ML17264A477
| ML17264A477 | |
| Person / Time | |
|---|---|
| Site: | Ginna  |
| Issue date: | 05/07/1996 |
| From: | Vissing G NRC (Affiliation Not Assigned) |
| To: | Mecredy R ROCHESTER GAS & ELECTRIC CORP. |
| References | |
| NUDOCS 9605160192 | |
| Download: ML17264A477 (35) | |
Text
=- ~
~p<<~ed,>
~o cs O
I O
~O WASHINGTON, D.C. 2055&0001 May 7, 1996
++*++
Dr. Robert C. Hecredy Vice President, Nuclear Operations Rochester Gas and Electric Company
'9 East Avenue Rochester, NY 14649
SUBJECT:
DRAFT 1982-83 PRECURSOR REPORT
Dear Dr. Mecredy:
l
.s;l UNITED STATES NUCLEAR REGULATORY COMMISSION 5o-ZP 5o-2+
Enclosed for your information are excerpts from the draft Accident Sequence Precursor (ASP) Report for 1982-83.
This report documents the ASP Program analyses of operational events which occurred during the period 1982-83.
We are providing the appropriate sections of this draft report to each licensee with a plant which had an event in 1982 or 1983 that has been identified as a
precursor.
At least one of these precursors occurred at R.
E. Ginna Nuclear Power Plant.
For background information, we have also enclosed copies of Sections A. 1 and A.2 of Appendix A from the 1982-83 ASP Report.
Section 2.0 discusses the ASP Program event selection criteria and the precursor quantification process; Sections A. 1 and A.2 contain an overview of the models that were used'in these analyses.
Further detail about these models may be found in various published volumes of NUREG/CR-4674, most recently in Volume 17, "Precursors to Potential Severe Core Damage Accidents:
- 1992, A Status Report."
We emphasize that you are under no licensing obligation to review and comment on the enclosures.
The analyses documented in the draft ASP Report for 1982-83 were performed primarily for historical purposes to obtain the 2 years of precursor data for the. NRC's ASP Program which had previously been missing.
We realize that any review of the precursor analyses of 1982-83 events by affected licensees would necessarily be limited in scope due to: (1) the extent of the licensee's corporate memory about specific details of an event which occurred 13-14 years
- ago, (2) the desire to avoid competition for internal licensee staff resources with other, higher priority work, and (3) extensive changes in plant design, procedures, or operating practices implemented since the time period 1982-83, which may have resulted in significant reductions ih the probability of (or, in some cases, even precluded) the occurrence of events such as those documented in this report.
The draft report contains detailed documentation, for all precursors with conditional core damage probabilities
> 1.0 x 10 However, the relatively large number of precursors identified for the period 1982-83 necessitated that only sumsaries be provided for grecursors wit) conditional core damage probabilities between 1.0 x 10 and 1.0 x 10 We will begin revising the report about Hay 31, 1996, to put it in final form for publication.
We will respond to any comments on the precursor analyses which we receive from licensees.
The responses will be placed in a separate section of the final report.
Rochester Gas and Electric Corporation is on P
9605ihOi'gI2 '&0507 PDR ADOCK 05000244 P
0
R. Hecredy distribution for the final report.
Please contact me at 301-415-1441 if you have any questions regarding this letter.
Any response to this letter on your part is entirely voluntary and does not constitute a licensing requirement.
Sincerely, Docket No. 50-244 Guy S. Vissing, Senior Project Hanager Project Directorate I-l Division of Reactor Projects - I/II Office of Nuclear Reactor Regulation
Enclosures:
1.
Section B. 1, "Precursor Analysis of I/25/82 Steam Generator Tube Rupture with One PORV Failed Open" 2.
S'ection 2 "Selection Criterial and guantification" 3.
Appendix A, "ASP Hodels" cc w/encls:
See'next page
Hay 7, 1996 R. Hecredy distribution for the final report.
Please contact me at 301-415-1441 if you have any questions regarding this letter.
Any response to this letter on your part is entirely voluntary and does not constitute a licensing requirement.
Sincerely, I
ORIGINAL SIGNED BY:
Docket No. 50-244 Guy S. Vissing,'Senior Project Hanager Project Directorate I-1 Division of Reactor Projects I/II Office of Nuclear Reactor Regulation
Enclosures:
1.
Section B. 1, "Precursor Analysis of I/25/82 Steam Generator Tube, Rupture with One PORV Failed Open" 2.
Section 2 "Selection Crite'rial and guantification" 3.
Appendix A, "ASP Hodels" cc w/encls:
See next page DISTRIBUTION:
< Docket Filej PUBLIC PDI-1 R/F S.
Varga J. Zwolinski S.
Shankman S. Little G. Vissing OGC ACRS R. Cooper, Region I DOCUHENT NAHE:
G: iGINNAiDRAFTASP.RP To receive a copy of this document, indicate in the box:
"C" = Copy without attachment/enclos re "E"
Co y with attachment enclo re "N"
No co y OFFICE DATE LA:PDI -1 SLittie 05/
/96 E
PM:PDI-1 GVissing/rsl 05/ 7/96 D:PDI-1 SShankma 05/
/96 Offic al Record Copy 05/
/96 05/
/96
1 I.
A
Dr. Robert C. Hecredy R.E.
Ginna Nuclear Power Plant CC:
Peter D. Drysdale, Senior Resident Inspector R.E.
Ginna Plant U.S. Nuclear Regulatory Commission 1503 Lake Road
- Ontario, NY 14519 Regional Administrator, Region I U.S. Nuclear Regulatory Commission 475 Allendale Road King of Prussia, PA 19406 Hr. F. William Valentino, President New York State
- Energy, Research, and Development Authority 2 Rockefeller Plaza
- Albany, NY 12223-1253 Charlie Donaldson, Esq.
Assistant Attorney General New York Department of Law 120 Broadway New York, NY 10271 Nicholas S.
Reynolds Winston 5 Strawn 1400 L St.
N.W.
Washington, DC 20005-3502 Hs. Thelma Wideman
- Director, Wayne County Emergency Hanagement Office Wayne County Emergency Operations Center 7336 Route 31
- Lyons, NY 14489 Hs. Hary Louise Heisenzahl Administrator, Monroe County Office of Emergency Preparedness ill West Fal.l Road, Room 11 Rochester, NY 14620
B.l LER No. 244/S2-003 and -005 Event
Description:
Steam Generator Tube Rupture with one PORV failed open Date ofEvent:
January 25, 1982 Plant:
B.1.1 Summary On January 25, 1982, while operating at 100% power, the Ginna B steam generator experienced a tube rupture.,
The resulting plant transient included significant primary system depressurization,'ctuation of the safety injection system and minor releases ofradioactive materials from the plant. During the transient, a pressurizer PORV failed to close after being used to reduce primary and secondary pressure below the steam safety valve setting. The estimated conditional core damage probability for this event is 3.0 x 10".
