ML19352B292
| ML19352B292 | |
| Person / Time | |
|---|---|
| Site: | Clinch River |
| Issue date: | 06/30/1981 |
| From: | Copus E SANDIA NATIONAL LABORATORIES |
| To: | NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
| References | |
| CON-FIN-A-1197 NUREG-CR-1923, SAND81-0260, SAND81-260, NUDOCS 8107010448 | |
| Download: ML19352B292 (35) | |
Text
n, 'y^
n T'
Y C
1
. - ?$ Y I& '-
, c.y_
c s,
n=-
- .jsOO(15% [SU( cyfy,si.,.; ' r a _.
b.
1
}
~
&,;w.. aNg/CR 19'23U ' -
- ~
?
.y A
- g $ ;p NURE6 SAND 81-0260-4
'. W'-
w y;. ',, '.:RT:
~
?
'.g f $[:
44, 4
I 1
'r 4
O_
~
I
.4i 6
/
_ g, 1
n k
)' h' e
4 4
LQUANTI'FIED~FAULTNREEMODELS:FORhHE-CLINCH.RIVERtBREEDER REACTOR ENGINEERED.-
1SAFETYKSYSTEMS.
1
.ill?J y-i 4
's.
a m
n l9
$;gLi LJ F
U j
JUN 2 2198W L j
A L
k.u.s.*gd[
i-
/
s E.' R.-COPUS 4
w e
s-S.
1-
+
i
!-j-j, i,
i-
{
E D
i i.
g-1 i
I 1. ;.S F 2900-Q4 3-40)..
Prepare'd for U. S.-NUCLEAR REGULATORY COMMISSION I
b-,
4
.9 07010 4k.
w.-eekw..a.
.4
--w.-2.-.
... m
,e---
m
.. = - -
- f. },~;& -
_ l lu is
}fQW
- e z w-
, fR W#MkW M4)kfl9RM? WP}S%? '
f;
~%
~e..
>p b,.
X' We
, ;tr 1:
. W u
c
$1 "s
i J L ng
+
,r m ap;.
/
mm
~ ~-
,w L,
. - +
e
- , c w+
e,
.u 3
I
? ] ';
4 k
I
?
,i%
,~ 4y*
'./,'~ ' i ).,'lh * ' /.. <
^
e e
'w
_)
?
'_p
~
_L__
4 s
'[ 7 T
e-v' 4
m
. ; sc w.,;u
.g,.,,,
y
,c
- _zy,
- q q J. l
'y s
3 w
,' +
't y
~
/
4 m
1 n
2
~
s
+<.
- ~
r~
g
,{
- y;
Q ',
~
~
t e
S
+
i g
e
, 3
~*
.f..
l NOTICE l
~
^
3
.c c
. =.
, E This' report.was ? prepared : asian account of work sponsored -by;
- an agency;of.theJ. United States Government. iNeither
- tho-2 Un ted States Government ' nor 'any. agency-; thereof, or.:'any..ofi i
their.. employees, makes any warranty, expressed or-implied,-.
4 7
=~
~
Lor; assumes any:lega1L liability or responsibility for any-2
- third party?s uso, or the resultsfof such use,Jor1any.infor-4 E
mation, apparatus,iproduct or process disclosed'in:this.
r-report, Dor. represents that'its use by.such third party!would
~ notEinfringe_ privately owned rights.
)
l 4
P ~
- Available from'
~
GPO Sales Program
~.
Division of! Technical Information'and: Document 1 Control U.' S. Nuclear Regulatory Commission-
{
Washington, D.C.
- 205551
}
f.
t t
=and; I
National Tec,hnical Information.Scrvice.
U
~ Springfield, Virginia 22161 L.
.pe' y;
v b~
k; 6
a
,y F:_I 7-sle-bp.
a p
f
. it '_i w}y; pr, y
- 4" A_h.'
..3.a.
s l'
_,$_s.'.1
(
..h,_-
_mmm_
M
^
((_
r Y'
\\
l 1
NUREC/CR-1923 SAND 81-0260 R-7 QUANTIFIED FAULT TREE MODELS FOR THE CLINCH RIVER BREEDER REACTOR E!!GINEERED SAFETY SYSTEMS E.
R. Copus Manuscript submitted: December 1980 Date Published: May 1981 Sand la National Laborator ies Albuquerque, New Mexico 87185 operated by Sandia Corpor ation for the U. S. Depar tment of Energy Prepared for Division of Reactor Safety Research Office of Nuclear Regulatory Research U. S. Nuclear Regulatory Commission Wanhington, DC 20555 Under Memor andum of Under standing DOE 40-550-75 NPC Fin. No. A1197 1
I i
1-11
7- -
Abstract Fault trees which describe the failure modes for the Detection, SCRAM, and Shutdown Heat Removal System functions In the Clinch River Bteeder Reactor (CRBR) LMFBR design were developed both quantitatively and qualitatively using the models from the LMPRR Accident Delineation Study Phase I Final Report as a starting point. These fault trees represent the major branch points of the CRDPP Engineered Safety System initiating-accident event trees and will be used to identify the spectrum of meaningful LMFDR initiating-accident categot les for fur ther analysis in the LMPER core phenomenology and containment areas. The independent failure probabilities for the Detection, SCRAM, and SHRS Engineered Safety Systems were estimated to be 9x10-10, 7x10~8, and 2x10-8 per challenge, respectively based on a 12 challenge per year duty cycle and component failure data.
These estimates are thought to be representative despite the fact that maintenance, inspection, and repair functions as well as cer tain systems redundancies were not modeled in a de facto manner.
iii-iv
r TABLE OF CONTENTS PAGE 111-1v ABSTRACT-1 Introduction 1
Analytical Tools 3
Fault Tree Models and Analysis 3
CRBR Detection Fault Tree 7
i CRBR SCitAM Fault Tree 11 CRBR SilRS Fault Tree f
23 Future Work 25 References I
I 1
4 2
A 1
I I
i i
i i
?
\\
I I
J v-vi
F" In t r oduc t i on The Accident Delineation Study (Pef.1) developed a set of reduced initiating accident event trees for the Clinch River Breedet Reactor Plant.
These event trees were developed specifically to identify the cpectrum of meaningful LMFBR initiating accident categories for further analysis in the
-~
Accident Phenomenology and Containment areas. The basic CS8 responses tequired to complete a mathematically cor r ect event tr ee are De tecti.un, SCRAM, Pump Trip, Shutdown Heat Removal System (SHRS), and Forced Flow. When these ESS branch points were combined for the Clinch River design' and reduced so that only the physically meaningful or necessary paths were retained, the event tree illustrated in Figure 1 results. The accident categor ies identified at the end points of Figure 1 are categorized based on the action and effect of specific accident initiators as well as the response of the ESS branch point functions to those initiators. These accident categories then serve as 9 tar ting points for delineation in the accident phenomenology and post-accident phenomenology areas.
In order to be able to quantify the accident categories identified in Chapter 3 of the Accident Delineation Study, fault tree logic diagrams were developed for the major ESS functions (Detection, SCRAM, SHRS). This level of development is necessary in order to illustrate the functionality, redundancy, and diver sity of the ESS functions and to identify various combinations of ways in which those functions can fail.
It also facilitates the identification of potential common mode /cause mechanisms and provides a means for determining the conditional failure probability for any specific accident initiator.
