ts. Eta, ..vg-

e. s% > e.s " ,, , /a\.N . 0,, ,- . .. . w.m. i o.....~n......

m x m .a ,

! /

.I s Ny Nx %,x 0 \,'/ , A e.e.n.. u..a 9s: . .u . . . .m...t...

.u

.- . + /- N ' $' sh. ,V ' _ , , r,, n, ,  %, e'seo.ce

<s a en.

.a.

su'.t u e. s ** . a .

e

. /, p eseroe c s a.o a. .s we a..a c s

s . ,

.c~s,w.o.e. u a .4 o -

. .e

' %'s ~ .

• n.D. r m\ . <

v. lt 1 .

sa t

/, , ,s e ..

l' y ,

(

l sN --

,' y i .

I ,\ ~'

-l

.y'. . < .2 4 . . .. ,. .' n 4

,,~ ~= -

s vu u .

C 4

n<,- ' ""

/.

.s ,,'N +

I  :.';,

[' ' ' ' s.\ \

J\ g

[ f , 7-r- , a..5 J.; [ ,"$'

'a

's

,, .\D , \ ,# * # .,.'

- 'x%

• / . , f~ ~ n

/ <

s s .,, ,9 ,'e..s.s

- .?p -

N [.' '\ ^

i '/

'j #['?

e "

s' -

i ,{., is.7 ' eQ'b ;1 '

,i k, . * 's \

-.- ( ,: .w t /g ,,..* , I

....Y,* o ,' s.-

4:

.,,e' . ' / "* ; f

'y lll .-%. (x' N

m. .u_, , , , , , a-t

]

t,,a. -.- _. .' 't}.-@ t,. ..'".MY .

/.~[  ?,'  :

i

=

su m c.,ni m .

} == } m%

D

_.. "T - p a ~~v i' , B

.e. .n.g..p .c

~ f

• e .. ps" nr

_ g

• ' \

/,,1. -- - ,., .j ' r -u ,A ; . , , _ , . . ,, e e  ;.. s' ' , '

- // ,_io,_._,..., m, m ., h.

, ,--c-

,/

s' o

/%s

./

L7 ,'a s

n r--- g- -

..... m,,.

.K!."fr .L. s m . . y,'. -

f

[~

• h ., /..', ; - '

p . ..IL-(c;c. < ~.,, p - j-. .,

.,.,s q

• q s , . f.*g . .

s .$. s , , p. t --

D'**"*"*5";*

i

• ~

i

.s p._ '

o~u'"s ..~.y 'T

.s'.--

' ~- .. t. .q .

-- - - - - , g N 3

' ,_* _i__, , .<_- yg g ; Q s; .' g l m.,

{' - g~_.. v...'.

. .,g 3.

x- L

.i ..m.,. . ~ .q.i ,.h, . .,

l',$MUU , ,'[q'.",'M sf i --~

N,  ; _. : _ = 4- y--- . ' 'f.[" '

. . e. m m.ev .

t  ?, , 7.* : . _ h i, i!

u

._-7<~ 6 ,

_. ,. - __. g. i .e gf _

4-e '

E"* ' ,

l l

__ -~

'/ l 'I l~ \ , ., I

' '  ?

./

~

h j ,I . * .--- i l

• l q' ir ,,-b' ' + qi . CF a

/ ,/_sN y s i

, ; .4 e l , ,i

,A /_ p ,

( I

~

' , / ' ., s/C

• r' j

' ' 3 s

Q ," E ~

g M g,,p,.

- - - 1_ m . . r"-

de ..c...

I

--q n*. e

. a. .. g, .p _ . c p, - ,

i , 3 e

, / v

• D, I

7

~C .t T__ Tp f' l'i / y

'm i a

.7- _ . . . L_ . _ _ P-yl* */ ^$  ; ' " ~ '

i / c.

\ ~ [^ . /j  % .'&. ,_,g pi t //

. .. .~, . . .s.ac

~ ,

.[ < < j,p"..,:  %* '[C.' . .

s1q <

'.(',

_.' / y *'-

l[$ s a _Av.. '

fj# .'/f, s .y ,,, , 3 . ,' % 'c .

't

_a a

) } - e 7,,

W;. M

/

-z T. , --

e 2. ,y n - --

y.x / . q[. 53, % -

. , , , y /

)

_ _ y _ s i . ,3..

L,-,,- c

.e Ng'4. , %y v 4 e

. . . / ,., .... 1 y., h.

..-. r -

/ &,g. s,p , 3, %r v g H

. ~. .; p, , . ,

,/ ,

.s.,

A . , / s 3, / h. s.

,[s>>,  %,:, :

p'  %. *

l. ?

V 6' 9, ,4a~, ,475.".. . e

.; ' , Q, **e s

.,s-

. ._i .. N, ,/

s6. N </o %:.,.*@. e.

u s ,./, .,ws ,%<- y~ s

.. - i ,

a -

s v . - (w<v -jscy< >>,o-. Je ,

. o e o . (a o,. + a s+.

r

• A

- y og/.% *

~w Qs . i p, q. %. , v,

' . L

) r../'-O?,s'*/..>; s A ri-A l

_1 f *,, .* ., .1h y, y*

e

/

g yy,3a t'_ .?,Y;al,7 o,

_ .n

+ .Q-.-

p .

. -A s

- AQ, f : ,,nso..w.-,rr , e 3

,, .-- > , p/ 4, V .,.

__d

_.us.f. m.

t H- J my a t - ft*uc =

__I___,,._. .... _ %( s.s .g, , . ' .s f

--w<- -- -

• O/-- 7 /' .?

i PW . .

_ . . _ - stentt.i ccurany asenesa es eseness

'7 NQ. 9m/ , d r BAV!S-B[$$[ NUCl[AR P0w[R STAil0N G .". , ,'\ re tains ines tweev

'n nfsttsse I,tre4 mes ea' as tevense h'i.'L,M

'/j

"'""~'

.%s] = A#5,6#g 'f', s. eieine seuses co.ws

/ 'y * 't*t* P CONTAINW[NT ttJILDWG - AMA 9 Pt AN AT FL.%i,(7 K

1. y , . ts i ,

, ec Q

'Y. "- - .s .7

) FIGURE 1 '

{

Jm . _ . e .

i L s. s. j, , to.  : a { m. - t) --[ i sr t.r. .

. .j.A .Q<. . x-Qf, .a , M.'i AG -

s FIGURE 2 DHR SUCTION LINE DIAGRAM CONTAINMENT PENETRATION lp

\

DHR )

( -

/

PSV 4849 LJ V3 565' LEVE L ......................

w,,._...._.. . ... , .

