ML18152A124
| ML18152A124 | |
| Person / Time | |
|---|---|
| Site: | Surry  |
| Issue date: | 06/01/1996 |
| From: | Edison G NRC (Affiliation Not Assigned) |
| To: | Ohanlon J VIRGINIA POWER (VIRGINIA ELECTRIC & POWER CO.) |
| References | |
| NUDOCS 9606100122 | |
| Download: ML18152A124 (26) | |
Text
UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 Mr. J. P. O'Hanlon Senior Vice President - Nuclear Virginia Electric and Power Company 5000 Dominion Blvd.
Glen Allen, Virginia 23060
Dear Mr. O'Hanlon:
June 01, 1996
SUBJECT:
DRAFT REPORT FOR 1982-83 PRECURSORS - SURRY POWER STATIONj UNITS 1 AND 2 Enclosed for your information are excerpts from the draft Accident Sequence Precursor {ASP) Report for 1982-83 precursors. This report documents the Accident Sequence Precursor {ASP) Program analyses of operational events which occurred during the period 1982-83.
We are providing the appropriate sections of this draft report to each licensee with a plant which had an event in 1982 or 1983 that has been identified as a precursor.
At least one of these precursors occurred at the Surry Power Station. Also enclosed for your information are copies of Section 2.0 and Appendix A from the 1982-83 ASP Report.
Section 2.0 discusses the ASP Program event selection criteria and the precursor quantification process; Appendix A describes the models used in the analyses.
We emphasize that you are under no licensing obligation to review and-comment on the enclosures.
The analyses documented in the draft ASP Report for 1982-83 were performed primarily for historical purposes to obtain the two years of precursor data for the NRC's ASP Program which had previously been missing.
We realize that any review of the precursor analyses of 1982-83 events by affected licensees would necessarily be limited in scope due to: (1) the extent of the licensee's corporate memory about specific details of an event which occurred 13-14 years ago, (2) the desire to avoid competition for internal licensee staff resources with other, higher priority work, and (3) extensive changes,in plant design, procedures, or operating practices implemented since the time period 1982-83, which may have resulted in significant reductions in the probability of (or, in some cases, even precluded) the occurrence of events such as those documented in this report.
The draft report contains detailed documentation for all precursors with conditional core damage probabilities~ 1.0 x 10-5
- However, the relatively large number of precursors identified for the period 1982-83 necessitated that only summaries be provided for Rrecursors with conditional core damage probabilities between 1. 0 x 10-and 1. O x 10-5
- We will begin revising the report about May 31, 1996, to put it in final form for publication.
We will respond to any comments on the precursor analyses which we receive from licensees. The responses will be placed in a separate
(- _ s:tion of t~e final report~ The Virginia Electric and Power Company is o~('O \\ v \\
9606100122 960601
~DR ADOCK 0500~~~0 W~I~ [r~!JE C[E!~TEI tOfPV
e.
Mr. J. P. O'Hanlon distribution for the final report. Pl~ase contact me at (301) 415-1448 if you have any questions regarding this letter. Any response to this letter on your part is entirely voluntary and does not constitute a licensing requirement.
Docket Nos. 50-280 and 50~281
Enclosures:
Sincerely, (Original Si~ned By)
Gordon E. Edison, Senior Project Manager Project Directorate II-1 Division of Reactor Projects - I/II Office of Nuclear Reactor Regulation
- 1. Section 8.16, "Precursor Analysis of 11/18/83 Reactor Trip with AFW Pump Inoperable."
- 2. Section C.12, "Summary of Precursor Analysis of 2/11/83 Reactor Trip with AFW Pump Inoperable."
- 3. Section 2, "Selection Criteria and Quantification."
- 4. Appendix A, "ASP Models."
cc w/enclosures:
See next page Distribution
""Jiamret:-c-F.-i~le-..
PUBTif-'~:'i'>
PDII-1 RF SVarga JZwolinski OGC ACRS FILENAME - C: AUTOS\\WPDOCS SURRY OFFICE NAME DATE D: PDII-1 Eimbro /Ell.-
05/~l /96 COPY o
- Yes~.
OFFICIAL RECORD COPY
e Mr. J. P. O'Hanlon Virginia Electric and Power Company cc:
Mr. Michael W. Maupin, Esq.
Hunton and Williams Riverfront Plaza, East Tower 951 E. Byrd Street Richmond, Virginia 23219 Mr. David Christian, Manager Surry Power Station Virginia Electric and Power Company 5570 Hog Island Road Surry, Virginia 23883 Senior Resident Inspector Surry Power Station U.S. Nuclear Regulatory Commission 5850 Hog Island Road Surry, Virginia 23883 Chairman Board of Supervisors of Surry County Surry County Courthouse Surry, Virginia 23683 Dr. W. T. Lough Virginia State Corporation Commission Division of Energy Regulation P. 0. Box 1197 Richmond, Virginia 23209 Regional Administrator, Region II U.S. Nuclear Regulatory Commission 101 Marietta Street N.W., Suite 2900 Atlanta, Georgia 30323 Robert B. Strobe, M.D., M.P.H.
State Health Commissioner Office of the Commissioner Virginia Department of Health P.O. Box 2448 Richmond, Virginia 23218 Surry Power Station Office of the Attorney General Commonwealth of Virginia 900 East Main Street Richmond, Virginia 23219 Mr. M. L. Bowling, Manager Nuclear Licensing & Operations Support Innsbrook Technical Center Virginia Electric and Power Company 5000 Dominion Blvd.
Glen Allen, Virginia 23060 Mr. Al Belisle U.S. Nuclear Regulatory Commission 101 Marietta Street, N.W. Suite 2900 Atlanta, Georgia 30323-0199
B.16-1 B.16 LER No. 281/83-055 Event
Description:
Date of Event:
Plant:
B.16.1 Summary Trip with AFW pump inoperable November 18, 1983 Surry 2 Auxiliary feedwater pump B was found failed due to steam binding on November 18, 1983. On November 20, 1982, it was found failed due to a failed lube oil cooler. Surry 2 experienced a trip on November 16. The conditional core damage probability estimated for this event is 3.5 x 10-s.
B.16.2 Event Description Surry unit 2 was operating at full power on November 18, 1983, when the B motor driven auxiliary feedwater (AFW) pump failed to provide flow when started. An investigation determined that a leaking check valve was allowing backflow into the pump, which became steam bound.* A similar problem was experienced by the pump on December 6, 1983.
