ML18040B240

| Person / Time | |
|---|---|
| Site | Susquehanna |
| Issue date | 03/02/1989 |
| From | John Lane, NRC Office of Nuclear Regulatory Research (RES) |
| To | W. Beckner, NRC Office of Nuclear Regulatory Research (RES) |
| Shared package | ML18040B241 |
| References | RTR-NUREG-CR-5278; NUDOCS 8903150244 |
| Download | ML18040B240 (73) |
Text
UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555

MEMORANDUM FOR: William D. Beckner, Chief, Severe Accident Issues Branch, Division of Safety Issue Resolution, RES
THROUGH: Jocelyn A. Mitchell, Section Leader, Severe Accident Issues Branch, RES
FROM: John C. Lane, Nuclear Engineer, Severe Accident Issues Branch
SUBJECT: MEETING SUMMARY
On February 8, 1989, representatives of the Pennsylvania Power and Light Co. (PP&L) made a presentation to the members of the Severe Accident Issues Branch and other interested members of the NRC staff (attendance list enclosed). The primary topics of discussion were PP&L's application of the Individual Plant Evaluation (IPE) methodology to risk management at the Susquehanna BWR Mark II nuclear plant and their assessment of the NRC staff's cost estimation of potential BWR Mark I containment improvements.
PP&L originally performed the Susquehanna IPE in 1985 at the request of IDCOR.
Their comprehensive IPE tracked each accident sequence individually to determine the full spectrum of final plant damage states.
PP&L told the staff that their involvement with the IPE process has helped them refine the concepts of defense-in-depth and severe accident risk management. Based on these concepts they have made and are making changes to their plant. To that end they have developed an in-house computer program based on the IPE support state method which focuses on plant and operator performance, including emergency operating procedures (EOPs).
PP&L also provided a critique of the NRC staff's cost analysis for the proposed Mark I containment improvements. They did this by making a comparison on an individual cost category basis, e.g., direct labor and materials, engineering/quality assurance, and overhead. For the detailed comparison they chose the improvement pertaining to the replacement of ADS cabling with mineral insulated (MI) cable.
The results indicated that the NRC high end estimate was within approximately 20 percent of the PP&L estimate, i.e.,
reasonably good agreement.
On the other hand the NRC low end estimate was deemed to be not representative based on their actual field experience.
The main differences between the staff's estimate and the utility estimate appear to center around two factors.
First, the utility used a significantly higher composite wage rate than the staff.
Their experience has been that in-field overhead drives labor rates up to approximately
$35/hour versus the staff's estimate of $28/hour.
Second, PP&L added a contingency of 20 percent to their direct labor and materials subtotal to account for unplanned delays and complications in the field. The staff did not add this additional factor in.
In summary, for this case, PP&L's opinion was that the high end estimate seemed to provide a valid cost estimate for cost/benefit calculations.
For other improvements, however, such as the hard pipe vent system, PP&L indicated their belief that the staff's estimate significantly underestimated the actual cost of such a significant plant modification. Their total cost estimate for that improvement was $13.7 million versus the staff's estimate of $568,000 (covers pipe replacement and electrical aspects including design). Clearly, there is a significant difference in the magnitude of the physical plant modification embedded in the estimates; however, PP&L did not break down the specific cost categories to find the source of the substantial disagreement.
Copies of the utility handout, including Technical Report NPE-89-0001, entitled "The PP&L Approach to Risk Management and Risk Assessment", are enclosed. NUREG/CR-5278, "Cost Analysis for Potential BWR Mark I Containment Improvements", details the staff cost estimates.

John C. Lane, Nuclear Engineer
Severe Accident Issues Branch
Division of Safety Issue Resolution

Enclosures:
Meeting Handouts
Attendance List
PP&L Report NPE-89-0001

cc: R. M. Houston
Attendance list (handwritten sign-in sheet; names and organizations are not legible in the scan).
NRC COST ANALYSIS (MK I MODS), SEA 87-255-07: PP&L COMMENTS/REMARKS

o Reference plant concept: good
o General method: good
o Estimate details (scope): good
o "Bottom line" comparability: good (for high case)
o 25% allowance for engineering/QA too low; derive engineering manhours, not engineering cost. PP&L experience is 50-40% of direct manhours
o Overhead rate of 100% does not cover differences in direct wage plus field non-direct manhours, plus other home office manhours
o Contingency is a real cost
COST CATEGORIES COMPARISON, NRC VS. PP&L

| Cost category | NRC basis | PP&L basis |
|---|---|---|
| Direct labor | Per estimate | Per estimate |
| Direct material | Per estimate | Per estimate |
| S/T direct | Sum of above | Sum of above |
| Engineering/QA | 25% x direct $ | 50-40% x direct hrs |
| Overhead | 100% x direct $ | Engineering: 20% x engr. hrs; field non-manual (Q-work): 55% x direct hrs (non-Q) |
| Other costs | Per estimate | None |
| Contingency | None | 15-40% x all above |
DIRECT COST ESTIMATE COMPARISON, REPLACE ADS CABLING W/MI CABLE, NRC VS. PP&L

| Direct labor item | NRC MHRS | NRC $/HR | NRC total ($K) | PP&L MHRS | PP&L $/HR | PP&L total ($K) |
|---|---|---|---|---|---|---|
| Cable work | 14,256 | 25.16 | 359 | 16,280 | 35.00 | 570 |
| Terminations | 238 | 25.16 | 6 | 266 | 35.00 | 9 |
| Supports/hangers | 315 | 25.16 | 8 | 374 | 35.00 | 14 |
| Splice kit | 143 | 25.16 | 4 | 160 | 35.00 | (not legible) |
| Fire watch | 80 | 14.35 | 1 | | | |
| Security watch | 70 | 14.35 | 1 | | | |
| Misc. constr. supp. (5% x direct hrs) | | | | 850 | 35.00 | 30 |
| Subtotal direct labor | 15,102 | 25.03 | 378 | 17,930 | 35.00 | 628 |
| NRC hi case (+12%) | | +3.11 | +47 | | | |
| Direct material | | | 10 | | | 10 |
| Total direct $ | | | 435 | | | 638 |

PP&L manhours: 4,850 standard hours x average productivity factor of 3.7 = 17,930.
COST ESTIMATE COMPARISON, REPLACE ADS CABLING W/MI CABLE, NRC 'HI' CASE VS. PP&L ($K)

| Cost category | NRC | NRC basis | PP&L | PP&L basis |
|---|---|---|---|---|
| Direct labor | 425 | 15,102 hrs x $28.14 | 628 | 17,930 hrs x $35.00 (4,850 std. hrs x 3.7 factor) |
| Direct material | 10 | | 10 | |
| S/T direct | 435 | | 638 | |
| Engineering/QA | 109 | 0.25 x 435 | 115 | 1,940 hrs (0.4 x 4,850) x ~$60/hr |
| Other home office | | | 19 | 350 hrs x ~$54/hr |
| Field non-manual | | | 290 | 8,070 hrs (0.45 x 17,930) x ~$36/hr |
| Overhead | 425 | 1.0 x 425 | | |
| Other costs | 87 | 0.20 x 435 | | |
| S/T | 1,056 | | 1,062 | |
| Contingency (20% x S/T) | none | | 201 | |
| Total | 1,056 | | 1,263 | (+20% over NRC) |
IPE RELATED MODIFICATIONS

| Modification | Rationale | Cost ($000) |
|---|---|---|
| 3rd (T-30) S/U XFMR | "Harden" plant to offsite power loss / station blackout (SBO) | 8,700 |
| Series reactors for aux boilers | "Harden" plant to offsite power loss / SBO | 1,700 |
| UPS for RPS loop | "Harden" plant to offsite power loss / SBO | 5,000 |
| UPS for AC instr indication loop | "Harden" plant to offsite power loss / SBO | 2,800 |
| Inverters / remove energ. lighting | "Harden" plant to offsite power loss / SBO | 3,500 |

Status entries for the group above as they appear in the scan (row alignment not recoverable): cancelled (ineffective); project complete; in progress.

| Modification | Rationale | Status |
|---|---|---|
| RHR HX SW iso | Isolation in event of HX failure | In progress |
| Firemain/RHR SW hook-up | Provide water to vessel/containment in SBO | In progress |
| SBO diesel | Portable non-1E generator to provide power to battery chargers in SBO | Project complete |

Costs ($000) given for this group: 1,200; 100 (two figures for three rows; alignment not recoverable).
| Modification | Rationale | Status | Cost ($000) |
|---|---|---|---|
| ADS logic mod (8 min timer) | Allows operator to override ADS | Project complete | 100 (U1 only) |
| Nitrogen bottles charge point | Provide N2 charging capability in low level post-LOCA rad zone | In progress | 300 |
| Vent capability | Provide large hard vent capability | On hold | 13,700 |
| ESW upgrade keepfill | Restores redundancy to ESW and on-site AC power | Under evaluation | 65 |
| Modify ESW bypass valve logic | Restores redundancy to ESW and on-site AC power | Under evaluation | 65 |
| ATWS (ARI) | Reduces electrical ATWS probability | Complete | 3,500 |
| Scram discharge volume mod | Reduces mechanical ATWS probability; also reduces common mode failure probability of two scram discharge volumes | Complete | 1,200 (U1 only) |
SUSQUEHANNA STEAM ELECTRIC STATION
STATION PORTABLE DIESEL GENERATOR PROJECT COMPLETION MEETING

o Introduction
o Design requirements
o Electrical design
o Physical arrangement & location
o Overview of ESK-101
o Demonstration

STATION PORTABLE DIESEL GENERATOR

o Provide power to 125 VDC equipment during an SBO
o Full connection in less than 4 hours
o Batteries 1D610, 1D620, 2D610 & 2D620
o Charge via MCC connections in the A & B D/G bays
o Connect 100 kW portable D/G via temporary cables
o Provide power and fans at battery rooms for ventilation
o D/G should be self-contained for (word not legible) and continued operation
One-line diagram (drawing residue): 125 VDC batteries (2D610 shown) and chargers (1D613, 2D623 shown) fed from MCC-0B516 and MCC-0B526 cubicles 071/073 in D/G bays A and B; 3/C #6 AWG, 200 ft (typ.) temporary cable; 15 kVA load center with four 50 A disconnects; D/G set and electrical rack mounted on trailer with weatherproof housing (located outside D/G bay A); 200 A jack; 175 kVA load bank for test.

STATION BLACKOUT PORTABLE DIESEL GEN.: WEIGHT DISTRIBUTION

- Diesel: ~3,400 lbs
- Wire: ~450 lbs
- Channel: ~140 lbs
- Load ctr: ~660 lbs
- Plugs: ~320 lbs
- Gnd reel: ~30 lbs
- Reels: ~300 lbs
- Total: ~5,300 lbs

Trailer arrangement (drawing residue): 100 kW diesel generator, 825 A circuit breaker, D/G control panel, battery, solar cell charger, 15 kVA load center, plugs, wire reels, 500 W lamps, portable 175 kVA load bank, housing and leveling stubs. Storage box contents: instructions, floods, ext. cords, connectors, tools, hand pump, extra ether, first aid, flashlight, (one item not legible), extra bulbs.
ESK-101: PORTABLE DIESEL GENERATOR CONNECTION (flowchart)

1. Invoke ES-002-001.
2. Start diesel.
3. Open 0B516-071, 0B516-073, 0B526-071 and 0B526-073.
4. Connect 15 kVA load center to 1D613, 2D613, 1D623 and 2D623 chargers.
5. Unreel generator feed A to 0B516-071, feed B to 0B516-073, feed C to 0B526-071 and feed D to 0B526-073.
6. Determine charger feed from each MCC cubicle (0B516-071, 0B516-073, 0B526-071, 0B526-073).
7. Splice feeds A, B, C and D to the charger feeds.
8. Plug feeds A, B, C and D into generator.
9. Close feed A, B, C and D breakers.
10. Notify shift supervisor.
11. Maintain diesel generator.
Charger connection drawing (residue): field cable (black/white/red) to charger TB1; 480 VAC incoming main, 125 VDC secondary main, CB1/CB2 (alt. location); chargers shown with doors open; 15 kVA load center connection points; 10 AWG SO cord, phases A/B/C and ground; 500 W floodlight receptacles; metal tee and shoe ejector on handtruck; circuit breaker L1/L2/L3; MCC cubicles 0B516-071/073 and 0B526-071/073.

ESK-104, STATION BLACKOUT PORTABLE DIESEL GEN. (drawing residue): 480 VAC feed A to 0B516-071, feed B to 0B516-073, feed C to 0B526-071 and feed D to 0B526-073 from the 15 kVA load center incoming main / secondary main; receptacles 1 through 4 (spare, light, floods, floods, spare); 120 VAC.

Diesel generator set specification sheet and location-of-components drawing: not legible in the scan.

CONTROL PANEL (legend, partial)

3. VAR (voltage adjust rheostat)
5. SAS (start aid switch), optional
6. ECM (engine control module)
7. Switch (display hold switch)
8. PLS (panel light switch), optional
9. LTS (lamp/display test switch)
10. AVS (ammeter/voltmeter phase selector switch)
11. ESPS (emergency stop push button)
12. ECS (engine control switch)

Control panel drawing (residue): engine control switch positions (off, automatic start/stop mode, not in automatic start/stop mode); indicator lamps for low oil pressure, overspeed, emergency stop, fail to start, overcrank, intake air damper closed, battery voltage and coolant temperature; voltmeter phase selector; reverse power.
AGENDA: PRESENTATION TO NRC SEVERE ACCIDENT ISSUES BRANCH (2/08/89)

9:00 Introduction
9:05 PP&L views and objectives for risk management (Paul Hill)
9:50 Risk reduction alternatives for Susquehanna (Paul Hill, Cas Kukielka)
10:45 Break
11:00 The PP&L approach to alternative selection: the integrated reduction study (Cas Kukielka)
11:10 Comments on NRC cost study (Chuck Lombardi)
11:35 Motivation and costs for Susquehanna modifications (Ed Heckman)
A HISTORICAL PERSPECTIVE ON PP&L SEVERE ACCIDENT STUDIES

o (1981-1985) Initial efforts began for station blackout events
  - Developed strategies to maximize coping time
  - Developed codes to analyze station blackout transients
  - Developed strategies to avoid and to accommodate additional equipment failure
o (1983-1985) Efforts continued for ATWS events
  - Found the original BWROG/GE evaluations on the influence of water level to be not credible
  - Developed crude methods for analysis of ATWS transient response strategies
  - Worked with NSAC on evaluations for power/water level/pressure relationships
  - Performed SIMULATE studies to determine steady state pressure/core flow/critical power relationships
o (1980/1985) Disputed contribution of operator error to TW frequency

A HISTORICAL PERSPECTIVE ON PP&L SEVERE ACCIDENT STUDIES (CONTINUED)

o (1985) Performed the Susquehanna IPE at the request of IDCOR
  - Found that prior station blackout and ATWS study influence on EOPs provided great reduction in plant damage frequency
  - Extended the concepts developed for transients and LOCA
  - Developed a more definitive and accurate analysis of differing types of ATWS challenges
  - Based on extensive discussions with operations personnel, developed a new approach to quantifying human error contributions
  - Adopted the view that nearly all significant common cause failures are due to initiators or support systems
  - Performed plant specific transient analysis to develop success criteria
  - Adopted a strategy of segregating differing types and levels of plant damage explicitly to compartmentalize the impact of phenomenological uncertainties
  - Each accident sequence was individually tracked to determine the full spectrum of final plant damage states

A HISTORICAL PERSPECTIVE ON PP&L SEVERE ACCIDENT STUDIES (CONTINUED)

o (1985-1987)
  - Worked to persuade IDCOR (later EPRI) to improve MAAP modeling: disputed core damage progression; recommended extensive improvements in geometric and phenomenological models
  - Adopted BWRSAR in preference to MAAP in 1987
  - Initiated efforts to improve CONTAIN and link it to BWRSAR as the basis for PP&L accident transient analysis
  - Received EPRI request to carry out a cooperative program using BWRSAR/CONTAIN in 1988
  - Contributed to EPRI commitment to release a research version of MAAP 4.0 in 1989 for use in IPE studies
o (1986-1988) Based on evaluations of prior work, developed the concepts of:
  - Defense in depth
  - Severe accident management
  - Risk management

A HISTORICAL PERSPECTIVE ON PP&L SEVERE ACCIDENT STUDIES (CONTINUED)

o (1987/1988) Improved the station blackout and ATWS transient analysis program to reflect improvements suggested by an S. Levy, Inc. review of PP&L ATWS studies
o (1988/1989) Developed a comprehensive computer program approach to risk analysis based on the support state method
  - Considers failure sequence, event timing and technical specification constraints
  - Dispositions each initiator and equipment failure combination to a full spectrum of plant damage states
  - Can analyze external events as well as internal events
  - The computation can readily be extended to Monte Carlo evaluation of input uncertainties
  - The methodology is totally transparent and results can be easily tested for sensitivity and credibility
o (1986-1988) Presented papers at ANS and NRC meetings on various aspects of PP&L studies
o (1988) Presented a two day seminar on the PP&L approach to risk assessment and risk management to several BWROG utilities
THE PP&L VIEW OF THE CURRENT STATUS OF SEVERE ACCIDENT ISSUES

o The WASH-1400 study was a monumental achievement of enormous importance, but:
  - The BWR representations were completely dominated by assumptions which should no longer be valid because of TMI-2 and ATWS related modifications
  - These assumptions are still generally present in BWR risk analysis and completely dominate the results
  - The focus on off-site consequence of WASH-1400 has had a detrimental influence on NRC and industry efforts to resolve severe accident concerns for the BWR
o The currently existing emphasis on deriving defensible (conservative) estimates of off-site consequence has resulted in:
  - An assessment of dominant accident sequences which is severely distorted and is almost entirely assumption driven
  - Obscuring the numerous operator actions which can dramatically reduce the probability of severe consequences
  - Shifting the focus of attention away from the proper center of attention to accomplish risk reduction (procedures, training, and performance), to areas of phenomenological research which represent sequences for which the conditional probability should be extremely low

THE PP&L VIEW OF THE CURRENT STATUS OF SEVERE ACCIDENT ISSUES (CONTINUED)

o A hierarchy of PRA experts has been created who are not truly expert in the area of BWR plant systems, BWR operations and BWR transient characteristics, and so they continue to perpetuate and defend an improper characterization of BWR risk
THE PP&L APPROACH TO RESOLUTION OF SEVERE ACCIDENT ISSUES

o PP&L believes that it is mandatory that the distinction between calculated and actual plant damage frequency be kept clearly in mind.
o EOPs and operator training must be based on realistic assumptions and calculations and not on conservatisms intended to compensate for deficiencies in the completeness or phenomenological modeling of our analysis.
o The result will be calculated plant damage frequencies which many will reject as intuitively not credible.
o For this reason, PP&L does not wish to use calculated frequency as a measure of acceptability of operation safety.
o PP&L has defined defense in depth criteria which assure:
  - A low frequency of plant damage
  - A low conditional probability of severe fission product release
  - Minimization of event sequences involving severe containment challenges
THE PP&L APPROACH TO RESOLUTION OF SEVERE ACCIDENT ISSUES (CONTINUED)

o The defense in depth strategy assures:
  - A requirement for very improbable, massive equipment failures to result in core or containment damage for design basis events
  - A requirement for at least two independent system failures to result in core or containment damage for non-design basis events of low probability (ATWS and station blackout)
  - A requirement for at least one additional system failure to result in reactor vessel failure given core damage for any accident sequence
  - A further requirement for at least one additional system failure to result in containment failure given either core damage or reactor vessel failure for any accident sequence
o This requirement is imposed for all credible event sequences for the plant, but with credible treatment of common cause failure and operator error
REQUIREMENTS FOR THE PP&L APPROACH

Several program elements are required to execute the PP&L approach to resolution:

o Accident transient analysis capability (success criteria and EOP validity)
o Computer risk analysis methodology (a comprehensive process focussed on plant and operator performance)
o Evaluation of EOP effectiveness against all accident sequences for the plant
o Programs to monitor equipment performance
o Programs to monitor operator performance (execution of EOPs)
o Demonstration of defense in depth for all accident sequences
o Feedback of evaluations and performance measurements into risk analysis
RATIONALE FOR THE PP&L APPROACH

o The defense in depth approach assures a very low frequency of any form of plant damage and an extremely low frequency of events having severe consequences for all known initiators and associated equipment failures.
o Use of these criteria allows PP&L to focus on the quality of plant design, equipment performance, EOPs, and operator training to demonstrate that the analytical basis for demonstrating defense in depth is valid.
o The process avoids the confusion and controversy involved in source term technology and off-site consequence analysis.
CONCLUSIONS AND RECOMMENDATIONS

o The dominant threats of severe accident damage to Susquehanna are almost entirely a consequence of support system design features.
o If EOPs are optimized and operators are trained in their use, the calculated frequency of plant damage can be very sharply reduced and the conditional containment failure probability can be greatly reduced.
o The contribution of the major source term phenomenological uncertainties can be shown to influence only a very small fraction of severe accident sequences.
o The most effective source of nuclear plant operational risk reduction is optimization of EOPs, operator training and low cost modifications to non-safety related equipment (with a potential for plant unique exceptions).
o We recommend that the NRC take a practical and pragmatic approach to advancing the performance of IPEs and considering utility recommendations for the opportunities for and the need for risk reduction.
o We strongly recommend that the NRC and the industry move toward development of more realistic risk analysis techniques which are not driven by conservative assumptions to evaluate operational risk.
The Influence of Conventional PRA Conservatisms on the Assessment of BWR Accident Sequences

P. R. Hill and C. A. Kukielka, Pennsylvania Power & Light Company

Abstract

The Susquehanna Steam Electric Station is a two unit BWR4 plant using a Mark II containment. These 3293 MWt units have been in operation since 1982 for Unit 1 and 1984 for Unit 2. PP&L has devoted considerable resources to evaluation of the plant's capability to survive severe equipment failures such as ATWS and Station Blackout. These studies not only considered such severe events, but also considered the effects of additional equipment failures. In the evaluations the unconventional use of plant equipment was considered in order to assure a minimum level of plant damage for each succeeding level of equipment failure considered.

In mid-1985 PP&L performed an Individual Plant Evaluation for Susquehanna using a modified version of the IDCOR IPE Methodology for the BWR plant. In the performance of the IPE the same principle of considering what could be done with existing equipment was followed for all initiating events. The result was a drastic reduction in the calculated frequency of plant damage and the severity of the damage in comparison with previous PRA results. We have examined our Emergency Operating Procedures to determine whether the operators could be expected to make use of the equipment as assumed and found that, with only a few problem areas, the actions would be indicated. Measurements of our operating crews' performance on simulator experiments to test the quality of our EOPs and training have indicated that we can expect our operators to utilize the full capabilities of the plant with a high degree of success. This expectation has led us to question the validity of several conventional PRA assumptions for the BWR plant. This presentation is intended to identify the most important of these and to demonstrate why we believe they are inappropriate for a plant with procedures that attempt to make maximum use of existing plant equipment.
The Primary PP&L Objective for Probabilistic Risk Assessment

The BWR4 plant has a wealth of redundancy in equipment to serve the three basic front line functions required to avoid damage to the plant. PP&L wishes to assure that our operators at Susquehanna will make optimal use of this equipment for any initiating event with any combination of additional equipment failures. Fulfilling this objective requires that a realistic analysis of all accident sequences be performed in order to determine the time available for operator action to use the equipment, the degree of success permitted by various equipment combinations, and the occurrence of unambiguous symptoms which will trigger the operator actions. In addition, it is necessary to have developed a comprehensive set of Emergency Operating Procedures (EOPs) which have considered all of the credible initiators that can threaten the plant.

The EOPs which result are quite complex and are vulnerable to misinterpretation because of ambiguities or excessive complexity. Complexity can be greatly reduced by use of a flow chart format which references the specific details for actions taken to supplemental written procedures. Ambiguity is addressed by testing operator performance in use of the EOPs in simulator exercises involving a variety of severe accident scenarios designed to exercise as much of the EOPs as possible. The effectiveness of the EOPs is determined by an analysis of the accident transient which considers the actions specified by the EOPs.

We believe that, with effective operator training, the contribution of operator failure to follow a procedural step will be dominated by equipment failure rates in all cases where adequate time is available to take the action. This view is supported by the results of the program of measurement of operator performance on the Susquehanna simulator. This level of performance is critically dependent on the organization and clarity of the EOPs and the thoroughness of operator training in their use.

The overall adequacy of plant equipment to respond to all credible initiating events is tested by application of a set of procedural and equipment defense in depth criteria. These criteria were presented at this meeting by R. A. Cushman in Session 6, Industry Safety Research. With the exception of a wetwell vent capability, PP&L has found that very simple, low cost modifications can be made to existing equipment to assure defense in depth can be met. Examples are: 1) provision for connection of the Fire Main System to the RHR Service Water System by fire hose, 2) connection of the SLCS boron solution tank to the RCIC suction by fire hose, and 3) provision of a back up AC generator for connection to battery chargers in long term Station Blackout events. The provision of a wetwell vent capability at Susquehanna that has acceptable characteristics appears to be a rather expensive modification, but the venting issue has not yet been resolved at PP&L.

This use of PRA techniques is much more important than use of it for conservative assessment of plant damage frequency and public risk. The use of realistic PRA as discussed above results in a very sharp reduction in calculated plant damage frequencies. We believe that the reduction is real, particularly with regard to protection of containment integrity.
Conventional PRA Conservatisms

If the process discussed in the previous viewgraph is adopted, many of the assumed causes of loss of a front line function found in conventional PRA treatments become unrealistic and lead to an improper view of the dominant accident sequences for the BWR4 plant.

ATWS represents a severe (but low frequency) threat to the BWR plant. Nevertheless, if the operator takes prompt response and anticipatory actions, given occurrence of ATWS, the expected frequency of severe consequences of ATWS can be held at an extremely low level. The first seven of the actions (and analysis assumptions) listed in this viewgraph represent actions which can assure a very high level of success at minimizing plant damage as a result of an ATWS event. While time is limited for operator response in ATWS events, our analysis shows that the most frequent ATWS event of a serious magnitude is the result of a single Scram Discharge Volume failure which results in the rods on only one side of the core failing to insert. The reduced power generation of this type of ATWS provides sufficient time for operator action to assure a very high level of success even for isolation events in which SLCS or HPCI fail. The operator actions are important as follows.

1) Timely SLCS initiation terminates the threat of the ATWS event and assures shutdown without plant damage.
2) Actions to control water level are minimized at Susquehanna and require only HPCI to run at full flow in isolation events or feedwater run back to an equivalent flow in non-isolation events.
3) Depressurization to the 150 to 200 psia range is required for power reduction if SLCS fails. This power reduction allows time for manual insertion of 46 control rods to reach hot shutdown.
4) Since high pool temperatures may be reached, prevention of HPCI suction transfer or high back pressure trip is important (but not essential) to minimize the threat of inadequate core cooling or severe reactivity transients.

With these provisions, the frequency of plant damage from ATWS is sharply reduced and the dominant form of plant damage is postulated mechanical clad damage resulting from reactivity excursions or unstable operation in a low pressure regime. The level of success is also very high even for full ATWS events where time constraints are much shorter. While mechanical clad damage is postulated to be nearly certain unless SLCS functions properly, containment over pressure failure is always avoided except in cases of very massive equipment loss.

Similar results can be achieved for Station Blackout by: 1) assuring adequate CST inventory for vessel injection, 2) stripping non-essential DC loads or by backing up the DC supply, and 3) early depressurization to prepare for vessel injection from the Fire Main System in the event of HPCI or RCIC failure.

Similar improvements can also be made for transients by: 1) utilization of alternate water sources, 2) use of alternative depressurization methods, and 3) use of RWCU blowdown mode for decay heat removal in sequences which benefit from such actions.

Finally, it is essential to avoid unrealistic treatment of common mode failure. We believe that loss of redundant system function is dominated by one division being out of service for maintenance accompanied by independent failures in the other division or by loss of common support systems such as loss of all AC power in Station Blackout.
BWR Front Line Functions The first three functions listed in the viewgraph are the basic BWR front line functions, which, if satisfied, will assure safe shutdown of the plant with no plant damage.
There are a variety of plant systems which can satisfy the requirements of these functions.
When severe accidents are to be considered, it is important, in addition, to consider a fourth "front line function" that will stabilize the core debris and halt the damage progression even when the prime function of reactor vessel make up has initially failed.
Most important is terminating the damage progression prior to reactor vessel failure.
PP&L uses the ORNL BWRSAR code and criteria developed by Steve Hodge and his coworkers at ORNL for determining the level of success for this objective.
If in-vessel termination cannot be assured, actions can be taken to flood the drywell floor before vessel failure and to operate drywell sprays or vessel injection sources after vessel failure to reduce the threat of core debris to the containment integrity.
PP&L intends to use the CONTAIN code recently acquired from Sandia National Laboratories for these calculations.
This code is not yet operational at PP&L, but preliminary information obtained from various investigations of the behavior of core debris falling into the under-pedestal region, in combination with the available equipment, leads us to expect a high level of success in protecting containment integrity even in this severe condition of the plant.
Event Codes
The complexity of the next two viewgraphs has made it necessary to provide a separate list of the event codes necessary to interpret the tables.
This viewgraph presents the codes for constraints on availability of systems and defines the events which have been considered.
While this list is not complete it does include the most important and the most severe event types in order to demonstrate the influence of the event type on equipment availability and effectiveness.
Front Line Function: Vessel Make Up
In this viewgraph a matrix of the front line systems which can supply make up to the reactor vessel are listed down the left hand side of the matrix and the various events which can challenge these systems are listed across the top.
Unavailability of a system for a given event is depicted by a blank space.
Systems which are available are denoted by a letter code which denotes various considerations related to the availability.
A variety of quantitative information is given in this viewgraph, including 1) the number of components available, 2) the number of components required to perform the function, 3) the frequency of the various events, and 4) the unavailability or failure rate of the front line systems where applicable.
Examination of this matrix quickly shows that loss of vessel make up capability is an extremely improbable event for all transients, LOCAs, and loss of off site power.
Except for the low pressure ECCS injection permissive, which reduces 8 pumps with 4 independent power sources to an unavailability of 10[...], there are no important common cause losses of equipment to threaten inadequate core cooling except loss of all AC power, Station Blackout.
Even in this case, however, there are two independent reactor steam driven pumping systems available which, when combined with the low frequency of the Station Blackout event, result in a core damage frequency in the 10[...] range.
The causes of core damage in Station Blackout in the long term are sharply reduced by operator actions to avoid them.
These include:
1) back up of DC power, 2) early depressurization and connection to the Fire Main System to permit injection if HPCI and RCIC are lost after the first hour, 3) addition of water to the suppression pool from the Fire Main System to reduce the rate of pressure increase in the containment due to pool heat up, and 4) operation of the wetwell vent as a last resort to preserve containment integrity.
Even in the case of HPCI/RCIC failure to start (the dominant core damage sequence) the Fire Main connection can save the reactor vessel and greatly reduce the threat to containment integrity.
Inadequate core cooling in transients, LOCAs, and ATWS is believed to be a much less probable occurrence due to the numerous systems available which can provide adequate make up flow.
The primary risk in these sequences is believed to involve ATWS sequences in which reactor depressurization is required while the reactor is still critical and at power levels well above the decay heat level.
Our concern in such cases, however, is postulated mechanical clad damage due to reactivity transients rather than inadequate core cooling.
Assurance that operators will properly make use of the equipment available for the events shown here must be the first priority in structuring EOPs, operator training, and evaluation of plant capabilities.
The Susquehanna IPE contains detailed descriptions of the various actions, commonalities, and success criteria for this function.
Front Line Functions: Decay Heat Removal and Reactor Shutdown
The system-event matrix for the front line functions Decay Heat Removal and Reactor Shutdown is presented in this viewgraph.
For Decay Heat Removal (DHR) a response action used when normal systems are unavailable has been included.
This action involves adding water to the suppression pool by means of any one of several systems which can do this.
The primary purpose of this action is to avoid the necessity of venting and to provide time to reacquire the condenser or suppression pool cooling capability.
In the case of transients this can extend the time to venting pressure out to beyond 40 hours and the time to containment failure out to about 60 hours, given no core damage.
This capability can greatly enhance the likelihood of regaining suppression pool cooling capability.
This capability combined with the introduction of RWCU blowdown for transient events virtually eliminates the need to vent as a response to loss of other forms of Decay Heat Removal.
The addition of mass to the pool also provides a greatly increased time margin for operator action in other events and can be particularly important for Station Blackout and ATWS.
Use of this capability for full ATWS cases with failure of SLCS to inject boron would virtually assure operator success at reaching hot shutdown before reaching containment failure pressure.
If this is also reinforced by operation of full suppression pool cooling capability and operation of the wetwell vent, even greater time margin can be provided.
The acceptability of venting during degraded ATWS sequences is still under investigation at PP&L since mechanical clad damage and noble gas release are possible early in the event.
The limiting accidents for Decay Heat Removal are clearly Station Blackout and ATWS.
The threat from transient events is clearly negligible as a consequence of the redundant and diverse means of Decay Heat Removal.
In the case of Station Blackout, AC power recovery becomes the prime objective for recovering DHR, with wetwell venting being a last ditch action.
In the case of ATWS the hierarchy of actions to achieve adequate DHR capability involves reducing the heat generation rate by injecting boron or, failing that, by manual rod insertion.
Reactor pressure reduction, suppression pool mass addition, and possibly wetwell vent operation can all extend the time available to succeed at these actions.
As a result of these capabilities a proper set of EOP instructions and operator training in their use can sharply reduce the greatest threats to containment integrity from Station Blackout and ATWS.
In the case of achieving Reactor Shutdown, one additional capability exists at Susquehanna: connecting the RCIC suction to the SLCS boron solution tank by means of a fire hose.
While this capability exists it is very time consuming due to the physical elevation separation of these systems and requires on the order of one to two hours to make the connection.
Nevertheless, this capability could be extremely important in severely degraded cases where CRD pumps were not available.
The preceding discussion has shown that considerable capability exists in the BWR-4 plant to achieve a dramatic reduction in the calculated values of plant damage frequency and a reduction in the severity of that damage in comparison with conventional PRA treatment of the BWR plant.
Accomplishing such a reduction does impose strict demands on the quality and comprehensiveness of EOPs and operator training in their use.
This process will require far more realism and rigor in the calculation of accident transients and the translation of the information derived into practical and demonstrably effective EOPs.
In addition to developing procedures strictly directed toward avoiding core damage, the process must be extended to terminating the damage progression, preferably in-vessel.
It is important to test the procedures and operator capability for execution of them using a plant simulator if possible.
Only in this way can it be determined that the EOPs will actually result in the operator actions envisioned when they were written. It is by far the most effective way to assure the absence of ambiguity, the practicality of the procedures, and the adequacy of the operator's knowledge to use them effectively.
While this approach imposes a heavy demand on the analytical, documentation, and training capabilities of the organization, it is by far the most credible, dependable, and cost effective approach to true operational risk reduction for a nuclear plant.
RISK MANAGEMENT FOR THE BWR PLANT
Robert A. Cushman,* Paul R. Hill,* Herschel Specter* (Source Term Committee, EPRI Safety Technology Task Force) and Ian B. Hall (Nuclear Power Division, Electric Power Research Institute)
ABSTRACT
The operational risk from a BWR plant can be significantly reduced by implementing a program which incorporates the elements of:
1) Emergency operating procedures (i.e., accident management);
2) Operator training;
3) Transient analysis;
4) Risk analysis; and
5) Plant and operator performance monitoring.
Large reductions in the calculated core melt and containment failure frequencies, relative to more standard PRA numbers, appear to be justified by the methodology presented herein.
The methodology is based on employing realistic, rather than "conservative", assumptions in analysis; maximizing the use of available plant equipment (safety and non-safety related);
taking full credit for operator actions in carrying out well developed EOPs as a consequence of simulator training; and utilizing improved analytical techniques which more adequately describe core melt progression (thus helping to identify "success paths" and develop EOPs).
Introduction
This paper presents the views of four persons associated with the Source Term Committee of the EPRI Safety Technology Task Force who are actively interested in the issue of risk management; it should not be inferred that it necessarily presents the views of their organizations.
The process of risk analysis described here has been applied to a BWR-4 plant, and the use of the defense-in-depth criteria has resulted in the calculated low frequency of core damage.
These results can be taken as illustrative, but not generic.
The risk management process advocated, however, does have generic application.
* Company affiliations, for identification only, are: R. A. Cushman, Niagara Mohawk Power Corporation; P. R. Hill, Pennsylvania Power & Light Company; H. Specter, New York Power Authority.
Nuclear Plant Operational Risk
This view graph presents and describes the three program elements which are essential to a demonstrable level of control of the magnitude of nuclear plant operational risk and describes the objectives of each of the three elements.
In the discussion which follows, only the BWR plant will be considered.
The three program elements described may be viewed as a "defense-in-depth" strategy for limiting the magnitude of BWR plant operational risk in that:
1) Risk Management is intended to assure the lowest level of public risk achievable with a given plant,
2) Accident Management is intended to assure a minimum level of plant damage given the occurrence of an initiating event and any combination of independent equipment failures, and
3) Emergency Management is intended to minimize the off-site health consequences if items 1) and 2) above fail to prevent a release of radioactive material to the environment.
This presentation shall focus attention on the approach to assure effectiveness of the first two of these three program elements. Previous and current evaluations of risk associated with nuclear plant operations have considered the third of these three elements by conservatively determining the magnitude of radioactive material release from severe accidents and the effectiveness of emergency procedures.
It should be noted that the risk to the public health and safety, represented by the release of radioactive material from severe accidents is consistently being calculated to be within the NRC's safety goals.
Risk management is important in reducing that risk; it is also important in reducing the risk to plant investment, a risk that could remain even if no radioactive material were released in the event of a severe accident.
Utility management should endorse and utilize operational risk management to reduce risk in both these areas.
The various requirements imposed by the NRC particularly since the TMI-2 accident have resulted in creating Emergency Plans for protection of the general public should a severe accident occur at an operating plant.
The NRC requirements have also provided a considerable portion of what is required for Risk Management and Accident Management including:
1) control room enhancements, 2) implementation of symptom based Emergency Operating Procedures (EOPs), and 3) periodic operator training in use of EOPs.
The BWR Owners' Group development of Emergency Procedure Guidelines (EPGs), from which BWR plant EOPs are derived, has been found to result in a near optimal set of EOPs to exploit all plant capability for avoiding or minimizing plant damage, provided the unique characteristics of a plant are considered in the development of the plant's EOPs.
The Risk Management Process
This view graph is intended to represent the risk management process.
This is a continuous, or cyclic, process which must be carried out to reflect 1) changes in equipment or procedures, 2) the effectiveness of operator training, 3) changes in equipment or operator performance, and 4) new phenomenological data or improved analytical models. Effective implementation of this process imposes new and more stringent requirements on the risk analysis process, and requires implementation of an accident management process.
The overall objectives of this process are to assure that:
1) the entire available capability of the plant will be effectively utilized to avoid or minimize plant damage that could result from any initiating event in combination with any number of independent equipment failures,
2) procedures will achieve a very high success rate in utilization of available plant capability,
3) operator training will result in a minor contribution to plant damage frequency due to operator failure to correctly follow and execute these procedures, and
4) changes in equipment, procedures, or training will not lead to degraded performance over a long period of time.
These objectives then imply a need to carry out the risk analysis process in the most realistic manner possible.
The use of simplifying conservative assumptions is not acceptable.
The use of realistic analyses is superior to simplified conservative analyses in identifying operator actions and their timing that could successfully terminate an accident. Each accident transient must be calculated as accurately and realistically as possible in order to determine the time available for operator response actions, the level of success to be expected from operator actions, and the availability of unambiguous symptoms to assure that operators will take the necessary actions.
The purpose of the risk analysis is not to derive a conservative estimate of plant damage frequencies but is to determine the effectiveness of the plant Emergency Operating Procedures and the capability of the operators to successfully execute those procedures.
The most important aspect of this process is the measurement of actual performance of plant equipment and operator performance in execution of EOPs for comparison with target values established to control the calculated frequency of plant damage.
Deviations from the target values would be used to identify where maintenance programs, procedures, or operator training need improvement.
The Risk Management Process (Continued)
A set of defense-in-depth criteria governing both equipment and procedures is applied to each individual accident sequence.
These criteria, in combination with the use of symptom based EOPs, provide a high level of assurance that the likelihood of severe consequences from any accident will be extremely low.
Required Characteristics of the Risk Analysis
For risk management purposes, the objective of risk analysis is not to derive an estimate of plant damage frequency or public risk.
The purpose is to realistically test the adequacy of plant facilities, EOPs, and operator capability to respond to any combination of initiating events and equipment failures to minimize damage to the plant.
This latter objective imposes far more stringent demands on the risk analysis process and the nature of accident transient calculations for accuracy and realism in the results.
Operator actions to respond to an accident, to recover failed equipment, and to prevent avoidable loss of essential equipment are extremely important in assuring that plant damage frequency and public risk have been minimized.
Full exploitation of the operator's capability in this regard results in a two-decade reduction in plant damage frequency in comparison with traditional risk analysis models.
The most important aspect of this reduction, however, is the influence on the conditional containment failure probability (given core damage), which is on the order of a one to two decade reduction.
To achieve this gain requires the development of a carefully prepared and thoroughly tested set of EOPs and comprehensive training of operators in their use.
It may also be necessary to correct some deficiencies in plant equipment which degrade the capability for or prevent operator actions.
Examples of such improvements might be:
1) provision of backup inventory to the condensate storage tank (CST), and 2) extension of DC power endurance in Station Blackout.
The ability to quantify the degree to which operators act successfully requires transient calculations which identify the plant symptoms, prompt the necessary operator response, and give realistic estimates of the time available for such action.
Operator training in the use of these procedures is of fundamental importance in achieving the level of frequency reduction cited for core damage and containment failure.
For example, in the case of ATWS, operator actions may be shown to be extremely effective at avoiding containment overpressure failure, to a level determined almost entirely by equipment failure.
If, however, the operator does not recognize ATWS or is unaware of the various action alternatives available to him and the associated time constraints, the rate of containment failure may be increased by as much as four to five decades.
Required Characteristics of the Risk Analysis (Continued)
For this reason, risk analysis must explicitly consider the quality and character of the plant EOPs, the level and quality of operator training, and the constraints imposed on plant operation by Technical Specifications.
The Technical Specification constraints are important to specific event sequences and can have a decade or more influence on the resulting plant damage frequency.
There are currently a number of phenomenological issues which have very large uncertainties associated with them, for example the core-concrete interaction phenomena.
If an effective risk management process is applied, however, the fraction of plant damage events which involve core-concrete interaction can be shown to be small.
For this reason, the tabulation of results of the risk analysis must have the capability of segregating sequences which have such high impact, high uncertainty characteristics.
This is important not only to avoid obscuring the effectiveness of plant equipment, procedures, and operator actions in responding to the great majority of plant accident sequences, but also to determining the impact of various response strategies on these high uncertainty sequences.
Defense-in-Depth Criteria (Frequency and Equipment)
This view graph presents recommended criteria for plant equipment defense-in-depth.
If these criteria are satisfied for all accident sequences, a very low frequency of plant damage is calculated, as is an extremely low frequency of significant off-site consequence.
The reasons for this are:
1) the frequency of initiators combined with sufficient equipment failures to lead to core damage will be on the order of 3x10^-7/Ry for all contributions combined,
2) given that core damage has occurred, the conditional probability of sufficient additional failures resulting in reactor vessel failure will be on the order of 10^-2,
3) given that reactor vessel failure has occurred, the conditional probability of containment failure will be on the order of 10^-1,
4) given that reactor vessel failure has not occurred, the conditional probability of containment failure will be on the order of 10^-3 or less, and
5) given that core damage does not occur, the frequency of containment overpressure failure will be on the order of 3x10^-9/Ry.
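How these order-of-magnitude criteria combine is easiest to see when they are pushed through the event tree explicitly. The following Python is an added worked example, not code from the paper or from PP&L or EPRI; the Criteria class, the function names and the five-way binning of end states are assumptions introduced for illustration, while the input values are the ones quoted in the criteria above. With those inputs, containment failure accompanied by core damage comes out near 6x10^-10/Ry, the no-core-damage overpressure term contributes 3x10^-9/Ry, and the total containment failure frequency is about 3.6x10^-9/Ry, the order of magnitude the paper quotes.

```python
"""Event-tree roll-up of the defense-in-depth frequency criteria.

Added worked example; not code from the paper or from PP&L/EPRI.
It propagates the order-of-magnitude targets quoted in the text through
a small event tree (core damage -> vessel failure -> containment failure)
and returns the frequency of each resulting plant damage state.
The Criteria class, the field names and the end-state binning are
assumptions introduced here for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Criteria:
    cdf: float               # core damage frequency, events per reactor-year (/Ry)
    p_vf_given_cd: float     # P(reactor vessel failure | core damage)
    p_cf_given_vf: float     # P(containment failure | vessel failure)
    p_cf_given_no_vf: float  # P(containment failure | core damage, vessel intact)
    f_op_no_cd: float        # containment overpressure failure with no core damage, /Ry


# The figures stated in the paper's defense-in-depth criteria.
PAPER = Criteria(
    cdf=3e-7,
    p_vf_given_cd=1e-2,
    p_cf_given_vf=1e-1,
    p_cf_given_no_vf=1e-3,
    f_op_no_cd=3e-9,
)


def end_state_frequencies(c: Criteria) -> dict[str, float]:
    """Frequency (/Ry) of each end state of the event tree."""
    f_vf = c.cdf * c.p_vf_given_cd              # core damage that proceeds to vessel failure
    f_no_vf = c.cdf * (1.0 - c.p_vf_given_cd)   # core damage arrested in-vessel
    return {
        "CD, vessel intact, containment intact": f_no_vf * (1.0 - c.p_cf_given_no_vf),
        "CD, vessel intact, containment failed": f_no_vf * c.p_cf_given_no_vf,
        "CD, vessel failed, containment intact": f_vf * (1.0 - c.p_cf_given_vf),
        "CD, vessel failed, containment failed": f_vf * c.p_cf_given_vf,
        "no CD, containment overpressure failure": c.f_op_no_cd,
    }


def containment_failure_frequency(c: Criteria) -> float:
    """Total containment failure frequency (/Ry), with or without core damage."""
    f = end_state_frequencies(c)
    return sum(v for k, v in f.items()
               if "containment failed" in k or "overpressure" in k)


def p_containment_failure_given_cd(c: Criteria) -> float:
    """Conditional probability of containment failure given core damage."""
    f = end_state_frequencies(c)
    with_cd = (f["CD, vessel intact, containment failed"]
               + f["CD, vessel failed, containment failed"])
    return with_cd / c.cdf


if __name__ == "__main__":
    for state, freq in end_state_frequencies(PAPER).items():
        print(f"{state:42s} {freq:9.2e} /Ry")
    print(f"total containment failure:  {containment_failure_frequency(PAPER):.2e} /Ry")
    print(f"P(containment failure | CD): {p_containment_failure_given_cd(PAPER):.2e}")
```

Because the five end states partition the initiating frequencies, the sum of the core-damage states equals the core damage frequency exactly; this is a useful sanity check whenever the conditional probabilities are changed to test a different equipment or procedural assumption.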
Defense-in-Depth Criteria (Frequency and Equipment) (Continued)
These results are a direct consequence of meeting the defense-in-depth criteria, the frequency of the initiators which can potentially lead to plant damage if sufficient equipment fails, and the inherent unavailability of the various systems which must fail to lead to one of the results listed above.
Procedural defense-in-depth criteria assure optimal use of all plant equipment in order to achieve these results, and operator training assures a minor contribution to plant damage frequency as a result of operator failure to follow procedures correctly.
Overall, this approach to severe accident response results in a calculated core damage frequency on the order of 3x10^-7 yr^-1 and a containment failure with core damage on the order of 3x10^-9 yr^-1 for the BWR-4 plant.
This result does depend on utilization of all available plant systems in response to an accident, execution of important anticipatory actions to avoid or accommodate additional equipment failures, and availability of a reliable wetwell vent.
Lack of wetwell vent capability could increase the containment failure frequency by one to two decades.
Absence of a wetwell vent capability, however, would be found to result in violation of the defense-in-depth criteria for important accident sequences.
Both the core damage frequency and the containment failure frequency could be influenced by as much as one decade by differences in emergency service water system design, inability to back up CST inventory, inability to extend DC power availability, or inability to utilize unconventional vessel injection sources such as injection from the Fire Main System.
The checking of all accident sequences against defense-in-depth criteria, both procedural and equipment, clearly identifies any important contributions resulting from either procedural deficiencies or from inability to make unconventional use of plant equipment in severe accident situations.
The EOPs can then be revised to correct any deficiencies.
Defense-in-Depth Criteria (Procedures and Instrumentation)
The defense-in-depth criteria for procedures are important to assure optimal use of plant equipment.
For some accident sequences the consequences of the accident may lead to an unnecessary loss of equipment, for example loss of HPCI due to high suppression pool temperature in ATWS.
This loss may be prevented simply by not allowing the suction transfer from CST to suppression pool and by backing up the CST inventory to avoid its depletion.
The procedural criteria are important to assuring effectiveness of the equipment criteria.
The final criterion, relating to instrumentation, is important to assure that the actions called for by procedures will actually be executed.
In the absence of a symptom requiring the action, it is unlikely that the action will be taken.
Defense-in-Depth Criteria (Frequency and Equipment) (Continued)
These defense-in-depth criteria in combination with the symptom based EOPs are believed to provide a high degree of protection against known accident sequences.
While the calculated value of the frequency of these sequences may be optimistic as a consequence of a lack of completeness in the modeling of plant dependencies and interactions, the effectiveness of the operator actions is nevertheless valid.
For this reason, the plant damage frequency and degree of public risk derived by this approach is believed to be the best assessment of the actual risk associated with the plant operations.
The use of arbitrary conservatisms to attempt to compensate for a lack of completeness does not result in a more credible evaluation, may obscure the true nature of the dominant risk contributors, and may obscure success paths available to the operator.
Severe Accident Management
If the risk management process previously described is implemented for a plant, an effective severe accident management program will result.
The definition of severe accident management provided in this view graph states that the EOPs are the source of guidance for response to an accident.
The risk management process assures that EOPs are developed that are comprehensive and provide the optimal response to any event sequence considered in the risk assessment.
The EOPs must provide the operators with complete directions on the actions necessary to stabilize the plant.
Effective advice from outside the control room is not likely within the first hour or two of the accident, since some time is required for staffing the Technical Support Center and Emergency Operations Facility and for bringing the personnel up to speed on the plant status.
In most BWR accident sequences the critical actions must all be taken within the first hour or so of the accident, so that outside assistance should not be depended upon for accident mitigation.
The primary role of these external resources must be the implementation of the Emergency Plan and the planning and execution of recovery actions once the operators have stabilized the plant.
In a case where the operators can no longer influence the plant from the control room, perhaps because of loss of habitability, these external resources may be used to develop and execute coping actions to bring the plant back to a safe condition.
Thus, the EOPs represent the severe accident management process in that they must be designed to make optimal use of the plant equipment to avoid or minimize damage to the plant.
This definition is important since any less stringent definition will leave the plant vulnerable to improper response during the critical first hour or two of a severe accident sequence.
Potential Accident Trajectories
There appears to be much confusion over the issue of severe accident management and what objectives should be set for it.
The diagram on the view graph is intended to define the various phases which can occur in the accident sequences for a plant.
The limits on the definition for Severe Accident Management and EOP applicability are presented in the form of a time line for potential accident sequences in the view graph.
The EOPs govern actions taken during those portions of potential accident sequences labeled AB and AC.
In the case of the segment AC stabilization and control of the plant are eventually re-established by control room actions, although in some cases with varying degrees of plant damage up to, but not including, the point of containment failure.
Venting could take place during the segment AC in order to avoid uncontrolled failure of the containment.
Upon reaching point C, a period begins during which recovery actions are initiated.
These are actions which would re-establish long term safe conditions in the plant.
In a sequence where little or no plant damage is sustained recovery could involve refurbishing as needed for continued operation of the plant.
In cases such as TMI-2, it could involve clean up of fission products and removal of fuel in preparation for decommissioning of the plant.
In all cases, the EOPs completely govern the time segment AC, but do not apply over the time period CD.
There are currently no formal programs or procedures defined for the segment CD other than the Emergency Plan.
That plan, however, primarily addresses communications, evacuation, and monitoring of radioactive material releases.
The alternative time line, AB, represents an accident sequence where control of the plant cannot be regained by application of the EOPs, usually as a consequence of massive levels of equipment failure.
In those cases containment would fail, either with or without prior core damage, and control room habitability would be lost.
In cases where no core damage had occurred, the possibility of core damage resulting from consequential loss of equipment would require consideration.
In such cases, it is likely that control room occupancy and reactor building access would be lost so that further actions would be initiated from outside the control room.
At the point where control room actions are no longer effective or cannot be taken, the EOPs are no longer applicable to defining the actions to be taken.
Currently, we have defined the actions to be taken during the time segment BC to be coping actions.
As in the case of recovery actions, no formal programs or procedures have been defined other than the general provisions for activation of the EOF and General Office support.
By the nature of the situation in such cases, a formal definition of actions to be taken to bring about stabilization and control will be difficult to develop.
The view graph then defines the time period for Severe Accident Management (segments AC and AB only),
and the EOPs fully define the actions to be taken during those time periods.
The EOPs, therefore, are by definition the Severe Accident Management program, and it is essential that plant specific EOPs be developed.
Emergency Operating Procedures
In order to fulfill the objectives of the Risk Management and Severe Accident Management process, it is necessary to impose a number of requirements on the EOPs.
The view graph lists the requirements which are important to development of effective procedures.
The symptom based procedures have an important disadvantage: in most accident sequences it is necessary to follow through several branches of the procedures simultaneously.
This process can be simplified by use of a flow diagram structure for the EOPs, but, even so, the wording and organization of the flow charts are critically important for effective use by operators.
Testing the effectiveness of the procedures by simulator exercises has been found to be an excellent means for discovering and eliminating ambiguities in the flow charts.
Another helpful practice is to use supplemental procedures external to the flow charts for those actions which are not time constrained.
This permits a considerable reduction of the volume of information which must be included on the flow charts and therefore enhances the ease of following the procedures involved.
In the best situation, however, the EOPs remain complex and challenging.
For this reason rigorous operator training on the use of EOPs reinforced by periodic re-training is an essential element to assuring a high degree of reliability in operator performance in use of the EOPs.
Summary
The Risk Management Process for the BWR imposes special requirements on [...] and, in addition, requires monitoring of unavailability of equipment and operator performance in execution of and knowledge of EOPs.
The EOPs must consider all initiators in combination with any degree of equipment failure and assure utilization of all available plant facilities to minimize the degree of plant damage. In this process it is essential to account for operator recovery and repair actions. Realistic estimates of recovery and repair times must be used in combination with realistic estimates of available time for success.
The success criteria used in the risk analysis must distinguish a full range of plant damage states which must include:
1) core damage only,
2) core damage with reactor vessel failure only,
3) wetwell venting in combination with no core damage and with 1) and 2) above,
4) containment overpressure failure with no core damage and with 1) and 2) above, and
5) containment drywell overtemperature failure with 2) above.
Page 17
Summary (Continued)
This degree of resolution in plant damage states permits events having very high uncertainty, or a controversial basis, to be segregated from the general array of plant damage sequences, but imposes more severe demands on the supporting transient analysis both in terms of the number of calculations and the realism of the calculations.
It is particularly important to derive and apply criteria for halting the core damage progression before reactor vessel failure and for stabilizing core debris on the drywell floor before thermally induced failure of containment integrity.
Application of these criteria in turn requires a higher degree of accuracy in describing the core degradation processes, the reactor vessel failure process, and the phenomena which govern the behavior of core debris falling into the under-pedestal region.
The benefits from this process are a very large reduction in the calculated and actual frequency of plant damage and public risk.
This reduction far exceeds what can be achieved with even major plant equipment modifications with the exception of a wetwell vent.
The actual value and risks associated with the wetwell vent have not yet been adequately quantified, but the results that are currently available indicate that it can sharply reduce the frequency of containment overpressure failure due to loss of decay heat removal systems.
Such failures are of great concern since consequential loss of equipment could lead to inadequate core cooling and core damage.
The process can also be used to isolate and focus attention on those accident sequences which involve controversial phenomena or very high uncertainty.
This is important because such sequences tend to be those having the most severe consequences, but also tend to be those having the lowest calculated frequencies.
The proposed risk analysis process will permit such sequences to be placed in a much clearer perspective and permit a more accurate and effective assessment of the appropriate measures to be taken.
Finally, we see this Risk Management Process as a rational approach to resolution of the severe accident issue.
It would utilize actual plant operating experience (supported by generic data only when needed) to characterize the calculated value of plant damage frequency and would clearly identify the important contributors to the calculated value.
While we believe that calculated values are optimistic because of dependencies or interactions not known and considered, we believe the defense-in-depth concept in combination with comprehensive EOPs and thorough operator training offers the best possible defense against all accident sequences including those which may have been overlooked because of a missed dependency or interaction.
Further, we believe that this approach is by far the most effective application of resources for true risk reduction.
Page 19