B.1.2 Event Description On January 25, 1982, at 0925, while the plant was operating at 100% power, a tube rupture occurred in steam generator B.. Multiple control room alarms alerted the operators to a Reactor Coolant System (RCS) rapid depressurization.
The air ejector radiation monitor alarm indicated that the rupture was likelyin steam generator B. The continuing pressure drop resulted in an automatic reactor trip and an automatic safety injection actuation.
Allthree HPI pumps started.
The safety injection actuation resulted in an automatic containment isolation and tripofthe operating charging pumps.
Allsafety systems functioned properly. Both reactor coolant pumps were manually stopped, and natural circulation cooling inthe RCS was verified. The pressurizer emptied, and the RCS depressurization reached a minimum of 1200 psig. A small steam bubble formed during natural circulation in the upper head but was collapsed when safety injection Qow refilled the RCS.
Initially,operators cooled down the reactor by sending steam Rom both steam generators to the main condensor.
The B steam generator was isolated at 0940, and natural circulation cooling in loop B was terminated.
The B steam gerierator water level continued to rise in spite ofthe termination offeedwater Qow to the steam generator due to Qow through the ruptured tube. At0955, the narrow-range water level indicator on B steam generator went offscale high and subsequently the B main steam line started to fill.
At 0957, the safety injection actuation circuitiy was reset thus resetting the containment isolation system.
Instrument air and thus control ofthe airwperated valves inside containment were restored.
At 1007, operators attempted to equalize the pressure differential between the RCS and the secondary side ofthe B steam generator to stop Qow through the tube rupture. Apressurizer PORV was cycled three times before it stuck open. The operator attempted to close the valve, but the valve would not close. The operator then closed the block valve to prevent further RCS water loss. Steam bubbles in the reactor vessel upper head and in the top ofthe B steam generator tubes occurred as well. The growth ofthe bubbles and increased safety injection Qow resulted inthe rapid fillingofthe pressurizer.
Loop Anatural circulation was not affected by the steam bubbles.
LER No. 244/82-003 and -005 Enclosure 1
One ofthe B steam generator safety valves cycled three times as a result ofthe over-pressurization caused by continued Qow through the ruptured tube. At 1038, safety injection was terminated to prevent further water discharge through the safety valve. At 1040, the condensate system was secured to prevent further radioactive contamiiiation ofthe condensate storage tanks and demineralizers.
The operators used the SG PORV to relieve steam &om the A steam generator.
At 1042, the pressurizer heaters were reenergized (aGer having tripped at 0928 &omlow pressurizer level) to re-establish a steam bubble in the pressurizer. At 1052, the rupture disk on the pressurizer relieftank burst due to the addition ofwater &om the letdown line reliefvalve, the pressurizer PORV, and the reliefvalve for the RCP seal return line.
At 1107, one safety injection pump was started in anticipation ofan RCS pressure drop due to the restart ofthe ARCP. At 1119, the B steam generator safety valve lifted and closed. Atthis time, the B steam line had Qooded sufficiently to cause water rather than steam to be released.
At 1121, the A RCP was started.
The RCP flow cooled and collapsed any remaining steam bubbles in the reactor upper vessel head and the B steam generator.
This addition ofQow lead to another cycle ofthe B steam generator safety valve. Safety injection was stopped, but the valve continued to leak water at approximately 100 gpm.
At 1152, the pressurizer level returned on scale and a steam bubble was re-established.
At 1202, normal letdown
&omthe RCS to the chemical and volume control system was re-established.
Due to the B steam generator safety valve leak, the RCS continued to leak through the tube rupture in steam generator B. Operators re-started one safety injection pump at 1212 in response to the continued decrease in pressurizer level.
The pump was intermittently operated until 1235. The safety reliefvalve on steam generator B stopped leaking at approximately 1225.
At 1227, the RCS and B steam generator pressures equalized.
RCS pressure was maintained at 25 psia below steam generator B pressure. At 1840, B steam generator water level returned on scale.
Feed and bleed was then used to cool steam generator B.
At 0700, on January 26, 1982, the residual heat removal system was placed in operation, and the plant was declared to be in cold shutdown.
B.1.3 Additional Event-Related Information The ruptured B steam geiierator tube was located at row 42, column 55 on the hot-leg side ofthe steam generator.
The rupture was approximately 4 inches long and 0.7 inches wide at its center.
The rupture was fish-mouth shaped and pointed outward along the tube column. The tube appeared ballooned at the rupture location and had a wall thickness of less than 5% of the nominal thickness.
Markings on the exterior of the tube had the appearance ofGetting wear. Danuige to sixteen additional tubes that had been plugged in steam generator B was identified. Foreign objects and tube &agments were found in the steam generator.
An examination ofsteam generator Arevealed the existence ofsome small foreign objects as well. The most probable cause ofdamage was due to a piece ofmetal that was left in the steam generator during a 1975 repair when a large ring was removed &omthe steam generator to incre ise the efliciency ofthe recirculation Qow. The ring was cut into pieces to be removed, but one piece was left inside the steam generator.
LER No. 244/82-003 and -005
~t
Additional information on this event is included in the Report to Congress on Abnormal Occurrences, January-March l982, NUREG-0090, Vol. 5, No. 1.
B.1.4 Modeling Assumptions This event was modeled as a steam generator tube rupture initiating event.
Since a second pressurizer PORV was available and other approaches could be used for depressurization during this event, the model was not revised to reQect the stuck open pressurizer PORV.
Since the Qow which continued to leak &om the steam generator safety reliefvalve would not have depleted the RWST during the mission time and the valve eventually shut, the model was not revised to reQect the stuck-open, leaking steam generator safety reliefvalve. However, a sensitivity study was performed assuming that the steam generator tube rupture occurred, the safety reliefvalve stuck open and the steam generator could not be isolated (SG.ISO.AND.RCS.COOLDOWN set to failed and non-recoverable).
B.1.5 Analysis Results The estimated conditional core damage probability for this event is 3.0 x 10".
The dominant sequence highlighted on the event tree in Figure B.l.1 (to be provided in the final report) involved the successM operation of auxiliary feedwater and the failure of high pressure injection.
The estimated conditional core damage probability forthe sensitivity case is 8.8 x 10'. The dominant sequence involved succussful operation ofAFW and HPI, the failure to isolate the steam generator, and the failure to cool RCS below RHR initiationpressure.
IER No. 244/82-003 and -005
SGTR RT HPI RUPTURED SG ISOLATED 8Ad RCS COO W
RCS COOLDOWN BELOWRHR PRESSURE END SEa.
