SUBJECT: COMMENTS ON NRC PROPOSED RULE ...

Annette Vietti-Cook, Secretary
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001
Attention: Rulemakings and Adjudications Staff
December 14, 2007
SUBJECT: COMMENTS ON NRC PROPOSED RULE “CONSIDERATION OF
AIRCTAFT IMPACTS FOR NEW NUCLEAR POWER REACTOR
DESIGNS” (RIN 3150-AI19)
Dear Ms. Vietti-Cook:
Pursuant to the notice published in the Federal Register (Vol. 72, No. 191, October 3, 2007, pp. 56287-
56308), we submit the attached comments on the subject proposed rule on behalf of the Union of
Concerned Scientists and the following individuals/organizations:
Sincerely,
Paul Gunter Rochelle Becker
Beyond Nuclear Alliance for Nuclear Responsibility
Takoma Park, MD San Luis Obispo, CA
Jim Warren
North Carolina Waste Awareness and Reduction Network
Durham, NC
Tom “Smitty” Smith Karen Hadden
Public Citizen SEED Coalition
Austin, TX Austin, TX
David Lochbaum Edwin S. Lyman, Phd
Director, Nuclear Safety Project Senior Scientist
Washington Office: 1707 H Street NW Suite 600 • Washington DC 20006-3919 • 202-223-6133 • FAX: 202-223-6162
Cambridge Headquarters: Two Brattle Square • Cambridge MA 02238-9105 • 617-547-5552 • FAX: 617-864-9405
California Office: 2397 Shattuck Avenue Suite 203 • Berkeley CA 94704-1567 • 510-843-1872 • FAX: 510-843-3785

No.
(1)
(2)
Comments on Proposed Rule:
Consideration of Aircraft Impacts for
New Power Reactor Designs
Comment
On page 56287 column 2, the published notice stated: “Comments on rulemakings submitting
in writing or in electronic form will be made available to the public in their entirety on the
NRC rulemaking Web site.”
By letter dated May 1, 2007, NRC Chairman Dale Klein updated Congressman Bart Gordon,
Chairman of the House Committee on Science and Technology, regarding documents
contained in former NRC local public document rooms (LPDRs). Chairman Klein informed
Chairman Gordon that the NRC had determined not to take any steps to further review or
control the LPDR documents. Quoting from Chairman Klein’s letter:
The determination was and continues to be based in part on the fact that the level of
sensitivity of the documents at issue is below that of Classified or Safeguards
Information and on the belief that the information is of marginal value to potential
adversaries.
We have attached to our comments documents we obtained from the former LPDR collection
UCS obtained in summer 2006 because the information in these non-Classified, non-
Safeguards Information documents, while “of marginal value to potential adversaries,”
contains information of considerable value to our positions. We respectfully insist the NRC
abide by its stated plan of making our comments, including these attachments, publicly
available “in their entirety.”
The NRC seems intent on repeating the wrong steps that led to the Davis-Besse debacle. In
spring 2001, the NRC became aware of cracking and leaking control rod drive mechanism
(CRDM) nozzles at the Oconee nuclear plant. The NRC issued a bulletin in August 2001
requiring owners of other nuclear plants to inspect the CRDM nozzles. The most vulnerable
plants were required to inspect the CRDM nozzles by the end of 2001. When Davis-Besse
balked at conducting the required inspections, the NRC drafted an order that would have
required its owner to shut down Davis-Besse by December 31, 2001. Because that date had
been selected arbitrarily, Davis-Besse’s owner challenged that aspect and argued that the
NRC should allow the reactor to operate until its refueling outage scheduled in spring 2002.
The NRC bent to this pressure and shelved the shut down order.
Now, the NRC seems destined to repeat this mistake. On page 56290, the NRC arbitrarily
proposes to exempt certified but unbuilt new reactor designs from considering aircraft impact
hazards. This proposed exemption both contradicts and undermines the objective stated by the
NRC on page 56288:
The overriding objective of this rule is to require nuclear power plant designers to
perform a rigorous assessment of design and other features that could provide
inherent protection to avoid or mitigate, to the extent practicable, the effects of an
Washington Office: 1707 H Street NW Suite 600 • Washington DC 20006-3919 • 202-223-6133 • FAX: 202-223-6162
Cambridge Headquarters: Two Brattle Square • Cambridge MA 02238-9105 • 617-547-5552 • FAX: 617-864-9405
California Office: 2397 Shattuck Avenue Suite 203 • Berkeley CA 94704-1567 • 510-843-1872 • FAX: 510-843-3785

No.
(3)
Comment
aircraft impact, with reduced reliance on operator actions.
December 14, 2007
Page 3 of 6
If the NRC arbitrarily exempts the ABWR, System 80+, AP600, and AP1000 reactor designs
from this stated objective, it will essentially eliminate the requirement for all future reactor
designs, too.
Consider for a moment the situation if the NRC proposed rule were adopted as currently
written. The Acme Reactor Company and Reactors ‘R Us, Ltd. dutifully review their new
reactor designs for aircraft impacts per the “final” rule. They identify design changes and
additional widgets that could reduce reliance on operator actions in event of an aircraft
impact, but at a higher cost. They are loathe to voluntarily raise the price tag of their new
reactor designs because it would hurt them in the marketplace against the non-aircraft impact
resistance ABWR, System 80+, AP600, and AP1000 designs. Just as Davis-Besse’s owner
successfully resisted the NRC’s arbitrary shut down date, vendors with new reactor designs
could easily cite the arbitrary exemption of their competitor’s designs to “justify non-adoption
of potentially advantageous design features, functional capabilities or strategies,” as stated in
the proposed rule (p. 56292). The NRC’s arbitrary exemption of some new reactor designs
has the inherent consequences of barring design upgrades on non-exempt reactor designs, too.
The aircraft impact assessment rulemaking must apply to ALL reactors constructed in
the future with no exceptions. Americans deserve much more than an empty “IOU”
promise from the NRC.
The NRC proposes to exempt certified but unbuilt reactor designs from considering aircraft
impact hazards: the Advanced Boiling Water Reactor (certified in May 1997), the System 80+
(certified in may 1997), the AP600 (certified in December 1999), and the AP1000 (certified
in February 2006).
It is of more than marginal significance that all of these reactor designs were certified more
than 15 years after the NRC published NUREG/CR-1345, “Nuclear Power Plant Design
Concepts for Sabotage Protection,” Volumes 1 and 2, January 1981. UCS provides both
volumes of this NRC report – obtained from the former LPDR we acquired – as Attachment 1
to our comments. A Design Study Technical Support Group consisting of representatives of
the Combustion Engineering System 80 area, the General Electric STRIDE project, the
Westinghouse Standardized Nuclear Power Plant project, and other industry companies
evaluated design changes to make future reactors less vulnerable to sabotage. They identified
changes such as physically separating the emergency diesel generator rooms and locating
them on different sides of the plant and relocating the control room and spent fuel pools
inside more robust structures. They further evaluated these identified changes as being
feasible, beneficial, and cost-effective. Yet those known enhancements are not reflected in the
certified ABWR, System 80+, AP600, and AP1000 designs. Both the NRC and the nuclear
industry had benefit from the knowledge gained during the development of NUREG/CR-
1345, yet neither applied that knowledge to new reactor designs.
The American public should not be placed at undue risk simply because the NRC failed to
apply knowledge it acquired and documented in the 1981 report when it certified these four
reactor designs. It’s not the American public’s fault that the NRC put NUREG/CR-1345 on
the shelf and ignored its findings while the agency certified these four reactor designs. The
American public must not pay for NRC’s inadequate performance.

No.
(4)
Comment
December 14, 2007
Page 4 of 6
Had one of the four aircraft hijacked on 9/11 struck an operating U.S. nuclear power reactor,
there is ZERO chance that the NRC would even be entertaining the notion of exempting
certified but unbuilt reactor designs from considering aircraft impact hazards. The NRC must
apply the tragic, high-cost lesson from 9/11 and require – not meekly request – that new
nuclear power reactors be made more resistant to aircraft hazards. Waiting for Americans to
die before requiring protective measures in new reactor designs – tombstone regulation – is
simply unacceptable.
None of these four reactor designs has been built in the U.S. or is currently being built. An
exemption is unwarranted. ALL new reactor designs, no matter when they were certified,
must be equally applicable under the aircraft impact assessment rulemaking.
It was a mistake for the NRC and the nuclear industry not to incorporate and consider the
results from NUREG/CR-1345 when it was reviewing the four reactor designs now certified.
The NRC must not now compound that mistake by excluding these four deficiently certified
reactor designs from this rule. After all, to quote the Commission from the proposed rule
(page 56287):
The Commission believes it is prudent for nuclear power plant designers to take into
account the potential effects of the impact of a large, commercial aircraft.
We concur that it is indeed prudent to do so. It naturally follows that it would be imprudent
NOT to take into account these aircraft impact effects. By considering it prudent to be done
yet allowing it not to be done, the Commission could and should be considered criminally
negligent if Americans are killed by an aircraft impacting a reactor exempted from the
prudent assessments and upgrades.
The NRC stated on page 56291 column 1 “The NRC recognizes that the decision to rely on
design features (as opposed to operator action or mitigative strategies) is complex, and often
involves a set of trade-offs between competing considerations.” Likewise, on page 56293 the
NRC stated “it would not be practicable to introduce a design feature that would have
adverse safety or security consequences under a different operational or accident scenario.”
We are concerned that the proposed rulemaking language sets the stage for mere
documentation of the status quo rather than producing the more resistant designs being
sought. The proposed rulemaking language lacks criteria that could be applied to steer the
trade-offs to anything but an “okay as-is” outcome.
For example, in the first column on page 56294 the NRC suggests one of the design changes
might involve a new wall to provide better protection against aircraft impacts. Installation of
that new wall can and will likely affect heating, ventilating, and air conditioning flows in the
building. If temperature control is adversely affected, the electrical equipment in that area will
be unable to meet the environmental qualification (EQ) requirements in 10 CFR 50.49.
Absent some criteria with which to evaluate the benefits derived from the new wall versus the
cost of replacing electrical equipment to meet a higher EQ profile, the regulatory requirement
will trump the beyond-design-basis enhancement every single time. Similarly, there are plenty
of regulations governing coatings, combustible material loadings, etc. that can be adversely
affected by any proposed design resistance upgrade.

No.
(5)
Comment
December 14, 2007
Page 5 of 6
As an additional example, a vendor might “consider” a design change in which exterior
reinforced concrete walls are tripled in thickness to provide enhanced robustness against
aircraft impact. But, such a commendable change from a security perspective has an adverse
safety implication – namely, the thicker walls afford reduced convective heat flow through
the walls.
In these and countless other examples, a potential security design change with a positive value
of 1,000 could be dismissed if it had an associated negative safety impact of ½ . As presently
worded, a miniscule adverse safety consequence can completely trump a humongous security
upgrade.
The aircraft impact assessment rulemaking must incorporate appropriate criteria so as
to prevent the very real trade-offs encountered during the assessment from always
defaulting to the “no change required” outcome.
A viable, practical means of providing appropriate criteria was presented to the NRC on April
28, 2003, (available in NRC’s ADAMS via accession number ML031200807) by UCS and
the Mothers For Peace of San Luis Obispo. UCS and Mothers For Peace petitioned the NRC
to deal with aircraft hazards at existing reactors analogously to how the agency earlier dealt
with fire hazards following the Browns Ferry fire in 1975. The NRC adopted fire protection
regulations that required each licensee to (a) establish discrete fire areas within the plant, (b)
assume the equipment, cabling, and components in each fire area – individually – was
disabled by fire, and (c) determine whether sufficient equipment outside of each affected fire
area survived to allow the reactor to attain and maintain a safe shutdown condition. This
model could be applied to new reactor designs via this rulemaking by requiring reactor
designers to (a) establish discrete aircraft impact zones for the plant, (b) assume the
equipment, cabling, and components in each impact zone – individually – was disabled by
impact and direct consequence (e.g., fire), and (c) determined whether sufficient equipment
outside of each affected impact zone survived to allow the reactor to attain and maintain a
safe shutdown condition. Because the NRC considers the aircraft impact hazard to be a
beyond-design-basis event, this fire hazard model would be suitable for the new reactor
design aircraft impact rulemaking because certain design basis requirements, like the singlefailure
criterion and crediting only safety-related components, are not applicable.
The Technical Issues discussion beginning in the first column of page 56292 does not clearly
require the assessments to consider all real consequences of an aircraft impact. For example,
paragraph V.C.3.a requires the assessments to consider “thermal effects resulting from fire”
and paragraph V.C.3.c requires the fire assessments to “consider the extent of structural
damage and aviation fuel deposition.” But other real consequences, such as the effect of
smoke on equipment and personnel are apparently excluded from the assessment scope. Even
in cases where the evaluations indicate the aircraft and its jet fuel remain outside structures,
heavy smoke could be drawn into the ventilation supply for the emergency diesel generators
and/or control rooms with adverse consequences. Additionally, operating experience
demonstrates that inadvertent actuation of the fire suppression system (e.g., Surry during its
pipe rupture event) and rupture of fire headers (e.g., Columbia Generation Station event)
impedes operator response times and threatens operability of safety equipment.

No.
Attachments:
Comment
December 14, 2007
Page 6 of 6
The 1982 Argonne study of aircraft impacts (NUREG/CR-2859, attached) clearly indicates
that the physical impact of an aircraft on a structure has more consequences than are
determined by whether that aircraft, or pieces of it, penetrate through the structure. The
violence associated with the impact can cause motion exceeding that resulting from design
basis and operational basis earthquakes.
The 1987 study of electrical relay chatter caused by an earthquake (NUREG/CR-4910,
excerpts attached) revealed another direct consequence of a postulated aircraft impact that
must be considered. On page 6-5, this study reported:
The number of min cut sets [minimum cut sets, meaning postulated scenarios leading
to core meltdown] found at LaSalle-2 is so large that, given an earthquake strong
enough to cause LOSP [loss of offsite power], the probability that at least one of
these cut sets will occur is very high.
Clearly, a direct consequence – namely, relay chatter – of an aircraft impact having a high
probability of core meltdown cannot be excluded from consideration.
The rulemaking must clearly require assessments to explicitly consider potential
consequences from smoke and consequential equipment actuations and/or failures.
1. Ericson, David M. Jr. and Varnado, G. Bruce. 1981a. Nuclear Power Plant Design Concepts for
Sabotage Protection, Volume I. Sandia National Laboratories report NUREG/CR-1345 for the
Department of Energy (DOE) prepared for the Nuclear Regulatory Commission (NRC). January.
2. Ericson and Varnado. 1981b. Nuclear Power Plant Design Concepts for Sabotage Protection,
Volume II Appendices D, E, F, G. Sandia National Laboratories report NUREG/CR-1345 for the
Department of Energy (DOE) prepared for the Nuclear Regulatory Commission (NRC). January.
3. Kot, C. A.; Lin, H. C.; van Erp, J. B.; Eichler, T. V.; Wiedermann, A. H.; 1982. Evaluation of
Aircraft Crash Hazards Analyses for Nuclear Power Plants. Argonne National Laboratory report
NUREG/CR-2859 prepared for the Nuclear Regulatory Commission (NRC). June.
4. Budnitz, R. J.; Lambert, H. E.; and Hill, E. E., 1987. Relay Chatter and Operator Response After
a Large Earthquake. Future Resources Associates Inc. report NUREG/CR-4910 (excerpts)
prepared for the Nuclear Regulatory Commission. August.

NUCLEAR POWER PLANT DESIGN CONCEPTS
FOR
SABOTAGE PRO'I'ECTION
VOLUME I
David M. Ericson, Jr.
C. Bruce Varnado
Nuclear Fuel Cycle Satety Rcscarch Department 4410
P~lnted January 1981
Sandia National Laborator ics
Albuquerque, New Mexico 87185
Operated by
Sandia Corporation
for the
U.S. Department of Enerqy
Prepared for
Division of Safeguards, Fuel Cycle and Environmental Research
Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555
Memorandum of Understanding DOE 40-550-75
NRC FIN NO. A1210

ACKNOWLEDGMENT
The authors gratefully acknowledge the contributions of several
of their Sandia colleagues to this study: D. E. Bennett, 111, for
assistance with the baseline plant analysis and sabotage fault tree
preparation: M. S. Hill for the analysis and reduction of fault trees:
and C. J. Pavlakos for the analysis of plant safeguards effectiveness
against an external threat.
We are also indebted to staff members of Ir,ternational Enerqy
Associates Limited (C. Negin, L. Kenworthy, R. Jacobson, J. Ouinn, and
R. Hamilton) and Science Applications, Inc., (J. Mahn, P. Lobner,
L. Coldman, and T. Kuhn) for their assistance in this atudy as re-
ported in Appendices D, E, F, and G. The compilation and analysis of
the many design possiblities would not have been possible without the
enthusiastic participation of these colleaques.
Finally, our thanks to the staff of Tech. Reps., Inc., for their
assistance in the myriad details of assembling the material into a
comprehensible and usable report.

ABSTRACT
. Using a modern design for a nuclear power plant as a point of
departure, this study examines the enhancement of protection which may
.
be achieved by changes to the design and the impacts associated with
the changes. These changes include concepts such as complete physical
aeparation of redundant trains of safety equipment, hardened enclo-
sures for water storage tanks, and hardened shutdown heat removal sys-
tems. The study examines the enhancement (value) in terms such as the
potential reduction in the number of vital areas and the increase in
probability of adversary sequence interruption. The impacts consid-
ered include constraints imposed upon operations and maintenance per-
sonnel and increased capital and operating costs.
The atudy results indicate that design changes alone do not pro-
vide significant enhancement of protection against sabotage. However,
Borne of the desiqn alternatives can facilitate the implementation of
effective physical protection systems for both insider and external
threats. Design changes that limit access and reduce outside accees
are practical only for new plants. A praising alternative considered
is a hardened decay heat removal system, which pro\pidea primary cool-
8 ant makeup and feedwater to the steam generators of a pressurized
*
water reactor plant. Such a system has potentic1 fn. incorporation
into new plant..

Glossary of Acronyms
1. INTRODUCTION
CONTENTS
Background
Public Risk Rationale for Study
2. PROGRAM AND TASK DESCRIPTIONS
General Program Flow and Scope
Design Study Technical Support Group
Baseline Plant Characterization
Plant Design Options
Damage Control Options
Alternate Plant Configurations
Physical Protection System
Preliminary Reference Designs
Evaluation of Preliminary Reference Designs
Final Reference Designs and the Value-Impact
Assessment
3. BASELINE PUNT DESCRIPTION AND CHARACTERXZATION
Plant Description
Sabotage Fault Tree for Plant Characterization
Vital Safety Functiona and Systems
Baseline Plant Analysis
Vital Area Analysis
4. PLANT DESIGN OPTIONS
Background
Categorization of Design Suggestions
Catalog of Potential Design Options
5. DAMAGE CONTROL OPTIONS
Rationale
Alternative Concept of Damage Control

CONTENTS (Continued)
Traditional Concept of Damage Control
6. ALTERNATE PLANT CONFIGURATIONS
Hardened Enclosures for Makeup Water Tanks
Physical 1 y Separated and Protected Redundant
Trains of Safety Equipnent
Hardened Decay tieat. Removal System
Additional Isolation of Lov-Pressure Systems
7. PHYSICAL PROTECTION SYSTEM
Physical Protection Requirements
Application of Security Requirements to
Baseline Plant
Application of Security Requirements to Deslqn
Alternatives
8. EVALUATION OF PRELIMINARY REFERENCE DESIGNS
Criteria for Evaluation
Procedure for Evaluation
Effectiveness Against an External Threat
Effectiveness Against an Internal Threat
Impacts of the Design Alternatives
Value-Impact Conclusions
9. CONCLUSIONS AND RECOMMENDATIONS
VOLUME I
APPENDIX A--Glossary of Terms
APPENDIX 8--Public Risk Due to Sa tbotage o
APPENDIX C--The Design Study Technical Support Group
Reference6
VOLWE 11
APPENDIX D--Nuclear Power Plant Design Alternatives
for Improved Sabotage Resistance
APPENDIX E--Reactor Plant Safeguards--Potential
Safeguards--Related System and Component Design
Changes and Damage Control Measures
APPENDIX P--Damage Control as a Countermeasure to
Sabotage at Nuclear Power Plants

CONTENTS (Cont inued)
APPENDIX G--Concept Development and Cost Estimates for
Design Alternatives for Improving the Resistance
of Nuclear Power Plants to Sabotage G-1
VOLUME I11
Figure
2-1
3-1
3-2
APPENDIX Il--Sabotage Fault Tree Development for SNUPPS ti-1
APPENDIX I--SAFE Analysis--~aseline/Alternatives 1-1
Program Flow
Baseline Standard Plant
1 LLUSTRATIONS
Top Portion of a Generic Sabotage Fault Tree for
a Pressurized Water Reactor
Simplified Auxiliary Feedwter System Diagram
Damage Control (DC) Analysis Sequence
Individual Reinforced Concrete Enclosure
Reinforced Concrete Building Enclosing Two Tanks
Reinforced Concrete Tank with Metal Liner
Baseline Standard Plant
Modified Plant Layout
Safety Building A: Elevation -- Grade Minus
26 Feet
Safety Building A: Elevation -- Grade
Auxiliary and Access Buildings: Elevation --
Grade Minus 26 Feet
Auxiliary and Access Buildings: Elevation --
Grade Plus 47 Feet
Preliminary Piping Diagram, Hardened DHRS
Hardened Decay Heat Removal Building
Layout of Baseline Plant
Location. of Exterior Locked and Alarmed Doors
Location. of Interior Locked and Alarmed Doors:
Elevation -- Grade Minus 26 Feet
Page

ILLUSTRATIONS (Continued )
Figure
7-4 Locations of Locked and Alarmed Doors:
Elevation -- Grade Minus 16 Feet
Locations of Locked and Alarmed Interlor
Doors: Elevation -- Grade (Exterior Doors
Not Shown)
Locations of Interior Locked and AIarmed Doors:
Elevation -- Grade Plus 15 Feet
Locations of Interior lacked and Alarmed Uoors:
Elevation -- Grade Plus 26 Feet
Locations of Interior Locked and Alarmed Doors:
Elevation -- Grade Plus 47 Feet
Iayout of Alternate Design (Physically Separated
and Protected Redundant Trains of Safety
Equipment)
Locations of Exterior Locked and Alarmed Doors
for Alternate Design
Locations of Interior Locked and Alarmed Mars
for Alternate Design: Elevation -- Grade
Minus 26 Feet
Locations of Interior Locked and Alarmed foors
for Alternate Design: Elevation -- Grade
(Exterior Doors Not Shown)
Locations of Interior Locked and Alarmed Doors
for Alternate Deeiqn: Elevation -- Grade Plus
26 Feet
Locations of Interior Locked and Alarmed Doors
for Alternate Design: Elevation -- Grade Plus
47 Feet
Locations of Interior Locked and Alarmed Doors
for Alternate Design: Elevation -- Grade i'lus
73 Feet
Computerized Layout of Baseline Plant Plus
Hardened Decay Heat Removal System
Relative Locations of Redundant Safety Train
Equipnent for the Baseline Plant
Relative Locations of Auxiliary Feedwater Pump
and Valve Compartments for the Baseline Plant
Relative Locations of Redundant Safety Train
Cquipnent for the Alternate Plant Layout
Locations of Accems to Safety Buildings for the
Alternate Plant Layout
Paqe
7-8

Table -
'2-1
4 -1
4-2
Summdry of I)drI.r

Table
TABLES (Continued)
8-2 Probability of Sequence Interruption for Type I1
Vital Areas
Typical Permanent Staffing for a Ruclear Power
Plant, 1977-1978 Time Frame
Typical Access Requirements
Assumed Baseline Plant Xanning for Normal Power
Operation, 1977-1978 Time Frame
Typical Inspection Schedule for a Baseline Plant
Design Study Technical Support Group Participants
Fase
&
8-6

AFh'S
AFWST
ASHR
ATWS
BIS
BIT
BW R
CCTV
CCW
CFR
CRD
cvcs
Dc
DHRS
WE
DSTSG
ECCS
ESF
ESFAS
ESW
HPCI
HPI
HVAC
LOCA
LPI
LWR
MCC
NRC
NSSS
PCS
PSAR
PWR
RCIC
Glossary of Acronyms
auxiliary feedwater system
auxiliary feedwater storage tank
Assessment of Alternate LWR Shutdown Heat Removal Concepts
anticipated-transient-without-scram
boron injection system
boron injection tank
boiling water reactor
closed circuit television
caponent cooling water
Code of Federal Regulations
control rod drive
chemical and voluine control systems
damage control
decay heat removal system, also referred to as an independent
safe shutdown system (ISSS) or a hardened AEWS
Department of Energy
Design Study Technical Support Group
emergency core cooling system
engineered safety feature
engineered safety features actuation system
emergency service water
high-pressure coolant injection
high-pressure injection
heating, ventilation, and air-conditioning
loss-of-coolant accident
low-pressure injection
light water reactor
motor control center
Nuclear Regulatory Commission
nuclear steam supply system
primary coolant system
Preliminary Safety Analysis Report
pressurized water reactor
reactor core isolation cooling

RCS
RHRS
RPS
RSS
RTS
RWST
SAFE
SIS
SNUPPS
TM I
V A
Glossary of Acronyms (Continued)
reactor coolant system
residual heat removal system
reactor protection system
Reactor Safety Study
reactor trip system
refueling water storage tank
Safeguards Automated Facility Evaluation
safety injection system
Standardized Nuclear Unit Power Plant System
Three Mile Island
vital area

.
NUCLEAR POWER PLANT DESIGN CONCEPTS
FOR SABOTAGE PROTECTION
Volume I
1. INTRODUCTION
,. ,
The objectives of this program are to estimate the potential
value of various configurations of plant design and damage control
measures in providing protection againgt sabotage at commercial light
water reactor (LWR) power plants and to establish the impact of such
measures on facility costs, operations, and safety. The program
emphasizes new designs and future construction: therefore, design
changes that might be retrofitted to existing plants or to plants
under construction are not addressed here. Phase I of this program
was structured to identify a range of measures, document them in a
consistent fashion, provide. a preliminary evaluation, and select the
most promising ones for further consideration in Phase 11. Phase 11
wan thus intended to provide a limited number of detailed designs with
a more complete evaluation of values and impacts. This report details
Phase I of the program, summarizes the conclusions reached to date,
a and makes some recommendations for additional study, including sub-
stantial revision and redirection of Phase 11.
b
Background
This program to investigate design concepts for sabotage protec-
tion evolved fran the reconmendations of earlier studies 1,2,3,4 and
from views expressed by representatives of the Nuclear Regulatory
Canmission (NRC) Office of Nuclear Reactor Regulation, the Advisory
Committee on Reactor ~ afe~uards,~ and the nuclear power industry. 6

: A sahotaqe t-hreat nay arise from a determined violent external
assault, att.ack by stealth, or deceptive actions, of several persons:
or from the activities of an insider who could be an erployec in any
position. On this hasis, the previous studies identifie,! three catr-
gories of measures which provide sahotaqe protection: (1 ) physical
protect ion, ( 2) plant desiqn, and (3) (l;trn,rqe control . C~~rrent Depart-
ment of Enerqy (DOE) and NRC fiafequarrls research eryhasizr.s systcr
development and evaluation of the effectiveness of physical protection
measures or systems. The proqram described in ellis report was
designed to ccmplement the onqoinq DoE/NHc research by investiqating
the t wo remaininq categories of .safequards measnres for I.WR power
plants: plant desiqn and danaqe control. In the context of this pro-
gram, plant design (or plant design measures) is understood to encom-
pass those measures that can be employed in the design and fabrication
of operational systems or in plant layout to increase the difficulty
of sabotage (decrease component or system vulnerability)* or to hetrer
accommodate physical protection or damaqe control measures (decrease
plant vulnerability). Similarly, damaqe control encompasses those
actions which can he taken within a short time after radiological
sabotage to prevent or reduce the release of radioactive materials.
Public Risk Rationale for Study
The question of public risk from a wide range of eneroy-producinq
activities is receiving increasing attention in today's society. It
would perhaps he satisfyinq if all such questions could be addressed
in a single, coherent study so that public decisionmakers could read-
ily and straightforwardly evaluate the relative public rlsk of enerqy
alternatives. However desirable, such a study unfortunately qoes far
beyond the intent and scope of this proqrarr. Therefore, in this ef-
fort, only the public risk from potential malevolent acts aqainst a
single energy producer, i.e., nuclear power plants, is considered.
-t
A glossary of definitions of terms (e.y., vulnerability) used in
this study and report is given in Appendix A.

Furthermore, no judgment is implied as to the relative risk of nuclear
power as ccmpared to other technologies or the relative importance of
sabotage as a contributor to the risk from nuclear power production.
This restricted viewpoint must be kept in mind as the following mate-
rial is reviewed.
The basic objective of nuclear power plant safeguards is to re-
duce to an acceptable level the risk of public exposure to radiologi-
cal hazards caused by malevolent actions directed againat the facil-
ity. The earlier studies indicate that sabotage leading to a release
of radioactive materials is the principal safeguards concern with re-
gard to power reactors (References 2 and 3). The public risk from
such malevolent acts is discussed here in qualitative terms along with
the relationship between the safeguards objective and plant design.
Design objectives which cover the significant parameters affecting
risk are identified.
Factors Defining Public Risk from Malevolent Acts -- In general,
risk can be defined as the expected loss caused by the conduct of an
activity for a given period of time. Therefore, risk can be ex-
pressed as the product of the frequency of events and the magnitude of
the loss per event. For events which are purposely initiated, the
frequency of events depend6 upon the frequency of attempts to produce
some consequence and the conditional probability that an attempt is
successful. In sane instances, there may be a range of possible con-
sequences that can be caused and a number of ways by which the same
level of consequence can be induced. Thus, a consideration of risk
requires evaluation of several interacting parameters. Risk is not
only a function of the ways by which a saboteur might attempt to cause
a release but aLso of the actions which can be taken tu counteract the
attempt. Same mbotage events might be corrected or modified by dam-
age control measures to prevent or significantly limit the conse-
quences, and independent actions of consequence mitigation might be
taken to reduce the public impact of malevolent acts.

I
Public risk clue to sabotage is,' thcrdorc, a function of the
frequency of attempts to produce consequences, the prohabil ity of
successful completion of such attempts, the de?ree of success of dam-
age control or consequence mi t iqat ion ~nessures, anrf the consequences
of a release of radioactive rn.rterials from the site. 'I't~e frequency of
attempt is essentially undefindble, qivcn our present state oE urder-
atandinq of potential adversarie$;. Therefore, reducinq the frequency
of attempts is not a dircct objective of this stucly, even though it is
recognized that an advcrsary'e perceqtion of plant vu1nernbilit.y or
invulrierability may well affect the likelihood of an at-tack. These
concepts are developed more 'fully in Appendix Li. Subsequent comments
, ., . . .. .
ielat'c' plant desiqn to the more quantifiable risk factors.
Plant Characteristics Affect iny Risk -- Nuclear pwer plants con-
tain three significant sources of radioact-ive materials: the reactor
core, the spent fuel storage pol, and the radioactive waste system.
The material in these sources can be a target for sabotaqe or theft
leading to an offsite release. As mentioned earlier, the predominant
safeguards concern for LWRs is sabotage, and the sabotage incidents
with the greatest potential for public harm involve radioactive re-
lease from the fuel due to core meltdown (Reference 3).
LWRs are designed with numerous safety systems and structural
features intended to prevent the accidental release of radioactive
materialr therefore, in order for sabotage to lead to a release, it is
generally necessary for the saboteur to cause an inltlating event
(e.g., a loss-of-coolant accident or transient incident requiring
rhutdown) and also to disable those safety systems designed to respond
to the initiating event. Sabotage leading to offsite release thus
implies the ccmpletion of a sequence* of actions, including entry into
one or more vital areas (Reference 22) and destruction or damaging
manipulation of equipment in the vital areas. Definition of those
I A sequence sa srmply a sct of events and docs not necessarily
imply a particular time order.
1

sequences which could leaii to release of rarlloactive materials re-
quires a systematic and thorough analysis of plant functions, design,
and layout (References 3 and 11). Plant design details can affect the
number of possible sabotage sequences through differences in the ar-
rangement of vital equipment from plant to plant and by the types of
redundant systems provided to respond to initiating events.
Reduction of Public Risk by Plant Design -- Each of the many
sequences which can lead to a release of radroactive materials from a
plant contributes to the total rlsk from potential acts of sabotage.
Therefore, one technique to reduce risk is amply to reduce the number
of sequencee that can lead to a "release by reducing the options avail-
able to an adversary which could cause failure or malfunction of vltal
equipment. For example, changing the design of a component or system
to eliminate an inherent vulnerability would reduce the number of
possible sabotage sequences.
For a saboteur to successfully complete a sequence, every indi-
vidual act in the sequence must be completed. increasing the number
of items in a sequence increases the time required to complete the
sequence, which, in turn, increases the probability of detection and
interruption. This reduces the likelihood of successful completion of
the entire sequence and thereby reduces the risk from that sequence.
Furthermore, relocation to physically separate redundant trains of
vital equipment would increase the number of areas to which an adver-
sary must gain access as well as increasing the time required in order
to disable redundant features, The addition of physical barriers
around vital equipment also increases the number of items in sequencee
involving that equipment, agein making succeas less likely and reduc-
ing risk.
The likelihood of successful completion of a sequence can also be
reduced if the individual events in the sequence are made less likely.
W o methods of accompli8hing this are (1 ) to make the equipment inher-
ently lerr vulnerable (harder) and (2) to make it more difficult to
gain access to the equipment (vital area protection and hardening).

Somewhat contrary to the physical separation suggested above, a reduc-
tion in the number of different areas from which an event can be ini-
tiated, perhaps by colocation of equipment, would make it possible to
concentrate physical protection measures in fewer areas and thus in-
crease the difficulty of gaining access to the equipment. Decreasing
the number of areas in which sabotage could be initiated could also
reduce the impact of physical protection on plant operations and
costs.
If a sequence is successfully completed, it might still be possi-
ble to obviate or reduce the amount of radioactive materials eventual-
ly released by restoring some of the disabled system functions. This
Is particularly true for long-term transients (References 1, 2, and
3), which can take from a few hours to a day to progress from initiat-
ing events to release of radioactive materials. Thus, another way to
reduce risk is to provide for damage control measures in response to
emergency conditions.
Once a release of radioactive materials occurs or becomes inevi-
table, consequence mitigation measures provide the only safeguard
against public harm, i.e., the only means to reduce public risk.
Although it is not clear, a priori, that there are design measures
which could enhance or enable consequence mitigation even for a
limited set of sequences, some possibilities were considered in this
study.
Design Objectives for Risk Reduction -- Design objectives were
formulated based upon the preceding consrderations and the detailed
discussion in Appendix B. The plant design alternatives described in
this study are intended to achieve one or more of these design objec-
tives. A list of the broad design objectives follows. Each objective
is followed by more specific goals which are described in terms of
changes in particular plant features:
1. Decrease the number of sequences which could cause release.

a. E1iminat.e inherent vulnerabilities (fundamental failure
mechanisms) of systems or components.
b. Reduce the number of paths by which a saboteur -ould gain
accetxs to vital area..
Increase the number of individual actions required to com-
plete a sabotage sequence.
a. Physically separate redundant vital equipment so that
more areas must be reached in order for the equipment
function to be eliminated.
b. Increase the number of redundant functions which must be
disabled in order for a.lelease of radioactive materials
to occur.
Reduce the probability of success in sabotage sequences.
a. Decrease the vulnerability of vital equipment to acts of
sabotage.
b. Increase the difficulty of gaining access to vital areas.
Reduce the consequences of completed sabotage sequences.
a. Provide the means for effective damage control of dis-
abled equipment or functions.
b. Provide the means by which the licensee can take action
to mitigate the consequences of sabotage.

I
General Program Flow and Scope
2. PROGRAM AND TASK DESCRIPTIONS
The flow of the technical tasks established for this program is
illustrated in Figure 2-1. Although the feedback of information
becwgen tasks is not explicitly shown, interaction between the tasks
occurred.
OPTIONS
+ r TASK , 1 I TASK 5
DWGL PnvSlcA~
CONTROL PIMICCI ION
OPl lOkS 111TC*5
I,, '
1 lA5K i I ~A\K 4 I lASK 6 1
MSILINf
PLUI
CWLUCICIIIUTION
ALICRWTC
PLANT
CONIIGURATIONS
PRCLIMIMRI
RLICRCNCf
Dt SIGNS
Figure 2-1. Program Flow
The initial step was to characterize a baseline plant which was
reprerentative of current LWR standardized design practice. Given
thin baseline, practical design alternatives with the potential for
$ncreasing plant protection against sabotage were then identified.
Concurrently, sabotage events which may be amenable to damage control
were identified. The design options and damage control options were
canbind to provide plant configurations that supplied alternatives to
the bareline. A physical protection system consistent with current
I
I

egulations was integrated with these alternatives to generate a set
of preliminary reference designs, For each of these designs, a llm-
ited analysis of safeguards effectiveness and impacts was performed.
This portion of the program constitutes Phase I as defined in the
program plan. 12
I:
Phase I1 of the program was structured to select a few designs
for more complete definition and analysis based on the results from
Phase I. Current recommendations for Phase I1 as a result of Phase I
are discussed later.
Design Study Technical Support Group
Because the program objective called for a wide-ranging examina-
tion of plant design practices and operating philosophy, it was de-
cided that including a cross section of industrial expertise in the
program would be prudent. Therefore, a Design Study Technical Support
Group (DSTSG) was established to assist in the development and evalua-
tion of design concepts for sabotage protection. The DSTSG included
representatives from the reactor vendors, operating utilities, and
architect-engineer firms.
The DSTSG had two basic, interrelated functions. First, the
DSTSG attended several meetings at which the members reviewed and com-
mented collectively on a series of design concepts developed by Sandia
and its subcontractors. Second, individual members of the DSTSG in-
vestigated or evaluated specific concepts or questions and reported
their result6 to Sandia, generally in letter format. In fulfilling
their respon6ibilities, the DSTSG members did not act independently
but am an integral part of the overall program. Therefore, the
results of their involvement are reflected throughout the study and
report, and a meparate record on DSTSG inputs was not prepared. Fur-
thermore, the DSTSG was neither structured nor intended to provide a
conmensum viewpoint. Therefore, this report should not be interpreted
a@ an unqualified endorsement of the concepts discussed by the DSTSG
or its individual members. Additional details on the DSTSG are in-
cluded in Appendix C.

Baseline Plant Characterizatlon
The first task characterized a basellne plant which typlfles
current LWR standardized deslgn practice. For this study, the Stan-
dardized Nuclear Unit Power Plant System (SNUPPS) was selected as the
baseline plant. The characterrzation serves as a starting point for
the evaluation of safeguards measures and includes
1 Vital systems descriptions that provide function and compo-
nent details,
2. Sabotage fault trees (plant specifrc but derived from generic
fault trees) which define the events which must occur for
radiological sabotage to be successful, and
3. Vital area analysis which deflnes the physical locations in
the baseline plant which must be reached to accomplish sabo-
tage leading to a release of radioactive materials.
The charactriication procedure is described more fully in Section 3
and Appendix H.
Plant Design Options
This task identified possible plant design alternatives intended
to meet the design objectives outlined in Section 1. The design mea-
sures that have been suggested by industry personnel, the NRG staff,
and earlier Sandia studies have been categorized into four broad
groups :
1. Hardening critical systems or locations,
2. Plant layout modifications,
3. System design changes, and
4. Addition of systems.
These four categories include measures ranging from those which
require little or no change in plant layout through those which might
require the addition of complete new operational systems. Table 2-1
rummarizes the four categories, briefly describes the nature of the
changes included in each category, and then provides some examples of
deaign changes that were suggested. The recommendations of Table 2-1

are only indicative of the types of alternatives that were examined.
Further detail on the design options is provided in Section 4 and
Appendices D and E.
Category .-
Hardening critical
systems or locntions
Plant layout aodi-
f ications
System design changes
Addition of systems
Table 2-1
Plant Design Alternatives 2.4
Description
Little or no change
in either plant lay-
out or operational
systems
Major changes in
plant layout but only
minor changes in
operational systems
Major changes in
operational systems
Major additions of
operational systems
Typical Candidate
Measures
Harden the spent fuel
pool
Eliminate obvious
means of sabotaging
vital equipment
Harden compartments
containing vital
equipment
Physically separate
redundant vital
systems
Relocate vital equipment
into more protectableconfigurations
or locations
Assure the indepen-
dence of each train
of emergency power
Provide design fea-
tures to accommodate
damage control
measures
Coneider containment
designs which could
mitigate the conse-
quences of core
me1 tdown
Add a hardened decay
heat removal system

*
Damage Control Options -
In this task, the feasibility of specific damaqe control mc.asures
was examined, and those with the potential for significant rmntribu-
tions to overall safeguards system effectiveness were identified.
The approach to damaqe control which appears t.o have the must.
promise is the alternative use of already installed plant equipment..
In this approach, the functions which must he preserved were defined,
and the normal or usual systems involved were identified. Then, typi-
eal. plant abnormal operating procedures were examined to identi fy sl-
ready accepted, alternative uses for installed equipment. Rased upon
, ., ,
this information, some damage control options were identified which
rely upon installed systems, or such systems with relatively minor
modifications, and upon actions which can be accomplished in the con-
trol room.
Originally, this task was structured in two steps. The first
step waa identification of those sabotage sequences in which the indl-
vidual acts could be nullified or the consequences significantly miti-
gated by damage control. In the second step, the implementation re-
quirements were defined. This included estimation of the manpower
required, any special training necessary for each activity, and the
asaociated costs. In addition, special tools, equipment, and plant
modifications to accommodate damage control were identified. When the
early results from this two-step approach were reviewed with the
DSTSG, a number of concerns and reservations surfaced. These included
concern. that postulated staff response times were too short, equip-
ment availability was overestimated, and training and manning problems
were more difficult than projected. More important perhaps were the
concern. about the effect of sabotage on plant conditions, such as the
presence of radiation or heat or the absence of lighting, and concerns
about active adversary interference with damage control activities by
the denial of accesa to vital areas. As a result of these concerns,
the approach to damage control described above was used. The details
of the damage control study'are presented in Section 5 and Appendix F.

Alternate Plant Configurations
This task integrated the results from the first three tasks
described above. The promising plant design options had a definite
effect upon the layout and structural characteristics of the plant and
upon the location of vital equipment. In fact, one combination of
several options led to a new plant layout. These chanqes have been
documented, and the conceptual designs and associated rationale are
discussed in Section 6 and Appendix G.
Physical Protection System
The alternate plant confiqurations have somewhat different physi-
cal protection requirements because of increases or decreases in the
number of vital areas and access doors. In this task, the physical
protection requirements were defined for each configuration, and a
physical protection system consistent with current NRC regulations was
postulated. For some configurations, it was appropriate to modify the
physical protection without sacrificing the effectiveness of the total
system. For such cases, alternative physical protection systems re-
flecting such modifications were considered.
Throughout this effort, liaison was maintained with the ongoing
DOE safeguards program to ensure that the most current physical pro-
tection technologies were used. This liaison also provided some feed-
back to the DOE program concerning any physical protection technology
needs for LWRs identified in these analyses.
Details of the physical protection systems are presented in
Section 7.
preliminary Reference Designs
In this task, the plant configurations that evolved from the de-
sign and damage control tasks were combined with appropriate physical
protection systems to create several reference designs for a prelimi-
nary value-impact caparison. These designs, although perhaps labeled
conceptual, contain sufficient detail to allow evaluation of costs and
overall safeguards effectiveness.

Evaluation of Preliminary Reference Designs
In this task, which culminates IJhase 1, a limitell evaluatiorl of
the several prel iminary reference designs was per fornwl . The inct hod-
ology from the NRC safeguards research program, as well as inore sub-
jective criteria, were used to estimate the effectiveness of the total
safeguards system for each reference desiqn. The operjlt iorial irnpa(:t s
of each alternative were estimated in conjunct ion with indust ry ex-
perts (see DSTSG discussions in this section and Appendix C). " lll;+nt
costs were bounded with the aid of consultants. A value-impact ns-
sessment of these preliminary designs was prepared. This evalu~tiorl
is described in Section 8 and Appendix I.
Final Reference Designs and the Value-Impact Assessment
In the program plan (Reference 12), it was stated that severdl
reference designs would be selected for further analysis in oralcr to
include more detailed design data and a more comprehensive value-
impact canparison. For those designs which entailed extensive plant
modification or layout revisions, detailed architect-enyineerinq
studies were to be undertaken, but only one or two such studies were
anticipated. The architect-engineer was to develop the systems layout
and piping and cabling details to a level sufficient to allow meaning-
ful estimates of incremental costs relative to the baseline costs and
to allow identification of the operational impacts of the reference
designa. Selected consultants were to assist Sandia and the
architect-engineer. Any other engineering studies necessary to com-
plete the reference designs were included in this task. The res:lts
of Phase I indicate that a revision to the original program is appro-
priate. A recommended course of action is described in Section 9.

3. BASELINE PLANT DESCRIPTION AND CIiARACTERIZATION
The principal purpose of thls study was to examine the effect
that changes to current plant design practice would have on the secu-
rity of nuclear power plants. Therefore, a critical element in the
study was the selection of a baseline design that adequately repre-
sents current practice. After reviewinq the plants now under con-
struction, the SNUPPS was selected as the reference deslqn for the
baseline plant. This selection was predicated upon several factors.
First, five identical units were scheduled for construction, with two
units started. 14'15'16 Second, the units were using a nuclear steam
supply system (NSSS) which was well-documented. l 7 Third, innovative
modeling techniques were being employed in the design process, which
would provide layout data usually not available for plants still under
construction. Fourth, the management scheme for the SNUPPS construc-
tion18'19 provided a unique, single source of technical data should
information beyond that of the Safety Analysis Reports be required.
Other facilities under construction offered somewhat similar charac-
teristics, but it was believed that the SNUPPS plant adequately char-
acterized current design practice, for pressurized water reactors
(PWRs) at least. It was also believed, at the initiation of the
study, that insights gained could be applied generally to LWRs. It
should be noted that SNUPPS was used only to define aystem design,
plant arrangement, and equipment locations for the baseline plant.
The physical protection system characteristics (Section 7) were devel-
oped by the authors based upon their understanding of NRC requirements
and do not necessarily represent the approach to be taken in the
SNUPPS plants.

:iabotaye . Vault '~'rcc for Plant Charact~:rlz~~tir,n - .-.
Once the baseline [~lant wds ilcfir~el~~l
salx~t,~~je. Such an;iLysis 1s taci llt~ted by unin~j the qcnerlc
trccs previously developed at 5andi 3 (Hcfcrcncc 11) for PWRs.
,iy s t c::,1-
!ty tl,
tault
A fault trec is simply a loqic rii.lqrdm u:;e#l to qraphically rcpre-
scnt those combinations of subsystem and component faults that can
result in a spccif icd, undc:;irvd cvcnt. The undf:siried event of inter-
est hcrc is thc rcleasc of s i ~jnit icant qu.-irit.itics of radiodctivc inate-
rial from a nuclear power plant. In the analysis, this unti~:sir~%l
cvcnt is succcssivcly .icvclopcd into combinations oE ci,ntrlt)utin~~'
events until primary cvcnts (t.hat is, sntmtnqc acts such (IS dlsablinl]
a pump, scvcrlnq a pipe, ctc.,) terminate each branch of the trcc.
Filjuro 3-2 shows thc top portion of a qcncric fault trec for a powcr
reactor. Each qatc in thc trcc represents thc lo~jical operation (AND
or OH) by which the inputs combine to produce an output. Each branch
of the tree is dcvelopcd by idcntifying tho immediate, necessary, and
sufficient conditions leadinij to each cvcnt.

0
-
a
A
M- 3
a
I
a 0
0
M-2 *
a CONTAlNMf Nl ULih.
@ TUHCIIIL IILDG.
a MAIN 3TEAY:I CIi)MATlH
PLNETRATlOll ARLA
@ AUXILIARY RLDG.
@ CONTROL ULDG.
@ DIESEL GENCRATW BLDG.
a FUEL HANDLING ULDO.
@ IIOT MACHIIIL S110I1
@ RADWASTE BLDG.
@ SOLID RADWASTE STORAGE
M-1 : CONDCIISATE STORAGE TAXK
M-2: REACTOR MAKEUP n20 STC. TANK
M-3: REFUELIIIL ti20 STG. TANK
Figure 3-1. Baseline Standard Plant

Prom a fault tree, an equlvdlent iioolean logic equatlorl
deve 1 oped. 20'21 Each qate or event is given n label, and in
Boolean equation for the fault tree, these labels (or llterd 1s) are
joined together by the loqical operators V (OR) and A (AND),
cated by the qates. The Roolean equatlon for the top event
tree in Piqure 3-2 is
RMR-I'WR = RRCC V HSNFC V RFKADWSC
I-il fl bt?
the
as indl-
ir~ the
The logical equivalent for each of the events on the right side of the
equa,t.ion is aubstiruterl into the equation to develop the complete
equation for the tree. The successive substitution of evehts lower in
the tree fur ones higher in the tree ia continued until the top event
is represented solely in terms of primary events. Each combination of
primary events sufficient to cause radioactive release from the plant
appears as a term in the logic equation for the tree: therefore, each
term represents a sequence of events* which must be prevented. The
fault tree provides a means of cataloginq the large number of possible
combinations in a structured manner. The baseline plant fault trees
are included in Appendix H **
Vital Safety Functions and Systems
When a nuclear power plant is characterized with a sabotage fault
tree analysis and the sources of radioactive material have been iden-
tified, the nexr step is to define the functions which must be pre-
served in order to prevent a release. There are five functions which
must be performed by the safety system; these arc as follows:
1. Control reactivity,
2. Provide decay heat removal,
- A aequence is simply a set of events and does not neceesarily
imply a particular time order.
+. Appendices ti and I, which are classified, appear in Volume 111 of
thim report.

! 3. Maintain reactor coolant system invrntory,
4. Maintain primary containment inteqrity, and
5. Control radioactive effluents.
All LWR plants are equipped with a number of systems to accom-
plish thcse functions, includinq the
Reactor trip system (PTS),
Safety injection system (SIS),
Roron injection system (BIS),
Auxiliary feedwater system (AFWS),
Residual heat removal system (PIIPS),
Reactor coolant system (PCS) st.ructura1 components and RCS
pressure and inventory control systems,
Containment enerqy removal systems,
Containment isolation systems,
Containment hydrogen control system,
Effluent pathway monitoring and interruption systems, and
Containment poet-accident atmosphere cleanup system.
Of course, all of these systems require that certain auxiliary systems
be available in order to function properly. These auxiliary systems
include the
1. Onsite electrical systems,
2. Process cooling systems (component coolins, service water),
and
3. Ventilation systems
I Experience gained in earlier studies involvinq sahotiuje fault
tree analyses suggests that a number of thcse systems are particularly
important in sabotaqc protection. Therefore, a relatively dctailcd
description of the followinq systems has proven especially useful in
the fault tree davelopment. The systems are the
1, Auxiliary feedwater system,
2. Residual heat removal system,
3. Onsite electric, power system, and

4. Reactor protrrt ion syster (PI'S). incl~~dinq the cnol neer'.~!
safety features actuation system (FSFAS).
For evaluat inq resist.ance to satmt;loc4, rhr primary ccml~nt systtZn
(PCS) and its pressure houndary are also t reatc4 as a "system" her-ilt:sr
of the importance of milintaininqsystem inteari?~. F:ach of these
systems is described hriefly hr3re and in more detai 1 in Apprni+ix 1'.
The Auxiliary Fee,lwater System (AFWS) -- This system is use(! to
maintain the water levrl in the seroncinry side of the steam oenerntcrs
when the main feedwater system is not in qwrat ion an11 reat-tor coolant
temperature is crreater than 177'C (350'F). The major components of
the AFWS ore three nuxi 1 iary fredwater pumps, the ronatcnsate storaoc
tank or the essential servire water system, and the power-operated
relief valves on t.he main steam 1 ines
The performance ohject ives for the AFWS are to (1) provide an
adequate supply of feedwater to the steam qeneratoro when the main
feedwater system in inoperable, durinq normal startup, and during
normal or c.mt.rclc.ncv cooldown: (2) reduce the reactor coolant system
temperature and preusure durinq cooldown to the point at which the
residual heat removal syst.ein can be placed into operation for decay
heat removal: (3) provide adequate feedwater flow under the hiqhest
head requirements when the safety relief valves are discharqinq to the
ntmosphere: and (4) provide uuitnhle redundancy in the AFWS to ass'irc
that the aforementioned objectives can he achieved using the onsite
electrical power system, assuming offsite power is not available and
assuming a sinqle active-component failure.
The AFWS has three pumps, two electric-motor driven and one
steam-turbine driven, which are connected throuqh appropriate iaola-
tion to the main feedwater lines. The pumps are multistage, hori-
zontal, centrifuqal units, while the steam turbine is a horizontal,
mingle-stage, noncondensing unit. The steam turbine uses an electric
aped changer, an overspeed trip mechanism, and a trip and throttle
valve. Each motor-driven pump can supply two steam generators at
3
0.032 m /a (500 gpm) and 11.7 MPo (1,700 psig), while the steam

turbine pump can supply *I 1 four s +ea~
rIrr;cra*nrs a? n.06 l I" S
(1,000 qpm) and 11.7 MPa (1,700 pslo). The AkWS may he ront rol lrci
automatirally or rmnually from the cont rnl rnnr cr manual ly fror the
auxiliary control panel.
The auxi lisry services required by the AFWS are clrrtriral p(-wer
(Class IF), firean (from the main stearl I ~rlt.), and water (fror t.orldensate
atoraqe or esoent ial sert*ire water syst elr) .
A simplified diagram of the AFWS is shown in F'ioure 3-3.
,,.~, . . .,,, h .,
The Residual Heat Removal System -- (PI!PS) -- This synten is usd to
perform three functionst (1) attaln and ma~nta~n colt? shutdown: (7)
provide pumpinq power to nove horated water t~etwcen the rrfuellno
water storage tank and containment during refurlinq operations: and
(3) provide pumpinq an(? roolinq capability as part of the emrrqency
core cooling system (ECCS). The RHRS has two parallel coolina loops,
each containinq a heat exchanger, an electric-notor-firivcn pump, and
the associated valvinq and instrumentation.
As indicated, the system is desiqned to perform hoth normal and
safety functions. However, the valves associated with the RJIRS nor-
mally are aliqned to allow immediate use of the system in the safety
mode, which is the mode of interest for this study. The system is
designed with sufficient redundanry that the coolinq function can be
satisfied even assuming a single active component failure coupled with
a loss of offsite electric power.
When operating as part of the FCCS, the RIIRS operates in one of
two modes to supply coolant to the primary system. These modes are
injection and recirculation. In the injection mode, the RHRS draws
coolant from the refueling water storage tank and delivers it to the
primary coolant system when system pressure is below cutoff head for
the RHR pumps. In the injection mode,the usual path is injection
into the cold legs; however, injection into the hot legs is poasihle
by changing valve alignments. Following the injection mode of
3

loss-of-coolant accident (LoCA) ritinirtion, it 1s r:r~-rssary '- i-m.1
and recirculate the rnolant thrnuah the reactor to re-I-ovfA ~!et-%y I~P.I+.
The source of coolant in the recirculat ior: nm?r is the cnntairrrnt
sump. The use of the charqinq andfox safety irlj~c.: ~ r'n ps'pr: ,?or:r::
this mode depends upon thr pressure in the prirary syster.
Each train of the P HRS has a slnale-staor, vert lcal, ,-f*rxt rl f::qal
pump with an inteqral motor-pump shaft. The ~nteoral UCI? Iras a se: f-
contained, mechanical seal which is coolf?? by corponcnt cool inl wilt er.
The RITRS heat exchanaers are convent.ional she1 l an~l t~rhe, w ith the
primary coolant flowing on the tuhe side and conponf.nt coollna water
flowinq on the shell side. The associated pipina is ecluipprtl with
approprinte isolation and control valves to prevrnt nverp.rrss~1r17.nt ion
from the primary coolant.
The RllRS requires electrical power from the appropridtr Class IF
bun and component cnolinq water
Onsite Electric Power System -- This system ronsists of three
subsystems with provision for appropriate interconnections or isola-
tion to adapt to plant conditions. The three subsystems are as
follows r
1. Class 1E alternating current (ac) power system, which pro-
vides ac power for safety-related loads. It contains paral-
lel redundant branches to ensure safe operation if either
fails. Each branch can draw power from offsite through sepa-
rate transformers or from its own onsite emerqency qenerator.
The four, 120-volt ac vital buses can also draw power from
the Class lE, direct currant (dc), power system batteries
through inverters.
2. Clams 1E dc power system, which provides dc power for safety-
related loads. This system has four parallel hut nonredun-
dant branches, each of which draws power from its own hattery
or from the Class 1E ac power system through a battery
charger.
3. Non-Class 1E power system, which supplies power to non-
safety-related loads. This system has two branches and can
obtain power from the station generator (unit power) or from
offsite.

The Class 1E systems are designed to provide safety-related power
when unit power fails or when both unit power and offsite power fail.
Power from either of the two available offsite sources is called
"preferred" power. If preferred power fails, loads are autcmatically
dropped fron the 4,160-volt ac buses, the onsite emergency diesel
gcnerators are autcmatically started, and safety-related loads are
then automatically sequenced back onto the 4,160-volt ac buses.
Power for the Class 1E dc power system :iornally is obtained from
the Class 1E ac power system through rectifiers. If the Class 1E ac
system is interrupted (e.9.. during diesel startup following
preferred-power failure), the Class 1E dc system has power available
fra its batteries. Part of the available dc battery power rs used
directly to power panel indicators, control room emergency lighting,
control devices, instrumentation, and reactor trip switchgear. Part
of the battery power is directed to inverters to power the four,
120-volt ac vital buses for control power for Class 1E ac switchgear
and circuit breaker operation.
The Reactor Protection System (RPS) -- This system contains the
instrumentation and controls necessary to detect and respond to tran-
sients and accident conditions which could compromise the safety and
integrity of the reactor core. Signals generated by the RPS activate
equipment which prevents or mitigates damage to the core, heat trans-
fer systems, and reactor containment.
The RPS is composed of two interrelated systems, the RTS and the
ESFAS, the ccmbined response of which constitutes the RPS response to
accidents or transients. This collective action of the RTS and ESFAS
provides signals that activate equipment to
1. Shut down the reactor through control of core reactivity by
releasing the control rods to fall into the core and, if
necessary, by rapidly increasing the boron concentration of
the reactor coolant and
2. Provide core cooling by activating systems which re~nove
residual heat fra the core during and after shdtdown and

mitigate or prevent damage to the core and associated systems
after an accident.
The RPS is capable of shutting down the core fission process and main-
taining the reactor in a stable nonreactive state for an indefinite
period of time.
The RTS and ESFAS are systems which act in concert. The two
systems are designed to respond to different levels of transient or
accident conditions. The hPS requires ac and dc electric power from
the 125-volt dc/l20-volt ac Class 1E supply. Other auxiliary support
systems are not required, although some of the electronics may have
temperature limitations which rzquire that air conditioning be avail-
able after some period of time.
The Primary Coolant System (PCS) -- Although not a system in the
usual sense, the PCS and its pressure boundary play such a significant
role in providing a path for heat removal from the reactor core and
preventing the release of radioactive material that it warrants spe-
cial consideration. The PCS boundary may be defined in terms of the
reactor vessel and primary loop piping and those pipes, fittings, and
valves which connect directly to the PCS and which provide access to
the PCS for normal and emergency cooling functions.
The portions of the PCS boundary of primary concern here are
those major connections the failure of which could impair or prevent
core cooling. Many of these major boundary elements are associated
with piping which penetrates the m!?tainment walls and connects to
equipment located elsewhere. The major elements of the PCS boundary
thua include the
1. Reactor vessel, including the control rod drive mechanism
housing,
2. Reactor coolant side of the steam generators (primary),
3. Reactor coolant pumps,
4. Pressurizer and associated safety and relief valves,
5. Interconnecting piping for the above listed ccmponents, and

6. Auxiliary and support systens including the
a. Accumulators,
b. Chemical and volume control system,
c. Charging system,
d. Safety injection system (SIS), and
e. Residual heat removal system.
All of the systens listed under 6, with the exception of the accumula-
tors, penetrate containment.
In addition to the normal functions such as maintaining coolant
inventory and chemistry and removal of shutdown decay heat, the PCS
and associated companents must be available for emergency .tervice.
This service includes
1. Emerqency boron injection to ensure core shutdown,
2. Emeryency coolant injection in the event of a LOCA (involves
charging. SIS, and RHRS),
3. Emergency coolant recirculation, and
4. Emergency control of PCS pressure.
Therefore, it is appropriate to consider the PCS boundary as a system
when subsequent analyses are undertaken.
Baseline Plant Analysis
Using the generic fault trees and the system descriptions, a
sabotage fault tree was developed for the baseline plant (see Appen-
dix H). The fault tree was then analyzed using the procedures de-
scribed on pages 3-2 and 3-5. Assuming a loss of offsite power, a
basic assumption in these sabotage studies because of the relative
vulnerability of exposed power lines, the equation for rn'eaze of
radioactive material from the baseline plant containr 2',@4: terms.
Eleven terms ir,r>'.ve one event. 68 involve two events, 10,210 involve
three evente, 11,705 tnvolve four events, 2,436 involve five events,
365 involve six events, and 30 involve seven events.

Vital - Area Analysis
The primary events in the fault tree are sabotage actions which,
in proper combinations as specified by the logic of the tree, can lead
to release of radioactive material from the plant. It is important to
know the specific plant locations to which the adversary must go to
accomplish these acts in order to ensure that the total design in-
cludes adequate protective nechanisms for the buildings, rooms, and
compartments within which the sabotage actions can be accomplished.
For some combinations of sabotage actions,the time sequence of occur-
rence,(gr the order in which areas must be entered) is important.
Such time dependence is not considered in the definition of vital
areasoand is not presently address'ed in the fault trees. However, the
conservative assumption is made that the saboteur will perform the
sabotage actions in the sequence which could cause a significant
release.
In a vital area analysis, each primary event in the system fault
tree is replaced by the location or logical combination of locations
at which the action can be accomplished. The output of the vital area
analysis is a logic equation which identifies the combinations of
areas to which an adversary must gain access in order to cause a re-
lease of radioactive material from the plant. The equation lists the
single areas from which a set of events sufficient to cause release
can be accomplished, followed by the combinations of two areas, three
areas, and so on. From this equation, the vital areas for the plant
can be identified.
The location equation for the baseline plant has 56 terms. Five
terns contain a single location, 30 terms contain two locations, 18
terms contain three locations, and 3 terms contain four locations.
The equation indicates that the baseline plant potentially has 5
Type I \vital areas22 and 51 Type I1 vital areas. The potential Type I
aream are the
1. Reactor containment,
2. Main control room,

3. Auxil iary shutdown panel,
4. Spent fuel pool operating area, and
5. Spent fuel shipping cask area.
These are only potential Type I areas for several reasons. For the
spent fuel related areas, there may or may not be radioactive material
available for release, depending upon the len~t!~ of tine during which
the spent fuel has been cooled and the operating state of the plant.
The auxiliary shutdown panel may or may not be a Type I vital area,
depending upon the particular controls available. Certainly, ~f the
plant is already shut down, it is unlikely that the auxiliary shi tdown
, .
panel will be a Type I area. Additional discussion of such considerations
is presented in Appendix I.*
The location equation can be processed further to identify a
minimum set of locations, the protection of which will interrupt all
possible sequences leading' to radioactive release. This is done by
taking the Boolean complement (logical NOT) of the lccatlor? equatron.
A Boolean equation for an event represents the n ys in which the event
can occur in terms of the occurrence of the literals in the equation.
The complement of the equation represents the ways to preclude the
event in terms of nonoccurrence of the literals. For the locations,
nonoccurrence implies that access has been denied. If access is
denied to all the locations in one term of the complement equation,
then none of the event combinations leading to release can be accom-
plished. The terms in the complement equation can be ordered accord-
ing to the number of locations in each term or to any quantitative
measures (such as cost of protection or impact on normal operatrons)
which can be associated with each location. Such information can be
used to compare alternative designs.
*Appendices H and I, which are classified, appear in Volume I11 of
this report.

When the complement of the location equation is established for
the SNUPPS plant, the equation contains 2,304 terms. The smallest
term contains 17 locations, the largest 24 locations. As indicated
above, these results imply that, if adversary access were denied to 17
discrete locations within the plant, the top event (release of radio-
active material) of the original sabotage fault tree would be pre-
vented. If revised plant design decreases the number of locations to
which access must be denied,' that is, makes physical protection easi-
er, that result would provide some measure of the value of the design
change. However, this decrease must be weighed against the competing
criterion of making an adversaryls.task more difficu1t.b~ requiring
that more areas be visited to cause a release. Further discussion of
such comparisons is contained in Section 8 and Appendix I.

Background
4. PUNT DESIGN OPTIONS
.
As indicated in the introductory section of this report, interest
in the possible enhancement of safeguards effectiveness by revisions
- totplant design dates fran the earliest considerations of sabotage
(Reference 1). Furthermore, this interest has been rather broadly
spread throughout the industry and regulatory agencies (References 2,
4, 5, and 6). Because of this continued interest, numerous suggestions
have been made foz design changes. Unfortunately, many of these
suggestions, though often repeated, remained just suggestions. That
is, they were never subjected tc a systematic and thorough evaluation.
In fact, these suggestions had never been collected into a single
cohesive set. Therefore, when this study was undertaken, two interim
goals immediately became obvious: (1) categorize the suggestions into
definable groups and (2) document the suggestions in a single format
so that canparison and evaluation would be facilitated. In this sec-
tion, the categorization of design alternatives will be discussed in
some detail, with the emphasis, as indicated earlier, on new designs/
new construction and not on retrofitable concepts. The categorization
will be followed by a "catalog" of suggestions which includes some
b . discussion of relative merits (in essence a very subjective evalua-
. . analysis.
tion) and a selection of options for additional definition and
Categorization of Design Suggestions
After some consideration, the des .
~iqn
opt .ions and measures that
have previously been recommended by industry representatives, the NRC
staff, and Sandia studies were categorized into four broad groups:

. ,
3 ..:
1. Hardening critical systems or locations,
2. Plant layout modifications,
3. System design changes, and
4. Addition of systems.
These four categories include measures which range from those
which require little or no chance in plant layout through those which
might require the addition of complete new operational systems. Ta-
ble 2-1 (see page 2-4) summarizes the four categories, briefly de-
scribes the nature of each category, and then provides some examples
of design changes that were suggested. Each of these categories is
. .
discussed in more detail below.
Hardening Critical Systems or Locations -- Safeguards measures
previously suggested, such as hardening the spent fuel pool or the
compartments which contain vltal equipment, might be approached in
several ways. One possible option would be simply to increase the
inherent strength of the structures by making them even more massive.
Another approach would be to reduce the number of access points on the
presumption that doors or hatches are potential "weak links" in a
barrier. In some instances, spent fuel pools at grotind level but
above grade might be hardened by the addition of . l ?rm or dam to make
rapid draining and the uncovering of fuel more di' ..ult.
Design chanqes which eliminate obvious sabotage modes for vital
equip&nt could be accomplished in several ways. For some components,
functional redesign could be employed to eliminate the vulnerable
features: in other instances,,simple repackaging or add-on protection.
could be used to make it more difficult for a saboteur to exploit the
known failure mechanisms. Although there is general agreement that'it
is impo~sible to make components completely sabotage proof, it may be
possible to eliminate or at least mask the more obvious vulnerabili-
tien, thus increasing the knowledge or resources required for success-
-.:!
, . ful sabotage.
, ,

Plant Layout Modification -- Physical separation of redundant
vital systems implies sufficient isolation to eliminate connnon induced
failures. Such separation could include component relocation, cable
and piping rerouting, and the addition of barriers to increase com-
partmentalization. In contrast to separacior., relocation of vital
equipment into more protectable configurations could include colocat-
ing components with similar vulnerabilities into hardened compartments
(e.g., a motor control center) or locating the spent fuel pool below
grade. iolocation requires careful analysis, however, ts balance
. . . . , , . , , . . . . - . . . .
vulnerability should the hardened compartment be breached;
. .... .. . '.... , . . , , , .~, .
increased protectability of compact locations against the increased
. . ,. . . ,
System Design Changes -- Independence of the ac and dc electric
power trains requires that each train be self-sufficient. For this
goal to be achieved, each train must have its own buses, cables,
switchgear, batteries, battery chargers, and diesel generators. fir-
thermore, the trains could be housed in separate buildings between
which there is no direct access. The analysis examines the increased
construction costs associated with such canplete separation and the
costs due to associated effects on operations. Complete separation
also implies that cooling water, fuel, and ventilation for the diesels
must be separated and protected in some manner. The assumption that
such separation enhances safety is examined.
An examination of damage control options may also suggest system
design modifications which could enhance the likelihood of successful
dnmage control. Such design changes might inilude the addition of
blind flanges in certain cooling systems, which could be opened to
connect alternate water supplies or bypass disabled components. The
changes might also include the provision of standby pumps and trans-
formers. Previous alternative containment design studies23 were
reviewed to examine the potential effectiveness of such alternatives
againmt aabotaqe incidents and aqainst the cost associated with the
changes.

I
Addition of Systems -- The final category of design measures
involves the addition to the plant of a system or systems intended
specifically for protection against sabotage and the effects of sabotage.
One proposal is the addition of an independent, hardened, decay
heat removal system (DHRS) capable of providing heat rejection from an
intact primary system via the steam generators for some extended period
of time in the event of the loss of all other normal and emergency
systems outside containment. As proposed, all equipment, the power
supply, the water supply, and instrumentation and control for such a
system would be located in a hardened structure for which stringent
. ...,. .,, ~..:> .
,
physical protection measures wou1a"be enforced.
. ,. . , . . , . , . , ,
~ataloq of Potential Design options''
An important part of this task was establishing a format for
documenting the many suggestions in such a way that the e:3sence of the
ideas would be presented without an overabundance of infor,iation.
After some deliberation, the following format was adopted fcr docu-
menting the options:
Title -- A brief, descriptive statement.
Concept -- A short, narrative description of what is involved in
the particular option.
Sources -- A description of the sources of the suggestion
(literature references are also provided).
Advantages/Disadvantaqes -- A qualitative statement regarding
the relative merit, or lack thereof,
of the particular concept.
Sumary of DSTSG Input -- Where possible and appropriate, a summary
of the interaction with the DSTSG
is included.
Dimcussion -- Any amplifying remarks that the authore believed
ap[wnpPtflLe
The project timing waa such that the 29 "historical" recommenda-
tions (see Appendix D) were available for review by the DSTSG in sev-
eral meetings. Therefore, it was a reasonably straightforward task to
incorporate DSTSG reactions into the material. In contrast, material
which wan derived from several ongoing DOE programs was not available
until much later. Aa a result, these 37 later suggestions were not

discussed in an open forum. However, they were reviewed by individual
members of the DSTSG, who then provided written coments as they
deemed appropriate.
The initial effort is documented in Appendix D, "Nuclear Power
Plant Design Alternatives for Improved Sabotage Resistance." The
later effort is reported in Appendix E, "Reactor Plant Safeguards --
Potential Safeguards -- Related System and Ccmponent Design Changes
and Damage Control Measures." Pertinent aspects are swmarized below.
, .
"Historical" Design Options -- The 29 design options* were cata-
' loged into one of the four categories discussed on pages 4-2 to 4-4.
A tabulation of the options by category is shown on Table 4-1 (adapted
fram Table 2.1, Appendix D).
In order to prevent a challenge to containment integrity and
prevent a release of radioactive material that would threaten public
health and safety, whether £ran an accident or by a deliberate act, it
is necessary to maintain the reactor coolant system integrity, remove
decay heat, and ensure reactor shutdown (negative reactivity inser-
tion). Therefore, when the list of design changes to enhance safe-
guards was ccmpiled, design options were sought which would provide
improvement in at least one of the following areas:
1. Enhance protection of the reactor coolant pressure boundary,
2. Enhance protection of the decay heat removal function, or
3. Enhance protection of the reactor shutdown function.
There is a relationship between the first two in that a sound and
functional primary coolant system makes the decay heat removal task
easier.
1
Throughout the conducting of this study, the terms "design alter-
native" and *design option" have been used interchangeably.

Table 4-1
Categorization of Design Alternatives
Category Title NO.
!I Underground siting (3.2)"
llardcned containment building (3.3)
:.!i
UU
4 a
0 u
23
i! 't m
2 nardcncd tip
m
U't
rn o
c
0
4
c,
a
U
4
w
4
Hardened fucl handling buildfng (3.4)
llardcncd cnclosuro of control room (3.5)
Hardened cnclosuro for RPS~ and ESFAS~ cabincts 13.6)
Hardened ultimate heat sink (3.7)
Takinq advantaqe of natural protective fcaturcfi in si-c scloction (3.8)
cnclosurcs for m.tkcup water tanks (3.3)
Separation of cont~inmcnt pcnctrations for redundant trains of safety
equipment .- (3.10) . . ~ ~.
Spent fuel storage within containrncnt (3.12) 3
jI Spcnt fucl storcd bclow yrade (3.13) 4
H Physically scparcrtcd and protcctcd rcriundont trains of s.lfcL~'
cquipncnt 0.14)
Scparato areas or rooms for cnblc sprcodinq (3.15)
"I 5
Alternate control room arrangcmcnts (3.16)
d
F.CCS components within containmunt 0.17)
Administrative, information, and construction bul ldinqs loc.ltcd cmtsidc
8
of protwtcd arca 0.18) 9
.
Separation of safcty-rclatcd pipinq, control cables, i~nd :power cables in .. . . . . .
undcryround gallorics 0.11) ,2 . , .
- Rcactor protection systcm
C~~~~~ - Engineercd safcty fcaturcs actontion systcm
d~~~~ = Emcrgcncy core cooliny systcm
"~ach number in parentheses refers to the section number of Lhe rlcscrlption in Appendix D.
-
1
6
7
8
1

I
I
Table 4-1 (Continued)
Categorization of Design Alternatives
Category Title - No.
Isolation of low-pressure systems connecred to reactor coolant pressure
boundary (3.19)
Design changes to facilitate damage control (3.20)
5.1 .-
Alternate containment designs (3.21)
C
o
u
H tlr
-.
P)
'CI
H .z
fi
u
m
X
m
m . E
r( P)
z%$
'CI X
4-
Extra-redundant, fully separated, self-contained and protected trains of
emergcncy equipment (3.22)
Additional protected control'' rod trip (3.23)
Additional protected control rod trip acting on diverse, protected
trip breakers (3.24)
Turbine runback (3.25)
Reduced vulnerability of intake structures for safety-related pumps (3.26)
Trip coils for breakers/switchgear energized by internal power source (3.27) 9
High-pressure RHRSe (3.28) 10
Hardened deca2 heat removal system (3.29) 1
Additional independent, diverse scram system (3.30) 2
e~~~~ = Residual heat removal system

Although the attributes described above are fundamental to the
selection of viable design options, there are other attributes
against which any candidate alternativep should be evaluated. These
attributes are
1. Engineering and construction feasibility,
2. State-of-the-art technology,
3. High value/impact (benefit/cost) ratio,
4. Minimal impact on normal plant operation and maintenance,
5. Independence, and .
6.. Side benefits.
A feasible concept is one that can be put into a workable design
now, whereas state-of-the-art technology refers to one that can be
implemented with some development of technology or hardware based on
existing knowledge. In the initial screening, at least some qualita-
tive judgment was attempted except in the area of value/impact assess-
metat, which is treated later in this report. Also, this initial as-
sessment considers the potential contribution to sabotage resistance
offered by the proposed concept, although,at this point, the assess-
ment is subjective.
It will be noted that those suggestions dealing with hardening
generally refer to hardening sane boundary,such as a building or cabi-
net, rather than individual components, for example, pumps or valves.
The possibility of hardening individual canponenCs was explored, but
these ideas were deemed unacceptable for several reasons. First, a
brief survey conducted by the Los Alamos National Scientific Labora-
tory of the effects of explosive/incendiary devices on individual
canponents reveals that such a small amount (a pound or less, if
skillfully emplaced) in required to cause unacceptable damage that
strengthening cmponents would not add significantly to an adversary's
task. 24 Second, hardening would not materially affect an insider's
ability to cause problems, since he is presumed to be authorized ac-
cess and would therefore be able to circumvent simple hardening.
Third, because of the special nature of these components, schemes to

harden them often entailed adding shrouds or other covers; covering
canponents could lead to maintenance and operations problems because
of the restricted access.
The recommendations for modifications to plant layout emphasize
additional separation of safety-related equipment. Some of these
recammendations have already been incorporated in recent plant de-
signs, their inclusion having been motivated by several concerns.
For example, multiple cable spreading rooms are now accepted design
practice due to concerns about fire protection. Also, many utilities
have already begun to revise plant layouts in order to place adminis-
trative and other service facilities outside the protected area, pri-
marily as part of their response to requirements for increased secur-
ity as mandated by Chapter 10, Code of Federal Regulations, Section
73.55 (10CFR73.55). 25
Several suggestions deal with enhancing the protection of spent
fuel and of the canponents of the emergency core cooling systems. The
need for such protection varies with particular plant layouts as well
as with the availability of redundant systems to accaplish similar
functions.
The suggested system design changes affect facility design (e.g.,
alternate containments), functional systems (e.g., isolation or high-
pressure RHR), and operational capabilities (e.9.. turbine runback).
As with the plant layout modifications, some of these suggestions
b reflect actions which may already be under way for other reasons.
. Finally, the principal suggestion for additional system8 focuses
upon a hardened DHRS. In this context, a hardened system provides
decay heat removal through the steam generator by supplying an addi-
tional source of feedwater and primary system makeup. It is essen-
tially a hardened auxiliary feedwater system which, in some refer-
ences, is labeled an independent safe shutdown system. This again is
not a unique suggestion; in fact, assured decay heat removal has obvi-
ous nafety implications (References 5, 26, and 27).

A summary of the initial findings on these 29 options is presented
in Table 4-2 (Table 2.2 from Appendix D). It is emphasized
again that these findings reflnct the subjective judgment of the authors,
taking into account all the available inputs. The summary
chart is set up so that an option which was considered good in a11
aspects would have a solid circle in every column. All 29 concepts
are deemed feasible, but 3 (11.8, 111.3, and IV.2) would require some
technology development in order to implement them. Most of the concepts
appear to have potential for improving resistance to sabotage.
Hardening particular enclosures (1.6) probably does not offer much
increased sabotage resistance because of the considerations mentioned
above under component hardening (B& page 4-2) and because hardening
would not affect the "authorized insider." Moving spent fuel and ECCS
components into containment may not offer much advantage for several
reasons. For instance, although spent fuel in contlinment might be
better protected during operation, the increase in numbers of personnel
with access during outages could increase the overall vulnerability.
Moving major ECCS components into containment would introduce
other problems, for example, qualification of equipment for post-LOCA
environments, which would work against possible improvements in protection.
The ideas for additional protected trip mechanisms were not
considered to add to the resistance to sabotage because there are
already many conditions which will trip the plant off line. It was
noted by members of the DSTSG that tripping the plant is no problem:
in fact, just the opposite is true--the plants almost trip too easily.
. 'pi,: :
1 h . . .if..:
When the remaining factors--indepelu:nce, impacts, and side bene-
:b$bb'!\
fits--are considered, generali;htkqQp I.,I,,,. are no longer Appropriate. Only
eight of the options are considerq%to have independence f+m other
!.:,!;:I/ . .
aspects of the plant, a result which is perhaps not surpri&ng given
,a,~j,!i , a >
the strong interrelationships betw~~n normal plant systems,," Simply
making buildings harder (I .2 and 5";3) does not require interaction
;,!..!;(b
with other plant features; however, such hardening could affect the
performance of other structure8 uq !!&$ er seismic disturba"ce.,,.:!.Likewise,
kg ,
additional physical separation (1.3;' ,l;rilj and II.5), though it may require
careful engineering, is not depei$e*t upon other systems. The same
!:.?I:
r.

Dullga control
Alternate contrincnt
Separate trains
Protected trip
Addltlotul trip ,
Turbln~ Whck
Intake structures
Trip tolls
nigh-pressvn RHRS
Findings on Potential for Improved Plant
Sabotage Resistance

observation can be made for isolation of low-pressure systems and ex-
tra trains of emergency equipment (111.1 and I11.4), although piping
connections would require some evaluation. Adding an additional sys-
tem (IV.l) is relatively independent, except that such options usually
postulate and require an intact primary coolant system.
There is almost an even division between those options which are
deemed to have significant impacts and those which are deemed not to.
However, it should be emphasized that, in this initial analysis, the
question of impacts produces widely varying opinions, even among peo-
ple with similar experience. Therefore, these results are used advis-
edly and without forming an unchangeable position. For those options
which involve layout modifications, one of the most frequently cited
impacts was the increased cost of generally larger, more spread out
facilities. Also, operational impacts were often cited for storing
spent fuel in containment (11.3) or putting ECCS components into con-
tainment (11.8).
Although not central to the question of improved resistance to
sabotage, other potential benefits of the proposed options were
considered. Again, about half of the options offer some additional
benefit. The most cited benefit, especially for those designs which
stress separation, is the added protection against fire effects.
Where additional redundancy is proposed, a significant additional
benefit is the capability to have a full train of safety equipment
down for maintenance or testing and still meet single-failure criteria
for safety systems.
Based upon the foregoing considerations, six options from this
set were selected for further conceptual development and analysis.
These options were selected because, at this time, they appear to
offer the most pranise for enhancing protection without obvious major
impacts, and they cover a spectrum of possible designs. The six op-
tions are listed in Table 4-3.

Table 4-3
Design Options Selected for Conceptual Design
Hardened Enclo.sures for Makeup Water Tanks (1.8)
Separation of Containment Penetrat
Trains of Safety Equipment (11.1
Physically Separated and Protected
Trains of Safety Equipment (11.5
Hardened Decay Heat Removal System
ons for Redundant
Redundant
(IV.1)
Isolation of Low-Pressure Systems Connected to the
Reactor Coolant Pressure Boundary (111.1)
Design Changes to FaciLitate Damage Control (111.2)
Further discussion of these options is contained in Section 6 and
Appendix G.
Also at this time, seven options have been dropped from further
consideration primarily because they do not appear to offer any sig-
nificant increase in sabotage resistance and, in at least two in-
stances, because of the major technology development required. These
options are indicated in Table 4-4.
Table 4-4
Design Options Dropped From Further Consideration
Hardened Containment Building (1.2)
Hardened Enclosure for RPS and ESFAS Cabinets (1.5)
Spent Fuel Storage within Containment (11.3)
ECCS Components within Containment (11.8)
Additional Protected Control Rod Trip (111.5)
Additional Protected Control Rod Trip Acting on
Diverse, Protected Trip Breakers (111.6)
Additional Independent, Diverse Scram System (IV.2)

Several options (i.4, 11.6, and 11.9) were dropped from further
consideration in thf~ study because they are alreac'y being implemented
for safety considerations (e.9.. separate roans for cable spreading)
or in direct response to safeguards requirements (e.g . , hardened con-
trol roans and relocation of administration buildings).
The remaining additional options were not pursued further at this
time primarily because the impacts appear to overshadow any potential
benefits. For example, underground siting and using natural protec-
tive features as criteria for site selection carry large cost burdens
.a
and could create severe operational problems. Turbine runback to pick
up station loads is an example of a capability which may exist in some
designs, but the costs and operational considerations to demonstrate
the capability as part of plant licensing are not considered to be
worth the effort, considering only sabotage.
As was indicated earlier, many of the judgments at this point are
unquestionably subjective. However, it is believed that those options
selected for conceptual design (Table 4-3) do offer promise for in-
creasing protection. Therefore, if the subsequent analysis should
indicate only marginal improve~ent over existing practice for this
set, then further development of the other options would not appear
reasonable.
Design Options from W E Safeguards Studies -- There are differ-
ences in character between the design changes cataloged above and
those deriving from safeguards studies which must be recognized in any
comparison. Most of the "historical" design suggestions examined have
frequently appeared in other sources. In contrast, those arising from
particular DOE programs have had only limited public exposure or peer
review. The former list emphasizes protection against radiological
sabotage, whereas the latter list frequently emphasizes changes that
caopensate for, or reduce reliance upon, systems which may be unavail-
able due to sabotage. Therefore, when considering the potential for
improved sabotage resistance, a slightly modified perspective must be
adopted when canparing design changes in the two lists.

A tabulation of the design changes derived from the DOE programs
is presented in Table 4-5 (adapted frcm Tables 1.1 through 1.12 in
Appendix E).* If this tabulation is compared with that of Table 4-1,
the difference in perspective is readily apparent. The plant layout
modifications reflect increasing protection for the most part, while
the system design changes tend to emphasize (1) reducing vulnerability
by decreasing reliance on multiple systems (e.g., changing diesel
cooling, using passive lubrication); (2) providing alternate means to
accanplish some functions (e.g., power cross connections, swing load
capabilities): and (3) mitigating the effects of the sabotaging of
some given equipment (e.g., increasing station battery capacity, reac-
tor head venting, dc power generation capability).
A summary of the initial findings on these 37 sugqestions is pre-
sented in Table 4-6. As with the surmnary in Table 4-2, the Table 4-6
summary represents the authors' evaluation of the available inputs:
however, there are several differences between Tables 4-2 and 4-6.
First, these suggestions have not been discussed in an open forum with
the DSTSG: only DSTSG written comments have been used. Second, an
initial version of these suggestions was not prepared: that is, t?lere
Ls no canparable table in Appendix E. The format is the same as that
of Table 4-2; any option which has solid circles in every column would
be considered pranising.
Several general observations on these initial findings are in
order. For the most part, the suggestions are considered feasible and
state of the art. Some will require additional examination of feasi-
bility in light of other constraints. For example, placing circuit
breakers inside cabinets may introduce personnel safety concerns which
would require resolution, and increasing the battery size may or may
not be feasible since some already are the largest available. Other
suggestions may or may not be feasible depending upon electric power
The numbering in Table 4-5 continues from that in Table 4-1 for
convenience in later discussions.

Table 4-5
Categorization of Design Alternatives Derived
frog Safeguards Studies
Category Title
+I@ I m
c ,.A cl Increase protected diesel fuel oil supply (2.6)"
um ow o
Hrl h.4.4
mvu I Revise diesel buildinq layout (2.7)
I 1 Relocate RHRS inside containment (3.17)
Provide ac power swing-load capability (2.1)
Provide switchgear and MCC~ enclosures with
internal circuit'breaker trip (2.2)
Reyise vital electrical area cooling arrangements
(2.3)
Provide vital ac power cross-connections for
multiple unit sites (2.4)
Revise diesel engine cooling arranqement (2.5'
Increase station battery capacity (2.8)
Provide dc load-shedding capability (2.9)
Provide Class 1E dc division cross-conncctlons
(2.10)
Provide extended dc power generation capability
during station blackout (2.11)
Provide consolidation (comon location) of
safety-related instrumentation transmitters
(2.12)
Provide additional local-renote indicators for
plant equipment (2.13)
Rearrangc instrumentation cabinets to ml;?lmlre
panel-front controls (2.14)
Modify small diameter pipeway to hlgher schcdul i
and all-welded construction (2.15)
Maximize use of pssive lubrication (2.16)
Maximize use of enclosed modular components (2.17:
Provide localized cooling for vit~l pumps a:la
motors (2.18)
"Each number in parentheses is the sectlon of the descr~ptlon Ln
Appendix E.
b M = ~ motor ~ control center

Category
Table 4-5 (Contirue?)
Categorization of Design Alternatives Derived
from Safeguards Studies
Title 30. -
Reduce vital area coolrnq depende~ce on active
systems (2.19)
. Provide a Class 1E auxiliary stcan turbinegenerator
(3.1) 2 6
.
Pro*:ide Class li: po.wer to ?ressurizer heaters (3.?i
Add additional insulation to pressurizers !3.3)
2 4
30
Provide reactor vessel water level
instrumentation (3.4).
,, , ,
3:
Provide capability t,o rczstoly vent reactor
vessel head (3.5) ;+j, ,
.. . ,' 32
Provide dc motor actuators to reactor coolant
, .
, ,
-
-J
0
a
c
.rl
u
- 5
U
m
0
m
1 5
Z <
- C
m
n
0)
3
5 .J
m
B.
LT,
pump seal leak-off ,,i$platinn *:alves (3.6) I!: d 2, 2
Provide parallel a"djiindepc:?dcnt vctls,*es rn
pressurizer auxiliaty spray line !3.i) 3 4
C
Provide automatic actuation of AFNS '3.8)
&:, :? . .
3 5
Provide expanded supply of onsite emergency
feedwater (3. 9) !I#!,, 'I
>.I:;,',,
!'
Prcvide swina-load a ability for notcr-driven,
AFW pump (3.10) .,$ ., ., . , " . . : '
,,O# , .
Provide expanded sq,& of local instruments for
manual control of steam turbine Af'd pump (3.11)
:;$i;',
Pr0'~ide dc motor dqyers for notor-driven lube,, , .
oil punps on steant$:bine (3.12) I
Ithii:: I
Pipe gland seal 1eg)cfi~e out of turbine AFh'
, ., li !
pump room (3.13) 8 . .
f$j!j
Relocate temp< ratuqfi;$gensitivc turbine controls
from AFW turb-ne p4cp (3.14)
~ l > ~ :
Provide dc motor-drkyen or steam-turbine-driven ,
pump ruom ventilatiy& (3.15) 52
Increase safety inj&tion tank pressure ratinq,to
. make it available &passive source (3.16) 4 3
,. .
Provide an R m systgin'for BWR~ which operated in
n natural circulatign mode (4.1) 3
2?2
Q m
Q B.
4(n
, ,
I! \/
I,, y
'AFWS = auxiliary feed water system.
36
37
3 8
39
4 0
4 1

, .
.,. .
. - . . . . ~
Findings on Potential for Im$,,oved Plant Sabotage ~es'istance
and Desirable Attributes.&f:i!~andidate Design A-lternatives
I;?.;:! a
Dcslan Alternctlves
Increase fuel oil
Revlse ffi bldg.
RHRS inside contalnmnt
Ac snJnp load
SffiR internal breaker
Revise cooling
Ac parer X-connections
Revlse ffi coollng
Increase battery Capaci ty
Dc load sheddlng
Class 1E dc X-connects
Dc parer generation
C m n locatlon transmitters
Added local-remote
Uinimlze front panel controls
All-welded plpe
Passlvc lubrlcatlon
llodular cwonents
localized cooling of pws
Reduce YA coollng
Class 1E tux. stem turblne
Class 1E per to pressurlzr
Insulate pressurizers
Vessel water level
Vessel head vent
Seal leak-off valves
Pressurizer tux. spray valve!
Autawtlc AFYS
Onrlte feedwater
%in9 mi PW
Local lnstruncnts AFM
Dc-Prlvr luh 011 pumps
Gland seal leakage
Relocat* Afn controls
Rap row rmtllatlon
SI tank pressure
RHR for BUR
. .
- . . ,. .
i+~dlli.
, , , . ,

availability and other factors. For application in a nuclear power
plant, some suggestions would require hardware development and certi-
. fication, such as passive lubrication in safety-related pumps. Also,
these suggestions in general have significant dependence upon other
systems, which reflects the provision of alternate means or mitigation
of effects discussed earlier. Finally, as a general point, these suggestions
do not have as many side benefits, but this lack of side
benefits reflects the perspective of the DOE studies (i.e., emphasis
1
upon safeguards) and is not necessarily a detriment to their use.
:...,, ,, , '.. ,,,,.,., ,., .
Six of the changes appear to have potential for improving sabotage.resistance
(11.12: 111.15, 23, 26, 27: and Iv.3). Unfortunately, '
there are some major impacts associated with most of these concepts.
For example, moving the RHR into containment will require larger containment
structures witX attendant costs, maintenance will be more
difficult, and additional equipment will have to be qualified for
post-LOCA environments. Similarly, adding a passive RHRS for boiling
water reactors (BWRs) involves significant capital expense and introduces
maintenance and operational problems. Nevertheless, both of
these design changes (11.12 and IV.3) have been selected for additional
analysis and concept development because of their potential benefits.
Although revisions to cooling schemes appear to have some promise
(111.15, 26, 27), they will not be pursued further. The incorporation
of these concepts will not eliminate any of the Type I vital
areas usually identified in the sabotage fault tree analysis. One
concept (111.23) would appear to carry such significant impacts for
* operations and maintenance that it has been dropped from further
.
consideration.
A considerable number of these suggestions do not appear to di-
rectly affect the aabotage resistance of the plant, although they may
have potential or promise for recovery and mitigation. This list
includee 111.11, 21. 29, 30, 31, 32, 33,. 34, 36, 37, 38, 40, 41, and
43. Providing other sources of Class 1E power, alternate instrumenta-
tion, dc-driven valves, etc., does have some effect upon the way sys-
tems can be used, but such modifications do not directly affect sabo-
tage resietance. Alsotin some instances, there are significant impacts.

For example, additional remote indicators ,would require maintenance
(111.211, and isolated seals (111.33) could add problems by placing .
additional burdens on remaining seals.
There are some capabilities here that already are being included
in plants for safety reasons, based upon the events at Tnree Mile
Island (TMI), Unit 2. 28 These capabilities include additional emer-
gency power to pressurizer heaters (III.29), additional instrumenta-
tion to detect inadequate core cooling (III.31), and automatic initia-
tion of the auxiliary feedwater system (111.35). Because these are
required for other reasons, they exist (or will exist), and no further
analysia solely for safeguards effectiveness is necessary.
The remaining 17 suggestions may have some potential for improv-
ing resistance to sabotage, but their potential is not well-defined at
this point. In addition, mast of these suggestions carry impacts
which cannot be ignored. For example, providing cross connections
(111.18) may provide additional sources of power but, at the same
time, introduce single points of vulnerability or unreliability. Add-
ing something like a Class 1E auxiliary qenerator (111.28) will add to
system complexity and capital costs.

Rationale
5. DAMAGE CONTROL OPTIONS
An underlying safety principal for nuclear power plants has been,
and continues to be, redundancy. If a given system fails, there is
generally a duplicate (redundant) system available to perform the same
function. However, there has been a continuing interest in the idea
of damage control. Damage control measures are defined as "measures
that can be employed (or actions which can be taken) within hours
after an act of radiological sabotage to prevent or reduce the release
of radioactive materials."
Given this definition, damage control or operator response to an
adversary's actions can be viewed in two ways. These measures can be
the temporary repair of a system or its components effected to restore
or maintain operability. On the other hand, these measures can at-
tempt to accomplish the damaged system's "function" with some other
system which may not have been specifically designated for that func-
tion. Both of these views were explored in this study, and the re-
sults are discussed in this section and in Appendix F, "Nuclear Power
Plant Damage Control Options for Sabotage Protection."
Alternative Concept of Damage Control
The traditional concept of damage control is rapid repair or jury
rig of affected systems. In contrast to this is the alternate idea of
accanplishing a system's "function" by nubstituting another system
which was not originally designed for that purpose. Note that this
differs from redundancy in that not an exact duplicate but rather a
completely different system is used. An example of such an approach

would be to use the plant fire protection water system to cool vital
equipment in the event the normal and installed emergency cooling
systems failed.
Available Time Estimates -- A key question that mustbe addressed
in oraer to evaluate the protection afforded by damage control is,
Giv'en sabotage, how much time is available for remedial action before
recovery is impossible? Thus, one of the initial efforts of this
study was to establish bounding estimates of available time, which is
defined as "the period between an upset initiation and a subsequent
condition in which significant fuel damage leading to the release of
fission products from the fuel is imminent." The time available to
take damage control action is dependent on the postulated damage from
the sabotage and also on the prior state of the plant (e.g., full
power, hot shutdown, etc. ) .
Several representative cases were analyzed for a PWR and a BWR.
Details of these cases are presented in Appendix F. The cases were
selected based on a variety of events (e.g., loss of reactor coolant,
loss of electrical power, loss, of heat removal capacity), plant states
(e.g., full power, hot shutdown, refueling) and, in some instances, to
emphasize certain systems such as emergency feedwater. With one ex-
ception, all the calculations were done using simple, approximate
models. The exception was the use of the RELAP 4 transient simulator
to provide a comparison with the approximate calculations for a loss
of all power at a PWR. The primary reason for the use of the RELAP 4
code was that this transient is more complex than the others, pro-
gressing through several thermal-hydraulically sensitive s :ages. The
computer calculation agrees with the corresponding approximate cal-
culations. For the purposes of this study, it was impractical and, in
mast cases, unnecessary to use the large, thermohydraulic computer
codes.
The initial conditions and other important assumptions for these
calculations were generally nominal or best-estimate values.' That is,
the degree of conservatim characteristic of design basis safety ana-
lyews has been avoided. This ia considered appropriate for sabotage

8
studies because it is unlikely that sabotage evants would be coordi-
nated to occur simultaneously with worst-case thermal-hydraulic and
other plant conditions.
The PWR calculations are based on a typical four-loop plant rated
at 3,200 MW (thermal). The BWR calculations are based on a typical
jet pump plant rated at 1,700 MW (thermal). Because of the particular
NSSS used as a model for the PWR calculations, the results may not be
applicable to a plant having a different type of NSSS, especially
where the calculated times available are strongly dependent on the
initial water inventory in the steam generators. Also, the results
are sensitive to the primary system water mass relative to the decay
heat power; thus, NSSS models of both PWRs and BWRs having different
power densities per unit of reactor vessel volume may result in dif-
ferent time availabilities when analyzed in a similar manner.
Loss-of-Coolant Events--Available Time -- The calculations in
Appendix F show that FWR loss-of-coolant events, except for minor
leaks, require response times of significantly less than one hour. As
a result, damage control is not considered here for such events. Spe-
cific BWR loss-of-coolant cases are not analyzed: however, it is
inferred that similar conclusions would hold since the transient blow-
down and reflood times are of a similar magnitude as those for the
PWRa. Therefore, means other than damage control must be relied upon
to either prevent a loss of coolant by sabotage or to ensure that
emergency core cooling systems are not rendered ineffective by acts of
a sabotage.
* Reactor Trip Assurance--Available Time -- The consequences of not
acramning a reactor for transients where it would normally be required
have been analyzed over the past several years in response to the
Nuclear Regulatory Comnission'e call for anticipated-transient-
without-scram (ATWS) analyses. Those analyses generally assume that
all other mystems required to control or mitigate the transient will
operate. Regardless of those analyses, because there is no experience

with such events and because the complications of sabotage are unpre-
dictable, it has been deci3ed not to pursue damage control as a means
of assuring a reactor tri,>. Thus, it is assume? herein that a reactor
trip occurs soon after a major urset caused by sabotage since the
control room operator vould initiate a remote manual reactor trip."
Therefore, no attempt has been made to address local scramming of the
reactor from a panel outsi3e of the control room as a danaqe control
measure.
Reactor Vessel Decay Heat Removal -- The results of bounding
calculations to establish a'nominal minimum available time are shown
. . ,
in'~a'b1e 5-1. These cases assume the loss of offsite power and a loss
of cooling water flow, that is, steam generator feed for the PWR and
reactor vessel injection for a BWR, from several initial conditions.
The time at which significant fuel damage occurs was taken to be when
the water in the reactor vesnel reaches the core midplane. This cri-
terion assumes that significant fission product release will not occur
prior to the water reaching this level. The results shsw that, in the
two examples with the plant in hot shutdown, a minimum time of about
1 hour is available for operator response to termination of decay heat
cooling water flow and loss of external power. This minimum available
time provides guidance for evaluating damage control options, that is,
options were examined which support maint qning a hot shutdown state
and which can be conducted within 1 hour. FOL *he cases in ?'able 5-1
in which the initial condition is cold shutdown, se.--al hours are
available for damage control actions. While specific co,' shutdown
conditions were not analyzed, data in the the table imply that, when
the reactor vessel head is in place, at worst the plant could be al-
lowed to heat up and then use normal or abnormal operational response
for the hot shutdown condition. When the reactor head is off as an
4
A8 for sabotage actions that would prevent scram logic from oper-
ating properly, normal operator response action would be to initiate a
manual scram. Thus, reactor trip sabotaqe actions that would have to
ba protected against by means other than damage control are attempts
to prevent the control rods from physically inserting or attempts to
jumper the reactor trip manual initiation circuitry.

Sabotage Event
Loss of offsite pwer; loss of
water flow to BWR vessel or PWR
steam generators
Loss of offsite power; loss of
rater flo-* co BUR vessel or PWR
steam generators
Loss of offsite powert loss of
residual heat removal system
operation
Loss of offsite powrt loss of
residual heat removal system
operation
.
Table 5-1
Available Time Bounding Case Results*
Initial Plant State
Hot standby; 1 hour after
shutdown frau full power
Cold; reactor veazel head on;
15 hours after shutdown from
full poser
&fueling; reactor vessel head
off; 72 hours after shutdown
from full power; refueling
cavity full of water
Criterion is time to reduce reactor vessel level to core midplane.
P WR
2.0 hours
.4.4 hours
9.1 hours
77 hours
0.9 hour
2.2 hours -
16.3 hours
24 hours

initial condition, the time available to reinitiate cooling is on the
order of a day or more. Thus, it is judged that sabotage actions when
in cold shutdown could probably be countered with damage control mea-
sures as long as draining of the water in the reactor coolant system
is not part of the sabotage consequences.
Spent Fuel Pool Decay Heat Removal -- For the PWR example, if
sabotage actions disable the spent fuel pool cooling system, more than
6 hours is required to reach boiling temperatures even at the highest
possible decay heat levels. Once temperatures of 100°C (212'F) are
reached, an additional 12 hours is required to boil off 1 metre
(3 feet) of water. Thus, it is judged that spent fuel pool cooling
systems may be completely protected by damage control means since
cooling of some sort could undoubtedly be restored within 12 t o 24
hours and the decay heat level is likely to be less than that used in
this analysis. Although not specifically analyzed, the BWR result is
expected to be similar. This may vary considerably £ran plant to
plant because of differences in spent fuel pool design and capacity.
Regarding the mechanical removal of water from the spent fuel
pool, the available time depends on the rate of loss. In the PWR
example, it would take in excess of 1-1/2 hours to remove 3.05 metres
3
(10 feet) of water from the pool at 0.063 m /s (1,000 gpm) if all
makeup were prevented. This rate is equivalent to that which a larqe
portable pump weighing more than 227 kg (500 pounds) could provide.
It appears that damage control measures to refill the pool can be
relied upon for sabotage modes using pumps because there would be
adequate warning time to counteract the effects of pumps of a size
that could stealthily be placed beside or inside the pool. Larger
pumps would require overt efforts to set up, and this would be within
the scope of the protective guard force. Protection against pool wall
breaching should be accanplished by means other than damage control.
The water removal rate au a result of the breach of pool walls
cannot be estimated -
a priori because the damage is dependent on the
saboteur's capabilities.

Based upon this analysis, it is concluded that, for some sabotage
events, there is time available to initiate some form of damage con-
trol. Candidate actions are discussed in the following section.
Potential Damage Control Actions -- Damage control options are'of
necessity plant dependent because of the specific nature of the
plant's physical layout and the systems which are not directly a part
of the NSSS. In this study, two specific plants, one a four-loop PWR
. and the other a jet pump BWR, were used as models. Therefore, some
caution must be exercised in applying the results on a generic basis,
. although the types of options identified here are believed to be gen-
' . . . , .~. .., . ,
.
erally applicable.
The primary constraining factors in conducting any damage control
actions at a power plant are the staff available, the time available,
and accessibility. For this study, staffing levels are considered
essentially fixed, although,in some instances, increases might be re-
quired to man the damage control teams, especially on backshifts. The
,available time for various plant conditions was discussed previously.
Factors of accessibility were considered in the analysis. Actions are
considered to be possible from the control room or locally from a
roving operator. Containment access at a PWR is considered practical.
but this is not the case for a BWR. With these constraints existing,
numerous operator options to maintain system operability and functions
were developed and evaluated. Equipment modifications required to
support various options were also identified.
As indicated earlier, this alternate concept of damage control
depends on other installed systems and abnormal operating procedures
to overcome the effects of sabotage on systems normally required for
certain critical functions. The multiplicity of ways available to
provide these system functions were examined, and,in order to define
the required inn-tions and system availability, the following impor-
tant assumptions were made:
At the onset of the sabotage event, all sources of offsite
electrical power are assumed to be indefinitely interrupted.

' All reactor control rods are assumed to be inserted when a
scram signal is received. Other sabotage countermeasures are
relied upon to assure that the control rods are inserted.
There is no coincident significant loss of coolant because
loas-of-coolant sabotage events are not amenable to damage
control response.
The plant has been operating at full power for an indefinite
period of time.
Sabotage acts ccmmitted during shutdown periods or refueling
are easier to counter since the time available and access
conditions greatly expand the possible mitigating options.
Under these assumptions, the primary goal of the operator is to
bring'the plant to a safe and stable condition--defined fop this pur-
pone to be hot shutdown. In deriving the mechanisms available to the
operator, the plant and its associated systems were evaluated in light
of the assumed circumstances. (For example, ECCS loads on the vital
electric buses will not be needed.)
For each reactor type (PWR and BWR), the following activities
were undertaken:
1. The principal functions required to maintain the plant in a
hot shutdown condition were determined. In particular, the
basic considerations of coolant inventory control, decay heat
removal, and primary system pressure control were addressed.
2. The systems and canponents that would normally be expected to
perform these functions were identified.
3. Auxiliaries and support systems required for each of the
systems were identified.
4. Alternative ways of performing the principal functions and
providing needed support services, including procedural aspects
of each method, were established.
5. The procedural steps needed to initiate the alternative actions
were defined.
6. Hardware changes required for each action were defined and
examined.
Using the approach delineated above, candidate damage control
actions were identified and described (aee Appendix F). Each of these
options was waluated; the results of this initial evaluation are
.

show on Table 5-2 a able 3-1, Appendix F ). The object of the analyses
was to identify only those options which may be employed to
maintain the required minimum plant functions to preclude a major loss
of fuel integrity. Systems and components that are "desirable" but
not essential are not specifically addressed. Included in this category
are several plant instrumentation systems (i.e., control rod
position, reactor loop temperature, corltalnment pressure, power level,
etc.), sampling systems (containment and primary systems), and the
L
reactor cleanup system. Each of the 25 resulting options was cvalu-
. ated considering what targets (systems) are affected, what hardware
modifications might be required, what operational changes might be
necessary, and what level of engineering would be required to implement
the option. The subjective evaluation is shown in Table 5-2 as
an impact, the impacts ranging from none to high. An additional item,
regulatory concern, is included in an attempt to indicate areas in
which current licensing practice may require modification either to
implement the option or to allow regulatory credit for damage control
as a means of countering sabotage.
Because the emphasis in the study was on installed systems, the
majority (22) of the 25 options identified have little or no impact in
terms of requiring plant modifications or inducing engineering prob-
lems. In this context, installations of additional piping or electri-
cal cadling are considered low-impact items, because installing each
of these items is a relatively straightforward operation compared to
installing additional pumps 01 icu?signing equipment. Similarly, most
options (20) will have no significant operational impact because oper-
ations personnel will know how to operate the systems. It is envi-
sioned that there will be regulatory concern in about half the pro-
posed options because of the suggested departure from current practice
in terms of alternate uses of safety equipment.
As indicated, each of the options was considered independently.
Examples of the work sheets used in the analysis are shown in Tables
5-3 and 5-4. Table 5-3 is the evaluation for the first option, which
ie considered to have fairly significant impacts. Table 5-4 is for

Option
Function
Table 5-3
Evaluation No. 1
(BWR) Manually operated reactor vessel relief
valve.
Decay heat removal -- steam venting directly from
the main steam system to the suppression pool.
Targets affected
Main steam safety/relief valves -- In the event
that the reactor operator must depressurize the
reactor vessel in order to operate the core spray
or RHR systems, this can be accanplished without
the services of 125-volt dc or service air. This
eliminates the dependence on the remote-manual
operation of these valves.
Hardware modifications
No such system is presently installed in existing
plants. There must be a connection made to the
main steam system upstream of the main steam iso-
lation valves. This could be accanplished either
directly or by adding a branch to the HPCI steam
supply line. At the exhaust of this line, an addi-
tional suppression chamber penetration and internal
sparger will oe required. If the valve is to be
located within the primary containment then an ad-
ditional containment penetration will be required.
Operational considerations
Procedures and operator training will be required.
Engineering concerns
Accessibility, in terms of ambient temperature con-
ditions and possible radiation, to the valve opera-
tor will require attention. It is conceivable that
the valve could be mounted inside the drywell with
mechanical linkage through a containment penetra-
tion to an operating station in the reactor build-
ing.
This may add another sabotage target outside con-
tainment.

Option
Table 5-4
Evaluation No. 5
(PWR) Manual venting of the steam generators.
Function
Decay heat removal -- steam venting to atmosphere
from the main steam generators via the main con-
densers.
. . Targets affected
Main steam generator safety/relief valves -- In the
event that the safety/relief valves are rendered
inoperable, the steam generators can be vented
through the main condensers. The operator must
open a main steam isolation valve or bypass valve
and a steam dump valve. If a main circulating
water pump is.not operating, the condensers will be
pressurized and the steam will exit via the air
ejector vents or the low-pressure turbine rupture
disks.
Hardware ~siification
The steam dump valve control circuitry will require
modification to provide an override for the con-
denser high-pressure interlock.
Operational considerations
Since it is not good practice to overpressurize a
condenser, a special procedure will bc. required.
Engineering concerns
Comnents
None
It should be recognized that this is a potentially
destructive measure with regard to the turbine/
condenser unit.

the fifth option, which has only minor impact. The evaluations for
all options are contained in Appendix F.
Based upon this analysis, it appears that there are a number of
actions that the plant staff can take using installed equipment to
counter upset conditions. A portion of these concepts could be em-
ployed in a straightforward manner, while others will require addi-
tional studies to verify the concept and define the costs.
Traditional Concept of Damage Control
The idea of temporary repair to restore or maintain operability
of a system is the more traditional concept of damage control. Exam-
ples of such actions are firefighting, buttressing a dam or ship's
hull, or patching a critical piping system. Of course, such actions
may be taken to correct an existing failure or, in some cases, as a
precautionary measure to mitigate the effect of an anticipated event.
This traditional approach is scmetimes labeled "running repair."
The initial approach to damage control considered in this study
was based upon this traditional concept. Figure 5-1 illustrates the
analysis sequence used. The first step was to define the reactor
state (e.9.. hot shutdown). Then, safety analysis reports and the
analyst's experience were used to define the systems which are re-
quired to maintain the selected status. For example, to maintain hot
shutdown may require auxiliary feedwater, component cooling water and
essential service water systems, the diesel generator, and vital in-
etrumentation. Once the systems were defined, possible sabotage modes
for the systems were compiled. These sabotage modes define the "dam-
age conditions" for which manpower, equipment, and repair time esti-
mates were made. The time lines were used to analyze and quantify
times, equipment, and manpower for detecting, responding to, and per-
forming damage control activities required to rectify the sabotage-
induced problems. The time lines include the time required to
(1) respond to alarms or adverse indications in the control room,
(2) communicate to a roving operator and for him to reach the scene of

i
IUHHING
r EQUIRIENT LIST
TRWPORTABILITY
REACTOR STATES
SYSTEHS ~QUIR~O 4
I
SABOTAGE WOES
I
DESIGN CW)DIFICATIOI(S
FAULT TREES
CUT SET BY
LOCATION
1
FAULT TREES*'
EVENT CUT SET
PSAR;. REACTOR
OPERATION KNOYLEDGE
1
TOTAL ;C TIME
FOR GEkERIC EVENTS
L K CUT SET EVENTS F: AvA1*B,
LOCKER LOCATIONS
AWO CONTENTS CONCLUSION
.PRELIMINARY SAFETY W Y S I S REPORT
EVENTS THAT ARE
OwGE COFlTROLLABLE
'V.C.. SPECIFICATIOH OF SABOTAGE EVENTS TO BE ADDRESSED
Figure 5-1. Damage Control (DC) Analysis Sequence

the problem, ( 3) assess the difficulty once the operator reaches the
damaged equipment, (4) asse~.ble the necessary daaage control equis-
ment, and (5) perform the daxage control action. The time estinates
are quite subjective since no data base exists at present. Once the
time lincs were established, lists of equipxent necessary to counter
selected sabotage modes were generated, including soxe consideration
of equipment transporrability. Estixates were also prepared of the
type of personnel required to complete the repair. An example of a
completed time line for sabotage of an auxiliary feedwater pump is
shown in Table 5-5 (extracted fro3 Appendix F).
When the damage control study was reviewed with the DSTSG, aem-
bers voiced some malor reservations about the concept of "running
repalr* and other aspects of the analysis. These concerns are sum-
marized below:
This analysis does not take into account the actions an ad-
versary might take to interfere with repair crews. That is,
if an adversary is intent upon damaging particular items of
equipment, he could also take stcps to prevent a repair crew
from gaining access to the damaged equipment.
The tine estimates for response and repair activities are
highly subjective at this point and probably optimistic. To
adequately support such an approach, a data base (which does
not exist) is required which would provide response times to
various control room alams and times required to accomplish
particular damage control tasks.
There is uncertainty regarding the reliability ;actors and
time constraints involved in assembling a sufficient number
of appropriately skilled personnel to conduct repairs or jury
rigging. Establishment of standby damage control teams for
backshift response presents personnel management problems as
well as additional costs. Given current requirements for
fire brigades and 'security teams, a damage control team con-
cept would likely meet firm resistance from utilities, who
appear to believe they already have too many 'nonproductiven
personnel.
With the large amount of repair and backfitting now going on
during plant outages, maintaining "emergency onlyn stocks of
equipment and supplies could be a major administrative
problem.
Because of the reservations expressed by the DSTSG, the uncer-
tainties associated with regulatory credit for such a Capability, and

Table 5-5
Time Line Sheet
System: Auxiliary Feedwater System
Sabotage Mode: Motor-Driven Auxiliary Feedwater Pump
"Out of Commission" -- Shaft Deformed
Time Line Events
Initiation
. s
Alarm control room
response
Field personnel response
On-scene assessment
Acquire damage control
equipment -- studs,
nuts, gaskets, wrenches,
spool pieces
Perform DC action: for
a practiced crew -- 2
crews of 3 men minimum
Time Interval
for Event
1 min
3-5 min
3 min
5 min
15 min
Remarks
Saboteur must damage
all pumps to disable
system.
DC* on pump not fea-
sible; exercise other
DC options such as
safety injection (SI)
pumps.
Design modification is
to have prepared and
installed a jumper pipe,
double-valved, from the
SI pumps to the AFWS
pipes on the discharge
side of AFWS pumps.
Spool piece to complete
pipe circuit to be in-
serted at AFWS end of
pipe run. Two spool
pieces must be insert-
ed. Presume parallel
(timewise) insertion.
DC = damage control
Noter SI pumps deliver total flow approx. 850 gpm @ 1,160 psi
maintaining hot shutdown mode of decay heat removal

other difficulties that were beginning to surface in the a?slysis, the
application of damage control as a sabotage countermeasure was reexam-
ined. As a result, the alternate approach discussed earlier was se-
lected for study. However, rapid repair may still have considerable
value for mitigation of certain potential reactor accidents. The
actions taken by plant personnel during the Browns Ferry fire and the
TMI incident certainly suggest that damage control should be studied
further.

6. ALTERNATE PLANT CONFIGURATIONS
As indicated in Section 4, a number of the design options were
selected for further development or conceptual design. It should be
noted that the designs developed to implement these options are only
examples. That is, there may be other designs which accomplish the
sve,purpose. Also. these concepts. as developed, relate primarily to
PWR plants, although similar ideas may be applicable to BWR plants.
During the initial stages of the conceptual design work, it became
apparent that two of the options could be combined. Thus, after these
options were combined, conceptual designs and cost estimates were
developed for the following:
1. Hardened enclosures for makeup water tanks (1.8).
2. Physicclly separated and protected redundant trains of eafety
equipment (11.5). his includes separation of containment
penetrations for redundant trains of safety equipment
(II.l).)
3. Hardened decay heat removal system (IV.1).
In addition, the possibility of additional isolation of low-pressure
connections to the primary coolant system (111.1) was examined and the
cost estimated, although no new designs were created.
The conceptual designs and the associated cost estimates are
discussed in detail in Appendix G. The cost estimates are summarized
in Tabla 6-1,which shows the estimated total costs for the design
alternatives as well as the cost increase relative to the reference
plant. The reference plant does not include the additional protective
features in its design. Only cost differences were estimated in the
case of options 11.5 (including 11.1) and 111.1. and,therefore, only
cost increases are tabulated. These estimates, which are in 1978

Table 6-1
Cost Estimate Summary of
Selected Design Alternatives for Improved Sabotage ~esistance'
Alternative Alternative
~ethted Totrl Estimated Coat
Dollars ~ncrease,~ Dollars
1.8 Hardened enclosure for makeup
water tanka
Option 1, individual tank encloaureo $2,500,000 $ 600,000
Option 2, common enclosure for two
tanks 3,100,000 1,200,000
Option 3, hardened tank 2,300.000 390,000
I
11.1 &
11.5
IV. 1
Physically separated and protected
redundant trains of safety equipent
combined with separated containment .
penetrations
Hardened decay heat removal system
--
--
8,700,000
16,000,000
8,700,000
111.1 Isolation of low-preasure syatems
connected to reactor coolant pressure
boundary
a~he
cost estimates ahovn in this table are rounded from the estimates given in Tables 6.2
through 6.7 and in Appendix G.
b~oat estimates (in 1978 dollars) are exclusive of costa for engineering, licensing, intereat
during construction, operation, and escalation. See Tables 6.2 through 6.7 and Appendix G for
details of cost estimates. Uncertainties on the order of a factor of 2 or greater probably
exist.
C~ncrease is relative to the reference plant.

0
. ,
T
dollars, are for costs of materials and construction and do not in-
clude other costs such as engineering, licensing, or interest during
..
construction. Furthermore, these cost estimates are applicable only
to new construction. That is, the costing was done assuming that the
plant design was still in. the conceptual to preliminary stage and no
concrete had been poured. If changes were made after actual construc-
tion had begun. costs would obviously be higher. In a similar vein,
this study has not examined the costs associated with backfitting any
of these designs (for example, the hardened decay heat removal system)
to existing plants.
Each of the conceptual designs is discussed in more detail in the
following sections.
Hardened Enclosures for Makeup Water Tanks
Both the refueling water storage tank (RWST) and an auxiliary
feedwater storage tank (AFWSTI* have been included in this concept.
The RWST provides a source of borated water for injection into the
reactor coolant system, given an even:. dhich requires the use of the
SIS. The AFWST provides a heat sink for the reactor during the ini-
tial stages of plant cooldown, given the loss of normal ac power.
Three variations are considered:
1. Individual reinforced concrete enclosures for conventional
metal tanks,
2. Reinforced concrete building enclosing both tanks, and
3. Reinforced concrete tank with metal liner.
Individual Reinforced Concrete Enclosures -- A thickness of 0.6
metre (2 feet) of reinforced concrete was selected for the walls and
roof of the enclosure. This provides penetration times on the order
The baseline plant does not have a safety grade AFWST. A Seismic
Category I, safety Class 3 suction for the auxiliary feedwater pumps
is provided from the essential service water system which backs up the
normal auction from the nonsafety condensate water storage tank.

of 4 to 13 minutes based upon data from the Barrier Technology Handbook.
29 The enclosure (see Figure 6-11 consists of a vertical reinforced
concrete cylinder on a reinforced concrete base mat. The roof
is a slab 0.6 metre (2 feet) thick. The 17.4-metre (57-foot) internal
diameter of the enclosure provides an annular space 1.8 metres
(6 feet) wide between the tank and the wall. This space pe~mits access
for maintenance and inspection plus an area for pipe routing. A
hardened penetration room protects the pipe passing through the wall
of the enclosure. The enclosure provides venting for the tanks by
means of an internal standpipe.which opens into the underground pipe
tunnel. .
Reinforced Concrete Building Enclosing Two Tanks -- In this
option (see Figure 6-2), a single reinforced concrete building is
provided to house both the RWST and the AFWST. The building is sup-
ported upon a reinforced concrete base mat and has roof and walls 0.8
metre (2-1/2 feet) thick. An interior division wall between the tanks
is 0.6 metre (2 feet) thick. This design includes a hardened, pene-
tration-resistant door in each tank section. Each section is vented
in a manner similar to the previous option.
Reinforced Concrete Tank with Metal Liner -- This option, shown
in Figure 6-3, consists of vertical, cylindrical reinforced concrete
tanks lined internally with 1/4-inch stainless-steel plate. Each tank
has an internal diameter of 13.7 metres (45 feet) and a straight side
height of 10.7 metres (35 feet). The tanks are supported on rein-
forced concrete mat foundations which also constitute the tank bot-
tcnns. Wall and roof thickness is 0.6 metre (2 feet). Hardened pipe
penetration enclosures, similar to the first option, are provided
which also surround the tank manways. Penetration-resistant doors
provide access to the pipe penetration enclosures.
Costs -- The estimated costs for these three options are summa-
-
rized in Table 6-2. In order to compare these estimates with the
baseline, in which only the RWST serves a safety function, the as-
sumption has been made that the conventional tankage would require

Item
Excavation and
backfill
Concrete
Mat
Walls
Roof
Tank
Liner
Piping
Electrical
Door
Total, leas engineering
and contingency
Contingency, 10%
Total, less engineering
and escalation
Table 6-2
Cost Estimates for Design Alternative I.8:a
Hardened Enclosures for Makeup Water Tanks
Option 1 b
$ 16,600
option 2C Opt ion 3 d
$ 14,000 $ 10,200
'I+ is recognized that these cost estimates have uncertainties ap-
proaching factors of'2 or 3 and that they are in all probability
low. However, because all costs were estimated on a comparable
and conristent basis, the various designs can be reasonably com-
pared. All costs are in 1978 dollars.
b~ndividual reinforced concrete enclosures (2)
CRoinforced concrete building enclosing two tanks
'minforced concrete tank with metal liner (2)

excavation, a base mat, and tank. Thus, the baseline cost for two
tanka is approximately $1,900,000, which was used to estimate the cost
increases shown on Table 6-1.
Physically Separated and Protected Redundant Trains of Safety Equip-
ment
General -- As indicated earlier, it was convenient to combine two
1 design alternatives because locating the two new safety buildings on
opposite sides of the containment building also leads to separate
v penetration areas for the safety-related piping and electrical cables.
v
Basicall y, this design involves dividing the existing auxilrary
building into three separate buildings and bringing certain features
of the existing control building into the new auxiliary building. The
redundant engineered safety feature (ESF) equipment normally installed
in the auxiliary building is separated into two safety buildings, A
and B, while the remaining non-ESF equipment is located on a new.
smaller, auxiliary building. Also relocated to the new safety build-
ings are the Class 1E switchgear, diesel generators, batteries, and
other electrical equipment. An AFWST and an RWST, both of 1,514 m 3
(400,000 gallons) capacity, are located in each building and supply
suction to the ESF pumps in that building. Although this arrangement
results in the storage of more water than is required for design basis
events, cross-connecting piping between tanks of lesser capacity is
avoided, and the independence of the two safety buildings is
preserved.
Aa indicated, the modified plant is based upon the baseline stan-
dard p1ar.t. For ease of canparison, Figure 6-4 provides the basic
layout, and Figure 6-5 shows the modified layout. The expansion into
two separate safety buildings results in the allocation of a third
quadrant of the containment for piping and electrical penetrations
fran aafety building A. A full quadrant is still retained for con-
tainment equipment access. The location of the main ateam and feed-
water piping penetration area is unchanged. The relative location of
equipment in the safety buildings and modified auxiliary building has

CONTAINMENT BLDG.
TURBINE BLDG.
MAIN STEAMIFEEDWATER
PENETRATION AREA
AUXILIARY BLDG.
CONTROL BLDG.
DIESEL GENERATOR BLDG.
FUEL HANDLING BLDG.
HOT MACHIHE SHOP
RADWASTE BLDG.
SOLID RADWASTE STORAGE
0.
M-1: CONDENSATE STORAGE TAXK
M-2: REACTOR MAKEUP H20 STG. TANK
M-3: REFUELING H2D STG. TANK
Figure 6-4. Baseline Standard Plant

0
J
@
a CONTAINMENT ELM;.
PENETRATION AREAS
L@l
@ AUXILIARY BUILDING
@
(INCLUDES CONTROL ROOM)
0 @ HEALTH PHYSICS AREA, SHOWER
AND LOCKER ROOFIS
1-1
@ FUEL HANDLING BLDG.
@ RAOWASTE BLDG.
@ SOLID RAOWASTE STORAGE
@ "A" SAFETY EQUIPMENT BLDG.
"B" SAFETY EQUIPMENT BLDG.
@ "A" DIESEL GENERATOR BLDG.
@ "0" DIESEL GEhERATOR BLDG.
@ HOT MACHINE SHOP
T-1: REAC~OR MAKEUP HZO STG. TANK
Figure 6-5. Modified Plant Layout: Separated Safety Bui ldings
and Containment Penetrations
6-11

een preserved where possible, and floor elevation spacing is consis-
tent'with the baseline plant. The modified auxiliary building now
also contains the control room and the cable spreading rooms. Reloca-
tion of the control room and diesel generators essentially eliminates
the original control building. The levels of the control building
that housed health physics, locker and shower rooms, and miscellaneous
tankage have been relocated intact to the side of the modified aux-
iliary building. With the addition of several other functions, the
building itself becomes an access control building.
Description of the Structures -- The safety buildings are Seismic
Categ'ory I, reinforced concrete structures. Exterior walls and roof
thicknesses are a minimum of 0.6 metre (2 feet), and the buildings are
supported on 1.5-metre (5-foot) thick foundation slabs. Two vault-
type doors which offer penetration resistance equivalent to the walls
are provided for emergency escape in each safety building. Entrance
to the safety buildings is normally from the auxiliary building, where
two vault-type security doors at grade level provide separate access
to the respective safety buildings. The construction of the auxiliary
buildin; is similar to that of the safety buildings. Several levels
rrf one sai+ty building and tile auxiliary building are shown in Figures
6-6 throujhn6-9. Similar drawings for all levels of the modified
plant are included in Appendix G.
Piping crid Cable Rontinq -- One objective of this separation of
safety buildings is to locate the electrical cables and piping associ-
ated with m e train of ESF entirely within the building which houses
that train of equipment. This objective is accap? ~hed by establish-
ing dirc.%r: connections between the penetration rot and the safety
bufldir?q a d by locating the associated tankage, diesel generator, and
Clarb; 1% electrical equipment in the safety building. These arrange-
ment. eneure that each rafety building is independent and self-suffi-
cient. Becaure control cables must be routed to interconnect the
control roan and the logic and protection cabinets in each aafety
building, a cable tunnel is included in the design. This tunnel runs
beneath the lower floor of building A, beneath the main steam and

RECIRC. O
OVERHEAD
CDNTAlMNT
LCY-HEAD 51 P'WP
STAIRYAY
TO LEVEL
YATERTIWT
DOORS
Figure 6-6. Safety Building A; Elevation -- Grade Minus 26 Feet

Figure 6-7. Safety Building A; Elevation -- Grade
6-15, IS. \

opq
BORIC ACID
STORAGE TANKS .

