ML14314A421
| ML14314A421 | |
| Person / Time | |
|---|---|
| Site: | Robinson  |
| Issue date: | 10/08/1992 |
| From: | Mozafari B Office of Nuclear Reactor Regulation |
| To: | Adensam E Office of Nuclear Reactor Regulation |
| References | |
| GL-88-20, TAC-M74460, NUDOCS 9210150413 | |
| Download: ML14314A421 (20) | |
Text
1R 0
UNITED STATES C,
NUCLEAR REGULATORY COMMISSION o
WASHINGTON, D. C. 20555 October 8, 1992 Docket No. 50-261 MEMORANDUM:
Elinor G. Adensam, Director Project Directorate II-1 Division of Reactor Projects -
I/II FROM:
Brenda L. Mozafari, Project Manager Project Directorate II-1 Division of Reactor Projects -
I/II
SUBJECT:
SUMMARY
OF ROBINSON STEAM ELECTRIC PLANT, UNIT NO. 2, INDIVIDUAL PLANT EXAMINATION (TAC NO. M74460)
Carolina Power & Light Company (CP&L) submitted the Individual Plant Examination (IPE) report for H. B. Robinson Steam Electric Plant, Unit No. 2 (HBR2) on August 31, 1992, in accordance with Generic Letter (GL) 88-20. The IPE for HBR2 was completed using a plant-specific probabilistic risk assessment (PRA), consistent with the method in Section 4 of GL 88-20. The assessment of core damage frequency (CDF) of the PRA was accomplished using event trees and fault trees to model the potential accident sequences. The plant models were fully integrated (fault-tree linking method) and explicitly included all system dependencies.
The study indicates that the estimated CDF from internal events, including internal flooding, is 3.2 X 10 4 per year. When internal flooding is excluded, the estimated CDF is 2.5 X 10-4 per year. The licensee considers these results typical of other pressurized water reactors that have yet to incorporate improvements identified in the PRA process. The licensee stated that enhancements to current operating practices have already been initiated as a result of the study, and several other areas are being examined to determine if cost-beneficial improvements can be made.
The two dominant contributors to CDF identified early and discussed with the NRC in a meeting on February 27, 1992, were (1) a loss of cooling to the reactor coolant pump (RCP) seals leading to an RCP seal loss-of-coolant accident (LOCA), and, (2) a specific interfacing systems LOCA (ISLOCA) sequence. CP&L has since implemented a procedure change to provide alternate cooling for the charging pumps, thereby ensuring RCP seal cooling. In addition the licensee re-examined the methodology and failure data used to evaluate the ISLOCA sequence. Further analyses ascertained that system piping would remain intact under postulated conditions. Therefore, if the initiating event in the ISLOCA sequence occurred, the safety injection function would not be lost.
Current results indicate that CDF contributions are about equally divided among four accident sequence classifications. Approximately 80 percent of the total CDF is accounted for by the nine most frequent individual event tree 9210150413 921006 PDR ADOCK 05000261 P
October 8, 1992
-2 sequences. Thus, the licensee concludes that there is not a single dominating risk contributor or accident sequence for which additional actions are required; therefore, no significant vulnerabilities to severe accidents remain for HBR2.
A copy of the Executive Summary of the IPE is enclosed for your information.
ORIGINAL SIGNED BY:
Brenda L. Mozafari, Project Manager Project Directorate II-1 Division of Reactor Project Office of Nuclear Reactor Regulation
Enclosure:
Executive Summary DISTRIBUTION:
Docket File?
NRC PDR TMurley FMiraglia JPartlow SVarga GLainas BMozafari PAnderson EAdensam RHernan WRussell AThadani JRichardson JFlack, RES WRussell JRichardson AThadani CRossi BBoger FCongel WBeckner DWheeler OFC LA:
P DRPE D
21:DRPE NAME PAnde4 son<
Mozafari:dt EA esam DATE
/92
/61 /92 O /
192 FILENAME:
ROB.IPE
00
-2 sequences. Thus, the licensee concludes that there is not a single dominating risk contributor or accident sequence for which additional actions are required; therefore, no significant vulnerabilities to severe accidents remain for HBR2.
A copy of the Executive Summary of the IPE is enclosed for your information.
Brenda L. Mozafari, Project Manager Project Directorate II-1 Division of Reactor Project Office of Nuclear Reactor Regulation
Enclosure:
Executive Summary
ENCLOSURE 1 1.0 EXECUTIVE
SUMMARY
1.1 Background and Objectives This report was developed in response to the Nuclear Regulatory Commission's (NRC's) request for individual plant examinations (IPEs), as detailed in Generic Letter 88-20 issued in November of 1988 (Ref 1-1). Carolina Power and Light Company (CP&L) has fulfilled all objectives related to the generic letter for its H. B. Robinson Steam Electric Plant, Unit No. 2 (HBR2) through completion of a comprehensive level II probabilistic risk assessment (PRA) for the facility.