STATE NO OK 401 OK 402 CD 403 CD 404 CD 405 OK 406 OK 407 CD 408 CD 409 CD 4IO CD 411 CD 4I2
CONDITIONALCORE DAMAGEPROBABILITYCALCULATIONS Event Identifier:
244/82-003 and -005 Event
Description:
Steam Generator Tube Rupture Event Date:
January 25, 1982 Plant:
Ginna INITIATINGEVENT NOH-RECOVERABLE INITIATINGEVENT PROBABILITIES SGTR SEQUEHCE CONDITIONAL PROBABILITY SUHS End State/Initiator 1 'E+00 Probability SGTR Total 3 'E-04 3.0E-04 SEQUENCE CONDITIONAL PROBABILITIES (PROBABILITY ORDER) 405 sgtr -rt -afv hpi 412 sgtr rt Sequence End State Prob H Rec*>>
2.7E-04 8.9E-01 2.8E-05 1.0E-01
>>>> non-recovery credit for edited case SEQUEHCE CONDITIONAL PROBABILITIES (SEQUENCE ORDER) 405 sgtr -rt -afe hpi 412 sgtr rt Sequence End State Prob N Rec>>>>
2.7E-04 8.9E-01 2.8E-05 1.0E-01
- non-recovery credit for edited case SEQUENCE H(eEL:
BRANCH HOOEL:
PROBABILIT'Y F ILE:
c:Xaspcodegnodels~pMrb8283.cap c Xaspcodehmodelshginna.82 c:XaspcodeVnodelshgwr8283.pro No Recovery Limit BRANCH FREQUENCIES/PROBABILITIES Branch trans loop Ioca sgtr rt rt(loop) afv afv/atm System 2.6E-04 1.6E-05 2.4E-06 1.6E.06 2.8E-04 O.DE+00 1.6E-05 4.3E-03 Non-Recov 1.DE+00 3.6E-01 5.4E-01 1.DE+00 1.0E-01 1.DE+00 4.5E-01 1.DE+00 Opr Feil LKRNo. 244/82-003 and -005
~ ~
)
B.1-6 afv/ep mfa porv.chall porv.chal l/afv porv. chal l/loop porv.chall/sbo porv.reseat porv.reseat/ep srv.reseat(ates) hpi feed. bleed emrg.boration recov.sec.cool recov.sec.cool/offsite.pwr rcs.cooldoMn rhr rhr.and.hpr hpr ep seal
~ loca offsite.prr.rec/-ep.and.-afw offsite.prr.rec/-ep.and.afv offsite.per.rec/seal.
loca offsite.~r.rec/-seal. loca sg.iso.and.rcs.cooldoMn rcs.cool.beloM.rhr prim. press. limited branch model file
>>>> forced 5.0E-02 1.9E-01 4'E-02 1.0E+00 1.0E-01 1 AL OE+00 2.0E-02 2.0E-02 1 'E-01 3.0E-04 2.0E-02 O.OE+00 2.0E-01 3.4E-01 3.0E-03 2.2E-02 1 'E-03 4.0E-03 2.9E-03 2.3E-01 2.1E-01 9.9E-02 6.0E-01 8.2E-03 1 'E-02 3.0E-03 8.8E-03 3.4E-01 3 'E-01 1 AL OE+00 1.0E+00 1.0E+00 1.0E+00 1.1E-02 1.0E+00 1.0E+00 8.9E-01 1.0E+00 1.0E+00 1.0E+00 1.0E+00 1 AL OE+00 7.0E-02 1.0E+00 1.0E+00 8.9E-01 1.0E+00 1.0E+00 1.0E+00 1.0E+00 1 AL OE+00 1 'E-01 1 AL OE+00 1.0E+00 1.0E-03 1.0E-02 1.0E-02 1 'E-03 1 'E-03 1.0E-03 1 'E-03 3.0E-03 Heather Schriner 11-06-1995 10:09:02 LER No. 244/82-003 and -005
CONDITIONALCORE DAMAGEPROBABILITYCALCULATIONS Event Identifier:
244/82-003 and -005 Event
Description:
Steam Generator Tube Rupture with SG relief valve stuck open Event Date:
January 25, 1982 Plant:
Ginna INITIATINGEVENT NOH-RECOVERABLE INITIATINGEVENT PROBABILITIES SGTR 1.DE+00 SEQUENCE COHD IT IOHAL PROBABILITY SUNS End State/Initiator Probability SGTR Total 8.8E-03 8.8E-03 SEQUENCE CONDITIONAL PROBABILITIES (PROBABILITY ORDER)
Sequence 404 sgtr -rt -afw -hpi SG.ISO.AHD.RCS.COOLDOMN rcs.cool.beloM.rhea 403 sgtr -rt -afM -hpi SG.ISO.AND ARCS.COOLDOHN -rcs.cool.below.rhr rhr
- 405, sgtr -rt -afm hpi
~* non-recovery credit for edited case SEQUENCE COHDITIONAL PROBABILITIES (SEQUENCE ORDER)
End State Prob 6.0E-03 2'E-03 2.7E-04 N Rec~~
1.DE+00 7.0E-02 8.9E-01 403 404 405 sgtr -rt -afw -hpi SG.ISO.AND.RCS.COOLDON -rcs.cool.below.rhr rhr sgtr -rt -afm -hpi SG.ISO.AHD.RCS.COOLDOMH rcs.cool.beloM.rhr sgtr -rt -afu hpi End State Prob 2.5E-03 6.0E-03 2.7E-04 N Rec**
7.0E-02 1.DE+00 8.9E-01
- non-recovery credit for edited case SEQUENCE NODEL:
c:Xaspcode'lmodelshprrb8283.cmp BRANCH NODEL:
c:~aspcode'uaodels~ginna.82 PROBABILITY FILE:
c:~aspcode~els~r8283.pro No Recovery Limit BRANCH FREQUENCIES/PROBABILITIES Branch trans loop loca sgtr System 2.6E-04 1.6E-05 2.4E-06 1.6E-06 Non-Recov 1.DE+00 3.6E-01 5.4E-01 1 'E+00 Opr Fail LER No. 24'4/82-003 and -005
ll
rt rt(loop) afw afw/atws afw/ep mfa porv.chall porv.chall/afw porv.chal l/loop porv.chall/sbo porv.reseat porv.reseat/ep srv.reseat(atm) hpi feed.bleed emrg.borati on recov. sec. cool recov.sec.cool/offsite.~r rcs.cooldoNn rhr rhr.and.hpr hpr ep seal. Loca offsite.pwr.rec/-ep.and.-afv offsite.pNr.rec/-ep.and.afM offsite.pwr.rec/seal. loca offsite.~r.rec/-seal. loca SG.(SO.AND.RCS.CQOLOOMN Branch Model:
1.OFT 1 Train 1
Cond Prob:
rcs.cool.below.rhr prim.press. limited branch model file
<<>> forced 2.8E-04 O.OE+00 1.6E-05 4.3E-03 5.0E-02 1.9E-01 4'E-02 1.0E+00 1 'E-01 1.0E+00 2.0E-02 2.0E-02 1 'E-01 3.0E-04 2.0E-02 O B OE+00 2.0E-01 3.4E-01 3 'E-03 2.2E-02 1.0E-03 4.0E-03 2.9E-03 2.3E-01 2.1E-01 9.9E-02 6.0E-01 8.2E-03 1 'E-02 >
1 'E+00 1 'E-02 > Failed 3.0E-03 8.8E-03 1.0E-01 1.0E+00 4.5E-01 1.0E+00 3.4E-01 3.4E-01 1 'E+00 1.0E+00 1.0E+00 1.0E+00 1.1E-02 1.0E+00 1.0E+00 8.9E 01 1.BE+00 1 AL OE+00 1.0E+00 1 AL OE+00 1 'E+00 7.0E-02 1.0E+00 1.0E+00 8.9E-01 1.0E+00 1 'E+00 1.0E+00 1.0E+00 1 'E+00, 1 'E-01 1.0E+00 1 'E+00 1 'E+00 1 'E-03 1.0E-02 1.0E-02 1.0E-03 1 'E-03 1 'E-03 1.0E-03 3.0E-03 Heather Schriner 11-06-1995 10:10:42 LER No. 244/82-003 and -005
2-1 2.0 Selection Criteria and Quantification 2.1 Accident Sequence Precursor Selection Criteria The Accident Sequence Precursor (ASP) Program identifies and documents potentially important operational events that have involved portions of core damage sequences and quantifies the core damage probability associated with those sequences.