NlllL AM
KUSS t'RC#
W R
LEVEL 0
LEVEL: GRADE MINUS 26 ft
120 h 6 In. c
t
Figure 6-8. Auxiliary and Access Buildings; Elevation -- Grade
Minue 26 Feet
J

.. .
2 (ft I
. . .'._
.
,,
.
.,
' . , ..
. ,
5 :.. .;:, , .
...
CABINETS
.EYLL: WUDE PLUS 47 f1
,., . .:. ..,
CONTAINMENT
Figure 6-9. Auxiliary and Access Buildings; Elevation -- Grade
6, ." ' . Plus 47 Feet
6-19,ZO

auxiliary feedwater piping penetration area, and then beneath safety
building B and the auxiliary building. Vertical chases in the safety
buildings and auxiliary building connect to the tunnel. Control ca-
bles from building A are routed through the tunnel and up the vertical
chase in the auxiliary building to the upper cable spreading room.
The vertical chase is closed and fire protected and is accessible only
at the zero level (ground level) and the cable spreading room. Con-
trol cables from building B pass directly to the lower cable spreading
room,which has two areas, one for the I3 building safety cables, the
other for nonsafety and operating equipment cables.
Personnel Access - -- Personnel access to the auxiliary building is
at level zero from the adjacent access control building. There is
direct access to safety building B at this level via a controlled
door. In order to maintain separation between safety buildings, there
is no direct access to building A from building B. Access to building
A is also from level zero of the auxiliary building via the cable
chase and tunnel described above. Again, access is via a controlled
door.
Additional Equipment -- The separation and rearrangement of the
plant have resulted in a requirement for some additional equipment.
This includes
1. High-head safety injection pumps. One pump, identical to the
existing centrifugal charging pump, is placed in each safety
building. Thus, equipment required for routine operation
(e.g., charging pumps) can be located within the auxiliary
building, which has relatively easy access, and this equip-
ment is not required to serve a dual role (e.g., charging and
high-pressure safety injection). This arrangement also main-
thins ESF piping entirely within the safety buildings.
2. Boron injection tank (BIT). An additional BIT and associated
tanks and pump are provided to ensure the functional and
physical independence of each safety building.
3. RWST. A second RWST is provided to maintain functional
independence between safety buildings. Two half-size tanks

were considered, but their inclusion would require cross-
connecting piping, which could potentially compromise the
independence of each train.
Turbine-driven auxiliary feedwater pump. A second turbine-
driven auxiliary feedwater pump has been added to provide the
two ESF trains with equal and independent protection capa-
bility.
AFWSTs. In some current designs, one safety-related AFWST is
provided: however, the separation of ESF trains requires an
additional tank. In the SNUPPS plant, normal suction for
auxiliary feedwater pumps.is from the condensate storage tank
with an alternate, hard-piped source from the safety Class 3,
Seismic Category I, essential service water system. In this
instance, the modified design leads to a requirement for two
additional tanks.
Component cooling water heat exchanger, circulating pumps,
and surge tank. One set of this equipment is located in each
safety building to serve the RHR heat exchanger and the
bearings and/or seals of the various ESF pumps. An addi-
tional component cooling water system is provided for non-ESF
equipment in the auxiliary building. This latter system
serves the letdown heat exchanger, reactor coolant pumps,
spent fuel pool heat exchanger, and other routine loads.
Additional details and specifications for these equipment items
are provided in Appendix G.
- Costs -- The estimated costs associated with the modified layout
are ahown in Tables 6-3 through 6-5. In developing these cost estimates,
attention was focused only upon those features which were
different between the baseline and the modified layout. That is, no
'attompt wa8 made to estimate costs for the entire plant. Therefore,
a8 indicated in Table 6-5, it would cost an additional $16,000,000 to
provide the meparation and protection of redundant trains compared to
the baeeline SNUPPS plant. For excavation and structural work, quan-
titier of materials are based upon the arrangement drawings for the

Table 6-3
Cost Estimates for Structurear Safety Buildings
A and B, Auxiliary Building, and Related Reference Plant Buildings
Coat
Item of Work Buildings A and B Auxiliary Bldg. Reference Plant
Substructure
Excavation and backfill $ 2,436,000
Concrete 3,876,000
Structural steel 520,000 210,000 356,000
Superstructure
Concrete
Steel
Total
(less engineering $14,078,000 $10,638,000 $16,718,000
and contingency)

Table 6-4
Cost ~stimates for. Equipaent and Services
for Wified Plant Layout
Equipment
High-head safety injection pumps
Boron injestzon system
Water storage tanks
Turbine-drive auxiliary feed pump
Component cooling water System
Installation costs (equipaent)
Piping (installed)
Electrical equipent (installed)
-
Total (equipment)
Services
Special doors
Heating, ventilation, and air-conditioning (HVAC)
Plumbing, fire protection. etc.
Total (services)
-
Total

Table 6-5
Cost Comparison of Modified Plant versus Reference Plant
Item of Work
Substructure*
Excavation and backfill
Concrete
Structural steel
Superstructure*
Concrete
Structural steel
Additional Equipment and Services
Equipment
Services
Total cost increase
(less engineering and contingency)
101 contingency
Total cost increase
(less engineering)
Based on information in Table 6-3.
Cost Increase

modified plant (see Appendix G) and equipnent location drawings for
the reference plant (Reference 14). Preliminary structural design
engineering was applied where necessary to determine wall and slab
thicknesses and structural member sizing. Material costs include
construction, concrete, concrete formwork, reinforcing steel. and
finishing of concrete surfaces. The cost for the access tunnel has
been distributed equally among the safety buildings and the auxiliary
building. Equipnent costs were obtained from vendor quotations based
upon the specifications outlined in Appendix G. Tank costs include
erection, but other equipnent installation costs are included as a
separate item. Piping and electrical costs take int~ account in-
creased piping and cable runs that result from the altered plant
arrangement. The increased costs for heating, ventilation, and air-
conditioning (HVAC), plumbing, and fire protection are based upon the
increase in building volume for the modified design.
Hardened Decay Heat Removal System
General -- ??rere are several alternative ways to implement a
hardened DHRS: however, there are a number of common features which
any alternative should possess (see Appendix Dl. Some of th-se
features are
Location in hardened buildings or structure complete
with power, water, and controls.
Manual activation From local control panel.
Independence from the remainder of the plant when
operating.
Design for removal of decay heat from an LWR in hot
shutdown for a specified period of time without operator
intervention.
Design to continue decay heat removal ~ ~ d manual e r
control beyond automatic operation period.
Design for transfer to conventional RHR system
operation.
Dedication for use only in extreme emergency.
Provision for isolation of fluid lines as required.
Noninterference with operation of other ESF.

The design chosen for development and for estimating cost Jses
electric power for its operation. Power is supplied by a diesel gen-
erato? located, with the remainder of the equipment required for the
system, in it hardened building. Heat is removed from the reactor by
supplying emergency feedwater to the secondary sides of the steam gen-
erators, where it absorbs heat from the primary coolant. The steam
generated is discharged to the atmosphere. Natural circulation pro-
vides primary system flow, and a charging pump is provided for- primary
system inventory control. Primary system pressure is maintained by
pressurizer heaters. Heat loads associated with the diesel generator
md other mechanical equipment are transferred to the atmosphere by an
air-cooled heat exchanger. A pipe tunnel connects the h-afdened decay
heat removal building with the containment. The system is a single,
100% system without redundancy or single-failure capability. The
design period of unattended operation is 10 hours.
Figure 6-10 is a preliminary piping diagram for the feedwater and
charging portions of the hardened DHRS, and Figure 6-11 presents the
general arrangement of equipnent within the building. A brief de-
scription of system operation and a discussion of the equipment struc-
ture and costs follow.
Operation of the DHRS -l Actuation of the hardened DHRS is manual
from either the main control room or locally within the hardened
building. Manual actuation has been selected because it is believed
that the plant operators can best make the judgment that a sabotage or
other emergency exists which requires the use of the hardened DHRS.
Manual actuation also eliminates the need for sensing plant parameters
for automatic actuation signals, thereby reducing the number of inter-
faces between the hardened DHRS and the remainder of the plant.
Reducing the number of interfaces in turn reduces potential sabotage
vulnerabilities associated with such interfaces.
Actuation of the hardened DHRS results in a reactor trip, isola-
tion of fluid lines, trip of normal electrical feed to the hardened

qp
PRESSURIZER

In, 5 m
I (2 in)
j PIPING C010(ECTIOnS ARE TYPICAL
,, 6 cn
LEVEL CCWTROL *" (2-112 in!
VALVE
MRGEkCY CHARGiNG
FWP. 3.2 m3/min (50 gpn)
Figure 6-10. Preliminary Piping Diagram, Hardened Decay Heat Removal
System -- Feedwater and Charging Portion

DHRS, startup of the diesel generator, sequencing of loads onto the
4-kV bus, and alignment of reactor pump seal leakoff to the borated
water storage tank.
The successful operation of the hardened DHRS (Figure 6-10) re-
quires an intact reactor coolant pressure boundary. It is therefore
assumed that this pressure boundary is not affected by an act of sab-
otage and that the containment structure and containment access con-
trols provide the required protection for the reactor coolant system
(RCS). It is also assumed that the reactor has scrammed and that,
consequently, the heat loads on the hardened DHRS are only those as-
sociated with the decay of fission products and removal of sensible
heat. In sabotage analysis, it is usv~ally assumed that normal ac
power is unavailable, so that the reactor coolant pumps are not oper-
ating. Thus, an intact RCS is a condition for establishing the nat-
ural circulation of reactor coolant to transport heat from the fuel to
the steam generators.
The function of the charging portion of the hardened DHRS is to
maintain reactor coolant inventory, thus preserving the natural circu-
lation heat transport capability. The level in the pressurizer pro-
vides the control signal for this function. Although all fluid lines
not required for operation of the hardened DHRS system are isolated
upon the actuation of the DHRS, some leakage of reactor coolant will
inevitably exist. Typical technical specifications for the total of
identified and unidentified leakage from an RCS are a maximum of
-4 3
7.6 x 10 m /s (12 gpm). In addition, a total flow of
7.6 x 10'~ m3/s (12 gpm) from the reactor coolant seals is maintained.
The 3.2 x 10'~ m3/s (50-gpm) capacity of the charging pump should
therefore be adequate to control primary system inventory under both
constant temperature and cooldown conditions. An auxiliary spray line
from the charging system piping to the pressurizer is provided for
assisting the pressurizer heaters in maintaining primary ststem
pressure.
The borated water storage tank has been sized at 114 m3 (30,000
gallons), providing sufficient water to compensate for shrinkage of

the RCS volume for a system cooldown to 177.C (350.F). This capacity
also provides for replacing RCS leakage over the design period of un-
attended operation (10 hours). A fill line to the tank permits re-
filling after this period. A 4% by weight boric acid solution has
been estimated to be sufficient to compensate for the reactivity ef-
fect of cooling down the RCS.
The emergency feedwater storage tank has been sized at 757 m 3
(200,000 gallons), sufficient to provide approximately 10 hours of
decay heat removal with the reactor coolant system maintained in a hot
shutdown condition (reactor subcritical, control rods inserted, and
reactor coolant pressure and teniperhture at no-load values). The
electric-motor-driven emergency feedwater pump takes suction from the
emergency feedwater storage tank and delivers feedwater to the four
ateam generators through individual feedwater control valves. Steam
from the steam generators is discharged to the atmosphere through one
eteam dump valve on each generator. These valves are dedicated for
use exclusively with the hardened DHRS. The valves have adjustable
setpoints to permit cooldown of the RCS by operator action after the
design period of unattended operation. As in the case of the borated
water storage tank, the emergency feedwater storage tank may also be
replenished after this period.
Electrical power is normally supplied from one of the Class 1E
4-kV buses. Upon actuation of the hardened DHRS, this feeder is
tripped, the DHRS diesel generator is started, the DHRS bus is reener-
gized by the diroel generator, and the system and necessary house-
keeping loads are sequenced back onto the bus. Fuel for the diesel
generator is stored in a day tank in the hardened decay heat removal
building with provision for circulation during storage. The quantity
of fuel stored is sufficient for at least the design period of un-
attended system operation plus some margin. After this period, the
tank can be replenished fra other supplies of fuel oil on site. The
dieael engine is started in the conventional manner by compressed air
stored in a starting air tan7:. A starting air compressor located in
the hardened building maintains pressure in the starting air tank.

The compressor also supplies control and instrument air for the DHRS.
This air is processed through filters and dryers.
The auxiliary cooling system is a closed system that serves the
diesel generator oil and jacket-water coolers, seal leakoff cooler,
and other components such as pump bearings and seals. An air-cooled
heat exchanger transfers the heat absorbed by the water to the atno-
sphere. The heat exchanger fans provide a forced flow of air through
the heat exchanger tube bundle. A cooling-water pump circulates
cooling water between the air-cooled heat exchanrjer and the components
served by the system. A head tank is provided for pressure and inven-
tory control.
Description of the Structure -- Because this is seen as a "last
ditch" emergency system, the hardencd DHRS building is a Seismic Cate-
gory I, reinforced concrete structure on a reinforced concrete base
mat foundation. Figure 6-11 shows the general arrangement of the
structure and equipment. Most of the equipment is located at approxi-
mately grade level. Thn cooling-air inlet and discharge ducts are of
reinforced concrete cot struction and are integral with the main struc-
ture of the building. The openings into these ducts are protected by
a heavy steel grillwork. Additional protection is afforded by the
height of the openings above grade. An air-supply fan lxated on the
intermediate level and taking suction from the inlet air duct furnish-
es air for diesel engine combustion and building ventilation. ?It0
vault-type doors, one at each end of the building, provide access for
personnel and light equipment. The penetration resistance of these
doorr against explosives is equivalent to that of the concrete walls
in which they are installed. The hardened building is located in the
plant yard at an assumed distance of 46 metres (150 feet) from the
containment building. An underground tunnel connects the containment
penetration area with the hardened decay heat remc.al building. The
tunnel carries piping and electrical conduit between these two
structurer.
Equipment List -- The preliminary specifications for major equip-
ment itamr required for a hardened DHRS are detailed in Appendix G.

These specifications served as a basis for the equipment costs. The
major equipment items are
Diesel generator, 1,700 kW
3
Feedwater pump, 0.08 m /s (1,200 gpm)
-3 3
Charging pump, 3.2 x 10 m /s (50 gpm)
5 6
Seal leakoff cooler, 5.9 x 10 watts (2 x 10 BTU/~)
Cooling water recirculation pump
Air-cooled heat exchanger, 1.6 x lo6 watts (5.5 x lo6 BTU/h)
Diesel starting air equipment 3
Cooling-water head tank, 2.5 m (650 gal)
3
.Feedwater storage tank, 757 m (200,000 gal)
3
Borated water storage tank, 114 m (30,000 gal)
Diesel generator auxiliary equipment
Electrical switchgear and motor control center
Battery and charger
- Costs -- The costs for the hardened DHRS are summarized in Tables
6-6 and 6-7. Approxir ltely 60% of the cost associated with this system
is attributable to equipment and its installation. Although the
building is not large, the heavy cost in concrete is due to the mas-
sive nature of the walls and roof. The costs associated with the
hardened DHRS are slightly more than half of the additional costs
associated with the revised plant layout.
Additional Isolation of Low-Pressure Systems
General Discussion -- Table 6-8 lists the containment-penetrating
piping connections to the reactor coolant pressure boundary for a typ-
ical four-loop PWR. This table is based upon the reference plant to
the extent that information was available in the preliminary safety
analysis report (PSAR). Supplemental information from other plants
has also been used. Several of the connecting systems have design
pressures lesa than that of the RCS. These connecting systems are
items 1 through 7. However items 2, 4, and 5 are incming lines that
are automatically isolated by check valves inside containment. This
automatic isolation is considered adequate protection for these
pipelines.

Table 6-6
Cost Estimates for Hardened Decay Heat Removal System
Item of Work
Substructure
Excavation
concrete
Superstructure
Concrete
Steel
process equipment
Mechanical
Piping and containment penetrations
Electrical (equip., control, penetration)
Building services
Special doors
, HVAC
Plumbing, fire protection, etc.
Total cost
(less engineering and contingency)
Contingency at 10%
Total cost
(less engineering and escalation)
Cost

Table 6-7
Cost Estimates for DMRS Equipment
Item
Diesel generator
Feedwater pump
Charging pump
Seal leakoff cooler
Cooling water recirculating pump
Air-cooled heat exchanger
Cooling water head tank
Diesel starting air equipment
Feedwater storage tank
Borated water storage tank
Diesel generator auxiliary equipment
Installation
cost
$ 800,000
565,000
220,000
400,000
13,000
63,000
5,000
25,000
500,000
lO6,OOO
20,000
420,000
Piping and containment penetrations
Electrical switchgear and MCC*
Battery and charger
115,000
28,000
Installation 36,000
Wiring and containment penetrations 172,000
Total
- *MCC motor control center
$5,075,000

Table 6-8
Piping Connections to Reactor Coolant Pressure Boundary
RHR supply from hot legs
RHR return/low-head safety injection to cold legs
Safety injection from boron injection tank
Safety injection pumps discharge to cold legs
Safety injection pumps discharge to hot legs
Chemical and volume control letdown
Chemical and volume control excess letdown
Chemical and volume control charging
Chemical and volume control seal injection
Auxiliary spray-pressurizer
Loop sampling lines
Pressurizer sampling lines
Overpressure rupture of the high-pressure connections (3 and 8
through 12) is not a concern. However, postulated sabotage (breakage)
of this piping outside of containment would require isolation to pre-
vent loss of reactor coolant. This is achieved autaatically by check
valves inside containment for isolating lines 3, 8, 9, and 10. The
small-diameter sample lines (11 and 12) are the only high-pressure
lines that require active isolation. The existing redundant and
diverse provisions now existing are considered adequate.
In summary, only the RHR supply, the chemical and volume control
letdown, and excess letdown require additional consideration to assure
their isolation from the reactors.
RHR Suction Piping -- Several techniques can be proposed to
prevent the unauthorized opening of the valves isolating the auction
piping of the RHRS from the RCS. These methods involve use of elec-
tric motoro of limited torque capability in the valve operators, use
of torque release couplings in the valve operator gear train, or use
of an additional torque switch. All of these devices could be, and

tical problems associated with their use. One is that the opening
torque for a gate valve is not a strong function of differential
pressure across the valve. Also, the opening torque is highly vari-
able depending upon valve cleanliness and lubrication. Therefore,
some difficulty has been experienced in reliably setting the torque-
limiting devices.
Normal and Excess Letdown -- Relief valves protect this piping
. . against . rupture by overpressuresin the event that downstream valves
are closed, all flow is blocked, and isolation cannot be effected.
Loss of fluid from the RCS will occur as the result of liftinq relief
valves, although the fluid will not be discharged outside of containment.
(Closing the flow path downstream of the letdown pressure
control valve will result in one relief valve discharging to the
volume control tank. However, this water will be returned to the RCS
by the charging pump.) Breakage nf this piping outside containment,
coupled with denial of the abili', go isolate the lines, will result
in a small losa of reactor coolant vutside containment. To prevent
loss of reactor coolant and potential release of radioactivity, it is
important that the ability to isolate this piping be preserved.
Since the isolation valves are located within containment, it is
assumed that the valves themselves do not sustain sabotage damage.
Rather, the inabrlity to close the valves is assumed to be caused by
sabotage of the control circuits or of the actuating power for the
valves.
The exceas letdown is a small-diameter (1-inch nominal pipe size
pipeline. The three, air-operated isolation valves are fail-closed
type. lko motor-operated valves, one inside containment, provide a
diverse means of isolating the portion of piping ou~,~de containment.
BeCaU8e this piping ie not normally in use and t.he isolation valves
are normally closed, any additional steps t> isolate the excess let-
down line are probably not warranted.

I
The normal letdown piping, being of larger diameter (3-inch nomi-
nal pipe size) than the excess letdom piping, represents a greater
concern with respect to breakage by sabotage. Isolation provisions
include two remote, manually actuated, fail-closed, air-operated stop
valves within containment, one manual stop valve inside containment,
and two air-operated, fail-closed containment isolation valves, one of
which is inside containment. Two separate acts of sabotage would be
required to deny the ability to isolate the normal letdown line, one
directed at the remote, ma&al stop valves, the second at the contain-
ment isolation system, which can be manually actuated. Additional
assurance of the capability to isolate the normal letdown line can be
achieved by providing an additional three-way solenoid valve in one
(or both) of the actuating air lines to the remote, manual, air-
operated stop valves. These additional solenoids are normally ener-
gized at all times and have no function during normal operation. The
solenoids are energized from a special, locked, distribution panel
located in the control room area. A third sabotage act, directed
against a third and independent target, is then required to prevent
isolation. To make use of this extra protective feature, the operator
deenergizes the solenoids at the distribution panel. This results in
closing the air supply to the valve diaphragms and permitting the ex-
haust of air from the diaphragms. The valves are then closed by
stored spring energy. Failure (deenergizing) of the additional sole-
noids does not have any effect on plant operation different from
failure of the existing ones (i.e., the Line isolates).
Costs -- Because the costs for the alternative are believed to be
relatively small, detailed cost estimates have not been prepared.
However, an approximate idea of these costs was obtained. In the case
of the RHR suction piping isolation valves, the cost of modifying the
valve operators to incorporate an additional torque switch or torque
release coupling is estimated to be $3,000 each. For four operators,
this wuld amount to $12,000. There will be additional costs for
engineering to ensure repeatability of performance of the torque
devices. Seismic qualification costs may also increase. It may be
estimated, therefore, that the cost of valve operator modifications ia

less than $50,000 per plant. Additional three-way solenoid valves for
the letdown line isolation valves probably would not cost more than
$100 to $200, although no actual costs have been obtained. Consider-
ing costs for installation, cable, and distribution panels and assum-
ing availability of spare connections in the complement of containment
penetrations normally provided for the reference plant (i.e., addi-
tional containment penetrations are not required), the installed cost
for this option should not exceed $10,000 to $50,000. Therefore, the
total cost for this design alternative is estimated to be, at most, on
the order of $100,000.

7. PHYSICAL PROTECTION SYSTEH
The primary objective of this study is to examine the effect of
plant design on resistance to sabotage. However, the examination must
take into consideration tjle physical protection system being employed.
Because the baseline plant is not yet complete, the ,,actual physical
protection system has not been defined. Therefore, for purposes of
this study, the requirements of 10CFR73.55 (Reference 25) are outlined
and a physical protection system consistent with those requirements is
postulated for the baseline plant. It should be noted that the physi-
cal protection system postulated is based upon the authors' interpre-
tation Of the requirements of 10CFR73.55 (Reference 25), and it has
not been subjected to the NRC review and approval process. Insofar as
possible, the same level of physical protection is provided for the
design alternatives; that is, the physical protection is held con-
stant. Subsequent sections out1,ine the requirements
cation to the baseline and alternatives.
Physical Protection Requirements
The requirements for physical protection at nuc
and their appli-
ear power reac-
tors are spellm' lt in lOCFR73.55 i rtef arence 25). In general, li-
censees are required to provide onsite physical protection against a
determined, violent, ex ornal assault, an attack by stealth, or decep-
tive actions of several persons: or an internal threat of one insider
including an employee in any position. The external throat is con-
aidered to have the following attributes%
1. Well-trained and dedicated people,
2. Inside assistance,
3. The availability of suitable weapons, and
4. The availability of necessary, hand-carried equipment and
tools.

To meet this threat, licensees are required to have a security organi-
zation with appropriate management onsite at all till~rs: the security
organization must include qualified armed guards with written operat-
ing procedures.
In addition, all vital areas are to be within a protected area so
that passage through at least two barriers is required to reach each
vital area. The protected area will be separate from but will contain
the vital area, with an isolation zone kept clear and monitored. All
employee parking is to be outside the protected area, and exterior
lighting will provide at least 0.2-footcandle illumination. The reactor
(plant) control room must be bullet resistant and have provisions
for locking the entrances. Access to the protected area will be controlled
by positive identification, that is, picture badges, and
seaarching. Entry into vital areas will require special .~uthorization,
a ~ ~ positive d personnel controls will be instituted during any refueling
operations. Intrusion detection alarms will annunciate in a continuously
manned central station that is bullet resistant, not visible
fran the isolation zone, and has no other functions that could inter-
fere with response to alarms. All detection systems are to be tamper
indicating and self-checking, with provisions to in3icate when they
are on standby power. As a minimum, the alarm will indicate the type
and location of intrusion. An alternate alarm station, not necessar-
ily onsite, must at least be advised that intrusion has occurred. All
emergency exits will be alarmed. Each guard is to be in continuous
contact with the alarm station. The central alarm station will have
telephone and radio contact with offsite law enforcement agencies in
order to obtain any required assistance. Onsite guards will respond
immediately to neutralize any threat, acting in accordance with appli-
cable laws. The use of closed circuit television (CCTV) is encouraged
to minimize exposure of security personnel. These requirements are
summarized as follows r
1. Qualified armed guards,
2. ~ences/barriers.
3. Lighting (0.2 footcandle),
4. Intrusion detection alarms (interior and exterior),

Secure central alarm station,
Locks,
Secure access control point,
Secure reactor (plant) control room,
Personnel control,
Communications,
Security: training, equipment, and procedures, and
CCTV (optional).
Application of Security Requlrements to Baseline Plant
Because the physical protection system is not the principal focus
of this study, no attempt has been made to design physical protection
in terns of specific items of equipment and costs. Rather, the known
attributes of typical components 29'30 have been used to select appro-
priate parameters.
Exterior Intrusion Detection -- The protected area is surrounded
by a perimeter fence with fence-mounted or microwave intrusion detec-
tion systems. The relationship of the fence and buildings is shown in
Figure 7-1. The detection systems are assumed to have a detection
probability for unauthorized entry of 0.9. There is a roving guard
patrol at randa times, at least twice per shift. In addition, CCTV
coverage of the protected area is provided by five pan-tilt cameras
such that the entire perimeter is viewed at least every 15 minutes in
a randa pattern. Because both the guard patrol and the CCTV scan are
randan, and because they could detect an intruder away from the fence,
the net effect is an increase in the detection probability. For
purposes of the analysis discussed later, a combined detection proba-
bility (Pd) of 0.92, including fences, guards, and CCTV, is assumed.
Exterior doors on the control building, auxiliary building, spent fuel
building, and containment are also alarmed. However, using the cur-
rently available magnetic switch alarms, ir~trusion will only be de-
tected if the door is opened. The detection probability under these
circumstances is 0.95. The locations of ground-level locked and
alarmed (Pd a 0.95) exterior doors are shown in Figure 7-2. Note that
exterior doors to the turbine hall are not locked and alarmed but that

A
KEY
4
- A
A DOORS AT GRADE LEVEL
- A
CONTROL BLDG.
A
1-
Q "
AUXILIARY BUILDING
I *
-
A
AUXILIARY FEEDWATER
1 PUMP ROOMS
SPENT
FUEL
BLDG.
A I
I
'DIESEL GENERATOR
@ DOORS INTO TURBINE HALL
EMERGENCb EXIT
Figure 7-2. Locations of Exterinr Locked and Alarmed Doors
5

I is
doors between the turbine hall and the auxiliary building are locked
and treated essentially as exterior doors. Access doors to the rad-
waste building are not alarmed.
Interior Intrusion Detection -- In applying intrusion detection
to the interior compartments of the plant, the approach has been to
place locked, alarmed do?rs on the entrances to compartments contain-
ing vital equipment and major plant operating equipment. Again, these
door alarms are the magnetic switch variety. Figures 7-3 through 7-8
show the locations of the interior locked and alarmed doors.
Exterior Barriers -- The fence surrounding the plant is assumed
to be AWG No. 11 chain link topped by three strands of barbed wire.
For purposes of subsequent analyses, a penetration time of 30 seconds
assumed. The exterior doors (Figure 7-2) in the diesel generator
compartments and containment emergency exit are assumed to be 3/8-inch
steel, exit-only, with a penetration time of 2 minutes. The door to
the auxiliary feedwater pump rooms is a watertight door with a pene-
tration time of 50 seconds. The two doors from the turbine hall to
the auxiliary building are standard doors with card-reader access con-
trol and an assumed 1-minute penetration time. There are two roll-up
truck doors, one to the auxiliary building and one to the spent fuel
building, which have a penetration time of approximately 2 minutes.
The remaining doors are standard type with card-reader access, having
an assumed penetration time of 1 minute. Exterior doors to the rad-
waste building and auxiliary steam boiler are locked but not alarmed.
The types of exterior barriers and the assumed characteristics are
summarized on Table 7-1.
Interior Barriers -- Interior doors are of two principal types,
watertight doors on aafety-related pump compartments and standard
ateel doors on other compartments. The location8 of these doors are
shown in Figures 7-3 through 7-8. It should be noted that unlocked
doors are not included. In general, key locks were assumed for those
compartments which do not appear to require frequent routine access.
Key-locked, standard doors have a 1-minute penetration time, and

RADUASTE
KEY
UATER: IGI{I DOOR: KLY LOCKLUIALARMEO
0 STANDARD DOOR: CARD HEADLRIALARMED
B STANDARU DOOR: KEY LOCKEDIALARMLD
I
Lull I nu
LSF PUHP BUILD1
COMPARTMCNTS7 I I
r12Jaa3
AUXILIARY BUILDING
CONTAINMENT
Figure 7-3. Locations of Interior Locked and Alarmed Doors;
Elevation -- Grade Minus 26 Feet

Figure 7-4.
Locations of Locked and Alarmed Doors;
Elevation -- Grade Minus 16 Feet

. . , . ,
\ KEY
0 STANDARD DOOR: CAR0 READERIALARMLD
Figure 7-6. Locations of Interior Locked and Alarmed
Doors; Elevation -- Grade Plus 15 Feet
0
7
,, ., .,. . . , , . ,.
t
$

,,.'
Table 7-1
Characteristics of Exterior Barriers*
Penetration Detection
Type (Number) Time, min Probability
Fence 0.5 0.92
Watertight doors (1) 0.8 0.9
Roll-up truck doors (2) 1.9 0.95
Standard doors
with card readers (10)
Standard doors
with key lock (6)
3/8-inch steel, exit-only door (3) 2.0 0.95
The values cited are nominal values. In the subsequent
analysis, a distribution of values about this nominal
value is sampled.
watertight doors have about a 50-second penetration time. Card-
reader-controlled, standard doors were used on compartments (and pas-
sageways) where frequent access apparently would be required, although
the adversary penetration time is still 1 minute. The types of in-
terior barriers and the assumed characteristics are summarized in
Table 7-2.
Guards -- A sufficient number of guards is assumed to be on duty
to carry out the access control, patrol, vjqitor escort, and alarm
response functions. The number of ~ards will be between 5 and 10
based upon usual industry practice. Because the subsequent effective-
ness analysis does not examine guard/adversary encounters, the exact
number is not critical. It is assumed, however, that guards not on
patrol or escort duty are avnilable at the guard house.
Application of Security Requirements to Design Alternatives
The three principal design alternatives which have been carried
to the conceptual design stage have differing impact6 upon physical
mecurityr therefore, each option is discuased separately.

Table 7-2
Characteristics of Interior Barriers*
Penetration Detection
Type (Number) Time, min Probability
Watertight doors (17) 0.8 0.9
I I Roll-up truck doors (1) 1.9 0.95
Standard door
with card reader (53) 1.0
Standard door
with key lock (16) 1.0 0.95
Personnel airlock
(containment) (1) . .f 10 0.95
Containment emergency
escape hatch (1)
* The values cited are nominal values. In the sub-
sequent analysis, a distribution of values about
this nominal value is sampled.
Hardened Enclosures for Makeup Water Tanks -- Because this alter-
native adds only additional structure to the existing tanks, the main
result will be the addition of barriers that cause increased penetra-
tion time and an increased probability of detection. Each enclosure
is presumed to have an access door with penetration resistance equiva-
lent to the surrounding walls. The increased cost associated with
such doors is included in the design costs.
Physically Separated and Protected Redundant Trains of Safety
Equipment -- As noted previously, this design option essentially
replaces the baseline plant control and auxiliary buildings with two
safety buildings and a modified auxiliary building.
Exterior Intrusion Detection. There is essentially no change
from the baseline plant'. The protected area is surrounded by a
perimeter fence with fence-mounted or microwave intrusion detection
system. The relationship of the fence and buildings i8 shown in
Pigure 7-9. Again, the intrusion detection probability is 0.9. As

with the baseline plant, there is a roving patrol and CCTV coverage
such that the combined detection probability--fence, guards, and
CCTV--is estimated to be 0.92. Exterior doors on the auxiliary build-
ing, safety buildings, the access control building, containment, and
the spent fuel building are alarmed. Again, use of available equip-
ment is presumed so that Pd = 0.95 if the door is opened. The loca-
tions of ground-level, locked and alarmed, exterior doors are shown in
Figure 7-10. Again, exterior doors to the turbine hall are not locked
and alarmed, but any access to the containment penetrations from the
turbine hall are treated essentially as exterior doors. Access doors
to the radwaste buildings are not alarmed.
Interior Intrusion Detection. As with the baseline plant, in
applying intrusion detection to the interior compartments, locked and
alarmed doors have been assumed for compartments containing vital
equipment and major plant operating equipment. Door alarms are the
magnetic switch variety. Figures 7-11 through 7-15 show the locations
of the interior locked and alarmed doors.
Exterior Barriers. A duplicate of the design in the baseline
plant, the site fence is assumed to be AWG No. 11 chain link topped by
three strands of barbed wire: the fence has an assumed penetration
time of 30 seconds. The emergency exit doors on the safety buildings
and diesel canpartments are vault-type doors, exit-only, with a pene-
tration time of 10 minutes. The containment emergency exit is assumed
to be a 3/8-inch steel, exit-only door with a penetration time of 2
minutes. The door from the access control building to the auxiliary
building is a controlled portal with a penetration time of 1 minute.
There is one roll-up truck door in the spent fuel building, with a
penetration time of approximately 2 minutes. The remaining doors are
standard type with card-reader access and assumed penetration time of
1 minute. Exterior doors to the radwaste building and auxiliary steam
boiler are locked but not alarmed. The types of exterior barriers and
the assumed characteristics are summarized in Table 7-3.

Figure 7-10. Locations of Exterior Locked and Alarmed
Doors for Alternate Design

KEY
'ENGINEERED SAFETY FEATURE
WATERTIGHT DOOR: KEY LOCKEDIALARMED
0 STANDARD DOOR: CARD READERIALARMED
STANDARD DOOR: KEY LOCKEDIALARMED
. -.
-..
Figure 7-11. Locations of Interior Locked and Alarmed Doors for
Alternate Design; Elevation -- Grade Minus 26 Feet
AUXILIARY
FEEDWATLa
PUMP

KEY
HATCH
.
.
@ DOOR INTO ACCESS CONTROL BUILDING
X VAULT DOORS TO SAFETY BUILDINGS
0 STANDARD DOOR: CARD READERIALARMED
STANDARD DOOR: KEY LOCKEDIALARMED
Figure 7-12. Locations of Interior Locked and Alarmed
Doors for Alternate Design; Elevation --
Grade (Exterior Doors Not Shown)
/

KEY
0 STAnDARD DOOR: CARD READER/ALARMED u
STANDARD DOOR: KEY LOCKED/ALARMED
X VAULT DOORS TO SAFETY BUILDINGS
Figure 7-13. Locations of Interior Locked and Alarmed
Doors for Alternate Design; Elevation -- Grade
PIUS 26 Feet
C
-

KEY
0 STANDARD DOOR: CARD READERIALARMED
STANDARD DOOR: KEY LOCKED/ALARMED
0 CONTAINMENT AIRLDCK
Figure 7-14. Locations of Interior Locked and Alarmed
Doors for Alternate Design: Elevation -- Grade
Plus 47 Feet

KEY
fl STANOAR0 DOOR: KEY
Figure 7-15. Locations of Interior Locked and Alarmed
Doors for Alternate Design: Elevation -- Grade
Plus 73 Feet

Table 7-3
Characteristics of Exterior Barriers -- Alternate Design*
Type (Number)
Fence
Roll-up truck door (1 )
Standard doors
with card reader (4)
Standard doors
with key lock (5)
3/8-inch steel, exit-only door (3)
Vault-type, exit-only door (4)
Penetration
Time, min
0.5
The values cited are nominal values. In the subsequent
analysis, a distribution of values about this nominal
value is sampled.
Detection
Probability
0.92
0.95
0.95
0.05
0.95
0.95
Interior Barriers. Like those of the baseline plant, the interior
doors of this design option are of two principal types--watertight
doors on safety-related pump compartments and standard ateel
doors on other compartments. The locations of these doors are shown
in Figures 7-11 through 7-15. Unlocked doors are shown simply as an
opening in the wall. Key-locked doors with a 1-minute penetration
time were assumed for zompartments not requiring frequent access.
Card-reader-controlled doors with an assumed penetration time of 1
minute were used where access is frequent. The watertight doors have
approximately a 50-second penetration time. The types of interior
barriers and the assumed characteristics are summarized in Table 7-4.
Guards. Coments made earlier for the baseline plant are also
applicable here.
Hardened Decay Heat Removal System -- This alternative involves
the addition of a hardened building to house a DHRS. The physical
protection system will be the same as that postulated for the baseline
plant, except for the addition of two alarmed, vault-type, exterior

Table 7-4
Characteristics of Interior Barriers -- Alternate Design*
Type (Number)
Watertight doors (16)
Standard door
with card reader (28)
Standard door
with key lock (19)
Personnel airlock
(containment) (1 )
Vault-type doors (4 )
Containment emergency
escape hatch ( 1 )
Penetration
Time, min
0.8
1.0
1.0
10
4.0
1.0
Detection
Probability
0.9
0.95
0.95
' 0.95
0.95
0.05
The values cited are nominal values. In the subsequent
analysis, a distribution of values about this nominal
value is sampled.
doors on the hardened building. These doors are assumed to have a
penetration time of 4 minutes with a 0.95 probability of detection.
This penetration time is less than that for exit-only doors because of
the requirement for normal passage in both directions, i.e., the door
is not as massive. The relation of this building to the rest of the
plant is illustrated in Figure 7-16.
Additional Isolation of Low-Pressure Systems -- The potential
modifications to increase the isolation of low-pressure systems from
the high-pressure primary coolant do not involve any structural modi-
fications. Therefore, the physical protection application will be the
same as that for the baseline plant.

8. EVALUATION OF PRELIMINARY REFERENCE DESIGNS
The preceding sections of this report have discussed the baseline
plant, several alternatives to the baseline plant, and the physical
protection system which is to be included with each design. In this
section, the baseline plant and the alternatives will be evaluated and
compared, and,to the extent possible, the values and impacts of each
will be defined. Methods for the evaluation of safeguards effective-
ness are still evolving, and there is no single model or methodology
which can he used to evaluate the effectiveness of a plant's design or
protection system against all threats to security. Similarly, there
is no procedure which even attempts to model in a single, integrated
package the impacts associated with various alternatives of plant
design or operations. As a result, the evaluation which follows ie a
combination of quantitative or semi-quantitative models and subjective
engineering judgments which are identified below. The evaluation
implies that there is no unique solution which unequivocally indicates
whether a particular concept is good or bad. The following subsec-
tions define the criteria against which the designs are evaluated, the
procedure used in conducting the evaluation, the results of the eval-
uation, and the conclusions which have been drawn.
Criteria for Evaluation
In Section 1, four broad design objectives or criteria were out-
lined. These are
1. Decrease the number of sequences* which could cause a release
of radioactive material.
a It should be kept in mind that a sequence is simply a set of
events which must occur, or a set of locations which must be visited,
to cause a release of radioactive material; a sequence does not neces-
marily imply a time order, although there may be a required order for
Borne events.

2. Increase the number of individual actions required to com-
plete a sabotage sequence.
3. Reduce the probability of successfully completing a sabotage
sequence.
4. Reduce the consequences of a completed sabotage sequence.
As each alternative is evaluated, it will be tested against this
list to determine whether or not it meets the criteria and to what
extent. Some alternatives may satisfy several criteria to one degree
or another,while other alternatives may satisfy only one of the
criteria.
Procedure for Evaluation
The evaluation of design alternatives could be handled in any
number of ways. In this study, values, in terms of increased resistance
to, or protection against, sabotage, are examined first. Then,
impacts, in terms of operational constraints, manpower requirements,
and costs, are defined.
The values are established by examining each design, given an
external threat to plant security, and then by repeating the cycle,
given an internal threat. The external threat includes a determined,
violent, external assault or an attack by stealth or the deceptive
actions of several persons. This threat is considered to have the
following attributes:
1. Well-trained and dedicated people,
2. Inside assistance,
3. The availability of suitable weapons, and
4. The availability of necessary, hand-carried equipment and
tools.
The inside threat assumes an insider in any position (Reference 25).
For each threat, the analytical models available are discussed. Then,
each design is presented and evaluated against that threat in terms of
the design criteria. A summary providing a value ranking of the
desfgns is then presented.

The impacts are estimated first for the baseline plant by examin-
ing the numbers and types of personnel who must visit particular loca-
tions (equipment) and the frequency of those visits. Then, the study
establishes whether or not the alternative designs cause significant
perturbations to these operational procedures in terms of required
manpower and frequency of visits. The capital costs for each design
are also considered in a summary ranking the alternative designs with
respect to impact.
The evaluation is cmcluded .,..., ~ ..,, by a cross comparison . of values and
.,,. .,. ,
impacts presented as value-impact conclusions.
.* ,,*-.,. . . .
Effectiveness Against an External Threat
A number of methods are being developed to examine safeguards
effectiveness. 31' 32' 33' 34 The Safeguards Automated Facility Evalu-
ation (SAFE) (Reference 32) methodology is used in this section to
compare the effectiveness of the various design alternatives against
an external threat. SAFE is a collection of functional modules which
combine facility representation, physical protection characteristics,
adversary path analysis, and response simulation to accomplish the
evaluation. Using this technique, an evaluation of a safeguards sys-
tem can be performed by systematically varying those parameters that
characterize the physical protection components of the facility to
reflect perceived (or assumed) adversary attributes and strategy, en-
vironmental conditions, and site operational conditions. The facility
characterization and physical protection system characteristics dis-
cussed earlier are part of the necessary inputs to SAFE.
The principal purpose of this analysis is to explore the effect
of the modified plant design on safeguards effectiveness. Therefore,
in using SAFE, several constraints were adopted which were intended to
emphasize this aspect of the analysis. Although SAFE has provisions
for doing so, this analysis does not model any engagement (battle)
between guard forces and an adversary. That is, neutralization of the
adversary by armed force is not considered. This study examines only
the likelihood that the adversary is confronted by guards before the

last barrier to vital equipment is breached. The likelihood of this
confrontation is termed the proba'ility of sequence interruption and
is denoted by PSI. This method tsffectively removes any consideration
of the attributes of guards anu d l ~rsdries (number, weapons, dedica-
tion, etc.). Thus, the analysis focuses on the question, Given a
particular set of design alternatives, does one alternative provide a
significantly higher probability of sequence interruption than does
the baseline degign? If so, such an alternative would obviously
deserve careful consideration.
Effectiveness of the Baseline Plant -- In the characterization of
the baseline plant, it was established that there are 42 vital areas
(VAs)--5 Type I and 37 Type I1 areas. It was also determined that,
given a loss of offsite power, there are 56 sequences (or combinations
of locations) which can lead to a release of radioactive material. If
the spent fuel areas are excluded (for reasons discussed later), then
there are 50 such sequences for the baseline plant.
The probability of sequence interruption (PSI) was first estimated
considering the Type I and Type I1 VAs individually: the results
for the baseline plant are shown in the appropriate columns of Tables
8-1 and 8-2. When the PSI estimates are done this way, the assumption
is made that one area is the target of an intruder and that the onsite
guards will go to that area in response to an alarm. Furthermore, the
intruder is assumed to use the path of minimum detection probability
until he is detected; then he is assumed to follow the quickest, or
minimum time, route to the target. Such an approach is considered to
be a reasonable upper Suund on a saboteur's ability to defeat the
plant safegu-L~S sy>tem. If the combinations of Type I1 VAs are
examined, several additional estimates may be obtained. In a MIN-MAX
analysis, the individual target PSIa for a particular sequence are
compared, and the pSI for the sequence is taken to be the best individual
PSI in the sequence (that is, the PSI for the target which
the guards can beet protect in that sequence). Then, all the se-
quences are compared, and the one identified with the lowest PSI is
termed the worst-case sequence. For the baseline case, the worst-case

sequence has a PSI (denoted by PSICworstl) of approximately 0.7. Al-
ternatively, if it is assumed that the guards respond simultaneously
to all locations in a sequence, then the probability that the ?dver-
sary is confronted in at least one area in the sequence is an upper
bound on safeguards performance. In this case, PSI(at least one)
x0.9. Subsequent sections of this report will compare the results for
the alternative designs to these baseline values.
. Table 8-1
Probability of Sequence Interruption
for Type I Vital rea as'^
Vital Area Baseline Plant
t %
Separate Safety Buildings b
option 1 Option 2 Option 3
Control room 0.7 0.6 0.6 0.6
Containment 0.9 0.9 0.9 0.9
Alternate shut-
down panel 0.9 (Not a Type I VA in these designs)
Spent fuel pool
operating floor 0.5
Spent fuel
shipping cask
area 0.1
a~stimates are based on the probability of detection, Pd = 0.92, in the
protected area.
boption 1 has vault-type doors on primary access routes and locked/
alarmed doors between turbine hall and piping penetration areas.
Option 2 has all vault-type doors. Option 3 has only 1ocked:alarmed
doors.
Effectiveness of Hardened Enclosures for Makeup Water Tanks --
The SAFE analysis for a baseline plant plus this additional protection
for tankage provides the same results as the baseline except that the
PSI for the condensate storage tank area is increased from 0.7 to 0.9.
That is, the protection of one Type I1 VA is enhanced, but all others
are unchanged. Also, the number of sequences remains the same as for
the baseline plant.

Vital Area
mergmncy cwling piping/valve8
Auxiliary fwdwater piping/valves
Die8el generator No. 1
Diesel generator No. 2
ESP svitchgear No. 1
ESP witchgear No. 2
Puml pool heat exchangers
Auxiliary feedwater pump No. 1
Auxiliary feedwater pump No. 2
TD' auxiliary feedwater pump
Auxiliary feedrater piping
Auxiliary feedrater piping
Battery roans and chargers
Main feedwater piping
Electrical penetration room
Electrical penetration room
Stem line8 to TD auxiliary feedwater
Wain steam lines
Spent fuel building vent and filters
Condensate water storage
ESW pump house
Alternate shutdown panel
Table 8-2
Probability of Sequence Interruption
for Type I1 Vital Areas
Baselinm Plant Separate Safety ~uildin~s"~
Option 1 Option 2 Option 3
0.9/0.9
- -
0.9
0.9
0.910.6
- -
0.9 0.9
0.9
0.9 0.9
0.9
0.9 0.9
0.9
0.9 0.9
0.6
0.7 0.7
0.7
0.9 0.9
0.9
0.9 0.9
0.9
0.710.7 0.9/0.9 0.710.7,
0.4 - 0.9
0.4
0.4 0.9
0.4
0.9 0.9 0.9/0.9
0.4/0.4 0.9/0.9 0.4/0.4
0.9 0.9
0.9
0.9 0.9
0.9
0.4 0.9
0.4
0.4/0.4 0.910.9 0.410.4
0.9 0.9
0.9
0.910.9 0.910.9 0.9/0.9
0.9 0.9
0.9
0.9/0.9 0.9/0.9 0.9/0.6
a option 1 has vault-type door. on primary access routes and locked/alarmed doors between
turbine hall and piping penetration areas. Option 2 haa all vault-type doors. Option 3 has
only locked/alarmed doors.
b~ entries (0.g.. 0.9/0.9) indicate that thm design alternate has two area. where formerly
there was one.
cTD = turbine-driven

Effectiveness of Physically Separated Redundant Trains -- This
design alternative is the most significant departure from the baseline
plant. The redundant safety trains, including water storage and elec-
tric power, are located in two separate though adjacent buildings.
(See Figures 6-4 and 6-5 for a comparison of layouts.) There are
three versions of this alternative. One, labeled Option 1 on Table
8-2, has vault-type doors on priqary access routes and locked!alarmed
doors between the turbine hall and piping penetration areas. The sec-
ond version, labeled Option 2, has vault-type doors on all points of
access. The third version, labeled Option 3, has only locked/alarmed
doors similar to those ef the baseline plant.
The vital area analysis for this alternative indicates that there
are 43 VAs (4 Type I and 39 Type I1 areas). In this case, given a
loss of offsite power, there are 43 areas that can be combined in 292
sequences. Again, if the spent fuel areas are excluded, then there
are 286 sequences. The results of the SAFE analysis are shown on
Tables 8-1 and 8-2. In this design, the alternate shutdcwn panel is
no longer a Type I VA because each train has a separate panel and
either is sufficient to shut the plant down and provide decay heat
removal. In Option 1, the PSI estimates for the diesel generators,
ESF switchgear, and makeup water have improved. In this version, access
to the main steam lines was provided through locked, watertight
doors because of the frequent inspections required. However, these
doors provide an access to the auxiliary feedwater areas, which leads
to a lower level of protection for that system than does the baseline.
Consequently, when the Type I1 VA combinations are examined, it is
found that PSI(worst) ~0.4 and PSI(at least one) e0.7. In Option 2,
the watertight doors between the turbine hall and piping penetration
area were replaced with vault-type doors, and the predicted PSI shows
dramatic improvement: in fact, all Type 11 PSIs ~0.9. Therefore, when
the Type I1 combinations are examined, it is found that PSI(worst) 20.9
and PSI(at least one) el for Option 2. Option 3 was included to provide
a direct comparison with the baseline plant because it may be
argued that using vault-type doors is a change in physical protection,
not in plant design. The estimates of individual PSIs in this version

are generally comparable with the baseline plant: several estimates
are slightly greater (diesels and ESF switchgear) and several lower
(auxiliary feedwater and main steam lines). Because of the lower in-
dividual PSI for Option 3, when the Type I1 combinations are examined,
it is found that PSI(worst) "0.4 and PSI(at least one) 20.7. These
are approximately the same as Option 1.
Effectiveness of Hardened Decay Heat Removal System -- In this
alternative, the characteristics of the baseline plant are unchanged,
except that a new system is added which can functionally replace the
AFWS in the event the AFWS is unavailable. The hardened DHRS adds a
I Type I1 VA, so that, for this alternative, there are 43 VAs (3 Type I
and 40 Type 11). Assuming a loss of offsite power, there are 56 se-
quences which could lead to a release of radioactivity. Excluding the
spent fuel areas, there are 50 sequences. The individual PSIs are the
same as for the baseline, with the addition of PSI a0.9 for the area
(bunker) housing the hardened DHRS. This addition reduces the number
of two-location sequences from 10 to 4 and increases the number of
sequences involving three or more locations. For these combinations
of Type I1 VAs, PSI(worst) z0.9 and PSI(at least one) >0.9.
Discussion and Comparison of Effectiveness Evaluation for an
External Threat -- The probability of sequence interruption, PSI, may
be viewed as a measure of the relative performance of various systems
configurations. Thus, the task here is to establish whether or not
there is a significant improvement in PSI based upon a change in plant
design and to use the analysis to gain some insight into the safe-
guards effectiveness of plant designs in general. At this time, the
objective is not to determine whether or not the predicted PSI is
adequate or acceptable.
The SAFE methodology provides an excellent mechanism for sensi-
tivity studies so that it would be easy to overemphasize the safe-
guards aspects of the study. Although a concerted effort has been
made to avoid such overemphasis, there are several characteristics of
the SAFE results discussed below which should be kept in mind during
thin discussion.

Earlier studies (References 3 and 34) have indicated that results
obtained with SAFE essentially are linearly dependent upon the assump-
tions made about detection probability (Pd) at the fence (or in the
protected area). This relationship applies equally to the baseline
plant and the alternatives. If the Pd is halved, the individual PSIs
drop by about half, and,if Pd is reduced to zero, PSI approaches zero
for most areas. This result obviously suggests that, in establishing
a design for a particular site, tradeoffs should be made not only be-
* tween potential plant designs but alao between potential plant designs
.
and possible configurations of the physical protection systems.
In this analysis, guards are assumed to intercept the adversary
at the VA that the adversary is attempting to reach. Therefore, the
guard response time is a fcnction of the target VA and 9uard location.
Reducing response time will usually increase PSI, while increasing
response time will lower PSI. However, it is again emphasized that
the change of PSI is more likely related to physical protection
tactics and procedures than to plant design.
The design alternatives considered have not led to any signifi-
cant changes in the Type I VAs or the estimates of safeguards effec-
tivenese: however, several observations are pertinent. Other studies
have suggested that the "time window" within which a release from
spent fuel is potentially a significant threat to the public is re-
stricted to a relatively short time after fuel is removed from the
reactor. Therefore, no attempt was made here to increase the PSI for
those areas associated with refueling by using design changes. Cer-
tainly, revisions to physical security could be employed to increase
pratection during refueling (and for a short time afterward). Also,
the control room is unquestionably an area of concern. However, it
appears that additional protection can more readily be achieved by
modiffcatfuns to physical protection, for example, adding doors which
are more substantial, than by total plant redesign.
This analysia suggests that design changes can have an impact
upon the ability to protect many of the Type I1 VAs. But a note of

caution is appropriate. For example, the improvement noted with Option
2 of the alternative of physically separated trains of safety
equipment is due in part to the restricted access routes, but, primarily,
the improvement is due to the vault-type doors used. This relationship
is apparent when Options 2 and 3 are compared. A similar
point is noted when Option 3 (new design but only locked doors) is
compared to the baseline. This versio? does not appear to offer any
improvement over the baseline and, in some respects, is not as effective.
However, in Option 3, there is one less Type I1 VA which meets
design criterion 1 by reducing the number of locations at which a
release could be initiated. Also, the increased separation between
Type I1 VAs (targets) could make access to combinations of areas more
difficult. In this respect, it meets criterion 2 (more individual
actions) by increasing the number of places that must be visited and
criterion 3 (decreasing the probability of success) by increasing the
difficulty of access. Also, this alternative reduces the number of
access points: that is, the safety building may only be reached
through the auxiliary building and the containment penetration area.
This arrangement meets criteria 1 (decreasing the number of sequences)
and 3 by reducing the number of paths for access and increasing the
difficulty of access. The analysis also suggests that increased physical
protection such as CCTV on access doors, sensors to detect door
tampering, etc., could more readily be used to reduce the reliance on
early detection. The multiplicity of paths to various compartments in
the baseline plant essentially precludes such modifications. However,
a design which has a very limited number of access points could take
advantage of such increased physical protection. Such a design would
also influence guard response tactics: that is, response to intrusion
alarms could be to several fixed locations, which would presumably
enhance the probability of sequence interruption.
Hardening only the makeup water tanks does not appear to offer
any significant gains in terms of overall protection. This is espe-
cially true considering that the alternate water soarce for auxiliary
feedwater, the ESW, is reasonably protectable. This h.rdening would
meet design criterion 1, however, by reducing some inherent vulner-
ability.
.

Adding a hardened DHRS is also a possible alternative. The ar-
rangement meets criterion 2 by adding more areas that must be reached
in order to cause a release and also increases the number of redundant
functions which would kt-.'e to be disabled by the adversary. However,
one aspect of this system which should not be ignored is the finite
time period of operation (10 hours for the current design) which ex-
ists unless additional water and fuel oil are made available. Other
alternatives, for example, a steam-driven system with partial closed
cycle, could alleviate this constraint.
Effectiveness Against an Internal Threat
As with the external threat, a number of methods are being devel-
oped and used to examine safeguards effectiveness against insiders at
nuclear facilities. 35'36'37 However, the emphasis to date has been
placed upon the nonreactor portions of the nuclear fuel cycle and, in
particular, upon safeguards for the prevention of theft of nuclear
material. The so-called "insider question" at nuclear power plants
has been considered in several studies, but no modeling comparable to
SAFE has been applied. There is a program now under way to demon-
strate the applicability of at least one of the models for insider
threat37 to a nuclear power plant, but results will not be available
until the fall of 1980. Therefore, in the discussion which follows,
the principal reliance will be placed upon a subjective analysis of
the contribution that the changing of plant design can make to protec-
\
tion against unauthorized actions by authorized insiders. In order to
make this analysis, it is appropriate to first consider (1) who are
the authorized insiders, (2) to what areas will they normally have
access, and (3) how frequent is that access?
Manning and Normal Plaht Access -- Each plant is unique in some
respects as to its manning. However, a comparison of available data
indicates that the personnel types and numbers shown in Table 8-3 are
fairly typical for the permanent staff of an operating reactor. In
this analysis, it is assumed that the technical management personnel
essentially have access to all areas of the plant, albeit infrequent-
ly; other management personnel (administrative/training/security) have

Table 8-3
Typical Permanent Staffing for a Nuclear Power Plant
1977-1978 Time Frame
Managerial/Supervisory
Plant superintendent
Or rations supervisor
Shift supervisors
Maintenance supervisors
Instrumentation supcrvisor
Health physics and :hemistry supervisor
Security chief
Administrative supervisor
Engineering staff supervisors
Quality assurance supervisor
Training administrator
Number of Persons*
Staff (Operators/~echnicians/~ngineers/Clerks, etc.)
Senior control room operators 5
Control room operators 10
Equipment operators/helpers 10
Maintenance and labor
(mechanical/electrical) 30
Instrument technicians 10
Health physics technicians 10
Security (armed) 3 5
Security (unarmed) 10
~dministrative/clerical/QA 2 0
Engineering support - 10
Total Staff 170
*The plant is assumed torbe a single unit in a normal operating mode.
Utility company preferences could increase or decrease these numbers.
In the post-TMI era with the mandated changes to installed systems,
average site staffing will be greater than that shown here.
only limited access and, generally, not to VAs except for the control
room. It is generally agreed that control room and equipnent oper-
ators and health physics and instrumentation technicians will have
acce8s (authorized as required by their shift supervisor) to all areas
of the plant in performance of their duties. Maintenance personnel
will have only slightly less access in that mechanical maintenance
personnel would have no need to enter areas that contain only electri-
cal equipment. Electrical maintenance personnel will probably have
1
1
5
5
1
1
1
1
2
1
1

need for access into nearly all plant areas. The VA access of such
technicians would usually be controlled by their individual supervi-
sion and the shift supervisor. Administrative personnel would have
only limited plant access. The status of security personnel is much
more difficult to generalize. In some plants, security personnel will
visit inside plant areas once per shift to inspect VA doors. Other
plants may have security personnel stationed inside for purposes of
access control and early response to intrusion alarms. For purposes
, of this study, it is assumed that armed security personnel only enter
VAs in response to an alarm, and, when doing so, they are accompanied
. by an operator.
Access to various plant areas for some personnel (operators, for
example) is essentially routine, repetitive, and frequent. For exam-
ple, control room operators and equiprvnt operators make rounds of the
plant several times during each shift. The summary of access require-
ments shown in Table 8-4 is a consensus based upon the Safety Analysis
Report Technical Specifications and interviews for several plants. It
shows clearly that many plant areas must be visited frequently by a
cross section of the plant staff.
These considerations have been limited to normal power operations
because, for most plants, special physical security provisions will be
instituted during refueling and maintenance outages. And, although
there will be many additional craft personnel onsite, the prestart
inspections and tests will verify the operability of safety systems
prior to restart. The foregoing assumptions underlie the analysis and
. discussion which follows.
Effectiveness of the Baseline Plant -- The baseline plant has a
highly canpartmentalj.zed design. In this sense, the various compo-
nents of the redundant safety trains are separated. However, examina-
tion of this compartmentalization shows that generally similar compo-
nents of redundant trai:~s are in close proximity. For example, note
the relationship of the vdrious ESP pump roams in Figure 8-1 or the
auxiliary feedwater pump rooms in Figure 8-2. If an insider has

Plant Ares
Control rom
PYR containmmnt
SYR containmant
Vital 4-kV/4eO-Volt
mwitchgaar, 125-volt dC bU*S
Battery
Spont fuel area
Turbine building
esch diesel generator
A11 ESP pimp.
(ECCS, ESV. IrIYS)
Auxiliary building
(mu) 1 reactor building (BUR)
Main stear, (PWR)
Table 8-4
Typical Access Requirements
~p.rator/~raft Round* ~estinq/~na~ction
No. Persons
- -
Pr.quency
- -
2 to 4/ponth
--
NO. Persona
--
C-nta
slomally occupid by
3 to B persona
w a s ~
6/raonth
Z/ruek
--
3/month
l/month
Daily
(variable)
4/ueek
1 to 2
2 to 4
2
probably continuous
occupancy on day ahift

AUXILIARY
FEEDWATER
KEY
El LOCKED. ALARMED DOOR
LOCKED, ALARMED WATLRTlOn WOR
MOTOR-DRIVEN
AUXILIARY
FEED PUMP
Fiaure 8-2. Relative Locations of Auxiliary Feedwater
Pump and Valve Compartments fo; the Baseline
Plant

. ,
access to both trains as part of his normal rounds, it would be possi-
ble for him to disable similar equipment in a short span of time. In
addition, because of the "openness" of the baseline plant layout,
there are no uniquely defined routes for access to the compartments
either. Theoretically, it would be possible to secure these individ-
ual compartments with locks (card readers) unique to each train. This
would permit the operator to visit only one train on each round and
would require him to return to the control room and exchange keys
(cards) before visiting another train. In addition to the possible
impact on plant surveillance that such a procedure might have, several
problems in logic also seem apparent:
I. During one round, an act of sabotage might be accomplished
which would not show up until the equipment was required,
2. Door locks could be disabled (left unlocked) to permit entry
to both trains on the next round, and
3. If maintenance personnel were working on one train while an
operator was checking the adjacent compartment, it would
be relatively easy for the operator to gain access to both.
Without very stringent and perhaps burdensome work rules, plant per-
sonnel would have no particular basis on which to challenge the pres-
ence of authorized personnel, especially because the maintenance sec-
tion would have no way of knowing which redundant train was on the
current round. Therefore, although the compartmentalization of the
baseline plant meets the safety separation criteria (including fire
protection), the arrangement does not appear to provide any special
advantage for controlling insider activities.
Effectiveness of Hardened Enclosures for Makeup Water Tanks --
This modification to the. baseline essentially makes no difference
insofar as the insider is concerned. If the refueling water and
condensate storage tanks were given additional protection, authorized
insider access would not be affected. Simply adding a door would not
alter the frequency of access, nor would it provide any special
protection.

Effectiveness of Physically Separated Redundant Trains -- This
design change maintains the redundant train compartmentalization
outlined for the baseline plant and provides two important advantages
for protection against the insider. First, the equipment compartments
of a given redundant train are grouped together. Second, access to
these groupings is through well-defined and limited routes. Consider
the layouts shown in Figures 8-3 and 8-4. Figure 8-3 illustrates in
part how the various equipment compartments for the two redundant
trains are grouped. Figure 8-4 illustrates the controlled access, by
only one route, to each of the individual safety buildings. These two
conditions are a step toward meeting the second and third design
criteria discussed earlier. Compartmentalization and separation
increase the number of locations which must be visited and reduce the
likelihood of successful sequence completion. These two aspects of
this design alternative suggest some advantages for insider control.
First, because all aspects of a single train (auxiliary feedwater.
emergency core cooling, makeup water, and emergency power) are to-
gether and reachable through one route, administrative controls are
easier to apply. For example, the roving operator could clear train A
and return to the control room. The train A status could be verified
and the operator then authorized to visit train 0. Admittedly, he
might still have the opportunity to disable some components, or insure
later failure, but doing so may now be more difficult. Furthermore,
if statue verification were to require an independent inspection by a
second party, the inspection would be easier to carry out with all the
canponents of a single train essentially colocated. The opportunity
to enter one train of equipment directly from the other no longer
exists; that is, a roving operator and a maintenance team with access
to different trains of equipment are [lot in the same area. This
design alternative also separates c~..tinuously operating equipment
(e.g., charging pumps) from standby, safety-related equipment, which
further enhances protection against an authorized insider on routine
rounds. Therefore, although this alternative may not directly protect
against the unauthorized activities of an insider, it does offer the
potential for implementing certain administrative controls with less
impact upon operations. Impacts of the designs are discussed in a
later section.

CHARGE PUMP
Figure 8-3.
CHARGE PUMP
CONTAINMENT
1
w KEY
MD = MOTOR-DR
TD = TURBINE-DRIVEN
Relative Lacations of Redundant Safety Train Equipment
for the Alternate Plant Layout

ACCESS TO
SAFETY BUILDING A
VIA PERSONNEL TUNNEL
Figure 8-4. Locations of Access to Safety Building for the
Alternate Plant Layout

Effectiveness of Hardened Decay Heat Removal System -- Thls
alternative, as noted earlier, does not chanqe the baslc layout or
characteristics of the baseline plant except that it adds an addl-
tional Type I1 VA, which offers some advantages for protection against
the insider threat. First, this independent DHRS alleviates the de-
pendence upon the inplant redundant systems. That is, instead of two
trains, there are three for certain events. However, thie system re-
quires that the reactor coolant system boundary be maintained, so the
alternative does not aid in countering loss-of-coolant events. Sec-
ond, the separate, hardened structure housing the DtiRS seems to pro-
vide some flexibility in the application of administrative procedures.
Because the DHRS is a standby system with completely independent power
and water, it may be possible to modify routine surveillance proce-
dures for it and perhaps reduce their frequency compared to the fre-
quency for safety systems. Given less frequent or less extensive
visits, some administrative control might be imposed with less total
impact upon operations. For example, an ins,.,ction by a second party
should be reasonably easy to complete because of the limited amount of
equipment involved and the equipment's compact arrangement. Again,
this is a design which satisfies two design criteria. It adds loca-
tions and reduces the probability of successful sequence completion.
Effectiveness of Additional Isolation of Low-Pressure Systems --
One additional area of isolation could potentially reduce the vulner-
ability to the insider. If reliable, reproducible, torque limiting on
the RHR isolation valves could be achieved, the number of locations
£ran which an insider could initiate a release of radioactive material
would be reduced. A reduction in the number of such locations would
satisfy the first design criterion. For example, torque limiting
would prevent the valves from being opened, while at operating pres-
sure, from the motor control center. Therefore, the insider would
have to enter containment and manually manipulate the valves.
Discussion and Comparison of Effectiveness Evaluations for an
Internal Threat -- Most studies to date suggest that the solution to
insider threats will depend heavily on administrative controls and

work rules. Certainly, none of the design alternatives considered
provides a unique or unequivocal solution. In nearly all cases, the
benefits which accrue from the design changes arise because the change
may facilitate the implementation of such administrative controls or
rules. The compartmentalization of the baseline plant itself has some
potential in this regard because components are separated. The com-
pletely separated redundant train design provides a further step
because the components are compartmentalized and segregated into
separate buildings with well-defined access routes. Such a modifica-
tion certainly could only be applied to plants not yet designed
because of its radical departure from current practice.
The hardened DHRS lie.; between the baseline and fully separated
designs in terms of potential protection from an insider threat. The
hardened DHRS provides some segregatiorl as well as compartmentaliza-
tion, and it provides additional redundancy for non-LOCA events. The
hardened system also has some advantage compared to the fully sepa-
rated trains of equipment in that it could be added to plants already
being designed because it is a separate entity which can be connected
to the plant via cabling and piping. The need for secure and seismic-
qualified piping connections and penetrations of containment make its
application as a retrofit to existing facilities problematical.
Impacts of the Design Alternatives
It was noted in the introduction to this evaluation that there is
no procedure which attempts to model the impacts of designs in a
single, integrated package. In fact, there does not appear to be any
documented and widely accepted methodology for such an evaluation,
even on a subjective baais. Certainly, numerous studies exist which
examine in various ways the impacts of particular actions or ideas,
but each of these studies seems to start with differing assumptions
and guidelines. In that respect, this current study is no exception.
For purposes of comparing the baseline and alternatives, it is assumed
here that the impacts associated with the baseline plant are accept-
able and reasonable. Also, these impacts are considered in current
terms; that is, no attempt is made to extrapolate 5 or 10 years into

the future to examine impacts or conditions--there simply are too many
uncertainties. Finally, the analysis here is subjective. Several
techniques were explored for quantifying such an analysis. Most of
these techniques essentially reduce to seeking a consensus of a panel
of experts to quantify the value measures and their application. This
approach was rejected as being too time consuming and expensive for
the limited amount of added insight it might provide in this particu-
lar instance.
The impacts to be considered include capital costs, manpower
requirements, operations and maintenance (including activities, proce-
dures and surveillance requirements), and safety. Where appropriate,
some comment is also offered on the less tangible impacts such as
staff attitudes and morale.
Although the impacts of the baseline plant are presumed accept-
able and reasonable, the discussion begins with some observations on
the baseline to provide a basis for subsequent comparison.
Impacts Associated with the Baseline Plant -- Although the base-
line plant is not currently online, the Safety Analysis Reports are
available and provide at least a preliminary indication of the utility
preferences for manpower and operational procedures.
Capital Costs. The two plants using the SNUPPS design are cur-
rently under construction, and,consequently, costs are not final nor
are they a matter of public record. Therefore, for purposes of com-
parison, a capital coat of $750,000,000 (1978 dollars) is assigned to
the baseline design. Generally, in the subsequent discussions, the
capital costs for the alternative plants are treated as incremented
costs to the baseline. Therefore, there will only be a relative
ranking of the alternatives with regard to costs.
Manpower Requirements. Based upon the availabla information, the
operations, technical, and maintenance manning for the single-unit

aseline plant is assumed to be as shown on Table 8-5. The manage-
rial/supervisory manning is consistent with that shown earlier (Table
8-31, but,because supervision is not really affected by design (at
least one of each type is always required), only the staff manning is
considered here. For the baseline plant, 62 operations, maintenance.
and technical personnel are required. Thirty of these are operators.
while 32 are supporting technicians and maintenance personnel.
Table 8-5
Assumed Baseline Plant Manning*
for Normal Power Operation
1977-1 978 Time Frame
Title Number
Shift supervisors
Senior control roan operators
Control room operators
Equipment operators/helpers
Instrument technicians
Health physics technicians
Maintenance and labor
5
5
10
10
6
6
- 20
Total 6 2
*IncluCa operations, technical, and mainte-
nance personnel but excludes management.
Operations and Maintenance. In considering these impacts, atten-
tion is focused upon only those activities which may change, given
t.hat there is a change in plant design or layout. That is, control
roan operations and routine tests and surveillance of the primary
reactor coo1ar.t system and the normal power conversion system are not
included. Based upon the information in Table 8-4, operators will
vi~it the dlesel generator, emergency switchgear, all ESF pump rooms,
and most areas of the auxiliary building at least twice per shift.
Battery rooms and spent fuel areas will be visited at least once per
shift. From Figures 7-3 through 7-8 and 8-1, which depict the layout
of the baseline plant, it is apparent that, even with the compartmen-
talization, operator rounds are relatively easy to accomplish because
.-----.

compartments are adjacent or access is from a common corridor. Adja-
cent compartments also have the advantage that like systems are com-
pared in a short span of time, so that anomalies may be more readily
apparent.
If the testing/inspection frequency information from Table 8-4 is
combined with the data on the number of pieces of safety-related
equipment in the baseline plant, the level of maintenance inspection
and testing shown in Table 8-6 is derived. The inspection schedule
shown in Table 8-6 implies more detailed inspection than is possible
merely through an operator making rounds. From Table 8-6, it may be
concluded that there is oignificant electrical inspection/testing
occurring every day and that mechanical testing (pump run, valve
exercise, etc.) occurs every other day. If it is assumed that two
people are involved, whether for safety or because it takes two to
accomplish the task, these tests could represent approximately 10
man-days per month (allowing about 1/4 day per test). Based upon
independent discussions with nuclear power plant maintenance person-
nel, it is estimated that more than 60% of the maintenance work load
involves unscheduled maintenance: the figure may approach 75% at some
plants. Total access requirements will thus be greater than is im-
plied by Table 8-6.
Safety Considerations. Compartmentalization has resulted from
safety concerns and thus, of itself, is presumed to be a positive
contribution to safety. In the baseline plant physical protection
scheme, compartments were assumed to be locked. Locked compartments
should not affect safety if appropriate personnel have access. How-
ever, canpartmentalization could have adverse impacts upon plant
safety, especially if the compartments are locked and keyed with
independent keys. Discussions with plant personnel indicate that such
controls could be perceived as nuisances and as being counter produc-
tive. It has been postulated that, in the extreme, this attitude
could lead to inspection rounds being skipped because they are con-
sidered to be "too much bother," with the result that safety equipment
problems could go urrdetected until they had an impact upon plant.

Table 8-6
Typical Inspection Schedule for a
Baseline Plant
Item
Vital 41601480 switchgear,
125-volt dc buses
Battery
Diesel generator
ESF pumps
AFWS
RH%
HPI (charging)
a~~~ = low-pressure injection
b~~~ = high-pressure injection
Test or Inspection Frequency
6/day
12/month
6/month
(at least one startup)
3/month
(one start/month/pump)
4/month
21month
2/month
In operation
safety. Also, such independent keying could impair the response to
emergency conditions if time were required to obtain access.
Impacts Associated with Hardened Enclosures for Makeup Water
Tanks - -- As stated earlier, this alternative represents a relatively
modest departure from the baseline design.
Capital Costs. Three options were explored for this alternative,
each of which has its unique costs (see Table 6-21. The total costs
of hardening are shown below, and the relative increase over existing
practice is indicated. For reference purposes, two tanks in the base-
line plant, with their associated base mat and piping, are estimated
to cost $1,715,000.
Option Estimated Cost Increase % Increase
Two tanks with two buildings $2,490,000 $ 774,600 3 1
Two tanks with one building 3,081,000 1,375,600 44
Two reinforced concrete tanks 2,266,000 550,600 2 4

If total plant costs are assumed to be on the order of $750,000,000,
the increase to harden tank enclosures is a few tenths of a percent.
Manpower Requirements, Operations and Maintenance, and Safety.
The entire discussion of the baseline plant applies here because there
is essentially no change in the plant itself.
Impacts Associated with Physically Separated Redundant Trains --
This alternative is the most radical departure from the existing prac-
tice which is considered in this study and could only be applied to
new plants. However, the impacts associated with that departure are
not as extensive as might be expected.
Capital Costs. There are two types of capital costs associated
with this alternative. One is the cost associated with the buildings,
and the other is the cost of additional equipment. Because actual
costs for the baseline are unavailable, the costs associated with the
baseline plant auxiliary and control buildings were estimated in a
manner consistent with that used for the new safety and auxiliary
buildings. Tnis method provides only a "localized" estimate of cost
increase but allows a realistic estimate. The baseline building
estimate was $16,718,000 (see Table 6-3). The estimated costs for
this alternative on the same site as the baseline plant are
Safety buildings $14,078,000
Auxiliary building 10,638,000
Additional equipment 6,359,000
Total $31,075,000
This estimate represents a $14,357,000 increase, or, including a 10%
contingency factor, a $15,797,000 increase. Again, assuming a
$750,000,000 basic total plant cost, this alternative represents about
a 2% increase.
Manpower Requirements. This alternative adds a turbine-driven,
auxiliary feedwater pump and.two high-pressure injection pumps. Also,
there is an additional component cooling system which will require
surveillance and maintenance. The additional ESF pumps represent a

25% increase in test and inspection time, or about 2.5 man-days per
month. Based upon 20 maintenance personnel, this figure represents
only a 10% increase in level of effort. However, if the additional
separation of equipment is taken into account, along with the added
nonsafety squipvent, it is assumed that some additional maintenance
personnel could be required.
Operations and Maintenance. From the viewpoint of operational
procedures and convenience, the completely separate safety buildings
will present some impacts. Operator rounds will take longer because
of the plant layout and the presence of additional equipment. Addi-
, . a
'
tional inspection procedures will be required to account for added
equipment. Maintenance activities will be affected by the restricted
access. Movement of tools and parts will be slower and more difficult
because of the need to use specific routes. Maintenance times could
be increased simply because of the added transit times, especially if
repeated trips are required to obtain special parts or tools from the
warehouse. For instance, assuming the same stsrting point and transit
speed, it takes 25% more time to reach the auxiliary feedwater pump
rooms in this alternative than in the baseline.
Safety Considerations. - The addition of the high-pressure injection
(HPI) pumps, a turbine-driven, auxiliary feedwater pump, and
inside makeup water storage could have a positive impact on safety.
Redundancy is increased, and, for some events, the additional water
supply increases the time available to reestablish normal plant conditions.
The addition of HPI places all safety-related equipment in a
standby status; that is, the centrifugal charging pumps are no longer
serving a dual purpose, aa they are required to do in the baseline.
The completely separated building further enhances the protection of
the redundant trains against fires and other events which could disable
the systems.
The separation inherent in this alternative may also lead to some
impacts on safety. The duplication of shutdown panels will necessi-
tate careful structuring of central transfer logic, and such duplica-
tion could require that two locations be manned instead of one in the

event that manual [peration is necessary. Similar considerations hold
if local manual control of auxiliary feedwater systems is required.
Also, without careful coordination, the two systems could be at cross
purposes under manual control. Clearly, in this design, any situation
which requires local control of pumps, valves, or other process equip-
ment could be adversely affected by the need to man two stations
instead of one or to visit two widely separated locations.
Staff Attitudes. Discussions with industry personnel suggest
that designs such as this alternative with vault-type doors and re-
stricted access routes could have an adverse impact upon the plant
staff and its performance. This alternative has a physical structure
which is new in concept to power plant applications, although other
portions of the fuel cycle use such concepts. Unfortunately, sucl.
impacts are subtle and essentially unquantifiable. Nevertheless, the
potential is there, and it should not be ignored.
Impacts Associated with the Hardened Decay Heat Removal System --
This concept represents a less dramatic departure from existing prac-
tice than does the concept of physically separated redundant trains
and, in some instances, could be added to existing plants.
Capital Costs. There are two costs associated with this alterna-
tive--the structural costs of constructing a hardened, self-contained
building and the equipment costs for the pumps, tanks, diesel genera-
tor, and associated auxiliaries. From Tables 6-6 and 6-7, the follow-
ing costs are obtained:
Mechanical equipment costs
(including piping h electrical)
Structural costs (for same site as
baseline plant)
10% contingency
Total
This computatior .apresents the cost of the alternative and the in-
crease in cost resulting from the addition of a separate structure to
the plant. For the assumed $750,000,000 basic cost of the baseline
plant, the total represents about a 1% increase in capital cost.

Manpower Requirements. This alternative adds an auxiliary feed-
water pump, a charging pump,'and a diesel generator. Therefore, there
is about a 25% increase in test and inspection time. Using the 20
maintenance personnel discussed earlier, this figure represents a 10%
increase in the level of effort. Although no other major plant equip-
ment is added, the additional isolation in a separate building and the
combination of mechanical and electrical equipment could lead to the
need for an additional maintenance man.
Operations and Maintenance. The location of the DHRS in a sepa-
rate and isolated structure will present some operational impacts,
such as, how it will be manned and under what conditions. Because the
DHRS is in addition to the usual redundant safety systems, it may be
possible to reduce the inspection/surveillance requirements compared
to those for safety equipment. However, if it is determined that such
a system must be inspected every shift, then obviously operator rounds
will be affected. This system will add to the maintenance workload
because of the additional pumps, switchgear, and diesel generator.
The fact that the system is in a separate structure and normally on
standby may ease maintenance scheduling.
Safety Considerations. The addition of this system augments
safety by incorporating another redundancy. However, this is a limit-
ed redundancy in that its implementation requires that the primary
coolant system integrity be maintained. Therefore, the system pro-
vides additional protection primarily for transient-induced events.
Staff Attitudes. The addition of a separate hardened structure
could induce a slight "fortress" syndrome. However, because this
additional system is a last resort measure, and because it would not
be a part of the main plant, it is anticipated that there would be
much less negative reaction .toward this alternative than toward the
other nlternativss. In fact, the additional safety introduced could
lead to n positive reaction, especially after TMI.
Impacts Associated with Additional Isolation of Low-Pressure
Systems -- This alternative involves the addition of control systems

!X torque limiters on selected letdown and RHR piping. The costs are
less than $100,000, but there could be some effect upon manpower re-
quirements because of the additional test and maintenance efforts.
This alternative has some benefit to safety in that it could remove a
potential loss-of-coolant mechanism. However, there could tc an irn-
pact if the narrower operating range for the valve drives adversely
affected the reliability of the RHR valves.
Value-Impact Conclusions
The objectives of this study were to estimate the potential value
of various configurations of plant design in providing protection
against sabotage and to establish the impact of such measures on
costs, operations, and safety. The objectives were accanplished
through a combination of quantitative and subjective analyses, and the
remaining task is to synthesize these results into a value-impact
statement.
Because the study involves multiple values and impacts, estab-
lishing or assigning unique numerical scales is LrnpossibLe. Also,
fewer a1ternativt.s were carried through this full analysis than was
originally envisioned. The preliminary evaluation provided enough
information to allow the elimination of a number of alternatives from
further consideration. Therefore, the evaluation is discussed in
terms of low, medium, and high values and impacts. This evaluation
produce8 some latitude in interpretatron; however, the general infer-
ences which were drawn from the analyses are relatively straightfor-
ward.
Hardening makeup water tank enclosures has the lowest impacts
(low cost; no effect on manpower requirements, operations, or eafe~y)
but, at the same time, the lowest value (no change for insider threat,
only one Type I1 VA upgraded against external threat).
Additional isolation of lc -3ressure systems has some value in
that a potential insider vulnerability could be eliminated. That is,
tho potential for causing a loss of coolant outside containment from

certain VAs is eliminated. However, there is some uncertainty about
industry's ability to produce the necessary hardware.
Physically separating the redundant trains is considered to have
medium value and impacts. There is an increase in protection against
the external threat when the access doors are upgraded to near-vault
quality; however, there is an associated impact on the ease of staff
access for inspection and maintenance. There are ~ncremental costs of
about $15,000,000, and the added equipment could .iecessitate addi-
tional staffing. If this option were combined with added administra-
.*
tive controls and work rules (facilitated by the design), then the
option could have some increased value because of the added protection
against insider actions. Unfortunately, that increase could be accom-
panied by additional impacts in terms cf restricted access for opera-
tions and maintenance activities. This question requires additional
study before firm conclusions can be drawn. There could also be some
negative staff reaction to the controls.
The hardened DHRS has also been assigned a high-medium ranking.
The alternative potentially eliminates a Type I VA, although it does
not alter the protection afforded other existing VAs. P~is option
does add a valuable, well-protected redundancy for essentially all
transient events. The incremental costs are about $9,000,000, and,
depending upon exactly how it was implemented, the alternatives might
or might not lead to a requirement for additional manpower. Here,
too, there is potential for additional protection against the insider
threat. The isolation in a separate building, coupled with the added
redundancy, may facilitate reasonable administrative controls. And,
because the DHRS is housed in a separate building, it should be possi-
ble to exercise such administrative rontrols without major, adverse,
operational impacts.

9. CONCLUSIONS AND RECOMMENDATIONS
The range of alternatives considered in this study and the re-
sults of the analyses have led to the following conclusions:
1. Structural design changes for PWR plants (that is, changes to
building or plant arrangement) in and of themselves do not
appear to provide significant additional protection against
either the external or internal sabotage threat. Or stated
another way, all other things being equal, merely changing
arrangement does not lead to significant changes in
protection.
2. Design changes can, however, facilitate the implementation of
more effective physical protection systems. For example:
a. Design changes that restrict VA access to a few well-
defined routes, if appropriately combined with adminis-
trative controls and work rules, can increase the protec-
.-ion against the insider threat.
b. Design changes that restrict outside access to a few
routes (e.g., reduced number of outside doors), appro-
priately coupled with increased physical protection
(stronger doors, more surveillance at selected locations,
additional intrusion detection),will increase the protec-
tion against the external threat.
However, it must be observed that design changes that sig-
nificantly revise plant layouts so as to limit access routes
to VAs and reduce outside access are practical only for new
plants.
3. Damage control using installed nystems in alternate (non-
standard) ways has some potential for countering sabotage (or
accidents). This damage control method requires additional
study and probably some revision to currsnt reyulatory
practice.
9-1

4. Damage control by running repair and/or jury rigging does not
appear to be a viable counter to sabotage because of the
associated operational impacts and the potential for an
adversary to interfere with the damage control effort.
Based on the foregoing conclusions and the supporting analyses,
the following recommendations are offered r
Additional detailed design of selected alternatives (Phase I1
of the original program) should not be pursued merely to gain
additional potential for improved sabotage protection.
Detailed design of an alternate DHRS should be pursued in the
NRC program, Assessment of Alternate LWR Shutdown Heat Re-
moval Concepts (ASHR study). he ASHR study will evaluate
improvements in shutdown heat removal reliability for a
number of conditions that threaten system operation (equip-
ment failures, fire, seismic events, and flooding, as well as
sabotage). Any detailed system design for an alternate shut-
down heat removal system should a~!dress all of these threat-
ening conditions. Close coordination between the two pro-
grams should continue.
Phase I1 of this program should address in greater detail the
influence of plant design and physical protection changes on
protection against the insider threat. The full gamut of
insider protection systems, e.g., administrative controln,
work rules, the two-man rule, and security clearances, ohould
be assessed for the pranising design alternatives.
The potential of damage control, or,perhaps more precisely,
operator actions, to counter sabotage and safety problems
should be pursued further. This additional study should
define any regulatory revisions that would be necessary to
take account of such concepts in licensing procedures.

APPENDIX A
Glossary of Terms Used in the Study of Nuclear
Power Plant Design Concepts for Sabotage Protection

APPENDIX A
Glossary of Terms Used in the Study of Nuclear
Power Plant Design Concepts for Sabotage Protection
... .., ,.,..The following definitions am. . , applicable to the . terns used in the
. ,
nuclear power plant design study..' They are not intended'to be all-
inclusive or universal. In this context, emphasis is placed upon
sabotage and related acts, although, in other applications, theft
could also be included.
CONSEQUENCE MITIGATION MEASURES. Actions taken onsite by a licensee
to mitigate the offsite conseqences of an unavoidable release of
radioactive materials.
CONSEQUENCES. Offsite public health and/or economic effects caused by
a telease of radioactive materials.
DAMAGE CONTROL MEASURES. Measures that can be employed or actions
which can be taken within hours after an act of radiological sabo-
tage to prevent or reduce the release of radioactive materials.
PHYSICAL PROTECTION MEASURES (SYSTEMS). The combination of proce-
dures, personnel, and hardware (alarms, barriers, etc.) included
in safeguards systems specifically to deter, detect, assess, de-
lay, and respond to acts of radiological sabotage against the
plant and/or the operational systems.
PLANT DESIGN MEASURES (OPTIONS). Measures that can be employed in the
design and fabrication of operational systems or in plant layout
,to increase the difficulty of sabotage (decrease component or

system vulnerability) or to better accommodate physical protection
or damage control measures (decrease plant vulnerability).
PLANT OPERATIONAL SYSTEMS. Normal and emergency plant systems re-
quired for safe operation or shutdown. These systems do not in-
clude physical protection measures (systems).
PLANT WLNERABILITY. The susceptibility of the nuclear power plant,
considered as an entity, to acts of sabotage. Plant vulnerability
depends upon component and system vulnerabilities, the nature of
the threat, operational procedures, and the physical protection
, veasures in operation.
RADIOLOGICAL SABOTAGE. A deliberate act of destruction, damage, or
manipulation of vital equipment witch results in the release,
beyond the plant boundary, of sufficient radioactive materials to
endanger public health and safety due to radiation exposure.
RISK (PUBLIC RISK). The possibility of personnel injury or property
damage. Alternatively, the expected loss due to a given unit of
activity or the conduct of that activity over a given period of
time. In terms of deliberate acts, R = npC, where R = risk,
V = probability that the act will be attempted, p = probability of
success given the attempt, and C = consequence given that a spe-
cific act occurs.
SAFEGUARDS SYSTEM EFFECTIVENESS. A measure, qualitative or quantita-
tive, of the degree of success of the safeguards system in pre-
venting acts of sabotage and/or preventing public injury due to
such sabotage. In this context, the term applies only to activi-
ties under the control of the licensee.
SAFEGUARDS SYSTEMS (LICENSEE). The totality of onsite measures, plant
design, damage control, and physical protection used to protect a
nuclear power plant against acts of radiological sabotage and/or
to protect the public from the consequences of such an act of
sabotage.
r

WLNERABILITY. The inherent susceptibility of a component or system
(by virtue of its design and construction details) to damage or
improper manipulation by an adversary. Hence, vulnerability is a
characteristic of the particular component or system. For exam-
ple, if a steel door can be cut with a power saw and opened, the
door is vulnerable to that action.

APPENDIX B
Public Riek Due to Sabotage of Light Water Reactors

APPENDIX B
Public Risk Due to Sabotage of Light Water Reactors
Risk is defined as the expected loss due to the conduct of an
activity for a given period of time (Reference 10). Risk is computed
by taking the product of the frequency of occurrence of losses and the
magnitude of the loss. Risk, R, in terms of frequency, F, and conse-
quence, C, is therefore
conse uence events consequence
TiTAiXT " unit time event
For events which are purposely initiated, the frequency of occur-
rence is a function of the frequency, r, of the attempts to produce
some consequence and the conditional probability, p, that an attempt
will be successful. The risk equation in this case becomes
For a particular type of activity, there may be a range of possi-
ble consequences which can be induced and a number of event sequences
which can cause the expected consequences. For certain activities, it
is possible to identify discrete levels of consequences and well-
defined sets of events (sequences*) leading to the different conse-
quence levels. In such cases, the risk equation for one sequence can
be written as
L
A sequence is a cut set of a sabotage fault tree equation and
does not necessarily imply a particular time order. However, a time
order can be determined for time-dependent sequences when necessary.

where
The risk due to sequence j leadin? to consequence level i.
Rij
= The probability that an adversary will attempt to complete
"1
sequence j.
= The conditional probability of success of causing con-
Pij
sequence level i given attempt of sequence j.
Ci = The magnitude of consequences for consequence level i.

The probability of causing release category i, given attempt of
sequence j, can be expressed in terms of the probability, p of SUC-
1'
Ceasful completion of sequence j and the probability, Uii, that com-
pletion of sequence j will cause release category i. ~h;s,
Each sequence j consists o'f one or more discrete events, all of which
must be completed in order for the sequence to be successfully completed.
If the probability of completion of the kth event in sequence
j i8 qjk and there are events in sequence j, then the probability
j
of sequence canpletion is
The probability that completed sequence j will lead to release
category i depends on the details of the accident progression as well
as on the success of any measures taken to correct failures induced by
a saboteur. In this discussion, the uncertainties in accident pro-
gression will not be treated. Instead, it is assumed that each com-
pleted sequence leads with certainty to a particular release category
unless actions are taken to reduce the magnitude of radioactive mate-
rials released or to mitigate the consequences of release.
Damage control measures could potentially restore some of the
functions lost as a result of the occurrence of events in a sequence.
The effect of these damage control measures could be reduction of the
release magnitude, which would effectively change the release cate-
gory. Similarly, consequence mitigation measures could reduce the
ultimate consequence level if release does occur. Consequence level i
could occur as a result of a succeesful attempt to cause Ci or as a
result of an attempt to cause some greater level of consequences
followed by damage control or consequence mitigation measures which
bring the consequence level down to Ci. If sequence j, in the absence

of damage control or consequence mitigation, leads to release category
I, if the probability that damage control measures reduce the release
category for sequence j from to m is written PDcjem, and if the
probability that consequence mitigation measures reduce the consequence
level for sequence j from m to i is written as , then
PCM
jmi
,where the PDC and PCM must satisfy the conditions
jam jmi
"c
m=l
"c
= 1 for all j, and
P 1 for all j
t t i o n of Equations (l), (5), and (6) into Equation (3) yields
the following equation for total risk accounting for damage control
and consequence mitigation:
c i i "3
= C C C n j n qjk
1 j=1 we k= 1
'CM jmi
= i

The objective of safeguards is to reduce risk to an acceptable
level. In terms of the expanded risk equation parameters which can be
affected by safeguards, risk can be reduced by
A reduction of the probability that an adversary will attempt
sabotage (reducing n 1,
j
A decrease in the number of sequences which could cause re-
lease (reducing ni),
An increase in the number of events required to complete
sabotage sequences (increasing n.),
3
A reduction of the probability of success of events in sabo-
tage sequences (decreasing q ), or
jk
An increase in the probability that the consequence of suc-
cessful sequences can be reduced through damage control or
consequence mitigation measures (reducing the product QijCi).
This can generally be accomplished by increasing
and PCM to force Ci to lower values.
'DC jlm jrm
The relationship between the probability of attempt and safe-
guards system characteristics is not well-defined. At present, no way
to quantify this parameter exists, although it is likely that reduc-
tion of the probability of success for a given attempt will reduce the
probability of attempt. The emphasis in the study will be on reduc-
tion of the conditional probability of adversary success; the proba-
bility of attempt will not be considered further.
Design objectives for the plant design alternatives considered in
the study are based on the risk reduction options stated in items 2
through 5, previously listed. A preliminary set of design objectives
to be used in the study followsa
1. Eliminate fundamental failure mechanisms of systems or compo-
nent# in order to reduce the number of sequences which can
lead to radioactive release,
2. Reduce the number of paths by which a saboteur can gain
access to vital areas,

4
3. Physically separate vital components that must be destroyed
into combinations of two or more so that a saboteur must gain
access to more areas in order to eliminate the system
function,
4. Increase the number of redundant functions which must be
failed in order for release of radioactive materials to
occur,
5. Enhance the implementation of safeguards systems,
6. Decrease the vulnerability of vital equipment to acts of
". sabotage,
7. Provide the means for effective damage control, and
8. Provide the means for effective consequence mitigation.
The first six of these objectives have a direct relationship to
the safeguards system at a reactor plant; the last two have safety
implications as well. The design alternatives considered in the study
will be primarily those related to the first six objectives. Damage
control measures will also be considered in some detail because they
appear to offer significant potential value with relatively low im-
pact. Consequence mitigation measures will be considered only if they
relate directly to the licensee responsibility e . , can be accom-
pliahed on site).

APPENDIX C
The Design Study Technical Support Group

APPENDIX C
The Design Study Technical Support Group
The Design Study Technical Support Group (DSTSG) was created to
assist in the developnent and evaluation of nuclear power plant design
concepts for sabotage protection. Most of the participants were indi-
viduals selected by corporate management after contractual coverage
was established. In two instances, direct consulting agreements were
established with individuals recommended for their particular exper-
tise by other sources.
The DSTSG functioned under the following Statement of Work:
The contractor will provide technical support through
participation in a Design Study Technical Support
Group (DSTSG) for: (1) the review and evaluation of
plant design alternatives for increased sabotage pro-
tection, (2) the review and evaluation of damage con-
trol measures as adjuncts to safeguards systems for
light water reactor nuclear power plants; and (3) the
value-impact comparison of alternative combinations of
plant design, damage control, and physical protection
for reactor safeguards.
For the first and second efforts, the contractor will
participate as part of the DSTSG in a formal review of
the program Nuclear Power Plant Design Concepts for
Sabotage Protection. During this review, the contrac-
tor will evaluate (with other members of the DSTSG)
the design alternatives proposed in terms of their
impact upon safety, plant operations (including main-
tenance) and, where possible, the direct dollar costs.

The contractor will evaluate the damage control op-
tions presented in terms of normal plant availability
of the required equipment and personnel, as well as
any impact such measures may have upon safety, opera-
tions, and costs. For the third effort, he will con-
sider, at the request of the Sandia staff. specific
questions arising from the formal review. These con-
siderations will center upon the value of particular
concepts or combinations of concepts to sabotage pro-
tection and their direct impact on safety, operations,
maintenance, and cpsts. The contractor will document
such considerations in a letter report.
The actual participants in the DSTSG are listed in Table C-1
along with their corporate affiliation. Two meetings with the full
DSTSG were held early in the program, in February and April 1979. The
interactions which occurred there significantly influenced the evalua-
tion of the design options and had a major impact upon the directicn
and scope of the damage control studies. In addition, individual
members were asked to review specific material during the study. A
final review meeting was held with selected members of the DSTSG after
this report was drafted to elicit their comments.
It must be emphasized that no attempt was made to have the DSTSG
reach a consensus on any particular issue. That is, the DSTSG did not
function independently but as an integral part of the total program.
Thus, the final product of the study includes consideration of views
expressed by the DSTSG but may not always agree with individual mem-
bers' ideas. There is no doubt that the use of the DSTSG was very
beneficial for the program. The individual members brought a wealth
of experience and knowledge to the deliberations, which would have
otherwise been unavailable to the study.

Name
Alan R. Kasper
Tobias W. T. Burnett
Eric W. Swanson
J. E. Maxwell
T. J. Victorine
Frank Gabrenya
Robert L. Dobson
Leon R. Eliason
Dennis P. Galle
Mario J. Maltese
Table C-1
Design Study Technical Support Group Participants
Corporate Affiliation
System 80 Area Manager, Combustion Engi-
neering, Inc.
Program Manager, Strateqic Resources Water
Reactor Divisions
Westinghouse Electric Corporation
Nuclear Engineer, Power Generation Group
Dabcock and Wilcox
Manager, Electrical Enyineering STRIDE
Project, General Electric Company
Project Manager, Sargent and Lundy
Principal Engineer, Thermal Power Organi-
zation, Bechtel Power Corporation
Senior Engineer, Electrical Division, Duke
Power Company
Plant Superintendent, Monticello Nuclear
Generating Plant, Northern States Power
Plant Superintendent, Braidwood Sta.
Commonwealth Edison
Director, Security and Safety, Power
~uthority, State of New York
Frank J. Schwoerer Technical Director, SNUPPS Nuclear
Projects, Inc.

- -- --
References
'safety and Security of Nuclear Power Reactors to Acts of
Sabotage, SAND75-0504 (~lbuquerque: ~andia Laboratories, March 1976).
2~rotection of Nuclear Power Plants Against Sabotage,
SAND77-0116C (~lbuquerque: Sandia Laboratories, October 1977).
3 ~ . B. Varnado et al., Reactor Safeguards System Assessment and
Design, I, SAND77-0644 (Albuquerque: Sandia Laboratories, June 1978).
4~ummary Report of Workshop on Sabotage Protection in Nuclear
Power Plant Design, SAND76-0637 (Albuquerque: Sandia Laboratories,
February 1977).
'~eview and Evaluation of the Nuclear Regulatory Commission
Safety Research Program, NIJREG-0392 (Washington: USNRC, Advisory
Committee on Reactor Safeguards, December 1977).
6~estimony of Frank Bevilacqua, Vice President, Engineering,
Nuclear Power Systems Division, Combustion Engineering, Inc., before
the Subcommittee on Energy and Environment of the House Committee on
Interior and Insular Affairs, May 5, 1977.
7"~rogram Plan for the Protection of Nuclear Materialn
(Albuquerque: Sandia Laboratories, November 1976, draft).
'~ixed Facility Physical Protection Program, Program Planning
Document for FY77-78 (Albuquerque: Sandia Laboratories, October
1976).
'~eactor Safety Study - An Assessment of Accident Risks in U.S.
Commercial Nuclear Power Plants, NUREG-75/014, WASH-1400 (Washington:
USNRC, October 1975).
losocietal Risk Approach to Safeguards Design and Evaluation, ERDA
7 (Washington: USERDA, June 1975).
"G. B. Varnado and N. R. Ortiz, Fault Tree Analyses for Vital
Area Identification, NUREG/CR-O~O~, SAND79-0946 (Albuquerquer Sandia
Laboratories, June 1979).
12~. M. Ericson and G. B. Varnado, Program Plan Nuclear Power
Plant Design Concepts for Sabotage Protection, NUREG/CR-0463,
SAND78-1994 (Albuquerque: Sandia Laboratories, December 1978).

'5. W. Hickman, "Systems Analysis, Reactor Safety Study Method-
ology Applications Program," Schedule 189, revised (Albuquerque:
Sandia Laboratories, ~ebruary 1977).
14standardized Cuclear Unit Power Plant System (SNUPPS) Prelimi-
nary Safety Analyses Report, containing Revision 14 (Rockville, MD:
Kansas City Power and Light Co., Kansas Gas and Electric Co., Northern
States power Co., ~ochester Gas and Electric Co., and Union Electric
Co., January 1976).
15~alloway Plant ilnits 1 b 2 Addendum, Standardized Nuclear Unit,
Power Plant System (SNUPPS) Preliminary Safety Analysis Report, con-
taining Revision 9 (St. Louis: Union Electric Co., October 1975).
16wolf Creek Generating Station Addendum, Standardized Nuclear
Unit Power Plant System (SXUPPS) Preliminary Safety Analysis Report,
lcontalnlnq Revlslon
t
Co. and ~ansas Gas and Electric CO.).
17~eference Safety Analysis Report (RESAR-3 ) , Consolidated Version
(Pittsburgh: Westinghouse Nuclear Energy Systems, November 1973).
"Nicholas A. Petrick, "SNUPPS-The Multiple Utility Standardi-
zation Project," Nuclear Enqineering International, November 1975.
pp 935-941.
19~icholas A. Petrick, "A Progress Report on the SNUPPS Nuclear
Stations," Nuclear Engineering International, September 1977,
pp 55-57.
20~. U. Worrell, Set Equation Transformation System (SETS),
SLA-73-0028A (Albuquerque: Sandia Laboratories, July 1973).
"R. B. Worrell, "Using the Set Equation Transformation System on
Fault Tree Analysis," Reliability and Fault Tree Analyses, eds R. E.
Barlow, J. D. Russel, and N. D. Singpurwalla (philadelphia: SIAM,
22"~efinition of Vital Areas and Equipment," NRC Review Guiaelzne
- 17 (Washington: USNRC, January 1978).
23~. W. Hickman and D. D. Carlson, A Value/Impact Assessment of
Alternate Containment Designs, SAND77-1103C (Albuquerque: Sandia
Laboratories, November 1977).
24~urvey of Problems Associated with Power Reactor Sabotage by
~x~lon~ves or Incendiary Devices (Los Alamosr Los Alamos Scientific
raboratory, May 1978). Study was done for the Division of Operating
Reactors, NRC, and made available to interested participants at the
USNRC-sponsored Industry Meeting on Nuclear Reactor Safeguards,
Albuquerque, May 11-12, 1978.

25'o~equirement for physical Protection of Licensed Actrv~ties in
Nuclear Power Reactors Against Industrial Sabotaqe," Section 73.55 in
"Energy," Chapter 10, Code of Federal Regulations (Washington: GSA.
Office of the Federal Register, January 1, 1979).
26~. C. Ebersole and D. Okrent, An Inteqrated Safe Shutdown ecat
Removal System for Light Water Reactors, UCLA-~ng-7651 (Los Rngeles:
University of California, May 1976).
27~lan for Research to Improve Safety of Light h'ater Nuclear Powe
Plants, NUREC-0438 (woshinqton: USN'C, April 1978).
28~~1-2 l,essons Learned Task Force Status Report and Short-Term
Recommendations, NUREG-0578 (Washington: USNRC, July 1979).
., . 29~arrier Technology Handbook, SAKD77-0777 (Albuquerque; Sandia
Laboratories, April 1978).
30~ntrusion Detection Systems Han. :. 01, SAND76-0554 (Albuquerque:
Sandia Laboratories, November 1976, 0,::roer 1977).
31~. D. Boozer et al., Safeguards System Effectiveness Modellnq,
SAND76-0428 (Albuquerque: Sandla Laboratorres, September 1976).
32~. D. Chapman et dl., Safeguards Methodology Development Hlstory,
NUREG/CR-0788, sAN~79-0059 (Albuquerque: Sandla LdDOKatorleS,
May 1979).
33~. D. Chapman and D. Engi, Safeguards Network Analysis Procedure
(SNAP) -- Overview, NuREG/CR-O~~O, SAND79-0438 (~lbuquerque: Sandia
Laboratories, August 1979).
34~. D. Chapman, Application of SAFE to An Operating Reactor,
NuR~G/c~-0928, SAND79-1372 (Albuquerque: Sandia Laboratories, August
1979).
35~. D. Boozer and D. Engi, Simulation of Personnel Control Systems
with the Insider Safeguards Effectiveness Model, SAND76-0682
(Albuquerque: Sandia Laboratories, April 1977).
36~. D. Boozer and D. Engi, Insider Safeguards Effectiveness Model
(ISEM) User's Guide, SAND77-0043 (Albuquerque: Sandia Laboratories,
November 1977).
37~. L. McDaniel et al., Safeguards Against Insider Collusion,
NUREG/CR-0532 (La Jolla: Science Applications, Inc., December 1978).

NUCLEAR POWER PLANT DESIGN CONCEPTS
FOR
SABOTAGE PROTECTION
VOL.lIME I I
APPENDICES D, E, Y, G
Printed Jdnuary 1981
!;an11 ii~ N'I~ ional Laborator ics
Albuqucrquc, Ncw Mexico 87185
0pc:ratcd by
Sandia Corporation
fur thc
U.!;. I1c:partmcnt of Encrc~y
rearel Lor
I)iv iaion of f;aforjuardtj, fuel Cyclo and Env lronmcntal Hc?warch
Off ice of Nuclo~r Iccquldtorv Iter,oarch

X 1.' -- " .IIt 1011 1.'- 1

NUCLEAR POWER PLANT DESIGN CONCEPTS
FOR SABOTAGE PROTECTION
VOLUME 11, APPENDIX D:
NUCLEAR POWER PLANT DESIGN ALTERNATIVES
FOR IMPROVED SABOTAGE RESISTANCE*
L. D. Kenworthy
C. A. Negin
International Energy Associates Limited
Washington, D.C. 20037
14 September 1979
Volume 11, Appendix Dt contains work performed under Sandia
Contract No. 07-9129 for Yandia Laboratories.

INTRODUCTION
1.1 GENERAL
1.2 OBJECTIVE OF WORK
TABLE OF CONTENTS
1.2.1 Identification of Candidate
Design Alternatives
1.2.2 Classification of Candidate
Design Alternatives
1.3 DESIGN STUDY TECIINICAL SUPPORT GROUP
1.3.L Function of DSTSC
1.3.2 llow DSTSG Input was Uscd
1.4 EVALUATION
RESULTS
DESCRIPTION AND DISCUSSION
3.2 U:JDERCROUND SITING, CATEGORY 1.1
3.3 IIARDENED CONTAINMENT BUILDING, CATEGORY 1.2
3. 4 HARDENED PULL IlANDLIh'G 13UII,DII.IG, CATEGORY I. 3
3.5 HARDENED ENCLOSURE FOR CONTROL ROOM,
CATEGORY I. 4
3.6 IIARDENED ENCLOSURE FOR REACTOR PROTECTION
SYSTEM (RPS) AND EMCI NEERED SAFETY PEATUHES
ACTUATION SYSTEM (ESl.'AS) CAl3INKTS, CnTEG(.lRY 1
3.7 IlAROENEI) ULTIMATE III.:AT SINK, CATEGORY I. G
PAGE
-
D- 11

TAKING ADVANTAGE or NATURAL PROTECTIVE
GCOGRAPIIICAL I?EATUI

.-.*,....* ,.,.,.,.
3. 2 3 .\[)GITIONAI., I'ROTECTICD, I.L\E:UAL CO?!'CROI, ROD
TRIP, CATCGORY I1 I. 5
3.24 ADDITIONAL, KANUTiLI.Y ACTIVATED, DIVLRSI: AX.:;)
PROTECTED RE.\CTOH TRIP, CATEGORY I I I . 6
3.25 TURBINE RUNDACK, ChTECORY 111.7
3.26 RIIDUCED VULNEItADILITY 01' INTAKE STRUCTURE3 FOR
SAFETY RELATCD PUMl'S , CF~Tl~(~0lIY I I I. 8
3.27 TRIP COILS FOR LIREAKEI?S/SWITCHCE>LI< ENISRCIZED BY
INTERNAL POWER SOURCE, CATEGORY 111.9
* ,.,., * .,~> .,. . ,, ., ,, . .,
". . , . . ,,, ,,.,,
3.28 HI~ll PRESSURE: RllR SYS'I'EE:, CATECORY 111. 10
3.29 IIAI{DENED DECAY IlEAT REMOVAL SYSTEM,
CATCGORY IV. 1
3. 30 INDEPENDENT, DIVI2RSE SCRAM SYSTEI.1, CATI:GOI

4.11 SEI'AIU'PION OF SAFETY IICIATED PIPINC;, CONTItOL - PACE
CABLES, AND POWER C;iULES IN UNDERGROUND .
GALLERIES, CATEGORY 11.2 D-98
4.12 S'I'OMGE OF SPENT IWCL WITIlIlJ PRIMARY CONTAINML'NT,
CAT~~G0Rsf 1 I . 3 D-99
4.13 SPENT FUEL STORED RELOW GRADE, CATEGORY 11.4 D-39
4.14 PIIYSICAL1,Y SE;PARATE AND PROTECT REDUNDANT TRAINS
OI: SAl:l:'CY EQ!JIPMEN'I', CATEGORY 11.5 D-93
4.15 SEPAIIATE AREAS OH ROOMS FOR CABLE SPREADING,
. . . , -. . CATEGORY I I. G, , , .. ... , .,, .,,, D-100
4.16 ALTEI(N,\TC CONTROL VOOM ARRANGEMENTS, CATEGOIZY
11.7 D-101
4.17 XCCS CiXIPONCNTS WITIIIN CONTAINEGNT, CATEGORY
11.0 D-101
4. lfl AUEIINISTRATIVE, INFOPJ-WiTION, AND CONSTRUCTION
DUILDINC!: LOCATED OUTSIDE OF PROTECTED AREA,
(!'" n ILGOHY ' 11.9 D-101
4.20 DESI(;N CIIANWS 'Kt I'ACILITA'I'C DAMAGE CON'I'IWL,
CA'PKGOIIY I I I. 2 D-101
4.21 AI.TI?RIJA'I'E CONTAINMP~~~T DKSIGNS, CATEGORY 111. 3 D-102
4.22 EXTRA I(CDUPIDANT, FULLY SEPAIUiTED, SELF-CON'I'AINED
AND PROTECTED TRAINS OF EMERGENCY EQUII'MICNT ,
CATEGORY 111.4 n-102
4.2 3 ADDITIONAI, I~~:C'I'CD MANUAL CONTROL ROD wri,,
CATEGORY I 11.5 D-103
4.24 ADDITIONAI,, MANUAl,IdY ACTIVATL.:D, DlVEIISE,
PROTECTI

PAGE -
4.28 HIGlI PRESSURE RIIR SYSTEM, CATEGORY 111.10 D-104
4.29 II'\RDENED DECAY IlEAT REMOVAL SYSTEM,
CR~GORY IV. i D-104
4.30 INDEPENDENT, DIVERSE SCRAM SYSTEM,
CATEGORY IV. 2
TABLE 1-1: Summary of Rccommcndations Prom LWR
Safcqunrds-Relatcd Studies D-16
TABLE 2-1: Catccjorization of Dcsign Alternativcs D-22
of ~andidatc Dcsign Altcrnntivcs D-23
TABLE 2-3: Dcsign Altcrnatives Currently Applicd Having
Potcntiol for Irnprovincj Sabotaqc Rosistancc
with Minill~urn Impacts D-24
ADDENDUM A: Composition of Dcsiqn Study Technical
Support Group (DSTSG) D-103
ADDENDUM D: Cornmcnt Summaries of DSTSC D-113
ADDENDUM C: Systcm, Description, Inclcpcndont Safe.
Shutdown Systcm (ISSS) D-147

. . . , '
. . .
. .
. , ., , , ,
. . . ,
hls report describes work performed by International Encrgy Associates
imited (IEAL) under contract to Sandia Laboratories as part of the
Vera11 program Nuclear Power --- Plant Design Concepts for Sabotage
,:Protection (SAND 78-1994). This work was performed as a part of Task
ign Options.
-.-
VE OF WORK
. .
The objectives of the work reported here were to identify practicable
'plant design al ternatlves 'which would improve tnc rcsiscance of nuclear
power plants co acts of attempted sabotage and to categorize the candi-
date alternatives into four broad groups:
I. Hardening Critical Systems or Locations:
XI. Plant Laycr~r Modifications;
111. Systcms Design Changes: and
1'1. Addition of 'Systems
eparate task.in the overall program is thc invcstigacion of the
pllcatlon of damage control measures lor plant sabotage protection.
dttlonal tasks will then combine selected plant design alternatives
nd damage controi options'to provide alterr.3te plant cont'iguriitions.
physical protec:ion sysrem conei~tent wi:h current requlations will hen be integrated with those altercate plant conf~gurations to permit
analyses of thclr counter-sabotage eft'ectivcncsv and imp~cts. It is
not the intcnt of thc w ~rk pt'formed under Ta?'.. ? to .- recommend - .-- .- - - - .
daalqn alternaeiven b ~ r~thcr t to identiiy, catalog, and describe the
oltornstivqs 38 J basis tt>r furthcc ana:ysi.r ~ n d evai~~tron.
. specific

The design alternatives identified in this work are intended pri-
marily for new nuclear power plants rather than as backfits for
existing plants. However, some alternatives may be suitable for
consideration as backfits.
A four-loop PWR of current design was chosen as a model plant for
Purposes of this study. In general however, most of the candidate
design alternatives are not unique in concept to that specific plant.
1.2.1 Identification of Candidate Design Alternatives
1.2.1.1 Apprcdcn to Selection Of Candidate Alternatives. Plant de-
sign alternatives were sought which would provide at least one of
the following three improvements in plant protection. These are
termed general performance objectives and are:
1. Enhanced protection for reactor coolant pressure bounduL);
2. Enhanced protection of decay heat removal function; an2
3. Enhanced protection of reactor trip function.
EnhanceJ protection for the reactor coolant pressure boundary icproves
resistance to a sabotage induced loss of reactor coolsnt, an
event of major magnitude in itself but which, in combination with
othei postulated sabotage acts, could res~lt iir plant damage beyoqd
. the design basis. Enhanced protection of the reactor coolant pressure
boundary also contributes tc .n--ovement in the ability to remove
decay heat, sjnce an intact nuclear steam zupply system is
necessary for the functioning of some of the modified decay heat
removal systems presented in this report.
Enhanced protection of the decay heat removal function ensures the
ability to maintain the reactor in a safe condlt~on for an extended
period of time even though consldcrable damage nay ha3/e been done to
the moce vulnerable parts of the plant. Decay heat remo.~al also
applies to the sr?nt fuel stored in the spent fuel storage pool.

,.. .
,.
Providing enhaxed protection for the rezctor trip f~nction enF'ires
, .
the . . capability to rapidly reduce reactor power to decay heat l~vels.
If this capability were denled b:~ sabotsge, then energy removal from
the nuclear fuel would be de~e~dent cn the ?lant's power conver-:on
. .
system. But the power conversion system is relati\?ly unprotected
and vulnerable to attenpted cabotag-. and, in addition, the off-site
pwer transmission ?';;tern is sssuried to be unavailable under storage
analysis. Therefore enha1:ced prot~ction of the r~actor trip function
ensures the ability to rapidly reduce reactor power to levels that
are within the design capability of the decay heat rernoval system
(e.g., aux~liary feedwater and residual heat reinovql, RIIRI.
Trotectior, of tke er.erconcy core coolinq system (ECCS) is also part
of the general perforrance objective of enhanced pro:ection of '.:le
decay neat- reaoval function. Xhile t!ie rurposc of general perfor-
mance ohjecti.de ?;o. 1 is to obvlatr the need for the ECCS, the ful-
fillment oL that objective under an assumed eabotage action that
resulted in pzrtia: or total loss of ECCS capability wouid s:ill
leave the p!>nt In a pctentially threatened condition. Tberefare
sone of the candidate deziqn alternatives arc directrd towar5s pro-
tection of LCCS capabil i ty.
1.2.1.: Sourcee. Sources utilized for the identification of candi-
date cesiqc al:crn,3:i-fe~ incl~de previous recomnondatlons by Sj~dia
Laboratories ?tud~cz >no industr:~ working groups. Table 1-1 sum-
marizes the recnmz!endatlonz that resulted from these stndles. The
Advisory Committee on Re3ctor Safeguards (ACHS) in its report enti1
ted Beview an6 E'~aluatior, -- of trhe ;;UC~G~K 3eaulatory Conmiexion
-
--
Safet] iC~st?,irck Procr;:? (::i:P.EG-0.292) recom~ended tt~~t research be
conducted on nuclear power plant design concepts tht a2ke sabotaqe
more difficult snd nitigate it- consequences. Specific cxanplcc of
csch concepts t!-.d: were cited bre: !1) alternat~uc 10~3tion2 of the
zpent fuel ctora?? pocl, (2) 2 tunkcred, dedicated, deca:~ heat re-
moval s:z:r3n, ar.? ( ) lncr;.asr.u repiration of i?d\indant zafety-

eport Pian for Research to Improve the S3fety of Light-Water
Nuclear Power Plants (!dUREG-0438) selected, as a separate research
topic, lnprovements in plant design ttat would enhance protection
against sabotaqe. Aithough no specific scq?estions for design ia-
provements were given, the NRC authors acknowledged that many of the
concepts for improved plant configura~ion and design are zlso appli-
cable to protection against sabotage. As sources for candidate
design alternatives, tho concepts embodied in the following NUREG-
0438 research topics are considered, by the rsthcrs of the work pre-
. sented herein, to be spp!lcable for lmpraved sabotage protection:
(5) Alter?ate Emergency Core Cooling Concepts, (6) Alternate Decay
Heat 3ernoval Concepts, (7) Alternate Containment Concepts, (E) XZ-
proved Reactor Shutdoxn Systems, (13) Inproved Plant La;:oct and
Compocent Protection, and (15) !Jew Siting Concepts. The concepts
presented acov have all been incorporated inco candidate desi~n
alternativfis for improved sabota~e resiztancs.
In addizion to the sosrces previously mentioned, literature seirches
were conducted ccveri~g the period from Zanuary, 19i7 throuqh Axjust,
1978. These res-lted in the identification of several papers des-
cribing foreign design practices which agpear to offer improved
sabotage resistance. Tinally, engineerinq judger..ent, based cz the
authors' experience, was drawn upon for some alternatives and for
adqtion of desiyn practices which, to a greater or lesser extent,
are currently utiiized :G meet other requirements (e.g., turbine
runhacki.
The reader is relerred to Section 2 of this report for a complete
listing of the identified candidate design alternatives and to Sectldn
3 for descripticnr hnd details of inp!ementat:on. A conplete listlrlg
of reference material su~porting each of the indlviduai candidate
dccign alternativcs is provlded in Section 4 of tt:is report.