The turbine-driven AFW pump at Surry experienced a steam-binding problem on November 20, however the relevant licensee event report indicates that the pump had been operable previously. Additionally, AFW pump B was found to have a failed lube oil cooler during maintenance efforts.
on November.20. There was a trip reported on November 16, 1983.
B.16.3 Additional Event-Related Information None.
B.16.4 Modeling Assumptions As the problems with MDAFWP B reported on November 18 and 20 could have been latent during the trip on November 16, this event was modeled as a trip with the AFW pump inoperable. It was assumed that failure of the other AFW pumps from the same cause was possible. The potential for common-cause failure exists.
even when a component is failed. Therefore, the conditional probability of a common-cause failure was included in the analysis for those components that failed as part of the event. This was implemented in the model by setting the serial component failure probability equal to the conditional probability that the remaining pumps would fail, given failure of pump B (0.1 x 0.3). Accordingly, the failure probability of AFW during ATWS was calculated as 0.1 x 0.1 = 0.2.
LER No. 281/83-055
B.16-2 B.16.5 Analysis Results The conditional core damage probability estimated for this event is 3.5 x 10-s. The dominant sequence for this event, highlighted on the event tree in Figure B.16.1, involves a transient with reactor trip success, failure of main and auxiliary feedwater, and failure of feed-and-bleed cooling.
LER No. 281/83-055
~
HPI FEED BLEED F,~ '(3./,./
I I
RECOV SEC SIDE COOLING RCS COOL-DOWN I
I I
I AHR CSR I
I HPR
'END SEO.
STATE NO OK 101 OK 102 OK 103 co 104 OK 105 CD
- 106 CD 107 OK 108 OK 109 OK 110 OK 111 CD 112 OK 113 CD 114 CD 115 OK 116 OK 117 OK 118 co 119 CD 120 co 121 ATWS e
B.16-4 CONDITIONAL CORE DAMAGE PROBABILITY CALCULATIONS Event Identifier:
Event
Description:
Event Date:
Plant:
INITIATING EVENT 281/83-055 Trip with AFW ~
inop Novenber 18, 1983 Surry 2 NON-RECOVERABLE INITIATING EVENT PROBABILITIES TRANS SEQUENCE CONDITIONAL PROBABILITY SUMS End State/Initiator CD TRANS Total SEQUENCE CONDITIONAL PROBABILITIES (PROBABILITY ORDER)
Sequence 121 trans -rt AFW mfw feed.bleed 508 trans rt -prim.press.limited AFW/ATWS 119 trans -rt AFW mfw -feed.bleed recov.sec.cool -csr hpr
- non-recovery credit for edited case SEQUENCE CONDITIONAL PROBABILITIES (SEQUENCE ORDER)
Sequence 119 trans -rt AFW mfw -feed.bleed recov.sec.cool -csr hpr 121 trans -rt AFW mfw feed.bleed 508 trans rt -prim.press.limited AFW/ATWS
- non-recovery credit for edited case SEQUENCE MODEL:
BRANCH MODEL:
PROBABILITY FILE:
No Recovery Limit d:\\asp\\models\\pwra8283.cmp d:\\asp\\models\\surry2.82 d:\\asp\\models\\pwr8283.pro BRANCH FREQUENCIES/PROBABILITIES Branch System 1.9E-03 1.6E-05 2.4E-06 1.6E-06 2.8E-04 trans loop loca sgtr rt 1.0E+OO Probability 3.5E-05 3.5E-05 End State CD CD CD End State CD CD CD Non-Recov
-1.0E+OO 5.3E-01 5.4E-01 1.0E+OO 1.0E-01 Prob 2.?E-05 5.6E-06 8.8E-07 Prob 8.8E-07 2.?E-05 5.6E-06 Opr Fail N Rec**
1.5E-01 1.0E-01 1.5E-01 N Rec**
1.5E-01 1.5E-01 1.0E-01 LER No. 281/83-055
rt(loop)
AFW Branch Model:
1.0F.3+ser Event Identifier: 281/83-055 Train 1 Cond Prob:
Train 2 Cond Prob:
Train 3 Cond Prob:
Serial Component Prob:
AFW/ATWS Branch Model:
1.0F.1 Train 1 Cond Prob:
afw/ep mfw porv.chal l porv.chal l/afw porv.chal l/loop porv.chall/sbo porv.reseat porv.reseat/ep srv.reseat(atws) hpi feed.bleed emrg.boration recov.sec.cool recov.sec.cool/offsite.pwr rcs.cooldown rhr csr hpr ep seal.loca offsite.pwr.rec/-ep.and.-afw offsite.pwr.rec/-ep.and.afw offsite.pwr.rec/seal.loca offsite.pwr.rec/-seal.loca sg.iso.and.rcs.cooldown rcs.cool.below.rhr prim.press.limited
- branch model file
- forced Dolan 10-30-1995 12:08:06 O.OE+OO 3.8E-04 > 3.1E-02 2.0E-02 1.0E-01 > 1.0E+OO 5.0E-02 2.8E-04 > 3.0E-02 4.3E-03 > 2:oE-01 4.3E-03 > 2.0E-01 5.0E-02 1.9E-01 4.0E-02 1.0E+OO 1.0E-01 1.0E+OO 2.0E-02 2.0E-02 1.0E-01 1.5E-03 2.0E-02 O.OE+Ol' 2.0E-01 3.4E-01 3.0E-03 2.2E-02 7.5E-04 4.0E-03 2.9E-03 2.7E-01 2.2E-01 6.7E-02
- 5. 7E-01 7.0E-02 1.0E-02 3.0E-03 8.8E-03 B.16-5 1.0E+OO 4.5E-01 1.0E+OO 3.4E-01 3.4E-01 1.0E+OO 1.0E+OO 1.0E+OO 1.0E+OO 1.1E-02 1.0E+OO 1.0E+OO 8.9E-01 1.0E+OO 1.0E+OO 1.0E+OO 1 :oE+OO 1.0E+OO 7.0E-02 1.0E+OO 1.0E+OO 8.9E-01 1.0E+OO 1.0E+OO 1.0E+OO 1.0E+OO 1.0E+OO 1.0E-01 1.0E+OO 1.0E+OO 1.0E-03 1.0E-02 1.0E-02 1.0E-03 1.0E-03 1.0E-03 3.0E-03 LER No. 281/83-055
C-11 C.12 LER No. 281/83-005 Event
Description:
Date of Event:
Plant:
Summary Trip with AFW pump inoperable February 11, 1983 Surry 2 Surry unit 2 was operating at full power on February 11, 1983, when the turbine-driven auxiliary feedwater (AFW) pump tripped during testing. The turbine governor was found to be defective, causing the turbine to trip on overspeed. Corrosion in the regulator piston in the pump governor valve prevented the piston from moving freely, which led to a pump overspeed trip. As a trip was reported on February 8, 1983, this event was modeled as a trip with the turbine-driven AFW pump assumed to be inoperable.