Identification ofprecursors requires the review ofoperational events for instances in which plant functions that provide protection against core damage have been challenged or compromised. Based on previous experience with reactor plant operational events, it is known that most operational events can be directly or indirectly associated with four initiators: trip [which includes loss of main feedwater (LOFW) within its sequences],
losswfwffsite power (LOOP), small-break loss-ofeoolant accident (LOCA), and steam generator tube ruptures (SGTR) (PWRs only). These four initiators are primarily associated with loss ofcore cooling. ASP Program staff members examine licensee event reports (LERs) and other event documentation to determine the impact that operational events have on potential core damage sequences.
2.1.1 Precursors This section describes the steps used to identify events for quantification. Figure 2.1 illustrates this process.
Acomputerized search ofthe SCSS data base at the Nuclear Operations Analysis Center (NOAC) of the Oak Ridge National Laboratory was conducted to identifyLERs that met minimum selection criteria for precursors.
This computerized search identified LERs potentially involving failures in plant systems that provide protective functions forthe plant and those potentially involving core damage-related initiating events. Based on a review ofthe 1984-1987 precursor evaluations and all 1990 LERs, this computerized search successfully identifies almost all precursors and the resulting subset is approximately one-third to one-half of the total LERs. It should be noted, however, that the computerized search scheme has not been tested on the LER database for the years prior to 1984. Since the LER reporting requirements for 1982-83 were different than for 1984 and later, the possibility exists that some 1982-83 precursor events were not included in the selected subset. Events described in NUREG -0900~ and in issues ofNuclear Safety that potentially impacted core damage sequences were also selected for review.
Those events selected for review by the computerized search of the SCSS data base underwent at least two independent reviews by different staff members. The independent reviews of each LER were performed to determine ifthe reported event should be examined in greater detail. This initial review was a bounding review, meant to capture events that in any way appeared to deserve detailed review and to eliminate events that were clearly unimportant. This process involved eliminating events that satisfied predefined criteria for rejection and accepting all others as either potentially significant and requiring analysis, or potentially significant but impractical to analyze. Allevents identified as impractical to analyze at any point in the study are documented in Appendix E. Events were also eliminated from further review ifthey had little impact on core damage sequences or provided littlenew information on the risk impacts ofplant operationforexample, short-term single failures in redundant systems, uncomplicated reactor trips, and LOFW events.
Selection Criteria and Quantification Enclosure 2
2-3 LERs were eliminated from further consideration as precursors ifthey involved, at most, only one of the following:
a component failure with no loss of redundancy, a short-term loss of redundancy in only one system, a seismic design or qualification error, an environmental design or qualification error, a structural degradation, an event that occurred prior to initialcriticality, a design error discovered by reanalysis, an event bounded by a reactor trip or LOPYV, an event with no appreciable impact on safety systems, or an event involving only post core-damage impacts.
Events identified for further consideration typically included the following:
unexpected core damage initiators (LOOP, SGTR, and small-break LOCA);
'llevents in which a reactor trip was demanded and a safety-related component failed; all support system failures, including failures in cooling water systems, instrument air, instrumentation and control, and electric power systems; any event in which two or more failures occurred; any event or operating condition that was not predicted or that proceeded differently from the plant design basis; and any event that, based on the reviewers'xperience, could have resulted in or significantly affected a chain of events leading to potential severe core damage.
Events determined to be potentially significant as a result of this initial review were then subjected to a thorough, detailed analysis. This extensive analysis was intended to identify those events considered to be precursors to potential "severe core damage accidents, either because of an initiating event, or because of failures that could have affected the course ofpostulated off-normal events or accidents. These detailed reviews were not limited to the LERs; they also used final safety analysis reports (FSARs) and their amendments, individual plant examinations (IPEs), and other information related to the event of interest.
The detailed review of each event considered the immediate impact of an initiating event or the potential impact of the equipment failures or operator errors on readiness of systems in the plant for mitigation of off-normal and accident conditions. In the review of each selected event, three general scenarios (involving both the actual event and postulated additional failures) were considered.
Ifthe event or failure was immediately detectable and occuned while the plant was at power, then the event was evaluated according to the likelihood that itand the ensuing plant response could lead to severe core damage.
Ifthe event or failure had no immediate effect on plant operation (i.e., ifno initiating event occurred), then the review considered whether the plant would require the failed items for mitigation of potential severe core damage sequences should a postulated initiating event occur during the failure period.
Selection Criteria and Quantification
I
~ ~
2-4 Ifthe event or failure occurred while the plant was not at power, then the event was first assessed to determine whether it impacted at-power or hot shutdown operation. Ifthe event could only occur at cold shutdown or refueling shutdown, or the conditions clearly did not impact at-power operation, then its impact on continued decay heat removal during shutdown was assessed; otherwise it was analyzed as ifthe plant were at power. (Although no cold shutdown events were analyzed in the present study, some potentially significant shutdown-related events are described in Appendix D).
For each actual occurrence or postulated initiating event associated with an operational event reported in an LER or multiple LERs, the sequence of operation of various mitigating systems required to prevent core damage was considered. Events were selected and documented as precursors to potential severe core damage accidents (accident sequence precursors) ifthe conditional probability ofsubsequent core damage was at least 1.0 X 10~ (see section 2.2). Events of low significance are thus excluded, allowing attention to be focused on the more important events.
This approach is consistent with the approach used to define 1988-1993 precursors, but differs from that of earlier ASP reports, which adiuressed all events meeting the precursor selection criteria regardless ofconditional core damage probability.
As noted above, 115 operational events with conditional probabilities of subsequent severe core damage a
1.0 X 10~ were identified as accident sequence precursors.
2.1.2 Potentially Significant Shutdown-Related Events No cold shutdown events were analyzed in this study because the lack ofinformation concerning plant status at the time of the event (e.g., systems unavailable, decay heat loads, RCS heat-up rates, etc.) prevented development of models for such events. However, cold shutdown events such as a prolonged loss of RHR cooling during conditions ofhigh decay heat can be risk significant. Sixteen shutdown-related events which may have potential risk significance are described in Appendix D.
