ML060240389

From kanterella
Revision as of 23:01, 23 November 2019 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Final Precursor Analysis - Palo Verde 1, 2, 3 - Emergency Core Cooling System Piping Voids May Have Prevented Fulfillment of Safety Function
ML060240389
Person / Time
Site: Palo Verde  Arizona Public Service icon.png
Issue date: 11/29/2005
From:
NRC/RES/DRAA/OERAB
To:
Shared Package
ML060240240 List:
References
LER 04-009-00
Download: ML060240389 (44)


Text

Final Precursor Analysis Accident Sequence Precursor Program -- Office of Nuclear Regulatory Research Emergency Core Cooling System Piping Voids May Have Palo Verde 1, 2, 3 Prevented Fulfillment of Safety Function Event Date 7/30/2004 LER 528, 529, 530/04-009 )CDP 1.4E-5, per Unit November 29, 2005 Condition Summary On July 30, 2004, the licensee became aware of a voided condition in a section of ECCS recirculation piping in all 3 Units, such that both ECCS trains in a Unit were affected (Reference 1). Specifically, the section of recirculation piping between the closed inboard containment isolation valves and the associated train sump recirculation check valves (downstream of the outboard containment isolation valves) were void of water, for both ECCS trains. The relevant air volume was about 100 ft3 per train. Of this volume, approximately 90 ft3 of air was caught between the inboard and the outboard containment isolation valves, with the remaining 10 ft3 existing between the outboard containment isolation valve and the train sump recirculation valve.

As a compensatory measure, it was determined that an operator opening the inboard isolation valve on the containment spray signal in a LOCA event would lead to a condition with only 10 ft3 of air in the affected piping section, as the space between the containment isolation valves would fill with water in post-LOCA conditions. This was deemed to be acceptable from the standpoint of avoiding air binding the pumps, and contingent directions were given to operators in case of a LOCA. The permanent solution to the problem was effected subsequently, as by August 4 all 3 Units relevant sections of recirculation piping were filled with borated water.

The voided condition apparently persisted since 1992, when a modification to the recirculation piping leak testing procedure was put in place without proper analysis. This modification involved draining the recirculation piping section, each time the leak test with demineralized water was completed. In addition, even prior to 1992, quarterly stroke testing of the containment isolation valves left part of the suction piping in the partially voided condition.

Thus, the analysis will consider the one year period prior to discovery of condition, as per ASP program convention (Reference 2).

Other events in this (1 yr) time period that may have a bearing on consideration of this event:

1) Exceeding the maximum licensed core power level (Reference 3): It will be assumed that the 1% additional power will not materially affect the safety systems success criteria because the safety systems success criteria are based on conservative analyses.
2) Small RCS leakage (Reference 4): Operational events like this are below the leakage threshold for the small LOCA and therefore would not cause a change in the small LOCA initiating event frequency.
3) Increased primary to secondary steam generator tube leakage (Reference 6):

Operational events like this are already included in the SGTR frequency evaluation.

1

LER 528, 529, 530/04-009

4) 3-Unit LOOP already analyzed in ASP project (Reference 7): The two ASP analyses are treated as independent, i.e., the effects will be additive, as different event trees are predominantly analyzed (MLOCA in this analysis, LOOP in the above described event).

Analysis Results

! Conditional Core Damage Probability (CCDP)

The Table below shows the CCDP uncertainty distribution.

CCDP 5% Median Point Mean 95%

Estimate All Units 2.5E-6 1.3E-5 2.1E-5 2.3E-5 7.4E-5

! Importance ()CDP)

This event was modeled by failing with a certain probability the high pressure recirculation function in MLOCA sequence 4 and disabling the high pressure recirculation function in most other event trees except the large LOCAs. The MLOCA HPR failure probability was varied.

The best estimate impact of this event (point estimate) from internal initiators, per Unit, is found to be:

)CDP = CCDP - CDP = (2.1 x 10-5) - (7.2 x 10-6) = 1.4 x 10-5 The Table below shows the bounding estimates for the )CDP, based on varying the impact of the voiding condition on the ability to mitigate a medium break LOCA. The lower bound assumes that both the medium and large break LOCAs can be mitigated with nominal recirculation functional unavailability. The upper bound assumes that only the large break LOCA is mitigated with nominal recirculation functional unavailability.

SDP )CDP point estimates, internal events, each Unit lower bound upper bound 3.7E-6 4.4E-5 Note that the risk contribution from external events is not included in the above estimates.

2

LER 528, 529, 530/04-009

! Dominant Sequences The dominant accident sequence contributes 74% of the internal events )CDP and is shown graphically in Figure D-1 of Appendix D. The sequence is MLOCA sequence 4.

The events and important component failures in MLOCA sequence 4 are:

! initiator MLOCA (medium LOCA) occurs;

! success of RPS (reactor protection system);

! success of SIT (safety injection tanks);

! success of HPI (high pressure injection);

! failure of HPR (high pressure recirculation).

Results Tables

! The conditional probabilities for the dominant sequences are shown in Table 1.

! The event tree sequence logic for the dominant sequences are presented in Table 2a.

! Table 2b defines the nomenclature used in Table 2a.

! The most important cut sets for the dominant sequences are listed in Table 3a and 3b.

! Definitions and probabilities for dominant or modified basic events are shown in Table 4.

Modeling Assumptions

! Analysis Type This event is analyzed as a condition event assessment involving event trees utilizing high pressure recirculation and/or CS recirculation.

Due to significant phenomenological uncertainties, this current analysis draws many of its modeling assumptions from the SDP analysis that was performed for this event. The SDP analysis presents a range of results, with the upper bound probably conservative and the lower bound probably optimistic. The reader is referred to References 2 and 8 for a fuller discussion of the SDP methodology and results.

Appendix A shows a summary background on the SDP considerations and possible modifications to both the SDP analysis and to this ASP best estimate analysis.

Appendix B shows the human interactions considerations inherent therein.

For the best estimate of the condition assessment, an expert elicitation procedure was utilized to obtain the HPSI pump failure probability due to air binding. This is presented in Appendix C.

3

LER 528, 529, 530/04-009

! Unique Design Features This is a 3-Unit site with Combustion Engineering Units of approximately 1,300 MWe each. The unique design features which have a bearing on the analyzed event modeling are listed below.

No feed and bleed capability. The pressurizer contains four safety relief valves (SRVs) with a set pressure of 2475 psia and no PORVs. The safety relief valves are direct acting, spring-loaded safety valves meeting ASME Code requirements (Reference 9, Section 5.4.13). This adds a challenge to RCS depressurization and plant decay heat removal by alternative means.

There are only two high pressure injection pumps per Unit at this plant. Unlike many other CE plants with 3 HPI pumps (with one of them serving as an installed spare),

this configuration will tend to eliminate both working pumps in a postulated air binding event, if certain conditions (e.g., flow rates) are met.

Switchover to recirculation is automatic. The two modes of operation, injection and recirculation, are automatically initiated by a Safety Injection Actuation Signal (SIAS) and a Recirculation Actuation Signal (RAS) respectively. Operator action is only required to close the RWT discharge valves after verifying the sump discharge valves have operated after receiving a RAS. (Reference 9, Section 6.3.2.7)

Three pumps per train are serviced by a single recirculation line. HPI, LPI and CS pumps of each train are connected in parallel to a single recirculation line from the containment sump. Thus, the air bubble will affect all 3 pumps, but also operation of multiple pumps will tend to mitigate its effects.

High pressure recirculation is preferred, low pressure recirculation available as a backup. Upon recirculation switchover, high pressure injection pumps are used for recirculation function, even for large LOCAs. The LPI pumps are secured if having run in the injection phase. If high pressure recirculation fails, operator procedures direct employment of LPI pumps, if conditions allow (Reference 10, Section 4.2.6).

Palo Verde operates with relatively high boric acid concentration during the ECCS operation in LOCAs. Relative to most other plants the boric acid concentration is high, thus the post-LOCA precipitation control is essential.

Only high pressure pumps can inject into the hot legs for boron precipitation control. A few hours after a large or medium LOCA event, recirculation needs to be switched from the cold legs to the hot legs in order to control precipitation of the boric acid. At Palo Verde, only HPI pumps can be aligned in this manner.

Boron precipitation control (Long term Cooling) is essential for large and medium LOCAs. Long Term Cooling (LTC) is initiated when the core is quenched after a LOCA and is continued until the plant is secured. The objectives of LTC are to maintain the core at safe temperature levels and to avoid the precipitation of boric acid in the core 4

LER 528, 529, 530/04-009 region. According to the FSAR, one of two procedures are used, depending on the break size. Shutdown cooling is initiated if the break is sufficiently small. Otherwise, simultaneous hot and cold side injection is used to maintain core cooling and boric acid flushing (Reference 9, Section 6.3.3.4). For these larger breaks long term core cooling is manually initiated at approximately 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> post-LOCA at which time the hot leg injection valves are opened to provide simultaneous hot and cold leg high pressure safety injection, which results in a circulation flow though the core (Reference 9 Section 6.3.2.7). Both the IPE (Reference 10) and the Palo Verde SPAR model (Reference 11) assume that core damage results if boric acid precipitation is not controlled via hot leg injection, in large and medium LOCAs. Precipitation of boric acid crystals may impede coolant flow and heat transfer in the core.

