ML19275A953
| ML19275A953 | |
| Person / Time | |
|---|---|
| Site: | Crane |
| Issue date: | 10/31/1979 |
| From: | Burns R PRESIDENT'S COMMISSION ON THE ACCIDENT AT THREE MILE |
| To: | |
| Shared Package | |
| ML19254E707 | List: |
| References | |
| NUDOCS 7910300400 | |
Text
TECHNICAL STAFF ANALYSIS REPORT ON WASH 1400 - REACTOR SAFETY STUDY TO PRESIDENT'S COMMISSION ON THE ACCIDENT AT THREE MILE ISLAND
ADVANCE COPY NOT FOR PUBLIC RELEASE BEFORE AMs, WEDNESDAY, OCTOBER 31, 1979
WASH 1400 - REACTOR SAFETY STUDY BY ROBERT D. BURNS, III TECHNICAL ASSESSMENT TASK FORCE OCTOBER 1979 WASHINGTON, D.C.
This document is solely the work of the Commission staff and does not necessarily represent the views of the President's Commission or any member of the Commission.
This prepublication copy is a final document and will be subject only to minor editorial changes in its published form.
WASH 1400 - Reactor Safety Study
The WASH 1400 Reactor Safety Study (Rasmussen Report), published in 1975, contains descriptions of potential accidents in nuclear power plants and estimates of the probabilities of occurrence of accidents involving radioactivity release.
Examination of WASH 1400 shows that it is relevant to the study of the Three Mile Island accident because the sequence of failures in the accident is discussed in the report, and the occurrence of the accident is consistent with WASH 1400 predictions.
WASH 1400 results and lessons that should have been learned from the report are discussed here.
WASH 1400 Summary
WASH 1400 involved (1) compilation of a list of potential accidents in nuclear reactors, (2) estimation of the likelihood of accidents involving radioactivity release, (3) estimation of health effects associated with reactor accidents, and (4) comparison of nuclear accident risk with other accident risks in everyday life. The purpose was to provide information for the judgment of the acceptability of the risk associated with reactors.
The study determined that nuclear accident risk is small--almost negligible--compared to more common risks, including airplane accidents, fires, dam failures, chlorine spills, earthquakes, hurricanes, and tornadoes (p. 2, Executive Summary). Results show that risk is small because the more likely reactor accidents involve success of safety systems designed to accommodate them, and because accidents involving failure of safety systems are unlikely. These systems are provided in nuclear reactors to prevent core meltdown and to diminish radioactivity release.
The WASH 1400 risk assessment was reviewed by a Risk Assessment Review Group in 1977 (the Lewis Report) which concluded that "they were unable to determine whether the absolute probabilities of accident sequences in WASH 1400 are high or low, but believe that the error bounds on those estimates are, in general, greatly understated."
However, they went on to say: 1/
1/ Taken from Reactor Safety Study Review before House of Representatives Subcommittee on Energy and the Environment Serial No. 96-3 dated February 26, 1979, Pages 116-117.
WASH-1400 was largely successful in at least three ways; in making the study of reactor safety more rational, in establishing the topology of many accident sequences, and in delineating procedures through which quantitative estimates of the risk can be derived for those sequences for which a data base exists.
Despite its shortcomings, WASH-1400 provides at this time the most complete single picture of accident probabilities associated with nuclear reactors.
The fault-tree / event-tree approach coupled with an adequate data base is the best available tool with which to quantify these probabilities.
WASH-1400 made clear the importance to reactor safety discussions of accident consequences other than early fatalities.
The NRC accepted the findings of the Risk Assessment Review Group and issued a statement which said in part:
The Commission accepts the Review Group Report's conclusion that absolute values of the risks presented by WASH-1400 should not be used uncritically either in the regulatory process or for public policy purposes and has taken and will continue to take steps to assure that any such use in the past will be corrected as appropriate.
In particular, in light of the Review Group conclusions on accident probabilities, the Commission does not regard as reliable the Reactor Safety Study's numerical estimate of the overall risk of reactor accident.
With respect to the component parts of the study, the Commission expects the staff to make use of them as appropriate, that is, where the data base is adequate and analytical techniques permit.
Taking due account of the reservations expressed in the Review Group Report and in its presentation to the Commission, the Commission supports the extended use of probabilistic risk assessment in regulatory decisionmaking.
2/ Taken from Reactor Safety Study Review before House of Representatives Subcommittee on Energy and the Environment Serial No. 96-3 dated February 26, 1979, Pages 116-117.
The Risk Assessment Review Group, while criticizing the actual numbers estimated in WASH 1400, commended the description of accident sequences and the "fault-tree / event-tree" approach as a valuable analytical tool for estimating probabilities of accidents.
Three Mile Island Events
Two types of events are important in reactor accidents -- initiators and failures.
Initiators are the causes of accidents.
Sudden pipe breaks (such as loss-of-coolant accidents) and transients are examples of initiators. A transient was the initiator at Three Mile Island.
Transient is a general designation for all events causing interruption of normal operation and possibly requiring shutdown of the reactor. Transients occur frequently in nuclear reactors and are routinely handled without incident.
Failures refer to equipment malfunctions or operator errors in the response to an initiator event.
If enough failures occur, a transient can result in an accident.
Three Mile Island involved two significant failures -- a stuck relief valve and operator interruption of emergency core cooling.
WASH 1400 includes a list of 18 events which are likely transient initiators (Table I 4-9).
Included in the list is the Three Mile Island accident initiator, loss of condensate pumps (EPRI/NSAC-1, p. C/FDW-3). 3/
Condensate pump loss normally causes the main feedwater pumps to stop, requiring the auxiliary feedwater pumps to start up and remove heat from the reactor.
While these pumps started at Three Mile Island, the path for the cooling water to reach the steam generators was blocked by valves inadvertently left closed.
Within 8 minutes, operators placed the valves in the correct position. WASH 1400 states, however, that auxiliary feedwater must be unavailable for a longer period of time before the event is regarded as a failure, because it takes some time for a shutdown reactor to generate sufficient heat before an alternate means of cooling the reactor is necessary.
WASH 1400 suggests the delay could be 1 to 1-1/2 hours (p. I-61).
Analyses of the Three Mile Island accident also indicate that unavailability of auxiliary feedwater for 8 minutes was not significant (EPRI/NSAC-1, p. TH-32).
The relief valve opened at Three Mile Island, as is normal in such transients, but it failed to close, causing the high pressure reactor cooling system to depressurize and spill radioactive water in the containment building. This failure is discussed in WASH 1400 (p. I-63), and its likelihood was predicted based on actual reactor experience with relief valves (p. V-38 and 55).
3/ Electric Power Research Institute / Nuclear Safety Analysis Center Report on Three Mile Island, July 1979.
The normal response to the failure of a relief valve to close is actuation of emergency core cooling.
This prevents excessive loss of water from the reactor. Emergency core cooling failed at Three Mile Island because the operators throttled the flow, causing the core to be damaged.
Cooling was restored by the operators before core meltdown would have occurred.
This failure event is discussed in WASH 1400.
It states that failure to remove heat from the core could lead to core meltdown or damage (p. I-St) and that operator action is required to prevent meltdown (p. I-87).
Other events discussed in connection with the accident involve hydrogen explosion, steam explosion, and collection of non-condensible gases in the reactor coolant system.
WASH 1400 identified an accident involving core overheating with metal-water reaction (at TMI-2) as the important source of hydrogen.
The report indicates that lack of oxygen prevents ignition of the hydrogen in the reactor vessel, but ignition in the atmosphere of the containment is likely after hydrogen leaks from the reactor. The conclusion in WASH 1400 is that the likelihood that hydrogen detonation will fail containment is negligible even in core meltdown accidents.
This conclusion is supported by staff analysis (see Chemistry).
Containment overpressurization failure due to hydrogen burning can occur in meltdown accidents if significant sources of hydrogen other than core zirconium are available or if additional equipment failures occur in containment cooling systems (p. VIII-123).
In fact, a hydrogen explosion did occur at Three Mile Island, and did not threaten containment (EPRI/NSAC-1, p.9, summary).
Steam explosions are postulated to occur in meltdown accidents when large quantities of molten fuel drop into large volumes of water.
According to conservative calculations in WASH 1400, such explosions have the potential to rupture the reactor vessel and fail containment. However, sufficient uncertainties exist in the basic physical understanding of steam explosions that it is also possible that steam explosions pose no explosive threat to the reactor vessel (p. VIII-98).
Experimental programs since WASH 1400 confirm that the WASH 1400 estimates are highly conservative.
Significant steam explosions did not occur at TMI-2.
Non-condensible (hydrogen) gas prevented the cooling of the damaged Three Mile Island core for a period of time during the accident (EPRI/NSAC-1, p. TH-5).
This mechanism for interruption of core cooling was not considered in WASH 1400.
WASH 1400 Accidents vs. Three Mile Island Accident
The sequence of failures in the Three Mile Island accident can be considered in terms of safety functions performed and also in terms of specific systems required.
The safety functions are common to all pressurized water reactors, but the specific safety systems involved generally vary from reactor to reactor. The WASH 1400 general description of safety function performance (p. I-53) corresponding to the Three Mile Island transient involves success of reactor shutdown and overpressurization protection, but failure to adequately cool the core.
The result of this sequence, or combination of events, is eventual core melt if no operator action is taken.
This is an accurate description of the Three Mile Island accident.
The more specific sequences, or combinations of system failures, listed in WASH 1400 cannot be directly compared to the Three Mile Island accident because WASH 1400 was based on a Westinghouse pressurized water reactor (the Surry plant in Virginia) and the details of potential accidents differ from the accident in the Babcock and Wilcox pressurized water reactor at Three Mile Island.
For purposes of comparison, a compilation of potential accidents for transients in Babcock and Wilcox reactors was prepared and is attached to this report.
While WASH 1400 results are based on the designs of a small number of reactors, the risk estimates are intended to be valid for all reactors. To justify this, the study employs conservatism at many points in its analysis and argues that all reactors are within the WASH 1400 conservatism in terms of their accident potential.
WASH 1400 Predictions
The WASH 1400 estimates of radioactivity release accident probabilities are one per 2000 years in pressurized water reactors (PWRs) and one per 7750 years in boiling water reactors (BWRs) (p. 79, main report). Due to uncertainties in the calculations it was necessary to establish upper bounds on these probabilities which are given in the report as 1 in 210 years for PWRs and 1 in 775 years for BWRs.
Approximately 12% of the accidents involve core melt in PWRs, and 22% in BWRs.
The more likely accidents involve no core melt and result in radioactivity release from spilled radioactive water in the containment building. Three Mile Island radioactivity release coincides with the severity of the WASH 1400 sequences without core melt, because while the radio-xenon release was of the magnitude expected in core melt accidents, the more important health hazard, radio-iodine, was effectively contained in the unmelted fuel and the containment building.
If WASH 1400 predictions of best estimate probabilities are valid, there was a 13% chance (about 1 in 8) of having had an accident at the time of the Three Mile Island accident or earlier (i.e., 223 reactor years of operating experience in PWRs, 187 in BWRs).
Further, there was an 80% chance that an accident would have occurred at a PWR, rather than a BWR. There was also a 90% chance that an accident would not involve melt or the high radioactivity releases associated with core melt.
Hence, the fact that the Three Mile Island accident occurred when it did and the consequences were limited in extent is consistent with WASH 1400 predictions (see Levine deposition, 8/8/79, p. 71; Rasmussen deposition, 9/15/79, p. 23).
The WASH 1400 upper bound probabilities yield a predicted 30% chance of having had an accident this soon.
The available data (i.e., the fact that one accident occurred after 223 PWR and 137 BWR years of experience) are very limited and cannot be used to make a single estimate of accident probability.
For example, the probability of a reactor accident involving radioactivity release could be any number between one in 100 reactor years and one in 3000 reactor years, based on the data.
As time passes, with or without additional accidents, the range will change.
The range is useful because it provides a basis for rejection of probability estimates outside of the range.
Since the WASH 1400 estimates are within the range, they cannot be rejected and are consistent with the data.
Based on WASH 1400 probability estimates, there is a 40% chance of one or more accidents during the next decade.
In the 10 year period an accumulation of about 900 reactor years in PWRs and 400 in BWRs is expected.
There is a 50% chance during the 1990's, during which time 1200 reactor years in PWRs and 500 reactor years in BWRs are expected.
There is a 15% chance of a core melt accident by the end of the century, based on WASH 1400 best estimates and the expected number of reactors by that time (58 BWRs and 119 PWRs).
The average of the expected consequences is less than one fatality for a core melt accident (p. 9, Executive Summary).
The following bar chart indicates the likelihood of the first nuclear accident having occurred in this decade, as opposed to another decade.
These are based on WASH 1400 best estimates.
(Note that the probability numbers associated with the decades depend on how the beginning and end points of the 10 year periods are chosen.
However, shifting the decade definitions would not change the numbers enough to affect conclusions based on the bar chart as is.)
[Bar chart: Probability of First Reactor Accident Having Occurred During Decade, for the 1960's, 1970's, 1980's and 1990's; values shown: 1%, 14%, 25%, 33%]
This chart indicates that the 1980's was the most likely time for the first reactor accident.
The likelihood in the 1990's was lower than in the previous decade, because of the large probability that the first accident would occur before 1990.
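The percentages in this section can be reproduced from the report's own rates and reactor-year counts. The following Python sketch is an added example, not part of the original report; it assumes accidents arrive as a Poisson process at the best-estimate rates (the report does not state its model), and its function names are illustrative.

```python
import math

# Best-estimate rates of radioactivity-release accidents quoted in the report,
# in accidents per reactor-year.
RATE = {"PWR": 1 / 2000, "BWR": 1 / 7750}
# Fraction of those accidents that involve core melt, as quoted in the report.
MELT_FRACTION = {"PWR": 0.12, "BWR": 0.22}

# Reactor-years quoted in the report. It gives 187 BWR reactor-years at one
# point and 137 at another; 187 is used here.
PERIODS = [
    ("through TMI-2", {"PWR": 223, "BWR": 187}),
    ("1980's", {"PWR": 900, "BWR": 400}),
    ("1990's", {"PWR": 1200, "BWR": 500}),
]


def expected_accidents(reactor_years):
    """Poisson mean: sum over reactor types of rate times exposure."""
    return sum(RATE[kind] * years for kind, years in reactor_years.items())


def p_at_least_one(reactor_years):
    """Probability of one or more accidents during the given exposure."""
    return 1.0 - math.exp(-expected_accidents(reactor_years))


def share_by_type(reactor_years, kind):
    """Given that an accident occurs, probability it is at a `kind` reactor."""
    return RATE[kind] * reactor_years[kind] / expected_accidents(reactor_years)


def p_no_core_melt(reactor_years):
    """Given that an accident occurs, probability it involves no core melt."""
    melt = sum(RATE[k] * y * MELT_FRACTION[k] for k, y in reactor_years.items())
    return 1.0 - melt / expected_accidents(reactor_years)


def first_accident_by_period(periods):
    """Probability that the first accident falls in each consecutive period."""
    result, p_none_so_far = {}, 1.0
    for name, reactor_years in periods:
        p_here = p_at_least_one(reactor_years)
        result[name] = p_none_so_far * p_here
        p_none_so_far *= 1.0 - p_here
    return result


if __name__ == "__main__":
    for name, reactor_years in PERIODS:
        print(f"{name}: P(at least one accident) = "
              f"{p_at_least_one(reactor_years):.1%}")
    tmi = PERIODS[0][1]
    print(f"P(PWR | accident by TMI-2) = {share_by_type(tmi, 'PWR'):.1%}")
    print(f"P(no core melt | accident by TMI-2) = {p_no_core_melt(tmi):.1%}")
    for name, p in first_accident_by_period(PERIODS).items():
        print(f"P(first accident falls in period '{name}') = {p:.1%}")
```

The first-accident values for the 1980's and 1990's come out about one point above the chart's 33% and 25% because the first period here ends at the accident date rather than at the end of 1979, the endpoint sensitivity the report's note describes.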
Lessons That Should Have Been Learned From WASH 1400
WASH 1400 contains three important messages. These involve expected frequency of accidents, methods for improving reactor safety, and the most likely types of accidents.
Perhaps it is a fault of the report that these messages were not emphasized, because the conclusion most often associated with WASH 1400 -- reactors are safe -- receives the primary emphasis in the report.
Perhaps it is the fault of the NRC that more effort was dedicated to criticizing WASH 1400 than was applied to understanding its messages.
In fact, WASH 1400 predicted that accidents could happen although most would present little or no public hazard. One message of WASH 1400 is that while nuclear accident risk is small compared to other societal risks, accidents similar to Three Mile Island should be expected.
These accidents were not emphasized in WASH 1400, because they do not contribute as significantly to risk as the more severe core melt accidents (see Rasmussen deposition, 9/15/79, pp. 35-36).
The WASH 1400 study, in using the "event tree" and "fault tree" methodologies, borrowed from the aerospace industry, actually revealed a "weak link" in the safety of the Surry reactor.
This led directly to a change in inspection procedures at Surry and reduced the probability of one major risk contributing accident (see Rasmussen deposition, 9/15/79, pp. 26-29) by a factor of 20 (p. 63, Main Report).
Thus, another message of WASH 1400 is that application of these methods to analysis of a specific reactor should be used to reveal "weak links" in safety. Recently, NRC officials have endorsed a plan to apply WASH 1400 techniques to the analysis of other existing reactors for this purpose (see Levine deposition, 9/15/79, pp. 25-26). Since the accident at Three Mile Island, NRC has applied reliability analysis to the study of auxiliary feedwater availability in all U.S. commercial reactors (see Rasmussen deposition, 9/15/79, p. 25).
Reactor safety research, both before and after WASH 1400 was published, has concentrated on the double-ended pipe break, or large loss-of-coolant accident.
Safety systems were designed specifically to accommodate this accident.
Yet, the WASH 1400 results published in 1975 indicated that reactor accident risk is dominated by small-break loss-of-coolant accidents and transient initiated accidents, like Three Mile Island (p. 63, Main Report).
A third message of WASH 1400 is that relative efforts in reactor safety research for large loss-of-coolant accidents, small loss-of-coolant accidents, and transient-initiated accidents should be consistent with priorities suggested by their relative risk contributions.
Generally, NRC has based priorities on "good engineering judgement" (see Rasmussen deposition, 9/15/79, pp. 56, 57), although the Lewis Report and the NRC commissioners have recently endorsed the use of WASH 1400 techniques to more efficiently carry out licensing. In fact, the NRC staff has successfully applied the techniques to prioritize safety issues, study overpressurization of vessels, and optimize inspection time intervals (see Rasmussen deposition, 9/15/79, pp. 53-59).
It should be noted with regard to small-break loss-of-coolant accidents (LOCAs) that it was thought by NRC that safety systems designed to accommodate large LOCAs would necessarily be adequate to deal with small LOCAs (see Budnitz deposition, 3/27/79, pp. 23-30).
It should have been clear from WASH 1400 that such was not the case for transient initiated PORV LOCAs (Rasmussen deposition, 9/15/79, pp. 14-15).
Instead, WASH 1400 was taken by NRC as an affirmation of their good regulatory work (see Budnitz deposition, 8/27/79, p. 33).
Further, practical considerations inhibit the application of WASH 1400 techniques.
It is very difficult to properly apply the techniques, and few people are trained or experienced in such work (see Levine deposition, 9/15/79, pp. 20-21).
Also, the criticisms of WASH 1400 techniques by the NRC commissioners left the NRC staff unmotivated to develop ways to apply the techniques.
Since the Lewis report and the Three Mile Island accident, this trend appears to be reversing.
Potential Accidents Resulting from Transients in Babcock and Wilcox Reactors
This section describes the TMI-2 accident and alternate courses the accident might have taken. Alternate sequences are discussed in more technical detail in another section of this report, entitled "Alternative Event Sequences." "Event trees" are used here to graphically illustrate the results of possible combinations of failures in order to answer "what if" questions associated with TMI-2.
The work draws on information in WASH 1400, which includes descriptions of possible failures and event trees relevant to TMI-2.
WASH 1400 contains a separate event tree for each different accident type. This is done because the sequence of possible system responses is different.
The accident types for which separate trees are presented are (1) large break LOCA, 4/ (2) small break LOCA requiring low pressure safety injection, 5/ (3) small break LOCA requiring high pressure safety injection, 5/ (4) vessel rupture, (5) LOCA through boundaries separating the high pressure primary system from attached low pressure systems, or "interfacing systems LOCA," and (6) transients.
The TMI-2 accident occurred during a transient.
The TMI-2 sequence of events is related to WASH 1400 transient event trees in the present report.
General Description of Possible Outcomes of PWR Transients
WASH 1400 includes a "functional event tree" for PWR transients (Figure I 4-13) which describes system responses and possible failures which are common to all PWR designs (i.e., Westinghouse, Babcock and Wilcox, and Combustion Engineering).
It is the basis for the WASH 1400 PWR transient event tree (Figure I 4-14) which translates the more general functional event tree into a more detailed event tree representing specifically the Westinghouse design.
In the present report, the functional event tree from WASH 1400 is translated into a more detailed event tree representing specifically the B&W design (i.e., TMI-2), since the tree for the Westinghouse design is not applicable for TMI-2.
The principal difference between the Westinghouse and B&W designs in regard to possible sequences of events following transient loss of main feedwater is that the "pilot-operated relief valve" (PORV) is normally required to operate in the B&W design, but not in the Westinghouse design.
Westinghouse reactors are automatically scrammed (i.e., shutdown) upon interruption of main feedwater flow.
Hence, pressure in the primary coolant system does not rise rapidly enough to require operation of the PORV.
B&W reactors do not scram until an overheating trend is sensed.
The purpose of using this direct indication of a need for reactor scram is to minimize the number of unnecessary scrams of the reactor resulting from erroneous signals.
In the B&W reactors, PORV operation is normally required to control system pressure until main or auxiliary feedwater supply to the steam generators becomes available to cool the reactor. Hence, PORV operation is not required in Westinghouse reactors unless auxiliary feedwater is not immediately available, and the combination of the success of auxiliary feedwater availability and failure of the PORV to close is not included in the transient event tree.
In fact, WASH 1400 states that PORV failures to close (in Westinghouse reactors) are better represented by the "small LOCA" event trees (p. I-59). (Accordingly, the TMI-2 accident sequence cannot be found on the WASH 1400 transient event tree, and is better described in LOCA event trees).
4/ loss-of-coolant accident
5/ emergency core cooling
The functional event tree for PWR transients, Figure I 4-13 attached to this report, includes a tracing of the path of the TMI-2 accident.
More complete technical descriptions of the events are in the WASH 1400 pages I-55 and 59.
The events of TMI-2 are described as follows:
1. Transient loss of main feedwater supply constitutes event A. This is a normal occurrence at nuclear power plants. A list of possible transients is shown in Table I 4-9.
2. Reactor scram was successful at TMI-2, which is represented by the path going up one level for event B. (Up normally represents the desirable outcome of an event).
3. Event C represents the failure to cool the core at TMI-2 through manually defeating the emergency core cooling. More generally, this involves failure to adequately cool the core even though main or auxiliary feedwater is available. This failure leads the TMI-2 path down one level in the functional event tree.
4. The TMI-2 path turns up one level at event D, because protection against overpressurization of the primary system was available at TMI-2. This involves opening of relief or safety valves on the primary system.
Hence, the TMI-2 sequence is designated "AC" on the functional event tree.
Core status associated with sequence AC is that the core will eventually melt if no operator action is taken.
At TMI-2, operator action to restart safety injection with the high pressure pumps prevented core melt. Further, WASH 1400 states that if adequate coolant inventory is not maintained, core damage and core melt may occur (p. I-58).
At TMI-2, failure to keep the core flooded resulted in core damage.
Outcomes of Transients in Westinghouse PWRs
The PWR transient event tree for Westinghouse reactors is attached to this report (Fig. I 4-14).
The TMI-2 path does not exist on this tree.
If it were to be added to the tree, it would involve the following:
1. Transient loss of feedwater constitutes event T.
2. The path goes up for event K, due to successful scramming of the reactor.
3. The path continues up at event M, because auxiliary feedwater (unavailable for 3 minutes at TMI-2) did become available in time to constitute success of this cooling function.
4. A branch is required at event Q, to represent failure of the PORV to close. This is not included in the tree, because PORV operation is not required in Westinghouse reactor transients which come to this point in the path. The path turns down with event Q.
5. Event U represents the failure to maintain coolant inventory in the reactor core.
Hence, a sequence designation of TQU represents the TMI-2 accident on the WASH 1400 event tree.
(Further, the S2 sequence on the PWR small LOCA event tree in WASH 1400 can also be used to represent TMI-2, except that core damage must be included as a possible outcome of the sequence.)
Outcome of Transients in B&W Reactors
Transient events in B&W reactors are normally terminated without damage, but they can lead to loss of coolant through the PORV (either by PORV failing to close or by providing for an exit for water entering the reactor from the safety injection system) or core meltdown. The B&W event tree is attached to this report.
It includes the path of the TMI-2 and Davis-Besse (D-B) transients. 6/ The sequence includes the following events:
1. The transient loss of main feedwater occurs (T).
2. The reactor scram system is available on demand (K). The TMI-2 and D-B transients follow the path up at this event, because scram on demand was achieved in both cases.
3. The path goes up at event P' if the PORV or the safety valves are not required to open in order to control primary system pressure and temperature. At TMI-2 and D-B they were required. The significance is that if any of these valves open, there is a chance they will fail to close, as at Three Mile Island. PORV operation is required in designs with low pressure settings for PORV actuation, and PORV or safety valve operation is always required if auxiliary feedwater is not immediately available. (NOTE: Pre-TMI-2 B&W designs included low PORV settings so that the PORV was always required to operate in feedwater transients. Post-TMI-2 designs include higher settings so that PORV is not required unless auxiliary feedwater is not available. Thus at TMI-2, the PORV would have been required due to auxiliary feedwater unavailability even if the PORV setting had been high.)
4. Event Q refers to failure of relief (or safety) valves to close. The TMI-2 and D-B paths turn down at event Q, due to PORV failures to close.
6/ A transient at Oconee-3 (1975) was similar to the Davis-Besse transient.
5. With rapid depressurization and coolant loss through the stuck open PORV, high pressure safety injection (HPSI) is required to cool the core. The TMI-2 and D-B paths turn up at event U, because HPSI systems were available when needed.
6. Event U' represents failure to adequately cool the core, even though HPSI is available. This could occur if HPSI flow is interrupted, as at TMI-2, and results in core damage or meltdown. The D-B path turns up at event U', because the HPSI was successful at cooling the core until the loss of coolant through the PORV was stopped. 7/ The TMI-2 path turns down here, as HPSI interruption by the operator caused parts of the core to become uncovered and core damage resulted.
7. Event U" represents loss of core coolability leading to core meltdown. This can result from failure to recover HPSI flow before the core melts, collapse of a severely damaged core into an uncoolable geometry before HPSI flow is restored, or large quantities of noncondensible gases (i.e., hydrogen) blocking flow paths in the primary coolant system. HPSI recovery at TMI-2 constitutes success of event U".
Hence, the TMI-2 sequence is designated TP'QU', and represents the two failures in the accident -- PORV stuck open and interruption of HPSI flow. The D-B sequence is TP'Q.
In both sequences, the TP' represents the normal situation of delayed scram in a transient in which the PORV is required to operate. Note that P' does not constitute failure unless PORV is not normally required to operate, but auxiliary feedwater is not immediately available.
The top sequence T and the sixth sequence TP' are the normal outcomes of transients.
The difference between the two is in the requirement for PORV operation. Most other sequences result in loss of coolant through the PORV, either to accommodate HPSI flow through the system or due to failure to close.
These outcomes are designated PORV LOCAs, and involve core damage, if the sequence ends with U' (e.g., TMI-2).
PORV LOCAs do not involve core damage if the sequence ends with L or Q (e.g., D-B).
Core melt is the outcome in sequence TK and in sequences ending with U or U".
Differences between the WASH 1400 transient event tree (for Westinghouse reactors) and the B&W tree represent differences in the response to transients.
Event P' is added to the B&W tree to separate situations in which PORV operation is required from those in which it is not.
Event Q occurs earlier in the B&W tree, because its function is important earlier in B&W transients.
WASH 1400 event M is combined with event L (prolonged auxiliary feedwater availability) in the B&W tree.
Due to the high reliability of pressure relief and safety valves, WASH 1400 event P (failure to open) is not included in the B&W tree.
WASH 1400 event U (HPSI availability) is divided into three events for B&W reactors, to represent HPSI availability, interruption resulting in core damage, and recovery in time to prevent core melt.
The U' and U" events are added to the B&W tree because direct indication of PORV position is not available. The operator may not recognize the PORV LOCA, and may respond by turning HPSI off.
WASH 1400 event W refers to final cooldown of the reactor and availability of residual heat removal systems.
Because of the long time available to put these systems into service (i.e., days), it is not included in the B&W tree.
7/ HPSI was interrupted by the operators at Davis-Besse but not for a long enough period to effect inadequate cooling and result in core damage.
Significant Outcome of B&W Transients
The event tree for B&W reactor transients shows where deviations from the TMI-2 accident path would have significantly altered the course of the accident. The sequences one step different from that of TMI-2 (TP'QU') are discussed here:
(TK)
If scram had not been successful, core meltdown may have resulted.
Due to the high reliability of scram systems and the high concentration of boron in the HPSI water, this was a very unlikely path.
(See Chapter 4, Alternative Event Sequences)
(TP')
The normal outcome of the transient loss of main feedwater is TP'.
It requires successful operation of the PORV and availability of main or auxiliary feedwater within about one hour.
(See Case 2, Alternative Event Sequences)
(TP'QU)
Unavailability of HPSI may have led to core meltdown.
The WASH 1400 estimate of HPSI reliability is 99 percent.
(See Case 9, Alternative Event Sequences.)
(TP'Q)
The PORV LOCA sequence involving no core damage, as at Davis-Besse, would have been the outcome if HPSI had not been interrupted long enough to damage the core.
(See Case 3, Alternative Event Sequences.)
(TP'QU'U")
Failure to restore HPSI flow may have resulted in core meltdown.
(See Case 9, Alternative Event Sequences.)
Sequence T and the four TL-sequences are not applicable, because the TMI-2 transient involved delayed scram. If the PORV had not been required to operate, these sequences would have been applicable, and the most likely outcome would have been sequence T, since PORV would not have been required.
Use of Event Trees in Safety Analysis
The accident probabilities in WASH 1400 are based on the event trees. Much of the work in WASH 1400 went into calculating probabilities for each of the events in the trees.
The probability of any sequence was calculated by multiplying the event probabilities in the sequence together.
The results were used in WASH 1400 risk estimates and in identification of significant sequences which contribute more to the risk than others.
It was found, for example, that one sequence (the "interfacing systems LOCA") contributed heavily to the risk associated with the Surry PWR, and a few similar reactors, and that a simple change in the inspection procedure for some valves could decrease the chance of the accident by a factor of 20.
This led to NRC action to effect the change.
Further, WASH 1400 event tree results indicated that the accident types that dominate the risk are small LOCAs and transients.
(TMI-2 was a transient).
It had previously been thought that large LOCAs (e.g., double-ended pipe breaks) were the major risk contributors and this thinking guided NRC safety research funding.
WASH 1400 pointed out that consequences of small LOCAs and transients can be just as severe as those of the large LOCAs, and their probabilities of occurrence are much higher.
Since TMI-2, changes have been implemented in B&W reactors to cause reactor scram upon turbine trip and raise the PORV pressure set point.
At TMI-2, this would normally not have required the PORV to open, but since auxiliary feedwater was not immediately available, the PORV would still have opened.
In this situation the PORV would still have stuck open.
The effect of the PORV setting change on the probabilities of outcomes of other transients in B&W reactors can be predicted by determining probabilities for the events in the B&W tree and using these to calculate probabilities for the sequences. This analysis is presented below.
The change affects event P' in the event tree (required PORV operation). With scram assumed to operate properly, only the probabilities of the events to the right of K' in the tree need to be considered. WASH 1400 probabilities for the events are used when possible.
Event P' (Required PORV operation) - Probability is 1 for reactors with low pressure settings and about 1 in 100 for those with high settings (due to auxiliary feedwater availability)
Event Q (PORV stuck open) - WASH 1400 estimate for PORV stuck open is 1 in 100.
Event L (Secondary side cooling restored) - WASH 1400 estimate for not recovering auxiliary feedwater is approximately 1 in 10,000.
Event U (HPSI available) - WASH 1400 estimate for HPSI failure is approximately 1 in 100.
Note, however, that with the higher PORV setting, HPSI ability to pump water into the core is diminished in transients with loss of main and auxiliary feedwater.
In these cases, operator action to manually open the PORV is required to lower primary pressure.
The probability that the operator will not respond properly and HPSI will not be available is roughly estimated to be 1 in 10.
Event U' (HPSI interrupted) - In two TMI-2-like transients at Davis-Besse and Oconee-3, HPSI was interrupted by operators.
The chance of HPSI interruption is estimated to be 1 in 10, for the purposes of this analysis.
Event U" (HPSI restored) - At TMI-2, HPSI was restored before core meltdown.
The chance that HPSI will not be restored is estimated to be 1 in 10.
Using these values, the probability of the TMI-2 sequence having proceeded to core damage in sequence TP'QU' is:
(probability of Event Q) x (probability of Event U') =
(1 in 100) x (1 in 10) = 1 in 1000.
Thus, for every 1000 transients in B&W reactors involving delayed scram, one was expected to go the way of TMI-2.
The mathematics of probability combinations for other sequences is not included here, but the results are summarized as follows:
Probability of Outcomes for B&W Reactor Transients
| PORV Pressure Setting | Normal Termination | PORV LOCA | Core Damage | Core Meltdown |
|---|---|---|---|---|
| Lower (Pre-TMI-2) | 99% | 1 in 100 | 1 in 1,000 | 2 in 10,000 |
| Higher (Post-TMI-2) | 99.98% | 2 in 10,000 | 2 in 100,000 | 1 in 100,000 |
This table indicates that both PORV LOCAs and core damage are 50 times less likely in the transients not requiring PORV operation than in those which do.
Core melt is 20 times less likely. The reason is that the critical component when PORV is required is the PORV itself, while in the transients when PORV is not required the critical component is the more reliable auxiliary feedwater availability. The PORV failure rate is 100 times the product of auxiliary feed water and PORV failure rates.
Note, however, that the higher PORV pressure setting may degrade the reliability of the HPSI in transients with loss of main and auxiliary feedwater.
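The report omits the arithmetic behind the outcome table; the following added example (not part of the original report) reconstructs it in Python from the event probabilities listed above. Assumptions: a PORV LOCA is entered through either TP'Q or TL, success branches are taken as roughly 1 as in the report's own TP'QU' product, and the 1-in-10 HPSI figure applies only on the TL path with the higher setting; all function and variable names are illustrative.

```python
from fractions import Fraction as F

# Failure ("down") branch probabilities quoted in the report.
Q = F(1, 100)         # PORV sticks open
L = F(1, 10_000)      # auxiliary feedwater not recovered
U = F(1, 100)         # HPSI unavailable
U_MANUAL = F(1, 10)   # HPSI unavailable when operator must open the PORV
U1 = F(1, 10)         # U': HPSI interrupted long enough for core damage
U2 = F(1, 10)         # U'': HPSI not restored in time

def outcomes(p_required, u_on_tl_path):
    """Cumulative outcome probabilities for one PORV pressure setting.

    Assumption (not spelled out in the report): the LOCA paths are TP'Q and
    TL, and each later column is the product of failure branches along them.
    """
    paths = [
        (p_required * Q, U),                    # TP'Q: PORV required, sticks
        ((1 - p_required) * L, u_on_tl_path),   # TL: PORV opens after AFW loss
    ]
    loca = sum(p for p, _ in paths)
    damage = sum(p * U1 for p, _ in paths)            # ...U'
    melt = sum(p * (u + U1 * U2) for p, u in paths)   # ...U or ...U'U''
    return {"normal": 1 - loca, "porv_loca": loca,
            "core_damage": damage, "core_melt": melt}

def one_in(p):
    """Format a probability as 'x in 10^k' to one significant figure."""
    k = 0
    while p * 10**k < 1:
        k += 1
    return f"{round(p * 10**k)} in {10**k:,}"

PRE = outcomes(F(1), U)                # lower setting: PORV always required
POST = outcomes(F(1, 100), U_MANUAL)   # higher setting: required 1 time in 100

if __name__ == "__main__":
    cols = ("porv_loca", "core_damage", "core_melt")
    for name, row in (("pre-TMI-2", PRE), ("post-TMI-2", POST)):
        print(name, f"{float(row['normal']):.2%}", *(one_in(row[c]) for c in cols))
```

Under these assumptions the exact post-TMI-2 core melt value is about 1.3 in 100,000, which rounds to the 1 in 100,000 shown in the table.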
This analysis shows how event trees could have been used prior to TMI-2 to identify a simple change that could have greatly reduced the probability of the TMI-2 accident (and the Davis-Besse and Oconee-3 transients), just as they were used in WASH 1400 to reduce the probability of the "interfacing systems LOCA" in the Surry reactor.
Note that this analysis was possible even with very rough estimates of the event probabilities.
While the probability estimates presented here for outcomes of B&W reactor transients are not strictly reliable, the basis for comparison between the higher and lower PORV pressure settings is appropriate. This example positively demonstrates the utility and importance of applying WASH 1400 techniques.
TRANSIENT EVENT TREE FOR B&W REACTORS
[Event tree diagram; not legible in the source scan. The outcome key and event definitions follow.]
Normal Termination: T, TP'
PORV LOCA (no damage): sequence ending in L or Q
Core damage: sequence ending in U'
Core meltdown: sequence ending in U, U", or K
T - Transient event
K - Scram availability (up/yes)
P' - PORV or safety valve operation required (down/yes)
Q - PORV or safety valve stuck open (down/yes)
L - Secondary side cooling restored (up/yes)
U - HPSI available (up/yes)
U' - HPSI interrupted and PORV open for sufficient period of time to cause core damage (down/yes)
U" - HPSI restored and PORV closed in time to avoid core meltdown (up/yes)
Findings from Study of WASH 1400
1. Predictions based on WASH 1400 accident probabilities indicated nearly one chance in six of a radioactivity release accident by the end of the 1970's, about one chance in two of one accident by the end of the 1980's. We should have anticipated TMI-2 and been prepared to deal with it.
2. Use of WASH 1400 analytical techniques can reveal, and has revealed, "weak links" in the safety of nuclear reactors and has led to significant improvements in safety.
3. WASH 1400 is remarkably defined and accurate in its description of events corresponding to those which occurred at Three Mile Island.
4. So much effort has been expended in criticism of WASH 1400 that little attention has been paid to the messages it contains.
TABLE I 4-9 PWR TRANSIENTS
Likely Initiating Events
1. Turbine Trip
2. Spurious Signals from SICS
3. Loss of Condenser Vacuum
4. Inadvertent Closure of Main Steam Line Isolation Valves
5. Loss of Main Station Generator with Failure to Relay Auxiliary Loads (e.g., Main Feedwater Pumps, Condensate Pumps) to AC Power Incoming from Offsite Network.
6. Loss of Main Circulating Water Pumps for Condenser Cooling
7. Loss of Main Feedwater Pumps
8. Loss of Condensate Pumps
9. Loss of AC Power Incoming from Offsite Network
10. Inadvertent Opening of Steam Generator Power-Operated Relief Valves (~10% Sudden Load Demand)
11. Increase in Main Feedwater Flow; Malfunctions in Feedwater Flow Control
12. Malfunctions of Control Resulting in Inadvertent Opening of All Turbine Steam Bypass Valves (~40% Sudden Load Demand)
13. Uncontrolled Rod Withdrawal a) At Full Power, b) At Startup
14. Control Rod Assembly Drop
15. Boron Dilution by Malfunctions in Chemical Volume and Control System
16. Startup of Inactive Reactor Coolant Loop (in PWR with No RCS Loop Isolation Valves)
17. Accidental Opening of Pressurizer Safety or Relief Valves
18. Loss of RCS Coolant Flow (Main RCS Circulating Pump Malfunctions)
Unlikely Initiating Events
1. Rupture of High Energy Piping in Secondary Coolant System: a) Rupture of Main Feedwater Lines, b) Rupture of Lines in Main Steam System(a)
2. Rupture of Steam Generator (See Preceding Discussions in section 4.1.5 for Coverage)
3. Rupture of Control Rod Mechanism Housing on Reactor Vessel Leading to Small LOCA and Control Rod Ejection (See Preceding Discussions in sections 4.1.3 and 4.1.4 for Coverage)
4. Abrupt Seizure of All Main RCS Recirculation Pumps
5. Startup of Inactive Reactor Coolant Loop with Abrupt Opening of Both Isolation Valves in One RCS Loop in PWR Plants Employing RCS Loop Isolation Valves
(a) These ruptures are included somewhat arbitrarily within the Unlikely Event Category. However, failures of lines in the PWR secondary coolant systems have occurred principally during plant testing and start-up periods. These types of failures have included inadequate initial design of relief valve headers in the steam supply lines, discharge of secondary coolant from leaking feedwater valves, discharge of secondary coolant from cracks in main feedwater lines, etc. The RCS cooldown transients stemming from these failures would be less severe than those included under No. 12 of the Likely Event Category above. The potential impact of such high energy line failures in specific locations of the plant, since they might commonly interact with and affect availability of the plant ESFs, was considered as part of this study. Refer to Appendices II and IV.
From Reactor Safety Study, An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants, Appendix I.
FIGURE I 4-13 Functional Event Tree - PWR Transient Events
[Event tree diagram; not legible in the source scan. The sequence outcomes and function key follow.]
Core status and remarks by sequence:
A - O.K.
AF - Return to Hot Shutdown (HTEH)
AE - Remain at Hot Shutdown
AC - Eventual Melt, if no Operator Action Taken
ACD - LOCA with Core Melt
AB - Possible O.K.
ABF - Possible O.K., Remain at Hot Shutdown
ABE - Core Melt
ABD - High RCS Pressure Level, LOCA with Core Melt
ABC - High RCS Pressure Level, LOCA with Core Melt
A: TE - Transient Event
B: RS - Reactor Subcriticality
C: HTEH - Heat Transfer to Environment During Cooldown of RCS to ~350°F and 400 psia
D: OP - Overpressure Protection of Reactor Coolant System
E: VCVC - Reactor Vessel Coolant Volume Control
F: HTEC - Heat Transfer to Environment During Cold Shutdown of RCS from ≤ 350°F and ≤ 400 psia (This function is shown for completeness but is of limited interest to this study of PWR transient events)
FIGURE I 4-14 PWR Transient Event Tree
[Event tree diagram with 24 numbered sequences; not legible in the source scan.]
From Reactor Safety Study, An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants, Appendix I.