2.1.3 Potentially Significant Events Considered Impractical to Analyze In some cases, events are impractical to analyze due to lack of information or inability to reasonably model within a probabilistic risk assessment (PRA) framework, considering the level ofdetail typically available in PRA models and the resources available to the ASP Program.
Forty-three events (some involving more than a single LER) identified as potentially significant were considered impractical to analyze. It is thought that such events are capable of impacting core damage sequences.
However, the events usually involve component degradations in which the extent ofthe degradation could not be determined or the impact of the degradation on plant response could not be ascertained.
For many events classified as impractical to analyze, an assumption that the affected component or function was unavailable over a 1-year period (as would be done using a bounding analysis) would result in the conclusion that a very significant condition existed. This conclusion would not be supported by the specifics ofthe event as reported in the LER(s) or by the limited engineering evaluation performed in the ASP Program.
Descriptions ofevents considered impractical to analyze are provided in Appendix E.
Selection Criteria and Quantification
2-5 2.1.4 Containment-Related Events In addition to accident sequence precursors, events involving loss of containment functions, such as containment cooling, containment spray, containment isolation (direct paths to the environment only), or hydrogen control, identified in the reviews of 1982-83 LERs are documented in Appendix F. It should be noted that the SCSS search algorithm does not specifically search forcontainment related events. These events, ifidentified for other reasons during the search, are then examined and documented.
2.1.5 "Interesting" Events Otner events that provided insight into unusual failure modes with the potential to compromise continued core cooling but that were determined not to be precursors were also identified. These are documented as "interesting" events in Appendix G.
2.2 Precursor Quantification Quantification ofaccident sequence precursor significance involves determination ofa conditional probability ofsubsequent severe core damage, given the failures observed during an operational event. This is estimated by mapping failures observed during the event onto the ASP models, which depict potential paths to severe core damage, and calculating a conditional probability of core damage through the use of event trees and system models modified to reflect the event. The effect of a precursor on event tree branches is assessed by reviewing the operational event specifics against system design information. Quantification results in a revised probability ofcore damage failure, given the operational event. The conditional probability estimated for each precursor is useful in ranking because itprovides an estimate ofthe measure ofprotection against core damage that remains once the observed failures have occurred. Details of the event modeling process and calculational results can be found in Appendix A of this report.
The fiequencies and failure probabilities used in the calculations are derived in part from data obtained across the light-water reactor (LWR) population for the 1982-86 time period, even though they are applied to
'equences that are plant-specific in nature.
Because ofthis, the conditional probabilities determined for each precursor cannot be rigorously associated with the probability ofsevere core damage resulting from the actual event at the specific reactor plant at which it occurred. Appendix A documents the accident sequence models used in the 1982-83 precursor analyses, and provides examples of the probability values used in the calculations.
The evaluation of precursors in this report considered equipment and recovery procedures believed to have been available at the various. plants in the 1982-83 time frame. This includes features addressed in the current (1994) ASP models that were not considered in the analysis of 1984-91 events, and only partially in the analysis of 1992-93 events.
These features include the potential use of the residual heat removal system for long-term decay heat removal following a small-break LOCA in PWRs, the potential use of the reactor core isolation cooling system to supply makeup following a small-break LOCA in BWRs, and core damage sequences associated with failure to trip the reactor (this condition was previously designated "ATWS," and not developed).
In addition, the potential long-term recovery of the power conversion system forBWR decay heat removal has been addressed in the models.
Selection Criteria and Quantification
2-6 Because of these differences in the models, and the need to assume in the analysis of 1982-83 events that equipment reported as failed near the time of a reactor trip could have impacted post-trip response (equipment response following a reactor trip was required to be reported beginning in 1984), the evaluations for these years may not be directly comparable to the results for other years.
Another difference between earlier and the most recent (1994) precursor analyses involves the documentation ofthe significance ofptecursors involving unavailable equipment without initiating events. These events are termed unavailabilities in this report, but are also referred to as condition assessments.
The 1994 analyses distinguish a precursor conditional core damage probability (CCDP), which addresses the risk impact of the failed equipment as well as all other nominally functioning equipment during the unavailability period, and an importance measure defined as the difference between the CCDP and the nominal core damage probability (CDP) over the same time period. This importance measure, which estimates the increase in core damage probability because of the failures, was referred to as the CCDP in pre-1994 reports, and was used to rank unavailabilities.
For most unavailabilities that meet the ASP selection criteria, observed failures significantly impact the core damage model. In these cases, there is littledifference between the CCDP and the importance measure.
For some events, however, nominal plant response dominates the risk.
In these cases, the CCDP can be considerably higher than the importance measure.
For 1994 unavailabilities, the CCDP, CDP, and importance are all provided to better characterize the significance of an event. This is facilitated by the computer code used to evaluate 1994 events (the GEM module in SAPHIRE), which reports these three values.
The analyses of 1982-83 events, however, were performed using the event evaluation code (EVENTEVL) used in the assessment of 1984-93 precursors.
Because this code only reports the importance measure for unavailabilities, that value was used as a measure of event significance in this report. In the documentation ofeach unavailability, the importance measure value is referred to as the increase in core damage probability over the period of the unavailability, which is what it represents.
An example of the difference between a conditional probability calculation and an importance calculation is provided in Appendix A.
2.3 Review ofPrecursor Documentation With completion of the initial analyses of the precursors and reviews by team members, this draft report containing the analyses is being transmitted to an NRC contractor, Oak Ridge National Laboratories (ORNL),
for an independent review. The review is intended to (1) provide an independent quality check ofthe analyses, (2) ensure consistency with the ASP analysis guidelines and with other ASP analyses for the same event type, and (3) verify the adequacy of the modeling approach and appropriateness of the assumptions used in the analyses. In addition, the draft report is being sent to the pertinent nuclear plant licensees for review and to the NRC staff for review. Comments received from the licensees within 30 days will be considered during resolution ofcomments received from ORNL and NRC staff.
2.4 Precursor Documentation Format The 1982-83 precursors are documented in Appendices B and C. The at-power events with conditional core damage probabilities (CCDPs) z1.0 x 10're contained in Appendix B and those with CCDPs between 1.0 x 10'nd 1.0 x 10~ are summarized in Appendix C. For the events in Appendix B, a description of the event Selection Criteria and QuantiTication
2-7 is provided with additional information relevant to the assessment ofthe event, the ASP modeling assumptions and approach used in the analysis, and analysis results. The conditional core damage probability calculations are documented and the documentation includes probability summaries for end states, the conditional probabilities for the more important sequences and the branch probabilities used.
A figure indicating the dominant core damage sequence postulated for each event willbe included in the final report. Copies of the
~ LERs are not provided with this draft report.
2.5 Potential Sources ofError As with any analytic procedure, the availability ofinformation and modeling assumptions can bias results. In this section, several of these potential sources oferror are addressed.