There are two hot legs and 4 cold legs, with two relatively oversized steam generators and 4 RCPs. See Reference 9, Section 5.4.3.2 for a description of the reactor coolant piping. This has a bearing on boron precipitation considerations (cold leg breaks will tend to induce conditions conducive to boron precipitation) and on the challenge probability of SRVs post various initiating events (in conjunction with lack of PORVs, the relatively large size of the steam generators (relative to the reactor thermal power produced) will tend to depress the SRV challenge probability which may have important effects on the lower bound and the best estimate of the event evaluation in this case).

Containment heat removal is needed in recirculation. Containment spray recirculation systems have heat exchangers for decay heat removal which are lacking in the core injection recirculation systems. Thus, for decay heat removal, containment spray recirculation must operate after recirculation switchover.

! Modeling Assumptions Summary Key modeling assumptions. The key modeling assumptions are listed below and discussed in detail in the following sections. These assumptions are important contributors to the overall risk.

S The condition duration is assumed to be 8766 hours0.101 days <br />2.435 hours <br />0.0145 weeks <br />0.00334 months <br />. The NRC Special Inspection Report (Reference 2) found that the piping between the containment sump inboard and outboard isolation valves had been drained every 18 months, during refueling outages, to support a leakage surveillance. Following the surveillance, the procedure directed draining the piping. The inspection team found that the instructions to drain the piping were added to the surveillance procedure during a revision in 1992. The inspection team also notes that every quarter the licensee strokes the containment sump isolation valves in accordance with an inservice test procedure. This procedure allowed water to flow into the containment sump from the suction piping while the inboard containment sump isolation valve was open. Since both procedures have been present for greater than one year, a full year exposure is used as the condition duration.

S For small LOCAs and non-LOCA initiating events, on recirculation switchover, the HPI pumps will fail due to air binding and will not be 5

LER 528, 529, 530/04-009 recoverable. Recirculation sump void testing (Reference 12, page 25) found that the degraded HPSI pump would develop sufficient discharge head to maintain flow to the RCS for all break sizes except for the smallest beaks less than 2". As a result, the licensee revised their PRA model by inserting a failure of the HPSI pumps at RAS (failing the high pressure recirculation function) for small-break LOCA events due to air binding. The final SDP (Reference 8) states that because the failures were limited to only the most severe conditions on the pumps, the licensee assumed that the pumps would not be recoverable.

S For medium LOCAs, on recirculation switchover, the HPI pumps are assumed to have a 0.26 likelihood of failure. This estimate is based on expert elicitation described in Appendix C. HPI pump failures during medium break LOCAs were also considered not recoverable.

S For large break LOCAs, on recirculation switchover, the HPI pumps are assumed to have their nominal failure probability. The Final Significance Determination (Reference 8) concluded that the licensees assumption that the risk from large-break LOCAs was not affected by the piping void issue was appropriate. The licensees assumption was based on the results of their recirculation sump void testing (Reference 12) that found that the degraded HPSI pump would develop sufficient discharge head to maintain flow to the RCS for all break sizes except for the smallest breaks less than 2". Note that the SDP and the expert elicitation took exception to the lack of degradation during medium break LOCAs.

S High pressure recirculation is necessary for medium and large LOCAs.

Due to the RCS pressure at recirculation switchover in medium LOCAs and the necessity to control boron precipitation (which only HPI can do via hot leg injection - see boron precipitation control in the Unique Features section above), medium and large LOCAs require the use of the HPI pumps in the recirculation phase.

This is further supported by the licensees IPE. Section 4.2.6 of the IPE (Reference 10) states: If HPSI recirculation fails for reasons other than failure of the containment sump valves, the LPSI pumps can be used to perform the same function once RCS pressure is sufficiently low. Since RAS shuts down the LPSI pumps. Operator action is required to restart at least one pump. For the small LOCA initiating event, operator action to rapidly cooldown and de-pressurize the RCS is also necessary for utilization of LPSR. The only other event in which LPSR is credited is Large LOCA, where its use is of limited value since LPSI cannot provide hot-leg injection.

S SRVs are assumed to be challenged during events where auxiliary feedwater is lost. The valves are also assumed to have a reduced challenge on auxiliary feedwater success. As stated in the Final Significance Determination (Reference 8), the licensees probabilistic risk assessment model indicates that the pressurizer safety valves would not open if the auxiliary 6

LER 528, 529, 530/04-009 feedwater function is successful and that they would always open if the auxiliary feedwater function is not successful. The SDP analyst agreed with the dependency on failure of AFW but did not agree that safety valves would never open given a success of the auxiliary feedwater function. This current analysis assumes the same screening value of 2.0 x 10-3 used in the SDP as the probability the safety valves open during a transient with successful auxiliary feedwater injection. This value was justified because there are no actuation circuits that could inadvertently open the valves below setpoint and the safety valve setpoints at Palo Verde are significantly higher than the anticipatory pilot-operated relief valve setpoints at other plants modeled. Additionally, the SPAR documentation invokes the oversize steam generators as an additional reason to potentially reduce the SRV challenge probability. Table 5.5-4 of Reference 13 shows about a 100 psid between these setpoints for the fleet of C-E plants. This is further supported by the SPAR model documentation (Reference 11). Section 3.2.2.2 states: Palo Verde only has SRVs. The SRV setpoint is approximately 150 psig higher than PWRs that have a combination of PORV/SRVs. Further, the steam generators at Palo Verde are larger capacity the typical PWRs. The effects of the larger capacity tends to dampen the effects of transients. As a result, the effect of transients on the frequency of SRV opening is different than plants equipped with PORVs that have lower relief setpoint. Palo Verde grouped transients into several categories based on the transient effect on SRV opening. The groupings are SRVs not challenged, SRVs not challenged initially but in subsequent mitigation, and SRVs initially challenged. The SPAR model used for SRV quantification is assumed to represent a weighted average of the SRVs opening and failing to reclose of the Palo Verde transient categories.

S Impact of water hammer was not considered. The HPI, CS and LPI pumps, piping and associated supports could have been subjected to the effects of water hammer due to the presence of the voided condition. Such considerations will not have a significant impact on the best estimate and lower bound evaluation.

Other assumptions. Other assumptions that have a negligible impact on the results due to relatively low importance include the following:

! The HPI pumps will not be permanently affected in large LOCAs recirculation, due to the high flow rate clearing the bubble from the pumps.

The staff concurred that the licensees testing showed that as break size increased, the probability of failing the HPSI pumps decreased and concluded that the licensees assumption that the risk from large-break LOCAs was not affected by the voiding was appropriate (Reference 8).

S The CS and LPI pumps will not be permanently affected by the air bubble passage in any accident with recirculation. Tests were conducted on an representative CS pump (Reference 12) that concluded that the voided pipe condition does not have a significant impact on Containment Spray pump functionality. Although the NRC staff determined that the were a significant number of concerns related to the applicability of the licensees testing, it 7

LER 528, 529, 530/04-009 determined that most of these concerns would have a greater impact on the HPSI pumps and assumed that the licensees assumption was correct (Reference 8). For the LPSI pumps, when the refueling water tank level decreases to approximately 10 percent, a recirculation actuation signal (RAS) automatically stops the low pressure safety injection pumps and transfers the HPSI and CS pumps suction source to the containment sump. Therefore the LPI pumps will not be operating during the initial voided condition (Reference 2).

In addition, the LPI pump is very similar in design and size to the Palo Verde CS pump (Reference 12, page 5). Therefore, if the LPI pumps are used for injection following depressurization, it is expected that their effectiveness would be similar to that of the CS pumps and would have the added benefit of the void clearing that had been accomplished by the operation of the HPI and CS pumps (Reference 2, D-1).

! Fault Tree Modifications Fault tree HPR was modified to add events HPR-SWITCH-MLOCA and HPR-SWITCH.

Event HPR-SWITCH disables the HPR function in SLOCA and transient/special initiator/LOOP events, thus simulating air binding of the pumps. The event HPR-SWITCH-MLOCA sets the HPR failure probability in MLOCAs, due to air binding of the HPI pumps. See Figure D-2 and D-3 in Appendix D.

! Basic Event Probability Changes Table 4 provides all the basic events that were modified to reflect the best estimate of the conditions during the event. The basis for these changes are provided below:

HPR switch event for MLOCAs (HPR-SWITCH-MLOCA). This event represents the failure probability of the HPI pumps due to the air in the recirculation piping in response to a medium break LOCA. It is based on expert elicitation for the best estimate as described in Appendix C and was varied in the sensitivity analyses from the nominal value to guaranteed failure due to air binding. Note that both HPR trains are assumed to fail together (perfect coupling) due to air binding.

HPR switch event for other initiators (HPR-SWITCH). This event was added to the HPR fault tree to simulate the air binding of the HPI pumps in SLOCAs, transients, special initiators and LOOPs. In the default case it is set to FALSE and has no effect on base case evaluation. When set to TRUE, it disables the HPR top event (sets the HPR top event to TRUE). It is thus set to TRUE in the event evaluation. Note that in the SDP evaluation, another event, HPR-MOV-CF-RWT is set to TRUE. However, this latter event disables all three recirculation functions (HPR, LPR and CSR). The HPR function needs to be considered separately, due to postulated higher impact on the HPI pumps, vs. the LPI and the CS pumps. (The difference between the two evaluations due to this effect is relatively minor, a little over 10% in )CDP).

