ML20211D109

Forwards Util Responses to Questions Re Probabilistic Safety Assessment
ML20211D109
Person / Time
Site: Seabrook
Issue date: 02/06/1985
From: Ariuska Garcia
LAWRENCE LIVERMORE NATIONAL LABORATORY
To: Davis S
Office of Nuclear Reactor Regulation
Shared Package
ML20209C800 List:
References
FOIA-87-6 RARE-85-028, RARE-85-28, NUDOCS 8702200327


Text

Lawrence Livermore National Laboratory
NUCLEAR SYSTEMS SAFETY PROGRAM

RARE 85-028
February 6, 1985

Ms. Sarah Davis
Reliability and Risk Assessment Branch
Division of Safety Technology
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

RE: PSNH Responses to Questions on Seabrook Station Probabilistic Safety Assessment

Dear Ms. Davis:

The enclosed material is a copy of a package that I received yesterday from Mr. K. L. Kiper of Public Service of New Hampshire (PSNH). This material is described as the PSNH response to our questions on the Seabrook Station Probabilistic Safety Assessment.

I have not yet had an opportunity to examine the contents in any detail, so I cannot at this time comment on the value of the information contained.

Sincerely,

Abel A. Garcia

Enclosure

cc: T. J. Altenbach
P. G. Prassinos
J. B. Savy
P. J. Amico, ART
J. W. Reed, J. R. Benjamin & Assoc.
P. R. Davis, Consultant

8702200327 870211 PDR FOIA SHOLLYB7-6 PDR

SSP #850065

Public Service of New Hampshire
New Hampshire Yankee Division

January 23, 1985

Mr. Abel Garcia L-95
Lawrence Livermore National Laboratory
P. O. Box 808
Livermore, CA 94550

Dear Mr. Garcia:

Enclosed are our responses to your questions on the Seabrook Station Probabilistic Safety Assessment. I realize these responses may be late in your review process. However, we were unable to provide any more timely support due to our current financial situation. I hope these responses are helpful to you in your review.

If I can be of further assistance, you can reach me at Seabrook Station (phone no. 603/474-9574, ext. 4049).

Sincerely,

K. L. Kiper
Staff Engineer

KLK:lw
Enclosure

P.O. Box 300, Seabrook, NH 03874. Telephone (603) 474-9521

A.1 Sheet 5 of Table 5.2-4 was inadvertently omitted from the final report. The attached sheet should be added to the report, page 5.2-26a.

TABLE 5.2-4 (continued)
Sheet 5 of 5

Support System            Failure Mode                 Systems Affected                      IE Category

5. Primary Component      Lose Both Trains             Containment Spray                     MLD-14
   Cooling Water                                       Residual Heat Removal                 MLD-14
                                                       Safety Injection                      MLD-14
                                                       Charging Pumps                        MLD-14
                                                       Containment Enclosure Air Handling    MLD-14
                                                       Reactor Coolant                       MLD-14

                          Lose One Train               Containment Spray                     TOPS
                                                       Residual Heat Removal                 TOPS
                                                       Safety Injection                      TOPS
                                                       Charging Pumps                        TOPS
                                                       Containment Enclosure Air Handling    TOPS
                                                       Reactor Coolant                       TOPS

6. Secondary Cooling      Lose SCC Water Supply From   Main Feedwater                        SCC
   Water                                               Turbine Generator                     SCC
                                                       Instrument Air                        See Section 4

* New initiating event categories identified by support system FMEA.

A.2 Transient event categories 7 through 16 are somewhat similar. The quantification of the generalized transient tree shows that these categories could be regrouped into four categories:

Group 1 - Reactor Trip (Table 5.4-22a) - used to quantify categories 7, 11, 13, 15, 16.

Group 2 - Total Loss of Main Feed. (Table 5.4-22b) - used to quantify categories 9, 10.

Group 3 - Turbine Trip (Table 5.4-22c) - used to quantify category 8.

Group 4 - LOSP (Table 5.4-22d) - used to quantify categories 12, 14, and 21.

Assuming that aux. (support) systems are available:

a) With successful turbine trip, the MSIV's will remain open for Groups 1, 2, 3 and 4. In group three, because turbine trip is the initiating event, MSIV's are not questioned. If turbine trip fails, all four MSIV's will receive automatic isolation signals (See Table D.6-2 for MSIV closure signals).

b) A safety injection signal is not expected as a direct result of the transient initiators 7 through 16. The primary system is expected to remain intact. Therefore, there are no signals to initiate safety injection.

c) Yes if the startup feed pump is available and starts automatically (group 2 only). For groups 1, 3 and 4 if the emergency feedwater system is unavailable, feed and bleed cooling is required. For group 4, condenser vacuum is lost, resulting in no credit for SDV's. SDV's are considered available for groups 1, 2 and 3 if turbine trip is successful.

d) For SGTR event, the MSIV's remain open assuming turbine trip is successful. Credit is taken for SDV's available if turbine valves close properly. Also, a safety injection signal is assumed in quantifying top event EF. This makes the startup feedpump unavailable. Thus, the only portion of the PCS considered to be available following a SGTR are the SDV's to the condenser.

A.3 For the "incore instrument tube rupture event," the LOCA would be discharging directly into the cavity. The cavity has a volume of about 14,700 ft^3 and thus will accommodate about 30% of the water volume which is injected from the RWST. Once the cavity is filled, the water would overflow onto the containment floor and into the sump. Thus, with the RWST injected, the sump would be full.

[§11.2 Item 4 (p. 11.2-2,3), §5.3.4 para. 4 (p. 5.3-36)]

A.4 Loss of vital 4160 AC bus was considered as an initiator (see Table 5.2-4, p. 5.2-25). It was not included in the final list of initiating events because this loss does not cause a transient, but does lead to a Tech Spec required orderly plant shutdown. During a normal controlled shutdown, the plant is near equilibrium, shutdown proceeds at a controlled rate, and standby systems are started before they are needed. Thus, this is not considered to be an initiating event because it is an insignificant risk contributor.

[p. 5.2-5 last para., p. 5.2-11 last para.]

B.1 SSPSA p. 5.3-22, para. 4 states

With no loss of offsite power and "feed and bleed" cooling in progress, the plant will be cooled down to the point at which the RHR system may be operated in the normal shutdown cooling mode.

The question correctly notes that no credit is taken for this in the GT event tree [p. 5.3-129]; all "f and b" sequences end in high pressure recirculation. No credit is taken because of the uncertainty of RCP operation which is needed to allow cool down of the vessel internals and head. Without RCP operation, it is unlikely that cool down would be quick enough to avoid depleting the RWST before normal RHR cooling can be used.

B.2 a) Turbine trip combined with MSIV closure:

These two system responses are combined in order to simplify the GT event tree. It is assumed that successful operation of either system would alleviate the need to consider PTS. Also, the functions are coupled in that a turbine trip failure would lead to low steam line pressure or high steam pressure rate of change which would generate an auto MSIV isolation signal. [p. 5.3-28 top event TT]

b) PCS cooling combined with emergency feedwater cooling:

These two systems represent the feed (EFW and startup feed pump) and steam removal (ARV or the condenser steam dump valves) for cooling the S/G's. If either system fails, the function, secondary cooling, fails.

The comment "PCS would be considered only if turbine trip succeeded" is correct and is handled in the quantification. For example, see Table 5.4-22a for the GT event tree (given reactor trip) quantification. Under note 2 (p. 5.4-56) EF is quantified to two cases, given turbine trip (TT) success and TT failure.

For TT success, condenser dumps are included in the secondary cooling (SC) number; for TT fail, only the ARV's are included in SC quantification.

B.3 In quantifying the frequency of small LOCA initiating events, the data events were discriminated between isolable and non-isolable SLOCA's and between isolable SLOCA's that were isolated before and after reactor trip. Thus, isolable LOCA's which caused a reactor trip were included in the reactor trip frequency and were handled in the Generalized Transient Tree and quantified in Table 5.4-22a "Reactor Trip". Non-isolable SLOCA's were included in the data for SLOCA initiating events and are modeled in the SLOCA event tree.

B.4 The only effect OM success/failure has on the sequences is that if OM fails then OP (operator controls HPI) is assumed to fail; i.e. if the operators cannot control feedwater, then the likelihood of operator action to throttle HPI is very low (and assumed to be zero).

[p. 5.3-28 OM, 5.3-29 OP, 5.3-32 second para.]

Quantitatively, OM = OP = .022; thus, either operator action failure has the same effect (to threaten the vessel) with the same frequency. Considering OM has very little quantitative effect.

[p. 5.4 - 54.]

B.5 a. The CST limit of 200,000 gal. is based on the Tech. Spec. limit. However, based on operations input, the CST will be run most of the time full or very near full. Thus, credit could be taken for the additional 200,000 gal., which would yield:

3.84 x 10^9 Btu / 3.24 x 10^6 Btu/sec = 1180 full power seconds

= 40 hours after shutdown

[See Appendix B.2]

In addition, credit could be taken for the water in the S/G's (89 full power seconds).

b. The event ON (plant stabilization and cooldown) is included for completeness, i.e. keeping the plant in a stable state. It includes operator actions such as assuring makeup to the CST, controlling EFW and HPI, etc.

B.6 The time to core melt for sequences with Seal LOCA (NL) is discussed in several places in the report for different reasons, as follows:

- On p. 5.3-29, top event ON, the statement is made that:

"Analysis of the Seal LOCA event indicates core uncovery approximately 14 hours after PCC failure with the secondary cooling function operating, i.e. EF and ON successful."

- The basis for this statement is in App. B.4, which estimates the time to core uncovery from a Seal LOCA. The calculation yields 8.9 hours for 20 gpm/pump leak. It would appear that depressurization was not considered in this calculation since depressurization would reduce the leak rate.

- On p. 11.5-34 (Fig. 11.5-10), time to core uncovery is given for various pump seal leak rates, for no depressurization. This yields 15.6 hrs. to core uncovery for 20 gpm/pump leak.

Thus, with EFW available, the Seal LOCA should always go to a late melt (9 hr to 16 hr). Assuming early melt for EF successful and ON failure is conservative.

B.7 TT and OM and (RW or HP) -- early, high pressure melt

Operator fails to control EFW (5) includes both overfeed (PTS concern) and overthrottle (EFW failure). In this sequence, the operator action modeled is overthrottle to the extent that S/G's boil dry and/or EFW is lost due to pump overheating [p. 10.3-12, para. 5].

This is assumed to preclude near-term cooling with SG's [p. 5.3-32, para. 2]. Since HPI is also not available, early core melt results.


B.8 Containment isolation (CI) successful implies that the containment isolation signal has been generated and received and containment isolation valves have closed. This includes the 8" diameter containment purge valves. Sequences with CI successful go to plant states A, C or D, depending on availability of containment spray and HX's.

When containment isolation (CI) fails, the question is asked how does it fail - what is the size of the opening. For sequences with containment spray successful, this question is not important for several reasons: the release is reduced in magnitude because of the filtering effect of spray; more importantly, these plant damage states (E states) map to release category S6 which is an extremely unlikely release (annual frequency of 7 x 10[exponent illegible]). Thus, it is not important to make a distinction between large and small containment isolation failure.

When containment isolation fails in sequences with containment spray failed, the distinction between large and small containment isolation failure is important. For example, with CI failed, the 8" diameter purge valves will fail if they are open (due to no signal to close). They are permitted to be open 1000 hr per year by Tech Specs. This large isolation failure is classified as greater than 3" diameter opening and is assigned to plant states F which map to release category S6V (frequency = 2.4 x 10[exponent illegible]/yr). Small isolation failure is classified as less than 3" diameter opening and is assigned to plant states FP which map to release categories S2 (3.2 E-7) and S2V (1.8 E-5).

[p. 11.4-6; p. 5.3-132 LTI Event Tree; p. 5.4-147 quantification.]

B.9 The statement referenced is on page 5.3-39, para. 2.

Small LOCA's are in the size of 0.5 to 2 inch diameter openings. In this range leak rates are sufficiently low that the RWST would supply makeup for 24 hours. By that time, make up to the RWST from the demin water supply could be in place. Also, the leak rate would decrease as the primary pressure was reduced.

From the W ERG's (p. TE-1-41), the leak rate after 30 min. for a 2-inch break is about 40 lb/sec (287 gpm) at 1000 psia. For the volume of 450,000 gal. in the RWST, a leak of 287 gpm would drain the tank in 26 hours. The leak would decrease as the plant was cooled down and put on RHR shutdown cooling.

B.10 Manual reset of all automatic protective actions is provided through the SSPS. This gives the operators the ability to terminate a protective function when it is judged that the function is no longer required. [p. D.6-15]

In order to restore operator control of HPI after SI signal (SIS), the operator must reset the SIS by holding the SI reset switch momentarily in reset. However, this action cannot take place until after 60 seconds from when the signal was initiated - i.e., the SI timer must run out. This 60 second delay allows the operator time to evaluate the situation to decide if the SI is necessary or not.

With the reset signal generated in coincidence with the P-4 signal (reactor trip), an inhibit signal is placed on any SIS input regardless of its state. Any further degradation of the plant, once this inhibit is initiated, will not reinstate the SIS automatically.

[Detailed Systems Training, Vol. 10, "Integrated Safeguards," p. HO-IS-20].

The operator's procedures require him to assure that HPI is not needed before it is terminated or reduced. This is emphasized in operator training.

3.2 Engineered Safety Feature Actuation Signals

The Reactor Protection System continuously monitors the reactor to insure that the parameters are being maintained in a safe region. Should one or more of these parameters shift out of their safe region (reaching their LSSS) and challenge reactor safety, the Reactor Protection System will generate signals to the ESF systems in order to prevent or mitigate damage to the reactor and releases of radioactive material to the environment. These signals are called Engineered Safety Feature Actuation Signals (ESFAS).

Specific plant conditions could generate one or more ESFAS's and some ESFAS's will generate other ESFAS's. The ESFAS's are:

1. Safety Injection Signal (SIS)
2. Containment Isolation Signal Phase A (CISA)
3. Containment Ventilation Isolation Signal (CVIS)
4. Main Steam Line Isolation Signal (MSLIS)
5. Containment Spray Actuation Signal (CSAS)
6. Containment Isolation Signal Phase B (CISB)
7. Feedwater Isolation Signal (FWIS)
8. Emergency Feedwater Actuation Signal (EFAS)
9. Emergency Diesel Generator Startup
10. Control Room Ventilation Isolation Signal

3.2.1 Safety Injection Actuation

The ESFAS that most directly relates to the protection of core integrity is the Safety Injection Signal (SIS) which generates the "S" signal. This signal is directly responsible for shutting down the reactor, if this has not already occurred, maintain it shut down, provide cooling to the core and, by the activation of additional ESFAS's, maintains containment integrity. In order for the 175 to adequately protect the reactor core it must sense key parameters leaving the normal safe readings but act before they reach a point where the reactor is damaged. Besides manual operator initiation there are three conditions which indicate to the RPS or the operator that the core is potentially threatened:

- Low steam line pressure of 585 psig indicating a steamline break accident. (Manually blockable at P-11 setpoint.)

- Low pressurizer pressure of 1785 psig indicating a LOCA or major steam rupture. (Manually blockable at P-11 setpoint.)

- High containment pressure of 4.3 psig indicating a LOCA or a steamline break.

If any of the above conditions arise the RPS generates the SIS. When this signal is actuated it will produce the following results: (Refer to Fig. 3.1, 3.2, 3.3 and Table 3.1).

- A reactor trip is initiated

- All ECCS pumps are started to provide injection flow into the RCS cold legs

- ECCS valves are repositioned to provide injection flowpaths from the RWST into the RCS cold legs

- Accumulator discharge valves are opened (if not already open)

- Emergency Feedwater Pumps start

- Control Room Emergency Cleanup Fans start

- Emergency Diesel Generators start but the output breaker will not shut unless a Loss Of Site Power (LOP) has occurred. If the SI is coincident with LOSP, then the Emergency Power Sequencer (EPS) will sequentially start the ESF equipment at a set sequence and time. (Refer to section 3.2.3).

- Containment integrity is insured by generating additional ESFAS's (CISA, CVIS, and FWIS). These signals will be covered individually later.

Once the SIS is activated, it will remain active until operator action is taken. Even if the initiating signal is lost the SIS output will remain and any component that has been affected by the SIS signal will not respond to any changes demanded by the operator. (With the exception of the "Pull-To-Lock" function found on most pumps or breakers.)

[Figure IS 3.3: Safety Injection Actuation]

In order to restore control of the components to the operator, manual action must be taken. (Refer to Fig. 3.3). However, no action can be taken for the first 60 seconds after the initiating event as the SI timer must run out. The 60 second delay allows the operator time to evaluate the situation in order to decide the proper course of action. After 60 seconds the operator may reset the SIS by holding the SI reset switch momentarily in reset. With the reset signal generated in coincidence with the P-4 signal, an inhibit signal is placed on any SIS input regardless of its state (active or inactive). Note also that any further degradation of the plant, once this inhibit is initiated, will not reinstate the SIS automatically.

Only the manual mode of actuation by the operator is for SIS actuation.

The activation of the reset only provides to the operator the ability to stop (or start equipment) or reposition valves that were affected by the "S" signal. No equipment will automatically change the state it was placed in by the SIS when the reset is initiated, nor will any other ESFAS's generated by the SIS reset. The other ESFAS's activated by the SIS have their own reset switches and are discussed individually later in the text.

When the SIS is reset (along with the other appropriate ESFAS's), the operator must decide the course of action required. If the SI was spurious the operator will now be able to stop all ESF equipment and restore the valve lineups to normal. However, if the plant is in a degraded condition, the procedures will direct the operator to stop equipment or realign valves as necessary to mitigate or prevent damage to the core based on the event at hand.

HO-IS-20 9/83

B.11 Emergency Procedure Guidelines for

- PTS

- termination and/or manual control for HPI or feedwater

were sent.

B.12 This is explained on p. 10.3-12, para. 5:

Excessive throttling of the flow control valves will limit the cooldown rate (and is therefore successful [with regard to reactor vessel integrity]); however, undesirable side effects such as overheating the emergency feedwater pumps due to operation at shutoff head or boiling the S/G's dry are possible.

Thus, "fail to control EFW" (5) includes both fail to throttle (PTS challenge) and over throttle (EFW failure).

In addition, failure of turbine trip and failure of MSIV's to close (TT) causes the steam supply to be unavailable which fails the turbine-driven EFW pump. [p. 5.3-43, para. 3]

[See Question B.7]

B.13 The statement referenced is on p. 5.3-53, para. 1.

MSIV closure signal is generated from the following:

- containment pressure Hi-2

- high steam pressure rate

- low steam line pressure

MSIV closure is assumed to occur due to high containment pressure on MLOCA. (See page 5.3-50 para. 1: containment pressure increases sufficiently to generate an auto containment spray actuation signal). This will cause loss of condenser dumps.

This may not occur immediately so that condenser steam dump valves (SDVs) may be available at the beginning of the sequence. The assumption was made that condenser dumps are available unless loss of condenser or other loss on the secondary side made it unavailable.

This isn't significant quantitatively because of the high unavailability of EFW:

EF(1) = EF' + SC(1) = 2.41 E-2
EF(2) = EF' + SC(2) = 2.43 E-2

where SC(1) = 5.6 E-8 = ARV and SDV
      SC(2) = 1.8 E-4 = ARV only

(p. 5.4-33 MLOCA Event Tree Quantification)

B.14 [See p. 5.3-51, event 4]

Rapidly depressurizing the RCS with S/G's is desirable if HPI is available since HP recirculation cooling would then not be required after switchover.

Also, the nature of medium LOCA's is such that on the upper end (6"), the RCS may depressurize rapidly enough to go immediately onto LPI.

In this size between small and large LOCA, the RCS will depressurize to a certain pressure just due to blowdown out of the opening. This operator action (OD) would be the logical step if the pressure had dropped significantly.

Emergency feedwater is considered because of the desire to depressurize using the S/G's (OD).

B.15 Depletion of RWST is analyzed in Appendix B.1.

With all SI and charging pumps (450 gpm/pump) and containment spray pumps (3300 gpm/pump) the RWST would be depleted in about 40 minutes. Thus, this sequence, with recirc. failed, is an early melt.

For the case where the RWST isolation valves (CBS-V2 and CBS-VS) fail, containment spray fails. Thus the only demand on the RWST comes from HPI (SI and charging pumps). With all four HPI pumps running, the RWST would be depleted in about 3 hours. There is considerable time until core melt since the decay heat is reduced to less than 1% [see p. B-8]. Thus, this sequence is a late melt.

B.16 The statement referenced is on p. 5.3-55, para. 1.

The basis for that assumption is from the FSAR §6.3.2.8 (p. 6.3-18a).

In the event of a design basis LOCA...the combination of the containment pressure and elevation head from the sump would seat the check valves in line between RWST and CBS and RHR pumps (CBS-V3-V7, V55, and V56)* reducing the flow rate out of the tank to 1000 gpm, i.e. the SI and charging pump flow (450 gpm/pump). At this flow rate, at least 10.1 minutes remains above the "empty" alarm for completion of manual actions listed in FSAR Table 6.3-10.

Failure of operator action would affect HP recirculation, but this is not of importance for large LOCA.

B.17 For certain large breaks, there is a possibility that boron precipitation within the reactor vessel could lead to coolant blockage. This is an area of uncertainty and the conservative assumption was made. This could have been treated probabilistically by estimating the likelihood of needing hot leg recirculation.

Instead, it was assumed that every LLOCA sequence required operator aligning the system for hot leg recir (HE). The action was estimated to be performed reliably because of the long time available.

[p. 5.3-62 top event HE]

B.18 The referenced statement is on p. 5.3-57, top events LA and LB.

LA and LB are not identical. In the quantification, the effect of the accumulator (3 out of 4 for success) is put in train A (LA) when both trains are available or when only train A is available. When only train B is available (LA failed as a result of auxiliary system failure or RWST isolation valve failure), the accumulator failure is put into LB. Thus, the accumulators are considered in LA or in LB if LA is failed.

[p. D.8-34]

B.19 The explanation is given on p. 5.3-66, para. 2.

The RHR pumps are assumed to fail long term 11F), given failure of containment enclosure building ventilation (CV). The question asked by LC and LD is "does the pump continue to operate (in the short term) up to the point where it fails due to room overheating (more than 6 hours)." If either pump is successful in the short term, the core melt is late (plant state 6D, 6FP, 6F); if both pumps fail in the short term the core melt is early (plant states 2D, 2FP, 2F).

B.20 If the cont. enclosure building ventilation fails, RHR and CBS pumps fail in the long term (>6 hours). However, there is a possibility that both RHR pumps could fail early (for reasons not associated with CV), leading to an early melt. This is included in Sequences 100-102 [LL2 Event Tree p. 5.3-147]. Only in the large LOCA long term tree is it possible to get an early melt due to RHR failure. Thus, CV was included explicitly to show the sequences that include CV which go to early melt.

According to p. D.7-8, para. 2, the requirement for ventilation would be evaluated later if the assumption of long term failure of ECCS pumps was a major contributor [illegible] has a high reliability (2x10^-5) due to 1 out of 2 system configuration and is not an important contributor.

No study is available that analyzes the temperatures at which ECCS equipment fail.

B.21 It would appear that that decision point is unnecessary.

[See p. 5.3-68, para. 7]

"HPI functioning or not functioning does not materially affect the outcome, however, since reactor trip has occurred."

HPI will be initiated from the SI signal (lo steam line pressure).

According to p. 5.3-68 para. 2, boron injection (HPI) is needed to ensure reactor core subcriticality; however, the SLB0 event tree does not model that.

B.22 a) Potential return to criticality on SLB1:

See FSAR Fig. 15.1 assumes most reactive RCCA stuck fully withdrawn, uncontrollable steam line break.

b) Why is recirculation considered:

While primary coolant is not being lost (unless on feed and bleed cooling), containment spray is needed to cool the containment building. After about one hour at full spray flow (3300 gpm/pump) the RWST would be drained, requiring sump recirculation.

c) Difference in plant response between SLB1 and SLB0 is due to the need for containment spray for SLB inside containment.

Steam Generator Tube Rupture - General Comment

The SGTR event trees developed for the SSPSA are more detailed and complicated because of the attempt to model the varied operator actions in a realistic manner and the need to model the releases in special categories because the release is outside containment.

Several points should be noted. First, while operator actions are very important, the operator has much time in which to act. Second, the SGTR is similar to a general transient except for the operator actions needed and the much lower frequency of occurrence. Third, SGTR contribution to core melt is 1.72 E-6 or 0.7%. Thus, while SGTR is an important licensing issue, it is not to core melt or to health effects.

B.23 The referenced statement is on p. 5.3-78, para. 2.

With uncontrolled safety injection flow, the primary pressure will be high, above the shutoff head of the SI pumps. The charging pumps would maintain the pressure close to the PORV set point, at a flow rate of 150 to 200 gpm per pump [p. 5.3-6]. The flow out the ruptured tube would be less than the charging flow (about 320 gpm at 2400 psia). Thus, in the hypothetical case where the operator does nothing, the RWST (450,000 gal) would be drained in about 19 hours.

A more detailed analysis would be needed to determine the actual time interval but such an analysis is not warranted because of the unrealistic premise of no operator action.

The intent of this paragraph is to demonstrate that, while operator actions are important for SGTR response, there is much time (~24 hours) for the operator to act. Thus, the human actions can be done very reliably.

B.24 Operator action OP (control of HPI) is considered only for turbine trip failure (TT) where PTS is a concern. This is short term operator action.

Operator action to control HPI is also considered in event OR (operator controls the break flow). The operator depressurizes and stabilizes the RCS at a pressure below that of the ruptured S/G (p. 5.3-82).

The long term control of HPI is included in event ON which models any operator actions needed for long term stability. ON also includes operator action to makeup to the RWST if it were needed. Long term operator actions are lumped together in ON because of the long time available (as illustrated in question B.23). [p. 5.3-83]

B.25 Emergency Procedure Guidelines for SGTR were sent.

4 l

.,1

B.26 Event ON adds a total of 21 additional sequences, 9 jdL which are in the subtree K - sequences resulting from Seal LOCA (NL). For sequences in subtree A, event ON allows identification of the normal cooldown (with S/C) and makeup (HP1) sequences that lead to success. ON also allows the modeling of a success where OR or SL have failed because of the large amount of time available for operator action.

While "long term industry response" is not expanded upon, the implication is the kind of support made available following the incidents at TMI, Ginna, etc. This might include technical support and/or spare parts. This response encompasses any support received by the utility 8 hours and more after the incident. [p. 5.3-83]

The only credit taken for "limiting damage done to seals" is in the timing of core damage for sequences involving seal LOCA (NL), EFW failure (EF), and successful operator action (ON). For these sequences, core melt is assumed to be late (> 6 hr.). According to page II.5-14, core melt will occur at 4.0 hours for station blackout (NL) with failure of EFW and no depressurization. Operator action ON includes actions to depressurize which would slow the leak and extend the time to core melt beyond six hours.

B.27 The referenced statement is on p. 5.3-90, para. 4.

The event tree, sequences 288-291, disagrees with the text at this point. Sequences 288 and 289 are "feed and bleed" with OR (operator fails to establish "bleed") and go to late melts. Sequences 292-293 are "feed and bleed" with HP and go to early melts.

Thus, only if HPI is available do the sequences go to late melt. This is based on HPI continuing, eventually lifting the code safeties.

For "feed and bleed" sequences 294-313, see the response to Question B.26 concerning seal LOCA sequences.

It is correct that the "feed and bleed" failure sequences conservatively go to early melts in the GT and SLOCA trees.


B.28 The action to stop the break flow is modeled in operator action OD [p. 5.3-83, para. 3 - Success of EF, failure of HPI and failure of SL]. According to the ERGs, the operator will blow down the unfaulted S/Gs to atmospheric pressure. Performing secondary depressurization concurrent with a SGTR and no HPI will cause rapid depressurization of the RCS. At this point, RHR can provide low pressure injection to make up what is being lost out the ruptured tube.

This success path does depend on the nature of the steam leak and the operator's ability to repair the leak. However, the operator has a large amount of time to perform the necessary actions.

The statement referenced is on p. 5.3-28, para. 2.

C.1 For basis see p. D.11-2, §D.11.1.2.2.

The blowdown of one S/G through an open MSIV is equivalent to an unisolable SLB - which is analyzed in the FSAR chapter 15.


C.2 [Success criteria p. 5.3-45, p. D.8-95]

[Pump flow curve p. 5.3-121]

For breaks up to about 1" diameter with one HPI pump operating:

The RCS will depressurize and an auto reactor trip and SI signal will be generated. Provided that a secondary side heat sink exists, the RCS will reach an equilibrium pressure which corresponds to the pressure at which the liquid phase break flow rate equals the HPI flow rate. [p. TE-1-3 W ERG's E-1]

For breaks between 1" and 2" with one HPI pump operating:

The RCS will depressurize and an auto reactor trip and SI signal will be generated. The level in the RCS will decrease since one HPI pump cannot keep up with the break flow. As soon as the break goes to all steam flow, steam generated in the core can exit out the break, and further system depressurization occurs. HPI flow becomes greater than the break flow and there is no longer a net loss of mass from the system. For hot leg or pressurizer vapor space breaks, the system vent path exists above the level of the core. For a cold leg break, the loop seal region blocks the core from the break and so the core must partially and temporarily uncover in order to create a vent path for the steam to exit through the break. The system draining occurs until such time that the break location uncovers, and break flow switches from two phase to all steam. [p. TE-1-14 W ERG's E-1]


C.3 MLOCA (2" to 6" diameter leak)

Success criteria: 2/4 HPI pump (any 2 pumps)

The MLOCA success criteria is any 2 out of 4 HPI pumps. In the event of a MLOCA, the primary system will depressurize to around 1000 psia (immediately for the 6" diameter break, after about 5 minutes for the 2" diameter break). At this pressure, the pump flow rates for SI and charging pumps are almost identical.

a) The break flow will exceed injection until the liquid level in the RCS drops below the break. At that point, the break will be passing steam at a mass rate which 2/4 HPI pumps can keep up with. The RCS pressure stabilizes at a pressure where the safety injection flow is matching the break flow. [p. TE-1-21 W ERG's E-1]

b) The accumulators will activate for breaks of this size when the RCS depressurizes to 600 psia and will contribute to more rapid core recovery. However, this pressure will be reached much later than for a large LOCA, when the decay heat is much lower. (For example, for a 3" diameter break, the accumulators will discharge at about 20 minutes; decay heat is about 1%). [p. TE-1-20]

c) The flow rates are shown on curves on p. 5.3-121. The rates used in Appendix B analyses are maximum values used to calculate time to depletion of RWST. For success criteria, the pump flow curves were used.


C.4 The criteria used (3/4) was developed into a logic expression as

MS(1) = 6 (MSIV)^2 [p. D.11-11]

The criteria that you propose can be written as MS(1) = (MSIV) [ SIy + ggry + gggyj

= 3 (MSIV)

Thus, the criteria used in the report is conservative by a factor of

This function (MSIV isolation) is dominated by common cause failure so that a change in success criteria would have little effect.

[p. D.11-23]


D.1 Page 10.3-3 para. 2 explains that 10 minutes is a conservative time limit based on the initial time required for the reactor to become critical again because of the plant cooldown. Figure 5.3-30 shows that the reactor power starts to increase about 8.5 minutes following the ATWS event.

As discussed on p. 5.3-98, Westinghouse analysis done for the ERG's has shown that if a reactor trip is generated within 10 minutes, plus a turbine trip within 30 seconds (for LOMF) and EFW within 60 seconds, acceptable consequences result.

[ ERG ECA 1 Background Info., p. 1]


D.2 First, the time assumed for diagnosis is less than one minute. Thus, diagnosis is in a very limited fashion, allowing for checking multiple parameters in the event of a disagreement.

Second, reactor trip is not a "reflex action" because of the cost of a trip ($40/MW hr x 1150 MW x 24 hr ≈ 1 M dollars). In the case of "serious abnormal conditions" where there were multiple failures, it would be the operator's first action. However, in general, a short diagnosis time is the proper operator model.


D.3 [Event tree sketch: GT; RT success / RT fail (ATWS); ON success / ON fail]

The first distribution on p. 10.3-7 is for RT failure. End state 1 is for RT successful. Thus, the first sentence in the second paragraph should read:

"The distribution assigned for RT is:"

Similarly, end state 2 is for ON successful; the second distribution is for ON failure. Thus, it should read, "The distribution assigned for ON (end state 3) is"


D.4 According to p. 10.3-12, para. 5

"Excessive throttling of EFW will limit cooldown rate and is therefore successful. However, undesirable side effects can occur, such as overheating the EFW pumps due to operation at shutoff head or boiling dry the S/Gs."

Event OM is considered because of the potential for PTS if EFW is uncontrolled. Failure of OM is assumed to preclude near term cooling with the S/G's. [p. 5.3-32, para. 2]

Event ON is described as "operator reestablishes long term feedwater control" [p. 5.3-32, para. 2] and models any operator action needed to provide long term secondary cooling.

In the GT tree, sequence 103 [p. 5.3-129] is the only sequence with OM failure to end in success. Sequence 103 includes short term cooling with successful HPI and long term reestablishment of feedwater (ON successful).


D.5 [p. 10.3-11]

Overcooling and boil dry are considered in event OM to simplify the GT, SLOCA, SLBI and SLBO trees. OM failure is assumed to always cause loss of EFW in the short term. This leads to early core melt in all the sequences except where HPI is available to provide short term core cooling. For the sequences where OM fails, HPI successful and RV successful, the long term operation of EFW is questioned in event ON. If ON fails, core melt is late; ON successful ends in a success state or transfer to LT1. [p. 5.3-32, para. 2]

Overcooling is considered with OM failure only if HPI is also available.


D.6 [p. 10.3-13, 5.3-29 top event OP]

Event OP models the operator action necessary to limit RCS repressurization by throttling the HP pumps for sequences where turbine trip has failed - a severe overcooling condition. If the operator fails to control HPI (OP), there is a 1 in 100 chance of vessel failure (RV) [see p. 5.4-54].

The other PTS challenge is in the sequence where the operator fails to control EFW (OM). Event OP is also assumed to fail. The likelihood of RV is again 0.01.


D.7 [p. 10.3-15, para. 4]

Yes, agreed.


D.8 [p. 10.3-15, last para.]

If the operators do not secure the HPI when it is not required, the system will pressurize to the point of lifting the PORV's and safeties. Then, the sequence becomes a "feed and bleed" scenario.


D.9 [p. 10.3-17; see p. 10.1-4 for time interval]

For a core with no feedwater and no makeup, core cooling comes from the S/G inventory and the RCS inventory above the core. The S/G's will dry out after about 1.5 hours (p. B-3) and for a 2" diameter primary leak (the PORV "bleed"), the core will uncover in about 0.5 hours. Thus, the operators have about 2.0 hours to initiate "b. and f."


D.10 [p. 10.1-3, 10.3-8]

As stated on p. 10.3-10, para. 2, event OD1 is operator action to depressurize S/G's in 1/2 hour, event OD2, the same action but over one hour. OD1 was used in event tree ML and OD2 was used in SL, GT, SLBO, and SLBI. The S/G inventory is the basis for the longer time frame in comparison to other plants.


D.11 Operator action OP (control HPI flow) is considered only in sequences where PTS is a concern, i.e. where turbine trip has failed leading to an overcooling event (see event trees: GT, SLOCA, SLBO, SLBI, SGTR). The operator action modeled by OP is throttling HPI to limit RCS repressurization during a severe overcooling condition. [p. 5.3-45]

The operator action where "the LOCA is misdiagnosed as an inadvertent SI and action are taken accordingly" is modeled in the SLOCA tree [p. 10.3-15, para. 1]. While this action is not explicitly modeled, it can be considered to be included in event ON - operator action necessary to assure long term stabilization of the plant.

The operator is guided in this action by the Critical Safety Function Status Trees and Functional Recovery Procedures, part of the TMI mandated SPDS. These procedures guide the operators to maintain the plant within safety limits without having to first diagnose the problem. Thus, if the operator shuts off the HPI when it was needed for a SLOCA, the core cooling would indicate a "not satisfied" condition, instructing the operator to go to Procedure FR-C.1 "Response to Inadequate Core Cooling." The second step in this procedure is "verify ECCS flow in all trains." Thus, the operator is guided to reinitiate HPI even though he may still not have diagnosed the SLOCA.


D.12 a) The SGTR operator actions in §5.3.11 are equivalent to actions in §10.3.9 as follows:

Event OR (operator controls the break flow) includes two operator actions:

OP41 - operator depressurizes the RCS using pressurizer spray and non-faulted S/G's;
OP42 - operator depressurizes the RCS by "feed and bleed" of the primary. [p. 5.3-82]

Event OD (operator depressurizes RCS and provides makeup) includes two operator actions:

OP51 - operator continues to depressurize by "feed and bleed" to the point where RHR shutdown cooling is available.
OP52 - operator continues to depressurize the RCS using non-faulted S/G's, no HPI available.

Thus, in sequence 1: OR = OP41 [p. 5.3-87]

in sequence 31: OR = OP41, OD = OP52 [p. 5.3-88]

in sequence 232: OR = OP42, OD = OP51 [p. 5.3-90]

b) OP53 is a typographical error and should be deleted.

c) The quantification of these operator actions was based on the consultant's engineering judgment and further questions must be deferred to them. The value of 0.05 was used in quantifying operator actions OR and OD in §5.4.


D.13 a) Only in a few cases were components analyzed which don't appear in a flow diagram in Appendix D. In these cases, the components can be found on the complete P&ID.

b) BIT valves are listed on p. D.8-27 and 28 and can be found on flow diagrams on p. D.8-145 and 150.

The instrument air filters [p. D.5-1] were combined with the compressors in the schematic [p. D.5-30] and the reliability block diagram [p. D.5-31]. The failure of a filter would cause failure of a compressor. Thus filter failure causing compressor failure is included in the data for compressor failure.


E.1 The D/Gs are analyzed assuming both water cooling and room ventilation are needed. [p. D.2-34]

The water cooling system (Diesel Engine Component Cooling Water) is a closed loop system cooled by service water. [p. D.2-22]

The D/G building ventilation [p. D.2-23] is designed to remove heat generated during the operation of the D/Gs and to maintain normal temperatures during normal and emergency conditions. Ventilation failure is conservatively assumed to cause immediate failure of the D/G it cools.


E.2 a) No for SWS

[See p. D.3-8 §D.3.1.4.2.1 paragraph 2.]

b) For PCC, the standby pump is auto started if the preferred pump fails to start. From p. D.4-13:

Boundary Condition 1B (loss of offsite power)

PCC-1B = (BB + C') (BB + C') + G + HH

where B represents "either pump in a train needs to start and run for success."


E.3 [See p. B-4]

The Westinghouse core and containment response analyses done in support of the SSPSA assumed a RCP seal leakage of 20 gpm/pump for the first 10 hours and 300 gpm/pump thereafter. This assumption was based on the best information available at the time.

Reference B-2 cites an expected leak rate of 10 to 13 gpm/pump, assumed for 10 hours, with an upper bound leakage of 300 gpm/pump.

[Also, see p. 11.5-13, para. 3 and p. H.2.2-21, para. 1]


E.4 There are several difficulties in following the calculations in Appendix D. First, for logic expressions with squared terms, it is necessary to include a variance term to account for data dependency. In cases where there is a great amount of uncertainty in the data, the variance term can be larger than the squared term alone. The variance can be estimated by assuming the data distributions are lognormal and using a relationship between variance and the lognormal parameters. In order to reproduce the calculations exactly for non-lognormal distributions, it is necessary to use the computer codes used by the consultant (DPD-6).

The second difficulty in following the calculations is that there appear to be a few errors in Appendix D. We have found several in addition to the one you mentioned. However, we have found nothing that affects the system quantification. In a study this large, it is not surprising to find a few errors and typos. However, we are confident that these would not significantly affect the final system results because the consultants who did the analyses evaluated not only the inputs and logic expressions but also the final results. Also, the computer calculational outputs were checked in detail. Thus, the final answer should be correct at a higher level of confidence than the intermediate results in Appendix D.

We plan to update the study in several years and at that time any errors we have found will be corrected. However, we do not anticipate that the errors will propagate beyond intermediate systems results.


E.5 Both UATs or both RATs do trip on a single transformer protective relay actuation. The dependencies could have been treated using the Beta factor model. However, in the risk important case of loss of offsite power, the UATs and RATs do not affect the emergency power availability. Also, the data for LOSP includes some dependent losses of power from trip of UATs and RATs due to protective relay actuation.


E.6 The explanation for the 6 hour mission time for electric power with no offsite power available is given on p. 10.4-2, paragraph 2 and 3.

The six hour mission time, rather than 24 hours, was used to get a realistic number in Section D.2, without factoring in recovery. In the recovery analysis, the diesel operation is taken out to 24 hours with the possibility of recovery. The numbers given in D.2 are conservative, i.e. the effect of recovery is greater than the probability of failure for hours 6 to 24.

Extension of system mission time to 24 hours without considering the effects of recovery would have resulted in very unrealistic estimates of power unavailability, especially where LOSP has occurred.


E.7 Prior to the addition of the RCP thermal barrier cooling water system (which occurred during the time the SSPSA was being done), the loss of one PCCW train (thus one SWS train) would require immediate shutdown because the cooling water supply to two RCP's is lost.

However, with the RCP thermal barrier cooling water system, either PCCW (and thus either SWS) train is sufficient to cool seals on all four RCPs.

The T.S. requires two SW loops to be operable and allows 72 hours to restore an inoperable loop before shutting down.

Thus, the plant could operate at reduced power for up to 72 hours with only one SW train. Operationally, one loop SW operation at power would occur only if the other train could be restored in a short time.


PLANT SYSTEMS

3/4.7.4 SERVICE WATER SYSTEM

LIMITING CONDITION FOR OPERATION

3.7.4 At least two independent service water loops shall be OPERABLE.

APPLICABILITY: MODES 1, 2, 3 and 4

ACTION:

With only one service water loop OPERABLE, restore at least two loops to OPERABLE status within 72 hours or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours.

SURVEILLANCE REQUIREMENTS

4.7.4 At least two service water loops shall be demonstrated OPERABLE:

a. At least once per 31 days by verifying that each valve (manual, power operated or automatic) servicing safety related equipment that is not locked, sealed, or otherwise secured in position, is in its correct position.
b. At least once per 18 months during shutdown, by verifying that each automatic valve servicing safety related equipment actuates to its correct position on a test signal.

Seabrook - Units 1 & 2, 3/4 7-12

E.8 The unavailabilities of PCC (hardware) and PAH (hardware) are on the same order:

[p. D.4-45]
      PCC        PAH
1B    1.48 E-6   5.48 E-6

If the normal ventilation were considered, and assuming it was on the order of 10^-3 (based on ventilation fans and damper valves), the effect of ventilation would be insignificant.

5.48 E-6 x 1.0 E-3 ≈ 5. E-9 << 1.48 E-6

E.9 FW-V-57, 30, 39, 48 = (No fail position) are main feed isolation valves which fail in the "as is" position as listed in Table D.5-4. Page D.5-4, §D.5.1.4.2.3 should be corrected to read:

"failure of the compressed air system... meaning that the feedwater control valves close causing a plant trip due to loss of feedwater."

Thus, loss of instrument air leads to loss of feedwater transient.

It is the feedwater flow control valves (FW-FCV-540, 510, 520, 530) and bypass valves (FW-LV-4240, 4210, 4220, 4230) that fail closed on loss of instrument air.


E.10 Once air gets to the common supply headers, it is assumed that its path is unobstructed to the equipment it serves due to the very small failure rate attributable to piping [p. D.5-6, §D.5.2.1.1].

Also, the system contains check valves and normally open gate valves. The failure rate for "transfer closed" is very low (1.0 E-8/hr).

Because the IA system supports plant operation, there is no operator error included for mispositioning isolation valves. This error, if it occurs, could lead to a plant trip (which is quantified).


E.11 Loss of a 120V AC instrument bus will result in generation of a trip signal to the SSPS logic matrices for all signals except containment pressure Hi-3. Instrument power is required for the generation of a Hi-3 containment pressure signal because of the desire to avoid inadvertent containment spray. [p. D.6-27] Instrument buses are shown in Figure D.6-5 for display purposes; they are correctly modeled in the SSPS logic expressions. [p. D.6-25 to 29]

SSPS and ESFAS trains are top events in the Aux. System event tree.

Failure of an SSPS train will disable the corresponding ESFAS train. The ESFAS master and slave relays are powered by the same instrument bus in each train. ESFAS unavailability, including contribution from 120V AC instrument bus failures, was analyzed only with SSPS trains successful. Also, loss of instrument buses 3 and 4 [rather than 2 and 3 as indicated on p. D.6-30] will result in failure of ESFAS but will not fail SSPS.

Thus, the "loss of 120V AC instrument bus" event was not double accounted in SSPS and ESFAS quantification. The analyses simply took into account the different combinations of component failure.


E.12 a) For both support train available boundary condition, the logic expression for block PC4PJ is correct. [p. D.6-36] Failure of both input relays of a parameter channel is a minimal cut set.

For single support train boundary condition, the block PCd-j [see p. D.6-36] should have been:

PC = (bistable + pressure transmitter + signal modifier + cable) (6 hours) + (input relay)

where input relay = input relay in the unaffected train.

This does affect the quantification of PC (3.3 E-4 rather than 9.10 E-5); however, this has no effect on the quantification of SSPS because the term PC is at least squared in each case.

b) "Output relays" in the SSPS output cabinets are actually the master relays and slave relays quantified in ESFAS unavailabilities.

E.13 a) Only in a few cases were components analyzed which don't appear in a flow diagram in Appendix D. In these cases, the components can be found on the complete P&ID.

b) BIT valves are listed on p. D.8-27 and 28 and can be found on flow diagrams on p. D.8-145 and 150.

The instrument air filters [p. D.5-1] were combined with the compressors in the schematic [p. D.5-30] and the reliability block diagram [p. D.5-31]. The failure of a filter would cause failure of a compressor. Thus filter failure causing compressor failure is included in the data for compressor failure.


E.14 No:

As with other new Westinghouse plants, the need for BIT at Seabrook is being analyzed. Most likely it will be removed or at least surrounded by locked closed valves.


E.15 ARVs are designed to fail closed. Thus, failure of the actuation or control systems would cause the valves to fail in the closed position.

Also, the ARVs can be operated locally without power [p. D.11-6].


F.1 [see p. 4.3-56]

It was not assumed that passive components are not subject to common cause failure. However, it was judged that the contribution from common cause failures of passive components is insignificant because of the low failure rates.


F.2 The failure data for disc rupture is given in Table 6.2-1, component #31 and on p. 6.6-5. (Mean = 1.55 E-8/hr)

The calculation for "cold leg injection and shutdown cooling," disc rupture for two series check valves [p. 6.6-4] is detailed below:

For a single path:

<λ path> = 1/2 λ^2 T = 1/2 [λ^2 ind + var.] T

where
λ^2 ind = independent failure data distribution squared = (1.55 E-8/hr x 8760 hr/1 yr)^2
var = variance term based on data dependency = 5.16 E-7/yr
T = 1 year

Thus, <λ path> = 2.6 E-7/year

The variance term is so large because of the large uncertainty in the data. There are four injection paths. Thus, failure of injection path is given as:

4 x 2.6 E-7/yr = 1.04 E-6/yr

The quantification for other failure sequences are similar to the above calculation.
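The variance-term arithmetic described in responses E.4 and F.2, carried through numerically as an added example (not code from the SSPSA or from the consultant's DPD-6 code). It goes one step beyond the text by back-computing the lognormal sigma and error factor implied by the quoted variance; the lognormal shape, the 95th-percentile/median definition of error factor, and all function names are assumptions made for illustration.

```python
"""Added illustration: squared-term quantification with a variance term."""
import math

HOURS_PER_YEAR = 8760.0
Z_95 = 1.645  # standard normal 95th percentile (assumed error-factor basis)


def mean_of_square(mean, variance):
    """E[lam^2] when both valves share one uncertain rate: mean^2 + Var[lam]."""
    return mean ** 2 + variance


def path_frequency(mean_per_yr, variance, t_years=1.0):
    """<lam_path> = 1/2 * E[lam^2] * T, the form quoted in response F.2."""
    return 0.5 * mean_of_square(mean_per_yr, variance) * t_years


def lognormal_from_moments(mean, variance):
    """Return (mu, sigma) of the lognormal with the given mean and variance."""
    sigma_sq = math.log(1.0 + variance / mean ** 2)
    mu = math.log(mean) - sigma_sq / 2.0
    return mu, math.sqrt(sigma_sq)


def lognormal_moment(mu, sigma, n):
    """n-th raw moment of a lognormal: exp(n*mu + n^2*sigma^2/2)."""
    return math.exp(n * mu + 0.5 * (n * sigma) ** 2)


def f2_worked_example():
    """Reproduce the F.2 numbers from the values printed on the page."""
    mean = 1.55e-8 * HOURS_PER_YEAR      # disc rupture mean, per year
    variance = 5.16e-7                   # variance term quoted in F.2
    independent_only = 0.5 * mean ** 2   # what you get if the variance is dropped
    path = path_frequency(mean, variance)
    mu, sigma = lognormal_from_moments(mean, variance)
    return {
        "mean_per_yr": mean,
        "independent_only_per_yr": independent_only,
        "path_per_yr": path,              # page quotes 2.6 E-7/yr
        "four_paths_per_yr": 4.0 * path,  # page quotes 1.04 E-6/yr
        "sigma": sigma,
        "error_factor": math.exp(Z_95 * sigma),
        "dependent_over_independent": path / independent_only,
        "lognormal_second_moment": lognormal_moment(mu, sigma, 2),
    }


if __name__ == "__main__":
    for name, value in f2_worked_example().items():
        print(f"{name:28s} {value:.4g}")
```

Dropping the variance term would understate the single-path frequency by a factor of about 29 for this data, which is the point response E.4 makes about squared terms with highly uncertain inputs.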


G.1 (see SMA analysis details)