Evaluation ofonly a subset of 1982-83 LERs. For 1969-1981 and 1984-1987, all LERs reported during the year were evaluated for precursors. For 1988-1994 and for the present ASP study of 1982-83 events, only a subset of the LERs were evaluated after a computerized search ofthe SCSS data base. While this subset is thought to include most serious operational events, it is possible that some events that would normally be selected as precursors were missed because they were not included in the subset that resulted from the screening process.
Reports to Congress on Abnormal Occurrences (NUREG-0900 series) and operating experience articles in Nuclear Safety were also reviewed for events that may have been missed by the SCSS computerized screening.
Inherent biases in the selection process.
Although the criteria for identification of an operational event as a precursor are fairly well-defined, the selection of an LER for initial review can be somewhat judgmental. Events selected in the study were more serious than most, so the majority of the LERs selected for detailed review would probably have been selected by other reviewers with experience in LWR systems and their operation. However, some differences would be expected to exist; thus, the selected set of precursors should not be considered unique.
Lack ofappropriate event information. The accuracy and completeness of the LERs and other event-related documentation in reflecting pertinent operational information for the 1982-83 events are questionable in some cases. Requirements associated with LER reporting at the time, plus the approach to event reporting practiced at particular plants, could have resulted in variation in the extent of events reported and report details among plants. In addition, only details of the sequence (or partial sequences for failures discovered during testing) that actually occurred are usually provided; details concerning potential alternate sequences of interest in this study must often be inferred. Finally, the lack of a requirement at the time to linkplant trip information to reportable events required that certain assumptions be made in the analysis ofcertain kinds of 1982-83 events. Specifically, through use of the "Grey Books" (Licensed Operating Reactors Status Report, NUREG-0200)'~ it was possible to determine that system unavailabilities reported in LERs could have overlapped with plant trips if it was assumed that the component could have been out-of-service for i/z the test/surveillance period associated with that component. However, with the linkbetween trips and events not being described in the LERs, it was often impossible to determine whether or not the component was actually unavailable during the trip or whether it was demanded Selection Criteria and QuantiTication
2-8 during the trip. Nevertheless, in order to avoid missing any important precursors for the time period, any reported component unavailability which overlapped a plant trip within 'lz of the component's test/surveillance period, and which was believed not to have been demanded during the trip, was assumed to be unavailable concurrent with the trip. (Ifthe component had been demanded and failed, the failure would have been reported; ifithad been demanded and worked successfully, then the failure would have occurred after the trip). Since such assumptions may be conservative, these events are distinguished from the other precursors listed in Tables 3.1 - 3.6. As noted above, these events are termed "windowed" events to indicate that they were analyzed because the potential time window for their unavailability was assumed to have overlapped a plant trip.
Accuracy ofthe ASP models and probability data.
The event trees used in the analysis are plantwlass specific and reflect differences between plants in the eight plant classes that have been defined. The system models are structured to reflect the plant-speciiic systems, at least to the train level. While major differences between plants are represented in this way, the plant models utilized in the analysis may not adequately reflect all important differences.
Modeling improvements that address these problems are being pursued in the ASP Program.
Because ofthe sparseness ofsystem failure events, data from many plants must be combined to estimate the failure probability of a multitrain system or the frequency of low-and moderate-frequency events (such as LOOPs and small-break LOCAs). Because of this, the modeled response for each event willtend toward an average response for the plant class. If systems at the plant at which the event occurred are better or worse than average (difficultto ascertain without extensive operating experience), the actual conditional probability for an event could be higher or lower than that calculated in the analysis.
Known plant-specific equipment and procedures that can provide additional protection against core damage beyond the plant-class features included in the ASP event tree models were addressed in the 1982-83 precursor analysis for some plants. This information was not uniformly available; much ofit was based on FSAR and IPE documentation available at the time this report was prepared. As a result, consideration of additional features may not be consistent in ptecursor analyses ofevents at different plants. However, analyses of multiple'vents that occurred at an individual plant or at similar units at the same site have been consistently analyzed.
Difhculty in determining the potential for recovery offailed equipment.
Assignment of recovery credit for an event can have a significant impact on the assessment ofthe event. The approach used to assign recovery credit is described in detail in Appendix A. The actual likelihood of failingto recover from an event at a particular plant during 1982-83 is difficult to assess and may vary substantially from the values currently used in the ASP analyses. This difficultyis demonstrated in the genuine differences in opinion among analysts, operations and maintenance personnel, and others, concerning the likelihood ofrecovering from specific failures (typically observed during testing) within a time period that would prevent core damage followingan actual initiating event.
Assumption of a 1-month test interval. The core damage probability for precutsors involving Selection Criteria and Quantification
p ~r
2-9 unavailabilities is calculated on the basis of the exposure time associated with the event. For failures discovered during testing, the time period is related to the test interval. A test interval of 1 month was assumed unless another interval was specified in the LER. See reference 1
for a more comprehensive discussion of test interval assumptions.
Selection Criteria and Quantification
Appendix A:
ASP MODELS ASP MODELS Enclosure
~ ~
A-2 A.O ASP Models
'Ibis appendix describes the methods and models used to estimate the significance of 1982-83 precursors.
The niodciing approach is similar to that used to evaluate 1984-91 operational events.
Simplified train-based models aie used, in coajunction with a simplified recovery model, to estimate system failure probabilities specific to an operational event.
These probabilities are then used in event tree models that describe core damage sequences relevant to tbc event The event trees have been expanded beyond those used in the analysis of 1984-91 events to addiess features ofthc ASP models used to assess 1994 operational cvcnts (Ref. 1) known to have existed in the 1982-83 time period.
A.1 Precursor Significance Estimation
'Ihe ASP program performs retrospective analyses ofoperating experience.
These analyses require that certain methodological assumptions be made in order to estimate the risk significance of an event. Ifone assumes, following an operational event in which core cooling was successful, that components observed failed were "failed"with probability 1.0, and components that functioned successfully were "successful" withprobability 1.0, then one can conclude that the risk ofcore damage was zero, and that the only potential sequence was the combination ofevents that occumxl. In order to avoid such trivialresults, the status ofcertain components must be considered latent.
In the ASP program, this latency is associated with components that operated successfully these components are considered to have been capable offailingduring thc operational event.
Quantification ofprecursor significance involves the determination ofa conditional probability ofsubsequent core damage given the failures and other undesirable conditions (such as an initiating event or an unexpected rehcfvalve challenge) observed during an operational event. The cQcct ofa precursor on systems addressed in thc core damage models is assessed by reviewing the operational event spccifics agaiiist plant design and operatmg inkanatica, and translating the results ofthe review into a revised model for tbe phmt that reQccts the observed failures. Thc prectirsors's significance is estimated by calculating a conditional probability ofcore damage given the observed failures.
The conditional probability calculated in this way is useful in ranking bccausc itprovides an estiniatc ofthe measure ofprotection against core damage remaining once the observed failures have occurred.
