ML20011D824
| ML20011D824 | |
| Person / Time | |
|---|---|
| Site: | Three Mile Island  |
| Issue date: | 11/30/1989 |
| From: | Bertucio R, Buslik A, Nilesh Chokshi, Davis P, Eide S, Mays S, Reilly H, Schurman D, Welland H EG&G IDAHO, INC. |
| To: | NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
| References | |
| CON-FIN-A-6892 EGG-2572, NUREG-CR-5457, NUDOCS 9001020055 | |
| Download: ML20011D824 (107) | |
Text
. - _
i I
]
EGG-2572 i --
l
! 1 A Review of the '
) Taree Mile Island-1
! t ProbabiListic Risk Assessment
) ;
Prepared by 11. J. Reilly, D. l., Schurman. I1. J. Welland, R. C. llettucio, S. A. IIide, P. R. Davis, S. II. Mays, A. J. Husiik, N. C. Chokshi l
Idaho National Engineering Laboratory EG&G Idaho, Inc. ,
I'repared for U.S. Nuclear llegulatory Commission
\
9001020055 091130 PDR ADOC%.05000D09 P
PDR m.. r,,-w.-.y y .w-- ., y_ .-
U e
.I AVAILABILITY NOTICE Availabilrty of Reference Materials Cited in NRC Publications Most documents cited in NRC pubhcations will be avaliabie from one of the ful!owing source $:
- 1. The NRC Public Document Room,2120 L Street, NW, Lower Level, Washington, DC 20555
- 2. The Superintendent of Documents, U.S. Government Printing Office, P.O. Box 37082, Washington, i
DC 20013-7082
- 3. The National TechnicalInformation Seree, Springfield, VA 22161 Although the listing that follows represents the majortty of do1Wments cited in NRC publications, it is not intended to be exhaustive.
Referenced documents available for inspection and copying for a fee from the NRC Public Documen? Boom include NRC correspondence and internal NRC memoranda: NRC Office of inspection and Enforcement butiotins, circulars, information notices, inspection and investigation notices: Licensee Evunt Reports; ven.
dor reports and correspondence; Corrmisslan papers; and apphcant and licensee documents and corre.
spondence.
1 The following documents in the NURE'3 series are available for purchase from the GPO Sales Program-formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC boowts and
. brochures. Al*,o avaltabic arc Regulatury Guides, NRC regulations in the Code of federal AeGJiations, and Nuclear Regulatory CommisGon Issuances.
Documents available from the National Technica) information Service include NUREG series reports ard technical reports prepared by other federal agencies and reports prepared by the Atonlic Energy Commis-sion, forerunner agency to tM Nuclear Regulatory Comrrtission, Documents available from pubhc and special technical libraries include at open bterature items, such as books, journal and periodical articles, and transactions, IeDerel Registor notices, federal and f. tate leilsla.
tion, and congressional reports can usually be obtatnea fror3 these Ilbraries.
Documents suc't as theses, dissertattor,s, foreign reports and translations, and non NRC conference pro-ceedings are ava:lable for purchase frons the organization sponscring the publication cited.
Single copics of NRC oraft reports are evallabie free, to the extant of supply, upon written ret.ucst to the Office of information Resources Management, Dist'ibution Section, U.S. Nuclear Regulatory Commission, Washington, DC 20555.
Coples of indastry codes end standards used in a cubstantive manner in the NRC regulatory process are maintained at the NRC Litr ary,7920 Nocfolk Avenue, Bethesda, Maryland, and are aval!able there for refer.
ence use by the pubhe. Codes and standards are usually copyrighted and may be purchased from the originating organ!zation or, if they are American National Standards, from the American National Standards insthute,1430 Broadway, New York, NY 10018.
DISCLAIMER NOTICE This report was prepared as an account of work sponsored by an agency of the United States Government.-
Poither the United Sta'es Government nor any agoney thereof, or any of their employees, makes any warranty, ,
exprosed or iniplied, or assumos any legal liability of responsibility for any third party's use, or the resutts of -
such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not intringe privatoly owned rig *its.
i
I i
l NUREG/CR-5457 i EGG-2572 RG i i
I A Review of tLie Three Mile Island-1 ,
Probabilistic Ris< Assessment t
Manuscript Completed: September 1989 1
Date Published: November 1989 Prepared by
- 11. J. Rei!!y, D. L Schurman,11. J. Welland, R. C. Itertucio,'
S. A. Eide,* P.R. Davis,' S. E. May7,* A. J. Ilusiik,' N. C. Chokshi
P.O. Box 1625 Idaho Falls, ID 83415
'El International, Inc. (presently with NUS Corporation) eel International, Inc.
'PRD Consulting cTenera
'U.S. Nuclear Regulatory Commission Prepared for Division of Systems Research Omcc e6 Nuclear Regulatory Research U.S. Nuclear Regulatory Commission Washington, DC 20555 NRC FIN A6892 Under DOE Contract No, DE AC07 761D01570
i
)
! I i !
- i l
i ABSTRACT l
! The I.4 vel 1 Probabilistic Risk Assessment that was prepared by Pickard, lowe and '
1 Garrick fee GPU Nudear, and forwarded to NRC, was seviewed. 'Ibe review included both plant insemal evenes and stuee kinds of exiemal events: plant ans, seismic events and river
, Sooding. At t!w close of the review,the authors estimated the bequencies the cose damage i j
sequences round have if the secommended corsections west made to the data and assump-l tions, it was concluded that the acosnarended corrections would have a mWor eflect on the i i esthneted siak pro 68e of TMI-1, including major increases in some sequence frequencies a and m(ce decreasesin others, i
l ,
, +
i I
I i
I 1
1 l
i l
l l
FIN No. A6892-A Review of the Three MileIsland-l Probabilistic Risk Assessment l
iii
. . _ . - . _ ~ . . ___ __. _, _ _ _ . . _ _
EXECUTIVE
SUMMARY
EG&G Idaho corducted a limited-scope review of Review of Assumptions tte Level 1 Probabilistic Risk Assessment (PRA) of hree Mile Islard Unit 1 (TMI-1). 'ne PRA was per. Tte PRA was studied to ascenain the validity ard formed by Pickard,14we ard Garrick (PLG) for GPU hi fluence of major assumptions used in the PRA. It Nuclear (GPUN) and submitted by GPUN to NRC. was difficult to find all the assumptions, because they he review included tie intemal events analyses and do not appear in one place in tte repon, and tecause three kinds of external events: plart fires, seismic many of trem were implicit assumptions not explicitly events, and river floodmg. At de close of the review, identified in the report. De assumptions regarding the tte authors estimated tie frequencies that tic core effects of loss of control building ventilation were damage sequences would have if the recommended overly conservative. The assumption, that sequences changes were made to the data. It was concluded that involving loss of Decay Heat Removal (DHR) during de recommerded corrections would have a major ef- shutdown corditions were unimportant, is not ade-feet on the estimated risk profile of TMI-1, including quately supported ard is inconsistent with analyses in major increases in some sequerre frequencies, and other PRAs. Studies by Brookhaven National Labora-major decreases in others, tory (BNL) indicated that such sequences could be among the dominant contributors to core damage fre.
quency at typical U.S. PWRs. 'De dismissal in the The follow.ing is a summary of the major conclu- PP A of tie impact of seismic Class 11 coinponents fall-sions,by sutsection:
ing and striking seismic 0 ass I components is not ade-quately supponed. De lack of an event tree for the V-sequerre is considered to te a deficiency tecause the Initiating Events Review v_ sequence, whiie oniy a smati contribuior to core damage frequercy, can te important to offsite risk.
De treatment of pressurized thermal shock was not Internal initiating events were reviewed for com- adequately documented (howcver, ITS results were pleteness, adequate grouping of initiators, and appro- consistent with other studies),
priateness of frequency values, it was conchded that the list of initiators was comprehensive, and that the Dependency Analysis grouping appeared reasonable. Ilowever, it was un-clear how only two event groups-steamline break in An independent dependency analysis was per tte intennediate building and steamline break m the formed as pan of the review. %e plant piping and m. - -
turbine building-<an cover all possible feedwater and strumentati n diagrarns (P&lDs) were obtamed from steamline breaks. 'ne frequencies that were used for or diis pmpom Generah, ddpendencies m very small LOCA and loss of Nuclear Services River the PRA appeared to be those that wete important to Water (NSRW) events appeared to be lower than they the cote damage frequency; omitted dependencies ap-should have teen. Tte V-sequence frequency values peared to be cather unimportant or those affecting the appeared questionable, although these sequenas are small contributors to core damage frequercy (CDF).
hveu and 3 anahses(not pan oMRA).
%e treatment of loss of control building ventilation was excessively conservative; it probably is not an im. Comparison with Crystal portant initiator at TMI-1. Review of documentation River 3 PRA submittc d to NRC in convection with Appendix R re-quirements supports this conclusion. Tle methodologies and results of the TMI-l and Crystal River-3 PRAs were compared. %e two plants have similar designs. We TM1-1 PRA was performed Event Tree Review using the support state method, whereas tre CR-3 PRA used the fault tree linking method,tterefore mr.k- ..
ing the two PRAs difficult to compare. Tte two PRAs he event tire methodology was seviewed to eyalu- agree reasonably well regarding estimated CDFs for ate tie completeness atd validity of the logic structure. like sequences; tte agreement is not as consistent re-No major errors were foural. Ilowever,it was not pos- garding initiator frequencies and conditional core f sible within the scope of this review to verify the cor- damage probabilities. The CR-3 PRA did not include i rectness of all the event trees. fires, floods and carthquakes. Loss of control building iv
ventilation sequences were not significant in the of river water would be smaller. It appears that CR-3 PRA. GPUN's procedures are based on tic PRA model rath-er than the NRC model for RCP scal-LOCA model, Comparison with B&W Owners e which does not seem satisfactory to the reviewers. It is expected that wlen nn-1 tates actions io compiy Group Evaluations with oc fonhcoming n soiutions of ceneric Issues in-volving RCP seals, this concem willle alleviated. 1 A comparison of the n0-1 PRA with results of the n
s&w Owners croup safety ard Perfonnance im- Component Failure Data ;
provement Program irdicated that tic DU-l PRA ad-dressed these common concerru: adequately. De )
The component database in the PRA is proprietary; Dbl PRA estimates higter frequencies for core ,
damage for the events of concem; the differenz is at- de details ofits derivation were unavailable for re. i view. However, tte database was resie wed to compare tributed to the assurnptiora in the PRA relating to oper- '
it with information sourws used in otter PRAs. %ere ator errors in throttling HPI flow following overcool-were some differences, but tre only ones identified as ing evems. De TM1-1 PRA has higher ficquency potentially significant in theit effects on CDF(assurn- i values than other PRAs for sequences initiated by in-ing that loss of control building vereilation is not an plant fires and by loss of control building ventilation. '
imponant sequence) were some beta-factors that were because of comervative assumptims that are not ap- employed.
propriate to a rigorous PRA.
Comparisons with Generic and Human Factors :
Unresolved Safety lasues De review of u c human respose analysis (HRA) indicated that the initial screening process employed in Comparisons were made to the anticipated NRC is- de PRA fm Wntdying human errors is not docu-sue resolutiora involving pressurized thcnnal shock snented adequately. The review fourd that errors of (ITS), decay heat removal (DHR), failure of instru- aniss m in perfonmng actiota not covered by proce-ment air, failure of emergency feedwater, failure of the dures, awl enors due to failures of indicators in the Integrated Control System (ICS) and Nonnuclear In- comid mm during smne segences, were omitted, al-strumentation (NNI), reactor cooling pump (R CP) scal th ugh this is fairly common m PRAW at the screcrung LOCAs as small . break initiators, loss-of-component stage cooling water, and RCP seal LOCAs as consequences of loss-of-scal cooling. The oocumentation of tbe ne review went on to compare 1I of tie most im-treatment of ITS was not adequate; it appeared that an portant human actions quantified in the PRA with data l adequate methodological structure was developed to from standard NRC databases. One error in de con-l
' cvaluate ITS, but there were some signiGcant omis- servative (high erroi rate) direction was foumi. In this sions that cannot be explained, llowever,iu no event is wiew, de car was corrected and fed back irto the PTS expected to be imp 9rtant in comparison witn oth- sequence requantification(see below). During a plant l er contributors to core damage frequency at TMl-1, visit to TMI-1, several questionable and important hu-
! man actions were walked-down. Except for the error The treatment of DHR issues is adequate except for the
! noted above,it was concluded that most of tie HRA neglect of possible accidents dunng shutdown condi-tioas. %e treatment of histrument air failures is con- unavailability values were slightly on the cornervative fusing and the documentation is inadequate. Losses of 8Id'~
power to ICS appear to be modeled conectly; mher ICS failures, and failun-s of NNI, were not modeled. Uncertainty Analysis We TMl-1 PRA frequency value for very small Tte uncertainty analysis was identified as incom.
breaks appears to include RCP seal LOCAs. %e re- plete because no sensitivity analyses were perfoimed.
view irdicated that the PRA adequately modeled the ne range of uncertainty in CDP that is quoted in the issues involved in failures of cooling water systems. PRA report was identified as much too small, especial-llowever,it appears ttut the PRA used a nonconserva- ly g;ven that the most-important seqtences (less of tive RCP seal-LOCA model. If t!e model of the draft CBV, fires)in the PRA were obtained using analyses NUREG-ll50 were used, the impact on CDFcould te suitable only for screening purposes, arxl tecause the large, because the time available for recovery a*tet loss most-imprtant sequence wming out of the review is y
river flooding above the Probable Maximum Flood 7.505-4/37. The frequency for CDF caused by seismic (PMF)--the frequency of which is highly uncertain. events was estimated several ways. The value ob-tained using the hazards curves in the PRA report was External Flooding 6.5E-5/yr, as compared to the PR A value of 2.70E-6/yr. The caternal events CDF is increased The review identified that the methodology I** I' *I I)**
- 8 **"**' '* *"#
the dominant initiators at TMI-1.
employed for analysis of river flooding in tie PRA was
, unsupportable. More recent analysis by the Corps of Besides these changes, a number of other differ.