This document summarizes the methods and results of the PRA in a manner consistent with the submittal guidance provided in the generic letter and in NUREG-1335, Individual Plant Examination: Submittal Guidance (Ref 1-2).
The initial PRA work at CP&L was at the Brunswick Steam Electric Plant. Because of the usefulness and insights from this work, CP&L recognized the benefits of PRA and started a study of the HBR2 plant before the issuance of Generic Letter 88-20. The initial goals related to development of basic plant models and data were to develop an integrated tool from which insights into plant capabilities and potential weaknesses could be identified.
In addition the PRA was to be performed such that it could be used for addressing future operational, engineering, and licensing issues. There was also an intent to further develop in-house capabilities in PRA technology. Upon receipt of the generic letter, the goals of the effort were expanded to include those described in the generic letter. This principally involved two additions to the project scope: an evaluation of internal flooding and a level 2 analysis of accident progression, containment performance, and potential for radionuclide release.
The information provided in this submittal is backed by extensive PRA documentation.
The organization of the documentation is designed to support both the IPE and the continuing use of the PRA for future applications. The comprehensive documentation enables re-creation of the analysis and contains additional details that are not provided in this report.
CP&L's extensive involvement in the PRA and in the development of the tasks specific to the IPE submittal ensured that these PRA goals were achieved. Through self-initiated PRA efforts and the response to Generic Letter 88-20, CP&L has accomplished the goals established by the NRC (Ref 1-1):
- 1.
An appreciation of severe accident behavior from initiating event through the potential physical process of core damage and possible containment response;
- 2.
An understanding of the significant characteristics of the potential severe accident sequences that could occur, including the potential failures, involvement of the operations staff, the timing and the potential for recovery; 1-1
- 3.
A recognition of the quantitative aspects of the potential for severe accidents, including the most likely sequences and failure modes, and the sensitivity of the results to quantitative input; and
- 4.
A review of the results to understand incremental improvements that might be implemented to reduce the frequency or consequences of any significant sequences.
These goals, coupled with CP&L's motivations for developing and maintaining PRA capability, ensure that the potential benefits from the PRA technology can be successfully employed for assessing HBR2 issues, as a supplement to the other practices that ensure safe, reliable operation.
This executive summary provides a brief description of the study and its results. Section 2 of this report is a description of the overall scope of the PRA as well as the methods used in each task. The assessment of core damage frequency is detailed in Section 3, starting with a description of the models and data and concluding with a listing of the accident sequence frequencies. The evaluation of accident progression and containment response is then presented in Section 4 and provides the models and results for that part of the study. CP&L staff members participated extensively in all task areas and review of task products. The conduct of the study and the reviews to ensure quality are outlined in Section 5. The insights gained from performance of the PRA and the potential for safety enhancements are discussed in Section 6. Section 7 provides the summary and conclusions of this IPE evaluation.
1.2 Plant Familiarization The HBR2 Unit 2 nuclear plant is located near Hartsville, South Carolina, sharing the site with the Unit 1 fossil plant. The unit began commercial operation in 1971. The nuclear steam supply system (NSSS) is a three-loop Westinghouse design and is rated at 2300 megawatts thermal. The NSSS is enclosed by a large, dry, reinforced concrete, steel-lined containment Ebasco was the architect engineer and constructor.
The performance of a PRA requires detailed familiarity with the plant and its operation.
The CP&L project team started developing the knowledge base from the initiation of the project through use of and direct reference to plant documentation, and through extensive interaction with plant and engineering personnel familiar with aspects of HBR2 design and operation. This process was an important part of the initial PRA development, and was then rechecked through a complete reanalysis of all aspects of the PRA. In addition, the review process established by the PRA team ensured that all information used in the study was accurate and current to the study "freeze date" of March 1991. As described in Section 3, in a few cases plant modifications implemented after the freeze date were included to best represent the current plant status.
1-2
Plant walkdowns were an inherent activity associated with many of the tasks. The system equipment was examined and the manipulations of equipment were studied for important operational aspects.
The plant staff, including operators, engineers, and training instructors provided valuable insights during these on-site activities.
Section 2.4 describes in more detail the information assembly process for this project.
Additional measures taken to ensure that the analysis was based on current and correct information are discussed in Section 5.
1.3 Overall Methodology The individual plant examination for the HBR2 plant was completed using a plant specific, comprehensive risk assessment, consistent with the first approved method listed in Section 4 of Generic Letter 88-20. The PRA was performed using methods consistent with the technology in the PRA procedures guide (Ref 1-3) and PRAs of other facilities.
A synopsis of the methods used in the study is provided below. The specific analysis details and references to other reports discussing methods are provided later in Sections 3 and 4 of this submittal.
