ML19345B945
| ML19345B945 | |
| Person / Time | |
|---|---|
| Site: | Davis Besse, Rancho Seco, Crane |
| Issue date: | 02/07/1980 |
| From: | Abbott E, Bickel J, Kastenberg W Advisory Committee on Reactor Safeguards |
| To: | |
| Shared Package | |
| ML19345B940 | List: |
| References | |
| RTR-WASH-1400 ACRS-R-0862A, ACRS-R-862A, NUDOCS 8012020804 | |
| Download: ML19345B945 (21) | |
Text
_.
't
' ANALYSIS OF FEECMATER 'IRANSIEffI' SEQlJENCES IN B&W NUCLEAR STEAM SUPPLY SYSTEMS i:. Abbott, J. Bickel & W. E. Kastenberg ACRS Fellows I.
INTRODUCTICN Tais study uses event tree analysis, and existing WASH-1400 methodology and l
data to determine various sequence probabilities for three different events which have occurred in plants with a B&W Nuclear Stean. Supply System. Se events evaluated are the March 29, 1979 Accident at t ree Mile Island (M I),
the March 30, 1978 Loss of Instrument Power Transient at Rancho Seco (RS) and the September 24, 1977 Depressurization Transient at Davis Besse (DB).
The sequence of events at RS and DB are given in Appendix A.
%e events are generically classified as loss of main feedwater. We 'IMI and DB events are similar in that the sequence of events (i.e., the separate plant and operator actions) are comparable up to the Inint of the operator manuclly blocking the power operated relief valve (PORV). We RS event is similar only in that the initicting event resulted in a loss of main feedwater. Se plant and operator actions, however, are different from MI and DB.
In the first part of this memo, a heuristic analysis of feedwater transients in B&W plants prior to MI is given. his is followed by an analysis using the data, event trees and sequences contained in WASH-1400 for the S2 small break LOCA (break diameter 62") and for the T-transient.* It must be recognized, however, that WASH-1400 utilzes event sequences characteristic of the Westing-house Nuclear Steam Supply System and its associated protective and engineered safeguard systems. In the last part of the study, we develop a feedwater transient A glossary of abbreviations is given in Table I (page 3).
1 p p oloF
. t
(
'Ihis tree event tree sequence unique to B&W plants valid prior to April 1979.
is applicable to B&W plants where the PORV is designed to lift prior to RPS trip during a feedwater transient.
4
(
9 M
a a
s I
i r
2 i
W
-e
(,
TABLE I C
k GLOSSARY OF TEIFS AEWS - Auxiliary Feedwater System i
CHRS - Containment Heat Reinoval System CSIS - Contairnent Spray Injection System CSRS - Containment Spray Recirculation System CVCS - Chemical Volume Control System ECI - Emergency Coolant Injection ECR - Emergency Coolant Recirculation EP - Electric Power DB - Davis Besse ICS - Integrated Control System HPIS - High Pressue Injection System LOCA - Loss of Coolant Accident (power supply for instruments NNI-Y - non-nuclear instrumentation power bus Y.not associated with th PCS - Power Conversion System PORV - Power (or pilot) operated relief valve Psi - Pounc s per square inch
= probability the RPS
- probability of failure for system X. (e.g., Psystemfailstoinaertth PX P A - Pressurized Water Reactors RCS - Reactor Coolant System RHRS - Residual Heat Removal System RPS - Reactor Protective System RS - Rancho Seco 3
nw
i ot
.. i S2 - small break LOCA event tree of WASH-1400 for a PWR i
SFRCS - Steam Feedwter Rupture Control System SHA - Sodium Hydroxide Addition SR - Safety Relief SSR - Secondary Steam Relief T - Transient Event Tree of WASH-1400 for a PWR TE - Transient Event M I - Three Mile Island Vo - Valve Opens VR - Valve Recloses WASH-1400 - The Reactor Safety Study NURU3-75/014.
(
~
4 l
l
9 IEURISTIC ANALYSIS T E&W STIDWATER WANSIENTS II.
As stated above, the sequence of events at Davis Besse (DB) and Rancho We Three Mile Island (MI) accident Seco (RS) are given in Appendix A.
is similar to the De transient up to the last event where the stuck open PORV is isolated at DB but not at M I.
As discussed later in this develo) rent, the time frames are however, somewhat different.
Examination of the sequences given in Appendix A yields the following heuristic analysis:
1.
%e events for WI and DB are determined by: a) the frequency of feed-water transients in IMRs a 3 per reactor year, b) the fact that in B&W plants prior to April 1979, a feedwater transient causes the PORV to open C
independent of AEWS operation, and c) failure of the PORV to close (3 x per demand). Hence this family of transients would be initiated on
-2 10
-2 the order of 9 x 10 per reactor year.
