ML13134A466
| ML13134A466 | |
| Person / Time | |
|---|---|
| Site: | Peach Bottom, Sequoyah, Surry  |
| Issue date: | 05/14/2013 |
| From: | Azarm M, Demoss G, Gitnick T, Herrick S, Marks C, Sullivan R Information Systems Labs, Innovative Engineering & Safety Solutions, NRC/RES/DRA/PRB |
| To: | |
| Herrick Sandra 301-251-7607 | |
| References | |
| Download: ML13134A466 (11) | |
Text
ANS PSA 2013 International Topical Meeting on Probabilistic Safety Assessment and Analysis Columbia, SC, September 22-26, 2013, on CD-ROM, American Nuclear Society, LaGrange Park, IL (2013)
RISK INFORMING EMERGENCY PREPAREDNESS OVERSIGHT:
EVALUATION OF EMERGENCY ACTION LEVELS A PILOT STUDY OF PEACH BOTTOM, SURRY AND SEQUOYAH M.A. Azarm Innovative Engineering and Safety Solutions (IESS), LLC 702 Russell Avenue, Suite 410 Gaithersburg, MD, 20877 mazarm@iesscorp.com Sandra Herrick, Randy Sullivan, Gary DeMoss, U.S. Nuclear Regulatory Commission sandra.herrick@nrc.gov Terry Gitnick, and Clifford Marks Information System Laboratory (ISL), Inc.
11140 Rockville Pike, Suite 650 Rockville, MD 20852 terryg@islinc.com ABSTRACT This study examines the use of probabilistic risk assessment (PRA) to evaluate the conditional risk of selected emergency action level (EAL) scenarios. It is the first effort by the NRC to apply PRA methodology to the Emergency Preparedness (EP) research. An analogous process to that used by the NRCs Accident Sequence Precursor (ASP) Program to evaluate operational events is applied to analyze selected EAL scenarios. Peach Bottom, Surry and Sequoyah are the pilot plants selected for this study.
They represent boiling water reactors (BWRs) with a Mark I containment, pressurized water reactors (PWRs) with a large dry containment, and PWRs with an ice condenser. Threshold conditions in the EAL scenarios, stated in the plant-specific EP documents, are mapped into the Peach Bottom, Surry and Sequoyah Standardized Plant Analysis Risk (SPAR) models. The use of SPAR models was limited to the internal event portion of the Level-1 PRA. The Conditional Core Damage Probability (CCDP) is used as a risk metric to evaluate each EAL scenario. The insights from this study can be used to enhance future risk informed EP regulatory activities.
Authors note that CCDP is not truly equivalent to (Nuclear Power Plant) NPP risk. NPP risk is conventionally defined by the product of the probability of an accident and its consequences. These consequences involve onsite and offsite releases. However, CCDP is a reasonable surrogate for risk in this EAL study, since it measures the probability of a core damage accident.
The results of this study indicate that the EAL schemes derived without the benefit of risk tools are generally consistent with the resulting risk information, i.e. risk increases as the Emergency Classification (EC) severity increases. These inconsistencies are identified for further consideration. The risk insights from this report may be applied to improve the current NRC approved EAL schemes. Nevertheless, it is important to note that regulatory decisions for EP are complex and should not be made solely considering CCDP values, but should be substantiated by deterministic approaches along with the PRA insights.
Azarm, Herrick, Sullivan, et al.
Page 2 of 11 Key Words: Risk-informed, Probabilistic Risk Assessment, Emergency Planning, Emergency Preparedness, Risk-informed decision making, Emergency Action Levels, Emergency Classifications, Nuclear Power Plant Risk, NPP risk, Accident Sequence, Accident Scenario 1
INTRODUCTION The existing EC levels in which EALs are classified are established by the NRC according to (1) their relative radiological seriousness, and (2) the time-sensitive onsite and offsite radiological EP actions necessary to respond to such conditions. In ascending order of severity, these ECs are defined in NRC Bulletin 2005-02 as:
Notification of Unusual Event (NOUE): Events, which indicate a potential degradation of the level of safety of the plant, or indicate a security threat to facility protection, are in progress or have occurred. No release of radioactive material requiring offsite response or monitoring is expected unless further degradation of safety systems occurs.