SRV challenge probability in transients and LOOPs (PPR-SRV-CO-TRANH and PPR-SRV-CO-L). These events were changed in the base case SPAR model based on comments in the SDP analysis (Reference 8) about the lesser probability of SRV 8

LER 528, 529, 530/04-009 challenge vs. PORV challenge in plants so equipped. In Reference 8, the NRC concurred that the value used in the SPAR was too high because Palo Verde units do not have pilot-operated relief valves. There are no actuation circuits that could inadvertently open the valves below setpoint, the steam generators are relatively large, and the safety valve setpoints at Palo Verde are significantly higher than the anticipatory pilot-operated relief valve setpoints at other plants modeled. Consistent with Reference 8, Event PPR-SRV-CO-TRANH was set to 2.0E-3 (one order of magnitude below the value in the SPAR model). PPR-SRV-CO-L, SRVs open during LOOP, was also reduced by a factor of 10 consistent with the treatment used in the transient analysis.

Note that logic was not added to guarantee challenge of the SRVs on AFW failure. A review found that the potential contribution from these types of sequences was very small and its inclusion would not change the risk significance of this event. Additionally, the SPAR model requires success of condensate system on AFW failure for all non-LOCA, and non-LOOP initiators, which may help in reducing the SRV challenge probability. In LOOPs, SLOCA and ATWS events, failure of AFW directly leads to core damage. The SBO SRV challenge probability was kept unchanged from its original SPAR value (0.37).

! Other events in this (1 yr) time period that may have a bearing on consideration of this event:

1) Exceeding the maximum licensed core power level (Reference 3): On July 14, 2004, during a review of historical operating data, Engineering concluded that the maximum Palo Verde specific calorimetric error was approximately 38.76 MW in Units 1 and 3 and 39.90 MW in Unit 2 or approximately 1 per cent (1%) . The error resulted in core power levels above the Operating License limits of 3876 MW thermal for Units 1 and 3 and 3990 MW thermal in Unit 2 while the ultrasonic flow measurement (UFM) instrument was in service . The non-conservative feedwater flow input to the secondary calorimetric calculation had been in place in Units 1 and 3 since 1999 and in Unit 2 since 2000.

Effect on this ASP analysis. It will be assumed that the 1% additional power will not materially affect the safety systems success criteria because the safety systems success criteria are based on conservative analyses.

2) Small RCS leakage (Reference 4): On February 3, 2004 at approximately 1418 MST, Unit 1 operations personnel became aware of a non-isolable reactor coolant system (RCS) pressure boundary leak from a drain valve (SIA-V056) off of a high pressure safety injection line which is connected to the RCS Loop 1 hot leg. The source of the estimated 1 to 2 drops/second leak was a crack in a socket weld on the upstream side of the one-inch drain valve. At the time of discovery, Unit 1 was in Mode 1 (Power Operation) at 99 percent power at normal RCS temperature and pressure. A manual reactor shutdown was commenced at 1535 MST in accordance with Technical Specification and Technical Requirements Manual Limiting Conditions for Operation (LCO) 3.4.14 (RCS Operational Leakage) and TLCO 3.14.103 (Structural Integrity).

Effect on this ASP analysis. Operational events like this are below the leakage threshold for the small LOCA and therefore would not cause a change in the small LOCA initiating event frequency. Note that another leakage event was discovered on February 29, 2004 9

LER 528, 529, 530/04-009 (Reference 5) at Unit 3 while in Mode 3 (hot standby). The event was boric acid deposits on a pressurizer heater sleeve.

3) Increased primary to secondary steam generator tube leakage (Reference 6): At 15:22 Mountain Standard Time (MST) on 2/19/04, the Control Room staff received ALERT radiation level alarms from the Main Steam Line N-16 Radiation Monitors, RU-142, channels 1 and 2 indicating there was primary to secondary leakage in Steam Generator
  1. 1, and entered the Excessive RCS Leak rate procedure. At 15:38 MST, the ALERT radiation level alarm was received from the Condenser Air Removal System Radiation Monitor, RU-141,channel 2 indicating primary to secondary leakage at a rate of approximately 11 Gallons Per Day (GPD). At 16:00MST, Plant Management determined they would shutdown Unit 2 in response to the apparent increase in steam generator primary to secondary leakage. The leaking tube was eventually plugged.

Effect on this ASP analysis. Operational events like this are already included in the SGTR frequency evaluation.

4) 3-Unit LOOP already analyzed in ASP project (Reference 7): On June 14, 2004, at approximately 07:41 MST, a ground-fault occurred on the Western Area Power Authority 230kV Liberty substation to West wing substation line (approximately 47 miles from the Palo Verde Nuclear Generating Station). A failure in the protective relaying resulted in the ground-fault not isolating from the local grid for approximately 38 seconds. The fault cascaded into the protective tripping of a number of 230kV and 525kV transmission lines, which ultimately led to the Loss of Offsite Power (LOOP) at the Palo Verde switchyard.

Effect on this ASP analysis. The two ASP analyses are treated as independent, i.e., the effects will be additive, as different event trees are predominantly analyzed (MLOCA in this analysis, LOOP in the above described event). The impact of this LOOP event on this ASP analysis is strongly dependent upon the SRV challenge probability in LOOPs and the structure and assumptions used in the LOOP event tree, particularly with respect to secondary cooldown.

! Sensitivity Analyses Sensitivity A: Baseline is the best estimate of the internal events evaluation The base case is taken to be the best estimate of internal )CDP of (i.e., HPR assumed to fail in small LOCAs and transients/special events and have a probability of failure of 0.26 in MLOCAs).

The major effect is the assumption of HPR operability in MLOCAs and SRV challenge probability (set to 0.016 in LOOPs and 0.002 in transients and special initiators). The best estimate )CDP is 1.4E-5. The most important sensitivity analyses are presented below.

Parameter Modification New )CDP 10

LER 528, 529, 530/04-009 HPR failure probability in nominal failures in MLOCAs (HPI pumps do not 3.7E-6 MLOCA air bind in MLOCAs)

Coupling between the A assume coupling parameter of 0.5 and B HPR trains in 9.0E-6 MLOCA air binding faults Coupling between the A assume coupling parameter of 0.1 and B HPR trains in 4.9E-6 MLOCA air binding faults SRV challenge 2.E-3 in transients/special initiators, zero in 1.2E-5 probability LOOPs SRV challenge zero both in LOOPs and transients 1.2E-5 probability SRV challenge 2.E-3 in transients/special initiators, 0.16 in probability LOOPs (equals the SPAR original value for 2.8E-5 LOOP)

SRV challenge 0.02 in transients/special initiators, 0.16 in LOOPs 2.9E-5 probability (equals the SPAR original value for both)

CSR failure CSR tracks HPR failure - CSR fails when HPR 1.4E-5 (NC) fails CSR and LPR failure CSR and LPR track HPR failure 1.4E-5 (NC)

HPR and BPC in assume recovery via LPI pumps possible and that MLOCA boron precipitation control (hot leg injection) not 4.7E-6 needed under the conditions of LPR in all MLOCAs (see App. A and B)

HPR and BPC in assume recovery via LPI pumps possible and that MLOCA boron precipitation control (hot leg injection) not needed under the conditions of LPR in hot leg 1.1E-5 MLOCAs but not in cold leg LOCAs (see App. A and B)

- sensitivity 1 assumes HPI pump continued operability in MLOCA recirculation and the effect is a substantial reduction in )CDP to below the yellow threshold.

- sensitivities 2 and 3 explore the coupling parameter between the HPR trains. In the best estimate calculation both HPR trains fail at the same time (perfect coupling or correlation). For these sensitivities, the HPR fault tree was changed further to allow for introduction of the coupling parameter between the trains. This parameter describes the probability that, given failure of train A, train B will fail also. It can be seen that for less than perfect coupling, the event impact can be reduced into the white region.

11

LER 528, 529, 530/04-009

- sensitivities 4-7 deal with the assumed SRV opening probability. In the best estimate calculation, both for transients/special initiators and for LOOPs, this probability is set to one order of magnitude below the SPAR original value, i.e., 2.E-3 for transients, 0.016 for LOOPs (SBO SRV challenge probability is left at its SPAR original value of 0.37, but this is of no consequence). It can be seen from these sensitivity analyses that the impact of this is of moderate magnitude and the driver is the LOOP challenge probability. (See also the discussion under Other Items of Interest above).

- sensitivities 8 and 9 describe the additional effects of the air binding failure on the CS and the LPI pumps. CS fault tree and LOOP event tree linkage rules, as well as SLOCA event tree were changed for these evaluations. As can be seen, no additional impact is seen if the CSR and the LPR functions were to fail at the same time as the HPR function (perfect correlation assumed). This can be expected from the structure of the event trees (HPR success is necessary for CSR to be invoked in most cases) and the low importance of the LPR function.

- sensitivity 10 shows that if MLOCA event tree sequence 4 is further developed to allow recirculation recovery via the LPI pumps and if the boron precipitation control (BPC) is not necessary, as discussed in Appendices A and B, then the event evaluation will be substantially less and may fall below the yellow threshold.

- similarly for sensitivity 11, the assumption of recovery by LPI is used, but only for hot leg MLOCA breaks, while the cold leg breaks are assumed to need hot leg injection for boric acid precipitation control, and thus not amenable to LPI recovery. This is further discussed in Appendices A and B. Here too, the evaluation results in impact reduction.

Sensitivity B: Baseline is the upper bound of the internal events evaluation (corresponds to SDP best estimate)

The base case is taken to be the )CDP of 4.4E-5, the upper bound of the internal events evaluation (i.e., HPR assumed to fail in small and medium LOCAs and all other events except large LOCAs). The major effect is the assumption of HPR operability in MLOCAs. The most important sensitivity analyses are presented below.

