|
|
| (3 intermediate revisions by the same user not shown) |
| Line 17: |
Line 17: |
|
| |
|
| =Text= | | =Text= |
| {{#Wiki_filter:r NUREG/CR-4550 SAND86-2084 Vol. 3, Rev. 1, Part 1 Analysis of | | {{#Wiki_filter:}} |
| * Core Damage Frequency:
| |
| Surry, Unit 1 Internal Events Prepared by R. C. Bertucio, J. A. Julius Sandia National Laboratories Prepared for U.S. Nuclear Regulatory Commission
| |
| *(/' 90060801 75900430 PDR P
| |
| ADOCJ'I. 05000280 PDR
| |
| \
| |
| :
| |
| | |
| ti 1.
| |
| AVAILABILITY NOTICE Availability of Reference Materials Cited in NRC Publications Most documents cited In NRC publications will be available from one of the following sources:
| |
| The NRC Public Document Room, 2120 L Street, NW, Lower Level, Washington, DC 20555
| |
| * ~
| |
| ~
| |
| l I
| |
| )
| |
| : 2. The Superintendent of Documents, U.S. Government Printing Office, P.O. Box 37082, Washington, I DC 20013-7082 1,
| |
| : 3. The National Technical Information Service, Springfield, VA 22161 (i
| |
| [I Although the listing that follows represents the majority of documents cited In NRC publications, It Is not Intended to be exhaustive.
| |
| (
| |
| Referenced documents available for Inspection and copying for a fee from the NRC Public Document Room Include NRC correspondence and Internal NRC memoranda; NRC Office of Inspection and Enforcement f 1 bulletins, circulars, information notices, Inspection and Investigation notices; Licensee Event Reports; ven-
| |
| ',i dor reports and correspondence; Commission papers; and applicant and licensee documents and corre-1' spondence. ,,I The following documents In the NUREG series are available for purchase from the GPO Sales Program:
| |
| formal NRC staff and contractor reports, NRG-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations In the Code of Federal Regulations, and Nuc/.ear Regulatory Commission Issuances.
| |
| Documents available from the National Technical Information Service Include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commis-sion, forerunner agency to the Nuclear Regulatory Commission.
| |
| Documents av all able from public and special technical libraries Include all open literature items, such as bc.oks, journal and periodical articles, and transactions. Federal Register notices, federal and state legisla-tion, and congressional reports can usually be obtained from these libraries.
| |
| Documents such as theses, dissertations, foreign reports and translations, and non-N RC conference pro-r ceedings are available for purchase from the organization sponsoring the publication cited.
| |
| i Single copies of NRC draft reports are available free, to the extent of supply. upon written request to the Office of Information Resources Management, Distribution Section, U.S. Nuclear Regulatory Commission,
| |
| '(1 Washington, DC 20555.
| |
| {
| |
| I Coples of Industry codes and standards used In a substantive manner In the NRC regulatory process are l:
| |
| maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for refer- I l
| |
| ence use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, If they are American National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018.
| |
| DISCLAIMER NOTICE This report was prepared as an account of work sponsored by an agency of the United States Government.
| |
| Neither the United States Government nor any agency thereof, or any oftheir employees, makes any warranty, expresed or implied, or assumes any legal liability of responsibility for any third party's use, or the results of such use, of any information, apparatus, product or process disclosed in this report, or represents that its use
| |
| * by such third party would not infringe privately owned rights.
| |
| | |
| NUREG/CR-4550 SAND86-2084 Vol. 3, Rev. 1, Part 1 Analysis of Core Damage Frequency:
| |
| Surry, Unit 1 Internal Events Manuscript Completed: February 1990 Date Published: April 1990 Prepared by R. C. Bertucio,
| |
| * J. A Julius*
| |
| Program Manager: A L. Camp Principal Investigator: W.R. Cramond Team Leader: R. C. Bertucio*
| |
| Sandia National Laboratories Albuquerque, NM 87185
| |
| *E. I. Services Kent, WA 98031 Prepared for Division of Systems Research
| |
| * Office of Nuclear Regulatory Research U.S. Nuclear Regulatory Commission Washington, DC 20555 NRC FIN Al228
| |
| ___J
| |
| | |
| ABSTRACT This document contains the accident sequence analyses of internally initiated events for the Surry Nuclear Station, Unit 1. This is one of the five plant analyses conducted as part of the NUREG-1150 effort by the Nuclear Regulatory Commission. NUREG-1150 documents the risk of a selected group of nuclear power plants. The work performed and described here is an extensive reanalysis of that published in: November 1986 as NUREG/CR-4550, Volume 3. It addresses comments from numerous reviewers and significant changes to the plant systems .and procedures made since the first report. The uncertainty analysis and presentation of results are also much improved. The context and detail of this report are directed toward PRA practitioners who need to know how the work was performed and the details for use in further studies.
| |
| The mean core damage frequency at Surry was calculated to be 4.0E-5 per year, with a 95% upper bound of l.3E-4 and 5% lower bound of 6.8E-6 per year. Station blackout type accidents (loss of all AC power) were the largest contributors to the core damage . frequency, accounting for approximately 68% of the total. The next type of dominant contributors were Loss of Coolant Accidents (LOCAs). These sequences account for 15%
| |
| of core damage frequency. No other type of sequence accounts for more than 10% of core damage frequency.
| |
| The numerical results are dominated by the frequency of loss of offsite power, probabilities for non-recovery of off site power, and diesel generator failure probabilities. Considerable effort was expended on the modeling of station blackout sequences, including the development of a reactor coolant pump seal LOCA model through elicitation of expert judgment. The study results can also be used to show the benefit of cross ties of important systems, between the two . units at* the Surry Station.
| |
| This report evaluates core damage frequency from internally initiated events. The consequences of these accidents are evaluated and reported under separate cover. Core damage sequences from externally initiated
| |
| _events are reported in Part 3 of this volume.
| |
| iii
| |
| * CONTENTS Section
| |
| : 1. EXECUTIVE
| |
| | |
| ==SUMMARY==
| |
| ...................................... 1-1 1.1 OBJECTIVES ....................................... 1-1
| |
| : 1. 2 APPROACH ......................................... 1-1
| |
| : 1. 3 RESULTS .......................................... 1-2
| |
| | |
| ==1.4 CONCLUSION==
| |
| S .......... -............................ 1-7 1.4.1 Plant Specific Conclusions ................ 1-8 1.4.2 Accident Sequence Conclusions ............. 1-9 1.4. 3 Plant Damage State Conclusions ............ 1-10 1.4.4 Uncertainty Considerations ................ 1-11 1.4.5 Comparison to Reactor Safety Study ........ 1-11 1.4.6 Other Insights ............................ 1-12
| |
| : 2. PROGRAM SCOPE .......................................... 2 -1
| |
| : 3. PROGRAM REVIEW .......................................... 3 -1 3.1 SENIOR CONSULTANT GROUP ........................... 3-1 3.2 QUALITY CONTROL GROUP ............................. 3-1
| |
| : 3. 3 UTILITY INTERFACE ................................. 3 - 2 3.4 UNCERTAINTY REVIEW PANEL .......................... 3-2
| |
| : 3. 5 PEER REVIEW PANEL ................................. 3-2 3.6 AMERICAN NUCLEAR SOCIETY COMMITTEE ................ 3-3
| |
| : 3. 7 PUBLIC COMMENTS ................................... 3- 3
| |
| : 4. TASK DESCRIPTIONS ................................. -. ..... 4. 1-1
| |
| : 4. 1 TASK FLOW CHART ................................... 4. 1-1 4.2 PLANT FAMILIARIZATION ............................. 4.2-1 4.2.1 Initial Plant Visit ........................ 4.2-1 4.2.2 Information Obtained ....................... 4.2-2 4.2.3 Subsequent Plant Visit During Reanalysis Phase ........................... 4. 2-2 4.3 INITIATING EVENT IDENTIFICATION AND GROUPING .......................................... 4. 3-1 4.3.1 Initiating Event Identification ............ 4.3-1 4.3.2 Support System Failures .................... 4.3-1 4.3.3 Special Initiators ......................... 4.3-12 4.3.4 Final Initiating Event Selection ........... 4.3-14 4.3.5 Ground Rules in Initiating Event Selection .................................. 4.3-15
| |
| * V
| |
| * CONTENTS (Continued)
| |
| Section 4.4 EVENT TREE ANALYSIS ............................... 4. 4-1 4.4.1 Ground Rules and Limitations ............... 4.4-2 4.4.2 T1 (Loss of Offsite Power)
| |
| Event Tree ................................. 4.4-11 4.4.3 T2 (Loss of Main Feedwater)
| |
| Event Tree ................................. 4.4-23 4.4.4 T3 (Turbine Trip with MFW Available)
| |
| Event Tree ................................. 4. 4- 26 4.4.5 T5 (Loss of DC Bus) Event Tree ............. 4.4-30 4.4.6 T7 (Steam Generator Tube Rupture)
| |
| Event Tree ................................. 4.4-33 4.4.7 A (Large LOCA) Event Tree .................. 4.4-38 4.4.8 S1 (Medium LOCA) Event Tree ................ 4.4-41 4.4.9 S2 (Small LOCA) Event Tree ................. 4.4-44 4.4.10 S3 (Very Small LO-CA) Event Tree ............ 4. 4-48 4.4.11 Anticipated Transients Without Scram Event Tree ................................. 4.4-51 4.5 PIANT DAMAGE STATE DEFINITION ..................... 4.5-1 4.5.1 Event Tree/Plant Damage State Analysis Process ........................... 4. 5-1 4.5.2 Definitions of the Plant Damage State Indicators ........................... 4.5-2 4.5.3 Plant Damage State Analysis ................ 4.5-5 4.5.4 Regrouping of Plant Damage States .......... 4.5-13
| |
| : 4. 6 SYSTEM ANALYSIS ................................... 4. 6-1 4.6.1 System Modeling and Scope .................. 4.6-1 4.6.2 Accumulator Model .......................... 4.6-5 4.6.3 Auxiliary Feedwater System Model ........... 4.6-19 4.6.4 Charging Pump Cooling System Model ......... 4.6-26 4.6.5 Component Cooling Water System Model ....... 4.6-32 4.6.6 Consequence Limiting Control System Model ...................................... 4. 6-37 4.6.7 Containment Spray System Model ............. 4.6-41 4.6.8 Emergency Power System Model. .............. 4. 6-45 4.6.9 High Pressure Injection/Recirculation System Model. .............................. 4. 6-53 4.6.10 Inside Spray Recirculation System Model ...................................... 4. 6-62 4.6.11 Low Pressure Injection/Recirculation System :t-!odel ... *............................ 4. 6-67 4.6.12 Outside Spray Recirculation System Model ...................................... 4.6-73 4.6.13 Power Conversion System Model .............. 4.6-77 vi
| |
| * CONTENTS (Continued)
| |
| Section 4.6.14 Primary Pressure Relief System Model ...................................... 4. 6-80 4.6.15 Reactor Protection System Model ............ 4.6-84 4.6.16 Recirculation Mode Transfer System Model ...................................... 4.6-85 4.6.17 Residual Heat Removal System Model ...................................... 4. 6-89 4.6.18 Safety Injection Actuation System Model ...................................... 4. 6-93 4.6.19 Service Water System Model. ............. *... 4.6-96 4.7 ANALYSIS OF DEPENDENT FAILURES .................... 4.7-1 4.7.1 Subtle Interactions ........................ 4.7-1 4.7.2 Common Cause Analysis ...................... 4.7-7 4.8 HUMAN RELIABILITY ANALYSIS ........................ 4.8-1 4.8.1 Summary of Methodology and Scope ........... 4.8-1 4.8.2 Human Actions Analyzed ..................... 4.8-2 4.8.3 Analysis of Pre-Initiator Errors ........... 4.8-2 4.8.4 Analysis of Post-Initiator Operator Actions .................................... 4. 8- 3
| |
| : 4. 8. 5 Innovative Recovery.* ....................... 4. 8-14
| |
| : 4. 9 DATA BASE DEVELOPMENT ............................. 4. 9 -1 4.9.1 Sources of Information for Data Base ....... 4.9-1 4.9.2 Limitations in the Data Base ............... 4.9-2 4.9.3 Data Base Description ...*.................. 4.9-2 4.9.4 Plant Specific Analysis and Use of Generic Data ............................... 4. 9-2 4.10 ACCIDENT SEQUENCE QUANTIFICATION .................. 4.10-1 4.10.1 General Approach .......................... 4.10-1 4.10.2 Identification of Sequences Analyzed ...... 4.10-2 4.10.3 Application of Operator Recovery Actions .................................. *.4.10-17 4.10.4 Assessment of Impact of Operator Actions ...............*................... 4 .10-26 4.11 PLANT DAMAGE STATE QUANTIFICATION ................. 4.11-1 4.11.1 Quantification of Containment Heat Removal ................................... 4 .11-1 4.11.2 Quantification of Containment Isolation Failure ......................... 4. 11-1 4.11.3 Quantification of Plant Damage States ..... 4.11-3 vii
| |
| * CONTENTS (Continued)
| |
| Section 4;12 UNCERTAINTY/SENSITIVITY ANALYSIS .................. 4.12-1 4.12.1 Sources and Treatment of Uncertainties .... 4.12-1 4.12.2 Development of Parameter Distributions .... 4.12-2 4.12.3 Elicitation of Expert Opinion ............. 4.12-2 5.0 RESULTS .*.............................................. 5 -1 5.1 CHARACTERIZATION OF CORE DAMAGE FREQUENCY AND UNCERTAINTY AT SURRY ......................... 5-1
| |
| : 5. 2 ACCIDENT SEQUENCE RESULTS ........* ................ 5-16 5.2.1 Accident Sequences SBO-BATT and
| |
| * SBO-BATT2 ............................... 5-16 5.2.2 Accident Sequences SBO-SLOCA and SBO-SLOCA2 ............................... 5-18 5.2.3 Accident Sequences SBO-L and SBO-L2 ...... 5-19 5.2.4 Accident Sequence V ..................... 5-20 5.2.5 Accident Sequences SBO-Q and SBO-Q2 ...... 5-21 5.2.6 Accident Sequence S1H1 * * * . . * * . . . . . * . . . * .
| |
| * 5-22 5.2.7 Accident Sequences T70nQs and T70nQQ8 * . . .
| |
| * 5-23 5.2.8 Accident Sequence T2 LD 2 . . . * . . * * . * * * . . . * . . 5-23 5.2.9 Accident Sequence S1D1 * * * . . . . * . . * . * . . . * . . 5-24 5.2.10 Accident Sequence TKRZ ................... 5-24 5.2.11 Accident Sequence AH 1 ****.**.*****.....*. 5-24 5.2.12 Accident Sequence T2LP ................... 5-25 5.2.13 Accident Sequence S1 D6 * * * * * * * * * * * * * * * * * * . 5- 25 5.2.14 Accident Sequence AD 5 * * * * * * * * * * * * * * * * * * *
| |
| * 5-26 5.2.15 Accident Sequence TKRD 4 * * . * * * * * . * * * . . * * . . 5-26 5.2.16 Accident Sequence S3D1 * * * . * * * * . . * . * * . * * . . 5-26 5.2.17 Accident Sequence S2D1 **.*********.*.*..* 5-27 5.2.18 Accident Sequence AD 6 * * * * * * * * * * * * * * * * * * *
| |
| * 5-27 5.2.19 Accident Sequence T7D10n ................. 5-27 5.2.20 Accident Sequences T5ALP and T5 BLP ........ 5-27 5.2.21 Accident Sequence T7L3 * * * . * . . * . . . * * . . . . * . 5-28 5.2.22 Accident Sequence T7KR ................... 5-28 5.3 PLANT DAMAGE STATE GROUP RESULTS ................. 5-29 5.3.1 Plant Damage State Group 1 ............... 5-29 5.3.2 Plant Damage State Group 2 ............... 5-32 5.3.3 Plant Damage State Group 3 ............... 5-33 5.3.4 Plant Damage State Group 4 ............... 5-33 5.3.5 Plant Damage State Group 5 ............... 5-34 5.3.6 Plant Damage State Group 6 ............... 5-34 5.3.7 Plant Damage State Group 7 ............... 5-34 5 .4 IMPORTANCE MEASURES .............................. 5-35 5.5 COMPARISON OF RESULTS WITH WASH-1400 ............. 5-40 viii
| |
| * CONTENTS (Continued)
| |
| Section Page
| |
| : 6. CONCLUSIONS ............................................ 6-1 6.1 PLANT-SPECIFIC CONCLUSIONS ....................... 6-2 6.2 ACCIDENT SEQUENCE CONCLUSIONS .................... 6-3 6.3 UNCERTAINTY CONSIDERATIONS ....................... 6-4 6.4 COMPARISON TO REACTOR SAFETY STUDY ............... 6-4
| |
| : 6. 5 OTHER INSIGHTS ................................... 6- 5 7 REFERENCES .............................................. 7 -1
| |
| * ix
| |
| | |
| FIGURES Figure 1-1 Contribution of Accident Groups for Surry .............. 1-5 1-2 Surry Core Damage Frequency Uncertainty Distribution and Density ............................... 1-6 4.1-1 PRA Task Flow Chart ..................................... 4.1-2 4.4-1 Event Tree for Ti - Loss of Offsite Power ............... 4.4-14 4.4-2 Event Tree for Ti 5 - Station Blackout at Unit 1 .................................................. 4. 4-15 4.4-3 Event Tree for Tis - Station Blackout at Both Units 4.4-16 4.4-4 Event Tree for T2 - Loss of Main Feedwater .............. 4.4-25 4.4-5 Event Tree for T3 - Turbine Trip with MFW ............... 4.4-29 4.4-6 Event Tree for T5 - Loss of DC Bus ...................... 4.4-33 4.4-7 Event Tree for T7 - ~Steam Generator Tube Rupture ................................................. 4. 4-36 4.4-8 Event Tree for A - Large LOCA ........................... 4.4-40 4.4-9 Event Tree for Si - Medium LOCA ......................... 4.4-43 4.4-10 Event Tree for S2 - Small LOCA .......................... 4. 4-47 4.4-11 Event Tree for S3 - Very Small LOCA ..................... 4.4-50 4.4-12 Event Tree for Tk - Anticipated Transient
| |
| * Without Scram ........................................... 4.4-55 4.5-1 Bridge Tree for Tis - Station Blackout at Unit 1 .................................................. 4 . 5 - 8 4.5-2 Bridge Tree for Tis - Station Blackout at Both Units .............................................. 4.5-9 4.5-3 Bridge Tree for T2 - Loss of Main Feedwater ............. 4.5-10 4.5-4 Bridge Tree for T7 - Steam Generator Tube Rupture ................................................. 4. 5-11 4.5-5 Bridge Tree for A - Large LOCA .......................... 4.5-12 4.5-6 Bridge Tree for Si - Medium LOCA ........................ 4. 5-14 4.5-7 Bridge Tree for S2 - Small LOCA ......................... 4.5-15 4.5-8 Bridge Tree for S3 - Very Small LOCA .................... 4.5-16 4.6-1 Accumulator System Simplified Sketch .................... 4.6-18 4.6-2 AFW System Simplified Sketch ............................ 4.6-20 4.6-3 AFW System Dependency Diagram ........................... 4.6-22 4.6-4 CPC System Simplified Sketch ............................ 4.6-28 4.6-5 CPC System Dependency Diagram ........................... 4.6-29 4.6-6 CCW System Simplified Sketch ............................ 4.6-33 4.6-7 CCW System Dependency Diagram ........................... 4.6-35 4.6-8 Simplified CLCS Logic Diagram ........................... 4.6-38 4.6-9 CSS Simplified Sketch ................................... 4.6-42 4.6-10 CSS Dependency Diagram .................................. 4.6-43 4.6-11 EPS Simplified Sketch ................................... 4.6-47 4.6-12 HPI/HPR System Simplified Sketch ........................ 4.6-55 4.6-13 HPI/HPR System Dependency Diagram ....................... 4.6-57 4.6-14 ISR System Simplified Sketch ............................ 4.6-63 4.6-15 ISR System Dependency Diagram ........................... 4.6-64 4.6-16 LPI/LPR System Simplified Sketch ........................ 4.6-69 X
| |
| * Figure 4.6-17 4.6-18 FIGURES (Continued)
| |
| LPI-LPR System Dependency Diagram ....................... 4.6-70 OSR System Simplified Sketch ............................ 4.6-74 4.6-19 OSR System Dependency Diagram ........................... 4.6-75 4.6-20 PPRS System Simplified Sketch ........................... 4.6-81 4.6-21 Primary Pressure Relief System Dependency Diagram ................................................. 4. 6-82 4.~-22 Simplified RMT System Logic Diagram ..................... 4.6-87 4.6-23 RHR System Simplified Sketch ............................ 4.6-90 4.6-24 RHR System Dependency Diagram ........................... 4.6-91 4.6-25 Components Dependent on SIAS for Automatic Actuation ............................................... 4. 6-95 4.6-26 SWS Simplified Sketch ................................... 4.6-97 4.6-27 Service Water System Dependency Diagram ................. 4.6-99 5-1 Uncertainty Distribution for Surry Core Damage Frequency ............................................... 5 - 2 5-2 Density Estimation for Surry Core Damage Frequency ............. : ................................. 5-3 xi
| |
| | |
| 1-1 TABLES Dominant Accident Sequences by Initiating Event Type ......... ; ........................................ 1-4 Comparison of NUREG/CR-4550, Revision 1 and
| |
| * 1-2 W'ASH-1400 Sequences .................................... 1-13 4.2-1 List of Requested Information/Drawings/
| |
| Procedures ............................................. 4. 2- 3 4.2-2 Information Prepared by the Surry PRA Team Prior to Plant Visit ................................... 4. 2-5 4.2-3 Typical Questions on System Design and Operation .............................................. 4. 2-6 4.2-4 Components for Plant Specific Failure Data ............. 4.2-7 4.2-5 Events for Human Reliability Analysis ................... 4.2-8 4.2-6 Request for Most Up-To-Date Analysis in Following Areas .................................................. 4. 2 - 9 4.3-1 Initiating Event Categories Used in the Surry PRA .................................................. 4. 3-2 4.3-2 Sources of Initiating Event Candidates ................. 4.3-3 4.3-3 Summary of Loss of Support Systems as Initiators ....... 4.3-5 4.3-4 Summary of Transient Initiating Events ................. 4.3-16 4.3-5 Summary of LOCA Initiating Events ...................... 4.3-19 4.3-6 Important Ground Rules for Initiating Event 4.4-1 4.4-2 Selection .............................................. 4.3-20 Event Tree Headings .................................... 4. 4- 3 Part 1: Description of Events .................... 4.4-3 Part 2: Definition of Events ..................... 4.4-6 General Event Tree and Success Criteria Ground Rules ........................................... 4. 4-8
| |
| * 4.4-3 T1 Transient Success Criteria Summary Information ............................................ 4. 4-12 4.4-4 LOSP/SBO Analysis Cases ................................ 4.4-17 4.4-5 T2 Transient Success Criteria Summary Information ............................................. 4.4-24 4.4-6 T3 Transient Success Criteria Summary Information ............................................ 4-4-27 4.4-7 T5 Transient Success Criteria Summary Information ............................................ 4. 4-31 4.4-8 T7 Transient Success Criteria Summary Information ............................................ 4. 4-34 4.4-9 Large LOCA Success Criteria Summary Information ............................................ 4 .4-39 4.4-10 Medium LOCA Success Criteria Summary Information ............................................ 4. 4-42 4.4-11 Small LOCA Success Criteria Summary Information ............................................ 4. 4-45 4.4-12 Very Small LOCA Success Criteria Summary Information ............................................ 4.4-49 4.4-13 ATW'S Success Criteria Summary Information .............. 4.4-53 4.5-1 Category Definitions for PDS Indicators ................ 4.5-3 xii
| |
| | |
| TABLES (Continued) 4.5-2 Surry Dominant Core Damage Sequence Point Estimate Frequency .............................................. 4 . 5 - 6 4.5-3 Sources of Dominant Core Damage Sequences .............. 4.5-7 4.6-1 Systems Included in the Surry System Analysis .......... 4.6-2 4.6-2 System, Component, and Event Identifiers ............... 4.6-6 Sys tern Identifiers ................................ 4. 6 -6 Component Identifiers ............................. 4.6-9 4.6-3 Failure Mode Codes ...................... _. .............. 4. 6 -12 4.6-4 Symbols and Abbreviations Used in the Schematics._ ...... 4.6-14 4.6-5 AFW Component Status and Dependency Summary ............ 4.6-23 4.6-6 -CPC Component Status and Dependency Summary ............ 4.6-30 4.6-7 CCW Component Status and Dependency Summary ............ 4.6-36 4.6-8 Component Dependencies on CLCS ......................... 4.6-39 4.6-9 CSS Component Status and Dependency Summary ............ 4.6-44 4.6-10 AC/DC power Supplies and Dependencies .................. 4.6-49 4.6-11 HPI/HPR Component Status and Dependency Summary ........ 4.6-58 4.6-12 !SR Component Status and Dependency Summary ............ 4.6-65 4.6-13 LPI/LPR Component Status and Dependency Summary ........ 4.6-71 4.6-14 OSR Component Status and Dependency Summary ............ 4.6-76 4.6 PPRS Component Status and Dependency Summary ........... 4.6-83 4.6-16 Components Actuated by RMT ............................. 4.6-88 4.6-17 RHR Component Status and Dependency Summary ............ 4.6-92 4.6-18 SIAS Actuation Parameters .............................. 4.6-94 4.6-19 SWS Component Status and Dependency Summary ............ 4.6-100 4.7-1 Surry Common Cause Failures ............................ 4.7-10 4.8-1 Human Actions Quantified in the S~rry PRA .............. 4.8-15 4.8-2 Ground Rules for Calculation of Common Miscalibration Error Probabilities ..................... 4.8-17 4.8-4 Allowable Times for Operator Action .................... 4.8-24 4.8-5 Ground Rules for Surry HRA ............................. 4.8-26 4.9-1 Plant Specific Data Used in Accident Sequence Quantification ......................................... 4. 9-3 4.9-2 Initiating Event Data .................................. 4.9-4 4.9-3
| |
| * BETA Factor Summary Table .............................. 4.9-5
| |
| : 4. 9-4 Human Reliability Analysis Summary ..................... 4.9-6 4.9-5 Recovery Factor Summary ................................ 4.9-11 4.9-6 Miscellaneous Event Table .............................. 4.9-18 4.9-7 Surry Data Table ....................................... 4.9-20 4.10-1 Accident Sequence Quantified Before Recovery ........... 4.10-4 4.10-2 Recovery Factors ........... : ........................... 4.10-18
| |
| \4.10-3 Dominant Accident Sequences Prior to Recovery .......... 4.10-27 4.10-4 Accident Sequences Quantified Before and After Recovery ............................................... 4 .10-23 4.10-5 Impact of Operator Actions ............................. 4.10-50 4.11-1 Plant Damage State Assignment of Dominant Core Damage Sequences ....................................... 4.11-4 4.11-2 Plant Damage States Above lE-9 .... \ .................... 4.11-7 4.11-3 Frequencies of Plant Damage State Groups ............... 4.11-8 xiii
| |
| | |
| TABLES (Continued) 5-1 Top Cut Sets Contributing to the Surry Total Core Damage Frequency .............................. ; ....... 5 - 6
| |
| * 5-2 Description of Important Surry Events ................. 5-9 5-3 Surry Accident Sequence Core Damage Frequencies ....... 5-17 5-4 Surry Dominant Accident Sequences Included in Each Plant Damage State ............................... 5-30 5.:.6 Surry Risk Reduction Important Events ................. 5-37 5-7 Surry Risk Increase Important Events .................. 5-38 5-8 Surry Uncertainty Importance Important Events ......... 5-39 5-9 Comparison of Core Damage Frequencies by Event Type .................................................. 5-41" xiv
| |
| | |
| FOREWORD This is one of numerous documents that support the preparation of the NUREG-1150 document by the NRG Office of Nuclear Regulatory Research.
| |
| Figure 1 illustrates the front-end documentation. There are three interfacing programs at Sandia National Laboratories performing this work:
| |
| the Accident Sequence Evaluation Program (ASEP), the Severe Accident Risk Reduction Program (SARRP), and the Phenomenology and Risk Uncertainty Evaluation Program (PRUEP). The Zion PRA was performed at Idaho National Engineering Laboratory and Brookhaven National Laboratory.
| |
| Table 1 is a list of the original primary documentation and the corresponding revised documentation. There are several items that should be noted. First, in the original NUREG/CR-4550 report, Volume 2 was to be a summary of the internal analyses. This report was deleted. In Revision 1, Volume 2 now is the expert judgment elicitation covering all plants.
| |
| Volumes 3 and 4 include external events analyses for Surry and Peach Bottom, respectively.
| |
| The revised NUREG/CR-4551 covers the analysis included in the original NUREG/CR-4551 and NUREG/CR-4700. However, it is different from NUREG/CR-4550 in that the results from the expert judgment elicitation are given in four parts to Volume 2 with each part covering one category of issues. The accident progression event trees are given in the appendices for each of the plant analyses.
| |
| Originally, NUREG/CR-4550 was published without the designation "Draft for Comment." Thus, this revision of NUREG/CR-4550 is designated Revision 1.
| |
| The label Revision 1 is used consistently on all volumes except Volume 2, which was not part of the original documentation. NUREG/CR-4551 was originally published as a "Draft for Co~ent" so, in its final form, no Revision 1 designator is required to distinguish it from the previous documentatation.
| |
| There are several other reports published in association with NUREG-1150.
| |
| These are:
| |
| NUREG/CR-5032, SAND87-2428, Modeling Time to Recovery and Initiating Event Frequency for Loss of Off-site Power Incidents at Nuclear Power Plants, R. L. Iman and S. C. Hora, Sandia National Laboratories, Albuquerque, NM, January 1988.
| |
| NUREG/CR-4840, SAND88-3102, Recommended Procedures for External Event Risk Analyses for NUREG-1150, M. P. Bohn and J. A. Lambright, Sandia National Laboratories, Albuquerque, NM, November 1989.
| |
| xv
| |
| | |
| "]'.11.X
| |
| * ((ETHOOOLOGY EXPERT PANEL RESULTS
| |
| ~-
| |
| <
| |
| .2.
| |
| <
| |
| PROJECT STAFF RESULTS ~
| |
| ,1 N z
| |
| C
| |
| :::an ITI C C) ::a
| |
| ....... rr, n INTERNAL EVENTS APPENDIX 0
| |
| <en C:
| |
| :::0 C -::D
| |
| * ::D
| |
| *> w<
| |
| .,,
| |
| .;:r. 3:
| |
| U,):lo en u, G")
| |
| . .,,
| |
| C:HT1 c::
| |
| M G") "tJ C
| |
| ::a
| |
| :::a
| |
| ,,, rr,
| |
| ::a INTERNAL EVENTS m
| |
| -a
| |
| "" <O INTERNAL EVENTS APPENDIX <0~
| |
| o- :Im 0
| |
| t-tC
| |
| ::r:,
| |
| ...... VI l"l'1 t-tZ on
| |
| ~o(')
| |
| ~:J:
| |
| >
| |
| -t Z-<
| |
| C C ..... C n
| |
| C INTERNAL EVENTS en m
| |
| 0 3: <0
| |
| (")
| |
| z"" INTERNAL EVENTS APPENXIX 0
| |
| =-o C: c::
| |
| >
| |
| -t
| |
| -t u,,<
| |
| >
| |
| :J:
| |
| -c:
| |
| Z:z,
| |
| :a m z
| |
| s:
| |
| m M
| |
| 0 z INTERNAL EVENTS
| |
| (') C>
| |
| 5!2 z
| |
| .,,C I
| |
| -t
| |
| ::a INTERNAL EVENTS APPENXIX 0
| |
| <C>C>
| |
| :-,> C:
| |
| 0,.,, Cz
| |
| :a =-
| |
| a, -
| |
| -u, 0
| |
| en
| |
| -t z
| |
| C
| |
| ::a 0
| |
| z
| |
| ~
| |
| ""
| |
| G")
| |
| I
| |
| ~ERNAL EVENTS <N o- c::
| |
| .....
| |
| ..... :-0
| |
| ....,z ::r:,
| |
| u,
| |
| .
| |
| Q m
| |
| ""<
| |
| " K MANAGEMEITT
| |
| ~ ..
| |
| G)
| |
| I U1
| |
| >r- > 0 znc::
| |
| c::n:>
| |
| :::0 H -t ITICH C"') l'T1 0
| |
| ,:zz DOCUMENTATION n-t
| |
| :::0 0 I :::0 "Tl
| |
| ~H u, v, VI u, ~ l'T1
| |
| .... v,<
| |
| l'T1
| |
| :::0 l'T1
| |
| | |
| Table 1.
| |
| NUREG-1150 Analysis Documentation Original Documentation NUREG/CR-4550 NUREG/CR-4551 NUREG/CR-4700 Analysis of Core Damage Frequency Evaluation of Severe Accident Containment Event Analysis From Internal Events Risks and the Potential for for Potential Severe Accidents Risk Reduction Volume l Methodology Volume l *surry Unit l Volume l Surry Unit l 2 Summary (Not Published) 2 Sequoyah Unit l 2 Sequoyah Unit l 3 Surry Unit l 3 Peach Bottom Unit 2 3 Peach Bottom Unit 2 4 Peach Bottom Unit 2 4 Grand Gulf Unit l 4 Grand Gulf Unit 1 s Sequoyah Unit l 5 Zion Unit 1 6 Grand Gulf Unit l 7 Zion Unit 1 Revised Documentation NUREG/CR-4550, Revision 1 NUREG/CR-4551, Evaluation Analysis of Core Damage Frequency of Severe Accident Risks Volume 1 Methodology Volume 1 Methodology 2 Part l Expert Judgment Elicit. Expert Panel 2 Part 1 Expert Judgment Elicit.--In-vessel Part 2 Expert Judgment Elicit.--Project Staff Part 2 Expert Judgment Elicit.--Containment 3 Part 1 Surry Unit l Internal Events Part 3 Expert Judgment Elicit.--Structural Part 2 Surry Unit l Internal Events App. Part 4 Expert Judgment Elicit.--Source-Term Part 3 Surry Unit l External Events Part 5 Expert Judgment Elicit.--Supp. Cale.
| |
| 4 Part 1 Peach Bottom Unit 2 Internal Events Part 6 Expert Judgment Elicit.--Proj. Staff Part 2 Peach Bottom Unit 2 Internal Events App. Part 7 Expert Judgment Elicit.--Supp. Cale.
| |
| Part 3 Peach Bottom Unit 2 External Events Part 8 Expert Judgment Elicit.--MACCS Input 5 Part l Sequoyah Unit l Internal Events 3 Part l Surry Unit 1 Anal. and Results Part 2 Sequoyah Unit 1 Internal Events App. Part 2 Surry Unit 1 Appendices 6 Part 1 Grand Gulf Unit l Internal Events 4 Part 1 Peach Bottom Unit 2 Anal. and Results Part 2 Grand Gulf Unit 1 Internal Events App. Part 2 Peach Bottom Unit 2 Appendices 7 Zion Unit 1 Internal Events 5 Part l Sequoyah Unit 2 Anal. and Results Part 2 Sequoyah Unit 2 Appendices 6 Part l Grand Gulf Unit 1 Anal. and Results Part 2 Grand Gulf Unit 1 Appendices 7 Part 1 Zion Unit l Anal. and Results Part 2 Zion Unit l Appendices
| |
| | |
| NUREG/CR-4772, SAND86-1996, Accident Sequence Evaluation Program Human Reliability Analysis Procedure, A. D. Swain III, Sandia National Laboratories, Albuquerque, NM, February 1987.
| |
| NUREG/CR-5263, SAND88-3100, The Risk Management Implications of NUREG-1150 Methods and Results, A. C. Camp et al. , Sandia National Laboratories, Albuquerque, NM, December 1988.
| |
| A Human Reliability Analysis for the ATWS Accident Sequence with MSIV Closure at the Peach Bottom Atomic Power Station, A- 3272, W. J.
| |
| Luckas, Jr. et al., Brookhaven National Laboratory, Upton, NY, 1986.
| |
| A brief flow chart for the documentation is given in Figure 2. Any related supporting documents to the back-end NUREG/CR-4551 analyses are delineated in NUREG/CR-4551. A complete list of the revised NUREG/CR-4550, volumes and parts is given below.
| |
| General NUREG/CR-4550, Volume 1, Revision l, SAND86-2084, Analysis of Core Damage Frequency: Methodology Guidelines for Internal Events.
| |
| NUREG/CR-4550, Volume 2, SAND86-2084, Analysis of Core Damage Frequency from Internal Events: Expert Judgment Elicitation on Internal Events Issues Part 1: Expert Panel Results, Part 2:
| |
| Project Staff Results.
| |
| Parts 1 and 2 of Volume 2, NUREG/CR-4550 are bound together. This volume was not part of the original documentation and was first published in April 1989 and distributed in May 1989 with the title: Analysis of Core Damage Frequency from Internal Events: Expert Judgment Elicitation. In retrospect, a more descriptive title would be: Analysis of Core Damage Frequency: Expert Judgment Elicitation on Internal Events Issues.
| |
| NUREG/CR-4550, Volume 3, Revision 1, Part 1, SAND86-2084, Analysis of Core Damage Frequency: Surry Unit 1 Internal Events.
| |
| NUREG/CR-4550, Volume 3, Revision l, Part 2,* SAND86-2084, Analysis of Core Damage Frequency: Surry Unit. 1 Internal Events Appendices.
| |
| NUREG/CR-4550, Volume 3, Revision 1, Part 3, SAND86-2084, Analysis of Core Damage Frequency: Surry Unit 1 External Events.
| |
| /
| |
| xviii
| |
| | |
| *FRONT-END ANALYSIS BACK-EHD ANALYSIS NUREG/CR-4550 NUREG/CR-4551 REVISION l PLANT DAHAGE STATE FREQIIEtlCIES SURRY ACCIDENT PROGRESSION SURRY UNl'f I UNIT I ~ RISK REDIICTltiN AND AND RISK UNCERTAINTY HEASURES I
| |
| I I
| |
| ,_ NUREO/CR-4550 REVISION l I VOL. l HETIIODOLOGY I BACK-END SUPPORT I DOCUHENTATION I- NUREO/CR-4550 REVISION.l
| |
| >: VOL. 2 EXPERT OPINION _SURRY I-'*
| |
| >:
| |
| E t[ACII BOTTON HUREO-
| |
| ._ NUREO/CR-4840 EXTERNAL 1150 ~~i9YQHII_
| |
| EVENTS HETIIODS """m~Af!D GUIJ:
| |
| ._ZION
| |
| ,_ NUREG/CR-4172 URA PROCEDURES NUREC/CR-5032 LOSP IE FREQ AND RECOVERY Figure 2. Surry Related Documentation.
| |
| | |
| Peach Bottom NUREG/CR-4697, EGG-2464, Containment Venting Analysis for the Peach Bottom Atomic Power Station, D. J .* Hansen et al., Idaho National Engineering Laboratory (EG&G Idaho, Inc_.) February 1987.
| |
| NUREG/CR-4550, Volume 4, Revision 1, Part l, SAND86-2084, Analysis of Core Damage Frequency: Peach Bottom Unit 2 Internal Events.
| |
| NUREG/CR-4550, Volume 4, Revision 1, Part 2, SAND86-2084, Analysis of Core Damage Frequency: Peach Bottom Unit 2 Internal Events Appendices.
| |
| NUREG/CR-4550, Volume 4, Revision 1, Part 3, SAND86-2084, Analysis of Core Damage Frequency: Peach Bottom Unit 2 External Events.
| |
| Sequoyah NUREG/CR-4550, Volume 5, Revision 1, Part 1, SAND86-2084, Analysis of Core Damage Frequency: Sequoyah Unit 1 Internal Events.
| |
| NUREG/CR-4550, Volume 5, Revision 1, Part 2, SAND86-2084, Analysis of Core Damage Frequency: Sequoyah Unit 1 Internal Events Appendices.
| |
| Grand Gulf NUREG/CR-4550, Volume 6, Revision 1, Part 1, SAND86-2084, Analysis of Core Damage Frequency: Grand Gulf Unit 1 Internal Events.
| |
| NUREG/CR-4550, Volume 6, Revision 1, Part 2, SAND86-2084, Analysis of Core Damage Frequency: Grand Gulf Unit 1 Internal Events Appendices.
| |
| NUREG/CR-4550, Volume 7, Revision 1, EGG-2554, Analysis of Core Damage Frequency: Zion Unit 1 Internal Events.
| |
| xx
| |
| | |
| ACRONYMS AND INITIALISMS ACC accumulators ACP ac power ACU air cleaning unit ACX air cooling heat exchanger ADS automatic depressurization system AFW' auxiliary feedwater system or emergency feedwater system AHU air heating unit ANS American Nuclear Society AOV air operated valve ARF air return fan system ASEP Accident Sequence Evaluation Program ASME American Society of Mechanical Engineers ATWS anticipated transient without scram BAC ac electrical bus BAT boric acid transfer BCL Battelle Columbus Laboratory BDC de electrical bus BNL Brookhaven National Laboratory BOP balance of plant cc component cooling CCF common cause fault CCU containment atmosphere cleanup ccw component cooling water CD core damage CDS condensate system CET containment event tree CFC containment emergency fan cooler system CGC containment combustible gas control CHP charging pump system CHR containment heat removal CHW chilled water system CIS containment isolation system CKV check valve CLCS, CLS consequence limiting control system CPC charging pump cooling CR control room CRB circuit breaker CRD control rod drive CRH hydraulically driven control rod CRM motor driven control rod csc closed cycle cooling CSI containment spray injection CSR containment spray recirculation cs containment spray CST condensate storage tank CV check valve eve chemical and volume control xxi
| |
| | |
| DCP de power DG, DGN diesel generator OHR decay heat removal DWS drywell (wetwell) spray ECA emergency contingency actions ECCS emergency core cooling system EDP engine driven pump EHV emergency heating, ventilation, and air conditioning system EI Energy International EP emergency procedures EPG emergency procedures guidelines EPS emergency power system EPV explosive valve ESF engineered safety feature actuation system ESW essential service water system FHS fuel handling system FMEA Failure Mode and Effect Analysis FRP functional restoration procedures FRV flow regulating valve FSAR Final Safety Analysis Report FW feedwater HCI high pressure coolant injection HCS high pressure core spray HOV hydraulic valve HEP human error probability HP! high pressure safety injection HPR high pressure recirculation HPT Human Performance Technologies HRA human reliability analysis HSW high pressure service water HTX, HX heat exchanger HVAC heating, ventilation, and air conditioning IAS instrument air system ICC instrumentation and control circuit res ice condenser system IE initiating event INEL Idaho National Engineering Laboratory ISO isolation condenser system ISR inside containment spray recirculation system LCI low pressure coolant injection LCS low pressure core spray LER licensee event report LFT-SET large fault tree - small event tree LHS Latin Hypercube Sampling Code LHSI low head safety injection LOCA loss of coolant accident
| |
| * LOSP loss of offsite power xxii
| |
| * LP! low pressure safety injection LPR low pressure recirculation LWR light water reactor MCC motor control center MCW' main circulating water MDFW'P motor driven feedwater pump MDP motor driven pump MFW' main. feedwater MG motor generator MOV motor operated valve MSIV main steam isolation valve MSS main steam system MTC moderator temperature coefficient NHV normal heating, ventilation, and air conditioning NPSH net positive suction head NRC Nuclear Regulatory Commission NSSS nuclear steam supply system OEP onsite electric power ORNL Oak Ridge National Laboratory OSR outside containment spray recirculation PCS power conversion system PDS plant damage state PLG Pickard, Lowe, and Garrick PORV power operated relief valve PPRS, PPS primary pressure relief system PRA probabilistic risk assessment PRUEP PRA Uncertainties Estimation Program PTS pressurized thermal shock PWR pressurized water reactor QCG quality control group RBC reactor building cooling water RC! reactor core isolation cooling RCP reactor coolant pump RCS reactor coolant system RGW' radioactive gaseous waste RHR residual heat removal RLW' radioactive liquid waste RMT recirculation mode transfer RO reactor operator RPS reactor protection system RTND reference temperature for transition to nil ductility RV relief valve RW'ST refueling water storage tank *:~
| |
| ...
| |
| SAIC Science Applications International Corporation SAROS Safety & Reliability Optimization Services xxiii
| |
| | |
| SARRP Severe Accident Risk Reduction Program SBO station blackout SCG senior consultant group SDC shutdown cooling SETS Set Equation Transformation System SG steam generator SGS steam generator.system SGT standby gas treat~ent SGTR steam generator tube rupture SI safety injection SIAS, SIS safety injection actuation system SLC standby liquid control SNIA Sandia National Laboratory Albuquerque sov solenoid operated valve SPC suppression pool cooling SPM suppression pool makeup SRO senior reactor operator SRV safety relief valve STA shift technical advisor sv safety valve SW, sws service water system TBC turbine building cooling water TCV testable check valve TDAFWP turbine driven auxiliary feedwater pump TDP turbine driven pump TEMAC Top Event Matrix Analysis Code TM! Three Mile Island TSV turbine stop valve VCT volume control tank VEPCO Virginia Electric Power Company WOG Westinghouse Owners Group ATWS Rulemaking Comments XV, XVM manual valve xxiv
| |
| * ACKNOWLEDGEMENTS The authors with to acknowledge the following individuals for their contribution to the Surry Analysis.
| |
| Mr. Joe Logan, of the Surry Power Station, for promptly providing the necessary information to develop a comprehensive plant model.
| |
| Ms. Sharon Brown for her diligent efforts to review the document and to ensure consistency among the PWR analyses.
| |
| Mrs. Diane Jones for her technical assistance, especially the system level failure modes and effects analyses.
| |
| Mr. Marc Quillici for his work on the draft report and guidance in the fault tree analysis, particularly the use of the SETS computer code.
| |
| XXV
| |
| * 1. EXECUTIVE
| |
| | |
| ==SUMMARY==
| |
| | |
| This document presents the final results of one of several studies that provided information to the Nuclear Regulatory Commission Office of Nuclear Regulatory Research about Light 'Water Reactor (L'WR) risk. The Office of Research used the results of this work, along with other input, to prepare NUREG-1150. Cl) Risk from a selected group of five nuclear power plants is examined in NUREG-1150 by incorporating the results of wide-ranging research efforts that have taken place over the past several years.
| |
| Surry Unit 1 was chosen as one of the five plants to be analyzed to accomplish regulatory goals. The Surry Nuclear Power Plant contains two units of 788 megawatts (electrical) capacity and is located near Surry in Virginia. The reactors are each housed in a large dry subatmospheric containment. The Surry plant was previously analyzed in the Reactor Safety Study. CZ> Other plants chosen for analysis are Peach Bottom, Sequoyah, Grand Gulf, and Zion.
| |
| 1.1 Objectives The primary objective was to perform an analysis to support the NUREG-1150 project that is as near to a state-of-the-art, Level 1 Probabilistic Risk Assessment (PRA) as possible. Corresponding Level 2 and Level 3
| |
| * analyses have also been performed and documented. External events were analyzed and are reported in Part 3 of this volume.
| |
| Direct objectives of the analysis were to identify potential, significant system failures, to provide insights of value to utilities with plants of this type, and to support a detailed methodology that can be used by others, including utilities. The perspective gained from NUREG-1150 will be used to support the NRC' s resolution of severe accident regulatory issues.
| |
| This document presents the Level 1 part of the risk equation- -the frequency of scenarios involving system failures which lead to severe core damage as a result of internal initiators. Core damage is defined as a significant core uncovery occurrence with reflooding of the core not imminently expected. The result is a prolonged uncovery of the core, which leads to damaged fuel and a release of fission products from the fuel.
| |
| 1.2 Approach A standard but focused Level 1 PRA approach formed the basis for this analysis. Event trees were constructed, the top events were modeled using large fault trees, and the results were quantified using the Set Equation Transformation System (SETS) C49) and The Top Event Matrix Analysis Code (TEMAC) C44) computer codes.
| |
| * An abundance of information pertinent to probabilistic study was available on Surry, resulting from previous probabilistic studies of the plant. This enabled the Surry PRA team to focus on aspects of the plant 1-1
| |
| | |
| which had been shown to be important in the past or were the topic of current safety issues. Effort was not expended on areas or issues that had been shown to be unimportant in the past. Also, if the analyst determined that a system could be represented adequately using a simplified model, rather than a detailed fault tree, the simplified approach was used. However, if the analyst determined that a system was important enough to warrant detailed modeling, then the appropriate
| |
| * modeling techniques were used.
| |
| In regard to the PRA methodology, several areas merit comment. First, a human reliability analysis was performed on operator actions that surfaced in the PRA as potentially significant. Second, plant-specific data were used whenever possible. Third, a recovery analysis was performed after the initial quantification of accident sequences to assure proper credit was given for operator intervention during the accident. Fourth, an extensive uncertainty analysis was performed which required determining the uncertainty on the failure probabilities for basic events in the models. Finally, in some cases, no firm data existed to support failure probability development, so expert judgment was formally elicited from people with extensive experience on each issue in question. This final item is the subject of Volume 2 of NUREG/CR-4550.
| |
| The Level 1 results were grouped into plant damage states to provide a form suitable for input to the back-end accident progression event trees.
| |
| A plant damage state is a grouping of accident sequences or parts of
| |
| * accident sequences that have similar characteristics such as vessel pressure, timing, containment response, and system failures which provides the necessary input for the accident progression event tree used in the Level 2 analysis.
| |
| In order to maintain high quality, this work was reviewed by four different groups: an independent Senior Consultant Group, an independent Quality Control Group, Sandia staff and management, and the NRC. In addition, the staff at Virginia Power were given an opportunity to review this work at various stages. VEPCO' s comments were addressed in this analysis, as were numerous comments received from the NRC, the public and the nuclear industry.
| |
| 1.3 Results The internal events portion of the Surry PRA identified twenty-eight core damage sequences which comprise the internal events core damage model.
| |
| The criteria for inclusion of sequences in the core damage model are all sequences with a final point estimate frequency greater than 1. OE- 7 /yr and all station blackout sequences with a point estimate frequency greater than l.OE-9/yr. The importance of station blackout sequences to risk made it desirable to provide complete coverage of all accident sequences. The extension was allowed for station blackout sequences because they were combined into three sequence groups, thus making it easier to include the smaller sequences. The accident grouping by initiating event type, showing the contribution of each type to total 1-2
| |
| **
| |
| | |
| core damage frequency, is shown in Table 1-1. The contributions of these accident groups to the total frequency is shown graphically in Figure 1-1. The internal events core damage model yielded a sampled mean*
| |
| frequency* of 4. OE-5 per reactor year. The cumulative distribution function for the core damage model and the density function are shown in Figure 1-2. These two functions are based on the results of a statistical sample of 1000 points with some smoothing employed in the generation of the density function. The important statistical parameters of the core damage frequency distribution are listed below.
| |
| Mean 4.0E-5/yr Standard Deviation 5.8E-5 95% Upper 1. 3E-4/yr 75% Upper 4.SE-5/yr Median 2.3E-5/yr 25% Lower 1. 3E-5/yr 5% Lower 6.8E-6/yr In addition to the 28 sequences included in the core damage model, there were 10 fully quantified accident sequences that have point estimate frequencies less than lE-7/yr. These sequences have a combined frequency of 2. 2E- 7. In addition, there were 43 partially quantified sequences with point estimate frequencies in the range of SE-10 to lE-8. These sequences were partially quantified in that they were not subject to recovery analysis. They were minimal contributors without recovery actions, and therefore not subject to further evaluation.
| |
| An event importance analysis was done on the comprehensive core damage model. In this analysis, the relative importance of each basic event, with respect to three measures, is calculated. These three measures are risk reduction, risk increase, and uncertainty. The risk reduction measure is the absolute amount by which core damage frequency is reduced, if the event in question had a probability of zero (i.e., never happened). The most important event for risk reduction is the loss of offsi te power initiating event. This result is consistent with the dominance of station blackout in the core damage model. The next most important event for risk reduction is the failure of diesel generator number 1 to start. This result is particularly interesting in view of
| |
| _ the AC power supply system at Surry. The Surry Nuclear Station is a two-unit site which is supplied with three diesel generators for emergency power. Each unit has a dedicated diesel and the third diesel is a swing diesel, which can align to either unit. The diesel generator model for this study aligns DG3 (the swing diesel) to Unit 2 in the event that the dedicated Unit 2 diesel (DG2) has failed. In order to make DG3 more
| |
| * As used here, the term mean value implies that the failure distribution of selected basic events is used (i.e., propagated through the sequence calculations) to determine the sequence frequencies, which are then summed to determine the core damage frequency. The term point estimate implies that the failure probability of each basic event is represented
| |
| * by a single value .
| |
| 1-3
| |
| | |
| Table 1-1 Dominant Accident Sequences by Initiating Event Type Mean Core Initiating Event Type Damage Frequency <lyr) % of Total LOSP 2.7E-5 68%
| |
| LOCA 6.0E-6 15%
| |
| Interfacing LOCA 1. 6E-6 4%
| |
| Transient 2.0E-6 5%
| |
| ATWS 1. 6E-6 4%
| |
| Steam Generator Tube Rupture 1. 8E-6 4%
| |
| 4.0E-5 available to Unit 1, the reliability of DG2 must be improved in addition to the reliability of DG3. Therefore, DGl ranks as the highest single importance event. The third highest ranking event for risk reduction is the failure to recover offsite power within seven hours of loss of offsi te power initiating event. The top fifteen events for risk reduction importance are all involved with station blackout sequences.
| |
| This result is consistent with the dominance of blackout type core damage sequences.
| |
| Similar information was generated for risk increase measures. Risk increase is derived by calculating the core damage frequency with a given event probability set equal to 1.0, the maximum event probability value.
| |
| The meaning of risk increase can be thought of as the resulting core damage frequency if the system, train or component is not available (e.g., always failed). The event with the highest risk increase measure is failure of the reactor protection system. The event with the next highest risk increase measure is related to the unavailability of the Refueling Water Storage Tank (RWST). The next group of three events are all common cause failures of the auxiliary feedwater system. The next group of four events involves check valve failures in the high pressure injection system. These represent single point failures in the suction and discharge piping.
| |
| The third measure_involves the relative importance of data uncertainties.
| |
| Uncertainty importance is calculated in a' different manner than risk reduction or risk increase. To assess uncertainty importance, . an uncertainty calculation is made, holding the value of a particular event 1-4
| |
| | |
| ..... .............
| |
| .... ........ .
| |
| ..........
| |
| .. ******
| |
| ........ ... **************
| |
| . ********** .
| |
| ...............
| |
| **********
| |
| ...
| |
| ************
| |
| .................
| |
| ******* ****************
| |
| ................... .... ..
| |
| .. *************
| |
| ***********************
| |
| *********************** ................... ........... ...
| |
| .............
| |
| ...
| |
| ... ****** ***** .......................
| |
| ******************** ........ ******* ..
| |
| .....
| |
| .....
| |
| . ********************
| |
| ... ***********
| |
| ... ***************** .......................... ................
| |
| ......... ******** .
| |
| . ..
| |
| . . ... ....
| |
| . . . . .***********
| |
| **********************
| |
| . . . ***************** . . . . . . . . . . ........... . . . . . . . . . . ***********
| |
| . ................ . . . . . . ***** . . . . . ....
| |
| . . ..
| |
| ..
| |
| .....
| |
| ***********
| |
| . ... ...... .....
| |
| ......... .....................................
| |
| ....... .. .... ..... .. ....
| |
| ....................... ....... ......
| |
| .. . . . ... . . .... . . ...... . . .............
| |
| .
| |
| . ::::~: \: \: ~: \: ~: ~: \: ~: ~: \: \: '.: ~: \: ~: ~: \: \: \: ~: ~: \: ~: ~: ~: \: \: ~: \: \: \: ~: \: \: \: \: ~: \: \: ~: ~: ~: ~: \: \: ~: ~: ~: \: '.:: ..
| |
| ......
| |
| ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::~$.t:::::::::::::::::::::::::::::::::::::::::::.
| |
| ................................... *********** ............ 1:::::::}I LOSP
| |
| ......
| |
| ......
| |
| ....
| |
| ...... .........
| |
| .... ....
| |
| .....
| |
| .. ... .... ... . ........
| |
| .......... ....... .... .... *****************
| |
| .........
| |
| ********************* ***** ..................
| |
| ********** ************...
| |
| ............
| |
| .............. ....
| |
| ************
| |
| ...... .. ... ******* ..................
| |
| .................................................
| |
| .... .... .. . ....... ..................
| |
| ..
| |
| ......
| |
| ....
| |
| . . . . . .........
| |
| .******
| |
| . . .
| |
| ... ........
| |
| . . . ...
| |
| . . ...................................................
| |
| ... . .. . . . . . .. .
| |
| ....
| |
| ..........
| |
| . . . . . ..
| |
| ..... .. .. . . ...... ... . .. . . . ... . .. . ..... ....... ... ...
| |
| . .
| |
| .. .....
| |
| ..... . . . . . . . . . ***********
| |
| .... . ..
| |
| . . . . . . . . . . . . . . . ...
| |
| ......... .........
| |
| ****** ...................................................
| |
| * LOCA
| |
| ::::::::::::u:uu::::u:cuc:::::::tu:::::::::::u:r::::::u:::::::uc:::::::u:r:::t
| |
| * V/SGTR 4%
| |
| ~ TRANSIENT 5% D ATWS 8%
| |
| ...........
| |
| ( 15%
| |
| . .............
| |
| . ...........
| |
| ........... ...
| |
| 50% .. . . . . . ............
| |
| 50%
| |
| . . .......
| |
| .
| |
| *****
| |
| .................
| |
| . . . .. . *****
| |
| ...
| |
| *****
| |
| ... .
| |
| .
| |
| . . .....
| |
| ...........................
| |
| .
| |
| .
| |
| ................
| |
| ...
| |
| . .... . . . .... ...
| |
| . . . . . . ....
| |
| .................
| |
| ... .... ........
| |
| . . . .. . .
| |
| . . ... . . . . . . . . .. .
| |
| .. ......
| |
| LOSP Q INTERFACING SYSTEM
| |
| . . .
| |
| .............................
| |
| . . ... ....... ...
| |
| LOCA (V) .. ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ..
| |
| .-:-:,:-:,:,:-:-:-:-:-:-:-:-:-:-:-:-:-: :-**.*: :-:-:,:,:,:,:-:-:-
| |
| =
| |
| f.c0l STEAM GENERATOR TUBE RUPTURE (SGTR)
| |
| LOCA 14%
| |
| 27%
| |
| 86% ~ STATION BLACKOUT (SBO)
| |
| L:.:::J BATI DEPL D SMALL LOCA ht/:! SEAL LOCA SBO
| |
| * CTI LARGE LOCA
| |
| * SHORT TERM SBO Figure 1-1. Contribution of Accident Groups for Surry.
| |
| 1-5
| |
| * 1.0 95%
| |
| C u 0.9 M
| |
| u 0.8 L Mean
| |
| *-*- -- - -*----
| |
| A T 0.7 I
| |
| V 0.6 E Median 0.5 p
| |
| R 0.4 0
| |
| 8 0.3 A
| |
| 8 I 0.2 L
| |
| I 0.1 5%
| |
| T y 0.0 1E-6 1E-5 1E-4 1E-3 CORE DAMAGE FREQUENCY
| |
| * D E
| |
| N s
| |
| l T
| |
| y 1E-6 1E-5 1E-4 1E-3 CORE DAMAGE FREQUENCY
| |
| . Figure 1-2. Surry Core Damage Frequency Uncertainty Distribution and Density.
| |
| 1-6
| |
| * constant. The upper and lower bounds of the uncertainty calculation are
| |
| * compared to the upper and lower bounds when all parameters are considerep random variables. The uncertainty importance calculations show that the diesel generator failure rates and loss of offsite power initiating event frequencies contribute the most to the overall statistical uncertainty.
| |
| 1.4 Conclusions One of the major purposes of the Surry analysis was to provide an updated perspective on our understanding of the risks from the plant relative to the results of the WASH-1400 analysis. It has been determined that changes to the plant design and its operating procedures, the evolution of Probabilistic Risk Assessment (PRA) methodology, and an increasing understanding of severe accidents have all had an impact on the perspectives on the dominant risks for Surry.
| |
| This study concludes that station blackout (loss of all AC power) accidents are the dominant contributors to core damage. They account for approximately two-thirds of the internal events core damage frequency.
| |
| This result is partially due to certain features of the Surry electric power systems, which are discussed below, and may not be applicable to other plants. The station blackout analysis for this study was much more rigorous than that of WASH-1400. All aspects of electric power modeling, plant response modeling, and development of event probabilities have been significantly improved over those used in WASH-1400. The higher frequencies for station blackout are considered a more accurate assessment of the event than previous analyses.
| |
| Loss of coolant accidents inside containment are the second most dominant accident group, accounting for approximately one-seventh of internal events core damage frequency. The prominence of this accident group is greatly reduced over the results of WASH-1400, which was completed in 1975. This is due to three factors: (1) improved operator procedures and training which direct operator intervention to mitigate LOCAs at an early stage and provide direction for coping with subsequent system failures, (2) the installation of several cross ties between the two Surry units that provide back-up systems to cope with emergency core cooling system failures, and (3) improved understanding and knowledge of
| |
| - containment systems performance, which has led to less constraining success criteria for containment systems. As with the station blackout conclusions, some of these improvements are specific to the Surry plant and may not be applicable .to other PWRs.
| |
| Loss of coolant accidents in interfacing systems outside of containment represent a moderate contribution to core damage, at four percent of the total, but are important contributors to risk because they may represent a direct release path to the environment. The understanding of these events is relatively unchanged since WASH-1400. In the ensuing years, the calculated frequency has been reduced due to more frequent check valve test intervals, and recently increased due to the inclusion of common cause failures in the quantification .
| |
| * 1-7
| |
| | |
| The general reactor transient category (other than loss of offsite *power) accounts for six percent of core damage frequency. This category was a negligible contributor in WASH-1400. However, the current understanding and phenomenology of loss of feedwater events is more comprehensive than in WASH-1400.
| |
| Anticipated transients without scram (ATWS) contribute approximately four percent to internal events core damage frequency. Their frequency has been reduced from that calculated in WASH-1400, due in part to equipment
| |
| - modifications required by the ATWS Rulemaking and by improved procedures and operator training for this event.
| |
| Steam generator tube rupture (SGTR) also accounts for approximately four percent of core damage frequency. This event was not analyzed in WASH-1400. To date, however, at least five steam generator tube failure events have been large enough to require an Emergency Core Cooling System (ECCS) response and mitigation. Tube ruptures are a form of interfacing LOCAs, and thus may be very important to risk, even though they do not dominate core damage frequency. It is therefore appropriate to include these initiating events in the PRA.
| |
| 1.4.1 Plant Specific Conclusions As previously stated, the core damage frequency is dominated by station blackout events. There are many individual contributors to these scenarios, and it is not possible to identify a single issue or event that drives the frequency calculations. The individual contributors are discussed below.
| |
| The frequency of loss of offsite power at Surry was calculated to be
| |
| : 7. 7E-2 per year using a combination of generic and site-specific data.
| |
| This is better than average for U.S. nuclear plants, but is higher than expected if only the Surry specific experience of zero failures in 15 years were considered. The calculation includes experience from other plants with switchyard configurations similar to Surry, which have experienced loss of offsite power. The calculation of probabilities for non-recovery of offsite power are also based on experience at other plants with similar switchyard configurations. Since probabilities for loss and non-recovery of offsite power appear in every station blackout cut set, reduction of these probabilities could have an important effect on core damage frequency.
| |
| Events for diesel generator failure are also in each and every blackout sequence cut set. The probability for diesel failure to start was calculated from plant specific data to be 2.2E-2/demand. This value is also slightly better than average for U.S. nuclear plants. The electric power configuration at Surry, however, provides three diesels for a two-unit site. This offers reduced redundancy compared to most other nuclear plants and tends to increase the probability of station blackout occurrence. The AC power availability reduction resulting from the swing diesel configuration is overcome to a significant extent by the provision 1-8
| |
| * of cross ties between the charging systems and auxiliary feedwater systems at both units.
| |
| Alternative sources of AC power at the Surry site were not included in the station blackout models. A gas turbine generator is at the Surry site, but current supporting systems and administrative procedures preclude its timely use during a station blackout.
| |
| The plant response to station blackout at Surry is similar to that of other PWRs. The dominant type of blackout sequence represents core uncovery due to long term battery depletion. The battery depletion time was assessed to be 4 hours, which is typical for PWRs. The next most dominant sequence is the reactor coolant pump seal LOCA sequence. A generic model for Westinghouse reactor coolant pumps was developed in re-ference 40 and used in this study. It predicts a significant probability of severe seal degradation, starting at 1 1/2 hours from loss of seal cooling. Core uncovery is predicted to occur about 2 hours after onset of seal failure, unless AC power is restored and safety injection is provided within that time.
| |
| Examination of the contributors to loss of coolant accidents provides insights regarding the Surry plant. The LOCA-induced core damage frequency for this study was significantly reduced over that of WASH-1400, particularly for the small LOCA events. This occurred in spite of a tenfold increase in the small LOCA initiating event frequency. Plant modifications occurring since WASH-1400, which allow for cross tie of the high pressure safety injection systems, auxiliary feedwater systems, and refueling water storage tanks at each unit contributed significantly to this reduction in frequency. In addition, Surry has a three tier system of emergency procedures which provide explicit instruction to utilize these cross ties. The.Technical Specifications for these systems address component operability based on the operational status of both units, thus ensuring availability to the other unit even though the primary unit's status may not require it. The system cross ties available at Surry provide a reliable alternative for recovery of system failures.
| |
| 1.4. 2 Accident Sequence Conclusions As previously noted, there are twenty-eight accident sequences in the Surry core damage model. These sequences are listed in Table 5-2 in section 5.0 of this report. The number of sequences in a PRA model and their relative size is strongly influenced by the PRA methodology utilized and the level of detail of the analysis. The relative contribution of various types of sequences for a specific plant can provide insight into the types of accident scenarios which are important at that plant.
| |
| As discussed earlier, the Surry units are provided with cross -tie capability between the AFWs, HPis, and RWSTs at each unit. These cross ties provide a recovery potential which is not available at many other plants. The sequence profile reflects the importance of these cross ties.
| |
| 1-9
| |
| * The highest single sequence is long term station blackout at Unit 1, leading to battery depletion and consequently loss of instrwnentation and control power. As this sequence represents a blackout at Unit 1, with power available at Unit 2, reactor coolant pump seal cooling can be provided by the Unit 2 charging system, via the HP! cross tie. Thus, the risk of seal failure is averted, and the battery depletion scenario dominates.
| |
| The next highest sequence represents the seal failure scenario during station blackout. This sequence represents a single unit blackout with failure to provide seal cooling via the cross tie. This can be due to equipment failure or operator error. Without cooling, the seals are at risk early in the sequence. Seal failure is predicted to occur between 1-1/2 to 2-1/2 hours. If AC power is not restored in an additional two hours, core uncovery occurs. The fourth most dominant sequence represents the same scenario except that the sequence is a two-unit blackout, and seal cooling is unavailable due to loss of AC power at Unit 2.
| |
| The other two prominent blackout sequences represent early (initial) failures of the auxiliary feedwater system or failure of the pressurizer PORVs to reclose after
| |
| * opening. Failure to restore AC power within a limited time leads to core uncovery.
| |
| Examining the twenty sequences below lE-6 indicates that long term sequences (which allow time for recovery) are not represented.
| |
| Specifically, there are no sequences representing small breaks with failure of ECCS recirculation. This is due to two considerations.
| |
| First, emergency operating procedures direct operator intervention in a small break to cooldown and depressurize the reactor coolant system, thus minimizing the break flow. Second, the system cross ties enable the operators to recover from system failures.
| |
| The LOCA sequences that do contribute to the core damage model are the large breaks with failures in both injection and recirculation, and small breaks with failures in injection. The common aspect of these accident categories is that they are fast moving sequences, happening early in time to the initiator, thus leaving little time for operator intervention or recovery.
| |
| Two types of transient sequences are prominent: loss of all feedwater and ATWS sequences. Loss of all feedwater sequences at Surry probably have lower frequencies than at most plants, due to the AFW cross tie. The ATWS sequences are short and fast acting, leaving little time for recovery.
| |
| 1.4. 3 Plant Damage State Conclusions The core damage sequences in the plant model were combined into seven plant damage states for purposes of accident progression event tree analysis. The plant damage state grouping is very similar to the sequence grouping shown in Table 1-1, except that station blackout has been divided into two groups; a fast blackout group representing the loss 1-10
| |
| | |
| of AFW sequences, and a slow blackout group representing all other blackout sequences.
| |
| 1.4.4 Uncertainty Considerations The process of developing a probabilistic model of a nuclear power plant involves the combination of many individual events (initiators, hardware failures, operator errors, etc.) into accident sequences and eventually into an estimate of the total frequency of core damage. After development, such a model also can be used to assess the importance of the individual events. The sequence cut set* models supporting this study have been analyzed using several importance measures. The results of the analyses using an uncertainty importance measure are summarized below. For this measure, the relative contribution of the uncertainty of individual events to
| |
| * the uncertainty in total core damage frequency is calculated. Using this measure; the following events wer~ found to be most important:
| |
| * Diesel generator fail to start
| |
| * Diesel generator fail to run for six hours Loss of offsite power initiating event
| |
| * Interfacing LOCA
| |
| * Unfavorable moderator temperature co-efficient during ATWS
| |
| * Nonrecovery of offsite AC power after initial loss 1.4.5 Comparison to Reactor Safety Study In the 13 years between the Reactor Safety Study (WASH-1400) analysis of Surry and the present study, both the Surry plant configuration and the understanding of reactor operation and safety have changed. WASH-1400 calculated a total core damage frequency from internal events of 5.SE-5.
| |
| This study calculated a total core damage frequency from internal events of 4.0E-5. It should be noted when comparing the,two that the WASH-1400 value for core damage frequency is a point estimate, based on the sum of individual sequence median values, while this study' s value is the calculated mean of a distribution. The modifications in plant configuration at Surry reduce the frequency of comparable WASH-1400 sequences to 1. 7E-5, but consideration of seal LOCAs, steam generator tube rupture, and more detailed evaluation of station blackout, combine to increase the total core damage frequency to 4. OE- 5. Some of the significant differences and similarities between this study and WASH-1400 are presented below:
| |
| * Reactor coolant pump seal LOCAs during station blackout are important in the present study, but not in WASH-1400.
| |
| * Station blackout followed by loss of AFW was important in both studies.
| |
| * Every accident sequence is the sum of one or more combinations of events that lead to core damage. These combinations of events are the detailed scenarios of the minimum sequence of failures (component and human) that result in core damage and are defined as "cut sets."
| |
| 1-11
| |
| * ATWS sequences are not directly comparable due to increased know-ledge of ATWS phenomenology, different probabilities for failure to scram, and different perceptions about operator error rates in ATWS situations.
| |
| * Understanding of interfacing LOCAs is relatively unchanged, while the frequency is slightly reduced. A reduction in the event frequency, due to increased valve testing frequency, was countered by inclusion of dependent failures in the quantification.
| |
| * The frequency of LOCA sequences, followed by failure of ECCS systems, is significantly lower in the present study than WASH-1400.
| |
| * The enhanced understanding of containment cooling phenomena and containment failure scenarios used in this study led to a significantly reduced dependence on containment cooling systems for the prevention of core damage.
| |
| Table 1-2 summarizes the comparable core damage frequencies of the dominant sequences for both studies.
| |
| 1.4.6 Other Insights
| |
| * Throughout the performance of a PRA, it is common to identify component interactions and dependencies which were previously unexpected. One such insight is discussed below.
| |
| The station blackout analysis revealed a unique interactive dependency which leads to an unexpectedly high probability of a non-isolable faulted steam generator during blackout. Were this se*ries of events to . occur, they would not prevent the ability to provide steam generator heat removal, but would require additional actions to stabilize the AFW supply, may act as a precursor to AFW failure, and generally could add to the stress level and complexity of the event.
| |
| The interactive dependency is manifested during station blackout, because all power *is lost to both the steam generator level control valves and the steam generator atmospheric relief valves. The level control valves are located inside containment, are powered from a 480 VAC bus, are normally open.,. and fail open on loss of power. The atmospheric relief valves are powered from a semi-vital bus which loses all power upon station blackout. Thus, during a blackout, steam relief will be through the steam generator safety valves until such time as flow paths to the condenser can be established via manual local valve line-ups. This was estimated to be accomplished shortly after one hour. During this time, it was estimated that each SRV would open every 20 minutes, for a total of nine openings. This number of openings gives a relatively high probability of failure to reclose. Shou;J.d the safety valve fail to reclose, it is not isolable, and will lead to an uncontrolled blowdown of that steam generator. The feedwater supply to that SG is not isolable either, because the level control valves fail open.
| |
| 1-12
| |
| * Table 1-2 Comparison of NUREG/CR-4550, Revision 1 and WASH-1400 Sequences
| |
| * General Accident Type NUREG/CR-4550, Revision 1 Approximate WASH-1400 Mean (Median) Median Frequencies Cl) Frequency Station Blackout (Slow) 2.2E-5 (8.2E-6)
| |
| Station Blackout (Fast) 4.8E-6 (1.3E-6) 3E-6 Anticipated Transient 1. 6E-6 (4.2E-7) 4E-6 Without Scram Transients 1.2E-6 (6.9E-7) 6E-6 Interfacing LOCA 1. 6E-6 (4.9E-8) 4E-6 Loss of Coolant Accidents 6.0E-6 (3.SE-6) 2.9E-5 Steam Generator Tube Rupture 1. 7E-6 (6.6E-7)
| |
| Total 4.0E-5 (l.SE-5) 4.6E-5 (1) Sum of means (or medians) of individual plant damage states
| |
| | |
| Entrance into containment to manually close the valves would be very difficult during a blackout. Consequently, no credit was allowed in the analysis. The AFW configuration at Surry is such that the level control valves represent the only way to isolate auxiliary feedwater to a single steam generator. Thus, under these conditions, the faulted SG would continue to be *fed and continue to blowdown.
| |
| This event does not prevent the ability* to. provide steam generator heat removal. However, it is an undesirable event* which would add to the complexity of steam generator feed control, possibly increasing the probability of feed flow failure due to human error, lack of condensate, or possible phenomenological considerations.
| |
| | |
| 2.0 PROGRAM SCOPE The Surry Probabilistic Risk Assessment (PRA) was conducted during two periods. During the first period, the objective was to complete a near state-of-the-art PRA in a short time.* This was accomplished, and following a review and some revisions, the PRA was published as NUREG/CR-4550, Volume 3 in November 1986. This report received extensive distribution and considerable review. In* response to the comments from reviewers and especially the ti. S. Nuclear Regulatory Commission (NRC),
| |
| the utility industry, and Virginia Electric Power Company, an update of the report was initiated. During the interim period, several changes were made to the plant and additional system and procedural details were examined. The result is the significantly revised analysis presented in this document, NUREG/CR-4550, Volume 3, Revision 1, Parts 1 and 2.
| |
| This report combines the tasks performed in the original analysis with the tasks accomplished during the revised analysis. While the original objective was to perform a fast efficient PRA, it became necessary due to comments and criticism to examine additional details and to refine the models and techniques during the revised analysis. One target in the re-analysis was to reduce conservatism as much as possible. This resulted in much more than a six-month effort. To give the reader a perspective of the scope of this work, a list of PRA tasks is given below describing what was done in this analysis. The level of detail is compared to a "state-of-the-art" PRA for each task and graded as (1) improved state-of-the-art, (2) state-of-the-art, (3) slightly abbreviated, (4) abbreviated and (5) not analyzed.
| |
| * Plant Familiarization Analysis- -Information was collected from past Surry studies and the Final Safety Analysis Report (FSAR) and put together in an initial set of event trees, fault trees, and questions for plant personnel. The pre-visit information gathering took a month. One week was spent at the plant gathering information first hand and regular contact with utility personnel was maintained throughout the course of the study. A confirmatory visit near the end of the first analysis and a subsequent v-isit during the revised analysis were conducted. Several changes were made to the event trees, and a few changes were made to the fault trees. (Slightly abbreviated to state-of the-art).
| |
| * Ace ident Sequence Initiating Event Analysis - - Initiating event information (internal events only) from past studies and plant; specific records were used. A thorough search for support system initiators was conducted. During the revised analysis, these initiating events were reviewed. Loss of component cooling water, loss of instrument air, loss of 120 VAC vital instrumentation bus, and steam generator tube rupture were re-evaluated. The frequency and recovery factor for loss of offsite power was improved. (State-of-the-art) 2-1
| |
| | |
| *
| |
| * Accident Sequence Event Tree Analysis- -Because the plant has been studied thoroughly, functional event trees were not developed. Past studies and current containment analyses were used to identify the event tree headings necessary to model all reactor and containment functions. No significant shortcuts were used to develop the system event trees. Nevertheless, several refinements were made in the revised analysis. (Improved state-of-the-art)
| |
| * System Analysis--The level of modeling detail was at the discretion of the analyst. If the system could be shown to be relatively unimportant, or if a detailed model would have taken an unreasonable amount of time, simplifications were made. If the system was considered important, a detailed modeling effort was undertaken. The models . are therefore a combination of detailed fault trees, abbreviated fault trees, Boolean expressions, and "black box" models.
| |
| Fault trees for several systems were added in the revised analysis.
| |
| The level of detail in many existing fault trees was also increased.
| |
| Common cause failures were included in the fault trees rather than applying such failures by hand to the cut sets. Fault trees. were expanded from "train level" modeling (called pipe segments in the earlier reports) to individual components. Power dependencies were expanded from the train level to the motor control center level. This was done to a large extent for the benefit of the external events analyses, which use the internal events analysis models. (Ranges from abbreviated to state-of-the-art, depending on the system)
| |
| * Dependent and Subtle Failure Analysis- -A significant effort was made to identify, model, and quantify dependent failures. Intersystem dependencies were identified and modeled in the system analysis.
| |
| Subtle interactions found in past PRAs were reviewed for their applicability to Surry. A Licensee Event Report (LER) review of Surry was made to identify any unexpected interactions or common cause failures. (Slightly abbreviated to state-of-the-art).
| |
| * Human Reliability Analysis (HRA)- -An abbreviated HRA procedure was developed (26) specifically for this program. An HRA specialist was present during the initial plant visit in order to determine performance shaping factors for the Surry plant. This was ultimately not possible due to the limited time allowed for this task. During the recovery analysis conducted in the revised analysis, each human error event was carefully tabulated, described, and re-evaluated.
| |
| Only errors of omission were considered in this analysis. (Slightly abbreviated)
| |
| * Data Base Analysis--A data specialist was present during the initial plant visit. As with the HRA specialist, time constraints limited the data search. However, a reasonable amount of plant specific data was collected. In the revised analysis, additional plant specific data was obtained for components shown to be important in the initial analysis. Where plant specific data was lacking, generic data was used. (Slightly abbreviated) 2-2
| |
| *
| |
| | |
| *
| |
| * Accident Sequence Quantification Analysis- -A two stage event tree process and a two stage quantification process was used to reduce the number of sequences which required detailed quantification. No significant shortcuts were taken in this area. All the accident sequences with potential for being greater than lE-7 were analyzed in detail. (State-of-the-art)
| |
| * Plant Damage State Analysis- -Issues from the accident progression event trees were identified by the back-end analysts for the front-end analysts to evaluate. This evaluation resulted in the binning of core damage cut sets into plant damage states. (Improved state-of-the-art)
| |
| * Physical Process of Reactor Meltdown Accidents--Past thermal hydraulic calculations and calculations performed by the NUREG-1150 accident progression analysts were used as required. (State-of-the-art)
| |
| * Radionuclide Release and Transport--This was handled by the NUREG-1150 source term analysts.
| |
| * Environmental Transport and Consequence Analysis--This was handled by the NUREG-1150 consequence analysts.
| |
| * Seismic Risk Analysis - -This is considered in Part 3 of Volume 3.
| |
| (State-of-the-art)
| |
| * Fire Risk Analysis--This is considered in Part 3 of Volume 3.
| |
| (Slightly Abbreviated)
| |
| * Flood Risk Analysis--This is considered in Part 3 of Volume 3.
| |
| (Slightly Abbreviated)
| |
| * Other External Hazards (e.g .. Tornadoes)--This is considered in Part 3 of Volume 3. (Slightly abbreviated)
| |
| * Treatment of Uncertainties- -Statistical uncertainty in the failure data, uncertainty associated with the application of the failure data, and uncertainty caused by modeling assumptions and success criteria were all treated in the analysis. In the original analysis, uncertainty was handled to a large extent by sensitivity studies. In the revised analysis, uncertainty was incorporated directly into the data. Expert opinion elicitations were conducted on issues that could significantly affect uncertainty. Furthermore, several model and informational issues from the original analysis were resolved by additional study. (Improved state-of-the-art)
| |
| In addition to the comparison of this analysis to a state-of-the-art PRA, it is informative to identify some things that PRAs do not normally treat. The following list of items not normally treated in PRAs is taken with some modification from NUREG-lllS.C4)
| |
| * 2-3
| |
| * Partial Failures
| |
| * Design Adequacy
| |
| * Adequacy of Test and Maintenance Practices
| |
| * Effect of Aging on Component Reliability (also burn-in phenomena)
| |
| * Adequacy of Equipment Qualification
| |
| * Environmentally-Related Common Cause
| |
| * Similar Parts-Related Common Cause
| |
| * Sabotage The Surry PRA incorporated innovative operator accident response actions into the accident sequence recovery analysis. In this aspect the PRA is improved over the state-of-the-art. Innovative operator accident response was treated uniformly by all PRA teams using guidelines developed from a poll of experts.
| |
| 2-4
| |
| : 3. PROGRAM REVIEW To assure quality, two groups were chartered with the responsibility of reviewing the work and providing timely feedback. Because the time available to complete the tasks in the original analysis was short, these reviews had to be intense, and Probabilistic Risk Assessment (PRA) team response time had to be almost instantaneous. In the revised analysis, more time was available, but the review meetings were still intense and informative. In addition to their review, public comments were received by the NRG and three other groups reviewed the work for their specific purposes.
| |
| 3.1 Senior Consultant Group The purpose of the Senior Consultant Group (SCG) was to provide a broad scope review of the methods and results of the reference. plant PRAs.
| |
| This high-level review was to further assure the validity and applicability of the products. However, the SCG was not expected to provide detailed quality control or assurance of the products. This group did not meet during the revised analysis.
| |
| The members of the SCG are listed below:
| |
| * Dennis C. Bley, PL&G
| |
| * Michael P. Bohn, SNL
| |
| * Gregory J. Kolb, SNL
| |
| * 3.2
| |
| *
| |
| * Joseph A. Murphy, NRG William E. Vesely, SAIC (formerly of BCL)
| |
| Quality Control Group The goals of the Quality Control Group (QCG) were the following:
| |
| * to provide guidance regarding the methodologies to be utilized in the PRAs,
| |
| * to ensure the consistent application of the methodologies by all PRA teams, and
| |
| * to ensure the technical adequacy of the work These goals were met via periodic review meetings with the PRA teams. At these meetings, the QCG discussed the methodologies and reviewed, in detail, all technical work performed.
| |
| The QCG was composed of the individuals listed below; also shown is each individual's technical specialty:
| |
| * Gregory J. Kolb, SNL (QCG team leader, systems analysis, original analysis only)
| |
| *
| |
| * Gareth W. Parry, NUS (uncertainty analysis, systems analysis, reliability data) 3-1
| |
| * John Wreathal, SAIC (human reliability analysis, revised analysis only)
| |
| * Barbara J. Bell, formerly of BCL (human reliability analysis)
| |
| * Arthur C. Payne, Jr., SNL (systems analysis, reliability data, back-end interface)
| |
| * Eddie A. Krantz, INEL (systems analysis, original analysis only)
| |
| * David M. Kunsman, SNL (systems analysis, back-end interface)
| |
| * Gary Boyd, SAROS (systems analysis, back-end interface) 3.3 Utility Interface A constant interface was maintained with the utility throughout the duration of the original analysis. The Surry team leader was in constant contact with Surry engineering and plant personnel to ask questions and verify information. The Surry contacts also reviewed the results presented in the first draft of the study and provided comments that were considered in the revised analysis. The same close interface was carried through the revised analysis. The utility support was extremely helpful.
| |
| 3.4 Uncertainty Review Panel This panel was formed at the request of the NRG to consider the way in which uncertainty had been analyzed in the draft NUREG-1150 and the supporting documents. A three-day meeting was held on April 20-22, 1987,
| |
| * where a number of contributors to NUREG-1150 were invited to make presentations to the panel, as were others who were known to have views that were important to the assessment. The panel addressed all areas of the uncertainty methodology including the statistical methods used, the way the results were presented, and especially the use of expert judgment.
| |
| As a result of the panel's findings, significant changes were made to the analysis [50]. The most important improvement was in the elicitation of expert judgment, which became a major effort in the revised analysis for both the front-end and back-end analyses.
| |
| 3.5 Peer Review Panel After the publication of the draft NUREG-1150 and the supporting front-end and back-end documents, the NRG Commissioners recommended a peer review because of the potential importance of these documents to the NRG' s regulatory process. Lawrence Livermore National Laboratory was selected to coordinate this effort. Although this review panel was
| |
| * initiated by the NRG, it functioned independently.
| |
| 3-2
| |
| | |
| Fourteen members were selected including national and international
| |
| * experts in the fields of nuclear reactor safety, probabilistic risk assessment, and severe accident phenomenology. The individuals represented academics, research laboratories, electric utilities and consulting companies. The first phase of their review was to address the draft documentation. The second phase is to review the final NUREG-1150 and related documentation including this report. At least five formal meetings were held during the first phase, and testimony was given by numerous people, including the Surry analysts. The findings are given in Reference 41. In general, the panel had a number of comments on NUREG-4550, and those comments relevant to the study have been addressed.
| |
| 3.6 American Nuclear Society Committee Many members of the American Nuclear Society (ANS) felt that the society should express its view regarding a document such as NUREG-1150 that has the potential to influence the perception of accident risks associated with nuclear power plants and have an impact on the regulatory process.
| |
| Thus, the President of the ANS appointed a special committee to follow and comment upon the documentation and progress of the NUREG-1150 program.
| |
| Their findings and recommendations on the draft NUREG-1150 are found in Reference 42. These findings and recommendations were based on a review of the February 1987 draft NUREG-1150, and the supporting documents, a review of the public comments, briefings by the NRG staff and others, and visits to Sandia National Laboratories by the Chairman and Vice Chairman to observe the expert review panel process and to discuss the ongoing analysis leading to the revised documeni.
| |
| 3.7 Public Comments During the several months when public comments were solicited, a number (approximately SO) of individuals and organizations performed detailed reviews of the NUREG-1150 related documentation. Their comments were extensive. These comments were submitted to the NRG and sorted by subject. Those comments applicable to the front-end analysis and, in particular, the Surry analysis, were reviewed by the analysts and considered to the extent possible during the revised analysis .
| |
| * 3-3
| |
| * 4.0 TASK DESCRIPTIONS This section contains information on the major tasks performed for this study. Section 4.1 provides a task flow chart which shows the interrelationship of the individual tasks.
| |
| The remaining subsections within Section 4 address each individual task as it applied to the Surry analysis. Section 5 provides the information covered by the last :task entitled
| |
| ''Interpretation of Results."
| |
| 4.1 Task Flow Chart The major tasks performed for this study are indicative of the general tasks performed in any Level 1 PRA. Figure 4.1-1 displays the major tasks carried out in this analysis and shows the primary information flow paths between each task. The entire process has been performed twice. The first time was during_ the initial analysis which began in July 1985 and resulted in the first draft of this report, printed in October.1986. Following a-comment and review period, the entire process was performed again i11 order to update the analysis and respond to comments received on the first draft. The following subsections reflect the combined effort for both the first draft phase and the reanalysis for each of the major tasks. Reference 3 provides more detailed descriptions of the methodology used in carrying out each task. The reader is referred to that volume and the subsections which follow in order to obtain a comprehensive description of .how the Surry analysis was conducted*
| |
| * 4.1-1.
| |
| | |
| IHITIA11NQ EVBIT l,
| |
| IEQUENCE
| |
| !
| |
| ACCIDENT UNCERTAINTY/
| |
| 1DEN11RCA110N AND EVENT TREE SEQUENCE BENS11IVl1Y GROUPING ANALYSIS QUANTIFICA 110N ANALYSIS INTERPRETATION
| |
| .------- -LOCAII i--- -PASTl'RAo
| |
| - NUREO I l!IO C<llfTAINIIIEHT
| |
| *IIETSCODE i- -TEMAC
| |
| * PAIIAMETEII VALUE UNCERTAlllY i--. OF
| |
| - TRANSIENTII
| |
| * RECOVERY ACTIONS RESULTS
| |
| - IIUPPORT l!YSTBI IIITIATOa ANALYSES
| |
| * MODELIIG UNCERTAIHTY J '~
| |
| l'UNT f-UARIZA110N IIYSTEMS ANALYllll
| |
| -FSARo I 0 PASTPRA0 ~
| |
| * DETAILED FAULTmEEs
| |
| * OTHER STUtlES
| |
| * LERo - SIIIPURED FAULT TREES I
| |
| * PUNT VlllT . auCK OOX MODELS DEPENDENT * '
| |
| -
| |
| HUMAN
| |
| -
| |
| FAILURES DATA BASE ANALYSIS DEVELOPMENT IITERFACE ANALYSIS
| |
| ._
| |
| 0 INlERSYIITEM DEPENDENCES
| |
| * PLANT SPECIFIC COMMal CAUSE
| |
| * PUNT SPECIRC DATA
| |
| * ASEP SCREENING PROCEDURE
| |
| * PUNT SPECIFIC PRE-ACCIDENT
| |
| -
| |
| * GENEIIC C ~ CAUSE
| |
| * GENERIC DATA ANO POST ACCIDENT ANALYSIS
| |
| * SUBTlE IHTEIIAC110N9 t
| |
| Figure 4.1-1. PRA Task Flow Chart .
| |
| * *
| |
| * 4.2 Plant Familiarization In order to assure that the analysis reflected the Surry Unit 1 plant, a plant familiari-zation task was performed. During this effort, the analysts became familiar with the specific design, operational, and'* historical performance aspects of the unit. The initiating event experience*, the models, failure data, and human reliability analysis are based on Surry specific inputs. The performance of this task constituted two plant visits; one plant visit initially and one near the end of the revised analysis.
| |
| Prior to the initial plant visit, the Surry PRA team reviewed previous fault tree and event tree analyses applicable to Surry, the fault tree and event tree sections of WASH-1400 and the sections of the Surry Final Safety Analysis Report applicable to the systems of interest. Preliminary event trees, system fault trees, and simplified system schematics were constructed and preliminary success criteria and dependency matrices were developed to identify specific areas where information was needed to develop accurate models. Based on these initial activities, a package was prepared and sent to the plant identifying the plant specific information and da.ta that was required, and a sampling of generic and specific questions concerning system design and operation that had arisen due to our initial review. The following sections provide brief descriptions of the plant visit and the information obtained during the visit.
| |
| 4.2.1 Initial Plant Visit A one week plant visit was arranged to meet with plant personnel. Among the many areas of discussion were plant and system modeling questions, collection of system design and operational information, *discussion of transient sequence progressions, and the operators responses to these events. The PRA plant visit team included a human factors specialist, a containment analyst, and a failure-data specialist. During the visit the team had discussions with the Surry supervisor of System Safety, the Operator Training Coordinator, and the head of Human Performance Engineering. In addition, individual members of the PRA team talked with reactor operators, the Shift Technical Advisor, and members of the maintenance engineering staff.
| |
| Discussions centered on gaining a clear understanding of 'the following items:
| |
| * The normal and emergency configurations and operation of the various systems of interest.
| |
| * System ihterdependencies.
| |
| * Design and operational procedure changes implemented at the plant, within the last 5 years.
| |
| * Operational problem areas identified by plant personnel which might impact the analysis.
| |
| * The. automatic and manual actions taken in response to various emergency conditions.
| |
| * The availability of plant specific operational data *
| |
| *
| |
| . The emergency procedures which addressed actions identified by the PRA analysts as important actions were "walked through" with operations personnel.
| |
| 4.2-1
| |
| | |
| The following tables provide a summary of the information requested from the Surry personnel prior to the plant visit:
| |
| Table 4.2-1 identifies the plant specific information, drawings, and procedures requested
| |
| * based on the initial familiarization.
| |
| Table 4~2-2 identifies the information prepared by the PRA team prior to the plant visit which was to be reviewed for accuracy during the plant visit.
| |
| Table 4.2-3 presents a preliminary set of questions provided to the plant personnel prior to the plant visit*.
| |
| Table 4.2-4 identifies the list of plant specific failure data requested.
| |
| Table 4.2-5 provides the preliminary list of events considered to require human reliability analysis for which information was required.
| |
| Table 4.2-6 identifies those areas in which the most recent analytical results were desired.
| |
| 4.2.2 Information Obtained A. complete set of the current Surry p1pmg and instrumentation drawings, w1rmg diagrams, and logic diagrams were provided by the Surry staff. Also, the Surry staff provided copies of the Surry Emergency Procedures, Abnormal Procedures, Emergency
| |
| * Contingency Action Procedures, Functional Restoration Procedures, current technical specifications, and several sections from the current revision of the Surry. FSAR including the current list of equipment actuated by emergency safeguards signals, a list of emergency safeguards actuation functions, the list of major pipJng penetrations through containment, including line status, isolation requirements, post accident positions, etc., and safety injection control board indications. The Surry personnel also provided the analysis team with the requested plant specific failure data and insight into the operational philosophy at the Surry plant.
| |
| 4.2.3 Subsequent Plant Visit During the Reanalysis Phase In March 1988, a subsequent visit was made to the Surry plant to determine timing fac-tors and to confirm changes made in the reanalysis phase of the PRA *. _One day was spent at the Surry plant. The trip provided operator response information, timing, and inno-vative recovery for several sequences. A plant tour provided insights for the recovery analysis. Additional plant specific data was also obtained for the diesel generators, charging pump cooling service water strainers, and containment spray recirculation heat exchanger service water valves. The results of the trip were incorporated at the appro-priate levels in the revi$ed analysis.
| |
| 4~2-2
| |
| * Table 4.2-1 List of Requested Information/Drawings/Procedures PROCEDURES FOR THE FOLLOWING EVENTS
| |
| : 1. Loss of Station Power
| |
| : 2. Station Blackout
| |
| : 3. Reactor Coolant System Depressurization through Secondary Steaming
| |
| : 4. Loss of One AC Safe.ty Bus (4160 V)
| |
| : 5. Loss of One DC Bus
| |
| : 6. Loss of Main Feedwater (MFW)
| |
| : 7. Loss of MFW and Auxiliary Feedwater (AFW) at One Unit (including procedures for feed and bleed or cross-connect of AFW between Units 1 and 2)
| |
| : 8. Turbine Trip
| |
| : 9. Loss of Component Cooling Water
| |
| : 10. Loss of Charging Pump Cooling Water System
| |
| : 11. Low Pressurizer Water Level
| |
| : 12. Loss of One 120 VAC Vital Bus
| |
| : 13. SIAS Actuation
| |
| : 14. Low or High Reactor Coolant System Pressure ELEMENTARY WIRING DIAGRAMS
| |
| : 1. AC/DC Distribution System
| |
| : 2. Emergency AC (including DC power supply for diesel generator start)
| |
| : 3. SIAS
| |
| : 4. Consequence Limiting System SIMPLIFIED LOGIC DIAGRAMS
| |
| : 1. Consequence Limiting System
| |
| : 2. SIAS
| |
| : 3. Diesel Generator Load Sequencers
| |
| : 4. AFW Initiation 4.2-3
| |
| * Table 4.2-1 (Cont'd)
| |
| List of Requested Information/Drawings/Procedures LOAD LISTS FOR EMERGENCY BUS -AND MOTOR CONTROL CENTER (AC &: DC)
| |
| PIPING&: INSTRUMENTATION DIAGRAMS
| |
| : 1. NSSS
| |
| : 2. Residual Heat Removal
| |
| : 3. Emergency Core Cooling Systems (LPI + HPI + ACC)
| |
| : 4. Containment Spray
| |
| : 5. Containment Recirculation Spray
| |
| : 6. sws
| |
| : 7. .Charging Pump Cooling System
| |
| : 8. MFW
| |
| : 9. AFW
| |
| : 10. Main Steam
| |
| : 11. Component Cooling Water System
| |
| : 12. Auxiliary Building Heating, Ventilation, and Air Conditioning (HVAC)
| |
| : 13. Turbine Building HVAC
| |
| : 14. Circulating Water System
| |
| : 15. Chemical Volume and Control System LAYOUT DRAWINGS
| |
| : 1. Reactor Building
| |
| : 2. Auxiliary Building
| |
| : 3. Turbine Building LIST OF POST -TMI MODIFICATIONS AT SURRY 4.2-4
| |
| | |
| Table 4.2-2 Information Prepared by the Surry PRA Team Prior to Plant Visit A. System Success Criteria Matrix
| |
| * Defines system success criteria for each initiating event B. System Dependency Matrix
| |
| * Identifies dependencies at the train level between front-line systems (HPI, CSI, AFW, etc.) and support systems (AC power, DC power, SIAS, etc.)
| |
| * C. Simplified Schematics for the Following Systems:
| |
| * High pressure injection/charging
| |
| * Low pressure injection
| |
| * Containment spray injection
| |
| * Containment recirculation
| |
| * Auxiliary f eedwa ter
| |
| * Charging pump cooling water system
| |
| * Service' water system These schematics will be indicative of the level of detail of the system models.
| |
| D. Preliminary Event Trees
| |
| * Desire review of assumptions, sequence timing, and phenomenology
| |
| * . 4~2-5
| |
| * Table 4.2-3 Typical Questions on System Design and Operation GENERAL QUESTIONS/INFORMATION
| |
| : 1. Normal and actuation position of all ECCS valves.
| |
| : 2. List of components actuated by each train of SIAS, CLCS, and CIS.
| |
| : 3. Pump cooling requirements for AFW, HPI, LPI, CSI, CR (room cooling, seal cooling, motor cooling, etc.).
| |
| SPECIFIC QUESTIONS
| |
| : 1. What function do the cooljng coils on the LPI pump inlets provide (SIS Unit 1 Sheet 1), and are they required for pump operation?
| |
| : 2. What is the function o~ the line from the RWST supply line to the LPI pumps (3/4" -
| |
| 3.
| |
| 4.
| |
| SI-55-153)?
| |
| How many emergency service water pumps ar~ there; three for each unit or three total?
| |
| * Are the batteries, fuel oil system, etc., for the emergency service water pumps
| |
| * dedicated?
| |
| : 5. For valves, which power is removed (e.g., MOV 1869B), how is it removed, and how easy is it to restore?
| |
| : 6. Is power removed from HPI valve MOV 1842?
| |
| : 7. What is the normal operating position of LPI valve MOV 1890C?
| |
| : 8. Is there an HPI cross-connect betw ...... ': Units 1 and 2?
| |
| : 9.
| |
| * What isolation signals does MOV 1370 seal injection valve receive?
| |
| 1 4~2-6
| |
| * Table 4.2-4
| |
| * Components for Plant Specific Failure Data Desirable Reliability Component Characteristics Boron Injection Tank Isolation Cycles/Yr Valves Failures/Cycle Potential Common Cause Main Condenser Isolation Valves Cycles/Yr Failures/Cycle Potential Common Cause Diesel Generators Outage Time for Test &
| |
| Maintenance Probability (Fail to Start)
| |
| Probability (Fail.to Run)
| |
| Emergency Service Water Pumps Probability (Fail to Start)
| |
| Probability (Fail to Run)
| |
| High Pressure Injection/Charging Probability (Fail to Run)
| |
| Pump Probal:>ility (Fail to Start)
| |
| Charging Pump Cooling Water Pumps Probability (Fail to Run)
| |
| Probability (Fail to Start)
| |
| AC/DC Buses Probability (Short to Ground)
| |
| Other Failure Types Batteries Probability (Unavailable on Demand)
| |
| Turbine-Drive Auxiliary Outage Time for Test &
| |
| Feedwater Pump Maintenance Probability (Fail to Start)
| |
| Inside Containment Recirculation Failure History (From Pumps Test)
| |
| * 4.2-7
| |
| | |
| Table 4.2-5 Events for Human Reliability Analysis
| |
| *
| |
| * Feed and Bleed
| |
| * Reactor Coolant System Depressurization by Secondary Steaming
| |
| * Cross-Connect of Auxiliary Feedwater from Unit 2
| |
| * Anticipated Transient Without Scram (Failure of Boration or Manual Scram)
| |
| * Switchover to High Pressure Recirculation for Small Loss-of-Coolant Accident
| |
| * Diesel Generator Sharing During Loss of Offsite Power
| |
| * DC Battery Test 4~2-8
| |
| | |
| Table 4.2-6 Request for Most Up-to-Date Analysis in Following Areas
| |
| * Anticipated Transient Without Scram
| |
| * Feed and Bleed
| |
| * Reactor Coolant System Depressurization Through Secondary Steaming
| |
| * Station Blackout (Battery Depletion Time and Auxiliary Feedwater Pump Cooling Requirement)
| |
| * *
| |
| * Charging Pump Cooling Water Requirements Reactor Coolant Pump Seal Cooling Water Requirements (and Seal LOCA Sizes)
| |
| | |
| 4.3 Initiating*Event Identification and Grouping Initiating event (IE) identification and grouping were performed for Surry in accordance with the methodology in Reference 3. This task involved the identification of potentially significant initiators at nuclear plants, identifying the applicability of them to the Surry plant, and grouping the initiators into categories based on similar plant response and similar success criteria for successful initiator mitigation. As discussed in Reference 3, it is not the intent of a focused PRA _to explicitly evaluate (i.e~*, perform event sequence quantification) every possible initiating event. The intent is rather to evaluate those initiators which have previously been shown to be important and to ensure that all other potential initiators can be adequately represented by those initiators chosen for explicit evaluation. As such, the IE identification for this study was based on a three part evaluation. First, initiators which were shown in previous studies to be important
| |
| * contributors to core damage or risk were automatically included for evaluation. Second, loss of support systems were examined on an individual basis to determine* if they should be included as initiating events. And thirci, plant specific evaluations of system configurations were done to determine if certain events* which were not important at other plants may be important at Surry due to unique spatial or systemic dependencies between those initiators and mitigating systems.
| |
| The final list of initiating events which formed the basis for accident sequence quantification and their frequencies is shown in Table 4.3-1. The selection of these events is described in the following sections. Section 4.3.1 identifies the sources used to search for initiators which have been previously shown to be important and thus were automatically included. Section 4.3.2 discusses the evaluation of support system failures. Section 4.3.3 discusses the evaluation of special initiators. Section 4.3.4 presents the final list of IEs identified for Surry and those initiators omitted from detailed evaluation in the study. Finally, Section 4.3.5 is a summary of important assumptions and groundrules in the initiating event selection.
| |
| 4.3.1 Initiating Event Identification Table 4.3-2 lists the sources used to identify initiating event candidatt:s. Each candidate in the source list was reviewed for it~ impact on plant operation. Initiators which caused demand for automatic reactor trip were retained for further evaluation and grouping
| |
| _(e.g., loss of main feedwater or loss of flow in one RCS loop). Initiators which would not be expected to lead to an imminent (less than 10 minutes) reactor trip were retained for grouping or eliminated on the basis of equipment which was failed by the initiator.
| |
| Initiators which failed front line or support systems, and could eventually lead to reactor shutdowns were generally retained for grouping. Some of these were addressed in the
| |
| * support system evaluation, while others were evaluated on an individual basis. Initiators which would not cause reactor shutdown directly or indirectly were eliminated.
| |
| Initiators which could possibly lead to shutdown through Technical Specification violations were not included. Manual shutdowns for refueling or administrative reasons were not evaluated in this study. Initiators retained for event tree analysis were grouped into categories based on plant response and success criteria required for successful mitigation.
| |
| 4.3.2 Support System Failures A list of systems at Surry which provide support services to components in front line safety systems and norm.ally operating systems was developed. Each of these systems was viewed as a potential initiator. A Failure Mode and Effect Analysis (FMEA) was 4.3-1
| |
| | |
| Table 4.3-1 Abbreviation Initiating Event Categories Used in the Surry PRA Description* Frequency *(/Yr)
| |
| * Tl Loss of Offsite Power 7.7E-2 T2 Transients with Loss of MFW 9.4E-1 T3 Transients with MFW Initially Available 7.3 T.5A Non-Recoverable Loss of DC Bus A .5.0E-3 Non-Recoverable Loss of DC Bus B .5.UE-3 T.5B T7 Steam Generator Tube Rupture 1.0E-2 A Large LOCA, 611 - 29" .5.0E-4 S1 Medium LOCA, 211-6 11 1.0E-3 S2 Small LOCA, l /2" - 2" 1.0E-3 S3 Very Small LOCA, less than 1/2" 1.3E-2 V Interfacing LOCA 1.6E-6
| |
| * Mean Values 413-2
| |
| * Table 4.3-2 Sources of Initiating Event Candidates
| |
| : 1. Search of LE.Rs at Surry Unit 1 and Unit 2 from 1979 to 1987.
| |
| : 2. NURE.G/CR-3862,0 2) Development of Transient Initiating Event Frequencies for Use in PRA, May 198.5.
| |
| : 3. List of Subtle Interactions Supplied by SANDIA. *
| |
| : 4. Questions during plant familiarization trip *
| |
| .5. Review of past PRAs on PWRs.
| |
| : 6. List of Potential Initiators from ASE.P Methodology.( 3)
| |
| *
| |
| * Letter from F. T. Harper and G. J. Kolb to PRA ezpert1, "Subtle Interactlon1 Fo1111d in Pait PRAs and*
| |
| PIA-Related Studle1," July 2, 198S.
| |
| | |
| completed on each support system to . determine if failure of the entire system or portions of it would lead to reactor trip. These FMEAs are presented in Appendix D of this report. Loss of support a system was explicitly included as a separate initiating event, if four criteria were met. First, loss of the system must lead to an imminent reactor trip, either through a direct or indirect action. Secor:id, loss of the system must fail front line systems (those systems used to respond to 5eactor trips), third, it must potentially have a core damage frequency above 10- /yr*, and finally, it must not clearly be covered by another initiating event group.
| |
| The results of this investigation, showing the resolution for each support system are summarized in Table 4.3-3. A brief discussion of some of these evaluations is given below.
| |
| : 1) Loss of Service Water (Low Intake Canal Level)
| |
| The service water system at Surry is a free flow, gravity fed system which depends on a differential water level between the intake canal and discharge canal to provide the driving head for service water flow.. The intake canal is approximately 1-1/2 miles long and normally contains 45 million gallons of water. The normal height differential between the intake and discharge canals is about 27 feet. Eight circulating water pumps of 210,000 gpm each constantly supply water to the canal. The major load on the canal during plant operation is the condenser cooling requirements, which account for approximately 1.6E+6 gal/min if both units are generating at full power.
| |
| Should the canal have insufficient water inventory, the plant's ultimate heat sink would be unavailable. It was concluded (within the scope of this study) that the only identifiable event with any significant frequency, which could lead to insufficient canal level, is~
| |
| station blackout Closs of all _AC power). During station blackout, power is lost to the condenser isolation valves and canal drainage is estimated to occur _in 30 minutes. Therefore, insufficient canal level was included as a possible occurrence during station blackout, but was not considered as a separate initiating event.
| |
| During normal operation, a balance is maintained in the canal between the circulating water pump supply and the condenser discharge. Other loads in the canal are minimal compared to these cooling requirements. Emergency service water pumps of 45,000 gpm capacity are provided. This capacity matches the safety related loads.
| |
| During normal operation, if the canal level drops below 18 feet (from a usual 27 feet), the turbines and reactors at both units will receive trip signals, and the condenser waterboxes will be isolated* (supplied by lE power). Therefore, any postulated failures, during normal operation which alter the canal balance would be terminated when the canal level reached 18 feet. Failure to isolate one or more of the condensers would cause continued canal outflow*; but consideration of overall effect on canal level must include the amount of inflow available from the circulating water pumps. If all condensers isolate, the residual level in the canal is sufficient to supply safety related 4.3-4
| |
| | |
| Table 4.3-3
| |
| | |
| ==SUMMARY==
| |
| OF LOSS OF SUPPORT SYSTEMS AS INITIATORS Support System Impact on Normal Attendant Important Estimated Annual Resolution Loss Considered Operation System Fail tires Frequency
| |
| * DC Bus lA Reactor trip due Loss of switchgear for 5E-3 T5A Initiating Event to MSIV closure, or Train A, loss of MFW, RPS failure turbine bypass DC Bus 1B Reactor trip due Loss of switchgear for 5E-3 T5B Initiating Event to MSIV closure, or Train B, loss of MFW, RPS failure turbine bypass 480 VAC Bus lH No direct *impact Loss of Train A ECCS 5E-3 Not included as an pumps initiating event.
| |
| Although it disables standby ECCS equipment, it doesn't cause a
| |
| *c:., transient nor cause I
| |
| C,I direct or indirect reactor trip 480 VAC Bus lHl-1 No di r.ect impact Loss of many Train A 5E-3 Not included as an ECCS valves and some initiating event. Loss small non safety pumps of power to ECCS valves will not cause a transient nor a reactor trip. With the exception of the HPI-SW and HPI-CC pumps, none of the pumps perform a core cooling related function. All functions can be performed by redundant pumps. No direct or indirect reactor trip.
| |
| | |
| Table 4.3-3 (Cont'd)
| |
| SUtl4ARY OF LOSS OF SUPPORT SYSTEMS AS INITIATORS Support System Impact on Normal Attendant Important Estimated Annual Resolution Loss Considered* Operation System Failures Frequency 4160 VAC Bus lH No direct impact Loss of Train A ECCS 5E-3 Not included as an Loss of Train A charging initiator. See Loss of 480 VAC lH resolution for 480 VAC Loss of 480 VAC lHl-1 buses.
| |
| 4160 VAC Bus lJ 480 VAC Bus lJl Same as H Train Counterpart 480 VAC Bus lJl-1 120 VAC VB I Turbine runback Reduced redundancy 5E-3 Represented by T2 Reactor trip likely in some instrumentation initiators 120. VAC VB II Loss Cooling to 1 RCP Same as VB I 5E-3 Represented by T2
| |
| ...* Immediate reactor initiators I shutdown
| |
| . 120 VAC VB III Same as VB II 120 VAC VB IV Same as VB II Containment No direct impact Loss of pressurizer spray .01 Not included as an Instrument Air Loss of containment vacuum initiator because does pumps not lead to imminent reactor trip Outside Reactor shutdown on Loss of MFW .01 Represented as T2 Instrument Air MSIV closure Loss of turbine bypass initiator Loss of SG-ADV Component Cooling Reactor shutdown on Loss of Containment 2E-3 Included as T3 Water loss of RCP cooling Instrument Air initiator. Many loss Loss of RHR - shutdown of CCW recoverable using coolinq Unit 2 components. Non-recoverable loss of CCW estimated at 2E-4.
| |
| * Tabl -3 (Cont'd)
| |
| | |
| ==SUMMARY==
| |
| OF LOSS OF SUPPORT SYSTEMS AS INITIATORS Support System Impact on Normal Attendant Important Estimated Annual Resolution Loss Considered Operation System Failures Frequency Bearing Cooling Reactor trip on Loss of MFW 2E-3 Included as T2 Water System Loss of MFW Loss of Turbine Bypass initiator Loss of Outside.
| |
| Instrument Air HVAC None None Not included as an initiator HPI-SW - train None None 1.0 .Redundant train available. Not an initiator
| |
| ."'"
| |
| ~
| |
| Core damage frequency I
| |
| -.J HPI-SW - both Loss of Charging None .03 trains at Unit 1 Pump Cooling from this initiator estimated to be less than lE-7/yr. Not explicitly included in study. See Appendix D for calculation.
| |
| HPI-CC - 1 train None None .3 Redundant train available. Not an initiator
| |
| | |
| Table 4.3-3 (Cont'd)
| |
| | |
| ==SUMMARY==
| |
| OF LOSS OF SUPPORT SYSTEMS AS INITIATORS Support System Impact on Normal Attendant Important Estimated Annual Resolution Loss Considered Operation System Fai 1u res Frequency HPI-CC both trains Loss Charging Pump None 1.3E-3 Core damage frequency at Unit 1 Cooling
| |
| * from this initiator estimated to be less than lE-7/yr. Not explictly included in study. See Appendix D for calculation.
| |
| Service Water Canal Reactor Trip Loss of all heat sink No vents greater than 7
| |
| 10- within the scope of the study could be postulated
| |
| * loads for about 16 hours even if there is no more inflow into the
| |
| * canal. Trip on low canal level, with subsequent condenser isolation is a contributor to the turbine trip initiating event category*, but does not represent a unique systemic failure state of the plant.
| |
| Failure to isolate the waterboxes upon low canal level was a low probability event for the *case when canal inflow was available (i.e.,
| |
| offsite power available). Insufficient canal level was therefore not considered an initiating* event, but was addressed in the context of station blackout.
| |
| The impact of environmental events such as marine growth, or seismic events, on canal inventory were not included in this evaluation.
| |
| : 2) Loss of a 120 VAC Instrumentation Bus Surry has four vital instrumentation buses, each of which receives power from an uninterruptible power supply. Loss of any one bus will leaa to reactor trip through loss of cooling to a reactor coolant pump or turbine runback which could potentially cause a reactor trip due to the inability to control all reactor parameters within trip limits. Loss of a single vital bus causes reduced redundancy of some safety related instrumentation, but does not cause the unavailability of any ECCS equipment. Loss of only one vital bus is therefore, a minimal contri-butor to the loss of main feedwater event category (T 2). Since each vital bus has an independent power supply, a simultaneous failure of multiple power supplies would be needed to fail a vital bus*. No common mode failure of multiple buses could be identified.
| |
| : 3) Loss of Component Cooling Water (CCW)
| |
| Loss of CCW at Surry was determined to be relatively insignificant as a separate initiator. Loss of CCW will cause loss of cooling to the reactor cooling pump (RCP) motors and thermal barrier~ and will eventually lead to loss of containment instrument air (outside instrument air will not be affected, as it is cooled by the bearing cooling water system) *. Loss of CCW will not cause a direct reactor trip but will lead to immediate reactor shutdown due to the required tripping of the RCPs upon loss of cooling.
| |
| Loss of CCW is important at Surry only in that it fails a redundant source of RCP seal cooling. Although loss of CCW does fail the residual heat removal (RHR) system at Surry, it does not fail the ECCS, because they are separate, independent systems. Loss of CCW was not included .as a separate initiator for the following reasons:
| |
| * Loss of CCW does not fail RCP seal injection flow.
| |
| * Loss of CCW does not fail MFW or any other S)'stem which is required to maintain the plant in hot shutdown. *
| |
| * Non-recoverable loss of CCW is estimated at 2E-4 as an initiator. It is functionally **equivalent to a T3 W condition 4.3-9
| |
| | |
| *
| |
| (transients with MFW initially available with loss of CCW)
| |
| * T3 W, as calculated by the fault trees is about 5E-4. The seal vulnerable condition caused by T3o 3W was calctllated at 1.5E-8. Loss of CCW as an initiator would be expected to lead to a seal vulnerable condition, with a frequency of 6E-9/yr, based on the T 3o 3W results. *
| |
| : 4) Loss of Instrument Air The subatmospheric containment design at Surry, results in the need for two independent instrument air systems. One system supplies loads inside containment and one supplies loads outside containment.
| |
| Both systems were examined for potential as initiating events.
| |
| The FMEA evaluation shows that loss of containment instrument air would not result in a plant trip. In addition, the only important function which would be disabled by loss of containment instrument air is the pressurizer spray function (both normal and auxiliary).
| |
| Although the PORVs inside containment are air operated, they are supplied with nitrogen bottles to provide motive force when instrument air is unavailable. For these reasons, loss of containment instrument air was not considered as an initiator for Surry.
| |
| Loss of outside instrument air was also examined to determine its potential as an initiating event. Loss of outside instrument air will result in reactor trip due to MSIV closure. In addition, loss of outside instrument air will cause:
| |
| : 1. CCW to containment.is.isolated. ,
| |
| : 2. Service water to containment fan coolers is isolated.
| |
| : 3. A false low water level signal in the SG is generated.
| |
| : 4. A false low water level signal in the SW canal is generated.
| |
| : 5. MFW regulator valves and bypass valves fail closed.
| |
| : 6. Steam admission valves to the turbine driven AFW pump fail open, thereby starting pump.
| |
| : 7. .Atmospheric dump valves on SG will be unavailable.
| |
| : 8. Steam dump to the condenser will be unavailable.
| |
| Loss of outside instrument air was considered as a potential initiator from two aspects; as a precursor to a seal vulnerable copdition and as a precursor to loss of all feedwater.
| |
| Loss of instrument air is a precursor to a seal vulnerable condition because it isolates CCW to the RCP thermal barrier, thus faHing one method of seal cooling. Should seal injection flow fail prior to restoration of air, a seal vulnerable condition would exist. In addition, RCS cooldown and depressurization is not possi~e until instrument air is restored*. A conservative estimate of 10- /yr was used for loss of the entire outside air system. An estimate of 3E-5 was used for the probability of failure of seal injection flow in the next 24 yours. This considers that thr:ee pumps ar.e available *to provide flow and seal injection flow is operating at the time of loss of instrument air. The probability of a seal wlnerable condition due to loss of air is therefore 3E-7/yr. There are still two recovery actions 4.3-10
| |
| | |
| *
| |
| . which are appliable in this situation. HPI flow can be cross connected from Unit 2, or localized repair to the instrument air system could be completed to restore necessary functions. The potential for these two recovery actions, combined with :.t.n estimated frequency of 3E-7 /yr for the seal vulnerable condition, led to the dismissal of loss of IA as an important precursor to seal LOCA.
| |
| Loss of outside instrument air is also functionally equivalent to a loss of main feedwater transient (T 2l, with an additional limitation on SG heat r~moval in that heat must be removed by the SG-SV until manual, local steam relief can be aligned. All safety functions which are required after a reactor trip can be provided without outside instrument air.
| |
| * Because loss of outside instrument air is functionally equivalent to a T2 transient initiator, and the frequency of loss of outside instrument air (estimated at .01 per year for loss of the total system) is much lower than that of T2 (about 1 per yearl, loss.of outside instrument air was not included *as a separate initiating event but considered to be represented by the loss of main feedwater category.
| |
| : 5) Loss of a 4160 VAC or 480 VAC Bus A non-recoverable loss of a single 4160V or 480V bus was analyzed to determine its potential as an initiating event. The analysis revealed that such an event may result in loss of one train of normally operating systems, or standby systems. However, these events were shown not to cause a direct or indirect reactor trip without.additional equipment failures. For that reason, they were not included as separate initiators. In NUREG/CR-4550 Volume 3, Rev. O, loss of a 480V bus was considered as a separate initiator because a loss of 480V would cause loss of a 120 VAC instrumentation bus. However, the current Surry design provides uninterruptible power supplies to the instrumentation buses, thereby eliminating this interaction.
| |
| : 6) Loss of Charging Pump Cooling Charging pump cooling at Surry is provided by a small dedicated cooling water system. The only loads on this system are the charging pump cooling loads. The system has two independent, redundant trains which are supplied with emergency power. Unit 2 has an identical system and the like trains at each unit can be cross tied.
| |
| Either train of service water can supply both charging pumps.
| |
| Complete loss of charging pump service water has occurred in the past at Surry. The charging pumps operated in the normal charging mode for more than an hour without exceeding bearing temperature limits. Charging pump cooling is required when the charging pumps operate in the safety injection mode. But it is indicated from past experience that loss of cooling will not led directly to a loss of the charging pump.
| |
| Loss of all charging pumps would be a potential initiator because they provide RCP seal cooling, boron injection, auxiliary pressurizer spray, 4.3-11
| |
| * RCS inventory control and safety injection flow. However, loss of HPI-SW does_ not necessarily lead to loss of charging pumps. This consideration, plus an evaluation nf how many additional failures must occur to result in core uncovery, led to the dismissal of this event as a separate initiator.
| |
| : 7) Loss* of HV AC Loss of HVAC loads were examined on an individual basis. The most critical portion was considered to be that part of the system that cools the control room and the switchgear room underneath it. These rooms are on the same HVAC. In both cases*, it was concluded that opening the doors in both rooms could control temperatures to acceptable levels.
| |
| 4.3.3 Special Initiators Three events at Surry were determined to be important enough for investigation, but ultimately were not evaluated using event trees.
| |
| : 1) High Energy Pipe.. Rupture in AFW Ro*om The room at Surry which houses the AFW pumps also serves as a pass-through area for the main steam lines and the feedwater lines. In addition to the piping, the AFW room contains three MSIVs, three main steam non-return valves*, three steam generator atmospheric dump valves, fifteen steam generator relief valves*, one small decay heat relief valve and three main feedwater check valves. There are a total of 28 valves in the room. The concern is that rupture'of a valve body or steam-water line could flood the room with steam and/or water, thereby failing all three AFW pumps.
| |
| Rupture of any component except the main feedwa ter check valves would be functionally equivalent to a T3L sequence. Main feedwater would still be available and the AFW cross connect from Unit 2 would still be available. Rupture of the check valves would be equivalent to a T2L, with AFW available from Unit 2. None of the flow control valves or p,umps necessary for MFW at Unit 1 or AFW at Unit 2 are in the Unit 1 AFW room. The decision not to include this initiator in the study was based on comparison of the estimated frequency of valve rupture, the frequency of T 3L and T2L, and their ".:ontribution to core damage frequency.
| |
| Using a failure probability of lE-9/hr for rupture, the annual fre-quency of valve- or pipe rupture is estimated to be on the order of 3E-4. A large enough break must be .postulated so that all three AFW pumps fail due to flooding or an overheated environment. The AFW pumps are at the bottom of the room and the steam lines are at the top. An incident during the early years of plant operation resulted in a steam release to the room; *however, it was not severe enough to heat up the lower portions of the room. The frequency of severe valve/pipe rupture was estimated as follows:
| |
| (28 Vlv*l E-9/hr + 6 pipe seg
| |
| * lE-10/hr
| |
| * 8760/yr = 2.5E-4 4.3-12
| |
| * T3L as quantified with fault tree analysis is about 2E-3/yr. There were no sequences with T3L greater than lE-7 /yr. Rupture of a steam line at 3E-4/yr is therefore expected to be an insignificant contributor to core damage.
| |
| T 2L as quantified with fault trees is about 3E-4/yr. Feedwater rupture (equivalent to T2L) is estimated to be '5E-'5/yr. T2L sequences contribute about l.'5E-6/yr. This would mean that rupture of a feedwa ter line in this room would be a small, but not negligible contributor to core damage frequency. The results of this calculation are greatly influenced by the value used for valve/pipe rupture. This event was not explicitly included in the core damage frequency, but should be periodically reevaluted as pipe rupture data is improved.
| |
| The frequency of this event is judged to be comparable to the fre-quency of other sequences which result in the same systemic failure state and which were evaluated in the study (e.g., T3L sequences).
| |
| Steam line or PW line rupture in the AFW room was therefore not explicitly included in the quantification, but should be periodically reevaluated as pipe rupture data is improved.
| |
| : 2) Interfacing LOCA Interfacing LOCAs were included in the study and were quantified as an initiating event. However, because they lead directly to core damage without the presence of any additional failures, it was not necessary to evaluate these events through the use of event trees.
| |
| Interfacing LOCAs were evaluated as an expert exlicitatfon issue.
| |
| The analysis is discussed in Reference 40. The calculated mean frequency was found to be l.6E-6/yr.
| |
| : 3) Reactor Vessel Rupture Previous PRA studies (References 2, 7, 10) have explicitly quantified reactor vessel rupture as an initiating event. It is postulated to be of a size and location that it leads directly to core damage. The fre-quencies prevfously calculated were from 1E-7 /yr to 1.1 E-6/yr. These studies did not identify a specific failure mechanism for this event.
| |
| The frequency calculation was based on statistical evaluation of his-torical data, whic\_1s zero disruptive failures in ASME pressure vessels since 1942. With the exceptiop of pressurized thermal shock, no specific failure mechanisms (such as thermal cycling, fatigue, overpressure) have .been identified, which can be evaluated with a structured frequency calculation. The calculation of a frequency is therefore based on interpretation of the existing data.
| |
| References 2, 7, and 10 have done this, and the median value for rupture was calculated in the low lE-7 /yr range. Error factors on this median value are a subjective matter. Reference 10 postulated an errir factor which resulted in the calculation of a mean value of 10- /yr *
| |
| * 4.3-13
| |
| * Without postulating particular reactor vessel rupture scenarios, it is not possible to. identify any interactions with containment systems.
| |
| Presuming all containment systems would be nominally available after a reactor vessel rupture, a single sequence that was in the lE lE-6 range would be a very small contributor to risk at typical PWRs.