2 1 . 3 Desirable Attr~tutes of Candidate Desicn Alternatives. In
addition to the three general performance objectives for the candi-
date d,esign alternatives that were discussed in Section 1.2.1.1,
there are other desirable attributes which the candidate alternatives
should possess. These are:
1. Feasitility of Enq~neerlng and Construction.
2. State-of-the-Art.
3. High Benefit/Cost 3atio.
4. Minimal Inpact on Xormal Plant Operation and Maintenance.
5. Independence.
6. Slde Benefits.
h feasible concept is one that is capable of bein9 developed to a
workable design, wnereas state-of-the-art refers to a concept that
can be implemented without further development of technology or
hardware.
Feasibility and state-9i-the-art are attributes that ensure that the
candidate alternati.:es are >racticatle. A high Senefit/cost :atio
is desirable to rnaxiz:ze efficiency of investxent for sabotage protection.
The candiZ~te alternatives should not result in undue
restricticns on normal piant operation and xaintenance activities
(e.g., by reztricticg operator opportunities for rodtine surveillance)
since the effect- cuuld be in the direction of reduced overall safety.
To the extent practical, the alternative design fe=t,~rec should be
independent of the mire vulneratle parts of the plant. Independence
in thic sense can man f"?ctlonal or physical independence. As an
example 7f the former, a hardened emrgency feedwater system that
requi:c; D.C. power for its operation nhoald not. Sc dependen: on the
plant'c D.C. eloctr~cal s:tzter~ zincc that plant's s:/sten nay be vul-
ner able t~ at te!cp:c-2 ~acota.;.~. An example of physical inCependence
would be the magicq ~f :r:~

Plant Desiqn Recommendat ions
i
'I'AU1.E 1-1 :
.
i
summa^ y ' of the Recommenda' lons f lorn LWH Safeguards-Related Studles
A. Provide a secure source of emeryency
rool~ng sufficient to t ~ k e
thc plant
to safe shutdown (coolant and power
s11ppl ics)
n. Provide dcsiqn fcatures to accommodate
damaqe control measures
C. Enclasc the spent fuel pool rl secure
areas
E. Sepal at\% contJi nment penet rdt ions
F. hss;irtx independence of each train of
clacs !E AC and DC emergency power
11. IIa1-#ic:ni4 construct ion for fue 1
hancil iny bui Id incj to i?rotect aq31nst
t)omls clr oppcrl into spent f l;e 1 [>no 1
I

TABLE 1-1 (can't)
'The column head~ngs refer to the ft~llowing studies:
I. Safety and Securit;. c3f Nuclea! Powe: Reactols to Acts of Sabotacje, Part 1 - Case Study
c*f 3 typical PWH Plant, Sandia Lal~oratorirs, SAND 74-0069, March 1975
I I. Satety and Security of Nuclear Power Reactors to Acts of Sabotage, Part I1 - Case Study
of a typica; BWR Plant, Sandla 1,aboratories. SAND 75-0336, October 1975
11 i. Safety and Sec~lr~ty of Nuclear Power Reactors to Acts of Satx>taye, Part 11 1 - Cur rent 11.5.
1Ad-f Plants, Sandia i.ahrator ies, SAND 76-0108, March 1977
15,C;s. E..dlu3t.ion and Dcslgn of Safeguards Systems for Nuclear I'ower Reactors, Sandla I,aboratories,
SAND 77-0644. April 1977 (Draft1
l ii5 Surnm~ry Repott of Ir'otkshop or. Sabotage Protection In Nuclear Power Plant Design, Sandia
Laborjtcrt ies, SAND 76-0637, February 1977
I . : he entrles rn the c-olumr~s are the section numbers of
rcpor 7 s that appl;. t n c,,ch r ecommendat lvn. The R-clcs lqnator s
I ncl I c;rtc rccc1mmr.nd.3 t ion ntrrnbe: s.

the protect ion at Zordcd by the cr,nt.tirmrnr, r3tht.1 t!l;ln to thc normal
feedwater lines out.!:idc containmc.r;t. Sicic. !ienef it:; wc:uid include
the ability to have one train of englnccr~td salct:~ fc.3turcs (ESI.')
equipment down for m~intcnancr wlillc st111 nwetinq t!;,~ slnqlt? f.lililrc
crit'r ion (und1.r the design s1tcrr:dt lvc. or providiriy i:rrc.l:;ttd rcdun-
dancy in the ESF), or additional prutcction 3qainst other forcc?Lul
events such 35 fire.
With cxccption of the bcncf it,'cn:;t rario, which must await corn[~lt?tion
of 1att.r pro~jrarn tasks lor it:; dctelrnin.?tion, an attempt tias hern
made .t~, ~r;r,css tb,e:;r. dcsiratlc ; ~ t iliute:; t ~ I'ur t!ach of the idrntified
candidate desiqn altcrnat i.:r:;, t it l~.,lr.t in ;r

. . ... .
l I I. SYSTEM DES IG3 CHANGES.
. .
. . . . .
i. High Pressure RHR System
. ,.
. , 2. Turbine Runback
I.
, ~
1'1. ADDiTIONAL SYSTEMS.
1. H3rdened Emcrgsncy Feedwater System
1.3 DESIGN STUDY TECHNICAL SUPPORT GROUP
As part ot the overall proilram, 3 .Design Study Technical Support ..
..
Group [DSTSG) war organized and p:aced under contract by Sanaia
Laborarories. This group consisted of individu~ls with extcnsivc
rxptrience in nuclear power plant operation and NSSS and nuclear
power plant design, incluainq the dcsicjn of backfrt rnoditlcations.
All of the candidate design alternatives presented in this report
wcce rcvi~:~wod by the DSTSG. The mpkeup of thc DSTSG is givn in
Appendlx A.

. .
, .~ ,. .
of the DSTSG were convened
, . . at Sandia ~abora'tor ies
, . .
meeting, the candidate alternatives were 'piesented
. .. to th
Each alternative was described , ,
.. in concept, 'including advan
-
d disadvantages ("pros" . and ., . "cons") re
mpact as perceived by the authors,
ion provided in Section 3. Comncnts of the group were . .
ring the discussion of the alternatives. Following this
ch group member was requested to prepare written comment
ore of the candidate alternatives. These comments were
and were discussed with the group at its second meeting
omment summaries appear in Appendix R. ;
DSTSG Input was Used
omments were used to help develop an assessment of the
esign alternatives regarding their feasibility, state-of-
the-art, and impacts. These factors all relate to the practicability
of the candidate alternatives. Therefore, the DSTSC comments on
these factors directly contributed to the basic objective of this
work of identifying practi~able design alternatives. Also, the corn
nents of the group on the potential of a candidate alternative to
improve the resistance of the plant to attempted sabotage were con-
idered. However, the results of this work concerning the latter
ntial to improve the resistance of the plant to attempted
ere not dependent on the input of the DSTSC alone.
ause of insights gained in the pertbrmance of this and previous
botage-related design studies for Sandia Laboratories, particularly .~
t to design practices in foreign countries whcre sabotage
cr ror ist activities have represented more urgent, concerns, and
the authors' experience in nuclear power plant: design and'
ration, the authors' assessment of improved sabotage resistance
tential has sometimes diverged from that reflected by the comments
the DSTSC. Cases of this sort are pointed out in Section 3 of
is'report. In the!r comments on the candidate alternatives, tho
' .,.
, .

CATECORlZATlOll OF DESICI~I ALT
- , . . . , . .
-
D*\iqn c tiongw to focilitatk donrcrqc! control -- - 1 2 1
Ai ttwwtt! rorrtninnwnt dc4lns
I. x trri-rr~duri~lur~t. tullv sr*l)wfllc*& sui t.o~wrt~rmwt und prottwted
.~O(~!!~~!!z~'.l!!~~?.~?
--.-.-- --- ---------.-
Addi ti~mol ~r0tflctcd control rod trip

TABLE 2-3
DESIGN ALTERNATIVES CURRENTLY APPLIED HAVIUG POTESTIAL FOR
I>lPROVIKG PLANT SABOTAGE RESISTANCE WITH MININUN IMPACTS
1.3 HARDENED FUEL HANDLING BUILDING
1.4 HARDENED ENCLOSURE OF CONTROL ROOM
1.6 HARDENED ULTIXATE HEAT SINK
1.8 HAR1)ENED ENCLOSURES FOR MAKELIP iv'irTER TANKS
IS. 1 SEPARATION OF COSTAINMENT PENETRATIONS FOR REDUNDANT
PROTECTION SYSTEMS
*I1.2 SEPARATION OF SAFETY RELATED PIPING, CONTROL CABLE,, AND
POWER CABLES IN UNDERGROUND GALLERIES
, 11.6 SEPARATE AREAS OR ROOMS FCR CABLE SPREADING
11.9 ADMINISTRATIVE, INFORMATION, AND CONSTRKTION BUILDINGS
LOCATED OOTSIDL IF PROTECTED AREA
t111.7 TURBINE RUNBACK
-
*Impacts site dcpendctlt
:Currently appl~ed bct testing impacts coald he high if safety rclsted

GENE RAL
3. DESCRIPTIOtG AND CISCUSSION
Inthis Section, each of the candidate design alternatives identified
, ,
by IEAL is described and discussed. The concept is stated and ex-
amples are given where appropriate. The sources of the concept are
given and discussed if necessary. The sources are also fully iden-
tified in Section 4. The advantages ard disadvantages of {he concept
as perceived by IEAL are stated. These are the same ag the "pro" and
"con" statements that were presented to the DSTSG in more abbreviated
form. The DSTSG inputs relating to feasibility, state-of-the-art,
impacts, and potential for improvement in sabotage resistance are
summarized. Other major comments by the DSTSG are also listed. AS
previously mentioned, the DSTSG comment summary sheets are provided
in Appendix B. Finally, a summary discussion of the concept is pre-
sented.
3.2 UNDERGROUND SITIXG, CATEGORY 1.1
3.2.1 Concspts
3.2.1.1 Mined Cavities in Rock Formations. In this concept the
nuclear powcr plant, or portions thereof, is constructcd inside of
cavities mined into competent rock formations. Variocs arranqemcnts
have been proposed, including surface siting of the turbine - gene-
rator, total undcrground siting, vertical access shafts, and hori-
zcntal access shafts. Several underground cavities may be employed
to house different parts of the plant. The cavities are intcr-
connected by tunnels for access and piping and cable routing.
3.2.1.2 Cut -- and Cover Burial. This concrpt consists ?f ~nd~rqrounding
by construction of the plant in a large, d ~ep excavation followed Sy
backlilling the excavation. Lncation of the 'urtinc - generator and
5
other 2econda:y plant structures is optional, either surf,-.ce or

underground. In both the Mined cavity ~ n d Cut and cover cbnccpts
numerous acccss sharts to the surface arc rcyuired for personnel,
pipiny, cables, ventilation,,and equipment handlin~j.
3.2.1.3 Ring Tunnel -- - - Containment. - - This concept is for 3 vertial.
cylindrical, reinforced concrete containment building to be placcd
partially uncterground in colnpc.!terit rock iormation:;. A reinforced
concrete ring tunnel :;urrounds the containment :;hell at grade level,
and the tunnel, at least its base, is also in contact with competent
rock. The intent of thc concept is to provide a containment with
excellent resi:;tancc to wind and'sci:i'mic forces but who:;c cost 1:;
reduced 3s compared wi. th morc convc?ntional surface coritain~~tcnts 31ld
with designs intcndcd to bc place,! con~pli!tcly undf!r~jrouncl. rrom .I
oabotage resistanc~t standpoint, this concrlpt nffcr:; a smallcbr tarqrt
and poss it.11 y on*: of i rii.r

of war. The ring tunnel containment is a patented concept (Seiden-
sticker et. al.) for a reactor containment for a szfcty research
experiment facility. The underground suppression pool is described
in the paper by Straum. The objects of the paper were to introduce
the concept and show that the necessary construction technology
exists.
3.2.3 Advantages
It is believed that underground siting offers improved protection of
the plant from very forceful modes of attack involving the use of
. ..
munitions. The purpose sf the Loken study was, in fact, to investi-
gate designs capable of resisting wartime attack. With a limited
number of well defined and controlled access ways into the plant, the
problem of controlling access should also bc more easily managed.
The conscquenccs of an assumed successful act of sabotage may be less
for underground siting if the access ways to thc surface are properly
sealc?.
3.2.4 Disadvantqes
: Increased cost is an obvious disadvsnt3ge of underground siting.
This has been estimated at 20 to 40 percent above costs for surface
: plants. Thc time required to construct the plant would also probably
be increased. Reliable scaling of the access ways to the surface has
beep mentioned as a d~fficult technical problem. Tighter equipment
4.
arrangements may be the result of attempts to minimize the volumes
and spans of underground chambers. This could lead to more restricted
accpss for inspection and repairs and, hence, reduced safety.
Decause of thcsc possibly more compact arrangcmcnts, there may also
bo reduced capability for damw;c control.

3.2.5 Sdmmary of DSTSG Input
- ----
DSTSG input indicated that underground siting was feasible, was
. ..
state-of-the-art,
. . and that the concept offered potential for im-
, ,. .
proved sabotage resistance. There was aqreement with the advantages
and disadvantages as presented by IEAC. However there was
very definite feeling that the cost impacts were overriding.
Some specrfic comments were:
.
Vent openings would be vulnerable:
Flooding hazard may be increased because of potential
.
rupture of circulating water system;
May be more diffi.cu1t to regain cgntrol of the plant if
.
it were seized by sabotcurs; and
Costs could be up to 50% greater than for surface siting.
3.2.6 Discussion
-
The concluoions of SAND 76-0412 regarding sabotaqe resistance
benefits of underground siting were that: (1) negligible in-
creased protection was provided against covert threats: (2) the
increased protection provided against hiqh strength threats may
be offset by reduced flexibility in plant recovery and damage
control operations.
There were no sidc benefits identified for this concept.
Because of the potential vulnerability of the access ways and
their closures, independence is judged to be low although it may
be poss~b:c to desiqn adequate protection for these items.
In summary, it would appear that any potentla1 gain in sabotage
resistance may have very hiqh impacts on cost and operatLon.

3.3 MARDENED CONTAINMENT BUILDING, CATEGORY I. 2
3.3.1 Concepts --
3.3.1.1 Containment - Hardened - Against External Impacts. This
concept involves increasing the penetration resistance of the
containment to external impacts such as explosives.
3.3.1.2 Containment - Hardened Against Rupture from Internal Pressure.
This tor-ept involves increasing the design pressure of the containment
to enable it to withstand the internal pressures resulting
from a loss of rcactcr coolant accompanied by unavailability of
portions of other engineered safety features (ESP), both conditions
assumed to be the result of acts of sabotage.
3.3.2 Sources
A major source for this concept, espccially concerning external
hardening, is the practice in the Federal Republic of Germany
(FRG) of designing the containment shell to withstand the crash
of aircraft, including a fighter aircraft (at 440 mph), and the
pressure buildup from a gas cloud explosion (to 21.0 psia in 0.1
seconds, holding at 18.e psia for 1 second). These requiremcnts
result in concrete thicknesses of up to 2 meters.
The intended advanta~cs of theso concepts are to make sabotage
;within containment more '>iff icult by increasing the difficulty of
gaining entrance (by penetration) and/or to mitigate ths conse-
quences of an assumed successful sabotage act that results in a
lono of reactor coolant and unavailability of portions of the ESF
by pravantinq rupt:lrc of the cor,tainn t by internal pressure.

, .
he ~er&an spherical containment for PWRs (also used by Duke
' ,
Power for the Perkins/Chcrokce plants) which cmploys a fre'e
. .
stand'iny steel inner primary containment 3:)" a separate concrete
I I '
outer, or secondary, containment would appear to pe~mit external
,. . ,
hardebinq and internal design pressure to bc indcpendint conside-
rations.
It is believed to bc vt-ry difficult technically (and c0scly) to
incre~sc the containment design pressure, cvcn with a free standing
steel primary containment. Estimates of pcak internal prcssurc
that could res~lt under v~rious loss oi coolant or corc mclt
circumstances have ranged to several hundred psi.
3.3.5 Summary of US'FSG Ir,put
There was marqinal indl~~tlon that hardening the cofitalnmcnt was
feasrblc and statc-or-the-~rt. The most definite indication received
trvm the DWSC was that there was no potentla1 for improved
resistance tt> :;abotaqv through hardrninq the containment. It
wan be1 icved th~t. thc e x i:;t ~nq containment desiqns wcrc alre~dy
sufficlcnt!y hardened tu rcsist torclblc pcnetratiun by s~butage.
There wd:s rro d?rinl:t? indicjt~on a:< ro thc accc!ptability or
unacceptabil it1 o r 1m;Jilcts rcl~tc-d ti, hard~ninq the. cmntainmrnt.

. ' :,
mcnt entry. These factors opcrate to minimize the likelihood of
,: I ' '
a sabotage - indwed loss cl reactor coolant from within'contain-
. . , ,,
ment. Assuminy means can also be found to prevent a aabotaqe
I. . .
induced loss ot coolant initiated from outside of containment
, .
(such ds the openlny of a prcssur~zcr power operated relief
valve), the incentive for a containment that can resist higher
internal prcssurer, ccasrs to c.x~st.
A Hardened Cuntainment Building is considered by the authors to
be h~yhly independent oC other parts ot the plant which may be
vulncrablc to sabotdqe.
Because ot technlual alf f iculties that have been mentioned in
dcslgning cont~inmrnts tor increased internal pressure, it is
be1 icwd the cost impact could tw high.
One of tho concl ~!:iun;; prc:ic..ntocl in SAND 77-1344 was that, for
3trOn~jCbr COntalnT.+nt3, thcr~ Wd:j Some. rcduutli)ll in rl:;k for
ccrtaln WA:;Il-1400 .~i:cldcnt sequencer;. The ri!jk reduction can be
considrrcd (1 s~dc. bcneilt for the 1iardcnc.d Containment Building
concept as appl 14 to improvement in plant sabocaqe reslscancc.
4 I~ARIJENI:D F:JEI. IiANI)I.IN(; UU I LDINC, CATEGORY I . 3
3.4.1 Concept .-

3.4.2 Sources
As an exwple, the fuel handling buildings for Units 1 and 2 Of
the Salem Nuclear G~?ncratinq Station represent hardened structures
totally of reinforced concrete construction dcsigned to resist
site specif ic natural forccs (seismic and wind loadings). Adapt-
ations of these designs could be made to be resistant. to specified
modes of sabotage attack as well.
The advantage of hardened construction for the iucl handling
buildings is improved resistance to pcnetration by cabotcurs,
thereby providiny improved protection for thc spcnt fucl. It
has been postulatcd that water in the spcnt rucl pool would he
expelled by explosives placed inside thc pcol and that f u ~ l
overheating could result. Where an outside wall of thcs fuel
handlinq building also forms one of the walls of thc spcnt fut.1
pool, hardcninq C J ~ the bui ldiriy may prov~de improved protect ion
against brcachinq the wall and dr~ininq the pool. Howt?ver,
walls of this type arc already qu:te tti~ck bc1:ilusc ul' :;hielJiny
requirements.
Extra cost is a disacivantar~e fo. .his concept where dv:;ig:~ mc.1-
~ures othcr than total 1 y rcinfdrccd concrete cwstr uct ion have
been adopted for protecting the spent 111~1. Thrrc may also he
additional costs even in compnr i:;on with cxl:jt iny reinforced
concrete fuel handlil~q buildings, such as tho:w I(or Salem, wtwn
potential nat~ota[jc* !osdlnqs arc taken into account.

3.4.5 Summary - - - of DSTSG - Input -
DSTSG comments indicated that the conccpt of a hardened fuel
handlinq buildinq was feasible and state-of-the-art. There was
. . .
. . ,
also marginal indication that the concept offered potential for
,, 4
improving the resistance of the plant to attempted sabotage and
that impacts were acceptable. One commentator offered that the
conccpt may be applicable to existing as well as new plants.
3.4.6 Discussion --
Because of the massive construction of totally reinforced concrete
fuel handling buildings, such as Cor Salem Nuclear Generating
Station, it may be considered that these buildings inherently
offer the anti-sabotaqc ~dvantaqeo of hardened fuel handling
buildings. In any event, it may be possible to strengthen buildings
such as these to provide these advantages without excessive cosc
impacts. Greater costs woul'd be associated with present designs
which do not prof;) le reinforced concrete construction for the
roof and for the walls above the operating floor.
There were no slds bpncfics identified for this concept. Inde-
pendence is considered to be hlgh.
Dccouse of extra protection provided for chc spcnt fuel aqalnst
posolblc dlrect phys1c.31 damaqe and ov~rhcclt~nq, thls conccpt IS
belrcvcd to oftcr poten:ldI tor rmproviny plant rcsistancc to
attempted sabotaye.
3.5 HARDENED ENC[.(ISUHE OF (.SN'l'ROL HOOM, CATEGORY I .4
3.5.1 Concept - . -. . .-
This vonccpt i r v :
( 1 I !
th+: :3trr!nqt.hr.n1nq of wdl I .:, f !oc~r:l, ccil lnqs
i t rl~c. cc,r~tl r, l rrmm Jrca rL\ pr+',~~r,t I , url;lut.!~ol. I ztvj

entry. The lntent of the concept is to provide protection against
a takeover of the control room by saboteurs or terrorists.
3.5.2 Sources
.. .
his' concept is derived from the German design practice of creating
n 30 minute delay for forcible entry of the control room. However,
this delay requirement is met not by hardening the control room
enclosure itself, but by locating the control room in the seismi-
tally quali.fied switchgcar building and employing vault type
doors for qccess.
7
3.5.3 Advantages
--.. -
The advant&e of this concept is the extra prctection provided
aqainst a fibrced takeo.,er of the control room by saboteur:;, con-
sidered by ;ome to bc one of the more credible moderi of attempted
sabotage.
Depending on the security related design features applied to the
control ro{m doors (double doors, ~ntcrlocks, ctc.), a r~daction
in operati& convenience could rcsul t. Iccrcascd costs represent
3:
an additional disadsfantagc.

. . . ,
It was also pointed out during jroup discussions that controi
rooms wcrc presently required to be of bullet resisting construc-
tion (walls, floors, ceilings, windows, and doors). Still another
member pointed out potential control room vulnerabilities and
. ,
possibilities for improved protection with the 0b::ervation that,
in one design with which nr was aguainted, a cable tray entrance
5
would have allowed passage of a man with explosives or wcapons.
Because it is bcl~evcd thdt thc. control room is d likely focus
for saboteurs, this concept is considered to offer potentla1 for
$
improved .:csistancc to sabotage. This assessment 1s madc from
the viewpbint of preventing a takeover ot thc ccntrol room and
attendant? implications rather than from an analysis of t!le plant
damaqc (apd d~!iociatt?d r.?diation cclcase) t.hat could he caused
,;
by sabate'ucs gaining access to the control room. Howcy/cr, it
li
does not Jppe.3~ that thc concept would offer any improved pro-
tect. :*)n abainsc an insider.
Sincc con:trol rooms are already de:.;~yncd to with:itsnd earth-
quakes, p,@netrstion by missiles, and penetration by bullcts, the
Y
atlditionj) cost Impacts associatcad w ~ t h increasing pc:~etrstion
re~.nisc~nc& to attcmptcd 3abotaqr. arc bc! leved tCj bc low.
I
1ndcpc.ndrpco for th i : conccpt in considcicd to LI: iow :; ir~ce
tal;covt:r 6,c les!, protected p2rts oi the plant may achictve thc
...
objccr. ivet; of thc terror istsisaboteilr::. Again, the basi:i !'or

. .
, . .
,, ?
. .
.;.
3.6 HARDENED ENCLOSURE FOR REACTOR PROTECTION SYSTEM (RPS) AND
ENGINEERED SAFETY FEATURES ACTUATION SYSTEN (ESFASI CABINETS,
CATEGORY 1.5
3.6.1 Concept
Under this concept, the RPS and ESFAS cabinets are enclosed
in a hardened room. This room incorporates penetration rcsis-
tant walls, floor, and ceiling, and is fitted with security
doors. Access control, tamper indication, and intrusion detection
are provided for the hardened room. Instrument displays and
status indication presently located on thc cabinets are repeated
in a location outside the hardened enclosure. The intent is to
protect the RPS and ESF cabrnets from tampering whlch has as its
aim the defeat of protective logic functions.
3.6.2 sources
This concept falls under the general category of hardening critical
systems or locations.
3.6.3 Advantages
Under this concept, access to the proximity of the RPS and ESPAS
cabinets would only be permitted to pcr!;onncl authorized to per-
form maintenance and calibration activities, thus enhancing the
protection of the RPS and ESIZAS display, loqic and control functions
in case of forcible assault on the control room.
::
Thls cor~cept would of for no protection aqainst arr authorized
insider, and would also restrict thc reactor aperiitor'r. access
to the RPS and ESFAS ~nbincts.
i

3.6.5 Summary of DSTSG Input
There was weak indication that this conept was feasible and
state-of-the-art. There was very strong indication, i,zwev?r,
that the concept offered no potential for improved plant resis-
tance to attempted sabotage. It was polnted out by the group
that tampering with the RPS or ESFAS cabinets would most likely
result only in a reactor trip or ESF actuation due to the Eail-
safe design of the protective logic.
,:. .,v, !
3.6.6 Discussion
, .
While thisconcept would increase the protection of the UPS and
ESFAS logic cabinets against physical damage and tampering, it
is not clear that it has potentisl for improving plant resistance
to sabotage. This is because the kinds of sabotage actions
likely to be performed by outsiders forcing entry to the control
room area would probably result only in tripping the reactor or
actuating some .>f thc'en3ineered safety features. The concept
would of fec no protechion against an authorized, knowled~eablc
insider. HOwe'~er, by increasing the difficulty of occcss, some
protection may be provided against outsiders if one more of them
have detsiled knowledge of the RPS and ESFAS.
Operational impacts arc not cons~dcred to bc severe since lt is
currently the pr~ctice to protect these cabinets against tamperlnq
by access control or tamper switches and alarms. The cost impact
should be moderate.
This concept would not appear to offer independence unless assoc-
iated equipment, such as reactor trip breakers, ESP switchgear,
and cable runs, are also protected and thus n 1 4 v !r?s vu1ncrab:s.
Thcre weru' no side lxnef i tc: identi f i.?d for t-hi:: cnnccpt.

, ,
3.7 HARDENED ULTIMATE HEAT SINK, CATEGORY 1.6
This concept provides for hardening ultimate heat sinks of certain
types, such as cooling towers or spray ponds, to enable them to
resist attcmptcd sabotaqe.
3.7.2 Sources ---.
Thin concept falls under the general category of hardening critical
systems or locations.
3.7. 3 Advantagf!~ -- --- .--
This concept permits plant cooldown cvcn though normal cooling
6yctems arc dpnied by sabotage action.
Additional cost would appear to he thr chlct dis.idvantaqe of
this concept .
3.7.5 Sllmmary .--- ol DSTSG Input. --:..
Therc was no clcar indication of feasibility ur stdtc-of-t.hc-art
tor this concept. In fact, thsre wan little consensus for this
concept. on Fca3ibility, state-of-thv-art, impactr., or potential
' for improved satmtaqc rcslntdncl?, altt~ouc~h
the balance of opinion
irrcl icatcd no potent. i.ll for improwd s.il~ot.ccj~ r eri istdncc.

. . .
. . , ,
mcntator felt that costs €or hardening may be acceptable.
suggested examplc was a cooling . tower on the rooE or the auxi-
;
'y buildlng with the cxtra costs of a strengthened auxiliary
ding traded off against savings in piping and excavation.
, ,
coup member -felt that hardening of ultimate heat sinks
uld be given special consideration since they inay be outside
the security perimeter or, if insidc, may be exposed and vulnerabl
Another felt that ultimatc h at sinks were not a likely sabotage
.7.6 Discussion - .;
. . . ..
This concept appears to have potential for improvinq the re-
sistance of the plant to snbotaqe if it is assumed that sabotage
action has disabled normal cooling water systems.
Independence, however, is judged to be low since other areas/equ,p-
ment, if vul~wrable to attempted sabotage, could negate the im.
proved protection provided for the ultimatc heat. sink. Thcsc
would include d~csel generators, component coolrng water heat
'exchangers, and emergency scrvicc water pumps and piping systems.
Ultimate hcat sinks must already be of subst~ntialconstruction
to meet the deaiyn condition8 dencribed in Regulatory Guidc 1.27
(for commcnt). It is therefore reasonable to ask whether these
design conditions result in ultimate hcat sinks with inherent,
built-in reaistsncc to sabotaqe. It could at least he assumed
that such cxtra design measures. as may be requiri.d to provide
sabotaqe protecb,ion would not result in prohibitive cost impacts.
Conaletent with this reasoning, tho authors consider hordccinq
of ultlmate hejt sinks to he both feaaible and within the state-
of-the-art.
. ,:
There wero nu side bcnclit.~ idcntif led f?r this concept.
. .
. '

3.8 TAKING ADVANTAGE OF NATURAL PROTECTIVE GEOGZAPHICAL FEATURES
IN SITE SELECTION, CATEGORY 1.7
3.8.1 Concept
Under this concept, sites lor nuclear power plants would be
selected from those otherw\se qualified areas which presented
geograpnicai impediments to access such as islands, land joints,
carved out mountain sides, and other areas of difficult n~tural
terrain.
3.8.2 Sources
The source- for this concept are discussions between the authors
and Department of Energy officials who participated in visits to
foreign collntriec to learn of counter-sabotage and counter-
terriorlst measures applied for the protection of nuciear power
plants. Through these discussions, it was learned that some
countries try to locate nuclear facilities in geographically
difficult areas.
3.8.3 Advantages -
The intended advantages of this concept are to make nuclear
'power plants more defensible and more protected through the use
of prctcctive features of site terrain. In the case of mountainous
areas for example, the plant site may be very difficult to reach
except by deslgned access routes which could be provided with
physical protection measures such as detection aids and guards.
Also, for a giver piant design and given site, this cx~cept
may per-
mit a trade-off of site protective features *.;ail l t other protection
measure: which may be particularly odics Sic~use of thcir impacts on
plant operation.

3.8.1 Disadvantages.
If ,this concept were to become a criterion for nuclear power plant
siting, the site selection process would become more difficult and
the number of suitable sites would be reduced. Construction costs
would be increased if there are increased difficulties in getting
materials to the site. Extra costs could be incurred to construct
adequate access routes for emergency vehicles.
3.8.5 Summar:/ of DSTSG Input.
The ccmments of the DSTSG indicated that this concept was state-of-
the-art. Although there was no defin:te indication of feasibility,
the authors have so interpreted the group's intention on state-of-
the-art. One member felt the concept held potential for improving
2lant resistance to sabotage. However, there was indication that
impacts associated with this concept may not be acceptable. Some
~pecific comments on izpacts were that not all arcac of the ccuntry
exhibit difficult natural terrain and that the number of icceptable
sites could be severly restricted.
3.8.6 Discussion.
Because of its adoption by soae foreign countries, and because it
seems reasonable to assume that natural protectis/e site :eat.~res that
restrict acrss to the site would increase the difficulty cf sabotage,
tnis conc -. is considered to have potential for improving plant
sabotage re^. ..tance. However, because of the difficulty in finding
suitable site^, it possibly should not be made a site selection
criterion. Rather, credit for its ~rotective capability should be
allowed in evaluatins plant security.
~n'de~endcfice has not been e.;aluated f 3r ttis concept.

There were no slde tenefits identlf ied for this concept.
3.9 HARDENED ENCLOSURES FOR MAk.EUP
3.9.1 Conce~t -- -
WP.TE.9 TA!;KS, CATEGORY I 8
This concept invol.~es enclssln? safety-relarcd tanks, such an auxi-
lrary feedwater storaTe tantr .ind refueling water storago tanks, in
hardened structures capable of resisting forcible entry, or de-
signing this capability into :he tank structure.
3.9.2 Sources
This is a concepz which was recommended by the recent Sandia
Laboratories/lndcstry consultant workshop on sabotage protection for
nuclear power plants. Also, these tanks arc currently ;;rotec:ca in
some designs ?qalnst tornado missiles and se:sm~c events.
This concept provldes 2rotection for safety related tan.'~ aga~nst
act; of iorcible 5 a~~taqe.
These tanks are heat slnks during the
early phases of ccrchlr, plant tr~nslent and accident sequences.
Enclosures f3r zhese t3nKs w o~ld a!co ald lC controillnq access to
them, although !ess expcnsi*!e mean:, such as fenccs couid also be
used .'

systems and houzing them in separate enciosures (penetration area$)
th-t connect to access-controilcd vl-a! areas.
3.10.2 Sources
This concept wa s a recommenda::on of the Sandla;lndust ry workshop on
nuclear power piant sabot2gc protection. :r is ~ iso a feature of
the Kraftwerk Union (KKU) stand^:^! PKR.
The counter-sabotage advaztaqe of this concept 1s that it requires
that damage to be inflicted to piping and electric~l cables
penetrating contalnme~t in two physical.: cepararc and enclosed
areas to dlsable 31: redundant :rains of vitai sys:cms. Other ad-
vantages lncludc improved protection against fires and missiles.
Possible disadvanrsgcs identified b:; the authors inciq~dcd increased
complexity in plant a:ranyement, ircrtased difficuity ai access ta
conta:nmcnt pencrrations, and ~ncreaz*'nd difficult;' w~th inspection
and maintenance acr~vities if congcstlm is incrL:c, 2nd t>c.re was
sliqht ~ndics, lor) tn~: thr. cor:ccpt of fer4 potentiai far impruvcd
plant res1st;incc tc, c~!~ot2qf:.

This concept is considered zc offer the side benefits of improved
fire protecticn and missiie protection as mentioned above. Indepen-
dence nay be high or low, being determined by how the concept is
implemented. If safety related piping and electricpi cable are
reg~rded as adeqsately protecccd inside containment, then indepen-
dence will be high if the containment penetration areas communicate
with pipe ~alleries and e1ec::ical chases which are protected
and to which access is contrclled. If pipe galleries and electrical
chases are cct prctected howevcr, then they may be '.Julnerable to
attempted sabotage and independence would be low. in evaluating
independence, the former type of implementation is assumed.
Under this assumFcicn, :his concept is considered :o offer potentiaLly
impro.~ed piant sazot3ge resistance.
3.11 SEPARATIOS OF SkFE?Y RELATED PIPING, CONTFOL CABLES AND
POWEF. ZABSES IN UXDERGROUND GALLERIES. CATEGORYII.2
3.11.1 Concept
In this concept, eacn train of reducdant safety related piping
and eiec:r:ca: cabie is ran snderground in physically separated
tunnels or qallerles that ccnnect between separate safety re-
lated structures.
3.11.2 Sources
This cocccpt is 3 fca:~re ln the K W standard PWR plant design.
This drslcn ,~tiilzes
sepurare bui!dings !o house the emergency
feedwater system znd 61ese; generators. For the Trillo plan: in
Spain, a KW'; PWR, tn:s c:>nccpt has been sp.ecifica!ly mentioned
as having zountcr-sanot;cr.;*~aiiii.. Tnls concept is also :mplenented

. ,
in some G.S. ~lsnts. At San Cnofre 2 & 3 for exanple, Class 1E
, .
power I S r?ln fro!. the outlying diesel qenerator building in
,. . 1
separaFed, under!round galleries to otkr buildings containing
Class' lE svitchue~r.
The co~nter-~a~ - .m-~?e advan:age for this concept is the increased
protect:on prc-ided tor safcty related piping and electrical
cable by spstizl separation and underground insca1:ation. Tkis
protection nay a!so be of benefit against other sits specific
events sucn as aajor fires or nissi!es.
Increased cccrs would appear to Sc :% grircipal disads;antage
for this concept, but rkese woul: depend on local site conc3itions
and piant layou- - difficulty of tunnelling and lengtn of tunnels.
Another potent iai eisad':anta,3~ woald Se decreased accr-ssibil ity
for inspection, rralntenGnca, and damage control.
The connent; of tt.e DSTSG confir,~ec feasl~?i!ity 2nd state-of-
the-art. for tniz concept. The balance of opinion did no: recard
this concept as hzvinq potential for iaproving plant resistance to
sabots7e howcs;cr. Reasons given were that separdtion rcquirelnents
already exist for new designs, and that requirements to provide
access resuit in installation of manways at intervals which may be
vulneraolc. "he~c v:~s also inalcatlon th~: cost impacts vd:~ be
unacccp:aL.?r. 31 thocqh o:le .jrri*Jp nc:nDer, cnment in(? on the 2% of
tunnel: tor :lac!ear jcrvice ,.:atcr plpinq and electric-l c.ible at one
new p!ant, cf ftrec? r.c~:r.;. ;;i::w:ct i,:ct on tr.~??~:. T!i*! c:..c>rt tor tilnnels

.. .
is estimated to be SlOC per foot cheaper than for surface trenches,
and the tunnel ccsts include meecing OSHA requirements for lighting
and access manways e.Jrry 200 feet. Tunnel lengths range from 1000 to
300'0 feet. These estimates msy not be typical, being dependent on
site conditions as mentioned previousip.
, .
This conceFt is considered to offer the potential for improving plant
resistance to sabotage because of the increased protect1,on to safety
related pipiny and electrical cables offered Sy the underground
galleries or tunncis. Howevr, there are vulnerabilities associated
with nannole5, and these would therefore require protection. Because
of chis vulnerability, independence is judged to be low.
In general, lt would appear that cost impacts could bc high, depending
on actanl site conditions. :
The extra p~otectlon ofterea by underyround galleries may possibly
hz~e side benefits when considerin? c'Jents other than sabotag*, such
as major fire or missiles.
3.12 SI'OWGE OF SPENT FUEL WITKIN PRIMARY CONTAINMENT, CATEGOXY
11.3
Thi~ concept involves locating the spcnt fuel pool withln the prlmary
reactor containms-.rat, and co31id a!:

well as location of the spent fuel cooling equipnent within secondary
containment. The design allows work in the primary containment
during plant operation. ALARA design procedures are followed.
From a cc-nter-sacot::ce .;:cupoint, the advantages of this concept
are that protection of spen: fuel would be cnh~nced by the massive
construction of the rejctor containncct and by the strinycnt accezs
controls that are applied for containment entry. The concept would
also allow the elimination of a separate scismic category I struCtGre,
the f ~e; kznciinq building.
3.12.4 Disadvantases
This concep: rec.lireb that somc fuel handlinq operationr, such as
loading casks for shipment, be performed within containment. This
in turn rcquirec that workizr; conditior.~ within containment during
reactor operation be made acccptablc to the plant operators, both
psychologically as w l l 3s in tcrxs of radiation exposure. If this
could not be done, thcsc operations could only be performed during
shutdown, possibly rc!au; t ing in extendcd outages.
Extra zpacc would bc required within c~ntainmcnt to accommodate t!~e
fuel s!oraqe ;woi. An ~ i : iock hatch for thc tucl shipping cask
woi~ld ~ lso bc required, J:; would cask washing facilities. These
requircmcnts and the adciitional radiation sl~iclding to permit work
inside cc,nt:a~nmr!nt during reactor operation, appear to have high
impacts on containment dccign.
Finally, clur lnq m.ljor outages whcn Iarqc numbers of pr.rsonnel are
working within contdinmcnt, the vulnerability of thc spent fuel to
accidental or :~:.I>~.:I.!I? d.-~m.?qc may .2ctually hc inccc;tsr4.

3.12.5 Summary of DSTSG Input
The DSTSG indicated that this concept was feasible and state-of-ths-
art, although it was pointed out that such a design had never been
licensed in the U.S. There was no clear indication regjrding impacts
or potential for improving plant resistance to sabotage although the
genera! feeling appeared to be neaative.
3.12.6 Discussion
There does not appear to be a clear potential for .improving plant
resistance to sabotage associated with this concept. A hardened
fuel handling building, as is already provJided for s ox plants,
appears to offer nearly equivalent protection for the Fuel, especially
if stringent access controls are applied. The fuel ma;I actuaily be
less vulnerabie in a hardened fuel handling buiiding during major
outages than it would be in containment, where it may be exposed to
large numbers of transient craft personnel.
Because of the Eactccs mentioned above under Disadvantages, this
concept could be expected to have high ixpacts on containment design.
Independence for this concept is judged to be high if the spent f,~ei
cooling equipment is also protected by locating it within pri~ary OK
secondary containment.
There were no side bc.neEits identified for this concept
3. l SPENT FUEL STORED BELO:! GRADE, CATEGORY 11.4
3.13.1 Concept
Onder this ccncept, the eievaticn of the scent f~cl storage pool is
set to ensure that the tops o t the stored fuel aa~cmb:~es are below
grade so that forci5:e Lreaching of 3 pool eczernal w3l? does rrsait
in total loss of water from the pool.

3d3.2 -. Sources
This concept h.3:: been implemented in some ?.-signs. S3lc!n and Belle-
Eontc arc examples. A variation of this concept, wherein the pool
external walls are protected by !;:ilt-up bcrms. was a recommendation
of the Sandia/industry workshop on sabotage protection for nuclear
power plants.
3.13.3 Advantages
The counter-sabotage advantage of this concr[?t is the extra protection
provided for the fuel handling building external walls (those that
also serve nr, fuel pool walls) against breaching by force: for ex-
ample by use of explosives. Attempts to breach the walls would then
require excavation which increases the probability of detection.
Should breaching be zccomplished, the surrounding earth could provide
some water retention capability and prevent total loss of water from
the spent fuel pool.
Additional possible advantages include takinq credit tor thc shieldiog
effect of the surrounding earth which may pcrmit rcduciny the thickness
of the concrete walls, and reuuced above grade height of the fuel
handling building which may result in a stifrer ctructurc more rcsis-
tant to seismic and other external loadings.
Placinq thc spent fuel storage pool below (;tad~ may af Sect arrangement
of the cont.1inment hai lding. Sicce wat~cr lc.':els ir, thc spcnt fuel
pool and the reflleling csnal ~ r equal c i:!c.d daririy rt?facl ing, lower in?
thc spent Ct~cl pool el~v~t.ion ma), al;r, rfr~lui rc lower i ng the contdi n-
ment. The result woh~ld bf? incrr!asc4 r-xc:;~v;rt. ion c:o::t r. ]'or botl! tile
containment and the? fuel h:tr!d! inq tc I 14 ir.1;.

---
3.13.5 Summary of DSTSG Inout
This concept
. ,. was considered feasible and state-of-the-art by the DSYS.
However,
. . there was fairly strong indication that the concept held
little . .. potential to i:lprove plant resistanc~+ to sahotayc. Comments
supporting this indication were that a below yradc wall, if made
thinner, may actually be moro easily hrcachcd than a thicker. above
grade wall, and even iC the spent fuel pool were below qr.~de, breaching
a wall may resuit in pool water araininq into the surrounding soil.

There were no side benefits idcntifi4 for chis concept.
3.14 PHYSICALLY SEPARATE AND PROTECT REDUNDANT TKAIXS OF SAFETY
EQUIPMENT, CATEGORY Ii.,5
3.14.1 Concept -- -
This concept involves the followiny design features:
8
. Physically separated and hardened buildinqs (safety buildings)
, . ...- l,.,l*,."L,",~.i '!! are provided for edlV'Wdur~dant tr~in Of"'5a'fr'ty equipment.
D-I;,?
. Each separate building cant-ains a11 safety related equipment
for a rcdundant train includinq divsel ycncrators and fuel
tanks, Class IE switchqo;lr, DC power, KCS punps ar,d tanks,
ESFAS and RPS cabinets, and at:xil i ~ r y cool in9 water equip-
ment.
. Each sc1::ratr: building conrnil~:c~cr

3.14.2 Sources
In various degrees, this concept was a recommendation of the Sandla/
industry workshop, is a feature of the KKU standard PLiR plant, and is
advocated by the fire insurance industry on an international scale.
All of these sources recommend or apply the principle of physical
separation of redundant trains of safety equipment but have not
necessarily extended this to totally separate and independent safety
buildings. Physically separated and enclosed areas wlthin buildings
have generally been recommended or ayplied.
3.14.3 Advantages
These include the following for this concept:
. The functional independence of each train of safety eq~ipzent
reduces vulnerability to sabotage of otherwise shared com-
ponents (e.g., the ,refueling water storage tank).
. Spatial confinement of function and equipment for each train
in hardened and protected safety buildings eliminates vulner-
abilities associated with cable and piping runs through non-
safety areas.
. Spatial separation of safety buildings increases protection
against sabotage by requiring that more than one area be
addressed. This would apply both to attempts by stealth and
high strength attacks by explosives or munitions.
. Protection against other forceful events, such as fire, is
also bc enhanced.
. Locating safety equipment. within consolidated safety areas
may facilitate access control and physical protection system
designs.

3.14.4 - Disadvantages
t
The main disadvantages of this concept appear to be associated with
plant arrangement. Arrangements may result which are less than optimum
from the viewpoints of plant operation and maintenance and the cost
of materials and construction. As an example of the latter. this
concept would require that two, fully redundant ECC water storage
tanks be provided, one in ezch safety building.
3.14.5 Summaryf -- DSTSG Input
t ,,
The DSTSG comments gave clear indication that this concept was feasible,
was ~tate-of-the-art, held potential for improving plant resistance
to sabotage, ~ n d did not have unacce~table impacts on plant design or
operation. It was qcnerally fclt, howcvcr, that the physically sepa-
rate, hardcncd, and protected safety buildings housing the redundant
trains of safety c~luipment could be combincd as scparatc safety areas
in a common building without violating the concept. The authors
would agrcc as 't,:lg sc a11 safcty related equipmcnt (water and fuel
storaqe tanks, dics~?l engines, swit.chqcar, cable, piping, pumps,
etc.) in a redundant train was located in a tiardc?:icd safety area
pro~ected by access control ant1 intrusion detect-ion measurer; and was
physically separated by :;on!c dcfincd di:;tancc fron the other safr:ty
areas.
One memtwr stated that t!ie dr?qree of comprrtrncntation within ,111 indivi-
dual saluty L~uiidinq should not cxcctrd that requi~cd for prutection
against firc, rniczilcs, floodinq, or radiatjon li.c., shielding).
Otherwise, operation and maintt?nancc wol.rl.1 bc' qrcatly complicated.
, .

3.14.6 Discussion
The potential for improved plant resistance to sabotage for this
concept seems clear slnce it applies to the maxim~~m extent the
principles of separation, completeness and self sufficiency (i.e.,
independence), and location within hardened structures provided with
physical protection measures.
Impacts do not appear to be overriding based on DSTSG comments.
The high degree of hardened protection, separation, and independence
associated with this concept may result in the side benefits of
facilitating access control and physlcal protection measures and
improving protection against other Forceful effects such as fire and
severe n~tural phenomena.
3.15 SEPARATE AREAS OR ROOMS FOR CABLE SPREADING, CATEGORY 11.6
3.15.1 Concept -
Under this concept, separate rooms or areas are provided for spreading
cables that connect to logic and control panels in the control room.
The cahlcs corresponding to the several logic and control redundancies
arc dintributed amonq two or more of these areas. The cable spreading
areas are hardened and subject to controlled access.
3.15.2 Sources
This concept is already being adopted in current designs where two,
physically scparbtc cat~lc rprejdin9 room are used. The papcr by
Hcizcl~ suqqests that it may be possible to ext~nd the concept to four
separate catile spre~xlinq arcas.

3.15.3 Advantages
.. .
The sabotage protection advantage for this coccept is that it would
require sabotage action to be carried out in nore :han one area to be
successful. The fire protectlon advantage has been the motivating
factor in its adoption in recent designs. Another possible advsntage
is reduced congestion in the cable spreading rooms assuming adequate
size rooms are provided.
Possible disadvantaqes associated with this concept are increased
space requircacnts and increased lengths of cable runs.
3.15.5 Summary of DSTSG -- Input
This concept was considered to be feasible and state-of-the-art by
the FSTSG. Also the group considered the concept to have potential
for impraving :. i .~nt resistance to sabotage, conditional on the
assumption of a high strcngth attack and on the basis of incremental
improvement in protecticn over present new dcsiqcs. It was also
stated by one member that the GE STRIDE desiqn cffectively provides
four train separation for cable routing and spreading.
3 5
Discuss ion
This concept offers the potential for improved plant resistance to
sabotage because of the increased protection afforded control cables.
Based on it being a feat-rc of ncw designs, its impacts arc judged to
be acceptable. Independence is considered to be low since the cables
are all routed eventually to the control room which results in somc
loss of separation and hcrce protection. This is especially true if
the control room ir not a har~jcncd area.

Ircproved fire protection is the principal sile benefit for this con-
cept; no other side benefits have been identified.
3.16 ALTERNATE CONTROL ROOM P.XRP.NGEMENTS, CA'i'EGORY I I. 7
2.16.1 Concept
The objective of this concept 1s to rea~ce the vulnerability of control
rooms to forcible takeover t?.-ough use of alternate control room
layouts. The following are two suggested examples.
1. Provide physically separated, independent control rooms for
multi-unit plants.
2. Provide a backup control room for each main control room
which:
. is continuously manned by a senior reactor operator who
reports to the shift supervisor,
. provides safety related displays of flux level, reactor
thermal hydraulics, power conversion system energy re-
moval parameters, and reactivity changes,
. provides controls only for tripping the reactor acd
actuating decay heat remo-la1 systems,
. in 1ocat.ed well within the plant building complex such
that it would not be visible from off-site,
. provides continual closed circuit TV surveillance of main
control room,
. is a hardened etructurc :>rc*!ided with physical protection
measures.

3.16.2 ---- Sources
Physically separate and independent control rooms arc currently being
provided for some U.S. plants (Perkins, Cherokee, and Calloway for
example) and are rcyuired for Swedish plants.
The advantage of this concept is reduced vulnerability to a forcible
t3beovcr of the control room and possibly a large fraction of the
plant staff by terrorists or saboteurs. Example 1 would only provide
this advantage :or control rooms unaffected by actions of the sabo-
teurs, al1owint.j thc associated units to be pl,zccd in a safe shutdown
condition. Example 2 would permit trippinq the reactor and placing
the unit in a safe shutdown condition e..len if that unit's control
coon wcrc siezed by saboteurs.
For this concept, these include additional costs for plan: dcsign,
construction and n!~nning.
There was :;me sl iqht i nd icat ~cin t1:at this COKc[Jt ~a:: fcasi hic ant1
state-of-the-art.
There was unanimous opinion that thiz cot~c:c,[jt olScrr, no potential for
im[~rovir~g plant rc?:.:ir;tarlcc! to sabotdgf,. It wa:: :;t~tt.d t h ~ t a backup
control rofm of(ic?r:: fro hc.nc-tTit sincc ~U:il.li~ry :;l't\llrlowrl panels (?xist,
and that a cont. inuo~r!;l y ~iiar\ncd bnckul) contr111 rooln -AV.)I.I 14 cr~atc
opp~r tun itil-.:; for n : ; r Onr! n~c:~l~i)or r;tat.~:(! t!~.~t. i n(!ividuaI con-
trol CI~III:; I.IJ~ mu1 ti-(;nit pla~it:~ df fur(] no l,cn~:ii sincr! aj.~irlin

access to any one control room would accomplish the mlssion of the
saboteurs, and that if actual damage to the plant vls caused by sabo-
tage, a common control room may be preferable becausc additional
personnel would be available to respond.
The DSTSG judged that impacts for this concept would be high. Both
examples were considered to increase manning requirements, while
separate control rooms result in increased construction costs. The
capability of an operator, performing only monitoring duties, to
remain.alert in a backup control room was also questioned.
3.16.6 ---
Discussion
The discussion of this concept will be limited to Example 2. The
reason for this is that there appears to be some movement, based on
foreign design practices and some recent U.S. sthadardized pisnt
designs, toward individual control rooms for multi-unit plants.
Therefore Example 1 vill not be discussed further except to note
that, under the assumption of a takeover of one control room in a
multi-unit plant, the remaining units could be placed in a shutdown
condition and that this could be of potential counter-sabotacje
benefit.
Example 2 allows the capability to promptly shutdown the reactor and
initiate shutdown cooling from the remote, continously manned,
hardcncd and protcctcd backup control room in the event of a
takcover of thc main control room. Terrorists/sabotcurs whose objective
was to announce that they had gained control of a nuclear power
plant operating at C911 power to force compliance with certain denands,
would find their xlv~ntar;c deniccf and ~bjccti'/c. thwarted in that
their action would no lonf~er
be perceived, by thcnselves nor by others
(c.g., the news media) to kc a3 thrcateninq as they had planned. It
would be nnnounced, instc:d, that the plant WL:: i:. a saic shutdown
condition. It is in ::hi:; senst? that Exclmplc? I may h;rvc. 12otential
counter-sahot.-igc bcnef it.

Indqpcndencc is considered low for Zxample 2 tccausc it wouid also be
. ,
necessary to protcct the reactor trip brcskcr3 ogainzt sabotage action
that would prevent them from interrupting power and to protect as
well ao the s!lutdown decay heat removal systcms.
Impacts Eor Example 2 are considered to be high because of tbe the
increased zanninq reyuirrri~ents.
There were no side benefits inclcntiticd lor this cor4cept.
.,.. .
The finding pcescntcd in able' 2-7 for Design .Ilte'rn;ttive li.? refer
to Example 2.
'Phis concept provides protection in the form of J hardened enclocilr?
for ECCS conlponcnt:, ty locating then within thc reactor conta inmcnt.
The intent of this concept i:s met by the K:JU arid 3urc l'oxer nphericol
containmrtnt tlesiqns whcri. !XCS ;~sti'/c componcnts ~3ro locat,?d within
_ 1
seconrlarv con" inment.

Locating larcje components such as water storage tanks within con-
tainment may be impractical vitt.oct redesign of the containment (see
Category 111.3, Alternate Containment Designs). Increased contain-
ment volume would result if ECCS components were placed within pri-
mary contzinment. Also, the ECCS equipment vould have to be quali-
fied for the post-LOCA cnvironzent if lccated within primary con-
taiment.
3.17.5 - Summary of DSTSG Input
DSTSG indication was that this concept was feasible and state-of-tbe-
art cnly for ECCS components in secondary containment, not primary
containment. Post-LOCA en':ironmental qua1 if icztion would be a
problem for componentc located within primary containment.
Regarding potential for improved plent resistance to sabotage, it was
pointed out that, because of ECCS equipment surveillance rcquire-
rnents, there could be increased traffic within containment znd that
vulnerability to acts of sabotage within ccntainment may be increased.
The DSTSG considered that the impacts associated with this concept
were unacceptable. The cost impact was considered unacceptable for
ECCS components within primary contalnrcent. Also, if opportsnities
for survcill~nce were rcstricted because cf ECCS components being
located within primary containment, overall plant safety could be
adversly aftectcd. it was also stated that the concept would restrict
the number of presently acceptable containmnt designs.
3.17.6 Discussion -
For the parcicul~r casc of the spherical containment, this concept is
obviously feasiblc ~ n d
stotc-of- the-ar t as evidencrcl Sy its appl icotion
in tb,;lt design (KL'C.': componentr: wi!:hic secondary containmnt). F'or

3.18.2 Advantages
The counter-sabotage benefit associated with this concept is the
reduction in the number of potential opportunities due to reduced
numbers of people in the protected area.
3.18.3 Disadvantages -
Since it can be anticipated that this concept would require an increased
frequency in passing through security checks, it represents
an increase in inconvenience for plant personnel. . There . was concern
expressed that support staff who needed to be in the plant frequently
to do their job would not enter as frequently as they should.
3.18.1 -- Sources
This concept has been adopted in Germany and f ~ r the KNU supplied
Trillo plant in Spain.
San Onofre.
U.S. examples include Peach Bottom 2 & 3 and
3.18.5 Summary of DSTSG Input
The indication from the DS'I'SG was that this concept was feasible and
state-of-the-art. The overall opinion was that impacts would not be
unacccpt~ble, but one member commented that this concept vould onl:~
result in increased discontent amony people trying to do their jobs.
This concept. IS conside:l!d to hoid potc;r!tial ior improf:ed plant l'esistancc
to zabotaga simply by ceotrictinq the n-~rnbcrs of individuals
routinely insi~lc tne prcjtcctec! area. For c-xanplc, locating receiving
WJC~~OIJL~~? izci 1 jt i;l:-; OII~'. id? tt~c protc?ct~d srr:.i c.1 iminiltes the re-

quirements for routine passage of delivery trucks and drivers throuqh
che security gate and reduces search and escort duties of the guard
force. In addition, a general caEcteria located outside the protected
areawould require fe%er deli,:erie5 of provisions through the security
perimeter.
Independence 1s not considered applia-able to this concept. l'here
were no side benefits identified.
3.19 ISOLATION OF LOW PRESSURE SYSTENS CO?:NCCTCD TO REACTOR COOLANT
PRESSURE DOVCDARY, CATEGORY 111.1
Under t~~is concept, additional means are employed to prevent overpressurization
of low pressure piping systems connected to the reactor
coolant system and thereby prevent loss of reactor cooiant
through a rupture in a low pressure system.
3.19.2 Sources --
This concept vas a recommendation of the Sandia/industry workshop on
nuclear power plant sabotage protection. It is implemented in the
K W standard Plu'l? plant by designing the operating motors for the
valqles that isolate the residual heat removal system (I?IIRS) from the
reactor coolant system (RCS) with insufficient torque to open under
KCS/RNRS differential pressure. This is in addition to the usual
pressure interlocks.
This concept provides protection against a loss of reactor coolant by
the sjbot~gc act of defeating th? cxiekinc~ pressure interlocks on the
RCS/RHRS isolition va1;rc.s. Sinco the RIIH [)i[)ing r!xti?r~cic, outside
containment, this protection applies to a loss cf reGctor coolant
outside as well as inside containment.

Depending on the means of implementation, acidit ional cost and com-
ponent complexity could result.
3.19.5 Summary of --- DSTSG lnput
There was indication from the DSTSC that this concept was feasible.
State-of-the-art for an alternative implrmcntation, use of torque
release couplings in valve operators instcad of torque limited motors,
was quest ioned.
During discussion, there was indication that, in general, thc concept
held potential for improving plant resistance to sabotage 3nd that
considcrat ion should not be restr icted to i tr application to RCS/RHRS
isolation. Rather, it should bt! applied to ,111 low pressure piping
connecting to the RCS since thin piping could bc vulnerable to rup-
ture from ovcrprcssure and also direct physical damaqc outside con-
tainment. Specif ic,? i. iy nenti.on(4 wa; letdowc pi~~ir~g.
This concept was originally con!;ideccd by the, aut.hor:; a:: most applicablc
to HHR suction piping zincf? it 1) is of lower pressure? ricsiqr: than
the RCS, 2) in larqe diameter, 3) penetrates cont.ainnwnt, 4) is not
protected by rolicl: v.il,

upture or direct physical ruptt:re by cxtcrn~l Sorc:c or both. Exmplss
are letdown piping and charginq piping. Sinca both type:: of pipin

power jumper cables, etc., to facilitate connection of portable equipment
or substit~tion of other installed equipment for equipment damaged
by sabotage.
3.20.2 Sources
Recommendations of the recent Sandia/industry workshop on sabotage
protection of nuclear powcr plants included:
1. flexibility to bring in temporary or auxiliary hcses, nozzles,
pipes, pumps and/or water supplies under emergency conditions
to provide flooding or spraying of fuel in an open reactor
vessel or in the spent fuel storage pool, w i t h the provision
of built-in auxiliary nozzlca at strategic locations, anu
2. damage control programs featuring prcplanned procedure-,
prepared equipment., and traininq for damage control teams.
This concept increases the flexibility of the plant to respond to
sntotocje el.,crqencies 2nd to other emrqencies .is we!;, :;uct, as mrtjnr
tire::.
Regulatory .~t~tlloritit?s may r~.~cjuirc dc!mnnstration of t!>ir, concr.pt, i:!
the Lorm of drills and equipment tcstinf~, if credit wcrp grantcd to-
wards incredscd protecti(1n. Al:;o, clddition,~l count.cr-::;~l)ot.a?c. pro-
tection of' tt~e
dzm.-r*qr: contrrsl facilit.~tinq
Erdt~irc:: t!:t?:n.;clc~:; ma:; be
r cqu i r efl .

3.20.5 Summary of DSTSG Input
During discussions of this concept with the DSTSG, it quickly became
evident that damage control could be viewed as two different ap~ronches.
.. .
One could be defined as a traditional approach, patterned after programs
designed to cope with battle damage sustained ty naval snips.
This approach involves trained danage control teams and dedicated
damage control equipment in designated locations. The other approach
makes use of normal plant systems and equipzent aligned in nonstandard
ccnfigurations in accordance with speciel, written , , procedures
as a means of achieving additional operational flexibility
to deal with sabotage energencies.
The DSTSG found merit in the concept of damage control, but only in
connection with the latter approach. There was strong feeling cn the
part of those members with plant cperating experience that damage
control in the context of emergency repairs, ;unpers, portable equip-
ment, and trained damage control teams was unworkable for a comrercial
nuclear plant. Arguments given included too few people ay~ailable on
back shifts, tine to get additional people on site pius repair times
in excess of time availajle to perforn damage control actions, and
uncertain success in situations where attempts at damage controi may
be oprwsed by saboteurs. Tkn favored approach was thac of examining
the flexibility inherent in the normal plant systems and equipment,
and developing plant procedures to take advantaac of this flexibility
under emergency conditions. Plant design changes were not considered
necessary to facilitate this approach. The DSTSG also commented that
the term "damage control" was misleading in this context and that a
name such as "abnormal energency procedure" wocld bc more accurate.
3.20.6 Diccussion -
Based on reaction of the
proach to damage control
cated uamage control equ
DSTSG , it cppears that thc traditional ap-
- tra ined damage control teams using dedito
jury riq spstcmc or make emcrcsncy

epairs under satotace emergency conditions - may not be feasible for
nuclear power plants. However, the concept does a?pear feasible and
to have potential for 1mpro.fed plant sabotage resistance in the context
Of aligniny standard equipment in non-standard configurations in
accordance with special damagc control procedures. The authors believe
that plant design changes can be made to facilitate this approach.
For example, turbine runback would permit continued operation of all
non-Class 1E electrical equipment even though it is assutxed that
sabotage action has denied offsite power. Desi~n chanqes to facilitate
manual back-feed of Class 1~ power sources to non-Class 12 busses is
an a1 terrdst ive example.
Work is currently in Frosress to identify options in terns of utilizing
existing systems and equipment. Examples of specific design al'ernatives
that would facilitate the ability to conduct abnormal emeryency pro-
cedures will be identified when that work is comp!eted.*
In summary, thc aut"or cooncider the concept of design changes to
facilitate abnormal onergency procedures to be feasible and state-of-
the-art, to have potertial for improving plant resistance to sabotage,
to have minimam impace, and to offer the side benefit cf improving
fLexibility to deai with other emeryencies such as major fire. How-
ever, thi; assessment is bascd on a definition of damage control
quite diflercnt frcm that implied in the concept statement (3.20.1),
which views ddmayc control in the traditional sense of jury rigs or
emergency repairs by damage control teams using prepared damage contrcl
equipment.
Independence wac considared not applicable for this concept.
*IEA'I Report ?;o. 123, "Daxa7;. Control as a countermeasure to Sab~otage
at !Juclear Fower PlarbtsW.

3.21 ALTERNATE CONTAI5l4EHT DESIGNS, CATESCRY 11:. 3
3.21.1 Concept
Under this concept, alternate containment designs can be divided into
two classifications:
1. those which reduce the probability of containment failure by
oqJerpressurization subseql~ent to a loss of reactor coolant,
and
2. a containment incorporatina passive exergency core coolinq
system (ECCS) components, celluarization of the reactor
coolant system, and sub-atmospheric operatino pressure
following a loss of reactor coolant; the passive containment.
The containments in the first classification re associated with con-
,>entlsnsl ECC Eystens and containment heat removal systems. The
passive contalnmun: system, a patented concept, integrates contain-
ment and passie/e ECC systea designs.
3.21.2 Sourcrr
Sandia Report SitNG 77-1344 contains evaluations cf ninc alternate
containment desiqn concepts for their potential to reduce public risk
to nuclear plant acc~uents and their insacts on plant costs and operation.
- *he phsci-~e containxnt is a patented conct2t of the i;uc!edyne Engi-
neer inq Corporst-lon.

3.21.3 Advantages
The alternate containnent concepts offer socentially reduced conse-
.. .
qucnces (through reduction in containment failure probability) of
sabotage action that results in a loss of reactor coolant and dis-
ablement of portions of other engineered safety features.
"
he passive containment system appears to offer the potsntial for
increased protection against attempted sabotage becauze of the cellu-
arzation of reactor cool6nt system piping and component, and a
passive ECC system incor?orated into the containment.
3.21.4 Disadvantages
The alternete containment concepts resuit in significantly increzsed
costs. Depending on the particular alternative design, these include
costz for oce or more of the following activities:
i. design,
2. nodeling and testing,
3. llcensing, and
4. constrcction.
Kone of thc aitcrnativ containaent drsigcs under consideration have
been licensed in :he foras described in SANG 77-1345. Some of these
designs would KeqGiZc engineering d2,~elopmcnt and dcrnonstration,
especially the pass:ve con:ainmnt system.
3.21.5 - Discursisn

, .
I. Stronper Containment. Design pressura of 1'20 psia expected
to prevent failure by overpressnre excec: in the case of 2
. .,
loss of reactor coolant and unavailability ot the contsinnent
spray system. Modest reduction in risk due to containment
overpressure failure.
2. Shallow Underground Siting.
3. Deep Underground Siting.
4. Increased Containment Vc!ume. Offers :lsk reduction potential
sicilar to that for Stronqer Containment.
5. Filtered Atmospheric Venting. Provides greatest reduction
in risk from contairment failure at least cost.
6. Compartment Venting. 2isk reduction similar to Filtered
Atmospheric Venting but at increased cost.
. .
7. Thinned Bazc Nat. ..o measurable reduction in risk.
8. Evacuated Containment. Minimal efisct on overpressure
failure.
9. Double Ccntainnent. Almost no 2otcntial reduction in risk
over that of current surface plants.
10. Passit~e Containment. This concept appears to increase the
diffculty of sabotage of the reactor coolant systen (RCS)
and the CCCS since the components of these system3 would be
encased in heav;-steel-lined, reinforced concrete cells. In
addition the emergency core cooling system components would
be pazsivc and not dependent on external power supplies.

The counter-sabotayc aspects of underground siting and stronger containments
have been previously discussed. Of the remaining alternative
desi~ns described and investigated ia SAND 77-1344,,filtered
atmoBpheric ventin? and compartnrnt venting offer the greatest risk
reduction due to containment overpressure failure at least cost.
These concepts do not appezr to provide a nuclear power plant with
inherent resistance to sabotzge, but rather would reduce the consequences
of sabotage that resulted in damage sequences similar to
the accident sequences described in SAND 77-1344.
On t t other ~ hand, the passive contaiament system appears to offer
the potential for improved plant resistance to attempts at sabotage
of the reactor coolant system and emersency core cooling systems.
Since, after a postulated loss of reactor coolant, the pressure in
the passive containment returns to subatmospheric, the potential for
overpressure f~ilure should also be low.
Independence for the filtered atnospheric venting, compartnent venting,
and passive contalnment concepts is considered low. This is because
the vent system and the containment vent buildiag, respectively, must
be protected for the filtered atnospheric venting and compart3ent
venting concepts in addition to tbe containments themselves, while
for the passive contalnment, a passrve external heat exchange loop,
provided for long term decay heat removal, also requires protection.
When considered strictly fron a coucter-sabotage viewpoint, filtered
atmospheric venting, compartment vent in^, and the passive containment
concept offer the side benefit of reduced risk from 0verpressu:e
failure of the containment. .
Thc findings presented In Table 2-2 refer to :he filtered 2tmospher~c
venting, compartment venting, and passr-~e cgntalnment concepts. These
are considered to t~ fcasible concepts but not stat-c-of-the-art.

3.21.6 Sumnary of CSTSG Inout
The reader is referred to the comment suamary for DSTSG reaction to
the concept of Alternate Containment Designs.
3.22 EXTRA REDUXDbNT, FULLY SEPARATED, SELF-CONTA1::ED AND PROTECTED
TRAINS OF E:IEiZGE?:CY EQL'I P?lENT, CATXORY I I I. 4
3.22.1 Concept
The concept is laentical to Category 11.5 (Physically Separate and
Protect Redundant Trains of Safety Eqcipnent) except 4-504 reciundant
or 3-100% redundant tralns of emergency ep1;nent are proVJided.
3.22.2 Sources
This conzept is implemected in the Federal Republic of Germany and in
nuclear power plants exported by Germar:~ althaugk the original noti-
vation apFeers mainly to have been aininization of the size of
emergency diesel generators.
3.22.3 Advantaqes
In addition to tne advantages associated with the two train conccpt
as described under Category 11.5, this concept increases t!:e nuaber
of areas that would have to be addressed by sabcteurs in order to
incapacitate the plant's engineered safety features (ESF).
Additional advantages associated with this concept include the abilit;
to meet the single fallurc criterion whllc ka-~i~cj one train of emer-
qency equipmenr. down for mintcnanoe, and ;I reductLon in the rcquir96
size of diesel generators.

3.22.4 Disadvantages
>
The disadvantages identified previously for the two train concept
(Category 11.5) associated with plznt arrangement wocld be apdicable
to this concept also.
3.22.5 Scmmary of DSTSG lnp'Qt
This concept was considered feasible and state-of-the-art by the
DSTSG. Comments uere evenly split reyardinq potential for improving
the resistance of the plant to attempted sakotage.
There was no clear indication of tbe acceptability of inpacts asso-
ciated with this concept. Some pointed out that extra redundancy
would provide little counter-sabotage benefit relative to the extra
cost. It was also mentioned that surveillance testing would be in-
creased. On the cther hand it was xentioned that the extra redundancy
would provide some operational flexibility and would possibly improve
the overseas marke::ng position for U.S. plants (in Europe, 4-506
redundancies are connon).
One group member scggested the alternative concept of 3-50% redun-
dancics as the optimun arrangement. This provides for single failures,
permits use of snaller power supplies, increases the nxrr,ber of sabo-
tage target areas required to totally disable the plant's ESF, and
avoids possible problems with over-capacity In the case of automatic
actuation of 3-100% tralns.
3.22.6 Discussion
Most of the discassio' prcser~ted in Section 2.14.6 for Category 11.5
is also applicable here. However, it is believed that impacts on
plant design in terns of arrangercent would be greater thsn for

Category 11.5. Operation and maintenance nay also be impacted in
terms of increased surveillance testing and a less than optimum plant
arrangement. It is possible that these inpacts may be offset by in-
proved operat~onal flexibility; for exa~ple, the ability to shut down
one train for maintenance while retaining single failure capabilty.
The prelimin~ry assessment is made that, since extra redundancy would
be a departure from current O.S. practice, ixpacts, a: least on plant
design, would be high.
The capability to shut down one train for maintenance an2 still meet
the single failure criterion is considered an ndditionai side benefit
for this concept.
3.23 A;)DITIONAL, PROTECTED, IWNUAL CONTROL ROD TRIP, CATEGORY 111.5
3.23.1 Concept
Under this conccpt, one or more additional manual trip switches are
provided in secure, protected locations to permit trip of the reactor
from outside the control room.
3.23.2 Sources
Although not specifically intended as a counter-sabotage measure,
this concept is a feature of some research reactors, permitting a
reactor scram from selected locations outside the control room in the
event of emergencies.
3.23.3 hdvantaqes
This conccpt permits tripping tt,e reactor by an authorized person
from outside the control room in :he event of a forced take-over of
the main control room by terrorists or saboteurs.

3.23.4 . . Disadvantages
This concept may provide little protection against an insider who
could defeat the t.rip switches.
3.23.5 Summarv of DSTSG Input
The principal reaction of the DSTSG to this concept was that it wculd
have little potential for improved plant resistance to sabotage since
there already exist numerous ways to trip the reactor from outside
the control room.
The potential counter-sabotage benefit in being able to place the
rezctor in a safe shutdown condition in a situation involving the
force? take-over of the control room was discussel for Category 11.7.
However, this concept would permit only a reactor trip, and there
are, in fact, many +,xisting ways to accomplish this from outside the
control room. Only if the terrorists/saboteurs were effective in
totally immobilizing all knowledgeable statlon personnel could they
prevent a reactor trip, and in such an event, additional, protected
manual trip switches would te of no value. Proq/iding additional
means to simply trip the reactor from outside the control room without
providing also the capability to place the plsnt in a stable shutdown
condition (by protecting the decay heat remoT;al and RCS inventory
control equipment) does therefore not appear to offer tb,e potential
for improving plant resistance to sabotage.
Because of the necessity to protect the additional equipment required
tp place the reactor in a safe shutdown condition, independence for
this concept is considered to be low.
Impacts for this concept, resulting mainly in axtra costs for equip-
ment and installation, are belie-led to oe low.
There were no side bencfitc identified for :his concept.

3-24 ADDITIOIGAL, NhNL'ALLY ACTIVP.TED, DI'IERSE :AND P9OTECTEP REACTOR
TRIP, CATEGORY 111.6
3.24.1 Concept
An additional manual trip circuit, acting on additional, diverse, and
protected reactor trip breaker" is provided. The additional trip
switch or switches could be located in protected areas remote frsm
the main control room as well as in the control roon itself.
3.24.2 Sources
This concept is an extension of Category iII.5 in that additional,
diverse, and protected reactor trip breakers are ~ ~ 0 ~ i d ~ d .
3.24.3 Advantages
In addition to pe!nitting a reactor trip fron outside the control
room, thls concept would provide protection ayainst tampering with
the trip breakers and cncreby enhance the ability to trip the le-
actor.
3.24.4 Disadvantages
As identified for Cstegory III.S, little procectinn against the in-
sider is provided.
3.24.5 S m o- f DSTSG Input
Again, as tor Cat.c,jory 111.5, the DSTSC considered this concept to
have little potantial for inproved plant rcsiztanc? to sabotage since
alternative means already cxist to trip the reactor fro- outside the
control room, including the interrs~ption of power to the control rod
drives dt its SOU~CC.

3.24.6 Discussion
The discussion presented in 3.23.6 (Category 111.5) applies to this
concept also. Although protection of reactor trip capability may be
enhanced, this alone is not sufficient to place the plant in a safe
shutdown condition.
There arc additional ways to make the reactor subcritical without
requiring the opening of the reactor trip breakers (interruption of
rod driS/e power nearer to its source or manually driving in the rods),
and, in any case, the extra protection afforded by this ccncep: may
not be effectivc against the' ~nsidcr.
3.25 TURBINE RUNBACK, CATEGORY 111.7
Under this concept, thc capability is provided for the separation of
the turbine generator from its off-si,te load without ca.y.s,i,ng a tri?
of the reactor or turbine.
, ,, .: .. . . ,
3.25.2 --- Sources
This capability is provided in some U.S. nuclear plant designs:
BelleLootc is an example. In the Federal Hepublic of Germany, this
capability is required and must be demonstrated. It is providad in
place of a sccond source of off-site power.
Most sabotage scenarios assume that off-5it.c trancmission lines arc
unovailablc. Under this and the: Curthec asvumpcion th~t
secondary
plant cqui~,ment is not damaqcd, turl:inr! runi;acr. permits the continued

use of the power conversion system a; a heat sink for the plant. In
t.his sense it contributes to the defense kn depth concept in that
both it and the auxiliary feedwater system are potentially available
heat sinks.
3.25.4 Disadvantages
Apart from extra cost tor turbine control and bypass 6:q1xipment, re-
quirements for testing the turbine runback capability wouid involve
Costs in manpower, time, and equipment wear and tear.
3.25.5 Sum~nar:~ of DSTSG Input
The DSTSC considered this to be a feasible concept. However, the
qroup was divided as to its state-of-the-art, somc members feeling
that faster acting control valves may be required and th~:, because
of thc %ensitivit.j1 of the reactor protection system IRPS), some re-
design of t!i~ RPS miqht uc required to ensure the rcbctor does not
trip cpon scparatlon of tbe gcneator from the off-Site system. Also,
somc mentioned the need for a larqcr main condenser.
There was gencral aqreemcnt with the adv~ntaqe~ 3nd disadvantages
presentc4 above, a!thouyh there were diffcrlng oplnions rcqarding the
need to tcst the system.
The DSTSC also split on the question of impcoving the resiztance of
the plant to attempted sabotagr. The potential incrcase in flexi-
bility to deal with various situations, including facilitating damage
control, wan corrcicicrcd a plus. Out it war, also pointed out that the
secondary plznt mechanical a d electrical equipment upon which the
efficacy of this concept depends xas, in gcncral, exposed and vulner-
able to sabot.Jrje, consequently reducing its potential value as a
counter-:;3b0t~yc! ~ C~I~IJ~C.
Uack-fctcc!inq somc of t.his equipment from
the emergency dics~l gentrators wa.c snggestcd 3s an a1 tcrnativc.

' There was no clear indication of the acceptsbi;i", of iapacts although
it was mentioxed that the impacts ascoclated with testing could be
severe, especially if the system was considered to be safety related.
3.25.6 Discussion
It is believed that this concept offers potentially improved nlant
resistance to sabotage by the retention of the normal heat sink and
also by enhancing flexibility to deal with various anomolies using
secondary plant systems and equipment. It would support darage con-
trol in the context of aligning systems in non-standard configurations
to meet required funtions. However, because of the vulnerability of
secondary plant equipment to sabotage, independence for this concept
must be considered to be :ow.
When considered strictly from a counter-sabotage viewpoint, a side
benefit for this concept is its capability to aid the recovery of a
utility's generation and transmission system following a major dis-
turbance. However, this logic could he inverted in that this has
been the primary reason for providing turbine runback capability in
plants to date. If this continues to be the main motivation for tur-
bine runback, it may be possible that its counter-sabotage benefits
would allow trade-offs against other security measures.
Because of possible testing requirements, impacts for this concept
may be high.
3.26 REDUCED VULNERABILITY OF ISTAKE STRiJCTUP..ES FOR SAFETY RELATED
PUMPS, CATEGORY 111.8
3.26.1 Concept
This concept provides for improved protection of safety relotcd intake
structur-2- 2nd puaps agaiast sabntcurs attempting approach from tk,e
water side.

3.26.2 Sources
Through discussions with Department of Energy officiais it was learned
that this concept is emphasized in some foreign designs. For example,
one plant reportedly was provided with a labyrinth structure in the
intake canal for protection against the approach of divers.
Enhanced protection of intake structures through use of access control
was a recommendation of the Sandia/industry workshop on protection of
nuclear power plants against sabotage.
3.26.3 Advantages
This concept provides extra protection of the safety related service
water system and ultlmate heat sink, and also protects against cir-
cumvention of access controls provided by the land side perimeter.
3.26.4 Disadvantages
This concept involves extra cost for design and construction, and,
depending on the head loss associated with the protective features,
for pumping as well. Design conflicts cculd also result with environ-
mental requirements for approach velocity and fish escape.
3.26.5 Summary of DSTSG Input
The most significant input from the DSTSG for this concept related to
its potential for improving plant resistance to sabotage and to its
potential impacts. By a slight margin, the concept was considered to
offer potential for improved sabotage rcsist~nce. In the opinion of
one member, this potential was considered siqnificant in that intake
structures may be located in the least secure areas of the plant and
should be designed with inherent rcsistancc to s~botagc.

Thc DSTSG considered inpacts for this concept to he low.
3.26.6 Discussion
Eased on its employment in foreign designs, this concept is considered
feasible and state-of-the-art.
Since the functioning of safety related service water pumps is re-
quired for extended plant cooldown, and since the structures hoosin?
these pumps may be vulnerable to sabotage by approach from the water
side in some designs, this concept is considered to offer the potential
Eor'iaproved plan: resistance to sabotage.
Independence for this concept is considcred to be low since protection
of the remaining emergency cooling equipment would also be required.
There were no side benefits identified
3.27 TRIP COILS f,73 BRE,IKERS/SWITCliCEAR ENERGIZED BY INTERNAL PO\iER
SOURCE, CATI.:GORY I I I. 9
3.27. ? Concept
A self-contained source of control power for operating the contactors
of breaCers/xwitchgear is provided. The source iz the incoming Dower
feeder within the s~itchqe~~r enclosure.
This concept i:; applied in tllc d~zicjn t ~ f r!uclclr power plants in
Germ;iny to improvt? rc-liability of coztrol circuit:; lor ssCct.y related
motor fcedcrs.

Advantages -
This concept elialnates dependence on the DC electrical system for
operating power feed contactors and thercfore reduce the consequences
of its sabotage.
3.27.4 Disadvantages
Breaker control and status indication would be una.~ailable if AC
power was lost.
. . ,.. ,,. ,. . .!.~
3.27.5 Summiiry of DSTSG Input
,,-.,..
This concept was considered Eeasible and state-of-the-art by the
QSTSG. It was pointed out that the stated disadvantage of lost
status indication could be overcome by using DC indicating circuits
. or local mechanical indicators.
Impacts for this concept were considered to te ~91311, but it was considered
to hold little potential to improve plan: sahotagc resistance.
Specific comments in this regard were:
. The capability Eor at lease two manual operations is
provided in most switchgear.
. IE the source of instrument power is DC, then the ability to
operate switchgear remotely under loss of DC power conditions
is of little value.
During discussion of this latter comment, the DSTSG recommended that
consideration should be given also to a backup for the vital instru-
ment busses from an AC source (manually actuated AC backups presently
exist - authors).

3.27.6 Discussion
This concept ellminates the vulnerability to sabotage of the DC control
power supply and distribf~tion system from the DC busses to the
individual switchyear units as regards the capability,to operate the
switchgear remotely from the control room. For this reason, it is
considered to have potential for improving plnn: sabotage resistance.
This may be a very marginal potential however. Any vulnerabilities
associated with the control circuits between the switchgear and control
room would remain unchanged. Also, the separation and redundancy
applied to DC power and distribution systems tends to reduce
their sabotage vulnerab~lity.
Independence for this concept is considered to be low for the reasons
just discussed. It may have the side benefit of further inpro.ring
plant protection agJinst fire.
3.28 HIGH PRESSURE RHR SYSTEM, CATEGORY 111.10
3.28.1 Concept
Under this concept, the design pressure of the residual heat removal
(RHR) system is increased (to that for the reactor coolant system) so
that opening of the valq~es isolating the RNR system from the reactor
coolant system would nct result in overpressure and possible rapture
of the RHR system.
3.28.2 Sources
This concept has its origin in past regulatory agency deliberations
on means to prevent overpressure conditions in R Hk systems.

hdvan tages
-.-
This concept improves protection against a possible loss of reactor
coolant outside containment resulting either from sabotage or failure
of existing interlocks or check valT~es.
3.28.4 Disadvantages -
These in~iude extra costs for RHR system components, systen erection,
and system maintenance. A factor affecting maintenance costs would
be the extra effort in the disassembly and make-up of high pressure
joints such as pump caslng flanges.
3.28.5 Summary of DSTSG Input
The DSTSG comments and subsequent discussions indicated that this
concept was feasible and state-of-the-art. Thcrc was also some indi-
cation that impacts wcre acceptable but no clear indication as to
potential for i!n;l:oved plant resistance to sabotage.
3.28.6 Discussion -
Several DSTSC mmbers assumed that this ccncept referred to an RIIK
system, configured as at preeent, but desiqned to cperatc at high
reactor coolant system pressure. Mowever, the intent of this concept
is only to upgrade the design pressure of the RIIR system, the opera-
tional modes being unchanged. As such, this concept would increase
the difficulty of sabotage aimed at croating a loss of reactor coolan
outside containment. In the present, low pressure RHR systems, it
might be possible to create this condition by defeating the pressure
interlocks on the HCS/RIIRS isolation valves when thn reactor coolant
systcm is at operaitng pressure. Howcvcr, with a high pressure RIiR
system, additions1 action would ba required to breach the piping by
external force; e.g., by use of axplosives.

The concept of a RHR system designed to operate at normal RCS pressure
and temperature may also have merit frcm a counte:-sahotagc stand-
pornt. Such a system would provide a diversc mode of decay heat re-
moval at hlgh RCS pressure and temperature. The only presently avail-
able mode is through the steam generators. This csncept has not been
pursured by the authors in this work, but it appears that the technical
concerns are the design of RHR heat exchangers with high temperature
differences from the tube to shell side (primary system to component
cooling water system) and high volume flow rates.
Referring again to the oriqinal concept, independence is regarded as
low since access controls and hardened enclosures for the RHR piping
outside containment are required to c~mplete the protectioo of this
piping against breach by external force.
There were no side benefits identified for the original concept.
3.29 HARDENED DECAY HEAT REMOVAL SYSTEM, CATEGOKY IV. 1
3.29.1 Concept
This concept involves the provision of a decay heat remov3l system
designed specifically for improving overall plant resistance to sabo-
tage. The system includes the following features.
. Location in hardened buildings or bunkers, complete with
power sapplies, water storage tanks, and controls.
. ?I;rxi~num independence of remainder of plant.
, Redundant syctcrns, spati~lly separated.

D-HR
Designed for removal of decay heat from a water cooled
nuclear power power reactor in the hot shutdown condition
(reactor subcritical, rods inserted, reactor coolant pressure
and temperature at no-load conditions), with the reactor
coolant pressure boundary intact, for a defined period, automatically,
without operator attention.
. Actuated manually, either from the main control room or
within the bunkers. Once actuated, no further operator action
would he reqt~ired (but would not be precluded) for the design
period of automatic operation.
. With operator attention, designed to continue decay hect removal
beyond the design period of automatic, unattended
operation.
. With operator attention, designed to permit transfer to conventional
residual heat removal (RHR) system operation during
or followinr; :he design period of unattended operation.
. Dedicated for use only in a sabotage or other cxtrene emergency
as determined by plant operators. Would h~ve no function
during normal plant startup or shutdown operations nor
following loss oE normal AC power.
. Would provide for isolation of fluid lines connected to the
primary (and secondary) coolant systems as necessary to prevent
loss of fluid inventory.
. Would not block actuation of nor otherwise interfere with
the operaiton of other plant engineered safety features.
. System would be regarded as nuclear safety related.

Appendix C contains a description of a conce~tual design, developed
by the authors, for a hardened decay heat re3oval system incorporating
the above features. This system utilizes steam generated by decay
heat as its primary energy source. Other concepts are also possible,
Such as systems using diesel engines for power.
3.29.2 Sources
A bunkered emergency feedwater system containing most of the above
features is pro-~ided for German KlJU plants. Its original purpose WJS
to provide plant protection (in conjunction with a hardened contain-
ment building) against plane crashes and gas cloud exp:osions,
although its sabotage resistance capability has been recognized.
The recent Sandia/industry workshop on nuclear power plant sabotage
protection recommended an alternate decay heat removal system de-
signed to operate in conjunction with an intact reactor coolant
system as a means of implementing additional protection against sabo-
tage, and also recommended that high priority be given to a study of
bunkered, emergency decay removal systems to evaluate the feasibility
and cost effectiveness of such systems.
The NRC improved safety research program as described in NUREG-0438
includes projects for improved decay heat removal concepts with
emphasis on add-on, bunkerdd systems.
The paper by Ebersole and Okrent (References, Section 4.29) describes
a design concept for a bunkered emergency decay heat removal system
designed for the hazards of fire and sabotage.

3.29.3 Advantass
This concept provides the advantage of ver) hlqh assurance of decay
heat removal under extreme emergency conditions, including sabotage
and major fire, with essentially no dependence on external systems
except the nuclcar steam supply system w~thin containment.
These include extra costs for plant design, equipment, and construc-
tion. Also, operating costs would increase for such activities as
testing, routine surveillance, inscrvice inspection, and maintenance.
Because of requirements for additional buildiriqs (bunkers), additional
constraints would be placed on plant layout, psaibly resulting in
increased site congestion.
3.29.5 Summary of DSTSG Input -
Most of the commcnts on this concept were directed towards the steam
powered Independent Safe Shutdown System (ISSS) prevented by the
authors at the first DSTSG meeting (a description of the ISSS is in-
cluded as Appendix C) . The ISSS was considered a feasible concept,
but state-of-the-art was questiorted for one of its principal com-
ponents, the steam reciprocating charging pump. The readcr is re-
ferred to the comment summaries contained in Appcndis B for additional
comments specifically directed toward the ISSS.
DSTSG conirlwnts rcl;ltir.(j to bunk~>red cmercjency fet?dwatcr systclns in
general, without retqard to spt?cliic type, are 1 isted a:; follow:;.

. System capacty is limited in time.
. Providiny additional systems is going in the opposite direction
of solving problem. Shculd minimize -~ital equipment and
develop a basic plan for protection of plant.
. System should no: be required to be nuclear safety related;
possibly only seismically qualified.
. System should not have to meet single failure criterion;
rather, a reliability criterion.
. The stated advantage for improved fire protection was not
considered valid in vicw of present day (post-Drowns Perry)
fire protection designs.
. System should not be dedicated to use only for emergencies.
It should be used for normal operation an3 should be con-
sidered in :he context of eliminating other systems. Oper-
ator confidence in system capability is improved when
systems are used as part of normal plant operation.
. Objectives of the hardened decay heat removal system could
be better achieved by operator staff training, a hardened
nuclear island perimeter, s manned emergency control room,
and location of tankalje (RWST, CST, PMT, etc.) within the
perimeter. A bunkered systcm is very expcnsivc dnd hard to
mairitain.
. The system n(:cd not be declgned to cool doown rhc plant; may
ho clesiqncrl sir~lply to hold plant at hot shutdown.

. Manual, rather than unattended automatic operation was
mentioned as preferable by one mcmher.
. Actuation !;hould only bc from within bunker, for if in ccr,trol
room, it could be prevented by sabotage action in control
room.
. High pressure PI111 systcm should be considered as an alternative
to a system crnploying cvaporativc coolinq.
. Impacts in tcrms of capital cozts (5 to 50 million dollars)
and opcrating costs (10 to 100 tt40usand dollars per year)
could be vcry high.
3.29.6 -. Discussion
That a hardcned decay hcat removal system offers potential for im-
proving plant resistance to sabotagc has been generally accepted by
those who have ctr!nsidcred the prohlcm of zabotagt. protection of
nuclear power plants. Its cost effectiveness, however, has yet to he
determined. Uasad on the DSTSG comrncnt!:, impacts on plant capital
and operating costs nay be high.
There arc variations in implementation of the hardened decay heat re-
moval system concept. The German system (PIJI< version) employes 4-50,k
redundant systems, each with i ta own dcdicatcd d ic:jol cnginc (which
drives both a fccdwatcr pump and a generator), fuel supply, and feed-
water supply, a11 of which arc located in a hardened building arranged
to provide physical separation. Thc authors have prcpared a con-
ceptual dcsiqn of a twice redundant systcln, tlir Indr~pendent. Safe
Shutdown System (ISSS), which is powerctl by steam qcncratcd by decay
hcat.

The DSTSS has raised questions on the amourt of redundancy that shou?d
be required in hardened decay heat removal systems and whether or not
these systems should be dedicated to sabotage or other gross emer-
gency or should be integrated into normal plant operation, repiacing
existing systems (such as the auxiliary feedwater system). It also
suggested the high pressure RHR system (Section 3.28) as an alternate
to systems employing evaporative cooling.
On the question of state-of-the-art raised by the DSTSG with regard
to the steam reciprocating charging pump employed in the ISSS, the
authors have confirmed, through a detailed review oE the application
with Union Pump Company, that such a pump can be furnished. Some
component development may be required to achieve 858 mechanical
efficiency, a value that is judged desirable to maintain adequate
subcooling of the primary coolant. Nowever, actual efficiencies of
92% have been measured under controlled conditions. On this basis,
the authors consider the ISSS in particular to be state-of-the-art.
Since hardened decay heat removal systems in other configurations are
actually installed, there is no question about state-of-the-art in
general.
Improved protection against other gross emergencies such as fire may
be considered a side benecit for this concept.
3.30 INDEPENDENT, DIVERSE SCRAM SYSTEM, CATEGORY 1'1.2
An additional method to rapidly insert negative reactivity to scram
reactor which does not. employ existing control rods and which is pro-
vided vith an independent logic and actuation system.

3.30.2 Sources
This concept was originated by the authors as a m ans of meeting the
general performance objective of enhanced protection for reactor
trip.
3.30.3 Advantages
From the sabotage protection viewpoint, this concept may provide in-
creased protection for reactor trip by requ~ring that two diverse and
independent trip systems be addressed. The concept mlght also con-
tribute to ame:loration of concerns about anticipated transients
without scram (ATWS).
3.30.1 Disadvantages
This concept requires major design work on reactivity control systems
which could in turn affect reactor mecnznica! and ncclear design.
3.30.5 Summary of DS'rSG '1n2ut -
There was little discussion of this concept at the two DSTSG meetings.
The unanimous indication obtained from written cormne'ts was :!?at it
held no potential For improving plant resistance to sabotage. A~l~onc;
the reasons given were that the existing trip systems wvrc fail-safe
designs, and this concept only adds areas OF vulncrability to attempted
sabotage.
3.30.6 Discussion
Because it provides an independent, automatic, 2nd divurse, reactor
trip system which, in principle, could be spatially sepdrated and
provided with physical protection mcas*irc.z in the form of access

controls and hardened enclosures, this concept is philosopnically
regarded as having potential to improve plant resistance LO saootage.
However, its implementation is believed to be exceedingly difficult,
perhaps a practical impossiblity.
While the concept may be feasible, it is definitely not state-of-theart.
A truly independent, additional, rapidly acting trip system may
require additional control rods with diverse operating mecnan~sms and
detection/logic.~actuation s:Jstems. These represent major impacts on
the design of reactor control systems with implications on the
: , .~,., . . , 2, ,, ,b % . ..,,-. , , , , .., , , ,.. , ,,,,
mechanical and nuclear design of the reactor itself.
Independence for this concept is considered to bc low since, to main-
tain the plant in a safe shutdown condition, additional syscems (e.g.,
decay heat removal and reactor coolant inventory control) are needed
and would have to be protected.
ATWS amelioration is considered a side benefit for this concept.
Finally, there may be little increased protection provided by this
concept against a kno-dledgeable insider.

4.1 GENERAL
4. REFERENCES
Presented here is a listing of reference materials that served as
source and supporting documentation for the candidate design altern-
atives. The organization of this listing par=llels that of Section 3.
4.2 UNDEXaOOND SITING, CATEGORY 1.1
. Rock Cavity Construction of a Nuclear Power Plant - A Case
Study. Loken, P.C. : aakke, J. : Gloerson. I. ~ransactions
American tluclear Society: 27:641-612.
. Underground Pressure Suppression Systen for Eoiling Viater
Reactors. T. Straum. Lawrence Livernore Laboratcry. Ucid -
17695, January 1978.
. Rin~ Tunnel Ccmtainment. Seidensticker, R.W. et. 51. U.S.
Patent 4,045,289, August 30, 1977.
. Underground Sit-ng of Nuclear Power Plants: Potential Benefit:
and Penalties. James A. Allensworth, et. al. Sandia Caboratori
SAND 76-0412. August 1977.
. PIan for Research to Improve the Safety of Light-Water Nuclear
Power Plants, NUREG-0438, April 12, i978.
4.3 iiARDENED CO:ITI\INME?JT BUILDING, CATEGORY I. 2
. Nucleonics Week, August 31, 1978, ... The Sabotage-Proof
Nuclear Plant.

. Summary Comparison of Ee$t European and Z.S. Licensing
Requlations for LKRS, John A. Richardson, Nuclear Engineering
International, February 1976.
. Experience with Nuclear Power Plart Siting and Safety Criteria
In the Federal Republic of Germany, 3. Frewer, J. Dr. Nuclear
Energy Society, 1975, :lo. 3.
. A Value - Impact Assessment of Alternate Containment Concepts,
David T. Carlson end Jack W. Hickman, Sandia Laboratories,
NUPEG/CR-0165, (SAND 77-i341) June 1978.
. Spherical Containment Syztern Has Many Ad-~antaqes, A. Godfrey,
A.S. Madan, and W.S. Loeb, Nuclear Engineerin: international,
December 1977.
4.4 HARDENED FUEL HA:

4.8 TAKING ADVAPXAGE OF NATURAL ?XOTECTIVE: GECGRAPHICRL FCATURES
IN SITE SELECTION, CATEGORY 1.7
. Memorandum to S02-04 File, C. Negin, International Energy
Assocites Limited, September 22, 1978 (informal notes of
meetinq).
4.9 NARDENEL! EKCLOSVRES FOR MAKELIP WATER TNJKS, CATEGORY 1.8
. Sunmary Report of Workshop on Sabotage Protection in Nuclear
Power Plant Design, IJUXEG-0144 (SAND 76-C637) A~ril 12, 1978.
1 0 - SEPARATION OF CONTAINMEBT PENETRATIONS FOR REDUNDANT
PROTECTION SYSTEMS, CATEGORY 11.1
. Summary Report of Norkshop on Sabotage Protection in Nuclear
Power Plant Design, NUREG-014.1, (SAND 76-0637) April 12, 1978.
. Review and Evaluation of the ?:uciear Requlatory Commission
Safety Research Program, NUREG-0392, December 1977.
. Spherical Containment Has Many Advantages, A. Godfrey, A.S.
Madan, W.A. Loeb, Nuclear Engineering International, December
1977.
.". .,.;.
4.11 ' SEPARATIOK OF SAFETY RELATED PIPIFIG, COt2TROL CfiCLES, ArlD POXER
CABLES IN UNDERGROUND GALLERIES, CATEGORY 11.2 .-
. Review and Evaluation cf the Nuclear i?epjulatory Commisson
Safety Research Program, MUREG-0392, December 1977.

Applying Gernan Safety Philosophy and Technology in Spain,
Antonio Gonzalez and Felix hlonso Zzba10, Xuclear Engineering
International, Septenber 1978.
4.12 STORAGE OF SPENT FUEL WITIfIN PRIXAR'f CONTAIN>!EST, CATEGORY 11.3
. Apglying Gerxan Safety Philosophy and Technology in Spain.
Antonio Gonzalez, Felix Alonso Zabalo, Nuclear Engineering
International, September 1978.
. .
. Review and ES~al.uation of the Nuclear ilegulatory Commisson
Safety Research Program, XREG-0392, December 1977
. Summzry Comparison of Nest European and U.S. Licensing Regulations
for LWRS, John A. Richardson, Suclear Enjineering
International, Feb,ruary 1976.
3.13 S?E!

. Redundant Control Circnits Should Be Physically Separated,
Frigyes Reisch, Swedish Nuclear ?ower Inspectorate, Nuclear
Engineering International, October 1976.
. Fire Protection'for Nuclear Power Plants from the Insurance
Industry's Viewpoint, John J. Carney (?lei-Pia), Trans. of
America Nuclear Society, 27:706-707, 1977.
. Fire Protection in Nuclear Power Stations, G.C. Ackroyd and
J.P. Lake, British Insurance Companies Fire Offic~rs Comnittee,
Nuclear Engineering International, September 1978.
. Review and Evaluation of the Kuclear Regulatory Commission
Safety Research Program, NUREG-0392, December 1977.
. Applying German Safety Philosophy and Technology in Spain,
A. Gonzalez, F. Alonso Zabalo, :Juclear Engineering Intcr-
national, September 1978.
. Experience with Nuclear Tower Plant Siting and Safety in the
FRG, H. Frewer, J. 3r. Nuclear Energy Society, 1975,
No. 3, 191-200.
4.15 SEPARATE AREAS OR ROOXS FOR CABLE SPREADIKG, CATEGORY iI.6
. Gibbs and Hill Standard Safety Analysis Report (GIDBSRR),
May , 1977.
. Wolf Creek PSAR, 1974.
. Redundant Control Circuits St,ould Bc Physically Separated,
Frigyes Reisch, Swedish Nuclear Power Inspectorate, Nuclear
Engineering International, October 1976.

4.16 ALTERXhl'E CONTROL ROOF! ARRANGEMENTS, CATECCP.11 11.7
. Redundant Control Circuits Should Be Physically Separated,
Frigyes Reizch, Swedish Nuclear Power Inspectorate, Muclear
Engineering International, October 1976.
ECCS COMPONENTS WITHIN CONTAINMENT, CATEGORY 11.8
. Experience with Buclear Power Plant Siting and Safety Criteria
in FRG, H. Frewer, J. Br. Nuclear Energy Society, NO. 3,
191-2C0, July 1975.
. Spherical Containment System Has Plany Advantages, A. Godfrey,
A.S. Madan, W.A. Locb, Nuclear Zngineering International,
December 1977.
4.18 ADMINISl'RATIVE. II;FOR?lAT:ON, hND COIJSTRUCTIOI: BUILDINGS LOCATED
OUTSIDE OF PROTECTED ARE,\, CATEC0P.Y 11.9
. Applying German Safety Philosophy and Technology in Spain, A.
Conzalez, F. Alonso Zabalo, Nuclear Engineering International,
September 1978.
4.19 ISOLk'?ION OF LON PRESSilRE SYSTZ!.IS COIJP!ECTED TO REACTOR COOLANT
PRESSURE BOOKDARY, CATEGORY I I I. 1
. Summary Report of Norkshop on Sabotage Protection in Nuclear
Power Pldnc Design, NUREG-0144, (SAND 77-0637) April 12, 1978.
5.20 IIESIGN CIIANGES TO FACILITATE DAXAGE COXTROL, CATEGORY I I I. 2.
. Summary Report of Norkshop on Sanotaqt: Protection in Kuclear
Power Plant Dezign, NUR!X-0144, (SXJD 77-0637) April 1.2, 1978.

4.21 ALTERNATE COI:TAIN!4ENT DESIGNS ,~ CATEGOR'f I1 I. 3
A Value-Impact Assessment of Alternate Containment Concepts,
SAND 77-1344, David D. Caclson, Jack W. Hickman, June 1970.
WASH - 1400 Insights Utilized in Assessing Alternate Contain-
ment Desiqns, SAND 77-1353C, David D. Carlson, Jack W. Hickaan,
Merrill A. Taylor.
U.S. Patent 4,050,983; Passive Containment System; Frank
h'. Kleniola: September 27, 1977.
Plan for Research to Improve the Safety of Light-Vater Ncclear
Power Plants, NUREG-0438, April 12, 1978.
A Passi.de Containment System for Boiling Water Reactors.
Frank 'L. Klemiola, O.B. Falls, Jr., Nucledyne Engineering
COrp., NCJV~Z~~PC 30, 1977.
Recomrniscicninn - An Alternate to Dcconnissioninq, Frank W.
Klemiola, 0. B. Falls, Jr., tluciedyne Enqinecr in? Corp. ,
November 1978.
Containment Ventinq Considerations for Light Water P.,'ic;or
Accidents, R.S. Denning, P. Cykulskis, R.O. >:ooton, Battclle
Columbus Lat~oratories, Trans. Am. Nucl. Soc. 17:644-645
(1977).
. Applyin? German Safety Philosophy and Tcchnnlog:~ in Spain,
A. Gonza!cz, F. irlonso Zah.110, !4wlcar Ecginccr iwj Ir,tr-r-
national, Scpt.mbc~r 1978.

. Design of Kr;Z' Lh'R Safety Systems, ILEA-CN-26.132, D. 'Jon
Haebler, Conf. 779505, 1977.
. Experience with Noclear Power Plant Siting and Safety Criteria
in the FRG, H. Frewer, J. Br. Nucl. Energy Soc., 1975, 14,
No. 3. 191-200.
4.23 ADDITIONAL PROTECTED MA!TED
-
. Summ~ry Report of Zorksho? on Sabota~~c
Protection in Nuclear
Power Plant Design, ::!L'h!X-ClJ.1, I 5 - 6 7 , 1 2 , l97C.

. Memorandun to S02-04 File, C. Negin, International Energy
Associates Limited, September 22, 1978.
4.27 TRIP COILS FOR BREAKERS/SIV'ITCHGEAR ENERGIZED BY INTERNAL POXER
SOURCE, CATEGORY 111.9
. Standby and Emergency Power Supply of German Nuclear Power
Plants, Alexander Borst, KWU AG, IEEE Transaction on Power
Apparatus and Systems, Vol. Pas -95, No. 4, July-August 1976.
4.28 HIGH PRESSURE R!R SYSTE>4, CATEGORY 111.10
. None
4.29 HARDENED DECAY HEAT REMOVAL SYSTEM, CATEGORY IV.l
. Plan for Research to Improve Safety of Light Water Nuclear
Power Plants, XUREG - 0438, April 12, 1978.
. Summary Report of Workshop on Sabotage Protection in Nuclear
Power Plant Design, NUREG-011.1, (SASD 76-0637), 1977.
. Review and Evaluation of the Nuclear Regulntory Commission
Safety Research Program, NUREG-0392, December 197i.
. Zxperience with Nuclear Power Plant Siting and Safety in the
FRC, H. Frewer, J. Br. Nuclear Energy Society, July 1975.
. An Integrated Safe Shutdown Iieat Removal System for Light
Water Reactors, J.C. Ebersole and D. Okrent, OCLA - Eng -
7651, Kay 1976.

. Standby and Esergency Power Supply of German Nuclear Power
Plants, Alexander Borst, KIKI AG, IEEE Transactions on Power
Supply and Systems, Vol - Pas 95, No. 4, July-August 1976.
4.30 INDEPENDENT. DIVERSE SCRAEl SYSTEM, CATEG0P.Y IV.2
. Plan for Research to Improve the Safety of Light-Water Nuclear
Power Plants, MUREG-0438, April 12, 1978.

Firm
Nuclear Projects, Inc. (SNIJPPS)
Combustion-Engineering
General Electric
Westinghouse
Babcock and Wilcox
Bechtel Power Corp.
Sargent and Lund!~
Duke Power Co.
Commonwca 1 th-Ed i son
Northern States Power
Power Authority, State of NY
Design Study Technical Support Group
- Participant
F. Schwoerer
Technical Director
A. Kasper
System 80 Area Mgr.
E. Maxwell
Electrical Mgr., STRIDE Projects
T. Burnctt
Advisory Engr., Nuclear Safety
E. Swanson
F. Gabrenya
Principal Engr.
T. Victorine
R. Dobcon
Sr. Engr., Electrical
D. Calle
Station Mgr., Braidwood
L. Eliason
Plant Mgr., Monticello
M. Maltese
Director, security and Safety

This Addcndun cuntai ns sununar ies of the comments of thc DS'i'SG mcllluers
on the citr~tlitlatc dcsiqn altc!rnatives. Ilowevcr, not all of the rllclnbcrs
conuncntlnq on a ;1~rcicular alterr~ative n;.+de cornnlcnts on each of its
featurt?~ such as feasibility, state-of-the-art, and so f'orth. There-
fore, thc SUIII of the YL:S/NO conlments on a particular fcdturc of a
condidatc altcl-rldt ivc is not ncccssarily equal to tho nurliter of DSrI'.L;C.
n~r?n~ht~rs cCm;!lt~ntinq on that dl tornat ive.

CATEGORY: 1.1 UNDERGROUND SITING
NUMEZR CGMI4ENTING 5
- YES - NO
FEASIBILITY 2 0
STATE OF THE ART 1 0
PROS - AGREED 2 0
CONS - AGREED
POTENTIAL FOR IMPROVED
RESISTANCE TO SABOTAGE
IMPACTS ACCEPTABLE
OTHER COMMENTS
REMARKS -
2 0 Vent openings vulnerable.
Flooding hazard increased to
rupture in circ. water system
More difficult to regain con-
trol of plant if siezed by
saboteurs.
0 4 Cost too great, up to + 50%
Should consider island or off-
shore siting as alternatives
offering simpler access con-
trol.
An underground pressure sup-
pression pool should also be
designed to serve as alternate
water source for ECC b RHR
systems.
Drop complete burial idea.
Cost too great.

I
CATEGORY: 1.2 HARDENED CONTAINMENT
NUMBER COMMENTING 5
YES NO 7 -
FEASIBILITY 1 0
STATE OF THE ART 1 0
PROS - AGREED 0 0
CONS - AGREED 0 0
REMARKS
. POTENTIAL FOR IMPROVED
RESISTANCE TO SABOTAGE 0 4 Containment already sufficient
hardened to resist sabotage.
IMPACTS ACCEPTABLE 0 0
OTHER COMMENTS Containment not a likely tar-
get for sabotage.

CATEGORY: 1.3 HARDENED FUEL HANDLING BLDG.
NUMDER COMMENTING 5
- YES NO -
FEASIBILITY 2 0
STATE OF THE ART 2 0
PROS - AGREED 0 0
CONS - AGREED
,..r, ,..-,. ~
,.
POTENTIAL FOR IMPROVED
RESISTANCE TO SABOTAGE
IMPACTS ACCEPTABLE
OTHER CO!4blENTS
REMARKS
Increased potential if pool
at ground level and easy to
reach from outside.
3 2 Particularly for new construc-
tion. Should also harden
cooling system.
Technical Specifications
already cover emergency
cooling of fuel in pool.
Consequences do not justify
additional expense.
2 1 Cost may be overriding impact.
Strengthening building walls
and roof to prevent forcible
entry offers potential for
increased sabotage resistance
in existing plants.

CATEGORY: 1.4 HARDENED ENCLOSURE OF CONTROL ROOM
NUMBER COMMENTING 5
- YES - NO
FEASIBILITY 1 0
STATE OF THE ART 1 0
PROS - AGREED 1 0
CONS - AGREED 1 0
REMARKS
POTENTIAL FOR IMPROVED
RESISTANCE TO SABOTAGE 3 2 No help against insider.
IMPACTS ACCEPTABLE
OTHER COMMENTS
Benefit for plants already
constructed.
Already designed to withstand
accidents and weather conditions
similar to containment
buildings. Further hardening
would increase operational
difficulty ..I#~ ,witb,;,little
j i >I bene-
1 ,tii i,;!,:. fit agains,~~/$~&~;ta~~.
Control room likely target of
sabotaqe.

CATEGORY: 1.5 HARDENED ENCLOSDRE FOR RPS AND ESFAS CABINETS
NUMBER COEPENTING 5
- YES NO -
FEASIBILITY 1 0
STATE OF THE ART 1 0
PROS - AGREED 1 0
CONS - AGREED 1 0
POTENTIAL FOR IMPROVED
RESISTANCE TO SABOTAGE 0 4
IMPACTS ACCEPTABLE
-- REMARKS
OTHER COMMENTS Cable trays outside enclosure
remain vulnerable. Enclosure
concept only valid for trip
breakers and ESF component
actuation circuits. Attempted
sabotage would most likely
result in trip due to fail
safe design. More applicable
to PWR than BWR.

CATEGORY: 1.6 HARDENED ULTIMATE HEAT SINK
NUMBER COE.L!IENTING 5
-
-- YES - NO
REMARKS
FEASIBILITY 1 1 Feasible only for certain type
designs such as cooling towers
or spray ponds.
STATE OF THE ART 1 1
PROS - AGRFXD
CONS - AGREED
POTENTIAL FOR IMPROVED
RESISTANCE TO SAROTAGE 2 3 Hardeninq should be given
special consideration. Heat
sinks may be outside security
perimeter, or if inside, may
be exposed and vulnerable.
IMPACTS ACCEP'I'AULE
OTHER COMMENTS
Reg. Guide 1.27 provisions
are sufficient.
1 Neat sink not likely tzrget of
sahotaqc.
Costs for hardeninq may be
acceptable, e.g., cooling
tower on roof of aux. bldq. -
savings on excavation and
piping vs. cost for beeEcd up
auxiliary building.
Meat sink not a likely target
for sabotage.
Damage control may be feasible.
Even if UHS is dsmagcd by
sabotage, plant designed to
bc safely shut down withouc
it.

CATEGORY: 2.7 TAKING ADVANTAGE OF NATURAL PORTECTIVE GEOGRAPHICAL
FEATURES IN SITE SELECTION
NUMBER COMMENTING 4
FEASIBILITY
STATE OF THE ART
PROS - AGREED
-- YES - NO
1 1
2 0
2 0
CONS - AGREED 2 0
POTENTIAL FOR IMPROVED
RESISTANCE TO SABOTAGE 1 0
IMPACTS ACCEPTABLE
REMARKS
1 2 Would increase overall plant
construction work.
Could severly restrict number
of acceptable sites.
Not 611 areas of country cx-
hibit difficult natural ter-
rain.

CATEGORY: 1.8 HARDENED ENCLOSURE FOR MAKEUP WATER TANKS
NUMBER COMMENTING 4
7 --
FEASIBILITY 3 0
STATE OF THE ART 3 0
PROS - AGREED 3 0
CONS - AGREED
POTENTIAL FOR IMPROVED
RESISTANCE TO SABOTAGE
IMPACTS ACCEPTABLE
OTHER COMMENTS
-- YES - NO
REMARKS
2 1 Incremental cost increase not
significant.
Plants should be designed
with alternate, backup water
sources, e.g., torus for BWR.
3 1 Providing hardened enclosures
for exposed tanks at older
plants may significantly in-
crease sabotage resistance of
these plants.
2 1 Tanks not likely targets for
sabotage.
Integrating tanks into auxilia~
building structure is another
method of hardening.

CATEGORY: 11.1 SEPARATION OF CONTAINMENT PENETRATIONS FOR REDUNDANT
PROTECTION SYSTEMS
NUMBER C0FINENT;NG G
FEASIBILITY
STATE OF THE ART
PORS - AGREED
- YES - NO
4 1
CONS - AGREED 1 0
POTENTIAL FOR IMPROVED
RESISTANCE TO SABOTAGE 2 1
IMPACTS ACCEPTABLE
OTHER COMMENTS
REMARKS
Feasible for new plants only.
Additional ventilation units
nay be required.
Plant arrangement complexity
not increased.
In conjunction with controlled
access. Since it already is
done in new designs, would not
improve sabotage resistance.
Already a feature of new designs.
Required for other reasons:
missile, fire, pipe break.
Should be disregarded for post-
PSAR stage plants due to cost/
benefits.

CATEGORY: 11.2 SEPARATION OF PIPZNG, CONTROL CABLES, AND POWER CABLES
IN UNDERGROUND GALLERIES
------
YES - NO -
STATE OF THE ART 3 0
PROS - AGREED 0 1
'. CONS - AGREED
POTENTIAL FOR IMPROVED
RESISTANCE TO SABOTAGE
IMPACTS ACCEPTABLE
REMARKS
OSHA s inspection would require
manways at intervals, increasing
vulnerability.
1 2 Could improve resistance in
soule existing plants but m y
be too expensive for consider-
ation.
Little potential for new plants;
separation already required.
1 2 Too expensive for some oper-
ating plants.
Too expensive for new plants
because of requirement to
provide access for inspection
and n~nintenance.
Concept has been partially im-
plemented in some existing
plants.
would cause serious problems in
retrofitting.
Estimated costs for tunnels
actual1 y less than for trenches
St oIlf3 SltC.

CATEGORY: 11.3 STORAGE OF SPENT FUEL WITHIN PRIMARY CONTAINKENT
NUMBER COFIXENTING 5
. YES - - NO
FEASIBILITY 2 0
STATE OF THE ART
PROS - AGREED
CONS - AGREED
POTENTIAL FOR IMPROVED
RESISTANCE TO SABOTAGE
IMPACTS ACCEPTABLE
OTHER COMMENTS
--
PEMARKS
2 0 Never previously licensed in
U.S.
1 1 Yes only if all pool services
are also inside containment.
2 0 Also increased number of con-
tainment penetrations. In-
creased exposure of personnel.
1 Consequences of fuel pool
sabocdye not severe enouyh to
war rent extra protection.
1 Benefic not worth tne cost of
provldrng cxcra bdrr ler to
fission producc celedse glven
U.S. practice of sltlny plants
away from population centers.
Could noc handle fuel during
operation - prolonged refueling
outaycs.
Post-LOCA qualiticat~on of
pool and auxiliaries required.
Present fuel pool cnciosures
provide adequate protection.
Increased containment heat
load.
Post LOCA erlv i roruwnt undesir -
ab.te lor a fuel storaye area.
Backiit not feasible. Too
costly.
U.S. CsvernTncnt should taK0
charge of spent tuel to
a1 leviatc problem.

CATEGORY: 11.4 SPENT FUEL STORED RELOW GRADE
NUMBER COMMENTING 4
YES NO
-. --
FEASIBILITY 2 0
STATE OF THE AllT 2 0
PROS - AGREED 1 2
CONS - AGREED 0 1
POTENTIAL FOR IMPROVED
HES [STANCE TO SABOTAGE 1 3 Pool water may secp into soil
if pool wall were breached.
A thinner, below grade wall
may be more easily breached
than a thlcker, above grade
wall.
IMPACTS ACCEPTABLE 1 1 Is a desi~jn feature of some
plants.
Yucl handling labor is
greatly increased.
Conscqucnces of spent fuel pool
sabot.aqe are not zevcrc enough
to warrcnt cstra protection.

CATEGORY: II.5 PHYSICALLY SEPARATE AND PKOTECT REDUNDANT TRAINS OF
SAFETY EQUIPMENT
NUMBER COMMENTING 6
- YES - NO
REMARKS
-
FEASIBILITY 5 0 Only for new plants.
STATE OF THE ART 4 0 Ditto
PROS - AGREED 4 0
CONS - AGREED 3 1 Careful attention to design
may avoid increased floor
space and extra costs for
materials and construction.
POTENTIAL FOR IMPROVED
RESISTANCE TO SABOTAGE 6 0
,IMPACTS ACCEPTABLE 6 0 See qualification below.
OTHER COMMENTS Concept should allow for
separate safety areas in one
building.
A way should be found to not
run steam lines through con-
trol building. Should couple
this concept with extra re-
dundant safety equipment trains.
Not necessary to include RPS
and ESFAS cabinets in con-
cept.
Having equipment in individual
compartments would make O&M
a nightmare. Should provide
only that degree of compart-
mentation needed for radiation
shcilding, missile, fire, and
flooding protection.

CATEGORY: 11.6 SEPARATE ROOMS OR AREAS FOR CABLE SPREADING
NUMBER COMMENTING 5
FEASIDILITY
STATE OF THE ART
PROS - AGREED
- YES - NO
CONS - AGREED 1 0
4 0 Based on it being a feature
of new designs.
4 0 Based on it being a feature
of new designs.
3 1 Congestion would probably
not be reduced.
POTENTIAL FOR IMPROVED
RESISTANCE TO SABOTAGE 4 0 Conditional on:
IMPACTS ACCEPTt\BLE
OTHER COYJIENTS
a) if 3 or 4 train separation
is included, would provide
incremental benefit over
present new designs.
b) high strength attack.
STRIDE design effectively
provides 4 train separation
for cable routing and spreadin
Could not be backfit.

CATEGORY: I I. 7 ALTERNATE CONTROL ROOM ARRANGEPlEhTS
NUMBER COI4blENTI NG 6
- YES NO -
FEASIBILITY 2 0
STATE OF THE ART 2 0
PROS - AGREED 1 0
CONS - AGREED 2 0 ..
$y:..c,-cy.. ,.-y"*/, ; ! ;!

CATEGORY: 11.8 ECCS COMPONENTS WITHIN CONTAIXMENT
I:' NUMBER COIWENTING 6
t
.-
?
FEASIBILITY
STATE OF THE ART
PROS - AGREED
CONS - AGREED
POTENTIAL FOE IMPROVED
RESISTANCE TO SABOTAGE
IMPACTS ACCEPTABLE
OTHER COMMENTS
- YES - NO
REMARKS
5 0 Feasible for secondary contain-
ment but questionable for pri-
mary containment.
1 3 Post-LOCA environmental
qualification would be a pro-
blem for location in primary
containment.
1
?
6 Second pro not a great plus.
Could have as many or more
penetrations as st present
considering increase in
electrical penetrations.
3 0 Should add extra cost.
Should add restricts number
of presently acceptable con-
tainment designs.
1 2 Increased traffic in contain-
ment may reduce protection.
Aux. bldg. could provide equal
protection.
Either primary or secondary
containment would provide pro-
tection.
0 5 Cost impact not acceptable for
primary containment.
Restricted surveillance. May
impact safety of plant.
Restricted maintenance. Tech.
spec. LC0 and need to make con
tainacnt entry may reduce time
available for repair prior to
forced shutdown.
Rcstrictcd. Surveillance.

CATEGORY: 11.3 IIJFOi(.WtT!O:J, ADM1:iISTRATI 10% AKD C0P:STRL'CTION BUILDIIIGS
LOCATED OUTSIDE PROTECTED AREA
FEASIBILITY
STATE OF TIE ART
PROS - AGREED
CONS - AGREED
- YES NO -
2 0
2 0
1 0
1 0
RE4LiRKS
P@TE:iTIAL FOR Ii.?PROVED
RESI STACCE TO SAEOTAGE 1 J. Yes, due to redcction in
number of people in protected
area.
IMPACTS ACCEPTABLE
OTHER COI.WEIJTS
Adnininstrstion buildings
can be left inside protected
area, no advantage to their
relocation. Construction and
information buildings should
be outsise.
3 1 For visitor center, yes.
Not for other bldgs. only re-
sults in more discontent of
people trying to do their
job.
Part in - part out design
offers some real advantages.
Now NRC requirement for infor-
mation, sdnin., and construction
buildinos.

CATEGOPY : I I I. 1 ISOIAT ION OF LOW IJRESSlJRE SYSTEMS CONNECTED TO REACTOR
COOLANT PR'LSSURE BOUIdDARY
NUMBER COM!4Et4TItIC 4
FEASTRILITY
STATE OF TllE ART
PROS - AGREED
CONS - ACPEED
POTENTIAl. FOR lMPJ

CATEGORY: 111.2 DESIGN CHANGES TO FACILITATE DAMAGE CONTROL
NUMBEX COI.V,!EP:TISG 5
- YES NO -
REMARKS
FEASIBILITY 1 I Not believed capable of being
used effectively.
STATE OF THE ART 1 1
PROS - AGREED ' 1 1
POTENTIAL FOR IHPROVED
RESISTANCE TO SABOTAGE 2 Concept of damage control has
very great potential but de-
slqn changes to enhance damage
control are not necessary.
IMPACTS ACCEPTABLE
OTHER COMMENTS
0 1 High impacts for traditional
damage control:
1. Identify spares
2. Procure
3. Inventory control
4. Storage
5. Personnel and Procedures.
Not much can be done from de-
sign standpoint. Simply
credit operators with ability
to respond to abnormal occur-
r ences.
Not optimistic that concept
would be credible with NRC.

CATEGORY: 111.3 ALTERNATE CONTAINKENT 7tSIGNS
NUMBER COI~J4E.IE:iTI:K 5
-
YES - NO
FEASIBILITY 1 0
STATE OF THE ART 0 1
PROS - AGREED 0 1
CONS - AGREED 0 1
- REMARKS
POTENTIAL FOR IMPROVED
RESISTANCE TO SABOTAGE 1 2 Filtered atmospher lc ventlng
shoulo be pursued. TMI-2
could have used lt.
IMPACTS ACCEPTABLE
OTHER COMMENTS
Passive containment appears
to have mer it.
0 1 Costs too great.
Current designs offer adequate
protection aqainst sabotage.
Passive ECCS should only be
considered for possibly im-
proving ECCS reliability.

CATEGORY: 111.4 EXTRA XEDUSDANT, FULLY SEPARATED, SELF CONTAINED AND
PROTECTED TPAINS OF EMERGENCY EQGIPMENT
lIT1!:G 5
FEASIBILITY
STATE OF THE ART
PROS - AGREED
CONS - AGREED
YES NO 7 -
REMARKS
2 0 Xot feasible for backfit.
1 2 Agreement with smaller power
supplies.
Disagreement with extra pro-
tection by requiring sabotage
of nore targets.
POTENTIAL FOR IMPROVED
RESISTANCE TO SABOTAGE 2 2 ECCS equipment not likely
target for sabotaqe.
IMPACTS ACCEPTABLE
Would slso provide some oper-
ating flexibility.
1 1 Benefits insignificant beyond
going atove three trains.
Three 502 trains would be
beneficial.
lOO? capability remains with
single failurc. Allows smaller
diesels.

CATEGORY: 111.5 ADDITIOSAL PROTECTED MANUAL CONTROL ROD TRIP
NUMBER COYJ!E:.ITT,;IG 5
- 'IES ?I0
- -
FEASIBILITY 1 0
STATE OF THE ART 1 0
PROS - AGREED 1 0
CONS - AGREED 1 0
REMARKS
POTENTIAL FOR IMPROVED
RESISTANCE TO SABOTAGE 0 4 Already sufficient means to
trip reactor from outside con-
trol room.
Procedures should be developed
to accomplish this.

CATEGORY: 111.6 ADDITIONAL MAtJUALLY ACTIVATED, DIVERSE, PROTECTED
REACTOR TRIP
NUMBER C0YXENTII:G 5
-- YES NO -
FEASIBILITY 1 0
STATE OF THE ART 1 0
PROS - AGREED 1 0
REMARKS
Procedures should be developed
to accompl~sh this.
POTEtJTIAL FOR IMPROVED
RESISTANCE TO SABOTAGE 0 4 Already suff~cient means to
trip reactor outside control
room .
For BW?, there is no single
area, including control room,
from which a person could pre-
vent a reactor trip.

CATEGORY: 111.7 TURBINE RUNBACK
NUI.IBER C3XMEtJ'PI:IG 5
FEASIBILITY
STATE OF THE ART
PROS - AGREED
CONS - AGREED
- YES - NO
4 0
2 2
POTENTIAL FOR IYPi

CATEGORY: 111.8 REDUCED 'lUL?4EPA9ILITY OF INTAKE STRCCTURES FOR SAFETY
RELATED PVKPS
YES ?:O --
FEASIBILITY 1 0
STATE OF THE ART ; 1 0
PROS - AGREED 1 0
CONS - AGREED 1 0
REMARKS
POTENTIAL FOR IMPROVED
RESISTANCE TO SABOTAGE 3 2 Significant po:entla!. Intake
structures located in
least secure areas of plant.
Must be dcslqned w ~th inherent
reslstsnce to sabotage.
IMPACTS ACCEPTAELE
Provisions of Req. Guide 1.27
sufficient.
Uctter to prot-ect safety sys-
tems needed for safe shut-
down.
OTHER COYMENTS Recent novel Overload by
----
Arthur Hailcy shows intake
structure as a likely sabotage
t3r~JCt..