Alert: Events, which involve an actual or potential substantial degradation of the level of safety of the plant, or a security event that involves probable life threatening risk to site personnel or damage to the site equipment because of intentional malicious dedicated efforts of a hostile act, are in progress or have occurred. Any releases are expected to be limited to a small fraction of the exposure level limits set forth by the EPAs Protective Action Guidelines.
Site Area Emergency (SAE): Events that are in progress, or have occurred involve:
- i. Actual or likely major failures of plant functions needed to protect the public ii. Security events that result in intentional damage or malicious acts:
(a) toward site personnel or equipment that could lead to the likely failure, or (b) prevent effective access to equipment needed to protect the public.
Apart from the site boundary, none of the releases are expected to exceed the exposure level limits set forth by the EPAs Protective Action Guidelines.
General Emergency (GE): Events, which involve actual or imminent substantial core degradation, or melting with a potential for loss of containment integrity, or security events that result in an actual loss of physical control of the facility, are in progress or have occurred. Releases can be reasonably expected to exceed the exposure level limits set forth by the EPAs Protective Action Guidelines for more than the immediate site area.
This study performed a risk assessment of a number of EALs using available tools from NRCs Office of RES. This work is part of a broader effort to more fully risk inform NRCs oversight on EP of nuclear plants. Detailed technical documentation of this study can be found in NUREG/CR-7154.
1.1 Study Objectives and Scope The objective of this study is to demonstrate how PRA results can be used to provide risk insights to support regulatory activities in EP. This study evaluates the risk implications of the
Risk Informing Emergency Preparedness Oversight: Evaluation of Emergency Action Levels Page 3 of 11 selected EAL scenarios using plant-specific PRA models and generates the results in the form of a surrogate risk metric: Conditional Core Damage Probability (CCDP). The CCDP results and insights of this study can be used as a part of risk-informing considerations to modify current EAL schemes. However, there are some EALs that cannot be addressed by CCDP alone. The threshold conditions of some EALs may generate low CCDPs, although the EALs may be appropriate considering other factors beyond those modeled in current PRAs. This is particularly relevant to the lower ECsNOUE and Alert. The regulatory decision making for EP is a complex process and should consider information from deterministic approaches along with the PRA insights with adequate consideration of uncertainties.
Peach Bottom, Surry and Sequoyah are the three pilot plants selected for this study. The selected EALs for each of these three pilot plants along with the nomenclature used in NEI 01 (revision 5, shown as V5) are shown in Table 1.
Table 1. Emergency Action Levels Selected for Risk Evaluation EC Initial Conditions Stated in NEI 99-00, V5 NEI 99-01 V5 Peach Bottom EAL Surry EAL Sequoyah EAL NOUE Loss of all offsite AC power to emergency buses for 15 minutes or longer.
SU1 MU1 SU1.1 SU1 NOUE Unplanned loss of safety system annunciation or indication in the control room for 15 minutes or longer.
SU3 MU6 SU4.1 SU3 NOUE RCS leakage. Op. modes: power operation, startup, hot standby, hot shutdown SU5 MU7 SU6.1 SU5 NOUE Release of toxic, corrosive, asphyxiant or flammable gases deemed detrimental to normal operation of the plant.
HU3 HU7 HU3.1 HU3 Alert AC power capability to emergency busses reduced to a single power source for 15 minutes or longer such that any additional single failure would result in station blackout.
SA5 MA1 SA1.1 SA5 Alert Automatic scram (trip) fails to shut down the reactor and the manual actions taken from the reactor control console are successful in shutting down the reactor.
SA2 MA3 SA2.1 SA2
Azarm, Herrick, Sullivan, et al.
