ML20141N298: Difference between revisions
Latest revision as of 07:40, 12 December 2021
ML20141N298
| Person / Time | |
|---|---|
| Site: | 05000000, Shoreham |
| Issue date: | 05/29/1985 |
| From: | Reich M BROOKHAVEN NATIONAL LABORATORY |
| To: | George Thomas NRC |
| Shared Package: | ML20140B832 |
| References: | FOIA-85-772 NUDOCS 8603060097 |
Text
{{#Wiki_filter:BROOKHAVEN NATIONAL LABORATORY
ASSOCIATED UNIVERSITIES, INC.
Structural Analysis Division
Department of Nuclear Energy, Building 129
Upton, Long Island, New York 11973
(516) 282-2448 FTS 666/

May 29, 1985

George Thomas
Mail Stop P-1151
Phillips Building
7920 Norfolk Avenue
U.S. Nuclear Regulatory Commission
Bethesda, MD 20814

Dear Mr. Thomas:
As discussed with you in Bethesda, MD, on May 21, 1985, our preliminary review of the 1982 Stone & Webster Engineering Corporation Report entitled, "Ultimate Pressure Capacity of Shoreham Primary Containment", Appendix M, indicates that the report does not provide enough details for us to determine whether the prediction of all failure modes, in particular the shear failure at the basemat cylinder junction, have been properly considered in the analysis. In order for us to arrive at a more conclusive determination, we request that you obtain the following information:

(1) The detailed calculations performed by Stone & Webster for the above mentioned report.

(2) Pertinent structural design details of the containment. In particular, the reactor containment structural arrangements section thru walls roof plan; base details; drywell bulkhead and ring beam region. These drawings should also include details pertaining to all reinforcements and the liner.
- 0603060097 060106 i PDR FOIA PDR
- GHOLLY O5-772 ,
G. Thomas - 2 - May 29, 1985

Finally, for the evaluation of leakage, we require the calculations made by Stone & Webster as well as the structural drawing pertaining to the:

(a) Drywell Head
(b) Equipment Hatches and Personnel Locks
(c) Purge Valves
(d) Other large diameter penetration.

In order to carry out our review in a timely manner, we require the above information as soon as possible.

Sincerely yours,

Structural Analysis Division

RH/dv
cc: K. Perkins
T. Pratt
ENCLOSURE 2
NUREG/CR-4050
BNL-NUREG-51836

A REVIEW OF THE SHOREHAM NUCLEAR POWER STATION PROBABILISTIC RISK ASSESSMENT (INTERNAL EVENTS AND CORE DAMAGE FREQUENCY)

D. ILBERG, K. SHIU, N. HANAN, E. ANAVIM

MANUSCRIPT COMPLETED - MAY 1985
DATE PUBLISHED - JUNE 1985

RISK EVALUATION GROUP
DEPARTMENT OF NUCLEAR ENERGY
BROOKHAVEN NATIONAL LABORATORY
UPTON, NEW YORK 11973

PREPARED FOR U.S. NUCLEAR REGULATORY COMMISSION, WASHINGTON, D.C. 20555
UNDER CONTRACT NO. DE-AC02-76CH00016
NRC FIN NO. A-3740
ABSTRACT

A review of the Probabilistic Risk Assessment of the Shoreham Nuclear Power Station was conducted with the broad objective of evaluating its risks in relation to those identified in the Reactor Safety Study (WASH-1400). The scope of the review was limited to the "front end" part, i.e., to the evaluation of the frequencies of states in which core damage may occur. Furthermore, the review considered only internally generated accidents, consistent with the scope of the PRA. The review included an assessment of the assumptions and methods used in the Shoreham study. It also encompassed a re-evaluation of the main results within the scope and general methodological framework of the Shoreham PRA, including both qualitative and quantitative analyses of accident initiators, data bases, and accident sequences which result in initiation of core damage. Specific comparisons are given between the Shoreham study, the results of the present review, and the WASH-1400 BWR, for the core damage frequency. The effect of modeling uncertainties was considered by a limited sensitivity study so as to show how the results would change if other assumptions were made. This review provides an independently assessed point value estimate of core damage frequency and describes the major contributors, by frontline systems and by accident sequences.
CONTENTS

ABSTRACT
LIST OF FIGURES
LIST OF TABLES
ACKNOWLEDGMENT
NOMENCLATURE
EXECUTIVE SUMMARY

1.0 INTRODUCTION
  1.1 Background
  1.2 Objective, Scope, and Approach to Review
  1.3 Organization of Report
  1.4 References to Section 1

2.0 PLANT MODELING
  2.1 Safety Functions and Corresponding Systems
    2.1.1 Safety Functions and Frontline Systems
    2.1.2 Success Criteria for the Frontline Systems
      2.1.2.1 Success Criteria for LOCA Initiators
      2.1.2.2 Success Criteria for Transient Initiators
      2.1.2.3 Success Criteria for ATWS Initiators
    2.1.3 Support Systems
      2.1.3.1 Electric Power System (EPS)
      2.1.3.2 Emergency Service Water (ESW)
      2.1.3.3 Plant Air and Compressed Nitrogen Systems
  2.2 Initiating Events
    2.2.1 SNPS Initiators Selection
      2.2.1.1 LOCA Initiators
      2.2.1.2 Transient with Successful Scram
      2.2.1.3 ATWS: Anticipated Transient Without Scram
    2.2.2 Comparison with Reactor Safety Study and Other PRAs
      2.2.2.1 Comparison with RSS-BWR
      2.2.2.2 Comparison with RSSMAP Grand Gulf
      2.2.2.3 Comparison with the Big Rock Point (BRP) PRA
      2.2.2.4 Comparison with LGS and GESSAR PRAs
  2.3 BNL Assessment of the SNPS-PRA Initiating Events and Success Criteria
  2.4 References to Section 2

3.0 ACCIDENT SEQUENCE DEFINITION
  3.1 Introduction
    3.1.1 The General Methodology
    3.1.2 Functional Event Tree Development
    3.1.3 Qualitative Dependence Analysis
      3.1.3.1 System Functional Dependences
      3.1.3.2 System Physical Dependences
      3.1.3.3 System Human Induced Dependences
      3.1.3.4 Component Functional Dependences
      3.1.3.5 Component Physical Dependences
      3.1.3.6 Component Human Interaction Dependences
  3.2 Qualitative Description of Functional Event Trees
    3.2.1 Turbine Trip
    3.2.2 MSIV Closure/Loss of Condenser/Loss of Feedwater Transient
    3.2.3 Inadvertent Open Safety-Relief Valve
    3.2.4 Manual Shutdown
    3.2.5 Loss of Offsite Power
    3.2.6 Comparison with the Treatment of Transients in RSS and LGS-PRAs
    3.2.7 LOCA Event Trees
    3.2.8 ATWS Event Trees
    3.2.9 Other Event Trees
    3.2.10 Summary of the Qualitative Review of Functional Event Trees
  3.3 System Fault Trees
    3.3.1 System Fault Trees Analysis in SNPS-PRA
    3.3.2 Summary of BNL Modifications to SNPS System Fault Tree and Their Impact
      3.3.2.1 Reactor Core Isolation Cooling
      3.3.2.2 High Pressure Coolant Injection System
      3.3.2.3 Automatic Depressurization System
      3.3.2.4 Boolean Combination of High Pressure Injection Function and the ADS Function
      3.3.2.5 Low Pressure Core Spray
      3.3.2.6 Low Pressure Coolant Injection
      3.3.2.7 Boolean Combination of LPCI and LPCS
      3.3.2.8 Service Water System
      3.3.2.9 Residual Heat Removal System
      3.3.2.10 RCIC in the Steam Condensing Mode and RHR
      3.3.2.11 The Electric Power System
      3.3.2.12 Feedwater System
      3.3.2.13 Condensate System
      3.3.2.14 Power Conversion System
    3.3.3 Summary of the Review of Fault Tree Analysis and its Impact on Core Damage Frequency
  3.4 Human Performance Analysis
    3.4.1 Cognitive Human Errors
    3.4.2 Procedural Human Errors
  3.5 References to Section 3
APPENDIX 3A Changes Made to SNPS-PRA Fault Trees

4.0 DATA ASSESSMENT
  4.1 Frequencies of Initiating Events
    4.1.1 Initiating Event Frequencies used in SNPS-PRA
    4.1.2 BNL Assessment of the Initiator Frequencies
    4.1.3 Loss of Offsite Power Initiator
    4.1.4 Recovery of Offsite Power
    4.1.5 Conclusion
  4.2 Component Unavailabilities
    4.2.1 SNPS Data Base
    4.2.2 Data Assessment for Diesel Generator Availability
  4.3 Human Error Probabilities
  4.4 References to Section 4

5.0 SUMMARY OF ACCIDENT SEQUENCE QUANTIFICATION AND IDENTIFICATION OF DOMINANT CONTRIBUTORS TO CORE DAMAGE FREQUENCIES
  5.1 Modifications Made by BNL in the Accident Sequences Quantification
    5.1.1 Overview of the SNPS Approach to Accident Sequence Quantification
    5.1.2 BNL Modifications to the Accident Sequence
  5.2 Summary of the Results of the BNL Review in Comparison with the SNPS-PRA
    5.2.1 Summary of the Results
      5.2.1.1 Loss of Coolant Accident Inside Drywell
      5.2.1.2 Anticipated Transients Without Scram
      5.2.1.3 Transients with Successful Scram
      5.2.1.4 Loss of Offsite AC Power
      5.2.1.5 Excessive Release of Water at Reactor Building Elevation 8
      5.2.1.6 Level Instrumentation: Loss of Reference Leg and Loss of Drywell Cooling
      5.2.1.7 Interfacing LOCA
    5.2.2 Dominant Sequences in BNL Review
  5.3 A Limited Sensitivity Study
  5.4 References to Section 5 and Appendices

APPENDIX 5A. ANTICIPATED TRANSIENT WITH SUCCESSFUL SCRAM SEQUENCES
  5A.1 Turbine Trip Transient
    5A.1.1 Background
    5A.1.2 The FW and PCS Availability (Q and W Functions)
    5A.1.3 The Results of the BNL Revised Event Trees
    5A.1.4 The Special Case of Common Mode Miscalibration of Level Instrumentation
  5A.2 Manual Shutdown
  5A.3 MSIV Closure Transient
    5A.3.1 Background
    5A.3.2 The Results of the BNL Revised Event Tree
  5A.4 Loss of Feedwater Transient
    5A.4.1 Background
    5A.4.2 The Results of the BNL Revised Event Tree
  5A.5 Loss of Condenser Vacuum Transient
    5A.5.1 Background
    5A.5.2 The Results of the BNL Revised Event Trees
  5A.6 Inadvertent Open Relief Valve Transient
    5A.6.1 Background
    5A.6.2 The Results of the BNL Revised Event Trees

APPENDIX 5B. LOSS OF OFFSITE POWER WITH SUCCESSFUL SCRAM

APPENDIX 5C. LOSS OF COOLANT ACCIDENTS
  5C.1 LOCA Inside Drywell
    5C.1.1 Background
    5C.1.2 BNL Revised Event Tree
  5C.2 Loss of Coolant Accident Outside Containment
    5C.2.1 Main Steam Line Break Within Reactor Building
    5C.2.2 Feedwater Line Break Contribution
    5C.2.3 HPCI/RCIC Steam Line Break Contribution
    5C.2.4 Interfacing LOCA Frequency
    5C.2.5 Comparison of the Contribution from Steam Line Breaks and from Interfacing LOCA
    5C.2.6 Core Damage Frequency for Large LOCA Outside Containment

APPENDIX 5D. ANTICIPATED TRANSIENT WITHOUT SCRAM (ATWS)
  5D.1 Summary of Shoreham ATWS Event Trees
  5D.2 Qualitative Review of the SNPS ATWS Event Trees
  5D.3 Summary of Physical Analysis Results
    5D.3.1 ATWS Accident Chronology
    5D.3.2 Discussion
  5D.4 Quantitative Review
  5D.5 Discussion of Results
  5D.6 Summary

APPENDIX 5E. REACTOR WATER LEVEL INSTRUMENT LINE FAILURE
  5E.1 Background
  5E.2 Operator Error Causing Leak on the Second Reference Leg
  5E.3 Loss of a Single DC Bus
  5E.4 Miscalibration of Water Level Instrumentation on the Alternate Leg
  5E.5 Failure of Differential Pressure Cell
  5E.6 Failure of Level 1 or 2 Relays and Slaves
  5E.7 Concluding Remarks

APPENDIX 5F. IMPACT OF HIGH DRYWELL TEMPERATURE SEQUENCES
  5F.1 Loss of Drywell Cooling Initiator
  5F.2 Transients or LOCAs with Subsequent Loss of Drywell Cooling
    5F.2.1 Transients
    5F.2.2 Water Level Measurement Implication of Losing Offsite and Onsite AC Power
    5F.2.3 Loss of Coolant Accidents with Loss of Drywell Cooling

APPENDIX 5G. EVENT TREE ANALYSIS OF OTHER POSTULATED ACCIDENT INITIATORS
  5G.1 Event Tree Evaluation of Sequences Following a Postulated Release of Excessive Water in Elevation 8 of the SNPS Reactor Building
    5G.1.1 Flood Initiation Frequency
    5G.1.2 Evaluation of Core Damage Frequency
    5G.1.3 Summary of the Results
  5G.2 Loss of 125 V DC Emergency Bus Division I (II)
  5G.3 Loss of Reactor Building Service Water Initiator
LIST OF FIGURES

0.1 Summary of the Results of the Event Tree Quantification Displayed by Class of Postulated Core Damage Condition
0.2 Comparison of the SNPS-PRA and the BNL Review Contributing Accident Sequences to the Calculated Core Damage Frequency (per Reactor Year) Due to the Identified Accident Sequences Contributors
4.1 Event Tree Diagram of Accident Sequences Following a Turbine Trip Initiator From High Power
5.1 Summary of the Results of the Event Tree Quantification Displayed by Class of Postulated Core Damage Condition
5.2 Comparison of the SNPS-PRA and the BNL Review Contributing Accident Sequences to the Calculated Core Damage Frequency (per Reactor Year) Due to the Identified Accident Sequence Contributors
5.3 Comparison of the Contributions of Various Accident Sequences to the Calculated Frequency of Core Melt (from WASH-1400) and to the Calculated Frequency of Core Vulnerable Conditions (from the Shoreham Analysis)
5D.1 Event Tree Diagram of Accident Sequences Following a Turbine Trip Initiator From High Power
5D.2 Event Tree Diagram for Postulated ATWS Accident Sequences Following Turbine Trip W/Bypass Available
5D.3 Event Tree Diagram for Postulated ATWS Accident Sequences Following a MSIV Closure
5D.4 Event Tree Diagram for Postulated ATWS Accident Sequences Following a Loss of Feedwater
5D.5 Event Tree Diagram for Postulated ATWS Accident Sequences Following a Loss of Offsite Power
5D.6 Event Tree Diagram of Postulated ATWS Accident Sequences Following an Inadvertent Open Relief Valve
5D.7 Reactor Core Thermal Power vs RPV Water Level--Redy Estimates
5D.8 Event Tree Diagram of Accident Sequences Following a Turbine Trip (BNL Review)
5E.1 Reactor Vessel Level Instrumentation Orientation
5E.2 Fault Tree for Operator Error Causes Failure of Alternate Reference Leg
5E.3 Leak in a Single Reference Leg Coupled with Other Failures
LIST OF TABLES

0.1 Comparison of SNPS-PRA and BNL Review Results
2.1 Safety Functions Required for Initiating Events
2.2 Safety Functions for Shoreham Nuclear Power Station
2.3 Frontline Systems for Shoreham Nuclear Power Station
2.4 Comparison of SNPS, LGS, and RSS-BWR Safety Systems
2.5 Summary of Success Criteria for the Mitigating Systems
2.6 LOCA Success Criteria
2.7 SNPS-PRA Success Criteria for ATWS Accident Sequences Based on Modifications Implemented at Shoreham
2.8 BNL-Review Success Criteria for ATWS Accident Sequences Based on Modifications Implemented at Shoreham
2.9 Support Systems for Shoreham Nuclear Power Station
2.10 Electric Power Systems
2.11 Summary of the Categories of BWR Transients Used in SNPS-PRA to Classify Operating Experience Data on Anticipated Transients
2.12 BWR Transients (Reactor Safety Study)
2.13 Initiating Events for BRP PRA for Which Event Trees Were Developed
3.1 Point Estimates of SNPS System Unavailability Compared to BNL Review
3.2 Human Errors Modeled in Event Trees
3.3 Major Human Errors Modeled in System Fault Trees
3A.1 BNL Changes in SNPS-PRA Fault Trees
4.1 Frequency of Initiating Events
4.2 SNPS-PRA and BNL Results for Initiator Frequency and Sources of Differences
4.3 Summary of Quantification for Exposing the Low Pressure System to Primary System Pressure
4.4 Summary of the Historical Data on the LILCO Grid for Loss of Offsite Power Incidents
4.5 Experiential Evidence from Plants of the Northeast Power Coordinating Council (NPCC) Loss of Offsite Power
4.6 LOOP Initiator Frequency Considered in SNPS-PRA and BNL Review
4.7 Recovery Time Distributions
4.8 Comparison Between SNPS-PRA Diesel Generator Data and Other Evaluations
5.1 Comparison of SNPS-PRA and BNL Review Results
5.2 Core Damage Frequency for LOCA in Drywell Initiators
5.3 Core Damage Frequency for ATWS
5.4 Core Damage Frequency for Transient Initiators
5.5 Core Damage Frequency for Loss of Offsite AC Power Initiator
5.6 Core Damage for Excessive Release of Water in Reactor Building Elevation 8 Initiator
5.7 Core Damage Frequency for Level Instrumentation and Drywell Cooling Failure Initiators
5.8 Core Damage Frequency for LOCA Outside Containment Initiator
5.9 Class I Dominant Sequences
5.10 Class II Dominant Sequences
5.11 Class V Dominant Sequences
5.12 Class III Dominant Sequences
5.13 Class IV Dominant Sequences
5.14 Summary Table of Dominant Accident Sequences Leading to Core Damage Conditions, Ranked by Frequency (per Reactor Year)
5.15 Results from a Limited Sensitivity Study
5A.1 Functional Level Event Tree Description for FW and PCS Recovery Probability (Turbine Trip)
5A.2 Event Tree Diagram for Sequences Following a Turbine Trip Initiator
5A.3 Functional Level Event Tree for FW and PCS Recovery Probability (Manual Shutdown)
5A.4 Event Tree Diagram for Sequences Following a Manual Shutdown
5A.5 Functional Level Event Tree Description for FW and PCS Recovery Probability (MSIV Closure)
5A.6 Event Tree Diagram for Sequences Following a MSIV Closure Initiator
5A.7 Functional Level Event Tree for the Probability of FW and PCS Unavailability Following a Loss of FW Transient: Short-Term and Long-Term Recovery
5A.8 Event Tree Diagram for Sequences Following a Loss of Feedwater Initiator
5A.9 Functional Level Event Tree for the Probability of FW and PCS Unavailability Following a Loss of Condenser Initiator
5A.10 Event Tree Diagram for Sequences Following a Loss of Condenser Vacuum
5A.11 Functional Level Event Tree for the Probability of FW and PCS Unavailability Following an IORV
5A.12 Event Tree Diagram for Sequences Following IORV
5B.1 Time Phase Event Tree Diagram for LOOP Initiator
5C.1 Event Tree Diagram for Sequences Following Large and Medium LOCA
5C.2 LOCA Contributions to Core Damage Frequencies
5C.3 LER Summaries for Interfacing LOCA Events
5C.4 Event Tree Diagram for Sequences Following Large LOCA Outside Containment
5D.1 Transient with Failure to Scram Emergency Procedure
5D.2 BNL ATWS Initiator Frequency
5D.3 Comparison of Conditional Frequency of Core Damage Based on BNL and SNPS ATWS Event Trees
5D.4 Core Damage Frequency of BNL Revised ATWS Event Trees with SNPS Initiator Frequency
5D.5 Core Damage Frequency Based on BNL Revised ATWS Event Tree with BNL Initiator Frequency
5D.6 Event Tree Diagram for Postulated ATWS Sequences Following Turbine Trip
5D.7 Functional Level Event Tree for the Control of RPV Level-1
5D.8 Event Tree Diagram for Postulated ATWS Sequences Following MSIV Closure
.. . .. . .................. 245 1 SD.9 Event Tree Diagram for Postulated ATWS Sequences Following LOOP., 247
- 50.10 Event Tree Diagram for Postulated ATWS Sequences Followin
! Los s of Feedwa te r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....... g 249 t xii t 9 e O
, , ,egp , . . *.. == ?* d'* * * * * ,rw-. --o__.r.,,---w-m.-,.,,,-,.r -,--.-,,r---m------,-e~, --,~,,--ww-=,-mm .-_.-.,,-ew.,m-.----n-e-e.v-,. -.i,-.m,.c.,, ,,,,,,ne,,rew-,n
~
L__.-..'=- -
. .:.s '" ' ' :w ' ' ~~ .... , --- a -' s a ---
Table Page 50.11 Event Tree Diagram for Postulated ATWS Sequences Following 10RV.. 251 SE.1 Level Ins t rument As s ignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262 SE.2 Event Tree Diagram for Sequences Following Reactor Water Level Ins t rumen t Li ne Lea k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 3 SF.1 Drywell and Suppression Pool Temperature Following a Shutdown f rom Trans i ent Wi thout DHR or PCS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 SF.2 Loss of Drywell Cooling Event Tree Quantification Description....; 285
- SF.3 Event Tree Diagram for Isolation Transients with Loss of D rywe l l Co o l i n g . . . . . . . . . . . . . . . . .'. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 7 5F.4 Loss of Offsite Power Event Tree with Water Level ,
Me a s u r eme n t I mp l i c a t i o ns . . . . . . . . . . . . . . . . . . . ... . . . . . . . . . . . . . . . . . . . ., . 28 9 SF.5 Event Tree Diagram for Loss of Coolant and Loss of Dr ' C o o l i n g . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ............
. . . . . . . . . ywe291 ll SG.1 Summary of the Postulated Sequence Initiators Associated with the Potential Release of Water in the Reactor Building Elevation 8...................................................... 297 SG.2 Core Damage' Frequencies for Flooding Initiators.................. 298 SG.3 Event Tree Diagram for Loss of 125 V DC Bus . . . . .. . . . . . . . . . . . . . . . . .- 301 SG.4 Conditional Probability "T" the RBSWS or TBSWS Would be '
Avail abl e Foll owing Loss of RBSWS Ini ti ato r. . . . . . . . . . . . . . . . . . . . . . 306 SG.5 Event Tree Diagram for Loss of Reactor Building Service Witer Initiator........................................................ 307 e
- 9 9 e
e d l 1 xiii g
- .; .er . :sd ' ' d l. . . - ~. . - - -
ACKNOWLEDGMENT

The authors wish to thank their colleagues in the Department of Nuclear Energy at Brookhaven National Laboratory for many enlightening discussions and comments throughout this project. In particular, the help of Kenneth Perkins in the review of success criteria is much appreciated.

The work was performed for the Reliability and Risk Assessment Branch (RRAB) of the U.S. Nuclear Regulatory Commission. Mr. Ed Chow of RRAB was the technical monitor of the project. The authors wish to acknowledge Ashok Thadani, Chief, RRAB, and Arthur Buslik and Ed Chow (RRAB) for constructive comments on the preliminary and the final drafts of this report.

Finally, we would like to express our appreciation to Cheryl Conrad, Marguerite Marsch, and Nancy Nelson for an excellent job in typing this document.

NOMENCLATURE

A Large LOCA
ADS Automatic Depressurization System
A out Large LOCA outside Containment
ARI Alternate Rod Insertion
ATWS Anticipated Transient Without Scram
B o LOCA-Induced Loss of Offsite Power
BWR Boiling Water Reactor
C Scram
C A Alternate Rod Insertion
C E Electrical Failure to Scram
Cg Scram Initiation
Cg Mechanical Failure to Scram
C 2 One Standby Liquid Control Loop
C 21 Second Standby Liquid Control Loop, given C 2
CD Core Damage
CDFT Core Damage Fault Tree
CET Containment Event Tree
CM2B Common Mode Failure of 2 Batteries (Divisions 1 and 2)
CM3B Common Mode Failure of 3 Batteries (Divisions 1, 2, and 3)
CM2D Common Mode Failure of 2 Diesel Generators (Divisions 1 and 2)
CM3D Common Mode Failure of 3 Diesel Generators
CRD Control Rod Drive
D Failure of Diesel Generators and Failure to Recover of Division I or II Diesel in 2 hours
DHR Decay Heat Removal
ECCS Emergency Core Cooling System
EDG Emergency Diesel Generator
EPG Emergency Procedure Guidelines
EPS Electrical Power System
ESF Engineered Safeguard Features
ESWS Essential Service Water System
FSAR Final Safety Analysis Report
FT Fault Tree
FTA Fault Tree Analysis
FW Feedwater
G Drywell Heat Removal
HEP Human Error Probability
HPCI High Pressure Core Injection System
I Recovery of Offsite Power in 30 minutes
II Recovery of Offsite Power in 2 hours
III Recovery of Offsite Power in 4 hours
IV Recovery of Offsite Power in 10 hours
IORV Inadvertent Open Relief Valve
L Level Control and Stable Cooling Established
LOCA Loss of Coolant Accident
LOOP Loss of Offsite Power
LPCI Low Pressure Coolant Injection
LPCS Low Pressure Core Spray
M Maintain Reactor Pressure
M 3 Manual Shutdown
MOV Motor Operated Valve
MSIV Main Steam Isolation Valve
NPCC Northeast Power Coordinating Council
NPSH Net Positive Suction Head
P Safety Relief Valve Reclose
Pg or D ADS inhibit
P g One Stuck Open Relief Valve (SORV)
P 2 Two or more SORV
PCS Power Conversion System
Q Feedwater System
R Redundant Reactivity Control System
RB Reactor Building
RBCLCW Reactor Building Closed Loop Cooling Water
RBSVS Reactor Building Standby Ventilation System
RCIC Reactor Core Isolation Cooling
RCIC SC RCIC in Steam Condensing Mode
RHR Residual Heat Removal System
RHRHX RHR Heat Exchanger
RPT Recirculation Pump Trip
RPV Reactor Pressure Vessel
S 1 Intermediate LOCA in Drywell
S 2 Small LOCA in Drywell
SDV Scram Discharge Volume
SJAE Steam Jet Air Ejector
SNPS Shoreham Nuclear Power Station
SORV Stuck Open Relief Valve
SRV Safety Relief Valve
SWS Service Water System (or RBSWS = Reactor Building SWS)
TBSWS Turbine Building Service Water System
T C Loss of Condenser
T D Loss of a DC bus (Division 1 or 2)
T E Loss of Offsite Power
Tp Loss of Feedwater
T FA Isolation ATWS
Tg Inadvertent Open Relief Valve
T M MSIV Closure Transient
T MT Loss of Drywell Coolers
T R Loss of a Reference Leg in Reactor Water Level Measurement System
T 39 Loss of Service Water System
T T Turbine Trip
TAF Top of Active Fuel
U High Pressure Injection Function
U' Reactor Core Isolation Cooling System
U High Pressure Core Injection System
V Low Pressure Injection Function
V C Condensate Injection
V Low Pressure Core Cooling Systems (includes LPCI and LPCS)
X Depressurization (via Automatic Depressurization System or Manual)
W Containment Heat Removal Function (includes Residual Heat Removal System and Power Conversion System)
W' RHR or RCIC in Steam Condensing Mode
W Power Conversion System
Z The function of "MSIV reopened in the long term"

EXECUTIVE SUMMARY
This review of the Probabilistic Risk Assessment of the Shoreham Nuclear Power Station was conducted by Brookhaven National Laboratory under the sponsorship of the U.S. Nuclear Regulatory Commission. The review of the internally generated plant accident sequences which could potentially lead to core damage began in December 1983 and was concluded at the end of October 1984. Two draft versions of this report were published (November and December 1984) with the objective of soliciting comments. This version of the report is the final report incorporating comments from the NRC, the utility staff, and consultants.

The broad objective of the review was to evaluate the core damage frequency as calculated in the Shoreham Probabilistic Risk Assessment in relation to that identified in the Reactor Safety Study (WASH-1400). The review by Brookhaven included an assessment of the assumptions and methods used in the Shoreham study. The review also included a re-evaluation of the main results within the scope and general methodological framework of the Shoreham study. This included both qualitative and quantitative analyses of accident initiators, some of the data bases, and accident sequences which result in the initiation of core damage.

The review process included a meeting with the Shoreham owner and its consultants, a site visit, and one formal round of (written) questions and answers. The utility and its consultants were helpful and cooperative throughout the course of the review. The Shoreham PRA package was quite comprehensive as originally submitted, and there was no significant need to augment the information by additional submittals. Finally, comments were received from the NRC and the utility, and they were discussed with BNL in an additional meeting.

The main conclusions of this review are the following:
a. Within its stated scope, the Shoreham study is a good and comprehensive piece of work. The utility produced a study which used the basic approach and techniques of the Reactor Safety Study (event tree/fault tree methodology), but which accounted for plant-specific design differences between Shoreham and the Reactor Safety Study plant and included, in some instances, some additional details beyond those provided in the Reactor Safety Study.

b. The Brookhaven reviewers believe that the Shoreham study can be updated within its present framework and structure, by taking into account the specific recommended changes in modeling and data, as well as comments found in the main body of this review report.

c. The reviewers found that some of the analyses in the Shoreham study were rather non-conservative, i.e., led to an underestimation of core damage frequencies. In several instances, this may have resulted from insufficient justification to support an analysis or quantification of data. In some other parts of the study, the analysis was determined to be conservative, and more realistic alternatives have been put forth. However, the results of this review show that, overall, more assumptions and modeling were judged to be non-conservative than conservative.

d. Item c notwithstanding, BNL found that, in general, the SNPS-PRA approach included considerable detail and was an attempt to address the modeling of the accident sequences and their quantification as realistically as possible, based on the specific Shoreham designs and procedures and on past nuclear power plant experience.

e. Most of the BNL comments on the SNPS-PRA, and most of the BNL modifications, relate to accident sequence quantification. In many instances, error, lack of supportive evidence in the PRA, or new information from LERs or other sources were the reasons for BNL modifications to event tree quantification. Overall, the modifications resulted in large changes in the ranking of dominant accident sequences in the BNL revised results. Even though the overall change in core damage frequency is by a factor of 2.5, it includes both increases and decreases in individual sequences, so that a different ranking of dominant sequences was generated in the BNL re-assessment.

f. Within the perspective of the foregoing comments, the Shoreham study constitutes a very useful tool for identifying accident sequences that may lead to initiation of core damage. The PRA, as well as our review, reveals a hierarchy of contributors to the frequency of a variety of core damage states and indicates possible weaknesses that may require additional evaluations. Furthermore, the study could be used in implementing a program aimed at prevention of the important accident sequences. The review did not include an evaluation of the cost-benefit tradeoffs of any strategies or programs in this area, and therefore no conclusion is drawn in this regard.

g. The main quantitative results of the BNL revision along with the results of the Shoreham study are given in Table 0.1, as frequencies per plant-year of operation. The table shows that the BNL revision results are higher by a factor of three than the SNPS-PRA results. The main contributors appear to come from ATWS, LOOP, transients with scram, and internal flood initiators. Interfacing LOCA was determined to be about half an order of magnitude higher than the SNPS-PRA estimate.
h. The difference between the Shoreham and Brookhaven point value estimates for the core damage frequency can be attributed mainly to the following factors:

1. Based on an updated source of experiential data, the BNL review assessed an increase in the transient initiator frequencies which affected the ATWS sequence contribution and the MSIV closure and turbine trip transients.

2. The BNL re-assessment of the LOOP frequency is 0.15 per year for the Shoreham site compared with 0.08 per year in the SNPS-PRA. This increase is partly counterbalanced by higher LOOP recovery probabilities derived from a more recent evaluation of LERs used in the BNL re-assessment.

3. Loss of instrumentation indications in the control room also contributed to the increase in the BNL assessed LOOP initiated core damage frequency.

4. BNL calculated a higher frequency for the "excessive release of water in the reactor building" initiator (about a factor of four). A more elaborate time phased model considering the early failure of HPCI and RCIC also contributed to the increase.

5. A more refined treatment of the level instrumentation reference leg leakage and the various failure modes enabled the identification of several new sequences that were not included in the SNPS-PRA. These new sequences increased the total core damage contribution from this initiator. Since the original submittal of this review, BNL has been informed that additional level-measuring instrumentation is being added at Shoreham. Based on an informal assessment, it is judged that this instrumentation will substantially decrease the frequencies of most of the new sequences identified by BNL.

6. Revised ATWS functional event trees were developed considering Shoreham plant-specific information. The major contribution to the increase comes from the BNL initiator frequencies. Changes from event tree modification resulted in only a smaller increase.

i. Figure 0.1 depicts the SNPS-PRA and BNL results according to the five classes of core damage states considered in the SNPS-PRA. Class III (the class related to LOCA sequences) exhibited only slight changes, and Class IV (related to the ATWS sequences) increased the most, for the reasons h(1) and h(6) given above. The Class I core damage state increased mainly because of the increased contribution estimated by BNL for LOOP frequency, excessive release of water, and transients. Class II core damage frequency was also changed. This class does not lead to core damage in all cases; in many cases it results in containment failure, with the core continuing to be cooled. The increase in Class II is attributed to the inclusion of additional sequences BNL considered in the loss of service water and the LOOP transients. Loss of condenser vacuum also contributed to the increase in Class II frequency. Finally, the interfacing LOCA frequency was based in the BNL review on several precursor events of this type, rather than on LER valve data. This treatment resulted in an increase in the initiating frequency of this event.

*The Shoreham PRA used the term "core vulnerable" rather than "core damage" because damage to the core will not occur for all sequences in Class II. However, they have extended this terminology to all other classes as well. BNL believes that it is more appropriate to retain the terminology "core damage" for all classes (in order to be consistent with terminology in previous PRAs), and to note separately those special cases where core damage may not occur.
j. Figure 0.2 provides an alternative means of presenting the results. It shows that in general the BNL and SNPS-PRA results are in agreement with respect to the main class of contributors. The difference in the relative contribution of ATWS and transients is not as great as might be expected because a significant fraction of the SNPS ATWS core damage frequency was added to the transients rather than included in the "ATWS Class IV" part of the pie chart. BNL considered all ATWS sequences that result in core damage to lead eventually to Class IV* core damage.

The BNL review concluded that if improvements are to be considered, the greatest impact may be achieved in the following areas:

a. Since the submittal of the SNPS-PRA, BNL was informed that additional systems have been added to the onsite emergency system. Conceivably this may help to reduce the contribution to core damage from LOOP events and total loss of level instrumentation.

b. Staggered procedures with respect to calibration of the most important sensors. Actuation of the high and low pressure systems from another redundant pair of RPV water level sensors different from the four N091 level sensors currently employed. BNL was informed, after this review was completed, that indeed this design change is being implemented. Thus, if detailed information and a PRA update were submitted for review, the BNL assessment might well change.

c. Treatment of sequences related to the interfacing LOCA and excessive release of water. Review of emergency procedures may be one example.

d. Treatment of the ATWS sequences. Review of emergency ATWS procedures may be one example. However, BNL identified some need for additional generic physical analyses of ATWS if better understanding of operators' response time is desired.

BNL concluded that the results of the SNPS-PRA, taking into account BNL review considerations, provide an effective framework for further studies of the Shoreham plant design and operation and for evaluating modifications in those areas.

A final comment is in order regarding any possible comparison between the results of the SNPS-PRA and results of some other similar PRAs. Superficial numerical differences cannot be relied upon as indicators of relative core damage frequency; some earlier PRAs, in adhering more closely to WASH-1400 thinking, have provided results which are to some extent not as realistic in the non-conservative direction as those of the Shoreham PRA, which has advanced the conceptual basis in the direction of greater realism. Comparisons between PRAs should be made only in light of a clear understanding of where realistic credit has been taken for mitigating systems and where different assumptions have been applied. A major goal of this review has been to indicate where the SNPS-PRA has made advances in this area.

*See Appendix D for details. The basis for the BNL assumption is that there is a lack of time for the operator to inhibit ADS, as level 1 is reached promptly.
[Figure 0.1: bar chart comparing SNPS-PRA and BNL Review results for Class I, Class II, Class III, Class IV, Class V, and Total; horizontal axis: class of postulated core damage conditions.]

Figure 0.1 Summary of the Results of the Event Tree Quantification Displayed by Class of Postulated Core Damage Condition.

[Figure 0.2: pie charts of contributing accident sequences for the SNPS-PRA (core vulnerable) and the BNL Review (core damage).]

Figure 0.2 Comparison of the SNPS-PRA and the BNL Review Contributing Accident Sequences to the Calculated Core Damage Frequency (per Reactor Year) Due to the Identified Accident Sequence Contributors.
Summary Table 0.1 Comparison of SNPS-PRA and BNL Review Results

Accident Sequence Initiator | Core Damage (CD) Class: I, II**, III, IV, V | CD

Loss of Coolant Accidents (LOCA)
  SNPS 1.0E-6 1.0E-6 2.0E-6
  BNL 5.3E-7 1.3E-6 1.8E-6
Anticipated Transient Without Scram (ATWS)
  SNPS 4.0E-6 2.1E-9 1.4E-5 1.8E-5
  BNL 2.8E-8 4.5E-5 4.5E-5
Loss of Offsite AC Power (LOOP)
  SNPS 9.9E-6 1.1E-6 1.1E-5
  BNL 2.9E-5 1.4E-6 3.0E-5
Transients (Turbine Trip, Manual Shutdown, MSIV and other)
  SNPS 8.7E-6 4.8E-6 1.3E-5
  BNL 1.5E-5 6.4E-6 2.2E-5
Level Instrumentation (Reference leg and drywell cooling)
  SNPS 3.8E-6 1.2E-7 5.2E-9 3.9E-6
  BNL 1.2E-5 2.5E-8 1.5E-7 1.2E-5
Flooding at Elevation 8 of Reactor Bldg.
  SNPS 3.1E-6 7.8E-7 3.9E-6
  BNL 1.8E-5 2.0E-6 2.0E-5
LOCA Outside Drywell
  SNPS 3.7E-8 3.7E-8
  BNL 2.0E-7 2.0E-7
Loss of Service Water, or DC Bus
  SNPS 3.0E-6 7.7E-7 3.8E-6
  BNL 7.6E-6 2.4E-6 1.0E-5
TOTAL
  SNPS 3.2E-5 8.5E-6 1.0E-6 1.4E-5 3.7E-8 5.5E-5
  BNL 8.2E-5 1.3E-5 1.5E-6 4.5E-5 4.2E-7 1.4E-4

*In BNL review all ATWS sequences are assumed to lead to core damage Class IV. This is based in part on the judgment that the operator will not be able to inhibit ADS.
**Class II leads in many cases to containment failure without loss of core cooling. Therefore, only a part of Class II results in core damage.
- 1. INTRODUCTION .
This sectilon explains why a probabilistic risk assessment (PRA) was performed for the Shoreham Nuclear Power Station (SNPS), how the review of the PRA was performed by Brookhaven National Laboratory (BNL), and how this report is organized. 1.1 Back' ground The Shoreham PRA 1
,2 is a self-motivated undertaking by the Long Island Lighting Company (LILCO), the owner and operator of the Shoreham facility.
1.ILCO initiated and managed the PRA study in .ordei to provide basic data to its risk management program by evaluating the plant response beyond the normal design basis. LILCO's intention is to make use of PRA methodology to better assess the Shoreham design relative to postulated accident sequences and 'their resulting public risk. The PRA, in its first revision form, was submitted on June 24, 1983. The NRC contracted with BNL to perform an 'in-depth review of the PRA, which began in December 1983.
- The Shoreham PRA was prepared according to NRC guidelines, and is similar 3
to the Limerick -or GESSAR PRAs . with respect to scope, methodology, and data. Like the two other PRAs reviewed by BNL 5 ,6, it was carried out. with the basic approach and techniques of the RSS7 . However, plant specific feat'ures and design information were used. In many instances, more detailed modeling and recent data such as LER information were incorporated. The SNPS-PRA 8 study also addressed t'he coments on RSS made by the Lewis Committee , and LILCO reflected these comments in the SNPS-PRA as they thought appropriate.
' The BNL review was concluded at the end of October 1984. Some of the -
minor sequences were reviewed to a lesser depth than the significant ones. For example, in some cases if an in-depth, time consuming review was expected to result in much less than a factor of two change in core damage' frequency of a particular sequence, it was not undertaken. On the other hand, based on the -
- SNPS-PRA itself and on reviewers' experience with other PRAs, several addi-tional sequences were found to contribute to the core damage frequency and were included in the BNL re-assessment. In summary. most of the SNPS-PRA sequences were reviewed, and several modifications, additions, or subtractions l were made, as shown in the rest of this report.
The current report (May 1985) supersedes two previous drafts issued for soliciting comments (November, December 1984). This final report incorporates comments made on the previous drafts by NRC and by LILCO. ' i 1.2 Ob.fective. Scope, and Approach to Review I The broad objective of the BNL review of the SNPS-PRA was to evaluate ' qualitatively and quantitatively the assessment of the important accident sequences that are internally generated and lead to 'core damage initiation. To be consistent with the SNPS-PRA scope, the review excluded internally
- generated fires , but it included an assessment of the externally generated LOOP accident initiator. To carry .out this objective, BNL reviewed the 8 %j t
'~' '*~ '
assumptions and methods of the SMPS-PRA witnin its stated scope. This review included reevaluation of' the important accident sequences that may lead to core damage, their respective frequency of occurrence, the total frequency of core damage initiation, and the %act of several changes made in the assump-tions on the total frequency calculated for tne baseline case. In particular, the review included evaluations of accident initiators, data, and development and quantification of accident sequences.
~ This review of the " internally" generated accident sequences with respect to the frequency of core damage constitutes part of the work' on the SNPS-PRA - done by BNL for the NRC. Other BNL reviews consider the core melt phenome-nology and the containment analysis, and will be reported separately. . The review was performed over a one year period in two phases. In Phase ,
I, an overall review was performed and a list of questions was sent to tne utility. These were discussed in a meeting held in December 1983 between NRC, BNL, and LILCO. The review process benefitted from this productive meeting. LILCO and its consultants were entirely cooperative in providing the information needed to gain a detailed understanding of 'the PRA for the in-depth review process. - ' Responses and additional information were submitted in May 19849 . 'A report 2, " Review of Shorenam Water Level Measurement System" prepared for LILCO by S. Levy, Inc., was also part of the response package. BNL included this report in its PRA review package; whenever the SNPS-PRA is mentioned in this review, this report should be considered part of it. Phase I of tne review included an in-depth re-evaluation of the sequences following a release of excessive water into Elevation 8 of the Shorenam reac-l tor building". The report summarizing this review was . submitted to NRC in
! April 1984 Participating in Phase I were Kelyin Shiu, Yang-Ho Sun, Eshagh
! Anavim, and Ioannis A. Papazoglou. Phase II of the review took place from June to October 1984 An i n-depth review of the accident sequence modeling and systems, as well as the , data used in the SNPS-PRA, was performed. This is sumarized in the following chapters of this report. Dan Ilberg, Kelvin Shiu, Nelson Hanan, and Eshagh Anavia participated in this phase. The most important sequences were reviewed, as mentioned above. Those sequences are reassessed and the results are presented in appendices to Sec-tion 5 of this report. The quantification and " sequence modification are explained whenever they deviated from the original SNPS-PRA with the inten-tion, of providing sufficient detail to enable others to follow the review considerations. The review of the fault trees was based on comparison with the Limerick fault trees, taking into account the BNL review of the latter and
- the coments in the BNL Limerick PRA review3 . The SNPS-PRA included more I explicit modeling of functional dependences in the event trees by increasing -
! their detail. Based on the above, and based on the result of a previous review 3 indicating that Core Damage Fault Tree (CDFT) modified the results by about a f actor of two, it was determined that this approach if applied to SNPS-PRA would change the net result Dy a smaller factor. Hence, BNL judged that a CDFT approach was unnecessary for SNPS-PRA. Functional livel event trees were utilized by BNL to account for the dependence between the short and 9
~.r. . , . . - _ . . - . . _ _ . . . . _. m .a. g o' sa _. l .. - . ~
long term PCS functions (Q function vs. W and Z functions), because this seemed to be treated non-realistically (see Appendix SA) on most event trees. The scope of this review did not include uncertainty and importance anal-yses. Nevertheless, in several instances it seemed that, besides the baseline assumption, other assumptions could be made if properly substantiated. The impact of these different assumptions on the results was assessed in a limited sensitivity analysis, summarized in section 5.3, which provides some addition-al insight on range of core damage frequency va. lues that could potentially be generated for the SNPS-PRA. The SNPS-PRA should be cited for its comprehensiveness and sel f-con-tained nature which facilitated an,in-depth peer. review.
1.3 Organization of Report

Section 2 provides a description of plant modeling, which includes identification of initiating events that result in challenging of the safety systems of the plant, and a discussion of safety functions and systems important to preventing or mitigating core damage events. Section 3 contains a description of accident sequence definition, and a discussion of both the BNL revised and the SNPS-PRA event tree/fault tree approaches. Section 4 is a review of the SNPS data, including the numerical values for the initiating event frequencies used in the SNPS-PRA and the BNL assessment, and the numerical values for some of the parameters necessary for quantification of accident sequences (i.e., for LOOP time phased sequences). Section 5 covers accident sequences quantification, a brief description of the SNPS-PRA approach to quantification, the BNL modifications to the quantification, and the revised core damage frequencies. It also describes a limited sensitivity study checking the influences of a few of the assumptions on the core damage frequencies calculated for the baseline case. Appendices to Section 5 provide more detailed discussions of the event trees reviewed and include the BNL modifications along with their bases. These appendices should help others to review our considerations.

1.4 References to Section 1
1. "Probabilistic Risk Assessment Shoreham Nuclear Power Station Long Island Lighting Company, Final Report", Science Applications, Inc., June 24, 1983.
2. "Review of Shoreham Water Level Measurement System Revision 1", S. Levy, Inc., SLI-8221, November 1982.
3. "Probabilistic Risk Assessment Limerick Generating Station", Philadelphia Electric Co., Docket No. 50-352, 353, Revision 5, September 1982.
4. "Probabilistic Risk Assessment BWR/6 Standard Plant", General Electric Co., Docket No. 50-441.
5. Papazoglou, I. A., et al., "A Review of the Limerick Generating Station Probabilistic Risk Assessment", Brookhaven National Laboratory, NUREG/CR-3028, February 1983.
6. Hanan, N., et al., "A Review of BWR/6 Standard Plant Probabilistic Risk Assessment, Vol. 1 Internal Events and Core Damage Frequency", Brookhaven National Laboratory, NUREG/CR-4135P, May 1985.
7. Reactor Safety Study: "An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants", WASH-1400, NUREG/74-014, October 1975.
8. Lewis, H. W., Chairman, "Risk Assessment Review Group Report to the U.S. Nuclear Regulatory Commission", NUREG/CR-0400, September 1978.
9. LILCO's Response to Questions on Shoreham's Probabilistic Risk Assessment, Long Island Lighting Company, SNRC-1021, May 1984.
10. Shiu, K., et al., "A Review of the Sequences Following Release of Excessive Water in Elevation 8 of the Reactor Building in the Shoreham Nuclear Power Station", Brookhaven National Laboratory, NUREG/CR-4049, November 1984.
2. PLANT MODELING

The plant modeling part of the SNPS-PRA covers the identification of the initiating events that can lead to core damage, the safety functions important to preventing or mitigating core damage events, and the systems directly performing each of the safety functions, as well as the assessment of the success criteria of the safety functions and the systems. These systems are referred to as frontline systems. In addition, the plant modeling includes the identification of the support systems for each frontline system, i.e., the systems required for the function of the frontline systems.

This section has three parts. Subsection 2.1 describes the safety functions, the corresponding frontline and support systems, and their success criteria and provides a comparison with the Reactor Safety Study¹ and LGS-PRA². Subsection 2.2 discusses the particular initiating events and their partition into groups containing events having the same success criteria for the frontline systems. In both subsections, the SNPS-PRA assumptions are reviewed, evaluated, and compared with those of the Reactor Safety Study¹ (RSS). Subsection 2.3 is a summary of BNL's assessment.
2.1 Safety Functions and Corresponding Systems

2.1.1 Safety Functions and Frontline Systems

The safety functions important to preventing or mitigating the consequences of core damage following an initiating event are given in Table 2.1. These functions can be further subdivided for the SNPS into the functions given in Table 2.2, each of which is directly performed by one or more frontline systems. The frontline systems for the SNPS are given in Table 2.3, and in Table 2.4 they are compared with the corresponding systems of the BWR plant analyzed in the Reactor Safety Study (RSS-BWR) and in the LGS-PRA. A short description of SNPS frontline systems and their differences from those in the RSS-BWR and LGS follows.
Reactor Protection System (RPS) - The SNPS has incorporated several design changes, as recommended by Alternate 3 of NUREG-0460³, to reduce the probability of a failure to scram:

a) Alternate rod insertion (ARI) - this system is effective in reducing electrical common-mode failure to scram. (Similar to LGS, dissimilar to RSS.)
b) Diverse and redundant water level sensors for the Scram Discharge Volume (SDV) - this is expected to reduce the chance of an occurrence similar to that at the Browns Ferry plant. (Similar to LGS, dissimilar to RSS.)
c) MSIV closure on reactor level 1 rather than level 2.

Standby Liquid Control (SLC) - The SNPS system is different from the Alternate 3 described in NUREG-0460, which requires two automatically initiated SLC pumps with 86 GPM (43 GPM per pump). It includes two SLC pumps (43 GPM each) manually initiated, with only one pump working at any time. The RSS-BWR has two similar manually actuated SLC pumps. The LGS has three SLC pumps having automatic initiation rather than manual, allowing for two pumps injection of 86 GPM.

Reactor Core Isolation Cooling (RCIC) - There are no major differences between the SNPS, the LGS, and RSS-BWR designs. SNPS RCIC flow rate is, however, 400 GPM compared with 600 GPM in the other two BWRs. This is a 10% reduction in flow rate corresponding to the power difference between the reactors.

High Pressure Coolant Injection (HPCI) - The major difference is that, for SNPS and the RSS-BWR, HPCI injects into a feedwater line, whereas for the LGS, HPCI injection is split between the core spray injection line and the feedwater line.

Control Rod Drive (CRD) - There are no major differences between the SNPS, the LGS, and RSS-BWR designs. No credit to this system is given in the PRA or BNL assessment, even though it may provide successful high pressure injection two hours after initiation of several transients. The effect is not very large (see Table 5.15).

Automatic Depressurization System (ADS) - The SNPS-ADS system has three separate compressed gas supplies; these are (1) compressed nitrogen, (2) plant air backup, and (3) accumulators (see Table 2.4). It incorporates the following additional features beyond the RSS-BWR and LGS-PRA*:

a) SNPS has an automatic initiation of ADS upon low level signal (level 1).
b) SNPS has individual accumulators to store pneumatic energy for each SRV operation. Each accumulator is sized to provide five actuations.
c) Each SRV has two solenoid pilot valves.
d) After receipt of the automatic ADS initiation signal, a timer provides two minutes delay to allow operator to inhibit before actual ADS initiation.

Low Pressure Coolant Injection (LPCI)

a) The SNPS and the RSS-BWR LPCI system primary mode is to inject water into the recirculation loops to ensure injection into the intact loop. The LGS LPCI system injects water directly into the core shroud through four separate injection lines.
b) The LGS pumps can pump saturated water. The RSS-BWR LPCI pumps have net positive suction head (NPSH) requirements which may not always be met and could lead to pump failure. This is particularly important if there is excessive containment leakage. The SNPS-PRA states that the LPCI NPSH appears to be marginal at saturated pool temperature and containment atmospheric pressure. However, calculations show the NPSH to be adequate.

*LGS has recently modified its ADS initiation logic.
Low Pressure Core Spray (LPCS) - The SNPS and LGS core spray pumps can pump saturated water. The RSS-BWR pumps have NPSH requirements which may not always be met. All three plants have two redundant loops, but the SNPS utilizes one pump per loop whereas the others have two pumps per loop.

Residual Heat Removal (RHR) - The major differences between the SNPS, RSS-BWR, and LGS RHR systems are: (1) two RHR heat exchangers for LGS and SNPS, compared with four RHR heat exchangers for the RSS-BWR and (2) credit was taken for the steam condensing mode* of RHR only in the SNPS-PRA. The SNPS and LGS pumps cannot pump saturated water. However, if saturation conditions exist in the reactor pressure vessel only, both plants can still pump.

Containment Sprays - All three reactors have a manually actuated containment spray system that can spray either the drywell or the wetwell volumes.
*Shoreham does not regularly use the steam condensing mode. Section 5.3 shows the effect on Class II core damage when no credit is given to the steam condensing mode (see Table 5-15).

2.1.2 Success Criteria for the Frontline Systems

The SNPS-PRA considers four general classes of initiating events:

1) Loss-of-coolant accidents (LOCAs),
2) Transients with successful scram,
3) Anticipated transients without scram (ATWS),
4) Low frequency transients of special interest.

The choice of initiating events is discussed in detail in Section 2.2.

The success criteria for the systems available to provide successful termination of an initiating event without leading to core damage are summarized in Tables 2.5 and 2.7 (taken from the SNPS-PRA report). They are defined in terms of the minimum number of systems required to prevent excessive fuel clad temperature and to remove decay heat. The success criteria used in the SNPS-PRA represent "realistic" requirements and do not necessarily correspond to Final Safety Analysis Report (FSAR) criteria and/or predictions. The SNPS criteria were developed in part from vendor deterministic analyses⁵. Here the SNPS-PRA departs from the Reactor Safety Study, where FSAR criteria were used. In the following three subsections the success criteria assumed in the SNPS-PRA are compared with those in the RSS and the LGS-PRA for the first three major classes of initiating events, and BNL review comments or changes to SNPS success criteria are given. The fourth class (low frequency transients) has the same success criteria as do the anticipated transients and is covered in Section 2.1.2.2.

2.1.2.1 Success Criteria for LOCA Initiators

Table 2.6 compares the success criteria for LOCA initiating events (with successful scram) for the SNPS, LGS, and RSS-BWR. It shows the required systems for both steam and liquid breaks as a function of the break size. Major differences are as follows:
1. The RSS distinguishes between injection and recirculation phases for large breaks in which only low pressure systems are adequate. This results in a stricter requirement for the injection phase for the RSS-BWR than that for SNPS.
2. The RSS-BWR requires operation of four ADS valves for depressurization following small and medium break LOCA vs. three ADS valves for the SNPS.
3. In the small LOCA case, the SNPS takes credit for successful high pressure injection using the feedwater system when the MSIVs remain open or can be reopened within 30 minutes.
4. In the LOCA cases, the RSS-BWR and the LGS-PRA require only one LPCS pump or one LPCI pump to operate for successful low pressure injection. For the SNPS, in addition to the above, injection with one condensate pump is also considered a success. (In the BNL review, the condensate pump is assumed to be a success for medium or small LOCA only.)
5. The SNPS analysis takes credit for the PCS as a means of long-term cooling for the small and medium LOCA based on successful reopening of one or more MSIVs. The LGS-PRA also takes credit for PCS in the case of small and medium LOCAs, but the RSS does not.
6. The RSS-BWR analysis takes credit for one CRD pump as a means of injection for steam breaks of less than 1 in. diameter or liquid breaks of less than 0.6 in. diameter. The SNPS-PRA and LGS-PRA took no credit for CRD pump injection.

Table 2.6 shows that the LOCA success criteria for the three plants are in general agreement; use of the PCS for injection and long-term cooling of the core is the most notable difference between the SNPS and the RSS-BWR. Table 2.4 shows that HPCI and LPCI are sized in proportion to each plant's thermal power (smaller by a factor of 0.75 for SNPS than for LGS or RSS-BWR). However, the RCIC is rated 10% less for the SNPS than the equivalent flow rate in LGS or RSS-BWR if their RCIC were scaled down by the 0.75 power ratio factor.

For its re-assessment, BNL in general accepted the SNPS LOCA success criteria given in Table 2.5. One exception is for large LOCA liquid line breaks connecting to the RPV below the top of the core. Due to the lack of supporting results of a best-estimate analysis for core cooling given a large LOCA and a condensate pump injection of 1000 gpm, BNL can only provide a limited assessment of the adequacy of condensate pump injection. Based on engineering judgement, the following success criteria were applied by BNL for the large LOCA case:

(1) Large LOCA break is above the core: Condensate pump injection of 1000 gpm is successful.
(2) Large LOCA break is below the core: Condensate pump injection of 1000 gpm is unsuccessful.

The basis for the judgement of adequate cooling in the first case stems from the assumption that the core will be covered in this case, and only steam will be able to discharge through the break. The steaming rate corresponds to the decay heat of the core, which can be replenished by the 1000 gpm injection. The BNL judgement for case (2) is that the makeup capability of 1000 gpm to the hotwell would not be sufficient for compensating the flow out of the break and steaming out of the assumed open ADS.

The success criteria for the different types of LOCA can be defined also in terms of system effectiveness rather than according to break size:

Large LOCA: No ADS is required. High pressure injection, as well as PCS, is inoperable. The condensate pump would be capable of about 1000 gpm for long duration, which is assumed insufficient for large break (liquid) (e.g., larger than 10"+).

Medium LOCA: ADS is needed as well as HPCI, but RCIC is not an effective injection mode. The effectiveness of PCS is unclear, and two assumptions are used in the sensitivity study (see Section 5.3 in Table 5.15; the impact is seen to be small). The baseline gives credit for PCS in medium LOCA for both injection and long term heat removal.

Small LOCA: ADS is needed, and RCIC is effective as well as the PCS.

The LOCA initiating events were further subdivided into LOCAs inside and outside drywell. The latter include the following:

1. Steamline or main feedwater breaks outside containment (within the reactor building).
2. Breaks in the HPCI/RCIC steam supply or pump discharge lines.
3. Interfacing LOCAs in low pressure systems.

The success criteria for these cases remain unchanged.
2.1.2.2 Success Criteria for Transient Initiators

The success criteria for transient initiating events (with successful scram) for the SNPS-PRA, given in Table 2.5, are similar to those for the LGS and RSS-BWR, with the following exceptions.

1. For transient initiators, the RSS-BWR applies the small LOCA success criteria given in the FSAR. It is noted in RSS (page I-67) that these criteria were selected in attempt to be conservative. The SNPS and LGS use more realistic analysis (deterministic analysis performed by the vendor) as their basis.
2. The RSS-BWR requires operation of four ADS valves out of five for depressurization following a transient in which low pressure injection systems are required; the LGS requires only two out of seven; the SNPS requires three out of seven. These differences have little impact on ADS unavailability because the dominant contributors are loss of nitrogen supply, maintenance, calibration errors, and other commonalities of all ADS valves.

The more realistic success criteria used in the SNPS-PRA for the transient initiators are considered reasonable on the basis of NEDO-24708. One exception is the assumption that RCIC is capable of supplying adequate vessel water makeup to an isolated reactor with two stuck open relief valves. The validity of this assumption remains to be verified.

The BNL assessment assumes that in the case of a transient with coincident two stuck open relief valves (2 SORVs), RCIC would not be effective, the reactor will depressurize in less than 2 hours, and low pressure injection will be required later on. This is similar to the medium LOCA case. However, relatively more credit to the PCS is given in the transient with 2 SORVs sequences.

2.1.2.3 Success Criteria for ATWS Initiators

This section presents the SNPS-PRA and the BNL reassessed success criteria for ATWS initiators. There are no comparable criteria for the RSS-BWR since ATWS was not evaluated in as much detail.

Table 2.7 gives the Shoreham ATWS success criteria for six initiators, listed in the first column. The other columns indicate the failure of various mitigation functions, with "A" denoting an acceptable condition and "N" an unacceptable one. These success criteria are derived from a GE report and a KMC letter⁸.

BNL reviewed these two documents to determine the applicability and the reasonableness of the results as they relate to SNPS. The GE report was prepared on a generic basis, analyzing the BWR-4 Mark I plant, with the assumption of an automatic SLC system that can deliver 86 GPM of boron to the core upon actuation. This is to be compared with the Shoreham design in
which SLC initiation is manual and the maximum boron injection rate into the core is 43 GPM. Given the critical nature of the SLC initiation time and the amount of boron that can be injected into the core, the GE report provides only limited insights in the determination of the SNPS ATWS success criteria.

The KMC letter gives the results of an analysis modeling a generic BWR-4 reactor with a Mark I containment. It also includes some sensitivity results on the effects upon suppression pool temperature of 43 GPM versus 86 GPM SLC system injection rate and of the time delay in initiating the SLC system. It discusses the reasoning behind the selection of a maximum suppression pool temperature limit of 285°F. This limit should be contrasted with the 240°F cited in the SNPS-PRA, where 240°F is considered to be an unacceptable plant condition. Both documents assume in their calculation that the RHR system would be operational within a short time, in the range of 3 to 11 minutes.
Because of the lack of detailed results of the ATWS analysis, BNL can provide only limited assessment of the adequacy of the ATWS success criteria. Revisions made to the criteria are based on the two documents used in the SNPS-PRA and on engineering judgment. SNPS plant specific information in these areas and additional information pertinent to the determination of these criteria could potentially affect the results.

The revised set of ATWS success criteria given in Table 2.8 is basically the same as that of the SNPS-PRA except for two areas. The first is the success of the decay heat removal system. The SNPS criteria indicate that since the condenser is available, the operability of the RHR should be optional. BNL is of the opinion that the information in the two referenced documents does not provide enough detail to support the assumption that the condenser with one or no RHR loops is sufficient to maintain suppression pool temperature for a turbine trip event. If there is immediate feedwater runback and the reactor power level is reduced quickly, by lowering the water level, to below the maximum condenser limit without a MSIV closure, the SNPS-PRA criteria appear to be reasonable. If, however, feedwater runback does not occur immediately or if the water level is maintained high, then excessive heat (for which containment heat removal needs to be provided) would be discharged into the suppression pool, making the success of RHR loop critical. In the BNL revised criteria, failure of any RHR loop is assumed to be an unsuccessful sequence.

In a related way, the SNPS loss of feedwater ATWS success criteria stipulated that failure of one RHR loop is considered to be a successful event. In this case, feedwater is automatically terminated by the initiating event, and the reactor power can be accommodated by the condenser only if the water level inside the vessel is further lowered; otherwise, the power level may still be a few percent above the condenser limit. BNL also assumed in the re-assessment of accident sequences that all RHR loops must be operational for containment heat removal purposes.

BNL also considers the results from analyses insufficient to justify the allowed SLC initiation time of 2 to 30 minutes; in fact, evidence appears to indicate the contrary. BNL assumes that if the SLC system is initiated within a 10 minute period, then the accident sequence is considered successful. A discussion of the physical analysis performed⁵ for an ATWS accident sequence appears in Appendix 5D.3.

2.1.3 Support Systems

Each of the main systems supporting the frontline systems in the SNPS-PRA, listed in Table 2.9, is briefly discussed here.

2.1.3.1 Electric Power System (EPS)

Three subsystems of the EPS are considered in accordance with their impact on frontline systems:
1. Offsite Power: SNPS has three incoming offsite transmission lines. It has two separated switchyards.
2. AC emergency power subsystem of the EPS: The SNPS-PRA analysis is based on the availability of three diesel generators and a gas turbine without black start onsite*, available to supply power to three emergency AC bus divisions, but only two divisions supply most of the redundant safety systems, as division III basically supplies power to two out of four LPCI, SWS, and RHR pumps.
3. DC-EPS: Three DC divisions with batteries are provided, but division III supplies two out of four RHR or LPCI actuation only.

The EPS for SNPS, LGS, and RSS-BWR are compared in Table 2.10.
2.1.3.2 Emergency Service Water (ESW)

Apparently, the LGS ESWS has more redundancy than the SNPS-PRA SWS, as shown by the partial comparison in Table 2.4; other backup systems are available in the plants such as normal NSW in LGS and TBSWS in SNPS.

2.1.3.3 Plant Air and Compressed Nitrogen Systems

The redundancy of the plant air and nitrogen systems in the SNPS and LGS is comparable with that in the RSS-BWR, as seen in Table 2.4.

2.2 Initiating Events

This discussion of the initiating events that could challenge the safety systems is divided into three parts. The first describes the approach used in the SNPS-PRA, the second compares this with the LGS and RSS-BWR approaches, and the third presents the results of the BNL review with respect to the choice of initiating events.

The SNPS-PRA considers four general classes of initiating events:

a. Loss-of-Coolant Accidents (LOCAs),
b. Transients with successful scram,
c. Anticipated transients without scram (ATWS),
d. Other low frequency accident initiators.
*The onsite AC emergency power subsystem has been upgraded since the SNPS-PRA was prepared. The BNL review refers to the original configuration.

2.2.1 SNPS Initiators' Selection

2.2.1.1 LOCA Initiators

The LOCA initiators are subdivided into three groups according to the equivalent size of the break and the corresponding success criteria for the frontline systems:

a. Large LOCAs - equivalent break size diameter about 4 in. or more, for liquid or steam breaks.
b. Medium LOCAs - 1 in. < equivalent diameter < 4 in., for liquid break; 1.7 in. < equivalent diameter < 4 in., for steam break.
c. Small LOCAs - equivalent break size diameter about 1 in. or less for liquid break and about 1.7 inch or less for steam break.

The LOCA initiators are further subdivided into two groups, by break location: outside drywell within reactor building, and within drywell.
2.2.1.2 Transient with Successful Scram

The transient initiators for which scram is successful are divided into seven groups, where the transients in each group impose the same success requirements on the frontline systems.

1. Transients that result in turbine trip.
2. Transients caused by MSIV closure which lead to isolation of the reactor vessel from the main condenser.
3. Transients following loss of feedwater flow.
4. Transients resulting from loss of condenser.
5. Transients resulting from loss of offsite power.
6. Transients resulting from inadvertent open relief valve (IORV).
7. Orderly and controlled manual shutdown.

The transient initiators in these groups were obtained from an EPRI survey of operating experience with BWRs in which 37 were identified. These are listed in Table 2.11 and categorized into the first six groups. This categorization of the transient initiators has been reviewed and is considered acceptable.

A recent change in the SNPS control logic (for ATWS purposes) helps to show the advantage of the more detailed grouping of the isolation initiators. The MSIV closure set point has been moved from reactor level 2 [10 ft above top of active fuel (TAF)] to reactor level 1 (2 ft above TAF). As a result the frequency of a transient with subsequent MSIV closure on low level may decrease because more time for operator recovery actions would be available. The separation of isolation transients into MSIV closure, loss of feedwater, and loss of condenser events allows a more realistic modeling of feedwater recovery between level 2 and level 1. Credit for such a change in the control logic could hardly impact the plant PRA unless the number of transient groups is increased to differentiate between the various isolation transients.

The MSIV closure transient is a more severe challenge than turbine trip or loss of feedwater flow. On the other hand, as will be seen in Section 5.2, loss of condenser is more severe than MSIV closure. The groupings resulted in a smaller contribution from the isolation transients, because the more severe loss of condenser transient has only one third the frequency of isolation transients. This grouping allows also for more meaningful feedback from LERs.
2.2.1.3 ATWS: Anticipated Transient Without Scram

If the reactor protection system fails to scram the reactor after an initiating event in any of the first six transient groups, then an ATWS results. Six groups of ATWS initiators were, therefore, considered.

1. Turbine trip ATWS
2. MSIV closure ATWS
3. Loss of feedwater flow ATWS
4. Loss of condenser ATWS
5. Loss of offsite power ATWS
6. IORV ATWS

For the ATWS sequence evaluation and quantification, initiators 2 and 4 were eventually combined.

The completeness of the list of initiating events considered in the SNPS-PRA was evaluated by comparisons with the Reactor Safety Study and other BWR-PRAs.
2.2.2 Comparison with Reactor Safety Study and Other PRAs

2.2.2.1 Comparison with RSS-BWR

In the RSS, all transient initiating events were grouped together and a single event tree was developed. The 15 likely transient initiators considered in the RSS (Table 2.12) are all included in the SNPS-PRA list. Worst case assumptions were made about the required responses and availability of the frontline systems in the single transient event tree of the RSS; the SNPS-PRA approach of creating seven groups of transient initiators is a more realistic approach. Furthermore, in the RSS, a failure to scram leads directly to core damage, whereas, in the SNPS-PRA, each failure to scram is classified into one of the ATWS groups and a detailed plant response is considered. In this regard also, the SNPS-PRA is more realistic than the RSS.

For the LOCA initiators, the SNPS-PRA considers three groups according to the equivalent break size, as does the RSS. Interfacing LOCA is considered in the SNPS in greater detail than in the RSS-BWR. Additional attention is given to the effects of LOCA in the reactor building (see Appendix 5C.2).

The reactor vessel rupture initiator is handled the same way in both studies. That is, large and medium-size ruptures are considered to be among the large and medium LOCA initiators, respectively, and massive reactor vessel ruptures are considered to be within suppression pool capability in most cases and cause it to breach with a small probability. BNL did not review this initiator frequency.

Thus, overall, the handling of the initiating events in the SNPS-PRA is more detailed and realistic than in the RSS.

2.2.2.2 Comparison with RSSMAP Grand Gulf

The Grand Gulf study considered two transient initiator groups, one consisting of the loss of offsite power and one covering all others. A single event tree was then used to model the plant response to the two transient initiating events considered.
LOCA initiators were first partitioned according to two break sizes and then a single event tree was developed to represent the entire spectrum of break sizes.

It follows that the SNPS-PRA treatment of initiating events is more detailed and realistic than that of the Grand Gulf Study.

2.2.2.3 Comparison with the Big Rock Point (BRP) PRAs

In the BRP study, the selection of initiating events was based on a review of plant and industry experience for precursors to significant accident sequences. Failures that would require an active response of the plant were classified as transients, loss-of-coolant accidents, or anticipated transients without scram. External events, although treated in the BRP study, are not included in the comparison in order to be consistent with the scope of the SNPS-PRA. Table 2.13 shows the initiating events for which BRP event trees were developed and their frequencies.

For the initiating events considered in the BRP PRA and not treated separately in many past PRAs, the following remarks are made:

1. Loss of instrument air initiator. This was given a frequency of 6x10-'/yr and was found to contribute less than 5% to the total core melt frequency in the BRP PRA. In the SNPS, failures due to loss of compressed air are treated in the system fault trees. The use of accumulators for providing at least five ADS actuations for each SRV valve and the use of backup air supply resulted in system unavailability of =3x10 , which contributes =7% to core damage frequency, in both the PRA and the BNL review.
2. Steam line break outside containment. According to the RSS, the associated accident sequences leading to core damage are several orders of magnitude smaller than that of the sequences covered in the large LOCA tree. In the BRP PRA, it is 0.2% of the total core damage frequency. In the SNPS-PRA these sequences are studied in detail (see Appendix 5C.2), and they contribute only =0.02%.
- ~
WD4p" N 1,a
- J '
j W" '/'
~
2.2.2.4 Comparison with LGS 5 and GESSARS PRAs
These two PRAs include more detailed selection of initiating events than do the RSS-BWR, Grand Gulf, and BRP-PRAs discussed previously, yet the SNPS-PRA includes all the initiating events of these two PRAs. In particular, the following are considered in greater detail than in the LGS-PRA, and in many cases, also in the GESSAR PRA.

a. LOCAs:
   1. Interfacing system LOCA is treated in detail.
   2. A treatment of steam line or main feedwater breaks outside containment (within the Reactor Building).
   3. A treatment of breaks in the HPCI/RCIC steam supply or pump discharge lines.

b. Transients with Successful Scram. Isolation transients were separated into:
   1. MSIV closure.
   2. Loss of feedwater flow.
   3. Loss of condenser.

c. Transient without Scram
   1. Loss of feedwater flow was treated separately from other isolation ATWS.

d. Other Low Frequency Accident Initiators:
   1. Loss of a reference leg leading to loss of measured water level.
   2. Loss of drywell cooling.
   3. Loss of a DC bus.
   4. Loss of the service water system.
   5. Reactor building elevation 8 flooding following a postulated release of excessive water.
Like other BWR PRAs, the SNPS-PRA does not discuss the failure of RCP seal following a station blackout.

2.3 BNL Assessment of the SNPS-PRA Initiating Events and Success Criteria

As seen in the preceding section, the SNPS-PRA has gone into great detail in the selection of initiating events. This has resulted in a more realistic analysis that more closely follows the progression of the accident sequence. It avoids the need to assume mitigating systems' failure based on the worst case response to the most severe initiator within a lumped group of initiators. Furthermore, the addition of special treatment of low frequency initiating events improves the insight into the sources of the contributors to core damage frequency in this plant. This last group of separately treated initiators is responsible for one-fourth of the SNPS core damage frequency.

BNL has accepted the list of initiating events and grouping of the SNPS-PRA without significant changes. The increased detail in the initiators required a similar increase in the use of data and modeling to determine the frequencies of the initiating events and their course of progression. The SNPS approaches to accident sequence definition and data assessment are the subject of the next two sections and are given along with the BNL comments and independent assessment.

BNL, in general, accepted the success criteria used by the SNPS-PRA. The same frontline and support systems used by SNPS are also used in BNL's reassessment described below. Note that credit for the CRD system was not taken in either assessment even though it might be shown to be a conservative assumption. However, the impact on core damage frequency is small, as seen from Table 5.15, which shows the impact of credit given to the CRD system.

The changes made by BNL with respect to success criteria are the following:

1. RCIC is assumed incapable of preventing core uncovery in case of two stuck open relief valves.

2. HPCI is successful for two hours in the above case, but later only low pressure injection will be effective. However, at that time ADS would not be required.

3. In the original Table 2.5, which is taken from the SNPS-PRA, it is stated that condensate injection or PCS would not be considered for Medium or Large LOCA, but the corresponding SNPS-PRA event trees take some credit for these systems (see note 5 in Table 2.5). This credit results in some decrease of the Class IIIC core damage state (see Appendix 5C.1 and Table 5.15). BNL accepted this success criteria for small, medium, and large break LOCAs where the break is above the core. However, additional analyses need to be provided to substantiate credit given in SNPS-PRA for the liquid line large breaks at or below core level. Also, the procedures for replenishing hot well inventory should be provided.

4. Failure of any RHR loop is assumed to be an unsuccessful ATWS sequence for turbine trip and loss of feedwater initiators. Additional SNPS plant specific analyses pertinent to the determination of the increase in suppression pool temperature during ATWS events could potentially affect these criteria.

5. SLC initiation time between 2 and 10 minutes is considered a successful ATWS sequence. Results of analysis are insufficient to justify the allowed time period between 2 and 30 minutes used in the SNPS-PRA.
2.4 References to Section 2

1. Reactor Safety Study: "An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants", WASH-1400, NUREG/75-014, October 1975.
2. "Probabilistic Risk Assessment Limerick Generating Station", Philadelphia Electric Company, Docket No. 50-352, 353, Rev. 5, September 1982.
3. "Anticipated Transient Without Scram for Light Water Reactors", U.S. Nuclear Regulatory Commission, NUREG-0460.
4. "Additional Information Required for NRC Staff Generic Report on Boiling Water Reactors", GE Report NEDO-24708, December 1980.
5. "Assessment of BWR Mitigation of ATWS", GE Report NEDE-24222, Vols. 1 & 2, December 1979.
6. "Anticipated Transients Without Scram: A Reappraisal, Part 3--Frequency of Anticipated Transients", EPRI NP-2230, January 1982 (SNPS-PRA used the previous edition of this report--EPRI NP-801, 1978).
7. Hatch, S. W., "Reactor Safety Study Methodology Application Program: Grand Gulf #1 BWR Power Plant", NUREG/CR-1659/4 of 4, October 1981.
8. "Consumer Power Company Probabilistic Risk Assessment of Big Rock Point Plant", October 1981.
9. "Probabilistic Risk Assessment BWR/6 Standard Plant", General Electric Company, Docket 50-447.
10. Knuth (KMC) to Graves (NRC), "Supplement ATWS Evaluations," letter dated December 2, 1982.
11. Private communication with LILCO personnel (1984).
Table 2.1 Safety Functions Required for Initiating Events

1) Render reactor subcritical
2) Protect reactor coolant system from overpressure failure
3) Remove decay and sensible heat from core
4) Protect containment from overpressure
5) Scrub radioactivity from containment atmosphere

Table 2.2 Safety Functions for Shoreham Nuclear Power Station

1) Render reactor subcritical
2) Protect reactor coolant system from overpressure failure
3) High pressure injection of coolant into core
4) Depressurization
5) Low pressure injection of coolant into core
6) Drywell heat removal
7) Containment heat removal
8) Scrub radioactivity from containment atmosphere*

*Not considered in the review summarized in this report.
Table 2.3 Frontline Systems for Shoreham Nuclear Power Station

Safety Function: Frontline Systems

1) Reactor subcriticality:
   1) Reactor protection system
   2) Recirculation pump trip
   3) Alternate rod insertion
   4) Standby liquid control
2) Reactor coolant system overpressure protection:
   5) 11 Safety relief valves (SRV)
3) High pressure injection:
   6) RCIC
   7) HPCI
   8) CRD*
   9) Feedwater system with power conversion system
4) Depressurization:
   10) Automatic depressurization system (7 of the 11 SRVs used for this function)
   11) Manual depressurization
5) Low pressure injection:
   12) LPCI
   13) LPCS
   14) Condensate pumps
6) Drywell heat removal:
   15) Drywell coolers
   16) Containment sprays
7) Containment heat removal:
   17) RHR
   18) PCS
   19) Suppression pool
8) Scrub radioactivity from containment atmosphere:
   20) Suppression pool*
   21) Containment spray

*This system was not considered in the PRA front end analysis.
Table 2.4 Comparison of SNPS, LGS, and RSS-BWR Safety Systems

Power (MWt)
  SNPS: 2436
  LGS: 3293
  RSS-BWR: 3293
Containment
  SNPS: MK-II (concrete with steel liner)
  LGS: MK-II (concrete with steel liner)
  RSS-BWR: MK-I (free standing steel)
# Relief valves
  SNPS: 11 SRVs
  LGS: 14 SRVs
  RSS-BWR: 11 SRVs
# Safety valves
  SNPS: ---
  LGS: ---
  RSS-BWR: 2
RCIC
  SNPS: 400 gpm
  LGS: 600 gpm
  RSS-BWR: 600 gpm
HPCI
  SNPS: 4250 gpm
  LGS: 5600 gpm minimum
  RSS-BWR: 5000 gpm
LPCI
  SNPS: 4 pumps, 10,000 gpm per pump with 2 loops
  LGS: 4 pumps, 10,000 gpm per pump with 4 loops
  RSS-BWR: 4 pumps, 10,000 gpm per pump with 2 loops
LPCS
  SNPS: 2 loops, 4725 gpm per loop with 1 pump per loop
  LGS: 2 loops, 6350 gpm per loop with 2 pumps per loop
  RSS-BWR: 2 loops, 6250 gpm per loop with 2 pumps per loop
ADS Valves
  SNPS: 7 SRVs
  LGS: 5 SRVs
  RSS-BWR: 5 relief valves
RHRHX
  SNPS: 2, cooled by SWS
  LGS: 2, cooled by RHRSW
  RSS-BWR: 4, cooled by HPSW
EDG
  SNPS: 3
  LGS: 4
  RSS-BWR: 4, shared by 2 units
RPS
  SNPS: Has ARI, RPT
  LGS: Has ARI, RPT
  RSS-BWR: Has RPT
SLC
  SNPS: 2 pumps, manual actuation, 43 gpm per pump (one pump at a time)
  LGS: 3 pumps, automatic actuation, 43 gpm per pump (2 pumps at a time)
  RSS-BWR: 2 pumps, manual actuation
RHR
  SNPS: 2 loops with 2 pumps (100%) per loop. Each provides 7700 gpm. Each loop serves 1 RHRHX.
  LGS: 2 loops with 2 100% pumps per loop. Each loop serves 1 RHRHX for each unit (i.e., shared between units).
  RSS-BWR: ---
HPWS
  SNPS: ---
  LGS: ---
  RSS-BWR: 4 pumps, 100% each, no cross-connection with other unit considered
ESW
  SNPS: 2 100% loops with 2 50% capacity pumps per loop. Each pump 8000 gpm.
  LGS: 2 100% loops with 2 50% capacity pumps per loop. Shared between units.
  RSS-BWR: 1 100% pump per unit
FW and Condensate
  SNPS: 2 turbine-driven feed pumps. 2 electric condensate and booster pumps.
  LGS: 3 turbine-driven feed pumps and 3 electric-driven condensate pumps.
  RSS-BWR: 3 turbine-driven feed pumps and 3 electric-driven condensate pumps.
Containment Sprays
  SNPS: Manually actuated, sprays either the drywell or wetwell.
  LGS: Manually actuated, sprays either the drywell or wetwell.
  RSS-BWR: Manually actuated, sprays either the drywell or wetwell.
Plant Air and Compressed Nitrogen
  SNPS: Compressed nitrogen, plant air backup and accumulators (allowing five SRV actuations).
  LGS: Compressed nitrogen, plant air backup and accumulators (allowing five SRV actuations).
  RSS-BWR: Compressed air and plant air backup.
Table 2.5(1) Summary of Success Criteria for the Mitigating Systems, Tabulated as a Function of Accident Initiators (LOCAs and Transients with Successful Scram)

Large LOCA (steam break ≥0.08 ft2; liquid break ≥0.1 ft2)
  Coolant injection: 1 of 4 LPCI pumps OR 1 of 2 core spray pumps OR 1 condensate pump (5,7)
  Containment heat removal: 1 RHR

Medium LOCA (steam break 0.016 to 0.08 ft2; liquid break 0.004 to 0.1 ft2)
  Coolant injection: HPCI OR [(1 of 4 LPCI pumps OR 1 of 2 CS pumps OR 1 condensate pump (5)) and ADS (2)]
  Containment heat removal: 1 RHR OR PCS (5)

Small LOCA (steam break <0.016 ft2; liquid break <0.004 ft2)
  Coolant injection: HPCI OR RCIC OR 1 feedwater pump OR [(1 of 2 CS pumps OR 1 of 4 LPCI pumps OR 1 condensate pump) and ADS (2)]
  Containment heat removal: PCS OR 1 RHR OR RCIC in steam condensing mode (6)

Transient (including Transient + 1 SORV)
  Coolant injection: Same as small LOCA
  Containment heat removal: Same as small LOCA

IORV (3)
  Coolant injection: Same as small LOCA
  Containment heat removal: Same as small LOCA

Transient + 2 SORVs
  Coolant injection: (1 of 2 CS pumps OR 1 of 4 LPCI pumps OR 1 condensate pump) and ADS (4)
  Containment heat removal: 1 RHR OR PCS

(1) This is Table 1.5.2 of the SNPS-PRA, but includes corrections made according to their use in the PRA event trees (5).
(2) ADS requires operation of only three safety/relief valves for adequate depressurization.
(3) This line added by BNL reviewers and is different from SNPS-PRA.
(4) Feedwater or HPCI and the ADS functions are required, in this case, only for the first 2 to 3 hours. After this, RPV pressure is assumed below 100 psi.
(5) These are corrections made to the original SNPS-PRA Table 1.5.2 based on the actual use in the PRA event trees.
(6) This option, considered in SNPS-PRA, is not regularly used by SNPS. The effect of this change is given in Section 5.3, Table 5.15.
(7) BNL considered condensate pump injection unsuccessful for large LOCA because the replenishing capability of the hotwell is about 1000 gpm, which may not suffice.
Table 2.6 LOCA Success Criteria

[Table body not recoverable from the scanned source. Columns: SNPS, LGS, and RSS-BWR, each for steam and liquid breaks, by equivalent break diameter; rows give the injection and recirculation success criteria.]

A: Large LOCA. S1: Medium LOCA. S2: Small LOCA.
Table 2.8 BNL Review: Success Criteria for ATWS Accident Sequences Based on Modifications Implemented at Shoreham

[Table body and footnotes not recoverable from the scanned source.]

A = Acceptable (successful); acceptable implies no significant fuel damage and suppression pool temperatures less than 244°F.
N = Not acceptable (not successful).
Table 2.9 Support Systems for Shoreham Nuclear Power Station

Frontline System: Support Systems

1) Reactor Protection System: 1) AC/DC - Electric Power System (EPS)
2) Alternate Rod Insertion: 1) AC/DC - Electric Power System
3) Standby Liquid Control: 1) AC/DC - Electric Power System
4) Recirculation pump trip: 1) AC/DC - Offsite Power
5) High Pressure Core Injection, HPCI: 1) DC* - Electric Power System; 2) Condensate Storage Tank
6) Reactor Core Isolation Cooling, RCIC: 1) DC - Electric Power System; 2) Condensate Storage Tank
7) Feedwater System: 1) AC/DC - Offsite Power
8) Automatic Depressurization System (7 SRVs used for this function): 1) DC* - Electric Power System; 2) Compressed Nitrogen System / Plant Air System
9) Manual Depressurization: 1) DC - Electric Power System; 2) Compressed Nitrogen System / Plant Air System
10) Low Pressure Core Injection, LPCI: 1) AC/DC - Electric Power System; 2) Service Water System
11) Low Pressure Core Spray, LPCS: 1) AC/DC - Electric Power System; 2) Service Water System
12) Condensate Pumps: 1) AC - Offsite Power; 2) Condensate Storage Tank
13) Residual Heat Removal, RHR: 1) AC - Electric Power System; 2) Service Water System
14) Power Conversion System, PCS: 1) AC/DC - Offsite Power
15) Room Coolers: 1) AC - Offsite Power (Manual Transfer to EPS); 2) Service Water System
16) Suppression Pool: -----
17) Containment Sprays: 1) AC - Electric Power System; 2) Service Water System

*ADS is dependent on the operation of one LPCI or LPCS pump, which is unavailable upon loss of AC power.
Table 2.10 Electric Power Systems

a) Diesel generators
  SNPS: Three diesel generators; no bus ties
  RSS-BWR: Two diesel generators/unit; inter unit bus tie
  LGS: Four diesel generators/unit; no inter unit bus ties
b) Load divisions
  SNPS: Three load divisions
  RSS-BWR: Two load divisions/unit
  LGS: Four load divisions/unit
c) ESF divisions
  SNPS: Three ESF divisions: two main divisions; one division for 2/4 LPCI and RHR
  RSS-BWR: Two ESF divisions
  LGS: Four ESF divisions
d) DC buses
  SNPS: Three 125 V DC Class 1E buses, two of them feeding most ESFs; no bus ties; one battery charger/battery
  RSS-BWR: Four 125 V DC Class 1E buses between two units; with bus tie; one battery charger/battery
  LGS: Four 125 V DC Class 1E buses for each unit; no bus tie; two battery chargers/battery
e) Incoming lines
  SNPS: Two 138 KV and one 69 KV incoming lines; two separate switchyards
  RSS-BWR: One 230 KV and one 13.8 KV incoming lines; one switchyard
  LGS: Three 500 KV and two 230 KV incoming lines; two separate switchyards
Table 2.11 Summary of the Categories of BWR Transients Used in SNPS-PRA to Classify Operating Experience Data on Anticipated Transients*

Transient Initiator    Group**

1. Electric Load Rejection    TT
2. Electric Load Rejection with Turbine Bypass Valve Failure    TC
3. Turbine Trip    TT
4. Turbine Trip with Turbine Bypass Valve Failure    TC
5. Main Steam Isolation Valve Closure    TM
6. Inadvertent Closure of One MSIV (Rest Open)    TT
7. Partial MSIV Closure    TT
8. Loss of Normal Condenser Vacuum    TC
9. Pressure Regulator Fails Open    TT
10. Pressure Regulator Fails Closed    TT
11. Inadvertent Opening of a Safety/Relief Valve (Stuck)    TI
12. Turbine Bypass Fails Open    TT
13. Turbine Bypass or Control Valves Cause Increased Pressure (Closed)    TT
14. Recirculation Control Failure -- Increasing Flow    TT
15. Recirculation Control Failure -- Decreasing Flow    TT
16. Trip of One Recirculation Pump    TT
17. Trip of All Recirculation Pumps    TT
18. Abnormal Startup of Idle Recirculation Pump    TT
19. Recirculation Pump Seizure    TT
20. Feedwater -- Increasing Flow at Power    TT
21. Loss of Feedwater Heater    TT
22. Loss of All Feedwater Flow    TF
23. Trip of One Feedwater Pump (or Condensate Pump)    TT
24. Feedwater -- Low Flow    TT
25. Low Feedwater Flow During Startup or Shutdown    TT
26. High Feedwater Flow During Startup or Shutdown    TT
27. Rod Withdrawal at Power    TT
28. High Flux Due to Rod Withdrawal at Startup    TT
29. Inadvertent Insertion of Rod or Rods    TT
30. Detected Fault in Reactor Protection System    TT
31. Loss of Offsite Power    TE
32. Loss of Auxiliary Power (Loss of Auxiliary Transformer)    TT
33. Inadvertent Startup of HPCI/HPCS    TT
34. Scram due to Plant Occurrences    TT
35. Spurious Trip via Instrumentation, RPS Fault    TT
36. Manual Scram -- No Out-of-Tolerance Condition    TT
37. Cause Unknown    TT

*From EPRI-SAI Study.
**TT - Turbine Trip; TM - MSIV Closure; TC - Loss of Condenser; TI - Inadvertent Open Relief Valve; TE - Loss of Offsite Power; TF - Loss of Feedwater Flow.
Table 2.12 BWR Transients (Reactor Safety Study Table 1.4-12)

Likely Initiating Events

1. Rod Withdrawal at Power
2. Feedwater Controller Failure - Max. Demand
3. Recirculation Flow Control Failure (Increasing Flow)
4. Startup of Idle Recirculation Pump
5. Loss of Feedwater Heating
6. Inadvertent HPCI Pump Start
7. Loss of Auxiliary Power
8. Loss of Feedwater Flow
9. Electric Load Rejection (Turbine Valve Closure)
10. Turbine Trip (Stop Valve Closure)
11. Main Steam Line Control Valve Closure
12. Recirculation Flow Control Failure (Decreasing Flow)
13. Recirculation Pump Trip (One Pump)
14. Recirculation Pump Seizure
15. T-G Pressure Regulator Failure - Rapid Opening
Table 2.13 Initiating Events for BRP PRA for Which Event Trees Were Developed

Initiating Event    Frequency (per year)

Turbine Trip    1.4
Loss of Main Condenser    6.0x10-2
Spurious Closure of MSIV    6.0x10-2
Loss of Feedwater    1.6x10-1
Loss of Offsite Power    1.3x10-1
Loss of Instrument Air    6.0x10-2
Spurious Opening of Turbine Bypass Valve    1.0x10-1
Spurious Opening of RDS Isolation Valve    1.2x10-3
Spurious Closure of Both Recirculation Line Valves    1.7x10-2
Stuck Open Safety Valve    2.6x10-"
Interfacing LOCA    1.98x10-3
High Energy Line Break in Recirculation Pump Room    3.9x10-7
High Energy Line Break in Pipe Tunnel    3.8x10-8
Small LOCA    1.0x10-3
Medium LOCA    1.0x10-"
Large LOCA    1.0x10-5
Small Steam Line Break Inside Containment    1.0x10-3
Medium Steam Line Break Inside Containment    1.0x10-"
3. ACCIDENT SEQUENCE DEFINITION

The introduction to this section presents the general methodology used in the SNPS-PRA and an overview of BNL comments. Sections 3.2, 3.3, and 3.4 provide a discussion and the major conclusions of the review on the following topics: the SNPS-PRA accident sequence definition and the qualitative description of the event trees; the system fault trees that were used in the SNPS-PRA; and the various aspects of human performance analysis that entered into the risk assessment.
3.1 Introduction

3.1.1 The General Methodology

To assess the various accident sequences, i.e., the combinations of system failure events that, following the initiating events, lead to core damage, the SNPS-PRA used an approach based on the event tree and fault tree techniques. This approach differs, however, from that utilized in the Reactor Safety Study in the following way. In addition to using functional and systemic event trees and system fault trees, the SNPS-PRA employed three variations of these techniques, namely, the time-phased systemic event trees, the functional fault trees, and the functional-level event trees.

The logic employed in the SNPS-PRA for the definition of the accident sequences is as follows:

a) Twenty one functional event trees were developed for the different accident initiators (see Table 4.1) considered in the SNPS-PRA. A functional event tree depicts combinations of safety functions that can lead to a safe core condition or core damage, or constitute an initiating event for some other kind of potential accident. The SNPS-PRA functional event trees employ a finer safety function decomposition than that of the RSS functional event trees. For example, the coolant makeup function was decomposed into high pressure and low pressure makeup (see also Table 2.2). The combinations of the failed safety functions in these trees (tree paths) that can lead to core damage constitute the accident sequences for the SNPS-PRA. The quantification of each branch point in the functional event trees was done with the help of functional fault trees, functional-level event trees, and system fault trees. Table 5A.2 in Appendix 5A is an example of a functional event tree developed in the SNPS-PRA.

b) For certain functions in the functional event trees, functional fault trees were developed. In these latter trees, the top event is the failure of a particular function and this failure is further decomposed into failures of the frontline system which performs this function. For other functions in the functional event trees, functional-level event trees were developed. These trees depict combinations of system successes and failures that can lead to a success or failure of the function in question. Figure 5E.2 is an example of a functional fault tree. Table 5A.1 is an example of a functional-level event tree.

c) For some functions in the functional event trees -- those entailing systems that can be recovered (if failed) during the course of the accident -- time-phased event trees were constructed in the SNPS-PRA. The headings of these event trees are the states of the involved systems at various instants of time, e.g., unavailability of AC power one half hour after initiation of the accident. This approach is equivalent to discretizing the recovery times of the various systems, and it thus allows for incorporation of recovery in the analysis. The main application is in the loss of offsite power event tree, e.g., Table 5B.1. BNL, in addition, used a time-phased event tree in the evaluation of the loss of service water system initiator.

d) Unavailabilities for some systems in the functional event trees, the functional fault trees, and the time-phased systemic event trees were obtained by developing system fault trees.

Functional fault trees, functional-level event trees, and time-phased event trees were employed in the SNPS-PRA to account for dependences among frontline systems (through shared hardware or common support systems) and to account for the possibility of recovery of systems that were unavailable at the initiation of the accident.
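The effect of a shared support system on a function-level fault tree can be shown with a small calculation; this is an added example, not taken from the SNPS-PRA or the BNL review. It assumes a simplified tree in which HPCI and RCIC each fail on their own pump train or on loss of the DC bus or the condensate storage tank (the shared supports listed for them in Table 2.9); the tree structure, event names and probabilities are constructed for illustration.

```python
from itertools import product

# Constructed basic-event probabilities (illustrative only, not SNPS-PRA data).
P = {
    "HPCI_PUMP": 0.05,   # HPCI pump/turbine train unavailable
    "RCIC_PUMP": 0.05,   # RCIC pump/turbine train unavailable
    "DC_BUS": 0.001,     # shared DC power unavailable
    "CST": 0.0005,       # shared condensate storage tank unavailable
}

def OR(*children):
    return ("or", children)

def AND(*children):
    return ("and", children)

# Assumed system fault trees: each system fails if its own train or a support fails.
HPCI = OR("HPCI_PUMP", "DC_BUS", "CST")
RCIC = OR("RCIC_PUMP", "DC_BUS", "CST")
# Function-level "super tree": high pressure injection is lost if both systems fail.
HIGH_PRESSURE_INJECTION = AND(HPCI, RCIC)

def cut_sets(node):
    """Expand a gate into cut sets (sets of basic events), not yet minimal."""
    if isinstance(node, str):
        return [frozenset([node])]
    op, children = node
    expanded = [cut_sets(child) for child in children]
    if op == "or":
        return [cs for group in expanded for cs in group]
    combined = [frozenset()]
    for group in expanded:          # AND gate: union across the children
        combined = [a | b for a in combined for b in group]
    return combined

def minimal_cut_sets(node):
    """Boolean reduction: drop duplicates and any cut set containing a smaller one."""
    unique = set(cut_sets(node))
    minimal = [s for s in unique if not any(other < s for other in unique)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))

def top_probability(mcs, p):
    """Exact top-event probability by enumerating basic-event states."""
    events = sorted(set().union(*mcs))
    total = 0.0
    for states in product([False, True], repeat=len(events)):
        failed = {e for e, down in zip(events, states) if down}
        if any(cs <= failed for cs in mcs):
            weight = 1.0
            for e, down in zip(events, states):
                weight *= p[e] if down else 1.0 - p[e]
            total += weight
    return total

def compare(p=P):
    """Return (minimal cut sets, exact probability, naive independent product)."""
    mcs = minimal_cut_sets(HIGH_PRESSURE_INJECTION)
    exact = top_probability(mcs, p)
    naive = (top_probability(minimal_cut_sets(HPCI), p)
             * top_probability(minimal_cut_sets(RCIC), p))
    return mcs, exact, naive

if __name__ == "__main__":
    mcs, exact, naive = compare()
    for cs in mcs:
        print(sorted(cs))
    print(f"exact (reduced super tree): {exact:.6f}")
    print(f"naive product of systems:   {naive:.6f}")
```

With these constructed numbers the reduced tree has two single-event cut sets (the shared supports) and one double (both pump trains), and multiplying the two system unavailabilities as if independent understates the function failure probability by about a third.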
The various types of logic trees employed in the SNPS-PRA along with the modeling of human errors and of dependences are further discussed in Section 3.3 below. The functional event trees, in particular, are discussed in Section 3.2. Comments on the modeling of human performance, which has also been extensively used in part of the PRA, appear in Section 3.4.

3.1.2 Functional Event Tree Development

In general the functional event trees start with an initiator, followed by the subcriticality function. If the reactor is not subcritical, the sequence is transferred to the ATWS group of functional event trees. Transfers are made also to LOCA event trees or to other event trees for continuation. For sequences in which there is a successful insertion of control rods, other functions are evaluated, including adequate pressure control, coolant injection, depressurization, containment heat removal, and others. The end points of the functional event trees in the SNPS-PRA can be one of the following:

a) Successful shutdown and cooldown.
b) Loss of coolant makeup core damage (for transients): Class I
c) Loss of containment heat removal and drywell failure while coolant makeup is available to the core (All): Class II
d) Accident sequences following LOCA resulting in core damage (LOCA): Class III
e) Accident sequences involving failure to insert negative reactivity leading to a containment failure due to high containment pressure (ATWS): Class IV
f) Unisolated LOCA outside containment resulting in core damage with drywell bypass: Class V
n_ ,, n . n e - -- .n,~~----w--m----v-*-~~w-~w--~~cw ww "4'~
a-.- - g) Transfer to other sequences which will then result ,in one of - - the above six end points. - . A successful shutdown and cooldown is defined in the SNPS-PRA as condi-tions such that the reactor reacnes hot ' stable shutdown. This is character-ized by conditions such as: reactor is subcritical; pressure in the react 6r is stabilized; temperatures in the fuel and reactor are within all limits; containment and suppression pool cooling are maintained; and reactor pressure vessel, level is controlled. , 3.1.3 Qualitative Dependence Analysis , l , This section provides an overview of the' dependence modeling used in the SNPS-PRA and of the review comments and modifications by BNL. Detailed dis-cussions on the quantification of these dependences appear in Sections 3.J (fault-trees) and in the Appendices to Section 6, in which the quantification - of the SNPS-PRA accident sequences is discussed. papazoglou et 41.1 give details on the various types of dependences, wnien can ce classified as 1) functional, 2) .pnysical, and 3) human induced dependences. Note that these are not mutually exclusive. A finer resolution yields the following six categories: 1) system functional depender.ces; 2) system physical dependences, 3) system humanly induced dependences, 4) com-ponent functional dependences, 5) component pnysical dependences, and 6) com-ponent humanly induced dependences. 3.1.3.1 System Functional Depe'ndences This type of dependence can be enaracterized by a functional relationship -
. between two or more systems. Functional dependences due to " process coupling" (i .e. , input-output relationships) are best modeled in the functional event *,
trees. These dependences were in general properly addressed in the SNPS-PRA. Most noted examples are:

a) HPCI, RCIC dependence on suppression pool water temperature.
b) HPCI, RCIC, LPCI, and LPCS dependence on the ECCS equipment area temperature in Elevation 8 of the reactor building in case of LOCA outside containment.
c) Water level measurement system dependence on drywell temperature and reactor vessel pressure.
d) Failure of ADS safety relief valves due to excessively high drywell pressure.

No significant omissions were found in the PRA. In one case, however, a "process coupling" was assumed which is not correct in most incidents. The SNPS-PRA assumed that HPCI, LPCI, and LPCS would be initiated automatically by high drywell pressure (1.7 psi) or low reactor water level signal. This is true for LOCA or ATWS situations, but for most transients (all transients
apart from loss of offsite power and loss of drywell cooling, which amount to approximately 4% of the total transient frequency) and for manual shutdowns it will take at least one hour after the initiation of the event (see Table 5F.1) to reach the high drywell pressure setpoint (1.7 psi). Thus, in these events all ECCS injection systems depend only on the four reactor water level transmitters (N091A, B, C, D) for their automatic initiation*. Consequently, the miscalibration of these four transmitters would cause the automatic initiation failure of the high and low pressure systems following a transient (see Appendix 5A.1.4).

Another case of dependence included in the BNL review is the tripping of the drywell coolers. If these coolers are not recovered within 10 to 15 minutes, then the drywell temperature is expected to rise quickly, reaching a drywell pressure of 1.7 psi. This will cause the isolation of all drywell coolers, making recovery more difficult.

In the event that containment heat removal (i.e., RHR cooling of the suppression pool) is delayed for two hours or more, the drywell pressure is also expected to reach 1.7 psi, tripping the drywell coolers, and in about 15 additional minutes the drywell temperature is expected to rise to 300°F, which may be sufficient to impact level measurements if RPV should be at low pressure at that time. However, as shown in Appendix 5F, this dependence is of moderate significance.

Functional dependences due to "hardware coupling" were also treated in the SNPS-PRA. These dependences are best treated by combining all the system fault trees of related systems, and subsequently performing Boolean reduction of the resulting "super tree." This has been done for several functions only in the SNPS-PRA (e.g., RCIC - HPCI - ADS; see Table 3.1 for complete list). The best way, as stated above, however, is to combine all the system fault trees on the same accident sequence leading to core damage, and perform their Boolean reduction. Treatment by this core damage fault trees (CDFT) approach was not done by SNPS-PRA. It was done in past BNL reviews (Ref. 2). In this BNL review, the CDFT approach was judged to be unnecessary because of the following features of the SNPS-PRA:

a) detailed treatment of functional dependences in the functional level event trees;
b) the Boolean reduction for some of the functions;
c) treatment of frontline system dependences on support systems such as
   - AC Power,
   - DC Power,
   - Service Water System, and
   - Drywell Cooling; and
d) transfer of support system unavailabilities during transients to initiators treating the loss of the support systems.

The most notable examples of functional dependences included in the SNPS-PRA functional event trees are the following:

*Shoreham is currently adding level instrumentation, and isolating the HPCI initiation from the other ECCS equipment. This may reduce significantly the probability of losing automatic initiation of ECCS.

a) Shared hardware between the low pressure coolant injection system (LPCI) and the RHR system.
b) Shared hardware between systems within the same function, such as HPCI with RCIC and LPCI with LPCS (shared water level instrumentation).
c) RCIC in injection phase and in steam condensing mode.
d) A system failure as part of the initiating event and its unavailability as a preventing frontline system. An example is the assumed unavailability of feedwater injection when the initiator was loss of condenser, and an increase in unavailability of PCS for this case.
e) PCS and the condensate pumps' injection.
f) HPCI and RCIC failure due to loss of DC power 4 to 10 hours after station blackout.

As in the case of "process coupling," BNL modifications to the functional event trees were related largely to the quantification of dependence. Most dependences were judged to be taken into account by SNPS-PRA. However, the degradation of the Power Conversion System (PCS or the W" function) due to feedwater system failure in the injection phase (the Q function) was not always treated consistently, or was not sufficiently supported. Because of the large number of transients, in almost any of which the recoveries of PCS and MSIV were evaluated to have somewhat different probabilities, BNL decided to employ functional level event trees using consistent sets of values for their quantification. This BNL approach to the treatment of dependence between Q and W" functions is discussed in Appendix 5A. It has some impact on the frequency of Class II core damage.

3.1.3.2 System Physical Dependences

This type of dependence was treated in the SNPS-PRA in an appropriate way. Important examples are the following:

a) The effect of loss of containment heat removal on drywell temperature and pressure, which affects other systems such as drywell integrity.
b) Loss of room cooling resulting from station blackout or loss of service water system.
c) Effect of flooding on ECCS systems located in reactor building.

No significant omission was found in the review.

3.1.3.3 System Human Induced Dependences

These dependences were also addressed to a limited extent. They include operator cognitive errors. Examples of dependences appearing in the SNPS-PRA
are the following:

a) Failure to inhibit ADS in an ATWS event.
b) Failure to initiate feedwater runback in an ATWS event.
c) Failure to reduce water level and maintain it above level 1* in the case of ATWS.
d) Failure to depressurize, flood the reactor vessel and maintain level 3 in cases of conflicting water level measurement readings.
e) Delaying depressurization in blackout events. Maintaining pressure consistent with HPCI and RCIC operational pressure, and suppression pool temperature.
f) Failure to control HPCI and RCIC flow when level instrumentation is unavailable during a blackout event.
g) Failure to control condensate flow rate in case of a large LOCA.

It is seen that the SNPS-PRA in many cases included cognitive errors of operators (see also Table 3.2). Errors of commission, that is, the turning off of a system contrary to procedures, were excluded from the SNPS-PRA analysis, as in past PRAs. However, if control room information was unavailable or conflicting, a probability for cognitive error of commission was considered in the SNPS-PRA. An example is the act of early erroneous depressurization by the operator in the event of loss of a reference leg in the water level measurement system (see Ref. 4, page 0-14, Figure 0-6). BNL judged it reasonable to assume erroneous acts of commission when information is conflicting and when procedures exist which suggest depressurization in a case of other similar conditions. Appendix C of Ref. 4, which deals with core damage frequency contributed by the water level measurement system, deals mainly with quantification of this kind of dependency. BNL accepted many of these treatments (see Section 3.4 and Appendices 5E and 5F), sometimes with quantification changes, and in some instances with a model change.

3.1.3.4 Component Functional Dependences

This type of dependence was implicitly addressed in the SNPS-PRA in that the fault trees were developed up to a point where no functional dependence exists between the basic events (component failures).

3.1.3.5 Component Physical Dependences

The SNPS-PRA has included on some of the fault trees basic events related to physical dependence in the plant. Some examples of physical dependences in the fault tree analysis are the following:

a) Contamination of all SRVs' solenoid valves of the ADS system.
b) Suppression pool water unavailability due to common-mode failure clogged strainers.

*Level 1 (rather than TAF) is suggested in the SNPS-PRA and response #52 to BNL questions.

3.1.3.6 Component Human Interaction Dependences

The SNPS-PRA includes a large number of miscalibration errors and maintenance errors. Miscalibrations appear on almost every fault tree and contribute significantly to system unavailabilities (some examples are shown in Table 3.3).

3.2 Qualitative Description of Functional Event Trees

The functional event trees used in the SNPS-PRA provide a logical method for developing and displaying accident sequences which may follow an initiating event. In the following subsections some of the more important functional event trees of SNPS are discussed qualitatively and the major modifications made by BNL are presented.

3.2.1 Turbine Trip (Ty) (Appendix 5A.1)

This type of transient presents the least challenge to the plant apart from manual shutdown. Both feedwater available and feedwater unavailable cases are considered in the event tree. The turbine trip functional event tree (see Table 5A.2) comprises thirteen safety functions. The failure of the first function, reactor subcriticality (C), results in an ATWS event which is more appropriately addressed in the turbine trip ATWS functional event tree shown and discussed in Appendix 5D. After the reactor has attained subcriticality, failure to accommodate the pressure surge caused by the transient due to failure of safety relief valves (SRVs) to open (M) is conservatively assumed to result in a large LOCA event. The success and the failure of the SRVs to reclose lead to two different, yet similar, sequence paths. Both branches are then evaluated for the high pressure system functions, viz., the feedwater function, Q, and the HPCI or RCIC function, U. The Q function in the SNPS-PRA includes different recovery assumptions for each of the cases of the turbine trip--with and without two SORVs. The Q function is evaluated in the BNL review on the basis of the SNPS-PRA general approach and data, with a functional level event tree used to model the recovery of feedwater and the PCS in half an hour (see example in Table 5A.1). If the high pressure functions are successful, core damage may not occur, provided that the containment heat removal function is successful. If it happens that both high pressure functions fail, then, before the timely ADS actuation function, X, is evaluated, the SNPS-PRA provides the operator a "second chance" to recover feedwater. This is also included in the Q function of the BNL functional level event tree, rather than in the functional event tree as done in the SNPS-PRA. The ADS function automatically depressurizes the RPV upon reaching level 1. Next, the low pressure injection, V, is modeled, and can provide successful injection. This function in the SNPS-PRA is given in detail by the separation into LPCS, LPCI, and condensate injection. Failure of the containment heat removal function (W) or the low pressure injection or the timely ADS actuation function leads to core damage. The W function in the SNPS-PRA has two subfunctions: RHR with RCIC steam condensing mode, W', and PCS, W". The PCS is included in BNL functional level event tree.

3.2.2 MSIV Closure/Loss of Condenser/Loss of Feedwater Transient (TM, TC, TF) (Appendix 5A.3, 5A.4, 5A.5)

These types of transients lead to a more significant challenge to the plant than do the turbine trip transients. The MSIV functional event tree is identical in structure to that of the turbine trip because of the similarities in the required response of the safety functions of the plant to mitigate the events. The only difference between the two functional event trees resides in the reduced unavailabilities of the feedwater/power conversion system both for high pressure injection and for the long-term containment heat removal functions. This is due to the more significant challenge to the plant from a MSIV closure initiator, as noted earlier. The loss of condenser (TC) is similar to MSIV closure, but has no recovery of FW in the short term, and low availability of the PCS in the long term. It is more severe than MSIV closure. The differences are more clearly seen from comparison of the functional level event trees of the BNL approach (Tables 5A.5 and 5A.9). Loss of FW (TF) is the weakest challenge of the three, and the SNPS-PRA treats it also separately.

3.2.3 Inadvertent Open Safety-Relief Valve (Tg) (Appendix 5A.6)

This transient was treated separately because the operator must recognize the event and manually scram the reactor. Additionally, the containment conditions are different from those during other transients because of the higher total heat addition to the suppression pool at the time of plant shutdown, which places a more significant demand on the containment heat removal function. The SNPS-PRA also assumes that MSIV closure occurs in all IORV cases. The principal distinction of this tree stems from the three branches depicted for the timely scram initiator function, c', c" (see Table 5A.12 in Appendix 5A.6). The top branch represents a successful timely scram in which no additional requirement is placed on the cooling of the suppression pool. The center branch denotes the scenario in which the reactor is scrammed prior to the suppression pool reaching a temperature requiring prompt RHR system operation and PCS recovery. The third branch is equivalent to failure to scram the reactor prior to exceeding the containment heat removal capability and is transferred to the ATWS event tree analysis. The feedwater/PCS system is not evaluated in this tree because operational data indicate that during an IORV event the MSIVs may close, thus causing all decay heat to enter the suppression pool. BNL gave credit to MSIV reopening for long term containment heat removal as in the cases of two SORVs or medium LOCA (see Appendix 5A.6).

3.2.4 Manual Shutdown (Ms) (Appendix 5A.2)

This event tree accounts for challenges to the plant resulting from a controlled manual shutdown -- not a scram but a manual control rod insertion in a slow, orderly manner.
Examples of such shutdowns are scheduled or forced maintenance outages and refueling outages. Operating experience indicates that because of the controlled nature of the transient, the SRVs are not challenged. Therefore, only the high pressure injection function, timely ADS actuation, low pressure injection function, and the containment heat removal functions are evaluated. Failure of the high pressure functions, and failure of the timely ADS actuation function, X, or the low pressure injection function would lead to core damage. Failure of the containment heat removal function results in the loss of drywell. No changes were made to this event tree. However, a functional level event tree was prepared to treat the dependences between the FW/PCS system in the injection and containment heat removal phases.

3.2.5 Loss of Offsite Power (TE) (Appendix 5B)

This transient provides unique initial conditions for accident sequences because of the loss of AC power and the resulting demand for the diesel generators. The initial condition of loss of AC power affects the majority of the frontline systems since AC power is needed for most plant systems. This tree has been time phased for the coolant injection and containment heat removal functions to account for recovery of AC power. BNL modified the SNPS-PRA event tree mainly with respect to containment heat removal, which was treated by BNL on the LOOP event tree rather than transferred to the MSIV closure event tree.

3.2.6 Comparison with the Treatment of Transients in RSS and LGS-PRAs

The transient event tree in the RSS (Figure 1 4-16 in WASH-1400) was a single tree used by the RSS for all anticipated transients requiring reactor shutdowns from power operation. The SNPS-PRA approach is considered to be a significant improvement over the one-transient event tree in the RSS. The use of separate event trees for MSIV closure (TM)/loss of condenser (TC)/loss of feedwater (TF) in the SNPS-PRA is an improvement over LGS-PRA. The RSS analyzed the loss of offsite power transient by using the same transient event tree. The SNPS-PRA added more detail over this simplified approach in its loss of offsite power (TE) event tree. This is considered to be a significant improvement. The use of the T[ tree in the SNPS-PRA is another improvement over the RSS approach. The RSS concluded that these types of transients are insignificant to the frequency of core damage.

3.2.7 LOCA Event Trees (A, S1, S2) (Appendix 5C.1)

For the LOCA-initiating events the SNPS-PRA developed three functional event trees corresponding to the three break size categories (large, medium, small) as was done in the RSS. The small LOCA event tree is almost identical to the transient event trees, and in particular to the case of IORV. The medium LOCA is similar to the small LOCA; the only differences are that RCIC is not sufficient to prevent core uncovery, and that high RPV pressure decreases with time. In the case of large LOCA only low pressure injection systems can supply coolant injection.

The LOCA event trees used in the SNPS analysis are slightly different from those used in the RSS. The three event trees model the different effects on the reactor and the different success criteria required as a function of LOCA break size and location (liquid or steam break). The large LOCA event tree handles the breaks that depressurize the reactor, and the two smaller LOCA trees handle the breaks that do not cause immediate reactor depressurization.

The SNPS-PRA large LOCA event tree (shown in Table 5C.1) differs from the one used in the RSS. It contains the same systems and has the same structure as the RSS event tree with the exception of the containment leakage (G), and core cooling functions (F).

The medium LOCA and small LOCA* event trees for SNPS-PRA (Appendix 5C, Table 5C.1) also differ from the RSS small LOCA event trees. Vapor suppression (D), and containment leakage (G) were eliminated since their effect is small and treated in the Containment Event Tree (CET). Since the plant's reaction to a small LOCA is similar to a transient, the small LOCA event tree resembles a transient event tree (IORV).

LOCA outside containment was considered in detail in the SNPS-PRA. The event tree is basically similar to that for a large LOCA. Only large LOCA was considered to be a significant problem because of the short time available for preventing core damage (Appendix 5C.2).

3.2.8 ATWS Event Trees (T , Ig, T I , TF , T E) (Appendix 5D)

The SNPS-ATWS event trees handle those transients which do not result in successful scram. These trees include analysis of the five major transient groups (turbine trip, loss of feedwater, MSIV closure, IORV, and loss of offsite power). Thus, there are five ATWS event trees:

1) Turbine trip - In the event of a turbine trip with failure to scram, two scenarios have been developed in the SNPS to model the plant response. The first case assumes that, given the turbine trips, the turbine bypass remains open. The condenser and feedwater are available. However, should the turbine bypass fail, or should feedwater trip off line or the condenser not be available, the SNPS-PRA assumes that the situation is similar to either a total loss of condenser heat sink or a MSIV closure or a loss of feedwater event. These second case events are treated in the respective ATWS functional event tree.

2) MSIV closure/loss of condenser - This group includes those transients that challenge the plant in a manner which results in a closure of all MSIVs or a loss of condenser. Also included are the turbine trips that were shown to result in either MSIV closure or loss of condenser.

3) Loss of feedwater - This initiator includes the events that are characterized by a loss of feedwater with condenser available. The events include loss of feedwater initiators and transfers from turbine trip and MSIV closure.

4) Loss of offsite power - The single initiator is loss of offsite power with ATWS.

5) IORV - The single initiator is inadvertent opening of a SRV with ATWS.

*Small LOCA event tree is similar to IORV with a successful early shutdown (Table 5A.12).

These types of ATWS event trees were not used in the RSS. The SNPS-PRA use of these trees yields a detailed analysis of ATWS mitigating function, and this constitutes a realistic, less conservative approach to the evaluation of the ATWS contribution to the core-damage frequency and to the total risk.

3.2.9 Other Event Trees

The SNPS-PRA studies several low frequency events in separate event trees, some of which were not studied either in the RSS-BWR or in past BWR-PRAs:

a) Loss of a DC bus (Appendix 5G.2)
b) Release of excessive water at elevation 8 (Appendix 5G.1)
c) Loss of service water systems (Appendix 5G.3)
d) Loss of drywell cooling (Appendix 5F)
e) Loss of a reference leg (Appendix 5E).

BNL made no significant changes in its revised trees for case (a). In all other cases the changes were significant and are discussed in the respective appendices to Section 5. The main changes made are listed below.

a) Time phase event tree treatment of the release of water at elevation 8.
b) Addition of functional level event trees for RBSWS and TBSWS recovery in the case of loss of service water transient. The event tree was revised and time-phased, and the "GOLX" function was removed because it is insignificant to this event. All these changes resulted in a simpler event tree.
c) For the case of loss of drywell cooling, the number of event trees was reduced by combining all the contributions from transient without isolation into the loss of drywell cooling initiator event tree. This was similar to the transfer by SNPS-PRA of the contribution from transients to the support system event trees, e.g., loss of the SWS tree.
d) The event tree for loss of drywell cooling was not changed significantly. In the BNL re-assessment the SNPS-PRA "O" function was omitted and only the "L" function preserved. Quantification changes were more significant.
e) The LOOP event tree with loss of drywell cooling was significantly changed. The SNPS-PRA included the G function, which seemed unwarranted for this case (Table 5F.4). This sequence was found to be a very important contributor to SNPS-PRA core damage frequency because of loss of almost all control room level information.
f) For the case of loss of reference leg, again significant changes were made. The event of random failure of an additional level measurement channel was separated into three constituents, which increased significantly the contribution from this branch of the event tree compared with the SNPS-PRA (Table 5E.2).

3.2.10 Summary of the Qualitative Review of Functional Event Trees

The SNPS-PRA presents a very detailed and elaborate study of the various types of accident sequences applicable to the SNPS plant specific conditions which could conceivably occur within the plant. BNL concurs with the overall approach used in the development of the functional event trees, and these trees are basically adopted in BNL's re-assessment of the majority of the sequences. In most cases only minor improvements were made, and basically the same structure was used in the BNL revised trees. On the other hand, quantification of accident sequences by BNL led to modifications in many of these trees, as discussed in Section 5. In a few cases the event trees' structure was revised more significantly, as discussed above and shown in detail in Appendices to Section 5. The most important such cases are the following:

a) ATWS event trees,
b) Release of water at elevation 8,
c) Loss of a reference leg,
d) Loss of service water system.

Comparison with past BWR-PRAs showed that a more detailed functional event tree analysis was performed in the SNPS-PRA for several low frequency events, most notably loss of drywell cooling and loss of a reference leg.

3.3 System Fault Trees

3.3.1 System Fault Trees Analysis in SNPS-PRA

The system level fault trees are compiled in a separate volume (Volume IV) of the Shoreham Nuclear Power Plant (SNPS) PRA. The cutsets for these fault trees are given in Appendix J of the PRA, along with the identification of the most important cutset contributors to each system. The data for the fault trees' quantification are provided in Appendix A.2 (component failure rate data), Appendix A.3 (human error failure rates), and Appendix A.4 (quantification of system unavailabilities due to maintenance). BNL reviewed this information along with the fault trees. The review of these data appears in Section 4.2; here only some more pertinent comments about the analyzed fault trees are presented. The following system fault trees are given in the PRA:

1. Reactor Core Isolation Cooling (RCIC),
2. High Pressure Coolant Injection (HPCI),
3. Service Water (SW),
4. Standby Liquid Control (SLC),
5. Residual Heat Removal (RHR),
6. Reactor Building Closed Loop Cooling Water (RBCLCW),
7. Electrical Power: Emergency AC and DC,
8. Core Spray (CS),
9. Low Pressure Coolant Injection (LPCI),
10. Automatic Depressurization System (ADS),
11. Reactor Building Standby Ventilation System (RBSVS) and CRAC Chilled Water,
12. Feedwater (FW),
13. RCIC/Steam Condensing Mode (RCICSC),
14. Condensate,
15. Scram System*,
16. Diesel Generator*.

The BNL comments in Ref. 2 were used in the review of the SNPS-PRA fault trees. Hence, the following comments (see Section 3.3.2 below) refer in part to how SNPS has taken into account the previous comments in the new SNPS trees, and indicate which recommendations of Ref. 2 are still in effect, as well as including comments generated in the present review.

The following systems have not been analyzed in detailed fault trees:

1. Plant Air and Compressed Nitrogen Systems: A subtree for this support system was developed as part of the ADS fault tree. The details are developed to the subsystem level rather than the component level as in the other system fault trees. This will be further discussed as part of the ADS tree.

2. Reactor Protection System*: The unavailability of the scram system is based on NRC studies (Ref. 5) and the analysis made by SNPS in Appendix A.7 of the PRA. The small tree given in the PRA is not quantified and includes only a part of the RPS.

3. Diesel Generators*: A fault tree was constructed, but the analysis is based on the information gathered from LERs. This information is reviewed in Section 4.2.2, below, and hence this system is not discussed further here.

4. Drywell Coolers: This system was not included separately in the fault tree analysis. A probability of 1.0 for human failure to recover this system after a high drywell pressure isolation (actuated on 1.7 psi) was used by the SNPS-PRA and BNL. A probability of 0.7 for human failure to initiate this system after its isolation (on level 1) was considered by BNL whenever credit for this system was given in the PRA. A hardware failure probability of 6.6x10-" was calculated based on a functional fault tree in the SNPS-PRA for use during transients.

*The quantification of these system fault trees was not used in the probabilistic analysis. The trees were constructed and included to provide supplemental information regarding possible systems interactions.

5. Suppression Pool and Condensate Storage Tank (Supply of Cooling Water to Safety Injection Systems): The unavailability of these sources of cooling water is analyzed as a subtree mainly on the HPCI fault tree. The failure probability was calculated in the SNPS-PRA as 7.x10- and 3.x10 " for suppression pool and condensate storage tank, respectively.

6. Containment Spray: The system was not analyzed separately, but it is a part of the RHR/LPCI system, which was modeled and analyzed. A probability of 0.05 for human failure to initiate was used whenever some credit was taken for this system; this is apparently higher than the probability of its hardware unavailability.

7. Turbine Building Service Water System: The system was not analyzed separately.

It is stated in the PRA (Appendix J) that the system fault tree models were constructed by SNPS for general application without regard to any specific transient event sequence and therefore do not include transient dependences. The changes made to system unavailabilities due to the impact of the transient initiator or the specific event sequences are discussed in the presentation of the system level event trees in Appendices to Section 5 of this report. The result of the fault tree analysis performed by SNPS is summarized in Table J.4-1 of the PRA, which is reproduced in columns 1 and 2 of Table 3.1. Column 3 shows BNL review results for the trees that were judged important and were reviewed in detail.

In general, most of the system fault trees appear to be reasonably complete and accurate, but BNL made some additions and modifications. These changes are discussed in the following subsection, and their quantitative effect is summarized in Table 3.1. Their impact on the core damage frequency is small, amounting to a few percent (see Table 3.1 and Section 3.3.3 for further details). The trees are resolved down to the component level. The level of resolution is determined by the availability of data and by the possibility that further resolution will uncover existing dependences. The level of resolution in the trees is consistent with state-of-the-art PRA practice.

The fault trees were developed to allow each component either to operate as designed or to fail (no partial failure). This approach is conservative, but it is consistent with the present PRA state-of-the-art. The following items were excluded from the analysis of the failure of a component (or system) as being outside the scope of the PRA:

a) External events,
b) Sabotage,
c) Operator errors of commission,
d) Most location-dependent common-mode failures, such as fires, but location-dependent CMFs due to internal flooding were included and are discussed in Appendix 5G.1.

Manual operation of coolant injection, if required, was assumed to have a 30-minute grace period. This appears to be justified by thermal hydraulic calculations (Ref. 7). For large and medium LOCAs and for ATWS events, however, less time is assumed for manual restoration of injection. The failure rates used in the fault trees were point values and were meant to represent the average over the plant lifetime (i.e., wear-in and wear-out rates were averaged into the failure rates). Note that the risk during the first year of plant operation may be higher than the average risk over the plant lifetime because of a higher initiator frequency and higher failure rate during the wear-in period. Failure rates are further discussed in Section 4.2.

The dependences within a system were treated by using the same alphanumeric designator for a component that appears several times in the tree.
For systems within the same function, for example, HPCI and RCIC for the function of High Pressure Coolant Injection, this method was also used to allow for Boolean manipulation of functions. The SNPS-PRA, in general, properly used this method. BNL's review, however, found that this designation was not followed consistently in all cases, and changes were made to correct discrepancies as listed in the next section and in Table 3A.1.
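
Added example (not part of the BNL report or the SNPS-PRA): the Boolean reduction described above, written in Python, showing why a common-mode event must carry the same designator in both system trees. All event names and probabilities are constructed for illustration.

```python
"""Boolean reduction of two systems' cut sets into one safety function."""
from itertools import product
from math import prod


def and_systems(cuts_a, cuts_b):
    """Top event 'A AND B': union every cut set of A with every cut set of B.

    Cut sets are frozensets of basic-event names, so an event that carries
    the same designator in both trees appears once in the union (X AND X = X).
    """
    return {a | b for a, b in product(cuts_a, cuts_b)}


def minimal_cut_sets(cut_sets):
    """Absorption law: discard any cut set that strictly contains another."""
    return {c for c in cut_sets if not any(other < c for other in cut_sets)}


def rare_event_sum(cut_sets, p):
    """Rare-event approximation: sum of the products of event probabilities."""
    return sum(prod(p[event] for event in c) for c in cut_sets)


def function_unavailability(cuts_a, cuts_b, p):
    """Return (minimal cut sets, unavailability) of the combined function."""
    mcs = minimal_cut_sets(and_systems(cuts_a, cuts_b))
    return mcs, rare_event_sum(mcs, p)


# Constructed basic-event probabilities (assumptions, not values from the PRA).
P = {
    "HPCI_INDEP": 0.09,        # all HPCI-only failures lumped together
    "RCIC_INDEP": 0.07,        # all RCIC-only failures lumped together
    "L8_MISCAL": 1e-3,         # shared sensor miscalibration, one designator
    "STEAM_LEAK": 1e-3,        # shared steam-line isolation event
    "HPCI_L8_MISCAL": 1e-3,    # the same miscalibration, named per system
    "RCIC_L8_MISCAL": 1e-3,
}

# Consistent labelling: the shared events have the same name in both trees.
HPCI = {frozenset({"HPCI_INDEP"}), frozenset({"L8_MISCAL"}),
        frozenset({"STEAM_LEAK"})}
RCIC = {frozenset({"RCIC_INDEP"}), frozenset({"L8_MISCAL"}),
        frozenset({"STEAM_LEAK"})}

# Inconsistent labelling: one physical event, two different designators.
HPCI_MISLABELED = {frozenset({"HPCI_INDEP"}), frozenset({"HPCI_L8_MISCAL"}),
                   frozenset({"STEAM_LEAK"})}
RCIC_MISLABELED = {frozenset({"RCIC_INDEP"}), frozenset({"RCIC_L8_MISCAL"}),
                   frozenset({"STEAM_LEAK"})}

if __name__ == "__main__":
    for label, a, b in (("consistent", HPCI, RCIC),
                        ("mislabeled", HPCI_MISLABELED, RCIC_MISLABELED)):
        mcs, q = function_unavailability(a, b, P)
        print(f"{label}: unavailability = {q:.6f}")
        for c in sorted(mcs, key=sorted):
            print("   ", " * ".join(sorted(c)))
```

With consistent designators the shared miscalibration survives the reduction as a single-event cut set; with two names it is treated as two independent events and its contribution drops by three orders of magnitude.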

In summary, the SNPS-PRA has made a good and detailed systematic fault tree analysis that provides a model of the system (as seen in the next section). The SNPS-PRA has provided analyses of several fault trees in addition to those done in RSS-BWR and LGS-PRA. It will be shown in the next section that several BNL comments in the LGS-PRA review (Ref. 2) were taken into account in the fault trees of SNPS.

3.3.2 Summary of BNL Modifications to SNPS System Fault Trees and Their Impact

The following is a list of the main modifications that were made to the SNPS fault trees and resulted in changes of the system unavailabilities. The unavailabilities derived in the SNPS-PRA, along with those suggested by this review, are summarized in Table 3.1. Appendix 3A lists all changes or comments on SNPS system fault trees recommended by the BNL review.

The BNL review of the system fault trees was based on comparisons with the LGS-PRA and information for FSAR. The review did not, however, go to a level of examining specific equipment differences that warrant a change in failure rates; only design features using generic failure rate data were considered.

3.3.2.1 Reactor Core Isolation Cooling (RCIC)

Several improvements were made in the SNPS-PRA fault tree. For example, the turbine subsystem, which is a dominant contributor to RCIC, was treated in some more detail. In doing so, however, sometimes lesser failure rates were used. The lube oil (turbine auxiliaries) in SNPS-PRA is an example of a case in which the failure rate was reduced by a factor of approximately 4, compared with that in the LGS-RCIC tree and SNPS-HPCI turbine auxiliaries subtree.
However, the event "loss of flow through turbine driven pump" remained overall quite similar in all cases. BNL increased the lube oil (turbine auxiliaries) unavailability in RCIC turbine subtree from 1x10-3 to 3.6x10-3 to make it consistent with the HPCI tree and LGS tree. To perform a study of whether there were specific equipment considerations to reduce this failure rate by a factor of approximately 4 was not considered to be within the scope of the review.

Another distinct change in the SNPS RCIC fault tree is the increase (approximately tenfold relative to a past PRA) in failure rate of sensor in the "false signal" failure mode that was given a value of 2.6x10-3 for 10 sensors. Thus, "false steam pipe area high temp signal" constitutes one third of RCIC unavailability. The high failure rate implies a low frequency surveillance test of these sensors, and further implies that a favorable change in this frequency or procedures may be able to decrease the RCIC unavailability. Investigating the exact nature of the difference between the past PRA and SNPS in quantifying the failure rate of these sensors was again considered outside the scope of the review.

Table 3A.1 of Appendix 3A lists the changes or comments on the RCIC fault tree. No one of them causes any significant change to RCIC unavailability. However, some of them are CMF of both HPCI and RCIC:

a. Changed name of miscalibration "too high" of level 8 trip sensors, to properly account for commonality with HPCI level 8 trip (RCIC No. 5 in Table 3A.1).
b. Steam leakage from HPCI or RCIC steamline may cause their isolation. ("HCOMMON" event included in the BNL review, RCIC No. 1).

The effect of these common-mode failures of RCIC and HPCI is discussed in Section 3.3.2.4 below.

3.3.2.2 High Pressure Core Injection System (HPCI)

The turbine subsystem is modeled in detail, as is the automatic transfer from CST to suppression pool suction. The overall unavailability of HPCI is within a reasonable range. The SNPS-PRA is more realistic than the LGS-PRA by treating the probability of failure-to-start on subsequent start as comparable with that on initial start. A factor of 1/3 was used in SNPS-PRA compared with 1/10 in the LGS-PRA. Table 3A.1 of Appendix 3A lists changes and comments on the HPCI fault tree. They do not impact significantly the HPCI unavailability, but have some impact on the HPCI/RCIC CMFs.

a) The failure of the shaft-driven lube oil pump, which is included on the fault tree, was also added to the list of cutsets resulting in a small increase of HPCI unavailability from 0.096 to 0.1 (HPCI No. 5).
b) The high drywell pressure signal to initiate HPCI was deleted for transient initiators (HPCI No. 1). Thus, miscalibration of water level sensor becomes a significant contributor to CMF of HPCI, RCIC and ADS not considered in the SNPS-PRA (see Section 3.3.2.4 for quantification).
c) The name of the miscalibration event of HPCI turbine pressure trip set point was changed to conform to the same RCIC event (HPCI No. 7).
d) "HCOMMON" included. See comment (b) for RCIC (HPCI No. 5).

3.3.2.3 Automatic Depressurization System (ADS)

The three comments of Ref. 2 were taken into account by improvements in the SNPS-ADS fault trees:

a) The common-mode failure of all ADS valve solenoids due to contaminated nitrogen gas supply was included in the SNPS-ADS tree (1x10-4).
b) No credit is given to human action to recover nitrogen gas supply if main supply or accumulators were lost.
c) A common-mode miscalibration of all pressure sensors in CS and RHR discharge lines was assumed (Ref. 3), but with reduced probability: 5x10-s instead of 2x10-3. The 2x10-3 is for non-staggered calibration. For staggered calibration of different systems, the value of 5x10-s seems to be realistic. In addition, this value is rightly multiplied by operator failure to initiate ADS manually (0.1).

On the basis of these improvements, BNL accepted this unavailability of ADS (8.4x10 ").

The CMF miscalibration of level 1 was correctly denoted by the same name in HPCI and RCIC. The operator manual initiation was given a different name from the high pressure injection manual initiation, as expected. No changes were made to the ADS fault tree.

3.3.2.4 Boolean Combination of High Pressure Injection Function (U) and the ADS Function (UX)

The SNPS introduced this feature in its PRA to account for dependences between safety functions. Basically, the "super"-trees of several systems were evaluated in the SNPS-PRA and cutsets for the super-trees were examined. The results of this Boolean reduction were used in the event tree quantification. This diminished the need for the core damage fault tree (CDFT) approach which BNL has used in its past reviews (Refs. 2, 3). However, the review of the Boolean combination of the U function (HPCI and RCIC) and of the UX function (HPCI, RCIC and ADS) revealed some significant omissions, which are discussed here.

U-Function

The results of the SNPS-PRA analysis are given in Tables J.4-16 of PRA Appendix J. Only two CMF contributions to U are identified there:

a) Both HPCI and RCIC are unavailable because of maintenance (plant technical specifications require a shutdown within 12 hours). Failure probability = 1.4x10-4.
b) Failure of a level transmitter or miscalibration (high above level 8 set point), which causes the failure of HPCI and RCIC trip on high water level (L8) and leads to gross moisture carry-over in the steam supply lines, as well as damaging both HPCI and RCIC turbines.

The SNPS-PRA incorrectly estimated the probability of this CMF to be 1.36x10-3. In our review only miscalibration was considered, leading to 0.2x10-3 (0.2 taken for operator error rather than 0.1 as in SNPS-PRA).

BNL added the following four commonalities:

c) Common miscalibration of level 2 transmitters leading to the failure of level 2 autoinitiation of HPCI and RCIC. The failure probability is 2x10-3 x 0.1 = 2x10-4 (where the 0.1 is due to operator failure).
d) Miscalibration of level 8 trip sensors (below the nominal level 8 set point) leading to repetition of turbine pump trips on both HPCI and RCIC: 2x10-3 x 0.5 = 1x10-3.
e) Miscalibration of turbine pressure trip set points for both RCIC and HPCI: 2x10-3 x 0.5 = 1x10-3 (suggested by SNPS-PRA, see RCIC FTA, but not calculated).
f) Steam leakage from HPCI or RCIC steam line causing their isolation, "HCOMMON" = 1x10-3.

The SNPS-PRA summed up the commonalities of HPCI and RCIC to the total of 9x10-3 (see Table 3.1). This does not follow from Table J.4-16, where a total of only 7.8x10-3 is shown.* According to the six commonalities listed above, the total is 0.01. This is the BNL value for the "U" function.

*The combinations of dominant cut sets of HPCI and RCIC result in 6.3x10-3.

UX-Function

The results of the SNPS-PRA analysis are given in Table J.4-17 of Appendix J. One CMF contribution of all three systems to UX was identified there, see (a) below, and two additional CMFs of two out of the three systems, see (b, c):

a) Loss of all Division I and II electric power supplies. Failure probability is 3.2x10-6.
b) Combinations of dominant cut sets of HPCI with failures of level instrumentation, and operator actions which defeat both automatic and manual initiation of RCIC and ADS. Failure rate is 4.0x10-6.
c) Combination of dominant cut set of ADS with failure to isolate HPCI and RCIC on level 8 (leading to carryover in the steam lines). Failure rate is 1.3x10-6.

The total of CMF contributions becomes 8.5E-6, which is consistent with the values in the event trees. However, some additional contribution for other ADS cut sets combined with other HPCI and RCIC cut sets (failing independently) was not included.

The SNPS-PRA incorrectly estimated, however, the CMF of item (b). In this case HPCI is assumed to be initiated by high drywell pressure signal. This is true only for LOCA or ATWS. For transients* and manual shutdowns no high drywell pressure is expected in less than 1 hour after the incident initiation, and therefore initiation of HPCI will fail manually and automatically too. This increases this commonality (see item (b) above) by a factor of 5 (2x10-3 x 0.1 x 0.1 = 2x10-5).

*Apart from loss of drywell cooling and loss of offsite power.

In the judgment of BNL, given proper staggering procedures for level instrumentation, the value of 2x10-3 for miscalibration would be too high by a factor of 10 or more. Therefore, BNL did not change the UX quantification on the transient and manual shutdown event trees. The special case of miscalibration is not ignored, however, and is discussed in Appendix 5A.1.4. It is a significant contributor to core damage frequency, but it can be easily eliminated by appropriate procedures.

The calculated commonality of HPCI, RCIC, and ADS in the BNL review becomes:

HPCI/RCIC commonalities with ADS cut sets which are independent: 7x10-3 x 6x10-4 = 4x10-6
Item (a) - loss of all Division I and II electric power: 3x10-6
Item (b) - miscalibration of level instrumentation (corrected): 2x10-6
Total: 9x10-6

where 7x10-3 and 6x10-4 are the unavailabilities of "U" and "X" respectively after items (a) and (b) are subtracted. The event trees values were not changed to reflect this small increase.

3.3.2.5 Low Pressure Core Spray (LPCS or CS)

The core spray system is, in general, adequately modeled in the SNPS-PRA fault tree for this system. The small number of changes made by BNL tend to have counterbalancing effects, so that the LPCS unavailability remained unchanged in the BNL review (see Table 3.1). The main changes are as follows:

a) The LPCS system will not initiate on high drywell pressure in case of a transient sequence. When this is eliminated from the fault tree a new cut set appears, "HHU7200XI * (LHU5000XI + LHU6000XI)", which probability is 2x10 . (The LHU5000XI and LHU6000XI should be AHU1990XI, see Table 3A.1, LPCS No. 5.)
b) The probability of the event "suppression pool water unavailability due to clogged strainers" is incorrectly included in the SNPS-PRA analysis as 2.6x10-4, which is correct for a single clogged strainer. In the BNL review, a value of 5x10-5 for CMF of all strainers is used, which is consistent with the SNPS-PRA HPCI fault tree (LPCS No. 2).
c) The SNPS-PRA states that valves LMVOSADPI and LM,V05BOPI are tested only during refueling rather than on a quarterly basis. This increased their failure rate from 4x10-3 to 9.3x10-3 by adding 1.6x10-6/hr x 8760 hr x 3/4 x 1/2 = 5.3x10-3. However, in Appendix J the LPCS unavailability was calculated on the basis of 4x10-3. This was corrected in the BNL review, which resulted in an addition of 1.5x10 " to the LPCS unavailability.

Since these changes cause only 4% increase in the BNL re-quantification of the LPCS unavailability, the SNPS-PRA unavailability value was used also in the BNL review. Table 3A.1 in Appendix 3A describes the changes to the SNPS-LPCS fault tree.

3.3.2.6 Low Pressure Coolant Injection (LPCI)

The LPCI is, in general, adequately modeled in the SNPS-PRA fault trees. The small number of changes made by BNL tend to have counterbalancing effects. As seen in Table 3.1, the BNL review practically did not change the LPCI unavailability. The main changes are very similar to those in the LPCS fault tree discussed above:

a) The LPCI will not initiate on high drywell pressure in case of transient sequences (same as item (a) of LPCS).
b) CMF of clogged suppression pool strainers is included (same as item (b) of LPCS).
c) The operator failure to initiate manually the LPCI is assumed to be dominated by the failure of the operator to initiate ADS if it failed to initiate automatically (Table 3A.1, LPCI No. 2).

These changes (see also Table 3A.1 of Appendix 3A) did not result in any significant effect on LPCI unavailability. They do, however, affect significantly the unavailability of the low pressure injection function which combines both LPCI and LPCS, as discussed in the next section.

3.3.2.7 Boolean Combination of LPCI and LPCS (V)

The main contributors to the failure of LPCI and LPCS are miscalibration of all reactor vessel pressure transmitters (N097A, B, C, and D) of the LPCI and miscalibration of differential pressure transmitters (DPIs N005A and B) of the LPCS. They are not dependent if these channels are calibrated separately one from the other. However, miscalibration of all N091 level transmitters is a commonality of both systems, at least under conditions prevailing during transient sequences. This commonality was not included in the SNPS-PRA, as explained before. The commonalities of LPCI and LPCS are as follows (most of them are included in the SNPS-PRA list of Appendix J Table J.4-18):

a) Miscalibration of level transmitters and operator failure to initiate manually (mentioned above): 2x10 "
b) CMF of clogged suppression pool strainers: 5x10-5
c) Suppression pool water unavailability due to maintenance (ITM) or due to high water temperature (ZTK200KWI): 2x10-3
d) Combinations of manual system shutoffs on high reactor vessel level with failures subsequently to restart the systems when needed: 3x10-4
e) Combinations of dominant cut sets of both systems (3x10-3 x 2x10-5): 6x10-8

Since these contributions sum up to a value only 7% less than the 6.2x10 " used in the SNPS-PRA, the value was not changed in the BNL review.

3.3.2.8 Service Water System (SWS)

There are two service water systems:

a) Reactor Building Service Water System (RBSWS),
b) Turbine Building Service Water System (TBSWS).

Only the RBSWS was modeled in a fault tree. It is discussed here.

The SWS is a safety related system designed as a two-loop system, and the SNPS-PRA fault tree was constructed accordingly. The CMFs of both loops are the main contributors to SWS unavailability. The following main contributions to SWS unavailability were evaluated in the SNPS-PRA:

a) Both service water loops in maintenance: 1.4x10-4
b) Failure of all four SWS pumps: 3.5x10-5
c) Combination of excess leakage in one loop with failure to isolate the opposite loop: 0.3x10-5
d) Combination of one loop in maintenance with two pump failures in the opposite loop: 0.2x10-5
e) Loss of water supply to screen well: 3x10-5

These resulted in the unavailability of 2.1x10-4 for SWS in the SNPS-PRA. BNL considers this analysis to be realistic apart from item (a), which is conservative (yet is right for inclusion in the initiating event frequency for SWS). The only change in the BNL review was the omission of item (e) because it is due to external events, which are excluded from the PRA scope. (This is recognized in note No. 1 on the SWS fault tree, but not carried out.) However, the fault tree also includes event WFL 480 HEI which was quantified as 5x10-5 and stands for "All pumps suction clogged." This event is not included in the SNPS-PRA list of cut sets given in Appendix J Table J.4-5, but it is included in the BNL review. Thus, the SWS unavailability in the BNL review is 2.3x10-4.

LERs include precursors of the event of clogged strainers for all SWS loops' suction. A real event has not occurred in a BWR. The value 5x10-5 is judged to be conservative. BNL did not change this value because SNPS, being situated on Long Island Sound, is considered more susceptible to this failure mode than an average nuclear power plant.

Table 3A.1 in Appendix 3A shows the two changes to the SWS fault trees discussed above.

3.3.2.9 Residual Heat Removal (RHR) System

Even though a fault tree was separately developed for RHR, the SNPS-PRA does not present its cut sets in Appendix J. Another problem is that Table J.4-1 gives a value of 4.8x10-4 for RHR unavailability, which is inconsistent with SNPS-PRA functional event trees. This apparently arose from an error in the RHR fault tree (as explained below) which SNPS-PRA corrected in a later revision of the PRA and did not correct in Appendix J.

BNL review found the following contributors to RHR unavailability, based on the SNPS-PRA fault tree for RHR:

a) Both pump loops in maintenance: 1.4x10-4
b) Failure of all 4 RHR pumps: 3.5x10-5
c) Suppression pool water is unavailable due to clogged strainers: 5x10-5
d) Combinations of one loop in maintenance with two pump failures in the opposite loop: 0.4x10-5
e) Both heat exchanger bypass valves fail open (valves F048A and B): 1.6x10-5
f) Both MOVs at RHR heat exchanger outlets fail closed (MOV 34A and B on the SWS side): 2x10-5
g) Failure of SWS system (maintenance of both loops and failure of SWS pumps are excluded because the turbine building SWS would be able to provide the cooling water): 5.5x10-5

These contributions sum to 3.2x10-4 for the RHR unavailability. Using a 20-hour repair time with MTTR = 19 hours results in 3.2x10-4 x exp(-20/19) = 1.1x10-4. This value is used in BNL reassessment. The same value is also used by SNPS, but not enough information is included to support its derivation.

Two changes were made by BNL to the SNPS-RHR fault trees. These are detailed in Table 3A.1 of Appendix 3A.

Finally, it should be noted that the above RHR unavailability assumes either that PCS was available for several hours following an accident sequence or that RHR was initiated to cool the suppression pool during the first 10 hours after the initiation of an accident sequence. When these conditions are not met and suppression pool cooling starts 20 hours after a transient or LOCA initiation, the suppression pool temperature will reach temperatures above 200°F and the RBCLCW system would be needed to cool RHR pump seals in order to prevent their failure. This increases the RHR unavailability by 2x10-4 (to a value of 3x10-4 rather than 1.1x10-4), if the operator is successful in aligning the system. This dependency was not included because of its small impact on the overall Class II core damage frequency.

3.3.2.10 RCIC in the Steam Condensing Mode and RHR

No changes were made to the SNPS-PRA fault tree of RCIC in the steam condensing mode. The unavailability of this system is evaluated as 0.14. However, in the PRA this system is always used in the same function with the RHR. Thus, the Boolean reduction of the RHR and the RCIC in the steam condensing mode is of interest. This was not presented in the PRA Appendix J. The result of this Boolean reduction is given without its derivation in Table J.4-1. The value of 6.8x10-5 seems to be based on an earlier evaluation of RHR unavailability of 4.8x10-4. The conditional failure probability of RCIC in steam condensing mode given RHR has failed is 0.4 [= 6.8x10-5 / (4.8x10-4 x 0.35)].

The commonalities of RHR and the RCIC in the steam condensing mode are as follows:

a) The unavailability of the SWS (with credit to TBSWS): 5.5x10-5
b) Both MOVs at RHR heat exchanger outlets fail closed (MOV 34A and B): 2.0x10-5
c) Both RHR heat exchanger bypass valves fail open (valves F048A and B): 1.6x10-5

The probability of independent failure of both systems is 1.4x10-1 x 3.2x10-4 = 4x10-5; when the 20-hour repair probability of exp(-20/19) is applied to the sum of the values above, the unavailability obtained is 4.5x10-5. This is less by a factor of 0.4 than the RHR unavailability of 1.1x10-4. The SNPS-PRA also applied a factor of 0.4 and used the value 4.4x10-5 for the function of RHR with RCIC in the steam condensing mode. The same value was used also in the BNL reassessment, based on the above discussion and derivation.

3.3.2.11 The Electric Power System (EPS)

The fault tree of this system includes two top events:

a) Loss of power from 480 V Bus Division I, II, or III. This was found by SNPS-PRA to be 1.4x10-".
b) Loss of 125 V DC Bus Division I, II, or III. This was found by SNPS-PRA to be 3.7x10-4.

The unavailability of a DC bus can be estimated from operating experience. NUREG-0666 evaluates the loss of a DC bus as 6x10-3 per year, which is about 10-5/hr. Thus, the unavailability of a DC bus evaluated in the SNPS-PRA represents a mission time longer than the 24 hours used in general in fault tree quantification. This is apparently so because the loss of a DC bus does not necessarily cause reactor shutdown in the SNPS, and the plant can continue to operate for a few days. However, the unavailability has very small impact on the fault trees of other systems. The effect of the loss of a DC bus is
evaluated as a separate initiating event in the SNPS-PRA, and this accident sequence is reviewed in Appendix 5G.2. The BNL review did not change the fault tree for the EPS.

3.3.2.12 Feedwater System

The SNPS-PRA tree of this system was prepared in detail. A review of the tree with respect to previous BNL comments (Ref. 2) shows that the fault tree has the features BNL considered important, such as the following:

a) Failure of the operator to start the mechanical vacuum pump if the SJAE is unavailable (quantified with 0.1 failure probability)
b) Common-mode miscalibration of both reactor level channels, causing a spurious level 8 trip of the feedwater system (2x10-3)
c) Most of the other BNL concerns (Ref. 2)

The dominant contribution to the failure of the system is failure of the operator to control the system during long-term coolant injection. This was quantified as 2.5x10-2, which amounts to 50% of the feedwater unavailability. The loss of the condenser vacuum is another important contributor (2.5x10-3). On the basis of the above remarks, no significant changes were made to the feedwater system fault tree.

3.3.2.13 Condensate System

The SNPS-PRA developed a separate detailed fault tree for the condensate system. Unlike the feedwater system, the condensate system shows no clear relationship between the list of cut sets (Table J.4-15) and the fault tree. The main contributions to the condensate system unavailability derived from the PRA fault tree and cut sets in Appendix J are listed below, with some examples of inconsistencies:

a) The main contribution comes from the failure of the operator to provide long-term makeup water to the condenser (0.025). This does not appear on the fault tree.
b) Simultaneous failure of both condensate pumps or both condensate booster pumps (= 4x10-5). This appears on the feedwater system fault tree and is developed in a different way on the condensate system fault tree.
c) Flow control instruments fail to supply signal or supply false signal to train A and B. This contributes = 4x10 " to the condensate unavailability. It appears on the fault tree but is not shown in the cut sets list.
d) Event "ERUPT" is considered in the fault tree and stands for "rupture of piping/heat exchanger." This 1.1x10-4 contribution is not in the cut sets list.
e) Loss of offsite power during the mission time for the system (= 10-3). This item appears both in the fault tree and the cut sets list.

It is apparent that the value given in Table J.4-1 of the PRA (0.12 for the condensate unavailability) has an error. The unavailability is about 0.03. This unavailability is dominated by the operator error to provide long-term makeup water to the condenser.

In the BNL re-assessment, the system unavailability is also dominated by operator response. However, different values for the operator error are used for short-term responses. A value of 0.1 is assumed for failure of the operator to:

a) Control the flow rate of the condensate pumps so that it will match the rate of condenser makeup flow rate of about 1000 gpm.
b) Verify the successful initiation and operation of the condenser makeup from the Condensate Storage Tank (CST), which is automatic.*

3.3.2.14 Power Conversion System (PCS)

No fault tree is given for this system in particular. Major parts of this system are included in the feedwater and condensate systems fault trees. The PCS includes also the MSIV, the condenser, the turbine bypass, and the circulating water system. The feedwater and condensate system fault trees represent these additional systems by undeveloped events (which are not resolved to the component level).

The SNPS-PRA based the PCS unavailability on experiential data, which result in an unavailability of 1.1x10-2. Using a recovery probability of 0.45 in 15 hours (repair with MTTR = 19 hours) it derived a value of 0.005 for PCS* (see response No. 8 in Ref. 9).

In the BNL re-assessment, the fault trees for the condensate and feedwater were used to estimate hardware unavailabilities for the PCS:

a) MSIV hardware failure: 0.0005
b) Circulating Water System hardware failure (including failure to run): 0.001
c) Condensate System Control failures contribution: 0.0003
d) Condensate system pumps and valves failure contribution (including failure to run): 0.0003
e) Steam Jet Air Ejector or Mechanical Vacuum Pump: 0.002
Total: 0.004

*Mr. Dick Paccione (LILCO), private communication with BNL (1984).

This value is used in BNL functional level event trees for the evaluation of the long-term PCS unavailability (see Appendix 5A.1).

3.3.3 Summary of the Review of Fault Tree Analysis and its Impact on Core Damage Frequency

The BNL review did not result in significant changes to the front or support system unavailabilities. It concentrated on the cut sets of safety functions which combine several front systems. The review, also, did not significantly change the unavailabilities of the safety functions. In the latter case, however, the main contributors to the functions' unavailabilities were modified, i.e., failure modes other than those in the SNPS-PRA were found to be important in the BNL review. The changes are as follows:

a) In SNPS-PRA the "U" function is dominated by miscalibration "high" of level 8 transmitters (high above level 8 set point). In the BNL review this is a minor contributor, and the main contributions come from miscalibrating "low" the level 8 transmitters (below the nominal level 8 set point), and from miscalibration of the turbine pressure trip set points of both HPCI and RCIC.
b) In the SNPS-PRA the "UX" function is dominated by loss of AC power to Divisions I and II electric power supplies, failures of level instrumentation combined with HPCI and operator failures, and level 8 miscalibrated "high." The SNPS-PRA appears to include only some of the contribution to the core damage frequency from the combination of the "U" and "X" functions; proper evaluation of UX would increase the SNPS-PRA result. The "UX" function is seen (Section 3.3.2.4) to be about 50% independent failure of "U" and "X" in the BNL re-assessment, with the other 50% coming from loss of AC power, as in the SNPS-PRA, and from miscalibration of the level 1 instrumentation.
c) In the SNPS-PRA the "V" function is dominated by suppression pool failure to supply water. BNL found the miscalibration of level 1 transmitters to be the important contributor.
d) In the case of RHR combined with RCIC in the steam condensing mode, BNL found that, unless the turbine building service water (TBSWS) is given credit, the reactor building service water (unavailability = 2.3x10-4) will dominate the unavailability of this function, and there is little to be gained from the RCIC steam condensing mode. The SNPS-PRA factor of 0.4 was obtained by BNL only with credit given to TBSWS (the SNPS-PRA gave credit to TBSWS in the case of loss of SWS transient, see Appendix 5G.3).
e) The event of miscalibration of level 1 and 2 N091A, B, C, and D transmitters, named "HHU7200XI," appears on the fault trees and affects the "UX" and "UV" functions for transient sequences. This important dependence was not addressed in the SNPS-PRA. Details are discussed in Appendix 5A.1.4.

The impact on core damage frequency of the fault trees modification is small. BNL's major modifications affected the contributors to the unavailability of safety functions when combining several system fault trees. However, these changes had impacts that either increased or decreased core damage frequencies, so that the overall result did not change the SNPS-PRA estimation of core damage frequencies.

3.4 Human Performance Analysis

Two types of human errors (cognitive and procedural) can contribute to the unavailability of frontline systems and impact on core damage frequency. These are addressed in the SNPS-PRA (Ref. 1).

3.4.1 Cognitive Human Errors

The SNPS-PRA explicitly modeled cognitive human errors in the event trees and in the fault trees. These human errors, with a description of the required action and the time available (or assumed) for action, are listed in Tables 3.2 and Table 3.3.

The BNL review in general agreed with the qualitative modeling approach to most cognitive human errors. BNL disagreed with the model in only a few cases, the most notable being the "GOL" model of the SNPS-PRA, which BNL changed to a "GL" model (see Appendix 5F for details), and loss of a reference leg, for which BNL moved some cognitive errors to an earlier stage in the BNL event tree and thus affected the core damage frequency (see Appendix 5E for details). In many cases, however, BNL disagreed with the quantification of the human errors. Tables 3.2 and 3.3 include BNL quantifications* for comparison with the SNPS-PRA values where significant changes were made. Appendix C of Ref. 4 went into great detail in modeling potential cognitive errors in the analysis of SNPS water level measurement system and is discussed in the detailed review in Appendices 5E and 5F.

3.4.2 Procedural Human Errors

Procedural human errors contribute to system or component unavailabilities through routine procedures such as calibration testing and maintenance or normal plant operation. In most cases the SNPS-PRA followed the techniques recommended in NUREG/CR-1278 for their quantification. The BNL review concentrated on determining whether any procedural human errors were omitted in the analysis; their quantification was not part of the review. Tables 3.2 and 3.3 present the most important procedural human errors covered in the SNPS-PRA.

3.5 References to Section 3

- 1. Papazoglou, I. A., et al., "Probabilistic Safety Analysis Procedure Guide," NUREG/CR-2815, September 1983. -
*The quantifications shown are for illustrative purposes. The appendices include the background for these quantifications. . . 66 i
l l .- .- - . . - -
2.1 . . . . u:: . . _ :: ..
. . Q ,2. . b;... ':' '
- 2. Papazoglou, I. A., et al., "A Review of the Limerick Generating Station Probabilistic Risk Assessment," Brookhaven National Laboratory, NUREG/CR-3028, February 1983.
- 3. Hanan, N., et al., "A Review of BWR/6 Standard Plant Probabilistic Risk Assessment, Vol. 1 Internal Events and Core Damage Frequency," Brookhaven National Laboratory, NUREG/CR-4135P, May 1985.
- 4. "Review of Shoreham Water Level Measurement System, Revision 1," S. Levy, Inc., SLI-8221, November 1982.
- 5. "Anticipated Transients Without Scram for Light Water Reactors," Nuclear Regulatory Commission, NUREG-0460, 1980.
- 6. Shiu, K., Sun, Y., Anavim, E., and Papazoglou, I. A., "A Review of the Accident Sequences Following an Excessive Release of Water at Elevation 8 of Reactor Building in the SNPS," Brookhaven National Laboratory, NUREG/CR-4049, April 1984.
- 7. "Additional Information Required for NRC Staff Generic Report on Boiling Water Reactors," GE Report NEDO-24708, December 1980.
- 8. Haried, J. A., "Evaluation of Events Involving SWS in Nuclear Power Plants," Oak Ridge National Laboratory, NUREG/CR-2797, November 1982.
- 9. "LILCO's Response to Questions on Shoreham Probabilistic Risk Assessment," Long Island Lighting Company, SNRC-1021, May 1984.
- 10. Swain, A. D., and Guttmann, H. E., "Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications," NUREG/CR-1278, October 1980.
Table 3.1 Point Estimates of SNPS System Unavailability Compared to BNL Review

| System(s) | Quantified Unavailability, SNPS-PRA | Quantified Unavailability, BNL Review |
|---|---|---|
| RCIC | 6.87E-2 | 7.E-2 |
| HPCI | 9.63E-2 | 1.E-1 |
| SERVICE WATER | 2.12E-4 | 2.3E-4 |
| STANDBY LIQUID CONTROL | 1.05E-1 | 1.05E-1 |
| RHR | 4.83E-4 | 3.2E-4 |
| RBCLCW | 3.99E-4 | - |
| Electric Power: 125 V DC | 3.66E-4 | 3.7E-4 |
| Electric Power: 480 V AC | 1.4E-4 | 1.4E-4 |
| Core Spray | 3.62E-3 | 3.6E-3 |
| LPCI | 2.68E-3 | 2.7E-3 |
| ADS | 8.56E-4 | 8.4E-4 |
| RBSYS & CHILLERS | 2.33E-4 | - |
| FEEDWATER | 5.46E-2 | -*** |
| RCICSC | 1.40E-1 | 1.4E-1 |
| CONDENSATE | 1.23E-1 | -*** |
| HPCI [A] RCIC** | 8.99E-3 | 1.E-2 |
| LPCI [A] Core Spray** | 6.25E-4 | 6.2E-4 |
| RHR [A] RCICSC** | 6.8E-5+ | 4.4E-5+ |
| HPCI [A] RCIC [A] ADS** | 9.5E-6 | 9.E-6 |
| HPCI [A] RCIC [A] LPCI [A] Core Spray** | 4.0E-6 | 6.25E-6 |

* Failure of one of the three emergency divisions.
** "[A]" represents a Boolean AND operation denoting the simultaneous failure of two or more systems.
*** The fault trees were used to obtain an estimate of the PCS hardware unavailability for long-term containment heat removal. BNL used 0.004 for PCS hardware unavailability and failure to run for ten hours.
+ Includes repair [exp(-20/19)].
Table 3.2 Human Errors Modeled in Event Trees

| Symbol | Description of Required Action | Time Available for Action | Quantification*, SNPS-PRA | Quantification*, BNL Review |
|---|---|---|---|---|
| Q | Feedwater runback (ATWS) | 15 minutes | 0.3" | 0.2" |
| CLI | Reduce reactor vessel water level during ATWS. The BNL value includes also failure to inhibit ADS. | minutes | ... | 0.19* |
| O | ADS inhibit during ATWS | minutes | 0.5 | (0.2) |
| C | SLC injection initiation (ATWS) | ** | 0.11 | 0.15 |
| C' | Timely manual shutdown of reactor (IORV) | ≈ 1/2 hour | 0.001 | 0.01 |
| Q, W | Recovery of FW and PCS, including reopening MSIV in the short and long term (Transient/LOCA) | minutes, 1/2 hour, hours | various values" | various values" |
| V | Condensate pumps flow control and verification of proper water makeup to hotwell (Transients/small LOCA) | 1/2 hour | 0.01 | 0.1 |
| V | Same action (Large LOCAs or LOCA outside containment) | minutes | 0.2 | 0.2 |
| X (Phase I) | Timely ADS actuation when high pressure injection failed (LOOP) | 1/2 hour | 0.02 | 0.02 |
| X (Phase II, III) | Operator error in performing early depressurization (LOOP) | hours | 0.1" | 0.1" |
| X' | Maintaining reactor in depressurized conditions (LOOP) | hours | 0.2 | 0.2 |
| T | Successful cross tie of turbine building SWS given RBSWS failed (Loss of SWS) | 1/2 hour | 0.26 | 0.24* |
| L | Maintaining water level 3 in reactor vessel (loss of drywell cooling)* | hours | 0.005 | 0.001* |
| L | Same action (loss of offsite power, blackout conditions)* | 1/2 hour | 0.06 | 0.05* |
| G | Recovery of drywell coolers or initiation of containment sprays (loss of drywell cooling)* | 1/2 hour | 0.05" | 0.05** |
| In | Erroneous actuation of ADS (Loss of reference leg transient) | 1/2 hour | 0.01 | 0.01 |
| N | Operator recognizes the need for manual initiation of injection (high and low pressure injection) (Loss of reference leg transient) | 1/2 hour | 0.052" | 0.062** |

* Only significant cases are shown. The values are failure probabilities. The quantified values are illustrative and should not be used without the bases given in the Appendices of Section 5.
" Values are sequence dependent. One example is shown.
** 30 minutes assumed available in SNPS-PRA; only 5 to 10 minutes in BNL review.
Modeling changes were made in this case which have larger impact than the change in quantification.
Table 3.3 Major Human Errors* Modeled in System Fault Trees

| System | No. | Description of Required Action | Time Available for Action | Quantification in SNPS-PRA |
|---|---|---|---|---|
| HPCI/RCIC | 1 | Manual actuation of HPCI upon failure of auto-start signal | 1/2 hour | 0.1 |
| HPCI/RCIC | 2 | Miscalibration of all level transmitters | --- | 0.002** |
| HPCI/RCIC | 3 | Miscalibration of turbine pump trip exhaust pressure transmitters | --- | 0.002 |
| HPCI/RCIC | 4 | Failure to control or shut off RCIC/HPCI before water carryover upon failure of level 8 trip | minutes | 0.1 |
| HPCI/RCIC | 5 | Human error failure to transfer HPCI from CST to suppression pool in time, upon failure of auto transfer | 1/2 hour | 0.1 |
| HPCI/RCIC | 6 | Manual actuation of HPCI upon failure of auto start (including auto start not reset) | 1/2 hour | 0.1 |
| ADS | 1 | Manual depressurize plant given that automatic depressurization has failed | 1/2 hour | 0.1 |
| LPCS | 1 | Failure to manually start the LPCS pump given that it failed to start automatically | 1/2 hour | 0.1** |
| LPCS | 2 | Same as LPCI items (3) and (4) | - | - |
| LPCS | 3 | Miscalibration of reactor pressure transmitters | --- | 0.002 |
| LPCI | 1 | Manually start the LPCI pump given that it failed to start automatically | 1/2 hour | 0.1* |
| LPCI | 2 | Manually open pump discharge valves in alternate discharge line (same as RHR) | 1/2 hour | 0.025 |
| LPCI | 3 | Operator fails to restart LPCI as water level decreases | 1/2 hour | 0.003 |
| LPCI | 4 | Operator manually shut off LPCI on high level during an accident | --- | 0.1 |
| LPCI | 5 | Miscalibration of differential pressure channels | --- | 0.002 |
| Electrical Power | 1 | Direct power to 480-V bus is not restored within 2 hours | ~ 2 hours | 0.8 |
| RHR | 1 | Start suppression pool cooling when required, and correct valve misalignments during line-up of the system | hours | 4x10⁻⁵** |
| RHR | 2 | Manually open pump discharge valves in alternate discharge lines, given that normal discharge line valves have failed | hours | 0.025 |
| SLC | 1 | Failure to manually initiate SLC | 1/2 hour** | 0.1 |
| SWS | 1 | Failure to manually initiate SWS pump upon failure of automatic initiation | 1/2 hour | 0.9 |

* Only human errors which are included in the major cut sets of the systemic fault trees.
** Modifications were made in BNL review (see Appendices or Section 4.3).
APPENDIX 3A

CHANGES MADE TO SNPS-PRA FAULT TREES

The changes to the SNPS-PRA fault trees suggested by BNL are summarized in Table 3A.1 for each system, in the following order:

- 1. RCIC - Reactor Core Isolation System
- 2. HPCI - High Pressure Core Injection System
- 3. LPCI - Low Pressure Core Injection System
- 4. LPCS - Low Pressure Core Spray System
- 5. RHR - Residual Heat Removal System
- 6. SWS - Service Water System
- 7. RCICSC - RCIC Steam Condensing Mode
- 8. EPS - Electrical Power System
- 9. Feedwater System
- 10. Condensate System

The SNPS-PRA also includes the following systemic fault trees to which BNL made no modifications:

- 1. ADS - Automatic Depressurization System
- 2. SLC - Standby Liquid Control System
- 3. RBCLCW - Reactor Building Closed Loop Cooling Water
- 4. RBSYS and CRAC - Chilled Water
- 5. Feedwater System
- 6. EPS - Electrical Power System
Table 3A.1 BNL Changes in SNPS-PRA Fault Trees

| System | No. | Page | Gate Name | Gate Type | Input Name | Value | Description |
|---|---|---|---|---|---|---|---|
| RCIC | 1 | 7 | RTOP | OR | HCOMMON | 10⁻³ | This is a CMF of RCIC and HPCI which appears on both trees, but is ignored in the PRA evaluation without explanation. It can be justified as a steam leakage from HPCI or RCIC steam lines or valves that cause some area temp sensors to isolate these systems. A value of 10⁻³ may not be too high for a small steam leakage. It was considered in the BNL evaluation of HPCI/RCIC CMF. |
| RCIC | 2 | 10 | RLTA | OR | RLU002DWI | 10⁻³ | This lube oil system unavailability was judged to be too low compared with that in past PRAs, and with the unavailability of the lube oil system of HPCI, which is almost 8 times as high. This event was developed in detail in the HPCI fault tree, but here it remained undeveloped. A value of 3.6x10⁻³ was assumed. |
| RCIC | 3 | 12 | HAUTO | OR | HSW001DXI | 5.8x10⁻⁴ | The SNPS-PRA tree designates this manual switch as common between RCIC and HPCI. The BNL review assumed separate switches for HPCI and RCIC. |
| RCIC | 4 | 20 | RFTT | OR | RHU1000XI | 2x10⁻³ | Note 3 says that a common-mode miscalibration of both RCIC and HPCI exhaust turbine pressure trip/shutoff sensors can conservatively be made. However, on the HPCI tree the designator HHU002DXI (page 28) is used. This was changed to the same designator on both trees, and included as CMF of both systems. It is missing in the cut set resulting from the Boolean combination of HPCI and RCIC trees (see item below). |
| RCIC | 5 | 21 | RFFT | OR | HHU9090XI | 2x10⁻³ | This event is a cut set which is missing in the list of Appendix J. It is also a CMF with HPCI; however, there it is designated HHU001DXI. It was changed to HHU001DXI on the RCIC tree, page 21. Note that on RCIC, page 9, and HPCI, page 18, there are two other HHU9090XI miscalibration events of level 8, but these are errors "too low". The HHU001DXI then designates miscalibration error of level 8 "too high". |
| RCIC | 6 | 22 | RFLVCI | OR | ---- | 2x10⁻³ | BNL added input RHU2000XI to account for miscalibration of low pressure sensors, giving false isolation valve closure. |
| RCIC | 7 | 27 | RPMDI | OR | RTRID | 10⁻³ | Not appearing on cut set list even though instability in turbine exhaust is a potential trip mechanism in subsequent starts, the same way as it was on initial start. |
| RCIC | 8 | App. J, page J-36 | | | | | The discussion here implies that, at some time, RCIC had 29 cut sets rather than the 28 shown. This needs correction. |
| HPCI | 1 | 5 | HFTG | AND | HPRESI | 2x10⁻³ | This is true for LOCA initiators, but not for transients with successful scram, in which it takes at least one hour to reach the 1.7 psi drywell pressure setpoint if RHR is not cooling the suppression pool. It was separated into the above two cases, so that, in case of a transient that does not cause drywell pressure, an event HPR = 1.0 was added to the OR gate HPRESI on page 6. |
| HPCI | 2 | 9 | M FIL | OR | YHU1000XI | 10⁻³ | A value of 0.05 for failure to replenish water to CST was used in BNL review. |
| HPCI | 3 | 12 | HMMAN | OR | HSW001HWI | 2.47x10⁻³ | This failure of manual switch received an hourly failure rate rather than the per demand failure rate of 5.8x10⁻⁴ given elsewhere for similar events. See HPCI fault tree, page 4, event HSW0010XI. |
| HPCI | 4 | 15 | HINT8 | OR | HPR80 | --- | This event is developed on page 29 under the name HSPH. HPR80 changed to HSPH. Other similar changes should be made on these two pages. |
| HPCI | 5 | 16 | HPM | OR | HCOMMON | 10⁻³ | Included. For description see RCIC item No. 1. |
| HPCI | 6 | 23 | HLUBE | OR | DWI | 4.5x10⁻³ | Auxiliary oil pump is used for startup of HPCI turbine and when the turbine gains speed the shaft-driven oil pump begins to supply the hydraulic pressure. Should the shaft-driven oil pump malfunction, causing oil pressure to drop, the auxiliary oil pump restarts. The fault tree, nevertheless, assumes both pumps are required and puts them in series. The cut sets of Appendix J ignore DWI for the shaft-driven, i.e. assume they are in parallel. This should be clarified. Until then, a conservative assumption is that for long-term success of HPCI (10 hrs) both are required. |
| HPCI | 7 | 24 | HOT | OR | HHV007DQI | 1.24x10 | Typo error: NC-FC should be NO-FC. |
| HPCI | 8 | 28 | HSPT | OR | HHU0020XI | 2x10⁻⁴ | Was changed to RHU1000XI. See RCIC item 4 for description. |
| HPCI | 9 | 34 | HIND | AND | HCV0190PD | 3.33x10⁻⁵ | 1) The data base value of the check valve failure is 10⁻⁴ per demand. There is no apparent basis to assume 1/2 of its failure rate in subsequent starts. 10⁻⁴/d was assumed. 2) Automatic transfer to suppression pool suction precludes use of CST. The analysis assumed the probability of this event to equal 1.0 after 1 hr, when automatic transfer on high suppression pool level was assumed. However, this is not correctly modeled in the fault tree. Event HCV0190PD should be replaced by OR gate with two inputs: HCV0190PD for the first hour and HINAUTS for the case of the probability of high level in suppression pool = 1.0. |
| HPCI | 10 | App. J, pg. J-36 | | | | | The discussion here implies that at some time HPCI had 40 cut sets rather than the 39 shown. This needs correction. |
| LPCS | 1 | 4 and 5 | LILOG2 and LILOG2 | AND | LPRA, LPR8, LPRC, LPRD | 2.0x10⁻³ + 2.7x10⁻³ | Value of 1.0 was used for these inputs in the case of transient. For LOCA and ATWS the value of the input remains unchanged. |
| LPCS | 2 | 2 | LPCS1, LPCS2 | OR | ---- | ---- | Added to each of these "OR" gates the event "LSP" which mainly stands for failure of suppression pool due to clogged strainers, and which is included in the SNPS-PRA cut sets list (ZFL100HEI = 5x10⁻⁵). See also LPCI fault tree, page 4, and HPCI fault tree, page 11. |
| LPCS | 3 | 13 | LDIDIS | OR | LMV05DPI | 4x10⁻³ | Changed to 9.3x10⁻³ to account for less frequent testing as stated in SNPS-PRA note 10 to the LPCS fault tree. |
| LPCS | 4 | 14 | LD20lS | OR | LMV0580PI | 4x10⁻³ | Changed to 9.3x10⁻³ as above. |
| LPCS | 5 | 4 | LAUTO | OR | LHU5000XI and LHU600DXI | 0.05 + 0.05 | Should be changed to event "AHU1990XI" appearing on page 13 of the ADS fault tree. This accounts for the failure of the operator to initiate low pressure injection manually following failure of the high pressure injection. It is assumed that failure of the operator to initiate ADS will result in his failure to initiate the LPCS or LPCI, i.e., these are dependent failures. |
| LPCI | 1 | 2 | DlIA | AND | LIAUTO | small | The changes made by BNL to the LPCS tree (see LPCS No. 1) will change this entry on the LPCI fault tree to ~2x10⁻³, and it will appear in the cut sets list of the system as "HHU7200XI x AHU1990XI," contributing 2x10⁻⁴ to the LPCI unavailability. |
| LPCI | 2 | 2 | DllA | AND | DHUlllDXI | 0.1 | Changed to the event "AHU1990XI" which appears on ADS fault tree, page 13. See comment LPCS No. 5. |
| RHR | 1 | 4 | DSTAX | OR | DFLOIAHEI | 2.6x10⁻⁴ | This is a "single strainer blockage/failure" of the suppression pool strainers. This should be a CMF of all strainers and be common to both HPCI and RHR. It was changed to the notation "ZFL100HEI" as on the HPCI fault tree (page 11) and quantified as 5x10⁻⁵. |
| RHR | 2 | 5 | DHUM | OR | all entries | 4x10⁻⁵ | These are operator and procedure errors that cause failure to align the RHR to the suppression pool. This event can be reasonable for the first few hours following an accident, but the probability of its occurring 20 hours after the accident sequence initiation is assumed to be lower, in the 10⁻⁵ range. Hence, it is not included in the BNL list of contributors in Section 3.3.2.6. |
| SWS | 1 | 3 | WEWlA | OR | WATER | 3x10⁻⁵ | Deleted. This is an external event and, as such, is not considered in the current scope of the PRA. |
| SWS | 2 | 3 | WEWlA | OR | WFL480HEI | 5x10⁻⁵ | Included in the fault tree analysis. Even though this event appears on the SNPS-PRA fault tree, it was excluded from the list of cut sets. BNL included it as a cut set of SWS. |
| RCIC in Steam Condensing Mode | 1 | 4 | RHXWA | OR | DHXA, DHXB | --- | The "DHXA" and "DHXB" are inputs transferred from the RHR fault tree. These gates should transfer in the unavailabilities of Service Water Systems loop A and loop B. The correct gate names on RHR or SWS fault trees are, however, "WEWA" and "WEWB." This was changed by BNL. |
| RCIC in Steam Condensing Mode | 2 | 4 | RHXWA | OR | ---- | ---- | A new gate named "WMV34ADPI" (and "WMV34BDPI") had to be added to account for the failure of both MOV34A and MOV34B on the RHR heat exchanger outlet from the SWS side. |
| RCIC in Steam Condensing Mode | 3 | 6 | DHXATSP | AND | several | several | This gate has a subtree which is more accurately developed in the RHR fault tree, pages 11, 12, and 13. A transfer-in from the RHR fault tree was included in the BNL re-assessment. The main difference is that event "DHU471DXI" for "operator fails to manually realign flow path discharge to suppression pool" is missing in the RCIC in the steam condensing mode fault tree. |
| RCIC in Steam Condensing Mode | 4 | 4 | RHXWA | OR | ---- | ---- | Added a new gate to the fault tree named event "DMV48ADWI" (and "DMV48BDWI"), which appear on page 6 of the RHR fault tree. This is the failure of the bypass valves of the RHR heat exchanger, causing flow diversion. |
| Condensate System | 1 | 1 | FLPINJ | OR | ---- | ---- | A new input was added with the name "FHU2120XI" and a value of 2.5x10⁻², similar to page 3 of the feedwater system fault tree. It stands for "Long-term operator actions to control condensate flow and makeup during cooldown." |
| Condensate System | 2 | 8 | FCPA, FCPB | OR | ---- | ---- | New inputs were added "FCPA" and "FCPB" transferred-in from page 15 of the feedwater system fault tree and also "FCPBA" and "FCPBB" transferred-in from page 17 of the feedwater system fault tree. |
| Condensate System | 3 | 14 | FSJ | OR | several | several | This gate should be an "and" gate, exactly the same as in the feedwater system fault tree, page 16. |
| Condensate System | 4 | 21 | FLPH8Y | OR | several | several | This gate should be an "and" gate. |
| Condensate System | 5 | 21 | FAVTOBY | AND | several | several | This gate should be an "or" gate. |
4. DATA ASSESSMENT

This section reviews the numerical values of the parameters necessary for the quantification of the accident sequences. Subsection 4.1 presents the SNPS-PRA frequencies for the initiating events along with the BNL assessments. Subsection 4.2 discusses the SNPS-PRA data base used in the evaluation of component unavailabilities along with the BNL evaluation. Comparisons with the LGS-PRA are also presented.

4.1 Frequencies of Initiating Events

4.1.1 Initiating Event Frequencies Used in the SNPS-PRA

The SNPS-PRA considered six groups of initiators:

- a. Transient initiators excluding loss of offsite power (LOOP) with successful scram.
- b. Manual shutdown initiators.
- c. Loss of coolant accidents (LOCAs).
- d. Transient initiators without scram (ATWS).
- e. Low frequency transient events.
- f. Loss of offsite power initiator.

The frequencies of these initiators are treated separately also in the BNL review as described in the following subsections.

The frequencies of transient initiators used in the SNPS-PRA were based on data included in an EPRI-NP-801 report⁵ which summarizes experiential data obtained from twelve operating BWRs and covers plant histories up to 1978.

The frequency of manual shutdown events was taken from an SAI report⁷.

LOCA frequencies were based on a 1977 EPRI report. The SNPS-PRA evaluated the frequencies of large, medium, and small LOCAs inside the drywell according to that 1977 EPRI report. It also calculated the frequencies of large LOCAs outside containment, and of interfacing LOCAs. The first was calculated according to failure rates taken from WASH-1400 and pipe length and isolation considerations. The calculation of the latter was different from that in WASH-1400; the data are based on Ref. 16, which summarizes LERs on valve failure, and the analysis is similar to that in an NRC work¹⁵.

Frequencies of initiators coupled with failure to scram were based again on Ref. 5, with use of the same values derived for transients multiplied by the probability of failure to scram.

Low frequency transient events such as loss of DC, containment flooding, loss of service water, loss of reference leg in the water level measuring system, and loss of drywell cooling (see Table 4.1) were considered again on the basis of LER data, or, if the latter were unavailable, on the basis of estimated system failure probabilities.
The frequency of the loss of offsite AC power initiator was given plant-specific treatment in the SNPS-PRA with use of LILCO fossil plant LOOP experience gathered since 1965.

Table 4.1 gives the frequencies used in the SNPS-PRA for the six groups of transient initiators, manual shutdown, the LOCA initiators, initiators coupled with a failure to scram, other low frequency transient events, and the LOOP frequency. SNPS-PRA values are compared with results of the BNL review.
4.1.2 BNL Assessment of the Initiator Frequencies

a. Transient Initiators with Successful Scram

An independent assessment was conducted to determine point values and associated distributions for the frequency of each one of the transient initiators used in the study.

The assessment is based on experiential data obtained from sixteen operating BWRs and it includes both generic (i.e., characterizing the whole population) and particular (i.e., plant-specific) evaluations. The technique used is based on the "two-stage" Bayesian approach* first proposed and used by Kaplan¹ in the Zion and Indian Point PRAs²,³ and as modified by Papazoglou. The basic assumption of this method is that there is an actual variability in the frequency of each initiator within the population, but the characteristics of this variability are not exactly known because of limited information.

The technique calls for the assessment of a prior distribution for certain parameters. This is equivalent to assessing a prior distribution, for the frequency of the initiator, that characterizes the plant population. The prior distributions are then updated by using experiential data. In the present assessment, the prior distribution for the initiator that characterizes the plant population was practically log-uniform in the range of 10⁻⁴/yr to 10⁺¹/yr.

The data were obtained from a recent EPRI report⁸ that provides information on occurrences of 37 types of transients in BWRs. The data consist of 910 events occurring over 101.5 plant-years at 16 different plants. Means, medians, and five and ninety-five percentiles have been determined for each of the 37 initiators considered and for each of the 16 different plants.

For each initiator, a distribution was also generated to represent the population as a whole. This distribution best characterizes the uncertainties in the frequency of initiators for plants (such as the SNPS) that belong to the population but for which experiential data are not available.
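The population assessment described above can be worked through numerically. The following is an added example, not the BNL or SNPS-PRA calculation: it assumes a lognormal plant-to-plant variability curve, a flat prior on its log standard deviation between 0.1 and 2.0, a log-uniform prior on its median from 1e-4 to 10 per year, and per-plant event counts that are constructed for illustration.

```python
import math

# Constructed sample for ONE initiator type: (events, plant-years) per plant.
# These numbers are illustrative and are not taken from the EPRI data.
PLANT_DATA = [(3, 6.2), (1, 5.0), (7, 8.1), (0, 4.3),
              (2, 7.5), (5, 6.8), (1, 3.9), (4, 9.0)]

# Standard-normal quadrature nodes used to integrate over plant-to-plant variability.
_Z = [-4.0 + 0.2 * j for j in range(41)]
_W = [math.exp(-0.5 * z * z) for z in _Z]
_WSUM = sum(_W)


def poisson_pmf(k, mu):
    """P(k events | expected count mu), evaluated in log space."""
    if mu <= 0.0:
        return 1.0 if k == 0 else 0.0
    return math.exp(k * math.log(mu) - mu - math.lgamma(k + 1))


def plant_likelihood(k, years, median, sigma):
    """Likelihood of one plant's record when its true frequency is a draw from
    a lognormal population curve with the given median and log-sd (assumed form)."""
    total = 0.0
    for z, w in zip(_Z, _W):
        lam = median * math.exp(sigma * z)
        total += w * poisson_pmf(k, lam * years)
    return total / _WSUM


def hyper_posterior(data, lo=1e-4, hi=10.0, n_med=60, n_sig=20):
    """Stage one: posterior weights over (median, sigma) of the population curve.
    An even grid in ln(median) is the log-uniform prior; an even grid in sigma
    is the assumed flat prior on the spread."""
    grid, logp = [], []
    span = math.log(hi) - math.log(lo)
    for i in range(n_med):
        median = math.exp(math.log(lo) + span * i / (n_med - 1))
        for j in range(n_sig):
            sigma = 0.1 + 1.9 * j / (n_sig - 1)
            ll = sum(math.log(max(plant_likelihood(k, t, median, sigma), 1e-300))
                     for k, t in data)
            grid.append((median, sigma))
            logp.append(ll)
    top = max(logp)
    weights = [math.exp(v - top) for v in logp]
    norm = sum(weights)
    return [(m, s, w / norm) for (m, s), w in zip(grid, weights)]


def population_cdf(x, post):
    """Stage two: CDF of the frequency for a plant with no data of its own,
    i.e. the posterior-weighted mixture of the candidate population curves."""
    lx = math.log(x)
    return sum(w * 0.5 * (1.0 + math.erf((lx - math.log(m)) / (s * math.sqrt(2.0))))
               for m, s, w in post)


def population_quantile(p, post):
    """Invert the mixture CDF by bisection in ln(frequency)."""
    a, b = math.log(1e-8), math.log(1e4)
    for _ in range(60):
        mid = 0.5 * (a + b)
        if population_cdf(math.exp(mid), post) < p:
            a = mid
        else:
            b = mid
    return math.exp(0.5 * (a + b))


def population_mean(post):
    """Mean of the mixture; each lognormal has mean median * exp(sigma^2 / 2)."""
    return sum(w * m * math.exp(0.5 * s * s) for m, s, w in post)


def summarize(data):
    """Mean, median, 5th and 95th percentiles of the population distribution."""
    post = hyper_posterior(data)
    return {"mean": population_mean(post),
            "p05": population_quantile(0.05, post),
            "median": population_quantile(0.50, post),
            "p95": population_quantile(0.95, post)}


if __name__ == "__main__":
    for name, value in summarize(PLANT_DATA).items():
        print(f"{name:>6}: {value:.3f} per plant-year")
```

The width of the 5th to 95th percentile band reflects both the spread between plants and the uncertainty about that spread, which is why records that disagree strongly from plant to plant widen the result for a plant that has no operating history.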
The population distributions were further combined according to the grouping previously described (Section 2, Table 2.11). Table 4.2 summarizes and compares the results of the SNPS-PRA and those of the BNL review. The grouping of the transient initiators is indicated in parentheses; the numbers show the initiator sequential number as it appears in EPRI NP-2230⁸. The groupings of the SNPS-PRA were not changed in the BNL review, as stated in Section 2.

*Because the SNPS has not started power operation, there are no plant specific transient data from the plant, and a one stage Bayesian approach was used by BNL.

The first four columns of Table 4.2 show the SNPS-PRA results. The next four columns show the results obtained by applying the same SNPS methodology to the more recent data source. The two last columns present BNL results obtained by using the updated source and the two-stage Bayesian methodology. Most of the increase in BNL initiator frequencies is seen to be derived from the updated experience of BWR-related events⁸. In the BNL independent assessment, the values in the last column of Table 4.2 were used. The basis for this choice is further explained below.

The results in Table 4.2 are generic initiator frequencies. At least in one case there is some plant specific information that suggests a lower initiator frequency for Shoreham. The Shoreham plant utilizes Target Rock two stage SRVs which are more reliable than those SRVs which are included in the data base for the IORV. Thus, a lower IORV frequency can be anticipated for SNPS than used in the PRA or in the BNL review. However, the effect of this transient on the results is very small, and a reduced initiator frequency for IORV would not have any significant effect.

The SNPS-PRA differentiated between the impact of failures during the first year of plant operation and of those in later years. BNL concluded, however, that the data base used⁵ was not sufficiently refined for this purpose. The later EPRI-NP-2230 update⁸ showed that the impact of ignoring the first year of plant operating experience causes a reduction of about 20% in initiator frequencies (see last two columns of Table 4.2). In addition, BNL considers the "weighted average" approach of the SNPS-PRA to result in small underestimations of the initiator frequencies, due to the lack of experience from aging plants (after 30 to 40 years of operation), which may be comparable with the first-year frequencies in the number of challenges because of increased failure rate (wear-out).

The purpose of subtracting the data for the first year of operation was to obtain transient initiator frequency for the evaluation of risk associated with Shoreham during mature plant operation. The BNL review is aimed at obtaining the average risk associated with Shoreham during the entire lifetime of power operation. This can be obtained by deriving the initiator frequency from the data of EPRI-NP-2230 for all years of operation. Note that this EPRI report includes, on the average, experience from 7 years of a plant operation; thus the first year of operation is weighted 1/7 (and not 1/35 as in the SNPS-PRA). As shown in Table 5.15 of Section 5-3, the difference between these two assumptions amounts to 10% in the total core damage frequency for SNPS. Therefore, it was judged by BNL that the last column of Table 4.2 using the entire data base is at this time (prior to the plant's first year of operation) more appropriate for the assessment.
b. Manual Shutdown Initiators

The frequency of such initiators has a relatively low impact on core damage probability. Considering the limited funds and time allotted to this review, BNL chose not to review it in detail. The value chosen in the SNPS-PRA, basically taken from Ref. 7, appears to be in the reasonable range, and it was used in the assessment.

c. LOCA Initiators

The LOCA initiator frequencies used in the SNPS-PRA for large, medium, and small LOCA, as well as for LOCA outside containment and pressure vessel failure, appeared to be reasonable when compared with the available data and therefore were not independently assessed.

The frequency of interfacing LOCA was evaluated separately in more detail (Appendix F of the SNPS-PRA). The SNPS data and analysis were reviewed by BNL, and the results are compared with the SNPS-PRA data in Table 4.3. The frequency of core damage in Class V was significantly affected by these changes; that in Classes I through IV was not.

The main changes are due to the different approaches used in the SNPS-PRA and the BNL review:

a) The SNPS-PRA used valves failure rate from LERs, whereas BNL used six specific LERs, which are interfacing LOCA precursors.

b) The SNPS-PRA used only leakage and rupture failure rates for MOVs. BNL also considered spurious opening.

Appendix 5C.2 includes further descriptions of the different approaches in the BNL review and the SNPS-PRA.

d. ATWS Initiators

ATWS initiator frequencies were derived basically from the corresponding transient initiator frequencies, with some minor exceptions. In the SNPS-PRA, turbine trip ATWS events were evaluated by using a turbine trip initiator event tree (see Figure 4.1). The tree considered whether feedwater was properly controlled, whether turbine bypass was available, and whether condenser heat sink was available. Failure to balance feedwater, or failure of the turbine bypass or the condenser heat sink, was conservatively assumed to have a plant response similar to that of loss of feedwater, the MSIV closure, or loss of condenser events. Figure 4.1 shows the quantification method by which the turbine trip frequency was calculated, and also the fraction of the turbine trip initiator frequency that was transferred to the other ATWS initiators.

BNL analyzed the sequences following turbine trip and prepared an event tree similar to Figure 4.1 which is shown in Appendix 5D, Figure 5D.8. The main difference in the BNL event tree is that BNL considered it more appropriate to treat the feedwater runback on the functional event trees for ATWS. The feedwater runback is one part of a set of procedural actions which the operator has to follow promptly. These actions also include manual actuation of the SLC system, reducing level and maintaining it above TAF, and ADS inhibit. In BNL's judgement, these actions are partially dependent.

The differences in the quantification of Figures 4.1 and 5D.8 result from the use BNL made of the turbine trip transient functional level event tree (Table 5A.1). The same values are used in ATWS Figure 5D.8 as in Table 5A.1 for the transient with successful scram.
% g , 84 - . . ~ -... .. _ --m -, - - - - - - - - .- %- -c- ---p- , - - - , - - , - - . - - - - -
U ' "'~
.2. ,_:..
- i. .x .
The resulting ATWS initiator frequencies for the SNPS-PRA and the BNL review are compared in Table 4.1. For total ATWS frequency, the SNPS-PRA values of 5.49, given all power levels, and 3.87, for power levels above 25%, are compared with BNL values of 9.61 and 7.34 respectively. The difference for power level above 25% is almost 100%. This is because EPRI-NP-801, used by SNPS-PRA, has 60% of the data from the first year of plant operation, which includes many cases of low power testing. EPRI-NP-2230 removed the data that belong to the time between first criticality and the start of commercial operation. Thus, in EPRI-NP-2230, only 33% of the data are from the first year of plant operation.

The difference between the values of SNPS-PRA and BNL for the particular initiators is also due in part to the different treatment of feedwater runback which was discussed above. In summary, it can be expected that about a factor of two difference between SNPS-PRA and BNL review results for ATWS core damage frequencies stems from the different sources of data for evaluating the initiator frequencies. Additional discussion is provided in Appendix 5D, and in particular in Table 5D.2.
e. Low Frequency Transient Events

These events include the following:

a) Loss of DC power bus,
b) Reactor water level measurement system reference line leak,
c) Drywell cooler failure,
d) Loss of service water,
e) Excessive release of water into Elevation 8 of the reactor building (Maintenance and Rupture).

The frequency of loss of DC power bus initiator was based on a NUREG report which takes into account DC bus related LERs and calculates a frequency of 6x10-3 per year for a bus failure. A recovery factor of 0.5 was used on the basis of considerations from this report, which SNPS says that it implemented in its design and procedures.

The frequency of loss of a reference leg and of a drywell cooler were based on LERs.

Loss of service water frequency was derived from the experience of no loss of service water in 400 BWR reactor-years, giving 0.0025 as a conservative value. BNL used a frequency of one event in 600 reactor-years.

The frequency of excessive release of water in Elevation 8 was calculated quite differently in the PRA and by BNL. Shiu (Ref. 25) provides the details of the two approaches. The SNPS-PRA event frequency is given in Table 3.4-25 of the PRA (page 3-263). BNL used Markov modeling and recovery considerations different from those in the SNPS-PRA, which resulted in an increase of the total flooding initiator frequency (see Table 4.1).

The results of the BNL assessment are listed in Table 4.1 along with the values used in the SNPS-PRA, LGS-PRA, and RSS. Because of its importance, the frequency of the loss of offsite power initiator is discussed in detail here.
4.1.3 Loss of Offsite Power Initiator

The frequency used for the loss of offsite power initiator in the SNPS-PRA was derived from non-nuclear plant experience and reflects only Long Island Lighting Company (LILCO) fossil-plant data.

The data cover the period January 1, 1965, through January 1, 1981, for LILCO plants with three or more circuits emanating from them. The data consist of the following for each plant:

o Years of operation during the period January 1, 1965, to January 1, 1981,
o Number of outages,
o Duration of outages.

Table 4.4 summarizes the LILCO specific grid reliability data. In total, these plants had four occurrences in 61.5 plant-years. The loss of offsite power was calculated as follows:

$$T_E = \frac{\text{occurrences} + \text{hypothesized incipient failure}}{\text{years plant experience}} = \frac{4 + 1}{61.5} = 0.08/\text{year}$$

The SNPS-PRA methodology for evaluating the frequency of loss of offsite power does not consider any regional nuclear power plant experience. The SNPS-PRA acknowledged that "the specific case applicable to SNPS is the Northeast Power Coordinating Council (NPCC)" (SNPS-PRA, page A-192); however, this effect was not included. The BNL assessment of the frequency of the loss of offsite power initiator and the associated uncertainties were derived from the nuclear plant experience of the NPCC, which includes New York, Massachusetts, Connecticut, Vermont, and Maine. Fossil-plant experience was not included to remain consistent with current nuclear plant PRA practice, which does not include non-nuclear plant experience in the quantitative estimation of the frequency of loss of offsite power, and their recovery probabilities. BNL believes that both the probability of LOOP and the recovery probabilities as a function of time should be calculated from the same data base. This is done in this review as described below and in Section 4.1.4.

The technique applied to assess the frequency of loss of offsite power and the associated uncertainties is described in Subsection 4.1.2 and in more detail in Ref. 4. This technique takes into account the LOOP experience of other nuclear plants in the same electrical reliability council to which SNPS belongs. The methodology and data used by BNL to assess the LOOP frequency are different from those used in the SNPS-PRA and reflect the difference between the SNPS-PRA and the BNL LOOP initiator assessed frequency.
The results for the NPCC, to which the SNPS belongs, were used in the BNL review. The data used were taken from Ref. 10, in which the loss of offsite power is categorized into four groups. The first group includes total loss of offsite AC power in nuclear power plants, and this was used by BNL. However, the loss of offsite power during cold shutdown (group four in Ref. 10) was included by BNL in the final evaluation for LOOP frequency (Table 4.5) because the LOOP frequency should be evaluated on a yearly basis, and the mode of plant operation is irrelevant to the LOOP frequency. These events, if caused by maintenance error, are recovered immediately, and this is taken into account in the recovery probability distribution. The results of the analysis are given in Table 4.6.

Since the SNPS is a new plant, not yet in operation, and therefore lacks plant-specific data, the appropriate values are those characteristic of the population of this particular reliability council. That is, the SNPS should be treated as a plant taken randomly from the population of NPCC plants. BNL's judgment is that utilizing merely LILCO fossil-fuel plant experience in calculating LOOP frequency, and using generic nuclear plant data for recovery probabilities rather than the same set of data used for LOOP frequency, is not a consistent and realistic approach.

The mean value of 0.15 occurrences per year (see Table 4.6) was used in the BNL review for the frequency of the LOOP transient initiator. In the RSSMAP Grand Gulf PRA, this frequency was assumed to be 0.20 occurrences per year, and in the Big Rock Point PRA, 0.13 occurrences per year. In the RSS, nuclear power experience was considered for the year 1972, which included three LOOP events. These events occurred in about 150,000 operating hours, giving a point estimate for the rate of 2x10-5 failures per hour or 0.18/yr.
4.1.4 Recovery of Offsite Power

The probability of recovery of offsite power, within a given time, was assessed in the SNPS-PRA by using the EPRI NP-2301 data base. The data representing the entire population of U.S. plants was used in the SNPS evaluation. The recovery probability was simply taken as the percentage of events that were recovered in a particular time interval of interest. The BNL review used updated data from Ref. 10, which reconcile many of the differences between the Scholl and EPRI-2301 data. However, in BNL's judgment, events of type IV* should be included in the data base (as discussed in Section 4.1.3 above). Their recovery time was included. The number of events for the NPCC region is sufficiently large to be considered separately rather than the data from the overall U.S. population of nuclear plants.

*No offsite power available during cold shutdown because of special maintenance conditions that do not occur during or immediately following operation.

In the BNL approach, the recovery times were assumed to be lognormally distributed. Next, the two parameters of the lognormal distribution were assumed to be random variables distributed according to given probability density functions. The experiential data for the 10 plants of the NPCC were updated through December 1983 (Table 4.5) and then used for a Bayesian updating of the assumed prior distributions for the two parameters. Finally, by "averaging out" the dependence of the distribution of the recovery time on the two parameters, a "Student t" distribution was obtained to represent the distribution of the recovery times.

The probability of not recovering offsite power within a given time is calculated from the complementary cumulative distribution and is shown in Table 4.7 along with the SNPS-PRA values.

The use of data from Ref. 10 "as is" without modification resulted in a LOOP frequency of 0.13 per year; however, the associated recovery probabilities were lower than in the case discussed before. Table 5.15 compares the results of both cases and shows that they are basically giving the same results. Thus, the inclusion of the LOOP events occurring due to maintenance at plant shutdown does not affect the core damage frequency results.

4.1.5 Conclusion

The frequencies of the initiating events determined by the BNL approach differ, as shown in Table 4.1, from those used in the SNPS-PRA.

The BNL-assessed frequencies of the initiator events were used to quantify the accident sequences. In Section 5, the relative contributions of the initiating event frequencies to the total core damage frequency are reported. It is seen there that the changes in the ATWS frequency, LOOP initiation frequency, MSIV closure frequency, and turbine trip frequency are the most important.

4.2 Component Unavailabilities

4.2.1 SNPS Data Base
The data base used in the SNPS-PRA to quantify component failure rates in the fault tree models comes from four basic sources:

o Licensee event reports (such as Ref. 14 and 15),
o General Electric BWRs operating experience data (such as those in the LGS-PRA),
o The Reactor Safety Study (RSS),
o IEEE reliability data for electrical components (ANSI/IEEE Std. 500-1977).

The priority for data selection followed the above listed order. This has resulted in many cases in which NRC LER data was used.

The maintenance and test data used in the SNPS-PRA are, in general, said to be obtained from GE operating experience with BWRs. The technical specification values and the test frequencies are derived from SNPS draft technical specifications (February 1983).

The probability of diesel generator failure to "start and run" and the conditional probability that multiple diesels will fail, given the probability of the first diesel failing, which were used in the SNPS-PRA, are evaluated in its Appendix A.5. The values appear to be in the appropriate range. They were further reviewed by BNL (see Section 4.2.2 below), and recovery data of diesel generators were also reviewed and slightly modified.

4.2.2 Data Assessment for Diesel Generator Availability
The SNPS-PRA uses data from nuclear power plant operating experience to characterize diesel generator performance in case of Loss of Offsite Power. The experiential data sources are two EPRI reports (NP-2099 and NP-2433) (Refs. 22, 23) and the NUREG/CR-1362 report (Ref. 14).

From these data, the SNPS-PRA calculates three sorts of information needed for the event-tree quantification:

1. The probability of a single diesel generator failing to start on demand.
2. The conditional probability of multiple diesel failures given that one diesel failed.
3. Data on the length of time required to restore a diesel to operation (recovery times).

The approach used in the SNPS-PRA to obtain these data, and the BNL review comments and adopted values, are discussed in the following sections.

a. Probability of a Single Diesel Generator Failing to Start

The SNPS-PRA used a value of 2x10-2 per demand for the failure to start probability of an average diesel generator. This is an average value derived from assessment of LERs of 36 plants, obtained mainly from NUREG/CR-1362 (Ref. 14). BNL considered the value to be a reasonable choice at the time the PRA was performed. Newer data in NUREG/CR-2989, published after the SNPS-PRA was completed, support this average value. The new data include failure to start probabilities (for 40 plants) ranging from 3x10-8/d to 6.25x10-/d with an average value of about 2.2x10-/d. If a fraction of the autostart failure is also considered to contribute to the overall failure to start probability, a value of 2.5x10-2/d could be used, and that is the average value cited in NUREG/CR-2989 (see their Table 9.5.19). However, this NUREG report is aimed at obtaining plant specific diesel generators' unavailability estimates, and provides abundant information for this purpose. Apparently there are plans to modify the SNPS diesel generator design configuration and hardware, but they were not included in the version of the PRA reviewed by BNL. Rather than using plant specific values for an evolving design, BNL decided to replace them by conservative values from the older NUREG/CR-1362 (Ref. 14). The sensitivity study in Section 5.3 shows the effect of an improved diesel-generator design using NUREG/CR-2989 data as given in Section 4.2.2b below. The value used in this report is the same as that in the SNPS-PRA, 2x10-2/d. This is based, in the BNL review, on the NUREG/CR-1362 data base with one week between tests, and includes failure to run during the first hour (Table 20 of Ref. 14).

The above discussion is summarized in Table 4.8.
b. Conditional Probabilities of Multiple Diesel Failures

The SNPS-PRA used the data from plant Q (Plant-X in LGS-PRA (Ref. 17); see their Table A.5.9), because these were the best single-plant applicable data. The LGS-PRA used a value obtained by averaging plant Q, Cook, and Zion values, the RSS value, and the NUREG/CR-1362 values. All the values are quite close, as seen in Table 4.8. From NUREG/CR-2989, a value for the failure probability of the third diesel given that two have failed, P(3/2), can be easily derived, which is also similar to those of the SNPS and LGS-PRAs. To derive a value for P(2/1) from NUREG/CR-2989, a specific design must be assumed. When Table 4.8 is considered in its entirety, the values of SNPS-PRA appear to be on the high side of the spectrum of generic type values. This is thought to be suitable until information on the SNPS specific design for upgrading is submitted. Data from NUREG/CR-2989 could be used in such a case. BNL therefore used the SNPS results, but for sensitivity study purposes, evaluated the following values:

o Failure to start on demand 1x10-2
o P(2/1) 0.11
o P(3/2) 0.40

These are examples of values derived from NUREG/CR-2989 for a design with three dedicated diesels, using average procedures and having service water cooling.
c. Recovery Times for Diesel Generators

The SNPS-PRA used the recovery data from NUREG/CR-1362 (Ref. 14) after comparison with Peach Bottom data. In its Appendix A.5, recovery of diesel generators within the first half hour is argued to be uncertain, and a value of 1.0 for nonrecovery is suggested, but in the LOOP event tree, a value of 0.88 is used. A value of 0.95, which is consistent with Peach Bottom data and with LGS-PRA recovery data, is used in the BNL review. For all other recovery times BNL used the SNPS-PRA data, which are the same as those in the LGS-PRA.
d. Summary of Data for Diesels

In summary, the data used by BNL are not very different from those used by the SNPS-PRA. Both are generic, consistent with LER data, and quite conservative when a weekly testing interval is assumed. However, the data are not plant specific. BNL recommends that, for a modified SNPS design (if submitted), the unavailability should be evaluated on the basis of data from NUREG/CR-2989 or other comprehensive new studies.

4.3 Human Error Probabilities

As stated in Section 3.4, two different types of human errors--procedural and cognitive--are considered in evaluating the system unavailabilities. The procedural human errors were based, in most cases, on NUREG/CR-1278 (Ref. 24) and were not part of the BNL review. Major procedural errors affecting the systems' unavailability are shown in Table 3.3 along with the probabilities used in the SNPS-PRA. In most cases BNL used the same values or model (see footnote to Table 3.3); in only one case, the miscalibration of all sensors, did BNL use a different value for a procedural error probability.

The value of 2x10-3 used for miscalibration of all sensors (event "HHU7200X1") is developed in the SNPS-PRA Appendix A.3. It is derived similarly to the NUREG/CR-1278 Human Error Probability (HEP) tree*, but different quantification of the HEP tree results in a more conservative estimate of the gross miscalibration of all four level sensors. The SNPS-PRA model includes (Appendix A.3, page A-120):

a) Use of a faulty setup such as a wrong scale or connection at an incorrect point. This was conservatively quantified by a probability of 10-2.
b) Technician rechecks the setup and recovers the gross miscalibration in the second sensor with a probability of 0.7.
c) Technician rechecks and corrects the error in his third calibration with probability 0.3.
d) All other sensors would be miscalibrated given the technician failed to detect the error in the first two cases.

*NUREG/CR-1278, August 1983 Revision, page 10.7.

This model resulted in a probability of 2x10-3 for gross miscalibration in the SNPS-PRA. It does not consider staggering of the calibration procedure.

NUREG/CR-1278 (Ref. 24) distinguishes between small and large miscalibrations. For the small miscalibration of all four channels the probability from the HEP tree is 5x10-4, mainly because the HEP tree assumes a probability of 0.9 for step (c). This is based on the assumption that a technician may accept a small change in the calibration for one channel, but in 9 out of 10 cases he will realize that something may have gone wrong when he finds a small change in the second channel also.

For large miscalibration, NUREG/CR-1278 assumes that the recheck probability is 0.9 for step (b) and 0.99 for step (c). Thus the HEP tree gives a probability of 5x10-6 for large miscalibration.

BNL considered the value 5x10-8 too small if special procedures are not used, but found the value 2x10-3 unrealistic for the large miscalibration needed to fail the level 2 and level 1 auto start of HPCI, RCIC, ADS, LPCI, and LPCS. BNL considered a value smaller than 2x10-4 to be realistic when miscalibration procedures are available that guide the technician to recheck his setup whenever he finds a significant change in calibration to be required.

The list of the major cognitive errors introduced in the SNPS-PRA is given in Tables 3.2 and 3.3. The number of quantification changes performed by BNL in the cognitive human errors is significant. Most of these changes are based on the judgment of the total time available to the operator and the number of additional actions he would be required to perform concurrently. In most cases they involve changes made in the event trees (see Table 3.2), and are explained in the tables depicting the revised event trees in Appendices 5A to 5G. The remaining changes made in the cognitive errors are shown in Table 3.3 and discussed in the next paragraph.

The SNPS-PRA treatment of the manual initiation of ADS, LPCS, and LPCI, given the failure of the auto start of all three, is as follows:

ADS: event "AHU1990XI" = 0.1, which stands for "Operator fails to initiate ADS given auto system failure."
LPCS: events "LHU5000XI or LHU6000XI" = 0.1, which stands for "failure to manually initiate LPCS."
LPCI: event "DHU111DXI" = 0.1, which stands for "failure to manually initiate LPCI."

However, these three events are not independent under all accident sequence conditions. In the case of the failure of high pressure injection systems, an operator error--failing to initiate ADS--will result with high probability in the failure to initiate other safety systems. Furthermore, if the operator fails to manually initiate LPCS or LPCI, depressurization will not occur even if the operator tries to depressurize by the ADS manually. Thus, there are two dependences: (1) functional dependence, (2) human interaction dependence which assumes that failure of the operator to initiate the first system implies that the operator will not respond to initiate the second either. This latter dependence, which was recognized in SNPS-PRA Appendix A.3, was included in the BNL re-assessment. All the above different operator actions were denoted "AHU1990XI" = 0.1 in all three cases. This is also consistent with the NUREG/CR-1278 (Ref. 24) approach.

The two BNL modifications to SNPS-PRA human error treatment discussed in this subsection constitute the event of "miscalibration of all four water level transmitters." The impact on core damage frequency of this event is discussed in Section 5A.1.4 of Appendix 5A.

4.4 References to Section 4
1. Kaplan, S., "On a Two Stage Bayesian Procedure for Determining Failure Rates from the Experiential Data," PLG-0191, June 1981.
2. "Zion Probabilistic Safety Study," NRC Docket Nos. 50-295 and 50-304.
3. "Indian Point Probabilistic Safety Study," 1982.
4. Papazoglou, I. A., Lederman, L., and Anavim, E., "Bayesian Analysis Under Population Variability with an Application to the Frequency of Loss of Offsite Power and Anticipated Transients in Nuclear Power Plants," BNL Report, February 1983.
5. "Anticipated Transients, A Reappraisal," EPRI NP-801, July 1978.
6. "Anticipated Transients, A Reappraisal," EPRI NP-2230, January 1982.
7. "Component Failures that Lead to Manual Shutdown," SAI-180-80-PA.
8. "Characteristics of Pipe System Failures in LWRs," EPRI NP-438, August 1977.
9. "Losses of Offsite Power at Nuclear Power Plants: Data and Analysis," EPRI-NP-2301, March 1982.
10. "Losses of Offsite Power at U.S. Nuclear Power Plants through 1983," NSAC-80, July 1984.
11. Scholl, R. F., "Loss of Offsite Power Survey Status Report," Revision 3, Report of the Systematic Evaluation Program Branch, Division of Licensing, U.S. NRC.
12. Papazoglou, I. A. et al., "Probabilistic Safety Analysis Procedure Guide," Brookhaven National Laboratory, NUREG/CR-2815, September 1983.
13. McLagan, G. P. et al., "Preliminary Assessment of Diesel Generator Reliability at Light Water Reactors," SAI/Annes, March 1980.
14. Poloski, J. P. and Sullivan, W. H., "Data Summaries of Licensee Event Reports of Diesel Generators at U.S. Commercial Nuclear Power Plants, January 1, 1976, to December 31, 1978," NUREG/CR-1362, EGG-EA-5092, March 1980.
15. Hubble, W. H. and Miller, C. F., "Data Summaries of LERs on Valves at U.S. Commercial Nuclear Power Plants," NUREG/CR-1363, EGG-EA-5125, May 1980.
16. Rubin, M. P., "The Probability of Intersystem LOCA; Impact Due to Leak Testing and Operational Changes," NUREG-0677, May 1980.
17. Papazoglou, I. A. et al., "A Review of the Limerick Generating Station PRA," NUREG/CR-3028, BNL-NUREG-51600, February 1983.
18. Wreathall, J., "Operation Action Trees, An Approach to Quantify Operator Error Probability During Accident Sequences," NUS Report #4655, NUS Corp., July 1982.
19. Hall, R. E., Wreathall, J., and Fragola, J., "Post Event Human Decision Errors: Operator Action Tree/Time Reliability Correlation," NUREG/CR-3010, BNL-NUREG-51601, March 1983.
20. Battle, R. E. and Campbell, D. J., "Reliability of Emergency AC Power Systems at Nuclear Power Plants," Oak Ridge National Laboratory, NUREG/CR-2989, July 1983.
21. Baranowsky, A. M., Kolachzkowski, A. M., and Fedele, M. A., "A Probabilistic Safety Analysis of DC Power Supply Requirements for Nuclear Power Plants," NUREG-0666, April 1981.
22. Atwood, C. J. and Stevenson, J. A., "Common-Cause Fault Rates for Diesel Generators: Estimates Based on LERs at U.S. Commercial NPP, 1976-1978," NUREG/CR-2099, June 1982.
23. McClymont, A. and McLagan, G., "Diesel Generator Reliability at Nuclear Power Plants: Data and Preliminary Analysis," EPRI-NP-2433, June 1982.
24. Swain, A. D. and Guttman H. E., "Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications," NUREG/CR-1278, October 1980 (and also Final Report, August 1983).
25. Shiu, K. et al., "A Review of the Sequences Following Release of Excessive Water in Elevation 8 of the Reactor Building in the SNPS," BNL, NUREG/CR-4049, November 1984.
[Figure 4.1 Event Tree Diagram of Accident Sequences Following a Turbine Trip Initiator From High Power]
Table 4.1 Frequency of Initiating Events (Mean Values/yr)

| Initiating Event | SNPS-PRA | LGS-PRA | BNL Review: SNPS | BNL Review: LGS | WASH-1400 |
|---|---|---|---|---|---|
| Transients | 9.8 | 9.1 | 13.95 | 13.02 | 11 |
| Turbine Trip | 4.49 | 3.98 | 8.01 | 8.17 | |
| MSIV Closure | 0.24 | 1.78 | 0.57 | 1.23 | |
| Loss of Condenser | 0.41 | Included in MSIV | 0.50 | Included in MSIV | |
| Loss of Feedwater | 0.18 | Included in MSIV | 0.13 | Included in MSIV | |
| Loss of Offsite Power | 0.08 | 0.053 | 0.15 | 0.11 | |
| IORV | 0.09 | 0.07 | 0.25 | 0.25 | |
| Manual Shutdown | 4.3 | 3.2 | 4.3 | 3.2 | |
| LOCAs | | | | | |
| Large | 7.0x10-4 | 4.0x10-4 | 7x10-4 | 4x10-4 | 2.7x10-4 |
| Medium | 3.0x10-3 | 2.0x10-3 | 3x10-3 | 2x10-3 | 8.1x10-4 |
| Small | 8.0x10-3 | 1.0x10-2 | 8x10-3 | 1x10-2 | 2.7x10-3 |
| Breach of the RPV | 3.0x10-7 | --- | 3x10-7 | --- | |
| Interfacing LOCA (LOCA Outside Containment) | 1.8x10-7 | --- | 3x10-7 | --- | |
| ATWS | 5.49 (3.87)* | 5.92 | 9.61 (7.34)* | 9.82 | |
| Turbine Trip | 2.14 (.85)* | 3.6 | 7.0 (5.3)* | 7.39 | |
| MSIV Closure | 0.56 (0.50)* | 2.2 | .88 (.65)* | 2.01 | |
| Loss of Condenser | 0.41 (0.25)* | Included in MSIV | .57 (.46)* | Included in MSIV | |
| Loss of Feedwater | 2.2 (2.1)* | Included in MSIV | .77 (.59)* | Included in MSIV | |
| Loss of Offsite Power | 0.08 | 0.053 | 0.15 | 0.11 | |
| IORV | 0.09 | 0.07 | 0.25 (.16)* | 0.25 | |

*In parentheses: Initiator frequency at above 25% power (above condenser bypass capability). Without parentheses: Initiator frequency at all power levels (0 to 100%).

Table 4.1 Continued

| Low Frequency Transients | SNPS | LGS-PRA | BNL | WASH-1400 |
|---|---|---|---|---|
| Excessive Release of Water into Elevation 8 of the Reactor Building (Maintenance & Rupture) | 6x10-s | --- | 5.0x10-4 | --- |
| Loss of a DC Power Bus | 3.0x10-3 | --- | 3.0x10-3 | |
| Loss of all DC Power Buses | 3.0x10-8 | | 3.0x10-8 | |
| Reactor Water Level Measurement System Reference Line Leak | 3.6x10-2 | --- | 3.6x10-2 | --- |
| Drywell Cooler Failure | 1.0x10-2 | --- | 1.0x10-2 | --- |
| Loss of Service Water | 2.5x10-3 | --- | 1.7x10-3 | --- |
Table 4.2 SNPS-PRA and BNL Results for Initiator Frequency and Sources of Differences

                             SNPS-PRA: EPRI-NP-801 Data             BNL Review: EPRI-NP-2230 Data          BNL Review: Two-Stage Bayesian
                             1st    Subseq.  All Years  Weighted    1st    Subseq.  All Years  Weighted    Subseq.  All
Transient                    Year   Years    Average    Average*    Year   Years    Average    Average     Years    Years**

Loss of Condenser
Vacuum (2,4,8)               1.6    0.38     0.67       0.41        1.0    0.38     0.47       0.40        0.40     0.50
Turbine Trip                 16.9   4.14     7.3        4.46        13.4   6.39     7.39       6.59        6.85     7.89
MSIV Closure (5)             2.2    0.19     0.67       0.24        1.67   0.27     0.47       0.31        0.29     0.57
Loss of FW (22)              0.6    0.16     0.27       0.18        0.27   0.11     0.13       0.12        0.11     0.13
LOOP (31)                    0.4    0.11     0.16       0.08+       0.13   0.12     0.12       0.08+       0.12     0.15++
IORV (11)                    0.7    0.08     0.20       0.09        0.53   0.15     0.21       0.16        0.19     0.25
CRW (27, 28)                 0.1    0.03     0.04       0.03        0.13   0.10     0.11       0.10        0.11     0.12
Total                        22.5   5.09     9.3        5.49        17.1   7.52     8.9        7.76        8.07     9.65

+ Based on SNPS grid data.
++ Based on NSAC-80 report.
*Used in the PRA.
**Used in the BNL review.
Table 4.3 Summary of Quantification for Exposing the Low Pressure Systems to Primary System Pressure

                                  SNPS-PRA:                         SNPS-PRA:          BNL Review:
                                  Point Estimate                    Total Frequency    Total Frequency
                                  Calculation       No. of          Calculated         Calculated
System                            Per Interface     Interfaces      (Per Rx Yr)        (Per Rx Yr)

Core Spray (Figure F.2-1)*        4.8x10-s          2               9.6x10-s
RHR Head Spray (Figure F.2-2)     8.6x10-12         1               8.6x10-12
LPCI Injection (Figure F.2-3)     4.8x10-'          2               9.6x10-'
RHR Shutdown Cooling Line
(Figure F.2-4)                    1.6x10-8          1               1.6x10-8
Total                             ---               6               1.2x10-7           3.0x10-7**

* Figures in Appendix F of SNPS-PRA.
** Calculated in Appendix 5C.2 of this report for the entire plant (not system by system).
Table 4.4 Summary of the Historical Data on the LILCO Grid for Loss of Offsite Power Incidents

LILCO-Specific Grid Data, Loss of Offsite Power (1/1/65 - 1/1/81)

                       Years of                         Duration
Plant                  Operation       Occurrences      (minutes)

Barrett                16.0            1                222*
Glenwood               16.0            1                199*
Northport              13.5            0                ---
Port Jefferson         16.0            2                58*, 15
Total**                61.5            4

* East Coast Blackout (11/9/65).
** Totals: 61.5 plant-yrs, 4 occurrences + 1 hypothesized incipient failure.
Table 4.5 Experiential Evidence from Plants of the Northeast Power Coordinating Council (NPCC): Loss of Offsite Power

                                        No. of Occurrences            Years in Operation
Plant Name /            Recovery        EPRI Data  NSAC/80  BNL       NSAC/80   BNL        Events** in
Date of Accident        Time            NP-2301             Review              Review     BNL Review

1. Fitzpatrick                          2          0        2         9.2       9.05
     3/27/79                                                                               (3 min)*
     10/4/78                                                                               (14 sec)*
2.                                      2          2        2         14.3      14.10
     3/4/71             30 min
     10/21/73           40 min
3. Haddam Neck                          5          5        5         15.9      16.30
     4/27/68            29 min
     7/15/69            9 min
     7/19/72            1 min
     1/19/74            20 min
     6/26/76            16 min
4. Indian Point 2&3                     1          3        3         12.2      10.5
     7/20/72            55 min
     7/13/77            6:28 hr
     6/3/80             1:45 hr
5. Maine Yankee                         0          0        1         11.3      11.10
     8/31/78                                                                               (1 min)*
6. Millstone 1&2                        1          2        2         13.2      13.10
     8/10/76            5 hr
     7/21/76            5 min
7. Nine Mile Point                      1          1        1         14.3      14.25
     11/17/73           to sec
8. Pilgrim                              2          2        2         11.50     11.45
     5/10/77            2:40 hr
     2/6/78             8:54 hr
9. Vermont Yankee                       0          0        0         11.80     11.70
10. Yankee Rowe                         1          1        1         22.50     23.30
     11/9/65            33 min

* Recovery Time.
** Relative to NSAC/80.
Table 4.6 LOOP Initiator Frequency Considered in SNPS-PRA and BNL Review

Study              Data Base                                        Approach             Data Used                             LOOP Frequency

SNPS-PRA           ---                                              Point Estimate       5 events(1) in 61.50 plant years      0.08/Rx
EPRI-NSAC Study    NSAC/80 Data Base for NPCC                       Point Estimate       16 events in 136.20 reactor years     0.12/Rx
EPRI-NSAC Study    NSAC/80 Data Base for Nat'l Population           Point Estimate       47 events in 532.70 reactor years     0.088/Rx
BNL Review         NSAC/80 Data Base for NPCC                       Two-Stage Bayesian   16 events in 136.20 reactor years     0.13/Rx
BNL Review         NSAC/80 Data Base + 3 Add'l Events(4) for NPCC   Two-Stage Bayesian   19 events in 134.85 reactor years     0.15/Rx(3)
BNL Review         NSAC/80 Data Base for Nat'l Population           Two-Stage Bayesian   47 events in 532.70 reactor years     0.09/Rx
BNL Review         NSAC/80 Special Case: Fossil Plant Experience,
                   Plant Specific                                   Two-Stage Bayesian   18 events(2) in 152 years             0.12/Rx

(1) Four actual events and one hypothetical for some margin.
(2) Fossil-fuel plant which experienced 2 events in 16.0 plant years is included as a hypothetical example of performance.
(3) Judged by BNL to be most appropriate for the BNL review reassessment.
(4) Three events were judged in BNL review to be considered as LOOP initiators even though rejected by NSAC/80 evaluation.
Table 4.7 Recovery Time Distributions

                  SNPS-PRA                     BNL Review: National         BNL Review: NPCC             BNL Review: NPCC
Recovery                      Cumulative                   Cumulative                   Cumulative                   Cumulative
Time              No. of      Probability      No. of      Probability      No. of      Probability      No. of      Probability
in Hours          Events(1)   of Recovery      Events(2)   of Recovery      Events(2)   of Recovery      Events(3)   of Recovery

<0.5              20          0.48             25          0.55             9           0.55             12          0.63
0.5-1.0           6           0.62             7           0.68             3           0.67             3           0.73
1.0-2.0           4           0.72             7           0.80             1           0.78             1           0.81
2.0-4.0           2           0.77             4           0.88             1           0.86             1           0.88
4.0-8.0           6           0.91             3           0.94             1           0.91             1           0.92
8.0-10.           1           0.93             1           0.96             1           0.93             1           0.93
10.-24.           1           0.96             0           0.98             0           0.96             0           0.97
>24.              2           1.00             0           ~1.00            0           ~1.00            0           ~1.00
Total             42                           47                           16                           19

(1) Based on EPRI-NP-2301; point estimate.
(2) Based on NSAC-80; Student t distribution.
(3) Based on NSAC-80 and three additional events included by BNL; Student t distribution (used in BNL re-assessment).
Table 4.8 Comparison Between SNPS-PRA Diesel Generator Data and Other Evaluations

Columns: SNPS-PRA, LGS-PRA, NUREG/CR-1362, Zion, WASH-1400, NUREG/CR-2989, BNL Review

Failure of a Diesel Generator to Start upon Demand:
  2x10-2   1.7x10-2   2x10-2   1.9x10-2   3x10-2   2.5x10-2**   2x10-2

Probability of Second Diesel Failure Given One Failed - P(2/1):
  0.19   0.23   0.42*   -   0.08   0.03   Plant or Design Specific   0.19

Probability of Third Diesel Failure Given Two Failed - P(3/2):
  0.63   0.55   -   0.17*   0.45   1.0   0.49**   0.63

Failure of a Diesel Generator to Run (Six hours or more):
  ---   ---   ---   ---   ---   ~2.4x10-3/h   2.4x10-3/h

*Taken from Table A.5.9 of LGS-PRA.
**This is an average value, but this report deals mainly with plant or design specific evaluations.
***Derived from Table 9.6.8 of NUREG/CR-2989. (SWS, below average procedures).
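An added example (not part of the report): a Python cross-check that rebuilds the LOOP totals and point estimates of Table 4.6 from the plant data in Tables 4.4 and 4.5, then multiplies an initiator frequency through the conditional diesel-generator failure values of Table 4.8. The function names are hypothetical, the inputs are typed in from the tables as read from the scan, and the diesel product is an illustration before any credit for recovery, not a sequence frequency taken from the report.

```python
from math import prod

# Table 4.4, LILCO grid: plant -> (years of operation, LOOP occurrences)
LILCO_PLANTS = {
    "Barrett": (16.0, 1),
    "Glenwood": (16.0, 1),
    "Northport": (13.5, 0),
    "Port Jefferson": (16.0, 2),
}
LILCO_HYPOTHESIZED = 1  # Table 4.4 adds one hypothesized incipient failure

# Table 4.5, NPCC plants: plant -> (NSAC/80 events, BNL-review events,
#                                   NSAC/80 reactor-years, BNL reactor-years)
NPCC_PLANTS = {
    "Fitzpatrick": (0, 2, 9.2, 9.05),
    "Plant 2 (name not legible in the scan)": (2, 2, 14.3, 14.10),
    "Haddam Neck": (5, 5, 15.9, 16.30),
    "Indian Point 2&3": (3, 3, 12.2, 10.5),
    "Maine Yankee": (0, 1, 11.3, 11.10),
    "Millstone 1&2": (2, 2, 13.2, 13.10),
    "Nine Mile Point": (1, 1, 14.3, 14.25),
    "Pilgrim": (2, 2, 11.50, 11.45),
    "Vermont Yankee": (0, 0, 11.80, 11.70),
    "Yankee Rowe": (1, 1, 22.50, 23.30),
}

# Table 4.6 point-estimate columns:
# (label, events, exposure in years, printed frequency, half unit of last digit)
TABLE_4_6_POINT_ESTIMATES = [
    ("SNPS-PRA", 5, 61.50, 0.08, 0.005),
    ("NSAC/80 data base, NPCC", 16, 136.20, 0.12, 0.005),
    ("NSAC/80 data base, national", 47, 532.70, 0.088, 0.0005),
]

# Table 4.8, SNPS-PRA column (the BNL Review column carries the same values)
DG_FAIL_TO_START = 2e-2        # one diesel fails to start on demand
DG_SECOND_GIVEN_FIRST = 0.19   # P(2/1)
DG_THIRD_GIVEN_SECOND = 0.63   # P(3/2)


def point_estimate(events, exposure_years):
    """Events per year of exposure, as in the point-estimate rows of Table 4.6."""
    if exposure_years <= 0:
        raise ValueError("exposure must be positive")
    return events / exposure_years


def lilco_totals():
    """(events, plant-years) for the LILCO grid, hypothesized event included."""
    years = sum(y for y, _ in LILCO_PLANTS.values())
    events = sum(n for _, n in LILCO_PLANTS.values()) + LILCO_HYPOTHESIZED
    return events, round(years, 2)


def npcc_totals():
    """Event and reactor-year totals of Table 4.5 for both data sets."""
    rows = list(NPCC_PLANTS.values())
    return {
        "nsac": (sum(r[0] for r in rows), round(sum(r[2] for r in rows), 2)),
        "bnl": (sum(r[1] for r in rows), round(sum(r[3] for r in rows), 2)),
    }


def check_point_estimates():
    """Recompute each printed point estimate; flag whether it rounds to the table."""
    results = []
    for label, events, years, printed, half_unit in TABLE_4_6_POINT_ESTIMATES:
        est = point_estimate(events, years)
        results.append((label, est, printed, abs(est - printed) <= half_unit))
    return results


def all_diesels_fail_to_start():
    """P(1st fails) x P(2/1) x P(3/2): the conditional chain of Table 4.8."""
    return prod((DG_FAIL_TO_START, DG_SECOND_GIVEN_FIRST, DG_THIRD_GIVEN_SECOND))


def sequence_frequency(initiator_per_year, *branch_failure_probs):
    """Initiator frequency multiplied by the failure probability of each branch."""
    for p in branch_failure_probs:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"not a probability: {p}")
    return initiator_per_year * prod(branch_failure_probs)


if __name__ == "__main__":
    print("LILCO (events, plant-years):", lilco_totals())
    print("NPCC totals:", npcc_totals())
    for label, est, printed, ok in check_point_estimates():
        print(f"{label}: {est:.4f}/yr vs printed {printed} -> {'ok' if ok else 'MISMATCH'}")
    # 19 events in 134.85 reactor-years; Table 4.6 prints 0.15 for this data
    # set, but that value is a two-stage Bayesian result, not a simple ratio.
    print(f"BNL NPCC ratio: {point_estimate(19, 134.85):.3f}/yr")
    chain = all_diesels_fail_to_start()
    print(f"All diesels fail to start: {chain:.3e}")
    print(f"Same with independence assumed: {DG_FAIL_TO_START ** 3:.1e}")
    for name, freq in (("SNPS-PRA 0.08/yr", 0.08), ("BNL 0.15/yr", 0.15)):
        print(f"LOOP at {name} with no diesel start: "
              f"{sequence_frequency(freq, 2e-2, 0.19, 0.63):.2e}/yr")
```

The conditional chain is about 300 times the value obtained by cubing the single-diesel failure probability, which is why the P(2/1) and P(3/2) entries matter more to the result than the per-demand failure rate.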
5. SUMMARY OF ACCIDENT SEQUENCE QUANTIFICATION AND IDENTIFICATION OF DOMINANT CONTRIBUTIONS TO CORE DAMAGE FREQUENCIES

This section describes the SNPS-PRA approach to quantification of the accident sequences and the BNL modifications in this approach, and presents the revised results of the BNL review. Subsection 5.1 presents the SNPS-PRA and the BNL approaches and highlights the main differences; further details are given in Appendices 5A to 5G. Subsection 5.2 presents the BNL revised results compared with the SNPS-PRA results: this is the summary of results of this review study. Subsection 5.3 provides additional insight into the results by presenting a limited sensitivity analysis with regard to some other different assumptions.

The quantification results presented are point estimates of the accident sequence frequencies. Uncertainty analysis was outside the scope of the review.

5.1 Modifications Made by BNL in the Accident Sequences Quantification

Subsection 5.1.1 describes the SNPS-PRA accident sequence quantification approach and presents the resulting accident sequence frequencies and the total frequency of core damage. Subsection 5.1.2 highlights the BNL approach followed in the review of the SNPS-PRA, and refers to the detailed description in the Appendices.

5.1.1 Overview of the SNPS Approach to Accident Sequence Quantification

In the SNPS-PRA, accident sequences were defined in terms of combinations of safety function failures given the occurrence of an initiator. These combinations were generated with the help of the functional event trees (see Section 3.1.2). The branch point probabilities in the event trees were calculated (as probabilities of function failures). To calculate the probability of each accident sequence, the failure probabilities of the functions involved in the sequence were multiplied by the frequencies of the corresponding initiators.

The failure probabilities for the functions were derived on the basis of the system fault trees (Table 3.1) and in some cases with the help of functional fault trees* and/or the functional-level event trees, or on the basis of additional explanations supplied in the PRA.

*The SNPS-PRA refers to functional fault trees in several places and states that they are developed in detail in Appendix B.10, but Appendix B.10 does not include any functional fault tree.

The unavailabilities of the frontline systems were calculated from the corresponding system fault trees (see Section 3.3). The frontline system fault trees contain failures both of frontline system hardware and of support systems, and these failures were further resolved down to the component level. Hardware, as well as test, maintenance, and human error contributions to the component unavailabilities were considered.

This quantification procedure was followed for all the functions on the event trees that model the plant response to the various initiators (see Section 3.1 and Appendices 5A to 5G). The accident sequences of each event tree were classified into three categories: core damage sequences, non core damage sequences, and transfers (see Section 3.1). The transfer sequences were the ones judged to be more appropriately modeled in a different functional event tree.

In addition, all the core damage sequences were divided into classes according to the nature and scenario of core damage:

a) Class I core damage sequences are characterized by the loss of core coolant inventory makeup and core damage before containment failure.

b) Class II sequences comprise events involving loss of long-term containment heat removal function resulting in containment failure which may be followed by core damage. Only part of this class will result in a core damage state.*

c) Class III core damage sequences are characterized by LOCA in drywell conditions.

d) Class IV are ATWS sequences with containment failure prior to core damage.

e) Class V are sequences of LOCA outside containment, which bypass the suppression pool and drywell.

*In the SNPS-PRA, it is considered to be a core vulnerable state. In the BNL review, it is considered as a core damage state, even though core damage will not always occur following the containment failure.

The total core damage frequency is the sum of the frequencies of all the core damage sequences. Figure 5.1, from the SNPS-PRA, shows the total core damage frequency, as well as the frequency of each class as calculated in the PRA study. The largest contribution to core damage frequency is seen to be from Class I, loss of coolant makeup; it is larger than the sum of the contributions from all the other classes. The total core damage frequency in the SNPS-PRA is estimated at 5.5x10-5 per reactor year. Table 5.14 includes a summary of dominant sequences calculated in the SNPS-PRA.

5.1.2 BNL Modifications to the Accident Sequence

BNL comments on the SNPS-PRA approach were given in Sections 3.1 and 3.2 when functional event trees and treatment of dependencies were discussed. In general, BNL found that the SNPS-PRA approach included considerable detail and tried to address the modeling of the accident sequences and its quantification as realistically as possible based on the SNPS specific design and past nuclear power plants' experience. BNL agrees to the general approach used. Most BNL comments and modifications relate to quantification. However, some relate to the specific modeling of certain sequences.

The BNL review of the SNPS-PRA functional event trees had two parts:

a) A case by case review of the functional event tree accident sequence modeling.
b) A case by case review of the functional event tree quantification.

Both parts of the review were based on the information provided in the SNPS-PRA and its appendices, the SNPS-FSAR, the SNPS plant specific emergency procedures, the fault tree analysis of the systems, and the system description and drawings. In addition, realistic calculations of BWR plant response to transients were consulted in several GE, BNL, ORNL and other reports (referenced in Section 5.4 and in the previous sections). This information made it possible to check the validity of the modeling and the quantification of the SNPS-PRA approach. It should be noted that the PRA itself included the needed information in many cases.
Highlights from the results of BNL review of the functional event tree modeling were presented in Section 3.2. Additional detail on modeling changes and the reasoning behind them are presented in the appendices to this section. These appendices provide BNL revised functional event trees, which include the modeling changes that were judged important and also the re-quantification by BNL. Each event tree is accompanied by a table explaining the values used on the event trees and their sources, or the reasoning that led to their choice. All the SNPS-PRA initiators were treated. To facilitate comparisons between the SNPS-PRA and the BNL revised event trees, the appendices are ordered in the same way as the sections of the SNPS-PRA:

Appendix 5A: Deals with all the transients with successful scram discussed in Section 3.4.1 of the SNPS-PRA, except loss of Offsite AC Power (Section 3.4.1.6 in the PRA), which is dealt with in Appendix 5B.

Appendix 5B: Loss of Offsite Power Event Tree (PRA Section 3.4.1.6).

Appendix 5C: Treats LOCA both inside and outside containment (Section 3.4.2 of the SNPS-PRA).

Appendix 5D: Treats the ATWS sequences and provides BNL revised event trees (Section 3.4.3 of the SNPS-PRA).

Appendix 5E: Reviews the transients initiated by the loss of a reference leg in the water level instrumentation system (Section 3.4.4.3.1 of the SNPS-PRA).

Appendix 5F: Treats the case of loss of drywell cooling for all transients and for the case in which this event is the initiator (Section 3.4.4.3.2 of the PRA).

Appendix 5G.1: Presents the case of the excessive release of water at Elevation 8 of the reactor building. In this case, however, reference is made to the BNL review report¹ of this accident sequence (Section 3.4.4 of the PRA).

Appendix 5G.2: Loss of a DC bus is treated (Section 3.4.4.2 of the PRA).

Appendix 5G.3: Revised tree for the case of loss of the service water system is presented (Section 3.4.4.4 of the PRA).
Appendices 5E and 5F are an in-depth review of the report² "Review of Shoreham Water Level Measurement System", from which Sections 3.4.4.3.1 and 3.4.4.3.2 of the SNPS-PRA are a summary.

In general, the BNL review resulted in modifications related to the quantification of almost all the SNPS-PRA. The reasons behind quantification changes are explained in the tables attached to the revised event trees (see Appendices 5A to 5G). Each appendix provides the background information on the SNPS-PRA approach for the case, the general reasons for BNL modeling changes, and the results obtained.

The next section focuses on the results, and presents the main differences from the SNPS-PRA. The summary of the findings from the appendices is also given in Table 5.1, where it is compared with the summary of SNPS-PRA results.

5.2 Summary of the Results of the BNL Review in Comparison with the SNPS-PRA

The summary tables of this report are presented in Section 5.2.1, along with a discussion of the results for each accident sequence group. Section 5.2.2 provides some additional tables for comparisons such as the list of dominant sequences in each core damage class and SNPS-PRA and BNL dominant sequence lists.

5.2.1 Summary of the Results

Table 5.1 presents a summary of the BNL review and SNPS-PRA results. It is seen that in the BNL review the core damage frequency increased by a factor of 2.5 (1.4E-4 vs. 5.5E-5/yr) as compared with the SNPS-PRA. From Table 5.1 the following comments can be made:

o The major contributions to the increase in the revised BNL core damage frequency are due to ATWS, LOOP, Transients with Scram, and Internal Flooding initiation.

o The core damage frequency contribution from LOCA outside drywell is about five times as high in the BNL review as in the SNPS-PRA. Even though its contribution to total core damage frequency is very small (≈ 0.2%), it may be a very important contribution to risk.

o The contribution from transient initiators is increased by a factor of 1.7, largely because of the revised frequencies of the initiators discussed in Section 4.1. It is important to point out that, if a common-mode miscalibration of all water level sensors, which are the only signals for the automatic initiation of HPCI, RCIC, ADS, LPCI, and LPCS in the case of a transient, with a probability of 2x10-3 as given in the SNPS-PRA (page A-121) were used, the core damage frequency from transient initiation would be about 5.4x10-5 instead of 2.2x10-5. However, BNL previously judged that the probability used in the SNPS-PRA for the miscalibration was not realistic, and the modifications to these numbers are given in Appendix 5A.1 and in Section 4.3.

o The contribution from LOCA inside drywell remained practically the same as in the SNPS-PRA.
Figure 5.1 shows the results by core damage classes and compares them with Figure 3.5-3 (Page 3-338) of the PRA. The results summarized by groups of initiators are given in Figure 5.2 in a "pie chart". Figure 5.3, reproduced from the SNPS-PRA, provides the BWR-RSS and the SNPS-PRA results for comparison.

The main reasons for the higher BNL results are discussed in detail in the appendices to this section. Here a brief summary of the main differences is presented.
5.2.1.1 Loss of Coolant Accidents (LOCA) Inside Drywell

LOCAs are minor contributors to core damage frequency. Large and medium LOCAs were modeled and quantified by BNL in the same way as in the SNPS-PRA. BNL used a more realistic modeling for PCS recovery in the long term which resulted in a small decrease in the Large and Medium LOCA contribution to Class II sequences. In addition, for Large LOCA in liquid lines originating at a low point in the RPV, it was assumed that break discharge flow rates would be higher than the hotwell makeup can replenish. This leads to the small increase in Class III contribution in the BNL results. Pressure vessel failure was not reviewed in detail and its failure frequency remained unchanged. The LOCA-in-drywell initiators are the major contributors to Class III. The results of this review (Table 5.2) show little difference between the BNL and the SNPS values.

5.2.1.2 Anticipated Transients Without Scram (ATWS)

The SNPS-PRA shows that ATWS sequences are a major contributor to core damage frequency. The BNL review found that some of the SNPS-PRA assumptions had additional implications which were not fully addressed in the PRA:

a) Lowering water level below Level 1 has the implication of MSIV closure and is accompanied by a high probability of operator failure to inhibit ADS.

b) Manual feedwater runback was treated in the SNPS-PRA as part of the turbine trip initiator event tree rather than on the functional event tree. However, the large unavailability value used for this function resulted in overestimation of some of the sequence frequencies.

The BNL review identified three areas of concern:
a. The ATWS physical analysis: Because available ATWS thermal hydraulic analysis results directly applicable to a BWR-4 reactor with manual 43 GPM SLC system are limited, it is difficult to establish critical parameters that define the condition of the SNPS and the time available for operator actions. Based on the limited analyses, engineering judgment was used in reviewing the SNPS analysis and changes were made to the SNPS event trees.

b. The SNPS specific ATWS emergency procedures: BNL considers the current emergency procedures to be unsatisfactory in areas of operator control of RPV water level, ADS inhibit function, and PRV pressure control.

c. The extent of operator action required during an ATWS event to secure the plant to hot shutdown: The SNPS requires manual actions for most of the ATWS mitigation systems. However, the operator has very little time to perform these tasks, which often must be done within 10 minutes after the onset of the event. This is why the Shoreham ATWS core damage frequency is about an order of magnitude larger than that of the Limerick or the GESSAR-II standard plant. It is prudent to recognize that large uncertainties are associated with the estimates of human errors and therefore the ATWS core damage frequency could be very sensitive to changes in the human error probabilities.
Finally, BNL performed a realistic re-assessment of the SNPS ATWS event as shown in Appendix 5D. The results indicate that, given the assumptions used, there is only a small increase due to different assumptions and modifications to the event trees. The ATWS core damage frequency calculated by BNL using the SNPS initiator frequencies is 2.2x10-5, compared with the SNPS value of 1.8x10-5 (see Table 5.3). Use of the BNL initiator frequencies raises the total core damage to 4.5x10-5, about a factor of 2.5 higher than the SNPS value. Note that the BNL initiator frequencies, like those in the SNPS-PRA, distinguish whether the plant operated above or below a plant condition of 25% power.

5.2.1.3 Transients with Successful Scram
Apart from loss of offsite AC power, which is treated separately in the next subsection, the SNPS-PRA included separate event trees for loss of feedwater, MSIV closure, and loss of condenser transients. Table 5.4 shows that the main contributors to the core damage frequency are the loss of condenser and the turbine trip transients, and that the increase in core damage frequency in the BNL review is due to the different frequency of transient initiation, described in Section 4.1.

Table 5.4 shows that for Class II, if the effect of initiating event frequencies is not taken into account, the SNPS-PRA and the BNL review obtained the same result: 4.8E-6. However, there are two differences between the SNPS-PRA and BNL review which balanced each other:

a) BNL included a dependence between Q and W functions in the functional level event trees that increased the Class II results.

b) BNL assumed that for a case of successful feedwater injection (Q is successful) throughout the transient, no additional means of containment heat removal are required. (See for example Tables 5.A.1 and 5.A.2.)

The two SORVs case was treated in the SNPS-PRA in great detail without any impact. BNL also found it to be a minor event, but not of negligible effect as in the PRA. BNL developed one case in detail (Table 5A-2 in Appendix 5A.1 for the turbine trip transient) to show that it has some impact and should not be totally ignored, as one may conclude from the SNPS-PRA results. The results for two SORVs are calculated by BNL to be 4x10-7 in Class I, similar to the results of the IORV transient with successful early scram. They also contribute more than the small LOCA sequences.
Finally, the transient results of BNL include the impact of miscalibration assuming the probability of gross miscalibration of all four level sensors to be 1/10 of the value used in the SNPS-PRA (see Section 4.3). If the SNPS-PRA value of 2x10-3 was used (which is judged by BNL to be unrealistically high--see Appendix 5A.1.4) the transient contributions would become over 5.4x10-5. The BNL review concluded that the transient group of initiators contribute 15% to core damage frequency.

5.2.1.4 Loss of Offsite AC Power (LOOP)

The SNPS-PRA treated the initiator in a detailed time phased event tree, using fossil plant experiential data for LOOP frequency. Diesel failure frequency and recovery factors were based on nuclear power plants' LERs. The event tree included dependences of RCIC, LPCI, and ADS upon conditions of DC power, suppression pool temperature, and drywell temperature and pressure. BNL did not change this modeling apart from the treatment of the initiator frequencies and of the loss of the containment heat removal function. The latter was transferred to MSIV closure in all cases, omitting the special case of recovery of diesels without recovery of offsite power for over 15 hours. This low frequency event of non-recovery of offsite power has a probability of occurrence of 3%, which makes it an additional Class II contributor as seen from Table 5B.2 (sheet 2/5).

The quantification changes made by BNL were mainly a higher deterioration rate of the batteries between 4 and 10 hours, and the assumption of their loss at about 10 hours. Thus, HPCI and RCIC were assumed to be unavailable after 10 hours in the BNL review. The SNPS-PRA did not sufficiently support its assumption of the possibility that the battery will last 24 hours and allow for HPCI or RCIC operation for that long. Furthermore, several calculations of BWR suppression pool and drywell heat-up in blackout situations (or a statement in the SNPS-PRA itself) indicate that the drywell pressure may reach ≈ 60 psi at 13 to 15 hours, which may render ADS inoperable and lead to core damage condition earlier than 24 hours.

The SNPS-PRA described in detail its level measurement system as part of its in-depth model of the effect of loss of a reference leg of the system. This revealed that level instrumentation readings are lost in the control room during blackout with DC power available because they lack DC backup (initiation of HPCI and RCIC or ADS is not lost). This was not appropriately modeled in the SNPS-PRA treatment of the interaction of LOOP and loss of level instrumentations (see Section 3.4.4.3.2 of the PRA). This sequence was included in the BNL re-assessment as shown in Table 5B.1 (sheet 2/6) and discussed in more detail in the event tree of Table 5F-4, branch TEIOGL. It contributes 1x10-5 to the core damage frequency because it impairs the operator ability to follow procedures (contradicting procedures) and to control HPCI without level information.

The LOOP frequency evaluated by BNL, based on a new NSAC report (NSAC/80--see Section 4.1.3), was found to be 0.15 per year, and the recovery probabilities were those given in Table 4.7 column 9. BNL judges that the value 0.15 is appropriate for the SNPS, which is part of the NPCC region, a fact not included in the SNPS evaluation. The BNL LOOP frequency value is twice the SNPS-PRA value. The recovery probabilities of the SNPS-PRA are significantly larger than those used by BNL. These two changes partially balanced each other. Overall, the increase in the BNL results for the core damage frequency is due to the quantification changes and level instrumentation and only to a lesser extent to the re-evaluation of initiating event frequencies.

Diesel generator data used in the PRA were found reasonably conservative and reflect SNPS onsite power conditions when the PRA was submitted. New updated probabilistic evaluations of the onsite AC power were not submitted to BNL during its review, even though some changes were apparently taking place due to other licensing reviews, which have the potential to reduce the impact of the LOOP sequences.

As seen from Table 5.5, the loss of offsite AC power is a major contributor to the core damage frequency and accounts for 25% of the total frequency.

5.2.1.5 Excessive Release of Water at Reactor Building Elevation 8

This initiator was treated in depth by BNL in a separate report¹. As seen in Table 5.6 the BNL results are significantly higher, mainly because of two changes: (1) a higher initiator frequency calculated by BNL from a more up-to-date and elaborate model, and (2) an increase in the condensate injection failure probability (0.1 instead of 0.01 as was used in BNL revised transient event trees). Also, a time phased event tree was utilized to take into account the early failure of HPCI and RCIC at a water level lower than that for the LPCI/RHR or LPCS failure. This resulted in a 20% increase in the core damage frequency. More detailed results are shown in Appendix 5G.1 and in Ref. 1.

It will be seen in Section 5.2.1.7 below that BNL considered interfacing LOCA to be a significant initiator in the SNPS-PRA. This BNL result was obtained from the same considerations that resulted in the high core damage frequency calculated for the excessive release of water initiator. These considerations include the situation that all ECCS equipment may become compromised in a relatively short time that does not provide the operator sufficient time to recover. The conditional probabilities of core damage (given the initiator) for these sequences are higher than those found in other BWR-PRAs reviewed by BNL in the past. When the combined impacts of excessive release of water at elevation 8 and the interfacing LOCA are considered together, their contribution to SNPS risk is expected to be above 20%. Their calculated core damage frequency is, however, only ≈ 13% of the total.
5.2.1.6 Level Instrumentation: Loss of Reference Leg and Loss of Drywell Cooling

These two groups of initiators related to the water level instrumentation system were treated in greater depth than any other group. Past BWR-PRAs did not treat them in detail. The BNL review of these event trees is described in Appendices 5E and 5F, and the results are shown in Table 5.7. Loss of a reference leg is the major contributor to this group of initiators, and in the BNL review its contribution was increased by a factor of 3 compared with SNPS-PRA results. This increase is due to two major BNL changes:
i : L..: '.' .. :: ' ' " .. :-,: "W" *
~.d' 2. . a: :'.... .g l I 1
a) The common mode failure due to maintenance of the second reference leg: BNL evaluation of this event was based on the LER data provided in the PRA and on BNL judgment related to probability of a human error. These resulted in an increase of the contribution of this sequence, i.e., loss of both reference legs. This event, loss of both reference legs, defeats the automatic initiation of all ECCS systems and leaves the operator without level information if the water level drops below level 3.

b) The miscalibration of the two sensors on the other leg: In this case the value used in the SNPS-PRA, 2x10^-3, for common miscalibration of two level sensors is reasonable and results in significant contribution to core damage frequency due to this group of initiators. This miscalibration, as well as the loss of DP cell, which is similarly important, have not been correctly included in the SNPS-PRA modeling. However, modification made at Shoreham will apparently reduce the impact of this sequence.

Loss of drywell cooling contributes an additional fraction to this group of initiators. The major contributor is the loss of off-site power transient with recovery of the diesels, but without recovery of the drywell cooling. This was not correctly modeled by the SNPS-PRA (see Appendix 5F).

The major contributors discussed above have ~1x10^-5 contributions to SNPS core damage frequency (~7% of the total core damage frequency). The increase in the BNL result in this case is due mainly to the BNL modeling, which included sequences not correctly treated in the SNPS-PRA.

The design of the SNPS has only two "safety related" reference legs, and four level sensors supply all ECCS initiation signals. In other plants HPCI and RCIC are initiated, at least in part, by different sets of sensors* and have more reference legs. A GE generic study of water level instrumentations suggested improvements which have been implemented in the SNPS. However, the core damage frequency calculated in the BNL review with these improvements taken into account is comparable with the frequency in other plants before implementation of the recommended improvement.

*This is implemented in Shoreham in a recent design change to the Water Level Instrumentation System.

5.2.1.7 Interfacing LOCA

Despite its low frequency, this is an important initiator. The increase in BNL review results by a factor of 5 above the SNPS-PRA value (Table 5.8) resulted partly from a change in the initiator frequency estimation and partly from BNL's judgment that condensate injection of 1000 gpm will be insufficient for a large interfacing LOCA in the LPCI system. The modeling and quantification of the event tree were only slightly modified by BNL. The "0.2" for condensate unavailability was based in the BNL review on different consideration (Appendix 5C.2). The frequency increase was based on LERs distributed recently by the NRC (Ref. 25), containing two precursor cases and 5 failures of testable check valves, which increase the probability of such an event. The impact of this sequence was discussed in Section 5.2.1.5 above.
5.2.2 Dominant Sequences in BNL Review

The contributions to core damage frequency grouped according to their initiators were listed in Table 5.1 and summarized in the preceding section. In this section the individual sequences contributing to the SNPS core damage frequency are presented. Tables 5.9 to 5.13 list the dominant sequences contributing to each core damage class. Classes I, II, and IV have large numbers of contributors, but for Classes II and IV more than half the total frequency is attributed to a small number of contributors. Class I has the largest number of small contributors.

Finally, Table 5.14 provides a comparison of the dominant accident sequences in the BNL review and in the SNPS-PRA. The basic pattern in the SNPS-PRA of having no single sequence contributing a large fraction to the total SNPS core damage frequency is seen also in the BNL results. The most dominant contributors in the BNL list consist of accident sequences from each of the initiation groups ATWS, loss of off-site AC power, and excessive release of water at elevation 8.

The following are some comments on the dominant accident sequences in Table 5.14:

a) 50% of core damage frequency is attributed to thirteen sequences in the SNPS-PRA, but to only ten in the BNL review.

b) The following sequences are dominant in both the SNPS-PRA and the BNL review:
- 1) ATWS sequence of MSIV closure.
- 2) The excessive water release sequence.
- 3) Loss of off-site power sequences; however, several differences are noted and explained below.
- 4) The most important single contributor of the water level measurement systems appears roughly in the middle of both lists, but more accident sequence contributors are included in the BNL results.

c) Important differences between the top sequences of the SNPS-PRA and those of the BNL review are as follows:
- 1) Loss of condenser contribution T(C)UX and loss of a DC bus contribution T(D)D(I)Q rank much higher in the SNPS-PRA than in the BNL review, but their absolute frequency is almost the same.
- 2) Loss of off-site AC power contributions appear in both results but differ in their details. The SNPS-PRA has the time-phase III and IV contributions corresponding to failures at 4 to 10 and 10 to 24 hours into the transients. BNL has only Phase IV ranking high, but it has, in addition, the sequences representing water level blackout conditions; these appear high in the BNL list and are missing from the SNPS-PRA.
- 3) The turbine trip ATWS sequence ranks high in the BNL review, but very low on the SNPS-PRA list.
- 4) The Loss of Service Water System contribution is higher on the BNL review list.
5.3 A Limited Sensitivity Study

A limited sensitivity study was done to provide insight into the impact of changes in the assumptions used in this PRA review. It focused on the impact on core damage frequency from two types of changes:

a) Changes in a few assumptions that represent modeling uncertainties.

b) Changes in a few assumptions that illustrate the particular importance of these assumptions in this PRA, or the great importance of selected safety systems with regard to core damage frequency.

The following tests of assumptions represent modeling uncertainties:

a) LOOP frequency and recovery probabilities: The BNL review modified the data recommended in NSAC/80 for deriving LOOP frequency and recovery probabilities, as described in Section 4.1.3 above and shown in Tables 4.6 and 4.7. The results of the BNL review that included three additional LOOP events occurring during shutdown were compared with the results obtained by using the NSAC/80 recommended data (without modification)--see Table 5.15 line 1. The inclusion of the three LOOP events that NSAC/80 did not recommend using in the derivation of LOOP frequency and recovery probabilities had a minimal impact on the result. Hence, BNL concluded that it is better to include these events and obtain a complete data base containing all total LOOP events than to screen out events on a judgmental basis.

b) The BNL review was performed with realistic assumptions that led to a probability of 2x10-" or less for gross miscalibration of all four level sensors (see Sections 4.3 and 5A.1.4). The SNPS-PRA assumed that this probability may be conservatively quantified as 2x10^-3 (Appendix A.3 of the SNPS-PRA) but did not model the effect of this assumption correctly for the case of transients. The impact of this quantification in the case of transients is shown in Table 5.15 line 2, which shows that the total SNPS-PRA core damage frequency would have been much larger if the conservative value of the PRA had been used with adequate modeling.

c) The BNL review used transient-initiator frequencies based on experiential data from BWR plants averaged over their entire operating period from the date of initial commercial operation. The SNPS-PRA used a "weighted average" approach with the experience from the first year of plant operation weighing 1/35 and the subsequent experience weighing 34/35. This was done in the SNPS-PRA in order to represent the mature plant. However, the SNPS-PRA used an earlier data evaluation (from EPRI report NP-801) rather than the updated one from NP-2230, as described in Section 4.1.2 above. The impact of removing the experience of plant occurrences from the first year of operation is shown in Table 5.15 line 3 by comparing the results from the use of columns 10 and 11 of Table 4.2. These columns were explained in Section 4.1.2 and are considered a more appropriate modeling of the impact of the transient initiator frequencies. The results are changed by about 25% for the transient initiator frequencies, but by only 10% for the total core damage frequency calculated in this review. BNL considers the approach of using data from the start of commercial operation to be more appropriate and to account more realistically for a possible "wear-out" period later in a plant's lifetime, if the average plant risk from its entire lifetime is desired.

d) Both BNL and the SNPS-PRA included credit for PCS and condensate systems in their analyses of medium and large LOCAs. Such credit was not taken in some past PRAs, as seen by comparing the success criteria shown in Table 2.6. Table 2.5 (Table 1.5.2 in the SNPS-PRA) shows that the stated SNPS-PRA success criteria do not include credit for PCS and condensate in all cases of LOCAs (see note 5 to Table 2.5). The impact of the two sets of success criteria (with and without consideration of note 5 in Table 2.5) are shown in Table 5.15 line 4. Comparison of these results with the results in Table 5.2 for LOCAs shows that these assumptions have great impact on the Class III core damage frequency. The BNL review considers the inclusion of the credit for PCS and the condensate system to be more appropriate if realistic PRA results are desired. It is also important to consider this type of change when comparing past PRAs with the SNPS-PRA.

The following tests of assumptions illustrate the importance of selected assumptions made in the PRA or the importance of some safety systems in impacting the core damage frequencies in this particular PRA.

a) BNL basically used the SNPS-PRA data on diesel generator availability and recovery probabilities as discussed in Section 4.2.2. Modifications are being made at SNPS to the on-site AC power supply system. To illustrate the impact of a possible increase in the availability of this system, a case study is suggested in Section 4.2.2 which is compared in Table 5.15 line 5 with the baseline data used by the SNPS-PRA and the BNL review. It is seen that a significant reduction (10 to 15%) in the total core damage frequency can be obtained by increasing the availability of the on-site AC power supply system.

b) Explicit credit to the Turbine Building Service Water System (TBSWS) is given only in the analysis of the loss of service water transients in the SNPS-PRA. However, apparently credit for this system was also considered in determining the availability of the RHR and the RCIC in the steam condensing mode, as partly shown in Section 3.3. BNL found the contribution to core damage frequency of this system to have a large significance, as shown in Table 5.15 line 6. If no credit to this system is given, a 20% increase in the total core damage frequency can be calculated. The impact in Class I is from the loss of service water transient only and in Class II from an increase in the unavailabilities of the RHR and RCIC in steam condensing mode, for all transients including the loss of service water transient.

c) Credit to the condensate system injection as part of the low pressure system injection was not given in all past PRAs, as seen from the comparison in Table 2.6 above. Furthermore, if improvement in the availability of this system could be claimed, significant reduction in the contribution of some important sequences could be obtained. The important impact of this system in the SNPS-PRA is shown in Table 5.15 line 7. The results are quite linear with the availability assumed for this system; in the case of Classes III and V an unavailability of 0.2 was generally assumed, and in the case of Class I, 0.1 and 0.2 were used (with the average being about 0.15). BNL considers that credit to the condensate system should be given if realistic PRA results are desired. However, it is important to consider this credit when comparing different PRA results.

d) Four cases related to ATWS were studied. Like the other cases, they are given for illustration purposes only, and they show some of the different contributions to core damage frequency from ATWS. The case in line 8 shows the impact of operator failure to inhibit ADS when low low level is reached in the RPV. The results are clearly sensitive to the quantification of operator error probability. Improvements to ADS manual inhibit have been suggested by GE and apparently applied to the SNPS recently, but credit for any improvements was not given in either the SNPS-PRA or the BNL review. The case in line 9 shows the effect of more reliable SLC, which seems to be as large as that of ADS inhibit in the BNL model. The case in line 10 is also as important as ADS inhibit.

An increase in the SLC system flow rate (from 46 to 86 gpm) or an equivalent increase in the boron concentration (by a factor of 2) will tend to allow for somewhat increased time for the operator to respond to the ATWS incident. This results from the assumption that manually putting a double capacity SLC into operation after 16 to 20 minutes, instead of 10 minutes, will lead to approximately the same total amount of power being transferred to the suppression pool and drywell. Based on the above, the BNL event trees for ATWS were reevaluated assuming operator response required in 20 minutes instead of 10 minutes as assumed in the BNL base case. The results are shown in line 11 of Table 5.15. The estimate assumed that a higher probability for feedwater runback will ensue from the larger response time available (0.1/0.9 vs. 0.2/0.8) and that "UH" will be 10 to 15% smaller (if "UH" is not equal to 1.0).

e) The cases in lines 12 and 13 are similar and illustrate the impact of protecting one train of coolant injection from the impact of a very large flooding. They show that it may be possible to eliminate the flooding sequences from the main list of core damage contributors. The SNPS-PRA as well as the BNL review conservatively assumes that all injection but the condensate system would be lost in case of a large flooding.

f) The RCIC in the steam condensing mode is not normally allowed in SNPS operation. The emergency procedures do not refer to it. Thus, it is a cooling mode for the very special cases of severe accidents when all other long-term cooling modes failed. This was not considered in quantifying the failure of the operator to initiate the containment heat removal mode. Line 14 shows the total impact of this system in the BNL review.

g) BNL was informed after the review was completed that the water level instrumentation system is undergoing modifications to include four additional level transmitters (two on each reference leg) which would be used to initiate HPCI level 2 and level 8 signals separately from RCIC and other ECCS systems. Furthermore, they will be connected to the other DC buses, so that any reference leg side would not coincide with a single DC bus. These changes can potentially remove some of the sequences of Table 5E-2, and a significant reduction in core damage frequency can be obtained as seen in Table 5.15 line 15.

h) One of the NRC comments was that the Control Rod Drive (CRD) system may provide some additional risk reduction. The impact of including CRD is tested in line 16. The system reliability is assumed ideal, and it is assumed that it affects all the "UX" sequences apart from the "UX" belonging to the LOOP transient. However, the system can provide adequate core injection to remove decay heat only after about two hours of a transient initiation. This implies that HPCI and RCIC failure to start, or being in maintenance, are not recovered by CRD. Similarly, the miscalibration with failure of the operator to manually initiate injection and failure of Divisions I and II contributions to HPCI/RCIC failure would fail CRD as well. The estimated impact of CRD on the "UX" sequences is shown in line 16.

Note that this limited sensitivity study was done for illustrative purposes only, to provide another point of view on the results of the SNPS-PRA and the BNL review which are summarized in Sections 5.1 and 5.2.

5.4 References to Section 5 and Appendices
- 1. Shiu, K. et al., "A Review of the Accident Sequences Following an Excessive Release of Water at Elevation 8 of the Reactor Building in the Shoreham Nuclear Power Station," Brookhaven National Laboratory, NUREG/CR-4049, November 1984.
- 2. "Review of Shoreham Water Level Measurement System, Revision 1," S. Levy, Inc., SLI-8221, November 1982.
- 3. "Isolation of Reactor Coolant System from Low Pressure Systems Outside Containment," Office of Inspection and Enforcement, NRC, IN-84-74, September 28, 1984.
- 4. Papazoglou, I. A. et al., "A Review of the Limerick Generating Station Probabilistic Risk Assessment," Brookhaven National Laboratory, NUREG/CR-3028, February 1983.
- 5. Hanan, N. et al., "A Review of BWR/6 Standard Plant Probabilistic Risk Assessment Vol. 1 Internal Events and Core Damage Frequency," Brookhaven National Laboratory, NUREG/CR-Draft, March 1984.
- 6. LILCO's Response to Questions on Shoreham's Probabilistic Risk Assessment, Long Island Lighting Company, SNRC-1021, May 1984.
- 7. Swain, A. D., and Guttmann, H. E., "Handbook of Human Reliability," NUREG/CR-1278, August 1983.
- 8. Cook, D. H., Greene, S. R., Harrington, R. M., and Hodge, S. A., "Loss of DHR Sequences at Browns Ferry Unit One - Accident Sequence Analysis," NUREG/CR-2973, ORNL/TM-8532, May 1983.
- 9. Hubble, W. H., and Miller, C. F., "Data Summaries of LERs on Valves at U.S. Commercial Nuclear Power Plants," NUREG/CR-1363, EGG-EA-5125, May 1980.
- 10. Rubin, M. P., "The Probability of Intersystem LOCA; Impact Due to Leak Testing and Operational Changes," NUREG-0677, May 1980.
- 11. Burns, E. et al., "Inadequate Core Cooling Detection in Boiling Water Reactors," S. Levy Inc., SLI-8210, November 1982.
- 12. Private Communication with Shoreham personnel.
- 13. "SER Issue I.C.8--Emergency Procedures Shoreham Nuclear Power Station-Unit 1," Docket No. 50-322, SNRC-770, September 16, 1982.
- 14. Papazoglou, I. A. et al., "Probabilistic Safety Procedures Guide," NUREG/CR-2815, September 1983.
- 15. Baranowsky, A. J., Kolachzkowski, A. M., and Fedele, M. A., "A Probabilistic Safety Analysis of DC Power Supply Requirements for Nuclear Power Plants," NUREG-0666, April 1981.
- 16. Perkins, K. R., "Success Criterion for PCS with Two or More SORV's," Memorandum to D. Ilberg, Brookhaven National Laboratory, August 21, 1984 (Based on Ref. 8 above and Ref. 4 of Section 2).
- 17. "Assessment of BWR Mitigation of ATWS," GE Report NEDE-24222, Vols. 1 and 2, December 1979.
- 18. Knuth (KMC) to Graves (NRC), "Supplement ATWS Evaluations," letter dated December 2, 1982.
- 19. Harrington, R. M., and Hodge, S. A., "ATWS at Browns Ferry Unit One--Accident Sequence Analysis," ORNL/TM-8902, NUREG/CR-3470, July 1984.
- 20. "Emergency Procedure Guidelines for BWR 1 through 6," Draft Revision 2, BWR's Owner Group, May 20, 1982.
- 21. Hsu, C. J., and Diamond, D. J., "The Effect of Downcomer Water Level and Vessel Pressure on the Reactor Power During the Latter Phase of a BWR/4 MSIV Closure ATWS Event," Brookhaven National Laboratory, Draft Report, August 1984.
- 22. Chexal, B., Layman, W., and Healzer, J., "Reducing BWR Power by Water Level Control During an ATWS--A Quasi-Static Analysis," Nuclear Safety Analysis Center and S. Levy Inc., NSAC-69, May 1984.
- 23. "Anticipated Transient Without Scram for Light Water Reactors," U.S. Nuclear Regulatory Commission, NUREG-0460.
- 24. Ilberg, D., and Hanan, N., "An Evaluation of Unisolated LOCA Outside Drywell in the Shoreham Nuclear Power Station," Brookhaven National Laboratory, Internal Report, May 1985.
- 25. "AEOD Study Finds LOCA Frequency in BWRs is Far Higher Than Thought," Inside NRC, April 1, 1985.
- 26. Harris, J. O. (ORNL), and Minarick, J. W. (SAIC), "An Evaluation of BWR Over-Pressure Incidents in Low Pressure Systems," Preliminary Report, May 1985.
Figure 5.1 Summary of the Results of the Event Tree Quantification Displayed by Class of Postulated Core Damage Condition. (Series: SNPS-PRA and BNL Review; classes shown: Class I through Class V.)

Figure 5.2 Comparison of the SNPS-PRA and the BNL Review Contributing Accident Sequences to the Calculated Core Damage Frequency (per Reactor Year) Due to the Identified Accident Sequence Contributors. (Panels: SNPS-PRA, mean = 5.5x10^-5 per reactor year, core vulnerable; BNL Review, mean = 1.4x10^-4 per reactor year, core damage.)

Figure 5.3 Comparison of the Contributions of Various Accident Sequences to the Calculated Frequency of Core Melt (from WASH-1400) and to the Calculated Frequency of Core Vulnerable Conditions (from the Shoreham Analysis). Area of "Pie Chart" is Proportional to Mean Frequency. Reproduced from SNPS-PRA. (Panels: Shoreham, mean = 5.5x10^-5 per reactor year, core vulnerable; WASH-1400, mean = 5x10^-5 per reactor year, core melt.)

Note to Figure 5.3: Subsequent to WASH-1400, NRC evaluations of the potential contribution of ATWS to core melt (e.g., NUREG-0460) placed the frequency of ATWS in a BWR at nearly twenty times that evaluated in WASH-1400. If this were incorporated into the figure, it would be the single dominant contributor to core melt and would be significantly larger than the frequency of core melt calculated for Shoreham.
Table 5.1 Summary Table: Comparison of SNPS-PRA and BNL Review Results

| Accident Sequence Initiator | Study | Core Damage (CD) Class frequencies, listed in the column order I, II**, III, IV, V | CD |
|---|---|---|---|
| Loss of Coolant Accidents (LOCA) | SNPS | 1.0E-6 1.0E-6 | 2.0E-6 |
| | BNL | 5.3E-7 1.3E-6 | 1.8E-6 |
| Anticipated Transient Without Scram (ATWS) | SNPS | 4.0E-6 2.1E-9 1.4E-5 | 1.8E-5 |
| | BNL | 2.8E-8 4.5E-5 | 4.5E-5 |
| Loss of Offsite AC Power (LOOP) | SNPS | 9.9E-6 1.1E-6 | 1.1E-5 |
| | BNL | 2.9E-5 1.4E-6 | 3.0E-5 |
| Transients (Turbine Trip, Manual Shutdown, MSIV and other) | SNPS | 8.7E-6 4.8E-6 | 1.3E-5 |
| | BNL | 1.5E-5 6.4E-6 | 2.2E-5 |
| Level Instrumentation (Reference leg and drywell cooling) | SNPS | 3.8E-6 1.2E-7 5.2E-9 | 3.9E-6 |
| | BNL | 1.2E-5 2.5E-8 1.5E-7 | 1.2E-5 |
| Flooding at Elevation 8 of Reactor Bldg. | SNPS | 3.1E-6 7.8E-7 | 3.9E-6 |
| | BNL | 1.8E-5 2.0E-6 | 2.0E-5 |
| LOCA Outside Drywell | SNPS | 3.7E-8 | 3.7E-8 |
| | BNL | 2.0E-7 | 2.0E-7 |
| Loss of Service Water, or DC Bus | SNPS | 3.0E-6 7.7E-7 | 3.8E-6 |
| | BNL | 7.6E-6 2.4E-6 | 1.0E-5 |
| TOTAL | SNPS | 3.2E-5 8.5E-6 1.0E-6 1.4E-5 3.7E-8 | 5.5E-5 |
| | BNL | 8.2E-5 1.3E-5 1.5E-6 4.5E-5 4.2E-7 | 1.4E-4 |

*In BNL review all ATWS sequences are assumed to lead to core damage class IV. This is based in part on the judgment that the operator will not be able to inhibit ADS.

**Class II leads in many cases to containment failure without loss of core cooling. Therefore, only a part of Class II results in core damage.
Table 5.2 Core Damage Frequency for LOCA in Drywell Initiators

| Initiator | Class II Frequency, SNPS | Class II Frequency, BNL | Class III Frequency, SNPS | Class III Frequency, BNL | Total Core Damage Frequency, SNPS | Total Core Damage Frequency, BNL |
|---|---|---|---|---|---|---|
| Large LOCA | 7.0E-7 | 2.8E-7 | 1.8E-7 | 3.7E-7 | 8.7E-7 | 6.5E-7 |
| Medium LOCA | 2.7E-7 | 2.1E-7 | 4.9E-7 | 6.1E-7 | 7.6E-7 | 8.2E-7 |
| Small LOCA | 2.4E-8 | 3.6E-8 | 1.6E-8 | 0.8E-8 | 4.0E-8 | 4.4E-8 |
| Reactor Pressure Vessel LOCA | | | 3.1E-7 | 3.1E-7 | 3.1E-7 | 3.1E-7 |
| Total | 1.0E-6 | 5.3E-7 | 1.0E-6 | 1.3E-6 | 2.0E-6 | 1.8E-6 |

Table 5.3 Core Damage Frequency for ATWS

| Initiator | Core Damage Frequency, SNPS | Core Damage Frequency, BNL FT/ET* | Core Damage Frequency, BNL ALL |
|---|---|---|---|
| Turbine Trip | 3.5E-6 | 4.7E-6 | 2.0E-5 |
| MSIV Closure/Loss of Condenser Vacuum | 8.2E-6 | 7.2E-6 | 1.1E-5 |
| Loss of Feedwater | 4.6E-6 | 9.2E-6 | 2.6E-6 |
| Loss of AC Offsite Power | 7.6E-7 | 7.9E-7 | 1.4E-6 |
| Inadvertent Open Relief Valve | 3.2E-7 | 4.3E-7 | 7.1E-7 |
| Total | 1.8E-5 | 2.2E-5 | 4.5E-5 |

*BNL FT/ET denotes the results of the changes in fault trees and event trees made by BNL excluding the changes in the initiating event frequencies.

Table 5.4 Core Damage Frequency for Transient Initiators

| Initiator | Class I Frequency, SNPS | Class I Frequency, BNL FT/ET* | Class I Frequency, BNL ALL | Class II Frequency, SNPS | Class II Frequency, BNL FT/ET* | Class II Frequency, BNL ALL | Total Core Damage Frequency, SNPS | Total Core Damage Frequency, BNL FT/ET* | Total Core Damage Frequency, BNL ALL |
|---|---|---|---|---|---|---|---|---|---|
| Turbine Trip | 2.5E-6 | 2.9E-6 | 5.2E-6 | 1.0E-6 | 8.4E-7 | 1.5E-6 | 3.5E-6 | 3.7E-6 | 6.7E-6 |
| Manual Shutdown | 1.4E-6 | 1.8E-6 | 1.8E-6 | 1.2E-6 | 9.0E-7 | 9.0E-7 | 2.5E-6 | 2.7E-6 | 2.7E-6 |
| MSIV Closure | 7.4E-7 | 1.3E-6 | 2.7E-6 | 3.5E-7 | 2.4E-7 | 5.0E-7 | 1.1E-6 | 1.5E-6 | 3.2E-6 |
| Loss of Feedwater | 2.0E-7 | 2.5E-7 | 1.6E-7 | 4.2E-8 | 3.7E-8 | 3.0E-8 | 2.4E-7 | 4.1E-7 | 3.0E-7 |
| Loss of Condenser | 3.0E-6 | 3.8E-6 | 4.8E-6 | 2.1E-6 | 2.8E-6 | 3.4E-6 | 5.2E-6 | 6.6E-6 | 8.2E-6 |
| Inadvertent Open Relief Valve | 6.8E-7 | 1.2E-7 | 3.3E-7 | 9.0E-8 | 2.4E-8 | 6.6E-8 | 7.7E-7 | 1.4E-7 | 4.0E-7 |
| Total | 8.7E-6 | 1.0E-5 | 1.5E-5 | 4.8E-6 | 4.9E-6 | 6.4E-6 | 1.4E-5 | 1.5E-5 | 2.1E-5 |
Table 5.5 Core Damage Frequency for Loss of Offsite AC Power Initiator

| Initiator | Class I Frequency, SNPS | Class I Frequency, BNL FT/ET | Class I Frequency, BNL ALL | Class II Frequency, SNPS | Class II Frequency, BNL FT/ET | Class II Frequency, BNL ALL | Total Core Damage Frequency, SNPS | Total Core Damage Frequency, BNL FT/ET | Total Core Damage Frequency, BNL ALL |
|---|---|---|---|---|---|---|---|---|---|
| Loss of Offsite AC Power | 9.9E-6 | 1.6E-5 | 2.9E-5 | 1.1E-6 | 0.7E-6 | 1.4E-6 | 1.1E-5 | 1.7E-5 | 3.0E-5 |

Table 5.6 Core Damage for Excessive Release of Water in Reactor Building Elevation 8 Initiator

| Initiator | Class I Frequency, SNPS | Class I Frequency, BNL FT/ET | Class I Frequency, BNL ALL | Class II Frequency, SNPS | Class II Frequency, BNL FT/ET | Class II Frequency, BNL ALL | Total Core Damage Frequency, SNPS | Total Core Damage Frequency, BNL FT/ET | Total Core Damage Frequency, BNL ALL |
|---|---|---|---|---|---|---|---|---|---|
| Excessive release of water at Elevation 8 | 3.1E-6 | ~4E-6 | 1.8E-5 | 7.8E-7 | ~1E-6 | 2.0E-6 | 3.9E-6 | ~5E-6 | 2.0E-5 |
Table 5.7 Core Damage Frequency for Level Instrumentation and Drywell Cooling Failure Initiators
Class ! Class III Total Core Damage frequency Frequency Frequency
! BNL BNL SNL SK BNL I-SNPS FT/ET RL SmPS FT/ET RL SNPS RL Reference leg 2.4E-6 7.3E-6 7.3E-6 2.4E-6 7.3E-6 t ilne leakage , ~
l Loss of Dryuell Cooling (and 3. X -7 7.4E-7 9.3E-7 - 3.3E-7 8. M-7 - transient l contribution) . f Isolation
- 2. K-8 j - Transient Loss 8.2E-7 1.4E-6 3.3E-7 8.N-7 8
Es of Drywell - Cooling - \ . Loss of Offsite
.~ ' . ~
AC Power utth 8.4E-7 1.1E-6 1.9E-6 - 8.4E-7 1.9E-6 Slesel Recovery .
, Small and Medium .
LOCA-Loss of 2.lE-7 4.0E-7 4.eE-7 5.0E-9 1. K-7 1.K-7 2.1E-7 5.5E-7 . Drywell Cooling - -
; Total 3.8E-6 1.8E-5 1.2E-5 5.0E-9 1.K-7 1.K-7 3.8E-6 1.2E-5 i a
Table 5.8 Core Damage Frequency for LOCA Outside Containment Initiator

| Initiator | Class V Frequency, SNPS | Class V Frequency, BNL FT/ET | Class V Frequency, BNL ALL |
|---|---|---|---|
| Interfacing LOCA | 2.4E-8 | 7.2E-8 | 1.8E-7 |
| Steam Lines Break Outside Containment | 1.1E-8 | 1.1E-8 | 1.5E-8 |
| Feedwater Line Break Outside Containment | 1.7E-9 | 1.7E-9 | 3.0E-9 |
| Total | 3.7E-8 | 8.5E-8 | 2.0E-7 |
Table 5.9 Class I Dominant Sequences*
- 1) T EIDE 1.0E-5 . IB
- 2) T! 6. -6 IB E
- 3) T QUX 5.5E-6. IA T
- 4) T UX 4.2E-6 .!A C ,
3.3E-6' i 5) T EIII DUX IB
- 6) T TSU'V 3g 2.6E-6 ID
- 7) T TSUX 3g 2.6E-6 IA .
- 8) T QUX g 2.5E-6 IA
- 9) TR R1 00H 2.4E-6 IA
- 10) T RRLR2 00H 2.2E-6 IA Total Class I = 8.2E-5
- 11) TDQOg 2.2E-6 IA
- 12) T RO R R QUX 2.0E-6 IA
- 13) T EIGL 1.9E-6 IA
- 14) TE III DV 1.7E-6 IB ,
l 15) M 300X 1.6E-6' IA .
- 16) T IDUV E
1.4E-6 ID
- 17) TE III DX 1.2E-6 IB
- 18) TEIII DUV 1.1E-6 IB
- 19) TE III DU'V 1.0E-6 IB
- 20) T EIUV 1.0E-6 ID I
*Without the contributors from excessive release of water at Elevation 8, which would rank high on the list (1.8E-5 is the total contribution of all "flooding" sequences).

Table 5.10 Class II Dominant Sequences
- 1) TW 2.5E-6 C ,
- 2) T EI IV W 1.4E-6
- 3) T TSW 3g 1.4E-6
- 4) T'3g TW 5.8E-7 ,
- 5) T U'W C 4.2E-7 Total Class II = 1.3E-5
- 6) T TSUVW 3y 4.1E-7
- 7) T QW T 3.8E-7
- 8) T QW g 3.7E-7
- 9) M 0W 3 3.2E-7
- 10) AV'V"W 2.0E-7
- 11) S UV'V"W g l'.8E-7
- 12) A few contributors from excessive release of water at Elevation 8, ~2x10- in total.

Table 5.11 Class V Dominant Sequences
- 1) A 0UTY , 2.0E-7 Total Class V = 2.0E-7 4
Table 5.12 Class III Dominant Sequences
- 1) S UV g 3.1E-7
- 2) AV 3.CE-7 Total Class III = 1.3E-6
- 3) S VX 1
2.5E-7
- 4) S QEl. 1.5E-7 1
Table 5.13 Class IV Dominant Sequences
- 1) T CTgKQ 9.1E-6 .
- 2) gg TCeg 8.3E-6
- 3) T CTgKUg 6.5E-6
- 4) T CTgKC2 4.2E-6
- 5) T CTgKUU H 3.9E-6
- 6) TCKTgg 2.4E-6
- 7) T CTgKP g 1.1E-6
- 8) T CggKUUH 1.0E-6 Total Class IV = 4.5E-5
- 9) T CggKPU g 9.1E-7
- 10) T CpgKUH 9.1E-7 .
- 11) TCGEg H 1.1E-6 l 12) T CTgKPUH 7.5E 13) T CpgKC2 5.7E-7 f 14) T CpgKUU g 5.1E-7
- 15) T CTgKPC 2 4.5E-7
- 16) T CTMKPUU H 4.2E-7 L -
Table 5.14 Summary Table of Dominant Accident Sequences Leading to Core Damage Conditions, Ranked by Frequency (per Reactor Year)

| No. | Shoreham PRA Sequence Designator | Core Damage Frequency | Class/Subclass | % of Total, SNPS | % of Total, BNL | BNL Review Sequence Designator | Core Damage Frequency | Class/Subclass |
|---|---|---|---|---|---|---|---|---|
| 1 | T(M2)C(M)C(2) | 6.4E-6 | IV | 12 | 7 | T(T)C(M)K(Q) | 1.0E-5 | IV |
| 2 | T(L)UX | 3.1E-6 | IA | 17 | 14 | T(E)IDGL | 1.0E-5 | IB |
| 3 | T(T)QUX | 2.4E-6 | IA | 22 | 21 | FS(0)QUX | 1.0E-5* | IA |
| 4 | T(D)D(I)Q | 2.2E-6 | IA | 26 | 27 | T(M)C(M)KU(H) | 8.3E-6 | IV |
| 5 | T(E) IV DUX | 2.2E-6 | IB | 30 | 32 | T(T)C(M)KU(H) | 6.7E-6 | IV |
| 6 | FS(0)QUX | 1.7E-6 | ID | 33 | 37 | T(E) IV U | 6.7E-6 | IB |
| 7 | T(E)III(C)DV | 1.5E-6 | IB | 35 | 41 | T(T)QUX | 5.5E-6 | IA |
| 8 | T(F)C(M)U | 1.5E-6 | IC | 38 | 44 | T(T)C(M)C(2) | 4.2E-6 | IV |
| 9 | T(F)C(M)UD | 1.5E-6 | IV | 41 | 47 | T(C)UX | 4.2E-6 | IA |
| 10 | T(C)W'W" | 1.5E-6 | II | 44 | 50 | T(T)C(M)UU(H) | 3.9E-6 | IV |
| 11 | M(S)QUX | 1.3E-6 | IA | 46 | 52 | T(E) III DUX | 3.3E-6 | IB |
| 12 | T(E)III(A)DUV | 1.2E-6 | IB | 48 | 54 | T(SW)TSUV | 2.6E-6 | ID |
| 13 | T(E)W(D) | 1.1E-6 | II | 50 | 56 | T(SW)TSUX | 2.6E-6 | IA |
| 14 | T(R)RQUX | 1.1E-6 | IA | 52 | 57 | T(M)QUX | 2.5E-6 | IA |
| 15 | T(F)C(M)C(2) | 1.0E-6 | IV | 54 | 59 | T(C)W | 2.5E-6 | II |
| 16 | T(E)IDUV | 9.9E-7 | ID | 56 | 61 | T(T)C(M)W | 2.4E-6 | IV |
| 17 | T(TI)C(M)C(2) | 9.9E-7 | IV | 58 | 63 | T(R)L(R1)QUH | 2.4E-6 | IA |
| 18 | T(T)W'W" | 8.9E-7 | II | 59 | 64 | T(R)L(R2)QUH | 2.2E-6 | IA |
| 19 | T(E)GDL | 8.4E-7 | ID | 60 | 66 | T(D)D(I)Q | 2.2E-6 | IA |
| 20 | M(S)W'W" | 8.2E-7 | II | | | T(R)RD(R)QUX | 2.0E-6 | IA |
| 21 | T(E)IUV | 7.7E-7 | ID | | | T(E)IGL | 1.9E-6 | IA |
| 22 | T(M)QUX | 7.2E-7 | IA | | | T(E) III DV | 1.7E-6 | IB |
| 23 | T(I)QUX | 6.7E-7 | IA | | | M(S)QUX | 1.6E-6 | IA |
| 24 | T(E) II DU"V | 6.5E-7 | IB | | | T(SW)TSW | 1.4E-6 | II |
| 25 | T(M2)C(M)C(2)U | 6.2E-7 | IC | | | T(E) IV W | 1.4E-6 | II |
| 26 | T(M2)C(M)CUD | 6.2E-7 | IV | | | T(E) III DX | 1.2E-6 | IB |
| 27 | T(E)C(M)C(2) | 6.0E-7 | IV | | | T(T)C(M)PC(Q) | 1.1E-6 | IV |
| 28 | FS(C)QUX | 5.5E-7 | ID | | | T(E)C(M)U(H) | 1.1E-6 | IV |
| 29 | T(D)QUX | 5.3E-7 | IA | | | T(E) III DUV | 1.1E-6 | IB |
| 30 | T(TI)C(M)U | 5.3E-7 | IC | 70 | 72 | T(M)C(M)UU(H) | 1.0E-6 | IV |

Shoreham PRA: Total Core Damage = 5.5E-5. BNL Review: Total Core Damage = 1.4E-4.

*Estimated
Table 5.15 Results from a Limited Sensitivity Study (Only the sequences affected by the changes that are studied are included in the results shown.)

Columns: No.; Case Studied; Core Damage (CD) Class; CD Frequency; Baseline Case in BNL Review; CD Class; CD Frequency

1. Case studied: LOOP Initiator: NSAC/80 LOOP frequency and recovery probabilities for NPCC
   CD class and frequency: I 2.9E-5; II 5.4E-6; Total [illegible]
   Baseline case in BNL review: LOOP Initiator: BNL Review LOOP and Recovery Probabilities for NPCC
   CD class and frequency: I 2.9E-5; II 6.0E-6; Total [illegible]

2. Case studied: Miscalibration: Use of SNPS-PRA value of 2x10^-3 in the "UI" Function
   CD class and frequency: I 4.7E-5
   Baseline case in BNL review: Miscalibration: Use of BNL-Review value of 2x10^[illegible] in the "UI" Function
   CD class and frequency: I 1.5E-5

3. Case studied: Transients + ATWS: EPRI-NP-2230 Data Base Excluding First Year of Plant's Experience
   CD class and frequency: I 1.0E-5; II 4.3E-6; IV [illegible].9E-5; Total [illegible]
   Baseline case in BNL review: Transients + ATWS: EPRI-NP-2230 Data Base from All Years of Plant Operation (BNL Review)
   CD class and frequency: I 1.3E-5; II 5.5E-6; IV 5.9E-5; Total [illegible]

4. Case studied: Large and Medium LOCAs: No Credit to PCS or to Condensate System
   CD class and frequency: II [illegible]; III 2.6E-6; Total [illegible]
   Baseline case in BNL review: Large and Medium LOCAs: Credit Given to PCS and Condensate
   CD class and frequency: II 5.7E-7; III 4.1E-7; Total [illegible]

5. Case studied: LOOP Initiator: Diesel Data = FTS = 0.01/d; P(2/1) = 0.11; P(3/2) = 0.40
   CD class and frequency: I 5.1E-6; II 6.0E-6; Total [illegible]
   Baseline case in BNL review: LOOP Initiator: Diesel Data = FTS = 0.02/d; P(2/1) = 0.19; P(3/2) = 0.63
   CD class and frequency: I 2.9E-5; II 6.0E-6; Total [illegible]

6. Case studied: No Credit to TBSWS in the PRA
   CD class and frequency: I 2.1E-5; II 2.7E-5; Total [illegible]
   Baseline case in BNL review: Credit Given to TBSWS in the PRA
   CD class and frequency: I 5.2E-6; II 1.3E-5; Total [illegible]

7. Case studied: No Credit to Condensate System in the PRA
   CD class and frequency: I 1.3E-4; III 2.1E-6; V 2.1E-6
   Baseline case in BNL review: Credit Given to Condensate System in the PRA
   CD class and frequency: I 2.2E-5; III 4.1E-7; V 4.2E-7

8. Case studied: ATWS: ADS Inhibit Improved by 50% (Probability of failure decreased by factor of 2)
   CD class and frequency: IV 1.3E-5
   Baseline case in BNL review: ATWS: ADS Inhibit from BNL Review Results
   CD class and frequency: IV 1.9E-5

9. Case studied: ATWS: SLC failure probability reduced by factor of 10
   CD class and frequency: IV 5.8E-7
   Baseline case in BNL review: ATWS: SLC failure probability same as in BNL review
   CD class and frequency: IV 5.8E-6

10. Case studied: ATWS: Automatic FW Runback Assumed, that may Reduce Failure Probability by factor of 10
    CD class and frequency: IV 1.0E-6
    Baseline case in BNL review: ATWS: Manually Initiated FW Runback
    CD class and frequency: IV 1.0E-5

11. Case studied: ATWS: Increased SLC Boron Concentration by a factor of 2 (or alternatively 86 gpm SLC)
    CD class and frequency: IV 2.9E-5
    Baseline case in BNL review: ATWS: SLC injection of 46 gpm
    CD class and frequency: IV 3.6E-5

12. Case studied: Water Release at Elevation 8: One LPCI Train Protected Against Flooding
    CD class and frequency: I 1.8E-7
    Baseline case in BNL review: Water Release at Elevation 8: BNL Review
    CD class and frequency: I 1.8E-5

13. Case studied: LOCA Outside Containment: One LPCI Train Protected Against Flooding
    CD class and frequency: V 4.2E-9
    Baseline case in BNL review: LOCA Outside Containment: BNL Review
    CD class and frequency: V 4.2E-7

14. Case studied: No Credit to RCIC in the Steam Condensing Mode
    CD class and frequency: II 9.1E-6
    Baseline case in BNL review: Credit given to Containment Heat Removal by the RCIC Steam Condensing Mode
    CD class and frequency: II 3.7E-6

15. Case studied: Level Instrumentation System having additional four level transmitters for independent initiation of HPCI, RCIC, and low pressure ECCS
    CD class and frequency: I 2.1E-6
    Baseline case in BNL review: Level Instrumentation System having four transmitters for initiation of HPCI, RCIC, and low pressure ECCS
    CD class and frequency: I 7.[illegible]E-6

16. Case studied: Impact of Inclusion of Control Rod Drive System in the High Pressure Injection Function
    CD class and frequency: I 1.3E-5
    Baseline case in BNL review: Control Rod Drive System not included in the PRA
    CD class and frequency: I 2.0E-5
APPENDIX 5A

ANTICIPATED TRANSIENT WITH SUCCESSFUL SCRAM SEQUENCES

This appendix summarizes BNL's review of the contribution of transients with scram to the SNPS frequency of core damage. The review covered material presented in Sections 3.4.1.1 to 3.4.1.5 and Section 3.4.1.7 of the SNPS-PRA. The following transients are reviewed in this appendix:

a) Turbine Trip
b) Manual Shutdowns
c) MSIV Closure
d) Loss of Feedwater
e) Loss of Condenser Vacuum
f) Inadvertent Open Relief Valve (IORV).

The initiator frequency for these transients was reevaluated as discussed in Section 4.1 and summarized in Table 4.2 above. The frequency of manual shutdown in the SNPS-PRA was judged reasonably conservative and was not further reviewed by BNL. The SNPS-PRA value of 4.3 shutdowns per year was used in the BNL reassessment. For all other transients, the new reevaluated frequencies of Table 4.2 were used by BNL.

The SNPS-PRA attempted to take into account more frontline systems' interdependence in the event trees by increasing the event trees' detail. The interdependences between HPCI and RCIC were detailed in the SNPS-PRA event trees and the same was done for LPCI and LPCS. The condensate and feedwater pumps were explicitly treated in the event tree; the containment heat removal function was separated into contributions from RHR, PCS, and failure to recover from a MSIV closure. These improvements made the modeling of the transients' contribution to core damage in the SNPS-PRA more realistic.
The support system dependence was also treated in the SNPS-PRA. The treatment chosen was to screen selected support systems dependences and treat them in separate event trees so as to focus their impact better. Three support systems were treated in this way:

a) AC Power: Transient induced Loss of Offsite Power (LOOP), or LOOP occurring during the transient.
b) DC Power: Loss of a DC bus, both transient-induced and in the course of the transient.
c) Service Water: Loss of service water during the recovery from a transient.

BNL found this treatment helpful and added another support system to the list:

d) Drywell Cooler: Loss of drywell coolers following a transient. SNPS-PRA treated this explicitly on the transient event trees rather than by the same screening method they suggested. BNL used the screening method for loss of drywell coolers, but differentiated between transients that lead to MSIV isolation and non-isolation transients (see Appendix 5F).

Other support systems were included in the fault-trees analysis and their impact, if important, was accounted for in the front line systems' unavailabilities. Note, however, that some underestimation of support system contribution may result when the more rigorous CDFT is not used. As stated in Section 1.2, BNL judged this underestimation to be unimportant.

The SNPS-PRA treatment of anticipated transients is innovative in the division of the isolation transients into separately treated initiators. This was discussed in Section 2.2 above.

5A.1 TURBINE TRIP TRANSIENT

5A.1.1 Background

This is the most frequent transient. The frequency of the transient is 5 i 4 per year in the SNPS-PRA and 8 per year in the BNL review. This difference was discussed in Section 4.1. Here, the modeling and quantification differences between the SNPS and BNL approaches are discussed.

Following a successful scram, SRVs are opened to relieve the pressure that is rising in the RPV after the closure of the turbine stop valves. If none of the 11 SRVs opens, then the pressure inside the RPV will breach the pressure boundary at a weak point and a LOCA is assumed to occur. This is, however, a small probability relative to the large LOCA frequency, and has no substantial impact. The open SRV may fail to close after pressure is relieved. A single SRV may fail open with as high a probability as 0.1; however, this apparently does not change the course of the transient significantly, because the high pressure injection system can easily maintain pressure in the RPV in spite of the small loss of coolant inventory through the stuck open relief valve.

However, given two SORVs, changes in plant behavior are expected, in three ways:

a) The RPV pressure will slowly decrease to a point at which high pressure injection may no longer be successful. This can happen as early as four hours after initiation of a transient with two SORVs.
b) The suppression pool will heat up slightly faster, and reach 200°F at about 1 hour rather than 2 hours or more.
c) At the beginning of the incident, if there is no high pressure injection, the RPV water level will decrease faster given 2 SORVs than given none; this in turn will reduce the time for recovery of FW during the time period when water level decreases from level 2 to level 1.

The impact on the PCS availability, however, is small in the case of 2 SORVs relative to none.
The "Q" function is discussed in detail in the next section. The coolant injection functions and the ADS are modeled next on the event trees. Their quantification is based on the SNPS-PRA system fault trees. The unavailabilities were discussed in Section 3.3, when fault trees were reviewed.

The containment heat removal function includes the following:

1) RHR system unavailability.
2) The RCIC steam condensing mode with RBSWS cooling the RHRHX directly.
3) The PCS.

The RCIC steam condensing mode has a small contribution, considered in the SNPS-PRA to be 0.4. It might not even be this large if the RBSWS, which is common to both, is assumed to fail and no credit is taken for interconnecting the turbine building service water systems. The values of 0.4 or 4.4x10^-5 are explained in the discussion in Section 3.3 on RHR with RCIC in steam condensing mode.

The PCS is dependent on the availability of offsite power, one circulating pump, the condensate pump, the MSIV, the feedwater discharge valves, and air ejection or mechanical vacuum pump. All these have a hardware failure probability assuming repair of 4.5x10^-3. BNL used a value of 0.004, as explained further in Section 3.3.2.14.

5A.1.2 The FW and PCS Availability (Q and W" Functions)

In the event of a Turbine Trip, the SNPS-PRA states that the operator is instructed by procedure and trained to maintain feedwater or recover it immediately. This important feature was taken into account in BNL's reevaluations. The recovery of feedwater function (Q) is an important function in most transients. BNL has therefore followed the approach of past BWR-PRAs *,5 and constructed a functional level event tree for the Q function and tried to use it in a consistent way for all the transient events. Table 5A.1 gives the description of the functional event tree used for Q and the basis for its quantification in the turbine trip case. The tree includes two phases:

a) The Short-Term Phase: Probability that FW will be available, beginning 30 minutes after initiation of the transient.
b) The Long-Term Phase: Probability that the PCS will be available for containment heat removal, 15 hours after accident initiation.

The BNL functional event trees result in probabilities for Q similar to those found in past BWR-PRAs. However, those PRAs, as well as the SNPS-PRA, assumed that the long-term PCS availability is independent of the unavailability of parts of this system at accident initiation. BNL does not consider this to be realistic.
One anomaly that may arise when considering the long-term PCS recovery to be independent of failure to recover the PCS in the short term is that overall recovery probabilities for the transient duration become unrealistically high. For example, failure to recover turbine bypass valve in the short term, and then again in the long term, are related, and the probability of late recovery should decrease if early recovery already failed.

The above situation is shown in Table 5A.1, in which both the short- and long-term PCS recovery probabilities are shown on the same tree. The conditional probability of long-term recovery, given that short-term recovery has failed, is of the order of 10^-2, which is higher by a factor of 2 than that in the SNPS-PRA, where the short- and long-term phases are assumed to be completely independent. This factor becomes larger in cases of MSIV closure or loss of condenser transient. In fact, the SNPS-PRA assumes some dependence between the short- and long-range recovery in some other transients in a few cases.

The SNPS-PRA considered a dependence between ADS operation and MSIV recovery probability, increasing the non-recovery probability by a factor of two for cases in which depressurization by ADS has occurred. This was insufficiently explained, and it was applied non-uniformly for the transients, with factors ranging from 1.4 to 3.0. The BNL approach, used with its functional level event tree, was to apply a uniform MSIV recovery probability of 0.001 for all cases (but for the case of MSIV closure see Section 5A.3) based on the long period (15 hours) available for the MSIVs to recover. Unlike the SNPS-PRA, BNL did not model the MSIVs as a frontline system, but used them as a part of the PCS.

In summary, the BNL approach used the functional level event tree approach for Q and W" quantification to gain more consistency in their quantification.

Another change made by BNL is the assumption that, when FW injection (Q) is successful, the long-term containment heat removal function is not required because no decay heat would be deposited into the suppression pool throughout the transient.

5A.1.3 The Results of the BNL Revised Event Trees

The revised BNL event trees take all the above considerations into account. They are shown in Table 5A.2, along with additional explanation regarding their quantification.

The result of the BNL re-assessment is about twice the value in the SNPS-PRA, mainly because of the increase in initiator frequency. A small increase in BNL results is obtained from the sequences including two SORVs. Although the contribution of this increase to the total core damage frequency is small, it is much higher than estimated in the SNPS-PRA. The small increase in Class II, apart from the change in initiation frequency, results from the dependence between early and late recovery of the PCS included in the BNL re-assessment.

5A.1.4 The Special Case of Common Mode Miscalibration of Level Instrumentation

The SNPS-PRA considers a miscalibration of all water level transmitters to be an event having a probability of occurrence of 2x10^-3. It does not state that procedures for staggered calibrations are available.
The fault trees of the SNPS-PRA include the miscalibration error of all water level sensors as input to HPCI, RCIC, ADS, LPCI, and LPCS. It is identified on all those fault trees by the same basic event, namely "HHU7200XI". The fault tree model assumes that if miscalibration occurs, no automatic initiation will occur in RCIC and ADS. However, on HPCI, LPCI, and LPCS fault trees, the modeling assumed automatic initiation by high drywell pressure, which is true only for LOCA or ATWS and is incorrect for all transients and manual shutdowns. Therefore, the commonality of miscalibration for high and low pressure injection under transient conditions was not recognized in the cut sets of those fault trees and was not accounted for in the SNPS-PRA transient functional event trees.

The fault trees have included an operator action for manually starting the ECCS subsystems if automatic initiation failed. These include the following:

a) HHU5000XI and HHU6000XI for operator failure to manually actuate HPCI or RCIC,
b) AHU1990XI for operator failure to manually initiate ADS,
c) DHU111DXI for operator failure to manually initiate LPCS,
d) LHU5000XI and LHU6000XI for operator failure to manually initiate LPCI.

Therefore, in the SNPS-PRA fault tree analysis there exists the following cut set (see also Section 4.3):

HHU7200XI * (HHU5000XI + HHU6000XI) * AHU1990XI

which can lead to Class I core damage if feedwater injection becomes unavailable. This event "T(T)Q" for the turbine trip transient is

T(T)Q = 8 x 0.082 = 0.66 per year.

The core damage probability for turbine trip with miscalibration then becomes

T(T)QUX = 2x10^-3 x 0.1 x 0.1 x 0.66 = 1.32x10^-5,

which is double the value for T(T)QUX calculated on the event tree of Table 5A.2 (Sheet 2). BNL considers this result conservative for the following reasons:

a) A common-mode miscalibration error rate for a large miscalibration (a miscalibration of level 2 and 1 by over 10 feet is needed to uncover the core without safety system actuation) should be lower than 2x10^-3. BNL judges that a value smaller by a factor of 10 would be more realistic if some calibration procedures emphasizing the effect of large calibration changes are used. The Handbook of Human Reliability (NUREG-CR/1278) gives even lower values for similar cases (see Section 4.3).
b) In order for a large miscalibration to be unnoticed, the operators must ignore a white indicator light in the control room for HPCI high level trip transmitters N091 C and D.
c) In order for the operator to perceive that the core is well covered and significantly reduce core injection for a long time, an additional miscalibration must have occurred on the wide or narrow range level transmitters, in a direction that will display high water level in the reactor vessel.

The reviewers consider the situation posed by such a gross miscalibration to be of sufficient importance to warrant calibration procedures that require staggered calibration such that N091 A and C would be calibrated at different times than N091 B and D. Such a procedure may be sufficient to reduce the probability of this event to a fraction of the T(T)QUX sequence modeled in the event tree diagram and appropriately represented by the value of UX = 8.4x10^-6 used from the fault tree analysis.

After the review was completed, BNL was informed that a modification to the level instrumentation system is underway at Shoreham. This modification will potentially reduce the probability of miscalibration by the addition of four new level instruments for HPCI actuation.
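The shared-event effect described in Section 5A.1.4, as an added example that is not part of the BNL report or the SNPS-PRA: a small fault-tree evaluator showing why one miscalibration event feeding both the high pressure injection and ADS trees makes the UX branch more likely than the product of the two system unavailabilities. The event names MISCAL, OP_HP, OP_ADS, U_HW and X_HW, the two-gate tree structure, and the treatment of the quoted U and X values as the independent part of each system are assumptions of this example; the probabilities are the ones quoted in the text.

```python
"""Added example: a shared basic event in two fault trees (simplified, assumed model)."""
from itertools import product

# Basic-event probabilities. MISCAL, OP_HP and OP_ADS are the three factors the
# text multiplies (2x10^-3, 0.1, 0.1). U_HW and X_HW reuse the quoted U and X
# values as the part of each system that does not depend on miscalibration
# (an assumption of this example). All names are hypothetical.
P = {
    "MISCAL": 2e-3,   # common-mode miscalibration of the level transmitters
    "OP_HP": 0.1,     # operator fails to start HPCI/RCIC manually
    "OP_ADS": 0.1,    # operator fails to initiate ADS manually
    "U_HW": 0.01,     # high pressure injection unavailable for other reasons
    "X_HW": 8.4e-4,   # ADS unavailable for other reasons
}

# A gate is ("AND" | "OR", child, ...); a string is a basic event.
U = ("OR", "U_HW", ("AND", "MISCAL", "OP_HP"))    # no high pressure injection
X = ("OR", "X_HW", ("AND", "MISCAL", "OP_ADS"))   # no depressurization
TOP = ("AND", U, X)                                # the UX branch of the event tree


def occurs(node, state):
    """True if the gate or basic event `node` is failed in `state`."""
    if isinstance(node, str):
        return state[node]
    op, *kids = node
    results = [occurs(k, state) for k in kids]
    return all(results) if op == "AND" else any(results)


def exact_probability(node, probs):
    """Sum the probability of every basic-event state in which `node` occurs."""
    names = sorted(probs)
    total = 0.0
    for bits in product((False, True), repeat=len(names)):
        state = dict(zip(names, bits))
        if occurs(node, state):
            weight = 1.0
            for name in names:
                weight *= probs[name] if state[name] else 1.0 - probs[name]
            total += weight
    return total


def minimal_cut_sets(node):
    """Expand the tree into cut sets and drop any set that contains another."""
    if isinstance(node, str):
        return {frozenset([node])}
    op, *kids = node
    child_sets = [minimal_cut_sets(k) for k in kids]
    if op == "OR":
        sets = set().union(*child_sets)
    else:
        sets = {frozenset()}
        for cs in child_sets:
            sets = {a | b for a in sets for b in cs}
    return {s for s in sets if not any(t < s for t in sets)}


def compare(tt_per_year=8.0, q=0.082):
    """Contrast the independence assumption with the exact shared-event result."""
    tq = round(tt_per_year * q, 2)  # 0.66 per year, rounded as in the text
    return {
        # Product of the two system unavailabilities, as if they were independent.
        "independent_UX": exact_probability(U, P) * exact_probability(X, P),
        # Exact probability with MISCAL shared between both systems.
        "exact_UX": exact_probability(TOP, P),
        # Frequency of the miscalibration cut set alone (the text's 1.32x10^-5).
        "miscal_sequence_per_year": tq * P["MISCAL"] * P["OP_HP"] * P["OP_ADS"],
        # Frequency of the event tree sequence that ignores the shared event.
        "event_tree_sequence_per_year": tq * P["U_HW"] * P["X_HW"],
    }


if __name__ == "__main__":
    for cut in sorted(minimal_cut_sets(TOP), key=sorted):
        print("cut set:", sorted(cut))
    for name, value in compare().items():
        print(f"{name}: {value:.3e}")
```

The cut set {MISCAL, OP_HP, OP_ADS} is the simplified counterpart of the cut set quoted above; it only appears when both system trees reference the same miscalibration event.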
Table 5A.1 Functional Level Event Tree Description for FW and PCS Recovery Probability (Turbine Trip) (Sheet 1 of 3)

Function: Feedwater system remains on line
Probability: 0.1
Description/Comment: SNPS probability that the feedwater system fails to rapidly respond to the transient resulting in a level 8 trip or MSIV closure.

Function: Recovery of FW between Level 2 and Level 1
Probability: 0.7
Description/Comment: The SNPS probability of FW recovery given that HPCI or RCIC does not start. 6-10 minutes are available to the operator before level 1 signal.

Function: Turbine controls and bypass valves available
Probability: 0.011
Description/Comment: Probability that the main turbine controls and bypass valves are failed or fail during the transient. A factor of 10 was applied since the initiating event involved the turbine.

Function: MSIVs remain open
Description/Comment: Probability that the MSIVs fail to remain open during the transient.
Probability: 0.02 - If FW system remains on line.
Probability: 0.20 - If loss of FW system occurs. It may result in MSIV closure on low reactor level or pressure.

Function: MSIVs reopened
Probability: 0.1
Description/Comment: Probability that the operator fails to reopen the MSIVs within 30 minutes of transient initiation.

Function: Recovery of FW and PCS
Probability: 0.01
Description/Comment: Probability that the operator fails to recover the FW and PCS within 30 minutes given a failure or turbine trip. The low failure probability is assumed because it is a standard action that the operator is called on to perform normally, and is trained to do on simulators.

Function: Turbine Controls and Bypass Valves Available - Long-Term
Probability: 0.05 - Conditional recovery probability given failure to recover during the early phase. Total failure to recover probability should not exceed 5.5x10^-4 for the transient duration.
Probability: 5.5x10^-4 - Probability that the turbine controls and bypass valves are not available. System restoration is assumed. (0.5 x Estimated System unavailability).

Function: MSIVs Reopened - Long-Term
Probability: 0.001 - Probability that the operator fails to reopen the MSIVs during the time available following the initiation of the transient. Assumed to be 15 hours.
Probability: 0.01 - Conditional recovery probability given failure to recover during the early phase. Total failure to recover probability during the transient assumed not to exceed 0.001.

Function: Recovery of FW and PCS
Probability: 0.001 - Probability that the operator fails to recover the FW and PCS during the time available. Assumed to be 15 hours.
Probability: 0.1 - Conditional recovery probability given failure to recover during the early phase. Total failure to recover probability should not exceed 0.001 for the 15 hour duration.

Function: FW and PCS Hardware
Probability: 0.004
Description/Comment: Probability that the FW and PCS will not be available to provide water to the reactor and remove decay heat to the environment. Value based on the SNPS fault trees (see Section 3.3).
[Event tree diagram] Table 5A.1 Functional Level Event Tree for the Probability of FW and PCS Unavailability Following a Turbine Trip. Short Term and Long Term Recovery Probabilities. Case of 2 SORVs. (Sheet 3 of 3). Totals shown on the tree: Q = 0.112; W" = 1.2E-3/0.112 = 0.011.
Table 5A.2 Event Tree Diagram for Sequences Following a Turbine Trip Initiator (Sheet 1 of 3)

T(T) = 8.0: The frequency of turbine trip transients per year is based on the discussion in Section 4.1.

C = 3.E-5: This is the scram failure probability (both mechanical and electrical). It is taken from NUREG-0460 (2,3).

M = 1.E-6: This is the probability assumed for failure of 11 SRVs to open on high reactor pressure exceeding their set point. The failure leads to an unimportant contribution to LOCA frequency.

P = 2.E-3: The probability that 2 SRVs will be stuck in the open position (stuck open relief valve = SORV). The probability of this failure mode is 3.75x10^-3/d. An average of three challenges per valve is assumed for turbine trip transient. The summation of 2 out of 7 combinations results in 2x10^-3.

Q = 0.082: This probability of failure to recover FW is evaluated in Table 5A.1.

Q = 0.11: This is the feedwater unavailability following turbine trip with 2 SORVs (see Table 5A.1 sheet 3 for derivation).

U' = 0.07: The unavailability of RCIC based on the fault tree for the RCIC system (see Section 3.3).

U" = 0.1: The unavailability of HPCI based on fault tree analysis (see Section 3.3 for discussion of the fault trees of the HPCI system).

U = 0.01: The value of the unavailability of RCIC and HPCI, considering their commonalities (see Section 3.3).

X = 8.4E-4: The ADS unavailability as derived from SNPS-PRA fault trees.

V'.V" = 6.2E-4: The unavailability of LPCI and LPCS based on their combined fault tree analysis (Section 3.3).

V = 0.1: The probability that the operator initiates or controls the condensate pump within half an hour or less, following loss of high and low pressure injections.

V = 0.02: This is the probability of aligning the condensate system in the case of 2 SORVs when this system is needed four hours into the accident, after the pressure in the core decreased below high pressure injection reactor pressure requirement.

W' = 4.4E-5: The value of RHR with RCIC in steam condensing mode (see Section 3.3).
     1.1E-4: RCIC assumed unavailable. The value represents RHR reliability with assumed repair for 20 hours (~0.36). It is developed in Section 3.3 based on SNPS-PRA fault tree analysis.

W" = 4.E-3: Unavailability of PCS if available during the turbine trip transient (see Section 3.3).
     0.013: Conditional unavailability of PCS given it failed to be recovered in the first half hour of the transient (see Table 5A.1).
     0.011: Same as above for 2 SORVs (see Table 5A.1).
5A.2 MANUAL SHUTDOWN

Manual shutdowns are gradual controlled reactivity insertion events. They have various reasons. The PRA lists contributors to manual shutdowns (Table 3.4.3 page 3-53). Most of them involve minimal challenges to the plant safety systems because often feedwater and PCS remain available with a very high probability. A few of them result in the challenge and initiation of safety systems.

An elaborate approach could be to treat separately the many possible combinations of manual shutdowns with frontline system unavailabilities, and sum their contributions. The SNPS-PRA chose a more efficient approach even though it may be conservative. It modeled three of the important cases of manual shutdowns with frontline systems unavailability concurrently on the same event tree:

(a) Manual shutdown because of condenser problems.
(b) Manual shutdown because HPCI and RCIC became unavailable.
(c) Manual shutdown because RHR (two loops) became unavailable.

For case (a) the frequency was taken from experience (Table 3.4.3 of the PRA) showing that 4% of manual shutdowns result from condenser problems. For case (b) the SNPS-PRA estimated that 1 of 100 shutdowns will be caused by HPCI and RCIC unavailability. BNL modified the frequency to 1/43 because in Appendix A.4 of the PRA, where maintenance is discussed, the PRA assumes that the same event can occur once in 10 years or 1 in 43 shutdowns. For case (c) the PRA estimated that both RHR systems may become unavailable with a probability less than 8x10^-4 per year or 2x10^-4 per manual shutdown. However, the initiation of this system may be delayed for 20 hours, and therefore a recovery factor of 0.36 accounting for repair was assumed in the BNL revised tree.

Modeling all three cases on the same event tree results in overestimation of the manual shutdown contribution to core damage frequency. The result would most probably be much larger than the sum of the contributions of the many possible sequences of manual shutdown combined with frontline systems unavailability. The revised event tree diagram of the BNL review is shown in Table 5A.4. It shows that, even using the conservative combinations of concurrent system failure and manual shutdowns, the contributions from these sequences are relatively small.

Note also that the SNPS-PRA determined the frequency of manual shutdown, based on experience, to be 4.3 per reactor year. This is on the high side of the range of values used in past PRAs and therefore reinforces the conclusion that the SNPS-PRA results for manual shutdown sequences represent their contribution quite conservatively.
Table 5A.3 Functional Level Event Tree for FW and PCS Recovery Probability (Manual Shutdown) (Sheet 1 of 2)

Function: Feedwater System Remains Online
Probability: 0.04
Description/Comment: According to Table 3.4-3 (page 3-53) of the SNPS-PRA, in 4% of BWR manual shutdowns the cause is condenser problems.

Function: Recovery of FW before Level 1
Probability: 0.7
Description/Comment: It is assumed that part of the condenser problems are in the condenser support subsystem and do not interfere with feedwater injection. The value of 0.7 is taken to be the same as in turbine trip.

Function: Turbine Controls and Bypass Valves Available
Probability: 0.0011
Description/Comment: Same as in the turbine trip case (Table 5A.1), but not multiplied by 10 because initiator event did not occur in this subsystem.

Function: MSIVs Remain Open
Probability: 0.0[illegible]
Description/Comment: During manual shutdown operation there is a probability of MSIV closing. The same probability as in the case of turbine trip was used.

Function: MSIV Reopened
Probability: 0.1
Description/Comment: Same as in the turbine trip case.

Function: Recovery of FW and PCS (short term = 30 minutes)
Probability: 0.01
Description/Comment: Same as in the turbine trip case.

Function: Lineup of Condensate Pumps
Probability: 0.1 or 0.2
Description/Comment: Probability of operator success to manually control the condensate pumps within less than 30 minutes as well as validating connection of CST to hotwell. This is given as 0.1. However, because a condenser problem is the cause of the shutdown, a 10% probability that the hotwell is involved was added when the condenser has failed.

Function: Turbine Controls and Bypass Valves Available Long-Term
Probability: 5.5x10^-4 or 0.5
Description/Comment: The unavailability is assumed to be 0.0011 with 0.5 probability of repair. However, if this system failed in the short term, then it has the 0.5 probability of being repaired in the next 15 hours.

Function: MSIVs Reopened Long-Term
Probability: 0.001 - This is the probability that the operator fails to reopen MSIV in 15 hours. Taken from SNPS-PRA event "Z" in the case of the manual shutdown tree.
Probability: 0.01 - If MSIV recovery failed in the short term, it is assumed that the overall failure to recover probability remains 0.001. Therefore a conditional probability is given.

Function: Recovery of Condenser or Hardware in Long-Term
Probability: 0.036 or 0.001
Description/Comment: This is based on the SNPS-PRA consideration that 10% of the condenser problems would be hardware malfunctions which have a mean time to repair of 19 hours. Therefore a recovery factor of 0.36 is used for 10% of the hardware. The rest is recovered with a probability of 0.001.

Function: Recovery of FW and PCS Long-Term (before 15 hours)
Probability: 0.001 - The probability that the operator fails to recover the systems in 15 hours during the accident.
Probability: 0.1 - Conditional probability given recovery has failed during the short term.

Function: FW and PCS Equipment Available
Probability: 0.004
Description/Comment: This is the hardware availability of the PCS and includes circulating pumps, condensate, air ejector or mechanical vacuum pump, MSIV, instrumentation and control, etc. (see Section 3.3 for PCS unavailability discussion).
Table 5A.4 Event Tree Diagram for Sequences Following a Manual Shutdown (Sheet 1 of 2)

M3 = 4.3: The SNPS-PRA assessed the frequency of manual shutdown based on operating experience, and obtained this frequency. It is apparently conservative. BNL used the same value.

P = 2.E-5: The probability of challenging the SRVs is small for a manual shutdown. If challenged, they would require less valves to lift than in the case of a turbine trip.

Q = 0.03: This value was developed in Table 5A.3. It represents a case of a condenser problem which required manual shutdown.

U = 0.015: The normal value for the U function is 0.01. Here it is assumed by BNL, following the rationale of the PRA, that one time in ten years the HPCI and RCIC both will be unavailable and the plant will be manually shut down. This means once in 43 shutdowns or an addition of 1/185 to the U function given 4.3 shutdowns per year.

X = 8.4E-4: Same as in turbine trip event tree.

V = 6.2E-4: Same as in turbine trip event tree.

V = 0.15: Because the manual shutdown is assumed to be caused by troubles in the condenser system, it is assumed that in 5% of the cases the problems will be in the hotwell which affects the condensate system.

W' = 7.2E-5: This value for W' is obtained when a special case of manual shutdown is assumed, in which both RHR loops are unavailable and the plant is manually shut down. The SNPS-PRA estimates the frequency of such an event to be 2x10^-4 per manual shutdown. To that a recovery factor of 0.36 is applied for 20 hours repair time.

W' = 4.4E-5: The unavailability of RHR with RCIC steam condensing.

or 1.1E-4: The unavailability of RHR without RCIC steam condensing.

W" = 0.055: Developed by BNL in Table 5A.3. It is the conditional probability of having PCS available given manual shutdown was due to condenser problems.

W" = 0.004: PCS unavailability.
Table 5A.4 Event Tree Diagram for Sequences Following a Manual Shutdown (Sheet 2 of 2) [event tree diagram not recoverable from the scan]
5A.3 MSIV CLOSURE TRANSIENT

5A.3.1 Background

The SNPS-PRA MSIV closure transient event trees are reviewed here. Considered as MSIV closure transients are only those events in which the MSIV closure was the initiating event. Cases in which MSIV failed during the transient are dealt with in each respective transient.

The frequency of the initiator, discussed in Section 4.1, is 0.57 per year in the BNL review. To that are added the LOOP cases which are recovered early. The major contribution is 0.15x0.63, where 0.63 is the LOOP recovery probability within half an hour (see Table 4.7). Thus, the total frequency of MSIV closure transients is assumed to be 0.67. (For Class II sequences there is a slight "double counting" because it is also developed in the LOOP event tree).

Some MSIV closure events can be recovered immediately or within half an hour. The recovery probability in the BNL reassessment is evaluated by means of a functional level event tree, as shown in Table 5A.5. It is based on the same functional level event tree structure as in the turbine trip case shown in Table 5A.1. The quantification of that event tree uses the same recovery probabilities shown in the Turbine Trip case. The 0.7 for the early recovery probability of the MSIV is based on the SNPS response to a BNL question and is stated to reflect BWR experience. The results of this functional event tree are the following:

(a) For MSIV closure without SORV: Q = 0.45; W" = 0.03

(b) For MSIV closure with 2 SORVs: Q = 0.92; W" = 0.018.

The values for item (b) are calculated by using the same functional event tree, with 0.9 instead of 0.3 for failure to recover FW before hitting Level 1, which isolates the MSIVs. The two SORVs case is not further developed because of its small contribution. The case with no SORVs is shown in Table 5A.6 sheet 2 and the values are explained in sheet 1.

5A.3.2 The Results of the BNL Revised Event Tree

The revised event tree shown in Table 5A.6 takes all the above considerations into account. The results of the BNL reassessment are higher by a factor of 3. A factor of 2 is due to the revised initiator frequency and the other 50% to the increase in Q function developed in Table 5A.5.

As in the case of turbine trip, a common miscalibration of all four level transmitters will result in an increase by a factor of 2.5 above the reported BNL results if credit for staggered miscalibration procedures is not given. Otherwise, it would constitute only a small fraction of the 8.4x10^-6 considered for the "UX" function in Table 5A.6. This miscalibration event was discussed in Sections 5A.1.4 and 4.3.
Table 5A.5 Functional Level Event Tree Description for FW and PCS Recovery Probability (MSIV Closure) (Sheet 1 of 2)

Recovery of FW before Level 1: 0.3. The SNPS-PRA event tree for the MSIV initiator uses this value. The basis is given on Page 3-72g and as stated in response #9 to BNL questions, comes from operating experience with BWRs.

0.9: With two SORVs there is a higher rate of level decrease and a shorter time period to recover FW if HPCI and RCIC fail (SNPS-PRA).

Turbine Controls and Bypass Valves Available: 0.0011. Same as Table 5A.1, but not multiplied by 10, because initiator event did not occur in this subsystem.

MSIVs Remain Open: 1.0. Probability that the MSIVs fail to remain open during the transient. Here it fails and initiates the transient.

MSIVs Reopened Short-Term: 0.2. Probability that the operator fails to reopen the MSIVs within 30 minutes. A higher failure probability to recover is assumed (factor of 10) because transient originated in this equipment.

Recovery of FW and PCS: 0.01. Same as in Turbine Trip Table 5A.1.

Lineup of Condensate Pumps: Same as in Turbine Trip Table 5A.1.

Turbine Controls and Bypass Valves Available: 5x10^-4 or 0.5. See comments to Table 5A.1. The probability of recovery in 15 hours is about 0.5, given system is in failed state.

MSIVs Reopened Long-Term: 0.01. SNPS-PRA event tree for MSIV assumes 0.05 for long-term recovery of MSIV. This is because the initiating event originated from this equipment. In the BNL review, a factor of 10 was applied to the MSIV recovery probability used for a Turbine Trip initiator (which is 0.001--see Table 5A.1), to account for this potential dependency.

0.05: Conditional probability used for long-term recovery of MSIV given failure to recover in the first 1/2 hr.

Table 5A.5 Functional Level Event Tree Description for FW and PCS Recovery Probability (MSIV Closure) (Sheet 1 of 2 Continued)

Recovery of FW and PCS: 0.001. Same as in Table 5A.1.

FW and PCS Equipment Available: 0.004. This has been assumed for the long-term phase. Use is made of the same value as assumed in Turbine Trip, because the initiator did not originate from the PCS.
Table 5A.6 Event Tree Diagram for Sequences Following a MSIV Closure Initiator (Sheet 1 of 2)

Tg = 0.67: Frequency of MSIV closure, which includes the frequency from operating experience as derived in Section 4.1 (Table 4.2) combined with the contribution from LOOP events in which off-site power was recovered early.

M = 2.E-3: Failure of SRV to reclose. The probability is assumed to be the same as in the turbine trip case. The contribution of this sequence is relatively small and is not further developed. It can be evaluated if event tree similar to Table 5A.2 (sheet 3/3) is developed.

Q = 0.45: Developed on Table 5A.5.

U = 0.01: Same as in the turbine trip event tree

X = 8.4E-4: Same as in the turbine trip event tree

V = 6.3E-5: Same as in the turbine trip event tree

W' = 6.4E-5: Same as in the turbine trip event tree

= 1.1E-4: Same as in the turbine trip event tree

W" = 0.004: Same as in the turbine trip event tree

= 0.03: Conditional probability of PCS recovery given it failed in the short term. Developed in Table 5A.5.
5A.4 LOSS OF FEEDWATER TRANSIENT

5A.4.1 Background

This section reviews the loss of FW transient event trees of the SNPS-PRA. Only those loss of feedwater events that initiated the transient are considered. Not considered are cases in which this event occurred subsequent to another initiator such as a turbine trip with Level 8 FW trip. Cases in which FW is lost during the transient are dealt with in each respective transient.

The frequency of the initiator, discussed in Section 4.1, is 0.13, which is lower than the SNPS-PRA value--estimated to be 0.18.

Most of the loss of FW events can be recovered in a short time, as BWR experience indicates. This is given credit in the SNPS-PRA event tree and by BNL. The recovery probability is evaluated in the BNL review by means of a functional level event tree, shown in Table 5A.7. This tree is consistent with the other functional level event trees used for MSIV closure or turbine trip. The results of this evaluation are as follows:

(a) For loss of FW without SORV: Q = 0.12, V = 0.25, W" = 0.035.

(b) For loss of FW with 2 SORVs: Q = 0.51, V'" = 0.30, W" = 0.03.

Values for Item (b) are calculated by using the same functional level event trees, with 0.5 instead of 0.1 for failure to recover FW before hitting Level 1. The case of two SORVs was not further developed here because of its small contribution. The case with no SORV is shown in Table 5A.8 sheet 2, and the values used are explained in sheet 1.

5A.4.2 The Results of the BNL Revised Event Tree

The revised event tree shown in Table 5A.8 takes the above background considerations into account. Most of the values are, however, similar to those in the turbine trip case. The results of the re-evaluation are similar to those of the SNPS-PRA. This is because, based on the functional level event tree, a similar non-recovery probability to that of the SNPS-PRA is predicted by BNL (0.12 compared to 0.14). The similar Class II results are due to the compensating effects in the BNL assumptions: (1) the dependency between W" and Q, and (2) the reduction in BNL frequency for the initiating event, and also by the assumption that after recovery of FW, there is no need for containment heat removal because all decay heat is transferred to the condenser.

This transient as a whole is a small contributor to the SNPS-PRA core damage frequency.
Table 5A.7 Functional Level Event Tree for the Probability of FW and PCS Unavailability Following Loss of FW Transient: Short-Term and Long-Term Recovery Probabilities (Sheet 1 of 2)

Recovery of FW before Level 1: 0.1. BWR operating experience indicates that for about 90% of the loss of FW events, the FW can be recovered.

0.5: With two SORVs, there is a higher rate of level decrease and a shorter time period to recover FW if HPCI and RCIC fail (SNPS-PRA).

Turbine Control and Bypass Valves Available: 0.0011. Same as Table 5A.3.

MSIVs Remain Open: 0.2. Same as Table 5A.1.

MSIVs Reopened: 0.1. Same as Table 5A.1.

Recovery of FW and PCS: 0.01 or 0.0. Same as Table 5A.1 if MSIV closes. If the FW is recovered and no subsequent failure occurs, no further recovery of PCS is required as in the case of Turbine Trip.

Lineup of Condensate: 0.1 or 0.3. Dominated by operator error to align the CST to condenser hotwell. However, when the recovery of PCS or FW fails, it is assumed that hardware failures in the PCS exist and a conditional probability of 0.3 is used to account for a 1/3 probability that this is in the condensate system. These assumptions result in an increase in condensate unavailability by a factor of about 2 relative to the case of MSIV closure. The SNPS-PRA also used a factor of 2.

Turbine Control Long-Term: 5x10^-4 or 0.5. Same as Table 5A.3.

MSIVs Reopened: 0.001. Same as Table 5A.1.

Table 5A.7 Functional Level Event Tree for the Probability of FW and PCS Unavailability Following Loss of FW Transient: Short-Term and Long-Term Recovery Probabilities (Sheet 1 of 2 Continued)

Recovery of FW and PCS: 0.001 or 0.3, 0.1. Same as in Table 5A.1. However, a factor of 10 is applied to increase the probability of failure to recover, if FW was not recovered in the early phase, because it is considered to result from the original initiating event. In addition, dependences were taken into account and conditional probabilities were calculated so that the 0.001 recovery probability will be preserved in all sequences.

FW and PCS: 0.016. Because the transient originated in the PCS system, a factor of 4 was applied to the PCS equipment unavailability used for the Turbine Trip transient.
Table 5A.8 Event Tree Diagram for Sequences Following a Loss of Feedwater Initiator (Sheet 1 of 2)

Tp = 0.13: Frequency of loss of FW derived from operating experience as explained in Section 4.1 of this report. This is 30% smaller than the SNPS-PRA frequency.

C = 3.E-5: Same as in Table 5A.2.

M = 1.E-6: Same as in Table 5A.2.

P = 2.E-3: Same as in Table 5A.2.

Q = 0.12: Developed in Table 5A.7.

U = 0.01: Same as in Table 5A.2.

X = 8.4E-4: Same as in Table 5A.2.

V'.V" = 6.2E-4: Same as in Table 5A.2.

V = 0.25: Developed in Table 5A.7. It is assumed that part of the initiator frequency is coming from the loss of condensate system.

W' = 4.4E-5 or 1.1E-4: Same as in Table 5A.2.

W" = 0.035: Developed in Table 5A.7. A higher non-recovery probability for PCS in the long term is assumed for this initiator.
5A.5 LOSS OF CONDENSER VACUUM TRANSIENT

5A.5.1 Background

This is an important initiator because it affects both the ability to provide coolant makeup and long-term containment heat removal. Upon loss of condenser, the turbine stop valve will close, the turbine bypass valves will be prevented from opening, and reactor scram, feedwater pumps trip, and MSIVs closure will be initiated. The pressure buildup will be relieved through the SRVs to the suppression pool. Upon level 2 the HPCI and RCIC will start to maintain level and prevent level 1 MSIV closure and ADS initiation.

The feedwater is assumed to be not recoverable in this event, until vacuum in the condenser is reestablished. Credit, however, is given to the use of the condensate system for low pressure injection. In the case of loss of condenser, it is assumed that 5% of the failure of condenser will affect the hotwell water supply and will fail the condensate system.

Because the PCS is isolated, the suppression pool receives all the decay heat through the SRVs or high pressure injection steam turbine exhaust. The RHR must be initiated within 20 hours, or the PCS reestablished before 15 hours. The probability of reestablishing condenser vacuum is assumed to be exponentially distributed with 19 hours mean time to repair. This gives, for a 15 hour repair time, a non-recovery probability of 0.45, which is used in Table 5A.9. This is higher than in the SNPS-PRA, where 23 hours were assumed. However, some calculations appear to indicate that at 17 hours without heat removal the drywell pressure will reach ~60 psi, which can fail the SRVs. In addition, the PCS does not cool the suppression pool, but only diverts the decay heat to the condenser. This means that if PCS is initiated at 23 hours, the drywell may remain at conditions close to its failure conditions for several hours, with substantial probability of failure. BNL chose the 15 hours for PCS initiation as a success criterion for this containment heat removal mode. The SNPS-PRA in several other cases also uses 15 hours for PCS initiation rather than the 23 hours used in the case of loss of condenser.

The SNPS-PRA has assumed that only 25% of the cases of loss of condenser require long repair time because of hardware problems. The other 75% are assumed to be easily recoverable within a few hours. BNL used the same value, but did not review it. Table 5A.9 shows that an increase in this number would similarly increase the PCS unavailability for the long-term containment heat removal function, and may increase significantly the Class II contribution.

5A.5.2 The Results of the BNL Revised Event Trees

The revised event trees are given in Table 5A.10. The results of the reassessment are higher by a factor of 1.5 than those of the SNPS-PRA in both Class I and Class II. Most of the change is due to the 25% increase in initiating event frequency (see Section 4.1) and some is due to increased failure to recover probabilities given in the BNL review for PCS and condensate pumps. The sequences of loss of condenser are major contributors to Class I and II. They provide about 5% of Class I and 15% of Class II contributions to core damage probability.
Table 5A.9 Functional Level Event Tree for the Probability of FW and PCS Unavailability Following a Loss of Condenser Initiator (Sheet 1 of 2)

Feedwater Remains On Line: 0.0. Loss of condenser event results in feedwater trip.

Feedwater Recovered: 1.0. It is assumed that condenser vacuum is not recovered within one half hour and the feedwater remains in tripped condition.

Lineup of Condensate: 0.15. Loss of condenser does not prevent the condensate system from being realigned or from providing water to the reactor vessel. The probability of the operator failure in this task is assumed to be 0.1 because of the short time available and the stress conditions following the loss of high and low pressure injection. An additional 0.05 is put in because it is assumed that 5% of the events of loss of condenser will involve hotwell unavailability.

PCS Hardware: 0.25. Following the SNPS-PRA assumption, it is assumed that the fraction of condenser related scrams that could lead to a long term hardware problem is 0.25.

PCS Recovery: 0.45. Failure to recover hardware problems based on MTTR = 19, and 15 hours available to recover the PCS. The SNPS-PRA requires opening of MSIV in 15 hours (page 3-99). MSIV cannot be reopened unless condenser vacuum can be restored.

0.01: Failure to recover non-hardware problems because of operator errors. A factor of 10 was applied because the initiator originated from this system. Note that hardware reliability is included in the above values and therefore is not modeled separately as in the turbine trip tree.

MSIV Reopened Long-Term: 0.001. See Table 5A.1.
Table 5A.9 Functional Level Event Tree for the Probability of FW and PCS Unavailability Following a Loss of Condenser Initiator (Sheet 2 of 2) [event tree diagram not recoverable from the scan; legible result: Total 0.12]
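The quantification described in Section 5A.5.1 and Table 5A.9 can be reproduced with a short script. This is an added example, not part of the BNL report: the branch values are those listed on sheet 1 of Table 5A.9, while the tree structure (condensate lineup, hardware fraction, recovery, MSIV reopening) is an assumption read from the sheet 1 headings, and all function names are hypothetical.

```python
"""Added example: quantify the Table 5A.9 functional level event tree."""
import math
from itertools import product


def non_recovery(hours_available, mttr_hours):
    """Probability that an exponentially distributed repair is still
    unfinished after hours_available, given the mean time to repair."""
    return math.exp(-hours_available / mttr_hours)


# Branch failure probabilities as listed in Table 5A.9, sheet 1.
TABLE_5A9 = {
    "lineup_fails": 0.15,            # 0.1 operator error + 0.05 hotwell unavailable
    "hardware_fraction": 0.25,       # condenser scrams with a long-term hardware problem
    "hardware_not_recovered": 0.45,  # MTTR = 19 h, 15 h available
    "operator_not_recovered": 0.01,  # non-hardware problems, operator error
    "msiv_not_reopened": 0.001,      # long-term MSIV reopening
}


def quantify(p):
    """Enumerate every path that ends with the PCS unavailable.

    Returns (V, W'', sequences): V is the condensate lineup failure
    probability, W'' the sum over all PCS-unavailable sequences.
    The branching order is an assumption, not taken from sheet 2.
    """
    sequences = {}
    for lineup_fails, hardware, pcs_recovered in product((False, True), repeat=3):
        prob = p["lineup_fails"] if lineup_fails else 1.0 - p["lineup_fails"]
        prob *= p["hardware_fraction"] if hardware else 1.0 - p["hardware_fraction"]
        not_recovered = (p["hardware_not_recovered"] if hardware
                         else p["operator_not_recovered"])
        if pcs_recovered:
            # Vacuum is restored, but the PCS is still lost if the MSIVs stay shut.
            prob *= (1.0 - not_recovered) * p["msiv_not_reopened"]
        else:
            prob *= not_recovered
        sequences[(lineup_fails, hardware, pcs_recovered)] = prob
    v = p["lineup_fails"]
    w = sum(sequences.values())
    return v, w, sequences


def hardware_sensitivity(fractions, p=TABLE_5A9):
    """W'' as a function of the assumed hardware fraction, which the
    text notes BNL adopted from the SNPS-PRA without review."""
    results = []
    for fraction in fractions:
        _, w, _ = quantify(dict(p, hardware_fraction=fraction))
        results.append((fraction, w))
    return results


if __name__ == "__main__":
    print(f"non-recovery at 15 h: {non_recovery(15, 19):.3f}")
    print(f"non-recovery at 23 h: {non_recovery(23, 19):.3f}")
    v, w, sequences = quantify(TABLE_5A9)
    print(f"V = {v:.2f}, W'' = {w:.3f}")
    for key, prob in sorted(sequences.items(), key=lambda kv: -kv[1]):
        print(f"  lineup_fails={key[0]!s:5} hardware={key[1]!s:5} "
              f"pcs_recovered={key[2]!s:5} -> {prob:.2e}")
    for fraction, w in hardware_sensitivity([0.25, 0.50, 0.75]):
        print(f"hardware fraction {fraction:.2f} -> W'' = {w:.3f}")
```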
Table 5A.10 Event Tree Diagram for Sequences Following a Loss of Condenser Vacuum (Sheet 1 of 2)

Tc = 0.5: Frequency of Loss of Condenser in the BNL re-evaluation as taken from Section 4.1 (Table 4.2). It is slightly higher than in the SNPS-PRA. GE experience apparently shows that recovery is possible in ~50% of the cases, but the SNPS-PRA did not provide the data and did not take credit.

C = 3.E-5: Same as in turbine trip event tree.

M = 1.E-6: Same as in turbine trip event tree.

P = 2.E-3: Same as in turbine trip event tree. The contribution of this sequence was evaluated and the resulting calculated frequencies for two sequences are shown on the event tree. The contributions are small, but they are an order of magnitude higher than in the SNPS-PRA.

U = 0.01: Same as in turbine trip event tree.

X = 8.4x10^-4: Same as in turbine trip event tree.

V'.V = 6.3E-4: Same as in turbine trip event tree.

V = 0.15: The probability of failure to realign and control the condensate pumps is assumed to include two contributors:
a) 0.1 for human error, as in Table 5A.8 or in the turbine trip case.
b) 0.05 for a 5% possibility that the loss of condenser is the result of loss of inventory in the hotwell.

W' = 4.4E-5 or 1.1E-4: Same as in turbine trip event tree.

W" = 0.12: Developed in the functional level event tree of Table 5A.9.
Table 5A.10 Event Tree Diagram for Sequences Following a Loss of Condenser Vacuum (Sheet 2 of 2) [event tree diagram not recoverable from the scan]
5A.6 INADVERTENT OPEN RELIEF VALVE TRANSIENT (IORV)

5A.6.1 Background

The IORV event includes aspects of both a transient and a small LOCA. It starts like a small LOCA, but discharge is directed to the suppression pool, and ECCS initiation signals may come later than in the LOCA case.

In this case, suppression pool temperature will rise until the reactor is scrammed (first manually and later automatically). The HPCI and RCIC are receiving their lube oil cooling from the coolant flow, and, if suction is taken from the suppression pool, this function would be degraded to some extent. However, RCIC suction can remain on CST for almost the entire duration of the transient.

Another difference from other transients is the low availability of FW and PCS for this event. The SNPS-PRA states that BWR experience shows that in most IORV cases MSIVs closure occurs in the course of the transient. The PRA model for this is very conservative, more conservative than that in past BWR-PRAs, in contrast with the small LOCA event tree. The assumption in the PRA--that for a case of early reactor shutdown PCS will be available in 15 hours, and for a case of shutdown one hour later it would not be available for recovery a few hours later--is apparently too conservative, and was changed in the BNL reassessment to reflect some probability of recovery consistent with small LOCA.

5A.6.2 The Results of the BNL Revised Event Trees

The revised IORV event trees are given in Table 5A.12. Several changes were made by BNL, as explained above and in Table 5A.12, sheet 1. The BNL results are lower than the SNPS-PRA values because of the additional credit given for FW and PCS in the BNL revised quantification, which balanced the increase in the C' and U functions and the increase in the event frequency. The overall contribution is about 4x10^-7 in the BNL review, which is about half that in the SNPS-PRA. The frequency of this event is calculated generically to be 0.25 per year (see Section 4.1) which apparently overestimates the expected frequency for Shoreham. This is because it does not consider the design change made at Shoreham using two stage Target Rock safety relief valves in order to reduce the frequency of IORV occurrence. As can be seen from the overall low contribution of this sequence to SNPS core damage frequency, the effect of such a frequency change would be relatively small in terms of core damage frequency.
-a.u :.-..- . _ .6~ . . . . .-
Table SA.11 Func' tional Level Event Tree for the Probability - of FW and PCS Unavailability Following an 10RV For the Case of Timely Manual Control Rod Insertion) Sheet 1 of 2)
- Case 1: Timely Control Rod Insertion 1 FW Remains FW may remain on line or fail. If it remains on
- on Line or line, it will be lost later when MSIVs close.
Recovery of FW:
, . Operating experience data indicate that the MS!Vs will virtually always close during an 10RV l event (see SNPS-PRA. page 3-134). The SNL func-tional event tree is based on this premise.
1 j Turbine Controls 0.0011 Same as in MSIV closure (Table SA.5). 1 and Bypass Valves Available: l MS!V Remains Open: 1.0 See comment above. 1 . MSIV Reopens 0.1 Same as in the. turbine trip case (Table SA.1). Short-Term: 4 Recovery of FW 0.01 Same as in the turbine trip case. and PCS Short-Term: i
, All Other Same as in the manual shutdown case for long Headings and term (see Table 5A.3).
Quantification: . Case 2: Scram is Delayed
- MSIV Reopened 1.0 Power operati.on with 10RV is assumed to continue .
Short-Term: to a point that water level become low and MS!V
- closes. The SNPS-PRA assumes that MS!V would not be reopened in the short term under condi-j tions of 10RV with delayed scram.
MSIV Reopened Long-Term: 0.1. The SNPS-PRA conservatively assumed that the MSIV would not be reopened also during the long term. This seems too conservative and difficult to explain. In the cases of 2 SORVs and small LOCA, the MSIV is reopened in the long term. Successful scram is achieved in IORV after 30 minutes at most, on low level or high drywell pressure. From that time on, the transient would be similar to the 2 SORVs or small LOCA case. BNL assumed a 0.1 recovery probability to be consistent with small LOCA. This value is higher than in the 2 SORVs case where 0.001 is assumed; however, in the case of 2 SORVs the heat transferred to the suppression pool is small, and more time is available for recovery, so it is consistent to have higher recovery probability for that case.
Table 5A.12 Event Tree Diagram for Sequence Following IORV (Sheet 1 of 3)

Tg = 0.25: Taken from Table 4.2. See discussion in Section 4.1. This is three times as high as the SNPS-PRA frequency. It does not consider the Shoreham design change to two stage Target Rock relief valves, which would apparently reduce this frequency of occurrence.

C' = 0.01: Timely manual control rod insertion is a key action in this transient. It is a manual operator action for which several indications and annunciators are available. However, this needs to be completed within a few minutes to prevent suppression pool heat up. BNL used a value taken from past PRAs, supported by functional fault trees, rather than the unsupported SNPS-PRA value. Furthermore, the BNL value is meant to represent a relatively fast operator response, for which feedwater recovery is possible (see next "Q").

Q = 0.11: This is developed in Table 5A.11. BNL gave credit to recovery of feedwater within 30 minutes if manual shutdown was completed early. In cases of early shutdown, BNL assumed that this transient would be similar to small LOCA or turbine trip with 2 SORVs.

Q = 1.0: For late shutdown, it is assumed, as in the SNPS-PRA quantification, that no recovery of MSIV will be successful in the early time frame. Operation at full power for some time before shutdown requires immediate injection after reactor tripped. Operating experience indicates that MSIV would almost always be closed, and therefore the grace time for recovery of FW would be significantly less than the 30 minutes assumed in the turbine trip transient.

U = 0.01: For early shutdown the normal value is used.

U = 0.036: When shutdown is completed later, the suppression pool temperature is assumed to be above 140°F with some impact on HPCI availability (0.3 assumed). For RCIC, however, if the operator does not transfer RCIC to suppression pool suction (0.05 for operator error) then normal availability can be assumed as long as suction continues from CST. (RCIC = 0.07+0.05).

X, V, W': Same as in turbine trip event tree (see Table 5A.2).

W" = 0.023: This is explained in the functional level event tree of Table 5A.11 for the case of early shutdown.
W" = 0.1: For late shutdown, BNL used a probability of 0.1 for PCS mainly because of failure to recover the MSIVs. This is made consistent with the small and medium LOCA event tree diagram (Appendix C). The SNPS-PRA assumption of no recovery in several hours is apparently too conservative if reactor shutdown is assumed to be completed in the first hour, before suppression pool temperature exceeds 200°F.
[Event tree diagram: Table 5A.12 Event Tree Diagram for Sequence Following IORV (Sheet 2 of 3)]
APPENDIX 5B

LOSS OF OFFSITE POWER WITH SUCCESSFUL SCRAM

BNL's review of the contribution of Loss of Offsite Power (LOOP) initiator to the SNPS frequency of core damage is based mainly on Section 3.4.1.6 in the SNPS-PRA.

The LOOP transient is important in the Shoreham PRA because of its high contribution to the frequency of core damage. This is due to the loss of PCS when LOOP occurs and loss of other frontline systems with the failure of diesels to start or run. The SNPS-PRA analyzed the sequences following LOOP with subsequent loss of diesel generators (blackout) in great detail using four time phases, each assuming blackout conditions not recovered at its start.

Phase I = 0-2 hours: HPCI and RCIC essentially have their normal reliability. Manual ADS is required if HPCI and RCIC fail and diesels are not recovered. The depressurization will allow the use of LPCI with the third diesel train. Suppression pool level and temperature are close to normal.

Phase II = 2-4 hours: Battery is designed to supply DC power for two hours. When operator is successful in shedding auxiliary loads from the DC power system, the batteries will easily supply the power for this phase. However, HPCI consumes more DC power than RCIC, and therefore two branches for HPCI are modeled:

- HPCI operates from beginning of transient - higher failure probability of batteries.
- HPCI operates only part of Phase II.

At this phase, a switchover of HPCI to suppression pool suction will occur on high suppression pool level. The suppression pool temperature exceeds 140°F at about 2 hours, which is the design temperature of lube oil for HPCI and RCIC. This is more of a problem for HPCI than for RCIC because RCIC can remain or can be returned to CST suction. The drywell temperature is at ~300°F from the beginning of this phase.

The design of the systems, however, provides sufficient margin to operate reliably during this phase and, in general, failure rates are only moderately above normal.

Phase III = 4-10 hours: The probability of battery failure increases significantly during this phase. Suppression pool temperature exceeds 200°F and may reach 240°F toward the end of this phase. The sustained high temperature in the drywell may degrade the SRVs' solenoid valves and is assumed to result in the failure of ADS in Phase IV if depressurization is not completed in Phase III.

If HPCI started to provide injection before this phase, it is assumed not to survive this phase because of DC depletion and lube oil deterioration. However, if RCIC operated successfully to Phase III and failed only during this phase, it is assumed that HPCI will be able to complete this phase successfully. In general, in this phase, higher than normal failure rates for these frontline systems are assumed.

Phase IV = 10-24 hours: It is assumed in the BNL review, as in previous BWR-PRAs, that batteries will be depleted during this time. The SNPS-PRA claims small probability for failures of the batteries and possible successful operation of RCIC for the entire time phase. In addition, at times longer than 10 hours the probability of isolation of the RCIC/HPCI steam line due to high area temperatures may become high because of the long time without secondary containment cooling, while in the drywell and the suppression pool the temperatures exceed 250°F, causing a significant amount of heat to be transferred to the secondary containment.

The control room indicators and recorders of the reactor water levels are supplied from RPS and instrumentation buses which have no DC backup. There is apparently one narrow range N004B instrument that is connected to a vital AC bus inverter. Thus, the blackout conditions (even in the case that DC power is available) may result in the loss of level information in the control room. The HPCI in particular and the RCIC systems require level information for their control to prevent level 8 trips. The startup reliability of HPCI and RCIC on subsequent starts is relatively low. Thus, BNL judged that the failure of the injection function during a blackout situation would be about L = 0.05, which makes the sequence TE 10 L one of the most important single sequences of the SNPS. This event is further discussed, and the quantification explained, in Appendix 5F, where the level instrumentation is reviewed. The event is presented in the SNPS-PRA (Figure 3.4-52).

The frequency of the LOOP initiator in the BNL review is 0.15, and it is based on NSAC/80 data as explained in Section 4.1.3 of this report. The SNPS-PRA LOOP frequency is 0.083.

The time phased event trees used by the SNPS-PRA for each of the above time phases were found to be very effective in providing a more detailed and realistic evaluation of the LOOP sequences. However, SNPS used the time phase event trees essentially only for the injection phase. For the containment heat removal phase it used the MSIV closure single-time phase event tree. BNL modeled the containment heat removal function on its Phase I event tree and found a significant contribution to Class II from the LOOP event, which was underestimated in the SNPS approach. This contribution is from a LOOP that is not recovered before 15 hours (=3%), with recovery of diesel generators followed by their failure to run for the entire decay heat removal mission time. The TE IV W sequence is the most important to Class II.

BNL's results for the LOOP initiator are significantly higher than those in the SNPS-PRA. These sequences were found to be the most important for Class I states in the SNPS-PRA (PRA page 359). The BNL results are three times as high for Class I and about 1.5 times as high for Class II. The main reasons for these differences were discussed above and can be seen from the event tree diagrams in Table 5B.1. They are summarized in the following list:
a) Loss of all AC could cause loss of water level instrument indications in control room. This can lead to less successful operation of high pressure injections, which require level information for their control.
b) BNL LOOP initiator frequency is twice as high as SNPS-PRA frequency.
c) BNL increased the batteries' failure probabilities for Phases III and IV relative to those in the SNPS-PRA.
d) In the review a Class II sequence is added for unrecovered LOOP, with failure of diesels to run and supply AC power to RHR.
Table 5B.1 LOOP Event Tree Diagram Phase I (0-2 Hours) (Sheet 1 of 5)

Values for Sheet 2 of 5

TE = 0.15: The probability of LOOP occurrence was discussed in Section 4.1.3 and shown in Table 4.6. The same data base used in deriving the above frequency was also used to generate the LOOP recovery times, which were slightly different from those of the SNPS-PRA (see Table 4.7 in Section 4).

I = 0.37: Offsite power recovery within 30 minutes. The value is derived from Table 4.7. The recovery probabilities in the BNL review are somewhat larger in the short term.

D = 3.6E-3: Appendix A.5 of the SNPS-PRA provides the data and basis for this diesel generator failure probability. These data are discussed in Section 4.2.2 of the BNL review. The data are derived from evaluation of LERs. Even though the data base does not go beyond 1978, it is significant and appropriate. BNL used basically the same values for D, in the following way:

D = 0.02x0.19x0.95 = 3.6E-3.

The first two numbers are from Appendix A.5 (0.02 = single diesel failure to start and run; 0.19 = conditional probability P(2|1)). The 0.95 value was used for DG non-recovery within 30 minutes. It is from another BWR-PRA review, because the basis for the 0.88 value used in the SNPS-PRA is unexplained. Note that recovery of diesel generator or offsite power is considered successful if only a single diesel or a single offsite line becomes available. This results in a small and insignificant underestimation of failure to run probabilities because, in a fraction of the cases, some train will be available.

U' = 8.E-2 or 7.E-2: These values are used for the RCIC system the same way as in the SNPS-PRA. The additional 0.01 in the first case is included to take into account the possibility of the Division I battery failing during the first two hours of RCIC operation.

U" = 0.11 or 0.1: Similarly, 1.1E-1 and 1.E-1 are used for HPCI, with the 0.01 added for the possibility of Division II battery failure during the first two hour period. The value U = 1.1E-2 seems to account reasonably for a possible CMF of both Division I and II batteries and was used without change in the BNL reassessment.
X = 0.02: A timely ADS failure probability of 0.02 is used in the SNPS-PRA to account for operator failure to initiate ADS manually when injection has failed and automatic ADS initiation is unavailable because of blackout conditions. The same value was used in the BNL review.

V' = 2.E-3: The value V' = 2E-3 combines the availability of the low pressure systems (6.3E-4) with the failure of the diesel generator to run during the next 10 to 20 hours (~1.E-3).

V = 0.63: The value V = 0.63 is taken from Appendix A.5 of the SNPS-PRA with no change (see discussion in Section 4.2.2). This is the conditional availability of the Division III diesel generator, given failure of Divisions I and II, which can drive one of the LPCI pumps.

It = 0.08: Containment heat removal availability is dependent on the availability of offsite power. The SNPS-PRA considered that offsite power will be recovered before 15 hours and transferred all successful injection cases to the MSIV closure event tree. BNL included explicitly the conditional probability of the recovery of offsite power given it was not recovered in half an hour. This is (1-0.97)/0.37 or 0.08.

W' = 3.1E-4: In the case that offsite power is not recovered (= 0.08), the PCS becomes unavailable and only the RHR can be utilized from onsite AC power. The RHR failure probability is then dominated by the failure to run probability of the diesels. It is estimated that three hours of RHR operation would be sufficient to delay containment failure for many hours so that offsite power will be recovered earlier. For a mission time of three hours (say between 15 and 18 hours after the LOOP), BNL obtained 0.0024x3(hours)x0.19x0.23x0.63 = 2.0x10-4. To that was added the RHR unavailability of 1.1E-4.

Phase II (2-4 Hours)

Values for Sheet 3 of 5

TE: Transfer-in from Phase I. Two were employed:
(1) From RCIC success = 1.8E-4;
(2) From HPCI success = 1.6E-5.

II = 0.51: Conditional probability of recovering offsite power at 2 hours, given failure to recover it at 0.5 hours. This is 0.51 (see Table 4.7 of this review).
D = 0.69: Conditional probability of recovering diesel generators of Division I or II at 2 hours, given failure to do so at 0.5 hours. This is 0.69 (which brings the value back toward the SNPS cumulative value of 0.66 given in Table A.5-8 of the SNPS-PRA).

U' = 0.1: The SNPS-PRA judgment was that the RCIC conditional failure probability during this phase would be 0.05 to account for the following possibilities:

- Batteries depleted as a result of unanticipated drain. The batteries are designed to provide power for 2 hours. Additional time can be obtained only if operator is successful in removing a sufficient number of loads from the DC buses.
- At ~1.6 hours the suppression pool temperature reaches 140°F, which exceeds the design lube oil cooler inlet temperature. This is a problem, however, only if RCIC is transferred from CST to suppression pool suction (low probability).
- At ~2.5 hours suppression pool water level exceeds the high level automatic switchover set point for RCIC. RCIC would generally be kept on the CST, but it requires operator intervention.

BNL considered that these events with higher probability will cause RCIC failure, and a value of 0.1 was used in the BNL assessment.

U" = 0.22: Two separate cases have to be considered: the HPCI failure probability given either successful operation or failure of RCIC in Phase I. The values given in the SNPS-PRA were used in both cases. The value of 0.22 for the first case was chosen to account for the following considerations:

- At ~1.6 hours a suppression pool temperature of 140°F will be reached, which is the design temperature of HPCI lube oil.
- At 2.5 hours an automatic switchover of HPCI to suppression pool may be expected. This cannot be easily bypassed.
- The potential for accumulation of water in the HPCI steam line during standby in Phase I.
- The start of HPCI has a significant DC power consumption.

U" = 0.3: The value of 0.3 for the second subtree was chosen to account for the above, and for the additional consideration that HPCI operation from the initiation of the accident has a larger potential for draining the batteries because of the higher consumption of DC power required by HPCI operation.

X = 0.02 or 0.1: Two values are used on the SNPS event tree. Both are used in the BNL assessment. Depressurization is assumed to be required by procedures down to 150 psi, so that HPCI and RCIC can still be in operation if offsite or diesel power is not recovered. The value of 0.02 is the probability for the operator error in failing to depressurize the reactor manually following failure of high pressure injection systems, or in failing to follow depressurization procedures when the suppression pool heats up. The automatic initiation requires AC power, because automatic ADS is conditional upon the running of one LPCI or LPCS pump. The value of 0.1 is the probability for operator error in not performing an early depressurization of the reactor when high pressure injection is successful. This early depressurization is needed because it is considered that deteriorating environmental conditions in the drywell will at later times degrade the SRVs' solenoid valves and prevent depressurization needed at about 10 hours, when the battery may be expected to fail.

V = 0.63: This is the contribution of the Division III diesel and batteries, which can be used to drive one of the low pressure injection pumps. The SNPS-PRA used a value of 0.55. BNL used, for consistency, the value 0.63, which is used in most other cases in the PRA, and is justified in Section 4.2.2.

Values for Sheet 4 of 5

III = 0.63: Recovery of offsite power for this phase. See Table 4.7.

D = 0.71: Recovery of DGs, which is taken from the SNPS-PRA (Appendix A.5).

U'; U": The probability of RCIC failure during this phase is high because of the factors listed above (see Phase II) and the following:
Table 5B.1 LOOP Event Tree Diagram Phase III A or III C (4-10 Hours) (Sheet 1 of 5 Continued)

Values for Sheet 4 of 5 (Continued)
- The probability of battery depletion is higher because of the design life, which is less than 10 hours of operation.
- HPCI/RCIC steam line isolation may be caused by high temperature as a result of having insufficient area cooling and by steam leaks and radiative heat transfer from the suppression pool walls. This could be a significant problem between 6 and 13 hours after the accident initiation.

A value of 0.25 for RCIC is used in the SNPS-PRA and in the BNL assessment. For HPCI a value of 0.3 is used if RCIC operated for the first 4 hours successfully. However, the SNPS-PRA assumed a failure of HPCI in Phase III if it was running from Phase II throughout Phase III. A CMF of both HPCI and RCIC due to battery depletion is added in the BNL assessment. Its value is assumed to be 50% of the RCIC failure probability used in the SNPS-PRA (0.13).

X' = 0.2 or 0.3: Maintaining the reactor in a depressurized condition is required in case of high pressure injection failure. DC power is required for SRV operation. The failure of the batteries, assumed by BNL to be 0.13, would be a CMF for this function as well. However, when HPCI fails in Phase III C after operating since Phase II, a higher ADS failure probability is used, because the failure of HPCI is caused largely by depletion of the battery due to longer use of the HPCI system.

X' = 0.3 or 0.4: The difference between Phases III B or III D and III A or III C is due to the judgment made in the SNPS-PRA (page 3-116) that failure to depressurize the reactor in a period longer than 2 hours would lead to the following:

a) Accelerated environmental degradation of the solenoid valves in the drywell preventing long-term depressurization.
b) Dynamic oscillation during late blowdown when high suppression pool temperatures prevail.
It was taken into account in the SNPS-PRA by increasing "X" by a factor of 2. In the BNL Phase III B and III D sequences, a higher probability of failure was assigned to the "X" function, i.e., 0.4 rather than the 0.3 used in Phases III A and III C. However, in the BNL model the loss of battery is the main factor affecting the results and not the quantification of the ADS degradation.

UX = 0.13: A CMF of 0.13 is assumed in the BNL assessment. This is chosen to be 50% of the RCIC failure rate. The choice is based on the premise that a large part of the failure probability of RCIC, HPCI, and ADS results from the depletion of the Division I and II batteries up to 10 hours after the accident started. An assumption of a probability of 0.13 for loss of DC within the period from 4 to 10 hours seems reasonable, and is consistent with the assumption that all DC will be lost in the subsequent time period between 10 and 20 hours.

V = 0.63: The value for Division III LPCI operation is taken to be 0.63 because of the dependencies between diesel generator systems (see Section 4.2.2).

Values for Sheet 5 of 5

V = 1.0: BNL gave no credit for RCIC or HPCI after 10 hours. This is based on the SNPS-PRA arguments (pages 3-114 to 3-130) and is consistent with other BWR-PRAs and their reviews, which assumed loss of batteries before 10 hours if no AC recovery was successful. In addition, the SNPS-PRA argues that the RCIC high turbine exhaust pressure trip (40 psi or 26 psi above normal) would be reached at approximately 14 hours and, similarly, that HPCI/RCIC steam line isolation may be caused by high area temperature (with no area cooling) before 13 hours. Therefore, BNL assumed that, if AC power is not recovered at 10 hours, then a core damage state would be reached. BNL did not distinguish between Phases III - IV and Phase IV as was done in the SNPS-PRA, and combined them into one single Phase IV sequence.

X = 1.0: In the BNL assessment the probability of maintaining depressurization after 10 hours was assumed to be 1.0, not 0.95.
Table 5B.1 LOOP Event Tree Diagram Phase IV (10-24 Hours) (Sheet 1 of 5 Continued)

Values for Sheet 5 of 5 (Continued)

W' = 3.1E-4: When offsite power is not recovered within 15 hours, only the RHR is available for containment heat removal. However, its reliability to complete a mission time of 3 hours (the period from 15 to 18 hours) is basically the reliability of the diesel generators, given by 0.0024x3x0.19x0.23x0.63 = 2.0x10-4, where

- failure to run probability = 0.0024/hr,
- mission time = 3 hrs,
- CMF failure of second diesel P(2|1) = 0.19,
- non-recovery probability of diesels within 8 hrs = 0.23, and
- failure probability of Division III train given Division I and II failed = 0.63.

To the 2.0E-4, the RHR unreliability of 1.1E-4 is added, to result in 3.1E-4.
[Event tree diagram: Table 5B.1 Time Phase Event Tree Diagram for LOOP Initiator, Phase III, 4-10 Hours (Sheet 4 of 5). Legend: III A: Pressurized and RCIC available; III B: Depressurized, RCIC available; III C: Pressurized and RCIC unavailable; III D: Depressurized, RCIC unavailable.]
APPENDIX 5C ! , LOSS OF COOLANT ACCIDENTS BNL's review of the contribution of Loss of Cool' ant Accident (LOCA) l, initiators to the SNPS f?ecuency of core damage is based mainly o'n Section 3.4.2.of the SNPS-PRA and on Appendices A.1, A.2, and F. LOCAs are not important contributors 'to core. damage frequencies. How-ever, their consequences are considered to be greater than th.ose of Class I
' core damage sequences and therefore their impact on risk might be higher than
, reflected by the frequencies sumarized in this appendix;
, The LOCA sequences analyzed are separated into two groups:
a) LOCA inside drywell (Large, Medium, Small and RPV failure) b) LOCA outside containment (mainly' large LOCA in steam lines, water lines, and interfacing system LOCA). l' The frequency of group (b) is less than that of group (a), but their consequences are larger because these sequences bypass the primary containment j system (drywell and suppression pool). Thus group (b) events, though having lower frequency, are more important with respect to the SNPS risk than, group (a).
- SC.1 LOCA INSIDE DRYWELL 5C.1.1 Background i
The SNPS-PRA approach is very much similar to the RSS-BWR approach' and .. event trees. Two types of. breaks are considered, steam line break and rectr-i culation line break. There are differences between the behavior of the reac-tor vessel pressure and level in the two cases, but both cases can be treated by the same event tree modeling because the differences are in most cases i small compared with the impact of the low pressure injection, which in both - cases starts within 1 minute after the assumed break, and pumps water in larger amounts than are required to fill the vessel. The SNPS-PRA chose to model the case of a recirculation line break. It i assumes that the line break would render one train of LPCI unavailable. This is modeled on the fault tree, but has a v'ery small effect because low pressure injection is governed by CMF (see Section 3.3.2.7), and the unavetlability of one train is not important. The amount of credit given to PCS is the main difference between the BNL - and SNPS-PRA analyses. In the large LOCA case, the SNPS-PRA gives ro credit to FW and to PCS even in the long term because of the possibility fcr radia-tion isolation of the drywell (MSIV closure). Credit is given only to. the ' 1 - condensate pump for injection (even if PCS is unavailable). The value of 0.2 ) is not explained. BNL uses the same 0.2 for the following reasons: . a) The condensate pumps wil.1 remain operating, and will inject -20000 gpm into the RPV automatically when pressure becomes low a a result 196 t i
of blowdown. However, at this flow rate the hotwell water inventory will be exhausted in several minutes.
b) Therefore, the operator is required to control manually the condensate injection to maintain both RPV level and hotwell inventory.
c) The operator will have to replenish water to the hotwell if he failed to control condensate flow in time. Automatic water supply to hotwell from CST is limited to about 1000 gpm (Ref. 12), and therefore the operator must take control of condensate flow.

In the case of a large LOCA, the 1000 gpm makeup to the condenser hotwell may not be sufficient for all large breaks. It is assumed that for all cases of breaks at an elevation higher than the core, so that steam only will be discharged through the break, the above makeup rate will be sufficient. A flow rate of 500 gpm would be sufficient to remove decay heat by steaming. However, when more than 500 gpm of injection water would be discharged through the break, the makeup of 1000 gpm may become insufficient. Based on some crude estimations, BNL judged that break sizes larger than 10" in diameter may require injection flow larger than the makeup to condenser can provide. Assuming that 50% of the large LOCA breaks would be in this category, we obtain

50% of the breaks: successful condensate injection = 0.2
50% of the breaks: unsuccessful condensate injection = 1.0

Thus, a value of 0.6 was used by BNL for large LOCA.

In the case of a medium LOCA, FW is still assumed unavailable because of MSIV closure on low level or low pressure in the RPV. More credit is given for condensate because a flow rate of 1000 gpm may be sufficient in all cases. In this case credit is given for PCS recovery in the long term, because no radiation from fuel failure is expected.
In the case of a small LOCA, credit is given for FW short-term recovery; however, PCS and condensate are treated the same as in a medium LOCA in the SNPS-PRA. This was slightly changed in the BNL reevaluation, which treated small LOCAs the same way as the IORV transient for the case of early scram (Tables 5A.11 and 5A.12).
5C.1.2 BNL Revised Event Tree

The BNL revised event trees for large and medium LOCAs are shown in Table 5C.1. The revised event tree for a small LOCA is not given; it would be the same as that for IORV with early scram (Table 5A.12, sheets 1 and 2). The frequency of small LOCA is assumed to be the same as in the SNPS-PRA, 8x10^-3. The effect of small LOCA therefore becomes small, less than 10 g.

The BNL results for the LOCA events are similar to those of the SNPS-PRA. In fact, they are smaller for the Class II contribution and larger for Class III, as seen from Table 5C.2. The reason for the smaller Class II values is that the SNPS-PRA apparently used old values for the "Q" function, which BNL corrected for consistency with the other event trees of the PRA. The cause of the somewhat higher Class III contributions is the different quantification of the condensate system injection, which was discussed above.

Table 5C.2 LOCA Contributions to Core Damage Frequencies

Initiator                      Analysis        Class II    Class III   Total Core Damage
Large LOCA                     SNPS            7.0E-7      1.7E-7      8.7E-7
                               BNL             2.8E-7      3.8E-7      6.6E-7
Medium LOCA                    SNPS            2.7E-7      4.9E-7      7.6E-7
                               BNL             2.1E-7      6.1E-7      8.2E-7
Small LOCA                     SNPS            0.24E-7     0.16E-7     0.4E-7
                               BNL             0.36E-7     0.08E-7     0.4E-7
Reactor Pressure Vessel LOCA   SNPS and BNL                3.1E-7      3.1E-7
Total                          SNPS            1.0E-6      1.0E-6      2.0E-6
                               BNL             5.3E-7      1.3E-6      1.8E-6

5C.2 LOSS OF COOLANT ACCIDENT OUTSIDE CONTAINMENT

A LOCA outside containment has the following adverse characteristics compared with a LOCA inside drywell.

a) In the event of an unisolated break, high environmental stress may be produced on equipment inside the reactor building. This may compromise ECCS operation.
b) In the event of an unisolated break, there may be a flood in the reactor building which may flood high and low pressure injection equipment and compromise their operation.
c) The consequences of core damage in this situation may become significantly different because of the potential direct pathway out of the primary system, bypassing the suppression pool and drywell.

It has a beneficial characteristic in some cases, namely, the possibility of isolating the break in order to limit the release. The SNPS specific design makes items (b) and (c) of special interest. However, only the core damage probability is evaluated here, not the total risk. The results are assigned a separate core damage class V, for further consequence evaluation.
The SNPS-PRA evaluates the initiator frequency from three sources:

a) Steam line or main feedwater breaks outside containment
b) Breaks in the HPCI/RCIC steam supply or pump discharge lines
c) Interfacing LOCAs in low pressure systems.

Case (c) is the most important contributor to LOCA outside containment. Therefore, larger uncertainties can be tolerated in cases (a) and (b). Most of the uncertainty stems from lack of applicable data for evaluating pipe and valve ruptures.

5C.2.1 Main Steam Line Break Within Reactor Building

The SNPS-PRA assessed the frequency of steam line breaks in the small sections between the inboard isolation valves inside the drywell and the outboard isolation valves inside the reactor building. Breaks downstream of the outboard isolation valves will have two isolation valves between break and RPV, which makes their contribution small. The evaluation in the SNPS-PRA takes the following into consideration:

a) Mean value for pipe rupture taken from the BWR-RSS is 8.6x10^-10 per hr/section (SNPS-PRA, page A-24).
b) The SNPS pipes in the reactor building steam tunnel are designated as "break exclusion" pipes, which means that they are designed and inspected to even more stringent requirements than the primary system piping. In view of this, the SNPS-PRA applies a factor of 1/10 to the RSS-BWR failure rate. This results in 8.6x10^-11 per hr/section, which is used for estimating rates of rupture in "break exclusion" pipes.
c) The valves in the subject pipe sections may be subject to external leakage or rupture. The data from RSS-BWR for valve leak or rupture are used. Based on the latest LER review of valves, a ratio of 1/18 for rupture/leakage is assumed. In addition, the valves are also
"break exclusion," and an additional factor of 1/10 is taken, which results in 1.5x10^-10 per hr/valve rupture.
The BNL review notes the lack of a data base for evaluating the rupture probabilities. Considerations (a) and (b) are judged reasonable, but BNL did not review the 1/10 assumption for "break exclusion." Consideration (c) is reasonable, but was judged by BNL to be more appropriate than the LER data from NUREG/CR-1363 (Ref. 8). Thus the WASH-1400 data used in the SNPS-PRA are also used in the BNL reassessment. The LER data indicate that only a small fraction of the events may be rupture precursors and most of them are leakage that cannot be considered "large LOCAs." Therefore the factor of 0.05 was judged to be reasonable as well. Additional discussion is given in Ref. 24.
BNL evaluated the annual frequency of steam line breaks by calculating the frequency of pipe or valve breaks in the section outside drywell:

a) 8.6x10^-11 (rupture/hr) x 24 (hr) x 365 (days) x 4 (pipe) = 3.0x10^-6/yr,
b) 2.7x10^-8 (leakage/hr) x 0.05 (rupture/leakage) x 0.1 (MSIV/MOV) x 24 x 365 x 4 = 5.2x10^-6/yr,

where 0.1 is a factor of 10 for assumed better break resistance of the MSIV "break exclusion" valves in the SNPS than of an MOV from the data base (as stated in the PRA).
The inboard isolation valve in the drywell is normally open. It can be isolated and is assumed qualified for this purpose. Its failure rate from NUREG/CR-1363 (Table 23) (Ref. 8) is, for BWRs,

Failure to close: 6x10^-3/d.

This value is also used by the SNPS-PRA. The probability of unisolated breaks then becomes:

(5.2x10^-6 + 3x10^-6) x 6x10^-3 = 5.0E-8/yr.

Similarly, from the section between the outboard MSIV and the Jet Impingement Barrier, we obtain an additional contribution of 6.0x10^-9/yr. This brings the total calculated frequency for main steamline breaks to 5.6x10^-8/yr.

5C.2.2 Feedwater Line Break Contribution

There are two feedwater lines 3 feet long up to the check valve in the reactor building. The failure probability of these is calculated by

8.6x10^-11 (rupture/hr) x 2 (pipe) x 24 (hr) x 365 (day) = 1.5x10^-6 per reactor year,
2.7x10^-8 x 0.055 x 0.1 x 24 x 365 x 2 = 2.6x10^-6 per reactor year.

The conditional probability for check valve failures is taken by BNL from the Reactor Safety Study to be 3.8x10^-7/hr for BWR check valve internal leakage
(mean value). This gives 3.8x10^-7 x 24 x 365 = 3.3x10^-3, which is smaller than the value used in the SNPS-PRA (5.8x10^-3). The contribution of FW line breaks then becomes 1.4x10^-8. This value is considered conservative because not all leakages through the inboard check valve are large enough to be the size of a large LOCA.

5C.2.3 HPCI/RCIC Steam Line Break Contribution

RCIC lines are 4" and 3" in diameter and are considered to be too small to cause a large LOCA outside containment. Furthermore, because steam blowdown through the 4" line break will be relatively slow, the time until it will impact equipment in the containment will be relatively large. Hence, there is a significant probability that the operator will successfully follow procedures and will depressurize the reactor by ADS, routing the steam blowdown to the suppression pool rather than to the reactor building atmosphere. In Ref. 24 it is shown that the conditional probability of core damage given medium LOCA is, by a factor of 10, smaller than the conditional probability in the case of large LOCA. Therefore, the contribution from RCIC lines will be small relative to the contribution to core damage frequency from the HPCI lines.

The HPCI has one 10" line, and in response No. 17 to BNL questions (Ref. 4) it is stated that the HPCI pipe section to the first outboard valve is of "break exclusion" pipe. Therefore, the contribution may become

8.6x10^-11 (rupture/hr) x 24 (hr) x 365 (day) = 7.5x10^-7/yr,
0.1 x 2.7x10^-8 x 0.055 (valve rupture/hr) x 24 x 365 = 1.3x10^-6,
2.0x10^-6 x 8x10^-3 = 1.6x10^-8,

where 8x10^-3/d is the failure of the inboard valve including failure of its command (Ref. 8). BNL assumes that this valve will be closed upon demand, because it was designed to isolate upon sensing the conditions of a steam line break.
Downstream of the outboard isolation valve, which is normally closed, 4 challenges per year of 24 hours each may be assumed. However, piping is non-break-exclusion in this part. Therefore, the contribution from these sections will become

6 (sections) x (8.6x10^-10 + 2.7x10^-8 x 0.055) x 4 (challenges) x 24 = 1.4x10^-6/yr,
1.4x10^-6 x 2x10^-3 (two isolation valves fail by CMF) = 2.8x10^-9.

The total frequency of a HPCI steam line break becomes 1.9x10^-8/yr.
*The review did not address the question of the adequacy of isolation valve qualification. However, Section 5C.2.5 below compares the contribution of HPCI steam line break to the impact from interfacing LOCA for the assumption of isolation valve failure.
It should be noted here that the SNPS has the outboard isolation valve of HPCI normally closed. In LGS, for example, the inboard and outboard valves are both normally open, which increases the contribution from the downstream piping of the HPCI system.
In addition to the HPCI/RCIC lines there are other lines that can potentially cause a LOCA outside drywell if their isolation valves fail:

(1) Reactor Water Cleanup (RWCU) system supply lines. These are h to 6" lines having, in addition to the inboard and outboard isolation valves, two remote operation valve arrangements that can be used to isolate the RWCU if a break outside drywell occurs.
(2) Main Steam Line Drain (Inboard). These are 3" lines. They are not considered for the same reason that is given above for RCIC lines.
(3) Main Steam Line Drain (Outboard) and MSIV Leakage Control. These are 2"-3" lines and are isolated by the inboard MSIV.
(4) Other small lines of size less than 2" in diameter.

All these lines were not further considered by BNL on the basis of the assumption that their isolation valves will close as designed. In such a case, the core damage frequency estimated for these lines (see Ref. 24) is about an order of magnitude smaller than that estimated for the large steam line break in the last three subsections.
5C.2.4 Interfacing LOCA Frequency

If a set of multiple failures should occur, a LOCA could be induced outside containment in piping systems that are rated for low pressure. This is referred to as interfacing LOCA. This section reviews Appendices F and A.2 of the SNPS-PRA, which consider the frequency of interfacing LOCA. It has two parts:

a) Review of SNPS-PRA approach;
b) The BNL reassessment.

The specific pipes of low pressure systems which are potentially sources of an interfacing LOCA are the following:

a) RHR/LPCI loops A and B. Each loop has a testable check valve and two electrically interlocked motor-operated valves (MOVs) in its injection lines. The inboard MOV 37A or B (F015--normally closed) will not be cycled until the plant is entering cold shutdown. The outermost of the two MOVs--MOV 36A or B (F017 normally open)--will be cycled on a 3-month frequency. However, the BNL review considered this second MOV to be unqualified as an isolation valve.
b) RHR reactor head spray line. This has a check valve and two MOVs in series. The MOVs are interlocked to prevent opening at pressure above 135 psi.
c) RHR shutdown cooling mode line, which has two MOVs in series. The MOVs are interlocked to prevent opening at pressure above 135 psi.
d) LPCS loops A and B. Each loop has a testable check valve and MOV in series in its injection lines. The MOV will be checked only during outages.

SNPS procedures state that the testable check valves will be tested during refueling outages only.
A. A Review of the SNPS-PRA Approach

The SNPS-PRA approach to quantification of the frequency of interfacing LOCA follows NUREG-0677 with some modifications. The data are valve failure rates taken from NUREG/CR-1363 (Ref. 8). An analysis of operator errors led to the conclusion that the probability of MOV inadvertent opening by the operator with subsequent failure to isolate is a small contributor.

The SNPS-PRA produced a small reduced fault tree for each of the four configurations of low pressure systems listed above. The top event is "Large LOCA in Low Pressure System Given Exposure to High Primary System Pressure." These fault trees do not allow for spurious opening of MOVs due to false signals. In one case, credit is given on the tree for MOVs which are not qualified for isolation. This has the effect of doubling the result of the calculations so that both LPCS and LPCI loop A and B contribute similarly (rather than the LPCS alone, as presented in the SNPS-PRA).

The data used for the quantification of the fault trees are taken from the NUREG/CR-1363 with needed modifications. Because MOV or check valve large ruptures did not occur, and the data available are for leakage only, a modifying factor had to be estimated for the fraction of large leakages or ruptures in the entire leakage data. The SNPS-PRA assumes that this factor is 5%. BNL was not able to validate this value. Based on a review of LERs in NUREG/CR-1363, BNL judges that this factor may range from 0.01 to 0.15.

Notwithstanding, BNL found the SNPS-PRA values too difficult to reproduce. If NUREG/CR-1363 data for BWR valves are used, then by applying the SNPS-PRA approach one may derive the following values:

a) Check valve internal leakage: 1x10^-6/hr x 8760 (hrs) = 8.8x10^-3/yr. Applying the 0.05 factor for large leakages gives 4.5x10^-4/yr, which is 1.5 times the SNPS-PRA value appearing on the fault trees.
b) Check valve or MOV rupture: 7x10-s/hr x 8760 (hrs) x 0.05 = 3x10-s/yr. The value used in SNPS-PRA is 6 to 7 times as high.

If Reactor Safety Study data is used, then one may derive:

a) Check valve internal leakage: 3.8x10^-7/hr x 8760 (hrs) = 3.3x10^-3/yr
b) Check valve or MOV rupture: 2.7x10 s/hr x 8760 (hrs) x 0.05 = 1.3x10^-3/yr.

B. BNL Reassessment Approach

The reassessment is based on 6 LERs circulated recently by the Office of Analysis and Evaluation of Operational Dataa,2s of the NRC. These events are precursor events, in which a failure of the boundary between high and low pressure systems has occurred at least temporarily. The data cover events that occurred over more than 15 years. BNL assumed that they are relevant to the BWR reactor operating experience of 250 reactor years. Table 5C.3 provides a short description of the LERs. The following is concluded from the LERs:

a) At least two cases of pressurization of the low pressure systems have occurred for a few minutes (Browns Ferry, Vermont Yankee LERs).
b) Five events are relevant to testable check valves unavailability. If one assumes 250 reactor years, then the estimated frequency is 0.02/yr.
c) During the two cases of overpressurization, the pipes did not breach or fail. Plants returned to normal operation.
d) The events were all isolated or recovered shortly.

An additional MOV has to fail in order to challenge the low pressure system. For quantification of the MOV failure probability the following was considered:
a) The conditional probability of spurious opening of an MOV is assumed to be 10 . This includes mainly the effect of spurious control signals. This value is taken from Table A.2-1 of the SNPS-PRA (λ = 1.6x10^-7/hr). The human contribution during functional testing is assumed to be small because the operator will immediately isolate the MOV when an alarm is received, as occurred in the Browns Ferry LER (Table 5C.3). Furthermore, it is assumed that functional testing will be performed only during cold shutdown (as specified in SNPS procedures).
b) The data for MOV ruptures or gross leakage seem to be 1.3x10^-3/yr. The LER data for MOV failed open (for normally closed MOVs) was evaluated by the SNPS-PRA to be 1.24x10 *.
c) Shoreham has an interlock logic of the injection MOV and the primary system pressure. This interlock is considered to reduce the probability of spurious openings by a factor of 10.

Based on the above considerations, a value of 1.5x10^-4 was used by BNL for the MOV failure to the open position. This value is considered to include the effects of operator recovery and SNPS specific procedures that require testing of the testable check valves and the MOVs during cold shutdown.
Table 5C.3 LER Summaries for Interfacing LOCA Events

No. 1. Plant: Browns Ferry 1. Date/LER: 08/14/84, LER-84-32.
Description of Event: A combination of improper assembly of testable check valve with operator error (failure to electrically disarm the MOV injection valves) caused the check valve to be open for a long period of time (since December 1983) and the MOV to open while testing, compromising high/low pressure boundary. The pressurization of the LPCS above its 500 psi design continued 13 minutes without significant damage. The seal of one pump burst and sprayed steam. This is probably due to substantial design margin. Plant continued power operation. Note: SNPS procedures do not allow for testing the outboard LPCS MOV during power operation.

No. 2. Plant: Pilgrim. Date/LER: 09/29/83, LER-83-048.
Description of Event: During functional testing of HPCI system logic, personnel error occurred causing opening of both injection MOVs. A testable check valve was partially open because of rusted stem to actuator linkage. This caused overpressurization of HPCI (150 psi design pressure). This caused no LOCA, but ruptured the gland seal condenser gasket on the HPCI turbine. The overpressurization caused the testable check valve to close after a short time.

No. 3. Plant: Hatch. Date/LER: 06/07/83 to 10/28/83, LER 83-112.
Description of Event: The testable check valve of the LPCI/RHR was stuck open for about 4 months. This resulted from maintenance errors.

No. 4. Plant: LaSalle. Date/LER: 09/14/83, LER-83-105 (also LER 83-066 and LER 82-115).
Description of Event: Stuck open LPCI testable check valve. The operator opened one LPCI injection valve during routine testing, and leakage into the suppression pool occurred. The plant was in cold shutdown.

No. 5. Plant: Cooper. Date/LER: 01/21/77.
Description of Event: During steady state operation, while the HPCI system logic was being tested, HPCI testable check valve failed to close, allowing feedwater backflow into HPCI injection line. HPCI system was isolated. A loose part was found wedged under the edge of the check valve disc preventing the valve from seating.

No. 6. Plant: Vermont Yankee. Date/LER: 12/12/75.
Description of Event: During monthly testing of LPCI pump and MOV, one MOV failed to respond. This was because a testable check valve was leaking past its seat, causing an excessive dp across the MOV. Another isolation valve was closed before the test but did not shut fully. Its light indicated it was shut. Since this MOV was thought to be shut, the second MOV was cycled open, and a flow path existed from the RPV to the LPCI loop. This caused the LPCI to be overpressurized past its 450 psi design pressure. Three LPCI relief valves discharged steam and water mixture and a gasket in the RHR heat exchanger leaked.
For a LOCA to occur, the piping must break and the break must be large. The SNPS-PRA states that the low pressure system piping is designed to 500 psi by ASME code standards, with ~100% margin. It assumed that break probability will be 0.5 given high pressure. BNL estimated this probability to be 0.1, on the basis of the following arguments:

(1) The LERs already show two cases of a low pressure system sustaining the high pressure without significant damage, for a significant time period. (This by itself gives a factor of about 1/3.)
(2) The low pressure piping is designed to meet the ASME code, which includes large margins. This indicates that the two cases in which the low pressure system was pressurized for some time and did not breach are apparently typical and not mere chance. Ref. 26 assumes that the large margins may be evaluated as failure probability of 10^-2 to 10 ". However, it is also stated there that this evaluation has not yet been completed.
Note that Ref. 26 predicts higher LOCA frequencies. However, SNPS procedures do not allow for testing the outboard MOVs during power operation. This can reduce the frequency of the initiating event considerably because five of the six LERs were cases of testing performed on MOVs during plant operation, and therefore may not fully apply to the SNPS. The BNL approach is summarized as follows:

2x10^-2 (testable check valves unavailability) x 1.5x10^-4 (MOV opening) x 0.1 (rupture probability) = 3x10^-7/yr.

5C.2.5 Comparison of the Contribution from Steam Line Breaks and from Interfacing LOCA

The frequency of an unisolated HPCI steam line break was estimated in Section 5C.2.3 above to be 1.9x10^-8 per year. This frequency includes the assumption that the inboard isolation valve on the HPCI steam line can be closed if available upon sensing the conditions of a steam line break. However, if it is postulated conservatively that this isolation valve would fail to close against the pressure conditions of the steam blowdown through the valve into the downstream break, the unisolated HPCI steam line break frequency will become 3.5x10^-6 per year (see Section 5C.2.3). The frequency calculated in Section 5C.2.4 for interfacing LOCA in the SNPS is 3x10^-7 per year. It is lower by a factor of ten if no credit is given to the inboard isolation valve closure following HPCI steam line break. Thus, the SNPS-PRA results are sensitive to assumptions on HPCI isolation valve qualifications. Ref. 24 discusses the case of unisolated LOCA outside containment.

5C.2.6 Core Damage Frequency for Large LOCA Outside Containment

The initiators of this sequence were discussed in the previous sections. The results are:
Interfacing LOCA frequency = 3x10^-7/year
Feedwater and Steam Line Breaks = 1x10^-7/year
Total = 4x10^-7/year

The BNL review considers the main impacts of the LOCA outside containment to be the following:

a) Adverse environmental conditions leading to degradation of motor control centers and other electrical equipment.
b) Flooding of the reactor building which has the potential to flood ECCS pumps. The flooding of these systems can, in some cases, happen within less than 10 minutes.
c) Depletion of water from the condenser hotwell leading to insufficient water at the condensate pumps suction.

The SNPS-PRA considers the main impact to be somewhat different:

a) Item (a) above.
b) Depletion of water from the primary containment and suppression pool leading to insufficient water at the ECCS suction.

The event tree diagram for this incident in the BNL review is the same as that in the SNPS-PRA. However, in some cases the consideration behind the quantification is different. The event tree is shown in Table 5C.4. The ECCS pumps are considered to be failed because of adverse environmental conditions and flooding. The condensate system is the main frontline system remaining in this case. BNL assumed a failure probability of 0.2 for the condensate system for the following reasons:

a) The operator needs to control the condensate flow promptly in order to reduce flooding rate, but mainly to conserve the hotwell inventory and thus avoid condensate pump failure or trip upon low hotwell level.
b) The operator should validate that automatic transfer for hotwell makeup from the CST is working.
c) It is assumed that a condensate flow of 1000 gpm to the RPV, which is consistent with the CST makeup to the hotwell, is sufficient to keep the core covered even without line break isolation only for break size smaller than 10" in diameter or for breaks in pipes connecting at a high point of the RPV. (The BNL reviewers failed to find physical calculations showing that for very large break LOCA [such as in the case of interfacing LOCA] the core could be successfully cooled by 1000 gpm.)

Therefore, the following was assumed in BNL quantification of the condensate system injection:
For steam line breaks: v = 0.2
For feedwater line breaks: v = 0.2
For LPCI interfacing LOCA: v = 1.0
For LPCS interfacing LOCA: v = 0.2

F = (1x10^-7 [0.2] + 1.5x10^-7 [1.0 + 0.2]) / (4x10^-7) = 0.5

This value was used in Fig. 5C.4.

The event-tree diagram shows that break isolation is dependent upon re-establishing the PCS and opening an MSIV to allow the containment heat removal function. The W' and W" functions are the following:

W' - Unisolation of the break, with decay heat being removed through the break into the reactor building.
W" - Isolated break and PCS established for containment heat removal of decay heat.

The BNL results are 5-fold higher than the SNPS-PRA results mainly because of the use of the LER occurrences and some differences in failure rate assumed for valves and for the condensate injection.

The BNL review determined that the condensate system is not affected by a flood or adverse environmental conditions in the reactor building. Furthermore, the outboard valves on the feedwater injection line (valves F032A and F032B) through which the condensate pumps transfer cooling water into the RPV are operated from MCCs at elevation 112'9" (40' above the main steam lines in the reactor building) which are located in separate environmentally controlled cubicles isolated from the remainder of the reactor building. The two valves are operated by two separate MCCs located on opposite sides of the containment.
APPENDIX 5D

ANTICIPATED TRANSIENT WITHOUT SCRAM (ATWS)

5D.1 SUMMARY OF SHOREHAM ATWS EVENT TREES

The ATWS event trees developed in the SNPS-PRA are described here, with emphasis on their special features and important aspects; they are discussed in detail in Section 3.4.3 of the SNPS-PRA.

A total of five ATWS functional event trees were developed for the SNPS-PRA: turbine trip, MSIV closure, Loss of Feedwater, Loss of Offsite Power (LOOP), and IORV. A special event tree was developed for the turbine trip ATWS initiator (Figure 5D.1). Since the purpose of this event tree is to identify properly those turbine trip initiator events that eventually result in either a loss of feedwater, a loss of condenser, or a MSIV closure, the event tree evaluates the availability of the following functions: feedwater runback, loss of turbine bypass valves, loss of condenser heat sink, and MSIV closure. The outputs from this event tree are scenarios that can be characterized as a turbine trip with bypass available, a loss of feedwater event, a loss of condenser event, or a MSIV closure event. On the basis of these results, the respective ATWS initiator frequencies are reevaluated. For instance, the ATWS turbine trip initiator frequency becomes 0.85/year instead of 3.2/year, and the loss of feedwater ATWS frequency is 0.08/year rather than 2.10/year.
Figure 5D.2 shows the SNPS ATWS turbine trip event tree. A major departure in the SNPS-PRA treatment of ATWS events from that in other BWR PRAs is that it separates the initiator frequency of a particular ATWS event into that above the 25% power level and that below the 25% power level. A case in point is the turbine trip event presented in Figure 5D.2. The SNPS-PRA reported that only 0.85 event/year can be considered to be turbine trip with bypass available and reactor power level above 25%, and the balance constitutes 1.3 events/year for which the reactor is operating below the 25% power level. The rationale for selecting the value 25% is based on the condenser's capability to remove heat. The probability of an ATWS event occurrence is based on the NUREG/0460 values of 1x10- for reactor protection system (RPS) mechanical failure and 2x10-s for RPS electrical failure. The recirculation pump trip function is implemented in the SNPS and is actuated given a high reactor vessel pressure or a low reactor water level condition. Alternate rod insertion (ARI) is also installed in the SNPS to provide a redundant means of inserting the control rods, should the RPS electrical system experience malfunction. If indeed an ATWS event is imminent, then the tree evaluates the pressure control functions: namely, the proper opening or reclosing of safety relief valves. The reactivity control function used in the SNPS-PRA entails 4 different tasks: manual initiation of the SLC system, manual feedwater trip to minimize cold water injection into the core, lowering the reactor water level to slightly above level 1 and lastly, re-establishing water level and boron mixing when the SLC tank is empty. The SNPS analysis assumes that the operator will have 25 minutes to perform these tasks. The high pressure injection function, U, is then evaluated. ADS inhibit, D, and water level control, Ug, are also included in the event tree to model the need to preserve the boron concentration inside the reactor vessel. Finally,
... . . _ . . - . *i _ a
_ _ __ _ _-.- _ _ _ _ . _ _ .. _ - - _.___ _ _ _ . _ _ _ _- - - _ _ _ - . . . . . . . _ _ _ _ . . . . _ . ._t
. m g @ 4- e.eup --
W- %-Eh
+$ ^M ' b *b M 4 ^ - ' 9 M 4' *
- l the event tree considers the success of the heat' removal ' function tnrcugh the .
condenser and the RHR heat exchangers. The combination of success or failure of these functions, shown in Figure 50.2, gives rise to the definition of an ATWS accident sequence. For instance, based on the success criteria defined for a turbine trip ATWS event, failure of Recirculation Pug Trip (RPT), given RPS electrical failure, results in a core damage. condition. Also, with successful RPT, failure of the ARI and the reactivity control function would still result in core damage. Part A of Figure 50.2 shows these accident sequences, which are related to RPS electrical failure, and Part 8 shows sequances related to RPS mechanical fail-4 ures . Subsequent to the reactivity control function, the tree evaluates the coolant injection and ADS inhibit functions, and finally the maintenance of level and containment heat removal functions. l Figure 50.3 is an ATWS event tree, similar to that for the turbine' trip' initiator for MSIV closure events. This tree is also divided into two parts. . for mechanical and electrical RPS failure sequences. The initiator freqdency is classified into two groups according to whether the power level at the time-of reactor scram is above or below 25%. The MSIV ATWS event tree is identical to the turbine trip tree 'except that the unavailabilities of the various func-tions are different. Included in this MSIV ATWS initiator frequency is the contribution from loss of condenser ATWS events. These are grouped together - and treated in the same event tree because both initiators result in a similar - plant response of losing the capability for heat removal to the heat sink. The loss of feedwater ATWS event tree is shown in Figure 50.4 The SNPS-PRA considered two power levels, below 25% or above 25%, for this event. The main difference between this event and the turbine trip ATWS is the unavaila-bility of feedwater. In this case, feedwater runback is not necessary. 
Simi-larly, the availability bf the condenser for the loss of feedwater event dis-tinguishes this event from an MSIV ATWS event, in which the conderser is not N, available. Otherwise, the ATWS event tree is identical to the other two trees. I I The loss of offsite power ATWS event tree (Figure 50.5) is essentially - the same as the MSIV ATWS tree. Given the onset of a LOOP event, the MSIV will close and the response of the plant to the 'inittacor is similar to a MSIV event. However, a LOOP event does, in certain cases, present a more notable challenge to the system availability than the other ATWS discussed thus far l because of the loss of offsite AC power. This is noted in the unavailability of the heat removal functiion; otherwise the two trees are identical. The last ATWS event, tree developed in the SNPS-PRA is that for an IORY ^ event. It' is similar to the others, described above, but it contains one additional function that models the failure of the high drywell pressure or high suppression pool temperature signal (Figure 50.6). Given the onset of an IORV transient, at the initial stage the reactor operator is instructed by the
. procedures to manually shut down the reactor; however, failure to do so does '
not necessarily preclude a scram since at high drywell pressure -2 psi, an automatic scram signal is generated. The SNPS-PRA determined that failure of the suppression pool temperature and the drywell pressure instrumeqtation would result in the equivalent of an ATWS sequence. This is reflected in the . SNPS 10RV ATWS event tree. - 213 m
5D.2 QUALITATIVE REVIEW OF THE SNPS ATWS EVENT TREES

This discussion of the results of the BNL qualitative review of the SNPS ATWS functional event trees is focused on several topical items rather than on each ATWS initiator.

Turbine Trip Initiator Event Tree

BNL's review of the SNPS turbine trip initiator event tree (Figure 5D.1) indicates that the function "feedwater runs" consists of feedwater runback action by the operator in 12 minutes, so as to preserve an orderly shutdown with low suppression pool temperatures. It is considered to have a high likelihood of failure in the SNPS-PRA. Failure of this function leads to either a loss of feedwater or a MSIV closure. However, this appears to contradict the definition of plant condition given for each sequence. For instance, the sequence T is characterized by the success of feedwater runback, turbine bypass, condenser heat sink, and MSIV open. But, if feedwater runback is successful, then the T sequence should behave more like a loss of feedwater than like turbine trip with bypass available. A similar example can be noted in the TQ sequence, where failure to runback, implying that feedwater is available, results in the loss of feedwater events. One possible explanation is that the upper branch of the feedwater run function should be interpreted as no feedwater runback. The SNPS-PRA states that a 0.4 operator error probability is assumed for failure to manually runback feedwater and a 0.75 failure probability is used for the automatic backup feedwater trip on Level 8.

High Power Initiator Frequency

In the SNPS-PRA, the ATWS initiator frequency is separated into two parts: that at high power plant condition, greater than 25% power, and that at 25% power or lower. The basis for this division is existing plant data from BWRs.

BNL did reassess the initiator data base to determine the relative contributions from such a grouping (see Table 5D.2). BNL considered that during the normal operation of a plant, i.e., not including the initial period of commercial operation, some percentage of plant transients would be initiated at low power, and credit should be given to reflect this situation where the condenser is adequate in removing heat from the reactor vessel, thus allowing additional time for the operator to initiate the SLC system. Depending on the nature of the data base, if, during the initial period of plant operation, there tend to be more scram events at plant condition of 25% power or less, then the estimation of this percentage can be potentially biased toward the low power events, and may not be representative of the plant over its averaged life. For the BNL reassessed core damage frequency, all ATWS events are assumed to occur at power greater than 25%, similar to the SNPS-PRA.

Water Level

As described in the preceding section, the SNPS design provides a number of means for reactivity control in an ATWS event. These include injection of boron into the reactor vessel by the SLC system, manual feedwater runback, and lowering of reactor water level to slightly above level 1. BNL concurs that these are important measures which can serve to reduce the reactor power.
With regard to the task of lowering water level, the SNPS-PRA suggested in one place that the water level be maintained slightly above level 1 and in another place that the water level be maintained near the top of active fuel (TAF), and the SNPS ATWS emergency procedure guide offers no insight into this apparent discrepancy, stating that the water level should be kept above TAF. In a broad sense, these statements are not contradictory, but it is left to the reader to interpret the true intent of the procedure. Furthermore, based on the physical analysis performed to support this action, an 8% power level was cited in the SNPS-PRA. This power level corresponds to the water level at TAF. Hence, there is, at best, an uncertainty as to the level at which the reactor water must be maintained. The effects of this operator action are discussed further in the next section.

SLC System Initiation

The SNPS design has two SLC loops, each with the capacity to inject 43 GPM of sodium pentaborate into the reactor vessel, but the maximum injection rate is 43 GPM, so that only one loop can be injecting at any one time. The system is manually actuated. A 25-minute action time is allowed by SNPS-PRA for this task. BNL reviewed the GE report NEDE-24222 and the KMC letter [18], and concluded that the maximum action time allowed for the reactor operator appears more likely to be about 15 minutes.

ADS Inhibit

Since the initial submittal of the SNPS-PRA, a modification to the ADS function (including a preliminary conceptual design drawing) was conveyed to BNL via responses to the BNL questions. This modification entails a manual inhibit switch for use during an ATWS event, should the reactor vessel water level drop below level 1, and is designed to eliminate the need for the operator to repeatedly reset the ADS timer. BNL has assessed the impact of this modification by a sensitivity analysis given in Section 5.3. The effect of a manual inhibit switch upon the success of low pressure ECCS in transient events warrants more thorough investigation, since inadvertent operation of the switch would disable all low pressure ECCS. With regard to ATWS considerations, this appears to be a useful design with the benefit of reducing the probability of failure of the operator to achieve timely inhibition of the ADS, as shown in Table 5.15 of Section 5.3.
BNL found that the SNPS ATWS procedures were not clear in a few areas as to what the operator must accomplish upon the onset of an ATWS. A case in point is the ADS inhibit function. In the procedure, the operator is instructed to initiate either the A or B SLC loop given a range of plant conditions (see Table 5D.1, item 3.6.1). The operator is further required to terminate all injection into the RPV except the CRD and HPCI or the CRD and RCIC maintaining reactor water level above TAF (item 3.6.1.2). At this point, two scenarios are possible. The first is quite benign, in that the reactor water level falls to a point where the operator, by controlling high pressure makeup, is able to maintain the water level above level 1 at all times. In the second scenario, the reactor water falls quickly even with rated high pressure injection systems, and the water level drops below level 1. The procedure does not appear to provide the instruction necessary to guide the operator to identify the critical parameter that must be closely monitored in reducing the water level, and to perform the inhibit function. In item 4.2 of Table 5D.1, the operator is only directed to manually open enough SRVs to reduce reactor pressure to between 800 and 960 psig when there is cycling of the SRVs. Given the critical nature of this function, failure of which is assumed to lead to core damage, perhaps this operator action warrants more attention than it has been given in the procedure guide thus far.
5D.3 SUMMARY OF PHYSICAL ANALYSES AND RESULTS

A few of the ATWS analyses performed on BWRs, and their results, are discussed here, with an emphasis on areas having more direct effects on the assumptions as well as the ground rules and conduct of the ATWS portion of the PRA. In reviewing the SNPS-PRA ATWS analysis, BNL found either a lack of detailed information on some aspects, or information insufficient for reasonable establishment of assumptions. This deficiency will become more apparent as the discussion continues.

Section 5D.3.1 provides a chronology of the ATWS accident sequence, and Section 5D.3.2 focuses on specific areas considered to have more substantial impacts on the ATWS PRA review.
5D.3.1 ATWS Accident Chronology

Given the onset of a plant transient, the MSIV closure event is recognized to impose by far the most severe requirements, compared with other events, on the safety systems needed for mitigation. Therefore, for this discussion MSIV closure is selected as the initiating event, and departures from the MSIV discussion will be addressed separately. This discussion will be further confined to BWR-4 reactors.

Upon closure of all MSIVs and failure of the scram system to insert the control rods, an ATWS event is in progress. The reactor pressure rises rapidly causing the safety relief valves to open. Consequently, a substantial amount of heat is being discharged into the suppression pool. Also, the pressure increase in the reactor vessel initiates the recirculation pump trip. Success of such a pump trip will reduce the core power to about 50%. Because the initiating event is a MSIV closure, feedwater will also not be available. Given the large amount of reactor power still being generated, the reactor water level drops rapidly, and at Level 2 both the HPCI and RCIC systems receive a signal to inject from the CST. It is predicted in the GE ATWS report that all of these events occur within a minute after the initial RPS trip signal. At two minutes, the GE analysis assumes that the automatic SLC actuation timer is timed out and the SLC system begins injection into the core. A time trace of the reactor water level (Figure 4.1.3 of NEDE-24222) shows that, after the water level drops below Level 2, the HPCI and RCIC flow reduces the rate at which the level decreases until a point when the boron from the SLC injection begins to take effect. The water level reaches a minimum at about 5 minutes and begins to rise again. This minimum is just short of level 1.

A similar situation occurs with a turbine trip with bypass available event. A time trace of the reactor water level (Figure 4.1.7 of NEDE-24222) shows that the time at which the water level drops to level 2 is about 1.5 minutes. Feedwater is assumed in the GE analysis to be run back within 1 minute after the onset of the event. As in the MSIV case, the SLC is assumed to begin injection at 2 minutes. Figure 4.1.7 of NEDE-24222 shows that the water level decreases at a lower rate than in the MSIV case. The analysis predicts that at about 5 minutes the reactor water level reaches a minimum, which is approximately 1.2 feet above level 1.
The results of the two different calculations indicate that little time, about 5 minutes, is available for the operator to take any action to secure the reactor. According to the SNPS specific ATWS emergency procedures (Table 5D.1), a series of operator actions is to take place. These are of two types: immediate and subsequent. The immediate actions include manually scramming the reactor, tripping the recirculation pumps, initiating RHR suppression pool cooling, initiating SLC, controlling water level, and, if manpower is available, re-scram of the reactor with operation of scram discharge high level bypass and other vent valves and logics. Subsequent actions deal with SRV cycling and plant shutdown procedures.
The SNPS specific ATWS procedures make it obvious that the GE analysis is no longer applicable to the SNPS beyond the 5 minute time frame. An ATWS analysis of Browns Ferry Unit One [18] provides some insights as to the response of the plant given that the operator follows the ATWS emergency procedures guidelines (EPG) for BWR [8]. This ATWS EPG differs in certain areas from the SNPS specific EPG. For instance, the BWR EPG recommends lowering the RPV water level to TAF; it also allows depressurization and use of low pressure systems. In the SNPS EPG, pressure is supposed to be maintained between 800 to 900 psi and no credit is given for low pressure systems. Therefore, the ORNL [18] analysis results are not directly applicable to the SNPS ATWS situation.

The purpose of maintaining the water level below the normal water level is to minimize the amount of heat produced in the core. This, in turn, has two related effects. The first effect is reduction of the amount of heat discharged into the suppression pool, and this allows the second effect: additional time for the operator to actuate the SLC to inject boron into the vessel. The reactor power will eventually diminish because of the boron, and the shutdown procedure can continue.

5D.3.2 Discussion

This section provides a discussion of the pertinent areas that affect the SNPS ATWS PRA.

Water Level Control

According to the SNPS specific procedure, operator control of the water level is important in minimizing reactor power. The SNPS-PRA states that, when the water level is at TAF, the power level is about 8%. This value is referenced in the KMC letter [18], which cites information from GE that ". . . the reactor power level when the water is at TAF should have been 8% rather than 15%." The level to power curve included in the document shows the 16% value (see Figure 5D.7). Figure 5D.7 also shows curves obtained by NSAC [21] and BNL. The range of power level at TAF is between 15 and 20%. If the water level is maintained at Level 1 rather than TAF, then the power level ranges from about 18 to 23%. If the intention is to avoid initiating the ADS function, and to maintain the water level above Level 1, then the power level is more like 20 to 25%. Because of the significant increase in the slope of the curve near the TAF region, changes in water level in this region have large effects on reactor power.
Suppression Pool Temperature Limit

The SNPS-PRA reports the suppression pool temperature limit to be 240°F; above this point, the plant condition is considered not to be acceptable. Subsequently, the KMC document [18] suggested that, on the basis of GE data on minimum subcooling required for efficient steam condensation, the suppression pool temperature limit may be about 285°F. BNL did not assess the validity of either value, but it is prudent to point out that a 45° increase in the temperature limit provides significant benefit in terms of added allowable time for the operator to perform his task.
SLC System Actuation

The KMC calculations include a sensitivity analysis to model a BWR-4 reactor with a manually initiated 43-GPM SLC system. Three different delay initiation times were assumed in addition to the base case, which is injection in 2 minutes after the onset of an ATWS. The reactor water level was assumed to be at TAF and the power level at about 8%. The maximum suppression pool temperature estimated for a 10-minute delay of initiation is between 260° to 270°F for the SNPS. If the delay is around 2 minutes, the maximum pool temperature is about 220°F.

The above information on water level versus reactor power indicates that, if the water level is at TAF, the power level is more likely to be 18%. This could have a substantive impact on the suppression pool temperature. If it is further assumed that the water level is above Level 1, the time taken to reach the suppression pool temperature limit is even shorter. As a result, the operator will have only a few minutes to initiate the SLC, thus making it a highly likely to fail event.

Summary

In the process of establishing a basis for the SNPS ATWS success criteria and ATWS assumptions, a limited number of documents were reviewed to determine the applicability of their results to the SNPS and the reasonableness of the analyses. A lack of detailed information was found in certain aspects of these analyses; even though these are generic studies, they do not provide a basis broad enough to account for the range of operator actions specific to the SNPS.

The areas of suppression pool temperature limit, boron mixing in the reactor plenum and its impact on delay in plant shutdown, and human action to lower reactor water level are each addressed separately. There is a lack of integrated analysis that could be used to support the SNPS specific situation and the SNPS specific EPG.

It is assumed in the BNL reassessment of the ATWS accident sequence that the water level is to be maintained between Level 1 and Level 2, and that the suppression pool temperature limit is 240°F.
5D.4 QUANTITATIVE REVIEW

The BNL revised ATWS event trees and the ATWS core damage frequency quantification of these trees are discussed here.

Turbine Trip Initiator Tree

As noted in the qualitative review of the SNPS turbine trip initiator event tree, BNL made minimum changes to this tree. The unavailability 0.7 used by the SNPS-PRA on the feedwater runback function was found to be high. BNL thought that, given the onset of a turbine trip, regardless of whether it is an ATWS event or not, some portion of this event will result in either a MSIV closure or a loss of feedwater or loss of condenser, and developed a revised turbine trip initiator event tree accordingly (Figure 5D.8). The basic structure of this tree is similar to that in the SNPS-PRA. It has a total of four functions: feedwater trip due to high level, turbine bypass, condenser heat sink, and MSIVs remain open. Consistent with that used in the transient event analysis, a 10% probability is assumed for feedwater loss given a turbine trip initiator. In order to further distinguish loss of feedwater events from MSIV closure, a 20% probability is used for failure of the MSIVs to remain open. Loss of turbine bypass or condenser heat sink results in MSIV closure and loss of condenser events, respectively. Given the availability of the feedwater, the bypass and the condenser, the probability that the MSIVs will not remain open is assumed to be 0.02. The end states of this initiator event tree can be classified into four groups: turbine trip, MSIV closure, loss of condenser, and loss of feedwater. Each of these is transferred to the respective ATWS functional event tree.
Turbine Trip

In the review of the SNPS ATWS turbine trip event tree, BNL found the reactivity control function unavailabilities, namely, RPS electrical or mechanical failures CE and CM, recirculation pump trip R, and ARI function K, to be reasonable. The RPS failure values are derived from NUREG-0460 [1,3]. The R function value reflects sensor failures, and the 10^-2 value for the K function represents the failure of the diverse logic to scram the reactor. With regard to SRVs open to control pressure, M, and SRVs reclose, P, the values used are also considered to be reasonable. In general, BNL concurs with the unavailability used for the coolant injection function, U. BNL in the re-quantification revised the values of the remaining 4 functions (C2, D, UH, W), and reconstructed the event tree (Table 5D.6).

The first part of the ATWS event tree is identical to that in the SNPS-PRA. Subsequent to the SRV reclose function, the question of feedwater runback is evaluated. Note that the initiator is a turbine trip event with bypass available; the feedwater system continues to provide feedwater flow into the reactor and to maintain the water around the normal level. As discussed above, with regard to the effect of water level on reactor power, if feedwater is not runback, the power level with recirculation pump trip is around 50%. This certainly far exceeds the capability of the condenser. Therefore, it is important to runback feedwater in a timely manner. The probability of failure to runback feedwater is evaluated to be 0.2, based on the SNPS human error curves.

If feedwater runback is successful in a timely manner, however, then the RPV water level will fall below level 2 and the probability of failure of the HPCI is assessed to be the same as that used in the transient event trees. RCIC is not considered to be an adequate means of providing coolant injection. In the event that HPCI is successful, the event tree evaluates the "Control Level 1" function and the SLC function. Actually, because of the rapid progression of an ATWS event, the feedwater function, HPCI function, Control Level 1 function, and SLC function should be considered to take place concurrently.

It is estimated in the KMC letter that using the EPG no blowdown case with a 10 minute delay in SLC initiation and water level at TAF (8% core power), the suppression pool temperature is calculated to be 221°F. BNL estimated that if core power is at 18%, the 240°F pool limit will be reached. Therefore, BNL assumed that the operator is required to initiate SLC and feedwater runback within 10 minutes. Moreover, if it is above 200°F, the reliability of the HPCI will be significantly degraded because of inadequate lube oil cooling.

As noted in the preceding section, without feedwater the reactor water level will quickly fall below level 2; the SNPS EPG (Table 5D.1) instructs the operator to take control of water level by terminating injection and to maintain it above TAF. Since the MSIV closure and ADS initiation is at level 1 and the EPG contains no explicit instruction for the operator to inhibit ADS, BNL assumed for this study that the water level is to be maintained between level 1 and level 2. The unavailability of the Control Level 1 function is derived from a functional level event tree (Table 5D.7). The tree first evaluates the likelihood that the water level will fall below level 1. A probability of 0.5 is chosen, based on review of a number of documents. The GE report indicates that, even with automatic SLC at 2 minutes, the water level falls to within 1.2 feet of the level 1 setpoint, but the ORNL report indicates that, for a turbine trip event, water does not reach level 1.

The ADS inhibit value of 0.2 is selected on the basis of engineering judgment aided by human error curves (Figure A.3-3 of SNPS-PRA). Finally, failure of the operator to maintain water level above level 1 and below level 2 is assigned a value of 0.1. Failure to control water level will result in core damage.

The SLC manual initiation failure and the RHR initiation failure are given probabilities of 0.15 and 0.1, respectively. Failure of these functions also leads directly to core damage.

Should the HPCI fail to inject given a successful feedwater runback, the RPV water will reach level 1 within a couple of minutes, causing closure of the MSIV and actuation of the ADS if the operator fails to inhibit. For all practical purposes, no successful operator actions can be assumed in these short times, and therefore the control level function is assumed to fail.
MSIV and Loss of Condenser

The MSIV closure and the loss of condenser ATWS are grouped together and treated in one functional event tree (Table 5D.8). The basis for this grouping is the similar plant response of these two types of events. In both cases, the MSIVs are closed and the feedwater injection is lost.

A major difference between this ATWS event tree and the turbine trip tree resides with the feedwater runback function (Table 5D.8). Since the initiator in this case has already caused the loss of feedwater, the runback function is not required and it is represented in the tree with zero failure probability.

Another area of difference is the level control function. A functional level event tree similar to the one developed for the turbine trip ATWS is shown in Table 5D.7-case II. As discussed in the preceding section, the water level following a MSIV or a loss of condenser ATWS initiator reaches level 1 within one or two minutes. Hence, the "water level below level 1" function (Table 5D.7) is chosen to be unity. In light of the situation, the ADS inhibit function is given a 0.9 probability of failure. Given the success of the inhibit function, failure to maintain level is assumed to be 0.2.
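The Control Level 1 functional tree described above for the turbine trip case and for the MSIV/loss of condenser case can be quantified as follows. This is an added illustration, not part of the BNL report; the branch ordering (level below level 1, then ADS inhibit, then maintain level) is an assumption reconstructed from the text, and with the turbine trip values it reproduces the 0.19 unavailability the report quotes from Table 5D.7.

```python
"""Quantify the 'Control Level 1' functional event tree (added example)."""

# Branch failure probabilities quoted in the review text.
# Case labels follow the report's Table 5D.7; the dictionary layout is ours.
CASES = {
    # Turbine trip with HPCI injecting
    "I": {"p_below_l1": 0.5, "p_inhibit_fail": 0.2, "p_level_fail": 0.1},
    # MSIV closure / loss of condenser
    "II": {"p_below_l1": 1.0, "p_inhibit_fail": 0.9, "p_level_fail": 0.2},
}


def enumerate_sequences(p_below_l1, p_inhibit_fail, p_level_fail):
    """Return every path through the assumed tree as (path, probability, end_state).

    Assumed structure: ADS inhibit is only demanded when the level drops
    below level 1; failure to inhibit, or failure to hold level between
    level 1 and level 2, fails the function.
    """
    sequences = []
    for below in (False, True):
        p_branch = p_below_l1 if below else 1.0 - p_below_l1
        if p_branch == 0.0:
            continue  # branch cannot occur, prune it
        if below:
            sequences.append(
                (("below L1", "inhibit fails"), p_branch * p_inhibit_fail, "FAIL")
            )
            prefix = ("below L1", "inhibit ok")
            p_branch *= 1.0 - p_inhibit_fail
        else:
            prefix = ("above L1",)
        sequences.append((prefix + ("level lost",), p_branch * p_level_fail, "FAIL"))
        sequences.append(
            (prefix + ("level held",), p_branch * (1.0 - p_level_fail), "OK")
        )
    return sequences


def unavailability(p_below_l1, p_inhibit_fail, p_level_fail):
    """Sum the probabilities of all failed sequences."""
    seqs = enumerate_sequences(p_below_l1, p_inhibit_fail, p_level_fail)
    return sum(p for _, p, end in seqs if end == "FAIL")


def dominant_failure(p_below_l1, p_inhibit_fail, p_level_fail):
    """Return (path, probability) of the largest failed sequence."""
    seqs = enumerate_sequences(p_below_l1, p_inhibit_fail, p_level_fail)
    failed = [(path, p) for path, p, end in seqs if end == "FAIL"]
    return max(failed, key=lambda item: item[1])


if __name__ == "__main__":
    for name, params in CASES.items():
        print(f"Case {name}: unavailability = {unavailability(**params):.3f}")
        for path, p, end in enumerate_sequences(**params):
            print(f"    {' -> '.join(path):45s} {p:.3f}  {end}")
```

In both cases the largest failed sequence is the one in which the operator does not inhibit ADS after the level has dropped below level 1.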
For the SLC initiation function, it is assumed in the reassessment that 5 to 10 minutes are available for actuating the system, and it is given an unavailability of 0.25. Similarly, the RHR suppression pool cooling function is assignd a failure probability of 0.2. . LOOP The loss of offsite power ATWS event tree (Table 50.9) is developed in a similar way, as the MSIV event tree. The plant and system response are c,on-sidered identical, Loss of Feedwater - This event tree also is similar to the MS!Y event tree except in the con-trol level function, the SLC function, and the W function (see Table 50.10). Because of the initiator, feedwater is automatically runback. Despite the loss of feedwater, the MSIV remains open and the condenser is still avail-able. Therefore, the control level function, given the success of coolant injection, is similar to that for turbine trip; the unavailability is 0.19 (Table 50.7). However, in the event that coolant injection is not success-ful, the control-level 1 functional level event tree evaluation shows an unavailability value of almost unity (Table $D.7-case !!! shows this tree). Since, without injection, level 1 is reached within 1 to 2 minutes, the ADS inhibit function is also assigned a high probability of failure: 0.9. Even in the event inhibit is successful, without injection, level cannot be main-tained. . 10RV '
. Table 50.11 is the BNL revised ICRV ATWS event tree. Operation data indicate that the onset of an 10RV event often precipitates a loss of feed-water; therefore, the runback function is assumed succesful. The SRV reclose function is assigned ' unity failure probability because of the initiator. All 221 m
a.
. .. .....e.- E..-., _, e..- . . ., .. r ,-
the fbnctions other than these are also the same as f ri the turbine trip event tree. , 50.5 OISCUSSION OF RESULTS This section presents a discussion of the ATWS results based on the quantification of the BNL revised ATWS event trees and comparisons between the BNL reassessed values and the SNPS-PRA values. Table 50.2 lists the BNL' ATWS ini:iator frequencies for six initiators.
The first column gives the SNPS ATWS initiator frequencies at 25% power or above, and the third column gives the initiator frequencies with power level larger than 25% used in the transient analysis of this review. Transfers from the turbine trip initiator event tree are identified and listed in column 4; they are made to MSIV, loss of condenser, or loss of feedwater initiators. The last column shows the ATWS initiator frequencies used in the BNL requantification.

To illustrate the effects of the BNL modifications to the event trees without the initiators, Table 50.3 compares the conditional frequency of core damage based on the SNPS and BNL ATWS event trees. Only five initiators are listed; the loss of condenser and MSIV events are consolidated into one group. The increase in conditional frequency is seen to be relatively small; no initiator shows more than a factor of 2 increase, and the MSIV case even shows a slight reduction. Based on this information, it appears that, even though BNL introduced major revisions to the ATWS event trees, the final results (without the contributions from initiator frequencies and from the feedwater runback function) do not change significantly. The results should be interpreted with the understanding that there is a lack of information from physical analysis to fully support the BNL assumptions; they are often derived on the basis of engineering judgment. The final results are also thought to be sensitive to these assumptions made in the reassessment. Moreover, the current EPG can be improved to provide added assurance concerning the operator's role in successfully mitigating an ATWS event. In the SNPS design, the operator is greatly relied on to mitigate such an event, and his failure to follow procedure or to perform a particular task in time is the major contributor to the ATWS core damage sequences. Almost all ATWS accident sequences are related to some form or another of operator error.

Table 50.4 lists core damage frequencies for the five different types of initiators, obtained by using BNL revised ATWS event trees and SNPS initiator frequencies. The first column shows the SNPS core damage frequencies for comparison. The second and the third columns give the core damage frequencies for Class IV and for the ATWS induced LOCAs based on the BNL revised event trees. The last column is the sum of the second and third, and it gives the total core damage frequencies based on BNL event trees and SNPS initiator frequency. The increase in core damage frequency for most of the initiators is small, less than a factor of two, and there is a slight decrease for the MSIV initiator, from 8.3(-6) to 7.2(-6). The overall increase in core damage frequency is less than a factor of two.

Table 50.5 lists the core damage frequencies calculated on the basis of BNL revised ATWS event trees and BNL initiator frequencies. It is similar to Table 50.4, and includes the SNPS core damage values for reference. The Class IV contribution and ATWS LOCA contribution from the BNL calculation are presented. Note that there are no Class 1 ATWS accident sequences in the BNL quantification. This is because BNL judged that insufficient time is available for the operator to inhibit ADS and prevent a Class IV sequence. BNL judged that most Class IV will result in a core damage due to loss of suppression pool water. The major contributor to core damage comes from turbine trip followed by MSIV events. This is to be contrasted with the SNPS case, where MSIV is the most dominant contributor followed by turbine trip. Note that the BNL MSIV core damage frequency, though contributing less than turbine trip, is still higher than the SNPS MSIV core damage frequency, 1.1(-5) versus 8.3(-6). The major reason for the increase is ascribed to the difference in ATWS initiator frequency. The BNL ATWS core damage frequency is a factor of 2.5 higher than the SNPS value.

50.6 SUMMARY

BNL reviewed the SNPS-PRA ATWS evaluations, both qualitatively and quantitatively. The assumptions and physical analysis results used in the SNPS-ATWS analysis, as well as the SNPS specific EPG, were reviewed. In general, the SNPS ATWS PRA attempted to model the events as realistically as possible; areas of conservatism in previous PRAs were explored to provide a realistic picture of the ATWS induced core damage risk. This includes the availability of the condenser heat sink for turbine trip and loss of feedwater events and low power ATWS events. In general, the SNPS analysis was considered to be reasonable and useful in providing an estimate of ATWS core damage risk.

In the course of the review, BNL identified three areas that warrant some discussion here. The first relates to the ATWS physical analysis. There appears to be only a limited amount of ATWS data that are directly applicable to a BWR-4 reactor with a manual 43-GPM SLC system.
Consequently, it is difficult to establish critical parameters that define the condition of the Shoreham plant and the time available to the operator for particular actions. Based on the limited analyses, engineering judgment was used in reviewing the SNPS analysis, and changes were made to the SNPS event trees. For instance, these changes affect the time at which RPV water reaches level 1, the suppression pool temperature limit, the effects of 43-GPM SLC on water level, and the effects of delay in actuating the SLC. BNL judges that changes to these physical parameters could have a significant impact in the assessment of core damage frequency.

The second area concerns the SNPS specific ATWS EPG. It is BNL's opinion that improvements in the EPG would be very beneficial in the areas of operator control of RPV water level, ADS inhibit function, and RPV pressure control. More details are needed to assist and guide the operator in responding to the accident at hand.

The last area relates to the extent of operator action required during an ATWS event to secure the plant to hot shutdown. The SNPS requires manual actions for most of the ATWS mitigation systems. However, very little time is available to the operator to perform these tasks; in many cases they must be done within 10 to 15 minutes after the onset of the event. This is why the Shoreham ATWS core damage frequency is about an order of magnitude larger than that of the Limerick or the GESSAR-II standard plant. It is prudent to recognize that there are large uncertainties associated with the estimates of human errors, and for this reason the ATWS core damage frequency could be very sensitive to changes in the human error probabilities.

Finally, BNL performed a realistic reassessment of the SNPS ATWS event. The results indicate that, given the assumptions used, the increase due to different assumptions and modifications to the event trees is far less than a factor of 2. The ATWS core damage frequency calculated by BNL using the SNPS initiator frequency is 2.2(-5), compared with the SNPS-PRA value of 1.8(-5). Use of the BNL initiator frequency increases the total core damage to 4.5(-5), which is about 2.5 times the SNPS-PRA value.
Figure: Event Tree Diagram of Accident Sequences Following a Turbine Trip Initiator From High Power.

Figure notes: All turbine trips for which bypass to the condenser is not functional are considered to be equivalent to MSIV closure events. Recirculation pump trip is assumed for turbine trips initiated from high power. This figure is used to estimate the fraction of turbine trip events from high power which will become isolation events if there is a failure to scram.
Figure 50.2 Event Tree Diagram for Postulated ATWS Accident Sequence Following a Turbine Trip w/ Bypass Available (Sheet 1 of 2)
}}