| |
| Pressurized thermal shock (PTS) has been identified as a credible mechanism for reactor vessel failure in PWRs with certain levels of copper in the vessel welds. As accumulated neutron fluence on the welds increases, the ductility of the weld decreases. If severe overcooling transients occur or conditions occur where the reactor is pressurized at low temperatures, catastrophic weld failure can occur. The p~obability of reactor vessel failure depends on
| |
| * Weld material composition, particularly copper
| |
| * Accumulated neutron fluence at each weld
| |
| * . Frequency and severity of overcooling transients These factors vary for each plant. A key parameter is the reference tem8,erature for transition to nil ductility (RTND). A temperature of 270 F has been established for Surry as the temperature below which transition to nil ductility is of minimal concern.~
| |
| Reference 6 calculates the frequency of core damage from PTS for a hypothetical H.B. Robinson reactor vessel to be lE-8/yr. The actual copper content *of the Robinson reactor vessel is so low, that it was not possible to derive a statistically significant core damage fre-quency due to PTS. The copper content' was increased in the study models to the point where a RTND of 270°F was calcul.ated for the end of licensed life (32 effective full power years). This allows for the calculation of statistically significant conditional probabilities of core damage, given an overcooling transient. The RTND at EOL for Surry Unit 1 is 269°F when calculated in accordance with lOCFR.50.61, and 260°F when calculated in accordance with Regulatory Guide 1.99, Rev. 2. Since H.B. Robinson is of similar design to Surry, the frequency and severity of overcooling transients are expected to be similar. Because the calculated RTND for Surry is less than the 270°F used in the Robinson analysis, it is concluded that core damage due to PTS at Surry is expected to be minimal compared to core damage from other causes.
| |
| In conclusion, it was determined that under the worst possible con-ditions, reactor vessel rupture is a small contributor to core damage
| |
| ( < 1%) and a negligible contributor to risk. With the exception of PTS, no specific credible mechanism for reactor vessel failure has been postulated. calculation of a frequency based on historical experience is limiting due to the lack of failures. PTS for Surry has been estimated to be in the lE-8/yr range. Reactor vessel rupture was therefore not explicitly included as an initiator.
| |
| 4.3.4
| |
| * Final Initiating Event Selection The final list of initiating events which were explicitly analyzed and became the basis for accident s~uence quantification is shown- in Table 4.3-1. These events and the initiator
| |
| * Pe~aonal cC111111UDi,catl~ with Johnaon, USRRC, July 1988 4.3-14
| |
| *
| |
| * categories which they represent are further expanded upon in Table 4.3-4 for transients and Table 4.3-5 for LOCAs.
| |
| The three common transient initiator categories of loss of offsite power (T ), loss of main feedwater (T 2), and turbine trip with main feedwater initially available \T 3) were selected for event tree analysis and accident sequence quantification. These transient categories are commonly analyzed by PRA studies. The T2 and T 3 category can be used to represent many other initiator categories. Table 4.~-4 gives a summary of the initiator types that are represented by each category.
| |
| Loss of a 480 VAC electrical bus was designated T4, and slated to be an initiating event, when the reanalysis began. Originally, loss of a 480 VAC bus caused a reactor trip through the loss of a vital bus, while it also disabled safety systems necessary to respond to a transient. Since the start of this study however, modifications have been done at the plant in order to provide each vital bus with an uninterruptible power supply. Loss of a 480 VAC bus no longer causes a reactor trip and therefore does not qualify as an initiating event.
| |
| Loss of. a DC bus will cause a reactor trip and disables an entire train of safety equipment. It was included as T 5
| |
| * Loss of HPI service water was also originally included as an initiator, due to constraining success criteria, which had its loss leading to loss of the charging system. Further evaluation of the problem indicated that the charging pumps are able to operate in the normal charging mode for up to four hours in the absence of HPI service water, without exceeding bearing temperatures. Recovery options are available to restore HPI service water to Unit 1 from Unit 2, or to provide charging flow to Unit 1 from charging pumps at Unit 2. These would provide continued charging flow and prevent reactor shutdown.
| |
| Finally, in the event reactor shutdown is inevitable, an independent system (CCW) is still available to provide RCP seal cooling; the most important affected function in this cas . The probability of core damage due to loss of HPI-SW was estimated to be below 10-7/yr. For these reasons, T 6 was not included as a specific initiator for Revision 1.
| |
| Steam generator tube rupture was included as a specific initiating event due to its unique mitigation criteria. The frequency is based on historical experience of 5* events in 500 PWR years.
| |
| The LOCA initiating event selection is summarized in Table t:.* 3-5. Four sizes of LOCAs were chosen, based on the success criteria for successful mitigation. The frequency of the three largest size brfflks are estimated based on a review of past PRAs and the ASEP Methodology Document. The frequency of the very small breaks includes contributions from inadvertantly open PORVs, small pipe breaks, component leakages at flanges and welds, and reactor coolant pump seal LOCAs. The frequency is derived from a review of References 12, 37, and 39. Backup calculations for this frequency derivation are shown in Appendix D of this report.
| |
| 4.3.5 Groundrules In Initiating Event Selection Groundrules which apply only to the selection of initiating events are shown in Table 4.3-6. Some groundrules used in the event tree analysis may indirectly impact initiating event identification. The complete list of event tree groundrules appears in Section 4.4.1.
| |
| 4.3-15
| |
| | |
| Table 4.3-4 Sunmary of Transient Initiating Events Initiating Representative Initiators Annual Event Included Jn lnltJatJng Frequency Category Event Category (Mean Value) Comments Tl Failure of Offslte Power Grld 7. 7E-2 This group constitutes Jnltlators Closs of OffsJte Loss of Station Reserve Power which Interrupt the offslte power Power> Loss of Power to the Swltchyard source to the 4160V pJant buses.
| |
| Frequency.derJ~ed from NUREG-5032. Cl,i T2 Failure of Main FW 9.4E-1 Thls group constitutes JnJtJators Closs of Ma Jn HJ SG Water Level which either Isolate CtrJp> the Feedwater> Inadvertent S I MFW pumps or cau$e a failure Jn Main Steam LJne Break Loss the hotweJl - FW fJow path.
| |
| Loss of Instrument Alr See Note 1. Frequency derived Loss of Bearing O:>oJlng Water from Surry speclflc data JJsted Jn NUREG/CR-3862. Cl 2 )
| |
| T3 Turbine Trip 7.3 Thls group constitutes all CTurbJne Trlp Reactor Tr Ip Initiators which cause WJth MFW Loss of Load reactor trlp but do not AvaJJ able) MSIV Closure fall MFW or any other front Loss of Component Cooling Water line or support system.
| |
| Loss of Turbine ControJ See Note 2. Frequency derived fran Surry speclflc data listed In NUREG/CR-3862.Cl 2 )
| |
| * Table 4.3-Sunmary of Transient Initiating Events
| |
| * Initiating Representative Initiators AnnuaJ Event lncJuded In Initiating Frequency Category Event Category (Mean VaJ ue) Comments T5A - Short on OC Bus 5E-3 Initiator Is non-recoverabJe Joss of a OC T5B - bus. Fre~uency taken fran NI.REG/CR-4550, (Loss of a OC VoJ. 1. en See Note 3.
| |
| Bus)
| |
| T7 DoubJe Ended Rupture of a SlngJe 1E-2 Frequency aerlved from 5 SGTR events (Steam Generator SG Tube In approxlmateJy 500 PWR years, u.s.
| |
| Tube Rupture) exper.Jence through Dec. 1987.
| |
| Surry 2 - Nov. 1972 - 200 gpn Point Beach 1 - Feb. 1975 - 125 gpm Prairie lsJand - Oct. 1979*- 380 gpm R.E. Ginni.- AprlJ 1982 - 700 gpm North An,i *. - July 1987 - 600 gpm
| |
| | |
| NOTES TO TABLE 4.3-4
| |
| : 1. Surry has electric driven MFW pumps. Thus, MFW would be available at Surry for any initiators such as MSIV closure, loss of turbine bypass, etc., which would fail MFW at plants with turbine driven MFW pumps.
| |
| : 2. At Surry, any reactor trip above .50% power will cause the MFW regulating valves
| |
| * to close. FW mini-flow lines to the condenser will open, while the FW pumps stay on. AFW will start on lo-SG level. If AFW starts successfully, operator will secure MFW. If AFW does not come ori, operator can feed SGs with MFW pumps by opening FRV bypass (4" line). MFW pumps are electric driven.
| |
| : 3. Loss of DC bus will cause loss of all switchgear at the associated 4160 VAC and 480 VAC buses. ~witchgear breakers are* failed as is, so pumps that are running will continue to run (i.e~, Charging pump and CCW). Loss of a DC bus will cause reactor trip and a half SI signal (but pumps on affected buses will not activate).
| |
| Failure probability represents shorts in the bus work. Shorts in the loads or interruptions in power were not included. These events are generally recoverable in a very short period of time.
| |
| * le 4.3-5 Sunmary LOCA Initiating Events Initiating Representative Initiators Annual Event Included in Initiating Frequency Category Event Category (Mean Value) Comments A Large LOCAs 5E-4 Large LOC,As, equivalent diameter greater than 6 inches. Frequency obtained from reference 3.
| |
| Medium LOCAs lE-3 Medium LOCAs, equivalent diameter between 2 and 6 inches. Fr~quency obtained from reference 3.
| |
| Small LOCAs, Open PORVs lE-3 Small LOCAs, equivalent diameter between 2 inches and 1/2 inch. Includes inadver-tent open PORVs. Frequency obtained frorn reference 3.
| |
| Very Small LOCAs, Spontaneous Seal LOCAs 1.3E-2 Very small LOCAs, less than 1/2 inch equivalent diameter, including LOCAs initiated by random failure of one RCP seal. See Appendix D for calculation of the frequency
| |
| | |
| Table 4.3-6 Important Groundrules for Initiating Event Selection
| |
| : 1. All initiators are analyzed from high power operation. For ATWS quantification, it was necessary to introduce a split fraction for high power and low power events.
| |
| : 2. Initiators from shutdown were not included.
| |
| : 3. Manual shutdowns for administrative reasons, Technical Specification violations, or refueling were not included.
| |
| : 4. Overcooling transients were not evaluated as a special class of events, with unique mitigation requirements.
| |
| : 5. External events (seismic, tidal, atmospheric) leading to the loss of service water intake canal level were not included.
| |
| : 6. Common cause failure of multiple cooling water* systems due to marine growth were not included.
| |
| 4~3-20
| |
| * 4.4 Event *Tree Analysis The process. by which initiating events were identified and grouped is described in Section 4.3. Table 4.3-1 lists the initiators used in this study.
| |
| This section presents and discu~es the first stage of the two stage event tree analysis process used for the Surry study. The first stage analyzed the potential for core damage in terms of the ways that safety and non-safety systems could respond to the initiating events. This stage addressed only the various paths to core damage, without particular regard to the detailed status of the containment or its systems. The status of contain-ment systems was evaluated only in the context that their failure could lead to core damage. This was addressed via events CS and CV.
| |
| The event. CS represents the failure of containment systems: failure of the CSS (containment. spray system), ISR (inside spray recirculation), or OSR (outside spray recirculation). For sequences without steam generator heat removal available, contain-ment systems failure will eventually lead to containment overpressure and failure due to loss of containment heat removal. For sequences with steam generator heat removal available, Sandia calculations showed that containment pressure would rise above design pressure, but would stabilize well below the failure pressure. Steam generator heat removal requires a. full RCS inventory in a pressurized state and the availability of auxiliary feedwater. These conditions can only be fulfilled for s2 and S~ LOCAs and transients. Therefore, for these initiators, containment overpressure failure requires failure of containment systems and high pressure recirculation or auxiliary feedwater.
| |
| Event CV assesses the potential for core damage caused by the secondary effects of con-tainment failure.
| |
| A core vulnerable state is an interim state of a sequence in which cooJant makeup is successfully being supplied to the core, but containment heat removal has failed. In such cases, core damage can occur under certain conditions after containment failure.
| |
| Such scenarios could occur as follows. First, the containment fails due to the over-pressurization caused by the lost heat removal capability. Then the ECCS may fail by one or more of the following mechanisms:
| |
| * Pipe failure caused by wall movement.
| |
| * Pipe failure due to missile generation.
| |
| * Plugging of the sump.
| |
| * Loss of sump inventory.
| |
| * Insufficient net positive suction head due to loss of subcooling.
| |
| Should containment failure not produce any of these events, core cooling can be provided indefinitely. The likelihood of core damage given containment failure was estimated through an internal elicitation of the Level II analysis. The probability was calculated to be 0.02 for Surry. See Appendix A.1 of this report for the calculation of this number.
| |
| The event trees used in the first stage analysis identified all possible core damage sequences. All core damage sequences which were quantified to be greater than lE-7/yr after recovery actions had been included, were included as dominant sequences. The resultant dominant core damage sequences were input to the second stage event tree analysis, which is presented in Section 4.5. This provided a detailed containment response analysis and carried the sequences to the various plant damage states *
| |
| * 4.4-1
| |
| | |
| All of the event trees used in the first stage analysis are presented and discussed in Sections 4.4.2 through 4.4.11. These include special event trees that were used to evaluate ATWS and station. blackout. Section 4.4.1 provides a discussion of general groundrules and limitations of the event tree analysis.
| |
| 4.4.1 Groundrules and Limitations This section discusses the event tree development process used in this study to assess the potential for core damage. It also lists the important groundrules used in developing the event trees.
| |
| The small-event-tree/large-fault-tree approach was used to define the accident sequen-ces. Rather than using functional event trees in this study, Surry transient responses and prior PRAs of similar reactor types were reviewed to identify the event tree headings necessary to properly model all reactor functions. The success criteria were similarly developed from reviewing prior PRAs; (References 7-11) plant specific Surry analyses, and current Battelle and Sandia analyses.
| |
| Table 4.4-1 provides a complete list of the event tree headings and their event tree definitions.
| |
| All sequences identified as resulting in core damage were quantified using the quanti-tative results obtained from the fault trees developed in the systems analyses, as discussed in Section 4.6. All non-blackout sequences having frequencies less than lE-7/yr after the initial quantification were dropped from further consideration. All blackout sequences and all non-blackout sequences above lE-7/yr were further analyzed for poten-tial operator recovery actions, and the sequences were requantified. Non;.blackout
| |
| * sequences less than lE-7/yr and blackout sequences less than lE-9/yr after the recovery analysis were dropped from further consideration. The remaining sequences constitute .
| |
| the dominant core damage sequences. This process and the results are presented in Section 4.10.
| |
| Once the dominant core damage sequences had been identified, the event trees were expanded in the stage two analysis (see Section 4*.5) to include the containment systems responses for those particular sequences. The dominant sequences in that analysis were assigned to plant damage states in accordance with the groundrules given in Section 4*.5. The criterion for dominance in the plant damage state analysis was a cutoff frequency of lE-'Hyr.
| |
| The general groundrules that formed the basis for the event tree analyses are listed in Table 4.4-2. Additional groundrules that apply to specific event trees are described in the corresponding event tree sections of the report.
| |
| In a number of the event trees studied in the following sections, it was found that a sequence may produce conditions of a nature similar to those analyzed in some other event tree. For example, in the very small LOCA (S3) event tree, sequence 22 represents a condition in which relief valves in the RCS open and fail to reclose. This results in a leak condition very similar to that covered by the small LOCA (S2). Rather than repeat the entire s2 event tree within s3, a notation is made in s to transfer to the 3
| |
| S2 event tree for the rest of the analysis. Thus, the total frequency of sequence 22 in tne s3 event tree is added to the initiator frequency evaluated from all causes for the s2 event tree. The results obtained from that event tree effectively complete the analysis
| |
| * of the s3 event tree sequence 22 in the s2 event tree.
| |
| 4.4;..2
| |
| | |
| Table 4.4-1
| |
| * Abbr. Heading Event Tree Headings Part 1: Description of Events Description of Event A LARGE Initiating.Event (IE) - large LOCA (6" to 29")
| |
| LOCA cs CONT SYS Top level event for containment heat removal Includes CSS, JSR, and OSR system functions CV CORE VULNR Probability of core damage for core wlnerable states TOCO (the core is being cooled but containment cooling has failed)
| |
| Dl HPI Failure of charging pump system in high pressure injection mode D2 HPI Failure of charging pump system in feed and bleed D3 SEAL COOL Failure of charging pump system in seal injection flow mode D4 HPI Failure of charging pump system in emergency bora tion mode
| |
| * D.5 D6 ACC LPI Failure of accumulators in injection mode Failure of low pressure safety injection system in injection mode Hl LPR Failure of low pressure safety injection system in recirculation mode H2 HPR Failure of charging pump system in high pressure recirculation mode K RPS Failure of reactor protection system L AFW Failure of auxiliary feedwater system for transients with reactor trip L2 AFW Failure of auxiliary feedwater system for ATWS L3 AFW Auxiliary feedwater: failure of 1/3 AFW pumps to 1/2 SGs in SGTR M MFW Failure of main f eedwa ter NRl NRAC ONE HOUR Fail to recover offsite power within 1 hour NR7 NRAC SEVEN Fail to recover offsite power within 7 hours HOURS 4.4-3
| |
| | |
| Table 4.4-1 (Cont'd)
| |
| Event Tree Headings Part 1: Description of Events Abbr. Heading Description of Event
| |
| - -
| |
| 0 OPER DEPRES Operator fails to depressurize RCS during station blackout OD OPER DEPRES Operator fails to depressurize RCS during small break initiators and steam genera tor tube rupture p PRV Failure of both PORVs to open for feed and bleed Pl PRV Failure of one POR V to open for s2L sequences P2 PRV RCS pressure relief fails in response to ATWS PL PWR LEVEL Power level less than 25% of rated power Q RCI Failure of pressurizer SRV/POR V to close after transient failure of POR V to reclose after very small LOCA
| |
| * QC RCI (SI causes relief valve to open)
| |
| QS SGI Loss of steam generator integrity via a relief valve,AFW steam line, decay heat removal line, or blowdown line.
| |
| R MAN SCRAM Failure to effect manual reactor trip Sl MEDIUM IE -- medium LOCA (2" to 611)
| |
| LOCA S2 SMALL LOCA IE - small LOCA (1 /2" to 211)
| |
| S3 VERY SMALL IE -- very small LOCA (less than 1/2")
| |
| LOCA SL RCP SEAL RCP seal leakage, greater than 2 lb/sec/pump LOCA T TBT Turbine trip subsequent to ATWS Tl LOSP IE - loss of offsite power TlS SBO Station blackout T2 LOSS OF MFW IE - loss of main feedwa ter T3 TURB TRIP W/MFW IE -- turbine trip with MFW available 4.4-4
| |
| *
| |
| * Table 4.4-1 (Cont'd)
| |
| Event Tree Headings Part 1: Description of Events Abbr. Heading Description *of Event T5 LOSS OF DC IE. - loss of DC bus BUS T7 SGTR IE. - steam generator tube rupture TK ATWS Anticipated transient without reactor scram w ccw Failure of component cooHng water to thermal barriers of all reactor cooling system pumps W2 SE.AL COOL Failure to cool RCS pump seals from Unit 2 CCW FM U2 W3 RHR Residual heat removal in shutdown cooling mode z MTC UNF Presence of "unfavorable" moderator temperature
| |
| * coefficient -- critical value greater than -7 pcm/0 P Zl MTC LOW Presence of very low moderator temperature coefficient -- critical value less than -20 pcm/ 0 P
| |
| | |
| Table 4.4-1 (Cont'd)
| |
| * Event Tree Headings Part 2: Definition of Events C Less than 1/2 CSS trains taking suction from RWST and injecting into associated containment spray sparger.
| |
| Less than 1/3 high pressure injection pumps taking suction from RWST and injecting through MOV 1867 C/D into 1 of 3 RCS cold legs. Initiated by SI signal.
| |
| Same as Dp except must be initiated by operator.
| |
| Less than 1/3 charging pumps injecting through MOV 1370.
| |
| Less than 1/3 charging pumps injecting through the normal charging lines, with the boric acid transfer pumps on fast speed and MOV 13,o open, and one PORV open, within 10 minutes from initiator. SI alignment not required.
| |
| For A, less than 2/2 accumulators injecting into their associated cold legs.
| |
| For s1, less than 2/3 accumulators injecting into their associated cold legs.
| |
| Less than 1/2 LPI trains taking suction from the R WST and injecting through MOV 1890C to 1/3 RCS cold legs.
| |
| Less than 1/2 ISR trains, taking suction from the sump and injectjng through associated spray sparger, with service water being provided to the secondary side of the heat exchanger.
| |
| Less than 1/2 OSR trains, taking suction from the sump and injecting through
| |
| * associated spray sparger, with service water being provided to the secondary side of the heat exchanger.
| |
| Less than 1/2 LPR pumps taking suction from the sump and injecting to MOV l 890C, or injecting to the charging pump suction. Plus switch to hot leg recirculation at .16 hours for A and s1 LOCAs.
| |
| Less than 1/3 charging pumps taking suction from the LPR discharge and injecting through MOV 1867 C/D.
| |
| K Failure of automatic insertion of sufficient control rods to produce subcriticality at hot shutdown.
| |
| Less than 1/3 AFW pumps aelivering water- to 1/3 steam generators.
| |
| Less than 2 AFW motor driven pumps or 1 AFW turbine driven pump delivering flow to 2 of 3 steam genera tors.
| |
| Less than 1/3 AFW pumps delivering water to 1/2 steam generators.
| |
| 4.4-6
| |
| * Table 4.4-1 (Cont'd)
| |
| * Event Tree Headings Part 2: Definition of Events M Failure of at least 1 main feedwater pump delivering flow to at least one steam generator, or failure of source of water from the hotwell or CST which is sufficient for 24 hours.
| |
| p Failure of exactly 2 PORVs and associated block valves to open, initiated by manual action.
| |
| Failure of 1 of 2 PORVs and associated block valves open, initiated by manual action.
| |
| Failure of at least 3 SRVs to open, or 2 SRVs and 2 PORVs and associated block valves to open, in response to RCS pressure rise from ATWS, within 2 minutes of scram signal.
| |
| * Q Failure of pressurizer PORVs to reclose or be manually isolated after a transient.
| |
| Os For T 1-SBO, failure of a SG SRV to reclose after lifting.
| |
| For T7 , failure of SG integrity via:
| |
| * *
| |
| *
| |
| *
| |
| *
| |
| * SG SRV SG PORV Decay heat release path Steam supply to AFW turbine driven pump Blowdown line R Failure of manual reactor trip caused by pushing the manual scram control, or disconnecting power to the CRDM MG sets, within 2 minutes of initiator.
| |
| T Failure of automatic turbine stop valve closure or automatic MSIV closure or manual TSV clo~ure or manual MSIV closure within 30 seconds of failed scram signal.
| |
| w Failure of component cooling water supplied to the lower bearing heat exchanger of all reactor coolant pumps.
| |
| Failure of Unit 2 to supply HPI or CCW to the Unit 1 RCP seals following SBO at Unit 1.
| |
| Less than 1/2 RHR pumps cooled by 1/2 heat exchangers supplied to 1/2 RCS loops.
| |
| z Existence of a moderator temperature coefficient considered to be less negative than -7 pcm/°F.
| |
| Existence of a moderator temperature coefficient considered to be more negative than -20 pcm/°F.
| |
| 4.4-7
| |
| | |
| Table 4.4-2 General Event Tree And Success Criteria Groundrules
| |
| : 1. All successful sequences are carried to the point where stable hot shutdown conditions exist or stable long term cooling conditions exist. In general, sequences were terminated at 24 hours.
| |
| : 2. RCS inventory makeup is not required if RCS integrity is maintained. This implies that normal pressurizer water level is sufficient to accommodate RCS inventory shrinkage from full power to hot shutdown, or if ai:iy inventory makeup is required, the probability of failing to pr9vide it is negligible.
| |
| : 3. Boration of the reactor is not required if hot shutdown temperatures and RCS integrity are maintained*.
| |
| : 4. RCS pressure control using sprays is addressed only for small breaks and steam generator tube rupture events. RCS volume control via normal makeup and letdown is not addressed for any initiator.
| |
| : 5. CCW to the thermal barrier in the RCP lower bearing or RCP seal injection flow is sufficient to provide seal cooling. -
| |
| : 6. Operator must initiate feed and bleed by opening HPI injection valves to cold legs and connecting pump suction to RWST. An automatic actuation signal will not necessarily occur-in TML-type seqnences.
| |
| : 7. During transients with scram, primary pressure relief is assumed to never be required. This means the SR.Vs (code safeties) are never required to open.
| |
| However, pressure may rise to POR V setpoints, thus prompting a PORV opening if the POR V is not blocked. Should this happen, there is a requirement for the POR V to reclose or be isolated in order to maintain RCS integrity.
| |
| : 8. PORV demand probabilities were used as follows:
| |
| Transients from high power with loss of a DC power bus demand probability = .1 Loss of off site power demand probability = .1 Transients from high power with all instrumentation and power demand probability = 0.014 buses operable Transients from low power demand probability= 0.0 Station Blackout demand probability = 1.0 The derivation of PORV demand rate f<>r various transients was bat~a)on operating experience with Westinghouse reactors, as reported in WCAP-9804
| |
| * T2 and T3 type transients are common enough that it was possible to get sufficient PORV opening data to estimate a demand rate. For these transients, a demand rate of 4.4-8
| |
| | |
| Table 4.4-2 (Cont'd)
| |
| General Event Tree And Success Criteria Groundrules 0.014/transient was used. T5 transients were of particular interest because these transients cause loss of an instrumentation bus as well as disable various pumps and valves. For T5 type transients, very little data exists, and it was.difficult to postulate a demand rate based on actual data. Therefore, a value of .!/transient was estimated. For station blackout sequences*, the demand probability was estimated at LO', because of the unavailability of the SG-atmospheric dump valves due to loss of non-vital power. Secondary side steam relief would be through the SG safety valves. The increased cold leg temperature *in the primary would likely be enough to cause pressurizer PORV demand.
| |
| : 9. Non-isolable stuck open POR V sequences are transferred to the s2 LOCA tree.
| |
| : 10. Switchover to HPR with containment heat removal provided by sprays is required for long term heat removal after feed and bleed. The RHR system at Surry is inside containment and not qualified for use in LOCA environments.
| |
| : 11. For small or very small LOCAs, success of the containment spray system is not required to provide containment pressure suppression, containment heat removal, or containment sump water inventory. Analysis showed that blowdown and continued steaming from the RCS, natural condensation processes, and the non-safety grade fan coolers would provide sufiicient sump inventory for operation of the recirculation spray system.1
| |
| * The fan coolers are not isolated until a containment high pressure signal is reached.
| |
| : 12. During the injection phase of a LOCA, ISR and OSR pumps need subcooling of their pump suctions in order to provide adequate net positive suction head. If suction water cooling is not available, the pumps are judged to fail. ISR suction subcooling is provided by diversion of ISR flow downstream of the heat exchanger. OSR suction subcooling is provided by diversion of flow from the CSS.
| |
| : 13. Plant personnel indicated that VEPCO performed a "safety-grade" analysis which showed that only one train of the recirculation sprays (i.e., one outside train or one inside train) is necessary to provide containment heat removal. One spray train is not sufficient to meet lOCFRlOO criteria, but it will prevent containment overpressure. The one spray train criterion was used in the event tree models. If ISR succeeds, OSR is not required. In addition, OSR requires CSS during the early phase in order to meet suction subcooling net positive suction head requirements.
| |
| If CSS fails, OSR is not available.
| |
| : 14. Surry personnel indicated that MFW regulating valves close after virtually all transients above 50% power due to plant control logic. The MFW pumps (electric-driven) remain running, and MFW is available to the operator if AFW fails.
| |
| * Letter from P. Cybulskis, BCL, to F. E. Haskin, Sandia National Laboratories, "SARRP Source Term Analysis for Surry Design," July 1985.
| |
| 4.4-9
| |
| | |
| Table 4.4-2 (Cont'd)
| |
| General E.vent Tree And Success Criteria Groundrules 1.5. E.vents subsequent to loss of a DC bus are:
| |
| a) Loss of DC bus causes loss of switchgear at the associated 4160 VAC and 480 VAC buses, b) Loss of one DC bus disables one train of CLS Hi-Hi, c) Loss of one DC bus causes false CLS Hi, which causes one train of SIAS to actuate, and d) Loss of one DC bus causes reactor trip without PCS.
| |
| : 16. JSR and OSR trains were modeled to include the heat exchanger and service water to the heat exchanger. JSR and OSR start removing heat 2 and .5 minutes after a CLS Hi-Hi. In order for JSR pumps to have adequate NPSH in the early time frame, service water must be available to the associated JSR heat exchanger. In order for OSR pumps to have adequate NPSH in the early time frame, CSS must operate.
| |
| : 17. Accumulators were required for s1 because analysis could not be found to prove otherwise. The large LOCA assumption that one accumulator discharge is lost out the break is not applicable to S1.
| |
| : 18. In instances where seal injection flow is unavailable, it is also considered that feed and bleed is unavailable. The predominant cause of loss of seal injection flow is loss of HPI, which would also fail feed and bleed.
| |
| : 19. If loss of all feedwater occurs, feed and bleed operation must be utilized. Because this violates RCS integrity, seal cooling and seal LOCA questions are not asked in these sequences.
| |
| : 20. Cross-connect of any system from Unit 2 is treated in the recovery analysis.
| |
| : 21. After reactor trlp, MFW regulating valves are expected to close. AFW will receive signal to start on low SG water level. Procedures and plant personnel indicate that AFW is the preferred source of SG inventory. AFW therefore appears on the event tree before MFW (i.e., PCS).
| |
| : 22. Mitigation requirements associated with RCS overcooling are not addressed.
| |
| : 23. Seal LOCAs as initiating events, caused by local faults in one seal are included in the Sl initiator category. The break flow for this size LOCA is small enough that containment sprays will not activate as long as fan coolers are available. Charging flow is the only drain on the R WST. The S3 sequence timing assumes the reactor can be depressurized, cooled down and put in the closed cycle cooling mode before the RWST is empty, if AFW and HPI are available.
| |
| : 24. For s1 sequences, the RCS pressure at the time of recirculation is low enough that the LPR system is capable of recirculation. This is consistent with the requirement for accumulators in s1 (see /117). It was considered that if the break was large
| |
| * enough to depressurize below the accumulator injection point (600 psig) during the inltial phase of the LOCA, the RCS would be sufficiently depressurized for LPR operation by the time recirculation was required.
| |
| 4.4-10
| |
| | |
| Some of the event tree_s included in Rev. 0 of this study were found not to be necessary for this revised analysis. They are:
| |
| * T4 - Loss of AC bus
| |
| * T6 - Loss of Charging Pump Cooling Water System
| |
| * RCP seal LOCA due to loss of seal cooling In the case of T4, a subsequent change in the electrical power distribution sys~em at Surry was made such that the loss of an AC bus no longer causes a reactor trip. With regard to the loss of Charging Pump Cooling, it was concluded that this event (described in Section 4.3) also does not cause a reactor trip. With respect to the RCP seal LOCA, this event tree was used to evaluate loss of seal cooling in non station blackout events, but was eliminated. An analysis of the initiators that led to an RCP seal LOCA wlnerable condition showed only T 1 to be greater than lE-7. Application of the probability of an RCP seal LOCA reduced the initiator below lE-7 and the RCP seal LOCA event tree was deleted.
| |
| 4.4.2 T 1 (Loss of Offsite Power) Event Tree This section presents and discusses the event trees for the offsite power initiating event. This event is identified by the symbol T 1 in the event tree.
| |
| 4.4.2.1 Success Criteria Success criteria for the T1 event tree are shown in Table 4.4-3. Loss of offsite power will de-energize the normal and emergency 4160V buses, which will de-energize all lower level buses. The DC buses and the vital buses would be available, unless random failures of these buses were postulated.
| |
| The reactor protection system will de-energize, thus signaling the control rods to insert. The main feedwater and condensate system will be unavailable for the duration of the event.
| |
| The T 1 event will affect both Unit l and Unit 2. Should DG 2 (dedicated to Unit 2) fail to start or run, DG 3 would be aligned to Unit 2, thereby making it unavailable for Unit
| |
| : 1. In the event that both DG l and DG 2 fail to start, DG 3 was always assumed to align to Unit 2. Sequences in which DG l was unavailable and DG 3 was either unavailable or aligned to Unit 2 were evaluated using a separate station blackout (SBO) event tree. The primary purpose of the SBO event trees is to facilitate the modeling and timing of events including operator actions and AC power recovery.
| |
| The four primary functions required in response to T 1 ace reactor scram, primary system integrity, auxiliary feedwater, and RCP seal cooling. If all these functions are provided, the transient is mitigated at a very early stage. Failure to provide reactor scram transfers to the ATWS tree. Failure of PORVs to reclose transfers to the S2 LOCA tree. Failure to provide RCP seal cooling results in a seal wlnerable condition which is evaluated separately.
| |
| Failure to provide AFW leads to a demand for "feed and bleed" cooling. For feed and bleed, failure to provide charging flow and open two POR Vs lec:1ds to core damage.
| |
| Successful feed and bleed cooling leads to demand for containment systems and coolant recirculation systems. These sequences are developed on the tree.
| |
| 4.4-11
| |
| | |
| Table 4.4-3 T1 TRANSIENT SUCCESS CRITERIA
| |
| | |
| ==SUMMARY==
| |
| INFORMATION INITIATOR: T1 - LOSP CONTAINMENT CONTAINMENT REACT~ CORE HEAT RCS PRESSURE SUPPRESSION CORE HEAT PRESSURE SUPPRESSION SUBCRITICALITY REMOVAL, EARLY INTEGRITY EARLY REMOVAL, LATE LATE COMMENTS RPS 1/3 AFW Pumps 1/3 Charging Pump 1/2 css 1/3 HPR 1/2 ISR and SWS I
| |
| * OSR needs CSS
| |
| ~ In Seal Injection OR and to associated HX In Injection 1/3 Charging Pumps and 1/2 ISR and SWS 1/2 LPR OR to provide and PORV Reclose to associated 1/2 OSR and SWS NPSH.
| |
| 2 PORVs Open ( If opened) CSR HX to associated HX
| |
| ( In Feed OR 2. ISR needs SWS and Bleed>'" CCW to R~ In Inject Ion Thermal Barrier In to provide all R~ ,~PSH.
| |
| and PORV Reclose 3. Secondary steam (If opened) rel let assumed aval Iable.
| |
| : 4. AFW to I SG sufficient
| |
| : 5. No RCS Pressure safe-ty rellef required If scram. How~ver, PORV may open.
| |
| : 6. Fallure of RCS Integrity goes to s *tree.
| |
| 2
| |
| : 7. If AFW and RCS Integrity are provided, con-tainment heat removal and core heat removal late are not required.
| |
| * 4~4.2.2 Discu~ion of Sequences The event trees for T1 are shown in Figures 4.4-1 through 4.4-3. The event trees do not use the traditional WASH-1400 graphic conv~ntions for indicating decision points.
| |
| Decision points are indicated by a vertical drop. The success path is. represented by a straight line with the failure path dropping vertically below the straight line at the leading edge of the ev.ent. A straight line through the event with no choice indicates a question was not asked. Important functional and phenomenological dependencies as well as groundrules and limitations are stated in the general groundrules found in Table 4~4-2.
| |
| Three different event trees were used to evaluate the loss of offsite power initiating event:
| |
| * LOSP (assumes at least one diesel available at Unit 1)
| |
| * SBO at Unit 1
| |
| * SBO at both units The diesel generator conditions associated with each event tree are shown in Table 4.4-4.
| |
| The T 1 event tree represents sequences where at least one diesel is available at Unit 1.
| |
| Sequence 1 represents successful mitigation of the initiator; diesel generators start, auxiliary feedwa ter is available, and the charging system provides seal injection flow to the RCP seals. The plant is in a stable condition and attention can be directed to restoration of the offsite power. Sequence 2 is similar to 1, except that seal injection flow from the charging system is unavailable. RCP seal cooling is provided by CCW to the thermal barrier heat exchangers. Sequence 3 represents a condition with no seal cooling available. Both CCW to the thermal barriers and seal injection flow have failed. Auxiliary feedwater is available, however, and all essential safety functions are being provided at the time seal cooling is lost. This represents a seal vulnerable condition and is handled with the seal LOCA model. The RCP seal LOCA model is detailed in Appendix D.5. Sequence quantification (Section 4.10) indicated that there are no significant contributors to the T1D 3W state that do not involve loss of all AC power.
| |
| Those events are handled through the station blackout quantification. Combinations of failures involving component failures or partial power failures, combined with component failures make no significant contribution to the T1D 3W seal vulnerable state.
| |
| Sequence 4 represents failure of all steam generator heat removal, but successful core cooling via feed and bleed, using one charging pump and opening of both PORVs. ECCS recirculation from the sump and successful operation of the containment spray recircu-lation heat exchangers provide long term cooling. Sequen~es 5 and 6 lead to core damage through the failure to provide long term feed and bleed cooling in the recirculation mode. Sequence 5 is due to failure of the high pressure recirculation system, and Sequence 6 is due to failure of the low pressure recirculation system.
| |
| Sequences 7 through 10 represent the occurrence of a core vulnerable state and its pos-sible outcomes. A core vulnerable state occurs when containment heat removal fails after feed and bleed is initiated. Coolant makeup to the core is being provided and heat is being removed from the RCS through the PORVs. However, containment heat removal (CHR) has failed, thereby leading to gradual containment pressure increase. Should the containment pressure increase continue, unmitigated by containment venting or restoration of CHR systems, containment overpressure failure will occur. Events occurring during containment failure could cause failure of ECCS systems, which in turn would lead to core damage. This is represented by Sequence 10. Sequence 7 represents containment failure, but survival of the ECCS and continued core cooling. Sequences 8 4.4-13
| |
| | |
| --- -
| |
| LOSP RPS RCI AFW SEAL ccw HPI PRV CONT CORE LPR HPR COOL SYS VULNR TO CD T1 *K -Q *L -03 -w -02 *P -cs -cv *H1 *H2 Sequence I CORE I COMMENTS I
| |
| : 1. T1 OK I 2. T1*03 OK I 3. T1*03*W SEAL VULN
| |
| : 4. T1*L OK I I 5.
| |
| 6.
| |
| T1*L*H2 T1*L*H1 CM CM
| |
| : 7. T1*L*CS OK
| |
| ,. I I 8.
| |
| 9.
| |
| T1*L*CS*H2 T1*L*CS*H1 CM CM
| |
| .......t ~ 0.
| |
| i 1.
| |
| T1*L*CS*CV T1*L*P CM CM
| |
| : 12. T1*L*02 CM i 3. T1-Q GO TO S2
| |
| : 14. T1 *K GO TO ATWS Figure 4.4.:.1 Event Tree for T1 -
| |
| Loss of Offsite Power
| |
| | |
| SBO NRAC- RCI SGI Af\.l
| |
| * NRAC- SEAL OPER. RCP NRAC- NRAC-
| |
| * AT HALF ONE COOL DPRES SEAL SEAL SEVEN UNIT1 HOUR HOUR FM U2 LOCA LOCA HOURS T1S - Q- QS- L NR1 W2- o- SL- NRS NR7 Sequence I CORE I
| |
| : 1. T1S OK I 2. T1S- OK I
| |
| I I
| |
| : 3. T1S-NR7
| |
| : 4. T1s-wi-CM OK I I
| |
| : 5. T1S-W2-NR7
| |
| : 6. T1S-W2-SL*
| |
| CM OK
| |
| : 7. T1S-W2*SL-NRS CM
| |
| : 8. T1S-M2 OK I
| |
| I I
| |
| : 9. T1S-W2-0-NR7 1O. T1S-W2-0*SL*
| |
| CM OK
| |
| : 11. T1S-W2-0-SL-NRS CM
| |
| : 12. T1S-L CM
| |
| : 13. T1S-QS- OK I
| |
| I I
| |
| : 14. T1S-QS-NR7
| |
| ,
| |
| : 15. T1S-QS*W2-CM OK I I
| |
| : 6. T1S-QS-W2*NR7
| |
| : 17. T1S-QS-W2-SL-CM OK
| |
| : 18. T1S-QS-l.J2-SL-NRS CM
| |
| : 19. T1S-QS*L CM
| |
| .,O. T1S-Q- OK
| |
| ?,
| |
| I 1. T1S*Q*NR1 CM
| |
| -.,
| |
| -, 2. T1S-Q-L CM
| |
| : 3. T1S-Q-QS- OK I .,4. T1S-Q-QS-NR1 CM
| |
| -
| |
| ., 5. T1S-Q-QS-L CM Figure 4.4-2 Event Tree for Tis -
| |
| Station Blackout at Unit 1
| |
| | |
| SBO NRAC- RCI SGI AFW NRAC- OPER. RCP NRAC- NRAC-BOTH HALF TDP ONE DPRES SEAL SEAL SEVEN UNITS HOUR FM U1 HOUR LOCA LOCA HOURS T1S - Q- QS- L NR1 o- SL- NRS NR7 Sequence I CORE I
| |
| : 1. T1S OK I 2. T1S- OK I
| |
| I I
| |
| : 3. T1S-NR7
| |
| : 4. T1S-SL-CM OK
| |
| : 5. T1S-SL-NRS CM
| |
| : 6. T1S-O- OK I
| |
| I I
| |
| : 7. T1S-O-NR7
| |
| : 8. T1S-O-SL-CM OK
| |
| : 9. T1S-O-SL-NRS CM 1o. T1S-L CM 11
| |
| * T1S-QS- OK I
| |
| I I 12.
| |
| 13.
| |
| 14.
| |
| T1S-QS-NR7 T1S-QS-SL-T1S-QS-SL-NRS CM OK CM
| |
| : 15. T1S-QS-L CM
| |
| : 16. T1S-Q- OK I 17. T1S-Q-NR1 CM
| |
| : 18. T1S-Q-L CM I ., o. T1S-Q-QS-19.
| |
| T1S-Q-QS-NR1 OK CM
| |
| ., 1. T1S-Q-QS-L CM Figure 4.4-3 Event Tree for Tis -
| |
| * Station Blackout at Both Units
| |
| | |
| Table 4.4-4 LOSP/SBO Analysis Cases
| |
| * DG /11 DG 112 Unit /I DG /13 State LOSP Condition SBO@
| |
| Unit 1 SBO@
| |
| Both Units s s X s F 2 s X s F NA F X s F NA M X s M 2 s X s M NA F X F s 1 s X F s NA F X F s NA M X F F 2 s X F F NA F X F F NA M X F M 2 s X F M NA F X M s 1 s X M s NA F X M F 2 s X M F NA F X Notes:
| |
| F DG fails to start or fails to run M - DG out for maintenance S Success NA - Not applicable Power status at Unit 2 was of interest only to determine the availability of cross connectable systems. Assessment of the probability of core damage at Unit 2 was not done *
| |
| * 4 4-17
| |
| | |
| and 9 represent containment failure, followed by ECCS failure dtie to causes other than containment failure.
| |
| Sequence 11 represents failure of steam generator heat removal followed by failure to establish feed and bleed cooling, due to failure to open both PORVs. Sequence 12 is similar to 11, except feed and bleed core cooling fails due to failure to establish safety injection flow with the charging system. Sequence 13 represents transient induced LOCAs caused by a transient related POR V demand, followed by failµre to reclose PORV. This condition transfers to the s2 event tree for further evaluation.
| |
| Sequence 14 is an ATWS condition and transfers to the ATWS tree for further evaluation.
| |
| Station blackout (SBO) was evaluated with separate event trees, because of the pheno-menology and special events that can occur during an SBO. These are discussed here as a prelude to the detailed discussion of each sequence. The important considerations during a station .blackout are the preservaton of RCS inventory, the controlled supply of feed-water to the steam generators, and the extension of battery life as long as possible~
| |
| These considerations, as they apply to the Surry plant, are discussed below.
| |
| RCP* Seal LOCA - The RCP seal LOCA model in Reference 40 was used to develop Surry-specific leak rates, probabilities~ and times to seal failure. The model predicts two dominant seal failure scenarios. The dominant path predicts a 250 gpm leak developing in each pump at 1 1/2 hours after loss of all seal cooling. This path has a probability of
| |
| .53. The next most dominant path has a probability of .13. This path is a 61 gpm leak developing in each pump at 1 1/2 hours, growing to a 250 gpm leak at 2 1/2 hours (after loss of seal cooling). There is also a .27 probability of limited leakage in each pump throughout the entire loss of cooling event. Limited leakage is defined as less than 21 gpm per pump. This is considered a success state with respect to seal leakage, because 21 gpm per pump can be tolerated throughout the SBO event without causing core uncovery. All other seal leak sequences combine to account for 7%. The development of this model is presented in Appendix D of this report. RCP seal LOCA will cause core uncovery unless safety injection flow is restored within a requisite time. Time to core uncovery depends on the. leak size. Times to core uncovery for each le~k path are also developed in Appendix D.
| |
| RCS Cooldown *and
| |
| * Depressurization - The emergency opera ting procedures at Surry direct the operators to cooldown and depressurize the RCS in a long-term station blackout. Depressurization serves the dual purpose of reducing the risk of seal LOCA, due to reduced pressure and temperature on the seals, and reducing RCS leak rate, should
| |
| * any leak paths develop. The time at which cooldown and depressurization should be initiated and the rate at which it would proceed are not specified in the emergency procedures, other than to limit the cooldown to less than 50°r' /hour. Discussions with the Surry operations staff indicate that one hour after the initiating event is a reasonable estimate for the start of cooldown.
| |
| Cooldown at Surry is to be accomplished by manual line up of valves in the steam system to allow bypass of the MSIVs, a controlled blowdown of steam into the main condenser, and a venting of the condenser to the atmosphere. This line up will take on the order of 20-30 minutes to accomplish.
| |
| * After cooldown is started, depressurization of the RCS will occur as a natural process, resulting from the decrease in specific volume of the RCS inventory as the average RCS temperature decreases. Depressurization will be aided by inventory loss due to normal leakage through the RCP seals. Significant depressurization will not occur before 2 to 3 4.4-18
| |
| | |
| hours. Because of the predicted seal response to loss of cooling, this timing for depressurization is not early enough to provide any significant benefit to the seals. The
| |
| * seal LOCA model development (Ref. 40) does not predict benefit from depressurization until approximately 4 hours, at which time there is already a high probability of seal failure. Thus, in the station blackout modeling, RCS cooldown and depressurization was not considered to have any impact on the development of seal LOCAs. RCS depressurization did however, have an effect on the allowed time to recover AC power.
| |
| Depressurization would reduce the RCS outflow and thus extend the time to core uncovery. This effect was included in the SBC modeling.
| |
| PORV Demand and RCS Integrity - An important function to provide during station blackout is to preserve RCS inventory until AC power can be restored. A PORV which fails to reclose after a demand represents a LOCA. This path is particularly important at Surry due to the high PORV demand probability during a SBO. PORV demand is expec-ted to occur during SBO due to the method of steam generator heat removal. The steam generator atmospheric relief valves at Surry are not supplied with emergency power.
| |
| They are powered by a semi-vital bus, which will be de-energized in the event of an SBO. Steam relief from the steam generators will be from the safety valves, which operate at a higher pressure than the atmospheric relief valves. Thus the SG water temperature will increase, which in turn will lead to an increase. in RCS cold leg temperature. This will in turn lead to an RCS pressure rise which will likely cause a PORV demand.
| |
| Secondary Side lntefity - As discussed in the PORV section, the atmospheric relief valves at Surry will e inoperable in a station blackout due to unavailability of control power. Steam relief will be through the safety valves. Should they fail to reclose, it will produce an uncontrolled depressurization in one steam generator. One SV on each SG
| |
| * was estimated to open every 20 minutes for one hour, when manual alignment of steam relief would be in place. This is a total of 9 safety valve demands.
| |
| Due to particular design features at Surry, the faulted SG was considered to not be isolable during a SBO. AFW to the faulted SG can not be isolated because the AFW level control valves to each individual SG are inside containment. In a SBC, they would remain in an open position. No credit was allowed for entry into the Surry containment during an SBC.
| |
| The sequence of events after a faulted SG was considered. The SG with the stuck open valve would depressurize, causing an overcooling transient. Flow to the faulted SG from the turbine driven (TD) pump would increase, limited by cavitating venturis in the AFW line. The faulted SG would be fed preferentially to the good SGs due to the pressure difference. The overcooling transient was not considered capable of causing recriticality, due to the expected dump of the accumulators should the RCS pressure decrease below 600 psig. Recriticality would not be an expected problem until the temperature was down to the mid 300°F range. A cooldown of this magnitude would be accompanied by a RCS depressurization due to inventory shrinkage. Accumulator dump will occur at 600 psi, thereby providing sufficient boron injection to maintain subcriticali ty.
| |
| The faulted SG would lead to higher than expeded AFW use and the operator would need to manually align the backup condensate source to the primary CST in order to ensure continued AFW supply. As the transient continued, the opera tor could throttle the TD feedwater pump and thus reduce the severity of the transient. Throttling of the AFW
| |
| * pump would be done to prevent SG overfill, but on the other hand, the SG tubes must remain covered.
| |
| 4.4-19
| |
| | |
| Steam supply to the TD pump would be maintained by the good steam genera tors. The steam lines from each SG to the TD pump are headered together, with check valves in each steam line. In the event of a faulted SG, the pressure in the steam lines of the two
| |
| .good SG would backseat the check valve and provide a high pressure source of steam for th~ TD pump *. Although the good SGs would receive little flow from the TD pump, after the RCS cooled down below the SG water temperature, there would be no outflow from the good SGs, other than steam flow to the TD pump, which is a minimal drain on the inventory.
| |
| In sequences with a faulted SG, two potential interactions were identified but ultimately could not be quantified. They were a) that a faulted SG may cause rapid primary system depressuriz~tion which may lead to an extended RCP seal life, and b) that core uncovery may occur sooner than three_ hours after battery depletion if one SG was faulted.
| |
| During the development of the seal LOCA model, specific depressurization rates were not aviimJ>le for inclusion in the model. Opinions were elicited from a panel of experts and all considered that substantial cooldown and depressurization would need to occur in order to significantly improve seal performance. The expected .depressur iza-tion rates for the faulted SG scenario are not considered sufficient to provide the necessary amount of pressure and temperature reduction_ to make a significant impact on seal performance. It was ~oncluded that the level of discrimination in the models was not sufficient to support quantification of this interaction. The potential impact of including this interaction would be to lower the probability of seal LOCA, and thus lower the seai LOCA core damage frequency. However, the frequency of the long term battery depletion sequence would be increased.
| |
| Quantification of the second potential interaction was similarly difficult. The selection of three hours as a reasonable time period between loss of DC power and AC power restoration is largely subjective and is subject to considerable uncertainty. Modeling of this interaction would tend to decrease the allowable time for AC power restoration, and thus increase the core damage frequency.
| |
| The two excluded interactions would tend to cancel each other if they were to be modeled. An estimate was made that if both of these interactions were included at their maximum effectiveness, there would be no overall increase in total core damage frequency, although long term battery depletion would be favored over seal LOCA.
| |
| Battery Depletion - A critical event for timing purposes in SBO evaluation is battery depletion. The batteries at Surry are designed for a two hour load discharge in post LOCA conditions. This was considered a nominal starting point for estimation of depletion time for the SBO sequences. Battery depletion time could be extended with shedding of nonessential loads from the bus. Specific procedures for load shedding are not in place in Surry, so it was difficult to quantify the advantage gained from this practice. Discussions with Surry operations staff led to the agreement that four hours was a reasonable time to expect battery depletion in an SBO sequence. Depletion of the vital batteries will leave the plant with no instrumentation or control power. Although manual control and operation of the turbine driven AFW pump is possible without DC power, the lack of instrumentation in the RCS or the steam generators would ultimately limit the ability to maintain core cooling. It was estimated that an additional three hours would be available to restore AC power after battery depletion in order to prevent
| |
| * core uncovery.
| |
| 4.4-20
| |
| * Operation of the bus feeder breakers in the absence of DC power was examined*. The bus breakers will remain as is upon the loss of DC power*. Manual operation of the breakers is possible through the use of spring loaded jacking mechanisms~ Al though the absence of DC power would complicate the recovery of AC power, the additional time required to operate the breakers manually is small compared to the uncertainty in the three hour period from battery depletion to core uncovery.
| |
| The event tree for a Unit 1 station blackout is shown in Figure 4.4-2. This event tree is used to evaluate those situations where Unit 1 has no AC power, but Unit 2 is supplied by one operable diesel. This diesel could be DG 2, supplying the H bus or DG 3 supplying the J bus. For quantification purposes, it was assumed the H bus was operable. No power asymmetries were identifed which would invalidate this practice~
| |
| The functional requirements for mitigation of this event are the same as for other transients. Entry into this event tree presumes reactor scram is successful. ATWS events are addressed in the T 1 event tree. The first sequence represents restoration of AC power to the plant buses within 30 minutes. Thirty minutes is used because it is the time required to deplete SG inventory to unacceptable* levels if AFW is unavailable.
| |
| Conversely, it can be presumed that failure to provide any safety functions (except subcriticality) for the first thirty minutes after a loss of offsite power will not lead to core damage. Restoration of power within 30 minutes can result in successful mitigation of the transient, regardless of other failures in that time period.
| |
| Sequence 2 represents successful mitigation of a long term station blackout. The pressurizer PORV recloses, thus maintaining RCS integrity. The steam generator safety valves reclose, thus maintalning steam genera tor inventory. The turbine driven AFW pump starts and provides makeup to the steam generators. RCP seal cooling from Unit 2 is provided via seal injection flow from the Unit 2" charging system or CCW to the thermal barrier from the operable CCW pump.
| |
| The Unit 2 charging system and CCW depend on service water as a heat sink. The Surry service water system is a gravity flow system. A 45 million gallon intake canal supplies the service water loads, with the largest load being the main condensers (400,000 gpm per condenser). In the event of blackout at both units, there is no power to refill the intake canal or to isolate the four main condensers (two per unit). This leads to a conservative estimate of canal drainage in 30 minutes. If the SBO occurs at only one unit, canal drain time increases to one hour. Availability of seal cooling from Unit 2
| |
| . considers the unavailability of systems at Unit 2 due to insufficient water level in the intake canal.
| |
| RCS depressurization in sequence 2 is inconsequential because a seal LOCA is averted, due to the provision of seal cooling from Unit 2. Seal LOCAs are similarly not questioned because of successful seal cooling from Unit 2. The *final heading questions successful restoration of AC power within seven hours. Sequence 2 represents successful recovery of offsite AC power prior to battery depletion and core uncovery. Sequence 3 represents failure to recover AC power in seven hours. Core uncovery is due to loss of SG heat removal due to inability to adequately control AFW.
| |
| Sequences 4 through 11 delineate possible sequence outcomes when seal cooling from Unit 2 is unavailable. Failure of s~al cooling can be due to human error, component failure or insufficient canal inventory to provide service water. Sequence 4- represents successful cooldown and depressurization of the RCS, successful functioning of the seals (i.e., leakage is limited to 21 gpm per pump) and recovery of offsite AC power prior to seven hours. Sequence .5 represents successful functioning of the seals but failure to 4.4-21
| |
| | |
| recover offsite AC power within seven hours. Sequence 6 represents restoration of offsite AC power prior to core uncovery caused by a seal LOCA~ This sequence includes two dif fer~nt success states. One state is where Ac;, power is restored prior to onset of a seal LOCA, and thus the need for SI flow is avoided. The other is one in which AC power is not restored prior to a seal LO~A, a seal LOCA occurs*, but AC power (and HPI flow) is restored prior to core uncovery. Sequence 7 is a seal LOCA with failure to recover offsite AC power pri~r to core uncovery~ The headings .are stated in terms of non-recovery of AC power. Successful mitigation also requires the restoration of HPI flow.
| |
| However, as shown in Appendix D, of this report, the non-recovery probability for AC power dominates over the failure probabilities due to human error and equipment failure.
| |
| Sequences 8 through 11 are analogous to Sequences 4 through 7, except that the RCS has remained at high pressure throughout the sequence. Failure to depressurize can be due to operator error or equipment failure. The only impact on the sequence progression is that in the event of a seal LOCA, core uncovery occurs sooner, and thus the time to AC power recovery is smaller, and non-recovery probabilities are higher. Thus, the value for NRS success in Sequence 7 is lower than the value for NRS in Sequence 11.
| |
| Sequence 12 represents the failure of auxiliary feedwater to be available. The event tree was structured to question initial unavailability. If AFW is not* available, degraded SG heat removal requires the initiation of feed and bleed by 3.5 minutes. This timing was based on the Westinghouse EPG analysis. Recovery of AC power beyond a half hour, leaves insufficient time to initiate feed and bleed cooling to avoid core uncovery.
| |
| Longer term recovery for other failures, such as failure of the AFW turbine driven pump to run, were included on an individual cut set basis in the recovery analysis. Sequences 13 through 19 involve the loss of steam generator secondary side integrity due to the
| |
| * sticking open of a steam generator safety valve. This event was considered to have two potential impacts on sequence delineation. One is that blowdown through the faulted SG will cause increased TD pump flow, thereby causing faster depletion of CST-Tank 1A. In order to assure a continued supply of condensate for the potential .5 hour duration of the turbine-driven pump, operators must manually line up CST-Tank 2 to Tank lA. The other impact is that in the event of a faulted SG and failure of the auxiliary feedwater pump at Unit 1, no credit for recovery of AFW from Unit 2 was allowed. Sequence 13 represents successful mitigation of the SBO, including the faulted SG. Long term AFW is provided, along with seal cooling from Unit 2. Sequence 14 is a long term, depressurized sequence with failure to recover AC power prior to seven hours.
| |
| Sequences 1.5 and 16 represent failure to provide seal cooling from Unit 2, but avoidance of a seal LOCA. Operator depressurization is not asked because the faulted SG automatically provides RCS cooldown. As discussed previously, the standard seal LOCA model and battery depletion models were used in these sequences. Sequence 1.5 represents recovery of AC power prior to a seal LOCA. Sequence 16 represents avoidance of a seal LOCA, but failure to recover AC power in seven hours. Sequence 17 is recovery of AC power prior to, or within an allowable time after a seal LOCA.
| |
| Sequence 18 is occurrence of a seal LOCA and failure to recover offsite power prior to core uncovery. Sequence 19 represents loss of steam genera tor integrity and simultaneous loss of auxiliary feedwa ter. No recovery actions of any type were considered for this sequence due to the complexity of SG inventory control in this sequence. Sequences 20 through 2.5 represent a stuck open pressurizer PORV. As previously discussed, the PORV demand probability for station blackout is 1.0, due to the unavailability of the SG atmospheric dump valves. Should a PORV fail to reclose, it is not isolable until AC power is restored to the block valve. If AC power is restored and the block valve is closed, the LOCA is terminated. Sequence 20 represents this scenario.
| |
| Sequence 21 represents failure to restore AC power and isolate the block valve prior to 4.4-22
| |
| | |
| ,
| |
| * core uncovery. Sequence 22 represents a stuck open POR V combined with a simultaneous
| |
| _ _ loss of auxiliary feed}Vater. These events combinJLto reduce the allo_wable_recover.y.:_time_
| |
| to less than 1/2 hour. Sequences 24 and 25 are similar to 21 and 22, except for the additional failure of the steam generator safety valve to reclose.
| |
| Two Unit Station Blackout - The event tree for station blackout at both units is shown in Figure 4.4-3. This condition is caused by unavailability of all three diesel generators upon loss of offsite power. The dual unit blackout tree differs from a single unit blackout tree only in that seal cooling from Unit 2 is not on the tree. Due to the unavailability of AC power at Unit 2, CCW and seal injection flow are not available from Unit 2.
| |
| 4.4.3 T 2 (Loss of Main Feedwater) Event Tree This section presents and discusses the event tree for the loss of main feedwater initiating event. This event is identified by the symbol T2 in the event tree.
| |
| 4.'1.3.1 Success Criteria Success criteria for the T 2 event tree are shown in Table 4.4-5.
| |
| Loss of main feedwater results in low steam generator water level, which causes demand for a reactor scram, as well as a signal for AFW to start. POR V demand for this class of initiators is considered to be a random occurrence, due to degraded control system performance or degraded balance of plant (BOP) component performance. The probability of PORV demand was assigned a value of .014 for high power initiators only, based on historical Westinghouse experience.
| |
| The four primary functions required in response to T are reactor scram, primary system 2
| |
| integrity, auxiliary feedwater, and RCP seal coolmg. If all of these functions are provided, the transient is mitigated at a very early stage. Failure to provide reactor scram transfers to the ATWS tree. Failure of POR Vs to reclose transfers fo the s2 LOCA tree. Failure to provide RCP seal cooling is a seal vulnerable condition.
| |
| Failure to provide AFW leads to a demand for "feed and bleed" cooling. For feed and bleed, failure to provide charging flow and to open two PORVs leads to core damage.
| |
| Successful feed and bleed- cooling leads to a demand for containment heat removal systems and reactor coQlant recirculation systems. These sequences are developed on the event tree.
| |
| 4.4.3.2 Discussion of Sequences The event tree for T2 is shown in Figure 4.4-4. The important functional and phenomenological depenclencies as well as groundrules and limitations are stated in the general groundrules found in Table 4.4-2.
| |
| The first sequence represents successful stabilizati.on of the reactor at hot shutdown. If reactor scram is successful, AFW starts and provides water to at least one of three steam generators. Heat removal is through the atmospheric dump valves as the initiating event is considered to have failed the power conversion system. Seal cooling is provided by seal injection flow. At this juncture in the tree, the reactor is stable in hot
| |
| * shutdown. This is considered successful termination of the initiator, and no further system availability questions are asked. Sequence 2 is also a success state, with seal cooling being provided by CCW to the thermal barrier. Sequence 3 is a seal vulner~l:;>le 4.4-23
| |
| | |
| Table 4.4-5 T2 TRANSIENT SUCCESS CRITERIA
| |
| | |
| ==SUMMARY==
| |
| INFORMATION INITIATOR: T2 - Loss MFW CONTA1NMENT CONTA1NMENT REACTOR CORE HEAT RCS PRESSURE SUPPRESS10N, CORE HEAT PRESSURE SUPPRESS10N, SUBCR1T1CAL1TY REMOVAL, EARLY 1NTEGR1TY EARLY REMOVAL, LATE LATE COMMENTS RPS 1/3 AFW Pumps 1/3 Charging Pump 1/2 css 1/3 I-PR 1/2 1SR and SWS .1. OSR needs CSS OR In Seal 1nJectlon OR and to assoc I ated HX In Injection 1/3 Charg*lng Pumps and 1/2 1SR and SWS 1/2 LPR OR. to provide and PORV Reclose to associated 1/2 OSR and SWS NPSH.
| |
| 2 PORVs Open (If opened) CSR HX to associated HX (In Feed . OR 2. 1SR needs SWS and Bleed) CCW to RCP In I nJect Ion Thermal Barrier In to provide al I RCP NPS*H.
| |
| and PORV Reclose 3. Secondary steam
| |
| ( If opened) re 11 ef assumed aval lable.
| |
| : 4. AFW to 1 SG sufficient
| |
| : 5. No RCS Pressure rel lef required If scram. However PORV may open.
| |
| : 6. Failure of RCS Integrity goes to s2 *
| |
| : 7. 1f AFW and RCS Integrity are provided, con-talnment heat removal and core heat removal late are not required.
| |
| | |
| I
| |
| *
| |
| * I LOSS RPS RCI AFW SEAL ccw HPI PRV CONT CORE LPR HPR OF COOL SYS VULNR MFW TO CD I T2 -K -Q -L -D3 -w -D2 -P -cs -CV -H1 -H2 Sequence I CORE I COMMENTS I 1
| |
| * T2 OK I 2. T2-D3 OK I 3. T2-D3-W SEAL VULN
| |
| : 4. T2-L OK I
| |
| I 5. T2-L-H2
| |
| : 6. T2-L-H1 CM CM
| |
| : 7. T2-L-CS OK I
| |
| I 8. T2-L-CS-H2
| |
| : 9. T2-L-CS-H1 CM CM
| |
| : 10. T2-L-CS-CV CM 1 1
| |
| * T2-L-P CM i
| |
| : 12. T2-L-D2 CM
| |
| : 13. T2-Q GO TO S2 I
| |
| : 14. T2-K GO TO ATWS Figure 4.4-4 Event Tree for T 2 -
| |
| Loss of Main Feedwater
| |
| | |
| condition. All critical safety functions are being provided, but RCP seal cooling is not available. The potential for this sequence to lead to core damage depends on the susceptibilit9' of the seals to failure after loss of all cooling and potential recovery options to restore seal cooling prior to seal failure. The seal failure evaluation will be done on an individual sequence basis, should the quantification show this state to be important.
| |
| Sequence 4 represents loss of auxiliary feedwater, but successful feed and bleed cooling, using containment heat removal systems and reactor coolant recirculation systems. Long term feed and bleed cooling requires high pressure coolant recirculation. Sequence 5 represents core damage due to failure to provide high pressure recirculation for long term cooling. Sequence 6 is similar to 5, except that the low pressure recirculation systems are unavailable.
| |
| Sequences 7 through 10 represent successful feed and bleed cooling, but failure of containment heat removal. In Sequence 7, containment failure does not lead to structural or phenomenological failure of the ECCS and core cooling is successful.
| |
| Sequences 8 and 9 represent ECCS survival of the containment failure, but failure due to random other causes. Sequence 10 represents ECCS failure due to containment failure.
| |
| Thus, Sequence 10 represents containment failure prior to core damage.
| |
| Sequences 11 and 12 represent failure to initiate feed and bleed cooling after loss of a:uxiliary feedwater. In Sequence U, feed and bleed fails due to failure of 2 of 2 PORVs to open, while in Sequence 12, feed and bleed fails due to failure to establish safety .
| |
| injection flow.
| |
| Sequence 13 is a transient induced LOCA, which transfers to the S tree for further
| |
| * evaluation; and Sequence 14 is ATWS, which transfers to the A TW~ tree for further evaluation.
| |
| 4.4.4 T 3 (Turbine Trip with MFW Available) Event Tree This section presents and discusses the event tree for the turbine trip initiating event group in which the main feedwater remains available. Transients in which one or both MFW pumps remain available are considered. This event is identified by the symbol T 3 in the event tree.
| |
| 4.4.4.1 Success Criteria Success criteria for the T 3 event tree are shown in Table 4.4-6.
| |
| This initiating event group represents a turbine trip, followed by a demand for reactor trip. PORV demand for this class of initiators is considered to be a random occurrence, due to degraded control system performance or degraded balance of plant component performance. The probability of PORV demand was assigned a value of .014, for high power initiators only, based on historical Westinghouse experience.
| |
| The MFW control system at Surry is such that if the reactor trip breakers are closed and TAVE is less than .543°F, the main feedwater regulating valves will close, the miniflow lines will open, and the MFW pumps will stay on. This was judged to be the course of all T 3 initiating events. Although the MFW pumps are isolated from the steam generators, ttiey remain a viable source of SG inventory makeup, should AFW be unavailable. AFW is the preferred source of SG makeup, but MFW pumps can easily be used by opening the feedwater regulating valve bypass valve. Because AFW is the preferred source of SG makeup, it appears on the tree before main feedwater.
| |
| 4.4...26
| |
| | |
| ble 4.4-6 T3 TRANSIENT sue CRITERIA
| |
| | |
| ==SUMMARY==
| |
| INFORMATION INITIATOR: Turbine Trip with MFW available, T3 CONTMNMENT CONTAn NMENT REACTOR CORE HEAT RCS PRESSURE SUPPRESS~ON, CORE HEAT PRESSURE SUPPRESS~ON, SUBCR1T1CAL1TY REMOVAL, EARLY 1NTEGR1TY EARLY REMOVAL, LATE LATE . COMMENTS RPS 1/3 AFWP Any Open PORVs 1/2 css 1/3 HPR 1/2 ~SR and 1. PORVs chat te'nged I
| |
| OR Rectose OR and sws to at rate of 11/70 1/2MFW ELSE 1/2 1SRand SWS 1/2 LPR Associated transients fpr T1*
| |
| OR Transfer to to Associated HX '
| |
| I 1/3 Charging s2 Event CSR HX OR 2. Comments 1-7 for 1
| |
| Pump Tree 1/20SR for T1 appty to 1
| |
| and RCP Seal tn1'egrl1y and SWS this lnltlatrr*
| |
| 2 PORVs Open 1/3 Charging to Associated
| |
| . I
| |
| ( In Feed and Pump In HX 3. Core heat rer:noval, Bleed) Seat 1njectlon late and containment I
| |
| Flow atmospheric heat OR removal are ~equlred I
| |
| CCW to Thermal only when feed and I
| |
| Barrier of At I bleed Is demanded RCPs or RCS Integrity I
| |
| Is lost. 1 I
| |
| I iI
| |
| | |
| Four primary functions were required to successfully mitigate the T 3 events. These
| |
| * functions are reactor scram, RCS integrity, SG inventory makeup, and RCP seal cooling. If all these functions are provided, the transient will be mitigated at a very early stage. Failure to provide reactor scram transfers to the ATWS tree. Failure of POR Vs to reclose transfers to the s2 LOCA tree. Failure to provide RCP seal cooling leads to a seal vulnerable condition.
| |
| Failure to provide feedwater leads to a demand for "feed and bleed" cooling. For feed and bleed, failure to provide charging flow and open two POR Vs leads to core damage.
| |
| Successful feed and bleed and cooling leads to a demand for containment systems and coolant recirculation systems.
| |
| 4.4.4.2 Discussion of Sequences The event tree for T 3 is shown in Figure 4.4-5. The important functional and phenomenological depenclencies as well as general assumptions and limitations are stated in Table 4.4-2.
| |
| The first sequence represents successful stabilization of the reactor at hot shutdown.
| |
| Reactor scram is successful. AFW starts and provides water to at least one of three steam generators. Heat removal is via the steam dumps to the condenser. Seal cooling is provided by seal injection flow. At this juncture in the tree, the reactor is stable in hot shutdown. This is considered successful termination and no further system availability questions are asked. Particularly, the availability of RHR which is necessary to reach cold shutdown is not asked. Sequence 2 is also a success state, with seal cooling
| |
| * being provided by CCW to the thermal barrier. Sequence 3 is a* seal vulnerable condition. All critical safety functions are being provided, but RCP seal cooling is not available. The potential for this sequence to lead to core damage depends on the susceptibility of seals to failure after loss of all cooling and the potential recovery options to restore seal cooling prior to seal failure. The seal vulnerable evaluation will be done on an individual sequence basis, should the quantification show this state to be important.
| |
| Sequence 4 represents stable hot shutdown with SG inventory being provided by main feedwater, after failure of auxiliary feedwater. This is a success state similar to Sequence 1, except of a much lower probability. Questions of seal cooling were not asked on this branch, because the additional sequences would be subsets of Sequences 2 and 3.
| |
| Sequence 5 represents loss of auxiliary feedwater and all main feedwater, but successful feed and bleed cooling, using containment ~eat removal systems and reactor coolant recirculation systems. Long term feed and bleed cooling requires high pressure coolant recirculation. Sequence 6 represents core damage due to failure to provide high pressure recirculation for long term cooling. Sequence 7 is similar to 6, except that the low pressure recirculation systems are unavailable.
| |
| Sequences 8 through 11 represent successful feed and bleed cooling, but failure of containment heat removal. In Sequence 8, containment failure does not lead to -
| |
| structural or phenomenological failure of the ECCS and core cooling is successful.
| |
| Sequences 9 and 1O represent ECCS survival of the containment failure, but failure due to random other causes. Sequence 11 represents ECCS failure due to containment failure. Thus, Sequence 11 represents containment failure prior to core damage.
| |
| 4.4-28
| |
| *
| |
| * TURB RPS RCI AHJ MF\.J SEAL CC\.J HPI PRV CONT CORE LPR HPR TRIP COOL SYS VULNR
| |
| \.J HFI.J TO CD I T3 -K -a -L -M -D3 -\.J -D2 -P -cs -CV - H1 -H2 Sequence I CORE I COMMENTS I I
| |
| : 1. T3 OK i I 2. T3-D3 OK I 3. T3-D3-\.J SEAL VU~N
| |
| : 4. T3-L OK I 5. T3-L-M OK I
| |
| I 6. T3-L-M-H2
| |
| : 7. T3-L-M-H1 CM CM I
| |
| II
| |
| : 8. T3-L""M-CS OK I
| |
| I 9. T3-L-M-CS-H2
| |
| : 10. T3-L-M-CS-H1 CM CM I
| |
| : 11. T3-L-M-CS-CV CM
| |
| : 12. 13-L-M-P CM
| |
| : 13. T3-L-M-D2 CM
| |
| : 14. T3-Q GO TO S2
| |
| : 15. T3-K GO TO AT\.IS Figure 4.4-5 Event Tree for T3 -
| |
| Turbine Trip wit.h MFW I
| |
| I I
| |
| I I
| |
| | |
| Sequences 12 and 13 represent failure to initiate feed and bleed cooling after loss of auxiliary feedwater. In Sequence 12 feed and bleed fails due to failure of 2 of 2 PORVs
| |
| * to open, while in Sequence 13, feed and bleed fails due to failure to establish safety injection flow.
| |
| Sequence 14 is a transient induced LOCA, which transfers to the S tree for further evaluation; and Sequence 15 is ATWS, which transfers to the ATWS tree for further evaluation.
| |
| 4.4.5 T5 (Loss of DC Bus) Event Tree This section presents and discusses .the event tree for the loss of a DC bus as an initiating event. This event is identified by the symbol T in the event tree. The event tree was quantified for two specific initiators, loss of Dc5 bus 1-A (T 5A) and loss of DC bus 1-B (T 5 B), however a single event tree is applicable to both. The specific initiators were postulated to be non-recoverable shorts in the buses. Interruptions in power supply to the buses and load shorts on the buses were considered to be recoverable in a relatively short time period and were therefore not included in this initiating event category.
| |
| 4.4.5.1 Success Criteria Success criteria for T 5 event tree are shown in Table 4.4-7. The success criteria are identical to T and T 2* The specific failures of the initiator do not create any unique 1
| |
| success criteria; however, they do create unique conditions for the evaluation of sequences.
| |
| Loss of a DC bus will cause MSIV closure, false signals in the instrumentation systems, and the immediate unavailability of some equipment. Loss of a DC bus will cause a low intake canal level which will cause turbine trip, and a low steam generator level signal which will cause a reactor trip. Loss of a DC bus will also start the turbine driven AFW pump due to the fail open condition of one steam admission valve.
| |
| In addition, loss of a DC bus will cause a CLS Hi and resultant SIAS actuation of one train. The major impact on the plant systems is through the loss of control_power to the affected buses. The circuit breakers will fail as is, so that operating pumps remain on, while non-operating pumps become unavailable. Manual loading of pumps onto buses was not considered in the analysis. Inadvertant safety injection will occur and may challenge a PORV unless controlled by the operator.
| |
| Four primary functions are required to successfully mitigate these events. These functions are reactor scram, RCS integrity, SG inventory makeup, and RCP seal cooling. If all these functions are provided, the transient will be mitigated at a very early stage. Failure to provide reactor scram transfers to the ATWS tree. Failure of POR Vs to reclose transfers to the s2 LOCA tree. Failure to provide RCP seal cooling leads to a seal vulnerable condition.
| |
| Failure to provide feedwater leads to a demand for "feed and bleed" cooling. Failure to provided charging flow and open two POR Vs leads to core damage. Successful feed and bleed cooling leads to demand for containment systems and coolant recirculation systems.
| |
| 4.4-30
| |
| *
| |
| | |
| :
| |
| * able 4.4-7 T5 TRANSIENT SU CRITERIA
| |
| | |
| ==SUMMARY==
| |
| INFORMATION T5 - Loss of DC Bus CONTMNMENT CONTMNMENT REACTOR CORE HEAT RCS PRESSURE SUPPRESS10N, CORE HEAT PRESSURE SUPPRESS10N, SIJ3CR1T1CAL1TY REMOVAL, EARLY 1NTEGR1TY EARLY REMOVAL, LATE LATE COMMENTS RPS 1/3 AFW Pumps 1/3 Charging Pump 1/2 css 1/3 HPR 1/2 1SR and SWS 1* OSR needs CSS 1 OR In Seal fojectlon OR and to associated HX In Injection*
| |
| I 1/3 Charging Pumps and 1/2 1SRand SWS 1/2 LPR OR to provide '
| |
| and PORV Reclose to associated 1/2 OSR and SWS NPSH.
| |
| 2 PORVs Open (If opened) CSR HX to associated HX
| |
| ( In Feed OR 2. 1SR needs SWS and Bleed) CCW to RCP In Injection :
| |
| Thermal Barrier In to provide al I RCP NPSH.
| |
| dnd PORV Reclose 3. Secondary steam
| |
| *
| |
| .
| |
| t (If opened) rel lef assumed aval Iable *
| |
| : 4. AFW to 1 SG
| |
| ....
| |
| .W sufficient
| |
| : 5. No RCS Pressure rel lef required If scram. Ho~ever I
| |
| PORV may open*.
| |
| : 6. Fallure of RCS Integrity goes to s 2 tree.
| |
| : 7. 1f AFW and RC,S Integrity are provided, con-tainment heat removal and core heat removal late are not requl'red.
| |
| | |
| 4.4.5.2 Discussion of Sequences The event tree for T .5. is shown in Figure 4.4-6. The important functional and
| |
| * phenomenological depenclencies as well as general assumptions and limitations are stated in Table 4.4-2.
| |
| The first sequence represents successful stabilization of the reactor at hot shutdown.
| |
| Reactor scram is successful. AFW starts and provides water to at least one of three steam generators. Heat removal is through the atmospheric dump valves as the initiating event will have failed the power conversion system. Seal cooling is provided by seal injection flow. At this juncture in the tree, the reactor is in hot shutdown. This is considered successful termination and no further system availability questions are asked. Particularly, the availability of RHR which is necessary to reach cold shutdown is not asked. Sequence 2 is also a success state, with seal cooling being provided by CCW to the thermal barrier. Sequence 3 is a seal wlnerable condition. All critical safety functions are being provided, but RCP seal cooling is not available. The potential for this sequence to lead to core damage depends on the susceptibility of the seals to failure after loss of all cooling and the potential recovery options to restore seal cooling prior to seal failure. This state will be evaluated on an individual basis, if the quantification shows it to be significant.
| |
| Sequence 4 represents loss of auxiliary feedwater, but successful feed and bleed cooling, using containment heat removal systems and reactor coolant recirculation systems. Long term feed and bleed cooling requires high pressure coolant recirculation. Sequence 5 represents core damage due to failure to provide high pressure recirculation for long term cooling. Sequence 6 is similar to 5, except that the low pressure recirculation systems are unavailable.
| |
| Sequences 7 through 10 represent successful feed and bleed cooling, .but failure of containment heat removal. In Sequence 7, containment failure does not lead to structural or phenomenological failure of the ECCS and core cooling is successful.
| |
| Sequences 8 and 9 represent ECCS survival of the containment failure, but failure due to other random causes. Sequence 10 represents ECCS failure due to containment failure.
| |
| Thus, Sequence 10 represents containment failure prior to core damage.
| |
| Sequences 11 and 12 represent failure to initiate feed and bleed cooling after loss of auxiliary feedwater. In Sequence 11, feed and bleed fails due to failure of 2 of 2 PORVs to open, while in Sequence 12, feed and bleed fails due to failure to establish safety injection flow. .
| |
| Sequence 13 is a transient induced LOCA, which transfers to the s2 tree for further evaluation, and Sequence 14 is ATWS, which transfers to the ATWS tree for further evaluation.
| |
| 4.4.6 T (Steam Generator Tube Rupture) Event Tree 7
| |
| This section presents and discusses the event tree for the steam generator tube rupture (SGTR) initiating eve~t. This event is identified by the symbol T7 in the event tree.
| |
| Success criteria for T7 event tree are shown in Table 4.4-8. This iriitiator is unique from other transient initiators because it causes a breach of the primary pressure boundary into the secondary side pressure boundary. Success criteria involved with integrity of t h e .
| |
| primary pressure boundary now become entangled with the necessity to preserve the secondary side pressure boundary. The primary system and the ruptured steam generator 4.4-32
| |
| | |
| LOSS RPS RCI AHi SEAL CCU HPI PRV CONT CORE LPR HPR OF DC COOL SYS VULNR BUS TO CD TS -K -Q -L -D3 -u -D2 -P -cs -CV -H1 -H2 Sequence I CORE I COMMENTS I
| |
| : 1. TS OK I 2. T5-D3 OK I 3. T5-D3-W SEAL VULN
| |
| : 4. TS-L OK I
| |
| I 5. T5-L-H2
| |
| : 6. T5-L-H1 CM CM OK
| |
| : 7. TS-L-CS I
| |
| I 8. T5-L-CS-H2
| |
| : 9. T5-L-CS-H1 CM CM
| |
| : 10. TS-L-CS-CV CM
| |
| : 11. TS-L-P CM
| |
| : 12. TS-L-D2 CM
| |
| : 13. TS-Q GO TO S2
| |
| : 14. TS-K GO TO ATUS Figure 4.4-6 Event Tree for Ts_
| |
| Loss of DC Bus
| |
| | |
| Table 4.4-8 T7 TRANSIENT SUCCESS CRITERIA
| |
| | |
| ==SUMMARY==
| |
| INFORMATION INITIATOR: T7 - SGTR CONTA1NMENT CONTA1tf.1ENT REACTOR CORE HEAT RCS PRESSURE SUPPRESS10N, CORE HEAT PRESSURE SUPPRESS10N, SUBCR1T1CAL1TY REMOVAL, EARLY 1NTEGR1TY EARLY REMOVAL, LATE LATE COMMENTS RPS 1/3 AFW Pumps Depressurlze N/A 1/3 AFW Pumps N/A 1. Definition of to RCS to less to RCS boundary 1/2 SGs than SG-RV 1/2 SGs expanded to setpolnt Include SG; and hence, SG l_n-Isolate tegr lty must
| |
| * MS1V be cons Idared
| |
| * SG Slowdown llne too.
| |
| * Steam llne to TD pump
| |
| * Steam I lne to
| |
| * DHR valve
| |
| * form a continuous pressure boundary and must be maintained at pressures consistent with the secondary side criteria. Normally open effluent lines to the steam generator must be isolated, because they now represent open effluent lines to the primary system.
| |
| 4.\.6.1 Success Criteria This initiating event begins with a complete double ended rupture in a single steam generator tube, which allows* primary coolant to flow into the secondary coolant system. The three primary functions required in response to T1 are reactor scram, core heat removal, and opera tor control of RCS pressure. If all of these functions are provided, the transient is mitigated at an early stage. Operator control of RCS pressure requires RCS cooldown using heat removal through the good steam generators, and depressurization of the primary system using pressurizer spray or POR V opening.
| |
| Failure to trip the reactor (either automatically or manually) causes the pressure in the reactor coolant system to increase, possibly resulting in the rupture of additional st~am generator tubes and an increase in .the flow from the RCS to the secondary coolant system. The ATWS induced pressure increase in the primary is counterproductive to the RCS depressurization which is required to mitigate tube rupture. Because of the com-plexity of this sequence, and the limited analytical data available to support evaluation, steam generator tube rupture with failure to scram was categorized as a core damage sequence.
| |
| 4.4.6.2 Discussion of Sequences
| |
| * The event tree for T7 is shown in Figure 4.4-7. The important functional and phenomenological dependencies as well as assumptions and limitations are stated in the general assumptions found in Table 4.4-2.
| |
| The steam generator tube rupture initiator is a double ended rupture of a single tube which results in an RCS outflow that requires an equivalent makeup flow of about 600 gpm. Actuation of SI will occur on low pressurizer pressure, shortly after the initiator.
| |
| Turbine trip, MFW isolation and start of AFW will occur on the SI signal. The operator is instructed to identify and isolate the ruptured steam genera tor. Isolation of the ruptured SG involves closure of the MSIV, AFW inlet valve, steam generator blowdown line and turbine driven pump steam admission valve. Complete isolation will not occur until the RCS pressure is reduced to less than the SG pressure. The water level in the ruptured SG will continue to rise due to'the influx of water from the break. Pressure in this SG will also rise as the average steam generator water temperature increases.
| |
| The operator is then directed to cooldown the RCS as rapidly as possible using the good steam generators and then depressurize the RCS using p.ressurizer sprays or opening a PORV, to reduce the pressure in the RCS to below the pressure in the ruptured SG. This will terminate the breakflow from the RCS and stablize the reactor. The operator then has to cooldown the ruptured steam generator and place the reactor in cold shutdown.
| |
| At the point in the event, when the pressure in the RCS is less than the pressure in the ruptured SG, the ruptured SG is isolated, and AFW is being provided to the good SGs, all the success criteria defined by this analysis are satisfied. Modeling of those systems .
| |
| necessary to put the reactor in cold shutdown, and provide for cooldown of the ruptured SG were not modeled in the event tree *
| |
| * Sequence 1 represents successful mitigation of the initiator. Primary and secondary side pressures have been equalized, thus mitigating breakflow. SG integrity (and thus RCS 4.4-35
| |
| | |
| SGTR RPS HPI. AHJ OPER. RCI SGI LPR HPR DPRES T7 -K -D1 -L3 -OD -Q -QS -H1 -H2 Sequence I CORE I
| |
| : 1. T7 OK I I
| |
| : 2. T7-QS
| |
| : 3. T7-Q
| |
| : 4. T7-Q-H1 OK OK CM
| |
| : 5. T7-Q-QS CM I 6. T7-Q-QS-H1 CM
| |
| : 7. T7-0D OK I I
| |
| : 8. T7-0D-QS
| |
| : 9. T7-0D.-Q CM OK I 10. T7-0D-Q-H2
| |
| : 11. T7-0D-Q-H1
| |
| : 12. T7-0D-Q-QS CM CM CM
| |
| : 13. T7-L3 CM
| |
| : 14. T7-D1 OK I 15. T7-D1-QS
| |
| : 16. T7-D1-Q
| |
| : 17. T7-D1-0D CM CM CM
| |
| : 18. T7-D1-L3 CM
| |
| : 19. T7-K CM Figure 4.4-7 Event Tree for T7 -
| |
| . Steam Generator Tube Rupture
| |
| *
| |
| | |
| .. integrity) have been maintained, and heat removal is provided by the good steam
| |
| * generators. Sequence 2 represents a failure of steam generator integrity. It was classified a: safe state, although it violates the success criteria, because the timing of this sequence extends it well past the 24 hour mission time for evaluation. This sequence includes successful depressurization of the primary system within 45 minutes of the initiating event. The leak rate would be reduced substantially below the initial 600 gpm leak rate. Reducton of the leak rate to 200 gpm would extend the R WST depletion time. to about 27 hours. Reduction to 100 gpm would extend the R WST depletion time to 53 hours. Should a loss of SG integrity occur after primary depressurization, the likelihood of not being able to mitigate a 100 gpm leak for over 50 hours was considered exceedingly small.
| |
| Sequence 3 represents loss of primary system integrity (i.e., stuck open PORV), but successful coolant recirculation from the containment sump using LPR. POR V demand probability for this sequence was estimated to be .25, which includes the possibility of intentional POR V opening to aid primary system pressure reduction. Secondary side integrity is maintained throughout the sequence, thus preserving coolant inventory and enabling long term coolant recirculation. Heat removal is through the steam generators. SI flow in response to the PORV failure will empty the RWST, causing switchover to recirculation from the sump. Because the reactor has previously been depressurized to 1000 psi in response to the tube rupture, it was estimated it could be further depressurized to allow low pressure recirculation in the event that high pressure recirculation failed. High pressure recirculation is therefore not necessary. Sequence 4 is similar to Sequence 3 except that failure to switch to low pressure recirculation from the sump results in core damage. This sequence is recoverable at Surry by cross connecting of the R WST from Unit 2, and continued safety injection.
| |
| Sequence 5 represents unmitigated loss of coolant inventory from the steam generator which ultimately prevents required recirculation from the sump.
| |
| * The loss of RCS integrity early in the event forces coolant recirculation from the sump while the loss of SG integrity results in continued loss of coolant inventory to the atmosphere. Eventual inventory depletion in the sump will result in cavitation of the LPR pumps, thus leading to core uncovery. This sequence can be recovered through refilling the R WST or cross connect to the other unit's RWST. Sequence 6 is similar to 5, but represents failure of coolant recirculation due to failures in the low pressure recirculation system. Recovery of this sequence is possible through continued safety injection using the water sources from Unit 2. This extends the sequence well beyond the 24 hour mission time which the analysis is based upon.
| |
| Becau~ the operator has previously depressurized in Sequences 3 through 6, breakflows are low enough to provide substantial time for operator recovery actions to provide alternate sources of coolant injection. In Sequences 7 through 12 the operator has failed to depressurize the reactor and thus inventory loss rates are much higher.
| |
| Sequence 7 represents a mitigated SGTR with failure to depressurize the reactor. The probability of this state is exceedingly small, due to the provision of safety valves on the steam generator. At a minimum, all of these SVs would have to fail closed in order to fulfill the requirements of this state.
| |
| Sequence 8 is similar to Sequence 2, except that breakflows are higher. Failure of the operator to depressurize, combined with loss of SG integrity causes the eventual depletio11 of the R WST inventory through the unisolated SG. Recirculation from the sump is not possible, but refilling of the RWST would delay core uncovery. Sequence 9 is a safe state because the retention of SG integrity allows preservation of coolant 4.4-37
| |
| | |
| inventory and continued emergency coolant recir~ulation from the sump. The stuck open
| |
| * relief valve which occurred early in the sequence forces the requirement for recirculation .from the sump. High pressure recirculation is required because of the .
| |
| previous operator failure to depressurize the reactor. Sequences 10 and 11 represent failure of coolant recirculation due to faults in the HPR/LPR systems.
| |
| Sequence 12 represents a simultaneous loss of RCS integrity and SG integrity. Continued safety injection is necessary to maintain RCS inventory. But the loss of SG integrity causes diversion of the coolant inventory outside the containment. The previous failure to depressurize the reactor results in high reactor pressure and thus maintains large discharge rates. Questions of LPR and HPR availability were not asked at this juncture, because sump inventory would not be sufficient to establish recirculation.*
| |
| Sequence 13 is a tube rupture with loss of auxiliary feedwater. Response to loss of AFW in other transients is to initiate feed and bleed cooling. But, feed and bleed requires sustained pressure in the primary system, which is counter to requirements of SG tube rupture mitigation. Due to limited previous evaluation of these circumstances, SG tube rupture with loss of all feedwater was considered a core damage sequence.
| |
| Sequence 14 represents a recoverable failure of safety injection. Early in the sequence, safety injection fails in response to the low pressurizer pressure. This is similar to an unmitigated LOCA, except that restoration of RCS integrity is possible if the operator performs rapid cooldown and depressurization of the primary. At the point where primary and secondary pressures are equal, the RCS outflow is terminated and thus there is no more need for coolant makeup. If these actions occur in a short enough time frame such that core covery is maintained and RCS inventory is sufficient to support steam generator heat removal, this represents an acceptable core cooling state.
| |
| Sequence 15 leads to core uncovery through the combination of loss of SG integrity and failure of safety injection. Inventory loss is through the SG without the capability to makeup inventory. Sequence 16 is similar, except inventory loss is through the pressur-izer *PORV. Sequence 17 represents failure to depressurize the RCS to limit leakage.
| |
| Continued breakflow through the ruptured tube leads to core uncovery.
| |
| Sequence 19 is an ATWS sequence, as discussed in the previous section. A TWS was not considered mitigatible when combined with a tube rupture.
| |
| 4.4.7 A (Large LOCA) Event Tree This section presents and discusses the event tree for the large LOCA initiating event.
| |
| This event is identified by the symbol A in the event tree and covers break sizes ranging from 6 to 29 inches.
| |
| 4.4.7.1 Success Criteria The success criteria for the large LOCA event tree are shown in Table 4.4-9.
| |
| 4.4.7 .2 Discussion of Sequences The event tree for large LOCAs is shown in Figure 4.4-8. The important functional and phenomenological dependencies as well as general assumptions and limitations are stated in Table 4.4-2.
| |
| 4.4-38
| |
| | |
| *
| |
| * Table 4.4-9 LARGE LOCA SUCCESS CRITERIA
| |
| | |
| ==SUMMARY==
| |
| INFORMATION
| |
| * INITIATOR: Large LOCA, A CONTA1 NMENT CONTA1 tf.1ENT REACTOR CORE HEAT RCS PRESSURE SUPPRESS10N, CORE HEAT PRESSURE SUPPRESS10N, SUBCR1T1CAL1TY REMOVAL, EARLY 1NTEGR1TY EARLY REMOVAL, LATE LATE COMMENTS Not Required 1/2 LP1 See Comments 1/2 css 1/2 LPR 1/2 *1sR and 1. 1njectlon of and OR and SWS to LP1 Into one 2/2 ACX 1/21SR Switch Injection Associated HX RCS loop was and SWS Po Int to Hot Leg OR considered suf-to Associated at 16 hr. 1/2 OSR and ficient.
| |
| CSR HX SWS to Associated HX 2. Reactor sub-critical lty Is not expllcltly re-quired. 1t RPS
| |
| ,. tails, the reactor will be maintained t
| |
| cc subcrltlcal by In-jection of RWST Inventory.
| |
| : 3. RCS Integrity Is lost as a result of the Initiator.
| |
| | |
| LARGE ACC LPI CONT CORE LPR LOCA SYS VULNR TO CD A 06 -cs -CV -H1 Sequence I CORE_ I
| |
| : 1. A OK I I l
| |
| 2.
| |
| 3.
| |
| A-H1 A-CS CM OK I 4.
| |
| 5.
| |
| A-CS-H1 A-CS,;.CV CM CM
| |
| 'f', 6. A-06 CM
| |
| ,i:::.
| |
| I.
| |
| : 7. A-05 CM
| |
| .is.
| |
| 0 Figure 4.4-8 Event Tree for A -
| |
| Large LOCA
| |
| | |
| Sequence 1 represents a completely successful response to the initiator in which all systems function as intended. The accumulators inject water immediately to accom-
| |
| * modate the initial high volume surge of water from the* reactor cooling system. Low pressure injection subsequently provides the high volume, low pressure flow required for col\'tinued core cooling. The containment heat removal systems successfully maintain containment pressures and temperatures at acceptable levels, and recirculation cooling is established from the containment sump to *provide long term cooling.
| |
| Sequence 2 leads to core damage because of a failure to provide low pressure recirculation cooling. No other system can provide the volume of flow needed under large LOCA conditions.
| |
| Sequences 3, 4, and 5 represent the occurrence of a core wlnerable state and its possible outcomes. A core vulnerable state occurs when containment heat removal fails after core cooling has been established by low pressure injection. Under such circumstances, heat is being transferred from the core to the containment via the water flowing through the opening in the RCS pressure boundary. As a result, the pressure and temperature in.
| |
| the containment rise due to the lost containment heat removal (CHR) capability. If the containment pressure continues to increase without being mitigated by containment venting or restoration of CHR systems, containment *overpressure failure will occur.
| |
| Events occurring during containment failure could cause ECCS systems to fail, which would lead to core damage. Such a scenario is represented by Sequence 5. Sequence 3 represents containment failure, but the ECCS survives and continues to cool the core.
| |
| Sequence 4 represents containment failure together with independent failure of the ECCS (i.e., due to causes other -than the containment failure).
| |
| Sequence 6 represents failure of the ECCS to respond early in the scenario to provide the
| |
| * high volume, low pressure injection flow needed to cool the core, thereby leading to core damage. In Sequence 7 the accumulators fail to inject water immediately as the pressure in the reactor coolant system drops suddenly as a result of the large break in the cooling system pressure boundary. This sudden loss of coolant inventory causes core damage.
| |
| 4~4.8 s1 (Medium LOCA) Event Tree This section presents and discusses the event tree for the medium LO_CA initiating event. This event is identified by the symbol s1 in the event tree and covers leak sizes ranging from 2 to 6 inches.
| |
| 4.4.8.1 Success Criteria Success criteria for medium LOCAs are shown in Table 4.4-10. Success criteria for s1 are distinctively different A and s2* These differences were derived from requirements for AFW, accumulators, HPI/R and LPI/R.
| |
| The s events will maintain the reactor moderately pressurized during the early time 1
| |
| frame, thus requiring early inventory makeup from HPI. As the pressure declines. the accumulators and LPI are required. A requirement for high pressure recirculation is not necessary, because pressure will be below shutoff head for LHSI pumps at the time of recirculation.
| |
| 4.4.8.2 Discussion of Sequences The event tree for medium LOCAs is shown in Figure 4.4-9. The important functional and phenomenological dependencies as well as general assumptions and limitations are stated in Table 4.4-2.
| |
| 4.4-41
| |
| | |
| Table 4.4-10 MEDIUM LOCA SUCCESS CRITERIA
| |
| | |
| ==SUMMARY==
| |
| INFORMATION INITIATOR: Medium LOCA, s1 CONTA1NMENT CONTA1NMENT REACTOR CORE HEAT RCS PRESSURE SUPPRESS10N, CORE HEAT PRESSURE SUPPRESS10N, SI.BCR1T1CAL1TY REMOVAL, EARLY 1NTEGR1TY EARLY REMOVAL, LATE LATE COMMENTS Not Required 1/3 Charging Pump See Comments 1/2 CSS 1/2 LPR 1/2 1SR 1. 1/2 Injection and OR and and SWS 11 nes adequate 1/2 LP1 1/21SR Sw Itch Inject Ion to Associated for LP1.
| |
| and and SWS pol nt to hot Ieg HX 2/3 ACC to Associated at 16 hr. OR 2. 2/3 Injection
| |
| : 1. CSR HX 1/2 OSR and I Ines adequate sws to for I-P1.
| |
| Assoc I ated HX
| |
| : 3. Reactor sub-cr It lca I ltly Is not expllcltly re-quired. 1f RPS fal Is, the reactor wlll be maintained subcrltlcal by Injection of RWST Inventory.
| |
| : 4. RCS Integrity Is lost as a result of the Initiator *
| |
| *
| |
| | |
| *
| |
| * INTER HPI ACC CONT CORE LPI LPR MEDIA SYS VULNR LOCA TO CD S1 -D1 -D5 -cs -CV -D6 -H1 Sequence I CORE I
| |
| : 1. S1 OK I
| |
| I 2. S1-H1
| |
| : 3. S1-D6 CM CM
| |
| : 4. S1-CS OK I
| |
| I 5. S1-CS-H1
| |
| : 6. S1-CS-D6
| |
| : 7. S1-CS-CV CM CM CM
| |
| : 8. S1-D5 CM
| |
| : 9. S1-D1 CM Figure 4.4-9 Event Tree for S1 -
| |
| Medium LOCA
| |
| | |
| Sequence 1 represents a compJetely successful response to the initiator in which all systems function as intended. High pressure injection immediately provides the high*
| |
| pressure initial flow required for core cooling. The accumulators inject water to.
| |
| accommodate the initial high-volume surge of water from the reactor cooling system.
| |
| The containment heat removal systems successfully maintain containment pressures and temperatures at acceptable levels, and low pressure injection and recirculation cooling are established to provide long term cooling. .
| |
| Sequence 2 leads to core damage because of a failure to provide low pressure recircu-lation cooling. No other system can provide the volume of flow needed under the low pressure conditions that follow a medium LOCA. Sequence 3 denotes failure to establish low pressure injection, which is required before enough water accumulates in the con-tainment sump to allow recirculation cooling.
| |
| Sequences 4, 5, 6, and 7 represent the occurrence of a core vulnerable state and its possible outcomes. A core wlnerable state occurs when containment heat removal (CHR) fails after core cooling has been established by high pressure injection. Under such circumstances, heat is being transferred from the core to the containment via the water flowing through the opening in the RCS pressure boundary. As a result, the pressure and temperature in the containment rise due to the failed containment heat removal capability. If the containment pressure continues to increase without being mitigated by containment venting or restoration of CHR systems, containment over-pressure failure will occur. Events occurring during containment failure could cause ECCS systems to fail, which would lead to core damage. Such a scenario is represented by Sequence 7. Sequence 4 represents containment failure, but the ECCS survives and continues to cool the core. Sequences 5 and 6 represent containment failure together with independent failure of the ECCS (i.e., due to causes other than the containment failure).
| |
| In Sequence 8 the accumulators fail to inject water immediately as the pressure in the reactor coolant system drops suddenly as a result of the medium break in the cooling system pressure boundary. This sudden loss of coolant inventory causes core damage.
| |
| Sequence 9 represents failure of the ECCS to respond early in the scenar~o to provide the high pressure injection flow needed to cool the core, thereby leading to core damage.
| |
| 4.4.9 s2 (Small LOCA) Event Tree This section presents and discusses the event tree for the small LOCA initiating event.
| |
| This event is identified by the symbol s2 in the event tree and covers leak sizes ranging from 1/2 to 2 inches.
| |
| 4.4.9.1 Success Criteria Success criteria for s LOCAs are shown in Table 4.4-11. s2 success criteria are a 2
| |
| combination of transient and LOCA type criteria. The break is not sufficient to depressurize the reactor, so that large volume ECCS systems are not effective. Thus the need for control rod insertion, because the ECCS boration function will not be performed in a timely manner.
| |
| AFW is required for successful s2 mitigation, because the break size itself is not sufficient to carry away decay heat and reactor coolant pump heat. The Surry RCPs do
| |
| * not shut off on receipt of an SIAS signal. If AFW is unavailable, "feed and bleed" cooling is viable if the operator opens one PORV.
| |
| 4.4-44
| |
| * INITIATOR: Small LOCA, s2 SMALL LOCA SUCCE*
| |
| CONTA1NMENT e 4.4-11 ITERIA
| |
| | |
| ==SUMMARY==
| |
| INFORMATION CONTA1NMENT
| |
| * REACTOR COR.E HEAT RCS PRESSURE SUPPRESS10N, CORE HEAT PRESSURE SUPPRESS10N, SUBCR1T1CAL1TY REMOVAL, EARLY 1NTEGR1TY EARLY REMOVAL, LATE LATE COMMENTS RPS 1/3 Charging Pump See Comments See Comment 3 1/3 I-PR 1/2 1SR and t. Fal lure of RPS and and SWS to transfers to 1/3 AFW Pump 1/2 LPR Associated HX ATWS tree.
| |
| OR OR 1/3 Charging Pump 1/2 OSR and 2. RCS Integrity Is and SWS to lost as a result 1 PORV Opened Associated HX of the Initiator.
| |
| OR 1/3 AFW and 3. Containment 1/3 HPR and pressu*re 1/2 LPR suppression Is
| |
| *
| |
| * not required In I
| |
| UI the earl'l time frame.
| |
| (23)
| |
| | |
| 4.4. 9.2
| |
| * Discussion of Sequences The event tree for s2 is shown in Figure 4.4-10. The important functional and phenomenological depenclencies as well as general assumptions and limitations are stated in !fable 4.4-2.
| |
| * Sequence 1 represents a completely successful response to the initiator in which all systems function as intended. The reactor protection system successfully scrams the reactor. High pressure injection provides the initial high pressure flow required to replace the lost inventory. The auxiliary feedwater system provides core heat removal via the steam generators. The containment heat removal systems successfully maintain containment pressures and temperatures at acceptable levels. The operator successfully depressurizes the RCS, and recirculation cooling is established to provide long term cooling, using the low pressure recirculation systems. Low pressure recirculation from the sump was required for successful mitigation, because shutdown cooling on RHR may not be possible due to break location.
| |
| Sequence 2 leads to core damage because of a failure to provide low pressure recirculation cooling. Sequence 3 represents successful mitigation after the failure of the operator to depressurize the RCS. Failure to depressurize the RCS leads to the requirement for high pressure recirculation. If either low or high pressure recirculation fails, core damage results as indicated by Sequences 4 and 5.
| |
| Sequences 6 through 11 cover the case in which the containment heat removal systems fail after core inventory is being maintained via high pressure injection and core cooling
| |
| * has been established by the AFW system. Whether or not this can lead to a core wlnerable state depends on whether or not the operator depressurizes the RCS. If operator depressurization occurs, SG heat removal is not effective and a core vulnerable state can occur. Under such circumstances, heat is gradually being transferred from the core to the containment via the water flowing through the opening in the RCS pressure boundary. As a result, the pressure and temperature in the containment rise gradually due to the lost containment heat removal (CHR) capability. If the containment pressure continues to increase without being mitigated by conta.inment venting or restoration of CHR systems, containment overpressure failure will occur. Continued heat removal through the steam genera tors has b~ shown to be sufficient to prevent containment overpressure failure in these cases * *~ Events occurring during containment failure could cause ECCS failure. which would lead to core damage. Such a scenario is represented by Sequence 8. Sequence 6 represents containment failure, but the ECCS survives and continues to cool the core. Sequence 7 reptesents containment failure
| |
| * together with the independent failure of the ECCS (i.e., due to causes other than the containment failure). If the operator keeps the RCS pressurized and thus supports steam generator heat removal (as represented by Sequence*s 9, 10, and 11), then the containment overpressure failure is averted, even though containment heat removal systems have failed. Under such circumstances the containment is not expected to fail, and the "CV" question is not asked. Sequence 9 represents successful functioning of the ECCS in the recirculation mode. Sequences 10 and 11 represent ECCS failure, which results in core damage.
| |
| Sequences 12 through 19 address the sequences with auxiliary feedwater failure. If AFW is lost, core cooling can be accomplished by opening a PORV to increase the breakflow.
| |
| Now sufficient water is lost from the RCS to carry away all decay heat. The charging
| |
| * pump is known to be successful at this point in the event tree. Sequence 19 represents failure of either PORV to open. Sequences 12 through 18 address the potential for a core
| |
| * Refer to Appendix A, Section A.1.2.
| |
| 4.4-46
| |
| * SMALL RPS HPI AFW PRV CONT
| |
| * OPER CORE LPR HPR
| |
| * LOCA SYS DPRES VUlNR TO CD S2 -K -D1 -L .::p1 -cs -OD -CV -'H1 -H2 Sequence I CORE I COMMENTS I
| |
| : 1. S2 OK
| |
| : 2. S2-H1 CM
| |
| : 3. S2-0D OK
| |
| : 4. S2-0D-H2 CM
| |
| : 5. S2-0D-H1 CM
| |
| : 6. S2-CS OK
| |
| ,. 7. S2-CS-H1 CM
| |
| : 8. S2-CS-CV CM
| |
| .
| |
| * 9.
| |
| 10.
| |
| 11.
| |
| S2-CS-OD S2-CS-OD-H2 S2-CS-0D-H1 OK CM CM
| |
| !
| |
| ~ 12. S2-L OK
| |
| : 13. S2-L-H2 CM
| |
| : 14. S2-L-H1 CM
| |
| : 15. S2-L-CS OK
| |
| : 16. S2-L-CS-H2 CM
| |
| : 17. S2-L-CS-H1 CM
| |
| : 18. S2-L-CS-CV CM
| |
| : 19. S2-L-P1 CM
| |
| : o. S2-D1 CM 1* S2-K CM GO* TO AHIS Figure 4.4-1 O Event Tree for 82 -
| |
| Small LOCA
| |
| | |
| vulnerable state due to failure of CHR. A core vulnerable state occurs when containment heat removal fails after feed and bleed core cooling has been established. Under such circumstances,. heat is being transferred from the core to the containment. The pressure and temperature in the containment rise due to the lost containment heat removal capability. If the containment pressure continues to increase without being mitigated by containment venting or rest9ration of CHR systems, containment overpressure failure will occur. Events occurring during containment -failure could cause ECCS systems to fail, which would lead to core damage. Such a scenario is represented by Sequence 18.
| |
| Sequence 15 represents containment failure, but the ECCS survives and continues to cool the core. Sequences 16 and 17 represent containment failure together with independent failure of the ECCS (i.e., due to causes other than the containment failure).
| |
| In Sequence 20 the ECCS fails to respond to the small LOCA initiator and to provide the initial high pressure injection flow needed to cool the core. In Sequence 21 the RPS fails to scram the reactor, which transfers to the ATWS event tree for further analysis.
| |
| 4.4.10 s3 (Very Small LOCA) Event Tree This section presents and discusses the event tree for the very small LOCA initiating event. This event is identified by the symbol s3 in the event tree. This group of LOCAs includes spontaneous seal LOCAs and very small breaks, with leak sizes equivalent to less than approximately 1/2 inch break.
| |
| 4.4.10.1 Success Criteria The .success criteria for s3 are shown in Table 4.4-12. They are very similar to the s2 criteria. However, timing considerations due to the impact of the very small leak rate have a significant iml""'.Ct on the recirculation requirements.
| |
| Heat removal from the RCS by the AFW combined with the containment fan coolers and natural cooling/condensation processes are expected to maintain* containment pressure well below the spray actuation point. Containment fan coolers are normally operating and are not isolated until a containment Hi-Hi pressure signal is received. With only the HPI flow draining the R WST, s3 breaks could remain in the injection phase for a long time.
| |
| If the operator takes action to depressurize the RCS, thus reducing the leak rate from the RCS, the reactor can be depressurized and in cold shutdown long before depletion of RWST inventory forces a switch to recirculation.
| |
| 4.4.10.2 Discussion of Sequences The event tree for s3 is shown in Figure 4.4-11. The important functional and phenomenological dependencies as well as general assumptions and limitations are stated in Table 4.4-2.
| |
| Sequence 1 represents a completely successful response to the initiator in which all systems function as intended. The reactor protection system successfully scrams the reactor. High pressure injection provides the high pressure initial flow required for continued core cooling. The RCS relief valves reclose if opened, auxiliary feedwater cooling is initiated, the opera tor depressurizes the RCS, and residual heat removal (RHR) system is available to provide shutdown cooling. The RHR system at Surry is a separate system (non-safety grade) used for long-term shutdown cooling.
| |
| 4.4-48
| |
| * INITIATOR: s3 - Very Small LOCA ble 4.4-12 VERY SMALL LOCA SUCCESS CRITERIA
| |
| | |
| ==SUMMARY==
| |
| INFORMATION
| |
| * CONTA1NMENT CONTA1NMENT REACTOR CORE HEAT RCS PRESSURE SUPPRESS10N, CORE HEAT PRESSURE SUPPRESS10N, SUBCR1T1CAL1TY REMOVAL, EARLY 1NTEGR1TY EARLY REMOVAL, LATE LATE COMMENTS RPS 1/3 Charging Pump See Comments See Comment 5 1/3 HPR 1/2 1SR and 1. Failure of RPS and and sws to transfers to 1/3 AFW Pump 1/2 LPR Associated ATWS tree.
| |
| OR OR HX 1/3 Charging Pump Operator OR 2. For s3 , If AFW and and Depressur lzes 1/2 OSR and charging flow are 2 PORVs Opened RCS and SWS to available, the operator OR 1/2 RHR Associated can depressurlze the 1/2 MFW Pumps OR HX RCS and go on closed Operator OR cycle cool Ing before Depressurlzes 1/3 AFW and the RWST Is emptied, RCS and 1/3 HPR and thereby, eliminating 1/2 LPR 1/2 LPR the requirement for reclrculatlon.
| |
| : 3. 1f containment fan coolers are available It was assumed that spray ac~uatlon set point would not be reached.
| |
| : 4. RCS Integrity Is lost as a result of the Initiator.
| |
| : 5. Containment pressure suppres_s Ion not required In the early time frame.
| |
| | |
| ~ERY RPS HPI RCI AHJ MHI PRV CONT CORE OPER RHR LPR HPR SMALL SYS VULNR DPRES LOCA TO CD S3 -1( -D1 -QC -L -M -P -cs -CV -OD -\.13 -H1 -H2 Sequence I CORE I COMMENTS I
| |
| : 1. S3 OK I 2. S3-W3 OK I 3. S3-W3-H1 CM
| |
| : 4. S3-00 OK I
| |
| I 5. S3-00-H2
| |
| : 6. S3-00-H1
| |
| : 7. S3-L CM CM OK I
| |
| I I
| |
| : 8. S3-L-H1
| |
| : 9. S3-L-\J3 CM OK 1o. S3-L-\J3-H1 CM
| |
| : 11. S3-L-OD OK I
| |
| I 12. S3-L-OD-H2
| |
| : 13. S3-L-OD-H1 CM CM
| |
| : 14. S3-L-M OK I
| |
| I 15. S3-L-M-H2
| |
| : 16. S3-L-M-H1 CM CM
| |
| : 17. S3-L-M-CS OK I
| |
| I 1B. S3-L-M-CS-H2
| |
| .,19. S3-L-M-CS-H1 CM CM
| |
| : o. S3-L-M-CS-CV
| |
| ., 1. S3-L-M-P CM CM
| |
| ..,
| |
| -., 2. S3-QC GO TO S2
| |
| : 3. S3*D1 CM
| |
| ., 4. S3-K GO TO AT\JS Figure 4.4-11 Event Tree for S3 -
| |
| Very Small LOCA
| |
| | |
| Sequence 2 addresses the case where residual heat removal system is unavailable and low
| |
| * pressure recirculation cooling is required to provide long term core cooling. If LPR fails (as in Sequence 3), then core damage will result.
| |
| ~quences 4, 5, and 6 address the cases where the operator does not depressurize the RCS. Continued blowdown leads to RWST depletion which forces recirculation.
| |
| Sequence 4 represents successful switch to high pressure recirculation. Sequences 5 and 6 represent core damage due to failure of high and low pressure recirculation.
| |
| Sequences 7 through 21 represent all cases in which the primary mode of steam generator feedwater supply is lost. In Sequences 7 through 13, main feedwater supplies steam generator feed flow. These sequences have much the same characteristics as Sequences 1 through 6.
| |
| Sequences 14 through 21 address the case that both AFW and MFW have been lost. In this instance, it is necessary to establish feed and bleed cooling. Both POR V's must open to allow water to flow from the RCS, to remove decay heat. A single charging pump is required to supply makeup to replenish the POR V discharge. If feed and bleed cooling is lost (sequence 21), then core damage results. Sequence 14 represents successful feed and bleed cooling followed by long term cooling in the recirculation mode. If either high pressure or low pressure recirculation cooling is lost (as in sequences 15 and 16), then core damage results.
| |
| Sequences 17 through 20 represent the occurrence of a core vulnerable state during successful feed and bleed cooling. A core vulnerable state occurs when containment heat removal fails after core cooling has been established in the feed and bleed mode. Under such circumstances, heat is being transferred from the core to the containment. (A core wlnerable state cannot occur in Sequences 2 through 13 in the event tree because an insufficient amount of hot water is transferred into the containment to cause overpressure.) As a result, the pressure and temperature in the containment rise due to the lost containment heat removal capability. If the containment pressure continues to increase without being mitigated by containment venting or restoration of CHR systems, containment overpressure failure will occur. Events occurring during containment failure could cause ECCS systems to fail, which would lead to core damage. Such a scenario is represented by Sequence 20. Sequence 17 represents containment failure, but the ECCS survives and continues to cool. the core. Sequences 18 and 19 represent containment failure together with independent failure of the ECCS (i.e., due to causes other than the containment failure).
| |
| Sequence 22 represents the case in which SI flow causes the RCS relief valves to open, and one of the valves fails to reseat. This leads to a larger LOCA size, which requires analysis via the small LOCA event tree (Section 4.4.9) ... In Sequence 23 the ECCS fails to respond to the LOCA initiating event and to provide the initial high pressure injection flow needed to cool the core. In Sequence 24 the RPS fails to scram the reactor, which transfers to the ATWS event tree for further analysis.
| |
| 4.4.11 Anticipated Transients Without Scram Event Tree ATWS events for Surry were evaluated using a special event tree. Sequences with failure to scram were transferred from other event trees to the ATWS tree. This section discusses the ATWS evaluation.
| |
| 4.4-51
| |
| | |
| 4.4.11.1 ATWS Model Development and Success Criteria Definition The principal ATWS analytical work which has been used by the industry to determine phenomenolo&9)issues and success criteria for Westinghouse plants was published in WCAP-8330. Subsequent ATWS evaluations have produced refinements in some phenomenological areas and have generated more analytical results to support alternate success criteria. The intent of this study was to develop an ATWS model which included all phenomological issues previously identified and which was based on consensus success criteria.
| |
| A review was performed of previous ATWS analyses from the following sources:
| |
| (28)
| |
| NUREG-0460( 30) 0 SECY ~3 Zion PRA 8 Indian Point PRA(l l)
| |
| Seabrook PRAl 9.J Millstone-3 PRA(lO)
| |
| W - Owners Gr9UR ATWS Rulemaking Commentl 3 0 NUREG - 10ool 2'JJ Based on this review, the success criteria in Table 4.4-13 were developed. The basis for selecting the success criteria for this study are discussed below.
| |
| The document review indicated a significant distinction in success criteria for transients initiated at high power and* those initiated from low power. Zion, Indian Point. and Seabrook used 8096 as the demarcation line for high and low power, while Millstone and the WOG used 2596. The relationship between power level and pressure rise is not well enough documented in the references to select which power level is appropriate. This study chose 2596, because the initiating event data reviewed in Section 4.3 of this report was correlated to 2596. The final frequency of high power transients calculated for this study is 5.9/yr, which is slightly larger than the value of 3.6/yr used in the WOG comments and 4.0/yr used in SECY 293.
| |
| Selection of success criteria for this study was based on not allowing RCS pressure to exceed 3200 psi. This value was chosen because it corresponas to stress level C limits of the ASME Code.
| |
| Peak RCS pressure is related to the value of the reactor's moderator temperature coeffi-cient (MTC) at the time of ATWS. There exists a critical value of MTC, above which there is insufficient negative feedback to maintain RCS pressure below 3200 psi regard-less of relief valve operation. For this study, the important parameter is the percent of time** the MTC is above the critical value (less negative), rather than the critical MTC value itself. However, it appears the critical MTC value is -7pcm/°F. Based on the document review, an upper bound value of 0.05 and a lower bound value of 0.001 was selected for the percent of time unfavorable MTC exists. Relating these to 95th per-centiles of a log normal, translates to a mean value of 0.014 with an error factor of 7.
| |
| Transients initiated from low power have no restrictions on MTC. Pressure can be maintained below 3200 psi for transients initiated from low power, regardless of MTC, if relief valve opening is successful.
| |
| In addition, NUREG-0460 develops the further discrimination that if MTC is very
| |
| * negative, reactivity feedback is great enough to maintain pressure below 3200 psi, even 4.4-.52
| |
| | |
| Table 4.4-13 ATWS SUCCESS CRITERIA
| |
| | |
| ==SUMMARY==
| |
| INFORMATION EVENT: ATWS RCS REACTOR CORE HEAT RCS PRESSURE SUBCR tT tcAL tTY REMOVAL, EARLY tNTEGRtTY RELtEF COMMENTS Manual Insertion 2 AFW r.DP All SRV, PORV TurMne Trfp 1. Entry Into the ATWS tree assumes of control rods by OR must reclose OR the RPS fa~led.
| |
| operator 1 AFW TDP MS tv 71osure OR AND 2. AFW must be suppl led to 2 of 3 SG.
| |
| Emergency boratlon 3 SRVs using 1 charg~ng OR 3. tf MTC <-20 pcm/°F no pressure pump, tak~ng suction 2 SRVs and 2 PORVs reUef required.
| |
| from Boric Acid Tank, discharging through the 4. tf MTC >-7 pcm!°F pressure charg1ng llne and rellef not poss1ble.
| |
| remaining at elevated temperature to maintain 5. Turbine Tr1p not requ1red subcr1tl cal Uy. for low power 1nltlators, or 1f MTC Is very low.
| |
| : 6. MTC criteria apply to h1gh power only.
| |
| | |
| if multiple relief valves fail to open. Failure of pressure relief under conditions of very low MTC is therefore considered a negligible *contributor to core damage. The amount of time a very low MTC exists was taken as 0.5, from NUREG-0460.
| |
| NUREG-0460, SECY-83-293, Zion, Indian Point, Millstone and the WOG comments all required turbine trip for transients from high power in order to prevent core damage.
| |
| Thus, turbine trip was required for all loss of main feedwater events from high power except when very low MTC exists. Failure to trip the turbine may lead to overcooling of the RCS cold legs which would add positive reactivity to the core. This would aggravate the ongoing ATWS and lead to overpressurization of the RCS, regardless of the pressure relief capacity that was available. Turbine trip was not required for transients from low power.
| |
| Primary pressure relief requires three SRVs. Since PORVs at Surry are approximately 1/2 the capacity of SR Vs, two SR Vs and two POR Vs were also allowed. This relief capacity was sufficient to maintain pressure below 3200 psi, if MTC was below -7 pcm/°F and turbine trip was successful.
| |
| Emergency boration and SG inventory makeup were required for all ATWS events, regardless of power level. SG inventory could be supplied by MFW or 700 gpm flow from AFW. These criteria are consistent with the Zion PRA study.
| |
| NUREG-0460, Zion, Indian Point, Seabrook and the WOG allow mitigation of stuck open relief valves under certain conditions. SECY-83-293 did not address these failures. This study considered that stuck open relief valves during ATWS would be safely mitigated if HPI was successful. Failure of a POR V or SRV to reclose would lead to a demand for HPR for long term core cooling. HPR would not be required until the R WST was deple-ted, at which time the reactor would be subcritical due to previous boration. The branch for Q s then represents a transfer to the s2 LOCA tree.
| |
| 4.4.11.2 ATWS Event Tree and Phenomenology The ATWS event tree is shown in Figure 4.4-12. The headings were developed to include all of the essential phenomenological considerations which were discussed in the previous section. Containment systems were not included on the event tree because ATWS events do not impair the operability of any containment system.
| |
| Each of the headings on the tree is discussed below.
| |
| R - Manual Reactor Trip - This is the first heading on the tree. If the operator manually scrams the reactor, A TWS is over and there are no further unique mitigative requirements. Manual re.actor scram must occur with one minute. It is accomplished by opening the reactor trip breakers. This can be done by de-energizing the shunt trip from the control room or removing power at the motor-generatoJ set.
| |
| PL - Power Level - This heading does not represent an action or a system failure, but is a logic model convenience to delineate different success criteria for the high and low power condition.
| |
| Z - Moderator Temperature Coefficient - As with the power level heading, this is a logic model convenience to delineate the three conditions of MTC. The use of two headings, z1 and Z, separates the:: tree into three regimes. z1 is very low moaerator temperature coefficient (less than -20pcm/F) and Z is unfavorable MTC (greater than -7pcm/F).
| |
| 4.4-54
| |
| | |
| AT\JS MRT PWR MTC MTC TBT PRV AFW RCV HPI LEVEL LO\J UNF TK -R -PL -21 -z -T -P2 -L2 -Q -D4 Sequence I CORE I COMMENTS I
| |
| : 1. TK OK I 2. TK-R OK I
| |
| I I
| |
| : 3. TK-R-D4
| |
| : 4. TK-R-Q CM OK GO TO S2
| |
| : 5. TK-R-Q-D4 CM
| |
| : 6. TK-R-L2 CM
| |
| : 7. TK-R-P2 CM
| |
| : 8. TK-R-T CM
| |
| : 9. TK-R-Z CM 1o. TK-R-21 OK I
| |
| I I
| |
| : 11. TK-R-Z1-D4
| |
| : 12. TK-R-21-Q CM OK GO TO S2
| |
| : 13. TK-R-Z1-Q-D4 CM
| |
| : 14. TK-R-Z1-L2 CM
| |
| : 15. TK-R-PL OK I
| |
| I I
| |
| : 16. TK-R-PL-D4
| |
| : 17. TK-R-PL-Q CM OK GO TO S2
| |
| : 18. TK-R-PL-Q-D4 CM TK-R-PL-L2 CM
| |
| .,19.
| |
| : o. TK-R-PL-P2 CM Figure 4.4-12 Event Tree for Tk -
| |
| Anticipated Transient Without Scram
| |
| | |
| T - Turbine* Trip - This heading identifies the requirement to trip the turbine within one minute of the initiating event.
| |
| P 2 - Primary *Pressure Relief - This heading identifies the need for the SR Vs and PORVs to open to maintain pressure below 3200 psi.
| |
| L2 - AFW - This heading represents a requirement for SG inventory makeup. This can be met by enhanced AFW. No credit was given for MFW following ATWS.
| |
| 0 - R VC - This requirement is for all relief valves to reclose after the initial pressure spike subsides. If a PORV or SR V fails to reclose, it causes a requirement for HPI flow from SI or charging pumps.
| |
| D4/D2 - HPI - This heading represents the need for emergency bora tion, using the HPI pumps and boric acid transfer pumps (D 4). o 2 is required for those sequences where a relief valve has failed to reclose. Success ofr1PI, drawing suction from the RWST will provide subcriticality as well as inventory makeup.
| |
| 4.4.11.3 ATWS Sequences Sequence 1 represents the case in which the operator responds to ATWS and is able to manually trip the reactor. If this cannot be accomplished, then the remaining sequences in the event tree address the possible alternative responses of the plant to such a situation.
| |
| Sequence 2 represents failure to effect manual scram, almost entirely due to mechanical failures of the reactor protection system which can not be mitigated by manual scram.
| |
| Sequence 2 is from high power with MTC in a high, but mitigable range. Turbine trip occurs, either manually or due to circuitry that was not failed by the ATWS initiator.
| |
| Turbine trip prevents overcooling and thus does not exacerbate the existing reactivity imbalance. Primary pressure increases to the point where POR Vs and SVs are demanded. Sequence 2 represents successful opening of sufficient relief valves to maintain pressure below 3200 pst Auxiliary feedwater starts and maintains SG water levels. Emergency boration is successful in establishing subcriticality and all relief valves reclose after the pressure subsides. The sequence ends in stable hot shutdown with the reactor subcritical on boron.
