Text

VOLUME 1 PILGRIM NUCLEAR POWER STATION INDIVIDUAL PLANT EXAMINATION FOR INTERNAL EVENTS PER GL-88-20 PREPARED BY BOSTON EDISON COMPANY BRAINTREE, MA SEPTEMBER 1992

Pilgrim Nuclear Power Station Individual Plant Examination Prepared By: ct¥;fr:- :a:cr!zt/CJ z_

D. W. Gerlits 0- 9 C. Littleton Reviewed By:

t P. T. Antonbpoulos

,*

. Olivier Approved ?Y=

R. V. Fairbank Revision 0 - September 1992

purposes of the Pilgrim PR.A, no credit was given for RWCU operation for heat removal.

Containment Venting One of the options available to the operators for contr9lling containment pressure is to vent the containment. Pilgrim has a venting system which is capable of operation at pressures up to the containment design pressure of 56 psig. Containment venting is initiated in accordance with emergency procedures which require the operator to maintain the containment below the Primary Containment Pressure Limit. Keeping containment pressure below this limit permits continued functioning of equipment inside containment (such as SRVs) and maintains the structural integrity of the containment.

Direct Torus Vent The direct torus containment vent system is a system of last resort to prevent containment pressure from rising above the 56 psig design pressure. All other forms of DHR would need to have failed or be insufficient to remove decay heat before the DTV would be required. Required support systems include DC power and nitrogen accumulators. Use of the vent is initiated by actuating a key lock switch which causes valves to align in a manner which bypasses the SBGT system vent path and utilizes a hardened vent. EOPs instruct

'-

the operator to maintain and control containment venting with either the SBGTS or DTV to limit the rate of steam release and therefore prevent net positive suction head (NPSH) problems in the suppression pool. The DTV also directs any steam* re-lease outside the reactor building, limiting the environmental conditions in the secondary containment.

3.6-5

performed a limited scope IPE using the IDCOR methodology to assist in SEP decision making. A number of the SEP modifications dealt directly with the DHR issue. A summary of important modifications follows:

1. Direct Torus Vent-The direct torus vent was installed as a decay heat removal system to augment the existing decay heat removal capacity. In situations where the main condenser is unavailable and decay heat cannot be removed by the RHR heat exchangers, the only venue for heat removal is by direct release of steam from the containment. Before the installation of the direct torus vent, if the containment was vented at a rate which would remove significant decay heat, the high pressure vapor released into the vent path would have ruptured the ductwork, and resulted in unfavorable conditions in the reactor building.

2. The hard piped vent was installed in the torus ventilation piping,* between the inboard and outboard isolation valves. This allows the operators to release significant amounts of decay heat from the containment atmosphere over a broad spectrum of events. This system provides a diverse mode of decay heat removal which does not rely on the salt service water system as its ultimate heat sink.

3. Containment Spray Flow Reduction and Fire Water Crosstie-Another SEP modification was the blocking six of the seven spray nozzles. This modification was shown by analysis to provide better control of the depressurization process, while not compromising the effectiveness of the system. The principal benefit was to permit the use of drywell sprays over a broader range of containment temperature and pressure conditions.

Another key benefit of reducing drywell spray flow was to allow the use of the fire water crosstie as a water source. Lowering the drywell spray flow permits the use of the lower capacity fire pumps, not only by providing an alternate water source, but also a source which does not rely on AC power. This allows the use of sprays during Station Blackout sequences.

In general, no additional modifications were apparent that would both be cost effective and result in a significant reduction in risk. It appears that most, if not all, of the most important event failures in Class II cutsets could be handled by operator recovery action.

3.6-12

function arrests an event either in vessel or ex-vessel with an intact containment. This function is not needed if containment flooding from external sources is occurring due to the extensive mass addition, i.e., if there is success using external sources at the DS or VL headings.

The system credited with this function is suppression pool cooling.

Similar to drywell sprays, only one RHR pump, one RHR Heat Exchanger, and one train .of suppression pool cooiing valves are sufficient for success.

4.1.2.8 Torus Venting The Direct Torus Vent was credited as a potential heat removal system during core damage sequences with debris either in-vessel or ex-vessel in the Class I and III sequences. The system is designed as a hard piped system, and takes advantage of the scrubbing action of the suppression pool water to reduce the amount of fission products released. Fission products liberated from the damaged core into the drywell are forced down the vent pipes, into the vent header, down the downcomers, and through the torus water.

The design of the system allows for operation at high containment pressures, but because of the hard piped design, this mode -of containment venting prevents release of primary containment atmosphere to the secondary containment, minimizing the impact of venting on the availability of systems located in the reactor building.

4.1-7

whether or not drywell sprays are determined to bE? available since

. .

the drywell spray operating limits* in the EOP's may instruct the..

operator not to use drywell sprays under certain conditions; this

• would not prevent the operation of injection.

4.3.2.4.9 Containment Heat Removal Successful containment heat removal ensures that the containment pressure will be maintained below the containment capacity (in the absence of large quantities of non-condensible gases produced from debris/concrete attack). Following RPV failure containment heat removal.is accomplished with a RHR heat exchanger operating either in the pool cooling mode or in the drywell spray mode. Containment heat removal is branched for all sequences where containment failure has not already been determined to have occurred (the "FAILED" branch under Heading "Containment Failed Prior Core Damage" or the "NO VAP SUP" branch under Heading "Vapor Suppression").

4.3.2.4.10 Containment Venting Available Containment venting is accomplished with* the "normalvent" and* the wetwell "direct torus *vent". Venting is initiated . prior to the containment pressure exceeding 56 psig. Venting is branched for all sequences where containment failure has not already been determined to have occurred (the "FAILED" branch under Heading "Containment Failed Prior Core Damage" or the "NO VAP SUP" branchunder Heading "Vapor Suppression"). It is asked for all cases where CHR is asked.

Even for situations where CHR is available, over-pressurization of the containment may occur if the debris is not cooled ex-vessel and significant quantities of non-condensible gases are produced.

4.3-13

between the two systems. The spool piece can be easily installed by two quick connect couplings. Once the connection between the two systems is established, the plant's diesel driven fire pump (P-140) will automatically start on low fire header pressure.

The fire water cross-tie was installed primarily for injection during an SBO event. Since its use is proceduralized, however, it can be used for low pressure injection under all accide t conditions in which the reactor has been depressurized, and the probability of loss of low pressure injection has been reduced for all accident sequences in the IPE.

Containment Pressure Control (Event Wl :

Direct torus vent: The use of the direct torus vent as a means of containment heat removal has been shown to have a major impact upon the results of the Class II accident sequences. Pilgrim installed the hard piped vent from the wetwell air space as part of the SEP program. Because the hard piped vent is designed to operate independent of AC power and instrument air sources, it is available as a containment heat removal system for a wide spectrum of events.

Although not explicitly considered in the quan ification, the hard piped vent directs the steam*in the containment' atmosphere to the stack as opposed to the reactor building, extending the time for repair and recovery of failed equipment, and reducing the potential reluctanc'e to initiate venting.

Containment Spray Flow Reduction: Another modification proven to be important in the IPE models for containment heat removal purposes was the reduction of the flow capacity of the drywell spray nozzles. This allowed for a more gradual depressurization of the drywell, permitting the use of drywell sprays over a broader range of containment temperature and pressure conditions. To reduce the

.. 5.0-13

Required procedure 5.3.26 is a short procedure without check off.

The basic HEP from Table 20-7, item 3, is .003.

The stress level for step C is considered moderately high, step by step. Additionally, the operators are considered to be skilled due to their training in this procedure.

Therefore, from Table 20-16, the performance shaping factor is x2.

The total failure probability is .003 x 2 = .006.

SUMMARY

From Figure A1-2, the probability that the operator will fail to follow FWXT procedure 'is 8.33E-3.

\

A1-18

MXXDTVOPRY - OPERATOR FAILS TO ALIGN DIRECT TORUS VENT STEP A - OPERATOR RECOGNIZES NEED FOR DIRECT TORUS VENT The operators would already be in EOP-3, Primary Containment Pressure Control, as a result of elevated containment pressure. It has been calculated that it would take several hours for containment pressure to rise from 2.5 ps1g (scram I alarm setpoint) to 30 psig at which point the DTV would be manually aligned.

The basic HEP for failure to recognize the need for DTV is taken from Table 20-3, item 5 ; BHEP = .0001. This is conservative as it assumes that recognition would be only 60 minutes after the first annunciation whereas it takes several hours.

The stress level for this step is assumed to be extremely high due to the impending challenge to the primary containment. The recognition process relies on the operator knowing to read containment pressure and to react at or before 60 psig. As only pressure is necessary for successful recognition, this process is deemed step by step. Additionally, the operators are considered to be skilled due to their training in this procedure.

Therefore, from table 20-16, item 6, the performance shaping factor for step a is times 5. The total failure rate is then 5 * .0001 =

.0005.

STEP B - CONTROL ROOM RECOGNIZES THE NEED TO ALIGN NORMAL VENT The control room shift includes a Shift Technical Advisor whose training is different from that of the licensed operators.

Moderate dependence is assumed between the STA and the rest of the shift. Therefore, the probability of the STA failing to recognize A1-19

period was chosen to encompass this time and to correspond to AC power recovery time periods reported in the literature. Finally, with successful operator action to shed loads (which is the most likely pathway), both the A and B batteries will deplete within 15 hours1.736111e-4 days <br />0.00417 hours <br />2.480159e-5 weeks <br />5.7075e-6 months <br /> -

thus, 15 hours1.736111e-4 days <br />0.00417 hours <br />2.480159e-5 weeks <br />5.7075e-6 months <br /> was chosen as the upper limit for the third AC power r,-ecovery time period.

Failure to recover any source of AC power within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> (no load shedding) or 15 hours1.736111e-4 days <br />0.00417 hours <br />2.480159e-5 weeks <br />5.7075e-6 months <br /> (successful load shedding) is assumed to result in core damage. This is regardless of whether high pressure or low pressure systems were in operation. Failure of either battery results in containment heat removal failure (the direct torus vent requires both DC batteries for operation, other systems require AC power, and firewater system operation through the containment sprays would be terminated by procedure once the containment water level reached a specified level). As the containment pressure rises it will force the SRVs closed, thus resulting in increased primary system pressure and the inability to inject with low pressure systems even if they are operable. Depletion of the batteries results in loss of control power to the RCIC and HPCI systems, with subsequent failure of these high pressure injection systems as well. Thus, unless some source of AC power is restored so that DC batteries can be charged, core damage is assumed to begin within 15 hours1.736111e-4 days <br />0.00417 hours <br />2.480159e-5 weeks <br />5.7075e-6 months <br />.

If AC power is restored, containment heat removal and continued primary system coolant inventory maintenance can cqntinue.

5. The potential for stuck open safety/relief valves were specifically addressed using event trees shown in Figures C.2-6 and C.2-7. Figure C.2-6 is used to address the situation in which at least one diesel generator is in operation while there is a SORV. This figure is structurally similar to the event tree developed for SORVs resufting from other transients in which off-site power is available. The quantification in Figure C.2-6 takes into account the source of AC power, i.e., the diesel generator. Note that if off-site power is recovered within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> use of the feedwater system for high pressure injection is possible; if off-site power is not recovered within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> it is assumed that the feedwater system can not be utilized for high pressure injection even if power is restored later.

Figure C.2-7 is used for the situation in which a station.

blackout exists along with a SORV. Power recovery within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is assumed to be successful for some sequences; C.2-10 r*

the operator must inhibit closure of either circuit breaker CB-501 or CB-601 (the feed breakers associated with the SBO DG or the 23KV line and the emergency buses

- these are different than the breakers associated with DG A and DG B). The operator can then start the SBO diesel generator and allow one of the breakers (the "uninhibited" breaker) to automatically close when it senses current from the diesel generator. Failure to inhibit automatic closure of one of the circuit breakers will result in a diesel generator overload condition; this is assumed to result in failure of the SBO DG. By procedure, the SBO diesel generator will be used only if one or both of the other two diesel generators has failed to start or is unavailable and the 23KV line is unavailable.

125VDC Bus (Battery) "A" This bus is required to start diesel generator 1. It also is a source of power for one of the high pressure injection sources (RCIC), and the ADS valves. This bus is required for operation of the direct torus vent.

125VDC Bus (Battery) "B" - This bus is required to start diesel generator 2. It also is a source of power for one of the high pressure injection sources (HPCI), and the ADS valves. This bus is also required for operation of the direct torus vent.