Page 4 of 11 Table 1. Emergency Action Levels Selected for Risk Evaluation EC Initial Conditions Stated in NEI 99-00, V5 NEI 99-01 V5 Peach Bottom EAL Surry EAL Sequoyah EAL Alert Unplanned loss of safety system annunciation or indication in control room with either (1) a significant transient in progress or (2) compensatory indicators are unavailable.
SA4 MA6 SA4.1 SA4 Alert Access to a VITALAREA is prohibited due to toxic, corrosive, asphyxiant or flammable gases, which jeopardize operation of operable equipment required to maintain safe operations, or safely shutdown the reactor.
HA3 HA7 HA3.1 HA3 SAE Loss of all offsite and all onsite AC power to emergency busses.
SS1 MS1 SS1.1 SS1 SAE Automatic scram (trip) fails to shut down the reactor and manual actions taken from the reactor control console are not successful in shutting down the reactor.
SS2 MS3 SS2.1 SS2 SAE Loss of all vital DC power for 15 minutes or longer.
SS3 MS4 SS1.2 SS3 SAE Complete loss of heat removal capability (NEI Revision 4 only; has been deleted in Revision 5)
SS41 MS5 n/a n/a SAE Inability to monitor a significant transient in progress.
SS6 MS6 SS4.1 SS6 GE Prolonged loss of all offsite and all onsite AC power to emergency busses.
SG1 MG1 SG1.1 SG1 1 This EAL is listed in NEI 99-00, Revision 4, but it is eliminated in NEI 99-00, Revision 5. Peach Bottom EALs refer to NEI 99-00, Revision 4; Surry EALs refer to NEI 99-00, Revision 5; while Sequoyah EALs refer to NEI 99-00, Revision 4.
Therefore, Surry and Sequoyah EALs do not have an SS4-equivalent scenario.
Risk Informing Emergency Preparedness Oversight: Evaluation of Emergency Action Levels Page 5 of 11 Table 1. Emergency Action Levels Selected for Risk Evaluation EC Initial Conditions Stated in NEI 99-00, V5 NEI 99-01 V5 Peach Bottom EAL Surry EAL Sequoyah EAL GE Automatic scram (trip) and all manual actions fail to shut down the reactor and indication of an extreme challenge to the ability to cool the core exists.
SG2 MG3 SG2.1 SG2 2
TECHNICAL APPROACH A process that is analogous to that used by the NRCs Accident Sequence Program (ASP) to evaluate operational events is applied to analyze selected EAL scenarios. The PRAs model two types of hazardsinternal and external hazards. Internal hazards (internal events) are caused by system malfunctions precipitated by hardware failures, or human errors within the plant.
Examples of internal events include general transients, Loss of Offsite Power (LOOP), Loss of Main Feed water (LOMFW), and Small Loss of Coolant Accidents (SLOCA). External hazards (external events) include fires, floods, seismic, high wind, and other man-made hazards such as explosions and aircraft impact. The focus of this study is on internal events.
The following general steps are used to analyze the EAL conditions:
Step 1:
Gathering of available scenario information Step 2:
Mapping of the incident context into the SPAR model (scenario development)
Step 3:
Use of the PRA to determine scenario-specific risk measure In Step 1, the analysts study the EAL threshold conditions to decide how the EAL scenario is defined. This generally involves defining a partial scenario consistent with the EAL threshold condition.
Plant specific features, the EAL technical basis information, and the PRA models are consulted in Step 2 to specifically identify the changes to PRA input and models that are necessary to simulate the EAL threshold condition. The changes made in PRA input included the selection of suitable IE, and setting it to the correct value, the applicable BEs representing equipment failures, setting modified human error probabilities and recovery actions, and modifying the Common Cause Failure models as necessary. In some cases PRA models, i.e.
Fault trees and event trees, were modified by adding one or more basic events including addition of a potential recovery branch point. In this study, the SAPHIRE software (System Analysis Program for Hands on Integrated Reliability Evaluations), Version 8.0.7.13 along with the plant-specific SPAR (Standardized Plant Analysis Risk) models is used to perform CCDP calculations.