%e eventual outcome of this sequence depends upon a) whether or not the 2.
IORV is gagged at the time of transient initiation (50% of the time it isolating is), b) operator action in not interrupting the HPIS, and c) the PORV if it fails to close.
For DB the PORV was not gagged, the operator interrupted the HPIS and 3.
did isolate the PORV.
In order to estimate the frequency of the outcome, A telephone survey the probability of these three events must be obtained.
of B&W plants by the authors revealed that the PORV is gagged 50% of the 5
- s WPSH-1400 We operator action is more difficult to obtain.
time.
(Appendix III) states that the probability of operator failure mder stress is:
0.9 - 5 minutes after a large IOCA 0.1 - 30 minutes after a large LOCA 0.01 - several hours later t e average error rate, in a high stress situation is given as.0.2 to 0.3.
In addition, if P is the probability of operator error, and the number of n is given as the probability of a collective people present is n, then P In practice, the final decision rests with the shift supervisor so error.
(See Appendix B) that n can vary between 1 and 3 depending on his influence.
One problem (among others) in using this data is that it is not clear Wat is, the that the operator made an error in defeating the HPIS.
pre:edure followed called for interruption of HPIS with high level indicated In that case, it may have been the procedure that was in the pressurizer.
in error, and the ooerators failed to recognize it.
(0.3)3 = 0.027 Using a probability of 0.5 for the chance of a gagged PORV, for defeating the HPIS after several minutes, and using 1-(0.1)3,,g for successfully blocking the PORV at 20 minutes yields a frequency for DB
-3 DB = (9x10-2) (0.5) (0.027) (0.999) = 1.2x10 At 'IMI, the PORV was not gagged, the operator interrupted the HPIS and 4.
Since the decay heat load was greater at 'IMI the PORV was not isolated.
We operator than DB, the failure to block the PORV occurred sooner.
l l
a4 should have recognized that the PORV had stuck open by the time the quench his yields tank rupture disk blew (about 15 minutes into the transient).
an estimate of the error probability of (.5)3 Hence at m I
-4 WI = (9x10-2) (0.5) (0.027) (.125 ) = 1.5x10 For Rancho Seco (RS), the initiating event (loss of non-nuclear instrument-5.
-3 Since this loss ation) was estimated to be 8.6x10 per reactor year.
initiated the feedwater transient, this value is used, rather than the 3 per reactor year used for DB and MI.
Since the PORV was gagged (0.5), the operators throttled the HPIS (0.027) and the code safety valves opened and closed as required ( 1.0), the frequency of this event is estimated as RS = (8.6x10-3) (0.5) (0.027) = 1.2x10-4 In the next section, an attempt is made to map these events on the WASH-1400 event trees.
-*/ Because of the difficulty in estimating the specific failure of the non-nuclear instrumentation (NNI-Y) power supply in the absence of a detailed fault tree analysis, the failure rate for low power, solid state devices was used.
It should be noted that the final result is very sensitive to this failure rate and should be viewed as representing the family of NNI failures.
7
III. WASH-1400 EVENT W EES In this section, we have attempted to trace the Davis-Besse (DB), Rancho-Seco (RS) and 'Three Mile Island (WI) events on the WASH-1400 Transient Small Break IDCA (S2) event trees shown in Figures 1 and 2.
Mapping the sequences occurring at DB and RS on the WASH-1400 T tree without any modifi-cation yields sequence 7, which does not result in core melt, and was s3se-Mapping 'IMI quently omitted from the dcminant risk sequences in WASH-1400.
(a) sequenet 'INLOU if no credit is given for the return on the T tree yields:
of the Auxiliary Feedwater System (AfWS) or EU if crecit is given for AfWS.
Both paths do not give credit for actuation of the High Pressure Injection With.HPIS actuation, the corresponding paths are 'IM and 'IMLO System (HPIS).
(See Figure 1). Several problems arise when trying to evaluate these events For the DB and RS events, sequence 'IM does not in terms of this event tree.
between the failure of the PORV to close at DB and the differentiate Second, the sequence is for all, transient ini-(
initially gagged PORV at RS.
tiated events and hence does not identify the initial loss of non-nuclear instrumentatica (power bus NNI-Y) induced by human action which resulted in the feedwater transient and in the loss of indicators during the transient at Iastly, for DB and 'IMI, the tree fails to include the fact that the PORV RS.
will lift regardless of the availability of the auxillary feedwater supply in B&W plants, and, therefore, neglects the possibility that the PORV fails to close.