Enginects ird! cates a much higher frequency ($5-4/yr ences were listed, some of which were assessed as hav.
vs. IE-5/yr in the PRA) for floods above the PMF. ing a significant eft'ect, that were not included in the The review concludes that the frequency value is not estimates for various techttical reasons. The most im-only highe r, but highly uncertain, because de estimate portant of these are a) loss of river water soquences,in involves extrapolation of erhaps f 250 years of data to which tte use of the NRC model for reactor coolant estim6te fleods uith return peilods greater than pump seal LOCA would have a major effect (increase) 1000 years, on the estimated core damage frequency, and b) fire se-quences, which are important in the PRA and GPUN Fires personnei feel wai decrease significantly when a more detailed analysis is done. '
A review of the fue analysis in the PRA concluded that the analysis was poorly documented, contained success of PRA in Meeting several errors, and was not s;rificiently detailed knd Stated Objectives rigorous to be considered adequate for a level 1 PR A.
The effects of scismically-induced fires do not appear De TW-1 PRA war to le a Level 1 PRA,includ-to have been addressed. Based upon a plant visit, and ing extemal everas as defined by the NRC PRA Proce-a comparison with results of other PRAs, the reviewers dures Guide. The PRA had five :pecific goals to meet felt that the enimated ftre sequence frequencies may the overall objectives of the PRA. The first three of tecome smaller if improved analysts is done, but that these goals related to the identification and quantifica- '
this has not been substantiated, tion of dominant contributors (initiators and system
, failures) to cose damage frequency, The review fo-
! Seismic Events cused principally on the degree to which the PRA succeeded in accomplishing these three goals,in ac-It was discovered, and acknowledged by GPUN, cordance with established methods as exemplified by that the quamification of the seismic events contained the NRC PRA Procedures Guide. The overall conclu-crrors that invalidated the results contained in the PRA sion of the revicw is that tic PRA generally followed report. Independent analyses were conducted as part established methods and accomplished the goals, al-of this review using seismic hazards curves from three though there were the following problems:
different sources: the PRA, EPRI and LLNL All three of tie analyses produced core damage frequen. 1. The documentation, though extensive, was cies larger than the value published in the PRA report. incomplete in some respects, prohibiting the reviewers from resolving some of the ques.
ti ns that at se to tir review. A 1 f the re-R uantification viewers felt that the documentation was rela.
tively difficult to understand, even for trained it was not possible to requantify the sequences dur- PRA analysts. Despite the extensive amount ing this review, because the computer programs used of documentation, pertinent information in de PRA are proprietary and wese not provided to needed for a comprehensive resiew was often EG&G Idaho and the scope of tte review did not per- not present or was unobtainable. For these mit independent requantification. However, some es- reasons, the reviewers found the documenta-timates of tie changes in sequence frequereies caused tion difficult to use for detailed technical re-l by intemal initiatlag events were made. The change in view, and believe that it would be difficult to l overall CDF for intemally-initiated events was a de- keep tle documentation up to date in future l crease from 4.4B-4/yr to 2.95-4/yr. uses at TMI-1.
1 The frequency value for floods above the PMF was 2. Some of the analyr.es, especially those in-estimated to te 5.05-4/31instead of tic PRA value of volving extemal flooding,in-plant fires, and vi
I l
i l
loss of control building ventilation, appeamd tum use by GPUN. '!he reviewers did not analyse the to be appropriate only for initial saeening l
risk model and database; however, it was the opinion i purposes. of the m*wers that the risk model would be relatively ]
difficult for GPUN to use because of its complexity, j
'the PRA had two other goals, relating to develop- the seeming incompleteness of the suppomng docu- l ment of a plant risk model and databane suitable for fu- '
mentation, and the errors existing in the risk profile.
-i a 1
- 1 I
t i
a d
I i '?
i
.i
'l c
I f
f l l s'
l i'
t
.n
- a
'i
)
j l' .i i
l F
vii !
u
~-,w ,
1 5, ,,- -..w,-- , - -
ACKNOWLEDGEMENTS 1
s The non NRC authors wish to express their apprecia. tion to Dr. Arthur Bushk,6e NRC Tbchnical Monitor of this projeet, for his instruction, guidance, and timely delivery of docu -
ments that were needed during the course of this review. Dr. Busiik :.!so contributed some ,
of the work that is included in this report. Without his assistance, the review would not have -l accomplished as much as it did. >
l '
-i 1,
l
.1 I
- i
{
i e
Viki 3
CONTENTS-ABSTRACT.......................................................................... iii EXECIITIVE
SUMMARY
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .iv. . . . .
ACKNO WLEDG EMENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii a ACRONYMS ......................................................................... xii INTR ODUCIlON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1. . . . .
Backpound....................................................................... 1 Scope of the Re vie w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Additional Assumptions and items of Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 l INTERNAL EVENTS ANALYSIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3. . . .
initiating Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Event ' Dees . . . . . . . . . . . . . . . . . . . . . ............................................. 13' Important Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 ,
Dependency Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Comparison with Crystal River-3 PRA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 i Comparison with B&W Owners' Group Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Comparisons with Generic and Unresolved Safety Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Compotent Fail ure Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Human Fact ors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 ..............
i Uncertainty Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 l i
EX'IT1.RNAL EVENTS ANALYSIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 ............. 1 i
ExtemalFlooding ,l
................................................................. 48
)
J In-Plant Fires . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51. ...........
Se ism ic Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 .............. <
ESTIMATES OF EFFECI'S OF RECOMMENDED CHANGES TO THE PRA . . . . . . . . . . . 59 .......... !
I ntroduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 .....
3 Changes *Ihat Were Included in the Estimates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 ,a Changes Not included in the Estimate ................, ....... .................. ... 60 IX
---,,,,....-.-.i-i-..
L o
REFEREN CES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 APPENDIX A-REVIEW OF ASSUMirTIONS IN THE PRA REGARDING LOSS OF CONTROL B UILDING VENTILATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1 APPENDIX B-REQUANTIFICATION OF THE STATION BLACKOUT CORE DAMAGE FREQUENCY.................................................................... B-1 APPENDIX C-SEISMIC AN ALYSIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-1 FIGURES
- 1. Nonhurricane and hurricane frequency curves . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
- 2. Estimated frequency curve for Susquehanna River at Harnsburg. Pa., in accordance with B ulletin 17B . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 B-1. Annual frequencies ofloss of offsite power (LOP) exceeding a time T (review estimates) . . . . . . . . . B-10 C- 1 TMI plant fragility curve . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-6 TABLES
- 1. TMI intemal initiating events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , , 3
- 2. TMI-l intemal initiating event groups ....,............................................ 6
- 3. TMI-1 intemal initiating event group frequency distributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
- 4. Dominant scenarios from TMI-l PRA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 19
- 5. Dominant initiating events from TMI-l PRA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
- 6. Systems contributing to core damage frequency, from intemal initiators, TMI-l PRA . . . . . . . . . . . . 21
- 7. Comparison of Crystal River-3 and TMI-l systems ...................................... 26
- 8. Comparison of Crystal River-3 and TMI-l PRA results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . '28
- 9. Comparison of component failure rates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
- 10. Major differences between TMI-l data and other data sources .............................. 43
- 11. Comparison o f be ta-factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 44
- 12. TMI-l core damage frequency distribution ............ ................................ 46
- 13. TMI-l intemal fire frequency comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
- 14. TM1-1 intemal fire dominant core damage sequences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
- 15. TMI-l intemal fire core damage frequency comparison . .... . .................... .... 56 X
- 16. Summary of reestimation of core damage frequency , . . . . . . . . . . . . . . . . . . . . . . .- . . . . . . . . . . . . . .59-17.. Potential changes not included in Table 16 . . . . . . . , . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 :-
. B-1. Failure, mairmenance, and repair parameters used in the station blackout' requantine'a tion ......... B -
B-2. Aggregated RCP Seal LOCA probabilities for a Westinghouse Four loop Plant . . . . . . . . . . . . . . . . . B-8
'1
.: l 1
_. I o
i!
)
.'i .
f -
f;; .
.l
- s
!I
'{-
.t['
ACRONYMS ABV Auxiliary Building Ventilation ECCS Emergency Core Cooling System ac Altemating Current EF# Emergency Feedwater ADV Atmospteric Dump Valve EPRI Electric Power ResearchInstitute ;
ANL Argonne National Laboratories - ESAS Engineered Safeguards Actuation System ASEP Accident Sequence Evaluation Program ESD Event Sequence Diagram ASME American Society of Mechanical FRAR Fire Hazards Analysis Report Engineers FSAR FinalSafety Analysis Report ATWS Anticipated Transient Without Scram FW Feedwater q B&W Babcock & Wilcox GPUN GPU Nuclear Corp. j B&WOG B&W Owners' Group HCR Human Cognitive Reliability BNL Brookhaven National Laboratories HPI High Pressure lajection -
3 BWST Borated Water Storage Tank HRA Human Response Analysis ICCCW ' Intermediate Closed Cycle Cooling ' j CBV Control Building Ventilation Water l
CCF Common Cause Failure ICS Integrated Control System CCW Component Cooling Water IE Initiating Event .
CDF Core Damage Frequency IEEE Institute of Electrical and Electronic l COE Corps of Engineers IPE IndividualPlant Evaluation COMPBRN Computer Code for Modeling Compartment Fires LLNL Lawrence Livermore National Laboratories .!
CR-3 Crystal River Unit 3 i LOCA Lossof Coolant Accident CST Condensate Storage Thnk LOOP Loss of Offsite Power CVCS Chemical and Volume Control System LPI Low PressumInjection de Direct Current MCC Motor Control Center DHCCCW Decay Heat Closed Cycle Cooling MFLIV Main Feedwater Line Isolation Water Valve -
DHR Decay Heat Removal MFW Main Feedwater }
xii
MLD Master Logie Diagram RHR Residual Heat Removal MOV Motor-Operated Valve RPS Reactor Protection System ,
MP-3 Millstone Point Unit 3 RV Reactor Vessel MSIV Main Steam Isolation Valve RW River Water MU Makeup SAR Safety Analysis Report NNI Non-Nuclear Instrumentation SETS Set Equation Transformation NRC Nuclear Regulatory Commission ,
SG Steam Generator NSCCCW Nuclear Services Closed Cycle Cooling Water SGTR Steam Generator hbe Rupture NSRW NuclearServices River Water SLB Steamlire Dreak NUCLARR Nuclear Computerized Library for SLRDS Steamline Rupture Detection Assessing Reactor Reliability System OATS Operator Action Tree System gg, S WiaNai M W o h OTSG Once-Through Steam Generator gp,p p Improvement Program l- P&ID Piping & Instrumentation Diagram PLG Pickard, Lowe and Garrick . SRV Safety Relief Valve '
PMF Probable Maximum Flood SW _ Switchgear or Service Water PORV Power Operated Relief Valve TCV hrbine ControlValve PRA Probabilistic Risk Assessment THERP Technique for Human Error Rate Prediction PTS Pressurized ThermalShock TMI-l Three MileIsland Unit i
.PWR Pressurized Water Reactor TRC , Time Reliability Correlation RBIS Reactor Building Isolation System TSV hrbine Safety Valve RCP - Reactor Coolant Pump V-SEQUENCE Ruptures in ECCS piping which RCS - Reactor Cooling System bypass the containment l
xiii
A REVIEW OF THE THREE MILE ISLAND-1 PROBABILISTIC RISK ASSESSMENT INTRODUCTION Background (more than 5000 pages) of the PRA report, argued against a detailed review. Therefona EG&G Idaho de-cided that the review should attempt to assess the ex.
A Probabilistic Risk Assessment (PRA) of the tent to which the PRA was sucassful in fulfilling the
'IhreeMileIslandUnit1(TMI-1)wascompletedI by objectives of the PRA in acconiance with established Pickard, Lowe and Ganick (PLG) under contract from techniques as exemplified by NURFG/CR-2300.
GPU Nuclear Corporation (GPUN). The PRA was forwaided to the Nuclear Regulatory Commission It was decided that the review would not be a (NRC)in Deceraber,1987. 2 Ihe PRA is a full-scope "phand" review, wheitin some portion of the review PRA, including external events, that has been com- would be completed and rubsequently decisions made pleted through level 1 (the determination of core dam- as to the cost and scope of the next phase, or phsaes.
age frequency), but has a structure suitable for later ex- but that the entine review would be conducted acco d-tensien to Levels 2 and 3 (the deterndrmtion of the risk ing to the scope thatis shown b: low, associated with core damage). EG&G Idaho con-tracted, through the Department of Energy Idaho Op- The scope thEt 5 as selected for the limited-scope crations Office (DOB-ID), to ieview the document for reviewis as follows:
NRC. It is EG&G Idaho's understanding that there are no regulatory decisions that are supported by the e Review and culuate the scope, assumptions, PRA-it is an informational document-although it .
may be part of GPUN's subndttals in the forthcoming Y"" '"
, Individual Plant Evaluation (IPE) program.
sumptions used in the analysis and comment Scope of the Review on their vatidity.