Step 3 computed PRA results for each EAL scenario, and developed insights based on the PRA quantitative results. It included 3 sub-steps as briefly summarized below:
Azarm, Herrick, Sullivan, et al.
Page 6 of 11 Analysts first performed PRA evaluations and obtained the CCDP for each EAL scenario and its major contributors.
The estimated CCDP was compared with the presumed CCDP ranges for different EC. These ranges serve as a screening tool for this EAL study to identify outliers. It is important to note that they cannot be used as acceptance criteria for regulatory purposes, nor do they address any safety requirements.(see Section 3 and Figure 2).
Analysts then examined if the CCDP is within the presumed range. If the result was found to be outside the established range, EAL was considered as an outlier that requires further review. The analysts examined the dominant sequences and the cutsets of each EAL scenario to gain insights on the underlying plant specific reason for the outliers.
This study identified the sources of uncertainties, qualitatively characterized their importance, and performed a limited number of sensitivity case runs. This study identified three areas where uncertainties can affect the validity of the conclusions. These are:
- 1.
Uncertainties associated with the quantitative results from the PRA model,
- 2.
Uncertainties associated with the process of translating the EAL conditions into PRA input, and
- 3.
Uncertainties in the binning process, which include the uncertainties associated with the EAL threshold range, and the decision on whether or not the estimated CCDP is within the range.
3 QUANTITATIVE RESULTS Figure 1 shows the CCDPs for all the EAL scenarios analyzed. They are arranged by the severity of their ECsgreen labels indicate the NOUE EAL results; yellow labels indicate the Alert EAL results; orange labels indicate the SAE EAL results; red labels indicate the GE EAL results. There are labels for each point. These labels correspond to the EAL threshold definitions shown earlier in table 1. Figure-2 shows the graphical results for the CCDP range based on the results obtained for the three plants evaluated in this study. The CCDP ranges for the EAL thresholds show consistent trend; i.e. higher the CCDP, higher the EAL threshold classification.
A suitable CCDP range was proposed for each of the EC based on the clustering of the CCDP points shown in Figure 2. This proposed CCDP range referred to as presumed CCDP ranges for different EC are:
NOUEbelow 1 x 10-5; Alertbetween 1 x 10-5 and 1 x 10-3; SAEbetween 1 x 10-3 and 1 x 10-1; GEbetween 1 x 10-1 and 1.
Risk Informing Emergency Preparedness Oversight: Evaluation of Emergency Action Levels Page 7 of 11 Figure 1. CCDP for all EAL scenarios
Azarm, Herrick, Sullivan, et al.
Page 8 of 11 Figure 2. CCDP Range for each EC for Surry, Sequoyah, and Peach Bottom 4
CONCLUSIONS The results show general consistency between ECs and CCDP valuesa higher EC corresponds to a higher risk as estimated by the associated CCDPs. Although the CCDPs of most EALs with the same EC reside within the presumed CCDP range, there are outliers among the three plants.
Some unique plant features were identified as the main reason for the discrepancies between the CCDP results for Sequoyah and Surry. The major differences that significantly impacted the CCDP results were the existence of shared systems between units at the same site (e.g. electrical systems, service water system, and other support systems), and the presence or lack thereof, a manually aligned redundant or diverse system train.
In addition to plant specific differences impacting the CCDP associated with EALs belonging to the same EC, outliers were identified for (1) potential modification to the EALs or (2) re-rank of their EC. These outliers can be grouped into one of the following categories:
One Source Away from Station Black Out (SBO)
Loss of All Vital DC Power Total Loss of all AC and DC (note that this scenario is currently not in any plant-specific EAL, but it is important for EP)
Loss of Annunciation and/or Indication Successful and Effective Manual Scram (Trip)
Toxic Gas Effects 1.E-11 1.E-10 1.E-09 1.E-08 1.E-07 1.E-06 1.E-05 1.E-04 1.E-03 1.E-02 1.E-01 1.E+00 PBOT NOUE Surry NOUE SEQH NOUE PBOT Alert Surry Alert SEQH Alert PBOT SAE Surry SAE SEQH SAE PBOT GE Surry GE SEQH GE CCDP CCDP Ranges for all ECs
Risk Informing Emergency Preparedness Oversight: Evaluation of Emergency Action Levels Page 9 of 11 The following summarizes the findings associated with each of the above issues.