PEASIUILI'fY
STATE OF TIIE AIVI'
PROS - A(;ltI.I:I)
CONS - ACl

CATEGORY : I 11.10 XiGH PRESSURE RYR SfSTEW
NUNDER CO?U.E:JTIXG 4
FEASIBILITY
STATE OF THE ART
PROS - AGREED
CONS AGREED
POTENTIAL FOR IMPROVED
RESISTANCE TO SABOTAGE
IMPACTS ACCEPTABLE
YES -- NO --
REMARKS
0 1 Only piping needs to be up-
graded, not entire system.
1 1 Increases consequences of
potential sabotage event
since a high and not a low
pressure system would penr-
trate containment.
2 0 May be

CATEGORY: IV.l HARDENED CECAY HEAT REMOVAL SYSTEY (ALL STEAM
POWERED VERSION)
IWI4BCR CGV3I2iTI!X 8
FEASIBILI'TY 8 0
STATE OF THE ART
PROS - AGREED
CONS - AGREED
POTENTIAL FOR IMPRO'JED
RESISTANCE TO SABOTAGE
IMPACTS ACCEPTABLE
OTHER COMMENTS
-- YES NO - REMASKS
3 5 Steam reciprocating pumps not
on the market.
3 2 Steam driven vent fans not
believed available.
4 0 Bunker may become target of
sabotaqe.
Sabotuer - caused transient
would not leave NSSS in the
intact condition prerequisite
to use of ISSS.
3 lfigh Cost - ~20x10~
High Cost - 5 to ~ j0x10~
High costs for operation,
testing, maintenance.
Systen capacity limited in
time. Providing additional
systems is going in opposite
direction of solving problem.
Should minimize vital equip-
ment and develop basic plan
for protection of plant.
System should not have to be
nuclear class. (4)
Steam dr ivcn charging pump
and HVAC fans aq~ailab;e?
Should find alternate to ,lse
of gas bot.t.les for ccntrols.
(3) !Batteries and gasoline
dr i'jen air compressor were
S U ~ ~ C S ~ C ~ )
.

CATEGORY: lY.l HARDENED DECAY HEAT REXOVAL SYSTEM (ALL STEAM
POWERED VERSION)
NUMBER COIG4ENTI?!G 8
YES -- NO d
- REHARKS
OTHER COMMENTS (CON'T) Need for system to be single
failure proof is questionable.
(2)
Testing, maintenance, and
operating costs may be high-
especially if system is safety
related. (2)
System need not be designed
to cool down plant. Simply
remain at hot shutdown.
High pressure RHR shotild be
considered as alternative.
Manuai, rather than cnattended
automatic, operation preferred.
Actuation should only be from
within bunker, Zor in ln con-
trol room, actuation could be
defeated by sabotage of con-
trol room.
Some AC power for AC motor
operated isolation valves may
be necessary. Pressurizer
heaters needed after 15 to 30
hours.
Steam turbine driven ch~rging
pump may be alternative to
recip.
Galleries between control
room and bunker justifiable?
Is one hour available to
assess necd for system?
The PRO stating increased
prutectlon against fires not
believed valid in view of
present-day, Post-i3rowns Ferry,
fire protection designs.

Systt:m st~ou~d
rlnt bc rt,str ictcd
in use to enwrqenc:y only.
Should be uscd for normal
operation. (2) Shuultl h?
considered in context with
elimination of other syst.omS.

CATEGORY: 1'1.2 INDEPENDENT DIVERSE SCRAM SYSTEY
NUMBER CO~~~.V.IENTI?;G 4
FEAS I B I LIIY
STATE OF THE ART
PROS - AGREED
CONS - AGREED
POTENTIAL FOR IMPROVED
RESISTANCE TO SABOTAGE
IMPACTS ACCEPTABLE
- YES - NO
0 0
REMARKS
0 3 No potential for increased
resistance to sabotage.
0 4 Procedures should be developed
to accorupl ish this.
Reactor is already too easy
to trip.
Trip systems designed to fail
safe - why duplicate them?
Concept would increase number
of vulnerability points.

System Description
Independent Safe Shutdown Sysren ilSSS)

- Introduction -- -- - CESCRIPTION
Presented here is a brief description of a concept for the removal
of decay heat from a water cooled nuclear power reactor which has
as its principal goal improved resistance to attempted sabotage.
To the extent that this qoal can be realized by this concept, re-
sistance to other ~xternal events is also improved, such as resis-
tsncc to major fircs and explosions.
Interest in improved decay heat removal systems has been growing.
The NRC improved safety research program has identified this as
an initial project for improving the reliability of the decay
heat rmoval function (1). The Sandia/industry workshop on sabo-
tage protection for nuclear power p1aat.s specifically recommended
a study of a system similar to theone being described here (2).
It is standard Ccrman practice to provide hardened, redundant,
indepondcrlt, and automatic emerqency feedwater systems for thcir
reactor plants (31.
Several differvnc opt.ions may be considered for the design of the
1~:;s. T!:-w rel;jtc tc the dcqrees oi rorlundznc). prgvidcd and
the ph~losophy that uovcrnn decisions on dedication of emergency
. .
sytrm3. Po:;nil):r opt ions ':ncl~irle:
1. 100% redundancy of systmn with thc redundant systems
spatially rt?parated:

. ,
2. A sinqle system:
: 3. A single system but with redundant compme~its;
4. Redundancy greater than 100% 14-504 cr 3-10~1 systems);
5. Systems dedicated to' emergericy use on1 y;
' 6. Systems wnployed for normal plant startup and shutdown
as well as emergencies that would rcpiace existinq
systems for these purposes which are not designed for
the ultimate emerqencics that could be presented by
, . , ,,,. . . . .
attempted s~botage; and,.
7. Combinations of the above.
The option describrd here is For two, fully redundant, spatially
3eparated, hardenr:d, independent and dcd icated wnergency decay
heat. removal systems.
,,. ~

plant, the fewer will be the opportunities for potential sabotage.
What is believed to be unique about this concept is its use of
reactor decay energy as the s'o"rce of power for th& 'system. A
steam powered system is envisioned, the steam being generated
from feedwater by decay heat. Except the small electrical loads
(e.g., lighting and valve solenoids) supplied by storage batteries,
the entire system is steam dri-)en. It therefore does not utilize
large quantities of electrical power which normally are supplied
by diesel generators. The elimination of diesel engi!les is
believed to be an important sabotaye resistance feature since
many potential "targets" are thereby removed. Principal among
these is the loqistics of fael supply. Fuel nust necessarily be
supplied from off-site sources which are riot directly under the
control of the plant operators and which therefore represent a
potential sabotage vulnerability. Dlesel starting, cooling, fuel
transfer/injection, and lubrication systems and their associated
sab0taqe vulnerabilities are also eliminated. Furthermore, elaborate
clectric.31 dlstribut~on systems c11ar;lcteristic cf safety related
powcr ~appli~s JKC not. r~quir~d for lSSS cjpration. The re-
duction in thc numtcr of supporting systems and components such
as ttiezr: should :I] 50 rt:rluce the ccirr.plc:tit;/ of t11e overall system
and enhanr:~? ri:1 1;lb11 it\/.

I
period of 10 hours without operator attention assuming
the reactor coolant system is intacc*. Hot shutdown is
defined as reactor subcritical, control rods inserted,
with the reactor coolant system at or near no-load
conditions of pressure and tenperatllre.
The system is designed to permit the reduction of pres-
sure and temperature in the reactor coolant system to
the conditions permitting intitiation of normal RHR
cooling by local manual operaticn of the system.
. The system is maacally actuated either locally or re-
motely from the main control room. Actuation of the
syatcm c~uscs a trip of the reactor.
. The system provides for isolation of fluid lines con-
nected to the primary and secondary coolant sysccms as
necessary to prevent loss of fluid inventory.
. The system does not ilock actuation of or otherwise
interfere with the operation of plan: engineered safety
features.
*It is assumed that other mpanz arc utilized (for example the
protection affordd by reactor containment) to p:event trebch cf
the reactor caolant pressure boundary by sabotage.

.. .
. ,
. .
. The system does not rcplace nrher systems desiqned to
permlt plant cooldown under loss of normal AC power
conditions. ~ h o s.{stcm is not used as an auxiliary
system durinq normal plant startup and shutdown
operation.
. Energy consuming equipmcnt is deslgned to be powered by
steam qenrrated by reactor decay heat.
. At le2st two, fully redundant system; are provided.
Each redundant system is located within individual,
separated, and hardcned buildings or bunkers.
. The system 1s rcgarded as nuclear safety related and 1%
designed in accordancr with the applicable design
, ,
criteria, codrs, skandards, and guides. The system and
its enclosure meet nuclear seismic requirements.
S stem Operation Thc accompanying drawlnq, Indeprndcnt Safe
Y--
Shutdown System PbID, depicts the ISSS in the configuration
envisioned for a pressurized water reactor (PER). A system for o
boiling water rc'octor fl3WR) is discussed lat?r.
The system 1s shown in +he standby mode. This wo1:ld be the normal
st3t.c for the system. The reactor coolant systrm and :he secondary
some lower vaiu~s 01t p~essur+~ %3nd tcmpcrdture corrcspondiny to

the initial phase of shutdown cooling, before the intiation oC
RHR cooliny. In either case, the steam pipinq to the ISSS equip-
mcnt an? the equipment itself is in a warmed up anddrained con-
dition. Stcam generator secondary side pressure exists up to the
ISSS stop valve and steam dump valves. Orificed bypass flows
maintain the operating cylinders of these valves hot. Similarly,
a small bypass flow around the ISSS stop valve keeps the down-
strea,m piping hot. A pc~rtjon of this steam flow is also used to
maintain the temperature of the bnrated water storage tank (if
requirca).
Condensate whi,.'- is formed from the w,3rm up steam collects in the
condens~tc dr~in t~1.1,. From hcrc it is purn?.-, hack to the main
con dens at.^ and fcedwatl?r system. Floor drainaqe is collected in
a flour dr~ln ?jump from which it is pumped to thc liquid radwaste
systom.
The wstcr lcvcls in t.hc condensate drain tanks and floor drain
sumps are intentionally maintained low whcn the ISS system is in
the :;tanclt)y mc:dr: so that sufEicient volume is a'jailablc to collect
the anticipated drSlinaqca dur inq ISSS operat ion. This is because
n pumps and floor drain pumps do not operate
on.
hu:; (480 V AC) i: r i d
in each ISSS bunker.

standby mode. For example, the bus for ISSS train A would be
energized from thc A bus of the class IE 4KV pouer distribution
'. syst.em. Thc ISSS 480 V bus su~pl'ies power to the ISSS battery
charger, maintaining the ISSS batteries fully charged, and also
to thc condcneate drain pumps and floor d:ain sump pumps. The
power supplies to the ISSS 400 V busscs are tripped when the ISS
is actuated. Lighting loads and valvc solenoids are supplied
from thc ISSS battery.
Actuation of thc ISSS system is manual from either the main control
room or at a Ioc~l station in the ISSS bunkers. Manual actuation
has been selcctcd since it 1s intended that the ISSS only operate
in response to a sabotagc or other gross emergency. It is believed
that plant opcratorc can best make the judgement that such an
emerqcncy docs or does not exist. Relyinq on the sensing of
plant parameters such as voltage or flow to actuate the system
automatically is bol icved to bc undesirable since conditions
: othcr th~n snbotagc could cause actuation. The actuation logic
i ,
could bccome quite complex if it had to determine, from sevcral
paramctcrs, that a sabotage evcnt was in progrcso. Elimination
of plant paramctc!r sensing for aut.omatic actuation also reduccs
the numhcr of intcrlacc!s hctwcen :b,c ISSS arid the rcmaindcr of
the? plant an(i tb,cir .2:;:;aci~t1?d ::~bot;lqc vu1ncr;lCil icier,. Sufficient
i time (on the ord~?r oS one hour) is avail;lt?!e to 3s:iez.s thc need
, .
. for thr LSSS and to actuatc it manually.

Actuation of the ISSS results in the following:
. Reactor t.rip (with associated trips of turbine snd
generator) .
. Isolation of fluid lines connected to the redctor coolant
system and to the steak, gerlerators incl udinq main steam
and feedwatcr .Jalvc clo+:bre. Isolation is discussed
below under "System Intcrtaccs".
. Trip of electrical feed to ISSS 480V AC busses.
. Trip closure of normal a,tmosphcric dump ./alves on msin stem
lines tipstrea-~ of main sceam isolation valves.
. Alignnwnt of reactor coolar~t pump seAi leakoff to the ISSS
boratcd water storage tank. Tr~p cf reacror coolant
pumps.
. Opening of ISSS steam supply valve, admitting steam to feed-
watcr pump turbine and rcciprocat in9 charging pump.
. Admission of pilot steam to ISSS stealr, dump ,~alves.
The ISSS 1s thus put into operation. Fcedwater is dclivcred to
the stcam qcrterators from the fecdwatcr storage tank while sceam
from the :;team ycncrators is discharqeri to atmosphere throuyh thc
pilot operated ISSS steam.du:np valves. The atmosphcrlc dump
valves n~airltdin corlstarit prc-ssure in the steam gencrators ac
approkl~natcly the no-load prc?:isure. Thc roci;jrocating charging
pump:; nt~rr. snd d~?livr?r 3 wciaht percent bor ic acid solution to
thr! co~lan: sy::tcm. This mode cf o1wration continues, automati-

.. . '
!
Maintaining constant steam generator pressure and temperature
dnsures a nearly constant temperature in the reactor coolant
system also. Therefcre, there will be no .~olu~ne shrinkage of the
reactor coolant. It will be necessary however to return reactor
coolant pwnp seal leak-off to the reactor coolant system and to
provide makeup for leakage from the system. I: will also be
necessary to ccmpensate for condensation of steam in the pres-
surizer which, because of the difference in specific *~olu:nes of
, .
the steam and water, would result in a decrease in reaccor coolant
system pressure and loss of subcooling of the reactor coolant.
All these functions are provided for by the reciprocating charge
pumps.
Each reciproactinq charging pun? has a nominal capaclty cf 50
gp:n wh~ch should be adequate to return reactor coolant pump seal
leak-off !assuned to be 12 qpn total) and coclperlsate for minor
reactor coulant system leaka(3e. Estimates of pressurizer heat
loss also show that this capacity easily compensates for conden-
sation of steam in the precnurizer. (This effect is estir~~ated to
require about 2 ypm of injection flow but t.his should be verified
hy more accuratc analysis). The reciprocating charglng pump will
therefore m3:ntain reactor coolant system pressure and inventory.
pressurizer heaters will nvt be required. As discasreb belcw
undc~ "Components" the steam driven rec1pruca::ny charying pump
accompi ~sht?n these functions in an inherently sel

prcsurizer relief valves. Gradually, over an extended period of
time (much lonqer than the design period of unattended operation),
the pressurizer nay fill to the solid condition. Again however,
this would not result in system over-perssurc nor discharge of
cbolant from the pressurizer relief valves bec~use of the self-
regulating characteristic of the reciprocating charging pump.
After the design period of unattended operation, or at any point
durinq th~s period, the ISS system can be utilized to manually
cool and depressurize the reactor coolant systen. This is ac-
complished by reducing the set point pressure of the ISSS atmos-
ph'eric dump valves and con~equently reducing tt.e pressure and tern
perature in the secondary sides of the steam generators. This is
done slowly su th.:c the rate of injection o: borated water from
the borated water storaqc tank by the reciprocating cb,arging pumps
can keep pace with volume shrinkage in thc reactor coolant system.
The boric acid solution compensates for the reactivity effect of
red~~clnq the tmporaturcl of thc reactor coolant.
: Manual act~on mdy also be rrqulrrd to add water to tbe ISSS feed-
wa.ter 3tor~qr tank, r,~nce rxh tank is sized for the aesi.jn period
! of unattended opcr.3t ion (10 bourn) . A£ ter the cooldcwn pc.r lod,
operat ion ,,I thv ISSS may cnnr lnue 2t. rcddccd pressure and temper-
atclrp until HHR c(.ol in? 1s ini+~ati.d.

.
described in more detail below would provide for condensing the
steam exhausted by the system pumps and steam yencrators. This
option would have thc advantage of permitting longer periods of
independent ~prration through recovery of feedwater.
. Instrllrnentation is provided to permit local manual operation of
the ISS systr~m :,uticcq~~nt to the design period of unattended
oepration and to permit local monitorinq of the system at any
tine. Where required t.o assess the readiness of the ISS system
in its standhy morlc, instrumentation displays and alarms are
provided in t.hc main control room as indicated on the PhID.
During thc design pcciod of unattended operation of the ;SSS,
manual int.er./cntion farid control are possible from w~ thin the ISSS
: Svstcm L - . . - 1rit1.r . . . . Facc!r. . -- . - One of the more important inter face functions
j
I that must. hc performed by the ISSS is isolation of fluid leakage
paths connract?wl tr) the rcac?.or coolant system and to thc secondary
i d
I I t I I ~ For I a typical PWR, thcrc would in-
CVCS I,f l~l\.1.1111 ::t(.drn
M;I ~n I.'I~W.'I t c.r
!;:,- jm [;c,n,b~ ,itor ;,tn~.t:;i>ll~?f
i~ PC 1 1 ~ ~ 1 '

Some of these fluid lines arc pro-~ided with m*~ltiple check valves
inside corltalrlriwrlt which prevent 'leakage from :he reactor coolant
system. Tniz 1s considered sufficient irolati~n for these lines.
Other lices !c.g., effluent lines) are provided with energlzs-to-
open, fai I-close va1'1es inside coctainnent. F9r ssch li~es, the
ISSS should gro+Jide an additional solenoid vai.?e in the air supply
line to the valve oprrat~r in containment. his additional sole-
noid valve would be rlorma!ly energized from the ISSS battery.
Ac:uation of the ISSS would de-energize the soienoid and isolate
the lice. 'Pre poss:bility of hot shorts which cou!d re-er:f?ryize
the actuatlr~y solcnoid v~lve should be considered (4). Still
anocfie: C X ~ I I I [ J ~ dre ~ - t!ic reilcfor coo!ant punns no. 1 seal leak-ot f
llnes. As srlown on the P&ID, these llnes could be icolated in
cor:tolrlmerlt uy providiny D.C motor ~perated '~a!'~es which are closed
by irctuarlon of tnc 1:;SS. The mocccs would receive power from
the lSSS battery. Once closed, power to the rotors would be cut
off by thc torque sw~tch In the valve operator.
It is ilripor t3r1r Chat the
fluid lints be I~cacttc! w ithin curitalnment whenes.ler possible.
This provldcs protaction
valves which are relied upon to isolate
ayair.st tampering and possible sabotage.
A hardened penetration area should be provided to enclose the
main steam isolatlor, valves, feedwater isolati~r valves, and the
normal steam generator atmospheric relief -~aives. This is to
protect these valves against unaGthorlzed jccess and strenpted
sabotage. A signal from the ISSS act7~at:on logic trlps these
, .
D-158 . .

FROM NORbIAL
AC POWER
iHAQGER FLOOR DRAIN PUMPS
-1sss
TRIP
-

. ~ ,. : "
The turbine is driven by strag from the steam generators and
&xhausti to atmosphere. The ttJrbine control system is designed
to maintain pump dischar~je ,prrrssure st a fixed inc:enent above
steam generator pressure. Manual adjustnent of this differential
may be provided, but shcvld not be required during the design
period of uaattended operation.
The rate of feedwater addition t3 the steam generator is con-
trolled by flow control ./alves whlch respond to stean geoerator
Water level. Level sensing instrument tubing is brocght d~rectly
from the stcam generators to the ISSS bunker throu?? penetrations
which are enclosed by and communicate with the tunker. The level
sensinq lines terminate at mechanical-pneumatic le-el controllers
within the bunker. The level controllers provide a loading
pressure to the level control valves proportional to the steam
generator water level. The source fluid for the loading pressure
is stored nitrogen gas. Sufficient gas is provided for 10 hours
of unattended system operation. For operation beyond this period,
tht depleted gas bottles may be replaced or the level ccntrol
valves may bc operated manually in the bunker.
A recirculat.ion iine from the ISSS feedwater pump discharge to
the feedwater stor~5e tank is provided fcr protection of the punp
as wc:l ac a source of cooling water for rhc s6:al leak-off cooler.

viously discussed. The roast,: for selectin9 rhis type puzp is
. .
that it is inhcrsntly self-reaulating. 9y aporcpr:ate selection
of the ratio of ztoam niotr)c and liquld plonger d:ameter;, the
punp can a* d~zlqn-d to be incasat,le of increasing the pressure
of the reactor coolant system to the set point of the pressurizer
ADOWt-: operated relief va1.1r.:; while n~'~erthe!ess nainrc!inir,g
. . . ,.. .
sufficient pressurc on th.? reactor coolant to ensure it remains
Th:s a?plicntion for a stcam reciprocatinq charqizq pump has been
pany. Feazl hi 1 I ?v of mantlfacture has been conf irmcd, and pre-
1imrnc:y [lump characreristics have S~en determined as fol?ows:
~ype Steam dris/cn, rrcicrocating,
slmpiex, double xtin?, liquid
plunqrr pl:n;T
Steam c.{lindor diameter, in. 7.5
Lrqurd cyl~nder didmeter, in 5
Stroke, in. 12
M(>ct>anical eff icl-ncy (assumed), 2 e0 to 85
Vomin.11 capacity, 7prn 50
Stroking rate, scr minute 5 1
Steam cy1indc.r dcsiqn pressurp, psi3 1200
. .
Liquid cy li ndcl design pressure, pxig
AZME Section 111 Class 2 liquid end
ASME 5v:tlcn IiI Class 3 steam end
Arranclcmcnt - stea?i ~ n d 1 :q:rid ends
3000
mnur,?.cd hor I zontal !-; cn comcon haze.
Ca:e st:ou!d tnr taken in the deslcn of the rec:g:ocating charqing
pump to achieve the highest possihle m~chanicil efficiency. This
will ensure the maximtin znctint of subcool iZq of tnu reactor

. .
coolant pressure that can be ob'ained for a qiscc ztean generator
pressure io linitrd by the sot poir~t of the prrszurjzer relief
valve and this in turn dptcrmines thv ratio of stsax piston to
liquid plt~nqer diameter. This maximum pressure aay be reached
under stall condjtions of the pump where thc mechanical efficiency
is taken as 1001, but under kunninq conditions, thc reactor
coolant pressure will be reduced in proportion tc the mechanical
efficir:nc:i. However, it is desirable that the relctor coolant
prezsure be majntained as high as possible to ensare the qreatest
deqrec of shucoolinq and it is necessary, therefore, to obtain
1 hiqh mechanical efficiency in the design ~f the puxp. It is the
opinion of Union Pump Company that an actual ~ecbar?iciil efficiency
of 85% is achievable, but protot:/pe testinq to confir2 this
opinion would be required.
The followinq is a listing of operating parameters for the pump
that might be expected for a typical PWR assuminr; two different
values of mcchanical efficiency. Stail conditions are also qiq~en.
For the stall condition, it is further assamed that steam qenerator
pressure is at the value corresponding to the lowest safety valve
set point (acsumed to be 1C50 psig). For thc running conditions,
it is assumed that the ISSS atmoepheric dump valves arc limiting
the steam generator pressure to LO00 psiq.

Mechanical efficiency
Steam pressure, psig
RCS pressure, psi3
Steam generator temp, OF
*RCS averaqe temp, QF
*RCS hot leq temp, OF
RCS saturation temp, OF
RCS subcool ing, "F
Operating Stall
*These -~alues based on a RELAP analysis of an intact reactor
coolant system during decay heat removal by natural circulation.
The reactor coolant system pressure undcr stall conditions may be
slightly higher than typical power operated relief valve set
pressures, and may require that the relief val.re set pressure be
increased slightly.
Typical npnrating conditions after cooldown rnicjht bc as follows,
.assuming 85% mechanical efficiency (these values are estimates
'only, and should t ~c verified by analysis) :
RCS average temperature, OF 350,
RCS hot leg temperature, F 355
Steam generator temperature, OF 3.15
Steam generator pressure, psig 110
RCS pressure, psiq 2 1 G
RCS saturation temperature, OF 3 9 2
RCS subcooling, OF ? 7
The nominal capacity of the reciprocating charsing pump has been
chosen at 50 ypm. This should be adequate to naintain kCS in-
ventory. Typical Technical Specification limits on RCS lcaka~e
arc 1 gpm unidentified Ieakaqe, I gpm total Icaka(;c thraugh stean
generator tubes, and 10 gpm identified icabage. Thercfare, the
required delivery from thc reciprocating charginq punp during
conditions of constant temperature in thc redctor co~lant sycten
should not excecd 25 to 30 gpm, Sascd on the a ~s~~ption of 12 qpm
:;leak-off from the rnactor coolant puap w;l!z.

Feedwater Storaye Tank
Each feedwater stqraqe +.zn% ha; a cacacl-.~ of fron 150',000 to
200,.000 qallons which should be sufficie:~t to proviie at least 10
'hours of e-~aporative cooling without replenishment. The water
.+tored. in the tank w~uld be of fe&dwatcr quality. connections
are provided frvm the condezsate and feedwater system for the
filling and topp~ng off after sysrem testin?. Connections from
the condensate and fecdwarer s:fstem and the safety class service
water system are provided to ?ern:! contlnuatton cf cooling afte:
exhaustion of the stored supply. '??e feedwater storsge tanks are
located w ~th~n thc ISSS bunkers.
Borated Water Storage Tank
Each toratcd wa:er storsse tank bas teen sized at 30,OGO gallonz.
providlnq sufficient water for compensating for shrinkage of the
. .
,
reactor coolant system volume for 3 system cooldown to 350 OF.
. .
. .
c his capacity also provides for making up re3ctor coolant system
leakaq~ over the design period of unattended systen operation.
Four weight percent boric acid solution has been estimated to be
sufficient tc compensate for the reactivity effect of c3oling
down the RCS. Th~s should nc verifird.
Condcnsatc Drain Tank and P,Jmps
The cood~nsate drain tank collects condcns~te thc?t iz formed from
thc steam u sci fur ISSS warm-dp and heating purposes. The
., condcnzate drain pumps returc tb~is .dater to tne condezsate acd
feedwater zys:+:m during ::?-ten s:a:.,dL!;. Durinq syste~ c,peration,

dur~ncr I ! ! ! n l
n I n k
t : r
indicator 2nd

ISSS A:mosphcr1c D G T ~ Val.io?,
?'he functivn of thr: ISSS .?rrr.ospkrtr i c dump vir:.~os is :o maintain
steam genera*.tir prPr,r.ufc! JC. ~hr- 5c.t pint ./sl'~c d~irin.; the d~sinn
period of 3lrl.ar t.t.n?er! oprr;?ticn, #and to 21 low stc-;jn qrncrator
prbmwrr! to be rrduc:erl 41:c i no crmidqwn throtlnh rn~n11~1 ad j!lstrnent
of the s ~ polnt. t An presently conc?ivcd, the -~alves arc self
cont.ainod, piston operated, pilot pressure actustrd, nodulatiny
prrsstrrc control vslves which require no estc~rnal powcr for thcir
opec'atidn. A funct~onal reprenentation of the .~alvrs is shown on
the PbID. Whckn thr ISSS is act.uat4, s:carn q':nerator prrssure is
admitted to :he valve and J pilot pressurc is dr.vcloped which is
propor t ion.31 to stcam qc?ncracor prcssurr. Th? p! iot prcssurf
acts on on*, si valt~e operjtinq Giston. ~hr: pi'lot prcssure
plus prcssure undel cnc valvc disc opponc5 full steam generator
pressure ~ctirlg 1x1 thr. opposite side of the val*~c operatiny piston.
1 Eacn valve should br S ~ Z F :or ~ at 1ea:;t 50% of the tctal steam
dump f lc,w.

to hold steam qenprator pressure should :SSS operation be called
upon durinq this pcriod. Nocma1:y the va1.d~ sot point will be
approximately no-load steam qenerator pressure (typically abnu:
1000 priiq) .
Arran'yement. - The ISS system is di-:ided into two 100% redundant
trains, with r~o interconnections hctwecn trains. Each train of
ISSS cluipment is located in its own building or, preferably,
bunker. The two bunkers are physically separated from each
other. For a typical PWR, each ISSS train wculd take steam from
the lines of two steam generators within containment and return
feedwater to the fecdwater lines for these steam generators,
aqain withln containment. ISSS containment penetrations com-
municatc etchcr dircctly with thcir respecti.1~ bunker, or via
undcrgrouml q,illcries. S(:parate penetration areas are assumed
for the main steam and feedwater isolation valvcs. The ISSS
bunkers, qallerics, acd main stcam/fcedwater penetration areas
are hardened structures, resistant to attempted Forcible entry
and the cffects of ]+?sign basis natural phenomena, and are areas
for whlch accrss is riyidly controlled.
The ISSS bunkcls cocld he arrangcd iato two floors or levels.
The uppcr level wou!d co~~ain the boratcd watcr storage tank; the
ISSS battery and associated elcctrica! cquipnfnt such as battery
charger, clrcult hreakcrz, and rno:or controllers; and :he ISSS
control panel. Thc: lower l~vel , or pump !cvei , would contain tbe
feedwater pump, reciproca t lnq chorg lnq pump, condensate storage

A conceptudl arrdngement 1s st,~wn lo Flqurcs 2 and 3.
Special deslqn attentlon ehou;$ be 3iT1en to the protection of the
ISSS actsation control cables between the ISSS bunkers and the
main control room. It may also bc desirable, considering the
anti-sahotaqe mission for the system, to provide hardened and
protected qallerles between the control room and the ISSS bunkers
for personnel passage.
Ventllatlon of the ISSS bunker or bulldlnq has not been addressed
in depth at thls t~me. Forced alr ventllatlon c ~uld easily be
provided for normal, standby periods. However it would be desir-
able, in cons~derinq posslble eqaipment and building arrangements,
to provide for nstural -vcntilat.lon durlnq systcrn operation to
eliminate the nccd for electrically driven fans. Alternately,
forced ventilation could be provided durinq systpm operation by
small, stcam turblne driven blowers.
-
ISSS Svstcm for Boiling Water Rcxtor. One concept for decay
heat removal from a BWH in the hot shutdown condition utilizes
boillnq hcat transfer in a hoilcr/condcnscr ( $ 1 . Thls unit
condenses reactor ~;:cdm on one sldc ~f the heat tr~nsfer surface
whily cvapor~tlnq frcduce: on thc nthcr. Figa:c 1 is a simplifird
flow diaqram for thlr. ccr,cc>;~t of !bat: 1SSS. Two level control

KI
%VIP MGVT
SORATED
WA TER
:TORa ctE

systems would he employed in thc BWa; one to control water level
in the .reactor and the cther to control water ?e.lel in the
boiler/condenscr. Other concepts may be possible and should be
investiqatcd.
, ..
With thcse exceptions, the general functional requirements and
arranycmcnt of the BWR I5SS are similar to that for the PWR.
~
Air - C~oled - -- -- Condenser - - - - - - - -- for -- Steam. The use of air-cooled condensers
has been considered as a means of reducing the size of the feed-
water storaqe tank. Figure 5 is a graph of the plan area for
each unit. as J function of time after shutdown. In the case of
the tank, the size is based on a horizontal cylindrical tank with
sufficient volume to compensate for decay heat boiloff in the
steam generator plus a margin of 20,000 gallons. A ten-hour tank
is 150,000 gallons whereas a one-hour tank is 45,000 gallons.
The air condenser area is based on information supplied by CE -
Lummus and in representative of typical units. A variation of
- + 25% will result from v3rious tube configurations and spacing.
For purposcs here, the estimated size is suffic ient. Plan area
has been used as an indication of relative cost . For the same
area, a condenser systen total installed cost w ill be greater
than for 3 tank.
Because of the large quantities of steam required to drive blower?,
the CUKVP for exnau~t stcam is r,iore representative of the required
air condenser size.

i g r
5
using exhaust
5team
%'ater stcrage
tank (horizontal
cviindrical)

As long as the time for ISSS opcratlon is specifled in the 10 to
15 hour ranrje, tank ntoraqe of condensate appesrs to bc more
feasible than a~r-cooled condensers. Fl~rthermore a tank can be
more resistant to sabota~e bccagst 1) it is easier to protect by
enclosinq than a heat exchanger which must be exposed outside,
and 2) it is relatively passive and sinpic whereas a condenser
requires steam-driven blowers, ductinq, and controls which are
more vulnerable to zabotage.
Thus it is concluded that air-cooled condensers should only be
: considered further if specification of system operating tine
without out.side supply w ere to be extended significantiy beyond
a ten hol~r requirement.

I I t I I I I I I I : : I in Fluclc.dr
O W I : I I - 0 7 i J - 0 1 4 ) , 1977.

., !
4 I 3 1 2
-
. !
I,.
,.Y- .,.I' .*#.,'LI...
.,.I , .., . , ..
I
. . ... ~ -
#."".'.*. -1. .._.*a. ...
"3 ..,... r,:..... .... c . ..,,,-
I

NUCLEAR POWER PLANT DESIGN CONCEPTS
FOR SAROTAGE PROTECTION
VOLUME 11, APPENDIX E:
REACTOR PLANT SAFEGUARDS
Potential Sofcquards-Related System and Component
Design Changes and Damage Control Measures*
Jeffrey Mahn
with contributions from
Lewis Goldman
Thomas Kuhn
Peter Lobner
Science Applications, Inc.
La Jolla, California 92037
23 October 1979
.- -- -- F Volume 11, Appcnd ix E, contains work performcd under Sandia
Cont.ract No. 13-7341 for Sandin 1.ahoratories

Potential Safcguar

SECTION
I.
2.
3.
INTRODUCTION
GENERIC DKSIGN CHANGES
CONTENTS
2.1 AC Power System Swing-Load Capability
2.2 Switchgear and MCC Enclosure Internal Circuit
Breaker Trlp Capability
2.3 Vital Electrical Area Revised Cooling Arrangements
2.4 Mu1 tiple Unit Vital AC Cross-Connections
2.5 Diesel Engine Revised Cooling Arrangements
2.6 Increased Protected Diesel Fuel Oil Supply
2.7 Revised Diesel Building Layout
2.8 Increased Vital Battery Capacity
2.9 DC Load Shedding Capability
2.10 Class IE DC Division Cross-Connections
2.11 Extended DC Power Generation Capability During
Station Blackout
2.12 Consolidation of Safety-Related Inrtrunentation Trans-
mitters
2.13 Additional Local-Remote Indicators
2.14 Rearrangement of Instrumentation Cabinet Panel-Front
Devices
2.15 Small-Diameter Piping Modifications
2.16 Canponent Passive Lubrication
2.17 Modular Con~ponents
2.18 Canponent Cooling Modifications
2.19 Vital Area Emergency Cooling Modifications
PMR OEiIGN CHANGES
3.1 Class IE Auxiliary Steam Turbi:le-Generator
3.2 Class IE Pressurizer Heater Power
3.3 Additional Pressurizer Insulation
3.4 Reactor Vessel Water Level Instrumentation
- PAGE
E -9
E-27
E-27

SECTION
3.5 Reactor Vessel Head Vent
CONTENTS (Continued)
3.6 Reactor Coolant Pump Seal Controlled Leak-Off Is01 a-
tion Valve Actuator
3.7 Para1 l el Auxil iary Spray Valves
3.8 Automatic Auxiliary Feedwater System Actuation
3.9 I nrreascd Emergency Ferdwater Supply
3.10 AFWS Hotor-Driven Pump Swing-Load Capability
3.11 Additional Local AFWS Instrunentation
3.12 DC Powered AFU Turbine/Pump Auxil iaries
3.13 Elimination of AFU Turbine Punp Room Steam Leakage
3.14 Relocation of Turbine-Sriven AFW Subsysiem Local
Instrumentation and Controls
3.15 AFW Turbine Pump Roan Ventilation System Modification
3.16 lncreascd ECCS Safety Injection Tank Pressure
3.17 Reduced LOCA Potential in PWR Residual Heat Removal
System
BWR DESIGN CHANCES
4.1 8WR Passive Residual tleat Removal System
DAMACE CONTROL ACT!'!lTIES
5.1 LYH Cencrlc Dnm,u,t Contrr?l
5.2 PUR Ddmagc Contro: '
RtFLRENCES
ADDt NLUW-I VAilrB7 !bl!l AND SUMWRY OF 'XSICN STUDY XCtINlCAL
SUPPORT CHWP CuWth' ;
- PAGE
E-76

- TABLE
1.1
FIGURE
2-1
2-2
AC Power System
TABLES
Standby Diesel Generator and Auxilfarles
OC Power System
Sdfety-Related Instrumentation
Grneral Fluid and Mechanical Systems
Vital Area Emergency Cooling Systems
PWR AC Power System
PWR Reactor Coolant System
PWR Auxiliary Feedwater System
Emerge~cy Core Cooling System
PWR Residual Heat Removal System
BUR Residual Heat Removal System
LWR Damage Control Activities
Safety-Related DC Loads Supplied by Class 1E DC System
(Typical for One Channel)
ILLUSTRATIONS
AC Power System Design Change. Swing Loads
Dlesel Cooling and Lubrication System with External
Cooling Water Loop
Diesel Cooling and Lubrication System with Forced-
Draft Radiator Cooling
Alternative Safeguards Emergency DC Power Supplies
Typical Safety System Cabinet and Equipnent Arrangement
Horizontal Motor Sleeve Bearing and Oil Ring System
Physical Arrangement of a Typical Small Hyoraulically
Operated Valve with a Linear Self-contained Hydraulic Actuator
Localized Cool ing Arrangeme~t for Large Pumps and Motors
Local Cooling Supplied by Pump Discharge Fluid
External Arrangement of a Typical Draw-Through Fan Looler Unit
Simp1 i fird Schematic of a Typical Fan Coil Cooling Unit
- PAGE
E-12
E-13
E-14
E-'15
E-16
E-17
E-18
E-19
E-20
E-22
E-23
E-24
E-26

FIGURE
2-12
: 2-13
5,:
. .. . 2-14
..
:.: 3-1
, .
; 3-2
3-3
ILLUSTRATIONS (Continued)
Emergency Roan or Area Ventilation/Cooling Arrangement
Emergency Roan or Area Ventilation/Cooling Arrangement
Emergency Roan or Area Ventilation/Cool ing Arrangement
Reactor Vessel Head Vent Concept
Para1 l el . Redundant Auxiliary Spray Valves
Steam Generator Feedwater Requirements to Achieve and Maintain
Hot Shutdown Following a Loss of Nonnal (Offsite) AC Power
Isolation Condenser - Piping'Diagram
- PAGE
E-65
E-66
E-68
E-78
E-81

I
I
I
I
I
!
CHAPTER 1
INTRODUCTION
Among the methods being considered by the NRC for improving the physical
safeguards for nuclcar power plants are the use of design changes and/or damage
control activities to reduce the potential vulnerability of the plant to sabotage.
A program has been established at Sandia Laboratories to identify potential
safeguards design changes and damage control options and to estimate their value
and impact. This program has included participation by representatives of the
nuclear utility industry, architect-engineering companies, and nuclear steam supply
system vendors. As a contribution to this program. this report presents potential
design changes and damage control activities that were identified during, or were
' based on experience from. DOE-funded Sandia light water reactor safeguards
programs. Some of these design c'hanges and damage control activities were reported
I to Sandia in previous Science Applications. Inc. (SAI) reports.
The identified design changes have been categorized as being LWR generic.
or PWR- or B'rlR-specific. These changes are briefly sumnarized by system in the
following tables:
LW. Generic Systems
AC Power
Standby Diesel Generator
and Auxiliaries
DC Power
Safety-Related Instrumentation
General Fluid and Mechanical
Systems
Vital Area hergency Cooling
Systems
Tabie Number

P;IR Systems
AC Power 1.7
Reactor Coolant System 1.8
Auxlllary Feedwater System 1.9
Emergency Core Cooling System 1.10
Resl dual Heat Removal System 1.11
BUR Systems
Resl dual Heat Removal System 1.12
. Included in these tables is an indlcation of potential areas of Impact resul tlng
from each deslgn chan~e. Specf fic fmpacts are discussed, where approprlate, in
later sections of the report. Individual deslgn changes may be slte-speciflc.
Any glven change may be appllcable to some plants and non-appllcable to others,
dependlng upon the speclflc plant characterlstlcs. These characterlstlcs are a
functlon of such ltems as plant site location, NSSS design, and BOP design. Some
of the dlfferences in NSSS deslgn have been discussed in References 3 and 4. In
addl tlon, some pera at fig plants, as well as some under constructlon, presently
lnclude features suggested by the various deslgn changes. Many of the ldentlfied
deslgn changes may increase the complexlty of plant systems or components.
Additional complexlty is, in general, a dlsadvantage of such changes. In the
flnal analysls, such conslderatlons must be taken into account in wefghlng the
benefits of enhanced safeguardablllty.
It should be noted that the feaslbllity of the identifled design
changes has not been fully lnvestlgated. It is assumed that each deslgn change
ls achievable el ther in a new plant design or as a backflt-type modification.
Whether thls 1s indeed true requires further investfgatlon. In addition, further
investigation may be requiied in order to determine whether a particular change
wlll be perml tted under existing industry codes and regulations. The safety
implfcations of each change should also be investigated.
The ldentlf led damage control activf ttes are briefly sumnarized in
Table 1.13 along wlth their plant applfcabllity (i.e., llenerfc, PWR, or BidR), an
estfmate of the tlme available for lmplementatlon, typical equlpment
requirements, and an estimate of the required manpower. The actual applfcabllity
of these activities 1s also dependent upon the speclflc plant characterfstlcs.

Some of the design changes and damage control activities listed in the
tables were identified during the performance of work under Sandia contract SLA
07-9866. Such table entries have been appropr 1 ately footnoted.

DESIGN CHANGE
Table 1.1. AC Power System
(1) .
Provide swing-load capability for a1 1 vi tal
6900, 4160, and 480 VAC safeguards loads
Utilize vital switchgear and MCC enclosures
which require access to enclosure interior
for circuit breaker local trip capability(2)
Minimize dependence on external cooling water
loops for ESF switchgear and other vital electri-
cal area ventilation systems(2)
Provide unit vttal AC power cross-connection
for multiple unit plants
-
- 0
u
C-
a L
LL 6)
u U
C C C
-0 a
.r C
ale, 0
mmu
C L C
a 01%-
20"s

(1 1
Table 1.2. Standby Diesel Generator and Auxiliaries .
DESIGN CHANGE
Utilize forced draft radiators for diesel en-
gine cooling in lieu of diesel c oling via
external cooling water systems(2 7
Increase capacity of fuel oil day tank (2)
Provide a cro connection between unit fuel
oil day tanks t %
Locate fuel oil storage tanks and tra sfer
punips within a vital area enclosure( 27
Revise diesel room layout to provide an area
for control equipment and other temperature-
sensitive equipment which does not s
ventilation with the diesel engine(2
I
m
a L
mal
c a
m 0
c
U L
0
7
m- u
e m +
ceu
fi z3
t'z m
U c
- .r
C c-
e
H
t
t
t
t
- 0
- C
e
C
m L
n. al
u u
c c C
-om
ale w
mme
ELC
m w-.-
522

DESIGN CHANGE
Increase battery capacity (2)
Table 1.3. DC Power System (1) .
Provide capability for redundant instrumentation
load shedding in DC power system
Provide capabi 1 i ty for cross-connecting normally
separa e and independent divisions of DC power
system 121
Provide two independent diesel or steam turbine
generators for DC power generation and/or
battery charginq during an extended loss of all
AC power
-
u
C
m L
0
- 0
0 U
,a u
- m
C
C C C
weal
m m u
CLC
m 0,'-
5 39
Y
n
N
N

(1 1
Table 1.4. Safety-Related Instrumentation .
DESIGN CHANGE
Provide conmn locations for field-mounted
transmitters located in the same general
plant area(2)
Provide additional local-remote indicators to
vital area access by operating personnel
minimif%
Provide safety instrumentation cabinets which
mke maximum use of panel front test jacks and
minim m use of panel front calibration con-
troisY2)
Q
a I
cnw
c a
"Jo
,z
0 L
0
-
a#- m
er mer
c c) m
E' 'L3
- .r
w m
L U ~
U c
C C..-
+.
er
C - 0
Q I
a a
U) U
C C C
.r 0 *)
.r C
a- w
mm.J
CLC
m w-
582
N
N
N

I
I Replace
I
I
(1)
Table 1.5. General Fluid and Mechanical Systems .
DESIGN CHANGE
threaded or bolted snall-diameter ser-
vice.pip{;y connections with all-welded con-
nectlons
Use higher schedule, hardened piping
diameter service and instrument lines
bxitnize use of nodular compocents (2)
Provide locallzed cooling water arrangements
for large-size vital pumps and motors
Utilize ring-oiling wherever possible for
lubrication of vital pumps. turbines, etc.

I DESIGN CHANGE
Table 1.6. Vital Area Emergency Cooling Systems (1) .
Reduce dependence of vital area fan cooling
units on other active cooling systems to com-
plete the h at rejection path to the ultimate
heat sink(2 e
- 0
- 0 - C
e
C
m L
0 w
"I U
C C C
m
ale w
mmc)
C L C
mu-
50"5
N

Table 1.7. PWA AC Power Syst
DESIGN CHANGE
Provide a Class 1E 480 VAC standby auxiliary
steam-turbine generator

Table 1.8. FUR Reactor Coolant System
(1 1 .
DESIGN CHANGE
Pmer a sufficient number of pressurizer heaters
from Class IE busses to ensure RCS press r control
following a loss of normal AC pcwer ! 27
Provide capability to remotely vent the reactor
vessel head space
Provide more pressurizer insulation
Provide DC motor actuators for reactor coolant
pump seal leak-off isolation valves
Provide para1 lel and independent valves in pres-
surizer auxiliary spray line frorn reactor cool-
ant makeup system to pressurizer
Provide reactor vessel inst [yyntation to deter-
mine the vessel water level

I
I
I
I
Table 1.9. PWR Auxtttary Feedwater System (1) . -
DESIGN CHANGE
Expand protected on-sfte condensate water stor-
age capacity by:
1) provi i g redundant condensate storage
tanksf2Y. or
2) providing AFW cross-connection etween
unfts for multiple unit plants T 2 ?
Provtde swing-load capabilt ty for motor-driven
AFW pump
Provide DC motor drivers in cases where motor-
drfven lube oil pumps are uttllzed for turbine
and/or pump lubrt ca tion

Table 1.9. PWRAuxiliary Feedwater System(Continued)
(1) .
DESIGN CHANGE
Provide an expanded set of local meters to
permit local manual control of the AFWS folloss
of all AC and DC electrical
power lowi n?2j
Provide DC rotor-driven or steam turbine-driven
fans for turbine-driven pump room ventilation
Pipe gland seal leakage out of turbine-driven
A N pump room
Remove temperature sensitive instrumentation
and controls from turbine-driven AFW pump room

i
Tahle 1.10. Emergency Core Cooling System (1 1 .
DESIGN CHANGE
Increase safety injection tank pressure so
that it my be utilized as an emergency makeup
wing an extended loss of all AC
pow s0urc'T2P r

1 DESIGN CHANGE
Table 1.11. PWR Residual Heat Remval System (1) .
Provide pressure relief valve or pressure re-
ducing device in RHR suction line inside con-
tainment
Relocate RHR system inside containment
I
m
W L
mw
C a
m o
x
v L
0
7
m- LI)
e m u
c u m
8 zs
?!9 rn
U c
C c-
-.-C1
t
t
u
C
- 0
m 6
a 0,
.- C
LI) U
C C C
7- 0 m
weal
mmc,
C L C
m w.-
5oaz
-
N
Y

1.. DESIGN CHANGE
Table 1.12.BWRResidual Heat Removal System (1 1 .
Provide a backup RHR system which can operate
under full reactor pressure and does not require
AC power for operation

(1) Legend:
+ Increase
H Minor
Y Yes
N No
NOTES. Tables 1.1 - 1.12
R Requires further investigation
(2) This change was identified by SAI as a result of work performed
under Sandia contract SLA 07-9856.

DAMAGE CONTROL
ACTIVITY
Jrovide a source of diesel
fuel oil makeup before day
tank ts exhausted (FO
transfer pumps disabled).
Jrovfde makeshift mom
tentilation for ESF
rwitchgear and other elec-
trical equipment areas.
Shed DC loads to prolong
lattery life.
Establish local control
3f auxiliary feedwater
system (AF5rS).
Control AFUS cooldown of
reactor coolant system.
Provide a source of con-
densate water makeup
before condensate storage
tank is exhausted.
Decide upon proper stra-
tegy for RCS heatup/
cooldown and makeup
following f?rmation of
a steam bubble in reactor
vessel head.
Table 1.13. LUR Damage Control Activities.
LANT
PPLICA-
ILITY
Generic
Generic
Generic
PUR
PdR
PWR
PWR
STIMATED
TIME
VAILABLE
1-4 hrs.
%39 min.
15- 4 hr.
14-4 hr.
-30 min.
~7 hrs.
N A
YPICAL EQUIP-
ENT REQUIRE-
ENTS
Spare pump
parts, por-
table pump.
hoses .
Portable
fans, ex-
tension
cords
Jumper wires.
fuse pullers
Local instru-
mentation.
emroency
lighting and
conmunicatior
Not Applica-
bl e
Portable puml
and fuel
supply, hose!
LSTIMATED
MANPOWER
:QUI REMENTS
3-4
1 per
area
2
2-3
1
3-4
NA

CHAPTER 2
GENERIC DESIGN CHANGES
2.1 AC POWER SYSTEM SUING-LOAD CAPABILITY. CATEGORY I I I
2.1.1 Concept
Thts concept tnvolves dest gntng all vttal 6900, 4160, and 480 VAC
safeguar ds loads as swtng-loads with the capabilfty of being a1 igned to el ther a
gnormal' or an alternate dtesel generator (see Figure 2-11.
2.1.2 Source
Thts concept was identified by SAI as a means for increasing the
dlfficulty of sabotaging the power supply for electrically-po~ered components.
2.1.3 Advantages
The counter-sabotage advantage of thts concept ts that it increases the
redundancy of pol tions of the onst te electric pwer generation and distr tbution
system assoctated with a speciffc safeguards load. A sabotaged diesel generator
or its associated distrtbutton system can thus be bypassed and an alternate power
I'
supply made avatlablo to such loads. The nunber of individual actions required
to complete a sabotage sequence which affects the pwer supply to a parttcular
Class 1E bus is, therefore, increased.
2.1.4 Dtsadvantages
No dtsadvantages have been tdentified for this concept,.

Figure 2-1. AC Power System Design Change, Swing Loads.

2.1.5 Oiscussion
Nuclear power plant safety systems are designed for a minimum of 1001
electrical redundancy. Thus, all emergency electrical loads receive power from
two or more independent and redundant AC power trains. This is sufficient to
ensure safety system availability following an initiating event with a single
random failure (e.g., failure of one emergency diesel to start on demand following
a loss of normal AC power). However, in the case of deliberate sabotage. it may
be possible to disable the appropriate combination of components to negate a
specific safety function. Assuning the unavailability of normal (offsite) AC
power. this can be accomplished by disabling one diesel generator and the
appropriate component(s) in the other power train. A diesel generator is
particularly vulnerable to sabotage due to the relatively large number of single
events which can disable this component as a power source. lt is, therefore.
suggested that consideration be given to providing all vital 6900. 4160. and 480
VAC safeguards loads with swing-load capability. This will allow vital loads to
be aligned to a Class 1E bus thich receives power from an operable diesel
generator following sabotage of the diesel which is normally the standby power
source for these loads. Such switching capdbiiity is already available in nuclear
power plants with third-of-a-kind loads. Ilowever, since third-of-a-kind loads are
a special case, design provisions mst be made here to ensure that separation
requirements for Class 1E electrical systems are not compromised. In addition.
special operating procedures or design features may need to be developed to
provide for load-shedding prior to reloading vital safeguards loads on an
alternate diesel generator. This change is suitable for incorporation into new
plant designs. but is likely to be difficult to acconplish as a backfit
modification due to the physical separation of power train equipment in the plant.
The swl tching devlces may require additional safeguards protection.

2.2 SWITCHGEAR AN0 K
CATEGORY I I1
C ENCLOSURE INTERNAL CIRCUIT SREAKER TRIP CAPABILITY,
2.2.1. Concept
This concept involves the utilization of vital swltchgear and motor
Control center (KC) enclosures designed to require access to the enclosure
InWrior for circui t breaker local trlp capabll i ty.
2.2.2 Source
This concept was identffied by SAI as a result of work performed
Srndia contract SLA 07-9866.
~nder
2.2.3 Advantages
The advantage to requiring access to the enclosure interior for local
trfp operation is that the enclosure can be instrumented and used to provide both
detection and delay capability in preventing circuit breaker mismani~ulation.
Disadvantages
No disadvantages have been identified for this concept.
2.2.5 Oiscussion
Mdfran-vol tage. metal -clad sw-i tchgear and motor control centers (!KC)
are pmv 'idd with a manual control switch mounted on the front panel which can be
utflized to trip open the powr circuft breaker located inside the enclosure.
This action removes power from all egulpment which is normally suoplied with AC
power (except 120 VAC) from the uni t. Stnce i t would be df fficul t to provide
appropriate safeguards protection for sach a device without the aid of a separate
enclosure, it is suggested that. wherever posstble, the trip function capabtl i ty
be removed from the panel front and relocated within the Switchgear or K C
~nelosure. Such enclosure arran&ments my be readily available and already in
use in some plants. This design concept is applicable both as a new plant design
E-30

change and as a backflt nodiflcatlon to operating plants. The addftlonal capital
cost Involved 411 be ai nor.
2.3 VITAL ELEtTRICM AREA REVISED COOLING ARRANGEMENTS, CATEGORY I1 I
2.3.1 Concept
This concept tnvolves rintn{zfng the dependence on actlve, external
cool tng loops for vltal swltchgear and other vltal electrical area room coollng
systems.
2.3.2 Source
This concept was identified by SAI as a result of work performed under
Sandia contract SLA 07-9866.
2.3.3 Advantages
The advantage of this concept Is the reduced vulnerability of these
room coollng systems to acts of sabotage perfonaed against external coollng water
service systems. In addition. there may be a resulting reductfon in the number
of target locations in which room cooling system sabotage can be accomplished.
2.3.4 Dl sadvantages
The minlmlzation of'external cooling system dependence for room coollng
capabil fty may require addl tlonal equipment
requf rements.
and. thus. addl tlonal mi ntenance
2.3.5 Discussion
Vital electrical equipment areas are provlded with both normal and
mrgency ventilation coollng units for the removal of heat generated by
operttlng equipment. Design changes identified for these fan cooler units (FC'J)

are discussed in mre detail in a later section (see Section 2.19). Electrical
area cooling is typically accompli shed by reclrcul ating room air over a coil
'through wh!ch cooling water is circulated. For EY switchgear area cooling.
chilled watcr is generally circulated through the coil. The chilled water
system, l tself. rqulres the operation of one or more cooling loops to conpletc
the heat transfer path to the ultimate heat sink. Sabotage of any of these
auxll fary cooling loops can result in the inabil i ty to adequately cool a vital
ehctrical area. Sabotage of these cool lng loops can general1 y be accoml {shed
In areas that are remote from the vital electrical area. It ls suggested that
vltal electrical areas be provided with rooa cooling system which have reduced
depenhence on external cool ing water loops. The potential design a1 ternatives
and their implications are discussed further in Section 2.19. as mentioned above.
A1 though this concept can be readily incorporated into new plant designs, it is
probably unsuitable as a backfi t m di fication.
2.4 MULTIPLE UNIT VITAL AC CROSS-CONNECTIONS, CATEGORY I11
2.4.1 Concept
This concept involves provldl ng uni t v ital AC power cross-connections
for mu1 tiple unit plants.
2.4.2 Source
This concept was identifled by SA1 as a means for increasing the
dl f f lcul ty of sabotaging the power supply for el ectricall y-powered components.
2.4.3 Advantages
The counter-sabotage advantage of this concept is that it requires that
damage be inflicted upon two (or more) unit Class 1E AC power systems in order to
disable the safety functions of either unl t. individual1 y.

2.4.4 -. Disadvantages
No disadvantages have been identified for this concept.
2.4.5 Dixussf on
Nuclear power plants, typfcally. are designed with the following
alternative power sources for operation of the various plant safety systems:
Preferredoffsite feeder
r A1 ternate offsite feeder
r Redundant standby diesel generators
These sources are considered to be sufficient to mitigate all credible plant
occurrences not resulting from acts of sabotage. Ho~ver. since these sources
are particularly vulnerable to acts of sabotage, it is suggested that a vital AC
power cmss-connection be provided between units at a multiple unit plant site.
Thls cmss-connection could be implemented by installing clrcul ts wI th redundant
circuit breakers to permit energizing a Class 1E 6900 VAC or 4160 VAC bus in one
unit froa a corresponding bus in another unit at a mlti-unit site. This type of
cmss-connection already exists in sme operating plants. In such cases,
redundant circuit breakers are typically racked-out to ensure the independence of
the units during normal operation. A cmss-connection of this type increases the
redundancy in portions of the Class 1E power systm. thereby canplicatlng systm
sabotage. Thls concept is appl icable as a backfl t aodlflcation to operating
plants as well as to new plant designs. The capital costs Include the switching
devlce(s) and appropriate safeguards.

2.5 UICSEL ft4CINE REV:SED COOLING t&RANGEttEIiT. CATEG3RY I1 I
, .
2.5.1 Concept
, ,
, .~
This concept involves the utilization of a forced-draft rddidtor in the
. .
diqel , , building for diesel engine cooling in lieu of engine coolipg via external
cooling water systems.
2.5.2 Source
This concept was identified by SAI as a result of work pcrfomcd under
Sandia contract SLA 07-8666.
2.5.3 Advantages
The advantage of this concept is the elin~ination of the vulnerability of
tb? diesel engine cooling systcm to acts of sabotage performed on the service
rtater cooling system outside of the diesrl building.
2.5.4 Disadvantages
Ilo disadvantages h~ve ken identified for this concept.
2.5.5 Discussion
Many standby emergency diesels are cooled via an arrangement of internal
and external cooling water loops and heat exchanger as shown in Figure 2-2. This
arranqemnt. due to the external active cool Ing wJtcr loop. nldkes the diesel
vultlerable to acts of sabotage performed on the service water systcm outside of
the diesel building. In order to minimize the nmber of potcrtldl Sabotdye target
arras for the diesels it is suggested that external coollr~g water systcms be
eliminate3 in favor of a forrrd-drdft radiator for ultlnidte dlescl hcat rejection.
as shown in Figure 2-3. Tlrls type of diesel cooling systmm is p:csenrly in use at
several nuclear powc~. plants. The radiator can t)e provided with' a mlssllc bdrrier
similar to that which ir.ight be provided for sateguards protection of Intake or
exhaust fans. This concept requires, in esrcnrc!. the rrpldccment of a hed:

" I . / ) I I
I
I
I
I
I
I
I
I
I
I
I
I
Flgure 2-2. Diesel Cooling and Lubrication System with External Cooling
rater Loop (Qcf. 1 ).
c- 35

Figure 2-3. Diesel Cooling and Lubrication System with Forced-Draft
Radiator Cooling (Ref. 3).

exchanger with a radiator and fan. Although this concept can be readily
incorporated into new plant designs, it is probably not suitable as a backfit
modification due to the impact on diesel building structure and the
re-optimization which would be required for both diesel engine and plant service
water cooling,systems.
2.6 IlU?EASED PROTECTED DIESEL FUEL OIL SUPPLY. CATEGORY 111
2.6.1 Concept
This concept involves providing an increased, protected supply of diesel
fuel oil for extended cinergency diesel operation by 1) increasing the day tank
capacity, 2) providing a cross-connection between diesel day tanks, or 3) locating
the main fuel oil storage tanks and transfer pumps withln a vital area enclosure.
2.6.2 Source
This concept was identified by SAI as a result of work performed under
Sandia contract SLA 07-9866.
2.6.3 Advantages
Safeguarding an adequate supply of diesel fuel oil for extended diesel
operation is necessary for ensuring the capability for placing and maintaining the
plant in a safe shutdown condition for an extended period of time and provides
time for normal AC power restoration.
2.6.4 Disadvantages
Cross-ronnecting fuel oil day tanks may require special design
considerations to ensure adequate separation between redundant diesel generator
systems.
required.
A larger diesel building or separate fuel oil storage building may be

2.6.5 Discussion
An emergency diesel generator fuel oil day tank generally contains
Sufficient fuel oil for 1-4 hours of continuous diesel operation. While the mafn
fuel of1 storage tanks contain sufficlent fuel for seven days of diesel
operation, these tanks and the associated fuel transfer pumps are generally
located underground in the plant yard. The day tank is located within the diesel
generator building and is, therefore, afforded the protection of the building
vltal area safeguards. The location of the main fuel oil storage tanks and
pmps, however, 1 eaves these components particul arl y vulnerable to acts of
sabotage.
The vulnerability of the long-ten fuel oil supply can be minimized by
any of the following means:
1. Increase day tank capacity
2. Provide a cross-connection between unit day tanks
3. Locate main storage tanks and transfer pumps within a vital area
enclosure
For new plant construction the above concepts do not present any particular
problems. a1 though the first and third modifications may represent a slgni flcant
Increase in construction costs. These two items w i l l have a significant impact
on operating plants, however. In the case of the first modiffcatlon, there is
probably insufficient space vi thin the diesel generator building to slgnlficantly
Increase the size of an existing day tank. Thus. enlargement of the diesel
building or the addition of a appended structure would be required. The third
modiffcation will require the construction of a vital area barrier for sabotage
protection of the underground tanks and pumps. Such a barrier might be
constructed below ground, above ground, or both. The second modfflcation for
operating plants involves the addi tion of piping and one or more locked closed
manual isolation valves. This design concept w i l l have minimal impact on
ex1 sting plant facil f ties. The third desf gn concept ensures the avail abil i ty of
a long-term (?-day) fuel oil supply. The first two concepts represent an
increase in diesel operating capabili ty of on1 y a few hours.

. . .
. .
~,.
, .
. :
2.7. REVISED DIESEL BUILDING LAYOUT. CATEGORY 111
2.7.1 Concept
This concept involves revlslng the laput of the dfesel generator room
to provlde an area for control equipment and other temperature-sensltlve
equipment. which does not share room ventflation 4th the dfesel englne.
2.7.2 - Source
This concept was ldentlfled by SAI as a result of work performed under
Sandla contract SLA 07-9866.
2.7.3 Advantages
The advantage of thls concept results from the reduction or the
elfmfnation of the dependence of long-term dlesel availablllty on the performance
of the room ventilation system. It. thus, el lminates one potentlal sabotage mode
for the dlesel generator.
2.7.4 Dl sadvantages
No disadvantages have been identtfied for thls concept.
2.7.5 Discussion
A dfesel generator unft typically is equipped with a dfesel englne
gauge panel. relay boxes, and a generator exciter. control. and annuncfator
panel. The relay boxes contaln devlces and circuits for controllfng the dlesel
generator unit. The diesel englne gauge panel and relay boxes may be mounted on
a comnon skid wl th the englne in some unl ts. The gauge panel forms the central
location for the display of the fmportant parameters monl tored on the engfne
unit. The panel may also htuse some of the pressure switches used in the central
and monftoring circufts. NEMA 12 watertight boxes are typically furnished at
vari ,us locations on the engfne skid to provide housing for terminals and/or
devices for the control of the engfne generator set and Its required auxiliary

equipnent. !%tor. controllers and disconnects are provided for each of the
motor-driven pumps, heater units, etc.. as required. A central relay box is
generally provided rhich houses all of the relays and other devices that control
the Start-up and shut-down sequencing for the engine generator set. The generator
control panel typically includes a static exciter voltage regulator unit, an
annunciator unit, and various generator controls utilizing transformers, reactors,
semiconductors. resistors. and capacitors.
If area ventilation/cooling is unavailable during an extended period of
diesel operation. heat rejection from the diesel to the room interior under such
conditions will result in a rapid increase in mom ambient temperature to a level
which could adversely affect the reliaole operation of the above controls and
fnstrumentation. Isolating this equipent from diesel room ambient temperature
conditions will extend the period of time during which this equipncnt will remain
operable following a loss of diesel room ventilation.
This concept can be readily incorporated into new plant designs. Room
layout restrictions. however, may make the concept unsuitable as a backfit
modification at operating plants.
2.8 INCREASED VITAL BATTERY CAPACITY. CATEGORY I11
2.8.1 Concept
This concept involves .increasing the capacity of thc Class 1E station
batteries by the addition of more battery cells.
2.8.2 Source
This concept was identified by SAI ai a result of work performed under
Sandfa cmtract SLA 07-9866.

2.8.3 Advantages
The advantage of thfs concept 1s tn the Increased capabttlty to
malntaln a safe plant condftfon durtng an extended pertod of AC power
unavallabtltty (statlon bl ackoutl.
2.8.4 Dl sadvantages
Thls concept results in more battery maintenance tlme.
2.8.5 Dl xusston
The vltal battery capactty in a nuclear power plant Is, typlcally.
sufflcient for 2 to 4 hours of DC power operation tn the absence of an AC power
supply to the battery chargers. In sane plants, thls capact ty my be as short as
90 minutes. Followtng a loss of all AC electrical power, the batterles are
typlcally requlred to supply power to safety-related loads such as those lfsted
tn Table 2-1. The major load durlng thts ttm is the vltal backup pomr supply
whlch provtdes 120 VAC power to safety-related tnstrumntation vta an tnverter.
Yhen the batterles are exhausted. all rmte tnstrumentatton and control
capabtlttfes wlll also be lost. Thus, tt 1s suggested that the battery capaclty
be Increased, perhaps to as much as 6 or 8 hours, in order to provtde addttional
tlnc tn whlch to restore AC ponr following a sabotage event. The actual
requtred battery capactty wI11 be dependent upon the plant safeguards
capablltttes and the eff~tlveness of any prearranged damage control measures.
Thls concept can be readtly incorporated tnto new plant destgns.
Larger battery rooms and additional batterles wlll, of course, result In
increased capttal costs. Thfs change may or may not be suttable as a backflt
modtftcatfon in operating plants depending upon the space avallable in exlstlng
battery rooms. Increasing the plant vltal battery capact ty wlll also result in
increased battery survefllance and maintenance but wlll not necessarlly require
extra manpower.

Table 2-1. Safety-Related DC Loads Supplied by Class 1E DC System
(Typical for One Channel )
LOAD DESCRIPTION
6900 or 4160 VAC ESF Switchgear
Circuit Breaker Operation
480 VAC ESF Load Center Clrcuit
Breaker Operation
Diesel Generator Control Panel
NSSS Auxi 1 iary Relay Cabinet
Reactor Trip Circuit Breaker
Cabinet
Vital Backtup Power Supply Inverter
Contml Power
Contml Pomr
SAFETY FUNCTION
Control and Instrumentation Power
Control and Instrumentation Power
for Solenoid Operators
Reactor Protection
Vital Instrumentation Power

2.9 DC LOAD SHEDDING CAPABILITY. CATEGORY I11
2.9.1 Concept
This concept involves providing the capability to shed instrumentation
loads that have redundant channels powered from other divisions of the Class 1E
M: power system.
2.9.2 Source
This concept was identified by SAI as a potential mans to prolong the
Class 1E DC battery life and, thus, provide additional time for AC power
restoratl on.
2.9.3 Advantages
The advantage of thi.s concept is that the useful life of the Class 1E
batteries may
' ,,
be extended durfng a prolonged station blackout without the
addition of more battery cells.
2.9.4 Di sadvantages
Temporarily de-energizing some instrument channels will reouce or
eliminate the avallabllity of backup instrumentation for on-lfne instrument
operational status veri fication.
2.9.5 Di scusslon
The endurance of a DC battery may be extended if the DC distribution
system is provided with the capability for shedding instrumentatlon loads that
have redundant channels powered from other divisions of the DC power system. In
other words, if a particular safety-related plant parameter is provided with four
channels of indtcatron, and three of the channels can be dropped from their
respective batteries, then the useful life of these batteries can be extended.
W i th this capabil lty, at least one channel of instrumentation would remain
energized until its respectlve battery was exhausted. A t that time, an

fnstrunrntation channel powered from another electrical division would be
energi zed.
Thls concept is applicable to both new and operating plants and will
result in increased capital costs for appropriate remote disconnect devices and
controls. The safety implications of shutdown operation with only a single
Instrunentation channel ill need to be investigated to ensure that such
operatlon wi1 1 be permitted under exi st1 ng codes and regul ations.
2.10 CLASS 1E OC DIVISION CROSS-CONNECTIONS, CATEGORY I I I
2.10.1 Concept
This concept involves providing the capability to cross-connect
normally separate and independent divisions of the Class LE DC power system.
2.10.2 SOUKC
Thls concept was identified by SAI as a result of work performed under
Sandla contract SLA 07-9866.
2.10.3 Advantages
The advantage of thls concept is that OC loads may be suppl fed wi th
power from not on1 y a 'normal OC bus but an a1 ternate DC bus, as well. Thus.
this concept increases the dl fflcul ty of sabotaging an individual channel , or
division, of the vital OC power system.
2.10.4 Oi sadvantages
No disadvantages have been identified for thls concept.

2.10.5 Dlscusslon
It Is suggested that conslderatton be glven to provldlng the DC power
System wlth the capablllty to cross-connect normally separate and independent
divisions wtthln a unit. Thls capabilfty may permtt sabotaged portions of the DC
distrlbutlon system to be bypassed in order to supply power to vttal loads from
an Intact portlon of the system. Investlgatton of exlsting regulations wlll be
requtred to ensure that separatlon requirements are not compromtsed by such a
change. Thts concept may be accmdated in both new and operatlng plants as
long as there are no confltcts wlth existlng codes and regulattons.
2.11 EXTENDED DC POWER GENERATION CAPABILITY DURING STATION BLACKOUT.
CATEGORY I 2.11.1 Concept
Thls concept Involves pruvldtng small independent dlesel or steam
turblne generators for DC power generatlon and/or battery charging.
2.11.2 Source
Thls concept was ldentlfied by SAX as a means for lncreastng the
dlfffculty of sabotaging the plant vltal DC power system.
2.11.3 Advantages
The advantage of this concept is that It provtdes an alternative for
ensurlng the long-term avatl ablll ty of the DC power system when DC load sheddlng
and other measures are inappropriate or inadequate in provfdlng extended OC power
capablllty durlng a prolonged statlon blackout.
2.11.4 Di sadvantages
This concept may result in add1 tional millntenance and testing
requirements as well as addltlonal component safeguards.

2.11.5 Oi scussion
The concern over vital OC power avaflabillty for the duration of a
station blackout (loss of all AC power) has led one utll ity to consider the
addition of independent diesel generators for battery charging to ensure extended
DC power avaflabillty. It may be prudent, therefore, to consider this concept as
a safeguards measure in view of the sabotage vulnerabllity of both the offsfte
power system and the onsi t'e emergency diesel generators. In this case, however,
f t 1s recomnended that a sut table number of independent diesel or steam turbf ne
generators be provided for emergency DC power generation and/or battery chargfng
in the event of a sabotage-induced extended loss of AC power. Two potentfat
design arrangements are illustrated in Figure 2-4. ihfs concept can provide a
last-ditch source of emergency DC power when all other sources have been dtsabled
or exhausted.
The advantage of a steam turbine generator is that f t can be driven by
decay heat generated steam, while the diesel generator requires a standby fuel
supply. Decay heat generated steam will be available for many hours following
reactor shutdown. If steam turbine generators are utilized. a design
modification w i l l be required to supply steam from a main steam line. Fixed
diesel generators may be provided at a location whlch is remote from the OC
distrtbutfon system. If portable diesel generators are utilized, these may be
provided as part of a damage control program. The required generator size varies
from one plant to the next, depending upon the vital OC loading, but will
typically be in the range of 125-250 kM. This requires a 180-350 hp driver.
The addi tton of steam turbine generators is probably not suitable as a
backff t modification at operating plants due to physical 1 ayout restrictions.
Diesel generators are suitable for either backfit or new construction.
2.12 CONSOLIDATION OF SAFETY-RELATED INSTRUMENTATION TRANSMITTERS,
CATEGORY 111
2.12.1 Concept
This concept involves providing comnon locations for fie) d-mounted
transmitters which are located in the sdme general area of the plant.

Fra Class II
480 VK
Sull Stem Turbfne- or
Dlesel-Generator
Fra Class If
Flgure 2-4. Alternattve Safeguards fmergency DC Power Supplies.
hall Stew lurblnw
Dlesel-

2.12.2 Source
This concept was identified by SAI as a result of work performed under
Sandia contract SLA 07-9866.
2.12.3 Advantages
The advantage of this concept is fn the reduced number of
sabotage-protective enclosures required for fteld-mounted transmf tters.
. .
2.12.4 Of sadvantages
The dlsadvantaqe of this concept is the single sabotage target created
by the grouping of mu1 tiple safety-related transmitters in a commn location.
2.12.5 Discussion
Sensors fn nuclear power plants are used to measure the important plant
operatf ng parameters and condt tfons. Transmi tters are used to amp1 1 fy and
transmit the sensor signals to the control room (and possibly other locations)
for use by safety systems, control systems, annuncfation and alarm systems, and
operator displays. Transmf tters are typfcally located in the general vfcfni ty of
the associated sensors dnd can be found throughout the plant. It is suggested
that comnon locations be provfdcd for field-mounted, safety-related transmftters
which are located in the same general area of the plant. Although this results
In a comn target for multiple transmitters, it also results in a reduced number
of individual safeguards protective enclosures which would be necessary as delay
devices for protection against sabotage by an insider. Transmitters of redundant
instrument channels must not be located in comnon enclosures in order to preserve
channel separatfon. This concept may be f ncorporated into both new and operating
plants without a significant increase in cost.
fewer fndfvflual safeguards.
It will, by destgn. result in

2.13 ADDITIONAL LOCAL-REMOTE INDICATORS, CATEGORY I I I
2.13.1 Concept
This concept tnvolves providing addttional remote tndtcators for
~eltckd plant and equipment paranters that would aid in minimltlng the need for
Operating Personnel to enter vital areas for lnstrumcntatton surveil lance.
2.13.2 Source
This concept was identified by SAI as a result of work performed under
Sandia contract SLA 07-9866.
2.19.3 Advantages
The advantage of this concept is that 1 imt ting the access requtrments
to vltal areas reduces the complexity of the vital area safeguards or reduces the
impact of these safeguards on plant operations, testing, and surveillance.
2.13.4 Dl sadvantages
Less frequent visitation of vttal areas may reduce the ability of plant
personnel to provide tlmel y dekction of equi pent problems.
2.13.5 Discussion
A signt ficant portion of the operations staff acttvi ties performed
outside of the contml room involve area inspections and surveillance. In some
plants these latter acttvlties account for as much as 70% of the out-of-control
room activities. Such activitie$ may require vital area entry by operations
personnel as often as hrice a shift. In order to minimize the need for operating
personnel to enter vital areas, it is suggested that sufficient remote tndtcators
be provided for selected plant and equtpment parameters to preclude the need for
vttal area access for routine surveillance. This remote tnstrumentatlon may be
provfded in the control room or imnedfately outside the affected vital area.
1 pts will reduce the opportuni tles ' that an insider might have to sabotage

equipment during routine plant surveil1 ance. Thls concept i s appl icable to both
n u and operating plants and will result in additional equipment costs.
2.14 REARRANGEMENT OF INSTRUMENTATION CABINET PANEL-FRONT DEVICES,
CATEGORY 111
2.14.1 Concept
Thls concept involves the design of RPS and ESFAS equipment to maximite
the use of panel-front test jacks and ninid.ze the use of panel-front calibration
control s.
2.14.2 Source
This concept was identified by SAI as a result of work performed under
Sandia contract SLA 07-9866.
2.14.3 Advantages
The advantage of this conc0'j)t is that instrumentation testing
operations can be performed without rquiring access to the enclosure interior,
while the enclosure can be used to provkqr both detection and delay capability in
preventing msnipulation of instrumentdti~n sensf tivi ty and setpointt.

TRA 1 N
CHANNEL B
CHANNEL "INNEL D
iNNEL
I I
MODULES. BISTABLE TRIP (2/4 COINCIDENCE LOGIC
MODULES MODULES. COMBINATIONAL
OR LOGIC MODULES. LOAD/
RELAY DRIVER MODULES)
Figure 2-5. Typical Safety System Cabinet and Equipment Arrangerent (Ref. 1).
..

insider sabotage and the dlfflcul tles involved f n providing adequate sabotage
protection, it is suggested that 1) maximun use be made of panel front test
jacks. and 2) minim use be mde of panel front cal!bration devices. The fonner
change 1 penlt necessary perfodfc testing while at the same tim minfmize
access requirements to the panel interior. The latter change wlll reduce the
opportunities that an insider might have to sabotage instrumentation and control
Systems by ml sadjusting alarm or trip settings. Since calibration activl tles
(typically perfonnrd annually) wlll now rqulre access to the panel interior,
work rules will be requfred as 8 safeguards measure. This concept is applicable
to new plants and as a backfit modification in operating plants.
2.15 SMALL-DIMTER PIPING mlOIFICATIONS. CATEGORY I11
2.15.1 Concept
This concept involves the utll ization of higher schedule
( thi cker-wall ed) , hardened pi ping wi th a1 1 -we1 ded connections for small-dl ameter
sewice and instrument lines
2.15.2 SOURC
This concept was dentifled by SAI as a result of work performed under
Sandia contract SLA 07-9866.
2.15.3 Advantages
The advantage of this concept is in the reduced vulnerability of
small-diameter piping to acts of sabotage.
2.15.4 Dl sadvantages
The disadvantage of this concept is in the Increased difficulty in such
activities as pipe routing fn small or congested areas and in the making and
breaking of all-welded connections.

2.15.5 Dlxussion
Mst appllcatlons of mall diameter piplng (4 Inch dlamcter) In
nuclear power plants are related to pmvfdlng auxiliary services (e.g., cooling
water, lubrlcatfng flufd, hydraulic pressure, alr pressure, etc.), transmfttlng
process fluld condltlons to local Instrumentatlon sensors, or tranwnftting
process fluid samples to local sampllng stations. Such piplng typlcally utlllzes
thread4 or flanged connectlons for ease of fabrlcatlon, Install atlon, and
aalntcnance. However, these types of conntctlons are partlcularly vulnerable to
sabotage using slmple, readlly avallabla tools. It Is, therefore, suggested that
such connutlons be replaced, In crl tlcal appl lcations, with all-welded
., . .
connktlons. Thls dl1 reduce the sabotage vulnerablity of these I'inks by raaklng
It more dlfflcult to open the connectlons. It f s also recommnded that hlgher
schedule, hardened piplng be used for these 1 lnes In crf tical sop, ::ations. Thfs
reduces the sabotage vulnerabllfty by nuking It more dlfflcult to cut or crlmp
these llnes.
These concepts are applicable to both new and operatlng plants. In
addltlon to increased material costs for the hlgher quality material and
connution preparation, these changes will have a slgniflcant impact on plant
maintenance. Thls results fm the increased time rqulred to make and break
all-welded connectlons. The use of hlgher schedule, hardened plping may a1 so
affect the abflity to route Instrument or service llnes In tlght spaces.
2.16 COMF'ONENT PASSIVE LUBRICATION, CATEGORY I11
2.16.1 Concept
Thls concept Involves mxlm1zlng the use of rlng-011 ing In
unpressurlzed component 1 ubc 011 appl icstlons.
2.16.2 Source
Thls concept was ldenti fled by SAI as a means for elfminating an
external auxil lary lube of1 system as a sabotage target for disabling vl tal pumps
or turbines.

2.16.3 Advantages
The advantage of this concept is in the reduction of the complexity of
equfprnt Tuba oil systems, and sputftcally, in the elimination of external
equlpvnt lube 011 systm.
2.16.4 Disadvantages
No disadvantages have been identlfltd for this concept.
'. L
2.16.5 Dtscussion
Most appllcatlons of pressurized lubricattng oil in power plants are
for the purpose of reducing bearing har. Thls situation is most likely to be
found tn heavily loaded bearings. where under starting and stopping conditions
there will be either no hydrodynamic pressure (and henc; no shaft/bearlng
P' ,
separation) or tnsufftclent pressure to maintain bearlng surface separation. In
such t nstances an external 1 y pressurl zed bearing t s utll 1 zed. Here the
lubricating oil is pumped out of an oil reservoir through an external service
line and back to the component bearings. The pump may be either a motor-driven
pump or an integral gear pump. When the speed of shaft rotation ts sufficient to
matntatn the separation of bearing surfaces the lube oil pump can be shut off.
Thts same lubricatlng oil arrangement ts sometimes found in power plant
',I
mtattng machinery with 1 fghtly loaded bearings in order to mtnimlze starting and
stopping wear on the bearings.
'3
HowFver. under these conditions pressurized
lubricating of1 is not requtred and sYch a system can make vital machinery
unnecessarfly vulnerable to a sabotqga;lnduced loss of lubricating 011. It Is,
therefore, suggested that for vltal appl lcations where pressurized lube oil is
, I1 "
not a requlrwnt, a ring-otltng arrangement be utlltzed. Such an arrangement is
shorn in Figure 2-6. This concept, which( will eliminate a potential sabotage
I
mode for vltal pumps and turbines, can be incorporated directly into new plant
designs. A1 though the concept is a1 so applicable to operating plants, it Is
probably not cost-effective as a backfit mdi ficatfon slnce it would require
replacement of some existing pumps and turblnes at a significant cost. The
elimination of each
less matntenance item.
electrlcally powered lube oil pump will also result in one

OIL
r e
INNER SEAL
OIL RESERVOIR
IL DRAIN PLUG
2 6 Horizontal Motor Sleeve Bearlng and 011 Ring System (Ref. 1).

2.17.1 Concept
Thls concept 1nvolves mxtatzlng the use of modular, enclosed
component: for vltal appllcatlons.
2.17.2 Source
Thls concept was ldentlfled b,,-iAI as a result of ,work performed under
Sandla contract SLA 07-9866.
2.17.3 Advantages
The advantage of this concept 1s in the simplification of vltal
component safeguards. , #, .
2.17.4 Olsadvantages
No dlsadvantages have been idmtf fied for this concept.
2.17.5 Oiscusslon
A signlftcant reductton In overall safeguards can be achleved by
utll lzf ng modular-type components wherever posslbl e In crl tlcal appl lcatlons.
The hydraullc valve actuator, shorn In Flgure 2-7, Is an example of a
wdular-type hydraultc valve actuator. The unlt 1s manufactured as a package
wlth an enclosure so that lnstallatlon requlres only mountlng and servtce
hook-ups. The enclosure may be uttltzed to pmvlde safeguards detectlan and
delay capability. Although access to the fnttrnals can be obtafned for
~Intenance purposes. the outer enclosure should include the necessary meters and
gauges (or instrument connectlons~ to allow an equlpmnt operator to detennlne
the component or process s t - wlthout requfrlng access to the enclosure
fntcrlor. This concept Is applfcable to new plant deslgns and as a backflt
modtffcatlon to operating plants.

Figure 2-7. Physical Arrangement of a Typical Small Hydraulically Operated
Valve wi th a Linear Self-contained Hydraulic Actuator (Ref. 1).

2.18 COFPONEKT COOLING MOOIFICATIONS. CATEGORY 111
This concept involves. providing localized coollng arrangements for
vital pmps and mtors (see Figure 2-01.
2.18.2 Source
This concept was identi fled by SAX as r mans for el iminating the
dependence of vi tal puaps and motors gn external cwl ing water systems.
2.18.3 Advantages
The advantage of this concept is in the reduction or elimination of one
potential sabotage location for vttal pumps and motors.
2.18.4 Ofsadvantages
The disadvantage of thts concept. as illustrated in Figure 2-8, is that
it is dependent upon the accessibility to outside air for heat rejection.
2.18.5 Olscusslon
Many large-size vital pumps a h motors are cooled vfa a cooling water
service system. Cooling water is generally supplied to the pump or motor
bearings, where frtctfon-generated heat 1s removed, and returned to the cootfng
water system heat slnk (heat exchanger or ultimate heat slnk). The long-term
avallablltty of such pumps and motors can be comprmised by acts of sabotage
performed on the coollng water system. It 1s. therefore, suggested that use of a
local cooling system be maximized for safeguards-related components. An example
of such a systetn is illustrated in Figure 2-8. Since each cooling water loop
requires a pump, this concept will result in the addttfon of both an air-blast
heat exchanger and a cooling water pump in each applicatfon. This concept fs,
not applicable where direct access to a suitable heat slnk (typically, the
atmsphere) is unavailable. It may be possible to integrate thts change with a
similar concept for the vital area emergency cooling function (see Section 2.19)

!
Outside A1 r
Air-Blast
Heat Exchanger
Missile Shltld
Ffgure 2-8. Localized Cooling Arrangemnt for Large Punps and Motors.
Roo
Ysl
Bul

to accomplish both functions with one coollng rater loop. Thls concept m y be
1Morporated Into new plant derlgns dthout any antlclpated problem. It is
probably unsuitable as r backflt mdlficatlon slnce re-opti~~~lzatlon of exlstlng
plant rftal cooling water facll'ltles would b. requlred along 4th additional
autartlc md mmote-unual controls. The alr-blast heat exchanger will require
aPVroprlate sdfeguards protection (e.9.. a sultable ~isslle barrler. etc.) due to
Its accesslbill ty from outslde the vf tal amr.
, , Other cool ing arrangements isry be possible, such as coollng pups and
J~~~dated drlyers 4th fluld from the pump dfscharge. In s a appllcations,
direct coollng my be posslble by routlng a sldestream of pump discharge flw to
the punp and drlver bearlngs. The fluld 1s then returned to the ; pump suctfon.
Thh arrangsmnt 1s presently found In soae nuclear plant appl icatlons (e.g..
turbine-drlven ailxlliary feedwater pmp). If the cwllng fluld is not suitable
*or direct cooling appllcatlons. then a local intenardiate coollng loop my be
Provlded as illustrated in Flgure 2-9.
2.19 VITAL AREA EMERGENCY COOLING nOOIFICATIONS. CATEGORY 111
2.19.1 Concept
This concept fnvolves mlnlmlzlng the dependence of vital area fan
coolfng units (FCU) on other actlve coollng systms to complete the heat
rejutfon path to the ultlmata heat sink.
2.19.2 Source
Thls concept was identlfled by SAI as a result of uork performed under
Sandfa contract SU 07-9866.
2.19.3 Advantages
The advantage of this concept 1s in the reduction or elfminatlon o
potent181 sabotage locations for vftal area mrgency cool ing system.

. .
Local lntendtate Heat Exchanger
-Etc.-d y/ Gear-drtven
Coollng Water
Figure 2-9. Local Cooling Supplted by Pvmp Dtscharge Fluid.

2.19.4 . Disadvantages
The lujor disadvantage of thls concept is that an increase in the
orxfnucl allowable rooa or area temperature llml ts may be required.
2.19.5 Discussion
Vital equipment rooa emergency cool i:+g is generally accomplished with
tk aid of a fan cooler unit (FCUI of the t,w@ shom in Figure 2-10 and
schcaatically illustrated in Figure 2-11. Such units receive cooling water fra
m external cooling water system which may be ei ther a closed- or open-loop
System. Roa heat is transferred to the cooling water by blowing recirculated
moa air across the unit cooling coil. One or more cooling water loops are
required for transferring roa heat to the ultlllatc heat sink.
Frol a physical protection standpoint. It is desirable to minimize the
number of potential sabotage target areas from which an individual systea or
I 1
component way be disabled. One way in which this objective may be accomplished
a I*
Is by nini~lzing the required nmber of process auxiliary systems or by
nlnimizln~ the nrrmbCr of interrdiate service systw. In the case of vltal area
emergen$y c&ling, three alternative design concepts are suggestel.
1' The first alternative. shom schmrtically in Figure 2-12. involves the
el intination of an emergency chilled water service system for cooling water supply
to the FCU. In this design concept, cooling water ftol a vltal, closed-loop.
sewice wabr system is supplied ro the FCU. This sewice water loop then
rejects the heat to another vltal coollng water system interfacing directly with
the ultimate heat sink. The purpose of thls concept is to eliminate the need for
safeguarding a chilled water system by utilizing a non-chilled coollng water
service system. Due to other emergency safety system cooling water requirenents,
such a vital service water system will require safeguards anyway. Thus. a
reduction in total safeguards requirements results. The above concept Is
momncnded. for example. for ESF swl tchgear rum cool ing.
I The second alternative. shom schmatically in Figure 2-13. involver
elimination of an intenMdiate vltal cooling water service systm for coollng
water su~ply to the FCU. In this concept. FCU cooling water supply is obtained
directly frw the ul tlmate heat sink. The intent. here, is to minimize the
number of potential sabotage target areas by eliminating an intenneblate cooling
water loop. Deptnding uwn the quality of the cooling water from the ultimate

I
CAN SECTION I
Figure 2-10. External Arrangerent of a Typical Draw-Thmugh Fan Cooler
Unit (Ref. 1).
57

VALVE
C00113B WATER
ISOLATION VALVE
TO SERVICE WATER
OR cnuuo WATER
SYSTEM
k
DRAIN FROM SERVICE WATER
VALVE OR CklLLED WATE R
SYSTEM
Y
COOLlNO WATER
ISOLATION VALVE
MOTOR CONIROL CENT€ R
figure 2-11. Simplified Schematic of a Typical Fan Coil Cooling Unit (Ref. I).

Cool lng
unlt
To Other
ESU Lords
2-
fSY Loads
I
Flgure 2-12. Emrgency Room or Ama Venti lrtlon/Cool lng Arrangcmnt
(Alternative to Chlll ed Yater Coollng).
To/Fm
U1 timate
Heat Sink

....,.. c.,
Frol Other
Loads
To Ultfwte
Heat 'Slnk
To Other 4 I From Ul tlmate
Lords < Heat Slnk
Ffpurr 2-13. Emqency Room or Area Ventllrtfon/Coolfng Arrangmnt
(Slngle Coollng Water Loop).

. .
'C?. . . .
:, *-.,::
.jj.i;
r. . .,
;" heat slnk this concept may or may not be compatible wfth FCU cooling coil
materl a1 s.
The thfrd alternative, shown schematically in Figure 2-14, involves the
total elimination of an external cooling water system for cooling water supply to
the FCU. 'rn this case, a closed cooling water loop transfers heat from the room
to the outside via two fan and heat transfer coil arrangements. Such an
arrangement, however. is dependent upon the accessibil lty to outside air for heat
rejection. In addftlon to requlrlng an air-blast heat exchanger for heat
dissipation, a cooling water pump and possibly a surge tank are necessary for
each applfcation. The air-blast heat exchangers nay be located on a building
roof and will require mlsslle and safeguards protection. If direct'access to a
Suitable heat slnk (typfcally, the atmosphere) is unavailable, then thls Concept
Is not applicable.
The intent of this concept i s to eliminate the vulnerability of the FCU
to sabotage of an external cool tng water sewice system. However, thls concept
may not be appllcable in some plant 1ocations where outdoor ambfent afr
condl tions may necessf tate addl tional heating or cool lng. In all three
a1 ternatives dl scussed above, cost or si tlng cons1 derations may require an
increase in the maximvm allowable room or area temperature limits. In many
instances, however, this may not be out of the question.
For new plant constructfon these concepts can be accomnodated by
re-desl gn of the room or area FCU. The concepts are probably not applicable for
operating plant backflt consideration for the same reasons given in Section 2.18.
Add1 tfonal automatfc and remote-manual controls may a1 so be required. These
concepts will. by design, result in a reductfon in total plant safeguards
complexf ty.

g u
Outslde Alr /
I Roof or Ida11
af Bulldlng
I
YIt8r Pup
c-- Fa Housf ng
2-14. Emergency Room or Area Ventfl~tfon/Cooling Arrangement
(No External Cool lng Water Loop).

CHAPTER 3
PIJR DESIGN CHANGES
3.1 CLASS 1E AUXILIARY STEAM TURBINE-GENERATOR, CATEGORY I I I
3.1.1 Concept
This concept involves the addition of a Class 1E 480 VAC standby steam
turbine-generator as an emergency backup to the existing onsite emergency power
system. . , , ,. . . ...,. .. . .
,. : . -
3.1.2 Source
This concept was identified by SAI as a means for increasing the
difficulty of sabotaging the power supply for certain electrical1 y-powered vital
components.
3.1.3 Advantaqes
The major advantage of this concept is that it provides the capability
for maintaining the PWR in a safe shutdown condition following a sabotage-induced
loss of offsite power and onsite diesel generators.
3.1.4 Disadvantages
This concept will require additional component safeguards and possibly
an additional vital area.
3.1.5 Disc~~ssion
The standby emergency diesel generators of LWR plants are particularly
vulnerable to sabotage by an insider. This is a result of the number of auxiliary
systems required to support diesel operation and their locations, and the frequent

, .
accessibility to the diesel and auxiliaries . . which is reqsired for :urreillance and
testing. In mst PWR plants the diesel generator day tank, which is enclosed
nithin 'the diesel vital area. contains sufficient fuel oil for only 1-4 hours of
diesel operation. The main fuel oil storage tanks and transfer pumps are
generally located underground in the plant yard, and are thus extremely vulnerable
to acts of sabotage. Therefore. even if the diesels are not sabotaged. the
unavailability of the main fuel oil supply results in AC power availability which
is limited by the day tank capacity.
Many plants also have a vital DC battery capacity which is only
sufficient for up to 2 hours of; operation following a total loss of AC power. It
was shown'elsewhere that even with anextended DC battery capacity '(for auxiliary
feedwater system control and safety-related instrumentation availability) reactor
operator control of reactor coolant system (RCS) conditions is extremely limited
without the availability of AC power. In particular, the RCS cannot be maintained
in a safe shutdown condition for an extended period of time following a transient
without RCS makeup. Makeup is normally supplied via one or more 480 VAC charging
or makeup pumps.
The concerns expressed above can be at least partially alleviated in a
PWR plant by the addition of a standby auxiliary steam turbine-generator. Such a
machine can provide a three-phase 480 VAC output by expanding steam generated from
reactor decay heat in a single stage turbine. The generator output may be wired
to an existing 480 volt bus or to a special bus from which only one train of DC
distribution equipment (two of four channels) and one charging pump can receive
power. The turbine wuld cxhaust to atmosphere in the same fashion as the PWR
turbine-driven auxil iary feedwater (AFW) pump. Oil for the turbine bearings and
the governing system may be supplied by a self-contained lube oil system which
includes a sel f-priming. gear-driven main oil pump, filter, cooler, reservoir,
lnterconncciing piptng, and gages as required. It is assumed that area cooling
would be provided via a DC motor-driven ventilation fan (see Section 3.13 for a
discussion of other means of minimizing heat rejection to tbe room).
The availability of such an auxiliary turbine-generator offers a numbcr
of safeguards advantages for a PUR plant. Thc availability of a charging pump. in
conjunction with the steam turbine-driven AFW pu~r~p, providcs the capability for
coolfng the RCS and maintaining subcooled RCS conditions. This design concept

ensures the ability of the plant to maintain a safe
clther nonnal or emergency AC power has been restored.
A conservative preliminary analysis indicates
shutdown condition unti 1
that five to 15 hours Of
auxil iary turbi ne-generator operation could be achieved before the decay heat
stcam generation rate is insufficient to drive the turbine. The lower value was
derived by assuming that thc majority of the plant emergency 480 VAC loads are
drawing power from the generator (-850 hp). The upper value was derived by
assuming only the following 480 VAC loads to be drawing power:
0 one charging pump (100 hp)
0 two battery chargers (70 kW each)
two motor control centers for motor-operated valve operation (40 hp
total )
0 one vital backup power supply transformer (25 kW)
auxil iary feedwater pump room fan (75 hp)
Both cases assume that rated steam flow (5.4 x lo4 lblhr) is being provided for
slmultancous opcration of the 700 hp steam turbine-driven AFW pump.
In addition tn !he t::rb!r.?-generator, this design concept rewires
additional piping. valvcs, controls and electrical wiring. Interfaces with the
main stcam supply and Class 1E AC power systcms are required. The additional
survcillance and testing requirements associated with this concept will have only
a slight impact on the respective plant surveillance and testing schedules and
will rcquirc no additional manpower. Since the system will normally be in
emergency standby, the preventive maintenance requ1rernents will be minimal.
Appropriate safeguards will neccssarily be requlred for the additional cquipnent
rcquircd by this conccpt. Due to the nced for main stcam supply, the safeguards
rcquircmcnts for this design conccpt, and plant physical layout restrictions, this
conccpt is likely to be unsuitable as a backfit modification in operating plants.

. .
.,,. . .. .
.,.
,, ..* .
. ..
,, .; .
,
. :.
, *i'
. . ,'~
, ,. . ... ,
... 3.2. CLASS 1E PRESSURIZiR HEATER POWER, CATEGORY 111
3.2.1 Concept
heaters.
3.2.2 Source
This concept involves providing Class 1E power to the PWR pressurizer
This concept was identified by SAI as a result of work performed under
..,.. . .... .., ., . .
Sandia contract SLA 07-9866.
3.2.3 Advantages
The advantage of this concept is in the ability to maintain the steam
bubble in the pressurizer using available onsite AC power during an extended loss
of offsite power.
3.2.4 Disadvantages
No disadvantages have been identified for this concept.
3.2.5 uiscussion
Some PWR plants utilize non-Class 1E power for the pressurizer heaters
on the philosophy that primary coolant pressure control during a reactor cooldown
can be achieved wtthout the heaters. This is indeed true if the reactor can be
taken to cold shutdown in a timely manner. However, if the shutdown cooling (or
residual heat remval) system is unavailable, then the primary coolant system
cannot be maintai ned subcooled indefinitely in a hot zero power condition, wi thout
heater avallabillty. This is due to the fact that, without a source of heat, the
normal heat losses from the pressurizer will eventually bring it into thermal
equilibrium with the RCS. At that point, the RCS reaches saturation conditions
and boiling colmnences in the reactor core. Such a situation could be attained in
about 7-1/2 hours or less following a loss of normal AC power with a concurrent
loss of shutdown cooling capability. Although core boiling does not necessarily

esult in fuel damage. the introduction of a steam bubble in the reactor vessel
head due to core boiling is likely to result in operational restrtcttons that
limit the operator's abiltty to maintain a safe condition. It is, therefore,
suggested that Class 1E power be supplied to a sufficient number of pressurizer
heaters to compensate for pressurtzer heat losses while the reactor is in a hot
standby condition. In addition, the heaters should be provided with suing-load
capability, as described in Section 2.1. or split among separate and independent
Class 1E busses, to provide 100% redundant heater capacity.
This design concept may be acconnodated as a backfit modification during
an appropriate plant outage with relatively minimal impact on the outage work
schedule. Since it is assumed that the'work involves prtnarily the re-routing of
electrical cab1 ing. the capital cost involved should be minimal.
3.3 ACOITIONAL PRESSURIZER INSULATION, CATEGORY 111
3.3.1 Concept
This concept involves the addition of more insulation to the pressurizer
vessel.
3.3.2 Source
This concept was identified by SAI as a means for reducing the heat loss
rate from the pressuri zer vessel foll owing a sabotage-induced loss of pressurizer
hcaters and shutdown cooling capability.
3.3.3 Advantages
The advantage of this concept is in the reduced pressurizer cooldown
rate and the ability to maintain the steam bubble in the pressurizer for a longer
period of time followtng a sabotage-induced translent and loss of pressurizer
heaters and shutdown cooling capability. This design concept may be an
alternative to the measures tdentifted in Section 3.2.

3.3.4 Disadvantages
No disadvantages have been identlfled for thls concept.
3.3.5 Dlscusslon
The rate of heat loss from the pressurlzer may be reduced by adding
more lnsulatlon to the exterior of the pressurlzer vessel. The vessel 1s
typically surrounded by Mir tor -type metal lic lnsulatlon. For typical vessel
surface temperatures of 650'~. the present maxirmm thickness provided by Mirror
has been 5-1/2 inches (Reference 2). Thls amount of lnsulatlon llmlts the
radiant heat loss rate during operation to around lo5 BTUIhr, which represents
about 25-301 of the total heat losses from the vessel. The remafnfng 70-75% of
the heat loss occurs via conduction to vesrel support structures. Beyond 5
fnches of lnsulatlon thickness, however. the addltlonal cost of Mlrror insulation
wlll signlflcantly outwelgh the incremental reductfon in radlant heat loss from
the vessel. In spite of the negatlve economfcs. It is suggested that
conslderatlon be given to addlng more insulatlon as a safeguards measure.
For operating plants. there is unlikely to be sufficient space wlthln
the pressurlzer encl~stlre for the addltlon of more lnsulatlon to the vessel
exterlor. New plant costs for such a concept Include addltlonal materials' costs
and posslble ~elocatlon rnodiflcatlons for pressurlzer service and lnstrumentatlon
pfplng. valves. etc.
3.4 REACTOR VESSEL WATER LEVEL INSTRUMENTATION. CATEGORY 111
3.4.1 Concept
This concept lnvolves provldlng water level nuni tor lng instr umentatlon
for the PWR pressure vessel.
3.4.2 Source
-
This concept was reported by SAl under Sandid contract SLA 07-9866.

i,, ' ...
.',!.
.. .,,. . . 3 .4.3 Advantages
. .,. . .
...
> ..
.
. .
,. .,
;. .
The advantage of this concept ts tn providing the reactor operations
staff wfth sufficient infomation to aid in determtning the need for primary
~00lant system makeup and the acceptabt 1 tty of the plant heatup or cool down
: ;
. ,.:, . Strategy
vessel.
in progress once a steam bubble has been established in the reactor
3.4.4 Dl sadvantages
No disadvantages have been identified for this concept.
3.4.5 Dtscussion
The possibil ty of boil lng occurring wi thin the reactor core as a
result of sabotage acttons can lead to the formation of a steam bubble tn the
reactor vessel head. In this sttuation, the reactor operator does not have
sufflcfent 1 nfonatfon avail able to monitor condi tfons wf tht n the reactor vessel
to ensure 1) adquate heat transfer to the steam generators, and 2) suffictent
reactor vessel water to keep the fuel covered. It Is, therefore, suggested that
instrunentatton be provided to monitor the reactor vessel water level. This
design concept may be accompl tshed with the atd of dt fferential pressure devices
caltbrated to be accurate at a specified vessel pressure and water temperature
condition. Level transmitters, which respond to the difference between the
pressure due to a constant reference column of water and the pressure due to the
actual water level in the vessel, can be used to provide the necessary signal for
control room readout. Such control room fndlcation would aid the operator In
determining the need for pmvtdfng primary coolant system makeup in order to keep
the fuel covered and fn detemfnfng the acceptabtltty af various operating
strategies with a steam bubble tn the vessel head. This design concept is not
suitable as a backfit modfftcation since it requires modification of the reactor
pressure vessel for the additional tnstrumentation.

jI..'$ .
$ 5
$!,
.. . .:.;,: . .,
I-:.. , . .. ',';: , .
..; 5 .
.!:. 3.5 REACTOR VESSEL HEAD VENT. CATEGORY I11
3.5.1. Concept
vessel head space.
This concept involves providing the capability to remotely vent the PWR
3.5.2 - Source
This concept was investigated by UI as a means for providing the
capability to prevent the interruption of reactor coolant flow to the steam
generators due to the formation of a steam bubble in the reactor vessel head.
3.5.3 Advantages
The advantage of this concept is in the ability to ensure adequate heat
transfer to the steam generators and to aid in re-establishing subcooled
cond!tions in the reactor coolant system following the formation of a steam
bubble in the reactor vessel head.
3.5.4 Disadvantages
The disadvantage of this concept is that the vent line is an additional
potential LEA source.
3.5.5 Dl scussion
As statcd previously in Section 3.4, the possibility of boiling
occurring wl thin the reactor core as a result of sabotage actions can lead to the
formation of a steam bubble in the reactor vessel head. This, in turn, may lead
to the interruption of reactor coolant flow to the steam generators as the bubble
size increases, unless it is possible to vent the steam space. In addition, it
may be extremely dl fficult to re-establ ish tubcooled RCS conditions wl th a steam
bubble in the pressuri ter without the capabil ity for venting the head space. It
is, therefore, suggested that capabi 1 i ty be provided for remotely ventf ng the
reactor vessel head space. This capabi 1 i ty involves providing an arrangement of

eactor vessel ptptng and valves simt l ar to that shown tn Ftgure 3-1. Here, it
has been assumed that redundant vent llnes with redundant, normally closed,
fall-closed lsol atton valves would be requtred. A1 though tht s arrangwnt would
rtd in re-establtshing the steam bubble in the pressurizer, it is alsoa
potcnttal LOCA source. As such, the approprtate lsolatton rqutrwnts wlll have
to be satlsfted. Thls deslgn concept is suttable as a backft t nodl ffcatlon.
3.6 REACTOR COOLANT PUMP SEAL CONTROLLED LEAK-OFF ISOLATION VALVE ACTUATOR,
CATEGORY I1 I
3.6.1 Concept
Thts concept tnvolves the uttllzatton of OC motor actuators for reactor
coolant pump (RCPI seal control led leak-off (sol ation valves.
3.6.2 Source
Thls concept was tdenttfted by SAI as a means for mtntmlzfng the
1 eakage of primary cool ant foll owtng a sabotage-t nduced transient wt th
unavatlabil fty of the reactor coolant makeup system.
3.6.3 Advantages
The advantage of thfs concept 1s in the reduction of RCS leakage,
whtch, In turn, increases the ttme requtred to achieve RCS saturatton condtttons
I., fonnatton of a steam bubble in the reactor vessel) following a
sabotage-lnduced trans! ent wt th unvatlabtl l ty of the RCS makeup system.
3.6.4 Dt sadvantages
No dtsadvantago have been tdenttfled for thls concept.

Vmt
Path A
Figure 3-1. Reactor Vessel Head Vent Concept.

3.6.5 Discussion
The pressurizer heaters are required in order to maintain subcooled RCS
conditions during an extended hot zero power condition. Such RCS pressure control
can be achieved only as long as the pressurizer water level is maintained above
the heater shutoff level. In the absence of a source of RCS makeup, RCS leakage
will slowly drain the pressurizer of water. When the pressurizer has been emptied
the RCS will reach saturation conditions and boiling will comnencc in the reactor
core. Under these conditions. the onset of RCS saturation may be delayed by
reducing the rate of RCS leakage. The only leakage source which can readily be
terminated in some PWR plants is the reactor coolant pump seal controlled
leak-off. This is accomplished by closing two motor-operated isolation valves
inside the containment. These valves are assumed to require Class 1E 480 VAC
power for operation. However. if AC power is unavailable, then these valves
cannot be closed from outside the containment. It may, therefore, be prudent to
provide these valves with DC motor actuators. In the event of a total loss of AC
power, the maximum allowable leak rate (Technical Specification limit) in
conjunction with decay heat removal only (no RCS cooldown) req~ires approximately
3 hours to empty the pressurizer. Thus. a significant reduction in the RCS leak
rate can result in a significant delay in the onset of RCS saturation.
For new plant construction, this concept does not result in any
additional costs as it involves only the substitution of one valve actuator for
another. DC power is already provided inside the containment buildings of nuclear
plants. For operating plants, this concept may be backfit during an appropriate
unit outage without serious cost penalties as long as there is sufficient battery
capacity to acconmodate the additional loads.
3.7 PARALLEL AUXILIARY SPRAY VALVES, CATEGORY 111
3.7.1 - ConccE
This concept involves providing parallel and independent valves in the
auxiliary spray line from the reactor coolant makeup system to the pressurizer.

3.7.2 Source
Thls concept was tdentifted by SAI as a means for increasing the
dl fffcul ty of sabotaging the auxtl iary pressuri zer spray function.
3.7.3 Advantages
The advantage of this concept fs in the increased number of actions
requtred to sabotage the auxiliary pressurizer spray function.
. .. , . .. , . ,.. ,
3.7.4 . , . . , . . Di sadvantages ..~.,, ,. .. ... . ., ,
No dtsadvantages have been fdentified for thts concept.
3.7.5 Olscussion
During normal power operation reactor coolant systm (RCS) pressure is
maintafned by the combtned operation of the pressurlzer heaters and pressurlzer
spray. During normal QCS cooldown. pressurlzer spray i s utll t zed to reduce the
temperature of the pressurizer steam and water volumes in order to maintain the
proper temperature differenttal between the RCS and the pressurizer. Normal
pressurlzer spray flow is obtained from the discharge of the reactor coolant
pumps (RCP) when the pumps are operattng. The unavaflabtltty of normal
pressurlzer spray (e.g. following a loss of offsi te power) results in the need
for auxll iary pressurlzer spray flow operation. Auxll iary spray flow Is obtatned
from the RCS makeup systm by opening one or more motor-operated valves in the
auxtl fary spray 1 tne. Due to the importance of maintaintng pressurizer pressure
and temperature control durlng reactor cooldown, it is suggested that valves In
non-redundant flow paths be replaced' by an arrangement of parallel and
elec trfcally independent valves ( see Ft gure 3-21 to ensure cool down control
capabiltty. This redundancy will have no stgnlficant impact or plant costs,
operations or maintenance activittes and Is suitable as a backft t modt ftcation
during an appropriate outage at operatlng plants.

3.7.2 Source
This concept was identified by SAI as a means for increasing the
dffficulty of sabotaging the auxiliary pressurizer spray function.
3.7.3 Advantages
The advantage of this concept is in the increased number
required to sabotage the auxiliary pressurlzer spray function.
of actions
3.7.4 01 sadvantages
No disadvantages have been identiffed for this concept.
3.7.5 Oiscussion
During normal power operation reactor coolant system (RCS) pressure 1s
~fntained by the combined operation of the pressurizer heaters and pressurizer
spray. During normal RCS cooldown, pressurizer spray is uttl ired to reduce the
temperature of the pressurizer steam and water volumes in order to maintain the
proper temperature differential between the RCS and the pressurlzer. Normal
pressurizer spray flow is obtained from the discharge of the reactor cool ant
pumps (RCP) when the pumps are operating. The unavailability of normal
pressurizer spray (e.9. following a loss of offsf te power) results in the need
for auxll iary pressuri zer spray flow operation. Auxiliary spray flow is obtained
from the RCS makeup systcn by opening one or more motor-operated valves in the
auxiliary spray line. Oue to the importance of maintaining pressurizer pressure
and temperature control during reactar cooldown, it is suggested that valves in
non-redundant flow paths be replaced by an arrangement of parallel and
electrical 1 y independent valves (see Figure 3-21 to ensure cooldom control
capability. Thts redundancy wlll have no significant impact or plant costs,
operations or maintenance activi ties and is suitable as
during an appropriate outage at operating plants.
a backfi t mod1 fication

Pressurl zer
c + hxlllrry
Elect. /
Dlv. B
Flgure 3-2. Para1 ?el. Redundant Auxiliary Spray Valves.
- ~nssur~zcr
Spray
Prcssurlzer
Spray

3.8 AUTOMAT1 C AUXILIARY FEEDUATER SYSTEY ACTUATION, CATEGORY I I I
3.81 Concept
Thls concept Involves providing automatlc actuatlon capabil ity for the
PW auxll iary feedwater systen (At%).
3.8.2 Source
Thls concept was identifled by SAI as a result of work perfonned under
Sandia contract SLA 07-9866.
3.8.3 Advantages
The advantage of thls concept is In the decreased response tlme of the
AFUS in ml tlgatlng opcratlonal occurrences and in the el lmlnatlon of re1 f ance on
the reactor operator for systen actuatlon.
3.8.4 Dl sadvantages
No dlsadvantages have been identified for thls concept.
3.8.5 Oixusslon
No( all PWR auxllfary feedwater systems have the capabillty for
automatlc actuatlon. In thfs case, system actuatlon is accomplished vta local or
remote-manual controls. However, due to sabotage conslderatlons and the need to
establish emergency feedwater flow to the steam generators in a timely manner
followlng a loss of normal feedwater flow. automatlc actuatlon capabiltty for the
AFWS Is suggested. Since the steam generators wlll boll dry In less than one
hour. and in some cases In less than 15 minutes, followlng tenlnatlon of normal
feedwater flow, auto~tfc actuatlon capabll i ty wl11 mlnimfze the posslbfll ty of
steam generator dryout due to operator inaction. Thls design concept ts
applicable to both new and operatlng plants and may be backfit into the latter
durlng an approprlate unlt outage. The instrumentatlon requtred to provlde Input
to approprlate system actuatlon loglc most 1 ikely exlsts in operattng plants so
that add1 tlonal Instrumentation may be unnecessary.

3.9 INCREASED EMERGEtiCY FEEOWATER SUPPLY. CATEGORY 111
3.9.1 Concept
feedwater.
3.9.2 Source
This concept involves providing an expanded supply of onsi te emergency
This concept was identified by SAI as a result of work performed under
Sandia contract SLA 07-9866.
3.9.3 Advantages
. -
The advantage of this concept is in the additional time provided to
initiate damage control activities appropriate to maintaining an extended hot
shutdown olant condition.
3.9.4 Disadvantages
No disadvantages have been identified for this concept.
3.9.5
,: . ,
1 Discussion
': For extened hot shutdown operation (e.g., loss of all AC power) it fs
necessary to provide an expanded supplyof onsite emergency feedwater. A typical
seismic Category I condensate storage tank (CST) has a capac!?y for 150.000 to
200,000 gallons of condensate-quality water. This is sufficient for ir~woximately
7 to 13 hours of extended hot shutdown ,AFWS operation depending upon the operating
strategy employed. The shutdown feedwater requirements for a typical 1100 Mwe FUR
are shown in Figure 3-3. Thwe are two basic alternative design concepts which
can be implemented in order to provide this additional capability. The purpose of
cdch concept is to provide adaitional time to initiate damage control activities
appropriate to maintaining an extended hot shutdown plant condition, rather than
to provide unlimited AFYS operating capability.
The first design concept involves providing redundant condensate water
storage tanks. In this case, NU pump suction can be taken from either tank.
independently. or from one tank only. with flow between tanks provided by a
suitably located gravity feed line. For the second design concept, suitable
piping connections to other conder~sate-quali ty onsi te water suppl ieS are

Ffgure 3-3. Steam Generator Feedwa ter Requt rements to Achteve and Mat ntafn
Hot Shutdown Followtng a Loss of Normal (Offsi te) AC Power.

pmvfded. In the case of a narltiple PWR unit plant tt may be possfble to achteve
thfs concept by provtdtng a cross-connection between unft condsnsate storage
tanks. However, in addltion to rcqulrtng approprtate valving for unit separatton
there may be some rddittonal safety requirements and constratnts due to this
cross-connution.
Then wtll be r sfgntficant capttal cost tmpact assoctated with the
fonner destgn concept due to the addttfon of a second condensate storage tank and
emlosure. Capttal costs for the latter destgn concept will be mtnimal sfnce
only rddlttonal plplng and valves will be rqulred. Both changes may be
rccannodated as backftt aodtflcations for lnost operating plants. Only in the
sputflc case noted above (unit CST cross-connuttons) will there be any
ps+,mrial tmpact on ext sting safety or regulatory rqutremcnts.
3.10.1 Concept
Thi s concept tnvolves providing swtng-load capabil f ty for the
mtor-driven auxtltary feedwater (WW) pump tn AFU system arrangements uttlizing
only a stngle motor-driven pump. '
3.10.2 Source
This concept was t bent1 fled by SAI as a means for increasing the
difficulty of sabotaging the power supply to a lone motor-driven pump.
3.10.3 Advantages
The advantage of this concept is that a lone motor-drlven ARI pump can
ruetve AC power from efther a 'normal' Class IE bus or a 'backup" bus.

3.10.4 Olsadvantages
No disadvantages have been f dent1 fled for thi s concept.
3.10.5 Discussion
Auxiliary feedwater systems are found in a nunhr of pump
conffgurations. For example, one system may utll Ire two 50% turbine-driven and
bfa 50% motor-driven pmps. Another sysm my utllize one 100% turbine-drfven
and two 50% motor-drfven plrmps. The model plant of Reference 3 utllfzes one 100%
turbfne-driven pump and one lOCZ mtor-driven pump. For configurations utflfzfng
a 'sfngle 100% motor-drf ven pump ft'f s suggested that the pump be designed as a
swfng-load. That is, the pump motor should have the capabfllty to receive power
from el ther of two mrgency power trains. This desfgn concept does not present
any significant problems for either new or operating plants as third-of-a-kfnd
pumps (e.g., the thfrd high pressure safety injection and chargtng pumps of
Reference 3) am deslgned with such capabl I f ty. Tht s concept will result in some
additional costs for both new and operatfng plants. The necesscry modlflcatlons
may be accomplfshed at operating plants during an appropriate unit outage.
3.11 ADDITIONAL LOCAL AFUS INSTRUMENTATION, CATEGORY 111
3.11.1 Concept
This concept fnvolves providfng an expanded set of local instruments to
permit local manual control of the steam turbine-drlven AN subsystem.
3.11.2 Source
This concept was identified by SAf as a result of work performed under
Sandfa contract SLA 07-9866.

3.11.3 Advantages
The advantage of thls concept is in the capability for operating the
MU system in a controlled aanner followfng a loss of all electrical power (AC
and DCI .
3.11.4 Di sadvantages
The disadvantdge of thls concept 1s in the cal ibration and maintenance
nquiremnts associated *I th additional instrumntatl on.
3.15 Discussion
If a loss of a11 AC and DC power were to occur as a result of sabotage
actions. reactor heat removal 'is still possible via the steam turbine-drlven AFU
subsystem. However. sfnce a loss of DC power results in a loss of remote
(control room) indication and remote-manual control capabil 1 ty. this system wo~rld
have to be operated ~anuslly at the appropriate locations. To assure successful
operation of the system under these conditions requires an expanded set of local
instruments to provide the operator(s) dth the necessary system performance
infomation. If an emergency source of DC power cannot be assured under all
conditions, then it is suggested that such local instrumcntatfw be provided. It
should be noted that emergency lighting and canrmnications will be required. and
spec fa1 operating procedures for coordinating plant control activities may a1 so
be required under these conditions. The costs assodated dth the concept will
include instrunentation costs and any costs required for additional emergency
1 ightfng and comnfcations. if existf ng facilities are not adequate. This
concept may be accmdated at operating plants during an appropriate unit
outage.

3.12.1 Concept
Thls concept Involves substl tutlng M: rotor drlvers wherever AC motors
m utllized to support operatlon of the turblm-drlven AFU subsystco (e.9.. lube
3.12.2. Source
This concept rrs identlfled by SLiI a a mans for fnceasfng the
dlfflcul ty of sabotaging the auxll lary feedwater system.
3.12.3 Advantages
The advantage of thls concept 1s that the long-tern avallabllity of the
turbfnt-drlvtn At3 subrysta 1s not de$wIdent upon AC power avallabllity.
3.12.4 Disadvantages
No disadvantages have been ldentlfled for thls concept.
3.12.5 Of scusslon
I 7 %
The auxlllary feedwater system Is deslgned to pmvlde dlverse and
lndepcndtnt means of dellverlng emergency fetdwater to the steam generators. One
of these mans generally operates Independently of AC power arailabillty by
utilirlng r stem turbine to drlve m auxlllaty fec6*ater pump. However,
c~nfcatlons wlth persons In the nuclear Industry lndlcated that some
turbfne-drlven N3 subsystam apparently utlllzc AC motor-drlven lube 011 pumps
for bearlng lubrlcatlon. Such an arrangement may not ptnlt extended
operatlon followfng r loss of a11 AC power. It 1s therefore, suggested that a OC
motor drlver be utllized to pmvlde the requlred motlve force in a pumped system.
If the bearfngs are not heavlly loaded. then a more appropriate lube 011
arranqmmt to utlllrc is the flng-olllng system of Ffgure 2-6. Efther concept
will assure the avallabllity of an AFY pump folloufng a loss of all AC power.

For operating plants which utilize pumped lube oil. the easiest solution is to
replace the lube oll pcrmp AC motor wlth a DC motor. This my be accarpllshed
durlng m rppmprlate unit outage.
3.U ELIMINATION OF AfY TURBINE PUMP RWM STEN! LEAKAGE. CATEGORY I11
3.13.1 Concept
This concept lnvolves piping AFU turbine gland seal leakage out of the
turbine pump room in order to minimize heat rejection to the toa envlmnment.
3.13.2 - Source
This concept ws identified by SAI as r means for irlnlmlzlng the
dependence of long-tern turbine-drfven #U operation on the availablllty of
ruxil lary support systems.
3.13.3 Advantages
The advantage of this concept 1s in the reduced dependence of long-term
rvallability of the turbine-driven S\FY subsystm on the avallabll ity of the pump
ma enbrrgency ventilation system.
3.13.4 Disadvantages
No dt sadvantages have been idtntl fled for thl s concept.
3.13.5 Of xusslon
There is a potential impact of elevated room temperatures on
temperature-scn~itive instrunentat ion and control equi pent. Such a
condition may result fra a loss of ma ventilation cooling. his is of
particular concern in the case of the turbine-driven AFW p w roam where
steam leakage MY Cause not only increased room heating but also condensation
on electrical and electronic equipnent associated wlth operation of the

. .
. ..
:
. ~ , ,
, . .
turbine-driven pump. It is, therefore. suggested that potentla1 sources of stem
leakage (e.g.. from the turblne gland seal) be provided with the capability for
Stcam ~01ltctl0n and muting outside of the punp roor. This dl1 aid in
minimizing the consequences of a loss of room ventilation. 31s concept is
rpproprlate for new plant designs and as a backfit modification for operatfng
plants.
3.14 RELOCATION OF TJRBINE-ORIVEN MU W8SYST04 LOCAL !WSTRU#NTATION AN0
CONTROLS, CATEGORY I11
3.14.1 Concept
Thfs concept involves relocating tmperatur+sensitlve instrwentatfon
and controls outslde of the tutbintdrlvcn AFH pump room.
3.14.2 Source
This concept was ldentlfled by SAI as a means for minlmizfng the
dependence of long-ten turbine-driven
ruxllfary support systems.
operation on the availabfllty of
3.14.3 Advantages
The advantage of this concept is in the reduced dependence of long-tern
avallabitity of the turbine-driven 4cV subsystem on the availability of the pump
ma mergemy vcntllatlon system.
3.14.4 Ol sadvantages
Thfs concept will require add1 tlonal safeguards and posslbly ar
addl tlonal vftal area.

3.14.5 Discussion
As mentioned in Section 3.13 there is a partfcular concern wlth
elwated AFU turbine-pump tocn temperatures resulting froa a loss of roan
ventll ation. This concern can be alleviated by relocating temperature-sensitive
lnstruoentation and controls outside of the pump room. However, additional
safeguards protcctlon dl1 then be required for this equfpment since the pump
rooa safeguards dl1 no lontpr offer any protection. This design concept 1s
appropriate to new plant designs and ray be backfit into operating plants during
an appropriate unit outage.
3.15.1 Concept
This concept involves providlng DC motor or steam turbine drlvers for
turbine-drfven ARI pump roon emergency ventll ation fans.
3.15.2 Source
This concept was identified by SAI as a mans for eliminating a
potential sabotage mode for the turbin&driven ARI subsystem.
3.15.3 Advantages
The advantage of this concept is in the el imlnatlon of the dependence
of long-terra avallsbiity of the turbine-drfven AFU subsystem on the availability
of AC power.
3.15.4 Dl sadvantages
No dfsadvantages have been identlfied for this Coccept.