| |
| In Sequence 3, emergency boration is not successful. The reactor remains pressurized at some value higher than the RV set points. Continu~d power generation maintains this pressure and causes continued discharge through the relief valves. Due to the elevated primary pressure, the charging pumps can not maintain RCS inventory, thus leading to degraded core cooling and core damage.
| |
| Sequence 4 represent~ failure of the safety relief valves or POR Vs to reclose, after boration has been successful. Although subcriticality is achieved in this sequence, there remains a continual need for coolant makeup. This sequence transfers to the s2 tree for evaluation of HPR, LPR, and containment systems. Sequence 5 leads to core cfamage in a similar manner to Sequence 3.
| |
| Sequence 6 represents failure of enhanced AFW. Loss of steam generator heat removal will cause the primary pressure to increase above 3200 psi in spite of successful relief valve opening. The continued maintenance of pressure above the shutoff head of the charging pumps will prevent boron injection. Unreplaced loss of inventory will lead to core damage.
| |
| 4.4-56
| |
| | |
| Sequence 7 rep_resents insufficient pressure relief in the RCS. Primary pressure will exceed 3200 psi. Potential outcomes of this sequence are a LOCA caused elsewhere due to the pressure and plastic deformation of the check valves on the injection lines; thereby preventing any inventory makeup.
| |
| Sequence 8 is failure of turbine trip. The resultant overcooling will add reactivity to the core, thus aggravating the existing reactivity balance.
| |
| Sequence 9 represents those small percentages_ of times that the core parameters (MTC) are such that ATWS can not be mitigated at all.
| |
| Sequences 10 through 14 represent the percentage of time that MTC is so low that turbine trip, and relief valve operation are not necessary to _control primary pressure below 3200 psi. Emergency boration and AFW are required, just as in Sequences 2 through :5.
| |
| Sequences 15 through 20 represent ATWS initiated from low power~, thereby eliminating the concern about MTC and turbine trip. Sequences 15 through 20 are similar to 2 through 7.
| |
| 4.4-57
| |
| | |
| 4.5 Plant Darnage *State* Definition
| |
| * The process by which initiating events were identified and grouped is described in Section 4.3, and the initiators used in this study are listed in Table 4.3-1. Section 4.4 discussed the first stage of the two stage event tree analysis process~ The first stage identified the dominant event sequences that lead to core damage. This secti(?n discus-ses the second stage of the event tree analysis process, the plant damage state identi-fication. This stage delineates the dominant core damage sequences into plant damage states (PDSs).
| |
| The plant damage state analysis for this study involved the identification of detailed PDS categories using a seven-state indicator. The resultant number of plant damage states, using the seven state indicators was inefficient and cumbersome for the containment event tree quantification process. Therefore, the seven state indicators were grouped into a more manageable number of entities, called plant damage state groups. The frequencies of the seven state indicators were used to calculate split fractions which were used in the containment event tree quantification.
| |
| An overview of the plant damage state analysis is presented in Section 4.5.1, followed in Section 4.5.2 by descriptions of the seven indicators used to define the plant damage states. The PDS analyses for the dominant core damage sequences is described in Section 4.5.3. The final grouping into seven plant damage state groups is discussed in Section 4.5.4.
| |
| 4.5.1 Event Tree/Plant Damage State Analysis Process The event trees developed in Section 4.4 generate the first part of the information needed to assess the severity of accident consequences - namely, whether or not core damage occurs.. Core damage is the most significant mechanism for releasing radionuclides from the core. The safety implications of non-core-damage accidents are negligible by comparison.
| |
| The event trees shown in Section 4.5.3 generate the second part of the information needed to assess the severity of accident consequences -- namely, the degree to which the containment systems remain operable as a means of preventing or reducing the amount of radionuclide release following a core damage condition.
| |
| The event trees developed in Section 4.4 include only those events and systems needed to detennine whether or not the accident sequences would lead to core damage -- whether by direct or indirect means. This consideration was particularly important with r.~spect to the containment systems. It was recognized that failures of containment syste~s can put the plant in a core vulnerable state in which it is possible, under certain circumstances, for core damage to be caused indirectly as a consequence of the containment failures. However, under such conditions, it is not necessary to know which containment system (or which combination of containment systems) failed -- only that some form of failure occurred. Thus, the status of the containment systems was simplified for the stage one event tree analysis by using only a single top event, CS, to track all forms of containment heat removal failure. Additional event tree headings were added to further delineate containment spray and containment heat removal systems. For those cases, where the existing fault tree structure was not sufficient to distinctly identify a unique PDS, split fractions were developed through individual analysis of the fault trees for those systems in question. Thus, top events for the following containment systems had to be specified.
| |
| 4.5-1
| |
| * C Containment spray system (CSS)
| |
| F1 Inside spray recirculation (ISR)
| |
| F2 Outside spray recirculation (OSR) 4*.5.2 Definitions of the Plant Damage State Indicators A total of seven indicators were used to identify a plant damage state. The seven indicators address the following issues:
| |
| Status of RCS at onset of core damage Status of ECCS Status of containment heat removal capability Status of AC power RWST injection capability Steam generator heat removal capability Status of RCP seal cooling An eighth indicator was originally used to indicate the status of containment isolation.
| |
| However, the analysis of containment isolation failure showed it to be independent of events in the core damage sequences. This indicator was eliminated and status of con-tainment isolation is entered directly on the containment event tree as an independent event.
| |
| Each of these indicators is discussed below, in the order in which they appear in the individual PnS designators.
| |
| : 1) Status of RCS at Onset of Core Damage For the purposes of containment analysis, it is important to know the pressure of the reactor coolant system and its integrity at the time of vessel failure. The vessel failure referred to is that caused by the onset of core damage. The expected RCS pressure was related to RCS integrity in this analysis. Eight categories of the RCS integrity status were identified and related to the initiating events, as shown in Table 4*.5-1.
| |
| It should be pointed out that, although the first character in the PDS designator: is commonly referred to as the initiating event, the way that it was used in the containment event tree (CET) analysis is to indicate the integrity of the RCS at the onset of core damage.
| |
| Hence, the first character in ~he PDS designator may differ from the sequence initiating event. For example, if the initiating event is a transient such as a loss of offsite power, and if an RCP seal failure occurs before the onset of core damage, then the CET would treat this case as a small break in classifying the status of the RCS.
| |
| : 2) Status of ECCS Another key indicator for the. containment analysis is the past and present status of high and low pressure injection or recirculation cooling. Five categories were identified relative to the ECCS, as shown in Table 4*.5-1.
| |
| 4*.5-2
| |
| | |
| Table 4.5-1
| |
| * Category Definitions for PDS Indicators
| |
| : 1. Status of RCS at Onset of Core Damage T no break (transh:mt)
| |
| A large LOCA (6" to 29")
| |
| Sl medium LOCA (2" to 6")
| |
| S2 small LOCA (1/2" to 2")
| |
| S3 very small LOCA (less than 1/2")
| |
| G steam generator tube rupture with SG integrity H steam generator tube rupture without SG integrity V interfacing LOCA
| |
| : 2. Status of ECCS I operated in injection only B operated in injection, now operating in recirculation R not operating, but recoverable N not opera ting and not recoverable L HPI failed, but LPI operable if pressure is reduced
| |
| : 3. Status of Containment Heat Removal Capability Y opera ting or operable if/when needed R not operating, but recoverable N never operated, not recoverable .
| |
| S sprays operable, but no CHR (no SW to HXs)
| |
| : 4. Status of AC Power Y available R not available, but recoverable N not available, not recoverable
| |
| : 5. R WST Injection Capability \
| |
| Y fully injected into containmel\lt R not fully injected, but could ti,e injected with power recovery N not fully injected, cannot be injected in future
| |
| : 6. Steam Generator HeafRemoval Capability X at least one AFWS operating, SGS not depressurized Y at least one AFWS operating, SGS depressurized C steam driven pump operated until battery depletion, electric driven pump recoverable with* power recovery -- SGS not depressur ized D steam driven pump operated until battery depletion, electric driven pump recoverable with power recovery -- SGS depressur ized S steam driven pump failed at beginning, electric driven pump recoverable with power recovery N no AFWS operating, no AFWS recoverable
| |
| : 7. Status of RCP Seal Cooling I
| |
| * Y operating R not opera ting, but recoverable N not opera ting and not recoverable 4.5-3
| |
| : 3) Status of Containment Heat Removal Capability The third key indicator for containment analysis is whether or not containment heat removal is available. For plant damage state definition, this was defined to be the availability of at least one recirculation spray trai11, with service water being supplied to the heat exchanger. The alternate means of containment heat removal
| |
| *
| |
| (via AFW) included in the first stage event tree analysis would not be available after vessel failure. Four categories were used for this indkator. For this indicator it was not necessarily possible to identify a unique state from the sequence outcome. Split fractions were developed to partition containment failure states into PD states.
| |
| : 4) Status of AC Power The fourth key indicator identified for the containment analysis is to know whether or not the AC power needed for safety systems is available. Two status categories were identified for this indicator.
| |
| : 5) R WST Injection Capability Another key indicator for the containment analysis is to know whether or not the reactor cavity is full of water. After comparing the RCS volume with the cavity volume, it was determined that, in order to assure that the cavity is full of water~ the R WST must be fully injected into the containment. That is, no partial credit was taken for R WST injection. Three categories were identified for this indicator.
| |
| * 6) Steam Generator Heat Removal Capability The sixth key indicator for containment analysis is knowing the status of the AFW system and its ability to provide steam generator heat removal. Six status categories were used for this indicator.
| |
| : 7) Status of RCP Seal Cooling The last key indicator concerns the availability of cooling to the RCS pump seals, which provides a direct measure of the ability to preserve the reactor coolant pressure boundary at the reactor coolant pump seals. Three status categories were used for this indicalor.
| |
| The category status identified for each of the seven PDS indicators are listed in Table 4*.5-1.
| |
| Considering the number of choices for each of the seven PDS indicators, there are potentially 25,920 different plant damage states. Even if it is estimated that half of those are logically impossible or nullsets, this leaves a total of about 12,000 admissible plant damage states.
| |
| Rather than attempting to estimate the frequency for each of the approximately 12,000 PDSs, the approach taken was to partition all core damage sequences greater than
| |
| * lE-7 /yr to the appropriate plant damage stak~. All PDSs with frequencies greater than 1E-7 /y.r were retained for containment. event tree analysis. PDSs with frequencies
| |
| | |
| between lE-9/yr and lE-7/yr were compared to the PDSs above lE-7~ If any PDS
| |
| * between lE-9 and lE-7 represented a substantially more severe containment state than any of the PDSs above lE-7 /yr, it was retained for further analysis. The results were also checked to be sure that the total resultant PDS frequency compares to the total core damage frequency.
| |
| 4.5.3 Plant Damage State Analysis This section describes the plant damage state analysis of each sequence. There were 37 individual core damage sequences, with point estimate frequency above 1E-7 /yr after recovery actions were included. Each of these were delineated into plant damage states.
| |
| The 37 sequences and their point foot mean value) estimate frequencies are shown in Table 4*.5-2. The distribution of sequences amongst initiator types is shown in Table 4*.5-3.
| |
| Because there are no non-SBC Tl events in the dominant sequences, a bridge tree was not developed for T 1* There are 7 station blackout sequences above 1E-7 /yr. Eleven of them involve one unit station blackout and six involve a dual unit station blackout. A bridge tree was not necessary for blackout sequences because all containment systems are inoperable. PDS initiators could be assigned by inspection of the cut sets and selection of the appropriate indicators.
| |
| The bridge trees are shown as a formality in Figures 4.5-1 and 4.5-2. The dominant core damage sequences are indicated on the event tree and assigned to plant damage states as
| |
| * shown
| |
| * The two dominant T2 sequences are T LD 2 and T2LP. The containment response tree for 4
| |
| T2 is $hown in Figure 4*.5-3. It is similar to the core damage tree except that event CS has been expanded into three headings to delineate operability of individual containment systems. The dominant plant damage states for these two sequences are shown on the event tree.
| |
| There are five dominant T7 sequences. The containment response tree for T7 is shown in Figure 4*.5-4. It is similar to the core damage tree except that event CS has been expanded into three headings to delineate the operability of containment systems.
| |
| The T70 0 Q5 and T70n00s sequences represent loss of steam generator integrity, which violates containment for these sequences. Questions of containment integrity were the ref ore not asked for these sequences. They were assigned to a single plant damage state without further delineation of containment system operability. The PDS delineation of the other sequences to their dominant states are shown in Figure 4*.5-4.
| |
| There are three dominant large LOCA sequences. They are AD.5~ AH1, and AD6. The containment response tree is shown in Figure 4*.5-.5. It is similar to the core damage tree except that event CS has been expanded into three headings to delineate operability of individual containment systems. The dominant plant damage states for these three sequences are shown on the event tree *
| |
| * 4.5-5
| |
| | |
| Table 4.5-2 Surry Dominant Sequence Point Estimate Frequency Annual Percent Frequency
| |
| * of Accident Segyence (Per Rx-Yr) Total T1S1-NR7 5.2E-06 15.6%
| |
| T1S1-QS-L 3.7E-06 11.1%
| |
| T1Sl-W2-SL-NRS 2.7E-06 8.1%
| |
| T1S1-QS-NR7 1.9E-06 5.7%
| |
| T1SB-SL-NRS 1.SE-06 5.4%
| |
| T1S1-Q-NR1 1.4E-06 4.2%
| |
| T7-0D-QS 1. 4E-06 4.2%
| |
| Sl-Hl 1. 3E--06 3.9%
| |
| V 1.2E-06 3.6%
| |
| T1S1-QS-W2-SL-NRS 1.lE-06 3.3%
| |
| Sl-D6 9.4E-07 2.8%
| |
| A-D5 8.5E-07 2.5%
| |
| TK-R-Z 8.4E-07 2.5%
| |
| Sl-Dl 8.lE-07 2.4%
| |
| T2-L-P 7.7E-07 2.3%
| |
| T2-L-D2 7.2E-07 2.1%
| |
| T1SB-QS-SL-NRS 7.lE-07 2 .1%
| |
| A-Hl 6.7E-07 2.0%
| |
| S3-Dl 6.3E-07 1.9%
| |
| TK-R-D4 5.GE-07 1. 7%
| |
| T1Sl-Q-QS-NR1 5.lE-07 1.5%
| |
| A-D6 4.7E-07 1.4%
| |
| S2-Dl 4.3E-07 1. 3%
| |
| TlSB-QS-L 3.SE-07 1.1%
| |
| T1Sl-L 3.SE-07 1.1%
| |
| T1Sl-W2-NR7 3.0E-07 0.9%
| |
| TlSB-Q-NRl 2.GE-07 0.8%
| |
| T1SB-L 2.5E-07 0.7%
| |
| T1SB-NR7 2.0E-07 0.6%
| |
| T7-0l-0D 1.9E-07 0.6%
| |
| T1Sl-W2-0D-SL-NRS 1.5E-07 0.4%
| |
| T5A-L-P 1.4E-07 0.4%
| |
| T5B-L-P 1.4E-07 0.4%
| |
| T1Sl-QS-W2-NR7 1.2E-07 0.4%
| |
| T7-0D-Q-QS 1.2E-07 0.4%
| |
| T7-K 1.0E-07 0.3%
| |
| T7-L3 1.0E-07 0.3%
| |
| Total Core Damage Frequency 3.3E-05
| |
| * Note: The individual and total frequencies listed are sequence point estimates developed using the propagation of
| |
| * event mean values and are not sequence mean values.
| |
| 4.H*
| |
| * Table 4.5-3 Sources Of Dominant Core Damage Sequences Number of Dominant Initiating Event Description Core Damage Sequences Tl Loss of offsite power with o an operable DG T1Sl Unit 1 station Blackout (SBO) 11 T1SB Unit 1 and Unit 2 SBO 6 T2 Loss MFW 2 T3 Turbine Trip 0 T5 Loss DC Bus 2 T7 SGTR 5 A Large LOCA 3 Sl Medium LOCA 3 S2 Small LOCA 1 S3 Very Small LOCA 1 TK ATWS 2 V Interfacing LOCA Total 37
| |
| * 4.5-7
| |
| | |
| SBO NRAC- RCI SGI AF\I NRAC- SEAL OPER. RCP NRAC- NRAC-AT HALF ONE COOL DPRES SEAL SEAL SEVEN UNIT1 HOUR HOUR FM U2 LOCA LOCA HOURS T1S - Q- QS- L NR1 W2- o- SL- NRS NR7 Sequence I CORE I PL DAMAGE ST I
| |
| : 1. T1S OK I 2. T1S- OK I
| |
| I I 3.
| |
| 4.
| |
| T1S-NR7 T1S-W2-CM OK TRRR-RDY I I 5.
| |
| 6.
| |
| T1S-W2-NR7 T1S-W2-SL-CM OK TRRR-RDR
| |
| : 7. T1S-W2-SL-NRS CM S3RRR-RDR
| |
| : 8. T1S-W2 OK I
| |
| I I 10.
| |
| : 9. T1S-W2-0-NR7 T1S-W2-0-SL-CH OK TRRR-RCR
| |
| : 11. T1S-W2-0-SL-NRS CH S3RRR-RCR
| |
| : 12. T1S-L CM TRRR-RSR
| |
| : 13. T1S-QS- OK I
| |
| I I 14.
| |
| 15.
| |
| T1S-QS-NR7 T1S-QS-W2-CH OK TRRR-RDY I I 16.
| |
| 17.
| |
| T1S-QS-W2-NR7 T1S-QS-W2-SL CH OK TRRR-RDR
| |
| : 18. T1S-QS-W2-SL-NRS CM S3RRR-RDR
| |
| .,19. T1S-QS-L CM TRRR-RSR I ., O.1.
| |
| T1S-Q-T1S-Q-NR1 OK CM S2RRR-RCR
| |
| .,- 2. T1S-Q-L CM TRRR-RSR
| |
| -.,
| |
| : 3. T1S-Q-QS- OK I ., 4. T1S-Q-QS-NR1 CH S2RRR-RDR
| |
| -'..)
| |
| : 5. T1S-Q-QS-L CM Figure 4.5-1 Bridge Tre.e for T1 8 -
| |
| Station Blackout for Unit 1
| |
| * SBO NRAC- RCI SGI AFW NRAC- OPER. RCP NRAC- NRAC-BOTH HALF TOP ONE DPRES SEAL ' SEAL SEVEN UNITS HOUR FM U1 HOUR LOCA LOCA HOURS T1S - Q- QS- L NR1 o- SL- NRS NR7 Sequence I CORE I Pl DAMAGE ST_ I
| |
| : 1. T1S OK I 2. T1S- OK I
| |
| I I
| |
| : 3. T1S-NR7
| |
| : 4. T1S-SL-CM OK TRRR-RDR
| |
| : 5. T1S-SL-NRS CM S3RRR-RDR
| |
| : 6. T1S-O- OK I
| |
| I I
| |
| : 7. T1S-O-NR7 B. T1S-O-SL-CM
| |
| *OK TRRR-RCR
| |
| : 9. T1S-O-SL-NRS CM S3RRR-RCR
| |
| ~ 1o. T1S-L CM TRRR-RSR C,IJ I
| |
| cc 1 1. T1S-QS- OK I
| |
| I I
| |
| : 12. T1S-QS-NR7
| |
| : 13. T1S-QS-SL-CM OK TRRR-RDR
| |
| : 14. T1S-QS-SL-NRS CM S3RRR-RDR
| |
| : 15. T1S-QS-L CM TRRR-RSR
| |
| : 16. T1S-Q- OK I 17. T1S-Q-NR1 CM S2RRR-RCR
| |
| : 18. T1S-Q-L CM TRRR-RSR
| |
| : 19. T1S-Q-QS- OK I ., o. T1S-Q-QS-NR1 CM S2RRR-RDR
| |
| ')
| |
| : 1. T1S-Q-QS-L CM Figure 4.5-2 Bridge Tree for Tis -
| |
| Station Blackout at Both Units
| |
| | |
| LOSS RPS RCI Afl.l SIF CCY HPI PRV css !SR OSR CORE LPR HPR
| |
| ~F VULNR MFIJ TO CD T2 -K -a -L -D3 -Y -D2 -P -c -Fl -F2 -CV -Hl -H2 Sequence I CORE I PL DAMAGE ST I
| |
| : 1. T2 OK I 2. T2-D3 OK I 3. T2-D3-IJ SEAL VULN
| |
| : 4. T2-L OK I
| |
| I 5.
| |
| 6.
| |
| 7.
| |
| T2-L-H2 T2-L-H1 T2-L-F1 CM CM OK I
| |
| I 8.
| |
| 9.
| |
| T2-L-F1-H2 T2-L-F1-H1 CM CM
| |
| : 10. T2-L-F1-F2 OK I 11. T2-L-F1-F2-CV CM
| |
| : 12. T2-L-C OK
| |
| .
| |
| ~
| |
| c.n I I 13. T2-L-C-H2 CM I
| |
| I-'
| |
| : 14. T2-L-C-H1 CM 0 15. T2-L-C-F1 OK I 16. T2-L-C-F1-CV CM
| |
| : 17. T2-L-P CM TBYY-YNY
| |
| : 18. T2-L-P-F1 CM T2-L-P-F1-F2 CM
| |
| .,19.
| |
| : 0. T2-L-P-C CM
| |
| ']
| |
| : 1. T2-L-P-C-F1 CM
| |
| .., 2. T2-L-D2 CM
| |
| - TLYY-YNY
| |
| ']
| |
| : 3. T2-L-D2-F1 CM
| |
| ..,
| |
| - 4. T2-L-D2-F1-F2 CM
| |
| ']
| |
| : 5. -T2-L-D2-C CM
| |
| .., 6. T2-L-D2-C-F1 CM
| |
| -
| |
| ']
| |
| : 7. T2-Q CM
| |
| .,- 8. T2-K GO TO ATIJS Figure 4.5-3 Bridge Tree for Tz -
| |
| Loss of Main Feedwater
| |
| * SGTR RPS HPI AF\J css ISR OSR OPER. RCI SGI LPR HPR DPRES T7 -K -D1 -L3 -c . - F1 -F2 -OD -Q -as -H1 -H2 Sequence I CORE I PL DAMAGE ST I
| |
| : 1. T7 OK I I
| |
| : 2. T7-QS
| |
| : 3. T7-Q OK OK
| |
| : 4. T7-Q-H1 CM
| |
| : 5. T7-Q-QS CM I 6. T7-Q-QS-H1 CM
| |
| : 7. T7-00 OK I I
| |
| : 8. T7-00-QS
| |
| : 9. T7-00-Q CM OK HINY-NXY I 1o. T7-00-Q-H2 11
| |
| * T7-0D-Q-H1 CM CM
| |
| : 12. T7-0D-Q-QS CM HINY-YXY
| |
| : 13. T7-L3 CM GLYY-YNY I 14. T7-L3-F1 CM I 15. T7-L3-F1-F2 CM
| |
| : 16. T7-L3-C CM I 17. T7-L3-C-F1 CM
| |
| : 18. T7-D1 OK I 19. T7-D1-QS
| |
| '.)
| |
| : o. T7-D1-Q CM CM CM GLYY-YXY
| |
| - 1. T7-D1-0D
| |
| ')
| |
| - 2. T7-D1-L3 CM
| |
| ')
| |
| '.)
| |
| : 3. T7-K CM GLYY-YXY Table 4.5-4 Bridge Tree for T7 -
| |
| Steam Generi;i.tor Tube Rupture
| |
| | |
| LARGE ACC LPI css JSR OSR CORE LPR LOCA VULNR TO CD A -OS c -F1 -F2 -CV -H1 Sequence I COREi PL DAMAGE ST I
| |
| : 1. A OK I
| |
| I I
| |
| : 2. A-H1
| |
| : 3. A-F1 CM OK AIYY-YYN I I
| |
| : 4. A-F1-H1
| |
| : 5. A-F1-F2 CM OK I 6. A-F1-F2-H1
| |
| : 7. A-F1-F2-CV CM CM AINY-YYN
| |
| : 8. A-C OK I
| |
| I I
| |
| : 9. A-C-H1
| |
| : 10. A-C-F1 CM OK
| |
| : 11. A-C-F1-CV CM
| |
| : 12. A-06 CM ANYY-YYN I 13. A-D6-F1 CM I 14. A-D6-F1-F2 CM
| |
| : 15. A-06-C CM I 16. A-D6-C-F1 CM ANNY-NYN
| |
| : 17. A-05 CM ALYY-YYY I 18. A-DS-F1 CM I 19. A-D5-F1-F2 CM
| |
| ')
| |
| : 0. A-05-C CM I
| |
| - 1. A-DS-C*F1
| |
| "' CM Figure 4.5-5 Bridge Tree for A -
| |
| Large LOCA
| |
| *
| |
| * There are three dominant intermediate LOCA sequences. They are s1D, SH 1, and S1 D6. The containment response tree is shown in Figure 4.5-6. It is similar to the core damage tree except that event CS has been expanded into three headings to delineate operability of individual containment systems. The dominant plant damage states for those three sequences are shown on the event tree.
| |
| s2D 1 is the only dominant small LOCA sequence. The containment response tree for s2 is shown in Figure 4.5-7. It is similar to the core damage tree except that event CS has been expanded into three headings to delineate operability of individual containment systems. The dominant plant damage states for s2n 1 are shown on the event tree.
| |
| S3D1 is the only dominant sequence for the s3 initiating event category. The containment response tree is shown in Figure 4.5-8. It is similar to the core damage tree except that event CS has been expanded into three headings to delineate operability of individual containment systems. The dominant plant damage states for s3n 1 are shown on the event tree. .
| |
| There are two dominant ATWS sequences. They are TKRD 4 and TKRZ, where T is a combined transient initiator. A containment response tree for ATWS was not necessary in order to evaluate plant damage states. The failures which lead to core damage during ATWS are independent of the containment systems. Containment system failure can be evaluated independently from the core damage sequence evaluation.
| |
| 4.5.4 Regrouping of Plant Damage States The individual plant damage states were placed into seven plant damage state groups in order to facilitate the quantification of the containment event tree.
| |
| The grouping of the PDSs is shown in Table 4.5.4.
| |
| PDS Group 1 consists of six Slow Blackout PDSs. In these accidents, offsite power is lost and the diesel generators fail to start or run. The steam-turbine-driven AFW pump is available until the batteries are depleted, thus failing power for instruments and controls. Battery depletion is estimated to take about 4 hours. For some sequences in group 1, the RCP seals may fail or the PORVs may stick open. Thus, the six PDSs in this group have the RCS in different conditions when core damage begins.
| |
| In two of the PDSs in this group, the RCS is intact at the time of core uncovering.
| |
| Another two of the PDSs have Srsize breaks (failures of the reactor coolant pump seals),
| |
| and the final two PDSs in this group have Si-size breaks (stuck-open POR Vs). The difference between the two "T" PDSs in Group -1 is whether there is cooling to the RCP seals. The difference between the two 11S311 PDSs is whether the secondary system is depressurized before the core uncovers and while the AFW is operating.
| |
| PDS Group 3 consists solely of TRRR-RSR - Fast Blackout. In this accident, auxiliary feedwater fails to start and run. The dominant failures occur early in the sequence, thus the "fast" blackout nomenclature. Core damage occurs before the RCP seals are likely to fail.
| |
| PDS Group 2 consists of seven LOCA PDSs. Four of the PDSs have an A-size break, and two of the PDSs have an Si-size break. There is one PDS with an S2-size break and one PDS with an S3-size break. Four of the PDSs in this group have the LPIS operating. In PDS ALYY-YYY, the accumulators have failed and the LPIS is operating successfully (all 4.5-13
| |
| | |
| MED HPI ACC css ISR OSR CORE LPI LPR LOCA VULNR TO CD S1 -D1 -D5 -c -F1 -F2 -CV -D6 -H1 Sequence I CORE I PL DAMAGE ST I
| |
| : 1. 51 OK I
| |
| I 2. S1-H1
| |
| : 3. S1-D6 CM CM S1.IYY-YYN S1NYY-YYN
| |
| : 4. S1-F1 OK I
| |
| I 5. S1-F1-H1
| |
| : 6. S1-F1-D6 CM CH
| |
| : 7. S1-F1-F2 OK I
| |
| I 8. S1-F1-F2-H1
| |
| : 9. S1-F1-F2-D6 CM CM S11NY-YYN 1o. S1-F1-F2-CV CM
| |
| : 11. S1-C OK I
| |
| I 12. S1-C-H1
| |
| : 13. S1-C-D6 CM CM
| |
| : 14. S1-C-F1 OK I 15. S1-C-F1-D6 CM
| |
| : 16. S1-C-F1-CV CM
| |
| : 17. S1-D5 CM
| |
| : 18. S1-D1 CM S1LYY-YYN
| |
| : 19. S1-D1-f1 CM
| |
| ")
| |
| : o. S1-D1-F1-f2 CM
| |
| ... 1. S1-D1-C
| |
| - CM
| |
| -.... 2. S1-D1-C-f1 CM S1LNY-NYN Figure 4.5-6 Bridge Tree for S1 -
| |
| Medium LOCA
| |
| | |
| SHALL RPS LOCA S2 -1(
| |
| HPI
| |
| -Dt AFW
| |
| -L PRV
| |
| -Pt css
| |
| -c ISR
| |
| -Ft CSR OPER CORE
| |
| -F2 DPRES VULNR
| |
| -00 TO CD
| |
| -CV l
| |
| LPR
| |
| -Ht HPR
| |
| -H2
| |
| : t. S2 Sequence CORE PL DAMAGE ST OK
| |
| * l 2. S2-Ht
| |
| : 3. S2-00 i=__= 4. S2-00-H2 CH OK l 5. S2-00-Ht CH CH
| |
| : 6. S2-Ft 01(
| |
| I I 7. S2-Ft-Ht
| |
| : 8. S2-Ft-OO CH OK L__ 9. S2-Ft-OO-H2 I 1O. S2-Ft-OO-Ht CH CH 1t. S2-Ft-F2 01(
| |
| l I 12. S2-Ft-F2-Ht
| |
| : 13. S2-F1-F2-CV CH CH S21NY-YYN
| |
| : 14. S2-C OK I
| |
| l ~~
| |
| : 15. S2-C-Ht
| |
| : 6. s2-c-oo CH OK I 7. S2-C-OD-H2
| |
| : 18. S2-C-OD-Ht CH CH
| |
| : 19. S2-C-Ft OK I ~
| |
| O. S2-C-Ft-CV CH
| |
| : t. S2-L OK c::_j I 2. S2-L-H2
| |
| : 23. S2-L-H.t
| |
| -4. S2-L-Ft CM CH OK I L_i5. S2-L-Ft-H2
| |
| .
| |
| ~
| |
| : 6. S2-L-Ft-Ht CH CM
| |
| : 7. S2-L-Ft-F2 OK l - 8. S2-L-Ft-F2-CV CH
| |
| - 9. S2-L-C L......._j,O. S2-L-C-H2 OK I .
| |
| ...2.t. S2-L-C-Ft S2-L-C-Ht CH CH OK I
| |
| .., 3. S2-L-C-Ft-cv CH
| |
| ~
| |
| : 4. S2-L-Pt CH
| |
| : 5. S2-L-Pt-F1 CM
| |
| . 6. S2-L-Pt-Ft-F2 T . 7. S2-L-Pt-F1-F2-CV QI(
| |
| CH
| |
| .. 8. S2-L-Pt-C CM
| |
| . 9. S2-Dt CH S2LYY-YYN
| |
| . O. S2-Dt-Ft CH
| |
| .
| |
| ' t. S2-Dt-Ft-F2
| |
| : 2. S2-D1-C CM CH
| |
| : 3. S2*Dt-C-Ft CH S2LNY-NYN
| |
| .
| |
| ' 4. S2-Dt-C-Ft-F2
| |
| : 5. S2-K CH GO TO ATWS Figure 4.5-7 Bridge Tree for S2 -
| |
| Small LOCA
| |
| | |
| I\IERY RPS HPI RCI AFW MFW PRV css JSR OSR CORE OPER RHR LPR HPR SMALL VULNR DPRES LOCA TO CD S3 -K -D1 -QC -L -M -P -c -F1 -F2 -CV -OD -W3 -H1 -H2 Sequence I CORE I PL DAMA~E ST I
| |
| : 1. S3 OK I 2. S3-W3 OK I 3. S3-W3-H1 ~M
| |
| : 4. S3-0D OK I
| |
| I 5.
| |
| 6.
| |
| S3-0D-H2 S3-0D-H1 CM CM
| |
| : 7. S3-L OK I
| |
| I I 8.
| |
| 9.
| |
| S3-L-H1 S3-L-W3 CM OK 1O. S3-L-W3-H1 CM
| |
| : 11. S3-L-OD OK I
| |
| I 12.
| |
| 13.
| |
| S3-L-OO-H2 S3-L-OD-H1 CM CM
| |
| : 14. S3-L-M OK I
| |
| I 15.
| |
| 16.
| |
| S3-L-M*H2 S3-L-M-.H1 CM CM
| |
| : 17. S3-L-M-F1 OK I 18. S3-L-M-F1*F2 OK I 19. S3-L-M-F1-F2-CV CM
| |
| :,
| |
| I I ., O. S3-L-M-C OK I 1. S3-L-M-C*H2 CM I I
| |
| ., 2.
| |
| ~
| |
| 3.
| |
| 4.
| |
| S3*-L-M-C-H1 S3-L-M-C-F1 S3-L-M-C*F1-CV CM OK CH
| |
| .,5. S3-L-M-P CH
| |
| .
| |
| .,6. S3-QC GO TO S2
| |
| : 7. S3-D1 CM S3LYY*YYN
| |
| . 8. S3-D1-F1 CH I "]
| |
| : 9. S3-D1*F1-F2 CH "I
| |
| O. S3-D1-C CM
| |
| , 1. S3-D1*C*F1 CM S3LNY-NYN "I
| |
| : 2. S3-K GO TO ATWS Figure 4.5-8 Bridge Tree for S3 -
| |
| Very Small LOCA
| |
| * Table 4 *.5-4 Plant Damage State Groups for Surry Group Plant Damage Number Group Name States 1 Slow Blackout TRRR,..RDY S3RRR-RDR S2RRR-RDR TRRR-RDR S2RRR-RCR S3RRR-RCR 2 LOCAs S 1IYY-YYN s1NYY-YYN AIYY-YYN S 1LYY-YYN ALYY-YYY S3 LYY-YYN S2 LYY-YYN ANYY-YYN 3 Fast Blackout TRRR-RSR 4 Event V V 5 Transients TBYY-YNY TLYY-YNY 6 ATWS S3 NYY-YXN TLYY-YXY GLYY-YXY 7 SGTRs HINY-NXY GLYY-YXY GLYY-YNY HINY-YXY 4.5-17
| |
| * trains). For an A break, the success criteria require both accumulator injection and LPIS operation. Thus, even though the RCS pressure is low and the LPIS is injecting water successfully, core damage has been*
| |
| assumed. In PDS S 1 LYY-YYY, HPIS has failed and the LPIS is operating successfully (all trains). For an S1 break, the success criteria require HPI early in the accident and LPIS operation later. In this PDS also, the RCS pressure is low and the LPIS is injecting water successfully, but core damage has been assumed since the success criteria have not been met. In PDS S2 LYY-YYY and S 3 LYY-YYY, the break does not depressurize the RCS enough to allow LPI. Thus the accident will progress to vessel failure at a pressure too high to allow LPI unless a large temperature-induced break occurs or the'primary system is deliberately depressurized.
| |
| Group 4 consists solely of Event V. This is a large break in low pressure piping :following the failure of the two check valves that isolate the low pressure piping from the RCS. The break. is outside containment in the auxiliary building, so the break both fails the RCS pressure boundary and bypasses the containment.
| |
| Group 5 consists of two PDSs that have failure of both AFW and bleed and feed. This PDS group is called Transients. In PDS TBYY-YNY, both LPI and HPI are available and the PORVs are not opened. In PDS TLYY-YNY, only LPI is available. All AFW is failed and bleed and feed is not possible because the HPIS is failed.
| |
| * As all sources of feedwater are lost, it is not possible to depressurize the RCS. Some plants have procedures for emergency feed of the steam generators using fire water. These efforts were given little chance of success for two reasons. Many of the failures contributing to the sequence are operator errors, thus compounding the probability of subsequent errors. Secondly, the timing of the sequence leaves very little time to establish fire water to the SG, given previous failed attempts to restore feedwater and establish feed and bleed. Considera-tion of these two factors resulted in not allowing credit for further recovery from these sequences. Similarly, no credit was given for depressurizing the RCS after the onset of core damage in PDS Group 5.
| |
| Since there is RCP seal cooling and SGTRs are not very likely, the only effective means of depressurizing the RCS are the PORVs/SRVs sticking open or the failure of the hot leg/surge line. If the RCS pressure decreases to the low range, the LPIS will inject.
| |
| Group 6 contains the three ATWS PDSs. They differ in the status of the RCS at the time the core uncovers, whether the ECCS worked in the injec-.
| |
| tion phase, and in whether cooling for the RCP seals is operating or failed. In this group also, the LPIS is available in some of the PDSs, and will inject of the RCS reaches low pressure.
| |
| Group 7 consists of three PDSs that are initiated by SGTRs and which do not have scram failures. HINY-NXY is an SGTR with stuck-open SRVs in the secondary system. GIYY-YNY has the RCS PORVs open, since the operators are attempting to keep the core cooled by feed and bleed. It might have been denoted (G-S 2 ) IYY-RNYY.
| |
| into the containment.
| |
| HINY-NXY has no RWST water being injected In the other two PDSs, while some of the water lost from the RCS goes out of the containment through the SGTR, much more water is lost out of the PORVs and eventually into the containment.
| |
| 4.5-18
| |
| * 4.6 System Analysis
| |
| * The approach used to perform the system analysis was previously described in Section 4.2. Section 4.6.1 provides an introduction into the modeling of the systems performed in the Surry analysis, the general groundrules. used in the constr.uction of the fault trees, and the nomenclature used in the analysis. Sections 4.6.2 through 4.6.19 describe the modeling effort for each system. These subsections contain a system description, identification of interfaces and dependencies*, a discussion of operational constraints, a description of the models developed, specific assumptions used in modeling, and a discussion of the operational experience for each of the systems. The systems which were modeled in the Surry study are shown in Table 4.6-1.
| |
| 4.6.1 System Modeling and Scope System models were developed for each of the Unit 1 front line systems identified in the event tree headings and for all support systems required to operate these front line systems. Actuation systems, power conversion systems, and some Unit 2 systems were modeled by means of Boolean expressions which were incorporated into the sequence analysis at the appropriate levels. Fault tree models were constructed for all of the fluid delivery systems. Fault tree models were developed with top events corresponding to the success criteria used in the event tree analysis. Some systems have different success criteria in different circumstances, and hence different top events. In general, only Unit 1 systems were modeled. Some Unit 2 systems were modeled for use in the Station Blackout sequences.
| |
| * Modeling of the systems was performed at the component level. Electrical power dependencies were developed to the motor control center level. Common cause failures were included in the fault trees (see Section 4.7). Operator actions were included in the fault trees for isolated actions related to operation of a single system.
| |
| Throughout the system analysis process, groundrules and assumptions were made.
| |
| Assumptions about a specific system are provided in the specific system write-ups. The following general groundrules apply throughout the system analysis:
| |
| : 1. Control power (for closing breakers) for pumps is from the DC bus associated with the AC motive power bus, i.e., DC control power for pumps powered from the lH buses is from DC Bus lA and pumps powered from tne lJ buses is from DC Bus lB.
| |
| : 2. All control power for AC motor operated valves is supplied via a step-down transformer directly from the valve's motive power source.
| |
| : 3. For the purpose of calculating tallure probabilities, pump and valve breakers and control circuits are assumed to be .part of the component. Failure probabilities for "command faults" are included in the basic component failure rates.
| |
| : 4. Flow diversion through pathways less than one-third of the original pipe size are not considered to result in system functional failure, for
| |
| . open systems.
| |
| * 5* Room cooling and component cooling requirements were evaluated for the syste~s analyzed. None of the systems required room cooling for success.
| |
| 4.6-1
| |
| | |
| Table 4.6-1 Systems Included In The Surry System Analysis SYSTEM TYPE OF MODEL COMMENTS Accumulators Fault Tree Two top events modeled.
| |
| Auxiliary Feedwater Fault Tree/ Three top events modeled. Unit 2 Boolean Expression was modeled as a Boolean equation for station blackout sequences.
| |
| Charging Pump Cooling Fault Tree Three top events modeled for the three interfaces with the HPI/HPR fault trees.
| |
| Component Cooling Fault Tree/ One top event modeled. F.ault Water Boolean Expression tree only includes those portions of the Unit 1 CCW system necessary to provide cooling flow to the RCP thermal barriers and RHR system. A Boolean
| |
| .
| |
| ~
| |
| expression was developed for the Unit 2 CCW system.
| |
| Boolean Expression Two events modeled. Boolean expressions Consequence were developed to model CLCS dependencies Limiting Control on power. Generic failure data used on train l eve l
| |
| * Containment Spray Fault Tree One top event modeled.
| |
| Emergency Power Fault Tree Sixteen events modeled for the interfaces with other front line and support systems.
| |
| The power interfaces of components were modeled to the 480 VAC motor control center and 125 VDC bus level in the front line and support system fault trees *
| |
| * * *
| |
| * Table 4.6-1 (Cont'd)
| |
| Systems Included In The Surry System Analysis SYSTEM TYPE OF MODEL COMMENTS High Pressure Fault Tree/ Four top events modeled for injection Injection/Recirculation Boolean Expression supplied from Unit 1. One top event modeled for recirculation from Unit 1. Unit 2 supply to the RCP seals was modeled as a Boolean equation.
| |
| Inside Spray Fault Tree One top event modeled.
| |
| Recirculation Low Pressure Fault Tree One top event modeled for Injection/Recirculation injection. Two top events modeled for reci rcul at ion.
| |
| .
| |
| ~
| |
| 0\ Outside Spray I
| |
| w Fault Tree One top event modeled.
| |
| Reci rcul at ion Power Conversion Main Feedwater "Black Box" Model One top event modeled.
| |
| Surry has electric driven MFW pumps.
| |
| They were assumed to be unaffected by most BOP failures. MFW was assumed to be operable only for T3 , s3*
| |
| Steam Generators Boolean Expression Two top events modeled.
| |
| Turbine Bypass and Abbreviated Two top events modeled.
| |
| Main Condenser Fault Tree
| |
| . Primary Pressure Relief Fault Tree/ Three top events modeled in Boolean,Expression/ fault trees. One top event modeled "Black Box Model 11 by a Boolean equation. One top event 11 as a Black B0x model.
| |
| 11
| |
| | |
| Table 4.6-1 (Cont'd)
| |
| Systems Included In The Surry System Analysis SYSTEM TYPE OF MODEL COMMENTS Reactor Protection "Black Box" Model Two top events modeled. Generic data from NUREG-1000 was used for the RPS.
| |
| Recirculation Mode Boolean Expression Two events modeled. Boolean Transfer expressions were developed to model RMT system dependencies on power. Generic failure data used on train level.
| |
| Residual Heat Removal Fault Tree One top event modeled.
| |
| Safety Injection Boolean Expression Two events modeled. Boolean Actuation expressions were developed to model SIAS power dependencies.
| |
| Generic failure data used on train level.
| |
| Service Water Fault Tree Four events modeled for the four interfaces with the ISR and OSR fault trees *
| |
| * *
| |
| : 6. In general, only one term for unavailability due to test and maintenance (T &M) was included per system train. This was done to prevent "double counting" of T&M actions which may in fact be done simultaneously. The T&M values of pumps were used because their frequency is normally much larger than that of valves.
| |
| : 7. Mispositioning of valves prior to the initiating event was not considered in the cases where the valve position is annunciated in the control room or the valve received an automatic open signal from an actuation system. (See Section 4.7.1).
| |
| : 8. Plugging of normally open valves in normally operating systems was evaluated as negligible compared to other train faults.
| |
| : 9. Instrument air failure was included as an undeveloped event in the fault trees of systems that depended on instrument air. Fault tree analysis was not performed on the instrument air system.
| |
| In order to ensure that naming of failure events was oone consistently throughout the fault tree coding process, a standard coding scheme was established. This consistency was necessary to ensure that the dependencies and interfaces between the systems were properly accounted for when the individual system fault trees were merged with their support systems and the merged fault trees linked together to perform the accident sequence quantification. In addition, the standard coding scheme provides the analyst or reviewer a traceability of the events from the cutsets resulting from the accident sequence quantification to the individual fault trees.
| |
| The standard coding scheme developed utilized a sixteen character identifier. Each individua'l event code was composed of four parts, a system identifier, an event or component type identifier, a failure mode code, and a unique event identifier. Each of these parts was separated by a dash for readability. The system identifier was composed of -three characters which were selected to readily_convey the system to the reader. The list of system identifiers is provided in Table 4.6-2. The event or component type identifier was composed of three characters which identify the component type if a component fault, or the event type if other than a component fault. The list of event or component identifiers is included in Table t6-t The failure mode code was composed of two characters which identifies the failure mode associated with the fault. The list of failure mode codes is included in Table 4.6-3. The unique event identifier was composed of up to five characters which utilize a portion of the utility ID for a component or in the c:ase of non-component faults or grouped faults, conveys information about the fault type. The list of symbols used in the schematics is shown in Table 4.6-4.
| |
| 4~6.2 Accumulator Model The accumulators provide an initial influx of borated water to reflood the reactor core following a large loss of coolant accident (LOCA) or a medium LOCA on the upper end of the LOCA size definition. The accumulators are a front line safety system designed to provide core heat removaf. The following sections provide a physical description of the accumulators, identify the inte~faces and dependencies of the accumulators with other front line and support systems, list any operational constraints on the accumulators, provide a description of the fault tree model constructed for the accumultors, identify
| |
| * the specific assumptions made in the analysis' of the accumulators, and describe the operational experience available for the accumulators.
| |
| * Table 4.6-2 System, Component, and Event Identifiers Part 1: System Identifiers System Identifier System Name ACC Accumulators ACP AC Power System ARP Air Return Fan System ADS Automatic Depressurization System AFW Auxiliary Feedwater System or Emergency Feedwater System CPC Charging Pump Cooling System CHP Charging Pump System eve Chemical and Volume Control System CHW Chilled Water System csc Closed Cycle Cooling System ccw Component Cooling Water System CDS Condensate System CLS Consequence Limiting Control System CCU Containment Atmosphere Cleanup CGC Containment Combustible Gas Control CFC Containment Emergency Fan Cooler System CIS Containment Isolation System CSR Containment Spray Recirculation System css Containment Spray System CRD Control Rod Drive System DCP DC Power System DWS Drywell (Wetwell) Spray Mode of RHR System EHV Emergency Heating, Ventilation*, and Air Conditioning System ESP Engineered Safety Feature Actuation System ESW Essential Service Water System FHS Fuel Handling System HCI High Pressure Coolant Injection System HCS High Pressure Core Spray System HPR High Pressure Recirculation System HPI High Pressure Safety Injection System 4.6-6
| |
| *
| |
| * Table 4.6-2 (Continued)
| |
| System, Component, and Event Identifiers Part 1: System Identifiers Continued System Identifier System Name HSW High Pressure Service Water System ICS Ice Condenser System ISR Inside Containment Spray Recirculation System IAS Instrument Air System ISO Isolation Condenser System LCI Low Pressure Coolant Injection System LCS Low Pressure Core Spray System LPR Low Pressure Recirculation System LPI Low Pressure Safety Injection System MCW Main Circulating Water System (main condenser cooling water)
| |
| MFW Main Feedwater System MSS Main Steam System NHV Normal Heating, Ventilation, and Air Conditioning System OE.P Onsite Electric Power System OSR Outside Containment Spray Recirculation System PCS Power Conversion System PPS Primary Pressure Relief System (POR V/SRV)
| |
| RGW Radioactive Gaseous Waste System RLW Radioactive Liquid Waste System RBC Reactor Building Cooling Water System RCS Reactor Coolant System RCI. Reactor Core Isolation Cooling System RPS Reactor Protection System RMT Recirculation Mode Transfer System RHR Residual Heat Removal System SIS Safety Injection Actuation System sws Service Water System soc Shutdown Cooling Mode of RHR SGT Standby Gas Treatment System SLC Standby Liquid Coptrol System 4.6-7
| |
| * Table 4.6-2 (Contimed)
| |
| System, Component, and Event Identifiers Part 1: System Identifiers Contimed System Identifier System Name SPC Suppression Pool Cooling System (or suppression pool cooling mode of the RHR system)
| |
| SPM Suppression Pool Makeup System TBC Turbine Building Cooling Water System 4.6-8
| |
| * Table 4.6-2 (Continued)
| |
| System, Component, and Event Identifiers Part 2: Component Identifiers Component Identifier Air Cooling Heat Exchanger ACX Sensor/Transmitter Units:
| |
| Flow ASF Level ASL Physical Position ASO Pressure ASP Radiation ASR Temperature AST Flux ASX Circuit Breaker CRB Calculational Unit CAL Electrical Cable CBL Signal Conditioner CND Control Rods:
| |
| Hydraulically Driven CRH Motor Driven CRM Ducting DCT Motor Driven Compressor MDC Motor Driven Fan FAN Fuse FUS Diesel Genera tor DGN Hydrogen Recombiner Unit HRU Heat Exchanger HTX Inverter INV Electrical Isolation Device ISO Air Cleaning Unit ACU Load/Relay Unit LOD Logic Unit LOG Local Power Supply LPS Motor Genera tor Unit MGN Motor Operated*Damper MOD 4.6-9
| |
| | |
| Table 4.6-2 (Contimed)
| |
| Component System, Component, and Event Identifiers Part 2: Compment Identifiers Continued Identifier
| |
| * Pumps:
| |
| Engine Driven EDP Motor Driven MDP Turbine Driven TDP Manual Control Switch xsw Rectifier REC Transfer Switch TSW Transformer TFM Tank TNK Bistable Trip Unit TXX Air Heating Unit AHU Electrical Bus - DC BDC Electrical Bus - AC Manual Damper Pneumatic/Hydraulic Damper Battery BAC XDM PND BAT
| |
| * Valves:
| |
| Check Valve CKV Hydraulic Valve HDV Safety /Relief Valve SRV Solenoid Operat~d Valve sov Motor Operated Valve MOV Manual Valve XVM Air Operated Valve AOV Testable Check Valve TCV Explosive Valve EPV Filter FLT Instrumentation and Control Circuit ICC Strainer STR Heater Element HTR 4.6-10
| |
| * Table 4.6-2 (Continued)
| |
| System, Component, and Event Identifiers Part 2: Component Identifiers Continued Event Identifier Pipe Segment Fault PSF Pipe Train Fault PTF Actuation Segment Fault ACS Actuation Train Fault ACT AC Electrical Train Fault TAC DC Electrical Train Fault TDC Human Error XHE Common Cause Fault CCF Miscellaneous Aggregation of Faults VFC
| |
| * 4.6-11
| |
| | |
| Table 4.6-3 Failure Mode Failure Mode Codes*
| |
| Code
| |
| * Valves, Contacts, Dampers Fail to Transfer FT Normally Open, Fail Open 00 Normally Open, Fail Closed (Position) oc Normally Closed, Fail Closed cc Normally Closed, Fail Open co Valves, Filters, Orifices, Nozzles Plugged PG Pumps, Motors, Diesels, Turbines, Fans, Compressors Fail to Start FS Fail to Continue Running FR Sensors, Signal Conditioners, Bistable
| |
| * Fail High HI Fail Low LO No Output NO Segments, Trains and Miscellaneous Agglomerations Loss of Flow, No Flow LF Loss of Function FC Actuation Fails FA No Power, Loss of'Power LP Failure (for miscellaneous fault agglomerations VF not based on segments or trains)
| |
| Hardware HW Battery, Bus, Transformer No Power, Loss of Power LP Short ST Open OP
| |
| *Events or components shown are only suggestions. The failure modes listed may be used for any applicable event or component type.
| |
| 4~6-12
| |
| | |
| Table 4.6-3 (Contiooed)
| |
| Failure Mode Codes*
| |
| Failure Mode Code Tank, Pipes, Seals, Tubes Leak LK Rupture RP Human Errors Fail to Operate FO Miscalibra te MC Fail to Restore .from Test or Maintenance RE Normal Operations (unavailable due to planned activity):
| |
| Maintenance *MA Test TE Test and Maintenance TM
| |
| * Events or components shown are only suggestions. The failure modes listed may be used for any applicable event or component type.
| |
| 4.6-13
| |
| | |
| Table 4.6-4 Synix>ls & . Alilreviatioos Used in the Sclenatics 5-I><]-+ Normally Open Manual Valve s*~. Normally Closed Manual Valve
| |
| ~ Normally .Open Motor Operated Valve s~. Normally Closed Motor Operated Valve 5-i"t-+ Motor Driven Butterfly Valve 5-i~t-+ Testable Check Valve
| |
| ~ Normally Open Air Operated Valve s~. Normally Closed Air Operated Valve s ,if .. Normally Closed Explosive Valve
| |
| ~ Three Way Valve
| |
| ~re
| |
| ~
| |
| (Safety) Relief Valve (Normally Closed)
| |
| Check Valve Heat Exchanger Or Cooler so+ Motor Driven Pump
| |
| ~ Turbine Driven Pump Positive Displacement Pump
| |
| ~
| |
| \/VV Heater
| |
| )"-1 /l\ /l\ /l\ i Spray Header Orifice Flange 4.6-14
| |
| | |
| Table 4.6-4
| |
| ~ls & Abbreviations Strainer used in the Schematics (COntirtuedl Fan Q Compressor Tank Reactor Steam Generator UPPER COMPARTMENT Containment 1------1 ._ Ice Condenser LOWER COMPARTMENT
| |
| ...._c:==3.=:=:::::=--Containment Sump S'r-------.* Fluid Line
| |
| * )"-;,,-~~~---;,,-;/.......~---* Air Line Duct Work 4.6-15
| |
| | |
| Table 4.6-4 Syni:x)ls. & Al:in-eviations Used in .the Schematic::>>
| |
| (Continued}
| |
| Diesel Generator
| |
| @J Charger I=I Battery
| |
| [!] Inverter I!] Transfer Switch Bus LO Locked Operi LC Locked Closed
| |
| | |
| 4.6.2.1 Accumulator Description The accumulator system consists of three tanks filled with borated water and pressurized with nitrogen. Each of the accumulators is connected to one of the reactor coolant system (RCS) cold legs by a line containing a normally open motor operated valve and two check valves in series. The check valves serve as isolation valves during normal reactor operation and open to empty the contents of the accumulator when the RCS pressure falls below 6.50 psig. A simplified schematic of the accumulators is shown in Figure 4.6-1.
| |
| 4.6.2.2 Accumulator Interfaces and Dependencies The accumulators are dependent on the nitrogen system to maintain a head on the accumulators. The nitrogen is supplied by dedicated local nitrogen bottles and the accumulators are fully instrumented to indicate an abnormal pressure condition. Due to the small fault exposure time of four hours, this dependency was not further developed.
| |
| The accumulators are initially filled with borated water from the refueling water storage tank (RWST). The accumulators are filled and the valves are closed. Instrumentation verifies that the level remains above a minimum value. Therefore, no dependencies were modeled between the accumulators and the RWST.
| |
| 4.6.2.3 Accumulator Operational Constraints Technical Specifications require that all three accumulators be operable. If one accumulator becomes inoperable, i.e., low level or low pressure, it must be restored
| |
| * within four hourso This limits the fault exposure time such that the probability of the associated faults are negligible and were not further developed.
| |
| 4.6.2.4 Accumulator Logic Model The success criteria for the accumulators vary depending on the application in the event tree analysis. The success criterion for the accumulators following a large LOCA, which conservatively assumed a cold leg break, is injection of the contents of the two accumulators associated with the intact cold legs into the RCS. The success criterion for the accumulators following a medium LOCA is injection of the contents of two or more accumulators* into the RCS. These success criteria are translated into the following top events associated with the large and medium LOCA size breaks, respectively:
| |
| D.5 (A LOCA) Failure of one or more of the accumulators located in* the intact cold legs to inject their contents into the RCS.
| |
| D.5 (S 1 LOCA) Failure of two or more of the accumulators to inject their contents into the RCS.
| |
| The fault trees developed for these top events are shown in Appendix B. The specific assumptions used to develop the accumulator fault trees are included in the following section*
| |
| * 4.6-17
| |
| | |
| FROM 1-S1-TK-1A RWST FC LOOP1
| |
| > COLD LEG
| |
| (")
| |
| (") 1865 A CV107 CV109 s::
| |
| 3 s::
| |
| .....
| |
| p:i
| |
| ..+
| |
| ..,
| |
| 0 1-S1 -TK-18 00 l'rj
| |
| <.<: ....
| |
| tll aq
| |
| .;.
| |
| *C') r+
| |
| CD "1 s::
| |
| I 3 CD
| |
| ~ .;. LOOP2 co 00 *
| |
| .... C')
| |
| COLD LEG
| |
| 'C 3 ~
| |
| I
| |
| ................. 1865 B CV128 CV130 CD 0.
| |
| 00
| |
| ;:,;"
| |
| CD r+ 1- S1 -TK -1C
| |
| (")
| |
| ::r LOOP3 COLD LEG 1865 C CV145 CV147
| |
| * 4.6.2 *.5 Assumptions in Accumulator Model
| |
| * In addition ~o the general modeling groundrules made in the analysis and previously discussed in Section 4.6.1, several system specific assumptions were made in the course of the analysis. The specific assumptions made in the analysis of the accumulators were as follows:
| |
| : 1. For the large LOCA analysis, the cold leg break was assumed to be in Loop 1, failing one accumulator immediately.
| |
| : 2. Due ~o the short fault exposure times, redundant valving arrange-ments, the use of fail closed valves, and the redundant alarm and pressure indications; faults leading to level or pressure reduction in the accumulators were not postulated. The only faults postulated were demand type faults.
| |
| 4.6.2.6 Accumulator Operating Experience No pertinent plant specific operational experience of the Surry accumulators was found.
| |
| 4.6.3 Auxiliary Feedwater System Model The auxiliary feedwater (AFW) system provides feedwater to the steam genera tors (SG) to remove core heat from the primary system after reactor trip. The AFW system is a front line safety system. The following sections provide a physical description of the AFW, identify the interfaces and dependencies of the AFW with other front line and support systems, list any operational constraints on the AFW, provide a description of the fault tree model constructed for the AFW, identify the AFW specific assumptions*, and describe the operational experience available for the AFW.
| |
| 4.6.3.1 AFW System Description The Surry AFW system is a three train system, with two electric motor driven pumps and one steam turbine driven pump. The electric motor driv,en AFW pumps have a capacity of 3.50 gpm, and the turbine driven AFW pump has a capacity of 700 gpm. Each pump draws a suction through an independent line from the 110,000 gallon condensate storage tank (CST). Additionally, a 300,000 gallon CST, a 100,000 gallon emergency makeup tank, and the fire main can be used as water supplies for the AFW pumps. Each AFW pump discharges to two parallel headers. Each of these headers can provide auxiliary feedwater flow to any or all of the three steam generators. Flow froJll each header to any one SG is through a normally open motor operated valve (MOV) and a locked open manual valve in series, paralleled with a line from the other header. These lines feed one line containing a check valve which joins the main feedwater line to a steam generator.
| |
| A simplified schematic of the AFW is shown in Figure 4.6-2.
| |
| The motor driven AFW pumps automatically start on receipt of a safety injection actuation signal, trip of main feedwater pumps, low steam generator level in any steam generator, or loss of offsite power. The turbine driven AFW pump automatically starts on receipt of indication of low steam generator level in two of the three steam generators or undervoltage of any of the three main RCS pumps. These signals also ensure that the system MOVs are in the correct position *
| |
| * 300,000 GAL CST CV 151 LO XV 144 HEADER B CVSB CV89 PS92 PS91 TO UNIT 2 AFW SYSTEM PS 84 PS99 PS98 AOVMS AOVMS102A MOY 102B FW 260A
| |
| ... ...
| |
| Q ()
| |
| IDoi, ..,,._
| |
| ;; ;:;
| |
| u.o. u. 0.
| |
| TURBINE DRIVE PS 84 CV 133 CV 131 FOR PUMP TDPFW2 CV 138 CV 136
| |
| ~-l--l-~~-+-....+1i,.+1'-++-. . . . +- FROM FIRE MAIN PS 83 IIOVFW160B
| |
| ~--l--+1.....,--+--+-'-+--- - FROM EMERGENCY r----tillit---- .....
| |
| MAKEUP SYSTEM CV309 CV310 FROM UNIT 2 MOVFW160A AFW PUMPS L-....L-----v"F---....L--91Ti111t-- .....
| |
| CV273
| |
| * 4.6.3.2 AFW System Interfaces and Dependencies The AFW system is dependent on the AC power buses for motive power to the AFW motor driven pumps, and motive and control power to the AFW MOVs. The AFW system is also dependent on the DC power buses for control power to the electric motor driven AFW pumps*, and the SIAS for actuation of the AFW pumps. The turbine driven pump turbine inlet valves require instrument air and DC power for control, however*, on loss of either instrumer:it air or DC power the valves fail open allowing steam flow to the pump turbine. Hence, no dependencies were modeled in these cases to represent system success. These dependencies and specific train assignments are shown in the system dependency diagram in Figure 4.6-3 and the component status and dependency summary in Table 4.6-.5.
| |
| 4.6.3.3 AFW System Operational Constraints Technical Specifications require both motor driven feedwater pumps to be operable at all times and the turbine driven pump to be operable when the reactor is above 10 percent power. However, one pump may be removed from service for maintenance for a short period of time. This is incorporated into the model of the AFW by allowing only one AFW pump to be initially unavailable due to test or maintenance activities.
| |
| Technical Specifications also require that when Unit 1 is at power, a Unit 2 AFW pump be operational. This is important when considering AFW from Unit 2 in the recovery analysis.
| |
| * 4.6.3.4 AFW System Logic Model The success criteria for the Surry AFW system vary depending on the application in the event tree analysis. The success criterion for the AFW following all events except an Anticipated Transient Without Scram (ATWS) or Steam Generator Tube Rupture (SGTR) is flow from any one AFW pump to any of the three steam generators. The success criterion for AFW following an ATWS event is flow from both motor driven AFW pumps or flow from the turbine driven pump to two steam generators. The success criteria for AFW following a SGTR event is flow from any one AFW pump to any one of two intact steam genera tors.
| |
| These success criteria translate into the following top event in the AFW fault trees.
| |
| L - Insufficient flow to at least one of three steam generators from at least one AFW pump.
| |
| - Insufficient flow to at least two steam generators from at least .two motor driven AFW pumps or one turbine driven AF.W pump.
| |
| - Insufficient flow to at least one of the two intact steam generators from at least one AFW pump.
| |
| The fault tre~s developed for these top events are shown in Appendix B. Note that upon loss of offsite power followed by failure of the diesel generators (station blackout), only the turbine driven AFW pump is available. Failure of Unit 2's turbine *driven AFW pump was modeled as a Boolean expression for use in the station blackout analy.sis. This Boolean expression is shown in Appendix B. The specific assumptions used to develop the AFW fault trees are included in the following section.
| |
| * 4.6-21
| |
| * AFW SYSTEM
| |
| * TRAIN TRAIN TRAIN 2 3A 38 AC 1Ht----t------~~+------+---
| |
| EMERGENCY POWER 1J i----+--------+-------+-~~-
| |
| DC 1At---t-------,F-A--+------+---
| |
| EMERGENCY POWER 1B 1-------------------+-~--
| |
| Figure 4. 6-3 AFW System Dependency Diagram 4.6-22
| |
| | |
| Table 4.6-.5
| |
| * COMPONENT AFW Component Status And Dependency Summary NORMAL STATUS ACTUATION DEPENDENCIES Pumps:
| |
| l-FW-P-2 Standby 2/3 Lo SG Level, Main Steam RCS Pump Under-voltage 1-FW-P-3A Standby SIS-A, Loss 4160V Bus lH, of MFW DC Bus lA Lo SG Level, Loss of Offsite Power 1-FW-P-3B Standby SIS-B, Loss 4160V Bus lJ, of MFW DC Bus lB Lo SG Level, Loss of Off site Power (LOSP)
| |
| MOVs:
| |
| 151A NO/FAI Open signal same MCC-lHl-2 as Pump 3A Act.
| |
| 151B NO/FAI Open signal same MCC-lJl-2 as Pump 38 Act.
| |
| 151C NO/FAI Open signal same MCC-lHl-2 as Pump 3A Act.
| |
| 151D NO/FAI Open signal same MCC-lJl-2 as Pump 38 Act.
| |
| 151E NO/FAI Open signal same MCC-lHl-2 as Pump 3A Act.
| |
| 151F NO/FAI Open signal same MCC-lJl-2 as Pump 38 Act.
| |
| 160A NC/FAI R. Manual MCC-2Hl-2 160B NC/FAI R. Manual MCC-2Jl-2
| |
| * 260A NC/PAI R. Manual MCC-lHl-2 260B NC/FAI R. Manual MCC-lJl-2 4.6-23
| |
| | |
| Table 4.6-.5 (Contimed)
| |
| AFW Component Status And Dependency Summary COMPONENT NORMAL STATUS ACTUATION DEPENDENCIES AOVs:
| |
| MS102A NC/FO 2/3 SG low level Instrument Air or LOSP to DC Bus lA*
| |
| station service buses MS102B NC/FO 2/3 SG low level Instrument Air or LOSP to DC Bus lB*
| |
| station service buses
| |
| *
| |
| * On loss of instrument air and DC power, valves fail in safe position (i.e., open) resulting in steam flow to AFW pump turbine. N2 bottles provided for control of AFW pump in the event of loss of air.
| |
| 4.6-24
| |
| * 4.6.3.5 Assumptions in AFW System Model
| |
| * In addition to the general modeling groundrules made in the analysis and previously discussed in Section 4.6.1, several system specific assumptions were made in the course of this analysis. The specific assumptions made in the AFW analysis were as follows:
| |
| : 1. Failures 0£ parallel manual valves in the pump discharge lines and in the lines from the headers to the main feedwater lines were not pos-tulated since the valves are £low tested following maintenance, precluding inadvertent closure 0£ the valves. Also, the probability of plugging is negligible in comparison with other system faults.
| |
| : 2. The lube oil cooler associated with each AFW pump was considered to be part of the pump and as such its failures were accounted £or in the pump failure rates.
| |
| : 3. Opening of the steam admission valves to the turbine driven pump is all that is required to start the pump. DC power and/or instrument air were not considered to be required since their loss will result in opening of the valves.
| |
| : 4. In the absence of instrument air or DC power the turbine driven pump will operate at maximum speed. Initially, speed control 0£ the turbine driven pump is not required to prevent SG overfill, due to the amount of inventory which must be supplied. The turbine driven AFW pump can be manually controlled in the absence 0£ DC power or instrument air by manually throttling the turbine steam inlet valves, or by throttling the pump discharge valves (151A, B, C, D, E, F). It was determined that i£ steam generator water level indication was available, the probability 0£ overfilling the steam generators was very small compared to other ways to fail the turbine driven AFW pump *.
| |
| : 5. Failure of the Unit 2 *cross connect in the open position was consi-dered to fail the Unit 1 AFW system due to the flow diversion to the operating unit. The operating unit would be at a lower pressure and hence would receive the majority 0£ the £low. The postulated failure was for the valve to be open while indicating closed. The diagnosis of the problem would be difficult for the Unit 1 operators and the addi"."
| |
| tional flow ftom the AFW flow to Unit 2 would not be ea.sily detected.
| |
| : 6. The use of the Unit 2 AFW pump cross connect, the 300,000 gallon CST, the emergency makeup tank, or the £ire main as a backup to the CST were considered as recovery actions in the accident sequence analysis as necessary, and were not included in the fault trees directly.
| |
| : 7. For the steam generator tube rupture event tree, the tube rupture was postulated to be in Loop 1, SG A.
| |
| : 8. During station blackout sequences it was judged that the turbine driven AFW pump must be available from Unit 2 in order to cross connect with Unit 1.
| |
| 4.6-2.5
| |
| | |
| *
| |
| : 9. It was considered that the Unit 2 AFW system is symmetric to the Unit 1 AFW system. This was used in modeling the Unit 2 AFW turbine driven pump during SBO.
| |
| 10 The turbine driven pump discharges the turbine exhaust steam directly to the atmosphere so that a condensate pump is not required for the AFW turbine. It was judged that the steam exhaust would not impede an operator's manual control of the turbine.
| |
| 4.6.3.6 AFW System Operating Experience Review of the Surry AFW operating experience revealed that a problem with steam binding of AFW pumps had occurred due to backleakage of relatively hot main feedwater through the system check valves. The backleakage resulted in steam accumulation in the AFW lines and failure of two pumps. Since the event, the affected check valves were reworked and plant changes made, including removal of the insulation from the. AFW pump discharge lines to facilitate steam condensation and requiring a check of the pump outlet pipe temperatures once every shift. No further incidents have occurred since.
| |
| However, due to the potential for common cause multiple pump failures this failure mode has been included in the system models. See Appendix D.1 for the development of this data.
| |
| Plant specific operational data derived from plant records of the AFW pumps was used in the analysis. See Appendix D.1 for the development of this data.
| |
| 4.6.4 Charging Pump Cooling System Model The charging pump cooling (CPC) system is a support system which provides lube oil cooling and seal cooling to the three charging pumps in the high pressure injection/recirculation (HPI/HPR) system. The following sections provide a physical description of the CPC system*, identify the interfaces and dependencies of the CPC system with the front line systems and other support systems, list any operational constraints on the CPC system, provide a description of the fault tree model constructed for the CPC system, identify the CPC system specific assumptions, and describe the operational experience available for the CPC system.
| |
| 4.6.4.1 CPC System Description The Surry CPC system provides two specific cooling functions for the charging pumps, lube oil cooling and seal cooling. The CPC system is composed of two subsystems, the charging pump service water system and the charging pump cooling water system. The charging pump service water system is an open cooling $ystem which provides cooling to the lube oil coolers and to the intermediate seal coolers in the charging pump cooling water system. The charging pump cooling water system is a closed cycle system which provides. cooling to the charging pump seal coolers.
| |
| The charging pump service water system is an open cycle system composed of two 100%
| |
| capacity pump trains. Each provides flow to one intermediate seal cooler and all three charging pump lube oil coolers. Flow is drawn from the main condenser inlet lines through independent lines by the charging pump service water pumps. Upstream of each pump are two separate, independent strainer assemblies. Each pump discharges through two check valves. Downstream of the check valves the flow is split with a portion of the
| |
| * flow directed to an intermediate seal cooler and the other portion directed to a common header feeding the lube oil coolers. From this header, flow is directed through the lube 4.6-26
| |
| | |
| oil coolers for the operating charging pumps. Temperature control valves control the flow through the lube oil coolers to prevent overcooling of the lube oil. The service water flow is discharged to the discharge canal.
| |
| The charging pump cooling water system is a closed cycle system composed of two 10096 capacity pump trains. Each pump train contains a charging pump cooling water pump and an intermediate seal cooler which provide cooling water. to the charging pump seal coolers. Each pump draws suction from the outlet of either of the two intermediate seal coolers and discharge to a common header. The common header provides flow to the seal coolers for each charging pump. Two seal coolers in parallel are provided for each charging pump. The discharge of the seal coolers is returned to the intermediate seal coolers where it is cooled by the charging pump service water system. Makeup to the charging pump cooling water system to account for seal leakage is provided by a surge tank which is supplied by the component cooling water system.
| |
| A simplified schematic of the CPC system is shown in Figure 4.6-4.
| |
| One of the charging pump service water pumps and one of the charging pump cooling water pumps are normally in operation. Upon indication of low discharge pressure of one of the pumps, the parallel pump receives a signal to start. With the exception of the pumps and the lube oil cooler temperature control valves, all other components in the system are manually actuated.
| |
| 4.6.4.2 CPC System Interfaces and Dependencies The CPC system interfaces with the HPI/HPR system at the charging pumps. The CPC system is dependent on the AC power buses for motive and control power to the charging pump service water and cooling water pumps. Although the CPC system is dependen.t on the component cooling water system for the ultimate makeup to the charging pump seal cooling surge tank, no dependency was modeled since a sufficient supply* of makeup is available due to the initial inventory in the surge tank. Also, the location of the surge tank would result in gravity flow of component cooling water into the surge tank even in the event of loss of the component cooling water system. The lube oil cooler temperature control valves require instrument air as well DC power for control, however on loss of either instrument air or DC power the valves fail open allowing flow to the coolers. Hence, no dependencies were modeled in these cases. The CPC service water system is dependent on sufficient level in the service water intake canal. These dependencies and specific train assignments are shown in the system dependency diagram in Figure 4.6-.5 'and the component status and dependency summary in Table 4.6-6.
| |
| 4.6.4.3 CPC System Operational Constraints The only operational constraint rutilized in 1. the CPC system model results from the normal operation of one charging pump. Since one charging pump is in operation at all times, one charging pump service water pump, one charging pump cooling water pump and the associated coolers must be in operation also.
| |
| 4.6.4.4 CPC System Logic Model The CPC system is a support system for the charging pumps in the HPI/HPR system. The top events identified for* the CPC system .represent 'the modeled interfaces of the CPC system with the HPI/HPR system. The developed events contained in the HPI/HPR fault trees correspond to the following top events: . , " , .
| |
| 4.6-27
| |
| | |
| XV444 CROSS CONNECT W/ UNIT 2
| |
| -
| |
| FROM UNIT 1 XV116 XV121 XV127 XV169 XV168 CONDENSER LINE XV302 XV267 PS104 HXCHSA AOVSW108A STR1A XV171 SA STR2A MDPSW10A PS102 XV122 XV117 XV170 PS105 XV118 HXCH58 AOVSW1088 PS103 58
| |
| -
| |
| FROM UNIT 2 108 CV108 XV109 XV120 XV123 XV124 XV305 XV306 XV261 PS106
| |
| ~
| |
| CONDENSER LINE XV119 HXCHSC AOVSW108C STR18 SC STR28 MDPSW10B
| |
| ~ TO UNIT 2 XV441 CH. PMP COOLING XV115 PS107 i ~- XV110 CV130 xv,211 1
| |
| ~
| |
| °'NI i*..... PS111 00 ....111 .
| |
| ~ MDPCC2B 2B PS10 XV781 PS10B XV780
| |
| .... °'I XV773 a ~
| |
| XV773 XV783 TO SURGE TANK XV931 1B HXSW1B
| |
| ~
| |
| 11)
| |
| XV695 XV782 XV7611 XV132 XV165
| |
| & MDPCC2A PS118 XV786 XV785 1A HXSW1A XV779 XVn~ XV131 XV167 INTERMEDIATE SEAL COOLERS SEAL COOLERS
| |
| * CHARGING PUMP SERVICE WATER SYSTEM PUMP PUMP 10A 108 1Hl--------------~~---------------t---~
| |
| AC EMERGENCY POWER
| |
| * CHARGING PUMP COOLING WATER SYSTEM CPC PUMP PUMP SYSTEM 2A 28 CHARGING PUMP 1Hl----~~----------,i--~
| |
| AC EMERGENCY SERVICE WATER 1----+-1-~- POWER SYSTEM CHARGING PUMP COOLING WATER 1----~+--
| |
| SYSTEM Figure 4. 6-5 CPC System Dependency Diagram 4.6-29
| |
| | |
| Table 4.6-6 COMPONENT CPC Component Status And Dependency Summary NORMAL STATUS ACTUATION DEPENDENCIES
| |
| * Pumps:
| |
| 1-SW-P-lOA 1 Standby, Standby pumps MCC-lHl-1 1 Normally start on low Operating header pressure 1-SW-P-lOB MCC-lJl-1 1-CC-P-2A 1 Standby, MCC-lHl-1 1-CC-P-2B 1 Normally MCC-lJl-1 Operating MOVs:
| |
| SW108A 1 NO corresponding to Open on increased running charging pump lube oil temperature, others closed.
| |
| SW108B Valves fail open on loss of DC power SW108C or instrument air.
| |
| 4.6-30
| |
| | |
| CPCA - Insufficient cooling to charging pump A from the CPC system.
| |
| CPCB - lnsufficient cooling to charging pump B from the CPC system.
| |
| CPCC - lnsufficient cooling to charging pump C from the CPC system.
| |
| The fault trees developed for these top events are shown in Appendix B. For both the HPI/HPR modes of operation*, the tree structure of CPC system models is identical.
| |
| However, in the sequence quantification task, HPI/HPR mission times as appropriate were used to compute the time dependent failure rates and those failures resulting in failure of the CPC system during the injection phase were deleted from the recirculation sequences. Appendix D.1 shows the -mission times used in the various sequences.
| |
| 4.6.4.5 Assumptions in CPC System Model In addition to the general modeling groundrules made in the analysis and previously discussed in Section 4.6.l, several system specific assumptions were made in the cour-se of the analysis. The specific assumptions made in the CPC system analysis were as follows:
| |
| : 1. Charging pump service water to the intermediate seal cooler was not required for successful operation of the charging pump seal coolers.
| |
| : 2. As noted in Section 4.6.9, charging pump A was considered to be normally operating. Therefore, for the CPC system, the temperature control valve on the associated lube oil cooler is open while the temperature control valves on the other two coolers are closed.
| |
| : 3. The temperature control valves fail open on loss of air or DC power.
| |
| : 4. The temperature control valves are controlled from a temperature signal from the charging pump lube oil and it was judged that a signal to open will occur soon after pump startup.
| |
| : 5. The postulated operating configuration of the CPC system is that the A train charging pump service water and* cooling water pumps are operating.
| |
| : 6. One of the two redundant charging pump seal coolers for each charging pump would provide sufficient seal cooling.
| |
| : 7. Loss of CPC was estimated to lead to unavailability (whether shutdown or failure) of the charging pumps within 10 minutes, if the charging pumps were in the ~fety injection mode.
| |
| : 8. The use of the Unit 2 CPC cross connect was considered as a recovery action in the accident sequence analysis if necessary, and was not included in the fault trees.
| |
| : 9. The Unit 2 CPC system is symmetric to the Unit 1 system. This consi-deration was used when modeling CPC from Unit 2.
| |
| 4.6-31
| |
| | |
| 4.6.4.6 CPC System Operating Experience Operatio~al experience from the CPC system indicates that the charging pump service water pump inlet strainers are susceptible to plugging since the fluid is raw brackish water direct from the intake canal. This was identified as an area which potentially could result in a common cause failure of both trains of the CPC system. The strainer assemblies have been replaced (Summer of 1984) with a different design of strainer (duplex r.trainer). The impact of this design change on the plugging failure rate is developed in Appendix D.1. . .
| |
| Inadvertent operation of the charging pump cooling water system with charging pump service water isolated from the intermediate seal coolers has occurred~ However, it resulted in no damage to the charging pump seals. Flow was maintained in the cooling water system during the time of isolation. Based on this operational exprience, loss of charging pump service water to the intermediate seal coolers was not included in the system models as a failure mode for the CPC system.
| |
| 4.6.5 Component Cooling Water System Model The component cooling water (CCW) system is a closed cycle cooling system which pro-vides cooling to many, varied systems including the Residual Heat Removal (RHR) and the Reactor Coolant System (RCS). The CCW system, as defined for this analysis, includes only that portion of the CCW system required to provide cooling water to the reactor coolant pump (RCP) thermal barriers and to the Residual Heat Removal System. The following sections provide a physical description of the portions of the CCW system necessary for the analysis, identify the interfaces and dependencies of the CCW system with the front line systems and other support systems, list any operational con-straints on the CCW system*, provide a description of the fault tree model constructed for the CCW system, identify the CCW system specific assumptions, and describe the operational experience available for the CCW system.
| |
| 4.6.5.1 CCW System Description The CCW system at the Surry station is a single sy~tem which provides CCW to both units. Of primary interest to ths study were those components normally providing CCW to Unit 1. These components consist of two CCW pumps in parallel and two CCW heat exchangers. The CCW system is a closed cycle system. The CCW pumps take suction from the return line from the RCS pump thermal barriers, RHR pumps, and RHR heat exchangers; and are headered together at their discharges. The header feeds the two CCW heat exchangers arranged in parallel. The discharge of th~ heat exchangers is delivered to the RCS pump thermal barriers, RHR pumps, and RHR heat exchangers.
| |
| After cooling these loads, the flow is returned to the CCW pump suction. .Makeup to the CCW system is provided from a S\Jrge tank in the system. A simplified schematic of the portions of the CCW system required for thermal barrier cooling is shown in Figure 4.6-6.
| |
| One CCW pump and heat exchanger are normally in operation. In the event of failure of either component, the parallel component is manually *placed in service. Following a loss of offsite power, the stub buses powering the CCW pumps are shed from the emergency buses and must be manually reconnected to restore power to the CCW pumps. The con-tainment isolation valve on the thermal barrier cooling water outlet closes on loss of instrument air or receipt of a CLCS hi-hi signal, resulting in loss of flow to the thermal barriers.
| |
| 4.6-32
| |
| | |
| SURGE TANK OUTSIDE CONTAINMENT INSIDE CONTAINMENT 1-CC-546 UNIT2 UNIT2 CROSSTIE CROSSTIE sws FO 1-CC-554 1-CC-852 1-CC-553 TV-CC107 (Cls-HI HI-CLOSE)
| |
| I-CC-PIS F.C.
| |
| 1-CC-563 l*CC-564 1-CC-560 sws RHR PUMP A/ HEAT EXCHANGER A RHR PUMP Bl HEAT EXCHANGER B
| |
| | |
| 4.6.5.2 CCW System Interfaces and Dependencies The CCW system is dependent on the AC power buses for motive power for the CCW pumps and the DC power buses for control power to the CCW pumps and the thermal barrier throttle valves. Also, the CCW system is dependent on. the instrument air system for motive power to the thermal barrier throttle valves. These dependencies and specific train assignments are shown in the system dependency diagram in Figure 4.6-7 and the component status and dependency summary in Table 4.6-7.
| |
| 4.6.5.3 CCW System Operational Constraints Following a loss of offsite power, the stub buses which power the CCW pumps are automatically shed and must be manually reloaded on the main bus by the operator to restore power to the pumps.
| |
| 4.6.5.4 CCW System Logic Model The success criterion for the Surry Unit 1 CCW system is that continued CCW flow is provided to the RCS pump thermal barriers, RHR pumps, and RHR heat exchangers following reactor shutdown.
| |
| This success criterion translates into the following top event in the CCW system fault trees:
| |
| W Failure to provide Unit 1 CCW flow to all RCS pumps thermal barrier coolers, RHR pumps, and RHR heat exchangers.
| |
| The success criterion for Unit 2 CCW is that continued CCW flow is provided to the RCS pump thermal barriers following station blackout at Unit 1. This translates into the following top event.
| |
| w2 - Failure to provide Unit 2 CCW flow to RCS pumps thermal barrier during station blackout.
| |
| The fault tree developed for top event W is shown in Appendix B. Failure of CCW supplied from Unit 2 during Station Blackout (W 2) was modeled as a Boolean expression and is shown in Appendix B. The specific assumptions used to develop the CCW system fault tree are included in the following section.
| |
| 4.6.5.5 Assumptions in CCW System Model In addition to the general modeling groundrules made in the analysis and previously discussed in Section 4.6.1, several system specific assumptions were made in the course of the analysis. These specfic assumptions. made in the CCW system analysis were as follows:
| |
| : 1. The postulated normal operational configuration is that CCW pump A and CCW heat exchanger A are in service.
| |
| : 2. The service water valves to the normally operating heat exchanger are open, manual valves with flow through them and the service water system is a gravity flow system. Therefore, no faults were postulated for the service water interface with the system.
| |
| 4.6.5.6 CCW System Operating Experience
| |
| .No pertinent plant specific operational experience of the Surry CCW system was found.
| |
| 4.6-34
| |
| * CCWTO RCS PUMP THERMAL BARRIER PUMP PUMP 1A 18
| |
| * AC EMERGENCY 1Ht---+~~-----i--
| |
| POWER 1Ji----+------~-+--
| |
| INSTRUMENT AIR Figure 4. 6-7 CCW System Dependency Diagram 4.6-35
| |
| | |
| Table 4.6-7 CCW Component Status And Dependency Summary COMPONENT NORMAL STATUS ACTUATION DEPENDENCIES Pumps:
| |
| 1-CC-P-lA Normally Operating R. Manual 4160V Stub lH 1-CC-P-lB Standby R. Manual 4160V Stub lJ AOVs:
| |
| TV-CC-107 NO/FC Close on Instrument Air CLS-Hi-Hi 4.6-36
| |
| *
| |
| * 4.6.6 Consequence Limiting Control System Model The consequence limiting control system (CLCS) automatically actuates the containment safeguards- systems following receipt of indicated hi-hi (25 psia) containment pressure.
| |
| The CLCS is a support system for the Containment Spray, Inside Spray Recirculation, and Outside Spray Recirculation front line systems. A review of the CLCS design was performed to verify that the system trains were symmetric and that there were no system peculiarities which would impact the reliability of the system. Generic system unavailability data was used in the analysis.
| |
| The following sections provide a brief physical description of the CLCS, identify the interfaces and dependencies of the CLCS with front line and other support systems, list any operational constraints on the CLCS, provide a description of the model used to incorporate the CLCS into the analysis, identify the CLCS specific assumptions, and describe the operational experience available for the CLCS.
| |
| 4.6.6.1 CLCS Description The .Surry CLCS is composed of four containment pressure sensors, each feeding a signal comparator. The output of each signal comparator is input into two separate three out of four logic trains. These logic trains automatically actuate the containment safeguards system components. A simplified CLCS logic diagram is shown in Figure 4.6-8.
| |
| 4.6.6.2 CLCS Interfaces and Dependencies
| |
| * The CLCS is dependent on the vital instrumentation buses and the DC buses for operation of the primary sensors and the relay logic network. The DC dependencies were modeled for the loss of power initiating events. In non loss of power events or in the event of loss of only one vital instrumentation bus where additional bus failures would need to occur to result in system failure, the power bus failure rates are negligible in comparison with the CLCS train unavailabilities and hence no additional models were constructed. Specific components in the Containment Spray, Inside Spray Recirculation, Outside Spray Recirculation and containment spray Service Water systems are dependent on the CLCS for automatic actuation. These specific dependencies are listed in Table 4.6-8. The Safety Injection Actuation system also utilizes some of the CLCS sensors.
| |
| 4.6.6.3 CLCS Operational Constraints No specific operational constraints were identified for the CLCS.
| |
| 4.6.6.4 CLCS Logic Model Boolean equations were developed to incorporate the CLCS DC power dependencies into the models used in the sequence quantification. The following Boolean equations were used to incorporate these dependencies for the T 1, T 5A, and T58 initiating events:
| |
| CLS-ACT-FA-2A = CLS-ACT-FA-CLS2A + DCP-TDC-LP-BUSlA.
| |
| CLS-ACT-FA-2B = CLS-ACT-FA-CLS2B + DCP-TDC-LP-BUS1B.
| |
| CLS-ACT-F A-CLS2A and CLS-ACT-F A-CLS2B represent the CLCS train A and B generic unavailabilities. The CLCS related events included in the front line system fault trees were coded with the system identifier CLS throughout the fault tree and sequence analysis.
| |
| 4.6-37
| |
| | |
| PT PS-LM100A1 SIGNAL COMPARATOR 1----
| |
| VB 1-1 l I
| |
| ~-----=-,--* 3/4 ff ,:A:~~
| |
| RELAY PT PS-LM100B1 SIGNAL COMPARATOR VB 1-11 TRAIN A
| |
| --------------
| |
| TRAIN B PT PS-LM100C1 SIGNAL COMPARATOR.,..._._
| |
| VB1-III ~ 3/4 RELAY MATRIX 28 PT 125 Vdc-B PS-LM100D1 SIGNAL COMPARATOR VB 1-IV Figure 4. 6-8 Simplified CLCS Logic Diagram 4.6-38
| |
| * Table 4.6-8
| |
| * Component Dependencies On CLCS Relay Pumps MOVs Other Train A CR-CLS-lAl 1-RS-P-lA SW-103A 1-CS-P-lA SW-101A CW-106A CR-CLS-2A2 1-RS-P-2A RS-155A CS-lOOA CS-101A CR-CLS-2A3 CW-106C SW-1030 RS-156A CR-CLS-2A4 CW-100B DG Ill CS-lOlC CR-CLS-2A5 CW-1000 CR-CLS-2A6 TV-MS101A TV-MS101C CR-CLS-2A7 TV-MS101B 4.6-39
| |
| | |
| Table 4.6-8 (Continued)
| |
| Component Dependencies On CLCS
| |
| * Relay Pumps MOVs Other Train 8 CR-CLS-2Bl 1-RS-P-lB SW-103B 1-CS-P-lB
| |
| * SW-101B SW-106B CR-CLS-2B2 1-RS-P-2B RS-155B CS-100B CS-101B CR-CLS-2B3 CW-106D BKR 25J3 -
| |
| SW-103C Block Close RS-156B
| |
| * CR-CLS-2B4 CW-lOOA DG 113 CS-101D BKR 25J3 -
| |
| Trip CR-CLS-2B5 CW-lOOC CR-CLS-2B6 TV-MS-101A TV-MS-lOlC CR-CLS-2B7 TV-MS-101B 4.6-40
| |
| | |
| 4.6.6.5 Assumptions in CLCS System Model
| |
| * No system specific assumptions were made in the CLCS analysis.
| |
| 4.6.6.6 CLCS Operating Experience No pertinent plant specific operational experience of the Surry CLCS was found.
| |
| 4.6.7 Containment Spray System Model The containment spray system (CSS) provides the initial containment pressure reduction following an accident by spraying cool water from the refueling water storage tank (R WST) to condense steam ~n the containment. The CSS is a front line system designed to protect the containment. In addition, the CSS performs a support function for the outside spray recirculation system as discussed in Section 4.6.12. The following sections provide a physical description of the CSS, identify the interfaces and dependencies of the CSS with other front line and support systems, list any operational constraints on the CSS, provide a description of the fault tree model constructed for the CSS, identify the CSS specific assumptions, and describe the operational experience available for the CSS.
| |
| 4.6.7 .1 CSS Description The Surry CSS is composed of two 100% capacity spray injection trains. The CSS has no recirculation or sump cooling capability. Each spray train draws water from the refueling water storage tank through independent suction lines. Each CSS pump takes suction through a normally open motor operated valve (MOV) and an in-line filter
| |
| * assembly. Each CSS pump discharges through a pair of normally closed MOVs arranged in parallel and through a check valve to its associated containment spray header. Both CSS pumps also feed a common third spray header (loc~ted on the outside of the crane wall) through separate check valves. A simplified schematic of the CSS is shown in Figure 4.6-9.
| |
| The CSS automatically starts on receipt of a hi-hi (25 psia) containment pressure signal from the consequence limiting control system (CLCS). The CLCS signals open the pump inlet and outlet valves and start the CSS pumps. An agastat timer in the pump start ciruit delays pump start for 30 seconds after receipt of the signal.
| |
| 4.6.7 .2 CSS Interfaces and Dependencies The CSS interfaces with the high and low pressure injection systems at the common refueling water storage tank. The CSS is dependent on the R WST for fluid inventory.
| |
| The CSS system also depends on the AC power buses for motive power to *the CSS pumps and motive and control power tO" the MOVs in the CSS, the DC power buses for control power to the CSS pumps, and the CLCS for actuation of the CSS components. These dependencies and specific train assignments are shown in the system dependency diagram in Figure 4.6-10 and the component status and dependency summary listing in Table 4.6-9.
| |
| 4.6.7 .3 CSS Operational Constraints The only operational constraint utilized in the development of the CSS model is that Technical Specifications require one train of the CSS be operable at all times, i.e., only one train can be removed from service for maintenance at any one time. This is incorporated into the model of the CSS *by allowing only one CSS pump to be initially unavailable due to test or maintenance activities.
| |
| 4.6-41
| |
| | |
| MOVCS1018 PS53 RWST MOVCS101A CV13 MOVCS101D PS55 XV8 CV?
| |
| XV15 CV14 MDPCSIA MDPCSIB (1-CS-P-1 A) (1-CS-P-1 B)
| |
| MOVCS100A PSSO
| |
| , 1-CS-FL-1A PS51
| |
| * CONTAINMENT CSS PUMP CSS PUMP SPRAY B DISCHARGE A DISCHARGE SYSTEM
| |
| ,s:,. CONSEQUENCE CONSEQUENCE A CONSEQUENCE A A LIMITING LIMITING O'I LIMITING CONTROL CONTROL CONTROL B I B B SYSTEM
| |
| ,s:,. SYSTEM SYSTEM w
| |
| 1H AC 1H AC 1H AC EMERGENCY EMERGENCY EMERGENCY POWER 1J POWER 1J POWER 1J DC 1A EMERGENCY POWER 1B Figure 4. 6-10 CSS Dependency Diagram
| |
| | |
| Table 4.6-9 COMPONENT CSS Component Status And Dependency Summary NORMAL STATUS ACTUATION DEPENDENCIES
| |
| * Pumps:
| |
| 1-CS-P-lA Standby CLS Hi-Hi-2A 480V Bus lH DC Bus lA CLS Hi-Hi-2A 1-CS-P-lB Standby CLS Hi-Hi-2B 480V Bus lJ DC Bus lB CLS Hi-Hi-2B MOVs:
| |
| CSlOOA NO/PAI CLS Hi-Hi-2A MCC-lHl-2 CLS Hi-Hi-2A CSlOOB NO/FAI CLS Hi-Hi-2B MCC-lJl-2 CLS Hi-Hi-2B CSlOlA NC/FAI CLS Hi-Hi-2A MCC-lHl-2 CLS Hi-Hi-2A CS101B NC/FAI. CLS Hi-Hi-2B MCC-lJl-2 CLS Hi-Hi-2B CSlOlC NC/FAI CLS Hi-Hi-2A MCC-lHl-2 CLS Hi-Hi-2A CSlOlD NC/FAI CLS Hi-Hi-2B MCC-lJl-2 CLS Hi-Hi-2B 4.6-44
| |
| **
| |
| | |
| 4.6.7 .4 CSS Logic Model The success criterion for the Surry CSS is the same for each application in the event tree analysis. The success criterion is one of the two CSS train~ provide flow to any one con-tainment spray header. This translates into the following top event in the CSS fault tree:
| |
| C- Insufficient flow from 1 of 2 CSS pumps to the spray headers.
| |
| The fault tree developed for this top event is shown in Appendix B. The specific assumptiqns used to develop the CSS fault tree are included in the following section.
| |
| 4.6.7 .5 Assumptions in CSS System Model In addition to the general modeling groundrules made in the analysis and previously discussed in Section 4.6.1, several system specific assumptions were made in the course of the analysis. The specific assumptions made in the CSS analysis were as follows:
| |
| : 1. Flow to *any one of the two major spray headers was considered to be system success.. Flow to only the crane wall header was not consi-dered sufficient. However, it is not possible to get flow to the crane wall header without getting flow to one of the other headers.
| |
| : 2. The probability of plugging a sufficient number of nozzles in a spray header to significantly degrade performance was considered to be negligible.
| |
| : 3. Manual valves XV8 and XV15 in the recirculation pathway to the R WST are normally closed valves which are not indicated in the control room. During testing of the CSS pumps they are opened. The recirculation lines are large enough that they are assessed to consti-tute a flow diversion, thus failing the CSS train if open. If the* CSS were demanded during pump testing or if the valves were not reclosed.
| |
| following testing, the associated CSS train would fail.
| |
| 4.6.7 .6 CSS Operating Experience No pertinent plant specific operational experience of the Surry CSS was found.
| |
| 4.6.8 Emergency Power System Model The emergency power system (EPS) provides AC and DC power to safety related components following reactor scram. The EPS is a support system that interfaces with nearly all front line systems. The following sections provide a physical description of the EPS, identify the interfaces and dependencies of the EPS with front line and other support systems, list any operational constraints on the EPS, provide a description of the model used to incorporate the EPS in the analysis, describe the EPS specific assumptions, and identify the operational experience available for the EPS.
| |
| 4.6.8.1 EPS Description The EPS at Unit 1 consists of two 4160 VAC buses, four 480 VAC buses, four 120 VAC
| |
| * vital instrumentation buses, two 125 VDC buses, one dedicated and one shared diesel generator, and their associated motor control centers, breakers, transformers, uninterruptable power supplies, and batteries. The EPS at Unit 2 is symmetric to Unit 1.
| |
| 4.6-45
| |
| | |
| The following description applies to the EPS at Unit 1. Since the EPS is symmetrical at
| |
| * Unit 2*, the description is equally applicable with the appropriate change of designator (2H for lH, 2J for lJ). Each 4160 VAC bus is normally powered from offsite power sources. Upon loss of offsite power the supply breakers open, the diesel generators start
| |
| .ind their associated DG output breakers close to load the diesels on the emergency buses. Surry has three diesel generators*, one dedicated to each unit and a third swing diesel generator shared by the units. The dedicated diesel at Unit 1 is attached to the lH 4160 VAC bus while the swing diesel can be connected to the lJ (Unit 1) or 2J Unit 2 4160 VAC buses. In the event that the swing diesel is demanded by both units, the diesel will be aligned to the unit at which an SIAS or CLCS hi-hi exists. If signals exist at both units, the diesel will be aligned to the unit whose breaker closes first. Each diesel is a self con~ined, self cooled unit with its own battery for starting power. The diesel battery is independent of the station batteries. The 4160 VAC buses provide power to the large pumps such as the high pressure injection pumps, the stub buses which each power one CCW and residual heat removal pump, and the 480 VAC buses through tranformers. The stub bus is shed on undervol tage on the main bus.
| |
| The following description applies to the lH related buses. Since the lH and lJ related buses are symmetrical, the description is equally applicable to the lJ related buses with the appropriate changes to the designators.
| |
| The lH 4160 VAC bus feeds two 480 VAC buses OH and lH-1) through transformers. The lH 480 VAC bus is primarily used to power pumps such as the A train low pressure injection pump. The lH-1 480 VAC bus feeds two motor control centers (MCCs). MCC lHl-1 and lHl-2, provide power to a multitude of motor operated valves (MOVs) and small pumps such as the charging pump cooling pumps. MCC lHl-1 and lHl-2 also pro-vide power to two uninterruptible power supplies used to charge DC battery lA, and to power the 1-I and 1-Ill 120 VAC vital instrumentation buses.
| |
| * The lA 125 VDC bus provides control power to the switchgear for the pumps powered from the lH buses. The lA 125 VDC bus is powered from a 480 VAC b1.,1s, as noted above, and in the event of loss of the AC power source, is powered from DC battery lA.
| |
| A simplified electrical diagram of the EPS, includi"ng the relevant portions of the uninterruptible power supply, is included in Figure 4.6-11. Table 4.6 summarizes the normal and alternate power source for each EPS bus and component and identifies any dependencies for the EPS, components.
| |
| 4.6.8.2 EPS Interfaces and Dependencies The EPS interfaces with almost all of the systems required for safe shutdown of the reactor following an abnormal event. Specific dependencies of these systems on the EPS are detailed in each of the applicable system sections. Dependencies between the EPS components are included in Table 4.6-10.
| |
| 4.6.8.3 EPS Operational Constraints The Surry EPS design does not require load sequencers for reloading of the buses following loss of offsite power due to the use of time delays included in the start circuitry for many of the required pumps.
| |
| 4.6-46
| |
| *
| |
| * A II SWITCHYARD TOUNIT2
| |
| ,.~,c NORMAL 4160 V BUSES (NOT ANALVZED FURTHER) 4160V 480V
| |
| * FE~ FE9~
| |
| *~4 *~3
| |
| ~~eusef 1
| |
| * BATTERV1A BATTERY1B
| |
| ,?-f'ss ,¥1-11 ,¥1-IV I I I VITAL VITAL VITAL VITAL 120 AC 120AC 120AC 120AC 1-1 1-111 1-11 1-IV Pigm:e 4. 6-11 DS S:IJll)J :I fied S1catx::h 4.r-17
| |
| | |
| MCC 1J1-1 MCC 1J1-2 FE9B~
| |
| T . T FE9~
| |
| UPS 181 TRANSFORMER TRANSFORMER 480V 1B1-1 1B1-2 120V 24
| |
| /_...____
| |
| DC BUS INVERTER INV UPSB1 NOTE: UPS 181 SHOWN.
| |
| UPS 1A1, 1A2., 1B2 ARE SIMILAR 1-~
| |
| I VITAL BUS 1-11 Figure 4.6-11 (Cont'd)
| |
| El?S Sllll?lified Sketch.
| |
| 4.6-48
| |
| * Table 4.6-10 AC/DC Power Supplies And Dependencies BUS/ NORMAL ALTERNATE CCJ.IPONENT FEED FEED DEPENDENCY/CCJ.1MENTS 4160V - 1A Station Generator Offslte grid, via RSS transfer fran None of the ASEP systems are 1B A, B, c. provided power by these buses.
| |
| 1C Not lncQuded fn electrlc power model.
| |
| 4160V - 1H Offslte grid, via RSS DG 11 Swltchgear*power provided by
| |
| <Orange Bus> transfer fran C DC battery A.
| |
| 4160V 1H-Stub 4160 - 1H None Stub bus contains 1 CCW pump and 1 RHR plBllp* Bus Is sh~d fran main bus on UV on main bus.
| |
| 4160V - 1J Offslte grid, via RSS DG 13 Switchgear power provided by
| |
| <Purple Bus> transfer*A DC battery B. DG#3 may be
| |
| ~
| |
| * required by Unit 2
| |
| * I
| |
| \0 4160V 1J-$tub 4160V-1J None Stub bus contains 1 CCW pump and 1 RHR pt111p. Bus Is shed shed fran main bus on UV on main bus.
| |
| DG 11, DG 13 NA NA No Dependencies. DGs are seQf contained. Each DG has a dedicated battery to start ft.
| |
| Self cooled. Upon LOSP, DGH3 wit~ aQfgn to either unit, depending on whose breaker closes first. If SIS or CLS HI-HJ sfgnaQ exists at a unit, that un-lt wf H get DG #3.
| |
| | |
| Table 4.6-10 (Continued)
| |
| AC/DC Power Supplies And Dependencies BUS/ NORMAL ALTERNATE COMPONENT FEED FEED DEPENDENCY/COMMENTS 480V - 1H 4160V 1H None Swttchgear for p1J11ps is s111 -
| |
| 480V - 1H1 4160V 1H None pJied by DC battery A.
| |
| 480V - 1J 4160 1J None Swttchgear for pumps ts s111 -
| |
| 480V - 1J1 416.0 lJ None pJled by DC battery B.
| |
| MCC 1H1-1, 480V 1H1 None MCC 1H1-2 MCC 1J1-1, 480V 1J1 None MCC 1J1-2 120V AC VitaJ MCC 1H1-1, MCC 1H1-2 None VitaJ bus suppJied by an unlnterruptabJe
| |
| ""'I
| |
| : 0) Bus 1-1 DC Bus A power supply fed by three sources. Whfchever source I
| |
| CJI had the hlghest voltage wiJJ power the vttaJ bus 0
| |
| 120V AC VttaJ MCC 1J1-1, MCC 1J1-2, None VttaJ bus suppJied by an untnterruptabJe power Bus 1-11 DC Bus B suppJy fed by three sources. Whlchever source has the highest voJtage wiJJ power the vttaJ bus 120V AC VitaJ MCC 1H1-1, MCC 1H1-2, None VitaJ bus suppJlJed by an unlnterruptabJe power Bus 1-111 DC Bus A suppJy fed by three sources. Whlchever source has the hlghest voltage wf.JJ power the vitaJ bus 120V AC VttaJ MCC 1J1-1, MCC 1Jl-2 None VitaJ bus suppJted by an untnterruptabJe power Bus 1-IV DC Bus B suppJy fed by three sources. Whichever source has the highest voJtage wtJI power the vttaJ bus DC Bus A MCC 1H1-1, MCC 1H1-2 Battery A vta untnterrruptabJe power suppJies 1A1, 1A2 DC Bus B MCC 1J1-1, MCC 1J1-2 Battery B vta untnterruptabJe
| |
| * power suppJ ies* 181, 182
| |
| | |
| Technical Specifications require all three diesel genera tors to be operable. However, one diesel may be taken out of service for a limited period of time. This was incorporated into the anf'.lysis by excluding any combination of unavailability of more than one diesel generator due to maintenance activities.
| |
| 4.6.8.4 EPS Logic Model The EPS is a support system that interfaces with almost all front line safety systems and support systems. The events identified for the EPS system represent the modeled interfaces of the E.PS system with the system requiring electrical power. These interfaces were modeled to the Motor Control Center level. The fault trees modeling these events are located in Appendix B. The developed events contained in the fault trees correspond to the following:
| |
| ACP-TAC-LP-4KV1H Failure of 4160 VAC Bus lH ACP-TAC-LP-4KV1J Failure of 4160 VAC Bus lJ ACP-TAC-LP-STBl H Failure of 4160 VAC Stub Bus lH ACP-TAC-LP-STBlJ Failure of 4160 VAC Stub Bus lJ ACP-TAC-LP-lHl-1 Failure of 480 VAC MCC lHl-1 ACP-TAC-LP-lHl-2 Failure of 480 VAC MCC lHl-2 ACP-TAC-LP-lJl-1 Failure of 480 VAC MCC lJl-1 ACP-TAC-LP-lJl-2 Failure of 480 VAC MCC 1J 1-2 ACP-T AC-LP-4801 H Failure of 480 VAC Bus 1H ACP-TAC-LP-4801J Failure of 480 VAC Bus lJ ACP-T AC-LP-BUS! I Failure of 120 VAC Vital Instrumentation Bus 1-1 ACP-TAC-LP-BSlil Failure of 120 VAC Vital Instrumentation Bus 1-11 ACP-T AC-LP-BSill Failure of 120 VAC Vital Instrumentation Bus 1-Ill ACP-T AC-LP-BSlIV Failure of 120 VAC Vital Instrumentation Bus 1-IV DCP-TDC-LP-BUSlA Failure of 12.5 VDC Bus lA DCP-TDC. . LP-BUSlB Failure of 12.5 VDC Bus lB The EPS model described above only models the EPS at Unit 1, with the dedicated diesel generator at Unit 1 and the swing diesel generator included. The model was used in conjunction with the other fault trees developed. SE;parate Boolean expressions were developed to model Station Blackout (SBO) initiating event frequencies for SBO at Unit 1 only, and SBO at Units 1 and 2. Both Station Blackout equations take into account all three diesel generators on the site.
| |
| * Station blackout*at Unit 1 (SBO-Ul) was defined as failure of diesel generator 1 and 3 to provide power to Unit 1 following a loss of offsite power. As stated,.in the assumptions, diesel genera tor 3 was assumed to be unavailable if diesel genera tor 2 failed. The frequency of SBO-Ul was calculated from the following Boolean equation:
| |
| ~
| |
| SBO-Ul = Loss of Offsite Power*
| |
| ((OEP-DGN-FS-DGOl + OEP-DGN-FR-DGOl + OE.P-DGN-MA-DGOl + OE.P-CRB-FT-1.5H3) *
| |
| (OE.P-DGN-FS-DG02 + OE.P-DGN-FR-DG02 + OE.P-DGN-MA-DG02 + OE.P.;.CRB-FT-2.5H3 +
| |
| OE.P-DGN-FS-DG03 + OE.P-DGN-FR-DG03 + OE.P-DGN-MA-DG03 + OEP-CRB-FT-1.5J3) +
| |
| OEP-DGN-FS*BET A2DG)).
| |
| Double test and maintenance activities were removed from the resultant product. Also, complementary events were included, as necessary, to,be sure that SB0-U1U2 was not a subset of SBO-Ul. The resultant SBO-Ul expression is shown in Appendix B.
| |
| | |
| Station blackout at Units 1 and 2 (SBO-UlU2) was defined a!!, failure of all three diesel generators following a loss .of offsite power. The frequency of SBO-U 1U2 was calculated from the following Boolean equation:
| |
| SBO-U 1U2 = Loss of Offsite Power *
| |
| ((OEP-DGN-FS-DGOl + OEP-DGN-FR-DGOl + OEP-DGN-MA.:.DGOl + OEP-CRB-FT-15H3) *
| |
| (OEP-DGN-FS-DG02 + OEP-DGN-FR-DG02 + OEP-DGN-MA-DG02 + OEP-CRB-FT-25H3) *
| |
| (OEP-DGN-FS-DG03 + OEP-DGN-FR-DG03 + OEP-DGN-MA-DG03 + OEP-CRB-FT-1.5J3) +
| |
| (OEP-DGN-FS*BET A3DG)). .
| |
| Double and triple test and maintenance activities were removed from the resultant product.
| |
| The fault trees described above and the expanded Boolean expressions for station blackout are shown in Appendix B. The specific assumptions used to develop the EPS fault trees are included in the following section.
| |
| 4.6.8 *.5 Assumptions in EPS System Model In addition to the general modeling groundrules made in the analysis and previously discussed in Section 4.6.1, several system specific assumptions were made in the course of the analysis. These specific assumptions made in the EPS analysis were as follows:
| |
| : 1. Failure of diesel generator 2 would result in the inability of diesel generator 3 to supply to Unit 1. Note that this assumption is conser-vative because if diesel generator 2 failed to run, but had a successful start, then diesel generator 3 could have been aligned to Unit 1 initially.
| |
| : 2. Diesel generator mission time was 6 hours for loss offsite power (T 1) events. See Appendix D for discussion.
| |
| : 3. The stub buses must be manually reloaded on the main buses following a loss of offsite power.
| |
| : 4. Battery depletion time was assessed to be 4 hours.
| |
| : 5. Cross connecting of buses was not considered.
| |
| : 6. Shorts in buses and motor control centers were postulated to fail only their respective bus or MCC and not fail the power source to the bus or MCC.
| |
| : 7. Actuation failures for diesel genera tors were not explicitly included.
| |
| The failure probability for DG fail to start was considered to include actuation failures.
| |
| 4.6.8.6 EPS Operating Experience Plant specific data for diesel generator failure to start was obtained from Surry plant test data. The data development of diesel generator failure to start probability is shown in Appendix D.1.
| |
| 4.6-.52
| |
| | |
| 4.6.9 High Pressure Injection/Recirculation System Model The Surry charging system provides normal coolant makeup to the reactor coolant system (RCS) and cooling flow to the. reactor coolant pump (RCP) seals under normal operating conditions. The high pressure injection/recirculation (HPI/HPR) system uses the same charging_ pumps to provide primary coolant injection and* recirculation following an accident, as well as maintaining flow to the RCP seals. The HPI system also functions to deliver boric acid to the RCS from the boric acid transfer system if emergency boration is required. The HPI/HPR system is a. front line system designed to provide coolant makeup, core heat removal early and late, or emergency boration for shutdown.
| |
| The following sections provide a physical description of the HPI/HPR system, identify interfaces and dependencies of the HPI/HPR system with other front line and support systems, list any operational constraints on the HPI/HPR system*, provide a description of the fault tree model constructed for the HPI/HPR system, identify any HPI/HPR system specific assumptions, and describe the operational experience available for the HPI/HPR system.
| |
| 4.6.9.1 HPI/HPR System Description Under normal operating conditions, one of the three charging pumps provides normal RCS makeup and cooling to the RCP seals by taking suction from the volume control tank (VCT) through two motor operated valves (MOVs) in series.
| |
| Upon indication of a loss of RCS coolant or steam line break (i.e., low pressurizer level, high containment pressure~ high pressure differential between main steam header and any steam lihe, or high steam flow with low average coolant temperature or low steam line pressure), the safety injection actuation system (SIAS) initiates emergency coolant injection. Emergency coolant injection differs from normal coolant makeup in three ways. First, the suction source is the refueling water storage tank (RWST) rather than the Volume Control Tank (VCT). Second, the pump discharge is directed to the cold legs instead of the Loop 2 hot leg. Finally, the emergency injection flow is from two pumps and is not throttled. The SIAS signals the normal charging line isolation valves to close; the standby charging pumps to start, the valves from the VCT to close, the normally open pump inlet and outlet MOVs to open, and a parallel set of normally closed MOVs to open to provide suction from the R WST. Also on receipt of an SIAS signal, a parallel set of normally closed MOVs open to provide flow from the pump discharge header to the three RCS cold legs. An additional path to the RCS cold legs through a manually operated, normally closed MOV ,is also available. Flow through this line to the RCS is treated as a recovery action. The line to the RCP seals remains open throughout the event. The HPI system may also be used in the "feed and bleed" cooling mode to provide core heat removal early. The only difference in this mode of operation from that discussed above is that a SIAS signal is not necessarily generated so the HPI system must be manually placed in service.
| |
| In the recirculation mode of operation, the HPR is used to provide core heat removal late in an accident sequence. The charging pumps draw suction from the discharge of the low pressure safety injection pumps in the low pressure recirculation (LPR) system. Upon receipt of a low R WST level signal, the recirculation mode transfer (RMT) system signals the charging pump suction valves from the R WST to close and the suction valves from the LPR pump discharges to open. The HPR pumps discharge to the cold leg or the hot leg during recirculation.
| |
| 4.6-.53
| |
| | |
| In the emergency boration mode, the HPI is used for emergency shutdown of the reac-tor. The HPI functions as described in the HPI description above with the exception that the boric acid transfer (BAT) pumps deliver boric acid from the BAT tanks to the charging pump suction header. To perform this operation, the operator must switch the normally operating BAT pump to fast _speed operation and open the MOV allowing flow
| |
| \nto the charging pump suction header. To enhance boric acid addition to the RCS, the emergency procedure cans for the RCS power operated relief valves be opened (to provide pressure reduction).
| |
| A simplified schematic of the HPI/HPR system, including the relevant portions of the BAT system is presented in Figure 4.6-12 4.6.9.2 HPI/HPR System Interfaces and Dependencies The HPI system interfaces with the containment spray system and the low pressure injection system at the common R WST via a shared valve. The HPR system interfaces with the low pressure recirculation system at the recirculation suction valves for the HPR. The HPI system is dependent on the R WST for fluid inventory, and the charging pump cooling system for charging pump seal cooling and lube oil cooling. The HPI system is also dependent on the AC power buses for motive power to the HPI pumps and motive and control power to the MOVs in the HPI system, the DC power buses for control power to the HPI pumps, and the SIAS for actuation of the HPI components. The HPR system is dependent on the low pressure recirculation system for fluid inventory, and the charging pump cooling system for charging pump seal cooling and lube oil cooling. The HPR system is also dependent on the AC power buses for motive power to the HPR pumps and motive and control power to the MOVs in the HPR system*,the DC power buses for con-trol power to the HPR pumps, and the RMT for actuation of the HPR switchover from injection. Additionally, for the emergency boration mode of HPI operation, the HPI is dependent on the primary pressure relief system to provide sufficient pressure reduction to allow for the timely injection of boric acid. These dependencies and specific train assignments are shown in the system dependency diagram in Figure 4.6-13 and the component status and dependency summary in Table 4.6-11.
| |
| 4.6.9.3 HPI/HPR System Operational Constraints Technical Specifications require two charging pumps to be operable at all times. This is incorporated into the model of the HPI by allowing only one charging pump to be initially unavailable due to test or maintenance activities. Technical Specifications also require that when Unit 1 is at power, at least one HPI/HPR pump at Unit 2 must be operable.
| |
| This is incorporated when considering Unit 2 in the recovery analysis.
| |
| The Surry HPI/HPR system is limited to the simultane~us operation of two of the three charging pumps. Further, the two operating pumps must be powered from different 4160 VAC buses. The third charging pump is placed in the "pull locked" position, i.e., the switch is placed in the off position. In this position, the pump is considered to be operable since the pump remains aligned to an AC bus and an SIAS actuation signal is present. Once the switch is returned to the "auto" position, if the SIAS signal has not been cleared, the pump will automatically start.
| |
| 4.6. 9.4 HPI/HPR System Logic Models The success criteria for the Surry HPI/HPR vary depending on the application in the event tree analysis. The success criteria for the HPI modes of operation require flow from any one of three charging pumps to the RCS cold legs in response to a LOCA 4.6-54
| |
| * NORMAL CHARGING PS23 LINE ,-!-P_,,S:.,,2"'-1_ _ _ _..,.__---.---~J--- TO COLD LEGS MOV1867D CV225 PS22 MOV1867C
| |
| '----P-S-- - - . . , . . - - - - - T O HOT LEGS 14 M0V18S9B
| |
| ~ AOV1160
| |
| ,--------------r-------------r-----:-"::-'."'."-----.-----,---1FC...--.TO i:,:::J PS1 XV15X 1-------1-----------.----~l---------..-----1---c;l<:l---15'<:l--1><}-CC--+TO MOV1370 FO XV277 XV278 RCP SEALS LOOP FILL HEADER C/l t'Ij CV224 I-<: I-'* TO LOW HEAD H"'4--""-TO t:/l SI PUMPS MOV128SA MOV1287A MOV128SB MOV1287B MOV128SC MOV1287C COLD rt 1
| |
| MOV1842 LEGS
| |
| ,i,.. ~ PS2 CV410 1----->+--
| |
| UNIT 2 CHARGING PUMP MOV1869A CV258 C/l CROSSTIE
| |
| °'u,I ~-
| |
| ,i,.. XV24 XV728 FROM L---4;,;,,..--TO PS15 HOT u, LEGS I-' °'I
| |
| ~ CV25 PS11 VCT
| |
| ~
| |
| I-'*
| |
| I\) MDPCH1A l a UNIT 2 ADV102A RWST CROSSTIE PS3 FROM BAT PUMPS MOV1115E
| |
| ~
| |
| (1)
| |
| PSS PSS PS7 PSS PS9 PS10 l MOV1115C ff p'
| |
| AOV102B MOV1115D MOV1267A M0V12S7B M0V12S9A MOV1269B MOV1270A MOV1270B FROM LOW HEAD SI PUMP 18 --.--1"4--..J MOV1863B L---------------L------------....L...--4"4-- - FROM LOW HEAD SI PS4 MOV 1863A PUMP 1A NOTE: PIPE SEGMENT (PSXX) REFERS TO PIPING AND COMPONENTS BETWEEN NODES
| |
| | |
| BAT TANK 1A BAT TANK 18
| |
| * MDPCH2A MDPCH28 (1- CH - P - 2A)
| |
| (1- CH - P - 28)
| |
| * TO BORIC ACID BLENDER FROMVCT MOV 1350 TO CHARGING PUMP SUCTIONS FAI Figure 4.6-12 (Cont'd)
| |
| HPI/HPR System Simplified Sketch 4.6-56
| |
| * HPI HPR HPI/HPR PUMP DISCHARGE TRAINS TO COLD LEGS
| |
| * PUMP TRAIN 1A PUMP TRAIN 18 PUMP TRAIN
| |
| ,c MOVl867C MOV1867D SAFETY SAFETY A
| |
| INJECTION INJECTION ACTUATION ACTUATION SYSTEM 8 SYSTEM AC AC 1H EMERGENCY EMERGENCY POWER POWER 1J DC EMERGENCY POWER LPR SUPPLY TO HPR CHARGING PUMP COOLING 1--+~----~:...i..:~--~~-~~~-
| |
| SYSTEM
| |
| * RWST SUPPLY TO HPI LPR SUPPLY FROM PUMP 1A LPR SUPPLY FROM PUMP 18 LPI/LPR A PUMP TRAIN 8 MOV11158 MOV1115D RECIRCULATION A MODE TRANSFER SYSTEM 8
| |
| SAFETY A INJECTION ACTUATION 1H 8 AC SYSTEM EMERGENCY POWER 1J AC 1H EMERGENCY POWER 1J Figure 4. 6-13 HPI/HPR System Dependency,Diagram
| |
| * 4.6-57
| |
| * Table 4.6-11 HPJ/HPR Component Status And Dependency Summary COMPONENT NORMAL STATUS ACTUATION DEPENDENCIES Pumps:
| |
| 1-CH-P-lA Normally Operating SIS-A 4160 V Bus IH, SIS-A, DC Bus 1A, CPC System 1-CH-P-lB Standby SIS-B 4160V Bus lJ, SIS-B, DC Bus 1B, CPC System 1-CH-P-lC Locked Out in CR SIS-A, B 4160V Bus lH, lJ, SIS-A,
| |
| -B, DC Bus lA, lB, CPC System MOVs:
| |
| 1115B NC/PAI SIS-A, RMT-A MCC lHl-2, SIS-A, RMT-A 11150 NC/PAI SIS-B, RMT-B MCC lJl-2, SIS-B, RMT-B 1115C NO/PAI SIS-A MCC lHl-2, SIS-A 1115E 1267A 1269A NO/PAI NO/PAI NO/PAI SIS-B R. Manual R. Manual MCC lJl-2, SIS-B MCC lHl-2 MCC lJl-2
| |
| * 1270A NO/PAI R. Manual MCC lHl-2 1267B LO/PAI R. Manual MCC lHl-2 1269B LO/PAI R. Manual MCC lJl-2 1270B LO/FAI R. Manual MCC lJl-2 1286A NO/PAI R. Manual MCC lHl-2 1287A NO/PAI R. Manual MCC lHl-2 1286B NO/PAI R. Manual MCC lJl-2 1287B NO/FAI R. Manual MCC lJl-2 1286C NO/PAI R. Manual MCC lHl-2 1287C NO/PAI R. Manual MCC lJl-2 1370 NO/PAI 4.6-58 R. Manual MCC lHl-2
| |
| *
| |
| * Table 4.6-11 (Continued)
| |
| HPI/HPR Component Status And Dependency Summary COMPONENT NORMAL *STATUS ACTUATION DEPENDENCIES MOVs:
| |
| 1289A NO/PAI R. Manual MCC lHl-2, SIS-A 1289B NO/PAI R. Manual MCC lJl-2, SIS-B 1867C NC/PAI R. Manual MCC lHl-1, SIS-A 1867D NC/PAI R. Manual MCC lJl-1, SIS-B 1842 NC/PAI R. Manual MCC lHl-2 1869A LC/PAI R. Manual MCC lHl-1 1869B LC/PAI R. Manual MCC lJl-1 1863A NC/PAI RMT-A MCC lHl-2, RMT-A 1863B NC/PAI RMT-B MCC lJl-2, RMT-B AOVs:
| |
| TV SI-102A NC/PO R. Manual Instrument Air, DC Bus lA TV SI-102B NC/PO R. Manual Instrument Air, DC Bus lB 4.6-.59
| |
| | |
| (automatic actuation), flow from any one of three charging pumps to the RCS cold legs in the **feed and bleed" mode (manual actuation), flow from any one of the three charging pumps to the RCP seals, or flow from any one of three charging pumps to the RCS with flow from one of two BAT pumps operating at fast speed (emergency boration mode).
| |
| These success criteria translate into the following top events in the HPI fault trees:
| |
| Failure to provide sufficient high pressure flow to the cold legs from at least one charging pump, given demand for automatic actuation.
| |
| Failure to provide sufficient high pressure flow to the cold legs from at least one charging pump*, given no demand for automatic actuation.
| |
| Failure to continue to provide seal injection flow from at least one charging pump.
| |
| Failure to provide sufficient emergency boration flow.
| |
| The success criterion for the HPR mode of operation is continued flow from any one of the three charging pumps taking suction from the discharge of the low pressure recirculation system, given successful low pressure recirculation system operation._
| |
| This success criterion translates into the following top event in the HPR fault tree.
| |
| Insufficient flow from at least one charging pump in the recirculation mode, given successful operation of the low pressure recirculation system.
| |
| The fault trees developed for these top events are shown in Appendix B. The fault trees were developed for failure of the Unit 1 HPI/HPR system. A Boolean expression was developed for the Unit 2 HPI system to model RCP seal cooling from Unit 2 during station blackout. This Boolean equation is shown in Appendix B. The specific assumptions used to develop the HPI/HPR fault trees are included in the following section.
| |
| 4.6.9.5 Assumptions irt HPI/HPR System Models In addition to the general modeling groundrules made in the analysis and previously discussed in Section 4.6.1, several system specific assumptions were made in the course of the analysis. The specific assumptions made in the. HPI/HPR analysis were as follows:
| |
| : 1. Initial charging pump configuration considered in the analysis is that pump lA is operating, pump lB is in standby and pump lC is "pull locked" and aligned to the 1H bus.
| |
| : 2. Charging pumps are rotated regularly during normal operation to achieve balanced service times. *
| |
| : 3. Failure to close the normal charging flow line does not constitute a flow diversion pathway.
| |
| 4.6-60
| |
| : 4. Minimum flow lines on the charging pump discharge do not represent
| |
| * a significant flow diversion pathway due to flow restriction orifices*
| |
| : 5. Room cooling is not required for the charging pumps due to the open communication with a large open area, resulting in long heat-up times. The plant ran the charging pumps successfully for several years before installing an air cooling system for the charging pumps.
| |
| : 6. The probability of all three parallel cold leg injection lines, each with two check valves and a locked open manual valve, failing to permit flow is considered negligible compared to other system faults.
| |
| : 7. Valves 1115B and 1115D are interlocked with valves 1115C and 1115E such that B and D will not open if C. or E are not closed. However, the C and E valves are provided with redundant limit switches and the probability of all four limit switches failing was considered negligible compared to the valve failure probabilities.