Figure C.2-2: Station Blackout (SBO)

This event tree starts with input from Figure C.2-1, namely, the cut sets in which all AC power sources are unavailable (either due to mechanical/electrical faults of the diesel generators or due to failures of support systems necessary to operate the diesel generators, such as DC batteries). Events C, M, and P are exactly as defined for Figure C.2-1.

I2 OSP Recovered 0-2 Hours: Recovery of off-site power within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> is assumed to be sufficient to allow for feedwater and main condenser restoration, if necessary.

For this event it is assumed that the* 345kv source must be restored. Event sequences in which off-site power is successfully restored continue using Figure C.2-4.

DG2 Dgs Recovered 0-2 Hours: Recovery of any of the three diesel generators, or the 23kv source, will allow for C.2-14

should not be adversely affected to maintain the primary system pressure below the design pressure.

Reactor Coolant Inventory Makeup, High Pressure:

Loss of one bus of DC power disables either the HPCI or RCIC system.

Loss of the second bus would disable the remaining system.

Therefore, quantification of this event depends upon the status of the second DC bus, as well as the determination of which system (HPCI or RCIC) is affected by the initial loss.

Regardless of which DC bus is lost, at least one pump of the feedwater system should remain available for high pressure inventory maintenance. As discussed previously, the loss of DC power operating procedures instruct the operators to trip the feedwater pumps associated with the DC division lost.

There are a number of support systems which must be available for continued feedwater operation. These include: (1) Motive and control power for operation of feedwater valves, feedwater pumps, and condensate pumps (these power sources are independent of DC power),

(2) Adequate water makeup to the condenser hotwell from the CSTs, and (3) SSW/RBCCW for pump cooling.

Reactor Depressurization:

The failure of one DC bus results in a higher failure probability for reactor vessel depressurization due to less redundancy in the DC power system.

Reactor Coolant Inventory Makeup, Low Pressure:

Following successful reactor depressurization, the low pressure injection systems can supply adequate makeup to the reactor. Note that the failed DC bus which initiated this sequence will not be C.4-7

/

(

available for control of the corresponding division of low pressure pumps. The result is that the LPCI and CS failure rate is higher than for most other initiators. The condensate system is affected by the initiators as feedwater was, with the operator instructed to trip the condensate pumps on the buses affected by the loss of DC.

Containment Pressure Control:

The main condenser is assumed to be unavailable for containment heat removal if DC power is lost. The availability of RHR is highly dependent on the availability of DC power for pump breaker control.

This is especially true for the sequences in which both DC buses are unavailable. The containment direct torus venting system would be unavailable if one DC division is unavailable, and one train of the normal vent would be affected.

I Continued Reactor Coolant Inventory Makeup:

This event represents the ability to maintain coolant inventory in the vessel following the occurrence of unacceptable containment conditions. Containment pressure and temperature conditions must be maintained within acceptable limits if the integrity of the containment is to be maintained. Loss of DC power affects the ability to control containment conditions, which may in turn degrade the performance of systems being used to maintain coolant inventory.

Quantification of this event is dependent upon previous system failures, since the same failures which contribute to the failure to control containment conditions may also affect coolant inventory makeup.

C.4-8

C.4.3 Loss of Instrument Air/Nitrogen Compressed gas systems fulfill a variety of functions at nuclear plants. Usually, the most important of these functions is to provide the motive force for operation of valves. At Pilgrim, some of these valves are safety related and some are located inside the containment, e.g., the SRVs and the MSIVs.

Two compressed gas systems are provided at the Pilgrim plant: one which provides nitrogen for use inside containment, and one which provides air for use outside containment. The Pilgrim plant has three redundant and independent nitrogen supply systems. Therefore, loss of nitrogen sequences need not be evaluated because the loss of nitrogen initiator frequency is very low. . Several independent nitrogen supplies must fail and there is no credible common cause internal event that can eliminate all sources. However, an evaluation was carried out for loss of instrument air.

The following air-operated valves are affected by loss of air:

1. Outboard MSIVs: On loss of instrument air, the outboard MSIVs are assumed to close. Although an accumulator is attached to each MSIV which keeps the valve open on loss of air unless the MSIV receives a signal to close, it is assumed that the air eventually bleeds away and the valves close. The MSIVs cannot be reopened until instrument air is recovered.

2. Feedwater Regulating Valves: These valves fail "as is" and cannot be opened or closed from the control room until air is restored.

3. Scram Valves: On loss of air, the scram valves fail open causing drive water to force the pistons upward, inserting the control rods into the core.

4. Scram Discharge Volume Vent and Drain Valves: On loss of air, the scram vent and drain valves fail closed, preventing loss of reactor water discharged from all CRDs during and after a scram.

C.4-9

Based on the failure positions of the air-operated valves described above, failure of the instrument air system during power operation will initiate a scram and close the outboard MSIVs. Plant response for this event would initially be similar to an MSIV closure.

C.4.3.1 Event Tree for Loss of Instrument Air This section provides a discussion of the loss of instrument air on the frontline systems of the Loss of Instrument Air event tree.

Reactivity Control:

The reliability of the scram system subsequent to a loss of instrument air is similar to that used in other accident sequences.

This independence of the scram system from the loss of air initiating event is primarily due to the redundancy in the scram system which requires a common mode failure to prevent successful scram.

Primary System Pressure Control:

The SRVs are not affected by loss of instrument air since they are Nitrogen operated.

Reactor Coolant Inventory Makeup, High Pressure:

Loss of instrument air is assumed to have no significant effect on HPCI, or RCIC. However, it fails feedwater (and condensate) because the minimum flow recirculation valves on the feed pumps open on a loss of air, diverting a significant flow away from the reactor and back to the condenser.

'

Reactor Depressurization:

Loss of instrument air does not affect the failure probability of depressurization. SRV actuation depends solely on Nitrogen.

C.4-10

Reactor Coolant Inventory Makeup. Low Pressure:

Following successful reactor depressurization, the low pressure injection systems are required. RHR, LPCI, and Fire Water Crosstie are unaffected by a loss of instrument air, but as was explained above, condensate is assumed to fail.

Containment Pressure Control:

Loss of instrument air is assumed to result in loss of the main condenser as an available heat sink due to closure of the MSIVs.

Reopening of the MSIVs is not assumed to be possible until instrument air is restored. The reliabilities of the RHR system and venting system are unaffected by loss of instrument air.

Continued Reactor Coolant Inventory Makeup:

This event represents the ability to continue coolant injection following the occurrence of unacceptable containment conditions.

Quantification of this event is dependent upon previous system failures, since the same failures which contribute to the failure to control containment conditions may also affect inventory control.

Section B.9 of Appendix B discusses these considerations.

C.4.4 Reactor Water Level Instrumentation Reference Leg Failure Reactor water level instrumentation failures can affect the operator's perception of the condition of the core and the automatic control of coolant makeup systems. As a result, failure of water level instrumentation can disable multiple systems and adversely affect operator response.

The potential accident initiators involving water level instrumentation which have been observed in operation are:

c .4-11

o High drywell temperature causing flashing of the reference legs.

o Leaks or breaks in one of the reference legs for the reactor water level instruments.

The Pilgrim plant has four reference legs - 2 sets of 2 legs, each coming from one of the 2 nozzles on the RPV. One leg of each set has instruments which provide signals for initiation or tripping of the HPCI and RCIC systems, low pressure injection systems, ADS system, and the MSIVs. The other leg of each set is used for feedwater control, with either leg being capable of controlling feedwater.

Each leg has its own level indicator in the control room.

The reference legs associated with safety related instruments at Pilgrim are located outside of the drywell and therefore are not susceptible to high drywell temperature. Therefore, plant trip due to reference leg flashing is not considered further in this analysis.

However, reactor water level instrument line failures are evaluated further below.

Previous reviews of operating experience and analytic evaluations

,have determined that loss of inventory in a reactor water level instrument reference leg could result in false indications of high reactor water level. This failure mode could initiate challenges to the plant systems required for safe shutdown. This sect.ion discusses the approach used for quantification of the core melt frequency due to a reference leg failure at the Pilgrim plant.

C.4.4.1 Initiator Freguency The probability of a leak or break sufficient to drain one of the reference legs has been calculated for the following three cases:

o Instrument line break o Instrument line leak C.4-12

o Valve misoperation causing loss of reference leg inventory All three of these cases are assumed to have equivalent impact on the operators response and the automatic ECCS initiation logic. They may be treated in the same event tree because the level sensors connected to the reference leg are assumed to indicate high level regardless of the failure mode (based upon observed incidents). The only case that is probabilistically significant is an instrument line leak; breaks and valve misoperations are of negligible probability.

For the Pilgrim PRA it is assumed that a leak occurs in one of the two reference legs which are associated with the HPCI and RCIC systems. Thus, feedwater operation should be unaffected. If the leak occurred in a leg controlling feedwater, then the feedwater pumps are expected to ramp down due to the false high level indication. However, in this situation HPCI and RCIC would be available and this s*equence is bounded by the sequence evaluated in this section.

Because the Pilgrim plant reference legs are coupled at the nozzles, the plant is treated as a 2 leg plant for the purposes of estimating the initiating event frequency.

C.4.4.2 Event Tree for Reference Leg Leak The event tree for a reference leg leak is provided in Figure C.4-6.

Each of the headings in the event tree are discussed further below.

Continued Power Operation (i.e., Continued Feedwater Operation)(RR)

A leak in a reactor water level reference leg will not always result in a plant transient. If feedwater maintains adequate level control, then power operation will continue. At Pilgrim the operation of the feedwater system following a reference leg draindown is evaluated as follows:

C.4-13

The initiating event is assumed to be a leak in a leg providing HPCI/RCIC system control. Therefore, the legs associated with feedwater control should be unaffected (there is no coupling between the legs except at the nozzle; a leak in one leg is not sufficient to cause drainage in the other leg from the same nozzle). Failure to continue power operation, i.e., failure of feedwater to continue operating, is estimated to occur due to a random loss of feedwater during the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time. If a feedwater trip occurs, the water level will fall to the low-low level setpoint for ECCS initiation.

Maintenance Error Causes Leak in Alternate Reference Legs (ORl The potential for a maintenance error causing failures in alternate reference legs is assessed here. Also included are errors which result during attempted repairs of the leaking leg. Loss of the alternate reference legs may occur if repairs or tests are performed on the intact legs, or if the operator inadvertently attempts repairs on an intact leg, when the leaking leg should be the one being repaired. With a failure in two of three reference legs, the high pressure injection systems (HPCI, and RCIC) would be locked out due to the false high level trip signal generated for these systems, but the feedwater system would still be available. If feedwater failed, successful coolant injection will therefore depend on the operator manually depressurizing the reactor vessel and providing coolant injection with low pressure systems while ECCS level indications are high, and the feedwater control, the shutdown and upset range instruments would indicate correctly.

Opposite Division ECCS Initiation Electronics Failure (LRl The loss of inventory in one of the reference legs causes all level instrumentation associated with that leg to read high. If the level instruments receiving input from the other reference leg associated C.4-14

with the ECCS systems fails, automatic initiation of the ECCS systems would not occur, since one of the legs is reading high and one has failed. For the Pilgrim plant, one of the reference legs on each set controls the initiation of HPCI and RCIC as well as the low-low level permissive for LPCI, Core Spray, and ADS operation. With one leg's instruments reading high, the other leg's instruments must respond on low-low level following a loss of feedwater. A random failure of the instrument on the opposite reference leg will defeat the automatic ECCS initiation logic, and therefore will result in the need for manual actions. The value used for instrument failure was taken from the IPEM, and is lE-2 per demand. . This failure could I

\

occur any time following the last test of the instruments.

The instrument failure probability is coupled with the probability of the operator failing to take action in response to the level indicator in the control room that is reading high. The operator should see the high level indication on one of the level indicators and take appropriate action to identify the cause. A plant trip is unlikely, because the feedwater level indicators,will be unaffected.

In this case, failure of automatic initiation of the ECCS systems due to instrument failures would require two concurrent random failures, which is very unlikely.

Reactivity Control:

The methods for initiating a scram are sufficiently redundant that the probability of successful scram is equivalent_ to that used following a general transient.

Primary System Pressure Control:

These events are unaffected by a reference leg leak.

Feedwater Available:

C.4-15

For thi's analysis, it was assU;med that the reference leg leak did not occur on one of the reference legs that controls feedwater.

Therefore, no direct impact on the failure of feedwater is assumed.

The feedwater system is assumed to trip due to random causes after the reference leg leak occurs.