Given the above status (relative to NRC require.
- Review the event trees for completeness and ments) of the PRA, a full-scope review was not validity oflogic ctructure. -
deemed appropriate. The goals of the PRA were stu-died as an aid in determining the scope and objectives
- Review other information available on of the review. These goals, stated on the first page of Babcock and Wilcox (B&W) plants, to hr.lp the Introduction, Volume 1 of the PRA, were to assess the completeness of the study and the (a) " develop...the likelihood of core damege and its as- validity of the assumptions made. Examine sociated uncertainty,"(b)" identify the significant con- the accident scenarios developed for Crystal tributors to risk," (c) " rack plant systems and cornpo- River Unit 3 for possible insights applicable
, nents...in terms of their contribution to the freqtency to TMI-1.
of core damage,"(d)" develop a plant risk model and the tools for its use by GPUN in futate .,",(c)" develop
~
- Review information developed in the study of and organize a data base (for) the plant nsk model..."
various generic and unresolved safety issues it was also stated that the PRA is a Level 1 PRA as de-
. (e.g., Unresolved Safety Issue A-45 on Shut-fined by the NRC PRA Procedures Guide. 3 down Heat Removal and Generic Issue 23 on Reactor Coolant Pump. Seal Cooling Integri.
Statements ira a " Caveats" subsection, in Volume 3 ty) for pertinence. Issues of particular inter-of the PRA report, indicated that the PRA was termi, est were:
nated prior to its compiction; revisions to the data and models were ongoing at the time of the completion of 1. Accident sequences involving pressur-the report and were not fully completed and integrated ized thermal shock and overcooling tran-Into the report. TEs circumstance, and the large size sients.-
g ,#
- 2. Failures of the Integrated Control Sys- Additional Assumptions and -
tem and losses (partiel or complete) of the N:mnuclear instruracotation System.. Items Of scope
- 3. Failures of the instrument air system. EG &G Idaho recommerded selection of this Scope because there areas of the PRA were the nost likely
- 4. Failures involvir,g the Emergency Feed, areas where sigraficant errors or omissions would be water System. found, given the statemeuts in the Exacutive Summary (Volurae 1 of the PRA Ryoit) regarding the fmdingy
- - Perform a dependency analysis, on a traits of ddRA. Seqtmes o{smalHrnpodance, and those having small uaportatue m other PRAs, such as toma-by-train basis, to identify the dependency of do-uduced core meh sequences, were not reviewed.
front 'isc systems on aupport systems, and Generally the phet'ornenologicas analysis was not support systems er wpport systems.. ,
questioned, except wherein istues ofipterest to NRC (such as the RCP Seal Cooling integrity issue) were
- Review the sources of accident initiators and sp;cifically identilied for their potential effect on the -
reliability da,ta used for fault tree and event pg tree quantification.
Pan of the database used in de PRA is a proprietary .
- - Evaluate the validity of die treatment of hu- database that was not provided to NRC or EG&G man errors. l Idaho. Therefort., this pan of the review was limited to -
comparisons c f the data in the report to data fmm other
- As time permits, sequantify the sequences to PRAs arJ databar,es. Proprietary computer progams tts extent possible were used but not provided for review. -
e Review and eva'ua'e the uncertainty esti- The revicw included a plant visrt by de NRC Tech-
. mates repcrted in the PRA. nical Monitor, the NRC Project Manager for TMI-1, .
and members of the EG&G Idaho review team.* How-i
- Per the seismic initiator, compare the hazard ever, the review did not include meetings with PLG l curves (frequencies of various peak ground personnel who performed the PRA.
l- initiators) used in the study to the hazard I
curves used in the Lawrence Livermore TMI-1 plant P& ids were provided by the NRC l National Laboratory (LLNL) Seismic Hazard Technical Momtor. Two copies of ttie PRA report, Characteriration Project. This subtask was which is copyrighted by PLG, were provided.sAddi-performed by NRC and the results were pro- tional documents were pmvided by the NRCTeclinical vided to EG&G Idaho. Monitor as rueded during the review. ;
e If possible within the time available, obt in Documents submitted by GPUN to dernonstrate; indepetident estirr.ates of tN extemal flood. compliance whh Appendix R requirements were ex-ing hazard function (frequencies of vanous amined during de com of this review, became die flood levels). documents provide infcrmation Lbnt relate to one of the domin int sequeu;esin t!e PRA.
- - Review the methcdology used, raid the data, and briefly seview tie fire risk scoping study at Sandia National Labor atories (SIIL) for in- a. Letter from H. J. Reilly, I!G&G Idaho, to -
sights as to the validity of the estimates of the Dr. Arthur Busiik, NRC, " Report of TM1-1 Plant fire-induced core nwlt frequency. Visit, October 18-19,1988," November 8.1988.
2 s
INTERNAL EVENTS ANALYSIS Initiating Events leading to a reactor trip and affecting muhiple safety systems (often termed special initiators") were identi-fied. The only frequently-appearing specialinitiator Review of the nree Mile Island Unit I (TM1-1) not listed it loss of an ernergency ac power tms (4160 Probabilist.c Risk Assessment (PRA) irdtiating events or 480 Vac). Normally, omission of this event indi-concentratal en three main concerns: completeness of cales that such ari occurrence does net lead to a reactor the list, grouping of events, and appropriateness of the trip. Ilowever, there is no documentation concenning frequencies. Each concem is discussed below. This this evet't, or the reaso i forits ranission, from the initi-section is limited to intenial e vents. Exterrol event ini-ating event list. Also, tlere is no explanation why de tinters are covered elsewhere.
bus A is an initiator, w:dle de bus B is not (During a plant visit to TM1-1, it was learned' lint GPU per-Initiating Event identification and Complete, f rmed pr cedure reviews, augmected by electronic rwas. The TM1-1 intemal initiating events were iden- sinmlator exercius, to veMy that loss of an ac power tified by performing a detailert teview of the plant de- bus or of de bus B will not trip the reactor. Thi.i ap-sign and industry experience. In adslition, the search pars t support tk assumptions in the PRA regarding for initiators was ruided by desclopment of a master the buses),
logic diagram (MLD). The resulting list of 41 inMa.
tors is presented in Table 1, he list of initi.itors is -
comprehensive. Coverage of reactor cook.nt hystem a. Letter from II. J. Reilly, EG&G Idaho, to (RCS) inventory control failme events is especially Dr. Arthur Burlik, NRC, "Repo:t of TMI-1 Plant extetuive. In addition, erany support system failures Visit, October 18-19,1989," November 8,1988 Table 1. ThG internalinitia.ing events SafelyAnction1brcAtened - Jnitiating Eventa
- 1. Reactivity control 1. Uncontrolled rod group witixlrawal
- 2. ' Control rod ejection
- 3. Control rod drop
- 4. Inadvertent boration
- 5. Inadvertent deboration
- 6. Inadvertent reactor trip
- 2. Reactor coolant system (RSC)inventony 7. Very small RCS pipe breaks
- controi 7a. Small RCS pipe breaks
- 8. Mechum RCS pipe breaks
- 9. Laroe RCS pipe breaks
- 10. Inadvertent power-operated relief valve (PORV) or high point vent vpive opening
- 11. Letdown or sample line break 12, Reactor vessel mpture 5
Table 1. (contir.ued)
Safetyluttction Tldcatened Initiating Event *
- 2. Reactor coolant system (RSC) inventory 13. Steam generator tube rupture cor. trol (continued)
- 14. Excessive chargingletdown
- 15. Break in decay heat removal (DHR) dropline
- 3. RCS pressure control 16. P:essurizer heater failure
- 17. Pressurizer spray failure 4 Core heat removal I8. RCP trip or shaft seizure / break i
- 19. Core intemals vent valve fails open
- 20. Core flow blockage 5, RCS heat removal 21. 'Ibrbine control valve opening
(
l-
- 23. Loss of condenser vacuum i
- 24. Integrated control system (ICS) failure (bus ATA -
failure)
- 25. Small steam line break (SLB) or inadvertent opening of atmospteric dump valve (ADV) or main steam isolation valve (MSIV)
- 26. Small SLB inside containment
- 27. Small SLB outside containment
- 28. Large SLB inside containment -
- 29. Large SLB outside contairunent but upstream -
ofMSIVs
- 30. Large SLB outside containment and downstream -
ofMSIVs
' 31. Main feedwater (MFW) pump speed increase or control valve opening above demand .
- 33. Inadvertent MSIV closure -
4
Tatdo 1. (continued) 1 Safety Function Threatened Initiatine Event *
- 5. RCS heat removal 34. Feedwaterline break upsteam of main (continued) feedwater line isolation valve (MFLIV)
- 35. Feedwater line break downsteam of(MFLIV)
- 36. Loss of control air (interruption of feedwater i J
~
flow)
- 37. Loss of river water
- 38. Loss of oisite power
- 39. Loss of de power train A '
- 40. Loss of nuclear services closed cycle cooling water
- 41. Loss of control building ventilation
- 6. Containmentisolation
- 42. Such events were not considered to be initiating events
- 7. Containment pressure and temperature
- 43. Such events were not considered to be control initiating events l
- 8. Controlofexcessiw 44. 'Ihe consequences of direct radioactivity ,
releases from sources other than the core were !
considered to beinsignificant i
- a. The TMI-l study also incitxtes an " otter" category for each safety function threatened. However,tlwse events were not used in the quantification.
In general, the initiating event list for TMI-l tained in the systems descrip' 'ns in the Systems appears to be comprehensive. However, documenta. Analysis Report."
tion concerning the actual steps taken to identify -
events and ensure completeness is lacking. Specifical. It is not clear what the plant design review included ly, the relevant documentation is contained mainly in or what the extent of tie review was.-
one short paragraph as follows (page 2-3 of the Plant ModelReport):
Finally, inclusion of an "other" event in Table 1, un-der each safety function threatened, does not help when the initiating events are combined into a limited "The list of initiating events in Table 2-1 is the number of groups for event tree development. Initiat.
result of an extensive analysis by the TMI-1 ing event grouping is performed to limit the event tree probabilistic risk assessment team, backed up by many development and yet preserve significant differences years of reactor safety research by the government and in plant response requirements and initiating event ef.
private industry. The list was produced by a detailed fects on safety systems. The "other" initiating event review of the plant design and industry operating expe-categories in Table 1 cannot be placed into groups, be.
rience. The plant design review included material con.
cause their characteristics are unknown. A solution to 5
j 1
this problem might be to create an "other" initiating the table are the initiating events included in each event group. Ilowever, in such a case, the plant re. group and the applicable categories from EPRI sponse requirements and effects on safety systems of NP-2230 (for quantification purposes). 4 The 41 initi-this "other" initiating event group, are unknown. ating events were combined into 19 groups (20 with Therefore, an event tree for such a group cannot be de- the inclusion of reactor vessel rupture) for event tree veloped, arul tie significance of such a group on the development. The groups are typical for PRAs of core damage frequency cannot be determined. Com- pressurized water reactors (PWRs). However, it is not pleteness at the initiating event group level is ensured, clear how feedwater breaks upstream and downstream to the extent possible, not by "other" events but by per* of tie main feedwater line isolation valve (MFLIV),
forming a comprehensive review of irxtustry experi- and steam-line breaks, can all be covered by the single ence and a compretensive review of plant design and event tree for steam-line break in the intermediate system dependencies. It is not clear whether such a building (in general, ttese events are not dominant procedure was followed for tic TMI-l PRA. contributors to core damage risk). Also, it is not clear how all types of letdown or sample line breaks can be initiating Event Grouping. Initiating event groups modeled in the small loss-of-reactor-coolant system ;
for the TMI-l PRA are listed in Table 2. Also listed in (RCS) inventory event tree.
Table 2. TMI-l internal initiating event groups initiatino Event Groun .__Appicable Iniliat nei Events
- Anolicable EPRI NP-2230 Eventsb
- 3. Smallloss of RCS inventory 2. Control rod ejection None
- 10. Inadvertent PORV or high point vent valve opening i lI. letdown or sampleline break
- 5. Containment bypass 15. Break in DilR dropline None 1
- 6. Steamline break in 25. Small SLB or inadvertent None -
intermediate building opening of ADV or MSIV
- 26. Small SLB inside containment
- 28. Large SLB inside containment
- 29. Large SLB outside containment but upstream of MSIVs
- 34. Feedwater line break upstream of MFLIV
- 35. Feedwater line break down-stream of MFLIV 6
Table 2. (continued)
Initiatine Even1 Stoup Apjicable Initiatine Events
- _ Apolicable EPRI NP-2230 Eventsb
- 7. Steamline break in turbine 21. Turbine control valve opening Note building B. Once through steam gercrator 13. Steam generator tube rupture None (OTSG) tube rupture
- 10. Loss of main feedwater 23. loss of condenser vacuum PWR 16. Totalloss of feedwater flow (allloops)
- 27. Small SLB outside containment
- 30. Large SLB outside containment !
and downstream of MSIVs
- 32. MFW or booster pump (s) trip Pump 24. Loss ofcorxlensate pumps or MFW control orisolation (allloops) valve closure PWR 25. Loss of condenser vacuum PWR27. Cotxtenserleakage PWR 30. Less of circulating water
- 11. Reactortrip 1. Uncontrolled rod group P W R 1. Loss of RCS flow withdrawal (one loop)
- 3. Control rod drop PWR2. Uncontrolled rod withdrawal !