This repor t is not intended to represent a cr itical reliability analysis of the CRBR ESS functions. Its purpose is to develop and quantify a set of working fault tree models which can be used in conjunction with the ESS event trees developed in Chapter 3 of the Accident Delineation Study to estimate the relative recur rence frequencies of accident categor les typical of CRBR type LMFBR systems.
Analytical Tools The primary tools used to reduce and quantify the Detection, SCf4M, and SHRS fault tr ees were the SETS, SEP, and FTD computer programs (Ref. 2).
The
, Set Equation Transformation System (SETS) program is a ver y general, flexible co-le used for manipulating Boolean equations which can be derived from fault trees. Given the fault tree representation as input, SETS can be used to pro-duce an equivalent Boolean equation which is then reduced systematically into the fundamental ways that the top event (failure) can occur. This Doolean expression represents a comprehensive set of the minimal paths to fattute which are referred te as the minimal cut sets of the given fault tr ee.
Once the minimal cut sets are known, the Sets Evaluation Pr ogram (SEP) code can be used to numerically estimate the probability of failut e associated with the given fault tree. Given the minimal cut sets equation and the independent failure probability for each basic event (i.e., basic componei in that equation, SEP will compute the estimated upper bound of the failure probabil-ity of the top or any intermediate event as well as the relative importance ranking of the basic events based on the statistical r at e event appr oximation.
1 l
so
!aTTIATIBG ACCIOLET Caittos?
REACTOR SMUT 30 hat Sr$Tt4 (Wis)
DECAr setAT agativAL DETECT!04 5CAME PUeP 1817
$nt$ AWA!LAttti FDAC10 FLOW 3
e g
e dA COLD SMitToma Acettwo utin OR WITWA:T A l
g IEttA51 PQ55 tele (CSA: a0 EL.) OE (CSA:
8' a
g IEL. POES.). DageGt3 COE: CDA P05110Lt I
8 s
g (SC: CDA 7051.1. m DAftEED C3mt 4 PAO-I I
TECTit auPTURE OF TW PSInsa? Omm0aaf i
8 i
g CDA 705519d (DC & Pes: CDA P051.).
I e
I I
I PS3!!CYtB TRAmittaf CA FAILL1C WITuccf 4
5 8
- g 8
I FOAC10 FLOW: CIA P0551tLE (PT/F W/0 g
FOK10 FLCW: CDA P055.)
I I
sxtt1Vvts l
d6 l
CC PacttCita TRAssttet OR FAILUPt WITd3l!!
l sats: Cid thistTAett (PT/F h/0 smas:
CDA IMf!T.)
l
- D UIPICTICit3 TRAnitt4T OR FAILDRt Am0 LCSS-OF-FLOW (UTtF & ULOF)
FALLL%2) nQ E
WePECTECTED TRAnsttaf OR FAILURE (L'T/f)
$PECIFIC ACCIDENT
- F ANT!CIPATED FAAT is0T REQutatoG SCAMI CIIII i
W
$Lt1TLTEM (AFus) gn!T! ATCR/ car.1C FAILt;nt
- s puPt0TECTta TaAmS!ENT M FAILuet (UT/F)
Figure 1.
Reduced Initiating Accident Event Tree for a General Subsystem Failure in CRBRP.
i n
4 e
a b
b ee
f In addition, if the error associated with each basic event is known, a Monte-Car., technique similar to the one (SAMPLE) used in WASH 1400 (Ref. 3) can be used to estimate the probability distribution associated with the top or any intermediate event. The Fault Tree Drawing (FTD) progr am produces a plot of the SETS Boolean expression in f ault tree format which can be used to check the f ault *.ree logic and provide a base for hand calculations.
Pault Tree Models and Analysis Minor modifications in the fault tree models presented in Chapter 3 of the Phase I repor t were required in order to incorporate the data base uti-lized for the Detection, SCRAM, and SHRS CRBRP functions. This data base was drawn primar ily f rom " Reliability Assessment of CRBRP Reactor Shutdown Sys-tem," (Ref. 4) and " Update of the Preliminary Reliability Prediction for CRBRP SHRS" (Ref. 5).
These two sources were also used to compile the CRBR Safety Study and consequently the independent failure probabilities calcu-lated for the Detection, SCRAM, and SHRS functions compare favorably with those found in "CRBRP Safety Study - An Assessment of Accident Risk From CRBRP" (Ref. 6).
The models for the CRBRP Detection, SCRAM, and SHRS func-tions are presented in the following sections along with the quantification of their respective independent failur e probabilities.
CRBR Detection Fault Tree Unlike previous studies, the Accident Delineation Study separ ated the Plaat Protection System (PPS) into two separate functions - Detection and SCRAM.
Detection is defined as the ability to sense anomalies, perform the required signal processing to produce the correct signal for the appro-pr iate coincidence logic modules of the Reactor Shutdown System, and generate a cor r ect signal f or SCRAM and Pump Tr ip.
The Detection f ault tree as shown in Fig. 2 is broken down into the Primary Detection System and the Secondary Detection System each of which consists of six basic events:
1 - Sensor Failure 2 - Electronics Failure 3 - Comparator Failure 4 - Calculational Unit Failure 5 - Log ic Failur e 6 - Wiring Failure Sensor f ailures are inabilities to detect anomalies: Comparator, Calculational Unit, Logic, and Wiring f ailures are signal processing f ailures; and Electron-ics fai;ures are signal generation errors. The Detection model also includes an Operator Error basic event which is intended to account for situations where the r eactor operator can independently generate a SCRAM eignal.
Not shown in the Detection fault tree are the r edundancies and diver si-ties which result from the 24 Primary Shutdown System Protective Subsystems and the 16 Secondary Shutdown System Protective Subsystems. These Subsystems are used to detect anomalous conditions within all areas of the plant and are descr ibed in detail in Appendix A of the Phase I Report (Ref. 1).
Since only a few of these systems will be used to detect any single initiating fault, four protective functions (High Flux, Flux / Pressure, Speed Mismatch, 3
li lIll i!
l n
l{
l}
1 8
E
/
R 3
U 1
L
/
t 2 I
R c0 y
F c
N O
I T
C u2 E
nw T
E cG wF D
I I
G4 I
M f
m l
i a
1 T
C F
I 4
e M
I3 TS TL H!M I Z 9 YC F0 '5 YS M
C d
'9 P
3 G
d G
a 4
s L
L T
l P
C.
3 t
4 3
t
!iR a
l TNTe IT4 T
aC Si Y
9 a
eP E3f r
IO n 3' ?
!O'9S tC-II
- fI 1
D n *T P F
O!
Y P
e
!fP C1 r
Ch T
R tC-R
$T ST O
E G
N e
L 0
w L
T 9 '9 'E I
M t9fM S
SY!I S
S
!L M
ILL T
1 M0N3 e
T 4
3 t9 4
0 TC 9MIT P
7 9
C C
?
t 99 R
J J'
JTT 3
T T
i u
i E I
T l
h u
t n
I 6 e
C e
Y r
T Y
F F
F I
O T
T 8
3 6
I 3
C
!3 M
M
!u. s T
s
!s i
MM
.a. !
mM Em YD Y
F $
FS OY Y
INS S
5 3
C M
SC N
S 8".
YC FIN C
OC I
E D
TJ YF iC T
t 8P
!L S
MYL RT OC
$T
]t V
R0 L' L
'KY X9
'4 T
TM T
YO FT0 OL9 Y
I FT O
T CM
!O E
- T S
f Steam-Feedwater Mismatch) were arbitrarily selected for the quantification of the Primary Detection System and three protective functions (Flux / Total Flow, Flow Mismatch, Steam Drum Level) were selected for the quantification of the Secondary Detection System. This assumption accounts for diversity bat not redundancy within the system and is somewhat conservative.