| |
| : 8. Switchover to the RWST from the VCT will occur upon indication of low VCT level regardless of the presence or absence of an SIAS signal.
| |
| : 9. When charging pump lC is not operating (pull locked), it is aligned to be powered from the bus powering the operating charging pumps.
| |
| Pump lC is not considered as the standby pump during normal operation except in the case of outage of the lA or lB charging pumps.
| |
| : 10. Use of MOV 1842 for cold leg injection, the cross connect with the Unit 2 RWST, and the cross connect of the Unit 2 charging pumps were treated as recovery actions in the accident sequence analysis as necessary.
| |
| : 11. For the emergency boration analysis, one boric acid transfer pump is normally operating and the manual valving arrangement is such that only the running pump can provide flow without manual realignment.
| |
| Since the time period of interest is 10 minutes, no recovery actions for manual realignment were postulated.
| |
| : 12. Sufficient emergency boration can be accomplished through either the normal charging flow path or through the injection flow ,.path.
| |
| : 13. No SIAS signal was assumed to occur in those cases where emergency boration was required.
| |
| : 14. No faults were postulated in the normal flow line to the RCS pump seals since the line is normally in use and the valves fail in the position such that they allow flow to the seals.
| |
| : 15. Regardless of the status of an SIAS signal, the standby charging pump will automatically start on loss of the operating charging pump.
| |
| : 16. The HPI/HPR pumps are lubricated off of a shaft driven oil pump
| |
| * during normal operation. The HPI/HPR Auxiliary oil pump is used on system startup. It was judged that failure of the auxiliary oil pump would not fail the HPI/HPR pump.
| |
| 4.6-61
| |
| : 17. It was considered that the Unit 2 HPI/HPR system is symmetrical to the Unit 1 HPI/HPR system. This consideration was used when modeling HPI from Unit 2~
| |
| 4-.6~ 9*.6 HPI/HPR System Operating Experience Since the Surry HPI/HPR system includes the normally opera ting charging pumps, significant operat.ing experience was available from plant da:ta to justify the use of plant specific failure data for the charging pumps. No other applicable operating experience was found for the HPJ/HPR system. See Appendix D for development of the plant specific data.
| |
| 4.6.10 Inside Spray Recirculation System Model The inside spray recirculation OSR) system provides long term containment pressure reduction and containment heat removal following an accident by drawing water from the containment sump and spraying the water into the containment atmosphere. Heat is removed from the sump water through service water cooled heat exchangers. The JSR system is a front line system designed to protect the containment. The following sections provide a physical description of the JSR system, identify the interfaces and dependencies of the JSR system with other front line and support systems, list any operational constraints on the JSR system, provide a description of the fault tree model constructed for the ISR system, identify the JSR specific assumptions, and describe the operational experience available for the JSR system.
| |
| 4.6.10.1 ISR Description The Surry ISR system is composed of two independent 100% capacity recirculation spray trains. Each spray train draws water from the containment sump through independent suction strainers and lines. The JSR and outside spray recirculation (OSR) systems draw from the same sump, although the sump is compartmentalized and each ISR train has a
| |
| * separate sump compartment. Each ISR system pump discharges to a service water heat exchanger. The cooled water is then directed to an independent spray header. In order to ensure adequate net positive suction head for the JSR pumps during the initial phases of a loss of coolant accident (LOCA), a recirculation line diverts a small amount of the cooled ISR flow back to the sump, dose to the pump inlet. A simplified schematic of the ISR system is shown in Figure 4.6-14.
| |
| The ISR system automatically starts on receipt of a hi-hi (2.5 psia) containment pressure signal from the consequence limiting control system (CLCS). The CLCS signals start the ISR pumps. An agastat timer in the pump start circuit delays pump start for two minutes to ensure adequate sump inventory in the design basis scenario, and the correct diesel genera tor loading sequence in the event of loss of offsite power.
| |
| 4.6.10.2 ISR System Interfaces and Dependencies The ISR system is dependent on the injection systems for sump inventory and the service water system for cooling of the sump water. The ISR system also depends on the AC power buses for motive power to the ISR pumps, the DC power buses for control power to the ISR pumps, and the CLCS for actuation of the JSR pumps. These dependencies and specific train assignments are shown in the system dependency diagram in Figure 4.6-1.5 and the component status and dependency summary in Table 4.6-12.
| |
| 4.6-62
| |
| | |
| PS60 PS61 HXRS1A sws HXRS1B sws
| |
| *
| |
| * Figure 4.6-14 ISR System Simplified Sketch 4.6-63
| |
| | |
| ISR SYSTEM
| |
| * TRAIN TRAIN 1A 18 CONSEQUENCE Al----4-+4--------~-+--~
| |
| LIMITING CONTROL SYSTEM Bi----+------~~--
| |
| AC 1Hi----+-+-'!~-----t---
| |
| EMERGENCY POWER 1J 1 - - - + - - - - - - - + - ~ - -
| |
| DC 1Ai---.....-+-,~--------+----
| |
| EMERGENCY POWER 1B ~ - - " " ' - - - - - - - . ~ ~ -
| |
| SERVICE WATER SYSTEM Figure 4. 6-15 ISR System Dependency Diagram 4.6-64
| |
| * Table 4.6-12
| |
| * ISR Component Status And Dependency Summary COMPONENT NORMAL STATUS ACTUATION DEPENDENCIES Pumps:
| |
| 1-RS-P-lA Standby CLS-Hi-Hi 480V Bus lH, 2 min. time CLS-Hi-Hi-2A, delay DC Bus lA 1-RS-P-1B Standby CLS-Hi-Hi 480V Bus lJ, 2 min. time CLS-Hi-Hi-2B, delay DC Bus lB
| |
| *
| |
| * 4.6-65
| |
| | |
| 4.6.10.3 JSR System Operational Constraints The only operational constraint utilized for the JSR system model is that Technical Specifications require one train of the JSR system be operable at all times, i.e~, only one vain can be removed from service for maintenance at any one time. This is incorporated into the model of the JSR system by allowing only one JSR pump to be initially unavailable due to test or maintenance activities.
| |
| * 4.6.10.4 JSR System Logic Model The success criterion for the Surry JSR system is the same for each application in the event tree analysis. The success criterion is that at least one of the two JSR trains provides flow to its containment spray header with service water being supplied to the heat exchanger. This translates into the following top event in the ISR fault tree:
| |
| F1 - Insufficient flow or cooling from at least one ISR train.
| |
| The fault tree developed for this top event is shown in the Appendix B. The specific assumptions used to develop the JSR fault tree are included in the following section.
| |
| 4.6.10.5 Assumptions in ISR System Model In addition to the general modeling groundrules made in the analysis and previously discussed in Section 4.6.1, several system specific assumptions were made in the course of the analysis. The specific assumptions made in the ISR system analysis were as follows:
| |
| 1.
| |
| 2.
| |
| The ISR pumps are environmentally qualified for a post-LOCA atmosphere and as such do not require room cooling.
| |
| Due to flow restriction orifices, the recirculation lines to the sump do not constitute flow diversion pathways.
| |
| *
| |
| : 3. If cooled flow from the recirculation line* is not provided to the pump suction during the early phases of a LOCA sufficient net positive suction head is not available to the ISR pumps and the pumps were estimated to fail. Plugging of the lines is considered negligible.
| |
| : 4. The probability of plugging of sufficient nozzles in a spray header to prevent an ISR system train from performing its function was consi-dered negligible.
| |
| 4.6.10.6 ISR Operating Experience Plant specific operational data derived from monthly pump test records 0£ the ISR pumps indicated a significant difference from the generic data. Therefore plant-specific data was used in the analysis. The development of the plant specific data is shown in Appendix D.1.
| |
| 4.6-66
| |
| * 4.6.11 Low Pressure Injection/Recirculation System Model The Surry low pressure/injection recirculation (LPI/LPR) S!'Stem provides emergency coolant injection and recirculation following a loss of coolant accident when the reactor coolant system (RCS) depressurizes below 180 psig. In addition to the direct recirculation of coolant during the recirculation phase once the RCS is depressurized, the LPR discharge provides the suction source for the high pressure recirculation system (HPR) following drainage of the refueling water storage tank (RWST). The LPI/LPR system is a front line system designed to provide coolant makeup and core heat removal.
| |
| The following sections provide a physical description of the LPI/LPR system, identify the interfaces and dependencies of the LPI/LPR system with other front line and support systems, list any operational constraints on the LPI/LPR system, provide a description of the fault tree model constructed for the LPI/LPR system, identify the LPI/LPR system specific assumptions, and describe the operational experience available for the LPI/LPR system.
| |
| 4.6.11. l LPI/LPR Description The Surry LPI/LPR system is composed of two 100% capacity pump trains. In the injection mode, the pump trains share a common suction header from the R WST. Each pump draws suction from the header through a normally open motor operated valve (MOV), check valve, and locked open manual valve in series. Each pump discharges through a check valve and normally open MOV in series to a common injection header.
| |
| The injection header contains a locked open MOV and branches to three separate lines, one to each cold leg. Each of the lines to the cold legs contain two check valves in series to provide isolation from the high pressure RCS. The LPI/LPR system is not cooled by any other system.
| |
| In the recirculation mode, the pump trains draw suction from the containment sump through a parallel. arrangement of suction lines to a common header.. Flow from tfte suction header is drawn through a normally closed MOV and check valve. in series.
| |
| Discharge of the pumps is directed to either the cold legs through the same lines used for injection or to a parallel set of headers which feed the charging pumps, depending on the RCS pressure.
| |
| In the hot leg injection mode, system operation is identical to horm~l recirculation with the exception that the normally open cold leg injection valve must be remote manually closed and one or more normally closed hot leg recirculation valves must be remote manually opened.
| |
| Upon indication of a loss of RCS coolant or a main steam line break (i.e., low pressurizer level, high containment pressure, high pressure differential between main steam header and any steam line or high steam flow with low average coolant temperature or low steam line pressure), the safety injection actuation system (SIAS) initiates LPI opera-tion. The SIAS signals the low pressure pumps to start. All valves are normally aligned to their injection position. If primary system pressure remains above the LPI pump shutoff head, the pumps will discharge to the R WST ihrough two normally open minimum flow recirculation lines until the RCS pressure is sufficiently reduced to allow inflow.
| |
| Upon receipt of a low R WST level signal, the recirculation mode transfer system (RMT) signals the low pressure pump suction valves from the R WST and the valves in the minimum flow recirculation lines to the R WST to close, and the suction valves from the containment sump to open.
| |
| * 4.6-67
| |
| | |
| At approximately 16 hours following the start of the accident, the emergency procedures call for switchover from cold leg ~ecirculation to hot leg recirculation. The operato.r must restore power to valves 1890 A, B, and C, open 1890 A and B, and close 1890C.
| |
| A simplified schematic of the LPI/LPR system is shown in Figure 4.6-16.
| |
| 4.6.11.2 LPI/LPR Interfaces and Dependencies The LPI system interfaces with the containment spray system and the high pressure injection system at the common R WST via a shared valve. The LPI system is dependent on the R WST for fluid inventory and the SIAS for actuation of the LPI components. The LPR system interfaces with the high pressure recirculation system at the recirculation suction valves for the HPR. Both the LPI and LPR systems depend on the AC power buses for motive power to the LPI/LPR pumps, and motive and control power to the MOVs in the LPI/LPR system, and the DC power buses for control power to the LPI/LPR pumps. The LPR system is dependent on the injection systems f.or sump inventory and the RMT for actuation of the LPR switchover from injection. These dependencies and specific train assignment are shown in the system dependency diagram in Figure 4.6-17 and the component status and dependency summary in Table 4.6-13.
| |
| The net positive suction head (NPSH) requirements for the LPI/LPR pumps are met dur-ing the recirculation phase of a LOCA, given that the RWST.contents have been injected into containment. For those containment vulnerable sequences, where containment fails due to overpressure, it was determined that NPSH requirements do not prevent LPR operation, not only throughout the overpressure period, but after containment failure.
| |
| 4.6.11.3 LPI/LPR Operational Constraints The only operational constraint utilized in the LPI/LPR system model is that Technical Specifications require both trains of the LPI/LPR system to be operable at all times.
| |
| This is incorporated into the model of the LPI/LPR system by allowing only LPI/LPR pump to be initially unavailable due to test or maintenance activities.
| |
| 4.6.11.4 LPI/LPR Logic Models The success criteria for the Surry LPI/LPR vary depending on the application in the event tree analysis. The success criterion for the LPI mode of operation is flow from one or more low pressure pumps to the RCS cold legs in response to a loss of primary coolant inventory.
| |
| This success criterion translates into the following top event in the LPI fault tree:
| |
| Insufficient flow from at least one low pressure pump to the cold legs.
| |
| The success criteria for the LPR modes of operation are continued flow from either of the two low pressure pumps to the cold legs and switchover to hot leg recirculation at 16 hours or sufficient flow from either of the two low pressure pump.s to the charging pump suction header.
| |
| 4.6-68
| |
| * PS42 NO/FAI 1BBSC TO CHARGING NO/FAI PS1 18858 PUMP INLET HEADER XV15X LO NO/FAI FROM HPI I
| |
| NC-FAI PS40 1885D TO HPI 18638 NO/FAI POWER 6"-Sl-50-1502 1BBSA HOT LEG LOOP 3 REMOVED PS 47 PS33 NCIFAI 6"-Sl-48-1502 HOT LEG LOOP 2 XV48 18908 CV228 FROM HPI
| |
| .IfIf.
| |
| NO FAI CV47 POWER REMOVED COLD LEG LOOP 1 PS35 CV79 18608 PS38 NO/FAI NC CVS& COLD LEG LOOP 2 FAI CV242 CV82 PS45
| |
| '° . . 1864A h i PS34 COLD LEG LOOP 3 CV243 eves i 0\
| |
| 1862A PS30 CV46A XV57 (1-SI-P-1 A) PS39 1890A PS46 CV229 6"-Sl-49-1502 FROM HOT LEG LOOP 1 I
| |
| MDPSl1A 1863A HPI NC-FAI TO CHARGING SUMP PUMPS
| |
| | |
| LPI/LPR LPI/LPR PUMP TO HOT LEGS TRAINS PUMP PUMP PUMP 1ATO PUMP1BTO PUMP1B TO PUMP1ATO TRAIN TRAIN 6" Sl-49-1502 6" Sl-48-1502
| |
| * 6" Sl-49-1502 6" Sl-48-1502 1A 1B
| |
| .
| |
| ,a:.
| |
| O'\
| |
| SAFETY INJECTION A
| |
| I ACTUATION
| |
| -...J B 0 SYSTEM AC 1H AC 1H EMERGENCY EMERGENCY POWER 1J POWER 1J DC 1A EMERGENCY POWER 1B RECIRCULATION A MODE TRANSFER SYSTEM B Figure 4. 6-17 LPI/LPR System Dependency Diagram
| |
| | |
| Table 4.6-13
| |
| * LPI/LPR Component Status And Dependency Summary COMPONENT NORMAL STATUS ACTUATION DEPENDENCIES Pumps:
| |
| 1-SI-P-lA Standby SIS-A 480V Bus lH, DC Bus IA, SIS-A 1-SI-P-lB Standby SIS-B 480V Bus lJ, DC Bus lB SIS-B MOVs:
| |
| 1862A NO/FAI R. Manual, RMT-A MCC-lHl-2, RMT-A 1862B NO/FAI R. Manual, RMT-B MCC-IJl-2, RMT-B 1864A NO/FAI R. Manaul MCC-lHl-2 1864B NO/FAI R. Manual MCC-lJl-2 1890A NC/FAI R. Manual MCC-lHl-2 1890B NC/FAI R. Manual MCC-lJl-2 1890C NO/FAI R. Manual MCC-lHl-2 1885A NO/FAI RMT-A MCC-lHl-2, RMT-A 1885B NO/FAI RMT-B MCC-lJl-2, RMT-B 1885C NO/FAI RMT-A MCC-lHl-2, RMT-A 1885D NO/FAI RMT-B MCC-lJl-2, RMT-B 1860A NC/PAI RMT.-A MCC-lHl-2, RMT-A 1860B NC/PAI RMT-B MCC-lJl-2, RMT-B 1863A NC/FA.I RMT-A MCC-lHl-2, RMT-A 1863B NC/PAI RMT-B MCC-IJ!.;.2, RMT-B
| |
| * 4.6-71
| |
| | |
| These success criteria translate into the following top events in the LPR fault trees:
| |
| H1 (A, S1, Transients)- Insufficient flow from at least one low (LPR-LH Fault Tree) pressure pump to the cold legs from the containment sump or failure to switch to hot leg recirculation at 16 hours.
| |
| H l (s 2, s3 LOCAs) - lnsu.fficient flow from at .least one low (LPR..:HH Fault Tree) pressure pump to the charging pump suction header from the containment sump.
| |
| The fault trees developed for these top events are shown in the Appendix B. The specific assumptions used to develop the LPI/LPR fault trees are included in the following section. * *
| |
| * 4.6.11 *.5 Assumptions in LPI/LPR System Models In addition to the general modeling groundrules made in the analysis and previously discussed in Section 4.6.1, several system specific assumptions were made in the course of the analysis. The specific assumptions made in the analysis of the LPI/LPR system were as follows:
| |
| : 1. Failure to close the minimum flow recirculation lines to the RWST during the recirculation phase of a LOCA does not result in failure of the LPI/LPR system due to flow diversion. Failure to close mini-flow
| |
| * lines would result in a minimal flow diversion back to the R WST, which could easily be rectified.
| |
| : 2. Failure of the minimum flow recirculation lines to allow flow during the injection phase, (i.e*., plugged or closed valves), thereby providing pump protection following an SIAS signal at high RCS pressures was not postulated. Failure was not postulated since the valves are nor-mally open, lighted and alarmed in the control room if out of normal position, and both lines must fail. The only potential failure mode is plugging and is considered to be statistically negligible, due to the testing frequency.
| |
| : 3. Room cooling for the low pressure pumps is not required.
| |
| : 4. Failure of the LPI due to failure of low pressure pump seal coolers was considered negligible compared to other LPI failures. The seal coolers have a natural circulation air cooler and draw seal water from the pump suction *
| |
| .5. All LPI/LPR MOVs, with the exception of valves 1864A and 1864B, have position indication in the control room. The valve positions are lighted and alarmed to indicate misalignment of the LPI/LPR system. Therefore inadvertent mispositioning of the MOVs was not postulated in the analysis.
| |
| : 6. Plugging failures due to debris in the sump were included in two ways. First, a common cause failure due to sump plugging was pos-tulated for all systems which rely on the sump, and second, random plugging of sump suction valves was included.
| |
| 4.6-72
| |
| * 4.6.11.6 LPI/LPR Operating Experience No pertinent plant specific operational experience of the Surry LPI/LPR system was found.
| |
| 4.6.12 Outside Spray Recirculation System Model The outside spray recirculation (OSR) system provides long term containment pressure reduction and containment heat removal following an accident by drawing water from the containment sump and spraying the water into the containment atmosphere Heat is removed from the sump water through service water cooled heat exchangers. The OSR system is a front line system designed to protect the containment. The following sections provide a phyi;ical description of the OSR system, identify the interfaces and dependencies of the OSR system with other front line and support systems, list an operational constraints on the OSR system, provide a description of the fault tree model constructed for the OSR system, identify the OSR system specific assumptions, and describes the operational experience available for the OSR system.
| |
| 4.6.12.1 OSR System Description The Surry OSR system is composed of two independent, 100% capacity recirculation spray trains. The spray trains draw water from the containment sump through two parallel suction strainers and lines- which--are headered together. The OSR and Inside spray recirculation (ISR) systems draw from the same sump, although the sump is compartmentalized. Each OSR train has its own separate compartment. Each OSR system pump has an individual suction line from the header with a normally open motor operated valve (MOV). Each pump discharges through a normally open MOV, check valve, and a service water heat exchanger. The cooled water is then directed to an independent spray header. In order to ensure adequate net positive suction head for the OSR system pumps during the early phase of a loss of coolant accident (LOCA), a line is provided which diverts a small amount of the cool CSS flow to the sump, close to the pump suction strainers. A simplified schematic of the OSR system is shown in Figure 4.6-18.
| |
| The OSR system automatically starts on receipt of a hi-hi (25 psia) containment pressure signal from the consequence limiting control system (CLCS). The CLCS signals start the OSR system pumps and ensure that the pump inlet and discharge valves are open. An agastat timer in the pump start circuit delays pump start for five minutes to ensure adequate sump inventory and the correct diesel generator loading sequence in the event of loss of offsite power.
| |
| 4.6.12.2 OSR System Interfaces and Deper:idencies The OSR system is dependent on the injection systems for sump inventory, the containment spray system.(C:SS) for adequate net positive suction head (NPSH) during the early phase of a large LOCA, and the service water system for cooling of the sump water. The NPSH related dependency on the CSS was conservatively used for all size LOCAs, not only the large LOCA. The OSR system also depends on the AC power buses for motive power to the OSR system p~mps a~d motive and contrql power to the OSR system MOVs, the DC power buses for col')trol power to the OSR system pumps, and the CLCS for actuation of the OSR system pumps. These dependencies and specific train assignments are shown. in the system dependency diagram in Figure 4.6-19 and the component status and dependency summary in Table 4.6-14.
| |
| 4.6-73
| |
| | |
| HXRS1D sws HXRS1C sws MOVRS156B CV11 MOVRS156A CV17 PS72 PS71 FROM CSS
| |
| ..L _L MDPRS28 MDPRS2A MOVRS155B
| |
| *
| |
| * OSR SYSTEM TRAIN TRAIN 2A 28 CONSEQUENCE A i - - - . - ~ - - - - - ~ - -
| |
| LIMITING CONTROL Bi----i-------F-+-~-
| |
| SYSTEM AC 1Ht---+-i-+------+---
| |
| EMERGENCY POWER 1J .---+-------E-+-+--
| |
| DC 1Ai---~~-------'---
| |
| EMERGENCY POWER 18------------
| |
| SERVICE WATER SYSTEM CONTAINMENT SPRAY SYSTEM Figure 4. 6-19 OSR System Dependency Diagram
| |
| * 4.6-75
| |
| | |
| Table 4.6-14 COMPONENT OSR Component Status And Dependency Summary NORMAL STATUS ACTUATION DEPENDENCIES
| |
| * Pumps:
| |
| 1-RS-P-2A Standby CLS-Hi-Hi-2A 480V Bus 1H, DC Bus 1A, 5 min time CLS-Hi-Hi-2A, CSS delay 1-RS-P-2B Standby CLS-Hi-Hi-2B 480V Bus lJ, DC Bus lB, 5 min time CLS-Hi-Hi-2B, CSS delay MOVs:
| |
| RS155A NO/FAI CLS-Hi-Hi-2A MCC lHl-2, CLS-Hi-Hi-2A RS155B NO/FAI CLS-Hi-Hi-2B MCC-lJl-2, CLS-Hi-Hi-2B
| |
| * RS156A NO/FAI CLS-Hi-Hi-2A MCC-lHl-2, CLS-Hi-Hi-2A RS156B NO/FAI CLS-Hi-Hi-2B MCC-lJl-2, CLS-Hi-Hi-2B 4.6-76
| |
| *
| |
| * 4.6.12.3 OSR System Operational Constraints The only operational constraints utilized for the OSR system model is that Technical Specifications require both trains of the OSR system be operable at all times. This is incorporated into the model of the OSR system by allowing only one OSR system pump to be initially* unavailable due to test or maintenance activities.
| |
| 4.6.12.4 OSR System Logic Model The success criterion for the Surry OSR system is the same for each application in the event tree analysis. The success criterion is that at least one of the two OSR system trains provides flow to its containment spray header, with service water provided to the heat exchanger. This translates into the following top event in the OSR system fault tree:
| |
| F 2 - Insufficient flow and cooling from at least one OSR system trains.
| |
| The fault tree developed for this top event is shown in Appendix B. The specific assumptions used to develop the OSR system fault tree are included in the following section.
| |
| 4.6.12.5 Assumptions in OSR System Model In addition to the general modeling assumptions made in the analysis anc:f previously discussed in Section 4.6.1, several system specific assumptions were made in the course of this analysis. The specific assumptions made in the CSR system analysis area as follows:
| |
| : 1. Room cooling is not required for operation of the OSR system pumps due to their location in an area where there is open communication to a large area resulting in long heat-up times.
| |
| : 2. CSS flow to the sump region in the area of the OSR pump suction is required to provide adequate net positive suction head to the OSR system pumps during the time of CSS operation.
| |
| : 3. The probability of plugging of sufficient nozzles in a spray header to prevent an OSR system train from performing its function is considered negligible.
| |
| 4.6.12.6 OSR System Operating Experience No pertinent plant specific operational experience of the Surry OSR system was found.
| |
| 4.6.13 Power Conversion System Model The power conversion system (PCS) can be used to provide feedwater and remove heat from the steam generators following a transient. The following sections provide a physical description of the PCS, identify the interfaces and dependencies of the PCS with other front line and support systems, list any operational constraints on the PCS, provide a description of the model used in the analysis of the PCS, identify the PCS specific assumptions, and describe the operational experience available for the PCS.
| |
| 4.6-77
| |
| | |
| 4.6.13.1 PCS Description Three different aspects of the PCS were modeled for this study: the steam generators (SG) secondary side, portions of the main steam system, and main feedwater (MFW).
| |
| The steam generators, upstream of the containment isolation valves, were analyzed for possible loss of SG integrity. In addition to the relief paths discussed below, the following paths provide a potential loss of SG integrity should they fail to isolate: a) steam can flow from the steam generator through a manual isolation valve and check valve to the steam supply for the AFW turbine driven pump, b) flow from the SG blowdown line through the blowdown coolers to the Blowdown Treatment system, and c) flow from a higher pressure SG to a lower pressure SG via a check valve failing to seat in the header which supplies the decay heat removal valve.
| |
| The SG relief system is composed of five code safety relief valves and one power oper-ated relief valve (PORV) for each steam generator. The SG relief valves were modeled for the station blackout and steam generator tube rupture transients. The PORVs provide SG pressure relief at a set point below the SR Vs. Each POR V is provided with a manually operated block valve which is normally open unless a PORV is leaking. The POR Vs automatically open on high SG pressure or are manually opened at the direction of the operator. All of the relief valves are upstream of the main steam header containment isolation valves and all discharge directly to atmosphere outside of the containment.
| |
| A portion of the main steam system was analyzed for the operator depressurization and cooldown fault trees. That portion consisted of two separate steam flowpaths: steam dumped to the main condensers and steam dumped to the atmosphere. Steam flows to the main condenser via one of two turbine bypass valves during cooldown. The atmos-pheric cooldown path uses the SG PORV, if it is available.
| |
| The MFW portion consists of the main feedwater pumps, the condensate pumps, the con-densate booster pumps, and the hotwell inventory. Because Surry has electric driven MFW pumps, it is possible to supply feedwater using the MFW system, without having the turbine bypass and steam condensing systems available. The inventory of the hotwell (with the condensate storage tank as a backup supply) was calculated to be sufficient for all mission times of interest. The feedwater regulating valves will close after a reactor scram, due to plant control logic. The feedwater pumps remain on, and the miniflow valves will open. Feedwater can then be provided to the SGs, through the feedwater regulating valve bypass valve.
| |
| 4.6.13.2 PCS Interfaces and Dependencies The PCS is dependent on DC power and instrument air. However, the system was not explicitly modeled and the dependencies were not developed further than that required on the initiating event level.
| |
| 4.6.13.3 PCS Operational Constraints No operational constraints were identified for the Surry PCS.
| |
| 4.6.13.4 PCS Logic Model The success criteria for the Surry PCS varied depending on the application in the event tree analysis. The success criterion for the steam generator portion of the PCS was 4.6-78
| |
| * isolation of all SG effluent lines following a SGTR. Boolean equations were developed to model these events. This success criteria translated in.to the following top events.
| |
| Failure to isolate the SG following a steam generator tube rupture. This includes the POR V and SR V Ufting and failing to reclose, failure to isolate the SG blowdown line, failure to isolate the steam supply to the AFW turbine driven pump, from the ruptured SG and failure to stop flow via the decay heat removal line.
| |
| - Failure of one or more SG relief valves to reclose after opening during station blackout.
| |
| The success criterion for main feedwater portion of the PCS is restoration of flow from one or more main feedwater pumps to one or more steam generators. The following failure event was quantified using the generic failure rates for the equipment and actions required to restore flow as a ''black box" model of the top event.
| |
| M Failure of at least one main feedwater pump to provide flow to at least one steam generator.
| |
| The success criterion for the main steam system portion of PCS system used in plant cooldown is flow from at least one SG via any one of the atmospheric or condensor paths. This translates into the following top events in the On fault trees.
| |
| Failure to cooldown and depressurize the reactor coolant system (RCS) from at least one SG.
| |
| Event On consists of fault tree On for LOCAs and on-SG for SGTR.
| |
| * Fault tree On is failure to cooldown from at least one of three SGs. Fault tree on-SG is failure to cooldown and depressur.ize the RCS from at least one of two SGs.
| |
| * The fault trees and Boolean equations developed for these top events are shown in Appendix B~ The derivation of the failure probability* £or event M is developed* in Appendix n.t The specific assumptions used to develop the fault trees ahd equations are included in the following section.
| |
| 4.6.13 *.5 Assumptions in PCS System Model In addition to the general modeling groundrules made in the analysis and previously discussed in Section 4.6.1, several system specifc assumptions were made in the course of this analysis. The specific assumptions made in the PCS system analysis were:
| |
| t Feedwater regulating valves were assumed to close after all reactor trips.
| |
| : 2. The steam generator with the tube rupture was postulated as SG "A".
| |
| 4.6.13.6 PCS Operating Experience The Surry operation experience with the; SG-PORVs indicated that each block valve is closed approximately 1.5% of the time during reactor operation due to leaking PORVs.
| |
| This experience was included in the analysis.
| |
| 4.6-79
| |
| | |
| 4.6.14 Primary Pressure Relief System Model The primary pressure relief system (PPRS) provides protection from overpressurization of the primary system to ensure that primary integrity is maintained. The PPRS also provides the means to reduce the reactor coolant system (RCS) pressure if necessary.
| |
| i'he PPRS is a front line system designed to control pressure and aid in core heat removal during "feed and bleed" cooling. The following sections provide a physical description of the PPRS, ident_ify the interfaces and dependencies of the PPRS with other front line and support systems, list any operational constraints on the PPRS, provide a description of the fault tree model constructed for the PPRS, identify the PPRS specific assumptions, and describe the operational experience available for the PPRS.
| |
| 4.6.14.1 PPRS Description The Surry PPRS is composed of three code safety relief valves (SRV) and two power operated relief valves (PORVs). The code safety valves were important only in the anticipated transient without scram (ATWS) analysis. The PORVs provide RCS pressure relief at a set point below the SR Vs. The POR Vs discharge to the pressurizer relief tank. Each PORV is provided with a motor operated block valve. A simplified schematic of the PPRS is shown in Figure 4.6-20.
| |
| The PORVs automatically open on high RCS pressure or are manually opened at the discretion of the operator. The block valves are normally open unless a PORV is leaking.
| |
| 4.6.14.2 PPRS Interfaces and Dependencies The PPRS is dependent on the AC power buses for motive and control power to the PORV block valves, DC power for control power to the PORVs, and the containment air system for motive power to the PORVs. However, the PORVs are provided with air bottles sized to provide approximately 80 openings of each valve. Therefore, no dependencies on the containment air system were included in the system models. These dependencies and specific train assignments are shown in the system dependency diagram in Figure 4.6-21 and the component status and dependency summary in Table 4.6-15. The SRVs have no dependencies on any other plant system.
| |
| 4.6.14.3 PPRS Operational Constraints No operational constraints were identified for the PPRS.
| |
| 4.6.14.4 PPRS Logic Model The success criteria for the Surry PPRS vary depending on the application in the event tree analysis. The success criterion for the PPRS following a transient event demanding PORV opening is that the PORVs successfully reclose. The success criterion for the PPRS following a very small loss of coolant accident (LOCA) demanding the PORV opening is also that the PORVs successfully reclose. The PORV is likely to be demanded during a very small LOCA if the operator fails to control emergency injection flow.
| |
| These success criteria translate into the following top events:
| |
| Q One or more POR Vs fail to reclose following a transient.
| |
| One or more PORVs fail to reclose during a very small LOCA.
| |
| 4.6-80
| |
| *
| |
| | |
| *
| |
| * TO PRESSURIZER RELIEF TANK 1-RC-TK-2 6" 6" 6" SV 1551A sv SV 1551 C 15518 6"
| |
| MOV FC 1535 PCV 4" 1456 MOV FC 1536 PCV PRESSURIZER 1455C
| |
| * PRIMARY PRESSURE RELIEF SYSTEM FLOW PATH FLOW PATH THRU PORV THRU PORV 1455C 1456 DC EMERGENCY 1A...._--~--------------
| |
| * POWER 1B . . . . _ - - - - - - - ~ -
| |
| AC 1H----------------.__._-
| |
| EMERGENCY POWER 1J i-----"~-------
| |
| * Figure 4.6-21 Primary Pressure Relief System Dependency Diagram 4.6-82
| |
| | |
| Table 4.6-1.5
| |
| * COMPONENT PORVs:
| |
| PPRS Component Status And Dependency Summary NORMAL STATUS ACTUATION DEPENDENCIES PCV-1455C NC Opens on high RCS . DC Bus lA,.
| |
| pressure, or at Containment air discretion of operator.
| |
| PCV-1456 NC DC Bus lB, Containment air MOVs:
| |
| 1535 Normally open, unless R. Manual MCC-lHl-2 POR V is leaking.
| |
| 1 block valve closed 3096 of time 1536 R. Manual MCC-lJl-2 SRVs:
| |
| 1551A NC Automatic None 1551B NC Automatic None 1551C NC Automatic None
| |
| | |
| The success criteria for the PPRS system to operate on demand are considered next. The success criterion for PPRS following a transient and failure of the AFW system is that both PORVs successfully open on demand.. One support system function was also identified for the PPRS in the fault tree for emergency boration mode of the high pressure injection system (HPI) operation. The success criterion for the PPRS following a small LOCA with failure of the AFW system and for the support system function provided to HPI.in the. emergency boration mode is that one or more PORVs successfully
| |
| * open on demand. The success criterion for ATWS is that 3 SRVs or 2 SRVs and 2 PORVs open. The PPRS .related events are coded with the designator PPS in the fault tree and sequence analysis. These success criteria translate into the following top events in the PPRS fault trees:
| |
| P Failure of 2 of 2 PORVs to open to support feed and bleed.
| |
| Failure of at least one POR V to open on demand (Note: also serves as a developed event in the D 4 fault tree).
| |
| P2 Failure of at least 2 SRVs or failure of 1 SRV and 1 PORV.
| |
| The fault trees developed for top events P, P 1, and P 2 and the Boolean equation for Q are shown in Appendix B. Appendix D.l shows the derivation of the probability for event Oc*
| |
| 4.6.14.5 Assumptions in PPRS System Model No system specific assumptions were made in the course of the PPRS analysis.
| |
| 4.6.14.6 PPRS Operating Experience The Surry operation experience with the PORVs and their block valves indicated that each block valve is closed approximately 30% of the time during reactor operation, due to leaking PORVs. This experience was included in the analysis.
| |
| 4.6.15 Reactor Protection System Model The reactor protection system (RPS) is designed to automatically scram the reactor follow~ng recei~t of indicaJions of abn?rmal conditions. The St12'I;Y RPS was not modeled for this anwrrts. Generic data derived from NUREG-1000 and the NRC ATWS Rulemaking, was used in the analysis.
| |
| 4.6.15.1 RPS System Description The RPS is an actuation system that receives signals from several different types of sensors. The sensor signals are combined in various logic matrices which function to trip the control rod drive mechanisms' supply circuit breakers, (also called the scram breakers). In addition to the sensor signals automatically tripping the scram breakers, a circuit is installed that allows the scram breakers to be manually tripped from the control room. For redundant protection, the Surry manual scram circuit also trips the motor generator set which is the power source to the scram breakers.
| |
| 4.6.15.2 RPS System Interfaces and Dependencies The RPS system is dependent on the vital AC instrumentation and DC buses for power t o .
| |
| the sensors and logic network. These dependencies were not modeled. The combinations 4.6-84
| |
| | |
| of bus failures required to fail the RPS is negligible compared to the RPS system un-availability. The only components dependent on the RPS system are the scram breakers which supply power to the control rod drive mechanisms.
| |
| 4.6.15.3 Operational Constraints No specific operational constraints were identified for the RPS.
| |
| 4.6.15.4 RPS Logic Model The RPS was modeled as a "black box" system using generic data from NUREG-1000 and the NRC ATWS Rulemaking guidelines. The success criterion is insertion of sufficient number of control rods to make the reactor subcritical. Two top events were modeled for the two methods of scram*, automatic and manual.
| |
| The automatic scram unavailability of 6E-.5 was calculated using the generic data described above. The contribution representing mechanical faults is lE-5 and the contribution from electrical faults is .5E-.5. Mechanical faults include rods binding within their channels and rod drive mechanisms failing to disengage~ Electrical faults include contact pairs sticking shut and failure of relays and trip coils. The success criterion translates into the following top event:
| |
| K - Failure of the RPS to shutdown the reactor by automatic scram.
| |
| The manual scram unavailability was based on human error probabilities applied in reco-very of the mechanical and electrical faults. Mechanical faults were considered to be non-recoverable. Electrical faults were considered to all be recoverable (due to the MG set breaker trip circuit). The operator error probability for this action is 2.7E-3 and is discussed in Section 4.8. The success criterion translates into the following top event:
| |
| R - Failure of the RPS to shutdown the reactor by manual scram.
| |
| 4.6.1.5.5 Assumptions in the RPS System Model In addition to the general modeling groundrules made in the analysis and previously discussed in Section 4.6.1, an important system configuration assumption was made. The circuit which manually trips the motor generator supplying the power to the scram brea-kers has not yet been installed as of the preparation date of this report. It is budgeted and scheduled for completion during the next refueling outage. The system was analyzed as if the circuit had been installed.
| |
| 4.6.15.6 RPS Operating Experience No pertinent plant specific operational experience of the Surry RPS was found.
| |
| 4.6.16 Recirculation Mode Transfer System Model The recirculation mode transfer (RMT) system automatically initiates the switchover of the suction of the low pressure injection pumps from the refueling water storage tank (R WST) to the containment sump upon low R WST level. The RMT also automatically initiates the switchover of the suction of the high pressure injection pumps from the RWST to the low pressure injection pump discharges on low R WST level. The RMT is a support system for the actuation of the injection and recirculation front line systems. A review of the RMT system design was performed to verify that the system trains were 4.6-8.5
| |
| | |
| symmetric and that there were no system peculiarities which would impact the reliability of the system. Generic system unavailability data was used in the analysis.
| |
| The following sections provide a brief physical description of the RMT system, identify tl}e interfaces and dependencies of the RMT system with front line and other support systems, list any operational constraints on the RMT system, provide a description of the model used to incorporate the RMT system into the analysis*, identify the RMT system specific assumptions, and describe the operational experience available for the RMT system.
| |
| 4.6.16.1 RMT System Description The Surry *RMT system is composed of four independent RWST level sensors, each feeding two separate two out of four relay matrices. These two relay matrices automatically actuate the components required to perform the switchover to the recirculation mode of the low and high pressure systems~ A simplified RMT system logic diagram is shown in Figure 4.6-22.
| |
| 4.6.16.2 RMT System Interfaces and Dependencies The RMT system is dependent on the vital AC instrumentation buses for power to the level sensors and to the relay logic. These dependencies were modeled for the loss of power initiating events. In non loss of power events or in the event of loss of only one vital bus where additional bus failures would need to occur to result in system failure, the power bus failure rates are negligible in comparison with the RMT system train unavailabilities and hence no additional models were constructed. Specific components in the low and high pressure injection/recirculation systems are dependent on the RMT system for automatic actuation to their recirculation position. These specific dependencies are listed in Table 4.6-16.
| |
| 4.6.16.3 RMT System Operational Constraints No specific operational constraints were identified for the RMT system.
| |
| 4.6.16.4 RMT System Logic Model Boolean equations were developed to incorporate the RMT system AC power dependencies into the models used in the sequence quantification. The following Boolean equations were used to incorporate these dependencies for the T 1 initiating event:
| |
| RMT-ACT-FA-A = RMT-ACT-FA-RMTSA + RMT-CCF-FA-MSCAL + ACP-TAC-LP-BUSll.
| |
| RMT-ACT-FA-B = RMT-ACT-FA-RMTSB + RMT-CCF-Ff.\-MSCAL + ACP-TAC-LP-BSlIV.
| |
| RMT-ACT-FA-RMT~A and RMT-ACT-FA-RMTSB represent the RMT train A and B generic unavailabilities. Common cause miscalibration of the RWST level sensors was also included in the RMT system models for all initiating events.
| |
| 4.6.16.5 Assumptions in RMT System Model No system specific assumptions were made in the RMT system analysis.
| |
| 4.6.16.6 RMT System Operating Experience No pertinent plant specific operational experience of the Surry RMT system was found.
| |
| 4.6-86
| |
| *
| |
| * 120 VAC OPEN 1863A
| |
| __
| |
| t:J)
| |
| LT CLOSE 1885A 2/4 TRAIN A
| |
| ~- ~R-CS100A1 RELAY CLOSE 1885C _.
| |
| I-'
| |
| I-'* VB1-I ~ R - C S 1 0 0 A 2 1 --*MATRIX Hi I-'*
| |
| a OPEN 1860A
| |
| .
| |
| .i:,..
| |
| °'
| |
| 00 I
| |
| -...J
| |
| ! ~-
| |
| § 00
| |
| '<
| |
| m i .°'
| |
| ~CD
| |
| .i:,..
| |
| I I\.)
| |
| LT fci\___---R-CS100B1 VB 1-11 ~ R - C S 1 0 0 B 2 lL__-----------------------_--
| |
| 2 MIN TD 1---..CLOSE 1862~--
| |
| OPEN 1863B CLOSE LCV-11156 I\.)
| |
| CT . m - -------
| |
| I-'* fcs\___----R-CS100C1 L--- RELAY l---.--MCL~S~ 1eese___ TRAIN B
| |
| ()
| |
| VB 1-111 ~ R - C S 1 0 0 C 2 -+ MATRIX CLOSE 1885D 0
| |
| I-'*
| |
| r ...
| |
| Ill 1 ~ R - c s , **o, VB 1-IV ~ R - C S 1 0 0 D 2 =='._I 1 VAC OPEN 1860B
| |
| --------
| |
| L-..-*C 2 MIN TD )l-----1*~1 CLOSE ~62!_ _ _
| |
| CLOSE LCV-1115D
| |
| | |
| Table 4.6-16 Components Actuated By RMT COMPONENT OPERATION Train A MOV1863A OPEN MOV1885A CLOSE MOV1885C CLOSE MOV1860A* OPEN MOV1862A* CLOSE LCV-1115B* CLOSE Train 8 MOV1863B MOV1885B OPEN CLOSE
| |
| * MOV1885D CLOSE MOV1860B* OPEN MOV1862B* CLOSE LCV-1115D
| |
| * CLOSE
| |
| * Provided with a 2-minute time delay for actuation.
| |
| 4.6-88
| |
| *
| |
| * 4.6.17 Residual Heat Removal System Model The residual heat removal (RHR) system provides shutdown cooling when the reactor coolant system (RCS) depressurizes below 450 psig and cools below 350°F. The RHR is a front line system (although non safety grade) designed to provide long term decay heat removal. The following sections provide a physical description of the RHR system, identify the interfaces and dependencies of the RHR system with other front line and support systems, list any operational constraints on the RHR system, identify the RHR system specific assumptions, and describe the operational experience available for the RHR system.
| |
| 4.6.17 .1 RHR System Description The Surry RHR system is composed of two pumps and two Rl-fR heat exchangers in parallel. The RHR pumps take suction from the RCS loop 1 hot leg through two normally shut motor operated valves (MOVs) and a manual isolation valve. The discharge of the pumps is headered together and feeds two heat exchangers arranged in parallel. The RHR pumps and heat exchangers are cooled by component cooling water (CCW). An air operated valve (AOV) controls bypass flow around the heat exchangers, another controls flow through the heat exchangers. The two AOVs work together to control the cooldown rate of the RCS. The discharge of the flow control valves feeds into the SI/accumulator piping and is delivered to the RCS loop 2 and loop 3 cold legs. Each path has a normally shut MOV isolating the RHR from the high pressure RCS during normal plant operations. Make-up to the RHR system is provided by the RCS. A simplified schematic of the RHR system is shown in Figure 4.6-23 *
| |
| * The RHR is manually initiated. An interlock prevents opening the RHR isolation MOVs until RCS pressure is below 450 psig. One RHR pump and heat exchanger are normally in operation. In the event of failure of either component, the parallel component is manually placed in service~ Following a loss of offsite power, the stub buses powering the RHR pumps are shed from the emergency buses and must be manually reconnected to restore power to the RHR pumps.
| |
| 4.6.17 .2 RHR System Interfaces and Dependencies The RHR system is dependent on AC power buses for motive power for the RHR pumps and control power to the MOVs in the RHR system, and the DC buses for control power to the RHR pumps and the heat exchanger throttle valves. Additionally, the RHR system requires the instrument air system for motive power to the heat exchanger throttle valves. The RHR system is dependent on the RCS to supply sufficient net positive suction head. These dependencies and specific train assignments are shown in the system dependency diagram in Figure 4.6-24 and the component status and dependency summary in Table 4.6-17.
| |
| 4.6.17 .3 RHR System Operational Constraints Prior to placing the RHR system in service, RCS pressure must be below 450 psig and RCS temperature must be below 350°F. Following a loss of offsite power, the stub buses which power the RHR pumps are automatically shed and must be manually reloaded as the main bus by the operator to restore power to the pumps.
| |
| * 4.6-89
| |
| | |
| COMPONENT COOLING WATER TO RWST MOV100 PS2 ~RV1721 TO
| |
| .. PZR RELIEF 4" TANK 10" 14" 1-RH-P-1A 12" CCWCOOLS)
| |
| RHRPUMPS
| |
| ( 10" SEALS PS 1 14" MOV 14" 1720A RH-2 1-RH-P-18 MOV PS3 17208 29" LOOP 1 HOT LEG RH-E1B PS5 29" 12" LOOP2 FCV COLD LEG 1605 29" PS6 LOOP3 COLD LEG
| |
| | |
| RESIDUAL HEAT REMOVAL SYSTEM PUMP PUMP 1A 18 AC 1H--~--~~~~~----
| |
| EMERGENCY POWER 1J i-----+------~-
| |
| DC 1A~~--~~~~--~
| |
| EMERGENCY POWER 1B i - - - - - - - - - ~ -
| |
| Figure 4.6-24 RHR System Dependency Diagram 4.6-91
| |
| * Table 4.6-17 RHR Component Status And Dependency Summary COMPONENT NORMAL STATUS ACTUATION DEPENDENCIES Pumps:
| |
| 1-RH-P-lA Standby R. Manual 4160V Stub lH 1-RH-P-lB Standby R. Manual 4160V Stub lJ MOVs:
| |
| 1700 NC/PAI R. Manual MCC-lHl-2 1701 NC/PAI R. Manual MCC-lJl-2 1720A NC/PAI R. Manual MCC-lHl-2 1720B NC/PAI R. Manual MCC-lJl-2 AOVs:
| |
| PCV-1605 NO/PC Instrument Air HCV-1758 NO/PC Instrument Air 4.6-92
| |
| * 4.6.17.4 RHR System Logic Model The success criterion for the Surry RHR system is that continued RHR :flow is provided
| |
| :from one o:f two pumps through one o:f two heat exchangers to the RCS following reactor shutdown, cooldown to 4.50 psig, 3.50°F. This success criterion translates into the following top event in the RHR system :fault tree:
| |
| W3 Failure to provide su:f:ficient RHR :flow to the RCS.
| |
| The :fault tree developed for this top event is shown in Appendix B. The specific assumptions made in the RHR system analysis are included in the :following section.
| |
| 4.6.17 *.5 Assumptions in RHR System Model In addition to the general modeling groundrules made in the analysis and previously discussed in Section 4.6.1, one system specific assumptions was made in the course o:f the analysis.
| |
| : 1. Although not environmentally qualified, it was assumed that the RHR pumps and MOVs will operate under containment conditions o:f a very small LOCA. This is based on the sizing and compartmentalization o:f the containment, the size o:f the LOCA (very small), and the :fact that AFW and containment :fan coolers are initially removing heat :from the containment.
| |
| 4.6.17.6 RHR System Operating Experience No pertinent plant specific operational experience o:f the Surry RHR system was found.
| |
| 4.6.18 Safety Injection Actuation System Model The safety injection actuation system (SIAS) automatically initiates the high and low pressure injection systems :following a_n indication o:f the need for primary coolant makeup. The SIAS is a support system for the automatic initiation o:f the injection, :front line systems. A review o:f the SIAS design was performed to verify that the system trains were symmetric and that there were no system peculiarities which would impact the reliability o:f the system. Generic system unavailability data was used in the analysis.
| |
| 4.6.18.1 SIAS Description The Surry SIAS is composed o:f two independent trains used to automatically actuate the low and high pressure injection systems and the motor driven AFW pumps. The signals which actuate SIAS are shown in Table 4.6-18.
| |
| 4.6.18.2 SIAS Interfaces and Dependencies The SIAS is dependent on the AC vital instrumentation buses and the DC buses :for operation o:f the relay logic network. These dependencies were modeled in the analysis
| |
| :for loss o:f power initiating events. In non loss o:f power events, the power bus :failure rates are negligible in comparison with the SIAS train unavailabilities. Specific components in the low and high pressure injection systems and the motor driven AFW
| |
| * pumps are dependent on the SIAS for automatic actuation. These specific dependencies are illustrated in Figure 4.6-2.5.
| |
| 4.6-93
| |
| * Table 4.6-18 SIAS Actuation Parameters Sensors Required Signals for SIAS Actuation Train A
| |
| * Low Pressurizer Level 2/3 (LC459A-XA, LC460A-XA, LC461A-XA)
| |
| * High Containment Pressure 1/1 CLCS Hi
| |
| * High AP Between Main Steam Header and Any 2/3 Steam Line
| |
| * High Steam Flow in 2/3 Lines Coincident With:
| |
| 1/2 Per Line
| |
| .Low T AVG in 2/3 Loops OR Low Steam Line Pressure in 2/3 Lines 1 Per Line 1 Per Line
| |
| * Train B
| |
| * Low Pressurizer Level 2/3 (LC459X-XB, LC460X-XB, LC461X-XB)
| |
| * High Containment Pressure 1/1 from CLCS Hi
| |
| * High AP Between Main Steam Headers and Any 2/3 Steam Line
| |
| * High Steam Flow in 2/3 Lines Coincident With:
| |
| 1/2 Per Line Low TAVG in 2/3 Loops 1 Per Line OR Low Steam Line Pressure 1 Per Line
| |
| * in 2/3 Lines 4.6-94
| |
| * MOV-1865A Chg Pp C 125 voe A MOV-1289A l 120 VAC RELAY LOGIC l
| |
| MOV-1865A LCV-W1-1115B LCV-W1-1115C MOV-1867C NETWORK OG#1 Chg Pp A AFWP-JA LHSI P #1 TRAIN A
| |
| * 125 voes MOV-1865B Chg Pp C l
| |
| LCV-W1_;1115E 120 VAC LCV-W1-1115D MOV-1865C i MOV-1289B RELAY MOV-1867D .
| |
| LOGIC OG #3 NETWORK Chg Pp B AFWP-JA LHSI P #2 TRAIN B
| |
| * Figure 4. 6-25 Components Dependent on SIAS For Automatic Actuation 4.6-95
| |
| * 4.6.18.3 SIAS Operational Constraints No specific operational constraints were identified for the SIAS.
| |
| 4.6.18.4 SIAS Logic Model Boolean expression were developed to incorporate the SIAS power dependencies into the models used in the sequence quantification. The following Boolean equations were used to incorporate these dependencies for the T 1, T 5A, and T 58 initiating events:
| |
| SIS-ACT-FA= SIS-ACT-FA-SISA + ACP-TAC-LP-BUSll + DCP-TDC-LP-BUSlA.
| |
| SIS-ACT-FB = SIS-ACT-FA-SISB + ACP-TAC-LP-BSllV + DCP-TDC-LP-BUS1B.
| |
| SIS-ACT-F A-SISA and SIS-ACT-F A-SISB represent the SIAS train A and B generic unavailabilities. Common cause failure of SIAS due to miscalibration of sensors was not included because there are several different types of sensors. Common cause miscali-bration of one type of sensor (the temperature sensors for example) still leaves two other types of sensors available (pressure detectors and differential pressure detectors).
| |
| The SIAS related events included in the front line system fault trees were coded with the system identifier SIS throught the fault tree and sequence analysis.
| |
| 4.6.18.5 Assumptions in SIAS System Model No system specific assumptions were made in the SIAS analysis.
| |
| 4.6.18.6 SIAS Operating Experience No pertinent plant specific operational experience of the Surry SIAS was found.
| |
| 4.6.19 Service Water System Model
| |
| * The service water system (SWS), as defined for this analysis, is a support system which provides cooling to the heat exchangers in the inside spray recirculation (ISR) system and outside spray recirculation (OSR) system. The SWS provides heat removal from the containment following an accident. The following sections provide a physical description of the SWS, identify the interfaces and dependencies of the SWS with the front line systems and other support systems, list any operational constraints on the SWS, provide a description of the fault tree model constructed for the SWS, identify the SWS specific assumptions, and describe the operational experience available for the SWS.
| |
| 4.6.19.1 SWS Description The Surry SWS is a gravity flow system. The service water supply to the containment spray heat exchangers consists of two parallel inlet lines which provide service water from the main condenser cooling pipes each through two normally closed motor operated valves (MOVs) in parallel to individual headers. The headers each provide flow to one ISR and OSR heat exchanger. The two headers are cross connected by two normally open MOVs in series such that flow from either inlet line can be used to cool all four ISR and OSR heat exchangers. Service water flows through each heat exchanger and discharges through a normally open MOV to two headers which flow to the discharge tunnel. A simplified schematic of the SWS is shown in Figure 4.6-26.
| |
| 4.6-96
| |
| | |
| * *
| |
| * ISR HXRS1D HXRS1C HXRS1B HXRS1A PS65 PS64 PS63 PS62 I
| |
| .
| |
| MOVSW104D MOVSW104C MOVSW104B MOVSW104A
| |
| * T
| |
| '°..... IiI~ MOV MOV SW106A SWi 068 MOVSW105D MOVSW105C MOVSW105B MOVSW105A TO DISCHARGE TUNNEL PS66 PS69 MOVSW103C PS68 PS70 FROM MOVSW103B INTAKE MOVSW103D PS67 CANAL MOVSW103A
| |
| | |
| The SWS automatically starts on receipt of a hi-hi (25 psia) containment pressure signal from the consequence limiting control system (CLCS). The CLCS signals open the header inlet valves. No other actions are required to place the SWS in service.
| |
| * t.6.19.2 SWS Interfaces and Dependencies The SWS interfaces with the JSR and OSR systems at the respective heat exchangers for these systems. The SWS is dependent on the AC power buses for motive and control power to the system MOVs and on the CLCS for opening of the header inlet valves.
| |
| These dependencies and specific train assignments are shown in the system dependency diagram in Figure 4.6-27 and the component status and dependency summary in Table 4.6-19.
| |
| 4.6.19.3 SWS Operational Constraints No specific operational constraints were identified for the SWS.
| |
| 4.6.19.4 SWS Logic Model The SWS is a support system for the ISR and OSR. The top events identified for the SWS represent the modeled interfaces of the SWS with the ISR and OSR. The developed events contained in the ISR system and OSR system fault trees correspond to the following top events:
| |
| SWSl Insufficient SWS flow through JSR train A cooler (HX-RSlA).
| |
| * SWS2 Insufficient SWS flow through ISR train B cooler (HX-RSlB).
| |
| SWS5 Insufficient SWS flow through OSR train A cooler (HX-RSlC).
| |
| SWS6 Insufficient SWS flow through OSR train B cooler (HX-RS1D).
| |
| These events are developed completely in the ISR and OSR fault trees. The fault trees can be found in Appendix B.
| |
| 4.6.19.5 Assumptions in SWS Model In addition to the general modeling groundrules made in the analysis and previously discussed in Section 4.6.1, one system specific assumption was made in the course of the analysis. The specific assumption made in the SWS analysis follows:
| |
| : 1. Air binding of the service water side of the heat exchangers was not included in the models. Vent pipes with check valves are provided for each heat exchanger. The pipes are vented outside, above the water level of the intake canal.
| |
| 4.6.19.6 SWS Operating Experience A review of the Surry SWS operational experience identified a potential for common cause failure of the service water valves to the heat exchangers. Once during annual testing of the system all four valves on Unit 1 failed to open when actuated from the control room. Testing of the Unit 2 valves resulted in failure of 3 of the 4 to open. The valves were manually opened. Several of the valves were found to be heavily corroded due to exposure to the brackish water. Based on this incident, the potential for common cause failure of both the ISR system and OSR system due to exposure to the brackish
| |
| * service water was included in the SWS model. This data is developed in Appendix D.1.
| |
| 4.6-98
| |
| * SERVICE WATER SYSTEM FLOW . FLOW FLOW FLOW THRU THRU .THRU THRU MOVSW103A MOVSW103B MOVSW103C MOVSW1030
| |
| * CONSEQUENCE LIMITING CONTROL SYSTEM Bt-----+-----+-f-j----+-~--....,...--+---
| |
| AC EMERGENCY POWER Figure 4.6-27 Service Water System Dependency Diagram
| |
| * 4.6-99
| |
| | |
| Table 4.6-19 COMPONENT SWS Component Status And Dependency Summary NORMAL STATUS ACTUATION DEPENDENCIES
| |
| * MOVs:
| |
| SW104A NO/FAI R. Manual MCC-lHl-2 SW105A NO/FAI R. Manual MCC-lHl-2 SW104B NO/FAI R. Manual MCC-lJl-2 SW105B NO/FAI R. Manual MCC-lJl-2 SW106A NO/FAI R. Manual MCC-lHl-2 SW106B NO/FAI R. Manual MCC-lJl-2 SW103A NC/FAI CLS-Hi-Hi-2A MCC-lHl-1, CLS-Hi-Hi-2A SW103B NC/FAI CLS-Hi-Hi-2B MCC-lJl-1, CLS-Hi-Hi-2B SW103C NC/FAI CLS-Hi-Hi-2B MCC-lJl-1, CLS-Hi-Hi-2B SW103D NC/FAI CLS-Hi-Hi-2A MCC-lHl-1, CLS-Hi-Hi-2A SW104C NO/FAI R. Manual MCC-lHl-2 SW105C NO/FAI R. Manual MCC-lHl-2 SW104D NO/FAI R. Manual MCC-lJl-2 SW105D NO/FAI R. Manual MCC-lJl-2
| |
| * 4.7 Analysis Of Dependent Failures Dependent failures were treated in two ways. Dependent failures due to functional dependencies and support dependencies were identified and modeled in the event trees and fault trees. Discussion of these efforts is found in the event tree and fault tree
| |
| * sections (Sections 4.4 and 4.6 respectively). Dependent failures which are not explicitly modeled as functional dependencies or support dependencies were included in the study as a result of three specific efforts. They were:
| |
| * Dependencies which involve dependent failures due to phenomenological dependencies or unforeseen design interactions were called "subtle interactions" in this study. Subtle interactions found in past PRAs were reviewed for their applicability to Surry.
| |
| * An LER review of Surry was made to identify any unexpected interactions or common cause failures which have occurred at the plant.
| |
| * Beta factors for common cause failures were systematically included in fault tree development. Common cause failures were modeled for re-dundant pumps, MOVs, and diesel generators.
| |
| In addition, for those systems not modeled in detail (i.e., actuation systems, control systems, and the power conversion system), a review of the system designs and interfaces was performed to determine whether there were any peculiarities in the system design which would result in unexpected interactions with other systems or would be expected to result in significant differences in the failure rate of the system from the generic system failure rate. The actuation systems at Surry (i.e., SIAS, CLCS, and the RMT system), are each composed of two symmetrical trains. Power train separation was maintained for each of the actuation systems and no instances were identified where series components requiring actuation within a system train were actuated by different actuation system trains. The emergency power system trains are also symmetrical and there are no crossties between buses.
| |
| The remainder of this section is divided as follows: Subsection 4.7 .1 discusses the review and resolution of subtle interactions found in past PR As; Subsection 4.7 .2 presents the results of the LER search and discusses the method of application of beta factors.
| |
| 4.7.1 Subtle Inter.actions As discussed above, a lis~ of potential subtle interactions were identified
| |
| * by this PRA program, based on past operating experience and PRA analyses. Each of these items were examined with respect to the specific Surry design to determine whether or not similar interactions exist at Surry. The applicability of each of the items in the list to the Surry design and the resolution of those items which were found to be applicable are discussed below.
| |
| DG Load Sequencer Failures Diesel genera tor *load sequencers are designed to strip off non-essential loads from the emergency buses following loss of offsite power (LOSP). The design of such a circuit usually involves redundant means to strip all loads following a LOSP. However, such circuits may not always contain redundant means for subsequently reloading essential loads. In such a case failure of the load sequencing circuit could potentially result in common cause failure of multiple systems following a LOSP *
| |
| *
| |
| * Letter from G. J. Boyd (Safety and Reliability Optimization Services, Inc.) to F. T. Harper (Sandia National Laboratories), "Topics of Concern for PRAs of ASEP Plants," June 18, 1985.
| |
| Letter from F
| |
| * T. Harper and G. J. Kolb to PRA experts, "Subtle Interactions Found in Past PRAs and PRA-Related Studies," July 2, 1985.
| |
| 4.7-1
| |
| | |
| Surry does not use load sequencers to reload the emergency power buses following diesel generator start. Load sequencing is accomplished by time delay relays in most of the safety loads. The HPI and LPI pumps remain on the bus. CSS, ISR, OSR, and the AFW pumps all have time delays in their start circuitry (30 sec., 2 min, 5 min., 1 min., respectively). Some non-safety loads are loaded on "stub" buses. The stub buses are normally powered from the emergency buses but are shed on undervoltage. Reloading is manual.
| |
| No indication of increased unavailability due to the time delay relays was found. The potential for failure to shed the stub bus loads resulting in trip of the diesel generators was considered to be negligible in comparison to the diesel generator failure rates.
| |
| Sneak Circuits The RCIC system at one Boiling Water Reactor was found to contain a sneak circuit which could result in an unintended isolation of the RCIC pump. This could occur during a loss of offsite power and subsequent energization of the RCIC steam leak detection circuit.
| |
| Three subtle design aspects lead to the occurrence of this failure mode: (1) the RCIC system contains a steam leak detection isolation circuit, (2) the isolation circuitry is deenergized given a loss of offsite power (i.e., the circuitry is not fed by a non-interruptable battery-backed vital AC power supply), and (3) the isolation circuit contains a seal-in circuit.
| |
| No essential systems at Surry have isolation circuits. In particular, the Surry AFW system employs cavitating venturis to limit flow through a steam line break. Therefore, this potential interaction was not considered to be applicable.
| |
| Bus Switching Problems
| |
| * Two subtle aspects concerning bus switching have been identified at one power plant: (1) a safety-related DC power supply is also beir;ig used to perform a bus switching operation in the switchyard and safety-related loads are normally powered from the unit transformer rather than from offsite power, and (2) a safety-related AC bus does not have a diesel directly powering it; it must rely on diesel power from another bus via a breaker which only closes given a loss of off site power.
| |
| All systems of interest, with the exception of PCS are powered from offsite power sources rather than from the main station generator.
| |
| Except for the stub bus arrangement discussed above under DG Load Sequencer Failures, the Surry design does not include bus-to-bus cross feeds. Therefore, this potential interaction was not considered to be applicable.
| |
| Pump Room Cooling Several aspects concerning pump room cooling must be considered in a PRA systems analysis. First, a given plant's design may be such
| |
| * that, given loss of room cooling, the maximum room temperature remains below the temperature for which a pump and its control circuits are qualified. A system analyst may, therefore, conclude 4.7-2
| |
| | |
| that the room cooling for the pumps is not required. However, in
| |
| * some cases, a room temperature signal is used to trip the pump. The potential for reaching this temperature given loss of the room cooler should be examined.
| |
| Second, pump room coolers are often standby systems that actuate only upon actuation of the pump through a slave relay or by a thermostat. In either case, test procedures should be such that all of the actuation circuit is verified to function properly.
| |
| Finally, credit for opening pump room doors for cooling the room given failure of the room cooler should only be taken after considering administrative controls and technical specifications which may prohibit such action.
| |
| During the fault tree analysis, room cooling requirements were evaluated for all pumps. The result was that room cooling is not required for any of the pumps important in the Surry analysis.
| |
| Therefore, the potential interactions involving room cooling were not considered to be applicable.
| |
| Voltage Droop Prior to LOSP This interaction derives from an event at Indian Point. Loss of offsite power occurred in such a way that there was a "long" period of slowly declining voltage before power was completely lost. The voltage "droop" led to blown fuses.
| |
| This interaction was not incorporated into the Surry study, because sufficient data on the magnitude and length of previous voltage droops are not available. It is therefore not* possible to predict the probability of fuse failure and thus incorporate this interaction into the system models.
| |
| Terminal Blocks in Containment A terminal block is located in an electrical junction box and is used to connect wire ends within a circuit. Many types of terminal blocks may not perform adequately on a steam environment. Instrument errors can occur in circuits that contain terminal blocks when exposed to a high temperature ( 100°c) saturated steam environment. Such instrumentation failures can potentially prevent ECCS actuation following loss of coolant accidents.
| |
| All circuit junctions for an environmentally qualified system within containment are made by Raychem Splicing. No terminal blocks are used. Therefore, this potential interaction was not considered to be applicable.
| |
| Inadvertant Isolation of all Feed Flow *to SGs At Surry, MFW is isolated on an SIAS signal. The AFW system has no isolation circuits. Cavitating venturis are used to limit flow to the steam generators in the event of a maih steam line break or otherwise faulted SG. Therefore, this potential interaction was not considered to be applicable~
| |
| 4.7-3
| |
| | |
| Use of Alternate Core Cooling Methods Alternate core cooling methods were included in the Surry analysis.
| |
| Feed and bleed cooling using HPI and the PORVs was included in the event tree analysis. Use of the cross connects from Unit 2 to provide HPI and AFW flow to Unit 1 were also included as backup core cooling methods. Primary depressurization through secondary blowdown was also included in the Surry analysis.
| |
| * Steam Binding of AFW Pumps Due *to Leaking FW Valves Steam binding of the AFW pumps has occurred at Surry. The check valves which provide isolation from the main feedwater lines are swing disc check valves which were found to have steam cuts in the seat/disc face allowing backleakage of main feedwater. The upstream check valves are not isolation valves and are expected to allow a limited amount of backleakage. This backleakage resulted in a steam accumulation in the piping and pumps and steam binding of the pumps. The valves with the steam cuts were repaired and reinstalled. Insulation was removed from the AFW piping to facilitate condensation of any steam which may collect and a shiftly check of the AFW pump outlet piping temperatures was instituted. No further occurrences have been reported, however the potential for* steam binding still exists but at a much lower rate due to the preventive measure taken by the plant. Therefore, the AFW fault trees include this failure mode.
| |
| * Air Binding of Cooling Water Systems The failure or partial failure of cooling water systems has occurred because of air binding caused by leaks in a load being cooled. Plant air compressors usually are cooled by some cooling water system. Air inleakage into the cooling water system can cause failure of multiple systems because of air binding and loss of cooling.
| |
| The instrument air compressors at Surry are cooled by the* bearing cooling water system and the component cooling *water system. Both cooling water systems are closed cycle systems. The bearing cooli~g water system was not modeled in this study. The component cooling water system was modeled in this study, but air binding was not explicitly included in' the fault tree models. Common cause failure of the pumps due to all causes was included. The value of the beta factor could potentially include contributions from air binding.
| |
| A review of Surry licensee event reports (LERs) revealed two instan-ces of low Charging Pump Cooling (CPC) service water pressure caused by air binding. Improper venting of the CPC service water strainers was the source of the air. This failure mode was included in the* Surry analysis. It is described in more detail in this section and in Appendix D.
| |
| Steam-Line Break Isolation Circuitry Steam-driven systems sometimes have isolation circuitry to protect against steam-line breaks. This circuitry uses temperature readings
| |
| * as an indication of a line break and may include all locations containing the steam piping. Therefore, when assessing the need for room cooling, the cooling requirements of areas where temperature 4.7-4
| |
| | |
| measurements are taken must be examined. The turbine driven
| |
| * auxiliary feedwater pump at Surry does not have this type of circu,i try.
| |
| Passive Component Failures This type of interaction involves component failure modes that might not otherwise be modeled (e~g., valve failure because of steam/disc separation, pipe breakage, blockage). These failures should be added to the models particularly where the impact of failure affects multiple trains of equipment. Additionally, these events can be potential initiating events.
| |
| Several areas were identified in which a single passive failure could result in the failure of multiple systems. These events were modeled in each of the applicable systems to assure that the commonality would be reflected in the accident sequence evaluation.
| |
| Isolation of Nonessential Cooling Water Loads This interaction may occur if nonessential portions of safety-related cooling systems are not isolated. Because such a failure can result in inadequate cooling of the essential loads, care should be taken when determining the impact of potential diversion paths from support cooling systems.
| |
| Two potential cases were identified in which failure to isolate
| |
| * nonessential cooling loads could impact safety system operation*
| |
| Failure to shed the stub bus, which powers the component cooling water and RHR pumps, following LOSP could potentially result in diesel generator trip when it is loaded on the bus, however the failure rate associated with the failure to shed the stub bus is considered to be small with respect to the diesel generator failure rate. Following LOSP, failure to close the condenser circulating valves will result in drainage of the intake canal. Drainage of the intake canal has been included in the station blackout model.
| |
| Cross-tied Pumps' Discharge Check Valve Failures This type of failure occurs when the discharge check valve in one train of a two-train, cross-tied system fails open. Various problems can result 'from this interaction, including functional failure of the system because of back flow, inabiUty to actuate an idle pump because of the stuck-open valve, or system rupture from attempted actuation of an idle pump with a stuck-open valve.
| |
| System failure caused by excessive backflow through pump discharge check valves in cross-tied pumps resulting in flow diversion through the idle pump was explicitly included in the fault tree models.
| |
| Failures Following Station Blackout The treatment of reactor coolant pump seal failure and battery depletion during a station blackout *has varied among past PRAs and can be plant specific. Both failures can adversely affect the capability to cool the plant.
| |
| 4.7-5
| |
| * RCP seal LOCA occurrence was included in the station blackout models~ No long term tests have been performed on the Surry battee4fs* Battery depletion time of four hours was based on NUREG-
| |
| :3226.
| |
| Dependent Events* Based* on -Operating Experience There have been a number of recent activities to better scope out the problem of dependent and common cause events. Probably the best current collection of actual event~ that are in the nuclear data base are compiled in EPR.I NP-:3967 5* While there is considerable controversy on how to account for common cause events, the report clearly demonstrates the inaccuracy of models that do not specifically treat common cause events. While it has been a frequent criticism that quantification of these events leads to numbers but not indication of how to improve plants, a review of the events in EPRI NP-:3967 will demonstrate that causes are known for a large percentage of these events. A review of Surry LERs showed past incidences of common cause failure. These were included as explicit events in the fault tree analysis, using probabilities derived from plant specific experience.
| |
| Beta factors based on EPRI NP-:3967 were included in the fault tree analysis for the diesel generators, MOVs, and the HPI, LPI, CSS, OSR, AFW, and SWS pumps.
| |
| * Main Feedwater Availability After Turbine Trip The unavailability of main feedwater after reactor trip is highly plant specific. The consequences of this interaction will vary depending on whether the loss is total or partial and the potential for recovery.
| |
| Due to control logic at Surry, following any reactor trip from greater than .50% power, the MFW regulating valves close. The MFW pumps continue to run, however. Therefore, MFW was nominally available in the event of AFW failure for T 3 initiating events.
| |
| * Refill of Dry Steam Genera tors During loss of steam generator feed events, it is necessary to provide an alternate source of feedwater prior to substantial tube uncovery to avoid potential problems associated with recovering dry tubes.
| |
| Upon loss of AFW at Unit 1, AFW at Unit 2 would be used for SG makeup and then MFW at Unit 1. These alternate systems can be brought on line prior to steam generator dryout. Refilling of dry steam genera tors was not explicitly addressed in the study.
| |
| Main/ Auxiliary Feedwater Commonalities No significant commonalities between the MFW and AFW systems were identified. Therefore, this potential interaction was not further addressed.
| |
| PORV Unavailability Due to Block Valve Closure Discussions with plant personnel indicated that Surry operates with one or more pressurizer POR V blocked about .50% of the time. They also said both PORVs are blocked about .5% of the time. Using these 4.7-6
| |
| | |
| values as approximations and assuming each PORV was independent of the other, it was calculated that each PORV was blocked 30% of the time. Therefore, approximately 10% of the time both PORV block valves are closed, 40% of the time one PORV block valve is closed and one is open, and approximately 50% of the time both PORV block valves are open. These conditions were included in the models for the PORVs.
| |
| Turbine Drive Pump Failure due to Water Carry Over Overfilling of the steam generators and the resultant carry over of water into the turbine driven AFW pump turbine was considered to be a low probability event for most transients if instrumentation was available. Potential for SG overfill was included in the station blackout analysi_s. During station blackout, control of the AFW turbine driven pump was assumed to be maintained as long as DC power was available. Following battery depletion, SG level instrumentation would be lost and steam generator overfill could occur at approximately 1 hour later.
| |
| Normal Operating Configuration The normal operating configuration of Surry was used in the study. In cases where an alternate configuration produced more severe results, the percent of time that Surry operated in this alternate configuration was estimated, based on discussions with plant personnel. The more severe results associated with the alternate con-
| |
| * figuration were included, based on the percentage of time the plant spent in that configuration. In cases where the normal operating configuration produced the most severe results, these results were used 100% of the time.
| |
| Locked Door Dependencies This interaction involves power supplies to security systems and their failure mode
| |
| * on loss of power. The potential concern here is that power failures could restrict access to equipment which was necessary to respond to the power loss.
| |
| Discussions with plant personnel indicated that in loss of power sce-narios, key-locked doors and other powered security restrictive measures did not compromise operator access to equipment. Access restrictions during loss of power events were therefore not included in the study.
| |
| 4.7 .2 Common Cause Analysis Common cause events were explicitly included in the fault tree models of systems.
| |
| Common cause failures were identified in two ways. First, a search of the Surry LERs identified plant specific instances of common cause. Three events were identified by this LER s_earch. They were included in the fault tree models at the appropriate levels.
| |
| The three events were* common cause f~ilure of CPC pumps or strainers, common cause failure of containment spray heat exchanger service water valves and steam binding of three auxiliary feedwater pumps. These events are discussed below *
| |
| * 4.7-7
| |
| : 1) Common Cause*Fa'ilure* of Charging*Pump Cooling Water Strainers*
| |
| An LER search of Surry Units 1 and 2, from 1980-1984 (inclusive) yielded frequent incidents of low pump discharge pressure in the HPI service water system~ Low pump discharge pressure was caused by plugged strainers*~
| |
| increas~ water demand from the air conditioning system, or a combination of both. For the purposes of this study, low pump discharge pressure was assumed to result in insufficient HPI pump cooling, although the LER survey did not indicate that HPI pump unavailability ever resulted from the service water incidences.
| |
| Prior to 1985, there were three instances where both HPI-SW pumps serving the same unit had low discharge pressur.e. In 1984, the "Y" type strainer was replaced with a duplex strainer. After 1985, no occurrences of strainer plugging were observed, but there were two instances where the strainers caused the CPC service water system to fail. In each of these instances improper venting of the strainers caused air binding in the CPC service water system and a loss of service water flow. A common cause failure probability based on all five events -was developed. Details are shown in Appendix D of this report~
| |
| The fault tree models assumed this condition would lead to rapid HPI pump unavailability unless corrective action was taken by the opera tors.
| |
| Corrective actions for this failure include:
| |
| a) reducing SW air conditioning loads, b) bypassing the filters, and c) supplying HPI cooling from Unit 2 SW pumps.
| |
| : 2) Steam Binding *of AFW *Pumps A review of the Surry AFW operating experience revealed that a problem with steam binding of AFW pumps had occur~ed due to backleakage of main feedwater through the system check valves. The backleakage resulted in steam accumulation in the AFW lines and unavailability of two. pumps.
| |
| Since the event, the affected check valves were rebuilt and plant changes were made, including removal of the insulation from the AFW pump discharge lines to facilitate steam condensation and requiring a check of pump outlet pipe temperature once every shift. No further incidents have occurred. However, due to the* potential for common cause multiple pump failures, this failure mode has been included in the system models. This failure probability was assessed to be lE-4/demand. Details of the calculation are shown in Appendix D.
| |
| : 3) Common Cause Failure of CSR Service Water Valves A review of the Surry SWS operational experience identified a potential for common cause failure of the service water containment spray valves to the heat exchangers. During annual testing of the system all four valves on Unit 1 failed to open when activated from the control room. Similar testing of the Unit 2 valves resulted in failure of 3 of the 4 valves at Unit 2 to open. All valves were subsequently manually opened. Several of the valves were found to be heavily corroded due to exposure to brackish water. Immediately subsequent to this incident, in 1982, testing frequency 4.7-8
| |
| | |
| of these valves was increased. In 1986, the SW valves were replaced with a new valve design. No failures have occurred since the new valves were installed. No instances of multiple failures have occurred since 1982.
| |
| Based on this incident, the potential for failure of both the ISR system and OSR system due to common cause failure of the service water valves was included in the SWS model. Details of this calculation are found in Appendix D.
| |
| To account for other potential common cause faults, common cause failure of redundant components were systematically included in the fault tree analysis. Table 4.7-1 lists these events. and the plant srffiific events. The values used for the beta factors were derived from EPRI NP-3967. The common cause methodo&y and the beta factor guidelines are detailed in the ASEP methodology document. The groundrules for application of beta factors are summarized below:
| |
| : 1. Common cause failures were only postulated within a system, not across system boundaries.
| |
| : 2. Common cause failures were only postulated within a system to redundant components and identical failure modes.
| |
| : 3. Random independent failure of multiple components were included in system models in addition to the potential common cause failures.
| |
| 4.7-9
| |
| | |
| Table 4.7-1 Surry Common Cause Failures
| |
| * Event Identifier Description AFW-CCF-FS-FW3AB Failure to start motor driven Auxiliary Feedwater pumps 3A and 3B.
| |
| AFW-CCF-FT-102AB Failure of Unit 1 steam valves 102A and 102B to open, supplying the turbine driven Auxiliary Feedwater pump at Unit 1.
| |
| AFW-CCF-11T-202AB Failure of Unit 2 steam valves 202A and 202B to open, supplying the turbine driven Auxiliary Feedwater pump at Unit 2.
| |
| AFW-CCF-LK-2STMB Leakage past check valves causing steam binding of the Auxiliary Feedwater pumps at Unit 2.
| |
| AFW-CCF-LK-STMBD Leakage past check valves causing steam binding of the Auxiliary Feedwater pumps at Unit 1.
| |
| CPC-CCF-FT-8BC Failure of air operated valves CPC TV-CC-108B and TV-CC-108C to open.
| |
| CPC-CCF-P.G-STRAB Failure of the Charging Pump Cooling system service water suction strainers due to loss of flow.
| |
| CSS-CCF-FS-CS1AB Failure of the Containment Spray System pumps to start.
| |
| CSS-CCF-FT-lOlAB Failure of the motor operated valves 101A and l01B to open.
| |
| CSS-CCF-FT-101CD Failure of the motor operated valves lOlC and 101D to open.
| |
| DCP-CCF-LP-BT lAB Failure of the 125V DC Batteries 1A and lB.
| |
| HPI-CCF-FS-CH1BC Failure of High Pressure Injection pumps lB and lC to start.
| |
| HPI-CCF-FT-115BD Failure of motor operated valves ll 15B and 1l 15D to open.
| |
| HPI-CCF-FT-867CD Failure of motor operated valves 1867C and 1867D to open.
| |
| 4.7-10
| |
| * Table 4.7-1 (Cont'd)
| |
| Surry Common Cause Failures Event *Identifier Description IAS-CCF-LF-1 NAIR Failure of instrument air to all air operated valves ISR-CCF-FS-RSl AB Failure of the Inside Spray Recirculation pumps to start.
| |
| LPI-CCF-FS-Sll AB Failure of the Low Pressure Safety Injection pumps to start.
| |
| LPR-CCF-FT -860AB Failure of motor operated valves 1860A and 1860B to open.
| |
| LPR-CCF-FT-862AB Failure of motor operated valves 1862A and 1862B to close.
| |
| LPR-CCF-FT-863AB Failure of motor operated valves 1863A and 1863B to open.
| |
| LPR-CCF-FT -890AB Failure of motor operated valves 1890A and 1890B to open.
| |
| LPR-CCF-PG-SUMP Plugging of both containment sump compartments.
| |
| MCW-CCF-VF-INLVL Insufficient intake canal level to supply service water, for all sequences except station blackout.
| |
| MCW-CCF-VF-SBO Insufficient intake canal level during station blackout.
| |
| MSS-CCF-FT-OlABC Failure of all three steam generator power operated relief valves to open.
| |
| MSS-CCF-FT-TVAB Failure of the turbine bypass valves to open.
| |
| * OEP-CCF-FS-DG 123 Failure of all three diesel genera tors to start on demand.
| |
| OEP-CCF-FS-DG13. Failure of diesel generators Ill and /13 to start.
| |
| OSR-CCF-FS-RS2AB Failure of the Outside Spray Recirculation system pumps to start.
| |
| PPS-CCF-FT-1.53.56 Failure of motor operated valves 1.53.5 and 1.536 (POR V blocking valves) to open.
| |
| 4.7-11
| |
| | |
| Table 4.7-1 (Cont'd)
| |
| Surry Common Cause Failures Event Identifier Description PPS-CCF-FT-PORV Failure of the Reactor Coolant system power operated relief valves to open.
| |
| PPC-CCF-FT-SRVS Failure of the Reactor Coolant system safety relief valves to open.
| |
| RCS-CCF-FT-4.5.5AB Failure of the pressurizer spray valves to open.
| |
| RHR-CCF-FS-MDPAB Failure of the Residual Heat Removal system pumps to start.
| |
| RHR-CCF-FT-720AB Failure. of motor operated valves 1720A and 1720B to open.
| |
| RMT-CCF-F A-MSCAL Failure of the Recirculation Mode Transfer system actuation signal due to miscalibration of the R WST level detectors.
| |
| SWS-CCF-FT-3ABCD Failure of service water isolation valves 103A, 103B, 103C, and 103D to open.
| |
| * 4.8 Human* Reliability Analysis This section presents the re*sults of the human reliability analysis (HRA) performed for this study. Included in this section is a discussion of the human actions which were identified, the methods and assumptions used in their evaluation, and the final human error probabilities used in the accident sequence quantification. Detailed calculations of the human reliability analysis are found in Appendix C of this report.
| |
| sec*tion 4.8.1 discusses the scope and references the methodology. Section 4.8.2 lists the human actions which were analyzed. Section 4.8.3 presents and discusses the important results of the pre-initiator human reliability analysis. Section 4.8.4 presents and discusses the results of the post-initiator human reliability analysis. Section 4.8.5 discusses the innovative recovery actions which were considered.
| |
| 4.8.1 Summary of Methodology and Scope Human reliability analysis for this study was performed in accordance with References 27 and 36. The HR.A was divJded into two overall categories of actions: pre-initiator errors and post-initiator errors. Pre-initiator error analysis was entirely concerned with miscalibration errors and equipment restoration errors. Human actions which lead to these errors were done under normal plant operating conditions with stress levels appropriate for everyday work environments. The calculation of error probabilities for these actions was concerned with the adequacy of the maintenance and inspection procedures, the dependence of related tasks, and the administrative redundancy of restoration procedures.
| |
| The other category of human errors was post-initiator errors. Post-initiator error analysis was concerned with human errors made in *response to the mitigation of an initiating event. The human actions from which these errors derive were procedure directed. calculation* of error probabilities for these actions was p"rimarily concerned with the amount of time available to complete the task, the stress level under which the task was performed, and the amount of redundant verification that was possible within the allowable time period.
| |
| Modeling of human interactions with the plant systems was done during the fault tree analysis, the event tree analysis, and most importantly, the accident sequence recovery analysis.
| |
| Human actions .can be directly defined at the fault tree level and* the event tree level.
| |
| But due to the way that fault trees and event trees were linked togeJ:her to create failure expressions for an entire accident sequence, it is not necessarily possible to identify all human actions until the sequence level cut sets have been generated.
| |
| When using the large fault tree-small event tree (LFT-SET) approach, the most common place for identification of human interactions was in the accident sequence recovery analysis which was done after the initial accident sequence Boolean -reduction and quantification. In the LFT-SET process, this was the first time that minimal cut sets to an entire ,core damage sequence could be viewed. Thus, all the information was available, within the context of a single cut set to determine the alternatives for function restoration and the allowable timing for restoration. Search for possible recovery actions was directed by the emergency operating procedures applicable to the
| |
| * particular sequence. These recovery actions involved restoration of system operability or initiation .of an alternative system to provide or to mitigate the failed function.
| |
| 4.8-1
| |
| | |
| --- ---
| |
| All human errors identified were errors of omission. These were defined as instances
| |
| * where an operator was required to correctly perform a task in 'order to ensure the proper functioning of a system. If this task was not performed correctly in any way, the system looses its ability to function.
| |
| 4.8.2 Human Actions Analyzed As discussed in the previous section, identification of human interactions was done at the fault tree level, event tree level, *and in the accident sequence recovery analysis.
| |
| Operator actions were of two categories: pre-initiator actions*, which are restoration and miscalibration errors, and post-initiator actions*, which involve diagnosis*, operation and manipulation of systems and components.
| |
| To identify pre-initiator errors, restoration errors were postulated to occur for each pump and valve after each surveillance action on the system in question. The restoration errors were screened before quantification to eliminate those that were considered to be negligible in comparison to other system failures. Only those errors which survived the screening were quantified and explicitly included in the fault tree models.
| |
| The use of a screening quantification was made possible by the utilization of a Class I tagging system at Surry. A Class I tagging system refers to the administrative tracking system used to restore inoperable components to service. A Class I system is one in which at least two independent verifications are performed before declaring the system operable. At Surry, the responsibility for returning components to service rests with a different organization than those responsible for completion of test and maintenance.
| |
| After the maintenance staff restores the system to operable condition, two independent verifications are performed by a different organization before the component is declared operable. During the initial plant visit to the Surry site, the HRA analyst on the PRA team verified that the system was administered and practiced as planned~
| |
| Screening criteria were as follows: Valve restoration errors were not explicitly included in the fault trees if:
| |
| * Valve position is annunciated in the control room.
| |
| * Valve position is indicated in the control room and the indication is checked every 24 hours.
| |
| * The valve is flow tested as part of restoration to service.
| |
| * The valve receives an automatic actuation signal.
| |
| * Common cause restoration errors were not postulated if redundant trains of the same system were tested on a staggered basis.
| |
| After the screening criteria were implemented, only one pre-initiator restoration error was quantified. It is listed in Table 4.8-1.
| |
| Post-initiator errors were identified and collected at three levels of analysis. They were all retained for quantification. The list of operator actions is shown in Table 4.8-1. Each operator action appearing in a specific sequence has timing considerations, and other conditional circumstances which may make the quantification of the error probability unique to that sequence. Thus, multiple quantifications of one event were common.
| |
| 4.8.3 Analysis of Pre-Initiator Errors As discussed* in the previous subsection, only two pre-initiator errors survived the
| |
| * screening process to be quantified. Each of these is discussed below.
| |
| 4.8-2
| |
| * 4.8.3.1 Pre-Initiator Restoration Errors Events for mispositioned valves, were identified by the system fault tree analysis. These events could occur as a result of failure to restore valves after monthly pump testing or failure during power ascension to restore valves that were closed for maintenance during cold shutdown. Some systems have valve configurations that do not require alteration for pump testing. Consequently, valve misposition errors for these systems were considered negligible compared to other causes of system failure~ . Because all pump testing at Surry is staggered, no common cause misposition errors were identified.
| |
| The restoration error for failure to restore containment spray pump test lines was quantified in accordance with Reference 27. A basic error probability of 3E-2 was used with a single verification error of lE-1, as prescribed in Item. III, Table .5-3, Reference 27.
| |
| 4.8.3.2 Pre-Initiator Miscalibration Errors Common cause miscalihratfon of sensors in the ECCS actuation systems was postulated for each se.t of common sensors. The impact on the actuation system *was evaluated. It was determined that in only one instance would common miscalibration .of redundant sensors fail an entire actuation system with no secondary indications available to the operator. This was for the RWST water level sensors in the RMTS. In all other cases, alternate protective functions are available, or alternate instrumentation is available to alert the operator to the need for actuation. Table 4.8-2 shows the guidelines ahd procedure for evaluation and quantification of these events. The miscalibration of sensors was explicitly included in the Boolean equation for the RMTS. Miscalibration of the RWST water level sensors was calculated to be 3.0E-4.
| |
| * 4.8.4 Analysis of Post-Initiator Operator Actions The complete list of post-initiator human actions identified throughout this study is listed in Table 4.8-1. The actions along with their event identifiers used in the system models are shown in the table. These actions can be classified into two general ca te-gories, for the purpose of quantification. They are skill based actions. and rule based actions.
| |
| * 4.8.4.1 Quantification of Skill Based Actions Skill based actions are those that are performed from memory. They represent skills acquired through training and practice. The performance of these tasks is not considered to be significantly affected by stress level, previous events, or timing. The HRA guide suggests that skill-based actions have an error probability of 2.7E-3 each. Reduction of the overall error probability due to verification or checking by a second person is not applicable to skilled-based ~ctions.
| |
| * An error probability of 2.7E-3 was assigned to all skill based actions, independently of the context in which they appeared, stress level, timing, or previously committed opera-tor errors. Rule-based *actions, however, were always quantified ba'sed on the context in which they appeared. Error probabilities for rule based actions were based on stress level, timing, adequacy of procedures, and control room staffing. Error probabilities for rule-based actions were also shifted upward due to a previously committed error in the sequence of events. The amount the HEP increased primarily depended on the time be-
| |
| * tween the first error and the second action. . * .* _
| |
| 4.8-3
| |
| | |
| Classification of actions as skill-based or rule-based was. based on the structure of the emergency procedures and operator training.
| |
| The Surry system of emergency procedures follows the generic Westinghouse guidelines.
| |
| There are three major sets of emergency procedures: emergency procedures (EP), func-tional restoration procedures (FRP), emergency contingency actions (ECA). They are
| |
| * related as follows.
| |
| The EPs are event oriented procedures. There are four basic sets, with several subsets to each set. The four sets are:
| |
| * reactor trip or safety injection
| |
| * loss of reactor or secondary coolant
| |
| * faulted steam generator isolation
| |
| * steam generator tube rupture These procedures are the primary set of procedures for mitigation of all transients and LOCAs. The operator is trained to make a *preliminary diagnosis of an event, and to select one of these series of EPs.
| |
| The FRPs are a series of six procedures which provide instructions for restoration of a critical safety function. The six series involve:
| |
| * loss of subcriticality
| |
| *
| |
| * loss of core cooling
| |
| * loss of secondary heat removal
| |
| * potential pressurized thermal shock
| |
| * containment integrity
| |
| * reactor vessel inventory These functions are normally provided during reactor operation and will continue to be provided regardless of any single component failure. The shift technical advisor (ST A) will monitor several parameters involved with the preservation of these functions. Should these parameters range out of acceptable limits, the ST A will be directed to the appropriate functional restoration procedure. This procedure is followed until the lost function is restored.
| |
| The third set of procedures are the ECAs. These are event oriented procedures for severe cases of multiple equipment failures, which can be specifically diagnosed. There are four sets of ECAs:
| |
| * Loss of all AC Power
| |
| * Loss of Emergency Coolant Recirculation
| |
| * Uncontrolled Depressurization of all Steam Generators
| |
| * SGTR with Loss of Reactor Coolant The first 11 steps of EP 1.0 represent immediate actions after a scram. They will be done from memory without references to a written procedure. They represent a univer-sal set of actions for any initiating event which are necessary to. tend to immediate concerns after a reactor trip and to form the basis for a diagnosis of the initiator. Some
| |
| * of these actions are repeated at the beginning of other procedures.
| |
| 4.8-4
| |
| | |
| These steps involve verification of reactor trip, turbine trip~ AC power, SI flow if
| |
| * needed*, AFW if needed*, and containment isolation. If the desired response is not obtained, the operator is trained to perform immediate manual activation of these systems. 'The PRA events which represent these immediate actions are listed as skill based actions in Table 4°.8-1.
| |
| * Manual actuation errors were handled with one additional discrimination. For cases where only one train of actuation failed, the actuation of the other train would be sufficient indication that the questioned system was required. For these cases, the skill based HEP applies. For cases where both trains of actuation failed, two types of indications were considered available to the operator: instrumentation from other systems and whether or not previous safety system actuation had occurred. For example, for CLS Hi failure, the operator would have some indication that CLS Hi should actuate, if SIAS was actuated previously in the scenario~ For those cases, if alternate indication was present, the HEP was calculated from the upper joint diagnosis error in Figure 7-1 of Reference 27, corresponding to the time available for action. If no alternate indication was present, no recovery was allowed. The upper joint HEP was chosen because indirect indications are available to the operator, rather than the more direct indications in the previous case.
| |
| 4.8.4.2 Quantification of Rule Based Actions The rule based actions are identified as such in Table 4.8-1. All actions except two can be related to one of five types of sequences. The other two were quantified as independent events.
| |
| The results of the HRA are summarized in Table 4.8-3. Events noted with a subscript are the human error probability contribution to a .recovery event with the same identifier, which also has a hardware failure contribution. Events without a subscript represent a pure operator error which is input directly into the core damage models. This table shows the important conditions pertaining to each operator action. These are the type of appli-cable error probabilities (action, diagnosis, skill based), the stress level (moderate or high), and type of action (dynamic or step by step). The allowable time for diagnosis is also shown, along with the diagnosis error where app.licable. The detailed work sheets supporting these calculations are shown in Appendix C of this report. The methodology is summarized here.
| |
| (1) Identification of the sequence failures and the accident conditions.
| |
| (2) Based on the cut set (and sequence), the timing of the events (i.e, occurrences, failures, alarms, indications, etc.) was established.
| |
| (3) Based on the cut set (and sequence), the symptoms and therefore the possible recovery actions (and required activities) were identified.
| |
| (4) The time available to the operator to diagnose and perform the* action (and activities) was established.
| |
| (5) The probability of the operator failing to properly diagnose the accident was determined. This considered such things as operator training, simulator exercise, etc*
| |
| * 4.8-.5
| |
| | |
| (6)
| |
| (7)
| |
| The of recovery action (whether 'dynamic' or 'step-by-step') was determined considering such things as the plant using symptom oriented procedures, operator training, etc.
| |
| The stress-level of the operator was determined considering such things as time available, difficulty of the action,
| |
| * training, number and timing of equipment failures, etc.
| |
| (8) The probability of the operator failing to perform the recovery action was evaluated.
| |
| For each of the major types of events, a discussion of timing, and procedures is given below. Important timing considerations are shown in Table 4. 8-4 and ground rules applicable to staffing and operator responses are shown in Table 4.8-5.
| |
| 4.8.4.3 HRA of Operator Actions During ATWS Five operator actions could potentially be required during an ATWS sequence, depending on the particular course of the sequence. An HRA was performed for ATWS in which these actions were evaluated as a sequential series using a consistent set of diagnosis errors and cognitive assumptions. These five events are, in order:
| |
| *
| |
| * Manual reactor scram
| |
| * Turbine trip, if not done automatically
| |
| * Start AFW, if not started automatically
| |
| * Open block valve on PORV within two minutes, if PORV isolated previous to initiator
| |
| * Emergency borate, if manual scram failed Scenario For the purposes of the HRA, the starting point for the ATWS event is defined to be the first indication in the control room that either a) one or more RPS trip parameters have been exceeded, b) one or more reactor trip breakers have been de-energized, or c) at least one train of RPS logic has been tripped. This is the first indication the operator would have that control rod insertion should have occurred, but did not. The possibility that an ATWS could occur without one of the above indications was not considered.
| |
| These indications would be accompanied by several control board status changes, including many annunciators. These indications would direct the operator toward reactor scram. The operator must trip the turbine within one minute, if it does not trip automatically. The operator must also start multiple AFW pumps within one minute, it it does not start automatically. The operator will also attempt to manually scram the reactor by activating the manual scram circuit which de-energizes the shunt trip and removes power from the control rod drive motor generator 4.8-6
| |
| *
| |
| * sets.* Manual scram must be accomplished in the first two minutes in order to be effective in altering the course of the transient.
| |
| approximately two minutes, the maximum pressure increase will occur, thereby demanding the pressure mitigation functions.
| |
| if not blocked, will open automatically.
| |
| At The SRVs, and PORVs
| |
| _If manual scram is unsuccessful, the operator must shut the reactor down using emergency boration. This involves opening a valve from the boric acid transfer (BAT) pumps to the HPI suction and switching the BAT pump to fast speed. The operator is also instructed to open a PORV to reduce RCS pressure and thereby enhance HPI flow .
| |
| *
| |
| * This plant was analyzed under the incorrect assumption that power is removed from the CRD motor generator sets upon manual scram.
| |
| Modifications to change the configuration at both units and render the assumption correct are scheduled for late 1990 and early 1991.
| |
| 4.8-6a
| |
| | |
| Procedures* and Training All operator actions during ATWS are clearly specified in individual steps in procedure FRP S. l. However, due to the fast acting nature of an ATWS, the opera tors would nof have time to take a procedure from the file. All ATWS actions must be performed from memory. The initial actions which m~y occur during all reactor trips are considered skill based actions. These are turbine trip, reactor trip, and AFW start. Emergency boration and opening a block valve would only happen after an ATWS and are considered rule based actions.
| |
| Operator training at Surry instructs the operators to immediately verify subcriticality on every transient~ Whenever an operator sees indication of scram or partial scram, the operator is instructed to look at the rod position indicators and if they are not all lit red, activate manual scram, turbine trip, and then start AFW*. These actions are a routine part of any reactor scram.
| |
| Timing of Operator Actions Manual reactor trip, manual turbine trip, and manual start of AFW would all be performed as soon as the operator could look at the rod position and reach the control panel. All three controls (scram, turbine trip, and AFW start) are close together. Timing for these actions is considered to be within one minute.
| |
| Opening the block valve for the PORV will occur after the operator realizes manual scram has failed. It must occur within two minutes to be effective in mitigation of the initial pressure spike. Emergency boration will be attempted within 10 minutes.
| |
| Calculated HEPs The immediate operator actions during ATWS are skilled based. Opening the block valve for the PORV and emergency boration, are considered to be ruled based actions. HEP for the skill based actions were assigned a value of 2.7E-3 each.
| |
| Opening of the PORV block valve within two minutes to help mitigate the,pressure rise is dominated by diagnosis error. The lower bound HEP for 2 minutes in Figure 7-1 of Reference 27 was used.
| |
| Three actions are necessary to initiate emergency boration:
| |
| * Open Valve 1350
| |
| * Switch BAT pump to fast speed
| |
| * Open a PORV These actions were considered as a single action for purposes of quantification. The verification HEP used for this sequence is assigned the same value as the initial HEP, that being 3.2E-2. This is unusual in that it represents a completely independent person performing the task. However*, use of such a low number was considered justified for this sequence because of the attention and training devoted to ATWS since the Salem ATWS incident. A basic error rate of .032 (Item 3*, Table 8-.5, Reference. 27) and a verification error of .032 were used. The overall HEP for failure to borate is 1E.-3 *
| |
| * 4.8-7
| |
| | |
| 4.8.4~4 HRA for Loss of Steam Generator Cooling Events Five human actions could potentially be required in loss of SG cooling scenarios, depending on the particular scenario and which equipment was failed. The HRA for these events considered that all five actions would be performed sequentially, as directed by procedur~. The operator would follow procedures step by step until the sequence was mitigated. The five potential actions are: .
| |
| * Manual start of AFW, if it failed to actuate
| |
| * Restore MFW, if possible
| |
| * Align AFW from Unit 2 if not able to get AFW or MFW from Unit 1
| |
| * Establish HPI if AFW-Unit 2 fails
| |
| * Open PORVs to allow feed and bleed Scenario The scenario for this sequence begins with feedwater makeup to the steam generator being unavailable. Water level in the steam generator is decreasing. For purposes of HRA model development, it was determined that the operator would have 30 minutes from reactor trip before there is inadequate heat removal through the steam genera-tors. If feedwater to the SGs had not been restored by that time, operators would initiate feed and bleed cooling. There are three ways to provide steam generator feed at Surry: AFW at Unit 1, MFW at Uriit 1, and AFW at Unit 2. The operator would attempt these in order of preference, as directed by procedures.
| |
| * Procedures* *and Training All of the actions listed above are explicitly directed by procedures. A pathway through the procedures was identified as follows.
| |
| The operator would start EP 1.00 (re.actor trip) within 10 minutes of trip. If no SI signal is present (which should be the case), the operator is directed to EP 1.01 (Recovery from reactor trip) where in step .3, the operator is directed to establish feedwater with either MFW or AFW from Unit 1. If neither of these are available, the operator could cross
| |
| * connect AFW from Unit 2 in anticipation of the direction to the FRP, or try and restore Unit 1 systems, holding off on Unit 2 until the ST A was directed to the FRP by inadequate feed flow. Functional Restoration Procedure H.1. is applicable to this sequence. Step 2 of FRP H.1 directs a cross connect of AFW from Unit 2. This action can be done entirely from the main control room. If this fails, the operator is directed to try to restore MFW or depressurize the SGs and use the condensate pumps to supply feed flow. If these fail, steps 10 through 1.5 of FRP H.1 direct the operator to go to feed and bleed.
| |
| Timing The timing. considerations of the HRA model required AFW to be restored within 30 minutes. If this was not possible, feed and. bleed cooling must be in place by 4.5 minutes*. Manual start of AFW is a simple operation which could be done quickly. Cross connect of AFW from *Unit 2 involves opening two valves in the <;;ross header, closing six valves in the Unit 2 di~~harge headers a!nd starting an AFW pump. This was estimated to require 5 to 10 minutes. Initiation of feed:and bleed also requires 10 minutes. It involves
| |
| * opening the HPI suction and discharge valves and opening the PORVs.
| |
| 4.8-8
| |
| * Calculated HEPs Diagnosis error was not postulated for the actions associated with restoration of steam generator feed*. These actions are all clearly directed by procedure, and the sequence tirping allows adequate time to get to the appropriate steps. Feed and bleed, on the other hand was assigned a diagnosis error when it was necessitated by a previous operator error to restore steam generator feed. Diagnosis error was not postulated for feed and bleed when it was necessitated by mechanical failures of AFW or MFW.
| |
| Each individual action was assigned an initial error probability of .032 (Item 3, Table 8-.5, Reference 27) and a verification factor of .32 (Item 6*, Table 8-.5, Reference 27).
| |
| For all feed and bleed actions, necessitated by previous operator error, the basic HEPs were increased by a factor of two to account for time stress. Feed and bleed is only attempted in response to loss of steam generator feed, which implies previous actions to restore feed flow were attempted and failed. Time stress is present when previous actions have failed and a new action is being done within the original time constraints.
| |
| 4.8.4.5 HRA of Operator Actions During Small Break Sequences Six human actions are of interest during small break sequences in response to loss of injection or recirculation. An HRA was done for these sequences which evaluated these actions as a sequential series of events. One of these actions, RCS cooldown and depressurization, is directed as a standard procedure for all small breaks and was thus included in the integrated HRA.
| |
| Scenario Small break sequences are considered to be initiated on reactor trip caused by low RCS pressure. Most of these sequences will be accompanied by an SI signal. Normal sequence of events would be for HPI to automatically actuate and provide makeup flow. But, for various reasons ECCS may fail in injection or recirculation. The possible recovery actions associated with these initial loss of HPI sequences are:
| |
| * Isolate PORV if LOCA is caused by stuck open PORV.
| |
| * Start charging pump C (standby pump) if pumps A and B are not running.
| |
| * Open alternate injection path through MOV 1842, or MOV 1869A and 1869B.
| |
| * Align HPI from Unit 2.
| |
| * Cross connect the RWST from Unit 2 to ECCS at Unit 1.
| |
| All of these events would not necessarily apply to the same sequence. But the operator may attempt one or more of these corrective actions until the coolant makeup function was restored.
| |
| Procedures and Training All of these actions are explicitly called out in the Surry procedures. Depending on the particular initiator, different pathways through the procedures can be postulated.
| |
| * If the break is large enough to initiate an SI signal, the operator would be in EP 1.0 or EP 2.0. If a reactor trip on low pressurizer pressure occurs with no SI, or low pressurizer pressure occurs with no reactor trip*, the operator could be in procedures EP 1.01 or AP-
| |
| | |
| 42 respectively. Both of. these procedures call for manual SIAS, if needed, and manual starting of the standby charging pump, if needed.
| |
| If SI flow from the charging system fails, monitoring of the core status trees would direct the operator to FRP C.2. In this procedure the operator is instructed to open valves in the alternate injection paths and if flow is still not available, cross connect HPI from Unit 2.
| |
| * Loss of coolant recirculation is addressed directly in ECA 2.0. In this procedure the .
| |
| operator is directed to cross connect charging pumps or -the RWST from Unit 2 as necessary to restore coolant makeup to Unit 1.
| |
| Timing The key timing parameter for these actions is the time to core uncovery. Restoration of HPI flow or isolation of the break up to the time of core uncovery was considered sufficient to prevent core damage. Core uncovery times were estimated for each of the initiator types (Si, s2, s3, TQ). They varied from 1.5 minutes for s1 to 2 hours for s3*
| |
| See Appendix D for tne derivation of core uncovery times. . .
| |
| The first three operator actions in the series are simple actions and can be performed in a very short time, from the control room.*
| |
| In order to cross connect HPI flow from Unit 2 however, an opera tor must leave the control room to manually open/close valves in the charging pump area. It was estimated that cross connect of HPI would require 1.5 to 20 minutes. Considering that the decision to use it would not come until 1.5 to 20 minutes after* reactor trip these timing constraints made HPI cross connect unavailable for use in the s1 and s2 LOCAs.
| |
| Calculation of HEPs Failure to isolate a stuck open POR V was considered a skill based action and assigned a probability of 2.7E-3. Starting of the standoy charging pump and opening the alternate injection paths were also considered to be skill based actions, as defined in Reference 27 and were consequently assigned an HEP of 2.7E-3.
| |
| Cross connect of HPI from Unit 2 was considered to be a rule based action and was considered to require diagnosis. This derives from the cross connect being directed in the FRPs, which are not directly referenced from the EPs. The lowest level C series FRP which specifies cross connect of HPI from Unit 2 is C.2. This procedure will not be entered until subcooling is less than 30°F and core outlet T/C are greater than 700°F or Reactor Vessel Level indicates less than 4296. By the time these conditions occur, the required 20 minutes to cross con~ect HPI before core uncovery may not be available.*
| |
| Therefore, it was postulated that the need to cross connect would have to be diagnosed before the procedures directed it to happen.
| |
| Cross connect of HPI requires opening valves outside the control room to be coordinated with pump operation in the control room. The cross connect operation w~s considered to be three operations: (a) isolating the charging pump at Unit 2, (b) starting the charging pump at Unit 2, and (c) opening the c~oss tie valves in the au.xiliary building. Each of these were assigned a basic HEP of .032, with a verification of .32.
| |
| 4.8-10
| |
| * 4.8.4.6 Operator Actions During Loss of Offsite Power and Station Blackout
| |
| * Several operator actions appear in the loss of offsite power trees and the station blackout model.
| |
| Some of these actions appear singularly and some appear with others in the same cut set. Where two operator actions appear in the same cut set, they were analyzed as a coupled pair of events, including consideration of relationships between the two events for dependency and timing. A discussion of each individual event is presented below.
| |
| Restore* Stub Bus At Surry, the RHR pump and the CCW pump are on a separate bus from the main 4160V emergency bus. It is called a stub bus. It is normally powered from the main 4160V bus, but is load shed after a loss of offsite power event. It is not automatically reconnected, but must be manually reloaded onto the main bus by the operator. Under no circumstances is CCW needed in the T 1 models at less than one hour. This was quantified as a procedure directed, step 6y step action, under moderate stress, with a single verification. The error probability was l.lE-2.
| |
| Align Alternate Source of Condensate to CST The primary source of condensate for the AFW system is a 100,000 gallon tank (TNK-lA). This is nominally sufficient for the duration of a station blackout event. But, in the event an SG becomes faulted, the increased AFW flow would require the provision of
| |
| * additional condensate. This can be provided by aligning a 300,000 gallon tank (TNK-2) to the TNK-lA. In addition to opening one valve between the two tanks, a valve between the hotwell and TNK-2 must be closed in order to assure continued inventory in TNK-2.
| |
| These actions are modeled as procedure directed, step by step, with moderate stress.
| |
| These actions are manual local actions. They were modeled as two separate actions*, of
| |
| .032 each, with no verification due to the local condition.
| |
| Isolation of a Condenser Water Box Surry has a gravity fed service water system which relies on the head difference between the intake canal and the discharge canal. The intake canal is resupplied with water by the circulating water pumps.
| |
| During loss of offsite power the circulating water pumps are unavailable. In the event that a condenser fails to isolate, the outflow through the condenser is greater than the makeup provided by the diesel driven emergency service water pumps. Canal drainage may occur before the restoration of offsite power, depending o~ the number of condensers that fail to isolate and the time at which power is restored. In any event, it is possible to assure water inventory for HPI service water loads by isolating the condenser inlet valve on the particular service water pipe which provides suction for the HPI-SW pumps. The wash through from the emergency service water pumps would be sufficient to maintain the pipe full and provide a suction source for the HPI service water.
| |
| Each condenser isolation valve is provided with a hand wheel, located in the turbine building. The action was modeled as a step by step, rule based action, including a
| |
| * diagnosis error to diagnose th~ need for such an isolation and to select the appropriate service water line for tsolation.
| |
| 4.8-11
| |
| | |
| Cooldowrrand*Depre*ssurize the RCS The ECAs at Surry cali for depressurization of the secondary side of the steam generators during a station blackout. This is a procedure directed action, modeled as four independent steps, each with an overall HEP of ~011. This action is done through manual, local valve line ups. Although the actions occur locally, a verification error was applied to each step, because of the central focus of primary depressurization during a
| |
| * station blackout.
| |
| Cross connect AFW 'from Un'it*2 In the event that AFW fails during a station blackout, cross connect of AFW from Unit 2 is the only available recovery option. The actions required for this event are just like those discussed in Section 4.8.4.4, but the operation is complicated by the unavailability of power to all the valves at Unit 1 and the additional constraint that both units are affected by a T 1 event and thus both units require AFW.
| |
| For the case of a single unit blackout, cross connect of AFW was credited, if two AFW pumps were available at Unit 2 (i.e., a MDP and the TDP). Cross-connect of AFW would require isolation of the *unit 2 AFW _system, at the pump discharge headers, into two separate parts, one to feed each. unit. A diagnosis error was included to consider this alternate method of cross connect.
| |
| For the two unit blackout, cross connect of AFW implies feeding SGs at both units with one turbine driven pump. Partitioning of flow would have to be done via manual throttling of the discharge header valves, in order to balance the pressure drops between
| |
| * piping in both units and thus balance the flows between units. This was considered a dynamic action, and accorded a higher HEP.
| |
| Cross*connect*oJ*Seal*Injectl'on**fronr*unit*2 During a one unit station blackout, it is possible to use the operable charging pump at Unit 2 to provide seal injection flow to both units. The actions for alignment of this system are the same as discussed in Section 4.8.4.5, but unavailability of AC power causes the need to balance flows with manual valve throttling. These actions were considered dynamic actions and accorded appropriate HEPs.
| |
| 4.8.4.7 HRA of Operator Actions During Steam Generator Tube Rupture (SGTR)
| |
| The steam generator tube rupture event requires operator actions to cooldown and depressurize the RCS in order to safely mitigate this initiator. Failure to equalize primary and secondary pressure will lead to continued influx of primary inventory to the SG. The water will boil off to the condenser or blow through the relief valve if the MSIVs are closed. Since the scenario modeled in this study assumes the operator will identify the ruptured SG ~nd close the MSIV, failure to equalize primary and secondary pressures will lead to a steam generator relief valve demand within an hour. Continued failure to depressurize and control safety injection flow will cause continued relief valve demands, possibly leading to the valve passing water. Should the valve fail to reclose after passing steam, or water, uncontrolled blowdown would occur *. The faulted steam generator now requires additional operator actions to safely mitigate the sequence.
| |
| Depending on the particular failures which lead to loss of secondary side integrity,
| |
| * operator actions to isolate the SG or depressurize the RCS to atmospheric are required
| |
| * 4.8-12
| |
| * Other SGTR _sequences involve the failure of AFW, the failure of HPI, and the failing open of a pressurizer PORV.
| |
| For SGTR sequences involving loss of AFW, the operator must cross connect AFW or restore main feedwater in order to initiate and maintain cooldown which is required for clepressuriza.tion *. A~ the postulated tube rupture is large enough to cause an SI signal, MFW will be isolated. Although th.e MSIVs can be expected to remain open, the Slsignal must be overridden to restore MFW.
| |
| The other important sequence involves failure of HPI to provide SI flow. The most direct operator recovery is to cross connect HPI from Unit 2. However, if the operator depressurizes the RCS, the break flow will stop and SI flow is no longer needed.
| |
| Scenario Steam generator tube rupture sequences are considered to begin with a simultaneous double ended rupture of a single steam generator tube. Very closely in time thereafter, an SI signal will occur on low pressurizer pressure. The immediate concern for the operator, after identifying the event as a steam generator tube rupture, is to identify the ruptured SG, isolate the ruptured SG and then initiate cooldown of the RCS and depressurization of the RCS to equalize pressures in the RCS and ruptured SG~
| |
| For the purposes of timing in this HRA model, it was considered that cooldown of the RCS must begin by 15 minutes after the tube rupture in order to have pressure equalized by 40 minutes and thus prevent pressurization of the ruptured SG, which would cause the relief valve to lift. In the extreme case of depressurization failure with no control of SI flow, the relief valve would continue to be demanded. At some point, the break flow would become subcooled with respect to the SG relief valve set point. Now the SG will fill with water until the dryers and separators are covered. The next relief valve demand will result in the valve passing water. The valve was considered to fail open after passing water. Therefore, in the extreme, failure to depressurize within 40 minutes without subsequent action in the near term to correct the mistake would lead directly to a loss of SG integrity due to failure of safety valves to reclose after passing subcooled water. Loss of SG integrity can also occur from failure of other lines to isolate. Loss of SG integrity, however, does not lead directly to core damage. A time period of at least 10 hours is available to recover from such an event. Applicable recovery options were to a) depressurize the reactor to atmospheric, b) depressurize the reactor to such a point that leakage is minimal and can be matched by R WST refill, or c) provide isolation of the faulted paths, if possible, via closure of isolation valves.
| |
| For sequence T7L 3 (loss of AFW), the operator must provide AFW from Unit 2 or recover MFW in sufficient time to proceed with cooldown and depressurization. The residual SG inventory is sufficient to start cooldown. The HRA model considered that alternate feed would need to be in place within 20 minutes in order to continue cooldown *. In sequence T7D1, the operator *must recover HPI flow within 2 hours, based on initial break flow size, to prevent core uncovery. However, if the operator depressurizes the primary to less than secondary pressure, the break flow will cease and there is no need to recover HPI flow. The timing for required depressurization in this sequence was assumed to be the same as for the sequences when i-IPI succeeds, although there may in fact be more time to depressurize. This sequence is not significant, compare9 to other SGTR sequences so it was not expedient to engage in additional analysis for this sequence.
| |
| Modeling of the T7n 1 sequence considered the failed HPI flow to be the primary focus of attention and the SGTR to be the secondary focus, until HPI flow was restored.
| |
| 4.8-13
| |
| * Procedures* and Training Operator ac;:tions for steam generator tube rupture are directed by EP 4.0 series. The operator may initiate EP 4.0 based on diagnosis of a SGTR, or he may initially respond with EP 1.0 (Reactor Trip/SI). Step 22 of EP 1.0 directs the operator to check for rup-tured tubes and directs him to EP 4.0. Recovery from a faulted SG is covered by EP 3.0.
| |
| Calculated HEPs Operator actions associated with cooldown and depressurization were considered to be step by step actions under moderate stress. Although depressurization and cooldown are procedure directed, a diagnosis error was included for tube rupture sequences, because it was considered that there is insufficient time for the operator to select EP 1.0 and work through the procedure to the cross reference to EP 4.0 and initiate depressurization
| |
| . within 15 minutes. The operator must select the SGTR procedure after reactor trip in order to be ready to initiate cooldown at 15 minutes, thus the need for a diagnosis error in the overall HEP.
| |
| The HRA for the long term recovery actions in resonse to a faulted-ruptured SG contained subjective decisions concerning how low the error probability should be. The situation is that an initial operator error was committed, thus increasing the probability of future operator errors, but the time period is long enough to justify a very low HEP.
| |
| In the final decision, the ASEP HRA guidelines on HEPs were invoked. These resulted in the calculation of l.4E-2 for recovery after initial error.
| |
| 4.8.5 Innovative Recovery One possible innovative recovery action was identified, that being to gag a stuck open SG safety valve while the system was pressurized.
| |
| * For steam generator tube rupture sequences with a subsequent loss of steam generator integrity, the timing of the sequence allows approximately 10 hours to mitigate the inventory loss before depletion. of the RWST. Mitigation is possible through two methods, a) depressurization to a low enough pressure that flow is minimal and tolerable orb) to reestablish SG integrity by closure of an isolation valve.
| |
| A special case is presented when the loss of integrity is due to a failed safety valve, because the safety valves are not isolable. For some sequences, such as those with tube rupture and subsequent loss of instrument air, depressurization is not possible. These sequences may initially appear to be unrecoverable, but given the 10 hour time period to RWST depletion, consideration was given to innovative recovery actions. One in par-ticular was to gag the relief valve, while it was blowing down. The questions in determining its probability were the physical realities of the environment under which this action could be done, rather than the probability of t~4h¥eneration of the sugges-tion. Following the guidelines for innovative recovery probabilities, a failure probability of 3E-1 was used.
| |
| 4.8-14
| |
| * TABLE 4.8-1 HUMAN ACTIONS QUANTIFIED IN THE SURRY PRA
| |
| * A. Pre Initiator Action Restoration of CSS Valves after Identifier Used 1n System Models CSS-XVM-RE-XV15 pump test CSS-XVM-RE-XV8 Miscalibration of RWST Water Level Sensors RMT-CCF-FA-MSCAL B. Post Initiator Actions B.1 Skill-Based Actions Manual Activation of SI SIS-XHE-FO-MANSl SIS-XHE-FO-MANS2 SIS-XHE-FO-MANS3 Manual Activation of CLCS CLS-XHE-FO-MAN-A CLS-XHE-FO-MANS1 CLS-XHE~FO-MANS2 Manual Activation of RMTS RMT-XHE-FO-MANS2 Manual Activation of AFW AFW-XHE-FO-MNACT Manual Reactor Trip R Open alternate injection path for SI flow HPI-XHE-FO-ALT HPI-XHE-FO-ALTIN HPI-XHE-FO-ALTI3 HPI-XHE-FO-ALTS3 Manual start charging pump C HPI-XHE-FO-PLLCK Close PORV block valve PPS-MOV-FC-OPER Manual turbine trip PCS-XHE-FO-TBTRP B.2 Rule Based Actions B.2.1 LOSP Sequences Restore Stub Bus ACP-XHE-FO-STBBS Align back-up source of condensate to CST AFW-XHE-FO-CST2 Isolate condenser water boxes MCW-CCF-VF-SBO Cooldown and depressurize RCS 0 Cross connect AFW from Unit 2 AFW-XHE-FO-U1SBO
| |
| * AFW-XHE-FO-U2SBO cross connect seal injection flow from Unit 2 REC-XHE-FO-SCOOL 4.8-15
| |
| | |
| TABLE 4.8-1 BUMAN ACTIONS QUANTIFIED IN THE SURRY PRA B.2.2 SGTR Sequences Cooldown and depressurize RCS Identifier Used in System Models RCS-XHE-FO-DPRT7 RCS-XHE-FO-DPT7D
| |
| * REC-XHE-FO-DPRES Isolate faulted steam generator MSS-XHE-FO-BLOCK MSS-XHE-FO-ISAFW MSS-XHE-FO-ISBDN MSS-XHE-FO-ISDHR B.2.3 Loss of Steam Generator Cooling Sequences Cross connect AFW from Unit 2 AFW-XHE-FO-UNIT2 Initiate feed and bleed cooling HPI-XHE-FO-FDBLD PPS-XHE-FO-PORVS PPS-XHE-FO-lPORV Fail to Restore Main Feedwater M B.2.4 ATWS Sequences Initiate emergency boration PPS-XHE-FO-EMBOR Open pressurizer PORV, Block PPS-XHE-FO-UNBLK Valve
| |
| * B.2.5 Small Break Sequences cross connect HPI from Unit 2 HPI-XHE-FO-UN2Hl HPI-XHE-FO-UN2S2 HPI-XHE-FO-UN2S3 HPI-XHE-F0-20DH2 HPI-XHE-F0-30DH2 Cross connect RWST from Unit 2 Incorporated in above category.
| |
| Cooldown and depressurize the RCS RCS-XHE-FO-DPRES CPC-XHE-FO-CMNS2 CPC-XHE-FO-SMNS1 CPC-XHE-FO-SMNS2 B.2.6 Others Realign HPI-SW to bypass failed strainer CPC-XHE-FO-REALN Reconfigure to hot leg recirculation LPR-XHE-FO-HOTLG Manual Activation of RMTS RMT-XHE-FO-MAN-A RMT-XHE-FO-MANS1 4.6-16
| |
| * Table 4.8-2 Groundrules For Calculation of
| |
| * 1.
| |
| Common Miscalibratiori Error Probabilities Common cause miscalibration errors postulated for CLS Hi-Hi, CLS Hi, SIAS, and RMTS.
| |
| : 2. Miscalibration of enough sensors to fail both trains of the actuation system was of interest. Logic arrangements for each actuation were considered.
| |
| : 3. Probability of common cause miscalibration was calculated in accordance with Reference 27.
| |
| : 4. Miscalibration of sensor or bistable possible. Miscalibration is necessarily of significant magnitude and in the failure position, in order to provide entirely false information.
| |
| 4.8-17
| |
| | |
| TABLE 4.8-3
| |
| | |
| ==SUMMARY==
| |
| OF HRA RESULTS STRES~ ACTIO~
| |
| IDENTIFIER SEQUENCE TYPE 1 LEVEL TYPE DIAGN0SIS4 ACTION ERROR MEAN ACP-XHE-FO-STBBS Tl A-(PD) MOD SBS .011 1.lE-2 AFW-XHE-FO-CST2HRA SBO A-(PD) MOD SBS .064 6.4E-2 AFW-XHE-FO-MNACT ALL SB
| |
| .;.. __ 2.66E-3 AFW-XHE-FO-UlSBOHRA SBO-Ul A+REDIAG. MOD SBS MED@ 20 MIN .022 4.BE-2
| |
| .026 AFW-XHE-FO-U2SBO SBO-Ul/U2 A-(PD) MOD SBS+DYN .011 + .064 7.SE-2 AFW-XHE-FO-UNIT2HRA T1,T2,T3 A-(PD) MOD SBS .033 3.3E-2
| |
| ....