1.3.1 Core Damage Frequency Assessment The assessment of core damage frequency (the front-end task) of the PRA was completed using event trees and fault trees to model the potential accident sequences. The plant models were fully integrated (fault-tree linking method) and explicitly included all system dependencies.
The construction of the plant model began with an evaluation of potential initiating events that would require a plant trip or shutdown. A comprehensive inventory of initiating events was developed from information in previous studies, operating experience, and in depth consideration of HBR2-specific systems that could initiate a transient. Systems required to respond following a trip to ensure the plant is maintained in a safe stable state were identified. The potential accident sequences that could occur given an inadequate response to an initiating event were delineated in event trees. The event trees for this study generally described the possible successes and failures of safety functions, such as heat removal from the steam generators or reactor coolant system inventory control. The successful combinations of equipment performing these functions (success criteria) were derived from analysis of the HBR2 plant and through examination of studies on similar plants.
All success criteria were based on documented analysis.
The translation of successful functional response to the necessary systems performing those functions was carried out in fault tree logic, termed top logic in this study. The top logic calls out the specific system models which provide for the integrated plant model.
The system modeling was done using detailed fault tree models for the systems called out in the event tree top logic. These fault trees, in turn, call on other systems, such as power 1-3
and cooling systems required for their operation.
These support systems were also analyzed with detailed fault trees.
The fault trees include component failures, maintenance unavailabilities, and potential human errors.
Direct dependencies are modeled explicitly; indirect dependencies are modeled through extensive consideration of potential common cause failures. The combined fault trees and event trees create an integrated plant model, the solution of which results in the combinations of events (cutsets) that could occur and cause each type of accident sequence.
The quantification of the accident sequence frequencies involves the generation of reliability data on every event in the plant model. Initiating event frequencies were derived from plant-specific data coupled with industry-wide data where necessary.
Component reliability values were assessed with a combination of plant-specific data and generic nuclear industry data. Results reflecting potential failures of the operations staff were assessed using an approach consistent with the latest Electric Power Research Institute (EPRI) methods for human reliability analysis. A significant focus in this study was on evaluating the human reliability events in the context of the accident scenario in which they occurred. This context includes the equipment failures as well as the other operational errors that could occur.
The accident sequences were solved using the CAFTA (Ref 1-4) software. The original generation of cutsets was performed using screening values for human reliability events to allow them to be assessed on a cutset basis. The sequence solutions were requantified using the final values for each event. The sequences were also subjected to recovery analysis, to ensure that the results represented a realistic portrayal of potential accidents.
The recovery analysis accounted for simple actions to overcome system failures, such as manual initiation of equipment when automatic initiation had failed.
The recovery analysis also accounts for equipment that was not included in the initial model, such as the dedicated shutdown diesel which is an entirely manually initiated system or for actions which are scenario dependent and must be considered in terms of the specific failures.
The evaluation of internal plant flooding was performed using the same basic models and solution process.
The potential for flooding was initially considered in successive screening steps to narrow the plant areas for detailed focus to those that might have a significant contribution to core damage frequency from a flood and its attendant damage.
Detailed analysis of potential initiating events, flood propagation, and the impact on equipment was completed for several important plant areas. New initiating events were developed and solved with the events trees and fault trees described previously.
The result of the front-end analysis is a listing of accident cutsets for each event tree sequence, along with both cutset and sequence frequencies. These results form part of the basis for the most important part of the study, the generation of insights. The insights are derived from a review of the quantified results, which indicate relative importance of different equipment failures and operations staff actions. Insights are also derived from 1-4
the PRA process itself, since the integrated models offer unique perspective on the performance of equipment.
1.3.2 Assessment of Accident Progression and Containment Response The assessment of accident progression and containment response (the back-end task) of the PRA was performed with methods directly compatible with the generic letter and NUREG-1335. The analysis evaluated the possible progression of the accident from core heatup in the vessel to possible relocation of melted core and reactor internals outside the vessel after vessel failure. A containment event tree was used to delineate the possible pathways that a sequence evolution could follow and addressed important issues identified in NUREG-1150 (Ref 1-6). The interface between the core damage sequence analysis and this analysis was simplified through the definition of core damage bins and plant damage states. The core damage bins allowed grouping of sequences that have similar accident progression. The plant damage states further refined the accident description by accounting for the availability of containment systems such as sprays and fan coolers.
These binning stages allowed the back-end evaluation to be performed more efficiently on groups of accident types rather than for individual sequences.
The study included accident analysis specific to the HBR2 plant using the MAAP (Ref 1-5) code.
The MAAP analyses were used as an input to the development and quantification of the containment event tree. They were used to investigate the sensitivity of the results to specific parameters, issues, system responses, and plant design features.
The containment event tree development task was not limited to the MAAP results, however.
