ML19352A586
| ML19352A586 | |
| Person / Time | |
|---|---|
| Site: | Clinch River |
| Issue date: | 03/16/1976 |
| From: | Vesely W, Wall I NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
| To: | Kouts H NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
| Shared Package | |
| ML18025B195 | List:
|
| References | |
| FOIA-80-587 NUDOCS 8104170242 | |
| Download: ML19352A586 (13) | |
Text
.
l 1
-.--__.. L. j
\\
UNITED STATES 9,*,
NUCLEAR REGULATORY COf.!MisslON VV ASHING TON. D. C. 23555
/
.l
!*t 15 E I
j Herbert J. C. Kouts, Director d
- ' Office of iluclear Regulatory Research
'CO:MEftTS 0.'l " RELIABILITY ASSESSMEiT OF CRSRP REACTOR SHUTD0'.Si SYSTEMS" (HARD-D-Oll8, P.EV.1) NOVEMSER 1975 We have briefly reviewed the subject document and offer the following cournents. We would like to preface our remarks by noting that we approach I y
-the subject from the context of the Reactor. Safety Study which was an in-l depth study of light water reactors and that neither of us are.very familiat with LMFBR technology or the Clinch River Breeder Reactor Project and its documentation. Ac.ordingly, some of our observations may be based upon incomplete knowledge.
The subject docu ent contains a failure mode and effects analysis and a corcnon mode failure analysis of the reactor shutdown system (RSS), neither of which are quantitative. In addition, the availability of the shutdown system is quantitatively assessed by using fault tree c:ethodology. The fault tree analysis only predicts the random independent failure rate of i
the RSS since the effects due to common mode failure, hu.an err *Jrs, test an:
maintenance contributions are omitted. From this quantitative assessmenty.
the ra.3 dom independent failure rate of the RSS is estimated to be 4.13x10 year which is compared to the CRSRP objective of 1.47x10-9/ year for random independent failures. For the predicted 12 demands per year, the above failure rate and objective translate respectively to unavailabilities of 3.5x10-12 and 1.2x10-10 per de :and.
A sununary of our coments follows:
1.
The failure mode and effects and common mode failure analyses appear to be a good start for an effective reliability analysis.
A frequent conclusion in the cocion mode failure analysis is
" sufficient analysis should confirm that this failure mode is highly improbable." This conclusion is questionable and unsub-stantiated by analysis.
The prediction of the random independent failure rate and its 2.
favorable comparison to the project objective is not meaningful, in our opinion, since the prediction excludes any contribution, As shown in Tables 1 from co=on mode and operational failures.
and 2, the analyses contained in the Reactor Safety Study sho;;ed that all safety systems had mediam unavailabilities greater than B10417 0 %V
L.
1-
/,
l
/
Herbert J. C. Kouts 2
- /
.- i
/
10'$ per demang and 75% of the systems were in the range
/
4 of 10-4 to 10- per demand. As shown in Tables 3 and 4,
- I co=non mode, human error, and test maintenance were i
significant contributors to many of these system unavail-
" abilities. A]though the subject document notes that cc.: mon mode failures are.om,itted from the prediction and co= sits
'~
to their inclusion in later calculations, the message conveyed is that the inclusion of con:on mode failures will not prevent the attainment of the overall reliability objective; this is probably incorrect. Based upon the experience of the Reactor Safety Study, we believe this approach is grossly misleading since we would expect coer.on mode failures to contribute significantly to the overall unavailability of such a highly redundant system.
, e 3.
The Reliability Confirmation Test Program is. planned to confirm the CpSRp overall reliability objective. As stated earlier the objective is questionable based upon the failure contributors con'sidered. Furthermore, to demonstrate 10-10 per
(
demand unavailability with 50", confidence would require roughly 9 tests. If a test was perforced every 5 minutes, sucn a 7x10 Lest program would it.st cbout 70,000 years' Clearly, confiim tion of such a low unavailability is impractical and its suggestion implies that the reliability program has not been properly thought out.
- j i
!l e
4.
The project appears to place substantial emphasis on the CRAM coc:puter program. This program c= bodies a Markov model to predict the variation of failure probability with time. All failures are assu.ed to occur'ih a 'ra'ndom independent canner.
t Further work appears to emphasize refining the model for time
. dependent failure rates, staggered repairs, etc. to "further reduce conservatism." Dependent failures (co=.on modes) ap:: ear to receive very low priority since "the system. is so redundant that they ar, jective."not expected to limit the attainment of the overall reliability :
In our opinion, this emphasis is incorrect and symtomatic of the miseenception contained in the entire analysis.
t In su= nary, on the basis of WARD-D-Oll8, Rev.1 it appears to us that the applicant's rel.ibility prograa needs some reassessment. He offer j
some preliminary thoughts below:
0 l
a I $
- b. I
~ ~ ~ - -
~
.-_,n
s
.a lierbert J. C. Kouts 3
4 s
1.
