ML20090H871

Interim Reliability Evaluation Program:Analysis of the Calvert Cliffs Unit 1 Nuclear Power Plant.Volume 1.Main Report
Person / Time
Site: Calvert Cliffs
Issue date: 05/31/1984
From: Payne A
SANDIA NATIONAL LABORATORIES
To:
NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
References
CON-FIN-A-1241 NUREG-CR-3511, NUREG-CR-3511-V01, NUREG-CR-3511-V1, SAND83-2086, NUDOCS 8405220017


Text

NUREG/CR-3511/1 of 2
SAND83-2086/1 of 2
AN, RG
Printed March 1984

Interim Reliability Evaluation Program: Analysis of the Calvert Cliffs Unit 1 Nuclear Power Plant
Volume 1. Main Report

Arthur C. Payne, Jr., Principal Investigator

Prepared by Sandia National Laboratories, Albuquerque, New Mexico 87185 and Livermore, California 94550, for the United States Department of Energy under Contract DE-AC04-76DP00/r3


Prepared for
U. S. NUCLEAR REGULATORY COMMISSION

8405220017 840531 PDR ADOCK 05000317 P PDR

NOTICE

This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party's use, or the results of such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights.

Available from GPO Sales Program, Division of Technical Information and Document Control, US Nuclear Regulatory Commission, Washington, D.C. 20555 and National Technical Information Service, Springfield, Virginia 22161

NUREG/CR-3511/1 of 2
SAND83-2086/1 of 2
AN, RG

INTERIM RELIABILITY EVALUATION PROGRAM:
ANALYSIS OF THE CALVERT CLIFFS UNIT 1 NUCLEAR POWER PLANT
VOLUME 1
MAIN REPORT

MARCH 1984

A. C. Payne, Jr., S. M. Davis, D. W. Stack, D. R. Lasher, N. L. Brisbin, P. D. O'Reilly, S. W. Hatch
U. S. Nuclear Regulatory Commission; Sandia National Laboratories

S. H. McAhren, J. J. O'Neill
Remote Sensing, Inc.; Evaluation Associates, Inc.

B. Atefi, S. M. Davis, W. L. Ferrell, R. N. Hunt, W. S. Galyean
Baltimore Gas & Electric Co.

A. A. Garcia, J. E. Kelly, S. Lainoff, M. Modarres, J. Held, M. Raeisinia
Energy, Inc.; Science Applications, Inc.

M. I. Roush
University of Maryland

Sandia National Laboratories, Albuquerque, New Mexico 87185
Operated by Sandia Corporation for the U. S. Department of Energy

Prepared for Division of Risk Analysis, Office of Nuclear Regulatory Research, U. S. Nuclear Regulatory Commission, Washington, D. C. 20555
Under Memorandum of Understanding DOE 40-550-75
NRC FIN No. A1241

TABLE OF CONTENTS
VOLUME 1 - MAIN REPORT

Executive Summary
Summary
Chapter 1 - Introduction
1.1 IREP Overview
1.2 Calvert Cliffs Unit 1 Analysis Team Makeup
Chapter 2 - General Methodology
2.1 Information Base
2.2 Methodology
Chapter 3 - Plant Design
3.1 Basic Information
3.2 Plant Functions
3.2.1 LOCA Mitigating Functions
3.2.2 Transient Mitigating Functions
3.3 System Dependencies
Chapter 4 - Initiating Events
4.1 Introduction
4.2 Initiating Events Chosen for Calvert Cliffs Unit 1
4.2.1 LOCA Initiating Events
4.2.2 Transient Initiating Events
4.2.2.1 Service Water System Analysis
4.2.2.2 Emergency AC Power Bus Analysis
4.2.2.3 Emergency DC Power Bus Analysis
4.2.2.4 Instrument Air System Analysis
4.2.2.5 Component Cooling Water System Analysis
4.2.2.6 Salt Water System Analysis
4.2.2.7 Heating and Ventilation System Analysis
4.3 Description of the Calvert Cliffs Unit 1 Initiating Events
Chapter 5 - Accident Sequence Delineation
5.1 Introduction
5.2 CC-1 Functional Event Trees
5.2.1 LOCA Functional Event Trees
5.2.1.1 Large LOCA Functional Dependencies
5.2.1.2 Small and Small-Small LOCA Functional Dependencies
5.2.1.3 LOCA Functional Accident Sequence Descriptions
5.2.2 Transient Functional Event Tree
5.2.2.1 Transient Functional Dependencies
5.2.2.2 Transient Functional Accident Sequence Descriptions
5.3 CC-1 Systemic Event Trees
Chapter 6 - Systems Analysis
6.0 Introduction
6.1 Methodology and General Assumptions
6.2 Safety Injection Tanks (SITs)
6.3 Low Pressure Safety Injection/Recirculation System (LPSI/R)
6.4 Containment Air Recirculation and Cooling System (CARCS)
6.5 Containment Spray/Shutdown Heat Exchanger System (CSS/SDHX)
6.6 High Pressure Safety Injection/Recirculation System (HPSI/R)
6.7 Reactor Protection System (RPS)
6.8 Power Conversion and Secondary Steam Relief Systems (PCS)
6.9 Auxiliary Feedwater System (AFW)
6.10 Power Operated Relief Valves (PORV)
6.11 Chemical and Volume Control System (CVCS)
6.12 Code Safety Valves (SRV)
6.13 Electrical Power System (Emerg. AC and DC Systems)
6.14 Engineered Safety Features Actuation System (ESFAS)
6.15 Service Water System (SRWS)
6.16 Component Cooling Water System (CCWS)
6.17 Salt Water System (SWS)
6.18 Heating and Ventilation
6.18.1 Description (Diesel Generator Room Ventilation System)
6.18.2 Description (ECCS Pump Room Cooling)
Chapter 7 - Accident Sequence Quantifications
7.1 Introduction
7.2 Screening Quantification
7.3 Final Quantification
7.4 Example Calculation
Chapter 8 - Results
8.1 Dominant Accident Sequences
8.1.1 ATWS(PSF)
8.1.2 TDCL - Sequence TDC-82
8.1.3 S2H - Sequence S2-50
8.1.4 S2FH - Sequence S2-52
8.1.5 T2L - Sequence T2-82
8.1.6 T4KU - Sequence T4-173
8.1.7 T4ML - Sequence T4-147
8.1.8 T1Q-D"CC' - Sequence T1-81-65
8.1.9 T1L - Sequence T1-82
8.1.10 Station Blackout
8.1.11 T4KQ - Sequence T4-152
8.1.12 T3KU - Sequence T3-139
8.1.13 T3KQ - Sequence T3-118
8.1.14 T3ML - Sequence T3-113
8.1.15 S2D" - Sequence S2-59
8.1.16 T1LCC' - Sequence T1-85
8.2 Containment Response and Determination of Release Categories
8.3 Sensitivities
8.4 Limitations of the IREP Methodology and Analysis and Future Uses of the Models
8.4.1 Application of Results
8.4.2 Conclusions on the Applications of IREP
References

ACKNOWLEDGEMENT

The efforts of the Quality Assurance Review Team which periodically reviewed the conduct of the work and provided technical guidance are acknowledged. This team consisted of:

David D. Carlson, Sandia National Laboratories
Jack W. Hickman, Sandia National Laboratories
Gregory J. Kolb, Sandia National Laboratories
Joseph A. Murphy, U. S. Nuclear Regulatory Commission
Kenneth Murphy, U. S. Nuclear Regulatory Commission
Jonathan Young, Energy, Inc.

In the area of human factors, we wish to thank Barbara Bell of Battelle Columbus Laboratories and Dwight Miller of Sandia National Laboratories for guiding the team in the human error calculations.

The authors also would like to thank Molly Preston, Vickie Black and Robin Cassell for their help in typing this report.

Executive Summary

This report presents the results of the analysis of Calvert Cliffs Unit 1 Nuclear Power Plant. The analysis was performed as part of the Interim Reliability Evaluation Program (IREP). Two of the IREP objectives are addressed by this analysis. They are (1) the identification of those accident sequences which can be expected to dominate the risk related to the operation of Calvert Cliffs Unit 1, and (2) the development of system models that can be used for future, more extensive probabilistic risk assessments of Calvert Cliffs Unit 1.

The analysis used fault tree and event tree models as the primary tools to evaluate the risk due to a core melt at Calvert Cliffs. Core melt sequences initiated by one of three break-size LOCAs or one of six categories of transients were evaluated, and the dominant (i.e., highest frequency) sequences were further analyzed to estimate the magnitude and frequency of radionuclide release. The accident sequences were then placed into the release categories defined in the Reactor Safety Study [11].

The most significant sequences contributing to the core melt frequency are (1) Anticipated Transients Without Scram (ATWS) (33% of the total core melt frequency), (2) Small-small LOCAs (i.e., 1.95 to 3" in diameter) with makeup system failure in the recirculation phase (20% of the total core melt frequency), (3) the loss of a DC bus followed by failure of secondary heat removal (16% of the total core melt frequency), and (4) Loss of Offsite Power followed by failure of secondary heat removal or a stuck open relief valve (12% of the total core melt frequency).

Insights were developed concerning the importance of plant design features. For example, several single failures were identified in the systems called upon to mitigate accidents and in their support systems. Support systems, e.g., AC/DC power, room cooling and service water, were modeled in detail and found to be important contributors to risk. The analysis led to the identification of key components/events that contribute most to the core melt frequency.

Similar insights were developed concerning plant operations. Operator errors made during the course of accidents were found to be significant. Some changes to plant procedures could be made based on this analysis in order to take greater advantage of possible operator actions. Operator recovery actions were very important in preventing or mitigating accidents. Test and maintenance contributions were, in general, small; however, maintenance of several key components was found to be a significant contributor to particular sequences.

The estimated core melt frequency for Calvert Cliffs Unit 1 (CC-1) is similar to the values predicted by probabilistic risk assessments of other pressurized water reactors.

Summary

This section summarizes the Calvert Cliffs Unit 1 dominant accident sequences, engineering insights gained via the analysis, changes to the design and operation of the plant as the result of this study and sensitivity analyses done on the dominant sequences. These topics are briefly discussed below. A more detailed discussion can be found in Chapter 8. While a PRA has already been done on Calvert Cliffs Unit 2 [9], a detailed comparison of the differences between the two analyses is not made here. The reader is referred to the paper referenced below for such a comparison.*

Dominant Accident Sequences

Accident sequences are combinations of system failures following an initiating event such as a LOCA, which lead to some mode of containment failure. Sequences which were determined to lead to core melt were examined and quantified. Those core melt sequences which had an initial frequency greater than 1.0E-6/yr were then recalculated, considering recovery actions, and a new sequence frequency was derived. (For a detailed discussion of this application of recovery to each sequence, see the recovery discussions in Chapter 8 and Appendix C.)

Those sequences which still had a frequency greater than 1.0E-6/yr were considered to be the dominant contributors to core melt (see Table S-1). These sequences were further analyzed to determine the probability of containment failure by five different mechanisms: in-vessel steam explosion (α), containment leakage (β), hydrogen burning (γ), overpressurization (δ), and basemat meltthrough (ε). The dominant accident sequences were then assigned to release categories, and the results are presented in Table S-2 and Figure S-1. (Release categories define the severity of the post core melt radioactive material release from containment. Category 1 is the most severe and Category 7 is the least severe.)

Sequence ATWS(PSF)**

This sequence is an anticipated transient without scram (ATWS) followed by reduced secondary heat removal capacity (i.e., either power conversion system (PCS) in a runback mode and/or auxiliary feedwater (AFW)). The resulting imbalance between the energy production and removal rates leads to the heatup of the primary system and an increase in system pressure. Primary system failure (PSF) is assessed to occur and result in core melt if the pressure exceeds the service level C (3200 psia) limit. Such pressures can result in system damage severe enough to make continued reactor core cooling highly questionable. For instance, core melt can result from a LOCA induced by the overpressure with simultaneous failure of all LOCA mitigating systems. Containment failure is predicted to occur, most likely, by hydrogen burn and/or overpressure.

Because this sequence is driven by phenomenological considerations, it was not explicitly modeled on the event trees and an independent calculation of its frequency was done. The resulting estimate is 2.8E-5/yr, and it contributes 20% of the total core melt frequency. (A detailed discussion of the calculation is presented in Chapter 8.)

* G. J. Kolb and A. C. Payne, Jr., Sandia National Laboratories, "A Review and Analysis of Insights from Plant Transients as gained from the Interim Reliability Evaluation Program," Proceedings of the ANS Topical Meeting on Anticipated and Abnormal Transients in Light Water Reactors, Jackson, Wy., September 26-29, 1983 (to be published).

** See the sensitivity analysis involving the sequence in Section 8.3.

Sequence TDC-82 (TDCL)

In this sequence, a failure of DC bus 11 (TDC) results in a trip of units 1 and 2 and failure of the PCS and the AFW motor-driven pump #13 with degradation of the safety systems. The plant scrams successfully, but AFW (L) subsequently fails. The Containment Air Recirculation and Cooling System (CARCS) and the Containment Spray System, Injection (CSSI) succeed and cool the containment. As a result of the lack of secondary heat removal, the core inventory boils off through the cycling open of the PORVs. No credit is given for feed and bleed due to the low head of the HPSI pumps and the uncertainty as to whether or not the pressure could be reduced enough for the HPSI pumps to be able to inject water [24, 25]. Recent calculations done by EG&G for the Station Blackout Program [26] indicate that approximately 86 minutes is available to start an AFW pump in order to prevent core uncovery. Containment failure is predicted to be, most likely, by hydrogen burn and/or overpressure.

The sequence frequency is estimated as 2.1E-5/yr and contributes 16% of the total core melt frequency. The dominant contributors to this sequence are single failures in the AFW turbine-driven pump #11 train combined with failure of the operator to start the locked-out turbine-driven AFW pump #12.

Sequence S2-50 (S2H)

In this sequence, a small-small LOCA (S2) occurs followed by successful scram and operation of AFW and High Pressure Safety Injection (HPSI) providing both secondary heat removal and primary system makeup. When the Refueling Water Tank (RWT) depletes and switchover to recirculation occurs (anywhere from 4 to 12 hours into the transient depending on the size of the leak), High Pressure Safety Recirculation (HPSR) (H) fails. Due to the lack of primary makeup, the core then uncovers and core melt ensues. CARCS and the Containment Spray System, Recirculation (CSSR) succeed and cool the containment. Containment failure is predicted to be, most likely, by hydrogen burn and/or overpressure.

The sequence frequency is estimated as 1.4E-5/yr and contributes 11% of the total core melt frequency. The dominant contributors to this sequence are of two types: (1) failures of HPSR pump #13 combined with failures of room cooling to the other two HPSR pumps (they are in the same room and failure of room cooling results in both pumps failing) or (2) failures of the Component Cooling Water (CCW) system or Salt Water System (SWS) resulting in loss of pump seal cooling and failure of all HPSR pumps.

Sequence S2-52 (S2FH)

In this sequence, a Small-small LOCA (S2) occurs and is followed by successful scram and operation of AFW and HPSI providing both secondary heat removal and makeup. When the RWT depletes and switchover to recirculation occurs (anywhere from 4 to 12 hours into the accident), HPSR (H) and CSSR (F) fail. Due to the lack of primary makeup, the core then uncovers and core melt ensues. CARCS succeeds and cools the containment. Containment failure is predicted to be, most likely, by hydrogen burn and/or overpressure.

The sequence frequency is estimated as 1.1E-5/yr and contributes 9% of the total core melt frequency. The dominant contributors to this sequence are failures in each train of room cooling to the two Engineered Safety Features (ESF) pump rooms. These result in failure of all HPSR and CSSR pumps.

Sequence T2-82 (T2L)

In this sequence, a loss of PCS (T2) occurs and is followed by a loss of AFW (L). The reactor has scrammed and CARCS and CSSI succeed and cool the containment. As a result of the loss of secondary heat removal, the core inventory boils off through the cycling open of the PORVs. No credit is given for use of feed and bleed due to information presented in References 23 and 24. Recent calculations done by EG&G for the Station Blackout program [26] indicate that 86 minutes is available to start an AFW pump in order to prevent core uncovery. Containment failure is predicted to be, most likely, by hydrogen burn and/or overpressure.

The frequency of this sequence is estimated to be 7.1E-6/yr, and it contributes 6% of the total core melt frequency. The dominant contributors to this sequence are (1) failure of the common suction line valve resulting in failure of all operating AFW pumps combined with failure of the operator to realign the AFW suction to an alternate supply and start the locked-out turbine-driven AFW pump, and (2) double failures of both operating AFW pumps combined with failure of the operator to start the locked-out turbine-driven AFW pump.

Sequence T4-173 (T4KU)

This sequence is a T4 (all other) transient followed by a failure to scram (K) and failure of emergency boration (U). The reactor vessel has survived the initial pressure transient due to an assessed Power Conversion System (PCS) runback. CE analyses [21] and the NRC analysis in support of the ATWS rule [22] state that greater than 10 minutes are available for the operator to initiate emergency boration. In this study, we have assessed that, if the operator fails to start shutting the reactor down within 20-30 minutes, core melt will result. Containment failure is predicted to occur, most likely, by hydrogen burn and/or overpressure.

This sequence frequency is estimated as 6.7E-6/yr and contributes 5% of the total core melt frequency. The dominant contributor to this sequence is common mode failure of the Reactor Protection System to insert any control rods combined with failure of the operator to initiate emergency boration.

Sequence T4-147 (T4ML)

In this sequence, a T4 (all other) transient occurs and is followed by a loss of PCS (M) and AFW (L). The reactor has scrammed and CARCS and CSSI succeed and cool the containment. As a result of the loss of secondary heat removal, the core inventory boils off through the cycling open of the PORVs. No credit is given for feed and bleed due to information presented in References 23 and 24. Recent calculations done by EG&G for the Station Blackout program [26] indicate that 86 minutes are available to start an AFW pump in order to prevent core uncovery. Containment failure is predicted to be, most likely, by hydrogen burn and/or overpressure.

The sequence frequency is estimated as 6.3E-6/yr and contributes 5% of the total core melt frequency. The dominant contributor to this sequence is failure of 120 VAC inverter #11 (which fails PCS and results in failure to actuate the motor-driven AFW pump) combined with various single failures of the AFW turbine-driven pump and failure of the operator to manually actuate the motor-driven pump from the control room.

Sequence T1-81-65 (T1Q-D"CC')

This sequence is a loss of offsite power (T1) followed by a transient-induced LOCA (Q). AFW works but HPSI (D"), CSSI (C') and CARCS (C) fail. Due to the lack of primary system makeup, the core uncovers in about 1 hour (see the EG&G Station Blackout Analysis [26]) and core melt ensues. Containment failure is predicted to be, most likely, by overpressure.

The frequency of this sequence is estimated to be 5.3E-6/yr and contributes 4% of the total core melt frequency. The dominant contributors to this sequence are various failures of AC power train A combined with failures of AC power train B. The resulting lack of AC power fails all core and containment cooling systems except the turbine-driven AFW pump.

Sequence T1-82 (T1L)

This sequence is initiated by a loss of offsite power (T1) followed by failure of AFW (L). The plant scrams successfully and CARCS and CSSI succeed and cool the containment. As a result of the loss of secondary heat removal, the core inventory boils off through the cycling open of the PORVs. No credit is given for feed and bleed due to the information presented in References 24 and 25. Recent calculations done by EG&G for the Station Blackout program [26] indicate that approximately 86 minutes is available to start an AFW pump in order to prevent core uncovery. Containment failure is predicted to be, most likely, by hydrogen burn and/or overpressure.

The sequence frequency is estimated as 4.9E-6/yr and contributes 4% of the total core melt frequency. The dominant contributors to this sequence are failure of the AFW motor-driven pump due to failures of train A of onsite AC power combined with failure of the AFW turbine-driven pump #11 and failure of the operator to start the locked-out turbine-driven AFW pump #12 and failure to restore offsite power in order to restart the motor-driven AFW pump.

Sequence Blackout

The Blackout sequence was not modeled explicitly on the event trees. This sequence is a new sequence identified by the Station Blackout Program [17]. The usual sequence modeled in most PRAs is loss of offsite power followed by loss of all onsite AC power and immediate failure of AFW due to hardware or DC power faults (see sequence T1-05). While this usual sequence was identified in the Station Blackout Program and in this study as a dominant sequence, it was not as likely as the Blackout sequence. The Blackout sequence consists of a loss of offsite power followed by the loss of all onsite AC power and successful operation of the AFW system until battery depletion occurs some four hours into the accident (offsite and onsite AC not being recovered). Since all decay heat removal systems are failed, heatup and boiloff of the primary inventory occurs followed by core melt. Containment failure is predicted to be, most likely, by overpressure. No containment heat removal systems are operable due to the failure of AC power.

The sequence frequency is estimated to be 4.4E-6/yr and contributes 3% of the total core melt frequency. The dominant contributors to this sequence are various combinations of diesel generator and support system failures for train A and B emergency power combined with failure to recover offsite power and initiate cooling and makeup within six hours.

Sequence T4-152 (T4KQ)

In this sequence, a T4 (all others) transient occurs and is followed by failure to scram and an induced LOCA due to a stuck open relief valve (Q). The PCS is assessed to have run back and the primary system has survived the initial pressure transient. The operator then successfully initiates emergency boration. Due to the estimated high initial rate of coolant loss and the low rate of pressure reduction, core uncovery and melt occurs before successful HPSI coolant injection. Injection is prevented by system pressure remaining above the HPSI shutoff head of 1275 psia. This situation is unique to the Calvert Cliffs design because of the low shutoff head of the pumps. Containment failure is predicted to be, most likely, by hydrogen burn and/or overpressure.

This sequence frequency is estimated as 4.3E-6/yr and contributes 3% of the total core melt frequency. The single contributor to this sequence is failure to scram combined with failure of a relief valve to reclose.

Sequence T3-139 (T3KU)

This sequence is a T3 (requires primary pressure relief) transient followed by a failure to scram (K) and failure of emergency boration (U). The primary system has survived the initial pressure transient due to a runback of the PCS as a result of the initiator. CE analyses [21] and NRC analysis in support of the ATWS rule [22] state that greater than 10 minutes are available for the operator to initiate emergency boration. In this study, we have assessed that, if the operator fails to start shutting the reactor down within 20-30 minutes, then core melt will result. Containment failure is predicted to be, most likely, by hydrogen burn and/or overpressure.

This sequence frequency is estimated as 3.7E-6/yr and contributes 3% of the total core melt frequency. The dominant contributor to this sequence is a common mode failure of the Reactor Protection System to insert any control rods combined with failure of the operator to initiate emergency boration.

Sequence T3-118 (T3KQ)

In this sequence, we have a T3 (requires primary pressure relief) transient followed by failure to scram and an induced LOCA due to a stuck open relief valve (Q). The PCS has runback due to the initiator and the primary system has survived the initial pressure transient. The operator then successfully initiates emergency boration. Due to the estimated high initial rate of coolant loss and the low rate of pressure reduction, core uncovery and melt occurs before successful HPSI coolant injection. Injection is prevented by system pressure remaining above the HPSI shutoff head of 1275 psia. This situation is unique to the Calvert Cliffs design because of the low shutoff head of the pumps. Containment failure is predicted to be, most likely, by hydrogen burn and/or overpressure.

This sequence frequency is estimated to be 2.3E-6/yr and contributes 2% of the total core melt frequency. The single contributor to this sequence is failure to scram combined with failure of a relief valve to reclose.

Sequence T3-113 (T3ML)

In this sequence, we have a T3 (requires primary pressure relief) transient followed by a loss of PCS (M) and AFW (L). The reactor has scrammed and CARCS and CSSI succeed and cool the containment. As a result of the loss of secondary heat removal, the core inventory boils off through the cycling open of the PORVs. No credit is given for feed and bleed due to information presented in References 24 and 25. Recent calculations done by EG&G for the Station Blackout program [26] indicate that 86 minutes are available to start an AFW pump in order to prevent core uncovery. Containment failure is predicted to be, most likely, by hydrogen burn and/or overpressure.

The sequence frequency is estimated as 1.7E-6/yr and contributes 1% of the total core melt frequency. The dominant contributor to this sequence is failure of 120 VAC inverter #11 (which results in failure of the PCS and failure to actuate the motor-driven AFW pump) combined with various single failures of the AFW turbine-driven pump and failure of the operator to manually actuate the motor-driven AFW pump from the control room.

Sequence S2-59 (S2D")

In this sequence, we have a Small-small LOCA (S2), successful scram and secondary heat removal via the AFW system. However, HPSI (D") fails and we have no makeup in the injection phase. This initiator can be broken up into two parts: (1) reactor coolant pump seal LOCAs (IE = 2E-2/yr) and (2) other Small-small LOCAs (IE = 1E-3/yr). The other Small-small LOCA portion of the sequence is negligible (1E-3/yr initiating event × 1.3E-4 failure of HPSI = 1.3E-7/yr). Work done by EG&G for the Station Blackout program [26] indicates that, for a leak of the maximum expected reactor coolant pump seal LOCA (<500 gpm) with secondary cooling available, approximately three hours is available to isolate the leak or start primary makeup. Containment sprays (CSSI) and fans (CARCS) are successful. Containment failure is predicted to be, most likely, by hydrogen burn and/or overpressure.

The frequency of this sequence is estimated to be 1.6E-6/yr and contributes 1% of the total core melt frequency.

The dominant contributors to this sequence are failure of either of the two valves in the common minimum flow recirculation line. These valves are common to all HPSI, LPSI, and CSS pumps. For the Small-small LOCA case, if these valves should fail closed, the HPSI pumps were assessed as failing. This is because the slow drop in primary pressure from 1600 to 1275 psi would result in pump heat up and failure due to pumping against dead head for a significant period of time (i.e., greater than 10 minutes).

Sequence T1-85 (T1LCC')

In this sequence, we have a loss of offsite power (T1) followed by failure of AFW(L), CSSI(C), and CARCS(C'). The plant has scrammed successfully, but due to the lack of secondary heat removal, the core inventory boils off through the cycling open of the PORVs. No credit is given for feed and bleed due to information presented in References 2 and 25. Recent calculations done by EG&G for the Station Blackout program [26] indicate that 86 minutes are available to start an AFW pump in order to prevent core uncovery. Containment failure is predicted to be, most likely, by overpressure.

The sequence frequency is estimated as 1.0E-6/yr and contributes 1% of the total core melt frequency. The dominant contributors to this sequence are of two types: (1) maintenance of two feedwater valves which fails delivery of water to the S/Gs from both turbine-driven AFW pumps combined with failure of both emergency AC power trains and no recovery of offsite power or (2) various single failures of the turbine-driven pump #11 combined with failures of both emergency AC power trains and failure of the operator to start the locked-out turbine-driven AFW pump #12 and no recovery of offsite power.

Engineering Insights

Insights from the analysis were at three levels. The first level was overall insights on plant core melt frequency. The second level was insights into the particular causes of each dominant sequence. The third level was insights into the specific causes of failure in individual systems which did not affect overall risk.

Overall Engineering Insights

The total core melt frequency for Calvert Cliffs was estimated to be 1.3E-4/yr and consisted almost entirely of sequences with frequencies greater than 1E-6/yr. This estimate is similar to estimates made for other light water reactors in other probabilistic risk assessments.

The following general classes of accident sequences were found to contribute the most to the Calvert Cliffs core melt frequency:

1. Anticipated Transients Without Scram (ATWS) contributed 33% of the core melt frequency.
2. Small-small LOCAs (S2) contributed 2(% of the core melt frequency.
3. The special transient initiator TDC (loss of DC bus 11) contributed 16% of the core melt frequency.
4. Loss of Offsite Power transients (T1) contributed 12% of the core melt frequency.
5. Loss of the Power Conversion System (PCS) transients (T2) contributed 6% of the core melt frequency (not including the ATWS sequences).
6. All other transients (T4) contributed 5% of the core melt frequency (not including the ATWS sequences).
7. Transients requiring pressure relief (T3) contributed 1% of the core melt frequency (not including the ATWS sequences).

Dominant Sequence Engineering Insights

In addition to determining the overall results and significance of analysis as described above, it was important also to determine the reasons why these items were significant. Careful examination of the dominant contributors to the dominant sequences revealed certain insights, of which the most important are summarized below.

1. A review of the dominant and near dominant sequences shows that 12% of the total core melt frequency involves operator errors committed during the course of an accident. Almost all of this is from failure to initiate emergency boration after an ATWS.

2. A review of the dominant sequences, both before and after recovery was applied, reveals that operator recovery actions play a very important role in reducing the frequency of various accidents. Overall, operator recovery reduced the CC-1 core melt frequency by approximately a factor of 10.

3. Failures in support systems were found to be important contributors to the total core melt frequency. In particular, failure of Component Cooling Water (CCW) pump seal cooling which fails Emergency Core Cooling System (ECCS) pumps and Shutdown Heat Removal in the recirculation phase of an accident, Salt Water (SWS) ECCS pump room cooling which fails ECCS pumps in the recirculation phase, and diesel generator (DG) room cooling which fails emergency AC power were found to be important. Together these contribute to 20% of the total core melt frequency.

4. In one support system, a special transient initiating event was identified that also was found to contribute significantly to the total core melt frequency. This event was failure of 125 VDC bus #11 and resulted in the second most frequent sequence.

5. Several single failures were identified in front-line and support systems. These were the dominant contributors to some accident sequences.

o For Small-small LOCAs, the failure of either of two valves in the common minimum flow recirculation line for all the ECCS pumps could result in heatup and failure of the HPSI and LPSI pumps as a result of pumping against dead head. This contributes to 1% of the total core melt frequency.

o Two common modes were found in the Component Cooling Water System. First, failure of a single valve in the return line from all the HPSI and LPSI pump coolers would fail all HPSI and LPSI pumps in the recirculation phase. Second, since only one CCW heat exchanger is usually in operation, various single failures in this heat exchanger train or in its corresponding salt water train will fail all of CCW unless the operator actuates the other heat exchanger. These contribute to 3% of the total core melt frequency.

o All auxiliary feedwater pumps take suction from the condensate storage tank through a common header. Failure of the valve in this line could result in failure of all operating AFW pumps before the operator could stop the pumps. Because of the new AFW design where one turbine-driven pump will be locked out, the operator has the ability to realign the pump suction to an alternate tank and start the undamaged pump. In addition, the locked-out turbine-driven pump gives added recovery potential for almost all other AFW failures and significantly reduced the frequencies of many of the dominant accident sequences. This contributes 2% of the total core melt frequency.

6. The unavailability of CC-1 systems due to test and maintenance outages was found, generally, to be small compared to other system faults. Test unavailabilities were small because most systems are not taken out of service during test. Many have auto-actuation signals which realign the systems to their safety position in case of an accident. For those systems which are taken out of service, test personnel are, in general, in contact with control room operators and could quickly restore the system given an accident situation. A review of the maintenance logs showed that the frequency at which active components are taken out of service for unscheduled maintenance is small. This is primarily because it is plant policy not to do periodic maintenance on safety systems when the plant is at power. Preventive maintenance on these systems is conducted during scheduled shutdowns.

7. Safety system and component unavailabilities caused by the failure of personnel to realign valves and circuit breakers to their safeguards position after test or maintenance activities were generally small compared to other faults. There are two basic reasons for this: (1) most safety system components have alignment verification indication in the control room and are verified during each shift using a check list, and (2) the component tagging procedures require operators to perform redundant checks on components following test and maintenance.

8. The HPSI pumps have a low shutoff head (~1275 psia) and successful primary makeup or operation in a "feed and bleed" mode to remove decay heat is not thought to be possible for sequences where secondary heat removal has failed or a failure to scram has occurred. The ability to "feed and bleed" would affect most of the ATWS and loss of secondary heat removal sequences and would significantly reduce the total core melt frequency.

System Reliability Engineering Insights

During the early stages of the study, some discoveries were made of specific items which affected the reliability of individual systems. These were important to individual system reliability; but, when the systems were analyzed together, it turned out that these items did not contribute significantly to risk. Since this is the case, modifications to solve these "problems" would not significantly reduce risk. However, they are, nonetheless, interesting, if only to illustrate the type of things which can be found by a detailed probabilistic analysis. Some of these insights are summarized below (the reader should refer to the system descriptions in Appendix B for more discussion of these and other insights):

o The Power Operated Relief Valves are powered from two separate AC buses, but both require actuation of relays powered by the same DC bus to allow AC power to reach the valves.

o The Low Pressure Safety Injection System is automatically shut down in the recirculation phase of a LOCA. This is because the High Pressure Safety Injection System is designed to draw directly from the containment sump in the recirculation mode and is the preferred system. The low pressure system can be used but, depending on the way in which the recirculation signal was generated, some complicated operator actions might be involved.

o The swing pumps in the Service and Salt Water Systems are aligned electrically to one train and mechanically to the other train. On failure of the operating pump in a subsystem, the swing pump does not automatically supply backup to that subsystem.

Plant Modifications

The utility has not yet made any changes to procedures or hardware directly as a result of this study. Several insights developed during the course of the study are currently being looked at by the utility to determine their significance and if any changes may be warranted. After the study is completed, the utility intends to use all the models developed to help analyze the effects of proposed modifications on plant risk.

The insights the utility is currently examining are:

o For long term loss of offsite power, a 69 KV line which connects to the neighboring grid could be used to supply the necessary AC power to both units. The utility is re-examining the procedure for its use in light of the importance of loss of offsite power to plant risk.

o The utility intends to use the motor-driven AFW pumps for crossfeeding the units in instances where the AFW system on one unit has failed. Some insights discovered as a result of this study which relate to this, as yet unwritten, procedure are (1) since the feedwater valves are normally open, starting the motor-driven pump on the operating unit will inject cold water into that unit's steam generators (this is significant because the operators might be reluctant to initiate crossfeeding without specific instructions), and (2) for loss of offsite power situations, failure of a diesel generator (which has a relatively high failure rate) may preclude the motor-driven pump on the other unit from operating, so the recovery potential will be limited by the DG unavailability. In the second case, the importance of being able to use the locked-out turbine-driven AFW pump is increased.

Uncertainty and Sensitivity

The techniques for performing data uncertainty analysis are in the process of being improved, and it was decided to use the Calvert Cliffs IREP study to test the improved techniques. Therefore, a data uncertainty analysis is not presented in this report, but will be published later in a separate volume.

A sensitivity analysis is reported in Section 0.3 and covers the following items:

(1) HPSI pumps requirement for seal and room cooling for Small-small LOCAs.

(2) Crossfeeding AFW from the other unit.

(3) The ability to perform primary system "feed and bleed".

(4) ATWS

(i) Service level "C" vs. "D."

(ii) Pressure equilibrating below the relief valve set point for an extended time after failure to borate.

(iii) Pressure decreasing enough with a stuck open PORV to have successful primary makeup before core uncovery.

(iv) Various probabilities of unfavorable MTC.

(v) Various probabilities of failure to scram.

Table S.1 Final Calvert Cliffs Dominant Accident Sequences (after recovery)

Sequence                 Description   IREP Frequency          IREP Frequency         % Total CM
                                       Before Recovery (/yr)   After Recovery (/yr)   Frequency

ATWS(PSF)                ----          2.8E-5                  2.8E-5                 20
TDC-82                   TDCL          4.9E-4                  2.1E-5                 16
S2-50                    S2H           5.1E-5                  1.4E-5                 11
S2-52                    S2FH          5.7E-5                  1.1E-5                 9
T2-82                    T2L           1.8E-4                  7.1E-6                 4
T4-173                   T4KU          6.7E-6                  6.7E-6                 5
T4-147                   T4ML          3.4E-4                  6.3E-6                 5
T1-45                    T1Q-D"CC'     1.3E-5                  5.3E-6                 4
T1-82                    T1L           2.4E-5                  4.9E-6                 4
Blackout                 ----          2.4E-4                  4.4E-6                 3
T4-152                   T4KQ          4.3E-6                  4.3E-6                 3
T3-139                   T3KU          3.7E-6                  3.7E-6                 3
T3-118                   T3KQ          2.3E-6                  2.3E-6                 2
T3-113                   T3ML          8.5E-5                  1.7E-6                 1
S2-59                    S2D"          2.8E-6                  1.6E-6                 1
T1-85                    T1LCC'        5.9E-5                  1.0E-6                 1
Sequences below cutoff   --            ----                    it0E-t                 _1
Total                    --            ----                    1.3E-4                 100

Table S.1 (Cont.)

Legend Used in Tables S.1 and S.2

Initiating Events

S2 = Small-small LOCA (1.9" in dia.)
T1 = Loss of Offsite Power
T2 = Loss of PCS
T3 = Transients requiring primary relief
T4 = All other transients
TDC = Loss of 125 VDC bus 11

System Failures

D" = High Pressure Safety Injection
F = Containment Spray System (Recirculation)
H = High Pressure Safety Recirculation System
K = Reactor Protection System
L = Auxiliary Feedwater System
M = Power Conversion System
Q = Relief valves fail to reclose
U = Chemical Volume and Control System
C = Containment Air Recirculation and Cooling System
C' = Containment Spray System (Injection)

Containment Failure Modes

α = Vessel steam explosion
β = Leakage
γ = Hydrogen burning
δ = Overpressure
δ' = Delayed overpressure
ε = Basemat meltthrough


Table S.2 Calvert Cliffs Unit-1 Dominant Accident Sequence Frequencies by Release Category

                 Release Category
Sequence         1            2           3             4           5           6         7

ATWS(PSF)        α=2.8E-9     --          γ+δ=2.0E-5    --          β=2.0E-7    --        ε=8.4E-6
TDCL             α=2.1E       --          γ+δ=1.5E-5    --          β=1.5E-7    --        ε=6.3E-6
S2H              α=1.4E-7     --          γ+δ=9.8E-6    --          β=9.8E-8    --        ε=4.2E-6
S2FH             α=1.1E-7     --          γ+δ=7.7E-6    --          β=7.7E-8    --        ε=3.3E-6
T2L              α=7.1E-10    --          γ+δ=5.0E-6    --          β=5.0E-8    --        ε=2.1E-6
T4KU             α=6.7E-10    --          γ+δ=4.7E-6    --          β=4.7E      --        ε=2.0E-6
T4ML             α=6.3E-10    --          γ+δ=4.4E-6    --          β=4.4E-8    --        ε=1.9E-6
T1Q-D"CC'        α=5.3E-10    δ=4.2E-6    δ'=1.1E-6     β=3.7E-8    --          --        --
T1L              α=4.9E-10    --          γ+δ=3.4E-6    --          β=3.4E-8    --        ε=1.5E-6
Blackout         α=4.4E-10    δ=3.5E-6    δ'=8.8E-7     β=3.1E-8    --          --        --
T4KQ             α=4.3E-10    --          γ+δ=3.0E-6    --          β=3.0E-8    --        ε=1.3E-6
T3KU             α=3.7E-10    --          γ+δ=2.6E-6    --          β=2.6E-8    --        ε=1.1E-6
T3KQ             α=2.3E-10    --          γ+δ=1.6E-6    --          β=1.6E-8    --        ε=6.9E-7
T3ML             α=1.7E-10    --          γ+δ=1.2E-6    --          β=1.2E-8    --        ε=5.1E-7
S2D"             α=1.6E-10    --          γ+δ=1.1E-6    --          β=1.1E-8    --        ε=4.8E-7
T1LCC'           α=1.0E-10    δ=8.0E-7    δ'=8.0E-7     β=7.0E-9    --          --        --

Category Total   2.6E-7       2.0E-5      7.5E-5        1.5E-7      7.2E-7      3.3E-6    3.1E-5

Figure S-1 Calvert Cliffs Unit-1 Histogram of Release Category Frequencies (vertical axis: Frequency; horizontal axis: Release Categories 1 through 7)

CHAPTER 1 INTRODUCTION

1.1 IREP Overview

Probabilistic safety analysis and risk assessment techniques are widely believed to offer powerful tools for the safety design and safety evaluation of nuclear power plants. Past attempts to apply such techniques to commercial nuclear plants have provided useful catalogues of accident sequences, identified many strengths and weaknesses in the design and operation of the plants, provided insights into the importance of accident contributors, and provided estimates of the likelihood of serious accidents. Recent evidence tends to suggest that plant-to-plant differences in design and operation may give rise to significant differences in the likelihood and/or course of accidents. Therefore, the extensive application of these safety analysis techniques to many reactor plants appears to be desirable. This need is reflected in the TMI Action Plan (NUREG-0660) [1] in which the Interim Reliability Evaluation Program (IREP) is identified as a high priority effort leading to the systematic risk assessment of all reactors by other PRA programs (Section II.C).

The Interim Reliability Evaluation Program is intended to apply probabilistic risk analysis techniques to five nuclear power plants and to develop procedures adequate for the consistent analysis of all plants with the following specific objectives: (1) identify -- in a preliminary way -- those accident sequences that dominate the contribution to the public health and safety risks originating in nuclear power plant accidents; (2) develop a foundation for subsequent, more intensive, applications of probabilistic safety analysis or risk assessment on the subject plants; (3) expand the cadre of experienced practitioners of risk assessment methods within the NRC and the nuclear power industry; and (4) evolve procedures codifying the competent use of these techniques for use in the extension of IREP to all domestic light water reactor plants.

Phase I of the IREP study consisted of a reliability analysis of the Crystal River Unit 3 facility. A report on that effort has been published (NUREG/CR-2515) [2]. Using methodological insights gained from the Crystal River Study, the Phase II IREP studies were initiated in September 1980. The Phase II studies consist of analyses of four plants:

1. Browns Ferry Unit 1, by a team composed of personnel from EG&G, Idaho and Energy, Inc.

2. Arkansas Nuclear One Unit 1, by a team composed of personnel from Sandia National Laboratories, Science Applications, Inc. (SAI), and Arkansas Power and Light Company.

3. Calvert Cliffs Unit 1 (CC-1), by a team composed of personnel from Sandia National Laboratories, Energy, Inc., Science Applications, Inc., Evaluation Associates, Baltimore Gas and Electric, and NRC.

4. Millstone Unit 1, by a team composed of personnel from Science Applications, Inc., Northeast Utilities, and NRC.

Responsibility for overall technical management of the study rested with Sandia National Laboratories. Periodic reviews to assure the quality of the product were conducted by Sandia National Laboratories and NRC personnel not directly involved with the work of any one team, with the assistance of Energy, Inc.

This report is one of a series of four reporting the results of these Phase II studies. A separate report, the IREP Procedures Guide [3], has been issued detailing procedures for conducting future analyses of the same scope and breadth as these four studies, and detailing the technical and methodological insights and nuclear safety perspectives gained from this activity.

The reader is cautioned that while it is our opinion that these studies represent the state-of-the-art given their scope, they are incomplete. External events (earthquakes, fires, etc.) are not included, and the assignment of accident sequences to release categories was performed in a subjective manner with limited plant-specific calculations. Thus, this portion of the study relied heavily on analyses performed previously on similar facilities. Other limitations are discussed in detail in Chapter 8. While accident sequence and release category frequencies were quantified, they are of value primarily in comparative analyses, and the absolute values determined should not be used without a clear appreciation of their inherent uncertainties. The principal product obtained is the integrated engineering logic presented in the plant and system models and insights into plant features contributing significantly to risk, not the specific values computed for accident frequencies.

1.2 Calvert Cliffs Unit 1 Analysis Team Makeup

The team was comprised of 21 individuals from Sandia National Laboratories, Remote Sensing, Inc., Energy, Inc., Science Applications, Inc., Evaluation Associates, Inc., Baltimore Gas and Electric Co., University of Maryland, and the U. S. Nuclear Regulatory Commission. Four members worked full time, while the remaining 19 contributed on a part-time basis, either part-time for all or part of the study, or full time for a portion of the study. Sandia National Laboratories was responsible for team leadership. The team members had varying degrees of risk analysis experience. Some had little or no experience, while others had participated in studies such as the Reactor Safety Study Methodology Applications Program, the Crystal River Study, the Station Blackout Program, Ringals II Safety Study, and the Reactor Safety Study.

Sixteen of the twenty-one members were systems analysts. They were responsible for construction of the event tree and fault tree models which were utilized in determining the most frequent core melt accident sequences.

Three of the members were computer specialists. One of these was responsible for manipulation and debugging of the computerized fault tree models. The remaining two were responsible for running the SETS code [4]. SETS operates on the system fault tree models and performs the Boolean algebra necessary to determine the most frequent core melt accident sequences.

Although no team members were human factors specialists, the Calvert team did have access to the services of two human factors specialists. Each team member was responsible for the initial evaluation of human factors effects on each system. This included the evaluation of operational and emergency procedures, and test and maintenance procedures and their effects on the plant response to LOCA and transient initiators. Once the dominant human interactions were identified using conservative initial values, a detailed human reliability analysis using the techniques presented in NUREG/CR-1278 [5] was performed.

Finally, two team members, provided by Baltimore Gas and Electric, acted to provide information concerning plant operations. Their familiarity with the plant design and operation helped facilitate modeling of the plant systems and operator response.

CHAPTER 2 IREP METHODOLOGY

To provide guidance for the IREP analyses and to aid consistency among the four IREP teams, procedures for the analysis were developed. Since these procedures had never been used in their entirety, it was recognized that some flexibility in approach would be necessary. Nevertheless, the four teams generally followed the same approach, which is described below. A more detailed description can be found in the IREP Procedures Guide [3].

2.1 Information Base

The IREP analysis of a plant represents an integrated plant systems analysis. Detailed analyses were performed of those systems required to respond to a variety of initiating events (i.e., front-line systems) and of those systems supporting the responding systems. The analyses included unavailabilities during test and maintenance activities, human errors which could arise in restoring the systems to operability following test and maintenance and in response to accident situations, and a thorough investigation of support system faults which could affect operations of more than one front-line system.

To perform the IREP analysis, considerable and, in some instances very detailed, information was obtained from the plant. The sources of information used in the analysis are listed in Table 2.1.

The Final Safety Analysis Report (FSAR) [6] and plant system descriptions and drawings provided the basic information base for the analysis. This was supplemented by information contained in other studies of the plants (where available) and by more detailed information in support of particular aspects of the analysis.

To identify initiating events and initiating event frequencies, EPRI NP-2230, "ATWS: A Reappraisal - Part 3. Frequency of Anticipated Transients," [7] was used as the basic source. Additional insight was obtained through reviewing Licensee Event Reports (LERs) for the plant and for plants of similar design. To identify the systems needed to respond to an accident and their success criteria, the FSAR was used. In some instances, documentation from the plant, Nuclear Steam Supply System (NSSS) vendor or other reports was obtained suggesting and supporting the use of less stringent success criteria.

To construct the fault tree models, more detailed drawings were obtained, particularly for electrical systems and control and actuation circuitry. Test, maintenance, and emergency procedures were reviewed to identify potential human errors to be included in the plant models.

Data for quantifying the fault trees was a mixture of generic and plant specific data. Basic hardware failure rate data was initially obtained from a modified WASH 1400 data base [8] assembled by the NRC. Later, a generic data base, given in the IREP procedures guide [3], was developed and used in the Calvert Cliffs study. For particular components, plant specific failure data obtained from plant logs was used. Plant specific test and maintenance frequencies were obtained from plant logs and used in the analysis. Data for human error rates was obtained from NUREG/CR-1278 [5].

In addition to the above documentation, the utility personnel participating in the study served as contacts with the plant to obtain more information when needed. Each team visited its plant to view particular equipment and to discuss questions with plant personnel. The utilities also reviewed periodic reports to ensure accuracy of information.

2.2 Methodology

The IREP analyses consisted of eight tasks:

1. Plant familiarization
2. Event tree construction
3. Systems analysis
4. Human reliability and procedural analysis
5. Data development
6. Accident sequence evaluation
7. Containment analysis
8. Interpretation and analysis of results.

The relationships among these tasks are illustrated in Figure 2-1. Each is discussed briefly below.

2.2.1 Plant Familiarization

The initial task of the analysis involved the analysts' becoming familiar with the plant. This began by identifying those functions which must be performed to prevent core melt or to mitigate its consequences. By reviewing the FSAR and other documentation, the systems which perform these functions, termed "front-line systems," were identified.

Initiating events for consideration in the analysis were determined from EPRI NP-2230 and a review of LERs. These were grouped according to the systems which must respond to the event. Loss-of-coolant accidents (LOCAs) were generally grouped into three or four groups. This grouping tended to be by size of LOCA since mitigating requirements generally depend on the size of the break. Transients fell into three to six groups. The grouping often reflected equipment lost as a result of the initiating event.

For each initiating event grouping, the criteria for successful system operation to mitigate the accident were determined. This information was usually found in the FSAR. Utility, NSSS vendor calculations and other reports sometimes indicated that the FSAR criteria were too conservative. Where appropriate documentation existed, the IREP teams used the more realistic criteria.

A final activity during the plant familiarization tasks was the identification of system dependencies. Systems which support the front-line systems were identified; dependencies among various support systems were also noted.

Upon completion of the plant familiarization task, the following information had been developed:

1. The necessary functions to prevent core melt or to mitigate its consequence;
2. The systems which perform these functions (front-line systems);
3. The generic initiating events included in the analysis and grouped according to mitigating requirements;
4. The systems required to respond to each initiating event group and the criteria for system success; and
5. Dependencies between front-line and support systems and support systems with other support systems.

This task set the groundwork for construction of the models used in the study. The systems to be analyzed were identified, and the number of and headings for event trees were defined.

2.2.2 Event Tree Construction

The accident sequences to be analyzed in IREP were delineated by event trees. Functional event trees were constructed to clarify functional dependencies. From these and information developed in the plant familiarization activity, systemic event trees were constructed. Sequences delineated on the systemic trees were analyzed in the study.

In general, separate systemic event trees were constructed for each initiating event group. Each event tree had a different structure since the initiating events were grouped according to mitigating requirements. Different mitigating requirements result in different tree structure. Headings for the event trees correspond to the systems responding to the initiating event. Only front-line systems appear on the trees. Most identified system dependencies and dependencies arising from phenomenological aspects of the accident are reflected in the tree structure.

2.2.3 Systems Analysis

Fault tree models were constructed for each front-line system. Support system fault trees were constructed to model the particular interfaces with the front-line systems. In general, different fault tree modeling techniques were used by the different IREP teams. The approach used in the Calvert Cliffs Unit 1 analysis is discussed in Chapter 6. Top events for the front-line system fault trees correspond to the success criteria defined in the plant familiarization task.

The fault trees were developed to the component level. Component faults which affected only the particular component were grouped as "local faults." Faults which could affect multiple components, generally those faults associated with support systems, were further developed. The level of detail in the fault trees generally corresponded to the detail of available data.

In addition to hardware faults, the fault trees included unavailability due to test and maintenance, human errors associated with failing to restore components to their operable state following test and maintenance, and human errors associated with accident responses. The human reliability analysis is discussed in the next section.

The detailed development contained in the system fault trees facilitated identification of hardware, test and maintenance, and human error faults which could cause multiple component failures. These classes of common mode failures were explicitly modeled in the fault trees. Other potential common mode failures such as environmental conditions or manufacturing defects were not considered in the study.

2.2.4 Human Reliability and Procedural Analysis

Test, maintenance, and emergency procedures were reviewed to determine potential human errors. Human errors associated with failing to restore a system to its operable state following test and maintenance were included explicitly in the fault trees. Potential operator errors in response to an accident were included in a limited way. The emergency procedures expected to be used in response to each accident sequence were reviewed to identify actions expected to be performed. Incorrect performance and omission of the actions were postulated and included in the model. The investigation, however, was limited to those actions expected to be performed, rather than postulating all actions an operator might take.

2.2.5 Data Development

A modified WASH-1400 [8] data base was used for quantification of hardware faults. However, for Calvert Cliffs, when the IREP generic data base [3] was developed, the basic data were changed to reflect the updated recommendations. In some instances, plant specific data was used instead. Test and maintenance intervals and durations were obtained, where possible, from discussions with plant personnel and from reviewing plant logs. Estimated upper values were chosen for human error rates for initial calculations. For those human errors which appeared in potentially dominant accident sequences, detailed analyses were performed with the assistance of human factors specialists. This approach to human error quantification permitted more efficient utilization of limited human factors expertise.

2.2.6 Accident Sequence Evaluation

For each accident sequence, a frequency was calculated. This was performed by logically combining the initiating event and the system successes and failures to develop combinations of failures (cut sets) which could result in the accident sequence. Frequencies assigned to the initiating events, and probabilities assigned to each failure, were combined to generate a frequency for each sequence.
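The quantification described above, as an added example that is not part of the report: a Python sketch that expands fault-tree logic into minimal cut sets and applies the rare-event approximation. The tree, event names, probabilities and initiator frequency are constructed for illustration, and only failed systems are combined (system successes are not modeled).

```python
from itertools import product
from math import prod

# Constructed model (not plant data). A gate is ("AND" | "OR", [children]);
# any name that is not a key is a basic event. DC_BUS_X is a shared support
# fault that reaches one train of each front-line system.
FAULT_TREES = {
    "SYS_A": ("AND", ["A_TRAIN_1", "A_TRAIN_2"]),
    "A_TRAIN_1": ("OR", ["A_PUMP_1_LOCAL", "DC_BUS_X"]),
    "A_TRAIN_2": ("OR", ["A_PUMP_2_LOCAL", "DC_BUS_Y"]),
    "SYS_B": ("AND", ["B_TRAIN_1", "B_TRAIN_2"]),
    "B_TRAIN_1": ("OR", ["B_PUMP_1_LOCAL", "DC_BUS_X"]),
    "B_TRAIN_2": ("OR", ["B_PUMP_2_LOCAL", "RESTORE_ERROR_B2"]),
}

# Constructed screening values: the human error uses an upper-bound estimate.
SCREENING_PROBS = {
    "A_PUMP_1_LOCAL": 1e-2, "A_PUMP_2_LOCAL": 1e-2,
    "B_PUMP_1_LOCAL": 1e-2, "B_PUMP_2_LOCAL": 1e-2,
    "DC_BUS_X": 1e-3, "DC_BUS_Y": 1e-3,
    "RESTORE_ERROR_B2": 1e-2,
}
INIT_FREQ = 0.1  # constructed initiating event frequency, per year


def cut_sets(node, trees):
    """Expand a gate top-down into (not yet minimal) cut sets."""
    if node not in trees:
        return {frozenset([node])}
    gate, children = trees[node]
    child_sets = [cut_sets(child, trees) for child in children]
    if gate == "OR":
        return set().union(*child_sets)
    # AND: one cut set from every child must occur together.
    return {frozenset().union(*combo) for combo in product(*child_sets)}


def minimize(sets):
    """Drop every cut set that contains a smaller cut set."""
    minimal = []
    for candidate in sorted(sets, key=len):
        if not any(kept <= candidate for kept in minimal):
            minimal.append(candidate)
    return minimal


def sequence_cut_sets(failed_systems, trees):
    """Minimal cut sets for the joint failure of the listed systems."""
    combined = dict(trees)
    combined["SEQUENCE"] = ("AND", list(failed_systems))
    return minimize(cut_sets("SEQUENCE", combined))


def sequence_frequency(init_freq, cuts, probs):
    """Rare-event approximation: initiator frequency times the sum of
    the cut set probabilities."""
    return init_freq * sum(prod(probs[e] for e in cs) for cs in cuts)


def ranked_contributors(cuts, probs):
    """Cut sets sorted by probability, largest first."""
    scored = [(prod(probs[e] for e in cs), sorted(cs)) for cs in cuts]
    return sorted(scored, key=lambda item: item[0], reverse=True)


if __name__ == "__main__":
    cuts = sequence_cut_sets(["SYS_A", "SYS_B"], FAULT_TREES)
    print("screening frequency:",
          sequence_frequency(INIT_FREQ, cuts, SCREENING_PROBS))
    for p, events in ranked_contributors(cuts, SCREENING_PROBS)[:3]:
        print(f"{p:.1e}", events)
    # Refinement pass: replace the upper-bound human error rate.
    refined = dict(SCREENING_PROBS, RESTORE_ERROR_B2=1e-3)
    print("refined frequency:", sequence_frequency(INIT_FREQ, cuts, refined))
```

The shared support fault shortens the dominant cut sets from four events to three, which is why support system dependencies are developed further in the fault trees rather than lumped into local faults.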

The evaluation process was an iterative one. Initial calculations used generic data and upper bound human error rates. From these initial calculations, a collection of potentially dominant accident sequences was chosen. These were chosen based on a certain frequency below which none of the sequences were expected to contribute significantly.

The potentially dominant sequences were examined more closely to ensure that the probabilities chosen were as accurate as they could be and to develop better human error rate estimates. The potential for recovery actions which could terminate the sequence was then evaluated and the sequence frequencies were recalculated. These more refined calculations resulted in a list of dominant accident sequences.


2.2.7 Containment Analysis

Each potential accident sequence was evaluated by Battelle Columbus Laboratories (BCL) to determine the expected mechanism of containment failure, the associated probability of failure, and to characterize the potential radioactive release. This analysis was quite limited in nature, relying primarily on insights developed from similar analyses in the past [9], but supplemented by further calculations where necessary.

2.2.8 Interpretation and Analysis of Results

The dominant accident sequences in terms of risk (the highest frequency sequences in the most severe release categories) were examined to draw engineering insights of interest from the analysis. Those plant vulnerabilities and failure modes contributing most significantly to risk were identified. These constitute the principal results of the study.


Table 2.1. Information Sources for IREP

o Final Safety Analysis Report [6]
o System description and plant drawings
o Other probabilistic analyses of the plant [9]
o EPRI/NP-2230 "ATWS: A Reappraisal -- Part 3: Frequency of Anticipated Transients" [7]
o Licensee Event Reports for the plant and similar plants
o System performance documentation
o Electrical one-line drawings
o Control and actuation circuitry drawings
o Test and maintenance procedures
o Emergency procedures
o A generic data base [3], [8]
o Plant logs
o "Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications" (NUREG/CR-1278) [5]
o Plant visits
o Discussions with and review by plant personnel

[Figure 2-1 IREP Methodology. Flow diagram with the blocks: Plant Familiarization; Event Tree Construction; Systems Analysis; Human Reliability and Procedural Analysis; Data Development; Accident Sequence Evaluation; Containment Analysis; Interpretation and Analysis of Results.]

CHAPTER 3 PLANT DESIGN

3.1 Basic Information

Calvert Cliffs Nuclear Power Plant-Unit 1 (CC-1) is the first unit of a two unit plant owned and operated by Baltimore Gas and Electric Company (BG&E). Bechtel Power Corporation was the architect-engineer, and Combustion Engineering, Incorporated (CE) was the reactor supplier. The operating license for CC-1 was issued by the Nuclear Regulatory Commission (NRC) in September, 1974. Commercial operation started in May, 1975.

The CC-1 plant is located on the western shore of the Chesapeake Bay in Calvert Cliffs County, Maryland, about 10 miles southeast of the town of Prince Frederick.

3.2 Plant Functions

The plant functions required to ensure safe shutdown following a transient initiator are different from those required following a LOCA initiator. The important functions required to place the reactor in a safe condition following a LOCA are (1) Reactor Subcriticality, (2) Reactor Heat Removal, (3) Containment Atmospheric Heat Removal, and (4) Containment Radioactivity Removal. In addition to the four functions listed above for LOCAs, transients require two other functions: (1) Primary System Relief, and (2) Reactor Coolant System Integrity. In the case where failure of a function leads to core melt, success or partial success of other functions may still result in significant mitigation of the accident consequences.

Outlined in this section is a description of each of the plant functions listed above, including the plant systems that can be used to fulfill each of these functions. The response of the plant functions to LOCA and transient initiators is presented in Chapter 5 of this report. Tables 3.1 and 3.2 contain listings of the required plant functions following a LOCA or a transient, respectively, and the systems that can perform each function. The systems used to perform the mitigating functions are more thoroughly described in Chapter 6 and Appendix B.

3.2.1 LOCA Mitigating Functions

3.2.1.1 Reactor Subcriticality (RESC)

This function is necessary in order to decrease the power output of the core to the decay heat level. At this level, decay heat only, the emergency core cooling and containment cooling systems have sufficient capacity to remove the energy from the primary system and prevent core melt.

For Large LOCAs (i.e., breaks greater than 4.3" in diameter), the reactor is rendered subcritical due to core voiding caused by the LOCA and subsequent reflooding of the core by borated water from the emergency core cooling systems. For Small and Small-small LOCAs (i.e., breaks from 1.9" to 4.3" and .3" to 1.9" in diameter, respectively), it is necessary to use the Reactor Protection System (RPS) to perform the function of Reactor Subcriticality. This is done by inserting the shutdown rods into the reactor core immediately following a LOCA signal.

3.2.1.2 Reactor Heat Removal (REHR)

The systems used for reactor heat removal during LOCAs are intended to both replace the coolant lost during the LOCA and to remove the residual decay heat from the core. This protects the core from uncovery, heat up, and subsequent core melt. This function is generally divided into two phases: 1) Injection -- where makeup water is drawn from the Refueling Water Tank (RWT), and 2) Recirculation -- where the makeup water is drawn from the containment sump.

In the injection phase, water is pumped from the RWT by the High Pressure Safety Injection (HPSI) System and the Low Pressure Safety Injection (LPSI) System. These systems are actuated on decreasing primary system pressure (at 1600 psia) or on increasing containment pressure (at 2.8 psig) by a safety injection signal and begin injecting water into the core at about 1275 psia and 200 psig, respectively. The HPSI system consists of three high-pressure pumps which draw water directly from the RWT and inject it into the four primary loop cold legs. The LPSI consists of two low-pressure pumps which also draw directly from the RWT and inject into the four primary loop cold legs. For Large LOCAs, the LPSI system operates in conjunction with the Safety Injection Tanks (SIT) System to keep the core covered and cool. The SIT system consists of four pressurized tanks which supply additional water during the initial phase of the LOCA when the primary pressure reaches 200 psig. For Small LOCAs, the HPSI system can perform this function alone. For Small-small LOCAs, the HPSI system must be used in conjunction with the Auxiliary Feedwater (AFW) System. This is because additional heat removal is necessary to decrease the primary system pressure to below the shutoff head of the HPSI pumps (about 1275 psia). The AFW system consists of two turbine-driven pumps and one motor-driven pump which draw water from the Condensate Storage Tank (CST) and inject it into the Steam Generators (SGs). The water in the SGs absorbs heat from the primary system and boils off, venting to the atmosphere.

In the recirculation phase, either the High Pressure Safety Recirculation (HPSR) System (for all LOCA sizes) or the Low Pressure Recirculation (LPSR) System (for Large LOCAs only) can perform the Reactor Heat Removal function. However, at Calvert Cliffs, the HPSR system is the preferred system. This is because the LPSI system is designed to shut off on switchover to the recirculation phase and requires operator action to restart. These systems are really the HPSI and LPSI systems realigned to draw water from the containment sump when the water level in the RWT reaches a low level.

3.2.1.3 Containment Atmospheric Heat Removal (CNHR)

During the injection and recirculation phases following a LOCA, steam emitted through the break will cause the containment pressure to increase. If the steam is not condensed, the containment would fail due to overpressure within several hours.

In the injection phase, two systems can perform this function: (1) the Containment Spray System (Injection) (CSSI) which consists of two pumps that draw cold water from the RWT and spray it into the containment atmosphere in order to condense the steam; or (2) the Containment Air Recirculation and Cooling System (CARCS) which consists of four fans which cool the containment atmosphere using heat exchangers which reject the heat to the environment. Both these systems are actuated on high containment pressure (at 4 psig).

In the recirculation phase, the CARCS can continue to perform this function without any realignments; however, the CSSI must be aligned to draw water from the sump similar to the HPSI and LPSI systems. In this mode, the CSSI is called Containment Spray System (Recirculation) and denoted CSSR. However, since the CSSR system is drawing hot water from the sump, it would no longer be effective unless there was some way of cooling the water before it was sprayed into the containment. This is done using the Shutdown Heat Exchangers (SDHX) System which consists of two heat exchangers in the CSSR spray lines that cool the spray before it is injected into the containment.

3.2.1.4 Containment Radioactivity Removal (CNRR)

After a LOCA has occurred, some method needs to be used to remove the radioactive material released into the containment atmosphere through the break. The CSSI and CSSR perform this function in the injection and recirculation phases, respectively. By spraying water into the containment atmosphere, the radioactive material can be scrubbed out of the atmosphere into the water where it can later be processed.

Both this function and the Containment Heat Removal function, previously discussed, can also mitigate the consequences of accidents which proceed to core melt.

3.2.2 Transient Mitigating Functions

3.2.2.1 Reactor Subcriticality (RESC)

The Reactor Subcriticality function for a transient is the same as that for a LOCA. However, in addition to the Reactor Protection System (RPS), the Chemical Volume and Control System (CVCS) can also be used to shut down the reactor. The CVCS consists of three pumps which can inject a concentrated boric acid solution directly into the primary, resulting in reactor shutdown within a few minutes.

3.2.2.2 Reactor Heat Removal (REHR)

The systems used for reactor heat removal during a transient must keep the core cool by removing the decay heat. Primary makeup is not necessary, unless a transient-induced LOCA occurs, in which case the appropriate LOCA systems must be used.

Two systems can perform the REHR function for transients: the Power Conversion System (PCS) and the Auxiliary Feedwater (AFW) System. The PCS is normally used for decay heat removal. The system consists of the Main Feedwater (MFW) and Condensate Systems (CS) which deliver water to the steam generators via three motor-driven condensate pumps, three motor-driven condensate booster pumps and two turbine-driven main feedwater pumps. The steam is removed by the Secondary Steam Relief (SSR) System to the atmosphere or to the main condenser via the turbine bypass valves. If the PCS should be unavailable, then the Auxiliary Feedwater (AFW) System can be used to remove the decay heat. The AFW system consists of two turbine-driven pumps and one motor-driven pump which draw water from the CST and deliver it to the steam generators.

3.2.2.3 Primary System Relief (PSR)

Following some severe transients, the surge capacity of the pressurizer may not be sufficient to prevent a pressure increase from rupturing the reactor coolant system. In particular, for all transients in which the Reactor Protection System (RPS) fails, a pressure spike is assumed to rupture the primary system and lead to an unmitigatable LOCA unless primary system pressure relief occurs. This relief is accomplished in all cases by using the two Safety Relief Valves (SRVs) and two Power Operated Relief Valves (PORVs).

3.2.2.4 Reactor Coolant System Integrity (RCSI)

For those transients where Primary System Relief was required or the relief valves may have been demanded but relief was not required to mitigate the accident, all the relief valves which opened must reclose when the pressure subsides or a transient-induced LOCA may result (equivalent to a Small-small LOCA).

3.2.2.5 Containment Heat Removal (CNHR)

The function and systems used are identical to the LOCA function described in section 3.2.1.3.

3.2.2.6 Containment Radioactivity Removal (CNRR)

The function and systems used are identical to the LOCA function described in section 3.2.1.4.

3.3 System Dependencies

The systems described in section 3.2, which directly perform the accident mitigating functions, are called "front-line" systems. In order (1) to identify special initiating events (discussed in Chapter 4), (2) to adequately model systems to include potential common mode failures, and (3) to establish a complete list of systems which need to be modeled, the system dependencies between front-line systems, between front-line and support systems, and between support systems were identified. This was done by looking at each major component in each front-line system one at a time to determine what kind of support requirements it had and where it got the support from. This was then repeated for each component in the support systems which were identified, and the process was continued until all obvious dependencies were identified. The results of this process are shown in the Failure Mode and Effects Analyses (FMEAs) done for each system in Appendix B. A summary of these dependencies is shown in Tables 3.3 and 3.4.

Several systems at Calvert Cliffs are either shared between units 1 and 2 or have connections with similar systems on the other unit. The two systems which are shared are the emergency AC and DC power systems and these are modeled explicitly in this analysis to include all components which can affect unit 1. Also, if a failure of a unit 2 component could affect a unit 1 component (e.g., Diesel Generator 21 failure on unit 2 could require diesel generator 12, which is a swing diesel, to be diverted to unit 2), the event was modeled on unit 1's fault trees. Those connections which increased the reliability of a system on a particular unit were not modeled explicitly on the fault trees since they usually required some operator action and were better treated in the recovery analysis or were judged not to be significant.

A description of each support system can be found in the appropriate section of Chapter 6 and Appendix B.


TABLE 3.1 CC-1 LOCA FUNCTION/SYSTEM INDEX

LOCA Function: System(s)

Reactor Subcriticality (RESC):
  a) Reactor Protection System (RPS)

Reactor Heat Removal (injection phase) (REHR):
  a) High Pressure Safety Injection System (HPSI) with/without Auxiliary Feedwater System (AFW)
  b) Safety Injection Tanks (SIT)
  c) Low Pressure Safety Injection (LPSI)

Containment Atmospheric Heat Removal (CNHR) (injection phase):
  a) Containment Spray System, Injection (CSSI)
  b) Containment Air Recirculation and Cooling System (CARCS)

Containment Radioactivity Removal (CNRR) (injection phase):
  a) Containment Spray System, Injection (CSSI)

Reactor Heat Removal (REHR) (recirculation phase):
  a) High Pressure Safety Recirculation System (HPSR)
  b) Low Pressure Safety Recirculation System (LPSR)

Containment Heat Removal (CNHR) (recirculation phase):
  a) Containment Spray System, Recirculation (CSSR) and Shutdown Cooling Heat Exchangers (SDHX)
  b) Containment Air Recirculation and Cooling System (CARCS)

Containment Radioactivity Removal (CNRR) (recirculation phase):
  a) Containment Spray System, Recirculation (CSSR)

TABLE 3.2 CC-1 TRANSIENT FUNCTION/SYSTEM INDEX

Transient Function: System(s)

Reactor Subcriticality (RESC):
  a) Reactor Protection System (RPS)
  b) Chemical Volume and Control System (CVCS)

Reactor Heat Removal (REHR):
  a) Power Conversion System (PCS) (i.e., Main Feedwater (MFW) and secondary steam relief (SSR) or turbine bypass)
  b) Auxiliary Feedwater System (AFW) and secondary steam relief (SSR)

Primary System Relief (PSR):
  a) Safety Relief Valves (SRVs) and Power Operated Relief Valves (PORVs) open

Reactor Coolant System Integrity (RCSI):
  a) Safety Relief Valves (SRVs) and Power Operated Relief Valves (PORVs) close

Containment Heat Removal:
  a) Containment Spray System, Injection (CSSI)
  b) Containment and Cooling System (CARCS)

Containment Radioactivity Removal (CNRR):
  a) Containment Spray System, Injection (CSSI)

TABLE 3.3 FRONT-LINE SYSTEM VS SUPPORT SYSTEM DEPENDENCIES

Front-line System*    Support System**

RPS
CVCS      X X X X
SIT
LPSI/R    X X X X X X
HPSI/R    X X X X X X
CSSI/R    X X X X X X
CARCS     X X X X
PCS       X X X X X
AFW       X X X X
SDHX      X X X X X
SRV
PORV      X X X

*The front-line systems are:

RPS = Reactor Protection System
CVCS = Chemical Volume and Control System
SIT = Safety Injection Tanks
LPSI/R = Low Pressure Safety Injection/Recirculation System
HPSI/R = High Pressure Safety Injection/Recirculation System
CSSI/R = Containment Spray System Injection/Recirculation System
CARCS = Containment Air Recirculation and Cooling System
PCS = Power Conversion System
AFW = Auxiliary Feedwater System
SDHX = Shutdown Cooling Heat Exchanger System
SRV = Safety Relief Valves
PORV = Power Operated Relief Valves

**The support systems are defined on the next page.

TABLE 3.4 SUPPORT SYSTEM VS SUPPORT SYSTEM DEPENDENCIES

Support System*    Support System

Offsite AC      -
ESFAS           - X
Emergency AC    X - X X
DC              X X -
CCW             X X X X - X
SRW             X X X X - X
SWS             X X X X - X
RMCL            X X X -
AIR             X X X X -

*The support systems are:

Offsite AC = Offsite AC Power
ESFAS = Engineered Safety Features Actuation Systems
Emer. AC = Emergency AC Power System
DC = 125 VDC Power System
CCW = Component Cooling Water System
SRW = Service Water System
SWS = Salt Water System
RMCL = Diesel Generator or ECCS Pump Room Cooling Systems
AIR = Instrument Air, Plant Air, or N2 Systems

CHAPTER 4 INITIATING EVENTS

4.1 Introduction

The use of event tree methodology in the probabilistic risk assessment of Calvert Cliffs Unit 1 (CC-1) requires that accident initiating events be defined. These initiating events represent the starting points of many different accident sequences and delineate the initial conditions for these sequences.

This chapter will describe which initiating events were chosen for the CC-1 analysis, how they were grouped, and how they were quantified. The end product of the chapter is a list of the CC-1 initiating events and is described in Section 4.3.

4.2 Initiating Events Chosen for Calvert Cliffs Unit 1

Two general types of initiating events have been considered for the CC-1 analysis: loss of coolant accidents (LOCAs) and transients.

In order to determine the specific types of LOCA and transient initiating events to be studied, a failure mode and effects analysis (FMEA) was performed on the RCS piping and front-line systems and their support subsystems which are operating when the reactor is at power.

The RCS FMEA consisted of postulating different size RCS breaks and break locations to determine if different combinations of plant systems were required to mitigate the LOCA. Those breaks with similar front-line system mitigating requirements were placed in the same group. For example, LOCAs at CC-1 were divided into three categories ranging from small pump seal ruptures to large RCS pipe breaks. The LOCA initiating events for CC-1 are described in Section 4.2.1.

The FMEA performed to identify transients consisted of postulating a single fault in a normally operating system or subsystem and studying the plant response to that fault. For each postulated fault, the following questions were asked:

1. Does the fault lead to a reactor trip?

2. If the reactor trips, is the reliability of the front-line systems and their support systems which must respond to the trip affected? If so, how?

Throughout the FMEA, EPRI NP-2230, "Frequency of Anticipated Transients," [7], provided guidance in choosing the general types of system faults to be considered.

A fault was only considered to be important if the answer to the first question was yes. If the reactor did not trip, it was assumed that the fault would be detected and corrected before a reactor trip from some other cause occurred. The faults that did cause a reactor trip were then grouped. Those which affected the reliability of the systems in a similar manner were placed in the same group. For example, CC-1 transients were split into six groups. Some of these groups were loss of offsite power, loss of the Power Conversion System, loss of a DC bus, etc. The CC-1 transient initiating events are described in Section 4.2.2.

4.2.1 LOCA Initiating Events

A number of LOCA break size ranges were determined for CC-1. Each LOCA break size range defines a unique set of emergency core cooling requirements for the injection or recirculation phase of a loss of coolant accident. Table 4.1 presents the different LOCA sizes and the appropriate success criteria for various plant functions. The emergency core cooling success criteria and LOCA break size ranges were determined by information from the plant FSAR [6], NUREG-0635 [10], and the Calvert Cliffs RSSMAP Study [9].

The initiating event frequencies for each LOCA break size range were calculated using RSS [11] data. Two basic assumptions were made in the calculation of the CC-1 LOCA frequencies. The first assumption was that the total frequency of random LOCAs at CC-1 was the same as that identified for the RSS plants. It was also assumed that the probability distribution over each RSS break range was constant. This assumption allowed uniform probability distributions to be generated for each RSS LOCA break size range. These probability distributions were then integrated over the CC-1 break ranges to produce CC-1 specific LOCA initiating event frequencies. The RSS and CC-1 LOCA break size ranges, frequencies and an example calculation, are given in Table 4.2.

One CC-1 LOCA break size range has an additional initiating event frequency contribution that is not included in the RSS data. For the smallest CC-1 LOCA break range (.3 to 1.9 inches equivalent diameter), a .02 frequency was assessed for certain types of reactor coolant pump seal ruptures. The RSS data only includes data on random pipe failures and therefore does not cover this type of LOCA. The .02 number overshadows the random failure contribution for this break size range. The pump seal information was obtained from an NRC memo on the subject [12].
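The apportioning described in the two paragraphs above, as an added Python example (not the report's own calculation, which is in Table 4.2): each source break range is treated as a uniform density and integrated over the plant-specific ranges. The source ranges and frequencies are constructed placeholders, not RSS values, and the 30-inch upper bound is an assumption; the CC-1 range boundaries and the .02 pump seal contribution come from the text.

```python
# Constructed source bins: (low, high, frequency) in inches equivalent
# diameter. These are placeholders, NOT the RSS values.
SOURCE_BINS = [
    (0.5, 2.0, 1.0e-3),
    (2.0, 6.0, 4.0e-4),
    (6.0, 30.0, 1.0e-4),   # 30.0 is an assumed largest break size
]

# CC-1 break ranges from the text; the upper bound on the large range is
# the same assumed 30.0 inches.
TARGET_BINS = {
    "small_small": (0.3, 1.9),
    "small": (1.9, 4.3),
    "large": (4.3, 30.0),
}

PUMP_SEAL_FREQ = 0.02  # from the text: added to the smallest range only


def apportion(source_bins, target_bins):
    """Integrate each uniform source density over every target range."""
    result = {}
    for name, (t_lo, t_hi) in target_bins.items():
        total = 0.0
        for s_lo, s_hi, freq in source_bins:
            overlap = max(0.0, min(t_hi, s_hi) - max(t_lo, s_lo))
            # Uniform density: the share of the bin's frequency equals
            # the share of its width that lies inside the target range.
            total += freq * overlap / (s_hi - s_lo)
        result[name] = total
    return result


def unassigned(source_bins, apportioned):
    """Source frequency that fell outside every target range."""
    return sum(f for _, _, f in source_bins) - sum(apportioned.values())


def loca_initiator_frequencies(source_bins, target_bins, pump_seal_freq):
    """Random pipe-break contribution plus the pump seal contribution."""
    freqs = apportion(source_bins, target_bins)
    freqs["small_small"] += pump_seal_freq
    return freqs


if __name__ == "__main__":
    random_only = apportion(SOURCE_BINS, TARGET_BINS)
    for name, value in random_only.items():
        print(f"{name:12s} random breaks only: {value:.3e}")
    print("unassigned:", unassigned(SOURCE_BINS, random_only))
    total = loca_initiator_frequencies(SOURCE_BINS, TARGET_BINS, PUMP_SEAL_FREQ)
    print("small_small with pump seals:", total["small_small"])
```

Because the target ranges cover every source bin, the total random-break frequency is conserved, which is the first assumption stated in the text.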

It can be noted that no LOCAs smaller than 0.3 inch equivalent diameter were analyzed. It was ascertained that breaks of this magnitude could be mitigated by normally operating makeup systems.

A final comment should be made concerning the LOCA initiating events analyzed for Calvert Cliffs Unit 1. The interfacing systems LOCA, which was found to be important to risk in other PRAs (e.g., Surry in the RSS and Oconee in the RSSMAP) was not found to be a significant accident sequence at CC-1. The interfacing systems LOCA assumes either: (1) a failure of a series of check valves and motor-operated valves in one of the low pressure injection lines; or (2) failure of two locked closed motor-operated valves in the shutdown cooling suction line. Both of these allow high pressure RCS water to enter the low pressure piping outside containment and a pipe rupture to occur. A core melt would ensue because the core cooling systems are not designed to mitigate a LOCA outside containment. The probability of this event was found to be low (less than 1E-7 per reactor year) because of the number of valves in series which would have to fail and the placement of relief valves which would alert the operators to this event, thus increasing the recovery potential. The RSSMAP Calvert Cliffs PRA [9] provides a more detailed analysis of the interfacing systems LOCA at the Calvert Cliffs plant.

4.2.2 Transient Initiating Events

A number of transient initiating events were identified for CC-1. The success criteria for front-line systems which function to mitigate transient initiated accidents are given in Table 4.3.

Four types of transient initiating events which do not involve specific component failures and which were quantified using industry data were analyzed for CC-1. These are:

1. Loss of Offsite Power (T1); this event was defined as a total loss of offsite power to both units at the site.

2. Events which totally interrupt the Power Conversion System (T2) (not caused by a loss of offsite power).

3. Transients requiring RCS pressure relief (T3). These are transients which do not affect front-line systems significantly but are severe enough to require primary system pressure relief to terminate the accident successfully.

4. Transients requiring shutdown, but which do not affect front-line systems significantly (T4). These transients do not require primary pressure relief to successfully terminate the accident.

The source used to define and quantify these transient designations was EPRI NP-2230 [7]. This report presents and analyzes events at nuclear plants which have led to fast reactor shutdowns (scrams). A list of the PWR transients defined in the EPRI document is given in Table 4.4. Table 4.5 shows how the EPRI transient categories were grouped together to quantify the four transient types listed above. The numbers used are the generic values for all plants at all power levels. These numbers were compared to Calvert Cliffs Unit 1 plant specific data for 26-110% power trips and found not to be statistically different. Calvert Cliffs has a higher than average number of trips from high power. Table 4.6 shows the EPRI NP-2230 categories not used in the CC-1 initiating event analysis.

Two normally operating support systems were identified at CC-1 whose failure would cause a reactor shutdown and also degrade safety systems required post trip or affect recovery actions. These support system failures were identified by the performance of a FMEA (described in Section 4.2) on all normally operating support systems. These support systems are listed in Table 4.7.

In the following sections, the normally operating support systems which were reviewed in depth are discussed. The components identified as possible initiating events are included in the list of initiating events described in Section 4.3.

4.2.2.1 Service Water System Analysis

The Service Water System (SRWS) at CC-1 consists of two trains, each of which contains a motor-driven pump and heat exchanger, and is designed to remove heat from various plant components. Refer to Appendix B.15 for a more detailed discussion of the SRWS.

Several component failures in the SRWS were identified as possible initiating events. During normal operation, train number 12 supplies water to the main feedwater pump lube oil coolers and the condensate booster pump lube oil coolers. If flow through train number 12 were abruptly stopped, all lube oil cooling to these pumps would be lost. Given this situation, a reactor trip would be expected due to a main feedwater trip or operator action. The CC-1 Abnormal Operating Procedure (AOP-3) for a loss-of-service water event indicates that the operator would trip the plant when high pump and turbine temperatures are measured.

Given that SRWS train number 12 fails and that the reactor is tripped, main feedwater would be lost, auxiliary feedwater would be demanded, and a number of safety related systems would be degraded. The safety systems affected by SRWS train number 12 are Containment Air Coolers numbers 13 and 14 and emergency diesel number 12. For this reason, single failures of SRWS have been analyzed as initiating events.

The failures of SRWS train number 12 considered in the quantification of this initiating event are the manual inlet and outlet valves (SRW 127 and SRW 120) for SRWS heat exchanger number 12. Refer to Figure 6-26. Other single faults of train number 12 are feasible, but are more likely to be recovered.

The initiating event frequency for those service water failures was taken from the IREP quantification guide. A frequency of 0.8E-4 per year was assessed for each fault based on the plug standby failure rate for manual valves (1E-7 x 8760 hrs.). Therefore, the total initiating event frequency for this event is 1.0E-3. It is acknowledged that an operating failure rate rather than a standby failure should be used and may be different than the assigned value. However, this frequency is similar to the frequency used for this event in the Zion and Indian Point PRAs [13] which was calculated using a different method. The initiating event representation used in this analysis for this SRW fault is TSRW.

4.2.2.2 Emergency AC Power Bus Analysis

The Emergency AC Power System provides AC power to several front-line/support systems which may be required to operate after an initiating event. (Refer to AC power discussion in Section 6.13 and Appendix B.13).

A FMEA was performed on each emergency AC bus to determine the effects of the bus shorting to ground. No emergency AC buses were identified which would cause a reactor trip and degrade front-line systems if lost. This was due to the fact that there were no balance-of-plant dependencies on the safety-related AC buses.

4.2.2.3 Emergency DC Power Bus Analysis

The analysis of the four DC power trains was very similar to that done for the AC buses. Failure of either of two DC buses (Numbers 11 and 21) was identified as causing a plant trip and degrading the safety systems. We will describe the failure of bus 11.

If bus 11 fails, one half of all safety systems which are not already running will be affected (i.e., AFW, HPSI, LPSI, CSSI). Those systems which are running would not be affected.

A plant trip results when 120 VAC bus 11 fails as a result of DC bus 11 failing. Failure of 120 VAC bus 11 results in failure of: (1) a SG level control; (2) various instrumentation; and (3) a SGPP recirculation line valve and may result in a plant trip due to (1) low SG level; (2) inability to control SG level in auto requiring manual control which is ineffective; or (3) SGPP trip on low suction pressure.


The effects of DC bus 21 failing are not as severe as DC bus 11. Failure of bus 11 fails the motor-driven AFW pump; failure of bus 21 does not. Also, failure of bus 21 prevents the PORVs from opening which reduces the chances of a transient-induced LOCA.

The initiating event frequency for a single bus is taken to be 1.8E-2/yr. from NSAC data done for the Oconee PRA*. Since only bus 11 was quantified, an initiating event frequency of 3.6E-2 was used in order to envelope the failure of bus 21.

This data looks at bus failure as an initiating event, not as an independent failure (i.e., includes independent failures ~1E-8/yr. x 8760 per year = 8.76E-5 = 9E-5/yr. and random human interactions, etc.). The initiating event representation used in this analysis for DC bus 11 failure is TDC.

4.2.2.4 Instrument Air System Analysis

The Instrument Air System (IAS) provides process air to many plant components, mainly air-operated control valves. The analysis of this system indicated that the only front-line or support system which would degrade or fail on loss of the IAS is the Power Conversion System. The reason for this is that most safety system components which interface with the IAS fail safe on loss of instrument air. The only valves whose failure could affect a safety system are the SRW and CCW heat exchanger valves in the SWS. However, this is a failure only if it occurs concurrently with a Large LOCA or Small LOCA, not for Small-small LOCAs or transients. Because these valves have a separate and redundant, seismically qualified air supply, this failure was judged to be negligible. Total loss of the IAS would lead to an immediate reactor trip as per Emergency Operating Procedure Number 14. However, since instrument air only affects main feedwater for transient initiators, its failure was considered as part of the T2 initiating event.

For this reason, no instrument air faults were analyzed as specific initiating events.

4.2.2.5 Component Cooling Water Analysis

The Component Cooling Water System (CCWS) is a closed cooling system which provides cooling to various safety and non-safety components not cooled by the SRWS.

Two failures of the CCWS were found to lead to reactor trip. The first is the failure of a valve in the CCWS line cooling the reactor coolant pump seal and lube oil coolers. However, since this failure would not degrade the ability of the CCWS to perform its safety functions, no special initiating event needed to be defined.

* Ref: Telephone conversation between G. J. Kolb, Sandia National Laboratories and G. J. Boyd, Technology for Energy Corporation.

The second failure was a large rupture in a segment of the CCW piping which would result in a complete loss of water so fast that operator action could not prevent the complete draining of the system. An example of such a segment is the cross-tie piping between loops. This would result in a plant trip due to loss of cooling to both the reactor coolant pump seals and the lube oil coolers.

This event was judged initially to lead to a reactor coolant pump seal LOCA and to simultaneously fail the HPSI and LPSI pumps due to a lack of pump seal cooling. However, this was felt to be much too conservative for the following reasons.

First, in discussions with the NRC, the CE Owner's Group [14] presented evidence to show that reactor coolant pump seal leaks due to a loss of seal cooling are not likely to occur due to the design of their pumps, which have three full system pressure seals (which are cooled by the Component Cooling Water System) and then a controlled 10 gpm leakoff back to the Volume Control Tank or another full system pressure seal to the containment.

Second, a recent assessment done by BG&E* showed no need for any LPSI or HPSI pump seal cooling in the injection mode and only after two hours in the recirculation phase following a Large LOCA. Because of the long time to get to recirculation (~10 hours) for a Small-small LOCA of this size: (1) the heat loads will be much less and the pump would likely last significantly longer than two hours in the recirculation mode; and (2) the operator could isolate the leak in the component cooling system and refill it. For the above reasons, this event was judged to be negligible and not considered further.

4.2.2.6 Salt Water System Analysis

The Salt Water System (SWS) is a two train system, each with its own dedicated pump. The SWS provides secondary cooling for the SRWS and CCWS and cooling for the ECCS pump room coolers and the circulating water pump seals.

No single fault was identified in the SWS which would require a rapid reactor trip and degrade safety systems. A partial loss of SWS due to a single failure could cause a slow heatup of the SRWS and CCWS which, if left untended, could cause trouble. However, the time for the heatup to occur is long (of the order of one hour), and it has been assumed that a safe condition could be achieved.

* Ref: Discussions with Niall Hunt and other BG&E engineers.


4.2.2.7 Heating and Ventilation System Analysis

The heating and ventilation systems which were reviewed are the Diesel Generator Room Ventilation System and the ECCS Pump Room Air Coolers. No failure within these systems was identified which could cause a reactor trip. Therefore, no special initiating event associated with these systems was applicable.

4.3 Description of the Calvert Cliffs Unit 1 Initiating Events

The accident initiating events used in the CC-1 analysis are those discussed in the previous sections and are summarized in Table 4.8. When the initiating events are combined with the appropriate system fault and success trees, unique CC-1 accident sequences are produced. An alternate way to display the CC-1 initiating events is with a fault tree. This is done in Figure 4-1.

The initiating events define the initial conditions for accident sequences and may, in themselves, affect the availability of front line systems. The dependencies found between the CC-1 initiating events and the mitigating systems are either modeled explicitly on the system fault trees or are shown by the difference in system success criteria in Tables 4.1 and 4.3 for the different initiating events. They are also shown in the system dependency Tables 3.3 and 3.4 in Chapter 3.


[Figure 4-1. Calvert Cliffs Unit 1 Initiating Event Fault Tree. Top event: Event Occurs Requiring Reactor Shutdown, with LOCA and Transient branches.]

Table 4.1 LOCA Event Definition and Mitigating Systems Success Criteria for Calvert Cliffs Unit 1

Mitigating Function (2); the superscript note numbers of the original are shown in parentheses.

| LOCA Size (1) | Reactor Subcriticality (RESC) | Injection Phase: Reactor Heat Removal (REHR) | Injection Phase: Containment Atmospheric Heat Removal (CNHR) | Injection Phase: Containment Radioactivity Removal (CNRR) (3) | Recirculation Phase: Reactor Heat Removal (REHR) | Recirculation Phase: Containment Heat Removal (CNHR) | Recirculation Phase: Containment Radioactivity Removal (CNRR) |
| Small-Small, .3 < D* ≤ 1.9 | RPS | 1/3 HPSI AND SSR AND 1/2 AFW | 1/2 CSSI OR 1/4 CARC | 1/2 CSSI | 1/3 HPSR | 1/2 CSSR with 1/2 SDHX OR 1/4 CARC | 1/2 CSSR |
| Small, 1.9 < D* ≤ 4.3 | RPS | 1/3 HPSI AND SSR | 1/2 CSSI OR 1/4 CARC (4) | 1/2 CSSI | 1/3 HPSR | 1/2 CSSR with 1/2 SDHX OR 1/4 CARC | 1/2 CSSR |
| Large, D* > 4.3 | None Required (5) | 3/4 SITS AND 1/2 LPSI | 1/2 CSSI OR 1/4 CARC | 1/2 CSSI | 1/3 HPSR | 1/2 CSSR with 1/2 SDHX OR 1/4 CARC | 1/2 CSSR |

TABLE 4.1 NOTES

1. D* = Equivalent diameter of break in inches.
2. Mitigating functions are performed by mitigating systems.

Mitigating systems success criteria are defined as follows:

RPS = Reactor Protection System.

One half of the control element assemblies (CEAs) insert.

3/4 SITS = Safety Injection Tanks.

3 of 4 SIT trains (not connected to the failed loop) operate.

1/3 HPSI = High Pressure Safety Injection.

1 of 3 HPSI pump trains operates with 1 of 4 safety injection headers (not connected to the failed loop).

1/3 HPSR = High Pressure Safety Recirculation.

1 of 3 HPSR pump trains operates with 1 of 4 safety injection headers (not connected to the failed loop).

1/2 LPSI = Low Pressure Safety Injection.

1 of 2 LPSI pump trains operates with 1 of 4 safety injection headers (not connected to the failed loop).

1/2 LPSR = Low Pressure Safety Recirculation.

1 of 2 LPSR pump trains operates with 1 of 4 safety injection headers (not connected to the failed loop).

SSR = Secondary Steam Relief.

2 of 2 atmospheric dump valves dump steam directly to the outside atmosphere, OR 1 of 16 steam generator safety valves dumps steam directly to the outside atmosphere.

1/2 AFW = Auxiliary Feedwater.

1 of 2 steam generators supplied by 1 of 2 AFW pump trains.

1/2 CSSI = Containment Spray System Injection.

1 of 2 CSSI pump trains operates.

1/2 CSSR = Containment Spray System Recirculation.

1 of 2 pump trains operates.

1/2 SDHX = Shutdown Cooling Heat Exchanger.

1 of 2 SDHXs (associated with the operating CSSR pump train) provides cooling.

1/4 CARC = Containment Air Recirculation and Cooling.

1 of 4 fan cooler trains operates.

3. The function of containment radioactivity removal is not required if reactor heat removal and containment heat removal have been successful. However, the severity of the offsite radiological consequences of any sequence which ends in core melt or containment failure will be affected by the success or failure of the containment radioactivity removal function in the injection and/or recirculation phase, depending on the timing of core melt and/or containment failure.
4. The function of containment heat removal may not be required for LOCA breaks with D* ≤ 4.3 inches, providing the reactor heat removal function in the injection phase and the reactor subcriticality function have been successful. However, if either the reactor heat removal function in the injection phase or the reactor subcriticality function has not been successful, then the consequence will be core melt, but the severity of the offsite radiological consequences will be affected by the success or failure of the containment heat removal function in the injection phase.
5. The reactor subcriticality function is not dependent on the successful operation of mitigating systems for LOCA breaks with D* > 4.3 inches. The reactor is automatically rendered subcritical due to core voiding during the blowdown phase and is maintained subcritical during the subsequent core reflood by borated water from the Safety Injection System (SIS). It is assumed that the probability of injection of inadequately borated water from the Refueling Water Tank (RWT) into the core is insignificant.

Table 4.2 Comparison of RSS and Calvert Cliffs Unit 1 LOCA Frequencies

| Reactor Safety Study LOCA Break Size Range (1) | Frequency | Calvert Cliffs Unit 1 LOCA Break Size Range (1),(2) | Frequency |
| S2 = .5 to 2 inches | 1.0E-3 | S2 = .3 to 1.9 inches | 2.1E-2 |
| S1 = 2 to 6 inches | 3.0E-4 | S1 = 1.9 to 4.3 inches | 2.4E-4 |
| A = 6 inches and larger | 1.0E-4 | A = 4.3 inches and larger | 2.3E-4 |

(1) Equivalent diameter in inches.

(2) S2 LOCA includes RCS pump seal leak contribution.

Sample Calculation

For the RSS S2 LOCA, $\int_{0.5}^{2} P_{S2}\,dx = 1.0\text{E-}3$.

Similarly, for the RSS S1 LOCA, $\int_{2}^{6} P_{S1}\,dx = 3.0\text{E-}4$.

Assume that the distributions are uniform probability distributions. Therefore, the normalizing constants are $P_{S1} = 7.5\text{E-}5$ and $P_{S2} = 6.67\text{E-}4$. Now, integrate these distributions over Calvert Cliffs' S1 LOCA break size range to obtain its frequency:

$$\int_{1.9}^{2} P_{S2}\,dx + \int_{2}^{4.3} P_{S1}\,dx = 2.4\text{E-}4$$
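The sample calculation above, generalized to any target break-size range as an added example (not code from the report). The function names and the all-or-nothing treatment of the open-ended "6 inches and larger" class are assumptions of this example; with that treatment the same method also gives the 2.3E-4 listed for the Calvert Cliffs A LOCA in Table 4.2.

```python
"""Re-bin LOCA frequencies onto new break-size ranges (added example)."""

# Reactor Safety Study (RSS) classes from Table 4.2:
# name -> (lower D* in inches, upper D* in inches, frequency per reactor year).
# upper = None marks the open-ended "6 inches and larger" class.
RSS_BINS = {
    "S2": (0.5, 2.0, 1.0e-3),
    "S1": (2.0, 6.0, 3.0e-4),
    "A": (6.0, None, 1.0e-4),
}


def density(bins, name):
    """Uniform frequency density (per inch per year) of a bounded class."""
    lo, hi, freq = bins[name]
    if hi is None:
        raise ValueError(f"class {name} is open-ended and has no uniform density")
    return freq / (hi - lo)


def rebin(bins, lo, hi=None):
    """Frequency of breaks with lo <= D* < hi; hi=None means 'and larger'."""
    total = 0.0
    for name, (b_lo, b_hi, freq) in bins.items():
        if b_hi is None:
            # Assumption of this example: an open-ended class cannot be split,
            # so it is either taken whole or not at all.
            if hi is None and lo <= b_lo:
                total += freq
            elif hi is None or hi > b_lo:
                raise ValueError(f"target range would split open-ended class {name}")
            continue
        upper = b_hi if hi is None else min(b_hi, hi)
        overlap = upper - max(b_lo, lo)
        if overlap > 0:
            total += density(bins, name) * overlap
    return total


def uncovered_width(bins, lo, hi):
    """Inches of [lo, hi) lying below the smallest source class (no data there)."""
    floor = min(b_lo for b_lo, _, _ in bins.values())
    return max(0.0, min(hi, floor) - lo)


def two_sig(x):
    """Format a frequency the way the report quotes it, e.g. 2.4E-4."""
    mantissa, exponent = f"{x:.1e}".split("e")
    return f"{mantissa}E{int(exponent)}"


if __name__ == "__main__":
    print("P_S2 =", density(RSS_BINS, "S2"))   # normalizing constants
    print("P_S1 =", density(RSS_BINS, "S1"))
    print("CC-1 S1 (1.9 to 4.3 in):", two_sig(rebin(RSS_BINS, 1.9, 4.3)))
    print("CC-1 A (4.3 in and larger):", two_sig(rebin(RSS_BINS, 4.3)))
    # The CC-1 S2 range starts at .3 inch, below the RSS data, and Table 4.2
    # adds an RCS pump seal leak contribution, so it is not reproduced here.
    print("inches of .3 to 1.9 with no RSS data:",
          uncovered_width(RSS_BINS, 0.3, 1.9))
```

The S2 class is deliberately left out of the comparison: its lower bound falls outside the RSS data and the report adds a pump seal leak contribution that the uniform-density method cannot supply.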


Table 4.3 Transient Event Definition and Mitigating Systems Success Criteria for Calvert Cliffs Unit 1

Mitigating Functions (1); the superscript note numbers of the original are shown in parentheses.

| Transient | Reactor Subcriticality (RESC) | Reactor Heat Removal (REHR) | Primary System Relief (PSR) | Reactor Coolant System Integrity (RCSI) | Containment Heat Removal (CNHR) | Containment Radioactivity Removal (CNRR) |
| Loss of Offsite Power (T1) or Loss of Power Conversion System (T2) | RPS OR 2/3 CVCS | SSR AND 1/2 AFW | With RPS Success: None. With RPS Failure: 4/4 SRV Open. With RPS & CVCS Failure: None Effective (3) | With RPS Success: 2/4 reclose. With RPS Failure: 4/4 reclose | 1/4 CARC OR 1/2 CSSI | 1/2 CSSI |
| Transients Requiring RCS Pressure Relief (T3) | RPS OR 2/3 CVCS | 1/2 MFW (PCS) OR 1/2 AFW | With RPS Success: 2/4 SRV Open. With RPS Failure: 4/4 SRV Open. With RPS & CVCS Failure: None Effective (3) | With RPS Success: 4/4 reclose. With RPS Failure: 4/4 reclose | 1/4 CARC OR 1/2 CSSI | 1/2 CSSI |
| Remaining Transients Requiring Reactor Trip (T4) | RPS OR 2/3 CVCS | 1/2 MFW (PCS) (1/1 MFW for Loss of One MFW Train) OR 1/2 AFW | With RPS Success: None. With RPS Failure: 4/4 SRV Open. With RPS & CVCS Failure: None Effective (3) | With RPS Success: 2/4 reclose (2). With RPS Failure: 4/4 reclose | 1/4 CARC OR 1/2 CSSI | 1/2 CSSI |

TABLE 4.3 NOTES

1. Success Criteria for Transient Systems from Appendix A:

PCS: 1 of 2 MFW pump trains and 1 of 3 condensate booster pump trains and 1 of 3 condensate pump trains and interconnecting valves, etc. and 1 of 2 steam generators

SSRS: 1 of 4 turbine bypass valves or 2 of 2 atmospheric dump valves or 1 of 16 steam generator safety valves

SRVs open: 2 of 4 relief valves, where there are 2 PORVs, 2 SRVs; 4 of 4 with RPS failure

AFWS: 2 of 4 branches at 200 gpm each or 1 of 4 branches at 400 gpm (at least 400 gpm required) to 1 of 2 steam generators from 1 of 1 motor driven pumps at 450 gpm each or 1 of 1 turbine driven pumps at 700 gpm each

CARCS: 1 of 4 fan units and SRW subsystem

CSS: 1 of 2 pumps

RPS: One-half of the control rod assemblies (CEAs) insert

CVCS: 1 of 2 boric acid pumps and 2 of 3 charging pumps and 1 of 2 injection paths

2. For T1 and T2 transients, a probabilistic demand of the PORVs will occur. If so, the two PORVs will open and must reclose. If these do not open, the SRVs will not be demanded. For T3 transients, a probabilistic demand of the relief valves may also occur; however, as all four valves may be demanded, all four must reclose.
3. For transients with reactor subcriticality failure, pressure relief through the relief valves is not effective in mitigating the accident and preventing core melt.

Table 4.4 Transients Identified in EPRI NP-2230

1 Loss of RCS Flow (1 Loop)
2 Uncontrolled Rod Withdrawal
3 CRDM Problems and/or Rod Drop
4 Leakage from Control Rods
5 Leakage in Primary System
6 Low Pressurizer Pressure
7 Pressurizer Leakage
8 High Pressurizer Pressure
9 Inadvertent Safety Injection Signal
10 Containment Pressure Problems
11 CVCS Malfunction-Boron Dilution
12 Pressure/Temperature/Power Imbalance-Rod Position Error
13 Startup of Inactive Coolant Pump
14 Total Loss of RCS Flow
15 Loss or Reduction in Feedwater Flow (1 Loop)
16 Total Loss of Feedwater Flow (All Loops)
17 Full or Partial Closure of MSIV (1 Loop)
18 Closure of All MSIV
19 Increase in Feedwater Flow (1 Loop)
20 Increase in Feedwater Flow (All Loops)
21 Feedwater Flow Instability-Operator Error
22 Feedwater Flow Instability-Misc. Mechanical Causes
23 Loss of Condensate Pump (1 Loop)
24 Loss of Condensate Pumps (All Loops)
25 Loss of Condenser Vacuum
26 Steam Generator Leakage
27 Condenser Leakage
28 Misc. Leakage in Secondary System
29 Sudden Opening of Steam Relief Valves
30 Loss of Circulating Water
31 Loss of Component Cooling
32 Loss of Service Water Systems
33 Turbine Trip, Throttle Valve Closure, EHC Problems
34 Generator Trip or Generator Caused Faults
35 Total Loss of Offsite Power
36 Pressurizer Spray Failure
37 Loss of Power to Necessary Plant Systems
38 Spurious Trips-Cause Unknown
39 Auto Trip-No Transient Condition
40 Manual Trip-No Transient Condition
41 Fire Within Plant

Table 4.5 Grouped EPRI NP-2230 Transient Events Causing Reactor Shutdown at Calvert Cliffs Unit 1

| Transient Designator | Transient Description | Applicable EPRI NP-2230 Transients | EPRI NP-2230 Frequency Per Reactor Year | Total Frequency Per Reactor Year |
| T1 | Total Loss of Offsite Power | #35) Total Loss of Offsite Power | 0.14 | 0.14 |
| T2 | Total Interruption of the Power Conversion System (Main Feedwater) | #16) Total Loss of Main Feedwater Flow | 0.15 | 0.80 |
| | | #18) Closure of all MSIVs | 0.03 | |
| | | #21 & 22) Feedwater Flow Instability | 0.36 | |
| | | #24) Loss of All Condensate Pumps | 0.00 | |
| | | #25) Loss of Condenser Vacuum | 0.20 | |
| | | #30) Loss of Circulating Water | 0.06 | |
| T3 | Transients Requiring RCS Pressure Relief | #33) Turbine Trip or Throttle Valve Closure | 1.38 | 1.85 |
| | | #34) Generator Trip or Generator Caused Faults | 0.38 | |
| | | #37) Loss of Power to Necessary Plant Systems | 0.09 | |
| T4 | Other Transients Requiring Reactor Shutdown which Do Not Significantly Affect Front Line Systems | #1) Loss of RCS Flow in One Loop | 0.39 | 6.8 |
| | | #3) CRDM Problems, Rod Drop | 0.65 | |
| | | #6) Low Pressurizer Pressure | 0.03 | |
| | | #8) High Pressurizer Pressure | 0.03 | |
| | | #9) Inadvertent Safety Injection Signal | 0.06 | |
| | | #11) CVCS Malfunction-Boron Dilution | 0.04 | |
| | | #12) Pressure/Temperature/Power Imbalance | 0.16 | |
| | | #14) Total Loss of RCS Flow | 0.03 | |
| | | #15) Loss or Reduction in Main Feedwater (1 Loop) | 1.88 | |
| | | #17) Full or Partial Closure of One MSIV | 0.23 | |
| | | #19) Increase in Main Feedwater Flow in One Loop | 0.69 | |
| | | #20) Increase in Main Feedwater Flow in All Loops | 0.01 | |
| | | #23) Loss of Condensate Pump (1 Loop) | 0.08 | |
| | | #27) Condenser Leakage | 0.05 | |
| | | #28) Leakage in Secondary System | 0.08 | |
| | | #29) Sudden Opening of Steam Relief Valves | 0.04 | |
| | | #36) Pressurizer Spray Failure | 0.04 | |
| | | #38) Spurious Trips-Cause Unknown | 0.14 | |
| | | #39) Auto Trip-No Transient Condition | 1.55 | |
| | | #40) Manual Trip-No Transient Condition | 0.62 | |

Table 4.6 EPRI NP-2230 Transients Not Used in CC #1 Initiating Event Analysis

| EPRI NP-2230 Transient | Comments |
| #2) Uncontrolled Rod Withdrawal | All control rods are out at high power |
| #4) Leakage from Control Rods; #5) Leakage in Primary System; #7) Pressurizer Leakage | For leak rates > 132 gpm, these transients are considered to be LOCAs. For leak rates < 132 gpm charging pumps supply makeup. Normal shutdown occurs, no reactor trip required |
| #10) Containment Pressure Problems | It is assumed only LOCAs will cause this condition |
| #13) Startup of Inactive RCS Pump | All pumps will be on at full power |
| #26) Steam Generator Leakage | Normal shutdown is assumed possible |
| #41) Fire Within Plant | Outside scope of IREP |

Table 4.7 Support Systems Reviewed in the Calvert Cliffs Initiating Event Analysis

The following systems were reviewed to identify possible failures which could act as an accident initiator:

Service Water System
Emergency AC Power System
Emergency DC Power System
Instrument Air System
Component Cooling Water System
Salt Water System
Heating and Ventilation Systems

Table 4.8 Initiating Events Used in the Calvert Cliffs #1 Analysis

| Designator | Initiating Event Description | Frequency Per Reactor Year |
| S2 | LOCA with a .3 to 1.9 inch equivalent diameter break | 2.1x10^-2 |
| S1 | LOCA with a 1.9 to 4.3 inch equivalent diameter break | 2.4x10^-4 |
| A | LOCA with an equivalent diameter break greater than 4.3 inches | 2.3x10^-4 |
| T1 | Loss of offsite power transient | 1.4x10^-1 |
| T2 | Transient initiated by a total interruption of main feedwater | 0.8 |
| T3 | Transients requiring RCS pressure relief | 1.85 |
| T4 | Other transients requiring reactor shutdown which do not significantly affect front line systems | 6.8 |
| TSRW | Failure of SRWS Train #12 | 1.8E-3 |
| TDC | Failure of DC Bus 11 | 3.6E-2 |

CHAPTER 5

ACCIDENT SEQUENCE DELINEATION

5.1 Introduction

The type of accidents of concern for the CC-1 IREP study are the core meltdown accidents initiated by the LOCAs and transients defined in Chapter 4. It is the goal of the study to quantify the frequency of these core meltdown accidents and to estimate their severity expressed in terms of radioactive material released from containment. The severity of a core melt accident depends on the initiating event, on which plant safety functions/systems succeeded or failed during the accident, and on the approximate time at which they failed, i.e., the accident sequence.

Event trees are the logic models from which accident sequences are derived. Two types of event trees were constructed to delineate the accident sequences. First, the functional event trees, which interrelate the initiating event and the plant safety function failures and result in functional accident sequences. Second, the systemic event trees, which interrelate the initiating event and the safety system failures and result in the system accident sequences. The CC-1 functional event trees are described in Section 5.2. The CC-1 systemic event trees are briefly described in Section 5.3. A more detailed discussion of these can be found in Appendix A.

5.2 CC-1 Functional Event Trees

5.2.1 LOCA Functional Event Trees

The CC-1 LOCA functional event trees are depicted in Figures 5-1 and 5-2. These trees were constructed by (1) making the plant LOCA functions described in Section 3.2.1 the event tree headings; (2) placing the event tree headings in the approximate chronological order they would be expected to be called upon following a LOCA; and (3) incorporating the functional interdependencies into the event tree structure. The interdependencies were incorporated into the event tree structure by removing success/failure decision branches at the appropriate places in the tree.

5.2.1.1 Large LOCA Functional Dependencies

The following dependencies were incorporated into the Large LOCA functional event tree:

1. The Reactor Subcriticality (RESC) function is not required for successful mitigation of a Large LOCA. Voiding of the core in the initial phase of the accident and subsequent reflooding of the core with borated water from the Emergency Core Cooling Systems (ECCS) will render the reactor subcritical. This affects all sequences (1 - 15).

2. The failure of the Reactor Heat Removal (REHR) function in the injection phase precludes success of REHR (recirculation) since some of the same systems are used in the recirculation phase and the dominant failure modes in injection are expected to fail the systems in recirculation also. In addition, REHR (recirculation) success will not prevent core melt and is not expected to significantly affect the accident consequences. This affects sequences 9 - 15.

3. The failure of the Containment Atmospheric Heat Removal (CNHR) function in the injection phase precludes success of CNHR (recirculation) and Containment Radioactivity Removal (CNRR) in both the injection and recirculation phases. The systems used for these functions are the same as those used in CNHR (injection) and the dominant failure modes in CNHR (injection) are expected to fail the systems in any other mode of operation. Also, REHR (recirculation) is assumed to have failed since CNHR (injection) failure will result in containment failure before the recirculation phase is reached. Upon failure, the containment would undergo rapid depressurization. This would cause the superheated water in the sump to partially flash to steam and boil vigorously. The pumps which provide cooling and radioactivity removal during the recirculation phase are assumed to fail due to the pumping of two-phase water. This affects sequences 8 and 15. It should be noted that in sequence 8, containment failure occurs before core melt.

4. The failure of the Containment Radioactivity Removal (CNRR) function in the injection phase precludes successful CNRR (recirculation) since the same system is used in both phases and the dominant failure modes in the injection phase are expected to fail the system in recirculation also. This affects sequences 13 and 14.

5. Successful Reactor Heat Removal (REHR) and Containment Atmospheric Heat Removal (CNHR) in the injection phase prevent a core melt in the injection phase. A decision branch is not made for Containment Radioactivity Removal (CNRR) in the injection phase for non-core melts since the success of this function would not significantly affect accident consequences. This affects sequences 1 - 7.

6. Successful Reactor Heat Removal (REHR) and Containment Atmospheric Heat Removal (CNHR) in both the injection and recirculation phase lead to a safe situation. A decision branch is not made for Containment Radioactivity Removal (CNRR) in recirculation since success of this function would not significantly affect accident consequences. This affects sequence 1 only.
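The six Large LOCA dependencies listed above, applied mechanically to a full success/failure tree, as an added example (not code from the report). The heading order, the S/F/- state codes and the function names are assumptions of this example, since Figure 5-1 is not reproduced on this page; the pruned tree has 15 sequences, and each dependency touches exactly the sequences the list says it affects.

```python
"""Large LOCA functional event tree built from dependencies 1-6 (added example)."""

# Assumed heading order (Figure 5-1 is not reproduced on this page). RESC is
# not a heading at all: dependency 1 says it is not required for a Large LOCA.
HEADINGS = ["REHR_I", "CNHR_I", "CNRR_I", "REHR_R", "CNHR_R", "CNRR_R"]
LATER = ("CNRR_I", "REHR_R", "CNHR_R", "CNRR_R")


def constraint(heading, path):
    """Return (state, deps) for one heading given the branches taken so far.

    state None: draw a success/failure decision branch.
    state 'F':  failure implied by an earlier failure, no branch drawn.
    state '-':  no decision branch because the outcome would not change.
    deps is the set of dependency numbers (from the list above) that applied.
    """
    state, deps = None, set()
    if heading in LATER and path["CNHR_I"] == "F":
        state, deps = "F", {3}      # containment fails before recirculation
    if heading == "REHR_R" and path["REHR_I"] == "F":
        state, deps = "F", deps | {2}   # same systems, same failure modes
    if state is None and heading == "CNRR_R" and path["CNRR_I"] == "F":
        state, deps = "F", {4}      # same system in both phases
    if heading == "CNRR_I" and path["REHR_I"] == "S" and path["CNHR_I"] == "S":
        state, deps = "-", {5}      # no core melt in the injection phase
    if heading == "CNRR_R" and all(
        path[h] == "S" for h in ("REHR_I", "CNHR_I", "REHR_R", "CNHR_R")
    ):
        state, deps = "-", {6}      # safe situation
    return state, deps


def sequences():
    """Depth-first walk, success branch first; returns [(states, deps), ...]."""
    out = []

    def walk(i, path, deps):
        if i == len(HEADINGS):
            out.append((dict(path), frozenset(deps)))
            return
        heading = HEADINGS[i]
        state, why = constraint(heading, path)
        for s in ([state] if state else ["S", "F"]):
            path[heading] = s
            walk(i + 1, path, deps | why)
        del path[heading]

    walk(0, {}, set())
    return out


def affected_by(dep):
    """Sequence numbers (1-based) in which dependency `dep` removed a branch."""
    return [n for n, (_, deps) in enumerate(sequences(), start=1) if dep in deps]


if __name__ == "__main__":
    print("seq  " + "  ".join(HEADINGS) + "  dependencies")
    for n, (states, deps) in enumerate(sequences(), start=1):
        row = "  ".join(states[h].center(len(h)) for h in HEADINGS)
        print(f"{n:>3}  {row}  {sorted(deps)}")
```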

5.2.1.2 Small and Small-small LOCA Functional Dependencies

The following dependencies were incorporated into the Small and Small-small LOCA functional event tree:

1. Upon failure of the Reactor Subcriticality (RESC) function, sequences 30-36 were assumed to lead to core melt. This is not an unreasonable assumption since the turbine may not trip for some time and the power level and pressure may remain high for an extended period of time, thereby preventing successful primary makeup. In the case with successful scram, reactor pressure drops relatively slowly. The higher amount of energy in the primary in the case with unsuccessful scram should result in even slower decreases in reactor pressure and increased likelihood of core uncovery without some operator recovery actions within a short time.

2. The failure of the Reactor Heat Removal (REHR) function in the injection phase precludes success of REHR in the recirculation phase for the same reasons as in (2) for the Large LOCA case. This affects sequences 23 - 29.
3. The failure of the Containment Atmospheric Heat Removal (CNHR) function precludes success of CNHR (recirculation) and Containment Radioactivity Removal (CNRR) in both the injection and recirculation phases for the same reasons as in (3) for the Large LOCA case. This affects sequences 29 and 36.
4. The failure of the Containment Radioactivity Removal (CNRR) function in the injection phase precludes success of CNRR in the recirculation phase for the same reasons as in (4) for the Large LOCA case. This affects sequences 27, 28, 34 and 35.

5. Successful Reactor Subcriticality (RESC) and Reactor Heat Removal (REHR) in injection prevent a core melt in the injection phase. A decision branch is not made for Containment Atmospheric Heat Removal (CNHR) or Containment Radioactivity Removal (CNRR) in the injection phase since success of these functions would not significantly affect accident consequences. This affects sequences 16 - 22.
6. Successful Reactor Heat Removal (REHR) in injection and recirculation phases and Containment Atmospheric Heat Removal (CNHR) in the recirculation phase prevent core melt and lead to a safe situation. A decision branch is not made for Containment Radioactivity Removal (CNRR) in recirculation for the same reason as in (6) for the Large LOCA case. This affects sequence 16 only.

5.2.1.3 LOCA Functional Accident Sequence Descriptions

The following sections will discuss the sequences shown on the LOCA functional event trees.

5.2.1.3.1 Sequence 1

This sequence is a Large LOCA followed by successful operation of the Reactor Heat Removal and Containment Heat Removal functions. The result is a safe outcome.

5.2.1.3.2 Sequence 2

This sequence is a Large LOCA with successful reactor heat removal in both the injection and recirculation phases. Containment heat removal is successful in injection but fails in recirculation. This results in containment failure by overpressure and subsequent failure of all safety systems leading to core melt. The containment radioactivity removal function works to reduce the initial radioactive release but is not effective after the containment fails.

5.2.1.3.3 Sequence 3

This sequence is similar to sequence 2 except that containment radioactivity removal has also failed. This will increase the initial radioactive release.

5.2.1.3.4 Sequence 4

This is a Large LOCA with successful reactor and containment heat removal in the injection phase. Reactor heat removal fails in the recirculation phase and core melt occurs. Containment heat and radioactivity removal continue to work. Containment failure by meltthrough is most likely, although long-term overpressure failure due to non-condensables is possible.

5.2.1.3.5 Sequence 5

This sequence is similar to sequence 4 except that containment radioactivity removal fails, which may result in higher radioactive releases.

5.2.1.3.6 Sequence 6

This sequence is a Large LOCA with successful reactor and containment heat removal in the injection phase. Reactor and containment heat removal fail in recirculation resulting in core melt. Containment radioactivity removal functions to reduce the radioactive release. The most likely containment failure mode is by overpressure.

5.2.1.3.7 Sequence 7

This sequence is similar to sequence 6 except that both containment heat and radioactivity removal fail. This results in higher radioactive releases.

5.2.1.3.8 Sequence 8

This sequence is a Large LOCA followed by successful reactor heat removal. Containment heat removal fails in the injection phase. The subsequent containment failure due to overpressure results in the failure of all core cooling systems and core melt.

5.2.1.3.9 Sequence 9

This sequence is a Large LOCA followed by failure of the reactor heat removal function resulting in core melt. The containment heat and radioactivity removal functions work and containment failure by meltthrough is most likely, although long-term overpressure failure caused by non-condensables is possible.

5.2.1.3.10 Sequence 10

This sequence is similar to sequence 9 except that containment radioactivity removal fails. This may result in higher releases.

5.2.1.3.11 Sequence 11

This sequence is a Large LOCA followed by failure of reactor heat removal resulting in core melt. The containment heat removal function works in injection but fails in recirculation leading to containment failure by overpressure. The containment radioactivity function works to mitigate the release.

5.2.1.3.12 Sequence 12

This sequence is similar to sequence 11 except that the containment radioactivity removal function also fails in recirculation leading to increased radioactive releases.

5.2.1.3.13 Sequence 13

This sequence is a Large LOCA followed by failure of reactor heat removal and containment radioactivity removal. Core melt occurs but the containment heat removal function works. Containment failure by meltthrough is most likely, although long-term overpressure failure due to non-condensables is possible.

5.2.1.3.14 Sequence 14

This sequence is similar to sequence 14 except that containment heat removal fails in recirculation. Containment failure by overpressure is most likely.

5.2.1.3.15 Sequence 15

This sequence is a Large LOCA followed by failure of all functions. The core melts and containment failure by overpressure is most likely.

5.2.1.3.16 Sequence 16

This sequence is a Small (S1) or Small-small (S2) LOCA followed by successful operation of all functions. The result is a safe outcome.

5.2.1.3.17 Sequence 17

This sequence is a S1 or S2 LOCA with successful reactor subcriticality, reactor heat removal and containment radioactivity removal. Containment heat removal fails in recirculation resulting in containment failure due to overpressure and subsequent failure of reactor heat removal and core melt.

5.2.1.3.18 Sequence 18

This sequence is similar to sequence 17 except that containment radioactivity removal fails leading to increased releases.

5.2.1.3.19 Sequence 19

This sequence is a S1 or S2 LOCA with successful reactor subcriticality and reactor and containment heat removal in the injection phase. Reactor heat removal fails in recirculation leading to core melt. The most likely containment failure mode is by meltthrough, although long-term overpressure failure due to non-condensables is possible.

5.2.1.3.20 Sequence 20

This sequence is similar to sequence 19 except that the containment radioactivity removal function fails in recirculation leading to higher releases.

5.2.1.3.21 Sequence 21

This sequence is similar to sequence 19 except that the containment heat removal function also fails in recirculation. The most likely containment failure mode is overpressure.

5.2.1.3.22 Sequence 22

This sequence is similar to sequence 21 except that both the containment heat and radioactivity removal functions have failed in recirculation. This results in increased radioactive releases.

5.2.1.3.23 Sequence 23

This sequence is a S1 or S2 LOCA with successful reactor subcriticality. Reactor heat removal fails in the injection phase resulting in core melt. Containment heat and radioactivity removal work and containment failure by meltthrough is most likely, although long-term overpressure failure due to non-condensables is possible.

5.2.1.3.24 Sequence 24

This sequence is similar to sequence 23 except that containment radioactivity removal fails in recirculation resulting in higher releases.

5.2.1.3.25 Sequence 25

This sequence is a S1 or S2 LOCA with successful reactor subcriticality. Reactor heat removal fails in the injection phase resulting in core melt. Containment heat and radioactivity removal work in injection but containment heat removal fails in recirculation resulting in containment failure by overpressure.

5.2.1.3.26 Sequence 26

This sequence is similar to sequence 25 except that containment radioactivity removal also fails in recirculation resulting in higher radioactive releases.

5.2.1.3.27 Sequence 27

This sequence is a S1 or S2 LOCA followed by successful reactor subcriticality. Reactor heat removal and containment radioactivity removal fail in injection and core melt occurs. Containment heat removal works and containment failure by meltthrough is most likely, although long-term overpressure failure due to non-condensables is possible.

5.2.1.3.28 Sequence 28

This sequence is similar to sequence 27 except that containment heat removal fails in recirculation. The most likely containment failure mode is now overpressure.

5.2.1.3.29 Sequence 29

This sequence is a S1 or S2 LOCA followed by successful reactor subcriticality. Reactor and containment heat removal fail in injection resulting in core melt and containment failure by overpressure.

5.2.1.3.30 Sequence 30

This sequence is a S1 or S2 LOCA followed by failure of reactor subcriticality and core melt. Containment heat and radioactivity removal work and containment failure by meltthrough is most likely, although long-term overpressure failure due to non-condensables is possible.

5.2.1.3.31 Sequence 31

This sequence is similar to sequence 30 except that containment radioactivity removal fails in recirculation resulting in higher releases.

5.2.1.3.32 Sequence 32

This sequence is a S1 or S2 LOCA followed by failure of reactor subcriticality and core melt. Containment heat removal works in the injection phase but fails in the recirculation phase leading to containment failure by overpressure. Containment radioactivity removal works to mitigate the release.

5.2.1.3.33 Sequence 33

This is similar to sequence 32 except that containment radioactivity removal also fails leading to higher radioactive releases.

5.2.1.3.34 Sequence 34

This is similar to sequence 31 except that containment radioactivity removal fails in injection instead of recirculation.

5.2.1.3.35 Sequence 35

This sequence is similar to sequence 32 except that containment radioactivity removal fails in injection instead of recirculation.

5.2.1.3.36 Sequence 36

This sequence is a S1 or S2 LOCA followed by failure of reactor subcriticality and containment heat removal. Core melt occurs followed by failure of containment by overpressure.

5.2.2 Transient Functional Event Tree

The CC-1 transient functional event tree is depicted in Figure 5-3. This tree was constructed in the same way as the LOCA functional trees.

5.2.2.1 Transient Functional Dependencies

The following dependencies were incorporated into the transient functional event tree:

1. Upon failure of the Reactor Subcriticality (RESC) function, sequences 11-13 were assessed to lead to core melt. Following a severe pressure transient, reactor power will equilibrate at the heat removal rate (i.e., either main feedwater and auxiliary feedwater at about 10% or just auxiliary feedwater at about 5%). Current analyses of these accidents by CE and the NRC only go out to 20 minutes. The accident progression beyond this point is uncertain, and they are assessed to result in core melt if the operator fails to inject boron by 20-30 minutes (see discussion of TKU sequences in Chapter 8 and the sensitivity analysis in Section 8.3 for a more detailed discussion of the thermal-hydraulics). No choice is given for Primary System Relief (PSR), Reactor Coolant System Integrity (RCSI) and Reactor Heat Removal (REHR) functions since the sequences lead to core melt and their operation is moot.

2. The failure of the Reactor Heat Removal (REHR) function results in core melt and makes successful Primary System Relief (PSR) and Reactor Coolant System Integrity (RCSI) moot. This affects sequences 8 - 10.

3. The failure of the Primary System Relief (PSR) function (if required) makes successful Reactor Coolant System Integrity (RCSI) moot since the resulting pressure transient is assumed to result in an unmitigatable LOCA. This affects sequences 5 - 7.

4. The failure of the Containment Atmospheric Heat Removal (CNHR) function precludes successful Containment Radioactivity Removal (CNRR) since the system used for CNRR is also used for CNHR. This affects sequences 4, 7 and 10.

5. The success of Reactor Subcriticality (RESC), Reactor Heat Removal (REHR), Primary System Relief (PSR) and Reactor Coolant System Integrity (RCSI) leads to a safe situation. A decision branch is not given for either Containment Atmospheric Heat Removal (CNHR) or Containment Radioactivity Removal (CNRR) since they would not significantly affect the consequences. This affects sequence 1 only.
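The five dependencies above determine which branches of the transient functional event tree are drawn. The following added example (not part of the report; the function and variable names are assumptions) encodes them as branching rules and enumerates the resulting sequences, so the count and results can be compared with the sequence descriptions in Section 5.2.2.2 and with Figure 5-3.

```python
"""Enumerate the transient functional event tree from the Section 5.2.2.1 rules.

Added illustration: names below are assumptions, not taken from the report.
"""

S, F, MOOT = "S", "F", "-"  # success, failure, no branch drawn

# Event tree headings in the order used by the transient functional tree.
HEADINGS = ("RESC", "REHR", "PSR", "RCSI", "CNHR", "CNRR")
FRONT = HEADINGS[:4]  # reactor-side functions; the last two are containment


def allowed(heading, path):
    """Outcomes that get a branch for `heading`, given earlier outcomes in `path`."""
    if heading in FRONT:
        # Dependencies 1-3: once an earlier reactor-side function has failed,
        # the sequence goes to core melt and later reactor-side functions are moot.
        return (MOOT,) if F in path.values() else (S, F)
    # Dependency 5: all reactor-side functions succeeded, so the outcome is safe
    # and no containment decision branch is given.
    if all(path[h] == S for h in FRONT):
        return (MOOT,)
    # Dependency 4: CNHR failure precludes CNRR success (shared system).
    if heading == "CNRR" and path["CNHR"] == F:
        return (F,)
    return (S, F)


def result(path):
    """Result column as shown for the transient functional tree."""
    if all(path[h] == S for h in FRONT):
        return "SAFE"
    if path["RCSI"] == F:
        # Relief valves fail to reclose: transfers to the Small-small LOCA tree.
        return "LOCA and/or CM"
    return "CM"


def enumerate_sequences():
    """Depth-first walk, success branch first, numbering sequences from 1."""
    sequences = []

    def walk(index, path):
        if index == len(HEADINGS):
            sequences.append((len(sequences) + 1, dict(path), result(path)))
            return
        heading = HEADINGS[index]
        for outcome in allowed(heading, path):
            path[heading] = outcome
            walk(index + 1, path)
            del path[heading]

    walk(0, {})
    return sequences


if __name__ == "__main__":
    print("Seq  " + "  ".join(f"{h:>4}" for h in HEADINGS) + "  Result")
    for number, path, outcome in enumerate_sequences():
        cells = "  ".join(f"{path[h]:>4}" for h in HEADINGS)
        print(f"{number:>3}  {cells}  {outcome}")
```

Without the dependencies the six headings would give 2^6 = 64 paths; the rules reduce them to 13. The enumeration also applies dependency 4 to sequence 13, in line with that sequence's description.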

5.2.2.2 Transient Functional Accident Sequence Descriptions

The following sections will discuss the sequences shown on the transient functional event tree.

5.2.2.2.1 Sequence 1

In this sequence, all functions work as expected. The reactor is rendered subcritical, decay heat is removed, primary system relief works (if required), and RCS integrity is maintained. As a result, there is no need for containment heat or radioactivity removal. The sequence has a safe outcome.

5.2.2.2.2 Sequence 2

In this sequence, the reactor is rendered subcritical and decay heat is removed. But after successful primary system pressure relief, the relief valves fail to reclose resulting in a Small-small LOCA. The containment functions succeed and this sequence transfers to the appropriate Small-small LOCA sequences.

5.2.2.2.3 Sequence 3

This sequence is similar to sequence 2 except that the containment radioactivity removal function fails. This sequence also results in a Small-small LOCA and transfers to the appropriate Small-small LOCA sequences.

5.2.2.2.4 Sequence 4

This sequence is similar to sequence 2 except that containment heat and radioactivity removal fail. The sequence transfers to the appropriate Small-small LOCA sequences.

5.2.2.2.5 Sequence 5

In this sequence, the reactor is rendered subcritical, decay heat is removed, but primary system pressure relief fails (if required) and is assumed to result in an unmitigatable LOCA. This results in a core melt. All containment functions work to mitigate the accident and meltthrough is the most likely containment failure mode, although long-term overpressure failure due to non-condensables is possible.

5.2.2.2.6 Sequence 6

This sequence is similar to sequence 5 except that the containment radioactivity removal function has failed. This may increase the radioactive release compared to sequence 5.

5.2.2.2.7 Sequence 7

This sequence is similar to sequence 5 except that all containment heat and radioactivity removal functions have failed. This makes containment failure by overpressure most likely and results in higher radioactive releases.

5.2.2.2.8 Sequence 8

In this sequence, the reactor is rendered subcritical but reactor heat removal fails. This results in core melt. The containment heat and radioactivity removal functions are successful and meltthrough is the most likely containment failure mode, although long-term overpressure failure due to non-condensables is possible.

5.2.2.2.9 Sequence 9

This sequence is similar to sequence 8 except that the containment radioactivity removal function has failed. This may increase the radioactive release compared to sequence 8.

5.2.2.2.10 Sequence 10

This sequence is similar to sequence 8 except that all containment heat and radioactivity removal functions have failed. This makes containment failure by overpressure most likely and results in higher radioactive releases.

5.2.2.2.11 Sequence 11

In this sequence, the reactor is not made subcritical. The containment heat and radioactivity removal functions succeed and containment failure by overpressure is most likely.

5.2.2.2.12 Sequence 12

This sequence is similar to sequence 11 except that the containment radioactivity removal function has failed. This increases the radioactive release compared to sequence 11.

5.2.2.2.13 Sequence 13

This sequence is similar to sequence 11 except that the containment heat removal and radioactive release functions have failed. This increases the likelihood of containment failure by overpressure.

5.3 CC-1 Systemic Event Trees

There were three LOCA and four transient systemic event trees constructed to represent the plant front-line system response to the 3 LOCAs, the 4 transients, and 2 special initiating events defined in Chapter 4. A total of seven systemic trees were drawn using the same method as for the functional trees but using systems instead of functions for the event tree headings. This many systemic trees were required in order to represent all of the different sets of system success criteria required for the various initiators or the interdependencies between systems which may also vary with initiator. The seven systemic trees are shown in Figures 5-4 to 5-10.

The definitions for the events depicted on the seven systemic event trees are listed in Table 5.1 and the notes for each tree in Tables 5.2 - 5.5. The reader should refer to Appendix A for a detailed discussion of these event trees and the system interdependencies.

Figure 5-1 Large LOCA (A) Functional Event Tree

[Event tree diagram. Initiating event: Large LOCA (A). Mitigating function headings: Reactor Subcriticality (RESC); Injection Phase: Reactor Heat Removal (REHR), Containment Atmospheric Heat Removal (CNHR), Containment Radioactivity Removal (CNRR); Recirculation Phase: REHR, CNHR, CNRR. Results: sequence 1 SAFE; sequences 2-15 CM.]

Figure 5-2 Small or Small-Small LOCA (S1 or S2) Functional Event Tree

[Event tree diagram. Initiating event: Small or Small-small LOCA (S1 or S2). Mitigating function headings: Reactor Subcriticality (RESC); Injection Phase: Reactor Heat Removal (REHR), Containment Atmospheric Heat Removal (CNHR), Containment Radioactivity Removal (CNRR); Recirculation Phase: REHR, CNHR, CNRR. Results: sequence 16 SAFE; sequences 17-36 CM.]

Figure 5-3 Transient T1, T2, T3, T4 Functional Event Tree

[Event tree diagram. Initiating event: Transient (T). Mitigating function headings: Reactor Subcriticality (RESC), Reactor Heat Removal (REHR), Primary System Relief (PSR), Reactor Coolant System Integrity (RCSI), Containment Atmospheric Heat Removal (CNHR), Containment Radioactivity Removal (CNRR). Results: sequence 1 SAFE; sequences 2-4 LOCA and/or CM; sequences 5-13 CM.]

Figure 5-4 Large LOCA (A) Systemic Event Tree

[Event tree diagram. Initiating event: Large LOCA (A). Mitigating system headings: LPSI (D'), SIT (D), CARC (C), CSSI (C'), CSSR (F), SDHX (G), HPSR (H). Columns: sequence number, designator, functional failures (REHR, CNHR, CNRR in injection and recirculation), RCS status, notes. Sequences 1-24.]

Figure 5-5 Small LOCA (S1) Systemic Event Tree

[Event tree diagram. Initiating event: Small LOCA (S1). Mitigating system headings: RPS (K), HPSI (D*), CARC (C), CSSI (C'), CSSR (F), SDHX (G), HPSR (H). Columns: sequence number, designator, functional failures (RESC, REHR, CNHR, CNRR in injection and recirculation), RCS status, notes. Sequences 25-48.]

Figure 5-6 Small-Small LOCA (S2) Systemic Event Tree

[Event tree diagram. Initiating event: Small-small LOCA (S2). Mitigating system headings: RPS (K), SSR AFW (L), HPSI (D*), CARC (C), CSSI (C'), CSSR (F), SDHX (G), HPSR (H). Columns: sequence number, designator, functional failures (RESC, REHR, CNHR, CNRR in injection and recirculation), RCS status, notes. Sequences 49-79.]

Figure 5-7 Loss of Offsite Power (T1), Loss of PCS (T2), Loss of a DC Bus (TDC) and Loss of Service Water (TSRW) Systemic Event Tree

[Event tree diagram. Initiating event: T-1/2. Mitigating system headings: RPS (K), CVCS (U), SSR AFW (L), SRV Open (P), SRV Recl. (Q), CARC (C), CSSI (C'). Columns: sequence number, designator, functional failures (RESC, REHR, RCSI, PSR, CNHR, CNRR), RCS status, notes. Sequences 80-100.]

Figure 5-8 Transients Requiring Primary System Relief (T3) Systemic Event Tree

[Event tree diagram.]


Table 5.1 Event Definitions For Systemic Event Trees

1. Initiators

Large LOCA          A breach of the RCS greater than 4.3" in diameter.
Small LOCA          A breach of the RCS greater than 1.9" but less than or equal to 4.3" in diameter.
Small-small LOCA    A breach of the RCS greater than .3" but less than or equal to 1.9" in diameter.
T1                  Shutdowns initiated by loss of Offsite Power.
T2                  Shutdowns initiated by loss of the Power Conversion System (other than due to T1).
T3                  Shutdowns initiated by transients which require primary system relief.
T4                  Shutdowns initiated by all other transients.
TDC                 Shutdowns initiated by failure of DC bus 11.
TSRW                Shutdowns initiated by failure of SRW train 12.

2. Systems

RPS                 Reactor Protection System
CVCS                Chemical Volume and Control System
SIT                 Safety Injection Tanks System
LPSI                Low Pressure Safety Injection System
HPSI/R              High Pressure Safety Injection/Recirculation System
CSSI/R              Containment Spray System, Injection/Recirculation
SDHX                Shutdown Heat Exchanger System
CARC                Containment Air Recirculation and Cooling System
SSR AFW             Auxiliary Feedwater and Secondary Steam Relief System
SRV Open            Safety relief valves open
SRV Recl.           Safety relief valves reclose
SSR PCS             Power Conversion System and Secondary Steam Relief

Table 5.2 Notes for LOCA Systemic Event Trees

1. CSSI is not required, because CARC performs the containment heat removal function during the injection phase, and because containment radioactivity removal is not needed until after core melt, which occurs during the recirculation phase if at all.

2. SDHX is not required because: (1) CARC performs the containment heat removal function, (2) the combined operation of CARC and HPSR can perform the reactor heat removal function, and (3) CSSR performs the containment radioactivity removal function independent of SDHX.

3. Core melt occurs early in the recirculation phase because of loss of core makeup due to failure of HPSR.

4. HPSR will eventually fail due to failure of containment systems.

5. Core melt occurs during the injection phase due to failure of HPSI.

6. Core melt occurs during the injection phase due to failure of RPS. Primary pressure will not drop below the HPSI shut-off head in time to prevent core uncovery and melt since the turbine will not trip for an extended period of time and reactor power and pressure will remain high.

7. HPSI success/failure states are not given in sequences where SSR-AFW has failed, because RCS pressure is assumed not to drop below the HPSI pump shut-off head of 1275 psia.

8. With failure of RPS, RCS pressure is assumed not to drop below the HPSI pump shut-off head of 1275 psia in time to prevent core uncovery and subsequent core melt since the turbine will not trip for an extended period of time and reactor power and pressure will remain high.

9. Even though SIT is expected to operate before LPSI, LPSI appears first on the event tree because failure of LPSI precludes any significant effect of SIT success or failure on the core melt consequences whereas if SIT fails LPSI can still significantly affect the consequences.

10. Sequences T1/2Q, T3Q and T3MQ are transferred to the S2 tree in locations where RPS has succeeded and SSR-AFW has succeeded.

11. Core melt occurs late in the recirculation phase because HPSR fails due to failure of heat sink.

Table 5.3 Transients T1, T2, TDC and TSRW Event Tree Notes

1. Failure of SSR/AFW to remove sufficient heat from the reactor coolant system after a Loss of Offsite Power (LOSP) or Loss of Power Conversion System (PCS) will result in core melt.

2. For all accidents leading to core melt, the consequences may be mitigated by containment atmospheric heat and radioactivity removal. Therefore, the operational response decisions for CARC and CSSI appear in these cases.

3. Failure of CSSI results in failure to remove radioactivity from the containment atmosphere.

4. Failure of CSSI when CARC has also failed results in complete loss of containment atmospheric heat removal and potential containment overpressure rupture.

5. Successful CVCS operation after failure of RPS will make the reactor subcritical with no side effects due to pressure spikes (see the discussion of the ATWS(PSF) sequence in Chapter 8). It is assumed that the SRVs will be challenged when the RPS fails.

6. Failure of CVCS and RPS constitutes failure to reach subcriticality. Reactor power will equilibrate at the AFW heat removal rate of about 5% after a severe pressure transient and substantial loss of primary inventory.

7. Due to failure of RPS but successful shutdown of the reactor by CVCS, the opening and reclosing of the SRVs is required. It is assumed that the excess pressure will not rupture the RCS and that the core will remain intact (see the discussion of the ATWS(PSF) sequence in Chapter 8).

8. Failure to reclose any one of the SRVs after RPS failure will result in a Small-small LOCA and subsequent core melt since the resulting high equilibrium primary pressure will prevent successful primary makeup for an extended period of time due to the low HPSI pump shut-off head.

9. Failure of SRVs to open is assumed to result in RCS overpressure and subsequent loss of RCS integrity and core melt.

10. CVCS will provide successful reactor shutdown but will not provide successful coolant makeup.

11. Successful recovery does not require operation of the PORVs or Code Safeties when RPS succeeds, as described in NUREG-0635 for a realistic treatment of loss of feedwater transients. However, since there is a chance that a PORV may be opened, the SRV RECLOSE success would be required.

12. Sequences with failure of CARCS and/or CSSI are probabilistically negligible. CSSI was chosen so that both containment heat removal and radioactivity removal are successful.

13. It is assumed that successful recovery from a T1 or T2 transient would result from successful RPS, SSR, AFW, and SRV RECLOSE (if SRV's demanded). However, in the event that RPS fails, successful recovery requires PORV and code safety operation.

14. Failure to reclose a PORV after RPS success would result in a Small-small LOCA. The success of this sequence depends on LOCA mitigating systems success.

Table 5.4 Transient T3 Event Tree Notes

1. Successful opening and reclosing of the PORVs with the reactor subcritical and adequate reactor heat removal will ensure a safe recovery. The RCS coolant loss through the PORVs will be retained by the reactor coolant drain tank.

2. Failure to reclose one of the PORVs will lead to a Small-small LOCA.

3. Failure to open any of the primary system pressure relief valves is assumed to result in RCS overpressure and subsequent loss of RCS integrity and core melt.

4. For all accidents leading to core melt, the consequences may be mitigated by containment overpressure suppression and adequate containment atmospheric heat removal, which is carried out by CARC and/or CSSI.

5. Failure of CSSI results in a reduced capability to remove radioactivity from the containment atmosphere.

6. Failure of CSSI when CARC has also failed results in complete loss of containment atmospheric heat removal and potential containment overpressure rupture.

7. Failure of SSR/AFW after failure of SSR/PCS will result in core melt due to insufficient reactor heat removal.

8. The initiator involves a turbine trip which will cause the PCS to run back to a 5% flow level.

9. Due to the failure of RPS, the shutdown of the reactor is carried out by operation of CVCS, and the opening of the PORVs and Code Safeties can be expected. It is assumed that the excess pressure will not rupture the RCS and that the core will remain intact (see discussion of the ATWS(PSF) sequence in Chapter 8).

10. Success of CVCS after failure of RPS is assumed to provide the additional needed coolant inventory provided the SRVs reclose.

11. Failure of RPS followed by failure of SSR/PCS would leave only SSR/AFW to remove heat from a reactor that is undergoing a slow shutdown. Safe recovery, even with pressure relief, may be less certain than for the PCS success sequence.

12. The initiator involves a turbine trip which runs back PCS flow to 5%.

13. With PCS flow at 5% and AFW flow at 5%, the excess energy in the core upon failure to scram will make the RCS pressure equilibrate near the RCS safety valve setpoints after a moderately severe pressure transient and substantial loss of primary inventory.

14. Failure of SSR/PCS with the reactor still critical would leave only SSR/AFW to remove heat. Reactor power will equilibrate at the AFW heat removal rate of about 5% after a severe pressure transient and substantial loss of primary inventory.

15. Sequences with failure of CARCS and/or CSSI are probabilistically negligible. CSSI was chosen so that both containment heat removal and radioactivity removal are successful.

16. Transient-induced LOCAs following failure to trip the reactor but successful shutdown by CVCS are assumed to result in core melt because the pressure will equilibrate above the HPSI pump shut-off head for an extended period of time.

17. Core melt sequences are distinguished from each other due to timing of core melt and subsequent radionuclide release to the containment.

Table 5.5 l Transient T4 Event Tree Notes 4

! 1. Successful recovery from a T4 event is assumed to be

. achieved by tripping the reactor and removing reactor heat.

2. Failure of SSR/AFW after failure of SSR/PCS will result j in core melt due to insufficient reactor heat removal.
3. For all accidents leading to core melt, the consequences may be mitigated by containment overpressure suppression and adequate containment atmospheric heat removal, which is carried out by CARC and/or CSSI.
4. Failure of CSSI results in a reduced capability to remove radioactivity from the containment atmosphere.
5. Failure of CSSI when CARC has also failed results in complete loss of containment atmospheric heat removal and potential containment overpressure rupture.
6. Due to the failure of RPS but successful shutdown of the reactor carried out by operation of CVCS, the opening of the PORVs and code safeties can be expected. It is assumed that the excess pressure will not rupture the RCS and that the core will remain intact (see the discussion of the ATWS(PSF) sequence in Chapter 8).
7. Success of CVCS after failure of RPS is assumed to provide the additional needed coolant inventory provided the SRVs reclose.

8. Failure to reclose one or both of the PORVs after RPS failure will lead to a Small-small LOCA and subsequent core melt, since the pressure will equilibrate above the HPSI pump shut-off head for an extended period of time.
9. Failure to open any of the primary system pressure relief valves would lead to RCS overpressure and rupture. This event is assumed to lead to a loss of RCS integrity and subsequent core melt.
10. Failure of RPS followed by failure of SSR/PCS would leave only SSR/AFW to remove heat from a reactor that is undergoing a slow shutdown. Safe recovery, even with pressure relief, may be less certain than for the PCS success sequence.

Table 5.5 (cont.)

Transient T4 Event Tree Notes

11. Failure to shut down the reactor would allow the PCS to remove heat at a power level greater than or equal to 5%. Should turbine trip or MSIV closure occur after the T4 initiator, the PCS would run back to 5%. This is expected to occur in about 50% of the cases.
12. With PCS flow at 5% and AFW flow at 5%, the excess energy in the core upon failure to scram will make the RCS pressure equilibrate near the RCS safety valve setpoints after a moderately severe pressure transient and substantial loss of primary inventory.
13. Failure of SSR/PCS with the reactor still critical would leave only SSR/AFW to remove heat. Reactor power will equilibrate at the AFW heat removal rate of about 5% after a severe pressure transient and substantial loss of primary inventory.
14. Sequences with failure of CARCS and/or CSSI are probabilistically negligible. CSSI was chosen so that both containment heat removal and radioactivity removal are successful.

CHAPTER 6

SYSTEMS ANALYSIS

6.0 Introduction

The probabilistic risk assessment of CC-1 necessitated a thorough comprehension of the systems at the plant which could be used to mitigate the effects of a LOCA or transient. This chapter briefly presents the methodology and several assumptions used in this task. Furthermore, summaries of the systems, both front-line and support, are given. Detailed system descriptions and fault trees are presented in Appendix B.

6.1 Methodology and General Assumptions

The methodology used in the CC-1 systems analysis is that presented in SAND 82-0963, "Modular Fault Tree Analysis Procedures Guide" [15]. The methodology presented in the report is a modular logic approach to the development of detailed fault tree models for the various systems studied. Fault tree models were constructed for all systems described in this section, with the exception of the RPS (Section 6.7), the PCS (Section 6.8), PORVs (Section 6.10), and the Code Safety Valves (Section 6.12). These systems were either evaluated using operating experience and/or were modeled using simple Boolean failure equations.

The fault trees were constructed using a modular approach. This involved developing a simplified energy flow diagram of the system to be analyzed. Each node on the diagram was noted and the system segment between nodes was assigned a reference letter. Pipe segment fault tree modules were selected for each component between nodes on the diagram and component fault tree modules were selected for each component in the system segments. The component modules tie in the support systems required for the component to successfully function. These modules were joined together to form the system fault trees.

Some basic assumptions were established to formulate guidelines for the failure modes to be considered in the fault trees. These assumptions are as follows:

1. System fault events which could also be accident initiators (e.g., LOCA events, LOSP) were explicitly included as appropriate in each system fault tree.
2. Only single passive failures which can fail the entire system were included in each system fault tree unless the passive failure was an accident initiator.

3. Flow diversion paths were considered as potential system failure modes for fluid delivery systems. However, each potential diversion path was only included on the fault tree if it could result in failure of the system and its likelihood was comparable or greater than other system faults.
4. Spurious control faults of components after successful initial operation were only considered in those cases where the component is expected to receive an additional signal during the course of the accident to readjust or change its operating state.
5. Operator errors of commission which misposition valves or fail other components in response to the accident were only included for those components which are specifically identified in procedures as requiring operator manipulation.
6. Consideration of operator action as a successful operating mode for systems was only done in those cases where a written procedure for system operation exists which specifies the required operator actions. That is, operator recovery actions are not explicitly considered in the fault tree, but are treated following the screening calculations for accident sequence frequencies. "Verify" statements in procedures are treated as recovery operations.
7. Mispositioning of valves prior to the accident was not considered in those cases where valve position is indicated in the control room and monitored shiftly. Nor was it considered if the valves receive an automatic signal to return to their operable state under accident conditions.

6.2 Safety Injection Tanks (SITs)

6.2.1 Description

Four SITs are available to flood the core with borated water immediately following a large break LOCA. They are designed to minimize core damage until the safety injection pumps can provide adequate water for core cooling. Each tank is pressurized with nitrogen at 200 psig and contains a minimum water volume of 8,300 gallons with a minimum boron concentration of 1,720 ppm. This concentration is sufficient to render the reactor subcritical with all rods withdrawn at 60°F.

The SITs are self-contained, self-actuating, and passive in nature. Each tank is connected to the RCS at one of the reactor inlets (cold legs). Two check valves, held closed by RCS pressure, provide isolation during normal operation. The tanks can be isolated by motor-operated valves during plant shutdown and depressurization. Figure 6-1 is a simplified diagram of the SITs. The SITs are not dependent on any support systems.

In the case of the large break LOCA, RCS pressure will fall below the SIT pressure, the check valves will open and the tank contents will empty into the RCS. This action requires no actuation signal or outside power source. Three of the four tanks provide sufficient water to cover the core following a Design Basis Accident (DBA), assuming the contents of one of the four tanks spilled through the break.

6.2.2 Fault Tree Top Event

From the above success criteria, the fault tree top event is defined as "One SIT train (not connected to the failed loop) fails to function." Since operation of the SITs requires RCS pressure to drop below 200 psig, this fault tree is an input only to the large break LOCA systemic event tree.

6.2.3 Assumptions

The following assumptions were made during the fault tree construction of the SIT system.

1. Misposition faults for the normally locked-open motor-operated valves have been neglected since their position is checked shiftly.
2. Test and maintenance actions are not allowed due to technical specification requirements.
3. Faults related to tank pressure, level, and boron concentration have been neglected since pressure and level are alarmed and checked every shift and boron concentration is checked monthly and after each makeup.
4. A Large LOCA is assumed to occur in the loop to which injection line 11A is connected and to fail that SIT tank by dumping its contents on the floor.

6.2.4 Qualitative Insights

No unusual characteristics were identified for this system.

6.3 Low Pressure Safety Injection/Recirculation System (LPSI/R)

6.3.1 Description

The Low Pressure Safety Injection/Recirculation (LPSI/R) System injects borated water from the RWT into the RCS with a design flow of 3,000 gpm at a head of 350 ft. The LPSI/R System provides core cooling water during the injection phase of a large break LOCA.

The LPSI/R System can also be aligned to take suction from the containment sump and maintain a borated water cover over the core for extended periods of time in the recirculation phase of the large break LOCA; however, since this requires operator action and it is not the preferred system (HPSR is preferred), operation in the recirculation mode was treated as a recovery action.

The LPSI/R System consists of two pumps taking suction from separate RWT discharge headers and discharging to a common header. This header splits into four parallel injection lines to the RCS. The RWT discharge header is common for the LPSI/R System, the HPSI/R System, and the CSS/SDHX System. The injection line pipe segments just prior to the cold legs are common for the LPSI/R System, the HPSI/R System, and the SITs. Also, the pump recirculation lines from the LPSI/R, HPSI/R and CSS/SDHX systems back to the RWT all share a common portion. Figure 6-2 is a simplified diagram of the system and Figure 6-3 shows the support systems required to operate the system.

Upon receipt of a SIAS, the two pumps will start and four injection line motor-operated valves will open. When RCS pressure drops below 200 psig, the LPSI/R will begin to deliver flow to the cold legs.

At a low level in the RWT, the automatic Recirculation Actuation Signal (RAS) will shut down the LPSI/R pumps. The pumps cannot be restarted until this signal is cleared. There are complications involved in the process of clearing an automatic RAS signal. Thus, should HPSI/R fail in the recirculation phase of the Large LOCA, the operator cannot easily restart the LPSI/R pumps to proceed with the cooldown.

6.3.2 Fault Tree Top Event

A fault tree was only drawn for the injection phase of a Large LOCA. LPSI/R operation during recirculation was treated as a recovery action. The fault tree top event for the LPSI/R is defined as "Failure to deliver the flow of one out of two LPSI/R pumps to one of four safety injection headers."

6.3.3 Assumptions

The following assumptions were made during the fault tree construction of the LPSI/R system:

1. RWT water temperature was assumed to be above 45°F and thus failure of the RWT due to freezing was not considered.
2. No significant flow diversion paths to the connecting ESF systems were identified.
3. Unavailability due to test events for pumps and MOVs was neglected since all affected components receive ESFAS signals to go to their safety states.
4. Failure to restore events for MOVs and/or their breakers were neglected since all LPSI/R MOVs get ESFAS signals to actuate and their positions are checked shiftly.
5. A large break LOCA is assumed to occur in the loop to which injection line 11A is connected and fail that line by dumping its contents on the floor.

6.3.4 Qualitative Insights (LPSI/R)

Some qualitative insights gained at the system level are presented below. Quantitative evaluation shows that these insights are insignificant to risk (see Appendix C).

1. Failure of a single air-operated valve leads to system failure (CV-306). This is a low probability event since the valve is locked-open, deenergized and position checked every 12 hours.
2. The event tree for the Large LOCA does not take credit for the Low Pressure Safety Recirculation (LPSR) system should the High Pressure Safety Recirculation (HPSR) system fail. To use the LPSR, the pumps must be manually started since the RAS will have tripped them. RAS may be initiated manually or automatically. Procedures exist directing the operator to manually initiate RAS when the refueling water tank reaches a level of four feet. If this occurs, the RAS can be reset manually and the LPSI pumps started manually. If manual RAS does not occur, it will occur automatically when the refueling water tank reaches a level of 2.5 feet. In this case, the LPSI pumps cannot be started until the RAS is reset. RAS cannot be reset until the water level is increased in the Refueling Water Tank or the RAS logic interlock is defeated.

6.4 Containment Air Recirculation and Cooling System (CARCS)

6.4.1 Description

The Containment Air Recirculation and Cooling System (CARCS) consists of four fan/cooler units supplying cooled, recirculation air to the containment and to the RCS components via ducts in the containment. The fans are driven by two-speed motors which are supplied by 480 VAC buses. Fans 11 and 12 are fed by Load Group A, fans 13 and 14 are fed by Load Group B. The fans draw air over the cooling units which are supplied by the Service Water System (SRWS). Coolers 11 and 12 are supplied by SRW Subsystem 11. Coolers 13 and 14 are supplied by Subsystem 12. Figure 6-4 is a simplified diagram of the fans and Figure 6-5 shows the coolers. Figure 6-6 is a dependency diagram showing the support systems required for successful operation of CARCS.

CARCS is normally operating with three of four fan coolers at high speed and reduced SRW flow. Upon receipt of a Containment Spray Actuation Signal (CSAS), all four fans start in slow speed, and outlet valves open to increase SRW flow through the coolers. In addition, should containment temperature rise above 140°F, fusible links will melt and dropout plates open. This bypasses the normal ductwork, allowing a free air flow should the ducts collapse during a LOCA. For all classes of LOCA, CARCS succeeds if one of four units is operating with the fan in slow speed and full SRW flow through the cooler.

6.4.2 Fault Tree Top Event

From the above success criteria, the CARCS fault tree top event is "Failure of CARCS to Cool Containment with one of four Fan Coolers".

6.4.3 Assumptions

The following assumptions were made during fault tree construction of CARCS:

1. The only air flow paths considered in the fault tree are those that are rated for a normal air flow of 55,000 cfm.
2. For the Large LOCA case, the steam/vapor atmosphere would overload the fan motors if they remained in HIGH speed. Therefore, the fan is assumed to fail if it doesn't receive a CSAS to switch to SLOW speed.

3. Three of four fans are normally running. Fan 13 is assumed to be in standby and requires CSAS actuation for any size LOCA.
4. Collapse of the ducts due to a pressure differential in the early stages of the LOCA is considered a credible event. This event was modeled as "local fault of duct" and a value of 0.1 was assessed for this event in a LOCA environment.
5. In duct segment AFL (see Figure 6-4), failure of any damper is assumed to fail the whole segment.
6. No credit has been given for unusual success criteria of CARCS (i.e., all four fans in slow speed with normal SRW flow through each cooler).
7. Operation of CARCS was assumed to be impeded in a core melt environment. High aerosol loading could reduce the heat removal efficiency or fail the system. A probability of 0.1 was assessed for "Inadequate Heat Removal" in CARCS heat exchanger in a core melt environment.

6.4.4 Qualitative Insights

No unusual system dependencies or characteristics were identified for this system.

6.5 Containment Spray/Shutdown Heat Exchanger System (CSS/SDHX)

6.5.1 Description

The Containment Spray/Shutdown Heat Exchanger System (CSS/SDHX) performs two functions following an accident. First, it limits the containment pressure and temperature following a LOCA or transient-induced accident, thus reducing the possibility of a breach of containment and leakage of airborne radioactivity to the outside environment. Second, it reduces the amount of radioactive material in the containment atmosphere so that even in the event of containment failure a reduced amount of radioactivity would be released.

The CSS/SDHX system sprays cooled, borated water into the containment atmosphere. During the injection phase, borated water is supplied by the RWT. During the recirculation phase, suction for the CSS/SDHX system pumps is taken from the containment sump. In both phases, the water is pumped through the shutdown cooling heat exchangers and then through spray nozzles and into the containment atmosphere. The spray nozzles are located in the dome of the containment and arranged in headers to give complete spray coverage at the containment horizontal cross-section area. The CSS/SDHX system consists of two electric motor-driven pumps, the two shutdown cooling heat exchangers, two spray headers and nozzles, and associated piping, valves and instrumentation. The capacity of each containment spray pump is such that it can limit the containment pressure to less than its design value following a LOCA without needing CARCS operation. The CSS/SDHX system and CARCS provide the same function and thus are redundant. Figure 6-7 is a simplified diagram of the system and Figure 6-8 shows the support systems required for successful operation of the CSS/SDHX system.

The CSS/SDHX system pumps are started on a Containment Spray Actuation Signal (CSAS), while the spray header isolation valve receives a SIAS signal to open. Also, a RAS signal will open the two containment sump valves in the recirculation phase.

In the injection phase, both the Containment Heat and Radioactivity Removal functions are performed simultaneously and this mode of operation is performed by the Containment Spray System (Injection) and denoted by CSSI. In the recirculation phase, if the shutdown cooling heat exchangers do not remove heat, then the system can still reduce the containment airborne radiation levels by spraying hot water into the containment atmosphere. In this mode the system is called the Containment Spray System (Recirculation) and denoted CSSR. If the shutdown heat exchangers are working, then both the Containment Heat and Radioactivity Removal functions can be performed. In this mode of operation, the system is called the Shutdown Heat Exchanger System and denoted SDHX.

6.5.2 Fault Tree Top Event

Three fault trees were constructed, one for the injection phase (CSSI) and two for the recirculation phase (CSSR and SDHX). Both CSS trains must fail in order to achieve system failure. The fault tree top events for CSSI/R are defined as "Failure to provide water from 1 of 2 CSS pumps through 1 of 2 headers in the Injection/Recirculation phase." The fault tree top event for SDHX is defined as "Failure to provide containment cooling through 1 of 2 shutdown heat exchangers."

6.5.3 Assumptions

A list of system-specific assumptions made during the CSS/SDHX fault tree analysis is provided below:

1. The minimum flow recirculation line does not constitute a significant path of diversion.
2. Lines to the LPSI/R and HPSI/R headers were not modeled in the fault tree as paths of diversion since significant diversion will not occur.
3. Failure of the operator to close the RWT outlet valves after recirculation has begun (RAS opened the containment sump valves and suction is being taken from the sump) will not cause the pumps to cavitate since the spray pumps are at an elevation (-15 ft.) lower than both the RWT (45 ft.) and the containment sump (10 ft.) and there is sufficient net positive suction head for continued pump operation.
4. Operation in a post-core melt environment is assumed. While core melt debris thrown into the sump could fail this system, one of the factors, pipe insulation, is not of the type identified as possibly leading to pump failure.

6.5.4 Qualitative Insights

No unusual system dependencies or characteristics were identified for this system.

6.6 High Pressure Safety Injection/Recirculation System (HPSI/R)

6.6.1 Description

The High Pressure Safety Injection/Recirculation (HPSI/R) System injects borated water from the RWT into the RCS at discharge pressures up to 1,275 psia. The HPSI/R System provides core cooling for Small and Small-small LOCAs when the RCS does not depressurize sufficiently to allow injection via the LPSI/R System before core damage occurs.

The HPSI/R System can also be aligned to take suction from the containment sump and maintain a borated water cover over the core for extended periods of time following any size LOCA.

The HPSI/R System consists of three pumps drawing from the RWT suction headers and injecting into the RCS cold legs via two trains of four injection headers each. Upon receipt of a SIAS, eight HPSI/R MOVs open and two of the three pumps start. At least 400,000 gallons of borated water are available in the RWT for safety injection and containment spray. When this water supply reaches a low level, a RAS is generated. This opens two containment sump MOVs and the HPSI/R System now begins to recirculate sump water that has spilled through the break.

The sump water can be cooled before recirculation to the core by passing it through two shutdown cooling heat exchangers and directing it to the HPSI/R suction header. This reconfiguration can be performed from the control room by the operator, but has not been credited in our analysis. Figure 6-9 is a simplified diagram of the system and Figure 6-10 shows the support systems required to operate the HPSI/R System in both modes.

In both the injection and recirculation phase, all three pumps must fail and both trains must be unavailable for system failure. These criteria cover all classes of LOCA except the large break. As mentioned previously, the HPSI/R System was not considered essential for mitigating a Large LOCA during the injection phase, only during the recirculation phase. The HPSI/R System shares the RWT and containment sump suction headers with the LPSI/R and CSS/SDHX.

6.6.2 Fault Tree Top Event

Two fault trees were drawn, one for the injection phase and one for the recirculation phase. The HPSR fault tree includes all events in the HPSI fault tree in addition to events of the recirculation phase. The fault tree top event for the HPSI/R System is defined as "HPSI/R fails to provide at least 1 pump flow through 1 of 4 headers."

6.6.3 Assumptions

A list of system-specific assumptions made during the HPSI/R fault tree analysis is provided below:

1. No significant flow diversions to other ESF systems were found.
2. Unavailability due to test events for pumps and valves has been neglected since all pumps and valves receive ESFAS signals to go to their safety states.
3. Cavitation of the pump in the recirculation phase (due to non-closing of the RWT valves) has been neglected since sufficient NPSH exists for continued pump operation.
4. The minimum flow recirculation line was neglected as a diversion path but failure in the closed position was assumed to fail the HPSI pumps during Small-small LOCAs due to the pumps' low shutoff head and the slow decrease in the primary pressure.
5. No immediate operator actions were modeled except operator failure to actuate RAS. All other actions were treated as recovery actions.
6. Failure to restore events for MOVs and their breakers have been neglected since all MOVs get ESFAS signals to go to their safety states and are position checked shiftly.
7. RAS actuation logic has been modeled to include both automatic and manual initiation (ESFAS fault tree).

6.6.4 Qualitative Insights (HPSI/R)

A qualitative insight gained at the system level is presented below. Quantitative evaluation shows that this insight is significant to risk (see Chapter 8).

All HPSI/R, LPSI/R and CSS pump minimum flow recirculation lines join together in a common portion which contains two normally open motor-operated valves. On initiation of HPSI following a Small-small LOCA by an SIAS signal, failure of one of these valves in a closed position would result in failure of both LPSI pumps and all three HPSI pumps due to the slow decrease in primary system pressure and the fact that the pumps are pumping against dead head for a significant period of time. The CSS pumps would not fail since they only start on a CSAS signal which is expected to occur either simultaneously with or after the SIAS signal which opens the CSS spray header valves, thereby negating the need for recirculation flow in their case.
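The shared minimum-flow line insight above can be checked mechanically by computing minimal cut sets. The following Python code is an added example, not part of the original report or its fault trees: gate and event names are hypothetical, the tree keeps only the pump counts and the two normally open MOVs described in the text, and the variant without a shared line is a constructed comparison case, not a plant configuration.

```python
from itertools import product


def build_gates(shared_minflow=True):
    """Build a toy fault tree: gate name -> (operator, children).

    Hypothetical model of the Small-small LOCA case described above: a pump
    fails on a local fault OR when its minimum-flow path is blocked.
    shared_minflow=True routes every pump through one common line holding
    two MOVs in series; False gives each pump its own (constructed) valve.
    """
    gates = {}
    for system, pumps in (("HPSI", 3), ("LPSI", 2)):
        pump_gates = []
        for n in range(1, pumps + 1):
            pump = f"{system}_P{n}"
            if shared_minflow:
                blocked = "MINFLOW_BLOCKED"
            else:
                blocked = f"{pump}_MINFLOW_MOV_CLOSED"  # basic event
            gates[f"{pump}_FAILS"] = ("OR", [f"{pump}_LOCAL_FAULT", blocked])
            pump_gates.append(f"{pump}_FAILS")
        # The system is lost only when every one of its pumps is lost.
        gates[f"{system}_FAILS"] = ("AND", pump_gates)
    if shared_minflow:
        # Two valves in series: either one closed blocks the common line.
        gates["MINFLOW_BLOCKED"] = ("OR", ["MOV_A_CLOSED", "MOV_B_CLOSED"])
    return gates


def minimize(sets):
    """Keep only cut sets that have no strict subset in the collection."""
    sets = set(sets)
    return {s for s in sets if not any(other < s for other in sets)}


def cut_sets(node, gates):
    """Return the minimal cut sets of `node` as a set of frozensets."""
    if node not in gates:  # basic event
        return {frozenset([node])}
    op, children = gates[node]
    child_sets = [cut_sets(child, gates) for child in children]
    if op == "OR":
        merged = set().union(*child_sets)
    elif op == "AND":
        # One cut set from each child, combined; repeated events collapse.
        merged = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate operator: {op}")
    return minimize(merged)


def single_point_failures(gates, tops):
    """Map each basic event that alone fails a system to those systems."""
    hits = {}
    for top in tops:
        for cs in cut_sets(top, gates):
            if len(cs) == 1:
                (event,) = cs
                hits.setdefault(event, []).append(top)
    return {event: sorted(systems) for event, systems in hits.items()}


if __name__ == "__main__":
    tops = ["HPSI_FAILS", "LPSI_FAILS"]
    for shared in (True, False):
        gates = build_gates(shared)
        print("shared minimum-flow line:", shared)
        for top in tops:
            ordered = sorted(cut_sets(top, gates), key=lambda s: (len(s), sorted(s)))
            print(f"  {top}: {len(ordered)} minimal cut sets, "
                  f"lowest order {len(ordered[0])}")
        print("  single-event failures:", single_point_failures(gates, tops))
```

With the shared line, each MOV appears as an order-1 cut set of both systems; with separate lines the lowest order equals the number of pumps.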

6.7 Reactor Protection System (RPS)

6.7.1 Description

The Reactor Protection System (RPS) provides the initiating signals and means of rapid insertion of the CEAs into the reactor core when process and plant conditions deviate from the limits established to protect the NSSS.

The RPS continuously monitors all critical NSSS and plant conditions and processes the information to provide reactor trip initiation when each of the following functions are determined to be beyond their allowable limits:

1. Power Level
2. Rate of Change of Power
3. Reactor Coolant Flow
4. Steam Generator Water Level
5. Steam Generator Steam Pressure
6. Pressurizer Pressure
7. Thermal Margin (DNBR)
8. Loss of Load
9. Containment Pressure
10. Axial Power Distribution.

A simplified functional diagram of the RPS is shown in Figure 6-11 to assist in the understanding of the following sequence of events which take place during a reactor trip.

1. The magnitude of the measured signal is compared to a given preset level. If the allowable deviation from the preset level is exceeded, a channel trip signal for that function is generated and transmitted to the logic matrices.
2. The logic matrices identify two coincident channel trips from any group of four measurement channels monitoring a protective parameter.
3. Upon identification of the 2 out of 4 channel trips, the coincidence logics generate four trip signals to two Control Element Drive Mechanism (CEDM) power supplies.
4. Interruption of the power to the two CEDM power supplies removes power from each CEDM hold coil and allows the spring loaded CEDM holding latch to release and cause the individual CEAs to enter the reactor core.
5. Given failure of the auto-trip system, an independent manual trip can be initiated to interrupt power to the two CEDM power supplies.

The only system providing support to the RPS is the Electric Power System. However, a loss of electric power will result in a reactor trip. Thus, the RPS is a completely independent system.

6.7.2 Fault Tree Top Event

A simple fault tree was developed for the RPS. It was determined that at full power, a reactor scram will be successful if at least one CEDM power supply bus deenergizes to cause approximately half of the CEAs to enter the core. The RPS fault tree was not used in the quantification and sequence evaluation process. It is believed that a reliability calculation based on operating experience would provide a more realistic estimate of RPS failure. (See Appendix C for a discussion of the quantification of all undeveloped events.)

6.8 Power Conversion and Secondary Steam Relief Systems (PCS & SSR)

6.8.1 Description

The Power Conversion (PCS) and Secondary Steam Relief System (SSRS) at CC-1 consist of the Main Feedwater and Condensate System (MFWCS), the steam generators (SG), and the SSRS.

The MFWCS is designed to transfer feedwater (condensate) from the condenser hotwell to the steam generators. During this operation, this system raises the feedwater temperature and pressure and controls its chemical composition.

The two steam generators at CC-1 are shell heat exchangers with reactor coolant on the tube side and secondary system water on the shell side. They transfer the heat generated in the RCS to the SSRS. The Main Steam System (MSS) transfers steam from the steam generators via turbine throttle stop valves, the reheaters, and the turbine-driven pumps to the turbine building. The steam is used here to drive the turbine generator and produce electricity. The MSS also controls the pressure on the secondary side of the steam generators by means of the turbine bypass valves, atmospheric dump valves, or steam generator safety valves (high pressure) and main steam isolation valves (MSIVs) (low pressure).

Figures 6-12, 6-13, and 6-14 show simplified diagrams of the MFWCS, the steam generator, and the SSRS, respectively.

The PCS will operate successfully to provide 5% full MFW flow to the steam generators if one train (one MFW pump, one condensate booster pump, one condensate pump, and the associated valves and piping) of the MFWCS remains in operation during the transient. One out of two steam generators functioning successfully is sufficient to remove the decay heat level of 5% full power from the RCS. The SSRS can remove 5% full power main steam flow successfully in several ways:

1. One out of four turbine bypass valves must open to relieve steam to the condenser, or
2. Two out of two atmospheric steam dump valves must open to relieve steam to the atmosphere, or
3. One out of 16 steam generator safety valves must open to relieve steam to the atmosphere.

The PCS depends upon a number of interfacing systems to successfully fulfill its design function. Figures 6-15 and 6-16 show dependency diagrams for the PCS and SSRS, respectively.

6.8.2 Fault Tree Top Event

The success criteria for the PCS is to supply at least 5% of full flow to one of two steam generators via one operable train of feedwater pumps (one condensate, one condensate booster and one main feedwater pump and associated valves and piping). Detailed fault trees were not developed for the PCS. Instead a Boolean failure equation was written directly from knowledge of the support system dependencies and all other faults were grouped as local faults and quantified using CC-1 operating experience. (See Appendix C for a discussion of the quantification and the Boolean equation of PCS.)

6.8.3 Qualitative Insights

The qualitative insights presented below were gained at the system level. Quantitative evaluation showed that two of these insights were significant to risk (see Chapter 8).

1. The failure of either of two 125 VDC buses was found to lead to a trip of the PCS and result in a subsequent reactor trip while simultaneously degrading the responding safety systems. These events were treated as a special initiating event and are discussed in Chapter 4 in more detail. These events were found to contribute significantly to risk (see the discussion of sequence TDCL in Chapter 8).

2. The failure of a SRW valve was found to lead to a trip of the PCS and result in a subsequent reactor trip while simultaneously degrading the responding safety systems. This event was treated as a special initiating event and is discussed in Chapter 4 in more detail. It was found not to contribute significantly to risk.

3. Following a T4 transient with failure to scram, the PCS was assessed to runback, resulting in an ATWS sequence with inadequate heat removal. Accident sequences resulting from this series of events were found to contribute significantly to risk (see Chapter 8).

6.9 Auxiliary Feedwater System (AFWS)

6.9.1 Description

The purpose of the Auxiliary Feedwater System (AFWS) is to supply feedwater to the steam generators for evaporation to provide for the removal of decay heat and to cool the primary system to ~300°F, at which point shutdown cooling is initiated. The AFWS is used whenever the PCS is not available.


The system consists of a pair of steam turbine-driven feed pumps (one of which is locked-out) connected in parallel with a motor-driven feed pump. Each of the three pumps has sufficient capacity to provide the required flow to the steam generators. The only source of AFWS water modeled in this study is Condensate Storage Tank (CST) #12, a seismically qualified, missile and tornado-proof tank. There are two other CSTs which could supply water to the AFWS which are non-seismic. Manual action is required to realign the AFW to take suction from these tanks. Credit for those tanks was treated in the recovery analysis.

The two turbine-driven pumps are located in the auxiliary feed pump room and discharge into a common header to individual feedlines to the two steam generators. Flow in each feedline is controlled to regulate automatically at 200 gpm per feedline. The motor-driven pump discharges through a separate pair of feedlines to the steam generators, again with flow regulated to 200 gpm per feedline. The motor-driven pump, located in the service water heat exchanger room, receives motive power from the 4kV bus 11. The turbine-driven pumps receive steam from either steam generator #11 or #12, and are capable of operating as long as the steam pressure exceeds 50 psig.

Successful operation of the AFWS is defined as the supply of a sufficient flow of feedwater to the steam generators so they will perform their function. The AFWS supplies water through four branches with flow controlled to 200 gpm in each branch. By neglecting the consideration of partial success in any branch, the total AFWS flow need only be considered for various values from 0 to 800 gpm in multiples of 200 gpm. Successful operation involves providing a flow rate of at least 400 gpm, starting within about 86 minutes after termination of PCS.

Figure 6-17 is a simplified diagram of the system and Figure 6-18 is a dependency diagram showing the support systems required for successful operation of AFWS.

6.9.2 Fault Tree Top Event

Based on the success criteria described above, the top event for the AFWS fault tree is defined as "Failure to provide at least 400 gpm to one or both steam generators." (This is equivalent to flow from at least one pump through at least two of four headers.)

6.9.3 Assumptions

A list of system-specific assumptions made during the AFWS fault tree analysis is provided below.

1. Ongoing design modifications of the CC-1 AFWS have been modeled in this study. These modifications include the addition of the motor-driven pump to the two turbine-driven pumps of AFWS and the locking-out of turbine-driven pump #12. The use of this locked-out turbine-driven pump as a recovery factor significantly reduced the frequencies of some of the dominant accident sequences. These modifications are scheduled to be made during the November 1983 outage at Unit 1 and have already been made at Unit 2.
2. Although a manual capability exists, via manual realignment, to supply water to the suction of the AFW pumps from CST #11, this capability was considered as a recovery action and was not modeled on the fault tree.

3. Although the capability exists, via operator action, to utilize AFW pump #23 from Unit 2 to provide water to steam generators #11 or #12, this capability was also considered as a recovery action and not modeled on the fault tree.

4. The capability exists, via manual action, to open a flow path to bypass any one of the throttling valves and provide water to a steam generator in case of failure of a throttling valve. This capability was also considered as a recovery action and not modeled on the fault tree.

6.9.4 Qualitative Insights

The qualitative insight presented below is gained at the system level. Quantitative evaluation showed that this insight is significant to risk (see Chapter 8).

There is a manual valve (AFW-161) in the AFWS, between the Condensate Storage Tank and the pump suction, that will disable the system if it fails to remain open. Recovery is possible by either (1) manually realigning the AFWS to the alternative CST #11 and starting the locked-out turbine pump, or (2) cross-feeding from Unit 2's AFWS.
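The AFWS top event and the AFW-161 insight can be reproduced by enumerating the minimal cut sets of a reduced model. The Python below is an added example, not the report's fault tree: the component labels are hypothetical, and the reduction to one water source, one suction valve, the two available pumps and four 200 gpm feedlines (support systems and recovery actions left out) is an assumption made here.

```python
from itertools import combinations

BRANCH_FLOW_GPM = 200      # each feedline is controlled to 200 gpm (from the text)
REQUIRED_FLOW_GPM = 400    # success criterion stated in the text

# Hypothetical labels for the basic events of this reduced model.
SUCTION = ("CST12", "AFW161")            # only modeled source and its manual valve
PUMP_LINES = {
    "TDP": ("TD_LINE_A", "TD_LINE_B"),   # available turbine-driven pump, its feedlines
    "MDP": ("MD_LINE_A", "MD_LINE_B"),   # motor-driven pump, separate pair of feedlines
}
COMPONENTS = SUCTION + tuple(PUMP_LINES) + tuple(
    line for lines in PUMP_LINES.values() for line in lines)


def delivered_flow(failed):
    """Flow in gpm reaching the steam generators given a set of failed components."""
    failed = set(failed)
    if failed & set(SUCTION):
        return 0                         # loss of suction disables every pump
    flow = 0
    for pump, lines in PUMP_LINES.items():
        if pump not in failed:
            flow += BRANCH_FLOW_GPM * sum(line not in failed for line in lines)
    return flow


def top_event(failed):
    """True when the AFWS fails to provide at least 400 gpm."""
    return delivered_flow(failed) < REQUIRED_FLOW_GPM


def minimal_cut_sets():
    """Enumerate failure combinations by increasing size, keeping only minimal ones.

    The structure is coherent (more failures never increase flow), so a
    combination that contains an already-found cut set cannot be minimal.
    """
    cuts = []
    for size in range(1, len(COMPONENTS) + 1):
        for combo in combinations(COMPONENTS, size):
            candidate = frozenset(combo)
            if any(cut <= candidate for cut in cuts):
                continue
            if top_event(candidate):
                cuts.append(candidate)
    return cuts


def rare_event_estimate(cuts, prob):
    """Rare-event approximation: sum over cut sets of the product of event probabilities."""
    total = 0.0
    for cut in cuts:
        term = 1.0
        for component in cut:
            term *= prob[component]
        total += term
    return total


if __name__ == "__main__":
    for cut in minimal_cut_sets():
        print(len(cut), sorted(cut))
```

The two single-element cut sets are the storage tank and the AFW-161 valve, which is why the text singles out that valve.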

6.10 Power Operated Relief Valves (PORVs)

6.10.1 Description

CC-1 is equipped with two PORVs located on the pressurizer. The PORVs are a type of electromatic relief valve. These valves are pilot-actuated, reverse-seated relief valves that use primary system pressure as the motive force to open and close the valve. When the pressure in the primary system exceeds that of the valve setpoint, the pilot valve's solenoid is energized. Each solenoid is powered from a 480 VAC bus: ERV 402 from MCC-114R and ERV404 from MCC-104P. Both PORVs require DC bus 21 (load group B) to actuate a relay to allow AC power to energize the solenoids. The energizing of the solenoid causes its plunger to actuate an operating lever which in turn opens the pilot valve. The opening of the pilot valve vents the main valve's pressure chamber, resulting in a pressure differential across the main valve disc, thereby causing the valve to open and permit the discharge of the primary fluid at full rated flow. Conversely, when the pressure in the primary system drops below the valve's setpoint, the solenoid is deenergized. When the solenoid is deenergized, the pilot valve closes and steam is trapped in the chamber above the main valve disc. The trapped steam builds up pressure and forces the main valve's disc down on its seat, thereby closing the PORV. During power operation, the PORVs are actuated whenever the RPS's high primary pressure trip is actuated by two or more of the four channel logic system. The PORVs are actuated by the same bistable trip units which actuate reactor trip on high RCS pressure. Figure 6-19 is a dependency diagram showing the support systems required for successful operation of the PORVs.

There are normally open motor-operated valves upstream of the PORVs. These block valves can isolate the PORVs if seat leakage becomes excessive or the valve fails to reclose. They are powered from the opposite 480 VAC bus as their respective PORV.

The setpoint pressure for the PORVs is 2385 psig and the relieving capacity is 153,000 lb/hour.

For small-small LOCAs and transients where the PCS and AFWS have failed, the "Feed and Bleed" method of core cooling can be initiated: the PORVs are blocked open by removing a bistable. However, this is a complicated operator action and is not in the procedures. Also, there is insufficient analysis to determine whether the PORVs are capable of relieving sufficient pressure to allow the high pressure injection system to function, due to the low shutoff head of the HPSI pumps, and, at this time, engineering judgement has concluded that this is not a viable mode of operation. For these reasons, "Feed and Bleed" has not been modeled in this study.

Instead of constructing a fault tree for failure of the PORVs to open on demand and to reclose when required, operating experience was used to quantify these events. A Boolean equation was written for the PORVs failing to open and included their AC and DC support system dependencies. A probability of 1E-5 per demand per valve was used for the hardware failure of a PORV to open. The failure probability for a PORV to reclose was found to be 2E-2 per demand per valve. If the PORVs do not reclose, there is a 1E-2 probability from the recovery model that the operator fails to observe the failure to reclose. If he does observe the failure he can close the block valves if power is available. The probability of a block valve failing to close is 1E-3. A more detailed discussion of the PORV Boolean equation and its quantification can be found in Appendix C.

6.11 Chemical and Volume Control System (CVCS)

6.11.1 Description

The Chemical and Volume Control System (CVCS) provides several major functions during startup, normal operation, emergency operation, and shutdown of the reactor. The RCS boron concentration is normally controlled by the makeup portion of the CVCS. However, there are occasions when it is necessary to borate at a rate that exceeds the normal, maximum capability of the makeup system. In these situations, the CVCS is initiated either by a SIAS or manually to rapidly inject concentrated boric acid into the RCS. Of concern here are the situations where the CVCS can be initiated only manually (i.e., following ATWS).

Two boric acid storage tanks and two boric acid pumps are provided to supply boric acid to the RCS cold legs 11A and 12B during the emergency injection phase of the CVCS operation. A batching tank is provided for convenience in preparing boric acid for makeup to the storage tanks. The two boric acid pumps are started either manually or on a SIAS. For emergency boration a boric acid direct feed valve MOV-514 is provided. This is a motor-operated valve which comes off the common boric acid pump discharge and supplies concentrated boric acid directly to the charging pump suction header. This valve may be opened by either a SIAS or a handswitch on the control panel.

Figure 6-20 is a simplified diagram of the CVCS and Figure 6-21 is a dependency diagram showing the support systems required for system operation. (Dependency on SIAS is not considered here.)

The CVCS fault tree was constructed using a success criterion of 1 out of 2 boric acid pumps providing concentrated boric acid to 2 out of 3 charging pumps for injection into the RCS.

6.11.2 Fault Tree Top Event

Based on the success criteria discussed before, the CVCS fault tree top event was defined as "CVCS fails to provide 2 out of 3 charging pump flow to the reactor core."

6.11.3 Assumptions

A list of major assumptions made during the CVCS fault tree analysis is provided below.

1. No credit was given for automatic actuation of the systems since it is believed that there will not be a SIAS signal generated in the transient event tree sequence where there is a requirement for the CVCS.

2. Credit was not given for use of gravity feed lines, since the action required to open the MOVs on these lines is not mentioned in the emergency boration procedure EOP-13.
3. No credit was given for using the RWT as another source of boron. According to EOP-13, the RWT is used only in cases where the operator notices a low level in the boric acid storage tanks. Since failure of the boric acid tanks is a low probability event, this does not significantly affect system reliability.

4. Two out of three charging pumps were assumed to provide sufficient flow based on the information obtained from the technical specifications and EOP-13.
5. The makeup stop motor-operated valve 512 has not been modeled in the fault tree. This valve should be closed by the operator during emergency boration, but failure to close the valve would not lead to system failure, and at most (if makeup pumps are running and MOV-501 is open) could dilute the boric acid flow.
6. It is assumed that one charging pump is running at all times. Hence, faults of components in the segments associated with the operating pump have been ignored in the fault tree analysis, since these segments are assumed to be operational at the time of the accident.

6.11.4 Qualitative Insight

No unusual system dependencies or characteristics were identified for this system.

6.12 Code Safety Valves (SRVs)

CC-1 is equipped with two Code safety valves on the pressurizer. These valves are entirely mechanical devices. Their set points are 2500 and 2565 psia. At least one valve must be operable when the plant is at power. Testing or maintenance can only be accomplished when the plant is at a cold shutdown.

A fault tree model was not constructed for these valves. Generic operating experience for code safety valves was used for quantification of failure probabilities. A probability of 2E-5 per demand was applied to the event "failure of one of two code safety valves to open" and 2.4E-3 per demand for "failure of both valves to reclose." See Appendix C for more discussion of the quantification of these valves.

6.13 Emergency Electrical Power System

6.13.1 Description

The Emergency Electrical Power System consists of both the emergency AC system and the 125 VDC system. The emergency AC system is designed to provide electrical power to components in vital systems which are needed to mitigate the consequences of LOCAs and transients. The DC system provides continuous power for control, instrumentation, reactor protection, and engineered safety features actuation systems.

The emergency AC system is composed of two trains (A-train and B-train), each consisting of a diesel generator, 4160 V switchgear, 480 V load centers and motor control centers, two 120 V instrumentation panels, and associated transformer and circuit breakers. The DC system is composed of four separate trains (two A-trains and two B-trains), each comprising a 125 VDC battery, bus, battery charger, and control panels.

Figure 6-22 shows a simplified diagram of the emergency AC and DC systems.

Most of the emergency AC and DC systems are in continuous operation and, as such, are not initiated in response to an abnormal situation. The exception to this is the operation of the diesel generators, which are in the standby mode awaiting a start signal. Automatic actuation of the diesel generators can result from SIAS initiation or undervoltage on the 4160 V buses or manually.

The emergency AC and DC system (mainly the diesel generators) depends upon a number of interfacing systems to successfully fulfill their design function. These systems provide support functions to the diesel generators, such as cooling, ventilation, and actuation. The systems which provide these functions are the Room Cooling and Ventilation System, Service Water System, and Engineered Safety Features Actuation System.

Figure 6-23 shows the support systems required for operation of the emergency AC and DC system.

6.13.2 Fault Tree Top Events

There are six top events for the Emergency Electrical Power System fault tree. These top events define the loss of power events on four 120 VAC buses and two 480 VAC motor control centers. These events were developed to include the faults in the emergency AC and DC systems up to the 4160 V buses and the diesel generators. A list of the six top events for the Emergency Electrical Power System fault tree is provided below:

1. "Loss of power at 120V Bus ELC0011A"
2. "Loss of power at 120V Bus ELC0012B"
3. "Loss of power at 120V Bus ELC0013B"
4. "Loss of power at 120V Bus ELC0014A"
5. "Loss of power at 480V Bus ELC104RB"
6. "Loss of Power at 480V Bus ELC114RA"

6.13.3 Assumptions

The major assumptions which were made during the fault tree analysis of the emergency AC and DC system are listed below:

1. While the AC and DC buses can be manually cross-tied, no credit was given for this in the fault tree since the cross-ties are normally locked open and require operator action to align.
2. Room cooling and ventilation is assumed to be needed only by the diesel generators, and not by the switchgears, load centers, motor control centers, and the batteries. Since the loads following an accident will be lower, adequate ventilation can be obtained by opening doors and the time required to heatup is significantly longer.
3. The diesel generator dependency on control power was developed to include only the battery faults, thus avoiding circular logic problems in the fault tree.
4. The diesel generators are actuated by both the SIAS and the undervoltage signal but are loaded only on an undervoltage signal. Diesel generator #12 is a swing diesel and was assumed to require operator alignment to the unit requiring power on a simultaneous undervoltage to both units.
5. Maintenance contribution has not been considered for the buses, batteries, battery chargers, and inverters since a review of plant logs showed it to be negligible.
6. Manual recovery actions are not allowed in the DC system analysis.

6.13.4 Qualitative Insights

The qualitative insights presented below were gained at the system level. Quantitative evaluation showed that they were significant to risk (see Chapter 8).

1. The failure of either of two 125 VDC buses was found to result in a reactor trip and to simultaneously degrade safety systems. These events were treated as a special initiating event and are discussed in Chapter 4.

2. Diesel generator #12 was found either to line up randomly or not to line up at all on a simultaneous loss of offsite power to both units. Subsequent failure of the operator to align the diesel to Unit 1 was a significant contributor to a number of dominant sequences.

6.14 Engineered Safety Features Actuation System (ESFAS)

6.14.1 Description

The Engineered Safety Features Actuation System (ESFAS) continuously monitors critical plant parameters, processes the received information and automatically actuates equipment required to control and mitigate the consequences of incidents which could lead to radiation exposure to plant personnel and to the general public.

The ESFAS comprises four independent monitoring channels (sensor subsystems ZD, ZE, ZF, ZG) and two independent actuation systems (actuation channels ZA, ZB) which provide actuation functions of the required equipment to satisfy the following requirements during mitigation of an incident. These are:

1. Secondary Heat Removal - AFAS

The Auxiliary Feedwater Actuation System:

a. Starts the AFW pumps.
b. Blocks AFW flow to a ruptured steam generator.

AFAS is initiated by low steam generator level. AFAS blocking to a steam generator is initiated by a differential pressure between steam generators coincident with identification of steam generator low level.

2. Core Cooling - SIAS

The major effects of the Safety Injection Actuation System actuation are to:

a. Start HPSI/R pumps.
b. Start LPSI/R pumps.
c. Initiate operation of all valves which require repositioning to allow injection of water from the RWT into the reactor core.
d. Initiate RCS boration.
e. Isolate letdown flow.
f. Actuate all support system equipment required to provide energy removal from the primary system (containment) to the ultimate heat sink (Chesapeake Bay). These systems are CCWS, SRWS, and SWS.
g. Initiate starting of the emergency diesel generators.
h. Initiate sequential loading of the emergency diesel generators following a coincidental LOSP.
i. Open containment spray mode isolation valves.

SIAS actuation occurs upon detection of low pressurizer pressure or high containment pressure.

3. Containment Depressurization - CSAS

The major effects of the Containment Spray Actuation System are to:

a. Start the containment spray pumps.
b. Shift containment coolers to low speed and increase SRW cooling flow through the containment coolers.

CSAS is initiated by detection of high containment pressure.

4. Long Term Containment Energy Removal - RAS

The major effects of the Recirculation Actuation System are to:

a. Align HPSI/R pump and containment spray pump suction headers to draw water from the containment emergency sump instead of the RWT.
b. Turn off the LPSI/R pumps.

RAS is initiated by low level in the RWT.

5. Loss of AC Power - Undervoltage (UV) Detection

The major effects of UV detection are to:

a. Isolate the 4KV buses from their normal AC feed sources.
b. Shed the loads from the 4KV buses.
c. Start the diesel generators and close the 4KV bus feed breakers from the emergency diesel generators.
d. Provide the signal which initiates the sequential loading of the 4KV bus following its connection to the diesel.

UV detection is initiated by undervoltage detected on the 4KV bus.

6. Loading of Emergency Diesel Generators - Shutdown Sequencer (SDS) and LOCA Sequencer (LOCAS)

The major effects of SDS are to:

a. Block and then sequence the critical loads in programmable time increments to the diesel generator when there is a LOSP. These loads involve the systems which maintain the energy removal path from containment to the ultimate heat sink, the instrument air compressors and the switchgear room HVAC units.

The major effects of LOCAS are to:

a. Block and then sequence the critical loads to the diesel generator in programmable time increments during a LOSP coincident with a LOCA. The critical loads in this case include the components which maintain the energy removal path from containment to the ultimate heat sink and the components required to provide core cooling, containment heat removal, containment depressurization, secondary heat removal (AFW) and primary system boration.

SDS is initiated by undervoltage at the 4KV bus (UV).

The LOCA sequencer is initiated by undervoltage at the 4KV bus coincident with receipt of an SIAS (UV, SIAS).

Equipment

The ESFAS consists of two sections:

1. Sensor Subsystem
2. Actuation Subsystem

Each initiating function is monitored by four isolated, redundant sensors for each actuation system. Upon receipt of a signal which is outside the prescribed limits for that function, a bistable provides a digital input to the actuation logic (exception: RWT level actuation is from a level switch which provides a digital input directly).

The actuation logic system processes the digital inputs from the sensor subsystem and provides an actuation signal when two out of four sensor loops (ZD,ZE,ZF,ZG) have changed state.

The actuation signal actuates two independent actuation channels (ZA and ZB), which in turn actuate multiple actuation relays which control the individual components.

Figure 6-24 is a simplified schematic of the ESFAS. Figure 6-25 shows the support systems required for operation of the ESFAS.
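The two-out-of-four coincidence and the initiating conditions listed in this section can be exercised with a small model. The Python below is an added example, not plant or report logic: the parameter names and the two sensor fault modes are made up here, setpoints and any interlocks between the two sequencers are not modeled, and high containment pressure is treated as a single input because the text gives no setpoints.

```python
SENSOR_CHANNELS = ("ZD", "ZE", "ZF", "ZG")   # sensor subsystems named in the text

# Monitored conditions named in the text; the identifiers are hypothetical.
PARAMETERS = (
    "sg_level_low", "sg_diff_pressure", "pzr_pressure_low",
    "ctmt_pressure_high", "rwt_level_low", "bus_4kv_undervoltage",
)


def vote(bistables, faults=None):
    """Two-out-of-four coincidence on one parameter.

    bistables: dict channel -> True when that sensor sees the value outside limits.
    faults:    dict channel -> "stuck_untripped" or "stuck_tripped" (assumed modes).
    """
    faults = faults or {}
    tripped = 0
    for channel in SENSOR_CHANNELS:
        state = bool(bistables.get(channel, False))
        if faults.get(channel) == "stuck_untripped":
            state = False
        elif faults.get(channel) == "stuck_tripped":
            state = True
        tripped += state
    return tripped >= 2


def esfas_signals(plant, faults=None):
    """Actuation signals for a plant state.

    plant:  dict parameter -> dict channel -> bool
    faults: dict parameter -> dict channel -> fault mode
    The voted output would drive both actuation channels (ZA and ZB);
    their downstream relays are not modeled.
    """
    faults = faults or {}
    voted = {p: vote(plant.get(p, {}), faults.get(p)) for p in PARAMETERS}
    sias = voted["pzr_pressure_low"] or voted["ctmt_pressure_high"]
    uv = voted["bus_4kv_undervoltage"]
    return {
        "AFAS": voted["sg_level_low"],
        "AFAS_BLOCK": voted["sg_diff_pressure"] and voted["sg_level_low"],
        "SIAS": sias,
        "CSAS": voted["ctmt_pressure_high"],
        "RAS": voted["rwt_level_low"],
        "UV": uv,
        "SDS": uv,                 # initiated by UV, as stated in the text
        "LOCAS": uv and sias,      # UV coincident with SIAS
    }


def all_channels(value=True):
    """Constructed input: every sensor channel reports the same state."""
    return {channel: value for channel in SENSOR_CHANNELS}


def active(signals):
    """Sorted names of the signals that are present."""
    return sorted(name for name, present in signals.items() if present)


if __name__ == "__main__":
    losp = {"bus_4kv_undervoltage": all_channels()}
    losp_loca = dict(losp, pzr_pressure_low=all_channels())
    print("LOSP:", active(esfas_signals(losp)))
    print("LOSP + LOCA:", active(esfas_signals(losp_loca)))
    # Two sensors stuck untripped still leave two good channels to vote.
    two_dead = {"pzr_pressure_low": {"ZD": "stuck_untripped", "ZE": "stuck_untripped"}}
    print("two dead sensors:", active(esfas_signals(losp_loca, two_dead)))
```

In this model a single sensor stuck in the tripped state actuates nothing, and a function is lost only when three of its four sensors fail untripped.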

6.14.2 Fault Tree Top Events

About 100 components modeled in the CC-1 IREP study require ESFAS action. Therefore, the ESFAS fault tree has about 100 top events which are referenced by the "component actuation system fault module" contained in the front line and support system fault trees. The top events are "ESFAS fails to actuate component."

6.14.3 Assumptions

A list of the major assumptions which were made during the construction of the ESFAS fault tree is provided below:

1. Wire faults (open or shorts) were neglected unless they could disable multiple trains of redundant equipment since their failure rate was small compared to those of other components in a train.
2. Spurious blocking signals to the sequencer are neglected. These signals would also start the diesel generators and result in the diesel generator breakers closing. The fault developed is that the sequencer does not receive the subsequent signal to remove the block.
3. Failure of the A2 and/or B2 subchannels of the UV load shed Signal Group to load shed plant components is assumed to fail the diesel by overloading it when the diesel generator breaker closes.
4. When voltage is restored to the 4KV Bus, the undervoltage signal must clear to allow a component to start either manually or via an ESFAS signal. This fault is considered negligible since it requires at least 2 simultaneous relay failures to fail one train of ESF equipment and four simultaneous failures to fail the system.

6.14.4 Qualitative Insights

No unusual system dependencies or characteristics were identified for this system.

6.15 Service Water System (SRWS)

6.15.1 Description

The Service Water System (SRWS) is designed to remove heat from various plant components and to transfer this heat to the SWS for ultimate disposal in Chesapeake Bay.

The SRWS consists of two subsystems, each of which contains an electric motor-driven pump and a shell and tube heat exchanger. A third motor-driven pump can be used to supply either of the two subsystems in the event that the normal pump is lost.

Two 2350-gallon head tanks located in the auxiliary building furnish the required net positive suction head for the SRWS pumps.

Figure 6-26 shows a simplified flow diagram for the CC-1 SRWS. Although the SRWS supplies cooling water to a number of plant systems and components, only the containment air coolers and the emergency AC power diesel generators were considered in this study.

During normal power operation, two service water (SRW) pumps (#11 and #12) will be running, with the third pump (#13) in standby. This third pump (#13) can be lined up to take suction from and discharge to either subsystem 11 or 12, using either head tank. Normally, pump #13 is lined up mechanically to subsystem 12. Electrically, pump #13 is normally aligned to receive power from 4160 VAC bus #11, which also supplies power to pump #11. Pump #12 receives power from 4160 VAC bus #14. This configuration ensures that the diesel generator supplying emergency AC power will have a source of cooling water available.

Pump #13 can be manually aligned, using key-operated disconnect links, to receive power from either 4160 V bus #11 or #14. In addition, the two subsystems may be cross-connected manually and one heat exchanger used to remove the full heat load within the time restraint specified in the plant Technical Specifications. Although two SRW pumps supply the required cooling during normal operation, only one pump is required to handle the SRWS cooling load following a LOCA. An SIAS or an SDS signal will automatically start pumps #11 and #12 if their control switches are in the "normal" position and their respective supply buses are energized. Pump #13 will start on an SIAS or an SDS signal only if the other SRW pump (either #11 or #12), aligned electrically to the same bus as pump #13, does not start within one second after the start signal is applied to its control circuit.

The SRWS depends upon a number of other support systems for successful performance of its design function. These systems are identified in the dependency diagram shown in Figure 6-27.

In this study, out of the various systems which receive cooling water from the SRWS, only the CARCS and the emergency AC power system (more specifically, the diesel generators) were analyzed. (Diesel generator 12 can be supplied with cooling water from the SRWS of either unit CC-1 or CC-2; however, credit was not given for this on the DG #12 fault tree. It was treated as a recovery operation.) For this reason, fault trees were drawn only for the failure of the SRW supply for these two systems.

6.15.2 Fault Tree Top Event

The top event for each of the fault trees was defined as follows: Loss of Service Water Cooling for Component (either containment cooler or diesel generator). Failure of the SRWS to fulfill its design function was defined as failure to provide sufficient heat removal using either of the two SRWS trains.

6.15.3 Assumptions

The major assumptions which were made during the fault tree analysis of the SRWS are listed as follows:

1. Component outages due to maintenance were considered for maintenance of active components and the heat exchangers only.

2. Although the two independent SRWS subsystems are connected by a number of crossties, these crossties were not considered in this analysis because each contains at least one normally closed, manual valve.
3. Although the capability exists, via manual realignment, to supply the SRWS at Unit 1 with SRWS from Unit 2, this capability was not considered.
4. SRW pump #13 was assumed to be aligned electrically with 4160 VAC bus 11 and mechanically with SRW Subsystem #12. Because pump #13 is not an automatic backup to either subsystem individually, it was not modeled on the fault tree but was treated as a recovery action.
5. As discussed in Appendix B regarding the containment air coolers, only one containment air cooler is necessary to successfully fulfill the system function following a LOCA or a transient. Consequently, failure of the SRW supply isolation valves to isolate the turbine area components and/or the spent fuel pool coolers was not considered as an SRWS failure.
6. Secondary piping which was less than 1/2 the diameter of the main SRWS piping was not considered as a possible diversion source in this analysis since all lines require failure of two normally closed manual valves.

7. Gross failure of the unpressurized SRW head tanks was not considered because of its relative improbability when compared to other SRWS failures.

8. Those branches of the SRWS which provide service water cooling to components other than the containment air coolers and the emergency diesel generators were not considered in this analysis.
9. All four of the coolers of the containment fans were assumed to be operating at the time the transient initiator occurs.

6.15.4 Qualitative Insights

The failure of the inlet and outlet valves on SRW heat exchanger #12 was found to result in a reactor trip and to simultaneously degrade safety systems. These events were treated as a special initiating event and are discussed in Chapter 4.

6.16 Component Cooling Water System (CCWS)

6.16.1 Description

The Component Cooling Water System (CCWS) is designed to remove heat from various plant components in order to maintain their required operating temperature. The heat absorbed during this cooling process is transmitted to the Salt Water System (SWS) for ultimate disposal in Chesapeake Bay.

The CCWS is a closed system with cross-connected trains. It consists of three motor-driven pumps, two component cooling heat exchangers, a head tank, a chemical additive tank and associated valves, piping, instrumentation, control, and auxiliary systems. Of the several components depending on CCWS for their cooling requirements, only the following items are considered for this study:

1. LPSI/R Pump Seal Coolers and Bearing Jacket
2. HPSI/R Pump Seal Coolers and Bearing Jacket
3. Shutdown Cooling Heat Exchangers

Figure 6-28 shows a simplified diagram of the CCWS.

During normal operation, two of the three component cooling pumps (#11 and #12) are running and one component cooling heat exchanger (#11) is in service. However, one pump and one heat exchanger are sufficient for providing the component cooling requirements during normal operation. The third component cooling pump (#13) remains in standby, and can be lined up to replace any of the in-service pumps when necessary. In this study, it was considered that pump #13 is lined up to operate as a backup for pump #11.

Upon initiation of an SIAS signal, two component cooling pumps will receive a start signal and the outlet valves on the shutdown cooling heat exchangers will open automatically.

If a loss of power to the ESF buses should occur, the component cooling pumps will be load shed, and can be restarted manually after the diesel generator picks up the bus. If an SIAS signal is present, the component cooling pumps will automatically be sequenced back on the diesel generators.

The CCWS interfaces with the SWS via the component cooling heat exchangers. The CCWS operation depends on other support systems in the plant, including AC power, DC power, and the ESFAS. Figure 6-29 shows the dependency diagram for the CCWS.

6.16.2 Fault Tree Top Events

There are five top events representing the loss of component cooling to the following components:

1. The three HPSI/R pumps in the recirculation phase.
2. The two shutdown cooling heat exchangers (CSS/SDHX heat exchangers).

Success of the CCWS is defined as one component cooling pump and one component cooling heat exchanger circulating water and removing heat from the above components of the front line systems.

6.16.3 Assumptions

Major assumptions which were made during the fault tree analysis of the CCWS are listed as follows:

1. Two component cooling pumps and one component cooling heat exchanger are in service; however, successful operation required only one pump and one heat exchanger.
2. Only the shutdown cooling heat exchangers (SDHX) and HPSR pump coolers were considered as items cooled by CCWS since the LPSI/R pumps require cooling only in the recirculation mode which was not modeled but instead treated as a recovery action.
3. Maintenance on manual valves was neglected since a review of plant logs showed that it was negligible.

6.16.4 Qualitative Insights

The qualitative insight presented below is gained at the system level. Quantitative evaluation showed that this insight is insignificant to risk (see Chapter 8).

Failure of a single, normally open, manual valve (CCW-258) in the pump seal cooling portion of the component cooling water system will fail the following:

a. Low pressure system injection pumps in the recirculation mode.
b. High pressure system injection pumps in the recirculation mode.

This particular valve is a horizontally-mounted gate valve with low pressures placed on it by demineralized water flow. Because of the mounting arrangement, a stem break might not plug the valve and the assessed failure probability is judged to be conservative.

6.17 Salt Water System (SWS)

6.17.1 Description

The SWS provides cooling water from the ultimate heat sink (Chesapeake Bay) to the CCWS and SRWS heat exchangers, to the ECCS pump room coolers, and several other plant systems.

The SWS consists of two subsystems, each of which supplies one heat exchanger or air cooler of the above systems. Normally, Subsystem 11 is fed by Pump 11 which is aligned electrically to 4 KV Bus 11 (Load Group A). Subsystem 12 is fed by Pump 12 which is powered by 4 KV Bus 14 (Load Group B), or by the standby Pump 13. Pump 13 can be mechanically aligned to either subsystem (normally to Subsystem 12) and electrically aligned to either Load Group (normally to Load Group A). Figure 6-30 is a simplified diagram of the SWS and Figure 6-31 shows the support systems required for successful operation of the SWS.

Normally, both subsystems are operating. For the LOCA case, the SWS has two modes of operation. During the injection phase, throttling valves to the component cooling heat exchangers are shut by a SIAS signal, since this system has no significant heat loads in this mode. SIAS also signals the service water heat exchanger valves to go fully open. Since SRW cools the CARCS, this permits maximum heat transfer from the containment to the ultimate heat sink.

At the start of the recirculation phase, the RAS causes the CCWS heat exchanger valves to resume their normal throttling mode of operation. The SRW heat loads have been reduced at this point and now component cooling is required to cool the hot containment sump water being recirculated through the shutdown cooling heat exchangers. During both phases, SWS flow is provided to the ECCS pump room coolers.

The post-LOCA plant cooldown can be accomplished by one SWS subsystem.

6.17.2 Fault Tree Top Events

The SWS provides cooling to six separate heat exchangers required to mitigate the LOCA. The fault tree has the following top events:

1. Failure to provide SWS cooling water to ECCS pump room cooler 11.
2. Failure to provide SWS cooling water to ECCS pump room cooler 12.
3. Failure to provide SWS cooling water to SRW HX 11.
4. Failure to provide SWS cooling water to SRW HX 12.
5. Failure to provide cooling water to component cooling HX 11 during the recirculation phase.
6. Failure to provide cooling water to component cooling HX 12 during the recirculation phase.

6.17.3 Assumptions

A list of major assumptions is provided below:

1. SWS pump 13 is electrically aligned to 4KV bus 11 (same as pump 11 in loop 11) and is mechanically aligned to loop 12 (pump 12); therefore, it will start automatically on loss of pump 11 but it will discharge to loop 12. Since pump 13 is not an automatic backup to either subsystem individually, it was not modeled on the fault tree but instead was treated as a possible recovery action.
2. Valves which are throttled during normal operations (e.g., CV5210 and CV5212), and which are required to go full-open upon SIAS, are treated as normally closed, fails closed, valves.
3. The SWS pumps have no external lubrication system, nor do they have any external cooling (either lube oil coolers or room coolers). Therefore, those faults have been grouped with the local pump faults.
4. Both loops of the SWS are used during normal operation and any failure would be noticed within a short time (i.e., a few minutes). Therefore, restoration faults after maintenance on SWS components have been neglected.
5. During injection, failure of the CCW heat exchanger to isolate is assumed to fail the cooling of the SRW heat exchanger.
6. During the recirculation phase, failure of the SRW heat exchanger outlet valves CV5210 and CV5212 to throttle is considered to cause the failure of cooling CCW heat exchangers 11 and 12, respectively.

6.17.4 Qualitative Insights

Some qualitative insights gained at the system level are presented below. Quantitative evaluation shows that these insights are insignificant to risk (see Appendix C).

1. A single normally open manual valve (SWS-197) failure in the SWS (at the discharge of the two SRWS heat exchangers) leads to failure of the SRWS and consequent failure of:
a. both diesel generators (during loss of offsite power);
b. containment fan coolers.
2. A single normally open manual valve (SWS-196) failure in the SWS (at the discharge of the two CCWS heat exchangers) leads to failure of the CCWS and ECCS pump room coolers 11 and 12, and consequent failure of:
a. Containment Spray Recirculation System
b. High Pressure Recirculation System
c. Low Pressure Recirculation System

6.18 Heating and Ventilation

6.18.1 Description (Diesel Generator Room Ventilation System)

The Diesel Generator Room Ventilation System is required to limit the diesel generator room to a temperature of less than 120°F, at which point the reliability of the diesel is considered suspect. Annunciation of a high temperature condition is provided in the control room when diesel generator room temperature rises to 110°F.

The cooling system consists of a vane axial fan drawing air from either inside or outside of the room, or a combination of both, to regulate the temperature in the room. The room is maintained at a positive pressure and excess air is forced from the room through an exhaust damper which opens when the fan starts. A functional diagram of the system is shown in Figure 6-32. Figure 6-33 is a dependency diagram showing the support systems required for successful operation of the system.

The inlet and exhaust dampers fail open on loss of instrument air or loss of electric power. The inlet and recirculation dampers have dual pneumatic operators and are coupled together.

6.18.1.1 Fault Tree Top Event and Assumptions

The fault tree top event, the loss of adequate diesel generator room cooling, was developed using the following assumptions.

1. Only local faults leading to loss of power to the fans were included since otherwise circular logic would be introduced into the diesel generator fault tree.
2. Loss of actuation was not considered since the generation of the start signal within the diesel start logic was not modeled in the diesel generator tree (i.e., the same signal that starts the DG results in an actuation signal to the room ventilation).

6.18.2 Description (ECCS Pump Room Cooling)

Each ECCS pump room (east and west) contains a cooling system consisting of a forced air/salt water cooled heat exchanger. This cooling system is only required during periods of operation when the ECCS pumps are in operation. Air is forced across the heat exchanger by a bank of three (west room) or four (east room) fans. Recent calculations done by BG&E* for the NRC show that room cooling is only needed during the long-term heat removal or recirculation phase.

The system is designed to maintain the room temperature below 110°F. Reliability of the components in the pump room is unaffected until the temperature reaches 120°F. The limiting component is the containment spray pump air cooled shaft seal, which is designed to operate with an air temperature of 120°F. A functional diagram of the cooling system is shown in Figure 6-32. Figure 6-33 shows the support systems required to operate the system.

The controlling process parameter is room temperature, measured by TE 5404 (5405). The normal range of operation is 95°F to 104°F. With room temperature increasing at 104°F, the output of the temperature controller matches the set point of pressure switch PS 5404 (PS 5403) which then actuates and:

1. Turns on the fans.
2. Opens the saltwater inlet valves by deenergizing SV 5170 (5173) and saltwater valve SV 5171 (5174).

With room temperature decreasing at 95°F, the output of the temperature controller TC 5404 (5405) allows reset of PS 5404 (5403) which reenergizes SV 5170 (5173) to close the saltwater inlet valve and also turns off the fans.

The automatic system can be overridden by the hand switches to the following extent.

HS 5404 (5404A) OFF - FANS OFF
HS 5404 (5404A) ON - FANS ON
HS 5404 (5404A) AUTO - FANS CONTROLLED BY PS 5404 (5403)
#11 ECCS Pump Room - Inlet & Outlet Valves Open/Auto/Close (HS 5172)
#12 ECCS Pump Room - Inlet Valve Open/Auto/Close (HS 5173)

* Ref: Discussions with Niall Hunt of BG&E.

Loss of instrument air or electric power opens the saltwater valves; however, short term loss of air is precluded by the installation of accumulators on the air supply.
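The control logic described above, as an added example that is not part of the original report: a small Python model of the pressure-switch hysteresis (actuate at 104°F, reset at 95°F), the fan hand switch override and the fail-open saltwater valve. The class and function names are hypothetical; the saltwater valve hand switch is assumed to be in Auto and the fans are assumed to need electric power.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List

# Setpoints quoted in section 6.18.2 (degrees F).
PS_ACTUATE_F = 104.0         # pressure switch actuates with temperature rising
PS_RESET_F = 95.0            # pressure switch resets with temperature falling
DESIGN_LIMIT_F = 110.0       # system is designed to hold the room below this
RELIABILITY_LIMIT_F = 120.0  # component reliability is unaffected until this

WITHIN_DESIGN = "within design limit"
ABOVE_DESIGN = "above design limit"
RELIABILITY_SUSPECT = "reliability suspect"


class HandSwitch(Enum):
    """Fan hand switch positions (HS 5404 / 5404A in the report)."""
    OFF = "OFF"
    ON = "ON"
    AUTO = "AUTO"


@dataclass(frozen=True)
class CoolerState:
    temp_f: float
    fans_on: bool
    saltwater_valve_open: bool
    cooling_available: bool   # forced air AND saltwater flow both present
    band: str


def temperature_band(temp_f: float) -> str:
    """Classify room temperature against the two limits given in the text."""
    if temp_f >= RELIABILITY_LIMIT_F:
        return RELIABILITY_SUSPECT
    if temp_f >= DESIGN_LIMIT_F:
        return ABOVE_DESIGN
    return WITHIN_DESIGN


class PumpRoomCooler:
    """One ECCS pump room cooler; hypothetical model, not plant software."""

    def __init__(self, fan_switch: HandSwitch = HandSwitch.AUTO):
        self.fan_switch = fan_switch
        self.ps_actuated = False  # pressure switch state, held between setpoints

    def step(self, temp_f: float, air_ok: bool = True,
             power_ok: bool = True) -> CoolerState:
        # Hysteresis: actuate at 104 F, reset at 95 F, otherwise hold state.
        if temp_f >= PS_ACTUATE_F:
            self.ps_actuated = True
        elif temp_f <= PS_RESET_F:
            self.ps_actuated = False

        # The hand switch overrides the automatic fan demand.
        if self.fan_switch is HandSwitch.OFF:
            fans_on = False
        elif self.fan_switch is HandSwitch.ON:
            fans_on = True
        else:
            fans_on = self.ps_actuated
        fans_on = fans_on and power_ok  # assumption: fans need electric power

        # Solenoid deenergized = valve open, so the valve opens on demand and
        # also on loss of instrument air or electric power (fails open).
        valve_open = self.ps_actuated or not air_ok or not power_ok

        # Top logic of 6.18.2.1: losing forced air OR saltwater fails cooling.
        return CoolerState(temp_f, fans_on, valve_open,
                           fans_on and valve_open, temperature_band(temp_f))


def simulate(trace_f: Iterable[float],
             fan_switch: HandSwitch = HandSwitch.AUTO,
             air_ok: bool = True, power_ok: bool = True) -> List[CoolerState]:
    """Run a fresh cooler over a constructed room-temperature trace."""
    cooler = PumpRoomCooler(fan_switch)
    return [cooler.step(t, air_ok, power_ok) for t in trace_f]


if __name__ == "__main__":
    # Constructed traces: normal cycling, then a fan switch left in OFF.
    for label, switch, trace in (
        ("AUTO", HandSwitch.AUTO, [90, 100, 104, 100, 96, 95, 100]),
        ("OFF", HandSwitch.OFF, [100, 105, 112, 121]),
    ):
        print(label)
        for s in simulate(trace, switch):
            print(f"  {s.temp_f:5.1f} F fans={s.fans_on!s:5} "
                  f"valve_open={s.saltwater_valve_open!s:5} "
                  f"cooling={s.cooling_available!s:5} {s.band}")
```

The second trace shows why the fans and the saltwater supply appear as separate branches under the top event: with the fan hand switch in OFF the valve still opens on demand, yet no cooling is delivered.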

6.18.2.1 Fault Tree Top Event and Assumptions

Top logic for each tree (Room 11 and Room 12) consisted of loss of forced air cooling or loss of saltwater to the coolers leading to system failure. The loss of saltwater portion of the fault tree interfaced with the saltwater fault tree.

The fault tree top event is defined as "Room 11 (12) cooling or ventilation system faults."

The following assumptions were made during the fault tree analysis:

1. To simplify the fault trees, the fans were considered as a single unit, as were their controls and electric feed breakers.
2. Loss of heat removal to fan coolers was considered to fail the room cooling system.

6.18.3 Qualitative Insights

A qualitative insight gained at the system level is presented below. Quantitative evaluation showed that this insight is significant to risk (see Chapter 8).

The ECCS pump room cooling is tested on the average only once a year; therefore, the fault duration time for time-dependent component failure modes is about six times that for similar components tested monthly.

Figure 6-1 Simplified Diagram of SITS

Figure 6-2 Simplified Diagram of LPSI/R

Figure 6-3 LPSI/R Support System Dependency Diagram

Figure 6-4 Simplified Diagram of CARCS

Figure 6-5 CARCS Service Water Supply

NOTES:
1. SRW-1581-1586 and SRW-1589-1594 are actuated by solenoid valves.
2. The valves in these pipe segments are normally locked closed. No credit is taken for these segments as alternate inlet/outlet paths in the fault tree.
3. Discharge end of CARCS model.
4. Coolant source of CARCS model.

Figure 6-6 CARCS Support Dependency Diagram

Figure 6-7 Simplified Diagram of CSSI/R/SDHX

Figure 6-8 CSS/SDHX Support System Dependency Diagram

Figure 6-9 Simplified Diagram of HPSI/R

Figure 6-10 HPSI/R Support System Dependency Diagram

Figure 6-12 (Sheet 1) Simplified Diagram of MFWCS

Figure 6-12 (Sheet 2) Simplified Diagram of MFWCS

Figure 6-13 Simplified Diagram of the Steam Generators

Figure 6-14 Simplified Diagram of SSRS

Figure 6-15 PCS Support System Dependency Diagram

Figure 6-16 SSR Support System Dependency Diagram

Figure 6-17 (Sheet 1) Simplified Diagram of AFWS

Figure 6-18 AFWS Support System Dependency Diagram

Figure 6-19 PORVs Support System Dependency Diagram

Figure 6-20 Simplified Diagram of CVCS

Figure 6-21 CVCS Support System Dependency Diagram


Figure 6-23 Emergency AC Support System Dependency Diagram (Sheet 1)

Figure 6-23 Emergency DC Support System Dependency Diagram (Sheet 2)

Figure 6-24 Simplified Functional Diagram of ESFAS (Sheet 1)

Figure 6-24 Simplified Functional Diagram of ESFAS (Sheet 2)

Figure 6-24 Simplified Functional Diagram of ESFAS (Sheet 3)

Figure 6-25 ESFAS Support System Dependency Diagram

Figure 6-26 Simplified Diagram of Service Water System

Figure 6-27 SRWS Support System Dependency Diagram

Figure 6-28 Simplified Diagram of CCWS

Figure 6-29 CCWS Support System Dependency Diagram

Figure 6-30 Simplified Diagram of SWS

Figure 6-31 SWS Support System Dependency Diagram

Figure 6-32 (Sheet 1) Simplified Diagram of Heating and Ventilation System (Diesel Generator #11 Room Cooling) (DG #12 similar)

1. FAN START INITIATED BY SIGNAL FROM DIESEL START LOGIC
2. HSS433-3 POSITION SWITCH-LOCAL FAN CONTROL DIESEL STOP/AUTO/START-SPRING LOADED TO AUTO; START-STARTS
3. FAN START FUNCTION-DE-ENERGISES SV5430 TO ALLOW POSITIONING FAN AIR SIGNAL TO FAN INLET DAMPERS; DE-ENERGISES SVS429 TO OPEN EXHAUST DAMPER
4. SMOKE REMOVAL SW. HS5434-OPENS EXHAUST DAMPER-SWITCH IS OUTSIDE D/G ROOM

Figure 6-32 (Sheet 2) Simplified Diagram of Heating and Ventilation System (ECCS Pump Room Air Coolers)

Figure 6-33 Heating and Ventilation System Dependency Diagram

CHAPTER 7 ACCIDENT SEQUENCE QUANTIFICATION

7.1 Introduction

The CC-1 quantification procedure was performed in two separate steps in order to simplify the procedure and reduce the total amount of work necessary to account for post-accident recovery actions. The first step was a screening quantification where sequences were quantified based on generic and plant-specific data without considering any recovery action. In the second step, the sequences which were identified in the screening quantification as "dominant sequences" (i.e., sequences with a frequency of 1E-6/yr and higher) were requantified to incorporate the effect of recovery actions if recovery considerations were applicable. The end result was the final dominant sequences with their frequencies and cut sets. The reader is referred to Appendix C for a more detailed discussion of the quantification process.

For the first step of quantification (i.e., screening quantification), a number of tasks were performed to obtain the dominant cut sets of the event tree sequences. These tasks are as follows:

1. Collection and calculation of hardware failure data, human error data, and plant-specific data.
2. Merging front-line system fault trees with support system fault trees.
3. Truncation of Boolean equations representing the merged front-line system fault trees.
4. Determination of the dominant cut sets of all the dominant sequences (i.e., cut sets with a probability greater than 1E-8).
5. Evaluation of the effect of the success events in the sequences on the cut sets of the failure events and calculation of the frequencies of the sequences.

For the second step of the quantification (i.e., final quantification), the following tasks were performed:

6. Identification of the cut sets of the sequences where the possibility of recovery exists.
7. Revision of data to include better human error and recovery action data and final calculation of the dominant sequence frequencies.

For Boolean calculations such as merging fault trees and truncating Boolean equations, the code SETS [4] was used. This code, developed by Sandia National Laboratories, is a general program for the manipulation of Boolean equations which can be applied to fault trees to find minimal cut sets.

A brief discussion of each quantification step is presented in Sections 7.2 and 7.3 and an example in Section 7.4. A more detailed description of the quantification process is presented in Appendix C.

7.2 Screening Quantification

Tasks (1) through (5) are screening quantification tasks that are described below.

1. Collection and Calculation of Hardware Failure Data, Human Error Data, and Plant-Specific Data

The hardware failure probabilities used in the calculations are based on the generic data base given in the IREP Procedures Guide [3]. This data source is shown in Table 7.1. This was supplemented by the revised WASH-1400 data base [8] shown in Table 7.2, which was the original data base supplied by the NRC for use in the IREP program.

The required human failure data were obtained by constructing THERP models and quantifying them using data suggested in the Human Reliability Handbook (NUREG/CR-1278) [5]. A THERP diagram is used to predict human error probabilities, and to evaluate the degradation of a man-machine system likely to be caused by human error alone, operational procedures and practices, or other system and human characteristics that influence human systems behavior. Discussions of plant administrative controls were held with the plant staff and a review of the plant operating, test, and maintenance procedures was conducted by the analysts. In addition, a detailed set of photographs of the plant control panels in the control room was used to identify possible conditions which may influence the Performance Shaping Factors and potential sources of error associated with the task of interest. Finally, the human error probabilities were calculated by using data obtained from the Handbook. These values are then used in the fault trees for final quantification of the sequence probabilities.

A plant-specific data base was generated by reviewing the CC-1 maintenance reports, but its use was limited to those items for which no failure rate data was provided in the IREP data base or if the plant data was significantly different from generic data. For example, no data was provided for Engineered Safety Features Actuation System (ESFAS) logic module failures, so plant-specific data was used. Also, while generic data was used for the initiating event frequencies, they were compared to the plant-specific data and no significant differences were found.

Component unavailability due to maintenance was evaluated using plant-specific maintenance procedures and data. As a matter of policy, periodic preventive maintenance is not done on most safety components at CC-1. The average maintenance frequency (in hours) was calculated by counting the number of maintenance actions recorded for each type of component and dividing by the operating hours of the plant. The average duration of maintenance acts was also estimated based on plant experience. The product of these two figures (average maintenance frequency and average maintenance duration) was used to calculate the probability of unavailability due to maintenance.

Data for the loss and restoration of normal AC power was obtained from EPRI NP-2301 "Loss of Offsite Power in Nuclear Power Plants: Data and Analysis" [16] and NUREG/CR-3226 "Station Blackout Accident Analysis" [17].

2. Merging Front-Line System Fault Trees with Support System Fault Trees

The front-line fault trees were merged (combined) with their support system fault trees, as well as support system to support system fault trees, to form a complete merged fault tree for each system on the systemic event trees. This task is automatically performed by SETS. The merged front-line system was then manually checked to assure accuracy and consistency.

A major problem encountered during the merging process was the existence of circular logic in a number of the system models. This problem can occur when two support systems need support from each other. For example, the emergency electrical power system needs the SRWS (to cool the diesel generators) and the emergency electrical power system provides power to the SRWS. It was necessary to eliminate the circular logic in order to manipulate and evaluate the Boolean equations for the system fault trees and, subsequently, the accident sequences.

This was accomplished by cutting the system level circular logic loops at logical points. The circular logic loops at CC-1 all involved AC power and were cut at the 4KV AC buses. The AC power tree support systems were merged individually with the AC power system only up to the 4KV AC buses so as to put all local AC faults of these buses into the support system fault trees. Then these support system trees were merged with the whole emergency electrical power fault tree to form a merged AC power tree with its support systems and no circular logic. This AC fault tree with all its support systems could then be merged with all other systems in the usual way.

3. Truncation of Front-Line System Merged Trees

Fault trees obtained through the merging process are often very large and contain up to five thousand events. The number of cut sets for these trees was also very large and generating them, if possible, requires a prohibitive amount of computer time. Therefore, it was necessary to eliminate all cut sets with small probabilities so as to save computer time and reduce the size of the Boolean equations. These truncated equations were later used in the event tree sequence evaluation procedures.

All of the merged front-line systems were truncated at an unavailability cutoff value of 1E-8. That is, all the cut sets with an unavailability of less than 1E-8 were eliminated from the Boolean equations. The truncation process was performed by using a bottom-up procedure. In this procedure, selected stop points (i.e., intermediate events which are solved to obtain their truncated Boolean equations) were used in the tree, and stop points near the bottom of the tree were truncated first. Those stop point truncations are used in the higher level stop point truncations. The process is repeated until, eventually, the last stop point (i.e., the top event) was reached and truncated. An average of 15 to 30 stop points were used in each tree. Stop points were often "AND" gates where probabilities were reduced due to multiplication of input probabilities. However, in certain cases "OR" gates were also used as stop points. As a result of this truncation, some error is introduced into the process. It is not possible at this present time to make a mathematical estimate of the amount neglected; however, the amount neglected is judged to be small since the dominant cut sets retained are usually several orders of magnitude larger than the cutoff.
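The bottom-up truncation described above, as an added Python example (not the SETS code and not part of the report): cut sets are built gate by gate, reduced by Boolean absorption, and truncated at the chosen stop points. The tree, its gate and event names and the probabilities are constructed for illustration, and basic events are assumed independent.

```python
from itertools import product
from math import prod

# Constructed two-train system; gate and event names are hypothetical.
TREE = {
    "TOP":     ("AND", ["TRAIN-A", "TRAIN-B"]),
    "TRAIN-A": ("OR",  ["PUMP-A-FTS", "MOV-A-FTO", "CKV-A-FTO", "SUCTION-VLV", "POWER-A"]),
    "TRAIN-B": ("OR",  ["PUMP-B-FTS", "MOV-B-FTO", "SUCTION-VLV", "POWER-B"]),
    "POWER-A": ("AND", ["LOSP", "DG-A-FTS"]),
    "POWER-B": ("AND", ["LOSP", "DG-B-FTS"]),
}

# Constructed basic-event probabilities (independent events assumed).
P = {
    "PUMP-A-FTS": 3e-3, "PUMP-B-FTS": 3e-3,
    "MOV-A-FTO": 3e-3, "MOV-B-FTO": 3e-3,
    "CKV-A-FTO": 1e-4, "SUCTION-VLV": 1e-4,
    "LOSP": 1e-3, "DG-A-FTS": 3e-2, "DG-B-FTS": 3e-2,
}

STOP_POINTS = {"POWER-A", "POWER-B", "TOP"}   # gates where truncation is applied
CUTOFF = 1e-8                                 # cutoff value used in the text


def probability(cut_set):
    """Probability of a cut set: product over its (distinct) basic events."""
    return prod(P[event] for event in cut_set)


def minimize(cut_sets):
    """Boolean absorption: drop every cut set that contains another cut set."""
    minimal = []
    for candidate in sorted(set(cut_sets), key=len):
        if not any(kept <= candidate for kept in minimal):
            minimal.append(candidate)
    return minimal


def solve(node, cutoff, solved=None):
    """Return the cut sets of `node`, solving its inputs first (bottom-up)."""
    solved = {} if solved is None else solved
    if node not in TREE:                       # basic event
        return [frozenset([node])]
    if node not in solved:
        kind, inputs = TREE[node]
        parts = [solve(i, cutoff, solved) for i in inputs]
        if kind == "OR":                       # union of the inputs' cut sets
            sets = [c for part in parts for c in part]
        else:                                  # AND: merge one cut set per input
            sets = [frozenset().union(*combo) for combo in product(*parts)]
        sets = minimize(sets)
        if node in STOP_POINTS:                # truncate only at stop points
            sets = [c for c in sets if probability(c) >= cutoff]
        solved[node] = sets
    return solved[node]


def compare(cutoff=CUTOFF):
    """Solve the tree with and without truncation and list what was dropped."""
    full = solve("TOP", 0.0)
    kept = solve("TOP", cutoff)
    dropped = [c for c in full if c not in kept]
    return full, kept, dropped


if __name__ == "__main__":
    full, kept, dropped = compare()
    for c in sorted(kept, key=probability, reverse=True):
        print(f"{probability(c):.1e}  {' * '.join(sorted(c))}")
    print(f"retained {len(kept)} of {len(full)} cut sets, "
          f"neglected {sum(probability(c) for c in dropped):.1e}")
```

On this small tree the only cut set below the 1E-8 cutoff is CKV-A-FTO * LOSP * DG-B-FTS (3E-9), against a retained total of about 1.4E-4. The LOSP * DG-A-FTS * DG-B-FTS cut set evaluates to 9E-7 rather than the product of the two POWER gate probabilities, because the shared LOSP event is counted once.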

4. Determination of Dominant Cut Sets of the Sequences

In this step, all the event tree sequences that lead to a core melt were quantified. The truncated Boolean equations representing failure of each front-line system were combined to form one equation to represent the failure of the front-line systems in the sequence. The effect and treatment of successes of front-line systems in a sequence will be discussed in the next section. Consider a core melt sequence containing failure of the HPSI and CARCS systems. In order to calculate the probability of core melt due to this sequence, the Boolean equations for these two systems must be "ANDED" together. The result was then Boolean reduced and truncated at 1E-8 and cut sets were obtained. By using this method, the Boolean equation obtained for the product becomes fairly small because the front-line systems that are multiplied together are often highly independent, producing very small probabilities when system equations are "ANDED." Some of the event tree sequences contained failures of systems that were not developed into fault trees but instead represented as a single event quantified from industry data (such as RPS, and SRVs fail to reclose). In the sequences where failure of these systems occurs, failure of each was "ANDED" to the set of events in each dominant cut set. In addition, to obtain a complete set of cut sets, the appropriate initiating event must also be incorporated into the dominant cut sets.

5. Evaluation of the Effect of Success Events on Event Tree Sequences

As was discussed in section (4), the dominant cut sets obtained in that step include only the failure contribution of the front-line systems. In order to account for the success events of the sequences, one can find the complement of the truncated equations for front-line systems and, where applicable, "AND" this with the equation obtained in section (4) for individual sequences. The difficulty with this method is that finding the complement equation in a reduced form is a nontrivial task; therefore, it was decided to account for the success event contributions by using a comparative method.

In the comparative method, the cut sets of a sequence obtained in step (4) are compared to the cut sets of those front-line systems that succeed in that sequence. If a cut set of the succeeded system was a subset of any of the sequence cut sets, then that sequence cut set was eliminated from the list of sequence cut sets. For example, if ABC was a sequence cut set, and BC was a cut set of a front-line system that had succeeded in this sequence, then ABC was removed from the list of the sequence cut sets. This procedure is implemented in the SETS code.

Incorporation of the effects of the success states into the sequences is important because it eliminates failure modes that are inconsistent with the success states. For example, assume in a sequence the High Pressure Safety Injection (HPSI) system has succeeded, but the High Pressure Safety Recirculation (HPSR) system has failed; and further assume that a dominant cut set of both HPSI and HPSR is failure of two diesel generators. For this sequence, the failure of two diesel generators is not a possible cut set, because the success of HPSI requires the functioning of at least one of the two diesel generators, and the failure of HPSR requires both diesel generators to fail. This example demonstrates the importance of considering success events in the quantification of event tree sequences. In most cases, system successes have a significant impact on the probabilities of the sequences.

7.3 Final Quantification

Tasks (6) and (7) are final quantification tasks and are described below.

6. Identification of the Cut Sets of the Sequences Where the Possibility of Recovery Action Exists

The cut sets of the sequences obtained through the screening quantification were examined to identify possible recovery actions that would significantly reduce the failure probability associated with the sequences. There were 23 different recovery actions identified. These recovery actions and their application to the individual cut sets in the sequences are discussed in more detail in Appendix C. Those which contributed to the final dominant sequences are discussed in Chapter 8 in the discussion of each individual dominant sequence.

The dominant cut sets of the sequences were also examined to identify human errors that were significantly contributing to the frequency of the sequences. The purpose of this process was to reevaluate human error failure probabilities for these effects. Two actions were identified which contributed significantly to the frequencies of some sequences. First, operator initiation of emergency boration in failure to scram sequences was originally quantified using a value of 0.5. Upon performing a THERP analysis, this value was reduced to 0.1. Second, operator initiation of the second CCW heat exchanger in the recirculation phase of Small-small LOCAs initially was quantified using a value of 0.05, but consideration of the long time available before the operator must perform this action and the indications available to the operator reduced this value to 0.01.

7. Revision of Data to Include Recovery Action and Final Calculation of the Dominant Sequence Frequencies

In this task, the effects of recovery actions and probability of non-recovery on the sequence frequencies were accounted for by "ANDING" a non-recovery action to each of the cut sets of each sequence and recalculating the sequence frequencies. This non-recovery factor was dependent on the type of action required for recovery and the critical recovery time, the maximum time the system could be failed before recovery. The results obtained through this process are the final results as presented in Chapter 8. The explicit recovery model used and how the values for the individual recovery actions were chosen are described in Appendix C.

7.4 Sample Calculation

The sequence quantification process used in this CC-1 analysis will be illustrated using sequence $S_2$-59. This sequence is initiated by a small-small LOCA ($S_2$) and is depicted on the Small-small LOCA systemic event tree in Chapter 5. Sequence $S_2$-59 involves, in addition to event $S_2$, failure of the High Pressure Safety Injection (HPSI) System (event $D''$). This sequence also includes the successful operation of these systems: the Reactor Protection System (RPS) (event $\bar{K}$); the Auxiliary Feedwater System (AFW) (event $\bar{L}$); the Containment Air Recirculation and Cooling System (CARCS) (event $\bar{U}$); the Containment Spray System, Injection (CSSI) (event $\bar{C}'$); and the Containment Spray System, Recirculation (CSSR) (event $\bar{F}$). The Boolean representation of the sequence $S_2D''$ is $S_2\bar{K}\bar{L}D''\bar{U}\bar{C}'\bar{F}$.

Of the six systems, only the reactor protection system (event K) can be considered independent. The availability of this system and the initiating event frequency are:

$F(S_2)$ = 2.1E-2/yr
$P(K)$ = 3E-5
$P(\bar{K})$ = 1 - 3E-5 ≈ 1

The remaining systems in this sequence are dependent due to shared components, subsystems or support systems and must be analyzed together. The first step in analyzing the $\bar{L}D''\bar{U}\bar{C}'\bar{F}$ part of the sequence was to use SETS to evaluate the probability for the event $D''$. In this part of the analysis, the following sequence dependent events were set to the values they should have for this sequence: (1) the event accounting for a LOCA initiator was set to "1"; (2) the event accounting for a Large LOCA initiator was set to "0"; (3) the event accounting for a loss of offsite power (LOSP) was set to "1E-3," its value when LOSP is considered an independent event, not an initiator; (4) the event accounting for the LOCA occurring in one of the injection lines was set to "1"; (5) the events accounting for the requirement of SIAS actuation were set to "1"; (6) the events accounting for no LOSP were set to ".999"; (7) the special initiating events DC bus 11 and SRW valve 120 were set to their independent failure values; and (8) the operator failures to actuate SIAS or CSAS were set to their Small-small LOCA values. With a minimum cut set truncation value of 1E-8, the event $D''$ had an estimated probability of 2.7E-4.

The Boolean expression for $D''$ was then compared to the Boolean expressions for the succeeded events $\bar{L}$, $\bar{U}$, $\bar{C}'$ and $\bar{F}$ to determine logically inconsistent cut sets between the success and failure states. As a result, approximately half of the cut sets in the failure equation were eliminated and the new estimated probability for $\bar{L}D''\bar{U}\bar{C}'\bar{F}$ was 1.3E-4. Since $\bar{K}$ is independent of all other events and has a probability of ~1, then multiplying by $\bar{K}$ and the initiator frequency yields a screening value of 2.75E-6/yr for the sequence $S_2$-59.

For the final quantification, the dominant cut sets for the sequence were examined to determine the effects of possible recovery actions. Human errors that had a significant effect on the sequence probability were also reevaluated. However, there were no human errors contributing to the dominant cut sets of this sequence.

Two recovery actions were judged possible for this sequence: (1) manual actuation of HPSI from the control room given that auto-actuation had failed, and (2) realigning the electric power supply of the swing HPSI pump #13 from the control room given that a loss of offsite power, failure of DG#12 and failure of HPSI pump #11 had occurred. For both of these events, a probability of .01 was assessed for non-recovery given that more than one hour is available to the operator to start primary makeup. These actions affected over 90% of the sequence cut sets; however, they did not affect the dominant two cut sets. After applying these non-recovery factors, the probability value of $\bar{K}\bar{L}D''\bar{U}\bar{C}'\bar{F}$ was reduced from 1.3E-4 to 7.7E-5.

The final quantification value for the sequence $S_2$-59, therefore, becomes 1.6E-6/yr: the initiating event value of 2.1E-2/yr times the 7.7E-5 probability of the system failures.
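The operations the sample calculation walks through (discarding cut sets that contradict a succeeded system, multiplying by the initiating event frequency, then ANDing a non-recovery probability onto the cut sets an operator action can recover), as an added Python example that is not part of the report and does not use SETS. The cut sets, event names and most probabilities are constructed for illustration; only the 2.1E-2/yr initiator frequency, the 1E-3 LOSP value and the 0.01 non-recovery probability come from the text, and crediting at most one recovery action per cut set is an assumption.

```python
from math import prod

INITIATOR_FREQ = 2.1e-2   # small-small LOCA frequency per year, quoted in the text

# Basic-event probabilities: constructed, except LOSP = 1E-3 (from the text).
P = {
    "LOSP": 1e-3, "DG11-FTS": 3e-2, "DG12-FTS": 3e-2,
    "HPSI-P11-FTS": 3e-3, "HPSI-MOV-A-FTO": 3e-3, "HPSI-MOV-B-FTO": 3e-3,
    "SIAS-A-FAILS": 1e-3, "SIAS-B-FAILS": 1e-3, "RWT-OUTLET-VLV": 1e-4,
}


def cs(*events):
    """A cut set is an unordered set of basic events that all occur together."""
    return frozenset(events)


# Constructed minimal cut sets for failure of the injection system.
FAILED_CUT_SETS = [
    cs("RWT-OUTLET-VLV"),
    cs("HPSI-MOV-A-FTO", "HPSI-MOV-B-FTO"),
    cs("HPSI-P11-FTS", "HPSI-MOV-B-FTO"),
    cs("SIAS-A-FAILS", "SIAS-B-FAILS"),
    cs("LOSP", "DG11-FTS", "DG12-FTS"),
    cs("LOSP", "DG12-FTS", "HPSI-P11-FTS"),
]

# Constructed cut sets of systems that SUCCEED in the sequence.
SUCCEEDED = {
    "CSSI":  [cs("RWT-OUTLET-VLV")],
    "CARCS": [cs("DG11-FTS", "DG12-FTS")],
}

# (description, events that must all be in the cut set, non-recovery probability)
RECOVERY_ACTIONS = [
    ("manual actuation from the control room",
     cs("SIAS-A-FAILS", "SIAS-B-FAILS"), 0.01),
    ("realign power supply of the swing pump",
     cs("LOSP", "DG12-FTS", "HPSI-P11-FTS"), 0.01),
]


def probability(cut_set):
    """Cut set probability, assuming independent basic events."""
    return prod(P[event] for event in cut_set)


def remove_inconsistent(cut_sets, succeeded):
    """Comparative method: a sequence cut set that contains a whole cut set of
    a succeeded system would have failed that system, so it is discarded."""
    kept, removed = [], []
    for candidate in cut_sets:
        conflict = any(s <= candidate
                       for sets in succeeded.values() for s in sets)
        (removed if conflict else kept).append(candidate)
    return kept, removed


def non_recovery_factor(cut_set, actions):
    """Non-recovery probability ANDed onto a cut set; 1.0 if no action applies.
    Assumption: only the single most effective applicable action is credited."""
    factors = [q for _, trigger, q in actions if trigger <= cut_set]
    return min(factors, default=1.0)


def quantify():
    kept, removed = remove_inconsistent(FAILED_CUT_SETS, SUCCEEDED)
    p_screening = sum(probability(c) for c in kept)
    p_final = sum(probability(c) * non_recovery_factor(c, RECOVERY_ACTIONS)
                  for c in kept)
    return {
        "kept": kept,
        "removed": removed,
        "p_failure_only": sum(probability(c) for c in FAILED_CUT_SETS),
        "screening_freq": INITIATOR_FREQ * p_screening,   # rare-event sum
        "final_freq": INITIATOR_FREQ * p_final,
    }


if __name__ == "__main__":
    result = quantify()
    for c in result["removed"]:
        print("inconsistent with a success state:", " * ".join(sorted(c)))
    print(f"failure cut sets only : {result['p_failure_only']:.2e}")
    print(f"screening frequency   : {result['screening_freq']:.2e} /yr")
    print(f"final frequency       : {result['final_freq']:.2e} /yr")
```

As in the report's sequence, recovery is credited on half of the remaining cut sets yet the frequency falls only slightly, because the two largest cut sets have no applicable recovery action.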

Table 7.1a Generic Data Base

| Component and Failure Modes | Mean | Median | Error Factor | Remarks |
|---|---|---|---|---|
| 1. Pumps | | | | |
| 1.1 Motor-driven | | | | Pump and motor; excludes control circuits. |
| 1.1.1 Failure to start | 3E-3/d | 1E-3/d | 10 | |
| 1.1.2 Failure to run, given start | | | | |
| 1.1.2.1 Normal Environment | 3E-5/h | 1E-5/h | 10 | |
| 1.1.2.2 Extreme Environment | 3E-3/d | 1E-3/h | 10 | Considered as interface with heavy chemical environment such as concentrated boric acid. |
| 1.2 Turbine driven | | | | Pump, turbine, steam and throttle valves, and governor. |
| 1.2.1 Failure to start (includes under and over speed) | 3E-2/d | 1E-2/d | 10 | |
| 1.2.2 Failure to run, given start | 1E-5/h | 1E-5/h | 3 | |
| 1.3 Diesel-driven | | | | Pump, diesel, lube oil system, fuel oil, suction and exhaust air, and starting system. |
| 1.3.1 Failure to start | 1E-3/d | 1E-3/d | 3 | |
| 1.3.2 Failure to run, given start | 8E-4/h | 1E-4/h | 30 | |
| 2. Valves | | | | |
| 2.1 Motor operated | | | | Catastrophic leakage or "rupture" values assigned by engineering judgment; catastrophic leakage assumes the valve to be in a closed state, then the valve fails. |
| 2.1.1 Failure to open | 3E-3/d | 1E-3/d | 10 | |
| 2.1.2 Failure to remain open | 1E-7/h | 1E-7/h | 3 | |
| 2.1.3 Failure to close | 3E-3/d | 1E-3/d | 10 | |
| 2.1.4 Internal leakage (catastrophic) | 5E-7/h | 1E-8/h | 100 | |
| 2.2 Solenoid-operated | | | | |
| 2.2.1 Failure to operate | 1E-3/d | 1E-3/d | 3 | |
| 2.3 Air/Fluid operated | | | | |
| 2.3.1 Failure to operate | 3E-3/d | 1E-3/d | 10 | |
| 2.4 Check valves | | | | |
| 2.4.1 Failure to open | 1E-4/d | 1E-4/d | 3 | |
| | 3E-7/h | 1E-7/h | 10 | Hourly rate is based on one actuation per month. |
| 2.4.2 Failure to close | 1E-3/d | 1E-3/d | 3 | |
| | 3E-6/h | 1E-6/h | 10 | Hourly rate is based on one actuation per month. |
| 2.4.3 Internal Leakage | | | | |
| 2.4.3.1 Minor | 3E-5/h | 1E-6/h | 10 | |
| 2.4.3.2 Catastrophic | 5E-7/h | 1E-8/h | 100 | Valve initially closed, then failed. |
| 2.5 Vacuum breakers | | | | Applies only to BWRs. |
| 2.5.1 Failure to open | 1E-5/d | 1E-5/d | 3 | |
| 2.5.2 Failure to close | 1E-5/d | 1E-5/d | 3 | |
| 2.6 Manual valves | | | | Failure to operate is dominated by human error; hourly rate is based on one actuation per month. |
| 2.6.1 Failure to operate | 1E-4/d | 1E-4/d | 3 | |
| | 3E-7/h | 1E-7/h | 10 | |
| 2.7 Code safety valves | | | | Applies only to PWRs; premature opening treated as an initiating event. |
| 2.7.1 Failure to open | 1E-5/d | 1E-5/d | 3 | |
| 2.7.2 Failure to close, given open | 1E-2/d | 1E-2/d | 3 | |
| 2.8 Primary safety valves | | | | Applies only to BWRs. |
| 2.8.1 Failure to open | 1E-5/d | 1E-5/d | 3 | |
| 2.8.2 Failure to close, given open | 3E-2/d | 1E-2/d | 10 | |
| 2.9 Relief valves | | | | |
| 2.9.1 Failure to open | 3E-4/d | 1E-4/d | 10 | |
| 2.9.2 Failure to close, given open | 2E-2/d | 2E-2/d | 3 | |
| 2.10 Stop check valves | | | | |
| 2.10.1 Failure to open | 1E-4/d | 1E-4/d | 3 | |
| 3. Switches | | | | Where torque/limit switches are used as part of pumps/valves, switch failure rate is included in pump/valve failure rate. |
| 3.1 Torque | | | | |
| 3.1.1 Failure to operate | 1E-4/d | 1E-4/d | 3 | |
| 3.2 Limit | | | | |
| 3.2.1 Failure to operate | 1E-4/d | 1E-4/d | 3 | |
| 3.3 Pressure | | | | |
| 3.3.1 Failure to operate | 1E-4/d | 1E-4/d | 3 | |
| 3.4 Manual | | | | |
| 3.4.1 Failure to transfer | 3E-5/d | 1E-5/d | 10 | |
| 4. Other | | | | |
| 4.1 Circuit breaker | | | | For sizes 4 kV and smaller. |
| 4.1.1 Failure to transfer | 3E-3/d | 1E-3/d | 10 | |
| 4.1.2 Spurious trip | 3E-5/d | 1E-5/d | 10 | |
| 4.2 Fuses | | | | |
| 4.2.1 Premature open | 3E-6/d | 1E-6/h | 10 | |
| 4.3 Buses | | | | |
| 4.3.1 All modes | 1E-8/h | 1E-8/h | 3 | |
| 4.4 Orifices | | | | WASH-1400 data; no alternate data available. |
| 4.4.1 Failure to remain open (plug) | 3E-4/d | 3E-4/d | 3 | |
| 4.4.2 Rupture | 3E-8/h | 1E-8/h | 10 | |
| 4.5 Transformers | | | | |
| 4.5.1 All modes | 1E-6/h | 1E-6/h | 3 | |
| 4.6 Emergency diesel (complete plant) | | | | Engine frame and associated moving parts, generator coupling, governor, output breaker, static exciter, lube oil system, fuel oil, intake and exhaust air, starting system; excludes starting air compressor and accumulator, fueling storage and transfer, load sequencers, and synchronizers. Failure to start is failure to start, accept load, and run for 1/2 hour; failure to run is failure to run for more than 1/2 hour, given start. |
| 4.6.1 Failure to start | 3E-2/d | 3E-2/d | 3 | |
| 4.6.2 Failure to run, given start (emergency conditions) | 3E-3/h | 1E-3/h | 10 | |
| 4.7 Relays | | | | |
| 4.7.1 Contacts fail to transfer (open or close) | 3E-4/d | 1E-4/d | 10 | |
| 4.7.2 Coil failure (open or short) | 3E-6/h | 1E-6/h | 10 | |
| 4.8 Time Delay Relays | | | | |
| 4.8.1 Premature transfer | 3E-4/d | 1E-4/d | 10 | |
| 4.8.2 Fails to transfer | | | | |
| 4.8.2.1 Bimetallic | 5E-6/h | 5E-6/h | 3 | Non-consensus source. Data source is MIL-HDBK-217B [19]. Fail-to-transfer rates are not currently available for non-bimetallic time delay relays. |
| 4.9 Battery power system (wet cell) | | | | Assumes out-of-spec cell replacement. |
| 4.9.1 Fails to provide proper output | 1E-6/h | 1E-6/h | 3 | |
| 4.10 Battery charger | | | | |
| 4.10.1 Failure to operate | 1E-6/h | 1E-6/h | 3 | |
| 4.11 DC motor generators | | | | |
| 4.11.1 Failure to operate | 3E-6/h | 1E-6/h | 10 | |
| 4.12 Inverters | | | | |
| 4.12.1 Failure to operate | 1E-4/h | 1E-4/h | 3 | |
| 4.13 Wires (per circuit) | | | | Consistent with IEEE-500 data for 1000 circuit feet. |
| 4.13.1 Open circuit | 3E-6/h | 1E-6/h | 10 | |
| 4.13.2 Short to ground | 3E-7/h | 1E-7/h | 10 | |
| 4.13.3 Short to power | 3E-8/h | 1E-8/h | 10 | |
| 4.14 Solid state devices | | | | For more detailed information, see MIL-HDBK-217C [20]. |
| 4.14.1 High power applications | 3E-6/h | 1E-6/h | 10 | |
| 4.14.2 Low power applications | 3E-6/h | 1E-6/h | 10 | |
| 4.14.3 Bistables | 3E-7/d | 1E-7/d | 10 | |
| 4.15 Terminal Boards | | | | Values given are per terminal. |
| 4.15.1 Open circuit | 3E-7/h | 1E-7/h | 10 | |
| 4.15.2 Short to adjacent circuit | 3E-7/h | 1E-7/h | 10 | |
| 4.16 Dampers | | | | |
| 4.16.1 Failure to operate | 3E-3/d | 1E-3/d | 10 | |
| 4.17 Air coolers | | | | |
| 4.17.1 Failure to operate | 1E-5/h | 1E-5/h | 3 | Not consensus data. Plant specific from ANO-1 IREP study. |
| 4.18 Heat exchangers | | | | |
| 4.18.1 Tube leak (per tube) | 3E-9/h | 1E-9/h | 10 | |
| 4.18.2 Shell leak | 3E-6/h | 1E-6/h | 10 | |
| 4.19 Strainer/filter | | | | For clear fluids; contaminated fluids or fluids with a heavy chemical burden should be considered on a plant-specific basis. |
| 4.19.1 Plugged | 3E-5/h | 1E-5/h | 10 | |
| 4.20 Scram systems | | | | |
| 4.20.1 Failure to scram | 3E-5/d | 3E-5/d | 3 | |
| 4.21 Instrumentation (general) | | | | |
| 4.21.1 Failure to operate | 3E-6/h | 1E-6/h | 10 | |

Adapted from EGG-EA-5887 [18].

Table 7.1b Multipliers to Compute Mean From Median

| Error Factor | Multiplier |
|---|---|
| 3 | 1.25 |
| 10 | 2.66 |
| 30 | 8.48 |
| 100 | 50.33 |

Table 7.2a Mechanical Component Failure Rate Data (from WASH-1400, Table III 4-1)

                                                            FAILURE
                                                            RATE     ASSESSED
COMPONENT & FAILURE MODE                                    TYPE     RANGE           MEDIAN  EF  REMARKS

Pumps (includes driver):
  Motor & turbine driven (generic class):
    Failure to start on demand:                             D(A)     3E-4 to 3E-3    1E-3    3
    Failure to run, given start (normal environments):      O        3E-6 to 3E-4    3E-5    10
    Failure to run, given start (extreme, post accident
      environments inside containment):                     O        1E-4 to 1E-2    1E-3    10
    Failure to run, given start (post accident, after
      environmental recovery):                              O        3E-5 to 3E-3    3E-4    10
  Turbine driven pumps:
    Failure to start on demand:                             D        1E-3 to 1E-2    3E-3    3   A
    Failure to run, given start (normal environment):       O        1E-5 to 1E-4    3E-5    3   A

Valves:
  Motor operated:
    Failure to operate (includes driver):                   D(B)     3E-4 to 3E-3    1E-3    3
    Failure to remain open (plug):                          D(C)     3E-5 to 3E-4    1E-4    3
    Failure to remain open (plug):                          S        1E-7 to 1E-6    3E-7    3
    Rupture:                                                S        1E-9 to 1E-7    1E-8    10
  Solenoid operated:
    Failure to operate:                                     D(D)     3E-4 to 3E-3    1E-3    3
    Failure to remain open (plug):                          D        3E-5 to 3E-4    1E-4    3
    Rupture:                                                S        1E-9 to 1E-7    1E-8    10
  Air-fluid operated:
    Failure to operate:                                     D(B)     1E-4 to 1E-3    3E-4    3
    Failure to remain open (plug):                          D        3E-5 to 3E-4    1E-4    3
    Failure to remain open (plug):                          S        1E-7 to 1E-6    3E-7    3
    Rupture:                                                S        1E-9 to 1E-7    1E-8    10
  Check valves:
    Failure to open:                                        D        3E-5 to 3E-4    1E-4    3
    Internal leak (severe):                                 O        1E-7 to 1E-6    3E-7    3
    Rupture:                                                S        1E-9 to 1E-7    1E-8    10
  Vacuum valve:
    Failure to operate:                                     D        1E-5 to 1E-4    3E-5    3
  Manual valve:
    Failure to operate:                                     D        3E-5 to 3E-4    1E-4    3   A
    Failure to remain open (plug):                          D        3E-5 to 3E-4    1E-4    3
    Rupture:                                                S        1E-9 to 1E-7    1E-8    10
  Primary safety valves (PWRs):
    Failure to open:                                        D        1E-3 to 1E-2    3E-3    3   R
    Premature open:                                         S        1E-6 to 1E-5    3E-6    3   R
    Failure to reclose (given valve open):                  D(E)     3E-3 to 3E-2    1E-2    3   R

Table 7.2a (Concluded)

                                                            FAILURE
                                                            RATE     ASSESSED
COMPONENT & FAILURE MODE                                    TYPE     RANGE           MEDIAN  EF  REMARKS

  Primary safety valves (BWRs):
    Failure to open:                                        D        3E-3 to 3E-2    1E-2    3   A
    Premature open:                                         S        1E-6 to 1E-5    3E-6    3   R
    Failure to reclose (given valve open):                  D        1E-3 to 1E-2    3E-3    3   R
  Test valves, flow meters, orifices:
    Failure to remain open (plug):                          D        1E-4 to 1E-3    3E-4    3
    Rupture:                                                S        1E-9 to 1E-7    1E-8    10

Pipes:
  Pipe ≤ 3-inch diameter (per section):
    Rupture/plug:                                           S+O      3E-11 to 3E-8   1E-9    30
  Pipe > 3-inch diameter (per section):
    Rupture/plug:                                           S+O      3E-12 to 3E-9   1E-10   30

Clutch, mechanical:
  Failure to operate:                                       D(D)     1E-4 to 1E-3    3E-4    3

Scram rods (single):
  Failure to insert:                                        D        3E-5 to 3E-4    1E-4    3

Table 7.2b Electrical Component Failure Rate Data (from WASH-1400, Table III 4-2)

                                                            FAILURE
                                                            RATE     ASSESSED
COMPONENT & FAILURE MODE                                    TYPE     RANGE           MEDIAN  EF

Clutch, electrical:
  Failure to operate:                                       D(D)     1E-4 to 1E-3    3E-4    3
  Premature disengagement:                                  O        1E-7 to 1E-5    1E-6    10

Motors, electric:
  Failure to start:                                         D(D)     1E-4 to 1E-3    3E-4    3
  Failure to run, given start (normal environment):         O        3E-6 to 3E-5    1E-5    3
  Failure to run, given start (extreme environment):        O        1E-4 to 1E-2    1E-3    10

Relays:
  Failure to energize:                                      D(E)     3E-5 to 3E-4    1E-4    3
  Failure of NO contacts to close, given energized:         O        1E-7 to 1E-6    3E-7    3
  Failure of NC contacts by opening, given not energized:   O        3E-8 to 3E-7    1E-7    3
  Short across NO/NC contact:                               O        1E-9 to 1E-7    1E-8    10
  Coil open:                                                O        1E-8 to 1E-6    1E-7    10
  Coil short to power:                                      O        1E-9 to 1E-7    1E-8    10

Circuit breakers:
  Failure to transfer:                                      D(B)     3E-4 to 3E-3    1E-3    3
  Premature transfer:                                       O        3E-7 to 3E-6    1E-6    3

Switches:
  Limit:
    Failure to operate:                                     D        1E-4 to 1E-3    3E-4    3
  Torque:
    Failure to operate:                                     D        3E-5 to 3E-4    1E-4    3
  Pressure:
    Failure to operate:                                     D        3E-5 to 3E-4    1E-4    3
  Manual:
    Failure to transfer:                                    D        3E-6 to 3E-5    1E-5    3

Switch contacts:
  Failure of NO contacts to close, given switch operation:  O        1E-8 to 1E-6    1E-7    10
  Failure of NC by opening, given no switch operation:      O        3E-9 to 3E-7    3E-8    10
  Short across NO/NC contact:                               O        1E-9 to 1E-7    1E-8    10

Battery power system (wet cell):
  Failure to provide proper output:                         S        1E-6 to 1E-5    3E-6    3

Transformers:
  Open circuit primary or secondary:                        O        3E-7 to 3E-6    1E-6    3
  Short primary to secondary:                               O        3E-7 to 3E-6    1E-6    3

Solid state devices, high power applications (diodes, transistors, etc.):
  Fails to function:                                        O        3E-7 to 3E-5    3E-6    10
  Fails shorted:                                            O        1E-7 to 1E-5    1E-6    10

Table 7.2b (Concluded)

                                                            FAILURE
                                                            RATE     ASSESSED
COMPONENT & FAILURE MODE                                    TYPE     RANGE           MEDIAN  EF

Solid state devices, low power applications:
  Fails to function:                                        O        1E-7 to 1E-5    1E-6    10
  Fails shorted:                                            O        1E-8 to 1E-6    1E-7    10

Diesels (complete plant):
  Failure to start:                                         D        1E-2 to 1E-1    3E-2    3
  Failure to run, emergency conditions, given start:        O        3E-4 to 3E-2    3E-3    10

Diesels (engine only):
  Failure to run, emergency conditions, given start:        O        3E-5 to 3E-3    3E-4    10

Instrumentation, general (includes transmitter, amplifier and output device):
  Failure to operate:                                       O        1E-7 to 1E-5    1E-6    10
  Shift in calibration:                                     O        3E-6 to 3E-4    3E-5    10

Fuses:
  Failure to open:                                          D        3E-6 to 3E-5    1E-5    3
  Premature open:                                           O        3E-7 to 3E-6    1E-6    3

Wires (typical circuits, several joints):
  Open circuit:                                             O        1E-6 to 1E-5    3E-6    3
  Short to ground:                                          O        3E-8 to 3E-6    3E-7    10
  Short to power:                                           O        1E-9 to 1E-7    1E-8    10

Terminal boards:
  Open connection:                                          O        1E-8 to 1E-6    1E-7    10
  Short to adjacent circuit:                                O        1E-9 to 1E-7    1E-8    10

Table 7.2 (Notes)

NOTES:

(A) Demand probabilities are based on the presence of proper input control signals. For turbine pumps, the effect of failures of valves, sensors, and other auxiliary hardware may result in significantly higher overall failure rates for turbine driven pump systems.

(B) Demand probabilities are based on presence of proper input control signals.

(C) Plug probabilities are given in demand probability, and per hour rates, since phenomena are generally time-dependent, but plugged condition may only be detected upon a demand of the system.

(D) Demand probabilities are based on presence of proper input control signals.

(E) These rates are based on LERs for B&W pressurizer PORV failure to reseat given the valve has opened.

ABBREVIATIONS:

(1) For failure rate type abbreviations:

    D   = demand failure rate--failures per demand
    O   = operating failure rate--failures per hour of operation
    S   = standby failure rate--failures per hour of standby
    S+O = standby or operating failure rate--failures per hour

(2) Remarks (last column) abbreviations:

    R = failure rate shown is a revision of WASH-1400 value
    A = failure rate shown is in addition to WASH-1400 failure rates.

CHAPTER 8

RESULTS

8.1 Dominant Accident Sequences

The culmination of the analysis was the determination of those sequences contributing most to the risk of core melt at the plant. The process that was followed to arrive at this point is described in Chapter 7 and is explained in detail in Appendix C. This chapter presents the results of that process.

The total core melt frequency for Calvert Cliffs Unit 1 was determined to be 1.3E-4/yr and consisted almost entirely of sequences with frequencies greater than 1.0E-6/yr. The list of these sequences is shown in Table 8.2 and a legend for all the terms can be found in Table 8.1. Most of these sequences were evaluated according to the process described in Chapter 7.

Two of the sequences were not identified by the event tree accident sequence definition process. The first was the ATWS(PSF) sequence. This sequence is a composite sequence to estimate the likelihood of any transient initiator followed by failure to scram resulting in primary system failure. The results of CE analyses [21] and NRC analysis in support of the ATWS rule [22] were used to estimate the frequency of this event. The second is the Blackout sequence. This sequence involves a loss of offsite power (LOSP) followed by the loss of all three diesel generators. Auxiliary Feedwater works initially, but fails after four hours due to battery depletion; AC power is not recovered. This sequence was not identified at the time the fault trees were originally constructed, but as a result of the NRC sponsored Station Blackout Program [17]. The sequence actually modeled that is similar to this Blackout sequence is T1-85. Sequence T1-85 involves failure of two diesel generators and failure of auxiliary feedwater immediately after the LOSP due to hardware failures. This sequence (T1-85) was also identified in the Station Blackout Program, but was found to be less important (this is confirmed by our results).

An estimate was made of the contribution to core melt of all the sequences with frequencies less than 1.0E-6/yr. These sequences can be divided into two groups: (1) the twenty-six of the original candidate dominant sequences which dropped below 1.0E-6/yr when recovery was applied to them, and (2) two hundred and sixty-eight sequences out of the total of 300 sequences defined for Calvert Cliffs which were below the 1.0E-6/yr cutoff in the screening quantification stage. For group (1), their frequencies after recovery was applied were summed and came to 5.1E-6/yr. For group (2), their frequencies were either calculated explicitly by evaluating the whole sequence (done for about 50% of the sequences) or an upper bound on the point estimate was calculated from knowledge of the initiating events, undeveloped events and evaluating some of the developed events (see the discussion in Appendix C on the screening calculation for more details). Summing the frequencies of these sequences resulted in a contribution of 2.7E-5/yr before recovery was applied. Only a few of the sequences were near the 1.0E-6/yr cutoff and contributed significantly to this number. These few were found to be similar to existing candidate dominant sequences and to have similar recovery potential. Since the dominant sequences were reduced by a factor of 10 by application of recovery, this factor was applied to the group (2) contribution to give a final frequency estimate of 2.7E-6/yr. Upon summing the group (1) and (2) estimates, we get 7.8E-6/yr or 6% of the total core melt frequency. This estimate was added into the total core melt frequency estimate.

From the list of dominant sequences in Table 8.2, the following general classes of accident sequences were found to contribute most to the CC-1 core melt frequency:

1. Anticipated Transients Without Scram (ATWS) contributed 33% of the core melt frequency.
2. Small-small LOCAs (S2) contributed 20% of the core melt frequency.
3. The special transient initiator TDC (loss of DC bus 11) contributed 16% of the core melt frequency.
4. Loss of Offsite Power (T1) transients contributed 12% of the core melt frequency.
5. Loss of PCS (T2) transients contributed 6% of the core melt frequency (not including the ATWS sequence).
6. All other transients (T4) contributed 5% of the core melt frequency (not including the ATWS sequences).
7. Transients requiring pressure relief (T3) contributed 1% of the core melt frequency (not including the ATWS sequences).

In order to get an estimate of the consequences which may be expected from core melt accidents, all the sequences with frequencies greater than 1.0E-6/yr were analyzed by Battelle Columbus Laboratories (BCL) to determine which containment failure modes and release categories would be expected from the occurrence of each sequence. The sequence frequency was then multiplied by the containment failure mode probability, and the resulting frequency was assigned to the proper release category.

The results of this analysis are shown in Tables 8.3 and 8.4, and discussed in Section 8.2.

Sensitivity analyses were performed on the dominant accident sequences and are discussed in detail in Section 8.3. Various phenomenological and modeling uncertainties were examined.

The remainder of this section describes in detail the accident sequences with frequencies greater than, or equal to, 1.0E-6/yr. The descriptions include the dominant cut sets of the sequences and details of the insights gained, major assumptions made, and a discussion of the recovery factors applied to each sequence.

8.1.1 ATWS(PSF)

8.1.1.1 Description

This sequence is an anticipated transient without scram (ATWS) followed by primary system failure (PSF) due to overpressure and is assessed to result in a LOCA and subsequent core melt. The CARCS and/or CSSI systems succeed and cool the containment.

As a result of some transient, the PCS is either tripped, fails, or runs back and AFW and/or the PCS is removing heat from the primary at a reduced rate (i.e., at least ~5% of full power). The resulting imbalance between the energy removal rate (~5%) and the energy production rate (~100%) leads to the heatup of the primary system and an increase in system pressure. The magnitude of the pressure increase is determined by several variables: the initial power level, final heat removal rate, and the net reactivity in the core. Assuming the initial power and final heat removal rate are ~100% and ~5%, respectively, then the major determining factor is the moderator temperature coefficient (MTC) of reactivity. The MTC determines the negative feedback between the rise in temperature and the resulting decrease in power due to the negative reactivity added by the decreasing density or voiding of the primary coolant. The less negative (i.e., closer to zero) the MTC, the smaller the feedback and the higher the peak pressure.

Given that the peak pressure exceeds the service level C (3200 psia) limit, various types of system damage have been postulated: (1) if the pressure should exceed 3500 psia then the reactor vessel head will lift [21] and will likely fail to reseat completely, (2) the response of the steam generator tubes (particularly older tubes) is uncertain at these differential pressures and a large number could potentially rupture [22], and (3) because there is insufficient analysis of the operability of check valves in the primary system for pressures exceeding service level C, there is an assessment that the CVCS and HPSI systems would be unavailable some significant fraction of the time due to the check valves being forced shut and deformed to the point of inoperability. [22] Thus, continued reactor cooling and long-term recovery after the system has been overpressured is questionable. For the purpose of this analysis, it was assumed that pressures in excess of 3200 psia are equated to core melt.

The sequence frequency is estimated at 2.8E-5/yr and contributes 20% of the total core melt frequency.

8.1.1.2 Quantification

In order to estimate the frequency of an ATWS event followed by an unfavorable MTC, one must multiply the transient frequency by both the failure to scram probability and the probability of having an unfavorable MTC (i.e., the probability of having an MTC value that results in the peak pressure exceeding the service level C limit) for that initiator.* Upon summing the results for the various initiators, the estimate of the frequency of this sequence is calculated to be:

f(ATWS(PSF)) = T2*k*P2(MTC) + T3*k*P3(MTC) + 0.5*T4*k*P4(MTC)

             = 0.8*3E-5*0.5 + 1.85*3E-5*0.1 + 0.5*6.8*3E-5*0.1

             = 1.2E-5 + 5.6E-6 + 1.0E-5

             = 2.8E-5/yr

The sources of the various numbers are discussed in the next section.

8.1.1.3 Major Assumptions and Recovery Actions

Because of the short time (~2 minutes) before pressure exceeds service level C, no credit has been given for any recovery actions. The IREP recovery model does not give credit for any action required to be performed in less than 5 minutes.

T1 (Loss of Offsite Power) transients were not quantified since the initiator directly results in a de-energization of the motor-generator sets and the use of a 3E-5 probability for failure to scram was assessed as being too high for this initiator. The failure to scram would need to result from some mechanical common mode failure of all or most of the control rod drive mechanisms and was assessed as being negligible.

For T2 (Loss of Feedwater) transients a probability of 0.5 was chosen for an unfavorable MTC. The peak pressure predicted for this type of transient was 4200 psia for a new core [21] and allows for the reactor vessel head lifting at ~3500 psia to relieve some of the pressure. This predicted peak pressure greatly exceeds the service level C (3200 psia) limit and a LOCA, due to failure of the vessel head to reseat or steam generator tube rupture or some other break in the primary, combined with failure of CVCS and HPSI to supply makeup due to stuck check valves results in core melt. The value of 0.5 for the probability of a pressure transient exceeding service level C and resulting in core melt comes from NUREG-0460 [23] and is the same as that used in the NRC analysis in support of the ATWS rule [22].

* The MTC becomes more negative as a core approaches end-of-life. Thus, new cores will result in higher peak pressures than old cores. The probability of an unfavorable MTC is equivalent to the fraction of core life in which the peak pressure is expected to exceed 3200 psia for each specific transient type.

For T3 (Turbine Trip) transients, the system response has a peak predicted pressure of ~3400 psia for a new core. This is different from the response of larger CE plants for which the peak pressures from turbine trips and loss of feedwater are roughly the same (i.e., both ~4,000 psia). The NRC analysis in support of the ATWS rule [22] groups CE and B&W plants and uses a probability of 0.5 for exceeding service level C for turbine trip transients. However, this value, while appropriate for larger CE plants, was judged to be too large for smaller plants like Calvert Cliffs. A value of 0.1 was chosen based on the following considerations: (1) the 3400 psia peak pressure is based on a nominal full power initiator, but the analysis models initiators occurring from 25-110% power, and (2) the probability of having an unfavorable MTC should be significantly less than for the loss of feedwater case since the transient is less severe and the value of the MTC needed to exceed 3200 psia should be much higher than in the loss of feedwater case (e.g., a factor of ~4 increase in the MTC would be needed to produce pressure comparable to the loss of feedwater initiator). The actual value was estimated by shifting the MTC probability table in NUREG-0460, Vol. 4 [23] to reflect the less severe characteristics of the sequence.

For T4 (all other) transients, it was assessed that approximately 50% of the initiators would not result in runback of the PCS and that no heat imbalance or pressure transient would result. The remaining 50% were assessed as resulting in a turbine trip and runback of the PCS or conditions roughly similar to a turbine trip. The pressure transient for these initiators would be similar to the T3 transient described previously. A value of 0.1 for the probability of an unfavorable MTC was therefore used in this case, also.

The value of 3E-5 used for the failure to scram probability is a generic value taken from NUREG-0460 [23]. This is the same as the value used in the NRC analysis in support of the ATWS rule [22]. Since the dominant contributors to failure to scram are likely to be common modes that result in failure of all rods to insert (e.g., Salem failure to scram on February 22 and 25, 1983), this number was used to represent failure of all rods to insert, and no credit was taken for the possibility of some rod insertion that would significantly reduce the peak pressure.

8.1.1.4 Engineering Insights

As discussed in the previous section, with the IREP recovery model and without ATWS procedures and training, no credit was given for operator actions mitigating this event. Calvert Cliffs has recently implemented a new ATWS procedure which directs the operator to: (1) trip the reactor manually, (2) de-energize the motor-generator sets, and (3) initiate emergency boration. The de-energization of the motor-generator sets should bypass any actuation or control circuit failures (e.g., the Salem incident) and result in successful scram. If done quickly enough, this could result in a reduction in any pressure transient. With appropriate operator training, it may be possible to mitigate this sequence.

The only other ways of reducing this sequence's frequency or mitigating the results appear to involve changes to the plant such as: (1) reduce the number of transients, (2) improve the RPS reliability, (3) qualify the primary system and valve operability at higher pressures (~3500 psia), (4) do improved analysis to show peak pressures are not as high as currently predicted, or (5) change the fuel loading so that a more negative MTC is obtained.

8.1.2 Sequence TDC-82 (TDCL)

8.1.2.1 Description

In this sequence, a failure of DC bus 11 (TDC) results in a trip of Units 1 and 2 and failure of the PCS with degradation of the safety systems. The plant scrams successfully, but AFW (L) subsequently fails. CARCS and CSSI succeed and cool the containment. As a result of the lack of secondary heat removal, the core inventory boils off through the cycling open of the PORVs. No credit is given for feed and bleed due to the low head of the HPSI pumps and the uncertainty as to whether or not the pressure could be reduced enough for the HPSI pumps to be able to inject water [24, 25]. Recent calculations done by EG&G for the Station Blackout Program [26] indicate that approximately 86 minutes is available to start an AFW pump in order to prevent core uncovery.

The sequence frequency is estimated as 2.1E-5/yr and contributes 16% of the total core melt frequency. The dominant contributors to this sequence are outlined below.

8.1.2.2 Dominant Cut Sets - TDCL

Cut Set                             Frequency (/yr)   % of Sequence

TDC*RA-3*AFWP11-PTD-LF              6.8E-6            32
TDC*RA-3*AFWP11-PTD-PRMN            5.3E-6            25
TDC*RA-3*AFWS903A-NOC-LF            1.4E-6            7
TDC*RA-3*AFW3987A-NOC-LF            1.4E-6            7
TDC*RA-16*AFW4530-N-PRMN            7.2E-7            3
TDC*RA-16*AFW4520-N-PRMN            7.2E-7            3
TDC*RA-4*AFWP11-PTD-PRTS            5.0E-7            2
TDC*AFW4511-CV-OE*AFW4531-NOC-LF    3.6E-7            2
TDC*AFW4511-CV-OE*AFW4530-NOC-LF    3.6E-7            2
TDC*AFW4511-CV-OE*AFW4512-NOC-LF    3.6E-7            2
TDC*RA-3*AFWO103-X-FRFT             2.9E-7            1
TDC*RA-3*AFWM911X-X-PRMN            2.3E-7            1
TDC*RA-3*AFWC909X-CCC-LF            1.4E-7            1
TDC*RA-3*AFWO102-CCC-LF             1.4E-7            1

Total                               1.9E-5            90%

Term Descriptions

TDC = Failure of DC bus 11; this results in failure of PCS, the failure of AFW motor-driven pump #13 and the opening of steam admission valve 4071 and feedwater valves 4512 and 4535 to steam generator #12; f = 3.6E-2/yr.

RA-3 = Operator fails to start locked-out AFW turbine-driven pump #12; p = 4E-2.

AFWP11-PTD-LF = Local fault of AFW turbine-driven pump #11; p = 4.7E-3.

AFWP11-PTD-PRMN = Maintenance of AFW turbine-driven pump #11; p = 1.4E-3.

AFWS903A-NOC-LF = Local fault of valve in steam admission line to AFW turbine-driven pump #11; p = 1E-3.

AFW3987A-NOC-LF = Local fault of valve in steam admission line to AFW turbine-driven pump #11; p = 1E-3.

RA-16 = Operator fails to crossfeed from unit 2's AFW; p = 1E-1.

AFW4530-N-PRMN = Feedwater valve whose maintenance fails delivery from both AFW turbine-driven pumps; p = 2E-4.

AFW4520-N-PRMN = Feedwater valve whose maintenance fails delivery from both AFW turbine-driven pumps; p = 2E-4.

RA-4 = Operator fails to restore AFW turbine-driven pump #11 from test; p = 1E-2.

AFWP11-PTD-PRTS = AFW turbine-driven pump #11 in test; p = 1.4E-3.

AFW4511-CV-OE = Operator fails to increase flow to steam generator #11 given plugging of valve to steam generator #12; p = 1E-2.

AFW4531-NOC-LF = Local fault of feedwater valve to steam generator #12, fails turbine pump flow to that steam generator; p = 1E-3.

AFW4530-NOC-LF = Local fault of feedwater valve to steam generator #12, fails turbine pump flow to that steam generator; p = 1E-3.

AFW4512-NOC-LF = Local fault of feedwater valve to steam generator #12, fails turbine pump flow to that steam generator; p = 1E-3.

AFWO103-X-FRFT = Failure to restore from test an AFW turbine-driven pump #11 discharge valve; p = 2E-4.

AFWM911X-X-PRMN = Maintenance of valve in AFW turbine-driven pump #11 steam admission line; p = 1.6E-4.

AFWC909X-CCC-LF = Local fault of check valve in AFW turbine-driven pump #11 steam admission line; p = 1E-4.

AFWO102-CCC-LF = Local fault of check valve in AFW turbine-driven pump #11 discharge line; p = 1E-4.
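As an added worked example (not code from the report), the Python below recomputes each TDC-82 cut set frequency as the initiator frequency times the basic-event probabilities given in the Term Descriptions, and lists any cut set whose tabulated frequency does not follow from those probabilities. Event names and values are transcribed from the cut set list and term descriptions above; the function names and the 5% rounding tolerance are assumptions of this example.

```python
from math import isclose, prod

TDC_FREQ = 3.6e-2        # initiator: failure of DC bus 11 (/yr)
SEQUENCE_FREQ = 2.1e-5   # sequence frequency after recovery (/yr)

# Basic-event probabilities as printed in the Term Descriptions.
P = {
    "RA-3": 4e-2, "RA-4": 1e-2, "RA-16": 1e-1,
    "AFWP11-PTD-LF": 4.7e-3, "AFWP11-PTD-PRMN": 1.4e-3,
    "AFWP11-PTD-PRTS": 1.4e-3,
    "AFWS903A-NOC-LF": 1e-3, "AFW3987A-NOC-LF": 1e-3,
    "AFW4530-N-PRMN": 2e-4, "AFW4520-N-PRMN": 2e-4,
    "AFW4511-CV-OE": 1e-2,
    "AFW4531-NOC-LF": 1e-3, "AFW4530-NOC-LF": 1e-3, "AFW4512-NOC-LF": 1e-3,
    "AFWO103-X-FRFT": 2e-4, "AFWM911X-X-PRMN": 1.6e-4,
    "AFWC909X-CCC-LF": 1e-4, "AFWO102-CCC-LF": 1e-4,
}

# (basic events following TDC, frequency listed in the cut set table, /yr)
CUT_SETS = [
    (("RA-3", "AFWP11-PTD-LF"), 6.8e-6),
    (("RA-3", "AFWP11-PTD-PRMN"), 5.3e-6),
    (("RA-3", "AFWS903A-NOC-LF"), 1.4e-6),
    (("RA-3", "AFW3987A-NOC-LF"), 1.4e-6),
    (("RA-16", "AFW4530-N-PRMN"), 7.2e-7),
    (("RA-16", "AFW4520-N-PRMN"), 7.2e-7),
    (("RA-4", "AFWP11-PTD-PRTS"), 5.0e-7),
    (("AFW4511-CV-OE", "AFW4531-NOC-LF"), 3.6e-7),
    (("AFW4511-CV-OE", "AFW4530-NOC-LF"), 3.6e-7),
    (("AFW4511-CV-OE", "AFW4512-NOC-LF"), 3.6e-7),
    (("RA-3", "AFWO103-X-FRFT"), 2.9e-7),
    (("RA-3", "AFWM911X-X-PRMN"), 2.3e-7),
    (("RA-3", "AFWC909X-CCC-LF"), 1.4e-7),
    (("RA-3", "AFWO102-CCC-LF"), 1.4e-7),
]


def cut_set_frequency(events):
    """Initiator frequency times the product of the basic-event probabilities."""
    return TDC_FREQ * prod(P[e] for e in events)


def audit(rel_tol=0.05):
    """Cut sets whose listed frequency is not the product of the listed values.

    The tolerance absorbs the table's rounding to two significant figures.
    """
    return [(events, listed, cut_set_frequency(events))
            for events, listed in CUT_SETS
            if not isclose(cut_set_frequency(events), listed, rel_tol=rel_tol)]


def listed_total():
    """Rare-event approximation: sequence frequency as the sum of its cut sets."""
    return sum(listed for _, listed in CUT_SETS)


def implied_probability(events, listed, unknown):
    """Value one event must take for the cut set to reproduce its listed frequency."""
    others = prod(P[e] for e in events if e != unknown)
    return listed / (TDC_FREQ * others)


def report():
    """One line per cut set: listed and recomputed frequency, share of sequence."""
    lines = []
    for events, listed in CUT_SETS:
        name = "TDC*" + "*".join(events)
        share = 100 * listed / SEQUENCE_FREQ
        lines.append(f"{name:<34} listed {listed:.1e}  "
                     f"computed {cut_set_frequency(events):.1e}  {share:4.1f}%")
    lines.append(f"sum of listed cut sets: {listed_total():.1e}/yr")
    for events, listed, computed in audit():
        lines.append("MISMATCH TDC*" + "*".join(events)
                     + f": listed {listed:.1e}, computed {computed:.1e}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

With the values as printed, every cut set reproduces except TDC*RA-3*AFWP11-PTD-PRMN, whose listed 5.3E-6/yr corresponds to a maintenance unavailability of about 3.7E-3 rather than the 1.4E-3 shown in the term description.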

8.1.2.3 Major Assumptions and Recovery Actions

The initial screening value for this sequence was 4.9E-4/yr. The recovery actions involve: (1) starting the locked-out AFW turbine pump #12 (RA-3, p = .04), (2) actuating the AFW turbine pump #11 manually from the control room (RA-2, p = .02), (3) feeding AFW from unit 2's AFW system (RA-16, p = .1), or (4) realigning AFW turbine pump #11 from test (RA-4, p = .01).

It is assumed due to discussions with plant personnel that the operator would be reluctant to manually close the motor pump circuit breaker due to the lack of pump protection resulting from the DC bus loss; therefore, other recovery actions were preferentially considered. Also, while all the cut sets could be recovered by cross-feeding from unit 2's AFW system once the AFW modification is completed (see Section 6.9 of main report or Appendix B.9), credit for this was only given when no other reasonable recovery action was possible. Because the procedures for dealing with these events have not been written, we judged that there would be some reluctance on the part of unit 2's operators to divert flow to unit 1 and decrease the reliability of their own AFW supply and a 0.1 non-recovery probability was used for this event.

It may also be possible for the operator to restart one train of the PCS system; however, no credit was given for this action since the operator would preferentially be directed to the AFW system and, by the time he decided to try to restart the PCS, it is assumed that it would be too late. The application of the recovery actions reduced the sequence frequency to 2.1E-5/yr.

8.1.2.4 Engineering Insights

For this sequence, the loss of DC bus 11 results in a trip of both unit 1 and 2, fails auto AFAS actuation and DC breaker control power to the motor-driven AFW pump #13. AFW steam admission valve 4071 fails open and AFW train A feedwater valves fail open resulting in auto start of AFW turbine-driven pump #11. However, various single faults of AFW pump #11 result in a loss of all AFW. For most faults (75% of the sequence frequency), it is possible for the operator to manually start the locked-out turbine pump #13; however, for the case where feedwater valves 4530 or 4520 have been isolated for maintenance requiring disassembly (6% of the sequence frequency), the two turbine pumps are both unavailable. The only recovery is to then cross-feed from unit 2's AFW system.

8.1.3 Sequence S2-50 (S2H)

8.1.3.1 Description

In this sequence, a Small-small LOCA (S2) occurs followed by successful scram and operation of AFW and HPSI providing both secondary heat removal and primary system makeup. When the RWT depletes and switchover to recirculation occurs (anywhere from 4 to 12 hours into the transient depending on the size of the leak), HPSR (H) fails. Due to the lack of primary makeup, the core then uncovers and core melt ensues. CARCS and CSSR succeed and cool the containment.

The sequence frequency is estimated as 1.4E-5/yr and contributes 11% of the total core melt frequency. The dominant contributors to this sequence are outlined below.

8.1.3.2 Dominant Cut Sets

Because of the large number of cut sets of relatively equal value which comprise this sequence even after the application of recovery, only cut sets whose frequency is greater than 2.1E-8/yr are listed here. These cut sets comprise 74% of the sequence frequency. A more detailed list of cut sets for all dominant sequences can be found in Appendix C.

Cut Sets                                    Freq. (/yr)   % of Sequence

S2*CCWO258X-XOC-LF                          7.6E-7        5
S2*CCW3826N-NCC-OE*SWS5206A-NCC-LF          6.3E-7        5
S2*CCW3826N-NCC-OE*SWS5160A-NCC-LF          6.3E-7        5
S2*CCW3826N-NCC-OE*CCW3823N-NTO-LF          6.3E-7        5
S2*HPIOC13B-CBL-LF*ECCFANWE-CBL-LF          4.6E-7        3
S2*HPI0013B-BOO-LF*ECCFANWE-CBL-LF          4.2E-7        3
S2*HPI0013B-PMD-LF*ECCFANWE-CBL-LF          4.2E-7        3
S2*HPIOC13B-CBL-LF*SWS5171A-NCC-LF          2.1E-7        2
S2*HPIOC13B-CBL-LF*SWS5170A-NCC-LF          2.1E-7        2
S2*HPIOC13B-CBL-LF*SIS4144A-VCC-LF          2.1E-7        2
S2*HPI0013B-BOO-LF*SWS5171A-NCC-LF          1.9E-7        1
S2*HPI0013B-BOO-LF*SWS5170A-NCC-LF          1.9E-7        1
S2*HPI0013B-BOO-LF*SWS4144A-VCC-LF          1.9E-7        1
S2*HPI0013B-PMD-LF*SWS5171A-NCC-LF          1.9E-7        1
S2*HPI0013B-PMD-LF*SWS5170A-NCC-LF          1.9E-7        1
S2*HPI0013B-PMD-LF*SWS4144A-VCC-LF          1.9E-7        1
S2*SWS5206A-NCC-LF*SWS5208B-NCC-LF          1.9E-7        1
S2*SWS5206A-NCC-LF*SWS5163B-NCC-LF          1.9E-7        1
S2*SWS5206A-NCC-LF*SWS5162B-NCC-LF          1.9E-7        1
S2*SWS5206A-NCC-LF*CCW3826N-NCC-LF          1.9E-7        1
S2*SWS5206A-NCC-LF*CCW3825N-NTO-LF          1.9E-7        1
S2*SWS5160A-NCC-LF*SWS5208B-NCC-LF          1.9E-7        1
S2*SWS5160A-NCC-LF*SWS5163B-NCC-LF          1.9E-7        1
S2*SWS5160A-NCC-LF*SWS5162B-NCC-LF          1.9E-7        1
S2*SWS5160A-NCC-LF*CCW3826N-NCC-LF          1.9E-7        1
S2*SWS5160A-NCC-LF*CCW3825N-NTO-LF          1.9E-7        1
S2*CCW3823N-NTO-LF*SWS5208B-NCC-LF          1.9E-7        1
S2*CCW3823N-NTO-LF*SWS5153B-NCC-LF          1.9E-7        1
S2*CCW3823N-NTO-LF*SWS5162B-NCC-LF          1.9E-7        1
S2*CCW3823N-NTO-LF*CCW3826N-NCC-LF          1.9E-7        1
S2*CCW3823N-NTO-LF*CCW3825N-NTO-LF          1.9E-7        1
S2*HPIOC13B-CBL-LF*ECCR1448-BCO-LF          1.5E-7        1
S2*HPIOC13B-CBL-LF*ECCFCB48-BCO-LF          1.5E-7        1
S2*HPI0013B-CBL-LF*ECCFANWE-CBL-LF          1.5E-7        1
S2*HPI0013B-PMD-LF*ECCR1448-BCO-LF          1.4E-7        1
S2*HPI0013B-PMD-LF*ECCFCB48-BCO-LF          1.4E-7        1
S2*HPI0013B-BOO-LF*ECCR1448-BCO-LF          1.4E-7        1
S2*HPI0013B-BOO-LF*ECCFCB48-BCO-LF          1.4E-7        1
S2*HPI0013B-P-PRMN*ECCFANWE-CBL-LF          1.1E-7        0.8
S2*HPR0013B-PMD-LF*ECCFANWE-CBL-LF          1.0E-7        0.8
S2*HPI0013B-CBL-LF*SWS5171A-NCC-LF          6.9E-8        0.5
S2*HPI0013B-CBL-LF*SWS5170A-NCC-LF          6.9E-8        0.5
S2*HPI0013B-CBL-LF*SIS4144A-VCC-LF          6.9E-8        0.5
S2*HPIO406X-XOC-LF*ECCFANWE-CBL-LF          5.9E-8        0.4
S2*HPIO405X-CCC-LF*ECCFANWE-CBL-LF          5.5E-8        0.4
S2*RA-18*CCW3826N-NCC-OE*SWS5206A-NCC-CC    5.3E-8        0.4
S2*RA-18*CCW3826N-NCC-OE*SWS5160A-NCC-CC    5.3E-8        0.4
S2*HPI0013B-CBL-LF*ECCR1448-BCO-LF          5.0E-8        0.4
S2*HPI0013B-CBL-LF*ECCFCB48-BCO-LF          5.0E-8        0.4
S2*HPI0013B-P-PRMN*SWS5171A-NCC-LF          5.0E-8        0.4
S2*HPI0013B-P-PRMN*SWS5170A-NCC-LF          5.0E-8        0.4
S2*HPI0013B-P-PRMN*SIS4144A-VCC-LF          5.0E-8        0.4
S2*HPR0013B-PMD-LF*SWS5171A-NCC-LF          4.6E-8        0.3
S2*HPR0013B-PMD-LF*SWS5170A-NCC-LF          4.6E-8        0.3
S2*HPR0013B-PMD-LF*SIS4144A-VCC-LF          4.6E-8        0.3
S2*RA-20*SIS4144A-BOO-CC*HPIOC13B-CBL-LF    4.4E-8        0.3
S2*RA-20*SIS4144A-BOO-CC*HPI0013B-BOO-LF    4.0E-8        0.3
S2*RA-20*SIS4144A-BOO-CC*HPI0013B-PMD-LF    4.0E-8        0.3
S2*HPIOC13B-CBL-LF*ECCFANEA-FAN-LF          3.8E-8        0.3
S2*HPI0013B-P-PRMN*ECCR1448-BCO-LF          3.6E-8        0.3
S2*HPI0013B-P-PRMN*ECCFCB48-BCO-LF          3.6E-8        0.3
S2*HPI0013B-BOO-LF*ECCFANEA-FAN-LF          3.4E-8        0.2
S2*HPI0013B-PMD-LF*ECCFANEA-FAN-LF          3.4E-8        0.2
S2*HPIOC13B-CBL-LF*ECCFANEA-FANPRMN         3.4E-8        0.2
S2*HPR0013B-PMD-LF*ECCR1448-BCO-LF          3.4E-8        0.2
S2*HPR0013B-PMD-LF*ECCFCB48-BCO-LF          3.4E-8        0.2
S2*ECCFANEA-FANPRMN*HPI0013B-PMD-LF         3.2E-8        0.2
S2*ECCFANEA-FANPRMN*HPI0013B-BOO-LF         3.2E-8        0.2
S2*SIS4148X-CCC-LF*HPIOC13B-CBL-LF          2.7E-8        0.2
S2*HPIO406X-XOC-LF*SWS5171A-NCC-LF          2.7E-8        0.2
S2*HPIO406X-XOC-LF*SWS5170A-NCC-LF          2.7E-8        0.2
S2*HPIO406X-XOC-LF*SIS4144A-VCC-LF          2.7E-8        0.2
S2*SIS4148X-CCC-LF*HPI0013B-BOO-LF          2.5E-8        0.2
S2*SIS4148X-CCC-LF*HPI0013B-PMD-LF          2.5E-8        0.2
S2*HPIO405X-CCC-LF*SWS5171A-NCC-LF          2.5E-8        0.2
S2*HPIO405X-CCC-LF*SWS5170A-NCC-LF          2.5E-8        0.2
S2*HPIO405X-CCC-LF*SIS4144A-VCC-LF          2.5E-8        0.2
S2*SWSTD13-LF*CCW3826N-NCC-OE               2.3E-8        0.2
S2*CCWHP13C-H-PRMN*ECCFANWE-CBL-LF          2.1E-8        0.2

Total                                       1.2E-5        86

Term Descriptions

S2 = Small-small LOCA; f = 2.1E-2/yr.

~

CCWO258X-XOC-LF = Local fault of CCW valve resulting in common mode failure of all LPSR and HPSR pump seal cooling and pump failure in the recirculation phase; p = 3.6E-5.

CCW3826N-NCC-OE = Failure of the operator to open CCW HTX #12 outlet valve resulting in failure of CCW HTX #12; this fails 1/2 of CCW; p = 1E-2.

SWS5206A-NCC-LF = Local fault of salt water valve fails CCW HTX #11 cooling resulting in failure of 1/2 of CCW; p = 3E-3.

SWS5160A-NCC-LF = Local fault of salt water valve fails CCW HTX #11 cooling resulting in failure of 1/2 of CCW; p = 3E-3.

CCW3823N-NTO-LF = Local fault of bypass valve on CCW HTX #11 results in failure of heat removal, fails 1/2 of CCW; p = 3E-3.

SWS5206A-NCC-CC = Control fault of salt water valve fails CCW HTX #11 cooling resulting in failure of 1/2 of CCW; p = 2.5E-3.

SWS5160A-NCC-CC = Control fault of salt water valve fails CCW HTX #11 cooling resulting in failure of 1/2 of CCW; p = 2.5E-3.

HPIOC13B-CBL-LF = Failure of control cable to HPSI pump #13; p = 3.3E-3.

HPI0013B-BOO-LF = Failure of HPSI pump #13 power breaker to close; p = 3E-3.

HPI0013B-PMD-LF = Local fault of HPSI pump #13; p = 3E-3.

ECCFANWE-CBL-LF = Failure of power cable to ESF room 11 room coolers, fails HPSR pumps #11 and #12 and CSSR pump #11; p = 6.6E-3.

SWS5171A-NCC-LF = Failure of salt water valve results in failure of ESF pump room cooling and fails HPSR pumps #11 and #12 and CSSR pump #11; p = 3E-3.

SWS5170A-NCC-LF = Failure of salt water valve results in failure of ESF pump room cooling and fails HPSR pumps #11 and #12 and CSSR pump #11; p = 3E-3.

SIS4144A-VCC-LF = Local fault of sump valve fails suction to HPSR pumps #11 and #12 and CSSR pump #11; p = 3E-3.

SWS5208B-NCC-LF = Failure of salt water valve fails cooling to CCW HTX #12 failing 1/2 of CCW; p = 3E-3.

SWS5163B-NCC-LF = Failure of salt water valve fails cooling to CCW HTX #12 failing 1/2 of CCW; p = 3E-3.

SWS5162B-NCC-LF = Failure of salt water valve fails cooling to CCW HTX #12 failing 1/2 of CCW; p = 3E-3.

CCW3826N-NCC-LF = Local fault of outlet valve on CCW HTX #12 fails 1/2 of CCW; p = 3E-3.

CCW3825N-NTO-LF = Local fault of CCW HTX #12 bypass valve results in failure to remove heat, fails 1/2 of CCW; p = 3E-3.

ECCR1448-BCO-LF = Local fault of power breaker for ESF room #11 cooling, fails HPSR pumps #11 and #12 and CSSR pump #11 in recirculation; p = 2.2E-3.

ECCFCB48-BCO-LF = Local fault of power breaker for ESF room #11 cooling, fails HPSR pumps #11 and #12 and CSSR pump #11 in recirculation; p = 2.2E-3.

HPI0013B-CBL-LF = Failure of HPSI pump #13 power cable; p = 1.1E-3.

HPI0013B-P-PRMN = Maintenance of HPSI pump #13; p = 7.9E-4.

HPIO406X-XOC-LF = Failure of HPSI pump #13 discharge valve; p = 4.3E-4.

HPIO405X-CCC-LF = Failure of HPSI pump #13 discharge valve; p = 4.3E-4.

RA-18 = Failure of operator to manually open SWS pneumatic valves; p = .1.

RA-20 = Failure of operator to manually open containment sump valve, fails 1/2 of HPSR and CSSR pump suction; p = 0.25.

SIS4144A-BOO-CC = Control circuit fault of sump valve fails suction to HPSR pumps #11 and #12 and CSSR pump #11; p = 2.5E-3.

ECCFANEA-FAN-LF = Local fault of room cooling fans in ESF room #11, fails HPSR pumps #11 and #12 and CSSR pump #11; p = 5.4E-4.

ECCFANEA-FANPRMN = Maintenance of room cooling fans in ESF room #11, fails HPSR pumps #11 and #12 and CSSR pump #11; p = 4.9E-4.

SIS4148X-CCC-LF = Failure of valve in sump fails suction to HPSR pumps #11 and #12 and CSSR #11; p = 4E-4.

SWSTD13-LF = Short in one-second time delay in salt water pump #13 results in failure of salt water pump #11 failing heat removal to CCW HTX #11, fails 1/2 of CCW; p = 1.1E-4.

CCWHP13C-H-PRMN = Maintenance of HPSR pump #13 heat exchanger; p = 1.6E-4.

8.1.3.3 Major Assumptions and Recovery Actions

The initial screening value for this sequence was 3.3E-5/yr. All of the most significant cut sets involve failure of pump seal or pump room cooling. For pump seal cooling, since only CCW heat exchanger #11 is normally in service, the most important recovery action is for the operator to manually open the discharge valve on CCW heat exchanger #12 in order to place it in operation (CCW3826N-NCC-OE, p = .01).

For pump room cooling, the operator can manually start the pump room coolers for control faults (local) (RA-17, p = .01). If the sump valves fail due to control faults, the operator can manually open the valves (local) (RA-20, p = .25). The application of recovery actions reduces the sequence frequency to 1.4E-5/yr.

It is assumed in this sequence that the operator must go to recirculation from the sump in order to continue cooling the plant. It is possible for shutdown cooling to be used if the plant is cooled down fast enough so that recirculation from the sump is never needed. However, it is unclear whether or not the operators would be directed to do this in an accident situation, and recovery credit was not given for this action. Also, since the LPSR and CSS pumps require the same room and seal cooling support as the HPSR pumps, the support system failures which dominate this sequence would fail this mode of operation as well.

Possibly significant conservatisms exist for this sequence:

1. CCW seal cooling failure is assumed to fail the pumps. Recent calculations show possibly two hours would be necessary to fail the seals and, even then, this might not fail the pumps. If the pumps did not fail due to seal cooling failure, the sequence frequency would be reduced to 1.0E-5/yr.

2. Room cooling needs are based on all pumps running. For this size LOCA, all but one pump would be shut down. This would significantly reduce the heat up rate. If the pumps did not fail due to room cooling failure, the sequence frequency would be reduced to 1.2E-5/yr.

3. If both of the above conservatisms are combined, the final sequence frequency would reduce to approximately 1.5E-6/yr.

8.1.3.4 Engineering Insights

About 25% of the sequence frequency is due to failures of HPSI pump #13 combined with failure of pump room cooling to ESF room #11. The reason that pump room cooling is so significant is that the system is not tested often (on the average of twice a year). This means that the average time a fault could be expected to exist is about three months (i.e., one half the test interval) and that any time-dependent failures are going to have an unavailability about six times that for a similar component tested monthly.

About 40% of the sequence frequency is due to cut sets involving component cooling water faults. The largest contributors are: (1) the failure of a single valve in the CCW return line for all HPSR and LPSR pump coolers, which would result in failure of all HPSR and LPSR pumps, and (2) the failure of the operator to open the outlet valve on CCW heat exchanger #12 from the control room combined with some other single failure of CCW heat exchanger #11.

8.1.4 Sequence S2-52 (S2FH)

8.1.4.1 Description

In this sequence, a Small-small LOCA (S2) occurs and is followed by successful scram and operation of AFW and HPSI providing both secondary heat removal and makeup. When the RWT depletes and switchover to recirculation occurs (anywhere from 4 to 12 hours into the accident), HPSR (H) and CSSR (F) fail. Due to the lack of primary makeup, the core then uncovers and melt ensues. CARCS succeeds and cools the containment.

The sequence frequency is estimated as 1.1E-5/yr and contributes 9% of the total core melt frequency. The dominant contributors to this sequence are outlined below.

8.1.4.2 Dominant Cut Sets

Because of the large number of cut sets of relatively equal value which comprise this sequence even after the application of recovery, only the cut sets whose frequency is greater than 2.9E-8/yr are listed here. These cut sets comprise 79% of the sequence frequency. A more detailed list of cut sets for all the dominant sequences can be found in Appendix C.

                                                Freq.     % of
Cut Sets                                        (/yr)     Sequence

S2*ECCFANWE-CBL-LF*ECCFANWW-CBL-LF              9.2E-7    8
S2*SWS5173B-NCC-LF*ECCFANWE-CBL-LF              4.2E-7    4
S2*SIS4145B-VCC-LF*ECCFANWE-CBL-LF              4.2E-7    4
S2*SWS5171A-NCC-LF*ECCFANWW-CBL-LF              4.2E-7    4
S2*SWS5170A-NCC-LF*ECCFANWW-CBL-LF              4.2E-7    4
S2*SIS4144A-VCC-LF*ECCFANWW-CBL-LF              4.2E-7    4
S2*ECCFANWE-CBL-LF*ECCR0448-BCO-LF              3.0E-7    3
S2*ECCFANWE-CBL-LF*ECCCB048-BCO-LF              3.0E-7    3
S2*ECCR1448-BCO-LF*ECCFANWW-CBL-LF              3.0E-7    3
S2*ECCFCB48-BCO-LF*ECCFANWW-CBL-LF              3.0E-7    3
S2*RAS-RSPLX-CM*OP-FL-MN-RAS                    2.9E-7    3
S2*SIS4145B-VCC-LF*SWS5171A-NCC-LF              1.9E-7    2
S2*SIS4145B-VCC-LF*SWS5170A-NCC-LF              1.9E-7    2
S2*SWS5173B-NCC-LF*SWS5171A-NCC-LF              1.9E-7    2
S2*SWS5173B-NCC-LF*SWS5170A-NCC-LF              1.9E-7    2
S2*SIS4144A-VCC-LF*SIS4145B-VCC-LF              1.9E-7    2
S2*SIS4144A-VCC-LF*SWS5173B-NCC-LF              1.9E-7    2
S2*SWS5171A-NCC-LF*ECCR0448-BCO-LF              1.4E-7    1
S2*SWS5171A-NCC-LF*ECCCB048-BCO-LF              1.4E-7    1
S2*SWS5170A-NCC-LF*ECCR0448-BCO-LF              1.4E-7    1
S2*SWS5170A-NCC-LF*ECCCB048-BCO-LF              1.4E-7    1
S2*SIS4144A-VCC-LF*ECCR0448-BCO-LF              1.4E-7    1
S2*SIS4144A-VCC-LF*ECCCB048-BCO-LF              1.4E-7    1
S2*ECCR1448-BCO-LF*SWS5173B-NCC-LF              1.4E-7    1
S2*ECCR1448-BCO-LF*SIS4145B-VCC-LF              1.4E-7    1
S2*ECCFCB48-BCO-LF*SWS5173B-NCC-LF              1.4E-7    1
S2*ECCFCB48-BCO-LF*SIS4145B-VCC-LF              1.4E-7    1
S2*ECCR1448-BCO-LF*ECCR0448-BCO-LF              1.0E-7    .9
S2*ECCR1448-BCO-LF*ECCCB048-BCO-LF              1.0E-7    .9
S2*ECCFCB48-BCO-LF*ECCR0448-BCO-LF              1.0E-7    .9
S2*ECCFCB48-BCO-LF*ECCCB048-BCO-LF              1.0E-7    .9
S2*RA-20*SIS4145B-BOO-CC*ECCFANWE-CBL-LF        8.7E-8    .9
S2*RA-20*SIS4144A-BOO-CC*ECCFANWW-CBL-LF        8.7E-8    .8
S2*ECCFANWE-CBL-LF*ECCFANWB-FAN-LF              7.5E-8    .7
S2*ECCFANWW-CBL-LF*ECCFANEA-FAN-LF              7.5E-8    .7
S2*ECCFANWE-CBL-LF*ECCFANWB-FANPRMN             6.8E-8    .6
S2*ECCFANWW-CBL-LF*ECCFANEA-FANPRMN             6.8E-8    .6
S2*ECCFANWE-CBL-LF*SIS4149X-CCC-LF              5.5E-8    .5
S2*ECCFANWW-CBL-LF*SIS4148X-CCC-LF              5.5E-8    .5
S2*SWS0196X-XOC-LF                              5.0E-8    .5
S2*RA-20*SIS4145B-CBL-LF*ECCFANWE-CBL-LF        4.2E-8    .4
S2*RA-20*SIS4144A-CBL-LF*ECCFANWW-CBL-LF        4.2E-8    .4
S2*RA-20*SIS4145B-BOO-CC*SWS5171A-NCC-LF        3.9E-8    .4
S2*RA-20*SIS4145B-BOO-CC*SWS5170A-NCC-LF        3.9E-8    .4
S2*RA-20*SIS4145B-BOO-CC*SIS4144A-VCC-LF        3.9E-8    .4
S2*RA-20*SIS4144A-BOO-CC*SWS5173B-NCC-LF        3.9E-8    .4
S2*RA-20*SIS4144A-BOO-CC*SIS4145B-VCC-LF        3.9E-8    .4
S2*RA-18*SWS5175B-NOC-CC*ECCFANWE-CBL-LF        3.5E-8    .4
S2*RA-18*SWS5174B-NOC-CC*ECCFANWE-CBL-LF        3.5E-8    .4
S2*RA-18*SWS5173B-NCC-CC*ECCFANWE-CBL-LF        3.5E-8    .4
S2*RA-18*SWS5171A-NCC-CC*ECCFANWW-CBL-LF        3.5E-8    .4
S2*RA-18*SWS5170A-NCC-CC*ECCFANWW-CBL-LF        3.5E-8    .4
S2*ECCFANWB-FAN-LF*SIS4144A-VCC-LF              3.4E-8    .3
S2*ECCFANWB-FAN-LF*SWS5171A-NCC-LF              3.4E-8    .3
S2*ECCFANWB-FAN-LF*SWS5170A-NCC-LF              3.4E-8    .3
S2*ECCFANEA-FAN-LF*SWS5173B-NCC-LF              3.4E-8    .3
S2*ECCFANEA-FAN-LF*SIS4145B-VCC-LF              3.4E-8    .3
S2*RA-20*SIS4144A-BOO-CC*SIS4145B-BOO-CC        3.3E-8    .3
S2*ECCFANWB-FANPRMN*SIS4144A-VCC-LF             3.1E-8    .3
S2*ECCFANWB-FANPRMN*SWS5170A-NCC-LF             3.1E-8    .3
S2*ECCFANWB-FANPRMN*SWS5171A-NCC-LF             3.1E-8    .3
S2*ECCFANEA-FANPRMN*SWS5173B-NCC-LF             3.1E-8    .3
S2*ECCFANEA-FANPRMN*SIS4145B-VCC-LF             3.1E-8    .3
S2*RA-20*SIS4145B-BOO-CC*ECCR1448-BCO-LF        2.9E-8    .3
S2*RA-20*SIS4145B-BOO-CC*ECCFCB48-BCO-LF        2.9E-8    .3
S2*RA-20*SIS4144A-BOO-CC*ECCR0448-BCO-LF        2.9E-8    .3
S2*RA-20*SIS4144A-BOO-CC*ECCCB048-BCO-LF        2.9E-8    .3
                                                8.8E-6    79

Term Descriptions

S2 = Small-small LOCA; f = 2.1E-2/yr.

ECCFANWE-CBL-LF = Local fault of power cable to ESF pump room #11 fan cooling, fails HPSR pumps #11 and #12 and CSSR pump #11; p = 6.6E-3.

ECCFANWW-CBL-LF = Local fault of power cable to ESF pump room #12 fan cooling, fails HPSR pump #13 and CSSR pump #12; p = 6.6E-3.

SWS5173B-NCC-LF = Local fault of SWS valve, fails ESF pump room cooler #12 failing HPSR pump #13 and CSSR pump #12; p = 3E-3.

SIS4145B-VCC-LF = Local fault of sump valve, fails suction to HPSR pump #13 and CSSR pump #12; p = 3E-3.

SWS5171A-NCC-LF = Local fault of SWS valve, fails ESF pump room cooler #11 failing HPSR pumps #11 and #12 and CSSR pump #11; p = 3E-3.

SWS5170A-NCC-LF = Local fault of SWS valve, fails ESF pump room cooler #11 failing HPSR pumps #11 and #12 and CSSR pump #11; p = 3E-3.

SIS4144A-VCC-LF = Local fault of sump valve, fails suction to HPSR pumps #11 and #12 and CSSR pump #11; p = 3E-3.

ECCR0448-BCO-LF = Local fault of breaker, fails power to ESF pump room #12 coolers failing HPSR pump #13 and CSSR pump #12; p = 2.2E-3.

ECCCB048-BCO-LF = Local fault of breaker, fails power to ESF pump room #12 coolers failing HPSR pump #13 and CSSR pump #12; p = 2.2E-3.

ECCR1448-BCO-LF = Local fault of breaker, fails power to ESF pump room #11 coolers failing HPSR pumps #11 and #12 and CSSR pump #11; p = 2.2E-3.

ECCFCB48-BCO-LF = Local fault of breaker, fails power to ESF pump room #11 coolers failing HPSR pumps #11 and #12 and CSSR pump #11; p = 2.2E-3.

RAS-RSPLX-CM = Common mode sensor failure, fails auto recirculation realignment from RWT to sump, fails all ESF pumps; p = 1.4E-3.

OP-FL-MN-RAS = Operator fails to realign ESF pump from RWT to sump, fails all ESF pumps in recirculation; p = 1E-2.

RA-20 = Operator fails to manually open a sump MOV resulting in failure of pump suction to either HPSR pumps #11 and #12 and CSSR pump #11 or HPSR pump #13 and CSSR pump #12; p = .25.

SIS4145B-BOO-CC = Control circuit fault of sump valve, fails suction to HPSR pump #13 and CSSR pump #12; p = 2.5E-3.

SIS4144A-BOO-CC = Control circuit fault of sump valve, fails suction to HPSR pumps #11 and #12 and CSSR pump #11; p = 2.5E-3.

ECCFANWB-FAN-LF = Local fault of ESF pump room #12 cooling fans, fails HPSR pump #13 and CSSR pump #12; p = 5.4E-4.

ECCFANEA-FAN-LF = Local fault of ESF pump room #11 cooling fans, fails HPSR pumps #11 and #12 and CSSR pump #11; p = 5.4E-4.

ECCFANWB-FANPRMN = Maintenance of ESF pump room #12 cooling fans, fails HPSR pump #13 and CSSR pump #12; p = 4.9E-4.

ECCFANEA-FANPRMN = Maintenance of ESF pump room #11 cooling fans, fails HPSR pumps #11 and #12 and CSSR pump #11; p = 4.9E-4.

SIS4149X-CCC-LF = Local fault of sump valve, fails suction to HPSR pump #13 and CSSR pump #12; p = 4E-4.

SIS4148X-CCC-LF = Local fault of sump valve, fails suction to HPSR pumps #11 and #12 and CSSR pump #11; p = 4E-4.

SWS0196X-XOC-LF = Local fault of SWS ESF and CCW HTX outlet valve failing heat removal from all ESF pump room coolers and both CCW HTXs. This fails all HPSR, LPSR, and CSSR pumps and both shutdown heat exchangers; p = 2.4E-6.

SIS4145B-CBL-LF = Failure of sump MOV power cable, fails suction to HPSR pump #13 and CSSR pump #12; p = 1.1E-3.

SIS4144A-CBL-LF = Failure of sump MOV power cable, fails suction to HPSR pumps #11 and #12 and CSSR pump #11; p = 1.1E-3.

RA-18 = Operator fails to manually open SWS pneumatic valves to an ESF room cooler, fails one room cooler; p = .1.

SWS5175B-NOC-CC = Control fault of ESF pump room cooler #12 outlet valve, fails HPSR pump #13 and CSSR pump #12; p = 2.5E-3.

SWS5174B-NOC-CC = Control fault of ESF pump room cooler #12 outlet valve, fails HPSR pump #13 and CSSR pump #12; p = 2.5E-3.

SWS5173B-NCC-CC = Control fault of ESF pump room cooler #12 inlet valve, fails HPSR pump #13 and CSSR pump #12; p = 2.5E-3.

SWS5171A-NCC-CC = Control fault of ESF pump room cooler #11 outlet valve, fails HPSR pumps #11 and #12 and CSSR pump #11; p = 2.5E-3.

SWS5170A-NCC-CC = Control fault of ESF pump room cooler #11 inlet valve, fails HPSR pumps #11 and #12 and CSSR pump #11; p = 2.5E-3.

8.1.4.3 Major Assumptions and Recovery Actions

The initial screening value for the sequence was 5.7E-5/yr. The recovery actions involve either: (1) manually starting the ECCS room cooling fans given auto-actuation has failed (RA-17, p = .01), (2) manually opening the sump MOVs given valve control circuit faults (RA-20, p = .25), or (3) manually opening SWS valves to the ESF pump room coolers given valve control circuit faults (RA-18, p = .1). The application of recovery actions reduces the sequence frequency to 1.1E-5/yr.

Again, as with S2-50, if only one pump is running, then failure of room cooling might not be a failure of the pumps and the sequence frequency would be about 1.1E-6/yr. Also, the operators are assumed to go to recirculation, not shutdown cooling.

8.1.4.4 Engineering Insights

Over 85% of the frequency of this sequence involves cut sets with ESF pump room cooling failures. As discussed for the previous sequence, the long test interval for the room cooling system results in the unavailabilities of components with time-dependent failure modes being six times that of a similar component with a monthly test interval, thus increasing their contribution to this sequence.
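The arithmetic behind the S2FH cut-set table and the test-interval argument above, as an added example that is not part of the original report: each cut-set frequency is the initiator frequency times the basic-event probabilities, and a periodically tested standby component has a mean unavailability of about half the failure rate times the test interval. Event values are transcribed from the Term Descriptions for this sequence with OCR noise in the identifiers normalized; the failure rate `LAMBDA_PER_HR` and the 730-hour month are assumptions chosen for illustration.

```python
from math import exp, prod

# Values transcribed from the Term Descriptions for sequence S2FH on this page.
# "S2" is an initiating-event frequency (/yr); the rest are probabilities.
EVENTS = {
    "S2": 2.1e-2,
    "ECCFANWE-CBL-LF": 6.6e-3,
    "ECCFANWW-CBL-LF": 6.6e-3,
    "SWS5173B-NCC-LF": 3e-3,
    "ECCR0448-BCO-LF": 2.2e-3,
    "RAS-RSPLX-CM": 1.4e-3,
    "OP-FL-MN-RAS": 1e-2,
    "RA-20": 0.25,
    "SIS4145B-BOO-CC": 2.5e-3,
    "SWS0196X-XOC-LF": 2.4e-6,
}

SEQUENCE_FREQ = 1.1e-5  # /yr, S2FH after recovery actions (from the page)

# A sample of rows from the table: (cut set, tabulated frequency /yr).
TABLE = [
    ("S2*ECCFANWE-CBL-LF*ECCFANWW-CBL-LF", 9.2e-7),
    ("S2*SWS5173B-NCC-LF*ECCFANWE-CBL-LF", 4.2e-7),
    ("S2*ECCFANWE-CBL-LF*ECCR0448-BCO-LF", 3.0e-7),
    ("S2*RAS-RSPLX-CM*OP-FL-MN-RAS", 2.9e-7),
    ("S2*RA-20*SIS4145B-BOO-CC*ECCFANWE-CBL-LF", 8.7e-8),
    ("S2*SWS0196X-XOC-LF", 5.0e-8),
]


def cut_set_frequency(cut_set, events=EVENTS):
    """Initiator frequency times every basic-event probability in the cut set."""
    terms = [t.strip() for t in cut_set.split("*")]
    missing = [t for t in terms if t not in events]
    if missing:
        raise KeyError(f"no value for basic event(s): {missing}")
    return prod(events[t] for t in terms)


def check_table(rows=TABLE, events=EVENTS, rel_tol=0.05):
    """Return the rows whose recomputed frequency disagrees with the table.

    The table is rounded to two significant figures, hence the tolerance.
    """
    bad = []
    for cut_set, tabulated in rows:
        computed = cut_set_frequency(cut_set, events)
        if abs(computed - tabulated) > rel_tol * tabulated:
            bad.append((cut_set, tabulated, computed))
    return bad


def percent_of_sequence(freq, sequence_freq=SEQUENCE_FREQ):
    """Contribution of one cut set to the sequence frequency, in percent."""
    return 100.0 * freq / sequence_freq


def unavailability_linear(lam, interval):
    """Mean unavailability lam*T/2: a fault exists for half the interval on average."""
    return lam * interval / 2.0


def unavailability_exact(lam, interval):
    """Time average of 1 - exp(-lam*t) over one test interval."""
    x = lam * interval
    return 1.0 - (1.0 - exp(-x)) / x


HOURS_PER_MONTH = 730.0   # assumption
LAMBDA_PER_HR = 1.0e-5    # assumed standby failure rate, not from the report


def interval_penalty(lam=LAMBDA_PER_HR):
    """Unavailability with a six-month test interval relative to a monthly one."""
    monthly = unavailability_exact(lam, HOURS_PER_MONTH)
    semiannual = unavailability_exact(lam, 6 * HOURS_PER_MONTH)
    return semiannual / monthly


if __name__ == "__main__":
    for cut_set, tabulated in TABLE:
        f = cut_set_frequency(cut_set)
        print(f"{cut_set:44s} {f:.2e} (table {tabulated:.1e}) "
              f"{percent_of_sequence(f):4.1f}%")
    print("rows that disagree with the table:", check_table())
    print(f"six-month vs monthly test interval: x{interval_penalty():.2f}")
```

The linear form gives exactly the factor of six quoted in the text; the exact time average comes out slightly lower because the exponential saturates over the longer interval.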

8.1.5 Sequence T2-82 (T2L)

8.1.5.1 Description

In this sequence, a loss of PCS (T2) occurs and is followed by a loss of AFW (L). The reactor has scrammed and CARCS and CSSI succeed and cool the containment. As a result of the loss of secondary heat removal, the core inventory boils off through the cycling open of the PORVs. No credit is given for use of feed and bleed due to information presented in References 24 and 25. Recent calculations done by EG&G for the Station Blackout program [26] indicate that 86 minutes is available to start an AFW pump in order to prevent core uncovery.

The frequency of this sequence is estimated to be 7.1E-6/yr and it contributes 6% of the total core melt frequency. The dominant contributors to this sequence are outlined below.

8.1.5.2 Dominant Cut Sets

                                                Frequency   % of
Cut Set                                         (/yr)       Sequence

T2*RA-1*AFW0161-XOC-LF                          2.8E-6      39
T2*RA-3*AFWP11-PTD-LF*AFWP13-PMD-LF             5.6E-7      8
T2*RA-3*AFWP11-PTD-LF*CBP13-BOO-LF              4.5E-7      6
T2*RA-3*AFWP11-PTD-PRMN*AFWP13-PMD-LF           4.4E-7      6
T2*RA-3*AFWP11-PTD-PRMN*CBP13-BOO-LF            3.6E-7      5
T2*RA-2*ELC0011A-INV-LF*AFWP11-PTD-LF           1.8E-7      3
T2*RA-2*ELC0011A-INV-LF*AFW4070B-NCC-LF         1.5E-7      2
T2*RA-2*ELC0011A-INV-LF*AFWP11-PTD-PRMN         1.4E-7      2
T2*RA-3*AFWP11-PTD-LF*AFWP13-PMD-PRMN           1.2E-7      2
T2*RA-3*AFWP13-PMD-LF*AFWS903A-NOC-LF           1.2E-7      2
T2*RA-3*AFWP13-PMD-LF*AFW3987A-NOC-LF           1.2E-7      2
T2*RA-3*ESFSQNCA-LOG-LF*AFWP11-PTD-LF           9.6E-8      1
T2*RA-3*CBP13-BOO-LF*AFWS903A-NOC-LF            9.6E-8      1
T2*RA-3*CBP13-BOO-LF*AFW3987A-NOC-LF            9.6E-8      1
                                                5.8E-6      82

Term Descriptions

T2 = Loss of PCS transient; f = .8/yr.

RA-1 = Operator fails to realign AFW to CST #11 and start locked-out turbine-driven AFW pump #12; p = .1.

RA-2 = Operator fails to manually actuate AFW motor-driven pump #13 given failure of auto start; p = .02.

RA-3 = Operator fails to manually start locked-out AFW turbine-driven pump #12; p = .04.

AFW0161-XOC-LF = Local fault of CST #12 AFW suction valve, fails all operating AFW pumps; p = 3.6E-5.

AFWP11-PTD-LF = AFW turbine-driven pump #11, local fault; p = 4.7E-3.

AFWP11-PTD-PRMN = AFW turbine-driven pump #11, maintenance; p = 3.7E-3.

AFWS903A-NOC-LF = Local fault of steam admission valve to AFW turbine-driven pump #11; p = 1E-3.

AFW3987A-NOC-LF = Local fault of steam admission valve to AFW turbine-driven pump #11; p = 1E-3.

AFWP13-PMD-LF = AFW motor-driven pump #13, local fault; p = 3.7E-3.

AFWP13-PMD-PRMN = AFW motor-driven pump #13, maintenance; p = 3.7E-4.

CBP13-BOO-LF = AFW motor-driven pump #13, circuit breaker; p = 3E-3.

ELC0011A-INV-LF = 11A vital AC bus, fails AFW turbine-driven steam admission valve 4071 due to no actuation signal and fails actuation of motor-driven AFW pump; p = 2.4E-3.

AFW4070B-NCC-LF = Local fault of Train B AFW turbine steam admission valve fails 1/2 of AFW steam supply; p = 4E-3.

ESFSQNCA-LOG-LF = Faults in ESFAS sequencer fail AFAS auto-actuation of AFW motor-driven pump #13; p = 6.4E-4.

8.1.5.3 Major Assumptions and Recovery Actions

The initial screening value for this sequence was 1.8E-4/yr. The recovery actions for all cut sets involve recovering one train of AFW. These recovery actions are (1) manually starting the motor AFW pump from the control room (RA-2, p = .02), or (2) locally starting the locked out turbine pump #12 (RA-3, p = .04) and possibly realigning AFW suction to CST #11 (RA-1, p = .1). The application of these recovery actions reduces the sequence frequency to 7.1E-6/yr.

8.1.5.4 Engineering Insights

The major contributor to this sequence is the plugging failure of the single valve in the suction train of the AFW system. In addition to realigning the AFW suction to an alternate CST and starting the locked out turbine pump, it is also possible to recover by aligning unit 2's AFW system to unit 1; however, procedures have not yet been developed for this and, because of the chance that cold water might be injected into unit 2's steam generators through its open feedwater regulation valves, no credit was given for this unless it was the only action possible.

8.1.6 Sequence T4-173 (T4KU)

8.1.6.1 Description

This sequence is a T4 (all other) transient followed by a failure to scram (K) and failure of emergency boration (U). The reactor vessel has survived the initial pressure transient due to an assessed PCS runback. The CE analyses [21] and NRC analysis in support of the ATWS rule [22] state that greater than 10 minutes are available for the operator to initiate emergency boration. In this study, we have assessed that if the operator fails to start shutting the reactor down within 20-30 minutes, then core melt will result. The CARCS and/or CSSI systems succeed and cool the containment.

This sequence frequency is estimated as 6.7E-5/yr and contributes 5% of the total core melt frequency. The dominant contributors to this sequence are outlined below.

8.1.6.2 Dominant Cut Sets

                                                Frequency   % of
Cut Set                                         (/yr)       Sequence

T4*K*CVCSTART-HSF-OE                            5.1E-6      76
T4*K*CVC0C12B-P-PRMN*CVC0C13X-P-PRMN            7.0E-7      10
T4*K*CVC0514B-VCC-LF                            3.1E-7      5
T4*K*CVCR514B-BOO-CC                            2.6E-7      4
T4*K*CVC0514B-CBL-LF                            1.1E-7      2
                                                6.5E-6      96

Term Descriptions

T4 = All other transients requiring reactor trip; for failure to scram only 50% result in situations which demand immediate shutdown and result in severe pressure transients; f = 3.4/yr.

K = Failure to scram; p = 3E-5.

CVCSTART-HSF-OE = Failure of the operator to initiate emergency boration within 20-30 minutes; p = 0.05.

CVC0C12B-P-PRMN = Maintenance of charging pump #12; p = 8.2E-2.

CVC0C13X-P-PRMN = Maintenance of charging pump #13; p = 8.2E-2.

CVC0514B-VCC-LF = Local fault of CVCS MOV 514 (common mode failure of CVCS); p = 3E-3.

CVCR514B-BOO-CC = Control circuit fault of CVCS MOV 514 (common mode failure of CVCS); p = 2.5E-3.

CVC0514B-CBL-LF = Power cable to CVCS MOV 514 fails open (common mode failure of CVCS); p = 1.1E-3.

8.1.6.3 Major Assumptions and Recovery Actions

The T4 transient group is a collection of all transient initiators which do not affect safety system reliability or cause a loss of PCS. For sequences where reactor scram is successful, all the initiators require the same safety system response; however, for sequences involving failure to scram, the response of the PCS system may vary depending upon the specific initiator. For some initiators, such as closure of an MSIV, increase in feedwater flow, partial loss of feedwater, total loss of RCS flow, condenser leakage, leakage in secondary system, S/G relief valves opening, and trips from unknown causes, we expect an independent turbine trip and runback of the PCS system. For initiators such as spurious scram signals, rod drop, high or low pressurizer pressure, boron dilution, loss of RCS flow in one loop, or pressurizer spray failure, we expect the PCS to stay at full flow. The original grouping of the transients was done assuming successful scram and, therefore, did not take this variability into account. In the quantification of the failure to scram sequences, the assessment was made that only 50% of the T4 transients resulted in a turbine trip and subsequent PCS runback or had characteristics roughly similar to a turbine trip. If the PCS were to remain at full flow, then reactor heat removal would be successful and the plant would be in a temporarily safe condition. However, some subsequent actions would have to be taken to terminate the incident.

Under the general rules for recovery adopted in this study, only one operator recovery action is allowed unless: (1) sufficient time and indication is available for the operators to perform multiple actions; or (2) multiple actions are necessary to recover the sequence to a non-core melt. In this sequence the recovery action is the operator initiation of emergency boration and, due to the high stress and short time, no other recovery actions were allowed.

Given the high stress in the failure to scram scenario, the operator failure to perform an appropriate action is typically assumed to be 0.1 in past PRAs (our generic recovery model assumes 0.1 at 10 minutes). However, the thermal-hydraulic analyses [21] show that the operator should have longer than 10 minutes. After examining the thermal-hydraulic characteristics of the sequence and the various uncertainties in system response and phenomenology, it was judged that some operator action would be necessary within 20-30 minutes. A THERP analysis of the emergency boration procedure is presented in Appendix B.19 which leads to a value of 0.05, and this value corresponds to the 0.05 probability of operator failure in 20-30 minutes from our generic recovery model.

8.1.6.4 Engineering Insights

There are substantial uncertainties associated with the accident progression for this sequence. The CE analyses [21] show that after a moderately severe pressure transient (i.e., less than ~3400 psia) with the loss of ~1/3 of the amount of water necessary to uncover the core, a quasi-equilibrium state is reached by about 10 minutes with pressure at or about 1800 psia and increasing slowly. Given no further coolant loss, possibly several hours would be available for subsequent operator action. However, no long-term analyses have been done on ATWS sequences and the long-term response can only be estimated based on the above runs. Also, there is a question as to whether the reactor coolant pumps (RCPs) will trip.

The fact that saturation conditions will be reached in some parts of the core does not necessarily lead to the cavitation of the RCPs. If the pumps do not trip, then the amount of voiding in the core will be reduced and the pressure may actually increase back to the PORV setpoint due to the power remaining slightly higher than the secondary heat removal rate, though this remains uncertain. Given that coolant loss through the PORVs occurs, it is estimated that core uncovery (which is equivalent to core melt in our analysis) will occur at greater than 40 minutes. In order to give time for the boron to begin reducing pressure, about 5-10 minutes would be needed. Therefore, for this analysis, operator initiation of emergency boration would need to occur at greater than 20-30 minutes. Long-term analysis for various initiators, times of boration initiation and boron mixing assumptions, RCP response, and secondary heat removal rates would be necessary to resolve the timing questions. Follow-on analysis by the SASA program is planned in order to determine the long-term characteristics of this sequence.

The plant has implemented a new emergency procedure explicitly for ATWS which directs the operator to (1) trip the reactor manually, (2) de-energize the motor-generator sets, and (3) initiate emergency boration. However, the common mode failure of the operators in a high stress situation to identify the failure to scram and take action dominates this sequence. The value of 0.05 for operator failure in the high stress situation remains unchanged, based on our generic recovery model, and the sequence frequency is not significantly affected by the new procedure. It appears, however, that with this new procedure and improved operator training, some mitigation of this sequence could be obtained.

8.1.7 Sequence T4-147 (T4ML)

8.1.7.1 Description

In this sequence, a T4 (all other) transient occurs and is followed by a loss of PCS (M) and AFW (L). The reactor has scrammed and CARCS and CSSI succeed and cool the containment. As a result of the loss of secondary heat removal, the core inventory boils off through the cycling open of the PORVs. No credit is given for feed and bleed due to information presented in References 24 and 25. Recent calculations done by EG&G for the Station Blackout program [26] indicate that 86 minutes are available to start an AFW pump in order to prevent core uncovery.

The sequence frequency is estimated as 6.3E-6/yr and contributes 5% of the total core melt frequency. The dominant contributors to this sequence are outlined below.

8.1.7.2 Dominant Cut Sets

                                                Frequency   % of
Cut Set                                         (/yr)       Sequence

T4*RA-2*ELC0011A-INV-LF*AFWP11-PTD-LF           1.5E-6      24
T4*RA-2*ELC0011A-INV-LF*AFW4070B-NCC-LF         1.3E-6      21
T4*RA-2*ELC0011A-INV-LF*AFWP11-PTD-PRMN         1.2E-6      19
T4*RA-2*ELC0011A-INV-LF*AFWP11-PTD-PRTS         4.6E-7      7
T4*RA-2*ELC0011A-INV-LF*AFWS903A-NOC-LF         3.3E-7      5
T4*RA-2*ELC0011A-INV-LF*AFW3987A-NOC-LF         3.3E-7      5
T4*RA-1*PCS-LF*AFW0161-XOC-LF                   1.2E-7      2
T4*RA-2*ELC0011A-INV-LF*AFWO103-X-FRFT          6.5E-8      1
T4*RA-2*ELC0012B-INV-LF*AFALOGCA-LOG-LF         6.5E-8      1
T4*RA-2*ELC0011A-INV-LF*AFALOGCB-LOG-LF         6.5E-8      1
T4*RA-2*ELC0011A-INV-LF*AFW4530-N-PRMN          6.5E-8      1
T4*RA-2*ELC0011A-INV-LF*AFW4520-N-PRMN          6.5E-8      1
T4*RA-1*ELC0011A-INV-LF*AFW0161-XOC-LF          5.8E-8      1
T4*RA-1*ELC0012B-INV-LF*AFW0161-XOC-LF          5.8E-8      1
T4*RA-2*ELC0011A-INV-LF*AFWM911X-X-PRMN         5.2E-8      1
T4*RA-2*ELC0011A-CBL-LF*AFWP11-PTD-LF           5.2E-8      1
                                                5.8E-6      92

Term Descriptions

T4 = All other transients requiring reactor trip; f = 6.8/yr.

RA-2 = Operator fails to manually start AFW motor-driven pump from control room given that auto-actuation failed; p = .02.

ELC0011A-INV-LF = Local fault of vital AC inverter #11 causes failure of AFAS actuation of motor-driven AFW pump and AFW turbine-driven pump steam admission valve 4071, one feedwater regulating valve fails closed, one feedwater bypass valve fails full open, one main feedwater pump minimum flow recirculation valve fails full open, and one turbine bypass valve fails closed. If operating at power, a low suction trip of main feedwater pumps will occur. If operating at 5% in runback mode, may still get a pump trip depending on dynamics of suction pressure and steam pressure; p = 2.4E-3.

AFWP11-PTD-LF = Local fault of AFW turbine-driven pump #11; p = 4.7E-3.

AFW4070B-NCC-LF = Local fault of AFW steam admission valve, fails 1/2 of steam supply; p = 4E-3.

AFWP11-PTD-PRMN = Maintenance of AFW turbine-driven pump #11; p = 3.7E-3.

AFWP11-PTD-PRTS = AFW turbine-driven pump #11 unavailable due to test; p = 1.4E-3.

AFWS903A-NOC-LF = Local fault of valve in steam admission line to AFW turbine-driven pump #11; p = 1E-3.

AFW3987A-NOC-LF = Local fault of valve in steam admission line to AFW turbine-driven pump #11; p = 1E-3.

RA-1 = Operator fails to realign AFW suction to CST #11 and start locked-out AFW turbine-driven pump #12, all actions must be done locally; p = 0.1.

PCS-LF = Local fault causes failure of PCS; p = 4.8E-3.

AFW0161-XOC-LF = Local fault of AFW suction valve results in cavitation failure of all operating AFW pumps; p = 3.6E-5.

n m A

Term Descriptions (Cont.)

AFWO 103 - X- FRFT = Failure to restore AFW turbine-driven i

pump #11 discharge valve from test; p =

2E-4.

ELC0012B-INV- LF = Local fault of vital AC inverter #12, results in similar effects to inverter l #11 above except that the AFW motor-t driven pump does not fail and AFW steam i admission valve 4070 fails closed fail-j ing 1/2 AFW turbine pump steam supply; j p = 2.4E-3.

i AFALOGCA-LOG-LF = Local fault of AFAS logic unit fails

' actuation of motor-driven AFW pump and AFW steam admission valve 4071 failing 1/2 AFW turbine pump steam supply; I.

p = 2E-4.

AFALOGCB-LOG-LF = Local fault of AFAS logic unit fails j actuation of AFW steam admission valve 4070 failing 1/2 steam supply to AFW turbine pumps; p = 2E-4.

! AFW4530-N-PRMN = Maintenance of feedwater valve fails delivery by both turbine-driven AFW

{ pumps; p = 2E-4.

l AFW4520-N- PhMN = Maintenance of feedwater valve fails i delivery ~by both turbine-driven AFW j pumps: p = 2E-4.

AFWM911X-X-PRMN = Maintenance of valve in AFW turbine-1 driven pump #11 steam admission line; i p = 1.6E-4.

I ELC00llA CBL-LP = Local fault of cable from vital AC inverter #11 same effect as inverter j fault above; p = 7.5E-5.

8.1.7.3 Major Assumptions and Recovery Actions

The initial screening value for this sequence was 3.1E-4/yr. The important recovery action involved starting the AFW motor-driven pump from the control room given that auto actuation has failed (RA-2, p = .02). The application of this recovery action reduces the sequence frequency to 6.3E-6/yr.

8.1.7.4 Engineering Insights

The failure of the vital bus 11A inverter is postulated as causing PCS failure due to instabilities induced in the feedwater flow; however, while this is true at ~80% flow, after a transient where PCS has run back, this is not necessarily true. If the failure occurred while the PCS was running back, it probably would cause the PCS to trip. If the inverter fault will not cause the PCS to trip, the sequence frequency becomes negligible.

8.1.8 Sequence T1-81-65 (T1Q-D"CC')

8.1.8.1 Description

This sequence is a loss of offsite power (T1) followed by a transient-induced LOCA (Q). AFW works but HPSI (D"), CSSI (C') and CARCS (C) fail. Due to the lack of primary system makeup, the core uncovers in about 1 hour (see the EG&G Station Blackout Analysis [26]).

The frequency of this sequence is estimated to be 5.3E-6/yr and contributes 4% of the total core melt frequency. The dominant contributors to this sequence are outlined below.

8.1.8.2 Dominant Cut Sets

Because of the large number of cut sets of relatively equal value which comprise this sequence even after the application of recovery, only cut sets whose frequency is greater than 2.4E-8/yr are listed here. These cut sets comprise 71% of the sequence frequency. A more detailed list of cut sets for all the dominant sequences can be found in Appendix C.

Cut Sets                                          Freq. (/yr)   % of Sequence

T1*RA-LOSP1*ELC0021B-GEN-OPF*ELC0011A-GEN-LF      1.1E-6        21
T1*RA-LOSP1*ELC0012B-GEN-LF*ELC0011A-GEN-LF       5.9E-7        9
T1*RA-LOSP1*ELC0021B-GEN-OPF*ELC0011A-G-PRMN      1.4E-7        3
T1*RA-LOSP1*ELC0021B-GEN-OPF*ELC0011A-G-FRFT      1.1E-7        2
T1*RA-LOSP1*OP-FAIL-TO-ALIGN*ELC0011A-GEN-LF      9.5E-8        2
T1*RA-LOSP1*SDSSQNCA-LOG-LF*ELC0021B-GEN-OPF      8.1E-8        2
T1*RA-LOSP1*SRW1587A-NCC-LF*ELC0021B-GEN-OPF      6.4E-8        1
T1*RA-LOSP1*ELC1103A-BOO-LF*ELC0021B-GEN-OPF      6.4E-8        1
T1*RA-LOSP1*DGVCT11A-BOO-LF*ELC0021B-GEN-OPF      6.4E-8        1
T1*RA-LOSP1*DGVOT11A-DCC-LF*ELC0021B-GEN-OPF      6.4E-8        1
T1*RA-LOSP1*DGVRC11A-DCO-LF*ELC0021B-GEN-OPF      6.4E-8        1
T1*RA-LOSP1*DGVIN11A-DCC-LF*ELC0021B-GEN-OPF      6.4E-8        1
T1*RA-LOSP1*SWS1105A-BOO-LF*ELC0021B-GEN-OPF      6.4E-8        1
T1*RA-LOSP1*SRWA011A-BOO-LF*ELC0021B-GEN-OPF      6.4E-8        1
T1*RA-LOSP1*ELC0012B-GEN-LF*ELC0011A-G-PRMN       6.2E-8        1
T1*RA-LOSP1*ELC0011A-GEN-LF*ELC0012B-G-PRMN       6.2E-8        1
T1*RA-LOSP1*ELC0021B-GEN-OPF*ELC1103A-BOO-CC      5.3E-8        1
T1*RA-LOSP1*ELC0021B-GEN-OPF*SWS5210A-NTC-CC      5.3E-8        1
T1*RA-LOSP1*ELC0021B-GEN-OPF*SWS5210A-NOC-CC      5.3E-8        .9
T1*RA-LOSP1*ELC0012B-GEN-LF*ELC0011A-G-FRFT       4.8E-8        .9
T1*RA-LOSP1*ELC0011A-GEN-LF*ELC0012B-G-FRFT       4.8E-8        .9
T1*RA-LOSP1*SDSSQNCA-LOG-LF*ELC0012B-GEN-LF       3.6E-8        .7
T1*RA-LOSP1*SDSSQNCB-LOG-LF*ELC0011A-GEN-LF       3.6E-8        .7
T1*RA-LOSP1*ELC0021B-GEN-OPF*ELC0011A-G-PRTS      3.2E-8        .6
T1*RA-LOSP1*ELC0012B-GEN-LF*SRW1587A-NCC-LF       2.9E-8        .6
T1*RA-LOSP1*ELC0012B-GEN-LF*ELC1103A-BOO-LF       2.9E-8        .6
T1*RA-LOSP1*ELC0012B-GEN-LF*DGVCT11A-BOO-LF       2.9E-8        .6
T1*RA-LOSP1*ELC0012B-GEN-LF*DGVOT11A-DCC-LF       2.9E-8        .6
T1*RA-LOSP1*ELC0012B-GEN-LF*DGVRC11A-DCO-LF       2.9E-8        .6
T1*RA-LOSP1*ELC0012B-GEN-LF*DGVIN11A-DCC-LF       2.9E-8        .6
T1*RA-LOSP1*ELC0012B-GEN-LF*SWS1105A-BOO-LF       2.9E-8        .6
T1*RA-LOSP1*ELC0012B-GEN-LF*SRWA011A-BOO-LF       2.9E-8        .6
T1*RA-LOSP1*ELC0011A-GEN-LF*SRW1588B-NCC-LF       2.9E-8        .6
T1*RA-LOSP1*ELC0011A-GEN-LF*ELC1406B-BOO-LF       2.8E-8        .6
T1*RA-LOSP1*ELC0011A-GEN-LF*DGVCT12C-BOO-LF       2.9E-8        .6
T1*RA-LOSP1*ELC0011A-GEN-LF*DGVOT12C-DCC-LF       2.9E-8        .6
T1*RA-LOSP1*ELC0011A-GEN-LF*DGVRC12C-DCO-LF       2.9E-8        .6
T1*RA-LOSP1*ELC0011A-GEN-LF*DGVIN12C-DCC-LF       2.9E-8        .6
T1*RA-LOSP1*ELC0011A-GEN-LF*SWS1405B-BOO-LF       2.9E-8        .6
T1*RA-LOSP1*ELC0011A-GEN-LF*SRWA012B-BOO-LF       2.9E-8        .6
T1*RA-LOSP1*ELC0012B-GEN-LF*ELC1103A-BOO-CC       2.4E-8        .5
T1*RA-LOSP1*ELC0012B-GEN-LF*SWS5210A-NTC-CC       2.4E-8        .5
T1*RA-LOSP1*ELC0012B-GEN-LF*SWS5150A-NOC-CC       2.4E-8        .5
T1*RA-LOSP1*ELC0011A-GEN-LF*ELC1406B-BOO-CC       2.4E-8        .5
T1*RA-LOSP1*ELC0011A-GEN-LF*SWS5153B-NOC-CC       2.4E-8        .5
T1*RA-LOSP1*ELC0011A-GEN-LF*SWS5212B-NTC-CC       2.4E-8        .5
                                                  3.7E-6        71

Term Descriptions

T1 = Loss of offsite power; f = .14/yr.

RA-LOSP1 = Non-recovery of offsite power within one hour; p = .45.

ELC0021B-GEN-OPF = Undeveloped event representing all diesel generator 21 faults, diverts DG #12 to Unit 2 and fails train B of AC power; p = .12.

ELC0011A-GEN-LF = Local fault of DG #11, fails train A of AC power; p = 5.4E-2.

ELC0012B-GEN-LF = Local fault of DG #12, fails train B of AC power; p = 5.4E-2.

ELC0011A-G-PRMN = Maintenance of DG #11, fails train A of AC power; p = 6.6E-3.

ELC0011A-G-FRFT = Failure to restore DG #11 following test, fails train A of AC power; p = 5E-3.

OP-FAIL-TO-ALIGN = Operator fails to align DG #12 to Unit --, fails train B of AC power; p = 1E-2.

SDSSQNCA-LOG-LF = Local fault of shutdown sequencer logic unit fails to sequence loads to DG #11, fails all train A components; p = 3.8E-3.

SRW1587A-NCC-LF = Local fault of outlet valve from DG #11 coolers, fails DG #11 and train A of AC power; p = 3E-3.

ELC1103A-BOO-LF = Local fault of DG #11 circuit breaker, fails DG #11 power output and train A of AC power; p = 3E-3.

DGVCT11A-BOO-LF = Local fault of power breaker to diesel generator #11 room cooling, fails DG #11 and train A of AC power; p = 3E-3.

DGVOT11A-DCC-LF = Damper fails to operate; fails DG #11 room cooling, fails DG #11 and train A of AC power; p = 3E-3.

DGVRC11A-DCO-LF = Damper fails open; fails DG #11 room cooling, fails DG #11 and train A of AC power; p = 3E-3.

DGVIN11A-DCC-LF = Damper fails to operate; fails DG #11 room cooling, fails DG #11 and train A of AC power; p = 3E-3.

SWS1105A-BOO-LF = Local fault of power breaker on SWS pump #11, fails DG #11 cooling and train A of AC power; p = 3E-3.

SRWA011A-BOO-LF = Local fault of power breaker on SRW pump #11, fails DG #11 cooling and train A of AC power; p = 3E-3.

ELC0012B-G-PRMN = Maintenance of DG #12, fails train B of AC power; p = 6.6E-3.

ELC1103A-BOO-CC = Control circuit faults of DG #11 breaker, fails DG #11 power output and train A of AC power; p = 2.5E-3.

SWS5210A-NTC-CC = Control circuit fault of service water heat exchanger #11 outlet valve, fails DG #11 and train A of AC power; p = 2.5E-3.

SWS5150A-NOC-CC = Control circuit fault of service water heat exchanger #11 inlet valve, fails DG #11 and train A of AC power; p = 2.5E-3.

ELC0012B-G-FRFT = Failure to restore DG #12 following test, fails train B of AC power; p = 5E-3.

SDSSQNCB-LOG-LF = Local fault of shutdown sequencer fails loading of all AC train B components; p = 3.8E-3.

ELC0011A-G-PRTS = DG #11 unavailable during period of alignment after test, fails train A of AC power; p = 1.5E-3.

SRW1588B-NCC-LF = Local fault of inlet valve to DG #12 coolers, fails DG #12 and train B of AC power; p = 3E-3.

ELC1406B-BOO-LF = Local fault of DG #12 breaker, fails DG #12 power output and train B of AC power; p = 3E-3.

DGVCT12C-BOO-LF = Local fault of power breaker to DG #12 room cooling, fails DG #12 and train B of AC power; p = 3E-3.

DGVOT12C-DCC-LF = Damper fails to operate; fails DG #12 room cooling, DG #12 and train B of AC power; p = 3E-3.

DGVOT12C-DCO-LF = Damper fails open; fails DG #12 room cooling, DG #12 and train B of AC power; p = 3E-3.

DGVIN12C-DCC-LF = Damper fails to operate; fails DG #12 room cooling, DG #12 and train B of AC power; p = 3E-3.

SWS1405B-BOO-LF = Local fault of SWS pump #12 power breaker, fails DG #12 cooling and train B of AC power; p = 3E-3.

SRWA012B-BOO-LF = Local fault of SRW pump #12 power breaker, fails DG #12 cooling and train B of AC power; p = 3E-3.

ELC1406B-BOO-CC = Control circuit fault of DG #12 breaker, fails DG #12 power output and train B of AC power; p = 2.5E-3.

SWS5153B-NOC-CC = Control circuit fault of service water heat exchanger outlet valve, fails DG #12 cooling and train B of AC power; p = 2.5E-3.

SWS5212B-NTC-CC = Control circuit fault of service water heat exchanger outlet valve, fails DG #12 cooling and train B of AC power; p = 2.5E-3.

Note: 1. Failure of train A of AC power fails 1/2 of all ESF systems and the motor-driven AFW pump.

2. Failure of train B of AC power fails 1/2 of all ESF systems, but does not affect the AFW system.

8.1.8.3 Major Assumptions and Recovery Actions

The initial screening value for this sequence was 1.3E-5/yr. The recovery action is to restore offsite AC power within one hour, close the PORV block valve and start HPSI to restore vessel inventory (RA-LOSP1, p = .45). Other recovery actions are possible for some cut sets but are not likely in the limited time available. The application of this recovery action reduces the sequence frequency to 5.3E-6/yr.

8.1.8.4 Engineering Insights

The dominant failures for this sequence are double failures of both diesel generators either from local faults or diesel support systems (room or DG cooling). Many of these faults are not of the type which would cause immediate failure of the diesels. Therefore, AC power may or may not be available to the PORVs in the early stages of the accident when the pressure transient occurs. For purposes of simplifying the quantification, both PORVs were conservatively assumed to have AC power available and to open if the pressure reached the PORV set point in the early stages of the accident (p = .07 for T1 initiators). If both open, both need to reclose and a failure to reclose of 2E-2/demand for each valve was used for a total of 4E-2 for 1 of 2 valves failing to reclose. Given that a PORV stuck open, then failure of the diesel generators was assumed to occur before the operator could close the block valve (i.e., the diesels fail within about 3-5 minutes due to loss of cooling, and our recovery model does not allow recovery within the first five minutes).
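The arithmetic behind the cut set frequencies in 8.1.8.2, as an added example that is not part of the original report. It assumes that the transient-induced LOCA event Q enters every cut set as the PORV demand probability times the 1-of-2 reclose-failure probability given in 8.1.8.4 (the report lists these numbers but does not write the product out); the function names are illustrative.

```python
from math import prod

# Values as printed in sections 8.1.8.1, 8.1.8.2 (Term Descriptions) and 8.1.8.4.
T1_FREQ_PER_YR = 0.14                 # loss of offsite power initiator, per year
BASIC_EVENTS = {
    "RA-LOSP1": 0.45,                 # non-recovery of offsite power within 1 h
    "ELC0021B-GEN-OPF": 0.12,         # all DG #21 faults, fails train B
    "ELC0011A-GEN-LF": 5.4e-2,        # local fault of DG #11
    "ELC0011A-G-PRMN": 6.6e-3,        # DG #11 in maintenance
    "ELC0011A-G-FRFT": 5e-3,          # DG #11 not restored after test
    "OP-FAIL-TO-ALIGN": 1e-2,         # operator fails to align DG
}
P_PORV_DEMAND = 0.07                  # PORV set point reached, T1 initiators
P_RECLOSE_FAIL_PER_VALVE = 2e-2       # per demand, each PORV
N_PORVS = 2
SEQUENCE_FREQ_PER_YR = 5.3e-6         # sequence T1-81-65 after recovery

# Cut sets and the frequencies listed for them in 8.1.8.2.
LISTED = [
    (("RA-LOSP1", "ELC0021B-GEN-OPF", "ELC0011A-GEN-LF"), 1.1e-6),
    (("RA-LOSP1", "ELC0021B-GEN-OPF", "ELC0011A-G-PRMN"), 1.4e-7),
    (("RA-LOSP1", "ELC0021B-GEN-OPF", "ELC0011A-G-FRFT"), 1.1e-7),
    (("RA-LOSP1", "OP-FAIL-TO-ALIGN", "ELC0011A-GEN-LF"), 9.5e-8),
]


def p_any_valve_sticks(p=P_RECLOSE_FAIL_PER_VALVE, n=N_PORVS, exact=False):
    """Probability that at least one of n valves fails to reclose.

    The report adds the per-valve values (2E-2 + 2E-2 = 4E-2); exact=True
    uses 1 - (1 - p)**n instead, which is slightly smaller.
    """
    return 1.0 - (1.0 - p) ** n if exact else n * p


def p_induced_loca(exact=False):
    """Assumed form of event Q: PORVs demanded AND at least one sticks open."""
    return P_PORV_DEMAND * p_any_valve_sticks(exact=exact)


def cut_set_frequency(events, exact=False):
    """Initiator frequency x basic-event probabilities x Q, in events per year."""
    unknown = [e for e in events if e not in BASIC_EVENTS]
    if unknown:
        raise KeyError(f"no probability on the page for: {unknown}")
    return (T1_FREQ_PER_YR
            * prod(BASIC_EVENTS[e] for e in events)
            * p_induced_loca(exact))


def two_sig(x):
    """Round to the two significant figures used in the report's tables."""
    return float(f"{x:.1e}")


def compare_with_listed(exact=False):
    """Recompute each listed cut set and report agreement and contribution."""
    rows = []
    for events, listed in LISTED:
        freq = cut_set_frequency(events, exact)
        rows.append({
            "cut_set": "T1*" + "*".join(events),
            "computed": freq,
            "listed": listed,
            "agrees": two_sig(freq) == listed,
            "percent": 100.0 * freq / SEQUENCE_FREQ_PER_YR,
        })
    return rows


if __name__ == "__main__":
    print(f"Q (summed) = {p_induced_loca():.2e}, "
          f"Q (exact) = {p_induced_loca(exact=True):.3e}")
    for row in compare_with_listed():
        print(f"{row['cut_set']:<50} {row['computed']:.2e} "
              f"(listed {row['listed']:.1e}, {row['percent']:.1f}%)")
```

With the summed 4E-2 value all four recomputed frequencies round to the listed ones; with `exact=True` the third cut set rounds to 1.0E-7 rather than the listed 1.1E-7.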

8.1.9 Sequence T1-82 (T1L)

8.1.9.1 Description

This sequence is initiated by a loss of offsite power (T1) followed by failure of AFW (L). The plant scrams successfully and CARCS and CSSI succeed and cool the containment. As a result of the loss of secondary heat removal, the core inventory boils off through the cycling open of the PORVs. No credit is given for feed and bleed due to the low head of the HPSI pumps and the uncertainty as to whether or not the pressure could be reduced enough to initiate HPSI [24, 25]. Recent calculations done by EG&G for the Station Blackout program [26] indicate that approximately 86 minutes is available to start an AFW pump in order to prevent core uncovery.

The sequence frequency is estimated as 4.9E-6/yr and contributes 4% of the total core melt frequency. The dominant contributors to this sequence are outlined below.

8.1.9.2 Dominant Cut Sets

Because of the large number of cut sets of relatively equal value which comprise this sequence even after the application of recovery, only the cut sets whose frequency is greater than 1.7E-8/yr are listed here. These cut sets comprise 86% of the sequence frequency. A more detailed list of cut sets for all the dominant sequences can be found in Appendix C.

Cut Sets                                                  Freq. (/yr)   % of Sequence

T1*RA-LOSP1*RA-3*AFWP11-PTD-LF*ELC0011A-GEN-LF            6.4E-7        13
T1*RA-1*AFW0161-XOC-LF                                    5.0E-7        10
T1*RA-LOSP1*RA-3*AFWP11-PTD-PRMN*ELC0011A-GEN-LF          5.0E-7        10
T1*RA-LOSP1*RA-3*AFWS903A-NOC-LF*ELC0011A-GEN-LF          1.4E-7        3
T1*RA-LOSP1*RA-3*AFW3987A-NOC-LF*ELC0011A-GEN-LF          1.4E-7        3
T1*RA-3*AFWP11-PTD-LF*AFWP13-PMD-LF                       9.7E-8        2
T1*RA-3*AFWP11-PTD-LF*CBP13-BOO-LF                        7.9E-8        2
T1*RA-LOSP1*RA-3*AFWP11-PTD-LF*ELC0011A-G-PRMN            7.8E-8        2
T1*RA-3*AFWP11-PTD-PRMN*AFWP13-PMD-LF                     7.7E-8        2
T1*RA-LOSP1*RA-16*AFW4530-N-PRMN*ELC0011A-GEN-LF          6.8E-8        1
T1*RA-LOSP1*RA-16*AFW4520-N-PRMN*ELC0011A-GEN-LF          6.8E-8        1
T1*RA-3*AFWP11-PTD-PRMN*CBP13-BOO-LF                      6.2E-8        1
T1*RA-LOSP1*RA-3*AFWP11-PTD-PRMN*ELC0011A-G-PRMN          6.2E-8        1
T1*RA-LOSP1*RA-3*AFWP11-PTD-LF*ELC0011A-G-FRFT            5.9E-8        1
T1*RA-LOSP1*RA-4*AFWP11-PTD-PRTS*ELC0011A-GEN-LF          4.8E-8        1
T1*RA-LOSP1*RA-3*AFWP11-PTD-PRMN*ELC0011A-G-FRFT          4.7E-8        1
T1*RA-LOSP1*RA-3*SDSSQNCA-LOG-LF*AFWP11-PTD-LF            4.5E-8        1
T1*AFWN-PIP-LFB                                           4.3E-8        .8
T1*RA-LOSP1*RA-3*AFWP11-PTD-LF*SRW1587A-NCC-LF            3.6E-8        .7
T1*RA-LOSP1*RA-3*AFWP11-PTD-LF*ELC1103A-BOO-LF            3.6E-8        .7
T1*RA-LOSP1*RA-3*AFWP11-PTD-LF*DGVCT11A-BOO-LF            3.6E-8        .7
T1*RA-LOSP1*RA-3*AFWP11-PTD-LF*DGVOT11A-DCC-LF            3.6E-8        .7
T1*RA-LOSP1*RA-3*AFWP11-PTD-LF*DGVRC11A-DCO-LF            3.6E-8        .7
T1*RA-LOSP1*RA-3*AFWP11-PTD-LF*DGVIN11A-DCC-LF            3.6E-8        .7
T1*RA-LOSP1*RA-3*AFWP11-PTD-LF*SWS1105A-BOO-LF            3.6E-8        .7
T1*RA-LOSP1*RA-3*AFWP11-PTD-LF*SRWA011A-BOO-LF            3.6E-8        .7
T1*RA-LOSP1*RA-3*AFWP11-PTD-PRMN*SDSSQNCA-LOG-LF          3.5E-8        .7
T1*RA-LOSP1*AFW4511-CV-OE*AFW4530-NOC-LF*ELC0011A-GEN-LF  3.4E-8        .7
T1*RA-LOSP1*AFW4511-CV-OE*AFW4531-NOC-LF*ELC0011A-GEN-LF  3.4E-8        .7
T1*RA-LOSP1*AFW4511-CV-OE*AFW4512-NOC-LF*ELC0011A-GEN-LF  3.4E-8        .7
T1*RA-LOSP1*AFW4512-CV-OE*AFW4520-NOC-LF*ELC0011A-GEN-LF  3.4E-8        .7
T1*RA-LOSP1*AFW4512-CV-OE*AFW4521-NOC-LF*ELC0011A-GEN-LF  3.4E-8        .7
T1*RA-LOSP1*AFW4512-CV-OE*AFW4511-NOC-LF*ELC0011A-GEN-LF  3.4E-8        .7
T1*RA-2*AFWP11-PTD-LF*ELC0011A-INV-LF                     3.2E-8        .7
T1*RA-LOSP1*RA-3*AFWP11-PTD-LF*ELC1103A-BOO-CC            3.0E-8        .6
T1*RA-LOSP1*RA-3*AFWP11-PTD-LF*SWS5210A-NTC-CC            3.0E-8        .6
T1*RA-LOSP1*RA-3*AFWP11-PTD-LF*SWS5150A-NOC-CC            3.0E-8        .6
T1*RA-LOSP1*RA-3*AFWP11-PTD-PRMN*ELC1103A-BOO-LF          2.8E-8        .6
T1*RA-LOSP1*RA-3*AFWP11-PTD-PRMN*DGVCT11A-BOO-LF          2.8E-8        .6
T1*RA-LOSP1*RA-3*AFWP11-PTD-PRMN*DGVOT11A-DCC-LF          2.8E-8        .6
T1*RA-LOSP1*RA-3*AFWP11-PTD-PRMN*DGVRC11A-DCO-LF          2.8E-8        .6
T1*RA-LOSP1*RA-3*AFWP11-PTD-PRMN*DGVIN11A-DCC-LF          2.8E-8        .6
T1*RA-LOSP1*RA-3*AFWP11-PTD-PRMN*SWS1105A-BOO-LF          2.8E-8        .6
T1*RA-LOSP1*RA-3*AFWP11-PTD-PRMN*SRWA011A-BOO-LF          2.8E-8        .6
T1*RA-LOSP1*RA-3*AFWO103-X-FRFT*ELC0011A-GEN-LF           2.7E-8        .6
T1*RA-2*ELC0011A-INV-LF*AFW4070B-NCC-LF                   2.7E-8        .6
T1*RA-2*ELC0011A-INV-LF*AFWP11-PTD-PRMN                   2.5E-8        .5
T1*RA-LOSP1*RA-3*AFWP11-PTD-PRMN*ELC1103A-BOO-CC          2.3E-8        .5
T1*RA-LOSP1*RA-3*AFWP11-PTD-PRMN*SWS5210A-NTC-CC          2.3E-8        .5
T1*RA-LOSP1*RA-3*AFWP11-PTD-PRMN*SWS5150A-NOC-CC          2.3E-8        .5
T1*RA-LOSP1*RA-3*AFWM911X-X-PRMN*ELC0011A-GEN-LF          2.2E-8        .5
T1*RA-3*AFWP11-PTD-LF*AFWP13-PMD-PRMN                     2.1E-8        .4
T1*RA-3*AFWP13-PMD-LF*AFWS903A-NOC-LF                     2.1E-8        .4
T1*RA-3*AFWP13-PMD-LF*AFW3987A-NOC-LF                     2.1E-8        .4
T1*RA-LOSP1*RA-3*AFWP11-PTD-LF*ELC0011A-G-PRTS            1.8E-8        .4
T1*RA-3*CBP13-BOO-LF*AFW3987A-NOC-LF                      1.7E-8        .4
T1*RA-3*CBP13-BOO-LF*AFWS903A-NOC-LF                      1.7E-8        .4
T1*RA-LOSP1*RA-3*AFWS903A-NOC-LF*ELC0011A-G-PRMN          1.7E-8        .4
T1*RA-LOSP1*RA-3*AFW3987A-NOC-LF*ELC0011A-G-PRMN          1.7E-8        .4
                                                          3.9E-6        80

Term Descriptions

T1 = Loss of offsite power; f = .14/yr.

RA-LOSP1 = Failure to recover offsite power within one hr.; p = .45.

RA-3 = Operator fails to manually start locked-out AFW turbine-driven pump #12; p = 4E-2.

AFWP11-PTD-LF = Local fault of AFW turbine-driven pump #11; p = 4.7E-3.

ELC0011A-GEN-LF = Local fault of diesel generator #11, fails AFW motor-driven pump #13 and 1/2 of all ESF systems; p = 5.4E-2.

RA-1 = Operator fails to manually realign AFW suction to CST #11 and start locked-out turbine-driven AFW pump #12; p = .1.

AFW0161-XOC-LF = Local fault of AFW suction valve to CST #12, fails all running AFW pumps; p = 3.6E-5.

AFWP11-PTD-PRMN = Maintenance of AFW turbine-driven pump #11; p = 3.7E-3.

AFWP11-PTD-PRTS = AFWS turbine-driven pump #11 unavailable due to test; p = 1.4E-3.

RA-4 = Local operator fails to return AFW from test; p = 1E-2.

AFW3903A-NOC-LF = Local fault of valve in turbine-driven AFW pump #11 steam admission line; p = 1E-3.

AFW3987A-NOC-LF = Local fault of valve in turbine-driven AFW pump #11 steam admission line; p = 1E-3.

ELC0011A-G-PRMN = Maintenance of diesel generator #11, fails motor-driven AFW pump #13 and 1/2 of all ESF systems; p = 6.6E-3.

RA-16 = Operator fails to initiate crossfeeding from Unit 2's motor-driven delivery by AFW pump; p = .1.

AFW4530-N-PRMN = Maintenance of valve in AFW turbine pumps feedwater lines, fails delivery by both turbine-driven AFW pumps; p = 2E-4.

AFW4520-N-PRMN = Maintenance of valve in AFW turbine pumps feedwater lines, fails delivery by both turbine-driven AFW pumps; p = 2E-4.

ELC0011A-G-FRFT = Diesel generator #11 not returned from test, fails 1/2 of all ESF systems and motor-driven AFW pump; p = 5E-3.

SDSSQNCA-LOG-LF = Shutdown sequencer logic unit fails to sequence loads to DG #11, fails 1/2 of all ESF systems and motor-driven AFW pump; p = 3.8E-3.

AFWP13-PMD-LF = Local fault of motor-driven AFW pump #13; p = 3.7E-3.

CBP13-BOO-LF = Local fault of motor-driven AFW pump #13 power breaker; p = 3E-3.

SRW1587A-NCC-LF = Local fault of diesel generator #11 cooling outlet valve, fails diesel generator cooling and fails AC power to 1/2 of all ESF systems and motor-driven AFW pump; p = 3E-3.

ELC1103A-BOO-LF = Local fault of diesel generator #11 breaker, fails 1/2 of all ESF systems and AFW motor-driven pump; p = 3E-3.

DGVCT11A-BOO-LF = Local fault of power breaker to diesel generator #11 room coolers, fails diesel generator #11 and AC power to 1/2 of all ESF systems and motor-driven AFW pump; p = 3E-3.

DGVOT11A-DCC-LF = Damper fails to operate, fails diesel generator #11 room cooling; fails diesel generator #11 and AC power to 1/2 of all ESF systems and motor-driven AFW pump; p = 3E-3.

DGVRC11A-DCO-LF = Damper fails open, fails diesel generator #11 room cooling; fails diesel generator #11 and AC power to 1/2 of all ESF systems and motor-driven AFW pump; p = 3E-3.

DGVIN11A-DCC-LF = Damper fails to operate, fails diesel generator #11 room cooling; fails diesel generator #11 and AC power to 1/2 of all ESF systems and motor-driven AFW pump; p = 3E-3.

SWS1105A-BOO-LF = Local fault of SWS pump #11 power breaker, fails diesel generator #11 cooling and AC power to 1/2 of all ESF systems and motor-driven AFW pump; p = 3E-3.

SRWA011A-BOO-LF = Local fault of SRW pump #11 power breaker, fails diesel generator #11 cooling and AC power to 1/2 of all ESF systems and motor-driven AFW pump; p = 3E-3.

ELC1103A-BOO-CC = Control circuit fault of diesel generator #11 output breaker, fails 1/2 of all ESF systems and motor-driven AFW pump; p = 2.5E-3.

SWS5210A-NTC-CC = Control circuit fault of outlet valve on SRW HTX #11, fails cooling to diesel generator #11 and failure of AC power to 1/2 of all ESF systems and AFW motor-driven pump; p = 2.5E-3.

SWS5150A-NOC-CC = Control circuit fault of inlet valve to SRW HTX #11 fails cooling to diesel generators #11 and results in failure of AC power to 1/2 of all ESF systems and AFW motor-driven pump; p = 2.5E-3.

AFW4511-CV-OE = Operator fails to increase flow to steam generator #11 when flow to other steam generator is blocked; p = 1E-2.

AFW4530-NOC-LF = Local faults of feedwater valve fails AFW turbine-driven pump flow to steam generator #12; p = 1E-3.

AFW4531-NOC-LF = Local faults of feedwater valve fails AFW turbine-driven pump flow to steam generator #12; p = 1E-3.

AFW4512-NOC-LF = Local faults of feedwater valve fails AFW turbine-driven pump flow to steam generator #12; p = 1E-3.

AFW4512-CV-OE = Operator fails to increase flow to steam generator #12 when flow to other steam generator is blocked; p = 1E-2.

AFW4520-NOC-LF = Local fault of feedwater valve fails AFW turbine-driven pump flow to steam generator #11; p = 1E-3.

AFW4521-NOC-LF = Local fault of feedwater valve fails AFW turbine-driven pump flow to steam generator #11; p = 1E-3.

AFW4511-NOC-LF = Local fault of feedwater valve fails AFW turbine-driven pump flow to steam generator #11; p = 1E-3.

AFWO103-X-FRFT = AFW turbine-driven pump #11 discharge valve, fail to return from test; p = 2E-4.

AFWM911X-X-PRMN = Maintenance of valve in AFW turbine-driven pump #11 steam admission line; p = 1.6E-4.

ELC0011A-G-PRTS = Diesel generator #11 unavailable due to test, fails 1/2 of all ESF systems and motor-driven AFW pump; p = 1.5E-3.

ELC0011A-INV-LF = Local faults of vital AC inverter #11 fails auto-actuation of train A SIAS and motor-driven AFW pump; p = 2.4E-3.

8.1.9.3 Major Assumptions and Recovery Actions

The initial screening value for this sequence was 2.4E-4/yr. The recovery actions involve recovery of AFW by either (1) starting the locked-out AFW turbine pump #12 (RA-3, p = .04), (2) realigning AFW pump 11 from test (RA-4, p = .01), (3) crossfeeding from unit 2 (RA-16, p = .1) or (4) recovering offsite power and either crossfeeding from unit 2 or restarting the PCS (RA-LOSP1, p = .45). The application of these recovery actions reduces the sequence frequency to 4.9E-6/yr.

8.1.9.4 Engineering Insights

The dominant failure modes for this sequence are of two types: (1) loss and non-recovery of offsite AC power combined with failure of DG #11 due to local faults (which fails the motor-driven AFW pump) and failure of turbine-driven AFW pump #11 (41% of the sequence frequency), or (2) loss and non-recovery of offsite AC power and failure of AFW suction valve 161 (10% of the sequence frequency). The prime contributor to the dominant cut sets of this sequence is the diesel generator unavailability.

8.1.10 Sequence Station Blackout

8.1.10.1 Description

As mentioned at the beginning of this section, this sequence was not modeled explicitly on the event trees. This is a new sequence identified by the Station Blackout program [17]. In this sequence, a loss of offsite power occurs followed by the loss of all onsite AC power. The AFW system succeeds until battery depletion occurs some four hours into the accident (offsite and onsite AC power not being recovered). Due to a lack of secondary heat removal, the primary heats up and boils off. Within another two hours, core uncovery followed by core melt occurs. All containment heat removal systems are failed due to the lack of AC power.

The sequence frequency is estimated as 4.4E-6/yr and contributes 3% of the total core melt frequency.

8.1.10.2 Quantification

An estimate of the frequency of this sequence can be made using the following formula:

f(Blackout) = (frequency of LOSP) * (probability of non-recovery of offsite AC within six hours) * (probability of failure of all onsite AC) * (probability of non-recovery of onsite AC)

            = .14/yr * 0.18 * 1.7E-3 * 0.1

            = 4.4E-6/yr

A discussion of the derivation of the various numbers appears in the next section.

8.1.10.3 Major Assumptions and Recovery Actions

The number used for the frequency of loss of offsite power was the generic number taken from EPRI-2230 [7]. This corresponds closely to the number calculated in EPRI-2301 [16] for the Calvert Cliffs grid and to the plant specific number calculated from Calvert Cliffs data. There was no statistical difference and so the generic number was used.

The probability of non-recovery of AC within six hours comes from the Station Blackout program [17] and is the generic value used for all plants. This value is not significantly different from the value determined for the Calvert Cliffs grid in EPRI-2301 [16].

At Calvert Cliffs failure of two diesel generators (DGs #11 and #12) will fail all AC power to unit 1, but will not result in the depletion of all DC power. The third DG, #21, while supplying AC power to unit 2 buses, will also charge two of the four shared DC buses. These DC buses power instrumentation on unit 1 which would allow a continued operation of the AFW system. In order to have a long-term loss of DC power, all three DGs must fail. The fault trees representing the DG and DG support systems were solved in order to estimate the DG unavailabilities upon loss of offsite power. The total DG unavailability (including support system faults) was found to be p = 0.12. About 50% of the unavailability is due to support system faults, the rest is a combination of local DG faults and test and maintenance outages. Since no significant common modes were found to exist between the DGs, the onsite reliability is estimated as 0.12*0.12*0.12 = 1.7E-3 for failure of all three diesels.

There are two plausible recovery actions for onsite AC: (1) restoring a diesel generator or (2) restoring onsite power by connecting an existing 69KV line to a neighboring grid. Data from the Station Blackout program indicated that restoring a diesel generator is not very likely (~0.5 probability); therefore, no credit was given for this action. Instead, the second recovery action of connecting the 69KV line was used. A non-recovery factor of 0.1 was estimated for this action based on the fact that this is a relatively complicated and unusual action (no procedure), but that a long time (~6 hours) is available to perform it. Since most causes of a loss of offsite power have been identified as plant or local grid related [17], the use of this line is a plausible recovery action.

8.1.10.4 Engineering Insights

In light of the importance of loss of offsite power sequences in general, and station blackout in particular, the utility is reviewing its procedure for connecting the 69KV line. Also, as a result of Task Action Plan A-44 Station Blackout, it is likely that all plants will be required to have improved loss of offsite power procedures. These improved procedures and other changes should result in significant mitigation of loss of offsite power sequences in the future.

8.1.11 Sequence T4-152 (T4KQ)

8.1.11.1 Description

In this sequence, a T4 (all others) transient occurs and is followed by failure to scram and an induced LOCA due to a stuck-open relief valve (Q). The primary system has survived the initial pressure transient, due to an assessed PCS runback, and the operator has successfully initiated emergency boration. Due to the high initial pressure, high rate of coolant loss, and low rate of pressure reduction coupled with the low head of the HPSI pumps, core uncovery and melt occurs before injection can be successfully implemented.

This sequence frequency is estimated as 4.3E-6/yr and contributes 3% of the total core melt frequency. The dominant contributors are outlined below.

8.1.11.2 Dominant Cut Sets

Cut Set      Frequency (/yr)   % of Sequence

T4*K*Q       4.3E-6            100

Term Descriptions

T4 = All other transients requiring reactor trip, for failure to scram only 50% results in pressure transients severe enough to demand the PORVs; f = 3.4/yr.

K = Failure to scram; p = 3E-5.

Q = Failure of 1 of 4 relief valves to reclose; p = 4.2E-2.

8.1.11.3 Major Assumptions and Recovery Actions 1

As with the TKU sequences, there are similar phenomeno-logical uncertainties associated with the TKQ sequences. No explicit analyses have been done for sequences with a stuck-

! open PORV. The short-term response must be deduced from the TK i-

' analyses and then the long-term response must be extrapolated.

From the CE analysis [21] for plants in Calvert Cliffs class, we find that for TK sequences, the pressure remains above the

. HPSI pump shutoff head until some time (~5 minutes) after i boration is initiated.

However, these analyses assume perfect mixing of the boron

{' and that the reactor coolant pumps (RCPs) have tripped. Non-uniform mixing would increase the time before pressure would begin to drop. If the RCPs failed to trip (and it is not clear l

at present if they would trip), then reactor power might decrease slower due to the sweeping of voids from the core.by the forced flow. This may affect the rate of pressure reduction-or even increase pressure.

Complicating this scenario is the stuck-open PORV itself.

Core uncovery can be expected to occur in about 40 minutes due Y <

to the loss of coolant, but the mass loss should . result in a decrease in pressure. It is problematical if the pressure

' decrease due to the mass loss' can result 'in pressure reaching the HPSI shutoff head before core uncovery can occur. The RCPs not tripping, the increased heat removal rate through the PORV, and the longer the operator delays boration initiation all tend to make power equilibrate at a higher level and to keep the l pressure up.

8-44 a ~ ,

Current expert opinion is that, for a plant with system characteristics such as Calvert Cliffs, that the race between core uncovery (assumed to be equivalent to core melt in our analysis) and the initiation of successful makeup is too close to call without explicit long-term thermal-hydraulic analyses.

In this study, therefore, this sequence has been modeled as resulting in core melt. Follow-on analyses by the SASA program are planned in order to clarify the long-term characteristics of this sequence.

A possible recovery action is to close the PORV block valve. However, in this sequence, one operator action has already occurred, i.e., the initiation of emergency boration.

Given that the operator can initiato emergency boration any time from 0 to 30 minutes, that leaves 10 to 40 minutes for the operator to recognize that the PORV is stuck open and to decide to isolate the PORV under an ATWS condition. It was decided that, due to the lack of ATWS procedures, lack of ATWS operator training, the high stress, and the short time (~10 minutes) that no credit should be given for this action.

8.1.11.4 Engineering Insights

Since these calculations were made, Calvert Cliffs has implemented a new emergency procedure for ATWS events which directs the operators to (1) trip the reactor manually, (2) de-energize the motor generator sets, and (3) initiate emergency boration. The second step, de-energizing the motor generator sets, should effectively bypass the most frequent of the electrical or mechanical common mode failures and result in a reactor scram in a majority of cases. The uncertainties in the accident phenomenology and the uncertainty in the time at which the operator performs the emergency boration or de-energizes the motor-generator sets make it difficult to determine the effect on the sequence without explicit thermal-hydraulic calculations, although it appears that, with this new procedure and improved operator training, some mitigation could be obtained.

8.1.12 Sequence T3-139 (T3KU)

8.1.12.1 Description

This sequence is a T3 (requires primary pressure relief) transient followed by a failure to scram (K) and failure of emergency boration (U). The primary system has survived the initial pressure transient (with PCS runback). CE analyses [21] and NRC analysis in support of the ATWS rule [22] state that greater than 10 minutes are available for the operator to initiate emergency boration. In this study, we have assessed that if the operator fails to start shutting the reactor down within the 20-30 minute time frame, then core melt will result.

This sequence frequency is estimated as 3.7E-6/yr and contributes 3% of the total core melt frequency. The dominant contributors are outlined below.

8.1.12.2 Dominant Cut Sets

Cut Set                                 Frequency (/yr)   % of Sequence
T3*K*CVCSTART-IISF-OE                   2.8E-6            76
T3*K*CVCOC12B-P-PRMN*CVCOC13X-P-PRMN    3.8E-7            10
T3*K*CVC0514B-VCC-LF                    1.7E-7             5
T3*K*CVCR514B-BOO-CC                    1.4E-7             4
T3*K*CVC0514B-CBL-LF                    6.0E-8             2
Total                                   3.6E-6            96

Term Descriptions

T3 = Transients requiring primary system pressure relief; f = 1.85/yr.

K = Failure to scram; p = 3E-5.

CVCSTART-IISF-OE = Failure of the operator to initiate emergency boration; p = 0.05.

CVCOC12B-P-PRMN = Maintenance of charging pump #12; p = 8.2E-2.

CVCOC13X-P-PRMN = Maintenance of charging pump #13; p = 8.2E-2.

CVC0514B-VCC-LF = Local fault of CVCS MOV 514 (common mode failure of CVCS); p = 3E-3.

CVCR514B-BOO-CC = Control circuit fault of CVCS MOV 514 (common mode failure of CVCS); p = 2.5E-3.

CVC0514B-CBL-LF = Power cable to CVCS MOV 514 fails open (common mode failure of CVCS); p = 1.1E-3.

8.1.12.3 Major Assumptions and Recovery Actions

Given the high stress in the failure to scram scenario, the operator failure to perform an appropriate action is typically assumed to be 0.1 in past PRAs (our generic recovery model assumes 0.1 at 10 minutes). However, the thermal-hydraulic analyses [21] show that the operator should have longer than 10 minutes. After examining the thermal-hydraulic characteristics of the sequence and the various uncertainties in system response and phenomenology, it was judged that some operator action would be necessary within 20-30 minutes. A THERP analysis of the emergency boration procedure is presented in Appendix B.19, which leads to a value of 0.05, and this value corresponds to the 0.05 probability of operator failure in 20-30 minutes from our generic recovery model.
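The cut-set arithmetic behind the T3KU table and the operator-failure assumption discussed above, as an added example (not code from the report): it multiplies the initiating-event frequency by the basic-event probabilities given under Term Descriptions, sums the cut sets with the rare-event approximation, ranks the basic events, and re-runs the total with the 0.1 operator-failure value the text attributes to past PRAs. Function names are illustrative; event names and values are those listed in Section 8.1.12.2.

```python
from math import prod

# Values copied from the Term Descriptions for sequence T3KU.
# T3 is an initiating-event frequency (/yr); all others are probabilities.
EVENTS = {
    "T3": 1.85,
    "K": 3e-5,
    "CVCSTART-IISF-OE": 0.05,
    "CVCOC12B-P-PRMN": 8.2e-2,
    "CVCOC13X-P-PRMN": 8.2e-2,
    "CVC0514B-VCC-LF": 3e-3,
    "CVCR514B-BOO-CC": 2.5e-3,
    "CVC0514B-CBL-LF": 1.1e-3,
}

# Dominant cut sets in the report's "A*B*C" notation.
CUT_SETS = [
    "T3*K*CVCSTART-IISF-OE",
    "T3*K*CVCOC12B-P-PRMN*CVCOC13X-P-PRMN",
    "T3*K*CVC0514B-VCC-LF",
    "T3*K*CVCR514B-BOO-CC",
    "T3*K*CVC0514B-CBL-LF",
]

SEQUENCE_FREQ = 3.7e-6  # /yr, sequence estimate quoted in Section 8.1.12.1


def parse_cut_set(text):
    """Split 'A*B*C' into event names, rejecting empty or repeated terms."""
    terms = [t.strip() for t in text.split("*")]
    if any(not t for t in terms):
        raise ValueError(f"empty term in cut set {text!r}")
    if len(set(terms)) != len(terms):
        raise ValueError(f"repeated term in cut set {text!r}")
    return terms


def cut_set_frequency(text, events):
    """Initiator frequency times the probabilities of the other events."""
    terms = parse_cut_set(text)
    unknown = [t for t in terms if t not in events]
    if unknown:
        raise KeyError(f"no value for {unknown} in cut set {text!r}")
    return prod(events[t] for t in terms)


def sequence_total(cut_sets, events):
    """Rare-event approximation: sum of the minimal cut-set frequencies."""
    return sum(cut_set_frequency(cs, events) for cs in cut_sets)


def contribution_table(cut_sets, events, sequence_freq):
    """Rows of (cut set, frequency, % of sequence), largest first."""
    rows = [(cs, cut_set_frequency(cs, events)) for cs in cut_sets]
    rows.sort(key=lambda row: row[1], reverse=True)
    return [(cs, f, 100.0 * f / sequence_freq) for cs, f in rows]


def fussell_vesely(event, cut_sets, events):
    """Share of the listed frequency carried by cut sets containing event."""
    total = sequence_total(cut_sets, events)
    hit = sum(cut_set_frequency(cs, events)
              for cs in cut_sets if event in parse_cut_set(cs))
    return hit / total


def with_override(events, changes):
    """Copy of the event table with some values replaced (sensitivity run)."""
    unknown = [name for name in changes if name not in events]
    if unknown:
        raise KeyError(f"cannot override unknown events {unknown}")
    return {**events, **changes}


if __name__ == "__main__":
    for cs, freq, pct in contribution_table(CUT_SETS, EVENTS, SEQUENCE_FREQ):
        print(f"{cs:40s} {freq:8.1E} {pct:5.1f}")
    print(f"sum of listed cut sets: {sequence_total(CUT_SETS, EVENTS):.2E}/yr")
    for name in EVENTS:
        print(f"{name:20s} FV = {fussell_vesely(name, CUT_SETS, EVENTS):.3f}")
    # Sensitivity: operator failure at 0.1 (past-PRA value) instead of 0.05.
    past_pra = with_override(EVENTS, {"CVCSTART-IISF-OE": 0.1})
    print(f"with p(operator) = 0.1: {sequence_total(CUT_SETS, past_pra):.2E}/yr")
```

Computed from the rounded inputs, the products differ from the tabulated values in the second significant figure in places, which is expected when a table is built from unrounded data.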

8.1.12.4 Engineering Insights

The response of this sequence is the same as the T 9 KU sequence and the reader is referred to Section 8.1.6.4 for discussion of the thermal-hydraulic characteristics.

8.1.13 Sequence T3-118 (T3KQ)

8.1.13.1 Description

In this sequence, a T3 (requires primary pressure relief) transient occurs and is followed by failure to scram and an induced LOCA due to a stuck open relief valve (Q). The primary system has survived the initial pressure transient, due to the PCS runback, and the operator has successfully initiated emergency boration. Due to the high initial pressure, high rate of coolant loss, and low rate of pressure reduction coupled with the low head of the HPSI pumps, core uncovery and melt occur before injection can be implemented.

This sequence frequency is estimated to be 2.3E-6/yr and contributes 2% of the total core melt frequency. The dominant contributors are outlined below.

8.1.13.2 Dominant Cut Sets

Cut Set    Frequency (/yr)   % of Sequence
T3*K*Q     2.3E-6            100

Term Descriptions

T3 = Transients requiring primary system pressure relief; f = 1.85/yr.

K = Failure to scram; p = 3E-5/yr.

Q = Failure of 1 of 4 relief valves to reclose; p = 4.2E-2.

8.1.13.3 Major Assumptions and Recovery Actions

The assumptions and recovery actions are the same as for the T4KQ sequence (see Section 8.1.11.3).

8.1.13.4 Engineering Insights

See Section 8.1.11.4 of sequence T4KQ for insights applicable to this sequence.

8.1.14 Sequence T3-113 (T3ML)

8.1.14.1 Description

In this sequence, a T3 (requires primary pressure relief) transient is followed by a loss of PCS (M) and AFW (L). The reactor has scrammed and CARCS and CSSI succeed and cool the containment. As a result of the loss of secondary heat removal, the core inventory boils off through the cycling open of the PORVs. No credit is given for feed and bleed due to information presented in References 24 and 25. Recent calculations done by EG&G for the Station Blackout program [26] indicate that 86 minutes are available to start an AFW pump in order to prevent core uncovery.

The sequence frequency is estimated as 1.7E-6/yr and contributes 1% of the total core melt frequency. The dominant contributors to this sequence are outlined below.

8.1.14.2 Dominant Cut Sets

Cut Set                                      Frequency (/yr)   % of Sequence
T3*RA-2*ELC0011A-INV-LF*AFWP11-PTD-LF        4.1E-7            24
T3*RA-2*ELC0011A-INV-LF*AFW4070B-NCC-LF      3.5E-7            21
T3*RA-2*ELC0011A-INV-LF*AFWP11-PTD-PRMN      3.3E-7            19
T3*RA-2*ELC0011A-INV-LF*AFWP11-PTD-PRTS      1.3E-7             7
T3*RA-2*ELC0011A-INV-LF*AFWS903A-NOC-LF      9.0E-8             5
T3*RA-2*ELC0011A-INV-LF*AFW3987A-NOC-LF      9.0E-8             5
T3*RA-1*PCS-LF*AFW0161-XOC-LF                3.3E-8             2
T3*RA-2*ELC0011A-INV-LF*AFW0103-X-FRFT       1.8E-8             1
T3*RA-2*ELC0012B-INV-LF*AFALOGCA-LOG-LF      1.8E-8             1
T3*RA-2*ELC0011A-INV-LF*AFALOGCB-LOG-LF      1.8E-8             1
T3*RA-2*ELC0011A-INV-LF*AFW4530-N-PRMN       1.8E-8             1
T3*RA-2*ELC0011A-INV-LF*AFW4520-N-PRMN       1.8E-8             1
T3*RA-1*ELC0011A-INV-LF*AFW0161-XOC-LF       1.6E-8             1
T3*RA-1*ELC0012B-INV-LF*AFW0161-XOC-LF       1.6E-8             1
T3*RA-2*ELC0011A-INV-LF*AFWM911X-X-PRMN      1.4E-8             1
T3*RA-2*ELC0011A-CBL-LF*AFWP11-PTD-LF        1.4E-8             1
Total                                        1.6E-6            92

Term Descriptions

T3 = Transients requiring primary system pressure relief; f = 1.85/yr.

RA-2 = Operator fails to manually start AFW motor-driven pump from control room given that auto-actuation failed; p = .02.

ELC0011A-INV-LF = Local fault of vital AC inverter #11 causes failure of AFAS actuation of motor-driven AFW pump and AFW turbine-driven pump steam admission valve 4071, one feedwater regulating valve fails closed, one feedwater bypass valve fails full open, one main feedwater pump minimum flow recirculation valve fails full open, and one turbine bypass valve fails closed. If operating at power, low suction trip of main feedwater pumps. If operating at 5% in runback mode, may still get a pump trip depending on dynamics of suction pressure and steam pressure; p = 2.4E-3.

AFWP11-PTD-LF = Local fault of AFW turbine-driven pump #11; p = 4.7E-3.

AFW4070B-NCC-LF = Local fault of AFW steam admission valve, fails 1/2 of steam supply; p = 4E-3.

AFWP11-PTD-PRMN = Maintenance of AFW turbine-driven pump #11; p = 3.7E-3.

AFWP11-PTD-PRTS = AFW turbine-driven pump #11 unavailable due to test; p = 1.4E-3.

AFWS903A-NOC-LF = Local fault of valve in steam admission line to AFW turbine-driven pump #11; p = 1E-3.

AFW3987A-NOC-LF = Local fault of valve in steam admission line to AFW turbine-driven pump #11; p = 1E-3.

RA-1 = Operator fails to realign AFW suction to CST #11 and start locked-out AFW turbine-driven pump #12, all actions must be done locally; p = 0.1.

PCS-LF = Local fault causes failure of PCS; p = 4.8E-3.

AFW0161-XOC-LF = Local fault of AFW suction valve results in cavitation failure of all operating AFW pumps; p = 3.6E-5.

AFW0103-X-FRFT = Failure to restore AFW turbine-driven pump #11 discharge valve from test; p = 2E-4.

ELC0012B-INV-LF = Local fault of vital AC inverter #12, results in similar effects to inverter #11 above except that the AFW motor-driven pump does not fail and AFW steam admission valve 4070 fails closed, failing 1/2 AFW turbine pump steam supply; p = 2.4E-3.

AFALOGCA-LOG-LF = Local fault of AFAS logic unit fails actuation of motor-driven AFW pump and AFW steam admission valve 4071, failing 1/2 AFW turbine pump steam supply; p = 2E-4.

AFALOGCB-LOG-LF = Local fault of AFAS logic unit fails actuation of AFW steam admission valve 4070, failing 1/2 steam supply to AFW turbine pumps; p = 2E-4.

AFW4530-N-PRMN = Maintenance of feedwater valve fails both turbine-driven AFW pumps; p = 2E-4.

AFW4520-N-PRMN = Maintenance of feedwater valve fails both turbine-driven AFW pumps; p = 2E-4.

AFWM911X-X-PRMN = Maintenance of valve in AFW turbine-driven pump #11 steam admission line; p = 1.6E-4.

ELC0011A-CBL-LF = Local fault of cable from vital AC inverter #11, same effect as inverter fault above; p = 7.5E-5.

8.1.14.3 Major Assumptions and Recovery Actions

The initial screening value for this sequence was 8.5E-5/yr. The important recovery action involved starting the AFW motor-driven pump from the control room given that auto actuation has failed (RA-2, p = .02). The application of this recovery action reduces the sequence frequency to 1.7E-6/yr.

8.1.14.4 Engineering Insights

The failure of the vital bus 11A inverter is postulated as causing PCS failure due to instabilities induced in the feedwater flow; however, while this is true at ~80% flow, after a transient where PCS has run back, it is not clear what will happen. This is a dynamic situation with several valves in the PCS system opening or closing, combined with the loss of various instrumentation, and may cause a sufficient loss of main feedwater turbine pump NPSH to result in a pump trip. If the failure occurred while the PCS was actually running back, it is judged likely that the PCS would trip. If the inverter fault occurred after the PCS had stabilized itself at the 5% level, then it is not clear what the effect would be.

8.1.15 Sequence S2-59 (S2D")

8.1.15.1 Description

In this sequence, we have a Small-small LOCA (S2), successful scram and secondary heat removal via the AFW system. However, HPSI (D") fails and we have no makeup in the injection phase. This initiator can be broken up into two parts: (1) reactor coolant pump seal LOCAs (IE = 2E-2/yr) and (2) other Small-small LOCAs (IE = 1E-3/yr). The other Small-small LOCA portion of the sequence is negligible (1E-3/yr initiating event x 1.3E-4 failure of HPSI = 1.3E-7). Work done by EG&G for the Station Blackout program [26] indicates that for a leak of the maximum expected reactor coolant pump seal LOCA (<500 gpm) with secondary cooling available, approximately three hours is available to isolate the leak or start primary makeup. Containment sprays (CSSI) and fans (CARCS) are successful and cool the containment.

The frequency of this sequence is estimated to be 1.6E-6/yr and contributes 1% of the total core melt frequency. The dominant contributors to this sequence are outlined below.

8.1.15.2 Dominant Cut Sets

Cut Set               Frequency (/yr)   % of Sequence
S2*SIS660B-VOC-LF     7.6E-7            48
S2*SIS659A-VOC-LF     7.6E-7            48
Total                 1.5E-6            94

Term Descriptions

S2 = Small-small LOCA; f = 2.1E-2/yr.

SIS660B-VOC-LF = Local faults of valve in common HPSI, LPSI, and CSS pump minimum flow recirculation line, fails all HPSI due to pumping against dead head as a result of high primary system pressure (greater than 1275 psia); p = 3.6E-5.

SIS659A-VOC-LF = Similar to above valve SIS660B.

8.1.15.3 Major Assumptions and Recovery Actions

The initial screening value for this sequence was 2.8E-6/yr. The recovery action is to recover HPSI by manually actuating HPSI from the control room (RA-6, p = .01) for auto actuation faults. The application of this recovery action reduces the sequence frequency to 1.6E-6/yr.

8.1.15.4 Engineering Insights

The dominant failures, responsible for 96% of the sequence frequency, are failure of either of the two valves in the common minimum flow recirculation line. These valves are common to all HPSI, LPSI, and CSS pumps. For the Small-small LOCA case, if these valves should fail closed, the HPSI pumps were assessed to fail. This is because the slow drop in primary pressure from 1600 to 1275 psi would result in pump heat up and failure due to pumping against dead head for a significant period of time (greater than 10 minutes).

8.1.16 Sequence T1-85 (T1LCC')

8.1.16.1 Description

In this sequence, we have a loss of offsite power (T1) followed by failure of AFW (L), CSSI (C), and CARCS (C'). The plant has scrammed successfully, but due to the lack of secondary heat removal, the core inventory boils off through the cycling open of the PORVs. No credit is given for feed and bleed due to information presented in References 24 and 25. Recent calculations done by EG&G for the Station Blackout program [26] indicate that 86 minutes are available to start an AFW pump in order to prevent core uncovery.

The sequence frequency is estimated as 1.0E-6/yr and contributes 1% of the total core melt frequency. The dominant contributors to this sequence are outlined below.

8.1.16.2 Dominant Cut Sets

Because of the large number of cut sets of relatively equal value which comprise this sequence even after the application of recovery, only cut sets whose frequency is greater than 4.1E-9/yr are listed here. These cut sets comprise 73% of the sequence frequency. A more detailed list of cut sets for all the dominant sequences can be found in Appendix C.

Freq. 4 of

! Cut Sets LLyd, Sequence [

l T t*HA-LOSPl*AFW4530-N-PRMN

  • ELC00218-GEN-OPF*ELC0011A-GEN-LF 8.2E-8 8 l T t*HA-LOSPl*AFW4520-N-PNMN [
  • ELC0021B-GEN-OPF*ELC0011A-GEN-LF 8.2E-8 8 8-52 i

L

a f Freq.  % of Cut Sets 1/yr) Sequence a

d T 1*RA-LOSPl*RA-3*AFWPil-PTD-LF

, *ELC0021B-GEN-OPF*ELC00llA-GEN-LF 7.7E-8 8 l T1*RA-LOSPl*RA-3*AFWPil-PTD-PHMN

  • ELC0021B-GEN-OPF*ELC0011A-GEN-LP 6.0E-8 6

$ T 1*RA-LOSPl*AFW4530-N-PRM

  • ELC0012B-GEN-LF*ELC0011A-GEN-LP 3.7E-8 4  :

T 1*RA-LOSPl*AFW4520-N-PRMN i *ELC0012B-GEN-LF*ELC0011A-GEN-LP 3.7E-8 4 l

T 1*RA-LOSPl*RA-3*AFWP11-PTD-LF ,

, *ELC0012B-GEN-LF*ELC0011A-GEN-LF 3.5E-8 3 i T 1*RA-LOSPl*RA-3*AFWPil-PTD-PRMN l *ELC00128-GEN-LF*ELC00llA-GEN-LF 2.7E-8 3 &

j T t*RA-LOSPl*RA-3*AFWS903A-NOC-LP i *ELC0021B-GEN-OPF*ELC00llA-GEN-LP 1.6E-8 2 l T 1*RA-LOSPl*RA-3*AFW3987A-NOC-LP j *ELC00218-GEN-OPF*ELC00llA-GEN-LF L.6E-8 2 ,

j T 1 *RA-2*ELC0011A-INV-LF l

  • ELC0012B-INV-LF L.6E-8 2 T 1*RA-LOSPl*AFW4530-N-PRMN  ;

~

O *ELC0021B-GEN-OPF*ELC0011A-G-PRMN 1.0E-8 1

! T 1*RA-LOSPl*AFW4520-N-PRMN

  • ELC0021B-GEN-OPF*ELC00llA-G-PRMN 1.0E-8 1 T 1*RA- LOSPl*RA- 3
  • AFWPll-PTD-LP j *ELC0021B-GEN-OPF*ELC0011A-G-PRMN 9.4E-9 .9 T 1*RA-LOSPl*AFW4530-N-PRMN i *ELC00212-GEN-OPF*ELC00llA-G-FRFT 7.6E-9 .8

! T 1*RA-LOSPl*AFW4520-N-PRMN

  • ELC0021B-GEN-OPF*ELC0011A-G-FRFT 7.6E-9 .8 i i

T 1*RA-LOSPl*RA-3*AFWP11-PTD-PRMN

*ELC0021B-GEN-OPF*ELC0011A-G-PRMN 7.4E-9 .7 T 1*RA-LOSPl*RA-3*AFWS903A-NOC-LP
  • ELC0012B-GEN-LF*ELC0011A-GEN-LF 7.3E-9 .7 l T 1*RA-LOSPl*RA-3*AFW3987A-NOC-LF ,

l *ELC00128 1EN-LF*ELC00llA-GEN-LF 7.3E-9 .7 '

L T 1*RA-LOSPl*RA 3*AFWP11-PTD-LP l *ELC0021B-GEN-OPF*ELC0011A-G-FRFT 7.1E-9 .7 j T 1*RA-LOSPl*AFW4530-N-PRMN  !

! *ELC0021B-GEN-OPF*ELC0011A-GEN-LF 6.8E-9 .7

T 1*RA-LOSPl*AFW4520-N-PRMN i
  • OP-FAIL-TO-ALIGN *ELC00llA-GEN-LF 6.8E-9 .7 i T1*RA-LOSPl*RA-3*AFWPil-PTD-LF l *OP-FAIL-TO-ALIGN *ELC0011A-GEN-LF 6.4E-9 .6 i T 1*RA-LOSPl*RA-4*AFWPil-PTD-PRTS i *OP-FAIL-TO-ALIGN *ELC00llA-GEN-LF 5.7E-9 .6 i T 1*RA-LOSPl*RA-3*AFWPil-PTD-PRMN
  • ELC0021B-GEN-OPr*ELC0011A-G-FRFT 5.6E-9 .6

} T 1*RA-LOSPl*RA-3*SDSSONCA-LOG-LF l *AFWPil-PTD-LF*ELC00218-GEN-OPF 5.48-9 .5

T 1*RA-LOSPl*RA-3*AFWPil-PTD-PRMN l *ELC0011A-GEN-LF*OP-FAIL-TO-ALIGN 5.0E-9 .5

[ c 8-53 I

Freq. t of Cut Sets 1/yr) Sequence T 1*RA-LOSPl*AFW4530-N-PRMN

  • ELC00218-GEN-OPF*SRW1587A-NCC-LP 4 SE-9 .5 T1*RA-LOSPl*APW4530-N-PRMN
  • ELC0021B-GEN-OPF*ELC1103A-BOO-LP 4.5E-9 .5 T 1*RA-LOSPl*AFW4530-N-PRMN
  • ELC0021B-GEN-OPF*DGVCTilA-BOO-LP 4.5E-9 .5 T 1*HA-LOSPl*AFW4530-N-PRMN
  • ELC0021B-GEN-OPF*DGVOT11A-DCC-LP 4.5E-9 .5 T 1*RA-LOSPl*AFW4530-N-PRMN
  • E LC0021B-G EN- OP F
  • DGVRC 11 A-DCO- LF 4.5E-9 .5 T 1*HA-LOSPl*AFW4530-N-PRMN
  • ELC0021B-GEN-OPF*DGVIN11A-DCC-LP 4.5E-9 .5 T 1*RA-LOSPl*AFW4530-N-PRMN
  • ELC0021B-GEN-OPF*SWS1105A-BOO-LP 4.5E-9 .5 T 1*RA-LOSPl*AFW4530-N-PRMN
  • ELC0021B-GEN-OPF*SRWAOllA-BOO-LF 4.5E-9 .5 l T 1*HA-LOSPl*AFW4520-N-PRMN
  • ELC0021B-GEN-OPF
  • SRW15 87 A-NCC- LF 4.5E-9 .5 T 1*RA-LOSPl*AFW4520-N-PRMN
  • ELC0021B-GEN-OPF*ELC1103A-BOO-LF 4.5E-9 .5 T 1*RA-LOSPl*AFW4520-N-PRMN
  • ELC0021B-GEN-OPP *DGVCTilA-BOO-LF 4.5E-9 .5 T 1*RA-LOSPl*AFW4520-N-PRMN
  • ELC0021B-GEN-OPF*DGVOTilA-DCC-LP 4.5E-9 .5 T 1*RA-LOSPl*AFW4520-N-PRMN
  • ELC0021B-GEN-OPF*DGVRC11A-DCO-LP 4.5E-9 .5 T 1*RA-LOSPl*AFW4520-N-PRMN
  • ELC0021B-GEN-OPF*DGVIN11A-DCC-LP 4.5E-9 .5 T 1*RA-LOSPl*AFW4520-N-PRMN
  • ELC0021B-GEN-OPF*SWS1105A-BOO-LP 4.5E-9 .5 T 1*RA-LOSPl*AFW4520-N-PRMN j *ELC0021B-GEN-OPF*SRWA011A-BOO-LP 4.5E-9 .5 d

T 1*RA-LOSPl*RA-3*AFWPll-PTD-LP

  • ELC0021B-GEN-OPP *SRW1587A-NCC-LP 4.3E-9 .4 T 1*RA-LOSPl*RA-3*AFWP11-PTD-LP
  • ELC0021B-GEN-OPF*ELC1103A-BOO-LP 4.3E-9 .4 T1*NA-LOSPl*RA-3*AFWPil-PTD-LP
  • ELC0021B-GEN-OPF*DGVCTilA-BOO-LP 4.3E-9 .4 T 1*HA-LOSPl*RA-3*AFWP11-PTD-LF
  • ELC0021B-GEN-OPF*DGVOTilA-DCC-LP 4.3E-9 .4 T1*RA-LOSPl*RA-3*AFWPil-PTD-LP
  • ELC0021B-GEN-OPF*DGVRC11A-DCO-LP 4.3E-9 .4 T 1*RA-LOSPl*RA-3*AFWP11-PTD-LP
  • ELC0021B-GEN-OPF*DGVIN11A-DCC-LP 4.3E-9 .4 T 1*RA-LOSPl*RA-3*AFWPil-PTD-LP
  • ELC0021B-GEN-OPF*SWS1105A-BOO-LF 4.3E-9 .4 T 1*RA-LOSPl*RA-3*AFWP11-PTD-LF r *ELC0021B-GEN-OPF*SRWA011A-BOO-LP 4.3E-9 .4 T 1*RA-LOSPl*RA-3*SDSSQNCA-LOG-LP
  • ELC0021B-GEN-OPF*AFWP11-PTD-PRMN 4.3E-9 .4 8-54

i Freq. t of Cut Sets 1/yr) Sequence T1*RA-LOSPl*AFWPil-PTD-LF

  • ELC0012B-GEN-LF*ELC00llA-G-PRMN 4.2E-9 .4 T 1*RA-LOSPl*AFWP11-PTD-LP
  • ELC00llA-GEN-LF*ELC0012B-G-PRMN 4.2E-9 .4 T 1*RA-LOSPl*AFW4511-CV-OE*AFW4530-NOC-LP
  • ELC0021B-GEN-OPF*ELC0011A-GEN-LP 4.lE-9 .4 T 1*RA-LOSPl*AFW4511-CV-OE*AFW4531-NOC-LP
  • ELC0021B-GEN-OPF*ELC00llA-GEN-LP 4.lE-9 .4 T 1*RA-LOSPl*AFW4511-CV-OE*AFW4512-NOC-LP
  • ELC0021B-GEN-OPF*ELC0011A-GEN-LP 4.1E-9 .4 T 1*RA-LOSPl*AFW4512-CV-OE*AFW4520-NOC-LP
  • ELC0021B-GEN-OPF*ELC00llA-GEN-LF 4.lE-9 .4 T 1*RA-LOSPl*AFW4512-CV-OE* AFW4521-NOC-LF
  • ELC0021B-GEN-OPF*ELC0011A-GEN-LF 4.1E-9 .4

. T 1*RA-LOSPl*AFW4512-CV-OE*AFW4511-NOC-LP

  • ELC0021B-GEN-OPF*ELC0011A-GEN-LF 4.lE-9 .4 7.3E-7 73 Term Descriptions T1 = Loss of offsite power; f= .14/yr.

RA-LOSP1 = Non-recovery of offsite power within one hour; p = .45.

AFW4530-N-PRMN = Maintenance of valve in AFW turbine pumps feedwater lines, fails delivery by both turbine-driven AFW pumps; p = 2E-4.

AFW4520-N-PRMN = Maintenance of valve in AFW turbine pumps feedwater lines, fails delivery by both turbine-driven AFW pumps; p = 2E-4.

ELC0021B-GEN-OPF = Undeveloped event representing all diesel generator #21 faults, diverts DG #12 to Unit 2 and fails 1/2 of all ESF systems; p = .12.

ELC0011A-GEN-LF = Local fault of diesel generator #11, fails AFW motor-driven pump #13 and 1/2 of all ESF systems; p = 5.4E-2.

RA-3 = Operator fails to manually start locked-out AFW turbine-driven pump #12; p = 4E-2.

AFWP11-PTD-LF = Local fault of AFW turbine-driven pump #11; p = 4.7E-3.

AFWP11-PTD-PRMN = Maintenance of AFW turbine-driven pump #11; p = 3.7E-3.

OP-FAIL-TO-ALIGN = Operator fails to align diesel generator #12 to Unit 1, fails 1/2 of all ESF systems; p = 1E-2.

AFWS903A-NOC-LF = Local fault of valve in turbine-driven AFW pump #11 steam admission line; p = 1E-3.

AFW3987A-NOC-LF = Local fault of valve in turbine-driven AFW pump #11 steam admission line; p = 1E-3.

ELC0011A-G-PRMN = Maintenance of diesel generator #11 fails motor-driven AFW pump #13 and 1/2 of all ESF systems; p = 6.6E-3.

ELC0011A-G-FRFT = Diesel generator #11 not returned from test, fails 1/2 of all ESF systems and motor-driven AFW pump; p = 5E-3.

RA-2 = Operator fails to manually actuate AFW motor-driven pump #13 given failure of auto start; p = .02.

ELC0011A-INV-LF = Local fault of vital AC inverter #11, fails auto-actuation of train A SIAS, and the motor-driven AFW pump; p = 2.4E-3.

ELC0012B-INV-LF = Local fault of vital AC inverter #12, fails auto-actuation of train A SIAS, and the motor-driven AFW pump; p = 2.4E-3.

RA-4 = Local operator fails to return AFW from test; p = 1E-2.

SDSSONCA-LOG-LF = Shutdown sequencer logic unit fails to sequence loads to DG #11, fails 1/2 of all ESF systems and motor-driven AFW pump; p = 3.8E-3.

SRW1587A-NCC-LF = Local fault of diesel generator #11 cooling outlet valve, fails diesel generator cooling and fails AC power to 1/2 of all ESF systems and motor-driven AFW pump; p = 3E-3.

ELC1103A-BOO-LF = Local fault of diesel generator #11 breaker, fails 1/2 of all ECCS systems and AFW motor-driven pump, fails diesel generator cooling and fails AC power to 1/2 of all ESF systems and motor-driven AFW pump; p = 3E-3.

DGVCT11A-BOO-LF = Local fault of power breaker to diesel generator #11 room coolers, fails diesel generator #11 and AC power to 1/2 of all ESF systems and motor-driven AFW pump; p = 3E-3.

DGVOT11A-DCC-LF = Damper fails to operate, fails diesel generator #11 room cooling; fails diesel generator #11 and AC power to 1/2 of all ESF systems and motor-driven AFW pump; p = 3E-3.

DGVRC11A-DCO-LF = Damper fails open, fails diesel generator #11 room cooling; fails diesel generator #11 and AC power to 1/2 of all ESF systems and motor-driven AFW pump; p = 3E-3.

DGVIN11A-DCC-LF = Damper fails to operate, fails diesel generator #11 room cooling; fails diesel generator #11 and AC power to 1/2 of all ESF systems and motor-driven AFW pump; p = 3E-3.

SWS1105A-BOO-LF = Local fault of SWS pump #11 power breaker, fails diesel generator #11 cooling and AC power to 1/2 of all ESF systems and motor-driven AFW pump; p = 3E-3.

SRWA011A-BOO-LF = Local fault of SRW pump #11 power breaker, fails diesel generator #11 cooling and AC power to 1/2 of all ESF systems and motor-driven AFW pump; p = 3E-3.

ELC0012B-G-PRMN = Maintenance of diesel generator #12, fails 1/2 of all ESF systems; p = 6.6E-3.

AFW4511-CV-OE = Operator fails to increase flow to steam generator #11 when flow to other steam generator is blocked; p = 1E-2.

AFW4530-NOC-LF = Local faults of feedwater valve fails AFW turbine-driven pump flow to steam generator #12; p = 1E-3.

AFW4531-NOC-LF = Local faults of feedwater valve fails AFW turbine-driven pump flow to steam generator #12; p = 1E-3.

AFW4512-NOC-LF = Local faults of feedwater valve fails AFW turbine-driven pump flow to steam generator #12; p = 1E-3.

AFW4512-CV-OE = Operator fails to increase flow to steam generator #12 when flow to other steam generator is blocked; p = 1E-2.

AFW4520-NOC-LF = Local fault of feedwater valve fails AFW turbine-driven pump flow to steam generator #11; p = 1E-3.

AFW4521-NOC-LF = Local fault of feedwater valve fails AFW turbine-driven pump flow to steam generator #11; p = 1E-3.

AFW4511-NOC-LF = Local fault of feedwater valve fails AFW turbine-driven pump flow to steam generator #11; p = 1E-3.

8.1.16.3 Major Assumptions and Recovery Actions

The initial screening value for this sequence was 5.9E-5/yr. The recovery actions are to recover offsite power within one hour and start the AFW motor pump (RA-LOSP1, p = .45) or start an AFW train by either (1) starting the locked out turbine pump #12 (RA-3, p = .04), (2) returning turbine pump 11 from test (RA-4, p = .01), (3) starting the motor pump (RA-2, p = .02), or (4) crossfeeding from unit 2 (RA-16, p = .1). The application of these recovery actions reduces the sequence frequency to 1.0E-6/yr.

8.1.16.4 Engineering Insights

Approximately one-third of the sequence frequency is the result of cut sets which contain terms representing maintenance of two AFW feedwater regulation valves. Maintenance of these valves requiring disassembly would require that both AFW turbine-driven pumps be locked out. This event would not have been allowed by technical specifications prior to adding the third motor-driven AFW pump.

8.2 Containment Response and Release Categories

The dominant Calvert Cliffs core melt sequences are listed in Table 8.3, along with the applicable containment failure modes. The accident processes, timing of core melt, containment failure modes, and level of fission product releases to the atmosphere for these sequences are based on previous analysis performed at Battelle Columbus Laboratories on the Calvert Cliffs Unit 2 plant for the RSSMAP program. The containment failure modes (α, β, γ, δ, ε) and release categories listed in Table 8.4 for the various sequences are the same as those employed for the PWR in the Reactor Safety Study (WASH-1400) [11]. The purpose of the analysis performed at Battelle was to (1) determine the probability of each containment failure mode occurring for each dominant sequence, and (2) determine what release category the full accident sequences belong in. The results of this analysis are shown in Table 8.3.

In the quantification of containment failure modes, the probability of containment failure due to in-vessel steam explosions (α) was assumed to be 1E-7 for meltdowns at low pressure and 1E-4 for high primary system pressures. The former corresponds to the steam explosion containment failure probability developed in the Reactor Safety Study; the latter reflects more recent experimental observations indicating reduced potential for energetic interactions at elevated system pressures. All containment failure probabilities are assumed to be the same as in the RSSMAP Calvert Cliffs Study [9].

From Table 8.4, it is seen that all the steam explosion cases for Calvert Cliffs are estimated to fall into Release Category 1, even those in which the sprays are initially operating. In the Reactor Safety Study, the latter were predicted to be in Release Category 3. Examination of the details of the analyses indicates that the higher release fractions currently calculated for steam explosion cases with sprays initially operating are a direct result of larger puff releases associated with the steam explosion itself. The MARCH analyses take into account the vapor generated by the steam explosion and include this in the puff release. For steam explosions at low containment pressures, this results in larger fractional releases than were previously predicted. The results for steam explosion without containment sprays are consistent with previous results.

Based on previous results, sequences involving loss of containment isolation (β) were assigned Category 4 or Category 5 releases, without and with containment sprays, respectively.

Containment failure due to hydrogen burning (γ) was found to lead to Category 2 and 3 releases. The Category 2 releases generally occur in the absence of containment sprays during core meltdown. The Category 3 releases are generally associated with sequences in which containment sprays are operational, but in which hydrogen burning is predicted to fail containment at about the time of vessel bottom head failure.

Containment overpressurization (δ) in the absence of containment heat removal, but with operational emergency core cooling systems, leads to meltdowns in a failed containment and has been found to result in Category 2 releases. Overpressurization due to rapid boiloff of water from the reactor cavity by quenching of the core debris leads to Category 2 or 3 releases, depending on the availability of the containment sprays up to the time of containment failure. In the complete absence of containment safety features, the difference in time between containment failure due to debris fragmentation and failure due to concrete attack without debris fragmentation is relatively short, and both types of overpressure failure may lead to Category 7 releases. In the intermediate case where the core debris may be only partially quenched, either due to limited fragmentation or other factors, containment failure could possibly be delayed somewhat longer, with resultant Category 3 releases.

Containment meltthrough (ε) may be the principal mode of containment failure if the other failure modes are avoided. Meltthrough sequences in which the containment sprays or coolers are operating have been found to result in Category 7 releases. If meltthrough takes place in the absence of containment safety features, Category 6 releases are predicted.

8.3 Sensitivities

Several assumptions were incorporated into the structure of the analytic models utilized in this study. These assumptions were generally founded upon engineering judgment. While we feel that the assumptions are good, we recognize that alternate assumptions could have been made which could significantly impact the model structure. In this section, we investigate the effect that an alternate set of assumptions would have on the quantitative results of this study. This is done by recalculating the affected sequence's frequencies taking into account all deleted or modified cutsets as a result of the modeling change.

Table 8.5 summarizes the effect that these sensitivity issues have on the total core melt frequency estimate for the Calvert Cliffs Unit 1.

HPSI Pump Seal Cooling

The fault tree model of HPSI explicitly models the need for HPSI pump seal cooling from the CCW system in the recirculation phase of an accident. However, a recent assessment done by the utility* indicates that up to two hours might be required before the seals would fail in the case of a Large LOCA. For the sequences of interest, Small-small LOCAs, the temperature of the water should be less and possibly even longer times might be required before the failure.

* Personal communication with Niall Hunt of BG&E.

If we assume that HPSI pump seal cooling is not required, then sequence SH 2 is affected. The frequency of SH 2 goes from 1.4E-5/yr to 1.0E-5/yr and the total core melt frequency is not significantly affected.

HPSI Pump Room Cooling

The fault tree models of HPSI and CSSI explicitly model the need for pump room cooling in the recirculation phase of an accident. This need is taken from the FSAR requirement for room cooling following a Large LOCA. A recent assessment done by the utility* indicates that room temperature will indeed reach pump temperature limits rather quickly (~15 minutes) when all pumps are working. However, for the case of a Small-small LOCA where only one pump is running, the heat load is much less. In this case, it is not clear if the room temperature will ever reach the pump temperature limits due to the large heat sink in the room.

A reasonable assumption would be that the HPSI and CSSI pumps would not fail due to a lack of room cooling in the recirculation phase of a Small-small LOCA. Sequences SF2 and S2 FH are affected by this assumption. The frequency of SP 2 goes from 1.4E-5/yr to 1.2E-5 and S2 FH goes from 1.1E-5/yr to 1.6E-6/yr. The total core melt frequency is reduced to 1.1E-4/yr.

Crossfeeding AFW From Unit II

As a result of the recent design change in the AFW system, a motor-driven AFW pump has been added to each unit. These motor-driven pumps can each crossfeed the other unit and supply sufficient water to cool down the plant. The actions required can be performed in the control room. New procedures are being written to direct the operator to perform this action.

In the case of loss of offsite power, the likelihood of the operator successfully performing this operation is limited by two considerations: (1) the motor-driven pump is powered by a diesel whose unavailability is ~.12 (including all support system faults), and (2) the AFW needs of his own unit which has also, most likely, tripped. Therefore, for recovery modeling, the most likely recovery action, in this case, was still considered to be the operator starting the locked-out turbine-driven pump.

In the case where offsite power is not lost, starting the other unit's motor-driven pump would result in cold water being injected into the operating unit's steam generators, and it was judged that there would be some reluctance on the part of the operator to perform this action. In this report, therefore, it was decided to use other likely recovery actions, if they were available, and use crossfeeding from the other unit only if no other action was possible. However, given appropriate procedures and operator training, crossfeeding may very well be the preferred action.

* Personal communication with Niall Hunt of BG&E.

If we assume that the operator is likely to perform this action within a one-hour time frame, a probability of non-recovery of p = .01 can be assigned. Applying this recovery action to all non-loss-of-offsite-power sequences which involve failure of AFW, the total core melt frequency is reduced from 1.3E-4/yr to 1.0E-4/yr. The sequences affected are TDCL, T2ML, T4ML, and T3ML. In order to recalculate the sequence frequencies, the unrecovered frequencies were multiplied by the probability of not crossfeeding (p = .01). This assumes that crossfeeding is the only recovery action. Given the long time available, multiple actions may be possible and even greater reductions realized with appropriately designed procedures.

Primary System "Feed and Bleed" Possible

In this report, no credit was given for the possible use of primary system "feed and bleed." "Feed and bleed" is an alternate way of cooling down the plant given all secondary heat removal has failed (i.e., PCS and AFW have both failed). It is performed by using HPSI to feed the primary with cold borated water while at the same time bleeding through the PORVs to remove energy from the core.

There are two questions about the feasibility of using this method at Calvert Cliffs. First, the thermal-hydraulic consideration that, due to the low shutoff head of the HPSI pumps (~1275 psia), it may not be possible to reduce the pressure sufficiently by opening the PORVs within the short time available (~10 minutes) to initiate "feed and bleed" [24,25]. Second, there are no procedures at Calvert Cliffs for performing this action, and it requires the removal of a trip unit to de-energize a bistable in order to keep the PORVs continuously open.

Given that the thermal-hydraulic question is resolved in favor of "feed and bleed," it is still doubtful if "feed and bleed" could or would be performed at Calvert Cliffs given the current design, operator training, and time available. If appropriate changes were made in operator training and in hardware to make the action easy to perform from the control room, the total core melt frequency could be reduced at most to 1.0E-4/yr with the optimistic assumption that the probability of the operator not performing "feed and bleed" was p = .01. This is the same reduction as for crossfeeding the AFW from the other unit and affects exactly the same sequences. If a more likely probability of p = 0.1 was used for the operator not performing the "feed and bleed" within ~10 minutes, then no reduction would be realized in the total core melt frequency. Credit would not be given for "feed and bleed", as other more-likely recovery actions would be used instead (i.e., the actions we have given credit for in this analysis).

ATWS

i) Primary System Failure on Exceeding Service Level D

As discussed in Section 8.1.1, any pressure transient following an ATWS event which resulted in pressures greater than the service level C (3200 psia) limit was assessed to result in unacceptable plant conditions and equated to core melt. This position was taken because of the large uncertainty in the system response at pressures greater than this limit. In particular, significant uncertainties exist in the expected response of the reactor vessel head, old steam generator tubes, and HPSI and CVCS check valves at such high pressures. This position is consistent with the NRC analysis in support of the ATWS rule [22], but not with CE analyses [21].

The CE analyses [21] use exceeding the service level D (4200 psia) limit as leading to unacceptable plant conditions. Considerable controversy exists as to which assumption should be used. If the service level D limit is used, as in the CE analysis, then the probability of an unfavorable MTC is 0.04 for all transients (although this was calculated for loss of feedwater transients only and should be less for other transients). The ATWS(PSF) sequence frequency using the service level D limit is reduced from 2.8E-5/yr to 7.3E-6/yr and the T2KU and T2KQ sequence frequencies are increased from 8.5E-7/yr to 1.7E-6/yr and 5.0E-7/yr to 1.0E-6/yr, respectively. The total core melt frequency is reduced to 1.1E-4/yr.

ii) TKU Sequences are not Early Core Melts

As discussed in Section 8.1.6, no long-term thermal-hydraulic analyses have been done for this type of sequence. Approximately one third of the amount of water necessary to uncover the core has been lost due to the initial pressure transient. The predicted system response after the pressure transient, assuming the RCPs trip and after PORV closure, shows pressure equilibrating at about 1800 psia and rising slowly. However, there is some doubt that the RCPs will trip as assumed by CE. CE assumed pump cavitation, when the primary system coolant saturated, would degrade pump operation causing a trip. Experimental evidence does not support this contention. Without RCP trip the decreased voiding in the core region may lead primary system pressure to increase, possibly to the PORV setpoint. The time allowed in this analysis for the operator to initiate boration in order to decrease system pressure enough to prevent subsequent core uncovery is 30 minutes.

Given that the RCPs trip or that the response with the RCPs running is not severe enough to result in continued high pressures and coolant loss, possibly much longer than 30 minutes would be available for the operator to initiate emergency boration (i.e., up to several hours). If we assume that greater than one hour is available, then the probability of operator failure is less than or equal to p = .01 and the frequencies of T4KU and T3KU decrease from 6.7E-6/yr to 2.9E-6/yr and 3.7E-6/yr to 1.6E-6/yr, respectively. The total core melt frequency is reduced to 1.2E-4/yr.

iii) TKQ Sequences are not Early Core Melts

As discussed in Section 8.1.11, no thermal-hydraulic analyses have been done for ATWS sequences with stuck-open PORVs. The response has to be extrapolated from the TK sequence analyses. Because of the low shutoff head of Calvert Cliffs HPSI pumps, there is considerable uncertainty as to whether or not pressure can be reduced enough to allow primary makeup in time to prevent core uncovery and melt. The uncertainties in sequence phenomenology and system response make the outcome difficult to predict. Some examples of these uncertainties are: (1) various times of boron initiation, (2) RCPs tripping or not tripping, (3) the effect of the mass loss through the PORV vs. the increased heat removal rate (which results in a higher equilibrium power), and (4) the timing of core uncovery due to the mass lost in the initial pressure transient plus the amount lost through the subsequent sticking open of the PORV. In this analysis, the sequences were modeled as resulting in core uncovery and melt.

If one makes the assumption that the pressure decreases enough so that HPSI injection can successfully be implemented in time to prevent core uncovery, then the sequence frequency can be reduced by allowing multiple recovery actions such as initiating emergency boration and subsequently high pressure injection. Given that the operator may not have initiated emergency boration until 30 minutes into the accident, a time of the order of 10 minutes would be available to perform any additional action.

If we assigned a probability of p = 0.1 to the operator failing to perform any subsequent action, then the frequency of T4KQ decreases from 4.3E-6/yr to 6.1E-7/yr and T3KQ decreases from 2.3E-6/yr to 3.3E-7/yr. The total core melt frequency decreases to 1.2E-4/yr.

iv) P(MTC) = 0.5 for T3 and T4 transients

In this analysis, we have used a value of 0.1 for the probability of having an unfavorable MTC on T3 and T4 transients. This value is less than the 0.5 value used for T2 transients because of the less severe characteristics of the T3 and T4 transients (i.e., the lower predicted peak pressures).

The NRC analysis in support of the ATWS rule [22] uses 0.5 for all transients. This value is from NUREG-0460 and was used for all CE and B&W plants because of the similarities in plant responses. While the response of other larger CE plants and B&W plants is similar and this seems to be a reasonable grouping of plants for a generic analysis, the response of Calvert Cliffs is significantly different for T2 vs. T3 and T4 transients.

If, however, we assume that the probability of an unfavorable MTC is 0.5 for all transients, then the ATWS(PSF) frequency increases from 2.8E-5/yr to 9.1E-5/yr and the frequencies of T4KU, T3KU, T4KQ and T3KQ decrease from a total of 1.7E-5/yr to 8.5E-6/yr (i.e., just multiply by a .5 probability of a favorable MTC). The total core melt frequency increases to 1.9E-4/yr.

v) Failure to Scram Probability

The value used in this study for the probability of failure to scram is 3E-5 and is taken from NUREG-0460 [23]. Although this value was used in the RSSMAP PRA, other IREP studies, the utility group ATWS study [21], and the NRC analysis in support of the ATWS rule [22], considerable controversy still exists about this number.

In order to bound the effects of various sides of this issue, two values have been chosen to perform sensitivity analyses. The first is 1.0E-4. This value is the point estimate based on world-wide LWR RPS experience and is taken from reference 22. It represents three failures in 22,560 demands. The second value is 5.0E-6 and represents the value obtained in the ANO-1 PRA [27] from a fault tree analysis of an RPS system. This value is judged to be typical of an RPS system without any significant common mode failures and to represent a likely lower bound on RPS unavailability.

For the assumption of 1.0E-4/yr, the total core melt frequency is increased from 1.3E-4/yr to 2.4E-4/yr as all ATWS sequences are increased by a factor of 3.3. For the assumption of 5.0E-6/yr, the total core melt frequency decreases from 1.3E-4/yr to 9.1E-5/yr as all ATWS sequences are decreased by a factor of 6.
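The recalculations in this section can be cross-checked against Tables 8.2 and 8.5. The following Python sketch is an added example, not code from the report: it applies each frequency substitution stated above to the Table 8.2 point estimates and compares the resulting total with the Table 8.5 value. It assumes that T2KU and T2KQ are counted in the "sequences below cutoff" bin and that T2ML in the text is the T2L row of Table 8.2; exact agreement is not expected, because the report recalculated at the cutset level and the inputs here are the rounded published values.

```python
# Added example: cross-check of the Section 8.3 sensitivity totals.
# All frequencies are per reactor-year, transcribed from Table 8.2 and the text.

# Table 8.2, "after recovery" column.
AFTER_RECOVERY = {
    "ATWS(PSF)": 2.8e-5, "TDCL": 2.1e-5, "S2H": 1.4e-5, "S2FH": 1.1e-5,
    "T2L": 7.1e-6, "T4KU": 6.7e-6, "T4ML": 6.3e-6, "T1Q-D\"CC'": 5.3e-6,
    "T1L": 4.9e-6, "Blackout": 4.4e-6, "T4KQ": 4.3e-6, "T3KU": 3.7e-6,
    "T3KQ": 2.3e-6, "T3ML": 1.7e-6, "S2D\"": 1.6e-6, "T1LCC'": 1.0e-6,
}
BELOW_CUTOFF = 7.8e-6

# Assumption: T2KU and T2KQ (base values quoted under ATWS item i) sit inside
# the below-cutoff bin, since neither appears as a row of Table 8.2.
T2K_BASE = {"T2KU": 8.5e-7, "T2KQ": 5.0e-7}

# Table 8.2, "before recovery" column, for the AFW-failure sequences without
# loss of offsite power. Assumption: "T2ML" in the text is the "T2L" row.
BEFORE_RECOVERY_AFW = {"TDCL": 4.9e-4, "T2L": 1.8e-4, "T4ML": 3.4e-4, "T3ML": 8.5e-5}

ATWS_SEQUENCES = ["ATWS(PSF)", "T2KU", "T2KQ", "T4KU", "T4KQ", "T3KU", "T3KQ"]
P_SCRAM_BASE = 3e-5  # failure-to-scram probability used in the study


def base_model():
    """Return sequence -> frequency with the below-cutoff bin split out."""
    model = dict(AFTER_RECOVERY)
    model.update(T2K_BASE)
    model["other below cutoff"] = BELOW_CUTOFF - sum(T2K_BASE.values())
    return model


def scaled(freqs, names, factor):
    """Overrides that multiply the named sequences by a common factor."""
    return {name: freqs[name] * factor for name in names}


def sensitivity_cases(model):
    """Map case name -> (frequency overrides, total published in Table 8.5)."""
    mtc = scaled(model, ["T4KU", "T3KU", "T4KQ", "T3KQ"], 0.5)
    mtc["ATWS(PSF)"] = 9.1e-5
    return {
        "1 base case": ({}, 1.3e-4),
        "2 no seal cooling": ({"S2H": 1.0e-5}, 1.3e-4),
        "3 no room cooling": ({"S2H": 1.2e-5, "S2FH": 1.6e-6}, 1.1e-4),
        "4 crossfeed AFW, p=.01": (
            scaled(BEFORE_RECOVERY_AFW, list(BEFORE_RECOVERY_AFW), 0.01), 1.0e-4),
        "6i service level D": (
            {"ATWS(PSF)": 7.3e-6, "T2KU": 1.7e-6, "T2KQ": 1.0e-6}, 1.1e-4),
        "6ii TKU not core melt": ({"T4KU": 2.9e-6, "T3KU": 1.6e-6}, 1.2e-4),
        "6iii TKQ not core melt": ({"T4KQ": 6.1e-7, "T3KQ": 3.3e-7}, 1.2e-4),
        "6iv P(MTC)=.5": (mtc, 1.9e-4),
        "6v scram failure = 1E-4": (
            scaled(model, ATWS_SEQUENCES, 1.0e-4 / P_SCRAM_BASE), 2.4e-4),
        "6v scram failure = 5E-6": (
            scaled(model, ATWS_SEQUENCES, 5.0e-6 / P_SCRAM_BASE), 9.1e-5),
    }


def recompute():
    """Return case name -> (recomputed total, published total, relative deviation)."""
    model = base_model()
    results = {}
    for name, (overrides, published) in sensitivity_cases(model).items():
        unknown = set(overrides) - set(model)
        if unknown:  # a mistyped sequence name must not silently add a new term
            raise KeyError(f"{name}: unknown sequences {sorted(unknown)}")
        total = sum({**model, **overrides}.values())
        results[name] = (total, published, abs(total - published) / published)
    return results


if __name__ == "__main__":
    for name, (total, published, dev) in recompute().items():
        print(f"{name:26s} recomputed {total:.2e}  Table 8.5 {published:.1e}  dev {dev:5.1%}")
```

The largest deviations fall on the room-cooling and crossfeeding cases, where the published total also reflects cutset-level changes that a sequence-level substitution cannot see.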


8.4 Limitations of the IREP Methodology and Analysis and Future Uses of the Models

The quantitative results of this IREP study must be viewed and used with a thorough understanding of the limitations of the methodology used. As previously identified, this is principally a reliability study. While inference regarding risk-dominant accident sequences can be obtained from the analysis, a detailed risk analysis was not performed, nor was it intended. The analysis leading to the grouping of accident sequences into release categories relied heavily on previous studies performed on similar plants and did not do extensive plant-specific analyses. Recognizing the inherent uncertainties in this type of categorization, the information generated was not used as an input to a calculation of consequence distribution. External events such as earthquakes, fires, floods, and other influences from without were not considered. Thus, the quantitative results must be regarded as being incomplete from a risk perspective. However, this analysis does give a good estimate of the frequency of core melt accidents from internal initiators.

In utilizing the results of this study, the following limitations should be recognized:

1. The final generic data base [3] used in the quantification analyses for CC-1 was similar to the WASH-1400 data base but updated as a result of the National Reliability Evaluation Program (NREP). Plant-specific data were utilized when the analyst found it different from the generic base. However, the detailed comprehensive examination of plant logs necessary to fully evaluate in-plant data was not performed.

2. Human performance was modeled using the techniques described in NUREG/CR-1278 [5]. However, the systematic bias in human response (either positive or negative) that may result because of morale or management practices was not included. In addition, human acts of commission were, in general, not included in the analysis.

3. An attempt was made to couple the root cause of the initiating event with system faults in analyzing accident sequences. The technique used is believed to be reasonably efficient to identify single failures which may initiate a transient and degrade the performance of one or more safety systems. However, multiple fault scenarios of this type may have been omitted.

4. Coupling of faults associated with design, fabrication, or environmental conditions was not treated explicitly.

5. Since the dominant accident sequences were identified using upper-bound human error rates and generic data, and then had a second more-sophisticated analysis performed on them, all the residual non-dominant sequence frequencies are evaluated on a more "conservative" basis.

There were also several assumptions made throughout the analysis regarding the depth of analysis which could influence the results. The depth of the analysis in many ways defines the level of interactions or dependencies considered; and, while we believe the assumptions made are valid, the possibility exists that additional dependencies might be identified with further analysis. Examples of the type of assumptions made include (1) including only those single passive failures which can fail an entire system, and (2) ignoring misposition faults for valves which automatically are commanded to the proper position upon engineered safety features actuation and for valves which have position indicated in the control room and are monitored each shift using a checkoff procedure.

The incompleteness and subjectivity associated with the aforementioned topics do not invalidate the analysis performed. The important product of this project is the framework of engineering logic generated in constructing the models, not the precise numbers resulting from the mathematical manipulations of these models.

The patterns, ranges, and relative behaviors which are obtained can be used to develop insights into the design and operation of a plant which can only be gained from an integrated consistent approach such as this IREP analysis. These insights are applicable to utility and regulatory decision making, although they should not be the sole facts for such descriptions. By comparative evaluations, those features of the plant which are predicted to have a more significant influence on risk can be identified, and owner and regulatory efforts can be focussed on them to determine if they are acceptable. Similarly, regulatory efforts addressed should also be evaluated. The rank ordering of risk-dominant accident sequences provides a framework for future value-impact analyses on potential plant modifications.

8.4.1 Application of Results

The generic views regarding the usefulness of the IREP analyses expressed above suggest several concrete applications that can be made. They are presented below in the form of suggestions to plant owners for application of the results.

For this program to have value, the models should become a practical tool for use by licensees as the centerpiece of a risk-management or safety-assurance program. In many cases, the models may have to be perturbed somewhat to achieve the various goals. However, we have attempted to construct them in such a manner as to minimize the difficulty associated with such use. These models should be maintained in a current status and used as tools in operations management. Specific suggestions are listed below.

8.4.1.1 Operator Training and Simulator Design.

The IREP study generated a catalog of severe accident sequences, with rough assessments of the likelihood, severity, and principal root causes of each. Some of these could be included in operator training and simulator design. This information can also be used as a starting point for further studies intended to assess the similarity of the symptom profile among accidents requiring different operator response, and to survey the hazards associated with misdiagnosis or less-than-optimum recovery actions. A natural follow-up is an assessment of the adequacy of instrumentation and status-monitoring equipment.

8.4.1.2 Emergency Planning

The catalog of accident sequences and the likelihood estimates emerging from IREP can be used to train emergency response personnel in what to expect. IREP results can also serve as a basis to improve the set of symptoms to be used as trigger points for the declaration of site or general emergencies, and they can be used in developing guides on the diagnosis and prognosis of accidents as they develop.

8.4.1.3 Adequacy of Procedures

It is common in studies such as IREP to discover a few instances in which emergency procedures or maintenance procedures should be improved and which are of prime importance to the accident susceptibility of the plant. The results herein should be studied to determine if this is the case here. Beyond these lessons, IREP models can be used to measure the importance of individual procedures to safety and to explore the risk associated with errors in following procedures.

8.4.1.4 Adequacy of Limiting Conditions of Operation

An IREP study provides the tools with which to optimize allowable outage times and surveillance intervals. The IREP models can also be used in evaluating requests from utilities to continue power generation when equipment is out of service beyond their specified allowable outage times.

8.4.1.5 Systems Integration Reviews

IREP is designed to model explicit functional dependencies among systems. It is not uncommon to discover that an auxiliary system is a weak link with respect to reliability in such a manner that it governs plant risk. Hard-wired systems interactions, human behavior that can couple the unavailability of several safety systems, and the importance of auxiliary systems to safety have emerged in IREP results. Such findings are not complete or precise; nonetheless, they represent a vast improvement on safety analyses done to date.

8.4.1.6 Significance of Component Reliability

The IREP models can be used to develop quantitative measures of importance to safety for the reliability of components, trains, whole systems, and classes of accident sequences. These methods enable the use of cost-benefit analyses on reliability improvements for components, and the more discriminating use of the more expensive quantification or in-service inspection techniques.

8.4.1.7 System Reliability

Estimates of system reliability can be produced from an IREP study. Quantitative measures of the importance of system components can be calculated from the IREP models, and the more likely failure modes which are believed to dominate the unavailability of these systems are identified. With this information, one can assess the possibility that a failed system could be repaired before its failure reaches a point of no return under accident conditions. Operators can be trained in fault diagnosis and in "quick fixes." The adequacy of diagnostic instrumentation and status monitoring can be assessed. Surveillance practices can be altered to improve the availability of particularly critical systems.

8.4.1.8 Accident Sequences

In addition to identifying accident sequences and estimating their frequency, IREP models can also serve as a test bed with which to explore the effects of changes in design or operations practices. Possible improvements may be obvious in light of the results. In other cases, the effectiveness of hypothetical improvements can be assessed (within the limits of the completeness of the models). A particularly valuable use of these models lies in the evaluation of attendant risks associated with changes, i.e., will a fix for one safety problem make different accident sequences more likely? IREP provides a tool that can be used to address such questions.

8.4.1.9 Evaluation of Operating Occurrences

The IREP models and results can be used in the evaluation of whether or not a fault occurring in plant operation or testing was a precursor of a more serious event, and to evaluate its importance. One can explore each of the classes of severe accident sequences for the role that might have been played by the actual event. In addition, patterns of licensee events or trends can be assessed for risk significance with the IREP models.

8.4.1.10 Validation of IREP Analyses

The occurrence of faults or errors in the operation or testing of the plant can be used to update, validate, or improve the completeness or accuracy of the IREP models and the projected failure frequencies. Doing so has the dual advantage of improving the IREP model for its many other uses, as well as illuminating the safety significance of the operating experience.

8.4.1.11 Design Errors and Generic Safety Issues

There are several cases of safety problems in reactor plants that IREP studies do not analyze. Among these are susceptibility to fires, floods, sabotage, earthquakes, design or installation errors that are not revealed by the explicitly known, hard-wired functional dependencies among systems, and effects assumed to be negligible in the IREP study, such as the role of snubber failures. However, the models generated in IREP can be used to put such concerns into perspective once the concern has been explicitly postulated. For example, one can use IREP to assess which accident sequences might be affected by the postulated safety issue and estimate at what level of severity the deficiency -- if any -- might emerge from the background of minor contributors to risk into one of the dominant concerns. Thus, IREP can be immensely useful even in contexts in which its predictive power is poor.

8.4.2 Conclusions on the Applications of IREP

It should be noted that none of the uses suggested above depend upon the bottom-line predictions of risk. They all depend upon the more trustworthy comparative measures of importance and upon the catalog of accident sequences to which the subject plant is susceptible.

Some of the applications are sensitive to the limitations of the study, particularly in completeness and quantitative accuracy. Nonetheless, the applications can be tailored to the known limitations and the models generated can provide a coherent framework to address the "what if" questions concerning its accuracy in these applications.

The suggested applications of the models in this report do not require a precise analysis of the phenomenology of reactor accidents. Thermal hydraulics, containment challenge analyses, and the like need only be good enough to develop the broad outlines -- the "cliffs and valleys" -- in the accident processes, although there are rare occasions when uncertainties in the modeling of accident processes can make large differences in the course or consequences of reactor accidents.

In general, formal, plant-specific consequence analysis is unnecessary for these applications. It is useful to be able to identify accident sequences with categories of outcome severity, and the applications to emergency planning require some information on offsite consequences. However, the accuracy warranted can be met by interpolating the accident sequences among those in the published risk assessments that have included formal consequence analysis.

It is hoped that studies similar to this IREP analysis will become a common language, shared by the NRC and the licensees, to put safety issues in context. The use of IREP as a tool for safety analysis and in operations management should enable many loopholes in the assurance of reactor safety to be identified and closed, and at the same time, improve the cost-effectiveness and risk-relevance of NRC regulatory initiatives.

Table 8.1 Legend Used in Tables 8.2, 8.3, and 8.4

Initiating Events

S2  = Small-small LOCA ( 1.9" in dia.)
T1  = Loss of Offsite Power
T2  = Loss of PCS
T3  = Transients requiring primary relief
T4  = All other transients
TDC = Loss of 125 VDC bus 11

System Failures

D"  = High Pressure Safety Injection
F   = Containment Spray System (Recirculation)
H   = High Pressure Safety Recirculation System
K   = Reactor Protection System
L   = Auxiliary Feedwater System
M   = Power Conversion System
Q   = Relief valves fail to reclose
U   = Chemical Volume and Control System
C   = Containment Air Recirculation and Cooling System
C'  = Containment Spray System (Injection)

Containment Failure Modes

α   = Vessel steam explosion
β   = Leakage
γ   = Hydrogen burning
δ   = Overpressure
δ'  = Delayed overpressure
ε   = Basemat meltthrough

Table 8.2 Final Calvert Cliffs Dominant Accident Sequences (after recovery)

                                      IREP Frequency    IREP Frequency    % Total
                                      Before Recovery   After Recovery    CM
Sequence          Description         (/yr)             (/yr)             Frequency

ATWS(PSF)         ----                2.8E-5            2.8E-5             20
TDC-82            TDCL                4.9E-4            2.1E-5             16
S2-50             S2H                 5.1E-5            1.4E-5             11
S2-52             S2FH                5.7E-5            1.1E-5              9
T2-82             T2L                 1.8E-4            7.1E-6              6
T4-173            T4KU                6.7E-6            6.7E-6              5
T4-147            T4ML                3.4E-4            6.3E-6              5
T1-65             T1Q-D"CC'           1.3E-5            5.3E-6              4
T1-82             T1L                 2.4E-5            4.9E-6              4
Blackout          ----                2.4E-4            4.4E-6              3
T4-152            T4KQ                4.3E-6            4.3E-6              3
T3-139            T3KU                3.7E-6            3.7E-6              3
T3-118            T3KQ                2.3E-6            2.3E-6              2
T3-113            T3ML                8.5E-5            1.7E-6              1
S2-59             S2D"                2.8E-6            1.6E-6              1
T1-85             T1LCC'              5.9E-5            1.0E-6              1
Sequences below
cutoff            ----                ----              7.8E-6              6

Total             ----                ----              1.3E-4            100

- Table 8.3 Calvert Cliffs Unit-1 Dominant Accident Sequence Frequencies by Release Category Release Category 2 3 4 5 6 7 Sequence 1 ATWS(PSF) u=2.8E-9 --

y+ 6= 2. 0E- 5 -

B=2.0E-7 -

c= 8. 4 E- 6 a=2.1E-9 --

y+6=1.5E-5 -

0=1.5E-7 -

c=6.3E-6 l TDCL S2H a=1.4E-7 -- y+6=9.8E-6 --

c=9.8E-8 -

c=4.2E-6 S 2 FH a=1.lE-7 y+6=7.7E-6 --

8=7.7E-8 --

c=3.3E-6 --

TL a=7.lE-10 --

y+6=5.0E-6 -

8=5.0E-8 -

c=2.lE-6 2

T4KU a=6.7E-10 --

y+6=4.7E-6 --

G=4.7E-8 -

c=2.0E-6 T4ML a=6.3E-10 -- y+6=4.4E-6 --

0=4.4E-8 -

c=1.VE-6 T10-D"CC' a=5.3E-10 6=4.2E-6 6'=1 lE-6 8=3.7E-8 -- -- --

TLI u=4.9E-10 --

y+6=3.4E-6 --

S=3.4E-8 -

c=1.5E-6 Blackout a=4.4E-10 6=3.5E-6 6'e8.8E-7 B=3.lE-8 -- -- --

a=4.3E-10 --

y+6=3.0E-6 --

8=3.0E-8 -

c=1.3E-6 m T4KQ a=3.7E-10 -- y+6=2.6E-6 --

0=2.6E-8 -

c=1.lE-6 5 T3KU a=2.3E-10 y+6=1.6E-6 --

0=1.6E-8 -

c=6.9E-7 T3 Q u K u=1.7E-10 -- y+6=1.2E-6 --

B=1.2E-8 -

c=5.lE-7 T3ML c=4.8E-7 S2D" u=1.6E-10 --

y+6=1.lE-6 -

0=1.1E-8 -

TILCC' a=1.0E-10 _6=8.0E-7 _6'=8.0E-7 8=7.0E-9 -- -- --

Category Total 2.6E-7 2.0E-5 7.5E-5 1.5E-7 7.2E-7 3.3E-6 3.lE-5

s Table 8.4 Calvert Cliffs Unit-1 Containment Failure Mode Probabilities Release Category 2 3 4 5 6 7 Sequence 1 ATWS ( PSF) a=lE-4 -- y+6=.7 --

B=7E-3 --

c=.3

=lE-4 -- y+6=.7 --

B=7E-3 --

c=.3 TDCL SH a=lE-2 --

y+6=.7 --

0=7E-3 --

c=.3 ,

2 c=.3 S 2 FH u=lE-2 y+6=.7 --

B=7E-3 - --

TL2 a=lE-4 -- y+6=.7 --

B=7E-3 --

c=.3 T 4 KU a=lE-4 -- y+6=.7 --

0=7E-3 --

c=.3 a=lE-4 y+6=.7 --

G=7E-3 -

c=.3 l T 4 ML --

T10-D"CC' a=lE-4 6=.8 6'=.2 B=7E-3 - - -

l TLI a=lE-4 -- y+6=.7 --

B=7E-3 -

c=.3 Blackout a=lE-4 6=.8 6'=.2 B=7E-3 - - --

T4KQ a=1E-4 --

y+6=.7 --

B=7E-3 --

c=.3 f a=lE-4 y+6=.7 -

8=7E-3 -

c=.3 4 T 3 KU --

T 3KO a=lE-4 -- y+6=.7 --

B=7E-3 --

c=.3 T 3 ML a=lE-4 -- y+6=.7 --

8=7E-3 --

c=.3 S 2 D" a=lE-4 -- y+6=.7 --

8=7E-3 --

c=.3 TILCC' a=lE-4 6=.8 6'=.2 G=7E-3 -- -- --


Table 8.5 Summary of Sensitivity Issues

                                                     CC-1 Total Core Melt
Sensitivity Issue                                    Frequency (/yr)

1. Base Case                                         1.3E-4
2. HPSI Pumps do not Need Seal Cooling               1.3E-4
3. HPSI Pumps do not Need Room Cooling               1.1E-4
4. Crossfeeding AFW from Unit 2 (P = .01)            1.0E-4
5. Primary System "Feed and Bleed" Possible          1.3E-4 to 1.0E-4
                                                     (depending on assumptions)
6. ATWS
   i)   Primary System Failure on Exceeding
        Service Level D                              1.1E-4
   ii)  TKU Not Core Melt                            1.2E-4
   iii) TKQ Not Core Melt                            1.2E-4
   iv)  P(MTC) = .5 for T3 and T4 Transients         1.9E-4
   v)   Scram Failure Probability = 1E-4             2.4E-4
                                  = 5E-6             9.1E-5

REFERENCES

1. U. S. Nuclear Regulatory Commission, NRC Action Plan Developed as a Result of the TMI-2 Accident, NUREG-0666, May 1980.
2. Garcia, A. A., et al., Crystal River-3 Safety Study, NUREG/CR-2515, SAND 81-7229/1, December 1981.
3. Carlson, D. D., et al., Interim Reliability Evaluation Program Procedures Guide, NUREG/CR-2728, SAND 82-1100 Sandia National Laboratories, January 1983.
4. Worrell, R. B. and D. W. Stack, A SETS User's Manual for the Fault Tree Analyst, SAND 77-2051, Sandia National Laboratories November 1978.
5. Swain, A. D. and H. E. Guttmann, Handbook of Human Reliability Analysis with Emphasis on Nuclear Plant Applications, Draft Report, NUREG/CR-1278, SAND 80-200, Sandia National Laboratories, September 1980.

6. Calvert Cliffs Nuclear Power Plant Units 1 and 2. Final Safety Analysis Report, Baltimore Gas and Electric Company, January 1971.
7. ATWS: A Reappraisal - Part 3: Frequency of Anticipated Transients. Prepared by Science Applications, Inc., EPRI NP-2230 Project 1233-1, Interim Report, January 1982.
8. Letter from J. A. Murphy, NRC to D. D. Carlson, SNL, Subject, Component Failure Rates to be Used for IREP Quantification, September 26, 1980.
9. Kolb, G. J., et al., Reactor Safety Study Methodology Applications Program: Calvert Cliffs #2 PWR Power Plant, Sandia National Laboratories and Battelle Columbus Laboratories, NUREG/CR-1659/3 of 4, SAND 80-1897/3 of 4, May 1982.
10. U. S. Nuclear Regulatory Commission, Generic Evaluation of Feedwater Transients and Small Break Loss-of-Coolant Accidents in Combustion Engineering-Designed Operating Plants, NUREG-0635, January 1980.
11. U. S. Nuclear Regulatory Commission, Reactor Safety Study - An Assessment of Accident Risks in U. S. Commercial Nuclear Power Plants, WASH-1400 (NUREG-75/014), October 1975.

12. Memorandum for D. G. Eisenhut, NRC, from T. E. Murley, NRC, Subject, Reactor Coolant Pump Seal Failure, nd.

R-1

13. Indian Point Probabilistic Safety Study, PASNY and Consolidated Edison Company, SPRING 1982.

Zion Probabilistic Safety Study, Commonwealth Edison Company, FALL 1981.

14. Memorandum for V. S. Noonan, NRC, from J. E. Jackson, NRC, Subject, Summary of Meeting with Combustion Engineering Owners Group on Reactor Coolant Pump Seal Performance, Generic Issue 23, April 28, 1983.
15. Varnado, G. B., W. H. Horton and P. R. Lobner, Modular Fault Tree Analysis Procedures Guide, NUREG/CR-3268/4 Vols., SAND 82-0963/4 Vols., Sandia National Laboratories, August 1983.
16. Loss of Offsite Power at Nuclear Power Plants: Data and Analysis, EPRI NP-2301, Science Applications, Inc.,

Interim Report, March 1982.

17. Kolaczkowski, A. M. and A. C. Payne, Jr., Station Blackout Accident Analysis (Part of NRC Task Action Plan A-44, NUREG/CR-3226 SAND 82-2450, Sandia National Laboratories, May 1983.
18. A. J. Oswald, C. D. Gentillon, S. L. Matthews, and T. R.

Meachum, " Generic Data Base for Data and Models Chapter of the National Reliability Evaluation Program (NREP) Guide,"

EG&G Idaho, INC.. EGG-EA-5887 June 1982.

19. " Military Handbook: Reliability Prediction of Electronic Equipment," Rome Air Development Center, Griffith AFB, NY, MIL-HDBK-217C, April 1979.
20. " Military Handbook: Reliability Prediction of Electronic Equipment," Rome Air Development Center, Griffith AFB, NY, MIL-HDBK-217B, April 1979.
21. Power Engineering Services, Technical Support for the Utility Group on ATWS, Task I: Ouantitative Evaluation of Industry Proposed Modifications Relative to Existing Plant ATWS Requirements. Appendix D, Science Applications, Inc.,

SAI-Oll-82-SJ, December 31, 1981.

ATWS Early Verification: Response to NRC Letter of February 15, 1979, for Combustion Engineering NSSS's, CE Power Systems, CE Inc., CENPD-263-NP, November 1979.

ATWS Analysis: Analysis of Anticipated Transients Without Reactor Scram in Combustion Engineerinq NSSS's, CE Power Systems, CE Inc., CENPO-158, Rev. 1, May 1976.

R-2

22. SECY-83-293. Amendments to 10 CPR. Part 50. Related to Anticipated Transients without Scram (ATWS) Events, NRC, July 19, 1983.
23. U. S. Nuclear Regulatory Commission, Anticipated Tran-sients without Scram for Licht Water Reactors, Unresolved Safety Issue Program, Office of Nuclear Reactor Regula-tion, NUREG/CR-0460, March 1980.
24. U. S. Nuclear Regulatory Commission Memorandum to Karl Kniel, Generic Issues Branch, DST, from Brian W. Sheron, Reactor Systems Branch, DSI, on the Status of Feed and Bleed for Emergency Decay Removal, March 31, 1981.
25. Memorandum from B. W. Sheron, NRC, to T. P. Speis, NRC, Subject. Feed and Bleed Capability in CE Plants Both with and Without PORVs. February 11, 1982.
26. C. D. Fletcher, A Revised Summary of PWR Loss of Offsite Power Calculations, EG&G Idaho, Inc., EGG-CAAD5593, September, 1981.
27. G. J. Kolb, et al., Interim Reliability Evaluation Program: Analysis of the Arkansas Nuclear One-Uait 1 Nuclear Power Plant: NUREG/CR-2787, SAND 82-0978, Sandia National Laboratories, June 1982.

R-3


BIBLIOGRAPHIC DATA SHEET (NRC Form 335, U.S. Nuclear Regulatory Commission)

Report number: NUREG/CR-3511/1 of 2, SAND 83-2086/1 of 2
Title and subtitle: Interim Reliability Evaluation Program: Analysis of the Calvert Cliffs Unit 1 Nuclear Power Plant, Volume 1, Main Report
Author: Arthur C. Payne, Jr.
Date report completed: September 1983
Date report issued: September 1983
Performing organization: Nuclear Fuel Cycle Systems Safety, Division 6412, Albuquerque, New Mexico 87185
Sponsoring organization: Division of Risk Analysis, Office of Nuclear Regulatory Research, US Nuclear Regulatory Commission, Washington, DC 20555
FIN No.: A1241
Type of report: Technical (Final Report)
Supplementary notes: None

Abstract (200 words or less):

This report presents the results of the Probabilistic Risk Assessment (PRA) of Calvert Cliffs Unit 1 Nuclear Power Plant. The analysis was performed as part of the Interim Reliability Evaluation Program (IREP). The analysis used fault tree and event tree models as the primary tools to evaluate the risk due to core melt at Calvert Cliffs.

Core melt sequences initiated by one of three break-size LOCAs or one of six categories of transients were evaluated, and the dominant (i.e., highest frequency) sequences were further analyzed to estimate the magnitude of radionuclide release. The accident sequences were then placed into the release categories defined in the Reactor Safety Study to estimate this magnitude. The most significant sequences contributing to the core melt frequency are (1) Anticipated Transients Without Scram (ATWS) (44% of the total core melt frequency), (2) small-small LOCAs (i.e., 3" to 1.9" in diameter) with makeup system failure in the recirculation phase (19% of the total core melt frequency), and (3) the loss of a DC bus followed by failure of secondary heat removal (14% of the total core melt frequency).

The estimated core melt frequency for Calvert Cliffs Unit 1 (CC-1) is similar to the values predicted by PRAs of other PWRs,

Key words and document analysis (descriptors): IREP, PRA, Calvert Cliffs
Availability statement: Unlimited
Security class (this report): Unclassified
No. of pages: 245