3.15.5 Dlscusslon
A potential problem has been identffied wlth regard to emergency
ventflatlon of the turbfne-drfven AFU p m mom. In .any cases such ventllatlon
depends upon the availability of emergency 480 VAC power. In the event of a loss
ot all AC power, turbfne p q roa ventflstlon capabilfty wlll also be lost.
This my impact thr long-tern operatfonal capabillty of the E U p\ap due to
elevatcd mom temperature as di~ussed prtviously. Therefore, it is suggested
that the turblne-driven MU pump toa mrgency vent11 atlon fans be pmvfded with
efther DC motor or stma turbine drfvers In order to ensure long-term turbine
pump avallabflity. Thls concept m y be backflt lnto optratfng plants by changlng
fan drivers durlng an appmprlate unit outage. It li assumid here that
sufficlent vital battery capaciQ exfsts to accomnodatt the addltionai loads.
3.16 INCR!XED ECCS SAFETI INJECTION TAM PRESSURE, CATEGORY I11
3.16.1 Concept
This concept fnvolves fncreasing the safety lnjectfon tank (SIT)
pressure to a level whlch is 'suitable for SIT use as a passlve emergency source
of reactor cool ant system (RCSI makeup.
3.16.2 Source
Thls concept was ldentlfled by SAI as a result of work perf~nned under
Sandla contract SLA 07-9866.
3.16.3 Advantages
The advantage of thls concept fs fn its capabillty to provide a passive
emergency source of RCS makeup following an extended loss of all AC power.

3.16.4 Dl sadvantages
The disadvantage of thls concept is that thlcker walled pressure
vessels would be required for the safety injection tanks.
3.16.5 Dlscusslon
The emergency core cooling system safety Injection tdnks (or
accwlators) of a PWR plant are deslgned to provlde a passive fast-actfng
InJectfon source for LOCA aftlgation. However. these tanks my also be su~table
. .
for providing a passive emergency source of reactor coolant system makeup
followlng m extended loss of all AC power. RCS nukeup is rqulred following
reactor shutdown due to contraction of the RCS water volume which results frm
system cooldom and now1 RCS leakage losses (e.g.. through reactor coolant pump
seals). Increaslng the safety InJution tank pressure m y permit utillzatlon of
this source of water in m emergency to keep the reactor core covered and to
lfait the size of the steam bubble rhich muld be fomed In the top of the
reactor vessel following the onset of saturation condltlons in the RCS when other
mkeup sources are unavailable. Such capability auld also provlde more tlme for
damage control actions and AC power restoration.
This concept w lll result In s w
additional cost for s new plant due to
the increased vessel pressure requirwnts. It Is not considered to be suitable
as a backfi t mdtffcatfon since it would require SIT replacement in operatfng
plants.
3.17 REDUCED LOCA POTENTIAL IN PVR RESIDUAL HEAT REMOVAL SYSTEM,
CATEGORY I11
3.17.1 Concept
This concept involves relocatfng the PWR resfdual
system fnside of the containment building.
heat removal (RHR)

3.17.2 - Source
This concept was Identifled by SAI as a means for ellmfnatlng the RIR
systea as a potentlal source for r LOCA outslde of contafmnt.
.' 3.17.3 Advantages
The advantage of thls concept is in the ellaination of the low pressure
RHR systea as r potentfal LOCA source outslde of contafnmcnt. It a1 so hardens
t RM system against sabotage due to the Inherent pmtectlon offered by the
containment bull ding.
3.17.4 Disadvantages
I
The major disadvantage of the concept is in the requirement for a
larger contalmnt buildfng or more congested layout of an exlstfng containment
buf l di ng.
3.17.5 . Dlxussfon
The residual heat removal (RM) system of a PUR plant is the vital llnb
between the hot and cold shutdown operating modes. This systen provides closec
loop heat rcmoval capability for the shutdown reactor by transferrfng heat fron
the reactor coolant to a cooling water loop vla a shell and tube heat exchanger
The RHR system Is designed for low pressure (400 pslg) operation and, as such
requfres that the reactor coolant system (RCS) be depressurized prior to RH1
actuation. The Interface with the high pressure RCS, therefore, makes the lot
pressure Rt67 system a potentlal LOCA source If an adequate pressure boundary I
not assured. The pressure boundary. In thfs case, Is provlded by a mlnfmum o
two isolation valves. of which at least one is located inside and one outside o
containment. The second (downstream) valve serves as the pressure boundary
Overpressure protection Is generally provided In the forn af valve interlocks,
pressure relfef valve, or a pressure reducing device. The minfmum requirement
for the overpressure protection of low pressure systems connected to the reactc
coolant system pressure boundary are glven by American National Standar
ANSIIXNS-56.3-1977 (N193). Since a valve interlock may be defeated by
saboteur, it is, therefore, suggested that one of the latter two devices t

utfll ttd f n the RHR suction 1 lne i nside contatnmcnt to prevent overpressuri zation
of the RHR system. None of these wchanlsms. however, prevent the loss of
primary coolant froa the RHR system due to a breach event during normal low
prrssurr RIS owratfon. If the suctlon lint valves have been sabotaged in the
Open pO~iti~n, then such a breach results In a LOCA. In order to eliminate the
pOtentI&l for Vlls arrangement to result in a LOCA outslde of containment, it Is
Suggested that consideration be gtven to relocating the RHR system inslde of
contrinment. It Is to be stressed here that the Intent of this change is not to
pr0vlde & hardened RHR system but only to mlnlmlte the system potential as a LOCA
Source outs1 de of containment.
The advantages and disadvantages of locating the RHR system inside of
Containment have been outlined and documentad previously in correspondence and
rctlng~ between Sandla and their Design Study Technical Support Group. and
therefore. do not need repeating here. The overpressurization pwtectlon
suggestion Is applicable to both new and operating plants. a1 though in the latter
Cast r substitute shutdown cooling system arrangement wlll be required in order
to perform the necessary mdificatlons. The relocation suggestion Is only
appllcable to new plant designs. It involves a conslderablc increase in capital
Costs which result frora thc need for a larger containment structure. It wlll
also have some impact on plant operations and maintenance since i t w lll require
containwnt entry for system access. On the other hand. It will Increase the
safeguardability of the RHR system due to the inherent safeguards protection
provided by the contalnwnt building.

UWfER 4
BUR DESIGN CHANGES
4.1 BUR PASSIVE RESIDUN HEAT REMVM SYSTEM, CATEGORY 111
4.1.1 C O K ~ P ~
Thts concept fnvolves provldfng a BUR resfdual heat removal (RHR)
system whtch operates in a natural ctrculatlon mode.
4.1.2
Source
This concept was fdentfffed by SAX as a means for tncreastng the
dffficulty of sabotaging the BUR RHR fumtton.
4.1.3 Advantages
The advantage of thts concept 1s that RHR system operatton is
independent of AC power avallabt 1 l ty.
4.1.4 Ot sadvantages
The folloutng disadvantages have bctn fdentfffed for thts concept, as
illustrated In Figure 4-1:
0 The system requfres a very large heat exchanger.
0 A large prfmry system effluent pipe nust exit the contatnment drywell
(prtmary containment tn Mark I and I1 desfgns) In order to provtde a
prtmary coolant flow path to the heat exchanger.

0 The heat exchanger shell provides a dfrect path to the atmosphere tor
reactor coolant in the event of a heat exchanger tube leak.
The heat exchanger must be located high in the secondary containment
building in order to achieve the proper natural ctrculatfon drtving
head. This locatton results tn poor seismfc response character1 sttcs
for the heat exchanger.
4.1.5 Discussion
The residual heat removal system of a Bk'R plant is a multt-operating
mode system. One of these modes provtdes closed loop heat removal capabilfty for
the shutdown, depressurized reactor by transferring heat from the reactor coolant
to a cooling water loop via a shell and tube RHR heat exchanger. The vapor
suppression containments utilized in BUR plants can provide short-term reactor
tieat removal via reactor coolant blowdown t o the suppressfon pool (or chanher), if
normal means of heat removal are unavailable. However, long-term reactor coolant
system (XS) makeup wter must be obtained from this same suppression pool.
Therefore, heat must be removed from either the RCS, directly, or the suppression
pool water in order to achieve long-tern reactor cooling and, ultimately, cold
shutdown conditions. In addition, suppression pool or RCS cooling must be
initiated within several hours for a BUR16 with a Mark I11 contalnment tn order to
prevent a sequence of events resulting in a core melt.
The availability of normal low pressure RHR cooling is dependent upon
the availability of AC power for both tube-stde and shell-side coolant pumping.
This, therefore, demands long-ten emergency AC power avatlabflity. Due to the
difficulties ir,volved in providing emergency AC power safeguards protection, tt
may be desfrable to provide a backup RHR arrangement whfch can operate under full
reactor pressure and which does not rely upon AC power avaflabfltty for system
operation. Such a system, known as an Isolation Condenser System, is presently
being utillzed in some earlier BWR designs (e.g., Oyster Creek, Millstone 1. Nine
Mile Point). Thts system. shown in Figure 4-1, provides a heat stnk for the
reactor durtng a loss of all AC power. The isolation condenser system operates by
natural circulation wtthout the need for driving power other than the DC
electrtcal system used to place the system in operation. The condenser conststs

Figurs 4-1. Isolation Condenser - Piping Diagram.

of two tube bundles imacrsed in a large water storage tank. idhen the isolation
condenser is in operation, steaa frcn the reactor flows through the tubes of the
heat exchanger, and after condensing, returns by gravity to the reactor. The
fsolation condenser is located high ln the reactor buildtng to facilitate natural
circulation. The valves on the steam inlet lines are normally open so that the
tube bundles are at reactor pressure. The isolation condenser is placed in
operation by opening the closed condensate return valve to the reactor system.
Thls 1s Qne automatically on hfgh reactor pressure or it can be done at any tfm
by manual control. The normally closed valves on the return line are DC operated
and remain available upon loss of AC electrfcal power. During operation, the
water on the shell side of the condensq .bolls and vents to the atmosphere whfle
condensing steam inside the tube bundles. Radiation mni tors and alarm are
provided on the shell vents so that in the event of abnorml radiatton levels,
the tube side of the heat exchanger can be fsolated from the reactor by closing
valves. Two isolation valves are provided in the lines connecting the isolation
condenser and the reactor. In each set of valves, one is located inside the
primary containment. and the other is located outside.
The water stored in the shell of the isolation condenser can be
supplemented by makeup from the condensate storage tank or from the statfon
flrewater storage tanks, via the condensate transfer pumps or by el ther the
diesel-dri ven or electric motor-driven firewater pumps, resputtvely.
Demineraltred water is supplied to the fsolatfon condenser shell for fill and
normal makeup. The capaci ty of the condenser uni t 1s equivalent to the decay
heat rate 5 minutes after scram and thereafter continuously reduces reactor
pressure as decay heat is removed. The mlnirmrn quantity of water stored fn the
condenser shell at all times is sufficient to remove decay heat for 30 minutes
without makeup.
This concept w ill result in a significant increase in capital costs for
a new plant. It is not a candidate for backfit consideratfons. The concept w ill
have no impact on normal plant operattons or maintenance. However, it will
requtre rut table safeguards, especially wfth regard to the condenser makeup
system.

CHCSTER 5
DAMAGE CONTROL ACTIVITIES
The damage control acttvt tles to be discussed below were all tdentlfied
8s a result of work perfornrd under Sandla contract SLA 07-9866. The intent of
these actlvftles is to efther aid dtrutly in the effort to achfeve a safe plant
shutdown condttton or to eatntatn a tenporartly stable condition in order to
provlde addittonal tlaa for -re ttme-consuming damage control acttvtties. These
act1 vltles wtll be dlscussed according to thetr plant appl icabil ity.
5.1 LK CENfRIC DAMAGE CONTROL
5.1.1 Olesel Fuel 011 Clskeue ,
As pointed out in Sectton 2.6, an emergency diesel generator fuel oil
day tank generally contains sufftcient fuel oil for 1-4 hours of continuous
dftsel Operatton. A long-term fuel oil supply is also available, generally in
the form of an underground storage and transfer system. In operating plants,
however, thts long-term supply, because of its location, is vulnerable to acts of
sabotage. Thus, to ensure the long-term availability of the diesel generator, a
source of day tank makeup uust be made available. This may involve the following
aeasures:
a Provtde onsite, sufficient spare parts to repatr a damaged fuel oil
transfer pump;
a Provide onstte, a portable pump to serve as a temporary fuel oil
transfer punp;
r Provide onsite, spare hoses and couplings to be utilized in bypassing
the normal fuel of1 transfer system;

0 Provide an offsite reserve supply of fuel oil which can be delivered to
the sfte by truck in an emergency.
The first and fourth items listed above assme that these activities can be
accomplished before the day tank capacity is exhausted. If the fuel oil transfer
pump is damaged beyond repair. then the first measure is nullified. The second
and third items assume the availability of the fuel oil storage tanks. If these
tanks have been destroyed, then these measures are also nullified.
5.1.2 Vital Area Emergency Cool in9
Vital area mergency cooling is required in order to ensure the
long-ten availability of systems and equipnent necessary to achieve and mafntain
a safe shutdown condition for the plant. Section 2.19 discussed potential design
n~odifications to enhance the safeguardability of the vital area emergency cooling
systems. However. it was noted in this latter discussion that cost or sizing
considerations associated with these changes may require an increase in the
maxinm allowable room or area temperature limits. In any event. emergency
cooling systems which depend upon external cooling water loops will be vulnerable
to sabotage of the cooling water system. Thus, it may be necessary to provide
makeshift rom ventilation in order to erlsure the long-term availability of vital
equipment. The following measures may be appropriate to this task:
0 Open vital area doors and station security personnel at the doors for
safeguards protection, and
Initiate area ventilation with portable fans.
In some cases. the first item by itself my provide adequate heat removal. The
second item requires portable fans, electrical extension cords and appropri ate
sources of power which are strategically located for this purpose.

L1.3. DC Load Shedding
The vital UC battery capacity varies from one plant to the next. but fn
some cases may be as short as 90 minutes. These batteries supply powcr for vital
instrumentation. DC powered equipment. and vital AC power circuit breaker control.
In. the event of a loss of all AC power. DC power is required to maintain a safe
plant condition. This is accomplished in a PWR by the operation of the DC powered
Auxiliary Feedwater System, and in the case of a BUR by the operation of the DC
powered Reactor Core Isolation Cooling System. The vital batteries maintain powcr
continuity until a source of AC power can be restored. The specific battery
capacity at d given plant provides sufficient time for restoration of AC power in
the case of random AC power failures. , for sabotage events. however, it may be
. . .
necessary to provide extended DC power capability. One way in Hhich this may be
accomplished is to shcd individual loads from the DC distribution system. This
operation will reduce the total current load and prolong the useful battery life.
In some cases, the vital backup power supply. which provides 120 VAC powcr to
safety-related instrumentation via an inverter, may account for as much as 86: of
the total DC load. Thus, if a sufficient amount of vital instrumentation can be
shed. a significant increase in battery life may be realized. It will be
necessary to first detsrmine which vital instrunentation loads can be shcd, based
upon the plant condition. A special proccoure will a1 so be required for the load
shedding operation. In addition. appropriate equi pent. such as jumper wires or
fuse pullers nay need to be readily available.
5.2 PWR DAMCE CONTROL
5.2.1 Auxiliary Feedwater System Local Control
Auxili~ry feedwate; system (AFWS) actuation. following any event
resulting in a loss of normal feedwdter flow. is aut0ma:ic in some PWR plants, but
requires operator action in others. In addition, there are one or more areas from
which an operator has rzmote system actuation and control capdbil ity. llowevcr. in
the event of a loss of all AC and DC power. this sytem would have to be actuated
and controlled locally in order to remove decay neat from the rractor coolant
system. Such actuation of the steam turbine-driven ATW subsystem, under these

condtttons, is a straightforward matter of opening the approprtate steam and water
supply valves. Establ ishtng local control. however. may require addttlonal local
lnstrumentatton for monitortng system performance. as well as appropriate
emergency ltghttng and carmuntcattons. Even if DC power is not lost tmnedtately,
the station batteries can only provide ltmited power (tn sane cases, no longer
than 90 mtnutes) for remote indication and control capabtl tty. If AC Power Cannot
be restored withtn thts time, local actuatton and control of the AFWS will need to
be cstabl ished. In additton, spect al operatt ng procedures for coordt natl ng plant
controls would be wquired.
5.2.2 AFWS Cooldown Control
AFWS cooldown of the reactor coolant system (RCS) in the absence of AC
power was investigated el sewhere. Here it was found that cooltng down the RCS
wtll empty the pressurtzer due to RCS shrinkage and the unavatlabtltty of RCS
makeup. which requires the avat 1 abtl tty of AC power. Emptytng the pressurizer
results in saturatton condittons wtthin the RCS and boiling in the reactor core.
Therefore. cooldown control must be establ t shed fairly quickly, espect ally where
AFW actuatton is automatic. in order to terminate the cooldown and delay the onset
of RCS saturatlon followtng a loss of all AC power. Cooldown control may be
established by any of the following means:
Atmospheric steam dump valve modulation
AFW pump discharge valve nodulatton
AFW pump startuplshutdo~m control vta stop valve openlclose operation
Turbine throttle valve mdulation
Each of these actions can be performed from the control room, and the first three
can also be performed from the remote shutdown panel. In addition, local control
capabil t ty should be available for the latter three. Special operating procedures
may be required for local operatton.

5.2.3 Enqcncy Feedwater (Condensate) Makeup
As dtscussed in kctton 3.9, r typtcal setsmtc Category I condensate
storage tank (CSf) has r capactty for 150,000 to 200,000 gallons of
condensate-quallty water. Thts Is sufftclent for rpproxtmately 7 to 13 hours of
extended hot shutdown AWS optrrtton dependlng upon the operattng strategy
amployd. In the event of r loss of all AC power, the shutdown cool tng, or
rest dual heat removal, system d l1 be unavallrble. Therefore, lf cold shutdown
condlttons cannot be rchteved. tn a timely manner, It may be necessary to provide
C n rkeup ln order to ensure extended hot shutdown operating capablllty. Thls
cm be Wompl t shed 4th rvatl able onsfte water supplies such as dent neral tzed
Water or flre water. If such r CST makeup arrangement, complete wlth ptptng
connecttons, does not rlready ext st, then approprtate procedures and equl pawnt
should be avrflable to provtde adequate makeup capablltty. Onstte equtpmnt
rrqutred for thts operatlon includes span hoses and coupltngs, and a portable
p~p (or pumps) and fuel supply.
S.z.4 PUR Operatton wtth Reactor Vessel Steam Bubble
If a stem bubble is formed In the reactor vessel head followtng a
sabotage event, a suttable operatlng strategy must be developed in order to
prevent the steam bubble fmm expandtng In slze to the pofnt *here the natural
ctrculatton flow path from the reactor core to the steam generators is
interrupted. Such a strategy wt11 Involve RCS heatup/cooldown and makeup
conslderattons. It should be noted that the coordfnatton of the RCS heat rmoval
and makeup acttvtttes may require addtttonal instrumentation for monttorfng the
reactor vessel water level.

REFERENCES
'''power Plant Insulatton," Power Engincertnq. June 1979.
March 21. 1YIY).
'p. Lobner et al.. The Pressurized Water Reactor--A Review of a Typlcdl
Combustion Engineering PWR Plant. SAI-013-79-626LJ (La J0lld: Science
Applications, lnc., March 23. 1979);

ADDENDUM TO APPENDIX E
EVALUATION AND SUMWRY OF
DESIGN STUDY TECHNICAL SUPPORT GROUP COMMENTS
.. prepared by
D. M. Ericson, Jr.
Sandta National Laboratories

Introduction
EVALUATION AND SUMMARY OF
DESIGN STUDY TECHNICAL SUPPORT GROUP COWENTS
In the course of this study, the Design Study Technical Support Group
(DSTSG) had an opportunity to review, evaluate, and cment on the various design
proposals. In the early part of the program, a substantial portion of this review
process occurred during two meetings established especially for that purpose. The
results of this review process with the DSTSG are reflected in the documentation of
many of the design proposals (see Appendix D). In contrast, the work discussed in
Appendix E was initiated later in the program, and it was impractical to meet with
the DSTSG for a full review. However, the material in Appendix E was provided to
some members of the DSTSG, and their camnents were solicited. This addendm
sumnarizes the rep1 ies and docments the subsequent evaluation.
There are differences in character between the design changes discussed in
Appendix D and these discussed in Appendix E. These differences arise frun several
causes. Many. if not all, of the "historical" design suggestions included in
Appendix D have appeared in other material and have often been discussed in open
forums. In contrast, these suggestions in Appendix E, which arise from particular
Department of Energy (DOE) programs. have had only 1 imited public exposure or peer
review. The design changes outlined in Appendix D generally emphasize protection
against radiological sabotage, whereas those derived from the DOE programs emphasize
chanyes that compensate for, or reduce reliance upon, systems nhich may be
unavailable due to sabotage. Therefore, when evaluating this latter group. a
slightly modified perspective must be adopted.
A tabulation of the design changes suggested in Appendix E is presented in
Table A-1 (adapted from Tables 1.1 through 1.12). If this tabulation is compared to
that in Appendix D, the difference in perspective is readily appJrent. For the most
part. the plant layout modifications in Table A-1 reflect increasing protection,
while the system design changes reflect and tend to emphasize (1) reducing
vulnerability by decreasing the requirement for mu1 tiple systems (e.g., changing

tdtetjur~zdt~on of Ueslyn Alterndtlves Drrrved
frud Sdfeyudrds Studlrr
Cdteyory Tltle No."
., - I
n Incrense protected dlesel fuel oil supply (2.6) C
10
-.m 0- O -- - Hwise drrrrl buildlny ldyout (2.7)
I1
a * IVU
- Helocdte HllRS insldr contdlniwnt (3.17) !2
I
C 3.- C
Provide ac power su~ny-lod cdpdblllty (2.1)
-
e .~ 1 I
Ft'uvide swltchqtaar nnd WCL~ enclosures wit.h lntrrrrdl
clrcult bredher trip (2.Z) 1 Z
Hcvlse vital clectr~cdl area cool lr~y drranywien?~ (2.3) 13
I'rovlde vl tal dc power cross-cont~ectlons for 111ul tilrlt,
unit srtcs (2.4)
Arvlsr diesel erlqlne cool lny drrdtlywiwnt (2.5)
14
!ncredse s:dtlun batf.ery capdclty (2.8)
Provldc dC load-~heddlng ~dildblllLy (2.9)
Prcvlde Cl~ss If dc division cross-connccticns (2.10) 18
I'ro.,de extended dc power yenerdtion cdjrdhil ~ t y
durlny !,tdtion Dlncko~it (2.11) 1 9
Prwlde consul ldation (co~imon lucdtlon) of sdfetyr~ldtcd
instrffl~lent~tlon trdns~ultterr (2.12) 20
Vruvide dddltlofidl lacdl-rnnote indicators for pldnt
eq~r 1 ix~lent (2. 13 ) 21
Hedrrdngr lnstrumentdt Ion CJblnetS to IIII~IIIIII ze
pdnel-front controls (2.14) 22
M[~dlfy 5lilal I-dlalllcter pipewdy to hlyhw schedules and
all-wclded construction (2.15) 23
Mdxlllllze use of enclosed ~r~oduldr co~l~ponrnts (2.11) 25
Provide localized cool lnq for vital pumps and
lllotors (. . 18) 2b
d The ntn:lherlng in this tdnle continues fran that In Table 4-1 in Volu~iw 1 (Idble 2-1
in Apprndlx 0) for convenience in later discussior~s.
b~ach nunlber in parentheses is the sectiorl of the description in Aplleudix E.
C~~~ = nntor control center.

Table A-1 (Continued)
Cdtryorlzntion of Deslyn Alterndtives Derived
frwu Safeyudrds Studies
Cateyory Tltle No.
- C)
B I nar.urd1
-0- -- v *
4- l
d~~~~ a duxilidry feedwater system.
Heducr ~ l t d dred l c001iny drpendence 011 dCtlVC SyStL'lllS
(2.19) 2 1
Pruvldt. d Cldss li dual1 idry stem turbine+yCnerdtor
(3.1) 18
-
Proviae Cldss 1E power to pressurizer hedtCrS (3.2) 29
Add dddltlondl Insulation to pressurizers (3.3) 30
I'r~vlde redc~or vessel water level instru~~~entdtion (3.4)
Frovrdr cdpdbtl ity to remotely vent reactor vessel
31
h~dd (3.5)
Provide dc 11totor dctudtors to redctor cooldnt ~UIIIP
32
seal leak-off rsolatron vdlves (3.6)
Provlde pdrdllel dnd independent valves in pressurizer
33
dux~lidry spray. line (3.7) 33
Pr6,:de
d
dutolnatic dctuation of AFWS (3.8) 35
Provide eapdndcd supply of onsite emergency feedwdter
(3.R) ,JD
Provide swing-ludd cdpdbillty for 111otor-wivtn AFW ~UIIIP
(3.10 ) 37
I'rov lde expdnded set of local instrun~ents for l~idnual
control ot stcdln t~rrbrne AFW pullil) (3.11) 38
Provldc dc fllotor drivers for slotor-driden lube oil
p~~rnbls un stednl turbine (3.12)
Pipe gland seal leakd

diesel cooling. uslng passive lubrication); (2) providing a1 ternate means ta
accorrpl ish sane functions (e.y., power cross-connect~ons. swing-load capabil I ties);
and (3) mitigating the effects of sabotcgins some given equipment (e.g., increasing
Station battery capacity, reactor head venting, dc power generation capabil lty).
The fol lowlng section summarl zes the cments received from members of the
DSTSG, and the subsequent section provldes an overall evaluation of these potential
design changes.
Surmary of DSTSG Cments
This summary is based upon written cments s~ibmltted by various members
of. the DSTSG. In sane instances, several coments were received; in other
instances, only one. The summary attempts to reflect this variation through the
choice of language. The author accepts all responsibility for the interpretation of
comments. because this was not an iterative process such as an open meeting would
allow. Changes are discussed here in the sam2 order in which they appear in
Appendix E; where there were no comments, the change is omitted in this adderldum.
2.1 AC POUER SYSTEM SUING-LOAD CAPABILITY -- Concern was expressed about
how this meetslf its er ]sting separation criteria and about the potential for
introducing a new point of vulnerability or comnon mode failure, that is, the
transfer switch. It was pointed out that Regulatory Guide 1.75 does not allow such
an approach at present. Several reviewers also comnented upon the need for sensing
equipment, porter interruption devices, and multiple switches. It was a1 so pointed
out that procedures would be required to prevent transferring bus-disabling load
faults.
2.2 SW ITCHGEAR AND MCC ENCLOSURE INTERNAL CIRCUIT BREAKER TRIP
CAPABILITY -- Several reviewers were concerned about the safety aspects of opening
an enclosure containing energized systems in order to manually trip breakers. At
least one reviewer indicated that the costs of backfitting such a capability would
not be minor.
2.3 VITAL ELECTRICAL AREA REVISED COOLING ARRANGEMENTS -- One reviewer'
suggested that it would be better to design equipnent needing less cooling than to
attempt to revise the manner in which room HVAC is handled. Several reviewers
questioned how serious a problem heating really is, that is, how rapidly do these
compartments heat up, and h a t are the actual equipment heat tolerances?

. ,
2.4 MULTIPLE UNIT V;lAL kC LRUSS-CONNECTIONS -- It was pointed out that
there is a potential in such an arrangement for increasing vulnerability because of
the comnon point or points of cross-connection. Also, there would be a coord1narlon
problem for sites having separate control rooms. It was also pointed out that, in
light. of events at Three Yile Isldnd. there is a great economic incenttve to keep
multiple units on a single site truly independent. One reviewer comnented that it
may be more effective to provide a larger battery-powered motor-generator set to
ensure longer operation hile repairs were being made on damayed equipment.
2.5 DILSEL ENCINE REV:SED CDOL~NG ARRANGEMENT -- though such an
. ,. .
approach .is feasible in future design, some question was raised as to its worth
considering that there are still many systems which require .service water for
cooling.
,. 2.6 INCREASED PROTECTED DIESEL FUEL OIL SUPPLY -- Concern was expressed
about the lncredsed potential tor fire problems and damage with the presence of
larger day tdnks. Also, there was ccncern expressed about the reliability of fire
.. ,
separation when cross-connectior~s exist in a flanm~ble system. It was also pointed
, ,
out, that a buried tank may well be better protected than it would be if it were in a
building.
2.8 INCHEASED VITAL BPTTERY CAPACITY -- It was noted that such a concept
not only would increase bdttery maintenance with its dttendant costs but would also
requi;e mre spdce. servicing equipment, and ventilztion. A1 though one reviewer
believed this change might help if ?he goal was to survive station blackout., another
cmlented that, if damage could not be cguntered in 1 to 2 hows, it probably would
require 1 to 2 days. Furthennore, it was noted that some sites already have the
largest battery available.
2.9 DC LOAD SHEDDING CAPABILITY -- One reviewer conin~ented that as an
operator he did not like the idea of deenergizing redundant equipment. There is an
obvious safety implication, and dropping redundant indications is certainly Counter
to recent trends.
2.10 CLASS 1E DC DIVISION CROSS-COtiNECTIONS -- It was noted that.
although this arrangement exists to sme extent. it does not really benefit sabotage
resistance. The loss of one dc channel is not a major problem. Also, several
reviewers pointed out that this was similar to 2.1 in that there is a potential for
Increased vulnerability and sensitivity.

2-11 EXTENDED DC POWER GENERATION WABILITY DURING STATION BIACKOUT --
Using steam
.
as the motive force would require bringing NSSS steam out of
conta~nnent a measure hich muld then require appropriate is01 at1 on and protection
to avoid introducing an added vulnerability. (It was also pornted out that the
steam generators my be failed and isolated, and if so. there is a strong
possibility of a major release of radioactive material.) One reviewer suggested an
air turbine prlme mover.
2-12 CONSOLIDATION Of SAFETY-RELATED INSTRUMENTATION TRANSMITTERS --
Athough this could potentially reduce the envirormental qua1 if ications needed On
individual equi pent via revised packaging. such combined packaging could make
routine surveillance more drfficult. There is also the inherent problem of putting
everything in one place; i.e.. if you lose one, you lose all.
2.13 ADDITIONAL LOCAL-REMOTE INOlCATORS -- There is always a questicn
about adding monitoring points; does this measure add points of vulnerability?
Minimizing the "need" to enter vital areas may not make them less vulnerable. That
is. unauthorized tampering could go unnoticed longer. Furthermore, there is a
strong feeling that no system is as good as man's multiple senses. the operator's
"feel' for the way things are operating, which requires that he visit vital areas on
a regular basis.
2.14 REARRANGEMENT OF INSTRUMENTATION CABINET PANEL-FRONT DEVICES -- One
reviewer corrmented that calibration frequency is much greater than suggested in
Appendix E. Generally, calibration occurs quarterly. with some occurring even
weekly and monthly. Also, cabinets must still be accessed to maintain the
instruments.
2.15 SMALL-DIAMETER PIPING MODIFICATIONS -- Some concern was expressed
about the impact of this change upon safety via the effect on maintenance
activities. Also. the capital and maintenance costs may be higher on all-welded
piping.
2.16 COMPONENT PASSIVE LUBRICATION -- Although such techniques sound
pranising, there is cmsiderable question about the availability of qualified
equipment which uses passive lubrication.
2.17 MODULAR COMPONENTS -- It appears that new development and
qualification for nuclear service would be required. Certainly such units would
have higher capital costs. Also, in some respects, reduced or restricted
surveil lance may be viewed as disadvantageous.

3.1 CLASS 1E AUXILIARY STEAM TCRBINE-GENERATOR -- This approach may
reduce dependence upon short-lived dc power sources; however, it also raises
additional questions. The additional penetrations to the NSSS and the added
equipment may introduce new vulnerabilities. Additional surveillance and
maintenance activities would be necessary for this new equipient, thus increasing
costs and operational complexities.
3.2 CLASS 1E PRESSURIZER HEATER WWER -- Similar ideas are being
exazined as part of the post-TMI activities. However, this change is aimed at
providing the capability without upgrade to Class 1E. Pressurizer heaters are
non-Class 1E and. therefore, trip out on LOCA under existing procedures.
3.3 ADDITIONAL PRESSURIZER INSULATION -- Most cments expressed the
view that this approach offers little benefit. Radiation losses for the pressurizer
are not dominant mechanisms, and other reactor coolant system losses must be
considered.
3.4 REACTOR VESSEL WATER LEVEL INSTRUMENTATION -- Considerable concern
was expressed about the reliability of differential pressure measurements.
especially where the potential for voiding the reference leg exists. Any
penetrations of the reactor pressure vessel below fuel level must be viewed with
caution. Also, if the makeup/charging system is inoperable, merely knowing the
cooling leve! will not help control that level. Also, for PWRs, there is no way to
ascertain during normal operations that the system is functioning. i.e.. there is no
water level, because the primary is solid except for the bubble in the pressurizer.
7.5 REACTOR VESSEL HEAD VENT -- Current emphasis is on reactor vessel
venting to control hydrogen buildup. If the objective is to vent steam to ensure a
solid primary, there is a possibility of the flashing of additional water to steam,
unless the intent is to depressurize to the point at which the low-head ECCS pumps
could be employed. With vents large enough to accomplish that amount of
depressurization, the potential for inducing a LOCA must be considered. It should
be noted that natural circulation is not lost merely because there is a steam
bubble.
3.6 REACTOR COOLANT PUMP SEAL CONTROLLED LEAK-OFF ISOLATION VALVE
ACTUATOR -- Normal seal leak-off across seal No. 1 i s about 3 gp. If isolated, the
full 2000-psi pressure drop would exist across seal No. 2 which could have up to a
12-gpn leak rate. Therefore, such isoiation has a potential for increasing leakage.

Such fsotation could potfntial ly cause seals to fail, thus removing the main coolant
pump, which would be detrimental to overali safety.
3.7 PARALLEL AUXILIARY SPRAY VALVES -- A more extensive system is needed
than that described to ensure availability. There is also a question about the
detailed hydraulic behavior of such a system. Usually the power-operated relief
valves, rather than the auxiliary spray, are the backup system. Also, the auxflidry
spray should not be used unless let-down flow exlsts (which is not redundant).
because the cold auxrl~ary spray is a thermal shock on the nozzle and pressurizer
she1 1.
3.8 AUTOMATIC AUXILIARY FEEDUATER SYSTEM ACTUATION -- Th~s mechanism is
now being Installed as a result of TMI; as required by NUREG-0578.
3.9 INCREASED EMERGENCY FEEDUATER SUPPLY -- It can be argued that plants
have ample water avdilable now. The water may not all be demineralized, but
f ire-extinguishing water. we1 1 water, etc., should be avai 1 able. This approach a1 so
assines that steam generators are available as heat exchangers. An ability to go
closed cycle on the sec~ndary side may be potentially mcrre valuable.
3.10 AFWS MOTOR-DRIVEN PUMP SUING-LOAD CAPABILITY -- A question arises as
to whether or not s w i q capability introduces additional vulnerability. However, if
suitably isolated, this capability could be ar, acceptable short-term solution.
Implementation at existing plants would be expensive and time consuming.
3.13 ELIMINATION OF AFU TURBINE PUMP ROOM STEAM '.EAW\GE -- It must be
kept in lnind that main steam is potentially radioactive; therefore, it cannot simply
be vented. The condensate must be collected and retained.
$';
:;
3.16 INCREASED ECCS SAFETY INJCCTION TANK PRESSURE -- Some concern was
expressed that this change put,s another source of overpressure events into the
plant. Higher pressure means that isolation valves are required. which in turn
means that the valves are no longer passrve. Also, such a concept must be coupled
with a coolant system blowdown valve to reduce pressure so the SI tanks can inject
3
water (unless the tanks are above 2500 psi). Although the -1000 ft of water in the
tanks ls helpful in LOCA witigation, the use of this water would not extend core
uncovery for any appreciable period of time.
3.17 REDUCED LOCA POTENTIAL IN PWR RESIDUAL HEAT REMOVAL SYSTEM -- Moving
RHR into contalnmerlt would introduce considerable difficulty into test and
maintenance activities. Also, for post-accident situations, containmcnt

envirorments. with the presence of steam, radiation.
severity of the environments could preclude any
High-pressure RHR systems might otfer more benefits.
Preliminary Evaluation of Design Changes
etc.. may be very severe; the
sort of reliable operation.
A sumnary of the initial findtngs on the 37 suggestions in Appendix E is
presented in Table A-2. This sumary represents the author's evaluation of the
available information. Again, it is stressed that these concepts have not been
discussed in an open forum. and only the written comnents of the DSTSG have been
used to assist in the evaluation. In Table A-2. any option which has solid circles
in. .ev.ery. column would be considered prani.si ng.
Several general observations on. these initial findings are -in order. For
the most part. the suggestions are considered feasible and state of ,,p,he art. Some
will require additional examination 0f::feasibility in light of other constraints.
, ,
For example, placing circuit breakers inside cabinets may introduce personnel safety
! ! !k,
concerns rhich would require resolution. and increasing the battery size may or may
not be feasible because sme baKteries, already are the largest available. Other
,! '. ,\
suggestions may or may not be feasible ,depending upon electric power availability
:; ,:,:.\!
and other factors. For application in ~:.n~yclear power plant. some suggestions would
,..*
require hardware development and certj,f!,cation. such as passive lubrication in
safety-related pumps. A1 so. these [d;lggestions in general have significant
; ., I!$
dependence upon other systems, which reflects the provision of a1 ternate means or
1 ",ji
mitigation of effects discussed earlier, Finally. as a general point. these
suggest~ons do not have as many side , benefits;
, but this lack of 'iide benefits
,. . J!.,
reflects the perspective of thr DOE studi$s (i.e., emphasis upon safeguards) and is
not nece:sarily a detriment to their uset,: I
Six of the changes appear t~!
, . have significant potential for improving
sabotage resistance (11.12; I11.15, 23, ,. 26, v 27; and 1V.j). Unfortunately, there are
some major impacts associated with most 'of these concepts. For example, moving the
i :
RHR into containment wi 11 require 1 aiger containment structures with attendant
r q :8itil
costs; maintenance will be more difficul t; and irliitional equipment wjll have to be
qua1 ified for post-LOCA environments. , Similarly, adding a passive decay heat
removal system for boi 1 i ng BURS invol vesi capital expense and introduce? maintenance
3
and operational problems. Nevertheless, both of these design changes (11.12 and
IV.3) have been selected for additional analysis and concept development because of
their potential benefits. Although revisions to cooling schemes appear to have some

pranise (111.15, 26. 27). they will not be pursued further. The incorporation of
these concepts will not eliminate any of the Type 1 vital areas usually identified
in the sabotage fault tree analysis. One concept (11.23) would appear to carry such
significant impacts for operations and maintenance that it has been dropped fran
further consideration.
A considerable number of these suggestions do not appear to directly
affect the sabotage resistance of the plant, although they may have potential or
prwnise for recovery and mitigation. mis list includes 111.11, 21, 29. 30, 31, 32,
33. 34, 36. 37. 38. 40. 41. and 43. Providing other sources of Class 1E power,
a1 ternate instrunentat ion, dc-driven valves, etc.. does have some effect upon the
way systems can be used. but such modifications do not directly affect sabotage
resistance. Also. in some instances, there are significant impacts. For example.
additional remote indicators would require maintenance (I1 1.21). and isolated seals
(111.33) could add problems by placing additional burdens on remaining seals.
The remaining 17 suggestions may have sane potential for improving
resistance to sabotage. but their potential is not well defined at this point. In
addition. most of these suggestions cawy impacts which cannot be ignored. For
example. providing cross-connections (I 1 I. 18) may provide additional sources of
power but, at the same time, introduce single points of vulnerability or
unreliability. Adding something like a Class 1E auxiliary generator (111.28) will
add to system canplexity and capital costs.
There are some capabil ities here that already are being included in plants
for safety reasons. based upon the events at Three Mile Island. Unit 2. These
capabil ities include additional emergency power to pressurizer heaters (111.29).
ad$itional instrumentation to detect inadequate core cool ing I I and automatic
initjation of the auxiliary feedwater $stem (111.35). Because these capabil ities
are ~, .. required for other reasons, they exist (or will exist), and no further analysis
solely for safeguards effectiveness is necessary.

NUCLEAR POWER PLANT DESIGN CONCEPTS
FOR SABOTAGE PROTECTION
VOLUME 11, APPENDIX F:
DAMAGE CONTROL AS A COIJNTERMEASURE
TO SABOTAGE AT NUCLEAR POWER PLANTS*
FINAL REPORT
International Energy Associates Limited
Washington, D.C. 20037
April i980
*Volume 11, Appendix F, contains work performed uncic*r Sandla Con-
tract No. 17-9129 for Sandia 1.ahoratories.

Danaqe Control as a Countcrmeasurc
to Sabotagc at Nuclear Power Plants

Table of Contents
List of Tables
List of Figures
TARI,E OF CONTENTS
1.0 INTRODUCTION
1.1 General . . ,.
1.2 Definition of Damaqc Control
1.3 Purpose
1.4 Approach
2.0 SUMMARY
2.1 Ihmage Control Actions
2.1.1 Grrrera 1
2.1.2 fjot Shutdown Act-icns
2.1.3 Col rl Sh~it.down and Refur l inq Ac,t. i(>ns
2.2 Avai lahln Time Constraint on i)arr.agtu
Control lability
2.2.1 Available Time C.alculntions
2.2.2 Loss-of-Coolant Kvcnts -- Availah1 t? 'rime
2.2.3 Rcact.or Trip Assurance -- Av,ii l ;tt)lc! Time.
2.2.4 Reactor Vrsse 1 Decay cat Hcmova 1
2.2.5 Spent. Furl Po-1

LIST OF TABLES
Available Time Bounding Case Results
Summary of Damage Control Options
Availab?e Time Case Selection Summary - PWR
Available Time Case Selection Sumary - BWR
PWR Results Summary
RWR Results Summary
Time Line Response Times: Summary and
Comments
Equipment Required for Damage Response
Sabotage Time Line Resul t,s,Summary
. ..
Normal Systems
Chemical and Volume Control Systems, Summary
of Support Requirements
Auxiliary Feedwater & Safety/Relief Systems
Summary of Sllpprt Requ~remants
Safety Injection System, Summary of Support
Requirements
Main Feedwater System, Summary of System
Requirements
Essential Service Water (ESW) System, Summary
of System Requirements
Class 1E Electric Distribution System - 4160
VAC, Summary of System Requirements
Component Cooling Water System, Strmmary of
Support Requirements
Norma? Systems
RI.. ar Core Isolation Cooling (RCIC) Systcm
. . d.-:c,try of Support Requiremml.6
Iliqh i.!.essurs Coolant In jectiolt (t1PCI)
Summ?try of Support Requirenents
Control Rod Drive (CRD) System, Summary of
Support Requirements
Core Spray System, Summary of Support
Rcqui relnents
Resi411al lieat Removal (RIIR) system, Summary
of Support Reqiri relnents
Fmerqency Service Water System, Swmary of
Support Require!ncnts
Vital Distribution System - AC, Stlmmary of
Support Reqi~irem~nts
Comparison Betwren Relap Results and M

Fiq n-1
Fig C2-1
Fig C2-2
Fig C2-3
Fig C2-4
Fiq C2-5
Pig C2-6
Fir1 C2-7
Fig C2-8
Fig C3-1
Fig C3-2
Fig C3-3
Fiq C3-4
Fiq C3-5
Fig C3-6
Fiq C3-7
Fig D-1
Fiq 1,-2
Fig D-3
Fiy 1)-4
Fig D-5
Fiq D-6
Fig 11-7
Analysis Sequence
LIST OF FIGIIHES
Chemical and Volume (:orltrol System
'Auxil iary Pce?water Systcm'~'
Safety Injection System
Main FeedwRt er System
Essentinl Service Water System
AC Electric Dist rihut ion System
I)C 1~:lcctric Distribution System
Component Cooling Water System
Reactor L'ore Isolation Cooling System
Iligh-Pressure Coolant Inject-ion System
Core Spray system
Resi(lua 1 Heat ~etnoGa 1 System
Service Water System
AC Electric Distribut ion System
DC Electric Distribution System
Reactor Mmlel for Reli~p
Average Wat-er 'remperaturo in Core
Water 1.cvel in Core
Water 1,~vel in Steam Generator
WattBr 1,cvel. in I1rc?ssurizer
Flow Throuqh Core
I'resfiori z ~ 'rempcrature
r

1.1 GENERAL
1.0 INTRODUCTION
This report describes work performed by international Energy
Associates Limited (IEAL) under contract to Sandia Laboratories
as part of the overall proqram Nuclear Power Plant Design Concept
for Sabotage Protection (NUREG/CR-0163, SAND 78-1994). This
study is I part of Task 3 of that program, Damage Control Options.
1.2. DEFINITION OF DAFAGE CONTROL
In the above document, damage control measures are defined as:
Measures that can be employed (or options which can be
taken) within hours after an act of radiological sabotage to
prevent or reduce the release of radioactive materials.
In this study, damage control measures include those operatoq
responses needed to bring the plant to a safe and stable condi-
tion followiny a sabotage attev.:,,. Conceptually, such responses
could include (1) temporary repairs of a system or its components
to maintain its operability or (2) accomplishing the affected
system's "function" with a different system not specifically
designated for that function. The first concept is associated
with the more traditional approach of actions taken to preserve
the opecation of vital systems or components. Examples of this
are firefiqhtinq, buttressing a dam or ship's hull, or patching a
critical piping system. Such actions may be taken to eiiminate
an existing threat or as a precautionary measure to mitigate the
effect of a predicted danger. The second type of damage control
measure is that of maintaining the function of a system or com-
ponent by substitution; that is, by utilizing equipment desig-
nated for another purpose in place of normal equipment or sys-
tems. An example of t9is 1s using the plant Eire protection
water system to cool vital equipment in the event of failure of
the normal cooling system.

1.3 PURPOSE
The purpose of this work is to identlfy feasible damage control
conc'epts and options that;may be employed to mitigate the effects
of a sabotage act at a nuclear power station. These results will
be used later in combination with other information on sabotage
councerrneasures to assess their potential combined protection.
Additional goals are to identify impacts and modifications as-
sociated with the various options.
1.4 APPROACH
, ...
Damage control options are necessarily plant dependent because of
the specific nature of the plant arrangement and the systems that
are not directly a part of the Nuclear Steam Supply System (NSSS).
For this work, two specific plant:, a 4-loop Pressutized Kater
Reactor (PWR) and a let pump Boiiing Water Reactor (BWR), are
used as models. Caution should be observed in that these results
may not apply eqJally to all stations. However, the concept of
using the types of options identified here is generally applica-
ble.
The primary constraining facrors in conducting damage control
actions at a power station are the staff available, time avail-
able, and accessibility. In this study staffing leS?els are con-
sidered essentially fixed although some increases might be re-
quired. The available time under various plant conditions is
estimated assumlnq that any in-plant sabotage events are coupled
with the loss of all offsite electrical power sources. These
estimates also serve to identity systems thar are €easibleqfor
damage control actions where feasibility 1s based on reasonable
time beinq available for operator action. In developing these
options factors of accessibility Are conskdered. Actions are
asaumcd to be possible from the control room or loc~lly by a
floor operator. Containment access at 3 PWR is mns idered
pr3ct ical: ncweaJec, thls is not the case for the OWR

Numerous operator options to maintain system operability and
Eunctions are developed and evaluated. Equipment modifications
that are required to support various options are identified.
A limited investigation of practices in industries other than the
nuclear industry was conducted in the early stages of t.he study.
The results of this are presented In Appendix E.

2.1 DA.NAGE CONTROL ACTIONS
The damage control actions developed in this report should be
considered representative concepts. That is to say, the list is
not inclusive of all options, nor are they necessarrly applicable
to any particular plant or group of plants. However, the concepts
or modifications thereof can be applied to specific power plants
and used in conjunctlon with that station's security plan to
develop an overall program to assure ccntinued plant security and
safety.
2.1.1 General
Section 2.2 describes the time aval!akl? analysis for ma~ntaining
the plant in a safe condition -- that is to prevent cc:e.damage
with no oper.3tor action. This izplies that the saboteur disrupts
the plant systems to the point that the operator is ineffective
in utillzinq ilurmal recovery measures.
To counter this ccnsequence, it is then assumed that the opcra-
tin staff can effectively recover by utxonventional actions
taken in respsnse tu the effects of the sabotage. Namely, they
repair whatever damage that has occurred or, as we see in Section
3 and Appendix 8 , they substitute other plant systems orcom-
ponents far damaged ones.
In the case of the repair of plant system, we can see from Section
2.3 that such actions are not practical qiven the short time
available for recovery and thestaff required. Ho~eve.r,,~in the
"
later case, that of sdbstltutions, a number ot actions are odt-
lined in Section 3 whlch are possible. Each of these actions
consist of operational manipulation and can be carrled out by the
operating staff wit'^ no special sk~lls or assistacce.

2.1.2 Hot Shutdown Actions
. .
Section 3 develops a number of ac'ions possible to maintain the
plant safely at hot shutdown. The intent of this is to maintain
the stsbility of the plant while apprehending the saboteur, thus
. .
preventing further damage, and to muster additional staff support
to recover and effect a controlled cooldown. These actions are
well within the capability of a standard shift operations crew.
2.1.3 Cold Shutdown and Refueling Actions
.. . Actions required to combat iahbtaqe affects while' the Glant is in
cold shutdown or refueling present a significantly easier prob-
lem. The times available, depending on damage conditions,, are on
the order of many hours allowinq the operating shiEt to regain
control by possible repair or a much Sroader ficld of options.
2.2 A'JAILABLE TIME CONSTRAINT ON DAMAGE CONTROLLABILITY
2.2.1 Available Time Calculations
ULtimately one question that must be answered in order to allow
sabotage protection credit for dama,;e control is: Is there
sufficient time available to recover from sabotage-induced fail-
ur-?s? Accordingly, an initial effort in this study establishes
bounding estimates of the available time for several upset con-
dltions. Available time is defined as the period between an
upset initiation and a subsequent condition in whichslqnificant
fuel damaqe leading to the release of fisslon products From the
fuel is imminent. The time available to take damage control
action is dependent on the postulated damaqe as a result. of sabo-
tage and also on the prior state of the plant (e.q., full power,
hot:shutdown, cold shutdown or refuelinq).
Several reprcsentJtlve cases are analyzed tor 3 PWR and a BWR.
Deta~ls of these are presented in Appendix A. Cases .are seiectcd

ased on a variety of events (e.y.., loss of reactor coolant, loss
of electrical power, loss of heat removal capacity) and plant
states and. in some instances, to emphasize certain systems such
asemergency . . feedwater. Kith one exception all calculations are
done manually. The exception is the use of the RELAP 4 transient
simulator to provide a comparison with nanual calculations for a
loss of all power at a PKR (See Appendix Dl. The primary reason
for the machine-assisted calculation for this case is that this
transient is more complex than the others, proqressing through
several thermal-hydraulically sensitive stages. The computer
calculation verifies that the corresponding manual calculations
are essentially correct. For t!~e,.purposes of this -study,, it :s
impractical and, in nost cases, unnecessary to use machineassisted
calculations.
Initial conditions and other important assumptions for these
calculations are generally nominal or zest estimate ,values. That
is, the degree sf conservatism characteristic oE design basis
safety analyses has been avoided. This is considered appropriate
for sabotaye s~udies because sabotaqe events could hardly be
coordinated to occor simultaneously wi:h worst case thermalhydraulic
and other plant conditicns.
The TKR calculatio~ls are based on 3 typical 4-loop plant rated at
3200 MWt. The BWR calculations >re based on a typical jet pump
plant rated at !703 MWt. Because of the particular NSSS used as
a model for the PWR calculations, the results ma:? not be ap-
plicable to plants having different types of NSSS's, especially
where the cdlculated times available are strongly dependent on
the initial water inventory in the $team generators. Also, the
results are sensitlSfe t.o the primary system water mass rc13tiq~e
to the decay heat power: thus, NSSS models ot r,ot"PWR's and
BWR's bavinq d~fferent power densities per un~t of reactor vessel
volume may result in different tlmc a:'.>llabilitles whvn similar :y
analyzed.

2.2.2 Loss-of-Coolant Events -- Available Time
. . . i .
Calculations in Appendix A show that 2WR loss-of-coo~a~It'events.
.. .
except for minor leaks, require response times of significantly
less than one hour. As a result, damage control is notconsidered
here for such events. Specific awR loss-of-coolant cases
are no? analyzed; however, it is inferred that similar conclusions
would hold since the transient blowdown and reflood times
are of a similar magnitude as the PWR's. Therefore, means other
than damage control must be relied upon to either prevent a lossof-coolant
by sabotage or to ensure emergency core cooiing sys-
, , , .. .. . ,
tems are not rendered ineffective by acts of sabotaqe.
2.2.3 Reactor Trip Assurance -- Available Tine
Tho consequences of not scramming a reactor for trans~ents where
it would normally be required have been analyzed over the past
several years in response :o the Nuclear Regnlatory Conmission's
call for anticipated-transient-without-scram (ATWS) analyses.
These analyses generally assume that all other systems required
to cmtrol or mitigate the transient will operate. Regarqless of
these analyses, because there is no experience with such events,
and because the complications of sabotage are unpredictable, it
has been decided not to .pursue damar;e control as 3 neans of assuring
a reactor trip. Thus it is assumed hereln that a ieactor
I
trip occurs soon after a major upset caused by sabotage which
would include the control room operator initiating a manhol
ceaccor trip.' Therefore, no attempt has been made to address
local scramming of the reactor from a panel outside of thg control
room ds a damage control measure. !.
-
*As for sabotage xtions that would pre*Jent scrar logic fiom
operat.inq properly, normal operator response action wouldbe to
ini:iate a manual scram. rhus, reaccsr trip sabotage actions
that wouid have to be protected against by means other than
damage control are attempted to prevent the control cocs from
physlcaily inserting or attonpts to ;,Jnper the reactor trip
manual initration circuitry.

2.2.4 Reactor Vessel Decay Neat Removal
The results of bounding cases to establish a nomlnal minimum
available time are shown in Table 2-1. These cases assume the
loss of offsite power and a loss of cooling water flow, that is,
steam generator feed for the PWR and reactor vessel injection for
a BWR, from several initla1 conditions. The criterion for when
operator action is required to provide cooling flow for decay
heat removal is when the water in the reactor vessel reaches the
core midplane. This criterion assume that significant fission
product release will not occur prior to this. The choice . . of
cases covers a wide spectrum of initial conditions.
These results (See Table 2-1) show that in the two examples with
the plant in hot shutdown, a minimum time of about one hour is
available for operator response to termination of decay heat
cooling water flow and :loss of external power. These results
provlde guidance for evaluating damaqe control options, that is.
options have been examined which support maintaining a hot shut-
dawn state and which can be conducted within one hour. ,These
options ate described in Section 3.
The cases in Table 2-1 in which the lnitial condition is cold
shutdown result in several hours being available for damage control
actions. While not specifically analyzing the cold shutdown
options, it is noted that when the reactor *~essel head is in
place, at worst the plant could be allowed to heat up and then
use normal or abnormal operational response fcc the hot shutdown
condition. When the reactor head is off as an initi3l condition,
the time available to re-initiate coo1ir.g is on the order of A
day or more. Thus, it is judged that without specific demonstratlon
or system examples, sabotage actions when in cold shutdown
could probably be countered with damaqe control measures as
long as draining ot the water in the reactor coolant system 1s
not part of the sabotage consequences.

-
Table 2-1
AVAILABLE TIME BOli'lUlNG CASE HESIIIXS'
I&-s ot of fsite power, loss of
wjter t ldw to Hkh vessel or
PWt ste3m generdtors
Full p w t L 120 minutes 54 minutes
. ~- . - ... . -. ~
L,ss i,t uitslte poser, loss of tiut st~~idby, one hour at ter 4.4 hours 3.2 houts
water flow to BWH vessel or
I steam generators
shutdown iton, full power
. . .. . . . .. ., . , . . . . .., .
1 . a ) ~ of ~ oftsitti power, loss c,f C'oiJ, reactor vessel head on, 9.1 hours 16.3 hours
I rsidual heat removal systrm 15 t11u11s atter it~utdown from
r~perdt ion full power
Lc~ss uf ot tsi te power, loss of Hefiiel,ng, reactsr vessel head 75.9 hours 23.9 hours
1 r:sidual heat I .moval system off, 72 hours atter shutdown
cq~er
at ]on troin full power
*Cr~tcrlon 1s t ~ m r to reduce reactor vesstl levcl to core midplane.

2.2.5 Spent Fuel Pool
L I
If sabotage actions disable the spent fuel pool cooling system,
for the PWR example, over G h~urs is required to reach boiling
temperatures even at the highest possiale decay heat levels (Ap-
pendix A). OqJer 12 hours is required to boil off three feet of
water. Thus, it is judged that spent fuel pool cooling systems
may be completely protected by damage control means since cooling
,,.... ,-, , ,~ ,...
of some sort could undoubtedly be restored within 12 to 24 hours
and the decay heat level is likely .to be less than t.h.at used in
this analysis. Although not specifi:

2.3 RUNNING REPAIR/JURY RIGGING
One type of damage control is that which requires "running re-
pair" and jury riqging to compensate for danage that has occur-
red. This is representative of the more traditional concepts of
damage control. This type of damage control was investigated and
it has been concluded that it is difficult, if not impossible, to
take credit for it for the following reasons:
To support such an analysis, an extensive data base is
required on the time it.would take to conduct repairs.
Such a data base is currently non-existent. Furthermore,
because it is related to human response, there would be
considerable difficulty in achieving a representative
data base acceptable to all parties.
There is uncertainty in the capability of assembling a
sufficient number of personnel with the proper skills
within the short time required. Times on the order of
1 to 10 hours are, the range for completion of damage
control actions.
Establishment of standby damage control teams at power
plants for back shift response presents a personnel
management problem as well as significant additional
cost. With current fire brigade and security personnel
requirements, a darage control team concept would meet
firm resistance from utilities.
There is concern as to the actions of a saboteur who,
upon damaging some equipment, could also interfere with
the repair crews.

5. Keeping damage control storage lockers stocked, al-
though not an insurmountable problem, would create
administrative headaches.
For the purposes of recording work accomplished and documenting
the approach for future reference, a description of the analysis
as Ear as it was pursued is included as Appendix B. The effort
was terminated when the above considerations were fully realized.

3.C EVALUATION AND RESULTS
A number of candidate damage control actions are discussed in
Appendix C. In this section individual operations or options are
evaluated as to their complexity and practicality. Table 3-1 is
a summary of the evaluations. Included also in this section are
individual evaluation sheets for each item. As previously men-
tioned, it is anticipated that these results will be subsequently
used in combination with analyses of other sabotage counter-
measures to arrive at an overall evaluation of the effectiveness
.~ .
of the combinatlon.
...
.,i ~ ..
,., ,. . ..

V., ,"".
van lour

ITEM :
FUNCTION :
EVALUATION NO. - L
(BWRI Manually operated reactor vessel relief valve
Decay heat removal -- steam -1entinq directly from the maln
steam system to the suppression pool.
TARGETS AFFECTED:
. Xain steam safetyirelief valves -- In the event c113t :ne
reactor operator must depressurize c% re.?ctor vessei in
order to operate the core spray or RHR s,fst~ms. .his can he
accomplished without tt,e servic~s a< 125 VDC or 5er':;ce 31:.
This el iminater, the Ae~endence on :?e : emo~e-?nd?~~i ,:',:?rat :c?.
of these valves.
OTEWITIONAL CONSIDERATIONS:
Procedures 3nd operator tra~n:n,-: 4::; . .. . . :. :.-:

COMMENTS :
. This may add another sabotage target outside
containment.

ITEM :
EVALUATION -- NO. 2
(BWR) Feed-and-bleed operation between the condensate storage
tank(s) and the suppression pool.
FUNCTION :
Decay Heat Removal -- Feed-and-bleed operation between the
condensate storage tank(s) and the suppression chamber to
increase the effective heat capacity of the suppression pool.
TARGETS AFFECTED:
., .~ . .
Residual Heat Removal (RHR) System -- While venting the steam
from the reactor vessel to cool the core or to attempt a
cooldown, the suppression pool heats up at a substantial rate
and therefore requires cooling. Normally tne KHR system
cools the water in the pool, but in the event that the RNR
system is not operational, the operator can initiate a feed-
and-bleed ,?peration usina the condensate service pumps to
pbnp water from the condensate storage tank(s) to the sup-
pcession pool. Return flow from the pocl is accomplished by
opening the testibypass return line from the discharge header
of either the IlPCI or RCIC pumps (whichever is operatinq)
thus cyclinq water back to either condensate storage tank.
HARDWARE MODIFICATICNS:
Level lnstrmentation at the suppresslon pool and con-
densate stor3ge tanks should be improved.
Given a loss of offsite power, the condensate ser- ice
pump power supply must he made switchable to a vital
bus !see Ev,3!uat Lon 19 I .
OPERATIONAL *IONS IDERATIOPJS :
Pr'jceducc rerlulced. I:lper~tors ms5t be coqnizan: ?f the need
for makeup t o the redctor !vessel to erlsure that a zuificent
condensate inventory is maintalned.

ENGINEERING CONCERNS:
The proper NPSH for the condensate servlce pumps must be
available.
. The suitability of all compcnents of the service condensate
system should be evaluated For operation at elevated
temperatures ( 1750F).
. The loading of the diesel qener~tors must he evaluated
(see Evaluation 19) .
COMMENTS :
Regulatory concerns regardiny the potential radionuclide
. . ...
release from the condensate storage tank vent must be
addressed.
The additional; radioactivity in outside stor.3ye t.anks
must be evaluated.
Additional water volumes can be obtained in 3 similar
manner from the main condenser hotwells, the deminera-
lized water tanks, and various r~dwaste stor.~ye t.anks,
if needed.

ITEM:
FUNCTION :
EVALUATION NO. 3
(PWR) Restart the main feedwater system after trlp - Gper~ce
the condensate pumps on a vital bus.
Decay Heat Removal -- One main feedwater pump and a con-
densate pump are restarted to supply feedwater to the steam
generators.
. . TARGETS AFFECTED: ~ . ,.
Auxiliary feedwater system -- The :?din feedwater system is
used to augment the emergeccy systems for feeding the steam
generators. Assuming a loss of power to the non-Class ?E
buses, a condensate pump must be switched to a Class 1E bus
and resta:ted.
HARDWARE MODIFICATIONS:
The major plant modification will be electrical circuitry and
switchgear to enable shifting the condensate pump power supply
to a Class 1E bus. Also, piping modifications downstream of
the feedwater pumps may be required to allow feedwater pump
operation under reduced flow. Other modiEications may be
re.?uired to accommodate the main feed pump turbine exhaust.
OPERATIONAL CONSIDERATIONS:
Operating procedures will be required to permit operation in
this manner under low-Flow conditions.
ENGTNEERING CONCERNS :
The starting current of the condensate pumps must be
evaluated in light oE the d:esel generator breaker trips
and additional loads on the Class 1E buses.

COMMENTS :
I . . .
. Hydraulic Limitations may be imposed on the operation of
a main feedwater pump at lcw flow.
Operation of the main feedwate: pumps, which are driven
by condensinq turbines, under noncondc?nslnq conditions
and high backpressures must Se evaluated.
There may be regulatory concerns with loading a vital
bus with J larqe, non-vital piece of equipment.

ITEM:
FIJNCT ION :
EVALUATION - NO. 4
(PWR) Steam Generator feedinq with safety injection pumps.
. . . , .
Decay Heat Removal -- One or more safety injection pumps are
used to pump feedwater to the steam generators.
TARGETS AFFECTED:
Auxiliary Feedwater System -- One or two safety-injection
. . pumps are aligned to pump condensate into the steam genera-
tors via the auxiliary feedwater system. The lineup is
accomplished by shifting the pump discharge from the injec-
tion plpinq to the feedwater piping and the pump suction from
the refluelinq hater stor~aqe tanks to a condensate storage
tank.
HARDWARE M0DiF:CATIONS:
hppropridte pipinq and valves must be installed to permlt
shiftlng of the pumps' suction and discharge. In sdd~tion,
pump cont.ro1 circuitry will require modilication to allow
operarisn in this node.
OPERATIONAL CONSIDERATIONS:
The operator should take steps to f:ush e k nysram of excess
Jmounts of horic acid before fcztflncj the steam rjcnerators.
ENGINEERING CONCERNS:
The effects ot small mounts qi bor~c acid on the ltenm qen-
erators must Sr ev31udted.

ITEM:
EVALUATION NO. 5
(PWR) Manual venting of the steam generators.
FUNCTION :
Decay heat removal -- steam venting to atmosphere of the
main steam generators via the main condensers.
TARGETS AFFECTED:
Main steam generator safety/relief ., ,. valves -- In the ,event
tha't the safety/reliei valves arc rendered inoperable, the
steam generators can he vented through the main condensers.
The operator must o?en a main steam isolation valve or bypass
valve and a steam dump valve. If a main circulating
water pump is not operating, the condensers will ke pressurized
and tne steam will exit via the air ejector vents or
the L.P. turbine KUpt'Jre disks.
HARDWARE MODIFICATION:
The steam dump valve control circuitry will require mod-
fication to provide an overide for the condenser high-pres-
sure interloc*..
OPERATIONAL CONSIDERATIONS :
S~nce it is not qood practice to overpressurize a condenser,
a special procedure will be required.
ENGINEERING CONCERMS:
It should be recognized that this is a potentially destruc-
tive measure with regard to the turhine/condenser unit.
COMMENTS :
None

ITEN :
EVALUATION NO. 6
(EWR) Provide vessel makeup water using the high pressure
coolant 'injection (HPCI) system.
FUNCTION :
.. Reactor coolant inventory contro;/decay heat removal -- The
HPCI system is designed to inject water into the vessel at
high Elowrates.
. ., . ., . . ,>
TARGETS AFFECTED:
Reactor core isolation cooling (RCIC) system -- If the RCIC
system F~ils to function, the HPCI system will automaticallv
activate 3t the reactor vessel low-low-water level alarm
point to restore water level.
HARDWARE MODIFICATIONS:
None
OPERATIONAL COEjS IDERATIONS:
There are existicg plant procedu:es for this action
ENGINEERING CONCERNS:
None
COMME?ITS :
None

EVALUATION NO. 7
ITEM:
(BWR) Substitution of the emergency service water (ESW)
system for the RHR service water system.
FUNCTION :
Decay heat removal -- Secondary cooling of the suppression
chamber.
TARGETS AFFECTED:
' RHR service water pumps -2 It" the RHR service water pumps
are rendered inoperative, the discharge of the ESW pumps can
be aligned to provide the necessary cooling water.
HARDWARE MODIFICATIONS:
Cross-connecting piping and components are required.
OPERATlOsAL CONSTDERATIONS:
The operator must control flow such that other ESW Laads are
properly cooled.
ENGINEERING CONCERNS:
None
COMMENTS :
. The plant service water system can similarly be used
except a proviqion must be made to supply electric
power from a diesel generator bus to a service water
pump isee Evaluation 19).
. If portions of the RHR service water system are not
structurally intact then these sources of cooling water
could be made available via independently installed
supply piping or with temporary hose connections.

ITEM:
FilNCT ION :
EVALUATION NO. 8
(6WP.l Supply RWR service water system from tne fire
prntectlon water system.
Decay heat removal -- secondary coollng of the suppression
chamber.
TARGETS AFFECTED:
.. RHR Service Water Pumps --.. If the RHR service water
pumps should Secome inoperatjve the Eire main can be
aligred to the RHR service water pump discharge header
and thus provide the requlred coolinq water.
HARDWARE MODIFICATIONS :
Cross-connecting plping and components are required.
OPERATIONAL CONSIDERATIONS:
The operatur must be cognizant of the fact that the
capab~llty of the Flre protectlon system may be reduced
due to reduced fire main pressure.
ENGINEERING ;ONCERNS:
The capacity of t>e Eire water pumps should provide
adequate cooling: however, a detailed analysis of the
system will be necessary.
COMMENTS :
If ctie HHR service water pipinq has ncen damaged then
cooling water could be supplicd directly to equipment
via indie~idua! fire base or piplny connections.

, ;
. ,. .
ITEM :
FUNCTION :
EVALUATION NO. 9
(PWR) Serles operatlon cf the satety ln~ectlon pumps for
reactcr vessel makeup.
aeactor Coolant inventory Control -- Operation of the safety
injection pumps in series to increase the pump discharge
pressure and thus permit high pressure coolant injectiun
, ,. . . . .- . . .
into the reactor vessel.
, . , ...
TARGETS AFFECTED:
CVCS Coolant Charging Pumps -- Normally the charging pumps
are used :o >tovide make up to thy reactor coolant system to
maintaln pressurizer level. The design shutoff head of a
SIS pump is 1600 psi -- approximately 60C psi below reactor
coolant pressure at hot standby. If, hwever, the pumps are
aligned in cerles t.ne diichdrqe pressuie is increased by a
comparative amount thus pernlt:i~.g flow into the primary
system at hiyh pressure.
HARDKARE MODIF, ?ATIONS:
Pipiny and valves must be installed to allow series
operation.
SIS pump suction piping will require upgrading to a
higher pressure rating.
OPERATIONAL CONSIDERATIONS:
Th:s requlres an abnormal procedure and musr te done w ~th
cars to prevent dam~qiny rhc pumps.
ENGINEERING CONCEP.NS:
. TI:

that the design is adequate for operation at pressures
above 600 psi.
. The pumps are designed to operate at a maximum discharge
pressure of 1600 psi. Operation at pressures exceeding
2200 psi can result from the series lineup. This is
probably within the standard conservatism of the pump
design but must be evaluated.
. A means may be required to prevent excess recirculation
from the pump discharge during normal alignment.
COMME,NTS : . .
. There may Se regulatory objections related to the pos-
sible degrading of the safety injection pumps as a
result of exceeding design pressure.
. Additional valves and piping may increase the system
failure probability or add an additional failure mode
for the safety injection system. Thus, a re-assessment
of the SIS failure mode and effects analysis may be
required.

EVALUATION N e
ITEM:
(BWR) Provide vessel makeup water using the control rod
drive (CRD) pumps.
FUNCTION :
Reactor coolant inventory control -- The CRD pumps can dis-
charge water directly into the reactor vessel.
TARGETS AFFECTED:
, ,
keactor core isolation cooiing (RCIC) system -- The CRD pump
discharge can be aligned to permit discharging directly into
the reactor vessel. To accomplish this an operator must
open the pump test/bypass valve and isolate the charging,
drive, and cooling water headers. In so doing all drive
water flow will be directed into the reactor

ITEM :
FUNCTION :
EVALUATION NO. 11
(BWR) Provide residual heat removal (RHR) systems.
Reactor coolant inventory control -- The core spray or RFR
systems are used to inject water into the vessel at low
pressure.
TARGETS AFFECTED:
High pressure makeup sources (RCIC, HPCI, CRD arid main feed-
water) -- If none of the high pressure water sources are
available then the operator must reduce the reactor vessel
pressure by blowing down to the suppression chamber via the
safety/relief valves. One core spray pump in each redundant
loop will start when reactor level reaches the low-low level
alarm point coincident with the reactor pressure-low alarm.
When reactcr pressure reaches approximately 400 psig, the
motor-operated isolation valves open and the system will
initiate flow as the pressure is further reduced.
The RHR system functions in a similar manner except that in
the low pressure coolant injection mode both the pumps and
valves actuate at the low-low reactor water level setpoint
when reactor pressure reaches approximately 450 psig.
HARDWARE MODIFICATIONS:
None
OPERATIONAL CONSICERATIONS:
None

ITEM:
FUNCTION :
EVALUATION NO. 12
(BWR) Provide vessel makeup water dsiny the main condensate
system
Reactor coolant inventory control - The main condensate
system is used to inject water at low pressure.
TARGETS AFFECTED:
. . . .
Normal reactor vessel makeup systems (RCIC, HPCI, CRD, RHR
and core spray) -- The main condensate system can be ,~sed to
supply water to the reactor vessel after depressurization.
The main condensate pump will pump through the idle main
feedwater pumps and thence into the feedwater piping to the
reactor vessel.
HARDWARE MODIFICASIONS :
Elements of the electrical power distribution system must be
modified to provide power to the maln condensate pumps From
a vital bus (see Evaluation 19).
OPERATIONAL CONSIDERATIONS:
This is an abnormal operation that will require special
procedures.
. The operator should ensure that vital buses are not
overloaded while starting or operating the condensate
pumps.
. Loads on the diesel generators must be carefully
managed to prevent overloadlny.
ENGINEERING CONCERNS:
The flow rate of the condensate pumps mu;t be evaluated to
ensure adequate makeup capac1t.i.

COMMENTS :
This would most likely be considered a "last-ditch" effort.

EVALUATION NO. 13
ITEM:
(BWR 6 PWR) Substitute the plant service water system for
the emergency service water (ESW) system.
FUNCTION:
Auxiliary cooling -- Provides a source of cooling water flow
to vital eqipment.
TARGETS AFFECTED:
., . ,.,..... .
ESW pumps -- I£ the ESW pumps are inoperative then the plant
service water pumps can provide cooling water to ESW-supplied
equipment via existing pipinq.
HARDWARE MODIFICATIONS:
Since the plant service water system is the primary cooling
. I,
water source under normal plant conditi!.ms no pipinq changes
are warranted. There is, however, a problem regarding the
electric power supply to the pumps. Currently this supply
is from the non-Class 1E buses. For these pumps to operate
under the prescribed conditions (loss of offsite power),
appropriate el~~ctrical modifications must be accomplished to
provide these pumps with a reliable emergency source of
power (see Evaluation 19).
OPERATIONAL CONSIDERATIONS:
Procedures wrll be required to ensure the availability of
the vital buses for safety related equipment is maintained
(see Evaluation 19).
ENGINEERING CONCERNS:
!done

ITEM :
EVALUATION NO. 14
(PWR) Cross-connecting the feedwater and emergency servlce
water (ESW) systems.
FUNCTION:
Auxiliary Cooling -- Provides a source of cooling water flow
to vital equipment.
TARGETS AFFECTED:
ESW pumps -- To augment ESW flow a connection from the auxil-
iary feedwater pump or maln condensate pump discharges can
be used to supply the needed cooling water. This assumes an
excess pump capaclty and that the condensate is cool enough
to be effective as a cooling medium.
HARDWARE MODIFICATIONS:
Piping and valves must be installed.
OPERATIONAL CONSIDERATIONS:
. Operation in this mode must ensure adequate flow to the
steam generators and to simultaneously maintain an
adequate NPSH co the main feedwater pumps if operating.
. Operators must be cognizant of the condensate requirements
for decay heat recoval. This mechanism would be
viable only as long as there is an excess inventory of
condensate available.
. Main condensate pumps must be in operation (see Evaluation
3).
ENGINEERING CONCERNS:
Such a connection must be provided with adequate assurance
that service water cannot concaminate condensate water
piplng ducrnq normal operation.

COMMENTS :
. Any condensate used must meet the minimum radiological
requirements for discharge.

ITEM:
EVALUATION NO. 15
(BWR & PWR) Cross-connecting the fire protection water
system and the emergency service water (ESW) system.
FUNCTION :
Auxiliary cooling -- Provides a source of zoolinq water to
vital equipment.
TARGETS AFFECTED:
ESW pumps -- The fire protection water system can be used as
a source of water in the event that the ESW pumps are in-
Jperable. Upon the loss of offsite power the ~iesel .qwered
fire pump automatically starts and maintai~~ Eire main pressure.
With the proper valve lineup, the Eire pump could be
used to provide the required source of cooling water.
HARDWARE M0DI":CATIONS:
At a minimum, a fire hose connection could be in:talled in
the ESW pump discharge headers. Perm3ner.t k:r,~ss-connecrinq
pipiit? and isolation valves can also he p~.-$:i led.
OPERATIONAL CONSIDEP.ATIONS:
This operation must bc done prudently in an emergency situation
since it will result in a reduction of fire m3in prcssure
and thus limit the effectiveness of the fire protectlon
cystem it' it is coincidently needed.
ENGINEERING CONCERNS:
The f ire maln flow rats? should be adequate to provide sufficlent
coollng; how~~~-r, the system must be evaluated for
adequacy.

COMMENTS :
Regulatoey concerns about the possible downgrading of the
fire protection system could result.

ITEM :
EVALUATION NO. 16
(PWR) Suhstitution of emergency service water (ESW) for
component cooling water (CCW) system.
FUNCTION :
Auxiliary cooling -- Provide cooling water to vital equip-
ment.
TARGETS AFFECTED:
Component cooling water pumps -- In the event that the CCW
pumps become inoperable, flow of cooling water through the
system could be augmented by the ESW system. This could be
accomplished by cross-connecting the ESW pump discharge
header to that of,the CCW pumps. Since the CCW system is
normally a closed system the CCW return line must be pro-
vided with appropriate discharge piping making it a once-
thru system.
HARDWARE MODIFICATONS:
Pipinq and associated hardware to connect the two pump dis-
charge headers (ESW and CCW) must be installed. Additional-
ly, a mechanism for discharging the CCW return flow must be
provided.
OPERATIONAL CONSIDERATIONS:
The CCW discharge must he monitored for radioactivity
since it will come into intimate contact with com-
ponents containing reactor coolant.
Operators must remaln aware of the possibility of foul-
ing passaqes and heat transfer surfaces.

ENGINEERING CONCERNS:
Some components may be adversely affected by potentially
hiqh saline cooling water and may be subjected to excessive
corrosion rates.
COMMENTS :
This concppt could also be employed by using either the fire
~rotection water system or other plant water systems (e.g.,
service water, domestic water, demineralized water, main
condensate). All wor~ld involve similar modifications and
operational considerations.
,.... .. I ,:~

EVALUATION NO. 17
ITEM:
(PWR) Pressurizer and steam generator level indication -
local readout.
FUNCTION :
Decay heat removal and primary plant inventory control.
TARGETS AFFECTED:
Instrumentation power su,ppi,y -- control cabling --,If the
respective remote level indicazion is rendered inoperative
an operator can be dispatched to the local differential
pressure sensors and read level directly at those locations.
HARDWARE MODIFICATIONS:
Local indication will bc needed.
OPERATIONAL CQSS IDE?.ATTONS :
Since these instrments will be located inside containment,
operators must be provided with a means for quick access.
ENGINEERING CONCERNS:
None
COMMENTS :
A malor drawback of this action is that it can occupy one
operator on a full-time basis.

EVALUATION NO. 18
ITEM:
(PWR) Steam generator pressure indication -- local ind
ica t ions
FUNCTION :
Decay heat removal -- This is a significant parametor re-
flecting the temperature of the reactor coolant system.
TARGETS AFFECTED:
Steam generator pressure indica.:on -- If the remote (con-
trol room) pressure indication is lost an operator can be
dispatched to a local panel and read this pressure directly.
In the event that local indicators are also inoperable then
an operator can easily attach another calibrated gauge or
gauge calibcation kit at the calibration connections located
at each installed gauge location.
HARDWARE MODIFICATIONS:
Additional pressure gauges may be desired to be mounted in
easily accessible locations.
OPERATIONAL CONSIDERATIONS:
None
ENGINEERING CONCERNS:
None
COMMENTS :
None

ITEM :
FUNCTION:
EVALUATION NO. 19
(BWR & PWR) Provide non-vital backup equipment wlth an
emergency electric power supply.
Various
TARGETS AFFECTED:
Various -- The intent of this action is to provide various
"non-vital" backup components with a reliable emergency
backup power supply. Since these components are generally
supplied power from offsite sources and the premrse of this
study - is that such sources are unavailable, then this could
be an additional subrequirement for many of the actions
described in this section. Examples of such components are
service water pumps, main condensate pumps, service condensate
pmps, etc.
HARDWARE MODIFICATIONS:
This can be accomplished in two ways:
. Each designated component can be provided with an al-
ternate prwer feeder from one of the vital buses with
circuit breakers or disconnect links.
Feeder breakers from the vital (diesel generator) buses
to the non-vital buses can be provided. This would re-
quire interlocks to ensure that the reliability of the
Class 1E system is maintained.
OPERATIONAL CONSIDERATIONS:
Operating procedures will be required to eliminate any un-
needed or large cycling loads from all effected buses prior
to equipment actuation. Additionally, the operator must
monitor the diesel generator loads to ensure that the diesel
generat.ors are not overloaded while starting or operating
equipment.

ENGINEERING CONCERNS:
A desiqn effort must be conducted to ensure that any such
COMMENTS :
installation meets single-failure and separation criteria.
?equlatory constraints may prevent this action.

ITEM :
FUNCTION :
EVALUATION NO. 20
(BWR h PWR) Cross connect Class 1E Battery buses
Various -- Improve the reliability and availability of
125 VDC powered vital electrical components.
TARGETS AFFECTED:
125 VDC powered supplies -- The 125 VDC power supply to
various vital equipment could be made more reliable by pro-
vidlng appropriate connections to an alternate DC power
supply -
HARDWARE MODIFICATIONS:
Each 125 VCC Class 1E bus would be provided with break-
before-make circuit breakers which would permit supplying
power from zny Class 1E 125 VDC battery to any other Class
1E 125-VDC bus.
OPERATIONAL CONSIDERATIONS:
The procedures for accomplishing such an evolution must
ensure battery overload will not occur and that a faulted
bus is not transferred to a non-faulted battery.
ENGINEERING CONCERNS:
None
COMMENTS :
Requlatory concern will be significant.

ITEM :
FUNCTION :
EVALUATION NO. 21
(BWR h PWR) Csinq the non-Class 1E DC bus LO supply a Class
1E DC bus.
Various -- Improve the reliability ~ n d avail~bilit) of vital
125 VDC powered electrical components.
TARGETS AFFECTED: ., .
125 VDC batteries -- The non-Class 1E batteries could bs
used as a substitute for a Class 1E battery. A~-,z.,~iate
circuit breakers or disconnect links can be aligned to re-
place a non-operational Class 1E battery with the non-Class
1E battery. In the case of the 250 VDC battery, switching
and busing mechanisms would be employed to permit spllttiny
and paralleling sections of battery cells to provide the
propec terninal voltaqe
HARDWARE MODIFICATIONS:
Additional breakers and disconnect links wlth appropciate
businq would be required.
OPERATIONAL CONSIDERATIONS:
Operators must be instructed to disconnect all nun-nuclear
safety-related bus loads prior to conducting the transfer
operation. It should be noted that some vital auxiliaries
will be lost during this evolution (e.q., emergency turbine
lube oil pump) and that equipment damaqe may result. It may
be difficult for the operators to make such decisions.
ENGINEERING CONCERNS:
None

COMMENTS :
Regulatory restrictions may preclude this action.

EVALUATION NO. 22
ITEM:
(BWR & PWR) Providing alternate 125 VDC power supplies to
FUNCTION :
designated equipment.
Various -- Improve the reliability and availability of 125
VDC powered vital electrical equipment.
TARGETS AFFECTED
125 VDC power supply systems -- Individual components would
' be provided with indi~~idual'feeders from the redundant DC
buses to permit an operator to select alternate power supplies.
HARDWARE MODIFICATIONS:
A substantial quantity of wiring and hardware will be re-
quired to provide such a network. Additionally, inter-
locking me?ianisms should be installed to prevent over-
loadinq a bus or cross-connecting two buses.
OPERATIONAL CONSIDERATIONS:
Any plant operating procedures relating to DC powered
equipment with multiple power sources must be modified
to direct the operator as to the proper selection of a
DC power source.
Operators must ensure that electrical faults ace not
transferred.
ENGINEERING CONCERNS:
None
COMMENTS :
Regulatory restrictions may preciude such actions.

- EVALUATION NO. 23
ITEM:
(PWR) Backup water supplies
FUNCTION :
Reactor plant makeup and decay heat removal
TARGETS AFFECTED:
Auxiliary feedwater storage tank/condensate storage tank --
There are various water sources throughout the plant that
could conceivably be used Eor makeup during hot shutdown.
The only limitations would be that it would be imprudent to
inject borated water into the steam generators since it
would rapidly foul heat exchanger surEaces by crystalliza-
tion. These potential water sources include:
. Refueling Water Storage Tank
. Reactor makeup storage tank
CVCS volume control tank (borated)
Condefisdte storage tank (s)
. Main condenser hotwells
. Demineralized water storage tanks
. Radwaste storage tanks (various)
Essential service water system
. Plant service water system
Wellwater pumps
Domestic potable water system
Fire protection systcm
HARDWARE MODIFICATIONS:
In many of these cases the necessary piping already exists
and backup procedures prepared il.e., ESW for steam genera-
tor feed); howev~r, in others additional pipinq must be
installed.

F-G 0
OPERATIONAL CONSIDERAT1:ONS :
Procedures and instructions to operators must prevent an
unwanted injection of water into steam generators of an
unacceptable quality during non-emergency situations.
ENGINEERING CONCERNS:
COMMENTS :
None
The placement of these sources, in the case of tankage, must
be such that an adequate NPSH is available to the pump(s)

ITEM:
(BWR) B.ickup water supplies
FUNCTION :
- EVALUATION NO. 24
Reactor plant makeup 2nd decay heat removal
TARGETS AFFECTED:
Suppression chamber/condensate storage tank -- There are
various sources of water within the plaqt that can be
, utilized as backup sLipp1ie.s should the nor.'A sup;;lies,
suppression chamber and condensate storagv tanks, be unavailable.
.
These include:
main condenser hotwells,
. fire protection water main, and
. service water systems.
Any one of these could be aligned to pumps nlscharginq into
the reac:or vessel.
HARDWARE MODIFICATIONS:
To permit uslnq these water sources additio~lal cross-con-
nectinq pi~ing and valves will be requir~.,j.
OPERATIONAL CONSIDE~ATIOMS :
None
ENGINEERING CONCERNS:
The use of the main condensers may he precluded by NPSH
COMMEXTS :
IJ31nq servlce water for makeup feedwater must be considered
a "last ditch" effort since tnr water chenlsrry conditions
will damage plpLnq and core components.

ITEM:
EVALUATION NO. 25
(PWR & BWR) Manual operation of steam-driven pump turbines
(RCIC, HPCI, Auxiliary feedwater).
FUNCTION :
Decay heat cemoval/reactor vessel inventory control -- steam-
driven pump turbines can be operated in a local (mechanical)
mode.
TARGETS AFFECTED:
125 VDC/lZO VAC electric supply systems -- If the electric
supply to the turbine control system is inoperable, then the
pumps will not be operable. If either of these pumps are
needed then an operator can manually manipulate the turbine
throttle controls to start acd to operate the pumps.
HARDWARE MODIFICATIONS:
None
OPERATING
.
CONSIDERATIONS:
Additional plant procedures and operator tra ining are
.
required.
Due to the probable loss of power to turbine auxiliary
equipment the operator will probably to work in9 in a
relatively hostile environment of leaking steam and
high radiation.
This evolution will require close operator surveillance,

Al. INTRODUCTION
APPENDIX A: AVAILABLE TIME ANALYSIS
This Appendix provides the avai lable time basis for establishing the
type of sabotage events and the systems that are candidates for dam-
age control as a sabotage countermeas~lre. The results of the anal-
ysis are summarized in Section 2.2.
The selection of cases is based on an examination cf lcss-of-coolant
and loss-of-cooling type events, 'a variety of initial plant states,
and a variety of plan: systems. It is not intended to exhauStls~eiy
investigate specific combinations of sabotage events, hut rather to
select a set of postulated events that will establish a lower bound
on available time in order t3 select systems for further investiga-
tions of damage control feasibility. In the judgement of tiw authors,
the case selection is sufficient for this purpose. More extensive
analyses nay Se required if this approach is to be used For gaininq
1 icensinq credit.
A2. PWR CASES
Table A-1 is a summary of the PWR time avai1ab:e cases. This table
also indicates the associated initial plant conditions and the sys-
tems that are the focus of each Farticular case. Each case acd its
associated results are described on indiv~dual summary sheets fol-
lowing Table 4-1.
Case 6 is somewhat unique in that a computer-assisred aca!ysis was
conducted to compare with tne manual calcuiations. The details of
this analysis are presented in Appecdix D.

1 A 1: AVAllAR1.E TISE CASE SEI.ECTlUN SllWAYY - FYH
X X X X X X
X
X
h
X X
X X Y X
X X X X
X X

Case number: 1
. , .. . . .. .
Description: Loss-of-coolant large enough to surpass the-capacity of
. . . ..
i . .
the charging pumps. Safety injection system is sabotaged. Off site
power is simultaneously lost.
Initial conditions: Full power.
Systems emphasized: Safety injection.
Significant assumptions: Thi: event is assumed to be slmilar to de-
sign basis loss-of-coolant accident.
Available time criterion: Core is uncovered.
Description of calculation: No calculation is performed. The time
to uncover the core can be estimated from LOCA calculations in the
Reference Safety Analysis Report, (RESAR).'
Results: For a large break, the system would blow down in less than
one minute, based on Table 15.4-1 of RESAR. Without safety injection,
the core wouid remain uncovered and fuel damage would eventually
result. For a small break (3" diameter hole), the top of tbe core
vould be uncovered in 647 seconds, based on Table 15.3-1 of RESA4,
which assumes operation of safety injection pumps. Without safety
injection, the core would be uncovered even sooner. Because of the
: short blowdown times, sabotaye protection measures must either pre-
vent loss-of-coolant sabotage or ensure that safety injection systems
remain available.
*Reference Safety Analysis Heport IRESAR-dl), Westlnghouse Electric
Corporation, C.S. NHC Docket No. 50-48C, December 31, 197':.

Case number: 2
Description: A charging pump is sabotaged while it is being used to
maintain primary system level durlng a small leak. Offsite power is
simultaneously lost.
Initial condition: Full power.
. .
Systems emphasized: Charging system.
Significant
. assumptions: Liquid,leak*age is assumed to occur throughout
the incident. It is further assumed that after the pressurizer
drained, the steam generators maintain primary system temperature and
pressure at constant values so as to avoid calculating changes in the
leak rate due to fluctuating pressure. Safety injection does not
start when the pressurizer empties and system pressure is reduced.
Available Time Criterion: Uncover the core midplane.
Description of calculation: The basic approach For this calculation
is to determine the amount of water that must leak out in order to
uncover the core midplane, and then divlde by thc leak rate.
The stops are:
1. An initial shrinkage of 2% of the entire primary system
is postulated wh~ch results in a 229 reduction in pres-
surizer water volume.
2. The pressurizer drains into the hot leg at a rate of
200 qpm.
3 When the pressurizer is dry, system preszure drops to a
saturation pressure of 1133 psia, corresponding to a system
temperature of 5600~. Correspondingly, the ledk rates
reduces to 142 gpm.

Results:
1. Draining the pressurizer takes 26 mlnutes.
2. Top of core is uncovered in an additional 417 minutes;
total is 443 minutes.
3. Core rnidplane is uncovered in an additional 28 mlnutes;
total is 471 minutes.

Case number: 3
. .
~escription: The primary system is breached and the recirculation
phase of emergency core cooling is stopped one hour after the reactor
scrams. Without recirculation, there is no source of water to cool
.. . , . .
the .. .. core, which means that the core will be uncovered as soon as the
remaining water inventory boils off.
Initial conditions: The water temperature and pressure are equal to
the containment sump water temperature and containment pressure one
hour after a LOCA, as shown in the Reference Safety Analysis Report.*
Watez.leve1 is at the bottom of the -vessel hot/cold leg nozzles.
Systems emphasized: RHR in the recirculation mode.
Significant assumptions: It is assumed that the breach is not larger
than the deslgn basis so that emergency core cooling is adequate to
reflood the core after the initial blowdown.
Available time criterion: Uncover the core midplane.
Description of calculation: The basic calculational approach is to
determine the amount of heat required tc boil all the water remaining
above the core mldplane after recirculation stops; and then determine
the integral tlme of decay heat generation that is equivalent.
Results: The quantity of water above the core midplanc is calculated
to be about 1..000 lbs. The heat required to boil that quantity of
water would be about 5.9 x 10' BTU. Based on the ANS fission product
decay correlation and a Westinghouse correlation for decay heat from
. .
Np-239 and U-239, 22.4 minutes would' be required to generate that
amount of decay heat. Thus, the core midplane will be uncovered
22.4 minutes after recirculation stops.
RESAR-41, Westinghnuse Electric Corp., U.S. NPC Docket No. 50-480,
December 31, 1975.

Case number: 4
Description: Case 4 is identical to Case 3 except that the recircu-
lation system stops 24 hours after the reactor scrams. Because of
the lower decay heat generation rate, the cime available for damage
control is qreater.
Initial conditions: The water temperature and pressure are equal to
the containment sump water temperature and containment pressure 24
hours after a LOCA, as shown in the Reference Safety Analysis Report.*
Water level is at the bottom of the vessel hot/cold leg nozzles.
. . . ,* 1 /
,Systems emphasized: RHR in the recirculatioc mode.
Significant assumptions: It is assumed that the breach is not larger
than the design basis so that emergency core cooling is adequate to
reflood the core after the initial blowdown.
Available tlme criterion: Uncover the core midplane.
Description of calculation: The basic calculational approach is to
determine the amount of water remaining above the core midplane after
.recirculation stops: and then determine the integral time of decay
heat qenerstion that is equivalent.
Results: Because of a slightly lower water temperature than in Case
3, th.? amount of water above the core midplane is slightly higher
(about 63,000 lbs). The heat required to boil that water in about
6.4 x 107 BTU. That amount of decay heat would be generated in about
. ,
51.6 minutes. Therefore, the core midplane wlll be uncovered 51.6
minutes after recirculation stops.
RESAR-41, Westinqhnuxe Electr~c Corp., U.S. NRC Docket No. 50-480,
December 31. 1975.

Case number: 5
Description: The residual heat removal (RHR) suction line connected
to the primary system is breach*?d at full power. The break could be
caused by opening the RHR isolation valves, which would cause low
pressure piplng to be exposed to full reactor pressure.
Initial conditions: Full power.
Systems emphasized: RHR
, , . , , ..,. ., ..
Significant assumptions: The break'is assumed to be outside contain-
ment, so that water leaving the break is not available for recircula-
.tion. The emergency core cooling system is assumed to operate pro-
perly so that the core is reflooded after the initial blowdown.
Available time criterion: Completely drain the refueling water
storage tank (RWST), which is the source of water used to keep the
core flooded. iAlthough the radiological consequences of releasing
primary water outside the containment could be severe, the calcu-
lation addresses the time available to prevent the consequences of
core damaqc.)
Description of calculation: In order to keep the core covered, water
must be injected at a rate equal to or greater than the rate at
whic5 water is being boiled off by decay heat. The source of this
water is the refueling water storage tank (RWST), which has a
rspacity of 350,030 gallons. Six pumps (two charging pumps, two
,afety injection pumps, and two residual heat removal pumps), are
available for injecting water from the RWST into the reactor. The
ca!culatlonal approach is to divide the RWST capacity by the injec-
tion flow rate.
. ,

Initially, as a result of automatic ECCS operation, all six pumps
would be operatinq. After the core was reflooded, the operator would
have the option of turning off some of these pumps in order to con-
serve the RWST supply. The time required to empty the RWST would
depend on when the operator turned off the pumps. In addition, since
the three types of pumps have different flow rates, the time would
also depend on which pumps he turned off.
Run-out rates for the ECCS pumps are as follows:
.
HHR pump: 5500 gpm
.
Charging pump: 550 gpm
.,,., ... ~, .. .
. ,. .. '.
Safety injection pump: 650 gpm
Results: Assuming that each pump operates at its full run-out flow
rate, the time required to empty the RWST is given below for Four
possible operator actions.
1. If the operator leaves all six pumps running, the flow rate
would be 13,400 gpm, which means that the 350,000 gallor
RWST will be emptied in 26 minutes.
2. If the operator turns off all pumps except one residual
heat removal pump after 10 minutes, the RWST empties in 49
minutes.
3. If the operator turns off. all pimps except Qne safety
injection pump after 10 minutes, the RWST empties in 342
mlnutes.
4. If the operator turns off all pumps except one charging
pump after 10 minutes, the RWST empties in 402 minutes.

Case number: 6
Description: Loss of all electric power, loss of all feedwater flow
to the steam generators, and reactor scram.
Initial conditions: Full power.
Syst.ems emphasized: Auxiliary feedwater.
Significant assumptions: The behavior of the PWR is assumed to go
thraugh
.
four consecucive phases,: ,.,- , , . ,. . , . ,
Phase 1 - all four steam generators boil dry. Steam leaves
the steam generators through the safety valves; the power
relief valves and the mainsteam isolation valves remain
closed.
. Phase 2 - primary coolant in the reactor vessel heats up
and expands causing the pressurizer to go solid. The initial
stedx bubble in the pressurizer leaves the pressurizer
through the pressurizer safety valves.
. . Phase 3 - primary coolant continues to heat up and expand
until saturation temperature is reached in the reactor
vessel. Water is forced out of the pressurizer safety
valves: it is assumed that these valves function properly
to maintain primary system pressure at 2500 psia.
. Phase 4 - primary coolant in the reactor vessel boils and a
steam bubble forms in the upper head. As the bubble volume
increases, more water is forced out of the pressurizer
safety valves. Boilinq continues and the core is cvent-
ually uncovered. It is conservatively assumed t.hat no water
from the pressurizer drains into the hot lag when the hot
leq is fllled with steam.

Available Time Criterion: Uncover the core midplane.
Description of Calculation: The time duration of each phase is de-
termined by calculating the heat required for each phase and then
determining tbe integral time of decay heat generation that is equiv-
alent. The ANS fission product decay heat correlation and a Westing-
house correlation for Np-239, U-239 and residual fission decay heat
are used. Heat transfer to primary system metal is ignored.
The heat required for Phase 1 is calculated assuming an initial water
mass Of 9.49 x lo5 lb. in each of four steam generators, at an av-
erage quality of 7.06% and a pressure of 758 psia. The water is
assumed to undergo a constant-volume pressure increase to the relief
valve setpoint of 1100 psia, and then boil at constant pressure until
the steam generators are emptled.
The heat required Eor Phase 2 is calculated assuming that, at the end
of Phase 1, the average temperature of the primary system (neglecting
the pressurizer) equals the saturation temperature of the steam gen-
erators at 1100 psls, which is 5560F, and that the primary system
pressure is 2250 psia. The primary system then heats up and expands,
collapsing the pressurizer bubble, which is assumed to have an ini-
tial volume oE 720 Et3. Pressurizer relief valves are assumed to
keep pressure from exceeding 2500 psia, heat transfer between the
pressurizer and the hot leg is ignored, and the primary system is
assumed to heat up uniformly. The fluid volume of the primary system
less the pressurizer is 10,682 ft3. Thus, the temperature that the
primary system must reach to expand by 720 ft3 is calculated to be
5990F.
To calculate the heat required for Phase 3, the entire primary system
(except the pressurizer1 is assumed to heat up at a constant pressure
of 2500 psia to a saturation temperature of 6680F.

TO Calculate the heat required for Phase 4, it is assumed that as the
primary system begins to boil, a bubble forms in the upper head. As
the bubble expands, liquid is forced into the pressurizer from the
hot leg, causing a water discharge from the pressurizer safety valves,
which.are assumed to maintain pressure at 2500 psia. It is assumed
that water flows into the pressurizer from the hot leg until the
reactor bubble grows large enough to fill the hot leg to the level of
the pressurizer surge line connection. The size of the bubble is
then about 6000 it). From that point, it is assumed that steam flows
from the hot leg into the pressurizer but that no water flows from
the-pressurizer into the hot leq. The remaining volume of water that
must be boiled to uncover the core midplane is about 2958 it3.
Case 6 is also analyzed using the RELAP 6 computer code. A compar-
iS0n of the computer results with the manual calculations is pre-
sented in Appendix D.
Results :
. The heat required to boil dry all four steam generators
(Phase 1) is calculated to be 2.41 x 108 BTU. ~n calculating
the time required to generate that quantity of heat, it is as-
sumed that the average primary system temperature remains con-
stant, and so stored energy in the primary system is ignored.
Therefore, based on decay heat generation, the time required to
boil dry the four steam generators is calculated to be 65.4
,-inutes.
. Assuming an isobaric expansion at 2500 psia, the heat re-
quired to raise the primary system temperature to 5990F (Phase
2) is 2.78 x :2' BTU. The time required to generate that quan-
tity of decay heat is calculated to be about 10.5 minutes.
. The heat required for Phase 3 will be approximately 5.62 x
107 BTU, and the time required to generate that quantity oE
decay heat is calculated to be about 22.1 minutes.

The heat required to form the 6000 ft3 bubble at 2500 psia
during Phase 4 is 1.66 x 107 BTU. The heat required to boil the
2958 ft3 of water above the core is 3.75 x 10' BTU. Thus, the
total heat required for Phase 4 is 5.41 x lo7 BTU, which will be
generated in about 22.8 minutes. Therefore, the total time for
all four phases is about 2 hours.

Case number: 7
Description: Loss of all electric power and all feedwater flow to
the steam generators.
Initial Conditions: Reactor has been shut down for 1 hour
System emphasized: Auxiliary feedwater.
Significant Assumptions: The reactor is assumed to go through the
same four phases as described in Case Number 6.
. ,
Available Time Criterion: Uncover the core midplane.
Description of calculation: The calculation is done in a similar
manner as in Case Number 6, except that the steam generator second-
aries are initially at no-load conditions, which are assumed to be
1100 psia, an average! quality of 3.5%, and a water mass of 1.66 x 105
lb. per steam gener; tor.
Results: The heat raquired to boil dry the steam yenerators (Phase
1) will be 4.1 x lo8 BTU. The heat required for the next three
phases will be the same as in Case 6. Therefore, the total heat
required for all four phases is 5.4 s lo8 BTU. The time required to
generate that much decay heat, beginning one hour after shutdown, is
about 4.4 hours.

Case number: 8
Description: Disable RHR cooling system during cold shutdown con-
ditions.
Initial
.
Conditions:
.
Reactor vessel head on, primary system solid
.
Primary coolant at 1400F and 50 psig
Reactor has been shutdown for 15 hours
. RNR cooling in progress
Systems emphasized: RHR
., .
Significant assumptions: The RHR primary side suction valves are
assumed to remain open. Theretore, the primary system will heat up
reSult.iflg in Lncceasing system pressure to the RHR safety valve set-
point, which is assumed to be 600 psig. The steam generators will
heat up to the same temperature as that of the primary system. Heat-
ing of the primary system metal is ignored.
It is assumed that the RHR safety valves are adequate to maintain
sysytem pressure at 600 psig. The primary system continues to heat
up, boils, and relieves through the RNR safety valves.
Available time criterion: Uncover the core midplane
Description of calculation: ?,he calculational approach is to deter-
mine the heat required to (1) heat the primary and secondary water to
saturated cond~tions at 600 psia, and (2) boil enough primary system
water to uncover the core midplane. Then the integral time of decay
heat generation that is equivalent is determined. It is assumed that
no steam relief occurs on the secondary side.

Results: Assuming the initial conditions in each steam generator
pressure of 600 psig.
As the primary systems boils, a steam bubble forms in the upper head
forcing water out through the RHR safety valves as it expands. It is
assumed that liquid is discharged until the bubble fills the entire
primary system (except the pressurizer) above the bottom of the
reactor nozzles, a volume. of about 7893 ft3. From that point, steam
is discharged from the RHR safety valves. The volume of water re-
maining above the core midplane at this time is about. 1064 ft3. The
heat required to generate 7893 ft3 of steam in the primary system,
and then boil the remaining 10,64. .ft3 of water is 4..6 x lo7 BTU.
Therefore, the total heat required is 5.6 x 108 BTU. The time re-
quired to generate that amount of decay heat is approximately 9.1
hours. The time required to heat the primary system to ?OOoF is 84
minutes.

Case number: 9
Description: Disable RHR cooling system during refueling.
Initial
.
conditions:
.
Refueling cavity full of water
.
Reactor head removed
Reactor has been shutdown for three days
The reactor cavity water temperature is 1400 F
System emphasized: RHR , ,, .
Significant assumptions: Pressurization of the containment is
neglected. Natural circulation is assumed to be adequate to prevent
fuel damage while the refueling cavity is boiling.
Available time criterion: Boil dry refueling cavity.
Description of calculation: The calculational approach is to deter-
mine the heat required to boil the refueling cavity water and then
to determine the integral time of decay heat generation that is
equivalent.
Results: The refueling cavity water volume is 340,000 gallons, and
the amount of heat required to increase its temperature to 2120F is
2 x lo8 BTU. The decay heat 3 days after shutdown will generate
that much heat in 287 minutes. The heat required to boil dry the
entire cavity at atmospheric pressure is 2.7 x lo9 BTU. The tota!
time required to reach 212OF and boil dry is approximately 77 hours.

Case number: 10
Description: RHR piping is ruptured outslde the containment during
refueling.
Inrtial
.
condltlons:
Reactor shutdown
. Vessel head and upper internals removed
. Refueling cavity at normal refueling level
. The valve connecting the spent fuel pool and refueling
cavity is closed.
. Reactor cavity water temperature is 140oF
System emphasized: RHH
Significant assumptions: The elevation difference betwcen the pipe
break and the initial water level in the refueling cavity is 40 ft.
Resistance to flow between the cavity and the break is equivalent
to 100 feet of 12" schedule 80 pipe, two elbows, two gate valves,
an entrance loss .?nd an exit loss.
Available time criterion: Completely drain refueling cavity.
Description of calculation: The calculational approach is to assume
that the refueling cavity i s a box with a height of 26 Feet and an
area Of 1748 ft2. With this simple geometry, it is easy to express
the flow rate as a function of time using standard formulas as per
the Crane handbook: The flow rate is then integrated ovt r time to
calculate the total time required to completely draln the t,avity.
Results: The refuelinq cavity will drain completely in 49 milutes.
*"Flow of Fluids Thros~qh
Valves, Fittinqs and Pipe," Technical
Paper No. 410, Crane Co., 1974.

Case number: 11
Description: Disable the spent fuel cooling system
Initial conditions:
. Spent Fuel pool is filled with fuel to capacity.
. Fuel pool water temperature is 1400~.
Systems emphasized: Spent fuel pool ccoling system.
Significant assumptions: The maximum heatup rate for the spent
fuel pool is assumed, based on Table 9.1-3 of the SNUPPS PSAR.
Available time criterion: Boil off three feet of water.
Description of calculation: The calculational approach is to
divide the heat required to heat the pool to 212OF and boil three
feet of water by the maximum pool heatup rate.
Results: Based on Table 9.1-3 of the SNUPPS PSAR, the maximum
heatup rate for the spent fuel pool is 11.4oF/hr. Therefore,
assuming an initial water temperature of 140oF, the pool tem-
pecatuce teaches 21z0F in 6.3 hours. Assuming that the spent fuel
is generating heat at a constant maximum rate of 40.1 x 106 BTU/hr,
three feet of the pool water will boil off 6.2 hours after reaching
212oF.

Case number: 12
Description: Drain the spent fuel pool.
Initial conditions: Spent fuel in the spent fuel pool.
System emphasized: Spent Euel pool.
Significant assumptions: A draining flow rate of 1000 gpm is
assumed.
Available time criterion: Drain 10 feet of pool water.
Description of calculation: The calculational approach is to
assume a draining flow rate and divide it into the water volume of
10 Eeet of pool depth.
Results: The pool water volume is given as 10,660 gallons per
foot. Therefore, 3t a flow rate of 1000 gpm, it would take 107
minutes to lower the pool level by 10 feet.

A3. BWR CASES
Table A-2 is a summary of the BWR available time cases. Each case and
its results are described on individual summary sheets that follow
Table A-2.

case Huther
Table 8-22 AVAILAb1.E TIHE CASE SELECTION SUHHAWY - bWR
1 2 3 4 5

Case number: I
Description: Loss of offsite power, reactor trip, and loss of emer-
gency makeup water to reactor vessel.
Initial conditions: Full power.
Systems emphasized: RCIC and ECCS.
Significant
.
assumptions:
Reactor coolant remains at saturated conditions at 1080
... . psig. .. ..,,
No makeup water is available.
Available Time Criterion: Uncover the core midplane.
Description of calculation: The basic calculational appro,ach is to
calculate the heat required to boil the reactor coolant down to the
core midplane, and then to detern.ine the integral time of decay heat
generation that is equivalent. The ANS fission product decay heat
curve, and a Westinghouse correlation for decay heat were used.
Results: The amount of water that must be boiled off to uncover the
core rnldplane is 2.08 x lo5 lb. Core decay heat will boil this
quantity of water in 1.4 hours.

Case number: 2
Description: Loss of offsite power and emergency makeup water one
hour after shutdown.
Initial ccnditions: Reactor has been shut down for one ho*~r.
Systems emphasized: RCIC and ECCS.
. Reactor coolant remains ln a saturated condition at
1080 pslg.
. No makeup water 1s available.
Significant assumptions:
Available time criterion: Uncover core midplane.
Description of calculation: The calculational approach is the same
as that in Case 1. Since the reactor has been shut down for one
hour, the decay heat is lower than in Case 1 and thus more time is
available.
Results: The time required to uncover the core midplane is 2.2
hours.

Case number: 3
Description: The residual heat removal (RHR) system is disabled.
Initial
.
conditions:
Reactor vessel head on
Reactor coolant water is at atmospheric pressure and 1500F.
Reactor has been shut down for 15 hours.
Reactor vessel water inventory is 1.17 x 104 ft3
. RfjR cooling is in operation.
Systems emphasized: RHR
Significant assumptions:
The RHR system is assumed to be isolated after the initial
sabotage event thus, the RHR relief valves do not operate.
. No makeup water is available.
Available time criterion: Uncover the core midplane
Description of calculation: The reactor is assumed to go through
three phases:
Phase 1: Decay heat increaes the reactor coolant water
temperature causing it to expand until the reactor vessel
goes solid.
. Phase 2: Further heating of the water results in an in-
creasing pressure. At 1080 psig the main steam safety/
relief valves open discharging w:te:. The temperature of
the reactor water continues to increase until it reaches
saturation temperature. fieating of metal is ignored.
Phase 3: After the water is at the saturation temperature
bulk boiling begins.. Water continues to be discharged from
the relief valves until the water level drops below the
main steam vessel nozzles, after which steam is discharged.

The heat required for each p h~se is calculated and the equivalent
integral time of decay heat generation is determined.
Results: The reactor goes solid (Phase 1) when the temperature
reaches 1950r, which occurs in 0.96 hours. The saturation temp-
erature of 554.loF (Phase 2) is reached in another 8.02 hours. The
core midplane is uncovered (Phase 3) in another 7.3 hours. Thus,
the total time for Case 3 is 16.3 hours.

Case
number: 4
Desc ription: The RHR system is disabled during refueling.
Init
ial conditions:
Reactor vessel head is removed, but reactor cavity is
dry.
. Reactor coolant water is at atmospheric pressure and
1500~
Reactor vessel watnr inventory is 1.06 x 104 it3
. Reactor has been shut down for 72 hours
RHR coo1i::g is in ?petration.
Systems emphasized: RHR
Significant
.
assumptions:
Heating of metal is ignored.
Available time criterion: Uncover the core midplane.
Description of calculation: The reactor cooling water heats up and
boils at atmospheric pressure. The heat required to boil enough
water to uncover the core midplane is calculated and the equivalent
integral time of decay hea~ generation is determined.
Results: The reactor water temperature reaches 2 120~
in 1.86
hours. The core midplane is uncovered in 22 hours.

Case number: 5
Description: Loss of offsite power, reactor trip, and loss of
suppression pool cooling system. The RCIC system takes suction from
the suppression pool (torus) to supply the reactor.
Initial
.
conditions:
.
Full power
Initial torus water temperature of looo?.
Systems emphasized: Suppression pool cooling system.
Available time criterion: Suppression pool water reaches 1500F*
Significant assumptions:
.
Perfect mixing in suppression pool
No heat loss from suppression chamber shell
.
Constant pressure in reactor (1080 psig)
The average water inventory in the torus is
4.56 x 106 lb.
150°F is assumed to be the maximum suppression pool temperature
permitted.

A4. SUMMARY OF CASE RESULTS
Tables A-3 and A-4 are summaries of the results of available time
calculations for PWR and BWR respectively. The discussion of Section
2.2 utilizes these results to identify the type of events which are
candidates for further evaluation of damage control fcasibility.

lr~ss-01 -cwlant yceater than
charging pumps' capacity and
safely inlrction pulps dlsabled
Luss-ol-coolant less thjn I
chargrng pump capacity and
sabotaye of ',perat lng chary
'"9 YU-v
La~s-of-~~16ldnl and PllR trcirculation
dbsabled 1 haul
later
tass-of-caulant and RHR rr-
crtculstron dlsablrd 1 day
lalec
kltR p l t,rcah ~ outside run
lainlent causrny loss-ofcoolant
Tutal 51 ation I,lackout and
loss of lr~drater
Tatlr A-1: W R RESULTS SUMMARY
Cc itet ton Available Time
uw~ver tole A trr minutes or less
llnruvrt core to mid- 7.9 houts
plane
llncover cote to mid- 52 minutes
plane
tjncc~vrr core In rid- a.
plane
b.
26 mrnutes Ial: pumps
conttnue a1 runout)
49 minutes fall pumps
for 10 rinutes then 1
HllH pump1
5.1 hrrurs (all pwnps
for 10 mInules tlien I
SI purpl
6.7 hours (all pumps
!or 10 minutes I I
clt~rdlnq pvnpl

a l e 4 BUR kESULTS SUMMARY
1 Total stat son blackout and Uncover core to ard- 1.4 hours
loss ot makeup lo leaitol plane
vessel
2 Loss of olfslte ~urer and ulwovqt core to aid- 2.2 hours
loss of ukeup to aeactor plane
vessel alter one hour delay
I Dzsdble RtIR mllnq rllh Uncover cute to mid- 16.1 hours
reactor vessel head in place plane
4 Disable RHR cmllng rlth Ilncuvec core to mid- 22 bouts
reactor vessel head ceuwcd 01 m e
5 loss of olfsitr ~ rwrr
and loss Supptession pol 3.1 hours
of suppression p o l coollag reaches 150°F

APPENDIX B: INITIAL APPROACH TO DAMAGE CONTROL
This Appendix describes the initial approach for investigating
the feasibility of damage control measures to counteract sabo-
tage events so that a plant could subsequently be brought to
and maintained in a stable condition. This initial approach
emphasizes the traditional concept of damage control: rapid
repair to limit the consequences of damage. Rapld repair in
this context includes repairing damaged equipment necessary for
the continued removal of decay heat. It also includes jury-
rigging to use other systems to assist in performing the re-
quired functions. This approach was terminated and nbt used
for reasons discussed in Section 2.3 of this report.
To draw conclusions on damage control feasibility, the assets
required must be known. In determining these, an approach is
followed which defines a set of sabotage events and develops
the assets required to overcome each event. Figure B-1 depicts
the analysis sequence, starting from a definition of the re-
actor states in which damage control would be considered. The
analysis then proceeds through the identification of equipment,
manpower, and time required to effect damage control on those
systems and system elements that are needed to preserve reactor
stability. Following the identification of the assets re-
quired, summaries of equipment and an analysis of transportabil-
ity of various damage control items such as ladders, cables,
and pipes is made.
The results of the time line analyses and the personnel required
to perform damage control are summarized in Table 0-3. Further-
more, summary results of the time to perform damage control
actions for specific sabotage scenarios are included in Table
B-1 and a summary list of equipment needed is in Table 8-2.

.,.
Control Room ?.rmnso
1-5 m ~ n 20-10 mln Some D.C. eSmnts nay be ov.rcon* rlchovt
too11 or rrch CDOL* normally carr1.d.
10 rin Is nosc fcequmc rucn IS drlrn valve 0p.n.d. or cantzol
~smummd .cqu:.I~lon arD1.s cur. Lcnq tm.r rechct need
%,in.. for heavy or s~.cIaI equlpmnc such
1s reldrng or cuctlnq 9.w. 0am.q.
concml Lxko?r rkch th. nscasracy equipment
i.rcept tot special items such rs
:~crlnq >r wldlnql ace rraunnd to 00
n..rgv. spnl p~.c*s.
rtc.. are rn lcch.rs.
c~nbrr. v~rr,

I i i i
~ClncheI :c
.%r:a-;cw: ' w i x
1 l X j
- :u:m ;rcx -
zd;n:L:
' I
3urnxq s*?
: I l X i
'ecd saw I
=?Mn*c
3Ll.L
j 1 ...-.-
I -,--
~C:::*S i
X*:d:nq ua:: I I
EICX S.W ! x i
T!l*a
?*nc!l ..- - ,;:!cC*rl
1 ! I
z:u::I:I~~:?' i '
7':nctr sr:
c :
St:I:scn ,drrnc:
1 I
! / I 1 !
3.: i 1 I

The presentation o f the results of this initla1 appronch are as
follows:
Table 0-1: Summary of Time Linc Response Times
Tahlc R-2: Summary of Equiprent Hequlrements
Table
Time
t i 3: Summary of Time and Staff Requirements
l~ne analysis sheets
B1. DESCH IPTION OF ANALYSI!;
, ,
1,. . ,.Reactor States .. .~ .,. .. ,..., . . .,
Damaqe control is considerc~d fdr a reactor in any one of
three operational states: hot st~utd~wn, cold shutdown.
or refueling. For each of t,hese states the time available
for performing damaqo control operations is calculated as
described in Appendlx A. Dccause of the extremely short
response times requircd for loss-of-coolant events, damaqe
control is not considered for such sit.uations. Other 3ssumptions
made in thc analysis arc that normal (offsite)
AC electric power is lost and that no sabotage occurs
within the primary containmrnt because of restricted access.
2. Systems Required
IJsing information from typical Prcl iminary Safety Analysis
Reports (PSAR'sl the systems that are required t.o be operated
to maintain a reactor in each of the three operating
states are listed. This list of syntrm.? embodies the set
of cquipments considered likely to he sabotage targets and
the repair to any equipment in this set therefore must be
analyzed. The list of syst-ems required to keep a plant in
hot shutdown, for example, includes the auxiliary feedwater,
component cool inq watct , and esscnt is1 service
water system:;, and the diesel qenerator plus vital instrumenlation.
To this list. are ;xlded thr? systems required to
maintain the plant in cold shutdown arJ refueling states;

however, not all systems listed by the PSAR for each of
the states are considered "required". For example, the
charging pumps, boron transfer pumps and control room
ventilation, are not considered absolutely necessary in
the extreme emergency that a sabotage scenario represents.
3. Sabotage Mode
The purpose of this step in the analysis is to establish
the ways in which specific components -- pumps, pipes,
etc. -- of the required systems, compiled above, can be
damaged. This step provides specific damage conditions for
which manpower, equipment and time can be estimated.
4. Time Lines
The purpose of the time lines is to analyze and quantify
times, equipment, and manpower for detecting, responding
to, and performing damage control activities required to
rectify each of the equipment sabotage actions. As il-
lustrated below, a standardized approach is used in which
each step of the response is identified. The time lines
are a depiction of these steps for specific responses. To
quantify response times, an estimate based on personal
experience of the time required is made for each of the
steps. In making the time estimates, however, it is as-
sumed that the damaged component is accessible without the
construction of scaffolding, that there are no obstacles
to access such as security devices or requiring two in-
dividuals with keys, and that no quality assurance is
imposed on the performance of cceLyencg work. The in-
dividual time analyses follow Table B-3.

The following is a discussion of the time line steps.
Initiation t=O
Alarms and This is the estimated time for receipt,
Indications in the control room, of indications that
either producc an alarm or reveal that an
abnormal condition exists.
Control Room This is the time the control room operators
Response require to notice and assess the indications
and alarms. In some cases, the control
room operators may attempt correction by
active response in the control room. How-
ever, the operators eventually conclude
that they cannot remedy the problem from
the control room and that ~t must be investi-
gated locally.
Response of chis represents the time it takes a rovinq
Roving Operator operator to respond to the control room
call and to arrive at the location. It is
assumed that once the operator has decided
that he cannot overcome the problem from
the control room, the roving operator re-
sponds rapidly to make an on-scene assess-
men t.
On-scene
Assessment
This is the time required to determine the
source of the problem. No time is allotted
for the recordinq of evidence. Sabotaqe
intent is assumed to be immediately clear
once the damaged component is discoveed so
minimal time is lost in commencing damage
control actions.

Acquire Damage Assuming there are some local storage lockers
Control Equipment with specific equipment ready to be used
for damage control repairs, this is the
time required to assemble that equipment on
the scene. Specific equipment items needed
are also noted in order to develop the
equipment list in Table 8-2.
Transportability of equipment becomes an
important aspect of this time estimate.
.. . . , . ,.,,. - ,.... . ? . . . , ,
Perform Damage In the time lines the required damage
Control Action control actions are described, step-by-
step, with time estimates for each step.
The number of persons required to effect
the repair are also estimated.
Through the time lines, the assets required for the running-
repair approach to damaqe control are developed.
5. Operator Response Time
In deriving the tune lines, it is necessary to make subjective
estimates of control room operator response times. The speed
with which the control room operator perceives a condition that
is abnormal and beyond his control is important to the viabil-
ity of damaqe control. Other people and organizations involved
in reactor operations consider control room operator response
to be important to plant safety, yet there is no agreement on
what the expected response times should be, given specific
scenarios. Indeed, a draft standard that specified operator
response times received so much criticism that the standard was
withdrawn.

The solution to this problem of agreement on response times
lies in developing a data base. To that end NRC and EPRI de-
cided to conduct experimental data collection proqrams at two
different training simulators. Westinghouse is using their
trainer at Zion to collect data and General Physics is using
their simulator at Sequoyah. The programs are conducted using
selected scenarios to which operators must respond. The op-
erators will be both those who are being newly trained and
those who are undergoing requalificaPion.
The programs will run for two years, with data collection having
begun in December 1978. Although data will be available as the
experiments are being conducted, it will only be after a six
month period or more that the data will become statistically
significant.
The sig~ificance of this data collection effort for the damage
control project is not great since:
The experimental scenarios do not confront the op-
erator with a sabotage situation. If a system does
not respond automatically, the operator initiates it
from the control room. There is no scenario which
presumes that the system is completely lost and that
it does not re'spond to operator action. The sabocage
situation requires that the operator initiate an
investigation of the physical condition of the equip-
ment. Since the experimental program will not require
such operator action, the times developed will not be
entirely applicable.
. Significant results will not be available until some
time after this damage control study is completed.
Therefore, the time estimates used here will remai'
unchanged but may require modification xhen the ddta
base is made available.

6. Establishing the Limits of Transportability
The nominal equipment weight range that one or two workers can
carry is important in deciding for which damage control actions
a lifting device is required. This damage control study assumes
that 50 and 125 lbs are,the maximum that one or two workers,
respectively, can be expected to carry and to handle loads at
above knuckle heights with control. These limits are used on
the graphs (Figures B2-1 through 82-51 which show equipment
weights for various sizes and lengths.
The 50 pound limit is reported in Human Engineering Guide to
Equipment Designt as a result of studies done using unselected
persons lifting weights. That study also recommends that the:
. maximum portable by unselected males is 50 lbs.
. maximum portable at knuckle height (close up) by
selected males is 75-80 lbs.
. maxlnum portable above knuckle height (close up) by
selected males is 65-70 lbs.
This limit of 50 lbs is conservative. Other studies reported
in the above reference conclude that workers can conveniently
lift the following weights to the indicated heights:
height of person - lift t to 3 1/2' lift # to 5 1/4'
These last results indicate that it is reasonable to expect two
workers to lift, position and hold an item for damage control
that weighs up to 125 pounds.
*Human Engine~ring Guide To Equipment Design, Van Cott and
-
Kinkade, Editors, McGraw-Hill, 1972.

The 125 pound limit is repeated in the National Fire Protection
Association Standard 1001 Fire Fighter Professional Qualifications
for Physical Fitness. This standard requires that a indi did ate
be able to lift a 125 pound weight and move it 100 feet without
stopping. Certainly that requirement does not apply to power
station personnel, but the fact that a standards writing
organization considers this to be a reasonable physical task
for one "select" person to perform implies that one can certainly
expect two people to be able to maneuver that size weight.