When the fault tree in Fig. 2 is analyzed qualitatively using SETS t'1ere are 36 minimal cut sets leading to Detection f ailure. Of the thir teen basic events, the Operator Error event is the most important since it occurs in all 36 of the min.ral cut sets.
The remaining twelve events each occur in six separate minimal cut sets and are of qualitatively equal importance.
The failure probabilities for at of the basic events except for the Operator event were determined from hourly failure rates and with the follow-fr-assumptions.
1 - 12 challenges / year duty cycle.
2 - All basic events independent.
3 - 97 percent of the Primary and Secondary systems are renewed monthly 4 - Failures remain dormant until renewal.
5 - one-time response required at challenge.
6 - All failure rates known within a factor of S.
The twelve challenges per year assumption is used to calculate the component failure-per-challenge rate from the expected number of failures per year and is based on values reported in Ref. 4.
The resulting component failure prob-ability can be used to calculate the iniependent failure probability for the Detection function only if all basic events and their failure rates are inde-pendent of each other. Whyn all systems are renewed periodically and failures remain dormant until renewal, the component failure probability will increase with time at a constant rat-d Mf19 that period, after which it can be reset l
to its original value.
T' 5
asuuption effectively allows inspection and repair to be incorpor
'*a the fault tree model without requiring the use
+
of component repair uponent dead-times can also be ignored if a one-5 s
time response is req,. red isa11enge.
.5 Since componen t failur e da ta w *1 desired, the failure rates for the
' Primary Detection System basic events were each compiled by multiplying the combined failure probability for the Flux / Pressure, Speed Mismatch and Steam-Feedwater Mismatch subsystems with the componen* failure data for the High Flux function to arrive at the final failure p J ability values while the a
failure rates for the Secondary Detection System b..,ic events were compiled by multiplying the combined failure probability for the Flow Mismatch and Steam Drum Level subsys 'ms by the component failure data for the Flux to Flow function. The resultant f ailure per demand rates are listed in Table 1.
The Operator Error (D2) basic event relies heavily on individual accident scenarios and is initially assigned a value of 1.0, i.e.,
the operator has I
no effect on the detection function.
When the Detection Fault tree is analyzed using the SEP program the fail-ure probability of the Detection System is estimated to lie between 2.0x10-10 4
5 l
i
TABLE 1.
BASIC EVENTS FOR THE DETECTION FAULT TREE 6
PRIMARY DETECTION SYSTEM FAILURE /10 HOUR ERROR FACTOR ENP*/ CHALLENGE
? lux / Pressure 38.0 Speed Mismatch 13.5
~
Steam-Flow Mismatch 22.5 High Flux - Sensor (DIA) 2.4 5
1.35 x 10-6 Electronics (D1B) 16.0 5
9.03 x 10-6 Trip Comparator (DIC) 1.9 5
1.07 x 10-6 Logic (DlD2) 1.0 5
5.80 x 10-7 Calc Unit (DlD1) 1.9 5
1.07 x 10-6 Wires (DL 1) 3.6 5
1.99 x 10-6 SECONDARY DETECTION SYSTEM Flow Mismatch 15.0 Steam Drum Level 11.5 Flux / Total Flow - Sensor (D3A) 3.4 5
3.30 x 1p-6 Electronics (D3B) 20.0 5
1.93 x 10-5 Trip Comparator (D3C) 1.7 5
1.70 x 10-6 Logic (D3D2) 1.5 5
1.40 x 10-6 Calc Unit (D3D1) 1.9 5
1.60 x 10-6 wiring (D3D3) 3.6 5
3.50 x 10-6 OPERATOR SYSTEM Operator Error (D2) 1.00
- Expected Number of Failures and 3.5x10-9 with a median value of 8.05x10-10 per challenge. Further
. analysis shows that the Primary Electronics (DiB) basic event and the Secondary Electronics (D38) basic event dominate the f ailure probability value with the single minimal cut set which involves the coincident fail-ute of bath Electronics basic events contributing almost 40% toward the total value. The top five minimal cut sets are listed below in Boolean form along with the point values for their respective failure probability.
TERM ENF/ CHALLENGE DETECTION FAILURE
=
D2*DIB*D3B 1.74 x 10-10 (See Table 1
+
D2*D38*D1D3 3.48 x 10-11 for basic event
+
D2*D1B*D3D3 3.16 x 10-11 descriptions)
+
D2*D1B*D3A 2.98 x 10-11
+
D2*D3B*DIA 2.61 x 10-11 These five minimal cut sets constitute approximately 60% of the total estimated point value failure probability for the CRBRP Detection function.
6
7-It should be noted that the point value f ailure probability does not include any uncer tainty factor s and therefore is generally somewhat lower than the median failure orobability.
CPBR SCRAM Fault Tree The CR9RP SCRAM function is defined here as the sequence of receiving a cor rect signal f or SCRAM, per forming the appropr iate electromechanical actions, and inser ting enough control rods to drive the reactor subcritical.
The fault tree model used to descr ibe the CRBRP SCRA'1 function (Figs. 3 & 4) is broken into Primary and Secondary Control Subsystems both of which may fail due to either an electrical f ault (failure to receive and transmit the cor r ect SCPA1 signal) or a mechanical fault (f ailure to inser t control rods).
Since the Primary Control Subsystem and the Secondary Conttol Subsystem are both designed so that SCRAM may be achieved with one control assembly stuck in the full-out position a SCRAM f ailure is fur ther defined as the inability to insert two control assemblies in both subsystems. Thus either an electr i-cal or a mechanical fault must occur in two Primary control assemblies and two Secondary control assemblies before the SCRAM function becomes disabled.
In order to account for the fact that there are more than 500 possible com-binations by which failures of this nature may occur, the failure / challenge values assigned to the Pr imary basic events fo; the SCRAM fault tree have each been increased by a factor of 5 and the Secondary events by a factor of 2.5.
These values are shown in Table 2 and are based on values repor ted in Ref. 4 as well as the following assumptions:
1 - 12 challenges / year duty cycle.
2 - All systems renewed after 1 year.
3 - All basic events independent.
4 - Failures remain dormant until challenged.
5 - Unlatching (i.e., spurious SCRAM) modes included in total failure rate.
6 - One-time response required at challenge.
~ - All failure rates known within a factor of 5.
A qualitative assessment of the SCRAM f ault tr ee using SETS shows that there are a total of 2,304 minimal cut sets in the equation for the top event.
All of these sets are fourth order (i.e., a combination of four separate basic events must occur in order to fail the top event) with each Primary Contr ol Subsystem basic event occur r ing in 384 of the 2,304 minimal cut sets and each Secondary Control Subsystem basic event occutring in 288 minimal cut sets.
7
1 8
/
OE M
1 NR EE 2
/
CH US 1
_0 E
LY S I
SN W R
EO FY HH R
,. G ES u
I EI i
F t
i R
3 1 I TSO io iQ MF E
a EI I "n c.
rs r
O O
i NRR Pcn I g I
Ec i
So a
o s
I I
iQ
'3 I
Sr n
rl Ei o.
M v
I g
I E"r==
i rs Ero m
- m N
i u
EC I
s SI G
I MT R
o do 1
s r
a
- m i
r I
=,
i c.