The conditional core damage probability estimated for this event is 3.8 x 10*6* The dominant sequence involves a transient with reactor trip success, failure of main and auxiliary feedwater, and failure of feed-and-bleed cooling.
Summarized Precursors
J.
2-1 2.0 Selection Criteria and Quantification 2.1 Accident Sequence Precursor Selection Criteria The Accident Sequence Precursor (ASP) Program identifies and documents potentially important operational events that have involved portions of core damage sequences and quantifies the core damage probability associated with those sequences.
Identification of precursors requires the review of operational events for instances in which plant functions that provide protection against core damage have been challenged or compromised. Based on previous experience with reactor plant operational events, it is known that most operational events can be directly or indirectly associated with four initiators: trip [which includes loss of main feedwater (LOFW) within its sequences],
loss-of-offsite power (LOOP), small-break loss-of-coolant accident (LOCA), and steam generator tube ruptures (SGTR) (PWRs only). These four initiators are primarily associated with loss of core cooling. ASP Program staff members examine licensee event reports (LERs) and other event documentation to determine the impact that operational events have on potential core damage sequences.
2.1.1 Precursors This section describes the steps used to identify events for quantification. Figure 2.1 illustrates this process.
A computerized search of the SCSS data base at the Nuclear Operations Analysis Center (NOAC) of the Oak Ridge National Laboratory was conducted to identify LERs that met minimum selection criteria for precursors.
This computerized search identified LERs potentially involving failures in plant systems that provide protective functions for the plant and those potentially involving core damage-related initiating events. Based on a review of the 1984-1987 precursor evaluations and all 1990 LERs, this computerized search successfully identifies almost all precursors and the resulting subset is approximately one-third to one-half of the total LERs. It should be noted, however, that the computerized search scheme has not been tested on the LER database for the years prior to 1984. Since the LER reporting requirements for 1982-83 were different than for 1984 and later, the possibility exists that some 1982-83 precursor events were not included in the selected subset. Events described in NUREG -090020 and in issues of Nuclear Safety that potentially impacted core damage sequences were also selected for review.
Those events selected for review by the computerized search of the SCSS data base underwent at least two independent reviews by different staff members. The independent reviews of each LER were performed 10 determine if the reported event should be examined in greater detail. This initial review was a bounding review, meant to capture events that in any way appeared to deserve detailed review and to eliminate evems that were clearly unimportant. This process involved eliminating events that satisfied predefined criteria for rejection and accepting all others as either potentially significant *and requiring analysis, or potential I~
significant but impractical to analyze. All events identified as impractical to analyze at any point in the s!UJ, are documented in Appendix E. Events were also eliminated from further review if they had little impacr (,n core damage sequences or provided little new information on the risk impacts of plant operation-for examrk.
short-term single failures in redundant systems, uncomplicated reactor trips, and LOFW events.
Selection Criteria and Quantificati(,n
LERs requiring review Does the event only involve:
. component failure (no loss of redundancy)
. loss of redundancy (single system)
. seismic qualification/design error
. environmental qualification/design error
. pre-critical event
. structural degradation
. design error discovered by re-analysis
, bounded by trip or LOFW
. no appreciable safety system impact
. shutdown-related event
. post-core damage impacts only No Can event be reasonably analyzed by PRA-based models?
Yes Perform detailed review, analysis, and quantification Does operational event involve:
. a core damage initiator
. a total loss of a system
. a loss of redundancy in two or more systems
. a reactor trip with a degraded mitigating system Yes Is conditional probability~ IO_.
.Yes Document as a precursor Yes 2-2 Reject Identify as potentially significant but impractical to analyze Define impact of event in terms of initiator observed and trains of systems unavailable.
Modify branch probabilities to reflect event.
Calculate conditional probability associated with event using modified event trees.
No Reject No
, ___ _,.,_ Reject based on low probability Figure 2.1 ASP Analysis Process Selection Criteria and Quantification ASP models lant drawings, system descriptions, FSARs, etc.
2-3 LERs were eliminated from further consideration as precursors if they involved, at most, only one of the following:
a component failure with no loss of redundancy, a short-term loss of redundancy in only one system, a seismic design or qualification error, an environmental design or qualification error, a structural degradation, an event that occurred prior to initial criticality, a design error discovered by reanalysis, an event bounded by a reactor trip or LOFW, an event with no appreciable impact on safety systems, or an event involving only post core-damage impacts.
Events identified for further consideration typically included the following:
unexpected core damage initiators (LOOP, SGTR, and small-break LOCA);
all events in which a reactor trip was demanded and a safety-related component failed; all support system failures, including failures in cooling water systems, instrument air, instrumentation and control, and electric power systems; any event in which two or more failures occurred; any event or operating condition that was not predicted or that proceeded differently from the plant design basis; and any event that, based on the reviewers' experience, could have resulted in or significantly affected a chain of events leading to potential severe core damage.
Events determined to be potentially significant as a result of this initial review were then subjected to a thorough, detailed analysis. This extensive analysis was intended to identify those events considered to he precursors to potential severe core damage accidents, either because of an initiating event, or because pf failures that could have affected the course of postulated off-normal events or accidents. These detailed revie\\~,
were not limited to the LERs; they also used final _safety analysis reports (FSARs) and their amendment,.
individual plant examinations (IPEs), and other information related to the event of interest.
The detailed review of each event considered the immediate impact of an initiating event or the potentul impact of the equipment failures or operator errors on readiness of systems in the plant for mitigation, *t off-normal and accident conditions. In the review of each selected event, three general scenarios (invol \\ 1 n,:
both the actual event and postulated additfonal failures) were considered.