".,.;...y.',

• .Y.,

.. * . e ~ * *: 4'.. .~..

,,,.s:. . r'. g ', ,

r.--:..n....'-'

g..,.~... ~v 8., .c..-...,

• m..

, . . .:u NT;I6 s .

..- M M _ ,' Sj f]:f[;r'

, CONTA1NMENT AN,7:~-E[*d],9 .,'

'~

GIN.,*,$:- EMERGENCY 5i M' ~ 'e J" . . f.

x L LJ j ly.0,... .'.tT- V SUMP ,~.r-f.3[.l. - -'- k< .,.. .l .

r ,J

, ' -'. ,4 ': -93

. .. n,t RCS e rT 12-W--- '

-: 93>

DH11 DH12 . f*,' 2c: ' : -',.

4

'f2

...'. 9%.:*./:=-

.r.., n,4,

.i ' 6*r. . ~ . .., .:--

e - *

,....'s..

i. 3

. ..._.,,.,.,..e.-.

,, , .r - s

.g .

" .k .. ;.

. ' l,. .: s. f5-- . h.T! '.~:'.* Y,*/ - s' wlO,.y s

'0l's'~ b.:s h~.V.'.,.',

.b

.'j - :? ,. g ; . $! .W.,

u , .,_.*s.'

c r A'!"' W'.% < t r. . * ,.'h.. 5.: *!.'.i'.' .'I'.'.,.'

• . *.,, ! .'hY .?: so

- - ~ . . : .: . ::: < '

s s * ~. /, r ?!<. .- f e$.;M. ' )< ., :n v -* : ": -

M ~ . ' *:, ',; .?.,.S 'l$?+..,. s.

t.e'-

.,n.n.'v.'.,:,... ~

r

's;,,,'a v% o

.u q

d'i,

~

• j :.

.s

.Vg.. .. y',

^

.y.  :.M

,. s t . .* =,

• ' *'7,.. N*;,-' e *r p. 4.*.: ..5 s!s .2

^

Y . .f.',o.*. .h.; .

..- . , . ' .= , ' .' . Q%  ;. .

..q.'s'..-.; M .*D*$:?

. o <-.c

.~~~% ~e

.c. - ..;, ; *.y t ,; gn.:'., . -T g.T.?;:':"%.

,p..t.s: : ; .1;;. s:.'r ;, ~L, . '. 'a,:',.x: tn- . .,:;.t *:r

. ' :.s'.;;*.%l

. - ;:,'y.- .. A. -L. '< - ,':: T .'

.. . ~~ . .%. ~ v ; ,'et . ..-

e

~' 2'+ b.. ~ *l;' ' ,; ~. . %; * ' * *.' '#

v". . x s 'IL5!' ~

& .:: i'.'.\ 4 ',.t ,..'-%:

• i( ; J  ; 'h'}KR?{$;j.Q'?-I ,,

SE ALED VALVE PIT 4

--h _ .  % .,. , ... , -

ge . **

TABLE 2 (Sheet 1 of 2)

EQUIPMENT IN THE VICINITY OF THE DHR SUCTION BYPASS NOTE: Valve sizes are included La parenthesis a:~ter each valve or group of valves of each size.

1. DHR Suction Bypass Valves DH21 & 23 (8 inches)

2. DHR Valve Pit Sealed valve pit containing motor-operated valves DHll & 12 (12 inches), valves DH24, 49, 50 (3/4 inch), and 170 (1 inch),

and a light fixture

3. DHR Suction line to penetration #29 (El. 569'6", azimuth 138 )

Pressure-relief valve PSV 4849 (4 by 6 inch) flange on DH line

4. Containment emergency sump

5. In-core instrumentation tubes, bottom of in-core instrumentation tank, and associated valves DH91, 93 (3 inch), and 97 (1 inch)

6. Access to bottom of reactor vessel

7. Two light fixtures

8. One electrical outlet box

9. Station air header and valves (no numbers)

10. Instrument air header and valves IA516, 517 (1/2 inch), and others all small valves (no numbers)

11. Two snubbers, EBB-5-H6 and CCA-4-H10

12. 7en 51, (574'-0", 121.5 ) hydrogen purge line

13. Pen 41, (574'-0", 125 ) 2" pressurizer quench tank recirculation line and valves RC 152, 151, 113 (2 inch), and RC 59 (1 inch)

14. Pen 44, (578'-6", 1250 ) two 1" nitrogen lines and valves NN 112, 408, 415, 417 (3/4 inch), NN 59, 60, 61, 54, 66, 414, 416, 67, 63 65, 409, 411, 422, 423, 52, 53, 91, 836 (1 inch), NN 3864, 3865 (1 1/2 inch).

15. Pen 13, (574'-0", 135.5 ) normal sump drain line and valves DR 2012A (4 inch), DR 23, 24 (1 inch)

16. Pen 65, spare 8

TABLE 2 (Sheet 2 of 2)

17. Pen 20, (574'0", 128.5 ), high-pressure injection, valve HP54 (3/4 inch)

18. Pen 19, (578'-0", 128.5 ), high-pressure injection, valve IIP 55 (3/4 inch)

19. Pen 32, (566'-3", 159.5 ), 3" RCS drain line, valves RC 754 (2 by 3), RC 1773A, 74 (3 inch), RC 93 (3/4 inch)

20. Pen 48, (566'-3", 162 ), 3" Pressurizer quench tank recirculation line and valves RC229B (3 inch), RC76 (3/4 inch)

21. Pen 16, (578'-6", 132 ), 3" RCS vent line and valves RC1719A, 96 (3 inch), RC159 (1 inch), RC97 (3/4 inch)

22. Pen 57, (574'-0", 118.5 ), 4" steam generator drain line with flange, no valves

23. Pen 42, (397'-0", 144 ) two 1-1/2" air lines and valves CV314, 315 (1 inch)

24. Pen 27, (578'-6", 118.5 ) 10" low-pressure injection line, no valves

25. Pen 46, spare

26. Cable trays CLBF04 and CLBE04

27. Ventilation duct

28. Instruments FIS 4333 Flow-indicating switches, component FIS 4334 cooling water (CCW) for reactor FIS 4335 coolant pump 1-2-1, and associated FIS 4336 isolation valves PS 4301 Pressure switch, CCW (as above), and associated isolating valves