I r
I c
lO I Et sQ E
2 i
M i
1
'un I
s i
1 r
c r
S
=
i i
l "m
i
- o s
cn E
n ei r
o oN ne d"u5 E
e c
1 s
33 I "%nO R
'cW ir
'Et o
r o
=,
i gn l
=
i g
IO s
1 f
a
'Mtrs r
m
=
l l
f TABLE 2.
BASIC EVENTS OF THE CRBR SCRAM FAULT TREE PRIMARY CONTROL SYSTEM FAILURE /
BASIC EVENT
- FAILURE MODE ERROR FACTOR CHALLENGE SPIE,NEl Logic & SCRAM Breaker 5
3.6 x 10-4 PCRDM,SFlM1 Distortion & Structural Failure Chipping or Galling Spring Assist Failure Ejection Pawl Failure C-11ows Failure / Deposits 5
5.05 x 10-3 PDL SPlM2 Se?:=ent Arm Spr ing Failure Lead Screw Failure Distortion 5
4.06 x 10-3 PCA-DTORT,SFlM3A2 PCA Distortion 5
7.00 x 10-4 PCA-CORE,SFlM3Al Core Distortion 5
1.07 x 10-3 PCA-AB,SPIM3A3 Loss of Absorber 5
2.50 x 10-6 SECONDAPY CONTROL SYSTEM SP2E,MEl Solinoid Logic Failure 5
5.00 x 10-4 SCRDM,SP291 SCRAM Valve Failure Tension Rod Failure Drive Shaft Failure 5
1.12 x 10-2 SDL,SP2M2 Piston Fails Collet Failure Shaf t Distor tion / Failure 5
3.73 x 10-3 SCA-AB,SF2M3A4 Loss of Absorber 5
4.13 x 10-4 SCA-HYDRO,SF2M3A5 Hydtdulic Malfunction 5
6.25 x 10-5 SCA-DISTORT, SF2M3Al SCA Distortion 5
1.00 x 10-4 SCA-CORE,SP2M3A3 Core Distortion 5
1.50 x 10-4 SCA-GTUBE,SP2M3A2 Guide Tube 5
2.50 x 10-5
- There are two names for each event.
One represents f ailur e in the first rod of the system and the other represents an identical failure in the second rod of the same system.
When the basic events are quantified and ana-; zed using SEP the proba-bility of failure for the SCRAM function is estimated to lie between 9.0x10-9 and 6.9x10-7 with a median value of 7.13x10-8 This assumes that the failure / challenge values for all of the primary events are known within a fac*or of five.
The first ten most probable minimal cut sets comprise 50%
of the total estimated failure probability and are listed below in Boolean form along with point values for their individual failure probabilities, ln
f i
Smft1 FAILS W DDWD0 l
l I-lI I
1 PR!rWRY CNTCOL RCD SECDORY (XNTROL STSTD1 FAILWE R00 SYSTD1 FA! LURE ITWO RG3St iTWO RCDSt SCE NOTE 1 SCC NOTE !
1 i
SECOURY ELECTRICfL SECCNorRY f1EDfN! CAL SUBSYSTD1 FAILS SWSYSTD1 FAILS Y
I Srat I SECm 0RRY COMTROL SCR ORIVELINC FAILS SEC R00 m!VE tEDfNISP1 ft FA!LS l'/bill l Sr.It12 l C
0 I
I SCA 015iORTED SUCH SCA GUI E TW C (M
THAT IN' N !DN IS DISTmTED PRE (UXID I Srpr3At !
I SrN13A2 ]
[
O O
l
)
~
9 NOTE 1 R SIMILAR TREE FOR THE.SECOND ROD FRILURE IS NOT SHOWN HERE
't 3
r l
L em cara pYrn!ts EdErJ i
i i
toss 4 7 m p g g it orstarra eam sen *r viru-rsten i srarm i i sranns i SCRRM FRILURE
- O O
O SECONDARY SYSTEM
_r._
FIG. 4 02/13/81 i
9
=..
(
,ll
' "~
' 7 SCRAM-FAIL =
TERM-PROB. VALUE PCRDM*SFlMl*SCRDM*SF2M1 3.09 x 10-9
+
PCRDM*SF1M2*SCRDM*SF2M1 2.48 x 10-9
+
PDL*SF1M1*SCRDM*SP2M1 2.48.x 10-9
+
SFIM2*SPOM1*PDL*SCRDM 1.99 x 10-9 (See Table 2
+
SFlM1*SP2M2*PCRDM*SCRDM 1.07 x 10-9 for event
+
SFlM1*SF2Ml*PCRDM*5DL 1.07 x 10-9 descriptions) +
SF1M2*SP2M2*PCRDM*SCRDM 8.57 x 10-10
+
SFlM2*SP2M1*PCRDM*SDL 8.57 x 10-10 8.57 x 10-10
+
SFlM1*SP2M2*PDL*SCRDM 8.57 x 10-10
+
SklM1*SF2M1*PDL*SDL CRBR SHRS Fault Tree The CRBR Shutdown Heat Removal System (SHRS) is tie ESS function which to respcnsible for the adequate removal of decay heat af ter reactor shutdown (i.e., after SCRAM and Pump Trip).
In order to accomplish this the SHRS is divided into three subsystems, any one of which is designed to be sufficient for adequate decay heat removal. These three subsystems are.the Normal Heat I
Sink' the Direct Heat Removal System (DHRS), and the Steam Generator Auxiliary Heat Removal System (SGAHRS).. The Normal Heat Sink por tion of the SHRS fault t
tree is shown in Fig 5.
Any one of the three Normal Heat Sink Loops is adequate for decay heat removal. Failure modes for this leg of the SHRS include feedwater subsystem faults, condenser faults, and steam drum faults as well as any fault within the three loops of the Primary or Intermediate Heat Tr ansfer Systems. The Direct Heat Removal System is shown in Fig. 6.
This single loop system is designed to be able to remove decay heat in the event that the Normal Heat Sink is unavailable due to a fallute in either the Primary or Intermediate Heat Transfer System.
Failure modes for the DHRS ine.lude operator error, insuf ficient sodium levels within the reactor vessel, riant service water faults, loss of pony motor flow, and overflow heat exchanger faults. The three loop Steam Generator Auxiliary Heat Removal System (SGAHRS) is designeo to remove decay heat under accident conditions which preclude the use of the normal feedwater and condenser subsystems.
The fault tree model for the SGAHRS por tion of the SHRS function is shown in Fig. 7.
Internal faults within the Protected Air Cooled Condensers (PACC),
Auxilary Feedwater System (AFWS) faults, and steam vent valve faults as well as any failure in the Primary or Intermediate Heat Transfer Systems will cause the SGAHRS to fail.
Overall 90 basic events were used in the SHRS fault tree.
The SHRS func-tion is both diverse and redundant in that each subsystem represents a dis-tinctly dif ferent path for heat removal yet no one subsystem is completely independent f rom the other two.
Consequently there are several basic and intermediate events within the SHRS fault trae which occur in more than one place.