I.
If the event or failure was immediately detectable and occurred while the plant was at pm~ n then the event was evaluated according to the likelihood that it and the ensuing plant resp, 'n,,*
could lead to severe core damage.
- 2.
If the event or failure had no immediate effect on plant operation (i.e., if no initiating l' **
occurred), then the review considered whether the plant would require the failed item, *
- mitigation of potential severe core damage sequences should a postulated initiating,*,
occur during the failure period.
Selection Criteria and Quantificati,,n
2-4
- 3.
If the event or failurt;! occurred while the plant was not at power, then the event was first assessed to determine whether it impacted at-power or hot shutdown operation. If the event could only occur at cold shutdown or refueling shutdown, or the conditions clearly did not impact at-power operation, then its impact on continued decay heat removal during shutdown was assessed; otherwise it was analyzed as if the plant were at power. (Although no cold shutdown events were analyzed in the present study, some potentially significant shutdown-related events are described in Appendix D).
For each actual occurrence or postulated initiating event associated with an operational event reported in an LER or multiple LERs, the sequence of operation of various mitigating systems required to prevent core damage was considered. Events were selected and documented as precursors to potential severe core damage accidents (accident sequence precursors) if the conditional probability of subsequent core damage was at least 1.0 X 10-6 (see section 2.2). Events of low significance are thus excluded, allowing attention to be focused on the more important events. This approach is consistent with the appP)ach used to define 1988-1993 precursors, but differs from that of earlier ASP reports, which addressed all events meeting the precursor selection criteria regardless of conditional core damage probability.
As noted above, 115 operational events with conditional probabilities of subsequent severe core damage ~
1.0 X 10-6 were identified as accident sequence precursors.
2.1.2 Potentially Significant Shutdown-Related Events No cold shutdown events were analyzed in this study because the lack of information concerning plant status at the time of the event (e.g., systems unavailable, decay heat loads, RCS heat-up rates, etc.) prevented development of models for such events. However, cold shutdown events such as a prolonged loss of RHR cooling during conditions of high decay heat can be risk significant. Sixteen shutdown-related events which may have potential risk significance are described in Appendix D.
2.1.3 Potentially Significant Events Considered Impractical to Analyze In some cases, events are impractical to analyze due to lack of information or inability to reasonably model within a probabilistic risk assessment (PRA) framework, considering the level of detail typically available in PRA models and the resources available to the ASP Program.
Forty-three events (some involving more than a single LER) identified as potentially significant were considered impractical to analyze. It is thought that such events are capable of impacting core damage sequences. However, the events usually involve component degradations in which the extent of the degradation could not be determined or the impact of the degradation on plant response could not be ascertained.
For many event.s classified as impractical to analyze, an assumption that the affected component or function was unavailable over a 1-year period (as would be done using a bounding analysis) would result in the.'.
conclusion that a very significant condition existed. This conclusion would not be supported by the spec1 ri~*,
of the event as reported in the LER(s) or by the limited engineering evaluation performed in the ASP Program Descriptions of events considered impractical to analyze are provided in Appendix E.
Selection Criteria and Quantification
2-5 2.1.4 Containment-Related Events In addition to accident sequence precursors, events involving loss of containment functions, such as containment cooling, containment spray, containment isolation (direct paths to the environment only), or hydrogen control, identified in the reviews of 1982-83 LERs are documented in Appendix F. It should be
. noted that the SCSS search algorithm does not specifically search for containment related events. These events, if identified for other reasons during the search, are then examined and documented.
2.1.5 "Interesting" Events Other events that provided insight into unusual failure modes with the potential to compromise continued core cooling but that were determined not to be precursors were also identified. These are documented as "interesting" events in Appendix G.
2.2 Precursor Quantification Quantification of accident sequence precursor significance involves determination of a conditional probability of subsequent severe core damage, given the failures observed during an operational event. This is estimated by mapping failures observed during the event onto the ASP models, which depict potential paths to severe core damage, and calculating a conditional probability of core damage through the use of event trees and system models modified to reflect the event. The effect of a precursor on event tree branches is assessed by reviewing the operational event specifics against system design information, Quantification results in a revised probability of core damage failure, given the operational event. The conditional probability estimated for each precursor is useful in ranking because it provides an estimate of the measure of protection against core damage that remains once the observed failures have occurred. Details of the event modeling process and calculational results can be found in Appendix A of this report.
The frequencies and failure probabilities used in the calculations are derived in part from data obtained across the light-water reactor (L WR) population for the 1982-86 time period, even though they are applied to sequences that are plant-specific in nature. Because of this, the conditional probabilities determined for each precursor cannot be rigorously associated with the probability of severe core damage resulting from the actual event at the specific reactor plant at which it occurred. Appendix A documents the accident sequence models used in the 1982-83 precursor analyses, and provides examples of the probability values used in the calculations.
The evaluation of precursors in this report considered equipment and recovery procedures believed to ha,.:
been available at the various plants in the 1982-83 time frame. This includes features addressed in the curr.:nt (1994) ASP models that were not considered.in the analysis of 1984-91 events, and only partially in thl*
analysis of 1992-93 events. These features include the potential use of the residual heat removal system f, *r long-term decay heat removal following a small-break LOCA in PWRs, the potential use of the reactor L*,,r c*
isolation cooling system to supply makeup following a small-break LOCA in BWRs, and core dam.ic*,*
sequences associated with failure to trip the reactor (this condition was previously designated "ATWS.... 11i.1 not developed). In addition, the potential long-term recovery of the power conversion system for BWR Jc,.,
heat removal has been addressed in the models.
Selection Criteria and Quantification
2.-6 Because of these differences in the models, and the need to assume in the analysis of 1982-83 events that equipment reported as failed near the time of a reactor trip could have impacted post-trip response (equipment response following a reactor trip was required to be reported beginning in 1984), the evaluations for these years may not be directly comparable to the results for other years.
Another difference between earlier and the most recent (1994) precursor analyses involves the documentation of the significance of precursors involving unavailable equipment without initiating events. These events are termed unavailabilities in this report, but are also referred to as condition assessments. The 1994 analyses distinguish a precursor conditional core damage probability (CCDP), which addresses the risk impact of the failed equipment as well as all other nominally functioning equipment during the unavailability period, and an importance measure defined as the difference between the CCDP and the nominal core damage probability (CDP) over the same time period. This importance measure, which*estimates the increase in core damage probability because of the failures, was referred to as the CCDP in pre-1994 reports, and was used to rank unavailabilities.