- 4. Inadvertent boration - PWR3. CRDM problems and/or red drop
- 5. Inadvertentdeboration PWR6. High orlow pressurizer pressure
- 6. Inadvertent reactor trip PWR8. High pressurizer pressure
- 14. Excessive charging letdown PWR 11. Chemical and volume control system (CVCS) n malfunction--boron dilution
- 16. Pressurizer heater failure i
- 17. Pressurizer spray failure PWR 12. Pressure, temperature, power imbalance i
7
l l
Table 2. (continued)
Initiating Event Group ,_ Applicable Initiating Events
PWR 21. Feedwater flow instability-operator ,
error ,
PWR 22. Feedwater flow l instability- 1 miscellaneous !
mechanicalcauses !
PWR 23, lessofcondensatepumps
' (one loop)
PWR28. Miscellaneousleakagein secondary system i
PWR 36. Pressurizer spray failure !
PWR 37. Spurious auto trip-no I
- transient condition PWR 38. Auto / manual trip due to -
operator error PWR 39. - Manual trip due to false !
signals PWR 40. ' Spurious trips--cause unknown
control problems-PWR 34. Generator trip or -
generator caused faults _
- 13. Loss of control air 36. Loss of control air None
- 14. Loss of control building 41. Loss of control building None ventilation ventilation
.1 8
i j
Table 2. (continued)
I initiatino Event Groun Applicable Initiatine Evente AppJicable EPRI NP-2230 Evernd
- 15. less of bus ATA power . 24. ICS failure (bus ATA failure) None
- 16. less of one de power train 39. Ioss of de power train A None 17, Loss of off-site power 38. Loss of off-site power None
- 18. Iass of nuclear services 40, Loss of nuclear services None closed cycle cooling water closed cycle cooling water
- 19. Loss of river water 47. Loss of river water None
- 20. Reactorvesselrupture* 12. Reactorvesselrupturec Nonec
- a. These events are from hble 1.
- b. The EPRI categories were used to help generate the prior (industry) frequency. The categories are described in Reference 6. In some cases, EPRI categories existed for the initiating event groupin question, but were not used be. -
cause better sources were available. An example is the loss of off-site power.
- c. This group is missing in Tables 2-2 and 2-3 of the Plant Model Report and Table 3-8 of the Data Report.
The reactor vessel rupture initiating event is often involved prior distributions based on no events in 428 grouped separately as an event leading directly to core PWR years of operation. Rnally, four groups (5,14, damage. %e event appears in Table I but was not in-18, aix! 19) were quantified based on TMI-I system cluded in any of the 19 initiating event groups in the models. (Although the report indicates five were TMI-l PRA. %e event was dismissed, based on low quantified in this manner, a review irxlicated that loss frequency,in the process ofinitiating event grouping.
of air systems was actually quantified based on Nu-clear Power Eaperience rather than TMI-l system l Assignment of EPRI NP-2230 initiating event cate- models).
gories to the TMI-I groups (see Table 2)is reasonable.
However,13 of the 41 EPRI categories were not used, The loss-of-coolant-accident (LOCA) frequencies and no documentation is presented to explain why are typical for PWRs. However, the very small LOCA these west omitted.
frequency of 5.lE-3/yr is approximately four times i
lower than the same group for the Zion arxl Seabrook i- Initleting Event Group Frequencies. Frequency PRAs. 6,7 his LOCA group normally includes reac-distributions for the 19 TMI-I initiating event groups tot coolant pump (RCP) seal LOCAs, which are main-i are presented in Table 3. Also shown in the table are ly a potential problem with Westinghouse RCPs. Al-the generic (prior) mean frequencies and the TM1-1 )
though TMI-1 like Zion- and. Seabrook, has '
experience used in the Bayesian update process. Fre- Westinghouse RCPs, no explanation for the four-fold-quencies were estimated based on several different decrease in frequency for Th&1 is presented.
methods and sources. Three groups (10,11, and 12) were based mainly on data from Reference 5, with a
' Three initiating event groups were quantified utiliz-Bayesian update to account for TMI-l experience.
ing Reference 4 data to generate prior distributions.
Several other groups (3,4,7,8,13,15, and 16) in-The three groups are turbine trip, total loss of main volved a review of Nuclear Power Erperience5 to ob- feedwater, and reactor trip. Utilizing the more recent -
tain a prior generic frequency. One (group 9) utilized EG&G Idaho update, this review estimates (without only Babcock & Wilcox (B&W) reactor experience to reviewing actual events for applicability to TMI-1) the generate a prior frequency. Three groups (1,2, and 6) following mean frequencies:
9
1 i
Table 3. TM1-1 internal initiating event group frequency distributions TMI-I Generic (Prior) ,, Evidence Freauenev Per Year (Posteriori Mean Frequency InitiatingEunt_DIpup_ Per Year _. Eunts Years Mtatt 5th Pettentils 50th Perrentils 95th
- 1. Large loss of RCS inventory 2.744 0 4.5 1.954 7.3 & 6 7.4 & 5 5.244
- 2. Medium loss of RCS inventory 8.0 & 4 0 4.5 4.2 & 4 1.945 1.9&4 1.3&3
- 3. Smallloss of RCS inventory 3.6 & 3 0 4.5 2.2 & 3 2.7&5 9.4&4 1.1&2 l (3.2&3r l 5.2&3 0 4.5 5.1 & 3 2.744 7.55 & 3 1.4&2 I
- 4. Vety smallloss of RCS inventory (2.2&4r . (2.63r
- 5. Containment bypass - 0 4.5 1.047 4.7E-10 6.69 1.7&7 (4.6&l0f (6A&9f
- 6. Steamline break in 8.0 4 4 0 4.5 4.2 4 4 1.7&3 1.9&4 1.3&3 .i intermediate building (1.9&5)*
7 Steamline break in ~6 - -
A d d -6 turbine building (6.9&3)* (0) (4.5) (6.3&3r (1.844)' (2.8&3)' (1.6&2)*
- 8. OTSO tube rupture 1.442 0. 4.5 1.1&2 4.0 6 4 6.4B-3 2.8&2 1
- 9. Excessive main feedwater 2.341 0 4.5 1.241 2.1 & 2 7.9W2 2.8 & 1 3
.L
- 10. Loss of main feedwater 5.5&1 0 4.5 2.3 & 1 5.1&2 1.8 5 1 4.8 & 1 l 11 Reactortrip 6.6 3 4.5 1.4 6.751 1.4 2.2 12 Drbine trip 1.9 7 4.5 1.6 7.851 1.5 2.3
- 13. Loss of control air .- 0 4.5 6.063 2.0 & 4 1.943 1.962
- 14. loss of control buildin6 - 0 4.5 2.0B 4 :5.445 1.4&4 4.2 & 4 1 ventilation
- 15. Loss of bus ATA power 7.2&2 0 4.5 5.442 5.2 4 3 3.E2 1.7&1 -
- 16. less of one de power train 3.342 0 4.5 2.8&2 3.7&3 1.952 6,0&2 j
- 17. loss of offsite power 1.3&1 0 4.5 7.1 & 2 1.4&3 5.0&3 1.6&1 ~ j
- 18. Loss of nuclear services ' -- 0 4.5 1A&2 4.6 & 3 1.1&2 2.7&2 )
closed cycle cooling water
- 19. loss of river water -
-* 12.0 7.4 4 3 3.5&4 1.3&3 2.242 j
-6 -6 -6 -6 -6 -6 -6
- 20. Reactor vessel rupture
- i Total = 9.6 Total = 3.6 )
I i
- n. The munbers in parentheses are fwm Table 3-8 of the Data Analysis Report.
- b. Rese events and numbers are missing from Table 2-3 of the Plant Model Report.
- c. De text in Section 3.5 of the Data Analy sis Repwt indicates one event in 12 years, while Table M in the same section indicates tem events in 12 years.
l0 l l
- 1. %rbine trip-1.7/yr The following four initiators were quantified based on TMI-I system analyses:
- 2. Total loss of main feedwater--0.4/yr
- 1. Inadvertent opening of DHR valves.
- 3. Reactor trip-5.5/yr. 2. Loss of control building ventilation.
%ese results are close to the generic mean frequen- 3. L ss of nuclear services closed cycle cooling cies of 1.9,0.55, and 6.6/yr used for TMI-1. Tle pos- water.
terior mean frequencies for the three groups are 1.6, 0.23, and 1.4/yr, as indicated in Table 3. The total for 4. L sr of river water, these three is 3.2/yr, compared with plant-specific ex.
perience of 2.2/yr and generic experience of 9.1/yr. Inadvertent opening of tie DHR valves (the imer. ;
3 facing system LOCA event) has a mean frequency (see ;
TM1-1 experience from 1975 through half of 1979 Table 3) of 1.0b7/yr. Quantification of this group is !
irulicated a very low yearly trip frequency of 2.2/yr. explaired in Section 3.5.2.4 of the Data Analysis Re-L.
This was confirmed by reviewing Reference 8 for port. The two cold ieg injection lines of the DHR sys- '
TMI-l trips. During the same period. TMI-l was tem are the main contributors. Eachline has two check listed in Reference 8 as having six trips. This com- valves and a normally-open motor-operated valve pares with 10 trips listed in the TMI-l PRA. Dere- (MOV) in series. The analysis assumed that dunng fore, use of Refereoce 8 would produce an even norm al operation, a very small leakage (not considered smaller frequency for TMI-l trips. a failute) past the upstream check valve (tearest to the RCS) would result in the downstream check valve being subjected to RCS pressure on one side and low Loss of offsite power (LOOP) at TMI-l has a site.- Pressure on the other side, in such a case, tle down-based frequency of 7.1&2/yr. %e plant-specific ex. sueam check valve suffering a large intemal leakage is perience is listed as zero events in 4.5 years. The most the initiator. If the upstream check valve has already recent compilation of LOOP events, NSAC-111, was suffered a large intemal leakage, or fails to close (with reviewed to verify this.9 One possible LOOP evem equal pressure on each side, the valve could have been !
was listed for the TMI site through 1986. his event
" floating"), tien an open path exists from tlye RCS to occuned on April 21,1986 due to bus switching prob- the low-pressure DHR system. hantification of this lems while in hot shutdown. If this event were to be event involves a subsequent unavailability calculation {
i included, the plant-specific experience would be one for the upstream check valve, involving large mtemal
/
cvent in !! years, which results in 9.042/yr. Also, the leakage over a one and orye-half year test period, or a industry average plant LOOP frequency is approxi- failure to close, and an mitiator calculation for the mately 8.8B-2/yr, based on NUREG-1032 and NU. downstream check valve. %e large mternal leakage ME8700.10,11 Therefore, the TMI-1 value of mean failure rate was assumed to be 8.3B-9/h, based 7.1B-2/yr ts reasonable. on a review of check valve leakage data. Also, the check valve failure-to-close value used was 2.1L4/ demand Given these failure rates, the fre-
%e loss of air system mean frequency is listed as quency of both check valves failing during a year is 6.0&3/yr. This value was apparently obtained by re-1.9&B/yr. Two of these lines then result in a rate of viewing Reference 10 from 1970 through 1985. No 3.8&8/yr. In the PRA report, an extra factor of two is evidence of a totalloss of air was found. De conver-used, resulting in a rate of 7.658/yr (Apparently, this sion of this information to the mean frequency of value is rounded to IS7/yr, as mentioned above). It is 6.0&3/yris not explained. The System Analysis Re-port, Section 18, contains an analysis of the loss of air believed that this factor of two, found in Equation (3.14), is in error. This factor is considered erroneous frequency, based on the system analysis. The mean i frequency is 1.5B-2/yr, with the dominant failure because the downstream eleck valve cannot be open (or suffer a large intemal leakage failure) before the j mode being failure of the dryer transfer valve and op-erator failure to then bypass the dryer. It is not clear initiating event because the accumulator would begin to discharge. Such an event would be annunciated in why this analysis was not used to determine the loss of the control room and appropriate repair actions wou)d air system frequency. However, assuming no complete be taken. %erefore, the downstream valve can be the losses of air systems within the period examined, and otdy initiator. If either valve were the initiator (and the approximately 500 PWR years of operation, the mean other fail to close or fail because of a previously-unde-fn quency would be less than 2.0E-3/yr.
tected large intemal leakage), then the factor of two 11 1'
would be appropriate,. The discuss!on does not clearly equal to the repair time of the initially failed compo-desenbe how the result represents a yer.tly frequency, nent. The repair time used was either 24.9 or 32.9 l Finally,because the derivation of the check valvelarge bours, depending on the component. Credit was taken ;
internalleakage failuze rate is considered to be propri- for the following types of recovery: !
etary, the value cannot be checked.