12

LER 528, 529, 530/04-009 Parameter Modification New CDP HPR failure probability in nominal in MLOCAs (HPI pumps do 3.7E-6 MLOCA not air bind in MLOCAs)

SRV challenge probability in set to 0.16 (old model) 5.8E-5 LOOP SRV challenge probability in combination of first two modifications LOOP and HPR failure above 1.8E-5 probability in MLOCA CSR failure assumed failed in all sequences 4.9E-5 HPR, CSR, LPR failure assumed failed in all sequences 4.9E-5 HPR and BPC in MLOCA assume recovery via LPI pumps possible and that boron precipitation control (hot leg injection) not needed 7.7E-6 under the conditions of LPR in MLOCA (see App. A and B)

- sensitivity 1 assumes HPI pump continued operability in MLOCA recirculation and the effect is a substantial reduction in )CDP to below the yellow threshold.

- sensitivity 2 utilizes the SRV challenge probability from the current SPAR model (the latest model assumes a SRV challenge probability of 0.016 in LOOP);

- sensitivity 3 shows that if the old SRV challenge probability is retained, white evaluation is not possible even with optimistic MLOCA assumptions;

- sensitivities 4 and 5 show little effect from assuming additional failures, in the CS pumps and the LPI pumps, from the void in the recirc piping;

- sensitivity 6 shows that if MLOCA event tree sequence 4 is further developed to allow recirculation recovery via the LPI pumps and if the boron precipitation control (BPC) is not necessary, as discussed in appendices A and B, then the event evaluation will be substantially less and may fall below the yellow threshold.

! SPAR Model Corrections The conditional SRV challenge probability may need to be reduced with respect to plants with pressurizer PORVs, see Reference 8. The RCP seal LOCA model in SBOs may need to be adjusted, according to discussion in Reference 8. There are questions about the LOOP modeling with respect to secondary cooldown and with respect to flag sets LOOP and LOOP-FTF.

13

LER 528, 529, 530/04-009 Appendix F of the Palo Verde SPAR model documentation contains several comments which seem to have been accepted by the SPAR developers for inclusion in model.

However, the existing model does not include those corrections.

References

1. Licensee Event Report 05000528-2004-009, submittal date 09282004 (ML0427904830).
2. Inspection Report EA-04-221, January 5, 2005. (ML050050287)
3. Licensee Event Report 5282004007
4. Licensee Event Report 5282004001
5. Licensee Event Report 5302004001
6. Licensee Event Report 5292004001
7. Licensee Event Report 5282004006
8. Final Significance Determination Report, EA-04-221_ML051010009, issued April 8, 2005.
9. Palo Verde FSAR
10. Palo Verde IPE
11. Palo Verde SPAR model, Version 3.11, released December 2004.
12. Palo Verde Nuclear Generating Station (PVNGS) Units 1,2 and 3 Docket Nos. STN 50-528, 50-529 and 50-530 Submittal of Redacted Version of Recirculation Sump Void Testing and Probabilistic Risk Assessment Preliminary Results, letter dated February 4, 2005 to U.S. Nuclear Regulatory Commission from Scott A. Bauer, Department Leader, Regulatory Affairs, Palo Verde Nuclear Generating Station (ML050040244).
13. NUREG/CR-5640, Overview and Comparison of U.S. Commercial Nuclear Power Plants, September 1990
14. Ronald Boring et al., Simplified Expert Elicitation Guideline for Risk Assessment of Operating Events, Idaho National Laboratory, INL/EXT-05-00433, ML051810363, August 2, 2005.

14

LER 528, 529, 530/04-009 Table 1. Conditional core damage probabilities (internal events) of dominating sequences (Unit 1, 2, 3).

Event tree Sequence

)CDP1 Contribution CCDP1 Contribution name no.

MLOCA 4 1.0E-5 74% 1.0E-5 49%

Total (all sequences)2 1.4E-5 100% 2.1E-5 100%

1. Values are point estimates.
2. Total )CDP includes all sequences in internal events evaluation (including those not shown in this table).

Table 2a. Event tree sequence logic for dominating sequences.

Event tree Sequence Logic name no. (/ denotes success; see Table 2b for top event names)

MLOCA 4 /RPS /SIT /HPI HPR Table 2b. Definitions of top events listed in Table 2a.

Top Event Definition RPS Reactor protection system SIT Safety injection tanks HPI High pressure injection HPR High pressure recirculation Table 3a. Dominant )CDP cut sets for the dominant sequences (Unit 1, 2, 3).

Percent

)CDP Minimum Cut Sets (of basic events)

Contribution Event Tree: MLOCA 1.0E-5 74% IE-MLOCA

  • HPR-SWITCH-MLOCA1 1.4E-5 100% Total )CDP
1. Note that the above MLOCA cutset is both a )CDP and a CCDP cutset.

15

LER 528, 529, 530/04-009 Table 3b. Dominant CCDP cut sets for the dominant sequences (Unit 1, 2, 3).

Percent CCDP Minimum Cut Sets (of basic events)

Contribution Event Tree: MLOCA 1.0E-5 49% IE-MLOCA

  • HPR-SWITCH-MLOCA1 2.1E-5 100% Total (all CCDP cutsets)
1. Note that the above MLOCA cutset is both a )CDP and a CCDP cutset.

Table 4. Definitions and probabilities for modified and dominant basic events.

Probability/

Event Name Description Frequency Modified (per hour)

HPR-SWITCH Switch disables the HPR set to TRUE in non-MLOCA/LLOCAs True Yes HPR-SWITCH-MLOCA Probability of HPR airbinding failure in MLOCAs 0.26 Yes PPR-SRV-CO-TRANH SRV challenge probability in transients 2.0E-3 Yes1 PPR-SRV-CO-L SRV challenge probability in LOOP 0.016 Yes1

1. These values were changed both in the base case and the condition evaluation to the value given in the Table.

16

LER 528, 529, 530/04-009 Appendix A SDP Analysis Summary and Possible Modifications to the ASP Upper Bound and Best Estimate Results 17

LER 528, 529, 530/04-009 A.1 SDP Summary The SDP analysis presented a range of assumptions and related results. According to the SDP best estimate, the air binding of the high pressure recirculation pumps may be a problem in small and medium LOCAs. In large LOCAs, the flow rate may be sufficiently high so as to facilitate clearing the air bubble from the HPI pumps without air binding the pumps. Also, it is assumed that the low pressure and the CS pumps will not air bind in any accident due to the high flow rate through those pumps. It is also stated that additional failure modes by cavitation and water hammer are possible as well. Results are also presented where the large LOCA and the LPI/CS assumptions are not taken, but those results do not have a significant effect. The SDP analysis also presents results for the assumptions of possible recovery of the HPI and the CS pumps post-air binding. Those results fall in the range between the most optimistic and the most pessimistic results.

The licensee performed scale tests to determine the likely effect of the air bubble on the HPI pump operation. The licensee concluded, based on those tests, the HPI pumps will air bind only in small LOCAs and equivalent accidents (e.g. transients with stuck open pressurizer SRV).

The NRC found uncertainties associated with scaling of the test, the piping configuration and the accident conditions simulation, and thus found that air binding of the HPI pumps could not be excluded in medium LOCA conditions. The licensee also seemed to suggest that recovery of the air bound HPI pumps would not be possible, i.e., the pumps would not be turned off in a timely manner and thus would be destroyed. Prior to delivery of the final SDP analysis report, we had come to a similar conclusion, based on the time available and consideration of operator procedures and likely operator actions (see App. B).

Based on the licensee feedback, the SDP analysis converged on a best estimate methodology which considered that the HPI pumps would be irretrievably lost in an air binding event; that the air binding of the HPI pumps will never occur in large LOCAs but will always occur post recirculation switchover in small LOCAs and equivalent accidents (transients with stuck open pressurizer SRVs, support system initiators with RCP seal LOCA events); that it is not possible to say anything definitive about the HPI pumps air binding in the medium LOCA events; that the LPI and the CS pumps may survive all events, but will not significantly impact the results in any event. Thus a range of estimates was produced, based on the assumption of either no air binding or guaranteed air binding of the HPI pumps in the medium LOCA events. In the case of the latter assumption, the medium LOCAs are the most dominant contributor at a level of about 94% )CDP fraction; hence, the question of the HPI pump air binding in medium LOCAs is uniquely critical to our understanding of the significance of the event.

Note that the SDP best estimate corresponds to the ASP upper bound estimate. The ASP best estimate is also developed, due to availability of expert elicitation results, described in Appendix C.

The reader is directed to References 2 and 8 for a fuller discussion of the SDP analysis, inputs and results.

18

LER 528, 529, 530/04-009 A.2 Possible Modifications to the Upper Bound Evaluation (SDP Best Estimate) and Their Application to the ASP Best Estimate This section presents directions that might be taken if one were to resolve the )CDP to a greater accuracy than what either the ASP best estimate or the SDP result offer. Understanding of the medium LOCA in this context is really the crux of the matter as the major uncertainty comes from considerations thereof.

Medium LOCAs are RCS breaks in the range of 2"-5" effective diameter, according to the SPAR documentaion, or 3"-6" according to the IPE. Success, according to both models, requires the reactor shutdown, the use of the SITs (2/3 SITs on unaffected legs must inject), HPI (1/2 HPI pumps), HPR (via 1/2 HPI pumps), CS (1/2 CS pumps via train related SDC heat exchanger) and hot leg injection after 2-3 hours (via 1/2 HPI pumps).

Sequence 4 of the MLOCA event tree (see Figure C-1) is the dominant sequence, contributing 84% to the worst case evaluation (SDP best estimate) and 74% to this ASP analysis best estimate. This sequence involves the failure of the HPR function.