The available information concerning potential accident phenomena was evaluated for its applicability to the HBR2 plant. This evaluation included the phenomena examined in the studies supporting NUREG-1150. The containment event tree includes events that account for uncertainties in the possible progression of an accident.
In addition, the tree includes events to account for the current uncertainty in phenomenological understanding which requires that alternative hypotheses be considered.
All of the phenomenological evaluations were considered in the context of the specific plant design and operational features.
The capability of the containment was assessed in several ways. The structural capability of the containment was assessed to determine the best estimate failure pressure and the most likely failure modes. That study resulted in the generation of containment failure probability versus pressure and temperature and an evaluation of failure mode. Potential accidents that would bypass containment, such as steam generator tube rupture, were assessed directly.
An analysis of potential containment isolation failures was also performed as part of the plant damage state assessment.
The quantification of the potential containment event tree outcomes was based on an evaluation of a representative accident sequences, as determined by the previous types of failures that led to the sequences in each of the plant damage states.
For each 1-5
containment event tree question, the branch point probabilities were assigned based on a combination of the insights derived from appropriate MAAP runs, hand calculations, and from evaluations of severe accident phenomenology provided in risk assessments, in IDCOR studies, and in NUREG-1 150. The probabilities were generally assigned as mean values from distributions that represented the uncertainty concerning the outcome as determined from the agglomeration of all of the reference information on the issue. The branch point probabilities are also dependent on the specific branch through the tree. This included a check on consistency so that the phenomenology would be internally consistent. For example, the potential for late hydrogen burns is dependent on whether earlier hydrogen burns had occurred.
The containment event tree was solved after all branch point probabilities were estimated.
The solution resulted in the probabilities of each outcome for each of the plant damage states. The outcome establishes the conditions at the end of the accident, including the condition and location of core material, and the status of the containment. The outcomes with significant frequency were then evaluated in terms of radionuclide release. The core damage bins and plant damage states included some information that helped determine the radiological source term estimates. The exact path through the containment event tree further influenced the source term. Some containment event tree events are only included because of their impact on potential release. The release fractions were estimated based on reference MAAP calculations, supplemented by modifications to account for sequence specific influences.
In addition to formulating the conditional probability of containment failure, this activity also provided an understanding of the accident progression and containment response for the significant accident sequences. The sensitivity of the results to various probabilities and phenomenologies was also investigated.
Examination of these results generated insights about possible accident behavior for the HBR2 plant. It is expected that these and other insights from the analysis will be particularly useful when accident management provisions are evaluated in the future.
1.4 Summary of Major Results and Insights 1.4.1 Core Damage Assessment The assessment of core damage scenarios and their frequencies has added some new perspectives to CP&L's understanding of potential accidents and important safety issues.
The study has already resulted in some enhancements to current operating practices, and a number of other areas are currently being examined to determine if cost-beneficial improvements could be made (see Section 6.1 for more details).
Probably the most significant outcome was the development of an integrated plant model that can be exercised to study new issues, improve understanding of the current core damage assessment through sensitivity studies, and help in the optimization of future 1-6
changes.
The fully integrated plant model, which includes representation of all dependencies, can be easily utilized since the process has been largely automated. The automated model is backed by extensive documentation that allows recreation of the inputs.
The system notebooks for this study include all the information the analysts used in developing the models, and serve as a repository for information concerning the systems and their models.
Insights have been derived from the model solutions and from the quantification process.
While the numerical results must be considered in light of the limitations associated with quantitative results in any PRA, a judicious examination of the accident sequences and their frequencies coupled with an engineering evaluation of the results yields a unique view of plant safety.
The first lesson that can be learned from the results is that the HBR2 core damage profile is not dominated by any particular accident. This is illustrated in Figure 1-1.
As is indicated in the first chart in the figure, no single type of accident is responsible for a large part of the overall core damage frequency.
In fact, accidents initiated by plant transients, loss of coolant accidents (LOCAs), internal flooding, and transient-induced LOCAs (relief valve or seal LOCAs that occur due to system response following a non LOCA initiator) all contribute similarly to the overall results.
The second chart illustrates this point further in terms of accident sequences.
The nine most frequent individual event tree sequences account for about 80% of the core damage frequency.
These results suggest that there is no particular plant feature that creates a unique accident type that is predominant.
A brief description of the most frequent sequences is provided in Figure 1-1. The details concerning the individual accident sequences and initiating events that influence the core damage frequency are available in Section 3.4 of this report.
The remainder of this section is devoted to a discussion of what CP&L learned from the study and what actions are being taken as a result.
The evaluation of the insights from this study requires consideration of what makes individual accident sequences more important than others, with a special emphasis on identifying any commonalities that might influence a number of accident sequences. The overall core damage frequency of 3.2 x 10 /yr is not atypical compared to other PWR results before the incorporation of improvements that are generally identified in the PRA process. After appropriate reviews to verify that the study accurately represented the facility, it was necessary to more thoroughly consider any insights. In order to determine the possibilities for improvement at HBR2, a special team was formed with responsibility for examining the results and evaluating potential enhancements. This team provided the broad perspective needed to evaluate effective and efficient improvements.