- 1. Realignment to either the open or recircula- i J
tion mode of operation, depending on the No credit was taken for possibly being able to close type of flow path failure.
the normally-open MOV downs' ream of the check valves. Also,it v'as assumed that given fadure of the
- 2. Manual start of a standby train.
check valves, a rupture would occur in the low-pressure DHR system. By accounting for both intemal
- 3. Locally opening dampers which fail closed.
lealcage and h to close, there may be some double #
y on how data were collected for counting, Establishing alternate ventilation using porta-these failure depy,'esI However, the check valve large 4.
mod ble fans and elephant trunks, intemalleakage failure nte used is at least a factor of ten lower than that used in most recent PRAs. %c re- At least five hours was assumed for recovery. His port contains no infomiation on the derivation of this value, type of quantification procedure is believed to be the 7 most appropriate for such initiating events. %c result-ing frequency,1.95B-4/yr, seems reasonable. .Domi-Finally,it should be poted that analyres ofinterfac- nant failure modes involve dependent failures of the ing system LOCAs in previous PRAs have not been MW hulen orgMWie consistent. Equatious and assumpuons used have var-an outside temperature greater than 95'P (falling ied conaiderably. A major uncertainty arises from the ahemate mtuade), anMpendendauures onoost-interpretation and application of data for large intemal ,
er or exhaust fans with operator failure to establish leakages of check valves. For exa nple, do such fail-ahernate ventilation.
ures occu because of a previously.-undetected failure to close, ortwcause of a "rarxiom" disk rupture? In ad-Several potential conservatisms were built into the dition, can the disk rupture occur only if a large pres- loss of control building ventilation initiator. Probabiy sure differential exists across the valve, or can it occur the most limiting is the use of 104'F as tiw room tera-with a small pressure differential? De TMI-l analy, perature at which significant electronic failures will sis appears to have a balance of conservative assump-occur. More recent analyses indicate that loss of the tions, with potentially nonconservative data. The fail-ventilation may never result in component failures or a ure rate quoted is significantly lower than those used in _
plant trip (page 6-48, Systems Analysis Report).
previous PRAs (these sequences are also discussed in L the Assumptions Section of this report).
Loss of the nuclear services closed cycle cooling water initiating event includes the following systems .
Since the completion of the PRA, GPUN has sub- (Section4, Systems Analysis Report):
mitted information 12,13 to NRC relative to com-pliance with Appendix R and NRC has reviewed the 1. Nuclear services river water (NSRW), except submittals. I4 These docum:nts provide the results of for plugging of all intake screens, which was -
i tests and analyses showing that lose of control building addressed separately.
ventilation (CBV) will not lead to core damage at '
TMI-1. However, the PRA has not been updated to re- 2. Nuclear services closed cycle cooling water flect these changes. Therefore, some review of this (NSCCCW).
initiator was done. In the TMI-l PRA, the frequency ,
for loss of control building ventilation as an initiating 3. Class I auxiliary building ventilation (ABV) ;
event was detennined by requantification of the sys- system.
tem models (Section 6, System Analysis Report). All support systems were assumed to be available. Al- There are three NSRW pumps, three NSCCCW ,
though this is a nonconservative assumption. our opin- pumps, and two ABV trains. Following a plant trip, ion is~that the effects are probably minimal. In the re- only one of three pumps, and one ABV train, are re-quantification,the initial component failure in each cut quired. However, operational constraints require that -
set was determined over an entire year (8760 h). Addi- the plant shut down if two pumps in either the NSRW tional component failures that must occur in order to or NSCCCW are lost.- For convenience, the initiating fail the system were evaluated over a mission time event was defined as loss of all three pumps in either 12 ..
system (or other similar types of complete system fail-least a factor of ten lower than values in pre-utes). This simplification is acceptable as long as viously-published PRAs. However, potential these systerns affect other systems only when complete conservatisms in the analysis may offset this NSRW, NSCCCW, or ABV failure occurs, which ap- low value.
pears to be the case at TMI-1.
- 3. Loss of control building ventilation is prob-In the PRA, quantification of the NSCCCW initiator ably not an initiating event based on this re-was perfonned in a manner similar to that for loss of view report.
control building ventilation. All support systems were assumed to be available. The resulting frequency for 4. Loss of tie NSCCCW may have a conserva-tie initiator is 1.442/yr. Dominant contributors in- tively high frequency.
clude system leakages, pump failures combined with check valve failures to rescat, isolation valves transfer- 5. Loss of the NSRW may be twice as frequent ring closed, arxl dependent failures of all pumps in a as the value indicated in Table 3.
system. The frequency seems high and is probably conservative. Quantification ofleakage failures in- 6. Loss of instrument a.tt systems may have a volves significant uncertainty, especially when deter. c uservatively high frequency.
mining what !cakage rates should actually be consid-ered as failures. The potential importance of these concerns is dis- .
cussed in the section on Requantification.
, Finally, de loss of NSRW initiator was defined t include only failures resulting from plugging of the Event Trees intake screens. In the PRA, this event was quantified by using plant-specific data for plugging and then The purpose of the event tree review was to evalue.te applying a recovery action to account for unplugging the completeness and validity of the logic structure and of the screen before the waterin the intake structure isthe success enteria. The functional and support sys.
depleted. One complete plugging event occurred in tems dependencies, along with the implicit assump-12 years, resulting in a frequency of plugging of tions associated with the model, were alsoincluded in L 8.3b2/yr. Failure to unplug the screen within several the review, hours was assigned a probability of 1.7851. The product of the two is 1.5&2/yr. However, the report Overview of TMI-1 PRA Methodology.The indicates a frequency of 7.4E-3/yr. It is not known TMI-l PRA used support state event trees to establish why this frequency does not agree closely with boundary conditions for the operation of the systems 1.5E-2/yr, except that the data table indicates zero contained in the front line system event trees. Both events in 12 years, rather than one (Table 3-8, Data sets of event trees used the support state methodology Analysis Report).
for modeling plant response to van,ous inithting events. *niis methodology requires that dependencies Summary of Initiating Events Review. in gener- between headings on event trees be explicitly modeled m
al, the TM1-1 initiating event list (Thble 1) is compre- s ment the est trees,or diahndary con-hensive. Grouping ofinitiating events (Table 2) ap ditions (referred to as split fractions) be used to ac-pears reasonable. However,it is unclear how different count for dependencies. 'niis methodology produces a i types of feedwater and steam-line breaks can be cov- very large number of sequences (or scenarios, as they ered by only two groups-steam-line break in the m- are called in the TMI-I PRA).
termediate building arxl steam-line break in the tur-bane building. Finally, with the following exceptions, The support state event tree is the starting point for appropriate methods were used to quantify the initiat. modeling plant response to an initiating event. The ing event group frequencies (Table 3): TM1-1 support state tree produces over 6000 se-quences, representing the various combinations ofsup-
- 3. The very small LOCA frequency is port system successes and failures that the analysts 5.lE-3/yr, which is about a factor of four deemed imponant enough to examine. A computer lower than previously published PRA values. code was used to group these events into impact vec-tors, each having a specific affect on the front line sys-
- 2. tems. This was accomplished by comparing the status A check valve intemal leakage failure rate was used in the interfacing system LOCA (in- of support states from each sequence to tue support advenent opening of DHR valves) which is at system-to-front line system dependency table pre-pared by tie analysts. This resulted in approximately 13
1100 distinct i- ipact vectors. Tic anaiysts then com- in the report, except that certain vector designators ap-bined groups of impact vectors into 39 support states, pear in Table 3-5. ne support states do not list all the using qualitative and quantitative judgements, from impact vectors that were considered in deciding (le which each front line aystem event tree was quantified, groupings. Furthermore, there is no description of what system failures constitute each support state.
Derefore, it is impossible to verify that the support For each initiating event, there it a main tree depict. states and their coiresponding frequencies are correct, ing tic early response to the initiating event. For each tree, tiere are several subtrees that depict the long-tenu progression of events to eitler a stable condition gY or to one of several plant damage states. Each of the The TMI-l PRA used event sequence diagrams main trees for the transient events has over 1000 se- (ESDs) as the analytical tool for construction of the quences. Tle subtrees vary in length but most of them front-line system event trees. An ESD is a graphical have several hundred sequences each. Given that eact.
representation qf the plant response su an tmtiating of these sequences must be quantified forW diffeient event, and isdes$ned to depict the various ways that support states, the number ofindividual scenarios ,
the trutiating event can proceed to either a stable end quantified in this analysis is very large. state or to core damage, From this tool, the analyst Evaluation of Support State Modeling.The Plant Model Report contains the description of the - ESD to Event Tree Construction Comments, analysis of support system dependencies and how they A typical ic 'tiatiog event would be expected to have an .
were accounted for in the quantifica .of sequences. ESD imd event tree in the Plant Model Report. How-The process begins with compilathon of two tables, ever, some events have an ESD but no event tree (e.g.,
One is the support system-to-support system depen- steam line break in the turbine building). In coutrast, dency table (Table 3-1), and the other is the support some events have an event tree but no ESD (large system-to-front line system dependency table LOCA, reactor trip, turbine trip, and loss of nuclear (Table 3-3). De support system event tree was con- services closed cycle cooling water).
structed from these two tables. It was structured to ac-count for the support system interactions listed in Documentation of the event sequence diagrams and Table 3-1 of the Plant Model Report. For example, the event trees is uneven. While five pages of text are electric power system h adings appear before cooling dedicated to the general transient ESD and three pages system headings to account for the dependence of to the eveat ttve structure,the ESDs and event trees for '
these systems on power. There are over 6000 se- the initiating events actually quantified in the analysis quences on the support state tree. Bus made review of rece ve scant description. In fact, only three of the each sequence impossible, given the resource limita- front-line system event tree descriptions exceed one tions of dus review. However, several key sequences paragraph. In the majority of cases,this one. paragraph were reviewed for consistency with the dependency merely references the general transient ESD and only tables; the event tree appears to be consistent with vaguely describes any differences from that ESD or those tables. event tree. However, for the steam the break inside the intermediate building, the report dedicates 18 para.
De support state event tree was reduced by comput- graphs to describing the ESD and event tree. The loss er analysis to over 1000 unique impact vectors. The of power to the ICS power supply receives 12 para-report does not provide a listing of these impact vec- graphs while the steam generator tube rupture receives tors with the corresponding support state sequences so only two paragraphs of description.
that a verification of the groupings can be made. Fur-thermore, the number of impact vectors was too large The large-LOCA paragraph appears below to serve to be practical for quantification of the frontline trees. as anexample of this documentation approach:
Therefore, the analysts grouped the impact vectors into .
support states using qualitative and quantitative mea-
"Most of the alleviating actions that will take sures designed to ensure that all impact vectors were place following a large RCS pipe break are the considered in a conservative manner. Thirty-nine dif- same as those shown on the general transient ferent support states were identified; their effects on ESD. Many of these actions, however, are not the front line systems appear in Tr.ble 3-5 of the Plant important to preventing core damage following a Model Report. There is no one-to-one correspon- targe pipe Dreak. The only early action that is -
dence between the support state sequences and the im- required to prevent core damage is the operation pact vectors. The impact vectors are not documented of the BWST [BW). The long-term sump 14
recirculation actions and containment safety On Sheet 12, which is a continuation of the ATWS -
t~
features, which determine to which plant damage condition, the ESD indicates that with secondary state a ccie damage scenario initiated by . large steam relief, EFW operation, primary system relief, pipe break will lead, are shown in the and the BWST available, failure of tie 4 psig contain-j following subtrees: ment signal leads to core damage. Ttm rext sheet indi-cates that manual starting of the HPI pumps is a possi.
LLA (see Section 4.3.4) when the BWST is ble success path. Therefore, it is not clear why failure
"*"E" of the high containment pressure signal constitutes a core damage condition. Also, Sheet 11 indicates that even if MFW runs,it will run out of water in 26 min.
MLC (see Section 4.3.7) when the BWSTis not utes. Because its source of water is the CST, the EFW -
available." on Sheet 12 must be getting water from a source not shown on the ESD.
- The concept that the plant response to a large LOCA is i essendally similar to a general trainient roay be conect Section 4.1.2 of the Plant Model Report describes for TMI-1, but there is insufficient documentation to the process that was used to transfer the infonnation demonstrate this assumption is conect.
contained in s.n ESD to an event tree. It includes a list of six steps for this process. Apparent inconsistencies General Trandent Event Tree Comments. between the ESDs and event trees were examined in '
The bulk of the event tree descriptions draw heavily light of these six steps to see if the inconsistencies ,
from the general transient ESD and event tree. 'nds could be explained on this basis. However, some section will discuss the general transient ESD and events or paths on the ESD do not appear in the event evem tree, followed by specific comments about other tree and some events or paths on the event tree do not ESD/ event trees. appear in the ESD. For example, the RV heading ex.
l ists on the event trees to assess the likelihood of reactor vessel failore from pressurized thermal shock (PTS)'
On Slect 5 of the ESD, there is a path where HPIis events. This event is implied but not shown on the
) running, but the primary safety valves do not pass wa-ESD. The MR heading for reestablishing HP1 mini-l ter from the systern. The note for the subsequent mini-mum flow following an overcooling event is not speci-mum flow choice indicates that no 1600 psig signal fled on the ESD.
was generated and that the minimum flow would therefore be available. However, several of the paths leading to that point have had low-pressure signals The caly success paths involving the general tran-generated, implymg that for some cases, minimum sient tme that are not on the main tree occur cn subtree
- i. flow is unavailable. A. All other srquences going to all other trees tuult in l
core damage. This is not a trivial number of se-Sheet 7 hulicates that, for HPI cooling, manual start quences. For example, subtree B contains over 1000 of the HPI pumps is requiied. However, severai paths . sequences that have no success paths for preventing leading to HPI cooling alnady have 1600 psig signals, core damage. 'lhere are many sequences from the tran-which would start the HPI pumps anyway. It is not sient main tree that have subtree B as theirlong-term clear why additional HPI pump operation would make conclusion. This results in many thousands of se.
