ML19264B612
| ML19264B612 | |
| Person / Time | |
|---|---|
| Issue date: | 07/15/1981 |
| From: | Mattson R Office of Nuclear Reactor Regulation |
| To: | Vollmer R Office of Nuclear Reactor Regulation |
| Shared Package | |
| ML19250J298 | List: |
| References | |
| FOIA-82-93 NUDOCS 8108130121 | |
Text
JUL 15, 1981

MEMORANDUM FOR: Richard H. Vollmer, Director
Division of Engineering
Office of Nuclear Reactor Regulatory

FROM: Roger J. Mattson, Director
Division of Systems Integration
Office of Nuclear Reactor Regulatory

SUBJECT: EVENT V - COMPETING RISK OF CLOSING A HIGH PRESSURE MOV

REFERENCE:
- 1. Memo dated 05/13/81 from Bernero to Mattson
- 2. Memo dated 03/03/81 from Ross to Eisenhut
- 3. Memo dated 02/25/81 from Eisenhut to Vollmer

The purpose of this memo is to transmit to you the results of an evaluation (Attachment 1 to Reference 1) of the competing risks associated with various tactics that are being considered to reduce the risk of intersystem LOCA and my staff's comments on the results of that evaluation.

The evaluation was performed by the Division of Risk Analysis and was requested (Reference 2) to confirm that certain temporary fixes being considered to reduce the risk of WASH-1400 Event V type intersystem LOCAs would not increase overall risk by degrading ECCS performance capability. Specifically, the evaluation addresses the relative reduction in risk of an Event V provided by the closure of certain MOVs vs the increase in risk from degraded large LOCA response capability when the MOVs to be closed are part of the ECCS low pressure safety injection system.
It was intended that the results of the evaluation be used in support of decisions regarding Orders to plants having potential susceptibility to Event V as described in Reference 3.
The Orders included requirements for certain PWRs and BWRs to immediately implement Technical Specifications for extended surveillance of primary coolant system isolation valves and in some cases to temporarily shut MOVs.

While the risk evaluation results generally support the action of the Orders which were issued on April 20, 1981, the evaluation makes certain additional recommendations:

o Six plants were identified having a configuration of a single check valve and a single open or closed MOV, and it was suggested that these plants warrant increased attention due to their vulnerability to intersystem LOCA.
Since two of these plants (Haddam Neck and San Onofre 1) are SEP plants, and the issue of intersystem LOCA is being addressed in the SEP, it is our recommendation that the results of the SEP be used as guidance in determining fixes as necessary for these six plants. The evaluation suggests that it may be appropriate to place the MOV in manual operation for any of the six plants that have a demonstrated susceptibility to spurious MOV openings. We do not recommend this approach without further study.
o The evaluation suggests that there would be a substantial reduction in risk for most valve configurations if the MOV were opened to allow a determination of check valve leakage (past the MOV) prior to returning the system to full pressure. This approach appears to have merit, and we recommend that discussions be initiated with the licensees of any plants that aren't expected to implement a permanent fix to intersystem LOCA in the near term. This approach is not necessary after a permanent leak testing system is in place since continual leak detection provides adequate reduction of the risk of intersystem LOCA.

Finally, as agreed in preliminary meetings discussing the approach to be taken to resolve intersystem LOCA (Reference 2), the Division of Engineering has the overall lead responsibility in this area. Should further discussion of this matter be needed, Brad Hardin of my staff is the primary contact.

Roger J. Mattson, Director
Division of Systems Integration
Office of Nuclear Reactor Regulatory

Enclosure: As stated

cc: R. Bernero, D. Eisenhut

DISTRIBUTION: T. Murley, Central File, P. Check, RSB R/F, T. Speis, BHardin R/F, O. Parr, RMattson, D. Crutchfield, G. Mazetis, B. Sheron, P. Polk, K. Murphy, B. Hardin
Attachment 1

Conclusions and Recommendations Concerning the Competing Risks of Event V and Closure of MOV in LPIS Discharge

Table 1 provides a list of the nuclear reactor units under review. They have been placed in categories relevant to the question at hand. Our conclusions and recommendations are given for each category in light of the different competing risks associated with each category.

A. Two Check Valves and a Closed MOV

Eighteen of the plants under review have this configuration. The Oconee units are in this group and their LPIS configuration is typical (i.e., two parallel trains, each containing a closed MOV and two check valves). The Oconee RSS/MAP Study (NUREG/CR-1659) contains an analysis of Event V that can probably be applied to this group of reactors as a whole. The analysis provides three important results of interest. They are:

1. If the MOV valve remains normally shut but is opened for quarterly tests and the check valves are not closure-tested, Event V dominates the risk of core melt.
2. If the MOV is open during ascension in pressure and a reliable means exists to detect leakage past the two check valves (e.g., LPI pressure, indicated and alarmed in control room), then the highest risk check valve failure mode, the simultaneous failure to reseat both check valves, can be eliminated. Once it has been determined that this failure mode is not present at start-up then the MOV can be closed. This procedure significantly reduces the Event V contribution to overall risk, but it remains a dominant risk contributor.
3. Installing leak testing equipment to periodically test the condition of the two check valves essentially eliminates Event V as a dominant risk contributor.

Items 1 and 3 essentially support the proposed "Order of Modification" under question. However, Item 2 represents an additional notion not addressed in the Orders. Our risk analysis indicates that the procedure given in Item 2 can significantly reduce the probability of an Event V for the group of reactors in question and can usefully serve as an interim measure prior to the installation of the check valve leak detection equipment. This procedure is, in fact, of far greater importance than the elimination of quarterly MOV stroking. We, therefore, suggest that, in addition to the elimination of MOV stroking, the Item 2 procedure also be required.

Note that the elimination of MOV stroking does not eliminate inadvertent or spurious opening of the valve that can occur due to human error or an SI signal. Spurious SIS has an approximate frequency of between 0.1 and 2.0 per year for operating PWRs. This high frequency reduces the effectiveness of closure of the MOV as a measure for reducing Event V risk.

Concerning the check valve leak detection system, it is our opinion that the principal objectives of this system should be as follows (in order of importance):

1. To detect the failure of the check valve to properly reseat.
2. To detect gross leakage of the valve in excess of the RCS make-up capacity (e.g., capacity of a single charging pump).
3. To detect trends in valve leakage that could denote a significant weakening in the interface, i.e., higher likelihood of a sudden gross leakage or rupture.

The design specifications of the equipment and the specifications for its operation should satisfy these objectives.
Table 1
Systems Survey Program Data - LPIS Valve Configurations
(NOTE: This data has been obtained from Safety Analysis Reports. The data has not been verified by the utilities)

A. Two check valves and a closed MOV
Arkansas One, Unit 1
Arkansas One, Unit 2
Cook
Crystal River, Unit 3
Fort Calhoun
Kewaunee
Maine Yankee, Unit 1
Oconee, Unit 1
Oconee, Unit 2
Oconee, Unit 3
Palisades
Rancho Seco
Robinson, Unit 2
Salem, Unit 1
St. Lucie, Unit 1
Three Mile Island, Unit 1
Turkey Point, Unit 3 (RHR Line)
Turkey Point, Unit 4 (RHR Line)

B. Two check valves and an open MOV

| Plant | Leg | NSSS | # Loops |
|---|---|---|---|
| Beaver Valley | (S) | W | 3 |
| Davis-Besse | (R) | B&W | 2 |
| Farley 1 | (R) | W | 3 |
| North Anna 1 | (S) | W | 3 |
| Trojan | (S) | W | 3 |
| Surry, Unit 1 | (S) | W | 3 |
| Surry, Unit 2 | (S) | W | 3 |

(S) = a single MOV controls LPI discharge
(R) = Two or more MOVs control LPI discharge (redundant trains)

C. One check valve and a closed MOV
Haddam Neck
Prairie Island 1 (in addition has a type A configuration)
Prairie Island 2 (in addition has a type A configuration)
San Onofre (line from refueling water pumps)

D. One check valve and an open MOV
Point Beach 1 (RHR Line)
Point Beach 2 (RHR Line)

E. Two check valves
none

F. Three check valves
Calvert Cliffs 1*
Calvert Cliffs 2*
Indian Point 2
Millstone 2
Zion

G. No LPI Interface Shown
Ginna

* Not on list of plants under review, all of these units are shown to have the 3 check valve configuration
B. Two check valves and an open MOV

Based on our System Survey Program (See Table 1) seven plants have this configuration. Five of the plants have a single LPI discharge leg with one MOV that delivers flow to a header that contains three parallel piping legs containing two check valves in series. The other two plants have a two train configuration, from the pumps right through to the LPI discharge into the RCS.
These plants have one MOV and a set of two check valves in each train.

The basic question that prompted this entire analysis is whether, for this type of plant, it is better to leave the MOV open until leak detection equipment is installed or to close it.
Leaving it open allows the risk for Event V to remain as it is (a high dominant risk). Closing it would reduce this risk (under certain conditions) but increases the unavailability of LPI. The appendix to this study provides our complete analysis on this question. Section A-5 of the appendix summarizes the competing risk analysis of the various options. The overall conclusions are as follows:

1. The MOV should be opened during RPS pressurization to ensure check valve seating and to check on their leak tightness.
2. After reaching system pressure and before rods are withdrawn, the MOV should be closed.
3. For Davis-Besse (B&W design where LPI is required for all LOCAs except the very smallest) the competing risk analysis shows that the MOV should be kept on the safety injection actuation signal.
4. For Beaver Valley, North Anna 1, and Trojan (Westinghouse design where LPI is required for only large LOCAs) the competing risk analysis shows that taking the MOV off the SI actuation signal (reducing spurious opening of valves via SIS) and requiring it to be opened by the control room operator in case of a large LOCA, could be beneficial. The benefit of this option would be greatly increased if the hot leg MOVs (NC) would be electrically energized and placed on the SI signal. This would ensure automatic actuation and leave the option for operator switching to cold leg injection.
The spurious opening of the hot leg lines appears to be of considerably less concern as they contain three check valves in series. We are aware that the acceptability of this option can be questioned on both single failure and Appendix K grounds; nevertheless, from a risk standpoint it is a favorable option.

C. and D. One Check Valve and a Closed or Open MOV

The risk potential for these configurations demands close attention.
It is vital that leak detection equipment be installed between the check valve and the MOV as soon as possible.
In the interim, the MOV should be opened during RPS pressurization to set the check valve and to check its integrity. Once this is done the valve should be closed. The MOV should remain closed and steps should be taken to reduce spurious or inadvertent opening of the valve.
Placing the MOV in manual operation should also be considered if spurious SIS is expected to be a problem as discussed in the preceding section.

We believe that the one check valve/one MOV configuration with periodic leak detection is unacceptable in the long run. There are a number of possible solutions to this problem. The use of an interlock on the MOV that prevents it opening given a faulty check valve and high pressure may be one option. This would require a continuous leak detection system. A second possibility would be to install a second check valve with appropriate leak monitoring. The utilities should be required to evaluate these and other options that may lead to a long-term solution.

E. Two check valves

None of the plants under review have this configuration.

F. Three check valves

Five plants have this configuration.
Past analyses show that the three check valve configuration has low potential for an Event V.
This conclusion is based on analyses that assume independence between valves. This independence ignores design, fabrication, installation, and maintenance dependencies that may exist. Recent precursors to Event V (see Table 2) show that some degree of dependence may exist. At the present time the effect of such dependence on the three check valve failure probability cannot be estimated.
Though no immediate measures seem warranted at this time, it is advisable to continue to be alert for additional precursors. Further probabilistic analyses should be conducted to determine if this valve configuration requires the leak detection fix, or validation of proper design, installation, etc.
Table 2
Event V Precursors

The precursor LERs of which we are aware (we have not done a systematic search) include:

1. Sequoyah Unit 1, November 1980, 2 check valves jammed open--valve design error.
2. Davis-Besse Unit 1, October 8, 1980--detached valve disk.
3. Arkansas Unit 2, August 24, 1978--spring check valve failed to close because spring moved and jammed.
4. San Onofre Unit 1, July 21, 1978--gravity closed check valve intended for horizontal service, installed vertically.
Appendix A
Competing Risk Estimates

A-1 Problem Statement

The plants in valve configuration Category B have two check valves and an open MOV in their LPI discharge line. The question posed is: as a temporary measure, prior to installation of check valve leak measurement equipment, should the MOV be closed? Closure may reduce Event V risk but at the same time may increase the unavailability of low pressure injection.
This trade-off between Event V and LPI risks is the subject of this appendix.

A-2 Identification of Involved Accident Sequences

For the purpose of this study a specific, high risk Event V sequence involving the discharge piping* of the LPI system was studied.
The study did not include other potential Event V piping. For instance, most plants have two closed MOVs in series on the supply side of the RHR systems where it connects to the hot legs of the RCS. The inadvertent opening of both these valves could initiate an Event V sequence. These and the other potential Event V interfaces other than the LPI discharge interfaces are not included in this analysis.

* The Order for Licensing Modification focuses on this piping.

The closure of the MOV will affect the availability of the low pressure injection system since the valve must be commanded open either by an SI signal or manually. Potential accident sequences involving the injection phase of the low pressure system were identified and evaluated. The sequences involving the recirculation phases of the low pressure and the high pressure systems were not included for the following reasons:

1. In those designs where the operation of the LPI pumps are required for high pressure recirculation, the placement of the MOV in question is upstream of the line that supplies water to the high pressure system. Thus, the operation of the valve does not affect high pressure recirculation availability.
2. Low pressure recirculation needs can be satisfied by supplying water via the high pressure system, or in some systems both the high pressure system and the hot leg supply lines. Thus, the leg containing the MOV in question is effectively bypassed.

The sequences involving failure of the low pressure injection system were identified for the WASH-1400 (PWR) and for the RSSMAP (Oconee) cases.
In both these analyses failure of the LPIS is denoted as a "D" system failure and thus sequences involving LPI failure will be referred to as "Event D" sequences. Tables A1 and A2 summarize the sequences and their probabilities for each case. Notice that the Oconee Event D probabilities are significantly higher than those of the WASH-1400 case. This stems principally from the differences in the LPI functional success criteria. Table A3 shows that LPI is needed for all pipe break sizes in Oconee except for the very smallest breaks while in WASH-1400 (PWR) LPI is only required for the large LOCA events. Note also that for the S1 break in Oconee, both trains of the LPI are required. Table A4 summarizes the resulting core melt probabilities for LPI failure. The Oconee overall probability for the LPI sequences is about 20 times higher than those of WASH-1400 (PWR), meaning that the LPI function is more important in the case of Oconee.

A-3 Relative Importance Between Event D and Event V

By using a weighting factor the importance of the radioactive release categories can be accounted for. Table A5 shows the method by which the weighting factors used in this study were derived. Basing the risk factor on latent fatalities is essentially a man-rem weighting factor which is suitable for our purposes. A refinement not incorporated would involve factoring in the acute fatalities. This would increase somewhat the risk factors for the first three categories.
It is expected that such a refinement would not appreciably affect the outcome. Table A6 shows the outcome of weighting the probabilities and summing them. The relative importance between Event D, Event V, and the total risk is shown for both reactor designs. Note the Event D risks are of far greater significance in the Oconee case as compared with WASH-1400. As will become apparent, this fact strongly influences the risk/benefit results.

A-4 Risk Trade-Off Diagrams

The "valve open, valve closed" risk trade-off can be portrayed graphically. First consider the summation of risk:

$$D + V + O = T \qquad (1)$$
TABLE A1
WASH-1400 (PWR)
APPLICABLE PROBABILITIES AND SEQUENCES

| PWR Release Category | Event D | Event V | All Sequences |
|---|---|---|---|
| 1 | 2-11 (ACD-α) | | 9-7 |
| 2 | | 4-6 (V) | 8-6 |
| 3 | 6-9 (AD-α) | | 4-6 |
| 4 | 3-12 (ACD-β) | | 5-7 |
| 5 | 1-9 (AD-β) | | 7-7 |
| 6 | 6-11 (ADF-ε) | | 6-6 |
| 7 | 4-7 (AD-ε) | | 4-5 |

For the purpose of this report "Event D" refers to all sequence paths that can be affected by the closed MOV in the LPI discharge piping. Also the probabilities given here have been adjusted to remove the coolant pump flywheel common mode failure contribution.
2-11 reads 2x10^-11

TABLE A2
RSS/MAP (OCONEE)
APPLICABLE PROBABILITIES AND SEQUENCES

| PWR Release Category | Event D | Event V | All Sequences |
|---|---|---|---|
| 1 | 7.8-8 (S1D-α, S2D-α) | | 1.0-7 |
| 2 | | 4.7-6 (V)* | 9.5-6 |
| 3 | 1.6-6 (S1D-γ, S2D-γ) | | 2.5-5 |
| 4 | 4.2-8 (S D-β) | | 2.6-7 |
| 5 | 3.7-9 (S D-β) | | 2.8-7 |
| 6 | | | 3.2-5 |
| 7 | 6.2-6 (S1D-ε, S2D-ε) | | 2.7-5 |

* MOV opened at start-up to check for leak-leak check valve failure mode and then closed during operation. This excludes the leak-leak contribution, which if included would increase the probability to 7.3x10'*.

TABLE A3
LOCA INITIATING EVENT FREQUENCIES AND LPI FUNCTIONAL SUCCESS CRITERIA

| Event | Break Size | Frequency/Year | LPI Success Criteria |
|---|---|---|---|
| WASH-1400 | | | |
| A | 6" < D | 1x10^-4 | 1 of 2 pumps |
| S1 | 2" < D < 6" | 3x10^-4 | None |
| S2 | 1/2" < D < 2" | 1x10^-3 | None |
| OCONEE | | | |
| A | 13" < D | 1x10^-4 | 1 of 2 trains |
| S1 | 10" < D < 13" | 1x10^-4 | 2 of 2 trains |
| S2 | 4" < D < 10" | 4x10^-4 | 1 of 2 trains |
| S3 | 0.5" < D < 4" | 1.3x10^-3 | None |

TABLE A4
OVERALL PROBABILITY OF A CORE MELT INVOLVING LPI FAILURE
(LOCA FREQUENCY X LPI SYSTEM FAILURE PROBABILITY)

| Case | Event | Frequency x Failure Probability | Result |
|---|---|---|---|
| WASH-1400 | A | 1x10^-4 (4.2x10^-3) | 4.2x10^-7 |
| OCONEE | A | 1x10^-4 (2.4x10^-3) | 2.4x10^-7 |
| OCONEE | S1 | 1x10^-4 (7.3x10^-2) | 7.3x10^-6 |
| OCONEE | S2 | 4x10^-4 (2.4x10^-3) | 9.6x10^-7 |
| OCONEE | TOTAL | | 8.5x10^-6 |

TABLE A5
RISK FACTOR

| PWR Release Category | Accident Probability per Reactor Year | Risk of Latent Fatalities per Reactor Year | Mean Latent Fatalities Given a Release | Normalized Risk Factor |
|---|---|---|---|---|
| 1 | 9-7 | 1.2-3 | 1300 | 0.33 |
| 2 | 8-6 | 6.1-3 | 760 | 0.19 |
| 3 | 4-6 | 5.2-3 | 1300 | 0.33 |
| 4 | 5-7 | 2.1-4 | 420 | 0.11 |
| 5 | 7-7 | 9.7-5 | 10 | 0.04 |
| 6 | 6-6 | 1.2-4 | 20 | 0.005 |
| 7 | 4-5 | 1.3-5 | 0.33 | 9-5 |

9-7 reads 9x10^-7

NOTE: The accident probabilities and latent fatality risk quantities were taken from WASH-1400. The risk of latent fatalities was divided by the accident probability to obtain the conditional mean latent fatalities. These conditional fatalities correspond to the expected level of risk for each release category given a release has occurred.
These quantities were then normalized to arrive at the risk factors.
These factors can be used to relate the risk importance between release categories. They are mean values based on averaging of the variations in demography, meteorology, and biological effects as treated in WASH-1400.

TABLE A6
RELATIVE RISK IMPORTANCE BETWEEN EVENT D (LPI) AND EVENT V (CHECK VALVES)
PRODUCT OF RELEASE PROBABILITIES AND RISK FACTORS

| PWR Release Category | Event D | Event V | All Sequences |
|---|---|---|---|
| WASH-1400 | | | |
| 1 | 6.6-12 | | 3.0-7 |
| 2 | | 7.6-7 | 1.5-6 |
| 3 | 2.0-9 | | 1.3-6 |
| 4 | 2.2-13 | | 5.5-8 |
| 5 | 4.0-11 | | 2.8-8 |
| 6 | 3.0-13 | | 3.0-8 |
| 7 | 3.6-11 | | 3.6-9 |
| TOTALS | 2.1-9 | 7.6-7 | 3.3-6 |
| RELATIVE IMPORTANCE (%) | 0.063 | 23 | 100 |
| OCONEE | | | |
| 1 | 2.6-8 | | 3.3-8 |
| 2 | | 8.9-7 | 1.8-6 |
| 3 | 5.3-7 | | 8.3-6 |
| 4 | 4.5-7 | | 2.7-8 |
| 5 | 3.5-8 | | 1.1-8 |
| 6 | | | 1.7-7 |
| 7 | | | 2.4-9 |
| TOTALS | 1.1-6 | 8.9-7 | 1.0-5 |
| RELATIVE IMPORTANCE (%) | 11 | 8.9 | 100 |
D = risk from Event D
V = risk from Event V
O = all other risks
T = total risk

The risk trade-off only involves D and V--the goal being to reduce overall risk--thus:

$$D' + V' < D + V \quad \text{(goal)} \qquad (2)$$

Where D' and V' are the risks after modification. A break-even function can be defined as:

$$D' + V' = D + V \quad \text{(break-even)} \qquad (3)$$

$$D' = AD, \quad (\text{LPI Unavailability})^{-1} > A > 1 \qquad (4)$$

$$V' = BV, \quad B \le 1 \qquad (5)$$

Where A and B are the factors the risk has changed given the modification.
Given a B the break-even expression for A is:

$$A = 1 + \frac{V}{D}\,(1 - B) \quad \text{(break-even)} \qquad (6)$$

Plotting this break-even function gives the graph in Figure A1. This example graph shows three fixes, X, Y, Z.
Each fix reduces Event V risk but increases Event D risk. Fixes X and Y are in the lower risk zone showing that they improve overall risk.
X, however, reduces overall risk more than Y (X is further below the break-even line).
Z is above the break-even line; therefore, it is unacceptable. Note that the break-even line quickly approaches an asymptote valued as:

$$A_a = 1 + \frac{V}{D} \qquad (7)$$

[FIGURE A1 - RISK TRADE-OFF DIAGRAM: break-even curve against 1/B, approaching the asymptote 1 + V/D, with the ZONE OF HIGHER RISK above the curve and the ZONE OF LOWER RISK below it]

[FIGURE A2 - DIAGRAM WITH UNCERTAINTIES: regions labelled POOR CHOICE, UNCERTAIN and GOOD CHOICE, plotted against 1/B]

Thus, if Event D risk is increased above $A_a$ then the proposed modification is unacceptable regardless of the reduction in Event V risk. Note also that the value of A has a maximum value which is (LPI unavailability)^-1. A value greater than this value makes no sense since you cannot have a modified system unavailability of greater than unity.

Uncertainties in V/D, in A, and in B can be placed on the trade-off diagrams as shown in Figure A2. Factoring in the more significant uncertainties is necessary if a more complete perspective of the advisability of the fixes is to be gained (note that in the example the advisability of fixes Y and Z are less clear than they seem to be in Figure A1).

As is evident from Figure A1 the break-even curve depends on the ratio of Event V risk over the Event D risk. For our two cases the ratios are:

WASH-1400: 7.6x10^-7 / 2.1x10^-9 = 362
OCONEE: 8.9x10^-7 / 1.1x10^-6 = 0.809

Thus, the break-even curve will be significantly different in each of these cases. The uncertainty in this ratio requires some discussion.
Event V Risk Uncertainties

1. Leak Lambda - Current usage combines actual leak events and reseat failure events. The WASH-1400 lambda of 1.3x10^-3/year was used in both WASH-1400 and Oconee cases. This appears acceptable for leaks alone. Recent experiences, however, suggest a significant probability of reseat failure (5 failures in 2 years, 300 PWR reactor years, ~6 check valves/plant) = 2x10^-3/year. Adding this to the leak case results in a combined lambda two or three times higher than the original WASH-1400 value.
2. Rupture Lambda - 8.8x10^-5/year (3) was used. Uncertain statistical base, no nuclear plant rupture events known.
3. Operator Response - no credit was given for plants having an MOV operated from control room where, given an Event V, the operator could shut the valve, stopping loss of coolant.
4. Fact that Event V can affect operations in the auxiliary building and control rooms of a multiple unit plant may shift the risk even more toward Event V.
5. Design and installation errors, if present, could increase likelihood of Event V and thus increase its risk.

Event D Risk Uncertainties

1. Initiating events. Current thinking appears to favor a shift away from very large LOCAs. This shift would reduce importance of LPI.
2. Success criteria for LOCA events have a significant bearing on LPI importance. The question arises whether current criteria are accurate; there may be considerable conservatism in some of the criteria. The exceedingly large spread in the V/D ratio of both designs analyzed begs the question of whether this spread is real or an artifact of incomplete success criteria definition.

It is judged that the uncertainty in the break-even curve for both plants should favor a shift toward higher Event V risk.
The break-even zone in Figures A3 and A4 shows the uncertainty, with the lower break-even curve based on the calculated point estimates of risk and the upper curve a factor of five higher, conveying the judgment call with respect to the above discussed uncertainties.

A-5 Competing Risks of the Options

Table A7 summarizes the options investigated. Each one of these options will be discussed in turn:

Option AI.
Closure of the MOV results in a single point vulnerability.
Failure to open the MOV in the case of a large LOCA can result in core melt (disregarding possible human rescue). A single closed MOV will contribute the following unavailability:
[Figure A3 - break-even zone plot on logarithmic axes, WASH-1400 (PWR)]

[Figure A4 - break-even zone plot on logarithmic axes]
TABLE A7
OPTIONS ANALYZED

| Option | A (LPI Risk Increase) | 1/B (V Risk Decrease) |
|---|---|---|
| A. WASH-1400 (One MOV (NO), three parallel sets of two check valves in series) | | |
| I. Valve closed, quarterly stroking of valve eliminated, SI actuation intact. | 2 to 3 | 1.5 to 20 |
| II. Valve closed, quarterly stroking of valves eliminated, manual actuation from control room | 12 to 60 | 500 to 1000 |
| III. As in II but with Hot Leg Injection (the MOVs (NC) in HL injection lines placed on SI actuation signal), assumes HL injection meets intent of Appendix K to 10CFR Part 50. The question of acceptability of HL injection applies only when considering a large CL break. | 1 to 1.2 | 500 to 1000 |
| B. RSS/MAP (Oconee) (Two trains, each having an MOV (NC) with two check valves in series) | | |
| I. Quarterly stroking of MOV eliminated, SI actuation intact | 1 to 1.2 | 5 to 20 |
| II. Quarterly stroking of MOV eliminated, manual actuation from control room | 4.4 to 18 | 250 to 500 |
| Contributor | Unavailability |
|---|---|
| Valve plugged | 1X10^-4 |
| Mechanical failure | 1X10^-3 |
| Control circuitry | 3X10^-3 to 6X10^-3* |
| Total | 4X10^-3 to 7.1X10^-3 |

*Short term connection to SI may result in higher than usual control circuit error rate.
This unavailability is added to the base value of the LPI system, resulting in an increase in risk of approximately 2 to 3.
The closure of the valve will add a third barrier to the high/ low pressure interface.
If the valve remains closed, the Event V probability would be significantly decreased. However, spurious SI signals occur at a rate of between 0.1 and 2 per year, markedly reducing the beneficial effect of this third barrier. The Event V risk reduction is estimated to be between 1.5 and 20 based on the range of spurious SI given above.
Option AII.
Eliminating the SI actuation and depending on human actuation will reduce spurious opening of the valve to that of an inadvertent opening by the operator (probability of operator error ~1X10^-3 to 2X10^-3, resulting in a 1/B of 500 to 1000). Human error in actuating the system will dominate Event D (a human error rate of 0.25 to 0.05 appears reasonable and thus equates to an increase in Event D of 12 to 60).
Option AIII.
If hot leg injection is judged to be a viable alternative by the Appendix K reviewers, then this option would return the LPI unavailability to close to its base value. This is applicable to those systems having two separate hot leg piping runs, each with a normally closed MOV. The MOVs would have to be electronically energized and actuated by SIS.
Option BI.
Similar to AI in terms of effect on Event V risk. Elimination of quarterly testing affects the LPI unavailability somewhat, slightly increasing the Event D risk.
Option BII.
Same approach as in AII.
Existence of 2 MOVs doubles the probability of inadvertent opening by the operator, 2X10^-3, resulting in a 1/B of 250 to 500.
Table A8 provides a summary of the LPI unavailabilities used in this study.
TABLE A8 LPI UNAVAILABILITY

| | Valve Open | Valve Closed (Under SI Control) | Valve Closed (Under Operator Control) |
|---|---|---|---|
| Single Leg (WASH-1400) | 4.2X10^-3 | 7.3X10^-3 to 1.1X10^-2 | 0.05 to 0.25 |
| Redundant Leg (Oconee), 1 of 2 | NA | 2.6X10^-6 | 0.05 to 0.25 |
| Redundant Leg (Oconee), 2 of 2 | NA | 7.3X10^-2 | 0.12 to 0.32 |
Attachment II

COMMENTS ON NUREG-0677

There is a conceptual deficiency in NUREG-0677.
It fails to note the triple-threat character of an interfacing system LOCA in PWRs and its less serious character in BWRs. In a PWR, a failure of the pressure boundary between the reactor coolant system and a low pressure system outside containment (leading to rupture of the low pressure system) constitutes:
(1) a LOCA, (2) a bypass of containment systems, and (3) assures core damage if the LPI and LPR functions are failed by the Event B break or subsequent equipment failure in areas external to the containment caused by the Event V environment.
In a BWR, however, the very large inventory of ECCS water supplies (CST plus suppression pool) should suffice to sustain ECCS until the RCS can be depressurized, decay heat has subsided, and some continuing form of once through or recirculating cooling can be established. This is based on a presumption that the steam release (which might be in the auxiliary building for some scenarios) or other equipment damage does not defeat such success paths.
In any plant for which the Event V probability is not made negligible, these systems interactions and mitigating procedures should be considered.
There are also deficiencies in the way NUREG-0677 calculates the likelihood of the pressure boundary failure for the several valve design and procedural options. The NUREG follows calculational models that have been used before, but they, too, are approximations and could stand improvement.
We suggest distinguishing several check valve failure modes and modeling them distinctly, as noted in the table below:

| Failure Mode | Time Dependence of Probability | Estimated Value of P or λ |
|---|---|---|
| 1. Design or installation error | Decreasing P over first years of operation | P ~10^-2/valve, decreasing stepwise after testing and operation |
| 2. Stuck open | Constant P after each opening, zeroed by test | P ~10^[illegible]/opening |
| 3. Internal rupture | λ increasing with aging, λ reduced after initial valve test (increasing saw tooth function, accounting for imperfect NDT testing and valve aging) | λ ~10^[illegible]/hour |
| 4. Excessive leakage | λ increasing with aging, λ set to zero after initial valve test | λ ~3X10^-6/hour |

The several failure modes are acted upon differently by testing, by the passage of time, or by the differential pressure acting upon the valve.
Thus, they must be distinguished in a careful analysis of specific pressure boundary configuration, operation, and surveillance practices.
If one of a set of check valves is subject to one of these failure modes, there is a higher-than-random probability that others will be subject to this same failure mode due to common design, fabrication, installation, surveillance, and service environments of the valves. We do not have the data to quantify this coupling, but engineering judgment suggests that neither strong coupling nor very weak coupling is warranted.
The use of engineering judgment, sensitivity or bounding studies, and the explicit acknowledgement of uncertainty is suggested in dealing with the conditional probability that more than one valve falls victim to the same failure mode.
General Deficiencies:
Section 2 Fails to scope out the various combinations of isolation boundaries, operating procedures, and test methods. Thus a generic modeling approach that can be applied to all combinations is not presented.
Section 3 Does not realistically treat the impact of leak testing or operational changes (e.g., it assumes that testing methods are 100% reliable and that procedures, such as valves locked out, are also 100% reliable).
Section 4 To adequately support DOL's Event V program the report must include an evaluation of the present configurations and proposed fixes for reviewed plants to cover all basic combinations of isolation boundaries, operating procedures, and test methods.
Specific Deficiencies:
Results The summary results presented in Table 1 are confusing.
In several places the revised probability numbers are not for the valve configurations shown but for a presumed fix, e.g., case 1.e. is supposed to be for 2 check valves and one normally closed MOV. The revised probability, however, is for 2 check valves and one normally opened MOV. The table should be revised.
Mathematical Model
a. The use of the (Ir)" equation form for all valve configurations is questionable as it drops terms that, in some cases, may be important. A more careful derivation of the math model is required.
b. The model should apply to all barrier configurations and include the non-reliabilities of operation (human error) and testing.
c. The effect of leak testing on the leak and rupture probabilities over the life of the plant should be considered.
d. Consider the use of an increasing saw tooth function over 40 years for the rupture case (to account for imperfect NDT testing and valve aging).
e. Account for common cause failures involving design, manufacture, installation, operation, and testing.
f. Update failure rates based on best information to date.
g. Impossible failure combinations should be eliminated (this was not done for the triple check valve case, p. 18). The elimination of the leak-leak sequences should be reevaluated since detection at start-up, though likely, should not carry with it a unity probability in all cases.
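The saw tooth behaviour suggested in item d and the bounding study suggested above for coupled check valve failures can be sketched as follows. This is an added example, not a model from the memo or from NUREG-0677: only the leakage rate of 3X10^-6/hour comes from the memo, while the annual test interval, the test effectiveness, the constant (non-aging) failure rate and the beta-factor treatment of coupling are assumptions.

```python
import math

LAMBDA_LEAK = 3e-6      # per hour: the memo's estimate for excessive leakage
TEST_INTERVAL_H = 8760  # assumed: one leak test per year (not from the memo)

def sawtooth_peaks(lam, interval_h, test_eff, cycles):
    """Failure probability of one valve just before each periodic test.

    test_eff is the assumed chance that a test finds and fixes an existing
    failure; anything below 1.0 leaves residual risk that carries over.
    Aging is not modelled: lam is held constant.
    """
    carried, peaks = 0.0, []
    for _ in range(cycles):
        peak = 1.0 - (1.0 - carried) * math.exp(-lam * interval_h)
        peaks.append(peak)
        carried = (1.0 - test_eff) * peak  # undetected failures survive the test
    return peaks

def both_valves_failed(lam, hours, beta):
    """P(two series check valves both failed by `hours`), beta-factor model.

    beta is the assumed fraction of the failure rate shared by both valves
    (0 = fully independent, 1 = fully coupled).
    """
    common = 1.0 - math.exp(-beta * lam * hours)
    independent = 1.0 - math.exp(-(1.0 - beta) * lam * hours)
    return common + (1.0 - common) * independent ** 2

def coupling_sweep(betas=(0.0, 0.01, 0.1, 0.5, 1.0)):
    """Bounding study: pair failure probability over one test interval."""
    return {b: both_valves_failed(LAMBDA_LEAK, TEST_INTERVAL_H, b) for b in betas}

if __name__ == "__main__":
    for eff in (1.0, 0.9):
        peaks = sawtooth_peaks(LAMBDA_LEAK, TEST_INTERVAL_H, eff, 5)
        print("test_eff=%.1f" % eff, ["%.4f" % p for p in peaks])
    for beta, p in coupling_sweep().items():
        print("beta=%.2f  P(both failed)=%.2e" % (beta, p))
```

With perfect testing every cycle peaks at the same value; with imperfect testing the peaks climb from cycle to cycle, and the pair failure probability moves from the square of the single-valve value toward the single-valve value as the assumed coupling grows.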