It was composed of representatives from operations, training, technical support, corporate engineering, licensing, and PRA analysis. This team examined the results and suggested 1-7
Figure 1-1. Summary of H. B. Robinson PRA Results ATWS 2%
Flooding 21 %
Transients 30%
Relative Contributions of Different Classes SGTR of Accidents 2%
ISLOCA Transient-1 %
Induced LOCAs 21%
LOCAs 23%
Total Core Damage Frequency = 3.2 x 10- 4/year Others NTO9F NA1 16%
18%
3%
Relative Contributions NM2 3, of Individual Event Tree Accident Sequences NTO8 6%
17%
NT5 7%
NT11 11 %
NTO9 D
NT3 NM1 NTO9F Internal flood initiating event results in a reactor coolant pump seal LOCA with failure of reactor coolant system inventory makeup.
NT5 Failure of all secondary side feedwater and primary system feed and bleed, dominated by loss of offsite power initiating event.
NT3 Failure of all secondary side feedwater and primary system feed and bleed, dominated by loss of service water initiating event.
NM1 Medium LOCA and failure to successfully establish recirculation.
NTO9 Reactor coolant pump seal LOCA and failure of all injection, dominated by station blackout.
NTQ1 Reactor coolant pump seal LOCA with successful injection but failure of recirculation, dominated by a loss of component cooling water initiating event.
NTO8 Reactor coolant pump seal LOCA and failure of all injection, dominated by a loss of service water initiating event.
NM2 A medium LOCA with failure in the transition phase of recirculation.
NA1 Large LOCA and failure to successfully establish recirculation.
1-8
some changes and areas for further investigation, the highlights of which are presented below. See section 5.1 for a description of the team and its role in the IPE review process.
Accident sequences initiated by flooding within plant buildings were important to the results. The HBR2 auxiliary building is relatively small and some safety systems are located in areas that could be flooded by a single initiating event. After consideration of the accident sequences that contributed to the results, it was determined that a plant procedure to deal with auxiliary building flooding would be a cost-effective improvement.
The flood procedure, planned for implementation by the end of 1992, will enhance the ability of the plant staff to deal with flooding in two ways. First, the procedure will discuss diagnosis of and actions to isolate significant flood sources.
Second, the procedure will identify mitigation actions that would prevent the flood from reaching a depth that would affect significant equipment.
Other plant improvements were discovered by examining the individual contributors that are common to a number of the accident sequences. One of these related to a particular failure mode of the steam-driven auxiliary feedwater pump. In several types of accident sequences the system supplying cooling to the steam-driven auxiliary feedwater pump was unavailable. The steam-driven pump is capable of self cooling, when switched to that mode through local manual operations.
The human reliability analysis suggested that under some conditions failure of the operations staff to make this switch was an important contributor to the sequence frequency. The results evaluation team determined that the pump could be placed in the self-cooling mode under all conditions, eliminating the need for operator action during a potential accident. Implementation of this clearly beneficial change is currently being planned for completion by the end of 1992.
Another improvement that will affect the current IPE results is the station batteries upgrade project. The project is currently planned to be completed during 1995. The station batteries are planned to be upgraded to 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> batteries from the current one hour rating. This change will increase the potential for recovery of offsite power, eliminate an operator action to manually reload the chargers after the loss of offsite power, and will eliminate an internal flooding sequence that accounted for water spray-related failure of both batteries and DC buses that are currently in the same room. As a result of this modification, the batteries will be placed in two different rooms.
The dedicated shutdown diesel plays a significant role in the results. This diesel was only credited as a recovery since its distribution system has limited capability and is manually initiated. The diesel is important to many loss of power sequences. To improve its availability, it was decided to develop a more extensive preventative maintenance program for the diesel, similar to the emergency diesel generators.
Other insights from the PRA suggested areas for further investigation.
A number of evaluations are ongoing to determine cost-effectiveness of candidate plant improvements.
1-9
For example, the accident sequences include several cases which highlight the importance of the charging pump cooling dependency. The dependency creates a circumstance where either a loss of the service water system or of the component cooling water system can result in a loss of cooling to the reactor coolant pump seal thermal barriers as well as loss of necessary cooling to the charging pumps which provide seal injection. Removal of the charging pump dependency would decouple the reactor coolant pump seal failure potential from loss of cooling initiating events. An enhancement was implemented to address this situation during the performance of the IPE.
A procedure was developed and implemented to allow the use of the fire protection system to cool the charging pumps.
The equipment for the implementation of this action is available and labeled, and the staff has been trained on the action.
The evaluation team is now considering the cost effectiveness of making the charging pumps self cooling. This evaluation is planned for completion by the end of 1992.