For the DB and RS events, the frequency of sequence 'IM for all feedwater trans-ients would be given by:
K M II~ 0) (1-P ) (1-P ).
P'TM = P,7 (1-P I U
g
=1 Based on NASH 1400 data, P.7 = 3 feedwater transients per reactor year, Pg (failure to recover the main feedwater system within minutes) and assuming (1-P ) = 1 we obtain g
8 p.e
P,
= 3 per reactor year.
For '!MI, the appropriate sequence (taking into account the return of the ANS) is 'IMU with P,ggg = PT (1-P ) Pg (1-P ) PU g
g is the unavailability of the Per reactor year where Pg Hence P7pg = 3 x PU Since HPIS was available, but the operators interrupted its operation, HPIS.
is chosen as (0.3)3 which is in the range of WASH-1400 numbers for operator P
U error. Hence for this sequerr;
-2 P
= 8.1x10 per reactor year.
yg Again, this tree negles*.s failure of the PORV to close.
In WASH-1400, it is suggested that transients, for which the PORV fails to close, should be treated as a small break LOCA, and the event tree S2 be used (Figure 2).
Since the LOCA is terminated at both DB and RS, (the PORV is finally blocked at DB and the code safety valve reseats at RS), these events with a frequency of 3 per year.
become sequence S2
'Ihe Mapping the 'IMI event on the small break LOCA tree yields sequence S D.
2 initiating frequency S2 is given by
-2 S2 = 3 feedwater transients / year x 10 failure to close/ demand *
-2
= 3 x 10 S2 events /yr.
Using a HPIS unavailability of (0.3) due to operator error, 'IMI becomes
~4 P
= 8.1x10 / yen yy Failure to block the PORV is not included in the tree and the PORV failure to close on demand nunber comes from Appendix V, page V-38 of MSH-1400.
- WASH-1400 states this number has an error factor of 10.
9 l
t o
For the particular feedwater transient at Rancho Seco, the probability of loss of non-nuclear inctn: mentation (which led to loss of feedwater) and the proba-J bility that the Icss was attributable te btunan error should be obtained.
9 Data from WASH-1400 on loss of non-nuclear instrumentation is abo Hence the Rancho Seco initiating event may be on the
-3 10 / reactor year.
~ -3 order of 8.6 x 10 / reactor year.
APPLICATICN OF A B&W EVENT 'IREE 'IO %I, DB AND RS IV.
A unique event tree was developed for feedwater transients in B&W plants whic We differences between the WASH-is different from those used in WASH-1400.
1400 - PWR and the B&W PWR were described in Section III.
he W e sequence of events at PtI is well known and not presented here.
events follow along sequence #5 on the attached event tree and are self-explan-x atory (Figure 3). The sequence of events for Davis Besse follows sequence 86 W e sequence of events for Rancho Seco follows sequence on the event tree.
- 14 on the event tree.
h e probabilities and failure rate data shown below were obtained from WASH-h e uncertainty in P. and 1400 except for those marked with
- and **.
g W e uncertainty in the other probabilities P were also obtained from B&W data.
g are difficult to obtain because they depend on human errors, operating pro-Hence, the final results could cedures, etc., and have not been ascertained.
have large error bounds.
10
De probabilities for the significant events in the event tree are:
- 3 per reactor year (WASH-1400, Appendix V, pg. V-34)
P7
- P
=.5 p
~
- P ' = 3 x 10-2 ( 1 x 10 )
Q P = 3 x 10-2 ( 1 x 10-2) g P ' = (.3)3 (WASH-1400, Appendix III, page III-60)
U (for MI)
P " = (.5)
Q (for DB)
P
= (.1)3 g
For W I the probability is as follows:
P
'=P xP x (P ) x (P.) x (P.)
yy T
g g
U g
= 3 x.5 x 3 x 10 x (.3)3(.5)3
-2
-4
= 1.5 x 3J / year For DB the probability is as follows:
P
=P xP xP x (P,) x (1-P.)
g T
p g
g g
= 3 x.5 x (3 x 10-2) x (0.3) x (1-(.1)3)
-3
= 1.2 x 10 / year For the Rancho Seco event, the probability of the loss of an instrument bus leading to a feedwater transient must be used for P. Using WASH-1400 T
data, the failure rate of low power solid state devices is:
-3 Per year.
1 x 10 /hr or 8.6 x 10 value was obtained from a telephone survey of B&W plants and
- The Pp their estimate of the frc'nency of defeating the PORV by blockirv3 or gagging.
- Obtained from B&W
W e probability of the RS family of events is then estimated as P
=P xP xP' RS gy p
U
-3 x.5 x (.3)3
= 8.6 x 10
-4
= 1.2 x 10 per reactor year.