11
SHRS F9!LS si SHIR-FIG. 8 SH321-FIC. 9
<A I
I K
STEffi GENERflTOR DIRECT HE9T RE.T VAL PLJX!LIARY HEAT SERT!CE F91LS REMOVAL F9!LS M
A A
s M8!N CONDENTR LN9/8!LFVILE I PlO l
^
I I
FEEDW9TER Vf1LVE MA!N CWTNSED 5t W SED /!CE # m ra!LtpC Rup7tytS rop coot!gg (Nav8!L9Bt.I I SH1f6 I IWra I I m3ri I
(
O A
~1 I
l
,tTER PLf1P FEEDWRTER ISOLATION FEEDW9TER CDPCROL TITLE
!LtRE VALVE F91LLRE (ALVE FRILLRC SHRS TREE NORMAL HERT SINK nm i rgso, i iFc,,,
Q Q
m!*; mte mTE FIG. S 01/20/81
d NOR m L HERT SIN UWWfl!LfBLE SHI NORMPL TERT TRR!N TO MIN FEEDWRTER
%L ftstEE SC/GtLMS UNFWR!LFBLE U-R
'R SH10 FEEDwiTER PIPING FEEDWRTER CXNTROL FEEDWRTER DEFERRTOR LOSS Or rLOW FR06 RLPTURE FWD INSTRUPENTION FFiULTS MRIN FFILA.TS FEEDWRTER/CONDENSRTE PLMPS N1 l ShiB2 l l SH583 I I SH$B4 i O
O Q
f LOSS Or arr SITE FEEDW PCMER FR ILOSTONSITI
(
4 I
12
Il
'!l i
1 1
8/
. c.
iO 6
9
?
wr E
1 9.
?
R
/
m S7. G
.a CU 2
.=
i CL m0 1
~
GI RI
,lF TR GgF -
em F
o II - P
- m g h SH S
O F c. C R l
RS H
230 1
6 NHH9
,O m,
D SSSN
.G E
m r
wFI i
i
, u. =
eO tO, "w
w r
s
=
y 2
r r
c
]
2 ig E L.
O g.
i s
n n
wrO aO rm e
r g
2 h,
"m g
3 l.===
t
=
I n
r n
I== rO bw O
c a
r Tm "e<
w w
a r
r tm ma N
L*
,~-
=, D w
4 8
3 1
bn a
rO a
n f
ue r
L'.
=
=
J
=
=
~ ~
~
m i
?-
y' e.
"'r. n-
%.g
'm D,
r
'i J
imO c.
o c
Il eQ d*
r A
=
2,~.
E J'
'e C= eO a eg il i
- ", = =
h r
Z
~
x=
u 2~
5 r
Ye bu c
w~
"L -U rcT-lL e
"L I
r l
i 5
r -- -
= - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
i
,y SH1-FIG. S SH3-FIG. 6 SHIR-FIG. 8 SH2Rl-FIG. 11 SGSLOOP-FIG. 10 mu nu I
or tem w,r "wwnIE".c i
g rn m p roc l
esan i
i i
j gg*,m4%
I "turc 7 x m m i, e ret axes rum nwari b
I m ue raume I
l 15LIIE"4LFT I 15LI N 2I 15LI N 3i O
O O
l reru,c 7 x r,cc f
b ra m I
nst NILUNC PMI Mf W B0m F9tL P9ec UMDt3 MDml4 P'TC (PWDt3 40914 U.
O rm rug s 1 rm O
i I
I I
oO'"JsTic m"uE7 som r,ce
"^
=
r*s SHRS TREE rm SGRHRS FRILURE
! r9Wrm O
O FIG. 7 02/IS/81 l
m eo,<-
n' eaugt c stier STEM EDE8mTGt LpfemtugLE MY I
oewerveLE m
I I
$G PLL P IIdY $O 7
its =
, = -
=
STtm (90LRT130 Si V%VC N!LL51C 1 IL>ffdfM.f I I IL f'Iv&V2 I IILTNfiv3I P
O O
O b
oewm h.
~
m pyggro gs, g g srg aggm
-e raim m
H LIKPS MIL T
O 14
l^
q Y="r E"Sk' SH1-FIG. S
/\\
SH28-FIG. 7 3H2R-FIG. 7 0$
- J Q
NROROP-FIG. 9 Ii SGSLOOP-FIG. 10 f eritETICIENT LEvt1 LOSS 7 N8 7 SEC!LPI fu VESE TO %. TWlEE seaviS Cra$$!vt V8Put stC!tst LEVEL DitFS LDSS 7 PERT SPMEZ !4 LMER t'IrW/tR PtRTIOe F WCS$CL TO OC SG/D ut rMen O
T I
1 ursS 7 mi.1 ux, sG Src out r=S forcimiare ux, 14 GC UxP GJT rar i
mlWT fK1DURY MINFY DECX v%vt INx fttpftst rue tit 1Do 'PEDf 9ft Iwit WM CLD5171C GLfr0 WES9EL rm!LS T RtFTutt t w bia rwATi creqhv1 0
P't11781ED PR19FY
.P'P!WT C6 vitt IME mpflAIC INX GLrgr0 WESSEL FL38 IIEWA SLFTtS 90 STICKS stipitetS i F'IEMR'A I i v%vESTIK 1 I IMr1PTM i i !$ ngM ]
i O
O O
I mi.1 cm ave m! r c,ECK ave 1!m SL/TtS Sf!CES SHRS TREE 4
HERT TRANSFER LOOPS icaam i O
ut)wu
" ~ ~ ~
~
FIG. 8 02/13/F:
l 15
l
\\lj\\!i
!I O
1 2
8 H
/
68 1
566 g
T 2
rE N
/
I O
.GG I
U
=
ER 1~0 E
EL GGGI I
3 FF 1
RP I I I T
FFF - -
R SCM O
T 3l M
SN TI C8CCA uDe 1
RR 9
5 I 333I uT$! C't 1I H
T HHHHH rE
~9 u
SP SSSSS I
L E' v' M4OT ff1 r5 r
O e M1SS 4T?
I R
~F G
D 14!s c
U se/
L sa, i
6 I
P fTx N
u7Mi c!O d
f r
es e
C T
=OeS E cY 3
rN cTsS
[
M sie de Tt s.Tz I
i tIL sE e 'L
, e28!
I mm i
t xtw I
m rv a
o H
' O 1 ms5 c.0 0L c$
Y M
E
,u5 w
c
.u' 2
,. re i
IL o
mt I
v T
L i
O T a3 t
F t
J mD iP vO OT e
3 ez
' PDE O
c
!O
. _e TM I
s it e P
]
L ET W
0 CS 5
3EM E
r e
9T r
_me=
a rS P
o m
Tis 7DY FE 7
inu s
5 o
i v
5 E"
]
s L
eei som S
OO 6
m s
c s
L a
r T.
.a e.
vco gwE t
i e
m
?T m
StS n
f tut I
i l
s m
uP$
IO b_m eO s
T T
r s
Lft h
J0 y
sOe f!OT t
r T RTET P
t M 3
r t e 7P I
E 2
s 1
e T
4Mv!
s I
i
%f4C I
s L
w 1Tt i C.