29. Electrical junction box JB 2921

30. Insulation on DH suction line and nitrogen line

31. Miscellaneous electrical conduits, air lines, and wires leading to air and motor operated valves 9

TABLE 3 LARGE MANUAL VALVES IN THE CONTAINMENT VESSEL Over 8" nominai line di, meter None 8" nominal line diameter DH21 (El. 567'-0", 130 ) DHR suction bypass isolation valves DH23 (El. 567'-0", 136 ) in series; horizontal, azimuthal pipe orientation; reflective insula-tion, locked closed DH88 (El. 578'-6", 200 ) Containment isolation valve on fuel transfer pit fill / drain line; hori-zontal, radial pipe orientation near penetration 49, normally closed DH90 (El. 587', 190's In-core instrumentation tank fill /

drain line; vertical pipe orientation c]ose to fuel transfer pit wall; reached from 585' level 6" nominal line diameter DH92 Refueling canal leak test line; in cavity between fuel transfer pit and reactor cavity wall CC227l Component cooling water isolation valves on lines to CC229 reactor coolant pumps located near reactor cavity CC231 wall in the steam generator compartments, normally CC233 open SW 64, 65, 66, 67 Service water isolation valves attached SW 69, 70, 71, 72 to containment air coolers, accessed SW 73, 74, 75, 359 from elevation 585', normally open 4" nominal line diameter CC97 , Component cooling water isolation valves at letdgwn CC98 heat exchangers, approximate location (570', 230 ),

CC103 normally ooen CC207 CC228 CCW isolation valves near reactor coolant pumps in CC230 steam generator compartments, normally open CC232' CC234 CV266 Containment air isolation valves, normally open CV268 10

Methodology, Data, and Assumptions The methodology employed in this study is that employed in the Reactor Safety Study (RSS), WASH 1400 [1]. That is, event, fault, and THERP (Technique for Human Error Rate Prediction [1, 2, 4, 5]) trees were used to structure the analysis. Data were taken from the RSS [1] and the study of human error by Fullwood et al. [2]. In those cases in which no clearly relevant data could be Yound with which to obtain event probabilities, no attempt was made to guess a "best estimate" directly. Rather, upper and lower bounds were estimated based on inference from less directly applicable data. These bounds were taken to be 95 and 5 percent confidence level points of a log-normal uncertainty distribution on the event probability to be estimated, in keeping with RSS practice. The SAMPLF code was used to propagate uncertainties through the analysis and to treat cases of moderate coupling (common mode effects) as was done in the RSS.

Errors in the alignment of the bypass isolation valves, DH21 and 23 were modeled with tight coupling, i.e., the mispositioning of both valves was taken to be no less likely than the misposi-tion of one valve.

Following the RSS, no probability of human error was assessed to be less than 10-5/ opportunity. The probability that a large manual valve a lock and chain is left in the wrong alignment was taken tosecured be 10-bg 10.5 per maintenance act after the RSS, page III-63.

Fullwood, et al., cites data tending to suggest that maintenance activities may result in the misalignment of typical (small, unlocked) manual valves with a probability in the range 1 to 3 x 10-3 per maintenance act. Since the Fullwood data include all reportsble (safety-related) occurren:es, they presumably include maintenance on systems with numerous small manual valves. The likelihood that any particular manual valve is misaligned is thus somewhat less than the Fullwood estimates. Wetaketheprobabiljty0.gatalargevalvenot t

secured by a lock is misaligned to be 10- _ per maintenance act.

The analysis requires an estimate of the probability that personnel working in the neighborhood of the bypass happen to have the key for the valve lock in their possession. Administrative controls on the keys now in effect at Davis-Besse Unit 1 should suffice to make this probability quite low. Possession of the key is not required for any activity within containment other than the deliberate opening of the bypass. The opening of the bypass will be an extremely rare event, as it is intended only to enable the DHR to function in the event that DH11 or DH12 fails to open when the transition to the DHR system is attempted at shutdown. Nevertheless, the key may be issued to personnel to gain access to restricted areas elsewhere in the plant. Therefore we have elected to assign a very conservative 11

estimate of 10-1 10.5 for the probability that the key may be in the possession of personnel working around the bypass when the unit is above cold shutdown. In the event that the valve lock key is unique (no other locks are opened by the key, and no masters common to other locks exist) , this probability is reduced to 10-310.5, in keeping with the probability estimate in Fullwood, et al., for failure to follow procedures in the course of maintenance activities. In the event that two unique keys are necessary to open the valves, the possession of both keys is taken to be a common mode error of moderate coupling.

That is, the probability is bounded above by 10-3 and bounded below by 10-6, i.e., 10-4.511.5 Other probability assessments are described in the body of this analysis.

Analysis of Sequences Leading to Opening of the Bypass While the Unit is Above Cold Shutdown

1. Maintenance in the Vicinity of the Bypass An investigation of the equipment in the vicinity of the bypass (see Table 2) revealed only one device which will routinely require service while the unit is above cold shutdown. This is the pressure relief valve, PSV 4849, on the DHR suction line physically above (downstream) of the bypass. This valve must be physically removed for bench testing to verify operability and setpoint. It cannot be removed while the DHR is in service as it cannot be isolated from the DHR suction line.

In the absence of a maintenance schedule for PSV 4849 we have assumed that it would be bench tested no more frequently than once a year and no less frequently than once in 10 years, i.e.,

X= 0.3 x 1010.5/yr. The removal for bench testing of PSV 4849 will be performed while the RCS is in transit between hot shut-down and cold shutdown.

In light of the diminished risk of DHR overpressure damage due to the reduced RCS pressure while PSV 4849 is being serviced, it might be thought that other scenarios involving maintenance on other equipment in the vicinity of the bypass might contribute as much or more to the risk.

However, several considerations indicate that this is not the case. First, the region is inaccessible except when the unit is shut down. Second, no other equipment in the vicinity routinely requires service while the unit is above cold shutdown. Third, other components on the DHR suction line (DH11, 12, 21, 23) can be serviced only when the DHR is out of service and the RCS is partially drained, i.e., only when there is no recently irradiated fuel in the reactor vessel.

Fourth, no other equipment in the vicinity remotely resembles the bypass, so misalignment of the bypass valves is much less likely during repairs on other systems than it is when per-sonnel intend to work on the DHR system.

12

Therefore, we conclude that the dominant contributor to the risk of DHR overpressure (due to the improper opening of the bypass in conjunction with maintenance) originates in periodic service on the pressure relief valve PSV 4849, despite the fact that the RCS pressure is likely to be below full reactor coolant pressure on such occasions.

We may assume that the bypass is initially closed when the pressure relief valve is serviced. The sequence in which startup is attempted with the bypass open is treated in the next section. Several scenarios might lead to improper open-ing of the bypass when PSV 4849 is removed or reinstalled:

1. The operator might mistakenly think it appropriate to open the bypass.

2. The operator might mistakenly expect to find the bypass open and intend to close it. He might then erroneously open it.