The applicant and f!RR should re-examine, with respect to need and attainability, the rationale and basis underlying the overall reliability objective for CRERP and its alloca-tion to specif,ic :ystems and their specific failure contributiens.*
First, as observed above, the randem independent failure objective as stated by CP3R? is not ceaningful and cannot be "daconstrated."
Second, it will probably be impossible to show with any confidence
' e.
that cc:xnon hode failure contributions satisfy the allocated system objective of 8x10-9 per demand. Therefore, one is unable to show quantitatively that such a system objective is able to
~
be met even with bounding techniques. Third, the system objective (8x10-9 per demand) is far more stringent than the unavailabilities found in the Reactor Safety Study.
a Even though the LHR system unavailabilities were greater than 10-6 per de=and,*the Reactor Safety Study esticated that, over a spectrum of accident magnitudes, the probability of death from 100 light water reactors was one ten-thousanth of all other societal risks and a factor of 100 less-than the next U
-smallest contributor Based upon a consideraticn of relative consequences to the public, it should be feasible for the
. j applicant and HRR to esi.nlish a comparele and.;sra rselistic
.P objective for the CR3PS.
I 2.
A reliability program should be planned which recognizes the proper roles of prediction and de=onstration at each stage,
+
1 e.g., design, bench testing and pre-cperational testing. He would be pleased to cooperate with you in developing a suitable program when suitable objectivas are established.
~
I Table 5 herein indicates the approximate nu.ber of tests 3.
p required to deconstrate a specified unavailability with a j.
certain confidence. In a 3 year test prpgram, a realistic j
- demonstrated unavailability would be 10-3 per demand with 95~.
confidence. It should be noted that the results of bench i
testing are oftentices not translatable to actual plant equipment I*
without further on-5f te tests. If the pre-operational period is limited, a realistic "deconstration" would probably be limited to 10-3 to jo-4 per demand with less than,50% confidence.
-6 The overall reliability objective is stated as 10 per year for loss of coolable geometry. Of this goal, transients without scram -
are assigned 10-7 per year to which random independent failures are assigned 1.47x10-9 failures per year. For 12 demands per year, the last two probabili ics translate respectively to unavailabilities of 8x10-9 and 1.2x10-}O per demand.
e
-M6
- 6 Nh mp e e We e
M.pe.M6m**@ma e
+-6 86 e'9 a
4*w6 m
M ge&
g
\\
Y'!
4
~
Herbert J. C. Kouts-j f
Based on the results of UASH-1400 and with prop 4.
< l of less than 10-6 per demand can only be achieved by two or le These systems may be
?
rore effectively independent systems.
Based either functionally similar er functionally diverse.
d upon Lt R experience, if functionally diverse systems are use (e.g., Scram plus recirculatico trip and baron injection on s
'~
Ic.1
.BWR), one would have greater confidence that.a very univailability had been achieved than if functionally similar p:N
. systems were used.
William E. Vese, Jr.
c Ian B. Hall, Chief Special Assistant for Method:.
i
. Probabilistic Analysis Branch
)
Tables 1 and 2, PWR Calculated System Unavailabilities (22 System
Enclosures:
and BWR Calculated System Unavailabilities (18 Systems) 1.
Table 3, Contributions to BIR System Unavailabilities I-Table 4 Ccr.trib::tions to PNR System Unavailabilities 2.
3.
i 4.
1 h.
A W
c (I 4 i
'. N) i
.,.e
..y 3
b e
e
,,m
- * = -
- ^ '
e
.9 I
i N nt!
Co mm e s, l.s Safaty Ga /
S46 M be to i
D.., 'l 2b e L a l.r.,1 De./4s, but w e Euty F& J./ lin i
Shoa d v e.,8 T v~ e u I
0 i
Aw' i
Af./
se41*vec/
7
.s ne,,,4
'l to do to e
-3 t o"4 A-5xt o i
zl ;.a diff,ea y.,oi 4 u.ce
& /,,, /
p w. v, u f y 1
'o 2.,w, c n
anpas., a a o,uc> rys.,
- >4*h nekd k ong,
e,,,,,,,,.
h!*"S'Uff Y
cen
~ reil.PCem) ece
~
- i. esy 7,e.. i f,si,,,leM.) ~ lo'#kY tooo Bact.-
p f,,e., d "0 ~ !* '/ky
~
aru
\\
- h.., c<,.9 ~ n,.-%
P w,,a,,,,ce n ) ~ i,- 4,,i ?..