A.l.l Types ofEvents Analyzed Two diKacat types ofevents me addressed inprccursa'uantitative analysis. In the Grat, an initiatmg event such as a loss ofof&itepower (LOOP) or small-break loss of coohmt accident (LOCA) occurs as a part of tbe precursor.
Tbe pxebability ofcore damage for this type ofevent is calculated based on the required plant resp'o the particular initiatmg event and other failures that may have occurred at the same time. This type ofevent mciudes tbe "wiiidowcd"events subsetted fortbe 1982-83 ASP program and discussed in Section 2.2 ofthc main report.
The second type ofevent mvolvcs a faihue caxhtion that existed over a perio oftime during which an initiating event could have, but did not occur. The probability ofcore damage is calculated based on tbe xequircd plant ieslxese to a set ofpostulated initiating events, considering the failures that were observed. Unlike an initiating event as.ament, where a particular initiatingevent is assumed to occur withprobability 1.0, each initiating event is assumed to occur with a probability based on the initiatingevent frequency and the failure duration.
ASP MODELS
A-3 A.1.2 Modi6catiou ofSystem Failure Probabilities to Refiect Observed Failures The ASP models used to evaluate 1982-83 operational events describe sequences to core damage in terms of combinations of mitigating systems success and failure following an initiating event.
Each system model represents those combinations oftrain or component failures that willresult in system failure. Failures observed during an operational event must be represented in terms ofchanges to one or more ofthe potential failures included in the system models.
Ifa failed component is included in one ofthe trains in the system model, the failure is reQected by setting the probability for the impacted train to 1.0. Redundant train failure probabilities are conditional, which allows potential common cause failures to be addressed. Ifthe observed failure could have occurred in other similar amporxnts at the same time, then the system failure pubability is in~ised to represent this. Ifthe failure could not simultaneously occur in other components (for example, ifa component was removed &om service for preventive nninteriance), then the system failure probability is also revised, but only to reQect the "removal" of the unavailable component &om the modeL Ifa failed component is not specifically included as an event in a model, then the failure is addressed by setting elements impacted by the failure to failed. For example, support systems are not completely developed in the 1982-83 ASP models. A breaker failure that results in the loss ofpower to a group ofcomponents would be represented by setting the elements associated with each component in the group to failed.
OccasionaHy, a precursor occurs that cannot be modelled by modifying probabilities in existing system models.
In such a case, the model is revised as necessary to address the event, typically by adding events to the system model or by addressing an unusual initiating event through the use ofan additional event tree.
A.l.3 Recovery from Observed Failures
'Ihe models used to evaluated 1982-83 events a@bess the potential for recovery ofan entire system ifthe system fails.
This is the same approach that was used in the analysis of most precursors through 1991.'n this approach, the potential for recovery is addressed by assigning a recoveiy action to each system failure and initiating event.
Four classes were used to describe the diQ'erent types ofshort-tenn recovery that could be involved:
'ater precursor analyses utilize Time-Reliability Correlations to estimate the probability offailing to recover a Med system when recovery is dominated by operator action.
ASP MODELS
Recovery Class Rl R4 LUrelihood ofNon-Reco wry'.00 O.SS 0.10 0.01 Recovery Characteristic Thc failure did not appear to bc rccovcrablc in thc required period, either from thc control room or at thc failed cquipmcnt.
Thc failure appeared recoverablc in the rcquued period at the faikd cquipmcnt, and the equipment was acccssiblc; rccovcry from the control room did not appear possible.
Thc failure appeared rccovcrablc in thc required period from thc control room, but recovery was not routine or involved substantial operator burden.
The failure appeared recovcrablc in thc required period from thc control room and was considered routine and procedurally based.
'Hte assignment ofan event to a recovery class is based on engineering judgment, which considers the specifics ofeach operational cvcnt and the likelihood ofnot recovering &om the obsaved failure in a moderate to high-
-stress situation followingan initiating event.
Substantial time is usually available to recover a failed residual heat removal (RHR) or BWR power conversion system (PCS).
For these systems, the nonrecovay probabilities listed above are overly conservative.
Data in Refs. 2 and 3 was used to estimate the followingnonrecovery probabilities for these system:
nonrecove BWRRHR system BWR PCS PWR RHR system 0.016 (0.054 iffailures involve service water) 0.52 (0.017 forMSIVclosure) 0.057 Itmust be noted that the actual likelihoodoffailing to recover &om an event at a particular plant is dmicult to assess and may vary substantially &om the values listed.
This difficultyis danonstrated in the genuine dif5xcnccs inopinion among analysts, operations and mtuntautncc personnel, etc., concaning thc likelihoodof recoverin specific fmlures (typically observed during testing) within a time period that would prevent core dttmagc followingan actual initiatmg event.
A.l-4 Conditional Probability Associated with Each Precursor As described carlicr in this appendix, the calculation process for each precursor involves a dctaminafion of initiators that must be modeled, phs any modifications to system probabilities necessitated by failures obsaved Ihese nonrecovay probabilities are consistent with values specified in M.B. Sattison et al., "Methods Improvements Incorporated into the SAPHIRE ASP Models," Proceedings ofthe U.S. Mtclear Regtdtttoty Contntlssion ~ty-Second Watei Reactor Safety lnfortnanon Meeting, NUREGICP-0140, Vol. 1, April 1995.
ASP MODELS
A-5 in an operational event.
Once the probabilities that reflect the conditions ofthe precursor are established, the sequences leading to core damage are calculated to estimate the conditional probability for the precursor.
This calculational process is summarized in Table A.l.
Several simpli6ed examples that illustrate the basics ofprecursor calculational process follow. Itis not the intent ofthe cxamplcs to describe a detailed precursor analysis, but instead to provide a basic understanding ofthe process.
The hypothetical core damage model for these examples, shown in Fig. A. 1, consists of initiator I and four systems that provide protection against core damage: system A, B, C, and D. In Fig. A.l, the up branch teptescnts success and the down branch failure for each ofthe systems.
Three sequences result in core damage ifcotnplcted: sequence 3 P /A("/"represents system success) B C), sequence 6 (IA/B C D) and sequence / (I AB). In a conventional PRA approach, the &equency ofcore damage would be calculated using the &equency of the initiating event I, A(1), and the failure probabilities for A, B, C, and D fp(A), p(B), p(C), and p(D)].
Assummg L(1) = 0.1 yt'nd p(A(1) = 0.003, p(BlIA)= 0.01, p(C(i) = 0.05, and p(DARIC) = 0.1, the &equency of core damage is determined by calculating the &equency ofeach ofthe three core damage sequences and adding the &equencies:
0 1yr'(1-0.003) x0.05 x 0.1(sequence3)+
0.1 yr' 0.003 x (1-0.01) x 0.05 x 0.1(sequence 6)+
0.1 yr' 0.003 x 0.01 (sequence 7)
= 4.99 x Ip+yr t (sequence 3) + 1.49 x I0+ yr't (sequence 6) + 3.pQ x 10+ yt't (sequence 7)
= 5 03 x 10~
yt'n a nominal PRA, sequence 3 would bc thc domitumt core damage sequcttce.