!dSD a
I v E c *W sL I
m UE m
I 5
1 J
, T.W I
a I
P m
O r
e z
t n
.t 9T D
.F t5
!O
_m i
s M
I i
T a
O T
5 t
T I J03 7P I
5 L
5 i
3L F
i
- t SH2R-FIG. 7 SH28-FIG. 7 3
)
I I
1 I
r FBILUPCS C00DGt!C STORAEC TMS WFLYC m!uRCS P9tCTCCTCD WTTDt TfNK m!LS STORE Tfta m!LS I CO l
N I
f 1
LOSS T BOTH O!CSCL TW CDfTR3. vftvt YW ISOftTION VFLYC FUX!L! PY FM PLFPS m!LtRC m!LLRC l
I NS_J I TALV I M
I O
O I
r0 STCftt PLFP LOSS T OC OICSCL TERNFL N! LURE Dt!VCd FUI!LIFRY rtCamRPuc I INTC% 1 i O CDPO P I O
i i
LOSS 7 PDCR TO DIESCL UttvrN INTERWL m!LLPC 7 O!CSCL T W PtFF FUXILIFFY rW PJP OICSCL ffW PtFF STfRT $!GWL LOST I POCRt. CSS I IN055fGwLI IINTC*WLS I n
O O
II I
I SS or Tr S!TC LOSS 7 O!CSCL POCR gg y POCR SHRS TREE itusT7rsir i i tusr6Czt i RFWS g
a-wis -
act FIG. 11 01/21/81
I i
I MECHANICft., FRILURE FRILtRC 7 STEfM 7 STERN RUPTURE LOOP ERT TRfNSFER 0!SK CQ1PONENf5 I R0!9:0VT I ISTERMOUTl 0
Q I
I S00!LJi NRTER REACT!UN IN ONC LOOP I S00I(tN201 f
I StFERHC9TER T100 TUDE rRILLRC IN BOTH SLFERHf FR!LLRC EVRPORATORS ASSCtt L
iSHERTRTURE I
[ELVFPRTUBE l O
O 1
\\
SH2R TWS te!N P! PING W WS PU rm! List U
L LOSS Or STE91 DRIYEN T W PUMP l STMb)F l t
i i
LOSS or C3dTROL NO STCfE SFPLY TO A
POO TO TW STUN PLMP IN PU1P l%I I N045Tf>h I i
LOSS Or 0FT SITC Fft.lLTS IN 1E BRTTERY CHRRiiER FRILS TO WW STEfM PU1P POO S M NO. J DIESCL CDdTP L VFt.YC FR! LURE ILOSTdTSIT I INOBATTCRY I I N00SGER l
{_SCOfv8Lv0 l 1SL!k W ]
O O
O O
O 18
SG/ STEM DRUN FRILS IN ONE L e SH2R4-FIG. 7 A
SH284-FIG. 7
' S** '
NOLOOP-FIG. 8 ne 91281 91284 i
i STEM VALVE FRILURC STEM DRUM RUPTLRES I VALVh0 LIT ]
I'LRtt10l1T l Q
O 1
I I
SH/CVAPORATOR 9CLL STEM ISCLRTION STEM RELIEF VALVE STEM DRRIN VALVE ASSEmLY RLFTURE VALVE F81LLRC FRILS OPENS 19 RTTI ER ALV l I REL ALV l 10RA V]
- i i
ER 9CLL BOTH EvrfumT(RS TI M Y RUPTURE RUPTtRC 9CLL nsSt a i SHRS TREE nis,Cu. i i ecVndyCu. i SGSLOOP Q
Q m ins NuneER onTE FIG.
10 01/21/81 17 J
When the SHRS fault tree is reduced using SETS, the equation for SHRS failure is made up of some 7020 cut sets.
These minimal cut sets range in order f rom two to eight with the following distributions ORDER NUMBER OF TERMS 2
3 3
417 4
1789 5
2615 6
1722 7
470 8
4 The three second order cut sets dominate the qualitative analysis. These minimal eut sets are:
SHRS-FAIL =
PBRPTURE*PUMPHEAD
+ VRPTURE*PUMPHEAD
+ GRUPTURE*VRUPTURE The PBRPTURE*PUMPHEAD failure mode corresponds to a severe rupture of the pr i-mary boundary along with sufficient pumphead to expel sodium coolant so that the DHRS inlet is left uncovered. The VRUPTURE*PUMPHEAD failure mode cor-responds to a reactor vessel rupture along with excessive pumphead and the GRUPTURE*VRUPTURE mode is a coincident failure of both the reactor vessel and its guard vessel. All three of these modes defeat the SHRS function by dras-tically reducing the amount of sodium in the reactor vessel and this reduc-tion is seen at least qualitatively as the weak link in the SHRS.
Data from the Probabalistic Data Sheets in Ref. 4 were used to determine the failure probabilities for the 90 basic events in the SHRS tree.
These as-signed values along with their respective error factor s are shown in Table 3.
The normal heat train components are all under a constant demand while the plant is in operation, therefore hourly failure rates are assigned. Compon-ents of the DHRS and SGAHRS subsystems generally lie dormant until called up-on and failure rates for these basic events are assigned on a per challenge basis. Further assumptions used to compute the f ailure per challenge rate for the SHRS are as follows:
1 - 12 challenges per year duty cycle.
2 - All events independent * (Exceptions are PUMPHEAD, CVALVESLAM, FREVERSAL, and VSTICKSHUT which are conditional evcuts).
3 - Failures within SGAHRS and DHRS remain dormant until challenged.
4 - All systems renewed after challenge.
5 - Continuous response required for two hours at challenge.
6 - All failure rates known within a factor of ten or less.
19
TABLE 3.
SHRS BASIC EVENTS ERROR EVENT NAME FAULT (S)
FAILURE RATE FACTOR 5 x 10-6/ challenge 5
ABFAMS 2 Airblast Fans 5 x 10-6/ challenge 5
ABLOUV 2 Airblast Louver s ABSHELL 2 Airblast Shell Sides 5 x 10-6/ challenge 5
7 x 10~3/ challenge 2
A9 TUBE Airblast Tube side APTU9E2 Airblast Tube Side 7 x 10-3/ challenge 2
AFWCVLV Aux Feedwater Control Valve 2.1 x 10-3/ challenge 2
AFWIVLV Aux Feedwater Isolation valve 2.1 x 10-3/ challenge 2
APWPIP Aux Feedwater Piping 3.9 x 10-4/ challenge 5
BEVAPRTUBE 2 Evaporator Tube 91 des 4.22 x 10~6/ hour 5
BEVAPSHELL 2 Evaporator Shell Sides
- 3. x 10-6/ hour 5
CDTANK Condensate Storage Tank 1 x 10-8/hout 10 CONTROL PACC Instrumentation 7 x 10-5/ challenge 5
CVALVESLAM Check valve Slam 1 x 10-2/ challenge 2
7 x 10-5/ challenge 5
DAMPERS PACC Dampers DHRSP DHRS Piping 1 x 10-4/ challenge 5
1.5 x 10-4/ challenge 5
DHRSV DFRS Valves DRAINVALV SGS Drain Valve 6.3 x 10-7/ challenge 10 1.0 x 10-4/ challenge 5
EL-MECH PACC Fans FREVERSAL Primary Flow Raversal
- 1. x 10-3/chajlenge 2
- 1. x 10-6/ hour 5
FWAER Feedwater Aereator FWCONV Feedwater Control Valves 2.1 x 10'S/ hour 5
FWICON Feedwater Isolation & Control 5.5 x 10-5/ hour 5
FWISOV Feedwater Isolation Values 2.1 x 10-5/hout 5
FWPIP Feedwater Piping
- 5. x 10~7/ hour 10 FWPUMP Feedwater Pumps 2.1 x 10-5/ hour 5
GPUPTURF Guard Vessel Rupture
- 1. x 10-S/ hour 10 IBRPTURE Intermediate Boundary Rupture 1.3 x 10-6/ hour 5
19TLOOP2 Intermediate hoop 2 1.3 x 10-6/ hour 5
IETLOOP3 Intermediate: Loop 3 1.3 x 10-6/hout 5
IHXGUPUPT IHX Guard Vessel Rupture
- 1. x 10-8/ hour 10 6.3 x 10~7/hout 10 IHXRPTURE IHX Repture 2.1 x 10-5/ hour 5
ILATFVALV Isolation Valve ILATEVALV2 Isolation valve 2.1 x 10-5/ hour 5
ILATEV ALV 3 Isolation Valve 2.1 x 10-S/ hour 5
2.1 x 10-5/hout 5
INFAULTC Chilled Water System INFAULT Normal Plant Water System 2.1 x 10-5/ hour 5
1.4 x 10-5/hout 5
f INTERMALS Diesel AFW Pump 1.4 x 10-5/hout 5
l INTERNALS 2 Diesel AFW Pump 3.35 x 10-5/ hour 5
I*'T E RN A L AFW Steam Pump l
LOSTDIESEL Primary Diesel
- 1. x 10-2/ challenge 2
10-2/ challenge 2
LOSTDIESEL2 Backup Diesel
- 1. x i
l I
20 a
{
TABLE 3.