High Pressure Injection - HPCI/RCIC:

As a backup to the feedwater system, HPCI and RCIC provide high pressure coolant makeup. Since the initiator is assumed to be a leak in one of the reference legs that controls HPCI and RCIC, the opposite leg's instruments must function. If.the opposite division ECCS initiation electronics do not fail, the opposite leg's instruments function successfully and HPCI and RCIC operation are assumed to be unaffected. If the opposite division ECCS initiation electronics fail, the auto start instrumentation for the HPCI and RCIC systems has failed. No credit is taken for manual start of HPCI and RCIC due to the indications of high reactor vessel level and the difficulty in manually operating these systems.

Reactor Depressurization:

Plant procedures call for reactor depressurization if water level cannot be determined. When instrument failure occurs automatic ADS operation fails and the operator must manually initiate depressurization. However, the operator may believe that level is restored since ECCS level indicators are reading high, feedwater indicators are reading normally and no high pressure injection systems are operating. The operator can vary reactor water level with the controller, and verify that both water level indicators are tracking true water level. The operator may be hesitant to depressurize the reactor vessel.

Low Pressure Injection:

C.4-16

This event combines the operation of three redundant low pressure injection systems: Core Spray, LPCI, and the Condensate System. The redundancy in low pressure pumps is sufficiently high that the success of adequate core cooling is governed by the ability to depressurize the reactor and establish stable cooling while contradictory level indications are present.

Containment Heat Removal. and Continued Reactor Coolant Makeup:

See the discussion in Section C.l for the general transients.

c. 4*. 5 Internal Floods C.4.5.1 Introduction Generic Letter 88-20 requires an internal flooding analysis as part of the IPE process. A number of internal flooding PRAs to date have been qualitative scoping analyses which have concluded that internal flooding will not lead to core damage. However, the Oconee 3 PRA concluded flooding was a dominant contributor to the total core damage frequency and subsequently made plant modifications. Other plants have experienced maintenance events which have resulted in flooding of equipment. All of these factors provide the basis for performing the Pilgrim internal flooding analysis.

The purpose of the internal flooding analysis was to determine potential .vulnerabilities due to flooding from sources such as torus rupture and pipe ruptures. The analysis used bounding, frequently conservative assumptions while still demonstrating a low potential for core damage. Attention was focused on the major flood sources in the plant which could affect multiple systems and propagate to other areas. Low capacity systems which had limited or no impact on multiple systems and flood initiators which were bounded by other flooding events were generally not considered.

C.4-17

The study concludes that there is only one flooding sequence which has any impact at all on potential core damage sequences, and that sequence frequency is extremely low (less than lE-8 per year). The flooding event analyzed involves a feedwater line break in the main steam tunnel which was assumed to fail the high pressure feedwater injection system due to flooding. All flooding initiators identified have sufficient means of providing adequate core cooling independent of equipment potentially affected by the flood.

The assumptions, methodology, mitigative factors, and results of the Pilgrim internal flooding IPE are discussed in this section.

C.4.5.2 Background Considerable review of the Pilgrim plant design and operating procedures has been performed in the past with respect to the potential and effects of internal flooding.

Flooding occurs when mechanical components in fluid systems fail.

The most serious flooding usually occurs from catastrophic failures (i.e., ruptures). Flooding analyses performed at PNPS view ruptures as initiating events rather than as events likely to occur while responding to other designI basis transients or accidents. This concept was retained in determining the impact of ruptures on core damage frequency (CDF).

Fluid system ruptures usually cause the loss of the train in which they occur, and they can flood equipment in other trains or systems required to recover from the event. This two- fold effect was considered when determining the impact on CDF.

Postulated flooding events at PNPS include those which could initiate from pipe breaks outside containment (PBOC), pipe breaks inside containment (PBIC), and pipe breaks in systems with high volumetric flow rates (Sea Water, Salt Service Water, and Fire Protection C.4-18

System). These events were determined to be bounding in terms of their impact on plant systems, and so initiators such as over-filling water tanks, hose ruptures, and pump seal leaks were not considered further in this analysis. Also, the effects of spray upon equipment was not evaluated.

The impact of flooding events on CDF at Pilgrim is insignificant.

The following text documents the assumptions and methods used to arrive at this conclusion.

The PNPS Internal Flooding Analysis is contained in ERM 88-102 Rev.

1 "PNPS Internal Flooding Analysis". Several flooding events are discussed in that document, including pipe breaks outside containment, pipe breaks inside containment, ECCS leakage, fire protection system flooding, and seawater flooding. Section C.4..5.4 contains the methodology for determining flood levels, input a d assumptions, and a listing of flooding mitigation devices.

In addition to the evaluation discussed above, an evaluation of other potential flood sources was conducted for the PRA. The only flood source of note identified during this additional evaluation involved rupture of the torus, which might cause failure of equipment in rooms or areas which connect to the torus area. However, at* Pilgrim, all such areas (e.g., quad rooms) are located at levels above the mid-plane of the torus. Since the torus water level is normally maintained at or slightly below torus mid-plane level, a complete release of this water would not impact any other areas.

Without any other flood sources of concern, the PBOC analyses (reference SUDDS/RF 83-07 and SUDDS/RF 87-1032) were evaluated further for the PRA. Those analyses are described in FSAR Appendix

0. The worst case PBOC, in terms of flooding, is PBOC-10, feedwater break inside the main steam tunnel. This is the only event identified which could result in an initiating event (caused in this case as a direct result of the pipe rupture which causes the flood)

C.4-19

and which disables systems which could be used to respond to the initiating event. This event results in the loss of the feedwater system because of the rupture. In addition, the CRD system is rendered inoperable because the CRD pumps would be submerged during this event. Both of these systems are potential sources of high pressure injection to the RPV.

Other potential flood sources, in addition to the torus rupture, were determined to be insignificant in terms of their impact on the plant.

Flooding information contained in FSAR Appendix 0 focuses only on the reactor building because the turbine building was assumed not to contain any safety related equipment. Calculation S&SA 61-1 was generated to determine flood levels resulting from PBOCs occurring outside the reactor building, because safety- related cables run through the turbine building. The turbine building PBOC analysis was expanded by Calculation S&SA 62-0, radwaste building-flooding.

Flooding of the radwaste building via drain lines is assumed to occur as the result of PBOC flooding in the turbine building.

The PBIC flood level in the drywell was determined by the height of the lower lip of the eight downcomers (reference S&SA 84-157). The capacity of the downcomers is assumed sufficient to mitigate the submergence effects of the DBA LOCA which bounds'all other PBICs.

No safety related systems, or non-safety related'systems for that matter, are affected by this event.

ECCS leakage is assumed to accumulate for 30 days following a DBA LOCA (for the purpose of determining flood levels for the affected areas). Because open equipment drains interconnect each reactor building quadrant, except the CRD quad, flooding in one quad will eventually affect the other two. In a sense, this serves as a flooding mitigation mechanism for the quad in which the leakage occurs, but the postulated leak rate is small enough to warrant this departure from the NED flooding philosophy (i.e., take no credit for drains when evaluating flooding events).

C.4-20

',

Postulated seawater flooding occurs in three locations, the condenser bay and each RBCCW compartment. Seawater flooding in the condenser bay can occur as the result of a break in the seawater (SW)system.

The RBCCW compartments could be flooded by breaks in the salt service water system. Flooding from a SW break is assumed to be contained in the condenser bay. The RBCCW compartments are protected from the effects of flooding by two dewatering lines in each area. These lines route spillage to the torus compartment. In each case, operator action is required to terminate flooding by securing the appropriate pumps (if they are still running).

Fire protection system breaks were also analyzed for their affect on safety related equipment. The only safety related areas in which FPS flooding is the predominate source are the switchgear rooms. Wire mesh panels/doors prevent any accumulation in these areas.

Insights relevant to the potential and consequences of internal flooding that are provided as a part of the IDCOR IPE Methodology were also reviewed. The focus of this review was on flooding locations in the lower turbine building and the reactor building ECCS corner rooms. It was concluded that no special flooding vulnerabilities are expected at Pilgrim, consistent with previous reviews.

C.4.5.3 Impact of Flooding on CDF Pipe ruptures can impact CDF in two ways. They can either submerge equipment required to prevent core damage, or render inoperable the system in which the rupture occurs. As mentioned previously, the PBOC-10 event, feedwater break inside the main steam tunnel, was selected as the bounding flooding event for the PRA. This event was chosen because of its initiating event frequency (a function of the large number of components in the condensate, condensate demineralizer and feedwater systems). Also, this event results in the loss of two non-safety related high pressure injection systems.

C.4-21

The feedwater system would be lost because of the pipe rupture, and the CRD system would be lost because the CRD pumps will be submerged.

Modifications performed for the environmental qualification project give a high confidence to the assumption that no othkr plant systems

'-

are impacted from this event. No other event has impacts which approach this in terms of initiating event or . system failure probabilities.

The impact on CDF from the PBOC-10 events is similar to that evaluated for the loss of feedwater transient (TF). The major differences in quantification are the initiating event frequency (flood versus "random" loss of feedwater) and the failure of the CRD system. Even though the CRD system may be physically able to operate for the evaluation of the TF event, no credit was given for it to replace inventory lost due to decay heat. Thus, the unavailability of the CRD system due to the flood has the same impact as currently modeled for the TF sequences, i.e., no credit is given in either case.

Table C.4-1, rupture frequency, illustrates how the PBOC-10 rupture frequency was determined. The areas mentioned .in Table C.4-1 are shown on Figures C.4-1 through C.4-5. Each component on the figures was counted. The number of each type was summed and multiplied by the component rupture frequency provided in the Pilgrim PRA Internal Flooding Evaluation Methodology Revision 1 (1990) Table 2.4-2. The total for each component type was summed to arrive at the .rupture frequency for the feedwater system. This frequency (8.23E- 3/yr) includes pipe breaks in the condensate system and the condensate demineralizer system as well.

The feedwater pipe rupture frequency (8.23E-3/yr) is very low in comparison with the initiating event frequency for loss of feedwater (TF), which is 0.19 per year.

C.4-22

Since the sequence progression is similar for the flood event and the TF event, with the same systems available (or not available) to respond, the core damage frequency can be evaluated by taking the CDF calculated for events initiated by loss of feedwater (TF) and scaling down by the factor 8.2E-3/0.19, a factor of 4.3E-2.

The core damage frequency for TF sequences is approximately 1.83E-5.

Therefore, the CDF for events initiated by floods is approximately 1.83E-5 x 4.3E-2 or 7.87E-7 per year.

C.4.5.4.1 Methodology for Determining Flood Levels The methodology used for the flood analysis is outlined in this section. The major steps are:

1. Identify potential flood locations.

2. Determine blowdown/spillage volumes.

3. Determine whic,h spaces are affected by each flooding event.

4. Determine the area of affected spaces.

5. Calculate flood levels (Flood Level=Volume/Area).

C.4.5.4.2 Input and Assumptions

1. HELB locations are listed in FSAR Appendix 0 (Table 0.6-

1) .

a. Feedwater System - 89

b. Condensate System - 12

c. Main Steam System - 28

d. RWCU System - 24

e. RCIC System (steam line) - 8

f. HPCI System (steam line) - 4 A high energy line is defined as piping containing fluid at a temperature above 200°F coincident with a pressure above 275 psig.

C.4-23

2. Frontline mitigation systems (e.g., core spray and LPCI) are not considered potential sources for flooding since they are designed to higher standards and they are not usually operating during normal conditions.

3. Circ Water/SSW pipe break locations were determined in the PNPS internal flooding analysis (ERM 88- 891). The Circ Water breaks occur only in the condenser bay. The SSW breaks occur only in the RBCCW compartments.

4. No credit was taken for drains in terms of mitigating a flooding event, except in the case of ECCS leakage (postulated leak rates are small compared to the catastrophic pipe breaks and accumulation occurs over the course of 30 days). Drains were used as postulated pathways for flooding connected spaces (e.g., RHR quads/torus compartment-ECCS leakage; radwaste building-eire Water pipe break in the condenser bay). The 8 inch drains to the torus compartment from the 21 ft and 51 ft elevations in the reactor building are not assumed to mitigate the effects of flooding.

5. No credit was taken for tapering of walls, sloping floors or evaporation to minimize flood levels. The escape of flashed steam to the turbine building via a blowout panel was assumed for PBOC-10 (feedwater system break in the main steam tunnel). For all other postulated breaks, all flashing steam is condensed at atmospheric conditions within the compartment where the break occurs.

6. The volume of drains lines, sump capacity and sump pump operation were neglected when determining flood levels.

7. Blowdown times for PBOCs are based upon the maximum isolation valve closing times allowed by Tech Specs. Leak rates and duration of leakage are based upon total flows.