A possible recovery of this sequence, for which hardware exists at the plant, would be to utilize the LPI pump when the HPI pump is lost due to air binding. The assumption could be made that the LPI pump may not suffer deleterious effects from the air bubble as the flow rates are much higher (though there are questions about possible cavitation and water hammer problems). For comparison, the LPI flow rate is 4,200 gpm per pump at 145 psia, while the HPI flow rate is 815 gpm per pump, albeit at 1,230 psia.

There are the issues of the RCS pressure, the operator procedures and the timing.

The operator procedures exist at the plant to substitute the LPI pump in recirculation should the preferred option of HPR fail for some reason. However, there are apparently no procedures at the plant to effect depressurization post recirculation switchover. (Such procedures exist only for the injection phase of the accident, when sufficient time is available, e.g., in the case of small LOCAs).

Furthermore, it seems that the RCS pressure will drop below the LPI shutoff head after several hundred seconds (according to the IPE). This is corroborated by the IPE and the SPAR model Palo Verde MLOCA event trees, which both credit and require safety injection tank (SIT) injection into the RCS in order to keep the core covered after the initial blowdown. The SIT actuation pressure is 260 psig, whereas the LPI shutoff head is 205 psid and the normal LPI operating pressure is 145 psia. Thus, it seems likely that by the time the recirculation switchover occurs, or shortly thereafter, the RCS pressure will have decayed to a level allowing the use of the LPI pumps, and the operator procedures would then direct the operator to substitute the LPI pumps for the failed HPI pumps. It is also noted that, in the IPE, the MLOCA event tree has a stipulation that LPSI is a recovery for recirculation normally undertaken by the HPI pumps. This recovery is developed in Appendix B below, in which an HEP of 0.1 is conservatively calculated for this action.

Once the recirculation recovery via LPI is successful, the question arises about the boric acid precipitation control. This is implemented by utilizing hot leg injection 2-3 hours into the 19

LER 528, 529, 530/04-009 accident, in order to control crystallization of boric acid and subsequent local flow blockage (and subsequent fuel damage) in the core region under certain conditions. Both the IPE and the SPAR model stipulate that this is necessary in order to avoid core damage (in fact, the SPAR model conservatively follows the IPE stipulation in this case, without further development). In order to implement hot leg injection, HPI pumps must be used, as the LPI pumps cannot be aligned for this. Thus, it seems that the above LPI recovery cannot lead to success.

It is noted that Palo Verde operates with higher boric acid concentrations in the coolant during ECCS operation than most other plants (according to the SPAR model documentation, Appendix F) and is thus more susceptible than other plants to this issue of precipitation. It can also be noted that medium LOCAs are a very small contributor to the baseline risk (about 2.5%

of the total full power internal CDF in the SPAR model), and thus it is not as cost effective to develop MLOCA sequences in as great a detail as the more important sequences for the base case model.

A necessary condition for boric acid precipitation is that sustained boiling take place in the core region. This is apparently only a problem in large and medium LOCAs, as no other accidents require hot leg recirculation (including small LOCAs). Taking into consideration the hot spot factors, the condition of sustained boiling will take place if the ECCS injection flow through the core is such that, in conjunction with other cooling mechanisms (such as cooling via the break flow, the AFW, or steam generator boiloff), the core decay power cannot be taken away solely by sensible heating of the ECCS fluid alone, but latent heating (boiling) must take place at the RCS pressure. Locally, there is too much decay power produced, relative to the flow and the temperature/pressure of the coolant in the channel. This may occur if the break is in the cold leg, such that a substantial part of ECCS flow spills out the break.

The base case MLOCA event tree assumes that, in the recirculation phase, prior to hot leg injection, a minimum of one HPI pump operates (success criterion) injecting into the cold legs, with no cooling from the steam generators. The HPI pump(s) will inject into all four cold legs, but a further assumption is made that the break is in a cold leg, and all the injection flow in the affected leg will spill out the break. Under those conditions, local boiling will apparently take place, such that hot leg injection is necessary.

However, going back to the above case of LPI recovery of recirculation due to HPR failure, a condition will exist under which, instead of one HPI pump assumed in the recirculation success criterion (and for boric acid precipitation analysis), two LPI pumps will be injecting under low pressure, i.e., a much higher flow rate will be realized. (Both pumps will be available about 99%

of the time and injecting into all 4 cold legs). While the fraction of cold leg breaks may be about 67% (there are 2 hot legs and 4 cold legs at Palo Verde), the fraction of flow lost through the break may be less than postulated, in a medium LOCA at low pressure, in the recirculation phase. Thus, in the case of successful LPI recovery of recirculation, the propensity for boric acid precipitation may in fact be substantially less than in the base case assumed in the MLOCA event tree.

If one were to assume that boron precipitation control would not be needed under the conditions stipulated, and that the analysis in Appendix B applies for the recirculation recovery via the LPI, 20

LER 528, 529, 530/04-009 then an alternative best estimate )CDP from internal events can be developed from the SDP-like upper bound thus:

)CDP = )CDPlnon-MLOCA + IE-MLOCA

  • LPIlrecirc-recov
  • T = 2.1E-6 + 4.0E-5/yr
  • 0.1
  • 1yr

)CDP = 6.1E-6, where:

)CDPlnon-MLOCA is the )CDP from initiators other than medium LOCA; IE-MLOCA is the MLOCA initiator frequency; LPIlrecirc-recov is the HEP for LPI recovery of recirculation function.

Similarly, one can derive modifications based on the ASP best estimate ()CDP of 1.2E-5) to reduce the impact further assuming the above considerations are correct. There are two scenarios we could consider: 1) assuming that all MLOCAs are recoverable per the above developments (both hot leg and cold leg breaks) and 2) assuming that only the hot leg MLOCAs are so recoverable, i.e., we really need hot leg injection via the HPR in the case of cold leg breaks.

1) All MLOCAs are recoverable:

Total )CDP = 1.41E-5 MLOCA )CDP = 1.04E-5 Non-MLOCA )CDP = 3.7E-6 Then:

)CDP = )CDPlnon-MLOCA + )CDPlMLOCA

  • LPIlrecirc-recov = 3.7E-6 + 1.0E-5
  • 0.1

)CDP = 4.7E-6

2) Only hot leg LOCAs are recoverable:

Total )CDP = 1.41E-5 MLOCA )CDP = 1.04E-5 Non-MLOCA )CDP = 3.7E-6 HL MLOCA )CDP = 1.04E-5

  • 0.33 = 3.5E-6; hot leg MLOCA )CDP is the 1/3 fraction CL MLOCA )CDP = 1.04E-5
  • 0.67 = 6.9E-6; cold leg MLOCA )CDP is the 2/3 fraction

)CDP = )CDPlnon-MLOCA + )CDPlMLOCA-CL + )CDPlMLOCA-HL

  • LPIlrecirc-recov =

3.7E-6 + 6.9E-6 + 3.5E-6

  • 0.1

)CDP = 1.1E-5 Thus, the evaluation of this event would be reduced in all cases under the above assumptions and may become white. Similar calculations can be performed for sensitivities around the upper bound estimate (equivalent to SDP best estimate).

21

LER 528, 529, 530/04-009 In summary, in a realistic analysis of this event, the considerations laid out above would be evaluated: the effect of ECCS recirculation piping void on the CS and the LPI pumps, the RCS pressure after recirculation switchover, the procedures related to LPI operation in recirculation under those conditions and the hot channel conditions regarding boron precipitation if LPI recovery is successful. Such considerations are beyond the resources of this project.

22

LER 528, 529, 530/04-009 Appendix B Human Interactions 23

LER 528, 529, 530/04-009 B.1 Preventing Permanent Pump Damage Due to Air Binding Operators would be aware of the impending recirculation switchover as an alarm would sound in the control room. As the pumps suction is switched over to the containment sump (in the case of a medium LOCA), the air bubble will be drawn in. It is noted that the flow meter is downstream of the pump discharge check valve.

As the air bubble transverses the pump, the discharge check valve will close due to lack of forward pressure, and the flow meter will likely show zero flow, after initial fluctuation. The air bubble will stall inside the pump, the pump will stop developing head and the coolant will be stationary.

Other pump indicators will also be initially fluctuating wildly, like the flow meters mentioned above. For example, the pump power and ammeters.

The operators will be closely monitoring the pumps, their indicators, the flow to the core and the CS spray headers, etc., before and after the switchover. Thus, they will notice the initial fluctuations in all the indicators for all the working pumps, and they will go about resolving the issue and attempting to restore the flow. They will be going down the checklist of indications to consult in order to ascertain the condition of the pumps and the flows. This verification and checking procedure may take about 20 minutes before the shift supervisor might be alerted. It should be noted that the operators would not be in a position to suspect air binding of the pumps, though that would be one of several possible explanations for the anomalous instrument readings observed. The operators would certainly not be expecting that air binding of recirculation pumps might take place. At the same time, they are trained never to stop a working pump (the TMI syndrome) and interrupt flow to the core (even given the fact that at that point, the flow could be interrupted without penalty to the core for approximately two hours).

Thus, the pumps would continue to receive power for at least the 20 minutes mentioned above.

It is difficult to foresee what kind of a decision the shift supervisor might make upon notification of the recirculation problems. (The Technical Support Center (TSC) might also be on the scene at this point and may also be consulted). It is conceivable, for example, in light of the prohibition against stopping a working pump, that the supervisor might decide to stop one HPI pump and let the other run.