SHRS BASIC EVENTS (Continued)
ERROR EVENT NAME FAULT (S)
FAILURE RATE FACTOR LOSTOPPSIT Offsite Power 1.3 x 10-5/ hour 5
- 7. x 10-5/ challenge 5
MCOND Main Condenser 1.0 x 10-5/ hour 5
- 7. x 10-4/ challenge 5
NAKPUMP DHRS NAK Pump NAKPUMP2 DHRS NAK Pump
- 7. x 10-4/ challenge 5
- 1. x 10-2/ challenge 2
NOBATTERY DC Pattery NOCHARGER DC Battery Charger
- 1. x 10-2/ challenge 2
NORGCS DHRS Recirc Gas Cooling
- 1. x 10-3/ challenge 2
NORGCE2 DHRS Recire Gas Cooling
- 1. x 10-3/ challenge 2
10-2/ challenge 2
NOSSIGNAL Diesel Star t Signal
- 1. x NOSIGNAL2 Diesel Star t Signal
- 1. x 10-2/ challenge 2
OFMXSL Overflow Heat Exchanger : hell
- 7. x 10-5/ challenge 5
10-4/ challenge 5
OFHXTB Overflow Heat Exchanger rube
- 7. x OFVESS Na Overflow Vessel
- 1. x 10-6/ hour 5
ONEINTFUC Emergency Chilled Water
- 1. x 10-3/ challenge 2
ONEINTFU Emergency Chilled Water
- 1. x 10-3/ challenge 2
ONEMOREF Emergency Chilled Water
- 1. x 10-3/ challenge 2
ONEMOREFC Emergency Chilled Water
- 1. x 10-3/ challenge 2
ONEPAC2 Protected Air Condenser 3.8 x 10-4/ challenge 5
ONEPAC3 Pr otected Air Condenser 3.8 x 10-4/ challenge 5
OPERR DHRS Operator Error
- 1. x 10-3/ challenge 2
PACTUBE PACC Tubes
- 7. x 10-5/ challenge 5
PBRPTURE Primary Boundary Rupture
- 1. x 10-8/ hour 10 PONY 1 Pony Motor Flow 1.7 x 10-2/ challenge 2
PONY 2 Pony Motor Flow 1.7 x 10-2/ challenge 2
PONY 3 Pony Motor Flow 1.7 x 10-2/ challenge 2
PRILOOP2 Primary Loop 1.1 x 10-3/challence 2
PRILOOP3 Primary Loop 1.1 x 10-3/ challenge 2
PUMPHEAD Excessive Sodium Pumphead
- 1. x 10-3/ challenge 2
PWTANK Protected Water Tank Rupture
- 1. x 10-8/hout 10 RDISKOUT Rupture Disks
- 8. x 10-6/ hour 5
RELTFVALV Steam Relief Valve
- 1. x 10-6/ hour 5
SCONVALVE Steam Control Valve 1.17 x 10-6/hout 5
10-7/ hour 10 SDRUMOUT Steam Drum
- 4. x SGSLOOP2 Steam Generator Loop 2.4 x 10-5/hout 5
SGSLOOP3 Steam Generator Loop 2.4 x 10-5/ hour 5
SHEATRTUBE Super Heater Tubes 4.22 x 10-6/ hour 5
SHEATSHELL Super Heater Shell
- 3. x 10-6/ hour 5
SLINERPPP Steam Line Rupture
- 2. x 10-6/ hour 5
SLINERUPT Steam Line Rupture
- 2. x 10-6/ hour 5
21
TABLE 3.
SHRS BASIC EVENTS (Continued)
ERROR EVENT NAME FAULT (S)
FAILURE RATE FACTOR
- 2. x 10-6/ hour 5
SLINEPUPT2 Steam Line Rupture
- 2. x 10-6/ hour 5-SLINERUPT3' Steam Line Rupture
- 7. x 10-4/ challenge 5
SODPUMP Sodium Pump 4
SODPUMP2 Sodium Pump
- 7. x 10-4/ challenge 5-6.3 x 10-7/ hour 10 SVVALV Steam Vent Valve 6.3 x 10-7/ hour 10 SVVALV2 Steam Vent Valve 6.3 x 10-7/ hour 10 SVVALv3 Steam Vent Valve VRUPTURE Reactor-Vessel Rupture
- 1. x 10-7/ hour 10 VSTICKSMUT Check Valve Sticks
- 1. x 10 2/ challenge 2
Since two hour s of continuous response are arbitr ar ily assumed to be required per challenge the failute probability of the SHRS function can be computed by calculating the unreliability of top event as a function of time and taking the slope at the 720 hour0.00833 days <br />0.2 hours <br />0.00119 weeks <br />2.7396e-4 months <br /> point. This point represents the unreliability per hour of the SHRS function at the time of challenge (1/12 year) and is multiplied by two to obtain the final estimated failure per this value lies between 3.4x10-9 and 8.5x10-8 challenge value. Using SEP, with a median value of 1.7x10-8 This compares to a reported value of 4.85x10-8 per ccalienge found in the CRBR Safety Study.
Ninety-five per cent of the total estimated failure probabt11ty is der ived from the top 100 minimal cut sets.
Of those 100 terms, two are second order, fifteen are four th order, and the balance are third order. Some c' the basic events which occut most f r equently in the top 100 terms ar e given below along with their recur r ence f r equency:
APWIVLV - 31 A FWPI P - 17 AFWCVLV - 31 FWICON - 16 OPERR
- 22 FWCONV - 15 OFVESS - 21 FWISOV - 15 OFHXTB - 19 FWPUMP - 15 When these terms are identified with their respective subsystems, the Auxiliary Feedwater System isolation and control valves ( AFWIVLV, APWCVLV) the dominent f ailur e modes f or the SGAHRS function along with the Auxil-are iary Feedwater piping (AFWPIP). The independent point value for the proba-l bility of SGAHRS failure is 4.65x10-3 per challenge, f
The Dir ect fleat Removal System has an independent potnt f atture pr oba-bility of 2.09x10-3 per challenge which is dominated by an oper ator er r or basic event (OPERR) as well as terms dealing with over flow vessel failuies
[
(OFVESS) and overflow heat exchanger faults (OFHXTB).
i l
22
.=.