Leakage rates represent critical flows for the line losses from the fluid reservoir up and downstream of the break location to the break location.

The leak rate and duration for a feedwater line beak in the main steam tunnel represent actual system configuration, main steam isolation valve closure upon high steam tunnel temperature, makeup to the condenser and normal hotwell content.

8. PBOC blowdown times account for diesel starting delay, except for PBOC-10. This event would be made less severe if the condensate pumps were assumed to fail on low voltage instead of low NPSH.

C.4-24

9. All blowdown from PBOCs occurring in the turbine building above the 51 ft elevation falls through the grating to the turbine auxiliary room.

10. All blowdown from PBOCs occurring in the turbine building below the 51 ft elevation falls to the condenser*bay.

11. Drywell flooding is prevented by the eight downcomers to the torus.

12. ECCS leakage occurs during a LOCA at a rate of 1 gpm and accumulates for 30 days.

13. The capacity of the dewatering lines in the RBCCW compartments is 9000 gpm.

14. The maximum flood rate from a Circ Water pipe break is 200,000 gpm.

15. Gross equipment areas were derated by 2-3% to allow for equipment space when determining the net floor areas.

16. Only gravity induced flow paths are considered.

17. The flood levels for HELBs are maximized based upon quasi-static analysis of flow between relatively "still" rooms/areas. Wave fronts and reflections from walls and

,objects are deemed insignificant.

18. Floor hatches with covers are considered watertight.

19. No conduit or cable installed in the plant is qualified for submergence.

C.4.5.4.3 Flooding Mitigation Devices

1. Flood protection (from a fire main break) in the 1 B 1 switchgear room (23 ft el.) is provided by a wire mesh door leading to the adjacent corridor.

2. Flood protection (from a fire main break) in the 1 A 1 switchgear room (37 ft el.) is provided by a wire mesh panel leading to the turbine trucklock.

3. M0-1001-47 is enclosed by a flood barrier.

4. The actuator for M0-1001-28A is rotated into a position that is above the flood level assumed for its location.

C.4-25

5. Enclosures for D7, DB, D9, MCCs B17, B18, and B20 are watertight to preclude flooding of these components.

6. Significant flooding of the turbine trucklock from the turbine deck (51 ft el.) is prevented by the 4 inch curb around the perimeter of the access space.

7. Door #11 prevents flooding of the reactor auxiliary bay during PBOCs ( 51ft el.) in the turbine building.

8. The CRD quad contains no open equipment drains. Otherwise ECCS quads would be compromised during PBOC-10.

9. Unisolable, open equipment drains interconnect the RHR and RCIC quads within 19 inches of the floor. This prevents leakage in any one quad from compromising safety related equipment.

10. The two 14 inch dewatering lines located in each RBCCW compartment are credited with mitigating the effects of SSW pipe breaks in those spaces.

11. Door #15 will confine flooding in the condenser bay until the flood level reaches the 12.1 el.

12. A blowout panel between the main steam tunnel and the turbine building mitigates the effect of PBOC-10 by allowing flashed steam to escape from the reactor building.

C.4.5.5 Conclusions As a result of flooding analyses performed previously for Pilgrim, augmented by additional evaluations performed for the PRA, it is concluded that the internal floods contribute insignificantly to the overall CDF. The flooding impacts are bounded by a break in the feedwater line inside the steam tunnel. The CDF calculated as a result of this flood is roughly 1/100 of the CDF calculated for events initiated by a loss of feedwater event. The CDF due to floods is approximately 7.87E-7.

C.4.6 Inadvertent Open Relief Valve (IORV)/Stuck Open Relief Valve (SORV)

C.4-26

A main steam safety/relief valve can open accidentally during. plant operation or can fail to close if it opens during a transient. In this discussion, the former is referred to as an inadvertent open safety/relief valve {IORV) and the latter as a stuck open safety/relief valve {SORV).

The focus of the IORV/SORV evaluation is an assessment of the plant response to the unique containment cooling and* coolant injection challenges presented by these types of events. Specifically, the IORV/SORV related sequences result in:

o RPV pressure reduction.

o Reactor decay heat being rejected to the suppression pool.

The reduction in RPV pressure may present a core cooling problem if the redundancy and reliability of the low pressure injection systems i

is inadequate.

Containment pressure control is the second concern. In this case there is an uncontrolled release of steam to the suppression pool through the SRV discharge line. This results a long term containment heat removal challenge.

The event tree described in this section can be used t6 model both

!ORV events and SORV sequence transfers from other event trees.

Because Pilgrim has two unpiped safety valves that discharge directly into the drywell, the phenomenology is similar to that described for a medium LOCA if one of these safety valves is stuck open. It is assumed that no environmentally induced problems occur within the mission time of concern for components inside containment if an unpiped safety valve is stuck open.

C.4.6.1 Initiating Event Freguency for IORV/SORV C.4-27

The derivation of the initiating event frequency for IORV is discussed in Appendix A.

The SORV event as discussed above, is as a result of the failure of a relief valve to reclose after opening during a transient. To derive the initiating event frequency for IORV, the probability of a relief valve failing to reclose of 6.8E-3 from the IPEM was used.

The transfer probabilities list of initiating events was calculated by multiplying the initiating event frequency by the.number above.

Initiating events with frequencies less than lE-3 were excluded from further analysis, as the combination of the two events results in a very low initiating event frequency. Those events which do not lead directly to an MSIV isolation and SRV challenge were excluded as well. The remaining events: loss of feedwater, MSIV closure, and loss of condenser vacuum, were quantified in an event tree similar to the IORV event tree. The quantification of SORV with Partial and Total Loss of . Offsite Power is discussed in Section C.2 Loss of '

Offsite Power. One important difference to note between the IORV and SORV event trees and the other special initiators is that gravity feed to the condenser is insufficient to make up for the loss of inventory in the RPV'due to the flow through the relief valve, and so no credit is taken for feedwater during SORV events.

C.4.6.1 Event Trees for IORV/SORV This section provides a discussion of the frontline systems* ability to maintain core cooling and containment heat removal during IORVs and SORVs.

Because there is a high probability, based upon industry experience, that an IORV/SORV will reclose as primary system pressure falls, the event trees were constructed to distribute IORV/SORV events into two categories: (1) sequences in which the valve recloses, and (2) sequences in which the valve remains open. The information contained in Section B.2 for event P was used to determine the distribution C.4-28

among the two categories. The basis for initiating event frequency for IORV is contained in appendix A.

Reactivity Control:

The scram system reliability is similar to that used in other accident sequences. This independence of the scram system from the initiating event is primarily due to the redundancy in the scram system which requires a common mode failure of the scram system to prevent successful scram.

SRVs Reclose:

The major difference between the IORV and SORV event trees is this event, discussed briefly above. If a transient occurs, an SRV sticks open, but closes later at a lower pressure, this event is treated as part of the quantification for the original transient initiator. The initiating event frequency for this event is the product of the original transient initiator, times the probability that the valve will fail to reclose immediately, times the probability that the valve will fail to reclose later in the blowdown. The initiating event for SORV therefore is a relief valve that is stuck open, and will remain stuck open for the rest of the event tree.

The IORV tree is drawn with the inadvertent opening of the IORV as the initiating event. In the IORV event tree, the valve is given a chance to close by the "Valve Fails to Reclose" event. If the valve closes, the rest of the tree is quantified similar to a transient initiator tree. If not, the quantification is similar to a medium LOCA.

Reactor Coolant Inventory Makeup. High Pressure:

C.4-29

The IORV/SORV will eventually result in reactor depressurization.

For a typical plant, RPV pressure may drop to 400 psi within 30 minutes and then continue to drop more slowly. This response makes HPCI and RCIC viable coolant injection options over the short term, (i.e., during the first hour). Note that the motor driven feedwater pumps are assumed to remain available during this event. The event tree indicates that even though high pressure injection may be successful during the short term, low pressure injection eventually will be required due to reactor depressurization.

Reactor Depressurization:

The IORV/SORV should result in . a lower failure probability for depressurization because fewer valves will be required to open.

However, because the failure probability for depressurization is typically dominated by common cause failures, no significant impact is expected.

Reactor Coolant Inventory Makeup. Low Pressure:

Following successful reactor depressurization, the low pressure injection systems can supply adequate makeup to the reactor. Because the condensate system is unaffected by an IORV/SORV, the probability of coolant makeup from the hotwell is similar to that evaluated in other sequences.

The IORV/SORV event tree takes credit for the use of the CRD system to maintain inventory in the reactor vessel. This is because of the fact that high pressure injection from other sources (feedwater or HPCI/RCIC) has been successful for some time, and the reactor depressuri.zes gradually through the open valve.

For the other event trees it is assumed that if the feedwater or HPCI/RCIC systems are successful, they will continue to be successful until the reactor is stabilized at hot shutdown conditions, at which C.4-30

time it is assumed that many options exist to continue vessel inventory control and decay heat removal. The evaluation also conservatively assumes that mechanical or electrical failures of the high pressure systems, if they occur, happen immediately upon demand of the systems. This assumption eliminates the CRD system as a short term injection source, since the flow requirements shortly after shutdown are greater than the capability of the CRD system. Thus, for most event trees, the CRD system is not considered either because the other high pressure systems are available, or the CRD system is incapable of maintaining inventory.

For the IORV/SORV event tree it is still assumed that feedwater and HPCI/RCIC, if they fail, fail immediately. Therefore, the CRD system is assumed to be inadequate in the sequences in which high pressure injection is immediately unavailable from other sources. However, on the success path for high pressure injection, the high pressure systems are available only until the vessel depressurizes through the IORV/SORV, at which time the evaluation assumes that the HPCI and RCIC systems become unavailable due to low pressure. The depressurization is slow enough that the amount of decay heat removed is sufficient to allow injection by the CRD system to be adequate for continued water inventory maintenance following reactor vessel depressurization. Because the CRD pumps, if at maximum flow, can provide adequate flow to make up to the vessel at decay heat loads after one or more hours of heat removal, the CRD system is included as a "low pressure" injection source on the path in which high pressure injection is initially available.

Containment Pressure Control:

An IORV or SORV is assumed to have no adverse impact on the failure rate of the main condenser or the RHR system for containment heat removal.

C.4-31

Continued Reactor Coolant Inventory Makeup: This event represents the ability to continue coolant injection following ,the occurrence of unacceptable containment conditions. Quantification of this event is dependent upon previous system failures, since the same failures which contribute to the failure to control containment conditions may also affect inventory control. Section B.9 of Appendix B discusses these considerations.

C.4-32

Table C.4.-1 RUPTURE FREQUENCY Component Area Area Area Area Area Total Component Total 1 2 3 4 5 Rupture Frequency Frequency Check 3 0 3 4 0 10 4.2E-9 4.2E-8 Valve AO Valve 1 0 6 0 14 21 1.1E- 8 2.31E-7 MO Valve 0 5 5 0 14 24 4.4E-9 1.06E-7 Manual 3 3 7 2 14 29 1.5E-9 4.35E-8 Valve Piping 20 20 35 8 60 143 8.5E-10 1.22E-7

>3" Piping 40 40 8.5E-9 3.4E-7

<3" Heat 3 8 4 0 0 15 8.5E-10 1.28E-8 Exchanger Restricti 1 1 *o 0 15 17 1.5E- 9 2.55E-8 on Orifice Pump 3 0 3 0 0 6 1.5E-9 9.0E-9 Tank 0 0 0 0 7 7 8.5E-10 5.95E-9 9.4E-7/yr

1. Rupture Frequency: 9.4E-7/hr (8760 hrs/yr) = 8.23E-3/yr.

2. Heat Exchangers were assigned the same frequency as tanks.

3. Pumps and restriction orifices were assigned the same frequency as manual valves.

4. Basket strainers (Figure C.4-5) were counted as restriction orifices.

C.4-33

26*110*102 12"1 LV*J300A,FC (2"1 LV*3JOOO,FC WI

'ft J:

REJECT (SEE FIG 21 fV.JJ51 COND A 9-t MIN HOW RECIRC MtUFROMCST

• E107A --- * ------------------------.

26*110*109 (J"I CK-413 LV-3301A.rC (J") '--1---y---.J LV*JJOID,FC (10"1 TO 1-L----- COND OHliN SEE FIG. 5 GLAND SEAL COND P-10IC CONOENSAlE CONDO PUMPS E107B lilli£ I. THE SUCTION SIDE OF TilE PUMPS IS NOT CONSIDERED SUSCEPTIBLE TO RUPTURE.