On the other side of the coin in the decision-making process is the fact that everything was working normally prior to switchover, and that something obviously connected to a common cause event impacting all injection and CS pumps took place after switchover, i.e. probably related to the length of piping from the containment sump to the pumps common header. This might be combined with the knowledge that the HPI pumps are uniquely necessary for recirculation at Palo Verde (for hot leg injection directed by procedure) and that recirculation piping is intentionally voided of coolant per procedure.

At any rate, it seems doubtful that the pumps might survive the length of the decision making process. The multi-stage centrifugal pumps of the kind used for the HPI pumps at the plant may be permanently damaged in as little as a minute of continued operation, though there may have been instances in the past, in which such pumps may have survived the requisite 20 minutes or longer unscathed. (Such pumps have tight clearances between the impeller blades and the housing, which would cause binding of the pump due to mechanical damage of 24

LER 528, 529, 530/04-009 vibration-susceptible internals). The licensee assumed in their analysis that the HPI pumps would be permanently damaged if air bound. The CS and the LPI pumps may also be affected by the air bubble ingestion, but they may be less susceptible to becoming air bound due to the higher flow rates.

Also working against the plant is the fact that at Palo Verde, unlike other Combustion Engineering plants, there is no third installed spare HPI pump, which could be turned on after the air-binding issue has been cleared up. Both HPI pumps would likely be operating at switchover, and both would then be irretrievably damaged. Yet, at this plant, HPI pumps are uniquely necessary for successful recirculation in medium LOCAs, as only they are aligned for the procedure-directed hot leg recirculation, prescribed to control boric acid precipitation.

Thus, as the best estimate, both HPI pumps would air bind in medium LOCAs, and would consequently be permanently damaged due to lack of timely operator action to switch off power to the pumps. It is noted that cavitation and water hammer are other possible modes of HPI pump failure due to the recirculation piping void and that the CS and the LPI pumps might also be affected.

B.2 Recovering the HPI Pumps As stated above, it is likely that the HPI pumps would be permanently disabled due to air ingestion. Then, any recovery analysis is moot. If the pumps were stopped in a timely manner, their recovery is possible and such was considered in the initial SDP analysis, prior to the licensees input that the HPI pumps should be considered irrecoverable once air-bound.

The HEP for the HPI pump recovery is very high - 0.24 according to the SDP SPAR-H calculation. The pump venting procedures are well established, however, the SDP analysis assumed that 30 minutes would be required to diagnose that venting was needed, another 30 minutes would be necessary to wait for the pump components to cool down below the water boiling temperature and 30 minutes would be required for the venting itself, due to the large volume of trapped air. On the other hand, about 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> altogether would be available for the HPI pump restart. There are no reach rods to help venting the HPI pumps, so the operators would have to enter the pump room and thus be exposed to some level of radiation from the coolant.

The reader is referred to Reference 2 for details of this recovery analysis. It is emphasized that the final SDP analysis did not consider recovery, per licensee input, and neither do we consider recovery as part of the best estimate scenario, as explained in Section B.1 above.

B.3 Recovering the Recirculation Function The best estimate is that the HPI pumps will be irrevocably lost in a medium LOCA, due to air ingestion after recirculation switchover. According to the Palo Verde SPAR model medium LOCA event tree, this means that core damage will ensue. This is corroborated by the MLOCA event tree in the IPE.

However, there are indications that the above is a simplification (MLOCA is a minor contributor to the base case CDF and thus likely not developed in all the details) and that the LPI can 25

LER 528, 529, 530/04-009 indeed be brought into action in recirculation, as a recovery action for the damaged HPI pumps.

There are the issues of the RCS pressure, the operator procedures and the timing.

The operators are directed by procedure to use the LPI pumps in recirculation if the HPI pumps are unavailable. Furthermore, in medium LOCAs, it seems that the RCS pressure will drop below the LPI shutoff head after several hundred seconds (IPE). This is corroborated by the IPE and the SPAR model Palo Verde MLOCA event trees, which both credit and require safety injection tank (SIT) injection into the RCS in order to keep the core covered after the initial blowdown. The SIT actuation pressure is 260 psig, whereas the LPI shutoff head is 205 psid and the normal LPI operating pressure is 145 psia, i.e., the SIT actuation pressure is very close to the pressure range where the LPI pumps could be used, and the IPE even states that such pressures will eventually be reached within a limited time period. Thus, it seems likely that by the time the recirculation switchover occurs, or shortly thereafter, the RCS pressure will have decayed to a level allowing the use of the LPI pumps, and the procedures would then direct the operators to substitute the LPI pumps for the failed HPI pumps. It is also noted that, in the IPE, the MLOCA event tree has a stipulation that LPSI is a recovery for recirculation normally undertaken by the HPI pumps.

In addition, it can be noted that there is a likelihood that the technical support center (TSC) will be assembled on site by the time the recirculation problems are encountered, thus providing further support for a possible LPI operation after the HPR failed.

Based on the above, a screening value of 0.1 can be assigned to the HEP of utilizing the LPI in recirculation after the HPI failure. A similar value can be obtained by using the SPAR-H worksheets in a conservative manner and assuming a low dependence with the failed action of stopping the HPI pumps before damage (see Tables B-1 to B-4).

B.4 Hot Leg Injection Both the IPE and the SPAR model MLOCA event trees also stipulate that hot leg injection to control boric acid precipitation is required. The procedures direct the operators to do this, about 2-3 hours into the event, by opening the pathway from the HPI pumps to the hot legs (LPI pumps cannot be thus aligned). This procedure does not seem to be incompatible with the continued use of the LPI pumps in recirculation (e.g., see Figure 5.2-1 in the IPE, showing parallel pathways of injection by LPI into the cold legs and by HPI into the hot legs). Thus, this procedure may not interfere with the efforts by the operators to establish and continue with LPI pump recirculation.

26

LER 528, 529, 530/04-009 SPAR Model Human Error Worksheet (Page 1 of 3)

Plant: Palo Verde Event Name: ECCS voiding Task Error

Description:

Recirculation recovery via LPI Does this task contain a significant amount of diagnosis activity ? YES NO T If Yes, Use Table 1 below to evaluate the PSFs for the Diagnosis portion of the task before going to Table 2. If No, go directly to Table 2.

Table B-1. Diagnosis worksheet.

Multiplier If non-nominal PSF levels are PSFs PSF Levels for selected, please note specific Diagnosis reasons in this column

1. Available Inadequate 1.0a Time Barely adequate < 20 m 10 Nominal . 30 m 1 Extra > 60 m 0.1 Expansive > 24 h 0.01
2. Stress Extreme 5 High 2 Nominal 1
3. Complexity Highly 5 Moderately 2 Nominal 1
4. Low 10 Experience/ Nominal 1 Training High 0.5
5. Not available 50 Procedures Available, but poor 5 Nominal 1 Diagnostic/symptom oriented 0.5
6. Missing/Misleading 50 Ergonomics Poor 10 Nominal 1 Good 0.5
7. Fitness for Unfit 1.0a Duty Degraded Fitness 5 Nominal 1
8. Work Poor 2 Processes Nominal 1 Good 0.8
a. Task failure probability is 1.0 regardless of other PSFs.

27

LER 528, 529, 530/04-009 SPAR Model Human Error Worksheet (Page 2 of 3)

Table B-2. Action worksheet.

Multiplier If non-nominal PSF levels are PSFs PSF Levels for selected, please note specific reasons Action in this column

1. Available Inadequate 1.0a Nominal time conservatively assumed, Time Time available . time 10 -2 hrs available, allowing time for any required additional depressurization beyond the normal MLOCA pressure decay Nominal 1T Available > 5x time required 0.1 Available > 50x time required 0.01
2. Stress Extreme 5T extreme stress postulated in MLOCA High 2 situation with failed HP recirculation Nominal 1
3. Complexity Highly 5 nominal complexity postulated for using Moderately 2 the LPI Nominal 1
4. Low 3 Experience/ Nominal 1 Training High 0.5
5. Not available 50 procedures do not deal with a possible Procedures Available, but poor 5T need for further depressurization after recirc switchover, this is a conservative Nominal 1 evaluation
6. Missing/Misleading 50 Ergonomics Poor 10 Nominal 1 Good 0.5
7. Fitness for Unfit 1.0a Duty Degraded Fitness 5 Nominal 1
8. Work Poor 2T poor work processes highlighted in the Processes Nominal 1 runup to the LER Good 0.8
a. Task failure probability is 1.0 regardless of other PSFs.

28

LER 528, 529, 530/04-009 SPAR Model Human Error Worksheet (Page 3 of 3)

Table B-3. Task failure probability without formal dependence worksheet.

Task Nom. Time Stress Compl. Exper./ Proced. Ergon. Fitness Work Prob.

Portion Prob. Train. Process Diag.

Action 1.0E-3 x 1.0 x 5.0 x 1.0 x 1.0 x 5.0 x 1.0 x 1.0 x 2.0 5.0E-2 Total 5.0E-2 For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence.

Table B-4. Dependency condition worksheet.

Condition Crew Location Time (close Cues Dependency Number of Human Action Number (same or (same or in time or (additional Failures Rule different) different) not close in or not time) additional) 1 s s c - complete If this error is the 3rd error in 2 s s nc na high the sequence, then the dependency is at least 3 s s nc a moderate moderate.

4 s d c - high 5 s d nc na moderate If this error is the 4th error in 6T s d nc a low the sequence, then the dependency is at least high.

7 d s c - moderate 8 d s nc na low This rule may be ignored only if 9 d s nc a low there is compelling evidence for 10 d d c - moderate less dependence with the previous tasks.