| |
| * CLS-XHE-FO-MAN-A S2,S3,T7 A SB 2.66E-3
| |
| '00 CLS-XHE-FO-MANSl CLS-XHE-FO-MANS2 S1 S2 SB SB 2.66E-3 2.66E-3 CPC-XHE-FO-CMNS2 S2 A+D MOD SBS UB @ 30 MIN .011 3.76E-2
| |
| .0266 CPC~XHE-FO-REALNHRA ALL A+D MOD SBS UB @ 30 MIN
| |
| * 032 5.86E-2
| |
| .0266 CPC-XHE-FO-SMNS1 S1 A+D MOD SBS UB @ 30 MIN .011 3.76E-2
| |
| .0266 CPC-XHE-FO-SMNS2 S2 A+D MOD SBS UB @ 30 MIN .011 3.76E-2
| |
| .0266
| |
| ** * *
| |
| * TABLE 4.8-3 (Continued)
| |
| | |
| ==SUMMARY==
| |
| OF HRA RESULTS STRES~ ACTION IDENTIFIER SEQUENCE TYPE 1 LEVEL TYPE 3 DIAGNOSIS 4 ACTION ERROR MEAN HPI-XHE-FO-ALTHRA S1,S2 SB 2.66E-3 HPI-XHE-FO-ALTINHRA S1,S2 SB 2.66E-3 HPI-XIIE-FO-ALTI3HRA
| |
| - CONTROL ROOM S3,T7D1 SB 2.66E-3
| |
| - LOCAL S3,T7D1 A MOD SBS .064 6.4E-2 HPI-XHE-FO-AUTS3HRA
| |
| - CONTROL ROOM S3,T7D1 SB 2.66E-3
| |
| - LOCAL S3,T7D1 A MOD SBS .064 6.4E-2 HPI-XHE-FO-FDBLD f- ALL L MECH A-(PD) MOD SBS .011 1.lE-2 00 I
| |
| I-'
| |
| ALL L XHE A+D TIME STRESS SBS MED@ 20 MIN .011
| |
| * 4 7.lE-2
| |
| <:O .0266 HPI-XHE-FO-PLLCK ALL SB 2.66E-3 HPI-XllE-FO-UN2HlHRA S2H1 A MOD, SBS .011 * .132 1. 45E-3 S3W3H1 TIME STRESS HPI-XHE-FO-UN2S2HRA S2D1 A+D MOD SBS 2ND EVENT .033 3.0E-1 MED@ 20 MIN
| |
| .266 HPI-XHE-FO-UN2S3HRA S3D1 A+D MOD SBS 2ND EVENT .033 3.4E-2 T7D1 MED@ 125 MIN 5.2E-4
| |
| | |
| TABLE 4.8-3 (Continued)
| |
| | |
| ==SUMMARY==
| |
| OF HRA RESULTS STRES~ ACTION IDENTIFIER SEQUENCE TYPE 1 LEVEL TYPE~ DIAGNOSIS 4 ACTION ERROR MEAN HPI-XHE-F0-20DH2HRA S20DH2 A+D MOD, SBS MED@ 30 MIN .011 * .132 4.llE-3 S20DH1 TIME STRESS .00266 HPI-XHE-F0-30DH2HRA S30DH2 A+D MOD, SBS MED@ 125 MIN .011 * .132 l.97E-3 S30DH1 TIME STRESS 5.2E-4 LPR-XHE-FO-HOTLG A,S 1 A LOW SBS {. 02 *
| |
| * 02) .1 4.00E-5 MHRA T3 SB 2.66E-3 MCW-CCF-VF-SBOHRA SBO A+D MOD SBS UB@ 30 MIN .032 5.86E-2
| |
| .
| |
| .i:,.
| |
| 00 I
| |
| .0266 NI MSS-XHE~FO-BLOCK T7 A-(PD) MOD SBS
| |
| * 032 6.4E-2 0
| |
| HEP increased by a factor of two to account for potentially inhibiting environment.
| |
| MSS-XHE-FO-ISAFWHRA T7 A-(PD) MOD SBS Must depressurize or isolate: 3.4E-3 HEP conditional on previous failure to depressurize MSS-XHE-FO-ISBDN T7 A-(PD) MOD SBS Must depressurize or isolate: 3.4E-3 HEP conditional on previous failure to depressurize 0 SBO A-(PD) MOD SBS .044 4.4E-2 PCS-XHE-FO-TBTRP ATWS SB 2.66E-3
| |
| | |
| TABLE 4.8-3 (Continued)
| |
| | |
| ==SUMMARY==
| |
| OF HRA RESULTS STRES~ ACTION IDENTIFIER SEQUENCE TYPE 1 LEVEL .TYPE 3 DIAGNOSIS 4 ACTION* ERROR MEAN PPS-MOV-FC-OPER ALL SB 2.66E-3 PPS-XHE-FO-EMBOR ATWS A MOD SBS 1. OE-3 1. OE-3 PPS-XHE-FO-PORVS ALL L MECH A-(PD) MOD SBS .011 1. lE-2 ALL L XHE A-(PD) TIME STRESS SBS .011
| |
| * 4 4.4E-2 PPS-XHE-FO-UNBLK ATWS A+D MOD SBS LB@ 2 MIN .032 2.JE-1
| |
| .20 RHRA ATWS SB 2.66E-3
| |
| .
| |
| ,I::.
| |
| 00 I
| |
| RCS-XHE-FO-DPRES S2,S3 A-(PD) MOD SBS .022 2.2E-2
| |
| ....
| |
| NI RCS-XHE-FO-DPRT7 T7 A+D MOD SBS LB@ 15 MIN .022 2.9E-2
| |
| .0068 RCS-XHE-FO-DPT7D T7D1 A+D MOD DYN 2ND EVENT .064
| |
| * 2 4.02E-1 MED@ 20 MIN
| |
| .266 REC-XHE-FO-DPRES T7 A-(PD) MOD SBS HEP conditional on previous 1. 40E-2 failure to depressurize REC-XHE-FO-SCOOL SBO-Ul A-(PD) MOD DYN .0614 + .064 1. 25E-1 RMT-XHE-FO-MAN-A A A-(PD) EXT SBS .064 6.4E-2
| |
| *RMT-XHE-FO-MANS1 S1 A-(PD) EXT SBS .064 6.4E-2
| |
| | |
| TABLE 4.8-3 (Continued)
| |
| | |
| ==SUMMARY==
| |
| OF HRA RESULTS STRES~ ACTION IDENTIFIER SEQUENCE TYPE 1 LEVEL TYPE 3 DIAGNOSIS 4 ACTION ERROR MEAN RMT-XHE-FO-MANS2 S2 SB 2.66E-3 SIS-XHE-FO-MANS1 S1 SB 2.66E-3 SIS-XHE-FO-MANS2 Sl SB 2.66E-3 SIS-XHE-FO-MANS3 Sl SB 2.66E-3
| |
| * NOTES TO TABLE 4.8-3:
| |
| : 1. TYPE: A Action.
| |
| A+D Action plus diagnosis.
| |
| A-(PD) Procedure directed action.
| |
| A+REDIAG. Action plus rediagnosis.
| |
| SB Skill based.
| |
| : 2. STRESS LEVEL: EXT Extreme stress.
| |
| MOD Moderate stress.
| |
| LOW Low stress.
| |
| TIME STRESS Stress from time constraints.
| |
| J. ACTION TYPE: DYN Dynamic actions.
| |
| SBS Step by step actions.
| |
| SBS+DYN Step by step and dynamic actions.
| |
| : 4. DIAGNOSIS: DEPRESS Depressurize.
| |
| LB Lower bound.
| |
| MED Median.
| |
| MIN Minutes.
| |
| UB Upper bound.
| |
| | |
| Table 4.8-4 Allowable Times for Operator Action Maximum Allowable Reference Restoration Recovery Action Sequence Tim~ Time Source Restore SG Cooling TML Rx Trip 30m W-EPG ATWS Initiator 60s WCAP 8330 Initiate Feed &. Bleed TML Rx Trip 45m W-EPG Restore HPI Flow TQD t(Q) 60m See Appendix D s2o Rx Trip 35m s1o Rx Trip 20m s3o Rx Trip 2 hr Emergency Boration ATWS Initiator 10m WCAP 8330 Isolate PORV TQD t(Q) 60m NUREG 1032 Restore HPI and TML Rx Trip 60m NUREG 1032 SG Cooling Depressurize RCS SGTR Rx Trip 40m 4.8-24
| |
| * Table 4.8-4 (Continued)
| |
| Allowable Times for Opera tor Action Maximum Reference Allowable Action Sequence Time Time Source Manual Sera m ATWS Initiator 2m WCAP-8330 Turbine Trip ATWS Initiator lm WCAP-8330 Open POR V Block ATWS Initiator 90s Estimate Manual RMT A RMT Signal .5m Calculated (18% RWST)
| |
| Sl RMT Signal 9m Calculated (18% RWST)
| |
| *
| |
| * 4_.8-25
| |
| * Table 4.8-.5 Groundrules For Surry HRA
| |
| : 1. One SRO and one RO for Unit 1 assumed in the control room at all times.
| |
| : 2. Actions done outside the control room could be performed by any plant personnel except Unit 1 SRO, RO, and ST A. All actions outside the control room require at least 10 minutes transit time.
| |
| : 3. ST A assumed to be in the control room within 10 minutes of any reactor scram.
| |
| : 4. SRO/RO will initiate EPs or ECAs *
| |
| .5. Upon arrival in the. control room, ST A will monitor parameters of critical safety functions in accordan<:e with CSF status trees. If these parameters exceed predetermined limits, the operators will. be. directed to a functional restoration procedure. * *
| |
| : 6. HRA based on procedure revisions current in March 1988.
| |
| : 7. If operator finds improper equipment status during SI verification or CLS Hi-Hi verfication, it is assumed he will take immediate action from the control room or immediately dispatch someone to restore equipment to desired status outside the control room.
| |
| : 8. Opera tor will read each step of each required procedure.
| |
| : 9. Operator will read all procedure steps correctly.
| |
| : 10. In the HRA models, if any single action is credited and postulated to fail three times, no further credit is given for that action.
| |
| : 11. As a guideline; minimum diagnosis errors of lE-4 for the short term (about 2 hrs) and 1E-.5 for the long term were imposed. Lower error probabilities were used only if convincing circumstances could justify their use. .
| |
| : 12. As a guideline, overall error probabilities less than lE-4 were not used unless justified by convincing circumstances.
| |
| .4.8-26
| |
| *
| |
| : 4. 9 Data Base Development
| |
| * The following sections identify the sources used to establish the data base for quantification of the Surry sequen~es, assumptions used in the data development, limitations .associated with the data, and provide a complete listing of all values used in the Surry sequence* quantification and importance/uncertainty analyses.
| |
| 4.9.1 Sources of Information for Oat~ Base The data in the Surry data base includes both plant specific and generic data. Where sufficient plant specifk operational data was available for important components or where potential plant specific common cause failures were identified, plant specific data was used. Table 4.9-1 summarizes the. plant specific data used in the quantification. The derivation of the plant specific data is detailed in Appendix D.
| |
| Dat~l}<>r nearly 8:1~ ~ther individu~l components ~ere ~erived from t~e ASEP generic data base
| |
| * Probab1hbes of actuabon ~stem- tram failure were derived from the ASEP generic data.
| |
| * NUREG/CR.;.2728 0 *and the Zion Probabilistic Safety
| |
| * Studyl 8) supplemented the generic data base.
| |
| * Certain events that have little or no data (including experimental data) proved to be important in the final results. For these events, a panel of experts was polled to pro~<o, the best estimate of probabilities and distribution types for that particular event.
| |
| There* were two types of panels involved in this process, internal and external. The internal panel was used for events of lesser importance, and consisted of selected repre-sentatives from the probabilistic risk assessment (PRA) teams and Sandia analysts. The external panel consisted of utility, vendor, and PRA representatives. For the Surry analysis, external elicitations were conducted on the reactor coolant pump seal LOCA model and interfacing LOCA.
| |
| Initiating event frequencies were derived from several sources and are listed in Table 4.9-2. The frequency of loss of offsite ~y~er (TJ) and associated power recovery factors were based on data from NUREG-5032.
| |
| * A iscussion of this analysis is in Appendix D. Frequencies for initiating event category T ~ (turbine trip with MFW available) and T2 (loss of main (le;_jdwater)
| |
| * were derived from Surry specific data listed . in NUREG/CR-3862. The frequency of T5 (loss of DC electrical bus) was derived from generic data for the postulated faults leaaing to the loss of the bus. Loss of Coolant
| |
| . Accident (LOCA) initiating event frequencies were developed based on a survey of freque*ncies used for similar sizes LOCAs in previous PWR PRAs. The. s3 (Very Small LOCA) and steam generator tube rupture T7 initiating event frequencies were calculated based on a review of PWR operating history. Anticipated Transient Withouf ~cram initiating event frequencies were developed using the guidelines of NUREG-1000. 2 Values for the beta_ factors ~,d in the accident sequence quantification were derived in
| |
| 'NUREG/CR-4550*, Volume 1. Table. 4.9-3 summarizes these beta factors. Plant sped~
| |
| fie beta factors were developed for the Charging Pump Cooling .Service Water Strainers and Service Water motor operated valves isolating the recirculation spray heat exchan-gers. Application of the beta factors is discussed in Section 4.7.
| |
| Operator actions identified in the fault trees and recovery actions in the accident sequence quantification were evaluated(fflng the human error probabilities (HEPs) in
| |
| * A.O. Swain's ASEP HRA Procedures~ The evaluation of these probabilities is detailed in Section 4.8. Table 4.9-4 summarizes the HEP data, describing the events and showing the diagnosis and action error contributions.
| |
| 4.9-1
| |
| | |
| The subscript 'HRA' denotes that this is the human error contribution to a recovery
| |
| * factor with the same identifier. Events without subscripts are HRA contributions that have no hardware contributions and thus represent the total unavailability. Probabilities for failure to perform recovery actions have a human error component and a hardware failure component. Generally, both elements are represented in the recovery event.
| |
| Sometimes the hardware element is stated as a separate event, and sometimes the human error elerrient or the the hardware element dominates the recovery probability so much that the non-dominant element is .ignored. Table 4.9-5 summarizes the recovery factors. The table shows how the HEPs are combined with hardware unavailabilities to form recovery factors~ The hardware unavailability is summed with the associated human error. In cases where two recovery options are available, the total unavailability of the first option is multiplied by the sum of the alternate path human and hardware errors. Human error for the alternate action is increased to account for the previous failure. Diagnosis error is added to the resultant product~ Discussions of the recovery factors and the contributors to the hardware unavailability are included in Section 4.10.
| |
| 4.9.2 Limitations in the Data Base No specific limitations were identified in the Surry data base.
| |
| 4.9.3 Data Base Description The data used to calculate point estimates of the accident sequence frequencies were mean values. The distributions of the values are as described above. Table 4.9-6 provides a summary of miscellaneous event data; values used for "black box" top events
| |
| * in the event trees. A complete listing of all values used in the fault tree and accident sequence quantification is provided. in Table 4.9-7. Each fault, initiating event, or beta factor used in the quantification is listed, along with the fault identifier or event tree identifier, a description of the id~ntifier, the mean value, error factor, source of the data, and any applicable comments. The uncertainty and importance analyses also used these mean values, distribution types, and error factors.
| |
| 4.9.4 Plant Specific Analysis and Use of Generic Data Plant specific data was used whan it was available. Plant specific failure rates were not used if the component in question had experienced less than two failures.
| |
| 4.9-2
| |
| *
| |
| * Table 4.9-1 PLANT SPECIFIC DATA USED IN ACCIDENT SEQUENCE QUANTIFICATION Failure Rate Failure Event (Mean Value) Error Factor CPC Service Water 8.0E-3/demand 3.5 Pump Fail to Start CPC Service Water 1.7E-4/hr 3 Pump Fail to Run CPC Service Water 2.63E-1 3 Common Cause Failure of 2 Strainers Plugged (Beta)
| |
| Charging Pump Fail 4.0E-3/demand 3.5 to Start Charging Pump Fail to Run 6.8E-5/hr 3 Inside Spray 3.8E-2/demand 3 Recirculation Pump Fail to Start SWS Inlet Valves 2.lE-1 3 to the Recirculation Spray Heat Exchangers Common Cause Failure of Motor Operated Valves to Transfer (Beta)
| |
| Motor Driven AFW Pump 6.3E-3/demand 3 Fail to Start Turbine Driven AFW 1.lE-2/demand 10 Pump Fail to Start Diesel Genera tor 2.2E-2/demand 3 Fail to Start POR V Block Valve Closed l.5E-l/demand None Due to Leaking POR V (point estimate)
| |
| POR V Block Valve Fails 4.0E-2/ demand 3 to Transfer on Demand
| |
| * 4*_9_3
| |
| | |
| Table 4.9-2 INITIATING EVENT DATA MEAN FREQUENCY ERROR IDENTIFIER DESCRIPTION (/RX-YEAR) FACTOR SOURCE/COMMENTS A Large LOCA, 0>6" 5.0E-4 10 Survey of Previous PWR S1 Medium LOCA, 2"<0<6" 1.0E-3 10 Studies Conducted in S2 Sma 11 LOCA, 1/2" <0<2" 1.0E-3 10 NUREG/CR-4550 Volume 1.
| |
| S3 Very Small LOCA, D<l/2" Spontaneous 1.3E-2 10 See Appendix D.2 T Transient Initiating Events, Requiring 6.60 3 NUREG/CR-3862 Reactor Scram TN High Power Transient Initiating Events, 5.90 3 Assumed high power Requiring Reactor Scram fraction = .9
| |
| .
| |
| ,i:,.
| |
| cc I
| |
| Tl Loss of Offsite Power 7.7E-2 Special, Plant See Appendix D.3
| |
| ,i:,. Specific Distribution T2 Loss of Main Feedwater 0.94 3 NUREG/CR-3862 T3 Turbine Trip with Main Feedwater 7.30 3 NUREG/CR-3862 Available T5A Loss of 125V DC Bus 1~ 5.0E-3 10 ASEP Generic T5B Loss of 125V DC Bus 1B 5.0E-3 10 T7 Steam Generator Tube Rupture l.OE-2 5 Survey of Industry Literature and LERs Yielded 5 Steam Generator Tube Rupture Incidents *
| |
| * able 4.9-3 BETA FACTOR
| |
| | |
| ==SUMMARY==
| |
| TABLE
| |
| * Unavail. Error.
| |
| Event Identifier Event Description Mean Factor Source BETA-BATT BETA FOR 2 Batteries 8.00E-3 3 ASEP GENERIC BETA-2DG BETA FOR 2 Diesel Generators 3.80E-2 3 ASEP GENERIC BETA-3DG BETA FOR 3 Diesel Generators 1.BOE-2 3 ASEP GENERIC BETA-AFW BETA FOR 2 AFW Motor Driven Pumps 5.60E-2 3* ASEP GENERIC BETA-CSS BETA FOR 2 CSS Motor Driven Pumps 1.lOE-1 3 ASEP GENERIC BETA-HP! BETA FOR 2 HPI Motor Driven Pumps 2.lOE-1 3 ASEP GENERIC BETA-LP! BETA FOR 2 LPI Motor Driven Pumps 1.SOE-1 3 ASEP GENERIC BETA-STR BETA FOR 2 Strainers 2.63E-1 3 PLANT SPECIFIC
| |
| .
| |
| ~*
| |
| cc I
| |
| BETA-AOV BETA-2MOV BETA FOR 2 Air Operated Valves BETA FOR 2 Motor Operated Valves l.OOE-1 8.80E-2 3
| |
| 3 ASEP GENERIC ASEP GENERIC
| |
| ~ BETA-SWMOV BETA FOR 4 SWS Motor Operated Valves 2. lOE-1 3 PLANT SPECIFIC BETA-SRVs BETA FOR 2 Safety Relief Valves 7.00E-2 3 ASEP GENERIC
| |
| | |
| TAB1'E 4.9-4 HUMAN RELIABILITY ANALYSIS
| |
| | |
| ==SUMMARY==
| |
| | |
| -----Unavailabilities (Means)-----
| |
| Identifier Sequence Description Diagnostics Error Action Error Total ACP-XHE-FO-STBBS Tl OPERATOR FAILS TO RECONNECT .011 l.lE-2 STUB BUS (LOSP ONLY)
| |
| AFW-XHE-FO-CST2HRA SBO orERATOR FAILS TO CROSS CON- .064 6.4E-2 NECT UNIT 2 CST AFW-XHE-FO-MNACT ALL OPERATOR FAILS TO MANUALLY Skill Based 2.66E-3 ACTUATE AFW AFW-XHE-FO-UlSBOHRA SBO-Ul OPERATOR FAILS TO CROSS CON- .026 .022 4.BE-2
| |
| .I
| |
| * AFW-XIIE-FO-U2SBO SBO-UlU2 NECT AFW, SBO AT UNIT 1 OPERATOR FAILS TO CROSS CON-NECT AFW, SBO AT UNITS 1 AND 2 7.5E-2 7.SE-2 AFW-XIIE-FO-UNIT2HRA T1,T2,T3 OPERATOR FAILS TO CROSS CONN- .033 3.3E-2 S2,S3,T7 NEC'r AFW, TRANSIENTS CLS-XIIE-FO-MAN-A A OPERATOR FAILS TO RECOVER CLCS Skill Based 2.66E-3 ACTUATION,A LOCA CLS-XIIE-FO-MANSl Sl OPERATOR FAILS TO RECOVER CLCS Skill Based 2.66E-3 ACTUATION ,s 1 LOCA CLS-XIIE-FO-MANS2 S2 OPERATOR FAILS TC)" RECOVER CLCS Skill Based 2.66E-3 ACTUATION, s 2 LOCA CPC-XHE-FO-CMNS2 S2 OPERATOR FAivS TO MANUALLY .0266 .011 3.76E-2 ACTUATE CPC MOP CPC-XHE-FO-REALNnRA ALL OPERATOR FAILS TO ALIGN CPC SW .0266
| |
| * 032 5.86E-2
| |
| *ro UNIT 2 CPC-XIIE-FO-SMNS1 s, OPERATOR FAILS MANUAL ACTUATION .0266 .011 3.76E-2 O.F CPC SWS MOP
| |
| * *
| |
| * TABLE 4.9-4 (Continued)
| |
| JIUMAN RELIABILITY ANALYSIS BUM.MARY
| |
| *
| |
| ~~~~Unavailabilities (Means)~~~~~
| |
| Identifier Sequence Description Diagnostics Error Action Error Total CPC-XHE-FO-SMNS2 OPERATOR FAILS M1\NlJAL ACT- .0266 .011 J.76E-2 UATION OF CPC SWS MDP llPI-XHE-FO-ALTnRA OPERATOR FAILS 'l'O RECOVER Skill Based 2.66E-J COMMON CAUSE FAILURE OF UPI DISCHARGE MOVs HPI-XHE-FO-ALTIHHRA OPEHATOR FAILS TO RECOVF.R Skill Based 2. 66E-J ,
| |
| RANDOM INDEPENDEN'f FAILURE /
| |
| OF HPI DISCHARGE MOVs IIPI-XHE-FO-ALTI311RA. OPERATOR FAILS TO RECOVER
| |
| - CONTROL ROOM RANDOM IHDEPENUEN'r FAILURE Skill Based 2.66E-J
| |
| - LOCAL OF HPI DISCHARGE MOVs .064 6.4E-2
| |
| .HPI-XHE-FO-ALTSJIIRA OPERATOR FAILS TO RECOVER
| |
| - CON'fROL ROOM COMMON CAUSE FAILURE OF HPI Skill Based 2.66E-J
| |
| - LOCAL DISCHARGE MOVs .064 6.4E-2 IIPI-XHE-FO-FDBLD OPERATOR FAILS TO ES'l'ABLISII ALL L MECH FEED AHD BLEED COOLING .011 1.lE-2 ALL L XHE .0266 .044 7.lE-2 HPI-XHE-FO-PLLCK ALL OPERATOR FAILS TO REMOVE PULL Skill Based 2.66E-3 LOCK CONDITION HPI-XIIE-FO-UN2HlnRA OPERA'l'OR FAILS TO CROSS CONNECT .00145 1.45E-J UPI TO UNIT 2 FOR S 2 111/S3H1/
| |
| S3W3ll1 llPI-XHE-FO-UN2S2HRA OPERATOR FAILS 'l'O cnoss CONNEC'r . 266 .033 J.OE-1 IIPI 'l'O UNIT 2 FOR S 2 D1 HPI-XIIE-FO-UN2SJHRA OPEHATOR FAILS 'l'O cnoss CONNEC'l' 5. 2E-4 .033 J.4E-2 IIPI 'l'O UNI'l' 2 FOR s 3o 1/'1'7D1
| |
| | |
| TABLE 4.9-4 (Continued)
| |
| HUHJ\B RELIABILITY ANALYBIB BUHMARY
| |
| ~~~~-Unavailabilities (Means)~~~~~
| |
| Identifier Sequence Description Diagnostics Error Action Error Total HPI-XIIE-F0-20D112nRA OPERATOR FAILS 'l'O CROSS COH- .00266
| |
| * 00145 4.llE-3 NECT IIPI TO UNIT 2 FOR s 20DH1/
| |
| S20DH2 .
| |
| HPI-XHE-F0-30DH2nRA OPERATOR FAILS TO CROSS CON- 5.2E-4
| |
| * 00145 l.97E..;.3 NECT HPI TO UNIT 2 FOR S 30D1ll/
| |
| S30DH2 LPR-XHE-FO-IIOTLG OPERATOR FAILS TO ALIGN FOR 4.00E-5 4.00E-5 no*r LEG RECIRCULATION FAILURE TO RESTORE MAIN FEED- Skill Based
| |
| .
| |
| .i:,.
| |
| \0 WATER I
| |
| 00 MCW-CCF-VF-SBOnnA SBO-Ul OPERATOR FAILS TO CLOSE MAIN .0266 .032 5.86E-2 CONDENSOR ISOLATION VALVES-SBO MSS-XHE-FO-BLOCK OPERATOR FAILS TO 'l'ERMINATE HEP increased by a factor of 6.4E-2 FLOW FROM STUCK OPEN SG two to account for potentially PORV inhibiting environment.
| |
| MSS-XHE-FO-ISAFWIIRA OPERATOR FAILS 'l'O 'l'ERMIHATE Must depressurize or isolate: 3.4E-J FLOW FROM AFW TDP S'l'EAM LINE HEP conditional on previous DURING SG'l'R failure to depressurize.
| |
| MSS-XHE-FO-ISBDN OPERA'l'OR FAILS 'l'O 'l'ERMIHA'l'E Must depressurize or isolate: J.4E-3 FLOW FROM SG DLOWDOWN LINE HEP conditional on previous DURING SGTR failure to depressurize.
| |
| OP FAILS 'l'O !SOL S'l'M FLOW VIA
| |
| * 014 1.4E-2 MSS-XHE-FO-ISDHR DECAY IIEA'l' REMOVAL BY COOLDOWN 0 SBO OPERATOR FAILS TO DEPRESSURIZE .044 4.4E-2 RCS DURING SBO
| |
| .S-XIIE-FO-TB'l'RP A'l'WS OPERATOR FAI 'l'RIP MAIN Skill Based ~-66E-3 TURBINE
| |
| * TABLE 4.9-4 (Continued)
| |
| JIUMJ\N RELIABILITY ANALYSIS
| |
| | |
| ==SUMMARY==
| |
| | |
| ~~~~Unavailabilities (Means)~~~~~
| |
| Identifier Sequence Description Diagnostics Error Action Error Total PPS-MOV-FC-OPER ALL OPERATOR FAILS TO CLOSE RCS Skill Based 2.66E-3 PORV BLOCK ~ALVE PPS-XHE-FO-EMBOR ATWS OPERA'fOR FAILS 'l'O CORRECTLY 1. OE-3
| |
| * l.OE-3 EMERGENCY BORATE PPS-XHE-FO-lPORV OPERATOR FAILS TO OPEN 1 PORV .0266 .044 7.lE-2 FOR S2 FEED/BLEED PPS-XHE-FO-PORVS OPERATOR FAILS TO OPEN BOTH ALL L MECH PORVs FOR FEED AND BLEED .011 1.lE-2 ALL L XHE .044 4.4E-2 PPS-XHE-FO-UNBLK ATWS OPERATOR FAILS TO OPEN PORV .23 2.JE-1 BLOCK VALVE ATWS FAILURE TO MANUALLY SCRJ\M THE Skill Based 2.66E-3 REACTOR RCS-XIIE-FO-DPRES OPERA'fOR FAILS TO DEPRESSURIZE/
| |
| * 022 2. 2E-2 .
| |
| COOL RCS RCS-XIIE-FO-DPRT7 OPERA1.'0R FAILS TO DEPRESSURIZE/ .0068 .022 2.9E-2 COOL RCS DURING SGTR RCS-XHE-FO-DPT7D OPERATOR FAILS TO DEPRESSURIZE/ .266 0.128 4.02E-1 COOL RCS DURING T7D1 REC-XHE-FO-DPRES OPERATOR FAILS TO DEPRES- HEP conditional on previous 1. 40E-2 SURIZE RCS IN RECOVERY FM SGTR failure to depressurize.
| |
| REC-XHE-FO-SCOOL SBO-Ul OPERATOR FAILS TO COOL RCP .125 1.,25E-1 SEALS DURING SBO
| |
| | |
| TABLE 4.9-4 (Continued)
| |
| JIUM.1\N RELI.l\DILITY .l\N.l\LYSIB
| |
| | |
| ==SUMMARY==
| |
| | |
| ~~~~-Unavailabilities (Means)~~~~~
| |
| Identifier Sequence Description Diagnostics Error Action Error Total RMT-XIIE-FO-MAN-A A OPERATOR FAILS TO RECOVER RM'r .064 6.4E-2 ACTUATION FAILURE RMT-XHE-FO-MANSl Sl OPERATOR FAILS TO RECOVER .064 6.4E-2 RMT ACTUATION FAILURE RMT-XHE-FO-MANS2 S2 OPERATOR FAILS TO RECOVER Skill Based 2.66E-3 RMT ACTUATION FAILURE SIS-XHE-FO-MANSl Sl OPERATOR FAILS TO RECOVER Skill Based 2.66E-3
| |
| .
| |
| *CD
| |
| ~
| |
| I SIS-XHE-FO-MANS2 S1 SIS ACUTUATION FAILURE OPERATOR FAILS 'l'O RECOVER SIS ACTUATION FAILURE Skill Based 2.66E-3 0
| |
| * TABLE 4.9-5 RECOVERY FACTOR
| |
| | |
| ==SUMMARY==
| |
| | |
| *
| |
| ~~-Unavailabilities (Means)~~~~
| |
| Human Hardware Identlfier Total Error Failure Description AFW-XHE-FO-CST2 6.5E-2 6.4E-2 1.0E-3 FAILURE TO CROSS CONNECT TO UNIT 2 AFW CONDENSATE STORAGE TANK.
| |
| AFW-XHE-FO-MNACT 2.7E-3 2.7E-3 FAILURE TO RECOVER AFW ACTUATION BY MANUAL ACTUATION OF AFW PUMPS AND VALVES.
| |
| AFW-XHE-FO-UlSBO 8.2E-2 4.8E-2 J.4E-2 FAILURE TO RECOVER AFW BY CROSS CONNECTING TO UNIT 2 DURING STATION BLACKOUT AT UNIT 1.
| |
| AFW-XHE-FO-U2SBO 7.5E-2 7.5E-2 OPERATOR FAILS TO CROSS CONNECT AFW TO UNIT 2 DURING STATION BLACKOUT AT UNITS 1 AND 2.
| |
| AFW-XHE-FO-UNIT2 J.GE-2 J.JE-2 2.lE-J FAILURE TO RECOVER AFW BY CRQSS CONNECTING TO UNIT 2. FOR ALL SEQUENCES EXCEPT STATION BLACKOU'r.
| |
| CLS.-XIIE-FO-MAN-A 2.7E-J 2.7E-J ------ FAILURE TO RECOVER CLCS BY MANUAL ACTUATION DURING A LARGE LOSS OF COOLANT ACCIDENT (A LOCA).
| |
| CLS-XHE-FO-MANSl 2.7E-J 2.7E-3 ------ FAILURE TO RECOVER CLCS BY MANUAL ACTUATION DURING A MEDIUM LOSS OF COOLANT ACCIDENT (S 1 LOCA).
| |
| CLS-XIIE-FO-MANS2 2.7E-J 2.7E-J ------ FAILURE TO RECOVER CLCS BY MANUAL ACTUATION DURING SMALL LOSS OF COOLANT ACCIDENT (S 2 LOCA).
| |
| CPC-XUE-FO-CMNS2 J.BE-2 J.BE-2 ------ FAILURE TO RECOVER CPC BY MANUAL ACTUATION DURING A SMALL LOSS OF COOLANT ACCIDENT.
| |
| | |
| TABLE 4.9-5 (Continued)
| |
| RECOVERY FACTOR
| |
| | |
| ==SUMMARY==
| |
| | |
| ~~-Unavailabilities (Means)~~~~
| |
| Human Hardware Identifier Total Error Failure Description CPC-XHE-FO-REALN *1.0E-2 5.9E-2 1. lE-2 FAILURE TO RECOVER CPC SERVICE WATER BY CROSS CONNECTING TO UNIT 2.
| |
| CPC-XHE-FO-SMNSl J.BE-2 J.BE-2 FAILURE TO RECOVER CPC SERVICE WATER BY MANUAL ACTUATION DURING A MEDIUM LOSS OF COOLANT ACCIDENT.
| |
| CPC-XHE-FO-SMNS2 J.BE-2 J.BE-2 FAILURE TO RECOVER CPC SERVICE WATER BY MANUAL ACTUATION DURING A SMALL LOSS OF COOLANT ACCIDENT.
| |
| HPI-XHE-FO-ALT 6.lE-1 2.7E-3 6.lE-1 FAILURE TO RECOVER HPI FOLLOWING COMMON CAUSE FAILURE OF THE HPI DISCHARGE MOTOR OPERATED VALVES, BY USING AN ALTERNATE INJECTION PATH. FOR ALL BUT THE VERY SMALL LOSS OF COOLANT ACCIDENT (S 3 LOCA) SEQUENCES.
| |
| HPI-XHE-FO-ALTIN 5.7E-3 2.7E-J J.OE-3 FAILURE TO RECOVER HPI FOLLOWING RANDOM IN-DEPENDENT FAILURE OF THE HPI DISCHARGE MOTOR OPERATED VALVES, BY USING AN ALTERNATE INJECTION PATH. FOR ALL BUT s 3 SEQUENCES.
| |
| HPI-XHE-FO-ALTIJ 7.0E-4 CONTROL RM 2.7E-3 3.0E-3 FAILURE TO RECOVER HPI FOLLOWING RANDOM IN-LOCAL 6.4E-2 5.BE-2 DEPENDENT FAILURE OF 'l'IIE HPI DISCHARGE MOTOR OPERA'l'ED VALVES, BY USING AN ALTERNATE INJECTION PATH. FOR s 3 LOCA SEQUENCES.
| |
| HPI-XIIE-FO-ALTSJ 7.4E-2 CONTROL RM 2.7E-3 6.lE-1 FAILURE TO RECOVER HPI FOLLOWING COMMON CAUSE LOCAL 6. 4E-2 5.BE-2 FAILURE OF THE HPI DISCHARGE MOTOR OPERA-TED VALVES, BY USING AN ALTERNATE INJECTION PATH. FOR s 3 LOCA SEQUENCES *
| |
| * TABLE 4.9-5 (Continued)
| |
| RECOVERY FACTOR
| |
| | |
| ==SUMMARY==
| |
| | |
| ~~-Unavailabilities (Means)~~~~
| |
| Human Hardware Identifier Total Error Failure Description HPI-XHE-FO-UN2Hl l.6E-J RWST 1.lE-2 3.0E-4 FAILURE TO RECOVER LPR BY CROSS CONNECTING TO HPI L JE-1 9.BE-3 UNI'f 2 RWS'l' QR BPI SYS'l'EM. FOR S2 AND S3 LOW PRESSURE RECIRCULATION FAILURE WHERE
| |
| 'l'HE OPEHATOR SUCCEEDED IN RCS DEPRESSURIZA'l'ION.
| |
| HPI-XHE-FO-UN2S2 J.lE-1 J.OE-1 9.BE-3 FAILURE 1'0 RECOVER BPI BY CROSS CONNECTING TO UNI'f 2 IIPI SYSTEM DU.RING AN s 2 LOCA HIGH PRESSURE INJECTION FAILURE.
| |
| HPI-XHE-FO-UN2SJ 4.4E-2 J.4E-2 9.BE-3 FAILURE 1'0 RECOVER HPI BY CROSS CONNECTiNG TO UNIT 2 IIPI SYSTEM. FOR AN s 3 LOCA AND S1'EAM GENERATOR TUBE RUPTURE (SGTR) HIGH PRESSURE INJECTION FAILURE.
| |
| HPI-XHE-F0-20DH2 4.JE-3 RWST l.JE-1 9.BE-3 FAILURE TO RECOVER IIPI BY CROSS CONNECTING TO IIPI LlE-2 J.OE-4 UNIT 2 RWST OR IIPI SYSTEM. FOR s 2 HIGH AND DIAGNOSIS 2.7E-J ------ LOW PRESSURE RECIRCUL1\.1'IOH FAILURE WHERE THE OPERATOR FAILED TO DEPRESSURIZE THE RCS.
| |
| HPI-XIIE-FO-JODil2 2.lE-3 RWST 1. JE-1 9.BE-3 FAILURE 1'0 RECOVER HPI BY CROSS CONNECTIN.G TO HP! 1. lE-2 J.OE-4 UNIT 2 RWST OR HP! SYS1'EM. FOR S 3 HIGH AND DIAGNOSIS 5.2E-4 ------ LOW PRESSURE RECIRCULATION FAILURE WHERE THE OPERA'fOR FAILED TO DEPRESSURIZE THE RCS.
| |
| MSS-XIIE-FO-BLOCK 6.4E-2 6.4E-2 FAILURE TO RECOVER STUCK OPEN SG PORV BY S*HU'l''l'ING 'l'HE BLOCK VALVE.
| |
| | |
| TABLE 4.9-5 (Continued)
| |
| RECOVERY FACTOR
| |
| | |
| ==SUMMARY==
| |
| | |
| ~---Unavailabilities (Means)--------
| |
| Human Ila rd ware Identifier Total Error Failure Description MSS-XHE-FO-ISAFW 6.BE-6 3.4E-3 2.0E-3 FAILURE TO RECOVER SG INTEGRITY BY ISOLATING THE STEAM LINE FROM THE SG WITH AN SGTR TO THE AFW TURBINE DRIVEN PUMP. HARDWARE IS FAILURE OF 1 OF 2 CHECK VALVES TO SEAT. DUE TO PARTICULAR CHARACTERISTICS OF THE BOOLEAN EQUATION FOR Qs, IT WAS DESIRABLE TO INCLUDE THE FAILURE PROBABILITY OF SG INTEGRITY IN THE RECOVERY EVENT. THE TWO PROBABILITIES ARE MULTIPLIED. THIS EVENT REPRESENTS THE PROBABILITY OF LOSS OF SG.INTEGRITY THROUGH THE AFW STEAM LINE AND FAILURE TO RECOVER.
| |
| MSS-XHE-FO-ISBDN 3.4E-3 3.4E-3 FAILURE TO RECOVER SG INTEGRITY BY ISOLATING THE BLOWDOWN LINE FROM THE SG WITH AN SGTR.
| |
| NRAC-150MIN 2.lOE-1 2.lOE-1 FAILURE '1'0 RECOVER AC POWER WITHIN 150 MINUTES LOSS OF OFFSITE POWER.
| |
| NRAC-201MIN 1..50E-1 1.50E-1 FAILURE TO RECOVER AC POWER WITHIN 201 MINUTES OF LOSS OF OFFSITE POWER.
| |
| NRAC-216MIN 1. JBE-1 1. JBE-1 FAILURE '1'0 RECOVER AC POWER WITHIN 216 MINUTES OF LOSS OF OFFSITE POWER.
| |
| NRAC-234MIN l.23E-1 1.23E-1 FAILURE TO RECOVER AC POWER WITHIN 234 MINUTES OF LOSS OF OFFSITE POWER.
| |
| NRAC-246MIN 1.15E-1 1.15E-1 FAILURE TO RECOVER AC POWER WITHIN 246 MINUTES OF LOSS OF OFFSITE POWER.
| |
| NRAC-258MIN 1.0BE-1 1.0BE-1 FAILURE 'l'O RECOVER AC POWER WITHIN 258 MINUTES OF .LOSS OF OFFSITE POWER.
| |
| | |
| .9-5 (Continued)
| |
| RECOVERY FACTOR
| |
| | |
| ==SUMMARY==
| |
| | |
| ~~-Unavailabilities (Means)~~~~
| |
| Human Hardware Identifier Total Error Failure Description NRAC-HALFHR 6.00E-1 6.00E-1 FAILURE TO RECOVER AC POWER WITHIN 30 MINUTES OF LOSS OF OFFSITE POWER.
| |
| NRAC-lHR 4.40E-1 4.40E-1 FAILURE TO RECOVER AC POWER WITHIN 60 MINUTES OF LOSS OF OFFSITE POWER.
| |
| NRAC-7HR 5.00E-2 5.00E-2 FAILURE TO RECOVER AC POWER WITHIN 7 HOURS OF LOSS OF OFFSITE POWER.
| |
| 1.94E-1 l.94E-1 FAILURE TO RECOVER AC POWER; TIME AVERAGED OVER THE FIRST 6 HOURS.
| |
| NRAC-24HR-AVG 6.lE-2 6.lE-2 FAILURE TO RECOVER AC POWER; TIME AVERAGED OVER THE FIRST 24 HOURS.
| |
| R 1.7E-1 1. 000* l.OE-5 FAILURE TO RECOVER RPS FAILURE BY MANUAL 2.7E-J 5.0E-5 SCRAM.
| |
| *THIS CANNOT BE INTERPRETED AS A HUMAN ERROR, BUT MUST BE IN'l'ERPRETED AS THE PROBABILITY THAT HUMAN ACTION IS IN-EFFECTIVE. MANUAL SCRAM IS INEFFECTIVE AGAINST MECHANICAL FAILURES OF THE RPS WHICH ACCOUNT FOR lE-5, WHILE ELECTRICAL FAILURES ACCOUNT FOR SE-5.
| |
| REC-XHE-FO-DGEN 9.0E-1 9.0E-1 FAILURE TO RECOVER A DIESEL GENERATOR WITHIN 1 HOUR.
| |
| REC-XHE-FO-DGHWB 6.0E-1 6.0E-1 FAILURE TO RECOVER A DIESEL GENERATOR WITHIN 6 HOURS OF A HARDWARE OR COMMON CAUSE FAULT.
| |
| | |
| TABLE 4.9-5 (Continued)
| |
| RECOVERY FACTOR
| |
| | |
| ==SUMMARY==
| |
| | |
| ~~-Unavailabilities (Means)~~~~
| |
| Human Hardware Identifier Total Error Failure Description REC-XHE-FO-DGHWS 8.0E-1 8.0E-1 FAILURE 'l'O RECOVER A DIESEL GENERATOR WITHIN 3 HOURS OF A HARDWARE OR COMMON CAUSE FAULT.
| |
| REC-XIIE-FO-DG'l'MB 5.0E-1 5.0E-1 FAILURE TO RECOVER A DIESEL GENERATOR FROM
| |
| 'l'ES'r AND MAINTENANCE UNAVAILABILITY WITHIN 6 HOURS.
| |
| REC-XIIE-FO-DG'l'MS 7.0E-1 ------ 7.0E-1 FAILURE 'l'O RECOVER A DIESEL GENERATOR FROM TEST AND MAINTENANCE UNAVAILABILITY WITHIN 3 HOURS.
| |
| 'f-co I
| |
| REC-XHE-FO-DPRES 1. 4E-2 1.4E-2 ------ FAILURE TO COOLDOWN ANO OEPRESSURIZE THE RCS, IN THE LONG TERM AF'fER FAILURE TO DEPRESSUR-
| |
| ~
| |
| a:, IZE WITHIN 45 MINUTES OF A STEAM GENERATOR TUBE RUPTURE.
| |
| REC-XIIE-FO-GAGRV 3.0E-1 ------ 3.0E-1 FAILURE 'l'O RECOVER SG IH'l'EGRITY BY GAGGING S'fUCK OPEN RELIEF VALVES.
| |
| RM'l'-XIIE-FO-MAN-A 6.4E-2 6.4E-2 ------ FAILURE 'l'O RECOVER RMT BY MANUAL ACTUATION DURING A LARGE LOSS OF COOLANT ACCIDENT (A LOCA).
| |
| RM'f-XIIE-FO-MJ\NS 1 6.4E-2 6.4E-2 ------ FAILURE 'l'O RECOVER RMT BY MANUAL ACTUATION DURING A MEDIUM LOSS OF COOLANT ACCIDENT (Sl LOCA).
| |
| RM'l'-XHE-FO-MANS 2 2.7E-J 2.7E~3 ------ FAILURE 'l'O RECOVER RMT BY MANUAL ACTUATION DURING A SMALL LOSS OF COOLANT ACCIDENT (S2 LOCA).
| |
| | |
| Tl\DL -s (Continued)
| |
| RECOVERY FACTOR BUHMARY
| |
| ~~-Unavailabilities (Means)~.~~~
| |
| * Human Hardware Identifier Total Error Failure Description SIS-XHE-FO-MANSl 2.7E-3 2.7E-3 FAILURE 'l'O RECOVER SIS BY MANUAL ACTUATION DURING A MEDIUM LOSS OF COOLANT ACCIDENT (Sl LOCA) * .
| |
| SIS-XHE-FO-MANS2 2.7E-3 2.7E-3 FAILURE TO RECOVER SIS BY MANUAL ACTUATION DURING A SMALL LOSS OF COOLANT ACCIDENT (S2 LOCA).
| |
| SWS-XHE-FO-OPEN 2.4E-1 2.4E-1 FAILURE TO RECOVER COMMON CAUSE FAILURE OF
| |
| '1.'HE CONTAINMENT SPRAY* HEAT EXCHANGER MOVs.
| |
| LOCALLY OPEN OR REPAIR THE VALVE.
| |
| | |
| TABLE 4.9-6 SURRY MISCELLANEOUS EVENT TABLE Unavail. Dist. Source/
| |
| Event Id Event Description (Mean) Type EF Comments CV HPR/LPR FAILURE DUE TO CONTAINMENT OVER 2.00E-2 POINT EST* SEE APPENDIX PRESSURE FAILURE, CAUSED BY LOSS OF A.1 CON'l'AINMENT HEAT REMOVAL K FAILURE OF RPS TO TRIP THE REACTOR 6.00E-5 LOG NOR 5 NUREG-1000 M FAILURE TO RESTORE MAIN FEEDWA'l'ER, AFTER 2.90E-J LOG NOR 10 SEE SECT.
| |
| TURBINE TRIP 4.10.3 0 OPERATOR FAILS TO DEPRESSURIZE RCS DURING SBO 4.90E-2 MAX ENT
| |
| * SEE SECT.
| |
| 4.10.3 PROBABILITY OF INITIAL REACTOR POWER BELOW 25% 1.00E-1 POIN'l' EST
| |
| * PLANT SPECIFIC OPERATOR FAILS TO CON'l'ROL HPI AFTER A SMALL 1. 20E-4 LOG NOR 10 SEE APPENDIX BREAK LEADING TO LOSS OF RCS IN'l'EGRI'l'Y DUE TO D.6 PORV S'l'UCK OPEN ( INCLUDES PROBABILITY OF FAILURE TO ISOLATE PORV)
| |
| QS-SBO FAILURE OF SG SRV TO RESEAT DURING SBO 2.7E-1 POINT EST* SEE APPENDIX
| |
| 'l'RANSIEN'l' D. 6 R FAILURE 'l'O MANUALLY 'l'RIP 'l'IIE REAC'l'OR FOLLOWING 1. 70E-1 MAX ENT
| |
| * SEE SECT RPS FAILURE 4.10.3 SLOCA-NRACSL-LT CONDITIONAL PROBABILITY OF CORE UUCOVERY 9.20E-2 POINT EST* SEE APPENDIX DURING AN SBO DUE 'l'O RCP SEAL LOCI\ AND NON- D.5 RECOVERY OF AC ,POWER; RCS DEPR~SSURIZED AFTER THE BREAK
| |
| * TABLE 4.9-6 (Continued)
| |
| BURRY MI8CELL1\NEOUB EVENT TABLE
| |
| * Unavail. Dist. Source/
| |
| Event Id Event Description (Mean) 'l'ype EF Comments SLOCA-NRACSL-S'r CONDITIONAL PROBJ\BILI1'Y OF CORE UNCOVERY 9. 90E-2 POIN'r EST
| |
| * SEE APPENDIX DURING AN SBO DUE 'l'O RCP SEAL LOCI\ 1\NU NON- D.5 RECOVERY OF AC POWER; RCS IS NOT DEPRESSURI-ZED AF'l'ER 'fHE BREAK z ABSENCE OF "FAVORABLE" MODERA'l'OR 'l'EMPERA'fURE 1. 40E-2 LOG NOR 7 SEE SECT 4.4 COEFFICIENT VERY LOW MODERATOR TEMPERATURE COEFFICIENT 5.00E-1 POINT EST* SEE SECT 4.4
| |
| | |
| TABLE 4.9-7 SURRY DATA TABLE Failure Unavail. 8 Dist. Source/
| |
| Event Id Event Description Rate Time (Mean) Type EF Comments A LARGE LOSS OF COOLANT ACCIDENT 5E-4/YR 5.00E-4 LOG NOR 10 ASEP GEN ACC-CKV-FT-CV107 CHECK VLV CV107 FAILS TO OPEN 1. OE-4/D l.OOE-4 LOG NOR 3 ASEP GEN ACC-CKV-FT-CV109 CHECK VLV CV109 FAILS TO OPEN 1. OE-4/D 1. OOE-4 LOG NOR 3 ASEP GEN ACC-CKV-FT-CV128 CHECK VLV CV128 FAILS TO OPEN 1. OE-4/D 1. OOE-4 LOG NOR 3 ASEP GEN ACC-CKV-FT-CV130 CHECK VLV CV130 FAILS TO OPEN 1. OE-4/D 1. OOE-4 LOG NOR 3 ASEP GEH ACC-CKV-FT-CV145 CHECK VLV CV145 FAILS TO OPEN 1. OE-4/D l.OOE-4 LOG NOR 3 ASEP GEN ACC-CKV-FT-CV147 CHECK VLV CV147 FAILS TO OPEN 1. OE-4/D 1. OOE-4 LOG NOR 3 ASEP GEN ACC-MOV-PG-1865A ACC MO'l'OR OPERATED VLV 1.865A PLUGGED 1.0E-7/IIR lBmo 6.50E-4 LOG NOR 3 ASEP GEN f- ACC-MOV-PG-1865B ACC MO'l'OR OPERA'l'ED VLV l865B PLUGGED l.OE-7/HR !Brno 6.50E-4 LOG NOR 3 ASEP GEN c.c ACC-MOV-PG-1865C ACC MOTOR OPERATED VLV l865C PLUGGED l.OE-7/HR lBmo 6.50E-4 LOG NOR 3 ASEP GEN I
| |
| N) 0 ACP-BAC-ST-1111 480V AC BUS 1111 BUSWORK FAILURE 9.0E-5/D 9.00E-5 LOG NOR 5 ASEP GEN ACP-BAC-ST-1111-1 480V AC MCC 1111-1 BUSWORK FAILURE 9. OE-5/D 9.00E-5 LOG NOR 5 ASEP GEN ACP-BAC-ST-1111-2 480V AC MCC lHl-2 BUSWORK FAILURE 9.0E-5/D 9.00E-5 LOG NOR 5 ASEP GEN ACP-BAC-ST-lJl 480V AC BUS lJl BUSWORK FAILURE 9. OE-5/D 9.00E-5 LOG NOR 5 ASEP GEN ACP-DAC-ST-lJl-1 480V AC MCC lJl-1 BUSWORK FAILURE 9.0E-5/D 9.00E-5 LOG NOR 5 ASEP GEN ACP-BAC-ST-lJl-2 480V AC MCC lJl-2 BUSWORK FAILURE 9.0E-5/D 9.00E-5 LOG NOR 5 ASEP GEN ACP-BAC-ST-2111 480V AC BUS 2111 BUSWORK FAILURE 9.0E-5/D 9.00E-5 LOG NOR 5 ASEP GEN ACP-BAC-S'r-2111-1 480V AC MCC 2111-1 BUSWORK FAILURE 9.0E-5/D 9.00E-5 LOG NOR 5 ASEP GEN ACP-BAC-ST-480111 480V AC BUS 111 BUSWORK FAILURE 9.0E-5/D 9.00E-5 LOG NOR 5 ASEP GEN ACP-BAC-ST-4801J 480V AC BUS lJ BUSWORK FAILURE 9.0E-5/D 9.00E-5 LOG NOR 5 ASEP GEN ACP-BAC-ST-4KV1H 4160V AC BUS lH BUSWORK FAILURE 9.0E-5/D 9.00E-5 LOG NOR 5 ASEP GEN ACP-BAC-ST-4KV1J 4160V AC BUS lJ BUSWORK FAILURE 9. OE-5/D 9.00E-5 LOG NOR 5 ASEP GEN ACP-BAC-S'r-4 KV2 II 4160V AC BUS 211 BUSWORK FAILURE 9.0E-5/D ~.OOE-5 LOG NOR 5 ASEP GEN ACP-BAC-ST-STBlH 4160V AC STUB BUS 111 BUSWORK FAILURE 9.0E-5/D 9.00E-5 LOG NOR 5 ASEP GEN ACP-BAC-ST-STBlJ 4160V AC STUB BUS lJ BUSWORK FAILURE 9.0E-5/D 9.00E-5 LOG NOR 5 ASEP GEN ACP-BAc-s*r-S'l'B2 II 4160V AC S'l'UB BUS 211 BUSWORK FAILURE 9. OE-5/IJ 9.00E-5 LOG NOR 5 ASEP GEN ACP-BAC-S'l'-VBlI VITAL BUS 11 BUSWORK FAILURE 9.0E-5/D 9.00E-5 LOG NOR 5 ASEP GEN ACP-BAC-ST-VBlII VI'l'AL BUS 111 BUSWORK FAILURE 9.0E-5/D 9.00E-5 LOG NOR 5 ASEP GEN ACP-BAC-ST-VlIII VI'l'AL BUS 1111 BUSWORK FAILURE 9.0E-5/D 9.00E-5 LOG NOR 5 ASEP GEN ACP-BAC-ST-VB1IV VITAL BUS 1IV BUSWORK FAILURE 9.0E-5/D 9.00E-5 LOG NOR 5 ASEP GEN
| |
| * *
| |
| * TABLE 4.9-7 (Continued)
| |
| BURRY DATA TABLE
| |
| * Failure Unavail. 8 Dist. Source/
| |
| Event Id Event Description Rate Time (Mean) 'l'ype EF Comments ACP-CRB-C0-14111 AC CIRCUIT BREAKER 14111 XFERS OPEN 2.9E-5/D 2.90E-5 LOG HOR 3 ASEP GEN ACP-CRB-C0-141113 AC CIRCUI'r BREAKER 141113 XFERS OPEN 2.9E-5/0 2.90E-5 LOG NOR 3 ASEP GEN ACP-CRB-C0-14H14 AC CIRCUIT BREAKER 14H14 XFERS OPEN 2.9E-5/D 2.90E-5 LOG HOR 3 ASEP GEN ACP-CRB-C0-141115 AC CIRCUIT BREAKER 141115 XFERS OPEN 2.9E-5/D 2.90E-5 LOG NOR 3 ASEP GEN ACP-CRB-C0-14Jl AC CIRCUIT BREAKER 14Jl XFERS OPEN 2.9E-5/D 2.90E-5 LOG NOR 3 ASEP GEN ACP-CRB-C0-14Jll AC CIRCUIT BREAKER 14Jll XFERS OPEN 2.9E-5/D 2.90E-5 LOG NOR 3 ASEP GEN ACP-CRB-C0-14J14 AC CIRCUIT BREAKER 14J14 XFERS OPEN 2.9E-5/0 2.90E-5 LOG NOR 3 ASEP GEN ACP-CRB-C0-14J16 AC CIRCUIT BREAKER 14.Jl6 XFERS OPEN 2.9E-5/D 2.90E-5 LOG NOR 3 ASEP GEN ACP-CRB-C0-15117 AC CIRCUIT BREAKER 15117 XFERS OPEN 2.9E-5/D 2.90E-5* LOG NOR 3 ASEP GEN ACP-CRB-C0-15118 AC CIRCUI'r BREAKER 15118 XFERS OPEN 2.9E-5/D 2.90E-5 LOG NOR 3 ASEP GEN ACP-CRB-C0-15119 AC CIRCUI'l' BREAKER 15119 XFERS OPEN 2.9E-5/0 2.90E-5 LOG. NOR 3 ASEP GEN
| |
| 'f- ACP-CRB-C0-15J7 AC CIRCUI'r BREAKER 15J7 XFERS OPEH 2.9E-5/D 2.90E-5 LOG NOR 3 ASEP GEN co I
| |
| ACP-CRB-C0-15J8 AC CIRCUI'f BREAKER 15J8 XFERS OPEN 2.9E-5/D 2.90E-5 LOG NOR 3 ASEP GEN NI I-"
| |
| ACP-CRB-C0-15J9 AC CIRCUIT BREAKER 15J9 XFERS OPEN 2.9E-5/D 2.90E-5 LOG NOR 3 ASEP GEN ACP-CRB-C0-1I35 VITAL BUS lI AC CKT BRKR 35 XFERS OPEN 2.9E-5/0 .2. 90E-5 LOG NOR 3 ASEP GEN ACP-CRB-CO-lII AC CIRCUIT BREAKER TO lII XFERS OPEN 2.9E-5/0 2.90E-5 LOG.NOR 3 ASEP GEN ACP-CRB-CO-III35 V'l'AL BUS 1111 AC CKT BRKR 35 XFERS OPEN 2.9E-5/0 2.90E-5 LOG NOR 3 ASEP GEN ACP-CRB-CO-llV AC CIRCUIT BREAKER TO lIV XFERS OPEN 2.9E-5/D 2.90E-5 LOG NOR 3 ASEP GEN ACP-CRB-C0-24B AC CIRCUIT BREAKER 24B XFERS OPEN 2.9E-5/D 2.90E-5 LOG NOR 3 ASEP GEN ACP-CRB-C0-241114 AC CIRCUIT BREAKER 241114 XFERS OPEH 2.9E-5/D 2.90E-5 LOG NOR 3 ASEP GEN ACP-CRB-C0-241115 AC CIRCUI'r BREAKER 241115 XFERS OPEN 2.9E-5/D 2.90E-5 LOG NOR 3 ASEP GEN ACP-CRB-C0-25117 AC CIRCUIT BREAKER 25117 XFERS OPEN 2. 9E-5/D 2.90E-5 LOG NOR 3 ASEP GEN ACP-CRB-C0-25119 AC CIRCUI'l' BREAKER 25119 XFERS OPEN 2. 9E-5/0 2.90E-5 LOG NOR 3 ASEP GEN ACP-CRB-CO-FE9AE AC CIRCUIT BREAKER FE9AE XFERS OPEN 2.9E-5/D 2.90E-5 LOG NOR 3 ASEP GEN ACP-CRB-CO-FE9AF AC CIRCUIT BREAKER FE9AF XFERS OPEN 2. 9E-5/0 2.90E-5 *LOG NOR 3 ASEP GEN ACP-CRB-CO-FE9AJ AC CIRCUI'r BREAKER FE9AJ XFERS OPEN 2.9E-5/D 2.90E-5 LOG NOR 3 ASEP GEN ACP-CRB-CO-FE9AK AC CIRCUIT BREAKER FE9AK XFERS OPEN 2.9E-5/D 2.90E-5 LOG NOR 3 ASEP GEH ACP-CRB-CO-FE9BE AC CIRCUIT BREAKER FE9BE XFERS OPEN 2.9E-5/D 2.90E-5 LOG NOR 3 ASEP GEN ACP-CRB-CO-FE9BF AC CIRCUIT BREAKER FE9BF XFERS OPEN 2.9E-5/D 2.90E-5 LOG HOR 3 ASEP GEH ACP-CRB-CO-FE9BJ AC CIRCUI'r BREAKER FE9BJ XFERS OPEN 2.9E-5/D 2.90E-5 LOG NOR 3 ASEP GEN ACP-CRB-CO-FE9BK AC CIRCUIT BREAKER FE9BK XFERS OPEN 2. 9E-5/D 2.90E-5 LOG NOR 3 ASEP GEN ACP-INV-110-UPSAl UPS lAl INVERTER OU'l'PUT FAILS 4.0E-2/D 4.00E-2 LOG NOR 3 ASEP GEN ACP-INV-NO-UPSA2 UPS 11\2 IHVER'fER OU'l'PU'r FAILS 4.0E-2/D 4.00E-2 LOG NOR 3 ASE}' GEN ACP-INV-NO-UPSBl UPS lBl IHVER'fER OUTPU'l' FAILS 4.0E-2/D 4.00E-2 LOG HOR 3 ASEP GEN ACP-INY-NO-UPSB2 UPS 1B2 INVERTER OUTPUT FAILS 4.0E-2/D 4.00E-2 LOG NOR 3 ASEP GEN
| |
| | |
| TABLE 4.9-7 (Continued)
| |
| SURRY DATA TABLE Failure Unavail. 8 Dist. Source/
| |
| Event Id Event Description Rate 'l'ime (Mean) Type EF Comments ACP-REC-NO-UPSAl UPS !Al REC'fIFIER OU'fPUT FAILURE 4.0E-4/D 4.00E-4 LOG NOR 3 ASEP GEN ACP-REC-NO-UPSA2 UPS 1A2 REC'f!FIER OUTPU'l' FAILURE 4.0E-4/D 4.00E-4 LOG NOR 3 ASEP GEN ACP-REC-NO-UPSB1 UPS 1Bl REC'l'IFIER OU'fPU'l' FAILURE 4.0E-4/IJ 4.00E-4 LOG NOR 3 ASEP GEN ACP-REC-NO-UPSB2 UPS 1B2 RECTIFIER OUTPUT FAILURE 4.0E-4/D 4.00E-4 LOG NOR 3 ASEP GEN ACP-TFM-NO-lAl-1 FAILURE OF UPS lA XFORMER PWR FM 1111-1 1. 7E-6/IIR 24hr 4.00E-5 LOG NOR 3 ZION PRA ACP-TFM-NO-lAl-2 FAILURE OF UPS lA XFORMER PWR FM 1111-2 1. 7E-6/HR 24hr 4.00E-5 LOG NOR 3 ZION PRA ACP-TFM-N0-1A2-l FAILURE OF UPS lA XFOHMER PWR FM 1H2-l 1. 7E-6/HR 24hr 4.00E-5 LOG NOR 3 ZION PRA ACP-TFM-N0-1A2-2 FAILURE OF UPS lA XFOHMER PWR FM 1112-2 1. 7E-6/IIR 24hr 4.00E-5 LOG NOR 3 ZION PRA ACP-TFM-NO-lBl-1 FAILURE OF UPS lB XFORMER PWR FM lJl-1 1. 7E-6/HR 24hr 4.00E-5 LOG NOR 3 ZION PRA ACP-'l'FM-N0-1Bl-2 FAILURE OF UPS lB XFORMER PWR FM lJl-2 1. 7E-6/IIR 24hr 4.00E-5 LOG NOR 3 ZION PRA
| |
| 'f- ACP-TFM-N0-1B2-1 FAILURE OF UPS lB XFORMER PWR FM 1J2-l 1. 7E-6/HR 24hr 4.00E-5 LOG NOR 3 ZION PRA c:c I
| |
| ts:!
| |
| ACP-TFM-N0-1B2-2 FAILURE OF UPS 18 XFORMER PWR FM 1J2-2 1. 7E-6/IIR 24hr 4.00E-5 LOG NOR 3 ZION PRA ts:! ACP-TFM-N0-111 FAILURE OF POWER XFORMER 'l'O, BUS 111 1. 7E-6/IIR 24hr 4.00E-5 LOG NOR 3 ZION PRA ACP-TFM-N0-1111 FAILURE OF POWER XFORMER TO DUS 1111 1.7E-6/IIR 24hr 4.00E-5 LOG NOR 3 ZION PRA ACP-TFM-NO-lJ FAILURE OF POWER XFORMER TO BUS lJ 1.7E-6/IIR 24hr 4.00E-5 LOG NOR 3 ZION PRA ACP-TFM-NO-lJl FAILURE OF POWER XFORMER TO BUS lJl 1. 7E-6/HR 24hr 4.00E-5 LOG NOR 3 ZION PRA ACP-'l'FM-N0-2Hl FAILURE OF POWER XFORMER TO BUS 2111 1. 7E-6/HR 24hr 4.00E-5 LOG NOR 3 ZION PRA ACP-XHE-FO-STBBS OP FAILS 'l'O RECONN S'l'UB BUS (LOSP ONLY) 1.4E-2/D 1. 40E-2 LOG NOR 10 RECOVERY AFW-AC'l'-FA-PMPJA NO ACTUATION SIGNAL TO AFW PMP JA 6.0E-4/D 6.00E-4 LOG NOR 5 NOTE (C)
| |
| AFW-1\C'l'-FA-PMPJ B NO AC'l'UATION SIGNAL 'l'O AFW .Pl*IP 3 B 6.0E-4/D 6.00E-4 LOG NOR 5 NOTE (C)
| |
| AFW-AC'f-FA-VLVA NO AC'l'UATION SIGNAL 'l'O AOV-MS102A 6.0E-4/D 6.00E-4 LOG NOR 5 NOTE (C)
| |
| AFW-AC'l'-FA-VLVB NO AC'l'UA'l'ION SIGNAL 'l'O AOV-MS102B 6.0E-4/D 6.00E-4 LOG NOR 5 NOTE (C)
| |
| AFW-AOV-FT AIR OPERATED VLV FAILS 'l'O OPEN 1. OE-3/D 1. OOE-3 LOG NOR 3 ASEP GEN AFW-AOV-FT-l02A AIR OPERA'l'ED VLV MS102A FAILS 'l'O OPEN 1. OE-3/D 1.00E-3 LOG NOR 3 ASEP GEN AFW-AOV-FT-102B AIR OPERA'l'ED VLV MS102B FAILS 'l'O OPEN 1.0E-3/D 1.00E-3 LOG NOR 3 ASEP GEN AFW-AOV-F'l'-202A AIR OPERATED VLV MS202A FAILS.TO OPEN 1.0E-3/D 1.00E-3 LOG NOR 3 ASEP GEN AFW-AOV-FT-2028 AIR OPERA'l'ED VLV MS202B FAILS TO OPEN 1.0E-3/D 1. OOE-3 LOG NOR 3 ASEP GEN
| |
| | |
| TABLE 4.9-7 (Continued)
| |
| BURRY DAT.A TABLE
| |
| * Failure Unavail. 8 Dist. Source/
| |
| Event Id Event Description Rate Time (Mean) Type EF Comments 1\FW-1\0V-PG-1021\ 1\IR OPERA'l'ED VLV MS102A PLUGGED 1. OE-7/IIR lrno 4.00E-5 LOG NOR 3 ASEP GEN 1\FW-AOV-PG-1028 AIR OPERATED VLV MS102B PLUGGED l.OE-7/IIR lrno 4.00E-5 LOG NOR 3 ASEP GEN AFW-AOV-PG-2021\ AIR OPERATED VLV MS202A PLUGGED *1. OE-7 /HR lrno 4.00E-5 LOG NOR 3 ASEP GEN AFW-AOV-PG-202B AIR OPERATED VLV MS202B PLUGGED 1.0E-7/HR lrno 4.00E-5 LOG NOR J ASEP GEN AFW-CCF-FS-FW3AB CC FAILURE OF AFW MOTOR DRIVEN PMPS 3.50E-4 NOTE (D)
| |
| (AFW-MDP-FS
| |
| * BETA-AFW)
| |
| AFW-CCF-F'f-10 2AB CC FAILURE OF MS102A AND B TO OPEN l.OOE-4 NOTE (D)
| |
| (AFW-AOV-FT
| |
| * BE'l'A-AOV)
| |
| AFW-CCF-FT-202AB CC FAILURE OF MS202A AND B TO OPEN 1.00E-4 NOTE (D)
| |
| (AFW-AOV-FT
| |
| * BETA-1\0V)
| |
| 'f" AFW-CCF-LK-2STMB UNDE'fEC'l' LEAKAGE TflRU U2 CV S'l'M BIND l.OOE-4 LOG NOR 30 NOTE (C)
| |
| (.0 I AFW-CCF-LK-S'l'MBD UNDE'fEC'f LEAKAGE TIIRU CV27, CV58, CV89 1.00E-4 LOG NOR 30 NOTE (C)
| |
| ~
| |
| I:,.:)
| |
| AFW-CKV-F'f-CV27 CHECK VLV CV27 FAILS 'l'O OPEH 1.0E-4/D 1. OOE-4 LOG NOR 3 ASEP GEN AFW-CKV-F'l'-CV58 CHECK VLV CV58 FAILS TO OPEN 1. OE-4/D 1.00E-4 LOG NOR 3 ASEP GEN AFW-CKV-F'l'-CV89 CHECK VLV CV89 Fl\ILS 'l'O OPEN 1.0E-4/D l.OOE-4 LOG NOR 3 ASEP GEN AFW-CKV-FT-CV131 CHECK VLV CV131 FAILS 'l'O OPEN 1. OE-4/D 1. OOE-4 LOG NOR 3 ASEP GEN AFW-CKV-FT-CV133 CHECK VLV CVlJJ Fl\ILS 'l'O OPEH 1. OE-4/D l.OOE-4 LOG NOR 3 ASEP GEH AFW-CKV-FT-CV136 CHECK VLV CV136 FAILS 'l'O OPEN 1. OE-4/D 1.00E-4 LOG NOR J ASEP GEN AFW-CKV-FT-CV138 CHECK VLV CV138 FAILS 'l'O OPEN 1. OE-4/D 1. OOE-4 LOG HOR 3 ASEP GEN AFW-CKV-FT-CV142 CHECK VLV CV142 FAILS TO OPEN 1. OE-4/D l.OOE-4 LOG HOR J ASEP GEN AFW-CKV-FT-CV157 CHECK VIN CV157 FAILS 'l'O OPEN 1. OE-4/D 1.00E-4 LOG HOR J ASEP GEN AFW-CKV-F'l'-CV172 CHF.CK VLV CV172 FAILS 'l'O OPEN 1..0E-4/D 1. OOE-4 LOG HOR 3 ASEP GEN AFW-CKV-FT-CV176 CHECK VIN CV176 FAIIJS 'l'O OPEH 1.0E-4/D l.OOE-4 LOG HOR 3 ASEP GEN AFW-CKV-FT-CV178 CHECK VLV CV178 FAILS *ro OPEN 1.0E-4/D 1.00E-4 LOG HOR J ASEP GEN 1\FW-CKV-F'l'-CVlD2 CHECK VLV CV182 FAILS 'l'O OPEN 1. OE-4/D 1.00E-4 LOG HOR 3 ASEP GEN AFW-CKV-F'l'-CV2 3 2 CHECK VLV CV232 FAILS 'l'O OPEN 1. OE-4/0 1. OOE-4 LOG NOR J ASEP GEN J\FW-CKV-F''l'-CV2 3 J CHECK VLV CV233 FAILS 'l'O OPEN 1. OE-4/0 1.00E-4 LOG HOR J ASEP GEN AFW-CKV-F'l'-CV236 CHECK VLV CV236 FAILS 'l'O OPEN 1.0E-4/0 l.OOE-4 LOG HOR J ASEP GEN AFW-CKV-FT-CV238 CHECK VLV CV238 Fl\ILS 'l'O OPEN 1.0E-4/0 1.00E-4 LOG HOR J ASEP GEN AFW-CKV-FT-CV242 CHECK VLV CV242 FAILS 'l'O OPEN 1. OE-4/0 1. OOE-4 LOG NOR J ASEP GEN
| |
| | |
| TA*BLE *4 .-9-7 .{Con-tlnued)
| |
| SURRY *DATA*TABLE Failure Unavail. 8 Dist. Source/
| |
| Event Id Event Description Rate Time (Mean) 'l'ype EF Comments AFW-CKV-OO-CV142 B1\CKFLOW THROUGH CV142 1. OE-3/D 1.00E-3 LOG NOR 3 ASEP GEN AFW-CKV-OO-CV157 B1\CKFLOW 'l'HROUGH CV157 l.OE-3/D l.OOE-3 LOG NOR 3 ASEP GEN AFW-CKV-OO-CV172 BJ\CKFLOW 'l'HROUGH CV172 1.0E-3/D l.OOE-3 LOG NOR 3 ASEP GEN AFW-CKV-OO-CV272 BACKFLOW THROUGH CV272 1.0E-3/D 1.00E-3 LOG NOR 3 ASEP GEN AFW-MDP-FR-3AlllR MDP AFW 31\ FAILS TO RUN 1 HOUR 3.0E-5/HR 1hr 3.00E-5 LOG NOR 10 ASEP GEN AFW-MDP-FR-3A6llR MDP AFW 31\ FAILS TO RUN 6 HRS 3.0E-5/HR 6hr 1.BOE-4 LOG NOR 10 ASEP GEN AFW-MDP-FR-3A24H MDP AFW 31\ FAILS TO RUN FOR 24 HRS 3.0E-5/HR 24hr 7.20E-4 LOG NOR 10 ASEP GEN AFW-MDP-FR-3BlHR MOP AFW 38 FAILS TO RUN 1 HOUR 3.0E-5/HR 1hr 3.00E-5 LOG NOR 10 ASEP GEN AFW-MDP-FR-3B6IIR MDP AFW 38 FAILS 'l'O RUN 6 HRS 3. OE-5/IIR 6hr 1.BOE-4 LOG NOR 10 ASEP GEN AFW-MDP-FR-382411 MDP AFW 38 FAILS TO RUN 24 HRS 3.0E--5/HR 24hr 7.20E-4 LOG NOR 10 ASEP GEN
| |
| .
| |
| ~
| |
| cc I
| |
| AFW-MDP-FS AFW_;.MDP-FS-FWJA APW MDP FAILS TO STAR'r MOP AFW JA FAILS 'l'O S'l'AR'r 6.3E-3/D 6.JE-3/D 6.30E-3 6.JOE-3 LOG NOR 3 LOG NOR 3 PSD PSD N) AFW-MDP-FS-FWJB MDP AFW 3B FAILS TO START 6. JE-3/D 6.JOE-3 LOG NOR 3 PSD
| |
| ~
| |
| AFW-MDP-MA-FWJA TEST AND MAINT ON AFW MDP JA 2.0E;..3/D 2.00E-3 LoG NOR 10 ASEP GEN AFW-MDP-MA-FW3B TEST AND MAINT ON AFW MDP 3B 2.0E-3/D 2.00E-3 LoG NOR 10 ASEP GEN 1\FW-MOV-FT-2601\ MOTOR OP VLV FW2601\ FAILS 'l'O OPEN 3. OE-3/D 3.00E-3 LOG NOR 10 ASEP GEN AFW-MOV-F'r-260B MOTOR OP VLV FW260B FAILS 'l'O OPEN 3. OE-3/D
| |
| * 3.00E-3 LOG NOR 10 ASEP GEN 1\FW-MOV-PG-1511\ MOTOR OPERA'l'ED VLV FW151A PLUGGED l.OE-7/IIR lmo 4.00E-5 LOG HOR 3 ASEP GEN 1\FW-MOV-PG-151B MO'l'OR OPERJ\'l'ED VLV FW151B PLUGGED 1. OE-'-7 /IIR lmo 4.00E-5 LOG NOR 3 ASEP GEN AFW-MOV-PG-151C MO'l'OR OPERA'rED VLV FW151C PLUGGED l.OE-7/IIR lmo 4.00E-5 LOG NOR 3 ASEP GEN AFW-MOV-PG-151D MO'l'OR OPERA'l'ED VLV FW151D PLUGGED l.OE--7/IIR lmo 4.00E-5 LOG NOR 3 ASEP GEN AFW-MOV-PG-151E MO'rOR OPERA'l'ED VLV FW151E PLUGGED 1.0E-7/IIR lmo 4.00E-5 LOG NOR 3 ASEP GEN AFW-MOV-PG-151F MOTOR OPERA'l'ED VLV FW151F PLUGGED 1. OE-7/HR lmo 4.00E-5 LOG NOR 3 ASEP GEN AFW-PSF-FC-XCONN FLOW DIVERSION .TO*UNIT2' THRU XCONN 1.5E-4/D l.50E-4 LOG NOR 3 NOTE (C)
| |
| AFW-TDP-FR-2P111R AFW TOP 2P FAILS 'l'o* RUN FOR 1 HR 5.0E-3/IIR 1hr 5.00E-3 LOG HOR 10 ASEP GEN AFW-'l'DP-FR-2P611R AFW TOP 2P FAILS 'l'O RUN FOR 6 HRS 5. OE-3/IIR 6hr 3.00E-2 LOG HOR 10 ASEP GEN AFW-TDP-FR-611RU2 UNIT 2 AFW 'l'DP FAILS TO RUN FOR 6 -HRS 5. OE-3/IIR 6hr 3.00E-2 LOG HOR 10 ASEP GEN AFW-TDP-FR-2P24H AFW TDP 2P FAILS TO RUN FOR 24 HRS 5.0E-3/HR 24hr 1. 20E-1 MAX ENTk
| |
| * ASEP GEN
| |
| .,.,j'
| |
| | |
| TABL 7 (Continued)
| |
| SURRY DATA TABLE
| |
| * Failure Unavaii. 8 Dist. Source/
| |
| Event Id Event Description Rate Time (Mean) Type EF Comments AFW-TDP.:.FS-FW2 TURBINE DRIVEN AFW PMP FAILS TO START 1.lE-2/D 1.lOE-2 LOG NOR 10 PSD AFW-TDP-FS-U2FW2 AFW TOP FW2 AT UNIT 2 FAILS TO START 1.lE-2/D 1. lOE-2 LOG NOR 10.PSD AFW-TDP-MA-FW2 TEST AND MAINT ON AFW TDP 2 l.OE-2/D 1. OOE-2 LOG NOR 10 ASEP GEN AFW-TDP-MA-U2FW2 TEST AND MAINT ON AFW UNIT b,TDP 2 1.0E-2/D l.OOE-2 LOG NOR 10 ASEP GEN I AFW-TNK-VF-cs*r AFW-TNK-VF-U2CST INSUF WATER AVAIL FM 110,000 GAL CST INSUF WATER AVA!~ AFW UNIT2 CST l.OE-6/D 1.0E-6/D l.OOE-6 1.00E-6 LOG NOR 3 LOG NOR 3 NOTE (C)
| |
| NOTE (C)
| |
| AFW-XIIE-FO-CST2 FAILURE OF OP TO XCONN UNIT2 CST 6.SE-2/D 6.SOE-2 MAX ENTk
| |
| * HRA AFW-XHE-FO-MNACT FAILURE OF OP TO MANUALLY ACTUATE AFW 2.7E-3/D 2.70E-3 LOG NOR 10 HRA AFW-XHE-FO-UlSBO OP FAILS TO XCONN AFW SBO AT UNIT 1 B.2E-2/D B.20E-2 MAX ENTk
| |
| * RECOVERY AFW-XHE-FO-U2SBO OP FAILS TO XCONN AFW SBO AT Ul/U2 7.SE-2/D 7.50E-2 MAX ENTk
| |
| * HRA
| |
| .,,,.
| |
| cc I
| |
| AFW-XHE-FO-UNIT2 OP FAILS TO XCONN AFW, TRANSIENTS 3.6E-2/D 3.60E-2 MAX ENTk
| |
| * HRA t,:i Cl AFW-XVM-PG-XV120 MANUAL VLV XV120 PLUGGED l.OE-7/HR lmo 4.00E-5 LOG NOR 10 ASEP GEN AFW-XVM-PG-XV153 MANUAL VLV XV153 PLUGGED l.OE-7/HR lmo 4.00E-5 LOG NOR 10 ASEP GEN AFW-XVM-PG-XVlSB MANUAL VLV XVlSB PLUGGED 1.0E-7/HR lrno 4.00E-5 LOG NOR 10 ASEP GEN AFW-XVM-PG-XV16B MANUAL VLV XV16B PLUGGED l.OE-7/HR lmo 4.00E-5 LOG NOR 10 ASEP GEN AFW-XVM-PG-XV183 MANUAL VLV XV183 PLUGGED l.OE-7/HR lmo 4.00E-5 LOG NOR 10 ASEP GEN AFW-XVM-PG-XV253 MANUAL VLV XV253 PLUGGED l.OE-7/HR lmo 4.00E-5 LOG NOR 10 ASEP GEN AFW-XVM-PG-XVB7 MANUAL VLV XVB7 PLUGGED l.OE-7/HR lrno 4.00E-5 LOG NOR lo ASEP GEN ALOCA OCCURENCE OF A LARGE (A) LOCA 1.00 1.00 NOTE (L)
| |
| BE'rA-AOV BE'fA FOR cc FAILURE -OF 2 OR FIORE AOVs 1. OOE-1 LOG NOR 3 ASEP GEN BETA-AFW BE'l'A FOR cc FAILURE OF AFW MDPs 5.60E-2 LOG NOR 3 ASEP ~EN BETA-BA'l'T BE'fA FOR cc FAILURE OF BA'l''I'ERI ES B.OOE-3 LOG NOR 3 ASEP GEN BETA-CSS BE'fA FOR cc FAILURE OF CSS MDPs 1. lOE-1 LOG NOR 3 ASEP GEN BETA-2DG BE'l'A FOR cc FAILURE OF 2 DGs 3.BOE-2 LOG NOR 3 ASEP GEN BE'l'A-3DG BE'l'A FOR cc FAILURE OF 3 DGs 1. BJE-2 LOG NOR 3 ASEP GEN BE'l'A-HPI BE'fA FOR cc FAILURE OF BPI MDPs 2.lOE-1 MAX ENTk
| |
| * ASEP GEN BE'l'A-LPI BETA FOR cc FAILURE OF LP! MDPs 1.SOE-1 LOG NOR 3 ASEP GEN BETA-2MOV BETA FOR cc FAILURE OF 2 MOVs B.BOE-2 LOG NOR 3 ASEP GEN
| |
| | |
| TABLE 4.9-7 (Continued)
| |
| BURRY DATA TABLE Failure Unavail. 8 Dist. Source/
| |
| Event Id Event Description Rate Time (Mean) Type EF Comments BETA-SRV BETA FOR CC FAILURE OF SRVs 7.00E-2 LOG NORk3 ASEP GEN BETA-STR BETA FOR CC FAILURE OF STRAINERS 2.63E-1 MAX ENT
| |
| * PSD BETA-SWMOV BETA FOR CC FAILURE OF SWS MOVs 2.lOE-1 MAX ENTk
| |
| * PSD CCW-CKV-FT-CV557 CHECK VLV CV557 FAILS TO CLS l.OE-4/D l.OOE-4 LOG NOR 3 ASEP GEN CCW-CKV-00-5630 CV 5630 FAILS TO SHUT, CAUSE BKFLW 1.0E-3/D 1. OOE-3 LOG NOR 3 ASEP GEN CCW-CKV-00-56302 CV 563U2 FAILS 'l'O SHUT, CAUSE BKFLW 1.0E-3/D l.OOE-3 LOG NOR 3 ASEP GEN CCW-CKV-OO~CV557 CV CV557 FAILS TO SHUT, CAUSE BKFLW 1.0E-3/D l.OOE-3 LOG NOR 3 ASEP GEN
| |
| ~
| |
| * CCW-UTX-LK-ElA CCW HEAT EXCHANGER ElA LEAKS 3.0E-6/HR 24hr 7.20E-5 LOG NOR 10 ASEP GEN l
| |
| Q)
| |
| CCW-HTX-LK-U2ElA CCW UNIT 2 HEAT EXCHANGER ElA PLUGGED 3.0E-6/HR 24hr 7.20E-5 LOG NOR 10 ASEP GEN CCW-HTX-MA-ElB TEST AND MAINT HT EXCHANGER ElB 2.0E-4/D 2.00E-4 LOG NOR 10 ASEP GEN CCW-HTX-PG-ElA ccw HEAT EXCHANGER ElA PLUGGBD 5. ?E-6/HR 24hr 1. 40E-4 LOG NOR 10 ASEP GEN CCW-HTX-PG-ElB ccw HEAT EXCHANGER ElB PLU~GED 5.?E-6/HR 24hr 1. 40E-4 LOG NOR 10 ASEP GEN CCW-IITX-PG-U2E1A ccw UNIT 2 HEAT EXCHANGEE ElB PLUGGED 5.?E-6/HR 24hr 1. 40E-4 LOG NOR 10 ASEP GEN CCW-MDP-FR-CCPlA 1-cc-P-lA FAILS TO RUN FOR 24 HRS 3.0E-5/HR 24hr 7.20E-4 LOG NOR 10 ASEP GEN
| |
| *ccw-MDP-FR-CCPlB MOP CC-PlB FAILS TO RUN FOR 24 HRS 3.0E-,,5/HR 24hr 7.20E-4 LOG NOR 10 ASEP GEN CCW-MDP-FR-CCP2A MOP CC-P2A FAILS TO RUN FOR 6 HRS 3.0E-5/HR 6hr l.BOE-4 LOG NOR 10 ASEP GEN CCW-MDP-FS-CCPlB. MDP CC-PlB FAILS '1'0 START ON DEMAND 3. OE-3/D 3.00E-3 LOG NOR 10 ASEP GEN CCW-MDP-FS-CCP2A MDP CC-P2A FAILS TO START ON DEMAND 3.0E-3/D 3.00E-3 LOG NOR 10 ASEP GEN CCW-MDP-MA-CCPlB TEST AND MAINT ON MDP CC:!-PlB 2.0E-3/D 2.00E-3 LOG NOR 10 ASEP GEN CCW-MDP-MA-,,CCP2A TEST AND MAINT ON MDP CC-PlA 2.0E-3/D 2.00E-3 LOG NOR 10 ASEP GEN
| |
| * TABLE 4.9-7 (Continued)
| |
| SURRY DATA TABLE
| |
| * Failure Unavail. 8 Dist. Source/
| |
| Event Id Event Description Rate Time (Mean) Type EF comments CCW-XVM-PG-5BOU2 Ml\NUAL VLV XV5BO(U2) PLUGGED 1.0E-7/HR lmo 4.00E-5 LOG NOR J ASEP GEN CCW-XVM-PG-583U2 MANUAL VLV XV583(U2) PLUGGED 1.0E-7/HR lmo 4.00E-5 LOG NOR 3 ASEP GEN CCW-XVM-PG-XV580 MANUAL VLV XV580 PLUGGED 1.0E-7/HR lmo 4.00E-5 LOG NOR J ASEP GEN CCW-XVM-PG-XV583 MANUAL VLV XV58,3 PLUGGED l.OE-7/HR lmo 4.00E-5 LOG NOR 3 ASEP GEN CCW-XVM-PG-XV584 Ml\NUAL VLV XV584 PLUGGED l.OE-7/HR lmo 4.00E-5 LOG NOR 3 ASEP GEN CCW-XVM-PG-XV587 MANUAL VLV XV587 PLUGGED 1.0E-7/HR lmo 4.00E-5 LOG NOR 3 ASEP GEN CLS-ACT-FA-CLS2A NO SIGNAL FROM CLCS ACT TRAIN A 1. 6E-J/D 1. 60E...;3 LOG NOR 5 ASEP GEN CLS-ACT-FA-CLS2B NO SIGNAL FROM CLCS ACT TRAIN B 1.6E-3/D 1.GOE-3 LOG NOR 5 ASEP GEN CLS-XIIE-FO-Ml\N-A OP FAILS TO RECOVER CLCS ACT,A LOCA .2. 7E-3/D 2.70E-3 LOG NOR 10 HRA
| |
| ':"' CLS-XHE-FO-MANSl OP FAILS TO RECOVER CLCS ACT,s 1 LOCA 2.7E-3/D 2.70E-3 LOG NOR 10 HRA co CLS-XHE-FO-MANS2 OP FAILS TO RECOVER CLCS ACT,S 2 LOCA 2. 7E-3/D 2.70E-3 LOG NOR 10 HRA I
| |
| ~
| |
| -.:i CON-VFC-RP-COREM LPR,HPR FAILS DUE TO CONT FAILURE, 2.0E-2/D 2.00E-2 NOTE (E)
| |
| PROBABILITY FOR EVENT CV CPC-AOV-F'f CPC AIR OPERA'fED VALVE FAILS TO OPEN 1. OE-3/D l.OOE-3 LOG NOR 3 ASEP GEN CPC-AOV-F'f-108B AOV TV-CC-lOBB FAILS TO OPEN l.OE-3/D 1.00E-3 LOG NOR 3 ASEP GEN CPC-AOV-FT-lOBC AOV TV-CC-lOBC FAILS TO OPEN l.OE-3/D l.OOE-3 LOG NOR 3 ASEP GEN CPC-AOV-FT-208C AOV TV-CC-20BC FAILS TO OPEN 1.0E-3/D 1.00E-3 LOG NOR 3 ASEP GEN CPC-CCF-FT-BBC CC FAILURE OF TV-10BB/10BC l.OOE-4 NOTE (D)
| |
| (CPC-AOV-FT*BETA-AOV)
| |
| CPC-CCF-LF-STRlH CC PLUG STRAINERS 2A & 2B W/IN 1 HR 1hr 7.90E-6 NOTES (D,F)
| |
| (CPC-STR-PG-lll*BETA-STR)
| |
| CPC-CCF-LF-STRJH CC PLUG OF STRAINERS 2A & 2B W/IN 3 HRS Jhr 2.40E-5 NOTES (D,F)
| |
| (CPC-S'l'R-PG-JH*BE'fA-STR)
| |
| CPC-CCF-LF-STRAB
| |
| * CC PLUG OF STRAINERS 2A & 2B W/IN 6 HRS 6hr 4.70E-5 NOTES (D,F)
| |
| (CPC-STR-PG-JH*BETA-STR)
| |
| CPC-CCF-LF-STR6H CC PLUG OF STRAINERS 2A & 2B W/IN 6 HRS 6hr 4.70E-5 NOTES (D,F)
| |
| (CPC-STR-PG-6H*BETA-STR)
| |
| | |
| TABLE 4.9-7 (Continued)
| |
| BURRY DATA TABLE Failure Unavail. 8 Dist. Source/
| |
| Event Id Event Description Rate Time (Mean) Type EF Comments CPC-CCF-LF-S'l'RlB CC PLUG OF S'fRAINERS 21\ & B W/IN 18 HRS 18hr l.40E-4 NOTES (D, F)
| |
| (CPC-STR-PG-lBH*BETA-STR)
| |
| CPC-CCF-LF-STR24 CC PLUG OF STRAINERS 2A & B W/IN 24 HRS 24hr l.90E-4 NOTES (D,F)
| |
| (CPC-STR-PG-24H*BETA-STR)
| |
| CPC-CKV-FT-CV104 CPC CKV CV104 FAILED TO OPEN 1. OE-4/D 1. OOE-4 LOG NOR 3 ASEP GEN CPC-CKV-FT-CVlOB CHECK VLV CVlOB FAILS TO OPEN 1. OE-4/D 1.00E-4 LOG NOR 3 ASEP GEN CPC-CKV-FT-CV262 CHECK VLV CV262 FAILS TO OPEN 1. OE-4/D 1.00E-4 LOG NOR 3 ASEP GEN CPC-CKV-FT-CV752 CHECK VLV CV752 FAILS TO OPEN l.OE-4/D 1.00E-4 LOG NOR 3 ASEP GEN
| |
| .,.. CPC-CKV-OO-CV113 CK VLV CV113 FAILS TO SHUT,CAUSE BKFLW 1. OE-3/D 1.00E-3 LOG NOR 3 ASEP GEN
| |
| :t* CPC-CKV-OO-CV764 CK VLV CV764 FAILS TO SHUT,CAUSE BKFLW 1.0E-3/D l.OOE-3 LOG NOR 3 ASEP GEN CPC-ICC-FA-CCPBS NO ACT SIG TO START CPC PMP 2B 3.2E-4/D 3.20E-4 LOG NOR 5 NOTE (C)
| |
| CPC-ICC-FA-SWPBS NO ACT SIG TO START SW PMP lOB 3.2E-4/D 3.20E-4 LOG NOR 5 NOTE (C)
| |
| CPC-ICC ... FA-TCVBB NO ACT SIG TO LUBE OIL COOLING TCVBB 1. 6E-3/D l.60E-3 LOG NOR 5 NOTE (C)
| |
| CPC-ICC-FA-TCVBC NO ACT SIG TO LUBE OIL COOLING TCV8C 1. 6E~3/D l.60E-3 LOG NOR 5 NOTE (C)
| |
| CPC-MDP-FR-CC2A3 MOP CC2A FAILS TO RUN FOR 3 HRS 3.0E-5/HR 3hr 9.00E-5 LOG NOR 10 ASEP GEN CPC-MOP-FR-CC2A6 MDP CC2A FAILS TO RUN FOR 6 HRS 3.0E-5/HR 6hr 1. 80E-4 LOG NOR 10 ASEP GEN CPC-MDP-FR-2CC2A MOP CC2A U2 FAILS TO RUN FOR 6 HRS 3.0E-5/HR 6hr 1. 80E-4 LOG NOR 10 ASEP GEN CPC-MDP-FR-CC2A MDP CC2A FAILS TO RUN FOR 24 HRS 3.0E-5/IIR 24hr 7.20E-4 LOG NOR 10 ASEP GEN CPC-MDP-FR-CC2B MDP CC2B 'FAILS TO RUN FOR 24 HRS 3.0E-5/HR 24hr 7.20E-4 LOG NOR 10 ASEP GEN CPC-MOP-FR-CC283 MOP CC2B FAILS TO RUN FOR 3 HRS J,OE-5/HR 3hr 9.00E-5 LOG HOR 10 ASEP GEN CPC-MDP-FR-CC2B6 MDP CC2B FAILS TO RUN FOR 6 HRS 3.0E-5/HR 6hr l.80E-4 LOG NOR 10 ASEP GEN CPC-MOP-FR-CCAJH MOP CCA FAILS TO RUN FOR 3 HRS 3.0E-5/HR 3hr 9.00E-5 LOG NOR 10 ASEP GEN CPC-MOP-FR-CCJ\6H MDP CCA FAILS TO RUN FOR 6 HRS 3.0E-5/HR 6hr 1. BOE-4 LOG NOR 10 ASEP GEN CPC-MDP-FR-CCJ\18 MDP CCA FAILS TO RUN FOR 18 HRS 3. OE-5/IIR 18hr 5,40E-4 LOG NOR 10 ASEP GEN CPC-MDP-FR-CCA24 MDP CCA FAILS 'l'O RUN FOR 24 HRS 3.0E-5/HR 24hr 7.20E-4 LOG NOR 10 ASEP GEN CPC-MUP-FR-CCBJH MDP CCB FAILS 'l'O RUN FOR J HRS 3.0E-5/llR 3hr 9.00E-5 LOG NOR 10 ASEP GEN CPC-MDP-FR-CCB611 MDP CCB FAILS TO RUN FOR 6 HRS 3.0E-5/HR 6hr 1. 80E-4 LOG NOR 10 ASEP GEN CPC-MOP-FR-CCB18 MDP CCB FAILS TO RUN FOR 18 HRS 3.0E-5/HR 18hr 5.40E-4 LOG NOR 10 ASEP GEN CPC-MOP-FR-CCB24 MDP CCB FAILS TO RUN FOR 24 HRS J.OE-5/HR 24hr 7.20E-4 LOG NOR 10 ASEP GEN
| |
| * * *
| |
| | |
| - - - - -
| |
| TABLE 4.9-7 (Continued)
| |
| BURRY D1\T1\ TABLE
| |
| * Failure Unavail. 8 Dist. Source/
| |
| Event Id Event Description Rate 'l'ime (Mean) 'l'ype EF Comments CPC-MDP-FR-SWA311 MIJP SWA FAILS 'I'O RUN FOR 3 HRS 1. 6E-4/IIR 3hr 4.80E-4 LOG NOR 3 PSD CPC-MDP-FR-SWA6H MDP SWA FAILS 'l'O RUN FOR 6 HRS 1. 6E-4/HR 6hr 9.60E-4 LOG NOR 3 PSD CPC-MDP-FR-SWlOA MDP SWlOA FAILS TO RUN FOR 24 HRS 1. 6E-4/HR 24hr 3.80E-3 LOG NOR 3 PSD CPC-MDP-FR-SW20A MDP SW20A FAILS 'l'O RUN FOR 6 HRS l.6E-4/HR 6hr 9.60E-4 LOG NOR 3 PSD CPC-MDP-FR-SWA18 MDP SWA FAILS TO RUN FOR 18 HRS 1. 6E-4/IIR 18hr 2.90E-3 LOG NOR 3 PSD CPC-MDP-FR-SWJ\24 MDP SW/\ FAILS 'I'O RUN FOR 24 !IRS 1. 6E-4/JIR 24hr 3.80E-3 LOG NOR 3 PSD CPC-MDP-FR-SWB311 MDP SWB FAILS TO RUN FOR 3 HRS l.6E-4/IIR 3hr 4.80E....:4 LOG NOR 3 PSD CPC-MDP-FR-SWB6ll MDP SWB FAILS 'I'O RUN FOR 6 HRS 1. 6E-4/IIR 6hr 9.60E-4 LOG NOR 3 PSD CPC-MDP-FR-SW10B MDP SWlOB FAILS 'I'O RUN FOR 24 HRS 1. 6E-4/IIR 24hr 3.80E-3. *LOG NOR 3 PSD
| |
| .
| |
| .i::,.
| |
| tO CPC-MDP-FR-SWB18 CPC-MDP-FR-SWB24 MOP MDP SW8 FAILS 'l'O RUN FOR 18 HRS SWB FAILS 'l'O RUN FOR 24 HRS
| |
| : 1. 6E-4/IIR l.6E-4/IIR 18hr 24hr 2.90E-3 3.80E-3 LOG LOG NOR NOR 3
| |
| 3 PSD PSD I
| |
| N) tO CPC-MDP-FS-2CC2A MDP UNIT 2 CC2A FAILS TO START 3.0E-3/D 3.00E-3 LOG HOR 10 ASEP GEN CPC-MDP-FS-CC2B MVP CC2B FAILS TO START 3.0E-3/IJ 3.00E-3 LOG NOR 10 ASEP GEN CPC-MDP-FS-SWlOA MDP SWlOA FAILS 'l'O STAR'!' 8.0E-3/D 8.00E-3 LOG NOR 3.5 PSD CPC-MDP-FS-SW10B MDP SWlOB FAILS TO STAR'!' 8.0E-3/D 8.00E-3 LOG NOR 3.5 PSD CPC-MDP-FS-SW20A MOP SW20A FAILS 'l'O S'l'ART 8.0E-3/D 8.00E-3 LOG NOR 3.5 PSD CPC-MDP-MA-CC28 'I'ES'I' AND MAIN'!' ON MIJP CC2B 2.0E-3/D 2.00E-3 LOG NOR 10 ASEP GEN CPC-MDP-MA-SW10B 'I'ES'I' AND MAIN'!' ON MOP SW10B 2.0E-3/D 2.00E-3 LOG NOR 10 ASEP GEN CPC-STR-PG-lllR CPC STRAINER PLUGGED W/IN 1 IIR 3. OE-5/IIR 1hr 3.00E-5 LOG NOR 10 IREP CPC-STR-PG-311R CPC S'l'RAINER PLUGGED W/IN 3 !IRS 3. OE-5/IIH 3hr 9.00E-5 LOG NOR 10 IREP CPC-S'1'R-PG-6IIR CPC STRAINER PLUGGED W/IN 6 HRS 3. OE-5/IIR 6J1r 1. 80E-4 LOG NOR 10 IREP CPC-S'I'R-PG-1811R CPC STRAINER PLUGGED W/IH 18 HRS 3.0E-5/IIR 18hr 5.40E-4 LOG NOR 10 IREP CPC-S'l'R-PG-2411H CPC S'l'RAINER PLUGGED W/IN 24 HRS 3. OE-5/IIR 24hr 7.20E-4 LOG NOR 10 IREP CPC-S'l'R-PG-ll\3 IIR CPC STRAINER lA PLUGGED W/IN 3 HHS 3.0E-5/IIH 3hr 9.00E-5 LOG NOR 10 IREP CPC-S'l'R-PG-ll\611H CPC S'l'RAINER lA PLUGGED W/ IN 6 !IRS 3.0E-5/IIH 6hr 1. OOE-4 LOG NOR 10 IREP CPC-STR-PG-1AU26 CPC S'l'RAINER lA UNI'l' 2 PLUG W/ IN 6 HRS 3.0E-5/IIR 6hr 1. 80E-4 LOG NOR 10 IREP CPC-S'l'R-PG-11\1811 CPC STRAINER lA PLUGGED W/IN 18 !IRS 3. OE-5/IIR 18hr 5.40E-4 LOG HOR 10 IREP CPC-S'l'R-PG-1A2 411 CPC S'l'Rl\lNER 11\ PLUGGED W/IN 24 IIRS 3. OE-5/IIH 24hr 7.20E-4 LOG NOR 10 !REP CPC-STR-PG-l8311R CPC STRAINER 18 PLUGGED W/IN 3 HRS 3. OE-5/IIH Jhr 9.00E-5 LOG NOR 10 !REP CPC-S'l'R-PG-1B6HR CPC S'I'RAIN ER lB PLUGGED W/IN 6 HRS 3.0E-5/IIR 6hr 1. 80E-4 LOG NOR 10 !REP CPC-S'I'R-PG-1Bl811 CPC STRAINER 18 PLUGGED W/IN 18 HRS 3. OE-5/IIH 18hr 5.40E-4 LOG NOR 10 IREP CPC-S'I'R-PG-182411 CPC S'I'RAINER lB PLUGGED W/IN 24 HRS 3.0E-5/HR 24hr 7.20E-4 LOG NOR 10 !REP
| |
| | |
| TABLE 4.9-7 (Continued)
| |
| SURRY DATA TABLE Failure Unavail. 8 Uist. Source/
| |
| Event Id Event Description Rate *rime (Mean) Type EF Comments CPC-STR-PG-2A311R CPC S'l'RAINER 2A PLUGGED W/IN 3 HR 3. OE-5/IIR 3hr 9.00E-5 LOG NOR 10 !REP CPC-STR-PG-2A611R CPC S'l'RAINER 2A PLUGGED W/IN 6 HRS 3. OE-5/IIR 6hr l.80E-4 LOG NOR 10 !REP CPC-STR-PG-2AU26 UNIT 2 CPC S'l'RAINER 2A PLUG W/IN 6 HRS 3. OE-5/IIR 6hr 1. 80E-4 LOG NOR 10 !REP CPC-S'l'R-PG-2Al811 CPC S'l'RAINER 2A PLUGGED W/IN 18 HRS 3. OE-5/IIR 18hr 5. 40E-4 LOG NOR 10 !REP CPC-STR-PG-2A2411 CPC S'l'RAINER 2A PLUGGED W/IN 24 HR 3.0E-5/HR 24hr 7.20E-4 LOG NOR 10 !REP CPC-STR-PG-283HR CPC S'l'RAINER 28 PLUGGED W/IN 3 HRS 3, OE-5/IIR 3hr 9.00E-5 LOG NOR 10 !REP CPC-STR-PG-28611R CPC S'l'RAINER 28 PLUGGED W/IN 6 HRS 3.0E-5/IIR 6hr l,80E-4 LOG NOR 10 !REP CPC-STR-PG-281811 CPC S'l'RAINER 2B PLUGGED W/IN 18 HRS 3.0E-5/HR 18hr 5.40E-4 LOG NOR 10 !REP CPC-S'l'R-PG-2 82 411 CPC S'l'RAINER 28 PLUGGED W/IN 24 HRS 3.0E-5/HR 24hr 7.20E-4 LOG NOR 10 !REP CPC-STR-PG-STRlA STRAINER lA PLUGGED W/IN 6 HRS 3.0E-5/IIR 6hr 1. 80E-4 LOG NOR 10 !REP -
| |
| CPC-S'l'R-PG-S'l'R1B S'l'RAINER 18 PLUGGED W/IN 6 HRS 3.0E-5/IIR 6hr 1. 80E-4 LOG NOR 10 !REP CPC-STR-PG-STR2A S'l'Rl\INER 2A PLUGGED W/IN 6 HRS 3.0E-5/HR 6hr 1. BOE-4 LOG NOR 10 !REP CPC-STR-PG-S'l'H.2 B STRAINER 28 PLUGGED W/IN 6 HRS 3.0E-5/HR 6hr 1. 80E-4 LOG NOR 10 !REP
| |
| ':'"
| |
| c:c I CPC-XIIE-FO-CMNS2 OP FAILS 'l'O MANUALLY ACT CPC MDP 3. 8E-2/D 3.80E-2 MAX ENTk
| |
| * HRA w
| |
| 0 CPC-XIIE-FO-REALN OP FAILS 'l'O ALIGN CPC SW 'l'O UNI'I'2 7.0E-2/D 7.00E-2 MAX ENTk
| |
| * RECOVERY CPC-XIIE-"FO-SMNSl OP FAILS MAN AC'l' CPC SWS MOP 3.BE-2/D 3.BOE-2 MAX ENTk
| |
| * HRA CPC-XIIE-FO-SMNS2 OP FAILS MAN AC'l' CPC SWS MDP 3.BE-2/D 3.BOE-2 MAX ENTk
| |
| * HRA CPC-XVM-PG-XV109 MANUAL VLV XV109 PLUGGED 1. OE-7/HR lwk 8,40E-6 LOG NOR 3 ASEP GEN CPC-XVM-PG-XV117 MANUAL VLV XV117 PLUGGED 1. OE-7 /HR lmo 4.00E-5 LOG NOR 3 ASEP GEN CPC-XVM-PG-XV118 MANUAL VLV XVllB PLUGGED 1,0E-7/IIR lwk 8.40E-6 LOG NOR 3 ASEP GEN CPC-XVM-PG-XV119 MANUAL VLV XV119 PLUGGED 1. OE-7/HR lwk B,40E-6 LOG NOR 3 ASEP GEN CPC-XVM-PG-XV120 MANUAL VLV XV120 PLUGGED 1.0E-7/IIR lmo 4.00E-5 LOG NOR 3 ASEP GEN CPC-XVM-PG-XV122 MANUAL VLV XV122 PLUGGED 1,0E-7/tlR lmo 4.00E-5 LOG NOR 3 ASEP GEN CPC-XVM-PG-XV123 MANUAL VLV XV123 PLUGGED l,OE-7/IIR lrno 4.00E-5 LOG NOR 3 ASEP GEN CPC-XVM-PG-XV124 MANUAL VLV XV124 PLUGGED 1,0E-7/IIH lrno 4.00E-5 LOG NOR 3 ASEP GEN CPC-XVM-PG-XV125 MANUAL VLV XV125 PLUGGED l,OE-7/IIR lrno 4.00E-5 LOG NOR 3 ASEP GEN CPC-XVM-PG-XV126 MANUAL VLV XV126 PLUGGED 1,0E-7/IIR lmo 4,00E-5 LOG NOR 3 ASEP GEN CPC~XVM-PG-XV170 MANUAL VLV XV170 PLUGGED 1.0E-7/IIH lmo 4.00E-5 LOG NOR 3 ASEP GEN CPC-XVM-PG-XV171 MANUAL VLV XV171 PLUGGED 1. OE-7/IIR lwk 8.40E-6 LOG NOR 3 ASEP GEN CPC-XVM-PG-XV172 MANUAL VLV XV172 PLUGGED 1,0E-7/IIR lmo 4.00E-5 LOG NOR 3 ASEP GEN CPC-XVM-PG-XV17J MANUAL VLV XV173 PLUGGED 1.0E-7/IIR l.mo 4.00E-5 LOG NOR 3 ASEP GEN CPC-XVM-PG-XV261 MANUAL VLV XV261 PLUGGED 1.0E-7/IIR lwk B.40E-6 LOG NOR 3 ASEP GEN CPC-XVM-PG-XV305 MANUAL VLV XV305 PLUGGED 1.0E-7/HR lwk 8.40E-6 LOG NOR 3 ASEP GEN
| |
| | |
| TABLE .9-7 (Continued)
| |
| SURRY DATA TABLE Failure Unavai1. 8 Dist. Source/
| |
| Event Id Event Description Rate Time (Mean) Type EF Comments CPC-XVM-PG-XV306 MANUAL VLV XV306 PLUGGED 1.0E-7/HR lwk B.40E-6 LOG NOR 3 ASEP GEN CPC-XVM-PG-XV701 MANUAL VLV XV701 PLUGGED 1.0E-7/HR lmo 4.00E-5 LOG NOR 3 ASEP GEN CPC-XVM-PG-XV781 MANUAL VLV XV781 PLUGGED l.OE-7/HR lmo 4.00E-5 LOG NOR 3 ASEP GEN CSS-CCF-FS-CS1AB CC FAIL OF CSS MDPS TO START 3.JOE-4 NOTE (D)
| |
| (CPC-MDP-FS*BETA-CSS)
| |
| CSS-CCF-FT-lOlAB CC FAIL OF CSS MOVS lOlA AND l01B 2.60E-4 NOTE (D)
| |
| (CPC-MOV-FT*BETA-2MOV)
| |
| CSS-CCF-FT-lOlCD CC FAIL OF CSS MOVS lOlC AND 101D 2.60E-4 NOTE (D)
| |
| (CPC-MOV-FT*BETA-2MOV)
| |
| CSS-CKV-FT-CV13 CIIECK VLV CV13 FAILS TO. OPEN ON DEMAND l.OE-4/D l.OOE-4 LOG NOR 3 ASEP GEN CSS-CKV-FT-CV24 CHECK VLV CV24 FAILS TO OPEN ON DEMAND 1. OE-4/D 1. OOE-4 LOG NOR 3 ASEP GEN CSS-FLT-PG-CS1A . FILTER FLCS1A PLUGGED J.OE-5/HR 1hr J.OOE-5 LOG NOR 10 IREP CSS-FLT-PG-CS1B FILTER FLCS1B PLUGGED J.OE-5/HR 1hr 3.00E-5 LOG NOR 10 !REP CSS-MDP-FR-lAlllR CSS MDP lA FAILS TO RUN FOR 1 HOUR J.OE-5/HR 1hr J.OOE-5 LOG NOR 10 ASEP GEN CS_S-MDP-FR-1BlllR CSS MDP lB FAILS TO RUN FO.R 1 HOUR J.OE-5/HR 1hr 3.00E-5 LOG NOR 10 ASEP GEN CSS-MDP-FS CONT SPRAY PUMP FAILS TO STAR'r ON DMD J. OE-3/D J.OOE-3 LOG NOR 10 ASEP~GEN CSS-MDP-FS-CS1A CSS MOP lA FAILS 'l'O S'l'AR'f ON DEMAND 3.0E-3/D 3.00E-3 LOG NOR 10 ASEP GEN CSS-MDP-Fs.:.cs1B CSS MDP lB FAILS 'l'O S'rAR'f ON DEMAND J.OE-3/D 3.00E-3 LOG NOR 10 ASEP GEN CSS-MDP-MA-CS1A 'l'EST AND MAIN'!' ON CSS MDP lA 2.0E-3/D 2.00E-3 LOG NOR 10 ASEP GEN CSS-MDP-MA-CS1B TEST AND MAINT ON CSS MOP lB 2.0E-3/D 2.00E-3 LOG NOR 10 ASEP GEN CSS-MOV-FT MOV FAILS TO OPEN ON DEMAND J.OE-3/D J.OOE-3 LOG NOR 10 ASEP GEN CSS-MOV-FT-lOlA MOV 101A FAILS TO OPEN ON DEMAND J. OE-3/D J.OOE-3 LOG NOR 10 ASEP GEN CSS-MOV-FT-101B MOV l01B FAILS TO OPEN ON DEMAND J.OE-3/D J.OOE-3 LOG NOR 10 ASEP GEN CSS-MOV-FT-lOlC MOV lOlC FAILS TO OPEN ON DEMAND J.OE-3/D J.OOE-3 LOG NOR 10 ASEP GEN CSS-MOV-FT-lOlD MOV l01D FAILS TO OPEN ON DEMAND J.OE-3/D J.OOE-3 LOG NOR 10 ASEP GEN CSS-MOV-PG-lOOA MOTOR OPERATED VLV lOOA PLUGGED l.OE-7/HR Jmo l.OOE-4 LOG NOR 3 ASEP GEN CSS-MOV-PG-lOOB MOTOR OPERATED VLY lOOB PLUGGED l.OE-7/HR Jmo l.OOE-4 LOG NOR 3 ASEP GEN
| |
| | |
| TABLE 4.9-7 (Continued)
| |
| SURRY DATA TABLE Failure Unavail. B Dist. Source/
| |
| Event Id Event Description Rate Time (Mean) Type EF comments CSS-XVM-RE-XV8* MAN VLV xve LEFT OPEN AFTER PMP TEST 3. OE-3/D 3.00E-3 LOG NOR 10 HRA CSS-XVM...;RE..:xv1s MAN VLV XV15 LEFT OPEN AFTER PMP TEST 3. OE-3/D J.OOE-3 WG NOR 10 HRA I
| |
| CVC-MDP-FR-2A1HR 'BORIC ACID XFER PMP FAILS TO RUN 1 HR J.OE-5/HR 1hr J.OOE-5 WG NOR 10 ASEP GEN DEMAND PROB FOR INTERFACING WCA 5.0E-1/D 5.00E-1 POINT EST NOTE (G)
| |
| .
| |
| D DCP-BAT-LP FAIJ,,URE OF BATTERY POWER ON DEMAND 1.0E-6/HR 2mo 7.20E-4 LOG NOR J ASEP GEN
| |
| * DCP-BAT-LP-BATlA FAILURE OF BATTERY lA POWER ON DEMAND 1.0E-6/HR 2mo 7.20E-4 WG NOR J ASEP GEN
| |
| 'f w DCP-BAT-LP-BATlB FAILURE OF BATTERY lB POWER ON DEMAND 1.0E-6/HR 2mo 7.20E-4 WG NOR J N
| |
| ASEP GEN DCP-BDC-ST-BUSlA 125V DC BUS lA BUSWORK FAILURE 9.0E-5/D 9.00E-5 LOG NOR 5 ASEP GEN DCP-BDC-ST-BUSlB 125V DC BUS lB BUSWORK FAILURE 9.0E-5/D 9.00E-5 WG NOR 5 ASEP GEN DCP-CCF-LP-BTlAB CC FAILURE OF BATTERIES lA AND lB 5.80E-6 NOTE (D)
| |
| (DCP-BAT-LP*BETA-BATT)
| |
| DCP-CRB-C0-19 DC CIRCUIT BREAKER 19 XFERS OPEN 2. 9E-5/D 2.90E-5 LOG NOR j ASEP GEN DCP-CRB-C0-20 DC CIRCUIT BREAKER 20 XFERS OPEN 2.9E-5/D 2.90E-5 LOG NOR J ASEP GEN DCP-CRB-C0-23 DC CIRCUIT BREAKER 23 XFERS OPEN 2.9E-5/D 2.90E-5 LOG HOR J ASEP GEN DCP-CRB-C0-24 DC CIRCUIT BREAKER 24 XFERS OPEN 2.9E-5/D 2.90E-5 WG NOR J ASEP GEN OGN-FTO DG #J UNAVAIL, DG 2 FAIL TO S'l'ART/RUN J. 4E-2/D J.40E-2 WG NOR J NOTE (C)
| |
| HPI-CCF-FS-ClllBC CC FAIL TO START MOPS CHlB,ClllC 8.40E-4 NOTE (D)
| |
| (HPI-MDP-FS*BETA-HPI)
| |
| HPI-CCF-FT-115BD CC FAIL OF MOVS 1115B AND ll15D 2.60E-4 NOTE (D)
| |
| (HPI-MOV;_FT*BETA-2MOV)
| |
| HPI-CCF-FT-867CD CC FAIL OF HP.I MOVS 1867C, 18670 2.60E-4 NOTE (D)
| |
| (HPI-MOV-FT*BETA-2MOV)
| |
| | |
| Tl\BL -7 (Continued)
| |
| BURRY D1\T1\ Tl\DLE
| |
| * Failure Unavail. 8 Dist. Source/
| |
| Event Id Event Description Hate *rime (Mean) Type EF Comments HPI-CKV-F'f-CV25 CHECK VLV CV25 FAILS TO OPEN. 1. OE-4/D l.OOE-4 LOG NOR 3 ASEP GEN HPI-CKV-F'f-CV2 2 5 CHECK VLV CV225 FAILS 'l'O OPEN 1. OE-4/D 1. OOE-4 LOG NOR 3 ASEP GEN HPI-CKV-F'l'-CV2 67 CHECK VLV CV267 FAILS 'l'O OPEN 1. OE-4/D 1.00E-4 LOG NOR 3 ASEP GEN HPI-CKV-FT-CV276 CHECK VLV CV276 FAILS 'l'O OPEN 1. OE-4/D l.OOE-4 LOG NOR 3 ASEP GEN IIPI-CKV-FT-276U2 CHECK VLV UNIT2 CV276 FAILS TO OPEN 1.0E~4/D 1. OOE-4 LOG NOR 3 ASEP GEN HPI-CKV-FT-CV410 CHECK VLV CV410 FAILS 'l'O OPEN 1. OE-4/D 1. OOE-4 LOG NOR 3 ASEP GEN HPI-CKV-00-258U2 UNI'f2 CV258 FAILS 'l'O SHUT, CAUSE BKFLW l.OE-3/D l.OOE-:3 LOG NOR 3 ASEP GEN HPI-CKV-00-267U2 UNI'l'2 CV267 FAILS 'l'O SHlJ'f, CAUSE BKFLW l.OE-3/IJ 1. OOE-3 LOG NOR 3 ASEP GEN HPI-CKV-00-276U2 UNIT2 CV276 FAILS TO SHUT, CAUSE BKFLW l.OE-3/D 1. OOE-3 LOG NOR 3 ASEP GEN HPI-CKV-OO-CV258 CK VLV CV258 FAILS 'l'O SHU'l', CAUSE BKFLW l.OE-3/D 1. OOE-3 LOG NOR 3 ASEP GEN
| |
| .i:,. HPI-MDP-FR-1A3HR CHRGNG PMP CHlA FAILS 'l'O RUN FOR J ,ms 6. JE-5/IIR 3hr 2.00E-4 LOG NOR 2.9 PSD to HPI-MDP-FR-1A611R CIIRGNG PMP CHlA FAILS 'l'O RUN FOR 6 HRS 6. JE-5/IIR 6hr 4.00E-4 LOG NOR 2.9 PSD I
| |
| w HPI-MIJP-FR-1A24ll CIIRGNG PMP ClllA FAILS 'l'O RUN FOR 24 IIRS 6. JE-5/JIR 24hr 1. 60E-3 LOG NOR 2.9 PSD w
| |
| IIPI-MDP-FR-1B3IIR CHRGNG PMP CH1B FAILS 'l'O RUN FOR 3 !IRS 6. JE-5/IIR 3hr 2.00E-4 LOG NOR 2.9 PSD HPI-MDP-FR-1B6IIR CHRGNG PMP ClllB FAILS 'l'O RUN FOR 6 HRS 6. JE-5/JIR 6hr 4.00E-4 LOG NOR 2.9 PSD HPI-MDP-FR-1B24Il CIIRGNG PMP CH1B FAILS 'l'O RUN FOH 24 HRS 6. JE-5/IIR 24hr l.60E-3 LOG NOR 2.9 PSD IIPI-MDP-FR-1C311R CHRGNG PMP ClllC FAILS 'l'O RUN FOR 3 HRS 6.3E-5/HR 3hr 2.00E-4 LOG NOR 2.9 PSD HPI-MDP-FR-1C611R CHRGNG PMP ClllC FAILS 'l'O mm FOR 6 HRS 6. JE-5/IIR 6hr 4.00E-4 LOG NOR 2.9 PSD IIPI-MIJP-FR-1C1211 CIIRGNG PMP ClllC FAILS TO RUN FOR 12 HRS 6. JE-5/IIR 12hr 8.00E-4 LOG NOR 2.9 PSD llPI-MDP-FR-lC2411 CIIRGNG PMP ClllC FAILS 'l'O RUN FOR 24 IIRS 6. JE-5/IIR 24hr 1.60E-3 LOG NOR 2.9 PSD IIPI-MDP-FR-2A611R CIIG PMP U2 Cll2A FAILS 'l'O RUN FOR 6 HRS 6. 3E-5/llR 6hr 4.00E-4 LOG NOR 2.9 PSD HPI-MDP-FR-2C6IIR CHG PMP U2 Cll2C FAILS TO RUN FOR 6 HRS 6.JE-5/IIR 6hr 4.00E-4 LOG NOR 2.9 PSD HPI-MDP-FS CHARGING PUMP FAILS 'l'O S'l'l\R'l' ON DEMAND 4.0E-3/D 4.00E-3 LOG NOR 3.5 PSD HPI-MDP-FS-Cllll\ CHARGING PMP ClllA FAILS TO STAR'!' ON DMD 4.0E-3/D .,.. 4.00E-3 LOG NOR 3.5 PSD IIPI-MUP-FS-ClllB CHARGING PMP ClllB FAILS 'l'O STJ\R'l' ON DMD 4.0E-3/D 4.00E-3 LOG NOR 3.5 PSD IIPI-MUP-FS-ClllC CHARGING PMP ClllC FAILS 'l'O START ON DMD 4, OE-3/D 4.00E-3 LOG NOR 3.5 PSD BPI-MUP-FS-Cll2A U2 CHARGING PMP Cll21\ FAILS TO S'l'J\R'f 4.0E-3/D 4.00E-3 LOG NOR 3.5 PSD HPI-MDP-FS-Cll2C U2 CIIJ\RGING PMP Cll2C FAILS TO S'l'ART 4.0E-3/D 4.00E-3 LOG NOR 3.5 PSD HPI-MDP-MA-Cll1B 'l'EST AND MAIN'!' ON IIPI MDP CH1B 2.0E-3/D 2.00E-3 LOG NOR 10 ASEP GEN HPI-MDP-MA-ClllC 'l'EST AND MJ\INT ON BPI MDP CHlC 2.0E-3/D 2.00E-3 LOG NOR 10 ASEP GEN HPI-MDP-MA-CH2C TEST AND MAIN'f ON HPI UNI'f2 MOP CH2C 2.0E-3/D 2,00E-3 LOG NOR 10 ASEP GEN
| |
| | |
| TABLE 4.9-7 (Continued)
| |
| BURRY DATA TABLE Failure Unavail. 8 Dist. Source/
| |
| Event Id Event Description Rate Time (Mean) 'l'ype EF Comments HPI-MOV-FT HPI MOTOR OP VALVE FAILS 'l'O TRANSFER 3.0E-3/D 3.00E-3 LOG NOR 10 ASEP GEN HPI-MOV-FT-1115B HPI MOV 1115B FAILS TO OPEN ON DEMAND 3.0E-3/D 3.00E-3 LOG NOR 10 ASEP GEN HPI-MOV-FT-1115C HPI MOV 1115C FAILS TO CLOSE 3.0E-3/D 3.00E-3 LOG NOR 10 ASEP GEN HPI.-MOV-FT-1115D JIPI MOV 1115D FAILS TO OPEN ON DEMAND 3. OE-3/D J.OOE-3 LOG NOR 10 ASEP GEN HPI-MOV-F'f-1115E HP! MOV 1115E FAILS TO CLOSE 3.0E-3/D 3.00E-3 LOG NOR 10 ASEP GEN HPI-MOV-FT-1350 HP! MOV 1350 FAILS TO OPEN 3.0E-3/D 3.00E-3 LOG NOR 10 ASEP GEN HPI-MOV-FT-1867C IIPI MOV 1867C FAILS TO OPEN ON DEMl\ND 3.0E-3/D 3.00E-3 LOG NOR 10 ASEP GEN HPI-MOV-FT-18670 IIPI MOV 18670 FAILS TO OPEN ON DEMAND 3.0E-3/D 3.00E-3 LOG NOR 10 ASEP GEN JIPI-MOV-PG-1115B IIPI MOV 1115B PLUGGED 1.0E-7/IIR lmo 4.00E-5 LOG NOR 3 ASEP GEN HPI-MOV-PG-1115D HP! MOV 1115D PLUGGED 1. OE-7/HR Imo 4.00E-5 LOG NOR 3 ASEP GEN
| |
| ':'" HPI-MOV-PG-1269A IIPI MOV 1269A PLUGGED 1. OE-7/IIR Imo 4.00E-5 LOG NOR 3 ASEP GEN c:.c I
| |
| c..:, IIPI-MOV-PG-1270A IIPI MOV 1270A PLUGGED l.OE-7/HR Imo 4.00E-5 LOG NOR 3 ASEP GEN
| |
| .i::,. HPI-MOV-PG-1286B HP! MOV 1286B PLUGGED l.OE-7/JIR Imo 4.00E-5 LOG NOR 3 ASEP GEN HPI-MOV-PG-1286C IIPI MOV 1286C PLUGGED 1. OE-7/HR lmo 4.00E-5 LOG NOR 3 ASEP GEN HPI-MOV-PG-1350 HP! MOV 1350 PLUGGED l.OE-7/HR lmo 4.00E-5 LOG NOR 3 ASEP GEN IIPI-MOV-PG-1867C HP! MOV 1B67C PLUGGED 1. OE-7/IIR lmo 4.00E-5 LOG NOR 3 ASEP GEN HPI-MOV~PG-1867D HP! MOV 1867D PLUGGED 1. OE-7/HR lmo 4.00E-5 LOG NOR 3 ASEP GEN HPI-XJIE- FO-AL'f OP FAILS '1'0 REC CCF OF HPI ,DISCH MOV 6.IE-I/0 6.IOE-I MAX ENTk
| |
| * RECOVERY BPI -XIIE- FO-AL'l'I N OP FAILS *ro REC HP! VIA ALT PATH 5.7E-3/D 5.70E-3 LOG NOR 10 RECOVERY HPI-XIIE-FO-AI,'fI 3 OP FAILS 'l'O REC If PI VIA AL'f PATIi FOR S3 7.0E-4/D 7.00E-4 LOG NOR 10 RECOVERY HPI-XIIE-FO-AL'l'SJ OP FAILS TO REC CCF OF IIPI DISCH MOV 7.4E-2/D 7.40E-2 MAX EN'rk
| |
| * RECOVERY HPI-XIIE-FO-FIJBLD OP FAILS TO ESTAB FEED & BLEED 7. lE-2/D 7.lOE-2 MAX ENTk
| |
| * HRA JIPI-XIIE-FO-PLLCK OP FAILS TO REMOVE PULL LOCK CONDITION 2.7E-3/D 2.70E-3 LOG NOR 10 HRA JIPI-XIIE-FO-UN2111 OP FAILS *ro XCONN IIPI.FM U2 FOR S 2/S 3Hl 1. 6E-3/IJ l.60E-3 LOG NOR 10 RECOVERY IIPI-XIIE-FO-UN 2 S 2 OP FAILS '1'0 XCONN HPI FM U2 FOR S 2 DI 3.lE-1/D 3.lOE-1 MAX ENTk
| |
| * RECOVERY HPI-X1IE-FO-Ull2S3 OP FAILS 'l'O XCONN HPI FM U2 FOR S 3 D1 4.4E-2/D 4.40E-2 MAX ENTk
| |
| * RECOVERY IIPI-XIIE-F0-201Jll2 OP FLS 'l'O XCONN JIPI FM U2 FOR S 20ull 1/H 2 .4.JE-3/D 4.JOE-3 MAX ENTk
| |
| * RECOVERY HPI-XHE-F0-30Dll2 OP FLS 'l'O XCONN HPI FM U2 FOR S 30Dlll/H 2 2.lE-3/D 2.lOE-3 LOG NOR 10 RECOVERY HPI-XVM-PG-XV24 MANUAL VLV XV24 PLGGED lE-7/HR lmo 4.00E-5 LOG NOR 3 ASEP GEN
| |
| * TABLE 4.9-7 (Continued)
| |
| SURRY DATA TABLE Failure Unavail. 8 Dist. Source/
| |
| Event Id Event Description Rate 'l'ime (Mean) 'l'ype EF Comments
| |
| - ---
| |
| HPR-MDP-FR-J\1811R CHARGING MDP-ClllA FAILS 'l'O RUN 18 HR 6. 8E-5/IIR 18hr 1. 20E-3 LOG NOR 2.9 PSD HPR-MDP-FR-B1811R CHARGING MDP-Cll1B FAILS TO RUN 18 IIR 6. 8E-5/IIR 18hr 1. 20E-3 LOG HOR 2.9 PSD HPR-MDP-FR-Cl211R CHARGING MDP-ClllC FAILS 'l'O RUN 12 HR 6. 8E-5/IIR 12hr 8.00E-4 LOG NOR 2.9 PSD HPR-MDP-FR-Cl8HR CHARGING MDP-ClllC FAILS 'I'O RUN 18 HR 6.8E-5/IIR 18hr 1. 20E-3 LOG NOR 2.9 PSD IAS-AOV-LK-CC107 INSTH.UMEN'l' AIR LEAK 'l'O TV-CC-107 2.4E-5/D 2.40E-5 LOG NOR 3 NOTE (C)
| |
| IAS-AOV-OC-CC107 AOV 'l'V-CC-107 'l'RANSFERS CLOSED 7.5E-7/D 7.50E-7 LOG NOR 3 NOTE (C)
| |
| IAS-AOV-PG-CC107 AOV TV-CC-107 PLUGGED lE-7/HR lmo 4.00E-5 LOG NOR 3 ASEP GEN
| |
| .