Figure c .1-/ -1 Condensate System Area 1

M0-3J9J M0-3<127 M0-3371 TO FROM REACTOR COND FEED DEMIN PUMPS SEE SEE FIG. 5 FIG. 3 M0-3372 Ofii\IN EIOIO E1020 E1030 COOLEO EIOGIJ lOW PAESSUOE FEED HEATERS Figure c. .ll -2 Low Pressure Feed Heaters Area 2

MO 3409 FEEOWATER

...... CLEANUP TO EI079 r/-3435 M03477 M03479 FV-642A CK420 167 441A

- L---1 FEEDWATER LINE 'A' TO llf'V

> t*l 0 PIOOA E104A EIOSA SEE FIG_ 4 443 FROM IOW PRESSURE FEED HEATERS SEE FIG_ 2 PIOOB MO 3470

' J- FV-6429 FEEOWATERLINE *o* lO lli'V

......... SEE FIG. 4 PIOOC E1040 E1050 REACTOR IIIGIIPRESSURE FEEDWATER FEED FEEDWAlER REGULATING PUMPS HEATERS VALVES Figure *4 -3 Feedwater System Area 3

PIIIMAAY CONTAINMENT CK-62A CK-50A CK-57A FEEOWI\TEA liNE 'A' 10 APV SEE FIG. 3 FEEOWATEA liNE 'A' TO APV CK628 CK-588 CK-578 FEEOWATEA liNE '8' TO APV SEE FIG. 3 FEEOWIITEllliNE '0' TO llPV Figure C. 't * -4 Feedwater System Area 4

FllOM CONDENSATE SYSTEM SEE FIG. I f- 1- 1- f

- 1

- 1

- 1

-

TO LOW PRESSURE IIEATERS SEE FIG. 2

...... 1*1 f f f f CONDENSTATE DEMINEilAUZERS f ! f Figure c.. t.f -5 Condensate Demineralizers Area 5

INITIATOR STATUS PRIMARY PRESSURE REACTOR COOLANT INVENTORY CLASS SEQUENCE CORE

\ CONTROL DESCRIPTION DAMAGE FREQUENCY REACTOR CONTINUED OTHER OPPOSITE REACTIVITY SRVs OPEN SRVs CLOSE HIGH OEPRESSURI LOW CONTAINMNT REACTOR REFERENCE POWER OPER REFERENCE DIVISION CONTROL PRESSURE ZATION PRESSURE PRESSURE COOLANT LEG LEAK ATION (FW LEG cscs CONTROL INVENTORY OPERATING)

SRRR RR OR LR c M p QU )( v w DUV OK -

I OK -

I I OK -

II RL1 < IE-9 I IO RL2 < IE-9 IA RL3 < IE-9 I SORV XFER LOCA XFER ATWS XFER I

OK -

I OK -

II RL4 < IE-9 I

OK -

I OK -

II RL5 < IE-9 10 RL6 < IE-9 IA Rl7 < IE-9 SORV XFER LOCA XFER ATWS XFER I

OK -

I OK -

II RLB < IE-9 10 RL9 < IE-9 lA Rl10 < IE-9 SORV XFER LOCA XFER ATWS XFER

'----

I OK -

I OK -

II Rl11 < 1E-9 10 RL12 < 1E-9 lA RL13 <IE-9 SORV XFER LOCA XFER ATWS XFER FIGURE C.4-6 REFERENCE LINE BREAK

INITIATOR REACTOR COOLANT CLASS SEQUENCE CORE INVENTORY DESCRIPTION DAMAGE FREQUENCY SORV HIGH LOW CONTAINMNT REACTOR PRESSURE PRESSURE PRESSURE COOLANT CONTROL INVENTORY TSORV QU v w QUV OK -

OK -

II SORV1 < 1E-9 ID SORV2 < 1E-9 OK -

OK -

II SORV3 < 1E-9 ID SORV4 < 1E-9 FIGURE C.4-7 NON LOOP STUCK OPEN RELIEF VALVE

INITIATOR REACTOR COOLANT INVENTORY CLASS SEQUENCE CORE DESCRIPTION DAMAGE FREQUENCY IORV REACTIVITY SRVs HIGH DEPRESSURI LOW CONTAINMNT REACTOR CONTROL RECLOSE PRESSURE ZATION PRESSURE PRESSURE COOLANT CONTROL INVENTORY TIORV c IP au X v w QUV I OK -

OK -

I OK -

I II IORV1 < 1E-9 OK -

OK -

I II IORV2 < 1E-9 ID IORV3 < 1E-9 IA IORV4 1.2E-7 OK -

OK -

II IORV5 < 1E-9 ID IORV6 < 1E-9 OK -

I OK -

II IORV7 < 1E-9 ID IORVB 2.9E-B ATWS XFER FIGURE C.4-B INADVERTENTLY OPENED RELIEF VALVE

C.S ATWS SEQUENCES A portion of the spectrum of low frequency accident sequences postulated in PRAs are associated with a transient with a coincident failure to scram. This section evaluates potential risk contributors from these sequences at the Pilgrim plant. Principal contributors to the core damage frequency associated with a failure to scram can involve sequences affecting accident classes IC and IV.

The specific topics to be discussed relative to ATWS and the operation of the Pilgrim plant include the following:

0

Background:

Section C.S.l 0 Response of Pilgrim during ATWS: Section C.5.2 0 Scram System Reliability: Section C.5.3 0 Criteria for Acceptable Safe Shutdown: Section C.5.4 0 Operator Error Probabilities: Section C.5.5 0 Transient Initiator Frequency: Section C.5.6 0 ATWS Event Trees: Section C.5.7 C.S.l Background One of the functional requirements for successful accident mitigation is the ability to insert sufficient negative reactivity into the core to bring the reactor subcritical. In preceding sections, sequences investigated are those in which successful control rod insertion has been accomplished and the focus of the evaluation is on subsequent functional requirements such as coolant injection and containment heat removal. This section focuses on those event sequences in which an initiator, principally an anticipated transient, occurs coupled with a failure to insert the control rods. Other initiators, such C.S-1

as LOCAs, when coupled with the conditional probability for failure of reactivity insertion may also be included in the contributors to Class IV, but are generally of low frequency compared to the dominant ATWS sequences discussed in this section.

Substantial effort has been made in recent years to the reduction in risk at BWRs associated with ATWS events. Modifications to the control rod drive scram discharge systems in the form of increasing their volumes and providing diverse instrumentation for level monitoring have been performed reducing the potential for common mode reactor trip failure due to mechanical causes. Modifications associated with the ATWS rulemaking (10CFR50.62) similarly reduce the potential for control rod insertion failure due to electrical reasons through the installation of Alternate Rod Insertion (ARI) solenoid valves. Mitigation of ATWS events also has been improved through the installation of automatic trip of the recirculation pumps, enrichment of the boron associated with Standby Liquid Control, and through the improvement of emergency operating procedures. Each of these improvements maximizes the amount of time available to the operator to take effective action in terminating the event.

This analysis incorporates the effects of these safety enhancements in evaluating the residual risks associated with ATWS at the Pilgrim Plant.

C.5.2 Response During ATWS Pilgrim's response to a postulated failure to insert the control rods following an anticipated transient potentially involves the operation of a number of both normally operating and standby safety systems.

The basic functions that satisfy the requirement for a safe and successful shutdown are:

o Primary system pressure control; C.5-2

o Reactivity control; o Coolant injection and primary system inventory control; and o Containment heat removal.

For postulated ATWS sequences, Table C.S-1 summarizes the required functions and systems available to mitigate the potential adverse plant conditions.

Table C.5-2 summarizes the nomenclature used to describe these functions in the event tree evaluation.

Response of the Pilgrim plant to an ATWS event has been extensively analyzed to determine the potential success paths which are available at the various stages of the event. The following is a condensed discussion of these analyses and is presented to provide a basis for selection of the various headings of the-event tree and their success

'criteria which follow in later sections of this report.

The discussion is divided into the response of the reactor nd the containment to an ATWS.

For the purpose of discussion the event under consideration is an MSIV closure with a failure to insert control rods due to mechanical causes. This particular event is typical of that historically analyzed from a regulatory perspective and is generally considered to be bounding in its effects on primary system and containment response and on the time available for the operator to take appropriate actions to terminate or mitigate the event. Where there are aspects of the Pilgrim plant response to ATWS that are important during scenarios other than for this particular initiator, these features will be identified and their effect on plant response during these other scenarios discussed at related stages of the MSIV event.

C.S-3

Primary System Response It is assumed conservatively that the transient begins with the reactor at full power and that the cause of the failure to trip prevents all control rod drive mechanisms from insertion. Initial reactor power less than full power or partial rod insertion either automatically or due to manual actions in response to the event will result in less limiting plant conditions and more time available for operator action than presented in this discussion.

Analysis of a reactor trip from full power for the Pilgrim plant has been performed with TRACG [Ref C.5-2]. The code was developed by General Electric Company and features three-dimensional reactor vessel thermal hydraulics coupled with one-dimensional core neutron kinetics.

During the first few seconds of the event reactor pressure rises to the point that the four safety relief valves open (1090 psig), the alternate rod injection and recirculation pump trip (RPT) setpoints are reached (1175 psig) and the two spring loaded safety valves actuate (1275 psig). The four safety relief valves are piped directly to the torus and heatup of the suppression pool begins at this point. Pressurization of the containment by way of steam flow to the drywell through the unpiped safeties also begins.

The rate at which power continues to be generated is limited, however, by the void increase and reactivity reduction which results from the recirculation pump trip. Reducing reactor flow to natural circulation results in a drop of nearly 40% in reactor power.

If the failure to scram were due to electrical causes, this reduction in power and pressure would be sufficient to provide time for ARI solenoid valves to bleed the pressure from the air headers to the scram valves, gradually causing rod insertion (-15 sec) and termination of the event. Also, if the main condenser were C.5-4

available, the pressure rise resulting from closure of the admission valves would result in actuation of the turbine bypass valves (940 psig) which can relieve as much as 25% rated steam flow [Ref C.5-3].

If either ARI or the turbine bypass* valves are available and effective in performing their intended functions, then in conjunction with RPT, the pressure rise in the primary system will be limited to well below primary system pressure limits.

For MSIV closure events, steady state reactor pressure is greater than that which would occur during events with the main condenser available. Vessel steam flow for these events is analyzed to be just below the capacity of the safety relief valves, thus preventing reactor over-pressure conditions [Ref C.5-5]. To provide margin on reactor pressure design limits, an automatic trip of the feedwater pumps occurs when the initial pressure rise reaches 1400 psig. This trip provides additional reductipn in reactor power in two ways.

First it reduces core inlet sub-cooling which increases the voiding within the core. Also, the subsequent drop in reactor level reduces the natural circulation flow rate through the core resulting in a decrease in reactor power. During MSIV closure events, the combinat*ion of RPT and feedwater pump trip (FWT) reduces reactor power to the point that the pressure rise which occurs. in the primary system is again, well below design limits. Feedwater pump trip is not necessary for events in which the main condenser is available and will not occur because the additional capacity provided by the bypass valves prevents the initial pressure rise from reaching the FWT setpoint. Without further operator intervention, then, events with the main condenser and feedwater pumps available will continue with reactor pressure elevated above the safety relief valve setpoint, reactor water level near normal due to the availability of feedwater, and steam flowing both to the suppression pool through several safety relief valves and to the main condenser through the turbine bypass valves. The rate of energy relief will be split about evenly between the bypass and safety valves at an approximate total steam flow between 50% and 60% rated [Ref C.5-1].

C.5-5

Continuing with the MSIV closure event description, a reduction in power level and reactor pressure will begin to occur following trip of both the recirculation and feedwater pumps. This is because of the combined effect of the loss of forced circulation, core inlet sub-cooling, and the lowering of reactor water level. On reaching the reactor low-low water level setpoint (-49") only two to three safeties will be open. At this level the HPCI and RCIC systems will receive a signal to actuate and begin injection of cold water to the vessel. A temporary additional reduction in reactor pressure will occur as a result of this cold water addition to the point that as few as one safety valve will remain open. Once the cold water reaches the reactor core, however, a power increase will occur and reopening of additional safeties will begin. The approximate power that ultimately will result will be equal to that required to heat up and boil the water being injected to the vessel. The steam flow associated with the injection of water from the HPCI and RCIC systems to the reactor under these conditions is approximately 40% of the steam flow associated with normal power operation. This requires three to four safety valves to maintain control of reactor pressure.

The reactor water level calculated to be reached through the use of HPCI at rated flow is above the top of the fuel assemblies but*below the reactor low-low level setpoint. As a result of maintaining reactor inventory at this level, the ADS timer will begin operation.

