ML19341A330
| ML19341A330 | |
| Person / Time | |
|---|---|
| Site: | Zion |
| Issue date: | 12/31/1980 |
| From: | Bari R, Buslik A BROOKHAVEN NATIONAL LABORATORY |
| To: | Office of Nuclear Reactor Regulation |
| References | |
| BNL-NUREG-28750, NUDOCS 8101220631 | |
BNL-NUREG-28750
INFORMAL REPORT
LIMITED DISTRIBUTION
A CRITIQUE OF THE OFFSHORE POWER SYSTEMS RISK STUDY FOR THE ZION NUCLEAR POWER PLANT
A. J. Buslik and R. A. Bari
Department of Nuclear Energy
BROOKHAVEN NATIONAL LABORATORY
Upton, New York 11973
December 1980
Prepared for U.S. Nuclear Regulatory Commission, Washington, D. C. 20555
Under Interagency Agreement DE-AC02-76CH00016
ABSTRACT
An evaluation of the Offshore Power Systems Risk Study (Report No. 36A75, February 1980) for the Zion Nuclear Plant is presented. We obtained a larger probability for a WASH-1400 Category 2 release resulting from an extended loss of AC power coupled with a failure of the turbine-driven pump train in the auxiliary feedwater system. Potential common mode failures in the engineered safety features were included and this led to a larger probability of core melt resulting from loss of coolant accidents.
TABLE OF CONTENTS
ABSTRACT
LIST OF FIGURES
LIST OF TABLES
1.0 INTRODUCTION
2.0 ANALYSIS
2.1 Loss of Offsite Power Initiating Event
2.1.1 Qualitative Analysis
2.1.2 Quantitative Analysis
2.1.2.1 Probability of Loss of Offsite Power
2.1.2.2 Diesel Generator Failure and Repair
2.1.2.3 Repair Time for Loss of Offsite Power
2.1.2.4 Turbine-driven Auxiliary Feedwater Pump Failure Probability
2.1.2.5 Accident Sequence Probabilities - Loss of Offsite Power Initiator
2.1.2.6 Containment Failure Mode Probabilities - Loss of Offsite Power Initiated Accident Sequences
2.1.2.7 Release Category Probabilities - Accident Sequences Initiated by Loss of Offsite Power
2.2 Loss of Main Feedwater Initiating Event
2.2.1 Qualitative Analysis
2.2.2 Quantitative Analysis
2.2.3 Containment Failure Mode Probabilities - Loss of Main Feedwater Initiator
2.2.4 Release Category Probabilities - Loss of Main Feedwater Initiator
2.3 Small Loss of Coolant Accidents
2.3.1 General Remarks
2.3.2 HPIS Unavailability
2.3.2.1 Qualitative Analysis of the HPIS
2.3.2.2 Quantitative Analysis of the HPIS
2.3.3 Accident Sequence Probabilities for S1 and S2 Initiating Events
2.3.4 Containment Failure Mode Probabilities for Accident Sequences Initiated by a Small Loss of Coolant
2.3.5 Release Category Probabilities for Accident Sequences Initiated by a Small Loss of Coolant
2.4 Accident Sequences Initiated by a Large Loss of Coolant
3.0 DISCUSSION AND SUMMARY
ACKNOWLEDGMENTS
REFERENCES

LIST OF FIGURES
Figure 1. HPIS Flow Diagram.
Figure 2. HPRS Flow Diagram.

LIST OF TABLES
Table 1. Contribution of Accident Sequences to the Probability (Per Reactor-yr) of a Release in Each Release Category, for Accident Sequences Initiated by Loss of Offsite Power.
Table 2. Containment Failure Mode Probabilities for the Accident Sequences Initiated by S1 and S2.
Table 3. Contribution of Accident Sequences to the Probability (Per Reactor-yr) of a Release in Each Release Category, for Accident Sequences Initiated by a Small Loss of Coolant.
Table 4. Contribution of Accident Sequences to the Probability (Per Reactor-yr) of a Release in Each Release Category, for Accident Sequences Initiated by a Large Loss of Coolant.

1.0 INTRODUCTION
An initial estimate of the risk associated with a particular nuclear power plant can be made by assuming that the nuclear power plant is similar in its reliability characteristics and probabilities of various radioactive releases to the reference plant in the Reactor Safety Study (Reference 1). Differences in risk then occur only because of differences in site characteristics (population distribution, meteorology, etc.).
In order to make a more accurate risk estimate, it is necessary to take into account the fact that differences in plant characteristics may lead to differences in radioactive release probabilities. Offshore Power Systems (OPS) has performed a risk study (Reference 2) on the Zion plant; this study attempts to take into account the differences in the Zion plant characteristics from those of the reference plant in the Reactor Safety Study. The purpose of the present report is to present an evaluation of the OPS risk study (Reference 2).
The scope of the present report is limited. The seismic risk has not been evaluated. There was no thorough search for common mode failures or systems interactions. The requirements for system mission success given in the OPS study (Reference 2) were accepted without detailed analysis. The sequence involving the check valves interfacing between high pressure and low pressure systems was not analyzed. Furthermore, we did not consider accident sequences involving failure of the reactor trip system. Containment failure mode probabilities are taken (for the most part) from the OPS study and in no case was extensive evaluation made. A similar statement holds for release category assignments and probabilities.
A limited review of the LERs for the Zion Plant was performed and no significant events were identified which would affect this evaluation. Our analysis differs from that of the OPS study in several respects. We found a higher contribution of loss-of-offsite-power initiated accident sequences to the probability of core melt with atmospheric release. This was in part due to differences in failure data and in part due to the inclusion of an accident sequence involving failure of the reactor coolant pump seals, which are no longer cooled if all AC power is lost. We obtained a higher probability of failure of the High Pressure Injection System, which affects the accident sequences initiated by small losses of coolant. We obtained a higher probability for core-melt sequences initiated by a small loss of coolant, and involving simultaneous failure of the High Pressure Recirculation System and the Containment Spray Recirculation System. This was because of the inclusion of common mode failures between the two redundant legs of that portion of the Low Pressure Recirculation System common to both the High Pressure Recirculation System and the Containment Spray Recirculation System. We used a probability of .1 of failure of the containment fan coolers in accident sequences in which core melt had occurred, and the containment sprays were not functioning, because the containment atmosphere would be filled with particulate matter, while the OPS study (Reference 2) neglected failure of the containment fan coolers in such accident sequences. We allowed for the possibility that the so-called "feed and bleed" method of cooling the core (using the charging pumps and the pressurizer relief valves) may be inadequate to prevent core melt, and therefore included a loss of main feedwater transient in our analysis.
The analysis is presented in Section 2. Section 3 is a summary and discussion.
2.0 ANALYSIS
2.1 Loss of Offsite Power Initiating Event
2.1.1 Qualitative Analysis
In the accident sequences considered here, there is a loss of offsite power (T), followed by common mode failure of the two diesel generators (B) associated with the motor-driven auxiliary feedwater pumps. The loss of offsite power results in loss of the main feedwater system.
If the turbine-driven auxiliary feedwater pump train is unavailable (L), there will be no feedwater supply to the steam generators, and they will dry out in about 3/4 hour.
If, however, offsite power is restored within the 3/4 hour period, the main feedwater system can be restarted and used. Nonrestoration of offsite power in about 3/4 hour is denoted by M.
The sequence TMLB was determined to lead to core melt in the Reactor Safety Study (Reference 1). There is a possibility, however, that even if the two diesel generators dedicated to the two motor-driven auxiliary feedwater trains of a Zion unit were to fail, core melt could be averted. This is because the two-unit Zion plant has five diesel generators: two dedicated to each unit (DG1A and DG1B for Unit 1, and DG2A, DG2B for Unit 2) and one diesel generator (DG0) which can be used to power certain equipment associated with both units. One possible means of cooling the reactor core ("feed and bleed") would be to use the charging pumps to introduce water into the reactor coolant system and to release steam through the pressurizer relief valves. Since one charging pump on each unit is powered by DG0, if "feed and bleed" were to work using one charging pump, and if the DG0 diesel generator were to start, then core melt could be averted, even given the event sequence TMLB. However, there is uncertainty as to whether feed and bleed will work, even if both charging pumps are available. Therefore, no credit is given in the present study for this way of cooling the core.
If offsite electric power is not restored within a period of about 3 hours from the loss of offsite power trip, containment failure by overpressure is likely. Denote by B' the event that offsite electric power is not restored within 3 hours, and by B" the event that it is restored within 3 hours. We shall not give credit for diesel generator repair in this limited study.
If containment failure by overpressure occurs, the radioactive release source term depends on whether containment sprays are operating or not. Core melt accident sequences were assigned in the Reactor Safety Study to one of 7 release categories, Release Category 1 being the most severe and Release Category 7 the least. The Reactor Safety Study assigned accident sequences in which containment failed by overpressure and containment sprays were operating to Release Category 3 or 7 (depending on the time of containment failure relative to the time of reactor vessel failure), while accident sequences in which containment failed by overpressure but containment sprays were not operating were assigned to Release Category 2.
The OPS study assigned accident sequences in which the containment failed by overpressure and containment sprays were operating to Release Category 5, and we shall follow this procedure, but without analysis.
In the Offshore Power Systems risk study for the Zion plant, the event B referred to failure of all three diesel generators associated with a given unit (e.g., for Unit 1, DG1A, DG1B and DG0).
In our study, however, the event B refers to failure of the two diesel generators associated with the motor-driven auxiliary feedwater pumps. (For Unit 1, these diesel generators are DG1A and DG1B.) We are not giving credit for "feed and bleed" using the DG0 diesel generator to supply power to one centrifugal charging pump, because of uncertainties concerning its adequacy. Therefore, the event sequence TMLB, with our definition of the Event B, leads to core melt. However, if diesel generator DG0 operates, electric power is available to one containment fan cooler and to one containment spray pump. The operation of the containment spray pump would assist in the removal of fission products from the containment atmosphere. Denote the event that DG0 fails to operate by $B_0$, and the event that it operates successfully by $\bar{B}_0$. Thus, given the event sequence TMLBB', and containment failure by overpressure, the release will be assigned to Category 2 if DG0 fails to operate, and to Category 5 if DG0 operates.
In other words, TMLBB'$B_0$ is assigned to Release Category 2, and TMLBB'$\bar{B}_0$ is assigned to Release Category 5, if containment failure is by overpressure.
The above discussed sequences are core melt sequences which involve failure of the turbine-driven auxiliary feedwater pump.
There is a sequence involving loss of all AC power which leads to core melt even if the turbine-driven auxiliary feedwater pump is operating. The mechanism for this would be failure of the primary pump seals, which would no longer be cooled when there is total loss of electric power (see Reference 3).
The primary pump seals are cooled in part by the seal injection flow (which is supplied to the reactor coolant pumps from the Chemical and Volume Control System by the charging pumps) and in part by the component cooling water, which cools the reactor coolant pump thermal barrier. With the reactor coolant pumps tripped, component cooling water alone would provide adequate cooling for the primary pump seals. From discussions with Zion personnel it appears that the component cooling water systems for both plants are interconnected so that if any one of the component cooling water pumps of both units is operating, there will be adequate component cooling water flow for cooling the reactor coolant pump seals. This in turn implies that operability of only one of the five diesel generators is required for adequate component cooling water flow. Denote failure of all five diesel generators by the event $B_5$.
According to Reference 3, the primary coolant seals would fail after about an hour without cooling. Denote by M' the event that offsite power is not restored within 1 hour. The failure of the reactor coolant pump seals is equivalent to a small loss of coolant accident. High pressure injection is not available because of the loss of AC power.
A leak from a reactor coolant pump which fails while it is not operating may well be less than a leak which occurs when the reactor coolant pump is operating. At Arkansas Nuclear Unit 1, on May 10, 1980, a reactor coolant pump seal failure resulted in a leak rate of 90 gal/minute. The pump had been tripped when the leak rate was 30 gal/minute. We will, for the purpose of this limited study, take the leak from one pump at about 90 gal/minute.
Preliminary MARCH calculations of this accident sequence by W. T. Pratt (private communication) indicate core slumping about 6 1/2 hours after offsite power is lost. However, there are considerable uncertainties in the calculation. For the purposes of the present study, it is assumed that the point of no return for core melt occurs three hours after offsite power is lost.
From the above discussion, the sequence of events TM'$B_5$B' leads to core melt; TM'$B_5$ leads to reactor coolant pump seal failure, and if offsite power is not restored within 3 hours, the point of no return for breach of the reactor vessel head is reached.
In summary, the accident sequences discussed above will be collected, with brief descriptions.
(1) TMLBB'$B_0$: This sequence consists of loss of offsite power, failure of the A and B diesel generators, failure of the turbine-driven auxiliary feedwater pump, failure to restore offsite electric power in 3 hours, and failure of DG0.
(2) TMLBB'$\bar{B}_0$: This sequence is like Sequence 1, except that DG0 operates.
(3) TMLBB": This sequence consists of loss of offsite power for a period exceeding 3/4 hr, failure of the A and B diesel generators, failure of the turbine-driven auxiliary feedwater pump, and recovery of offsite electric power within 3 hours.
(4) TM'$B_5$B': This sequence consists of loss of offsite power, failure of all five diesel generators in the emergency onsite AC power system, and failure to restore offsite electric power within 3 hours. It involves failure of the reactor coolant pump seals.
2.1.2 Quantitative Analysis
2.1.2.1 Probability of Loss of Offsite Power
The frequency of loss of offsite power (Event T) is given in the OPS report, Reference 2, as .04/reactor-yr. This differs from the Reactor Safety Study value of .2/reactor-yr. We have made our own estimate based on the absence of a total loss of offsite power at the Zion plant for 7 years of operation. At a 50% confidence level, one finds that the probability of a loss of offsite power event, pr{T}, is
$$\mathrm{pr}\{T\} = -\frac{1}{7}\ln(.5)/(\text{reactor-yr}) = .1/\text{reactor-yr}$$
This value of .1/reactor-yr is less than the overall average of .24 failures/reactor-yr for all nuclear power plants which responded to a survey of loss of power events at domestic nuclear power plants (Reference 4).
2.1.2.2 Diesel Generator Failure and Repair
At a meeting with Zion personnel held August 11-10, 1980 new information on diesel generator failures was obtained. There were 25 failures in 1,434 tests, which yields a failure probability of .017 per demand, somewhat greater than the value of .012 per demand used in the OPS study (Reference 2).
In the OPS study it was argued that none of the diesel generator failures that have occurred at Zion were of a common cause nature, and a value of $10^{-4}$ per demand for the common mode failure probability of the diesel generators was used.
The value of $10^{-4}$ per demand for the common mode failure probability of the diesel generators may be a reasonable estimate for the probability of failure of all 5 diesel generators associated with both Zion units, but does not appear realistic for the probability of a second diesel generator failing, given that the first has failed. For the case of common mode failure of all 5 diesel generators, the particular mechanism might be a common maintenance error, or a type of failure which is not detected by the periodic testing program for the diesel generators. For example, perhaps some kind of human error could result in having the diesel generators attempt to drive the main plant generator as a motor. An incident has occurred at Zion (in September 1976) where a single diesel generator (which was under test) did, because of a human error, attempt to drive the main plant generator as a motor; this resulted in a diesel generator fire. There is the possibility that any one of a large number of accident sequences, each of low probability, may lead to the common mode failure of all five diesel generators, and assigning a value of $10^{-4}$ for the sum of the probabilities of all of these sequences does not seem unrealistic.
However, assigning a probability of $10^{-4}$ for the probability of failure of the two diesel generators dedicated to a Zion unit seems unrealistically low. To begin with, taking the newer information on diesel generator failures at Zion referred to in the first paragraph, the probability of failure of a single diesel generator is estimated as .017.
For the simultaneous failure of both diesel generators due to random, independent causes one has
$$(.017)^2 = 2.9\times10^{-4}$$
In addition, there is the possibility that one of the dedicated diesel generators is under maintenance and the other one fails. The probability that a diesel generator is unavailable because of maintenance, or because of a test which renders the diesel unavailable, is $1\times10^{-2}$, from data presented on pg. 54 of Appendix III of the Reactor Safety Study (Reference 1). The probability of the A diesel generator failing to start, and the B diesel generator being unavailable because of maintenance, or vice-versa, is, therefore,
$$2(.017)(.01) = 3.4\times10^{-4}$$
Thus, even if there are no common mode failures of the diesel generators, the probability of both the A and B diesel generators being unavailable, either because both have failed independently, or because one is under maintenance and the other fails, is
$$2.9\times10^{-4} + 3.4\times10^{-4} = 6.3\times10^{-4}$$
The above estimate of the maintenance contribution to the unavailability of the diesel generators was based on Reactor Safety Study data for the unavailability of a diesel generator due to maintenance.
It would be desirable to use Zion specific data, but this was not available within the time frame of the study. One should note that diesel generator maintenance while the reactor is at power is limited to 7 days duration at Zion.
A survey of diesel generator failures that occurred in the Zion plant was made by using the ORNL NSIC RECON file. Six cases of 2 out of the 3 diesel generators associated with a unit being simultaneously unavailable were found.
Of these, 3 cases consisted of simultaneous failures of 2 diesel generators, and 3 cases consisted of failure of a diesel generator while another diesel generator was under test. The event and report dates, the diesel generators involved, and whether the diesel generator failed (F) or was unavailable because of maintenance (M) is tabulated below.

| Event Date | Report Date | Diesel Generators Involved (F = Failed, M = Maintenance) |
|---|---|---|
| April 4, 1980 | May 5, 1980 | DG0(M) and DG2B(F) |
| October 26, 1979 | November 21, 1979 | DG0(M) and DG2A(F) |
| September 2, 1978 | October 2, 1978 | DG1A(M) and DG1B(F) |
| January 16, 1978 | February 15, 1978 | DG1A(F) and DG0(F) |
| July 16, 1974 | July 24, 1974 | DG1B(F) and DG1A(F) |
| October 8, 1973 | October 18, 1973 | DG1A(F) and DG1B(F) |

The Licensee event report for the event dated October 8, 1973 states that the diesel generator 1B would have operated in the emergency start mode. The failure of DG0 on January 16, 1978 was one in which the diesel generator was declared inoperable although it had started successfully. The reason was a low pressure condition in the control air system. When a diesel generator is under maintenance the other two diesel generators are tested daily. Keeping this in mind, the data do not appear to be inconsistent with an unavailability due to maintenance of $1\times10^{-2}$, and a failure probability of .017 for a diesel generator.
If anything, it suggests that the maintenance unavailability estimate may be too high. For a maintenance unavailability of .01, one would expect a diesel generator to be under maintenance for three or four days a year, or about 25 days in the seven years of operation of the plant.
If the diesel generator under maintenance were, say, DG1A, then DG1B and DG0 would each be tested about 25 times while DG1A is under maintenance, during the seven years of plant operation.
If DG0 is under maintenance all four remaining diesels are tested daily. The total number (for seven years) of diesel generator tests while another diesel generator is under maintenance is about 300, and the expected number of diesel generator failures while a diesel generator (associated with the same unit) is under maintenance is about five.
The actual number that occurred is three.
We have found, assuming independence of diesel generator failures, that the simultaneous unavailability of the A and B generators associated with the same unit is $6.3\times10^{-4}$, when the maintenance contribution to the unavailability is taken into account. We must still address the problem of common mode failure of the diesel generators.
According to a study (Reference 6) of diesel generator failures in U.S. commercial power plants (during the time period from January 1, 1976 to March 1980) about 16% of all diesel generator failures are of common mode type.
When looking at these failures, however, we note that many of these represent single failures from a cause which is potentially common mode. Some of the events listed (see Appendix K of Reference 6) included corrosion products clogging air start valves, winter weather, a leak in the air line to the master shutdown valve, lack of lubrication causing the binding of fuel rack linkage, dirty oil in governor, and cavitation of lubrication oil pump because of water in lubrication oil. The events concerning corrosion products clogging air start valves occurred at Farley Unit 1.
Diesel generator 1B failed due to this cause on March 2, 1978, and diesel generator 1C failed due to this cause on March 8, 1978. The events involving binding of the fuel rack linkage occurred at Salem Unit 1 on July 30, 1977, and involved diesel generators 1A and 1B. Thus the potential common mode failures do include cases where two diesel generators have failed due to the same cause, but not all are of this type.
Of the common cause events listed above, the events involving a leak in the air line to the master shutdown valve occurred at Zion Unit 2, as did the event involving cavitation of the lubrication oil pump. There were two events involving a leak in the air line to the master shutdown valve at Zion Unit 2.
The first of these failed the 2A diesel generator on May 6, 1977, and the second failed the DG0 generator on November 1, 1977. The event involving cavitation of the lubrication oil pump occurred at Zion on November 10, 1977 and involved the DG0 diesel generator.
Reference 6 also lists events classified as "unavailable/nonfailure," and some of these events are classified as common mode. An "unavailable/nonfailure" event consists of an event where the diesel generator was discovered in an inoperable state but no demand (either test or actual demand) was placed on the diesel generator.
If the demand had been present the diesel generator would have either failed to start, or to continue running. An example of an "unavailable/nonfailure" event was a diesel generator inoperable due to wet circuitry, caused by inadvertent operation of the fire deluge system, at Arkansas 1 on November 22, 1976. This type of unavailability would not be found by testing.
From looking at the diesel generator common mode events in Reference 6, it seems clear that the probability of a diesel generator failing, given that another diesel generator has failed, should be something less than 0.16.
On the other hand there are types of common mode failures which are not revealed by testing. The probability of a second diesel generator failing, given the first has failed is, therefore, estimated by us as .1.
A justification of this value is given in the following paragraphs.
Reference 12, by Azarm, Mclagan, Husseiny, and Metwally gives, in their Table 1, the fraction of diesel generator failures which are potentially common cause contributors because they are due to human error, design error, or procedural deficiency. These fractions are denoted, respectively, by $\beta_H$, $\beta_D$, and $\beta_P$, and averaged over all plants, are given as
$$\beta_H = 38/240, \quad \beta_D = 31/240, \quad \beta_P = 11/240$$
Azarm et al. (Reference 12) also give, from their study of diesel generator failures, probabilities $P_H(2/1)$, $P_D(2/1)$, and $P_P(2/1)$ for the respective probabilities that a hardware, design, or procedural error which could potentially cause the failure of two diesel generators, given that one diesel generator failed from this cause, actually does fail the second diesel generator. Thus the probability that, e.g., DG1A fails given that DG1B has failed, would be given by
$$\beta' = \beta_H P_H(2/1) + \beta_D P_D(2/1) + \beta_P P_P(2/1)$$
The values of $P_H(2/1)$, etc., averaged over all plants, are given in Reference 12 as
$$P_H(2/1) = 5/38, \quad P_D(2/1) = 6/31, \quad P_P(2/1) = 2/11$$
One obtains for $\beta'$ the value $\beta' = 13/240 = .054$.
Two diesel generators might also fail from independent causes. Thus, according to this model, if the probability of one diesel generator failing is $P_1$,
$$\mathrm{pr}\{\text{DG1A and DG1B fail}\} = (1-\beta')^2 P_1^2 + \beta' P_1 = (.946)^2 (.017)^2 + (.054)(.017) = 1.2\times10^{-3},$$
where the values $P_1 = .017$ and $\beta' = .054$ have been used in accordance with the above discussion. However, allowance should also be made for diesel generator common mode failures not revealed by testing, so that we will use for the simultaneous failure of two diesel generators the probability $1.7\times10^{-3}$. Simultaneous unavailability of two diesel generators could be either due to a simultaneous failure of both diesel generators, or due to one diesel generator being unavailable because of test and maintenance while the other fails.
We have estimated the simultaneous failure probability as $1.7\times10^{-3}$, and the unavailability due to either the A diesel generator being under maintenance and the B generator failing, or vice-versa, as $3.4\times10^{-4}$. We, therefore, obtain $2.0\times10^{-3}$ as the probability for the simultaneous unavailability on demand of diesel generators A and B (associated with a particular unit).
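The diesel generator pair derivation above, carried through numerically as an added example (this code is not part of the report). Function and variable names are hypothetical; every input value is one quoted in the text, and the 1.7 x 10-3 figure is passed in as the report's judgment value rather than computed.

```python
from fractions import Fraction

# Values quoted in the text above.
P1 = 0.017                 # failure probability per demand of one diesel generator
Q_MAINT = 0.01             # unavailability of one generator due to test/maintenance
TESTS_DURING_MAINT = 300   # approx. tests run while another generator is in maintenance
JUDGED_PAIR_FAILURE = 1.7e-3   # report's value after allowing for untested failure modes

# Reference 12 averages: fraction of failures in each potential common cause
# class, and the probability P(2/1) that the cause also fails the second generator.
BETA = {"human": Fraction(38, 240), "design": Fraction(31, 240),
        "procedural": Fraction(11, 240)}
P_2_GIVEN_1 = {"human": Fraction(5, 38), "design": Fraction(6, 31),
               "procedural": Fraction(2, 11)}


def effective_beta(beta, p_2_given_1):
    """beta' = sum over cause classes of beta_c * P_c(2/1), kept exact."""
    if set(beta) != set(p_2_given_1):
        raise ValueError("cause classes of the two tables do not match")
    total = sum(beta[c] * p_2_given_1[c] for c in beta)
    if not 0 <= total <= 1:
        raise ValueError("beta' is not a probability")
    return total


def pair_independent(p1):
    """Both generators fail on demand from independent causes."""
    return p1 ** 2


def pair_one_in_maintenance(p1, q_maint):
    """A in maintenance and B fails, or vice versa."""
    return 2 * p1 * q_maint


def pair_common_mode(p1, beta_prime):
    """Model used in the text: (1 - beta')^2 * P1^2 + beta' * P1."""
    b = float(beta_prime)
    return (1 - b) ** 2 * p1 ** 2 + b * p1


def pair_unavailable(simultaneous_failure, p1, q_maint):
    """Simultaneous failure plus the maintenance contribution."""
    return simultaneous_failure + pair_one_in_maintenance(p1, q_maint)


def derivation():
    """Return each intermediate result of the derivation as a dict."""
    beta_prime = effective_beta(BETA, P_2_GIVEN_1)
    return {
        "beta_prime": beta_prime,
        "independent": pair_independent(P1),
        "one_in_maintenance": pair_one_in_maintenance(P1, Q_MAINT),
        "no_common_mode_total": pair_independent(P1)
                                + pair_one_in_maintenance(P1, Q_MAINT),
        "common_mode_model": pair_common_mode(P1, beta_prime),
        "pair_unavailable": pair_unavailable(JUDGED_PAIR_FAILURE, P1, Q_MAINT),
        # Consistency check from the text: failures expected in ~300 tests.
        "expected_failures": TESTS_DURING_MAINT * P1,
    }


if __name__ == "__main__":
    for name, value in derivation().items():
        print(f"{name:22s} {float(value):.3e}")
```

The common cause term beta' * P1 is larger than the independent term P1^2 in this model, which is why the pair estimate sits well above the 10-4 value used in the OPS study.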
For the probability that DG0 is unavailable, given that the A and B diesel generators are unavailable, we estimate 0.3.
From the paper by Azarm et al., one would estimate (from sparse data) a somewhat higher probability of a third diesel generator failing, given that two have failed. However, the loads on DG0 are somewhat different than those on the A and B diesel generators. Moreover, extensive maintenance on DG0 may occur, e.g., during a refueling outage of the other Zion unit from the one under consideration.
These factors reduce the coupling between the DG0 generator and the A and B diesel generators, and lead to our estimate of .3 for the probability of unavailability of DG0, given that A and B have failed.
If it is found that "feed and bleed" with one charging pump would be adequate to cool the core, then operability of DG0 would mean that core melt could be averted. Moreover, operability of DG0 means that one containment fan cooler and one containment spray pump would have electric power available. The availability of containment spray aids in fission product removal from the containment atmosphere.
2.1.2.3 Repair Time for Loss of Offsite Power
Information received from Ray Scholl at the Nuclear Regulatory Commission (Reference 5) was used to estimate the probability that one line of offsite power would not be restored within 3/4 hour after a total loss of offsite power event, and was also used to estimate the probability that it would not be restored within three hours. The event M corresponds to nonrestoration of offsite power within 3/4 hour, and the event B' corresponds to nonrestoration of offsite electric power within three hours.
In this study, we are not giving credit for repair of the diesel generators. The data obtained from Scholl (Reference 5) came from a survey of nuclear power plants. However, not all nuclear power plants responded to the survey request, and those that did respond did not always give the length of time to partial restoration of offsite power. What we did to obtain estimates of pr{M} and pr{B'} is described below.
If neither time to partial restoration of offsite power, nor time to total restoration of offsite power was given, then the data point was discarded.
If time to total restoration of offsite power was given, but not time for partial restoration of offsite power, then the time for partial restoration of offsite power was assumed equal to the time for total restoration of offsite power. There were 70 total loss of offsite power events for which the time to total or partial recovery of offsite power was given. From the data, the probability of failure to partially recover offsite power in 3/4 hour was estimated as .47, and the probability of failure to partially recover offsite power in 3 hours was .25.
That is,
pr{M} = .47
pr{B'} = .25
Thus the probability of a three hour loss of offsite power, given that a 3/4 hour loss has occurred, is pr{B'|M} = .25/.47 = .53.
The value of pr{M} = .47 is greater than the value of .2 used in the Reactor Safety Study, but the probability of a three hour loss of offsite power given that a one hour loss of offsite power occurred is just about the same as the .5 value used in the Reactor Safety Study. One possible reason for the larger value of pr{M} which we obtained is that the Reactor Safety Study used repair times for all loss of offsite power events, not just total loss of offsite power events, and total loss of offsite power events may be such as to require longer repair times (on the average) than partial loss of offsite power. For example, a severe weather condition may cause a greater fraction of total loss of offsite power events, and the repair time for a line outage due to severe weather conditions may be relatively long.
2.1.2.4 Turbine-driven Auxiliary Feedwater Pump Failure Probability
The OPS report (Reference 2) uses 1.8x10^-2/demand for the probability of failure of the turbine-driven auxiliary feedwater pump. From Reference 7, it is seen that there were 12 failures per 281 starts, which gives a failure probability per demand of 4.3x10^-2. However, it is argued that seven of the twelve failures have been traced to a problem with the overspeed trip mechanism, and it is intended to replace it. Evidently, the OPS report obtained its failure rate by excluding the failures associated with the overspeed mechanism, so that the failure probability estimate was 5/281 = 1.8x10^-2/demand. However, although future testing may show an improved failure probability for the turbine-driven auxiliary feedwater pump, we believe that it is premature to give credit for this before testing verifies the improved failure probability.
Moreover, the test and maintenance contribution to the turbine auxiliary feedwater pump unavailability has not been included. Using the Reactor Safety Study test and maintenance contribution of 7.8x10^-3, one obtains an unavailability of 4.3x10^-2 + 7.8x10^-3 = .051.
2.1.2.5 Accident Sequence Probabilities - Loss of Offsite Power Initiator
The data developed above gave us:
pr{T} = .1/reactor-yr (expected frequency of loss of offsite power)
pr{M} = .47 (probability of nonrecovery of offsite power in 3/4 hr)
pr{L} = .051 (probability of failure of the turbine-driven auxiliary feedwater pump)
pr{B} = .002 (probability of simultaneous unavailability on demand of the A and B diesel generators)
pr{B'|M} = .53 (probability of a 3 hour loss of offsite power, given that a 3/4 hr loss has occurred)
pr{B"|M} = .47 (probability offsite power is recovered within 3 hours, given that a 3/4 hr loss has occurred)
pr{B5} = 10^-4 (probability all five diesel generators are unavailable on demand)
pr{M'B'} = pr{B'} = .25 (probability of a 3 hour loss of offsite power, given that a loss has occurred)
pr{Bo|B} = .3 (probability DGO is unavailable on demand, given that the A and B generators are unavailable)
pr{B̄o|B} = .7 (probability DGO is available on demand, given that the A and B generators are unavailable)
For the probabilities of the four accident sequences discussed in Section 2.1.1 we obtain
pr{TMLBB'Bo} = pr{T} pr{M} pr{L} pr{B} pr{B'|M} pr{Bo|B} = 7.6x10^-7/reactor-yr
Similarly,
pr{TMLBB'B̄o} = 1.8x10^-6/reactor-yr
pr{TMLBB"} = pr{T} pr{M} pr{L} pr{B} pr{B"|M} = 2.3x10^-6/reactor-yr
Finally, for the sequence TM'B5B', which involves reactor coolant pump seal failure, one obtains
pr{TM'B5B'} = pr{T} pr{B5} pr{M'B'} = 2.5x10^-6/reactor-yr
2.1.2.6 Containment Failure Mode Probabilities - Loss of Offsite Power Initiated Accident Sequences
The five different containment failure modes considered in the Reactor Safety Study are:
α: Vessel steam explosion
β: Containment leakage
γ: Overpressure by hydrogen burning
δ: Overpressure, not by hydrogen burning
ε: Containment mat melt-through
The OPS study (Reference 2) used, for loss-of-offsite power initiated accident sequences, a probability of 10^-4 for the reactor vessel steam explosion mode of containment failure. This value for the probability was based on studies at Argonne National Laboratory and Sandia National Laboratories. An assessment of this failure probability is not within the scope of this report. The probability of 10^-4 will nevertheless be used since it represents current state-of-the-art thinking.
The sequence which we designate TMLBB'Bo, and denoted by TMLBB' in the OPS study, was assigned, in the OPS study, containment failure mode probabilities of .24, .56, and .2 for the γ, δ, and ε failure modes, respectively. These values come from the Reactor Safety Study and will be used in our evaluation as well. We will also use these containment failure mode probabilities for the sequence TMLBB'B̄o, neglecting any change in containment failure mode probabilities which could be caused by the operation of the single containment spray and containment fan cooler.
For the TMLBB" sequence, containment failure by hydrogen burning (mode γ) was assigned (in the OPS study) a probability of .24, and containment failure by melt-through (mode ε) was given a probability of .76. We will use these probabilities as well.
The preliminary calculations of the accident sequence TM'B5B', which involves reactor coolant pump seal failure, by MARCH (W. T. Pratt, private communication) indicate the potential for a hydrogen burn before reactor vessel melt-through, under certain conditions. The Zion units have a containment spray pump operated by a dedicated diesel. This diesel is dependent on service water for cooling, and since service water requires AC power, is dependent on AC power for cooling. If all five diesel generators fail on a loss of offsite power transient, then the dedicated diesel-driven spray pump may fail after a short time. The MARCH calculations indicate, however, that if the spray lasts for two hours a hydrogen burn in containment will take place, with potential for containment failure. If, however, the spray lasts only one-half hour, MARCH does not predict a hydrogen burn. There are, however, considerable uncertainties in the MARCH calculation. For the purposes of the present study, we have therefore assumed an 80% chance of containment failure by overpressure (either mode γ or δ) for this accident sequence, and a 20% chance of containment failure by containment mat melt-through.
2.1.2.7 Release Category Probabilities - Accident Sequences Initiated by Loss of Offsite Power
Sequences in which containment failure results from overpressure (either γ or δ) and in which containment fission product removal systems are not functioning are placed in release category 2 in both the Reactor Safety Study and the OPS study (Reference 2). Sequences in which containment failure results from overpressure (γ or δ) but in which containment fission product removal systems are operating are placed in category 5 in the OPS study (Reference 2), but are placed in category 3 or 7 in the Reactor Safety Study, depending on whether containment failure precedes reactor vessel failure, or vice-versa. We shall follow the OPS study, but without any analysis. Thus, it is possible that accident sequences with considerably different releases will be placed in the same release category. The vessel steam explosion containment failure mode (α) leads to release category 1 if containment fission product systems are not working, and to release category 3 if they are working. However, the vessel steam explosion containment failure mode is so improbable that it will be neglected here. The containment failure mode of melt-through (ε) leads to release category 7 if containment fission product systems are not working, and otherwise leads to release category 6.
The sequence TMLBB'B̄o, with containment failure by overpressure, is assigned, on the basis of the above remarks, to release category 5 if containment failure is by overpressure and to release category 7 if containment failure is by containment mat melt-through. From Section 2.1.2.6, the probability of containment failure by overpressure (either mode γ or δ) for this sequence is .8, and is .2 for containment mat melt-through. Since, from Section 2.1.2.5 on accident sequence probabilities,
pr{TMLBB'B̄o} = 1.8x10^-6/reactor-yr,
we have
pr{TMLBB'B̄o - γ or δ} = (1.8x10^-6 x .8)/reactor-yr = 1.4x10^-6/reactor-yr,
and this probability is assigned to release category 5. The probability contribution to release category 7 from this sequence is
pr{TMLBB'B̄o - ε} = (1.8x10^-6 x .2)/reactor-yr = 3.6x10^-7/reactor-yr.
The sequence TMLBB'Bo, with containment failure by overpressure, is assigned to release category 2 if containment failure is by overpressure and to release category 6 if containment failure is by melt-through. (We are not giving credit for the dedicated-diesel-containment-spray pump because it will operate for a maximum of two hours, and its efficacy under these circumstances is not known). The probability contribution of this accident sequence to release category 2 is
pr{TMLBB'Bo - γ or δ} = (7.6x10^-7 x .8)/reactor-yr = 6.1x10^-7/reactor-yr,
while the contribution of this accident sequence to release category 6 is
pr{TMLBB'Bo - ε} = (7.6x10^-7 x .2)/reactor-yr = 1.5x10^-7/reactor-yr.
The sequence TMLBB" leads to a category 5 release if containment failure is by overpressure, and to a category 7 release if containment failure is by containment mat melt-through. The probability contribution of this accident sequence to release category 5 is
pr{TMLBB" - γ} = (2.3x10^-6 x .24)/reactor-yr = 5.5x10^-7/reactor-yr,
and the probability contribution to release category 7 is
pr{TMLBB" - ε} = (2.3x10^-6 x .76)/reactor-yr = 1.7x10^-6/reactor-yr.
The sequence TM'B5B' is assigned to release category 2 if containment failure is by overpressure and to release category 6 if containment failure is by containment mat melt-through. The probability contribution of this accident sequence to release category 2 is
pr{TM'B5B' - γ or δ} = (2.5x10^-6 x .8)/reactor-yr = 2x10^-6/reactor-yr,
while its contribution to release category 6 is
pr{TM'B5B' - ε} = (2.5x10^-6 x .2)/reactor-yr = 5x10^-7/reactor-yr.
The results for the loss of offsite power initiator are summarized in Table 1.
2.2 Loss of Main Feedwater Initiating Event
2.2.1 Qualitative Analysis
If a loss of main feedwater event, followed by failure-to-start of the Auxiliary Feedwater System (AFWS) occurs, and if the main feedwater system (and AFWS) fails to start and supply water to the steam generators in a period of 1/2 to 1 hour, then the Reactor Safety Study (Reference 1) assumed that core melt would occur. It is possible in fact that this is not the case, but that the reactor core can be cooled by the "feed and bleed" option where the charging pumps are used in conjunction with the pressurizer relief valves. There is, however, some doubt as to the adequacy of this method of core cooling, because of uncertainties in the two-phase flow rate through the pressurizer relief valves. Because of this, the loss of main feedwater initiator will be analyzed on the assumption that the "feed and bleed" method of core cooling is inadequate; it should be kept clearly in mind, however, that this assumption has been made.
2.2.2 Quantitative Analysis
According to the Reactor Safety Study (Reference 2, Appendix V) there are approximately 3 losses of main feedwater per year. However, only 1% of the losses of main feedwater are expected to continue for 1/2 to 1 hour. Denote by T' the event of loss of main feedwater which is not recovered within a period of 1/2 to 1 hour. Then,
pr{T'} = 3/reactor-yr x .01 = .03/reactor-yr.
TABLE 1: Contribution of Accident Sequences to the Probability (Per Reactor-yr) of a Release in Each Release Category, for Accident Sequences Initiated by Loss of Offsite Power

Probability contribution (per reactor-yr) to each release category:

| Sequence | Category 2 | Category 5 | Category 6 | Category 7 |
|---|---|---|---|---|
| TMLBB'B̄o | | 1.4x10^-6 | | 3.6x10^-7 |
| TMLBB'Bo | 6.1x10^-7 | | 1.5x10^-7 | |
| TMLBB" | | 5.5x10^-7 | | 1.7x10^-6 |
| TM'B5B'* | 2.0x10^-6 | | 5.0x10^-7 | |

* Involves reactor coolant pump seal failure.
The auxiliary feedwater system for a Zion unit will be assumed to have approximately the same reliability as that of the Surry plant analyzed in the Reactor Safety Study. Deficiencies found in the design of the Zion auxiliary feedwater system (Reference 8) are being corrected (Reference 9) so this is probably not too bad an assumption. Accordingly, we estimate the probability of failure of the auxiliary feedwater system as that given in the Reactor Safety Study, or 3.7x10^-5 per demand. If this failure event is denoted by L', then
pr{T'L'} = .03/reactor-yr x 3.7x10^-5 = 1x10^-6/reactor-yr.
Thus, under the assumption that "feed and bleed" is not sufficient to prevent core melt, the probability of core melt due to the loss-of-main-feedwater sequence is 1x10^-6/reactor-yr.
2.2.3 Containment Failure Mode Probabilities - Loss of Main Feedwater Initiator
For the T'L' sequence, electric power is available for the containment pressure suppression systems. Thus, without additional independent failures, which would reduce the probability of the sequence, the dominant containment failure mode is assumed to be containment mat melt-through (mode ε). Following the OPS study (Reference 2), we assign a probability of .1 for the overpressure by hydrogen burning mode of containment failure (mode γ).
2.2.4 Release Category Probabilities - Loss of Main Feedwater Initiator
Whether release occurs by overpressure (mode γ) or by melt-through (mode ε), the containment fission product removal systems are operating in the T'L' sequence and consequently the release is in category 5 if containment failure is by overpressure and in category 7 if containment failure is by melt-through. Thus, the probability of a release in category 5, due to an accident sequence initiated by loss of main feedwater, is
pr{T'L' - γ} = pr{T'L'} pr{γ|T'L'} = 1x10^-6/reactor-yr x .1 = 1x10^-7/reactor-yr,
while the probability of a release in category 7, due to an accident sequence initiated by loss of main feedwater, is
pr{T'L' - ε} = 1x10^-6/reactor-yr x .9 = 9x10^-7/reactor-yr.
2.3 Small Loss of Coolant Accidents
2.3.1 General Remarks
Small Loss of Coolant initiating events are divided into two classes - pipe breaks between 2 and 6 inches in diameter (event S1) and pipe breaks of 1/2 inch to 2 inches in diameter (event S2).
For pipe breaks in the class S1, successful Emergency Coolant Injection (ECI) requires, according to the OPS study (Reference 2), that flow be provided from the accumulator in each intact loop and from any two pumps out of the four pump set consisting of the centrifugal charging pumps and the high head safety injection pumps. The system including these pumps is called the High Pressure Injection System (HPIS).
In order to prevent core melt, one must also have successful Emergency Coolant Recirculation (ECR). This requires, for the initiating event S1, that the High Pressure Recirculation System (HPRS) operate successfully. The HPRS consists of components of the Low Pressure Recirculation System (LPRS) and of the HPIS. The HPIS pumps take suction from the LPRS pumps (the Residual Heat Removal System pumps) which in turn take suction from the containment sump.
The Containment Spray Recirculation System (CSRS) takes suction from the LPRS. Thus, it is possible for certain failures in the LPRS to fail both ECR and CSRS. The sequences involving the initiating event S1 which were considered important are:
S1D - D represents failure of the ECI system
S1H - H represents failure of the ECR system
S1HF - F represents failure of the CSRS system
Similarly, the sequences involving the initiating event S2 which are considered important are S2D', S2H, and S2HF. The event D' represents failure of ECI given the event S2. Given S2, the loop accumulators do not need to function for ECI mission success; the requirements on HPIS are the same as for the initiating event S1.
The CSRS fulfills both a fission product removal function and a containment pressure suppression function. However, the OPS study (Reference 2) states that, as far as pressure suppression is concerned, the containment fan coolers are redundant to the CSRS. A problem arises, however, with the environmental qualification of the fan coolers, since they do not appear to be qualified for a post core-melt environment with failed containment sprays. The containment would then be filled with particulates, and one should take into account an increased probability of failure of the fan coolers under such conditions. There is also a potential for fan cooler failure (prior to vessel melt-through) as a result of a hydrogen burn in the containment building. This means that the probability of containment failure by overpressure may be considerably higher for the S1HF and S2HF sequences than that assumed in the OPS study (Reference 2).
However, we concur with OPS that for the Zion Plant, the fan coolers would prevent the sequence S2C from being dominant since they will prevent containment failure by overpressure. The S2C sequence, a dominant sequence in the Reactor Safety Study, consists of a small pipe break in a region for which there is inadequate flow of water to the containment sump coupled with failure of containment spray injection.
Another major difference in our treatment of the accident sequences initiated by S1 and S2 from that of the OPS study (Reference 2) is in the calculation of the unavailability of the HPIS. In the OPS study (Reference 2), an attempt was made to derive a single pump failure probability from the Reactor Safety Study unavailability for the Surry HPIS. Since, for the Surry HPIS, two out of three HPIS pumps were required to operate for mission success, a single pump failure probability p was derived by
3p^2 = Reactor Safety Study probability of two out of three charging pumps being unavailable.
This is an oversimplification. The Reactor Safety Study unavailability for two out of three charging pumps involved failure-to-start contributions, maintenance unavailability contributions, and failure of an operating charging pump to continue running. If one uses the Reactor Safety Study values for failure-to-start and maintenance unavailability for an individual pump and combines the failures in the correct logical fashion for the Zion HPIS system, one gets a different answer.
We also estimate the contribution of common mode failures to the unavailability of the HPIS and that part of LPRS common to both ECR and CSRS.
2.3.2 HPIS Unavailability
2.3.2.1 Qualitative Analysis of the HPIS
A flow diagram for the HPIS is given in Figure 1 (taken from the OPS study, Reference 2). The requirements for mission success are that flow must be delivered from any two of the four pump sets consisting of the two Centrifugal Charging Pumps (CCP) and the two High Head Safety Injection Pumps (HHSIP).
[FIGURE 1: HPIS Flow Diagram]
In normal operation, the positive displacement charging pump is used, for the most part, and the two centrifugal charging pumps are not in operation (Reference 10). This differs from the Surry configuration where, of the three pumps used in the HPIS, one of them would be operating (and therefore not subject to the failure-to-start mode of failure).
Not more than one of the six pumps consisting of the four HPIS pumps and the two LPRS pumps (i.e., the two residual heat removal pumps) may be out of service for maintenance at a given time.
Referring to Figure 1, adopt the convention that a component label with a box around it refers to the unavailability of that component (on demand). For example, $\boxed{V1}$ refers to the event that valve V1 is failed. Then, define the events $A, B_1, B_2, B_3, B_4, C, D, E$ by the Boolean equations,
$$A = \boxed{V1}\cdot\boxed{V2} + \boxed{V3} \tag{1}$$
$$B_1 = \boxed{\text{CCP \#1}} + \boxed{V4} \tag{2}$$
$$B_2 = \boxed{\text{CCP \#2}} + \boxed{V5} \tag{3}$$
$$B_3 = \boxed{V13} + \boxed{\text{HHSIP \#1}} + \boxed{V15} + \boxed{V17} \tag{4}$$
$$B_4 = \boxed{V14} + \boxed{\text{HHSIP \#2}} + \boxed{V16} + \boxed{V18} \tag{5}$$
$$C = \boxed{V6}\cdot\boxed{V7} + \boxed{\text{BIT}} + \boxed{V8}\cdot\boxed{V9} + \boxed{V10} \tag{6}$$
$$D = \boxed{V11} + \boxed{V12} \tag{7}$$
$$E = \boxed{V19} \tag{8}$$
Furthermore, decompose $B_1$ into two parts, corresponding to whether the unavailability of the components associated with $B_1$ are true failures, or whether the unavailability is due to maintenance on CCP #1:
$$B_1 = B_1^F + B_1^M, \tag{9}$$
where the superscript F refers to component failure and M to maintenance. Similarly define $B_j^F$, $B_j^M$, $j = 2, 3, 4$.
Furthermore, define
$$P_1 = A + B_1 + C \tag{10}$$
$$P_2 = A + B_2 + C \tag{11}$$
$$P_3 = D + B_3 + E \tag{12}$$
$$P_4 = D + B_4 + E \tag{13}$$
Here $P_1$, e.g., represents the event that there is no flow from CCP #1.
The event G that the HPIS is unavailable on demand is then given by
$$G = P_1P_2P_3 + P_1P_2P_4 + P_1P_3P_4 + P_2P_3P_4, \tag{14}$$
since no flow from any three HPIS pumps fails the system.
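Substituting Eqs. (10) through (13) into Eq. (14), and using $B_j = B_j^F + B_j^M$, one obtains a Boolean expression for G which can be simplified using the rules of Boolean algebra and using the fact that
$$B_j^M B_k^M = 0, \quad j \neq k, \tag{15}$$
since no two pumps can be down for maintenance simultaneously. The result is
$$\begin{aligned}
G ={}& (A + C)(D + E) + (A + C)(B_3^F + B_3^M + B_4^F + B_4^M) + (D + E)(B_1^F + B_1^M + B_2^F + B_2^M) \\
&+ B_1^F B_2^F B_3^F + B_1^F B_2^F B_3^M + B_1^F B_2^M B_3^F + B_1^M B_2^F B_3^F \\
&+ B_1^F B_2^F B_4^F + B_1^F B_2^F B_4^M + B_1^F B_2^M B_4^F + B_1^M B_2^F B_4^F \\
&+ B_1^F B_3^F B_4^F + B_1^F B_3^F B_4^M + B_1^F B_3^M B_4^F + B_1^M B_3^F B_4^F \\
&+ B_2^F B_3^F B_4^F + B_2^F B_3^F B_4^M + B_2^F B_3^M B_4^F + B_2^M B_3^F B_4^F
\end{aligned} \tag{16}$$
2.3.2.2 Quantitative Analysis of the HPIS
If we neglect the possibility of common cause failure of the HPIS pumps, then
$$\begin{aligned}
\mathrm{pr}\{G\} ={}& (q_A + q_C)(q_D + q_E) + 2(q_A + q_C)(q_{3F} + q_M) + 2(q_D + q_E)(q_{1F} + q_M) \\
&+ 2q_{1F}^2 q_M + 2q_{3F}^2 q_M + 8q_{1F}q_{3F}q_M + 2q_{1F}^2 q_{3F} + 2q_{1F}q_{3F}^2
\end{aligned} \tag{17}$$
where
$$q_A = \mathrm{pr}\{A\} \tag{18}$$
$$q_C = \mathrm{pr}\{C\} \tag{19}$$
$$q_D = \mathrm{pr}\{D\} \tag{20}$$
$$q_E = \mathrm{pr}\{E\} \tag{21}$$
$$q_{1F} = \mathrm{pr}\{B_1^F\} = \mathrm{pr}\{B_2^F\} \tag{22}$$
$$q_{3F} = \mathrm{pr}\{B_3^F\} = \mathrm{pr}\{B_4^F\} \tag{23}$$
$$q_M = \mathrm{pr}\{B_1^M\} = \mathrm{pr}\{B_2^M\} = \mathrm{pr}\{B_3^M\} = \mathrm{pr}\{B_4^M\} \tag{24}$$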
In deriving Eq. (17) from Eq. (16), the unavailability of a HHSIP due to maintenance was assumed equal to that of a CCP.
Using the Reactor Safety Study failure data given on p. 300 of Appendix II of Reference 2,
$$\mathrm{pr}\{\text{pump FTS}\} = 2.5\times10^{-2} \tag{25}$$
where FTS means "fails to start", and
$$q_M = \mathrm{pr}\{\text{1 pump is out for maintenance}\} = 5.7\times10^{-2} \tag{26}$$
From Eq. (2),
$$q_{1F} = \mathrm{pr}\{B_1^F\} = \mathrm{pr}\{\boxed{\text{CCP \#1 FTS}}\} + \mathrm{pr}\{\boxed{V4}\}$$
and using OPS study (Reference 2) data for $\mathrm{pr}\{\boxed{V4}\}$, and Eq. (25) for $\mathrm{pr}\{\boxed{\text{CCP \#1 FTS}}\}$, one obtains
$$q_{1F} = 2.5\times10^{-2} + 2\times10^{-4} = 2.5\times10^{-2}. \tag{27}$$
Similarly, using OPS study (Reference 2) data except for the pumps, where Eq. (25) is used, one obtains from Eqs. (1) through (8),
$$q_{3F} = \mathrm{pr}\{B_3^F\} = 1.3\times10^{-3} + 2.5\times10^{-2} + 2\times10^{-4} + 1.3\times10^{-3} = 2.8\times10^{-2} \tag{28}$$
$$q_A = (3.2\times10^{-2})^2 + 2\times10^{-4} = 1.2\times10^{-3} \tag{29}$$
$$q_C = 2.4\times10^{-3} \tag{30}$$
$q_D$ = [illegible]
$$q_E = 1.3\times10^{-3} \tag{32}$$
Using the numerical values given in Eqs. (26) through (32) in Eq. (17) one obtains
$$\mathrm{pr}\{G\} = 1.6\times10^{-3} \quad \text{(without common mode failures)}. \tag{33}$$
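The reduction from Eq. (14) to Eqs. (16) and (17) can be checked mechanically by enumerating minimal cut sets. The following is an added example, not code from the report or from the OPS study: it builds the cut sets from Eqs. (9) through (15), sums them in the rare-event approximation, and compares the result with the closed form of Eq. (17). The value of q_D is not legible on this page, so 1.3x10^-3 is an assumed value; with it the result rounds to the 1.6x10^-3 of Eq. (33).

```python
from collections import Counter
from itertools import combinations, product
from math import isclose, prod

# Basic events that give "no flow from pump j", Eqs. (10)-(13), with each B_j
# split into a true-failure part (F) and a maintenance part (M), Eq. (9).
NO_FLOW = {
    "P1": ("A", "C", "B1F", "B1M"),  # CCP #1
    "P2": ("A", "C", "B2F", "B2M"),  # CCP #2
    "P3": ("D", "E", "B3F", "B3M"),  # HHSIP #1
    "P4": ("D", "E", "B4F", "B4M"),  # HHSIP #2
}

# Point estimates from Eqs. (26)-(32). "D" is an ASSUMED value: q_D is not
# legible on the page.
Q = {
    "A": 1.2e-3, "C": 2.4e-3, "D": 1.3e-3, "E": 1.3e-3,
    "B1F": 2.5e-2, "B2F": 2.5e-2,          # q_1F, Eq. (27)
    "B3F": 2.8e-2, "B4F": 2.8e-2,          # q_3F, Eq. (28)
    "B1M": 5.7e-2, "B2M": 5.7e-2, "B3M": 5.7e-2, "B4M": 5.7e-2,  # q_M
}


def minimal_cut_sets(no_flow=NO_FLOW, pumps_lost=3):
    """Minimal cut sets of G: loss of flow from any `pumps_lost` pumps, Eq. (14)."""
    cuts = set()
    for pumps in combinations(no_flow, pumps_lost):
        # One basic event per lost pump; shared events (A, C, D, E) collapse.
        for choice in product(*(no_flow[p] for p in pumps)):
            cut = frozenset(choice)
            # Eq. (15): two pumps are never in maintenance at the same time.
            if sum(event.endswith("M") for event in cut) > 1:
                continue
            cuts.add(cut)
    # Boolean absorption: drop every cut set that contains a smaller one.
    return {c for c in cuts if not any(other < c for other in cuts)}


def order_counts(cut_sets):
    """Number of minimal cut sets of each order (size)."""
    return dict(Counter(len(c) for c in cut_sets))


def rare_event_sum(cut_sets, q):
    """Rare-event approximation: sum of the cut-set probabilities."""
    return sum(prod(q[event] for event in cut) for cut in cut_sets)


def eq17(q):
    """Closed form of Eq. (17), using the symmetries of Eqs. (22)-(24)."""
    qa, qc, qd, qe = q["A"], q["C"], q["D"], q["E"]
    q1, q3, qm = q["B1F"], q["B3F"], q["B1M"]
    return ((qa + qc) * (qd + qe)
            + 2 * (qa + qc) * (q3 + qm)
            + 2 * (qd + qe) * (q1 + qm)
            + 2 * q1**2 * qm + 2 * q3**2 * qm + 8 * q1 * q3 * qm
            + 2 * q1**2 * q3 + 2 * q1 * q3**2)


if __name__ == "__main__":
    cuts = minimal_cut_sets()
    print("minimal cut sets by order:", order_counts(cuts))
    print("pr{G}, cut-set sum: %.3e" % rare_event_sum(cuts, Q))
    print("pr{G}, Eq. (17):    %.3e" % eq17(Q))
```

The 20 second-order cut sets are the first three groups of terms in Eq. (16), and the 16 third-order cut sets are its triple products.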
It is interesting to try to estimate the effect of common-mode failure in the HPIS, using the β-factor method of Fleming (Reference 11). As remarked in Reference 11, common mode failures may arise from commonalities of design, manufacture, operating specifications, operating environments, or human-equipment interactions. Fleming (Reference 11) has observed that the proportion of all component failures which are common mode (i.e., the β value) is very nearly constant, and ranges from about .1 to about .2, for a number of diverse equipment types. Although the failure probabilities for these diverse equipment types may vary over several orders of magnitude, the β values exhibit little variation. The β value for a pump failing to start is given as .14 in Reference 11, and the β value for a valve failing to open or close is given as .23 in Reference 11. However, the failures being considered here do not include control circuit failures. It seems best, therefore, for our purposes, to use an average β value of .15 for both pumps and valves.
We couple the failures of both centrifugal charging pumps, obtaining, to a good approximation
$$\mathrm{pr}\{B_1^F B_2^F\} \approx \beta q_{1F}. \tag{34}$$
We similarly couple both high head safety injection pumps,
$$\mathrm{pr}\{B_3^F B_4^F\} = \beta q_{3F}.$$
Failure coupling of the pair of valves V1 and V2 changes $q_A$ to
$$q_A = \beta\,\mathrm{pr}\{\boxed{V1}\} + \mathrm{pr}\{\boxed{V3}\}. \tag{36}$$
Similarly coupling of V6 with V7, and V8 with V9, changes the probability of $q_C$ to
$$q_C = \beta\left[\mathrm{pr}\{\boxed{V6}\} + \mathrm{pr}\{\boxed{V8}\}\right] + \mathrm{pr}\{\boxed{V10}\} + \mathrm{pr}\{\boxed{\text{BIT}}\}. \tag{37}$$
The expression for pr{G} obtained, when common mode failures are included, is similar to that of Eq. (17) except that $q_{1F}^2$ is replaced by $\beta q_{1F}$ in those terms containing $q_{1F}^2$, and similarly $q_{3F}^2$ is replaced by $\beta q_{3F}$. Of course, $q_A$ and $q_C$ must now be calculated from Eqs. (36) and (37) instead of Eqs. (29) and (30).
Using an average β value of .15 one obtains
$$\mathrm{pr}\{G\} = 4.8\times10^{-3} \quad \text{(common mode failures included)}. \tag{38}$$
This is to be compared to the OPS study (Reference 2) HPIS unavailability of 5.4x10^-4.
2.3.3 Accident Sequence Probabilities for S1 and S2 Initiating Events
Initiating event probabilities used are those of the Reactor Safety Study (Reference 2). The failure probability for the HPIS we will use is that including common mode failures by the β-factor method, 4.8x10^-3, as given in Section 2.3.3.
For the probability of failure of the containment fan coolers, given that core melt has occurred, and that the containment spray is failed, we will use .1. This value comes from a discussion with Perril A. Taylor of NRC, who had to make an estimate of failure of the containment fan coolers for the Indian Point units. Denote failure of the fan coolers by X. Denote by X̄ the event that the fan coolers function.
The calculation of pr{HF} will be modified from that of the OPS study (Reference 2). The dominant contribution to the probability of occurrence of the event HF occurs because of failure of that portion of the LPRS which is common to the HPRS and the CSRS (See Figure 2). This portion of the LPRS consists of two redundant legs, one leg containing (See Figure 2) components V1, P1, V3, V4, V5 and a heat exchanger, while the other contains components V2, P2, V6, V7, V8 and a heat exchanger. The failure probability of one of these legs, as given in the OPS study, is 3.6x10^-2. The OPS study treated the failures of these legs as independent, obtaining (.036)^2 = 1.3x10^-3 as the probability of the event HF. We, however, will use the β-factor method (Reference 11) of estimating the common mode failure probability of the two legs (see the brief discussion of the β-factor method in Section 2.3.2.2). Using a β-factor of .15, we obtain
pr{HF} = (.15)(.036) = 5.4x10^-3 (Hardware Contribution Only).
[FIGURE 2: HPRS Flow Diagram]
The simultaneous failure of the HPRS and CSRS could also occur by operator error. We will use the OPS study estimate for the probability of this operator error.
The accident sequence probabilities are given below:
Sequence S1D
pr{HPIS Failed} = 4.8x10^-3
pr{Accumulator Failed}* = 1.2x10^-3
pr{D} = 6.0x10^-3
pr{S1} = 3x10^-4/reactor-yr
pr{S1D} = 1.8x10^-6/reactor-yr
Sequence S1HFX̄
pr{HPRS and CSRS Failed} = 5.4x10^-3
pr{Operator Error During Injection-Recirc. Shift} = 3x10^-4
pr{HF} = 5.7x10^-3
pr{X̄} = .9
pr{S1} = 3x10^-4/reactor-yr
pr{S1HFX̄} = 1.5x10^-6/reactor-yr
Sequence S1HFX
pr{HPRS and CSRS Failed} = 5.4x10^-3
pr{Operator Error During Injection-Recirc. Shift} = 3x10^-4
pr{HF} = 5.7x10^-3
pr{X} = .1
pr{S1} = 3x10^-4/reactor-yr
pr{S1HFX} = 1.7x10^-7/reactor-yr
* See remarks about accumulator failure probability in Section 2.4.
Sequence S2D
pr{HPIS Failed} = 4.8x10^-3
pr{S2} = 1x10^-3/reactor-yr
pr{S2D} = 4.8x10^-6/reactor-yr
Sequence S2HFX̄
pr{HPRS and CSRS Failed} = 5.4x10^-3
pr{Operator Error During Injection-Recirc. Shift} = 3x10^-4
pr{HF} = 5.7x10^-3
pr{X̄} = .9
pr{S2} = 1x10^-3/reactor-yr
pr{S2HFX̄} = 5.1x10^-6/reactor-yr
Sequence S2HFX
pr{HPRS and CSRS Failed} = 5.4x10^-3
pr{Operator Error During Injection-Recirc. Shift} = 3x10^-4
pr{HF} = 5.7x10^-3
pr{X} = .1
pr{S2} = 1x10^-3/reactor-yr
pr{S2HFX} = 5.7x10^-7/reactor-yr
The probabilities of the accident sequences S1H and S2H are taken to be the same as given in the OPS study (Reference 2),
pr{S1H} = 1.2x10^-6/reactor-yr
pr{S2H} = 3.9x10^-6/reactor-yr
The accident sequences denoted by S1H and S2H actually refer to accident sequences in which the HPRS fails, but the failure is not in the portion of the LPRS common to the HPRS and the CSRS. Thus, CSRS is assumed not to fail in these accident sequences. A more logically consistent notation for these sequences would be S1HF̄ and S2HF̄, where F̄ means the event "not F". However, in order to be consistent with the notation of the OPS study, we will denote these accident sequences by S1H and S2H.
2.3.4 Containment Failure Mode Probabilities for Accident Sequences Initiated by a Small Loss of Coolant
The probability of containment failure by overpressure due to hydrogen combustion (mode γ) will be taken as .1, the value used in the OPS study (Reference 2), for all sequences initiated by small losses of coolant. We neglect the contribution of the vessel steam explosion (mode α) and the containment leakage (mode β) containment failure modes to the release probabilities. In those S1 and S2 initiated sequences in which the containment fan coolers failed (sequences S1HFX and S2HFX), the probability of containment failure by mode δ (overpressure, not due to hydrogen burning) was taken as .9, so that the probability of containment failure by overpressure (mode γ or δ) was unity. For all other sequences initiated by S1 and S2 the containment failure by containment mat melt-through is assigned a probability .9, so that the probability of containment failure by either mode γ or mode ε is unity. The containment failure mode probabilities for the various accident sequences initiated by S1 and S2 are given in Table 2.
2.3.5 Release Category Probabilities for Accident Sequences Initiated by a Small Loss of Coolant
As mentioned in Section 2.1.2.7, sequences in which containment failure is by overpressure (mode γ or δ) and containment fission product removal systems are not functioning, are placed in release Category 2, while if containment failure is by overpressure but the containment fission product removal systems are operating, the sequence is placed in release Category 5.

TABLE 2: Containment Failure Mode Probabilities for the Accident Sequences Initiated by S1 and S2

| Accident Sequence | γ | δ | ε |
|---|---|---|---|
| S1D | .1 | 0 | .9 |
| S1HFX̄ | .1 | 0 | .9 |
| S1HFX | .1 | .9 | 0 |
| S2D | .1 | 0 | .9 |
| S2HFX̄ | .1 | 0 | .9 |
| S2HFX | .1 | .9 | 0 |
| S1H | .1 | 0 | .9 |
| S2H | .1 | 0 | .9 |
Thus,
S1D-γ, S1H-γ, S2H-γ, S2D-γ are placed in release Category 5,
while
S1HFX̄-γ, S1HFX-γ, S1HFX-δ, S2HFX̄-γ, S2HFX-γ, S2HFX-δ are placed in release Category 2.
Sequences in which containment failure is by containment mat melt-through (mode ε) and containment fission product removal systems are not functioning are placed in release Category 6, while sequences in which containment failure is by mode ε but containment fission product removal systems are functioning are placed in release Category 7.
Thus,
S1D-ε, S1H-ε, S2H-ε, S2D-ε are placed in release Category 7,
while
S1HFX̄-ε, S2HFX̄-ε are placed in release Category 6.
Combining the accident sequence probabilities given in Section 2.3.3 with the containment failure mode probabilities given in Table 2, and making use of the above assignment of accident-containment-failure-mode sequences to release categories, one obtains the contributions of the S1 and S2 accident sequences to release category probabilities given in Table 3.
2.4 Accident Sequences Initiated by a Large Loss of Coolant
Our treatment of accidents initiated by a large loss of coolant differs from the OPS study in two ways:
(1) Our analysis assumes a 10% chance of failure of the containment fan coolers in those accident sequences in which core melt has occurred and the containment sprays are not working.
(2) The probability of simultaneous failure of both Emergency Coolant Recirculation (ECR) and the CSRS is calculated by the β-factor method of Reference 11. The components involved are the same as those involved in calculating the simultaneous failure of HPRS and CSRS, as given in Section 2.3.3, and the result is the same.
TABLE 3 Contribution of Accident Sequences to the Probability (Per Reactor-yr) of a Release in Each Release Category, for Accident Sequences Initiated by a Small Loss of Coolant

Probability Contribution (per reactor-yr) to each Release Category

| Accident Sequence | Category 2 | Category 5 | Category 6 | Category 7 |
|---|---|---|---|---|
| S1D | | 1.8x10^-7 | | 1.6x10^-6 |
| S1HFX̄ | 1.5x10^-7 | | 1.4x10^-6 | |
| S1HFX | 1.7x10^-7 | | | |
| S2D | | 4.8x10^-7 | | 4.3x10^-6 |
| S2HFX̄ | 5.1x10^-7 | | 4.6x10^-6 | |
| S2HFX | 5.7x10^-7 | | | |
| S1H | | 1.2x10^-7 | | 1.1x10^-6 |
| S2H | | 3.9x10^-7 | | 3.5x10^-6 |

The large pipe break consists of a reactor coolant system pipe break greater than 6 inches. This event is denoted by A, and its probability, taken from the Reactor Safety Study, is 1x10^-4/yr.
In order to prevent core melt, given event A, Emergency Coolant Injection (ECI) must operate. Event D refers to failure of ECI. Successful ECI requires that the accumulators in each intact loop operate and that flow be provided from at least one residual heat removal (RHR) pump. The RHR pumps are here part of the Low Pressure Injection System (LPIS). The failure probability for the LPIS used in the OPS study was taken from the Reactor Safety Study and we will use the same value. The failure probability of the accumulator system was calculated in the OPS study by converting the one-out-of-two system for the Reactor Safety Study 3 loop plant to the one-out-of-three system corresponding to the 4 loop Zion unit. We will use the OPS value for the failure probability of the accumulators.
Moreover, successful Emergency Coolant Recirculation (ECR) must occur. Event H denotes failure of ECR. Successful ECR requires flow from at least one RHR pump taking suction from the containment sump. Failure of CSRS is denoted by F.
From Section 2.3.3, pr {HF} = 5.4x10^-3 (hardware failures only). We will use the operator error contribution of 1x10^-3 for simultaneous failure of ECR and CSRS during a large LOCA. Both the Reactor Safety Study and the OPS study used this value.
The probabilities for sequences AD and AH are calculated to be unchanged from those of the OPS study (Reference 2), and are

pr {AD} = 5.4x10^-7/reactor-yr
pr {AH} = 2x10^-8/reactor-yr

For the sequence AHF we obtain

pr {ECR, CSRS also Failed} = 5.4x10^-3
pr {Operator Error During Recirc. Shift} = 3x10^-3
pr {HF} = 8.4x10^-3
pr {A} = 1x10^-4/reactor-yr
pr {AHF} = 8.4x10^-7/reactor-yr

In order to make allowance for failure of the containment fan coolers (failure event X) we subdivide the sequence AHF into the sequence AHFX, where the fan coolers are not functioning, and AHFX̄, where the fan coolers are functioning. Since we are assuming pr {X|AHF} = .1, we obtain

pr {AHFX} = 8.4x10^-8/reactor-yr

and

pr {AHFX̄} = 7.6x10^-7/reactor-yr

We again assign a probability of .1 for containment failure by the hydrogen burning overpressure mode (mode γ), for all of these sequences. For the sequence AHFX, where the containment fan coolers are not working, the probability of containment failure by the overpressure mode δ is estimated as .9, so that there is unity probability of containment failure by overpressure for the sequence AHFX. For the sequences AH, AD, AHFX̄ the probability of containment failure by the mode δ is taken as zero and the probability of containment failure by mode ε is taken as .9.
Sequences containing an F which fail the containment by overpressure are assigned to release Category 2, while sequences containing an F which fail the containment by containment mat melt-through (mode ε) are assigned to release Category 6, since the event F implies failure of the containment fission product removal function. Making use of the accident sequence probabilities for the sequences AD, AH, AHFX̄, AHFX, the containment failure mode probabilities, and the assignment of combinations of accident sequences and containment failure modes to release categories, we obtain the release category probabilities given in Table 4, for accident sequences initiated by a large loss of coolant.
TABLE 4 Contribution of Accident Sequences to the Probability (Per Reactor-yr) of a Release in Each Release Category, for Accident Sequences Initiated by a Large Loss of Coolant

Probability Contribution (per reactor-yr) to each Release Category

| Accident Sequence | Category 2 | Category 5 | Category 6 | Category 7 |
|---|---|---|---|---|
| AD | | 5x10^-8 | | 5x10^-7 |
| AH | | 2x10^-9 | | 2x10^-8 |
| AHFX̄ | 8x10^-8 | | 7x10^-7 | |
| AHFX | 8x10^-8 | | | |

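The propagation described in Section 2.4, from sequence frequency through containment failure mode to release category, can be carried through in a few lines. The following is an added example, not code from the report: all identifiers are assumptions (including the spelling "AHFXbar" for the fan-coolers-working branch), the numbers are those quoted in the text, and the operator error term is the 3x10^-3 used in the itemized sum for pr {HF}. Rounded to one significant figure, the output matches the Table 4 entries.

```python
from collections import defaultdict

# Inputs quoted from Section 2.4 (per reactor-yr where a frequency).
P_A = 1e-4              # large LOCA initiating event A
P_HF_HARDWARE = 5.4e-3  # ECR and CSRS both fail, hardware only
P_HF_OPERATOR = 3e-3    # operator error term in the itemized sum
P_X_GIVEN_AHF = 0.1     # fan coolers fail (X), given AHF

# Containment failure mode probabilities for each sequence.
# "AHFXbar" is an assumed spelling for AHF with fan coolers working.
MODES = {
    "AD":      {"gamma": 0.1, "delta": 0.0, "epsilon": 0.9},
    "AH":      {"gamma": 0.1, "delta": 0.0, "epsilon": 0.9},
    "AHFXbar": {"gamma": 0.1, "delta": 0.0, "epsilon": 0.9},
    "AHFX":    {"gamma": 0.1, "delta": 0.9, "epsilon": 0.0},
}

def sequence_frequencies():
    """Frequency of each large-LOCA core-melt sequence."""
    p_ahf = P_A * (P_HF_HARDWARE + P_HF_OPERATOR)
    return {
        "AD": 5.4e-7,   # carried over from the OPS study
        "AH": 2e-8,     # carried over from the OPS study
        "AHFXbar": p_ahf * (1 - P_X_GIVEN_AHF),
        "AHFX": p_ahf * P_X_GIVEN_AHF,
    }

def release_category(sequence, mode):
    """Overpressure (gamma, delta) -> 2 or 5; melt-through -> 6 or 7."""
    removal_failed = "F" in sequence  # F: fission product removal lost
    if mode in ("gamma", "delta"):
        return 2 if removal_failed else 5
    return 6 if removal_failed else 7

def release_table():
    """Map each sequence to {release category: frequency}."""
    table = {}
    for seq, freq in sequence_frequencies().items():
        row = defaultdict(float)
        for mode, p in MODES[seq].items():
            if p > 0:
                row[release_category(seq, mode)] += freq * p
        table[seq] = dict(row)
    return table

if __name__ == "__main__":
    for seq, row in release_table().items():
        print(seq, {cat: f"{f:.0e}" for cat, f in sorted(row.items())})
```
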
3.0 DISCUSSION AND SUMMARY
The contributions of the loss-of-offsite-power initiated accident sequences to the various release categories are given in Table 1. The sequence TM'B B', involving failure of the reactor coolant pump seals, contributed a probability of 2x10^-6/reactor-yr to release category 2, while the accident sequence TMLBB'Bo, involving loss of auxiliary feedwater, contributed a probability of 6x10^-7/reactor-yr. There was a probability contribution of 2x10^-6/reactor-yr to release category 5 from loss-of-offsite-power initiated accident sequences. One should keep in mind that accidents where the containment failed by overpressure, but the containment sprays were operating, were assigned to release category 5, but there may well be a considerably larger radioactive release from accidents where the containment fails by overpressure before reactor vessel failure, as compared to accidents with containment failure some time after reactor vessel failure (when the sprays have had time to remove the fission products from the containment atmosphere).
In this connection, failures of containment by hydrogen burning before reactor vessel melt-through are of special interest. Such detailed analyses of containment failure mode probabilities and release category assignments are beyond the scope of the present report. The contributions to the release category probabilities of the loss of coolant accidents are, from Tables 3 and 4,

Release Category 2: 1.6x10^-6/reactor-yr
Release Category 5: 1.2x10^-6/reactor-yr
Release Category 6: 6.7x10^-6/reactor-yr
Release Category 7: 1.1x10^-5/reactor-yr.

The loss of main feedwater initiator (see Section 2.2.4) gives a Category 5 release of 1x10^-7/reactor-yr, while the Category 7 release is 9x10^-7/reactor-yr. The risk from this accident sequence is relatively low, and it is therefore not too important whether "feed and bleed" works here.
In contrast to our study, accidents initiated by loss of offsite power were a minor contributor to risk, in the OPS study (Reference 2). Loss of offsite power sequences did not contribute to the Category 2 release, in the OPS study. This was a result of the credit given for the diesel-driven containment spray in the OPS study. We did not give credit here, because of the limited time of operation of the spray. In the OPS study, loss of offsite power sequences contributed only to release categories 5 and 7; the total probability contribution to release category 5 was 7x10^-9/reactor-yr. In contrast, our values, as given in Table 1, are much higher.
For comparison, the contributions to the release category probabilities of loss of coolant accidents, obtained in the OPS study, are

Release Category 2: 3.2x10^-7/reactor-yr
Release Category 5: 6.8x10^-7/reactor-yr
Release Category 6: 2.2x10^-6/reactor-yr
Release Category 7: 6.1x10^-6/reactor-yr.

The error in the probabilities of the accident sequences is subjectively estimated to be about an order of magnitude. The sequence TM'B B', involving failure of the reactor coolant pump seals, may have an even greater uncertainty, because of uncertainty as to the timing and magnitude of the reactor coolant pump seal failure.
It should be emphasized that the scope and depth of the study was limited, and it should not be considered a final assessment of risk for the Zion plant.
ACKNOWLEDGMENTS
The authors would like to thank W. T. Pratt for helpful discussions.
REFERENCES
1. Reactor Safety Study, An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants, WASH-1400 (NUREG-75/014), U.S. Nuclear Regulatory Commission, October 1975.
2. "An Evaluation of the Residual Risk from the Indian Point and Zion Nuclear Power Plants," Offshore Power Systems, Report No. 36A75, February 1980.
3. M. Llory and B. Gachot, "Probabilistic Analysis of Systems Related to PWR Safety -- Synthesis of EDF Studies," Paper XII.3 in the Proc. of the ANS/ENS/OECD Topical Meeting on Probabilistic Analysis of Nuclear Reactor Safety, May 8-10, 1978, Los Angeles, California.
4. Memo from D. Crutchfield, Chief, Operating Reactors Branch #5, Division of Licensing, USNRC to D. Crutchfield, Acting Chief, Systematic Evaluation Program Branch, Division of Licensing, dated May 20, 1980 on the subject of the results of survey of loss of power events at domestic nuclear power plants.
5. Ray Scholl, private communication, August 20, 1980.
6. V.P. Poloski and W.H. Sullivan, Data Summaries of Licensee Event Reports of Diesel Generators at U.S. Commercial Nuclear Power Plants, NUREG/CR-1362, EGG-EA-5092, March 1980.
7. Letter, W. F. Naughton, Nuclear Licensing Administrator, Pressurized Water Reactors, Commonwealth Edison, to A. Schwencer and H. Reeves, USNRC, on the subject of Station Blackout - Additional Information for Zion Station, November 2, 1979.
8. Generic Evaluation of Feedwater Transients and Small Break Loss-of-Coolant Accidents in Westinghouse-Designed Operating Plants, NUREG-0611, U.S. Nuclear Regulatory Commission, January 1980.
9. Memo from Paul S. Check, USNRC to Thomas M. Novak, USNRC, on: Zion Units 1 and 2 - Safety Evaluation Report Input on the Implementation of Recommendations for the Auxiliary Feedwater System, dated Ma3 t 1980.
10. PWR Information Course, Westinghouse Electric Corporation, January 1978, p. II-2.8.
11. Karl N. Fleming and Paul H. Raabe, "A Comparison of Three Methods for the Quantitative Analysis of Common Cause Failures," Paper X.3 in the Proc. of the ANS/ENS/OECD Topical Meeting on Probabilistic Analysis of Nuclear Reactor Safety, May 8-10, 1978, Los Angeles, California.
12. A. Azarm, G. McLagan, A. Husseiny, and M. Metwally, Trans. Am. Nucl. Soc. 35, 387 (November 1980).
DISTRIBUTION LIST
Advisory Committee on Reactor Safeguards (IS), U. S. Nuclear Regulatory Commission, Washington, D. C. 20555
Mr. R. Bernero, Director (1), Probabilistic Analysis Staff, U. S. Nuclear Regulatory Commission, Washington, D. C. 20555
Mr. H. Denton, Director (1), Office of Nuclear Reactor Regulation, U. S. Nuclear Regulatory Commission, Washington, D. C. 20555
Mr. W. J. Dircks, Executive Director for Operations (1), U. S. Nuclear Regulatory Commission, Washington, D. C. 20555
Mr. Malcolm L. Ernst, Assistant Director for Technology (1), Division of Safety Technology, Office of Nuclear Reactor Regulation, U. S. Nuclear Regulatory Commission, Washington, D. C. 20555
Mr. J. Hickman (1), Sandia Laboratories, P. O. Box 5800, Albuquerque, New Mexico 87115
Dr. Sanford Israel, Acting Chief (10), Reliability and Risk Assessment Branch, Office of Nuclear Reactor Regulation, U. S. Nuclear Regulatory Commission, Washington, D. C. 20555
Local Public Documents Branch (2), Office of Administration, U. S. Nuclear Regulatory Commission, Washington, D. C. 20555
Dr. James F. Meyer (1), Reactor Systems Branch, Division of Systems Integration, Office of Nuclear Reactor Regulation, U. S. Nuclear Regulatory Commission, Washington, D. C. 20555
Mr. Thomas Murley, Director (1), Division of Safety Technology, Office of Nuclear Reactor Regulation, U. S. Nuclear Regulatory Commission, Washington, D. C. 20555
Mr. Thomas M. Novak, Assistant Director for Operating Reactors (1), Division of Licensing, Office of Nuclear Reactor Regulation, U. S. Nuclear Regulatory Commission, Washington, D. C. 20555
Public Document Room (2), 1717 H Street N.W., U. S. Nuclear Regulatory Commission, Washington, D. C. 20555
Dr. Themis P. Speis, Chief (1), Reactor Systems Branch, Division of Systems Integration, U. S. Nuclear Regulatory Commission, Washington, D. C. 20555
Mr. W. Stiede (1), Commonwealth Edison Company, P. O. Box 767, Chicago, IL 60690
Technical Library (1), U. S. Nuclear Regulatory Commission, Washington, D. C. 20555
Mr. Ashok Thadani, Chief (1), Reliability & Risk Assessment Branch, Division of Safety Technology, Office of Nuclear Reactor Regulation, U. S. Nuclear Regulatory Commission, Washington, D. C. 20555
Mr. David Wigginton, Project Manager (1), U. S. Nuclear Regulatory Commission, Washington, D. C. 20555

BNL Distribution
DNE Chairman (1)
DNE Deputy Chairman (1)
RSP Associate Chairmen (3)
Safety Evaluation Group (8)
Nuclear Safety Library (2)