3. The operator might intend to verify that the valves are tightly closed and inadvertently open both.

All three of these scenarios were incorporated in our original study and are included in the results, Table 1,above, but onlywill be the analysis of the dominant contributor, case 1.

described in detail here. A THERP tree is shown in Figure 3, which develops the case that an operator reinstalls PSV 4849 and erroneously believes that he should open the bypass.

The basis for the probability assessments for the THERP tree is described below.

For the 12 options, the probability, PL, that the lock and chain is absent is taken to be as follows.

Procedural Optior:

No ek Irch & Chair il e e .

P 1.0 m 10 -5 1 1.0

1. Prosect Design 1.0 1.0 x 10

• 1 0.5 1.0 z 10

• 1 0*I

-4 1 0.5 1.0 m 10-e 1 0.5 i,g , in -3 1 1.C

2. Present

• Sign 1.C 1.0 a 10 Present

• Flange 1.0 1.0 a 10 -4 1 0.5 1.0 m 10

-4 1 0.5 1.0 m 10-5 1 1.0 3.

Clearly, if no lock is employed, the probability that the lock is absent is 1.0. For procedural options 2 and 3, the probability that the lock is absent is taken to be equal to the probability thatalargelockedvagvg*gsleftinthewrongalignmentafter maintenance, i.e., 10 - ,

after the RSS page III-63. In the event that two different inspectors are required to verify that the valves are locked closed, and each must sign a checklist entry to attest to his check, i.e., for procedural option 4, the probability that the locks have been left off is assumed to be one order of magnitude lower, with a broader uncertainty factor.

13

FIGURE 3 THERP TREE: OPERATOR MISTAKENLY ELECTS TO OPEN BYPASS AFTER REINSTALLING PSV 4849 OP LEAVES OTHER O O CLOSE D p,

SPECTACLE FLANGE CL(EE D LOCK AND CHAIN F KEY REFUSED IN PL ACE ON OP OPE NS P'1 FLANGE

^

VALVES N TO P

1 - P,. G OBT AIN KEY P ' 1-P OP K

OP ELECTS TO OPEN RYPASS COLLECTSo OPENS OPENS o P[

o KEY ' VALVES BYPASS '

OR[ Pc i

OP H AS KEY m OPENS OPENS _

I SPECTACLE FLANGE OPEN ON HIS PERSON ' VALVES BYPASS P g OR NOT INSTALLED OP REINSTALLS PSV 4849 i '

OTHER O O FLANGE Pd1 CLOSED SPECTACLE FLANGE CLOSED LOCK AND CHAIN P=IP p.

ABSENT OP-?' ENS

. P FLANGE L

G OP ELECTS TO OPEN RYPASS ,

I p \ OPENS VALVES OPENS BYPASS m

M EVENTS NOT LEADfNG TO OPENED BYPASS SPECTACLE FLANGE OPEN OR NOT INSTALLED M EVENTS LEADING TO p p.

OPENED BYPASS

The probability, Po, that the individual who is reinstalling PSV 4849 elects to open the bypass is taken to be 10-311 if the lock and chain is absent and 10-411 if it is present for all 12 options. The former estimate agrees with RSS and Fullwood, et al., estimates of the likelihood of valve misalignment in association with maintenance. There are many factors or clues available to personnel that opening the bypass is a serious error, clues that are not present in most of the cases where the Fullwood or RSS probability estimate might be appli-cable. Some of these factors or clues are:

1. Awareness that the bypass constitutes an RCS pressure boundary

2. The large size of the valves and the fact that there are two valves in series

3. Reflective insulation on the bypass, which should remind personnel that the line communicates with the RCS

4. Procedural rules governing maintenance on PSV 4849, startup checklists, etc.

5. The bypass is never opened routinely, even when the DHR is in service

6. DH label on each valve

7. Location of the bypass over the sealed valve pit next to the emergency sump

8. The sound of the opening relief value as the valves are cracked open.

On the other hand, it is a particularly plausible error for personnel to believe that the line should be opened after the pressure relief valve is reinstalled. Nevertheless, it is our judgement that the probability assessments of pol = 10-311 and POL = 10-411 are extremely conservative. No reduction in the probability of the error was given for the presence of a sign or tag on the valves saying "DO NOT OPEN" (design option

2) on the grounds that there are already so many clues present that the bypass ought not to be opened that one further clue will probably be ignored if all the other clues are ignored.

The probability that the flange is absent or open, for the cases in which no flange is installed, is clearly PF = PF' = 1.0.

For the case in which the flange is installed (design option 3) the probability that it happens to be in the open alignment is taken to be: ,, . m ,1 c,,,,,

lock trith Double 14ch, lack Chain L'n a q u. F.y Ete-so Lock NA 3 s 10-3010.5 3 s 10 -3.0 1 0.5 1 s 10 *I'0 1 I' lock in Plac.. =

1 0.5 3 , igdi1 3 , go di1 3 , sed 1 1 14ek sLissing, IF'

• 1 a 10 -3 15

The basis for these estimates is as follows. If no lock is intended (procedural option 1) the probability that the flange has been left open is taken to be equal to the probability or or procedural error in association ofvalvealignmenterg/

with maintenance, 10- demand, after Fullwood, et al. In the event that the valves should be locked and are locked, the inspectors may be slightly more likely to overlook flange mis-alignment, so a slightly increased probability assessment is used for these cases. However, the redul. dant inspecti.on of procedural option 4 is assumed to compens<te for this effect.

If the lock should be present but is absent, we give no credit for inspectors catching flange misalignment (strict coupling common mode error). However, the failure of personnel to re-place the lock and chain on valves DH21 and 23 does not imply that the flange has been opened, except for a moderate coupling between maintenance on DH21 and 23 and the exercise of the flange.

We assume that there is not more than one chance in 3 that the flange is open and not less.than one chance in 300, i.e.,

. 3 > P > . 00 3 or P = 3 x 10-2.011.0, The probability, PG, that the operator opens the flange be-fore he opens the valves given that he intends to open the bypass is taken to be no greater than 1.0 and no less than 0.01, i.e., Po = 0.1 x 10 1 1.0. The time and effort required to unbolt the flange, realign it, and bolt it tight in the open alignment provides many opportunities for the operator to reflect on what he is doing. Although it is alreaPJ given that he has missed many clues that his intent is erronetus, he may rethink what he is doing during the time-consum,.ng process of flange realignment, or his unduly long period in containment may come to the attention of other personnel.