Because of the actuation of the unpiped safeties early in the event, containment pressure is expected to be in excess of 2.5 psig at this time and automatic operation of the ADS is expected within two minutes of reactor water level falling to below reactor low-low water level.

If operation of the ADS occurs automatically, it could result in depressurization of the reactor to below the shutoff head of low pressure injection systems such as LPCI and core spray. It is desirable to avoid uncontrolled injection from these systems in order to prevent power spikes associated with the rapid insertion of cold C.5-6

water from these high volume sources. If HPCI is in operation, reactor power will return to a sufficiently high level that the reactor pressure should be higher than the shutoff head of low pressure pumps. Without HPCI, depressurization and injection with low pressure systems ill occur.

However, TRACG analysis [Ref* C.S-6] has shown that uncontrolled injection with low pressure systems during an ATWS will not result in substantial fuel damage or threaten the integrity of the reactor vessel. This is because reactor power and pressure rise as a result of cold water insertion to the point that the shutoff head of the low pressure systems will be exceeded. This terminates low pressure injection flow to the vessel until reactor power and pressure once again drop back to levels at which low pressure systems can resume injection. In this regard, automatic low pressure injection during an ATWS is self-limiting under these conditions.

It is still desirable to avoid automatic and uncontrolled low pressure injection (to allow the operator easier means of controlling reactor level) and ultimately to reduce the potential for boron washout. During the MSIV closure event the means of preventing ADS operation and depressurization of the reactor is to inhibit ADS.

Either or both methods are acceptable in accordance with Emergency Operating Procedures (EOPs). Care should be taken, however, if the

'latter method is used in preventing automatic operation of the ADS.

It should be remembered that during events beginning with the isolation of the primary system the feedwater pumps are tripped initially for the purpose of assuring that reactor power is sufficiently low that safety valves are adequate to control reactor pressure. Returning reactor water level to near normal requires returning multiple feed pumps to service while the reactor is still at power. However, the potential for raising the water level to near normal such that there is little margin on safety valve capacity is judged to be low for a number of reasons. Emergency operating procedures warn the operator to slowly raise water level during ATWS C.S-7

situations in anticipation of rises in reactor power and pressure such as this (post boron injection), and the operators are trained to anticipate the need to lower level during such an event as opposed to raising level in an uncontrolled manner. Even in the unlikely event the operator were to assume that a normal transient were in progress as OP,posed to an ATWS event, it would be unusual for actions to be taken to return multiple trains of feedwater to service in an attempt to restore reactor level to above normal levels.

Should the operator not take action to inhibit ADS operation in either manner, depressurization of the reactor to the shutoff head of low pressure systems will occur. Approximately three minutes occurs between the time that the ADS actuates until the shutoff pressure of LPCI and core spray is reached. At this point operator action to control level with low pressure systems is desired. Again, even if uncontrolled injection is allowed, primary system response is such that substantial core damage is not expected nor will the integrity of the primary system be in jeopardy [Ref C.S-6].

Through al] of this, the operator should be attempting to shut down the reactor by way of control rod insertion or actuation of Standby Liquid Control (SLC). The design of SLC at Pilgrim is such that it is capable of injecting the equivalent of 86 gpm of 13% sodium pentaborate solution. Analysis indicates that reactor shutdown can be achieved in 12 minutes following initiation of this system [Ref C.S-7]. This analysis assumes that adequate mixing of the boron solution is occurring as it enters the vessel. The adequacy of mixing is dependent on flow through the reactor. Sufficient flow and adequate mixing are predicted to occur as long as the operator maintains the water level at or above the top of the fuel. For most scenarios, as a result, the reactor water level will be sufficiently high and adequate mixing will occur during the injection phase.

In addition to actuation of SLC, the operator may be attempting to limit steam flow to the containment by minimizing power through C.S-8

reactor level control. The power level with the reactor water level near normal level, the main condenser in service, and natural circulation occurring, is expected to be between 50% to 60% full power. As stated above, under these conditions steam flow is split between the main condenser and safety valves. For the MSIV closure event, again under natural circulation conditions and with HPCI and RCIC maintaining reactor inventory, reactor water level is lower and the reactor is limited to near 40% initial power [Ref C.S-1].

Operator action to limit injection flow to the reactor and lower level to the top of the fuel can reduce power still further to as low as 10% to 20% rated power [Ref C.S-8]. The advantage of taking this action is to decrease the amount of steam being directed to the containment and maximize the amount of time available for operator action and SLC injection to take effect in shutdown of the-reactor.

Containment Response As noted above, containment response to ATWS events depends on the rate at which reactor power is directed to the containment. The amount of energy released to the containment early in the event is governed by automatic response of plant systems and equipment to the ATWS. Early during the MSIV closure event, for example, five to six safety valves are required to prevent reactor over-pressure. As a result, steam is being released to both the suppression pool through the safety relief valves and directly to the drywell through the unpiped safeties. Containment pressure rises quickly during the event to above the containment high pressure setpoint of 2.5 psig.

Shortly after the recirculation and feedwater pumps have tripped, however, power drops to the point that only the piped relief valves are required and all energy release is to the suppression pool. From this point of the transient, containment pressure slowly rises as the suppression pool heats up and becomes saturated.

Containment response during the latter stages of an ATWS event is principally governed by operator response to the transient. Several C.S-9

containment parameters are important in determining the most appropriate operator actions during the event. These parameters include- the suppression pool temperature, which indicates when the Residual Heat Removal (RHR) system should be initiated, the boron injection initiation temperature (BIIT) by which boron initiation should have commenced and reactor level/power control is required, the heat capacity temperature limit (HCTL) at which point reactor depressurization is required, and the containment temperature and pressure limits for which action is required to preserve containment integrity.

For transients occurring at decay heat loads, the latter limit would be represented in the emergency procedures by the primary containment pressure limit (PCPL). The PCPL has a value of 56 psig at normal suppression pool levels and a corresponding suppression pool temperature (assuming all heat is being directed to the suppression pool) near 300F. A lower value is used during ATWS events where steam flow rates to the suppression pool are substantially greater than decay heat levels. The IPE methodology suggests a suppression pool temperature limit of 260F at which time items such as suppression pool loads greater than normal and the potential for inadequate vapor suppression at steam flow rates greater than those associated with decay heat loads may become considerations.

Conservatively assuming little action by the operator to terminate the event or limit the rate at which energy is entering the containment, the following are the approximate time frames to reach these various limits:

BIIT HCTL 260F Time (min) 5 12 28 (These values assume reactor power near 30% to 40% rated is being direct to the suppression p'ool following RPT)

C.S-10

As stated above, the operator plays a significant role in terminating or otherwise affecting the course of an ATWS event. Perhaps the most significant of these actions is the initiation of SLC. To be effective in shutting the reactor down in time to avoid exceeding some of these containment limitations, SLC must be actuated sufficiently ear.ly to permit injection of a sufficient amount of boron to achieve reactor shutdown prior to exceeding recommended limits associated with these parameters. As noted earlier, Pilgrim specific analysis indicates that the existing SLC system configuration and the enriched concentration of boron will permit reactor shutdown in approximately 12 minutes. Assuming this rate of injection with little other operator action, the time available to the operator to initiate SLC and prevent exceeding 260F for the suppression pool in an MSIV closure transient is 20 minutes. As before, this value assumes that the steam flow to the pool is 30% to 40% rated power and drops off linearly as boron concentration increases in the vessel).

In fact, other operator actions are expected which increase the amount of time available for SLC to become effective and reduce the energy addition to the containment. Such actions include lowering level in accordance with emergency procedures to reduce reactor power level to the maximum extent practical. For sequences in which the main condenser is available, this action can result in termination of steam flow to the suppression pool all together by reducing power to below the capacity of the turbine bypass valves regardless of whether or not SLC has been actuated or is effective. For MSIV closure sequences, however, it is assumed that the operator action to limit the power level in this manner is highly coupled with SLC initiation. That is, the operator will be performing this action only if it is also recognized that SLC should be initiated. In this rega,rd it is expected that level control will be effective only during the period in which SLC injection to the vessel is occurring and will result in extending the time for effecting reactor shutdown

• by only a few minutes. Time available for the operator to take these C.S-11

actions including actuation of SLC for .the MSIV isolation transient before pool temperature exceeds 260F is 25 minutes. This value assumes that SLC and level control are initiated simultaneously, and that for main condenser events this action effectively terminates all steam flow to the suppression pool and for MSIV closure events power is reduced to <20%.

Still more time is available for operator action to inject SLC given the guidance provided in the emergency procedures. For MSIV closure events, for example, in excess of an hour can be made available to initiate SLC if level control is initiated at the boron injection initiation temperature as directed by the EOPs. However, because these events are assumed to oe highly coupled (i.e., the operators are highly likely to have injected SLC given that they are attempting level control) the time frames listed above are used in determining the likelihood of operator action to shutdown the reactor during ATWS events.

Besides operator actions in controlling reactor level and actuating SLC, containment heat removal equipment plays a role in determining containment response to an ATWS. Normal heat removal equipment includes the main condenser, RHR, sprays from external sources, and containment venting. For the purpose of removing heat at reactor power levels, only the main condenser is considered to have sufficient capacity to prevent the containment pressure and temperature from rising. Even if reactor level control is used to reduce reactor power to as low as 10% to 20% rated, the combined capacity of RHR and the vent are insufficient to prevent the temperature of the suppression pool and containment pressure from rising (each loop of the RHR heat exchanger is capable of approximately 2.5% rated power at a suppression pool temperature of 260F).

If sufficient venting paths are initiated to manage this steam generation rate, a substantially greater steam flow addition to the C.5-12

reactor building will occur than under decay heat conditions, possibly degrading the environment in the reactor' building more than expected for containment decay heat removal failure events. As a result little credit for heat removal systems other than the main condenser is taken while the reactor is at power.

Once the reactor is shutdown, however, these other means of heat removal become more viable. Less credit for repair of these systems is taken, however, because of the short duration over which containment heatup occurs during ATWS. Detailed assumptions associated with the adequacy of system and operator actions described above and used in the quantification of the ATWS event tree are presented below in the success criteria section of this discussion.

C.5.3 Scram System Reliability The single system in the ATWS sequences which has a dominating effect on the probabilistic quantification of ATWS quantification is the scram system consisting of the reactor protection system logic, the control rods, the control rod hydraulic system, and the control rod drive mechanisms.

The common mode failure to scram estimate of 3E-5 per demand is taken from NUREG-0460 for this evaluation. This failure to scram estimate is allocated between mechanical and electrical failures based upon observed precursors at BWRs. The allocation of the BWR scram system failure rate for this evaluation is based upon observed precursors and operating experience with BWR scram systems. The allocation is 2.25E-5 per demand for electrical failures, 7.5E-6 per demand for mechanical failures. Reference C.5-10 contains details on the precursors used to calculate the allocation. Of the events listed in Table 3.3-1 of Reference C.S-10, one event has been eliminated for all plants, and one mechanical precursor, namely the July 1980 SDV event at Dresden, was eliminated as a potential event at Pilgrim because of modifications made to the plant in response to the ATWS C.S-13

rule. This leaves eight total events, of which two are potential common cause mechanical failures. Thus, the allocation between mechanical events and electrical failures becomes 1/4 mechanical, 3/4 electrical for the Pilgrim plant. The overall value of 3E- 5 per demand is highly uncertain (log normal distribution with an error factor of 20 to 30). It is recognized that the value used in this probabilistic evaluation, i.e., the mean point estimate from NUREG-0460, may be conservative.

C.5.4 Success Criteria Success criteria for the functional events that must be accomplished to achieve shutdown of the reactor during ATWS events are discussed below:

Control Rods (RPS)

Success at this heading implies insertion of control rods over the first several seconds of a transient as a result of a signal from the Reactor Protection System (RPS). Successful reactor shutdown in this time frame reduces power to decay heat levels and results in the use of equipment important to cooling the core and removing heat from the containment as outlined in the transient event trees. Following failure of the RPS heading, the systems necessary to achieve successful shutdown depend to some extent on whether the cause of the failure to insert rods is mechanical or electrical in origin.

Electrical RPS failures can be successfully mitigated by tripping the recirculation pumps (RPT) and subsequently causing control rod insertion by actuation of alternate rod injection solenoids (ARI).

Mechanical control rod insertion failure or electrical failures with coincident loss of ARI require actuation of standby liquid control (SLC) to terminate the event.

Alternate Rod Insertion (ARil In conjunction with recirculation pump trip (RPT), alternate rod injection (ARI) equipment can successfully provide rod insertion by C.S-14

bleeding the pressure from the pneumatic supply to the scram valves, effectively terminating those ATWS sequences initiated by an electrical failure to scram. Actuation signals for ARI include high reactor pressure (1175 psig) and/or low reactor water level (-46").