One Source Away from Station Black Out (SBO)
Depending on plant-specific features, a single emergency power source (i.e., one EDG) may not be sufficient to bring the plant to a stable shutdown at any of the units in a multiple-unit site in response to a prolonged loss of offsite power. Furthermore, many plants may be equipped with an alternate AC power source (AAC), which could be a black start DG, an offsite hydro unit, or an AC source provided by gas turbines. The alignment and loading of the AAC power source is, in some cases, manual. Therefore, it takes some time to utilize the AAC source. If AAC is credited as a part of definition of one source away from SBO, the delay time associated with the manual alignment and loading should be examined. A concise clarification of the definition of one source away from SBO on a plant specific basis is necessary.
Loss of All Vital DC Power Loss of all vital DC power is generally modeled conservatively and in a stylized manner in PRAs. The current simple, but conservative PRA modeling techniques appear to be generic. This issue can benefit from additional plant-specific risk evaluations, more detail PRA models for loss of DC initiator, and development of the required recovery models.
Total Loss of all AC and DC There is no existing EAL that describes the condition of a total loss of AC and DC. It is generally concluded that prolonged loss of AC and resulting loss of DC could eventually end up with the core damage. The time of core damage and containment failure depends on plant-specific features. Therefore, the total loss of all AC and DC should be classified as a GE.
Loss of Annunciation and/or Indication Loss of majority of control room annunciators and/or indicators during plant operation or post transients is covered under several EALs. This study shows that the loss of annunciators and the loss of indicators are not equivalent events considering the resultant CCDPs. The loss of annunciators is expected not to cause any major difficulty in the control room operator's ability to recover from a transient, as long as the control room indicators remain operable.
The EAL threshold conditions do not specify the relative importance of the loss of different types of annunciators or indicators, even though they require different operator diagnosis and recovery actions. As different types of operator actions have various HEPs, the CCDP associated with the loss of different types of annunciators or indicators is different. Also, Technical Specifications state different requirements for different losses of instrumental signals. The loss of some important signals requires initiating hot shutdown within one hour, while the loss of lesser important signals allows time for repair before initiating hot shutdown. Therefore, a more precise definition of this EAL, in specific loss of 75% of safety-related annunciators or indicators, would improve the PRA evaluations of these EALs.
There is a possibility that the loss of annunciators or indicators condition is caused by the loss of an electrical bus. However, the operators generally rely on the annunciators and/or indicators to monitor loss-of-bus or under-voltage conditions. If there is a loss of annunciators or indicators, the operator may not be able to diagnose the loss-of-bus condition. The analysts recommend the loss of a single bus condition be addressed in the EAL threshold conditions.
Azarm, Herrick, Sullivan, et al.
Page 10 of 11 Successful and Effective Manual Scram (Trip)
Manual scram of the reactor, after a failure of automatic scram, has the EC of an Alert.
Failure of auto scram, in general, is a risk-significant event and would require post-incident examination to ensure that the underlying causes are identified and future occurrences are eliminated. However, for this EAL scenario, which assumes that timely and effective manual scram has terminated the adverse impact of the failure of auto scram, the expected risk is considered to be low for both PWRs and BWRs. This is an example that other considerations beyond the risk informed information based on CCDP, can help to better define EAL threshold.
Toxic Gas Effects EALs categorize the release of toxic, corrosive, asphyxiant, or flammable gases into the categories of NOUE and Alert. For NOUE, the normal operations of the plant may be affected.
For Alert, not only the normal operations, but also the safe shut down operations may be affected due to the potential that toxic gas is released into a plants vital area. There are many examples that can fall into toxic gas EALs. Release of toxic gas would hinder operator actions with various levels of severity.