11 d d nc na low 12 d d nc a low 13 zero Using P = Task Failure Probability Without Formal Dependence (calculated on page 2):

For Complete Dependence the probability of failure = 1.0 For High Dependence the probability of failure = (1 + P)/2 For Moderate Dependence the probability of failure = (1 +6P)/7 For Low Dependence the probability of failure = (1 + 19P)/20 For Zero Dependence the probability of failure = P Task Failure Probability With Formal Dependence = (1 + ( 19

  • 0.05 )) / 20 = .0975 29

LER 528, 529, 530/04-009 Additional Notes:

Low dependence conservatively assumed with the previously failed action of timely stopping the HPI pumps after recirculation switchover.

30

LER 528, 529, 530/04-009 Appendix C Expert Elicitation for HPSI Pump Air Binding Failure 31

LER 528, 529, 530/04-009 C.1 Introduction An attempt has been made to improve on the SDP analysis which assumed a guaranteed failure of the HPSI pumps due to air binding in medium LOCAs, which are the driver of this events evaluation. Since the licensees experimental setup was deemed insufficient to answer all the questions posed by this event, and since it was impractical to obtain pump failure probabilities in this event by other means, an expert elicitation procedure was used. In the procedure, each expert was polled individually as to the air binding failure probability of the HPSI pumps given the facts of this event, and then the panel with the two experts was convened to arrive at a common understanding of the values involved. The experts input was used to generated parameters of the beta distribution, which is assumed for this failure probability. The methodology is further described in Reference 14.

The appendix and the forms after this introduction is a copy of Appendix G from Reference 14 (Simplified Expert Elicitation Guidelines), which is an application of the methodology described in that report to the specific case of this event at Palo Verde, i.e., the HPSI pump air binding failure. Note that the plant name and the event details have been sanitized from the reference.

It will be assumed that the best estimate result from this expert elicitation is that both HPSI pumps fail simultaneously from air binding during medium LOCAs with a mean probability of 0.26, i.e., the failure probability is described by a beta distribution with the parameters " = 1.9 and $ = 5.4.

It will be assumed that the above estimate is valid only for medium LOCAs. The experts seem to concur that air binding of the HPSI pumps will not be a problem in large LOCAs, due to high flow velocities (air binding induced failure probability of 0 in the HPSI pumps) and that the HPSI pumps will almost certainly suffer air binding failure in small LOCAs and other events where HPR function is called for (failure probability of 1).

32

LER 528, 529, 530/04-009 C.2 Copy of Appendix G from Reference 14.

EXPERT ELICITATION EXAMPLE FOR HARDWARE The following example involves an incident at a PWR, in which air was found to be entrained in the suction line of the High Pressure Safety Injection (HPSI) pumps. In particular, air in the line from the emergency containment sump to the HPSI pump suction could have resulted in the failure of the HPSI pumps to operate if there had been an actual (emergency) demand for the pumps to operate. The LER, the SDP final analysis, and supplemental background information provided by the plant about the incident were provided to two pump experts, one affiliated with the INL and the other affiliated with the Idaho Completion Project. The worksheets are included for illustrative purposes. The specific LER, SDP final analysis, and plant background information have been omitted from this guideline in order to conceal the identity of the plant.

The experts reached consensus on the median failure rate, as defined by agreement within three orders of magnitude on the median value. By definition, it was not necessary to conduct an expert panel, and their estimates were mathematically aggregated. However, the experts did not reach consensus on the upper bound values. An analyst might, time permitting, find it fruitful to conduct the panel to determine a potential consensus value on the upper bound.

33

LER 528, 529, 530/04-009 EXPERT ELICITATION BACKGROUND INFORMATION WORKSHEET Instructions. Complete this worksheet prior to contacting the expert. Provide this worksheet and supporting materials to present the problem domain to the expert. All experts should receive identical information.

1. Analysts Name and NRC Affiliation: William Galyean, INL
2. Problem Type: Actual Hardware Failure X Latent Hardware Failure Other:

Actual Human Error Latent Human Error

3. Summary of Problem for Analysis: Air was found to be entrained in the suction line of the High Pressure Safety Injection (HPSI) pumps. In particular, the line from the emergency containment sump to the HPSI pump suction. This could have resulted in the failure of the HPSI pumps to operate if there had been an actual (emergency) demand for the pumps to operate.
4. Supporting Documents (Attached):

LER proprietary Q&A licensee report SDP final analysis

5. Summary of Results from Initial Analysis: This is judged to be a risk significant issue.
6. Analysis Assumptions: The HPSI system is designed to provide emergency coolant to the reactor pressure vessel (RPV) given a loss of coolant accident. If the reactor cooling system were to lose coolant, the HPSI system would take water from the refueling water storage tank (RWST) and inject that water directly into the RPV. Water lost from the reactor cooling system would collect on the floor of the containment building and collect in the emergency containment sump. Once the water in the RWST reached a low level, the HPSI system automatically re-aligns such that the HPSI pump suction draws from the containment sump instead of the RWST (this is commonly referred to as recirculation mode of operation, versus the injection mode when HPSI takes water from the RWST and injects it into the RPV).
7. Information Required from Expert: Given a demand for the HPSI pumps to operate in the recirculation mode, what is the conditional probability that the pumps will fail to run. The conditions are those described in the event description (as best as they can be interpreted), and assuming a real demand to operate is generated. This is a probabilistic exercise not a deterministic one. Many uncertainties, unknowns, and variations exist on the event and postulated demand. Try to consider the full range of possibilities when making your estimate of the likelihood of failure. The likelihood of failure can be expressed as a probability (e.g., 1%,

10%), a decimal (e.g., 0.001, 0.1), or a ratio (e.g., 1/1000, 1/5). Two estimates will be requested from you (the expert). A best estimate, which will be used as a median value. And, an upper bound estimate. The Median value can be viewed as an estimate at which point you believe there is a 50% chance the true value is in fact higher than want you guess (and a 50% chance the true value is lower). The upper bound estimate can be viewed as an estimate at which 34

LER 528, 529, 530/04-009 point you believe there is a strong likelihood (95% chance) that the true value will be lower than your estimate (and only a 5% chance that the true value is higher).

35

LER 528, 529, 530/04-009 EXPERT ELICITATION WORKSHEET FOR HARDWARE FAILURE Instructions. Complete this worksheet for each individual expert. Begin by answering any questions the expert has regarding the problem being analyzed. Then step through each question in sequence. Attach any supporting materials provided by the expert.

1a. Date of Elicitation: 6/22/2005 1b. Time of Elicitation: 09:00 am - 09:25 am

2. Experts Name and Affiliation: Steven R. Smith, Idaho National Laboratory In-house NRC Industry Consultant Academia Other:

X National Lab/DOE Licensee Vendor

3. Experts Areas of Expertise Relevant to Analysis: Fluid-mechanical system engineer at a nuclear test reactor (Advanced Test Reactor at the INL).
4. Experts Comments on Problem Under Analysis: There are a lot of uncertainties surrounding the details of the event. It would be useful to have information on such things as specific pump design (including the type of bearings used in the pump), and information on the amount of vibration observed during the testing performed.
5. Median Failure Rate/Percent of Time Theres a 50/50 Likelihood of Hardware Failure:

10%

50th Percentile Value (Median)

6. Upper Bound/Percent of Time That Hardware Will Almost Certainly Fail: 20%

95th Percentile Value (Upper Bound)

7. Factors Shaping Expert Estimate: Expert listed the following factors as influencing his estimate.
1. Testing might not have accurately modeled the air bubbles (negative influence)
2. Bearings in the pump were assumed by expert to be frictionless (negative influence with respect to this situation).
3. Maintenance was assumed to be good
4. Air bubbles seemed to be well dispersed and separate (positive influence)
5. Potential transient associated with the air passing-through pump appeared to be short (positive influence)
6. Pump already running when ingestion of air would occur (positive influence).
7. Pumps are 8-stage pumps (positive influence)
8. Additional Comments by Expert: None 36

LER 528, 529, 530/04-009 EXPERT ELICITATION WORKSHEET FOR HARDWARE FAILURE Instructions. Complete this worksheet for each individual expert. Begin by answering any questions the expert has regarding the problem being analyzed. Then step through each question in sequence. Attach any supporting materials provided by the expert.

1a. Date of Elicitation: 6/23/2005 1b. Time of Elicitation: 12:30 pm - 01:10 pm

2. Experts Name and Affiliation: Daryl Lopez, Idaho Completion Project In-house NRC Industry Consultant Academia Other:

X National Lab/DOE Licensee Vendor

3. Experts Areas of Expertise Relevant to Analysis: Mechanical engineer specializing in fluid system design.
4. Experts Comments on Problem Under Analysis: Pump performance depends on three factors: hydraulics of pump operation, mechanical issues of pump operation, and the details of the downstream demand (i.e., postulated break size). However, the mechanical issue is judged to not be a concern in this situation due to a short transient time, and the hydraulics will be a function of break size (and the backpressure upstream of the pump).
5. Median Failure Rate/Percent of Time Theres a 50/50 Likelihood of Hardware Failure:

25%

50th Percentile Value (Median)

6. Upper Bound/Percent of Time That Hardware Will Almost Certainly Fail: 90%

95th Percentile Value (Upper Bound)

7. Factors Shaping Expert Estimate: The hydraulics associated with the downstream demand will determine whether the pump works or not. Therefore, the predominant influence on pump performance is the postulated break size. There will be a threshold break size such that for smaller breaks the air will affect the pumps operability (air binding will occur), and for larger breaks the air will not (no air binding). This threshold will most likely be at a break size between 2 and 6-inches. The above estimates represent average pump failure probabilities regardless of break size.
8. Additional Comments by Expert: This expert relied upon the empirical data generated by the licensee, and comments on that licensee data by the NRC.