For most unavailabilities that meet the ASP selection criteria, observed failures significantly impact the core damage model. In these cases, there is little difference between the CCDP and the importance measure. For some events, however, nominal plant response dominates the risk. In these cases, the CCDP can be considerably higher than the importance measure. For 1994 unavailabilities, the CCDP, CDP, and importance are all provided to better characterize the significance of an event. This is facilitated by the computer code used to evaluate 1994 events (the GEM module in SAPHIRE), which reports these three values.
The analyses of 1982-83 events, however, were performed using the event evaluation code (EVENTEVL) used in the assessment of 1984-93 precursors. Because this code only reports the importance measure for unavailabilities, that value was used as a measure of event significance in this report. In the documentation of each unavailability, the importance measure value is referred to as the increase in core damage probability over the period of the unavailability, which is what it represents. An example of the difference between a conditional probability calculation and an importance calculation is provided in Appendix A.
2.3 Review of Precursor Documentation With completion of the initial analyses of the precursors and reviews by team members, this draft report containing the analyses is being transmitted to an NRC contractor, Oak Ridge National Laboratories (ORNL).
for an independent review. The review is intended to (1) provide an independent quality check of the analyses, (2) ensure consistency with the ASP analysis guidelines and with other ASP analyses for the same event type, and (3) verify the adequacy of the modeling approach and appropriateness of the assumptions used in the analyses. In addition, the draft report is being sent to the pertinent nuclear plant licensees for review and to the NRC staff for review. Comments received from the licensees within 30 days will be considered during resolution of comments received from ORNL and NRC staff.
2.4 Precursor Documentation Format The 1982-83 precursors are documented in Appendices Band C. The at-power events with conditional Cl 1rc*
damage probabilities (CCDPs) ~ 1.0 x 10-5 are contained in Appendix Band those with CCDPs between I i 1 x 10-5 and 1.0 x 10-6 are summarized in Appendix C. For the events in Appendix B, a description of the t'\\ cnr Selection Criteria and Quantification
I*:.
2-7 is provided with additional information relevant to the assessment of the event, the ASP modeling assumptions and approach used in the analysis, and analysis results. The conditiona!"core damage probability calculations are documented and the documentation includes probability summaries for end states, the conditional probabilities for the more important sequences and the branch probabilities used. A figure indicating the dominant core damage sequence postulated for each event will be included in the final report. Copies of the
. LERs are not provided with this draft report.
2.5 Potential Sources of Error As with any analytic procedure, the availability of infonnation and modeling assumptions can bias results. In
- this section, several of these potential sources of error are addressed.
- l.
Evaluation of only a subset of 1982-83 LERs. For 1969-1981 and 1984-1987, all LERs reported during the year were evaluated for precursors. For 1988-1994 and for the present ASP study of 1982-83 events, only a subset of the LERs were evaluated after a computerized search of the SCSS data base. While this subset is thought to include most serious operational events, it is possible that some events that would norm:illy be selected as precursors were missed because they were not included in the subset that resulted from the screening process.
Reports to Congress on Abnormal Occurrences2-0 (NUREG-0900 series) and operating experience articles in Nuclear Safety were also reviewed for events that may have been missed by the SCSS computerized screening.
- 2.
Inherent biases in the selection* process. Although the criteria for identification of an operational event as a precursor are fairly well-defined, the selection of an LER for initial review can be somewhat judgmental. Events selected in the study were more serious than most, so the majority of the LERs selected for detailed review would probably have been selected by other reviewers with experience in L WR systems and their operation. However, some differences would be expected to exist; thus, the selected set of precursors should not be considered unique.
- 3.
Lack of appropriate event information. The accuracy and completeness of the LERs and other event-related documentation in reflecting pertinent operational information for the 1982-83 events are questionable in some cases. Requirements associated with LER reporting at the time, plus the approach to event reporting practiced at particular plants, could have resulted in variation in the extent of events reported and report details among plants. In addition, only details of the sequence (or partial sequences for failures discovered during testing) that actually occurred are usually provided; details concerning potential alternate sequences of interest in this study must often be inferred. Finally, the lack of a requirement at the time to link plant trip infonnation to reportable events required that certain assumptions be made in the analysis of certain kinds of 1982-83 events. Specifically, through use of the "Grey Books" (Licensed Operating Reactors Status Report, NUREG-0200)19 it was poss1hle to determine that system unavailabilities reported in LERs could have overlapped with plant trips if it was assumed that the component could have been out-of-service for Y2 the test/surveillance period associated with that component. However, with the link between tn;1, and events not being described in the LERs, it was often impossible to determine whether * *r not the component was actually unavailable during the trip or whether it was demandc,l Selection Criteria and Quantification
2-8 during the trip. Nevertheless, in order to avoid missing any important precursors for the time period, any reported component unavailability which overlapped a plant trip within Yi of the component's test/surveillance period, and which was believed not to have been demanded during the trip, was assumed to be unavailable concurrent with the trip. (If the component had been demanded and failed, t.'1e failure would have been reported; if it had been demanded and worked successfully, then the failure would have occurred after the trip). Since such assumptions may be conservative, these events are distinguished from the other precursors listed in Tables 3.1 - 3.6. As noted above, these events are termed "windowed" events to indicate that they were analyzed because the potential time window for their unavailability was assumed to have overlapped a plant trip.
- 4.
Accuracy of the ASP models and probability data. The event trees used in the analysis are plant-class specific and reflect differences between plants in the eight plant classes that have been defined. The system models are structured to reflect the plant-specific systems, at least to the train level. While major differences between plants are represented in this way, the plant models utilized in the analysis may not adequately reflect all important differences.
Modeling improvements that address these problems are being pursued in the ASP Program.
Because of the sparseness of syst~m failure events, data from many plants must be combined to estimate the failure probability of a multitrain system or the frequency of low-and moderate-frequency events (such as LOOPs and small-break LOCAs). Because of this, the modeled response for each event will tend toward an average response for the plant class. If systems at the plant at which the event occurred are better or worse than average (difficult to ascertain without extensive operating experience), the actual conditional probability for an event could be higher or lower than that calculated in the analysis.