PORV-only relief a success. quences, thathave no impact on core damage frequen.
cy, being part of the overall quantification. The re.
mainder of this event tree review will not examine Sheet 8 indicates that a stuck open relief valve subtrees without a success state.
would lead directly to core damage. If this assumption . .;
is based on the iha that pressure will become too low for effective HPI operation, then a choice for LPI oper- Subtree A represents the long-term actions required ation should be made. .to successfully cool the core, assuming that HPi cool.
g was in progress. Basically, this is the recirculation tree. The event tree contains two events (B A and BB)
Sheet 11 deals with ATWS events. The ESD shows - for which no choices are made for any sequence.
that reactor coolant pump (RCP) trip leads to core There is no explanation for this condition in the text.
damage (as does the event tree). However, the descrip- The events do not appear on the ESD. According to tion of the ESD, and the success criteria desc-iption, the split friction table for this tree, the quantitative val-indicate otherwise, as Page 4.1-6 acknowledges, ues for headings DH and CS depend on operation or 15 1
failure of BA and/or BB. However, no decisions are ESD. However, the event tree has no headings for RT, made on these headmgs. EF ,not SD.
The ESD has an event for preventing boron precipi.
Sequence 47 indicates that a failure to close tic con.
tainment purge valves during a feed and bleed opera. tation in the core (DT). Failure of DT leads to core damage. %e mechanism and justification for this de-tion of the primary system can lead to successful core I. cision is inadequate. Furtiermore, if DT is required L coolingif recirculationis properly aligned. This event for success following a medium LOCA, then it should would seem to allow for escape of reactor coolant to also appear in all transient sequences involving HPI the atmosphere. In this case,it may be possible that a i coohng since open cycle primary recirculation is oc-
> significant amount of water needed for recirculation i would not be available, curring there as well. The treatment of DT is, there- ,
fore, inconsistent.
he general transient ESD atxt event tree are docu- Several headings on the event tree are not shown on mented as the basis for all sutsequent ESDs and event ,
tie ESD, Specifically, BA/BB, SA/SB, and C3 are net trees in the Plant Model Report %e inconsistencies in on the ESD. Additionally, the ESD (Sheet 3) accounts the Beneral transient ESD and event tree suggest that f rp ssiblemanualstartingoftheHPipumpsbutdoes further detailed review might uncover errors that n t similarly treat the LPI pumps, would cause the calculated core damage frequencies to be in error.
Steam Gotterator Tube Rupture-The
" ' " " " " '*E"'****
- SP*cific ESD/ Event Tree Comments. Tie re- - total tree, as is the case for all the other main trees that mainder of the discussion of ESD and event tree mod- follow the general transient tree fonnat. In tie other cling focuses on untiator-specific conditions that af- cases,the logic duplications that are not shown er.plic.
fect the structure of the analysis. As the other trees are tly on the trees are indicated by a "XFRn" indication based in such large part on the general transient tree, at tie end of the sequence, and a number somewhere sie comments from this tree apply also. else in the tree that shows the logic, structure that should be followed. His method of representation is The following comments on various ESDs and documenred in Section 4.1.2 of the Plant Model Re.
event trees focus on initiators other than external port. However, none of the " transfer" points are la-events and contr01 building ventilation events. This al- beled on the SGTR tree.
lows for comparison of tie TMI-l event trees to Level I analyses from other PRAs. Excessive F9edwater-After control buil'd.
ing ventilation failures and extemal events, this tree large LOCA- The general discussion above contains a significant dominant sequence _ There is has already discussed issues relating to the large . very little discussion of the details of this sequence.
LOCA initiator.
Sheet 2 of the ESD contains a blocklabeled "'Ibrmi-Medium LOCA--The medium LOCA ESD de. nate Overspeed." It seems that this should indicate overfeed instead. It is not apparent why this block velops conditions for failure to scram following the-initiator. It is not clear why this is done. Tlc probabil. should not appear before the EFW block on the ESD.
If overfeed is terminated, then EFW is not required. If ity of such an event using the TMI-l data is apptoxi.
EFW is needed, then main feedwater must have al-mately 8E-8, which could be reasonably screened out l ready failed and the " terminate whatever" block is un-of the analysis. Furthermore, the key issue for PWRs j in ATWS scenarios is the ability to inject boron via the necessary, it is not clear why the logic on the ESD for overfeed conditions dMfers from the logic for overfeed higtspressure injection system while preventing a cat.
on the general transient tree.
asuophic failure of the reactor vessel during the pres.
sure surge. With tie normal pressure relief available, and additional pressure relief via the break, this does The ESD indicates by use of a dashed line that the not appear to adversely impact either scenario more SLRDS is not to be considered on the event tree.
than tle more likely loss of feedwater or other events. SLRDS is included on the event tree despite rule num-Nevertheless, the ESD i xticates that successful EFW ber 5 from Section 4.1.2, which states:
riow in'5 seconds, and secondary steam relief, are suf-ficient to transfer this event back to the norwATWS " Dashed blocks on the ESDs do not become event -
flow path. Failure to do so leads to core damage on the tree top events."
16 m- _ __
l Steam-Line Steak /n fhe intermediate It was not feasible in this review to check the agree-Sullding--he mairatesm line break in the interme- ment of all the boundary condition tables with the sup-diste building, main tree discussion, corsains a para- port state tabD. However, the headmgs noted above l grapt that indicates that the SLRDS op* rates to stop (main feedwater urderfeed, emergency feedwater un-feed flow to the steam generators and thereby limits derfeed, and operator throttling of HPI) would be ex-overcooEg. It states that the SLRDS does this opera- pected to receive considerable attention in the quantifi-tion so quickly that "the transient is limited and does cation process. The report contains a general not cause an excessive cocidown, as manifested by a description of how tables like Table 4.2.12-2 are low RCS pressure engineered safeguards actuation." denved, but so many numbers and operations are in-On tic next page of the discussion this section states: volved that it was not possible to trace the derivt.tions of the numbers in tiese tables. )
4 "On a steam line break, the high pressure injection system receives a start si,;nal due to the excessive The fmal step in the review was to verify that the cooldown and results in low RCS pressure caused calculations of individual sequence frequencies were by the break " c nect Table 6-5 of the PR A report lists the top 100 sequences from the quantification process. Several se-quences from this list were examined to see if the fre-It appears that some text must be missing, quencies stated are accurate, provided input data and models are correct. No mistakes were found in the Review of Event The Quantification. %e quan- quantifications of these sequences.
tification process includes the assignment of split frac-tions, for each support state, to the main and sub tree in summary, the quantification process for the headings. For each main and sub tree, tiere is a table TMI-l PRA was very complex. It was not possible, in the PRA report that lists the support state numbers using tie available infonnation, to verify the quantifi-across the top and the heading down the side. For cation of the PRA, except in a general fashion. There some reason, some of the h?adings are duplicated are questions about the translation ofinfonnation from many times in the tables. Derc 'ioes not appear to be the support state tables to the main- and sub-tree in-any reason for the duplication. This appears to be a pots that suggest questions about the accuracy of this problem in the computer printout for the boundary - step in the process. In this review, the quantification condition tables. results presented in Table 6-5 were traced to the extent of the split fraction headings and the presumed support
%ese tables are where the boundary conditions for state frequencies. The multiplications of the values the headings are entered into the code for quantifying listed in Table 6-1 and the support state Table 3-7, for the event trees. Derefore,it would be reasonable to the sequences reviewed, were conect.
expect a one-to-one correspondence between the number of split fractions (other than the default) in the Summary of Event Tree Evaluation. The event table for a given support state, and the support state trees in the TMI-I PRA report were developed in a table developed earlier. Tie review found that this is form specifically adapted for solution using competer not necessarily the case, For example, the turbine trip programs. For a large, cunplicated plant like TM1-1, boundary condition table (Table 4.2.12-2) does not event trees like these are difficult to review in detail, compare favorably with the support state table (Table There is a lack of complete traceability even in a docu-3-5), in several areas. %e MF- heading in Table 3-5 ment as lengthy as the TMI-l PRA report. In the lim-indicates 32 states that impact this heading, but the ited review that was performed, some minor inconsis-boundary tabt only shows 31 (support state 34 is not tencies between the ESDs and event trees were included). For the EF- heading, both tables indicate identified, and some assumptions were questioned.
30 cases where there are support state impacts on the Some questions were raised about the support states heading. However, they are not the same 30 headings. appearing in the event trees. However, no majorerrors Support states 5 and 6 hppear to be extraneous in the were found. %erefore, it is concluded that this event boundary condition table; soppor; states 10 and 30 tree review has not revealed any major changes that are show no impact. In the case of the TH heading, the needed in the event trees published in the TMI-l PRA boundary condition table has 27 impacts, whereas the report.
support state table shows 24 impacts. De boundary condition table has nine impacts listed that are not Important Assumptions shown in the support state table, and six impacts that are in the support state table but not in the boundary introd uction. PRAs rely, in general, on numerous as-condition table. sumptions in order to allow the computation of risk 17
k i
results. These assumpdons are usually employed for sumed to be inoperable following loss of offsite pow-one of two reasons: (1) to simplify the analysis, or (2) er). While tiese stated corxtitions may fit the overall ,
to provide necessary input when data and information definition of assumptions in a general context, they are !
is lacking b a particular area. De uncertainties and of no interest in this evaluation sime they are not asso-unknowns in these assumptions can be accounted for ciated with uncenalnty or questionable bases, by perfomiing sensitivity studies to quantitatively esti-mate tie influence of uncenainties in the assumptions, In order to focus available resources on those as-and tien making appropriate adjustments to the overall sumptions with the greatest potemial for influencing results to reflect these uncertainties. the results, an evaluation of the risk profile of the -
TM1-1 plant, as estimated in the PRA, was undenak-This section reviews those potentially important en. %e PRA contains a significant amount of con-densed information to facilitate such an evaluation, general, or global, assumptions which were made in the PRA and were not necessarily reviewed in the oth. The evaluation consisted ofidentifying those initiating er sections of this review repon. Particular attention events, accident sequences, system failures, etc.,
was focused on assumptions which are unique to this which were imponant contributors to the overall re.
PRA, which appear to te inconsistent with cunent in, sults in terms of core damage frequency (CDF). De formation, which appear to be particularly significant, results of this evaluation are presented in the following or which appear to have inadequate bases. Assump- sectims.
tions specific to a particular system, model, analysis, data application, quantification, etc., are considered TMI-1 Risk Proflie. Tie " risk profile" of a plant separately in appropriate sections of this report. generally refers to a significance ranking ofindividual ;
contributions from the following elements: (1) acci. ,
dent sequences, (2) initiating events, and (3) system '
in the Thbl PRA, a large number of assumptions failures in terms of contribution to overa" risk. An were found.' Many of these a:ssumptions am aggre-na uada f the relative ranking of the individual .
gated in specific sections or subsections of the repon.
contributions within these elements was urxlenaken as -
Ilowever, others were found scattered throughout the ,
part f the review of assumptions. This allowed the text. In some cases, the assumption is specifically identified, but in other cases assumptions are charac-
"""U" **** Io f cus a se assmnpdes as.
sociated with the risk dominant contributionsi It "
terized by " engineering judgement," "it is reasoned that," or some other descriptor, in a few cases, the as- sheld be meed sat a risymp can also be funher subdivided to melude the sigmficance of hmnan ac-sumption is merely a statement of what was done in the tions and compant faHme rates wh cathe to assessment without any indication that an assumption was made. As a result,it was somewhat difficuh to the overall estimated risk from the plant. Dese ele-ments are considered separately m the sections on Hu- -
, identify allimponar.t assumptions.
man Responses and Failure Datai -
1 In most cases, the TMI-l PRA provides a qualita- Dominant Accident Sequences. Table 4, de-tive inwiication of the influence of the assumption, and, veloped from a similar table in the TMI-l PRA, illus-in a few cases, a quantitative estimate is provided. In a trates the top 11 accident sequences. De distribution majority (but not all) of these cases, tie assumption is of contributors is rather peculiar in that a single se-characterized as conservative (i.e, the assumption quence (loss of control building ventilation)is a very would tend to increase the risk result over the "true" targe contributor (33.3%) to the total CDE Further-value), but not overly significant (characterized as mom, the next most dominant sequence is a rather "slightly conservative" or "not overly conservative"), small contributor (5.5%), followed by two more se.
