | PDS-2
12. | 4.0E-7 | 1.2 | IE-V-TRAIN-1 + | V | PDS-4
13. | 4.0E-7 | 1.2 | IE-V-TRAIN-2 + | V | PDS-4
14. | 4.0E-7 | 1.2 | IE-V-TRAIN-3 + | V | PDS-4
15. | 3.6E-7 | 1.1 | IE-T2 * AFW-PSF-FC-XCONN * AFW-XHE-FO-UNIT2 * HPI-XHE-FO-FDBLD + | T2-L-P | PDS-5
16. | 3.4E-7 | 1.0 | IE-T1 * /DGN-FTO * NOTL-SBOU1 * NOTQ * NOTW2 * NRAC-7HR * OEP-DGN-FR-6HDG1 * OEP-DGN-FS-DG03 * /QS-SBO * REC-XHE-FO-DGHWB + | SBO-BATT | PDS-1
17. | 3.4E-7 | 1.0 | IE-T1 * /DGN-FTO * NOTL-SBOU1 * NOTQ * NOTW2 * NRAC-7HR * OEP-DGN-FT-6HDG3 * OEP-DGN-FS-DG01 * /QS-SBO * REC-XHE-FO-DGHWB | SBO-BATT | PDS-1
19. | 3.4E-7 | 1.0 | IE-T1 * /DGN-FTO * NOTL-SBOU1 * NOTQ * NOTW2 * NRAC-7HR * OEP-DGN-FR-6HDG1 * OEP-DGN-FS-DG02 * /QS-SBO * REC-XHE-FO-DGHWB + | SBO-BATT | PDS-1
20. | 3.3E-7 | 1.0 | IE-A * ACC-MOV-PG-1865B + | A-D5 | PDS-2
Table 5-2 Description of Important Surry Events

Event ID | Event Description(1) | Unavail. (Mean)
ACC-CKV-FT-CV128 | CHECK VLV CV128 FAILS TO OPEN | 1.00E-4
ACC-CKV-FT-CV130 | CHECK VLV CV130 FAILS TO OPEN | 1.00E-4
ACC-CKV-FT-CV145 | CHECK VLV CV145 FAILS TO OPEN | 1.00E-4
ACC-CKV-FT-CV147 | CHECK VLV CV147 FAILS TO OPEN | 1.00E-4
ACC-MOV-PG-1865B | ACC MOTOR OPERATED VLV 1865B PLUGGED | 6.50E-4
ACC-MOV-PG-1865C | ACC MOTOR OPERATED VLV 1865C PLUGGED | 6.50E-4
ACP-BAC-ST-1H1 | 480V AC BUS 1H1 BUSWORK FAILURE | 9.00E-5
ACP-BAC-ST-1H1-2 | 480V AC MCC 1H1-2 BUSWORK FAILURE | 9.00E-5
ACP-BAC-ST-4801J | 480V AC BUS 1J BUSWORK FAILURE | 9.00E-5
ACP-BAC-ST-4KV1H | 4160V AC BUS 1H BUSWORK FAILURE | 9.00E-5
ACP-TFM-NO-1H1 | FAILURE OF POWER XFORMER TO BUS 1H1 | 4.00E-5
AFW-CCF-LK-STMBD | UNDETECT LEAKAGE THRU CV27, CV58, CV89 | 1.00E-4
AFW-CKV-OO-CV142 | BACKFLOW THROUGH CV142 | 1.00E-3
AFW-CKV-OO-CV147 | BACKFLOW THROUGH CV157 | 1.00E-3
AFW-CKV-OO-CV172 | BACKFLOW THROUGH CV172 | 1.00E-3
AFW-MDP-FS | AFW MDP FAILS TO START | 6.30E-3
AFW-MDP-FS-FW3A | MDP AFW 3A FAILS TO START | 6.30E-3
AFW-MDP-FS-FW3B | MDP AFW 3B FAILS TO START | 6.30E-3
AFW-MDP-MA-FW3A | TEST AND MAINTAIN ON AFW MDP 3A | 2.00E-3
AFW-MDP-MA-FW3B | TEST AND MAINTAIN ON AFW MDP 3B | 2.00E-3
AFW-PSF-FC-XCONN | FLOW DIVERSION TO UNIT 2 THRU XCONN | 1.50E-4
AFW-TDP-FR-2P6HR | AFW TDP 2P FAILS TO RUN FOR 6 HRS | 3.00E-2
AFW-TDP-FR-6HRU2 | UNIT 2 AFW TDP FAILS TO RUN FOR 6 HRS | 3.00E-2
AFW-TDP-FS-FW2 | TURBINE DRIVEN AFW PMP FAILS TO START | 1.10E-2
AFW-TDP-FS-U2FW2 | AFW TDP FW2 AT UNIT 2 FAILS TO START | 1.10E-2
AFW-TDP-MA-FW2 | TEST AND MAINT ON AFW TDP 2 | 1.00E-2
AFW-TNK-VF-CST | INSUF WATER AVAIL FM 110,000 GAL CST | 1.00E-6
AFW-XHE-FO-CST2 | FAILURE TO OP TO XCONN UNIT 2 CST | 6.50E-2
AFW-XHE-FO-U1SBO | OP FAILS TO XCONN AFW SBO AT UNIT 1 | 8.20E-2
AFW-XHE-FO-UNIT2 | OP FAILS TO XCONN AFW, TRANSIENTS | 3.60E-2
BETA-AFW | BETA FOR CC FAILURE OF AFW MDPs | 5.60E-2
BETA-2DG | BETA FOR CC FAILURE OF 2 DGs | 3.80E-2
BETA-3DG | BETA FOR CC FAILURE OF 3 DGs | 1.80E-2
BETA-HPI | BETA FOR CC FAILURE OF HPI MDPs | 2.10E-1
BETA-LPI | BETA FOR CC FAILURE OF LPI MDPs | 1.50E-1
BETA-2MOV | BETA FOR CC FAILURE OF 2 MOVs | 8.80E-2
BETA-SRV | BETA FOR CC FAILURE OF SRVs | 7.00E-2
BETA-STR | BETA FOR CC FAILURE OF STRAINERS | 2.63E-1
CPC-MDP-FR-CCA24 | MDP CCA FAILS TO RUN FOR 24 HRS | 7.20E-4
CPC-MDP-FR-SWA3H | MDP SWA FAILS TO RUN FOR 3 HRS | 4.80E-4
CPC-MDP-FR-SWA24 | MDP SWA FAILS TO RUN FOR 24 HRS | 3.80E-3
CPC-MDP-FR-SWB24 | MDP SWB FAILS TO RUN FOR 24 HOURS | 3.80E-3
CPC-MDP-FS-SW10B | MDP SW10B FAILS TO START | 8.00E-3
CPC-MDP-MA-CC2B | TEST AND MAINT ON MDP CC2B | 2.00E-3
CPC-MDP-MA-SW10B | TEST AND MAINT ON MDP SW10B | 2.00E-3
CPC-STR-PG-1HR | CPC STRAINER PLUGGED W/IN 1 HR | 3.00E-5
CPC-STR-PG-3HR | CPC STRAINER PLUGGED W/IN 3 HRS | 9.00E-5
CPC-STR-PG-6HR | CPC STRAINER PLUGGED W/IN 6 HRS | 1.80E-4
CPC-STR-PG-24HR | CPC STRAINER PLUGGED W/IN 24 HRS | 7.20E-4
CPC-STR-PG-2A3HR | CPC STRAINER 2A PLUGGED W/IN 3 HRS | 9.00E-5
CPC-XHE-FO-REALN | OP FAILS TO ALIGN CPC SW TO UNIT2 | 7.00E-2
DCP-BDC-ST-BUS1A | 125V DC BUS 1A BUSWORK FAILURE | 9.00E-5
DCP-BDC-ST-BUS1B | 125V DC BUS 1B BUSWORK FAILURE | 9.00E-5
HPI-CKV-FT-CV25 | CHECK VLV CV25 FAILS TO OPEN | 1.00E-4
HPI-CKV-FT-CV225 | CHECK VLV CV225 FAILS TO OPEN | 1.00E-4
HPI-CKV-FT-CV410 | CHECK VLV CV410 FAILS TO OPEN | 1.00E-4
HPI-CKV-OO-CV258 | CK VLV CV258 FAILS TO SHUT, CAUSE BKFLW | 1.00E-3
HPI-MDP-FR-1A6HR | CHRGNG PMP CH1A FAILS TO RUN FOR 6 HRS | 4.00E-4
HPI-MDP-FS | CHARGING PUMP FAILS TO START ON DEMAND | 4.00E-3
HPI-MOV-FT | HPI MOTOR OP VALVE FAILS TO TRANSFER | 3.00E-3
HPI-MOV-FT-1115B | HPI MOV 1115B FAILS TO OPEN ON DEMAND | 3.00E-3
HPI-MOV-FT-1115C | HPI MOV 1115C FAILS TO CLOSE | 3.00E-3
HPI-MOV-FT-1115D | HPI MOV 1115D FAILS TO OPEN ON DEMAND | 3.00E-3
HPI-MOV-FT-1115E | HPI MOV 1115E FAILS TO CLOSE | 3.00E-3
HPI-MOV-FT-1867C | HPI MOV 1867C FAILS TO OPEN ON DEMAND | 3.00E-3
HPI-MOV-FT-1867D | HPI MOV 1867D FAILS TO OPEN ON DEMAND | 3.00E-3
HPI-XHE-FO-ALT | OP FAILS TO REC CCF OF HPI DISCH MOV | 6.10E-1
HPI-XHE-FO-ALTIN | OP FAILS TO REC HPI VIA ALT PATH | 5.70E-3
HPI-XHE-FO-FDBLD | OP FAILS TO ESTAB FEED & BLEED | 7.10E-2
HPI-XHE-FO-UN2S2 | OP FAILS TO XCONN HPI TO U2 FOR S2D1 | 3.10E-1
HPI-XHE-FO-UN2S3 | OP FAILS TO XCONN HPI TO U2 FOR S3D1 | 4.40E-2
HPI-XVM-PG-XV24 | MANUAL VLV XV24 PLGGED | 4.00E-5
IAS-CCF-LF-INAIR | LOSS OF INSTRUMENT AIR TO ALL AOVs | 2.70E-5
IE-T1 | LOSS OF OFFSITE POWER | 7.70E-2
IE-T2 | LOSS OF MAIN FEEDWATER | 9.40E-1
IE-T7 | STEAM GENERATOR TUBE RUPTURE | 1.00E-2
IE-TN | HIGH PWR XIENT EVENT REQUIRING RX SCRAM | 5.90E-0
IE-V-TRAIN-1 | INTERFACING LOCA FM RCS LOOP 1 TO LPI | 4.00E-7
IE-V-TRAIN-2 | INTERFACING LOCA FM RCS LOOP 2 TO LPI | 4.00E-7
IE-V-TRAIN-3 | INTERFACING LOCA FM RCS LOOP 3 TO LPI | 4.00E-7
K | FAILURE OF RPS TO SCRAM THE RX | 6.00E-5
LPI-CKV-OO-CV50 | CHECK VLV CV50 FLS TO SHUT, CAUSE BKFLW | 1.00E-3
LPI-CKV-OO-CV58 | CHECK VLV CV58 FLS TO SHUT, CAUSE BKFLW | 1.00E-3
LPI-MDP-FR-A21HR | LPI MDP SI1A FAILS TO RUN FOR 21 HRS | 6.30E-4
LPI-MDP-FR-A24HR | LPI MDP SI1A FAILS TO RUN FOR 24 HRS | 7.20E-4
LPI-MDP-FR-B21HR | LPI MDP SI1B FAILS TO RUN FOR 21 HRS | 6.30E-4
LPI-MDP-FR-B24HR | LPI MDP SI1B FAILS TO RUN FOR 24 HRS | 7.20E-4
LPI-MDP-FS | LPI MOTOR DRIVEN PUMP FAILS TO START | 3.00E-3
LPI-MDP-FS-SI1A | LPI MDP SI1A FAILS TO START ON DEMAND | 3.00E-3
LPI-MDP-FS-SI1B | LPI MDP SI1B FAILS TO START ON DEMAND | 3.00E-3
LPI-MDP-MA-SI1A | TEST AND MAINT ON LPI MDP SI1A | 2.00E-3
LPI-MDP-MA-SI1B | TEST AND MAINT ON LPI MDP SI1B | 2.00E-3
LPI-MOV-PG-1890C | LPI MOTOR OPERATED VLV 1890C PLUGGED | 4.40E-4
LPR-CCF-PG-SUMP | PLUGGING OF THE CONTAINMENT SUMP | 5.00E-5
LPR-MOV-FT-1860A | LPR MOV 1860A FAILS TO OPEN | 3.00E-3
LPR-MOV-FT-1860B | MOTOR OPER VLV 1860B FAILS TO OPEN | 3.00E-3
LPR-MOV-FT-1862A | LPR MOTOR VLV 1862A FAILS TO CLOSE | 5.20E-3
LPR-MOV-FT-1862B | LPR MOTOR VLV 1862B FAILS TO CLOSE | 5.20E-3
LPR-MOV-FT-1890A | LPR MOTOR OPER VLV 1890A FAILS TO OPEN | 3.00E-3
LPR-MOV-FT-1890B | LPR MOTOR OPER VLV 1890B FAILS TO OPEN | 3.00E-3
LPR-XHE-FO-HOTLG | OP FAILS TO ALIGN FOR HOT LEG RECIRC | 4.00E-5
MCW-CCF-VF-SBO | OP FAILS TO CLS COND ISOL VLV FOR SBO | 6.00E-2
MSS-CKV-FT-SGDHR | BKFLW THRU 1 OF 2 SG DECAY HEAT RMVL CV | 2.00E-3
MSS-SOV-OO-ODADV | SG PORV FLS TO SHUT, SGTR W/O OP DPRESS | 1.00E-0
MSS-SRV-OO-ODSRV | SG SRV FAILS TO SHUT, SGTR W/O DPRESS | 1.00E-0
MSS-XHE-FO-BLOCK | FAILURE OF OP TO TERMINATE FLOW FROM STUCK OPEN SG PORV | 6.40E-2
MSS-XHE-FO-ISAFW | FAILURE OF OP TO TERMINATE FLOW FROM TDP STM LINE DURING SGTR | 6.50E-6
MSS-XHE-FO-ISDHR | OP FAILS TO ISOL STM FLOW VIA DECAY HEAT REMOVAL BY COOLDOWN | 1.40E-2
NOTDG | SUCCESS OF THE 3RD DG | 9.70E-1
NOTDG-CCF | SUCCESS OF 3RD DG AFTER CC FAILURE OF 2 | 5.20E-1
NOTL-SBOU1 | AFW SUCCESS DURING SBO AT UNIT 1 ONLY | 9.93E-1
NOTL-SBOU1U2 | AFW SUCCESS DURING SBO AT UNITS 1 AND 2 | 9.68E-1
NOTQ | RCS PORV RESHUT DURING SBO | 9.73E-1
NOTW2 | SEAL COOLING FM UNIT2 SUCCESS FOR SBO | 8.15E-1
NRAC-150MIN | NON-RECOVER AC PWR W/IN 150 MIN OF LOSP | 2.10E-1
NRAC-201MIN | NON-RECOVER AC PWR W/IN 201 MIN OF LOSP | 1.50E-1
NRAC-216MIN | NON-RECOVER AC PWR W/IN 216 MIN OF LOSP | 1.38E-1
NRAC-234MIN | NON-RECOVER AC PWR W/IN 234 MIN OF LOSP | 1.23E-1
NRAC-246MIN | NON-RECOVER AC PWR W/IN 246 MIN OF LOSP | 1.15E-1
NRAC-258MIN | NON-RECOVER AC PWR W/IN 258 MIN OF LOSP | 1.05E-1
NRAC-HALFHR | NON-RECOVER AC PWR W/IN 30 MIN OF LOSP | 6.00E-1
NRAC-1HR | NON-RECOVER AC PWR W/IN 1 HR OF LOSP | 4.40E-1
NRAC-7HR | NON-RECOVER AC PWR W/IN 7 HRS OF LOSP | 5.00E-2
NRAC-6HR-AVG | NON-RECOVER AC PWR W/IN 6 HRS OF LOSP | 1.94E-1
NSLOCA | SUCCESSFUL FUNCTION RCP SEALS DURING SBO | 2.70E-1
O | OP FAILS TO DEPRESS RCS DURING SBO | ti..-90E-2
OEP-CRB-FT-15H3 | DIESEL GEN #1 CKT BRKR 15H3 FLS TO CLS | 3.00E-3
OEP-CRB-FT-15J3 | DIESEL GEN #3 CKT BRKR 15J3 FLS TO CLS | 3.00E-3
OEP-DGN-FR-6HDG1 | DG #1 FAILS TO RUN FOR 6 HRS | 1.20E-2
OEP-DGN-FT-6HDG2 | DG #2 FAILS TO RUN FOR 6 HRS | 1.20E-2
OEP-DGN-FR-6HDG3 | DG #3 FAILS TO RUN FOR 6 HRS | 1.20E-2
OEP-DGN-FS | DIESEL GENERATOR FAILS TO START | 2.20E-2
OEP-DGN-FS-DG01 | DIESEL GENERATOR #1 FAILS TO START | 2.20E-2
OEP-DGN-FS-DG02 | DIESEL GENERATOR #2 FAILS TO START | 2.20E-2
OEP-DGN-FS-DG03 | DIESEL GENERATOR #3 FAILS TO START | 2.20E-2
OEP-DGN-MA-DG01 | TEST AND MAIN ON DIESEL GENERATOR #1 | 6.00E-3
OEP-DGN-MA-DG02 | TEST AND MAIN ON DIESEL GENERATOR #2 | 6.00E-3
OEP-DGN-MA-DG03 | TEST AND MAIN ON DIESEL GENERATOR #3 | 6.00E-3
PORV-BLK | PROB A RCS PORV IS BLOCKED PRIOR TO IE | 1.50E-1
PORV-NOT-BLK | PROB RCS PORV IS NOT BLOCKED PRIOR TO IE | 8.50E-1
PPS-MOV-FC-1535 | BLK VLV MOV 1535 SHUT DUE TO LKING PORV | 3.00E-1
PPS-MOV-FC-1536 | BLK VLV MOV 1536 SHUT DUE TO LKING PORV | 3.00E-1
PPS-MOV-FT | PORV BLOCK VALVE FAILS TO OPEN | 4.00E-2
PPS-MOV-FT-1535 | PORV BLOCK VLV 1535 FAILS TO OPEN | 4.00E-2
PPS-MOV-FT-1536 | PORV BLOCK VLV 1536 FAILS TO OPEN | 4.00E-2
PPS-SOV-OO-1455C | RCS PORV 1455C FAILS TO RECLOSE | 3.00E-2
PPS-XHE-FO-EMBOR | OP FAILS TO CORRECTLY EMERGENCY BORATE | 1.00E-3
PPS-XHE-FO-PORVS | FAILURE OF OP TO BTH PORVS FOR FD/BLD | 4.40E-2
QS-SBO | SG SRV/PORV STICK OPEN DURING SBO | 2.70E-1
R | FAILURE TO MANUAL SCRAM THE RX | 1.70E-1
RCP-LOCA-750-90M | 750 GPM RCP SEAL LOCA AT 90 MIN | 5.30E-1
RCP-LOCA-467-150 | 183 GPM INCSNG TO 750 GPM RCP SEAL LOCA | 1.27E-1
RCP-LOCA-183-150 | 183 GPM RCP SEAL LOCA AT 150 MIN | 1.61E-2
RCP-LOCA-183-210 | 183 GPM RCP SEAL LOCA AT 210 MIN | 1.61E-2
RCP-LOCA-1440-90 | 1440 GPM RCP SEAL LOCA AT 90 MIN | 4.30E-3
RCP-LOCA-561-150 | 372 GPM INCSNG TO 750 GPM RCP SEAL LOCA | 4.00E-3
RCP-LOCA-183-90 | 183 GPM RCP SEAL LOCA AT 90 MIN | 1.40E-2
RCS-XHE-FO-DPRT7 | OP FAILS TO DEPRESS/COOL RCS DURING SGTR | 2.90E-2
RCS-XHE-FO-DPT7D | OP FAILS TO DEPRESS/COOL RCS FOR T7D1 | 4.00E-1
REC-XHE-FO-DGEN | OP FAILS TO RECOVER A DG WITHIN 1 HR | 9.00E-1
REC-XHE-FO-DGHWB | OP FAILS TO REC A DG FM HW FAIL IN 6 HR | 6.00E-1
REC-XHE-FO-DGHWS | OP FAILS TO REC A DG FM HW FAIL IN 3 HR | 8.00E-1
REC-XHE-FO-DGTMB | OP FAILS TO REC A DG FM TM FAIL IN 6 HR | 5.00E-1
REC-XHE-FO-DGTMS | OP FAILS TO REC A DG FM TM IN 3 HR | 7.00E-1
REC-XHE-FO-DPRES | OP FAILS TO DEPRESS RCS IN REC FM SGTR | 1.40E-2
REC-XHE-FO-GAGRV | OP FAILS TO GAG SHUT STUCK OPEN RELIEF | 3.00E-1
REC-XHE-FO-SCOOL | OP FAILS TO COOL RCP SEALS DURING SBO | 1.25E-1
RMT-ACT-FA-RMTSA | NO SIGNAL FROM RMTS ACT TRAIN A | 1.60E-3
RMT-ACT-FA-RMTSB | NO SIGNAL FROM RMTS ACT TRAIN B | 1.60E-3
RMT-CCF-FA-MSCAL | CC FAIL RMTS DUE TO MISCALIBRATION | 3.0E-4
RMT-XHE-FO-MANS1 | OP FAILS TO RECOVER RMTS ACT FAILURE | 6.40E-2
RWT-TNK-LF-RWST | INSUF WATER AVAILABLE FM THE RWST | 2.70E-6
SBO-PORV-DMD | RCS PORV DEMAND PROB DURING SBO | 4.50E-1
SGTR-SGADV-ODMD | SGTR SG PORV DEMAND W/O DEPRESS | 1.00
SGTR-SGSRV-ODMD1 | SGTR SG SRV DMD W/O DEPRESS/INJECTION | 1.00E-0
SGTR-SGSRV-ODMD2 | SGTR SG SRV DEMAND W/O DEPRESS | 1.50E-1
SIS-ACT-FA-SISA | NO SIGNAL FROM SIS ACT TRAIN A | 1.60E-3
SIS-ACT-FA-SISB | NO SIGNAL FROM SIS ACT TRAIN B | 1.60E-3
Z | UNFAVORABLE MODERATOR TEMP COEFFICIENT | 1.40E-2
Notes to Description of Important Surry Events

1. Abbreviations used in the Description of Important Surry Events:

ACT = Actuation
AOV = Air Operated Valve
ASEP Gen = ASEP Generic Data
BRKR = Breaker
CC(F) = Common Cause (Failure)
CKT = Circuit
CLS = Close
COND = Main Condenser
CONT = Containment
CST = Condensate Storage Tank
CV = Check Valve
D = Demand
DG = Diesel Generator
DISCH = Discharge
DIST = Distribution
DMD = Demand
DPRESS = Depressurize
EF = Error Factor
FD/BLD = Feed and Bleed Cooling
FLS = Fails
FM = From
HR(S) = Hour(s)
HRA = Human Reliability Analysis
HW = Hardware
IE = Initiating Event
IEEE 500 = IEEE Standard 500-1984
INSUF = Insufficient
INVTR = Inverter
IREP = Interim Reliability Eval. Program Procedures Guide
ISOL = Isolation
LOSP = Loss of Offsite Power
LOG NOR = Log Normal Distribution
MAINT = Maintenance
MAN = Manual
MDP = Motor Driven Pump
MN = Main
MO = Month
MOV = Motor Operated Valve
NUREG-3862 = NUREG/CR-3862
OP = Operator
OPN = Open
PMP = Pump
PORV = Power Oper. Relief Vlv.
PROB = Probability
PSD = Plant Spec. Data (App. D)
PWR = Power
REC = Recovery
RECIRC = Recirculation
RECOVERY = Recovery Analysis
RP = Rupture
RX = Reactor
SBO = Station Blackout
SECT = Section
SIG = Signal
SG = Steam Generator
SGTR = Steam Generator Tube Rupture
SRV = Safety Relief Valve
STA = Station
STM = Steam
TDP = Turbine Driven Pump
TM = Test and Maintenance
TRN = Train
U1 = Unit 1
U2 = Unit 2
UNAVAIL = Unavailable
VLV = Valve
W/IN = Within
W/O = Without
XCONN = Cross Connect
XFERS = Transfers
XFORMER = Transformer
XIENT = Transient
YR = Reactor-Year
ZION = Zion Probabilistic Safety Study

5.2 Accident Sequence Results

Table 5-3 shows the 28 core damage sequences which have a mean value greater than 1.0E-7 and displays the corresponding statistical bounds. Three of the sequences each contribute more than 10 percent of the total core damage frequency.
Grouping the sequences by initiator shows the following contributions to the total core damage frequency.

* Station Blackout: 68% (total)
    Battery Depletion: 27%
    RCP Seal Loss of Coolant Accident: 21%
    Auxiliary Feedwater Failure: 13%
    Stuck Open Power Operated Relief Valve: 6%
* Loss of Coolant Accidents: 19%
* Loss of Main Feedwater: 5%
* Steam Generator Tube Rupture: 4%
* Anticipated Transient Without Scram: 4%

The following subsections discuss each of the dominant sequences, provide a listing of the dominant cut sets, and show key events. Definitions of the associated terms have been previously provided in Table 5-2 in Section 5.1. Accident sequences are presented in order of mean core damage frequency (CDF), with the highest frequency sequence discussed first.

5.2.1 Accident Sequences SBO-BATT and SBO-BATT2

SBO-BATT: 1.05E-5 mean CDF, 26.0% of the Total CDF
SBO-BATT2: 4.30E-7 mean CDF, 1.1% of the Total CDF

These sequences represent station blackout (SBO) followed by battery depletion. The single unit and double unit SBO were modeled as separate sequences, but are discussed here together.

Both sequences are initiated by a loss of offsite power (T1) for greater than 1/2 hour. Failure of the two diesel generators supplying Unit 1 results in loss of all AC power at Unit 1. Failure of all three site diesel generators results in station blackout at Units 1 and 2. The loss of all AC power does not affect instrumentation at the start of the SBO. The class 1E batteries initially supply power to the 120 VAC vital instrumentation power. This instrumentation is necessary to monitor plant temperature and pressure. Long term station blackout leads to battery depletion and subsequent loss of the vital instrumentation.

Station blackout results in the unavailability of the high pressure injection system (D1), the containment spray system (C), the inside spray recirculation system (F1), the outside spray recirculation system (F2), and the auxiliary feedwater motor driven pumps. In these sequences, following station blackout, the turbine driven AFW pump successfully starts and continues to run. If AC power is not recovered, battery depletion was considered to occur after approximately 4 hours. This results in loss of all instrumentation and control power.
Table 5-3 Surry Accident Sequence Core Damage Frequencies

Accident                                                                                            % of
Sequence    Description                                       5%        Median    Mean      95%     Total
SBO-BATT    STATION BLACKOUT (U1) - BATTERY DEPLETION         2.4E-7    3.3E-6    1.1E-5    4.1E-5  26.0
SBO-SLOCA   STATION BLACKOUT (SBO) (U1) - RCP SEAL LOCA       0         1.0E-6    5.3E-6    2.0E-5  13.1
SBO-L       STATION BLACKOUT (U1) - AFW FAILURE               7.9E-8    1.3E-6    4.7E-6    2.1E-5  11.6
SBO-SLOCA2  STATION BLACKOUT (U1, U2) - RCP SEAL LOCA         0         1.1E-6    3.3E-6    1.4E-5  8.2
SBO-Q       STATION BLACKOUT (U1) - STUCK OPEN PORV           9.1E-9    3.R3-7    2.2E-6    8.7E-6  5.4
S1H1        MEDIUM LOCA - RECIRCULATION FAILURE               1.1E-7    7.7E-7    1.7E-6    5.6E-6  4.2
V           INTERFACING LOCA                                  3.8E-11   4.9E-8    1.6E-6    5.3E-6  4.0
T7ODQS      SGTR - NO DEPRESS. - SG INTEGRITY FAILS           3.4E-8    3.7E-7    1.4E-6    5.1E-6  3.5
T2LD2       LOSS OF MFW/AFW - FEED AND BLEED FAILS            1.4E-8    2.0E-7    9.8E-7    2.5E-6  2.4
S1D1        MEDIUM LOCA - INJECTION FAILURE                   1.1E-7    4.6E-7    8.6E-7    2.4E-6  2.1
TKRZ        ATWS - UNFAVORABLE MOD. TEMP. COEFF.              6.3E-9    1.5E-7    8.2E-7    3.2E-6  2.0
AH1         LARGE LOCA - RECIRCULATION FAILURE                6.3E-8    3.8E-7    8.2E-7    3.0E-6  2.0
T2LP        LOSS OF MFW/AFW - FEED AND BLEED FAILS            2.3E-8    2.6E-7    7.4E-7    2.6E-6  1.8
S1D6        MEDIUM LOCA - INJECTION FAILURE                   4.2E-8    2.3E-7    6.7E-7    2.2E-7  1.7
SBO-L2      SBO (U1, U2) - AFW FAILURE                        1.7E-8    2.3E-7    6.5E-7    2.6E-6  1.6
AD5         LARGE LOCA - ACCUMULATOR FAILURE                  1.1E-7    4.6E-7    6.4E-7    1.8E-6  1.6
TKRD4       ATWS - EMERGENCY BORATION FAILURE                 9.5E-9    1.5E-7    6.4E-7    2.8E-6  1.6
S3D1        VERY SMALL LOCA - INJECTION FAILURE               4.2E-8    2.7E-7    6.3E-7    2.4E-6  1.5
S2D1        SMALL LOCA - INJECTION FAILURE                    4.2E-8    2.3E-7    4.4E-7    1.4E-6  1.1
SBO-BATT2   SBO (U1, U2) - BATTERY DEPLETION                  0         0         4.3E-7    1.7E-6  1.1
SBO-Q2      SBO (U1, U2) - STUCK OPEN PORV                    1.8E-9    5.9E-8    3.2E-7    1.3E-6  0.8
AD6         LARGE LOCA - INJECTION FAILURE                    2.1E-8    1.2E-7    3.1E-7    1.1E-6  0.8
T7D1OD      SGTR - INJECTION FAILURE - NO DEPRESS             6.6E-9    7.0E-8    2.1E-7    7.7E-7  0.5
T5ALP       LOSS OF DC BUS - FAIL AFW - NO FEED AND BLEED     1.1E-9    2.6E-8    1.3E-7    4.5E-7  0.3
T5BLP       LOSS OF DC BUS - FAIL AFW - NO FEED AND BLEED     1.1E-9    2.6E-8    1.3E-7    4.5E-7  0.3
T7L3        SGTR - AFW FAILURE                                4.8E-9    4.1E-8    1.1E-7    3.4E-7  0.3
T7ODQQS     SGTR - NO DPRESS - SG INTEG FAILS, PORV FAILS     8.8E-10   2.1E-8    1.1E-7    5.0E-7  0.3
T7KR        SGTR - ATWS                                       3.2E-9    3.4E-8    1.0E-7    4.0E-7  0.2
TOTAL CORE DAMAGE FREQUENCY                                                       4.0E-5            100

The plant cannot be maintained in a stable condition indefinitely without instrumentation or control power. Consistent with NUREG/CR-3226,(4) a time frame of approximately 3 hours was allowed for restoration of AC power, before core uncovery would occur. Use of a gas turbine generator located on the site was considered, but not included in the station blackout model due to the administrative controls and procedures associated with it. Relocating portable diesel generators to the site was considered as an "innovative recovery" action, but was not included in the blackout model due to the timing involved.
The SBO-BATT (single unit blackout) sequence has the highest frequency of all of the accident sequences, accounting directly for 26.0 percent of the total core damage frequency.

The SBO-BATT sequence discussed here is actually a grouping of five individual sequences on the station blackout event tree. The commonality among the sequences is that core uncovery results from battery depletion. The five sequences contain other failures, which are successfully mitigated and thus do not have a bearing on the final outcome. The constituent sequences are detailed in Section 4.10. The major contributor, at 54 percent of the SBO-BATT frequency, is T 15-NR7, loss of offsite power followed by non-recovery of AC power at seven hours. The next highest contributor is station blackout followed by a stuck open steam generator relief valve, and non-recovery of AC power. This scenario represents 20 percent of the SBO-BATT frequency. A similar scenario which, additionally, includes failure of reactor coolant pump seal cooling from Unit 2 but successful functioning of the seals, contributes 18 percent of the SBO-BATT frequency.

SBO-BATT2 (two unit blackout) consists of three separate sequences which have similar scenarios.

For the SBO-BATT and SBO-BATT2 sequences, the dominant contributors are diesel generator failures and non-recovery of offsite AC power, including common cause failure of the diesel generators to start. Another prominent event in these sequences is a stuck open SG relief valve. The stuck open safety valve was evaluated as not having a detrimental impact on the course of the sequence. The major identifiable impact was the need for backup condensate sources.

5.2.2 Accident Sequences SBO-SLOCA and SBO-SLOCA2

SBO-SLOCA: 5.3E-6 mean CDF, 13.1% of the Total CDF
SBO-SLOCA2: 3.3E-6 mean CDF, 8.2% of the Total CDF

These sequences represent station blackout with a reactor coolant pump seal LOCA. The single unit and double unit blackout were modeled as separate sequences, but are discussed here together.
Both sequences are initiated by a loss of offsite power (T1). Failure of the two diesel generators supplying Unit 1 results in loss of all AC power at Unit 1. Failure of all three site diesel generators results in station blackout at Units 1 and 2. Station blackout results in the unavailability of the Unit 1 high pressure injection system (D1), the auxiliary feedwater motor driven pumps, the containment spray system (C), the inside spray recirculation system (F1), and the outside spray recirculation system (F2).

Loss of all AC power results in a loss of seal injection flow to the reactor coolant pumps (RCPs) and a loss of component cooling water to the RCP thermal barriers. This condition results in vulnerability of the RCP seals to failure. For SBO at Unit 1 alone, seal cooling can be provided by Unit 2. Station blackout at both units fails seal cooling from Unit 2. The probability of the occurrence of a seal LOCA was modeled probabilistically as a function of time following total loss of seal cooling. The RCP seal LOCA model was developed through elicitation of a panel of experts and is detailed in Appendix D. The time to core uncovery following onset of a seal LOCA was a function of the leak rate, and whether or not the operator took action to depressurize the reactor.

The SBO-SLOCA and SBO-SLOCA2 sequences discussed here are actually a grouping of three individual sequences from the SBO event trees. The constituent sequences are detailed in Section 4.10. The commonality among the sequences is that core damage results from a seal LOCA with failure to restore AC power in time to reestablish HPI flow prior to core uncovery. The individual sequences may involve other failures which are successfully mitigated and have no substantial bearing on the course of the sequence.

The highest contributing sequence to SBO-SLOCA involves station blackout, followed by failure to provide seal cooling from Unit 2. This can be due to hardware failures or operator errors. In the two unit blackout, seal cooling from Unit 2 is not questioned. RCP seal degradation starts at 1-1/2 hours from loss of all cooling. Operator depressurization can prolong the time to core uncovery, but is generally considered to occur too late to prevent seal degradation. Failure to recover AC power in sufficient time leads to core uncovery.

The next highest frequency sequence involves the same sequence, but with a stuck open steam generator (SG) power operated relief valve. As in the BATT sequences, the effect of a stuck open SG relief valve was not critical. The third contributing sequence is similar to the first one, except that depressurization of the RCS is not accomplished.

Important contributors to the seal LOCA scenarios are failure to restore AC power after seal LOCA and failure of the operator to provide seal cooling from Unit 2.

5.2.3 Accident Sequences SBO-L and SBO-L2

SBO-L: 4.7E-6 Mean CDF, 11.6% of the Total CDF
SBO-L2: 9.0E-8 Mean CDF, 1.6% of the Total CDF

These sequences represent station blackout followed by failure of the auxiliary feedwater (AFW) system. The single unit and double unit blackout were modeled as separate sequences, but are discussed here together.
Both sequences are initiated by a loss of offsite power (T1). Unavailability of the two diesel generators supplying Unit 1 results in loss of all AC power at Unit 1. Failure of all three site diesel generators results in station blackout at Units 1 and 2. Core uncovery in this sequence is caused by failure of the AFW system. Station blackout also results in the unavailability of the high pressure injection system (D1), the containment spray system (C), the inside spray recirculation system (F1) and the outside spray recirculation system (F2).

These sequences involve station blackout followed by failure of the turbine driven AFW pump train. Recovery of AFW using the turbine driven pump train at Unit 2 was included. All core heat removal is unavailable after failure of AFW. For station blackout at Unit 1 alone, it was assessed that one HPI pump at Unit 2 would not be sufficient to provide feed and bleed cooling through the cross connect while at the same time provide charging flow to Unit 2. Core uncovery was estimated to occur at approximately 1 hour if AFW and HPI flow had not been restored by that time. Restoration of AC (offsite) power was required 1/2 hour prior to the time HPI could be restored. The 1/2 hour time lag was included in the recovery model to allow for restoration of plant power, intake canal water inventory, component cooling water, and other required support systems, prior to restoration of HPI flow.

The SBO-L and SBO-L2 sequences discussed here are actually a grouping of three individual sequences on the station blackout event tree. The constituent sequences are detailed in Section 4.10. The commonality among the sequences is that core damage results from failure of auxiliary feedwater. The individual sequences may involve other failures which may affect timing of recovery actions, but have no other bearing on the course of the sequence.

Station blackout at Unit 1, followed directly by failure of AFW only accounts for 10 percent of the SBO-L frequency. Blackout at Unit 1 followed by a stuck open steam generator (SG) relief valve plus AFW failure contributes 90 percent to the SBO-L frequency. In sequences that involved a stuck open SG relief valve, operators were required to connect the main condensate storage tank to the AFW water source. This is required in order for sufficient inventory to be available to supply the additional feed required due to faulted SG. For station blackout at Units 1 and 2, the sequence with the stuck open SG relief accounts for 60 percent of the SBO-L2 frequency.

The dominant failure mode for AFW, when a SG relief is stuck open, is failure to cross connect to the back up condensate storage tank. The dominant failure modes of the turbine driven AFW pump are the failure of the pump to initially start or unavailability of the pump due to maintenance activities.

5.2.4 Accident Sequence V

1.6E-6 Mean CDF, 4.0% of the Total CDF

Event V sequence is an interfacing systems LOCA which bypasses containment.
The V sequence results from a failure of any one of the three pairs of check valves in series which are used to isolate the high pressure reactor coolant system (RCS) from the low pressure injection system. The resultant flow into the low pressure system is assumed to result in failure (rupture) of the low pressure piping or components outside the containment boundary. Although core inventory makeup by the high pressure systems is initially available, inability to switch to recirculation would eventually lead to core damage. Due to the location of the postulated system failure, all containment safeguards are bypassed.

The configuration of the low pressure injection (LPI) discharge lines at Surry involves a single injection line, rated for low pressure, which has an open motor operated valve (MOV) in it. Downstream of the MOV, the piping is rated for high pressure conditions. The single line divides into three lines with each going to an RCS cold leg. Each high pressure line has two check valves. Small leakage past these two valves will flow to the refueling water storage tank (RWST) through the LPI pump mini-flow recirculation lines. The most restrictive point in this path is a inch line. It was estimated that check valve leakage on the order of 100 gpm could be diverted to the RWST without any risk of LPI system overpressure.

The failure modes of interest for event V are those that produce sudden, large back leakages through the two high pressure check valves in any of the three cold leg injection lines. This was postulated to occur in two ways:

A. Rupture of valve internals on both valves. "Rupture" connotes catastrophic loss of structural integrity. Rupture of both valves could occur independently or common cause failures could be postulated. Rupture of both valves would need to occur between test periods.

B. Failure of one valve to close upon repressurization, combined with rupture of the other valve. The leak test for these valves at Surry must be done when the reactor is in cold shutdown. There is no assurance the valve remains closed on subsequent repressurizations or throughout the test period. If one valve sticks in the open position, the other valve is the only boundary between the high and low pressure piping. Failure of two valves to close would be detected upon startup, and was not included as a possible failure mode.

The quantification of this sequence was subject to the expert elicitation process.(40) The opinions of a panel of experts were elicited to obtain the failure probabilities and uncertainty distributions for each of these events. The results of the elicitation are presented in Reference 40.

5.2.5 Accident Sequences SBO-Q and SBO-Q2

SBO-Q: 2.2E-6 Mean CDF, 5.4% of the Total CDF
SBO-Q2: 3.2E-7 Mean CDF, 0.8% of the Total CDF
These sequences represent station blackout with a stuck open pressurizer PORV. The single unit and double unit SBO were modeled separately, but are discussed here together.

Both sequences are initiated by a loss of offsite power (T1) for greater than 1/2 hour. Failure of the two diesel generators supplying Unit 1 results in loss of all AC power at Unit 1. Failure of all three site diesel generators results in station blackout at Units 1 and 2. Station blackout results in the unavailability of the high pressure injection system (D1), the containment spray system (C), the auxiliary feedwater motor driven pumps, the inside spray recirculation system (F1), and the outside spray recirculation system (F2).

These sequences involve station blackout with a stuck open pressurizer PORV, and failure to restore power in one hour. Due to the blackout condition all core coolant makeup is unavailable, as are the PORV block valves. Consequently, the continued discharge of the primary coolant would lead to core uncovery if AC power had not been restored, and the block valve had not been isolated by one hour. Restoration of AC power within 1 hour and subsequent isolation of the block valve is the dominant recovery action for these sequences.

The SBO-Q and SBO-Q2 sequences discussed here are actually a grouping of two individual sequences on the station blackout event tree. The constituent sequences are detailed in Section 4.10. The commonality among the sequences is that core damage results from a stuck open PORV with failure to restore AC power and close the block valve prior to core uncovery. The individual sequences involve other failures which do not have substantial bearing on the course of the sequence.

The highest frequency sequence in this group is loss of offsite power followed by a stuck open RCS PORV and non-recovery of AC power within one hour. This scenario contributes 74 percent to the SBO-Q and SBO-Q2 sequences. The other scenario is station blackout with a stuck open SG and RCS PORV followed by non-recovery of AC power.

5.2.6 Accident Sequence S1H1

1.7E-6 Mean CDF, 4.2% of the Total CDF

This sequence is initiated by a break in the reactor coolant system (RCS) piping in the range 2"<D<6" (S1) followed by failure of the low pressure recirculation system (H1).

This sequence consists of a medium loss of coolant accident (LOCA), success of the high pressure injection system, depressurization of the primary system through the break, success of the low pressure injection system, and subsequent failure of the low pressure system in the recirculation phase. All containment heat removal systems are available but the continued heat up and boil off of primary coolant leads to core damage.

The dominant contributors to failure of low pressure recirculation are the common cause failure of the refueling water storage tank (RWST) isolation valves to close, common cause failure of the sump suction valves to open, common cause failure of the discharge isolation valves to the hot legs to open, or miscalibration of the RWST level sensors.

1.4E-6 Mean CDF, 3.5% of the Total CDF
1.1E-7 Mean CDF, 0.3% of the Total CDF

These sequences are initiated by a steam generator tube rupture (T7), followed by failure to depressurize the RCS (OD) leading to loss of steam generator integrity (QS). Subsequent failure to depressurize and limit the leakage leads to continued blowdown through the steam generator and eventual core uncovery.

Additionally, the T7ODQQS sequence has a stuck open pressurizer PORV. The PORV is postulated to be opened in order to provide RCS pressure reduction. Its failure to close and the subsequent failure of the block valve to close result in this scenario.

An important event in this sequence is the initial failure of the operator to depressurize soon after the tube rupture. This leads to a relief valve demand in the SGs. The SG safety valve will be demanded if the power operated relief valve is blocked. Subsequent failure of the SV to reclose leads to direct loss of RCS inventory to the atmosphere. Demand probabilities and closure probabilities for the SG relief valves were determined through a process of expert elicitation. The results are listed in Appendix D. Failure of subsequent efforts to recover the sequence by RCS depressurization or isolation of the relief valve leads to RWST inventory depletion and eventual core uncovery.
5.2.8 Accident Sequence T2LD2

9.8E-7 Mean CDF, 2.4% of the Total CDF

This sequence is initiated by a loss of main feedwater (T2), followed by failure of the auxiliary feedwater (AFW) system (L), and failure of feed and bleed cooling, due to failure of the high pressure injection system.

The loss of main feedwater places a demand on auxiliary feedwater to remove core decay heat. Failure of the AFW system, which includes failure to cross connect AFW from Unit 2, causes a demand for feed and bleed cooling. Feed and bleed cooling fails due to operator error or hardware failures in the high pressure injection system. Success criteria require that the HPI system be manually actuated and supply flow from one of three pumps. All containment systems would be available; however, the steam generators are unavailable as a heat sink due to loss of AFW. The resultant heat up and boil off of primary coolant leads to core damage.

The dominant contributors to failure of Unit 1 AFW are undetected flow diversion to Unit 2 through the AFW cross connect or the common cause failure of all three AFW pumps due to steam binding resulting from check valve leakage. The dominant contributor to failure of AFW from Unit 2 is operator error. The dominant contributor to failure of feed and bleed is the operator failure to initiate the charging system.

5.2.9 Accident Sequence S1D1

8.6E-7 Mean CDF, 2.1% of the Total CDF

This sequence is initiated by a break in the reactor coolant system (RCS) piping in the range 2"<D<6" (S1) followed by failure of the high pressure injection system (D1).

This sequence involves a medium loss of coolant accident (LOCA) and failure of core coolant makeup. All containment heat removal systems are available but the continued heat up and boil off of primary coolant leads to core damage.

The dominant contributors to failure of high pressure injection are hardware failures of the check valves in the common suction and discharge line of all three injection pumps, common cause loss of flow through strainers in the charging pump cooling service water lines, or common cause failure of the MOVs in the HPI suction and discharge lines.

5.2.10 Accident Sequence TKRZ

8.2E-7 Mean CDF, 2.0% of the Total CDF

This sequence is initiated by a transient from high power (T), followed by a failure of the reactor protection system (RPS) to automatically scram the reactor (K), failure of the operator to manually scram the reactor (R), and the presence of an unfavorable moderator temperature coefficient (Z).

This sequence is initiated by a high power transient and failure of the RPS to scram the reactor. Manual reactor scram fails due to operator error or, much more likely, physical failures of the control rods or drives which prevent their insertion. The presence of an unfavorable moderator temperature coefficient (MTC) will cause a severe primary system pressure rise which is assumed to result in failure of the reactor coolant boundary integrity. "Unfavorable" MTC is defined as sufficient to cause the pressure rise to exceed service level C stress limits of the HPI injection valves. This was considered to cause plastic deformation and loss of operability. Inability to provide coolant injection leads to core damage.

5.2.11 Accident Sequence AH1

8.2E-7 Mean CDF, 2.0% of the Total CDF

This sequence is initiated by a break in the reactor coolant system (RCS) piping in the range 6"<D<29", and is followed by failure of the low pressure recirculation system (H1).
This sequence involves a large loss of coolant accident (LOCA), success of the low pressure injection system, and subsequent failure of the low pressure system in the recirculation phase. All containment heat removal systems are available but the continued heat up and boil off of coolant leads to core damage.

The dominant contributors to failure of low pressure recirculation are the common cause failure of the refueling water storage tank (RWST) isolation valves to close, common cause failure of the sump suction valves to open, common cause failure of the discharge isolation valves to the hot legs to open, or miscalibration of the RWST level sensors.

5.2.12 Accident Sequence T2LP

7.4E-7 Mean CDF, 1.9% of the Total CDF

This sequence is initiated by a loss of main feedwater (T2), followed by failure of the auxiliary feedwater (AFW) system (L), and failure of feed and bleed cooling due to insufficient opening of the power operated relief valves (PORVs).

The loss of main feedwater initiator places a demand on auxiliary feedwater to remove core decay heat. Failure of the AFW system, including failure of the cross connect from Unit 2, causes a demand for feed and bleed cooling. Injection flow is available in this sequence, but various failures prevent one of the two PORVs from opening. Success criteria require that two PORVs open for successful feed and bleed. All containment systems would be available; however, the steam generators are unavailable as a heat sink due to loss of AFW. The resultant heat up and eventual boil off of the primary coolant leads to core damage.

The dominant contributors to AFW failure are undetected flow diversion to Unit 2 through the AFW cross connect, or the common cause failure of all three AFW pumps due to steam binding resulting from check valve leakage. The dominant contributor to failure of AFW cross connect from Unit 2 is operator error. The dominant contributor to failure of feed and bleed is operator failure to open the PORVs, closely followed by mechanical failures of the PORV block valves and PORVs.

5.2.13 Accident Sequence S1D6

6.7E-7 Mean CDF, 1.7% of the Total CDF

This sequence is initiated by a leak in the reactor coolant system piping in the range of 2"<D<6" and is followed by failure of the low pressure injection system (D6).

This sequence involves a medium loss of coolant accident (LOCA) and subsequent failure of the low pressure injection system. All containment heat removal systems are available, but the continued heat up and boil off of coolant leads to core damage.

The dominant contributors to failure of low pressure injection are common cause failure of the LPI pumps to start or plugging of the normally open LPI injection valve (MOV-1890C).

5.2.14 Accident Sequence AD5

6.4E-7 Mean CDF, 1.6% of the Total CDF

This sequence involves a large loss of coolant accident (LOCA) followed by failure of the accumulators (D5). All other systems are operable. Failure of the accumulators to provide borated makeup water leads to core damage. The dominant contributors are plugging of any of the motor operated isolation valves (1865B, 1865C) in the intact loops.

5.2.15 Accident Sequence TKRD4

6.4E-7 Mean CDF, 1.6% of the Total CDF

This sequence is initiated by a transient requiring reactor scram (T), followed by a failure of the reactor protection system (RPS) to automatically scram the reactor (K), failure of the operator to manually scram the reactor (R), and failure of emergency boration using the boric acid transfer pumps and the charging pumps (D4).

This sequence is initiated by a transient requiring scram and failure of the RPS to scram the reactor. In addition, manual reactor scram fails due to either operator error or, much more likely, physical failure of the control rods or drives which prevent their insertion. The dominant contributor to failure of emergency boration is failure of flow through the PORVs due to the block valves being shut and failing to open.

5.2.16 Accident Sequence S3D1

6.3E-7 Mean CDF, 1.5% of the Total CDF

This sequence is initiated by a very small loss of coolant accident (LOCA) (less than 1/2" equivalent diameter) followed by failure of high pressure injection (D1).

The dominant contributors to this sequence are common cause failure of MOV-1867C and MOV-1867D in the HPI discharge line, and failure to recover by the use of alternate injection path through MOV-1842. Failure of MOV-1115B and MOV-1115D in the suction line also contributes significantly.

Surry is better equipped to mitigate very small LOCAs than some plants due to the ability to cross connect high pressure injection (HPI) from Unit 2 and the refueling water storage tank (RWST) from Unit 2. Core damage frequency from all S3 initiators is less than predicted by previous studies due to the current understanding and expectation that very small LOCAs will not result in actuation of the containment spray system. This minimizes the probability that RWST depletion will result in the need for ECCS recirculation.
* 5.2.17 Accident Sequence S 2 D 1 4.4E-7 Mean GDF 1.1% of the Total GDF This sequence is initiated by a break in the reactor coolant system piping in the range l/2"<D<2" (S 2), followed by failure of the high pressure injection system (D 1). This sequence is initiated by a small loss of coolant accident (LOCA) and failure of core coolant makeup. All containment heat removal systems are available but the continued heat up and boil off of primary coolant leads to core damage. The dominant contributors to failure of high pressure injection are hardware failures of the check valves in the common suction and discharge line of all three charging pumps, common cause loss of flow through strainers in the charging pump cooling service water lines, or common cause failure of the MOVs in the HPI discharge line. 5.2.18 Accident Sequence AD 6 3.lE-7 Mean GDF 0.8% of the Total GDF This sequence is initiated by a break in the reactor coolant system piping in the range of 6"<D<29", followed by failure of the low pressure injection system (D 6). This sequence involves a large loss of coolant accident and subsequent failure of 'the low pressure injection system (LPI). All containment heat removal systems are available but the continued heat up and boil off of coolant leads to core damage. The dominant contributors to failure of low pressure injection are common cause failure of the LPI pumps to start or plugging of the normally open LPI discharge valve (MOV-1890C).
2.lE-7 Mean GDF 0.5% of the Total GDF This sequence is initiated by a steam generator tube rupture (T 7), followed by failure of high pressure injection (D 1), and failure to depressurize the RCS (0 0) in order to terminate the breakflow.
The dominant contributors to this sequence are the common cause failure of the HP! discharge valves MOV-1867C and MOV-1867D or the common cause failure of the HPI suction valves isolating the RWST, MOV-1115B and MOV-1115D. 5.2.20 Accident Sequences T 5 ALP and T 5 BLP 1.3E-7 Mean GDF 1.3E-7 Mean GDF 0.3% of the Total GDF 0.3% of the Total GDF These sequences are initiated by the loss of a DC bus (TsA, T 5 B), followed by failure of the auxiliary feedwater (AFW) system (L) , and* failure of 5-27 feed and bleed cooling due to insufficient opening of the power operated relief valves (PORVs). The loss of DC bus initiator leads to the unavailability of the main feedwater and condensate system. This places a demand on auxiliary feedwater to remove core decay heat. Failure of the AFW' system, including failure of the cross connect from Unit 2, causes a demand for feed and bleed cooling. As the initiator fails one of the two PORVs, feed and bleed is not possible.
The success criteria require that two PORVs be opened for feed and bleed cooling. All containment systems would be available; however, the steam generators are unavailable as a heat sink due to loss of AFW. The resultant heat up and eventual boil off of the primary coolant leads to core damage. The dominant contributors to AFW failure are undetected flow diversion to Unit 2 through the AFW cross connect, or the common cause failure of all three AFW pumps due to steam binding resulting from check valve leakage. The dominant contributor to failure of the AFW cross connect from Unit 2 is operator error.

5.2.21 Accident Sequence T7L3
1.1E-7 Mean CDF, 0.3% of the Total CDF
This sequence is initiated by a steam generator tube rupture (T7) followed by failure of the auxiliary feedwater system (L3). Feed and bleed cooling is not considered a viable method of core cooling due to the existing tube rupture. Feed and bleed cooling requires sustained high pressure in the primary, which is not compatible with the mitigation requirements for steam generator tube rupture. Failure to recover feed flow will lead to core uncovery.
The dominant contributors to AFW failure are the undetected flow diversion to Unit 2 through the AFW cross connect or common cause failure of all three AFW pumps due to steam binding resulting from check valve leakage.

5.2.22 Accident Sequence T7KR
1.0E-7 Mean CDF, 0.2% of the Total CDF
This sequence is initiated by a steam generator tube rupture (T7), followed by failure of the reactor protection system (K), and failure of the operator to manually scram the reactor (R). Failure to trip the reactor (either automatically or manually) causes the pressure in the reactor coolant system to increase, possibly resulting in the rupture of additional steam generator tubes and an increase in the flow from the RCS to the secondary coolant system. The ATWS induced pressure increase in the primary is counterproductive to the RCS depressurization which is required to mitigate tube rupture. Because of the complexity of this sequence, and the limited analytical data available to support evaluation, steam generator tube rupture with failure to scram was categorized as a core damage sequence.

5.3 Plant Damage State Group Results
The development of plant damage states has been previously discussed in Section 4.5. The frequency of each plant damage state was calculated as described in Section 4.11. The mapping of the dominant accident sequences into plant damage state groups is shown in Table 5-4. Table 5-5 shows the plant damage state groups, mean frequencies and the corresponding statistical bounds. The following subsections characterize the plant damage state groups, identify the sequences contributing to them, and list the dominant contributors.
A complete listing of the descriptive statistics, importance measures, and cut sets is provided in Appendix E for all plant damage state groups.

5.3.1 Plant Damage State Group 1
2.2E-5 Mean CDF, 54.6% of the Total CDF
Plant damage state 1 is characterized by long term station blackout sequences resulting in late core damage without any containment systems available.
There are three types of accident sequences in this plant damage state, all initiated by station blackout. They are station blackout followed by battery depletion (SBO-BATT, SBO-BATT2); station blackout followed by an RCP seal LOCA (SBO-SLOCA, SBO-SLOCA2); and station blackout followed by a stuck open PORV (SBO-Q, SBO-Q2). Each is discussed separately below. The station blackout battery depletion sequences contribute to 49.6% of this plant damage state and 27.1 percent of the total core damage frequency.
Using the event tree nomenclature, the sequences which dominate the battery depletion portion of this plant damage state are:
T1su1-NR7: 31% of PDS 1
T1su1-QS-NR7: 11% of PDS 1
These sequences are grouped in the SBO-BATT sequence category.
They represent station blackout events at Unit 1 with seal cooling provided from Unit 2. Battery depletion at 4 hours causes loss of vital instrumentation needed to control AFW and monitor plant parameters.
These sequences result in the unavailability of emergency core cooling systems (ECCS) injection, ECCS recirculation, and containment heat removal systems. These systems are recoverable if AC power is restored.
Prior to battery depletion, auxiliary feedwater is supplied by the turbine driven pump. The reactor coolant system is cooled down and depressurized during the sequence.
Reactor coolant pump seal cooling is provided from Unit 2.

Table 5-4
Surry Dominant Accident Sequences Included in Each Plant Damage State

Plant Damage State           Accident     Percent Contribution   Percent Contribution
                             Sequences    To PDS                 To Total CDF
PDS-1 Long Term Blackout     SBO-BATT      47.6                  26.0
                             SBO-SLOCA     24.0                  13.1
                             SBO-SLOCA2    15.0                   8.2
                             SBO-Q          9.9                   5.4
                             SBO-BATT2      2.0                   1.1
                             SBO-Q2         1.5                   0.8
PDS-2 Loss of Coolant        S1H1          28.5                   4.2
      Accident               S1D1          14.3                   2.1
                             AH1           13.6                   2.0
                             S1Ds          11.6                   1.7
                             AD5           10.9                   1.6
                             S3D1          10.2                   1.5
                             S2D1           7.5                   1.1
                             AD6            3.4                   0.8
PDS-3 Short Term Blackout    SBO-L         87.9                  11.6
                             SBO-L2        12.1                   1.6
PDS-4 V Event                V            100.0                   4.0
PDS-5 Transients             T2LD2         50.0                   2.4
                             T2LP          37.4                   1.8
                             T5ALP          6.3                   0.3
                             T5BLP          6.3                   0.3
PDS-6 ATWS                   TKRZ          52.6                   2.0
                             TKRD4         42.1                   1.6
                             T7KR           5.3                   0.2
PDS-7 SGTR                   T700Qs        76.1                   3.5
                             T7D10o        10.9                   0.5
                             T7L3           6.5                   0.3
                             T70oQQ         6.5                   0.3

Plant damage state 1 also includes RCP seal LOCA sequences with failure to recover AC power prior to core uncovery.
Containment systems are unavailable.
Using the event tree nomenclature, the sequences which dominate the RCP seal LOCA portion of this plant damage state are:
T1su1-W2-NRSL: 16% of PDS 1
T1su2-NRSL: 11% of PDS 1
T1su1-QS-W2-NRSL: 7% of PDS 1
T1su2-QS-W2-NRSL: 4% of PDS 1
The subscript on the initiating event portion of the identifier specifies whether the initiator is station blackout at Unit 1 alone (T1su1) or SBO at both units (T1su2). The sequences are grouped in the SBO-SLOCA and SBO-SLOCA2 sequence categories.
They represent station blackout with loss of all seal cooling. In the single unit blackout, seal cooling from Unit 2 fails due to operator error and hardware faults. In the two unit blackout, unavailability of AC power fails seal cooling from both units. Auxiliary feedwater is supplied by the turbine driven pump. Reactor coolant pump seal failure occurs between 1-1/2 and 2-1/2 hours from loss of cooling. Failure to recover AC power in the allowable time (2 hours) leads to core uncovery.
These sequences result in the unavailability of ECCS injection, ECCS recirculation, and containment heat removal systems. These systems are recoverable if AC power is restored.
Plant damage state 1 also includes accident sequences with station blackout followed by a stuck open pressurizer PORV, and failure to recover AC power within one hour. Using the event tree nomenclature, the sequences which dominate this plant damage state are:
T1su1-Q-NR1: 8% of PDS 1
T1su1-Q-QS-NR1: 3% of PDS 1
T1su2-Q-NR1: 2% of PDS 1
T1su1 is a single unit blackout and T1su2 is a dual unit blackout.
These sequences are grouped in the SBO-Q and SBO-Q2 categories respectively.
These sequences result in the unavailability of ECCS injection, ECCS recirculation, and containment heat removal systems. These systems are recoverable when AC power is restored.
Auxiliary feedwater is available throughout the sequence from the turbine driven pump.

5.3.2 Plant Damage State Group 2
6.0E-6 Mean CDF, 14.7% of the Total CDF
Plant damage state 2 is characterized by loss of coolant accidents followed by failure of coolant injection or recirculation systems. Eight dominant accident sequences contribute to this plant damage state, as shown below.
Of these eight sequences, there are three general types of sequences. These are a loss of coolant accident followed by failure of coolant injection systems (D1, D6); LOCA followed by failure of coolant recirculation systems (H1); and LOCA followed by accumulator failure (D5). In the sequence with ECCS failure in the injection mode, the contents of the refueling water storage tank are injected into the containment by the containment spray system. This provides sump inventory for operation of the containment heat removal systems. In the sequences with ECCS failure in the recirculation mode, the coolant injection phase of the accident sequence is successful, but the recirculation phase fails. The contents of the RWST are injected into containment and allow successful operation of all containment systems. In the one sequence involving accumulator failure (AD5), the other ECCS systems are successful.
The contents of the RWST are injected into the containment and the containment systems are operable.
Failure of the accumulators to provide borated makeup water leads to core damage.

5.3.3 Plant Damage State Group 3
5.4E-6 Mean CDF, 13.3% of the Total CDF
Plant damage state 3 is characterized by station blackout with loss of all feedwater.
Using the event tree nomenclature, the sequences which dominate this plant damage state are:
T1su1-QS-L T1su2-QS-L T1su1-L 7% of PDS 3 T1su2-L 5% of PDS 3 78% of PDS 3 10% of PDS 3
T1su1 and T1su2 represent single unit and dual unit blackout respectively.
These sequences are included in the SBO-L and SBO-L2 sequence categories.
These sequences consist of station blackout events followed by auxiliary feedwater failure. Some sequences also include faulted steam generators or stuck open pressurizer PORVs. These sequences result in the unavailability of ECCS injection, ECCS recirculation, and containment heat removal systems.

5.3.4 Plant Damage State Group 4
1.6E-6 Mean CDF, 4.0% of the Total CDF
Plant damage state 4 is comprised entirely of interfacing loss of coolant accidents.
Only one sequence contributes to this plant damage state, sequence V. This sequence is caused by a rupture of the two check valves in series, which provide the boundary between the reactor coolant system and the low pressure ECCS. Overpressurization of the low pressure injection system results in a rupture of that system, causing a LOCA outside of the containment.

5.3.5 Plant Damage State Group 5
2.1E-6 Mean CDF, 4.8% of the Total CDF
Plant damage state 5 consists of transient initiated accident sequences followed by complete loss of core cooling. The initiating event is either a loss of main feedwater or a loss of a DC bus. The initiator is followed by a loss of AFW and a failure to provide feed and bleed core cooling. All containment systems are successful in this plant damage state. This plant damage state is dominated by the following sequences:
T2LD2: 50% of PDS 5
T2LP: 37% of PDS 5
T5ALP: 6.5% of PDS 5
T5BLP: 6.5% of PDS 5

5.3.6 Plant Damage State Group 6
1.6E-6 Mean CDF, 3.8% of the Total CDF
Plant damage state 6 is composed of anticipated transients without scram (ATWS). A transient initiating event is followed by failure of the automatic reactor protection system and the manual scram system to shut down the reactor. This plant damage state is comprised of the following accident sequences.
53% of PDS 6; 42% of PDS 6; 5% of PDS 6

5.3.7 Plant Damage State Group 7
1. SE-6 Mean CDF, 4.8% of the Total CDF
Plant damage state 7 consists of steam generator tube rupture accident sequences.
Plant damage state 7 is dominated by a steam generator tube rupture followed by failure to depressurize the reactor coolant system leading to a loss of steam generator integrity.
All containment systems are operable, but are bypassed as coolant flows into the faulted SG and then outside of the containment boundary.
The contents of the refueling water storage tank (RWST) are injected into the RCS, but flow through the faulted SG rather than into the containment.
The accident sequence that dominates this plant damage state is T 7 0 0 Q 5. Other contributors are T 7 D 1 0 0, T7L3, and T 7 0 0 QQ 8.

5.4 Importance Measures
In addition to the uncertainty analysis presented in Sections 5.1 through 5.3, an event importance analysis was done on the comprehensive core damage model. In this analysis, the relative importance of each basic event, with respect to three measures, was calculated.
These three measures are risk reduction, risk increase, and uncertainty importance.
Each of these measures was evaluated for the comprehensive core damage model (total CDF), each accident sequence, and each plant damage state grouping.
The complete results can be found in Appendix E. The importance measures for the comprehensive core damage model are discussed here in the results section. Definitions for the three importance measures used are given below:

Importance Measures

Risk Reduction: A measure of how much the core damage frequency is reduced, given that a specific event is assumed to be totally reliable (probability of failure = 0). A large value indicates that a significant reduction in the core damage frequency is possible by improving the reliability associated with that event.

Risk Increase: A measure of how much the core damage frequency is increased, given that a specific event is assumed to occur (probability of failure = 1.0). Opposite of risk reduction, a large effect indicates the importance of maintaining the reliability of the specific event and not letting it get worse.

Uncertainty Importance: A measure of how much the uncertainty in the core damage frequency is affected by the uncertainty associated with a specific event. The larger the measure, the more the uncertainty in the results is driven by the uncertainty in the value of the specific event.

The top twenty events in terms of importance are shown in Tables 5-6, 5-7, and 5-8. Additional event importance measures are shown in Appendix E. These tables show the top events for each type of importance measure. The risk reduction table shows the event, the number of cut sets in which it occurs, its mean probability value, and risk reduction measure. The risk reduction figure is the absolute amount by which core damage frequency is reduced, if the event in question has a probability of zero (i.e., never happened).
The risk reduction rank, as well as the upper and lower bounds of the risk reduction value, are shown. Note that a lower bound value of zero for risk reduction means that it is possible that no risk reduction occurs at all. Risk reduction is provided for basic events and separately for initiating events. Definitions of the events found in these tables are given in Table 5-2. The most important event for risk reduction is related to the unavailability of diesel generator number 1. DG #1 is favored over DG #3, because DG #3 is a swing diesel. The electrical model for loss of offsite power aligns DG3 to Unit 2 in the event that DG2 has failed. Therefore, in order to make DG3 more available to Unit 1, the reliability of DG2 must be improved in addition to the reliability of DG3. Therefore, DG1 ranks as the highest single importance event. The other events of high importance are all involved with station blackout sequences.
This is not surprising, recognizing that SBO is the dominant type of core damage sequence.
Similar information is given for risk increase measures.
Risk increase measures are not calculated for initiating events, because these events have annual frequencies rather than probabilities.
Risk increase is calculated by setting event probability equal to 1.0, this being the maximum upper bound for an event probability.
There is no basis for setting an initiating event frequency to 1.0, because their frequencies may be greater than 1.0 per year. The dominant event for risk increase is failure of the reactor protection system, followed by unavailability of the RWST. The meaning of risk increase can be thought of as the resulting core damage frequency if the component or system is not provided (i.e., has failure probability of 1.0). The reactor protection system has the highest risk increase measure, followed by the RWST and then three individual failures, which fail the entire AFW system. Uncertainty importance is calculated in a different manner than risk reduction or risk increase.
To assess uncertainty importance, an uncertainty calculation is made, holding the value of a particular event constant.
The uncertainty bounds of the calculation are compared to the uncertainty bounds when all parameters are considered random variables.
The uncertainty importance shows that the diesel generators contribute the most to the overall statistical uncertainty.
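The three measures defined in this section, computed on a two-cut-set station blackout model built for illustration (an added example, not code or cut sets from the report). The mean values are those listed for these events in Table 5-6; the cut-set structure, the lognormal shape and the error factor of 3 are assumptions chosen to mirror the swing-diesel argument.

```python
import math
import random

# Constructed toy model, not the report's cut sets. Means are the values listed
# for these events in Table 5-6; the two cut sets are an assumption: Unit 1
# blacks out if DG1 fails and DG3 either fails itself or is aligned to Unit 2
# because DG2 failed, and AC power is not recovered in time.
MEANS = {
    "IE-T1": 7.7e-2,            # loss of offsite power, per year (initiating event)
    "OEP-DGN-FS-DG01": 2.2e-2,  # DG1 fails to start
    "OEP-DGN-FS-DG02": 2.2e-2,  # DG2 fails to start
    "OEP-DGN-FS-DG03": 2.2e-2,  # DG3 (swing diesel) fails to start
    "NRAC-7HR": 5.0e-2,         # non-recovery of AC power
}
INITIATORS = {"IE-T1"}
CUT_SETS = [
    ("IE-T1", "OEP-DGN-FS-DG01", "OEP-DGN-FS-DG03", "NRAC-7HR"),
    ("IE-T1", "OEP-DGN-FS-DG01", "OEP-DGN-FS-DG02", "NRAC-7HR"),
]
ERROR_FACTOR = 3.0  # assumed lognormal error factor (95th percentile / median)


def frequency(values):
    """Rare-event approximation: sum over cut sets of the product of event values."""
    return sum(math.prod(values[e] for e in cs) for cs in CUT_SETS)


def risk_reduction(event):
    """Absolute drop in frequency when the event's value is set to zero."""
    return frequency(MEANS) - frequency({**MEANS, event: 0.0})


def risk_increase(event):
    """Absolute rise in frequency when the event's probability is set to 1.0.

    Returns None for initiating events: they carry annual frequencies rather
    than probabilities, so there is no basis for setting them to 1.0.
    """
    if event in INITIATORS:
        return None
    return frequency({**MEANS, event: 1.0}) - frequency(MEANS)


def _sample(rng, held=None):
    """Draw one set of event values; the held event stays at its mean."""
    sigma = math.log(ERROR_FACTOR) / 1.645
    values = {}
    for name, mean in MEANS.items():
        # Always draw, even for the held event, so both runs share random numbers.
        draw = rng.lognormvariate(math.log(mean) - sigma ** 2 / 2, sigma)
        if name not in INITIATORS:
            draw = min(draw, 1.0)  # probabilities cannot exceed 1
        values[name] = mean if name == held else draw
    return values


def quantiles(held=None, n=20000, seed=1990):
    """5th and 95th percentiles of the sampled top event frequency."""
    rng = random.Random(seed)
    freqs = sorted(frequency(_sample(rng, held)) for _ in range(n))
    return freqs[int(0.05 * n)], freqs[int(0.95 * n)]


def uncertainty_ratios(event):
    """Y.05/TE.05 and Y.95/TE.95 for one event held constant at its mean."""
    te05, te95 = quantiles()
    y05, y95 = quantiles(held=event)
    return y05 / te05, y95 / te95


if __name__ == "__main__":
    print(f"mean frequency: {frequency(MEANS):.3e} per year")
    for name in MEANS:
        rr, ri = risk_reduction(name), risk_increase(name)
        ri_text = "not calculated" if ri is None else f"{ri:.3e}"
        print(f"{name:18s} risk reduction {rr:.3e}  risk increase {ri_text}")
    r05, r95 = uncertainty_ratios("OEP-DGN-FS-DG01")
    print(f"DG01 held at mean: Y.05/TE.05 = {r05:.2f}, Y.95/TE.95 = {r95:.2f}")
```

In this toy model DG1 appears in every cut set while DG2 and DG3 each appear in one, so DG1's risk reduction is twice that of either other diesel.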
Table 5-6
Surry Risk Reduction Important Events
Surry Total Core Damage Model: Risk Reduction by Base Event (with associated uncertainty intervals)

Base Event          Occur   Prob.     (Rank)   Risk Reduction  (Rank)   Lower 5%   Upper 5%
OEP-DGN-FS-DG01       725   2.20E-02  (79.5)   8.22E-06        ( 3.0)   2.38E-07   4.38E-05
NRAC-7HR              966   5.00E-02  (80.0)   8.04E-06        ( 4.0)   2.84E-07   R.26E-05
REC-XHE-FO-DGHWB      159   8.00E-01  (14.5)   8.90E-06        ( 6.0)   2.16E-07   3.66E-05
REC-XHE-FO-DGHWS     1407   8.00E-01  (11.0)   5.98E-06        ( 7.0)   0.00E+00   2.97E-05
REC-XHE-FO-DGEN       382   9.00E-01  ( 8.0)   5.88E-06        ( 8.0)   1.21E-07   2.67E-05
RCP-LOCA-750-90M      262   5.30E-01  (18.0)   5.20E-06        ( 9.0)   0.00E+00   3.16E-05
NRAC-216M             200   1.38E-01  (41.0)   5.00E-06        (10.0)   0.00E+00   2.99E-05
OEP-DGN-FS            299   2.20E-02  (79.5)   4.88E-06        (11.0)   2.08E-07   1.82E-05
OEP-DGN-FS-DG02       521   2.20E-02  (79.5)   4.38E-06        (12.0)   1.31E-07   2.36E-05
OEP-DGN-FS-DG03       526   2.20E-02  (79.5)   4.38E-06        (13.0)   1.32E-07   2.36E-05
NRAC-1HR              157   4.40E-01  (21.0)   4.24E-06        (14.0)   5.39E-08   2.15E-05
OEP-DGN-FR-8HDG1      639   1.20E-02  (91.0)   4.08E-06        (15.0)   2.80E-08   2.97E-05
QS-SBO               2435   2.70E-01  (28.5)   3.04E-06        (17.0)   5.45E-08   1.75E-05
REC-XHE-FO-SCOOL      597   1.26E-01  (43.0)   2.89E-06        (18.0)   3.71E-08   1.61E-05
BETA-2MOV              25   8.80E-02  (48.0)   2.72E-06        (19.0)   1.08E-07   8.72E-08
BETA-3DG               59   1.80E-02  (83.0)   2.66E-06        (20.0)   7.41E-08   1.08E-05
OEP-DGN-FR-8HDG3      467   1.20E-02  (91.0)   2.32E-06        (21.0)   1.58E-08   1.87E-05
BBO-PORV-DMD          128   4.50E-01  (20.0)   2.27E-08        (22.0)   1.17E-08   9.56E-06
BETA-2DG              271   3.80E-02  (89.0)   2.25E-08        (23.0)   8.69E-08   8.32E-08
OEP-DGN-FR-8HDG2      458   1.20E-02  (91.0)   2.09E-08        (25.0)   1.48E-08   1.48E-05

Init. Event
IE-T1                2463   7.70E-02  ( 4.0)   2.02E-05        ( 1.0)   9.09E-07   1.12E-04
IE-S1                  57   1.00E-03  ( 9.5)   3.31E-06        ( 2.0)   3.58E-07   9.73E-06
IE-A                   49   5.00E-04  (11.0)   2.10E-06        ( 3.0)   2.80E-07   5.49E-06
IE-T7                  39   1.00E-02  ( 6.0)   1.92E-06        ( 4.0)   1.42E-07   6.12E-06
IE-T2                  65   9.40E-01  ( 3.0)   1.48E-06        ( 5.0)   4.82E-08   4.88E-06
IE-TN                   1   5.90E+00  ( 2.0)   8.43E-07        ( 6.0)   6.29E-09   3.16E-06
IE-S3                  20   1.30E-02  ( 5.0)   6.39E-07        ( 7.0)   4.24E-08   2.35E-06
IE-T                   14   6.60E+00  ( 1.0)   5.65E-07        ( 8.0)   9.48E-09   2.82E-06
IE-S2                  13   1.00E-03  ( 9.5)   4.33E-07        ( 9.0)   4.35E-08   1.39E-06
IE-V-TRAIN-3            1   4.00E-07  (13.0)   4.00E-07        (11.0)   1.27E-11   1.82E-06
IE-V-TRAIN-2            1   4.00E-07  (13.0)   4.00E-07        (11.0)   1.27E-11   1.82E-06
IE-V-TRAIN-1            1   4.00E-07  (13.0)   4.00E-07        (11.0)   1.27E-11   1.82E-06
IE-T5B                 25   5.00E-03  ( 7.5)   1.38E-07        (13.5)   1.20E-09   4.52E-07
IE-T5A                 25   5.00E-03  ( 7.5)   1.38E-07        (13.5)   1.20E-09   4.52E-07

Table 5-7
Surry Risk Increase Important Events
Surry Total Core Damage Model: Risk Increase by Base Event (with associated uncertainty intervals)

Base Event          Occur   Prob.     (Rank)    Risk Increase   (Rank)   Lower 5%   Upper 5%
K                      18   6.00E-05  (195.0)   2.52E-02        ( 1.0)   1.45E-03   9.56E-02
RWT-TNK-LF-RWST         5   2.70E-06  (207.0)   1.95E-02        ( 2.0)   7.93E-03   3.88E-02
AFW-PSF-FC-XCONN       25   1.50E-04  (178.0)   5.83E-03        ( 3.0)   4.48E-04   1.89E-02
AFW-CCF-LK-STMBD       21   1.00E-04  (181.5)   5.82E-03        ( 4.0)   4.48E-04   1.88E-02
AFW-TNK-VF-CST          3   1.00E-08  (208.0)   2.78E-03        ( 5.0)   1.4~E-04   1.00E-02
HPI-CKV-FT-CV225        5   1.00E-04  (181.5)   2.10E-03        ( 6.0)   8.68E-04   4.13E-03
HPI-CKV-FT-CV25         5   1.00E-04  (181.5)   2.06E-03        ( 7.5)   7.31E-04   4.36E-03
HPI-CKV-FT-CV410        5   1.00E-04  (181.5)   2.08E-03        ( 7.5)   7.31E-04   4.38E-03
HPI-XVM-PG-XV24         4   4.00E-05  (199.5)   2.06E-03        ( 9.0)   7.13E-04   4.35E-03
LPR-CCF-PG-SUMP         5   5.00E-05  (198.0)   1.55E-03        (10.0)   8.08E-04   3.05E-03
LPR-XHE-FO-HOTLG        2   4.00E-05  (172.0)   1.50E-03        (11.0)   5.89E-04   2.98E-03
RMT-CCF-FA-MSCAL        2   3.00E-04  (172.0)   1.50E-03        (12.0)   5.89E-04   2.98E-03
LPI-MOV-PG-1890C        2   4.40E-04  (170.0)   1.50E-03        (13.0)   5.89E-04   2.98E-03
IAS-CCF-LF-INAIR        3   2.70E-05  (205.0)   1.38E-03        (14.0)   1.59E-04   4.35E-03
ACC-CKV-FT-CV130        1   1.00E-04  (181.5)   5.00E-04        (16.5)   1.33E-04   1.20E-03
ACC-CKV-FT-CV128        1   1.00E-04  (181.5)   5.00E-04        (16.5)   1.33E-04   1.20E-03
ACC-CKV-FT-CV145        1   1.00E-04  (181.5)   5.00E-04        (16.5)   1.33E-04   1.20E-03
ACC-CKV-FT-CV147        1   1.00E-04  (181.5)   5.00E-04        (16.5)   1.33E-04   1.20E-03
ACC-MOV-PG-1865B        1   6.50E-04  (182.5)   5.00E-04        (19.5)   1.33E-04   1.20E-03
ACC-MOV-PG-1865C        1   6.50E-04  (182.5)   5.00E-04        (19.5)   1.33E-04   1.20E-03

Table 5-8
Surry Uncertainty Importance Important Events
Surry Total Core Damage Model: Uncertainty Importance by Base Event

                                                % Reduction in the
                                                Uncertainty of
Base Event          Occur   Prob.     (Rank)    Log Risk   (Rank)   Y.05/TE.05*   Y.95/TE.95*
OEP-DGN-FS            299   2.20E-02  ( 79.5)   20.7       ( 2.5)   1.23          0.75
OEP-DGN-FS-DG02       521   2.20E-02  ( 79.5)   20.7       ( 2.5)   1.23          0.75
OEP-DGN-FS-DG01       725   2.20E-02  ( 79.5)   20.7       ( 2.5)   1.23          0.75
OEP-DGN-FS-DG03       526   2.20E-02  ( 79.5)   20.7       ( 2.5)   1.23          0.75
OEP-DGN-FR-DG02        14   2.00E-03  (136.5)   18.9       ( 8.0)   1.00          1.00
OEP-DGN-FR-DG03        12   2.00E-03  (136.5)   18.9       ( 8.0)   1.00          1.00
OEP-DGN-FR-DG01        23   2.00E-03  (136.5)   18.9       ( 8.0)   1.00          1.00
OEP-DGN-FR-8HDG1      639   1.20E-02  ( 91.0)   18.9       ( 9.0)   1.14          0.80
OEP-DGN-FR-8HDG3      467   1.20E-02  ( 91.0)   18.9       ( 9.0)   1.14          0.80
OEP-DGN-FR-8HDG2      458   1.20E-02  ( 91.0)   18.9       ( 9.0)   1.14          0.80
NRAC-7HR              988   5.00E-02  ( 60.0)    5.4       (11.0)   1.04          0.99
NRAC-201M              62   1.50E-01  ( 38.5)    5.1       (12.0)   1.00          1.00
NRAC-216M             200   1.38E-01  ( 41.0)    5.0       (13.0)   1.01          0.99
NRAC-234M              82   1.23E-01  ( 44.0)    5.0       (14.0)   1.00          1.00
NRAC-258M             200   1.08E-01  ( 47.0)    4.9       (15.0)   1.00          1.00
NRAC-246M             262   1.15E-01  ( 46.0)    4.9       (16.0)   1.00          1.00
NRAC-HALFHR           182   6.00E-01  ( 14.5)    4.9       (17.0)   1.01          1.00
NRAC-1HR              157   4.40E-01  ( 21.0)    4.9       (18.0)   1.01          0.99
NRAC-150M             262   2.10E-01  ( 32.5)    4.7       (19.0)   1.00          1.00
Z                       1   1.40E-02  ( 87.5)    4.4       (20.0)   1.04          0.99

Init. Event
IE-T1                2463   7.70E-02  (  4.0)   12.8       ( 1.0)   1.19          0.99
IE-V-TRAIN-3            1   4.00E-07  ( 13.0)    4.5       ( 3.0)   1.16          1.00
IE-V-TRAIN-1            1   4.00E-07  ( 13.0)    4.5       ( 3.0)   1.16          1.00
IE-V-TRAIN-2            1   4.00E-07  ( 13.0)    4.5       ( 3.0)   1.16          1.00
IE-S1                  57   1.00E-03  (  9.5)    0.8       ( 5.0)   1.04          0.99
IE-A                   49   5.00E-04  ( 11.0)    0.7       ( 6.0)   1.06          1.01
IE-TN                   1   5.90E+00  (  2.0)    0.6       ( 7.0)   1.01          1.01
IE-T                   14   6.60E+00  (  1.0)    0.4       ( 8.0)
IE-T7                  39   1.00E-02  (  6.0)    0.4       ( 9.0)
IE-T2                  65   9.40E-01  (  3.0)    0.0       (12.0)
IE-S2                  13   1.00E-03  (  9.5)    0.0       (12.0)
IE-T5B                 25   5.00E-03  (  7.5)    0.0       (12.0)
IE-T5A                 25   5.00E-03  (  7.5)    0.0       (12.0)
IE-S3                  20   1.30E-02  (  5.0)    0.0       (12.0)

*Y.xx is the .xx quantile of the top event frequency when the event is held constant at its mean value. TE.xx is the .xx quantile of the top event frequency when the event is not held constant.

5.5 Comparison of Results With WASH-1400
This section compares the results of this study with the Surry results of the Reactor Safety Study (RSS) (WASH-1400).(2) A comparison of the results of these studies must recognize the differences in PRA state-of-the-art, as well as specific changes at Surry. In the thirteen years between WASH-1400 and this study, the Surry plant design as well as the industry's understanding of reactor operation and safety issues have changed. A comparison of dominant contributors to core damage frequency between these two studies should be balanced by a knowledge of the differences in plant design, study methodology, and success criteria.
The first comparison to be made is on the basis of total core damage frequency.
WASH-1400 calculated a total core damage frequency of 4.4E-5 per year. This study calculated 4.0E-5 per year. The frequency value used in WASH-1400 is a point estimate, based on propagation of median values for basic events, while the frequency value used in this study is the sampled mean of a distribution.
The mean values for core damage frequency in the RSS would be somewhat higher than the values stated here. Many plant and procedural modifications have been made at Surry since the RSS. These contribute to the reduction in frequency of comparable WASH-1400 sequences to 1.7E-5. However, this study predicts a core damage frequency of 1.0E-5 due to seal LOCAs and steam generator tube rupture, which were not included in the WASH-1400 analysis.
In addition, an expanded station blackout analysis resulted in identifying battery depletion and PORV sequences not included in WASH-1400, which account for a core damage frequency of 1.4E-5 per year. Table 5-9 presents a comparison of WASH-1400 core damage frequencies with frequencies of event groups in the current study. When comparing such frequencies, emphasis should be placed on examining the variation of the individual contributors.
The frequency of core damage due to LOCAs in this study is significantly lower than in WASH-1400. In the 13 years since the Reactor Safety Study was performed, the improved understanding of core thermal hydraulics has led to less severe emergency core cooling system success criteria for LOCAs, and better procedures and operator training have led to lower human error probabilities for LOCA scenarios.
Also, some of the frequency reduction between this study and the Reactor Safety Study can be attributed to the addition of an automatic sump recirculation transfer system. Transients are a small contributor to core damage frequency in this study. This category represents turbine/reactor trips with and without main feedwater followed by the subsequent loss of all core heat removal. The next category of comparison is loss of offsite power events. This category is distinguished from station blackout by having AC power available to at least one electrical division.
For both studies, this accident category involves loss of auxiliary feedwater, leading to loss of core cooling. NUREG-4550 allowed the use of feed and bleed cooling as an alternative method of core cooling, while the Reactor Safety Study did not. Thus the substantially lower contribution in this study. Station blackout sequences were prominent in both studies. Station blackout is defined as loss of all AC power at a unit. The Reactor Safety Study examined only auxiliary feedwater availability in its station blackout model. Consequently, the frequency is lower than for NUREG-4550, for which the station blackout models included issues of battery depletion, reactor coolant pump seal LOCA, and stuck open relief valves. Probabilities for non-recovery of offsite power were much more rigorously calculated in this study, and resulted in higher non-recovery probabilities.

Table 5-9
Comparison of Core Damage Frequencies by Event Type

                                Core Damage Frequency (/yr)
Event Type                      NUREG/CR-4550    WASH-1400
LOCA                            6.0E-6           2.9E-5
Transient                       2.0E-6           1E-7
Loss of Offsite Power           <10^-7           6E-6
Station Blackout                2.7E-5           3E-6
ATWS                            1.6E-6           4E-6
Interfacing LOCA                1.6E-6           4E-6
Steam Generator Tube Rupture    1.8E-6           NA
Total                           4.0E-5           4.6E-5

The frequencies of core damage due to ATWS are similar for both studies. NUREG-4550 used much lower probabilities for human error than did the Reactor Safety Study and used higher frequencies for initiating transients.
However, NUREG-4550 developed more comprehensive success criteria for ATWS, including requirements for turbine trip and favorable moderator temperature coefficients.
The frequencies of interfacing LOCAs were lower for this study. NUREG-4550 and the Reactor Safety Study analyzed the same configuration and postulated the same failure modes but used significantly different test periods for quantification.
During the time between the performance of the Reactor Safety Study and this study, the valve test frequency was reduced from 5 years to approximately 1 year. In addition, this study postulated common cause failure of check valves, which were a significant contributor to core damage frequency.
Another notable change from the WASH-1400 results is the decreased importance of containment systems in the core damage sequences.
Success criteria for containment systems for this study were based on updated analyses, which resulted in fewer constraints and dependencies of the ECCS on containment system performance.
 
==6.0 CONCLUSIONS==
One of the major purposes of the Surry analysis was to provide an updated perspective on our understanding of the risks from the plant relative to the results of the WASH-1400 analysis.
It has been determined that changes to the plant design and its procedures, the evolution of Probabilistic Risk Assessment (PRA) methodology, and an increasing understanding of severe accidents have all had an impact on the perspectives on the dominant risks for Surry. This study concludes that station blackout (loss of all AC power) accidents are the dominant contributors to core damage. They account for approximately two-thirds of the total core damage frequency.
This result is due to certain features of the Surry electric power systems, which are discussed below, and may not be applicable to other plants. The station blackout analysis for this study was much more rigorous than that of WASH-1400.
All aspects of electric power modeling, plant response modeling, and development of event probabilities have been significantly improved over those used in WASH-1400.
The higher frequencies for station blackout are considered a more accurate assessment of the event than previous analyses.
Loss of coolant accidents inside containment are the second most dominant accident group, accounting for approximately one-seventh of total core damage frequency.
The prominence of this accident group is greatly reduced over the results of WASH-1400, which was completed in 1975. This is due to three factors: a) improved operator procedures and training which direct operator intervention to mitigate the event at an early stage and which provide direction for coping with subsequent system failures, b) the installation of several cross ties between the two Surry units which provides back-up systems to cope with emergency core cooling system failures, and c) improved understanding and knowledge of containment systems performance, which has led to less constraining success criteria for containment systems. As with the station blackout conclusions, some of these improvements are specific to the Surry plant and may not be applicable to other PWRs.
Loss of coolant accidents in interfacing systems outside of containment represent a moderate contribution to core damage, at four percent of the total, but are important contributors to risk because they may represent a direct release path to the environment.
The understanding of these events is relatively unchanged since WASH-1400.
In the ensuing years, the calculated frequency has been reduced due to more frequent check valve test intervals, and recently increased due to the inclusion of common cause failures in the quantification.
Anticipated transients without scram (ATWS) contribute approximately four percent to total core damage frequency.
Their frequency has been reduced from that calculated in WASH-1400, due in part to equipment modifications required by the ATWS Rulemaking and by improved procedures and operator training for this event.
Steam generator tube rupture (SGTR) also accounts for approximately four percent of core damage frequency.
This event was not analyzed in WASH-1400.

6.1 Plant-Specific Conclusions
As stated above, the core damage frequency is dominated by station blackout events. There are many individual contributors to these events, and it is not possible to identify a single issue or event which drives the frequency calculations.
The individual contributions are discussed below. The frequency of loss of offsite power at Surry was calculated to be 7.7E-2 per year. This is better than average for U.S. nuclear plants, but is higher than expected if only the Surry specific experience of zero failures in 15 years were considered.
The calculation includes experience from other plants with switchyard configurations similar to Surry, but which have experienced failures of offsite power. The calculation of probabilities for non-recovery of offsite power is also based on experience at other plants with similar switchyard configurations.
Since probabilities for loss and non-recovery of offsite power appear in every station blackout cut set, reduction of these probabilities could have an important effect on core damage frequency.
Events for diesel generator failure are also in each and every blackout sequence cut set. The probability for diesel failure to start was calculated from plant specific data to be 2.2E-2/demand.
This value is also slightly better than average for U.S. nuclear plants. The electric power configuration at Surry, however, provides three diesels for a two-unit site. This offers reduced redundancy compared to most other nuclear plants and tends to increase the probability of station blackout occurrence.
The AC power availability reduction resulting from the swing diesel configuration is overcome to a significant extent by the provision of cross ties between the charging systems and auxiliary feedwater systems at both units. Alternative sources of AC power at the Surry site were not included in the station blackout models. A gas turbine generator is at the Surry site, but current supporting systems and administrative procedures preclude its use during a station blackout.
The plant response to station blackout at Surry is similar to that of other PWRs. The dominant type of blackout sequence represents core uncovery due to long term battery depletion.
The battery depletion time was assessed to be 4 hours (see Reference 40), which is typical for PWRs. The next most dominant sequence is the reactor coolant pump seal LOCA sequence.
A generic model for Westinghouse reactor coolant pumps was developed in Reference 40 and used in this study. It predicts a significant probability of severe seal degradation, starting at 1 1/2 hours from loss of seal cooling. Core uncovery is predicted to occur about 2 hours after onset of seal failure, unless AC power is restored and safety injection is provided within that time.

Examination of the contributors to loss of coolant accidents provides insights regarding the Surry plant. LOCA-induced core damage frequency for this study was significantly reduced over that of WASH-1400, particularly for the small LOCA events. This occurred in spite of a tenfold increase in the small LOCA initiating event frequency.
Plant modifications occurring since WASH-1400, which allow for cross tie of the high pressure safety injection systems, auxiliary feedwater systems, and refueling water storage tanks at each unit contributed significantly to this reduction in frequency.
In addition, Surry has a three tier system of emergency procedures which provide explicit instruction to utilize these cross ties. The Technical Specifications for the cross tied systems address component operability based on the operational status of both units, thus ensuring availability to the other unit even though the primary unit's status does not require it. The system cross ties available at Surry provide a reliable alternative for recovery of system failures.

6.2 Accident Sequence Conclusions

As previously noted, there are twenty-eight accident sequences in the Surry core damage model. These sequences are listed in Table 5-2 in section 5.0 of this report. The number of sequences in a PRA model and their relative size is strongly influenced by the PRA methodology utilized and the level of detail of the analysis.
Discussion of sequence numbers and frequencies in an absolute sense is not particularly useful, but the relative contribution of various types of sequences for a specific plant can provide insight into the types of accident scenarios which are important at that plant.

As discussed earlier, the Surry units are provided with cross-tie capability between the AFWs, HPIs, and RWSTs at each unit. These cross ties provide a recovery potential which is not available at many other plants. The sequence profile reflects the importance of these cross ties. The highest single sequence is long term station blackout at Unit 1, leading to battery depletion and consequently loss of instrumentation and control power. As this sequence represents a blackout at Unit 1, with power available at Unit 2, reactor coolant pump seal cooling can be provided by the Unit 2 charging system, via the HPI cross tie. Thus, the risk of seal failure is averted, and the battery depletion scenario dominates.
The next highest sequence represents the seal failure scenario during station blackout.
This sequence represents a single unit blackout with failure to provide seal cooling via the cross tie. This can be due to equipment failure or operator error. Without cooling, the seals are at risk early in the sequence.
Seal failure is predicted to occur between 1 1/2 to 2 1/2 hours. If AC power is not restored in an additional two hours, core uncovery occurs. The fourth most dominant sequence represents the same scenario except that the sequence is a two-unit blackout, and seal cooling is unavailable due to loss of AC power at Unit 2.

The other two prominent blackout sequences represent early (initial) failures of the auxiliary feedwater system or failure of the pressurizer PORVs to reclose after opening. Failure to restore AC power within a limited time leads to core uncovery.

Examining the twenty sequences below 1E-6 indicates that long term sequences (which allow time for recovery) are not represented at all. Specifically, there are no sequences representing small breaks with failure of ECCS recirculation.
This is due to two considerations.
First, emergency operating procedures direct operator intervention in a small break to cooldown and depressurize the reactor coolant system, thus minimizing the break flow.
Secondly, the system cross ties enable the operators to recover from system failures.
The LOCA sequences which do contribute to the core damage model are the large breaks with failures in both injection and recirculation, and small breaks with failures in injection.
The common aspect of these accident categories is that they are fast moving sequences, happening early in time to the initiator, thus leaving little time for operator intervention or recovery.

Two types of transient sequences are prominent: loss of all feedwater and ATWS sequences.
Loss of feedwater at Surry is probably lower than at most plants, due to the AFW cross tie. The ATWS sequences are short and fast acting, leaving little time for recovery.

6.3 Uncertainty Considerations

The process of developing a probabilistic model of a nuclear power plant involves the combination of many individual events (initiators, hardware failures, operator errors, etc.) into accident sequences and eventually into an estimate of the total frequency of core damage. After development, such a model also can be used to assess the importance of the individual events. The sequence cut set models supporting this study have been analyzed using several importance measures.
The results of the analyses using an uncertainty importance measure are summarized below. For this measure, the relative contribution of the uncertainty of individual events to the uncertainty in total core damage frequency is calculated.
Using this measure, the following events were found to be most important:
* Diesel generator fail to start
* Diesel generator fail to run for six hours
* Loss of offsite power initiating event
* Interfacing LOCA
* Unfavorable moderator temperature co-efficient during ATWS
* Non recovery of offsite AC power after initial loss

6.4 Comparison to Reactor Safety Study

In the thirteen years between the Reactor Safety Study (WASH-1400) analysis of Surry and the present study, both the Surry plant configuration and the understanding of reactor operation and safety have changed. WASH-1400 calculated a total core damage frequency from internal events of 4.4E-5. This study calculated a total core damage frequency from internal events of 4.0E-5. It should be noted when comparing the two that the WASH-1400 value for core damage frequency is a point estimate, based on the sum of individual sequence median values, while this study's value is the calculated mean of a distribution.
The modifications in plant configuration at Surry reduce the frequency of comparable WASH-1400 sequences to 1.7E-5, but consideration of seal LOCAs, steam generator tube rupture, and more detailed evaluation of station blackout, combine to increase the total core damage frequency to 4.0E-5. Some of the significant differences and similarities between this study and WASH-1400 are presented below:
* Reactor coolant pump seal LOCAs during station blackout are important in the present study, but not in WASH-1400.
* Station blackout followed by loss of AFW were important in both studies.
* ATWS sequences are not directly comparable due to increased knowledge of ATWS phenomenology, different probabilities for failure to scram, and different perceptions about operator error rates in ATWS situations.
* Understanding of interfacing LOCAs is relatively unchanged, while the frequency is slightly reduced. A reduction in the event frequency, due to increased valve testing frequency, was countered by inclusion of dependent failures in the quantification.
* The LOCA sequences followed by failure of ECCS systems are significantly lower in the present study than WASH-1400.
* The enhanced understanding of containment cooling phenomena and containment failure scenarios used in this study led to a significantly reduced dependence on containment cooling systems for the prevention of core damage.

6.5 Other Insights

Throughout the performance of a PRA, it is common to identify component interactions and dependencies which were previously unexpected. One such insight is discussed below.

The station blackout analysis revealed a unique interactive dependency which leads to an unexpectedly high probability of a non-isolable faulted steam generator during blackout.
Were this series of events to occur, they would not prevent the ability to provide steam generator heat removal, but would require additional actions to stabilize the AFW supply, and may act as a precursor to AFW failure, and generally could add to the stress level and complexity of the event.

The interactive dependency is manifested during station blackout, because all power is lost to both the steam generator level control valves and the steam generator atmospheric relief valves. The level control valves are located inside containment, are powered from a 480 VAC bus, are normally open, and fail open on loss of power. The atmospheric relief valves are powered from a semi-vital bus which loses all power upon station blackout.
Thus, during a blackout, steam relief will be through the steam generator safety valves until such time as flow paths to the condenser can be established via manual local valve line-ups.
This was estimated to be accomplished shortly after one hour. During this time, it was estimated that each SRV would open every 20 minutes, for a total of nine openings.
This number of openings gives a relatively high probability of failure to reclose. Should the safety valve fail to reclose, it is not isolable, and will lead to an uncontrolled blowdown of that steam generator.
The feedwater supply to that SG is not isolable either, because the level control valves fail open. Entrance into containment to manually close the valves would be very difficult during a blackout.
Consequently, no credit was allowed in the analysis.
The AFW configuration at Surry is such that the level control valves represent the only way to isolate auxiliary feedwater to a single steam generator.
Thus, under these conditions, the faulted SG would continue to be fed and continue to blowdown.
This event does not prevent the ability to provide steam generator heat removal. However, it is an undesirable event which would add to the complexity of steam generator feed control, possibly increasing the probability of feed flow failure due to human error, lack of condensate, or possible phenomenological considerations.
 
==7.0 REFERENCES==
: 1. Reactor Risk Reference Document, NUREG-1150, U.S. Nuclear Regulatory Commission, 1987.
: 2. Reactor Safety Study. An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants, U.S. Nuclear Regulatory Commission, published as WASH-1400, 1975.
: 3. Harper, F. T., et al., Analysis of Core Damage Frequency from Internal Events: Methodology Guidelines, NUREG/CR-4550, SAND86-2084, Vol. 1, Sandia National Laboratories, July 1987.
: 4. Kolaczkowski, A. M. and A. C. Payne, Station Blackout Accident Analysis, NUREG/CR-3226, SAND82-2450, Sandia National Laboratories, May 1983.
: 5. Categorization of Reactor Safety Issues from a Risk Perspective, NUREG-1115, U.S. Nuclear Regulatory Commission, March 1985.
: 6. Selby, D. L., et al., Pressurized Thermal Shock Evaluation of H.B. Robinson Unit 2 Nuclear Power Plant, NUREG/CR-4183, Oak Ridge National Laboratory, Oak Ridge, Tennessee, September 1985.
: 7. Oconee PRA. A Probabilistic Risk Assessment of Oconee Unit 3, NSAC-60, Electric Power Research Institute, June 1984.
: 8. Zion Probabilistic Safety Study, Commonwealth Edison Company, 1981.
: 9. Seabrook Station Probabilistic Safety Assessment, PLG-0300, Pickard, Lowe and Garrick, Inc., Irvine, CA, December 1983.
: 10. Millstone Unit 3 Probabilistic Safety Study, Northeast Utilities Company, August 1983.
: 11. Indian Point Probabilistic Safety Study, Power Authority of the State of New York and Consolidated Edison Co., 1982.
: 12. Mackowiak, D. P., et al., Development of Initiating Event Frequencies for Use in Probabilistic Risk Assessments, NUREG/CR-3862, EG&G Idaho Inc., May 1985.
: 13. Iman, R. L. and S. C. Hora, Modeling Time to Recovery and Initiating Event Frequency for Loss of Off-Site Power Incidents at Nuclear Power Plants, NUREG/CR-5032, SAND87-2428, January 1988.
: 14. Carlson, D. D., Interim Reliability Evaluation Program Procedures Guide, NUREG/CR-2728, SAND82-1100, Sandia National Laboratories, January 1983.
: 15. IEEE Guide to the Collection and Presentation of Electrical, Electronic, Sensing Component and Mechanical Equipment Reliability Data for Nuclear Power Generating Stations, IEEE-Std-1984, IEEE, New York, N. Y., 1983.
: 16. Benjamin, A., et al., Evaluation of Severe Accident Risks and the Potential for Risk Reduction: Surry Power Station. Unit 1, NUREG/CR-4551, SAND86-1309, Volume 1, Sandia National Laboratories, February 1987.
: 17. Gieske, J. A., et al., Radionuclide Release Under Specific LWR Accident Conditions, Volume V, PWR-Large Dry Containment Designs, BMI-2104, Volume V, Battelle Columbus Laboratories, July 1984.
: 18. Kolb, G. J., et al., Interim Reliability Evaluation Program: Analysis of the ANO-Unit 1 Nuclear Power Plant, NUREG/CR-2787, SAND82-0978, Sandia National Laboratories, June 1982.
: 19. Payne, A. C., et al., Interim Reliability Evaluation Program: Analysis of the Calvert Cliffs Unit-1 Nuclear Power Plant, NUREG/CR-3511, SAND83-2086, Sandia National Laboratories, August 1984.
: 20. Wood, D. C. and C. L. Gottshall, Probabilistic Analysis and Operational Data in Response to NUREG-0737, WCAP 9804, Westinghouse Electric Corp., Pittsburgh, PA, February 1981.
: 21. Unused.
: 22. Boardman, T., Leak Rate Analysis of the Westinghouse Reactor Coolant Pump, NUREG/CR-4294, Energy Technology Engineering Center, Canoga Park, CA, July 1985.
: 23. Unused.
: 24. Generic Implications of ATWS Events at the Salem Nuclear Power Plant, NUREG-1000, U. S. Nuclear Regulatory Commission, April 1983.
: 25. Fleming, K. N., et al., Classification and Analysis of Reactor Operating Experience Involving Dependent Events, EPRI-NP-3967, Electric Power Research Institute, June 1985.
: 26. Unused.
: 27. Swain, A. D., Accident Sequence Evaluation Program Human Reliability Analysis Procedure, NUREG/CR-4772, SAND86-1996, Sandia National Laboratories, February 1987.
: 28. Anticipated Transients Without Scram for Light Water Reactors, NUREG-0460, U. S. Nuclear Regulatory Commission, April 1978.
: 29. Westinghouse Anticipated Transients Without Trip Analysis, WCAP-8330, Westinghouse Electric Corp., Pittsburgh, PA, August 1974.
: 30. Transmittal, Dircks, W. J., to NRC Commissioners, Amendment to 10CFR50 Related to ATWS Events, SECY-83-293, U. S. Nuclear Regulatory Commission, July 19, 1983.
: 31. Utility Group of ATWS Comments to 46 Fed. Reg. 57,521 (1981), submitted to Secretary of the U. S. NRC, by hand, April 23, 1982.
: 32. McClymont, A. S. and B. W. Poehlman, Loss of Offsite Power at Nuclear Power Plants: Data and Analysis, EPRI-NP-2301, Electric Power Research Institute, Palo Alto, CA, March 1982.
: 33. Kittmer, C. A., et al., Reactor Coolant Pump Shaft Seal Behavior During Station Blackout, NUREG/CR-4077, EG&G Idaho Inc., April 1985.
: 34. Fletcher, C. D., Accident Mitigation Following a Small Break with Coincident Failure of Charging and High Pressure Injection for the Westinghouse Zion PWR, EGG-CAAD-5428, EG&G Idaho Inc., April 1981.
: 35. Battle, R. E., Emergency Diesel Generator Operating Experience. 1981-1983, NUREG/CR-4347, Oak Ridge National Laboratory, Oak Ridge Tennessee, December 1985.
: 36. Swain, A. D. and H. E. Guttmann, Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, NUREG/CR-1278, SAND80-0200, Sandia National Laboratories, Albuquerque, New Mexico, August 1985.
: 37. Wright, R. E., Steverson, J. A. and W. F. Suroff, Pipe Break Frequency Estimation for Nuclear Power Plants, NUREG/CR-4407, EG&G Idaho, Inc., May 1987.
: 38. Mosleh, A., et al., Procedures for Treating Common Cause Failures in Safety and Reliability Studies, NUREG/CR-4780, Volume 1, Electric Power Research Institute, Palo Alto, California, January 1988.
: 39. Azarm, M. A., Boccio, J. L. and S. Mitra, The Impact of Mechanical and Maintenance Induced Failures of Main Reactor Coolant Pump Seals on Plant Safety, NUREG/CR-4400, Brookhaven National Laboratory, Upton, New York, December 1985.
: 40. Wheeler, T. A., Analysis of Core Damage Frequency from Internal Events: Expert Judgment Elicitation, NUREG/CR-4550, SAND86-2084, Volume 2, Revision 1, Sandia National Laboratories, April 1989.
: 41. Kastenburg, W. E., et al., Findings of the Peer Review Panel on the Draft Reactor Risk Reference Document NUREG-1150, NUREG/CR-5113, Lawrence Livermore National Laboratory, Livermore, California, May 1988.
: 42. Initial Report of the Special Committee on Reactor Risk Reference Document (NUREG-1150), American Nuclear Society, April 1988.
: 43. Iman, R. L. and M. J. Shortencarier, A FORTRAN 77 Program and User's Guide for the Generation of Latin Hypercube and Random Samples for Use with Computer Models, NUREG/CR-3624, SAND83-2365, Sandia National Laboratories, March 1984.
: 44. Iman, R. L. and M. J. Shortencarier, A User's Guide to the Top Event Matrix Analysis Code (TEMAC), NUREG/CR-4598, SAND86-0960, Sandia National Laboratories, August 1986.
: 45. Analysis of Pressure Vessel Statistics from Fossil-Fueled Power Plant Service and Assessment of Reactor Vessel Reliability in Nuclear Power Plant Service, WASH-1318, U. S. Atomic Energy Commission, 1974.
: 46. Unused.
: 47. Pelto, P. J., et al., Reliability Analysis of Containment Isolation Systems, NUREG/CR-4220, Pacific Northwest Laboratory, Richland, Washington, June 1985.
: 48. Serkiz, A. W., Technical Findings and Regulatory Analysis for Generic Safety Issue II.E.4.3. "Containment Integrity Check," NUREG-1273, U.S. Nuclear Regulatory Commission, April 1988.
: 49. Worrell, R. B., SETS Reference Manual, NUREG/CR-4213, SAND83-2675, Sandia National Laboratories, May 1985.
DISTRIBUTION:
Frank Abbey U. K. Atomic Energy Authority Wigshaw Lane, Culcheth Warrington, Cheshire, WA3 4NE ENGLAND Kiyoharu Abe Department of Reactor Safety Research Nuclear Safety Research Center ToKai Research Establishment JAERI Tokai-mura, Naga-gun Ibaraki-ken, JAPAN Ulvi Adalioglu Nuclear Engineering Division Cekmece Nuclear Research and Training Centre P.K.1, Havaalani Istanbul TURKEY Bharat Agrawal USNRC-RES/AEB MS : NL/N -344 Kiyoto Aizawa Safety Research Group Reactor Research and Development Project PNC 9-13m 1-Chome Akasaka Mina tu-Ku Tokyo JAPAN Oguz Akalin Ontario Hydro 700 University Avenue Toronto, Ontario CANADA MSG 1X6 David Aldrich Science Applications International Corporation 1710 Goodridge Drive McLean, VA 22102 Dist-1 Agustin Alonso University Politecnica De Madrid J Gutierrez Abascal, 2 28006 Madrid SPAIN Christopher Amos Science Applications International Corporation 2109 Air Park Road SE Albuquerque, NM 87106 Richard C. Anoba Project Engr., Corp. Nuclear Safety Carolina Power and Light Co. P. 0. Box 1551 Raleigh, NC 27602 George Apostolakis UCLA Boelter Hall, Room 5532 Los Angeles, CA 90024 James W. Ashkar Boston Edison Company 800 Boylston Street Boston, MA 02199 Donald H. Ashton Bechtel Power Corporation 15740 Shady Grove Road Gaithersburg, MD 20877 J. de Assuncao Cabinete de Proteccao e Seguranca Nuclear Secretario de Estado de Energia Ministerio da Industria av. da Republica, 45-6&deg; 1000.Lisbon PORTUGAL Mark Averett Florida Power Corporation P.O. Box 14042 St. Petersburg, FL 33733 Raymond O. Bagley Northeast Utilities P.O. Box 270 Hartford, CT 06141-0270 Juan Bagues Consejo de Seguridad Nucleare Sarangela de la Cruz 3 28020 Madrid SPAIN George F. Bailey Washington Public Power Supply System P. 0. Box 968 Richland, YA 99352 Kenneth S. Baskin S. California Edison Company P.O. Box 800 Rosemead, CA 91770 J. Basselier Belgonucleaire SA Rue du Champ de Mars 25, B-1050 Brussels BELGIUM Werner Bastl H. 
Bairiot Gesellschaft Fur Reaktorsicherheit Belgonucleaire SA Rue de Champ de Mars 25 B-1050 Brussels BELGIUM Louis Baker Reactor Analysis and Safety Division Building 207 Argonne National Laboratory 9700 South Cass Avenue Argonne, IL 60439 H-P. Balfanz TUV-Norddeutschland Grosse Bahnstrasse 31, 2000 Hamburg 54 FEDERAL REPUBLIC OF GERMANY Patrick Baranowsky USNRC-NRR/OEAB MS: llE-22 H. Bargmann Dept. de Mecanique Inst. de Machines Hydrauliques et de Mecaniques des Fluides Ecole Polytechnique de Lausanne CH-1003 Lausanne M.E. (ECUBLENS)
CH. 1015 Lausanne SWITZERLAND Robert A. Bari Brookhaven National Laboratory Building 130 Upton, NY 11973 Richard Barrett USNRC-NRR/PRAB MS: lOA-2 Forschungsgelande D-8046 Garching FEDERAL REPUBLIC OF GERMANY Anton Bayer BGA/ISH/ZDB Postfach 1108 D-8042 Neuherberg FEDERAL REPUBLIC OF GERMANY Ronald Bayer Virginia Electric Power Co. P. 0. Box 26666 Richmond, VA 23261 Eric S. Beckjord Director USNRC-RES MS: NL/S-007 Bruce B. Beckley Public Service Company P.O. Box 330 Manchester, NH 03105 William Beckner USNRC-RES/SAIB MS: NL/S-324 Robert M. Bernero Director USNRC-NMSS MS: 6A-4 Ronald Berryman [2] Virginia Electric Power Co. P. 0. Box 26666 Richmond, VA 23261 Dist-2 *
* Robert C. Bertucio NUS Corporation 1301 S. Central Ave, Suite 202 Kent, WA 98032 John H. Bickel EG&G Idaho P.O. Box 1625 Idaho Falls, ID 83415 Peter Bieniarz Risk Management Association 2309 Dietz Farin Road, NW Albuquerque, NM 87107 Adolf Birkhofer Gesellschaft Fur Reaktorsicherheit Forschungsgelande D-8046 Garching FEDERAL REPUBLIC OF GERMANY Jrunes Blackburn Illinois Dept. of Nuclear Safety 1035 Outer Park Drive Springfield, IL 62704 Dennis C. Bley Pickard, Lowe & Garrick, Inc. 2260 University Drive Newport Beach, CA 92660 Roger M. Blond Science Applications Int. Corp. 20030 Century Blvd., Suite 201 Germantown, MD 20874 Simon Board Central Electricity Generating Board Technology and Planning Research Division Berkeley Nuclear Laboratory Berkeley Gloucestershire, GL139PB UNITED KINGDOM Mario V. Bonace Northeast Utilities Service Company P.O. Box 270 Hartford, CT 06101 Dist-3 Gary J. Boyd Safety and Reliability Optimization Services 9724 Kingston Pike, Suite 102 Knoxville, TN 37922 Robert J. Breen Electric Power Research Institute 3412 Hillview Avenue Palo Alto, CA 94303 Charles Brinkman Combustion Engineering 7910 Woodmont Avenue Bethesda, MD 20814 K. J. Brinkmann Netherlands Energy Res. Fdtn. P.O. Box 1 1755ZG Petten NH NETHERLANDS Allan R. Brown Manager, Nuclear Systems and Safety Department Ontario Hydro 700 University Ave. Toronto, Ontario M5GlX6 CANADA Robert G. Brown TENERA L.P. 1340 Saratoga-Sunnyvale Rd. Suite 206 San Jose, CA 95129 Sharon Brown EI Services 1851 So. Central Place, Suite 201 Kent, WA 98031 Ben Buchbinder NASA, Code QS 600 Maryland Ave. SW Washington, DC 20546 R.H. Buchholz Nutech 6835 Via Del Oro San Jose, CA 95119 Robert J. Budnitz Future Resources Associates 734 Alameda Berkeley, CA 94707 Gary R. Burdick USNRC-RES/DSR MS : NL/S -007 Arthur J. Buslik USNRC-RES/PRAB MS: NL/S-372 M. Bustraan Netherlands Energy Res. Fdtn. P.O. Box 1 17552G Petten NH NETHERLANDS Nigel E. 
Buttery Central Electricity Generating Board Booths Hall Chelford Road, Knutsford Cheshire, WA168QG UNITED KINGDOM Jose I. Calvo Molins Probabilistic Safety Analysis Group Consejo de Seguridad Nuclear Sor Angela de la Cruz 3, Pl. 6 28020 Madrid SPAIN J. F. Campbell Nuclear Installations Inspectorate St. Peters House Balliol Road, Bootle Merseyside, L20 3LZ UNITED KINGDOM Kenneth S. Canady Duke Power Company 422 S. Church Street Charlotte, NC 28217 Lennart Carlsson IAEA A-1400 Wagramerstrasse 5 P.O. Box 100 Vienna, 22 AUSTRIA Annick Carnino Electricite de France 32 Rue de Monceau 8EME Paris, F5008 FRANCE G. Caropreso Dept. for Envir. Protect. & Hlth. ENEA Cre Casaccia Via Anguillarese, 301 00100 Roma ITALY James C. Carter, III TENERA L.P. Advantage Place 308 North Peters Road Suite 280 Knoxville, TN 37922 Eric Cazzoli Brookhaven National Laboratory Building 130 Upton, NY 11973 John G. Cesare SERI Director Nuclear Licensing 5360 I-55 North Jackson, MS 39211 S. Chakraborty Radiation Protection Section Div. De La Securite Des Inst. Nuc. 5303 Wurenlingen SWITZERLAND Sen-I Chang Institute of Nuclear Energy Research P.O. Box 3 Lungtan, 325 TAIWAN J. R. Chapman Yankee Atomic Electric Company 1671 Worcester Road Framingham, MA 01701 Robert F. Christie Tennessee Valley Authority 400 W. Summit Hill Avenue, Wl0D190 Knoxville, TN 37902 Dist-4 * * * 
* T. Cianciolo BWR Assistant Director ENEA DISP TX612167 ENEUR Rome ITALY Thomas Cochran Natural Resources Defense Council 1350 New York Ave. NW, Suite 300 Washington, D.C. 20005 Frank Coffman USNRC-RES/HFB MS: NL/N-316 Larry Conradi NUS Corporation 16835 W. Bernardo Drive Suite 202 San Diego, CA 92127 Peter Cooper U.K. Atomic Energy Authority Wigshaw Lane, Culcheth Warrington, Cheshire, WA3 4NE UNITED KINGDOM C. Allin Cornell 110 Coquito Way Portola Valley, CA 94025 Michael Corradini University of Wisconsin 1500 Johnson Drive Madison, WI 53706 E. R. Carran Nuclear Technology Division ANSTO Research Establishment Lucas Heights Research Laboratories Private Mail Bag 7 Menai, NSW 2234 AUSTRALIA James Costello USNRC-RES/SSEB MS: NL/S-217A George R. Crane 1570 E. Hobble Creek Dr. Springville, UT 84663 Dist-5 Mat Crawford SERI 5360 I-55 North Jackson, MS 39211 Michael C. Cullingford Nuclear Safety Division IAEA Wagramerstrasse, 5 P.O. Box 100 A-1400 Vienna AUSTRIA Garth Cummings Lawrence Livermore Laboratory L-91, Box 808 Livermore, CA 94526 Mark A. Cunningham USNRC-RES/PRAB MS: NL/S-372 James J . Curry 7135 Salem Park Circle Mechanicsburg, PA 17055 Peter Cybulskis Battelle Columbus Division 505 King Avenue Columbus, OH 43201 Peter R. Davis PRD Consulting 1935 Sabin Drive Idaho Falls, ID 83401 Jose E. DeCarlos Consejo de Seguridad Nuclear Sor Angela de la Cruz 3, Pl. 8 28016 Madrid SPAIN M. Marc Decreton Department Technologie CEN/SCK Boeretang 200 B-2400 Mal BELGIUM Richard S. Denning Battelle Columbus Division 505 King Avenue Columbus, OH 43201 Vernon Denny Science Applications Int. Corp. 5150 El Camino Real, Suite 3 Los Altos, CA 94303 J. Devooget Faculte des Sciences Appliques Universite Libre de Bruxelles av. Franklin Roosevelt B-1050 Bruxelles BELGIUM R. A. Diederich Supervising Engineer Environmental Branch _Philadelphia Electric Co. 2301 Market St. Philadelphia, PA 19101 Raymond DiSalvo Battelle Columbus Division 505 King Avenue Columbus, OH 43201 Mary T. 
Drouin Science Applications International Corporation 2109 Air Park Road S.E. Albuquerque, NM 87106 Andrzej Drozd Stone and Webster Engineering Corp. 243 Summer Street Boston, MA 02107 N. W. Edwards NUTECH 145 Martinville Lane San Jose, CA 95119 Ward Edwards Social Sciences Research Institute University of Southern California Los Angeles, CA 90089-1111 Joachim Ehrhardt Kernforschungszentrum Karlsruhe/INR Postfach 3640 D-7500 Karlsruhe 1 FEDERAL REPUBLIC OF GERMANY Dist-6 Adel A. El-Bassioni USNRC-NRR/PRAB MS: lOA-2 J. Mark Elliott International Energy Associates, Ltd., Suite 600 600 New Hampshire Ave., NW Washington, DC 20037 Farouk Eltawila USNRC-RES/AEB MS : NL/N-344 Mike Epstein Fauske and Associates P. 0. Box 1625 16W070 West 83rd Street Burr Ridge, IL 60521 Malcolm L. Ernst USNRC-RGN II F. R. Farmer The Long Wood, Lyons Lane Appleton, Warrington WA4 5ND UNITED KINGDOM P. Fehrenback Atomic Energy of Canada, Ltd. Chalk River Nuclear Laboratories Chalk River Ontario, KOJlPO CANADA P. Ficara ENEA Cre Casaccia Department for Thermal Reactors Via Anguillarese, 301 00100 ROMA ITALY A. Fiege Kernforschungszentrum Postfach 3640 D-7500 Karlsruhe FEDERAL REPUBLIC OF GERMANY John Flack USNRC-RES/SAIB MS: NLS-324 * 
* George F. Flanagan Oak Ridge National Laboratory P.O. Box Y Oak Ridge, TN 37831 Karl N. Fleming Pickard, Lowe & Garrick, Inc. 2260 University Drive Newport Beach, CA 92660 Terry Foppe Rocky Flats Plant P. 0. Box 464, Building T886A Golden, CO 80402-0464 Joseph R. Fragola Science Applications International Corporation 274 Madison Avenue New York, NY 10016 Wiktor Frid Swedish Nuclear Power Inspectorate Division of Reactor Technology P. 0. Box 27106 S-102 52 Stockholm SWEDEN James Fulford NUS Corporation 910 Clopper Road Gaithersburg, MD 20878 Urho Fulkkinen Technical Research Centre of Finland Electrical Engineering Laboratory Otakaari 7 B SF-02150 Espoo 15 FINLAND J.B. Fussell JBF Associates, Inc. 1630 Downtown West Boulevard Knoxville, TN 37919 John Garrick Pickard, Lowe & Garrick, Inc. 2260 University Drive Newport Beach, CA 92660 John Gaunt British Embassy 3100 Massachusetts Avenue, NW Washington, DC 20008 Jim Gieseke Battelle Columbus Division 505 King Avenue Columbus, OH 43201 Frank P. Gillespie USNRC-NRR/PMAS MS: 12G-18 Ted Ginsburg Department of Nuclear Energy
* Building 820 Brookhaven National Laboratory Upton, NY 11973 James C. Glynn USNRC-RES/PRAB MS: NL/S-372 P. Govaerts Departement de la Surete Nucleaire Association Vincotte avenue du Roi 157 B-1060 Bruxelles BELGIUM George Greene Building 820M Brookhaven National Laboratory Upton, NY 11973 Carrie Grimshaw Brookhaven National Laboratory Building 130 Upton, NY 11973 H. J. Van Grol Energy Technology Division Energieonderzoek Centrum Nederland Westerduinweg 3 Postbus 1 NL-1755 Petten ZG NETHERLANDS Ser~io Guarro Lawrence Livermore Laboratories P. 0. Box 808 Livermore, CA 94550 Dist-7 Sigfried Hagen Kernforschungzentrum Karlsruhe P. 0. Box 3640 D-7500 Karlsruhe 1 FEDERAL REPUBLIC OF GERMANY L. Hammar Statens Karnkraftinspektion P.O. Box 27106 S-10252 Stockholm SWEDEN Stephen Hanauer Technical Analysis Corp. 6723 Whittier Avenue Suite 202 McLean, VA 22101 Brad Hardin USNRC-RES/TRAB MS: NL/S-169 R. J. Hardwich, Jr. Virginia Electric Power Co. P.O. Box 26666 Richmond, Va 23261 Michael R. Haynes UKAEA Harwell Laboratory Oxfordshire Didcot, Oxon., OXll ORA ENGLAND Michael J. Hazzan Stone & Webster 3 Executive Campus Cherry Hill, NJ 08034 A. Hedgran Royal Institute of Technology Nuclear Safety Department Bunellvagen 60 10044 Stockholm SWEDEN Sharif Heger UNM Chemical and Nuclear Engineering Department Farris Engineering Room 209 Albuquerque, NM 87131 Jon C. Helton Dept. of Mathematics Arizona State University Tempe, AZ 85287 Robert E. Henry Fauske and Associates, Inc. 16W070 West 83rd Street Burr Ridge, IL 60521 P. M. Herttrich Federal Ministry for the Environment, Preservation of Nature and Reactor Safety Husarenstrasse 30 Postfach 120629 D-5300 Bonn 1 FEDERAL REPUBLIC OF GERMANY F. Heuser Giesellschaft Fur Reaktorsicherheit Forschurgsgelande D-8046 Garching FEDERAL REPUBLIC OF GERMANY E. F. Hicken Giesellschaft Fur Reaktorsicherheit Forschungsgelande D-8046 Garching FEDERAL REPUBLIC OF GERMANY D. J. 
Higson Radiological Support Group Nuclear Safety Bureau Australian Nuclear Science and Technology Organisation P.O. Box 153 Rosebery, NSW 2018 AUSTRALIA Daniel Hirsch University of California A. Stevenson Program on Nuclear Policy Santa Cruz, CA 95064 H. Hirschmann Hauptabteilung Sicherheit und Umwelt Dist-8 Swiss Federal Institute for Reactor Research (EIR) CH-5303 Wurenlingen SWITZERLAND
* ** Mike Hitchler Westinghouse Electric Corp. Savanna River Site Aiken, SC 29808 Richard Hobbins EG&G Idaho P. 0. Box 1625 Idaho Falls, ID 83415 Steven Hodge Oak Ridge National Laboratory P.O. Box Y Oak Ridge, TN 37831 Lars Hoegberg Office of Regulation and Research Swedish Nuclear Power Inspectorate P.O. Box 27106 S-102 52 Stockholm SWEDEN Lars Hoeghort IAEA A-1400 Wagranerstraase 5 P.O. Box 100 Vienna, 22 AUSTRIA Edward Hofer Giesellschaft Fur Reaktorsicherheit Forschurgsgelande D-8046 Garching FEDERAL REPUBLIC OF GERMANY Peter Hoffmann Kernforschingszentrum Karlsruhe Institute for Material Und Festkorperforsching I Postfach 3640 D-7500 Karlsruhe 1 FEDERAL REPUBLIC OF GERMANY N. J. Holloway UKAEA Safety and Reliability Directorate Wigshaw Lane, Culcheth Warrington, Cheshire, WA34NE UNITED KINGDOM Dist-9 Stephen C. Hora University of Hawaii at Hilo Division of Business Administration and Economics College of Arts and Sciences Hilo, HI 96720-4091 J. Peter Hoseman Swiss Federal Institute for Reactor Research CH-5303, Wurenlingen SWITZERLAND Thomas C. Houghton KMC, Inc. 1747 Pennsylvania Avenue, NW Washington, DC 20006 Dean Houston USNRC-ACRS MS: P-315 Der Yu Hsia Taiwan Atomic Energy Council 67, Lane 144, Keelung Rd. Sec. 4 Taipei TAIWAN Alejandro Huerta-Bahena National Commission on Nuclear Safety and Safeguards (CNSNS) Insurgentes Sur N. 1776 Col. Florida C. P. 04230 Mexico, D.F. MEXICO Kenneth Hughey [2] SERI 5360 I-55 North Jackson, MS 39211 Won-Guk Hwang Kzunghee University Yongin-Kun Kyunggi-Do 170-23 KOREA Michio Ichikawa Japan Atomic Energy Research Inst. Dept. of Fuel Safety Research Tokai-Mura, Naka-Gun Ibaraki-Ken, 319-1 JAPAN Sanford Israel USNRC-AEOD/ROAB MS: MNBB-9715 Krishna R. Iyengar Louisiana Power and Li~ht 200 A Huey P. Long Avenue Gretna, I.A 70053 Jerry E. Jackson USNRC-RES MS: NL/S-302 R. E. Jaquith Combustion Engineering, Inc. 1000 Prospect Hill Road M/C 9490-2405 Windsor, CT 06095 S. E. 
Jensen Exxon Nuclear Company 2101 Horn Rapids Road Richland, WA 99352 Kjell Johannson Studsvik Energiteknik AB S-611 82, Nykoping SWEDEN Richard John SSM, Room 102 927 W. 35th Place USC, University Park Los Angeles, CA 90089-0021 D. H. Johnson Pickard, Lowe & Garrick, Inc. 2260 University Drive Newport Beach, CA 92660 W. Reed Johnson Department of Nuclear Engineering University of Virginia Reactor Facility Charlottesville, VA 22901 Jeffery Julius NUS Corporation 1301 S. Central Ave, Suite 202 Kent, WA 98032 H. R. Jun Korea Adv. Energy Research Inst. P.O. Box 7, Daeduk Danju Chungnam 300-31 KOREA Peter Kafka Gesellschaft Fur Reaktorsicherheit Forschungsgelande D-8046 Garching FEDERAL REPUBLIC OF GERMANY Geoffrey D. Kaiser Science Application Int. Corp. 1710 Goodridge Drive McLean, VA 22102 William Kastenberg UGI.A Boelter Hall, Room 5532 Los Angeles, CA 90024 Walter Kato Brookhaven National Laboratory Associated Universities, Inc. Upton, NY 11973 M. S. Kazimi MIT, 24-219 Cambridge, MA 02139 Ralph L. Keeney 101 Lombard Street Suite 704W San Francisco, CA 94111 Henry Kendall Executive Director Union of Concerned Scientists Cambridge, MA Frank King Ontario Hydro 700 University Avenue Bldg. Hll GS Toronto CANADA M5GlX6 Dist-10 * * 
* Oliver D. Kingsley, Jr. Tennessee Valley Authority 1101 Market Street GN-38A Lookout Place Chattanooga, TN 37402 Stephen R. Kinnersly Winfrith Atomic Energy Establishment Reactor Systems Analysis Division Winfrith, Dorchester Dorset DT2 8DH ENGLAND Ryohel Kiyose University of Tokyo Dept. of Nuclear Engineering 7-3-1 Hongo Bunkyo Tokyo 113 JAPAN George Klopp Commonwealth Edison Company P.O. Box 767, Room 35W Chicago, IL 60690 Klaus Koberlein Gesellschaft Fur Reaktorsicherheit Forschungsgelande D-8046 Garching FEDERAL REPUBLIC OF GERMANY E. Kohn Atomic Energy Canada Ltd. Candu Operations Mississauga Ontario, LSK 1B2 CANADA Alan M. Kolaczkowski Science Applications International Corporation 2109 Air Park Road, S.E. Albuquerque, NM 87106 S. Kondo Department of Nuclear Engineering Facility of Engineering University of Tokyo 3-1, Hongo 7, Bunkyo-ku Tokyo JAPAN Herbert J. C. Kouts Brookhaven National Laboratory Building 179C Upton, NY 11973 Thomas Kress Oak Ridge National Laboratory P.O. Box Y Oak Ridge, TN 37831 W. Kroger Institut fur Nukleare Sicherheitsforschung Kernforschungsanlage Julich GmbH Postfach 1913 D-5170 Julich 1 FEDERAL REPUBLIC OF GERMANY Greg Krueger [3] Philadelphia Electric Co. 2301 Market St. Philadelphia, PA 19101 Bernhard Kuczera Kernforschungzentrum Karlsruhe LWR Safety Project Group (PRS) P. 0. Box 3640 D-7500 Karlsruhe 1 FEDERAL REPUBLIC OF GERMANY Jeffrey L. Lachance Science Applications International Corporation 2109 Air Park Road S.E. Albuquerque, NM 87106 H. Larsen Riso National Laboratory Postbox 49 DK-4000 Roskilde DENMARK Wang L. Lau Tennessee Valley Authority 400 West Summit Hill Avenue Knoxville, TN 37902 Timothy J. Leahy EI Services 18'51 South Central Place, Suite 201 Kent, WA 98031 Dist-11 John C. Lee Univ of Michigan, North Campus Dept. of Nuclear Engineering Ann Arbor, MI 48109 Tim Lee USNRC-RES/RPSB MS: NL/N-353 Mark T. Leonard Science Applications Int. Corp. 
2109 Air Park Road, SE Albuquerque, NM 87106 Leo Lesage Director, Applied Physics Div. Argonne National Laboratory Building 208, 9700 South Cass Ave. Argonne, IL 60439 Milton Levenson Bechtel Western Power Company 50 Beale St. San Francisco, CA 94119 Librarian NUMARC/USCEA 1776 I Street NW, Suite 400 Washington, DC 80006 Eng Lin Taiwan Power Company 242, Roosevelt Rd., Sec. 3 Taipei TAIWAN N. J. Liparulo Westinghouse Electric Corp. P.O. Box 355 Pittsburgh, PA 15230 Y. H. (Ben) Liu Dept. of Mechanical Engineering University of Minnesota Minneapolis, MN 55455 Bo Liwnang IAEA A-1400 Swedish Nuclear Power Inspectorate P.O. Box 27106 S-102 52 Stockholm SWEDEN J.P. Longworth Central Electric Generating Board Berkeley Gloucester GL13 9PB UNITED KINGDOM Walter Lowenstein Electric Power Research Institute 3412 Hillview Avenue P. 0. Box 10412 Palo Alto, CA 94303 William J. Luckas Brookhaven National Laboratory Building 130 Upton, NY 11973 Hans Ludewig Brookhaven National Laboratory Building 130 Upton, NY 11973 Robert J. Lutz, Jr. Westinghouse Electric Corporation Monroeville Energy Center EC-E-371, P. 0. Box 355 Pittsburgh, PA 15230-0355 Phillip E. MacDonald EG&G Idaho, Inc. P.O. Box 1625 Idaho Falls, ID 83415 Jim Mackenzie World Resources Institute 1735 New York Ave. NW Washington, DC 20006 David P. Mackowiak Idaho Nat. Engineering Laboratory P.O. Box 1625 Idaho Falls, ID 83415 A. P. Malinauskas Oak Ridge National Laboratory P.O. Box Y Oak Ridge, TN 37831 Giuseppe Mancini Commission European Comm. CEC-JRC Eraton Ispra Varese ITALY Dist-12 * * *
* Lasse Mattila Technical Research Centre of Finland Lonnrotinkatu 37, P. 0. Box 169 SF-00181 Helsinki 18 FINLAND Roger J. Mattson SCIENTECH Inc. 11821 Parklawn Dr. Rockville, MD 20852 Donald McPherson USNRC-NRR/DONRR MS: 12G-18 Jim Metcalf Stone and Webster Engineering Corporation 245 Summer St. Boston, MA 02107 Mary Meyer A-1, MS F600 Los Alamos National Laboratory Los Alamos, NM 87545 Ralph Meyer USNRC-RES/AEB MS: NL/N-344 Charles Miller 8 Hastings Rd. Momsey, NY 10952 Joseph Miller Gulf States Utilities P. 0. Box 220 St. Francisville, LA 70775 William Mims Tennessee Valley Authority 400 West Summit Hill Drive. Wl0Dl99C-K Knoxville, TN 37902 Jocelyn Mitchell USNRC-RES/SAIB MS: NL/S-324 Kam Mohktarian CBI Na-Con Inc. 800 Jorie Blvd. Oak Brook, IL 60521 James Moody P.O. Box 641 Rye, NH 03870 S. Mori Nuclear Safety Division OECD Nuclear Energy Agency 38 Blvd. Suchet 75016 Paris FRANCE Walter B. Murfin P.O. Box 550 Mesquite, NM 88048 Joseph A. Murphy USNRC-RES/DSR MS: NL/S-007 V. I. Nath Safety Branch Safety Engineering Group Sheridan Park Research Community Mississauga, Ontario L5K 1B2 CANADA Susan J. Niemczyk 1545 18th St. NW, #112 Washington, DC 20036 Pradyot K. Niyogi USDOE-Office of Nuclear Safety Washington, DC 20545 Paul North EG&G Idaho, Inc. P. 0. Box 1625 Idaho Falls, ID 83415 Edward P. O'Donnell Ebasco Services, Inc. 2 World Trade Center, 89th Floor New York, NY 10048 David Okrent UCLA Boelter Hall, Room 5532 Los Angeles, CA 90024 Robert L. Olson Tennessee Valley Authority 400 West Summit Hill Rd. Knoxville, TN 37902 Dist-13 Simon Ostrach Case Western Reserve University 418 Glenman Bldg. Cleveland, OH 44106 D. Paddleford Westinghouse Electric Corporation Savanna River Site Aiken, SC 29808 Robert L. Palla, Jr. USNRC-NRR/PRAB MS: lOA-2 -ehang K. Park Brookhaven National Laboratory Building 130 Upton, NY 11973 Michael C. Parker Illinois Department of Nuclear Safety 1035 Outer Park Dr. 
Springfield, IL 62704 Gareth Parry NUS Corporation 910 Clopper Road Gaithersburg, MD 20878 J. Pelee* Departement de Surete Nucleaire IPSN Centre d'Estudes Nucleaires du CEA B.P. no. 6, Cedex F-92260 Fontenay-aux-Roses FRANCE G. Petrangeli ENEA Nuclear Energy ALT Disp Via V. Brancati, 48 00144 Rome ITALY Marty Plys Fauske and Associates 16W070 West 83rd St. Burr Ridge, IL 60521 Mike Podowski Department of Nuclear Engineering and Engineering Physics RPI Troy, NY 12180-3590 Robert D. Pollard Union of Concerned Scientists 1616 P Street, NW, Suite 310 Washington, DC 20036 R. Potter UK Atomic Energy Authority Winfrith, Dorchester Dorset, DT2 8DH UNITED KINGDOM William T. Pratt Brookhaven National Laboratory Building 130 Upton, NY 11973 M. Preat Chef du Service Surete Nucleaire et Assurance Qualite TRACTEBEL Bd. du Regent 8 B-100 Bruxells BELGIUM David Pyatt USDOE MS: EH-332 Washington, DC 20545 William Raisin NUMAEC 1726 M St. NW Suite 904 Washington, DC 20036 Joe Rashid ANATECH Research Corp. 3344 N. Torrey Pines Ct. Suite 1320 La Jolla, CA 90237 Dale M. Rasmuson USNRC-RES/PRAB MS: NL/S-372 Ingvard Rasmussen Riso National Laboratory Postbox 49 DK-4000, Roskilde DENMARK Dist-14 * * * 
* Norman C. Rasmussen Massachusetts Institute of Technology 77 Massachusetts Avenue Cambridge, MA 02139 John W. Reed Jack R. Benjamin & Associates, Inc. 444 Castro St., Suite 501 Mountain View, CA 94041 David B. Rhodes Atomic Energy of Canada, Ltd. Chalk River Nuclear Laboratories Chalk River, Ontario KOJlPO CANADA Dennis Richardon Westinghouse Electric Corporation P.O. Box 355 Pittsburgh, PA 15230 Doug Richeard Virginia Electric Power Co. P.O.Box 26666 Richmond, VA 23261 Robert Ritzman Electric Power Research Institute 3412 Hillview Avenue Palo Alto, CA 94304 Richard Robinson USNRC-RES/PRAB MS: NL/S-372 Jack E. Rosenthal USNRC-AEOD/ROAB MS: MNBB-9715 Denwood F. Ross USNRC-RES MS: NL/S-007 Frank Rowsome 9532 Fern Hollow Way Gaithersburg, MD 20879 Wayne Russell SERI 5360 I-55 North Jackson, MS 39211 Jorma V. Sandberg Finnish Ctr. Rad. Nucl. and Safety Department of Nuclear Safety P.O. Box 268 SF-00101 Helsinki FINLAND G. Saponaro ENEA Nuclear Engineering Alt. Zia V Brancati 4B 00144 ROME ITALY M. Sarran United Engineers P. 0. Box 8223 30 S 17th Street Philadelphia, PA 19101 Marty Sattison EG&G Idaho P. 0. Box 1625 Idaho Falls, ID 83415 George D. Sauter Electric Power Research Institute 3412 Hillview Avenue Palo Alto, CA 94303 Jorge Schulz Bechtel Western Power Corporation 50 Beale Street San Francisco, CA 94119 B. R. Sehgal Electric Power Research Institute 3412 Hillview Avenue Palo Alto, CA 94303 Subir Sen Bechtel Power Corp. 15740 Shady Grove Road Location lA-7 Gaithersburg, MD 20877 S. Serra Ente Nazionale per l'Energia Electtrica (ENEL) via G. B. Martini 3 Rome' ITALY Dist-15 Bonnie J. Shapiro Science Applications International Corporation 360 Bay Street Suite 200 Augusta, GA 30901 H. Shapiro Licensing and Risk Branch Atomic Energy of Canada Ltd. Sheridan Park Research Community Mississauga, Ontario L5K 1B2 CANADA Dave Sharp Westinghouse Savannah River Co. Building 773-41A, P. 0. 
Box 616 Aiken, SC 29802 John Sherman Tennessee Environmental Council 1719 West End Avenue, Suite 227 Nashville, TN 37203 Brian Sheron USNRC-RES/DSR MS: NL/N-007 Rick Sherry JAYCOR P. 0. Box 85154 San Diego, CA 92138 Steven C. Sholly MHB Technical Associates 1723 Hamilton Avenue, Suite K San Jose, CA 95125 Louis M. Shotkin USNRC-RES/RPSB MS: NL/N-353 M. Siebertz Chef de la Section Surete' des Reacteurs CEN/SCK Boeretang, 200 B-2400 Mol BELGIUM Melvin Silberberg USNRC-RES/DE/WNB MS: NL/S-260 Gary Smith SERI 5360 1-55 North Jackson, MS 39211 Gary L. Smith Westinghouse Electric Corporation Hanford Site Box 1970 Richland, WA 99352 Lanny N. Smith Science Applications International Corporation 2109 Air Park Road SE Albuquerque, NM 87106 K. Soda Japan Atomic Energy Res. Inst. Tokai-Mura Naka-Gun Ibaraki-Ken 319-11 JAPAN Leonard Soffer USNRC-RES/SAIB MS: NL/S-324 David Sommers Virginia Electric Power Company P. 0. Box 26666 Richmond, VA 23261 Herschel Spector New York Power Authority 123 Main Street White-Plains, NY 10601 Themis P. Speis USNRC-RES MS: NL/S-007 Klaus B. Stadie OECD-NEA, 38 Bld. Suchet 75016 Paris FRANCE John Stetkar Pickard, Lowe & Garrick, Inc. 2216 University Drive Newport Beach, CA 92660 Dist-16 * *
* Wayne L. Stiede Commonwealth Edison Company P.O. Box 767 Chicago, IL 60690 William Stratton Stratton & Associates 2 Acoma Lane Los Alamos, NM 87544 Soo-Pong Suk Korea Advanced Energy Research Institute P. 0. Box 7 Daeduk Danji, Chungnam 300-31 KOREA W. P. Sullivan GE Nuclear Energy 175 Curtner Ave., M/C 789 San Jose, CA 95125 Tony Taig U.K. Atomic Energy Authority Wigshaw Lane, Culcheth Warrington, Cheshire, WA3 4NE UNITED KINGDOM John Taylor Electric Power Research Institute 3412 Hillview Avenue Palo Alto, CA 94303 Harry Teague U.K. Atomic Energy Authority Wigshaw Lane, Culcheth Warrington, Cheshire, WA3 4NE UNITED KINGDOM Technical Library Electric Power Research Institute P.O. Box 10412 Palo Alto, CA 94304 Mark I. Temme General Electric, Inc. P.O. Box 3508 Sunnyvale, CA 94088 T. G. Theofanous University of California, S.B. Department of Chemical and Nuclear Engineering Santa Barbara, CA 93106 David Teolis Westinghouse-Bettis Atomic Power Laboratory P. 0. Box 79, ZAP 34N West Mifflin, PA 15122-0079 Ashok C. Thadani USNRC-NRR/SAD MS: 7E-4 Garry Thomas L-499 (Bldg. 490) Lawrence Livermore National Laboratory 7000 East Ave. P.O. Box 808 Livermore, CA 94550 Gordon Thompson Institute for Research and Security Studies 27 Ellworth Avenue Cambridge, MA 02139 Grant Thompson League of Women Voters 1730 M. Street, NW Washington, DC 20036 Arthur Tingle Brookhaven National Laboratory Building 130 Upton, NY 11973 Rich Toland United Engineers and Construction 30 S. 17th St., MS 4V7 Philadelphia, PA 19101 Brian J. R. Tolley DG/XII/D/1 Commission of the European Communities Rue de la Loi, 200 B-1049 Brussels BELGIUM David R. Torgerson Atomic Energy of Canada Ltd. Whiteshell Nuclear Research Establishment Pinawa, Manitoba, ROE lLO CANADA Dist-17 Alfred F. Torri Pickard, Lowe & Garrick, Inc. 
191 Calle Magdalena, Suite 290 Encinitas, CA 92024 Klau Trambauer Gesellschaft Fur Reaktorsicherheit Forschungsgelande D-8046 Garching FERERAL REPUBLIC OF GERMANY Nicholas Tsoulfanidis Nuclear Engineering Dept. University of Missouri-Rolla Rolla, MO 65401-0249 Chao-Chin Tung c/o H.B. Bengelsdorf ERC Environmental Services Co. P. 0. Box 10130 Fairfax, VA 22030 Brian D. Turland UKAEA Culham Laboratory Abingdon, Oxon OX14 3DB ENGLAND Takeo Uga Japan Institute of Nuclear Safety Nuclear Power Engineering Test Center 3-6-2, Toranomon Minato-ku, Tokyo 108 JAPAN Stephen D. Unwin Battelle Columbus Division 505 King Avenue Columbus, OH 43201 A. Valeri DISP ENEA Via Vitaliano Brancati, 48 I-00144 Rome ITALY Harold VanderMolen USNRC-RES/PRAB MS: NL/S-372 G. Bruce Varnado ERC International 1717 Louisiana Blvd. NE, Suite 202 Albuquerque, NM 87110 Jussi K. Vaurio Imatran Voima Oy Loviisa NPS SF-07900 Loviisa FINLAND William E. Vesely Science Applications International Corporation 2929 Kenny Road, Suite 245 Columbus, OH 43221 J. I. Villadoniga Tallon Div. of Analysis and Assessment Consejo de Seguridad Nuclear c/ Sor Angela de la Cruz, 3 28020 Madrid SPAIN Willem F. Vinck Kapellestract 25 1980 Tervuren BELGIUM R. Virolainen Office of Systems Integration Finnish Centre for Radiation and Nuclear Safety Department of Nuclear Safety P.O. Box 268 Kumpulantie 7 SF-00520 Helsinki FINLAND Raymond Viskanta School of Mechanical Engineering Purdue University West Lafayette, IN 47907 S. Visweswaran General Electric Company 175 Curtner Avenue San Jose, CA 95125 Truong Vo Pacific Northwest Laboratory Battelle Blvd. Richland, WA 99352 Dist-18 * 
Richard Vogel, Electric Power Research Institute, P.O. Box 10412, Palo Alto, CA 94303
G. Volta, Engineering Division, CEC Joint Research Centre, CP No. 1, I-21020 Ispra (Varese), ITALY
Ian B. Wall, Electric Power Research Institute, 3412 Hillview Avenue, Palo Alto, CA 94303
Adolf Walser, Sargent and Lundy Engineers, 55 E. Monroe Street, Chicago, IL 60603
Edward Warman, Stone & Webster Engineering Corp., P.O. Box 2325, Boston, MA 02107
Norman Weber, Sargent & Lundy Co., 55 E. Monroe Street, Chicago, IL 60603
Lois Webster, American Nuclear Society, 555 N. Kensington Avenue, La Grange Park, IL 60525
Wolfgang Werner, Gesellschaft Fur Reaktorsicherheit, Forschungsgelande, D-8046 Garching, FEDERAL REPUBLIC OF GERMANY
Don Wesley, IMPELL, 1651 East 4th Street, Suite 210, Santa Ana, CA 92701
Detlof von Winterfeldt, Institute of Safety and Systems Management, University of Southern California, Los Angeles, CA 90089-0021
Pat Worthington, USNRC-RES/AEB, MS: NL/N-344
John Wreathall, Science Applications International Corporation, 2929 Kenny Road, Suite 245, Columbus, OH 43221
D. J. Wren, Atomic Energy of Canada Ltd., Whiteshell Nuclear Research Establishment, Pinawa, Manitoba, R0E 1L0, CANADA
Roger Wyrick, Inst. for Nuclear Power Operations, 1100 Circle 75 Parkway, Suite 1500, Atlanta, GA 30339
Kun-Joong Yoo, Korea Advanced Energy Research Institute, P.O. Box 7, Daeduk Danji, Chungnam 300-31, KOREA
Faith Young, Energy People, Inc., Dixon Springs, TN 37057
Jonathan Young, R. Lynette and Associates, 15042 Northeast 40th St., Suite 206, Redmond, WA 98052
C. Zaffiro, Division of Safety Studies, Directorate for Nuclear Safety and Health Protection, Ente Nazionale Energie Alternative, Via Vitaliano Brancati, 48, I-00144 Rome, ITALY
Mike Zentner, Westinghouse Hanford Co., P.O. Box 1970, Richland, WA 99352
X. Zikidis, Greek Atomic Energy Commission, Agia Paraskevi, Attiki, Athens, GREECE
Bernhard Zuczera, Kernforschungszentrum, Postfach 3640, D-7500 Karlsruhe, FEDERAL REPUBLIC OF GERMANY
6500 A. W. Snyder
6510 J. V. Walker
6517 M. Berman
6517 M. P. Sherman
6521 L. D. Bustard
6523 W. A. von Riesemann
8524 J. A. Wackerly
1521 J. R. Weatherby
3141 S. A. Landenberger [5]
3151 W. I. Klein
5214 D. B. Clauss
6344 E. D. Gorham
6001 D. D. Carlson
6001 R. J. Breeding
6001 D. M. Kunsman
6400 D. J. Mccloskey
6410 D. A. Dahlgren
6412 A. L. Camp
6412 S. L. Daniel
6412 T. M. Hake
6412 L. A. Miller
6412 D. B. Mitchell
6412 A. C. Payne, Jr.
6412 T. T. Sype
6412 T. A. Wheeler
6412 D. W. Whitehead
6413 T. D. Brown
6413 F. T. Harper [2]
6415 R. M. Cranwell
6415 W. R. Cramond [3]
6415 R. L. Iman
6418 J. E. Kelly
6418 K. J. Maloney
6419 M. P. Bohn
6419 J. A. Lambright
6422 D. A. Powers
6424 K. D. Bergeron
6424 J. J. Gregory
6424 D. R. Bradley
6424 D. C. Williams
6425 S. S. Dosanjh
6453 J. S. Philbin
NRC FORM 335 (2-89) NRCM 1102, 3201, 3202 U.S. NUCLEAR REGULATORY COMMISSION BIBLIOGRAPHIC DATA SHEET (See instructions on the reverse)
1. REPORT NUMBER (Assigned by NRC. Add Vol., Supp., Rev., and Addendum Numbers, if any.) NUREG/CR-4550 SAND86-2084 Vol. 3, Rev. 1, Part 1
2. TITLE AND SUBTITLE Analysis of Core Damage Frequency: Surry, Unit 1, Internal Events
3. DATE REPORT PUBLISHED MONTH April YEAR 1990
4. FIN OR GRANT NUMBER A1228
5. AUTHOR(S) R. C. Bertucio,* J. A. Julius*
6. TYPE OF REPORT Technical
7. PERIOD COVERED (Inclusive Dates)
8. PERFORMING ORGANIZATION - NAME AND ADDRESS (If NRC, provide Division, Office or Region, U.S. Nuclear Regulatory Commission, and mailing address; if contractor, provide name and mailing address.) Sandia National Laboratories, Albuquerque, NM 87185 *EI Services, Kent, WA 98031
9. SPONSORING ORGANIZATION - NAME AND ADDRESS (If NRC, type "Same as above"; if contractor, provide NRC Division, Office or Region, U.S. Nuclear Regulatory Commission, and mailing address.)
Division of Systems Research, Office of Nuclear Regulatory Research, US Nuclear Regulatory Commission, Washington, DC 20555
ABSTRACT (200 words or less)
This document contains the accident sequence analyses of internally initiated events for the Surry Nuclear Station, Unit 1. This is one of the five plant analyses conducted as part of the NUREG-1150 effort by the Nuclear Regulatory Commission. NUREG-1150 documents the risk of a selected group of nuclear power plants. The work performed and described here is an extensive reanalysis of that published in November 1986 as NUREG/CR-4550, Volume 3. It addresses comments from numerous reviewers and significant changes to the plant systems and procedures made since the first report. The uncertainty analysis and presentation of results are also much improved.
The context and detail of this report are directed toward PRA practitioners who need to know how the work was performed and the details for use in further studies. The mean core damage frequency at Surry was calculated to be 4.0E-5 per year, with a 95% upper bound of 1.3E-4 and 5% lower bound of 6.8E-6 per year. Station blackout type accidents (loss of all AC power) were the largest contributors to the core damage frequency, accounting for approximately 68% of the total. The next type of dominant contributors were Loss of Coolant Accidents (LOCAs). These sequences account for 15% of core damage frequency. No other type of sequence accounts for more than 10% of core damage frequency.
12. KEY WORDS/DESCRIPTORS (List words or phrases that will assist researchers in locating the report.) Probabilistic Risk Assessment (PRA); safety analysis; uncertainty analysis; accident sequence analysis
13. AVAILABILITY STATEMENT unlimited
14. SECURITY CLASSIFICATION (This Page) unclassified (This Report) unclassified
15. NUMBER OF PAGES
16. PRICE
UNITED STATES NUCLEAR REGULATORY COMMISSION, WASHINGTON, D.C. 20555. OFFICIAL BUSINESS. PENALTY FOR PRIVATE USE, $300. SPECIAL FOURTH-CLASS RATE, POSTAGE & FEES PAID, USNRC PERMIT No. G-67}}

Latest revision as of 20:06, 5 January 2025

Analysis of Core Damage Frequency:Surry,Unit 1,INTERNAL Events
ML18151A143
Person / Time
Site: Surry
Issue date: 04/30/1990
From: Bertucio R, Julius J
EI SERVICES, INC., SANDIA NATIONAL LABORATORIES
To:
NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
References
CON-FIN-A-1228 NUREG-CR-4550, NUREG-CR-4550-V3R1P1, NUREG-CR-4550P1, SAND86-2084, NUDOCS 9006080175


Text