Another enhancement that would address contributors to a number of different accident sequences related to the water supply for the auxiliary feedwater system. The HBR2 design includes provision for auxiliary feedwater source requirements for a minimum of 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. Many of the accident sequence results include a contributor that accounts for failure to provide long term feedwater source when the condensate storage tank is depleted. Although there are several options for maintaining a source, the potential operator errors associated with establishing those sources were found to be significant contributors to the results. An evaluation of the cost effectiveness of providing automatic makeup to the condensate storage tank has therefore been undertaken. This evaluation is also planned for completion by the end of 1992.
Although the IPE provides a one time picture of the HBR2 plant response, the HBR2 PRA which supports the IPE is not being regarded as a static assessment. Evaluations are continuing to ensure that the study is a realistic examination of HBR2. The following specific areas are the subject of continuing investigation.
- 1.
Operations staff errors associated with actions for implementing long-term recirculation during a LOCA were involved in a number of different sequences.
Additional evaluation of the manual actions for implementing recirculation is planned to ensure that the current models appropriately reflect the staff training and procedures.
- 2.
Room cooling for the area which contains emergency power buses El and E2 is being evaluated. Calculations based on actual conditions with less than design air flow show that room heat-up rates and steady-state temperatures will be acceptable. However, calculations based on data from controlled tests will not be available until after the IPE submittal date. This evaluation should, however, be complete by the end of 1992 and results will be factored into the PRA.
1-10
- 3.
CP&L staff members are currently investigating the actual response of plant equipment to a specific interfacing systems LOCA (ISLOCA). It is expected that the ISLOCA analysis will be updated as new information is derived from these continuing investigations.
As indicated above, the IPE has generated a number of significant insights which have been or are being addressed by consideration of potential improvements.
More importantly, CP&L is planning to make this a living PRA and to make full use of this study in the future to address any new safety issues and assess plant changes.
This commitment to continued use of this valuable tool as an additional means of safety assurance achieves CP&L's goals for continuing safety improvement as well as NRC's objectives established in the IPE Generic Letter.
1.4.2 Containment Assessment The containment assessment provided insights into the response of the HBR2 containment to severe accident loading.
The results of the containment assessment and a brief description of the insights are provided below.
More details on the containment assessment are included in Section 4. The information obtained from the containment assessment will provide input into CP&L's efforts related to containment performance and severe accident management. An important aspect of the containment analysis was the determination of the containment's real strength. Although the design pressure is 57 psia (42 psig), the containment fragility assessment showed the best-estimate failure pressure to be 135 psig. This demonstrates the margins present in the containment design which can be utilized in addressing severe accidents.
The plant damage states, containment failure modes, and release categories represent the results of the three steps of the analysis that provide insights concerning containment performance. Each of these areas is discussed below.
The plant damage states (PDSs) represent specific categories of accident scenarios. Each PDS comprises a group of individual accident sequences that involve similar core damage sequence characteristics as well as containment safeguards systems response. The use of PDSs allows the containment analysis to be accomplished more efficiently, since all accidents within a PDS have similar enough accident progression and containment response to be treated as a single accident type.
A review of the sequences which comprise the PDSs identifies the types of accidents that are most frequent in order to determine a representative sequence for the containment assessment. The HBR2 plant damage state results are illustrated in Figure 1-2.
Ten plant damage states have frequencies in excess of L.OE-5/yr and contribute between 4% and 19% to the plant damage state frequency. The highest contributing plant damage state is PDS 1 1P (frequency:
5.9E-5/yr) which contributes 19% to the total.
The representative sequence for this PDS is a large service water flood in the auxiliary 1-11
Figure 1-2 Summary of Plant Damage Sequences Plant Damage State Contributions Others 2A lip 50 160 130 170 61 200 2A 5.20E-05 Loss of offsite power, failure of AFW early, and failure to establish feed & bleed cooling.
50 2.90E-05 Loss of CCW fails all RCP cooling & results in RCP seal LOCA. Injection is successful, but recirculation fails due to a lack of CCW cooling. Recirculation failure also fails containment sprays.
160 1.70E-05 Medium LOCA occurs with a failure of safety injection. Containment sprays also fail.
170 3.40E-05 Medium LOCA occurs with successful injection and failure to establish high-head recirculation.
As a result of the failure of recirculation, the containment sprays also fail.
200 1.30E-05 Large LOCA occurs with failure to establish recirculation. Recirculation failure also fails containment sprays.
3J1 3.40E-05 A total loss of SW occurs wifailure of AFW early. Loss of SW fails recirculation and containment sprays. The fans are failed due to loss of SW.
6J 1.20E-05 A large SW flood occurs which results in a loss of RCP seal cooling. An RCP seal LOCA occurs with a failure of all injection. Also, all containment safeguards are failed.