In a few cases, no evaluation is provided of the influ- quences with small contributions (3.6% each).
ence of the assumption. In some cases, further study is - Following the fifth sequence, the remaining individual called for to support the validity of the assumption, or sequence contributions drop dramatically to <2%.
provide the basis for a revised assumption,if the as- Thus, the top five sequences contribute almost half sumption is subsequently determined to be important (48.4%) to the overall CDF, while a similar contribu-to the overall result- tion is provided by low probability sequences. Any as-sumption with the potential to influence the probabili-In some cases, what is described in the PRA as an ty of the single most dominant sequence would bc assumption is actually a boundary condition, or a con- expected to have a significant influence on the overall dition related directly to the actual design of the plant, CDE On the other hand, assumptions associated with or the consequence of the occurrence of a previous any other individual sequence would have to increase -
condition (e.g., the primary coolant pumps are as. the probability of the sequence dramatically before any 18
l significant increase in the overall CDP would occur.
a factor of three, not a very significant change in view For example, a factor of 10 incurase in the probability of the estimated uncertainties discussed in this irport.
of the second most dominant sequence (sequence #2 in Table 4) would increase the overall CDP by only 50%. Some assumptions will obviously influence more ;
Changes in assumptions which would teduce any but than one sequence, and therefore could bc inportant. l the most dor.dnant sequence would have an insignifi- For example, sequences 2 through 4 all have fires as cant impact, even if the sequence were climinated. In the initiating events. Thus, any assumption which fact,if all sequences except the most dominant were influences tie estimated frequency or subsequent con-eliminated, the overall CDP would only be reduced by trol of fires can change the probability of each of Table 4. Dominant scenarios from TMI-l PRA MeanFrequency Total Description Per Reactor-Yr (%)
Loss of control building ventilation and failure to 1.8364 33.3 establish altemate room cooling Fire in auxiliary building. MCC area AB-Flc6 3.00 & S - 5.5 Fire in control building. SW room IS 2.0065 3.6 j Fire in control building. ESAS cabinet area 2.00 & 5 3.6' I Med. LOCA and fail to establish sump 1.30B-5 2.4 recirculation Excessive main feedwater, leading to !
1.02 & S 1.9 HPI; fail to provide HPI min-flow recirculation after HPI flow throttling, leading to HPI pump failure; and failure of RCP seal cooling to seal LOCA with noIIPI Fire in control building. IE SW room 1.0065 1.8 Loss of air; failure of RCP seal injection and 6.26 & 6 1.1 cooling Large LOCA and fail to establish sump 5.95 & 6 1.1 recirculation SGTR and fail one train of DHR and 5.88 & 6 1.1 opposite train of DHCCCW, leading to ,
i loss oflong-term DHR Very small LOCA and fail both trains of 538E-6 1.1 DHCCCW, leading to loss oflong-term DHR Subtotal 3.164 56.5 Allothers 2.4E-4 fl.ji Total 5.5Fe4 100.0 I
19
)
j these sequences. (See the External Events Section for tube rupture) would have to be raised by over a factor an evaluation of the external events analysis, including . of five to become as important as tie loss of control fire methodology). However, except for the top four building venti:ation initiator. '
sequences, a rather large probability increase in a sig.
nificant number of sequences would oc required to produm a significant change in tte total CDF. Dominant System Failures.nc contribution of individual system failure probabilities can add further !
Dominant initiating Events. Table 5, extracted perspective on the risk profile. Table 6, taken from the from the PRA, shows the ranking of accident initiating PRA, shows the re'ative ranking of system failure con-events. As would be expected, based on tie preading tributions to the CDF. Unlike the dominant accident discussion of dominant accident sequences, loss of sequences and initiating events discussed previously. '
control building ventilation dominates the accident ini- there is no single system which overshadows the risk tlator contributions to CDP. In fact, the probability of contributions. De top seven systems all contribute the second most dominant initiator (steam generator over 20% to the frequency of CDP, After the seventh .
Table 5. Dominant initiating events from 30-1 PRA CDP, Total Mean Frequency CDF-Descrintinn Per Reactor-Yr 'f%)
Loss of CBV 2.0054 36.4 Loss of other support systems - 4.53E-5 8.2 Loss of offsite power 2.90E-5 5.3 Loss of river water to pumphouse 1.58 & 5 2.9 All other transients 6.09E-5 11.1 Very smallLOCAsincluding SGTR 5.585-5 10.1 Alllarger LOCAs 3.58E-5 6.5 1.00E-7 <0.1 LOCA outside containment Fires cxplicitly modeled 8.645-5 15.7
<l.00E-5 <2 l
All other fires and allintemal floods ,
?
Earthquakes 2.70E-6 0.5 Extemal flood 7.5E-6 1.4 :
Tomado 1.2E-8 <0.1 2.3E-7 <0. 5
'Ibrbine missile 1.0E-7 <0.1 Aircraft crash 2.6E-7 <0.1 Toxic chemical 20
Table 6. Systerns contributing to core damage frequercy, from internalinitiators,TMI-1 PRA Contribution to CDF from Intemal Events' System
_ (0 i
Controlbuilding venidation 43 i p
Decay heat removal 37 Highpressure injection 37 1
i Electric power 24 Main steam and feedwater 23' RCS pmssure control 22 Decay heat cooling water 21 Intennediate closed cooling water 9 Emergency feedwater 6
Instrument air :
4 Nuclear services coolingwater 4 I Engineered safeguards actuation 2
Reactorprotection 1 !
- a. Total percent sums to more than 100, tecause more than one syrtem failure may occur in a given core damage -
sequence, i highest system, the contribution drops significantly . Specifically, the study limits consideration of acci-
- (down to 9%) Specific assumptions relative to plant dents, according to page 1-10 of Wlume 2, to those modeling and system reliability associated with these ,
initiated from power levels above 15% (the power . !
systems are considered in other sections of this report.
threshold, according to the study, for automatic feed-Evaluation of Major Assumptions.This section water control). The study further states (page 1-11)-
evaluates the major assumptions made in the TM1-1 that the PRA team considered accident initiating PRA, with particular attention given to the risk domi. events from shutdown conditions to be " insignificant." -
nant contributors identified in the precedmg discus- However, no basis is given for this judgement.
sion. In addition, assumptions made in de area of the overall scope of the PRA study are included, in recent years concem has been developing, among Scope. De scope of the study conforms generally the NRC and others, that core damage frequency due to ;
with traditional PRA studies. Only one aspect of the accidents initiated during shutdown cond;tions may be scope was found to be questionable and selected fut significant enough to warrant consideration. This con-evaluation. This aspect is tie limitation of the study to cem appears to have been generated primarily from '
consideration of core damage events whict, may be ini. event reports indicating instances where tie integrity tiated only from elevated power levels. of decay heat removal during shutdown conditions has 21 I
O
1 1
1 been compromised, most recently in the incident at bution to core damage from the loss of control building ventilation accident sequence is grossly overestimated Diablo Canyon.15 in tic PRA and is probably negligible. -
As a result of this concem. the NRC established Ge-As a result of this review of material related to Ap-neric Issue 99," Improved Reliability of RHR Capabil. '
pendix R, the assumptions m, the PRA relating to se-ity in PWRs," to examine the issue. In support of the quences involving loss of control building ventilation oregoing resolution of this issue. Brookhaven Nation, appear to be moot. Some review of these assumptions al Laboratory performed a study of the bequency of was done and appears here as Appendix A to this re-core damage due to insufficient decay heat removal under shutdown conditions.16 Tleirstudy concluded yiew rep rt. Additronal assumptions relative to otler (
uutiatmg events are provided in the initiating Events that the frequency of such events was 5.22Pe5/yr for Section of this report.
PWRs. While the study used the Zion plant as a model and data in Reference 17 as a framework, the results were considered as representative of "most" U.S.
Miscellaneous General Assumptions. This. I section identifies and evaluates miscellaneous general l l PWRs. Tins result,ifit applies to TMI-1, would rep- mmptions which are considered to be inconsistent or i
resent an approximate 10% contribution to the core unusual compared to standard PRA practice, or are damage frequency estimated in the TMl-1 study considered questionable on other grounds. Only gen-(mean frequency 5.5B-4/ys) and would thus become crat, or global, assumptions are considered here widch the second most dominant contributor. are not specific to individual elements of the PRA. 1 These more specific assumptions, as noted previously, As a result of these considerations, the TMI-l PRA are considered in other relevant sections of this report.
assumption that the frequency of core damage acca-dents from shutdown conditions is " negligible"is con
- Orn/ fled Dependencies. The PRA states on -
sidered questionable, and the basis for it (judgement of page 1-8, Volume 2 that "certain dependencies...were the PRA team) inadequate, judged to be insignificant contributors to risk and were therefore not explicitly modeled in the TMI-1 plant '.
In/ fisting Event Frequencies. As indicated model. These include the effect of flooding retalting above, a single initiating event, loss of control building from high energy line breaks, and the impact of seis- !
ventilation,is by far the most significant initiating mic Cless 11 components falling and striking seismic event in the PRA. In efforts to obtain additionalinfor* Class I components." However, Volume 7 does in-mation to assist in evaluating the loss of control build- clude consideration of high energy line breaks in the i ing ventilation sequence, additional documents were spatialinteractions analysis, failure of non-seismic obtained which are relevant to the issuc.12,13 These Class I components causing failure of Class I equip-documents were prepared by GPUN Corporation in ment has been found to be an important contributor in support of their assessment of the compliance of the other PRAs, but high energy line break flooding has TMI-1 plant to Appendix R (fire protection) Tiry not.18' 19
?
l were not submitted in support of the PRA, and the .
PRA is not discussed in the documents. Howcver, the y-Sequence. :It is assumed in the PRA s documents do provide a rather detailed evaluation of (page 1-11) that the V-sequence accident (rupture of the control building heat-up rate following loss of ven. . the primary system into the low pressure RHR system, tilation and also provide additional data to support the causing RHR pipe mpture) leads directly to core dam. l conclusion that much of the equipment in the building - age, and is therefore not treated explicitly in its own can survive temperatures in excess of 104'F. The basic - event tree. The basis for this assumption is that the se-2 l conclusion from the evaluations is that the loss of con- quence has a very low frequency. The frequency of the trol room ventilation will not result in loss of the core event was found elsewhere in the PRA (Volume 5,
- i. cooling function for times up to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, although page 3-17,18) to be 7.89F,-8/yr. While this assump-some minor human actions would be necessary, in- tion is conservative and may not have a significant in-cluding opening doors and tuming offlights in the con
- fluence on the overall PRA results (which exclude trol room. This conclusion is supported by detailed consideration of offsite consequences),it should te analysis supplemented by test data. The evaluation ap- . recognized that this accident sequence can result in i pears to be reasonable and consistent and has been ac- very large offsite consequences, depending on the -
cepted on tie basis of an NRC review. I4 An analysis plant configuration in the vicinity of the RHR line l of the effects on the PRA would require substantial ef- break. On the other hand, a recent analysis f9r a differ- 1 fort and was therefore not undertaken as part of this re- ent PWR indicates that this sequence may not rupture view. However, on balance it appears that the contri- the RHR piping; instead, this sequence will result in a -
22
1 i
l much more tenign f.equmoe with reduced core dam. ure events--thus,it was very difficult to evaluate the age probability aM lower source arms even if die core PRA-identified dependencies. Tte PRA should have
! does melt. 20 It would appear app *opriate, especially provided enough of a system description to allow an if the PRA is to be exterded into a level 3 risk asses. independent evaluation of their conclusions, and to tell i
sment, to evaluate this sequerce in more detaJ. the user what the system configuration was at tte time of evaluation. If this information bad been provided MV Mupfure. De potential for reactor vessel rup. tic PRA user could determine casily if de analysis still ;
ture from pressunzed thermal shock (PTS) conditions applie:l to a particular system or if the system has tan has become a safety issue of concern in recent years, modificC since de PRA. It was necessary to obtain the ,
particularly for older plants. Dus, assumptions re. P&ID's and FSAR to determine de system functions garding de treatment of this issue in the PRA were ex. and wir suppon systera
- . *dned. On pages *-.13 & 14 of Volume 2, the general appreadi to the issue is discussed, and P. is stated that For this review, die syste:r Apmlencies were de.
"GPUN has estimated (based on previous work by tennined inde;endendy by selecung de systems nes.
B&W) that the conditional failure frequency of the ignated as frontline systems in Table 1-1 of Volume 4, 5 reactor vessel, given that an excessive cooldown sce. Chapter 1 and using the y& ids and the FSAR to iden. >
natio has occurred, is always less than SE-4. The ufy aH of de suppon systems for the frontline systems.
event is accoanted for by including snetor vessel rup. De support systems were then examined to identify ture on all event trees where PTS might occur." The their support systems The P&lD's were then te.
PRA also assumes (page 1-14) that no credit is given viewed to detennine if there were any other systems for mitigating reactor vessel ruptures. A more detailed that could te imponant to safety but were not ircluded ,
discussion of excessive cooldown events and PTS is in de frondine or suppon systems fmind in the above given on page 4.1-12 and 13 of Volume 3. Here it is investigation. De system dependencies discussed in stated that *la cach situation where an excessive cool. de TMI-I PRA were then compared with the depen.
down occuned, the likelihood of reactor vessel rupture dencies found above to determine if sll of the support was considered. The basis for this likelihood is the systems were considered in the analysis, pressurized themial stress analysis done by Batcodt &
Wilcox and GPUN and documented in the Systems Electrical Dependencies. The electrical depen.
Analysis Report (Volume 4), Section 19." However, dencies of tte frontline systems and their suppon sys.
tie B&W analysis was not in the PRA repon-it was terns were idendfied in tie individual system discus.
to be provided at a later time, hus, the specific treat. sions of Volume 4, books 1,2, and 3. He electrical ment of FfS in the PRA could not te reviewed com. dependencies for all frontline and support systems, ex.
I cept the systems discussed telow in tie discus.: ion of pletely. See the section on Comparisons with Generic and Unresolved Safety issues for more discussion. the mechanical system problems, were identified in the PRA. De ek ctrical power supplies identided in the PRA f r several Me systems,and s me f the can.