| |
| ,i,.
| |
| ~
| |
| IAS-CCF-LF-INAIR LOSS OF INSTRUMENT AIR 'l'O ALL AOVs 2. 7E-5/D 2.70E-5 LOG NOR 10 NOTE (C)
| |
| I c,:,
| |
| <:)l IE-A LARGE LOSS OF COOLANT ACCIDENT 5E-4/YR 5.00E-4 LOG NOR 10 ASEP GEH IE-Sl MEDIUM LOSS OF COOLAN'l' ACCIDENT lE-3/YR 1.00E-3 LOG NOR 10 ASEP GEN IE-S2 SMALL LOSS OF COOLANT ACCIDENT lE-3/YR l.OOE-3 LOG NOR 10 ASEP GEN IE-SJ VERY SMALL LOSS OF COOLANT ACCIDENT 1. JE-2/YR 1. JOE-2 LOG NOR 10 SECT 4.3.4 IE-T FULL PWR XIEN'l' EVEN'!' REQUIRING RX SCRAM 6. 6E-O/YR 6.60E-O LOG NOR 3 NUREG-3862 IE-Tl LOSS OF OFFSI'l'E POWER 7.7E-2/YR 7.70E-2 SPECIAL - NUREG-5032 IE-'1'2 LOSS OF MAIN FEEIJWJ\'l'ER 9. 4E-1/YR 9.40E-1 LOG NOR 3 NUREG-5032 IE-'1'3 TURBINE '!'RIP WI'l'll MAIN FEEDWA'l'ER AVAIL 7.JE-0/YR 7.JOE-0 LOG NOR - NUREG-3862 IE-T5A LOSS OF DC BUS lA 5E-3/YR 5.00E-3 LOG NOR 10 ASEP GEN IE-'I'5B LOSS OF DC BUS lB, 5E-3/YR 5.00E-3 LOG NOR 10 ASEP GEN IE-T7 STEAM GENERATOR TUBE RUPTURE lE-2/YR l.OOE-2 LOG NOR 5 SECT 4.3.4 IE-'I'N IIIGII PWR XIEN'l' EVEN'!' REQUIRING RX SCRAM 5.9E-O/YR 5.90E-O LOG NOR 3 NUREG-3862 IE-V-'I'RJ\IN-1 IN'l'ERFACING LOCA FM RCS LOOP 1 TO LPI 4.0E-7/YR 4.00E-7 POINT EST NOTE (G)
| |
| IE-V-'l'RAIN-2 IN'I'ERFACING LOCA FM RCS LOOP 2 TO LPI 4.0E-7/YR 4.00E-7 POIHT EST NOTE (G)
| |
| IE-V-'I'RAIN-3 INTERFACING LOCA FM RCS LOOP J TO LPI 4.0E-7/YR 4.00E-7 POINT EST NOTE (G)
| |
| ISR-CCF-FS-RSll\D CCFAII, 'l'O S'l'AR'l' ISR PMPS 4.20E-J NOTE (D)
| |
| ( ISR-MDP-FS "'BE'I'J\-CSS)
| |
| ISR-MDP-FR-RSll\ !SR MO'l'OR DRIVEN PMP RSlA FAILS 'l'O RUH JE-5/IIR 24hr 7.20E-4 LOG NOR 10 ASEP GEN ISR-MDP-FR-RS1B ISR MOTOR DRIVEN PMP RS1B FAILS 'l'O RUN JE-5/HR 24hr 7.20E-4 LOG NOR 10 ASEP GEN
| |
| | |
| TABLE 4.9-7 (Continued)
| |
| BURRY Dl\TA TABLE Failure Unavail. 8 Dist. Source/
| |
| Event Id Event Description Rate Time (Mean) 'l'ype EF Comments ISR-MDP-FS ISR MOTOR DRIVEN PUMP FAILS 'l'O S'l'AR'l' 3.8E-2/D 3,80E-2 LOG NOR 3.8 PSD ISR-MDP-FS-RSlA !SR MOTOR DRIVEN PUMP FAILS TO START 3,8E-2/D 3.80E-2 LOG NOR 3.8 PSD ISR-MDP-FS-RS1B !SR MO'l'OR DRIVEN PUMP FAILS 'l'O STAR'!' 3. 8E-2/D 3,80E-2 LOG NOR 3.8 PSD ISR-MDP-MA-RS1A '!'EST AND MJ\IN'l' ON MDP RSll\ 2E-3/D 2,00E-3 LOG NOR 10 ASEP GEN ISR-MDP-MA-RS1B '!'EST AND MAIN'!' ON MDP RS1B 2E-3/D 2.00E-3 LOG NOR 10 ASEP GEN ISR-STR-PG-RSll\S ISR STRAINER RSlAS PLUGGED 3E-5/HR 24hr 7,20E-4 LOG NOR 10 ASEP GEN ISR-STR-PG-RS1BS ISR STRAINER RS1BS PLUGGED JE-5/HR 24hr 7.20E-4 LOG NOR 10 ASEP GEN
| |
| ':'"
| |
| co I
| |
| i:..:,
| |
| O')
| |
| K FAILURE OF RPS TO SCRAM '!'HE RX 6E-5/D 6.00E-5 LOG NOR 5 NUREG-1000 LOSP LOSS OF OFFSI'l'E W/IN 24 HRS OF INI'I' 2.16E-4/D 2.20E-4 SPECIAL 5 ASEP GEN LOSP-6HR LOSS OF OFFSI'l'E PWR W/IN 6 HRS OF INI'l' 7.60E-5/D 7.60E-5 SPECIAL J ASEP GEN LPI-CCF-CKVSI241 DEP FAIL CKV SI241 GIVEN UPS'l'REAM RP 5.20E-3 NOTE (G)
| |
| LPI-CCF-CKVSI242 DEP FAIL CKV SI242 GIVEN UPSTREAM RP 5.20E-3 NOTE (G)
| |
| LPI-CCF-CKVSI243 DEP FAIL CKV SI243 GIVEN UPS'l'RE/\M RP 5.20E-3 NOTE (G)
| |
| LPI-CCF-FS-SilAB CCFAIL OF MOPS SilA AND ~I1B 4.50E-4 NOTE (D)
| |
| (LPI-MDP-FS*BETA-LPI)
| |
| LPI-CKV-FT-CV46A CHECK VLV CV46A FAILS 'l'O OPEN lE-4/D l.OOE-4 LOG NOR 3 ASEP GEN LPI-CKV-FT-CV46B CHECK VLV CV46B FAILS '1'0 OPEN lE-4/D l.OOE-4 LOG NOR 3 ASEP GEN LPI-CKV-F'l'-CV50 CHECK VLV CV50 FAILS TO OPEN lE-4/D l.OOE-4 LOG NOR 3 ASEP GEN LPI-CKV-F'l'-CV58 CHECK VLV CV58 FAILS TO OPEN lE-4/D l.OOE-4 LOG NOR 3 ASEP GEN LPI-CKV-F'l'-CV82 CHECK VLV CV82 FAILS 'l'O OPEN lE-4/D 1. OOE-4 LOG NOR 3 ASEP GEN LPI-CKV-F'l'-CV85 CHECK VLV CV85 FAILS 'l'O OPEN lE-4/D 1.00E-4 LOG NOR 3 ASEP GEN LPI-CKV-F'l'-CV241 CHECK VLV CV241 FAILS *ro OPEN lE-4/D l,OOE-4 LOG HOR 3 ASEP GEN KV-F'l'-CV24 2 CHECK VLV CV242 FAILS 'l'O OPEN lE-4/0 1. OOE-4 LOG NOR 3 A GEN V-F'l'-CV243 CHECK VLV CV243 FAILS 'l'O OPEN lE-4/0 1.00E-4 LOG NOR 3 EN
| |
| | |
| TABLE 4.9-7 (Continued)
| |
| BURRY DATA TABLE Failure Unavail. 8 Dist. Source/
| |
| Event Id Event Description Rate Time (Mean) Type EF comments LPI-CKV-F'l'-SI79 FAILURE OF CV SI79 'l'O CLOSE 3.0lE-3/D 3.0lE-3 NOTE (G)
| |
| LPI-CKV-F'I'-SI82 FAILUHE OF CV SI82 '1'0 CLOSE 3.0lE-3/D 3.0lE-3 NOTE (G)
| |
| LPI-CKV-FT-SI85 FAILURE OF CV SI85 'I'D CLOSE 3.0lE-3/lJ 3.0lE-3 NOTE (G)
| |
| LPI-CKV-FT-S241 FAILURE OF CV SI241 'l'O CLOSE 3.0lE-3/U 3.0lE-3 NOTE '(G)
| |
| LPI-CKV-F'l'-S242 FAILURE OF CV SI242 TO CLOSE 3.0lE-3/lJ 3~01E-3 NOTE (G)
| |
| LPI-CKV-FT-S243 FAILURE OF CV SI243 'l'O CLOSE 3.0lE-3/D 3.0lE-3 NOTE (G)
| |
| LPI-CKV-OO-CV50 CHECK VLV CV50 FLS ,'l'O snu*r, CAUSE BKFLW lE-3/D 1. OOE-3 LOG HOR 3 ASEP GEN LPI-CKV-OO-CV58 CHECK VLV CV58 FLS TO SHUT,CAUSE BKFLW lE-3/0 l.OOE-3 LOG NOR 3 ASEP GEH LPI-CKV-RP-SI79 RUPTURE OF LPI CKV SI79 3.64E-5 POINT EST NOTE (G)
| |
| 'f" LPI-CKV-RP-SI82 RUP'l'URE OF LPI CKV SI82 3.64E-5 POINT EST NOTE (G) tC LPI-CKV-RP-SI85 RUP'l'URE OF LPI CKV SI85 3.64E-5 POINT EST NOTE (G)
| |
| I w LPI-CKV-RP-SI241 RUPTURE OF LPI CKV SI241 3.64E-5 POINT EST NOTE (G)
| |
| -.;:i LPI-CKV-RP-SI242 RUPTURE OF LPI CKV SI242 3.64E-5 POINT EST NOTE (G)
| |
| LPI-CKV-RP-SI243 RUPTURE OF LPI CKV SI243 3.64E-5 POINT EST NOTE (G)
| |
| LPI-MDP-FR-lAJOM LPI MDP SilA FAILS 'l'O RUN FOR 30 MIN 3E-5/IIR .5hr 1.50E-5 LOG NOR 10 ASEP GEN LPI-MDP- FR-lAlllR LPI MDP SilA FAILS TO RUN FOR 1 HR JE-5/HR 1hr 3.00E-5 LOG NOR 10 ASEP GEN LPI-MDP-FR-1A3HR LPI MDP SilA FAILS TO RUN FOR 3 HRS JE-5/HH. 3hr 9.00E-5 LOG NOR 10 ASEP GEN LPI-MDP-FR-1A611R LPI MDP SilA FAILS TO RUN FOR 6 IIRS JE-5/IIR 6hr 1. 80E-4 LOG NOR 10 ASEP GEN LPI-MDP-FR-1B30M LPI MOP SllB FAILS 'l'O RUN FOR 30 MIN JE-5/HR .5hr 1.50E-5 LOG NOR 10 ASEP GEN LPI-MDP-FR-1B1IIR LPI MDP SI1B FAILS TO RUN FOR 1" HR 3E-5/IIR 1hr 3.00E-5 LOG NOR 10 ASEP GEN LPI-MDP-FR-1B3IIR LPI MDP SI1B FAILS 'I'D RUN FOR 3 HRS JE-5/IIR 3hr 9.00E-5 *LOG NOR 10 ASEP GEH LPI-MOP-FR-1B611R LPI MOP SilB FAILS TO RUN FOR 6 HRS JE-5/IIR 6hr 1. 80E-4 LOG NOR 10 ASEP GEN LPI-MOP-FR-A611R LPI MDP SilA FAILS 'l'O RUN FOR 6 HRS JE-5/HR 6hr 1. 80E-4 LOG NOR 10 ASEP GEN LPI-MDP-FR-Al8HR LPI MDP SilA FAILS TO RUN 18 HRS JE-5/HR 18hr 5.40E-4 LOG NOR 10 ASEP GEN LPI-MDP-FR-A2111R LPI MOP SilA FAILS 'l'O RUN FOR 21 HRS JE-5/HR 21hr 6.JOE-4 LOG NOR 10 ASEP GEN LPI-MDP-FR-A2411R LPI MDP SilA FAILS 'l'O RUN FOR 24 HRS JE-5/HR 24hr 7.20E-4 LOG NOR 10 ASEP GEN LPI-MDP-FR-B611R LPI MDP SilB FAILS 'l'O RUN FOR 6 HRS JE-5/HR 6hr 1. 80E-4 LOG NOR 10 ASEP GEN LPI-MDP-FR-B1811R LPI MDP SilB FAILS TO RUN 18 HRS JE-5/HR 18hr 5.40E-4 LOG NOR 10 ASEP GEN LPI-MDP-FR-B2 lllR LPI MDP SilB FAILS 'l'O RUN FOR 21 HRS JE-5/HR 21hr 6.JOE-4 LOG NOR 10 ASEP GEN LPI-MDP-FR-B24HR LP! MOP SilB FAILS TO RUN FOR 24 HRS JE-5/IIR 24hr 7.20E-4 LOG NOR 10 ASEP GEN
| |
| | |
| TABLE 4.9-7 (Continued)
| |
| SURRY DATA TABLE Failure Unavail. 8 Dist. Source/
| |
| Event Id Event Description Rate *rime (Mean) Type EF Comments LPI-MDP-FS LPI MOTOR DRIVEN PUMP FAILS TO S'l'J\R'f JE-3/D 3.00E-3 LOG NOR 10 ASEP GEN LPI-MDP-FS-SilA LPI MDP SilA FAILS TO STAR'l' ON DEMAND JE-3/D 3.00E-3 LOG NOR 10 ASEP GEN LPI-MDP-FS-SI18 LPI MDP SI18 FAILS TO START ON DEMAND JE-3/D 3.00E-3 LOG NOR 10 ASEP GEN LPI-MDP-MA-SilA 'l'EST AND MAINT ON LPI MDPSilA 2E-3/D 2.00E-3 LOG NOR 10 ASEP GEN LPI-MDP-MA-SI18 TEST AND MAINT ON LPI MDPSI1B 2E-3/D 2.00E-3 LOG NOR 10 ASEP GEN LPI-MOV-PG-18621\ LPI MOTOR OPER VLV 1862A PLUGGED lE-7/HR lmo 4.00E-5 LOG NOR 3 ASEP GEN LPI-MOV-PG-18628 LPI MOTOR OPER VLV 18628 PLUGGED lE-7/HR lmo 4.00E-5 LOG NOR 3 ASEP GEH LPI-MOV-PG-18641\ LPI MO'l'OR OPERATED VLV 1864A PLUGGED lE-7/flR lyr 4.40E-4 LOG NOR 3 ASEP GEN tf' LPI-MOV-PG-18648 LPI MOTOR OPERA'l'ED VLV 18648 PLUGGED lE-7/HR lyr 4.40E-4 LOG NOR 3 ASEP GEN tC I
| |
| LPI-MOV-PG-1890C LPI MO'rOR OPERA'l'ED VLV 1890C PLUGGED lE-7/HR lyr 4.40E-4 LOG NOR 3 ASEP GEN
| |
| ~
| |
| 00 LPI-XVM-PG-XV48 MANUAL VLV XV48 PLUGGED lE-7/HR lmo 4.00E-5 LOG NOR 3 ASEP GEN LPI-XVM-PG-XV57 MANUAL VLV XV57 PLUGGED lE-7/HR lmo 4.00E-5 LOG NOR 3 ASEP GEN LPR-CCF-FT-860AB CC FAIL OF MOV 1860A/B 2.60E-4 NOTE (D)
| |
| (LPR-MOV-FT*BETA-2MOV)
| |
| LPR-CCF-FT-8621\B CC FAIL OF MOV 18621\/8 2.60E-4 NOTE (D)
| |
| (LPR-MOV-FT*8ETA-2MOV)
| |
| LPR-CCF-FT-863A8 CC FAIL OF MOV 18631\/8 2.60E-4 NOTE (D)
| |
| (LPR-MOV-FT*BETA-2MOV)
| |
| LPR-CCF-FT-890A8 CC FAIL OF MOV 1890A/8 2.60E-4 NOTE (D)
| |
| (LPR-MOV-FT*BETA-2MOV)
| |
| LPR-CCF-PG-SUMP PLUGGING OF THE CONTAINMENT SUMP 5E-5/D 5.00E-5 LOG NOR 100 ZION PRA LPR-CKV-FT-CV47 CHECK VLV CV47 FAILS TO OPEN lE-4/D 1. OOE-4 LOG NOR 3 ASEP GEN LPR-CKV-FT-CV56 CHECK VLV CV56 FAILS TO OPEN lE-4/D l.OOE-4 LOG NOR 3 ASEP GEN LPR~CKV-FT-CV228 CHECK VLV CV228 FAILS *ro OPEN lE-4/IJ 1. OOE-4 LOG NOR 3 ASEP GEN LPR-CKV-FT-CV229 CHECK VLV CV229 FAILS TO OPEN lE-4/D l.OOE-4 LOG NOR 3 ASEP GEN
| |
| | |
| TABLE 4.9-7 (Continued)
| |
| SURRY DATA TABLE Failure Unavail. 8 Dist. Source/
| |
| Event Id Event Description Rate Time (Mean) Type EF Comments LPR-MOV-FT LPR MOTOR OPERA'l'ED VLV FAILS TO TRNSFER JE-3/D 3.00E-3 LOG NOR 10 ASEP GEN LPR-MOV-FT-1860A LPR MOTOR OPER VLV 1860A FAILS TO"OPEN JE-3/D J.OOE-3 LOG NOR 10 ASEP GEN LPR-MOV-FT-1860B LPR MOTOR OPER VLV l860B FAILS TO OPEN JE-3/D J.OOE-3 LOG NOR 10 ASEP GEN LPR-MOV-FT-1862A LPR MOTOR OPER VLV 1862A FAILS TO CLOSE 5.2E-3/D 5.20E-3 LOG NOR 10 NOTE (C)
| |
| LPR-MOV-FT-18628 LPR MOTOR OPER VLV l862B FAILS TO CLOSE 5.2E-3/D 5.20E-3 LOG NOR 10 NOTE (C)
| |
| LPR-MOV-FT-1863A LPR MOTOR OPER VLV 1863A FAILS TO OPEN JE-3/D 3.00E-3 LOG NOR 10 ASEP GEN LPR-MOV-FT-18638 LPR MOTOR OPER VLV l863B FAILS TO OPEN JE-3/D J.OOE-3 LOG NOR 10 ASEP GEN LPR-MOV-FT-1890A LPR MOTOR OPER VLV 1890A FAILS TO OPEN JE-3/D 3.00E-3 LOG NOR 10 ASEP GEN LPR-MOV-FT-1890B LPR MOTOR OPER VLV 1890B FAILS TO OPEN JE-3/D 3.00E-3 LOG NOR 10 ASEP GEN LPR-MOV-PG-1863A LPR MOTOR OPER VLV 1863A PLUGGED lE-7/IIR 18mo 6.60E-4 LOG NOR 3 ASEP GEN LPR-MOV-PG-18638 LPR MOTOR OPER VLV 1863B PLUGGED lE-7/IIR 18mo 6.60E-4 LOG HOR 3 ASEP GEN
| |
| ':'" LPR-MOV-PG-l890A LPR MOTOR OPER VLV 1890A PLUGGED lE-7/HR lBmo 6.60E-4 LOG NOR 3 ASEP GEN co I LPR-MOV-PG-1890B LPR MOTOR OPERATED VLV l890B PLUGGED lE-7/HR 18mo 6.60E-4 LOG NOR J ASEP GEN w
| |
| co LPR-XIIE-FO-HOTLG OP FAILS TO ALIGN FOR HOT LEG RECIRC 4E-5/D 4.00E-5 LOG NOR 10 HRA M FAILURE TO RESTORE MAIN FEEDWATER 2.9E-3/D 2.90E-3 LOG NOR 10 RECOVERY MCW-CCF-VF-INLVL INSUF INTAKE CANAL LVL DURING NRML OPS lE-9/D 1. OOE-9 LOG NOR 10 NOTE (C)
| |
| MCW-CCF-VF-SBO OP FAILS TO CLS COND !SOL VLV FOR SBO 6E-2/D 6.00E-2 MAX ENTk
| |
| * NOTE (C)
| |
| MSS-AOV-FC-lOlA SG PORV lOIA BLOCK VLV SHUT PRIOR 'l'O IE 1. 5E-1/D 1.50E-1 POINT EST PSD MSS-AOV-FC-lOlB SG PORV 1018 BLOCK VLV SHUT PRIOR TO IE 1. 5E-1/D 1. 50E-1 POINT EST PSD MSS-AOV-FC-lOlC SG PORV lOlC BLOCK VLV SHUT PRIOR TO IE 1.5E-1/D 1.50E-1 POINT EST PSD MSS-AOV-F'f SG BLWDWH !SOL BLOCK VLV FAILS TO SHUT lE-3/D 1. OOE-3 LOG NOR 3 ASEP GEN MSS-AOV-FT-TVBDA SG BLWDWN ISOL 'l'VBDA FAILS TO snu*r IE-3/D 1. OOE-3 LOG NOR 3 ASEP GEN MSS-AOV-FT-TV80B SG BLWDWN ISOL 'l'V8DB FAILS TO snu*r lE-3/D 1.00E-3 LOG HOR 3 ASEP GEN MSS-1\0V-FT-lOIA SG PORV 1011\ FAILS 'l'O OPEN ON DEMAND lE-3/D 1. OOE-3 LOG NOR 3 ASEP GEN MSS-AOV-FT-1018 SG PORV 1018 FAILS TO OPEN ON DEMAND lE-3/D l.OOE-3 LOG HOR 3 ASEP GEN MSS-1\0V-F'l'-lOlC SG PORV lOlC FAILS TO OPEN ON DEMAND lE-3/D 1.00E-3 LOG NOR 3 ASEP GEN
| |
| | |
| TABLE 4.9-7 (Continued)
| |
| SURRY DATA TABLE Failure Unavail. 8 Dist. Source/
| |
| Event Id Event Description Rate Time (Mean) Type EF Comments MSS-AOV-PG-lOlA SG PORV 101A PLUGGED lE-7/HR 4.00E-5 LOG NOR 3 ASEP GEN MSS-AOV-PG-1018 SG PORV 1018 PLUGGED lE-7/HR 4.00E-5 LOG NOR 3 ASEP GEN MSS-AOV-PG-lOlC SG PORV lOlC PLUGGED lE-7/HR 4.00E-5 LOG NOR 3 ASEP GEN MSS-CCF-FT-OlABC cc FAIL o.F SG PORVs TO OPEN 7.00E-5 NOTE (D)
| |
| (MSS-AOV-FT*BETA-SRV)
| |
| MSS-CCF-F'f-'l'VAB CC FAIL OF TURB BYP VLVs 'l'O OPEN l.OOE-4 NOTE (D)
| |
| (MSS-AOV-FT*BETA-AOV)
| |
| .co
| |
| ,i::,. MSS-CKV-FT-SGDHR BKFLW 'l'HRU 1 OF 2 SG DECAY HEAT RMVL CV 2E-3/D 2.00E-3 LOG NOR 3 NOTE (C)
| |
| I
| |
| ,i::,.
| |
| 0 MSS-SOV-00-0DADV SG PORV FLS 'l'O SHUT, SGTR W/0 OP DPHESS 1. 00/D l.OOE-0 POINT EST NOTE (H)
| |
| MSS-SOV-00-SGADV SG PORV FAILS *ro SHU'r, SGTR W/DPHESS JE-2/D 3.00E-2 LOG NOR 10 ASEP GEN MSS-SRV-00-0DSRV SG SRV FAILS 'l'O SHUT, SGTR W/0 DPHESS 1. 00/D 1. OOE-0 POINT EST NOTE (H)
| |
| MSS-SRV-00-SGSRV SG SRV FAILS TO SHU'l', SGTR W/DPRESS JE-2/D 3.00E-2 LOG NOR 10 ASEP GEN MSS-XIIE-FO-BLOCK FAILURE OF OP 'l'O TERMINA'l'E FLOW FROM 6.4E-2/D 6.40E-2 MAX ENTk
| |
| * RECOVERY STUCK OPEN SG PORV MSS-XIIE-FO-ISAFW FAILURE OF OP 'l'O 'l'ERMINA'l'E FLOW FROM 6.BE-6/D 6.BOE-6 LOG NOR 10 RECOVERY TDP STM LINE DURING SGTR MSS-XHE-FO-ISBlJN FAILURE OF OP 'l'O TERMINATE FLOW FROM 3. 4E-3/D 3.40E-3 LOG NOR 10 RECOVERY SG BLWDWN LINE DURING SG'l'R MSS-XIIE-FO-ISDHR OP FAILS 'l'O ISOL STM FLOW VIA DECAY 1. 4E-2/D l.40E-2 LOG NOR 10 RECOVERY HEAT REMOVAL BY COOLDOWN NOTDG 'l'HE '!'HIRD DG SUCCEEDS, SUPPLIES U2 FOR SBO 9.70E-1 POINT EST NOTE (I)
| |
| NOTDG-CCF SUCCESS OF 'l'HE JRlJ DG AF'l'ER CC FAILURE OF 2 - 5.20E-1 POINT EST NOTE (I)
| |
| NO'fL-SBOUl AFW SUCCESS DURIHG SBO A'l' UNI'l' 1 ONLY 9.93E-1 POINT EST NOTE (I)
| |
| NO'l'L-SB0U1U2 AFW SUCCESS DURING SBO AT UNITS 2 AND 2 9.6BE-1 POINT EST NOTE (I)
| |
| NOTO OP SUCCEEDS IN DEPRESSURIZATION DURING SBO 9.51E-1 POINT EST NOTE (I)
| |
| NOTQ RCS PORV RESHU'l' DURING SBO 9.73E-1 POINT EST NOTE (I)
| |
| QS ALL SG PORV RESIIU'l' DURING SBO 7.JOE-1 POINT EST NOTE (I) 2 SEAL COOLING FM UNIT2 SUCCES~ SBO 8.lSE-1 POINT EST E (I)
| |
| | |
| *
| |
| * TABLE 4.9-7 (Continued)
| |
| BURRY DATA TABLE
| |
| * Failure Unavail. 8 Dist. Source/
| |
| Event Id Event Description Rate 'l'ime (Mean) Type EF Comments NRAC-l50MIN NON-RECOVERY l\.C PWR W/IN 150 MIN OF LOSP 2.lOE-1 SPECIAL - NUREG-5032 NRAC-201MIN NON-RECOVERY AC PWR W/IN 201 MIN OF LOSP 1. SOE-1 SPECIAL - NUREG-5032 NRAC-216MIN NON-RECOVERY AC PWR W/IN 216 MIN OF LOSP 1. 3BE-1 spECIAL - NUREG-5032 NRAC-234MIN NON-RECOVERY AC PWR W/IN 234 MIN OF LOSP 1.23E-l SPECIAL - NUREG-5032 NR1\C-246MIN NON-RECOVERY AC PWR W/IN 246 MIN OF LOSP 1.15E-1 SPECIAL - NUREG-5032 NRAC-25BMIN NON-RECOVERY AC PWR W/IN 258 MIN OF LOSP 1. OBE.-1 SPECIAL - NUREG-5032 NRAC-HALFHR NON-RECOVERY AC PWR W/IN 30 MIN OF LOSP 6.00E-1 SPECIAL - NUREG-5032 NRAC-lllR NON-RECOVRY l\.C PWR W/IN 1 HR OF LOSP 4.40E-:J_ SPECIAL - NUREG-5032 NRAC-7HR NON-RECOVRY AC PWR W/IN 7 HRS OF LOSP 5.00E-2 'SPECIAL - NUREG-5032
| |
| """
| |
| 'co I
| |
| NRAC-6HR-AVG NON-RECOVERY OF AC PWR W/IN 6 HRS OF LOSP, 1. 94E-l SPECIAL - NOTE (C)
| |
| AVG W/TDP-FR 6 HRS
| |
| """
| |
| r-'
| |
| NRAC-24HR-AVG NON-RECOVERY OF AC PWR W/IN 24 HRS, AVG 6.lOE-2 SPECIAL - NOTE (C)
| |
| W/'l'DP-FR 24 HRS NSLOCA SUCCESSFUL FUNCTION RCP SEALS DURING SBO 2.70E-1 POINT EST NOTE (I) 0 OP FAILS 'l'O DEPRESS RCS DURING SBO 4. 9E-2/D 4.90E-2 MAX ENTk* RECOVERY OEP-Bl\C-S'l'-FDHD mrnERVE S'l'A SRVC FEEDER D BUSWOHK FAILS 9E-5/D 9.00E-5 LOG NOR 5 ASEP GEN OEP- BAC-S'l'-FIJRF RESERVE S'l'A SRVC FEEDER F BUSWORK FAILS 9E-5/D 9.00E-5 LOG NOR 5 ASEP GEN OEP-CCF-FS-DG123 CC FAIL TO START ALL 3 DGs 4.00E-4 NOTE (D)
| |
| (OEP-IJGN-FS*BETA-3DG)
| |
| OEP-CCF-FS-DG12 CC FAIL 'l'O START 1 & 2 DG 8.40E-4 NOTE (D)
| |
| ( OEP-DGN-FS
| |
| * BE'l'A-2 DG)
| |
| OEP-CCF-FS-DG13 CC FAIL TO S'l'AR'l' 1 & 3 DG B.40E-4 NOTE (D)
| |
| (OEP-DGN-FS*BETA-2DG)
| |
| OEP-CCF-FS-DG23 CC FAIL 'l'O S'l'ART 2 & 3 DG B,40E-4 NOTE (D)
| |
| (OEP-DGN-FS*BETA-2DG)
| |
| OEP-CRB-F'l'-15113 DIESEL GEN #1 CKT BRKR 15113 FLS 'l'O CLS 3E-3/D 3.00E-3 LOG NOR 10 !REP OEP-CRB-F'l'-15J3 DIESEL GEN #3 CKT BRKR 15J3 FLS TO CLS 3E-3/D 3.00E-3 LOG NOR 10 IREP OEP-CRB-F'l'-25113 DIESEL GEN #2 CK'l' BRKR 25H3 FLS 'l'O CLS 3E-3/D 3.00E-3 LOG NOR 10 !REP L_
| |
| | |
| TABLE 4.9-7 (Continued)
| |
| SURRY DATA TABLE Failure Unavail. 8 Dist. Source/
| |
| Event Id Event Description Rate Time (Mean) Type EF Comments OEP-DGN-FC-DG3U2 DIESEL GEN #3 UNAVAIL, ALIGNED TO UNI'l'2 3.4E-2/D 3.40E-2 LOG NOR 3 NOTE (C)
| |
| OEP-DGN-FR-DGOl DG #1 FAILS TO RUN FOR 1 HR 2E-3/HR 1hr 2.00E-3 LOG NOR 10 ASEP GEN OEP-DGN-FR-DG02 DG #2 FAILS TO RUN FOR 1 HR 2E-3/IIR 1hr 2.00E-3 LOG NOR 10 ASEP GEN OEP-DGN-FR-DG03 DG #3 FAILS 'l'O RUN FOR 1 HR 2E-3/HR 1hr 2.00E-3 LOG NOR 10 ASEP GEN OEP-DGN-FR-611DG1 DG #1 FAILS TO RUN FOR 6 HRS 2E-3/HR 6hr 1. 20E-2 LOG NOR 10 ASEP GEN OEP-DGN-FR-611DG2 DG #2 FAILS TO RUN FOR 6 HRS 2E-3/HR 6hr 1.20E-2 LOG NOR 10 ASEP GEN OEP-DGN-FR-611DG3 DG #3 FAILS 'l'O RUN FOR 6 HRS 2E-3/HR 6hr l.20E-2 LOG NOR 10 ASEP GEN OEP-DGN-FS DIESEL GENERATOR FAILS TO START 2. 2E-2/D 2.20E-2 LOG NOR 3 PSD
| |
| ~ 'l'O S'l'AR'l' 2.2E-2/D 2.20E-2 LOG NOR PSD c.c OEP-DGN-FS-DGOl DIESEL GENERA'l'OR #1 FAILS 3 I OEP-DGN-FS-DG02 DitSEL GENERATOR #2 FAILS TO STAR'l' 2. 2E-2/D 2.20E-2 LOG NOR 3 PSD
| |
| ""'
| |
| N)
| |
| OEP-DGN-FS-DG03 DIESEL GENERATOR #3 FAILS TO S'l'AR'l' 2. 2E-2/D 2.20E-2
| |
| \
| |
| LOG NOR 3 PSD OEP-DGN-MA-DGOl TEST AND MAIN ON DIESEL GENERATOR #1 6E-3/D 6.00E-3 LOG NOR 10 ASEP GEN OEP-DGN-MA-DG02 'l'ES'l' AND MAIN ON DIESEL GENERA'l'OR #2 6E-3/D 6.00E-3 LOG NOR 10 ASEP GEN OEP-DGN-MA-DG03 'l'ES'l' AND MAIN ON DIESEL GENERA'l'OR. #3 6E-3/D 6.00E-3 LOG NOR 10 ASEP GEN OSR-CCF-FS-RS2AB CCFAIL TO START OSR MDPS 3.30E-4 NOTE (D)
| |
| (OSR-MDP-FS*BETA-CSS)
| |
| OSR-CKV-FT-CVll CHECK VLV CVll FAILS TO OPEN lE-4/D l.OOE-4 LOG UOR 3 ASEP GEN OSR-CKV-F'l'-CVl 7 CHECK VLV CV17 FAILS TO OPEN lE-4/D l.OOE-4 LOG NOR 3 ASEP GEN OSR-MDP-FR-A2411R OSR MDP RS2A FAILS TO RUN 24 HRS 3E-5/IIR 24hr 7.20E-4 LOG NOR 10 ASEP GEN OSR-MDP-FR-B2411R OSR MDP RS2B FAILS 'l'O RUN 24 HRS 3E-5/IIR 24hr 7.20E-4 LOG NOR 10 ASEP GEN OSR!...MDP-FS OSR MDP FAILS 'l'O STJ\R'l' ON DEMAND 3E-3/D 3.00E-3 LOG HOR 10 ASEP GEN OSR-MDP-FS-RS2A OSR MDP RS2A FAILS 'l'O S'l'AR'l' ON DEMAHD 3E-3/D 3.00E-3 LOG NOR 10 ASEP GEN OSR-MDP-FS-RS2D OSR MOP RS2D FAILA 'l'O S'l'AR'l' ON DEMAND JE-3/D 3.00E-3 LOG NOR 10 ASEP GEN OSR-MDP-MA-RS2A 'l'EST AND MAINT on*osR. MDP RS2A 2E-3/D 2.00E-3 LOG NOR 10 ASEP GEN
| |
| -MDP-MA-RS2B 'l'ES'l' AND MAINT ON,OSR MOP RS 2E-3/D 2.00E-3 LOG NOR GEN 10.P
| |
| | |
| *
| |
| * TABLE 4.9-7 (Continued)
| |
| SURRY DATA TABLE Failure Unavai!. 8 Dist. Source/
| |
| Event Id Event Description Rate Time (Mean) Type EF Comments OSR-MOV-PG-155A OSR MOTOR OPER VLV 155A PLUGGED lE-7/IIR 4.00E-5 LOG NOR 3 ASEP GEN OSR-MOV-PG-1558 OSR MOTOR OPER VLV 1558 PLUGGED lE-7/IIR 4.00E-5 LOG NOR 3 ASEP GEN 0SR-MOV-PG-156A OSR MOTOR OPER VLV 156A PLUGGED lE-7/IIR 4.00E-5 LOG NOR 3 ASEP GEN OSR-MOV-PG-1568 OSR MOTOR OPER VLV 1568 PLUGGED lE-7/HR 4.00E-5 LOG NOR 3 ASEP GEN OSR-STR-PG-RS2A OSR MOP RS2A SUMP STRAINER PLUGGED 3.0E-5/IIR 24hr 7.20E-4 LOG NOR 10 !REP OSR-STR-PG-RS2B OSR MOP RS2B SUMP STRAINER PLUGGED 3.0E-5/HR 24hr 7.20E-4 LOG NOR 10 !REP f- PCS-AOV-F'r PCS AIR OPERATED VLV FAILS TO TRANSFER lE-3/0 1.00E-3 LOG NOR 3 ASEP GEN tO I PCS-AOV-F'r-BYPA VLV TO TURB BYP FAILS TO OPEN lE-3/D 1. OOE-3 LOG NOR 3 ASEP GEN
| |
| ,i:::,.
| |
| w PCS-AOV-FT-BYPB VLV TO TURB BYP FAILS TO OPEN lE-3/D 1. OOE-3 LOG NOR 3 ASEP GEN PCS-AOV-FT-MS'l'VA SG MSTVA FAILS TO OPEN lE-3/D l.OOE-3 LOG NOR 3 ASEP GEN PCS-AOV-FT-MSTVB SG MSTVB FAILS TO OPEN lE-3/0 1.00E-3 LOG NOR 3 ASEP GEN PCS-AOV-PG-BYP-A VLV TO TURB BYP A PLUGGED lE-7/HR lmo 4.00E-5 LOG NOR 3 ASEP GEN PCS-AOV-PG-BYP-B VLV 'l'O TURB BYP B PLUGGED lE-7/HR lmo 4.00E-5 LOG NOR 3 ASEP GEN PCS-AOV-PG-MS'l'VA SG 101A MSTV PLUGGED lE-7/HR lmo 4.00E-5 LOG NOR 3 ASEP GEN PCS-AOV-PG-MSTVB SG l01B Ms*rv PLUGGED lE-7/HR lmo 4.00E-5 LOG NOR 3 ASEP GEN PCS-CCF-FT-TRBYP CC FAIL OF TURB BYP VLVS 1. OOE-4 NOTE (D)
| |
| ( PCS-AOV-F'l'* BE'l'A-AOV)
| |
| PCS-XHE- FO-TB'l'RP OP FAILS TO TRIP MAIN '!'URBINE 2. 7E-3/D 2.70E-3 LOG NOR 10 HRA PL PROB OF INITIAL POWER BELOW 25% l.OE-1/0 1. OOE-1 POINT EST SECT 4.4.11 PORV-BLK SG PORV IS BLOCKED PRIOR TO IE 1. 5E-1/D 1. 50E-1 MAX ENTk PSD PORV-NOT-BLK SG PORV IS NOT BLOCKED PRIOR TO IE 8. 5E-1/D B.50E-1 MAX ENTk
| |
| * PSD
| |
| * TABLE 4.9-7 (continued)
| |
| BURRY DATA TABLE Failure Unavail.B Dist. Source/
| |
| Event Id Event Description Rate Time (Mean) Type EF Comments PORV-DEMAND PROB THAT A RCS PORV IS DEMANDED ('1'1) 4.lOE-2 MAX ENTk
| |
| * NOTE (H)
| |
| PORV-DMD-T2-'1'3 PROB THAT A RCS PORV IS DEMANDED (T2' T 3 ) 5.70E-3 LOG NOR 10 NOTE (H)
| |
| PPS-CCF-FT-15356 CC FAIL OF PORV BLKING VLVS 3.50E-3 NOTE (D)
| |
| (PPS-MOV-FT*BETA-2MOV)
| |
| PPS-CCF-FT-PORV CC FAIL OF THE RCS PORVS TO OPEN 7.00E-5 NOTE (D)
| |
| (PPS-SOV-FT*BETA-SRV)
| |
| PPS-CCF-F'l'-SRVS CC FAIL OF 'l'IIE RCS SH.VS 'l'O OPEN 7.00E-5 NOTE (D)
| |
| (PPS-SRV-FT*BETA-SRV)
| |
| PPS-MOV-FC-1535 BLOCK VLV SIIU'l' DUE 'l'O LEAKING PORV 3 *.OOE-1 POINT EST PSD PPS-MOV-FC-1536 BLOCK VLV SIIU'l' DUE TO LEAKING PORV 3.00E-1 POINT EST PSD f" PPS-MOV-FC-OPER OP FAILS TO CLOSE RCS PORV BLK VLV 2.70E-3/D 2.70E-3 LOG NOR 10 HRA tC I
| |
| ~ PPS-MOV-FT .PORV BLOCK VALVE FAILS 'l'O OPEN 4E-2/D 4,00E-2 LOG NOR 3 PSD
| |
| ~
| |
| PPS-MOV-F'l'-153 5 PORV BLOCK VLV 1535 FAILS 'l'O OPEN 4E-2/D 4,00E-2 LOG NOR 3 PSD PPS-MOV-F'l'-1536 PORV BLOCK VLV 1536 FAILS 'l'O OPEN 4E-2/D 4.00E-2 LOG NOR 3 PSD PPS-MOV-00-1535 MOV BLK VLV 1535 FAILS TO SIIU'l' 4E-2/D 4.00E-2 LOG NOR 3 PSD PPS-MOV-00-1536 MOV BLK VLV 1536 FAILS TO SIIU'l' 4E-2/D 4.00E-2 LOG NOR 3 PSD PPS-MOV-PG-1535 PORV BLOCK VLV 1535 PLUGGED lE-7/IIR 4.00E-5 LOG NOR 3 ASEP GEN PPS-MOV-PG-1536 PORV BLOCK VLV 1536 PLUGGED lE-7/IIR 4.00E-5 LOG NOR 3 ASEP GEN PPS-SOV-FT PORV PCV FAILS 'l'O OPEN ON DEMAND lE-3/D 1. OOE-3 LOG NOR 3 ASEP GEN PPS-SOV-FT-1455C PORV PCV 1455C FAILS 'l'O OPEN ON DEMAND lE-3/D 1. OOE-3 LOG NOR 3 ASEP GEN PPS-SOV-F'l'-1456 PORV PCV 1456 FAILS TO OPEN ON DEMAND lE-3/D L OOE-3 LOG NOR 3 ASEP GEN PPS-SOV-00-1455C RCS PORV 14 55C FAILS 'l'O RECLOSE JE-2/D 3.00E-2 LOG NOR 10 ASEP GEN PPS-SOV-00-1456 RCS PORV 1456 FAILS TO RECLOSE JE-2/D 3.00E-2 LOG NOR 10 ASEP GEN PPS-SRV-F'l' RCS SRV FAILS TO OPEN ON DEMAND lE-3/D 1. OOE-3 LOG NOR 3 ASEP GEN PPS-SRV-FT-1551A RCS SRV A FAILS .'l'O OPEN ON DEMAND lE-3/D 1,00E-3 LOG NOR 3 ASEP GEN PPS-SOV-FT-1551B RCS SRV B FAILS TO OPEN ON DEMAND lE-3/D 1.00E-3 LOG NOR 3 ASEP GEN PPS-SOV-FT-1551C RCS SRV C FAILS TO OPEN ON DEMAND lE-3/D 1. OOE-3 LOG NOR 3 ASEP GEN
| |
| *
| |
| * TADL -7 (Continued)
| |
| SURRY DATA TABLE Failure Unavail. 8 Dist. Source/
| |
| Event Id Event Description Rate *rime (Mean) 'l'ype EF Comments PPS-XIIE-FO-EMBOR OP FAILS TO CORRECTLY EMERGENCY BORATE l.OE-3/0 1.00E-3 LOG NOR 10 HRA PPS-XIIE-FO-lPORV OP FAILS TO OPEN 1 PORV 7.lE-2/U 7.lOE-2 MJ\X EttTk
| |
| * HRA PPS-XJIE-FO-PORVS FAILURE OF OP TO B'l'II PORVS FOR FD/BLD 4. 4E-2/D 4.40E-2 MAX ENTk
| |
| * HRA PPS-XIIE-FO-UNBLK OP FAILS 'l'O UNBLOCK PORV DURING ATWS 2. JE-1/D 2.JOE-1 LOG NOR 10 HRA QC RCS INTEG FAILS DUE TO PORV STUCK OPEN 1.2E-4/D l.20E-4 LOG NOR 10 NOTE (C)
| |
| QS-SBO SG SRV/PORV STICK OPEN DURING SBO 2.7E-1/D 2.70E-1 MAX ENTk
| |
| * NOTE (C)
| |
| QS-UNIT2 UNIT 2 SG RELIEF STUCK OPEN DURING SBO l.6E-1/D l.60E-1 MAX ENTk
| |
| * NOTE (C)
| |
| .
| |
| ~
| |
| cc
| |
| ~
| |
| I C,11 R FAILURE TO MANUAL SCRAM THE RX 1. 7E-1/D 1.70E-1 MAX ENTk
| |
| * RECOVERY RCP-LOCJ\-750-90M 750 GPM RCP SEJ\L LOCA AT 90 MIN 5. JOE-1/0 5.JOE-1 SPECIAL NOTE (M)
| |
| RCP-LOCA-467-150 18JGPM INCSNG TO 750 GPM RCP SEAL LOCA l.27E-1/D 1. 27E-1 SPECIAL NOTE (M)
| |
| RCP-LOCJ\-183-150 183 GPM RCP SEAL LOCA AT 150 MIN 1.61E-2/D 1. 61E-2 SPECIAL NOTE (M)
| |
| RCP-LOCA-183-210 183 GPM RCP SEJ\L LOCI\ AT 210 MIN l.61E-2/D 1. 61E-2 SPECIAL NOTE (M)
| |
| RCP-LOCJ\-1440-90 1440 GPM RCP SEJ\L LOCA J\T 90 MIN 4.JE-3/D 4.JOE-3 SPECIAL NOTE (M)
| |
| RCP-LOCJ\-561-150 372 GPM INCSHG 'l'O 750 GPM ncP SEAL LOCA 4. OE-3/D 4.00E-3 SPECIAL NOTE (M)*
| |
| RCP-LOCA-183-90 183 GPM RCP SEAL LOCA AT 90 MIN 1.4E-2/D l.40E-2 SPECIAL NOTE (M)
| |
| RCS-AOV-FT FAILURE OF RCS AIR OPERATED VALVE lE-3/D 1.00E-3 LOG NOR J ASEP GEN RCS-AOV-F'l'-14 551\
| |
| RCS-AOV-FT-1455B FAILURE OF PZR SPRAY VLV 14551\ 'l'O OPEH FAILURE OF PZR SPRAY VLV 14558 TO OPEN lE-3/D lE-3/D
| |
| - 1.00E-3 1.00E-3 LOG NOR J LOG NOR J ASEP GEN ASEP GEN RCS-CCF-FT-455AB CC FAIL OF PZR SPRAY VLVS 'l'O OPEN (RCS-AOV-FT*BETA-AOV) 1.00E-4 - NOTE (D)
| |
| RCS-FCV-FT-AUXSP FAIUJRE OF AUX SPRAY VLV TO OPEN lE-3/D 1.ooE-J LOG NOR J ASEP GEN RCS-MDP-FR-RCPlA REAC'fOR COOLAtl'l' PMPS FAIL TO RUN 1 HR JE-5/IIR 1hr J.OOE-5 LOG NOR 10 ASEP GEN RCS-MDP-FR-RCPlC REACTOR COOLANT PMPS FAIL TO RUN 1 Ill\ JE-5/HR 1hr J.OOE;..5 LOG NOR 10 ASEP GEN L__
| |
| | |
| TABLE 4.9-7 (Continued)
| |
| BURRY DATA TABLE Failure Unavail. 8 Dist. Source/
| |
| Event Id Event Descr-iption Rate 'l'ime (Mean) Type EF Comments RCS-PORV-D1DMD RCS PORV DEMAND DURING Dl FAILURE, SGTR l.25E-1/D 1. 25E-l MAX ENTk
| |
| * NOTE (C)
| |
| RCS-PORV-DMD RCS PORV DEMAND DURING SGTR 5.00E-2/IJ 5.00E-2 MAX ENT: NOTE (C)
| |
| RCS-PORV-ODMD RCS PORV DEMAND FOR SGTR W/0 DEPRESS 5.00E-1/D 5.00E-1 MAX ENT
| |
| * NOTE (C)
| |
| * RCS-XIIE- FO-DPRES OP FAILS TO DEPRSS/COOL RCS FOR s 2 , S 2. 2E-2/D 2.20E-2 MAX ENTk
| |
| * HRA RCS-XIIE-FO-DPR'l'7 OP FAILS 'l'O DEPRSS/COOL RCS DURIN.G SG'l,R 2.9E-2/D 2.90E-2 MAX ENT: HRA RCS-XHE-FO-DPT7D OP FAILS TO DEPRESS/COOL RCS FOR T 7 D1 4. OE-1/D 4.00E-1 MAX ENT
| |
| * HRA
| |
| * REC-XIIE- FO-DGEH OP FAILS 'l'O RECOVER A DG WITHIN 1 HR 9E-1/D 9.00E-1 MAX EHTk
| |
| * ASEP GEN REC-XHE-FO-DGHWB OP FAILS TO REC A DG FM HW FAIL IN 6 HR 6E-1/D 6.00E-1 MAX EltTk
| |
| * ASEP GEN REC-XHE-FO-DGIIWS OP FAILS TO REC A DG FM HW FAIL IN 3 IIR BE-1/D 8.00E-1 MAX ENTk
| |
| * ASEP GEN
| |
| ':"' REC-XHE-FO-DGTMB OP FAILS TO REC A DG FM 'I'M FAIL IN 6 HR 5E-1/D 5.00E-1 MAX ENT:
| |
| * ASEP GEH c:c REC-XHE-FO-DGTMS OP FAILS TO REC A DG FM 'I'M FAIL IN 3 HR 7E-l/D 7.00E-1 MAX ENT ASEP GEN I
| |
| .i::.
| |
| O') REC-XHE-FO-DPRES OP FAILS 'l'O DEPRESS RCS IN REC FM SGTR 1. 4_E-2/D 1. 40E-2 LOG NOR 10
| |
| * HRA REC-XHE-FO-GAGRV OP FAILS TO GAG SHU'r S'l'UCK OPEN RELIEF JE-1/D 3.00E-1 MAX ENTk
| |
| * HRA REC-XHE_-FO-SCOOL OP FAILS TO GE'f SEAL COOL DURING SBO l.25E-l/U 1. 25E-1 MAX ENTk
| |
| * HRA RHR-AOV-OC-1758 IICV-1758 XFERS SHUT 7.5E-7/D 7.50E-7 LOG NOR 3 NOTE (C)
| |
| RIIR-AOV-00-1605 FCV-1605 XFERS FULL OPEN AND STICKS 2. 4E-6/D 2.40E-6 LOG NOR 10 NOTE (C)
| |
| RIIR-ASF-PG-1605 mm FLOW ORIFICE PLUGGED JE-4/D 3.00E-4 LOG NOR 3 !REP RHR-CCF-FS-MDPAB CC FAIL OF MDP lA & lB TO START 4.50E-4 NOTE (D)
| |
| ( RHR-MDP-FS
| |
| * BE'fA-LPI)
| |
| RHR-CCF-FT-720AB cc FAIL OF mm MOVS l720A,l720B 2.60E-4 NOTE (D)
| |
| (RIIR-MOV-FT*BE'fA-2MOV)
| |
| RHR-CKV-FT-CV5 CHECK VLV CV5 FAILS TO OPEN lE-4/D 1.00E-4 LOG NOR 3 ASEP GEN RHR:*CKV-FT-CVll CHECK VLV CVll FAILS TO OPEN lE-4/D 1. OOE-4 LOG NOR 3 ASEP GEN RHR-CKV-FT-RC23 CHECK VLV CV RC23 FAILS TO OPEN lE-4/D l.OOE-4 LOG NOR 3 ASEP GEN RIIR-CKV-FT-RC24 CHECK VLV CV RC24 FAILS TO OPEN lE-4/D l.OOE-4 LOG NOR J ASEP GEN
| |
| * *
| |
| * TABL~-7 (Continued)
| |
| BURRY DATA TABLE
| |
| * Failure Unavail. 8 Dist. Source/
| |
| Event Id Event Description Rate Time (Mean) Type EF Comments RIIR-CKV-00-CVll BJ\CKFLOW THROUGH CVll lE-3/D 1.00E-3 LOG NOR 3 ASEP GEN RIIR-CKV-OO-CV5 BACKFLOW THROUGH CV5 lE-3/D 1. OOE-3 LOG NOR 3 ASEP GEN RHR-HTX-LK-ElA RIIR HEAT EXCHANGER ElA TUBE LEAKS JE-6/HR 24hr 7.20E-5 LOG NOR 10 ASEP GEN RHR-HTX-LK-E1B RHR HEAT EXCHANGER ElB TUBE LEAKS JE-6/HR 24hr 7.20E-5 LOG NOR 10 ASEP GEN RHR-HTX-PG-ElA RIIR HEAT EXCHANGER Ell\ PLUGGED 5. 7E-6/IIR 24hr 1.40E-4 LOG HOR 10 ASEP GEH RHR-HTX-PG-ElB RHR HEAT EXCHANGER E1B PLUGGED 5.7E-6/HR 24hr 1. 40E-4 LOG NOR 10 ASEP GEN RIIR-MDP-FR-1\2 4 IIR RIIR MDP 11\ FAILS TO RUN 24 HRS JE-5/HR 24hr 7.20E-4 LOG NOR 10 ASEP GEN RHR-MDP-FR-B24HR rum MDP 18 FAILS 'l'O RUN 2 4 HRS JE-5/HR 24hr 7.20E-4 LOG NOR 10 ASEP GEN RIIR-MDP-FS RIIR MO'l'OR DRIVEN PUMP FAILS TO S'l'J\R'l' JE-3/D 3.00E-3 LOG NOR 10 ASEP GEN
| |
| .""'c.o RIIR-MDP-FS-RIIRlJ\ mm MOP 11\ FJ\ILS 'l'O STJ\R'l' ON DEMJ\tlD JE-3/D 3.00E-3 LOG NOR 10 ASEP GEN I RHR-MDP-FS-RHR1B RIIR MOP lB FAILS TO S'l'AR'l' ON DEMAND JE-3/D 3.00E-3 LOG NOR 10 ASEP GEN
| |
| ""'
| |
| -:J RIIR-MOV-F'l'-1700 mm MOV 1700 FJ\ILS 1'0 OPEU ON DEMJ\UD JE-3/D 3.00E-3 LOG HOR 10 ASEP GEN RIIR-MOV-F'l'-1701 mm MOV 1701 FAILS 'l'O OPEN ON DEMJ\HD JE-3/U 3.00E-3 LOG NOR 10 ASEP GEN RIIR-MOV-F'l'-17201\ mm MOV 17201\ FJ\ILS TO OPEN ON DEMAND JE-3/U 3.00E-3 LOG NOR 10 ASEP GEN RIIR-MOV-FT-17208 RHR MOV 17208 FAILS TO OPEN ON DEMAND JE-3/D 3.00E-3 LOG NOR 10 ASEP GEN RIIR-MOV-PG-1700 RIIR MOTOR OPERATED VLV 1700 . PLUGGED l.E-7 /IIR lyr 4.40E-4 LOG NOR 3 ASEP GEN RIIR-MOV-PG-1701 HIIR MOTOR OPER VJN 1701 PLUGGED lE-7 /HR lyr 4. 40E-4 LOG NOR 3 ASEP GEN RIIR-MOV-PG-1720A mm MOTOR OPERATED VLV 1720A PLUGGED lE-7/IIR lyr 4.40E-4 LOG NOR 3 ASEP GEN RIIR-MOV-PG-1720B RIIR MOTOR OPERATED VLV 1720B PLUGGED lE-7/HR lyr 4.40E-4 LOG NOR 3 ASEP GEN RHR-SRV-C0-1721 SRV-1721 RELIEF VLV INADVER'l'EN'l' OPEN 3.9E-6/HR 24hr 9.36E-5 LOG NOR 10 IEEE 500 RIIR-XVM-PG-XV2 MANUJ\L VLV XV2 PLUGGED lE-7/IIR lyr 4.40E-4 LOG HOR 3 ASEP GEN RIIR-XVM-PG-XV6 MANUAL VLV XV6 PLUGGED lE-7/IIR lyr 4.40E-4 LOG NOR 3 ASEP GEN RIIR-XVM-PG-XV8 Ml\NUJ\L Vl,V XV8 PLUGGED lE-7/IIR lyr 4.40E-4 LOG HOR 3 ASEP GEN RIIR-XVM-PG-XV12 MJ\NUAL VLV XV12 PLUGGED lE-7 /HR lyr 4.40E-:-4 LOG HOR 3 ASEP GEN RIIR-XVM-PG-XV15 MJ\HUAL VLV XV15 PLUGGED lE-7 /IIR lyr 4.40E-4 LOG NOR 3 ASEP GEN R1IR-XVM-PG-XV19 MANUJ\L VLV XV19 PLUGGED lE-7/IIR lyr 4.40E-4 LOG NOR 3 ASEP GEN R1IR-XVM-PG-XV20 MANUAL VLV XV20 PLUGGED lE-7/IIR lyr 4.40E-4 LOG NOR 3 ASEP GEN RIIR-XVM-PG-XV24 MANUAL VLV XV24 PLUGGED lE-7/IIR lyr 4.40E-4 LOG NOR 3 ASEP GEN
| |
| | |
| TABLE 4.9-7 (Continued)
| |
| BURRY DATA TABLE Failure Unavail.B Dist. Source/
| |
| Event Id Event Description Rate Time (Mean) 'l'ype EF Comments RMT-ACT-FA-RMTSA NO SIGNAL FROM RMTS ACT TRAIN A 1. 6E-3/D 1. 60E-3 LOG NOR 5 ASEP GEN RMT-ACT-FA-RMTSB NO SIGNAL FROM RM'l'S ACT TRAIN B 1. 6E-3/D l.60E-3 LOG NOR 5 ASEP GEN RMT-CCF-FA-MSCAL cc FAIL RMTS DUE TO MISCALIBRA'l'ION 3E-4/D 3.00E-4 LOG NOR 10 HRA RMT-XHE-FO-MAN-A OP FAILS TO RECOVER RM'l'S AC'!' FAILURE 6.40E-2/D 6.40E-2 MAX ENTk
| |
| * HRA RMT-XHE-FO-MANSl OP FAILS TO RECOVER RMTS *,AC'!' FAILURE 6.40E-2/D 6.40E-2 MAX ENTk
| |
| * HRA RMT-XHE-FO-MANS2 OP FAILS TO RECOVER RM'fS ACT FAILURE 2. 70E-3/D 2.70E-3 LOG NOR 10 HRA RW'f-TNK-LF-RWST INSUF WATER AVAILABLE FM THE RWS'l' 2. 7E-6/D 2.70E-6 LOG NOR 10 ZION PRA tf>'
| |
| c.o I
| |
| ,j::,.
| |
| 00 Sl MEDIUM LOSS OF COOLANT ACCIDENT lE-3/YR l.OOE-3 LOG NOR 10 ASEP GEN S2 SMALL LOSS OF COOLANT ACCIDENT lE-3/YR 1. OOE-3 LOG NOR 10 }\SEP GEN S3 VERY SMALL LOSS OF COOLANT ACCIDENT 1. 3E-2/YR 1. 30E".'"2 LOG NOR 10 SECT 4.3.4 SBO-PORV-DMD PER VLV RCS PORV DEMAND PROB DURING SBO 4.50E-1 MAX ENTk
| |
| * NOTE (C)
| |
| SBO-SGSRV-DMD SG PORV NUMBER OF DEMANDS DURING SBO 9.00E-0 POINT EST NOTE (C)
| |
| SG'rR-SGADV-DMD SG'rR SG PORV DEMAND DURING SG'l'R 3.0E-1/D 3.00E-1 MAX ENTk
| |
| * NOTE (C)
| |
| SG'l'R-SGADV-ODMD SG'l'R SG PORV DEMAND W/0 DEPR~SS l.00/D 1.00 MAX ENTk
| |
| * NOTE (C)
| |
| SG'l'R-SGSRV-DMD SG'l'R SG SRV DEMAND PROB W/PORV BLOCKED 3.0E-1/D 3.00E-1 MAX EttTk NOTE (C)
| |
| SGTR-SGSRV-ODMD1 SG'l'R SG SRV DMD W/0 DEPRESS/PORV 1. 00/0 1.00E-0 MAX ENTk
| |
| * NOTE (C)
| |
| BLOCKED
| |
| * SGTR-SGSRV-0DMD2 SG'l'R SG SRV DEMAND W/0 DEPRESS 1.5E-1/D 1. 50E-1 MAX ENTk
| |
| * NOTE (C)
| |
| SIS-AC'r-FA-SISA NO SIGNAL FROM SIS AC'f TRAIN A 1.6E-3/D l.60E-3 LOG NOR 5 ASEP GEN SIS-AC'f-FA-SISB NO SIGNAL FROM SIS ACT TRAIN B 1. 6E-3/D 1. 60E-3 LOG NOR 5 AESP GEN SIS-XIIE-FO-MANSl OP FAILS TO RECOVER SIS ACT FAIL, Sl 2. 7E-3/D 2.70E-3 LOG NOR 10 HRA SIS-XIIE-FO-MANS2 OP FAILS 'l'O RECOVER SIS ACT FAIL, S2 2. 7E-3/D 2.70E-3 LOG NOR 10 HRA
| |
| * TABLE .9-7 (Continued)
| |
| BURRY DATA TABLE
| |
| * Failure Unavail. 8 Dist. Source/
| |
| Event Id Event Description, Rate Time (Mean) Type EF Comment.s SLOCA-NRl\CSL-L'f SEAL LOCI\, NON-REC l\C PWR, SEC DPRESS 9.20E-2 POINT EST NOTE (C)
| |
| SLOCA-NRJ\CSL-ST SEAL LOCA, NON-REC AC PWR, NO DPRESS 9.90E-2 POINT EST NOTE (C)
| |
| SWS-CCF-FT-JABCD CC FAIL OF SWS !SOL MOVS l03A,B,C,D 6.JOE-4 NOTES (D,J)
| |
| (SWS-MOV-FT
| |
| * BETA-SWMOV)
| |
| SWS-MOV-F'l'-103A sws MOTOR OP VLV 1031\ FAILS TO OPEN JE-3/D 3.00E .. 3 LOG NOR 10 NOTE (J)
| |
| SWS-MOV-FT-103B SWS MOTOR OP VLV l03B FAILS TO OPEN JE-3/D 3.00E-3 LOG NOR 10 NOTE (J)
| |
| SWS-MOV-FT-l03C sws MOTOR OP VLV l03C FAILS TO OPEN JE-3/D 3.00E-3 ,LOG HOR 10 NOTE (J)
| |
| SWS-MOV-FT..:.103D sws MO'rOR OP VLV lOJD FAILS TO OPEN JE-3/D 3.00E-3 LOG NOR 10 NOTE (J)
| |
| .
| |
| If:>.
| |
| co I
| |
| SWS:-MOV-M1\-103A SWS-MOV-MA-103B
| |
| 'l'ES'l'
| |
| 'l'ES'11 AND AND MAINT sws MOV 1031\
| |
| MAINT SWS MOV l03B 2E-4/D 2E-4/D 2.00E-4 2.00E-4 LOG LOG NOR NOR 10 10 ASEP GEN ASEP GEN
| |
| ~
| |
| co SWS-MOV-MA-l03C '!'EST AND MAINT sws MOV l.03C 2E-4/D 2.00E-4 LOG HOR 10 ASEP GEN SWS-MOV-MA-1030 TEST AND MAINT sws MOV l03D 2E-4/D 2.00E-4 LOG NOR 10 ASEP GEN SWS-MOV-PG-104A sws MOTOR OPER VLV 1041\ PLUGGED lE-7/IIR lBrno 6.50E-4 LOG NOR 3 ASEP GEN SWS-MOV-PG-1048 sws MOTOR OPER VLV l04B PLUGGED lE-7/IIR 18mo 6.50E-4 LOG NOR 3 ASEP GEN SWS-MOV-PG-l04C sws MOTOR OPER VLV 104C PLUGGED lE-7/IIR 18rno 6.50E-4 LOG NOR 3 ASEP GEN SWS-MOV-PG-1040 SWS MOTOR OPER VLV l04D PLUGGED lE-7/IIR 18rno 6.50E-4 LOG NOR 3 ASEP GEN SWS-MOV-PG-1051\ SWS MOTOR OPER VLV 1051\ PLUGGED lE-7/IIR 18mo 6.50E-4 LOG NOR 3 ASEP GEN SWS-MOV-PG-1058 sws MOTOR OPER VLV l05B PLUGGED lE-7 /IIR l8mo 6.50E-4 LOG HOR 3 ASEP GEN SWS-MOV-PG-105C sws MOTOR OPER VLV l05C PLUGGED lE-7/IIR lBmo 6.50E-4* LOG NOR 3 ASEP GEN SWS-MOV-PG-105D sws MO'l'OR OPER VLV 1050 Pl,UGGED lE-7/IIR 18mo 6.50E-4 LOG NOR 3 ASEP GEN SWS-MOV-PG-1061\ SWS MO'l'OR OPER VLV 1061\ PLUGGED lE-7/IIH l8mo 6.50E-5 LOG NOR 3 ASEP GEN SWS-MOV-PG-1068 sws MOTOR OPER VLV l06D PLUGGED lE:-7/IIR lOmo 6.50E-5 LOG NOR 3 ASEP GEN SWS-XIIE-FO-OPEN OPER FAILS TO OPEN SPRAY IIX MOV 2. 4E-1/D 2.40E-1 POINT EST HRA SWS-PSF-LF-XCONN FAUL'l'S IN SWS HEAIJER XCONN 2E-4/D 2.00E-4 LOG NOR 3 NOTE (C)
| |
| | |
| TABLE 4.9-7 (Continued)
| |
| BURRY DATA TABLE Failure Unavail.B Dist. Source/
| |
| Event Id* Event Descr~ption Rate 'l'irne (Mean) Type EF Comments SWS-XVM-PG-37U2 MANUAL VLV XVJJ PLUGGED lE-7/IIR lrno 4.00E-5 LOG NOR 3 ASEP GEN SWS-XVM-PG-39U2 MANUAL VLV XV39 PLUGGED lE-7/IIR lrno 4.00E-5 LOG NOR 3 ASEP GEN SWS-XVM-PG-XV33 MANUAL VLV XV33 PLUGGED lE-7/HR lrno 4.00E-5 LOG NOR 3 ASEP GEN SWS-XVM-PG-XV35 MANUAL VLV XV35 PLUGGED lE-7/IIR lmo 4.00E-5 LOG NOR 3 ASEP GEN SWS-XVM-PG-XV37 MANUAL VLV XV37 PLUGGED lE-7/IIR lrno 4.00E-5 LOG NOR 3 ASEP GEN SWS-XVM-PG-XV39 MANUAL VLV XV39 PLUGGED lE-7/IIR lrno 4.00E-5 LOG NOR 3 ASEP GEN T FULL PWR XIENT EVEN'f REQUIRING RX SCRAM 6.6E-O/YR 6.GOE-0 LOG NOR 3 NUREG-3862
| |
| 'l'l LOSS OF OFFSI'l'E POWER 7.7E-2/YR 7.70E-2 SPECIAL - NUREG-5032 T2 LOSS OF MAIN FEEDWATER 9.4E-1/YR 9.40E-1 LOG HOR 3 NUREG-3862
| |
| 'f" TJ '!'URBINE 'l'RIP WI'l'H MAIN FEEDWATER AVAIL 7.JE-0/YR 7.JOE-0 LOG NOR 3 NUREG-3862 c.c T5A LOSS OF DC BUS lA 5E-3/YR 5.00E-3 LOG NOR 10 ASEP GEN I
| |
| <:Jl T5B LOSS OF DC BUS 18 5E-3/YR 5.00E-3 LOG NOR 10 ASEP GEN 0
| |
| T7 STEAM GENERATOR TUBE RUPTURE lE-2/YR l.OOE-2 LOG NOR 5 SECT 4.3.4
| |
| 'l'N HIGH PWR XIENT EVENT REQUIRING RX SCRAM 5.9E-U/YR 5.90E-O LOG NOR 3 NUREG-3862 UNIT2-LOW-POWER UNIT 2 LESS '!'HAN 10% PWR PRIOR TO IE 3.50E-l POINT EST PSD V-'l'RJ\IN-1 I N'l'ERF ACING LOCJ\ FM RCS LOOP 1 TO LPI 4.0E-7/YR 4.0E-7 POINT EST NOTE (G)
| |
| V-TRAIN-2 IN'l'ERFACING LOCA FM RCS LOOP 2 'l'O LPI 4.0E-7/YR 4.0E-7 POINT EST NOTE (G)
| |
| V-TRAIN-3 INTERFACING LOCA FM RCS LOOP 3 'l'O LPI 4.0E-7/YR 4.0E-7 POINT EST NOTE (G) z UNFAVORABLE MODERATOR 'I'EMP COEFFICIEN'l' 1. 4E-2/D 1. 40E-2 LOG NOR 7 SECT 4.4.11 Zl VERY LOW MODERATOR TEMP COEFFICIENT 5.0E-1/D 5.00E-1 MAX ENTk* SECT 4.4.11
| |
| | |
| NO'l'ES 'l'O SURRY lJA'l'A '!'ABLE A. Abbreviations used in the Surry Uata '!'able:
| |
| AC'l' = Actuation MO= Month AOV = Air Operated Valve MOV = Motor Operated Valve ASEP GEN= ASEP Generic Data, Reference J NUREG-3862 = NUREG/CR-3862, Ref. 12 BKFLW = Backflow NUREG-5032 = NUREG/CR-5032, Ref. 13 BRKR = Breaker OP= Operator CC(F) = Common cause (Failure) OPN = Open CK'l' = circuit PMP = Pump CLS = Close PORV = Power Operated Relief Valve COND = Main Condenser PROB= Probability CON'!' = Containment PSD = Plant Specific Data (App. D.6)
| |
| COOL= Cooling PWR = Power CST = Condensate Storage 'l'ank REC= Recovery CV= Check Valve RECIRC = Recirculation D = Demand RECOVERY= Recovery Analysis, Sec. 4.10.3 DEP = Dependent RP= Rupture DG = Diesel Generator RX= Reactor DISCH= Discharge SBO = Station Blackout DIST= Distribution SEC= Secondary° DMD= Demand SEC'!' = Section DPRESS = Depressurize SG = Steam Generator EF = Error Factor SG'l'R = Steam Generator Tube Rupture FD/BLD = Feed and Bleed Cooling SIG= Signal FLS = Fails SRV = Safety Relief Valve FM= From S'l'A = station IIR(S) = Hour(s) S'l'M = Steam JIRA= Human Reliability Analysis, Section 4.8 TDP = Turbine Driven Pump IIW = Hardware TM= Test and Maintenance IE= Initiating Event '!'RN = 'l.'rain IEEE 500 = IEEE Standard 500-1984, Ref. 15 Ul = Unit 1 IHSUF = Insufficient U2 = Unit 2 INV'l'R = Inverter UHAVAIL = Unavailable
| |
| !REP= Interim Reliability Evaluation Program vr.,v. = Valve Procedures Guide, Ref. 14 W/IN = Within
| |
| !SOL= Isolation W/0 = Without LOCA = Loss of Coolant Accident XCONN = Cross Connect LOG NOR= Log Normal Distribution XFERS = Transfers LOSP = Loss of Off-site Power XF'ORMER = Transformer MAINT = Maintenance XIEN'l' = Transient Ml\N = Manual YR= Reactor-Year MOP= Motor Driven Pump ZION= Zion Probabilistic Safety Study, MN= Main Reference 8
| |
| | |
| NOTES TO SURRY ~ATA TABLE (Continued)
| |
| B. Unavailabilities were calculated from failure rates as follows:
| |
| For Time intervals in hours:
| |
| Unavailability= Failure Rate* Time.
| |
| For Time intervals in other than hours (weeks, months, years):
| |
| Unavailabilty = 1/2 (Failure Rate* Time).
| |
| : c. A derived value. See Appendix D.6 for the derivation.
| |
| D. The common cause unavailability is listed here. It is calculated from the BETA factor and basic failure rates as shown. The uncertainty analysis used the distribution type and error factor associated with the BETA factor and the basic event when events were correlated.
| |
| E. The probability of Emergency Core Cooling system's failure due to containment failure is obtained through analysis of the containment event tree. This event was included in the core vulnerable sequence cut sets and represents event tree heading CV. See Appendix A.1 for the derivation.
| |
| F. Plant specific data was reviewed concerning Charging Pump Cooling (CPC) strainers. The resultant CPC strainer rate was determined to be equal to the generic failure rate. However, a plant specific BETA of 2.63E-1 was calculated for.common cause failure of CPC strainers 2A and 2B.
| |
| See Appendix D. 6 for details.
| |
| * G. Point estimate derived from expert elicitation on interfacing loss of coolant accidents.
| |
| II. Internal elicitation on relief valve demand probabilities during transients.
| |
| I. Complementary probability (point estimate).
| |
| J Plant specific data was reviewed concerning Service Water motor operated valves (MOVs). The resultant Service Water MOV failure rate was determined to equal the generic MOV failure rate.
| |
| However, a plant specific BE'l'A of 2. lE-1 was calculated for common cause failure of SWS-MOV-103A, B, c, and D. See Appendix D.6 for details.
| |
| K. Maximum entropy distribution with a lower bound of one-tenth the failure rate and an upper bound of 1.0, or ten times the failure rate, whichever is lower.
| |
| | |
| *
| |
| * NOTES TO SURRY DATA TABLE (Continued)
| |
| L. External event used to "switch" on and off portions of a fault tree.
| |
| M. Reactor Coolant Pump seal loss of coolant accident leak rates, start time of the leak, probabilities and distributions were determined by elicitation of an expert panel. See Appendix 0.5 for details.
| |
| | |
| 4.10 Accident* Sequence 'Quantlfica tion 4.10.1 General Approach The accident sequences that result in core damage at the Surry nuclear station are identified by the event trees in Section 4.4. The quantification process for each accident sequence is discussed in this *section. The sequences were quantified by combining the Boolean equations derived from the system models, using the event tree logic structure associated with the particular sequence. The resultant equations were reduced to the form of minimal cut sets. System successes were explicitly included in the sequence logic. The sequence minimal cut sets were quantified using the point estimates of mean values for event failure probabilities. The process was performed in five major steps.
| |
| * Solution and quantification of individual event models
| |
| * Quantification of partial sequences
| |
| * Quantification of full sequences
| |
| * Sequence recovery
| |
| * Final quantification The first step consisted of generation and quantification of the cut set equations for individual events. These events correspond to the event tree headings~ Most of the events are top events on the fault trees, but some are Boolean equations. The support systems were merged with the front line system and a fault tree equation was generated for the top event. This equation was truncated on a cut set probability of lE-10. (Note, this does not include an initiation frequency). No cut sets were truncated on order.
| |
| . '
| |
| Systems represented by black box models were quantified independently. Black box models were used for single events where the system unavailability is from an established data base. A system represented by a black box model does not share any dependencies with other systems in the accident sequence quantification and can be directly incor-porated into every sequence cut set~
| |
| The next step included quantification of partial sequence expressions to determine whe-ther any sequences could be eliminated from further quantification. This elimination was determined based on a screening value of lE-7/yr for non blackout sequences and lE-9/yr for station blackout sequences. If a partial sequence quantification could be shown to result in a frequency of less tha~ lE-7, all sequences containing this subsequence were eliminated from further analysis. Partial quantification also served to provide interim products for full sequence quantification. The partial quantifications were truncated at
| |
| .5E-10 cut set probability. The next step was complete quantification of all sequences, including the initiating event frequency. This quantification was truncated at .5E-10.
| |
| Those sequences less than lE-7 OE-9 for blackout sequences) at this juncture were classified as non-dominant and no ,further analysis was performed on them.
| |
| For those sequences above lE-7, recovery actions were added on a cut set or sequence
| |
| * level, as applicable. The sequences were then requantified. Station blackout sequences were combined into eight groups. Those sequences with frequency above lE-7 at this point in the quantification were included in the dominfl]! \<jcident sequences. The dominant sequences were then quantified using TEMAC ' 4 to determine the fre-quency distribution of each sequence and the total core damage model.
| |
| The following sections discuss the sequence quantification process, list the sequences quantified, and identify plant specific quantification issues, such as probability cutoff values and recovery factors.
| |
| 4.10-1
| |
| | |
| 4.10.2 Identification of Sequences Analyzed The quantification of accident sequences was performed using a three-stage quantifica-tion approach, building upon small quantification efforts until recovered sequences (where necessary) were quantified.
| |
| As discussed above, the individual system models were initially quantified. This process was performed with the support system (e.g., electrical power, cooling, etc.) models linked into the appropriate front-line system models to give the system minimal cut sets. A probability cutoff or truncation value of lE-10 was used for the single system quantification. All cut sets greater than lE-10 were retained at this point. The system minimal cut sets were then reviewed for accuracy as a quality assurance check.
| |
| Next, these system models were linked together using the SETS computer code< 49) to form portions of entire accident sequences. The event trees shown in Section 4.4 were used to define which systems were combined. The event trees were also used to explicitly account for successes of certain systems when forming these partial sequence Boolean equations.
| |
| Additionally, depending on the sequence under consideration, certain failures were precluded based on the sequence definition. An example of this would be quantification of AFW in a station blackout accident. In linking the AFW model to the electric power model, diesel generator failure probabilities were set to 1.0, thus failing the motor-driven pumps. In this particular sequence, AFW operation is dependent on the turbine-driven pump success.
| |
| Mean data values were applied to the basic events. Until the final quantification, only point estimates of sequence frequencies were calculated, based on the propagation of mean values. The mean value was not calculated for the sequences -until the final quantification step (i.e., for those sequences that passed all the quantification screening steps).
| |
| In doing the partial sequence quantifications, the portion of the sequence expression that was chosen to be initially quantified was not arbitrarily selected. Generally, that portion of the accident sequence expression was the same for several of the sequences chosen.
| |
| In the cases of similar sequences which differed only due to the initiating event, and the capabilities of the systems involved were not impacted by the initiating event, one sequence quantification was performed and the frequency of the other sequence was derived by using the ratio of the initiating event frequencies. These partial sequence expressions were then examined to determine if the resulting total frequency was lE-7 or greater, once the initiator frequency (which can be greater than 1.0) and any "black box" model constants were included with the expression. This process assumed that any remaining system failures occurred with a probability of 1.0. Any of the partial sequences that could be shown to result in a frequency lower than lE-7 were eliminated from further analysis.
| |
| In addition to combinations of systems that were frequently repeated in the event trees, sequences involving failure of two systems which included common interfaces or dependencies were also chosen for initial quantification. The rationale in these cases is that dependencies between two or more systems can of ten cause the sequence frequency to be comparable to single system frequencies.
| |
| 4.10-2
| |
| | |
| An example of partial sequence quantification is shown by the combination of the AFW
| |
| *
| |
| (L) and LPR (H 1) systems. The partial sequence combination of LH l occurs in several sequences where AFW fails, feed and bleed succeeds in the inJection phase, but recirculation from the sump fails to provide long term cooling.
| |
| Accident Sequence Sequence Number Sequence Boolean* Equation T2-6 "T2*/K*/Q*L*/D2*/P*/CS*H1 T3-7 T3*/K*/Q*L*M*/D 3*/D 2*/P*/CS*H1 S2-13 S2*/K*/Dl *L*/Pl */CS*Hl S3-8 S3*/K*/Dl*Qc*L*/0D*/W 3*H1 After quantifying L*H 1 initially, a hand calculation including the initiatiRg event anq constants was performed to evaluate whether further quantification was necessary. This hand calculation assumed all other systems fail with a probability of* 1.0. In this example, L-H 1 was quantified to be 4.7E-7. A frequency for T 2
| |
| * L-H l of 4.4E-7 was then calculatecl (0.94
| |
| * 4.7E-7). At this point, sequence T 2LH 1 was retained. Similarly, T 3LMH 1 was calculated, including the nblack box" constant for"M. T 3LMH 1 equaled lE-8 and was eliminated.
| |
| Two areas of caution must be noted in partial sequence quantification to ensure that sequences are not screened out in error *. First, the sequence with the longest mission time for each system involved should be used. From the example above, L had a mission
| |
| * time of 24 hours in T 2 , T 3 , and s3 , but 6 hours in s2
| |
| * The mission time for H 1 was shorter for T2
| |
| * Partiaf sequence quantification was done with an L mission time of 24 hours and an H 1 mission time of 24 hours, to ensure that none of the "fail to run" cut sets were lost. Additionally, using ratios of initiating events applies only to initiating events independent of the systems involved. From the example above, the loss of offsite power and loss of DC bus initiators (T_1 LH 1, and T AtH 1, and T 5sLH 1) had to be quantified 5
| |
| separately to account for the effoct of the initiators on the systems. The second area of caution is in combining system models that contain operator errors. The resultant equation will have cut sets which contain multiple human errors. Multiplying human error probabilities together independently may underestimate the overall operator error for a single sequence.
| |
| Event Cs, from the event trees, is failure of the containment systems. It represents either the combination of CSS and ISR (C-F 1) or ISR and OSR (F 1-F 2). During the partial sequence quantification, both combinations were quantified. Since F 1-F 2 was nearly two orders of magnitude higher than C-F 1, the failure probability and cut sets of event Cs were assumed to be the F 1-F 2 combination during the initial screening.
| |
| Truncation of sequence equations based on cut set frequency and cut set order is commonly done during the accident sequence quantification in order to reduce the sequence cut sets to a manageable level while reta,ining the major contributors to sequence frequency. In the Surry accident sequence quantification, no sequence equation truncation on cut set order was performed. Sequence equations were truncated on cut.
| |
| set frequency. Sequence cut sets whose frequency was less than 5.0E-10 were discarded from the sequence equation. Based on the results of the initial sequence quantifications, these cutoff values were determined to be acceptable.
| |
| The result of the above step-by-step process was identification of those sequences with core damage frequencies of lE-7 or greater after the initial quantification. Table 4.10-1 lists the accident sequences eliminated and retained at this point in the quantification 4.10-3
| |
| | |
| TABLE 4.10-1 ACCIDENT SEQUENCES QUANTIFIED BEFORE RECOVERY lmnual Accident Sequence Sequence Expression Sequence Comments/Source Sequence Number Sequence Boolean Equation Frequency Quantified Eliminated Of Information LOSS OF OFFSITE POWER Tl-3 Tl*/K*/Q*/L*D3*W 2.0E-06 All No Reactor Coolant Pump (RCP) seal vulnerable.
| |
| '1'1 LH2 Tl-5 'l'l */K* /Q* L* /D2 */ P* /CS* /Ill *112 7.GE-08 All Yes T1 LH 1 Tl-6 Tl*/K*/Q*L*/D2*/P*/CS*Hl 9.6E-OB All Yes T 1 LCsll 2 Tl-B Tl*/K*/Q*L*/D2*/P*CS*/CV*/Hl*H2 NA Yes Subset of T1 LH 2 which is <lE-7.
| |
| Tl-9 'l'l */K*/Q*L* /D2 */P*CS* /CV*lll NA Yes Subset of T 1 LH 1 which is <lE-7.
| |
| T1LCsCv 'l'l-10 Tl*/K*/Q*L*/D2*/,P*CS*CV 3.BE-10 All Yes T1 LP 'l'l-11 Tl*/K*/Q*L*/D2*P 2.GE-06 All No T 1 LD 2 Tl-12 'fl*/K*/Q*L*D2 1. 9E-06 All No T1 Q: Tl-13 'l'R.l\NSFER TO SMALL LOSS OF COOLAN'l' ACCIUEN'l' (S2)
| |
| *r 1QH 1 S2-2 '1'1*/K*Q*/Dl*/L*/CS*/OD*lll 1. JE-08 All Yes All other combi-nations with S will be below this.
| |
| 'l'l-14 'l'R.l\NSFER 'l'O AN'l'ICIPA'l'ED 'l'RANSIEN'l' WI'l'HOU'l' SCRAM (A'l'WS)
| |
| * TABLE 4.10-1 (Continued)
| |
| ACCIDENT SEQUENCES QUANTIFIED BEFORE RECOVERY Annual Accident Sequence Sequence Expression Sequence Comments/Source Sequence Number Sequence Boolean Equation Frequency Quantified Eliminated Of Information STATION BLACKOUT (SBO)
| |
| SBO-BA'fT (UNI'J.'1 ONLY) : l.2E-05 All No T 1 s-NR7 *r1s-J Tl*/Q*/QS*/L*/W 2 *NR7 8.5E-06 All No T 1 s-W 2 -NR7 TlS-5 Tl*/Q*/QS*/L*W 2 */0*/SL*NR7 4.7E-07 All No T 1 s-W 2 -o-NR7 TlS-9 Tl*/Q*/QS*/L*W 2 *0*/SL*NR7 2.2E-08 All No
| |
| ':"'
| |
| .....
| |
| 0 T 1 s-QS-NR7 TlS-14 Tl*/Q*QS*/L*/W 2 *NR7 J.lE-06 All No I
| |
| C,11 T 1 s-QS-W 2 -NR7 TlS-16 Tl*/Q*QS*/L*W 2 */SL*NR7 l.9E-07 All No SBO-SLOCA (UNI'fl ONLY): 4.BE-06 All No T 18 -W2-SL-NRS
| |
| * 'l'lS-7 Tl*/Q*/QS*/L*W 2 */0*SL*NRS J.JE-06 All No T 18 -W2-0-SL-NRS TlS-11 'l'l*/Q*/QS*/L*W 2 *O*SL*NRS 1. 9E-07 All No T 18 -QS-W2-SL-NRS TlS-18 Tl*/Q*QS*/L*W 2 *SL*NRS l.JE-06 All No SBO-L (UNITl ONLY): 5.0E-05 All No T1s~L *r1s-12 Tl*NRAC-HALFHR*/Q*/QS*L 4.lE-06 All No T 18 -QS-L TlS-19 Tl*NRAC-IIALFHR*/Q*QS*L 4.6E-05 All No
| |
| | |
| TABLE 4.10-1 (Continued)
| |
| ACCIDENT SEQUENCES QUANTIFIED BEFORE RECOVERY Annual Accident Sequence Sequence Expression Sequence Comments/Source Sequence Number Sequence Boolean Equation Frequency Quantified Eliminated Of Information Tl*NRAC-HALFHR*Q*/QS*L 8.lE-08 All No Retained, poten-tial important risk contributor due to station blackout.
| |
| T1 s-Q-QS-L TlS-25 Tl*NRAC-HALFHR*Q*QS*L <5E-10 All Yes No cut sets were retained using a 5E-10 truncation value *
| |
| .,....
| |
| .;:.
| |
| 0 I SBO-Q (UNI'l'l ONLY) : 2.lE-06 All No O')
| |
| T 1 s-Q-NR1 TlS-21 Tl*Q*/QS*/L*NRl 1.5E-06 All No T -Q-QS-NRl
| |
| . lS TlS-24 'l'l*Q*QS*/L*NRl 5.7E-07 All No SB0-BATT2 (UNITS 1 AND 2): 5.lE-07 All No T 1 s-NR7 TlS-3 Tl*/Q*/QS*/L*/O*/SL*NR7 3.4E-07 All No T1 s-O-NR7 TlS-7 Tl*/Q*/QS*/L*O*/SL*NR7 1. 4E-08 All No See TlS-22 comment.
| |
| T 1 s-QS-NR7 TlS-12 Tl*/Q*QS*/L*/SL*NR7 l.6E-07 All No See TlS-22 comment.
| |
| SBO-SLOc;b.LillNI'l'S 1 AND~: 3.JE-06 All No T 1 s-SL-NRS TlS-5 Tl*/Q*/QS*/L*/O*SL*NRS 2.JE-06 All No T1 s-O-SL-NRSTlS-g Tl*/Q*/QS*/L*O*SL*NRS l.2E-07 All No
| |
| | |
| *
| |
| * TABLE 4.10-1 (Continued)
| |
| ACCIDENT SEQUENCES QUANTIFIED BEFORE RECOVERY Annual Accident. Sequence Sequence Expression Sequence Comments/Source Sequence Number Sequence Boolean Equation Frequency Quantified Eliminated Of Information T 1 s-QS-SL-NRS TlS-14 Tl*/Q*QS*/L*SL*NRS B.9E-07 All No SB0-L2 (UNITS 1 AND 2): 6.JE-06 All No T 1 s-L 'l'lS-10 Tl*NRAC-HALFHR*/Q*/QS*L 7.JE-07 All No TlS-15 Tl*NRAC-HALFHR;*/Q*QS*L 5.6E-06 All No T 1 s-Q-L TlS-18 Tl*NRAC-HALFHR*Q*/QS*L l.5E-08 All No See TlS-22 comment.
| |
| T1s-Q-QS-L TlS-21 Tl*NRAC-HALFHR*Q*QS*L <5E-10* All Yes See TlS-25 comment.
| |
| SB0-Q2 (UNITS 1 1\ND 2): 3.9E-07 1\11 No T 1 s-Q~NR1 TlS-17 Tl*Q*/QS*/L*NRl 2.9E-07 All No T 1 s-Q-QS-NR1 TlS-20 'l'l*Q*QS*/L*NRl l.OE-07 All No See TlS-22 comment.
| |
| LOSS OF MAIN FEEDWATER T 2 D3 W '1'2-3 T2*/K*/Q*/L*D3*W l.9E-09 Partial Yes RCP Seal vulnerable.
| |
| T 2 LH 2 T2-5 T2 * /K* /Q*L*/D2 */P* /CS* /Ill *112 2.4E-08 All Yes T 2 LH 1 T2-6 T2*/K*/Q*L*/D2*/P*/CS*Hl 4.4E-07 All No T 2 Lc8 H2 'r2-8 'r2 */K* /Q*L* /D2 * /P*CS* /CV*/111 *112 NA PDS for T 2 LH 2
| |
| * L___
| |
| | |
| TABLE 4.10-1 (Continued)
| |
| ACCIDENT SEQUENCES QUANTIFIED BEFORE RECOVERY Annual Accident Sequence Sequence Expression Sequence Comments/Source .
| |
| Seguence Number Seguence Boolean Eguation Freguenc~ Quantified Eliminated Of Information T2 LCsHl T2-9 T2*/K*/Q*L*/D2*/P*CS*/CV*Hl NA PDS for T2LH1*
| |
| T2LCsCv T2-10 T2*/K*/Q*L*/D2*/P*CS*CV 3.6E-09 All *Yes
| |
| *T 2 LP T2-ll T2*/K*/Q*L*/D2*P 2.2E-05 All No T2 LD 2 '1'2-12 T2*/K*/Q*L*D2 2.0E-05 All No T2Q: '1'2-13 TRANSFER TO S2 T2Qll1 S2-2 T2*/K*Q*/D1*/L*/CS*/OD*Hl 1. 7E-08 All No See Tl-13 comment.
| |
| ......
| |
| ,i::,.
| |
| T2QD1 S2-19 T2*/K*Q*D1 l.2E-08 All Yes 0
| |
| 00 I T2 K T2-14 'l'RANSFER TO A'l'WS MAIN TURBINE TRIP WITHOUT LOSS OF MAIN FEEDHATER T3 D3W T3-3 T3*/K*/Q*/L*D3*W 1.5E-08 All Yes RCP Seal vulnerable.
| |
| T3 LMH 2 T3-6 T3*/K*/Q*L*M*/D3*/D2*/P*/CS* 5.5E-10 All Yes
| |
| /111*112 T3 LMH 1 T3-7 T3*/K*/Q*L*M*/DJ*/D2*/P*/CS*Hl 1.0E-08 All Yes T3 LMc5 n2 TJ-9 T3*/K*/Q*L*M*/D3*/D2*/P*CS* NA PDS for T3 LMH 2 *
| |
| /CV*/111*112 T3 LMc 5 n1 T3-10 T3*/K*/Q*L*M*/D3*/D2*/P*CS* NA PDS for T3 LMH 1 *
| |
| /CV*Hl T3LMCsCv '1'3-11 T3*/K*/Q*L*M*/D3*/D2*/P*CS*CV 1.0E-10 Partial Yes
| |
| * TABLE 4.10-1 (Continued)
| |
| * ACCIDENT SEQUENCES QUANTIFIED BEFORE RECOVERY Annual Accident Sequence Sequence Expression Sequence Comments/Source Seguence Number Seguence Boolean Eguation Freguenc:ll: Quantified Eliminated Of Information T 3 LMP TJ-12 T3*/K*/Q*L*M*/D3*/D2*P 4.4E-07 All No T 3 LMD 2 TJ-13 TJ*/K*/Q*L*M*/03*02 4.5E-07 All No T 3 LMo 3 TJ-14 T3*/K*/Q*L*M*D3 8.BE-10 All Yes T3Q: TJ-15 TRANSFER TO S2 T3QH1 S2-2 TJ*/K*Q*/Dl*/L*/CS*/OD*lll 1. JE-07 All No T3QD1 S2-19 T3*/K*Q*Dl 9.5E-OB Partial Yes See Tl-13 comment.
| |
| .""'
| |
| t--'
| |
| T3QOoll1 S2-5 T3*/K*Q*/D1*/L*/CS*OD*Hl 2.BE-09 Partial Yes 0
| |
| I T3K TJ-16 TRANSFER TO ATWS tO LOBB OF DC DUB Loss of DC Bus lA:
| |
| 'I'5AD3W '1'5-3 T5A*/K*/Q*/L*D3*W <5E-10 All Yes RCP Seal vulnerable.
| |
| T5ALH2 T5-5 T5A*/K*/Q*L*/D2*/P*/CS*/H1*H2 <5E-10 Partial Yes See TlS-25 comment.
| |
| T5ALH1 TS-6 T5A*/K*/Q*L*/D2*/P*/CS*Hl 7.GE-08 Partial Yes T5ALCsH2 '1'5-8 T5A*/K*/Q*L*/D2*/P*CS*/CV*/Hl*H2 NA PDS for T5ALH2*
| |
| T5ALCsH1 T5-9 T5A*/K*/Q*L*/D2*/P*CS*/CV*Hl NA PDS for T5ALH1*
| |
| T5ALCsCv T5-10 T5A*/K*/Q*L*/D2*/P*CS*CV 8.4E-11 All Yes T5ALl> T5-11 T5A*/K*/Q*L*/D2*P 3.BE-06 All No T5ALD2 T5-12 T5A*/K*/Q*L*D2 2.5E-07 All No
| |
| | |
| TADLE 4.10-1 (Continued)
| |
| ACCIDENT SEQUENCES QUANTIFIED BEFORE RECOVERY Annual Accident Sequence Sequence Expression Sequence Comments/Source Sequence Number Sequence Boolean Equation J:'requency Quantified Eliminated Of Information
| |
| 'l'RANSFER 'l'O S2 T5A*/K*Q*/D1*/L*/CS*/00*H1 7.2E-09 Partial Yes See Tl-13 comment.
| |
| T5-14 TRANSFER TO ATWS Loss of DC Bus 18:
| |
| ,i::,. T5aD3W T5-3 T5B*/K*/Q*/L*D3*W <5E-10 All Yes RCP Seal vulnerable.
| |
| ',.....
| |
| 0 T5aLH2 T5-5 T5B*/K*/Q*L*/D2*/P*/CS*/H1*H2 <5E-10 Partial Yes See TlS-25 comment.
| |
| ,.....I 0
| |
| T5aLH1 '1'5-6 T5B*/K*/Q*L*/D2*/P*/CS*H1 7.6E-08 Partial Yes T5aLCsH2 T5-8 T5B*/K*/Q*L*/D2*/P*CS*/CV*/ll1*ll2 NA PDS for T5BLll2.
| |
| T5aLCsH1 T5-9 T5B*/K*/Q*L*/D2~/P*CS*/CV*H1 NA PDS for T5sLll1*
| |
| T5aLCsCv T5-10 T5B*/K*/Q*L*/D2*/P*CS*CV 8.4E-ll All Yes T 58 LP T5-ll T5B*/K*/Q*L*/D2*P 3.BE-06 All No T5aLD2 '1'5-12 T5B*/K*/Q*L*D2 2.7E-07 All No T5BQ: '1'5-13 'l'R.l\NSFER 'l'O S2
| |
| '1'50Qll1 S2-2 T5B*/K*Q*/D1*/L*/CS*/OD*ll1 <5E-10 Partial Yes See Tl-13 comment.
| |
| T50K T5-14 TRANSFER TO ATWS
| |
| *
| |
| * TABLE 4.10-1 (Continued)
| |
| ACCI,DENT SEQUENCES QUANTIFIED BEFORE RECOVER!
| |
| Annual Accident Sequence Sequence Expression Sequence Comments/Source Sequence Number Sequence Boolean Equation Frequency Quantified Eliminated Of Information STEAM GENERATOR TUBE RUPTURE (SGTR)
| |
| T7Qll1 T7-4 T7*/K*/D1*/L3*/0D*Q*/QS*ll1 2.6E-09 All Yes T7QQS T7-5 T7*/K*/D1*/L3*/0D*Q*QS 1. 7E-08 All Yes T7QQsH1 T7-6 T7*/K*/D1*/L3*/0D*Q*QS*H1 3.4E-11 All Yes
| |
| ':'" T700Qs T7-8 T7*/K*/D1*/L3*0D*/Q*QS 6.2E-04 All No
| |
| .....
| |
| 0 I
| |
| ..... T70oQll2 T7-10 T7*/K*/D1*/L3*0D*Q*/QS*/111*112 1. BE-10 All Yes
| |
| .....
| |
| T70oQll1 T7-11 T7*/K*/D1*/L3*0D*Q*/QS*H1 7.5E-10 All Yes T70oQQS '1'7-12 T7*/K*/D1*/L3*0D*Q*QS 7.9E-07 All No T7L3 T7-13 'l'7*/K*/D1*L3 2.9E-06 All No T7D1Qs T7-16 T7*/K*D1*/L3*/0D*/Q*QS 1.4E-07 All No T7D1Q T7-17 T7*/K*D1*/L3*/0D*Q 7.lE-09 All Yes T7D10D T7-18 T7*/K*D1*/L3*0D 3.7E-06 All No T7D1L3 '1'7-19 'r7*/K*D1*L3 4.lE-09 All Yes T7K T7-20 T7*K (ATWS) 6.0E-07 All No Evaluated separate-ly, Does not trans-fer to the ATWS tree.
| |
| | |
| Tl\BLE 4.10-1 (Continued)
| |
| ACCIDENT BEQUENCEB QUl\NTIFIED BEFORE RECOVERY 1\nnual Accident Sequence Sequence Expressi.on Sequence Comments/Source Seguence Number Seguence Boolean Eguation Freguency: Quantified Eliminated Of Information Ll\RGE LOBB OF COOLANT ACCIDENT (l\ LOCl\J AH 1 A-2 A*/D5*/D6*/CS*Hl 7.0E-07 All No
| |
| -ACslll A-4 A*/D5*/D6*CS*/CV*H1 NA PDS for AH1*
| |
| ACsCv A-5 A*/D5*/D6*CS*CV 6.BE-09 All 0 Yes AD 6 A-6 A*/D5*D6 4.7E-07 All No
| |
| ~
| |
| f--"
| |
| 0 I
| |
| AD 5 A-7 A*D5 8.SE-07 All No f--"
| |
| N)
| |
| MEDIUM LOBS OF COOLANT ACCIDENT (Sl LOCl\J S1H1 Sl-2 S1*/D1*/D5*/CS*/D6*H1 1. 4E-06 All No S1D6 Sl-3 Sl*/Dl*/D5*/CS*D6 9.4E-07 All No S1Csll1 Sl-5 Sl*/D1*/D5*CS*/CV*/D6*H1 NA PDS for S1H1*
| |
| S1CsD6 Sl-6 Sl*/D1*/D5*CS*/CV*D6 NA Yes PDS for S1D6.
| |
| S1CsCv Sl-7 Sl*/Dl*/D5*CS*CV 1.SE-08 All Yes S1D5 Sl-8 Sl*/Dl*D5 2.2E-09 All Yes S1D1 Sl-9 Sl*Dl 9.SE-07 All No
| |
| * *
| |
| | |
| *
| |
| * TABLE 4.10-1 (Continued)
| |
| * ACCIDENT SEQUENCES QUANTIFIED BEFORE RECOVERY Annual Accident Sequence Sequence Expression Sequence Comments/Source Seguence Number Seguence Boolean Eguation Freguency Quantified Eliminated Of Information SMALL LOSS OF COOLANT ACCIDENT (B2 LOCAi S2H1 S2-2 S2*/K*/D1*/L*/CS*/OD*Hl 1.6E-06 All No S200Il2 S2-4 S2*/K*/D1*/L*/CS*OD*/H1*H2 9.JE-09 All Yes S200B1 S2-5 S2*/K*/D1*/L*/CS*OD*Hl 3.0E-08 All Yes S2CsH1 S2-7 S2*/K*/D1*/L*CS*/OD/CV*Hl NA PDS for S2H1*
| |
| tf" f--L S2Cs00H2 S2-9 S2*/K*/D1*/L*CS*OD*/H1*H2 NA PDS for S2H2*
| |
| 0 1-f--L c:,,, S2CsOoll1 S2-10 S2*/K*/Dl*/L*CS*OD*Hl NA PDS for S200B1
| |
| * s 2 LH 2 S2-12 S2*/K*/D1*L*/P1*/CS*/Hl*H2 2.GE-11 All Yes S2LH1 S2-13 S2*/K*/D1*L*/Pl*/CS*H1 5.4E-10 All Yes s 2 Lc8 B2 S2-15 S2 * /K*/Dl *L*/Pl *CS* /CV* /Ill *H2 NA PDS for S2LH2*
| |
| s 2 Lc8 u1 S2-16 S2*/K*/D1*L*/P1*CS*/CV*H1 NA PDS for S2LH1*
| |
| S2LCsCv S2-17 S2*/K*/D1*L*/Pl*CS*CV <5E-10 All Yes See TlS-25 comment.
| |
| s 2 LP1 S2-18 S2*/K*/D1*L*Pl 3.0E-08 All Yes S2D1 S2-19 S2*/K*D1 9.BE-07 All No s2 K S2-20 TRANSFER TO ATWS
| |
| | |
| TABLE 4.10-1 (Continued)
| |
| ACCIDENT BEQUENCEB QUANTIFIED BEFORE RECOVERY Annual Accident Sequence Sequence Expression Sequence Comments/Source Seguence Number Seguence Boolean Eguation Freguenc~ Quantified Eliminated Of Information VERY BMALL LOSS OF COOLANT ACCIDENT {93 LOCAi S3W3H1 SJ-3 S3*/K*/D1*/QC*/L*/OD*W3*lll 3.7E-07 All No S30oll2 SJ-5 S3*/K*/D1*/QC*/L*OD*/Hl*H2 1. JE-07 All No S30oH1 SJ-6 SJ* /K* /Dl */QC* /L*OD*Hl 4.5E-07 All No S 3 LH 1 SJ-8 SJ*/K*/Dl*/QC*L*/OD*/WJ*Hl 7.0E-09 All Yes
| |
| ......
| |
| ~ s 3 Lw 3 n1 SJ-10 S3*/K*/D1*/QC*L*/OD*W3*Hl <5E-10 All Yes See TlS-25 comment.
| |
| 0
| |
| .....I S 3 Lo 0 H2 SJ-12 S3*/K*/Dl*/QC*L*OD*/Hl*H2 <5E-l0 All Yes See TlS-25 comment.
| |
| ~
| |
| S 3 Lo 0 n1 SJ-13 SJ*/K*/Dl*/QC*L*OD*Hl <5E-10 All Yes See TlS-25 comment.
| |
| s 3 LMH 2 SJ-15 S3*/K*/Dl*/QC*L*M*/P*/CS* 1. 7E-08 All Yes
| |
| /111*112 s 3 LMH 1 SJ-16 S3*/K*/Dl*/QC*L*M*/P*/CS*Hl 5.9E-08 All Yes S 3 LMc 5 H2 SJ-18 S3*/K*/Dl*/QC*L*M*/P*CS*CV* NA Yes PDS for S3LMH2.
| |
| /Hl*H2 s 3 LMc 8 11 1 SJ-19 SJ*/K*/Dl*/QC*L*M*/P*CS*CV*lll NA Yes PDS for s 3 LMH 1
| |
| * S3LMCsCv SJ-20 SJ*/K*/Dl*/QC*L*M*/P*CS*CV <5E-10 All Yes See TlS-25 comment.
| |
| S 3 LMP SJ-21 SJ*/K*/Dl*/QC*L*M*P <5E-10 All Yes See TlS-25 comment.
| |
| * TABLE 4.10-1 (Continued)
| |
| * ACCIDENT SEQUENCES QUANTIFIED BEFORE RECOVERY Annual Accident Sequence Sequence Expression Sequence Comments/Source Sequence Number Sequence Boolean Equation Frequency Quantified Eliminated Of Information TRANSFER TO THE S2 TREE S3*/K*/Dl*QC*Hl 7.0E-10 All Yes All other combi-nations with S will be below lhis.
| |
| SJ-23 SJ*/K*Dl 1.6E-05 All No SJ-24 TRANSFER TO ATWS INTERFACING LOSS OF COOLANT ACCIDENT (V)
| |
| EVENT V V-1 INTERFACING LOCA SEQUENCE 1.2E-06 All No ANTICIPATED TRANSIENT WITHOUT SCRAM TKRD 4 TK-3+ T*K*R*D4 5.7E-07 All No
| |
| 'rK-11+
| |
| 'l'K-16 TKRQD 4 'l'K-5+ T*K*R*Q*D4 <5E-10 All Yes TK-13+
| |
| 'l'K-18+
| |
| TKRL 2 'l'K-6+ 'l'*K*R*L2 6.BE-08 All Yes
| |
| 'l'K-14+
| |
| 'l'K-19 TKRP 2 'l'K-7+ 'l'*K*R*P2 9.6E-09 All Yes
| |
| | |
| TABLE 4.10-1 (Continued)
| |
| ACCIDENT SEQUENCES QUANTIFIED BEFORE RECOVERY Annual Accident Sequence Sequence Expression Sequence Comments/Source Sequence Number Sequence Boolean Equation Frequency Quantified Eliminated Of Information TKRT TK-B T*K*R*/PL*/Zl*/Z*T 9.6E-OB All Yes TKRZ TK-9 T*K*R*Z B.4E-07 All No NO'fE: All branches on the ATWS event tree have been included in these six branches.
| |
| * *
| |
| * process. Those sequences where quantification was performed on (1) partial sequence expressions and (2) the full sequence expression are also identified~
| |
| * 4.10.3 Application of Operator Recovery Actions The sequences with a frequency of 1E-7 or greater were identified in Table 4.i 0-1.
| |
| Those sequences not eliminated were then fully quantified; that is, the initiator and the remaining system failures and successes were incorporated into the accident sequence expression. The tiext major step performed in the quantification process was opera tor recovery analysis. The recovery analysis was conducted in four major steps:
| |
| * Identification of those recovery actions applicable to an entire sequence. (i.e., applicable to every cut set within the sequence).
| |
| * Identification of the individual failures within a cut set and determining the appropriate recovery actions for the cut set.
| |
| * Calculation of the probabilities for failure to complete recovery actions~
| |
| * Quantification of the recovery actions in the accident sequences (i.e.,
| |
| incorporate the non-recovery probabilities into the cut sets).
| |
| Some recovery actions were applied on a sequence level. These typically involved cross connection of failed mechanical systems to operable Unit 2 systems or recovery of off site power. After applying recovery actions to a sequ~nce, each of the cut sets was examined to ensure that the action was appropriate. Recovery actions were then con-
| |
| * sidered at the cut set level. Recovery actions were included if they were directly stated in the emergency or abnorm~l procedures, or could be expected to result directly from a procedural step or group o*f steps and sufficient time existed to allow diagnosis and completion of the action. Some credit was allowed for recovery actions not specifically identified in the plant procedures. This type of recovery is termed "innovative recovery". The rationale behind allowing f~r actions not procedurally identified was to give credit to the recovery that the *plant's accident response team could provide in long term accident sequences. The single event identifi~d as innovative recovery in the Surry analysis is isolation of a stuck open safety relief valve by gagging it shut.
| |
| The following discussion identifies the plant specific recovery actions and the associated failure event codes, their applications, and limitations on their application to the Surry cut sets and sequences. Table 4.10.::.2 summarizes the recovery factors and details the hardware and human error contributions. The human error portions are discussed in detail in Section 4.8.4.
| |
| :Alignment* of Unit 2 AFW *Flow to Unit 1 A cross connect of the Unit 1 and Unit 2 AFW systems allows flow from the Uriit 2 AFW pumps to be provided to the discharge headers of the Unit 1 AFW system. *one of two motor operated valves in parallel must be opened by the opera tor and the. Unit 2 AFW system must be manually started to provide flow through the cross connect. In additon, the injection valves to Unit 2 SGs must be closed to divert flow to Unit 1. The dominant failures of the Unit 1 AFW system were common cause failure of all three pumps or flow diversion of Unit 1 AFW to Unit 2, through an inadvertently open cross-connect valve; neither of which would result in the inability to perform this recovery action. There were three different variations of this recovery action, one for all transients except station blackout (SBO), one for SBO at Unit 1 only, and one for SBO at both units.
| |
| * 4.10-17
| |
| | |
| TABLE 4.10-2 RECOVERY FACTORS Total Human Hardware Identifier Unavailability Error Failure Hardware Comments ACP-XHE-FO-STBBS 1. 4E-2 1. lE-2 J.OE-3 CIRCUIT BREAKER FAILS TO TRANSFER.
| |
| AFW-XIIE-FO-CS'l'2 6.5E-2 6.4E-2 1. OE-3 MANUAL VALVES FAIL TO TRANSFER.
| |
| AFW-XHE-FO-MNACT 2.7E-J 2.7E-3 NO HARDWARE INVOLVED.
| |
| AFW-XHE-FO-UlSBO 8.2E-2 4.BE-2 J.4E-2 UNIT2 < 10% (.35)
| |
| * MDP-FS/FR +
| |
| UNIT2 > 10% (.65)
| |
| * TDP-FS/FR.
| |
| ,la-
| |
| 'I-' AFW-XHE-FO-U2SBO 7.5E-2 7.5E-2 HARDWARE IS EXPLICITLY INCLUDED 0 IN '!'HE SBO SEQUENCES AS A BOOLEAN I
| |
| I-' EXPRESSION.
| |
| 00 AFW-XIIE-FO-UNIT2 J.6E-2 J.JE-2 J.lE-3 AFW-CKV-FT/PG-CV273 + 2
| |
| * MOV-FT-25l*(MOV-FT-160 + FT-ISOL)
| |
| + CCF-FT-160A/B +
| |
| UNIT2 < 10% (.35)
| |
| * MDP-FS.
| |
| CLS-XHE-FO-MAN-A 2.7E-3 2.7E-3 NO HARDWARE INVOLVED.
| |
| CLS-XIIE-FO-MANSl 2.7E-J 2.7E-J NO HARDWARE INVOLVED.
| |
| CLS-XIIE-FO-MANS2 2.7E-3 2.7E-J NO HARDWARE INVOLVED.
| |
| CPC-XIIE:...FO-CMNS2 J.BE-2 J.BE-2 NO HARDWARE INVOLVED.
| |
| CPC-XHE-FO~REALN 7.0E-2 5.9E-2 1.lE-2 CPC-MUP-FS +
| |
| CPC-MDP-MA +
| |
| CPC-MDP-FR-10 HOURS.
| |
| CPC-XIIE-FO-SMNSl J.BE-2 J.BE-2 NO HARDWARE INVOLVED.
| |
| .C-XIIE-FO-SMNS2 J.BE-2 J.BE-2 NO HARDWARE INVOLVED.
| |
| | |
| TABLE 4.10-2 (Continued)
| |
| * RECOVER! FACTORO Total Human Hardware Identifier Unavailability Error Failure Hardware Comments HPI-XIIE-FO-ALT 6.lE-1 2.7E-3 6.lE-1 RA'rIO OF BE'rAJ/BE'l'A2.
| |
| HPI-XIIE-FO-AL'l'IN 5.7E-3 2.7E-3 3.0E-3 HPI-MOV-F'r-1842 FROM CONTROL ROOM.
| |
| HPI-XIIE-FO-AL'l'IJ 7.0E-4 2.7E-3 J.OE-3 IIPI-MOV-FT-1842 FROM CONTROL ROOM*
| |
| 6.4E-2 5.BE-2 IIPI-F'r-1867C/D LOCAL OPENING.
| |
| HPI-XHE-FO-ALTSJ 7.4E-2 2.7E-3 6.lE-1 IIPI-MOV-F'r-1842 FROM CONTROL ROOM *
| |
| ':"' 6.4E-2 5.BE-2 HPI-FT-1867C/D LOCAL OPENING.
| |
| t--"
| |
| 0 I
| |
| t--"
| |
| HPI-XHE-FO-UN2Hl l.6E-3 1.lE-2 3.0E-4 FAILURE TO CROSS CONNECT RWST
| |
| * tO 1. JE-1 9.BE-3 FAILURE TO CROSS CONNECT HP!.
| |
| HPI-XHE-FO-UN2S2 3.lE-1 3.0E-1 9.BE-3 HPI-MDP-FS/FR/MA-CHlC +
| |
| I1PI-CKV-FT/PG-CV276 +
| |
| IIPI-MOV-FT-278 +
| |
| I-1PI-MOV-FT-286C/287C.
| |
| HPI-XHE-FO-UN2SJ 4.4E-2 3.4E-2 9.BE-3 HPI-MDP-FS/FR/MA-CIUC +
| |
| HPI-CKV-FT/PG-CV276 +
| |
| HPI-MOV-FT-278 +
| |
| HPI-MOV-FT-286C/287C.
| |
| IIPI-XIIE-F0-20DH2 4.JE-3 1. JE-1 9.BE-3 FAILUHF; 'l'O x-comrncT IIPI *
| |
| : 1. lE-2 3.0E-4 FAILURE '110 X-CONNECT RWST PLUS 2.7E-3 ------ AN OVERALL DIAGNOSIS ERROR.
| |
| HPI-XHE-F0-30DH2 2.lE-3 1. JE-1 9.BE-3 FAILURE 'l'O X-CONtrnc*r BPI
| |
| * 1.lE-2 3.0E-4 FAILUHE 'l'O X-CONNECT RWST PLUS 5.2E-4 ------ AN OVERALL DIAGNOSIS ERROR.
| |
| MCW-CCF-VF-SBO 6.0E-2 5.9E-2 9.0E-4 DIESEL-PUMP-FS
| |
| * DIESEL-PUMP-FS
| |
| ( FAILURE TO RES'l'ORE CANAL LEVEL)
| |
| | |
| TABLE 4.10-2 (Continued)
| |
| RECOVERY FACTORS Total Human Har.dware Identifier Unavailability Error Failure Hardware Comments MSS-XHE-FO-ISAFW 6.BE-6 J.4E-J 2.0E-3 FAILURE OF 1 OF 2 CHECK VALVES TO SEA'!'
| |
| MSS-XHE-FO-BLOCK 6.4E-2 6.4E-2 ------
| |
| MSS-XHE-FO-ISBDN 3.4E-J J.4E-3 ------
| |
| NRAC-150 MIN 2.lOE-1 2.lOE-1
| |
| .
| |
| ,i::,.
| |
| f--"
| |
| l.50E-1 0 NRAC-201 MIN l.50E-1 I
| |
| I:,:)
| |
| 0 NRAC-216 MIN 1. JBE-1 1. JBE-1 NRAC-234 MIN l.2JE-l 1. 2JE-1 NRAC-246 MIN 1.15E-1 1.15E-1 NRAC-258MIN 1. OBE-1 1. OBE-1 NRAC-HALFHR 6.00E-1 6.00E-1 NRAC-lllR 4.40E-1 4.40E-1 NRAC-711R 5.00E-2 5.00E-2 NRAC-6HR-AVG 1. 94E-1 1. 94E-1 NRAC-24HR-AVG 6.lOE-2 6.lOE-2 0 4.9E-2 4.4E-2 5.0E-3 GENERIC HARDWARE ESTIMATE.
| |
| * *
| |
| * TABLE 4.10-2 (Continued)
| |
| * RECOVERY FACTORS Total Human Hardware Identifier Unavailabiliti: Error Failure Hardware Comments R 1. 7E-1 1.0000 1. OE-5 R = (1.00)
| |
| * MECIIANCICAL ( 1. OE-5) +
| |
| 2.7E-3 5.0E-5 (2.7E-3)
| |
| * ELEC'l'RICAL (5.0E-5).
| |
| REC-XHE-FO-DGEN 9.0E-1 ------ 9.0E-1 REC-XHE-FO-DGHWB 6.0E-1 ------ 6.0E-1 REC-XHE-FO-DGHWS B.OE-1 ------ 8.0E-1
| |
| .""'
| |
| I-'
| |
| REC-HXE-FO-DGTMS 5.0E-1 ------ 5.0E-1 0
| |
| I N)
| |
| REC-XHE-FO-DGTMS 7.0E-1 ------ 7.0E-1 I-'
| |
| REC-XHE-FO-DPRES 1.4E-2 1. 4E-2* ------ HARDWARE IS INCLUDED IN OD FAULT TREE.
| |
| REC-XHE-FO-GAGRV J,OE-1 ------ JE-1 INNOVATIVE RECOVERY.
| |
| RMT-XHE-FO-MAN-A 6.4E-2 6.4E-2
| |
| \
| |
| ------ NO HARDWARE INVOLVED.
| |
| RMT-XHE-FO-MANSl 6.4E-2 6.4E-2 ------ NO HARDWARE INVOLVED.
| |
| RMT-XHE-FO-MANS2 2.7E-3 2.7E-3 ------ NO HARDWARE INVOLVED.
| |
| SIS-XHE-FO-MANSl 2,7E-3 2.7E-3 ------ NO HARDWARE INVOLVED.
| |
| SIS-XllE-FO-MANS2 2,7E-3 2,7E-3 ------ NO HARDWARE INVOLVED.
| |
| SWS-XHE-FO-OPEN 2.4E-l ------ 2.4E-1
| |
| | |
| AFW-XHl!-FO-UNIT2~ This event was used for all sequences where AFW was needed, but not for station blackout. The unavailability was determined to be 3.6E-2. The total unavailability breaks down into an operator contribution of 3'.3E-2 and hardware faults 3E-3'. This event was not applied during SBO sequences*.
| |
| AFW-XHE-FO-UlS80. The unavaila~ility of AFW from Unit 2 following SBO at Unit 1 was calculated to be 8.2E-2, with 4.8E-2 attributable to human error. The hardware unavailability was 3.4E-2.
| |
| AFW-XHE-FO-U2S80. The unavailability of AFW from Unit 2 following SBO at both Units 1 and 2 was determined to be 7.5E-2. This was all due to human error, since the hardware contributions were explicitly modeled in the L-Sl30U1U2 Boolean equation (Appendix B).
| |
| Manual Actuation *of Auxiliary Feedwater Systems AFW-XHE-FO-MNACT. The AFW system can be manually actuated upon failure of automatic actuation to occur. The operator must diagnose the failure of automatic actuation and manually start the AFW pumps and steam supply to the turbine-driven pump. The failure to manually initiate AFW was assessed to be 2~7E-3, which consists of opera tor failure to diagnose the problem and perform the action. This recovery factor was applied to all cut sets involving failure of the AFW to automatically initiate the purnps and steam supply valves to the turbine-driven pumps. This recovery factor was not applied to cut sets where both trains of actuation failed in the same cut set.
| |
| Manual Bypass*of*the*CPC*System Service*Water Strainers CPC-XHE-FO-REALN. In the event that flow is lost through the CPC system service water strainers, the operator_ can bypass the strainer assembly by providing service water from the Unit 2 CPC system. To perform this operation, the operator must diagnose the problem prior to failure of the charging pumps, manually open the valves required to cross connect the systems, and ensure that sufficient flow is available from the Unit 2 CPC system. A time of 10 minutes was allowed to cpmplete this operation based on the estimated time a charging pump could operate without cooling. This assessment is conservative because most of the strainer loss of flow occurrences which have .happened at the plant involved strainer plugging and not an abrupt loss of service water. Decrease in service water was gradual. The failure to perform these actions was assessed to 7.0E-2, of. which 2.7E-2 was diagnosis error, 3.2E-2 actuation error, and 1.lE-2 hardware faults. This recovery action was applied to all cut sets which included long term failures of the CPC service water system. No recovery of strainers was applied to the short term sequences due to the relatively short time available and the number of other operator actions required in the short term.
| |
| Manual*Actuation of Charging*Pump *cooling *systems CPC-XHE-FO-CMNS2, CPC-XHE-FO-SMNS2, CPC-XHE-FO-SMNS1. The CPC can be manually actuated upon failure of automatic actuation to occur. The operator must diagnose the failure of automatic actuation and manually actuate the service water and cooling water subsystems prior to failure of the HPI pumps. CPC discharge pressure and HPI pump temperature indications would alert the operator to the need for actuation of the CPC systems. The failure to manually initiate CPC was assessed to be 3.8E-2, which consists of operator failure to diagnose the problem and perform the action. This 4.10:..22
| |
| | |
| recovery fac~or was applied to all the cut sets involving failure of the CPC to automati:..
| |
| * cally initiate. This £actor was not applied to failure of both CPC actuation trains in the same cut set~ *
| |
| * Manual Actuation* of Containment Safeguards *systems CLS-XHE-FO-MAN. The CLCS can be manually actuated upon failure of automatic actuation to occur. The operator inust diagnose the failure of automatic actuation and manually actuate the injection and recirculation spray systems prior to overpressuri-zation of the containment. Containment pressure and temperature indications and the likely presence of a CLCS-HI signal would alert the operator to the need for actuation of the spray systems. The failure to manually initiate CLCS was assessed to be 2.7E-3 which consists of operator failure to diagnose the problem and perform the action. This recovery factor was applied to all the cut sets involving failure of the CLCS to automatically initiate the spray systems. This £actor was not applied to failure of both CLCS actuation trains in the same cut set.