Known plant-specific equipment and procedures that can provide additional protection against core damage beyond the plant-class features included in the ASP event tree models were addressed in the 1982-83 precursor analysis for some plants. This information was not uniformly available; much of it was based on FSAR and IPE documentation available at the time this report was prepared. As a result, consideration of additional features may not be consistent in precursor analyses of events at different plants. However, analyses of multiple events that occurred at an individual plant or at similar units at the same site have been consistently analyzed.
- 5.
Difficulty in determining the potential for recovery of failed equipment. Assignment \\,r recovery credit for an event can have a significant impact on the assessment of the event. Th:.*
approach used to assign recovery credit is described in detail in Appendix A. The actu.11 likelihood of failing to recover from an event at a particular plant during 1982-83 is diffil*ulr to assess and may vary substantially from the values currently used in the ASP analyses Th:,
difficulty is demonstrated in the genuine differences in opinion among analysts, oper~t1,,n, and maintenance personnel, and others, concerning the likelihood of recovering from six*l 1:.
failures (typically observed during testing) within a time period that would prevent.
- damage following an actual initiating event.
- 6.
Assumption of a I-month test interval. The core damage probability for precursors in\\, *I*.
Selection Criteria and Quantification
2-9 unavailabilities is calculated on the basis of the exposure time associated with the event. For failures discovered during testing, the time period is related to the test interval. A test interval of 1 month was assumed unless another interval was specified in the LER. See reference 1 for a more comprehensive discussion of test interval assumptions.
Selection Criteria and Quantification
e A-1 Appendix A:
A-2 A.O ASP Models This appendix describes the methods and models used to estimate the significance of 1982-83 precursors. The modeling approach is similar to that used to evaluate 1984-91 operational events. Simplified train-based models are used, in conjtmction with a simplified recovery model, to estimate system failure probabilities specific to an operational event. These probabilities are then used in event tree models that describe core damage sequences relevant to the event. The event trees have been expanded beyond those used in the analysis of 1984-91 events to address features of the ASP models used to assess 1994 operational events (Ref. 1) known to have existed in the 1982-83 time period.
A.1 Precursor Significance Estimation The ASP program performs retrospective analyses of operating experience. These analyses require that certain methodological assumptions be made in order to estimate the risk significance of an event. If one assumes, following an operational event in which core cooling was successful, that components observed failed were "failed" with probability 1.0, and components that functioned successfully were "successful" with probability
- 1. 0, then one can conclude that the risk of core damage was zero, and that the only potential sequence was the combination of events that occurred. In order to avoid such trivial results, the status of certain components must be considered latent.
In the ASP program, this latency is associated with components that operated successfully-these components are considered to have been capable of failing during the operational event.
Quantification of precursor significance involves the determination of a conditional probability of subsequent core damage.given the failures and other undesirable conditions (such as an initiating event or an unexpected relief valve challenge) observed during an operational event. The effect of a precursor on systems addressed in the core damage models is assessed by reviewing the operational event specifics against plant design and operating information, and translating the results of the review into a revised model for the plant that reflects the observed failures. The precursors' s significance is estimated by calculating a conditional probability of core damage given the observed failures. The conditional probability calculated in this way is useful in ranking because it provides an estimate of the measure of protection against core damage remaining once the observed failures have occurred.
A.1.1 Types of Events Analyzed Two different types of events are addressed in precursor quantitative analysis. In the first, an initiating event such as a loss of offsite power (LOOP) or small-break loss of coolant accident (LOCA) occurs as a part of the precursor. The probability of core damage for this type of event is calculated based on the required plant response to the particular initiating event and other failures that may have occurred at the same time. This type of event includes the "windowed" events subsetted for the 1982-83 ASP program and discussed in Section 2. 2 of the main report.
The second type of event involves a failure condition that existed over a period of time during which an initiating event could have, but did not occur. The probability of core damage is calculated based on the required plant response to a set of postulated initiating events, considering the failures that were observed. Unlike an initiating event assessment, where a particular initiating event is assumed to occur with probability 1.0, each initiating event is assumed to occur with a probability based on the initiating event frequency and the failure duration.
ASP MODELS
A-3 A.1.2 Modification of System Failure Probabilities to Reflect Observed Failures The ASP models used to evaluate 1982-83 operational events describe sequences to core damage in terms of combinations of mitigating systems success and failure following an initiating event. Each system* model represents those combinations of train or component failures that will result in system failure. Failures observed during an operational event must be represented in terms of changes to one or more of the potential failures included in the system models.
If a failed component is included in one of the trains in the system model, the failure is reflected by setting the probability for the impacted train to 1.0. Redundant train failure probabilities are conditional, which allows potential common cause failures to be addressed.. If the observed failure could have occurred in other similar components at the same time, then the system failme probability is in::reased to represent this. If the failure could not simultaneously occur in other components (for example, if a component was removed from service for preventive maintenance), then the sys~em failure probability is also revised, but only to reflect the "removal" of the unavailable component from the model.
If a failed component is not specifically included as an event in a model, then the failure is addressed by setting elements impacted by the failure to failed. For example, support systems are not completely developed in the 1982-83 ASP models. A breaker failure that results in the loss of power to a group of components would be represented by setting the elements associated with each component in the group to failed.
Occasionally, a precursor occurs that cannot be modelled by modifying probabilities in existing system models.
In such a case, the model is revised as necessary to address the event, typically by adding events to the system model or by addressing an unusual initiating event through the use of an additional event tree.
A.1.3 Recovery from Observed Failures The models used to evaluated 1982-83 events address the potential for recovery of an entire system if the system fails. This is the same approach that was used in the analysis of most precursors through 1991.1 In this approach, the potential for recovery is addressed by assigning a recovery action to each system failure and initiating event. Four classes were used to describe the different types of short-term recovery that could be involved:
1 Later precursor analyses utilize Time-Reliability Correlations to estimate the probability of failing :,,
recover a failed system when recovery is dominated by operator action.
ASP MOD*~l-~
A-4 Recovery Likelihood of Non-Recovery Characteristic Class Recovery2 RI 1.00 The failure did not appear to be recoverable in the required period, either from the control room or at the failed equipment.