Given the intent to open the bypass with the flange either absent or open, it is assumed that the operator will proceed to open the valves if he can. That is, if there is no lock or if the operator has the key on his person, the bypass will be opened. The probability that the operator has the key on his person is discussed in the previous section. If the operator does not have the key on his person, he may be able to obtain the key. The probability that the operator collects the key and returns without effective challenge is Pc, which depends upon the procedural constraints but not on the bypass design:

Procedaral Option po Lock Lock & Chale 0 q.7 Tw e ys NA 10

• I ~3*I -5+1 P, . -

10 10 16

With present procedures (option 2) access to tha keys is restricted but there is a variety of circumstan:es in which personnel might legitimately use the key. Therefore, we assume that there is no more than one chance in 10 and no less than one chance in 1000 that the individual might collect the key and return without effective challenge.

If the key is unique to the bypass, it is no longer plausible that access to the key is legitimate. Therefore, we employ a probability centered around the assessment of the probabil-ity for a failure to follow procedures in Fullwood, et al.,

i.e., 10-3 If two distinct, unique keys are required, the keys are not kept together, and no single individual is permitted access to both keys, the probability that the in-dividual collects both keys is treated as a common mode failure of moderately weak coupling, i.e., 10-3 > p 2 (10-3) 2, with a slight bias toward the random, i.e.,

P= 10-5+1.

This completes the estimation of probabilities in the THERP tree. The algebraic expression for the rate of occurrence of DHR overpressure based on this analysis and a tabulatien of the event probabilities is shown in Table 4

2. Startup from Cold Shutdown with the Bypass Open The startup check list and startup procedures forbid pres-surization unless it has been verified that the bypass L=

closed. In the event that an attempt is made to pressurize the reactor with the bypass open, there is a safety-relief valve, PSV 4849, which will bleed off sufficient flow to prevent RCS pressurization above the DHR design pressure.

PSV 4849 cannot be isolated from the DHR suction line.

See Figure 2. In addition, there are two redundant pres-sure transmitters on the DHR trains either or both of which will annunciate an overpressure condition in the control room. There is also a temperature alarm to indicate that the relief is lifting.

A fault tree, Fig. 4, has been drawn to develop the event "DHR overpressurized during startup due to open bypass." The assessment of probabilities is given below.

It is assumed that the plant will be started up from cold shutdown not more than 10 times per year and not less than once per year, i.e., = 3.0x10+0.5/yr. The probability, P2, that the bypass is opened while the unit is shut down depends upon the design or procedural options:

Proc. dural Option 1 2 3 a P3 lio Icek leck & Chain L que o L'n1 Reys

1. Pre.ent D.ston 0.3 a 10; 0.5 0.3 a 1010.5 0.1 a 1010.5 g,i , 3,1 0.5

2. Pr...nt + sign 0.3 a 101 0.1 a 101 0.5 0.1 a 101 0.5 0.1 s 101 0.5

3. Pres.at . Flang. P. a 101

• 10 1I 10* 1' 10 1 17

TABLE 4

SUMMARY

OF MATHEMATICAL MODEL AND DATA IN THE EVALUATION OF THE FREQUENCY OF DHR OVERPRESSURE ASSOCIATED WITH MAINTENANCE ON PRESSURE RELIEF VALVE PSV 4849 The algebraic expression for the frequency of overpressure in-cidents is:

t x P) x (P L xP OL x (P F, + (1-PF') *PG+

(1-P ) xP OL + ~

• * + I K c '

F F G K where the variables are:

Variable Probability Interpretation At 0.3x1010.5/yr Frequency of maintenance on PSV 4849 P 0.3x10 10.5 Probability that RCS pressure is >450 psig 3

P g varies

• Probability that lock and chain on in place on bypcss valves P

OL 10-3.011.0 Probability operator elects to open bypass given absence of lock P 10 .011.0 Probability operator elects to open bypass OL given presence of lock P varies

• Probability flange is absent or open given F

presence of lock P p, varies

• Probability flange is absent or open given absence of lock P 1 Probability operator opens flange given in-G tent to open bypass P varies

• Probability operator has the key 7'

on his person P varies

• Probability operator collects key c and returns

• Probabilities noted as varying depend upon the design or procedural option being considered. See text for probability estimates.

18

FIGURE 4 FAULT TREE: DHR OVERPRESSURIZED DURING STARTUP DUE TO OPEN BYPASS DHR OVERPRESSURIZED DURING P RESSURIZ ATION FROM COLD SHUTDOWN DUE TO OPEN DHR SUCTION BYPASS LINE AND

\

PRESSURl-

-rBYPASS OPERATOR F AILURE TO fFAILURE 2 ATION OPENED / OF PRESSURE FOLLOWING DU RIN G I I CLOSE BYPASS l RELIE F VALVE COLD SHUT- j PRIOR TO PSV 4849 COLD DOWN STARTUP SHUT DOWN P P A P 3 4 1 2 OPERATORS CONTINUE HEATUP DESPIT E OVERPRESSURE ANNUNICATION P

5

' = *

,. e, s e. .-m ~-

For the design options without the flange, the probability that the bypass is opened per cold shutdown is bounded above by 1.0. The lower bound is based on the argument that the operability of the bypass will be verified not less than once in 10 years. This translates as 0.1 to .01 per shut-down. It is conservatively assumed that both bypass valves will be exercised at the same time (tight coupling). The assessment of the probability that the bypass is opened (per shutdown) is taken on the high side of the range, i.e., 1.02 F2 20.1 or P 2 = 0.3 x 1016.5 for those design or procedural options with less strict controls, and in the middle of the range, i.e., 0.3 2P2 2 0.03, or P2 = 0.1 x 1010.5 for those options with more stringent controls on bypass opening. For the three cases in which both locked-closed valves ara a spectacle flange block the bypass it is much less likely that the bypass will ever be opened. However, as maintenance acts to verify valve operability and flange movability are likely to be associated, it is not justified to treat them as random, uncorrelated events. To account for this association, we con-servatively assume that the bypass will be opened no more than once in 10 cold shutdowns and not less than once in 1,000 cold shutdowns, i.e., P2= 10-111 per cold shutdown.