\\
l
ar f
i l00 0 fene /e vs la0 af Jet le 9eo a&
5x!5 Anu}4**r$*=*Uf*vt*wh) 1 I
~5
-3
-3 Ask Ex h
-+
4 5 X/0 9.Sx/J K1 1
.. ~ - -
M-N< d
/e I-),.v e PkR1 L> Tkg, Tk Mq ?Z to*
C,eek Valyn i 4x/* b
$ms ll l~ccA 5
l*
l I~,pvoved by
?>Tus a Sm/nov./ fy 7a.,+
L pu smfavene4 em
-rw, TC N /*
Impvat by 27px p;n
\\
&2 ',& 2,
- )
3
[
~
,1 t
?
'P F*
- 2.
-F i
i i
/
i
_1,.
p'.
/
s
.._t __
I t
]
M 4
/
.T-
__i
._.J_...
N,
. A.-
_-w
~
f
~f.
? --~
.b'
- l _~-'~
f
~
~
? -
~~
~
g 1
.'v '-.r^t ^_:.1 -.
__._ r
_4__
_t.
~. _
_____-__ q:7...__. _ _.-_.
.___.__g_ r__- "...s.
. ___q_. _.
j^ T -*.; f kf f f?'7:'
~-
.t Q-*~-~.{ff2.~.-
^
h
-= _. L. _.- }==i =
- t. - r.-E F1-dp,TM. '. = = -. - =;rji:-. :-
.3=_ d.:=JEG.1-- 9+=
h
- 7. ~
=1
_5f_ -
f-5
_ N
. = f.---'
L
*2 21 L2,* =-'CZ[
8"
'~~-
~=
~J'--
7
= -- -i :. EE _=.'- ~;=-7----
- s3 ;
-A-
-- s y-
-*-r;j 1
~
--4__.
'._'_~_"~_~'~*Z_
t_
. s. _ - __ L _._
'.__**.*_1._t___.__M.'-'. _ -.. _
-. - -_y--
1_"____.._l._.' _
~. " ". _.
4
- ~ " - '-
N_' H-'~:~~.... _$ l'-Fi E-E ~ =E t' h -
_3,_.
= -.._
g,
n.- = _ ~.- i r--
_~=_;.- E-q ;i" --;k. E
=i Et. gJ.;g ~ ~ - ; 7__'-
~ _.2E+j=
i -.- nT=E E y _. m = :_ n..=.. =_w
= _ + =.. = - i=- ^w
. ;_ _=q-- = -- g_=t=a ;.
._ y- -p
.-.=,-:.
=- y = r-=-t.--
p-I
.s I
)
I i
c-1 i
i w
t 1
i I
M 4
1 0
4 y y J-
,A e
r M
.W o C.
--t-e o
a _.....---:--. _. --t= t _ _ + _.w.
.-+
m.----.=
g<qt7 5
b~-T~ Mr ~~ L i =~ ~:~13T-Y+Db=+15%-- a-ds?;M-
--22/
=fq
- .w
_3 : ; erE z =- =_t= w g - g a,s;.pe-c.n._.;__
==_
_f _
4 -;
/.-m
=mun,
-in i w, y-w-r ="=c=-q- =w
=
==f--;;.x
.t.
.p._ p- -
._=_. _._. 1... _=_ _=._,=__. _.
._=.- }._.c,.a_4 y,e
. ~. w-, ;__ _. y-.- _i__. ~m _--
t
=
-55=E :-' - ' UN C-{M.O ~-- 4fE..
~O~-i---i- :--TOM EI-~
=
- =- = p_-w_--e =ct-p i= ;. c.
g.9 7 - - =-c
-agm===wf 4 =
- -=;
=-
- p= 3 o1 1-.--
p-.=
. - _t. _ w p._
=+_. 7/
H.p.___n===>
== q-+
=
W.'
+:ya---._...a=== n=-A==- p.
f-
;g e & t g' 3 s
-_...,.__t--
=_
3 6
i
- > g_ _
e
</ !
f
't, f
yl q,
i-n I
. i s
==_
f L
h:q i
__p C <-
g ar g mtr +-
T" p
3,*
tw
+
t _. _ _-t :. _ t=rn r...;
I g
- --- i __ _:
s _! -
i
=:-- t--t-1 i,
C-
.-t-1 c t r L..g g__g _u_ r-y
.---y-
- - -- b--.. ; g__. _ +--.t-t- :: t-- _ = t --
L._.__.
p-g r
+m s
>.-r---
r== = = - - =awa =
_~m e
= r=-
1
k=
--5=
=-^-
. = = ~
=
-=_=1= m-a wa=n- +r N Y b
?-- = -+==-: N==- -is Y=
N_-
N
=
x mmm.
--.-s
+
+
m m---c m wrm-
? ---+- N-MTN" g __.. - - b._._- _
\\
_&.__.__.L.._
m
,0 i___
T=
.___4__,__
3
?=- --! !=--i-E_;p_l__ '-a==Ry
=p
_ = _ -? -U: J. :E-i -l-W_ :-
4
. - ~
==
%s s
, {!