TABLE 0-3: SABOTAGE TIME LINE RESULTS SUMMARY (FOLLOWS)
a. Sabotage events for generic plant components.
b. Time estimates for damage control of listed sabotage
events.
c. Manning required to perform damage control. Shift
supervisor is on-scene team leader but is not limitsd
in the manning estimates given. Senior operator,
reactor operator, and auxiliary operator are not available
for damage control work. , .
Abbreviations used:
9 Additional operators
M Mechanical task
E Electrical task
M/V Mechanics per valve
m x nE m crews of n electricians each

1 M-J
2 PI
Pluy hole. Rechrtye Lank.
Palch shell. D.C. may lwt I=
feaslblc If lvlrs ate also
ruplured.
Pluy dtain line
Hcplace filcoc elements. b

Hllog in fuel ull inuck LC

A,, t * . . st*. cut
"2 I ..
1.~162 1 Mr'V AM 1.1 c.lrct ire Iwur Iny
~nou#td yuke to ncslrlcl
oCcr,L to Llr-..

LC TIME MWIW ULSIW -ntsk:-
l!*uf"l !%?!%E' :'N!CN lm~ht!k~

1110 IIP AIMS

3 lnqlne starts or rrtanpcs Ea
star:.
suDstance -3 a
viscous or soill .%acar:a?.
e?.a operacor may orrserra a
hijh diLlerentral lressure
3cross tu.1 ti?=.:.
5 mm. rf -.he r e ;
1, Connect an adapts: l5 nln. 31s asa,u~ds a desljn 30Clt:-
t~-.t:nqs and :~u.nper %so usin? :at:on. ;um?er ?l:t:?.q?
'amape control f:re:nqs are zot ?a:: of or~;:nar
;rqv:ded. per id'( des:~..
b&Tk.

14-98 aln.

2 Enqtce s:ops. wall nor
car=/ load (qenerazor
clrcurc breaker opens). ar
ah-EWS are received rn
ccntrgl r9om.
2ay Yank, :JW Live:.
Law :we 31; ?resSu:e
Cn-Scene Assessment 15-40 min. >bser.fr nigh -?, '?-scza1ner.
Open Y-srrar.-.er--de~ac-.:
solid Ceb

SYSTLY: Diesel Generator Fuel Oil Storaqe an& :zmsfer Syscel
SABOTAGr' .WEE: Day tank CraL~ed by areaking drair. Line.
Tine :nterfal
7i3a Line Eveets far 91ent
Initiation 0 smotaqe went ocxrs .
Alarm and Xndicacions Variable. 3ay tank low
:ran~~e~.,p,Ume St0:We
vi;l start before
; day tank low level
alarm and may
prevent this alan
(ran occurrL77.
Level.
LOW lp.v,e;&
Controi Room R.ponse 5-21 mln. op.racors ObSerJe fuel transfer
?up runnmq. C:. It
Clasel rs ~nn~nq, scorlqe
tank Level is ooser~ed :a decrease
nore :aprCly :!an
norma;. Also nay obserra
=%at day cnnk low level dam
~f received, Coes not clear.
Dispatca ravlnq operltar.
Tertlrra Oomaqe C~ntrol
~ctlon :3-20 nln. Plsq drain Lana.
Total Tima 24-51 mrn. IncluCcs only time fzam
receipt at alams.

" ., .
Initratfan 0 sabotaqa event occurs.
~Ldms md :ndiratlons 1 nln. LOW level alan-axpans~on
tank.
Concral Rccn Response 2-5 3x1. r\:tmpt t1 .-KO up :a tank.
9;spatch ravanq aneracar.
9n-Scene dsseasnent 1-2 nm. icovrnq operazor locas 1dr:E
quantities of c?cldnt on
Floor ar.C identxLies cause
as broken caran$ of ;acXeC
coolxnq sump. Reports za
contr31 room that repairs
not .aossrSla.
Acquire Emape
Conzra: Equl?menc
Damaqa contral not oas:b:a
Lor chis eSrenc.

On-Scene Assesrmanc
0 Enq~ne :.mnrng: sabotaae
event acc~ra. Enq~ne
stopped> engine srarza or
actempta eo start.

0 enq-he starts or at:empts
t3 Start.
Con:rol Xoorn Ras;onse 30 3.c.-2 min. D~spatch :cv:n5 opsratsr.
. ..,. ,.. . >:,
Response of Rovrnq
z)peracor
Shusdown enq:ns
xomova filter
i0-30 mln. Cp*ra:or nay obsar-e high
A? aczoss fiLtel dur:ng
star- attempts.

S :
Alarm and idicatrons
Cant:ol Room aesponse
PerfsrJI Damaqe
Contrnl Act lon
Dlerel rdnerator Lube 3 2 5ystern
Ti.ae :nterlal
Lor Event
0 Lnqina runnlnq: sabotaqr
event occurs. Enq;-.a
stopped: Enp:?.e starts
or at-enpts to sear-.

SXBCTACE XODE: 5tar:l-q alr tank deoresrurrred.
:c is nsaumod sabotnps
pravents Low starcmq air
Tressure alam. Ecqlna ?&i:s
:o scar= on demand.
Caner31 Room Response 30 sac.-2 nln. Dispat:n r3oinq operstor.
Xcpulie 5ma5.
Control Equl?nenc

. .
Time Zncerm:
TLm i:ne Lvancs tsr E.ver.5
:niciaclon o Sabacaqa event ocC11:s.
Alarm and 1ndicac:onr 30 sac.-l aln. Low srartinq air prtssurm.
Conc.~ol Room Raspcnae 30 sac.-2 xn. 9ispacch ravx; aperator.
,.~: , .,. ., . , . . .. .
On-Scene Xssesamrnt
Perfom Damaqa
Cantrol Actlon
Pluq holes
Sacura pluqs viserap
R.cn.rq* a1: tanks
Total Tim.
1-2 am. If lrrje rupture.
1-5 am. :f rmaLL c'2pture.
5 ax. 3amaqe concrol LmasLSle for
small rxpcurs only. Equ1)-
rant requrred includes
harmer, vo&.an ?i,Jqs. qas~et
materxal. vlre sr scrlpplnq
to sacsra ?luqs.

inirration 0
Albms and indications 20 min.
ConrrJl Won Response 30 5ec.-2 mLn.
9175 ?:e3s 518 hose
1400 ?rll
Porrab:. Compralsoc
pa nipple, vrencnes
Kosa Xddpter
3-5 zip..
1-5 mrn.
5-15 mi.".
Sdbotaqe even= occurs.
LOV szarcinq a x pressure.
Tme ro recelre 31s ah03
is dependent on ini'ial
pressure icd :+ak down :ate.
20 xnutas 1s asrumad.
Observss obvious pnysical
damage =a :crnpreasorr.
"-
2. Provld. hose cannaceion
on comprassor d1rchar;e
:inas co starzinq alz
tanks.
inscall hose adapter :a
star-mq rlr cank dram
nipple and connecr hose.
or connect hose ca peaex~stinq
connection on discharqe
llm.
Portable compressor sirad
to mast this t~ne req"ir.man:.
"oes not include 'iae :a
receive &lam.

Tine :ntarva:
Trm Line Events tor Event
.,.' . . . . . R1.m and inf2icrcrons 5' min.
. ...,.
Control Room Rplponsm 30 sac.-2 nx.
Acquire Damaqe
Con crol Eq.xpmenc ?5-10 aln.
Perform Dmga
Control Actlon
sabotaqe evmt oczurs.
Reactor in RHR c0ol:nq
condrcion.
~rnpatch :ovlaq operator.
Operators may racognlze
event and cLo1e RqR
:roldtxon 'Ialvrs.
60-180 mm. Two teams of t>ree ?lire-
frttera. Staraleas rcml
cutclnq and ue::~aq may w

SYSTS..: Relidudl Heat Ramova?. jystmn
SddOTXCE YCICDE: aupture in shell of W R bar. exchacqer.
Contr9: Room Responsa
Response ut Rovtnq
operaroc
On-Scenr Xsless.?ant
30 sac.-2 mln.
1-5 min.
S6Sotaqe event occurs.
React~r In .WR coolinq con-
ditrsn.
w :!ow, :CY Iron .WR heat
excnanger. lecreaaxq :eve1
:n CFJ use -.u.k, ma:, ;ec
low Level alarm.

Aiams and 1sd~cac:ons L-i3 w n. raw Tras$urn. pup drsc5arge
LQW Leedwaeer flow ;nd:-
ca51on.
SCW :grSum soeed ~ndicaeron
CantroI Rooa Response 10 iec.-2 312. ~etampt mua: rescar:.
31$?atch rovinq ogerlear.
Responra of Rovznq Onerat3r 1-5 mm.
?er:Jrm 3mqe
Contra1 Action
Total TLW
?and cools.
13-30 a m. iu-. away haqed p?mq
or tubinq. Insta;: holm.

Initilz~on 0 Demand tar X. syeern.
Cantroi %om Basponre 30 set.-2 nrn. Aczenpe nklual restar+.
Caeck open meor-~per3re<
steam is0:aeion 'Iuves.
Disaatch E?V:nq Op4rlCO~.
?erfom i)smaqa
Cmtrol Action
11;. C?eraeor hears sound ot
ascaplnq hljh ;resr,ue seem
my not be anla to enter
pump room. 3eports szea
laak r.0 cor.tro1 roan.
Coner~l r~orn clases stem
rsolarlon val.>es. Danaqa
Located and assessed.

1nlti4tion 3 ?amand Lor Xi'& system.
On-Scane Aasasrmanc 3-5 %in. Requests conciol mom scar-
?urn?. Sbsarves aotor %tali
or sxc5ss;m v:brrcion.
:

Iaitiacion 0 Demand :sr Afi4 yYtel.
XosFnse of aovlnq O?erator 1-5 mi.?.
'9n-Scene Assalsmenc 1-30 %in. :4ay discover lxae~cn ot
?u: :;ulck:y :! .:xs?lcuour.
:? not, zay requasc
assistance of elaczrician
:a :heck far :a.s!xal '7oicage
at Tocar.
Acquire 3amaqe
ionrrol Equrpenc
:dans:?y cable in :ray.
?ull back caole to ?roVlCo
vorkablm lanqt? md z3

SI\BOT.\CE XOOE: Xanual .ralve. 'Value snur, snat'. '.?.:cads 2maced.
Xlrrma and :ndicaclons
Sabotage event 0c:Urs.
system runnlnq.
3emand !or ZSWS. 3yscea
shut lorn.
Control Roam Response 10 sac.-? ain. Acknowledge aiams. Check
l:ow. Check ?oslzrons af
aii ,raives mat are mdl-
cated. Check pumps
oparatinq. Olspacch :svl?q
operator.
$a-Scana Asseasmenc 5-15 nln. aovlng operator onecks -flat
?umpa are operatlnq and
a t irrchrrqe pressure
hrqn. 'dalkr Chrouqt!
system. Drscovers daaaqed.
zlorud valm.
zo aliov oalva co
be re-openad: !~:es,
pancl? grander, alr nose.
cold s e l s hlmmer.
cqul?ment to dlrassemb?e
valve and removr ilsc or

34-i~2 min. Note: Riarnq stem '~alve
assmed.

Controi Room Rer?onsa
Carand tor RT:J system.
me change.
?~liLnq water :evels rn
stem 7anera:3rs.
LJW ?.v*l, seem ;eaeratora
Yore valve posrrlon rndl-
taclnq llqhcs shov valve is
ziosad. Xctanpc remote
aanuai operation. XcXnow-
Ladqa hov Levrl alara.
31spatch ravmq oparacor.
CnboLs yoke !tap uor~s!
Lrm bonnet. 1a;m top
vorkr rlc.9 stm at:ached
.mcil vaive ?iuq IS in open
?oiticc.

SYSTZX: Auxa;;ar( Peedwe-er System
:XaOTXCE .WOE: AX-operated valve -- scam :ut.
-me Line E.fYncs
Inrciatlon
Alan) and :ndicac~ans
Can-rol Rocm Response
Xesponsa of bvlxg Operatsr 3-5 mix
0 Demand for AFW system.
9-13 nan. :nd?ca:ron of no au-
rLrarl ieedwater flow.
Valve mdrcatxg :Iqkt
snow closed. Fallznq
leveir in s:ean qenerators.
Low level, steam qeneratlrs
10 sac.-2 %an. sote posrtron inCfcbtion.
actmpt remote mnual
aperation. Acknowledqe
:OW Level slam. 3lspdtCk
rovtnq operator.
On-Scene Assessmen= 3-5 man. 3ovLnq aperacor 3bser'r+s ,
syscem cond::Lan agpare
n a . Checks ra17.
poazcron. Requests COntrCl
room open valva. 2brerrss
C'X seam.
60-120 am. Iasconnect air line Lrom
diaphraqm or pasrtioner.
Unbolt bonnet and remove.
Pull stem and ~ 1 . ~ ss~enb~y
9
out of stu:tinq box. ?lace
aceel dowel rod equal rn
5lameter ro stem rn sc.:ti-
2.i~ 30% :o Lam seal. Replace
3cnce:.

Can=:01 Room Response
ACquIre Ssmaqe
Control Equiprnmc
PeCIam 0am.q.
Concrzl Acclon
f im :nzo:val
to: :vent
10 set.-2 mtn. !lore ?osr:ion 1ndr:az:orr.
!lore no flow r:.dlss:ton.
Ac:anpc rmore lanuai
qerarion. Ackncnisdqe
:cv lwe? aiarn. 3ls,paCz>
:,vlnq 3pe:a:z:.
1-3 mln. RovInq ogeraczr s2ecks
valve ?oaleion clgsed.
yay hear sound af escap:nq
a : xay Obsarm :e:a
supply s: :oadlnq ?:assu:a.
Checks 11: ayscm. :b-
serves hrshsn irr line.
5-13 xln. ?nr-.abie 41: :r ;as
cylinder vlzh ;ressu:s
requhcor and ?:ess'xs
qauqe, a1: !mse, hose
adapter, tublnq and
f:ec:nqs, c,xb~:.q :-2t:er,
ursnches.

C~n=:?l Room Response
u :ntar!al
for Event
0
30 ;ec. -2 rin.
10-20 min.
10-60 nun.
Demand for U'ri syrtam.
-AS isw flow radlcatlon.
Fallanq lavels in
stem paneratera.
Valm posl:~on lljhcs show
valva ln ~ntmrxeduta
postcton.
LJW level, s t janeracara
sot* Lncomplete valve rra-
v.1. xoce low X d fI0W.
at:ampc :smote manual
valve oparatlon.
Xcknowledqe ?cw iwal
31am.
3;spetch rovlnq operatJr.
Rovlnq oparscor abaarles
rmoca manual speratlon.
AttemptS local olectr~cal
md manual Operation.
Observes stem Oarnaqs.
Wrenchas, Chdln fall.
button ~ack, wood :rtbbrnq
Unbolt yoka from valve
bcnnet. Jack or holst
yoka and aperator
asaambly away from bonnet.
'lalve scam rs capcurad
by valva operator. atam
vl:l travel ,~p wlrh
operator and yoke
assembly and va:va vl::
>pen.

Alrna and InClcacrona 3-la >&n.
, ,
Caneroi Rcom 3esponae 10 sez.-2 nin.
Rasponaa ?i R0v:nq Orlracor 1-5 am.
On-Scana Aasaasmenc 1-?S arn. Rovinq operacor obrer-ran
damaqa to va:m operrcor I:
3bVlOUJ. 1: no+, a='.Cm?ta
local elec'.ri:al and nanua:
operation. Repor=s jmarrnq
]amad or CisenqaqeC.
Xrtnchea. chain Lall. 3uezan
:ack, vood crlbblnq.
Unbolt valve aprator ?ram
nouncing flange at cop of
yoke. 2ack or hola:
oprraeoe dsae.nbLy of1 yoke.
'lalve atem is :apcueed by
valve oparacar. Scea rt?:
travel rLc.3 aper?.ar snd
valve WLii apar. A. '9raaLs?y.
bole bonnet e : ,%-'la 5oW.

:2itlrtion 0 Sabocaqe event occurs.
~lannr md Indrcatlonr 3-15 am. TI.nlnq and c:ec ot il3ms Are
syscsn dapenCent. Tgal:ally:
;ow Level, Lou ~r%ssure. :ow
L l w . h~qh xraa rxdi3clcn
a l a s :~.;n ?.ram a n :avala.
anorma1 flow indl;ac:ons.
acqu~r* Oamqe Control
~qu~pmenc
Psrtam Zamaqs
Control Aczron
TOt.1 Tim0
10-240 min. 7a::h 3amaqod ractlun I:
jamaqe is nlnor. :L damaqo
is malor, re?nOva dmaqed
sectlon and replrcs wlth
spool plecs Aslnq Drssrsr or
Plrdco coupllnqs.

OsntrJ: Room lespcnsa 13 sac.-2 azn.
Ac:u:ra Jmqe
Ccntrol Equqment
Sabotage event occurs or
demand far equipment.
LOW sus voltaqr.
system ;arametsr *lams.
Loss 3: Fwer avarlabla
rndrcaclon.
:nC~catlons that sqal?mer.r
not operatxng.
Xckxvledqe rlans.
Acfm~t :euwta ndnual stars.
31Spdt3h SOV:Aq OPeSat3S.
Xay 5:acover locat-on of
CUE ;u:ckly :: conspLc*aous.
i L not, nay requrrs assxsr-
ance of alactrlclan.
Pgrcable Sank saw. .:remolded
connsczron, soi'rent, cord,
kaife, spl;:o 212.
compression c~ol.

112-1147 min. IAsswrnq sp1ic:nq. not
c*mi~.atinql.

:cltiacion 1 Sabocaqe event occur.
;ontral Room assponso 30 sac.-2 7-3. 3~aparch r?vLna Jperlcor
Concurrent: ?:'I-130 m:a.
i am - cue bus wcrk
i.? m aqed area away
from urabia bur.
2 aon - clam up Canaqea
area. :Lean rest af bus.
Cancurrant.
2 xan - cue iccler cao?es
back from ar.aker where
insuiacron is adaq~aca
2 man - 1 rrnalnxq bus
'work for cable connsc;:on.
Canc'uzren-. :
2 am . spi:ce r.ew cabLa
idnqthr ro existlng iabie.
2 nen - '.enr:ats :ab:e
;anqc>s sc bur vork.
.
1-30 arc. Assistance of aiacrrrclan
xay je required LZ C&?aqa
cot obvlous .

Xiamo and :ndrcatrans 9-13 nm.
ControL Room Response 10 sac.-? xn.
On-Scene Xssessmanc
0-1 %in.
?br?orm iamaqa
Concrai Ac- an 120-960 ax.
canc'u:enc:
2 mn - cur damaqed bus
work way fram rest 0: bus.
2 aan - clean up damaaed
area. clean :sac at 3us.
Concurrent:
2 man - cut Load cable
back from breaker vhers
insulatlan LS adequate.
2 a n - 1 1 ramamlnq
buswork !Or CAD^ CO
jwpbr ovrr csmoved rcc=:on.
Locate spare Sreakrr.
sabotaqa even'. oc- -ass 3c
ienand for rqulpment.
:Joce system indlcarions.
Xcknov?adqe allrnr . 3:s-
?atch rovlnq operazar.

1 am - rd:grt :miry.
Total Tine 114-998 mrn.

SYSTPV: 48OV Class :E Electrical 3istribution Systrm
SXBCPXGE .%DL: 480'1 ncc load breaker daarr9yed.
Tim :nterral
5r Event
0 sabotaqe event occurs or
demand Car equipment.
t Alana and Zndfcatlona 1-10 nan. FeeCer breakez may trap.
System parameter rrdlcact0c.s
and aiarns.
fiotor falls eo stare 9n
demand.
$
Contrll Room 3crponse 30 sac.-? nln. :lore system indlcatrans.
Xckzowladqe aia-7%.
3ispacch rovr-q operstlr.
On-Scene Xsaassrnant 0-1 rln.
Acq-lire Dmaqe
Control Equ:?mant 15-10 at.?.
?*r.orm 3amaqe
Control Action
1. : nan - splice c~blcs. 10-50 alns.
1 zuo - camanace
cablea ae new XCC
breaker.
2. If using sun8 XCZ; 120-240 ain.
Cut damaqed bur
work, verelcal and
horrzontal.
Connecc cables iram
hoeironell bua to
usable breakers in
I3e sme vertical
stack Is :he carpet
bceakor.
Clean up equt;ment
cable cut:ers.
sp:icrnq equ.: --men:
!prsmolded l
Note: :he fxst and %xi
actrvrttss can proceed
sixltar.eous:y if ampower
1s avatLabie. Ett!!e:
actrvrtles 1 and 2 or 1 and
3 would be per:orned.

C1. APPROACH
APPENDIX C: OPERATIONAL DAMAGE CONTROL ACTIONS
The approach to damage control as described in this appendix depends
on other installed systems and abnormal operating procedures
to overcome the effects of sabotage on systems normally required
for certain critical functions. The multiplicity of ways available
to provide these system functions are described. In order to
define the required functions and system svailability, the followlng
important assJmptions are made:,
. , . . . . .
. , , ,
. At the onset of the sabotage event all sources of offsite
e~actrical power are assumed to be indefinitely
interrupted.
. All reactor control rods are assumed ta be inserted when
a scram signal is received. As discussed in Section
2.2.3 other sabotage countermeasures are relied upon to
assure that the control rods are inserted.
. There is no coincident significant loss of coolant as
discussed in Section 2.2.2; loss-of-coolant sabotage
events are not amenable to damage control response.
. Thfa plant has been operating at full power for an indefinite
period of time.
. Sabotaqe acts committed during shutdown periods or refueling
are easiei to counter since the time available
and access conditions greatly expand the possible mitigating
options. (The times available for these conditions
are ;rscussed in Section 2 .2.4 and 2.2.5 and in
Appendix A. As a result, specific damage control options
in these modes are not der1ved.l
Under these assumptions the primary aim of the operator is to
bring the piant to a safe and stable condition -- defined for this
purpose to be hot shutdown. In derivlng the mechanisms available
to the operator, the plant and its associated systems are eval-
uated in light of the assumed circumstances. (For example, ECCS
loads on the vital electric buses will not be needed.)

For each model (BWR and PWR), the following elements of the eval-
uation are de~~eloped:
( .
1. Establishment of the principal required functions to
maintain the plant in a hot-shutdown condition. In
particular the basic considerations of coolant inventory
control, decay heat removal, and primary system pressure
control are addressed.
2. Identification of the systems and components that would
. . . . , . .
3.
normally be expected to perform these functions.
Identification o£ auxil;'a; ies and support system's required
for each of the systems.
4. Determination of alternative ways of performing the
principal functions and providing needed support services,
including procedural aspects of each method.
5. Definition of the procedural steps needed to initiate
the alternative actions.
6. Examination of any hardware changes necessitated for
each action.
Candidate damage control actions are identified and described.
Each of these is individually evaluated and presented in evalua-
tion sheets included in Section 3.
The object of these analyses is to identify only those actions
that may be employed to maintain the cequired minimum plant func-
tions to preclude a major loss of fuel integrity. Systems and
components that are "desirable" but not. essential are not specif-
ically addressed. Included in this cate?ory are several plant
,in~trument.ation systems (i.e., control rod position, reactor loop
temperature, contain~nent pressure, power level, etc.), sampling

systems (containment and prlmary system), and the reactor cleanup
, ,
system.
C2. PRESSURIZED WATER REACTOR (PWR) APPLICATION
For this analysis the initiating incident is considered to be a
complete and sudden loss of the offsite electric power supply(s).
Under normal conditions (without an associated sabotage event) the
plant is designed to be self-suffic ient, maintaining the reactor
systems in a safe and stable condit ion at hot shutdown with a
.,. minimum of operator action.
,. ,.... ,,,,, . . .
. .,. ..
C2.1 SYSTEMS REQUIRED - NO SABOTAGE EVENT
Upon the loss of offsite power, the main turbine generator and the
reactor trip instantaneously. As the steam generator pressure
increases, the power-operated steam relief valves are automatically
opened to atmosphere. (It is assumed that :ne main condenser
steam dump is unavailable.! If required, the self-actuated steam
generator safety valves may also open to maintain steam generator
pressure at an acceptably low level and to dissipate decay heat.
The auxiliary feedwater system starts automatically to supply
water to the steam generators. In this manner the plant can be
maintained at hot shutdown indefinitely. The charging pumps in
the chemical and vnlume control system will continue to operate to
provide makeup water to the reactor coolant system as required.
Table C2-1 is a summary of'those systems normally tunctioning to
maintain the vital services to the plant.
C2.1.1 Primary System Inventory Control
The chemical and #volume control system (CVCSI is designed to per-
form numerous services for the reactor plant, including:

FUNCTIONS
-
Primary Coolant Inventory Control
Decay Heat Removal
Primary System Pressure Control
TABLE C2-1
NORMAL SYSTEMS
i
SYSTEM
Chemical and Volume Control
Auxiliary feedwater
Steam generator safety/ release
valves.

. Maintaining pressurizer water level in a programmed band
. Prov~ding for primary system makeup and boron chemical
shim and
. Providing pumps for high-head safety in;eccion when the
safety injection system is actuated.
I I Maintaining reactor coolant chemistry conditions
The CVCS system comprises numerous tanks, pumps, heat exchangers,
and other miscellaneous equipment. In view of the complexity of
this system this discussion will be limited to only those func-
..contr ibut ing to inventory. q~ntrol and makeup. , F,igur.e C2-1
is a simplified diagram of the system. For this case, the two
charging pumps are most ~mpoctant in providing mak+up water to the
prlmry coolant system. As shown, they can take a suction trom
the volume control tank, from the refueling water storage tank, or
from the discharge of the safety injection pumps.
. :!,..,&ions
.. ,:
Pressurizer level is normally controlled by the CVCS system Sy
using a continuous bleed (letdown) and feed (charging) process.
The relative magnitude of .the letdown and charging flowrates gov-
erns the net change of pressurizer level. It is likely that when
offsite power is lost, the operator may secure letdown flow and
crDntrol pressurizer level by manually controlling the chargir.g
water flow control valve or cycling the charging pump(s), thus
making up for system losses (i.e., shrink, leakage, etc.) Table
C2-2 provides a summary of support requirements for the CVCS sys-
tem.
Decay Heat Removal
The standard mechanism of decay heat removal at hot shutdown is by
venting steam to the main condensers via the turbine bypass valves
while feeding the steam generators with the auxiliary feedwater
pumps. The reactor coolant pumps normally operate to circulate
water through the steam generators and reactor core. When offsite

Chemical and Volume Control System

FUNCTIONS
4160 VAC Power to charging pumps
125 VDi' 4160 KV switchyear
Central Power
480 VAC Motor-operated
valve operator
instrumentation Pressurizer level
120 VAC Instrumentation
Volume Control Provide water at the
Tank suction of the charging
Pumps
Con~ponent Pump seal cooling
Cooling Water
TABLE C2-2
CHEMICAL AND VOLUME CONTROL SYSTEMS
SUMNARY OF SUPPORT REQUIREMENTS
POTENTIAL
ALTERNATE ( S)
None
Manual breakel
operation
Manual operat ion
None
Use portable power ;
supply
Refueling water
storage tanks
REMARKS
--
Powered from diesel generated
buses.

electric power is interrupted, the main circulating water pumps
will stop, thus eliminating the main condensers from consideration
as a heat sink, and steam venting to atmosphere via the steam
generator safetyjrelief system will serve this purpose. Additional-
ly, the reactor coolant pumps will stop, shifting the reactor
coolant system into a natural circulation mode. During this period
the auxiliary feedwater system will continue to supply feedwater
to the steam generators (Figure C2-2 is a simplified diagram of
the auxiliary feedwater system). Table C2-3 provides a summary of
support requirements for the auxiliary Eeedwater and steam qenerator
safety/relief systems.
C2.2 BACKUP SYSTEMS -- REACTOR COOLANT INVENTORY CONTROL
C2.2.1 Safety Injection System (SIS)
The function of the SIS system is to provide berated makeup water
at high pressure in the event of a loss-of-coolant accident (LOCA).
The system consists of two electrically-driven high-pressure pumps
connected to the primary system loop piping and supplied with
water from the refueling water storage tank (See Figure C2-3).
Since the shutoff head of the SIS pumps is approximately lGOO psi,
this system cannot be used until the reactor coolant system pressure
is reduced to something lecs than this value. It is unlikely
, :.
that the operator could reliably depressurize in one hour. One
potential application could be placing the two SIS pumps in series
in order to increase the discharge pressure of the pair. In this
case the system wlll requite manual valve manipulation and initiation
from the control room. A summary of the support requirements
for the SIS system is provided in Table C2-4.
C2.3 ALTERNATE SYSTEMS -- DECAY HEAT REMOVAL
The only practical method of decay heat removal ilrtdec hot-shutdown
conditions followiny an extended operating perlod is by using the
steam generators as an intermediate heat sink. If the reactor

Auxil iarv Feedwater Svstem

." ,.,-
4160 VAC
(vital)
125 VDC
TABLE C2-3 '
AUXILIARY FEEDWATER 6 SAFETY/RELIEF SYSTEMS
SUMMARY OF SUPPORT REQUIREMENTS
POTENTIAL
FUNCTION ALTERNATE ( S
-
Power supply for electric None
aux. feedwater pumps
Turbine control Manual operation
Steam generator relief Manual operation
valve control
Electric motor control Manual breaker operation
120 VAC ~ir-operated valve
operation
Manual operatiun
Portable power supply
Plant control Air-operated valves Manual operation
air
Instrumrntation Steam generator level Wne
Condensate Water supply
Storage Tank
Condenser hotwells
Essential service water
system
Pire protection
system.

4160 VAC
vital
125 VDC
121) VAC
FUNCTION
Power to SIS pumps
Valve operation
Pump breaker control
Instrumentation power
supply
Instrumentation Pressurizer level
Retwling Water Water supply
Storage Tank
component Pump seal cooling
Cooling Water
TABLE C2-4
SAFETY INJECTION SYSTEH
SUMMARY OF SUPPORT REQUIREMENTS
POTENTIAL
ALTERNATE0
None
Manual operation
Manual breaker operation
Use portable power supply
None
Condensate storage tank
REMARKS -

does not have an extensive power history, cooling could be accom-
plished by a feed-and-bleed process using the charging or safety
injection pumps, however, this case is not pursued in this
analysis.
C2.3.1 Maln Feedwater System (See Figure C2-4)
The function of the main feedwater system is to supply feedwater
to the steam generators and to maintain the desired steam qenerator
programmed level. ~ t major s components are two steam-driven
feedwater pumps, two electric main condensate pumps, and the feedwater
heaters. The main condensate pumps supply condensate from
the'main condenser hotwells to the suction of the main feedwater
pumps and provide them with an adequate net positive suction head.
The feedwater pumps increase the line pressure and inject water
into the steam generators. Steam generator water level is normally
controlled automatically by the feedwater regulating valves at
the discharge of the feedwater pumps.
At the onset of the reference event (loss of offsite power) the
feedwater system will shut down as the result of the loss of power
to the condensate pumps. The main feedwater and condensate system
could be restarted to provide feedwater to the steam generators
for decay heat removal. This would necessitate shifting the elec-
trical supply of one condensate pump to a diesel generator bus and
restarting the main pump. In addition, the feedwater pump steam
exhaust must be vented since the main condenser is unavailable.
The relatively low flow rates will likely require manual flow
control operation either with the feedwater regulating valves or
bypass valves. System support requirements are summarized in
Table C2-5.
C2.3.2 Safety Injection Systems (SIS)
Assuminq that -he safety injection system is not needed for primary
system makeup, it could be used to free tPe steam qenerators.

FIGURE C2-4
Main Feedwater System

TABLE C2-5
PAlN FEEDWATER SYSTEM i
SUUMAHY OF SYSTEM REQUIREMENTS:
POTENTIAL
FUNCTION ALTEHNATE (s)
120 VAC Turbine control system Operate manually
115 VUC Breaker control power Manual breaker operation
Main Condenser Condense teedwater pump Vent to atmosphere
t, auxiliaries turbine exhaust
4160 VAC Operate Condensate Switch to vital puwer
pump(s) source
REMARKS

This would require isolating the satety injectLon punps from the
downstream safety injection system plping and llning up the SIS
pump discharge to the main feedwater supply header(s). The safety
injection pump suct~on would also requlre shiftinq from the tefueling
water storage tank to a condensate storage tank or condenser
hotwell to minimize boron inlection ~ nto the steam generator
s.
C2.3.3 Main Steam System Ventinq
In. the. ..unlikely event that the main. steam safety/relief ;valves are
inoperable, the main steam system can be used for steam venting.
The main steam system is provided with bypass piping capable of
dumping steam directly into the main condensers. This can be
accomplished by opening one or more of the main steam isolation
valves IMSIVs) (or MSIV bypass valves) and the steam dump valve.
Steam will enter the condenser and exhaust throuqh the maln steam
air ejectors.
C2.4 SERVICE SYSTEMS
In order for most of the systems to function it is necessary that
various support systems also be in operation. The system require-
ments tables summarize these requlred services. A further discus-
sion of each and potential damage control optlons are presented
here.
C2.4.1 Essential Service Water (ESW) System (See Figure C2-5)
The function of the ESW system is to provide forced cooling water
to critical plant equipment. It consists of two electrically-
driven pumps supplying two separate headers that branch to the
individual components to be cooled. During normal operation the

ESW pumps are on standby with cooling water beinq supplied by the
plant service water system. In the event of a loss of offsite
power, the ESW system will automatically isolate from the service
water system and the ESW pumps will start. Table C2-6 is a sum-
. . of support requirements for the ESW system.
i . ...
mary
Dependinq on the mode of system failure, numerous backup cooling
mechanisms could be made available. Assuming the system is struc-
turally intact, the following actions can be taken.
Servlce Water System. Re-enerqlze the plant service Water pump to
. ".
provide flow -- an emprgency power source for the service water
pump is required for this action. ,
Main - Feedwater System. Connect the main feedwater pump diqcharge
pipinq to critical equipment using condensate as a cooling medium.
This alternative is limited by the quantity of excess condensate
available since it would be a once-through type arrangement.
Fire Protection System. The diesel fire pump, being independent
of other plant systems, could provide an emergency source of cool-
ing water.
If the system is not intact, then individual components would
require cooling via individual pipe or hose connections to these
systems.
C2.4.2 Class 1E Electric Distribution System -- AC
The Class 1E electric distribution system is designed to provide a
reliable power source to those systems and components critical for
the safe shutdown of the plant. The emergency sources of powec to
the vital service buses are the diesel generators that start auto-
matically upon a loss of offsite power (See Figure C2-6). These
qanerators and buses are mutually independent. They cannot be
cros:;-tied to the opposite diesel qenerator or enqlneered safety

4 160 VAC
125 VDC
TABLE C2-6
ESSENTIAL SERVICE WATER (ESW) SYSTEM
SUMMARY OF SYSTEM REQUIREMENTS
FUNCTION
Power to ESW pumps
Breaker control power
POTENTIAL
ALTERNATE ( S
None
Manual breaker operation

features (ESF) transformer. Table C2-7 provides a sunmdry of
support requirements for this system.
C2.4.3 Non-Vital Electric Distribution -- System -- AC
The non-Class 1E electric distribution system provides power to
those plant components not considered essential to the safe snutdown
of the plant. Since one of the precepts of operstional
damage control is the use of non-vital designated systems and
components as emergency backups to vital equipment, then allowance
must be made to provide these with a reliable electric power Supply.
This can be accomplished in pne of two different ways:
1. Power components directly from a vital bus or provide an
alternate (switchable) power supply from a vital bus.
2. Modify existing circuitry to permit loading the diesel genera-
tors with selected non-vital buses.
C2.4.4 Electrical Distribution - 125/250 VUC
The DC system, as shown in Figure C2-7 is composed of:
. Four (4) indepehdent Class 1E - 125 VDC subsystems,
. One non-Class 1E - 125 VDC system and
One non-Class LE - 250 VDC system.
The significant loads supplied from the DC buses involve primarily
the Class
.
1E circuits and include:
. Diesel generator control and field flashing
AC breaker control . Vital inverters . Emergency 1 iqhting
The relative independence of the system suggests that a potential

155 VDC
Essential
Service Water
TABLE C2-7
CLASS 1E ELECTRIC DISTRIBUTION SYSTEM - 4160 VAC
SUMMARY OF SYSTEM REQUIREMENTS
FUNCTION
POTENTIAL
ALTERNATE ( S
Diesel Generatar Field Por table supply
Flashing
Diesel Generator Control
Portable supply
Breaker Control Power Manual Breaker Operation
Diesel Generator Cooling (See Sect ion 2.5.1 )

FIGURE C2-7
DC Electric Distribution SyStenlS
,.rW I,., < YII..I.II.II. .I,.-
..=. ,-.
I , I.
1111
I

t .
damage control option -- that of cross-connecting buses -- could
be accomplished with appropriate system modification. These
options include:
. Supplying one battery bus from the battery associated
with a different bus or tying the buses together with a
bus- tie.
Providing power to one or more Class 1E 125 VDC buses
from the non-Class 1E 125 VDC bus.
Providing power to one or more Class 1E 125 VDC buses
from the 250 VDC bus by reconfigurinq the battery con-
nections and providing a bus-tie.
, . ,
. Providing designated c&ponents with a multiple set of
power sources available with an appropriate Selector
switch mechanizm.
C2.1.5 Component - Cooling Water (CCW) - System
The function of the component cooling water system is to cool
critical piant components. Although this system serves other
importai~t reactor components, such as the reactor coolant pumps
and the RHR system, for this analysis the significant loads are
the safety injection pumps and the chacginq pumps.
The system consists of two redundant., closed loops each containing
two pumps and a heat exchanger along with associated piping, valves,
instrumentation, etc. (See Fiqure C2-8). Normally, the system
has one pump operating alonq with one heat exchanger. The second
pump is on stdndby and will start if the system experiences
trouble (e.g., low pressure or pump trip). Tabla C2-8 is a sum-
mary of the CCW system requirements.
In the event that the CCW system is. disabled but intact, several
option:; could he available to the operator. 'These include using
other plant wat.cr systems to provide a source of relatively cool
water in a once-through cooling regime. Some system modifications
would be requirod. t.;xarnples of these backup systems include:

FIGURE CZ-8
Coinponent Coolli~g h'atcr System

125 VDC
TABLE C2-8
COMPONENT COOLING WATER SYSTEM
SUMMARY OF SUPPORT REQUIREMENTS
POTENTIAL
FUNCTION ALTERNATE (S)
Breaker Control Power
Pump Power Supply
Manual Breaker operation
(See Section 2.4.5)

. ESW'S~S~~~. The ESW system could be lined up to su~ply
makeup water to the CCW system.
. Plant Water Systems. Any of the demineralized or condensate
water pumps could supply water to the CCW if required.
. Fire Protection Water System. The fire protection water
system is a convenient source of cooling water. With
the electric and diesel pumps this system is very reliable.
Additionally, it is conceivable that cooling water could be supplied
directly to individual components from these systems in the event
that the CCW system is not intact.
C2.4.6 Backup Water Supplies
There are several sources of water for cooling and for reactor
plant makeup. These ~nclude:
. Refueling Water S'orage Tank. This is borated
water (2000 ppm boron) designated for reactor plant
makeup during safety injection and reactor cavity fill-
ing during refueling.
. Reactor makeup storage tank
. CVCS volume control tank (borated)
. Main condenser hotwells
. Demineralized water storage tanks
. Radwaste storage tanks (variou?'
. Essential service water system
. Plant service water system
. Well water pumps
. Domectic water system
Any or all of these systems could act as a backur supply assuming
that proper piping or hose connections are provided.

C2.4.7 Instrumentation
In order for the plant operator to safely shut down the reactor
and maintain the plant in stable condition, he must be kept aware
of the status of critical plant parameters. For our case, the
most important of these are pressurizer level, steam generator
level, and steam generator pressure. These are in addition to
operating status indications such as pump operation and valve
position that can be visually observed by an operator.
Most of the key electrical instrumentation is powered from the
Class 1E 120 VAC system. As discussed earlier, there are methods
of providing emergency sources of power if required. For specific
instruments, an operator can connect a portable power supply capa-
ble of providing adequate power. The desired and easiest alter-
native is for an operator to read the locally mounted gauge and
transmit this in.Jrmation to the control room verbally.

C3. BOILING WATER REACTOR (BWR) APPLICATION
As before, the initiating incident is considered to be a complete
and sudden loss of the offsite electric power supplies. Normally
(without sabotage), under this condition, the plant is designed to
be self-sufficient; the reactor systems are maintained in a safe
and stable condition at hot shutdown with a minimum of operator
action.
C3.1 SYSTEMS REQUIRED -- NO SABOTAGE EVENT
. .,. ..
The loss of offsite power will cause a subsequent loss of feed-
water flow followed by a turbine trip and closure of the main
steam isolation valves (MSIV's) at the reactor vessel low-level
alarm. The emergency diesel generators will start automatically,
providing auxiliary AC power to vital electrical equipment. As-
suming that the MSIV's are shut, reactor pressure will increase to
the relief valve setpoint and these valves will automatically
function to dump steam to the suppression pool. When reactor
vessel water level reaches the "low-low level" alarm point, both
the high pressure coolant injection (HPCI) system and the reactor
core isolation cooling (RCIC) system will automatically start, re-
turning water levels to a high level. The HPCI System will auto-
matically trip off at the high level alarm point, leaving the RCIC
system to automatically control level in an operating band. When
required, the operator will use the residual heat removal (RHR)
system to cool the suppression pool and Lo control the water
level within the chamber. Table C3-1 is a summary of those sys-
tems normally functioning to maintain the vital services to the
plant.

'Table C2-i
Normal Sys-
. , .
System
.-
Primary System In.~entory Control Reactor Isolation Cooling
Decay Heat Removal Safety Relief Valves
Residual Heat Removal
(Torus Cooling)
C3.1.1 - Trlmar~ System inventory Control
The react^.: core isolation coolinq (RCIC) system is designed to
maintain sufficient coolant in the reactor vessel to keep the fuel
covered in the event of a loss of feedwater flow. A turbine-
driven pump is the heart of the system, taking suction from the
condensate storage tank!^) or the suppression chamber, discharging
into the main Ecedwater piping, and thence to the vessel. Opera-
ting steam for trj= turblne is supplied from the main steam system
upstream of the main steam isolation va13Jes (see figure C3-1).
Nor~~~ally, the motor-operated water valves are closed and the system
is in a standby condition. Upon receiving a "reactor vessel
low-low-level" signal, the motor-operated valves open For pumping
to the vessel and supplying steam to the turbine throttle. The
turbine governor vlll take over to automatically restore and rnaintain
reactor water level. RCIC support system requirements are
listed in Table C3-2.
C3.1.2 -- Decay Heat Removal
The standard mechanism of decay heat removal at hot shutdown is
ventlnq steam throuqh the main steam system bypass valves to the
main condenser. If the main circulating water, and thus the con-
denser, ii unavailable due to the loss of offsite power (as in
this case1 then steam must he vented to the suppression chamber

I -
-1- --
.

FUNCTION
Gland Seal Condenser
Blower
Gland Seal Condenser
Pump
Motor-operated valves
125 VDC Governor control system
Instrumentation Power
Supply
HVAC Steam line area cooling
Condensate Primary water supply
Storage Tanks
Instrumentation Reactor water level
System lineup and
operation
TABLE C3-2
REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM
SUMMARY OF SUPPORT REQUIREMENTS
POTENTIAL
ALTERNATE (S )
None Required
None Required
Manual Operation
Manual Operation
None
Override temp
switches
Suppression Chamber
Local readout
Local visual check
System parameter
response
REMARKS
Steam Release into Reactor
Bldg must be tolerated
Steam Release into Reactor
Bldg must be tolerated
Drywell entry required
One operator required
Only required for Auto
Operation
Only required if 250 VDC
available
Available at two locations
outside drywell

via the main steam safety/relief valves. These valves can be
operated remote-manually from the control room or automatically
when reactor system pressure reaches the preset setpoint. The RHR
System is also used to cool the suppression pool during safety/
rellef valve actuation (see Section C3.4.2).
C3.2 BACKUP SYSTEMS -- REACTOR COOLANT INVENTORY CONTROL
C3.2.1 High Pressure Coolant Injection (HPCI)
The function of the high pressure coolant injection (HPCI) System
., i,s to provide coolant to the reqctor core in the event, of a loss
of coolant resultinq in a rapid depressurization of the pressure
vessel. The system consists of a steam-driven turbine coupled to
a main pump and a booster pump. Sources of water for the booster
pump include the suppression chamber and the condensate storage
tank(s). Operating steam from the turbine is extracted from a
main steam line upstream of the main steam isolation valves (see
Figure C3-2). A summary oE the support requirements for the HPCI
System is provided in Table C3-3.
Normally, the motor-operated valves are closed and the system is
in a standby condition. Upon receiving a "reactor vessel low-low-
level" signal, the motor-operated valves open for pumping an2 to
supply steam to the turbine throttle valve. The turbine governor
and throttle valve control system will take over to automatically
restore reactor water level LO the high-level alarm point and
then system will shut down.
C3.2.2 Control Rod Drive (CRD) System
The CRD System operates co~itinuously to supply ~ooi;~?g
and charg-
ing water at high pressure (250 psi above reactor pressure) to the
control rod drives and their associated hydraulic control units.
In an emergency the water flow to the drives and control units can
be diverted and the full flow of the two CRD pumps redirected.

High-pressure Coolant Injection System

250 VDC
FUNCTIONS
TABLE C3-3
HIGH PRESSURE COOLANT INJECTION (HPCI) SYSTEM
SUMMARY OF SUPPORT REQUIREMENTS
Gland Seal condenser
Blower
Gland Seal Condenser
Pumps
Motor-operated Valves
Aux. Lube Oil Pump
125 VDC Governor 6 Flow Control
system
HVAC Steam line area cooling
Condensate Water Supply
Storage Tanks
Instrumentat ion Reactor Water Level
System line-up and
and Operation
POTENTIAL
ALTSRNATE ( s )
None Required
None Required
REMARKS
Steam Release to ~eactor
Bldg must be tolerated
Manual Operation Drywell entry required
None Available A manually operated lube oil
pump might be installed to
preclude this limitation.
Manual Operation One operator required
Override temp switches Only required if 250 VDC
available
Suppression Chambers
Local Instrumentation Available at two (2)
locations in Rx Building.
Local visual check
System parameter
response

through existing pump test/bypass piping into the reactor vessel
via the cleanup system piping. A summary of support requirements
for the CRD system is provided in Table C3-4.
C3.2.3 Core Spray System
-
The core spray system is designed primarily to prevent fuel cladding
damage in the event of a loss-of-coolant accident resulting
in uncovering the reactor core. The cooling effect is accomplished
by directing water sprays onto the fuel elements after
reactor pressure has been suitably reduced by initiation of the
. . .. ,
automatic depressurization system or other means.
The main elements of the system are the core spray pumps. System
design provides for a water supply to these pumps from either the
suppression chamber (primary) or the condensate storage tanks (see
Figure C3-3). A summary of the support requirements for the core
spray system is provided in Table C3-5.
In the case of an event requiring plant cooldown or stabilization,
the core spray system could be used; however, it would require
depressurization of the reactor vessel to approximately 280 psig.
The outboard isolation valves must be manually operated and the
pumps started manually from the control room.
C3.2.4 Residual Heat Removal System (RHR)
The operation of the RHR System is devoted to a mulitplicity of
functions, namely:
Maintaining coolant inventory in the vessel in the event
of a loss-of-coolant accident (LOCA)
Providing for drywell and torus spray cooling
Coolinq the sup&ession pool In the event of a LOCA

125 VDC
4160 VAC
(vital)
Condensate
Storage Tank
TABLE C3-4
CONTROL ROD DRIVE (CRD) SYSTEM
SUMMARY OF SUPPORT REQUIREMENTS
POTENT I AL
FUNCTION ALTERNATE (S)
Breaker Control Power Manual breaker operation
Pump Power Supply None
Water Supply
Demineralized Water Storage
Tank Main Condenser Hotwell

FIGURE C3-3
Core Spray System

41 hU VAC
125 VIK'
TABLE C3-5
CORE SPRAY SYSTEM
SUUUARY OF SUPPORT REQUIHWENTS
POTENTIAL
ALTERNATE (SL
~-
None
4 kv ~ k r Control power Manual Breaker
Operat ion
Hotor-Operated Valves Manual Operation
1ns;rumentation Power None
Suppress ion Primary Water Supply Condensate Storage
Chamber tank (5)
Emergency Pump-motor cooling one
Service Hater
System
nuto-Depres- Reduce Operating Main steam line
sorization Pressilre blowdown
insti umentat ion Reactor Hater Level Local Instrumentation
systea line-up and Local visual checks
operat ion
System response
REHARKS
From Vital [D.C.) buses
Hequlred drywell entry
Potential for system modifica-
t ion
Might result in offsite release.
Available at two (2) locations in
Reactor Building. Not of great
importance since vessel over-
fillling is not a serious problem

. Removing decay heat from the nuclear system during shut-
down periods
. Supplementing the fuel pool coollng system
. Providing head spray during reactor vessel filling
The system comprises four (4) redundant RHR pumps, two heat ex-
changers with interconnecting piping, valves, etc. (See Figure C3-4).
The RHR System is designed to operate in a low-pressure cool-
..,..,,.,.. ant .... injection (LPCI) mode if required. In this case, as with the
core spray system, reactor vessel depressurization would be re-
'. .
quired. A summary of support requirements are provided in Table
C3-6.
C3.2.5 Main Condensate System
If no other systems are available, the main condensate pumps could
be used to pump water from the main condenser hotwells via the main
feedwater system through the feedwater pumps to the reactor. In
order to accomplish this,.electric power must be supplied to a non-
vital 4160 VAC bus and reactor vessel pressure reduced to less than
250 psig.
C3.3 ALTERNATE SYSTEMS -- DECAY HEAT REMOVAL
Decay heat must be removed from the reactor vessel immediately and
from the intermediate heat sink (suppression pool) at a later time.
The alternate mechanisms to accomplish the tasks are somewhat
limited and include the following:
C3.3.1 Manual Relief System
Reactor vessel venting can be accomplished by providing a manually-
operated bypass (vent) Line connecting the main steam system to the
suppression pool. This allows an operator to depressurize the

I*.',. -.-
taw
Residual Iledt Removal System
-A-

ELECTRICAL
FUNCTION
125 vx E :lectric Contro
480 VAC Uotor-operated valve
actuation
4160 VAC Electric Power to Pumps
and 480 VAC distribution
Suppress iun Primary Water Supply
Chamber
RBCCW Cooling to RHR pumps
Instrumentation Reactor Water Level
Reactor Pressure
System line-up
and Operation
Auto-depr es- Reduce Reactor Vessel
surization Pressure
ThBLE C3-6
RESIDUAL BEAT RWOVAL (RHR) SYSTEM
SUHHARY OF SUPPORT REQUIREMENTS
POTENT1 AL
ALTERNATE (S)
Local-Uanual
Operat ion
Local-Hanual
Operat ion
None available
Condensate Storage
Tank/fuel pool surge
tank with supplemen-
tal water supply
Local (mechanical)
Local (mechanical)
Local ovservation/
System response
Uain Steam Bleed
RHR service Cooling to heat exchangers None available
Water time dependent
REMARKS
System not operable upon loss
of 4160 VAC.
Also possible to connect gauge to
numerous RX system instrumentation
taps outside containment.
For short tern needs would
not be required.

eactor vessel by manually dumping steam to the suppression pool in
the event that the safety/rellef valves become inoperable (electri-
cally or pneumatically).
C3.3.2 Condensate - Transfer System
The condensate transfer system can be used to accomplish a feed-
and-bleed operation between the condensate storaqe tank and the
suppression pool, thus providing some limited cooling to the sup-
pression pool. This could lengthen the effective time in which the
pool is available as an effective heat sink.
. .
. .
C3.3.3 Cool ing Water -- Systems
. . . , ,
IJnder normal conditions the RHR Servlce Water System is used to
cool the RNR heat exchangers and thus acts as a heat sink for decay
heat removal via the suppression pool. If the RHR service water
system is unavailable, other sources of cooling water could be
found to accomplish this function, including:
. Emergency Service Water Systems
. Service Water System
. Fire Protection Water System
Each of these options requires plant modifications or temporary
hose connections.
C3.4 SERVICE SYSTEMS
In order for the most plant systems to function it 1s necessary for
various support systems to also he operable. As can be seen in the
'associated system requirement tables, several vital systems depend
on common support services. Thus, a discussion of support systems
and backups thereto is required.
C3.4.1 Emer~e~y - Service - Water Sxstem . (ESW) ..
The tunctlon of the ornecqency servlce water !ESW) system 1; to
12-191

provide cooling water to critical equipment required to operate
under loss of offsite power and other accident conditions. The
system consists of two redundant loops each containing a pump,
strainer, . .. associated piping, and instrumentation. The significant
components cooled by this system include the diesel generators,
HPCI and RHR room ventilation units, and the RHR and core spray
pump motors. It is thus apparent that the ESW system is critical
for maintaining the plant in hot shutdown. (See Figure C3-5)
Table C3-7 summarizes the support systems required for operation ot
the ESW system.
Under normal plant operating conditions, the system is liried up to
in standby with the pumps;idle. During this time components are
supplied cooling water from the service water system which operates
continuously. Upon loss of normal station AC power, the ESW pumps
automatically start after their associated diesel generator has
started.
Depending on the mode of system failure, numerous backup cooling
mechanisms could be made available. If the failure is associated
with the pumps and the system maintained is structurally intact,
then several alternates could be utilized, including:
Service Water System -- The plant service water system
can provide cooling water flow if they were provided with
an emergency electrical power supply.
. RHR Service Water System -- The RHH service water system
could be cross-connected with the ESW system.
. Fire Protection Water System -- The dlesel fire pump,
being independent of other plant systems, could provide
emergency cooling water to crlticsl components.
On the other hand, ~t the E5W system 15 not Intact and sectlons ot
the supply headers are unusable, t.hen components will requlre

Service Water System

FUNCTIONS
480 VAC Pump Power None
4160 VAC Feeder to 480 VAC
Inad Centers
TABLE C3-7
EMERGENCY SERVICE WATER SYSTEM
SUMMARY OF SUPPORT REQUIREMENTS
POTENTIAL
ALTERNATE
125 VDC 4160 VAC Breaker Control Manual Breaker
Power Operation
REMARKS
Fed from Diesel Generator

cooling on an individual basis. Such cooling water could be sup-
plied vith "har2-piped" cross-connections or via temporarily in-
stalled hoses. The same systems are described above could be also
used in this case.
C3.4.2 Vital Distribution System -- FIC
The vital electric distribution system is designed to provide J
reliable source of power to critical plant components in the event
of the loss of the offsite power sources. The main power sources
are
.
two independent diesel generators that are automatically
.
, . ..
started and come online upon occurrence of a power failure. The
vital buses are interconnected to permit cross-connections such
that one diesel generator can power both buses and act as a redundant
power supply for duplicate safety system trains (see Figure
C3-6). Table C3-8 provides a summary of the support requirements
for this system.
There is no conceivable backup source of electrical power except
for additional emergency generators or other convenient power
generators co-located at the site.
C3.4.3 Non-Vital Distribution System -- AC
The non-vital AC distribution system is designed to provide elec-
trical power to those components and equipment not considered
safety related. If operational damage control is to use non-vital
designated systems and components as emergency backups to vital
equipment, than some allowance must be made to provide these equip-
ments with a reliable electrical power supply. This can be accom-
plished in one of two ways:
1. Power these components directly Erom a vl:al bus or
provide an alternate (swltchable) power supply from a
vltal bus.

AC Electric Distribution System

Emergency
Service Water
System
FUNCTION
Control Power
D.G. Field flashing
D.C. Cooling
TABLE C3-8
VITAL DISTRIBUTION SYSTEM - AC
SUMMARY OP SUPPORT REQUIREMENTS
POTENTIAL
ALTERNATE (S)
-
Possibly manual Consider possible
operation of breakers connection to 250 VDC system
None Should consider possible connection
to 250 VDC system
Service Water System Question seal water requirement --
others be fire pumps, and
RHR service water system

2. Modify existing bus-ties to permit loading the diesel
generators with selected non-vltal buses.
C3.4.4 Electr~cal ~istriktlon 125-250 VDC
The DC distribution system consists of three Independent sub-
systems, two 125 VDC and one 250 VDC (See Figure Cj-7). The SyS-
tems ate important since they provide the controi power vital to
the operation of both primary safety systems and backups. Addition
ally, the DC systems are used for ~ specific . . purposes, including:
v .
. Diesel generator field flashing (125 VDC)
Acnunciation and instrumentation (125 VDC)
HPCI auxiliary lubricating oil pumps (250 VDC)
. HPCI 6 RCIC auxiliaries (250 & 125 VDC)
Critical valve operation (125 VDC)
Since each of the DC subsystems is important in its own right,
measures should be taKen to maintaln the aSJaiiability of these to
thegreatest extent possible. Some ot these include:
Cross-connecting --
the 125 VDC bcses to permit
substitutlcn. The existing system does provide for
switching power for vltal control functions fro~ one bus
to the other assuming the loads are not faulted. This
same feature is also applied to all of the other crit-
ical loads on the 125 VDC buses.
. . Series .- connect-ion - - -. - of - - the 125 - - - VDC - batterles - -. to - - supr~iement
the 250 VDC 3atter.y. This can be d0r.e wlth the instal-
-.-
/ i , Iatlon of 3ppropriace swltchqear at the battery ter-
minals. It cculd be of signi:lr:~nt :~se i~hllr s:artlng

FIGURE C3-7
DC Electric Distribution System

the HPCI system by providing an alternate source of
power for the HPCI auxiliary lube oil pump until the
shaft-driven pump is up to speed.
Parallel connection of the 250 VDC - battery to supplement
the 125 VDC system. Switching devices could be used to
split the 250 VDC battery and connevting the halves in
parallel to supplement the 125 VDC battertes for crit-
ical operations, e.g., diesel generator field flashing.
..* . .. , Operation of the HPCI and RCIC turbines without DC ,,,.,
power. Operation of;these systems without DC power
would necessitate certain abnormal activities and
"annoyance" conditions. First, the HPCI turbine cannot
be started without its auxiliary lube oil pump. If DC
power is unavailable at the onset, then this unit cannot
be reliably started unless a suitable'lube oil supply is
available. One option is to install a manually operated
lube oil pump in the turbine lube oil system. When the
HPCI turbine is started, then both units, HPCI and RC17,
are operated under similar circumstances, namely,
without automat~c throttle control and turbine auxil-
iaries. The turbine throttles are provided with mech-
anisms for manual manipulation but few plants, if any,
have procedures or training to assume reliable operation
in this mode. In addition, since power to the gland
seal system is unavailable, it will not be operable
resulting in gland leakage of radioactive steam into the
atmosphere of the reactor building; -- a cc,Zition that
should be tolerable.
. Manual valve operation. Several containment isolation
valves normally supplied power from the DC system may
require manual manipulation. It is unlikely that con-
tainment access is practical within the time available

Therefore, onl: valves accessible from outside contain-
ment fall in this category. All motor-operated valves
are provided means for manual operation, and operators
are instructed in the operation of valves in this man-
ner.
. Manual circuit breaker operation 125 VDC control power
is normally supplied to the 4KV circuit breakers for
normal, remote operation. If DC power is unavailable,
manual (mechanical) operation is possible. Most break-
ers have this capability, and operators are instructed
in operating in this mode.
C3.4.5 Backup Water Supplies
There are several supplies of water that can supplement the pri-
mary supplies as required for vessel makeup. The required total
makeup for 6 hours of cooling following a shutdown from full power
is approximately 40,000 gallons. The following is a list of the
systems potentially requiring a water supply source with a discus-
sion of available sources.
. High Pressure Coolant Injection (HPCI) -- The HPCI sys-
tem is normally lined up to pump water from the suppres-
sion pool with a normal backup source being the conden-
sate storage tanks. Other sources that could be used
are the main condenser hotwells, fire protection water
system and any or all of the service water systems
(plant, emergency, or RHR)
. Reactor Core Isolation Cooling (RCIC) -- The RCIC system
is normally lined up to pump water from the condensate
storage tanks with the primary backup source being the
suppression pool. Other sources that could be used
include the same group discussed previously for the HPCI
system.

. Main Condensate System -- The main condensate pumps take
suction directly from the main condensers. Existlng
plant features allow filling the condenser hotwells with
che emergency ser*Jlce water system. Other sources of
water including the RHR service water, and the fire pro-
tection systems could be utilized, wlth appropriate
piping, to provide a continuous supply of water.
. Core Spray -- The core spray system normally is supplied
from tne suppression pool with the condensate storage
. tanks as a backup supply ... Other sources that could be
used are the service water and the fire protection sys-
tems, each of which would require addit~onal plping con-
nections.
. Residual Heat Removal -- The RHR system operating in the
low-pressure coolant injection mode is supplied makeup
in a similar manner as is che core spray system previou-
sly discussed.
C3.4.6 Instrumentation
In order for an operator to operate the plant in a hot-shutdown
condition he must be aware of the status of critical plant pars-
meters. The most important of these are reactor water level and
ceactor pressure. I£ the suppression pool is being used as the
heat sink, then eventually pool parameters will become increasing-
ly important. Amonq these are pool temperature and level.
All of the key electrical instrumentati~n is powered by the
125 VDC electrical system. As discussed earlier, there are damage
control methods available to improve the reliability of this sys-
tem. For the case of individual instruments it is practical to
temporarily install a small portable DC battery source or power
supply capable of providing power on at least an intermittent
basis. Other methods are discussed below:

, : %..- ~
DC
1. Reactor Water Level
Electrical reactor water level instrument indicators are
provided in the control room. All level sensing lines
penetrate the containment and terminate in the reactor
building. At four accessible locations within the reactor
building, numerous level indicators are installed
including direct reading mechanical indicators, indicator
switches, and indicating transmitters. Any of
these can be used to monitor reactor water level. Additionally,
if electrical readout is desired, a portable
power supply (125 VDC)-could be connected .to..nny
transmitter if DC control power is unavailable.
2. Reactoc Pressure
Reactor pressure can be monitored at numerous locations
throughout the plant, including the control room (elec-
trical) and the direct reading main steam and reactor
pressure gauges mounted at the containment walls. In-
dicators on auxiliary systems can be used to read re-
actor pressure such as the liquid poison system, RCIC/HPCI
turbine throttle piessures, CRD pump discharge pressure
(correction required), and reactor water cleanup system
at various locations. In addition, the station calibra-
tion kit can easily be attached to numerous primary
system sensing lines located throughout the reactor
building.
3. Suppression Pool Temperature
Thermocouples are installed in the pool transmitting
pool temperature to a monitor and recorder in the re-
actor building. In the event these thermocouples become
inoperable, the operator can monitor temperature by
sensing suppression chamber skin temperature with a
portable contact type thermometer.

4. Suppression Pool Level
The suppression pool level sensor and transmitter is
located in the void space outside of the suppression
chamber. In the even it becomes inoperable, water level
can be determined by attaching a differential pressure
gauge on the existing level sensor line or one of the
low-point drains in either the HPCI, RCIC, RHR, or core
spray piping systems. Resulting pressure readings can
be converted into equivalent water column height.

APPENDIX D: COMPUTER CALCULATIONS FOR CASE 5
In addition to the manual calculations described in Appendix A, Case 6
for the PWR is calculated by computer, using the RELAP4/MOD6 code*.
The reactor model that is used for the RELAP run contained 21 volumes
and 24 junctions, as shown in Figure D-1. As in the manual calcula-
tion, primary system metal is ignored. Initial reactor power was
3238 MWt. A trip is initiated at time zero, and the feedwater inlet
and steam outlet valves are closed at time 0.1 seconds. The RELAP
code calculates the conditions in the prlmary and secondary system
over the next 2 hours. A comparison of the manual calculations and
the RELAP results is shown in Table D-1. It should be noted that an
input error results in neglecting a small part of the primary system
volume in the RELAP run. However, the result of the comparable hand
calculations would be changed by only about 1% if the volume was
included. Therefore, the comparison is still valid. Several of the
plots from the RELAP run are included in Figures D-2 through D-7.
Inputs used for the RELAP run are shown in Table D-2.
In performing the RELAP calculations, csreful consideration had to be
given to selecting the maximum calculational time step used by the
code. Normally, RELAP is used to analyze LOCA scenarios that last
less than a minute of real time. Typical maximum time steps used in
these cases range from 500 microseconds to 20 m~lliseconds. In
analyzing sabotage Case Number 6, which lasts two hours of real time,
a larger maximum time step was needed in order to keep the computer
run time within reasonable bounds. A time step of one second was
tried, but that resulted in numerical instability. A time step of
Aerojet Nuclear C o m p ~ o m u t e r
Program for
Transient Thermal-Hydraulic Analysis of Nuclear ?.eactors and
Related Systems, ANCR-NUREG-1335 (Septemoer 1 975).

0.5 seconds was finally selected, whlch allowed the analysis to run
to completion in approximately 23,000 seconds of computer run time.
This large amount of computer run time was due to the fact that the
code frequently had to choose time steps smaller than the user-
selected maximum of 0.5 seconds, especially when the primary system
was heating up and boiling.

69
F i yur c 1)- 1 : HEACI'OR MOIIEI. W1? I{EL.AI'

Phase
1. Boil dry steam
genecatocs
Table D-1: COMPARISON BETWEEN RELAP RESULTS
AND MANL'AL CALCLTLATIONS FCR CASE 6
2. Pressurizer goes 438
sol id
3. Average core 1437
water temperature
reaches saturation
4. Core midplane
uncovered
Duration (seconds) Cumulative Time (seconds)
Relap Manual Relap Manual

680.0
660.0
640.0
620.0
600.0
JBO.0
5BO. 0
-
-
-
-
-
STAllON BLACnOUr
540.0
0.00 1.00
I I I I I I I I I I I I I
I I I
Figure D-2:
Saturation --.--t
I I I 1 I 1 I I 1 I I
2.00 3.00 4.00 5.00 6.00 7.00
AVERAGE WATER TEMPERATURE IN CORE
.
I

0.00 1.00 2.00 3.00 4.00 5.00 6.00 7.00
T lME (SECONDS)
Figure D-4: WATER LEVEL IN S'l'I:AM GL.:NEl

-
-
-
-
-
-
-
-
-
STATION BLACKOUT
I I I I I I I I I 1 I I I I
Pressurizer Solid /
1 1 -
I I I I I I I I I I I I I I J
TlHE [SECONDS)
Figure D-5: WATER LEVEL IN PRESSURIZER
x10
3
-
-
-
-
-
-
-
-
-
-

STATION BLACKOUT
Figure 0-6: PLOW THROUGH CORE

TIHE (SECONDS) XI0
j - 7 PHESSUHI ZER TEMPERA'I'URE
3

TABLE G-2
P IXP'JTS
PRESSUR :ZEP
O5JO11 1 C 2 2 5.3 0.0 1d00.1 L,j.>hL Z'1.177
059072 3 Jf .r64
[MYACT LC'P
6.ak17 :Z.LL 0
5T*. GEN. IhLET PLFYU'
0500al 1 3 2242.69 539.3 -1. 597.12 5.?14 5.?J1*
. 050012 L14.2 h.0;9 1.755
STEPPI CENEEATC? IC?:VE TL~ES $T INTICT LOSP
050091 o o ZZJ!.!~ 577.17 -1. 115.0 1n.354 14.158
053092 3 44.396 -at458 6.4eq 0
050101 0 3 222l.JZ 556.65 -1. 736.4 lll.163 irc.th1
090102 0 4k.156 -3tL58 25.347 0
050111 0 0 2215.hS 542.63 -1. 736.4 lO.163 1R.1-5
050112 0 4b.156 .OCk53 25.Jb7 0
050121 5 0 2215.4 511.42 -1. q15.J 14-$54 !4.55(
OSJIZZ o 4 ~ ~ 1 % .Crr5n 6 . ~ 9 3
INTpc7 LCCP ZT*. GFN. CUILET PLFWI*
05U151 0 0 271h.15 7 -1 5'27~77 S.2 (4 5.Ztb
Il*,l(1.. I1 I,....' I I.?"= st

. LMTAI:
050141 [ 2Zon.tt I -1. I .
1 LLIIJI~ I*UMI ';Ill. f I LS 1 I G.
I1#.*.I'. ll~.h~'.
050142 0 20-?64 8
.
050151 9 0 2706.9,'
050152 a ZLS6S 2.5C3
INTICT LOOP PV*F
-1l.SUl.
520. 16 -1.
-LL,tOb 0
0
131.644 5.?3 4.19
3531hL 11 0 ZZlr6.16 SZC..Ia -1. 224.0 6.954 6.158
050t5Z 0 20.96s I.OE5 -5.820 0
- - - , . . - . . - . . -
1~shCrrNWM
E C i i i 1 c ~ I~PE. I53 IIJ*11:1101 C :trFft 4,
16*CChtPACl13~ CcEfF IClE!IT FCS U Lt.6~. If .JIlfdCr[Ofl CHCKING
~ 8 ~ ~ I r w b t Pl6fnC.FCCf ' I
I-ICEC. l?=S7SIM+ 2f ahG~-t FOR SC:f'*
ZQ.PCJ~CENT, ~1-hc1IC.n h~i'jEV F70 I ! L :LIO.

Tabie 0-2

'-. - - - . - - - -- . .
. HEAT S i l P ?PTA OQCS
.
LSOOOO t r) C Z USE CChCIE-9Eb1CSTO~ F:Lr .?O:L[VC.
. 4VEabGE CCRE
150011 Ll 2 1 0 2 1 1 0 52117.5 C58.9
150012 0. -6445 0. .046S 0 12. -323 12.323

.
STEAP
CE~ERATQ4 TUeES
0 .
110400 -2 !Z.t 7 -62 1J5J.O :~.58.2
.
0 PPCPER7:ES ATT1IhEC FWC* IhCCNEL IN *ECUDN:C.IL E'lG1'1Lt'l:L.5 w ~ N P ~ C ~ U
P6.c-92. THE ECLnTT.CN :I r: 7.62 r C.CO5il I TE~J. - 321.

APPENDIX E: INDUSTRY SUR'JEYS
At the onset of the damage control analyses, a number of calls
were made onoffices and organizations in order to determine if
damaqe control practices outside the nuclear power industry
miqht be transferable. Situations were so~ght in which action
would be required against an unexpected condition before some
detrimental result occ*~rs. Specifically, oil refineries, nylon
processors, and the 6.5. Navy were contacted. These were chosen
because :
1. It the continuity of operation is disturbed, some
detrimental situations result; for example, nylon
will harden in process lines, or the survlval of a
ship may be threatened. Refineries were called upon
because it seemed logical that damaqe control ?to-
cedures would exist there.
2. There is cine ava~lable to respond to recover from
the situation before the detrimental results become
~rreversihle.
El. OIL REFINING
The major concern of the oil industry is fire but relatively
little threat. to the public health and safety exists from an
oil refinery fire. However, because the threat of fire is so
prevalent dnd because of the obvious commercial risk, the in-
dustry is well prepared. Operators of local processing panels
are trained to recognize problems in the equipment and to re-
spond with preplanned procedures to a fire. h list of telc-
phone numbers of people to be called in sequence is provided at
each control :

E2. NYLON PROCESSING
The nylon processor has the problem of material hardening in
process pipes if the processinq were to be interrupted. In
addition, at one point in the process an explosion could occur
if exothermal reactions become out of control. The industry
depends on installed spare circulatinq equipment to maintain
flow. To protect against explosion, an installed system is
provided to dump the process stream into a coolinq tank if
safety limits are exceeded.
. . , .
EJ. 0.5. NAVY
The 1J.S. Navy requires computers and control equipment for
their ships to be vlable weapon platforms. Furthermore. it
depends on the ~nteqrity of the ship's hull and a continued
supply of electricity. The Na9/y's approach toward maintaining
the computers and r 1ect.r ical qenrrat ion, even under hostile
attack, 1s throuqn equipment redlndancy or t.hrouqh hardenlnq
enclosures of critical components. No repair durinq emerqency
conditions is contemplated except for firefiqhtinq, hull repair,
and posslble electrical cable rcpalr for the purpose of
op~r at. i nq pumps and commun icat ion equ ~pment
E4. CONCLUSIONS
Concllls ions reuul t iirq f rom the:le contacts fa1 low:
1. In situations that seem t.o h~vc a continuity-ofoperation
ri!quiremr!nt similar to re.lccor plant decay
hr.~t removal, nonr of the operators JI*? prepared to
wl tl~ztand t.he 10:;s of ttlelr inst.31 led systems. Ins
t 1 1 ! n is necessary to overcome emerqency
cond I t ions.
.

2. In the cases of the oil refineries and nylon p'snts,
abnormal operating procedures are prepared in advance
and are part of the operators' training.
3. Reacting to severe plant upsets is the v:sponsibility
of the onsite personnel. In the ny1r.1 industry the
control room 'operator will take +:,e required actions.
In the oil industry firefight~nq is done by onsite
firefighters, but it may be necessary to call offsite
personnel back to the site to assist in firefighting
activities.
Based on these observations and specific conversations, it is
concluded that there are few if any applications of damage
control methods or evaluation techniques for which a "tech-
nology transfer" effort will be beneficial to this project.

NtJCLEAR POWER PLANT DKSIGN CONCEPTS
FOR SAHOTAGE PROTECTION
,VOLUME 11, APPENDIX G:
CONCEPT 1)EVELOPME:NT AND COST ESTIMATES FOR
DESIGN AL,TERNATIVES FOR IMPROVING TllE RISISTANCE
OF NIJCIXAR POWER PIANW TO SABOTAGE*
I,. D. Kenworthy
C. A. Ncgin
E. J. Ricor
H. S. tlarnd l
International F:nergy Associiltcs Limited
Washirigton, D.C. 20037
14 ncccmbcr 1973

Concept De~e~lopment
and Cost Estimates for
Design Alternatives for Xmprovinq the Resistance
of Nuclear Power Plants to Sabotage

........... 3. 1 llardcncd Enc1osurc.s for Makcup Watcr Tanks
3.1.1 r>iscussion of tlardehing Option 1
3.1.2 Discussion o! Ilardcninq Option 2
3.1.3 Discussion of Ilardcning Option 3
3.2 Physically Scparatcd and Protected Rcdundant
'I'rains of Safety Cquipmcnt Combined with
Scparatcd Containment Pcnctrations for
I

- PAGE
' 4.5 Cost Estimates for Isolation of Low
Pressurc Systems Connected to the
Reactor Coolant Prcssurc Boundary (3-119
4.5.1 General Discussion G-113
TABLE 2-1 Cost Estimate Summary G-16
TABLE 3-1 Caseline Design Information for
RWST and AFWST
'I'ADLE 3-2 Dcslgn Information for Hardened
RWST and AFWST, Option 1
TABLE 3-3 Design Information for Hardened
RWST and AFWST, Option 2 G-25
TABLE 3-4 Design Information for Hardened
RWST and AFWST, Option 3
TADLE 3-5 Summary of Piping Connections to
Reactor Coolant Pressure BounAary G-95
TADLE 4-1 Estimate, Category 1.8, Option 1 G-104
TABLE 4-2 Estimate, Category 1.8, Option 2 G-106
TABLE 4-3 Estimate, Category 1.8, Option 3 G-107
'I'ADLI'. 4-4 Estimate, Categories 11.1 and 11.5,
Safety Buildings, Excavation and
Structure G-108
EsCirnatc, Catcrjorics 11.1 and 11.5,
Modified Auxiliary Building,
Excavation and Structure (;-109
Lstimatc, llcfcrcncc Plant Excavation
and !;t ructurc G-110
Estimate, Catccjorics 11.1 and 11.5,
,kl,l i t ions 1 I.:qiri;xncnt on11 nui ldinrj
Sc.rvi cc:; G-111
Cot;L Cornlmrison, (:a tc!gorics 11. 1
arid iI .5, vr;. Rcfcrcncc Plant C-112
I:stimdl.c, L'atcqory IV. 1 G- 115

FIGURE NO. -
LIST OF FIGURES
3- 1 Individual Reinforced Concrete Enclosure
3-2 Reinforced Concrete Building Enclosing
Two Tanks (.Sectional Elevation)
3- 3 Reinforced Concrete Building I:nclosiny
Two Tanks (Plan)
j- 4 Reinforced Concrete Tank with Metal Liner
I I
3-5 Plant Layout: Separated Safcty Buildings
and Containment Pcnctrations
3-6 Safety Building A, Lcvcl -26
.; - 7 Safcty Building A, Level 0
3-8 Safety Building A, Lcvcl +26
3-3 Safcty duilding A, Lcvel t47
Safcty Duilding B, Level -26
Safcty Building U, Level 0
Safcty Building 13, Level t2G
Safcty Uuildiny B, Lcvcl t47
Auxiliary and Acccss Buildings,
Lcvels -26 and -10
Auxiliary and Access Buildings,
Lovcl 0
Auxiliary and Access Buildinrjs,
Levels +15 and +26
Auxiliary and Access Buildings,
1.cve1 +47
Auxiliary Building
Lcvcl t73
PAGE
-

!;cl~crn;~tic Arrangemcrnt of ESF
hctua tion lor Sc:cmratcd Safcty
L3uiLdinrjs
Gcncral Arranycmcnt - Plan,
Levcl 0, IlariJcncr! Dccsy lleat
Itcmova 1 Uui ldinq
., .
Ccneral Arrangement - Plan,
1,cvcls 24 b 34, llardcncd
rlecay llcat Rc111ova1 Duildinq

1. INTRODUCTION
As part of the contract work performed by International Energy
Associates Limited (IEAL) for Sandia Laboratories, 29 nuclear power
plant design alternatives were identified which could potentially
improve the resistance of nuclear power plants to acts of sabotage.
Descriptions of these design'alternatives and of their categorization
may be found in IEAL Report No. 111, Nuclear Power Plant Design
Alternatives for Improved Sabotage Resistance, September 14, 1979.
Of this number, Sandia selected six alternative design concepts for
development in sufficient detail to permit the estimation of their
costs. The selected concepts are:
. Hardened Enclosures for Makeup Water Tanks, Category 1.8
. Separation of Containment Penetrations for Redundant
Protection Systems, Category 11.1
Physically Separated and Protected Redundant Trains of
Safety Equipment, Category 11.5
. Hardened Decay Heat Removal System, Category IV.l
. Isolation of Low Pressure Systems Connected to the Reactor
Coolant Pressure Boundary, Category 111.1
. Design Changes to Facilitate Damage Control, Category 111.2
This report presents the developed design concepts and cost estimates
for five of the six selected alternatives. These developed design
concepts consist, in general, of equipment lists, functional re-
quirements, arrangement drawings, preliminary system diagrams, system

descriptions or descriptions of operation, and descriptions of
structures. The development is sufficient to ~ermit the preparation
of preliminary cost estimates. Similar estimates have also been
prepared for current standard designs so that the added costs of the
improved sabotage resistance may be determined. The development also
facilitates the analytical modeling of the concepts to determine
their counter-sabotage effecti-~eness.
Damage control as a sabotage countermeasure is discussed in IEAL
Report No. 123, Damage Control as a Countermeasure to Sabotage at
Nuclear Power Plants. That report describes various damage control
options, approximately one-half of which would require, for their
implementation, changes in the design of present-day plants. Further
development of and costs estimates for these options have been de-
ferred by Sandia Laboratories until a preliminary screening can be
accomplished to select the more promising candidates.
A SNUPPS group standard PWR, has been chosen as a reference plant for
development of the design concepts and comparison of estimated costs.
Reference site information is as follows:
Soils and Groundwater. Overburden soil ranges from high
- -
plasticity clay to low plasticity clayey-silty sand. nverage
depth of overburden is 6 Eeet. Underlying the overburden are
alternating shales, limestone, siltstones, and sandstones to a
depth of at least 400 feet. Groundwater is encountered 6 to 8
feet below the ground surface.
Loadings on Seismic Category I Structures.
-
. Wind velocity 100 mph at 30 fcet above grade;

. Ground acceleration 0.2 g; and
. 100 year snow pack load of 32 lb/ft2 combined with probable
maximum precipitation snowload of 128 lb/£tZ Eor total snow
loading oE 160 lb/ft2.

2. SUWlARY
Cost estimates for construction of the selected design alternatives
and cost comparisons with the reference plant are reported in detail
in Section 4 of this report. The estimates are based on the engi-
neering development of the design alternatives which is presented in
Section 3. A summarization of the cost estimates is provided in
Table 2-1. This table shows the estimated total costs for the design
alternatives and also their cost increase relative to the reference
plant, whose design does not include the additional protective
features. In the case of alternatives 11.1 and 11.5 (combined) and
alternative 111.1, cost differences only were estimated. Conse-
quently, for these alternatives, only estimrted cost increases are
tabulated in Table 2-1. The estimates are of costs for materials and
construction and do not include other costs such as engineering,
licensing, or interest during construction.
The cost estimates should be regarded as applicable to new con-
stuction and not as back-fits to existing designs. Further dis-
cussion of the estimates and their bases is provided in Section 4.

TA0I.E 2-1
COST ESTINXTL: SWARY
5ELElTE.D DESIGN ALTfkNATIVtlS t\)P IUPRO'JED SABLZThGE RESISTANCE
hLCEHNATIVE
TITLE
tlarJtneJ Enclosure fez Pukeup
Mater T3hks
Option I, Inrfivldual rank Enc1o:urcs 2.490.000
Dprion 2. L'o-cn Enclosure for Two
Tanus J.C81.000
Physrcally sepacated and protecred
reddnJ3r.t rr31ns of s3lely equijment
cwbancrf rlth ~epazaterf contdlnment
penetr~t~ons
EST IHATED TirTAL LST IRATE0 COST
LVST.. CXXUIIS IWREASE.. UOLlAHS
------------
'c'vsc eslrc3tes are exclusive of sobts 101 enqlneer 1nj. I rcensln~j. rnterest Jut in9 construct ion, operpt,i~n,. an& e:;~~;cJIJt ,on.
See Sr-

3. CONCEPT DEVELOPFIENT
.3.1' .HARDENED ENCLOSURES FOR i4AKEUP WATER TANKS
, . .
>, , . ., . , .... . ,
'Two . tanks .. . have been included under this concept; the refueling . . water
:. storage tank (RWST) , and the auxiliary, feedwater storage tank (AWST).
.. , .
;:The safety related function of the RWST is to provide a source of
':berated water for injection into the reactor coolant system in the
event of a loss of reactor coolant or main steam line break that
..requires use of the safety injection system.
, .
. .
i .
The safety function of the AFWST is to provide a heat sink for the
reactor during the initial stages of plant cooldown under the con-
dition of unavailability of normal AC power. Table 3-1 lists the
basic design information for these two tanks*. Reference costs, or
the costs to which the costs for hardened RWST and ARiST are com-
pared, arc estimated based on the data in Table 3-1 and also on
location of tanks in the plant yard.
Three hardening options are considered. These are:
. Hardening Option 1 - Individual, reinforced concrete
enclosures for conventional metal tanks.
Nardcning Option 2 - Reinforced concrete building enclosing
both tanks.
Hardening Option 3 - Reinforced concrete tank with metal
liner.
*The reference plant does not have a safety grade auxiliary
feedwater storage tank. A Scisnic Category I, Safety Class 3
suction for the auxiliary feedwater pumps is provided from the
essential service water system which backs up the normal suction
from the non-nuclear-safety condensate storage tank. However,
for the purposes of obt?inlng a cost comparison, a reference,
non-hardcncd AFWST is assumed as descrrbed in Table 3-1.

Capacity, Gal.
Diameter, Ft.
Height, Ft.
Contents
Specific Gravity of Contents
Quality Group
Design Code
Seismic Category
Seismic Ground Motion, g
Wind Velocity, mph @ 30ft. above grade
Material
Foundation Type
Design Pressure
Design Temperrture, OF
Snow Load
100 yr Snowpack Load, PSF
. PMP Snowload, PSF
Soils and Groundwater
TABLE 3-1
BASELINE DESIGN INFORMATION FOR RWST AND AFWST
- RWST
400,000
Demin. Water
with 2000 PPM
~issol-ieied Boron
AFWST
4OO.OOO
Steam Condensate
Stainless Steel Stainless Steel
Reinf. Concrete Mat Reinf. concrete Mat
Atmos. Atmos.
Overburden soil ranges from high plasticity
clay to low plasticity clayey-silty sand.
Average depth of overburden is 6 feet. Underlying
the overburden are alternating shales, limestone,
siltstones, and sandstones to a depth of at least
400 feet. Groundwater is encountered 6 to 8 feet
below the ground surface.

..: +".
.. . . : ,. \,.L . . , .:
f,? '>:;
, 3 1 1 Discussion of Hardening Option 1
*>.. s
. . .
,+:,. A thickness of 2 feet of reinforced concrete has been somewhat arbi-
~.
: trarily selected for the walls and roof of the hardened enclosure.
' Based on data from the Barrier Technology Handbook, SAND 77-0777,
:,.. . penetration time could be expected to range from 4 to 13 minutes
I
I
. . .
assuming the saboteur's tools included 20 pounds of explosives,
tamper plate, and gas powered hydraulic boltcutters.
. , , .. ,.
As can be seen in Figure 3-1, the enclosure consists of a vertical
reinforced concrete cylinder supported on a reinforced concrete
basemat. The enclosure roof is a concrete slab of 2 feet thickness.
An internal diameter for the enclosure of 57 feet has been selected,
providing an annular space six feet wide between the tank and inner
wall of the enclosure. This space permits access for maintenance and
inspection as well as an area for routing of piping.
Each enclosure is provided with a penetration resistant door large
enough for personnel passage and light equipment. The door is a
vault type with penetration resistance equivalent to the enclosure
walls.
A typical piping penetration is also shown in Figure 3-1. A hardened
penetration room protects the piping passing through the wall of the
enclosure. The piping is routed down through the floor of the pene-
tration area through sleeves, entering an underground pipe tunnel
through which it passes to the auxiliary building.
The tank enclosure is vented in order to provide venting for the
tanks. The enclosure vent must not represent a potential pathway for
introduction of explosives or passage of personnel into the enclosure.

2 f t 4 '-24 ft 6 in. 24 ft 6 in.-+
Figure 3-1.
Individual Reinforced Concrete Ecclosurr

.,
%W ; :
;,'
: .?
vent system consists of an internal standpipe, one end of which
erminates near the cop of the enclosure. The standpipe is routed
hrough the piping penetration room to the underground pipe tunnel
here the lower end terminates. A minimum slope toward the pipe
unnel' is provided to prevent collection of condensation. The pipe
unnel is in turn vented to the auxiliary building.
Design information for this concept is tabulated in Table 3-2.
3.1.2 Discussion of Hardening Option 2
Hardening Option 2 is illustrated in Figures 3-2 and 3-3. Design
information is presented in Table 3-3. A single reinforced concrete
building is provided to enclose both the RWST and the AFWST. The
building is supported on a reinforced concrete basemat foundation.
Building wall thickness is 2 1/2 feet. An interior division wall, 2
feet thick, is placed between the two tanks. The building roof is a
reinforced concrete slab 2 1/2 feet thick.
The building is provided with a hardened, penetration resistant door
in each tank section for personnel and light equipment. Each section
of the building is vented im a manner similar to that provided for
the individual tank enclosures of Option 1.
3.1.3 Discussion of Hardening Option 3
This option is illustrated in Figure 3 and consists of vertical,
I cylindricol, rcinforced concrete tanks lined internally with 1/4"
stainless steel plate. Each tank has an internal diameter of 45 feet
and a straight side height of 35 feet. The tanks are supported on
reinforced concrete mat foundations which also constitute the tank
bottoms. Tank wall thickness is 2 feet. The tanks have reinforced
concrete slab roofs of 2 feet thickness. Design information is
presented in Table 3-4.

Tank Capacity, Gal.
Tank Dia., Ft.
Tank Height, Ft.
Tank Material
Quality Group, Tank
Design Code, Tank
Seismic Category
Seismic Ground Motion, g
Tank Design Pressure
Tank Design Temperature, OF
Enclosure Wall Thickness, Ft.
Enclosure Roof Thickness, Ft.
Enclosure I.D., Ft.
Enclosure Height, Ft.
Base Slab Dia., Ft.
Base Slab Thickness, Ft.
Design Code for Enclosure
TABLE 3-2
DESIGN INFORMATION FOR HARDENED RWST AND AFWST, OPTION 1
- RWST
400,000
4 5
35
Stainless Steel
B
ASME 111, CL.2
I
0.2
Atmos.
100
2
2
57
5 1
6 7
3.5
ACI 318
AISC
AFWST
400 ,oon
4 5
35
Stainless Steel
C
ASME 111, CL.3
I
0.2
A tmos .
100
2
2
5 7
51
6 7
3.5
ACI 318
AISC

2 ft 6 in.
3 ft\
\
- N SLOPE
SLOPE
I I
-I-+
F
5 ft.
Figure 3-2. Reinforcing Concrete Building Enclosing
Two Tanks (Sectional Elevation)
! ft
i in.
/

Figure 3-3.
-TWO 3-ft BY 3-ft by 2-ft SUMPS
Reinforced Concrete Building Enclosing
Two Tanks (Plan)

Tank Capacity, Gal.
Tank Diameter, Ft.
Tank Height, Ft.
Tank Hater ial
Quality Group, Tank
Design Code, Tank
Seismic Category
Seismic Ground Motion, g
Tank Design Pressure
Tank Design Temperature, OF
Building Dimensions
I.ength, ft.
Nidth, ft.
Height, ft.
Building Wall Thickness, ft.
Building Roof Thickness, ft.
Base Slab Thickness, ft.
Design Code for Building
TABLE 3-3
DESIGN INFORMATION FOR HARDENED Hlr'ST AND AFh'ST. OPTION 2
- RWST
400,000
4 5
35
Stainless Steel
B
ASME 111, C1.2
I
0.2
Atmos.
100
AFWST
400,000
4 5
3 5
Stainless Steel
C
ASME 111, C1.3
I
0.2
Atmos.
100
11 3
7 5
52
2.5
2.5
4.5
ACI 318
ASIC
,

Tank Capacity, Gal.
Tank Dia., Ft.
Tank Height, Ft.
Tank Roof Thickness, Ft.
Tank Wall Thickness, Ft.
Wall Liner Material
Tank Design Temperature, OF
Tank Design Pressure
Scismic Category
Seismic Ground Motion, g
Tank Design Code
TABLE 3-5
DESIGN INFORMATION FOR HARDENED RWST AND AFWST, OPTION 3
RWST
400,000
4 5
3 5
2
2
Stainless Steel
100
Atmos .
I
0.2
ACI 318
... .A I SC . .
AFWST -
400,odo
4 5
3 5
2
2
Stainless Steel
100
Atmos.
I
0.2
ACT 318
h ISC

7 ft 6 in.

Hardened pipe penetration enclosures are provided, similar to Option
1, which also enclose thc tank manways. P~netratlon resistant doors
provide access to the pipe pnetration enclosures.
Tho tanks are provided with vents designed to prevent passage of
personnel or the introduction of explosives.
3.2 PNYS ICALLY SEPARATED AND PROTECTED REDUNDANT TRAINS OF SAPETY
EQUIPMENT COMBINED WIT11 SEPARATED CONTAINMEIIT PENETRATIONS FOR
REDUNDANT PROTECTION SYSTEMS
. .
3.2.1 General Description
These two combined concepts are illustrated in Figures 3-5 through
3-10. It was found convenient to combine the concepts since locating
the two safety buildings on opposite sides of the containment building
leads also to separate penctration areas for the safety related
piping and elcctrical cables.
The design basically involves dividiny the existing auxiliary building
into three separate buildinyn. The redundant enqineered safety
features (ESF) equipment normally installed in the auxiliary building,
such as safety injection pumps and containment spray pumps, is
separated into the two safety buildings, safety buildinq A and safety
buildinq 0 , while the remainder of the equipment (non-ESF) is located
in a new, smaller auxiliary building. Also relocated to each of the
sepnratecl safety buildinqs are the diesel yent2rators and the redun-
dant nets of Class 1E switchgcar, batteries and other electrical
equipment. An auxiliary fccdwater storaqc tank (AI?WST) and a refueling
water storage tank (RWSTI , both of 400,000 qallons cap~city, arc
located in each safety buildinq and supply suction to the ESP pumps
in the respective buildinq::. Althouqh this result^, in storing more

auxiliary feedwater and refueling water than is required for design
basis transients and accidents, or for refueling, cross-connecting
piping between tanks of lesser capacity is avoided and the indepen-
dence of the two safety buildincjs, a design objective, is preserved.
The modified plant arrangement, shown in Figure 3-5, is based on the
SNUPPS standard plant. Expansion into two separate safety buildings
results in the allocation of a third quadrant of the containment
(from 0 to 90°) for piping and electrical penetrations for safety
building A. However, a Eull quadrant (90° to 18G0) is retained for
containment equipment access. The location of the main steam and
feedwater piping penetration area is unchanged. Relative location of
equipment in the safety buildings and modrfied auxiliary building has
been preserved where possible. Floor ele- ati ion spacing has been
retained with zero elevation corresponding to grade. The modified
auxiliary building now also contains the control room and upper and
lower cable spreading areas. Relocation of the control room to the
modified auxiliary building and the diesel generators and Class 1E
electrical equipment to the respective safety buildings has essen-
tially eliminated the original control building. Two levels of this
building have been relocated, intact, to the west side of the modi-
fied auxiliary building. These levels contain the locker and shower
rooms, health physics areas, and miscellaneous tanks such as the
laundry and hot shower drain tank. Two additional levels contain
heating and ventilating equipment, the computer room, and instrument
shop. This building is renam'ed the access control building. Equip-
ment locations are shown on the arrangement drawings in Figures 3-6
through 3-18.

0
1
@ CONTAINYENT BL DL.
@ TIIkRINE ULDG.
@ MAIN STEAMIFLtDWATiR
PENETRATION AREAS
@ AIJXILIARY DUlLDlNG
a HLALTH PHYSICS AREA. SHOWER
0
AND LOCKER ROOMS
@ FUEL t(ANDL1NG DLDL.
M- l @ RADWASTt ULDG.
@ SOLID HADUASTE STORKE
@ "A" SAFETY [QUIPMENT BLDG.
@ "0" SAfETY EQUIPMENT BLDG.
0 "A" DIESEL GENERATOR OLDr,.
@ "R" DIESEL GENERATOR DLDG.
IiOr MKIIINE SHOP
El @
-1: RIACTOW MAKEUP HZO STG. TANK
- 2 OFMIN. tI2D STG. TANK
r -5. M o d i f i w l plant I,o;vc~ut: Sc1~;1ratcd Safcbty 13uildin9r.
arid Corltilinl~lcnt Pcnctr:~ t ions

................ ................ -.
.. - . --
...... .... ..-.-........
Figure 3-7. Safety Building A, Lcvol 0
(;-7 3,

Fiqurc 3-9. Safety Building A, Lcvcl +47
G-37,38

I .,I I , , . ............. .),.I.
I
1

I i
I.. I !
, .......
I.,i.,.
i
i

I
i
, .. ! 'It-

LLlWYN CHI
~4lA1 LILHAN'

LLYtL GMDL
PLUS 73 it

3.2.2 Description of StructJres
Safety Buildings
Safety buildings A and B are Seismic Category I, reinforced concrete
structures. Ext?rior wall and roof concrete thicknesses are a mini-
mum Of 2 feet which should provide penetration resistance of 4 to 13
minutes (see 3.1.1). These buildi~gs are supported on a 5-foot thick
ceinforccd concrete foundation slab which is founded on rock 31 feet
below grade. The main portions of the buildings are 124 feet long.
100 feet wide, and 93 feet hlgh (67 feet above grade). The tank
enclosure portion is 71 feet longi 108. feet wide, 52 feet high, and
is founded on a 4 1/2 foot reinforced concrete slab on grade.
Floor slabs in the main portions of the building are cast in place
concrete over metal decking, supported on structural steel framing.
The roof slab is cast in place concrete over metal decking covered
with a roofing membrane, and supported on steel framing.
Two vault-type doors are provided for each safety building. These
doors offer penetration resistance equivalent to the reinforced
concrete walls in whlch they are installed. The purpose of these
doors is primarily for emergency escape. Entrance to the safety
buildings is normally from the auxiliary building as discussed below
in Section 3.2.4.
Modified Auxiliary Buildinq
Construction details for this building are similar to those of the
safety buildings. The princLpa1 dimensions are length, 153 feet;
width, 98 feet; and heiqht, 119 feet (93 feet above grade). The
building foundation consists of a 5-foot thick reinforced concrete
slab which is founded on rock 31 feec below grade. Exterior walls

and roof are of reinforced concrete construction and are of a minimum
thickness of 2 feet. Floor slabs and roof are cast in place concrete
over metal decking, supported on structural steel framing.
Two vault-type security doors are located on level zero. As dis-
cussed below in Section 3.2.4, these doors give access to the re-
spective safety buildings.
, ,
Adjacent to the main portion of the modified auxiIiary building is
the access control building. This also is a reinforced concrete
structure. The foundation is a reinforced concrete slab 3 feet
thick, founded on rock 13' feet below grade. Top of slab elevation is
-10 feet. Upper level floors are cast in place concrete on metal
decking, supported on steel framing. These floors are at grade, +IS,
and +30 elevations respectively. The building roof is at +45
elevation.
3.2.3 Piping and Cable Routing
One of the design objectives of separated safety buildings is the
location of electrical cables and piping associated with one train of
ESF equipment entirely wiithin the safety building housing that train
of equipment. This is largely accomplished by providing direct communications
between a piping and electrical penetration area and the
associated safety baildin?, avoiding piping crossconnects, locating
tankage within the safety building, locating the diesel generator and
Class 1E electrical ew,ipment in the safety building, a.nd, in general,
ensuring that each ~ ~fety building is an inde?endent and self-sufficien
unit. Some communication between safety buildings and between a
safety building and the auxiliary building cannot be avoided however.
Control cables must be rauted to the control room. Also, as shown in
Figure 3-19, control cables must interconnect the logic and pro-

, .
! I .
. . . . , ,
ANALOG PROTECTION
, . . ,
DEMDDULATOR
** UNSER-VOLTAGE RELAY
' ENGINEERED SAFETY FEATURE

tection cabinets installed in the separate safety buildings. A cable
tunnel 'is therefore included in the design. This tunnel runs beneath
. .
the 'lower floor of safety bui1dir.g A, beneath the main steam and
feedwater piping penetration area, and beneath safety building B and
tile auxiliary bullding. Vertical cable chases in the safety buildings
and auxiliary building connect to the tunnel. Control cables from
safety building A are routed through the tunnel to the vertical cable
chase running up the auxiliary building. This vertical cable chase
is closed and fire-protected, and does not communicate with any of
the compartments in the auxiliary building except at !eve1 zero for
personnel access as discussed later. It exits into the upper cable
spreading room, within which the cables are distributed to the
cablnets in the control room Selow. Interconnecting cables bet:x?.en
the separate logic and protection cabinets are routed similarly
through the tunnel and through vertical cable chases in each safety
building.
Control cables for tne 0 oafecy building pass directly to the iower
cable spreading room in the auxiliary buildlng at level +26. The
lower cable spreading area is divided into two areas; one for the B
safety bulldlng cables, the other for auxiliary building cables.
3.2.4 Personnel Access
Personnel access to the auxiliary building 1s at level zero from the
adjacent access control Suilding. From this leq~el of the auxiliary
building, access to the 0 safety building can be obtained. From a
counter-sabotage deslgn standpoint, it is undesirable to permit
access between safety buildings directly, at least on a routine basis.
Therefore, access to the A safety bulld~ng is also from the zero
level of the ~uxiilary Sullding v ~ a the cable chase and cable tunnel
described previously.

3.2.5 Additional Equipment
, I
Rearrangement of the plant has inevirably resulted in requirements
. . , ~
for extra equipment. Major eqxipment i tems Se;~ond the 'SIJLPTS
standard plant are listed below. Specifications for this equipment
are provided in Section 3.2.6.
. Hi-Head Safety Injgction Pumps. Two pumps, identical to the
centrifugal charging pumps, are provided exclusi./ely for the
Safety Injection System. One pump is located in each safety
equipment building. The two centrifugal charging pumps,
, .
which in the modified plant arran.jement function only 3s a
part of the Chemical and Volume Control System (C1fCS) and
not in their previous dual capacity as both charging and
safety injection pumps, are located with the reciprocatlnq
charging pump in the auxiliary building. The philosophy
behind this arrangement is that equipment required for
routine operation and which must be looked at by tie ?lant
operators on a frequent and routine basis (i.e., the cen-
trifugal charging ?umpsJ should not be located in the safety
buildings, whereas the safety injection pumps shou:d be.
The arrangement also ensures that pip~ng which is part of
the ESF installation will be located entirely within the
safety buildings.
Boron In]ection Tank (9IT). An additionai BIT and associated
surge tank And ctrculating punps are ;rovided to
ensure the functional and physical independence of each
safety buildin~.
. Refueling Water Storaqe Tank (ttWSTi. As prev~ously disc,~ssed,
a second R!qST of 400,COO gallon clpaclty t lOOir :s
provldcd in srdcr :fiat eacfi safety 3u:ld:nq Se rmct:onai:y

ndependent. Two ha? f-size tanks were also considered but
,, ,
would require thac cross-co'cnecting plping be 'installed
between the safety buildings. Lince this could potentially
compromise the independence of tke t.7 safety buildings, no
further consideration has' been gi-)en to half-s~ze tanks.
Turbine Driven Auxiliary Feedwater Pump. A second curbine
driven au).ililary feedwater punp has Deen added to provide
the two, spatially separated trains of ESF equipment with
equal and independent protectLon capa311:ty.
. Auxiliar:~ Feedwater Storage Tanks (AFIGTI. In some plant
designs, one safety related auxiliary reedwater storage tank
of 350,000 - 4OO.OCO gallons capaclry :s 2rovlded. Then the
nod~fiel plant arrangement, wherein each safety building
contJins an AFKST, results in a requirement for an extra
tank. The reasons for pro.~iding an AFWST in each safety
building corrospnnd to those fcr the RWST discussed earlier.
In the case of the SNUPPS reference plant, there is no
safety related ArWST. The corm1 suctlon for the aLxiilary
feedwater pumps IS from the condensate st7rage tank with an
alternare, hard plped source froc the safety class 3,
seisn~c c3tegory I essential scrvlce water system. In deslqns
such as tnis, the modified pianc arrangement Senerates
a requ~remen: fo: ruo additional tanks.
. Conponen: Cooling Water Heat Exchanger, Circulating Punps
and Surge Tank. One se: of thls egulpnen: 1s Located ~n
each safety equipmen: build~ng and serve5 tne equipment
located therein. aased oc tae SNUPPS ?!ants 3s a rqferencc,
the equipment served would consist of the 3HR heac exchansers
~ n d tke DQ3rlnqS ~nd!or sea! cmiers oi cne >~3r:o~s ESF
pumps. A neat excnanqer, :%a pdx~s, and 3 surge tank are
provlded tor e3ch safety cqil:>cenr acildinq.

An additional component cooling water slrste,m is provided for
non-ESF equipment. The heat exchangers and . . pumps for this
. ,
system are located in the auxiliary building. Two 100% heat
exchangers and four, 50% pumps are provided since the system
supports normal plant operation and is in continuous service.
A single surge tank is also provided. Some of the major
loads served by this system are the letdown heat exchanger.
reactor coolant pump thermal barriers, seal water cooler,
reactor coolant pump motors, spent fuel pool heat exchanger,
and the recycle and waste evaporators.
3.2.6 Specifications for Additional Equipment
HI-HEAD SAFETY I!JJECTION PUMPS
V-. Required
TY Pe
Design flow, CPM
Head at Design Flow, Ft.
Design Pressure, PSIG
Design Temperature, OF
Driver
tiaterial of Construction
Deslqn Code
Horizontal centrifugal, nuitistage
? 50
5800
2800
300
Electric Kotor (600 BtiPl through
spced increaser
Stainiess Steel
ASXE Sectlon 111, Class 2
Note: These pumps are identical to the centrlfuqai charging punps
supplled as part of the chemlca: and vol.~ne control system.
F!uld Pumped Dezlner31 lzea vatc: cont~ln~ng
;flss~!-:~d aqr~c :,cld
Car on I
(2000 PPX

BORON INJECTION TANK
No. Required
Total Volume, Gal.
Contents
Design Pressure, PSIG
Design Temperature, OF
Material of Construction
Design Code
Heaters
aORON 1NJECTIO:J SURGE TArJK
No. Required
Total Volume, Gal.
Contents
Desiqn Perssure
3eslqn Temperature, "F
Matarla1 of Constructlnn
Desiqn Code
tleaters
Boric Acid solution in deminer-
alized water, 12 percent by
weight
2735
BORON INJECTION TANK RECIRCULATION PUMPS
300
Carbon Steel internally clad
with Stainless Steel.
ASME Section 111, Class 2
Strip Type, 12 kw total
1
7 5
Borrc ~ cid solution in deminer-
alized water, ! 2 percent by
welght
Acnospher ic
200
Stainless Steel
ASME Section 111, Class 3
Inmersion Type, 6 kw
No. Requrred
TY PC
tior rzontai Centr liuqal
Deslgn Flew, GTb!
2 U
Head st Desiqn Flow, ft. ! 00
Dcslqn Pressure, L3:G
.. 7
i ;O

Design Temperature, OF
Driver
Material of Construction
Fluid Pumped
Design Code
REFUELING WATER STORAGE TANK
No. Required
Type
Volume, Gal.
Diameter, Ft.
Height, Ft.
Locat ion
Foundation
Seismic Input, g
Design Pressure
Design Temperature, OF
Material of Construction
Contents
Design Code
TURBINE DRIVEN AUXILIARY FEEDWATER PUMP
250
Electric Motor, 1 1/2 BHP
Stainless Steel
Boric Acid solution in deminer-
alized water, 12 percent by
weight
ASME Section 111, Class 3
1
Vertical Cylindrical
400,000
4 5
35 .
Inside building
Concrete slab
0.2 horizontal
Atmospher ic
100
Stainless Steel
Demineralized water containing
dissolved Boric Acid (2000 PPM Bar'
ASME Section 111, Class 2
No. Required 1
TY pe
Horizontal centrifugal, multistage
Fluid pumped
Steam condensate
Design Flow, GPM
1200
Head at Design Flow, Ft. 3200

Design Pressure, PSIG
Design Temperature, OF
Material of Construction
Design Code
Driver
Design Pressure, PSIG
Desiqn Temperature, OF
AUXILIARY FEEDWATER STORAGE TAIJK
No. Required
Type
Volume, Gal.
Diameter, Ft.
Height. Ft.
Location
Foundat ion
Seismic input, g
Design Pressurc
Design Temperature, OF
Material of Construction
Contents
Design Code
COMPONENT COOLING WATER HEAT EXCtAVGEKS
No. Rcquired
Type
Duty , DTU/lIR
1700
150
Steel
ASME Section 111, Class 3
Single stage, non-condensing
steam turbine, 1200 BHP
1200
6 50
2
Vertical Cylindrical
J011,000
4 5
3 5
Inside builainy
Concrete slab
0.2 H3r izontal
Atmozpher ic
100
Stainless Steel
Steam condensate
ASME Section 711, Class 3
2
llor~zontal shell and straiqht
tube
42 x 10G

U, RTU/HR-FT~-~F
Area, Ft2
Tube Side:
Fluid
Flow Rate, GPM
No. Passes
,Temp. In/Out, OF
Design Pressure, PSIG'
Design Temperature, OF
Material
Codes and Standards
Shell Side:
Fluid
PIOW Aate, GPM
, ,
River water
5600
2
95/110
NO. Passes 2
Temp. In/Out, OF 117/105
Design Pressure, PSIG 150
Design Temperature, OF 200
Material
Codes and Standards
COMPONENT COOLING WATER PUHPS
150
200
Stainless Steel
ASME Section 111, Class 3 ;
TEMA
Component Cooling Water (deminer-
alized water with corrosion in-
hibitor)
7000
Carbon Steel
ASME Section 111, Class 3;
TEMA
No. Required
4
Twe
Horizontal centrifugal
Design Flow, GPM
7,000
Head at Design Flow, Ft. 200

Doalgn Pranouto, PSIC 150
Design Temperature, OF 200
Driver Electric Motor (500 BHP)
Design Code ASME Section 111, Class 3
COMPONENT COOLING WATER HEAD TANKS
No. Required
Ty@e
Volume, Gal.
Contents
Design Pressure, PSIG
Design Temperature, OF
Material
Design Code
COMPONENT COOLING WATER CHEMICAL ADDITION TANKS
No. Required
Type
Volume, Gal.
Contents
Design Pressure, PSIC
Design Temperature, OF
Material
Design Codc
3.3 HARDENED DECAY fIEA'I' HEMOVAL SYSTEM
3. 3.1 (;crier.~l ~ S C iption I
Vertical
5,000
Component Cooling Water
150
200
Carbon Steel
ASME Sectlon 111, Class 3
2
Vertical
500
Component Cooling Water
150
200
Carbon Steel
ASME Section VIII, Div. 1
As pulntcd out in IEAL-111, Nuclear Power Plant Design Alternatives
- for Improvcd Sabot~cp? kesint~ncc, - scvcr,~l alternative implementations
of a hardened dccay hcat removal system arc possible. However, a11
-

alternatives should have certain common features. Some of these, as
extracted from IEAL-111, are as follows:
Location in hardened buildings or bunkers, complete with
power supplies, water storage tanks, and controls.
Maximum independence of remainder of plant.
Design for removal of decay heat from a water cooled nuclear
power power reactor in the hot shutdown condition (reactor
subcritical, rods inserted, reactor coolant pressure and
temperature at no-load conditions), with the reactor coolant
pressure boundary intact, for a defined period, automatically,
without operator attention.
Actuated manually, either from the main control room or
within the bunkers. Once actuated, no further operator
action is required (but is not be precluded) for the design
period of automatic operation.
. With operator attention, designed to continue decay heat
removal beyond the design period of automatic, unattended
opef at ion.
. With operator attention, designed to permit transfer to
conventional residual heat removal (RHR) system operation
during or following the design period of unattended operation.
. Dedicated for use only in a sabotage or other extreme emer-
gency as determined by plant operators. Has no function
during normal plant startup or shutdown oper.rtiorls nor
following loss of normal AC power.

. Provides for isolation of fluid lines connected to the
. .
primary (and secondary) coolant systems as necessary to
prevent loss of fluid inventory.
. Does not block actuation of nor otherwise interfere with the
operation of other plant engineered safety features.
The implementation chosen for development and costing is a system
utilizing electric power for its operation. Electricity is supplied
by a diesel generator located, along with the remainder of the equip-
ment required for the system, in a hardened building. The method of
I # .
heat removal is evaporative cooling.' Emergency Feedwater is supplied
to the secondary sides of the steam generators where it absorbs heat
from the primary coolant. The steam which is generated is discharged
to the atmosphere. Natural circulation provides primary system flow.
A charging pump is provided for primary system inventory control.
Primary system pressure is maintained by pcessucizer heaters. Heat
loads associated with the dieSel generator and other mechanical
equipment are transferred to the atmosphere by an air cooled heat
exchanger. A pipe cunnel connects between the hardened decay heat
removal building and the containment.
The hardened decay heat removal system is a slngle, 1003 system with-
out redundancy or single failure capability. The design period of
unattended operation has been chosen to be 10 hours.
Figure 3-20 is a prelim~nary piping diagram for the feedwater and
charging portions of the hardened decay heat removal system. Figures
3-21, 3-22, and 3-23 present the general arrangement of equipment
within the hardened decay heat removal buildinq. A preliminary, one-
line electrical diagram is shown in Figure 3-24.

I !
i
I
I
i
j
i
I
23.13 m
(78 ft!
I I
-
p
CHARGING
I I
f.k 38.7 m (127 ft)
Figure 3-21.
FEEDYATER STORAGE TAUK
Hardened Decay Heat Removal Building, General
Arrangement -- Plan of Level 0 (Grade)

I-- 38.7~1 (127 ftj
Figare 3-21.
U
FEEDUATER STORAGE TANK
Hardened Decay Heat Removal Building, General
Arrangement -- Plan of Level 0 (Grade)
.. .

ROOF ELEVATION 34 ft

I
( N.C.*
I
I
I
4-kV CLASS 1E EMERGENCY BUS
. &
BUILDING YALL
DIESEL
GENERATOR
ILj qurc 3-24. One-Linc DlJCJt-am of ilardcncd
Decay Hcat Rcrnova 1 Systcm

A brief descrlptlon of system operation is provided in the following
section. Details on the hardened decay heat removal building and
equipment may be found in Sections 3.3.3 and 3.3.4 respectively. For
a more detailed description of design philosophy for a hardened decay
heat removal system, the reader is referred to IEAL-111, Appendix C.
3.3.2 Description of Operation
Actuation
Actuation of the hardened decay heat removal system is manual from
either the main control room or locally within the hardened building.
Manual actuation has been selected since it is believed that the
plant operators can best. make the judgement that a sabotage or other
emergency exists that requires the use of the hardened decay heat
removal system. Also, manual actuation eliminates the need for
sensing plant parameters for automatic actuation signals, thereby
reducing the number of interfaces between the hardened decay heat
removal system and the remainder of the plant. This, in turn, re-
duces potential sabotage vulnerabilities associated with such
inter faces.
Actuation of the hardened decay heat rcmoval system resu Its in the
followinq:
I
Reactor trip (with associated trips of turbine and gene-
rator).
Isolation of fluid lines connected to the reactor coolant
system includinq main steam and feedwater valve closure.
Trip of electric1 feed to the hardened decay heat removal
system 4KV bus, 3tart of the diesel generator, and sequencing
of decay heat removal equipment onto the 4KV bus.

,
Alignment of reactor coolant pump seal leakoff to the
, .
. .
borated water storage ta'nk.
. . . .
Reactor Coolant System
The hardened decay heat removal system shown in Figure 3-20 depends,
for its successful operation, on an intact reactor coolant pressure
boundary. It is therefore assumed that this pressure boundary is not
affected by an act of sabotage and that the containment structure and
containment access controls provide the required protection for the
,. ., :

An auxiliary spray line from the charging system piping to the pres-
surizer is provided for assisting the pressurizer heaters in main-
taining primary system pressure.
The borated water storage tank has been sized at 30,000 gallons,
providing sufficient water For compensating for shrinkage of the
reactor coolant system volume for a system cooldown to 350 OF. This
capacity also provides for making up reator coolant system leakage
over the design period of unattended operation (10 hours). Although
not shown in Figure 3-20, a fil: 1ine.to the tank permits refilling
it after this period. Four weight percent boric acid solution has
been estimated to be sufficient to compensate for the reactivity
effect of cooling down the RCS.
Emergency Fecdwater
The emergency fcedwater storage tank has been sized at 200,000
gallons, sufficient to provide approxim~tely 10 hours of decay heat
removal with the reactor coolant slitem maintained in a hot shutdown
condition (reactor subcr itical, control rods inserted, reactor coolant
pressure and temperature at no-load values). The electric motor
driven emergency feedwater pump takes suction from the emergency
feedwater storage tank and delivers to the J steam qenerators through
individual Ecedwater control valves. The steam generated in each
steam generator is discharged to atmosphere through a steam dump
valve dedicated for use excldsively with the hardened decay heat
removal system. Thcsc valves have adjustable setpoints to permit
cooldown of the reactor coolant system by operator action after the
design perlod of unattended operation. As in the case of the borated
water storage tan

Electrical Power
The major electrical equipment for the hardened decay heat removal
systen is shown in Figure 3-24, Preliminary Electrical One-Line
Diagram. The 4160V bus is normally energized by a feeder from one of
the Class 1E 4KV busses. However, upon actuation of the hardened
decay heat removal system, this feeder is tripped, the system's
diesel . , generator is started, the decay heat removal system bus is reenergized
by the diesel generator, and the system loads are sequenced
back onto the bus.
The loads assigned to the 4160V and 480V busses are sh0n.1 ~n Figure
3-24. Also shown is an uninterruptible power supply consisting of a
battery, battery charger, inverter, and an AC and DC bus.
Fuel for the diesel generator is stored in a day tank in the hardened
decay heat removal building. The quantity of fuel stored is suffi-
cient for at lext the design period of unattended system operation
plus soae margin. After this period, the tank can be replenished
from other supplies of fuel oil on site.
The diesel engine is started in the conventional manner by compressed
air stored in a starting air tank. A starting air compressor, located
in the hardened building, maintains pressure in the starting air
tank. The compressor also supplies control and instrument air for
the decay heat removal system. This air is processed through filters
and dryers.
Auxiliary Cooling System
The aux~liary cooling system is a closed cooling water system that
serves the diesel generaor 011 and jacket water coolers, seal leakoff
,cooler, and other components such as pump bearings and seals. An sir

cooled heat exchanger transfers the heat absorbed by the water to the
atmosphere. The heat exchanger fans provide a forced flow of air
through the heat exchanger tube bundle. A cooling water pump ~ i r -
culates cooling water between the aircooled heat exchanger and the
components served by the system. A head tank is provided for pres-
sure and inventory control.
3.3.3 Description of Structure
The hardened decay heat removal system building is a Seismic Category
I, reinforced concrete structure supported on a reinforced concrete
base mat foundation. The foundation mat is five feet thick. The
bottom of the mat is 4 1/2 feet below grade and bears on a layer of
compacted granular material 3 L/2 feet thick. The exterior walls of
the structure are four feet thick. Based on data from the Barrier
Technology Handbook, the penetration resistance of these walls ranges
from 13 to 40 minutes assuming three attackers armed with 80 pounds
of explosives, tamper plate, and gas powered hydraulic boltcutters.
Figures 3-21 through 3-23 show the general arrangement of the struc-
ture and enclosed equipment. Most of the equipment is located at
approximately grade level. An intermediate level is provided at one
end of the structure for the aircooled heat exchanger and the cooling
air inlet and discharge ducts. Internal structural steel framing
supports this level.
The building roof is a reinforced concrete slab four feet thick. Top
of concrete is 61 feet above grade over the area enclosing the aircooled
heat exchanger and 34 feet above grade over the remainder of the
structure.

The cooling air inlet and discharge ducts are of reinforced concrete
construction, integral with the main structure of the building. The
openings into these ducts are protected by a heavy steel grillwork.
Additional protection is afforded by the height of the openinqs above
grade. A supply air fan, located on the intermediate level and
taking suction from the inlet air duct, furnishes air Eor diesel
engine combustion and building ventilation.
TWO vault type doors, one at each end of the building, provide access
for personnel and llght equipment. The penetration resistance of
these doors agalnst explosives is equivalent to that of the concrete
walls 111 which they are ~nstalled.
The hardened decay heat removal building is located in the plant yard
~t an assumed distance of 150 feet from the containment bt:;ldinq. An
underground tunnel connects the containment penetratirr Jrea with the
hardened decay heat removal building. The tunnel c31ries piping and
electica; conduit between these two structures.
3.3.4 Equipment List and Specifications
The following is a listing of the -a2*;: equipment required for the
hardened decay heat remo;al sy: 2.q Thc speci f icac:ont, qiven are
preliminary and would probab:~ ..!,ange somewhat during a detalled
engineering design. Howevar, they are belleved to be representative,
based on preliminary e..,:i~eering analysis, and serve as a basis for
equipment costs.