| |
| Recovery of SGTR by *Plant* Cooldown a:nd*Depressur'iz-ation REC-XHE-FO-DPRES. Following a steam generator tube rupture (SGTR) event, the operator will cooldown and depressurize the plant to stop the leak. Should the cooldown and depressurization fail, either due to human error or hardware faults, several hours still remain before core damage~ This recovery event accounts for recovery of the initial human error for failure to depressurize. Several hours into the event, additional control room staff can be assumed to be available, and credit is given for their cooldown and
| |
| ~epressurization of the plant~ An unavailability of L4E-2 was calculated for this event, with no contribution from hardware faults. The unavailability is a human error probability conditional on previous failure to depressurize.
| |
| Recovery of a DieseI*Generator *following Station*Btackout Diesel generator failures included all of the miscellaneous dedicated support systems re-quired for successful diesel operation. In many cases, failure of the diesel generator could be recovered. Recovery of the diesel gei:iera tors was applied only to SBO sequences. The probability for recovery was estimated based on the timing involved:
| |
| time from the start of SBO to time when the diesels would be needed to prevent core damage. Recovery probabilities were based on ASEP generic data.
| |
| Ali'gnment of Unit *2 HPI 'Flow to Unit 1 A cross connect of the Unit 1 and Unit 2 HPI systems allows flow from the Unit 2 charg-ing pump C to be provided to the discharge line of the Unit 1 C train charging pump.
| |
| Two manual valves in series must be locally opened by the operator. It was assumed that the Unit 2 C train charging pt!mp must be started to provide flow through the cross connect.
| |
| HPI-XHE-FO-UN2S3. The unavailability for s3, T7, and TQ sequences was determined to be 4.4E-2, of which 3.4E-2 is due to operator error and 9.8E-3 is due to hardware failures. This recovery factor was applied to those cut sets in sequences involving failures of HPI due to faults upstream of the Unit 1 charging pump discharges. This recovery factor w~s .not applied to sequences involving S1 or s2 LOCAs, due to the timing considerations. A separate recovery factor was applied to 52 LOCAs. No recovery credit was given to the s1 LOCAs because th~ time required to diagnose the need for and make operational the cross connect was longer than the estimated time 4.10-23
| |
| | |
| between the failure of HPI and the onset of core damage~ More discussion of these timing considerations is found in Section 4~&".
| |
| HPI-XHE--P~UN2S2~ This recovery factor is applicable to s2 events*. It is similar to HPI-XHE-F0-UN2S3 previously described. The only difference is that a human error probability of 3.0E-1 was used to account for the lin:iited _time available for diagnosis of the event. The total unavailability for this event .is 3.lE-1.
| |
| HPI-XHE-FO-UN2Hl. This recovery factor is recovery of Unit* 1 Low Pressure Recirculation (S2 and S3) by cross connecting Unit 2 HPI (as described above) or by cross connecting to ttie Unit 2 R WST. The total unavailability for this event (1.6E-3) is the failure of both recovery paths. The respective human error probabilities were summed with the hardware unavailability to determine the failure probability of each path~
| |
| Failure of the operator to cross connect HPI was evaluated to be 1.3E-1, summed with a hardware unavailability of 9.8E-3. Failure of the operator to cross connect RWST (1.lE-2) was combined with a hardware unavailability of 3.0E-4.
| |
| HPI-XHE-F0-20DH2. This recovery factcor is similar to HPI-XHE-FO-UN2Hl described previously. The only difference is that this event occurs after a previous operator error. An additional diagnosis error (2.6E-3) was added to account for failure to recognize the previous error. This factor was used to recover s2o 0 H2 and S20nH 1 sequences.
| |
| HPI-XHE-F0-30DH2. This recovery factor is identical to HPI-XHE-F0-20DH2, described above, except that the diagnosis error is smaller (5.2E-4) due to the extended timing of the sequence.
| |
| Opening *of Al tema te *Cold 'Leg High Pressure* Injection Valve An alternate cold leg injection_ valve (MOV-1842) is available to provide flow to the cold legs from the charging pumps. The operator must manually open the valve from the control room to provide flow to the cold legs. In sequences where the timing permitted, local valve operation was credited*. The operator action was determined to be skill based for operation from the control room~ An action error of 3.2E-2 was applied to local operation. This recovery factor was applied to those cut sets in sequences involving failures of HPI due to faults in the pa_rallel injection valve arrangement (MOV-1876C and MOV-1867D). However, recovery actions were not included in the loss of offsite power cut sets which include failure of DG /11 since MOV-1842 is powered from MCC lHl-2 which would be powered from diesel genera tor II 1.
| |
| HPI-XHE-PO-ALTIN. This event is recovery of HPI following random independent failure of the HPI discharge motor-operated valves (MOVs). It is used in s2 where timing dictates it must be done from the control room. It was not applied to s3 and Tz sequences. This action involv~s opening of the cold leg injection valve from the control room. A hardware error of 3.0E-3 for the MOV failing to open was combined with a human error probability of 2.7E-3 to yield a total unavailability of 5.7E-3.
| |
| HPI-XHE-FO-ALTI3. This event is similar to HPI-XHE-FO-AL TIN described above. This event is used only in S3 and T7 sequences, where the timing permits local operation of the valve. The hardware contribution was derived from the failure to locally open one of two valves that had previously failed to open automatically. The failure probability for each valve was .24. Ccmbining the failure to open the valves from the control room with the failure to locally operate the valves (6.4E-2 human error + 5.8E-2 hardware unavailability) results in a total eve.nt unavailability of 7.0E-4.
| |
| 4.10-24
| |
| | |
| HPI-XHE.-FO-ALT. This event is recovery of HPI following common cause failure of the HPI discharge MOVs. It was used in s2 where timing dictates it be done from the control s
| |
| room. It was not applied to 3 and 17 sequences. The ''hardware" unavailability is the ratio of the beta factor for three valves to fail by common cause over the beta factor for two valves to fail by common cause, or 6JE-1. The human error probability is 2~7E-3, resulting in a total event unavailability of 6.lE-1.
| |
| HPI-XHE-FO-ALTS3. This event is similar to HPI-XHE-FO-AL T, but is used on S3 and T7 where timing allows for local valve operation. The hardware failure probability for local opening is .24 per valve. A human error probability of 6.4E-2 is first combined with a hardware unavailability of 5.8E-2, for local operation; and then combined with a failure to actuate from the control room (.61) leads to a total event unavailability of 7.4E-2.
| |
| Recovery of Offsite Power Within* One* Hour NRAC-lHR~ The probability of failure to restore offsite power within one ho!,.lr was assessed to be 0.44 based on a plant specific calculation from NUREG/CR-5032.(l3J This recovery factor was applied to all cut sets in T 1 sequences which included diesel generator failures.
| |
| Manual Initiation *of *switchover from ln'jection to Recirculation RMT-XHE-FO-MAN. The RMT system can be manually actuated upon failure of auto-matic actuation to occur. The operator must diagnose the failure of automatic actuation and manually actuate switchover in the short period of time available during the drop in RWST level from 18% to 2%. This was calculated to be 9 minutes for S1 and 5 minutes for A LOCA. The failure to manually initiate recirculation switchover was assessed to be 2.7E-3 for s2 LOCA and 6.4E-2 for A and ~1 LOCAs, which consist entirely of failure to diagnose the problem in the allowable time. The 2.7E-3 value was also conservatively applied to s3 LOCAs. This recovery factor was applied to all of the cut sets involving failure of ttie RMT system to automatically initiate switchover. This recovery factor was not applied to failure of both RMT actuation trains A and B in the same cut set, since there is no indication that actuation failed.
| |
| Recovery from a Stuck Open SG* Safety*Relief Valve REC-XHE-FO-GAGRV. In the event of a stuck open SG safety relief valve, the only means an operator ha~ for isolating the valve is to gag it. Gagging a safety relief valve falls under the guidelines of innovative recovery. It is not directly listed in the Surry procedures, but Surry opera tors specified this recovery action to a stuck open SG safety relief valve scenario. An unavailability of 0.3 was assigned to this event.
| |
| * Manual Opening of SWS Valves to the 'ISR' and OSR Coolers SWS-XHE-FO-OPEN. Following the common cau~e failure of the service water valves on the ISR and OSR heat exchangers to open, the 9perator would be expected to attempt to manually open the valves locally, using a hand-wheel. Another option would be to repair the valve opera tor. The fai,lure of the opera tor to be able to open one or more of the valves was judged to be 0.24. This failure to recover event consists entirely of hardware faults, as the human error probability to diagnose the situation was. assessed to be very low. This value reflects a subjective assessment of the inability to open at least one valve manually, given an initial common cause failure of all four valves. This event was applied to all cut sets which include the common cause failure of the valves. The ISR 4.10-25
| |
| | |
| suction head, caused by insufficient suction cooling. The OSR pumps however, would still be operating and could provide containment heat removal once the service water valves were opened.
| |
| These recovery. factors were applied to each of the sequences in Table 4~10-1 that were retained after the, initial s_creening*. Table 4.10-3 details the application of the reco.very factors to these sequences.
| |
| Once the recovery terms were incorporated into the accident sequence cut set expres-sions, the sequences were requantified~ Those resulting in a frequency of lE-7 or greater were retained for the final quantification. The final quantification consjsted of a sequence and total core damage frequency point estimates, means, tJncertanties, and importance measures using the mean data values, evaluated with TEMAC computer code. Table 4.10-4' lists those sequences eliminated and those retained after th~
| |
| recovery analysis quantification~
| |
| 4.10.4 Assessment of the Impact of Operator Actions Applying operator actions independently often does not accurately model the conditions projected for a given accident sequence. Multiple operator actions combined into a single cut set can result in underestimating the cut set and sequence frequency. To verify that the quantification and recovery process did not produce artifically low estimates of cut set frequencies, two additional quantification runs were made following the fihal quantification. The first run set all operator actions to 1.0. In the second run only the opera tor contributions to the recovery factors were set to 1.0. Both runs were conducted on all of the sequences quantified by SETS. The results of these two runs and the final quantification point estimates are shown in Table 4.10-5.
| |
| 4.10-26
| |
| | |
| TABLE 4.10-3 Dominant Accident Sequences Prior To Recovery Accident Sequence Applicable Sequence Number Sequence Boolean Equation Recovery Actions/Comments LOSS OF OFFSITE POWER Tl-3 Tl*/K*/Q*/L*DJ*W NRAC-1.5HR Recovery of AC power within 1.5 hours. Applied to all cut sets.
| |
| w2* Recovery of seal cooling by cross conn~cting to Unit 2. Same as event W2 in the station blackout event tree. Applied to all cut sets.
| |
| Tl-11 Tl*/K*/Q*L*/D2*"P AFW-XHE-FO-MNACT Manual actuation of AFW, applied to cut sets where AFW pump and valve actuation failed.
| |
| AFW-XHE-FO-UNIT2 Cross connect to Unit 2 AFW, applied to all cut sets.
| |
| NRAC-HALFHR Recovery of AC power within one half hour. Applied to cut sets with diesel generator failure, except where the AFW failure was 'l'urbine Driven Pump fail to run.
| |
| NRAC-24HR-AVG Time averaged recovery of AC power.
| |
| Applied to cut sets with diesel generator failure, combined with AFW failure of Turbine Driven Pump fail to run.
| |
| Tl-12 Tl*/K*/Q*L*D2 AFW-XHE-FO-MNACT Manual actuation of AFW, applied to cut sets where AFW pump and valve actuation failed.
| |
| AFW-XHE-FO-UNI'r2 Cross connect to Unit 2 AFW, applied to all cut sets.
| |
| | |
| TABLE. 4 .10-3 (Continued)
| |
| Dominant Accident sequences Prior To Recovery Accident Sequence Applicable Sequence Number Sequence Boolean Equation Recovery Actions/Comments CPC-XHE-FO-REALN Cross connect to Unit 2 CPC, applied to cut sets where the CPC Service Water strainers or pumps failed.
| |
| NRAC-HALFHR Recovery of AC power within one half hour. Applied to cut sets I . with diesel generator failure, except where the AFW failure was Turbine Driven Pump failed to
| |
| .
| |
| ~
| |
| ~ N.RAC-24HR-AVG run.
| |
| Time averaged recovery of AC power*
| |
| 0 I Applied to cut sets with diesel
| |
| ~
| |
| 00 generator failure, combined with AFW failure of rurbine Driven Pump fail to run.
| |
| Tl-14 TRANSFER TO ANTICIPA'l'ED TRANSIENT WITHOUT SCRAM (ATWS)
| |
| STATION BLACKOUT (SBO)
| |
| SBO-BATT (UNIT! ONLY):
| |
| T1s-NR7 TlS-3 Tl*/Q*/QS*/L*/W2*NR7 REC-XIIE-FO-DGJIWB Recovery from diesel generator hardware faults, applied to cut sets with diesel fail to start and common cause diesel failure. 6 hour time frame.
| |
| | |
| TABLE 4.10-3 (Continued)
| |
| * Dominant Accident Sequences Prior To Recovery Accident Sequence Applicable Sequence Number Sequence Boolean Equation Recovery Actions/Comments REC-XHE-FO-DGTMB Recov.ery from diesel generator unavailability due to maintenance. Applied to cut sets with diesel test and main-tenance unless a hardware recovery was already added. 6 hour time frame.
| |
| T1s-W 2 -NR7 TlS-5 Tl*/Q*/QS*/L*W2*/0*/SL*NR7 Same as T1S-NR7.
| |
| T1s-W 2 -o-NR7 \
| |
| TlS-9 Tl*/Q*/QS*/L*W2*0*/SL*NR7 Same as.1T1S-NR7.
| |
| T1 s-QS-NR7 TlS-14 Tl*/Q*QS*/L*/W2*NR7 Same as T1S-NR7.
| |
| T1s-QS-W 2 -NR7 TlS-16 Tl*/Q*QS*/L*W2*/SL*NR7 Same as TlS-NR7.
| |
| SBO-SLOCA (UNIT! ONLY):
| |
| '!' 1 s-W 2 :-SL-NRS TlS-7 Tl*/Q*/QS*/L*W2*/0*SL*NRS REC....,XIIE-FO-DGIIWS Recovery from diesel generator hardware faults, applied to cut sets with diesel fail to start and common cause diesel failure. J hour time frame.
| |
| REC-XI-IE-FO-DGTMS Recovery from diesel generator unavailability due to main-tenance. Applied to cut sets with diesel test and main-tenance, unless a hardware recovery was already added.
| |
| 3 hour time frame.
| |
| | |
| TABLE 4.10-3 (Continued)
| |
| Dominant Accident sequences Prior To Recovery Accident Sequence Applicable Sequence Number Sequence Boolean Equation Recovery Actions/comments T1s-W 2 -o-SL-NRS TlS-11 Tl*/Q*/QS*/L*W2*0*SL*NRS Same as T1S-W2-SL-NRS.
| |
| T1s-QS-W 2 -SL-NRS TlS-18 Tl*/Q*QS*/L*W2*SL*NRS Same as TlS-W2-SL-NRS.
| |
| SBO-L (UN!Tl ONLY):
| |
| T1s-L TlS-12 Tl*NRAC-HALFHR*/Q*/QS*L AFW-XIIE-FO-UlSBO Cross connect of.AFW from Unit 2,
| |
| .""'
| |
| ~
| |
| 0 NRAC-6HR-AVG applied to all cut sets.
| |
| Time averaged recovery of AC power, I
| |
| c...:,
| |
| Applied to cut sets with AFW 0 Turbine Driven Pump fail to run, replacing NRAC-HALFHR.
| |
| REC-XHE-FO-DGEN Recovery from diesel generator faults applied to cut sets with.
| |
| diesel fail to start, mainten-ance, or common cause diesel failure. 1 hour time frame.
| |
| TlS-19 Tl*NRAC-HALFHR*/Q*QS*L AFW-XHE-FO-CST2 QS fails AFW due to SG inventory depletion. Recovery is possible by aligning the CST from Unit 2.
| |
| Applied to cut sets as an addi-tional single point AFW failure.
| |
| NRAC-lllR SG inventory depletion due to QS does not occur until after 1 hr.
| |
| NRAC-lllR applied to all cut sets*
| |
| with AFW-XIIE-FO-CST2 failure, replacing NRAC~HALFHR in the original quantification.
| |
| * TABLE 4.10-3 (Continued)
| |
| * Dominant Accident Sequences Prior To Recovery Accident Sequence Applicable Sequence Number Sequence Boolean Equation Recovery Actions/Comments NRAC-6HR-AVG Time averaged recovery of AC power.
| |
| Applied to cut sets with AFW Turbine Driven Pump fail to run, replacing NRAC-HALFHR.
| |
| REC-XHE-FO-DGEH Recovery from diesel generator faults applied to cut sets with diesel fail to start, mainten-ance, or common cause diesel failure. 1 hour time frame.
| |
| TlS-22 Tl*NRAC-HALFHR*Q*/QS*L Same as T1S-L (above).
| |
| SB0-0 (UNITl ONLY):
| |
| T1s-Q-NRl TlS-21 Tl*Q*/QS*/L*NRl REC-XHE-FO-DGEN Recovery from diesel generator faults applied to cut sets with diesel fail to start*, mai,nte-nance, or common cause diesel failure. 1 hour time frame.
| |
| T 18 -Q-QS-NR1 TlS-24 Tl*Q*QS*/L*NRl Same as TlS-Q-NRl.
| |
| SB0-BATT2 (UNITS 1 AND 2):
| |
| T 18 -NR7 TlS-3 Tl*/Q*/QS*/L*/O*/SL*NR7 REC-XHE-FO-DGHWB Recovery from diesel generator hardware faults, applied to cut sets with diesel fail to start and common cause diesel failure. 6 hour time frame.
| |
| | |
| TABLE 4.10-3 (Continued)
| |
| Dominant Accident Sequences Prior To Recovery Accident Sequence Applicable Sequence Number Sequence Boolean Equation Recovery Actions/Comments REC-XHE-FO-DGTMB Recovery from diesel generator unavailability due to main-tenance. Applied to cut sets with diesel test and main-tenance, unless a hardware recovery was already added.
| |
| 6 hour time frame.
| |
| T1s-O-NR7 TlS-7 Tl*/Q*/QS*/L*O*/SL*NR7 Same as TlS-NR7 in SB0-BATT2.
| |
| .""'.....
| |
| 0 T18 -QS-NR7 TlS-12 Tl*/Q*QS*/L*/SL*NR7 Same as TlS-NR7 in SB0-BATT2.
| |
| I c.,:,
| |
| N)
| |
| SB0-SLOCA2 {UNI'fS 1 AND 2):
| |
| T18 -SL-NRS TlS-5 Tl*/Q*/QS*/L*/O*SL*NRS REC-XHE-FO-DGHWS Recovery from diesel generator hardware faults, applied to cut sets with diesel fail to start and common cause diesel failure. 3 hour time frame.
| |
| REC-XIIE-FO-DG'l'MS Recovery from diesel generator unavailability due to maintenance. Applied to cut sets with diesel test and maintenance, unless a hardware recovery was already added.
| |
| J hour time frame.
| |
| T18 SL-NRS TlS-9 Tl*/Q*/QS*/L*O*SL*NRS Same as TlS-SL-NRS in SB0-SLOCA2.
| |
| * TABLE 4.10-3 (Continued)
| |
| Dominant Accident Sequences Prior To Recovery Accident Sequence Applicable Sequence Number Sequence Boolean Equation Recovery Actions/Comments Tis-QS-SL-NRS TlS-14 Tl*/Q*QS*/L*SL*NRS Same as TlS-SL-NRS in SBO-SL0CA2.
| |
| SB0-L2 (UNITS 1 AND 2):
| |
| T1s-L TlS-10 Tl*NRAC-HALFHR*/Q*/QS*L AFW-XHE-FO-U2SBO Cross connect of AFW from Unit 2, applied to all cut sets. This recovery action is included in the boolean equation for L2*.
| |
| L2 includes hardware faults in addition to the operator error identified as AFW-XHE-FO-U2SBO.
| |
| NRAC-6HR-AVG Time averaged recovery of AC power Applied to cut sets with AFW Turbine Driven Pump fail to run.
| |
| replacing NRAC-HALFHR.
| |
| REC-XHE-FO-DGEN Recovery from diesel generator faults applied to cut sets with diesel fail to start, mainten-ance, or common cause diesel failure. 1 hour time frame.
| |
| T18 -QS-L TlS-15 Tl*NRAC-HALFHR*/Q*QS*L Same as T1S-QS-L in SBO-L (above).
| |
| T1s-Q-L TlS-18 Tl*NRAC-HALFHR*Q*/QS*L Same as TlS-L in SB0-L2 (above).
| |
| SB0-02 CUN ITS 1 AND 2) :
| |
| T18 -Q-NR1 TlS-17 Tl*Q*/QS*/L*NRl REC-XIIE-FO-DGEN Recovery from diesel generator faults applied to cut sets with diesel fail to start, maintenance, or common cause diesel failure. 1 hour time frame.
| |
| | |
| TABLE 4.10-3 (Continued)
| |
| Dominant Accident Sequences Prior To Recovery Accident Sequence Applicable Sequence Number Sequence Boolean Equation Recovery Actions/Comments T 1 s-Q-QS-NR1
| |
| *ris-20 'rl*Q*QS*/L*NRl Same as TlS-Q-QS-NRl in SBO-Q.
| |
| LOSS OF Hl\IN FEEDWATER T 2 LH 1 T2-6 T2*/K*/Q*L*/D2*/P*/CS*Hl AFW-XllE-FO-MNAC'l' Manual actuation of AFW, applied to cut sets where AFW pump and valve actuation failed.
| |
| AFW-XIIE-FO-UNIT2 cross connect to Unit 2 AFW,
| |
| .i:,.
| |
| applied to all cut sets.
| |
| f--1 0
| |
| I c,,;
| |
| .i:,.
| |
| *r 2 LP T2-ll '1'2 */K*/Q*L*/D2 *P AFW-XIIE-FO-MNACT Manual actuation of AFW, applied to cut sets where AFW pump and valve actuation failed.
| |
| AFW-XIIE-FO-UNIT2 Cross connect to Unit 2 AFW, applied to all cut sets.
| |
| '1'2 */K*/Q*L*D2 AFW-XIIE-FO-UNIT2 Cross connect to Unit 2 AFW, applied to all cut sets.
| |
| T 2Q: T2-13 TRANSFER 'l'O S2 T 2QB 1 S2-2 '1'2 */K*Q*lll HPI-XIIE-FO-UN2Bl Cross connect to Unit 2 HP! or RWST, applied to all cut sets.
| |
| RM'r-XHE-FO-MANS2 Recovery of RM'r by manual actua-tion. Applied to RMT actuation faults.
| |
| '1'2-14 'l'RANSFER 'l'O A'l'WS
| |
| | |
| TABLE 4.10-3 (Continued)
| |
| * Dominant Accident Sequences Prior To Recovery Accident Sequence Applicable Sequence Number Sequence Boolean Equation Recovery Actions/Comments MAIN TURBINE TRIP WITHOUT LOBB OF MAIN FEEDWATER T3 LMP TJ-12 T3*/K*/Q*L*M*/D3*/D2*P AFW-XHE-FO-UNIT2 Cross connect to Uriit 2 AFW, applied to all cut sets.
| |
| T3 LMD 2 TJ-13 T3*/K*/Q*L*M*/DJ*D2 AFW-XHE-FO-UNIT2 cross connect to Unit 2 AFW, applied to all cut sets.
| |
| T3Q: TJ-15 'l'RANSFER TO .S2
| |
| .....
| |
| ti::.
| |
| 0 T3QH1 S2-2 TJ*/K*Q*Hl HPI-XHE-FO-UN2Hl Cross connect to Unit 2 HPI or RWST, applied to all cut sets
| |
| * I
| |
| ~
| |
| CTI T3QD1 S2-19 TJ*/K*Q*Dl CPC-:-XHE-FO-REALN cross connect to Unit 2 CPC service water system. Applied to cut sets where the CPC service water strainers or pumps failed.
| |
| CPC-XIIE-FO-SMNS2 Manual actuation of CPC service water system, applied to CPC service water actuation faults.
| |
| HPI-XHE-FO-UN2S2 Cross connect to Unit 2 HPI, applied to all cut sets involv-ing CPC system failure and HP! failures upstream of the HP! pumps (not including the RWST). Not applied to failure of both actuation trains.
| |
| IIPI-XIIE-FO-ALT Recovery of HP! discharge HOV common cause failure by opening the alternate path.
| |
| | |
| TABLE 4.10-3 (Continued) l)ominant Accident Sequences Prior To Recovery Accident Sequence Applicable Sequence Number Sequence Boolean Equation Recovery Actions/Comments HPI~XHE-FO-ALTIN Recovery of HPI discharge MOV random failure by opening the alternate path. (MOV 1842)
| |
| SIS-XHE-FO-MANS2 Manual actuation of SIS system, applied to SIS actuation faults.
| |
| Not applied to failure of both actuation trains.
| |
| ...
| |
| ,.
| |
| *....
| |
| w en T3 K TJ-16 TRANSFER TO A'l'WS LOSS OF DC BUS Loss of DC Bus lA:
| |
| TsALP T5-ll T5A*/K*/Q*L*/D2*P AFW-XHE-FO-UNIT2 cross connect to Unit 2 AFW, applied to all cut sets.
| |
| T5ALD2 T5-12 T5A*/K*/Q*L*D2 AFW-XllE-FO-UNIT2 Cross connect to Unit 2 AFW, applied to all cut sets.
| |
| T5AK T5-14 TRANSFER TO ATWS Loss of DC Bus lB:
| |
| T 58 LP T5-ll T5B*/K*/Q*L*/D2*P AFW-XHE-FO-UNIT2 Cross connect to Unit 2 AFW, applied to all cut sets.
| |
| T59LD2 T5-12 T5B*/K*/Q*L*D2 AFW-XHE-FO-UNIT2 cross connect to Unit 2 AFW, applied to all cut sets.
| |
| T59K T5-14 TRANSFER TO ATWS
| |
| * *
| |
| | |
| *
| |
| * TABLE 4.10-3 (Continued)
| |
| Dominant Accident sequences Prior To Recovery Accident Sequence Applicable Sequence Number Sequence Boolean Equation Recovery Actions/Comments STEAM GENERATOR TUBE RUPTURE (BGTR)
| |
| T7-a* T7*/K*/D1*/LJ*OD*/Q*QS MSS-XHE-FO-BLOCK Recovery of a stuck open SG PORV by shutting the block valV!!*
| |
| Applied when the SG ADV sticks open.
| |
| MSS-XHE-FO-ISAFW Recovery of SG integrity by isolating the AFW turbine driven pump steam supply line.
| |
| MSS-XHE-FO-ISBDN Recovery of SG integrity by isolating the blowdown line.
| |
| Applied to random and common cause blowdown faults.
| |
| REC-XHE-FO-DPRES Recovery by cool down and depress-urizing the RCS.
| |
| REC-XHE-FO-GAGRV Recovery of a stuck open SG SRV by gagging the relief valve.,.
| |
| Applied when the SG SRV sticks open.
| |
| T7-12 T7*/K*/D1*/LJ*OD*Q*QS MSS-XHE-FO-BLOCK Recovery of a stuck open SG PORV
| |
| * by shutting the block valve.
| |
| Applied when the SG ADV sticks open.
| |
| MSS-XHE-FO-ISAFW Recovery of SG integrity by isola-ting the AFWturbine driven pump steam supply line.
| |
| MSS-XIIE-FO-ISBDN Recovery of SG integrity by isola-ting the blowdown line. Applied to random and common cause blow-down faults.
| |
| | |
| TABLE 4.10-3 (Continued)
| |
| Dominant Accident Sequences Prior To Recovery Accident Sequence Applicable Sequence Number Sequence-Boolean Equation Recovery Actions/Comments I
| |
| T7-1J T7*/K*/Dl*LJ AFW-XHE-FO-UNIT2 Cross connect to Unit 2 AFW, applied to all cut sets.
| |
| T7-16 T7*/K*Dl*/LJ*/OD*/Q*QS CPC-XHE-FO-REALN cross connect to Unit 2 CPC service water system. Applied to cut sets where the CPC service water strainers or pumps failed .
| |
| *
| |
| *.... HPI-XIIE-FO-UN2SJ Cross connect to Unit 2 HPI, i'
| |
| w applied to all cut sets involv-CID ing CPC system failure and HPI failures upstream of the HPI pumps (not including the RWST). Not applied to failure of both actuation trains.
| |
| HPI-XllE-FO-AL'l'SJ Recovery of HPI discharge MOV common cause failure by opening the alternate path.
| |
| HPI-XHE-FO-ALTIN Recovery of HP! discharge MOV random failure by opening the alternate path.
| |
| T7-18 '1'7*/K*Dl*/LJ*OD T7-20 T7*K (ATWS) R Recovery of failure of automatic scram by manual reactor trip, applied to all cut sets *
| |
| * *
| |
| | |
| *
| |
| * TABLE 4.10-3 (Continued)
| |
| * Dominant Accident sequences Prior To Recovery Accident Sequence Applicable Sequence Number Sequence Boolean Equation Recovery Actions/Comments LARGE LOBB OF COOLANT ACCIDENT (A LOCA)
| |
| A-2 A*/D5*/D6*/CS*Hl RMT-XHE-FO-MAN-A Recovery of RMT by manual actua-tion. Applied to RMT actuation faults.
| |
| AD 6 A-6 A*/D5*D6 None applied.
| |
| AD 5 A-7 A*D5 None applied.
| |
| ......
| |
| ~
| |
| 0 I
| |
| t.,.:,
| |
| cc MEDIUM LOSS OF COOLANT ACCIDENT (Bl LOCA)
| |
| S1H1 Sl-2 Sl*/D1*/D5*/CS*/D6*H1 R>>T-XHE-FO-MANSl Recovery of RMT by manual actua-tion. Applied to RMT actuation faults.
| |
| Sl-3 Sl*/Dl*/D5*/CS*D6 None applied.
| |
| Sl-9 Sl*Dl HPI-XHE-FO-AL'f Recovery of HPI discharge MOV common cause failure by opening the alternate path.
| |
| HPI-XHE-FO-AL'l'IN Recovery of UPI discharge MOV random failure by opening the alternate path.
| |
| SIS-XllE-FO-MANSl Recovery of SIS by manual actua-tion. Applied to SIS actuation faults. Not applied to failure of both actuation trains.
| |
| | |
| TABLE 4.10-3 (Continued)
| |
| Dominant Accident Sequences Prior To Recovery Accident Sequence Applicable Sequence Number Sequence Boolean Equation Recovery Actions/Comments SMALL LOSS OF COOLANT ACCIDENT (82 LOCAi S2-2 S2*/K*/Dl*/L*/CS*/OD*Hl HPI-XHE-FO-UN2Hl Cross connect to Unit 2 HPI or RWST, applied to all cut sets.
| |
| RMT-XHE-FO-MANS2 Recovery of RMT by manual actua-tion. Applied to RMT actuation faults.
| |
| ,..... S2-19 S2*/K*Dl CPC-XHE-FO-REALN cross connect to Unit 2 CPC service water system. Applied to cut sets where the CPC I
| |
| Q Service Water strainers or pumps failed. Not applied to failure of both actuation trains CPC-XHE-FO-SMNS2 Manual actuation of CPC service water system, applied to CPC service water actuation faults.
| |
| HPI-XIIE-FO-UN2S2 Cross connect to Unit 2 HPI, applied to all cut sets involving CPC system failure and HPI failures upstream of the HPI pumps (not including the RWST). Not applied to failure of both actuation trains.
| |
| IIPI-XHE-FO-ALT Recovery of HPI discharge MOV common cause failure by opening the alternate path.
| |
| HPI-XHE-FO-ALTIN Recovery of HPI discharge MOV random failure by opening the alternate path *
| |
| * TABLE 4.10-3 (Continued)
| |
| Dominant Accident Sequences Prior To Recovery Accident Sequence Applicable sequence Number Sequence Boolean Equation Recovery Actions/Comments SIS-XllE-FO-MANS2 Manual actuation of SIS system, applied to SIS actuation faults.
| |
| Not applied to failure of both actuation trains.
| |
| S2-20 TRANSFER TO ATWS VERY SMALL LOSS OF COOLANT ACCIDENT (S3 LOCA)
| |
| S3-3 S3*/K*/D1*/QC*/L*/OD*W3*Hl HPI-XllE-FO-UN2Hl cross connect to Unit 2 HPI or RWST, applied to all cut sets.
| |
| SJ-5 S3*/K*/D1*/QC*/L*OD*/H1*ll2 HPI-XHE-F0-20DH2 cross connect to Unit 2 HPI or RWST, applied to all cut sets.
| |
| SJ-6 S3*/K*/D1*/QC*/L*OD*Hl HPI-XHE-F0-20DH2 Cross connect to Unit 2 HPI or RWST, applied to all cut,.sets.
| |
| SJ-23 S3*/K*D1 CPC-XHE-FO-REALN Cross connect to Unit 2 CPC ser-vice water system. Applied to cut sets where the CPC service water strainers or.pumps failed.
| |
| CPC-XHE-FO-SMNS2 Manual actuation of CPC service water system, applied to CPC service water actuation faults.
| |
| CPC-XHE-FO-CMNS2 Manual actuation of CPC cooling water system, applied to CPC cooling water actuation faults *.
| |
| | |
| TABLE 4.10-3 (Continued)
| |
| Dominant Accident Sequences Prior To Recovery Accident Sequence Applicable Sequence Number Sequence Boolean Equation Recovery Actions/Comments IIPI-XHE-FO-UN2S3 cross connect to Unit 2 HPI, applied to all cut sets involv-ing CPC system failure and HPI failures upstream 9f the RPI pumps. (not including the RWST)
| |
| Not applied to failure of both actuation trains.
| |
| HPI-XHE-FO-ALTI3 Recovery of BPI.discharge MOV common cause f~ilure by opening the alternate path.
| |
| IIPI-XHE-FO-ALTIN Recovery of HPI discharge MOV random failure*by opening the alternate path.
| |
| SJ-24 TRANSFER TO ATWS INTERFACING LOSS OF *cooLANT ACCIDENT (V)
| |
| EVEN'!' V N/A INTERFACING LOCA SEQUENCE None applied.
| |
| ANTICIPATED TRANSIENT WITHOUT SCRAM TKRD4 TK-3 T*K*R*D4 -- *------------- None applied.
| |
| TKRZ TK-9 T*K*R*Z None applied.
| |
| *
| |
| * Table 4.10-4 Accident Sequences Quantified Before and After Recovery SEQUENCE FREQUENCY (/RX-YR)
| |
| Accident Sequence Before After Sequence Comments/Source Sequence Number Sequence Boolean Equation Recovery Recovery Eliminated of Information LOBB OF OFF9ITE POWER Tl-3 Tl*/K*/Q*/L*DJ*W 2.0E-06 1. 2E-7 Yes Sequence frequency shown is RCP seal vulnerable. App-lication of the probability for a RCP seal LOCA (.73) leading to core damage results in a sequence frequency of B.BE-8. The RCP seal LOCA probabi-lity derivation is shown in Appendix Q Tl-11 Tl*/K*/Q*L*/D2*P 2.6E-06 7.5E-B Yes Tl-12 Tl*/K*/Q*L*D2 'l.9E-06 6.4E-B Yes STATION BLACKOUT (BBO)
| |
| SBO-BATT (UNITl ONLY): l.2E-05 7. 68'-6 No T1s-NR7 TlS-3 Tl*/Q*/QS*/L*/W 2 *NR7 B.5E-06 5.2E-6 No T 1 s-W 2 -NR7 TlS-5 Tl*/Q*/QS*/L*W 2 */0*/SL*NR7 4.7E-07 3.0E-7 No
| |
| | |
| Table 4.10-4 (CONTINUED)
| |
| Accident Sequences Quantified Before and After Recovery SEQUENCE FREQUENCY (/RX-YR)
| |
| Accident Sequence Before After Sequence Comments/Source Sequence Number Sequence Boolean Equation Recovery Recovery Eliminated of Information Tl*/Q*/QS*/L*W 2 *0*/SL*NR7 2.2E-OB 8.9E-9 No Retained, potential important risk con-tributor due to station blackout.
| |
| T1 s-QS-NR7 TlS-14 Tl*/Q*QS*/L*/W 2 *NR7 3.lE-06 l.9E-6 No T1 s-QS-W 2 -NR7
| |
| .....
| |
| ~
| |
| 'l'lS-16 Tl*/Q*QS*/L*W2*/SL*NR7 1.9E-07 1. 2E-7 No 0
| |
| I
| |
| ~
| |
| ~
| |
| SBO-SLOCA (UNI'l'l ONLY): 4.BE-06 3.9E-6 No T1 s-W2-SL-NRS TlS-7 Tl*/Q*/QS*/L*W2*/0*SL*NRS 3.JE-06 2.7E-6 No T 15 -W2-0-SL-NRS
| |
| *r1s-11 Tl*/Q*/QS*/L*W2*0*SL*NRS 1. 9E-07 1.5E-7 No T1 s-QS-W2-SL-NRS TlS-18 Tl*/Q*QS*/L*W2*SL*NRS 1.JE-06 1.lE-6 No SBO-L (UNI'l'l ONLY): 5.0E-05 3.5E-6 No
| |
| 'l'1s-L TlS-12 Tl*NRAC-IIALFIIR*/Q*/QS*L 4.lE-06 3.5E-7 No T 1 s-QS-L 'l'lS-19 '1'1 *NRAC-IIALFIIR* /Q*QS
| |
| * L 4.6E-05 3.2E-6 No T1s-Q-L TlS-22 Tl*NRAC-HALFIIR*Q*/QS*L 8,lE-08 7.JE-8 No
| |
| * Table 4.10-4 (CONTINUED)
| |
| Accident Sequences Quantified Before and After Recovery SEQUENCE FREQUENCY {/RX-YR)
| |
| Accident Sequence Before After Sequence Comments/Source Sequence Number Sequence Boolean Equation Recovery Recovery Eliminated of Information SBO-Q (UNIT! ONLY): 2.lE-06 1. 9E-6 No TlS-21 Tl*Q*/QS*/L*NRl 1. 5E-06 l,4E-6 No T 1 s-Q-QS-NR1
| |
| 'l'lS-24 'l'l*Q*QS*/L*NRl 5.7E-07 5.lE-7 No
| |
| .
| |
| .;:..
| |
| I-'
| |
| SBO-BATT2 {UNITS 1 AND 2): 5.lE-07 J.OE-7 No 0
| |
| I T 15 -NR7 TlS-3 Tl*/Q*/QS*/L*/O*/SL*NR7 J.4E-07 2.0E-7 No
| |
| .;:..
| |
| <:)I T 1 s-O-NR7 TlS-7 Tl*/Q*/QS*/L*O*/SL*NR7 1. 4E-08 8.4E-9 No See TlS-9 comment.
| |
| T1s-QS-NR7 TlS-12 Tl*/Q*QS*/L*/SL*NR7 l.6E-07 9.JE-8 No See TlS-9 comment.
| |
| SBO-SLOCA2 (UNI'l'S 1 AND 2) : J.JE-06 2.6E-6 No T1s-SL-NRS TlS-5 Tl*/Q*/QS*/L*/O*SL*NRS 2.JE-06 1. BE-6 No Tis-o...:.sL-NRS TlS-9 '1'1*/Q*/QS*/L*O*SL*NRS 1.2E-07 9.7E-B No See TlS-9 comment.
| |
| T 1 s-QS-SL-NRS TlS-14 Tl*/Q*QS*/L*SL*NRS 8.9E-07 7.lE-7 No SB0-L2 (UNITS 1 AND 2): 6.JE-06 6.JE-7 No TlS-10 'l'l*NRAC-HALFHR*/Q*/QS*L 7.JE-07 2,5E-7 No
| |
| | |
| /
| |
| Table 4.10-4 (CONTINUED)
| |
| Accident Bequences Quantified Before and After Recovery SEQUENCE FREQUENCY (!RX-YR)
| |
| Accident Sequence Defore After Sequence Comments/Source Sequence Number Sequence Boolean Equation Recovery Recovery Eliminated of Information T 1 s-QS-L TlS-15 Tl*NRAC-HALFHR*/Q*QS*L 5.6E-06 3.BE-7 No T1s-Q-L TlS-18 Tl*NRAC-HALFHR*Q~/QS*L 1.5E-08 1.4E-8 No See TlS-9 comment.
| |
| SB0-02 (UNITS 1 AND 2): 3.9E-07 3.5E-7 No
| |
| .
| |
| ~
| |
| I-'
| |
| TlS-17 Tl*Q*/QS*/L*NRl 2.9E-07 2.6E-7 No 0
| |
| I
| |
| ~ T 1 s-Q-QS-NR1 cr:,
| |
| TlS-20 Tl*Q*QS*/L*NRl l.OE-07 9.2E-8 No See TlS-9 comment.
| |
| LOSS OF MAIN FEEDWATER T 2 LH 1 T2-6 T2*/K*/Q*L*/D2*/P*/CS*lll 4.4E-07 1.4E-8 Yes T 2 LP T2-ll T2*/K*/Q*L*/D2*P 2.2E-05 7.7E-7 No
| |
| 'l'2LD2 '1'2-12 '1'2*/K*/Q*L*D2 2.0E-05 7.2E-7 No MAIN TURBINE TRIP WITHOUT LOSS OF MAIN FEEDWATER TJ-12 T3 * /K*/Q*L*M*/D3 */D2 **P 4.4E-07 1.6E-8 Yes TJ-13 T3*/K*/Q*L*M*/D3*D2 4.5E-07 1.6E-8 Yes
| |
| | |
| Table 4.10-4 (CONTINUED)
| |
| Accident sequences Quantified Before and After Recovery SEQUENCE FREQUENCY (IRX-YR)
| |
| Accident Sequence Before After Sequence Comments/Source Sequence Number Sequence Boolean Equation Recovery Recovery Eliminated of Information T 3 Q: TJ-15 TRANSFER TO S2 T3QH 1 S2-2 TJ*/K*Q*/Dl*/L*/CS*/OD*Hl 1. JE-07 <5E-10 Yes LOSS OF DC BUS Loss of DC Bus lA:
| |
| ...
| |
| *.... TsALP TS-11 T5A*/K*/Q*L*/D2*P 3.BE-06 l.4E-7 No I
| |
| -:a T5ALD2 TS-12 T5A*/K*/Q*L*D2 2.5E-07 9.0E-9 Yes Loss of DC Bus lB:
| |
| T 58 LP TS-11 T5B*/K*/Q*L*/D2*P J.BE-06 1.4E-7 No T5aLD2 TS-12 T5B*/K*/Q*L*D2 2.7E-07 9.0E-9 Yes STEAM GENERATOR TUBE RUPTURE (SGTR)
| |
| T70oQS T7-8 T7*/K*/D1*/L3*0D*/Q*QS 6.2E-04 1.4E-6 No T70oQQ9 T7-12 T7*/K*/D1*/LJ*OD*Q*QS 7.9E-07 l.2E-7 No T7L3 T7-1J T7*/K*/D1*LJ 2.9E-06 1. OE-7 No T7D1Qs T7-16 T7*/K*D1*/LJ*/OD*/Q*QS 1.4E-07 4.BE-9 Yes
| |
| | |
| Table 4.10-4 (CONTINUED)
| |
| Accident Sequences Quantified Before and After Recovery SEQUENCE FREQUENCY (/RX-YR)
| |
| Accident Sequence Before After Sequence Comments/Source Sequence Number Sequence Boolean Equation Recovery Recovery Eliminated of Information T7-18 T7*/K*D1*/LJ*OD J.7E-06 l.9E-:--7 No
| |
| '1'7-20 T7*K (ATWS) 6.0E-07 l.OE-7 No Evaluated separ-ately. Does not transfer to the ATWS tree.
| |
| .
| |
| ,i::,.
| |
| t--'
| |
| LARGE LOSS OF COOLANT ACCIDENT (A LOCA) 0 I
| |
| ,i::,.
| |
| 00 A-2 A*/D5*/D6*/CS*Hl 7.0E-07 6.7E-7 No A-6 A*/D5*D6 4.7E-07 4.7E-7 No A-7 A*OS 8.SE-07 8.SE-7 No MEDIUM LOSS OF COOLANT ACCIDENT (Sl LOCA)
| |
| Sl-2 Sl*/Dl*/05*/CS*/06*111 l.4E-06 l.JE-6 No Sl-J Sl*/Dl*/D5*/CS*D6 9.4E-07 9.4E-7 No Sl-9 Sl*Ol 9.SE-07 8.lE-7 No SMALL LOSS OF COOLANT ACCIDENT (S2 LOCA).
| |
| S2-2 S2 * /K* /01 */L* /CS*/OD*lll 1. 6E-06 2.4E-9 Yes S2-19 S2*/K*D1 9.BE-07 4.JE-7 No
| |
| * Table 4.10-4 (CONTINUED)
| |
| * Accident Sequences Quantified Before and After Recovery SEQUENCE FREQUENCY (/RX-YR)
| |
| Accident Sequence Before After Sequence Comments/Source Sequence Number Sequence Boolean Equation Recovery Recovery Eliminated of Information VERY SMALL LOSS OF COOLANT ACCIDENT (S3 LOCA)
| |
| SJ-3 SJ*/K*/Dl*/QC*/L*/OD*WJ*Hl J.7E-07 5.9E-10 Yes
| |
| ~J 0 o11 2 SJ-5 S3*/K*/D1*/QC*/L*OD*/H1*H2 L JE-07 <5E-10 Yes S30oH1 SJ-6 SJ*/K*/Dl*/QC*/L*OD*Hl 4.5E-07 4.GE-9 Yes
| |
| .....
| |
| .i,..
| |
| 0 S3D1 SJ-23 SJ*/K*Dl 1.GE-05 6.JE-7 No I
| |
| .i,..
| |
| cc INTERFACING LOSS OF COOLANT ACCIDENT (V)
| |
| EVENT V V-1 INTERFACING LOCA SEQUENCE 1.2E-06 1.2E-6 No
| |
| * ANTICIPATED TRANSIENT WITHOUT SCRAM TKRD 4 'l'K-3 T*K*R*D4 5.7E-07 5.7E-7 No TKRZ 'l'K-9 T*K*R*Z 8.4E-07 8.4E-7 No
| |
| * Table 4.10-5 IMPACT OF OPERATOR ACTIONS
| |
| -------Core Damage Frequency* (Per Rx-Yr)-------
| |
| All HEPs and Accident All HEPs Recovery Factors Only Recovery Factors Sequence Set to 1.0 Set to 1.0 Set to Final Values DOMINANT SEQUENCES AD 5 8.SE-7 8.SE-7 8.SE-7 AD 6 4.7E-7 4.7E-7 4.7E-7 AH1 5.0E-4 7.0E-7 6.7E-7 S1D1 9.SE-7 9.SE-7 8.lE-7 S1Ds 9.4E-7 9.4E-7 9.4E-7 S1H1 l.OE-3 l.4E-6 l.3E-6 SzD1 9.BE-7 9.BE-7 4.3E-7 S3D1 1. 6E-5 1. 6E-5 6.3E-7 T2LP 2.9E-4 2.2E-5 7.7E-7 T2LD2 2.8E-4 2.0E-5 7.2E-7 T5ALP 3.8E-6 3.8E-6 1. 4E- 7 T5BLP 3.8E-6 3.8E-6 1. 4E- 7 T7D10n 9.lE-6* 3.7E-6 1. 9E- 7
| |
| * T7L3 2.9E-6 2.9E-6 1. OE- 7 T7KR 6.0E-7 6.0E-7 1. OE- 7 T700Qs l.OE-2 6.2E-4 l.4E-6 T70nQQ5 6.6E-4 7.9E-7 1. 2E- 7 TKRZ 5.0E-6 8.4E-7 8.4E-7 TKRD 4 4.0E-4 5.7E-7 5.7E-7 V l.2E-6 1. 2E-6 l.2E-6 SBO-BATT 1. 9E-5 l.6E-5 7.6E-6 SBO-SLOCA 5.7E-5 2.8E-5 3.9E-6 SBO-L 5.lE-5 5.0E-5 3.SE-6 SBO-Q 2.lE-6 2.lE-6 l.9E-6 SBO-BATT2 4.SE-7 5.0E-7 3.0E-7 SBO-SLOCA2 3.4E-6 3.3E-6 2.7E-6 SBO-L2 6.3E-6 6.3E-6 6.3E-7 SBO-Q2 4.0E-7 3.9E-7 3.SE-7 Sub-Total 1. 3E-2 8.lE-4 3.4E-5 NON-DOMINANT SEQUENCES AF1F2Cv 6.8E-9 6.8E-9 2.3E-9 AF 1F2H1 2.SE-8 2.SE-8 2.SE-8 AD 6 C l.4E-9 l.4E-9 l.3E-9 S1F1F2Cv 1. 4E-8 l.4E-8 4.0E-9 S1F1F2H1 S.OE-8 5.0E-8 5.0E-8 S1D1C 2.7E-9 2.7E-9 2.7E-9
| |
| * SzH1 1. 6E-6 1. 6E-6 2.4E-9 SzOnH1 l.6E-6 3.0E-8 1. 3E-10 4.10-50
| |
| | |
| TABLE 4.10-5 (Continued)
| |
| IMPACT OF OPERATOR ACTIONS
| |
| *
| |
| ~-----Core Damage Frequency* (Per Rx-Yr)~-----
| |
| Al-1 HEPS and Accident All HEPs Recovery Factors Only Recovery Factors Sequence Set to 1.0 Set to 1.0 Set to Final Values S20oH2 4.6E-7 9.3E-9 4.0E-11 S2F1F2H1 5.0E-8 5.0E-8 5.0E-8 s 3o 1c 3.5E-8 3.5E-8 3.5E-8 S3QcH1 7.0E-10 7.0E-10 1. lE-12 S30oH1 2.lE-5 4.5E-7 4.6E-9 S30oH2 6.0E-6 1. 3E-7 2.7E-10 T 1 LD 2 2.6E-5 1.9E-6 6.4E-8 T1LH2 7.6E-8 7.6E-8 7.6E-8 T 1 LP 2.6E-5 2.6E-6 7.8E-8 T1QH1 9.8E-8 1.3E-8 1.3E-8 T1QH2 2.7E-9 2.7E-9 2.7E-9 T 2 LF 1 F 2 1. 8E-7 1. 8E-7 8.2E-9 T2LH1 4.4E-7 4.4E-7 1. 4E-8 T2QD1 2.lE-6 1. 2E-8 3.7E-9 T2QHP 1.7E-8 1.7E-8 1.7E-8 T 3 LM 2.4E-4 4.4E-7 1.6E-8 T5ALD2 3.6E-6 2.5E-7 9.0E-9 T5BLD2 3.6E-6 2.7E-7 9.0E-9 T7D1Qs 1.4E-7 1. 4E-7 4.8E-9 T~QS 4.3E-7 1.7E-8 1.7E-8 T L2 9.9E-8 6.8E-8 6.8E-8 TKRT 2.0E-4 9.0E-8 9.0E-8 Total 1. 4E-2 8.2E-4 3.5E-5
| |
| * *Point estimates based on the propagation of mean values.
| |
| 4.10-51
| |
| | |
| 4.11 Plant Damage State Quantification
| |
| * The dominant accident sequences were delineated into plant dafoage states, as described in Section 4.5. This section discus.ses the quantification of those plant damage states.
| |
| Quantification of plant damage states involved calculation of failure probabilities for containment heat removal and containment isolation. All other plant damage state indicators could be identified by inspection of the sequences.
| |
| 4.11.1 Quantification of Containment Heat Removal In order to quantify the plant damage states, it was necessary to calculate the probability of failure of containment heat removal. It was also necessary to develop a split fraction for states with and without sprays. Failure of containment heat removal without sprays occurs due to failures of pumps and containment spray valves. Failure of containment heat removal with ~prays operable occurs when the service water valves to the heat exchangers fail to open. This will prevent heat removal from containmenf, but will allow the operable spray pumps to continue to pump hot water from the sump.
| |
| Failure of the service water valves will fail the ISR pumps however*, due to the NPSH-subcooling dependency during the early phases of the event. This dependency has been previously discussed in Section 4.6. The OSR pumps have the same NPSH-subcooling relationship, but they are dependent on the containment spray system for subcooling. By the time the R WST is depleted and the CSS stops, there is sufficient water in the sump so that sufficient NPSH is available to allow the OSR pumps to operate.
| |
| Containment heat removal can fail due to event CF 1 or event F 1F 2* Analysis of the CF 1 partial sequence results in a failure probability of 1.2E-5 before recovery of actuation failures. Note, this is an independent assessment of these events and can not necessarily be multiplied by other failure combinations as if the events were independent. For many of the sequence quantifications, resolving of Boolean equations is necessary. The failure probability after recovery of actuation failures is 6.5E-6. All of this frequency represents failure states without operable sprays.
| |
| The failure probability of F 1F 2, as an independent event, is 6.9E-4, without recovery and 2.lE-4 after recovery. These failure probabilities are dominated by the common cause failure of the service water valves on the spray heat exchangers. This event is 6.3E-4 without recovery and 1.5E-4 after recovery. Of the 2.lE-4 frequency, 71 % represents states wl1ere the OSR pumps will be operating and can provide spray action, although containment heat removal will not be available.
| |
| * 4.11.2 Quantification of Containment Isolation Failure Failure to isolate containment is an important factor in determining release categories for core damage accidents. Quantification of failure of containment isolation must use success criteria that are compatible with the back-end analysis. It also must realistically model containment operations which could possibly affect isolabili ty, such as containment purge, containment entry, and undetected failure of the containment boundary. The containment shell itself as well as penetrations must be included in the evaluation.
| |
| Two types of failure modes must be included in the calculation of containment isolation failure. One type of failure represents loss of integrity of the containment building due to events such as leaky penetrations, and failed welds. Fault tree analysis is not well
| |
| * suited to evaluate this type of failure. The other type of failure involves unisolated lines 4.11-1
| |
| | |
| in communication with the containment atmosphere, due to failure of both isolation valves to close. Fault tree analysis is well suited to evaluate this type of failure.
| |
| Calculation of the probability of containment isolation failure was based on evaluation of historical experience rather than fault tree analysis.
| |
| References 47 and 48 analyze over 3400 LERs related to failure of containment isolation components. These events often represent failure of one containment isolation valve and often these valves are on line's that are not in open contact with the containment atmosphere. These types of failures do not represent a true loss of containment isolation, but rather a failure of the containment isolation system to operate. Reference 48 evaluates the data to count only those failures in lines open to the containment atmosphere and calculates the probability of two valves failing simultaneously in the same line. This would represent a true probability for failure of containment isolation.
| |
| Reference 48 derives a probability of 7E-2 for large leakage, where large is defined as greater than 100 times the allowable leakage during an Integrated Leak Rate Test (La).
| |
| This definition of large leakage calculates to be about 6% per day.
| |
| Reference 47 uses results of Integrated Leak Rate Tests to calculate a probability of containment isolation failure. They calculate a failure probability of 3.3E-2 for PWRs for the largest leak size, that being a leak area of .6 square inches. For the Surry containment, this corresponds to a leak rate of about 15% per day at ILRT test pressure.
| |
| Both of these estimates are of limited applicability to for the Surry analysis, for reasons discussed below. For the purpose of the back-end analysis, leak rates are divided into three categories, as shown below:
| |
| Leak Rate Hole Size No significant depressurization. L ( .1 ft 2 Depressurize in 2~4 hours <
| |
| .1 ft 2 ( L lft 2 Depressurize in less than 4 hours L) l ft 2 As can be seen, even the "large" leak sizes used by References 47 and 48 are much smaller than that needed to be significant to the back-end analysis.
| |
| The only leak paths available to produce such a leak size are simultaneous opening of both sides of the airlock or normal containment purging combined with the failure of the purge lines to isolate upon an accident. These have been estimated at .5E.-.5 and .5E-3 respectively by Reference 47.
| |
| These leak paths are not applicable to a subatmospheric containment stich as Surry. The Surry containment is maintained at about 9.5 psia during normal operation. Containment pressure is under TechnicalSpecification and under no circun::stances can it go above 11 psia. Containment vacuum is ma-intained by a vacuum pump, which takes suction from the containment atmosphere through a two inch line. Containment purging is not done during power operation. Any failure of a size sufficient to be of interest to the back-end analysis could not go un-detected due to the containment pressure requirements.
| |
| It was therefore considered that failure -of containment isolation at Surry of sufficient magnitude to be interest to the back-end analysis was negligable.
| |
| 4.11-2
| |
| * 4.11.3 Quantification of Plant Damage States
| |
| * The plant damage state quantification was done in a similar manner to the sequence quantification, except that the additional recovery actions were not applied. Table 4.11-1 shows the PDS assignment for each sequence, and the point estimate frequencies. Table 4.11-2 shows the resultant PDS frequencies for all PDSs greater than lE-9/yr.
| |
| Each plant damage state with a point estimate frequency greater than lE-7/yr was passed along to the containment analysis portion of this study. Plant damage states with frequencies between lE-9 and lE-7 were examined to determine whether any state rep-resented substantially more severe containment conditions than any of the PDSs which were above lE-7/yr. This was not the case. Consequently, no plant damage states above lE-7 /yr were included in the containment analysis.
| |
| Uncertainty analysis, using TEMAC, was also performed on each of the plant damage state groups. These results are shown in Table 4.11-3. *
| |
| *
| |
| * 4.11-3
| |
| | |
| Table 4.11-1 Plant Damage State Assignment of Dominant Core Damage Sequences Sequenc~ PDS Point Estimate Frequency AD 5 ALYY-YYY 8.5E-7 ALNY;_yyy 5.5E-ll ANNY-NYY 2.3E-12 ALSY-YYY l.3E-10 ANYY-YYN 4.6E-7 ANNY-YYN 3.0E-11 ANNY-NYN l.4E-9 ANSY-YYN 7.0E-11 AIYY-YYN 6.5E-7 AINY-YYN 2.5E-8 AISY-YYN 1.0E-10 s 1IYY-YYN l.3E-6 S1INY-YYN 5.0E-8 s 1ISY-YYN 2.0E-10 S1LYY-YYN 8.lE-7 s 1LNY-YYN 5.2E-11 s 1LSY-YYN 1.2E-10 s 1NNY-NYN 2.7E-9 S1NYY-YYN 9.lE-7 s 1NNY-NYN 2.7E-9 s 1NNY-YYN 6.lE-11 s 1NSY-YYN 1.4E-10 S2 LYY-YYN 4.2E-7 s 2LNY-YY~ 2.8E-11 s 2NNY-NYN 2.7E-9 s 2LSY-YYN 6.4E-11 S3LYY-YYN 5.9E-7 s 3LNY-YYN 4.3E-11 S3LSY-YYN 9.9E-11 s 3NNY-NYN 3.5E-8 4.11:..4
| |
| | |
| Table 4.11-1 (Continued)
| |
| * Sequence TKRZ Plant Damage State Assignment of Dominant Core Damage Sequences PDS S3NYY-YXN S3NNY-YXN Point* Estimate* F'reguencf 8.4E-7
| |
| .5.4E-ll S3NNY-NXN 2.3E-l2 s3NSY-YXN l.3E-10 TLYY-YXY t7E-7 TLNY-YXY 3.7E-ll TLSY-YXY 8~.5E-11 TNNY-NXY L.5E-10 TLYY-YNY 7.2E-7 TLNY-YNY 4.7E-11 TNNY-NNY 2.9E-11 TLSY-YNY 1.lE-10 TBYY-YNY 7.7E-7
| |
| * TBNY-YNY TBNY-NNY TBSY-YNY HINY-NXY
| |
| .5.0E-11 2.lE-12 1.2E-10 1.4E-6 GLYY-YNY 1.0E-7 GNNY-YNY 3.&E-13 GLSY-YNY 1*.5E-11 GLYY-YXY 1.9E-7 GNNY-NXY 3.7E-10 GLNY-YXY 1.lE-11 GLSY-YXY 3.7E-10 GLYY-YXY 1.0E-7 GLNY-YXY 6*.5E-12 GNNY-NXN 2.7E-13 GLSY-YXY l *.5E-11 HINY-YXY 1.2E-7 4.11-.5
| |
| | |
| Table 4.11-1 (Continued)
| |
| * Plant Damage State Assignment of Dominant Core Damage Sequences Sequence *pt,s Point* "l:.stimate *Freguencf T 5ALP TBYY-YNY 1.4E-7 TBNY-YNY 9.lE-12 TBNY-NNY t&E-13 TBSY-YNY 2.2E-ll T58 LP TBYY-YNY l.4E-7 TBYY-YNY 9JE-12 TBNY-NNY 3.&E-13 TBSY-YNY 2.2E-11 Ttsi-NR7 TRRR-RDY 5.2E-6 T 1si-OS-L TRRR-RSR 3.2E-6 T tsi-W2-SL-NRS S3RRR-RDR 2.7E-6 T1si-0S-NR7 TRRR-RDY l.9E-6 T 158 -SL-NRS S3RRR-RDR 1.&E-6 T 1s10-NR1 S2RRR-RCR 1.4E-6 T1si-L TRRR-RSR 3.&E-7 Ttsi-W2-NR7 TRRR-RDR 3.0E-7 T1ss-Q-NRl S2RRR-RCR 2.6E-7 T 1SB-L TRRR-RSR 2.5E-7 T lSBNR7 TRRR-RDR 2.0E-7 T ts10-QS-NR1 S2RRR-RDR 5.lE-7 T 158-QS-SL-NRS S3RRR-RDR 7JE-7 T1ss-OS-L TRRR-RSR 3.&E-7 T 151 -QS-W2-SL-NRS S3RRR-RDR l.lE-6 T 1Sl-W2-0D-SL-NRS S3RRR-RCR l.5E-7 T1s10S-W2-NR7 TRRR-RDR l.2E-7 4.11-6
| |
| * Plant Dama~e State Table 4.11-2 Plant Damage States Above lE-9 Point Estimate Frequency AINY-YYN 2.SE-8 AIYY-YYN 6.SE-7 ANNY-NYN 1. 4E- 9 ANYY-YYN 4.6E-7 ANYY-YYY 8.SE-7 GLYY-YNY 1. OE- 7 GLYY-YXY 2.9E-7 HINY-YXY 1. 2E- 7 HINY-NXY l.4E-6 S1INY-YYN 5.0E-8 S1IYY-YYN 1. 3E- 6 S1LYY-YYN 8.lE-7 S1NNY-NYN 2.7E-9 S1NYY-YYN 9.lE-7 S2NNY-NYN 2.7E-9 S2 LYY-YYN 4.2E-7 SzRRR-RCR l.7E-6 S 2 RRR-RDR 5.lE-7 S3NYY-YXN 8.4E-7 S3NNY-NYN 3.SE-8 S3LYY-YYN 5.9E-7 S3RRR-RCR 2.SE-7 S3RRR-RDR 6.3E-6 TBYY-YNY l. lE-6 TLYY-YXY 5.7E-7 TLYY-YNY 7.2E-7 TRRR-RDR 6.2E-7 TRRR-RDY 7.lE-6 TRRR-RSR 4.2E-6 TRRR-RCR 1. 7E- 8 V 1. 2E- 6 3.3E-5
| |
| * 4.11-7
| |
| | |
| Table 4.11-3 Group Number 1
| |
| Group* Name*
| |
| Frequencies of Plant Damage State Groups Slow Blackout Plant Damage
| |
| * States .5% Median Mean* 9:5%
| |
| * TRRR-RDY 6.lE-7 8.2E-6 2.2E-.5 9*.5E-.5 s3RRR-RDR S2RRR-RDR TRRR-RDR S2RRR-RCR S2RRR-RCR 2 LOCAs S1IYY-YYN S1NYY-YYN 1.2E-6 3.8E-6 6.0E-6 1.6E-.5 AIYY-YYN S1LYY-YYN ALYY-YYY S3LYY-YYN S2LYY-YYN ANYY-YYN 3 Fast Blackout TRRR-RSR 1.lE-7 1.7E-6 .5.4E-6 2.3E-.5 4 Event V V 3.8E-11 4.9E-8 1.6E-6 .5.3E-6 Transients TBYY-YNY 7.2E-8 6.9E-7 2.lE-6 6.0E-6 TLYY-YNY 6 ATWS S3NYY-YXN 3.2E-8 4.2E-7 1.6E-6 .5.9E-6 TLYY-YXY GLYY-YXY 7 SGTRs HINY-NXY GLYY-YXY 1.2E-7 7.4E-7 1.&E-6 6.0E-6 GLYY-YNY HINY-YXY 4.11-8
| |
| * 4.12 Uncertainty Analysis This section discusses the sources and treatment of uncertainty for the Surry study.
| |
| Uncertairtty in the analysis is always expressed as a quantitative bounding of the central value. Uncertainty can derive from the selection of the data base used to determine parameter values, modeling assumptions, and completeness of the analysis. Numerical uncertainty due to statistical variation is easy to express. Uncertainty in the parameter values is propagated through the quantification process so that the core damage and risk estimates can be supplied with numerical bounds. Modeling uncertainties reflect a degree of belief and are intrinsically more difficult to quantify.
| |
| 4.12.1 Sources and Treatment of Uncertainties Two types of uncertainty were addressed in the Surry study: parameter value uncer-tainty and modeling uncertainty. The parameters of interest are those of the probability models for the basic events of the logic models. They include failure rates, component unavailabilities, initiating event frequencies, and human error probabilities. The essential difference between the parameter value uncertainty and modeling uncertainty is the following: parameters can take on any of a continuous range of values, and the fact that there is uncertainty as to which value is correct does not change the structure of the logic model. Investigation of modeling uncertainties, on the other hand, requires that discrete modeling hypotheses be proposed and the different hypotheses may well lead to different logic models.
| |
| Sources of parameter uncertainty include lack of data on component failure modes,
| |
| * interpretation of data and component performance records, and the use of industry-wide data for plant specific analyses. Modeling uncertainty reflects limitations of knowledge regarding phenomenological impacts on component performance, physical propagation of accident progression through the plant systems, and human response to abnormal conditions.
| |
| * Parameter value uncertainties have been handled in this study by defining a probability distribution on the value of each parameter such that the nth percentile of the distribu-tion represents the value below which the analyst has, a degree of belief of n/100 that the true value lies. This subjective approach to the representation of uncertainty makes the propagation of parameter value uncertainty through the sequence quantification process mathematkally straightforward, using stratified Monte Carlo (e.g., Latin Hypercube Sample) or other sampling techniques.* The uncertainty ranges used for the distributions are based on generic estimates. These range factors consider those factors which may affect the failure properties of the component in the different u,:;es and environments.
| |
| The range also considers plant-to-plant variation.
| |
| Modeling uncertainties are treated by defining discrete or continuous probability distri--
| |
| butions over the different modeling hypotheses. Previous studies have incorporated modeling uncertainties into their analyses by performing sensitivity analyses on several issues to identify which modeling hypotheses are most significant. The method used for the Surry analysis, for selected issues, was to elicit from a panel of experts, modeling judgments which weigh the various hypotheses for each modeling uncertainty. The .
| |
| variability in model propriety can then be quantified and propagated through the accident sequence quantification. This method results in the. inclusion of the various hypo~heses in the final core* damage and risk estimates. The expert elicitation pro.cess used i(). .the
| |
| * NUREG-1150 plant analyses is described in NURE.G/CR-4550, Revision 1, Volume 2. OJ 4.12-1
| |
| | |
| 4.12.2 Development of Parameter Distributions Probabilistic distributions for parameter values were* developed from several sources of information including plant specific data, industry-wide data summaries and analyses, past PRAs, and formal and informal expert opinion elicitation.
| |
| If sufficient plant specific data was available for a particular component failure mode, then the mean value of that parameter distribution was based on the plant specific data. Generic estimates were used for the error factors. Often*, sufficient plant data did not exist for some parameters, so generic estimates and uncertainty models based on industry data were used for many parameter values. When generic parameter estimates were used in the Surry analysis, they were derived from the ASEP Generic Data Base in the methodology document ~or the supporting analysis of NUREG-1150, NUREG/CR-4550, Revision 1, Volume 1. 3 Expert opinion elicitations from project staff, documented in NUREG/CR-4550, Revision 1, Volume 2, Part 2, were used to assess parameter uncertainties which could not be modeled from plant specific or generic data.
| |
| The recovery probability for offsite AC power and initiating event frequencies for loss of offsite power were modeled by industry data with a composite statistical model which combined ~robability models for plant centered, grid, and weather related losses together.(! The plant centered model was adjusted to be site specific and include Surry specific historical experience. The grid/weather portion was adjusted to include Surry historical experience. Derivation of the T 1 initiating event frequency is shown in Appendix D.3.
| |
| Human error probabilities and uncertainties were developed by apf}lf ng the rules for Human &;¥ability Assessment (HRA) from NUREG/CR-1278 and NUREG/
| |
| CR-4772. These rules recommend using log normal distributions to model HRA parameter uncertainty. However, some adjustment to this recommendation was made for events with mean values greater than 2E-2, and error factors greater than 10, and also events with mean values greater t ~ lE-1, and error factors greater than 3. The Latin Hypercube Samplffi) (LHS) code , which is used with the Top Event Matrix Analysis Code (TEMAC) , calculates probability distributions to the 99t~ percentile.
| |
| Using the mean and error factor recommended for certain HRA results, log normal distributions were developed, which had 99th quantiles greater than 1.0. For these parameters, the_ distribution was changed to a maximum entropy distribution, with the maximum value defined as either 1.0 or the mean multiplied by the range factor, whichever is less. The minimum value was defined by dividing the mean by the range factor.
| |
| 4.12.3 Elicitation of Expert Opinion Modeling uncertainty was treated using the elicitation of expert cminion. This process and its results are discussed in Volume 2 of NUREG/CR-4550. 4 The elicitation of expert opinion was done in two phases. The first phase was a formal process where a panel of nationally recognized PRA experts were convened to assess the ten most signi-ficant modeling issues. The second phase was a less formal process where the project staff were elicited*. Issues not covered by the expert panel, but still deemed significant, were put before the analysts working on the various plant analyses. The informal
| |
| * elicitations followed the same methods and rules as the expert panel process
| |
| * 4.12-2
| |
| | |
| The formal expert panel elicitations are documented, in Volume 2, Part 1 of
| |
| * NUREG/CR-4.5.50, Revision 1. Among the ten issues reviewed by the panel, three of them were applicable to the Surry analysis. These are:
| |
| *
| |
| *
| |
| * Reactor Coolant Pump Seal LOCA Model Common cause failures in interfacing LOCA Application of Innovative Recovery The* informal elicitation process also involved several issues applicable to the Surry analysis. These were:
| |
| * Common Cause Beta Factor Uncertainty Ranges
| |
| * Common Cause Factors for AOVs
| |
| * SG Safety Valve Demand and Closure Probabilities These issues and their resolutions are documented in Volume 2, Part 2 of NUREG/CR-4.5.50, Revision 1, but are briefly summarized below.
| |
| The reactor coolant pump seal LOCA model predicts the development of leakage from RCP seals after Joss of seal cooling. The elicitations were done to predict timing and leakage rates necessary for quantification of core uncovery probabilities. The develop-ment of the leak paths is detailed in Appendix D of this report, but the results can be summarized here. The seal LOCA model predicts seal stability up to 1*.5 hours from loss of seal cooling. At that time, there is a 70% chance of developing significant seal leakage. The most predominate leak path, which has a .53% chance of occurring, results in a total RCS leak rate (from all three pumps) of 7.50 gpm. The seals continue to degrade up to 4 1/2 hours from loss of cooling, when the total probability of significant leakage is 73%, with a 67% chance of leakage greater than 7.50 gpm. By 4 1/2 hours, RCS cooldown and depressurization would have minimized seal LOCA risk.
| |
| The interfacing LOCA issue was put to elicitation because there was no appropriate failure data for check valve rupture and common cause checkvalve rupture. The elicita-tion process was used to develop probabilities for check valve rupture, leakage, and dependent failures.
| |
| The expert panel confirmed that the only two credible scenarios for interfacing LOCA in the LPI/LPR system at Surry, were rupture of two check valves in series, or the undetected failure of one check val_ve to r~lease upon startup, followed by rupture of the other during pressuriz.ed operation. The double rupture scenario could be random or could include a dependent failure of the second valve. The annual frequency of this event was calculated to be 1.6E-6. Approximately one third is due to the fail-to-release-upon-startup scenario and two thirds is due to dependent-check-valve-failure scenario.
| |
| The random rupture scenario was insignificant compared to the other two scenarios.
| |
| Innovative recovery actions were postulated for two types of sequences. The recovery actions were to vent containment* in the event of long term loss of containment heat removal, or to gag a -stuck open secondary relief valve in a steam generator tube rupture sequence. These are discussed in section 4.8 . .5.
| |
| The uncertainty ranges for the common cause Beta factors used in the plant analyses were scrutinized by revff~ing the common cause data in the Fleming common cause analysis, EPRI NP-3967 , for misclassification of data. The conclusion of the elicita-tion was that the existing common cause uncertainty models accounted for any reasonable misclassification of the data.
| |
| 4.12-3
| |
| | |
| The Fleming report did not have an analysis for AOVs, so the uncertainty model for common cause AOVs was assessed as part of the formal elicitations. Based on the results in EPRI NP-3967 for several types of valves and valves as a total family of components, a common cause Beta factor model of a log normal distribution with a mean of o'.1 and an
| |
| !error factor of 3 was developed.
| |
| Failure of a steam generator safety or relief valve to reclose during a steam generator tube rupture is identified as an important contributor to core damage. In order to calculate the probability of this event, two other probabilities must be known, the demand probability for the relief valve to open and the probability for failure to reclose. These questions were put to elicitation. The results of the elicitation considered that the valve demand probability is related to the operator's ability to control SI flow and to cooldown and depressurize the reactor. The elicitation also considered that failure to perform these actions would not only lead to relief valve demand, but would cause conditions leading to the passage of two phase flow out .of the relief valves. The probability of a relief valve failing to reclose, after passing two phase flow, is generally considered to be much higher than the nominal failure probability. In deciding to quantify these considerations, the panel considered that, in th.e extreme, failure to control SI and RCS pressure would guarantee a relief valve demand, and also lead to passage of two phase flow or subcooled water through the relief valve. Also, in the extreme of numerous demands, continued passage of subcooled water would cause the relief valve to fail open.
| |
| 4.12.4 Quantification of Accident Sequence Uncertainty The uncertainty of the parameter values was propagated through the accident sequence models using two computer codes. A Latin Hypercube Sampling (LHS) algorithm was used to generate the samples f<f43ill of the parameter valves. The LHS algorithm is documented in NUREG/CR-3624. The Top Event Matrix Analysis Code (TEMAC) was used to quantify the uncertainty of the accident sequence equation using the pafq/ljeter samples generated by the LHS code. TEMAC is documented in NUREG/CR-4598.
| |
| LHS is a constrained Monte Carlo technique which forces the tails of the distribution to be sampled. The LHS code is also flexible in that it can sample a variety of random variable distributions. Furthermore, parameter distributions for similar events were
| |
| .correlated. For example, if two similar components (e.g., MOV XX-FTO and MOV YY-FTO) are modeled from the same probability distribution, then the sampling of these two distributions was perfectly correlated.
| |
| * For basic events which are modeled with very similar but slightly different distriblltions (e.g.*, MOV XX fails to remain closed for 100.
| |
| hours and MOV YY fails to remain closed for 200 hours), the LHS code permits an induced correlation between the samples. However*, LH.S does not allow the correlation coefficient for this case to be equal to 1.0. LHS did permit sampling with a coefficient of 0.99 in these cases.
| |
| TEMAC uses the LHS parameter samples and the accident sequence equations (cut sets) as input to quantify the core damage estimates. TEMAC generates a sample of the acci-dent sequence frequency, a point estimate of the frequency, and various importance measures and ranking for the base events. The TEMAC users manual, NUREG/CR-4598, describes the code's calculations and output in detail. A brief description of the calculations generated for Surry is given below. These results for Surry are presented in Section 5.0 of this report.
| |
| 4.12-4
| |
| | |
| Descriptive Statistics for the Top Event
| |
| * The following descriptive statistics are considered in TEMAC for the top event frequen-cies and e~ch accident sequence~ and plant damage state:
| |
| *
| |
| * Size of the LHS sample The nominal estimate of the top event (quantified with all base events and initiating events set equal to a user-specified nominal value)
| |
| * Mean of the sample
| |
| * *Standard deviation of the sample
| |
| * 0.5, 0.25, 0.5o*, 6.7 5*, and 0~95 quantiles of the sample The entire sample of the top event generated by TE.MAC is plotted to show the cumula-tive probability distribution and probability density functions of the frequency. These are given in Section 5.1.
| |
| Risk Reduction by Basic and Initiating Events Risk reduction is a measure of the change in top event frequency due to a proportional change in the base event probability. This measure yields a ranking of the base events by importance, or contribution, to top event frequency. The risk reduction figure of merit is analogous to the potential reduction in the top event frequency, if a base event proba-bility is quantified as 0.0, or perfectly reliable. This measure is useful in identifying which components, human actions, maintenance practices, and initiating events should be the focus of efforts to improve reliability and reduce risk. Uncertainty intervals for risk reduction are also calculated*. These are the 0.05 and 0.95 quantiles of the risk reduction calculations generated by performing n such calculations over* the LHS matrix base and initiating events samples (n being the size of the Latin hypercube sample). The risk reduction uncertainty intervals show the uncertainty in a base event's contribution to risk due to the. uncertainty of the top event frequency. Initiating events are ranked sepa-rately from base events.
| |
| Risk*Increase by Ba:se Event Risk increase (sometimes called risk achievement) can 'be thought of as the increase in risk that results should a particular base event's probability be set equal to 1.0. This measure is meaningful only for probabilities and, therefore, is not used for initiating events that can have frequencies greater than 1.0. This measure is useful to assess which elements of the risk model are the most crucial for maintaining risk at current levels.
| |
| An increase in component unavailability or human error probabili.ty for the highest ranking events will have the largest impact on increasing core damage frequency.
| |
| Uncertainty intervals for risk increase are also calculated.
| |
| Uncertainty Importance The uncertainty importance measure focuses on the contribution to the variance of the frequency of the top event attributable to each. of the base and initiating events that jointly constitute the top event. In particular, if F is a composite of these events, where F represents the frequency of the top event, it is reasonable to expect a reduction in the Var(F) if the value of an event, X.', is known with certainty. If x. is known with *Cer-tainty, then the variance of Fis corlditional on the specific value of ~j and is denoted by 4*.12-.5
| |
| | |
| Var(F IXi). Moreover, the conditional reduction in the variance of F attributable to
| |
| * ascertaining the true value of the event X; is expressed as Var(F) - Var(FIX;).
| |
| The unconditional variance of F, Var(F), can be expressed in terms of the expected value of the conditional variance, Ex. [ Var(FIX-)] , and the variance of the conditional expec-tation, Varxj [ E(FIX;)] , as follows: J Var(F) = Ex. [Var(FIX;)] + Varx. [ E(FIX;)]
| |
| J J or Var(F) - Ex. [var(FIX;)] = Varx. [E(FIX;)-]
| |
| J J The square root of the left-hand side of the above equation is the measure referred to as uncertainty importance for event X;*
| |
| The uncertainty importance meast,1re requ~*res cal1lating the variance of a conditional expectation of a random varaiable, Varx. E(FI X,) ~ If the random variable has a long-tailed distribution, such as occurs when log ormal istribut~ons are used with large error factors, then its variance is extremely difficult to estimate. This estimation problem is directly attributable to the scale of the numbers involved. The scaling problem can be overcome by performing uncertainty importance calculations based on a logarithmic scale for the top event frequencies. The log scale produces a reliable ordering of the events and expresses the results in terms of log-based risk.
| |
| * However, the log-based uncertainty importance calculations do not readily translate back to a linear scale; thus, the uncertainty importance calculations in TEMAC are given only in terms of log-based risk. TEMAC does, however, provide the analyst with information that aids in the interpretation of the results of the log-based uncertainty importance calculation. This is accomplished by computing the ratio, R 05 , of the .05 quantile of the distribution of the top event frequency when X; is held constant at its mean value, to the
| |
| * .05 quantile of the top event frequency when Xi is not held constant. A similar ratio, R. 95 , is calculated by TEMAC for the .95 quantiles. .
| |
| If R 05 and R 95 _are both greater than 1.0, then the distribution of the frequency of the top event with Xi held constant at its mean value has shifted to the right, or shows an overall higher level of risk. On the other hand, if R 05 and R 95 are both less than l.O, then the distribution of the frequency of the top event with Xf held c<;>nstant at its mean value has shifted to the left, or shows an overall lower level of risk. If R 05 >1.0 and R 95 1.0, then the overall uncertainty in the distribution of the top event frequency has decreased. Likewise, if R 05 <1.0 and -R~ 95 >1.0, then the overall uncertainty in the distribution of the top event frequency has increased.
| |
| Presentation of Cut Set Results The TEMAC results for this study are summarized. in section 5.0 and are presented in full in Appendix E~ TEMAC prints out a ranked listing of the cut sets of the top event equation. The cut sets are ranked by their frequency. For each cut set, TEMAC shows the number of the cut set (this is simply determined by the order- in which the cut sets are read into TEMAC, there is no implication between rank and number), the order of cut set (number of events in the c:ut set), the frequency of the cut set, the cumulativ thie normalized cut set frequency, and a listing of the cut set. The cumulative normalized 4.12-6
| |
| | |
| cut set frequency for a particular cut set shows what fraction of the top event frequency is modeled by that cut set and all other higher ranked cut sets. This measure is convenient for review and screening of a top event equation. It tells the analyst which cut sets of the equation can be eliminated from further consideration and still retain some minimum threshold of the top event frequency (e~g~, 99%)~ TEMAC also writes the top event equation with the cut sets in o-rder by frequency to an output file~ This ranked structuring of the input equation is useful if it is desired to screen out low frequency cut sets from further TEMAC analyses *
| |
| * 4.12-7
| |
| : 5. RESULTS This section presents the final results of the revised Surry Probabilistic Risk Assessment (PRA) for NUREG-1150. These results include the dominant core damage sequences, their frequencies and contributors, corresponding plant damage state frequencies, and the uncertainty and importance calculations for the comprehensive plant model where all of the accident sequences were combined into one uncertainty analysis. In addition, a comparison of these results with those of YASH-1400 are presented.
| |
| The same type of information is given for each accident sequence and plant damage state. Additional information is given for the total core damage frequency (i.e., the statistics, the risk reduction importance measure, the risk increase importance measure, the uncertainty-importance measure, and the top cut sets). Further detail can be found in Appendix E. A brief explanation of the computer code producing the results is given in Section 4 .12.
| |
| * Section 5 .1 presents the frequency and uncertainty results of the comprehensive plant model. Section 5. 2 describes the core damage sequences on an individual basis and identifies their dominant contributors. Section 5.3 discusses the individual plant damage states.
| |
| Section 5.4 describes the importance measures for the comprehensive plant model discussed in Section 5.1. Section 5.5 compares the results of this study with the results of YASH-1400. Differences in results due to plant modific.ations, failure data, and study methodology are discussed.
| |
| 5.1 Characterization of Core Damage Frequency and Uncertainty at Surry This study resulted in the identification of 28 core damage sequences which *comprise the internal events core damage model.* Each of these accident sequences is discussed in Section 5.2. The internal events core damage model yielded a sampled mean frequency of 4.0E-5 per reactor year.
| |
| The cumulative distribution function for the core damage model is shown in Figure 5-1. The probability density function is shown in Figure 5-2.
| |
| The important statistical parameters of the core damage frequency distribution are listed below. Appendix E shows the corresponding statistics for each individual, dominant accident sequence and plant damage state. These statistics were generated with a sample size of 1000.
| |
| Mean 4.0lE-5/yr Standard Deviation 5.78E-S 95% Upper 1. 31E-4/yr 75% Upper 4.52E-5/yr Median 2.31E-5/yr 25% Lower 1. 34E-5/yr 5% Lower 6.75E-6/yr 5-1
| |
| | |
| 1.0 C
| |
| u 0.9 M
| |
| u 0.8 L
| |
| A T 0.7 I
| |
| V 0.6 E
| |
| p 0.5 u,
| |
| N I
| |
| R 0.4 0
| |
| B 0.3 A
| |
| B I 0.2 L
| |
| I 0.1 T
| |
| V 0.0 1E-6 1E-5 1E-4 1E-3 CORE DAMAGE FREQUENCY Figure 5-1. Uncertainty Distributio for Surry Core Damage Frequency.
| |
| | |
| D E
| |
| N s
| |
| I T
| |
| ~ y 1E-6 1E-5 1E-4 1E-3 CORE DAMAGE FREQUENCY Figure 5-2. Density Estimation for Surry Core Damage Frequency.
| |
| | |
| The comprehensive core damage model represents all accident sequences with frequencies greater than lE-7/yr. The point estimate frequency of the comprehensive model, which was calculated by simple propagation of mean values for basic event probabilities, is 3.3E-5/yr. There were 10 fully quantified accident sequences that have point estimate frequencies less than lE-7/yr. These sequences have a combined frequency of 2.2E-7.
| |
| In addition, there were 43 partially quantified sequences with point estimate frequencies in the range of SE-10 to lE-8. These sequences were partially quantified in that they were not subject to recovery analysis.
| |
| They were minimal contributors without recovery actions, and therefore not subject to further evaluation. If each of these sequences was estimated to have a recovered frequency of 3E-9, these sequences would represent a total frequency of l.3E-7. Thus, the total contribution of nondominant sequences is estimated to be 3. SE- 7, which accounts for a very small percentage of the core damage frequency.
| |
| The models and data used in this study are the most representative analyses that could be supported by the state-of-the-art in reactor safety research. Sensitivity studies of alternate models or hypotheses were not used in this revised analysis. All modeling issues were reexamined since the original analysis, and the important modeling issues were resolved through elicitation of expert opinion. The resultant distributions incorporate alternative hypotheses within the uncertainty bounds.
| |
| Grouping the accident sequences by types of events shows that station blackout contributes 68 percent of the mean core damage frequency; loss of coolant accidents inside containment account for 15 percent, LOGAs in interfacing systems account for 4 percent, loss of main feedwater accounts for 5 percent, steam generator tube rupture accounts for 4 percent, and anticipated transients without scram accounts for 4 percent.
| |
| Reviewing the group of total core damage frequency cut sets shows that a large percentage of the total core damage frequency is contributed by a small number of cut sets. There were 2774 dominant cut sets in the final Surry internal events analysis. The contribution to the total core damage frequency for the cumulative number of cut sets is shown below.
| |
| % of Total Gore Cumulative Number Damage Frequency of Gut Sets 30% 20 50% 49 60% 72 70% 110 80% 181 90% 344 95% 551 99% 1152 100% 2274 5-4
| |
| | |
| The top twenty cut sets, comprising 30 percent of the total core damage frequency, are presented in Table 5-1. For each cut set, Table 5-1 lists the events in the cut set, the point estimate frequency, the percent of the total point estimate frequency, and the corresponding accident sequence and plant damage state.
| |
| Descriptions of* the events contained in the top cut sets and the associated mean unavailability are displayed in Table 5-2.
| |
| The values for cut set frequency in this table are point estimates, based on multiplication of mean values for each event. The top 20 cut sets are discussed individually. The top cut set is l.17E-6. No other cut sets are above lE-6/yr. The single highest cut set, which accounts for
| |
| : 3. 5 percent of total CDF is loss of off site power followed by common cause failure of all diesels, leading to station blackout at Units 1 and
| |
| : 2. The seals on all three reactor coolant pumps fail at 90 minutes after the blackout, due to loss of all cooling. Failure to recover AC power by 3 1/2 hours after the event leads to core uncovery.
| |
| The second most dominant cut set represents an ATW'S sequence, where mitigation is not possible. Due to the presence of an unfavorably high moderator temperature coefficient, the primary system pressure rise is not able to be controlled to less than 3200 psi.
| |
| The third, fourth, sixth and sixteenth through nineteenth ranking cut
| |
| * sets involve a long term station blackout at Unit 1. These cut sets total 3.18E-6, accounting for 9.6 percent of total core damage frequency.
| |
| These sequences represent failure of two diesels, causing station blackout at Unit 1, but an operable diesel at Unit 2. Cross connect of the charging system from Unit 2 provides RCP seal injection flow and thus prevents seal failure. Battery depletion will occur at approximately four hours. Failure to recover AC power in seven hours leads to core uncovery, due to inability to control auxiliary feedwater.
| |
| The fifth and seventh cut sets represent a steam generator tube rupture, followed by failure of the operator to control primary pressure.
| |
| Continued inflow of primary coolant into the SG causes relief valve demand and eventual water carry over into the steam line through the relief valve. Subsequent failure of the relief valve to reclose leads to continued discharge of the RCS inventory to the atmosphere. Continued failure to depressurize the reactor leads to RWST inventory depletion and subsequent core uncovery.
| |
| The eighth, tenth, and eleventh cut sets involve intermediate LOCAs followed by ECCS failure, in injection or recirculation. The ninth cut set is a station blackout seal LOCA sequence, very similar to cut set #1, except with the additional failure of a steam generator safety valve to reclose. The next three cut sets each represent an interfacing LOCA in the low pressure injection system. The fifteenth cut set represents loss of all steam generator feedwater flow, followed by failure to initiate feed and bleed cooling. The twentieth cut set is a large LOCA followed by failure of one accumulator to inject into an intact cold leg.
| |
| 5-5
| |
| | |
| l Table 5-1 Top Cut Sets Contributing to the Surry Total Core Damage Frequency Pt. Est % of Total Pt. Accident Freq. Est. Frequency Cut Set Sequence PDS Group
| |
| : 1. 1.2E-6 3.5 IE-Tl* BETA-3DG
| |
| * NOTL-SBOU1U2
| |
| * NOTQ
| |
| * SBO-SLOCA2 PDS-1 NRAC-216M * /0
| |
| * OEP-DGN-FS * /QS-SBO
| |
| * RCP-LOCA-750-90M
| |
| * REC-XHE-FO-DGHW'S +
| |
| : 2. 8.4E-7 2.5 IE-TN* K
| |
| * R* Z+ TKRZ PDS-6
| |
| : 3. 6.2E-7 1. 9 IE-Tl* /DGN-FTO
| |
| * NOTL-SBOUl
| |
| * NOTQ
| |
| * SBO-BATT PDS-1 NOTW2
| |
| * NRAC-7HR
| |
| * OEP-DGN-FS-DGOl
| |
| * OEP-DGN-FS-DG02 * /QS-SBO
| |
| * REC-XHE-FO-DGHW'B +
| |
| V, I
| |
| 0\
| |
| : 4. 6.2E-7 1. 9 IE-Tl* /DGN-FTO
| |
| * NOTL-SBOUl
| |
| * NOTQ
| |
| * SBO-BATT PDS-1 NOT2
| |
| * NRAC-7HR
| |
| * OEP-DGN-FS-DGOl
| |
| * OEP-DGN-FS-DG03 * /QS-SBO
| |
| * REC-XHE-FO-DGHW'B +
| |
| : 5. 6.lE-7 1.8 IE-T7
| |
| * MSS-SRV-00-PDSRV
| |
| * RCS-XHE-FO-DPRT7
| |
| * T7-0D-QS PDS-7 PORV-BLK
| |
| * REC-XHE-FO-DPRES
| |
| * SGTR-SGSRV-0DMD1 +
| |
| : 6. 5.8E-7 1.8 IE-Tl* BETA-2DG
| |
| * NOTDG-CCF
| |
| * NOTL-SBOUl
| |
| * SBO-BATT PDS-1 NOTQ
| |
| * NOTW2
| |
| * NRAC-7HR
| |
| * OEP-DGN-FS *
| |
| /QS-SBO
| |
| * REC-XHE-FO-DGHW'B +
| |
| : 7. 5.2E-7 1. 6 IE-T7
| |
| * MSS-SRV-00-0DSRV
| |
| * RCS-XHE-FO-DPRT7
| |
| * T7-0D-QS PDS-7 PORV-NOT-BLK* SGTR-SGSRV-0DMD2* REC-XHE-FO-DPRES+
| |
| : 8. 4.6E-7 1.4 IE-Sl
| |
| * BETA-2MOV
| |
| * LPR-MOV-FT-1862A + Sl-Hl PDS-2
| |
| * *
| |
| * Table 5-1 Top Cut Sets Contributing to the Surry Total Core Damage Frequency (Continued)
| |
| Pt. Est % of Total Pt. Accident Freq. Est. Frequency Cut Set Sequence PDS Group
| |
| : 9. 4.5E-7 1.4 IE-51
| |
| * BETA-3DG
| |
| * NOTL-SBOU1U2
| |
| * NOTQ
| |
| * SBO-SLOCA2 PDS-1 NRAC-216M
| |
| * OEP-DGN-FS
| |
| * RCP-LOCA-750-90M
| |
| * QS-SBO
| |
| * REC-XHE-FO-DGHWS +
| |
| : 10. 4.5E-7 1.4 IE-Sl
| |
| * BETA-LPI
| |
| * LPI-MDP-FS + Sl-D6 PDS-2
| |
| : 11. 4.4E-7 1. 3 IE-Sl
| |
| * LPI-MOV-PG-1890C + Sl-D6 PDS-2
| |
| : 12. 4.0E-7 1. 2 IE-V-TRAIN-1 + V PDS-4 V1 I
| |
| -...J
| |
| : 13. 4.0E-7 1.2 IE-V-TRAIN-2 + V PDS-4
| |
| : 14. 4.0E-7 1.2 IE-V-TRAIN-3 + V PDS-4
| |
| : 15. 3.6E-7 1.1 IE-T2
| |
| * AFW-PSF-FC-XCONN
| |
| * AFW-XHE-FO-UNIT 2
| |
| * T2-L-P PDS-5 HPI-XHE-FO-FDBLD +
| |
| : 16. 3.4E-7 1.0 IE-Tl* /DGN-FTO
| |
| * NOTL-SBOUl
| |
| * NOTQ
| |
| * NOTW2
| |
| * SBO-BATT PDS-1 NRAC-7HR
| |
| * OEP-DGN-FR~6HDG1
| |
| * OEP-DGN-FS-DG03 *
| |
| /QS-SBO
| |
| * REC-XHE-FO-DGHWB +
| |
| : 17. 3.4E-7 1.0 IE-Tl* /DGN-FTO
| |
| * NOTL-SBOUl
| |
| * NOTQ
| |
| * NOTW2
| |
| * SBO-BATT PDS-1 NRAC-7HR
| |
| * OEP-DGN-FT-6HDG3
| |
| * OEP-DGN-FS-DGOl *
| |
| /QS-SBO
| |
| * REC-XHE-FO-DGHWB +
| |
| | |
| Table 5-1 Top Cut Sets Contributing to the Surry Total Core Damage Frequency (Concluded)
| |
| Pt. Est % of Total Pt. Accident
| |
| \ Freq. Est. Frequency Cut Set Sequence PDS Group
| |
| : 19. 3.4E-7 1.0 IE-Tl* /DGN-FTO
| |
| * NOTL-SBOUl
| |
| * NOTQ
| |
| * NOTW2
| |
| * SBO-BATT PDS-1 NRAC-7R
| |
| * OEP-DGN-FR-6HDG1
| |
| * OEP-DGN-FS-DG02 *
| |
| /QS-SBO
| |
| * REC-XHE-FO-DGHWB +
| |
| : 20. 3.3E-7 1.0 IE-A* ACC-MOV-PG-186SB + A-DS PDS-2 V,
| |
| I 00
| |
| * *
| |
| * Event ID.
| |
| Table 5-2 Description of Important Surry Events Event Descriptionl Unavail.
| |
| (Mean)
| |
| ACC-CKV-FT-CV128 CHECK VLV CV128 FAILS TO OPEN 1.00E-4 ACC-CKV-FT-CV130 CHECK VLV CV130 FAILS TO OPEN 1. OOE-4 ACK-CKV-FT-CV145 CHECK VLV CV145 FAILS TO OPEN 1. OOE-4 ACC-CKV-FT-CV147 CHECK VLV CV147 FAILS TO OPEN l.OOE-4 ACC-MOV-PG-1865B ACC MOTOR OPERATED VLV 1865B PLUGGED 6.SOE-4 ACC-MOV-PG-1865C ACC MOTOR OPERATED VLV 1865C PLUGGED 6.SOE-4 ACP-BAC-ST-lHl 480V AC BUS lHl BUSWORK FAILURE 9.00E-5 ACP-BAC-ST-lHl-2 480V AC MCC lHl-2 BUSWORK FAILURE 9.00E-5 ACP-BAC-ST-4801J 480V AC BUS lJ BUSWORK FAILURE 9.00E-5 ACP-BAC-ST-4KV1H 4160V AC BUS lH BUSWORK FAILURE 9.00E-5 ACP-TFM-NO-lHl FAILURE OF POWER XFORMER TO BUS lHl 4.00E-5 AFW-CCF-LK-STMBD UNDETECT LEAKAGE THRU CV27, CV58, CV89 l.OOE-4 AFW-CKV-00-CV142 BACKFLOW THROUGH CV142 1.00E-3 AFW-CKV-00-CV147 BACKFLOW THROUGH CV157 1.00E-3 AFW-CKV-00-CV172 BACKFLOW THROUGH CV172 1. OOE-3 AFW-MDP-FS APW MDP FAILS TO START 6.30E-3 AFW-MDP-FS-FW3A MDP AFW 3A FAILS TO START 6.30E-3 AFW-MDP-FS-FW3B MDP AFW 3B FAILS TO START 6.30E-3 AFW-MDP-MA- FW3A TEST AND MAINTAIN ON AFW MDP 3A 2.00E-3 AFW-MDP-MA-FW3B TEST AND MAINTAIN ON AFW MDP 3B 2.00E-3 AFW-PSF-FC-XCONN FLOW DIVERSION TO UNIT 2 THRU XCONN 1. SOE-4 AFW-TDP-FR-2P6HR AFW TDP 2P FAILS TO RUN FOR 6 HRS 3.00E-2 AFW-TDP-FR-6HRU2 UNIT 2 AFW TDP FAILS TO RUN FOR 6 HRS 3.00E-2 AFW-TDP-FS-FW2 TURBINE DRIVEN AFW PMP FAILS TO START 1.lOE-2 AFW-TDP-FS-U2FW2 AFW TDP FW2 AT UNIT 2 FAILS TO START 1. lOE-2 AFW-TDP-MA-FW2 TEST AND MAINT ON AFW TDP 2 1.00E-2 AFW-TNK-VF-CST INSUF WATER AVAIL FM 110,000 GAL CST 1. OOE-6 AFW-XHE-FO-CST2 FAILURE TO OP TO XCONN UNIT 2 CST 6.SOE-2 AFW-XHE-FO-UlSBO OP FAILS TO XCONN AFW SBO AT UNIT 1 8.20E-2 AFW-XHE-FO-UNIT2 OP FAILS TO XCONN AFW, TRANSIENTS 3.60E-2
| |
| * 5-9
| |
| * Table 5-2 Description of Important Surry Events (Cont.)
| |
| Unavail.
| |
| Event ID. Event Descriptionl (Mean)
| |
| BETA-AFW BETA FOR CC FAILURE OF AFW MDPs 5.60E-2 BETA-2DG BETA FOR CC FAILURE OF 2 DGs 3.80E-2 BETA-3DG BETA FOR CC FAILURE OF 3 dgS 1.80E-2 BETA-HP! BETA POR CC FAILURE OF HPI MDPs 2.lOE-1 BETA-LP! BETA FOR CC FAILURE OF LPI MOPs 1. SOE-1 BETA-2MOV BETA FOR CC FAILURE OF 2 MOVs 8.80E-2 BETA-SRV BETA FOR CC FAILURE OF SRVs 7.00E-2 BETA-STR BETA FOR CC FAILURE OF STRAINERS 2.63E-l CPC-MDP-FR-CCA24 MDP CCA FAILS TO RUN FOR 24 HRS 7.20E-4 CPC-MDP-FR-SWA3H MDP SWA FAILS TO RUN FOR 3 HRS 4.80E-4 CPC-'1-IDP- FR- SWA24 MOP SWA FAILS TO RUN FOR 24 HRS 3.80E-3 CPC-MOP-FR-SWB24 MOP SWB FAILS TO RUN FOR 24 HOURS 3.80E-3 CPC-MOP-FS-SWlOB MOP SWlOB FAILS TO START 8.00E-3 CPC-MOP-MA-CC28 TEST AND MAINT ON MOP CC2B 2.00E-3 CPC-MDP-MA-SWlOB TEST AND MAINT ON MOP SWlOB 2.00E-3
| |
| * CPC-STR-PG-lHR CPC STRAINER PLUGGED W/IN 1 HR 3.00E-5 CPC-STR-PG-3HR CPC STRAINER PLUGGED W/IN 3 HRS 9.00E-5 CPC-STR-PG-6HR CPC STRAINER PLUGGED W/IN 6 HRS* 1.80E-4*
| |
| CPC-STR-PG-24 HR CPC STRAINER PLUGGED W/IN 24 HRS 7.20E-4 CPC-STR-PG-2A3HR CPC STRAINER 2A PLUGGED W/IN 3 HRS 9.00E-5 CPC-XHE-FO-REALN OP FAILS TO ALIGN CPC SW TO UNIT2 7.00E-2 DCP-BDC-ST-BUSlA 125V DC BUS lA BUSWORK FAILURE 9.00E-5.
| |
| DCP-BDC-ST-BUSlB 125V DC BUS lB BUSWORK FAILURE 9.00E-5 HPI-CKV-FT-CV25 CHECK VLV CV25 FAILS TO OPEN l.OOE-4 HPI-CKV-FT-CV225 CHECK VLV CV225 FAILS TO OPEN 1. OOE-4 HPI-CKV-FT-CV410 CHECK VLV CV410 FAILS TO OPEN 1.00E-4 HPI-CKV-00-CV258 CK VLV CV258 FAILS TO SHUT, CAUSE BKFLW 1. OOE-3 HPI-MDP-FR-1A6HR CHRGNG PMP CHlA FAILS TO RUN FOR 6 HRS 4.00E-4 HPI-MOP-FS CHARGING PUMP FAILS TO START ON DEMAND 4.00E-3 HPI-MOV-FT HPI MOTOR OP VALVE FAILS TO TRANSFER 3.00E-3 HPI-MOV-FT-lllSB HPI MOV 1115B FAILS TO OPEN ON DEMAND 3.00E-3 HPI-MOV-FT-lllSC HP! MOV lllSC FAILS TO CLOSE 3.00E-3 5-10
| |
| * Table 5-2 Description of Important Surry Events (Cont.)
| |
| Unavail.
| |
| Event ID, Event Descriptionl (Mean)
| |
| HPI-MOV-FT-1115D HPI MOV 1115D FAILS TO OPEN ON DEMAND 3.00E-3 HPI-MOV-FT-1115E HPI MOV 1115E FAILS TO CLOSE 3.00E-3 HPI-MOV-FT-1867C HPI MOV 1867C FAILS TO OPEN ON DEMAND 3.00E-3 HPI-MOV-FT-1867D HPI MOV 1867D FAILS TO OPEN ON DEMAND 3.00E-3 HPI-XHE-FO-ALT OP FAILS TO REC CCF OF HPI DISCH MOV 6.lOE-1 HPI-XHE-FO-ALTIN OP FAILS TO REC HPI VIA ALT PATH 5.70E-3 HPI-XHE-FO-FDBLD OP FAILS TO ESTAB FEED & BLEED 7.10 E-2 HPI-XHE-FO-UN2S2 OP FAILS TO XCONN HPI TO U2 FOR S2D1 3.lOE-1 HPI-XHE-FO-UN2S3 OP FAILS TO XCONN HPI TO U2 FOR S3 D1 4.40E-2 HPI-XVM-PG-XV24 MANUAL VLV XV24 PLGGED 4.00E-5 IAS-CCF-LF-INAIR LOSS OF INSTRUMENT AIR TO ALL AOVs 2.70E-5 IEE-Tl LOSS OF OFFSITE POWER 7.70E-2 IE-T2 LOSS OF MAIN FEEDWATER 9.40E-l IE-T7 STEAM GENERATOR TUBE RUPTURE 1. OOE-2 IE-TN HIGH PWR XIENT EVENT REQUIRING RX SCRAM 5.90E-O IE-V-TRAIN-1 INTERFACING LOCA FM RCS LOOP 1 TO LPI 4.00E-7 IE..:V-TRAIN-2 INTERFACING LOCA FM RCS LOOP 2 TO LPI 4.00E-7 IE-V-TRAIN-3 INTERFACING LOCA FM RCS LOOP 3 TO LPI 4.00E-7 K FAILURE OF RPS TO SCRAM THE RX 6.00E-5 LPI-CKV-00-CVSO CHECK VLV CV50 FLS TO SHUT, CAUSE BKFLW 1.00E-3 LPI-CKV-00-CV58 CHECK VLV CV58 FLS TO SHUT, CAUSE BKFLW 1. OOE-3 LPI-MDP-FR-A21HR LPI MDP SilA FAILS TO RUN FOR 21 HRS 6.30E-4 LPI-MDP-FR-A24HR LPI MDP SilA FAILS TO RUN FOR 24 HRS 7.20E-4
| |
| * LPI-MDP-FR-B2iHR LPI MDP SilB FAILS TO RUN FOR 21 HRS 6.30E-4 LPI-MDP-FR-B24HR LPI MOP SilB FAILS TO RUN FOR 24 HRS 7.20E-4 LPI-MDP-FS LPI MOTOR DRIVEN PUMP FAILS TO START 3.00E-3 LPI-MDP-FS-SilA LPI MDP SilA FAILS TO START ON DEMAND 3.00E-3 LPI-MDP-FS-SI1B LPI MDP SilB FAILS TO START ON DEMAND 3.00E-3 LPI-MDP-MA-SI1A TEST AND MAINT ON LPI MDPSilA 2.00E-3 LPI-MDP-MA-SI1B *TEST AND MAINT ON LPI MDPSilB 2.00E-3 LPI-MOV-PG-1890C LPI MOTOR OPERATED VLV 1890C PLUGGED 4.40E-4
| |
| * 5-11
| |
| | |
| Table 5-2 Description of Important Surry Events (Cont.)
| |
| Unavail.
| |
| Event ID. Event Descriptionl (Mean)
| |
| LPR-CCF-PG-SUMP PLUGGING OF THE CONTAINMENT SUMP 5.00E-5 LPR-MOV-FT-1860A LPR MOV 1860A FAILS TO OPEN 3.00E-3 LPR-MOV-FT-1860B MOTOR OPER VLV 1860B FAILS TO OPEN 3.00E-3 LPR-MOV-FT-1862A LPR MOTOR VLV 1862A FAILS TO CLOSE 5.20E-3 LPR-MOV-FT-1862B LPR MOTOR VLV 1862B FAILS TO CLOSE 5.20E-3 LPR-MOV-FT-1890A LPR MOTOR OPER VLV 1890A FAILS TO OPEN 3.00E-3 LPR-MOV-FT-1890B LPR MOTOR OPER VLV 1890B FAILS TO OPEN 3.00E-3 LPR-XHE-FO-HOTLG OP FAILS TO ALIGN FOR HOT LEG RECIRC 4.00E-5 MCW-CCF-VF-SBO OP FAILS TO CLS COND !SOL VLV FOR SBO 6.00E-2 MSS-CKV-FT-SGDHR BKFLW THRU 1 OF 2 SG DECAY HEAT RMVL CV 2.00E-3.
| |
| MSS-SOV-00-0DADV SG PORV FLS TO SHUT, SGTR W/0 OP DPRESS 1. OOE-0 MSS-SRV-00-0DSRV SG SRV FAILS TO SHUT, SGTR W/0 DPRESS 1. OOE-0 MSS-XHE-FO-BLOCK FAILURE OF OP TO TERMINATE FLOW FROM 6.40E-2 STUCK OPEN SG PORV
| |
| ~SS-XHE-FO-ISAFW FAILURE OF OP TO TERMINATE FLOW FROM 6.SOE-6 TDP STM LINE DURING SGTR MS-XHE-FO-ISDHR OP FAILS TO !SOL STM FLOW VIA DECAY l.40E-2 HEAT REMOVAL BY COOLDOWN NOTDG SUCCESS OF THE 3RD DG 9.70E-1 NOTDG-CCF SUCCESS OF 3RD DG AFTER CC FAILURE OF 2 5.20E-1 NOTL-SBOUl AFW SUCCESS DURING SBO AT UNIT 1 ONLY 9.93E-1 NOTL-SBOU1U2 AFW SUCCESS DURING SBO AT UNITS 1 AND 2 9.68E-1
| |
| *NOTQ RCS PORV RESHUT DURING SBO 9.7E3-l NOTW2 SEAL COOLING FM UNIT2 SUCCESS FOR SBO 8.15E-1 NRAC-150MIN NON-RECOVER AC PWR W/IN 150 MIN OF LOSP 2.lOE-1 NRAC-201MIN NON-RECOVER AC PWR W/IN 201 MIN OF LOSP 1. 50E-1 NRAC-216MIN NON-RECOVER AC PWR W/IN 216 MIN OF LOSP 1. 38E-1 NRAC-234MIN NON-RECOVER AC PWR W/IN 234 MIN OF LOSP l.23E-1 NRAC-246MIN NON-RECOVER AC PWR W/IN 246 MIN OF LOSP l.15E-1 NRAC-258MIN NON-RECOVER AC PWR W/IN 258 MIN OF LOSP 1. OSE-1 NRAC-HALFHR NON-RECOVER AC PWR W/IN 30 MIN OF LOSP 6.00E-1 5-12
| |
| * I_
| |
| | |
| Table 5-2
| |
| * Description of Important Surry Events (Cont.)
| |
| Unavail.
| |
| Event ID. Event Descriptionl (Mean)
| |
| HRAC-lHR NON-RECOVER AC PWR W/IN 1 HR OF LOSP 4.40E-1 NRAC-7HR NON-RECOVER AC PWR W/IN 7 HRS OF LOSP 5.00E-2 NRAC-6HR-AVG NON-RECOVER AC PWR W/IN 6 HRS OF LOSP 1. 94E-1 NSLOCA SUCCESSFUL FUNCTION RCP SEALS DURING SBO 2.70E-1 0 OP FAILS TO DEPRESS RCS DURING SBO ti..-90E-2 OEP-CRB-FT~15H3 DIESEL GEN #l CKT B~ 1.5Hs FLS TO CLS 3.00E-3 OEP-CRB-FT-15J3 DIESEL GE~ #3 -CK-r-JfRKR 15J3 FLS TO CLS 3.00E-3 OEP-DGN-FR-6HDG1 DG #l FAILS TO RUN FOR 6 HRS 1. 20E-2 OEP-DGN-FT-6HDG2 DG #2 FAILS TO RUN FOR 6 HRS 1. 20E-2 OEP-DGN-FR-6HDG3 DG #3 FAILS TO RUN FOR 6 HRS 1. 20E-2 OEP-DGN-FS DIESEL GENERATOR FAILS TO START 2.20E-2 OEP-DGN-FS-DGOl DIESEL GENERATOR #l FAILS TO START 2.20E-2 OEP-DGN-FS-DG02 DIESEL GENERATOR #2 FAILS TO START 2.20E-2 OEP-DGN-FS-DG03 DIESEL GENERATOR #3 FAILS TO START 2.20E-2
| |
| * OEP-DGN-MA-DGOl TEST AND MAIN ON DIESEL GENERATOR #l 6.00E-3 OEP-DGN-MA-DG02 TEST AND MAIN ON DIESEL GENERATOR #2 6.00E-3 OEP-DGN-MA-DG03 TEST AND MAIN ON DIESEL GENERATOR #3 6.00E~3 PROV-BLK PROB A RCS PORV IS BLOCKED PRIOR TO IE 1.50E-1 PORV-NOT-BLK PROB RCS PORV IS NOT BLOCKED PRIOR TO IE 8.50E-l PPS-Mov.:FC-1535 BLK VLV MDV 1535 SHUT DUE TO LKING PORV 3.00E-1 PPS-MOV-FC-1536 BLK VLV MDV 1536 SHUT DUE TO LKING PORV 3.00E-1 PPS-MDV-FT PORV BLOCK VALVE FAILS TO OPEN 4.00E-2 PPS-MOV-FT-1535 PORV BLOCK VLV 1535 FAILS TO OPEN 4.00E-2 PPS-MOV-FT-1536 PORV BLOCK VLV 1536 FAILS TO OPEN 4.00E-2 PPS-SOV-00-1455C RCS PORV 1455C FAILS TO RECLOSE 3.00E-2 PPS-XHE-FO-EMBOR OP FAILS TO CORRECTLY EMERGENCY BORATE 1.00E-3 PPS-XHE-FO-PORVS FAILURE OF OP TO BTH PORVS FOR FD/BLD 4.40E-2 QS-SBO SG SRV/PORV STICK OPEN DURING SBO 2.70E-1 R FAILURE TO MANUAL SCRAM THE RX 1. 70E-1
| |
| * 5-13
| |
| | |
| Table 5-2
| |
| * Description of Important Surry Events (Cone.)
| |
| Unavail.
| |
| Event ID. Event Descriptionl (Mean)
| |
| RCP-LOCA-750-90M 750 GPM RCP SEAL LOCA AT 90 MIN 5.30E-l RCP-LOCA-467-150 183 GPM INCSNG TO 750 GPM RCP SEAL.LOCA 1. 27E- l RCP-LOCA-183-150 183 GPM RCP SEAL LOCA AT 150 MIN 1.61E-2 RCP-LOCA-183-210 183 GPM RCP SEAL LOCA AT 210 MIN l.61E-2 RCP-LOCA-1440-90 1440 GPM RCP SEAL LOCA AT 90 MIN 4.30E-3 RCP-LOCA-561-150 372 GPM INCSNG TO 750 TPM RCP SEAL LOCA 4.00E-3 RCP-LOCA-183-90 183 GPM RCP SEAL LOCA AT 90 MIN l.40E-2 RCS-XHE-FO-DPRT7 OP FAILS TO DEPRESS/COOL RCS DURING SGTR 2.90E-2 RCS-XHE-FO-DPT7D OP FAILS TO DEPRESS/COOL RCS FOR T7D1 4.00E-1 REC-XHE-FO-DGEN OP FAILS TO RECOVER A DG WITHIN 1 HR 9.00E-1 REC-XHE-FO-DGHWB OP FAILS TO REC A DG FM HW FAIL IN 6 HR 6.00E-1 REC-XHE-FO-DGHWS OP FAILS TO REC A DG FM HW FAIL IN 3 HR 8.00E-1 REC-XHE-FO-DGTMB OP FAILS TO REC A DG FM TM FAIL IN 6 HR 5.00E-1 REC-XHE-FO-DGTMS OP FAILS TO REC A DG FM TM IN 3 HR 7.00E-1 REC-XHE-FO-DPRES OP FAILS TO DEPRESS RCS IN REC FM SGTR l.40E-2 REC-XHE-FO-GAGRV OP FAILS TO GAG SHUT STUCK OPEN RELIEF 3.00E-1 REC-XHE-FO-SCOOL RMT-ACT-FA-RMTSA RMT-ACT-FA-RMTSB RMT-CCF-FA-MSCAL OP FAILS TO COOL RCP SEALS DURING SBO NO SIGNAL FROM RMTS ACT TRAIN A NO SIGNAL FROM RMTS ACT TRAIN B CC FAIL RMTS DUE TO MISCALIBRATION
| |
| : 1. 25E-l l.60E-3
| |
| : 1. 60E-3 3.0E-4
| |
| * RMT-XHE-FO-MANSl OP FAILS TO RECOVER RMTS ACT FAILURE 6.40E-2 RWT-TNK-LF-RWST INSUF WATER AVAILABLE FM THE RWST 2.70E-6 SBO-PORV-DMD RCS PORV DEMAND PROB DURING SBO 4.50E-l SGTR-SGADV-ODMD SGTR SG PORV DEMAND W/0 DEPRESS 1.00 SGTR-SGSRV-ODMDl SGTR SG SRV DMD W/0 DEPRESS/INJECTION l.OOE-0 SGTR-SGSRV-ODMD2 SGTR SG SRV DEMAND W/0 DEPRESS 1. 50E- l SIS-ACT-FA-SISA NO SIGNAL FROM SIS ACT TRAIN A 1. 60E SIS-ACT-FA-SISB NO SIGNAL FROM SIS ACT TRAIN B 1. 60E-3 z UNFAVORABLE MODERATOR TEMP COEFFICIENT l.40E-2 5-14
| |
| *
| |
| * Notes to Description of Important Surry Events
| |
| : 1. Abbreviations used in the Description of Important Surry Events:
| |
| ACT= Actuation MOV = Motor Operated Valve AOV - Air Operated Valve NUREG-3862 = NUREG/CR-3862 ASEP Gen= ASEP Generic Data OP= Operator BRKR = Breaker OPN = Open CC(F) = Common Cause (Failure) PMP = Pump CKT = Circuit PORV = Power Oper. Relief Vlv.
| |
| CLS = Close PROB= Probability COND = Main Condenser PSD = Plant Spec. Data (App. D)
| |
| CONT= Containment PWR = Power CST= Condensate Storage Tank REC= Recovery CV= Check Valve RECIRC = Recirculation D = Demand RECOVERY= Recovery Analysis DG = Diesel Generator RP= Rupture DISCH= Discharge RX= Reactor DIST= Distribution SBO = Station Blackout DMD= Demand SECT= Section DPRESS = Depressurize SIG= Signal EF = Error Factor SG = Steam Generator FD/BLD = Feed and Bleed Cooling SGTR = Steam Generator Tube FLS = Fails Rupture FM= From SRV Safety Relief Valve HR(S) = Hour(s) STA Station HRA = Human Reliability Analysis STM Steam HW = Hardware TDP Turbine Driven Pump IE= Initiating Event TM= Test and Maintenance IEEE 500 = IEEE Standard 500-1984 TRN = Train INSUF = Insufficient Ul = Unit 1 INVTR = Inverter U2 = Unit 2 IREP Interm Reliability Eval. UNAVAIL = Unavailable Program Procedures Guide VLV = Valve ISOL Isolation W/IN = Within LOSP Loss of Offsite Power W/0 = Without LOG NOR= ~og Normal Distribution XCONN = Cross Connect MAINT = Maintenance XFERS = Transfers MAN= Manual XFORMER = Transformer MDP = Motor Driven Pump XIENT = Transient MN Main YR= Reactor-Year MO= Month ZION= Zion Probabilistic Safety Study 5-15
| |
| | |
| 5.2 Accident Sequence Results Table 5-3 shows the 28 core damage sequences which have a mean value greater than 1. OE- 7 and displays the corresponding statistical bounds.
| |
| Three of the sequences each contribute more than 10 percent of the total core damage frequency. Grouping the sequences by initiator shows the following contributions to the total core damage frequency.
| |
| * Station Blackout 68% (total)
| |
| Battery Depletion 27%
| |
| RCP Seal Loss or Coolant Accident 21%
| |
| Auxiliary Feedwater Failure 13%
| |
| Stuck Open Power Operated Relief Valve 6%
| |
| * Loss of Coolant Accidents 19%
| |
| * Loss of Main Feedwater 5%
| |
| * Steam Generator Tube Rupture 4%
| |
| * Anticipated Transient Without Scram 4%
| |
| The following subsections discuss each of the dominant sequences, provide a listing of the dominant cut sets, and show key events. Definitions of the associated terms have been previously provided in Table 5-2 in Section 5 .1. Accident sequences are presented in order of mean core damage frequency (GDF), with the highest frequency sequence discussed first.
| |
| 5.2.1 SBO-BATT Accident Sequences SBO-BATT and SBO-BATT2 SBO-BATT-2
| |
| : 1. 05E-5 mean GDF 4.30E-7 mean GDF 26.0% of the Total GDF 1.1% of the Total GDF These sequences represent station blackout (SBO) foll9wed by battery
| |
| * depletion. The single unit and double unit SBO were modeled as separate sequences, but are discussed here together. Both sequence3 . are initiated by a loss of offsite power (T 1 ) for greater than 1/2 hour. Failure of the two diesel generators supplying Unit 1 results in loss of all AC power at Unit 1. Failure of all three site diesel generators results in station blackout at Units 1 and 2. The loss of all AC power does not affect instrumentation at the start of the SBO. The class lE batteries initially supply power to the 120 VAC vital instrumentation power. This instrumentation is necessary to monitor plant temperature and pressure.
| |
| Long term station blackout leads to battery depletion and subsequent loss of the vital instrumentation. Station blackout results in the unavailability of the high pressure injection system (D 1 ) , the containment spray system (C), the inside spray recirculation system (F 1 ),
| |
| the outside spray recirculation system (F 2 ) , and the auxiliary feedwater motor driven pumps.
| |
| In these sequences, following station blackout, the turbine driven AFW pump successfully starts and continues to run. If AC power is not recovered, battery depletion was considered to occur after approximately 4 hours. This results in loss of all instrumentation and control power.
| |
| 5-16
| |
| | |
| Table 5-3 Surry Accident Sequence Core Damage Frequencies
| |
| * Accident % of Seguence DescriJ?tion 5% Median Mean 95% Total SBO-BATT STATION BIACKOUT (Ul) - BATTERY DEPLETION 2.4E-7 3.3E-6 l. lE-5 4.lE-5 26.0 SBO-SLOCA STATION BIACKOUT (SBO) (Ul) - RCP SEAL LOCA 0 l.OE-6 5.3E-6 2.0E-5 13.l SBO-L STATION BIACKOUT (Ul) - AFW FAILURE 7.9E-8 l.3E-6 4.7E-6 2.lE-5 11.6 SBO-SLOCA2 STATION BIACKOUT (Ul, U2) - -RCP SEAL LOCA 0 l. lE-6 3.3E-6 l.4E-5 8.2 SBO-Q STATION BIACKOUT (Ul) - STUCK OPEN PORV 9.lE-9 3.R3-7 2.2E-6 8.7E-6 5.4 S1H1 MEDIUM LOCA - RECIRCUIATION FAILURE l. lE- 7 7.7E-7 1. 7E-6 5.6E-6 4.2 V INTERFACING LOCA 3.8E-ll 4.9E-8 1. 6E-6 5.3E-6 4.0 T10nQ11 SGTR - NO DEPRESS. - SG INTEGRITY FAILS 3.4E-8 3.7E-7 1.4E-6 5.lE-6 3.5 T2LD2 LOSS OF MFW/AFW - FEED AND BLEED FAILS l.4E-8 2.0E-7 9.8E-7 2.SE-6 2.4 S1D1 MEDIUM LOCA - INJECTION FAILURE l. lE- 7 4.6E-7 8.6E-7 2.4E-6 2.1 TKRZ ATWS - UNFAVORABLE MOD. TEMP. COEFF. 6.3E-9 1. SE- 7 8.2E-7 3.2E-6 2.0
| |
| \.J1 AH1 LARGE LOCA - RECIRCUIATION FAILURE 6.3E-8 3.8E-7 8.2E-7 3.0E-6 2.0 I
| |
| I-' T2LP LOSS OF MFW/AFW - FEED AND BLEED FAILS 2.3E-8 2.6E-7 7.4E-7 2.6E-6 1.8
| |
| -...J S1Ds MEDIUM LOCA - INJECTION FAILURE 4.2E-8 2.3E-7 6.7E-7 2.2E-7 1. 7 SBO-Li SBO (Ul, U2) - AFW FAILURE 1. 7E-8 2.3E-7 6.SE-7 2.6E-6 1.6 ADs LARGE LOCA - ACCUMUIATOR FAILURE l. lE-7 4.6E-7 6.4E-7 1.8E-6 1.6 TKRD 4 ATWS - EMERGENCY BORATION FAILURE 9.SE-9 1. SE- 7 6.4E-7 2.8E-6 1.6 S3D1 VERY SMALL LOCA - INJECTION FAILURE 4.2E-8 2.7E-7 6.3E-7 2.4E-6 1.5 S2D1 SMALL LOCA - INJECTION FAILURE 4.2E-8 2.3E-7 4.4E-7 1.4E-6 1.1 SBO-BATT2 SBO (Ul, U2) - BATTERY DEPLETION 0 0 4.3E-7 1. 7E-6 1.1 SB0-Q2 SBO (Ul, U2) - STUCK OPEN PORV 1. 8E-9 5.9E-8 3.2E-7 1. 3E-6 0.8 ADs LARGE LOCA - INJECTION FAILURE 2.lE-8 1. 2E- 7 3.lE-7 l. lE-6 0.8 T7D10n SGTR - INJECTION FAILURE - NO DEPRESS 6.6E-9 7.0E-8 2.lE-7 7.7E-7 0.5 T5ALP LOSS OF DC BUS-FAIL AFW-NO FEED AND BLEED l. lE-9 2.6E-8 1. 3E- 7 4.SE-7 0.3 T58LP LOSS OF DC BUS-FAIL AFW-NO FEED AND BLEED l. lE-9 2.6E-8 1. 3E- 7 4.SE-7 0.3 T7~ SGTR - AFW FAILURE 4.8E-9 4.lE-8 l. lE- 7 3.4E-7 0.3 T70nQQs SGTR-NO DPRESS-SG INTEG FAILS, PORV FAILS 8.8E-10 2.lE-8 l. lE- 7 5.0E-7 0.3 T7KR SGTR - ATWS 3.2E-9 3.4E-8 1. OE- 7 4.0E-7 0.2 TOTAL CORE DAMAGE FREQUENCY 4.0E-5 100
| |
| * The plant can not be maintained in a stable condition indefinitely without instrumentation or control power. Consistent with NUREG/CR-3226, c4 > a time frame of approximately 3 hours- was allowed for restoration of AC power, before core uncovery would occur.