10J 2.10E-05 A loss of SW fails all RCP seal cooling, RCS makeup, and all containment safeguards.
130 2.60E-05 LOSP w/ both DGs failing to run resulting in station blackout An RCP seal LOCA occurs w/o makeup or secendary cooling. All containment safeguards fail & a small isolation failure occurs.
11P 5.90E-05 Large SW flood results in RCP seal LOCA & failure of all containment safeguards.
Containment isolation is successful.
1-12
building level 226 hallway which results in an RCP seal LOCA without RCS makeup.
The containment sprays and fan coolers are unavailable due to the service water flood but containment isolation is successful. The next highest contributor is PDS 2A (Frequency:
5.2E-5/yr) which contributes 16% to the total. This PDS is represented by a loss of feedwater with subsequent failures of auxiliary feedwater and of the operator to correctly establish bleed-and-feed cooling.
Safety injection systems as well as all containment safeguards are available.
Comparing the two dominant PDSs highlights an important insight.
For the case involving the loss of a major support system, both core protection and containment cooling systems are lost due to the common dependence on support systems between the core cooling and the containment systems. This insight is not unique to HBR2. In fact, most PWR designs have similar dependencies.
It is important, however, that this consideration be included in assessing accident management alternatives.
Table 1-1 lists the outcomes of the next step of the analysis, the assessment of containment failure potential. The outcomes can be grouped into the broad categories listed in the table, consistent with the assessment of containment performance in other risk assessments.
A summation of the frequencies in the table yields the insight that the containment does not fail for a large portion of the of the overall core damage frequency.
For cases in which failure is expected, the most frequent failure modes are small containment isolation failures and late containment failures. These failure modes would result in a small release i.e. well below PWR 2 category releases as defined in the Reactor Safety Study (Ref 1-7). The small containment isolation failure case is dominated by plant damage state 13Q, which involves a station blackout followed by an RCP seal LOCA with no injection and a leakage path back through the containment spray lines.
The assessment did not concentrate on this scenario because of the low release potential.
Additional evaluation would further reduce the importance of this potential leakage path.
Further refinement would credit resistance and possibly plugging of the spray nozzles, plateout in the piping, and operator action to isolate the pathway. None of these three limiting factors were specifically addressed in the containment analysis.
Late containment failures are dominated by overpressurization due to steam and gas generation. The plant damage states that lead to this outcome generally include failure of support systems such as service water or electric power such that core and containment injection and cooling systems are not available. Without recovery of containment cooling, a containment failure due to overpressurization is expected in the long term, greater than 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />. The late timing of containment failure is supported by design elements that enhance the possibilities for ex-vessel core debris coolability. Particularly, in many cases the core debris is expected to be spread over a large area such that the depth would be less than 25 cm and a large quantity of water would be overlying the debris. These conditions greatly favor debris cooling.
The containment assessment included an evaluation of the likely depth of debris for different conditions as well as the availability of water for cooling the debris.
1-13
Table 1-1 Containment State Frequencies for HBR2 Containment State Frequency (/yr)
Early Containment Failure 3.9E-6 Late Containment Failure 3.2E-5 Small Isolation Failure 3.8E-5 Large Isolation Failure 1.9E-8 Small Containment Bypass 5.6E-6 Large Containment Bypass 7.7E-7 Containment Failure after In-Vessel 1.6E-6 Recovery Early containment failures were found to be very unlikely at HBR2.
Containment overpressurization due to hydrogen burning is the most likely cause for the early containment failure. Early containment failure is unlikely for several reasons. Direct containment heating is not a significant threat at HBR2 due to the design of the cavity which limits pathways for debris transport to the general containment and because of the presence of significant quantities of water in the cavity for most accidents. Containment failures due to pressurization following hydrogen burning are not more frequent because the pressurization is limited relative to the containment capacity. For example, even if a 75% metal water reaction followed by complete burning is assumed, a 100 psi pressurization would result. While significant, there is still good margin since the mean containment capacity is 135 psi.
The containment design also promotes substantial mixing, essentially eliminating the potential for the formation of localized hydrogen concentrations sufficient for detonation or deflagration to detonation transition.
Overall, the results of the containment assessment are consistent with results for similar plant designs. The lack of a specific susceptibility to direct containment heating, the high containment capacity, and the presence of water in the cavity for accidents without containment bypass make significant early containment failure unlikely.
Specific sequences do, however, give rise to the potential for other failure modes, as indicated in Table 1-1.
Figure 1-3 shows the breakdown of the release category contributors.
The highest frequency category is RC-3 which includes the plant damage states with small isolation failures. Noble gas release occurs with only limited release of other constituents, e.g, 0.08% CsI.
1-14
Figure 1-3. Summary of Release Category Conributions Release Category Contributions RC-4 ~thers R
RC-1 B RC-3......