The ASP program calculates a conditional probability ofcore damage, given an initiating event or comlxwtent failures. This ptabability is different than the &equency calculated above and cannot be directly compared with it.
E l
1 Assume that a precursor involving initiating event I occurs.
In response to I, systetns A, B, and C stmt and operate ctmcctly and system D is not denuuwkd. In a precursor initiating event assessment, the y~l jan% ofI is set to 1.0. Although systems A, B, and C were succe.'rsful, naninal Mure probabilities are assumed.
Since system D was not demanded, a nominal Mure ptobabiiity is assumed foritas well. The conditional probability ofcote damage associated withprecursor Iis calculated by summing the conditional probabilities forthc three seqttences:
1.0 x (1 - 0.003) x 0.05 x O. 1 (sequence 3) +
1.0 x 0.003 x (1 - 0.010) x 0.05 x 0.1 (sequcttce 6) +
1.0 x 0.003 x 0.01 (seqttcttce 7)
~ The notation p(B iIA)means the probability that B Ms, given I occurred and A t311ed.
ASP MOSELS
- t
\\
A-6
= 5.03 x 10'3.
If,instead, B had failed when demanded, its probability would have been set to 1.0. The conditional core damage probability for precursor IB would be calculated as 1.0 x (1 - 0.003) x 0.05 x 0.1 (sequence 3) + 1.0 x 0.003 x 1.0 (sequence 7) = 7.99 x 10'.
Since B is failed sequence 6 cannot occur.
Ic 2.
'tion s
sment. Assume that during a monthly test system B is found to be failed, and that tbe failure could have occuned at any time during the month. The best estimate for the duration ofthc failure is one halfofthc test period, or 360 h. To estimate the probabilityofinitiatingevent Iduring the 360 h period, the yearly &xpcncyofImust beconverted to an hourly rate. IfI can only occur at power, and the plant is at power for 70/o ofa year, then the ~ucncy forI is estimated to be 0 1 yr-l/(8760 h/yr x 0 7) 1 63 x 10-$ h If,as in example 1, B is always demanded followingI, the probability ofI in the 360 h period is the probability that at least one I occurs (since the failure ofB willthen be discovered), or e.lg) ~ failledunrxa 1
e.1.638-$ ~ 360 5 85 x 10-3 Using this value for the probability ofI, and setting p(B) = 1.0, the conditional probability ofcore damage for precursor B is calculated by again summing the conditional probabilities for the core damage sequences in Fig.
A.1:
5.85 x 10 x (1 - 0.003) x 0.05 x 0.1 (sequence 3) + 5.85 x 10 x 0.003 x 1.0 (sequence 7)
=4.67 x 10 As before, since B is failed, sequence 6 cannot occur.
The conditional probability is thc probability of core damage in the 360 h period, given the failure ofB. Note that tbe dotninant core manage sequence is sequence 3, with a conditional probability of2.92 x 10'. This scquct3ce is u33rclatcd to the failure ofB. Thc potential failure ofsystems C and D over the 360 h period stilldrive the core damage risk To understand tbe significance ofthc faihue ofsystem B, another calculation, an importance measure, is requital.
Thc m3poctance measure that is used is equivalent to risk achievement worth m an interval scale (scc Rcf. 4).
In this calculation, the increase in core datnage probability over the 360 h period duc to the failure of B is estimated:
p(cd ) B) - p(cd). For this example the value is 4.67 x 10 -2.94 x 10' 1.73 x 10', where the second term on thc left side ofthc equation is calculated using the previously developed probability ofIin the 360 h period and nonnnal failure probabilities forA, B, C, and D.
For most conditions idcntificdas prccursas intbe ASP prognun, the importance and the conditional core damage pmbabiiity me numaically close, and either can be used as a significance n3casure for the precursor.
- However, for some events typically those in which the components that are failed are not the primary mitigating plant feature.~be cooditional axe damage probability can be significantlyhigher than the importance. In such cases, it is imI3ortant to note that the potential failure of other components, unrelated to the preatrsor, are still dominating the plant risk ASP MODELS
'I
The importance measure for unavailabilities (condition assessments) like this example event were previously referred to as a "conditional core damage probability" in annual precursor reports before 1994, instead ofas the increase in core damage probability over the duration ofthe unavailability. Because the computer code used to analyze 1982-83 events is the same as was used for 1984-93 evaluations, the results for 1982-83 conditions are also presented in the computer output in terms of "conditional probability," when in actuality the result is an importance.
A.2 Overview of 19S2-83 ASP Models Models used to rank 1982-83 precursors as to significance consist ofsystem-based plant-class event trees and simplified plant-specific system models. These models describe mitigation sequences for the followinginitiating events: a nonspecific reactor trip [which includes loss offeedwater (LOFW) withinthe model], LOOP, small-'reak LOCA, and steam generator tube rupture fSGTR, pressurized water reactors (PWRs) only).
Plant classes were defined based on the use ofsimilar systems in providing protective functions in response to transients, LOOPs, and smail-bieak LOCAs. System designs and specific nomenclature may differ among plants included in a particular class; but functionally, they are similar in response.
Plants where certain mitigating systems do not exist, but which are largely analogous in their initiator response, are grouped into the appropriate plant class. ASP plant categorization is described in the followingsection.
The event trees consider two end states:
success (OK), in which core cooling exists, and core damage (CD), in which adequate core cooling is believed not to exist.
In the ASP models, core damage is assumed to occur followingcore uncovcry. Itis acluiowlcdgcd that clad and fuel damage willoccur at later times, depending on the cntcria used to define "damage," and that time may be available to mover core cooling once core uncovcry occurs but before the onset ofcore damage.
However, this potential recovery is not addressed in the models.
Each event tne describes combinatioas ofsystem failures that willprevent core cooling, and makeup ifrequired, in both the short and long tern -Pnmary systcins designed to provide these functions and alternate systems capable ofalso performing thcsc fimctions are addressed.
The models used to evaluate 1982-83 events consider both additional systems that can provide core protection and initiating events not included in the plant-class models used in thc assessmcnt of 1984-91 events, and only partially included in the assessmcnt of1992-93 events.
Response to a failure to trip the reactor is now addressed, as is an SGTR in PWRs. In PWRs, the potcntml use ofthe residual heat rc'moval system followinga small-break LOCA (to avoid sump recirculation) is addressed, as is the potential recovery ofsecondary-side cooling in the long tarn followingthe initiate offeed and bleed. Inboilingwater reactors (BWRs), the potential use ofreactor core isolation cooling (RCIC) and thc control rod drive (CRD) system formakeup ifa single reliefvalve sticks open is addressed, as is the potential long-tenn recovery ofthc power conversion system (PCS) for decay heat removal in BWRs. These models better rcficct thc capabilities ofplant systems in preventing core damage.
ASP MODELS
0 I
k
~= J u4