It is necessary to trip the recirculation pumps in addition to actuating ARI in order to reduce power below safety valve capacity while the air headers to the scram valves depressurize.

Recirculation Pump Trip (RPT)

Automatic recirculation pump trip occurs on the same high reactor pressure and low reactor level signals as initiates ARI. Tripping the recirculation pumps eliminates forced circulation, reducing the flow through the core. This causes additional voiding in the core and a corresponding reduction in power. This reduction in power assists in the mitigation of ATWS in two ways. First, reactor power is reduced to below safety valve capacity quickly during the event providing protection of the reactor from over-pressure. Second, it minimizes the amount of steam directed to the suppression pool, increasing the time available for the operator to take actions to initiate SLC. Reducing the power to near safety valve capacity permits time for ARI to bleed down the pressure in the air headers to the scram solenoids and insert control rods, 'if the failure to scram is due to electrical causes. If the failure to trip is due to mechanical causes, however, the effectiveness of tripping the recirculation pumps is dependent on the status of the main condenser.

Safety valves, in conjunction with the turbine bypass valves, are sufficient to relieve all the power being generated by the reactor after the recirculation pumps are tripped (80% capacity as opposed to -55% power). For sequences in which the main condenser is not available, however, an additional reduction in power is desirable to assure that reactor power remains below the capacity of the safety valves. This additional power reduction is provided by tripping the feedwater pumps. Feedwater pump trip (FWT) occurs on high reactor pressure (1400 psig). The effect of tripping the feedwater system is a loss of sub-cooling at the core inlet and a lowering of level C.S-15

and hence flow through the reactor. These conditions result in additional void generation and further power reduction.

Given these Pilgrim specific design features, success at the recirculation pump trip heading implies the following: for sequences in which the main condenser is available, trip of either of the recirculation pumps is required (to trip the recirc lation pumps, either the field breaker or the drive motor breaker to each recirculation pump motor generation set must open); for sequences in which the main condenser is not available, it is assumed that both recirculation pumps and all three feedwater pumps must be tripped to attain the necessary reduction in power. Failure of the appropriate combination of recirculation and feedwater pumps to trip is assumed to lead to power levels above the capacity of the safety valves and subsequent failure of .the reactor vessel on over-pressure. In fact, analysis indicates that failure of feedwater pump trip will result in a steam flow rate which is near but slightly below the safety valvcapacity. Tripping the feedwater pumps results in additional margin on the safety valve capacity providing further assurance that reactor over-pressure conditions do not occur.

RPV Pressure Control (SRVs)

RPV pressure control success criteria with safety relief valves vary depending upon the initiating event. Events in which the main condenser remains available and steam flow is occurring through the turbine bypass valves require only three to four safety relief valves to relieve the steam not being directed to the main condenser.

Events in which the main condenser is unavailable and feedwater is in operation require five to six safety relief valves to open in addition to the trip of both recirculation pumps. All three feedwater pumps should trip to provide additional margin on safety relief valve capacity, as noted above. Failure of a safety relief valve to open during a reactor trip failure without the main condenser, or failure of multiple safety relief valves to open with C.5-16

main condenser availability is assumed to lead to reactor vessel over-pressure failure.

Coolant Inventory Make-up (QU)

The HPCI and feedwater systems are each as umed to be adequate high volume high pressure means of coolant inventory makeup during the initial stages of an ATWS event from 100% power with no control rod insertion. EOP 02 requires the operator to stop and prevent all RPV injection from all sources except CRD and SLC if:

a)reactor power is above 3%, and b)torus water temperature is above the Boron Injection Initiation Temperature Curve, and c) drywell pressure is above 2.5 psig or any SRV is open, and d)water level is above top of active fuel.

He is directed to lower water level until one of these values recovers below the level listed above, and then maintain water level between that level and -155 inches. He is not allowed to raise level above that point until the hot shutdown boron weight of SLC solution )

has been injected.

By itself, HPCI is sufficient to keep the reactor level above the top of the active fuel following a failure to trip from full power.

Operation of the feedwater system can have a number of competing effects on the outcome of the transient depending on the initiating event. For events 1' n wh1' ch the feedwater systI em rema1' ns in operation or is returned to service early in the event, feedwater operation is capable of maintaining reactor inventory.

If the feedwater system is returned to service following a high pressure reactor trip, care must be taken by the operator not to raise the water level back to the point that reactopower causes the plant to exceed the values listed above. The operators are trained to anticipate the need to lower level during such an event as o posed C.5-17

to raising level in an uncontrolled manner, making this situation unlikely.

The HPCI system is a lower volume system than feedwater, capable of providing on the order of 4000 gpm at elevated reactor pressure (approximately 1/4 normal feedwater flow during full power operation). The lower flow capacity is such that during an ATWS, HPCI is not capable of returning reactor level and power to the point that safety relief valve capacity is approached. A heading for HPCI level control is therefore not included in the ATWS event tree as it is for feedwater. TRACG analyses indicate that the equilibrium level reached with HPCI during an ATWS from full power is less than the reactor low-low watelevel setpoint. As a result, it is assumed that HPCI is capable of maintaining adequate core cooling during an ATWS without feedwater but will not prevent automatic ADS actuation.

SLC Injection (C2,& C4)

Whether inventory makeup is being accomplished by high or low pressure injection systems, reactor shutdown following a failure to insert control rods requires initiation of Standby Liquid Control.

Successful SLC injection requires the operation of either of two SLC pumps and may also require additional power level reduction by way of reduction in reactor water level if there is a significant delay in SLC initiation. Each pump is capable of injecting the equivalent of 86 gpm of 13% sodium pentaborate solution into the vessel.

The effectiveness of SLC injection is represented by several headings in the ATWS event tree.

The first heading examines the potential for mechanical or electrical failure of SLC (heading C2). Failure of SLC due to equipment problems is assumed to lead to the need for alternate methods of injecting boron as outlined in plant emergency operating procedures.

C.S-18

The remaining heading for SLC actuation represents the effects of injecting sufficient boron to shutdown the reactor at successively later periods of time during the transient. The points in time considered important for the purpose of this event tree include SLC injection in time to take action to prevent challenging the containment. Depending on how late in the transient that SLC is initiated, its success in preventing containment over-pressurization may also depend on taking actions to lower reactor level in order to reduce power.

SLC initiation is needed to achieve reactor shutdown in order to prevent challenges to containment integrity. The second SLC initiation heading reflects action to inject SLC in this time frame (C4). Operator action early during this period requires only that SLC be initiated. For events in which high pressure injection systems are in operation, calculations indicate that approximately 20 minutes are available to initiate SLC if the reactor remains at high pressure while 20 to 30 minutes exist if depressurization to low pressure systems occurs.

As SLC is delayed later in the period, operator action to lower reactor water level to limit reactor power and the amount of energy being directed to the suppression pool will be required in addition to initiation of SLC. With water level/reactor power control, operator action may be delayed an additional several minutes and still be successful in shutting down the reactor during sequences in .

which the primary system is isolated and all the energy is being directed to the suppression pool. Since the same operators will be injecting SLC as will be controlling water level, no credit is given in the PRA for water level control if the operator fails to inject boron in event C4

• C.S-19

Safety Valves Reclose (P)

For sequences in which SLC is injected sufficiently early that the reactor is shutdown prior to the occurrence of containment conditions requiring reactor depressurization, it is important to examine the potential for inadvertent depressurization of the reactor through a stuck open safety relief valve. An open SRV will necessarily result in reactor depressurization following shutdown and the need for low pressure injection systems.

Low Pressure Injection (V)

The low pressure heading of the ATWS event trees has two success criteria depending on the status of reactor shutdown. For those events in which SLC was actuated early and the reactor is effectively shutdown prior to the need for low pressure systems, the success

\

criterion for this heading is the same as for transients in which reactor trip was successful. Systems available to provide low pressure inventory makeup include condensate, LPCI, core spray and the fire system.

For sequences in which reactor depressurization occurs prior to reactor shutdown it is assumed that water level control with low pressure systems must occur with the reactor still at power.

Analysis of this situation has been performed by GE using TRACG [Ref C.S-6]. From these analyses it has been determined that uncontrolled injection from low pressure injection systems is a self limiting event that will not result in large power excursions or pressure spikes to the point that core or vessel integrity is threatened.

However, it is highly likely given that the reactor is not yet shutdown that the operator will be attempting to control low pressure injection rates to reduce reactor power in accordance with the power/level control contingency of the emergency procedures. Control of reactor level in this manner with systems such. as LPCI and core spray is assumed to be more difficult than at decay heat loads.

Because level control may be at or near the top of the active fuel during these scenarios, a slightly greater possibility of core damage C.S-20

is assumed under these conditions as compared to transients in which decay heat loads govern the need for injection.

Boron Dilution (UH)

Even following successful reactor shutdown, ATWS scenarios entail operating considerations in addition to those which would occur during more routine transient events. Among them is the need for the operator to limit vessel water injection to prevent uncontrolled injection from the low pressure systems into the reactor. Two possible failure modes are considered at this node:

o SLC has been initiated and the reactor is subcritical.

Injection in an uncontrolled manner with the low pressure systems can result in washing boron from the core. A rapid reactivity excursion may result.

o A slower transient in which the boron is washed from the reactor vessel due to extended operation of low pressure injection systems without level control.

The purpose of this heading is to examine the potential for this event and the need for operator action to preclude its occurrence.

Containment Heat Removal (W). Containment heat removal in 1 the ATWS event trees takes several forms depending on the status of SLC and its success in attaining reactor shutdown.

The first version of containment heat removal is similar to the containment pressure control heading of the transient event trees.

Systems such as the main condenser, RHR, and containment sprays have the ability to control containment pressure. This definition of the containment heat removal heading applies to those sequences in which shutdown was effected prior to exceeding containment limits. The need for these systems will occur much earlier following an ATWS event due to the fact that early in the event the energy being directed to the suppression pool is that associated with reactor C.S-21

power as opposed to decay heat. As a result, little time is assumed to be available for repair of heat removal systems following an ATWS.

The other version of this heading involves using containment heat removal systems to remove energy at rates associated with reactor power. For sequences in which the main condenser is available, success at this heading requires that the reactor water level be lowered to the point that all of the energy being produced in the reactor is being directed through the turbine bypass valve. This action can provide an effectively unlimited amount of time for operator action to initiate SLC. However, since the same operators will be injecting SLC as will be controlling water level, no credit is given in the PRA for water level control if the operator fails to inject boron in event C4.

For sequences in which the main condenser is not available, success at this heading would imply that injection to the vessel be terminated such that reactor water level would be lowered to the point that reactor power would drop to below the capacity of other available heat removal systems (such as RHR). Assuming the ATWS began with the reactor at full power, the reactor water level associated with this heat generation rate is less than the minimum steam cooling level. Little chance of success is given to this heading as current emergency operating procedures do not suggest this mode of ATWS mitigation.

c.s.s Operator Error Probabilities There may be a wide spectrum of operator actions which contribute to the operator success in the implementation of the reactivity control procedures. The evaluation of the operator error probabilities for failure to perform these actions is dependent upon the following:

o Time available for action to be performed C.S-22

o Indication of the need for action o Stress on the operator o Successful performance of the associated actions o Number of members of the crew involved in the decision making and dependencies among them o Degree of difficulty of the operation o Hesitancy in performing the action.

Each of these can be referred to as a performance shaping factor duririg the overall assessment of the potential for operator error.

The values used in the Pilgrim ATWS event trees are based on guidelines presented in Appendix A, and in Appendix A of the IPEM.

The dominating factor in estimating operator error probabilities in this evaluation is the time available to the operator to successfully accomplish the actions required by the emergency procedures.

Examples of the operator actions that are important during ATWS, and their probabilities, are listed below:

Action HEP Comment Operator fails to .09 Governed by the time frame depressurize SLC injection prior to 260F .04 No main condenser w/o level control action must occur: within 13 min

.04 Main condenser available, action must occur within 12 min C.5.6 Transient Initiator Frequency The anticipated transient initiators are the same types as considered in the other sections of the IPE. These transient types include turbine trips (TT), loss of feedwater (Tp),. MSIV Closure -(TM), loss C.S-23

of condenser vacuum (Tc), loss of offsite power (TE), and IORV (T1)

• The frequencies of these initiators are presented in Appendix A.