RC-283 RC-1 Late containment failure caused by long-term overpressurization. Core debris is coolable.
The dominant accident sequence for this release category involves a total loss of service water.
Containment safeguards are failed late in the event by the loss of service water.
O RC-1B Uke RC-1 except radionuclide scrubbing by containment sprays and/or water pools is unavailable.
RC-2B This release category represents a large early containment failure with coolable core debris.
No containment spray or pool radionuclide scrubbing occurs. Significant revaporization does not occur. This release category is comprised of many different PDSs of which none are dominant.
A medium LOCA with a failure of recirculation is an example of this PDS.
O RC-3 This category represents early, small isolation failure (<4"). Core debris is coolable and the release from containment is scrubbed by sprays or water pool. The small isolation failure allows for radionuclide retention and natural removal mechanisms, such as gravity settling, to take place. This category is dominanted by station blackout sequences resulting in an RCP seal LOCA w/o makeup or secondary cooling. All containment safeguards fail and a small isolation failure is present.
RC-4 This represents containment bypass accident sequence with a small leakage rate. The major contributor for this release category involves an ISLOCA which is directed into the RWST.
The RWST provides a scrubbing mechanism to remove radionuclides.
1J Others 1-15
00 The release category with the highest release fractions is RC2B, which occurs with a frequency of 4.7 x 10'6 per year. Although this release category is larger than the others, with about 16% release of CsI and 6% release of TeO, it is still smaller than others typically considered to constitute a large release, such as PWR-1 or -2 from the Reactor Safety Study (Ref 1-7).
The containment assessment identified several qualitative insights related to containment performance. The fundamental insight from the containment assessment is that the HBR2 containment can withstand postulated severe accident loadings for a wide range of sequences.
If isolation failures and bypass sequences are excluded, the conditional probability of containment failure is 0.11 which is near the containment performance goals which have been discussed at various times in the past.
Total frequency for potentially significant releases is about 2% of total core damage frequency.
These releases are considerably less than a PWR-1 release as defined in WASH 1400.
The potential for induced steam generator tube failure due to thermal loading was identified early in the assessment as an important issue. Current procedural guidance requires that the operators restart the reactor coolant pumps when inadequate core cooling conditions, as defined in procedure FRP-Hl, are met. This results in a clearing of the RCP loop seals and establishes a natural circulation path which results in steam generator tube heating and the potential for failure. HBR2 operations staff have committed to removal of this requirement to preclude clearing of the loop seals and the potential for induced steam generator tube failure. Thus, the importance of this potential failure mode has been greatly diminished.
The successful operation of containment sprays provides important control of pressure and, if functioning, maintains containment pressure well below design limits for all but prompt loads, e.g., direct containment heating (DCH). Additionally, the ability to cover a large portion of the containment with a water spray provides for radionuclide scrubbing which greatly reduces radionuclide releases (with the exception of noble gases).
Another insight into the HBR2 containment is that the cavity will be flooded and the reactor vessel partially submerged for a large portion of the accident sequences with or without the RWST inventory being injected into the containment. If the RWST inventory is injected into the containment, the reactor vessel will be approximately 50% flooded.
The flooded cavity provides several benefits with regard to severe accidents. First, the presence of a substantial quantity of water in the cavity at reactor vessel failure aids in assuring debris coolability and the potential for early debris quenching. The magnitude of DCH may be reduced for situations with cavity flooding. The presence of a flooded cavity also provides a medium for scrubbing any radionuclides released from the debris.
Although not credited in the analysis, recent work has indicated that vessel failure may be precluded if the reactor vessel is partially submerged. Based on the current analysis, HBR2 demonstrates a similar degree of flooding as has been postulated to be necessary 1-16
0 0
to preclude vessel failure. As this issue becomes better understood, the inclusion of this cooling mode may be appropriate.
1.5 References for Section 1 1-1.
U.S. Nuclear Regulatory Commission, Individual Plant Examination for Severe Accident Vulnerabilities, 10CFR50.54(f), Generic Letter 88-20, November, 23, 1988.
1-2.
U.S. Nuclear Regulatory Commission, Individual Plant Examination Submittal Guidance, NUREG-1335, August 1989.
1-3.
Hickman, J. W., et al., PRA Procedures Guide: A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants, American Nuclear Society and Institute of Electrical and Electronic Engineers, NUREG/CR-2300, January 1983.
1-4.
Science Applications International Corporation, CAFTA Manual, 1989.
1-5.
Electric Power Research Institute, MAAP 3.Ob Users Manual, September 1990.
1-6.
U.S. Nuclear Regulatory Commission, Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants, NUREG-1150, Second Draft for Peer Review, June 1989.
1-7.
U.S. Nuclear Regulatory Commission, Reactor Safety Study, An assessment of Accident Risk in U.S. Commercial Nuclear Power Plants, WASH-1400, 1975.
1-17