The probability, P3, that the bypass is not closed before startup is attempted, i.e., an error by both the maintenance personnel and the valve alignment inspectors, is estimated to be:

Procedural Os tacn P No ek Lock Chean L qe *wo r e ea 3

1. Present Design 3.0 m 10- .C 1 0.5 1.0 a 10-4.0 1 0.5 1.0 m 10-4.0 1 0.5 1.0 a 10-5 ; 1

2. Present + Sign 1.0 m 10-3.010.5 1.0 a 10-4.0 i C.5 1.0 a 10-4.0 1 0.5 1.0 a 10-5 1 1

3. Present . Flange 3.0 m 10-4.0 : 1.0 3.0 a IC'I 1 I 3.0 m 10"I 1 ' 3 x 10 1 '

The estimate for the present case was drawn from the RSS. In the absence of a lock or sign, a higher probability of 3 x 10-310.5 is used to be consistent with the valve mis-alignment operator error rates in Fullwood, et al. A slight improvement, to 10-310.5, is credited to the presence of the sign alerting maintenance and inspection personnel to the importance of valve closure. In the event of a unique requirement for double inspection (procedural option 4) we judge that an additional reduction of the present (RSS) probability assessment is warranted. Since the RSS credits a lock and associated paper work with a one-order-of-magnitude reduction in the probability that a manual valve is left misaligned, we apply this factor to the benefit to be expected from the double-lock and double-inspection procedure, over and above the one-lock, one-inspection procedure.

20

In the event that a flange is present, there is one addition-al " success path," i.e., means by which the bypass can be shut. However, as closure of the valves and closure of the flange can be expected to be quite closely coupled, and as the flange alignment is likely to be less conspicuous than the valve alignment and/or presence of the chain and lock, we es-timate that the reduction in the probability is slight: half an order of magnitude.

The probability that presspre relief valve PSV 4849 fails is taken to be P4= 10-5.010.a after the RSS. The probability that the operators fail to respond to the DHR overpressure annunciation in the control room is taken to be P5 = 10-211, At the maximum rate of heatup, 100 F/ hour, the RCS pressure could rise from the setpoint for the overpressure annunciator to the DHR design pressure in 10.8 minutes. Realistically, it would take roughly an hour before the RCS pressure reached a level that is likely to damage the DHR system. One can expect the operator to be alert and unpanicked at such times.

The operators are actively participating in the controlled heatup of the reactor coolant system from cold shutdown to hot shutdown. The likelihood that the operators fail to respond to the overpressure annunciation is assumed to be bounded above by the probability in the RSS that extreme stress situation, i.e., P5 < 10- 1, RSS Table III 6-1),

andboundedbelowbytheprobabilitythatanoperatorfails to follow procedures, i.e., after Fullwood, P5 > 10~ ,

et al. Failure of the overpressure annunciator itself is much less likely than the event that the operators fail to respond to the alarm, so the inclusion of this event does not alter the value of PS.

This completes the assessment of probabilities in the fault tree, Fig. 4. The algebraic expression for the rate of occurrence of DHR overpressure due to startup with the by-pass open and a summary of the event probabilities is shown in Table 5.

3. Valve Confusion Operators dispatched to enter containment to verify or alter valve alignment might select the wrong valves and open the bypass.

Table 3 contains a list of all manual valves in containment of 4-inch nominal line diameter or larger. Note that there is no other case, exclusive of the bypass, in which two large manual valves are arranged in series. No other valves in the plant are locked with a chain and padlock. There are 21

TABLE 5

SUMMARY

OF MATHEMATICAL MODEL AND DATA IN THE EVALUATION OF THE FREQUENCY OF DHR OVERPRESSURE ASSOCIATED WITH STARTUP FROM COLD SHUTDOWN The algebraic expression for the frequency of overpressure inci-dents is:

A =A xP xP xP xP 3 2 3 g 5 where the variables are:

Varidble Probability Interpretation

^1 3x1010.5/yr Frequency of startup from cold shutdown P varies

• Probability that the bypass is opened 2

during cold shutdown P varies

• Probability of a failure to close the 3

bypass before startup P 10 -5.010.5 Probability of pressure relief valve failure 4

(PSV 4849)

P 10 -2.0 1 1.0 Probability that operators continue heatup 5

despite overpressure alarm

• Probabilities noted as varying depend upon design or procedural option being considered. See text for probability estimates.

22

no manual valves in containment which require realignment when the RCS is pressurized. Therefore, there is very little potential for the bypass valves to be opened inadvertently due to operator confusion of valves.

The valves which most closely resemble the DHR bypass isol6>

tion valves, DH21 and 23, are the valves DH88 and DH90.

These four are the only 8-inch manual valves in containment, each have "DH" labels, and all but DH90 may be reached from the 565-foot level of containment. Access to DH88, like DH21 and 23, requires passage by an open steam generator cavity mouth. However, there are many distinguishing fea-tures. The piping runs horizontal in tr azimuthal orienta-tion and has bypass valves which are 1 n.at over the floor (specifically the valve pit seal at El. 565'), covered with reflective insulation, and are in close series configuration.

DH88 is on the other side of the fuel transfer pit, is 13-1/2 feet above the floor, and is in the radial, hori-zontal configuration, very close to the penetration. DH90 is vertical and close to the fuel transfer pit wall, 22 feet above the 565-foot floor level. It is approached from the 585-foot level.

Neither DH88 nor DH90 will require realignment when the plant is above cold shutdown. As they control fill / drain for the refueling pool and in-core instrumentation tank, they are opened only during refueling. DH88 serves as a containment isolation valve. If it were left open and the error were detected in the startup valve alignment check list, a contain-ment entry would be made to close the valve. The risk that the bypass might be opened by mistake due to confusion of DH88 with the bypass isolation valves DH21 and 23 is negli-gible because 1) realignment of DH88 while the unit is above cold shutdown will be a very rare event, 2) DH88 is dis-similar to the bypass valves in appearance, orientation, lo-cation, and in neighboring equipment, and 3) it is very un-likely that an operator intending to close and lock one valve would open two valves even if he mistakenly selected the wrong valve.

Other manual valves in containment are even less likely to be confused with the bypass valves, or result in inadvertent opening of the bypass. Among the 6-inch valves, DH92 is in an inaccessible location and need never be realigned while the unit is above cold shutdown. The 6-inch component cooling water (CCW) valves are isolation valves on the CCW lines supplying the reactor coolant pumps. They are located in the steam generator compartments. The 6-inch service water (SW) valves are isolation valves mounted on the containment air coolers.

Most of the 4-inch valves are also CCW isolation valves near the reactor coolant pumps or the letdown heat exchangers. The 23

remainder of the 4-inch manual valves serve as isolation valves on the containment hydrogen dilut _on system lines. None of the valves under 4-inch line diameter requires realignment while the unit is above cold shutdown.

4. Operator Panic Operators working in the vicinity of the bypass might panic in response to what they perceive as a small LOCA or tran-sient and open the bypass.