DIESEL GEXERATOH
. .
No. Required
Ratinp KX
Ce~:rator Vol tage
Generator Fequency, HZ
Description of engine:
No. Required
Type
Fluid Punped
Design Flow, GTM
Head at Des~gn Flow, Ft.
Desiyn Pressure, PSIG
Design Temper3core. c F
Design Code
Dr l~er
EMERGENCY SHARG IKC -- Pf3?
1
1700
4160
6 0
For nuclear service, seismically
qualified, direct connected,
furnished with oil cooler,
jacket water cooler, inlet air
filter, exhaust silencer.
L
Horizont~l centrifugal, multi-
stage
Steam Condensate
1200
3200
17CO
15C
ASXE Secticn 111, 213s~
3
Zlectrlc Xotor, 1200 3HP

Design Temperature, "F
Material of Construction
Fluid Pumped
Design Code
Driver
SEAL LEAKOFP COOLER
No. Required
Type
Duty, BTU/HR
Flow, GPH
Design Pressure, PSIG
Design Temperature, OF
Inlet Temperature, OF
Outlet Temperature, OF
Fluld
tlater la1
Deslgn Code
Flow, GPM
Deslgn Pressure, PSIG
Design Temperature, Of
Inlet Tenpcratdre, OF
Outlet Temperature, OF
Fluid
Ilater la1
Deslgn Code
TUBE SIDE
SHELL SIDE
300
Stainless Steel
Demineralized water containing
dissolved boric acid (2000 PPM
Boron)
ASME 111, Class 2
Electric Motor, 100 BHP
1
Shell and tube, multi-pass
2.05 x lo6
7 2
2500
200
177
120
Demineralized water
Stainless Steel
ASME 111, Class 2
3 15
150
150
110
123
Inhibited demineralized water
Carbon Steel
ASME 111, Class 3

COOL~NC WATER CIRCULATISG PUtIP
No. Xequ r r ed
pipe
Design Flow, GPM
Head at Design Flow, Ft.
Deslgn Pressure, PSIG
Design Temperature, OF
Fluid Pumped
Design Code
Dr lver
AIR COOLED HEAT EXCHANGER
No. Required
.ripe
No. of Bundles
Total Surface, Ft. 2
Duty, BTU/HR
Deslgn Temperature, OF
Water Outlet Teapersturc, OF
Design Pressure, PSIG
Design Temperature, OF
No. of Fans
Fan Or lvecs
COOLING WATER HEAD TANK
No. Required
Ty Pe
Volume, Gal.
Diameter, Ft.
Heiqht, Ft.
Horizontal centrifugal
650
7 5
150
150
Inhibited demineralized water
ASME 111, Class 3
Electric motor, 20 BHP
1
Multi-pass, :inned tube, inlet
and outlet headers
2
2900
5.5 x 106
96
110
150
150
4
Electric motors, 50 BHP each
Vertical
650
4
-

Design Pressure, PSIS
Deslqn Tcnperature, 9p
Contents
Macer la1
Des~qn Code
DIESEL STA2TI:rG A13 RECEI'JEil
So. Reqtilred
Type
Dlamcter, Fr.
Height, Ft.
Design Pressure, ?SIC
Design Temperature, OF
Conten::
!later 131
?lo. Requl red
Type
Capac i ty , SCF:!
Del lvery Pressure, ?SIC
Dr :'let
150
150
Inhibited denineraiizcd water
Carbon Steei
ASNE 11;. Ciass 3
1
Vertical Cylindrical
1
2
a
300
150
Conprcssed 31r
CarScn Stee:

Desiqn Tem;&rdturt, OF
Mater~al of Construcr:on
Contents
Design Cuc?e
No. Requ i : ed
'W w
Capaciry, Gal.
Diameter. Ft.
Length, Ft.
Dcsign Pressure
Design Te-perature, OF
MareriJl of Cunstrucrlon
Contcr.t?
,;3
5ca:niess 5ieel
Steam condensate
hSXE I:I, Class 3
Hor lzonta: cyiindr ~cai
30,000
! 5
?J
A:nospher kc
; 53
S:a;zless Steel
Denlneralizied water cor.:alning
disso!ved boric acid (20013
PT?! Boron)
-.
idME : 1 I , -.ass 3

DIESEL GENET(ATOR - LVBE OIL STORAGE TAXK
No. Required 1
Capacity, Gal. 200
Dimensions, Ft. 3 x 3 ~ 3
Desiqn iressure Atmosphe: LC
Design Temperature, OF 100
Material Carbon Steel
DIESEL GENERATOR COOLING WATER EXPANSION TAXK
No. Required 1
Capacity, Gal. 200
Dlmens~ons, Ft. 3 x 3 ~ 3
Design Pressure Atmospheric
Des~gn Temperature, OF 200
Contents Inhib~ted demineralized water
hlater~al Carbon Steel
'SUPPLY AIR FAN
No. Requ ired
TY Pe
Capacity , cm
Head, In. Hz0
Driver
FLOOR DRAIN SUMP PUMPS
Centrifugal
30,000
4
Electric motor, 25 BHP
!to. Required One set conslstinq of two pumps
and level switch on common base
C~pacity each Pump, GTM 2'J
Head at Design Capacity, Ft. '10

Mater la1 cf C~nst:uctlon
Type of Punps
Pump Cr 1 .ter s
4160 VOLT Sh'ITC!GEAR
No. Requlred
4160 VOLTi480 VOLT TRANSFOPAEH
No. Required
Hating
Type
480 'JOLT MOTGR CONTROL CENTER
BATTERY
No. Required
Carbon Stee1,'Cast Iron
Vertlcai Sump PwrpS
Electrlc motors, each 10 BHP
One assemoly consisting of five
breakers and oce spare housing
Hetal clad, horizontal drawout
circuit breakers, operated by
spring-stored energy charged by
D.C. powered electrlc motor
1
750 KVA, 3-PHAZE, 60 HZ
Gas filled, dry
One assembly conslstlng of four
stacks of motor controiler/
feeder tap housings
Molded case circuit breakers.
1..,3tor starter contactors actuated
by D.C. control power

Table 3-5 1:~:s the elping concections to tbe reactcr coolant
preszute tccncary ior a :jy,~c3i

TABLE 3-5
SUWARY Of PI PING CONNECTIONS TO REACIUR COOLANT PRESSURE BWNDARY
Polnt of Noa i na I Approximate Design Means of
Cuwect -- on .. -. . Connection - Size 1_ Inches -- Pressure, rSIG
Isolation
1. HHH Stnp&rl y Lmps I & 3 (1I.L.) 12 2485/600 IRC: Pressure inteclocked
M.O. valves (2 in
ser ies)
Lmps 1. 2. J
b 4 (C.L. I
. Satety Injection
Iror Hoton In- Loops 1, 2. 3
lect iqm lank b 4 1C.L.I
4. Safety lnjecllon
Pumps - I>ischarge h>ps 1, 2, 3
to Cold Leys b 4 (C.L.)
5. Safety In~cction
Pumps - Discharge Loops 1. 2. 3
to llot Legs b 4 (H.L.1
lpc: 2 Check valves
ORC: M.O. valve (C. I.)
Additional ranu~1
Valves and check
va l vrs
IRC: 2 Check valves
L Manual stop valve
ORC: H.O. valves (2 in
parallel)
IRC: 2 Check valves
Manual stop valvcs
ORC: 2 M.0. valves
IRC: Check valve Manual
stop valve
ORC: M.0. valve

Loop J lC.L.1
Loop 1 lC.L.I-*:..mal
Loop 4 l L . r ! t e r n a t e 3
Prrssur i zer 2
OllC: I Y.C. A.O. stop vdlve
C l . AdJ~lru~~.ll
r.lnual s t \ ' I In
& ~ w n : ; t ~ c . pil,lnq
~ ~
IHC: l.lsc..k Valve Y.C.
A.O. valve. I'lwrk
valve lin c h t q i w
line1

not I.,.']
('Old 1.,.q
nu>lcz ope1 ate4
Alr 4)peraled
Fa11 L.lobrd
NSM m., l l y Cl used
' 1 n Isolat lon
lns I&. Heacl #,I Contait*ment
tmts 1st~ Rea~loc Lbntainment
Heactcrr Pressure
Vessel head
IRc': Manual stup valve
F.C. A.O. stop va!vr
n.o. valve (c.1.1
OW: A.0. valve (C.I.)
AAli t itma1 n.anuaI
stop valves in IIL)YII-
slteaa plpinq
0 : A.0. VdlVe (5.1.)
Addi t itm.11 mantnal
slop valves ill dcwn-
sttcaa pipincj
. . ..
IRC: Manual stop valve
(N.C.1 and Ulind
Flallqr
IRC; 2 Manual stop valves
[N.C. I

ability to isolate it to prevent loss of reactor coolant. This
isolation is achieved automatically by check valves inside con-
tainment for incorning lines (items 3, 8, 9 and 10). Item 13, the
vessel vent, does not penetrate containment and is therefore pro-
tected. The small (3/8") diameter sample lines, items 11 and 12,
are the only high pressure lines that require an active means of
isolation. The redundant and diverse isolation provisions for
these lines (see Table 3-5) are considered to reliably assure the
ability to effect their isolation.
In summary, only connections 1, 6, and 7 require additional con-
sideration to assure their isolation from the reactor coolant
system. These are, respectively, the RHR suction piping, normal
letdown, and excess letdown.
3.4.2 RHR Suction Piping
Several techniques can be proposed for preventing the opening, by
sabotage, of the valves isolating the suction p~ping of the RHR
system from the reactor coolant system. Two that were mentioned
in Section 3.19 of IEAL-111 are use of electric motors of limited
torque capability in the valve operators and use of torque release
couplings in the valve operator gear train. An additional torque
switch, similar to the ones presently used to control seating and
backseating loads, is another possibility.
Torque release couplings, additional torque switches, and torque
limited motors were discussed with a representative of a valve
operator manufacturer. All of these devices could be and have
been employed in valve operators. However, some practical pro-
blems associated with their use were mentioned by the vendor re-
presentative. The first of these is that opening torque for a

gate valve is not a strong function of differentlal pressure
across the valve. Secondly, the openlng torque is highly vari-
able, depending on valve cleanliness and lubrication, for example.
Therefore, difficulty has been experienced in reliably setting or
calibrating the torque limiting devices.
Hardware costs for any of the above alternatives are believed to
be minimal, based on the discussions reported above. Some of the
alternatives involve additional operating costs. These costs are
discussed briefly in Section 4.5.
3.4.3 Normal and Excess Letdown
Relief valves protect this piping against rupture by overpressure
in the event downstream valves are closed, all flow is blocked,
and isolation cannot be effected. Loss of fluid from the reactor
coolant system will occur as the result of lifting relief
valves, although the fluid will not be discharged outside of containment.
(Closing the flow path downstream of the letdown pressure
control valve will result in one relief valve discharging to
the volume control tank. However, this water will be returned to
the RCS by the charging pump). Breakage of this piping outside
containment coupled with denial of the ability to isolate the
lines will result in a small loss of reactor coolant outside con-
tainment. To prevent Loss of reactor coolant
activity release, it is important that the ab
piping be preserved.
and potential radio-
lity to isolate this
Since the isolation valves are located within containment, it is
assumed that the valves themselves do not sustain sabotage damage.
Rather, the inability to close the valves is assumed to be ca~sed
by sabotage of the control circults or actuating power for the
VJ~V~S.

The excess letdown line is a small diameter (1 inchnominal pipe
size) pipeline. The air operated isolation valves (3) are fail-
closed type. Two motor operated valves, cne inside containment,
,
provide diverse means of isolating the portion of the piping
located outside containment. It is also pcssible, by actuation of
an air operated three-way valve, to divert the flow from the
volume control tank to the reactor coolant drain tank which is
located inside containment. A manually operated root valve is
provided inside containment. Finally, this piping is normally not
in use, and the isolation valves are normally closed. Based on
these considerations, added assurance of the ability to isolate
the excess letdown line is probably not warranted.
The normal letdown piping, being of larger diameter (3" nominal
pipe size), represents a greater concern wi:h respect to breakage
by sabotage. Isolation provisions include two remote manually
actuated, fail closed, air operated stop valves within contain-
ment, one manual stop valve inside containment, and two air
operated, fall .:!05ed containment isolation valves, one of which
is inside containment. Two separate acts of sabotage would be
required to deny the ability to isolate the normal letdown line,
one directed at the remote manual stop valves, the second at the
containment isolation system (which can be manually actuatedj.
Additional assurance of the capability to ;+alate the normal let-
down line can be achieved by providinq an additional three-way
solenoid valve in one (or both) of the actuating air lines to the
remote manual air operated stop valves. These additional sole-
noids arc normally energized at all t.imes and have no function
during normal operation. Enerqization is from a special, locked
distribution panel located in the control room area. A third
sabotaqe act, directed aqalnst a third, independent target, is
then required to pro.jent i.jolation. To make use of thls extra

protective feature, the operator de-energizes the solenoids at the
distribution panel. This results in closing the air supply to the
valve diaphrams and permitting the exhaust of air from the diaphrams.
The valves are then closed by stored spring energy. Failure (de-
energization) of the additional solenoids does not have any effect on
plant operation different from failure of the existing ones (i.e.,
the line isolates). As stated in Section 4.5, costs Eor this option
Should be minimal. This option can also be applied to the excess
letdown line if desired.

4.1 GENERAL
I
4. COST ESTIf4ATES
The following estimates provide preliminary costs for the selected
design alternatives consistent with the degree of their development
as described in Section 3. The estimates include costs for equip-
ment, materials, construction, and installation. Similar estimates
have been prepared for the unaltered plant so that the increased
costs of the design alternatives can be identified. The costs are
based on prices and labor rates existing in November 1979.
The cost estimates should be regarded as applicable to new con-
struction; that is, to comparisons between new plants with and without
the additional protective features. Although the cost estimates are
preliminary, they are believed to adequately support such comparisons.
Excluded from the estimates arc costs for engineering, licensing,
interest during construction, escalation, operation, and other extra-
ordinary costs. Also, effects of construction schedule increases on
the power plant project have not been included. A contingency of LO
percent has been applied.
4.2 COST ESTIMATES FOR HARDENED ENCLOSURES FOR MAKEUP WATER TANKS
4.2.1 Nardening Option 1, Individual Hardened Enclosures
The cost estimate for this option is shown in Table 4-1. To obtain a
comparison with non-hardened tanks, the estimated costs for excavation,
foundation mat, and tank have been extracted. A contingency of 103
was applied. Thus the cost of 71,245,000 per tank, hardened in
accordance with the design features of Opt~on 1, compares with $938,000
for the non-hardened tank. The cost difference is approximately

ITEM OF WORK
Excavation and
Backfill
Concrete
TABLE 4-1
STUDY ESTIMATE, NOVEMBER 30, 1979
DESIGN ALTERNATIVE CATEGORY 1.8, OPTION 1
INDIVIDUAL HARDENED ENCLOSURES
QUANTITY MATERIAL LABOR
s $
Sub-contract 9,300
Mat, 4 feet thick 600 C.Y. 64,200
Walls to 10 feet high 210 C.Y. 27,400
Walls over 10 feet high 410 C.Y. 58,800
Roof Slab 225 C.Y. 30,600
Sub-total Concrete
Tank Sub-contract
Piping Allow.
Electric Service Allow.
Vault Door, 1 each Sub-contract
Total, less engineering
costs and contingency
Contingency, 103
Total, less engineering
costs and escalation
TOTAL
S

4.2.2 , Hardening Option 2, Reinforced Concrete Building Enclosing
Two Tanks
The Cost estimate for this option is showr: in Table 4-2. Using the
Cost for non-hardened tanks as qiven in Section 4.2.1 ($928,000 each
Or $1,876,000 lor two), the cost for hardening, $3,001,000, is an
increase of $1,205,000 or approxlmGt.ely 64%.
4.2.3 Hardening Option 3, Reinforced Concrete Tank with
Metal Liner
The cost estimate for this option is shown in Table 4-3. Comparing
the cost per tank for this option to the cnst of a non-hardened tank
(S938,000), the difference is approximately 5200,000, an increase of
21%.
4.3
4.3
COST ESTIMATE FOR PHYSICALLY SEPARATED AND PROTECTED REDUNDANT
TRAINS OF SAFETY EQUIPMENT COMBINED WITH SEPARATED CONTAINMENT
PENETRATIONS FOR iiEDUNDANT PROTECT ION SYSTEMS
.1 General
The cost estimate is presented n Tables 4-4 through 4-8. The excavation
and structural estimates for the two safety buildings, the
modified auxiliary building, and the reference plant auxiliary, control,
acd diesel generator buildings are provided in Tables 4-4, 4-5,
and 4-6 respectively. Table 4-7 presents the estimates for the
additional equipment and building services required for this design
alternative. Table 4-8 is a cost comparison table. Entries in this
: table were obtained by comparing excavation and structure costs for
I
the modifled plant (Table 4-4 and 4-51 with corresponding cost items
for the reference plant (Table 4-6). The costs for additional equip-
1 ment and building services, as reported in Table 4-7, were also included.

ITEM OF WORK
Excavation and
Backfill
Concrete
Mat, 4 feet thick
Walls
Roof Slab
Sub-total Concrete
Tank
Electr ic Service
Vault Doors
Total, lcss enq~necrinq
costs and contingency
Contingency 10%
Total, less engineer iny
and escalation
TABLE 4-2
STUDY ESTIMATE, NOVEMBER 30, 1979
DESIGN ALTERNATIVE CATEGORY r.a, OPTION 2
REINFORCED CONCRETE BUILDING ENCLOSING TWO TANKS
QUANTITY MATERIAL LABOR
$ $
Sub-contract
1874 C.Y.
2450 C.Y.
1036 C.Y.
2
Allow.
Allow.
2
TOTAL
$

xcavat ion and
Backfill
Mat, 3 feet thick
Walls
Roof Slab
Sub-total Concrete
Liner
'iping
2ectrical Servlce
fault Door
"otal, less enqlneerlng
:osts and contlrigency
:ontingency, 10%
'otal, less enqlneering
osts and escalat~on
TABLE 4-3
STUDY ESTIMATE, NOVEMBER 30, 1979
DESIGN ALTERNATIVE CATEGORY 1.8, OPTION 3
REINFORCED CONCRETE TANK WITH METAL LINER
Sub-contract
277 C.Y.
440 C.Y.
147 C.Y.
Sub-contract
Allow.
'MATERIAL LABOR TOTAL
$ $ $

ITEM OF WORK
Substructure
TABLE 4-4
STUDY ESTIMATE, NOVEMBER 30, 1979
COMBINED DESIGN ALTERNATIVE CATEGORIES 11.1 and 11.5
SAFETY BUILDINGS A AND B, EXCAVATION AND STRUCTURE
QUANTITY
Excavation and Backfill
Machine Excavation 7,400 C.Y.
Wet Excavation 31,500 C.Y.
Backfill Select 4,500 C.Y.
Backfill 36,000 C.Y.
Dewater ing
Sub-total Excavation and Backfill
Concrete
Base Slab, 5 feet thick 7,000 C.Y.
Membrane on fill L.S.
Water stops L.S.
Concrete to elevation (various) 5,900 C.Y.
Supported Slab 1,100 C.Y.
Sub-total Substructure Concrete
Structural Stcel 260 T
Total Substructure
Superstructure
Concrete Outside Walls
Concrete Partltlon Walls
Concrete Supported Slabs
Waterproofing
Sub-total Superstructure Concrete
Structural Steel
Miscellaneous Iron
Total Superstructure
TOTAL COST
$
7,800 C.Y. 2,320,000
1,978 C.Y. 633,000
9,500 C.Y. 3,135,000
L.S. 14 000
560 T
Z-xE%m
1,120,000
Allow. 24,000
7,246,000
Total, less engineering and contingency 14,078,000

TABLE 4-5
STUDY ESTIMATE, NOVEMBER 30, 1979
COMBINED DESIGN ALTERNATIVE CATEGORIES 11.1 and 11.5
MODIFIED AUXILIARY BUILDING, EXCAVATION AND STRUCTURE
ITEM OF WORK QUANTITY
Substructure
Excavation and Backfill
Machine Excavation 18,600 C.Y.
Wet Excavation 82,600 C.Y.
Backfill 87,400 C.Y.
Dewater ing
Sub-total Excavation and Backfill
Concrete
Base Slab, 5 feet thick 3,300 C.Y.
Membrane on fill L.S.
Waterstops L.S.
Concrete to elevation 0.0 3,000 C.Y.
Supported Slab 1,550 C.Y.
Sub-total Substructure Concrete
Structural Steel 105 T
Total Substructure
Superstructure
Concrete Outside Walls 6,000 C.Y.
Concrete Inside Walls and Shielding 4,250 C.Y.
Concrete Supported Slabs 4,100 C.Y.
Waterproofing L.S.
Sub-total Superstructure Concrete
Structural Steel 270 T
Miscellaneous Iron Allow.
Total Superstructure
Total, less engineering and contingency
TOTAL COST
S

TABLE 4-6
STUDY ESTIMATE, XO'JEMBER 30, 1973
REFERENCE PLANT AUXILIARY, CONTROL, AKD DIESEL GENERATOR BUILDINGS
EXCAVATION AND STSUCTUXE
.' I.TEM OF WORK QUANTITY
Substructure
--
Excavat Lon and Backf 11 1
Machine Cxcavation
Wet Excavation
Backfill
Dewater lng
Sub-total Excavatlon and Backfill
Concrete
Base Sldb
:4cmbr~ne on f I il
Waterstops
Concrete to clevat~on (vat lous!
Supported Slab
Sub-total Substructure Concrete
Structural Steel
':';t~i Substr ~1cture
Concrete Outside Walls
Concrete Inside Walls and Shielding
Concratc Supported Slabs
Waterproof ing
Sub-total Superstructure Concrete
Structur~l Steel
Mlscel laneous Iron
Total Supcrscructurc
Total, less cnylnecring and contingency
20,000 C.Y.
84,060 C.Y.
94,000 C.Y.
6,803 C.Y.
L.S.
L.S.
5,735 C.Y.
1,463 C.Y.
178 T
7,380 C.Y.
5,957 C.Y.
11,670 C.Y.
L.S.
702 'T
A1 low.
TOTAL COST
S

ITEM OF WORK
TABLE 4-7
STUDY ESTIMATE, NOVEMBER 30, 1979
COMBINED DESIGN ALTEaNATIYE CATEGORIES 11.1 and 11.5
ADDITIONAL EQUIPMENT AND BUILDING SERVICES
ii-Head Safety Injection Pumps
3oron Injection Tank
3oron Injection Surge Tank
3oron Injection Tank Recirculation Pumps
Refueling Hater Storaye Tank
rurbine Driven Auxiliary Peedwater Pump
Ruxil iscy Feedwater Storage Tank
Zomponent Cooling Water Ileat Exchangers
Zomponent Cooling Water Pumps
Component Cool iny Water Head Tanks
Component Cool lnq Water Chemlcal
Additlon Tanks
Sub-tot~l i.lechnn1cal Equipment
Installation
Sub-total i.lechanlca1 Equipment and
Installation
Plping (instal led1
Electrical Equipment ~ n d Installation
Total Add~t.l~;n,?l Cqulpment
Building S~~rvic~e
Vault Doors
HVAC
PI umhinq
Fire Protect~on
Electric Servlcc
Communic~tinns .~nd Ahras
QUANTITY TOTAL COST
5

TABLE 4-8
COST COMPARISON
COMBINED DESIGN ALTERNATIVE CATEGORIES 11.1 and 11.5 vs. REFERENCE PLANT
ITEM OF WORK
Substructure
Excavation and Backfill
Machine Excavation
Wet Excavation
Backfill Select
Backfill
Dewater ing
Sub-total Excavation and Backfill
Concrete
QUANTITY INCREASE COST INCREAS
$
6,000 C.Y.
30,100 C.Y.
4,500 C.Y.
29,400 C.Y.
Base Slab 3,497 C.Y.
Membrane on fill
Waterstops
Concrete to elevation (various) 3,165 C.Y.
Supported Slab 1,187 C.Y.
Sub-total Substructure Concrete
Structural Stesl 187 T
Total Substructure
Superstructure
Concrete Outside Walls 6,420 C.Y.
Concrete Partition Walls 271 C.Y.
Concrete Supported Slabs 1,930 C.Y.
Waterproofing
Sub-total Superstcucture Concrete
Structural Steel 128 T
Miscellaneous Iron
Total Superstructure
Total Excavation and Structure
Additional Equipment and Buildlng Services
Total increase less engineering and contingency
Contingency, 10%
Total increase less engineering and escalation

The approach to the estimate, therefore, has been to determine cost
differences, based on differences between the modified and, reference
plants, rather than to develop a total cost for each design. As
shown in Table 4-8, the estimated cost increase, relative to the
reference plant, for providing separated and protected redundant
trains of safety equipment is approximately 1G million dollars.
4.3.2 Excavation and Structure
Quantities of materials are based on the arrangement drawings (Figures
3-6 through 3-18) for the modified plant and on equipment location
drawings for the reference plant. Preliminary structural design
engineering was applied to these drawings where necessary for determining
wall and slab thicknesses and sizing of structural members. Material
prices include costs for construction. Concrete prices include costs
for formwork, reinforcing steel, and rubbing of concrete surfaces.
The cost for the access tunnel connecting between the modified auxi-
liary building and safety building A has been distributed equally to
the substructure costs for safety building A, safety building 5, and
the modified auxiliary building. The cost for the tunnel is estimated
at 1.3 million dollars. An alternate tunnel design utilizing reinforce
concrete pipe rather than poured-in-n\acr! relnforced concrete is ~len
estimated to cost 1.3 million dollars. It is believed the alternate
design is preferable from the standpoint of preventing infiltration
by groundwater. However further engineering study is necessary to
evaluate the two alternate tunnel designs.
4.3.3 Additional Equipment and Building Services
Costs for the additional equipment items listed in Table 4-7 were
obtained from quotations based on the specifications provided in
Sectlon 3.2.6. The costs given for the refueling water storage tank
and the two auxiliary fecdwater storage tanks are for erected tanks.

Consequently the ccst for equlpment installaticr is tor all rquipocnt
exclhive of these tanks. ~l~~ng'and electricai costs take into
accbunt increased piping and cablb runs that result from the altered
plant arrangement. These increased piping and cabie runs were esti-
mated by comparing the modified and reference ?lant arrangnents,
noting especially the relative locations of the control roon and
swltchqear in the modified arrangement. In some cases for individual
equlpment items, piplng runs are unchanged or actually reduced, but
the piping for tne total installation is increased.
The increased costs for HVAE, plumbing, and fire protection are based
on the Increase in building -101urne for the modified design. The
referonce in thls case was developed from :iUi?EG-2041, Capital Cost:
Pressurized Water Reactor Plant. The cost for ,~ault doors is a pre-
liminary .lendor quotation for doors having penetration resistance
against explosives equal to that for the walls in which they are
installed.
4.4 COST ESTIMATE FOR fIA3DENED DECAY HEAT REXCVAL SYSTZM
4.4. Cenerai
The cost estimate for this design ~!ternative 1s presented in Tables
4-9 and 4-1s. Table 4-9 presents the complete estimate for construc
and equlpnent costs while Table 4-19 presents the cost breakdown Ecr
nechJnlca1 and electrical equlpment, lncludlng piping.
The est1mar.e is based on the hardened decay hcdt remo*~al system desc
In Section 3.3, whlch is a slngle lOOb system without redundancy or
,;lnglc fail~re capablilty. As shown ~n TJD!~ 4-9, 'hc eitlmated cost
1s appt(~xlrnate1y ~~,7C0,1100. A:thou~]k no formal estimates haq:e been
prepared, addlnq redund~ncy to the systen cou:d reasonably be expected
ta increas~ the est~mated cost :o :he nelqhbornood of il m::llon
dollars.
ion
i be

Substructure
Excavation and Backfi 11
Nach ine Excavation
Select Backflll
Sackfiii
Sub-tot31 Excdvatlon 3nd
B;lcr.f ill
TABLE 4-9
STUGY ESTIMATE, NOVEXBER 3C, 1979
DESIGN ALTERNATIVE CATEGORY IY.l
HARDENED SECAY HEAT REMOVAL SYSTEM
4,i;OO C.Y.
1,000 C.Y.
d20 C.Y.
Concrete
Base S13b 1.540 C.Y.
Tunnel 7C0 C.Y.
Sub-tot~l S ln?.:r 2cc;rc Coccrete
Total S u n ~ t r u c t ~ r e
Concrete
Outside 5.ilIz 3,77i: C.Y.
Pirrltlon WJ~;; 534 C.'i.
Suppor tcc! Si !h.i 1,387 C.Y.
Alr Duct 5!:0 C.Y.
Sub-tot31 Supcrztructgre Concrete
Structur~: Stcc:
Miscei 1 -tneogs Ircn
Total Superstructure
Process Equsment
Mcchanlcal Equll~n~cnt
Piplnq and ContJliirrcnt Pccctr3:it-jns
ElfXtrica1 Eqq~lF!lle!it
Instr~tmentatlon anu Control
Power and Control :i:r 1r.g -:;?
Cot~tainment ?f'c~tt.>L~~>!l!;
Sub-total Froc~is E.i~:pnc?,r
TOTAL C3ST
S
91 3, COO
lSY.000
823.000

ITEM OF WORK
Building Services
Vault and Other Doors
HVAC
Plmbing
Fire Protection
Electrical Service
Bench Lockers and Tools
Signals and Communications
Sub-total Building Services
TABLE 4-9 (cont.)
STUDY ESTIMATE, NOVEMBER 30, 1979
DESIGN ALTERNATIVE CATEGORY 1V.l
HARDENED DECAY HEAT REMOVAL SYSTEM
Total, !ess engineering and contingency
Contingency at 100
Total, less engineering and escalation
QUANTITY TOTAL COST
S

TABLE 4-10
STUDY ESTIMATE, NOVEMBER 30, 1979
DESIGN ALTERNATIVE CATEGORY IV.1
EQUIPMENT AND PIPING COSTS
ITEM OF WORK QUANTITY
TOTAL COST
s
Mechanical Equipment
D~esel Generator
Emergency Feedwater Pump
Emergency Charging Pump
Seal Leakoff Cooler
Cooling Water Circulating Pump
Air Cooled Heat Exchanger
Cooling Water Head Tank
Diesel Starting Air Receiver
Diesel Starting Air Compressor
Feedwater Storage Tank
Borated Water Storage Tank
Diesel Generator Fuel
Oil Day Tank
Diesel Generator Lube Oil
Storage Tank
Diesel Generator Cooling
Water Expansion Tank
Sub-total Mechan ical Equ ipment
Installation
Sub-total Mechan ical Equ ipment
Installed
Piping (~nstal'ed)
Containment Penetrations (installed)
Sub-total Piping and Containmect
Penetrations
Electrical Equipment
4KV Switchgear
4KV/4AOV Transformer
480 V Motor Control Center
125 V Battery
Battery Charger and Inverter
Sub-total Electr ica 1 Equipment
Installation
Sub-total Electr ica
Instal led
1 set
1
1
1
1

3ESIG!; ALTEP:!ATI.iE CATEG3RY IV. i
ECiiI??lE!iT >.ND ? ITINC COSTS
'XTAL COST
S

6L:ained. In tk,e case of rne RHi+ suctior, piping is0:ation valves,
the cost of modifying t5e valsze operators to incorporate an additional
torque switch or to:que release coupling was estimated by the repre-
sentative of the valve operator ./endor to be 53,000 each. For focr
operators, this would amount to $24,000. There will be additional
costs for engineering ts tnsure repeatability of performance of the
torque devices. Seismic qualification costs may also increase. It
ma,y be estimated therefore that the cost of valve operator modifications
1s less than $50,000 per plant. Additional threeway solenoid valves
for the letdown l ~ne isolation valves probably wnuld not cost more
than 5150-5200, altt?ough no actual costs have been obtained. Considering
costs for 1nsta;:ation. cable, and distribution panel=, and assuming
ava~lability of spare connections in the complement of containment
penetrations normally provided for the reference plant (i.e., additional
containment penetrations are not required), the installed cost for
this optlon should not exceed 510,000-550,000. Therefore, the total
cost for this design alternative 1s estimated to be on the order of
510c.000.

DISTRIRUTIOS:
'J.S. Nuclear Requlatory
Commission
(320 Copies for KS)
Division of imcument Control
Distribution Service6 Branch
7920 Norfolk Ave.
Rethesda, MD 20014
U.S. Nuclear Regulatory
Commission
R. C. Robinson (5)
Office of Nuclear Requlatory
Research
MS 1130 SS
Washinqton, :X: 20555
Nuclear Projects, Inc
Attn: F. Schwoerer
5 Choke Cherry Rd.
Rockvi lle, MD 20850
Combustion Enqineerinq Inc.
Attn: A. Kasper, kpt. 9487-427
1000 Prospect Hill Rd.
Windsor, CT 06095
Westinqhouse Electric Co.
Attn: W. T. Rurnett
Nuclear Safety Drpt .
P.O. Box 355
Pittsburqh. PA 15230
Rabcock and Wi lcox
Attn: E. Swanson
P.O. Box 1260
bfnchhurq. VA 24505
C~nerol El e?ct rir Co.
Attn: J. E. Maxwell
Nuclear Enerqy 1)ivlfilon (M/C 395)
175 Curtner Ave.
Snn Jose. CA 95125
Northern St atrmn i'c>wer
Attn: 1,. t:Iinson
414 Nlctml let Ma1 l
Hinnenlnli~, Mh' 55431
Dukc Power Co.
Attn: R. L. Dobson
P.O. Box 33189
Charlotte, KC 28242
Power Authority, State of N.Y.
Attn: M. Maltese
10 Columbus Circle
New York, NY 10019
Commonwealth Edison
Attn: D. Galle
P.o. Box 767
Chicaqo. IL 60690
Bechtel Nat lonal Inc.
Attn: F. Gabrenya
50 Beale St.
San Francisco, CR 94105
Sorqent and Lundy
Att?: T. Victorlne
55 E. Monroe St.
Chicago, IL 60603
International Enerqy Assoc.,
Ltd. (2)
Attn: C. A. Neqin
600 New Ilampehi re, NW
Washington, DC 20037
Science Applirati?ns, Inc. (2)
Attn: P. 1,obner
P.G. Box 2351
La Jolla, CA 92036
k'.
(: .
J.
J .
'I' .
h.
I).
J.
C.
I).
0.
I).
.I .
,. .
1; .
C. Myre
I!. Mauney
E. St19ler
Jacobs
Sel lrrs
W. Sny;ler
J. McCloskey
k'. H~ckm~n
8. Varnndo (51
I.. tkrry
E. lcerlnct t
u. Er~i:son. .Jr. (lC1)
[IdKO)'
0. Chnpman
H. :1tt.y

TECHNICAL MPlORANDUn
EVALUATION OF AIRCRAFT CRASH HAZARDS ANALYSES
FOR NUCLEAR PWEK PIANTS
by
C. A. Kot, H. C. Lin, J. 8. van Erp,
T. V. Eichler, and A. H. Wiedermann
Prepared tor
U. S. NUCLEAR KEGI'IATOHY (:OMHISSION
under lntera~ency Agreement WE 40-5'~~-15

This document, ranked number 1 in the hitlist, mas retrieved from the rrrcinfo d
10043j4770
8210150557
19320930
NUREG/*NUREG REPORTS
STAT/*CONTRACIED REPORT - RTA,QIJICK LCOK,ETC. (PERIOD
TPjTEXT-PROCUREMENT & CONTRACTS
128
EVALUA'I:I:3N OF AIRCRAFT CRASH HAZARUS FOR NUCLEAR POWE
PLANTS .
ACCIDENTS
AIRCRRFT
EVALUATIONS
HAZARDS
POWER PLANTS
KOT C A
EX1 ANL,/@ARGONNE NATIONAL 1,ABORATORY
EICHLEK ?' V
LIN ti C
VAN ERP J B
WIEDERMANN A B
WIEDERMANN f H
RXI*--**/@AFFIl,IATroN NOT ASSIGNED
EXIANLjCdARGONNE NATIONAL LASORATORY
EXIATRA/@ATRESEARCH ASSOCIATES, INC.
EXI*****/@AFFILIATlON MOT ASSIGNED
" cX1ANL/PARGONNE NATIONAL LABORhTORY
EXIATMIPATRESEARCH ASSOCIATES, INC.
NREH/@DIVISION OF HEALTH, SITlMG L WASTE ;"IANAGEMENT I
ANL-CT-01-32
NUREG-CR-2859
15723:294-15724:060
820330-8210150557
NU?,ZG--CR-2859-3-820939
?I?-A-2076

TECHNICAL MEMORANWn
ABGQNNE NATIONAL LABORATORY
9700 South Cass Avenue
Argonne. Illinois 60439
EVALUATlm OF AIRCMFT CRASH HAWRDS ANALYSES
FOR NUCLEAR KWER PLANTS
by
.C. A. Kot, H. C. Lin, J. 8. van Erp,*
T. V. Eichler,** and A. H. Wiedermsnn*
Components Technolosy Division
Manuscript Completed: September 1981
Date Published: June 1982
Prepared for
Division of Health, Siting, and Waste Management
Office of Nuclear Re~ulatory Research
U. S. Nuclear Regulatory Carrplssion
Waehfngton, D. C. 20555
under Interagency Agreement WE 40-550-75
NRC PIN No. A2076
* Reaccor Analyais and Safety Division, ANL
** ATResearch Associates, Inc., Glen Ellyn, Illinois
Lstributton Codes:
E and XA)

The state of knowledge concerning aircraft crash hazard* to nuclear power
plants is critically evaluated. Thir effort is part of a study to analyze
the potential effect8 of offrite hzarda upon the ufety of nuclear power
plant- and to develop a technical basis for the assesameat of siting
approacher for ruch facilities. Tha evaluation includes the deterministic
modeling of aircraft crarh acamrior and threat environmsnts. the ectimrtion
of the effecer on and the responrs of ths vital plant systems. and the
probabilistic -rsp.ctr of the crash probler, i.e., data baser and atstistics1
methodologier. Also critically reviewed are p.st licensing axperience and
regulatory practicr with respect to aircraft crash hazards.
In genaral it in found th~t the date haes, mthodologies and modeling
approacher are adequate to ertiuts the threat and plant response. However,
this knowledge is mt always fully rued in rpecific applications. Siting of
nuclear power plant8 relatiwe to aircraft harard. is a risk baaed procedure
that considerr t h probabilities of crash occurrencs and their
consequences. Ia thia cootext it appears Luaible to improve the site
screening procedurer and to develop eacluslon wnes from controlled air
spaces (airports, ainays, etc.) based solely on local aviatlocl atatistica
and independant of plant design. Hethndologies for treating camplax
aviation onvironuntr ruch u multiple airport8 and overlappin8 airways are
needed, ar are guidelines for crash target calculations. Further
investigation8 of crash scewrlor, particularly those that could lead to
multiple or propagating failures, should be pursued.
N RC
FIN No.
A2076
Title
-
and Tkir

4.1 Sources of Information
.4.2 Air Traffic/Accident Data Base
4.2.1 Air Brrier Statistic.
4.2.2 General Aviation Data Base
4.2.3 Military Aviation Statistics
4.2.4 Airport Statistlcr
4.3 Aircraft Qash Rate Hodels
4.3.1 Crash Rate. per Aircraft-Mile
4.3.2 Qash Rate. per Square nile
4.4 Aircraft Crash Probability Methodolo&ies
4.4.1 &ash Probebility Weir
4.4.1.1 Aircraft Crash Path
4.4.1.2 Mrcraft hpact Qlaracteriatic.
4.4.1.3 Aircraft Fires
4.4.2 Crash Probability Calculationm
4.5 Aircraft Hazards S-ry
5. SAFETY-REUTED SYSTEUS
5.1 PUR Safety-Related Systems
5.1.1 PUR Oiticality Bntrol Systems
5.1.2 PYll Heat Removal Systems
5.1.3 PUR Support Systems
5.2 BUR Safety-Related System
5.2.1 BUR Qiticality Bntrol Symtem.
5.2.2 BUR Heat Removal Systems
5.2.3 BUR Support Systems
Page No.
1

TABLE OF ONTENTS (cont'd)
Pa841 NO
5.3 Accident Sequences Involving Safety-Relrtd Syrteoe 5 $9
5.3.1 Caneral kpecta 50
5 3 2 Accident Sequencea Involving PUP. Safety-
Related Syatemr 51
5.3.2.1 Accident Sequences Involving PUR
Criticality bntrol Syatems 5 1
5.3.2.2 Accident Sequencer Involving PYJL
Cooling Syetem 52
5.3.3 Accident Sequencaa Involving BUR Safety-
Xelatad Syatema 53
6.1 Aircraft Iapact Loade
6.2 Constitutive Bclationrhip of Structural Hateriels
6.2.1 Haterial bdelr
6.2.2 Material Nonlinearity Effacer on
Structural RLsponse
6.3 Local Structural Responae
6.3.1 Local hilura Uchanirma
6.3.2 Failure-We Aarlyaia Using Plastic
Shellm of kvolution lhaory
6.4 Structural Syata m d Equipment Response
6.6 Evaluation S-ry
7. PIRE AHD EXPLOSION HAZARD ASSOCIATED UlTH AN AIRCRAFT W H
8. EVALUATION OF METHODS AND APPROA~S
9. REGULATORY APPIlOAQl RtWKMENDATIONS
10. PROBLW ARCAS
REPEUENCeS
APPENDIX - LXlZRATURC S ~ I L S

polar Plot for a11 hudiur hndira Accident8 for
Aircraft Above 18,000 Pounda hring 1960-1973 (141.
C.nad1.n Accident Biatograu, 1963-1975 1141.
~lnadian Crash Point Riatogram for Diatance to Lndln8
or Takeoff Site for tlaht Aircraft [15].
Crash Ute Lbatour Urur for Heavy Atreraft in the
Vicinity of a Iiypothetical C.rudim Airport with
150,000 Landing and 150,000 Takeoff Annual ibvmnta (151.
Crarh Site. Orthowrul to a Flight Path 1161.
%hadow Area of a Plant Structure (161.
Weight Dietrtbution and Cruahlry Lod Distribution,
FSlll 1371.
ReactiorTim hlationahip for FB-111 wish Iapact Velocities
of 200 mph. P dewtea the acala cruahl~ load ueed in th
calculation. $ /5 &nd PC x 5 denote that one-fifth and fir.
tirun the cruahfnL load were cued, reapectlvely (371.
lorce-Tim Diagru for PIuntm at 215 d e r [IS].
Constitutive Lava; (a) bcrate Shear Wulua. (b) Concrete
Failure Surface. (c) Concrete Hyatarerie, (6) Steel
Hyatererir 1421.
Impact on Laactor Buildiry (421.
ntarik Impact mraowrv [I)].
Failure Zone at thr @x 1451.
Uximm inuiniry hpacc Lod u a Punctioa of Impact
Valocity [45].
Btructurrl Idealiratia of t h Wucloar Power Plant 151).
Floor Uarponre Spectra at tho Top 31 the Foundation bft,
Noda 3, (a), (a) 1% Duping. (b) 5% Lbmpiq [Sl]
Ompariron of baponee Spectra Due to Cxterrul Dynamic toad*.
PUR hrctor Bullding/loundetioa Plate, Irdial (561
vil

Lirt of Figurer (contdl
19. Comparlr Spoctra Du+ to dxterml Dpumic
Loadr. RR Roactor kildi~fFwndation Plate. Vertical
[561
20. haponre pariron [56].
21. Rerponra Spoctra, Caspariron (561.
22. Rerpoaaa Spoctra. -pariron X1 [56].
7
23. Rarpon.. Spectra, f&mparlron X3 1'561. .73
24. Besponra Spectra at Impact Area. Outer Qntainuat
(astaping 2%) [56].
1. Critical Civil-Aviation Accidantr Within 5 Hiler
of M Airport 1966-1970 1131.
2. Critical Civil-Aviation Accident* of -11 Fixed-Win8
Nrcraft, 1966-1970 1131.
3. Nature of -11 Fircd-Via# Aircraft Accidantr
1966-1970 [13].
4. Fatal Crarh irtrr for Air Carrier - Uilitar). Aviation
(6.201
5. Fatal Crarh lrtrr for Conera1 Aviation (201.
6. Detailed Qarh Rater - Fatal kcldentr per Operation
per Square Hilo [Zl].
7. Crarh Probabtlitier for Various Sitem [6,20]

Thir report providu a revieu and evaluation of aircraft cr,
analyren for nuclear power plants. Of plrticular concern are tb
both prt and propond, and regulatory experieau of tha U
Regulatory Cbmirrion cogatding the riting md derign of there Q
U.S. Cod. of tedrral logulationa currently requlrm that the ri
and engineered ufety featurer of a nuclear power plant should 1
rlsk of public exporum to accidental radioactive releaner, and
basis events used to onrum thlr rhould not be exceeded by a
considered credible. HllC rtandard review practice conrider
potential exporure events as tho.= having an expected rate of
greater than frar lo* to lo-' per year depending upon the na
data and arrumptionr. Both tho Bde of Federal Lgulationr and
provide foe engineering rafeguardr to capenrate for unfavc
characterirticr. The I(RC ha recently inrtituted a formal polic
future site relectioo on tho barir of proximity criteria to COI
of cornercirl ond military aircraft activitier.
It ?as been auggerted that tho prerent ruler and regulationr ma
an over-reliance on onginmering oolutioar, mmecersary exposuz
empharir of rltlng as a defenre-in-depth factor to aircraft h
addition to rpocific plant derian featurer to dtigate airc
induced conrequencer, .:ternat0 rlting approaches have been adva~
summarlzed ar follows:
minimu rtandoff distance.
exclurion dirtrncer
alto acceptance limit. - exclurion threrhholds
rite acceptance Yloorr - approval threrhholds
acreenfry dirtaao valuer
rcreening probability levelr
As mentioued, recent NRC reviow procedurer ertrblirh rcreeni
valuer which aro fadopondont of rpecific plant design.
In general, extonrim aircraft data barer and rtatirtical crarh
have been developod. Thr latter are Judged here to be act
national barir to within about one order of uhnituds with
arising from tha definition of crasher potentially threatenin4
pover plantr rad tho clareification of aviation characte
activitier. Deficiancier do, however, exirt vith regard
aviation, drlinartiol% of phrrrr of operetion, and important p
I hazards
po1i;ies.
I kclecr
RtB. the
location
Irre a low
at design
occide~t
credible
ccurrence
re of the
RC policy
;b~e rite
to acreen
,ntrationr
1
rerult in
and de-
lrdr. In
tt crarh-
;'I and are
I
i
ariationr
nuclear
military
tern of

aircraft crarh ocenerior. There dlfflcultier are usually murmounted through
analytical wdelr, probability dirtribution function conrtructions. and
cormervatiw arrcn~tionr.
.~.,;+'$!:...
., .. .'
L1L.
Aircraft crarh rates correspond to groupings of aircraft type, aviation
activity. airport cluracterirticr, and air rp.ce usage (e.g., airway.
restricted air space, .od hckground air octivitier). The rates scale with
the number of operatioor; other porrible scaling rffectr have not been
adequately rtudied. A value of lo-' events per year per aquare dle is
representative of tha crash rater of background light aircraft and of heavy
aircraft in the icmediate vicinity of heavily traveled alruayr and within
about five milea of a ujor airport. Although detailed cramh ratea in
actual oitutiono ulll vary widely. thia representative value demonstrates
that siting and plant daoign faaturea are imyortant and necessary
considerationo in meeting federal rafety requirements for nuclear power
plant. relative to aircraft harardm. More rpecifically, rltea tearby heavy
aircraf c aviation rpacer, uhich concentrate uir traffic, inaeaae crash
rate., and multiply the types of aviation activities, muac
acrut!nized, and plantr rhould be relatively nonauscepti
aircraft crarhes.
Crash probabilitlar correrponding to various aviation groupings have been
calculatsd for s mmber of plantr. There rerultm depend prinhliyally upon
the number of annual operationr occurring locally in each avdtlon group,
respective crooh rates, arrmed accllent scenario paramete auch as
aircraft type and crarh path, and plant parametere. The latter ncludee the
identiflcatioa of ~urceptible rafety-related feature8 and coaputation of
their effective target areas. There ulct'lationr typical1
considerable local data gathering. rite-rpecific repreaentati
parameter mdaling, and conditional probability ertimationr of
occurrences. In particular, conditional probebilltier
radioactive moterial releare exceeding NRC guidelines given
cramh are urually implicitly mede am follovr: a value
mtructurer ured in the effective target area evaluation ond
excluded.
The reaults obtained ara often near to or mrgimlly within
occurrence safety guf.daliner. Conridereble conrervatiom
included in t h usrs reviewed. Houever, not enough
to certain spacialired arpectr of the problem
renritivitier ,"o ,"rarultr to variations in the key
important in any m l g f ~ 1 rituation. For example,
aircraft and aircraft drrilor on eubrtantlal

extenrively rtudied, but other crarh rcenarior have not been purrued in any
similar detail. Mrcraft crasher ray result in ultiple failure initiating
events. and a pt.?pagating failure orginating with a nonrafety ayatem
nalfunction my be porrible. Fire and explorion hazards arroclated with the
aircraft fuel haw not born treated in rufficient detail, and, uhile there
threats u y be relatively lerr hazardous than the direct aircraft lmp~ct
threat, thie h u not bean adequately demonstrated.
Further, there la a hck of clear and rupported statement. on nny important
underlyiag arntnptioar and of comprehenrire trestmentr of the overall
hazard. ?roo thr prrpective of rid malyoir rthod~logy. the calculation
experience ir genrrally rather rlmplified with grorc. and often implied
relationships rued to represent the complex couplings mong the many
variabler of the problem. It Sa important to state, however, that thlr does
-- not necerrarily lmply that tho rerultr are rimleading or invalid or that
rignificantly different erti~ter can k lade, but that improved treatments
of aircraft htard ecanarior and mre advanced athodologiem are generally
desirable.
re that, in addition to the types of lmprovementa in
analyrer and m8thodologiea outlined above, certain alternate regulatory
approaches are worthy of prrruit. Spcifically, the recently inrtltuted
site rcreeniq approach ua be further refined, and thu ertablirhment of
mlnlmun otandoft andlor axclurion distances relative to airports, airwaym,
and cooplex aviation envirormentr appearr hoth feasible and practical to
develop. The principal dvantager of the latter wuld be (1) to clearly
mpharize rite relectim over engineering solution^ in thore carer where
safety deeiga futurer are cortly md heavily relied upon to reduce the risk
of power gemration to the public, and (2) to ri&nlflcantly streamline and
simplify the repulatory procerr.

1. INTRODUCTION
In recent pars tha effect* of offrite hazardr hve bacome an important
consideration in thr riting and deminn of nuclear power plants. The
objective of tha current rtudy ia to provide llRC with technical background
for possible tuleuking on the riting of nuclear power plenta with regard to
a number of offrite brzardr. One of the considered luzardr is the crash of
m airplane on the power plant rite. An with all hazarJr tha ultimate
concern is the safety of the ueneral lu!~lic, vhich in turn implier the
avoidance of rubstantial radioactive relersea. Such releases may arise
either directly throuah the duage or breaching ol a plant component
containing radioactive uterialr or indirectly through the malfunction of
plant ryrtemr d caponentr, which in turn rarult in substantial dansge to
the reactor =om and primary heat transport system.
nbt mjor threat* urociated vith an aircraft crarh are the impact loada
rel~ulting fra th collirioa of the aircraft with power plant structures and
corlponentr d the tharul andlor overprerrure effects which can mire due
to th ignition of th fuel carried by tha aircraft. While the damage
mechanirmr depend on the plant rymtem affected by the craah, credible
accident acamriCr muat conridrr both the direct release of radioactivity
due to bruchiag of hrriarr and tha delayed releare aasociated with damage
to core and othar vital plant ryrtemm. In the latter category of prime
lmportanca are s&fety ryrtua hick are needed for ufe shutdown and lon&tern
heat rmoval.
Slnca oifrita tuzardr to arelaat power plantr nrira from accidental event.,
the rtoclurtic arpoct. of th. problem murt alw k conridarad. This uxim
hold. particulrrly for aircraft crarhar kt aure it is mt possible a prieri
to exclude tha praraoer if aircraft frm any particular location. The
purpora of the current i4.8 ir to critically raviaw and svaluata the atate-
of-thwart of both deremJ 2. . and probabilistic knowle6~- concerning the
hazard* to arelaat paws .). from aircraft crarher. This effort ir not
only intaadd u raviau of part practices, bnt raprerants : indepandent
avaluatioo of the &ta braes and uthcdologier wed in artluting the
hararde to nuclear pomr plantr. Roth t rtrong point# and the
i~dequactar 01 pmt practlcar are identified, and where porribla raedlal
approache* rrr rrcmadad. Porribla regulatory approachem ara dircurmed in
light of them .raluatioar.

;
6
. ..,~
spective, presmt' policie., practiceo, and
efly reviewed in the next section. This is
s,,:,.. . ' .' " ' ,.
followed by:.ni~'overviav'of the literature survey. Aircraft hazards analyois
, I . ,..
and the safety::relsted power plant systems and protection barriers are
one. This is folloved by a detailed evaluation
estimate crash loads, structural response, and
The final sectiolu of the report concern the
odologies and recomndations concerning analysis
asible regulatory approaches. Brief summaries of
re, reports and documents are provided in the

7
2. BAQ;CPOUKD
r plant siting has ken to address t
rdr on a care-bycare basis. ld approach
consisted of (i)~:identifkstion of significant hazards, (ii) an a&lysis and
evaluation of .thc'&iard level the applicant using recommended $r his own
methodologies, :&dj(iii) a demonstration of techniques and engine&ed design
features for mitigating the cocuequencu if the level of hazard is found to
be excessive^ .In the past all of there efforts are directed to meet the
nuclear reactot'~imit1ng critori. which are contained in the Code of Federal
Regulations - ~*rt 100 of Title 10 (10 (PB 100) [I] and which &nstituted
the primary mandate for HRC evaluation of pr~pored rites.
.-; . .q: ?
While new criteria u y be developed in conjunction vich future siting
rule~king, several aspects of 10 CFX 100 are important to this study since
they have hiotoriullr lrot only influenced the site selection and reactor
plant design processes but have provided the objectives of most of the
subject analyses to be evaluated here. Specifically, "... the site location
a d the engineered features included as safeguards against the hazardous
conaequenc~n of M accident, should one occur. should insure a low risk of
public exposure." Provision ia made for the derivation of an exclusion
area, a low population zone. and population center distance usuming a
fission product release fraa the core and expected demonstrable~leak rate
from the containment utilizing exposure guidelines described for these
regions. The fisrinr product release assumed is suggested to follw from
calculations bared upon a ujor accident having potential hazards not
exceeded by those from any accident considered credible. It is further
stated that ~ c &cidents h are generally lssumed to result in &bstantial
core mltdown and releara of appreciable quantities of fission products.
Site acceptability factors to be taken into account include, among others,
unique or unurd faaturea having a significant bearing on the probability
and conrequences~.of. accidental radioactive release and appropriate and
adequate engineeriag'. eafeguardr that compensate for unfavorabG physlcal
characteristics of ;:!,the site.
, ... ,
the following topicex;
Thus. 10 (PB 100 predicates cons1d;ration of
; {$pt@g$;:.
.. ~?,.',
def init. . . . . I
l fail~r?,~$wder
i

8
narios. mechaniraa, ad credibilities;
ed by the NRC in interpreting 10 Q1
there are contained in the Stand
(SW). NIlllP1C-0800 121. These procedures establish criSeri
complied withslin rpacific licensing cases before a license
direct bearing on aircraft hazards are:
dentification of Potential Hazards in Si
Evaluation of Potential Accidrnts
Aircraft Earards
Section 2 -2.1-2.2.2 is primarily conceraed vith the locations #nd separation
distances from ,. the site of industrial, military, and
facilities .and:::routes in the vicinity and during the
plant. It suggests review of a11 identified facilities activities
within 8 h' (5 miles) and at greater distances if th
affecting plant.,safety-related features exists. Section 2.
review of ~.the.'~:identification of pocential accident s
completeness,,..,and the bases of design accomodation.
appropriate,~~~~.~ii'!~the review of probability mnalyses -
analytical wdebi; - and consequence analyses of acciden
design bakia%&ts. In the past design basis events had
..: b,
accident having-'a expected rate of occurrence of poten
excess of the .lO:CPB 100 guidelines exceeding approximat
include each
using site-specific or representative information and
realistic estilutioas. A rate of per year
conaervatir ,cM$~ demonrtrated. The effects of those
on ~fet~rslat.d~~fatures must be analyzed, and IbebSUre
consequencmimust .:be taken. It is recognized in the S
probabilitr..$f . ~ . >;inhividual ? .
classes of external smn-sad
the acceptan&': criteria even though the individual ra
acceptably .lw, and that idditional design features my
Section 3.5.1.6. is specifically concerned vith aircra
establiaher~~:&r& procedures to ensure that they are elidn
%.,rrm*Ji
basis concem'~:.or; that appropriate accident events have b chosen end
properly .ch&t&ired relative to impact and fire hazards.
. .
as the following situations:
SRP review

Y
1. Sites having an adequately la, probability of occurr ce (less than
about 10" par year) of radiological coneequences excess of the
10 CPB 100 guideline. This condition is aasu to occur by
inspection if the distances from the plant meet requirements
below:
The plant-to-airport diatsnce D is between
?#
5 md 10 statute
miler, and the projected annual number of operltion~ is less
e
than 500 D*, or D is greater than 10 statute )ilea, and the
5 2
projected annual number of operations is less than 1000 D ,
t
The plant is at least 5 statute Piles from the edge of military
training routes. including low-level tr~inl utes, except
those associated with a ueage greater than 1 flights per
year, or where actlvltle. (e.g., practice bom ) may create
an unusual stress situation,
The plant is at least 2 statute miles heyond neareet edge
of a federal airway, holding pattern, or approa
2. Sites not meeting the above proximity criteria or sufficiently
hazardous mllitary activities are identified. In t situation e
detailed rcview of aircraft hazards must be perf
aircraft accidents uhlch could ltad to radiolo
excess of 10 CPR 100 exposure guidelines wit
probability greater than about lo-' per year should
the deoign of the plant, subject to the design
criteria regarding aircraft impacts (miasilea) and
Th's section of the SBP also addresses review procedures some detail
relative to aviation uaes, holding petterna, deaig
airways. For thaw! caatn the crash probability depends u
and frequancy. the airway location and characteristice, i
(crashes per aircraft-mile flown per year), and plan
addresaed are civilim and military airports dnd hell-ports.
probability will depend upon the types of aircraft, number
affecting the site, airport crash statistlca (crashen
equare mile) of the aircraft types, traffic data for the
paths, and plant features. The total aircraft hazard
integrated over all potentially threatening aviation
effective plant area is recognized to depend upon a st.ad
assumed crash angles of the various aircraft and failure
*

ased on aircraft and topographical characteristics, and the susceptible.
features of the plant relative to structural or fire damage.
T current nuclear power plant siting policy and practice, in which an
applicant selects a single proposed site wing factors presented in 10 CPR
100 and submits it for NRC staff review, h~ encountered significant
criticism and has been under review by NRC for sone time. One outcome was
the fornation by HRC of a Task Force to develop a general policy statement
on nuclear power reactor siting. Their findl?gs were preeented in 1979 in
the "Report of the Siting Policy Task Force," NUREG-0625 (31. The major
conclusion of this study is that past siting practicc has stressed the
employment of engineered safety system and has tended to dermphasize site
isolation leading to the acceptance of reactor sites with unfavorable
characteristics. Recommendation 2 of the Report, which deals specifically
with offsite hazards, states that 10 CFR 100 should be revised to require
consideration of potential hazards pooed by man-made activities by
establishing minimum atandoff dietances for specific threats. This
recommendation is in line with the overall goals set by the Task. Force,
namely:
To strengthen siting as a defense in-depth factor by establishing
requirement. for site approval that are independent of plant deaign
considerations.
To take into consideration in siting the risk associated with
accidents beyond the design basis by establishing population density
and distribution criteria.
To require that sites selected will minimize the risk from energy
generation.
Wth respect to the hazard of aircraft crashes, the Task Force felt that
some practicable standoff distances can be set and recommended specifically
that nejor or commercial airports be no closer than 5 ailes from a nuclear
povrr plant.
While not all recomwndationa of the Task Force have been generally accepted
by the NRC, seriou consideration has been given to changee in the siting
policy as evidenced by the Mvance Notice of Rulemaking 7590-01: Revision
of Reactor Siting Criteria [4]. While the Notice discusses many specific
aspects of nuclear power plant siting, its major thrust is to emphasize site
isolation, 1.e.. siting neu plants away from highly populated areas and
major industrial facilities. At the same time more uniform national

criterk for plant aiting are stressed. One approach stAggested for the
implementation of much uniformity is the so-called "three-tier" approach.
This Would involve the apeciflcation of tw thresholds for each pnrameter.
One wuld la the acceptance limit uhich would exclude any site not meeting
it. The other would be .n acceptance floor - any site that did not exceed
thdt floor would be approved with respect to this criterion. Between these
extremes would be s middle grould where residual risks would be considered
in deciding whether to approve a site. In the case of offsite hazards the
establishment of minimum standoff distances is again proposed. These
suggestions have by no means gained general acceptance as evidence by some
of the ACRS coment3 incorporated into the Notice.
To provide technical backup for some aspects of this proposed rule-making
NRC - Office of Nuclear Reactor Regulatory Research requested that Argonne
National Laboratory review, evaluate, and mere possible improve and
recommend methodologies and approaches for addressing offsite hazards to
nuclear power plants. At the same time a somewha1 similar effort was
launched by Ssndia National Laboratories under the auspices of NRC/NRR [>I.
A review of past nuclear power plant siting experience Indicated that
hazardu ariaing from aircraft crashes were analyzed in at least 12 cases in
the U.S.A. Ihe preferred approach in the evaluation of the aircraft hazard
is through probabilistic techniques. tiowever, deterministic studies
addressing pri~~rily impact loading and the structural response of concrete
structures are also part of past experience. b with other offsite hazards
the current approach has led to a variety of solutions to mitigate the
aircraft crash problem. In the vast majority of cases the hazard in aimply
excluded on the basis of the stati6'.ical daca. In some cases the vital
power plant systems, in particular ttw cnntai:tment structures, are hardened
to resist the impact of certain types of aircr~fr, e.g., nree Wle Island
161. It appears that for all U.S. plante currerrcly under constrwt~on it
has been found that ft is not necessary to require containments d-cl~\%r.d to
take the impact of a large commercial jet aircraft.
This practice is contrasted by the experience in the Pedecal Republic of
Germany where it has been found necessary to design essentially all nuclear
containments to withatand the crash of certain types of military and
commercial aircraft [7,8]. A systematic approach to the problem of aircraft
hazards is a180 recommended by the International Atomic Energy Agency [9].
Durifng the aite survey stage it is recornended that either a Screening
Distance Value (SDV) or a Screening Probability Level (SPL) approach be used
to determine if aircraft hazards require further considerations. Steps to
be follwed in a detailed evaluation of the hazards are also outllned in the

IAU Safmty Gui& ad include the detetrination of probabilities for crarher
of all pertinant typaa of aircraft. When it ia nocearary to protect the
plant against aircraft craahem, the dealgn hsls crarh, 1.e.. the crash
giving the moat wvmrm coaoaqwnce, ir defined. Effects which are included
in tb ovalu~tioo arm impact and secondary mirailer aa well aa poarible fire
and axploaion uusmd fuel ignition. The document rlao recownds careful
coneideration and procadurea for the detet.ination of design barir
parmetera, I..., aircraft type, aircraft speed, load tine functions, and
amount and type of furl.

The literature survey can b. utegorirad into the following four areas:
NRC Document$: NUII)RCC reportr, regulatory guides, rtandard review
plan, regulations, past aiting experience (SAR'a, SKR's.Dockets),
IAEA Documentst Safety guides, Safety Standards, recommer~dations,
and procedures.
l Coverruent Documents: DOE, DOT, DOD, WA, etc.
Open Literature.
The NRC documents provide the background of current regulations, criteria.
and procedures for licensing and approval of nuclear power plant sites, as
well as the past siting experience which is contained primarily in the
vari~us SAR and SER reports. In addition, some pertinent information ie
contained in specific plant Dockets. The Docket material is poorly
referenced and ir available only in aicroflche form, making the surrey of
thin information rather difficult. On the other hand, the ZAEA documents
are readily available and much of the information is also contained in other
U.S. publications. Concerning other U.S. Government documents, National
Transportation Safety Board reports were collected since they provide the
data base for low probability accident events in the paat. Uost of the
structural response ad analysis of aircraft crash on the nuclear power
plants can be found in the published open literature.
Computer searches were used to locate much of the material and provided A
large number of titles; e.g.. in the category of structural response alone,
several hundred papers surfaced a8 published in the last decade. After
screening and collection of these original papers from various journals and
reports, a sumary sheet wa prepared for each relevent paper. These are
presented in the Appendix of this report. In each summary sheet, the title.
author's name, origin, and a brief description of the contents are given for
the convenience of later referral. As cm be teen fro6 the References, most
of the pertinent open literature appears in the Journal of Nuclear
Engineering and Deaign, which collects papers fro6 various international
conferences ouch M SHIRT and the International Extrew Load Conference on
Nuclear Power Plants. Some pertinent structural llterature can be found in
the area of seiadc analyses a' -2 many air crash responses have been
compared with the consequences of earthquake.

4.1 Sources of Information
4. AIRCRAPT HAZARDS ANALYSES
Literature relevant to aircraft hazards was identified, collected, and
evaluated. la addition to the NHC documents discussed in Section 2, the
literature consists of
data hoes, e.g.. air trafficlaccident reports,
probabilisticldetermini~tic methodologies and app:ications,
nuclear power plant and other aite-specific aircraft risk
estimations.
Extensive data bases exist fcr virtually all aspects of air travel, both
clvlllan and military. In particular, excellent compilations are maintained
on a routine basis of aircraft by type. usagc , flights, etc., and of
airports including movments and traffic patterns. The air apace over the
United Stater ir rather nll defined; an extensive network of air corridors
la maintained for air carrier traffic, and restricted air upaces are
enforced for epecial purposes such as military applications in addition to
airport activitiee. The principal aource of civilian avidtion records and
atatistics is the Federal Aviation Administratton (PM), Department of
Transportation. Specialize~l statistics that my be required in general or
for a particular site vill be provided to the extent posaible by the FAA
Management Services Division and airport records. Uilitary flight
information can be obtained from the appropriate branch of the Department of
Defense, military airports, and other comand . Unique problems exist,
however, in the case of dlitsry aviation; in particular, these relate to
unavailability, reliablllty. and veriablllty of the data bases aa
exemplified by classified operations and data and the statistical
significance of much of the flying expcrience and especially short duration
missions.
Accident data for U.S. Civil Aviation are thoroughly compiled on a caae-by-
case basis as well A# statistically by the National Transportation Safety
Board (NTSB). It can be assumed that the deta base of accidents potentially
threatening to a nuclear power plant is complete and accurate to the extent
possible. Unfortunately, however, the nature of an accident scenario
usually preclude. the accurate gathering of certain data that would be
useful to nuclear power plant applications, for example, the aircraft
trajectory from norm61 flight to point of impact, the inclination of the
final crash path to the ground, and the ability or inability to control the

descent and point of impact. Details of the air trafficlaccldent data bases:'
are presented in Section 4.2.
Probabilistic methodoiogier, both generic and special application, have been
developed for aircraft crashes, crash impact characteristics, nuclear power
plant characteristics, and the risk estimation process. In general, the
various aspects of the problem can be treated with reasonable confidence
given a particular site. Results of the relevant analyses are presented in
Sections 4.3 and 4.4.
Deterministic (and experimental) studies have been made for the aircraft
impact loading and ntructure-component response for certain structures and
systems. In addition to impact loading, fire and possible explosion provide
other loading mechanisms. These results are very important to (1) define
the range of consequences and bound the risk estimation, and (2) provide for
some measure of control via engineered safety features over both the
consequences and level of risk. These resulta are presented in Sections 6
and 7.
The results of analyses made for the aircraft hazards to nuclear power '
plants and other sites are summarized here KO illustrate in some detail the
nature of the problem and past practices. It should be remembered that
aircraft hazards, like most other offsite hacarde, beloitg to that class of
low probability-potentially high consequences events.
4.2 Air Traf f ic/Accident Data Base
The necessary &ta to estimate crash probabilities include8 both normal air
traffic and accident statistics. The moat general statistical categories
are
Mr Carrier
General Aviation
Mlitary Aviation
Nr Carriers operate under 14 R 121 and include certified route and
supplemental (charter) caavlera and comercial operators of large aircraft*
(over 12,500 pounda). The c~pea of services provided by Mr Carriers are
typically parranger, cargo, training. and ferry operations.
*Commercial operators were included in the Ceneral Aviation
category prior to 1975.

General Aviation refera to the operation of all U.S. Civil Aircraft other
than Nr Carrier operations. The aircraft are classified according to type.
fiaximum gross takeoff weight, the number and type of engine., etc. The
typee of flying include instructional, noncomercial, commercial, and
miscellaneoue flying. HiXtary Aviation includes aircraft and airlair-
ground operations unique to military applications and militar airports.
z
4.2.1 Air Carrier Statistics
-
Air Carrier accidents are defined to occur [lo] when any person, paasenger,
crewmember, or other person in direct contact with thr sircrnft, suffers
death or serious injury or the aircraft receives substantial damage.
Accordingly, such accidents are tabulated by the NTSB by injury - fatal,
involving serious injury, involving minor injury - and by aircraft damage -
destroyed or substantial damage. The type of accid~nt relates to the
circumetancea surrounding the acciden t e11ch as collision wi tl~ ground/vater ,
engine failure, overahoot, etc.. and tw separate types may be recorded,
i.e., first and second types. The flrst phase of ope:etion - atatlc, taxi,
takeoff, in-flight or en route, landing, unknown - is recorded for each
type. Finally, causes/factora categories such as pilot, weather. power
plant, etc. are tabulated from the accidetrt data.
For ehe ten year period 1967 to 1976* there was an average of 40 accidents
per year with an average of 6 per year with fatalitiea [lo). For this period
fatal accidents vere, therefore. abo,~t 15 percent of all Air Carrier
accidents, and from 1971 to 1976 about 25 percent of the aircraft in
accidents were destroyed. Over 50 percent of all fatal accidents from 1967
to 1976 had collision of some kind including midair as the first type of
nccide~t, whereas, for all accidents, collisions represented less than 20
percent (turbulence is cited in about one-third of all accidents). The
principal caures/factorr cited in both fatal and all accidents are pilot,
personnel, and weather; these are reported on the average about seven times
more frequently than other cauees/factors such as airframe, landing gear,
power plant, systems, inetruaents/equipmrnt, airporta/airways/facilitles,
and mincellaneous. For the ten yearn 1967 to 1976, about 20 percent of all
accidenta are during the atatlc or tax1 phaaes of operntion; landing
accidents at about 25 percent are nearly four times more prevelant thans
takeoff accidents, and nearly 50 percent occur in-fllght. The firet phase;,
of operation rtatistics for fatal accidents involve landings slightly wore
*Unless otherwise stated, the from-to notation is inclueive.

of ten than in-flight
more than takeoffs.
(both around 40 percent) and landings about five times
Prom 1971 to 1975 an average of 2.6 x 10
9
aircraft-miles were flom annually
by Air Carriers excluding commercial operators (about 2 to 3 percent of
Ldtal miles flovn). The average accident rate for that period was 0.018 per
mlllion aircraft-miles flom, and the average fatal eccident rate was 0.003
per million aircraft~ilea flown.
4.2.2 General Aviation Data Base
Ceneral Aviation accidents are also defined (111 on the basis of injury and
damage indexes. In addition to the type of accident, phase of operation,
and cauees/factors, the kind of flying and type of aircraft are
statistically analyzed. Kinds of flying are instructional; noncommercial,
including pleasure, business, and corporate/executive operations;
commercial, such as air taxi and aerial application; and a miscellaneous
category. The types of aircraft are small fixed-wing having maximum gross
takeoff weight less than 12,565 pounds, large-fixed wing heavier than 12,565
pounds, and rotorcraft.
Prom 1969 to 1978 there was an average of 4,427 accidents per year (more
than 100 times that of the Air Carriers) with an average of 696 fatal
accidents per yecr or about 16 percent of the total. accidents ill] - note
that the fatal to total accident percentage is essentially the same for both
Air Carrier and General Aviation. During 1977 and 1978, abou'. 26 percent of
the aircraft damaged were destroyed, again roughly the same percentage as
for Nr Carriers, and virtually all the others -eceived substantial damage,
i .e., damage normally requiring ma Jor repair or replacement of the affected
component. Prom 1973 to 1978 the most prevalent first accident type was
engine failure/malfunction, accounting for 24 percent of all accidents.
Uncontrolled collision with ground/water accounted for 17 percent of fatal
accidents followed by controlled collision with ground/vater at 13 percent
and engine failure/malfunction at 12 percent. The most frequently cited
causes and related factors for both fatal and all accidents were pilot,
weather, and terrain.
From 1973 to 1978 the in-flight phase of operation accounted for about one-
third of all accidents and two-thirds of fatal accidents. For all
accidents, landings at about 42 percent owur Nore often than in-flight and
about twice as often as takeoff accidente; landing and takeoff phases of
operation occur in about 16 and 12 percent of all fatal accidents,
respectively. Pleasure, aerial application, and inatructional flyln~

18
accounted for 81 percent of all accidents from 1975 to 1978, and pleasure,
aerial application, and air taxi accounted for 75 percent of fatal
acciaents.
Of 793 fatal accidents in 1978 about half of the aircraft were beyond
miles from an airport (for all phases of operation); of the 4,494 total
accidents (4,554 aircraft) in 1978, lesa than 30 percent were beyond 5 mller
of an airport. Chelapti, Kennedy, and Wall [12] analyzed ten- and four-yea
periods up to and including 1968 and found that on the average about two
thirds of the fatal accidents occurred beyond 5 miles of an airport fo
amall and large Ceneral Aviation aircraft and for Air Car-riera. Smal
fixed-wing aircraft accounted for 90 percent of both all and fatal accident
during 1978. Large fixed-wing aircraft accounted for 1 to 2 percent of
these accidents, specifically, 14 fatal and 48 total acci-denta during!
1978. Rotorcraft and miscellaneoue types account for tt~e remalnder.
.
$ 3
f ;$
Prom 1969 to 1978 an average of 3.9 x 109 aircraft-milen was flown ann~ally,~,~
ranging Iron 3.1 x lo9 (1971) to 4.9 x lo9 (1978) miles flown per year. he"
total and fatal accident rates both exhibited decreaalng tendencies during
that period. On the average (1969 to 1978) 1.2 accidents occur per nlilion
aircraft-miles flown, ranging from 1.48 (1971) to 0.90 (1978), and 0.18
fatal accidents occur per million aircraft-miles flown, ranging from 0.211,.
, :a
(1971) to 0.159 (1977 and 1978).
;.$
:.2
I
4.2.3 Military Aviation Statistics 54
* :
Comparable accident statistics for U. S. Military Aircraft are not
publiahed. It is widely assumed, g . by Solomon and others, that the
accident rate of lrllitary aircraft on noncombat missions that could cause
the aircrrft to crash or collide with any utructure not at the airport is
comparable to the aimilar accident rate for Mr Carriers. An accident data
compilation published by the NRC, "Aircraft Impact Risk Assessment Dale Base
for Assessment of Fixed Wing Air Carrier Impact in the Vicinity of
Airports." NVREC-0533, June 1979, by Akstulewicz, Rend et el. found that
military air transport, "...when operating as an air carrier, has accident
rates approximately the sams as those of civilian non-scheduled air carrie
service." The accident and traffic experience used in I compilatio
included military aircraft similar to typeu flown by civilian Air Carriers -
specifically, CSA, C141, E4A aircraft. It has been the pract Ice in certain
cssen where military aviation is involved to adopt a rate equal to the Air
Carrier accident rate multiplied by an integer greater than one (to allow
for uncertainty) ar the military transport accident rate whrn tho
acquisitlon of specialized data appeara to be unwarrnt~ted.
<
, ~.

4.2.4 Airport Statistics
1 Y
Niyogi, britr, and Bhattacharyya (13) analyzed the characteristice of
critical accidents, i.e., accidents resulting in fatalitiel or a destroyed
aircraft, of civil aviation occurring within 5 mfles of an alrport for the
years 1966 to 1970. The ratio of theae critical accidents to fatal
accidents is 1.6. Their statistical reeults are of interest because of the
breakdovl~ by aircraft type and power plant, phase of operation, and airport
type. The airports listed are those covered in the 1972 National Airport
System Plan and are characterized in the table below:
Airport Type Number of Annual Number of
Designation t (~perations/~r.) Nrports Total Operations
A 40,000 (non FAA) 299 85.4 x lo6
E >40,000 (FM) 330 192.5 x lo6
Totals 10,010 417.6 x lo6
t(assigned here)
Table 1 givas the number of critical accidents during the 1966 to 1970
period for several types of aircraft. Table 2 shows the relationship
between typsa of airport and power plants for small fixed-wlng aircraft.
Table 3 giws the distribution of small fixed-wing aircraft accident
according ta phase of .operation and dlatance from the airport for eac
airport type.
Godbout 1141 studied takeoff and landing accidents that produced fatalities'
of cerious aircraft damage for heavy aircraft (gross weight more than 18,00
pounds) for the yearm from 1960 to 1973 in the vicinity of Canadian
airports. Ilo found that most of these accidents occur within 10 milea of an
airport but included data out to 30 miles in the airport-related, e.g.,
takeoff and landing, statistics. Figure 1 is a polar representation of the
landing accLdentr that bvs occurred. Very few heavy aircraft accident
wero found to occur off the runway axis mr indicated in the figure; thi
my, in part, bo due to Canadian airport traffic pattern procedurer. Flgur
2 rhown tha accident histograw for landing (A), takeoff (B), and combine
(C) accident#. Them statistlcn are lnterestlng since they are analyzed 1
a manner that clearly illustrates landing and takeoff direction:
correlatlons.

Table 1. Critical Civil Aviation Accidente 'dithin 5 Utles . K
of an Airport 1966-1970 [13]
Critical
Type of Aircraft Accidents
Large Pixad-Wing (more than 12,500 lb)
Smell Fixed-Wing - jet
Small Fixed-Wing - 2 propeller
Small Fixed-Wing - 1 propeller
Other
35
20
260
1640
110
Total 2065
-
Table 2. Critical Civil Aviation Accidents of Spa11 Pixed-
Wing Aircraft, 1966-1970. [13]
Airport Type of Power Plant
Designhtion Jet propeller 1 Propeller ~ n y
E 7 7 5 214 296
Total 20 260 1640 1920

Table 3. Nature of Small Pixed-Wing
1964-19 170. [13]
Aircraft Accidents, I
Frequency of Accidents $
Air- Diatanee frca Airport (miles) I
port Phaae of Traffic tPheae
Type operationt Pattern 0-1 1-2 2-3 3-4 4-5 Total Prection
TO 113 65 9 5 1 0
IF 29 109 70 61 55 17
A IL 1 1 2 1 1 0
OL
Total 717 .. 1.000
. .
OL 82 2 1 1 4 2 1 111 0.272
Totrl 5 100 58 44 43 18 408 1.000
- - - - "
OL 38 17 5 0 0 1 62 : 0.284
Total 8 58 3 5 25 13 9 218 h1.000
OL
23 12 9 7 508 0.265
Total 212 206 1131 61 1920 -!a56
Fraction of aircraft ererhea 0.412 0.2?m.tC7 0.146 0.055
+TO - Takeoff, I? - In-flight, IL - Inatrumcnt Landing, OL - Other land in^.
. -

Fig. 1 Polar Plot for all Canadian Landing Accidents for Aircraft Above
18.000 Pounds during 1960-1973 [I41

PO^ any of tha aviation categories and chmracteriaticr dircusae
much rpecific detail ar desired is generally available.
location is aalected the presence of nearby airports, fede
controlled air apncea, and military activities can be id
appropriate rite-rpeclfic rtatiatica can be gathered and ana
informatiorr is necrraary to (1) identify the appropriate cra
determine whether ~pectalired rtetiatical crash modela requir
and (3) compute the deeirad crash probabilities for aircraft
nuclear power plant. In Section 4.3 existing crash rate adels are
presented.
4.3 Nrcrsft Crash Rate Hodela
Several definitions of an aircraft accident potentially har
nuclear power plant have been used. e.g.. fatal and critic
defined in the preceding nection. Other definitions include i
result in fatalitier or malfunctions serious enough to force the
land at other than its planned dertination and accldents that
the aircraft to crarh or collide with any atructura not at an
the following crash rate models, the definition involved will
aa used with no rerioua attempt at quantitative correlati
general, the differenca between fatal and mjor accident ru
accidents la lesr than OM order of magnitude. The thre
normalizing factora applied to the accident data are the number
miles flown, tha aurfaee area over which flights are made, and t
airport operations or movements.
4.3.1 Craah Rater par Aircraft-Mile
As derived in Section 4.2.1, the average fatal Mr Carrier ac
about 3 x 10" per aircraft-mile. NRC Standard Review P1
value of 4 x comnerclal aircraft en route crashea pcr
having been urad and references H.E.P. Krug, "Teatimo
Operations in Rasponee to A Request from the Board," Docket
50-323. This crash rate is baaed on the assumption that
in-flight failure wlll occur in the U.S. per year, an event
loss of altitude with no pilot directional control of the a
certainly an accident aubaet amaller than the total fatal
and, although no accidmt data bare analyaia was presented, the v
en route cataetrophic rlrcratt avant per year appears pla
it is not obvioua that only cetaatrophic aircraft failure
to nuclear power plmte in view of the record that cltee
of accidents Ae warther, personnel, and pilot (e.g., pilot failed

2 5
procedures a d directions, misjudged speed and distance. etc.).
would appear that calculating the in-flight crash rate per aircra
the basis of tho rmallest accident subset, i.e.. catastrophic accidentb,
yields the lover bound for the Nr &crier en route accident rate.
Th SRP aleo cautions that heavily traveled corridors (more than 100 flights
per day) my require a mra detailed analyria. This is laportan
rep-ognizes that the above value is .n average over a11 corridor
knowledge Nr Carrier crash rates have oot been derived as a func
corridor characteristics such as identity. traffic density.
altitude, etc.
Codbout and Br have calculated the following en route
for heavy aircraft in several countries for the years 1969 to 1973;
Craah Rate per
Country Billion Mrcraft-Uilea Uncertainty
United Stater 2.1 30%
Uni tad Kingdom 24 58%
Prance 50 50%
West Gewny 32 100%
World Average 9.5 12%
These rates are baed upon all accidents serious enough to
aircraft to land, but include only accidents that occur fart
miles from .a airport. In the U.S. it has been observed that
third of fatal accidentr occur within 5 miles of an airport
4.2.2). Thur, their value of 2.1 x potential crashes per
reflects the increasiq effect of using an accident data bas
the fatal subset and the decreasing effect of the 30-mile
son around UI airport. For heavy Canadian aircraft they ha
in-flight serious accident rate of 8.0 x per aircraft-dle.
Solomon [16,17,18] derived tha followiq average Mr Carrier
three classes of accidentr for the period 1967 to 1972:

2 6
Accident Clarr Accident. per Aircraft-Mile
All kcidentr 23 x
Mjor ~ccidentr~ 11 10'~
Fatal Accidents 4 x
tPotential crash or collision with any structure
not at an airport
For major Nr Csrrier accident. Solomon derived the following
for three phares (mode.) of operation:
Major Accident.
Phar of Operation per Aircraft-Mile
Takeoff 116 x lo-'
lnflightt 5.2 x lo-'
Landing 450 x lo-'
Average 11 lo+
tIncluder climb and dement
Cottlieb 1191 determiner a fatal accident rate of 0.045 x
averaging the rates for the year. 1970 to 1975 am reported by
This value ir en order of magnitude lower than other rimilar
and since the rupporting data bare ia not presented, it is no.
calculation is made.
Subject to poerible air corridor traffic variations, value of
the in-flight hebv aircraft crash rats per aircraftnil
corridors uppearr to be a reaeonable compromise among varia
phase of operation end accident definition. Site analyses in
of an alrport my duplicate from one-third to one-half of these
the airport-related hrtbrd rater, and an expanded accident data
than about 1.5 to 3 timea the fatnl accident data could be ju
upon reviawr of accident typee and acenarioa that could be
potentially thraataaing to nuclear power plants.
For the Cenaral Aviation category, craah rater per aircraft-m
developed by Solown 116,171 uith kind of flying sa an addition

2 1
thane rerult umarired belw for major accidenta and the phares of
operat ion :
)(.for Accidentr per Aircraft-Mile (x
Pllght Category All Takeoff 1n-flightt Landing
All 530 2440 318 2440
Inrtructional 330 153 1 198 1010
Buainerr/Corporate 370 L71Q 222 1210
Pleasure 940 423G 564 6350
Aerirl Application 790 2370 474 1740
Air Taxi 320 1470 192 1230
-
tJ.ncludea climb and dercect
The ratio of the major accidant and fatal accident crash rates la about the
r.me for both Air fhrrier and Ccneral Aviation, alightly lam th+p a Factor
of 3. (Thlr ratio ia rignificantly lar~er than three for inrtruational and
aerial application flighte.)
Niyogi et el. 1131 derivad crarh rates for critical accidents of small
Firedring Canera1 Aviatim aircraft as a functlon of dirtance frm the
airport; these are prereated below for the five-year period 1966 to 1970:
Accident Ava~sge Critical Critical ~ccideota-
Location Accidents per Year per Alrcraft-Mile
airport
0-1 d1.r
1-2 miles
2-3 oiler
3-4 milea
4-5 mile.
: 5 milea
All accidantr
Clearly, the ctrrh rat* of ma11 fixed-ving aircraft reaches the. bcyond-5-
mile aaymptoth valru rhortly after the S-dla distance. hi; value ir
,!
computed uaing an rvarage 02 3.12 x lo9 rircraft-dler Elom beyo* 5 miles;
tho miler flm witdin I miler of an airport is OM order of magnigude less.

Critical accidentr defined by Riyogi et al. are 1.6 times larger than the
fatal rubset; therefore, the average fatal crarh rate is 175 x per
aircraft-dle conriatent vith tho valuer of 180 x loe9 and 187 x per
aircraft-mile given in Section 4.2.2 and by Solomon, respectivelp. Cottlieb
1191 giver fatal cral rater for twin-engine aircraft of 69 x 6.4 x
lo-', and 14 x 10" per aircrrft-nile for pleasure, business, and air- taxi
flying, respectiveLy, derived from data for 1975 and 1976.
There crash rater are used in computing crsrh probabilities for slter in the
vicinity of flight paths or airways (see Section 4.4). A atatistical
measure of the craah dirttibution normal to the flight path or airvay is
needed to defin th. crarh accidentr per aircraft-mile per mile normal to
the flight path or per flight operation per square rile.
4.3.2 Crash Rates per Square Mile
There is an absence of rtatirtical data required to correlate the
distribution of crarh impact locations vith aircraft and flight path
characteristiccr. Analyser :hat construct wdels to do this are discuaaed in
Section 4.4. Hovever, tu, carer can be developed frm statirtical data and
correspond to the axtremer in vhich the flight path is either irrelevent or
relatively fixed. Th. firrt reprerents statistically random fllghtr vhich
clorely approximate uch of General Aviation, and the recond represents the
imediate vicinity of airportr.
Uoing the data of Hiyogi st a1. from 1966 to 1970, there la an average of
898 critical accidentr per year of ma11 fixedring aircraft (not including
aircraft on the airport), ubich gives an average of ?.O x accidentr per
square mile per year ovor the Continental U.S. during the reference 5-year
period. Nlyogi et 81. derive a value of 2.3 x loe4 crashes per square mile
per year for there cccidantr occurring more than 5 miles frm an airport
aesuming 10,010 airpotto; the average airport rate, 1.e.. vithin 5 mlles, is
4.9 x accidmtr per aquare mile per yeat, and this rate tncreasea
rapidly as the dirtrncs to the airport de~,reaaes. 'the Canadqan light
aircraft en routs average crarh rate is dertred by Godbout at 41. t.1 be
about 4 x 10" per rqrure mile per year durin~ 1974.
*Continental U.8. area ia 3.023 x lo6 square miles (sourke:
i! a,
1978 Hammond Almanse). !i
:I

These race# aaruw tha: a crash can occur anywhere with equal likelihood and
independent of flight path. They my be viewed as nonconservative in the
sense that thq represent gross averages of atrtlctical data and do not take
into account flight traffic density. The Canadian craah rate could ell
reflect thin type of variation. Thus, the aru of susceptible targets of a
nuclear power plant to mall fixed-wing aircraft ust be exceedingly low for
the probabilit, of an unacceptable crash event to be lesa than loq7 per
year. Thia will be diacusred in more detail in Sections 4.4 and 8. k
t
Several analyaer have been made for airport crash rates utilizing
statistical data on the distributlon of crasher occurring in the vicinity of
an airport. Eirenhut 161 analyzed fatal crashes that 'occurred within a 60
degree reference flight path symmetric about the extended centerline of the
runway." His resulta are based upon 8 x lo7 Air Carrier. 5.5 x lo7
Navy/brine brpr, and 3.9 x 10 7 Air Force movements and are given in Table
4. Eisenhut 16,201 alao derived fatal crash rates for Ceneral Aviation as
function of distance from the sirport using a data base of 3993 fatal
accidentr resulting from 3.2 x 10' movements from 1964 to 1968. These are
given in Table 5 and range from 3.75 to 6.46 times higher than the
corresponding rates for Air Carriers vith an average of 5:l.
Boonin 1211 performed a almllar analyais of d~ta for the years 1966 to 1970
aasuning that a11 accidentr (fatal) occurred within the 60 degree cone uaed
by Elsenhut. Results vcre obtained for -11 (less than 12,500 pounds) and
I
large (more than 12,500 pounds) aircraft in General Aviation and Air Carrier
cacegorles and are given in Table 6. They agree closely vlth Eisenhut's
resulta for General Aviation but exhibit a m diffe~encea with regard to Air
Carriers. i
Prom hbler 5 or 6 for General Aviation the fraction of fatal aircraft
crashes occurring in each radial zone can be computed after multiplying by
the respective zone arear. The resulting distributlon of fatal accidents
agree. closely with that of Niyogi et al. for critical ma11 fixed-win#
aircraft accident# operating out of any airport (see Table 3). The radiaf
variation of craah rate strongly decreases due to (1) the decrease in thi
nuober of accident# with increaaine distance from the airport, and (2) th
geometric divergence of the radial rones.
Solomon et a1. 122,231 derive an average craah rate of 2.0 x lo-' per
operation pet square ails by consideriq a11 fatal crashes occurring at al*
col.mercia1 airport8 from 1965 to 1972 over the 10 square piles immediately
adjacent to th runway#. In addltlon s fatal crash rate of 15 x per
a
i

..
. . .
30
. .
: . Table C Fatal Crash Date8 for Air Carrier -
Hilitary Aviation (6,201.
: . .
: . .,,
,. 7
. ..
Distance Probability (x 10') of a fatal craah
frca end per aquare mile per aircraft movement
of runway
(miles) U.S. Air Carrier USNlUSUC USAP
NAt NAt
NA N A
NA N A
NA N A
HA N A
*No craahea occurred at theee distances within e 60' flight
path.
tData not availahla.
Table 5 Fatal Craah Rates for General Aviaticn [20]
Probability of q fatal
Diataace from craah per mile per
airport, .ilea aircraft movement

hble 6 Detailed Crash btes - Fatal Accidents per Operation per Sguarr Mile 1211
Distance from Airport
Aircraft ategories 112-1 rL;e 1-2 mile 2-3 mlle 3-4 dle 4-5 mile
All aircraft
Sull alrcraft
Large aircraft
Gcnerll Aviation (total)
General Aviation (swll)
General Aviation (large)
---
Air taxi (total)
2.447 x
5.319 x lo-'
Air tad (small)
Nr taxi (large)
2.447 x
--- --
5.319 x lo-'
Air Carrier (total)
7.639 x lo-' 1.091 x lo-' 8.488 x lo-'
Air arrier (-11)
1.905 x 10-7 3.809 x 1.905 x
Air Carrier (large) 2.601 x lo-' 6.135 x lo-' 4.090 x lo-' 2.761 x lo-' 4.090 x lo-'

operation per aquare mile over the 'moat dangerous' square mil
distance of one mile and along the centerline of the runway
These valuea are independent of aircraft category and are
agreement with the a11 aircraft values in Table 5.
Codbout and Brair [IS] found that for light aircraft (gross we
18,000 pound*) the craah point distribution in the vicinity
airports exhiblta no angular dependence with respect to
dlrectfon. Further, the number of nccidenta decrease. ver
distance ruch that the presence of a light aircraft air
unlnportant after about 2 to 5 dles as shown in Pig. 3.
crarh rates would appear to drop off faster wlth diatance tha
indicate; kovrvet, the en route value for light aircraft exi
caaes in the neighborhood of 5 miles fram the airport.
The dependence of the heavy aircraft crsmh rate on the po
(r.0). r being the radial distance and B the angle to a
measured relative to M airport runway, is derived by Codbout
on the basis of Fig. 2 for takeoff and landing r-variations a
et al. model [22] for the +variation. lac., given a rels
C(O) - 1.0 between 0 and 1 degree of the runway.
- { 1.0 , ooaaO ,
a.
11 8 , l0

DISTANCE FROM LANDING OR TAKE -OFF SITES, MILES
Fig. 3 Canadian Crash Point Histogram for Diatanca to Landing
or Taluoff Site for Light Aircraft 1151
- ,

. ,... ."
,, . , .... .... ~. . ..
. . . . . .
Pig. 4 Crash Rnte Contour Lines for Heavy Aircraft in the Vicinity of a Hypothetical Canadian
102 UrWm vith lM,000 Landing rad 150.000 Takeoff Annual Movements 115)

the calculatiod where desirable. Bornylk et 81. [2.6,25,26] derived c.aah
rate distributiona for military aircrsft flying target-bombing flight
patterns, again 'utilizing available site-apecific information (in thin case
military data &re /obtained).
;>,

aircraft-.ile in lq. 4.2(11). and W is the effective crash width extent
centered on the aircraft's flight path (when C is given per aircrsft-
mile). All of these variables depend upon the identities of the parameters
chosen to belong to the various posaible groupings (subscripts to indicate
the five principal paremetera are omitted for clarity with the ringle
subscript C affixed to P to sophasize chis dependence). The values of the
variables in Eq. 4.2 are, of course, site-specific, and their variability
depends upon the level of detail represented by the parameter groups chosen.
Note that although crash rates can vary considerably depending upon their
parameter composition, they are derived on the basis of the national
accident data barn - a statistical requirement in view of the rarity of
aircraft crashes at any given site location. Additionally, certain
conditional probabilitfu are required as they affect potential target areas
and aircraft crarh consequence models. These relate to the aircraft crash
path and its orientation relative to the plant features. the aircraft impact
speed and might. and the likelihood of fuel fire and explosion events.
given that the crash of a psrtlculsr type of aircraft occurs. The
discussion in the following subsections dl1 examine the formulation and
evaluatioa of the pertinent ~ ~nditio~l probabilities.
4.4.1.1 Aircraft Crash Path
Crash trajectories from the flight point here trouble. (first) de~lelopa to
the impact point are implicitly represented by the statistical distribution
of crash points for airport-related activities and treated as randomly
occurring even- for uncontrolled (general) aviation. For in-flight traffic
along prescribed router such as air corridors and traffic patterns here a
flight line existr, for example. military air maneuvers such as weapons
dtlivery or ~vigation practice 1251, prob~bility distributions can be
constructed for both th. oorul traffic deviatioo. and crash traJectorie8.
The latter uill depend upoa such factors as altitude, attitude. type of
aircraft and other characteristics such aa speed.
Hornyik et al. [24.25] conrtruct a normal air traffic density function in
order to compute a collimioo prob~bllity, tbt is, collisioru resulting fro6
deviations from tb intended flight path and the presence of plant
structures. Then accident types are included in the statirtical data base
and can be curully Ignored as an Important uparate class of events except
in very speci.1 cases of l w flying aircraft in aerial application and
military aviation. ?or most low flying slrcraft. e.g.. pleanure flying, the
deviations fra 'Intended' routes are uiually ea large that the routes are
virtu~lly mruxlstent relative to the present application, and collirionr

i
are equivalent to randm craah events. For high altitude flights along air
corridorr, flight path deviations are assumed negligible in extent abd
implicitly included within the crash trajectory distribution orthonormal to
the flight path.
C
.a
Crash site probability dirtribution functions have been conetructed by
tlornyik et a1. [24] ad Sol- [16]. Figure 5 illustrates the geometric
relation betveen the crash aite and (straight) intended flight path, e.&,
i
air corridor centerline. hsociated vith the crash site to flight path
distance x is the conditional probability of a crash occurring along the
line x equal to a conatant, given that a crash occurs. Solomon assumes this
conditional probability to be a negative exponential function that decays
(symmetrically) as x increares and given the folloving subjective estimates
for the decay constant as a function of aviation category:
'i
Exponential
Aviation Category Decay Constant (mi-')
Air Carrier
General Aviation-
Aerial Appliction
Ceneral Aviation-Other
Military Mrcraft
Cottlieb [19] incraared certain of there valuea to account for lower alr-
corridor altituder in hie aite-specific analysis.
!
In general, air corridora my mt be rtraight, and there are often arltiple
corridorr haviq different directions a d different altitudes over a given
site. Gottlie? wdeled rush an inrtance by dividing the air apace ido
hnlf-mile vide strips and ruperimpoaed the negative exponential densily
functions for each strip. He found that the orthonor~l conditio~l
probability bsco.~~ negligible beyond x equal 3 miles for a decay conrtant
of 2/.ile.
t
The value of If1 in Eq. 4.2 ia thir conditional probability of orthonordl
craah site location and is a function of the distance fra the plant to ths
air corridor unterlln8. SUP Section 3.5.1.6 suggeata using for the val&
of Y the air corridor width vhen the rite is under it, and thim vidth Pl&
tvicr the dirtance from its edse to the atre when the aite is beyond the b

e effective plant area A is the equivalent ground surface area such that a
ash probability computed on the basis of A accounts for all crashes that
could affect susceptible targets at the plant site for each parameter
jrouping. The calculation of A vill, in general, involve aircraft, craah
related, and target characteristics. Noat analyses treat A as the sum of a
pkid area, ahadow area, and true target area. The shadou area is very
significant since it allows for target height; it depends strongly upon the
crash angle and is illustrated in Pig. 6. The shadow area varies inversely
with tan 4 where 4 is the crash angle shovn in the figure. Solomon uses
&
values for + of 15. 116) and 20. 122); Niyogi 113) quotes values of 10. for
"&andings and 45. for takeoffs. Cravero and Lucent [28] conclude from their
,@tudy of international aviation that of 34 accidents from 1962 to 1966 over
&elf resulted in vertical dives ($ equal to 90°), and tor the remainder ,+ is
#eater than 45.; they arrive at similar conclusions fran their study of
@ropean private sviation for the years 1968 to 1970. Joerissen and &end
@9] assum an average value for 4 of 45..
k
i
e skid area is shorn by Solomon [I61 to vary proportionally withe the
@piare of the aircraft's initial horizontal velocity, and inversely wiih n
friction factor that depends on the ground terrain. Prom a review of
accident reports and other studies. Solomon [16] lists possible skid
lengths, v1z.i 0.6 mile for high velocity military aircraft; 0.3 mile' for
Air Carrier aircraft; 0.06 mile for General Aviation aircraft; and an upper
+!stance of one mile for high velocity military aircraft on very &oth
rrain. tfotn,ik and Crund 1251 state that the choice of skid length sdould
11 into the category of conservatism due to "partial/total ignorance".
i t
many analyses, skid area is not factored into estimations of A; this my
C
due to the corresponding decrease of the aircraft's iopact kinetic ewrgy
L
the sku distaaa increases. However, Solomon notes that skid area tends
6
1
dominate the evaluation of total effective area, more so than the c ice
4, and is, therefore, important.
general, the calculation of effective plant area can become rather
plex. The effective aircraft diameter is of the same order of magnqtude t
plant structure dimensions und must be included; this is usually do6 by
ply increasing th dimenrions of the target. Accordingly. A is a ddrect
nction of the aircraft type. Crash related charactarlntics other than $
n be important such a8 crash orientation relative to the plant! and
cident failure modes. The targets at the plant have complex geometries
2

T PATH
Fig. 5. Crash Sites Orthonormal to a Plight Path (161
hadw Area of a Plant Structure [16]

&pecislly in r?lation to one another (shielding possibilities arise and
vary wfth crash orientation), and terrain features (both natural and esn-
made) strongly affect skidding.
4.4.1.2 Mrcraft Impact Olaractertstics
L
From 1973 to'1976, 19 different aircraft mkea and mdels were involved in
88 percent of all and 90 percent of fatal Air Carrier accidents [lo].
Including both piatrl and turbine engines, there were over 118,000 mall
(lighter than 12,500 lbs) and 5,100 large (heavier than 12.500 lbs) aircraft
in 1968 [12]. Chelapati et al. note that the size, weight. and speed of an
aircraft are direct functions of its horsepower and use the 1967 annual FAA
census and other data to construct frequency distributions for muall 'and
large aircraft apeeds and engine weights and thur their effective diameters
and weights. A 'typical speed of 140 percent of stall was assumed within 5
milee .~t an airport, and 75 percent of power,
maximum power wre assumed beyond 5 miles.
140 percent of atall.'and
Niyogi et al. [13] analyzed the characteriatica of small fixedring aircraft
and observed that length, maximum takeoff might, stalling velocity, rand
~xirnum horizontal velocity (for at least single-engine aircraft) all scale
with empty wight, w,. - They developed idealized aircraft parameters as
functions of wo for single-engine (1000 lb
e

accidents froll 1962 to 1966, 26 fires commenced after iapact &inst the
ground (about 60 percent of the accidents) hila 9 aircraft "verefLn fire at
th moment of th impact O. tll ground.- Joerissen and Iuerd t29] report
r
that an engine catches fire in about a third of a11 fatal accidents,
according to rtatirtlcr. Wall (301 reviewed RTSB reports of accidents and
found that about 30 percent of General Aviation and 50 pcrcdnt of Mr
Carrier crashe0 involvd postaccident fire.
4.4.2 Crash Probability C.lculations
The hdiate objective of ulculating an aircraft crash probability at a
given nuclear power plant site 1s to obtain the annual frequency of the
condition -given a crash occurs" corresponding to each or eny combi~ution of
groupings of the aircraft accident ad plant parameters defined kn Section
4.4.2 and selected from site-specific criteria. This can then d. combined
with suitable co~lditionnl probabilitiea (see Sectionm 4.4.1.1 Lb 4.4.1.3)
and deterministic relationships (see Sections 6 and 7) to enhate the
possibilities that varioru modes and magnitudes of crash-ind&ed plant-
related c4nsequences will exist.
However, the crash probability is itself a conditional p&bability,
conditioned by the particular paruoter grouping, that is, accida& sceanrio
characteristics 4, arc Lportantly in the current context, th$.?dfectlve
target features. Since the nature of the tarket in the present 8iPlication
depends itself upon the curumed accident scenario, e.g., light?; or heivy
aircraft, the calculation process can ta rather involved; ~urtherc~otential
nuclear power plant (safety-related) targets are complex and "Fried (see
Section 5). The procedure requires identification and quant
likely accident ..cenarios and evaluation of corresponding targe
the basis of inistic and judgmental methudologies and
the results of various investigati
tive in mind since the necessary det
both scenario and ,plant feature assumptions and sensitivity calculations are
extremely d1ffieultto find and evaluate. Furthermore, crash probabilitiee
wh be mltiplied",bj .ppropriate conditioaal probabilities of a .%dioactive
. , , ;.p*:, .;.
material reluri-,,exceedin$ 10 CFR 100 guidelines to obtain the onrequeace
.,% >; , ,,:.,?fi;
.,,. ".,
.>.!,,.;;>; ,f ' ,,". :.:.
'.:q
$?, x: ;.yi.

involved. Sensitivity to the eecord assumption cur ba eatimatd by using
all potentially relevant plant features (and their shadow, $,kid, md
shielding chmacteri8tics) as dn upper-bound calculation, but total
effrctive plant area .valuations are generally unavailable.
Niyogi st ale [13] discuss this aspect of thc problm in more 1 ,detail ' and
numerically might the effective areaa of
i
their identified susceptible
targats by assumed conditional release probabilities as follows: a value of
1.0 for the containasat, fuel storage building, and control roam; 0.1 for
the prima?y auxiliary building and equipment vault; 0.01 for ;ha dieselgoneritor
buildi&, cooling tower, waste-processing building,@refueling ..
water: storage tank, circulatingratzr pump house, and rervice water pump
house;l&nd 0.0 for the turbine building.
$4
.loerisnen and Zuend 1291 present probabilitiem of crash-induced
.L%
releaoes and refar to detailed studies of syste~/component susce
and reactor responw for both BUR and PUR plants, but do not cit
or prhide detaila. They estimate the conditional probability
damage in a rooo inside a penetrated building M generally gra
7 U
percent. Selvidge [31] considerr damage scenarios for an air
penet&ing a buildiag containing plutonium and computer
(~ockj; Flats Plant) of varioue forms of plutonium escaping
quantities,
rele
4% >
hen scenarios all involve fire of the aircraft fuel as the
Tab1ep7 presents various crash probability and related results
power'pbnts [20] and ir based on calculations by Eiaenhut [6]
SAR a h AEC Ihgulatory staff evaluations. Chelapati et el.
[30] hive the following crash probabilities for a "typic
located ralative to an "average" airport using crash rates and t
averaged over the entire 0.S.r
do not include my conditional probabilit

Uircellaneous
0.01 mf* 0.02 mi2
tn* facility is ,&sip6 to ulthstand th craeh of all these 97000 .&
movements.
WI-carrier statistics were used for theae mvemnts. .+. $
S~or small
F.
aircraft, ara used was 0.005 mi2 &.
..$

44
sequences, but they derive adjustments to the strike
probabi liries based upon calculations of the perforation failure mode ifor
varyiw thicknerres of concrete and tu, aircraft types. Additionally, they
derive the conditional probability of striking any specific iatety-related
equipment within a building to be 0.01.
Niyogi et a1.
3
1131 derive the following crash probabilities from normal
backeround aviation crashes into safety-related structures fm a typical
two-unit nuclear power plant h6ving a total area of, about 0.01
2 ,'
mi : :;
X.,
2
Aircraft Two-Unit
Type Crarh Probability (yr-l)
'I: Mr Ckrrier 2.0 x lo-8
Soall Fixed-Wing (2 Engine) 2.0 lo-'
.',
7~
i
W.~
t .
, .
Sad1 Pixad-Wing (1 Engine) 1.1 x lo-b .j*
, .
h~ 1.3 x lo-b
fie effective plant area does not appear to be conservatively calculated,
and the conditional damage probabilities discussed above have ban applied
to obtain these results. Further, the background aviation used does not
explicitly take into account airport and airway effects.
, k
t
~ol& [16] deriver effective plant areas* for the Palo Verde Nuclear
2
Cenerating Station of 0.017 mi2 for General Aviation aircraft. 0.1 mi for
an P-104 Starfighter Jet, and 0.067 mi2 for a DC-10 using shad- and skid
areas for the contaiaunt, fuel, and radwaste buildings. Thssq areas are
significantly larger than those used in most such studies. Tlk PVNCS is
near &me military aviation and approximately 5 dles from an air corridor
havlng about 100,000 flights per year. The crash probability for the air
corridor hazard (s:rongly dependent upon separation distance) ir derived to
ba abdut 6 x 10" per year and represents the largest aircraft hazard at
this site. Solomon [17,18J alro has developed a generalized met6dology for
calcul.tiqg the crash-probability at an arbitrarly located site,; but, since
his &ple results are hypothetical in nature, they will not bb presented
';$
here. i~ . ~
'.>
...
;$
C-ott&b 1191 treated a specific site near several air corridois, a large
airPo& 50 ay, r large number of small airports, and at least .ix
g 6
;?{
a
8

4 5
large ones within 75 oiler. His analysis clearly illu~trates the importance
of deriving crash probabiliticr on the basin of the parameter groupings
discussed previously. The crash probabilitier for single-engine and twinengine
General Aviation aircraft are given ar 3.9 x
year, respectively.
and 1.0 x per
Excdlent inforution sourcer exist and are readily available for
establishing aircraft-related data bases and statistics. A11 sircraft
accidents are investi~ated and reports filed contsining as much drtail as
possiblc under the circ~*mstsnces. Th. abrence of or difficulties involved
in generating certain typea of accident parameters can usually be
compensated for by analyticel procedures, conservative aasumptlons, or
probability distribution functions. lhjor aircraft crashes at any given
site represent very low probability eventr. Aircraft crauh rates that scale
with the number of operations and based upon the data bases can be estimated
with a reasonably high degree of confidence. However, except primarily for
a cursory treatsent in the Canadian reports [14,15,27], other scaling
effects have not been adequately studied. Niyogi et al. [I31 found.
however, that the airport-related accident rate for emall fixedring
aircraft variee from ahout one-third to alnort five timea the average rate
in going from large PM airports to very mall airports (see Table 3). The
possibility of regional ad air corrldor variations in the crarh rates for
a11 typer of aviation, beth mnrouted and in airways,
adequately inveetigatad in regard to the present applicatio
enough attention is given in general to the particular
scenarios posed by small but relatively heavy and fast (e.g
three primary effects of airports, airways, and o
4
r: (1) to concentrate the bevel of air traffic. (2) to tncrease the
crash ratee a8 distance to these zones decreases, and (3) to #ncreaae the
number of different types of aviation actlvitier (for example, takeoffs,
landingr, and the concentration of large commercial aircraft; others include
milit+ry applicatioas, stc.). It is reasonable to conclude that the
combiaed effacfr of there controlled regions represent a dgnificantly
*i
increased hazard to nuclear power plantr than the true or even averaged
background aircraf c tusard .
d
.#
for hull ( Aviation) aircraft it would appear from the available
analyjes that the airport effect mergea into background crash rater at about
8 having say 10,000 operations per year and probably at
. .

46
only a slightly larger distance, say 6 miles, for any nize airport; a
significantly incteased rate would only begin to appear very close in, say
uithin 2 to 3 miles. For large (Air Carrier) aircraft a nominal background
crash rate on the order of major crashes per flight per square mile can
be assumed along tho affected strip of ground under a single air corridor
(assume a crash rate of 3 x per aircraft-~ile and a mean crash-width
dimension of 3 miles). For heavily traveled corridors, more than 100,000
flights per year, the heavy aircraft crash rate in the immediate vicinity of
air corridors will vary fraa about the same to significant , greater than
the background light aircraft rote.
The heavy aircraft crash rate per square mile 5 miles from an airport is not
significantly lnrger than that near an air corridor per operation. If it la
assumed that one-third of all M r Carrier crashes occur vithin 5 d les of an
airport and one-half of all craahes ere "airport related," then the airport
effect on crash rate will extend for some, poaoibly considerable, distance
beyond 5 miles. This dirtance-airport effect relationship cannot be
examined further at present using only the analyses and data evaluated hare.
Crash probability calculations for the specific sites previously studied
involved considerable data gathering and modeling of site features and
accident parametera. Results are strongly dependent upon the= factors and
invariably reflect derived and in most cases assumed conditional probability
estimations of certain event occurrences. In general, the air&sft accident
hazard cannot be eliminated solely on the basis of the crash probability
being less than to lo-' per year without taking into account the
inherent hardnesr and identity of eafety-related features of the plant.
Even doing so often leads to results that are near to or marginally vithin
10 CPR 100 guidelines; however, considerable conservatism is apparently
included in the radioactive release conditional probabilities typically
used.
The aircraft hazards studies that have been made are important to more
general considerations of reactor safety, siting, and risk estimation.
These procedures are essentially risk-based concepts [32,33,34) in that both
probabilities of occurrence and consequences as the result of occurrence,
i.e., all aspecte of possible event, are considered. Finally it should be
noted that there ate m explicit requirements on the frequency of occurrence
of aircraft crasher per se on nuclear power plants provided that the risk i,
acceptably small. llw low risk value La, of course, tantamount to a lov
crash probability in cases uhere the conditional probability of having a
radioactive release given a crash is taken as unity, e.g., for large
commercial aircraft. At the other extreme of zero conditional probability,

4 7
giw aircraft crashing into the containment rtructure,
no much relation~hip exirt~.
,* ,..
!

. . , ,>
,.:, 5. SAFER-RELATED SYSTEMS .y $. .
. .
* '.~
?d
Safety-related rysterr my be rubdivided in (1) criticality control systems,
(2) heat removal ryrtemr. (3) support systems, (4) containment system(s),
CI
and (5) mitigation ryrtemr. In ths following we shall address primarily the
first three typar of ryrtems.
5.1 PUR Safety-Related Syrtems
5.1.1 PUR Criticality Control Systems
For RIB. the criticality control ryrtems conrist of: (1) control rods and
driver, and (2) rsfety injection system (SIS). Rapid shutdown by dropping
the control rodr doer not require the availability of electric power.
However, it rhould be recognized that in PWRs the control rods do not
constitute a complete shutdown system, in that the reactivity worth of the
rods iu only sufficient to bring the plant from full power to,hot stand-by
conditionr. To brin8 the plant to cold shutdown require8 inje&on of boron
by meana of the aafety injection system, which doea require electric power
if the primary syrtem remairrs pressurized. Note thet both these criticality
P
control ayateur are quite well protected against direct impact in case of an
aircraft crash.
5.1.2 PUR Beat Barnoval Systems
These syrtema MY be rubdivided into two groups:
(1) PUR Xeat Removal Symtemm for Norm81 Operation
primary heat transport systes (PUTS), including:
prerrure vessel, primary coolant piplng and pumps,
atem generators. and pressurizer,
0 lain feedwater uystm and stem liner,
0 condenser and condehaer cooling system,
0 reridusl heat removal syrtem (RHRS),
water intakes and ultimate heat sink(s) (UHS).
Of these ryetar, the condenser and condenser cooling water ryrtem, partr of *
the feedwater ryrtem and the ateam lines, ar well ar the water intakes and
ultiute heat aink(r) are not protected inside hardened atructures; they are
thus vulnerable to direct impact. braover, though the rrridual heat
removal rystaa itralf is fully contained in the hardened containment and
auxiliary buildlnpa, ita intermediate hcat removal circuit and ultimate hcat
rink ere not protected in that way.

0 emergency core cooling system (ECCS), with its
injection and recirculation mode,
0 auxiliary feedwater systea,
stem dump systea,
0 containment cooling ay#teo (PAW).
0 systems for the feed-and-bleed cooling mode,
0 residual heat removal system (RHRS),
0 water intakes and ultimate heat sink(e) (UHS).
Most of the above systems are contained inside hardened structures, except
for vater intakes, ultimate heat sinks, and sow of the support system.
5.1.3 FHR Support Systems
The support systems play an extremely important role, in that kuny safety-
related system would fail without theZr correct performance. . Among these
support oystems should be named
0 component cooling water systeu (CCUS),
0 rervice water system (SWS)
electric power system (PPS), including (a) opsite paver,
(b) offsite power. (c) emergency diesel generators, and (d)
batteries.
4%
Though the CCUS and SUS are well protected in hardened structures, some of
their subsystems are not (e.g., water intakes and conduits frga the water
intakes). Furthermore, the offsitc power is quite vulnerable to direct
impact in case of an aircraft crash.
i
5.2 BUR Safety-%latad Systems
-
5.2.1 BUR Criticality Control Systems
-
In the BUR8 the reactivity worth of the cootrol rod. is sufficiently large
to shut the reactor dom from full power to cold conditions. Th. rods have
to move against gravity; however, each rod is provided vith an indopendent
energy source (conprarsed nitrogen), and is not dependent on outoide
electrical power for rapid reactor shutdown. Furthermore, the entire
reactor shutdom ryrtam is well protected agalnet direct i,rpact in case of
an aircraft crash, being fully inride the containment otructure.

t removal systems my ba rubdivided into
eridual heat removal system (RHRS).
water intakes and ultimate heat slnk(s).
Ae for PWRr, the condenaer and condenaer cooling rystcn, parts of the
feedwater system and stem 1
linen, the condenser and condense cooling
system, ac well a the water intake8 and ultimate haat ei k(s) are
vulnerable to direct fmpact in case of an aircraft crash. ~otp that for
BWRs the PHTS includes tha rtem lines, the condenser, and the pain
feedwater rystem.
(2) BWR b at Removal Systems for Off-Normal Bnditlons
high preasura core rpray system (HPCS),
0 lw pressure core spray syatem (LPCS),
0 low pressure coolant injection (LPCI).
rasidual heat rwmoval rysta (RHRS).
%
As for the Ma, mrt of the above aystems are contained inaide hardened
structures, except for the vater intaker for the service water
the ultimate heat sinks.
5.2.3 BUB Support Systems
The BUR rupport aystems are similar in nature to those in a
fety-Related Systems
The results of m aircraft crarh on a nuclear power plant are nut
the affect. of thr impact of heavy parts (such as a jet engin
engineering structure#. )luoerous syetemr are required in ords
reactor rhutdovn ad adequatr long-tam cooling of the core.
of these safety-related systamr ara wll protected wit
rtructures (eontafnment syrtem, auxiliary buflding), som

zero: Paat .xh?ience h a ahown that electrical failures
Onofre, Rancho Sco, eystal Rtver).
the availability of a turbine-driven auxiliary feedwater pump.
, .
different from a direct impact on a hardened structure, mu1
on syateru affecting long-tern heat removal capability such
hall (severing the atem lines) and the water intakes. It
foremost in sid tha due to an
present rtudy.
depreraurization',of tha plant's secondary cooling system,
cooldovn of t ary aystcm, thus resulting in recritical

5 2
rated water), and since the safety injection system
unctioning due to 1068 of electric power, thars muPd be
. Purthermore, since the loss of electrical
pomt 'and tha:Ld"age ;to the recondary rystem would preclude any cooling
other than short-term ' boil-off of the primary coolant inventoiy, the core
would moat probably be. headed for eeriour dmge if not t
Core meltdown without the availability of electric power,
result in containment orerprersurization and release o
materials to t roment far in excess of 10 CPR 100 guide
Note that th equence of events does not depend in
breach of a hardened structure due to the impact of a heavy
aircraft at some optimum (i.e., =st-damaging) angle, which
to have had the greateat attention in the evaluation of
reactor safety with respect to aircraft crashes. Note further that this
accident scenario requires the occurrence of multiple failures, many of
which are strongly plant-dependent. As an example, the location (inaide or
outside hardened structures) of the auxiliary transformer (used ,for reducing
the voltage of the offrite power lines) and the aerociated brea,kors. strongly
affects the 'probability of losing all electrical power. . A detailed
probabilistic : evaluation of this accident scenario is beyond .. the . scope of
this study;. ekh a study is, however, recommended if the
. .
a a probability of occurrence larger than re
. .
Long-term cooling capability is m important requirement for p
damage or meltdown. An aircraft crash could compromise long
capability in nunerour ways. Systems, or parts of systems, mo
to aircraft ;:.impact 'are thoae not (or not fully) encloaed
structures. -hng,there should be named: The main feedwat
condenser co&ing.water ayrtm, the steam lines, the ulti
(cooling tower,'vater,
, . , , ,,~.. intakea, etc .) is ...,
.,,,,, $+:>,s4,.,' ;.
. , ..,. , ",>.
.'I.'
..;>ji[,&+;: ,/ , , .
:I$;
(1) ~u~ture'~'of~;'either
. .. the stem lines or the main feedwater lime (aircraft
crash on the %biw building) couldcompromiw the normal mean$~;'~or cooling
down the core~~~~d'depreasurizing the PHTS to the point here t$,WR ,, system
can be employkd.. If the feedwater line rupture can be isolatedj.! the use of
the auxiliaryfecdwater rystem muld provide an adequate mcan(J,;of cooling
tha core a+;deprersurizing the PHTS to the level of the BRsls. If the
suxi liary feedker system is nor functional, the feed-and-bleed . .
mode would c the only long-term method of cooling the
cooling

5 3
lw it to deprearurirs the PHtS to the level of the
e, resulting in rupture of the pain feedvater lines
of electrical power, would require the correct
driven auxiliary feedwater ptmp.
affecting the ultimate heat rink (cooling tower,
uohld leave core cooling dependent on th. feed-and-
a sufficient water aupply and electrical power
5.3.3 Accident Sequencer Involving BUR Safety-Related Systems
control ayatems are well-protected agatnat direct
plant, and aince their performance is i&pendent of
electrical power, it seems that theae aystems can be
witted aa contributor# to accident caurer in can of an aircraft crash.
The availab the large suppression pxl (heat sink) inaide the
hardened contni etructure makes BWUs in general leas susceptible than
PWBs to loas of &ling capability. However, aince the PHTS includes the
steam liner.'ind' feedwater lines, a direct impact in the era of the
containment penetration of the ateam Line(s) and feedwater line(#) could
conceivably cauw blowdown of PHTS into the environment, if both steam line
isolation valves in the steam lines, or the check valvea in the feedwater
line, were to k damaged simultaneously.

54
,'
. , ..
:/ *,:
., .
6. STRUCWIIAL RESPONSE
To underatand'the phenomena of nuclear power plant structural response
subjected to aircraft impact. it is necessary to discuss first the impact
lodin8 function. Without proper definition of impact load. the structural
raoponse cclculstion u y led to erroneow conclusions. In dealing with
structural rorponse, one h a to examine the material description and its
modeling technique. In Section 6.2 some typical constitutive equations for
concrete and structural steel will be given together vith the effects of
material nonlinearitias on +.he atructural response. The local response of
the structure vill than be presented in tern* of its failure mechanism and
corresponding tailure-mode analysis. The structural system may fail through
either its local or global renponar. Tna nuclear power plant equipment
response CN 'be correlated to the floor response spectra which depends upor.
the structu~el system response to the impact. The aeverity of equipment
response is then compared to a rodest earthquake-induced vibrational
effect. Since a variety of approaches is used in the publishad analysas, a
comparison of modeling techniques is also made.
raft u;'~ a relatively rigid or hard structure vill
generally rarult in the grdh collapse or cruahing of the aircraft
\
structure. Some components of e aircreft, such as outboard mounted
\
engines, which are relatively solid ~v,bstructures, can impose severe local
impact loads upon the structure and msyN?ead to local puncture of the plant
structure. Still other aircraft components, such as the fuel, can be
expected to behave in yet another response wde. Since the plant structures
are generally hard etructures, their grosa motion8 in tire vicinity of the
impact will he mall compared to thore of the aircraft structure. Thus, the
response of the aircraft can ba uncoupled from that of the plant structure.
and the inpact load can be evaluated under the condition that the aircraft
impacts a rigid surface.
It is reaaonablo to expect that the motion of all the mass of the impacting
aircraft, at least for impact normal to the structure. will be completely
arreeted (without any significant rebound) by the impact event such that the
momentum transferred to the plant structure is vall defined and is equal to
the product of the mssr of the aircraft and its speed at the onset of the
iapact procers. Since the aircraft is, in its simplest gaosatrlc forn, a
line murce (along its flight path), the impact process will take place over
a shorc period of time which, to a first approxioation, can be calculated aJ
the gmtiant of'the length of the aircraft and the aircraft speed. Thus,

mgklw imposed upon the plant structure is known and the
uration can bs estimated. An adequate treatment of the
d power plant structura to nn aircraft impact will
.arb detinitive dracriptlon of the impact load.
details of the force acti~rg over a nominal impact
addition, for certain aircraft configurations, a
eourca representation may be appropriate. This wuld
aircraft uhich ha8 relatively massive outboard engines.
t hu been expended over the paat decade in orhr to
resulting from the impact of an aircraft on a hard
structure.. .,Th.'recent Cnnadian report I271 presents a cumprehensive summary
and evaluation of this aspect of the aircraft crash problem. Tvo models for
the soft missile (aircraft fraor and dlstribnted .ass reprasentation a8
differentiated from tha relatively solid ea.line auh-structure, the w-called
rigid iasila impact treatment warrant discuaaion. Both wdels are
relatively simplistic nnd treat the aircraft as a line source of distributed
maas and cruahing strength. The tim dependent reaction force is
represented a0 the sum of two terms; the Pirat represents the force acting
upon the , (still) uncrushed portion of the aircraft, and the second
reprerent. th. influence of the cruahed portion of the aircraft adjacent to
the rigld impact aurface. The firat model of interest was developed in 1968
by Uiera 1351. In this wdel the uncrushed portion of the aircraft is
decelerated b 4 result of the imposed crushlng load, and the second term
ccntrlbuting to the reaction force repreaents the mnnentua flux entering the
crushed region. . Ths reaction ir given as a function of the distance from
of the aircraft. This distance is converted to time by assuoing
the M S ~
that the crushed region is very small; hovever, this assumption slw leads
to a velocity diacontinuity at the wall (rigid boundary) or at the crushing
front. Thia apparent nonphysical feature is the primary veatnesa of the
Biera mdal [27]. In 1975, Rice et a1. [36] developed a someuhat different
model whichalimiruted the velocity discontinuity and represented the tvo
terns thct': contribute to the reaction force directly as a function of
time. ~hdse tw aodals allw tne distributed character of the aircraft
(1.e.. its MSS and crushing atrcngth) to be incluGcd into the load
definition., The uss distribution ia generally well known; however, the
axial crushing strength of the aircraft is not ell knona.
.:, ..,'
. ,,.
The Rice &dkl & usod [37,38] to analyze the aircraft craah problem for
, . ;.-. ;i.
the &abrookc~'#lclb.r Station. The specific application dealt with the
.