37

LER 528, 529, 530/04-009 EXPERT ELICITATION PANEL WORKSHEET FOR HARDWARE FAILURE Instructions. Complete this worksheet for the expert panel and data aggregation. Follow instructions in the guideline for facilitating the discussion. Begin by explaining the purpose of the panel, with a goal toward sharing information and arriving at a consensus. Next, read each experts estimation. Provide the initial aggregation of expert estimates in 3 below. Allow 5-10 minutes for questions and another 10-15 minutes for discussion. Allow 5 minutes for final discussion and consensus. Allow the experts to modify their individual Worksheet B to incorporate any new information from the discussion.

1a. Panel Conducted? x Yes / No 1b. Reason: UB bound estimates differed by greater than 3x 2a. Date of Panel: 6/27/2005 2b. Time of Panel: 10:00 x A.M. / P.M.

3. Average of Experts Median 17.5% and 95th Percentile 55% Values
4. Summary of Main Points and Issues Raised in Discussion (Including Areas of Disagreement):

The primary factors determining the operability of the pump were the potential for dispersal of the air bubble, and the hydraulics of the potential demand. The air was assumed to be initially a relatively consolidated bubble, but the when the pump starts to draw water from the sump, there would be a chance for the bubble to break-up and become more entrained in the suction water. The break-up of the air bubble would make pump failure less likely. The hydraulics of the demand would determine the amount of backpressure seen at the pump discharge, which would affect the likelihood of the air passing through the pump without air binding.

5. Consensus Estimate (Within 3x)? x Yes / No 6a. If YES, Record Median of Medians 17.5% and 95th Percentiles 55% Values 6b. If NO, Record Average of Median Estimates and 95th Percentile Values
7. Record Alpha (") 1.9 and Beta ($) 5.4 Values Derived from 6a or 6b for Beta Distribution or Other Parameters for Non-Beta Distribution:

38

LER 528, 529, 530/04-009 EXPERT ELICITATION WORKSHEET FOR HARDWARE FAILURE Completed during Expert Panel Meeting Instructions. Complete this worksheet for each individual expert. Begin by answering any questions the expert has regarding the problem being analyzed. Then step through each question in sequence. Attach any supporting materials provided by the expert.

1a. Date of Elicitation: 6/27/2005 1b. Time of Elicitation: 10:00 x A.M. / P.M.

2. Experts Name and Affiliation: Steven R. Smith, Idaho National Laboratory In-house NRC Industry Consultant Academia Other:

X National Lab/DOE Licensee Vendor

3. Experts Areas of Expertise Relevant to Analysis: Fluid-mechanical system engineer at a nuclear test reactor (Advanced Test Reactor at the INL).
4. Experts Comments on Problem Under Analysis:
5. Median Failure Rate/ Percent of Time Theres a 50/50 Likelihood of Hardware Failure:

10%

50th Percentile Value (Median)

6. Upper Bound/Percent of Time That Hardware Will Almost Certainly95th Fail: 40%

Percentile Value (Upper Bound)

7. Factors Shaping Expert Estimate: Expert listed the following factors as influencing his estimate.
8. Additional Comments by Expert: Reading about the event and testing performed was both interesting and informative.

39

LER 528, 529, 530/04-009 EXPERT ELICITATION WORKSHEET FOR HARDWARE FAILURE Completed during Expert Panel Meeting Instructions. Complete this worksheet for each individual expert. Begin by answering any questions the expert has regarding the problem being analyzed. Then step through each question in sequence. Attach any supporting materials provided by the expert.

1a. Date of Elicitation: 6/27/2005 1b. Time of Elicitation: 10:00 x A.M. / P.M.

2. Experts Name and Affiliation: Daryl Lopez, Idaho Completion Project In-house NRC Industry Consultant Academia Other:

X National Lab/DOE Licensee Vendor

3. Experts Areas of Expertise Relevant to Analysis: Mechanical engineer specializing in fluid system design.
4. Experts Comments on Problem Under Analysis:
5. Median Failure Rate/Percent of Time Theres a 50/50 Likelihood of Hardware Failure:

25%

50th Percentile Value (Median)

6. Upper Bound/Percent of Time That Hardware Will Almost Certainly95th Fail: 70%

Percentile Value (Upper Bound)

7. Factors Shaping Expert Estimate
8. Additional Comments by Expert: This expert relied upon the empirical data generated by the licensee, and comments on that licensee data by the NRC.

40

LER 528, 529, 530/04-009 Appendix D Event Tree and Fault Tree Figures 41

LER 528, 529, 530/04-009 MEDIUM LOCA REACTOR SAFETY HIGH SUMP CONTAINMENT BORON PROTECTION INJEC TION PR ESSURE RECIRC COOLING PRECIPITATON SYSTEM TANKS INJECTION C ONTROL IE-MLOCA RPS SIT HPI HPR CSR BPC # END-STATE FREQUENCY 1 OK 2 CD 3 CD 4 CD 5 CD 6 CD 7 CD Figure D-1 Medium LOCA Event Tree with Dominant Sequence Highlighted 42

LER 528, 529, 530/04-009 NO OR INSUFFICIENT HPR FLOW HPR MLOCA AIR BINDI NG FOR TRANS FER TO AIR BI NDING ALL I NI TI ATORS DEFAULT HPR EXCEP T MLOCA FAULT TRE E A ND LLO CA HPR-GATE-7-141 HPR-GA TE-7-142 HP R-TRA NS AI R B INDI NG OTHER MLOCA FLAG MLOCA AI R B INDING FA ILURE FAI LURE PROBAB ILI TY INITIA TORS PROBA BILITY I N A FFE CTE D OTHER EV ENTS FALSE FA LSE FA LSE MLOCA HP R-SWITCH-MLOCA HP R-SWITCH HP R-GATE-7-143 S LOCA FLAG TRA NS FLAG LOPCW FLAG LOIA FLAG FALSE FA LSE FALSE FALSE SLOCA TRANS LOPCW LO IA LODCA FLAG LONCW FLAG LOOP FLAG ATWS FLA G SB O FLAG FALSE FALSE FA LSE FA LSE FALSE LODCA LONCW LOOP ATWS SB O Figure D-2. New HPR Fault Tree with Modifications. Transfer HPR-TRANS is the old HPR Fault Tree.

43

LER 528, 529, 530/04-009 NO OR INSUFFICIENT HPR FLOW HPR-TRANS COMMON CAUSE COMMON CAUSE COMMON CAUSE CCF OF SUMP FAILURE TO INJECT COMMON CAUSE COMMON CAUSE FAILURE OF SUMP FAILURE OF SUMP FAILURE OF SUCTION STRAINERS WATER INTO THE RCS FAILURE OF HPI FAILURE OF SUMP INBRD. ISOL MOVs OUTBRD. ISOL MOVs INJECTION MOVs INLET CHECK VALVES CHECK VALVES 2.6E-5 2.6E-5 2.0E-7 2.5E-6 1.5E-6 4.8E-6 3 4 HPR-MOV-CF-SUMP2 HPR-MOV-CF-SUMP1 HPI-MOV-CF-ALL HPR-STR-CF-SUMP HPR-INJ-F HPI-CKV-CF-ALL HPR-CKV-CF-SMP FAILURE TO INJECT FAILURE TO INJECT FAILURE TO INJECT TO LOOP 1A TO LOOP 1B TO LOOP 2A HPR-INJ-1A-F HPR-INJ-1B-F HPR-INJ-2A-F S INJECTION NO FLOW THROUGH INJECTION CHECK INJECTION CHECK NO FLOW THROUGH INJECTION CHECK INJECTION CHECK CK VALVE TO HPI INJECTION VALVES TO LOOP 1A VALVES TO LOOP 1A VALVES TO LOOP 1B HPI INJECTION OP 1A FAILS HEADERS TO LOOP 1A FAIL HEADERS TO LOOP 1B VALVES TO LOOP 1B FAIL FAIL FAIL 1.0E-4 1.0E-4 1.0E-4 1.0E-4 1.0E-4 S-CKV-CC-1A HPR-HDR-1A-F HPI-CKV-CC-1A HPI-CKV-CC-542 HPI-CKV-CC-543 HPR-HDR-1B-F HPI-CKV-CC-1B LOW THROUGH NO FLOW THROUGH NO FLOW THROUGH ER A TO LOOP HEADER B TO LOOP NO FLOW THROUGH HEADER A TO LOOP 1A 1A HEADER B TO LOOP 1B 1B R-HDRA-1A-F HPR-HDRB-1A-F HPR-HDRB-1B-F HPR-HDRA-1B-F NO FLOW TO HPI HEADER B TO LOOP NO FLOW TO HPI HEADER B TO LOOP NO FLOW TO HPI HEADER A TO LOOP NO FLOW TO HPI HEADER A 1A ISOL MOV FAILS HEADER B 1B ISOL MOV FAILS HEADER B 1B ISOL MOV FAILS HEADER B

-3 1.0E-3 1.0E-3 1.0E-3 HPR-HDRA HPI-MOV-CC-636 HPR-HDRB HPI-MOV-CC-647 HPR-HDRA HPI-MOV-CC-646 HPR-HDRB Figure D-3. HPR-TRANS is the Original SPAR Model HPR Fault Tree 44