The potential for this scenario has been assecsed with the aid of a THERP tree, Fig. 5. The frequency of events that might induce panic in operators within containment was assessed as follows:

a. Pressurizer relief incidents A transient with the potential to lift a pres-surizer electromatic relief valve may be expected roughly t hree times per year. At least two oc-currences of a failed open pressurizer electro-matic relief valve have occurred at commercial PWRs. These frequencies were used as upper and lower bounds for the frequency of pressurizer relief incidents with the potential to panic personnel in containment, i.e.,x pp , 0.3 x 10#3 /yr.

b. Failed rea-Tor coolant pump seal A sudden, complete failure of a reactor coolant pump seal is assumed to occur no more frequently than once in ten years and no less than once in 1000 years, i.e.,x pg = 10-211/yr.

c. Small line breaks Basin and Burns (Ref. 3) cite a frequency of pipe failures of one in three years for PWRs, of which slightly over half are detected in inspection and roughly three out of four occur outside containment.

From this we infer a failure rate for audible breaks in containmant of A

LB = .33 x.5 x .25 = .4 x 10-2.01 5 An uncertainty band of one order of magnitude is assumed.

Combining these estimates we arrive at a frequency of events with the potential to panic personnel inside containment given by A p

= 4 x 10-1.011.0/yr.

24

f FIGURE 5

• THERP TREE: OPERATORS NEAR DHR SUCTION BYPASS AT THE MOMENT OF A PERCEIVED LINE BREAK PANIC AND OPEN THE BYPASS FLANGE INSTALLED s , AND CLOSEG

- >OTHER VALVES

' ~SE L EC T E D PE 7 s

ERROR CORRECTED PANIC RESULTING KEY IN HANt, P1 1 IN VALVE p REALIGNMENT R ESPONSE P

3 OR >

OPERATORS NE AR DHR

, SUCTION BYPASS AT LOC K & CH AIN IN BYPASS VALVES PL ACE, F L ANGE OPS BRE Ah. LH AIN

' MOMENT OF APPARENT ' OH21 & 23 OPS OPEN BOTH ABSENT OR OPE N ' P = 10 2t1 m

LINE BREAK SELECTED P = (1 P g1 m P p VALVES P P = 0.1 x 1010'5 A= h m P9 mPy 4

, i t IGHT RESPONSt PI 1 LOCK PREV ENTS OPENING 1

u OPS OPEN BOTH VALVES P = 0.3 x 10 LOCK &

ChtAIN ABSENT FLANGE ABSENT /OR' OPEN

. ,Q EVENTS NOT LEADING p.p ap, TO OPENED Bv74SS

=W EVENTS LEADING TO OPENgNG BYPASS ERROR CORRECTED PI1

It is difficult to assess the probability that the contain-ment might be occupied when such an event takes place.

Bechtel has compiled experience data suggesting that the average containment occupation factor for operating PhRs is of the order of one percent, with very broad variation from plant to plant. A positive association can be expected between trips and subsequent containment entries to investigate the f ault. However, the delays entailed in the health physics constraints on containment entrance should diminish this effect, as most trip-induced failures can be expected to occur before the containment is entered. We have elected to use a conservative estimate of the probability that containment is occupied at the time of a potentially panic-inducing event given by P)= 0.1 x 10il' where the very broad uncertainty factor was derived f rom the variance in the experience data for containment occupation during PWR operation.

Since the realignment of the DHR bypass is an irrational response to a release into containrent, it was assumed that the potential for this error exists only if the personnel are in the vicinity of the bypass at the time. In light of the very high radiation levels in the neighborhood of the bypass, and the f act that there is very little equipment which might require examination there, it was assumed that there is no more than one chance in 10 and no less than one chance in 1,000 that personnel are near the bypass while the unit is above cold shutdown and containment is occupied. That is, the probability that personnel are near the bypass is P=

2 10-211 ,

In the event that personnel are near the bypass, which is adjacent to the emergency sump, at the time of a perceived line break the most probable response is flight. We estimate that hysterical valve realignment would take place in no more than one in 10 instances and no less than one in 1,000, i.e.,

P3 = 10-211 ,

The bypass valves might be more likely to attract the attention of panicked p.ersonnel because of their manifest size and im-portance, but a highly focused, concerted effort is required to open these valves even if there is no lock or flange secur-ing the bypass.- There fore , a probability given by P= 10 -1.010.5 4

26

has been inserted into the analysis to account for the likeli-hood that DH21 and 23 are selected by personnel panicked into irrational valve realignment. It is assumed that if a spec-tacle flange is installed and closed the bypass will not be opened by panicked personnel. The task of realigning the flange is too time-consuming to be the response of a panicked in-dividual. However, if only a lock and chain secures the by-pass, panicked personnel might open the bypass if the key is in their possession or if tools are handy with which to break the chain. The assessments of the probability that the flange is missing or open and that the operator has the key on his person were described in Section 1 above. The same values are used in this analysis.

The probability that an individual panicked into an attempt to open the bypass breaks the chain with tools in hand was taken to be no greater than 0.1 and no less than 10-3, i.e.,

P= 10 ~ 21

• Finally, the THERP tree includes factors describing a finite probability that a panicked individual completes the opening of the bypass valves, given that they are unlocked or he has removed the lock and then starts to open the valves. The valves can be expected tc be quite stiff. It will take one minute or more to open each valve. This provides an opportunity for the panic to subside or for the operator to change his mind and flee. In addition, audible blowdown from the pres-sure relief valve, PSV 4849, into the adjacent emergency sump as the bypass begins to open will provide a stimulus to the panicked operator indicating that he is making things worse rather than better. Therefore, we have assigned a probability in the range 0.15 P 51.0 that the operator stops short of opening the bypass if the valves are initially unlocked, and 0.03s P50.3 if the valves are initially locked. In the event that the panicked man unlocks the valves or cuts the chain, one might expect him to be more strongly committed to opening the bypass. Howevel, these steps require additional time and coordinated, focused effort neither of which is consistent with a panic response.

A summary of the probability estimates and the algebraic ex-pression for the frequency with which panic may result in DHR overpressure is shown in Table 6.