Rese results are sunnarized as follows:.
TABLE II.
B&W WASH-1400 T
-4
-2 8.1 x 10-4 1.5 x 10 WI 8.1 x 10
-3 1.2 x 10 DB 3
-4
-3 1.2 x 10 RS 8.6 x 10
(
It is important to recognize that the largest uncertainty is in charac-terization of operator action. WASH-1400 states that if P is the prob-ability of operator error, then P is the probability of error if the n
Because of the supe.-
number of personnel in the control room is n.
visory nature of the shift supervisor, the probability may be between P and P".
Wis report uses.3 for HPIS unavailability as an average for Failure to block the initial one-half hour for all three sequences.
the PORV is given a probability at.5 at fifteen minutes and.1 at thirty Bis report does not t. valuate in detail the resultant error minutes.
Se in the calculations _because of a lack of data on operator action.
values chosen are considered to be within the ranges of WASH-1400, and consistent with the methodology.
- Does not apply.
12.
-.4
i V.
CDNCLUSIONS After mapping the 'IMI, DB and RS events on the WASH-1400 Transient and Small Break LOCA trees,' constructing an event tree for B&W Feedwater Transients, and employing the WASH-1400 data, the following is concluded:
As shown in Table II, the values obtained from a B&W transient iree differ 1.
event trees in WASH-1400 because from those obtained from the T and S2 the latter trees do not include the necessary features as discussed above.
As noted in Section II, the WASH-1400 event trees cannot be used since the PORV '.
lifts during a feedwater transient. tis clearly shows that the strict use of
% is should be these event trees to other PWRs yield erroneous results.
obvious because the trees in WASH-1400 are. unique to the Surry Plant which is a Westinghouse PWR.
he values obtained above could'have been obtained prior to the event sequences discussed because the data, knowledge of the transients and methodology were i
W e only requirement to complete a similar study would have been known.
development of a unique event tree for B&W plants.
- 2. he consequences of these sequences of events depend upon the exoosure history At DB, the plant was operating at low power with fresh fuel.
of the core.
At TMI, the plant was operating at full power well into the fuel cycle.
% e time allowed to block the PORV and for re-initiating HPSI before the core is uncovered was different in each case. %ese time differences hre ref1 w-ted in the cr.aracterization of operator action.
13.
gee
e Se tRC will construct event and fault trees for ir.dividual plants under 3.
S e individual li-the Integrated Reliability Evaluation Program (IREP).
censees, however, could easily perform similar studies using available failure rate data and developing a unique event tree for their respective
'n.is would innediately focus upon needed areas of improvement in planti.
operations and provide an independent check to IREP.
e
(
14.
o e
(
APPENDIX A Sequence of Events he sequence of events for Davis Besse is:
- A spurious initiation of Steam Feedwater Rupture Control System T
isolates the steam generators and starts the auxiliary (SFRCS) feedwater pumps.
- The pressure rise in the primary system causes the Power Operated P
Relief Valve (PORV) to open.
or because the
- The control room operator manually trips the ret.
K pressurizer level is outside (high) of the operating range.
- Both auxiliary feedwater pumps start but only one feeds a generator L
due to binding in the throttle linkage in the other ptrnp's turbine l
control system.
P;Q-Code safety valves do not lif* as the PORV is relieving reactor coolant pressure.
- The PORV " simmers" due to a missing relay in the closing circuit and Q
after nine cycles it sticks open.
initiation on low RCS pressure U - Safety Features Actuation System (SDS) starts the HPI pumps.
U'- The operator cycles the HPI pumps to maintain pressurizer level.
Q"- The operators recognize that the PORV is stuck open and shut the block valve.
he sequence of events for Rancho Sece is:
T - ne loss of one of the two non-nuclear instrumentation fuses (NNI-causes the Integrated Control System (ICS) to sense a loss of BTU output and isolates the feedwater system.
. s
(
P - S e primary system pressure rise would have caused the PORV to oper but it was gagged shut.
K - S e reactor trips on high RCS pressure.
L - The operator manually in2tiates main feedwates after realizing the WI-Y failure has blocked the initiation of the auxiliary feedwater system (the auxiliary feedwater pumps initiates automatically on SFAS actuation later on in the transient.)
P - The increased RCS pressure causes one of the tw code safety valves to open at a pressure less than maximurn setpoint of 2f00 psi..2e subsequent decrease in RCS pressure causes a SFAS initiation (HPI and AFWS start).
O'- h e power safety valves reseat.