R2 0.55 The failure appeared recoverable in the required period at the failed equipment, and the equipment was accessible; recovery from the control room did not appear possible.
R3 0.10 The failure appeared recoverable in the required period from the control room, but recovery was not routine or involved substantial operator burden.
R4 0.01 The failure appeared recoverable in the required period from the control room and was considered routine and procedurally based.
The assignment of an event to a*recovery class is based on engineering judgment, which considers the specifics of each operational event and the likelihood of not recovering from the observed failure in a moderate to high-stress situation following an initiating event.
Substantial time is usually available to recover a failed residual heat removal (RHR) or BWR power conversion system (PCS). For these systems, the nonrecovery probabilities listed above are overly conservative. Data in Refs. 2 and 3 was used to estimate the following nonrecovery probabilities for these systems:
- BWR RHR. system BWRPCS PWR RHR. system System p{nonrecovery) 0.016 (0.054 if failures involve service water) 0.52 (0.017 for MSIV closure) 0.057 It must be noted that the actual likelihood of failing to recover from an event at a particular plant is difficult to assess and may vary substantially from the values listed. This difficulty is demonstrated in the genuine differences in opinion among analysts, operations and maintenance personnel, etc., concerning the likelihood of recovering specific failures (typically observed during testing) within a time period that would prevent core damage following an actual initiating event.
A.1-4 Conditional Probability Associated with Each Precursor As described earlier in this appendix, the calculation process for each precursor involves a determination of initiators that must be modeled, plus any modifications to system probabilities necessitated by failures observed
?J:bese nonrecovery probabilities are consistent with values specified in M.B. Sattison et al., "Methods Improvements Incorporated into the SAPIIlRE ASP Models," Proceedings of the U.S. Nuclear Regulatory Commission Tv.ienty-Second Water Reactor Safety Information Meeting, NUREG/CP-0140, Vol. 1, Ap'nl 1995.
ASP MODELS
C A-5 in an operational event. Once the probabilities that reflect the conditions of the precursor are established, the sequences leading to core damage are calculated to estimate the conditional probability for the precursor. This calculational process is summarized in Table A. I.
Several simplified examples that illustrate the basics of precursor calculational process follow. It is not the intent of th~ examples to describe a detailed precursor analysis, but instead to provide a basic understanding of the process.
The hypothetical core damage model for these examples, shown in Fig. A. l, consists of initiator I and four systems that provide protection against core damage: system A, B, C, and D. In Fig. A. l, the up branch represents success and the down branch failure for each of the systems. Three sequences result in core damage if completed: sequence 3 [I /A ("f' represents system success) BC], sequence 6 (I A/BCD) and sequence 7 (I A B). In a conventional PRA approach, the frequency of core damage would be calculated using -the frequency of the initiating event I, l(I), and the failure probabilities for A, B, C, and D [p(A), p(B), p(C), and p(D)].
Assuming l(I) = 0.1 yr1 and p(AII) = 0.003, p(BIIA) = 0.01, p(CII) = 0.05, and p(DIIC) = 0.1,3 the frequency of core damage is determined by calculating the frequency of each of the three core damage sequences and adding the frequencies:
0.1 yr*1 x (1 - 0.003) x 0.05 x 0.1 (sequence 3) +
0.1 yr*1 x 0.003 x (1 - 0.01) x 0.05 x 0.1 (sequence 6) +
0.1 yr*l X 0.003 X 0.01 (Sequence 7)
= 4.99 x I0-4yr-1 (sequence 3) + 1.49 x 10-6 yr*1 (sequence 6) + 3.00*x 10-6 yr*1 (sequence 7)
In a nominal PRA, sequence 3 would be the dominant core damage sequence.
The ASP program calculates a conditional probability of core damage, given an initiating event or component failures. This probabiliw is different than the frequency calculated above and cannot be directly compared with it.
Example 1. Initiating Event Assessment. Assume that a precursor involving initiating event I occurs. In response to I, systems A, B, and C start and operate correctly and system D is not demanded. In a precursor initiating.event assessment, the probability of i is set to 1.0. Although systems A, B, and C were successful, nominal failure probabilities are assumed Since system D was not demanded, a nominal failure probability is assumed for it as well. The conditional probability of core damage associated with precursor I is calculated by summing the conditional probabilities for the three sequences:
1.0 x (1 - 0.003) x 0.05 x 0.1 (sequence 3) +
1.0 x 0.003 x (1- 0.010) x 0.05 x 0.1 (sequence 6) +
1.0 x 0.003 x 0.01 (sequence 7) 3 The notation p(B I IA) means the probability that B fails, given I occurred and A failed.
ASP MODELS
A-6
= 5.03 X 10"3*
It: instead, B had failed when demanded, its probability would have been set to 1.0. The conditional core damage probability for precursor IB would be calculated as 1.0 x (I - 0.003) x 0.05 x 0.1 (sequence 3) + 1.0 x 0.003 x 1.0 (sequence 7) = 7.99 x 10-3_
Since B is failed. sequence 6 cannot occur.
Example 2. Condition Assessment. Assume that during a monthly test system B is found to be failed, and that the failure could have occurred at any time during the month. The best estimate for the duration of the failure is one half of the test period, or 360 h. To estimate the probability of initiating event I during the 360 h period, the yearly frequency ofl must be converted to an hourly rate. Ifl can only occur at power, and the plant is at power for 70% of a year, then the frequency for I is estimated to be 0.1 yr*1 /(8760 h/yr x 0. 7) = 1.63 x 10-5 h*1.
It: as in example 1, Bis always demanded following I, the probability ofl in the 360 h period is the probability that at least one I occurs (since the failure of B will then be discovered), or I - e*.1.(1)
- fililun: duration = I - e*l.63E-5
- 360 = 5' 85 X 1 o-3.
Using this value for the probability of I, and setting p(B) = 1. 0, the conditional probability of core damage for precursor B is calculated by again summing the conditional probabilities for the core damage sequences in.Fig.
Al:
5.85 x 10-3 x (1 - 0.003) x 0.05 x.0.1 (sequence 3) + 5.85 x 10-3 x 0.003 x 1.0 (sequence 7)
= 4.67 X lQ*5*
As before, since B is failed, sequence 6 cannot occur. The conditional probability is the probability of core damage in the 360 h period, given the failure of B. Note that the dominant core damage sequence is sequence 3, with a conditional probability of 2.92 x 10-5_ This sequence is unrelated to the failure of B. The potential failure of systems C and D over the 360 h period still drive the core damage risk.