The majority of transient initiators at Pilgrim result from turbine trips or lead to turbine trips. However, two principal distinctions made in this analysis are turbine trips which proceed with normal systems available (i.e., the condenser available as a heat sink) and those turbine trips in which the condenser is unavailable due to MSIV closure or the closure of the* turbine bypass valve. These initiating events were the initiating events for the ATWS event trees. The various modes of failure to scram, and the subsequent events are captured in the event trees. The difference between isolation and non-isolation ATWS events are accounted for in the success criteria for the various safety functions.

C.5.7 ATWS Event Trees This subsection takes the qualitative and quantitative information presented in Sections C.5.1 through C.5.6 and uses it to quantify the ATWS event trees which are used for .the Pilgrim IPE.

C.5.7.1 MSIV Closure Initiator ATWS Event Tree General Discussion The MSIV closure class of transient initiators are an important class of accident initiator because they adversely affects the normal heat sink. Figure C.5-1 is the event tree for the MSIV isolation type initiating events for ATWS accident sequences. The initiator frequencies are determined from operating experience includes those postulated turbine trip with failure to scram sequences which may C.S-24

become isolation events. These initiating events are included in the MSIV closure ATWS initiator event tree.

The operator response to an ATWS initiated by an MSIV closure must be relatively rapid as all of the energy being produced in the reactor is being directed to the suppression pool. A need to inhibit ADS operation in some way is required during this event as the feedwater pumps will trip on high reactor pressure causing reactor water level to drop below the low-low setpoint.

• ,

Even given the operator's action to reduce power by lowering the reactor water level, substantial amounts of heat will still be transferred to the suppression pool until the boron is injected and sufficient mixing occurs. to reduce the heat load to decay heat levels. Therefore, the operator has less time for action in the MS!V closure initiated transient than in the turbine trip with bypass case, for example.

System heading success criteria for the MSIV closure initiator include:

Heading Success Criteria RPT Both recirculation pumps and all feedwater pumps must trip SRVs Five to six safety relief valves are required to open HPCI Must operate to maintain reactor water level SLC Must be initiated within 20 minutes (20-30 minutes with depressurization to low pressure systems)

C.S-25

C.5.7.2 Non MSIV Closure ATWS Event Tree General Description The postulated effects of ATWS on the turbine trip are evaluated in Figure C.S-2 for cases with the bypass valves available. Implicit in the construction of the event tree for a turbine trip with bypass is the fact that feedwater is initially supplying coolant injection to the reactor.

I For those events which continue as turbine trip events with feedwater available, the ability of the plant to cope with such events is good because use of the normal heat sink can potentially provide substantial time for the operator to take appropriate action to initiate SLC without challenging containment, while also maintaining adequate coolant injection.

System heading success criteria dependent on the turbine trip initiator include:

Heading Success Criteria RPT Only one recirculation pump is required to trip to reduce power to below bypass valve and SRV capabilities SRVs Three to four safety relief valves are required Feedwater Normal operation precludes automatic actuation of

• the ADS. Feedwater operation will not result in power levels in excess of the safety relief valve capacity SLC Must be initiated within 18 minutes (but can be postponed indefinitely with reactor level control within first 25 minutes)

C.S-26

References C.5-1 General Electric Company, NEDC- 31425 (Draft) "Evaluation of ATWS at the Pilgrim Nuclear Power Station," 1988.

C.5-2 TRACG Analysis Results (Draft) presented by General Electric for Pilgrim ATWS events, September and October 1987.

C.5-3 Pilgrim Nuclear Power Station System Lesson Notes, Main Turbine.

C.5-4 R.E. Henry to C.S. Brennion, June 22, 1987, Comparison of TRACG Analysis with MAAP (modified Chexal-Layman).

C.5-5 Pilgrim ODYN Analysis, SEP Meeting of March 27, 1987.

C.5-6 General Electric Company, TRACG Analysis Assuming Uncontrolled Low Pressure Injection (unpublished).

C.5-7 S. Mintz to J.E. Torbeck, September 17, 1987, Time to Hot Shutdown for ATWS Events in Pilgrim.

C.5-8 BWR IPE Methodology, IDCOR Technical Report, T86.3B1, Vol. 1 & 2, March 1987.

C.5-9 Andersen, V.T., and Burns, E.T. "Human Error Probabilities in the BWR Individual Plant Evaluation Methodology," Proceedings, 1988 IEEE Conference on Human Factors, June 1988.

C.5-10 Burns, E.T., "Reassessment of the Scram Failure Probability", TENERA, L.P., document S-470058-037, September 1988.

C.5-27

Table C.S-1

SUMMARY

OF REQUIRED FUNCTIONS AND SYSTEMS AVAILABLE FOR POSTULATED ATWS SEQUENCES FUNCTION SYSTEMS USED TO ASSUMED RESULT IF FULFILL NECESSARY FUNCTION FAILS FUNCTIONS Insert Adequate Negative ARI (electrical RPS) High Containment Reactivity or Pressure SLC Hi Pressure Coolant Demand on Low Pressure Injection FW or HPCI Systems Make-up Containment PCS (at Power) High Containment Heat Removal and Pressure PCS or RHR (Reactor Shutdown)

Short Term Safety Relief & LOCA, Possible Pressure Turbine Bypass Valves Degraded Core, Control and High Containment RPT (and FWT for Pressure MSIV events)

Low Pressure 1 LPCI or Inadequate Coolant 1 Core Spray or Core Cooling Injection 1 Condensate Makeup C.S-28

Table C.S-2 DEFINITIONS OF FUNCTIONS OF EACH SYSTEM APPLIED IN THE ATWS EVENT TREE DEVELOPMENT DESIGNATOR SYSTEM FUNCTION Reactor Protection The RPS has been divided into System electrical and mechanical functions for the study. The mechanical function includes the operation of the CRD hydraulic system, the physical insertion of a sufficient number of control rods to bring the reactor subcritical, and other mechanical components as required.

The electrical portion of the RPS includes generation of a scram signal through the logic, and the de-energizing of the scram solenoid valves.

Poison Injection Termination of reactor poweris required to assure containment and

\.

core integrity. Following failure to scram this function is accomplished through initiation of SLC. The C2 heading is used to evaluate the potential for failure of SLC due to mechanical or electrical cause, C4 is used to evaluate the potential for failure to inject SLC prior to the pool temperature exceeding 260F (level control is not credited if SLC injection failed)..

)

C.5-29

Table C.S-2 (Continued)

DEFINITIONS OF FUNCTIONS OF EACH SYSTEM APPLIED IN THE ATWS EVENT TREE DEVELOPMENT DESIGNATOR SYSTEM FUNCTION R Recirculation Pump This system is designed to be Trip (plus Feedwater completely diverse from the RPS pump trip when required) (both electrically and mechanically). The RPT is intended to trip the recirculation pumps which will reduce the flow through the core and lead to reduced moderation in the core and lower core power level. Feedwater pump trip can be used to further reduce core power during isolation transients by reducing core inlet sub-cooling and lowering reactor water level.

K Alternate Rod This system is completely diverse Insertion (ARI) to the RPS. ARI is considered effective in terminating events in which the failure to scram is due to electrical causes. This is accomplished by depressurizing the pneumatic supply to the scram values.

M SRVs Open Successful pressure control requires sufficient SRVs open to maintain reactor pressure below reactor vessel pressure limits.

This requires five to six safety values during events initiated by isolation of the primary system and only 3 to 4 SRVs for events in which the main condenser is available.

p SRVs Close This event includes effect of a single relief valve remaining stuck open (SORV) during the transient.

Depressurization to low pressure systems is assumed to occur once reactor power is reduced.

C.S-30

Table C.S-2 (Continued)

DEFINITIONS OF FUNCTIONS OF EACH SYSTEM APPLIED IN THE ATWS EVENT TREE DEVELOPMENT DESIGNATOR SYSTEM FUNCTION QU Coolant Injection The coolant injection function requires sufficient water in the reactor vessel to maintain the core covered. The methods available to perform this function vary with the transient. Feedwater or HPCI are sufficient to prevent core uncovery during power generation. If the RPV is isolated, only HPCI is available.

UH Operator Controls Level The operator is required to control level and prevent overflow of the reactor to the suppression pool following SLC injection. This prevents dilution of boron in the primary system and any subsequent return to power. Also, inadvertent actuation of ECCS is included in this heading which might result in washing boron from the core and a prompt critical situation.

w Heat Removal Heat is removed from the reactor through either the main condenser or steam relief through the safety relief valves to the suppression pool. However, the heat must also be removed from the suppression pool or a failure of the containment could result from over-pressurization. With the reactor at power, only the main condenser is assumed to be capable of relieving the energy being produced in the core. After reactor shutdown, the main condenser, RHR, spray from external sources and the vent are capable of maintaining the containment below design pressure.

C.S-31

CLASS SEQUENCE CORE DESCRIPTION DAMAGE FREQUENCY ISOLATION RPS RPS RECIRC ALTERNATE SRVs OPEN FEED AND DEPAESSURI LOW SLC MECH OPERATOR SAVs CLOSE LOW BORON CONTAINMNT ATWS ELECTRICAL MECHANICAL AND FEED ROO HPCI ZE PRESSURE AND ELECT FAlLS TO PRESSURE DILUTION PRESS CONT INITIATOR FAILURE FAILURE PUMP TRIP INSERTION INJECTION INJECT INJ SBLC TATWS CE CM A K M ou X v C2 C4 p v UH w OK -

OK -

I II ATHSII < IE-9 I IV ATW521 I .5E-7 OK -

I II ATHS31 < IE-9 I I IV ATHS4I 5. 7E-9 I IC ATHS5I < IE-9 JV ATHS6I 6. IE-7 IV ATHS7! B. 2E-B OK -

II ATWSBI < IE-9 IV ATHS9I 4.1E-9 I L IV ATHS!OI 5. 4E-B I L IV ATW5111 < IE-9 I I IC ATHS12I < IE-9 I IC ATHS13I < IE-9 IV ATHSI41 < IE-9 IV ATHSI5I < IE-9 OK -

OK -

II ATHSI6I < IE-9 IV ATHS17I < IE-9 OK -

II ATHSIBI < IE-9 I IV ATIOS!91 < IE-9 I IC ATHS201 < IE-9 IV ATHS21! < IE-9 IV ATWS22I < IE-9 OK -

II ATHS231 < IE-9 I IV ATIOS24I < IE-9 I I IV ATHS25! < IE-9 I I IV ATHS261 < IE-9 I I IC ATHS271 < IE-9 I IC ATHS28I < IE-9 IV ATHS29I < IE-9 LOCA < IE-9 IV ATHS30I < IE-9 FIGURE C.5-! ISOLATION ATWS

CLASS SEQUENCE CO E DESC IPTJON DAMAGE F EGUENCV NON RPS RPS RECIRC ALTERNATE SRVs OPEN FEED AND DEPRESSURI LOW SLC MECH OPERATOR SRVs CLOSE LOH BORON CONTAINMNT ISOLA TJON ELECTRICAL MECHANICAL PUMP TRIP ROD HPCI ZE P ESSURE AND ELECT FAILS TO PRESSURE DILUTION PRESS CONT ATHS FAILURE FAILURE INSERTION INJECTION INJECT INJ INITIATOR

• - au v SBLC p v w TAH S CE CM R K

" X C2 C4 UH OK -

OK -

II ATHS!NI < IE-9 f IV ATHS2NI 4. 5E-7 OK -

I II ATHS3NI < IE-9 J IV ATWS4N! 2 OE-8 L IC ATHS5NI < IE-9 IV ATWS6Nl I .BE-6 IV ATHS7NI 2. 5E-7 OK -

f II Jlo.TWSBNI < 1E-9 I IV ATWS9NI < IE-9 I I IV ATHS!ONI < IE-9 I I IV ATHS!INI < IE-9 I I IC ATHS12NI < IE-9 I IC ATHS!3NI < IE-9 IV ATHS14NI 6.BE-7

./

IV ATHS!5NI < IE-9 OK -

OK -

II ATHS!6NI < IE-9 IV ATWS!7NI < IE-9 OK -

II ATWS!BNI < IE-9 I IV ATWS!9NI < IE-9 L IC ATWS20NI < IE-9 IV ATWS21NI < IE-9 IV ATW522NI < IE-9 OK -

II ATWS23NI < IE-9 I IV ATH524NI < !E-9 I I IV ATHS25NI < IE-9 I I IV ATWS26NI < IE-9 I IC ATHS27NI < IE-9 I IC ATHS28NI < IE-9 IV ATHS29NI < IE-9 LOCA XFER -

IV ATHS30NI < IE-9 FIGURE C. 5-2 NON-ISOLATION ATHS