| |
| Use of a gas turbine generator located on the site was considered, but not included in the station blackout model due to the administrative controls and procedures associated with it. Relocating portable diesel generators to the site was considered as an "innovative recovery" action, but was not included in the blackout model due to the timing involved.
| |
| The SBO-BATT (single unit*blackout) sequence has the highest frequency of all of the accident sequences, accounting directly for 26. 0 percent of the total core damage frequency. The SBO-BATT sequence discussed here is actually a grouping of five individual sequences on the station blackout event tree. The commonality among the sequences is that ,core uncovery results from battery depletion. The five sequences contain other failures, which are successfully mitigated and thus do not have a bearing on the final outcome. The constituent sequences are detailed in Section 4.10. The major contributor, at 54 percent of the SBO-BATT frequency, is T15 -NR7, loss of offsite power followed by non-recovery
| |
| * of AC power at seven hours. The next highest contributor is station blackout followed by a stuck open steam generator relief valve, and non-recovery of AC power. This scenario represents 20 percent of the SBO-BATT frequency. A similar senario which, additionally, includes failure of reactor coolant pump seal cooling from Unit 2 but successful functioning of the seals, contributes 18 percent of the SBO-BATT frequency. SBO-BATT2 (two unit blackout) consists of three separate sequences which have similar scenarios.
| |
| For the SBO-BATT and SBO-BATT2 sequences, the dominant contributors are diesel generator failures and non-recovery of offsite AC power, including common cause failure of the diesel generators to start. Another prominent event in these sequences is a stuck open SG relief valve. The stuck op.en safety valve was evaluated as not having a detrimental impact on the course of the sequence. The major identifiable impact was the need for backup condensate sources.
| |
| 5.2.2 Accident Sequences SBO-SLOCA and SBO-SLOCA2 SBO-SLOCA 5.3E-6 mean CDF 13.1% of the Total CDF SBO-SLOCA2 3.3E-6 mean CDF 8.2% of the Total CDF These sequences represent station blackout with a reactor coolant puinp seal LOCA. The single unit and double unit blackout were modeled as separate sequences, but are discussed here together. Both sequences are initiate_d by a loss of offsite power (T 1 ). Failure of the two diesel generators supplying Unit 1 results in loss of all AC power at Unit 1.
| |
| Failure of all three site diesel generators results in station blackout at Units 1 and 2. Station blackout results in the unavailability of the Unit 1 high pressure injection system (D 1 ), the auxiliary feedwater motor 5-18
| |
| * driven pumps, the containment spray system (C), the inside spray
| |
| * recirculation system (F 1 ), and the outside spray recirculation system (F2)
| |
| Loss of all AC power results in a loss of seal injection flow to the reactor coolant pumps (RCPs) and a loss of component cooling water to the RCP thermal barriers. This condition results in vulnerability of the RCP seals to failure. For SBO at Unit 1 alone, seal cooling can be provided by Unit 2. Station blackout at both units fails seal cooling from Unit
| |
| : 2. The probability of the occurrence of a seal LOCA was modeled probabilistically as a function of time following total loss of seal cooling. The RCP seal LOCA model was developed through elicitation of a panel of experts and is detailed in Appendix D. The time to core uncovery following onset of a seal LOCA was a function of the leak rate, and whether or not the operator took action to depressurize the reactor.
| |
| The SBO-SLOCA and SBO-SLOCA2 sequences discussed here are actually a grouping of three individual sequences from the SBO event trees. The constituent sequences are detailed in Section 4.10. The commonality among the sequences is that core damage results from a seal LOCA with failure to restore AC Power in time to reestablish HP! flow prior to core uncovery. The individual sequences may involve other failures which are successfully mitigated and have no substantial bearing on the course of the sequence. The highest contributing sequence to SBO-SLOCA involves station blackout, followed by failure to provide seal cooling from Unit
| |
| : 2. This can be due to hardware failures or operator errors. In the two unit blackout, seal cooling from Unit 2 is not questioned. RCP seal degradation starts at 1-1/2 hours from loss of all cooling. Operator depressurization can prolong the time to core uncovery, but is generally considered to occur too late to prevent seal degradation. Failure to recover AC power in sufficient time leads to core uncovery. The next highest frequency sequence involves the same sequence, but with a stuck open steam generator (SG) power operated relief valve. As in the SBO-BATT sequences, the effect of a stuck open SG relief valve was not critical. The third contributing sequence is similar to the first one, except that depressurization of the RCS is not accomplished.
| |
| Important contributors to the seal LOCA scenarios are failure to restore AC power after seal LOCA and failure of the operator to provide seal cooling from Unit 2.
| |
| 5.2.3 Accident Sequences SBO-L and SBO-L2 SBO-L 4.7E-6 Mean CDF 11.6% of the Total CDF SBO-L2 9.0E-8 Mean CDF 1.6% of the Total CDF These sequences represent station blackout followed by failure of the auxiliary feedwater (AFW) system. The single unit and double unit blackout were modeled as separate sequences, but are discussed here together. Both sequences are initiated by a loss of offsite power (T 1 ).
| |
| Unavailability of the two diesel generators supplying Unit 1 results in
| |
| * loss of all AC power at Unit 1. Failure of all three s*ite diesel 5-19
| |
| | |
| generators results in station blackout at Units 1 and 2. Core uncovery in this sequence is caused by failure of the AFW system. Station blackout also results in the unavailability of the high pressure injection system (D 1 ), the containment spray system (C), the inside spray recirculation system (F 1 ) and the outside spray recirculation system (Fz).
| |
| These sequences involve station blackout followed by failure of the turbine driven AFW pump train. Recovery of AFW using the turbine driven pump train at Unit 2 was included. All core heat removal is unavailable after failure of AFW. For station blackout at Unit 1 alone, it was assessed that one HPI pump at Unit 2 would not be sufficient to provide feed and bleed cooling through the cross connect while at the same time provide charging flow to Unit 2. Core uncovery was estimated to occur at approximately 1 hour if AFW and HPI flow had not been restored by that time. Restoration of AC (offsite) power was required 1/2 hour prior to the time HPI could be restored. The 1/2 hour time lag was included in the recovery model to allow for restoration of plant power, intake canal water inventory, component cooling water, and other required support systems, prior to restoration of HPI flow.
| |
| The SBO-L and SBO-L2 sequences discussed here are actually a grouping of three individual sequences on the station blackout event tree. The constituent sequences are detailed in Section 4.10. The commonality among the sequences is that core damage results from failure of auxiliary feedwater. The individual sequences may involve other failures which may affect timing of recovery actions, but have no other bearing on the course of the sequence. Station blackout at Unit l, followed directly by fai.lure of AFW only accounts for 10 percent of the SBO-L frequency.
| |
| Blackout at Unit 1 followed by a stuck open steam generator (SG) relief valve plus AFW failure contributes 90 percent to the SBO-L frequency. In sequences that involved a stuck open SG relief valve, operators were required to connect the main condensate storage tank to the AFW water source. This is required in order for sufficient inventory to be available to supply the additional feed required due to faulted SG. For station blackout at Units 1 and 2, the sequence with the stuck open SG relief accounts for 60 percent of the SBO-L2 frequency.
| |
| The dominant failure mode for AFW, when a SG relief is stuck open, is failure to cross connect to the back up condensate storage tank. The dominant failure modes of the turbine driven AFW pump are the failure of the pump to initially start or unavailability of the pump due to maintenance activities.
| |
| 5.2.4 Accident Sequence V l.6E-6 Mean GDF 4.0% of the Total GDF Event V sequence is an interfacing systems LOCA which bypasses containment. The V sequence results from a failure of any one of the three pairs of check valves in series which are used to isolate the high
| |
| * pressure reactor ...:.oolant system (RCS) from the low pressure injection 5-20
| |
| | |
| system. The resultant flow into the low pressure system is assumed to
| |
| * result in failure (rupture) of the low pressure piping or components outside the containment boundary. Although core inventory makeup by the high pressure systems is initially available, inability to switch to recirculation would eventually lead to core damage. Due to the location of the postulated system failure, all containment safeguards are bypassed.
| |
| The configuration of the low pressure injection (LPI) discharge lines at Surry involves a single injection line, rated for low pressure which has an open motor operated valve (MOV) in it. Downstream of the MOV, the piping is rated for high pressure conditions. The single line divides into three lines with each going to an RCS cold leg. Each high pressure line has two check valves. Small leakage past these two valves will flow to the refueling water storage tank (RWST) through the LPI pump mini-flow recirculation lines. The most restrictive point in this path is a two-inch line. It was estimated that check valve leakage on the order of 100 gpm could be diverted to the RWST without any risk of LPI system overpressure.
| |
| The failure modes of interest for event V, are those that produce sudden, large back leakages through the two high pressure check valves in any of the three cold leg injection lines. This was postulated to occur in two ways:
| |
| A. Rupture of valve internals on both valves. "Rupture" connotes catastrophic loss of structural integrity. Rupture of both valves could occur independently or common cause failures could be postulated. Rupture of both valves would need to occur between test periods.
| |
| B. Failure of one valve to close upon repressurization, combined with rupture of the other valve. The leak test for these valves
| |
| .at Surry must be done when the reactor is in cold shutdown.
| |
| There is no assurance the valve remains closed on subsequent repressurizations or throughout the test period. If one valve sticks in the open position, the other valve is the only boundary between the high and low pressure piping. Failure of two valves to close would be detected upon startup, and was not included as a possible failure mode.
| |
| The quantification of this sequence was subject to the expert elicitation process. C40) The opinions of a panel of experts was elicited to obtain the failure probabilities and uncertainty distributions for each of these events. The results of the elicitation are presented in Reference 40.
| |
| 5.2.5 Accident Sequences SBO-Q and SBO-Q2 SBO-Q 2.2E-6 Mean CDF 5.4% of the Total CDF SBO-Q2 3.2E-7 Mean CDF 0.8% of the Total CDF
| |
| * 5-21
| |
| | |
| These sequences represent station blackout with a stuck open pressurizer PORV. The single unit and double unit SBO were modeled separately, but are discussed here together. Both sequences are initiated by a loss 'of offsite power (T 1 ) for greater than 1/2 hour. Failure of the two diesel generators supplying Unit 1 results in loss of all AC power at Unit 1.
| |
| Failure of all three site diesel generators results in station blackout at Units 1 and 2. Station blackout results in the unavailability of the high pressure injection system (D 1 ), the containment spray system (C),
| |
| the auxiliary feedwater motor driven pumps, the inside spray recirculation system (F 1 ), and the outside spray recirculation system (Fz).
| |
| These sequences involve station blackout with a stuck open pressurizer PORV, and failure to restore power in one hour. Due to the blackout condition all core coolant makeup is unavailable as are the PORV block valves. Consequently, the continued discharge of the p:i;-imary coolant would lead to core uncovery if AC power had not been restored, and the block valve had not been isolated by one hour. Restoration of AC power within 1 hour and subsequent isolation of the block valve is the dominant recovery action for these sequences.
| |
| The SBO-Q and SBO-Q2 sequences discussed here are actually a grouping of two individual sequences on the station blackout event tree. The constituent sequences are detailed in Section 4.10. The commonality among the sequences is that core damage results from a stuck open PORV with failure to restore AC power and close the block valve prior to core
| |
| * uncovery. The individual sequences involve other failures which do not have substantial bearing on the course of the sequence. The highest frequency sequence in this group is loss of offsite power followed by a stuck open RCS PORV and non-recovery of AC power within one hour. This scenario contributes 74 percent to the SBO-Q and SBO-Q2 sequences. The other scenario is station blackout with a stuck open SG and RCS PORV followed by non-recovery of AC power.
| |
| 5.2.6 Accident Sequence S 1H1
| |
| : 1. 7E-6 Mean CDF 4.2% of the Total CDF This sequence is initiated by a break in the reactor coolant system (RCS) piping in the range 2"<D<6" (S 1 ) followed by failure of the low pressure recirculation system (H 1 ).
| |
| This sequence consists of a medium loss of coolant accident (LOCA),
| |
| success of the high pressure injection system, depressurization of the primary system through the break, success of the low pressure injection system, and subsequent failure of the low pressure system in the recirculation phase. All containment heat removal systems are available but the continued heat up and boil off of primary coolant leads to core damage.
| |
| The dominant contributors to failure of low pressure recirculation are the common cause failure of the refueling water storage tank (RWST) 5-22
| |
| ... - -* - -* _,,_, .
| |
| | |
| isolation valves to close, common cause failure of the sump suction valves to open, common cause failure of the discharge isolation valves to the hot legs to open, or miscalibration of the RWST level sensors.
| |
| l.4E-6 Mean CDF 3.5% of the Total CDF l.lE-7 Mean CDF 0.3% of the Total CDF These sequences are initiated by a steam generator tube rupture (T 7 ),
| |
| followed by failure to depressurize the RCS (0 0 ) leading to loss of steam generator integrity (Q 8 ) . Subsequent failure to depressurize and limit the leakage leads to continued blowdown through the steam generator and eventual core uncovery. Additionally, the T 7 0 0 QQ8 sequence has a stuck open pressurizer PORV. The PORV is postulated to be opened in order to provide RCS pressure reduction. Its failure to close and the subsequent failure of the block valve to close result in this scenario.
| |
| An important event in this sequence is the initial failure of the operator to depressurize soon after the tube rupture. This leads to a relief valve demand in the SGs. The SG safety valve will be demanded if the power operated relief valve is blocked. Subsequent failure of the SV to rec lose leads to direct loss of RCS inventory to the atmosphere.
| |
| Demand probabilities and closure probabilities for the SG relief valves were determined through a process of expert elicitation. The results are listed in Appendix D. Failure of subsequent efforts to recover the
| |
| * sequence by RCS depressurization or isolation of the relief valve lead to RWST inventory depletion and eventual core uncovery.
| |
| 5.2.8 Accident Sequence T2LD 2 9.8E-7 Mean CDF 2.4% of the Total CDF This sequence is initiated by a loss of main feedwater (T 2 ), followed by failure of the auxiliary feedwater (AFW) system (L), and failure of feed and bleed cooling, due to failure of the high pressure injection system.
| |
| The loss of main feedwater places a demand on auxiliary feedwater to remove core decay heat. Failure of the AFW system which includes failure to cross connect AFW from Unit 2, causes a demand for feed and bleed cooling. Feed and bleed cooling fails due to operator error or hardware failures in the high pressure injection system. Success criteria, require that the HPI system be manually actuated and supply flow from one of three pumps. All containment systems would be available, however the steam generators are unavailable as a heat sink due to loss of AFW. The resultant heat up and boil off of primary coolant leads to core damage.
| |
| The dominant contributors to failure of Unit 1 AFW are undetected flow diversion to Unit 2 through the AFW cross connect or the common cause failure of all three AFW pumps due to steam binding resulting from check valve leakage. The dominant contributor to failure of AFW from Unit 2 is
| |
| * 5-23
| |
| | |
| operator error. The dominant contributor to failure of feed and bleed is the operator failure to initiate the charging system.
| |
| 5.2.9 Accident Sequence S 1 D1 8.6E-7 Mean CDF 2.1% of the Total CDF This sequence is initiated by a break in the reactor coolant system (RCS) piping in the range 2"<D<6" (S 1 ) followed by failure of the high pressure injection system (D 1 ).
| |
| This sequence involves a medium loss of coolant accident (LOCA) and failure of core coolant makeup. All containment heat removal systems are available but the continued heat up and boil off of primary coolant leads to core damage.
| |
| The dominant contributors to failure of high pressure injection are hardware failures of the check valves in the common suction and discharge line of all three injection pumps, common cause loss of flow through strainers in the charging pump cooling service water lines, or common cause failure of the MOVs in the HPI suction and discharge lines.
| |
| 5.2.10 Accident Sequence TKRZ 8.2E-7 Mean CDF 2.0% of the Total CDF This sequence is initiated by a transient from high power (T), followed by a failure of the reactor protection system (RPS) to automatically scram the reactor (K), failure of the operator to manually scram the reactor (R), and the presence of an unfavorable moderator temperature coefficient (Z).
| |
| This sequence is initiated by a high power transient and failure of the RPS to scram the reactor. Manual reactor scram fails due to operator error or much more likely, physical failures of the* control rods or drives which prevent their insertion. The presence of an unfavorable moderator temperature coefficient (MTC) will cause a severe primary system pressure rise which is assumed to result in failure of the reactor coolant boundary integrity. "Unfavorable" MTC is defined as sufficient to cause the pressure rise to exceed service level C stress limits of the HPI injection valves. This was considered to cause plastic deformation and loss of operability. Inability to provide coolant injection leads to core damage.
| |
| 5.2.11 Accident Sequence AH 1 8.2E-7 Mean CDF 2.0% of the Total CDF This sequence is initiated by a break in the reactor coolant system (RCS) piping in the range 6"<D<29", and is followed by failure of the low pressure recirculation system (H 1 ).
| |
| 5-24
| |
| * This sequence involves a large loss of coolant accident (LOCA), success
| |
| * of the low pressure injection system, and subsequent failure of pressure system in the recirculation phase. All containment heat systems are available but the continued heat up and boil off of leads to core damage.
| |
| the low removal coolant The dominant contributors to failure of low pressure recirculation are the common cause failure of the refueling water storage tank (RWST) isolation valves to close, common cause failure of the sump suction valves to open, common cause failure of the discharge isolation valves to the hot legs to open, or miscalibration of the RWST level sensors.
| |
| 5.2.12 Accident Sequence T2LP 7.4E-7 Mean CDF 1.9% of the Total CDF This sequence is initiated by a loss of main feedwater (T 2 ), followed by failure of the auxiliary feedwater (AFW) system (L), and failure of feed and bleed cooling due to insufficient opening of the power operated relief valves (PORVs).
| |
| The loss of main feedwater initiator places a demand on auxiliary feedwater to remove core decay heat. Failure of the AFW system, including failure of the cross connect from Unit 2, causes a demand for feed and bleed cooling. Injection flow is available in this sequence, but various failures prevent one of the two PORVs from opening. Success criteria requires that two PORVs open for successful feed and bleed. All containment systems would be available, however the steam generators are unavailable as a heat sink due to loss of AFW. The resultant heat up and eventual boil off of the primary coolant leads to core damage.
| |
| The dominant contributors to AFW failure are undetected flow diversion to Unit 2 through the AFW cross connect, or the common cause failure of all three AFW pumps due to steam binding resulting from check valve leakage.
| |
| The dominant contributor to failure of AFW cross connect from Unit 2 is operator error. The dominant contributor to failure of feed and bleed is operator failure to open the PORVs, closely followed by mechanical failures of the PORV block valves and PORVs.
| |
| 5.2.13 Accident Sequence S1D6 6.7E-7 Mean CDF 1.7% of the Total CDF This sequence is initiated by a leak in the reactor coolant system piping in the range of 2 "<D<6" and is followed by failure of the low pressure injection system (D 6 ).
| |
| This sequence involves a medium loss of coolant accident (LOCA) and subsequent failure of the low pressure injection system. All containment heat removal systems are available, but the continued heat up and boil off of coolant leads to core damage. The dominant contributors to
| |
| * failure of low pressure injection are common cause failure of the LP!
| |
| 5-25
| |
| | |
| pumps to start or plugging of the normally open LP! injection valve (MOV-1890C).
| |
| 5.2.14 Accident Sequence AD 5 6.4E-7 Mean CDF 1.6% of the Total CDF This sequence involves a large loss of coolant accident (LOCA) followed by failure of the accumulators (D 5 ). All other systems are operable.
| |
| Failure of the accumulators to provide borated makeup wa.ter leads to core damage. The dominant contributors are plugging of any of the motor operated isolation valves C1865B, 1865C) in the intact loops.
| |
| 5.2.15 Accident Sequence TKRD 4 6.4E-7 Mean CDF 1.6% of the Total CDF This sequence is initiated by a transient requiring reactor scram (T),
| |
| followed by a failure of the reactor protection system (RPS) to automatically scram the reactor (K), failure of the operator to manually scram the reactor (R), and failure of emergency boration using the boric acid transfer pumps and the charging pumps (D 4 ) .
| |
| This sequence is initiated by a transient requiring scram and failure of the RPS to scram the reactor. In addition, manual reactor scram fails due to either operator error or much more likely, physical failure of the
| |
| * control rods or drives which prevent their insertion. The dominant contributor to failure of emergency boration is failure of flow through the PORVs due to the block valves being shut and failing to open.
| |
| 5.2.16 Accident Sequence S3 D1 6.3E-7 Mean CDF 1.5% of the Total CDF This sequence is initiated by a very small loss of coolant accident (LOCA) (less than 1/2" equivalent diameter) followed by failure of high pressure injection (D 1 ).
| |
| The dominant contributors to this sequence are common cause failure of MOV-1867C and MOV-1867D in the HP! discharge line, and failure to recover by the use of alternate injection path through MOV-1842. Failure of MOV-1115B and MOV-1115D in the suction line also contribute significantly.
| |
| Surry is better equipped to mitigate very small LOCAs than some plants due to the ability to cross connect high pressure injection (HP!) from Unit 2 and the refueling water storage tank (RWST) from Unit 2. Core damage frequency from all S3 initiators is less than predicted by previous studies due to the current understanding and expectation that very small LOCAs will not result in actuation of the containment spray system. This minimizes the probability that RWST depletion will result in the need for ECCS recirculation.
| |
| 5-26
| |
| * 5.2.17 Accident Sequence S2D1 4.4E-7 Mean GDF 1.1% of the Total GDF This sequence is initiated by a break in the reactor coolant system piping in the range l/2"<D<2" (S 2 ) , followed by failure of the high pressure injection system (D 1 ).
| |
| This sequence is initiated by a small loss of coolant accident (LOCA) and failure of core coolant makeup. All containment heat removal systems are available but the continued heat up and boil off of primary coolant leads to core damage. The dominant contributors to failure of high pressure injection are hardware failures of the check valves in the common suction and discharge line of all three charging pumps, common cause loss of flow through strainers in the charging pump cooling service water lines, or common cause failure of the MOVs in the HPI discharge line.
| |
| 5.2.18 Accident Sequence AD 6 3.lE-7 Mean GDF 0.8% of the Total GDF This sequence is initiated by a break in the reactor coolant system piping in the range of 6"<D<29", followed by failure of the low pressure injection system (D 6 ) .
| |
| * This sequence involves a large loss of coolant accident and subsequent failure of 'the low pressure injection system (LPI). All containment heat removal systems are available but the continued heat up and boil off of coolant leads to core damage. The dominant contributors to failure of low pressure injection are common cause failure of the LPI pumps to start or plugging of the normally open LPI discharge valve (MOV-1890C).
| |
| 2.lE-7 Mean GDF 0.5% of the Total GDF This sequence is initiated by a steam generator tube rupture (T 7 ) ,
| |
| followed by failure of high pressure injection (D 1 ), and failure to depressurize the RCS (00 ) in order to terminate the breakflow.
| |
| The dominant contributors to this sequence are the common cause failure of the HP! discharge valves MOV-1867C and MOV-1867D or the common cause failure of the HPI suction valves isolating the RWST, MOV-1115B and MOV-1115D.
| |
| 5.2.20 Accident Sequences T5ALP and T5BLP 1.3E-7 Mean GDF 0.3% of the Total GDF 1.3E-7 Mean GDF 0.3% of the Total GDF These sequences are initiated by the loss of a DC bus (TsA, T5B), followed
| |
| * by failure of the auxiliary feedwater (AFW) system (L) , and* failure of 5-27
| |
| | |
| feed and bleed cooling due to insufficient opening of the power operated relief valves (PORVs).
| |
| The loss of DC bus initiator leads to the unavailability of the main feedwater and condensate system. This places a demand on auxiliary feedwater to remove core decay heat. Failure of the AFW' system, including failure of the cross connect from Unit 2, causes a demand for feed and bleed cooling. As the initiator fails one of the two PORVs, feed and bleed is not possible. Success criteria requires that two PORVs be opened for feed and bleed cooling. All containment systems would be available, however, the steam generators are unavailable as a heat sink due to loss of AFW'. The resultant heat up and eventual boil off of the primary coolant leads to core damage.
| |
| The dominant contributors to AFW' failure are undetected flow diversion to Unit 2 through the AFW' cross connect, or the common cause failure of all three AFW' pumps due to steam binding resulting from check valve leakage.
| |
| The dominant contributor to failure of the AFW' cross connect from Unit 2 is operator error.
| |
| 5.2.21 Accident Sequence T7 L3 1.lE-7 Mean CDF 0.3% of the Total CDF This sequence is initiated by a steam generator tube rupture (T 7 )
| |
| * followed by failure of the auxiliary feedwater system (L3 ) . Feed and bleed cooling is not considered a viable method of core cooling due to the existing tube rupture. Feed and bleed cooling requires sustained high pressure in the primary which is not compatible with the mitigation requirements for steam generator tube rupture. Failure to recover feed flow will lead to core uncovery.
| |
| The dominant contributors to AFW failure are the undetected flow diversion to Unit 2 through the AFW' cross connect or common cause failure of all three AFW' pumps due to steam binding resulting from check valve leakage.
| |
| 5.2.22 Accident Sequence T7KR
| |
| : 1. OE- 7 Mean GDF 0.2% of the Total CDF This sequence is initiated by a steam generator tube rupture (T 7 ) ,
| |
| followed by failure of the reactor protection system (K), and failure of the operator to manually scram the reactor (R).
| |
| Failure to trip the reactor (either automatically or manually) causes the pressure in the reactor coolant system to increase, possibly resulting in the rupture of additional steam generator tubes and an increase in the flow from the RCS to the secondary coolant system. The ATWS induced pressure increase in the primary is counter productive to the RCS depressurization which is required to mitigate tube rupture. Because of the complexity of this sequence, and the limited analytical data 5-28
| |
| | |
| available to support evaluation, steam generator tube rupture with failure to scram was categorized as a core damage sequence.
| |
| 5.3 Plant Damage State Group Results The development of plant damage states has been previously discussed in Section 4.5. The frequency of each plant damage state was calculated as described in Section 4 .11. The mapping of the dominant accident sequences into plant damage state groups is shown in Table 5-4. Table 5-5 shows the plant damage state groups, mean frequencies and the corresponding statistical bounds.
| |
| The following subsections characterize the plant damage state groups, identify the sequences contributing to them, and list the dominant contributors. A complete listing of the descriptive statistics, im-portance measures, and cut sets is provided in Appendix E for all plant damage state groups.
| |
| 5.3.1 Plant Damage State Group 1 2.2E-5 Mean CDF 54.6% of the Total CDF Plant damage state 1 is characterized by long term station blackout sequences resulting in late core damage without any containment systems available. There are three types of accident sequences in this plant damage state, all initiated by station blackout. They are station blackout followed by battery depletion (SBO-BATT, SBO-BATT2); station blackout followed by an RCP seal LOCA (SBO-SLOCA, SBO-SLOCA2), and station blackout followed by a stuck open PORV (SBO-Q, SBO-Q2). Each is discussed separately below.
| |
| The station blackout battery depletion sequences contribute to 49. 6% of this plant damage state and 27 .1 percent of the total core damage frequency. Using the event tree nomenclature, the sequences which dominate the battery depletion portion of this plant damage state are:
| |
| T1su1 -NR7 31% of PDS 1 T1su1-QS-NR7 11% of PDS 1 These sequences are grouped in the SBO-BATT sequence category. They represent station blackout events at Unit 1 with seal cooling provided from Unit 2. Battery depletion at 4 h.ours causes loss of vital instrumentation needed to control AFW' and monitor plant parameters.
| |
| These sequences result in the unavailability of emergency core cooling systems (ECCS) injection, ECCS recirculation, and containment heat removal systems. These systems are recoverable if AC power is restored.
| |
| Prior to battery depletion, auxiliary feedwater is supplied by the turbine driven pump. The reactor coolant system is cooled down and depressurized during the sequence. Reactor coolant pump seal cooling is provided from Unit 2.
| |
| 5-29
| |
| | |
| Table 5-4 Surry Dominant Accident Sequences Included in Each Plant Damage State Percent Contribution Plant Damage State A~cident Sequences To PDS To Total CDF PDS-1 Long Term Blackout SBO-BATT 47.6 26.0 SBO-SLOCA 24.0 13.1 SBO-SLOCA2 15.0 8.2 SBO-Q 9.9 5.4 SBO-BATT2 2.0 1.1 SBO-Q2 1.5 .8 PDS-2 Loss of Coolant S1H1 28.5 4.2 Accident S1D1 14.3 2.1 AH1 13.6 2.0 S1Ds 11.6 1. 7 AD 5 10.9 1. 6 S3D1 10.2 1.5 SzD1 7.5 1.1 AD 6 3.4 0.8 PDS-3 Short Term Blackout SBO-L 87.9 11.6 SBO-L2 12.1 1. 6 PDS-4 V Event V 100.0 4.0 PDS-5 Transients T2LD2 50.0 2.4 T2LP 37.4 1. 8 T5ALP 6.3 0.3 T5BLP 6.3 0.3 5-30
| |
| * Table 5.4 (Cont'd)
| |
| Surry Dominant Accident Sequences Included in Each Plant Damage State Percent Contribution Plant Damage State Accident Sequences To PDS To Total GDF PDS-6 ATWS TKRZ 52.6 2.0 TKRD 4 42.1 1. 6 T7KR 5.3 0.2 PDS-7 SGTR T700Qs 76.1 3.5 T7D10o 10.9 0.5 T7L3 6.5 0.3 T70oQQ 6.5 0.3
| |
| *
| |
| * 5-31
| |
| | |
| Plant damage state 1 also includes RCP seal LOCA sequences with failure to recover AC power prior to core uncovery. Containment systems are unavailable. Using the event tree nomenclature, the sequences which dominate the RCP seal LOCA portion of this plant damage state are:
| |
| T1su1-W2-NRSL 16% of PDS 1 T1su2-NRSL 11% of PDS 1 T1su1 -QS-W2 -NRSL 7% of PDS 1 T1su2-QS -W2 -NRSL 4% of PDS 1 The subscript on the initiating event portion of the identifier specifies whether the initiator is station blackout at Unit 1 alone (T 15u1) or SBO at both units (T 15u2). The sequences are grouped in the SBO-SLOCA and SBO-SLOCA2 sequence categories. They represent station blackout with loss of all seal cooling. In the single unit blackout, seal cooling from Unit 2 fails due to operator error and hardware faults. In the two unit blackout, unavailability of AC power fails seal cooling from both units.
| |
| Auxiliary feedwater is supplied by the turbine driven pump. Reactor coolant pump seal failure occurs between 1-1/2 and 2-1/2 hours from loss of cooling. Failure to recover AC power in the allowable time
| |
| ( 2 hours) leads to core uncovery. These sequences result in the unavailability of ECCS injection, ECCS recirculation, and containment heat removal systems. These systems are recoverable if AC power is restored.
| |
| Plant damage state 1 also includes accident sequences with station blackout followed by a stuck open pressurizer PORV, and failure to recover AC power within one hour. Using the event tree nomenclature, the sequences which dominate this plant damage state are:
| |
| T1su1 -Q-NRl 8% of PDS 1 T1su1 -Q-QS-NRl 3% of PDS 1 T1su2-Q-NRl 2% of PDS 1 T15u1 is a single unit blackout and T15u2 is a dual unit blackout. These sequences are grouped in the SBO-Q and SBO-Q2 categories respectively.
| |
| These sequences result in the unavailability of ECCS injection, ECCS recirculation, and containment heat removal systems. These systems are recoverable when AC power is restored. Auxiliary feedwater is available throughout the sequence from the turbine driven pump.
| |
| 5.3.2 Plant Damage State Group 2 6.0E-6 Mean CDF 14.7% of the Total CDF Plant damage state 2 is characterized by loss of coolant accidents followed by failure of coolant injection or recirculation systems. Eight dominant accident sequences contribute to this plant damage state, as shown below.
| |
| 5-32
| |
| * Of these eight sequences, there are three general types of sequences .
| |
| These are a loss of coolant accident followed by failure of coolant injection systems (D 1 , D6 ) ; LOCA followed by failure of coolant recirculation systems (H 1 ); and LOCA followed by accumulator failure (Ds).
| |
| In the sequence with ECCS failure in the injection mode, the contents of the refueling water storage tank are injected into the containment by the containment spray system. This provides sump inventory for operation of the containment heat removal systems.
| |
| In the sequences with ECCS failure in the recirculation mode, the coolant injection phase of the accident sequence is successful, but the recirculation phase fails. The contents of the RWST are injected into containment and allow successful operation of all containment systems.
| |
| In the one sequence involving accumulator failure (AD 5 ) , the other EGGS systems are successful. The contents of the RWST are injected into the containment and the containment systems are operable. Failure of the accumulators to provide borated makeup water leads to core damage.
| |
| 5.3.3 Plant Damage State Group 3 5.4E-6 Mean GDF 13.3% of the Total GDF Plant damage state 3 is characterized by station blackout with loss of all feedwater. Using the event tree nomenclature, the sequences which dominate this plant damage state are:
| |
| T1su1-QS-L 78% of PDS 3 T1su2-QS-L 10% of PDS 3 T1su 1-L 7% of PDS 3 T1su 2 -L 5% of PDS 3 T 18u1 and T18u2 represent single unit and dual unit blackout respectively.
| |
| These sequences are included in the SBO-L and SBO-L2 sequence categories.
| |
| These sequences consist of station blackout events followed by auxiliary feedwater failure. Some sequences also include faulted steam generators or stuck open pressurizer PORVs. These
| |
| * sequences result in the unavailability of ECGS injection, EGGS recirculation, and containment heat removal systems.
| |
| 5.3.4 Plant Damage State Group 4
| |
| : 1. 6E-6 Mean CDF 4.0% of the Total GDF Plant damage state 4 is comprised entirely of interfacing loss of coolant accidents. Only one sequence contributes to this plant damage state,
| |
| * 5-33
| |
| | |
| sequence V. This sequence is caused by a rupture of the two check valves in series, which provide the boundary between the reactor coolant system and the low pressure ECCS. Overpressurization of the low pressure injection system results in a rupture of that system causing a LOCA outside of the containment.
| |
| 5.3.5 Plant Damage State Group 5 2.lE-6 Mean CDF 4.8% of the Total CDF Plant damage state 5 consists. of transient initiated accident sequences followed by complete loss of core cooling. The initiating event is either a loss of main feedwater or a loss of a DC bus. The initiator is followed by a loss of AFW and a failure to provide feed and bleed core cooling. All containment systems are successful in this plant damage state. This plant damage state is dominated by the followin~ sequences:
| |
| T2LD2 50% of PDS 5 T2 LP 37% of PDS 5 TsALP 6.5% of PDS 5 TsBLP 6.5% of PDS 5 5.3.6 Plant Damage State Group 6
| |
| : 1. 6E-6 Mean CDF 3.8% of the Total CDF Plant damage state 6 is composed of anticipated transients without scram (ATWS) A transient initiating event is followed by failure of the automatic reactor protection system and the manual scram system to shutdown the reactor. This plant damage state is comprised of the following accident sequences.
| |
| 53% of PDS 6 42% of PDS 6 5% of PDS 6 5.3.7 Plant Damage State Group 7
| |
| : 1. SE-6 Mean CDF 4.8% of the Total CDF Plant damage state 7 consists of steam generator tube rupture accident sequences. Plant damage state 7 is dominated by a steam generator tube rupture followed by failure to depressurize the reactor coolant system leading to a loss of steam generator integrity. All containment systems are operable, but are bypassed as coolant flows into the faulted SG and then outside of the containment boundary. The contents of the refueling water storage tank (RWST) are injected into the RCS, but flow through the faulted SG rather than into the containment. The accident sequence that dominates this plant damage state is T7 0 0 Q5
| |
| * Other contributors are T 7D10 0 , T7L3 , and T 70 0QQ 8
| |
| * 5-34
| |
| | |
| 5.4 Importance Measures In addition to the uncertainty analysis presented in Sections 5.1 through
| |
| : 5. 3, an event importance analysis was done on the comprehensive core damage model. In this analysis, the relative importance of each basic event, with respect to three measures, was calculated. These three measures are risk reduction, risk increase, and uncertainty importance.
| |
| Each of these measures was evaluated for the comprehensive core damage model (total CDF), each accident sequence, and each plant damage state grouping. The complete results can be found in Appendix E. The importance measures for the comprehensive core damage model are discussed here in the results section. Definitions for the three importance measures used are given below:
| |
| Importance Measures Risk Reduction A measure of how much the core damage frequency is reduced, given that a specific event is assumed to be totally reliable (probability of failure= 0). A large value indicates that a significant reduction in the core damage frequency is possible by improving the reliability associated with that event.
| |
| Risk Increase A measure of how much the core damage frequency is increased, given that specific event is assumed to occur (probability of failure =
| |
| 1.0). Opposite of risk reduction, a large effect indicates the importance of maintaining the reliability of the specific event and not letting it get worse.
| |
| Uncertainty/Importance A measure of how much the uncertainty in the core damage frequency is affected by the uncertainty associated with a specific event.
| |
| The larger the measure, the more the uncertainty in the results is driven by the uncertainty in the value of the specific event.
| |
| 5_*35
| |
| | |
| The top twenty events in terms of importance are shown in Tables 5- 6, 5 - 7, and 5- 8. Additional events importance measures are shown in Appendix E. This table shows the top events for each type of importance measure. The table shows the event, the number of cut sets in which it occurs, its mean probability value, and risk reduction measure. The risk reduction figure is the absolute amount by which core damage frequency is reduced, if the event in question has a probability of zero (i.e., never happened). The risk reduction rank, as well as the upper and lower bounds of the risk reduction value are shown. Note that a lower bound value of zero for risk reduction means that it is possible that no risk reduction occurs at all. Risk reduction is provided for basic events and separately for initiating events. Definitions of the events found in these tables are given in Table 5-2.
| |
| The most important event for risk reduction is related to the unavailability of diesel generator number 1. DG #l is favored over DG
| |
| #3, because DG #3 is a swing diesel. The electrical model for loss of offsite power aligns DG3 to* Unit 2 in the event that DG2 has failed.
| |
| Therefore, in order to make DG3 more available to Unit 1, the reliability of DG2 must be improved in addition to the reliability of DG3.
| |
| Therefore, DGl ranks as the highest single importance event. The other events of high importance are all involved with station blackout sequences. This is not surprising, recognizing that SBO is the dominant type of core damage sequence.
| |
| Similar information is given for risk increase measures. Risk increase measures are not calculated for initiating events, because these events have annual frequencies rather than probabilities. Risk increase is calculated by setting event probability equal to 1. 0, this being the maximum upper bound for an event probability. There is no basis for setting an initiating event frequency to 1.0, because their frequencies may be greater than 1.0 per year.
| |
| The dominant event for risk increase is failure of the reactor protection system, followed by unavailability of the RWST. The meaning of risk increase can be thought of as the resulting core damage frequency if the component or system is not provided (i.e., has failure probability of
| |
| : 1. 0). The reactor protection system has the highest risk increase measure, followed by the RWST and then three individual failures, which fail the entire AFW system.
| |
| Uncertainty importance is calculated in a different manner than risk reduction or risk increase. To assess uncertainty importance, an uncertainty calculation is made, holding the value of a particular event constant. The uncertainty bounds of the calculation are compared to the uncertainty bounds when all parameters are considered random variable.
| |
| The uncertainty importance shows that the diesel generators contribute the most to the overall statistical uncertainty.
| |
| 5-36
| |
| | |
| Surry Total Core Damage Model Table 5 Surry Risk Reduction Impo ant Events Risk Reduction by Base Event (with associated uncertainty intervals)
| |
| * Risk Base Event occur Prob, (Rank) Reduction (Rank) Lower 51 Upper 51 OEP-DGN-FS-DG01 725 2.20E-02 (79.5) 8.22E-06 ( 3.0) 2.38E-07 4.38E-05 NRAC-711R 966 5.00E-02 (80.0) 8.04E-06 ( 4.0) 2.84E-07 R.26E-05 REC-XHE-FO-DGHWB 159 8.00E-01 (14.5) 8.90E-06 ( 6.0) 2.16E-07 3.66E-05 REC-XHE-FO-DGHWS 1407 8.00E-01 (11.0) 5.98E-06 ( 7.0) O.OOE+OO 2.97E-05 REC-XHE-FO-DGEN 382 9.00E-01 ( 8.0) 5.88E-06 ( 8.0) 1.21E-07 2.67E-05 RCP-LOCA-750-90M 262 5.30E-01 (18.0) 5.20E-06 ( 9.0 O.OOE+OO 3.16E-05 NRAC-216M 200 1. 38E-01 (41. 0) 5.00E-06 (10.0) O.OOE+OO 2.99E-05 OEP-DGN-F8 299 2.20E-02 (79.5) 4.88E-06 (11.0) 2.08E-07 1.82E-05 OEP-DGN-F8-DG02 521 2.20E-02 (79.5) 4.38E-06 (12.0) 1.31E-07 2.36E-05 OEP-DGN-F8-DG03 526 2.20E-02 (79.5) 4.38E-06 (13. 0) 1. 32E-07 2.36E-05 NRAC-lHR 157 4.40E-01 (21. 0) 4.24E-06 (14.0) 5.39E-08 2.15E-05 OEP-DGN-FR-8HDG1 639 1.20E-02 (91.0) 4.08E-06 (15.0) 2.80E-08 2.97E-05 QS-SBO 2435 2.70E.01 (28.5) 3.04E-06 (17.0) 5.45E-08 1. 75E-05 Vl (43.0) 2.89E-06 (18.0) 3.71E-08 1.61E-05 I REC-XHE-FO-SCOOL 597 1.26E-01 w BETA-2MOV 25 8.80E-02 (48.0) 2.72E-06 (19.0)
| |
| * l.08E-07 8.72E-08
| |
| -..J BETA-3DG 59 1.80E-02 (83.0) 2.66E-06 (20.0) 7.41E-08 1.08E-05 OEP-DGN-FR-8HDG3 467 1. 20E-02 (91.0) 2.32E-06 (21.0) 1. 58E-08 1.87E-05 BBO-PORV-DMD 128 4.SOE-01 (20.0) 2.27E-08 (22.0) 1.17E-08 9.56E-06 BETA-2DG 271 3.80E-02 (89.0) 2.25E-08 (23.0) 8.69E-08 8.32E-08 OEP-DGN-FR-8HDG2 458 1. 20E-02 (91.0) 2.09E-08 (25.0) 1.48E-08 1.48E-05 Init. Event IE-Tl 2463 7.70E-02 ( 4.0) 2.02E-05 ( 1.0) 9.09E-07 1.12E-04 IE-Sl 57 1.00E-03 ( 9.5) 3.31E-06 ( 2.0) 3.58E-07 9.73E-06 IE-A 49 5.00E-04 (11.0) 2.lOE-06 ( 3.0) 2.80E-07 5.49E-06 IE-T7 39 1.00E-02 ( 6.0) 1. 92E-06 ( 4.0) 1.42E-07 6.12E-06 IE-T2 65 9.40E-01 ( 3.0) 1.48E-06 ( 5.0) 4.82E-08 4.88E-06 IE-lN 1 5.90E+OO ( 2.0) 8.43E-07 ( 6.0) 6.29E-09 3.16E-06 IE-S3 20 1.30E-02 ( 5;0) 6.39E-07 ( 7.0) 4.24E-08 2.35E-06 IE-T 14 6.60E+OO ( 1.0) 5.65E-07 ( 8.0) 9.48E-09 2.82E-06 IE-S2 13 1. OOE-03 ( 9.5) 4.33E-07 ( 9.0) 4.35E-08 1.39E-06 IE-V-TRAIN-3 1 4.00E-07 (13.0) 4.00E-07 (11.0) 1.27E-11 1.82E-06 IE-V-TRAIN-2 1 4.00E-07 (13.0) 4.00E-07 (11.0) 1.27E-11 1. 82E-06 IV-V-TRAIN-1 1 4.00E-07 (13.0) 4.00E-07 (11.0) 1.27E-ll 1. 82E-06 IE-15B 25 5.00E-03 ( 7.5) l.38E-07 (13.5) 1.20E-09 4.52E-07 IE-15A 25 5-.00E-03 ( 7.5) 1. 38E-07 (13.5) 1. 20E-09 4.52E-07
| |
| | |
| Table 5-7 Surry Risk Increase Important Events Surry Risk Total Core Damage Model Risk Increase by Base Event (with associated uncertainty intervals)
| |
| Risk Base Event Occur Prob. (Rank) Increase (Rank) Lower 5% Upper 5%
| |
| K 18 6.00E-05 (195.0) 2.52E-02 ( 1. 0) l.45E-03 9.56E-02 RWT-TNK-LF-RWST 5 2.70E-06 (207.0) 1. 95E-02 ( 2.0) 7.93E-03 3.88E-02 AFW-PSF-FC-XCONN 25 1. 50E-04 (178.0) 5.83E-03 ( 3.0) 4.48E-04 1. 89E-02 AFW-CCF-LK-STMBD 21 1. OOE-04 (181. 5) 5.82E-03 ( 4.0) 4.48E-04 1. 88E-02 AFW-TNK-VF-CST 3 1.00E-08 (208.0) 2.78E-03 ( 5.0) l.4~E-04 1. OOE-02 HPI-CKV-FT-CV225 5 1. OOE-04 (181. 5) 2.lOE-03 ( 6.0) 8. 68E-'04 4.13E-03 HPI-CKV-FT-CV25 5 1.00E-04 (181.5) 2.06E-03 ( 7.5) 7.31E-04 4.36E-03 HPI-CKV-FT-CV410 5 1. OOE-04 (181. 5) 2.08E-03 ( 7.5) 7.31E-04 4.38E-03 Vl
| |
| * HPI-XVM-PG-XV24 4 4.00E-05 (199.5) 2.06E-03 ( 9.0) 7.13E-04 4.35E-03 I LPR-CCF-PG-SUMP 5 5.00E-05 (198.0) 1. 55E-03 (10.0) 8.08E-04 w 3.05E-03 (X)
| |
| LPR-XHE-FO-HOTLG 2 4.00E-05 (172.0) 1. 50E-03 (11. 0) 5.89E-04 2.98E-03 RMT-CCF-FA-MSCAL 2 3.00E-04 (172.0) 1. 50E-03 (12.0) 5.89E-04 2.98E-03 LPI-MOV-PG-1890C 2 4.40E-04 (170.0) 1. 50E-03 (13.0) 5.89E-04 2.98E-03 IAS-CCF-LF-INAIR 3 2.70E-05 (205.0) 1. 38E-03 (14.0) 1. 59E-04 4.35E-03 ACC-CKV-FT-CV130 1 1.00E-04 (181.5) 5.00E-04 (16.5) 1. 33E-04 1. 20E-03 ACC-CKV-FT-CV128 1 1. OOE-04 (181. 5) 5.00E-04 (16.5) 1. 33E-04 1. 20E-03 ACC-CKV-FT-CV145 1 1.00E-04 (181.5) 5.00E-04 (16.5) 1. 33E-04 1. 20E-03 ACC-CKV-FT-CV147 1 l.OOE-04 (181. 5) 5.00E-04 (16.5) 1. 33E-04 1. 20E-03 ACC-MOV-PG-1865B 1 6.50E-04 (182.5) 5.00E-04 (19.5) 1. 33E-04 1. 20E-03 ACC-MOV-PG-1865C 1 6.50E-04 (182.5) 5.00E-04 (19.?,) 1. 33E-04 1. 20E-03
| |
| *
| |
| * Surry Total Core Damage Model Uncertainty Importance by Base Event Surry Uncertaint*
| |
| ble 5-8 rtance Important Events
| |
| *
| |
| % Reduction In The Uncertainty Base Event ~ Prob. (Rank) of Lo15 Risk (Rank) Y.05£TE.05* Y.95£TE.95*
| |
| OEP-DGN-FS 299 2.20E-02 ( 79.5) 20.7 2.5) 1.23 0.75 OEP-DGN-FS-DG02 521 2.20E-02 ( 79.5) 20.7 2.5) 1.23 0.75 OEP-DGN-FS-DGOl 725 2.20E-02 ( 79.5) 20.7 2.5) 1.23 0.75 OEP-DGN-FS-DG03 526 2.20E-02 79.5) 20.7 2.5) 1.23 0.75 OEP-DGN-FR-DG02 14 2.00E-03 (136.5) 18.9 8.0) 1.00 1.00 OEP-DGN-FR-DG03 12 2.00E-03 (136.5) 18.9 8.0) 1.00 1.00 OEP-DGN-FR-DG01 23 2.00E-03 (136. 5) 18.9 8.0) 1.00 1.00 OEP-DGN-FR-8HDG1 639 1.20E-02 ( 91. 0) 18.9 9.0) 1.14 0.80 OEP-DGN-FR-8HDG3 467 1.20E-02 C 91. 0) 18.9 9.0) 1.14 0.80 OEP-DGN-FR-8HDG2 458 1.20E-02 ( 91.0) 18.9 ( 9.0) 1.14 0.80 NRAC-7HR 988 5.00E-02 C 60.0) 5.4 C11. 0) 1.04 0.99 NRAC-201M 62 1.50E-Ol C 38.5) 5.1 (12.0) 1. 00 1.00 NRAC-216M 200 1.38E-Ol C 41.0) 5.0 (13.0) 1.01 0.99 NRAC-234M 82 1.23E-Ol C 44.0) 5.0 (14.0) 1.00 1.00 NRAC-258M 200 1.08E-Ol ( 47.0) 4.9 (15.0) 1.00 1.00 NRAC-246M 262 1.15E-Ol C 46.0) 4.9 (16.0) 1.00 1.00 V, NRAC-HALFHR 182 6.00E-01 ( 14.5) 4.9 (17.0) 1.01 1.00 I NRAC-lHR 4.40-01 4.9 (18.0) 1.01 0.99 uJ 157 C 21. 0)
| |
| \0 NRAC-150M 262 2.lOE-01 C 32.5) 4.7 (19.0) 1.00 1.00 z 1 1.40E-02 C 87.5) 4.4 (20.0 1.04 0.99
| |
| !nit. Event IE-Tl 2463 7.70E-02 4.0) 12.8 1.0) 1.19 0.99 IE-V-TRAIN-3 1 4.00E-07 13.0) 4.5 3.0) 1.16 1.00 IE-V-TRAIN-1 1 4.00-07 13.0) 4.5 3.0) 1.16 1.00 IE-V-TRAIN-2 1 4.00-07 13.0) 4.5 3.0) 1.16 1.00 IE-Sl 57 1.00E-03 9.5) 0.8 5.0) 1.04 0.99 IE-A 49 5.00-04 11.0) 0.7 6.0) 1.06 1.01 IE-TN 1* 5.90+00 2.0) 0.6 7.0) 1.01 1.01 IE-T 14 6.60E+OO 1.0) 0.4 8.0)
| |
| IE-T7 39 1.00E-02 6.0) 0.4 C 9.0)
| |
| IE-T2 65 9.40E-Ol 3.0) o.o (12.0)
| |
| IE-S2 13 1. 00-03 9.5) a.a (12.0)
| |
| IE-T5B 25 5.00E-03 7.5) a.a (12.0)
| |
| IE-T5A 25 5.00-03 7.5) 0.0 (12.0)
| |
| IE-S3 20 1.30E-02 5.0) a.a (12.0)
| |
| *Y.xx is the .xx quantile of the top event frequency when the event is held constant at ITS mean value.
| |
| TE.xx is the .xx quantile of the top event frequency when the event is not held constant.
| |
| | |
| 5.5 Comparison of Results With WASH-1400 This section compares the results of this study with the Surry results of the Reactor Safety Study (RSS) (WASH-1400). C2> A comparison of the results of these studies must recognize the differencies in PRA state-of-the-art, as well as specific changes at Surry. In the thirteen years between WASH-1400 and this study, the Surry plant design as well as the industry's understanding of reactor operation and safety issues have changed. A comparison of dominant contributors to core damage frequency between these two studies should be balanced bi a knowledge of the differences in plant design, study methodology, and success criteria.
| |
| The first comparison to be made is on the basis of total core damage frequency. WASH-1400 calculated a total core damage frequency of 4.4E-5 per year. This study calculated 4.0E-5 per year. The frequency value used in WASH-1400 is a point estimate, based on propagation of median values for basic events, while the frequency value used in this study is the sampled mean of a distribution. The mean values for core damage frequency in the RSS would be somewhat higher than the values stated here. Many plant and procedural modifications have been made at Surry since the RSS. These contribute to the reduction in frequency
| |
| * of comparable WASH-1400 sequences to l.7E-5. However, this study predicts a core damage frequency of 1. OE-5 due to seal LOCAs and steam generator tube rupture which were not included in the WASH-1400 analysis. In addition, an expanded station blackout analysis resulted in identifying battery depletion and PORV sequences not included in WASH-1400, which account for a core damage frequency of L4E-5 per year.
| |
| Table 5-9 presents a comparison of WASH-1400 core damage frequencies with frequencies of event groups in the current study.
| |
| When comparing such frequencies, emphasis should be placed on examining the variation of the individual contributors. The frequency of core damage due to LOCAs in this study are significantly lower than in WASH-1400. In the 13 years since the Reactor Safety Study was performed, the improved understanding of core thermal hydraulics has led to less severe emergency core cooling system success criteria for LOCAs, and qetter procedures and operator training have led to lower human error probabilities for LOCA scenarios. Also, some of the frequency reduction between this study and the Reactor Safety Study can be attributed to the addition of an automatic sump recirculation transfer system.
| |
| Transients are a small contributor to core damage frequency in this study. This category represents turbine/reactor trips with and without main feedwater followed by the subsequent loss of all core heat removal.
| |
| The next category of comparison is loss of offsite power events. This category is distinguished from station blackout by having AC power available to at least one electrical division. For both studies, this accident category involves loss of auxiliary feedwater, leading to loss of core cooling. NUREG-4550 allowed the use of feed and bleed cooling as 5-40
| |
| *
| |
| * Table 5-9 Comparison of Core Damage Frequencies by Event Type Core Damage Frequency (/yr)
| |
| Event Type NUREG/CR-4550 WASH-1400 LOCA 6.0E-6 2.9E-5 Transient 2.0E-6 lE-7 Loss of Offsite Power <l0-7 6E-6 Station Blackout 2.7E-5 3E-6 ATWS 1. 6E-6 4E-6 Interfacing LOCA 1. 6E-6 4E-6 Steam Generator Tube Rupture 1. BE-6 NA 4.0E-5 4.6E-5 an alternative method of core cooling, while the Reactor Safety Study did not. Thus the substantially lower contribution in this study.
| |
| Station blackout sequences were prominent in both studies. Station blackout is defined as loss of all AC power at a unit. The Reactor Safety Study examined only auxiliary feedwater availability in its station blackout model. Consequently, the frequency is lower than for NUREG-4550, for which the station blackout models included issues of battery depletion, reactor coolant pump seal LOCA, and stuck open relief valves. Probabilities for non-recovery of offsite power were much more rigorously calculated in this study, and resulted in higher non-recovery probabilities.
| |
| The frequencies of core damage due to ATWS are similar for both studies.
| |
| NUREG-4550 used much lower probabilities for human error than did the Reactor Safety Study and used higher frequencies for initiating transients. However, NUREG-4550 developed more comprehensive success criteria for ATWS, including requirements for turbine trip and favorable moderator temperature coefficients.
| |
| The frequencies of interfacing LOCAs were lower for this study. NUREG-4550 and the Reactor Safety Study analyzed the same configuration and postulated the same failure modes but used significantly different test periods for quantification. During the time between the performance of the* Reactor Safety Study and this study, the valve test frequency was 5-41
| |
| * reduced from 5 years to approximately 1 year. In addition, this study postulated common cause failure of check valves, which were a significant contributor to core damage frequency.
| |
| Another notable change from the WASH-*1400 results is the decreased importance of containment systems in the core damage sequences. Success criteria for containment systems for this study were based on updated analyses, which resulted in fewer constraints and dependencies of the ECCS on containment system performance.
| |
| * 5-42
| |
| | |
| ==6.0 CONCLUSION==
| |
| S One of the major purposes of the Surry analysis was to provide an updated perspective on our understanding of the risks from the plant relative to the results of the WASH-1400 analysis. It has been determined that changes to the plant design and its procedures, the evolution of Probabilistic Risk Assessment (PRA) methodology, and an increasing under-standing of severe accidents have all had an impact on the perspectives on the dominant risks for Surry.
| |
| This study concludes that station blackout (loss of all AC power) accidents are the dominant contributors to core damage. They account for approximately two-thirds of the total core damage frequency. This result is due to certain features of the Surry electric power systems, which are discussed below, and may not be applicable to other plants. The station blackout analysis for this study was much more rigorous than that of WASH-1400. All aspects of electric power modeling, plant response modeling, and development of event probabilities have been significantly improved over those used in WASH-1400. The higher* frequencies for station blackout are considered a more accurate assessment of the event than previous analyses.
| |
| Loss of coolant accidents inside containment are the second most dominant accident group, accounting for approximately one-seventh of total core damage frequency. The prominence of this accident group is greatly reduced over the results of WASH-1400, which was completed in 1975. This is due to three factors: a) improved operator procedures and training which direct operator intervention to mitigate the event at an early stage and which provide direction for coping with subsequent system failures, b) the installation of several cross ties between the two Surry units which provides back-up systems to cope with emergency core cooling system failures, and c) improved understanding and knowledge of containment systems performance, which has led to less constraining success criteria for containment systems. As with the station blackout conclusions, some of these impr.ovements are specific to the Surry plant and may not be applicable to other PWRs.
| |
| Loss of coolant accidents in interfacing systems outside of containment represent a*moderate contribution to core damage, at four percent of the total, but are important contributors to risk because they may represent a direct release path to the environment. The understanding of these events is relatively unchanged since WASH-1400. In the ensuing years, the calculated frequency has been reduced due to more frequent check valve test intervals, and recently increased due to the inclusion of common cause failures in the quantification.
| |
| Anticipated transients without scram (ATWS) contribute approximately four percent to total core damage frequency. Their frequency has been reduced from that calculated in WASH-1400, due in part to equipment modifications required by the ATWS Rulemaking and by improved procedures and operator training for this event .
| |
| * 6-1
| |
| | |
| Steam generator tube rupture (SGTR) also accounts for approximately four
| |
| * percent of core damage frequency. This event was not analyzed in WASH-1400.
| |
| 6.1 Plant-Specific Conclusions As stated above, the core damage frequency is dominated by station blackout events. There are many individual contributors to these events, and it is not possible to identify a single issue or event which drives the frequency calculations. The individual contributions are discussed below.
| |
| The frequency of loss of offsite power at Surry was calculated to be 7.7E-2 per year. This is better than average for U.S. nuclear plants, but is higher than expected if only the Surry specific experience of zero failures in 15 years were considered. The calculation includes experience from other plants with switchyard configurations similar to Surry, but which have experienced failures of off site power. The calculation of probabilities for non-recovery of offsite power are also based on experience at other plants with similar switchyard configurations. Since probabilities for loss and non-recovery of offsite power appear in every station blackout cut set, reduction of thes_e probabilities could have an important effect on core damage frequency.
| |
| Events for diesel generator failure are also in each and every blackout sequence cut set. The probability for diesel failure to start was calculated from plant specific data to be 2. 2E-2/demand. This value is
| |
| * also slightly better than average for U.S. nuclear plants. The electric power configuration at Surry, however, provides three diesels for a two-unit site. This offers reduced redundancy compared to most other nuclear plants and tends to increase the probability of station blackout occurrence. The AC power availability reduction resulting from the swing diesel configuration is overcome to a significant extent by the provision of cross ties between the charging systems and auxiliary feedwater systems at both units.
| |
| Alternative sources of AC power at the Surry site were not included in the station blackout models. A gas turbine generator is at the Surry site, but current supporting systems and administrative procedures preclude its use during a station blackout.
| |
| The plant response to station blackout at Surry is similar to that of other PWRs. The dominant type of blackout sequence represents core uncovery due to long term battery depletion. The battery depletion time was assessed to be 4 hours (see Reference 40), which is typical for PWRs.
| |
| The next most dominant sequence is the reactor coolant pump seal LOCA sequence. A generic model for Westinghouse reactor coolant pumps was developed in reference 40 and used in this study. It predicts a significant probability of severe seal degradation, starting at 1 1/2 hours from loss of seal cooling. Core uncovery is predicted to occur about 2 hours after onset of seal failure, unless AC power is restored and safety injection is provided within that time.
| |
| 6-2
| |
| | |
| Examination of the contributors to loss of coolant accidents provides insights regarding the Surry plant. LOCA-induced core damage frequency for this study was significantly reduced over that of WASH-1400, particularly for the small LOCA events. This occurred in spite of a tenfold increase in the small LOCA initiating event frequency. Plant modifications occurring since WASH-1400, which allow for cross tie of the high pressure safety injection systems, auxiliary feedwater systems, and refueling water storage tanks at each unit contributed significantly to this reduction in frequency. In addition, Surry has a three tier system of emergency procedures which provide explicit instruction to utilize these cross ties. The Technical Specifications for the cross tied systems address component operability based on the operational status of both units, thus ensuring availability to the other unit even though the primary unit's status does not require it. The system cross ties available at Surry provide a reliable alternative for recovery of system failures.
| |
| 6.2 Accident Sequence Conclusions As previously noted, there are twenty-eight accident sequences in the Surry core damage model. These sequences are listed in Table 5-2 in section 5.0 of this report. The number of sequences in a PRA model and their relative size is strongly influenced by the PRA methodology utilized and the level of detail of the analysis. Discussion of sequence numbers and frequencies in an absolute sense is not particularly useful, but the relative contribution of various types of sequences for a
| |
| * specific plant can provide insight into the types of accident scenarios which are important at that plant.
| |
| As discussed earlier, the Surry units are provided with cross-tie capability between the AFWs, HPis, and RWSTs at each unit. These cross ties provide a recovery potential which is not available at many other plants. The sequence profile reflects the importance of these cross ties.
| |
| The highest single sequence is long term station blackout at Unit 1, leading to battery depletion and consequently loss of instrumentation and control power. As this sequence represents a blackout at Unit 1, with power available at Unit 2, reactor coolant pump seal cooling can be provided by the Unit 2 charging system, via the HPI cross tie. Thus, the risk of seal failure is averted, and the battery depletion scenario dominates.
| |
| The next highest sequence represents the seal failure scenario during station blackout. This sequence represents a single unit blackout with failure to provide seal cooling via the cross tie. This can be due to equipment failure or operator error. Without cooling, the seals are at risk early in the sequence. Seal failure is predicted to occur between 1 1/2 to 2 1/2 hours. If AC power is not restored in an additional two hours, core uncovery occurs. The fourth most dominant sequence repre-sents the same scenario except that the sequence is a two-unit blackout, and seal cooling is unavailable due to loss of AC power at Unit 2 .
| |
| * 6-3
| |
| | |
| The other two prominent blackout sequences represent early (initial) failures of the auxiliary feedwater system or failure of the pressurizer PORVs to reclose after opening. Failure to restore AC power within a limited time leads to core uncovery.
| |
| Examining the twenty sequences below lE-6 indicates that long term sequences (which allow time for recovery) are not represented at all.
| |
| ~pecifically, there are no sequences representing small breaks with failure of ECCS recirculatlon. This is due to two considerations.
| |
| First, emergency operating procedures direct operator intervention in a small break to cooldown and depressurize the reactor coolant system, thus minimizing the break flow.
| |
| * Secondly, the system cross ties enable the operators to recover from system failures.
| |
| The LOCA sequences which do contribute to the core damage model are the large breaks with failures in both injection and recirculation, and small breaks with failures in injection. The common aspect of.these accident categories is that they are fast moving sequences, happening early in time to the initiator, thus leaving little time for operator intervention or recovery.
| |
| r~o types of transient sequences are prominent; loss of all feedwater and ATWS sequences. Loss of feedwater at Surry is probably lower than at most plants, due to the AFW cross tie. The ATWS sequences are short and fast acting, leaving little time for recovery.
| |
| * 6_. 3 Uncertainty Considerations
| |
| ~e process of developing a probabilistic model of a nuclear power plant involves the combination of many individual events (initiators, hardw~re failures, operator errors, etc.) into accident sequences and eventually into an estimate of the total frequency of core damage. After development, such a model also can be used to assess the importance of the individual events. The sequence cut set models supporting this study have been analyzed using several importance measures. The results of the l;lnalyses using an uncertainty importance measure are summarized below.
| |
| For this measure, the relative contribution of the uncertainty of t~dividual events to the uncertainty in total core damage frequency is calculated. Using this measure, the following events were found to be most important:
| |
| * Diesel generator fail to start
| |
| * Diesel generator fail to run for six hours
| |
| * Loss of offsite power initiating event
| |
| * Interfacing LOCA
| |
| * Unfavorable moderator temperature co-efficient during ATWS
| |
| * Non recovery of offsite AC power after initial loss 6.4 Comparison to Reactor Safety Study In the thirteen years between the Reactor Safety Study (WASH-1400) analysis of Surry and the present study, both the Surry plant 6-4
| |
| *
| |
| * configuration and the understanding of reactor operation and safety have changed. WASH-1400 calculated a total core damage frequency from internal events of 4.4E-5. This study calculated a total core damage frequency from internal events of 4. OE-5. It should be noted when comparing the two that the WASH-1400 value for core damage frequency is a point estimate, based on the sum of individual sequence median values, while this study's value is the calculated mean of a distribution. The modifications in plant configuration at Surry reduce the frequency of comparable WASH-1400 sequences to 1. 7E-5, but consideration of seal LOGAs, steam generator tube rupture, and more detailed evaluation of station blackout, combine to increase the total core damage frequency to
| |
| : 4. OE- 5. Some of the significant differences and similarities between this study and WASH-1400 are presented below:
| |
| * Reactor coolant pump seal LOGAs during station blackout are important in the present study, but not in WASH-1400.
| |
| * Station blackout followed by loss of AFW were important in both studies.
| |
| * ATWS sequences are not directly comparable due to increased knowledge of ATWS phenomenology, different probabilities for failure to scram, and different perceptions about operator error rates in ATWS situations.
| |
| *
| |
| * Understanding of interfacing LOGAs is relatively unchanged, while the frequency is slightly reduced. A reduction in the event frequency, due to increased valve testing frequency, was countered by inclusion of dependent failures in the quantification.
| |
| * The LOCA sequences followed by failure of EGGS systems are significantly lower in the present study than WASH-1400.
| |
| * The enhanced understanding of containment cooling phenomena and containment failure scenarios used in this study led to a significantly reduced dependence on containment cooling systems for the prevention of core damage.
| |
| 6.5 Other Insights Throughout the performance of a PRA, it is common to identify component interactions and dependencies which were previously unexpected. One such insight is discussed below.
| |
| The station blackout analysis revealed a unique interactive dependency which leads to an unexpectedly high probability of a non-isolable faulted steam generator during blackout. Were this series of events to occur, they would not prevent the ability to provide steam generator heat remove!, but would require additional actions to stabilize the AFW
| |
| * 6-5
| |
| | |
| supply, and may act as a precursor to AFW failure, and generally could add to the stress level and complexity of the event.
| |
| The interactive dependency is manifested during station blackout, because all power is lost to both the steam generator level control valves and the steam generator atmospheric relief valves. The level control valves are located inside containment, are powered from a 480 VAC bus, are normally open, and fail open on loss of power. The atmospheric relief valves are powered from a semi-vital bus which loses all power upon station blackout. Thus, during a blackout, steam relief will be through the steam generator safety valves until such time as flow paths to the condenser can be established via manual local valve line-ups. This was estimated to be accomplished shortly after one hour. During this time, it was estimated that each SRV would open every 20 minutes, for a total of nine openings. This number of openings gives a relatively high probability of failure to reclose. Should the safety valve fail to reclose, it is not isolable, and will lead to an uncontrolled blowdown of that steam generator. The feedwater supply to that SG is not isolable either, because the level control valves fail open.
| |
| Entrance into containment to manually close the valves would be very difficult during a blackout. Consequently, no credit was allowed in the analysis. The AFW configuration at Surry is such that the level control valves represent the only way to isolate auxiliary feedwater to a single steam generator. Thus, under these conditions, the faulted SG would continue to be fed and continue to blowdown.
| |
| This event does not prevent the ability to provide steam generator heat removal. However, it is an undesirable event which would add to the complexity of steam generator feed control, possibly increasing the probability of feed flow failure due to human error, lack of condensate, or possible phenomenological considerations.
| |
| 6-6
| |
| *
| |
| * 7.0 1.
| |
| 2.
| |
| REFERENCES Reactor Risk Reference Document, NUREG-1150, U.S. Nuclear Regulatory Commission, 1987.
| |
| Reactor Safety Study. An Assessment of Accident Risks in U.S.
| |
| Commercial Nuclear Power Plants, U.S. Nuclear Regulatory Commission, published as WASH-1400, 1975.
| |
| : 3. Harper , F . T . , et al . , ""A""n""a:,:l,.,,y_.s""i:.:s,.__""'o-=f'--C=o=r-=e'--'D=-=a=m=a"-g"'e'--F=-=r=e""g..::uo=e:.:an~c""'y,__-=f'-"r,_,o"-=m Internal Events: Methodology Guidelines, NUREG/CR-4550, SAND86-2084, Vol. 1, Sandia National Laboratories, July 1987.
| |
| : 4. Kolaczkowski, A. M. and A. C. Payne, Station Blackout Accident Analysis, NUREG/CR-3226, SAND82-2450, Sandia National Laboratories, May 1983.
| |
| : 5. Categorization of Reactor Safety Issues from a Risk Perspective, NUREG-1115, U.S. Nuclear Regulatory Commission, March 1985.
| |
| : 6. Selby, D. L., et al., Pressurized Thermal Shock Evaluation of H.B.
| |
| Robinson Unit 2 Nuclear Power Plant, NUREG/CR-4183, Oak Ridge National Laboratory, Oak Ridge, Tennessee, September 1985.
| |
| : 7. Oconee PRA. A Probabilistic Risk Assessment of Oconee Unit 3, NSAC-
| |
| * 8.
| |
| 9.
| |
| 60, Electric Power Research Institute, June 1984.
| |
| Zion Probabilistic Safety Study, Commonwealth Edison Company, 1981.
| |
| Seabrook Station Probabilistic Safety Assessment, PLG-0300; Pickard, Lowe and Garrick, Inc., Irvine, CA, December 1983.
| |
| : 10. Millstone Unit 3 Probabilistic Safety Study, Northeast Utilities Company, August 1983.
| |
| : 11. Indian Point Probabilistic Safety Study, Power Authority of the State of New York and Consolidated Edison Co., 1982.
| |
| : 12. Mackowiak, D. P., et al., Development of Initiating Event Frequencies for Use in Probabilistic Risk Assessments, NUREG/CR-3862, EG&G Idaho Inc., May 1985.
| |
| : 13. Iman, R. L. and S. C. Hora, Modeling Time to Recovery and Initiating Event Frequency for Loss of Off-Site Power Incidents at Nuclear Power Plants, NUREG/CR-5032, SAND87-2428, January 1988.
| |
| : 14. Carlson, D. D., Interim Reliability Evaluation Program Procedures Guide, NUREG/CR-2728, SAND82-1100, Sandia National Laboratories, January 1983.
| |
| : 15. IEEE Guide to the Collection and Presentation of Electrical,
| |
| * Electronic, Sensing Component and Mechanical Equipment Reliability Data for Nuclear Power Generating Stations, IEEE-Std-1984, IEEE, New York, N. Y., 1983.
| |
| 7-1
| |
| | |
| 16.
| |
| 17.
| |
| Benjamin, A., et al., Evaluation of Severe Accident Risks and the Potential for Risk Reduction:
| |
| February l987.
| |
| Surry Power Station. Unit 1, NUREG/CR-4551, SAND86-1309, Volume 1, Sandia National Laboratories, Gieske, J. A., et al., Radionuclide Release Under Specific LWR
| |
| * Accident Conditions, Volume V, PWR-Large Dry Containment Designs, BMI-2104, Volume V, Battelle Columbus Laboratories, July 1984.
| |
| : 18. Kolb, .G. J., et al., Interim Reliability Evaluation Program:
| |
| Analysis of the ANO-Unit 1 Nuclear Power Plant, NUREG/CR-2787, SAND82-0978, Sandia National Laboratories, June 1982.
| |
| : 19. Payne, A. C. , et al. , Interim Reliability Evaluation Program:
| |
| Analysis of the Calvert Cliffs Unit-1 Nuclear Power Plant, NUREG/CR-3511, SAND83'-2086, Sandia National Laboratories, August.1984.
| |
| : 20. Wood, D. C. and C. L. Gottshall, Probabilistic Analysis and Operational Data in Response to NUREG-0737, WCAP 9804, Westinghouse Electric Corp., Pittsburgh, PA, February 1981.
| |
| : 21. Unused.
| |
| : 22. Boardman, T., Leak Rate Analysis of the Westinghouse Reactor Coolant
| |
| * Pump, NUREG/CR-4294, Energy Technology Engineering Center, Canoga Park, CA, July 1985.
| |
| : 23. Unused.
| |
| : 24. Generic Implications of ATWS Events at the Salem Nuclear Power Plant, NUREG-1000, U. S. Nuclear Regulatory Commission, April 1983.
| |
| : 25. Fleming, K. N., et al., Classification and Analysis of Reactor Operating Experience Involving Dependent Events, EPRI-NP-3967, Electric Power Research Institute, June 1985.
| |
| : 26. Unused.
| |
| : 27. Swain, A. D., Accident Sequence Evaluation Program Human Reliability Analysis Procedure, NUREG/CR-4772, SAND86-1996, Sandia National Laboratories, February 1987.
| |
| : 28. Anticipated Transients Without Scram for Light Water Reactors, NUREG-0460, U. S. Nuclear Regulatory Commission, April 1978.
| |
| : 29. Westinghouse Anticipated Transients Without Trip Analysis, WCAP-8330, Westinghouse Electric Corp., Pittsburgh, PA, August 1974.
| |
| : 30. Transmittal, Dircks, W. J., to NRG Commissioners, Amendment to 10CFR50 Related to ATWS Events, SECY-83-293, U. S. Nuclear
| |
| * Regulatory Commission, July 19, 1983.
| |
| 7-2
| |
| | |
| *
| |
| : 31. Utility Group of ATWS Comments to 46 Fed. Reg. 57, 521 (1981),
| |
| submitted to Secretary of the U. S. NRC, by hand, April 23, 1982.
| |
| : 32. McClymont, A. S. and B. W. Poehlman, Loss of Offsite Power at Nuclear Power Plants: Data and Analysis, EPRI-NP-2301, Electric Power Research Institute, Palo Alto, CA, March 1982.
| |
| : 33. Kittmer, C. A., et al., Reactor Coolant Pump Shaft Seal Behavior During Station Blackout, NUREG/CR-4077, EG&G Idaho Inc., April 1985;
| |
| : 34. Fletcher, C. D. , Accident Mitigation Following a Small Break with Coincident Failure of Charging and High Pressure Injection for the Westinghouse Zion PWR, EGG-CAAD-5428, EG&G Idaho Inc., April 1981.
| |
| : 35. Battle, R. E. , Emergency Diesel Generator Operating Experience.
| |
| 1981-1983, NUREG/CR-4347, Oak Ridge National Laboratory, Oak Ridge Tennessee, Dece~ber 1985.
| |
| : 36. Swain, A. D. and H. E. Guttmann, Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, NUREG/CR-1278, SAND80-0200, Sandia National Laboratories, Albuquerque, New Mexico, August 1985.
| |
| : 37. Wright, R. E., Steverson, J. A. and W. F. Suroff, Pipe Break Frequency Estimation for Nuclear Power Plants, NUREG/CR-4407, EG&G Idaho, Inc., May 1987.
| |
| : 38. Mosleh, A., et al., Procedures for Treating Common Cause Failures in Safety and Reliability Studies, NUREG/CR-4780, Volume 1, Electric Power Research Institute, Palo Alto, California, January 1988.
| |
| : 39. Azarm, M. A., Boccio, J. L. and S. Mitra, The Impact of Mechanical and Maintenance Induced Failures of Main Reactor Coolant Pump Seals on Plant Safety, NUREG/CR-4400, Brookhaven National Laboratory, Upton, New York, December 1985.
| |
| : 40. Wheeler, T. A. , Analysis of Core Damage Frequency from Internal Events: Expert Judgment Elicitation, NUREG/CR-4550, SAND86-2084, Volume* 2, Revision 1, Sandia National Laboratories, April 1989.
| |
| : 41. Kastenburg, W. E., et al., Findings of the Peer Review Panel on the Draft Reactor Risk Reference Document NUREG-1150, NUREG/CR-5113, Lawrence Livermore National Laboratory, Livermore, California, May 1988.
| |
| : 42. Initial Report of the Special Committee on Reactor Risk Reference Document (NUREG-1150), American Nuclear Society, April 1988.
| |
| : 43. Iman, R. L. and M. J. Shortencarier, A FORTRAN 77 Program and User's Guide for the Generation of Latin Hypercube and Random Samples for Use with Computer Models, NUREG/CR'- 3624, SAND83- 2365, Sandia National Laboratories, March 1984.
| |
| 7-3
| |
| : 44. Iman, R. L. and M. J. Shortencarier, A User's Guide to the Top Event Matrix Analysis Code (TEMAC), NUREG/CR-4598, SAND86-0960, Sandia National Laboratories, August 1986.
| |
| : 45. Analysis of Pressure Vessel Statistics from Fossil-Fueled Power Plant Service and Assessment of Reactor Vessel Reliability in Nuclear Power Plant Service, WASH-1318, U. S. Atomic Energy Commission, 1974.
| |
| 46; Unused.
| |
| : 47. Pelto, P. J., et al., Reliability Analysis of Containment Isolation Systems, NUREG/CR-4220, Pacific Northwest Laboratory, Richland, Washington, June 1985.
| |
| : 48. Serkiz, A. W., Technical Findings and Regulatory Analysis for Generic Safety Issue II.E.4.3. "Containment Integrity Check," NUREG-1273, U.S. Nuclear Regulatory Commission, April 1988.
| |
| : 49. Worrell, R. B., SETS Reference Manual, NUREG/CR-4213, SAND83-2675, Sandia National Laboratories, May 1985.
| |
| 7-4
| |
| | |
| DISTRIBUTION:
| |
| * Frank Abbey U. K. Atomic Energy Authority Wigshaw Lane, Culcheth Warrington, Cheshire, WA3 4NE ENGLAND Agustin Alonso University Politecnica De Madrid J Gutierrez Abascal, 2 28006 Madrid SPAIN Kiyoharu Abe Christopher Amos Department of Reactor Safety Science Applications International Research Corporation Nuclear Safety Research Center 2109 Air Park Road SE ToKai Research Establishment Albuquerque, NM 87106 JAERI Tokai-mura, Naga-gun Richard C. Anoba Ibaraki-ken, Project Engr., Corp. Nuclear Safety JAPAN Carolina Power and Light Co.
| |
| P. 0. Box 1551 Ulvi Adalioglu Raleigh, NC 27602 Nuclear Engineering Division Cekmece Nuclear Research and George Apostolakis Training Centre UCLA P.K.1, Havaalani Boelter Hall, Room 5532 Istanbul Los Angeles, CA 90024 TURKEY James W. Ashkar
| |
| * Bharat Agrawal USNRC-RES/AEB MS : NL/N - 344 Kiyoto Aizawa Safety Research Group Boston Edison Company 800 Boylston Street Boston, MA 02199 Donald H. Ashton Bechtel Power Corporation Reactor Research and Development 15740 Shady Grove Road Project Gaithersburg, MD 20877 PNC 9-13m 1-Chome Akasaka J. de Assuncao Mina tu-Ku Cabinete de Proteccao e Seguranca Tokyo Nuclear JAPAN Secretario de Estado de Energia Ministerio da Industria Oguz Akalin av. da Republica, 45-6° Ontario Hydro 1000.Lisbon 700 University Avenue PORTUGAL Toronto, Ontario CANADA MSG 1X6 Mark Averett Florida Power Corporation David Aldrich P.O. Box 14042 Science Applications International St. Petersburg, FL 33733 Corporation 1710 Goodridge Drive Raymond O. Bagley McLean, VA 22102 Northeast Utilities
| |
| * P.O. Box 270 Hartford, CT 06141-0270 Dist-1
| |
| | |
| Juan Bagues Kenneth S. Baskin Consejo de Seguridad Nucleare S. California Edison Company Sarangela de la Cruz 3 P.O. Box 800 28020 Madrid Rosemead, CA 91770 SPAIN J. Basselier George F. Bailey Belgonucleaire SA Washington Public Power Supply Rue du Champ de Mars 25, B-1050 System Brussels P. 0. Box 968 BELGIUM Richland, YA 99352 Werner Bastl H. Bairiot Gesellschaft Fur Reaktorsicherheit Belgonucleaire SA Forschungsgelande Rue de Champ de Mars 25 D-8046 Garching B-1050 Brussels FEDERAL REPUBLIC OF GERMANY BELGIUM Anton Bayer Louis Baker BGA/ISH/ZDB Reactor Analysis and Safety Postfach 1108 Division D-8042 Neuherberg Building 207 FEDERAL REPUBLIC OF GERMANY Argonne National Laboratory 9700 South Cass Avenue Ronald Bayer Argonne, IL 60439 Virginia Electric Power Co.
| |
| P. 0. Box 26666 H-P. Balfanz TUV-Norddeutschland Grosse Bahnstrasse 31, 2000 Hamburg 54 FEDERAL REPUBLIC OF GERMANY Richmond, VA 23261 Eric S. Beckjord Director USNRC-RES MS: NL/S-007
| |
| * Patrick Baranowsky USNRC-NRR/OEAB Bruce B. Beckley MS: llE-22 Public Service Company P.O. Box 330 H. Bargmann Manchester, NH 03105 Dept. de Mecanique Inst. de Machines Hydrauliques William Beckner et de Mecaniques des Fluides USNRC-RES/SAIB Ecole Polytechnique de Lausanne MS: NL/S-324 CH-1003 Lausanne M.E. (ECUBLENS) Robert M. Bernero CH. 1015 Lausanne Director SWITZERLAND USNRC-NMSS MS: 6A-4 Robert A. Bari Brookhaven National Laboratory Ronald Berryman [2]
| |
| Building 130 Virginia Electric Power Co.
| |
| Upton, NY 11973 P. 0. Box 26666 Richmond, VA 23261 Richard Barrett USNRC-NRR/PRAB MS: lOA-2 Dist-2
| |
| | |
| Robert C. Bertucio Gary J. Boyd NUS Corporation Safety and Reliability Optimization 1301 S. Central Ave, Suite 202 Services Kent, WA 98032 9724 Kingston Pike, Suite 102 Knoxville, TN 37922 John H. Bickel EG&G Idaho Robert J. Breen P.O. Box 1625 Electric Power Research Institute Idaho Falls, ID 83415 3412 Hillview Avenue Palo Alto, CA 94303 Peter Bieniarz Risk Management Association Charles Brinkman 2309 Dietz Farin Road, NW Combustion Engineering Albuquerque, NM 87107 7910 Woodmont Avenue Bethesda, MD 20814 Adolf Birkhofer Gesellschaft Fur Reaktorsicherheit K. J. Brinkmann Forschungsgelande Netherlands Energy Res. Fdtn.
| |
| D-8046 Garching P.O. Box 1 FEDERAL REPUBLIC OF GERMANY 1755ZG Petten NH NETHERLANDS Jrunes Blackburn Illinois Dept. of Nuclear Safety Allan R. Brown 1035 Outer Park Drive Manager, Nuclear Systems and Springfield, IL 62704 Safety Department Ontario Hydro Dennis C. Bley 700 University Ave.
| |
| Pickard, Lowe & Garrick, Inc. Toronto, Ontario M5GlX6 2260 University Drive CANADA Newport Beach, CA 92660 Robert G. Brown Roger M. Blond TENERA L.P.
| |
| Science Applications Int. Corp. 1340 Saratoga-Sunnyvale Rd.
| |
| 20030 Century Blvd., Suite 201 Suite 206 Germantown, MD 20874 San Jose, CA 95129 Simon Board Sharon Brown Central Electricity Generating EI Services Board 1851 So. Central Place, Suite 201 Technology and Planning Research Kent, WA 98031 Division Berkeley Nuclear Laboratory Ben Buchbinder Berkeley Gloucestershire, GL139PB NASA, Code QS UNITED KINGDOM 600 Maryland Ave. SW Washington, DC 20546 Mario V. Bonace Northeast Utilities Service Company R.H. Buchholz P.O. Box 270 Nutech Hartford, CT 06101 6835 Via Del Oro San Jose, CA 95119
| |
| * Dist-3
| |
| | |
| Robert J. Budnitz Annick Carnino Future Resources Associates 734 Alameda Berkeley, CA 94707 Gary R. Burdick USNRC-RES/DSR Electricite de France 32 Rue de Monceau 8EME Paris, F5008 FRANCE G. Caropreso
| |
| * MS : NL/S - 007 Dept. for Envir. Protect. & Hlth.
| |
| ENEA Cre Casaccia Arthur J. Buslik Via Anguillarese, 301 USNRC-RES/PRAB 00100 Roma MS: NL/S-372 ITALY M. Bustraan James C. Carter, III Netherlands Energy Res. Fdtn. TENERA L.P.
| |
| P.O. Box 1 Advantage Place 17552G Petten NH 308 North Peters Road NETHERLANDS Suite 280 Knoxville, TN 37922 Nigel E. Buttery Central Electricity Generating Eric Cazzoli Board Brookhaven National Laboratory Booths Hall Building 130 Chelford Road, Knutsford Upton, NY 11973 Cheshire, WA168QG UNITED KINGDOM John G. Cesare Jose I. Calvo Molins Probabilistic Safety Analysis Group Consejo de Seguridad Nuclear Sor Angela de la Cruz 3, Pl. 6 SERI Director Nuclear Licensing 5360 I-55 North Jackson, MS 39211 S. Chakraborty
| |
| * 28020 Madrid Radiation Protection Section SPAIN Div. De La Securite Des Inst. Nuc.
| |
| 5303 Wurenlingen J. F. Campbell SWITZERLAND Nuclear Installations Inspectorate St. Peters House Sen-I Chang Balliol Road, Bootle Institute of Nuclear Energy Merseyside, L20 3LZ Research UNITED KINGDOM P.O. Box 3 Lungtan, 325 Kenneth S. Canady TAIWAN Duke Power Company 422 S. Church Street J. R. Chapman Charlotte, NC 28217 Yankee Atomic Electric Company 1671 Worcester Road Lennart Carlsson Framingham, MA 01701 IAEA A-1400 Wagramerstrasse 5 Robert F. Christie P.O. Box 100 Tennessee Valley Authority
| |
| * Vienna, 22 400 W. Summit Hill Avenue, Wl0D190 AUSTRIA Knoxville, TN 37902 Dist-4
| |
| * T. Cianciolo Mat Crawford BWR Assistant Director SERI ENEA DISP TX612167 ENEUR 5360 I-55 North Rome Jackson, MS 39211 ITALY Michael C. Cullingford Thomas Cochran Nuclear Safety Division Natural Resources Defense Council IAEA 1350 New York Ave. NW, Suite 300 Wagramerstrasse, 5 Washington, D.C. 20005 P.O. Box 100 A-1400 Vienna Frank Coffman AUSTRIA USNRC-RES/HFB MS: NL/N-316 Garth Cummings Lawrence Livermore Laboratory Larry Conradi L-91, Box 808 NUS Corporation Livermore, CA 94526 16835 W. Bernardo Drive Suite 202 Mark A. Cunningham San Diego, CA 92127 USNRC-RES/PRAB MS: NL/S-372 Peter Cooper U.K. Atomic Energy Authority James J . Curry Wigshaw Lane, Culcheth 7135 Salem Park Circle Warrington, Cheshire, WA3 4NE Mechanicsburg, PA 17055 UNITED KINGDOM Peter Cybulskis C. Allin Cornell Battelle Columbus Division 110 Coquito Way 505 King Avenue Portola Valley, CA 94025 Columbus, OH 43201 Michael Corradini Peter R. Davis University of Wisconsin PRD Consulting 1500 Johnson Drive 1935 Sabin Drive Madison, WI 53706 Idaho Falls, ID 83401 E. R. Carran Jose E. DeCarlos Nuclear Technology Division Consejo de Seguridad Nuclear ANSTO Research Establishment Sor Angela de la Cruz 3, Pl. 8 Lucas Heights Research Laboratories 28016 Madrid Private Mail Bag 7 SPAIN Menai, NSW 2234 AUSTRALIA M. Marc Decreton Department Technologie James Costello CEN/SCK USNRC-RES/SSEB Boeretang 200 MS: NL/S-217A B-2400 Mal BELGIUM George R. Crane 1570 E. Hobble Creek Dr. Richard S. Denning Springville, UT 84663 Battelle Columbus Division
| |
| * Dist-5 505 King Avenue Columbus, OH 43201
| |
| | |
| Vernon Denny Adel A. El-Bassioni Science Applications Int. Corp. USNRC-NRR/PRAB 5150 El Camino Real, Suite 3 MS: lOA-2 Los Altos, CA 94303 J. Mark Elliott J. Devooget International Energy Associates, Faculte des Sciences Appliques Ltd., Suite 600 Universite Libre de Bruxelles 600 New Hampshire Ave., NW av. Franklin Roosevelt Washington, DC 20037 B-1050 Bruxelles BELGIUM Farouk Eltawila USNRC-RES/AEB R. A. Diederich MS : NL/N- 344 Supervising Engineer Environmental Branch Mike Epstein
| |
| _Philadelphia Electric Co. Fauske and Associates 2301 Market St. P. 0. Box 1625 Philadelphia, PA 19101 16W070 West 83rd Street Burr Ridge, IL 60521 Raymond DiSalvo Battelle Columbus Division Malcolm L. Ernst 505 King Avenue USNRC-RGN II Columbus, OH 43201 F. R. Farmer Mary T. Drouin The Long Wood, Lyons Lane Science Applications International Appleton, Warrington Corporation WA4 5ND 2109 Air Park Road S.E. UNITED KINGDOM Albuquerque, NM 87106 P. Fehrenback Andrzej Drozd Atomic Energy of Canada, Ltd.
| |
| Stone and Webster Chalk River Nuclear Laboratories Engineering Corp. Chalk River Ontario, KOJlPO 243 Summer Street CANADA Boston, MA 02107 P. Ficara N. W. Edwards ENEA Cre Casaccia NUTECH Department for Thermal Reactors 145 Martinville Lane Via Anguillarese, 301 San Jose, CA 95119 00100 ROMA ITALY Ward Edwards Social Sciences Research Institute A. Fiege University of Southern California Kernforschungszentrum Los Angeles, CA 90089-1111 Postfach 3640 D-7500 Karlsruhe Joachim Ehrhardt FEDERAL REPUBLIC OF GERMANY Kernforschungszentrum Karlsruhe/INR Postfach 3640 John Flack D-7500 Karlsruhe 1 USNRC-RES/SAIB FEDERAL REPUBLIC OF GERMANY MS: NLS-324 Dist-6
| |
| *
| |
| | |
| -~ George F. Flanagan Oak Ridge National Laboratory P.O. Box Y Oak Ridge, TN 37831 Karl N. Fleming John Gaunt British Embassy 3100 Massachusetts Avenue, NW Washington, DC 20008 Jim Gieseke Pickard, Lowe & Garrick, Inc. Battelle Columbus Division 2260 University Drive 505 King Avenue Newport Beach, CA 92660 Columbus, OH 43201 Terry Foppe Frank P. Gillespie Rocky Flats Plant USNRC-NRR/PMAS P. 0. Box 464, Building T886A MS: 12G-18 Golden, CO 80402-0464 Ted Ginsburg Joseph R. Fragola Department of Nuclear Energy Science Applications International
| |
| * Building 820 Corporation Brookhaven National Laboratory 274 Madison Avenue Upton, NY 11973 New York, NY 10016 James C. Glynn Wiktor Frid USNRC-RES/PRAB Swedish Nuclear Power Inspectorate MS: NL/S-372 Division of Reactor Technology P. 0. Box 27106 P. Govaerts S-102 52 Stockholm Departement de la Surete Nucleaire SWEDEN Association Vincotte avenue du Roi 157 James Fulford B-1060 Bruxelles NUS Corporation BELGIUM 910 Clopper Road Gaithersburg, MD 20878 George Greene Building 820M Urho Fulkkinen Brookhaven National Laboratory Technical Research Centre of Upton, NY 11973 Finland Electrical Engineering Laboratory Carrie Grimshaw Otakaari 7 B Brookhaven National Laboratory SF-02150 Espoo 15 Building 130 FINLAND Upton, NY 11973 J.B. Fussell H. J. Van Grol JBF Associates, Inc. Energy Technology Division 1630 Downtown West Boulevard Energieonderzoek Centrum Nederland Knoxville, TN 37919 Westerduinweg 3 Postbus 1 John Garrick NL-1755 Petten ZG Pickard, Lowe & Garrick, Inc. NETHERLANDS 2260 University Drive Newport Beach, CA 92660 Ser~io Guarro Lawrence Livermore Laboratories
| |
| * P. 0. Box 808 Livermore, CA 94550 Dist-7
| |
| | |
| Sigfried Hagen Jon C. Helton
| |
| * Kernforschungzentrum Karlsruhe Dept. of Mathematics P. 0. Box 3640 Arizona State University D-7500 Karlsruhe 1 Tempe, AZ 85287 FEDERAL REPUBLIC OF GERMANY Robert E. Henry L. Hammar Fauske and Associates, Inc.
| |
| Statens Karnkraftinspektion 16W070 West 83rd Street P.O. Box 27106 Burr Ridge, IL 60521 S-10252 Stockholm SWEDEN P. M. Herttrich Federal Ministry for the Stephen Hanauer Environment, Preservation of Technical Analysis Corp. Nature and Reactor Safety 6723 Whittier Avenue Husarenstrasse 30 Suite 202 Postfach 120629 McLean, VA 22101 D-5300 Bonn 1 FEDERAL REPUBLIC OF GERMANY Brad Hardin USNRC-RES/TRAB F. Heuser MS: NL/S-169 Giesellschaft Fur Reaktorsicherheit Forschurgsgelande R. J. Hardwich, Jr. D-8046 Garching Virginia Electric Power Co. FEDERAL REPUBLIC OF GERMANY P.O. Box 26666 Richmond, Va 23261 E. F. Hicken Giesellschaft Fur Reaktorsicherheit Michael R. Haynes Forschungsgelande UKAEA Harwell Laboratory D-8046 Garching Oxfordshire FEDERAL REPUBLIC OF GERMANY Didcot, Oxon., OXll ORA ENGLAND D. J. Higson Radiological Support Group Michael J. Hazzan Nuclear Safety Bureau Stone & Webster Australian Nuclear Science and 3 Executive Campus Technology Organisation Cherry Hill, NJ 08034 P.O. Box 153 Rosebery, NSW 2018 A. Hedgran AUSTRALIA Royal Institute of Technology Nuclear Safety Department Daniel Hirsch Bunellvagen 60 University of California 10044 Stockholm A. Stevenson Program on SWEDEN Nuclear Policy Santa Cruz, CA 95064 Sharif Heger UNM Chemical and Nuclear H. Hirschmann Engineering Department Hauptabteilung Sicherheit und Farris Engineering Umwelt Room 209 Swiss Federal Institute for Albuquerque, NM 87131 Reactor Research (EIR)
| |
| CH-5303 Wurenlingen Dist-8 SWITZERLAND
| |
| * Mike Hitchler Stephen C. Hora
| |
| * Westinghouse Electric Corp.
| |
| Savanna River Site Aiken, SC 29808 Richard Hobbins EG&G Idaho University of Hawaii at Hilo Division of Business Administration and Economics College of Arts and Sciences Hilo, HI 96720-4091 P. 0. Box 1625 J. Peter Hoseman Idaho Falls, ID 83415 Swiss Federal Institute for Reactor Research Steven Hodge CH-5303, Wurenlingen Oak Ridge National Laboratory SWITZERLAND P.O. Box Y Oak Ridge, TN 37831 Thomas C. Houghton KMC, Inc.
| |
| Lars Hoegberg 1747 Pennsylvania Avenue, NW Office of Regulation and Research Washington, DC 20006 Swedish Nuclear Power Inspectorate P.O. Box 27106 Dean Houston S-102 52 Stockholm USNRC-ACRS SWEDEN MS: P-315 Lars Hoeghort Der Yu Hsia IAEA A-1400 Taiwan Atomic Energy Council Wagranerstraase 5 67, Lane 144, Keelung Rd.
| |
| P.O. Box 100 Sec. 4 Vienna, 22 Taipei AUSTRIA TAIWAN Edward Hofer Alejandro Huerta-Bahena Giesellschaft Fur Reaktorsicherheit National Commission on Nuclear Forschurgsgelande Safety and Safeguards (CNSNS)
| |
| D-8046 Garching Insurgentes Sur N. 1776 FEDERAL REPUBLIC OF GERMANY Col. Florida C. P. 04230 Mexico, D.F.
| |
| Peter Hoffmann MEXICO Kernforschingszentrum Karlsruhe Institute for Material Kenneth Hughey [2]
| |
| Und Festkorperforsching I SERI Postfach 3640 5360 I-55 North D-7500 Karlsruhe 1 Jackson, MS 39211 FEDERAL REPUBLIC OF GERMANY Won-Guk Hwang N. J. Holloway Kzunghee University UKAEA Safety and Reliability Yongin-Kun Directorate Kyunggi-Do 170-23 Wigshaw Lane, Culcheth KOREA Warrington, Cheshire, WA34NE UNITED KINGDOM
| |
| ** Dist-9
| |
| | |
| Michio Ichikawa Jeffery Julius
| |
| * Japan Atomic Energy Research Inst. NUS Corporation Dept. of Fuel Safety Research 1301 S. Central Ave, Suite 202 Tokai-Mura, Naka-Gun Kent, WA 98032 Ibaraki-Ken, 319-1 JAPAN H. R. Jun Korea Adv. Energy Research Inst.
| |
| Sanford Israel P.O. Box 7, Daeduk Danju USNRC-AEOD/ROAB Chungnam 300-31 MS: MNBB-9715 KOREA Krishna R. Iyengar Peter Kafka Louisiana Power and Li~ht Gesellschaft Fur Reaktorsicherheit 200 A Huey P. Long Avenue Forschungsgelande Gretna, I.A 70053 D-8046 Garching FEDERAL REPUBLIC OF GERMANY Jerry E. Jackson USNRC-RES Geoffrey D. Kaiser MS: NL/S-302 Science Application Int. Corp.
| |
| 1710 Goodridge Drive R. E. Jaquith McLean, VA 22102 Combustion Engineering, Inc.
| |
| 1000 Prospect Hill Road William Kastenberg M/C 9490-2405 UGI.A Windsor, CT 06095 Boelter Hall, Room 5532 Los Angeles, CA 90024 S. E. Jensen Exxon Nuclear Company Walter Kato 2101 Horn Rapids Road Brookhaven National Laboratory Richland, WA 99352 Associated Universities, Inc.
| |
| Upton, NY 11973 Kjell Johannson Studsvik Energiteknik AB M. S. Kazimi S-611 82, Nykoping MIT, 24-219 SWEDEN Cambridge, MA 02139 Richard John Ralph L. Keeney SSM, Room 102 101 Lombard Street 927 W. 35th Place Suite 704W USC, University Park San Francisco, CA 94111 Los Angeles, CA 90089-0021 Henry Kendall D. H. Johnson Executive Director Pickard, Lowe & Garrick, Inc. Union of Concerned Scientists 2260 University Drive Cambridge, MA Newport Beach, CA 92660 Frank King W. Reed Johnson Ontario Hydro Department of Nuclear Engineering 700 University Avenue University of Virginia Bldg. Hll GS Reactor Facility Toronto
| |
| * Charlottesville, VA 22901 CANADA M5GlX6 Dist-10
| |
| | |
| Oliver D. Kingsley, Jr. Herbert J. C. Kouts
| |
| * Tennessee Valley Authority 1101 Market Street GN-38A Lookout Place Chattanooga, TN 37402 Stephen R. Kinnersly Brookhaven National Laboratory Building 179C Upton, NY 11973 Thomas Kress Oak Ridge National Laboratory Winfrith Atomic Energy P.O. Box Y Establishment Oak Ridge, TN 37831 Reactor Systems Analysis Division Winfrith, Dorchester W. Kroger Dorset DT2 8DH Institut fur Nukleare ENGLAND Sicherheitsforschung Kernforschungsanlage Julich GmbH Ryohel Kiyose Postfach 1913 University of Tokyo D-5170 Julich 1 Dept. of Nuclear Engineering FEDERAL REPUBLIC OF GERMANY 7-3-1 Hongo Bunkyo Tokyo 113 Greg Krueger [3]
| |
| JAPAN Philadelphia Electric Co.
| |
| 2301 Market St.
| |
| George Klopp Philadelphia, PA 19101 Commonwealth Edison Company P.O. Box 767, Room 35W Bernhard Kuczera Chicago, IL 60690 Kernforschungzentrum Karlsruhe
| |
| * LWR Safety Project Group (PRS)
| |
| Klaus Koberlein P. 0. Box 3640 Gesellschaft Fur Reaktorsicherheit D-7500 Karlsruhe 1 Forschungsgelande FEDERAL REPUBLIC OF GERMANY D-8046 Garching FEDERAL REPUBLIC OF GERMANY Jeffrey L. Lachance Science Applications International E. Kohn Corporation Atomic Energy Canada Ltd. 2109 Air Park Road S.E.
| |
| Candu Operations Albuquerque, NM 87106 Mississauga Ontario, LSK 1B2 H. Larsen CANADA Riso National Laboratory Postbox 49 Alan M. Kolaczkowski DK-4000 Roskilde Science Applications International DENMARK Corporation 2109 Air Park Road, S.E. Wang L. Lau Albuquerque, NM 87106 Tennessee Valley Authority 400 West Summit Hill Avenue S. Kondo Knoxville, TN 37902 Department of Nuclear Engineering Facility of Engineering Timothy J. Leahy University of Tokyo EI Services 3-1, Hongo 7, Bunkyo-ku 18'51 South Central Place, Suite 201 Tokyo Kent, WA 98031
| |
| * JAPAN Dist-11
| |
| | |
| John C. Lee J.P. Longworth Univ of Michigan, North Campus Dept. of Nuclear Engineering Ann Arbor, MI 48109 Tim Lee USNRC-RES/RPSB Central Electric Generating Board Berkeley Gloucester GL13 9PB UNITED KINGDOM Walter Lowenstein
| |
| * MS: NL/N-353 Electric Power Research Institute 3412 Hillview Avenue Mark T. Leonard P. 0. Box 10412 Science Applications Int. Corp. Palo Alto, CA 94303 2109 Air Park Road, SE Albuquerque, NM 87106 William J. Luckas Brookhaven National Laboratory Leo Lesage Building 130 Director, Applied Physics Div. Upton, NY 11973 Argonne National Laboratory Building 208, 9700 South Cass Ave. Hans Ludewig Argonne, IL 60439 Brookhaven National Laboratory Building 130 Milton Levenson Upton, NY 11973 Bechtel Western Power Company 50 Beale St. Robert J. Lutz, Jr.
| |
| San Francisco, CA 94119 Westinghouse Electric Corporation Monroeville Energy Center
| |
| * Librarian EC-E-371, P. 0. Box 355 NUMARC/USCEA Pittsburgh, PA 15230-0355 1776 I Street NW, Suite 400 Washington, DC 80006 Phillip E. MacDonald EG&G Idaho, Inc.
| |
| Eng Lin P.O. Box 1625 Taiwan Power Company Idaho Falls, ID 83415 242, Roosevelt Rd., Sec. 3 Taipei Jim Mackenzie TAIWAN World Resources Institute 1735 New York Ave. NW N. J. Liparulo Washington, DC 20006 Westinghouse Electric Corp.
| |
| P.O. Box 355 David P. Mackowiak Pittsburgh, PA 15230 Idaho Nat. Engineering Laboratory P.O. Box 1625 Y. H. (Ben) Liu Idaho Falls, ID 83415 Dept. of Mechanical Engineering University of Minnesota A. P. Malinauskas Minneapolis, MN 55455 Oak Ridge National Laboratory P.O. Box Y Bo Liwnang Oak Ridge, TN 37831 IAEA A-1400 Swedish Nuclear Power Inspectorate Giuseppe Mancini P.O. Box 27106 Commission European Comm.
| |
| S-102 52 Stockholm CEC-JRC Eraton
| |
| * SWEDEN Ispra Varese ITALY Dist-12
| |
| * Lasse Mattila James Moody Technical Research Centre of P.O. Box 641 Finland Rye, NH 03870 Lonnrotinkatu 37, P. 0. Box 169 SF-00181 Helsinki 18 S. Mori FINLAND Nuclear Safety Division OECD Nuclear Energy Agency Roger J. Mattson 38 Blvd. Suchet SCIENTECH Inc. 75016 Paris 11821 Parklawn Dr. FRANCE Rockville, MD 20852 Walter B. Murfin Donald McPherson P.O. Box 550 USNRC-NRR/DONRR Mesquite, NM 88048 MS: 12G-18 Joseph A. Murphy Jim Metcalf USNRC-RES/DSR Stone and Webster Engineering MS: NL/S-007 Corporation 245 Summer St. V. I. Nath Boston, MA 02107 Safety Branch Safety Engineering Group Mary Meyer Sheridan Park Research Community A-1, MS F600 Mississauga, Ontario L5K 1B2 Los Alamos National Laboratory CANADA Los Alamos, NM 87545 Susan J. Niemczyk Ralph Meyer 1545 18th St. NW, #112 USNRC-RES/AEB Washington, DC 20036 MS: NL/N-344 Pradyot K. Niyogi Charles Miller USDOE-Office of Nuclear Safety 8 Hastings Rd. Washington, DC 20545 Momsey, NY 10952 Paul North Joseph Miller EG&G Idaho, Inc.
| |
| Gulf States Utilities P. 0. Box 1625 P. 0. Box 220 Idaho Falls, ID 83415 St. Francisville, LA 70775 Edward P. O'Donnell William Mims Ebasco Services, Inc.
| |
| Tennessee Valley Authority 2 World Trade Center, 89th Floor 400 West Summit Hill Drive. New York, NY 10048 Wl0Dl99C-K Knoxville, TN 37902 David Okrent UCLA Jocelyn Mitchell Boelter Hall, Room 5532 USNRC-RES/SAIB Los Angeles, CA 90024 MS: NL/S-324 Robert L. Olson Kam Mohktarian Tennessee Valley Authority CBI Na-Con Inc. 400 West Summit Hill Rd.
| |
| 800 Jorie Blvd. Knoxville, TN 37902 Oak Brook, IL 60521 Dist-13
| |
| | |
| Simon Ostrach Robert D. Pollard
| |
| * Case Western Reserve University Union of Concerned Scientists 418 Glenman Bldg. 1616 P Street, NW, Suite 310 Cleveland, OH 44106 Washington, DC 20036 D. Paddleford R. Potter Westinghouse Electric Corporation UK Atomic Energy Authority Savanna River Site Winfrith, Dorchester Aiken, SC 29808 Dorset, DT2 8DH UNITED KINGDOM Robert L. Palla, Jr.
| |
| USNRC-NRR/PRAB William T. Pratt MS: lOA-2 Brookhaven National Laboratory Building 130
| |
| -ehang K. Park Upton, NY 11973 Brookhaven National Laboratory Building 130 M. Preat Upton, NY 11973 Chef du Service Surete Nucleaire et Assurance Qualite Michael C. Parker TRACTEBEL Illinois Department of Nuclear Bd. du Regent 8 Safety B-100 Bruxells 1035 Outer Park Dr. BELGIUM Springfield, IL 62704 David Pyatt Gareth Parry
| |
| * USDOE NUS Corporation MS: EH-332 910 Clopper Road Washington, DC 20545 Gaithersburg, MD 20878 William Raisin J. Pelee* NUMAEC Departement de Surete Nucleaire 1726 M St. NW IPSN Suite 904 Centre d'Estudes Nucleaires du CEA Washington, DC 20036 B.P. no. 6, Cedex F-92260 Fontenay-aux-Roses Joe Rashid FRANCE ANATECH Research Corp.
| |
| 3344 N. Torrey Pines Ct.
| |
| G. Petrangeli Suite 1320 ENEA Nuclear Energy ALT Disp La Jolla, CA 90237 Via V. Brancati, 48 00144 Rome Dale M. Rasmuson ITALY USNRC-RES/PRAB MS: NL/S-372 Marty Plys Fauske and Associates Ingvard Rasmussen 16W070 West 83rd St. Riso National Laboratory Burr Ridge, IL 60521 Postbox 49 DK-4000, Roskilde Mike Podowski DENMARK Department of Nuclear Engineering
| |
| * and Engineering Physics RPI Troy, NY 12180-3590 Dist-14
| |
| | |
| Norman C. Rasmussen Jorma V. Sandberg
| |
| * Massachusetts Institute of Technology 77 Massachusetts Avenue Cambridge, MA 02139 John W. Reed Finnish Ctr. Rad. Nucl. and Safety Department of Nuclear Safety P.O. Box 268 SF-00101 Helsinki FINLAND Jack R. Benjamin & Associates, Inc. G. Saponaro 444 Castro St., Suite 501 ENEA Nuclear Engineering Alt.
| |
| Mountain View, CA 94041 Zia V Brancati 4B 00144 ROME David B. Rhodes ITALY Atomic Energy of Canada, Ltd.
| |
| Chalk River Nuclear Laboratories M. Sarran Chalk River, Ontario KOJlPO United Engineers CANADA P. 0. Box 8223 30 S 17th Street Dennis Richardon Philadelphia, PA 19101 Westinghouse Electric Corporation P.O. Box 355 Marty Sattison Pittsburgh, PA 15230 EG&G Idaho P. 0. Box 1625 Doug Richeard Idaho Falls, ID 83415 Virginia Electric Power Co.
| |
| P.O.Box 26666 George D. Sauter
| |
| * Richmond, VA 23261 Electric Power Research Institute 3412 Hillview Avenue Robert Ritzman Palo Alto, CA 94303 Electric Power Research Institute 3412 Hillview Avenue Jorge Schulz Palo Alto, CA 94304 Bechtel Western Power Corporation 50 Beale Street Richard Robinson San Francisco, CA 94119 USNRC-RES/PRAB MS: NL/S-372 B. R. Sehgal Electric Power Research Institute Jack E. Rosenthal 3412 Hillview Avenue USNRC-AEOD/ROAB Palo Alto, CA 94303 MS: MNBB-9715 Subir Sen Denwood F. Ross Bechtel Power Corp.
| |
| USNRC-RES 15740 Shady Grove Road MS: NL/S-007 Location lA-7 Gaithersburg, MD 20877 Frank Rowsome 9532 Fern Hollow Way S. Serra Gaithersburg, MD 20879 Ente Nazionale per l'Energia Electtrica (ENEL)
| |
| Wayne Russell via G. B. Martini 3 SERI Rome' 5360 I-55 North ITALY Jackson, MS 39211 Dist-15
| |
| * Bonnie J. Shapiro Gary Smith Science Applications International SERI Corporation 5360 1-55 North 360 Bay Street Jackson, MS 39211 Suite 200 Augusta, GA 30901 Gary L. Smith Westinghouse Electric Corporation H. Shapiro Hanford Site Licensing and Risk Branch Box 1970 Atomic Energy of Canada Ltd. Richland, WA 99352 Sheridan Park Research Community Mississauga, Ontario L5K 1B2 Lanny N. Smith CANADA Science Applications International Corporation Dave Sharp 2109 Air Park Road SE Westinghouse Savannah River Co. Albuquerque, NM 87106 Building 773-41A, P. 0. Box 616 Aiken, SC 29802 K. Soda Japan Atomic Energy Res. Inst.
| |
| John Sherman Tokai-Mura Naka-Gun Tennessee Environmental Council Ibaraki-Ken 319-11 1719 West End Avenue, Suite 227 JAPAN Nashville, TN 37203 Leonard Soffer Brian Sheron USNRC-RES/SAIB USNRC-RES/DSR MS: NL/S-324 MS: NL/N-007 David Sommers Rick Sherry Virginia Electric Power Company JAYCOR P. 0. Box 26666 P. 0. Box 85154 Richmond, VA 23261 San Diego, CA 92138 Herschel Spector Steven C. Sholly New York Power Authority MHB Technical Associates 123 Main Street 1723 Hamilton Avenue, Suite K White- Plains, NY 10601 San Jose, CA 95125 Themis P. Speis Louis M. Shotkin USNRC-RES USNRC-RES/RPSB MS: NL/S-007 MS: NL/N- 353 Klaus B. Stadie M. Siebertz OECD-NEA, 38 Bld. Suchet Chef de la Section Surete' des 75016 Paris Reacteurs FRANCE CEN/SCK Boeretang, 200 John Stetkar B-2400 Mol Pickard, Lowe & Garrick, Inc.
| |
| BELGIUM 2216 University Drive Newport Beach, CA 92660 Melvin Silberberg USNRC-RES/DE/WNB MS: NL/S-260 Dist-16
| |
| *
| |
| * Wayne L. Stiede David Teolis Commonwealth Edison Company Westinghouse-Bettis Atomic Power P.O. Box 767 Laboratory Chicago, IL 60690 P. 0. Box 79, ZAP 34N West Mifflin, PA 15122-0079 William Stratton Stratton & Associates Ashok C. Thadani 2 Acoma Lane USNRC-NRR/SAD Los Alamos, NM 87544 MS: 7E-4 Soo-Pong Suk Garry Thomas Korea Advanced Energy Research L-499 (Bldg. 490)
| |
| Institute Lawrence Livermore National P. 0. Box 7 Laboratory Daeduk Danji, Chungnam 300-31 7000 East Ave.
| |
| KOREA P.O. Box 808 Livermore, CA 94550 W. P. Sullivan GE Nuclear Energy Gordon Thompson 175 Curtner Ave., M/C 789 Institute for Research and San Jose, CA 95125 Security Studies 27 Ellworth Avenue Tony Taig Cambridge, MA 02139 U.K. Atomic Energy Authority Wigshaw Lane, Culcheth Grant Thompson Warrington, Cheshire, WA3 4NE League of Women Voters UNITED KINGDOM 1730 M. Street, NW Washington, DC 20036 John Taylor Electric Power Research Institute Arthur Tingle 3412 Hillview Avenue Brookhaven National Laboratory Palo Alto, CA 94303 Building 130 Upton, NY 11973 Harry Teague U.K. Atomic Energy Authority Rich Toland Wigshaw Lane, Culcheth United Engineers and Construction Warrington, Cheshire, WA3 4NE 30 S. 17th St., MS 4V7 UNITED KINGDOM Philadelphia, PA 19101 Technical Library Brian J. R. Tolley Electric Power Research Institute DG/XII/D/1 P.O. Box 10412 Commission of the European Palo Alto, CA 94304 Communities Rue de la Loi, 200 Mark I. Temme B-1049 Brussels General Electric, Inc. BELGIUM P.O. Box 3508 Sunnyvale, CA 94088 David R. Torgerson Atomic Energy of Canada Ltd.
| |
| T. G. Theofanous Whiteshell Nuclear University of California, S.B. Research Establishment Department of Chemical and Nuclear Pinawa, Manitoba, ROE lLO Engineering CANADA Santa Barbara, CA 93106 Dist-17
| |
| | |
| Alfred F. Torri G. Bruce Varnado
| |
| * Pickard, Lowe & Garrick, Inc. ERC International 191 Calle Magdalena, Suite 290 1717 Louisiana Blvd. NE, Suite 202 Encinitas, CA 92024 Albuquerque, NM 87110 Klau Trambauer Jussi K. Vaurio Gesellschaft Fur Reaktorsicherheit Imatran Voima Oy Forschungsgelande Loviisa NPS D-8046 Garching SF-07900 Loviisa FERERAL REPUBLIC OF GERMANY FINLAND Nicholas Tsoulfanidis William E. Vesely Nuclear Engineering Dept. Science Applications International University of Missouri-Rolla Corporation Rolla, MO 65401-0249 2929 Kenny Road, Suite 245 Columbus, OH 43221 Chao-Chin Tung c/o H.B. Bengelsdorf J. I. Villadoniga Tallon ERC Environmental Services Co. Div. of Analysis and Assessment P. 0. Box 10130 Consejo de Seguridad Nuclear Fairfax, VA 22030 c/ Sor Angela de la Cruz, 3 28020 Madrid Brian D. Turland SPAIN UKAEA Culham Laboratory Abingdon, Oxon OX14 3DB Willem F. Vinck ENGLAND Kapellestract 25 1980 Takeo Uga Tervuren Japan Institute of Nuclear Safety BELGIUM Nuclear Power Engineering Test Center R. Virolainen 3-6-2, Toranomon Office of Systems Integration Minato-ku, Tokyo 108 Finnish Centre for Radiation and JAPAN Nuclear Safety Department of Nuclear Safety Stephen D. Unwin P.O. Box 268 Battelle Columbus Division Kumpulantie 7 505 King Avenue SF-00520 Helsinki Columbus, OH 43201 FINLAND A. Valeri Raymond Viskanta DISP School of Mechanical Engineering ENEA Purdue University Via Vitaliano Brancati, 48 West Lafayette, IN 47907 I-00144 Rome ITALY S. Visweswaran General Electric Company Harold VanderMolen 175 Curtner Avenue USNRC-RES/PRAB San Jose, CA 95125 MS: NL/S-372 Truong Vo Pacific Northwest Laboratory Battelle Blvd.
| |
| Richland, WA 99352 Dist-18
| |
| | |
| *-* . Richard Vogel Electric Power Research Institute P. 0. Box 10412 Palo Alto, CA 94303 G. Volta Pat Worthington USNRC-RES/AEB MS : NL/N - 344 John Wreathall Science Applications International Engineering Division Corporation CEC Joint Research Centre 2929 Kenny Road, Suite 245 CP No. 1 Columbus, OH 43221 1-21020 Ispra (Varese)
| |
| ITALY D. J. Wren Atomic Energy of Canada Ltd.
| |
| Ian B. Wall Whiteshell Nuclear Research Electric Power Research Institute Establishment 3412 Hillview Avenue Pinawa, Manitoba_, ROE lLO Palo Alto, CA 94303 CANADA Adolf Walser Roger Wyrick Sargent and Lundy Engineers Inst. for Nuclear Power Operations 55 E. Monroe Street 1100 Circle 75 Parkway, Suite 1500 Chicago, IL 60603 Atlanta, GA 30339 Edward Warman Kun-Joong Yoo Stone & Webster Engineering Corp. Korea Advanced Energy Research P.O. Box 2325 Institute
| |
| * Boston, MA 02107 P. 0. Box 7 Daeduk Danji, Chungnam 300-31 Norman Weber KOREA Sargent & Lundy Co.
| |
| 55 E. Monroe Street Faith Young Chicago, IL 60603 Energy People, Inc.
| |
| Dixou Springs, TN 37057 Lois Webster American Nuclear Society Jonathan Young 555 N. Kensington Avenue R. Lynette and Associates La Grange Park, IL 60525 15042 Northeast 40th St.
| |
| Suite 206 Wolfgang Werner Redmond, WA 98052 Gesellschaft Fur Reaktorsicherheit Forschungsgelande C. Zaffiro D-8046 Garching Division of Safety Studies FEDERAL REPUBLIC OF GERMANY Directorate for Nuclear Safety and Health Protection Don Wesley Ente Naz-ionale Energie Alternative IMPELL Via Vitaliano Brancati, 48 1651 East 4th Street 1-00144 Rome Suite 210 ITALY Santa Ana, CA 92701 Mike Zentner Detlof von Winterfeldt Westinghouse Hanford Co.
| |
| Institute of Safety and Systems P: 0. Box 1970 Management Richland, WA 99352 University of Southern California Los Angeles, CA 90089-0021 Dist-19
| |
| | |
| X. Zikidis 6500 A. W. Snyder
| |
| * Greek Atomic Energy Commission 6510 J. V. Walker Agia Paraskevi, Attiki 6517 M. Berman Athens 6517 M. P. Sherman GREECE 6521 L. D. Bustard 6523 W. A. von Riesemann Bernhard Zuczera 8524 J. A. Wackerly Kernforschungszentrum Postfach 3640 D-7500 Karlsruhe FEDERAL REPUBLIC OF GERMANY 1521 J. R. Weatherby 3141 s. A. Landenberger [5]
| |
| 3151 w. I. Klein 5214 D. B. Clauss 6344 E. D. Gorham 6001 D. D. Carlson 6001 R. J. Breeding 6001 D. M. Kunsman 6400 D. J. Mccloskey 6410 D. A. Dahlgren 6412 A. L. Camp 6412 s. L. Daniel 6412 T. M. Hake 6412 L. A. Miller 6412 6412 6412 6412 6412 6413 D. B. Mitchell A. C. Payne, Jr.
| |
| T. T. Sype T. A. Wheeler D. w. Whitehead T. D. Brown
| |
| * 6413 F. T. Harper [2]
| |
| 6415 R; M. Cranwell 6415 W. R. Cramond [3]
| |
| 6415 R. L. Iman 6418 J. E. Kelly 6418 K; J. Maloney 6419 M. P. Bohn 6419 J. A. Lambright 6422 D. A. Powers 6424 K. D. Bergeron 6424 J. J. Gregory 6424 D. R. Bradley 6424 D. C. Williams 6425 s. s. Dosanjh 6453 J. s. Philbin Dist-20
| |
| | |
| NRC FORM 335 U.S. NUCLEAR REGULATORY COMMISSION 1. REPORT NUMBER 12-89) (A11l9ned by NRC. Add Vol., Supp., Rev.,
| |
| NRCM 1102, end Addendum Numbers, If any.)
| |
| 3201, 3202 BIBLIOGRAPHIC DATA SHEET . NUREG/CR-4550 (See instructions on the reverse)
| |
| SAND86-2084
| |
| .T~TLEANDSUBTITLE Vol. 3, Rev. 1, Part 1 alysis of Core Damag~ Frequency: Surry, Unit 1, Internal ents 3. DATE REPORT PUBLISHED MONTH YEAR A ril 1990
| |
| : 4. FIN OR GRANT NUMBER Al228
| |
| : 5. AUTHOR(S) 6. TYPE OF REPORT R. C. Bertucio, *. J. A. *Julius*
| |
| Technical
| |
| : 7. PERIOD COVERED /Inclusive Dares!
| |
| : 8. PER FORMING ORGANIZATION - NAME AND ADDRESS (If NRC, provide Division, Office or Region, U.S. Nuclear Regulatory Commission, and mailing address; if contractor, provide name snd mailing address./
| |
| Sandia National Laboratories Albuquerque, NM 87185
| |
| *EI Services Kent WA 98031
| |
| : 9. SPONSOR ING ORGANIZATION*- NAME AND ADDRESS /If NRC, type "Same as above"; if contractor, provide NRC Division, Office or Region, U.S. Nuclear Regulatory Commission, and mailing address.)
| |
| Division of Systems Research Office of Nuclear Regulatory Research US Nuclear Regulatory Commission Washington, DC 20555 fllACT (200 words or l*ui Thia .document contains the accident sequence analyses of internally initiated events for the Surry Nuclear Station, Unit 1. This is one of the five plant analyses conducted as p*rt of the NUREG-1150 effort by the Nuclear Regulatory Commi.ssion .. NUREG-1150 documents the risk of a selected group of nuclear power plants. The work performed and described here is an extensive reanalysis of that published in November 1986 as NUREG/CR~4SSO, Volume 3. It addresses comments from numerous reviewers and significant changes to th~ plant systems and procedures made since the first report. The uncertainty analysis and presentation of results are also much improved. The context and detail of this report are directed toward PRA practitioners who need to know how the work was performed and the details for use in further studies. The mean core damage frequency at Surry was calculated to be 4.0E-5,per year, with a 95% upper bound of 1.3E-4 and 5% lower bound of 6.8E-6 per year. Station blackout type accidents (loss of all AC power) were the largest contributors to the core damage.frequency, accounting for approximately 68% of .the total. The next type, of dominant contributors were Loss of Cgolant Accidents (LOCAs). These sequences account for 15% of core damage frequency .
| |
| . Ro other type of sequence accounts for more than 10% of core damage frequency.
| |
| *12. KEY WORDS/DESCRIPTORS /Lt.r words or ph,.,., th*t will *ul,t ""*arr:hers In locating the report./ 13. AVAILABILITY STATEMENT Probabilistic Risk Assessment (PRA) unlimited 14, SECURITY CLASS I Fl CATION safety analysis (This Page) uncertainty analysis accident sequence analysis unclassified (This Report) unclassified
| |
| : 15. NUMBER OF PAGES
| |
| : 16. PRICE NRC FORM 335 12-89)
| |
| | |
| UNITED STATES SPECIAL FOURTH-CLASS RATE NUCLEAR REGULATORY COMMISSION POSTAGE & FEES PAIO USNRC WASHINGTON, D.C. 20555 PERMIT No. G-67 OFFICIAL BUSINESS PENALTY FOR PRIVATE USE, $300 , 120555139531 1 !AN
| |
| , US I\JRC-OADM DIV FOIA & PUBLICATIONS SVCS TPS POR-NUREG 1 P-223 WASHINGTON DC 20555
| |
| ~ -------
| |
| ------*-----------A-- ___ /
| |
| *,.}}
| |