---
POSITION OR LENGTH. Ft
TIME, s
-- -
Pig. Time Relationship for PB-111 with Impact Velocities
PC denotes the scale cruching load used in the
Pc/5 and PC x 5 denote that one-fifth and
he crushing load were used, respectively 1371

the calculatioru were repeated with crushing strength variations differing
by a factor of five (both larger and a l r . The reaults of there
calculation# are a h presented in Pig. 8 and show that, for this cane at
leaat, the cruahing strength is ~t an influential parameter in the impact
load specification. The aircraft weight is 107,440 lba and itr length la
73.8 ft; thur, tho total ispulse in 9.79 x 10' lb-aec with an approximate
load duration of 0.252 see. The corresponding uniform reaction force pulse
la 8180 presented in Pig. 8. It is clear that the total impulse of the load
history caputed by the Rice model is significantly smaller (by
approximately 40 percent) than the correct impulse; hovevcr, the duraclons
are generally in the correct range.
The Canadian report wined Riera's wdel and compared its load prediction
with the prediction# from a nuaber of more sophisticated models
[39,40,413., 'Theme comparisons are presented in Pig. 9 ond show that the
various models yield similar results. They also note that sensitivity
analyses for typical comnercial aircraft indicate that the momentum tens (of
Riera's model) contrlbutea approximately 80 percent of the impact force.
Thus, the crushing strength details should not be an influentisl parameter
in these carer. The Canadian report concludes that Riera's model yields
results which are "pessimistic in nature" due to its treatment of the
behavior of the cruahcd portion of the aircraft. It used Rice's model to
evaluate the above reference ueakneas of Riera'a wdel and notes that peak
loads predicted by the Rice model are approximately 40 percent lower than
those predicted by Biera'r wdel. They further conclude that "even if 'the
RIERA approach may be in error by at least 40% it represents a reasonable
formulation for the upper bound."
The current evaluation examined the Mere model for a simple soft mlselle
which consiated of a uniform mass and crushing strength distribution. The
resulta demonstrated that the total impulse uas conserved and that for the
limiting case of zero crushing atrength the load is 8 simple constant
reaction force whose duration is equal to the approximate (i.e., idealized)
value defined in the initial portion of this section. A slmllar limiting
treatment of Rice's mdel yielded a uniform pulse shape; however, the
amplitude war only one-half of the proper value and thus, 50 percent of the
total impulse war loat. The current evaluation also examined a continuum
model for a rimple uniform rigid-perfectly plastic material. In such a
model 8 plastic vave exista across which the particle velocit/ changes
discontinuously. Thia detaL1, although not explicitly defined in Riera's
model, can k used to infer the correctness of the model. This continuum
model indicated that the compression ratio which occurs across the plastic
front la the only pararetar involved (it is relatsb1.e to the cruahing

-.- TOTAL FORCE
-.- IDEALIZED FORCE
0 12.5 25.0 37.5 50.0 62.5 75.0 87.5 tWX)
TIME, s
Fig. 9 Force-time Diagrama for Phantom at 215 m/sec 138)

strength). The reaction load for this idealized case is uniform in
magnitude, and its duration is shortened as the comprerrion ratio is
reduced. Since the total impulse is conserved, the amplitude oust
increase. For typical values of the compression ratio. the influence of the
crushing strength ir relatively small. It is clear that Rice's model is not
correct and that Riera's model is adequate.
6 proportional to the speed of the aircraft at the onset
t ir important to specify the value of this parameter
The Canadian report presents an excellent
statistical treatment of this aspect of the aircraft crash problem.
Finally, the appropriate representation of the aircraft as a single line
source or as a series of additional passes to model any significant outboard
features of the aircraft is important. Again, the Canadian report presents
a comprehenriva summary of the methodologies needed to treat the hard
missile problem. The level of sophistication used to define the impact load
should be conaimtent vith the level of sophistication being applied to the
response of the plant rtructure.
6.2 Constitutive Relationship of Structural Materials
6.2.1 thterial Models
The reaponre of containment structures subjected to aircraft impact depends
on the material properties of the structures. The material models for
reinforced concrete in general include a fracturing, spalling, and yielding
of concrete and steel components. There are three types of concrete
failure: (i) failure by tension, (if) failure due to shear deformation, and
(iii) failure due to compressional crushing. Concrete can be considered as
an isotropic raterial in a three-dimensional state of strain. In tension
and for moderate compression, a linear elastic constitutive law can be
applied. In the domain of higher compressiva stress, a nonlinear stress-
strain relationship should be used. The failure criterion can be expressed
as a function of etress invariants, specified in the spatial coordinates of
the three principal stresses. The same fnilure criterion governs the
failure in ten (cracking) and compression (crushing).
The nonline for of concrete is described by a variable shear modulus
~r as a function of the second stress invariant I*, such as shown in Fig.
10(a) taken' from [42]. The failure surface, shown in Pig. 10(b) is a
general cone centered along the average axis of ',he principal stresses. Any
state of .tress which is on or outside the surface represents a failure.
The loadingvnloading behavior of concrete '.s shown in Fig. lO(c). For

61
for axample, by the von Misea criterion:
ere Xk), the uniaxial tensile yield stress, ia a
k. Figure 10(d) shows a typical curve for
kinematic hardee&:';hailure in steel bars occurs when the u2tii.ate tensile
6.2.2
Z!.rrmermann investigated the effects of material nonlinearities
cir response a resulting from the impact of a Boeing 107-320 on the
secondary eontsiment of a BWR reactor such an shown in Fig. 11. hey used
: finite-element madel which consi6ered concrete cracking and crushing as
vell as steel yialding for the analysis. The resulting displncrment time
histories ara sham in Pig. 12. Comparison of the nonlinear and linear
displacement time histories shows a significant ir.creaee in the vertical
displacement (28%) in the vicinit; of impact zone, which fadqs out rspidly
away from tha impact point as expected, since the response far away from the
i~pact aru is primarily elmtic behavior. Therefore, if the impact loading
is sufficient to produce any permanent deformation, a more complicated
constitutive equation must be used in order to obtain the real structural
response. Since thare is no consensus theory which can predict&llnaterial
behavior of concrete, much sa tensjon. compression, cruahing. microcracking,
creeping, etc., tha choice should depend on the most important.
6.3 -- Local Structur~l Response
6.3.1 Loc.1 Yailurn Mechanisms
The lopact of uur aircraft upon a concrete containment of a nuclear povcr
plant generally u y rasult in th+ damage to concrete walls. The damage may
be locd at .my produce an ovarall dynamic response of the target wall.
Kennedy [43] ..grrsentad a detail raviw of procedures for the analy*is and
deaign of concrete rtrwturer to vlthstand missile impact eff acts. Missile
vslocitiar genaratrd by aircraft crashes nay be between 100 and 1500
ga doe to aircraft impact consiats of spallina of
ont (impa.".ted) surface and rcabbiq of concrete from the
rear surface ~targ'tt togather vith mlssile =netration into the target
as rhom in I If the damage is rufficient, the missile may perforate
As the veloclty of tha Lpacting missilc increases, pieces of concrete are
apalled off from 'the impscted surface of the targat. This spalling craater
a spa11 crrtor that can extend over an area ?ubstantially greater than the

Fig. 12 Displacements-Time-~Iiutories 1421
i

A) MlSSLE PENETRATION
AND SPALLING
B) TARGET SCABBING
RESPONSE
Fig. 13 Miesile Impact Phewmena [43]

cross-sectional area of the striking missile. As the velocity increases,
the aissile will penetrate the target to depths beyond tho depth of the
spall crater, forming a cylindrical hole with diameter slightly greaecr than
the missile diameter. Aa the penetration continues, the missile will stick
to the concrete target; thls is called plastic impact. Further increases in
velocity produce cracking of the concrete on the rear surface followed by
scabbing of concrete fron thls rear surface. The zone of scabbing will
generally be much wider, but not a& deep as the front surface spall crater.
Once scabbfng begins, t\e depth of penetration will increase rapidly. For
barrier thickness to missile diameter ratios less than five, the pieces of
scabbed concrete can be large and have substantial velacities. Aa the
missile velocity increases further. perforation of the target ~$1 occur as
the penetration hole extends through to the scabbing crater
velccities will cause the missile to exit from the rear
taryet. Upon pls#tic impact, portions of the kinetic en
impacting missile are converted to strain energy associated wit
of the missile and energy losses associated kith target pene
remaining energy is absorbed by the impact target. Thfs a
results in an overall target response that includes flexural
the target barrier and the subsequent deformation of
structures. A reviaw of commonly used empirical procedures
local missile impact effects such as penetration dept
thickness, and scabbing thickness for concrete targets subject(#, to hardmisnile
impact can be found in 1431. Noce that these empiric+ formulas
were developed by the Amy Corps of Engineers, the National ~efeqk Research
Committee, and others many years ago barled on experimental d)#ervation.
Today, with the advent of the finite-element method and sftee intensive
research in fracture mechanics. it is possible to predict these phenomena
analytically. The above discussion deals with concrete atructuree only. If
the aircraft impact on a steel structure, then only penetration,
perforation, and overall response will occur. The numerical approach to
various target geometries of this type can be found in (441.
6.3.2 Failure-node Analysis Using Plastic Shells of Revolution Theory
Degen, Purrer, and Jemielewski [45] have investigated the effect
commercial airplane cra~hing perpendicularly on the surface of
reactor building dome. They obtained the carrying capacity of t
under en rrquivalent rtatic load using the yield-line theory
plates, and calculated the sections: forces ualng linear-e
theory. They ',hen calculate the failure load and dtstrlbution
forces using the plastfc shell theory. The analysis was petfo

computer code STARS-2P developed by Pvalbonas and Levine [46]. This code
performs plastic analysis of shells of revolution. Plastic effects are
approximated using the initial strain appproach, and different modes of
hardening may be taken into account. From the results, they obtained the
failure zone mechanism at the apex of a spherical ishell~ubjected to
aircraft inpact over a finite loading area. The results are'shown in Fig.
14.
Degen et al. [45] also presented failure mode analysis by the finite-element
progrsm TRID1 1471 which utilizes three-dimensional elements for concrete
and one-dimensional elements far reinforcing steel. This program considered
nonlinear stress-strain relationships for concrete under multiaxial stresa,
cracking and crushing under a triaxial stress state, .and elastic-plastic
behavior for reinforcing steel. The calculation of collapse lond using
yield-line theory for plates, STARS-2P for shell of revolution, and threedimensional
TRIDI are in the pressure range of p - 11 to 25, 30 to 35, and
25 to 30 kg/cm
2 , respectively as reported by Degen et al.
Since the calculated collapsed load wns assumed to be distributed over a
certain contact area, the impacting total load correspdnding'to a range of
30-35 kg/cm2 results in 28,000-33,000 tons, using the peak load-velocity
I
relationship; the crushing velocity of a large commercial airplane which the
structure under consideration could still qustain may be between 480 and 530
kmlhr. If the impact velocity further increases, part of the energy (not
absorbed by the structure) will be retained in the falling object. Figure
15 nhows the maximum remaining loads an a function of crash velocity.
Within the velocity range of 480 to 750 kmlhr, only part of the peak load
may act on the structure, but over 750 km/hr the total peak load me. be
used. Carlton and Bedi [48] and Cupta and Seaman [49] also studied the
local response of reinforced concrete to missile impacts using a different
computer code. The analysis appears to be adequate for the description of
failure mode mechanisms.
6.4 Structural Systm and Equipment Response
There are many rtudies 150-581 concerning the comparison ol the dynamic
rerponse of a typical nuclear pover plant subjected to a modest earthquake
and to the impact of aircraft crashes. Ahmed at al. [50-511 used a finite-
element beam model and modal superposition techniques to obtain the time
history response and the corresponding floor response spectra of the
structure/component. The effect of soil-structure interaction is considered
in that rtudy. Figure 16 shows the structural idealization of the nuclear
power plant in the finite-element model. Figure 17 show the comparison of

LOADING AREA
REINPORCEYE
STILL E'LASTIC'
BEHAVIOUR OF STEEL
TOGETHER BY c
REINFORCEMENT MATS
5,
i
Fig. 14 ~ailure Zone at the Apex [45]! . ;
INT ERlOR STRUCTURE
300 400 500 600 700 100 900
IMPACT VELOCITY Lhn /h 'J
Pig. 15 Maximum Remaining Impact Load as a Function
of impact Velocity 114)
L

FOUNDATION
RAFT
MY CONTAINMENT
DING
2 2
Fig. 16 Structural Idealization of the ~uclr
Power Plant 1511

4 6 lo-' 2 4 6 10
t?
2j3
PERIOD t s)
i
Pis* t$ Floor Response Spectra at the Top df th
1 Foundation Raft, Node 3. (a) 1% Danpin
(b) 5% Damping 151 ]

70
damping.
tra at the top of the foundatlon rafthor
These spectra show clearly that the effect of impac; by a Multi-
Role Combat Aircraft (HRIRCA) at 215 m1s is considerably lesa gevere than a
modest Safe Shutdown Earthquake (SSE) as represented by

Fig. 18 Comparinon of Response spectra due to
External Dynamic Loads. PWR Reactor
Building/Poundation Plate, Radial 1561
FREQUENCY In11
Comparison of Response Spectra due to
External Dynamic I.oads, PWR Reactor
BuildingIFoundation Plate,Vertical 1561

--- meom modal
Response Spectra, ~om~ar'ison 1561
------____
FRLOUENCY (Hz)
--- Beam model
Fig. 21 Response Spectra, Comparison [56]
+
6

I
Fig. 22 Response Spectra. Comparison. X1 1561 '
Fig. 23 Response Spectra. Conparison. X3 1561

6.6 - Evaluation Summarl:
The atructu ponse of s substantinl nuclesr power plant structure to
the impact of aircraft has been dir~cussed bn the previous subnectlona
with reapect to (1) the establishment of the impulsive load that the
aircraft imposes upon the structure- under a normal flight impact
condition, (ii) the wailable atructur a1 re-ponre models or llcthodologiee
for examining the local i.. punc ,,re) and the gross response of the
structure, (iii) tha current state-of-tht!-art of the constitutive models for
concrete/reinforced steel. systems experisncing plastic deformation, and (iv)
the vibrational respoirsa of the structure and its attendant equipment.
These deterministic aspects of the response need to be aueented by a series
of stochastic variabl~mr relating to the aircraft typo a weight),
aircraft speed, flight impact direction, aircraft orientation (pitch and
yaw), and impact location on any given ntructure or structural system. 'Ihe
level of daterainistic analyses currently available and being applied to
this problem appears to ba adequate in most cases, except perhaps for those
dealing with the systlm vibratior. Tt~ese analyses are alro adequate to
establish the level of the hazard imporrd upon the plant or the degree of
enginseritlg safety syaterm required to mltigate this hazard to an acceptable
level. Ibwevur, it 111 clear that thetle methodologies should include the
thc problem to better define the hazard.

the gener.~?vicinity of the crash site. A significant fraction of the
naximm air&ft'--t.keoff weight is fuel; thua, quantities of the order of
50,000 lb 'oft fuel "cm be expectad to be releared by large miiitary alrcraft
such as an F&111 fighter. Even larger quantitiea of fuel are uaed in large
comaercial aircraft. 'Ihe fuels ore, typically. JP-1, JP-4; or kcroeen*.
There fuelr are not highly volatile, but they burn readily and when properly
mixed with air can explode.
Crarh eventr uhich conairt of relatively long ground traverses frequently
sever or puncture fuel tanka (i.e.. wing ~tructurea), and the leaking fuel
ia sprayed and apilled out over rather long distances forming vapor clouds
and liquid poolr. Craah events which conaiat of the abrupt arresting of the
entire aircraft, and, therefore, providing earentially total structural
collapse of .tha hircratt in a few tenths of l aecond, releare their fuel
very rapidly, rpilling the fuel on the impact point (structure) and the
imediate area.. hain a portion of the fuel will tend to mix with the
rurrounditqj air !forming a potentially explosive cloud. A ~jbr portion of
the fuel will foxm poola or wet dom the adjacent surfaces.
. ,
The craah avant, being rather catoatrophic, rlll be associated with the
release of. aignificant amouata of energy, heat, and aperka auch that
ignition aourcsr Wil generally be preaent; it la therefore mat likely that
a fuel fire will occur. There firer will be local eventa end last for
periods of time of the order of man7 minutea, perhaps a few tena of
minuter. They will generate l aignificmt amount of heat (thermal radiation
and hot gar&) -.nd embuntion productr (amok. and toxic fuwa). The hot
argely gasea, 1 be traaaported upward due to
will rove downwind. Ihua, them 6iaea have the
nearby intaka venta of th surrounding fdcilitiea.
f
above potential combination and Lsxic hzarda, uhich
4
in may instancar, at leaat for adeqqtely deaigned
tant to examine the craah event and th; local impact
i
tuationa which u y caure m unacceptablei hazard. For
i
are of an iapact on a double mvelopdd containment
poraible to deporit a aignificant adequib quantity of
envelopes. The aubrequent vaporization ind ignition of
mixtuie could lead to a rather violent explosion
ae upon the priury containment relatively revere

impact procese,but ruy be just as severe. Purthermore, these loads will
occur short1y:a'ftecj'thc impact load, and, therefore, the response of the
structure to 'the :c'&bi&d load event should be examined.
i
f data and analysis methodologies exists relating
to fires result! om the crashes of aircraft. This data base resides
rrimarily in 'th domain and is aupported by a yet larger data base
dealing with fire fire effects in general. 'he quantification of fires
xpecially pool fires, has been developed~, to a stage
ristics (i.e.. flame height, duration, radiative
own. While it ia still difficult to predict with
precision the e of various aircraft fuel-spill fires. the Influence of
many major. parametbts auch as fuel properties and vind .!effects is
understood. The anjot difficulties generally lie in the complex nature of
the fuel distribution, the influence of random effects, and tila somevhat
extreme geometric h my be encountered in any realistic aircraft crash
at a plant si luster of buildings).
The explosion sulting from the crash of an aircraft is difficult to
define for several reasons. One is that the bcsic phenomenon is very
complex, and aany or varied degrees of energy release or combustion can
occur. The other is that the dissemination of the fuel and its partial
mixing with the surrounding air to form an explosive cloud are virtually
impossible to predict with any acceptable degree of accuracy. TIH approach
used by Eichler end lhpandensky 1591 and others in dealing vith a broad
class or accidental vapor cloud explosions was to define, frm accident and
experimental date, reasonably conservative TNT equivelence factors for these
events. Because of the very dynamic fuel dispersion and the low vapor
pressure of aviation fuels, the applicability of the TNT equivalency
approaches to the explosion hazards frcu catastrophic aircraft crashec musc
be carefully evaluated. This is particular1.y true for the effects close-in
to the explosion. Rapadensky and Takata [60]. while exeminir& train
accidents involving the release of combustible materials for a 10-year
period in vhich a fire andlor an explosion occurred, observed that
approximately 36 percent of the evento involved both fire end explosion,
whih approxtmntely 56 percent of the *vents involved only fire. The
remaining 8 percent of the events involved only an explosion.
It is clear od spectru or mix of fire and explosion event* can
occur, and aunt of fuel involved in any explooion event my be
quite small, t .nee of such events must be considered. If only one
percent of y 500 lb for the PB-111 fighter piene, ia!.involved in
!

77
such an even nvironaent will be equlvalenc to the detonation of
approxiautely 1000 lb of M. The local blast characteristica of s vapor
cloud are substantially different from those of a M explonion; however, at
longer ranges 'thi"'equivalency concept is appropriate. For the above
explosion the "aa preaaure of 1 psi will exist at a range OF
n a complete and perhapa correct picture of the
ptance proceaa as it appliea to any given offsite
hazard featu he detaila are frequently divided between laany
diverse docum dockets and in the iterative question and answer
format which Uaing the fire hazard analyclia of the Seabrook
lave1 of treatment appear8 to ba typical. The
1e vapor in dismiansd aa being insignificant (in
at the atomization process takes placd over the
tion. This duration la not representa6ive of the
early a number of vapor production $echanisms
will exist. , some fuel will be aprayad into the atm

78
E 8.
licensing eXperien
I
it appears t1i.t fire and
treatad with much lee. care than!, the direct
ti- rtructural response. ~herefoii, the claim
4:
acts do not represent a threat to nuclear power
clearly demonstrated. 4
?
I
<
.;
!,

, .';,,>,~robabilit~
. . . _ of occurrence of an aircraft crash. In actual
practice 10 CPRII.lOO%ni.SRP guidelines have been'(exclusive1y) employed on a
ir. ..*. ..
case-by-care "bksis.~$/:~hls. methodology provides for the implicit 'inclusion of
.,. .., ..*?.. : . !:
risk by reguiring'::thrt' the exposure probability of aircraft crash events is
acceptably rmai1;:~~datekinirtic analyses and engineered safety features are
used in carer of design baris events, those having otherwise unacceptable
exposure pr ntil the exposure (risk) guidelines are satisfied.
The aircraf d for nuclear power plant. is primarily a atochastic
problem, vhi s on many conditional probabilities including the
probability o oactive material release given a particular crash
event. Con is usually applied in estimating the conditional
probability of occurrence of any given level of radiological consequences -
in the extreme a value of unity is assigned to the conditional probability
of having an unacceptable release. However, it is observed that there is a
direct coupling between the calculation of crash probabilities and these
conditional probabilities. and. therefore. the problem is nct sicply
defined.
In general, account is taken of the stochastic features, response, and
relative vulnarability of structures. systems, and components. Major
criticisms that my be made of typical aircraft hazarda analyses are the
lack of clear and.,'iupported statements on many key underlying aseumptions
and comprehensive ;:treatments of the overall hazard. Thus both the open
literature a~doc&mentation concerning epecific pover plants abound with
studies of thd, ' impact phenomena of aircraft or aircraft missiles on
substantial concreti .atructurea. Them analyses are pursued to the virtual
exclusion of other,: &craft crash scenarios. While it fa trcognized that
the breac11ingi:otj;;:bou
,.. of the plant's concrete barrier8 may often be
... . , ,.;,
tantamount to-.a:'rolra8r of radioactivity, it is not readily evident why
? ..:, >> .,,.,
other crauh rcenarid.:i8hould not be considered in similar detail.
i ;i.'jyi'&Jip$i . ,

80
i
?
essary to have multiple initiating' events or a
the malfunction of a nonsafety system ultimately
affects a,piin~.'&f&y system. There is some indication that the latter, a
propagating.'fiilk& can sometimes occur. The crash of s large aircraft
with the resulting projectile impacts, fuel rplllage, and firelexplosion
. . , . . ,'
scmariossuggertr that multiple initiating events MY also b. possible. In
none of the?{rdvi&&d literature have thew problem been addressed; the
combination'~~f,!~~fir./explosion and impact damage has recaived a little but
highly supdrficial. attention.
s directly influence the estimation of radiosctive
expoaure probability and the cramh probability itself, through site
location, susceptible target areas, etc., it is necessary to represent them
consistent with the range of possible accident ecenarios. As indicated
above this process ir usually performed either inadequately or without
pertinent rupporting data or calculations. In particular, potentially
vulnerable plant features are not identified through a uniform code of
practices. as, for example, the inclusion or not of switchyard, turbine
hall, and other structures. On the other hand, calculations of the
effective plant area for the included susceptible targets are made
conservatively through the choice of the aircraft crash angle, although the
skid problem and it8 contribution to plant area have not been adequately
resolved. Another shortcoming of .any aircraft crash analyses is the
esploynent of simplified and/or outdated methodologies or data when much
more advanced methods and batter data are available. An example of this is
the treatment of local structural damage to concrete walls where both better
material representations and computational procedures are availa'Jle than
conservatism is apparently included in the conditional
oactive release that are typically used for the plant
the amlysee performed, craeh probability calculations
ar power plant niter haw yielded values that are often
ct to 10 CPR 100 and SRP guideliner, i.c., in the
to 10" per year, and/ox (ii) unacceptably high
ount either the inherent hardness of plant structures
aturer. Generally these rites ere close to one or
n and military) and in some instances within 5
ence of General Aviation light aircraft flights in
and major air corridor traffic in the immediate
usually result in unacceptable crash probabilities
of hardness factors through a significant reduction
tee. In addition, the followiog specific observations

and conclurio
81
0 1 Aviation aircraft it is found that at about 5
milea from moat airporta, the effect of the airport becomea
unimportant; 8 , the background level dominates. Using
national avrrager for craahea of light aircraft results in a
relatively'high frequency of approximately eventa per year
per square aile. This in general giver marginal crash
probabilities (on the order of per year) for nuclear pover
afgnlflcant aim, and, therefore, a major portion
tea mat be nonsuaceptible or hardened against auch
rhould also be noted that in areas of high traffic
ployment of m'tional average crash rates may be
0 vicinity of heavily traveled airwaya, mre than
tr':per year, the craah frequencies again appear to be
high .::::* : > ,
B *e* sl:, . , . eventa per year per aquare mile, resulting in
, ,
I: , . ...
uargid~;situations for pomr plants with vulnerable areas of the
order :df':l0-* mquare dler. Since airways are predominantly used
by large aircraft, power plant hardening ia not an easy tank.
kain, the effect. on national average craah rates due to local
nditiona and traffic patternr is not eatabliahed.
ut 330 major FAA-controlled airport. in the U.S.,
berof critical Air Carrier crashes, i.e., crashes
age 8 nuclear power plant, fa of the order of about
ten per year. Assuming that one-third of such crashes occur
within5 dler of these major airporta and using the national
accident atatiatica, one finds that the probability of auch a
crash within the 5-mile radius from the airport in on the average
lo4 ;ient',per year per aquare mile - again a rather exceaaive
value'.~~::'.'Sanaitivity atudiaa performed during the current wrk,
.'.,l%< ,~
however, indicate that this airport effect may extend to
aignificantly greater distances, e.g., ray to 10 miles or more.
airports are much leas defined; however, they
eneral to be comparable to commercial airports.
cia1 flight patterns, e.g., training flights, high-
speed,: flight#, lorflying aircraft. bomb runs, etc., must be
conridered . carefully. Indications aro that past bractice has
taken there aaoecte into account.

82
ing the actual analysis methodologies can also be
ry to employ the virtual areas of power plants,
aed on the shadow araaa of vulnerable structures.
aircraft hazards malyses. Indications are that
air&aft .kid areaa ma9 in some caner be considerably larger than
thoae virtual areas, but skid analyses are generally not
performed.
., .,,
r,:,$,:>
,.i:!, ;.,, ~.J

itself a coditional probability, conditioned by the accident scenario
: . .:, ,.
characterirtici~~*~and th;. affectiva target feature;. Since tha nbture of the
.. , .$i v.
targat dependr t:!tself ::upon the aasumed accident . : scenario, thij calculat ton
process can:&?rathar
.i. , ,: ::: involved; further, potential nuclear !power plant
targets are i:&plex and varied.
latione for the specific aites previously studied
involved conriderable data gathering and modeling of site features and
accident parameters. Rcsultr are atrongly dependent upon those factors and
invariably reflect'derived and in most cares assumed conditional probability
: . , ._.
estimationm -$bf;$fcsrtafn .:. event occurrences. The proced&e requires
? :: . *.K;
identification.~~and'~ quantification of likely accident scenarios and
evaluation of ';iiorres&nding target features on the basis of deterministic
37"'.
and judgmental~~~athodologiea end consequences criteria. Uowev~r. necessary
detail supporting both scenario and plant feature assumptions and
sensitivity calculrtio~ are difficult to find and evaluate. The state-ofthe-art
of th;'acomplex problem is relatively advanced at the preaent time;
however, tb avhlable knowledge has not been employed to its full advnntage
in paat applicationr, and a lack of detailed procedures or codifications
appears ta persiot. It appears, therefore, that row for improvement exists
in carrying out tha stochastic analyrer and, in particular, in the more
deterministic areaa of scenarios and damage mechanisms, and where a complex
aviation environment exirt8.

The present regulatory approach re aircraft hazards to nuclear power plants
is to allow for a compensatory combination of site location and engineered
safety features to meet federal regulations and licensing standards.
Neither this study nor to our knowledge any other study haa shown that this
approach is fundamentally unsound or deficient in achieving the desired
safety standards although these standards and the topic of rislcs vere not
themselves included in the current scope. A reasonable argument can be made
that this approach results in better plant design compatible uith its
(aircraft) environment although again this point has not been proven and is
beyond the current scope. Equally credible arguments have been made that
the present approach reaults in some cases in an over-reliance on
engineering solutions, unnecessary exposure to aircraft hizards with
possible increaaed risk, and does not effectively utilize or emphasize
siting as an inherent defense-in-depth factor.
The three araas where changes have been suggested and can be made to
establish alternate regulatory approaches are in the Code of Federal
Regulations, NRC Standard Rcviev Plan, and Regulatory Guides. Several
alternate approaches are discussed in Section 2 and are summarized here as
follovs :
0 establishment of minimum standoff distances from geographically
located offsite hazards;
exclusion distances from the same;
site acceptance limits where sites not meeting these thresholds
are excluded;
0 site acceptance floor.
are approved;
where sites not exceeding these thresholds
0
containment design to withstand certain aircraft crash scenarios;
P
derign against most severe aircraft-induced consequenc(as;
eatabliahment of acreening distance values an$ screening
probability levels to identify situations requiring
3
substantive
treatmeats.
2
In particular, the question a raised as to whether a sit
relative to aircraft (and other) offsite hazards ir feasible andppracticable
ii
whereby site approval requirements can be established independently of
specific plant design. k an example, it has been recomaendad : 0 hat nuclear
power plants be located no closer than 5 dles from major airpo ts. At the
present tima there ara no requirements on the frequency of %&urrance of
aircraft crasheo per re on nuclear power plantr provided that the risk ia

acceptrblY -11, and the risk evaluation procerr is rtrongly dependent upon
plant featurer- Another quertion that ariser concerns vhether more uniform
ritiw rtandrrdr can k dtvrlopd ar, for example, procedures for rcreening
potential rite locations or evaluating ~ f standoff e distances.
4 1
Presently, federal re~ulationr are written to enrure that no credible risk
i m posed by aircraft (and other offrite) hazardr to nuclear power plants on
the baa18 of radiation expoaura criteria. Thur, in ttrme of both
probability (cradibility) and conrrquence (exposure) analyses, plant
featurer are at prrrent central to the determination of compliance to
regulationr through effective target area and vulnerability charactariatics;
there cheracterirticr are thaeelvas coupled to
scanmior. The current SRP review procedure (Rev.
the aircraft crash
2 - July 1981) does
ertablish rite rcreeni~ proxioity criteria relative to airrpace usage and
otherwire enrurer that a11 potential design baris accidents are eliminated
as credible uventr through proper identification, charecterization. and
treatment. h e net effect of the preaent approach is that the annual
frequency of unacceptable radiation exposure reeulting frm offsite hazards
(integrated over all aviation and other aituationr) must be less than
to lo-' per year depending upon the nature of the modeling.
On the barir of these rirk criteria, our findings indicate that certain
alternate regulatory approacher to eiting rtandards and more uniform
procedurer are ferrible tut not completely independent of plant design
considerationr. Siting panalitier (and poosibly plant hardening) would need
to be impoaed in thore carer where the effective arear of auscaptible
targets exceed nominal valuer that could, in principal, be aarociated with
the variour clarrer of aircraft hazard ecenarior. k an uxemple, the
nationally avaraged background crash rate of light General Aviation aircraft
ia on the order of 10'~ craahee par aquare rile per year rnd could be
substantially higher in regiona having abova average traffic rates.
Therefore, a nominal effective area calculation rrlative to background
aviation and bard upon rurceptible tergetr together with conditional
probabilitier of radioactive utrrial raleasaa would in the firrt place have
to bo roall rnough ro am to prarent no credible rirk, and in the eecond
the extent that local aviation rtatirticr vary.
t, howvrr, the prerence of backgrou~d avlrtion hazardr
cilitier and rhould be viewed am a baaic design
r a riting problem only inrofar ar there are
r in the hazard ievrlr. Accosdingly, it ir
t the present approach be applied in tho treatment of
background aviation turrrdr mince thir. for a11 practical purposer, in

synonymow vith"containnent (and other) design to withrtand certain aircraft
crash scenarioi~$-: primarily from light single-engine pleasure aircraft;
,ijl . ,
other *uggestd:i:siting. alternatives do not appear applicable to background
aviation. '-&?.;findings . .. indicate that specialization of the SRP to
background
to this tan
easible and that the following steps are important
r definition of the beckground aviation which a
plant is exposed to irregardless of siting details;
generate appropriata crash rate statistics relative to
geographical variations, fleet mix, and aviation parameters;
ertablirh procedures for estimating local background aviation
activity;
perfom more detailed crash scenario and rusceptibility analyses
primarily for the switchyard and other noncontainment features.
With respect air traffic concentrations, such as airports, air
corridors, and other rertrictd air spaces, our findings indicate that other
siting approaches appear to be feasible and practicable, and that the basic
information required in any alternate formulation exists. This conclusion
is based upon the observation that nominal crash probabilities, i.e.,
independent of plant design, can be evaluated for any assumed site location
relative to fixed aviation air-spacer. Thus, mlnimum distances between the
suggested plant site and airports, air corridors, etc. or acceptability
criteria could be applied on a aite-specific basis and based upon, say, the
background crash probabilities of light (and heavy) aircraft in the
region. Although the data bares and methodologies are generally available,
such calculations have not been made in a oystematic manner.
It appears that the following alternate regulatory approaches are mrthy of
pursuit and potentially capable of yielding additional practical guidelines
with reapact craft hazards in the vicinity of fixed aviation air-
rpscest
vslopment of the rite screening methodology that
depend8 only upon local aviation statlstics and locations rnd is
.,., .. . t of plant design; suitable probability criteria muld
tabilirhed relative to acceptability.
2. f minimum standoff or exclusion distances from
Wsyr, end other controlled or restricted air spaces
pon levels of potential hazards and independent of
this approach ia based upon the obsenation that

then aviation zones concentrate traffic
rater,' and increase phases of operation in
levels, increase
their vicinity.
crash
"""& +, , .
' .' .,b'++:,;* . .
:+.,..: ..!.
Due to the background and possible residual effects of fixed air-spacem, it
-
does not appear feasible to develop safe standoff distance lscthodologies for
aircraft hazardr'~'independent1y of nuclear power plant design considerations
as discussed above. I:::':? '.. . .
. .
. .
The alternate approaches wuld clearly emphasize rite selection over
engineering solutions to aircraft hszarda prasented by airport., air
corridors, stc.; however, to be effective procedures should cover situationa
that are complax in the sense that multiple airports (of varying size),
overlapping air corridors and other air-usage spaces, and a wide range of
aviation paramatera will generally be involved in any actual situation. It
is anticipated that a principal advantage of the indicated alternate
treatments vill ba in the handling of large (Mr Carrier) aircraft hazards
for vhich engineered aafety features are costly and defense-in-depth
site selection is most desirable.
through
. , . , ', : ....
.. --., :,: ,,,, ,st,< p 1
Finally, it rhoul~~k'noted that the present mcreening criteria contained in
&. ,. .
the SnP estab1irh;:rita proximity distances to airports, military training
router, and c~erciel aviation de~ignated sir spacer as l function of the
annual number of airport operations, at five miles, and at two miles,
rsspwtively. In each of there situations, the acreening distance value

A nuaber of arear concerning aircraft hazards to nuclear power plantr are
prarently anrarolved andlor treatad in .a inadequate manner. It is fnir to
sat that although .a. of the problem area. talate to advances in th. atate-
of-the-art (e-g., aircraft rtid sad fireu), aort only involve the generatton
of additional epecialired information and procadurer, and the orieneatien of
there more to the pofnt of vieu of the regulatory and revieu procrrses.
fhua, rerolutian of these problem areas ie eignificont to the existing
regulatory approach a8 mll as p~rrible alternate approachrr. Important
benefitr tht can be cxpcted to reeult include overall rimplification of
the ritiq procedurar relative to aircraft hazards end streamlining of the
regulatory procera. The rore important areas that appeared duriw this
study will be briefly notnd belor under the headings of aviation, rcenerios,
and plant; it ahould ba noted that there are mnsite-opcrcific, i.e., generic
with rerpect to nuclear pouer plants:
Aviation
detailed review of aircraft accident reports av.3 data to
eateblieh criterla to better define those aircraft accident
rcerurioa that are potentially threatening to nuclear power
plant# and appmpriatc notoc.xzing atatirticr;
a definition of aviation categories from hazard and siting points
of vier, e.g., background craeh exporure. airport-relatad crash
zones, riturtioar threatening to nuclear pouer plsnta, etc.;
acaliw characterirticr of crarh rates relative to aviation
parmrtrra auch an airport rite, traffic denaity, air corridor
characterirticr, geogrephical variations, etc.;
Q mra detailed rtrtirtica on aircraft in-betmen the llght ringle-
engine and heav comercia1 aircraft, e.8.. twin-engina and
military aircraft;
procedural guidelines for getbering and statirtically treating
local aviation data bares and the rcalitq of craeh rates;
methodologier for treating caplex aviation anvirumk*nts much as
the prerenca of multiple nearby airportr, overlapping airways,
etc;

Scenarios
- Plan:
methodologies for treating fleet m1:tes with respect
parameters and aviation activities.
0 modeling and verification of crash characteristic
flight path Farameters auch as speed and altitude.
characteristics such as orthonormal deviations to the
and crash inclination angle. and skid momen
relationships, among others;
establishment of probability distribution functions
aircraft impart parameters, e.g., speed and ori
impact. fleet mix effects, etc.;
0 analysis of aircraft firefexplosion characteristics.
further identification of plant features susceptib1.a
crashes, multiple failure possibilities, and plant
rasponse characteristics;
procedural guidelines for target area calculations
relative to fleet and accident scenario mixes.
All of the above areas aro, of course, neceaearily addrebaed in
if only through implicit assumptions (such as ignori14 the pc
fire), highly rimplified or unsupported models, and the ap
subjective judgement. In some areas, auch as identiflcatlon 01
crasher, the data bare appears adequate and is readily avalla
criteria development and mtandardization is needed, while othe
considerable atatintical or modeling efforts, e.g., airport-#
zones, thn aircraft rkid problem, and crashes into the svitchya
few. More aphasis should be placed on the sensitivity o
variations in the many probabilistic and phenomenological as
aircraft hward to nuclear power plant problem.
To conclude, it rhould be emphasized that it has been fo~
aircraft hazards to nuclear power plants ate generally very lo'
with respect to 10 CVR 100 radiological exposure guidelines, an
phenomenological and incidental factors ca.1 usually be errimat~
to soma degree. Therefore, the concluricns und problem areas r
aircraft
including
rash path
ight path
)-distance
lative to
:ation at
aircraft
ilure-mode
rticularly
st rtudies
Lbility of
cation of
hreatening
! and only
weas need
tted crash
to name a
:esu1ts to
tr of the
that the
isk events
lost of the
or bounded
.led out in

this atudy need not br +.:awe for alarm although many details cannot be
expected to be adequateiy r:t-,.luad for st leaat mny yznt..$

REFERENCES
1. U.S. Nuclear Regulatory Commission. Title 10, Code of Federal
Re~ulatlon., Part 100. "Reactor Si e Criteria." Wasnington, DC: U.S.
Covernnant Printing Office. 1975.
;
2. U.S. Nuclear Regulatory Comnission. NUREG-0800, (formerly NUREG-
751087). "Standard Review Plan," Revision 2, July 1981,
3. U.S. tbclear Regulatory Commission. MIREG-0625, "Report of the Siting
Policy Task Force," Augub~ 1979.
4. U.S. Nuclear Regulatory Cormionion. 17590-011, "Modification of the
Policy and Regulatory Practices Governing the Siting of Nuclear Power
Reactors."
5. Finley, N. C. and Hcr.eid. S.. "Nuclear Power Plant Siting; Offsite
Hazards (Rough Draft),, Sandia National Lahoratoriem, NUREC~CR-SANRBI-
1022, April 1981.
6. Eisenhut, D. G., "Reactor Siting in the Vicinity of Mcfields," Trans.
h. Nucl. Soc. 16~210-211, Chicgo. Juna 1973.
7. Drittler, K., Cruner, P. and Krivy. J., "Berechnung des Stoasea cines
deformierbaren Flugk6'rpermodells gegm ein defomierbares Hindert:is,"
Institut f a Reaktoraicherheit, Technical Report IRS-W-20, April 1976.
8. Stevenson, J. D., "Current Summary of International # Extrem Load Design
Requirements for Nuclear Power Plant Facilities," Nucl.
(1980) 197-209.
Eng. Dan. 60
9. International Atomic Energy Agency. No. 50-SC-S! , "External Man-
Induced Evants in Relation to Nuclear Power Plant Siting - A Safety
Cuide," Vienna, 1981.
10. National Transportation Safety Board. NTsB-ARc-~~-~, "Annual Review of
Aircraft Accidents Data, U.S. Air Carrier Operations - 1976," U.S.
Department of Traneporcation. Washington, DC. January 1978.
11. National Transportation Safety Board. NTSB-ARC-80-1, "Annual Review of
Aircraft Accident Data, U.S. General Aviation, Calendar Year 1978,"
U.S. Department of Transportation, Washington, DC, b y 1980.
12. Chelapati, C. V., Kennedy, R. P., and Wall, I. B., "Probabilistic
haessment of Aircraft Hazardm for Nuclear Pover Plants," Nucl. Eng.
Dar. 191333-364, 1972.
13. Niyogi, P. K., britr, R. C., and Bhattacharyy., A. K., "Safety Dasign
of Nucloar Power Plants Against Aircraft Impacts," Uniten Engineerr 6
Constructors, Inc., Philadelphia, PA

Codbout. P. J.. "A Methodology for 1 Assessing Aircraft Crash
Probabilities and Severity as Related to the Safety Evaluation of
Nuclear Power Stationm," Ecole Polytechnlque de Montreal, ALCB-1204-
1: bin Report, AECB-1204-2:Appendices 1-11, May 1975.
i
Godbout, P. J. and Brais, A., "A Methodo:ogy for Assessing Aircraft
Crash Probabilities and Severity as Related to the Safety Evaluation of
Nuclear Pover Stations," Ecole Polytechnlque de Montreal, AECB-1204-
3: Final Report, September 1976.
I Solomon, K. A,, "Estimate of the Probability that an Nrcraft will
Impact the PVNCS," NUS Corporation, NUS-1416, June 197 . f
i
Solomon. K. A., "Analysis of Cround Hazards Due 'to Nrcrsfcs and
Missiles," Hazard Prevention Journal, Volume 12, Number 4, March/Aprll
1976. $
Solomon, K. A., "Analyois of Reactor Hazarda Due to Mrcraft and
Missiles," Trans. her. Nucl. Soc. 23:312-313, Toronto, Canada, June
1976.
Gottlieb, P., "Estimation of Nuclear Power Plant Aircroft Hazards,"
Probabilistic Analysis of Nuclear Reactor Safety; Topical Meeting, Lo8
Angeles, CA, by, 1978.
Nrcraft Crash Probabilities, Nuclear Safety, Vol. 17. No. 3, by-June
1975.
Bonnin, D. M., "An Aircraft Accident Probability Distribution
Function," Trans. her. Nucl. Soc. 18:225-226, June 1974.
Solomon, K. A., Erdmann, R. C., Hicks. T. E., and Okrenc, D.,
"Airplane Crash Riaks to Cround Population." UCLA-ENC-'1424, March 1974.
Solomon, K. A. and Okrent, D., "Airplane crash' Risks," -- Hazard
Prevention Journal, Volume 11, Number 3, January-February 1975.
Hornyik, K., Robinson, A. H., and Crund, J. E., "Evaluation of Aircraft
Hazards at the Boardman Nuclear Plant Slte," Portland General Electric
Company, Report No. PCE-2001, Hay 1973.
Hornyik, K. and Crund, J. E., "The Evsluation of the Nr Traffic
Harsrds at Nuclear Plrnts." Nuclear Tecimologp Volume 23. July 1974.
Hornyik, K., "Nrplane Crash Probability Near a Flight Target," hana.
her. Nucl. Soc., 161209-210, 1973.
Codbout, P. and Brais, A., "A bthodology for Assessing Nrcraft Crash
Probabilities and Sevarity as Related to the Safety Evalustion of
Nuclear Power Ststions - Phase I Final Report, Atomic Energy
Control Board (Canada), March 1980.

Crarrro, U. and Lucenet, C., "Zvaluation of the Gobability of an
Aircraft Crash on a Nuclear Power Plant," Proceedings of the Fast
Reactor Safety Ueeting, Beverly Hilla, California. April 1974.
ir
Joerissen, C. and Zuend, M., "Risk of an Aircraft haah on a Nuclear
Power Plant,' International Nuclear Industries Ylar. D.sel/Switterland,
October 1973. d
Wall, 1 B , Probabilistic Aaaessment of Mrcraft ki sk for Nuclear
PoWer Plants," Nuclear Safety, 15(3): 276-284, May-June, 1974.
a
Selvidge, J. E., "Probabilities of Aircraft Crashes at Rocky Flats and
Subsequent Radioactive Release," Rockwell International, TID-4500-R65,
April 1977.
Nuclear Regulatory Loamission, WASH-1400 (NUREG-75/014), "Reactor
Safety Study - An Assessment of Accident Risks in; U.S. Commercial
Nuclear Power Plants," October 1975.
Otvay, H. J. and Erdmann. R. C., "Reactor Siting end Design from a Risk
Vievpolnt," Nucl. Eng. Des. 13:365-376, August 1970.
Wall. I. B., "Probabilistic Assessment of Risk for Reactor Design and
Siting," Trans. her. 1 Soc. 12:169, 1969.
t
Riera, D. J., "On the Stress Analysic of Structures Subjected to
Aircraft Impact Qorcea," Nucl. Eng. ks., Vol. 8, pp. 415-426, 1968.
'4
Rice, J. S., ct 81. "Reaction-Time Relationship and Structural Design
of Reinforced Concrete Slabs and Shells for Aircraft Impacts," 3rd
SMRT, Paper 5513, London, 1975.
i
Docket-50443-169, "Seabrook Station Containment Aircraft Impact
Analysis," Jan. 24. 1975.
A
Wolf, J. P., Bucher, K. H., and Skrikcrud, P. E., "Response of
Equipmant to Aircraft Impact," Nucl. Eng. Des. 47 (1978) 169-193.
It
Bahar, L. Y., and Rice, J. S.. "Simplified krivetion'of the Reaction
*iac Hirtory in Aircraft Impact on a Nuclear Power Plant," Nucl. Eng.
,. 49 (1978) 253-268. i'
C
Drittler, R. and Cruner, P., "Calculation of the Total Force Acting
Vpm a Rigid Well by Projectiles," Nucl. Eng. Des. 137 (1976) 231-244.
Drittler, K. and Gruner, P., "The Force Resulting from Impact of Qast-
Plying Uilitary Aircraft Upon a Rigid Wall," Nucl. Eng. Dra. 37 (1976)
245-248.
Zimsrssnn, nl., Rebors, B. and Rodriguez, C., "Aircraft Impact on
Reinforced Concrete Shell.: Influence of Uaterlal Nonlinearities on
Equipent Response Spectra," Computers and Structurer 2, pp. 263-274,
1981.

@
Kennedy, R. P., "A Review of Procedures for the Analysir and Design of
Concrete Structures to Resist Msrile hpact Effects," Nucl. Eng. Des.
37 (1976). 183-203.
Cristescu, N.,
i
"Dynamic Plasticity," published by Norch-Holland
Publimhing Company, Amsterdaa, 1967.
F
Degen, P., Rrrrar, H., and Jemielewski, J., "Structutll Analysim and
Design of A Nuclear Power Plant Building for Aircraft Crash Effects."
Nucl. ng. Den. 37 (1976). 249-268.
F
Svalbonas, 4. and Levine, H., "Numerical Nonlinear Inelastic Analysis
of Stiffened Shell of Revolution." NASA CX-2559, July 1975.
8
Saugy, B., Zlmmermann, Th., and Hussain Khan, U., "Three-Dlmenaional
Rupture Analymis of a Remtressed Concrete Pressure Vessel Including
Creep Effects.^ Vol. 111, 2nd SMUT, Berlin (1973). 6
i
Carlton, D. and Bcdi, A,, "Theoretical Study of Aircraft Impact on
Reactor Containment Structures," Nucl. Eng. Den. 45 (1978). 197-206.
$
Gupta, Y. M. and Seaman, L., "Local Rcaponse of Reinforced Concrete to
Uimrile Impactm," Nucl. Eng. Des. 45 (1978), 507-514. [
Parker, J. V., Ahmed, K. H., and Ranshi, A. S., "Dynamic Response of
Nuclear Power Plant due to Earthquake Ground notion and Aircraft
Impact," paper No. K9/5, 4th SHIRT, San Prancimco, CA. &uat 1977.
a
Ahmed. K. M. and hnshi, A. S.. "Dynamic Response of, Nuclear Power
Plant due to Earthquake and Aircraft Impact Including Effect of Soil-
Structure Interaction," Journal of Sound and Vibration (1978) 59(3).
423-440.
8
I
Schalk, M. and W6lfu1, H., "Response of Equipment in Nuclear Power
Plants to Airplane Crash." Nucl. Eng. Des. 38 (1976), 567-582.
S
Hamel, J., "Mrcraft Impact on a Spherical Shell," ~uci. Eng. Den. 37
(1976), 205-223.
Attalla, I. and Novotny, B., "Ulssllc Impact on a Rein*Iorced Bncrete
Structure," Nucl. Eng. Den. 37 (1976), 321-332.
Zerna, W., Schnellenbach, C., and Stangenberg , ?. , "Opt lmlrod
Reinforcement of Nuclear Power Plant Structures for Aircraft Impact
Porcer," Nucl. kg. Den. 37 (1976), 313-320.
Krutrik, N. J., 'Analysim of Aircraft Impact ~robielrs," Advanced
Structural Dynsmica, Cd. by Donea, J., Applied Science Publishers,
Ltd., London, 1978, 337-386. k
8
I(ui1, H.. Krutrik, N., Kort, C., and Sharps. R., "Overview of Major
Asp.ctm of tha Aircraft Iapact Problem," Nucl. Eng. Dea 46 (1978) 109-
121.
f

96
Viti, C., Olivieri, X., and Travi, S., 'Developmen of Nonlinear Floor
Reaponre Spectra," Nucl. Eng. Dee. 64 (1981), 33-38.
Eichler, T. V. and Napadensky, H. S., "Acci ntal Vapor Phase
Explosion8 on Tranaportation Routes Near ~ucleiir Power Plants,"
NURECICR-0075, April 1977.
Napadsnaky, H. S. and Takata, A. N., "Potentia Danger of Fixed
Propane-hobutane Storage Tank8 1n a Reatdential bea," KIT Reeearch
Inatltute Report V6141-J19, %rch 1976.
Docket - 5029549, "Potential Effects of Aircraft I ct and Post-Crash
Fires on the 2101 Station," 1972.

APPMDIX

Offslte Hazards: Aircraft Crash
Type of Model: Rterminiatic
Authors: Ahmed. K. M. and Ranshi. A. S.
Title: Dynamic Response of Nuclear Powel
Earthquake and Aircraft Impact 11
Soil-Structure Interaction
Reference : Journal of Sound and Vibration (:
Brief Lhscription:
This paper compares the dynamic response of a
plant to a modeat earthquake (Parkfield) and to
Boeing 707-320. Finite element and modal superp
used to obtain the time-history response and tl
response spectra. It is shown that the response
to impact of URCA on the primary containmen
compared to the response due to a modest earthqt
Boeing 707 crashing onto the facility, the den
could be damaged depending upon the amount of ene,
Offsite Hazards: Aircraft Crash
Type of Model: Determlnistlc
Authors: Bahar. L. Y. and Rice. J. S.
Title:
Simplified Derivation of the Ren ct, d
History in Aircraft Impact on a Nu1
Reference :
Nuclear hnineerinn - - and Raign - 4
Brief Lbacription:
This paper present. a simplified derivation E the
history of an aircraft impact on a nuclear pow
reaction-time
of motion for the rigid part of the aircraf
variable system of particles loosing mass. The stion of motion for
the crushing region is obtalned using containu
The res~lts indicated that the reaction la not
velocity distribution in the crushing region of t
chanice approach.
ed by the assumed
I
1 t 4
'lant due to
uding Effect of
'pica1 nuclear power
r impact of URC4 and
Ltion techniques are
corresponding floor
f reactor plants due
structure is small
e. In the event of
R of reactor plants
absorbed locally.
Offsite Hazards:
Tvoe . of Model:
Authors:
Aircraft Crash
Determinlatlc
Attalla, I. and Nowotny. 8.
Title:
Ref trance :
Brief Description:
Mssle Impact on a Reinforced CO
Nuclear Engineering and Rsign 5'
:et Structure
11976) 321-332
This paper studies the behavior of reinforced co~
missile impact loading using PISCES 2 Dl. code.
in a11 directions including wall thickness, r
waves near the loading area were considered. PI
defining the material and yield models for reinfo
I
&eta structures under
l local deformatione
aticity, agd stress
p diacuasions are on

Offrite hzards: Aircraft Crash
Type of bdel: Probabilirtic
Author: Bonnin, D. M.
Title: An Alrcraft Accident Probability Mat!
Reference: Transactions American Nuclear Society
June 1974
Brief Description:
Proximity to m airport has bean considered a dieadvar
reactor; hence, the likelihood of aircraft crashee c
considered during site relection and licensing ac'
preparing an amendment to the application for constru
nuclear reactor a study was made to establish a
accident probability dirtribution function which WI
likelihood of aircraft accidents.
The rtudy covered civil aircraft accidents within 5 ml
in the United Stnter for the years 1966-1970. The ail
the probability function were subdivided by usage (
air taxi, and air carrier) and aircraft aize (:
categories.
Several bark conclusions were noted from the
probability dirtribution function:
1. Ihe probability dl tribution function was always
from 1.100 x loeg to 2.076 x w9 accidents I
aquare mile depending on the flee. pix and tht
from the center of the runway.
2. Ihe probability decreased as the radial dirtance
increased.
3. Use of the function requires mly the air traffi~
at any specific civil airport of intereat and t
in aquare Piles, of the site.
Offaice Hazards:
Type of tindel:
Author:
Title:
Aircraft Crash
Survey
Buchhardt. F.
Reference :
Brief Dercriptionr
Ihis ppar reviews varioua aspects of undergrou
plantr. It dlscurree some critical analyues concerni
darign criteria, conetructional concepts, and imp
probleu of liceneibility and operation.
:ion Punction
225-226.
! to a nuclear
be carefully
ties. While
n permit of a
iled aircraft
reflect the
of an airport
tt end thereby
ral aviation,
c and small)
ults of the
:e low varying
operation per
~dlal dlstsnce
~m the airport
gures compiled
:rltical area.
-
lund
.cal Review
lies
-
nuclear , power
ifferent basic
I as wll as

Offaite Hazards: Aircraft Crash
Spe of tbdel:
Authors :
Deterministic
Carlton. D. and Bedi. A.
Title:
Theorrtical Study of Nrcraft Impact o,
Reactor Containment Structures
Reference :
Brief Descriptiont
Nuclear Engineering and Design 45 (1971
This paper presents results using a flnite differer
(PISCES) based upon dynamic relaxation Initially deve
problema. me code models concrete, reinforcement
throughout the ahort term nonlinear range. Concrete it
a limited tensile stress capacity, couple4 with a
capacity which ic dependent upon the aggregate and cr,
yleld condition iu also specified to allow for
states. The results of a particular reinforced concr
to MRCA loading indicated that 80 um thick model slab
load.
2.h.
In real structures this corresponds to a wal
Offsite Hazards: Aircraft Crash
Type of ?Hodel : Probabilistic and Deterministic
Authors: Chelapati, C. V., Kennedy, R. P., and
1 Referance:
Brief Lbacription:
Probabilistic Assessment of Aircraft H
Nuclear Power Plants
Nuclear Engineering and Design 19 (197
Asgpart of a general probabilistic safety analysl
structural damage to a nuclear power plant frm eirc
been evaluated in a quantified oanner. Requency
aircraft speed and weight and engine weight were cons!
and4 large aircraft and for site locations adjacent ta
anaeirport. Based upon United Stater data an anal
incldenta ia presented to establish the probability
hitting a nuclear power plant.
:1
This paper presented a quantified rimk analysis of str
a nuclear power plant frm aircraft crashes. Three mo
dimcurred here: perforation, collapoa, and cracking.
of amage to an 18-inch thick reinforced concrete aide
4 in the parforation and collapse mcdes is investlga
ar alao compared to the damage of cracking mode.
propoaed to cover the range of parameters encountt
engine impact. The conditional probability of local
wall panel ia evaluated by using probabilistic appr
line theory.
cracking mode.
An elastic finite element method was use
dynamic code
d for atatic
prestressing
sumed to have
ear carrying
size. And a
axial stress
slab subject
In resist the
~ickness 1.4-
, I. P.
d for
the rink of
: crasl~sa has
:ributions of
ted for #mall
1 remote from
of aircraf t
an aircraft
ral damage to J
of damage are
e probability
of a typical
Ihe results
cw formula la
in aircraft
Llapae of the
les and yield
8 estimate the

. .
Authors: Cravero. M.. Lucenet. C. i
Title:
Reference:
Beverly Hills, California, April 1974
Brief Description:
The liquid Metal Past Breeder Reactor WPW-PHWIX.
1200 13W) which will be built at CREYS-EULVILLE in
follow the guidelines given in Rance for the sa
One of these guidelines is to evaluate the risks
lectrical power
traffic. Consequently. a study of this problem wa un to estimate
the probability of an aircraft crash on the power
particularly on reactor building.
SUPER-PHWIX,
Offsite Hazards: Aircraft Crash
Type of mdel: Deterministic
Authors: Degen, P.. Purrer, H., and
Title:
Reference:
Brief Description of Modeling Effort:
I
This paper discusses the effect of s large commercial irplane crashing
perpendicularly on the surface of a mpherical react r building dome.
The carrying capacity of the structure under an eq ivalent statical
load is considered. The presentations include: I
(i) calculation of the failure load
(11) calculation of the sectional
shell theory
method.
and subsequent design by the strength
(iii) calculation of the failure load,
mechanism and distribution of sectional
sh~11 theory.
(iv) calculation using a 3-D FIN wlth plaeatic
Offsite Hazards: Aircraft Crash
Type of Model: Lktenninistic
Author: Dietrich, R.
Title:
Reference:
Brief bscription:
lhis paper evaluated the reliability against damage due to
an aircraft craah on a two effects
are considered in the paper: local
the structure. The empirical
applications ware used for

so11.1tion of the dynamic analysic ia obtained
metlrod. Both n~sults indicated the mfe denig
sub,lect to an aircratt impact.
Offsite IMrnrdn! 3k1rcrsft Crash
Type of lbdsl: Deterministic
Authors: Drittler. Y:. and Ctuner. P.
Title: l~lculatlorr of the ~otai Force Ac
Mall by ~rojectilea
Ref erencc!: iluclear Engineeri& and Design 37
Brief Ikc~cri~tion of tlodallnn Effort :
~ -
A nuaerical (finite difference) method is present
of total force acting upon a buildlng during in
Yariatibnn of gecmetric and materiul properV.ies
axis; are replaced by proper average \,slues.
Offnite Ibzardnr Aircraft Crash
Type of P'bdel:
Authors:
Rterministlc
Drittlar, K. and Cruler. P.
Title:
The Force Resulting Rom lnpdtcd
Military Aircraft Up.m a Rikld Y
Referenca:
Nuclear hnineerin~ - ilnd balkn7'
Brief Dascription of Modelin8 ~ffort:
The authors using the previous propo~ied method t
force of phantom aircraft on a rigid wall. Ihe
the impact force la almost lnnensltlvn
parameterm. Therefore only one force vs. time
for safety consideration.
Offsits Hsrsrds: Aircraft Crash
Type of Model: Probabilistic
Author : Eisenhut. D. C.
Title:
~eactor-i1 tings in the Vicinity
Reference:
American huclear Sociely Transac
Chicago, June, 1973
Brief Dsacriptionr
An evaluation of the probabllity of tin aircra
facility in the vicinity of an airport has
evaluation, together with other sfudien, my am
of general criteria for the siting of reactor
analyela connldercd those accidents that occurrec
the runvay and alno occurred within a 60-degree
npetric about the extended centerline or the N
g finite element
A spacific ship
Upon a Rigid
76) 231-240
br the cnlculation
of a projectile.
as the projectile
lculate the impact
Lts indicated that
various relevent
curve may be used
rfields
-0-211,
rash at a nuclear
performed. This
in the development
Ir airports. Ihe
hin a few miles of
srence flight path

Offrite Hezrrdr: Aircraft Crash
Type of Model: Probsbi:listic
Author: PSAR
Title: Potent1111 Effects of Aircraft Inpa
Pirer on the Zion Station
Reference: Docket 50295-45, 1972
Brief hacriptionr
Prerentr e rtudy of the Probability of an airc
airport hittiqt the statlon. Includes a second re
rffcctr of aircraft impact and poat-crash fires on
Of frite Hazards: Aircraft Crash
Qpe of Model: Probabilistic - Deterministic
Author: Codbout, P. and Rrais, A.
Title:
Reference:
Polytechnologique de Montrual A
Board (Canada), brch 1980.
Brief Darcripttonr
Reportr (1) the accumulation of a s?ecial and ex'
data bank results from related experimects done
France, &run7 ard Austr&lia, (2) an involved
modelling and ite proper coupling of eacl
significant phenomenon present durina the impact p
and p.r mirsille type, (3) use of existing (or
computer coder to identify important processes an<
rerultr against axparimeotal data.
Specific rerultr for W W Reactor Types, prin
projectiler having lov velocities, large diamete
Techniques can k applied to other types of proJecl
Offrice Hazardr: Aircraft Crarh
Typa of ibdelr Probabilistic
Authors: Codbout, P. and Brais, A.
Title r
Reference:
r e
Darcriptionr
Polytechnique d; .tlontreal, PO; i
Board (Canada), 1204-3, September
Thir Phars I1 effort compiled more extensive
aircraft including international experience. T~I
and he~vy aircraft were investigated and crash r
Probability dirtribrttions for aircraft striker 01
rtructurer *.re aenerrted, vith particular slphasi
md Post-Crarh
t using a nearly
: on the potential
station.
, L'ecole
.c Energy Control
~tive experinental
the U.S., U.K..
ailed theoretical
phenomenologically
ass of an aircraft
velopment of new)
i) benchmarking of
ally and to hard
and large masaes.
8.
t.do the Safety
- nnal Report.
, Ecole
~ i c Energl Control
176.
atirtical data on
Itsgorier of light
models developed.
uelear power plant
In sites mar to an

I
104
airport. Inpact forciw functions for the crash of n aircraft nn the
plant containment structure were evaluated using the haracteriatlca of
each aircraft type. Standsrized forcing functions ere developed of
the global energy envelope for the striking phenome a as a hole was
generated.
Offsite Hazards!
Type of bdel:
Author:
Title:
Aircraft Crash
Probabilistic
Codbout, P.
****he***** b
Reference: Centre de
f
order. Accident data was obtained for all typer of ircraft accidents
aincs 1960. Ihe criterion was chosen that any a rcraft which has
navigational difficulties forcing it to land impropedly or unwillingly
is an accident and a poasible danger to the surroundinba.
dm Fbntraal for ~tomic hergy Control Board (Ca
AECB-1204-1 and 2, May 1975.
Brief hecription!
The probability of an aircraft striking n nuclear po r plant has been
evaluated. The method of approach as uaed in this s udy conaiatm of a
aeries of orderly atepa or procedures which ma l use of logic
modelling, of probability theory, of the energy enve ope technique, of
the sensitivity technique and of the limit line oncept, in that
Offaite Hazards:
Type of Model:
Author:
Title: 1
Aircraft Crash
Probahillstic
Cottlieb, P.
Entimation of Nuclear Power Plant Nr raft kzards
Refere~oce :
Probabilistic Analysis of Nuclear Reactor Safety
t
Topical Meeting, Los Angeles, CA, Mey 8-10, 1978
Brief Dcacription:
The standard procedurea for entimeting aircraft risk to nuclear power
plant. provide a conservative estimate, which is dequate for most
aitea, which are not cloae to airporta or heavkY traveled air
corridorr. For thoaa mites which are cloae to f ilitiea handling
large numbers of aircraft movements (airporla or pro), a more
preciae matimate of aircraft impact frequenry can obtained aa a
tunction of aircraft alre. In many inntancan the
aircraft can b shown to have an acceptably am
while the very small general aviation aircraft
aufficiantly aerioua impact to impalr the safety
lhia paper examinaa the in between aircraft: prim twin-engine,
uned for buaineas, pleasure, and air taxi th's group
of aircraft the
once ia one million years, the
ation of avecific

Authors: Cupta, Y. U. and Seaman. L.
Title; Local Reaponse of Reinforced
Impact.
Reference:
Nuclear hgineering - - and Lksign - 45 (
Brief Description:
F
This paper presents an experimental and cw tational (finite
difference) mtudy of reinforced concrete walls response to impacts from
postulated tornado and nlssiles.
of a atudy to datermine the
This paper elro fleaencs the results
dynamic conetitu~ive relations of
reinforced concrata for use in tvo-dinensional cafculations of local
impact remponse. I
Author: bumel. J. rn
Title:
Refareace: 76) 205-223
Brief Description of Uodeltng Effort:
mi8 paper iaolacements of a
structure on the impact load P(t). he a!rcraE -idealired by a
linear mass-rpring-daahpot combination. Ihe tin endent reactions
of the .hell as a function of P(t) are expanded term of normal
wdes .
Oh**********
Offrite Hazard: Aircraft Crash
Type of bdel: Analytical (Structural respo
Author: Haseltine, J. D. (Project Ma
mle: Scabrook Station Containment
Ref erenre: License Application (brch 3,
Docket Nos. 50-443 and 50-444
Brief Dascription of Uodeling Efforts:
1. Conventional elest:c-eiatic analysis
2. Couvaational alastic-dbnamic analysis
3. 'Biggr vpe" elastic-,?laatic analysis
4. "Wave T'ype' impact sna1;:l.s for aircraft
Reault of Analysis:
The elastic-rtatic and elastic dynamic calculations iadicated that
~lestic behavior would occur. The elastic-olaatic calculations
~.
indicetei that the concrete containment structure design was
rdeqcute. A mothodology for determining the impact loads on a rigid
structure is preaented in an Appendix and a sensitivity analyeia
indicate. that the crushing strength of the aircraft in not an
important prwter. A brief fire analysis claims that fire and
e~.plosioa affect. are not important.

Offaite Hazards: Aircraft Crash
Type of Flodelr Robabilistic
Authors: Rornyik, K. and Crund, J. E.
Title: The Evaluation of the Mr Traffic Wzarda at Nuclear
Planta
Reference: Nuclear Thchnology: Volume 23, July 1974
Brief Deecription:
Analytic mdala have been developed and applied to the investigation of
the hazards to a nuclear pover plant from air traffic. Separate models
applying to collisione vith and crashes into the plant, respectively,
employ concepta traffic density and crash site distributions. These,
along vith the more conventional concepta of accident rates and
effective plant area, are used to determine the annual strike
probability of aircraft into safety-related plant structures. Although
the models are quits general, they are applied to two apecific flight
patterns of common interest. The probability maps vhich are obtained
may be umed to resolve siting problems In a quantitative manner.
Offaite bzards: Aircraf t Crash
Type of Model: Probabilistic
Authors: Hornyik. K.
Title:
~ir~lane Crash Protability Near a Plight Target
Reference :
Brief Description:
Transactions American Nuclear Society. 16:209-210.
1973
A aummary of the crash and collision probability models developed in
previous work for a proposed nuclear plant site near a military
aviation training area is presented.
Offaite Hazards: Aircraft Crash
Type of Model:
Authors:
Probabilistic
Hornyik. K. Robinson, A. H. and Crund, .I. E.
Title: Evaluation of Aircraft bzarda st the Boardman Nuclear
. Plant - - - Site - - - -
Reference: Portland General Electrlc Company, Report No.
PCE-2001. Hay 1973
Brief Description:
The document presents an assessment of the probability of aircraft
crashing into a proposed nuclear pover dencrating plant located nrar
Boardun in Horrov Count. Oregon. Qmntitative estimates of crash
probabilities into the proposed plants are based on analysea of
operations of conmkrcicl aircraft use of federal airways and the U.S.
Navy aircraft uae of a nearby Navy vesl)ona Syatemv 'Raintag Facility.
The VSTF, it8 procedures, its utlliz~tion, the aircraft used and
operating experience at this and other related fscilitiea are describrd
in wme detail. Both low altitude collision and high altitude crash
probability modela are constructed.

Offsite bra
i . :. .
affic ikrards at Nuclear
logy: Volume 23, July 1974 ,
ve been developed and applied to the investigation of
the harards to a nuclear power plant from air traffic. Separate models
applying to collisions with and crashes into the plant, respectively,
employ concepta traffic density and crash aite distributions. These,
along with the more conventional concepts of accident rates and
effectiva plant area, are used to determine the annual strike
probability.of aircraft into safety-related plant structures. Although
Reference :
1ve siting problems in a quantitative cunner.
***I********
ea is presented.
************
Offsite bzar rcraft Crash
obabilistic
, Robinson. A. H.. and Crund, J. E.
of Aircraft mzarda at the Boardun Nuclear
Reference : neral Electric Cmpany. Report No.
CE-2001, y 1973
;
nts an assessment of the probability of aircraft
proposed nuclear power generating plant located near
ow Count, Oregon. Q~antitative estimates of crash
roposed plants are based on onalyaes of
ircraft use of federal sirvays and the U.S.
rby Navy weapons Systelu Training Pacility.
its utilization. the. aircraft used and
operating axperiance at this and other related facilities are described
in nome detail..:. Both low altitude collirlon and high altitude crash
probability models~ara constructed.

Offsite rcraft Crash
diagram and compared with tolerable rink limite.
), ~,:4&>'%+:;~!!& r,\....
r,
, . ~.. ,:, ,.,
U
:<
j.~
g
?
+
sh.on a nuclear
are estimated
rike, missile
s i and systems
ted in a hrmer
The probability that an aircraft crash vould initiate an kident in a
nuclearpower plant with mubsequent release of radiosctive material is
lower by several orders of magnitude than those of the design basis
accidents. , Although the consequences in term of activity release to
the enviroment wuld be ruther severe in the worrt conceivable case,
the risk vould still be about two orders of magnitude belov the risk
limit stated by Farmer. bse calculatione show that even under
unfavourable meteorological conditions tlm maximum radiation dosem to
the population wuld be far below the lethal dose. The consequences
for the population vould therefore be leas revere than for the much
more probable aircraft crash in a densely populated area.
************
Offsite lhc Aircraft Crash
TYDQ of lbdel . . , . I ,
~"thors:
Titlet
Reference:
. : . . . .>
. . . : ..: , .,. , :.
. . .
bail; A., Krutzik, N., Kost, C., and Sharpe, R.
Overview of Major Aspects of the Aircraft Impact
Prohlem . - - - .
Nuclear hgincering and Dcsign 46 (1978) 109-121
Brief Description:
, This paper identifies the major aspects of the aircraft impact problem
and rpotlights the most rele~ent topics for future investigation.
Three uin topics are presented: modeling techniqu*s, influence of
nonlinear behavior, and damping effect in the dpmic structural
response for aircraft Impact loading.
ircraft Crash
rious empirical procedures for determining .penetration,

tsrgstr rubJect4 to mirsile impact. Simplified procedures are defined
for determining the dynamic response of the target vall and for
eventing overall failure of the vall.
************
Offrite fhzsrdnr Aircraft Crash
Type of bdelt Rten~inistic
Author : Krutzik, N. J.
Title: Analysis of Aircraft Impact Problems
Reference! ' Advanced Structural Dynamics, ed. by Donea.
J. Applied Science Publishers, Ltd., London,
978, pp 337-386
Briof Desc
This paper presented the characterization of the load case induced by
various aircraft impacting on the nuclear power plants. Also the
influence of elastoplastic deformation in the area of impact on load
function is discuseed. The dynamic structural inveatigationa for
reactor building are presented using beam and shell models. The modal
damping, : daoping parametera, soil parameters are discussed.
Investigation of two neighboring buildings of unequal mires ahow that
the presence of the smaller building has a damping effect on the
dynamic response of the larger building, and the impact bn the lar,ter
building exciter orcillationa in the smaller buildings. Am far as the
cornparirons wlth an earthquake and an explosive shuck wave, in the low
frequency range (up to 5 ) the load case of an earthquake is
governing uhereas in the high frequency range (above 10 ifr) the lord
case of an aircraft crash dominated.
Offsite thzardsr Aircraft Crash
Tvm of Model: Probabiliatic
Reference : United hsineers 6 Conetructors, Inc., Philadelphia,
PA.
Brief Description:
A nuclear power plant ir considered adequately designed against
aircraft hazard# if the probability of aircraft accident. resulting in
radiological conreque car greater than 10 CFR part 100 guidelines is
leas then about 10-' per year Othervire an aircraft accident is
conmidared a derign basis event and the plant must be hardened up to
the point at which ths above criterion is met. In many canes it haa
been mufficient to demonstrate that the probability of an impact on a
safety-related building is less than per year. In other cases, it
is necarsary to take into account the intrinsic hardness of buildings
and rtructures derigned :o withstand tornado, seismic, and manmade
hazard# in order to demnstrste that an afrcraft impact preaents an
acceptable rirk In some carer, hovever, it ir necessary to conaider
aircraft impactr sr deaign basis event. end to specify the level of
hardening required to satisfy the design criterion.

hi tr a numbar of techniques which may be utilized to
accomplish the above objectives. lirstly, a re-evaluation is ude of
aircraft crarh probabilitier. Secondly. methods are described for
calculating .; aircraft impact forcin~ functions, for obtaining
probability ,'dirtributions for the impact parametere. Thirdly,
evaluation8 are ude for asaeaaing the probability that an impact on a
given atructure will result in consequences exceeding those listed in
10 CPR 100 and recolllnndations are mde for treating lower consequence
events. Finally, other effects such as fires, explosions, and
secondary deailea are examined briefly.
Offsite Ibzardat : ' ; Aircraft Crash
Type of Model t :.: I.,., ."%' Probabilistic
.,. . . ., . ,
Authors: . . . ' :: . NRC . . .,
Title: .. . .,.; ; Nrcraft Crash Probahllities
' . .. .
Reference t
.!+; ,";. Nuclear 8afety. -. Vol. 17. No. 3. Mag-June 1975
Brief Ikscription:,+
Ihe preaent article is taken from the NRC Rerctur Safety Study and
eumarizes the procedure followed by the Regulatory Staff in assessing
aircraft risk and also tabulatea crash probabilitiec. Such inf3rmation
is necereary for an aircraft hazards analysis as descr:'nd in the NRC
ulatory Staff h a compiled data on aircraft mvementa and
calculatd crarh probabilities as a function of distmce from an
airport and orientation wlth respect to runway flight paths. Ihe
probabilities are computed per square mile8 per aircraft movement so
that the individual plant sites un be evaluated by determining the
plant vulnerable area, distance from the airport, and the number of
aircraft mvementr involved.
************
Offsite hr
flP. of lbd
Aircraft Crarh
Mek
Authora t
Mtlet
Mvay. 8. J. and Erd~nn. R. C.
, , . , < :
' . : ,- .: ~eactor Siting and DeaiBn from a Risk Viewpoint
Uefarence I . .: : . - Nuclear Dneineerine - - Ceeien - 13: 365 - 376 , August 1970
Briaf Rscriptionr
lhin paper proporas a mthod for the aaeessment of raactor aafety,
baed upon th. individu~l mortality risk, which rllowo (i) the
detaamination of mcesrary eite exclusion radii and (ii) the evaluetion
of aafoguarda in trru of the risk reduction provided. An application
to a 1000 PUll indicatea that for a uximua individual mortality
rink of lbpv year (at the site boundary) an exclusion radlu of 350
ie required, lor a denrely populated urben site the total risk ma
found to bo 0.003 death. over a 30-year reactor lifetin. Riak was
found to k not prrticularly sensitive to accident probabilitiea.

Dynamif ~srponre of kcfear'Power p1antWdue to
krthquake Ground Motion and Mrcraft Impact
2th MRT. paper No. K3/5, Son Rancieco, 4%.
n\ir papw prerentr e compariron between earthquake induced vibrrtions
end aircraft impact induced vibrations. he nuclear power plant has
been rimulated rr beam in finite element luthod. h e aircraft assumes
to impact th. primor). containment directly and horizontally near the
top of the atructure. he results of rtructural rerponae is
overertimated rince the local impact effect which will absorb much of
the energy has been ignored. Nmertheless, it ir rhovn that the
rerponre of the reactor plant due to the impact of the mulci role
combat aircraft (HRCA) at 215 mls on the primary containment structure
la small compared to the response due to a modest earthquake. By
contrert the mxlmum response to impact by the Boeing 707-320 at 103
m/r ir considerably more oneroua than the earthquake.
************
Offrite bzrr Combination
Author r
Probabilistic
Ravindra, M. K.
Title: bad Combinations for Natural and Man-made Hazardc in
-
Nuclear Structural Design
Reference:
Brief De8cription:
This paper outlines a methodology for deriving combinations of
rtatietically independent and dependent hazard events that may affect a
nuclear power plant by considering the uncertainties in hazard.
occurrence, intenrity, and duration.
Offrite ihrerdrt Aircraft Craah
Spa of tbdsl: Deterministic
Authorar . Rice. J. 9.. and Bahar. L. Y.
Brief Lbrcri
r a procedure by which reinforced concrcte atructurer
(rlabr and ahella) u y be derigned to retain the required rtructural
integrity after an&rcreft impact. ?ha reaction-time relationship for
a deformable aircraft impacting on a rigid wall is devaloped. The
result# indicated that the reaction load ir rignificantly leer (40
percent) than that predicted by other modelr. The renritivity of the
reaction lord to,the uncertainty in the crurhing rtrength of the

aircraft fraac is examined and it was found that this parameter is not
important. 'Ihe dynamic effects of the structural systems were examined
using the method of Biggs.
-
**********
. rcraft Crash
~
~ype of i(ode1r : ; . hterministic
, , ,..
Authors:
,,... '., I,.!:.. Schalk. M. and Wb'lful. H.
;, ..,:'.'
Title: , , . . Response of l3pipment in Nuclear Power Plants to
, ' . Airplane Crash
," . ,~ ,?:.
Reference: Nuclear Engineering and Dcsign 38 (1976) 567-582
Brief Ocscription of Modeling Effort:
This paper deals vith airplane induced vibrations of the whole building
which cause loadings for secondary aystem (equipment). Floor response
spectra due to airplane crash are studied for two different power plant
buildings. The influence of various parameters such as time history of
excitation, direction and location of impact mathematical wdel, soil,
damping, etc. are discussed. A comparison with the results of
earthquake loading is also given.
Brief Descri
Aircraft Crash
Deterministic
Schmidt, R., Heckhausen. 8. Chen, C..
Rieck, P. J., and Lemons, G. L.
Structural Design for Aircraft Impact Loading
International Seminar on Extreme Load Conditions and
Limit Analysis Procedurer for Structural Reactor
feguards and Containment Structures, Berlin,
ptember 1975. 3 494-514
-
ntom RP-4d fighter (weight-20 tons metric) impacting
perpendicularly midway along a soft shell-hardcora structure at 215
m/s. Thiapaper defines the important structural features that wuld
allw soft-shell to sustain the aircraft impact without damaging
hardcora. . : 'Iha analytical wdel used here is a simple spring-oass
rystee: , TI& tarulta indicated that the kinetic enarm of the aircraft
has ban effectively attenuated using 1/2 meter thick walls.,
Offsite Harm ircrsft Crash
lype of Mode obsbilistic
Author: lridge, J. C.
Title: PvobsLilities of Mrcraft Crrshes at Rocky Flats
and Sobrequcnt Radioactive Release
Refcrenc~r Rockwell Internstional. TID-4500-R65, April 1977
Brief Dcscriptionr
The probability of A mall airplane from Jefferson County Nrport
(Jeffco) or Staplrton Internstional Airport crashing into a lutonium
araa at tha Rocky Flats Plant h ~ been s cslculated at 1.4 x lo-' and 4.2
x 10' par 7ear. respectivel~. The probability of such a crash

112
invo airplane from Jeffco or Stapleton la 3.5 x and
1.1 ar, rerpectively. Overall, the chance of an aircraft
of any rize, or any type, and from nnl source crarhing into a plutonium
area at Rocky Plats is 2.88 x 10- per year. An event tree uae
developed -to cover every plausible aeriea of eventr leadine to a
releare of plutonium in the range of 0 to 1000 graqr. Selected results
ahow an annual ele ease probability of 3.9 x ' for leas than 0.5
5.8 i 10- for 50 to 70 gram 1.6 x 10-dO~or 200 grams. and 6.4
:?lB tor 200 graor, and 6.4 n lo-" for 1000 gra r. Calculations led
to a reighted average release mount of 3.7 x lo-' grams of plutonium
per year. Becaure of conaervative aormptions, it la eatimatcd that
there probrbilitier are high by a factor of about two for aoall
aircraft and 10 for large aircraft.
'Ihie atudy conmirtr of three part.. Mrrt, the probaqility of an
aircraft crashing into a building containing plutonium la cooputed.
Secondly, the damage that arch a crash mlght cause la ertioated. Ihe
third part ir an aseesroent of the amount of plutonium that could
escape arrming the damage described were to occur
Several categories of aircraft, a11 havin~ different probabilltios of
crashing, are considered. Construction of the variour buildings
containing plutonium is taken into considrratlon sr is tha amount and
tom of plutoniuo that might be eubject to releare. Reaulta of the
study are eulmurized in probability tablea and graph# that show
different amount# of plutonium verrua the probabilities of those
amounta being released. Incorporated in there probabilities are the
three principal typea of uncertaintier previous;y mentioned; namely,
the probability of l crash, the probability of certain damage if a
crash occur*, and the probability of a certalr! sire of ralease if the
damage occurrr
************
Offrite kzardrt Aircraft Crash
Type of Pbdclt Probabllirtic
Authors: Solown, K. A.
Title: Analyrir of Cround Hltardr h e to Aircraft. and
kiaailea
hfetence t tlrarbrevention Journal, Vol 12, M 4, HerchlApril
1976
Brief Dsrcriptia:
Ih. ptrporo of thin generic rtudy la to develop and to apply a
generalizd methodology which approxioator both the best ertimate and
pesrlmietic probabllitier that an aircraft or a miraile will impact the
definod target area of an indumtrial, comrcial or residential
fecllity* To krt demOn#trat@ the application of thir methodology, the
ptob.bllit7 impact for a hypothetical facility and crrumed air activity
are emtiut,dr
Coordi~tee
of a proporad facility are parametrically relected relative
to fixod, rrruud locations of (a) Victor airuaya, (b) general aviation
elrportr, (c) air urrler airportr, (d) military inatallationa, and (0)
other arear of air ectivity ruch ae crop durtiw flalds. Ihe
probability that an aircraft or riarile rill impact the tarnet area 10

113
idual probabilities that an aircraft or a missile
icular source wlll impact the subject area. h e
probability of

Offmite Harar Aircraft Crsmh
Probabilietic
Solomon, K. A.,
Okrent, D.
Erdmann, R. C., Hicks, T. E.,
Airplane haah Risks to Ground Population
Reference:
Brief Dcscriptiont
UCU-Eng-7424, March 1974
Analysis of ~ tnal i aircraft accident atatiatica yielded an average
value of 4 x lov8 am the probability, per square mile, per operation.
of a crash vithin a five mile radius of Los Angeler International
Airport (LAX) and Hollywood-Burbank Airport. Taking into accoun
annual 4r traffic at each nmults in average valuea of 1.6 x 1O-'
the
and
4 x 10- for the probabilitleo, per square mile, per year, of a crash
averaged over the five mile radial region for LAX
Burbank, respectively.
and Hollyvood-
Using there crash probabilitiem and considering both rerident and
tranmient populationr, estimates of expected annual mortalitlee were
0.8 fatalities per year. per 80 square milem around U X and 0.5
fatalitier per year, per 80 square miles around Hollywood-Burbank
Airport, (thim 80 aquare mile region corresponds to about a 5 mlle
radius around the airport).
?he study identified nine sitre in the vicinity of UX a t which large
numberr of people are frequently brought together. Uaximm occupancies
varied from several hundred to many thousandr of persons.
Probabilitiem of accidental aircraft pact while o cupied, per year,
per tsrgst mite, varied from 1.6 x 10-'to 3.5 YC lo-'. lhree of these
sites were large mportm facilities. Analymis for OM of them,
Hollyvood Park Race Track, is prraented later in detail rince its
period of ~raateat occupancy corraaponds with the tiw of maximm crash
probabilitiem (80% of air craahes occur during daylight hourr). ?he
pro ability of an aircraft impact on the facility i m estimated as 6.6 x
10') per year. lhm probability that auch an accident will occur while
the facility ie occupied is emtimated a8 1.3 x per year. he
probability that such an accident pll occur while the facility is
occupied la emtisated as 1.3 x 10' . Maximum mortalities, based on
capacity occupancy of 50,000 people and a hypothetical impact by one of
the largert aircraft in aervics, la estimated am 32,000 peopla; this is
a much lowr probability event than the 'average craah". It is
eatinated that the evarsge craah durlng occupancy would result in
5.000-6.000 mottalitier.
hrenty-five eften of frequent high occupancy in the vicinity of
Hollywood-Burbank Airport wra identified and inveati~ated. H.ximun
occupancies vary from 450 to 5000 perron Probablli iea of impact
while rite ir occupied vary from 2.8 x 10-"to 4.0 x lo-' per year, per
target aita.
lhe valuer derived are, of course, aubject to an element of
uncertainty. Asruming a Gaussian Distribution of aircraft cramh
probabilitier, the 90% confidence bounds are crudely entimates as t20X
of tho atated valuer.
*I**********

'Ihir paper giver a rrm~ry of extreme load derign criteria vlthin any
national jurirdiction as applied to nuclear power plant design.
Extreme loadr are defined a8 thore loadr having probability of
occurence lerr than 1 0
and where oceurence could reoult in
radiological conrequencer in excerr of thore permitted by national
health mtandrrdr. The specific loah conridered include earthquake,
tornado, airplane crarh, exploaion.
Of frite IUsardr:
h ~ of e %de1:
~ithorr
Title:
Combination
Survev -
- *
Stevenron, J. D.
Survey of Rtreme bad Design bgulatcry Agency
Licensin Requirements for Nuclear Power Plants
Reference: -i-%
Nuc ear hgineering - - and Darign - 37 (i976) 3 - 22
Brief D.rcriptfont '
%is paper prerentr the remultr of a rurvey made of national atomic
energy regulatory agencier and major nuclear rtem supply design
agencies, vhich requerted a runnary of currmt licen~ing criteria
arrociated with earthquake, tornado, flood, aircraft crarh. and
accident (pipe break) loadr applicable vithin the various rhational
jurirdictionr. Alro prerented are a number of comparironr of
differancar in national regulatory crireria.
************
No evaluationr are ude.
ircraft Crarh
and hmvi, 3.
noor Rerponre Bpectrk
hrign 64 (1981) 33-38
cmputatio~l rcheme for nonlinear floor reapoar*
ingle degrw of
ad to tho cam
eactorAuxfliar
Ih* r*rulta 1
reduction factor# arm higher then tho
*******#,****

Aircraft Crash
Probrbiliatic
116
Title? Probabilistic haeaaoent of Riak for Reactor teaign
and Sitin
Reference l'ranaacti~na American Nuclear &cirtv 121 169. 1969
liner a wthod of forul aaaernent of rink, thereby
ational approach to safety deaign and aiting of power
unt and allocation of investment mong engineered
erly ertimated by (1) a probabilistic aasearment of
e.g., earthquaker, mechanical failure. operrtor
th (2) a raliability amlymln of the whols reactor
aymtem leadin8 to complementary cu.ulative probability denaity
function of fiaaion product releaae, and (3) an aaaeraaent of the
probability density function of damage given any radioactive release.
h e latter aspect dependa upon the rite meteorology and local
demogmphyr
************
Alrcrrft Craah
Probabilimtic
Wall. 1. 8.
~0b;billatic haesament of Mrcraft Rink ,for Nuclear
Pover Plant l
Nuclear Safety, IS()): 276-284, Hay-June, 1914
h e dik to^ the public from an aircraft rtriking a nuclear power plant
ha8 ken evaluated in r quantified manner. Aircraft accident d~ta have
ken analyzed to eatimte the probability of an aircraft driklng a
typicalnuclear power plant at aites adjacent to and re~otet~frca an
airportri-i: In the event that an aircraft atrikea a building, thi re~ion
of impact'ir generally reatrictd to a local component. Tvo!modea of
misnificrnt damae are delineatedr (1) perforation and (5) local
collaparr Uethoda have been developed to estimate th. cobditional
probabllitier of ruch atructural damage given an aiccr
probability valctea calculated for a repreaentatlve atr
riak to the public (probability va. radioactive-releaa
be eatluted from a cleaaification of critical aafety
their atructural protection and the likely releaae
evmt ' of . their damage. All foreaee~ble relara
inrignificant offrite doam or, for moat miter, are asa
low probabilftiea. A brief rva1wf:an ahom that fire upon
not a aignlficant incrwent of rirk. Cwpariaon of there
rocirlly acceptable riak 1eve1a mhom that reactor ait
or away from a bury air corridor
potantial rltea need individual era
row caaaa ening of the rtructure my k ~cearary. , ,
*********.*.

111
Offrite Rarardr craft Crash
-pa of nodal! terminlatic
Authors! hlf, J. P., Bicher. K. U., and SLrikerud, P.E.
fitle: Response of Equiplent to Aircraft Impact
Reference! Nuclear bgineering and Design 47 (1978) 169-193
Brief bacriptlonr
Ihia paper dircuraes the state-of-the-art of the developent of
equivalent forcrtlm relationships for aircraft impact, the results of
the no-called illera mdel and of a luoped-maas model are compared for
rigid and deforublr targela. A typicel ieaponm spectrm ahowa that
the airplane crarh lr dominant in the high-frequency range when
capared to the effect of an SSd. It alm examined the effect of the
aircraft-structure interaction, of the material nonlinearity, of the
dupiw ard of the mare distribution on the response of equipment.
Off aite B.carda ! Aircraft Craah
'Type of Ptdel:
Authorr:
K&terminiatic
Wolf, J. P. and Wrikend, P. C.
Title: -9. of Chimney buaed by hrthquake or by
~ircrdrt hpingerent ulth Sbaequent Inpact on Reactor
Reference : %%?hglneerlng and Lkaign 51 (1979) 453-672
Brief Description:
T b paper presented r mmrical analysis of typical chimney stack of a
nuclear power plant rubjected to earthquake and impact loads.
Convected coordinate finite element method. uere used. Force-time
curves of tlw aircraft impinging on the chimney were derived. The
subsequent impact of the chimney on the rerctor bullding la alao
studied.
Off alte B.rerda: Aircraft Crash
Type of Models: Drtermini8tic
Author*: Zcrna, W., Schnellanbach. C.. and Stangenberg. F.
Title:
Reference:
Brief Dsscription:
Ihin pper deals vith the development concerning the reinforcement of
nuclear powr plant structures for protection against aircraft
impact. lainforcementa with high-tensile bars, wlth tensile cablea,
and vith rteel fibera in connection with cables are considered. Steel
fikre and cablea aeem to enable new design for aircraft-impact
rtsistent atructurer.

Offrite Wzarda: Aircraft Crash
Vpe of Pbdel: Deterministic
Author.: Zimereann, TH.. Rebora. B. and Rodrituez. C.
Mrcraft &pact- on Reiniorc;d ~oncrete-~heils:
Influence of Material Nonlinearitism on Pquip~ent
Reference:
Brief Description:
Response Spectra
Computer. and Structures 13, pp 263-274, 1981
The paper lnvemt1patem the effect. of material non-lineartiee on
equipoent reaponre spectra fcr the impact of a being 707-320 on the
secondary containnent of a BWR reactor. A finite element rode1 taking
into account concrete cracking and cruahing and ateel yielding is ueed
for the analysis. The reoulta indicated that no reduction of the
responmo spectra due to material non-linearity in the impact zone.
Hovever, coopariaon of the aon-linear verrus linear displacement timehiatareies
ahow a significant increase in the vertical displacement in
the inpact zone, which fades out rapidly away from the inpact point.

Internal:
E. S. Beckjord
C. E. Till
R. A. Valentin
R. Avery
R. S. Zeno
C. S. Roaenberg
P. R. Huebotter
R. E. Rowland
W. J. Hallett
External :
Distribution for NUReCfCR-2859 (ANL-CT-81-32)
C. A. Kot (23)
H. C. Lin (2)
J. B. van Erp (2)
M. Weber
ANL Patent Dept.
ANL Coritract File
ANL Libraries (2)
TIS Files (3)
USNRC, for distribution per RE and XA (230)
DOE-TIC (2)
Manager, Chicago Operations Office. DOE
President, Argonne Universities Association
Components Technolugy Division Review Comnltcee:
A. A. Blahop. Univezrlry of Pittlburgh. Pittsburgh, Pa. 15261
F. W. Buckman, Consumers Pwrr Co., 1945 Parnall Rd., Jackson, Mich. 49201
R. Cohen, F'urdue University, West Lnfayetce, Ind. 47907
R. A. Greenkorn, hrdue University, West Lafayette, Ind. 47907
W. M. Jacobi. Westingl:ouae Electric Corp., P. 0. Box 355. Pittsburgh,
Pa. 15230
E. E. Ungar, Bolt Beranek and Newman Inc., 50 Moulton St., Cambrid~c,
baa. 02138
.I. Weisman, UniveraiLy of Cincinnati. Cincinnati. 0. 45221
T. V. Eichler, ATResearch Aaaociatea, Inc., 94 Main St., Glen Ellyn,
Ill. 60411 (3)
A. H. Wiedermann, ATResearch Asnociatea, Inc., 94 Main St., Glen Ellyn,

Relav Chatter and
Opefator Response After
a Large Earthquake
An Improved PRA Methodology With Case Studies:
Manuscript Completed: Junr 1987
Dae Published: Auguat 1967
Propared by
A. J. Budnitz. H. E. Lambert, E. E. Hill
Futurr Rnourcw Aasociatss, Inc.
Berkeley, CA 94704
Prepared for
Division of Reactor Accldent Analysis
Offico of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission
Washington, DC 20666
NRC FIN Dl668

ABSTRACT
The purpose of this project has been to develop and demonstrate improve-
ments in the PRA methodology used for analyzing earthquake-induced acci-
dents at nuclear power reactors. Specifically. the project addresses methodo-
logical weaknesses in the PRA systems analysis used for studying post-
earthquake relay chatter and for quantifying human response under high
stress. An improved PRA methodology for relay-chatter analysis is developed.
and its use is demonstrated through analysis of the Zion-1 and LaSalle-2
reactors as case studies. This demonstation analysis is intended tp show that
the methodology can be applied in actual cases. and the numerical values of
core-damage frequency arc not realistic. The analysis relies on SSMRP-based
methodologies and data bases. For both Zion-l and LaSalle-2, assuming that
loss of offsite power (LOSP) occurs after a large earthquake and that there
are no operator recovery actions, the analysis finds very many combinations
(Boolean minimal cut sets) involving chatter of three or four relays and/or
pressure switch contacts. The analysis finds that the number of min-cut-set
combinations is so large that there is a very high likelihood (of the order of
unity) that at least one combination will occur after earthquake-caused LOSP.
This conclusion depends in detail on the fragility curves and response
assumptions used for chatter. Core-damage frequencies are calculated. but
they are probably pessimistic because assuming zero credit for operator
recovery is pessimistic. The project has also developed an improved PRA
methodology for quantifying operator error under high-stress conditions such
as after a large earthquake. Single-operator and multiple-operator error rates
are developed, and a case study involving an 8-step procedure (establishing
Iced-and-bleed in a PWR after an earthquake-initiated accident) is used to
demonstrate the methodology. High-stress error rates are found to be
significanlly larger than those for no stress, but smaller than found using
methodologies developed by earlier investigators.

TABLE OF CONTENTS
1.0 INTRODUCTION AND BACKGROUND
1.1 Project Scopc
1.2 Background of the Projcct
. , . 1.3 Earlier Studies
1.4 Applicability of thc Projcct Rcsults
1.5 Format of This Report
2.0 RELAY AND CONTACT CIIATTER: INTRODUCTION AND METHODOLOG\
2.1 General Approach
2.2 Previous Work
2.3 Scope of the Analysis Prcsentcd Hcrc
2.4 Assumptions Made in Gcncrating the Accidcnt Scqucnccs
2 5 Computational Approach
2.6 Fragility Values for the Chattcr and LOSP Failurc Modes
2.7 Earthquakc Hazard Curvcs for thc Zion and LaSalle Sites
3.0 DETAILS OF THE LIMITED-SCOPE SEISMIC PRA FOR ZION-I
3.1 Zion Electric Powcr Systcm
3.2 Failurc Modc Analysis for Chattcring
3.3 Core-Damage Scqucnccs for Zion-1
3.4 Gcncration of Min Cut Scts
3.5 Probabilistic Rcsulti
3.6 Sensitivity Studics
3.7 Operator Rccovcry Actions at Zion-1
4.0 DETAILS OF THE LIMITED-SCOPE SEISMIC PRA FOR LASALLE-2
4.1 Systcms Analysis
4.2 Failure Modc Analysis for Chattcring
4.3 LaSallc-2 Corc Damage Scqucncc
4.4 Generation of Min Cut Scts
4.5 Probabilistic Rcsults
4.6 Scnsitivity Studies
4.7 Operator Rccovcry Actions at LaSallc-2
/II
/I

, .
5.0 HUMAN RELIABILITY ANALYSIS UNDER HIGH-STRESS CONDlTlONS
5.1 Introduction
5.2 Our Original Approach to the Problem
5.3 Development oT a Model for Generating HEPs for High Stress
Conditions
5.4 Results of Applying the Methodology
5.5 Conclusions and lnsights
6.0 SUMMARY OF MAJOR TECHNICAL INSIGHTS
6.1 Introduction
6.2 Plant-Specific Insights for Zion-I: Vulnerabilities From Relay
Chatter
6.3 Plant-Specific Insights Tor LaSalle-2: Vulnerabilities From
Relay and Contact Charter
6.4 Generic Insights: Analyzing Seismic Vulnerabilities From Relay
and Contact Chatter
'6.5 Generic Insights: Analyzing Human Reliability Under High-
Stress Conditions
,
7.0 RESEARCH NEEDS EMERGING FROM THIS PROJECT
8.0 ACKNOWLEDGEMENTS
9.0 REFERENCES
APPENDIX A: Description of the X-Y Circuit Breaker Scheme for 4-kV
Switchgear
APPENDIX B: Human Reliability Analysis Under High-Stress Conditions:
Additional Figurcs and Tables
APPENDIX C: Accident Sequence Fault Trees for Zion-l
APPENDIX D: Accident Sequcncc Fault Trees Tor LaSalle-2
AI'PENDIX E: Sargent & Lundy Standard STD-EC-115, "Device Function
Numbers and Lcttcrs as Used on Sargent & Lundy's
Electrical Drawings", version of 9 January 1981
'I

, .
1.1 Project Scope
SECTION I
INTRODUCTION AND BACKGROUND
The scope of this project has been a study of the following two issues:
'
o a detailed examination of the effect of earthquake-inilialed
chattering of relays and pressure switch contacts at two rcactor
plants: Zion-l and LaSalle-2; this work has involved developing
an improvcd PRA methodology for describing earthquake-induced
relay chattering, contact closing and opening. circuit-breaker
tripping, and related electrical and control circuit behavior.
I
5
o developing an improvcd PRA-based methodology for describing
how rcactor operators respond under high-stress post-earthquake
conditions, and applying this new methodology to a realistic case
study example.
The relay-chatter and circuit-breaker study has used two specific rcactor
facilities as case studies, the and LaSalle-Z reactor stations owned and
operated by Commonwealth Edison Company. Zion-I is a Westinghouse PWR
and LaSalle-2 is a General Electric BWR. Each has a twin unit on the same
site.
The high-stress operator-response study has used a typical and gcncric post-
earthquake operator-response problem --- thc need to establish feed-and-bleed
heat removal following loss of both normal and auxiliary fcedwpter to the
steam generators in a PWR --- as a case study. (Originally, the projcct had
planned to perform a detailed task analysis of this and other procedures for
the Zion-I station, but the gcncric fccd-and-blccd study was pcrformed
instead due to inaccessibility to the Zion-l control room or its simulator.)
For the part of the project dealing with earthquake-induced chattering of
relays and pressure switches, the following questions. 2oscd .in laymen's terms,
capture the objectives of the projcct:

Given an carthquakc large enough to cause both loss-of-offsi,tc
power and chattcring of relays and prcssure switch contacts, and
assuming no operator rccovcry actions, are there any combina-
tions of relays and prcssurc switch contacts whose chattering, if
they were to occur. could lead to a core-damage accident ?
If so, what are these combinations of relays and prcssure
switches. and how many combinations arc there ?
What is the calculated overall corc-damage frequency from this
type of earthquakc-initiated accidcnt, assuming no operator
recovery ?
What is the effect on core-damage frcqucncy of changcs in the
assumed fragility curves of relay chatter and pressure switch
chatter, such as increasing the median capacity and/or dccrcasing
the standard dcviaticn ?
What arc the types and sizes of the unccrtaintics in this annly-
sis? 'i
!
For the part of the projcct dealing with earthquakc-induced high strqss for
the opcrators. the following questions. in laymen's terms, capture the objec-
tives of the projcct:
I. Under very high-strcss (life-threatening) situations such as would
occur after a major carthquakc. what is the probability of human
crror, and how docs it depend on factors such as the number of
opcrators prcscnt?
2. What is the probability of crror in cxecuting an actual proccdure
(in our case study, an 8-btcp procedure to establish feed-an+
blccd). and how docs it depend on stress lcvcl?
1.2 Background of the Project
The idea for this projcct originated during the review of thc state-of-thc-art
of PKA that was pcrformcd in early 1983 as part of NRC's "PRA Reference
Document", report NUREG-1050 (Ref. NRC. 1984). 7 he Principal Investigator
on this projcct, R. J. Budnitz, was one of thc team of NUREG-1050 authors.
and carricd out the NUREG-I050 rcvlcw of cxlcrnal initiators. During this
rcview. he became aware of certain specific weaknesses in the statc-of-thc-
art of seismic PRA.
1-2

These weaknesses were the subject of a proposal to NRC in the spring of
1983 for a 'Phase I projcct" under the auspices of NRC's "Small Business
Innovation Research Program". The proposal was successful, and a 6-month
scoping study of these issues in 1983-1984 produced a report (Ref. Budnitz
and Lambert, 1984) that idcntiricd and analyzed thc following weaknesses in
thc mcthodology of scismic PRA:
seismic PRA methodology inadequately trcats electrical and control
system failures, such as earthquake-induced problems with circuit
breakel .s. relays, and relntcd cquipmcnt; I
seismic PRA mcthodology inadcquatcly treats the possibility that
operator performance aftcr a large earthquake may be degraded due to
higher than normal post-accidcnt strcs-
seismic PRA mcthodology inadcquatcly treats the issue of how railurcs
of equipment located inside a structure arc affected by thc failure of
the structure itself; spccirically. the usual assumption in past PRAs
has bccn that structural failure of a building automatically implies
failure or all equipment within.
The idcnrification of thesc thrcc mcthodological weaknesses in seismic PRA
Icd to the current projcct, which is a "Phase II project" under NRC's SBlR
Program. In the current projcct, bcgun in the fall of 1984, we have,.examined
!he first two or the thrcc wc..kncsscs cited just above. Although there have
bccn mcthodological advances in the intervening pcriod, the weaknesses
cxamincd here still cxist in currcnt scismic PRAs.
1.3 Enrllcr Studlcs
1.3.1rlicr Work on Re-
Other papers and research reports have idcntilicd various methpdological
wcnknerscs in seismic PRA mcthodology. An example is the rcview of seismic
PRA occomplishcd ns part of NRC's "seismic margins program" (Re!. Budnitz
ct nl.. 1986), which identified various inadequacies, and focussed atpntion on
rclay chattering and circuit-breaker tripping. Similar findings wer9 reported
by Dudnitz (Ref. Dudnitz, 1984) in his article reviewing the staterof-the-art
hascd on the NUREG.1050 work. Conclusions along thcse same lines have
bccn published in rcvicw papers under F.PRI sponsorship by i~avindra,
Kcnncdy. and their collaborators (Kcf. Ravindr~. 1984; Knvindra. 1989).
I
,I
I j

Relay chatter was not treated at all in the three important early utility-
sponsored full-scope seismic PRAs, the Zion PRA (Ref. ZPSS, 1981). the
Indian Point PRA (Ref. IPPSS. 1983). and the Limerick PRA (Ref. Limerick.
1981; Limerick. 1983). and of these thrce only the Limerick PRA made an
effort to treat high-stress operator errors under earthquake conditions as a
separate issue. The NRC-sponsored "Seismic Safety Margins Research
Program" (SSMRP) at Lawrence Livermore National Laboratory produced a
series of reports on PRA methodology that tried to cover the relay fragility
topic in a preliminary way (Ref. SSMRP. 1981). and the SSMRP study of the
Zion reactor (Rcf. SSMRP, 1983) provided additional insights, but the assump-
tion was made that relay chatter was always recoverable (which is equivalent
to omitting its treatment entirely in the analysis). More recently,
uncertainties in our understanding of the fragilitics of relays and similar
devicts have been pointed out by the industry-sponsored SQUC effort
(unpublished) and the NRC-sponsored work at LLNL (Ref. Holmar) et al., 1986)
and Brookhaven National Laboratory (Ref. Bandyopadhyay ct al.. 1986;
Hofmaycr el a).. 1986).
Ovcr the last five years, a large number of plant-specific seismic PRAs have
becn done, most of which have treated the key issues of this prpject in only
a cursory way, In the last two years, three ongoing proje~ts have all
identified these same methodological issues. These are the NRC-sponsored
KMlEP project studyinp, the LaSallc station, the NRC-sponsored se;ismic-margin
trial review o'f Maine Yankee, and the EPR1-sponsored seismic mugin review
or Catawba. None of these three projects has been complete$ as of the
writing of this rcport.
Although much effort is underway to develop and use , seismic-PRA
methodology, until this project there has not been any systematic,,and detailed
published examination, in the context of a -, of the
extent to which relay-chatter, breaker-trip, and related problems could affect
the ahility of a nuclear plant to shut down safely after a very large earth-
quakc. Our work on this project is reported in Sections 2. 3, and 4 of this
report.
Although this analysis is more realistic than carlier siesmic PRAi the authors
acknowledge that its realism is limited in some key areas. most importantly
hccnuse the information used about fragilitics is ncncric anQ because a
realistic analysis has not been done or how operator recovery actions could
nlitigntc the accident sequences iflentificd.
:t
, .
, ,

On the issue of human high-stress response. there have been a few attempts
to provide a PRA-type methodology for describing how operators might
respond under high-stress conditions. The most well-known of these is the
work of Swain as part of WASH-1400, which led later to the very important
and influential report by Swain and Guttmann (Ref. Swain and Guttmann,
1983). Swain's work served almost as a "bible" for PRA human-factors
analysts for many years. More recent studies by Bell and Swain (Ref. Bell.
1983). Hall et al. (Ref. Hall, 1982.). and Hannaman and Spurgin (Ref.
Hannaman. 1984) have examined the high-stress issue further.
However. the work reported in Section 5 of this report seems to be the first
attempt at a specific examination of how operators might respond under h.igk
conditions.
1.4 Appllcrblllty of the Project Results
By a conscious decision, the project's work has focussed in great detail on
only a few specific technical issues. Later in this report (Section 6). the
authors will discuss the extent to which the project's conclusions can bc
applied more generically. As a preview and summary of that discpssion, it is
useful to state here the authors' belief that the specific conclusions arc
probably not universally applicable, but that the methodologies developed and
demonstrated surely of wider applicability. as arc the broader lessons
learned.
It is important to note that this study has placcd cmphasis on the detail of
the operation of circuit brcakcrs, motor-operated valves, and signal actuation
systems and the effect of relay and pressure switch chatter on these systems
and components. Past seismic PRAs havc typically given this matter only
cursory treatment, if any. Literally thousands of circuits and drawings were
analyzed for Zion-l and LaSalle-2 to gcneratc the fault trees presented hew.
Due to the complexity of the problem, we do not claim that wc havc included
all possible fnilurc modes caused by chattering.

6.1 lntroductlon
SECTION 6
SUhlhlARY OF hlAJOR TECHNICAL INSIGHTS
A number of technical insights have resulted from the research reporte,d here.
Some of these are quite gcncral. and probably apply broadly to nuclea< power
reactors as a class. A few of them are very plant-specific. and althouhh they
apply to Zion-l or LaSalle-2, their applicability to any other particular plant
is unknown.
The insights will be presented separately for the relay-chatter part "of the
projcct* and the human-error-under-high-stress part of the project.
I:J~ the part of the project dealing with earthquake-induced chattering of
,plays and pressure switches, the following questions. posed in laymen'~.tcrms.
v

chatter. such as increasing the median capacity and/or dccrcasing
the standard deviation ?
5. What are the types and sizes of the uncertainties in this analy.
sir?
For the part of the project dcaling with earthquakc-induced high stress for
the opcrators, the following questions. in laymen's terms, capture the objec-
tives or the project:
I. Under very high-stress (lifc-thrcatcning) situations such as would
occur after a major earthquakc, what is the probability of human
error, and how docs it depend on factors such as the number of
I
opcrators present?
2. What is the probability of error in cxccutlng an actual procc$ure
(in our case study. an &step proccdurc to establish fced-and-
bleed), and how docs it depend on strcss level?
6.2 Plant-speclflc inslghts for Zion-1: Vulnerabllltles from Relay Chatter
I) Our analysis has identified two different groups of accident scqhnces at
Zion-I, both following earthquake-induced loss of offsite AC power and taking
no credit for operator recovery. One accident sequence group invo~v:~s failure
of component cooling watcr or of service watcr, eithcr of which, produces
both a reactor-coolant-pump-scal LOCA and failure of high-pressure~injection
pumps. The other accident scqucncc group comprises various electricallyinduccd
transient sequences involving failure of scrvicc water; this leads to
ovcrhcnting of the dicscl generators, loss of onsite AC power, and c.onscqucnt
failure of auxiliary fecdwatcr and inability to perform primary hcii rcmoval
using fccd-and-bleed.
2) Thc electrical distribution problems at Zion-l leading to both of thesc
sequcncc groups are similar: cnrthquakc-induced loss of oflsitc power (LOSP).
swing dicsel alignment to one or thc other of thc two unlts, and state chang-
cs in varlous circuit breakers or load sequencers due to chatter. ,However,
the specific combinations of failures (nlin cut scts) arc extremely plant-
spccific to Zion-l in minute detail.
3) The number of relays and pressure switchcs involved in these sequences is
not large: only 94 rclnys wcrc idcntificd. (No important prcssurc switch
contacts wcrc idcntificd for Zion-I, although for LaSallc-2 some of these
6-2

were found to be important). These relays are all in electrical equipment
identified in detail in Section 3 of this report. We believe that finding and
analyzing them is entirely feasible uslng the methods that we havc developed
and applied here.
4) For the pump-seal-LOCA sequence group, the analysis finds gvcr 27.00Q
min cut scts of order 5 (LOSP. swing diesel alignment to othcr unit. 3 rclay
chatters) and Qver 17.00Q of order 6 (LOSP, swing diesel, 4 rclay chatters).
5) For the transient group involving failures of service water pumps. rn
min cut sets of order 6 are identified (LOSP, swing diesel, 4 relay
chatters).
6) The number of min cut scts is so large that, given an earthquake strong
enough to cause LOSP, the probability that at least one of these cut scts will . .
occur is close to 100% wmina 1 hat the r u l e r with the f r a w
v . This is true for both of
the rcsponse cases analyzed. the predicted-response case as well as the pcakrcsponse
case (see Section 3.5) Therefore, in the absence of operator
recovery, the value of the computed core-damage frequency, given LOSP and
chattering, is approximatcly equal to the recurrence frequency of {he earthquake
strong enough to cause LOSP. Thus the calculational problem is
reduced approximately to a convolution of the hazard curvc and the LOSP
frngility curvc.
7) Using SSMRP-derived generic fragility values for chattering of relays, and
site-specific carthquake hazard information from the SSMRP study of Zion
(Ref. SSMRP, 1983). the analysis calculates a best-estimate value (point valuc)
or core-damage frcquency from these sequences of about 9 x IQA-.
For reasons cited next. this numhcr is not to be taken as correct at face
valuc, since several assumptions havc been made in this analysis. :!
8) Our analysis takes no credit for opcrator recovery. As mcntiined, this
assumption is pessimistic. In actual fact, manual reset of all circuia. breakers
nt Zion-l is possible from the individual motor control centers, and many of
them can be rcsct from the control room. Furthermore, a modification that
is now in process at Zion for othcr purposes will further improve recoverability
for at least one group of potential sequences by moving certain remotely
located controls to the control room. Operator action must be acqpmplished
cr~cctivcly, of course, for which there may not be assurance immcdiaply after
I #
a large carthquake that could induce high stress in the operators.
9) Our fragility curvc for rclay chatter, taken from the SSMRP data base, is
&. and the great width of the fragility curve (in technical terms, the
large "beta" value) is necessary to cover the wide range of individual
j,I '

fragilities of specific relay types. Also. relays have different fragilities
depending on whether or not they are energized, and whether they are open
or closed, none of which is captured spccirically in the gencric fragility curve
we use. While we do not have a more appropriate set of fragility curves to
use in our analysis. and thcrclore cannot tell for sure what the "correct"
fragility curves would be. our judgment is that the fragility curvc used is
probably quite conservative. Furthermore. the analysis assumes full indepen-
dclwe of the fragilitics and full correlation in the responses of the relays in
the cut sets. Whether this is corrcct is not known. Our sensitivity studies
reveal that the numerical values or min cut set frequencies are sensitive to
the values of the response function width ("beta value').
10) Our sensitivity studies for Zion-l show that changes in the fragility
curve parameters for relay chatter do not have a major effect on the
numerical core-damage frequcncics calculated. Neither decreasing the "beta"
(width) of the curvc, ndr approximately doubling the "median" fragility value,
causes much change. Modirying both parameters together only changes the
calculated core-dama~e frequency by a modest factor (about a factor of 4,
which we judge not to be signiricant in light of other uncertainties).
II) Our analysis assumes that no pipe-break or other LOCA is caused
directly hy the earthquake. If a pipe break or other LOCA were to be
directly caused, its analysis would require a separate detailed study of
chatter-caused electrical problems. similar in scope but dilfereqt in detail
from the an~lysis performed hcrc.
12) We believe that, on balance. the core-damage frequency ~alc~ulated hcrc
is pessimistic (that is. too large). However. it is very difficult to estimate
how pessimistic, or how big is the numerical uncertainty, so we will not do
so here. The conscrvatisrns arise mainly from the following two sources:
o Operator recovery is pessimistically assumed never to occur (see ncxt
comment).
o The fragility values used in this analysis arc generic aqd probably
conservative valucs.

6.3 Plant-spccllic lnslghts for LaSalle-2: Vulnerabllltles from Relay and
Contact Chatter
I) Our analysis has identified accident sequences involving carthquake-in-
duced failures, after loss of offsite power, in the following key systems at
LaSallc-2: the electrical power distribution system, the automatic deprcssuri-
zation system (ADS), and the reactor core isolation cooling (RCIC) system.
The group of accident scqucnccs identified involves (i) the failure or inadc-
quacy of all coolant makeup systems. due to RClC steam supply failure or
inadvertent opening of ADS safety relief valves causing a medium-sized LOCA;
and (ii) failures of both high-pressure and low-pressure heat-removal systems
after loss of all AC power.
, .,,,
2) The electrical distribution problems leading to these sequences are similar
for all sequences: earthquake-induced loss of offsite power (LOSP); swing
diesel alignment to the other unit; and state changes in various breakers and
prcssure switch contacts due to chatter. Howcvcr, the specific combinations
of failures (min cut sets) arc extremely plant-specific to LaSalle-2 in minute
detail.
3) Only a small number of relays and pressure switches are involved in these
sequences: only 22 relays and 18 pressure switch contacts were identified
whose chattering is involved in thcsc vulnerabilities. These relays and
switchcs arc all in electrical equipment identified in detail in Section 4 of
this report. We believe that finding and analyzing them is entirely feasible
using the methods that we have developed and applied here. (Indeed.
dctcrmining thcir spccific fragility functions should even be feasible.)
4) For the group of sequences identified, the analysis finds &ut 40Q min
cut scrs of order 5 (LOSP, swing diesel al~gnment to other unit. 3 relay or
prcssvrc switch chatters). and about 6eQeP of order 6 (LOSP, swing, diesel, 4
chatters of relays and/or prcssure swltchcs).
5) The number of min cut scts found at LaSalle-2 is so large that, given an
carthquake strong enough to cause LOSP, the probability that at least one of
these cut sets will occur is very high. For the peak-response case (see
Section 4.5). this probability is cswntially 100% BSSumioR that the r u
. .
tcr with the frfunctionr and rcsooms behavior we havs
m. For the predicted-response case. the probability is about 30 %.
meaning that in the absence of operator recovery, the value of the computed
core-damage frequency. given LOSP and chattering. is approximately 1/3 of
the recurrence frequency of the earthquake strong enough to cause LOSP
6) Using SSMRP-derived generic fragility values for chattering of relays and
prcssure switchcs. and silt-spccific carthquake hazard information from the

m.
SSMRP study of LaSalle-2 (Ref. Wells. 1986). the analysis calculates a best-
estimate value (point value) of core-damage frequency from these sequences
of about zalpsm. For reasons cited next, this number is not to be
taken as correct at face value, since several assumptions have been made in
this analysis.
7) No credit is taken for operator recovery. This assumption is pessimistic.
At LaSalle-2, a seal-ins can be recovered by switches in the control room,
except diesel lock-out relay seal-ins which must be reset in the diesel room.
If the operators can reset the RClC breakers first, then several hours are
available to get the diesels started; if RClC is not reset or cannot be reset.
the diesels must he available within about 80 minut:s to avoid a core-damage
accident.
8) Our fragility curves for relay and pressure switch chatter, taken from the
SSMRP data base. are ncncrif. and the great widths of the fragility curves
(in technical terms, the large "beta" values) are necessary to cover the wide
range of individual fragilities of specific relay and switch typo. Also, relays
have different fragilities depending on whether or not they are energized, and
whether they are open or closed, none of which is captured specifically in
the generic fragility curve we use. While we do not have a more appropriate
sct of fragility curves to use in our analysis, and therefore cannpt tell for
sure what the 'correct" fragility curves would be, our judgment is that the
fragility curves used are probably quite mrvativc Furthgrmore, the
analysis assumes full independence of the fragilities and full correlation in the
responses of the relays and switches in the cut sets. Whether this is correct
is not known. Our sensitivity studies reveal that the numerical values of min
cut set frequencies are sensitive to the values of the response funplion width
("beta value").
9) Our sensitivity studies for LaSalle-2 show that changes in the fragility
curve parnmcters for relay chatter and pressure-switch chatter can in some
cases have a 0 on the numerical core-damage frequencies calculated.
Increasing the "median" fragility values. while keeping the widths
("betas") large at 1.5, causes a decrease in core-damage frequency of about
two orders of magnitude. Decreasing the "betas" of the fragility curves from
1.5 to 0.4, with medians kept constant, causes a much larger change: coredamage
frequency is calculated to decrease by several orders of magnitude.
10) Our analysis assumes that no pipe break or othcr LOCA is caused
directly by the earthquake. If a pipe break or othcr LOCA were to occur. its
analysis would require a separate detailed study of chatter-caused electrical
problems, similar in scope but different in detail from the analysis performed
here.

11) We believe that, on balance, the core-damage frequency calculated here
is pessimistic (that is, too large). However, as is true for the Zion-1 analysis
it is very difficult to estimate how pessimistic, or how big is the numerical
uncertainty. so we will not do so here. The conservatisms arise mainly from
the following two sources, which are identical to those identified for Zion-I:
o Operator recovery is pessimistically assumed never to occur (see next
comment).
o The fragility values used in this analysis are generic and probably
' conservative values derived from the SSMRY. !
I!
$
, 6.4 Cencrlc Insights: Analyzing Sclsmlc Vulnerabllltlcs from Relay and
Contact Chatter
I) Given our several assumptions in this analysis, at both Zion-l an La$alle-
2, the number of min cut sets identified is very large --- so large that,for
each reactor the likelihood of having at least one cut set occur, given an
earthquake large enough to cause LOSP, is a number close to unity (at hion-
I. about 100% likelihood; at LaSalle-2. about 30% likelihood). This meaqs. if
true. that in the absence of operator recovery the frequency of a core-
damage accident would be within small factors of the frequency of an
earthquake large enough to cause LOSP.
2) The most important -1- . .
is that it is to analyze
the potential vulnerability of a specific plant to the type of earthquqke-
induccd relay and contact chatter studied in this project. The analysis,re-
quires delving into the &j& or the electrical and control circuitry involved
in the AC power distribution system. Major uncertainties in the analysis
derive from inadequate information about relay-specific fragility curves for
the chatter modes, from ignorance about how independent or correlated are
the fragilities and the responses, and from uncertainties about whether OK not
operator action can erfcctively recover from any electrical problems that
occur. (One example of a specific detail of the kind referred to is given in
the next paragraph).
3) Our analysis found distinct differences between the Zion-l and LaSalle-2
plants. which dirferences scem ~1 to be related to the fact that Zion is a
PNR and LaSalle a RWR --- but rather due to idiosyncracies in the design of
1

their electrical circuitry. The example of the control circuits to the diesel
generators will demonstrate this point. At Zion-I, the device that senses
DG-IA differential current, 487DGIA/SA-I [M-18 on Figure 3.91, is a solid-
state device that docs not exhibit failure modes due to relay chattering.
Thus there are no chatter-related failures that can cause lockout relay 486-
DGIA to energize. At LaSnlle-2, there are numerous interposing relays that
could seal in and energize the lockout relay 86DG (for diesel generators DG-0
and DG-2A) and lockout relays KI and KIS (for diesel DG-2B). Energized
lockout relays cause circuit breakers to trip open and also prevent reclosure.
unless reset (which is generally accomplished at the local cabinet remote frum
the control room).
4) Another methodological insight is that this analysis could not have been
performed if fault trees generated lor an ordinary PRA had been u$ed and
. . modified. We believe that it is necessary to develop socclallzcd fault trees
for this type of analysis, which cannot be accomplished without close
interaction between analysts and the utility. General event-trees and faulttrees
that include U seismic failure modes could be intractable to evaluate
either qualitatively and/or quantitatively, because of their large size. Also,
we believe that it is important to perform bounding studies before eliminating
min cut sets by their probability, because a large number of min cut sets may
be risk-significant even if the individual cut-set probabilities are small.
. .
. . ...
5) If core-damage frequency is the appropriate figure-of-merit, the most
important
earthis
that ~
. . .
~ C I v ul- ~
rclav and -.
I C
That is,
based on the research reported here, it is not possible to rule out such
vulnerabilities with high confidence at either Zion-l or LaSalle-2.
The rationale for this major insight is based on four points, as follows:
i) First, the analysis identifies very many potential accident,
sequences (represented by 'cut sets' or Boolean combinations of
components) that without operator recovery could lead to core-:
damage accidents. if the r w
and w t s
were to c-,
following loss of offsite power. Given the assumptions we,
used, for both Zion-l and LaSalle-2, many cut sets (literally.
tens of thousands) involve four different relays or contact$.
chattering, and at LaSallc-2 a very large number of cut sets
involve only three. We believe that there will probably be
large numbers of such cut sets at other plants.
ii) Second, there is rather large uncertainty in the actual
fragilities of relays and pressure-switch contacts lor chatter.
We believe that the fragility values we have used are probably
.,

conservative but we are not certain of this at Zion and
LaSalle, and of course we have no knowledge about the
fragilitics of comparable relays and contacts at other plants.
iii) Third, there is uncertainty because we do not know
whether correlations in capacity or response are high or low.
We have done this analysis using zero correlation for the
capacities and full correlation for the responses. but we do not
know what is the correct correlation to use.
iv) Fourth, we cannot accept for the argument that 8
,,. . ~.$,. chatter-caused electrical problems are recoverable by operator:'
. . action at Zion-l and LaSalle-2, even though arguments in favor
of rtcovery are plausible. This issue depends in detail on the
conli~urations of the breakers, on the location of reset
controls, and on the operators' ability to diagnose the problem,
which last issue is aggravated by potentially high stress. A
detailed task analysis would be necessary to determine whether . ,
recoverability can be accomplished with high assurance. I
four &nts. in our iu- -m rav for sure
2 are imoortant. Furt-
e l i c v e thp*$
6) We believe it likely that every US. plant will have important idiosyncracics
in its behavior under earthquake-induced relay and contact chatter. This
is based on our analysis of Zion-1's and LaSalle-2's electrical and control
circuitry for the AC power systems, in which we found that the plant:specific
features at the two plants are very different from each other: the designs
are characterized by miDYtE. design details that affect their behaviqr under
I
relay and contact chatter.
7) Operator recovery Trom the chatter sequences we have examined requires
resetting circuit breakers either in the control room or at their local
cabinets. Our assumption of no operator recovery is surely pessimiptic, but
we cannot judge what would be a better analytical approach without perform-
ing a detailed task analysis Tor the recovery tasks.
t
'I

-Type- NUREG/*NUREG REPORTS
STAT/'CONTMCTED REPORT - RTA,Q!JICK LOOK,ETC. (PERIODIC
'?/TEXT-PROCUREMENT & CONTRACTS
-Keyterms- CASES
znaTi:Qi;nKEs
METHOUOLOGIES
OPERATORS
PRA
PROBAl3TLISTIC RISK ANALYSIS
RELAYS
STUDIES
-AuthlAffil- EECFC'TW/@EWTURE RESOURCES ASSOCIATES, INC.
-Author2- LAMBERT ii E
BILL t: E
-Aut?.2Affil- ZECFUTIV./FFUTURE RESOURCES ASSOCIATES, INC.
EECFI;T:XA/iaEWTURE RESOURCES ASSOCIATES, INC.