To understand the significance of the failure of system B, another calculation, an importance measure, is required.
The importance measure that is used is equivalent to risk achievement worth on an interval scale (see Ref. 4 ).
In this calculation, the increase in core damage probability over the 360 h period due to the failure of B is estimated: p(cd I B) - p(cd). For this example the value is 4.67 x 10 2.94 x 105 = 1.73 x 105, where the second term on the left side of the equation is calculated using the previously developed probability of I in the 360 h period and nominal failure probabilities for A, B, C, and D.
For most conditions identified as precursors in the ASP program, the importance and the conditional core damage probability are numerically close, and either can be used as a significance measure for the precursor. However, for some events-typically those in which the components that are failed are not the primary mitigating plant features-the conditional core damage probability can be significantly higher than the importance. In such cases.
it is important to note that the potential failure of other components, unrelated to the precursor, are sull dominating the plant risk.
ASP MODELS
e A-7 The importance measure for unavailabilities (condition assessments) like this example event were previously referred to as a "conditional core damage probability" in annual precursor reports before 1994, instead of as the increase in core damage probability over the duration of the unavailability. Because the computer code used to analyz.e 1982-83 events is the same as was used for 1984-93 evaluations, the results for 1982-83 conditions are also presented in the computer output in terms of "conditional probability," when in actuality the result is an importance.
A.2 Overview of 1982-83 ASP Models Models used to rank 1982-83 precursors as to significance consist of system-based plant-class event trees and simplified plant-specific system models. These models describe mitigation sequences for the following initiating events: a nonspecific reactor trip [which includes loss offeedwater (LOFW) within the model], LOOP, small-break LOCA, and steam generator tube rupture [SGTR, pressurized water reactors (PWRs) only].
Plant classes were defmed based on the use of similar systems in providing protective functions in response to transients, LOOPs, and small-break LOCAs. System designs and specific nomenclature may differ among plants included in a particular class; but functionally, they are similar in response. Plants where certain mitigating systems do not exist, but which are largely analogous in their initiator response, are grouped into the appropriate plant class. ASP plant categorization is described in thr. following section.
The event trees consider two end states: success (OK), in which core cooling exists, and core damage (CD), in which adequate core cooling is believed not to exist. In the ASP models, core damage is assumed to occur following core 1D1COvezy. It is acknowledged that clad and fuel damage will occur at later times, depending on the criteria used to define "damage," and that time may be available to recover core cooling once core uncovery occurs but before the onset of core damage. However, this potential recovery is not addressed in the models. Each event tree describes combinations of system failures that will prevent core cooling, and makeup if required, in both the short and long term Primary systems designed to provide these functions and alternate systems capable of also performing these functions are addressed.
The models used to evaluate 1982-83 events consider both additional systems that can provide core protection.
and initiating events not included in the plant-class models used in the assessment of 1984-91 events, and only partially included in the assessment of 1992-93 events. Response to a failure to trip the reactor is now addressed,
- as is an SGTR in PWRs. In PWRs, the potential use of the residual heat removal system following a small-break LOCA (to avoid sump recirculation) is addressed, as is the potential recovery of secondary-side cooling in the long tam following the initiation of feed and bleed. In boiling water reactors (BWRs), the potential use of reactor
- core isolation cooling (RCIC) and the control rod drive (CRD) system for makeup if a single relief valve sticks open is addressed, as is the potential long-term recovery of the power conversion system (PCS) for decay heat removal in BWRs. These models better reflect the capabilities of plant systems in preventing core damage.
ASP MODELS
A-7 The importance measure for unavailabilities (condition assessments) like this example event were previously referred to as a "conditional core damage probability" in annual precursor reports before 1994, instead of as the increase in core damage probability over the duration of the unavailability. Because the computer code used to analyze 1982-83 events is the same as was used for 1984-93 evaluations, the results for 1982-83 conditions are also presented in the computer output in terms of "conditional probability," when in actuality the result is an importance.
A.2 Overview of 1982-83 ASP Models Models used to rank 1982-83 precursors as to significance consist of system-based plant-class event trees and simplified plant-specific system models. These models describe mitigation sequences for the following initiating events: a nonspecific reactor trip [which includes loss offeedwater (LOFW) within the model], LOOP, small-break LOCA, and steam generator tube rupture [SGTR, pressurized water reactors (PWRs) only].
Plant classes were defined based on the use of similar systems in providing protective functions in response to transients, LOOPs, and small-break LOCAs. System designs and specific nomenclature may differ among plants included in a particular class; but functionally, they are similar in response. Plants where certain mitigating systems do not exist, but which are largely analogous in their initiator response, are grouped into the appropriate plant class. ASP plant categorization is described in the following section.
The event trees consider two end states: success (OK), in which core cooling exists, and core damage (CD), in which adequate core cooling is believed not to exist. In the ASP models, core damage is assumed to occur
- following core uncovezy. It is acknowledged that clad and fuel damage will occur at later times, depending on the criteria used to define "damage," and that time may be available to recovC2' core cooling once core uncovery occurs but before the onset of core damage. HowevC2', this potential recovesy is not addressed in the models. Each event tree descnbes combinati<m of system failures that will prevent core cooling, and makeup if required, in both the short and loog tam Primmy systems designed to provide these functions and alternate systems capable of also performing these functions are addressed.
The models used to evaluate 1982-83 events consider both additional systems that can provide core protection and initiating events not included in the plant-class models used in the assessment of 1984-91 events, and only partially included in the assessment of 1992-93 events. Response to a failure to trip the reactor is now addressed..
- as is an SGTR in PWRs. In PWRs, the potmtial use of the residual heat removal system following a small-break LOCA (to avoid sump recirculation) is addressed, as is the potential rccovezy of sc:condmy-side cooling in the long tam following the initiation of feed and bleed In boiling wakJ' reactors (BWRs), the potential use of reactor core isolation cooling (RCIC) and the cont:rQl rod drive (CRD) system for makeup if a single relief valve sticks open is addressed, as is the potential long-term recovery of the power conversion system (PCS) for decay beat removal in BWRs. These models better reflect the capabilities of plant systems in preventing core damage.
ASP MODELS