The Normal Heat Sink is seen to fail primarily due to feedwater faults (FWICON, FWPUMP, FWISOV, FWCONV) and has an andependent failure rate of 2.85x10~4 per challenge. A combination of the independent failure proba-bilities for the three subsystems gives an estimated point value of 3.8x10~9 for SHRS failure as compared to the reported value of 1.ix10-8, The dif ference between these two values is pr imar ily due to redundant failure modes which appear in all three subsystems. The most obvious of these modes is the loss of of f site power coincident with a f ailure of both auxilary diesel supply units ( LOSSOFFSIT* LOSTDIESEL*LOSTDIESEL2 ). This failure mode has an estimated expectancy of 1.3x10-9 per challenge and heads the last of the top 21 terms responsible for SHRS failure which are descr ibed in Boolean form in Table 4.
Future Work The next phase of the Accident Delineation Study proposes to provide a technical base for prior itizing LMFBR safety research based on the potential risk associated with a broad range of plausible accident scenarios and the uncertainty associated with that risk. The Engineered Safety Systems contr ibution toward this goal will be a detailed description of the relative r ecur rence f requency associated with the accident scenar io types identified
[
in the Phase I report.
For the base case of CRBR, this process has already begun. The ESS event tree has been developed and its major branch points (Detection, SCRAM, and SHRS) have been modelled using fault tree logic. These independent fault trees have been reviewed both qualitatively and quantita-tively using Sandia's SETS /SEP/FTD computer program and the minimal cut sets for each function have been identified. The median independent f ailure
)
probabilities per challenge have been determined to be 8.05x10-10 for Detection, 7.13x10-8 for "CAAM, and 1.7x10-8 for SHRS.
The next step in the relative accio.nt frequency quantification process is to assemble a set of accident initiators. These initiators will be chosen from each of the four teen subsystem categor ies descr ibed in Chapter 3 of the Phase I r epor t.
Then for each initiator the conditional failure probability will be determined at each ESS event tree branch point by (1) identifying and quantifying the common cause/ mode effects within each ESS fault tree, (2) identifying and quantifying common cause/ mode ef fects between the f ault trees, (3) separately quantifying the initiator contribution to each plausible accident scenario, and (4) determining uncer tainty estimates for each scenario.
After all of the accident initiators have been analyzed in the above man-ner, the results can be combined to deter mine the total relative frequency of each accident category. In addition, the main fault tree events and system initiator s which lead to each category can be identified along with their attendant sensitivities and uncertainty bands.
I 23
TABLE 4.
TOP 21 FAILURE MODES FOR SHRS TOP EVENT TERM PROB. VALUE/ HOUR @720 HRS SHRS - FAIL =
LOSTO F FS IT* LOSTD I ES E L
- LOSTDI ES EL2 1.3 x 10-9 3.29 x 10-10
+
AFWIVLV*FWICON*OFVESS 3.29 x 10-10
+
AFWCV LV' FWICON
- 0FV ESS 1.15 x 10~10
+
AFWIVLV*FWICON*OPEDR 1.15 x 10-10
+
AFWCV LV
- FWICON
- OP E RR 8.1 x 10-11
+
AFWIVLV*FWICON*0FHXTB 8.1 x 10-11
+
AFWCV LV
- FWICON
- 0FHXTB 6.35 x 10-11
+
A FWIVLV
- FWCONV
- 0FVESS 6.35 x 10~11
+
AFWCVLV*FWCONV*0FVESS 6.35 x 10~11
+
AFWIVLV
- FWISOV
- 0 FV ESS 6.35 x 10-11
+
AFWCV LV
- FWISOV
- 0 FVESS 6.35 x 10-11
+
A FWIV LV
- FWPUM P
- 0 FV ESS 6.35 x 10-11
+
APWCV LV
- FWPUMP
- 0FVESS 5.0 x 10-11
+
PBRPTURE*PUMPHEAD 5.0 x 10-11
+
VRUPTURE*PUMPHEAD 4.4 x 10-11
+
FWCONV* AFWIVLV *OPERR
+
FWISOV
- AFWIVLV
- OP ERR 4.4 x 10-11 4.4 x 10~11
(
+
FWPUMP*AFWIVLV'OPERR 4.4 x 10~11
+
FWCONV
- Af WCVLV* 0PERR 4.4 x 10-11
+
FWISOV*AFWCVLV*05.7R
+
FWPUMP*AFWCVLV*OPERR 4.4 x 10~11 I
4 24
r'
}
ret'ERENCES
. l.
SAND 80-1267, "LMFBR Accident Deilneation Study-Phase. I Final Repor t,"
December 1980.
' 2.
SAND 77-2051, "A SETS User's Manual for the Paul Tree Analyst," Novem-ber 1978.
3.
WASH-1400, APP. II, " Reactor Safety Study,". August 1974.
4.
WARD-D-Oll8, APP. 9.2, " Reliability Assessment of CRBRP Reactor Shut-down System," Rev. 1, 10 November 1975.
5.
CE-NEDM-14081, " Update of the Preliminary Reliability Prediction for CRBRP SHRS," January 1976.
6.
' CRBRP-1, "CRBRP Safety Study - An Assessment of Accident Risk from CRBRP," March 1977.
J l
l 25
Distr ibution s.
U. S. NRC Distr ibution C2ntr actor (CDSI) (380 copies for R7) 7300 Pearl Street Bethesda, MD 20014 U. S. Nuclear Regulatory Commission (13)
Division of Reactor Safety'Research Office of Nuclear Regulatory Research Washington, DC 20555 Attns C. N. Kelber, Assistant Director, Advanced Safety Technology Research R. T. Cur tis, Chief (10)
Analytical Advanced Safety Technology Research M. Silberberg, Chief Experimental Advanced Safety Te..nology Research R. W. Wright Experimental Advanced Safety Technology Research U. S. Depar tment of Energy Office of Nuclear Safety Coordination Washington, DC 20545 Attn R. W. Barber U. 7 Department of Energy (2)
Albuquerque Operations Office P. O. Box 5400 Albuquerque, NM 87185 Attn:
J.
R.
Roeder, Director Operational Safety Division D. L. Krenz, Director i
Energy Pesearch ar.3 Technology Division Fort C. B. Quinn D. R. Denham T. Ginsberg Department of Nuclear Energy Bidg. 820 Brookhaven National Laboratory Upton, NY 11973 U.S. Department of Energy Clinch River Breeder Reactor Project Of fice P. O. Box U Oak Ridge, TN 37830 Advanced Reactor Systems Depar tment (2)
Gener al Electr ic Corpor ation 310 De Guigne Dr ive Sunnyvale, CA 94086 Attn W. W.
Phelan, Manager Licensing and Safety Systems P.
Greebler, Manager Reliability and Safe ty Eng ineer ing Captain Joseph A. Sholtis, Jr., USAF Defense Nuclear Agency Armed Forces Radiobiology Research Institute /SSRS Be t he sd a, MD 20014 4000 A.
Narath 4400 A. W. Snyder 4413 D. J. McCloskey 441' J. W. Hickman 4414 G. B. Var nado 4420 J. V. Walker 4420 D.
Sobtick 26
Distribution (continued):
4421 R.
L. Coats 4422 D. A.
Powers 4423 P. S. Pickard 4424 M. J. Clauser 4424 E.
R. Copus (10) 4424 F.
E. Haskin 4424 P. J. McDaniel 4424 F.
W. Sciacca 4424 D. C. Williams 4425 W. J. Camp 4426 G.
L. Cano 4440 G. R. Otey 8214 M. A.
Pound 3141 L. J. Erickson (5) 3151 W.
L. Garner (3)
Fort DOE / TIC (Unlimited Release) 3154-3 C. H. Da.'in (25)
Fort NRC Distribution to NTIS l
e b
27
-