^) }-.
f.
j.
-- [ ; - -
l - -- l -- $ -
-.. '-h
. _ __ ;,4 ;..- f q. U-- ~
. = =.
?
~
=-- - z=r n =.% t =.===.--M =-3 =. e +=- - - L = =. = =+== d m = W -- t--M =m R
h t
da' e
O
.I
i l
N ASH-l 400 Stub sES Pew em ga_
W NPT A
i As.com.
4 n-3si,4 e
%~
...4
,,.- i i
t' i
i l
Rw Ln A th,mL*-
Pwl.w4.ea
.5k Gem F= W G;h ws.
3mif5 l
t
.g ss
,,,. s
~ io I
I RPT 6xc. 5 l
rw r.a-~
h e
s u.s l
t C
m huen (oce P1,;g
- s. sat!
"l l
r
~i
~'**'
1 et
- e.sse5' bd e
e,sa isf wel
^ * '
f(,3Al Px ce n gre. m hr & E Miur Per.c 64/gpr I.D io Rurs pf gpr f.s xli*
=. _. -..
I NAlfffNT FAIUK ICES
- 5 ORTAlttefT OWmediSIFE, UEE El.T, STEAM ERDSIW, MISSILES TO AT!EREE
~ y2 e
v Y E QMAI?tfNT DetsME, GFE lE.T (BLOH0 LIT PNES BLOWN RU/IDIPE LF#AE PAT}D g.
1.3 x IfT5 TUTAL RISK 2x10-5 l
f ATE RISK 1.3 x 11T5 l
I ATE FRKTIO'S EiS!
FOR PUWTS WIl10;T WT, ATE RISK ~1001 6
a
~l
~~
-~
~~- -
FIGURE 1 - GE EVENT Tttt ( u.:ew Ne.3o.zos,26 F'ex) y
,t F3 GI ca un us W wig -
p-EY1[ C MCEABILiu tv45E OUfMst_s FPT art SLC prC1 auC th W W 4.3. W --. ~io" -aamr' -wr' -w* - W'C0 d
-w 'O I
1 s 10(1 WLv.) U""'#k N'
KP 1 mlO4(2vtv5.) '
sp i
4 KW 1 x 10 f.
I 1C m.
i x tO-'
AcceA1.th TCMAP I X IO~I Odd 4"[EdN#
h). -
l M**h -
- TCO, f..x10-5 i-I l
f fa 1
TCtanP 1..* 10 4 Unacech/.sh/4 -
l i
- 1. x10-I TCUtMt
)
TCU l x to**
Unacceple#+
l TCUMg l x 10-7 U; -
4 I
TCuius
'1. x1o dn known' l
I
%U,UtML__I.X#"
N[A i
I l_.
TC.Ca
<Jo*7 N[A 1
I i
I TC,C1
< !O'I N/A
_ T*C d
f.310 i
__3C FI
< !O'I H[A i
i j.
si.
e l
w I
I f'
/
s
\\.
OPTIONS:
1.
CRD UNRELIABILITY 10-5 A.
ATWS SAFETY GOAL FOR FIRST 100 REACTORS 10-6 IWACT:
RPS - ELECTRICAL MODS.
NO SINGLE FAILURES FOR PWRS LIMITED SINGLE FAILURES FOR BWRS SMALL COST TO FIX PWRS < $1 M REDUCED COST TO FIX BWRS
\\
B.
ATWS SAFETY GOAL FOR STANDARD PLANTS i
(FUTURE) 10-7 1&ACT:
STATUS REPORT Pf90lRE?ENTS 2.
CRD UNRELIABILITY 10-4 WHETHER THE SAFETY GOAL IS 10-6 OR 10-7 STATUS REPORT FIXES WOULD BE INDICATED 1
3.
CRD UNRELIABILITY 10-6 A.
ATWS SAFETY G0AL FOR FIRST 100 REACTORS 10-6 IMPACT:
SIMILAR TO (A) 0F OPTION 1 EXCEPT CONSIDERABLE COST REDUCTION FOR BWRS 10-7 B.
STANDARD PLANTS SAFETY GOAL IMPACT:
f SIMILAR T0 (A) 0F OPTION 1 WITH l
~
SIGNIFICANT UPGRADING 0F THE RPS RECOMMEND:
' OPTION # 1 A.
CONSISTENT WITH 00R PHILOSOPHY 10-3/ UNACCEPTAB l
CONSEQUENCES B.
DOES NOT DISAGREE WITH RSS RISKS C.
DIFFICULT, IF NOT IMPOSSIBLE, TO DEMONSTRATE CRD UNRELIABILITY LESS THAN 10-5 D.
ASSURES FUTURE NUCLEAR RISK TO BE A FRACTION OF OTHER RISKS
.