Results and

Conclusions:

The mathematical models describing the three event sequences leading to DHR overpressure were evaluated individually with 27

e TABLE 6

SUMMARY

OF MATHEMATICAL MODEL AND DATA IN THE EVALUATION OF THE FPIQUENCY OF DHR OVERPPISSURE IN CONTAINMENT ASSCCIATED WITH PANIC OF PERSONNEL The algebraic expression for the frequency of overpressure incidents is:

xPB+ I~7I* x (Pg+P10' *I11' A=

(23+A2 #AI*P 4xP12

• I5*I6 3

x (P 3 13 where the variables arer Probability Interpretation Variable c x10 -1.011.0 Frequency of pressurizer relief incidents x3 10

-2.0 O Frequency of PCP seal f ailure

^2 A 4x 0- .010.5 Fregaency of pipe failure in containrent 3

10 -1.011.4 Probability huran occupatien of containment Pg (above cold shutdown) 0 -2.011.0 Probability personnel realign s'alves in panic T

5 varies

• Probability panicked personnel elect to realign P

6 bypass valves given 5 above varies

• Probability that lock and chain are absent P

7 and flange is open or absent 3x10

-1.01p.5 Probability operator completes opening of bypass Pg given no lock varies

• Prchability operator has key in his possessien P

9 10~2'011.0 Probability operator cuts chain with tools at P

10 hand 10

-1.01p.5 Probability operator completes opening of by-P 33 pass given lock present 10- .011.0 Traction of containment eccupaticn tire in-P 12 volving personnel near bypass (above cold shutdown) varies

• Probability lock and chain in place and flange T absent or open 13 Probabilities noted as varying depend upon the design or procedural option being consideret.

.ee text for these probability estimates.

28

s the SAMPLE code for the case of the present bypass design and operating procedures. The results are tabulated below.

TABLE 7 TS FOl'FN CY (PER YEAR) of DHR OVEPPRESSURE EVENTS DUE TO THE TPRONTnt'S OPENING OF THE DHR SUCTION BYPASS, 1.S PRESENTLY DFAIGNTD AND OPERATED Confidence level __

__ Event Sequjnee (Percent) TFW G h 9 Paintey nce Startup with Pypass Open Pan 1_c

~ -10 -6 A9 1.4 x 10 " 5.6 x 10 7.5 x 10

~b -10 05 3.9 x 10 1.9 x 10 8.2 x 10~

-5 -10 on 2.1 x 10 1.0 x 10 3.0 x 10~

-8 75 6.0 x 10 3.3 x 10" 5.5 x 10

-12 -9 50 2.0 x 10 9.6 x 10 5.4 x 10

~0 25 6.1 x 10~ 2.3 x 10~ 8.6 x 10

~3 -0 10 2.0 x 10' 6.7 x 10 1.5 x 10

~7 ~I3 4.1 x 10~

5 1.3 x 10 1.9 x 10 9.0 x 10

~2 3.9 x 10~

Meilan Point 1.3 x 10

-II Distribution Fean 1.0 x 10 4.8 x 10 4.9 x 10 It is clear from the results in Table 7 that no unacceptable risks are posed by either a bypass left open at startup or a bypass possibly being opened by personnel panicked by a line break or transient. The frequency of these event sequences is well below any of the criteria proposed or now in use for exclusion of events from consideration as design basis accidents.

The case of pressure relief valve maintenance requires closer examination. Relief valve maintenance will take i.e., place while the RCS is being pressurized or depressurized, between hot shutdown and cold shutdown. No credit was given in the analysis of this scenario for 1) the possibility that the RCS pressure may be below the design pressure of the D11R, 450 psig, 2) even if the RCS pressure is above 450 psig, it is unlikely to be much higher; therefore, the 29 I -

pressure relief valve may suffice to keep the DHR pressure below 450 psig, 3) the DHR may tolerate pressures in excess of the design pressure, 4) the operator erroneously opening the bypass may be stimulated to close the valves by the audible blowdown of the pressure relief valve into the adjacent emergency sump, or 5) the reduced risk of a major release of radioactivity due to the fact that the reactor is likely to have been shut down for a long time. It is justifiable to assume that there is a very small probability of a violation of 10 CFR 100 dose limits or the occurrence of an overpressure incident leading to an interfacing systems LOCA if the bypass is inadvertently opened while the pressure relief valve is being serviced.

In light of the extremely low occurrence rate for DHR over-pressure due to all scenarios except maintenan :e on the pres-sure relief valve, and in light of the mitigating factors that are present when maintenance on the pressure relief valve is performed, we conclude that the present bypass design and operating procedures provide ample protection to assure the health and safety of the public.

A spectrum of design and procedural options for the DHR suction bypass was also evaluated. The results are shown in Table 1. These results include all scenarios leading to DHR overpressure, due to the inadvertent opening of the by-pass, but in each case maintenance on the pressure relief valve, PSV 4849, is the dominant contributor. Note that the presence of a sign or tag on the valves saying "DO NOT OPEN" does not result in a significant reduction in the probability of DHR overpressure. This is due to the fact that there are already numerous factors serving as clues to plant personnel that it is an error to open the bypass when the RCS is above the DHR design conditions. The value of one further clue, the sign, is attenuated by the effect of common-mode error. It is interesting to note that increasing the strin-gency of procedural controls is actually more effective in reducing the risk than changes in the hardware.

The presence of a normally closed spectacle flange on the bypass tends to reduce the frequency of inadvertent DHR over-pressure by one order of magnitude below the frequency that would obtain with the same operating procedures but no flange installed. That the benefit of the flange is not greater can be traced to the fact that erroneous opening of the bypass is most likely to take place where the individual making the error has the idea of opening the bypass quite firmly fixed in his mind. The purpose of the bypass is to enable the DHR to function in the event that one of the motor-operated valves on the principal DHR suction line fails to open.

30

o

, The presence of the normally closed spectacle flange would make it more difficult and time-consuming to start the DHR in the event of such a failure. Since the positive benefit of the flange is only a factor of 10 reduction in an already very small risk, we believe that it is not desirable to install a flange on the DHR suction bypass line.

The results indicate that more restrictive procedural con-straints on access to the keys for the lock (s) securing the bypass valves can be more effective than the flange in re-ducing the likelihood of inadvertent opening of the bypass.

In conclusion, the present bypass design and operating pro-cedures provide sufficient prote tion against the possibility of an overpressurization event 1.66ing to an interfacing systems LOCA due to the inadverte..t opening of the bypass.

However, Toledo Edison proposes to implement the use of a lock with a unique key to secure the bypass valves, as this has been shown to improve safety.

References

1. Reactor Safety Study WASH-1400 (NUREG 75/014)

U~S NRC, October 1975.

2. Fullwood, R.R., and Gilbert, K.J., "An Assessment of the Impact of Human Factors on the Operations of the CRBR SCRS," Science Applications Inc., SA1-010-76-PA, August 1976.

3. Basin, S.L., and Burns, E.T., " Characteristics of Pipe System Failures in Light Water Reactors," EPRI NP-438, August 1977.

4. Swain, A.D. "A Method for Performing a Human Factors Reliability Analysis," Sandia Labs SCR-685, 1963.

5. Swain, A.D. "THERP" Sandia Labs SCR-64-1338, 1964.

31

. .