Alerts have also been declared by numerous NPPs due to the spurious actuation of fire suppression systems that use halon or CO2 in a protected area. Spurious actuations are defined as the scenarios in which the suppressant is discharged when there is no fire in the area. In addition to spurious discharges during test and maintenance, halon could also be spuriously discharged due to seismic events, thermal effects of steam leak, random component failures, or maintenance mishaps. Spurious actuations are not expected to have any impact on plant systems and components. However, the affected areas must be evacuated and no personnel can be allowed to enter until the halon is completely purged. Past occurrences of spurious halon actuations, due to test or maintenance by plant staff, have lasted an average of two hours.
For an Alert due to release of toxic gas, the plant-specific risk analysis showed that the estimated CCP falls significantly below the expected result range of other Alert EAL scenarios, and below the NOUE presumed range as well. A total of nine analyses were performed -- three cases for the three pilot plants. These cases were selected since they are the most likely rooms where spurious halon actuations could occur. The three cases were: toxic gas in an EDG room, in a switchgear room, and in all protected areas such that no local manual actions could be performed. In all these cases, the control room is assumed to be unaffected by this event, as the abandonment of the control room is covered under a different EAL. A total duration of eight hours was considered for these evaluations, which is conservative since past operational events have shown that most spurious actuations of halon were recovered within two hours.
Overall, this study is to this study shows PRA results can be used to provide useful risk insights to support regulatory activities in EP. Additional work would be needed to establish the depth and breadth of analysis required to support any license changes or other regulatory activities. The CCDP results and insights of this study can be used as part of risk-informing considerations to modify current EAL schemes.
Risk Informing Emergency Preparedness Oversight: Evaluation of Emergency Action Levels Page 11 of 11 5
REFERENCES
- 1. NUREG/CR-7154, Risk Informing Emergency Preparedness Oversight: Evaluation of Emergency Action LevelsA Pilot Study of Peach Bottom, Surry and Sequoyah, Vol. 1 (Main Report, Appendices A and B) and Vo. 2 (Appendices C - F), January 2013.
- 2. NUREG-0654/FEMA-REP-1, Revision 1, Criteria for Preparation and Evaluation of Radiological Emergency Response Plans and Preparedness in Support of Nuclear Power Plants, Nuclear Regulatory Commission, November 1980.
- 3. NEI 99-01, Methodology for Development of Emergency Action Levels, Nuclear Energy Institute,
- a. Revision 4, January 2003;
- b. Revision 5, February 2008.
- 4. Regulatory Guide 1.101, Emergency Planning and Preparedness for Nuclear Power Reactors, Revision 5, Nuclear Regulatory Commission, June, 2005.
- 5. NUMARC/NESP-007, Methodology for Development of Emergency Action Levels, Revision 2, Nuclear Management and Resources Council, Inc., January 1992.
- 6. Inspection Manual Chapter (IMC) 0609, Significance Determination Process, Nuclear Regulatory Commission, June, 2011.
- 7. NUREG/CR-6952, Systems Analysis Programs for Hands-on Integrated Reliability Evaluations (SAPHIRE), Volumes 1-7, March 2011.
- 8. Exelon Nuclear, Radiological Emergency Plan for Peach Bottom Station, EP-AA-1007, Exelon Nuclear Standardized Radiological Emergency Plan, Revision 20, March 2010.
- 9. NUREG/CR-6883, The SPAR-H Human Reliability Analysis Method, Nuclear Regulatory Commission, August 2005.
- 10. NUREG-1855, Guidance on the treatment of uncertainties associated with PRA in risk-informed decision making, Volumes. 1, 2 and 3, Nuclear Regulatory Commission, March 2009.
- 11. NUREG-1953, Confirmatory Thermal-Hydraulic Analysis to Support Specific Success Criteria in the Standardized Plant Analysis Risk ModelsSurry and Peach Bottom, Nuclear Regulatory Commission, November 2010.