U'- NNI-Y is restored. %e operators recognize an excessive cooldown (> 100 F/hr) has resulted. hey throttle HPI and auxiliary feed flow to reduce rate of cooldom.
t Tt Arl eat 544 Sa/
88' CYCs awes Im=
, sE0utesct T
a u
L P
O y
e
.s.
i e
3 tw 3
Yu DB & RS v.
1 TMI-2 t==
a
.._....--_.--i 7.
I 7
ftsk
...M L.._
(
TM-2 e vuou 1
s I
II IEW sa ruu 14 TKO to TROW te TEP n
tam se tsam t$
TKug m
TaasQ 31 Tuasou a
ten 3
Taast
~
n snew I
FIGURE I 414 FIfR Transient Event Tree FIGURE 1 e
4 O
1
'(
bl SSR &
CSIS Ecl GR$
CHR$
SEQUENCE LOCA h
B K
L C
D F
G H
I 1 h i
1 2
8I 2
1 3
5H 2
l 4
8 HI 2
5
$ G, S HG 2
2 1
6
$ 0 8 HO' 2
2 7
$ F,S HE 2
2 8
$ EI'I HEI 2
J g
S D *TMI
~"
2
~
l-1 10 S DI 2
11 S DG i
2 12
$ DGI
~
2 13 S DF g
14 S DFl 2
1 15 SC y
16
$ CD 2
17 5'
2 C
18 5 LI 2
19
$ LG 2
1 20
$ LGI 2
21 5 LE 2
Yes l
22 5 LEI 2
23 5 LC h
2 24 3K t
2 l
25 5 "I 2
l 26
$ "O 2
l 27 5 KGI 2
l 28 5 "E 2
29 8 "EI 1J 2
30 $ KC 2
31 58 2
No 1
32 5 8K 2
FIGURE I 44 MfR Small LOCA (52, 1/2-2 inch diameter) in RCS FIGURE 2
,-.,--en----.,-,,-+.w.e...reepy_,---
.y'--c
.r-,.,w-.
l o
e c
s e
s S
v B
o h
s c
i n
v I
a a
M R
i 9
T e
t_. b 5
4 s,
o 1
L t0
\\
s 1
S_
i9
\\
l J
,k )"
wL. 9 1 (
7 eS('a Q
I D
E M
E m
R
)
u 1
z E
nT
(
V
~
E k
1 T
t u, l p a (a cL E
N I
yA I
N S
AR s
)
T e d (Q
e t
~
K.
p s
.~
t tA
,)
M
- u. Y"L 'q
)
t.
t.
n c'i (
W
)
~$_(e' q
c 3
E RU
- c. {j G
I n l% (J F
t
,l r
eM ()t s
c v
- s. )
xr* g (r o
~
l i
wi wt r
)
>e T o (
I' I
o*
t APPENDIX B i
OPERATOR ERROR 4
The rationale for characterization of operator error in WASH-1400 can be demonstrated as follows.
Let pf be the probability of operator failure and Then let p be the probability of operator success.
3 (1) p + pf =1 3
Let P as it should. Suppose there are n operators in the control room.
f In WASH-1400, be the probability the n operators make a " collective" error.
P is given by f
(2)
= (pf)"
P f
Since probability must be conserved, the probability that the n operators make a " collective" success, denoted P is 3
(3) f = 1-(pf)"
P
=P s
To understand the implications of such an approach consider the following:
pf = 0.1 (individual failure), n=3.
let It follows that:
p = 1-0.1
= 0.900 (individual success) s
& (0.1)3 a 0.001 (collective failure)
P f (collecthe success) 1-(C.1)3 0.999 a
P
=
s.
y 1
e i
e 9
e 4
4
~
s
( The nossible operator actions are:
(0.1)3
.001
=
pfpfpf=
(0.1)2 (0.9)
.009
=
pf pf ps
=
(0.1)(0.9)(0.1)
.009
=
Pf
=
pf ps (0,1)(0.9)2
.081
=
pf p P
=
s s (0.8)(0.1)2
.009
=
p,pfpf=
(0.9)2(0.1)
.081
=
P p pf
=
3 s (0.9'(0.1)(0.9)
.0 81
=
p Pfps
=
s (0.9)3
.729
=
p P E
=
s s s 1.000 Hence, WASH-1400 can be interpreted as follows:
a).
For a " collective" failure, all n operators must be in error.
i b)
For a " collective ' success, at least one operator must take correct action.
With this interpretation, P IP i.e. all operators are correct.
s s
As stated in the report, the shift supervisor should have the final word...
however, to be consistent with the WASH-1400 approach and P
- 1-(P )"
Pf = pf s
f is used, with the interpretation given above.
--