DeNndencY AnalYsis potents for other systems, were checked against the P& ids and the PSAR and found to be correct.
- Introduction. This dependency .nalysis was per.
l formed to determine if all of tte frondine suppen sys. Mechanical Dependencies. The following me-tems and tteir support systems were modeled in the chanical support systems are not discussed in the analysis.
TMI- ! PRA but they appear to be imponant systems:
Review Appoach. System dependencies are dis.
- Fuel Oil and Feed Pump Seal and Leak Off e issed in Volume 3 Cnapter 3 and Volume 4, Chap. System ter i of de TMI-l PRA. Volume 3, Chapter 3 denti.
fies the frontline and suppon systems ard describes the
- hrbine Lube Oil System l system dependencies. Volume 6, Chapter I provides '
I tables listing the fronthne systems, support systems,
- Diesel Generator Services ;
and the systems ravened f*om the PRA because they did not support safety functions. Some of de system
- Diesel Generator Lube Oil Systems description chapters in Volume 4 also describe some of the system dependencies. A major problem encoun-
- Diesel Generator Jacket & Air Cooler Cool.
teredindereviewof thed perdencyanalysiswasthat ant System l
the PRA did not describe all of the TMI-l systems-l most of the system descriptions orly discussed the fail.
- Diesel Generator Gear Box Lube Oil System 23 i
i I
Other Dependencies. The following mechanical I e Fuel Oil Unloading Stations.
support systems are listed in nhe TMI-I PRA as not 1 important to s.afety and not considered further, but they ]
ne Feed Pump Seal ard the hrbirr Lube Oil sys- appear to be important to de frontline or support sys-tems support de main feedwater pumps. ne only ac. tems they support:
cident sequences that could te noreconservatively af-fected by not considering these systems are the e Station Fire Protection System sequences involved with maintaining enough feedwa-ter to the steam generators with the main feedwater e Penetration Pressurization System pumps. Accident sequences involved with failure of the main feedwater pumps contribute about 14% to tl*
- Fluid Block System.
core damage frequency; however, only 0.1% of those ,
failures involve main feedwater pump failures that are The Station Fire Protection system is listed as not not guaranteed failures such as " operator trips main important to safety; however, it is the backup coolant feedwater pumps," or " main steam isolation valves supply for the Instrument Air Compressor. In fact, the closed." Based on the small contribution of main feed- PRA irdicates in another chapter that tie Instrument water pump failurtc to the core damage frequency,in- Air Compressor cooling system has such a small fail-cluding the affects of de feed pump neal and lute oil ute rate that it can be ignored tecause of the backup systems would probably not have a significant impact cooling sptem. Listing the Fire Protection system as ;
on tie core damage frequency. Oder main feedwater not important to safety is an error in the system de- '
pump accident acquemra are involved with overcool- scription only; the analysis resuhs pertaining to the in-ing, thus not considering a possible failure mode strument Air Compressor are correct.
would be corservative. ,
Tte Penetration Pressurization System and the Fluid Block System are parts of the Reactor Building Diesel Generator Support Systems. ne sys- Isolation System (RBIS). Although the RBIS will not tems associated with the diesel extators will affect contribute to preventing core damage and need not te the availability of tie diesel getw rs; however, all considered in a level 1 PRA, the TMI-I PRA lists the but the Fuel Oil Unloading Stations and the Fuel RBIS as a frontline system and calculates an Trarsfer Pumps are an integral part of the diesel gener- unavailability for the system. Not considering the alors and are considered in the development of the die- Penetration Piercurization and the Fluid Block system sel generator failure rate. The TM1-1 PRA used plant ssurization System pressurires all electrical penetra-specific experience in the development of diesel gener- tions, the fuel trarsfer tubes, the equipment access in ,
ator " fail to start" and " failure during first hour of op- tte RBIS unavailability could be a serious underesti.
eration" failure rates, and generic failure rates for de mate of the RBIS failure rate. The Peactration Pre-the " failure after one hour of operation" failure rate, hatch, and the normal and emergency persoru el air Because tie lobe oil am! coolant circulating systems locks, and the Fluid Block System backs up the con-are integral to the dicscl generators, their failure rates tainment isolation system valves by pressurizing the will be part of the plant specific ark! generic failure piping tetween the va! 1s and/or the valve bonnets, rates. ne fuel transfer pumps and fuel st rage tanks 1.oss of these systems could open significant leakage are plant specific, and they are not required until three paths from the reactor building to the envirotunent. I hours after the diesels are started, thus their contribu-J tion to the diesel generator failure rate will not be in- Some other minor discrepancies found during the cluded in the plant specific or generic failure rates. dependency review are noted below:
The mission time of the diesel generators is 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, ]
and the diesel generator day tanks have about a 3-br Table 1-1 of Volume 4, Chapter 1 lists de frontline fuel supply; thus the pumps must start and fill the day ' systems. he frontline systems listed on the table tanks seven times during the 24-hour mission. Each do not agree with the trontline systems identified in >
diesel generator has a de and ac powered fuel transfer Volume 3 Chapter 3. Frontline systems identified pump with automatic start based on day tank fuel level. onTable 1-1 that are not identified as frontline sys-The pumps are powered by the Engineered Safeguards tems in Chapter 3 are: BWST, PORV/SRV, Reactor buses. Diesel gercrator failures contribute about 9% Building Ernergency Cooling. Ifigh Pressure injec-of the core damage frequency. But given the dual pow- tion, Low Pressure injection, Main Steam Safety er sources for the pumps, ticir unavailability is prob- Valves, Reactor Building Sump, Electrobydraulic ably very small. Control, Make Up, Seal Injection, and Condensate.
- 24
I I
I I
Parts or components of some of the systems are dis- opment of the RBIS failure rate; however, the RBIS I cussed in Chapter 3, and tre write-up of Chapter 3 does not contribute to the prevention of core damage.
indicates the Condensate System is considered in the Main Feedwater System, but it is very difficult to determine if all tmportant system components Comparison With Crystal River were considered in the dependency analysis. 3 PRA Table 1-2, Support Systems Analyzed, indicates An important feature of the review of any PRA is to that the Condensate Polishing and Condenser compare tie results to the results of oder PRAs per- ,
Circulating Water systems were analyzed as formed for similar plants. In this case, the Crystal support systems. Volume 3, Chapter 3. Support River 3 (CR-3) PRA serves as the comparison rool. 22 i
System Model does not indicate these systems are De purpose of this comparison is to evaluate wlether -
support systems. Dey are shown in some of the or not the estimates of core damage frequency for the figures of Volume 4. Book 2. Chapter 10, Main two PRAs produce any insights that indicate a differ- !
Feedwater and integrated Control System Analysis, ence in either the design and operation of the plants or but not discussed. the performance of the PRAs. .
Plant Visit to TMI-1. During the plant visit to The method of comparison in this review focuses TMI-1,* a brief tour of de buildings containing safe- primarily on the differences in the results and method. '
ty-related equipment was conducted. The equipment ology of the two PRAs. His is due to the fact that appeared to be adequately separated and free of ob-TMI-l and CR-3 are Babcox.and Wilcox (B&W) vious common cause failure dependencies that might plants of almost identical design. Thble 7 shows the he activated by mternal fires, flooding, seismic or oth-major systems analyzed by both PRAs and indicates er environmental shocks. Most safety-related valves the similarity between the plants. he only obvious .
appeared to be operable by handwheels as well as by differeras are in de cooHug water systems, the use of '
motors. The only obvious common cause failure two motor driven EFW pumps at TMI-l whereas mechanism was flooding above the PMF clevation of CR-3 uses one motor driven EFW pump, and different 310'--tle equipment required for safe shutdown is vendors for the RCPs. Review of the success criteria consistently protected up to this elevation, for the major systems and functions indicates no sig-nificant differences, his comparison discusses the Conclusions. De TMI-I PRA considers all impor-similarities and differences between tie two PRAs and tant support systems except for systems supporting the g.nes de areas where significant differences existi diesel gercrators, de main feedwater pumps, and the RBIS. he fuel transfer system for the dicael genera-Analysis. Both the CR-3 and the %G-1 PRA reports tors is required to function during tie 24 -br mission i time; thus not considering it could conceivably have a indicate that they were Level 1 PRAs. i A level I significant impact on the core damage frequency be- PRA is an evaluation of the likelihood of core damage cause failure of the diesel generators contributes 9% to for a nuclear plant and includes technical analyses as the core damage frequency. But tie fuel transfer sys, outtined in the PRA Procedures Guide. 3 As noted tem appears to be very reliable: each diesel has two elsewhere in this review, the TMI-l PRA includes pumps, one ac powered and one de powered, with the much more analysis than is necessary for a Level 1 power supplied by de Engineered Safeguards Buses. PRA. The systems analysis and event tree models The feedwater-pumps failures contribute less than from the TMI-l PRA went teyond the end state for a 0.1% to the core damage frequency; thus, increasing Level 1 PRA and incloded evaluations of systems that the feedwater pump failure rate to include the seal and have no impact on the estimation of core damage fre-l- lube oil system failure rates would probably not cause quency. The analysis was typical of that performed a significant change to the core damage frequency. prior to a Level 2 or 3 analysis in which systems relat-The RBIS support systems not considered by the ing to containment perfonnance and post-core damage i TMl-1 PRA should have been factored into the devel. phenomenology are included. Dis results in more l complex event trees and makes comparison of de re-l suits of the two PRAs more difficult. ,
In addition to the fact that the TM1-1 PRA ex-
- a. Letter from IL 1 Reilly, EG&G Idaho, to amined sequences beyond the scope of a level 1 PRA, Dr. Arthur Busiik, NRC," Report ofTMl-1 Plant Vis- the method of analysis for the two PRAs is different.
it, October 18-19,1988," Novemter 8,1988. The TMI-l PRA uses support state event trees '
25
Tatde 7. Comparison of Crystal River-3 ard TMI-I systems System or Fundion TMI-1 CR-3 Cnmments Reactor vendor Babcock and Wilcox Babcock and Wijcox TMI-1 is rated at 2772 MWt, CR-3 is 2560 MWt Reactor coolant h o hot loops, h o hot loops, system four coldloops four cold loops Reactor coolant Four Westmghouse Four Byron-Jackson pumps pumps pumps Steem gercrators Two B&W OTSGs Two B&W OTSGs High pressute Tture pumps with one Three pumps with one injection /make-up nonnally running nonnally running Low pressure ho pumps and heat Two pumps and Leat injection /DHR exchangers exchangers HPI/LPI control ESAS ESAS Power conversion Turbine bypass, main Arbine bypass, main system condenset, two steam condenser, two steam driven feedwater driven feedwater pumps pumps PCS control B&Wintegra:ed B&W integrated control system control system Emergency feedwater One turbine driven One turbine driven and two naotor driven ard two motor driven pumps pumps Emergency ac power Two emergency diesel Two(mergency diesel generators generators Emergency de power Two emergency de h>o emergency de ,
batteries batteries Cooling water NSCCCW, NSRW, NSCCW, hSSW, . TMI-1 has 3 pump trains for systems D!!CCCW, and DHRW DHCCCW, and DHSW NSCCW and NSRW while CR-3 has five NSCCW pumps. DHCCW are similar.
Both have 3 pumps dedicated toNSSW and one to each DHSW train.
combired with front line event trees: the support state headings, or to develop appropriate models of the sys-methodology (large event tree /small fault tree) tems for specific boundary conditions (refened to as !
appmach. his approach relies on the anhlyst to either split fractions). This method produces a very large j explicitly depict all dependencies tetween event tree number of sequences to estimate the core damage l ,
26
frequency. %e CR-3 PRA uses tie fault tree linking in its loss of feedwater initiator since its only impact (small event tree /large fault tree) approach to model- was on the feedwater system. Thu-l separated loss of ing the plant response In this method, dependencies air because of impacts on systems not related to core terween headings are accounted for by including the damage prevention. Tte CR-3 PRA also included loss common events in the fault trees for each of the sys- of a single ac bus, spurious ES actuation, and spurious tems and using a computer code to generate sequence low pressure signal initiating events. Although the cut acts that appopriately account for them. Compari- DC-1 PRA did not cxplicitly model these events, the son of the results of two PRAs that use such distinctly results of the CR-3 analysis indicate that they were not different methods requires that care te exercised to in- contributors to the dominant sequences. Dus, their sure a fair comparison. omission does not appear to be significant.
With the systems analyses so different, the most A special class of events that is considered in PRAs practical points of comparison terween the two PRAs is anticipated transients without scram (ATWS) are at their beginnings and at their ends. The initiating events. Some PRAs treat these events as initisting
. events and the core damage frequency estimates pro. events, while others treat them as part of the event ,
vide a framework for examining the differences be. trees. In tte case of the TMl-1 PRA,cach of the event ;
tween the two PRAs. trees for transicnt initiators includes sequences relating to ATWS mitigation. Tie CR-3 PRA relies upon ther-Initiating Evente Comparison. Another section inabhydraulic analyses that irdicate that the most se-of this review examines the details of the PMI-I initi- vere ATWS scenario would result in a LOCA with the ating event analysis. His section compares the start- IIPI ard LPI systems unaffected. Thus, they conclude ing points for the two PRA analyses without examin- that the analysis of LOCAs bounds the response for '
ing the details. %ere are three general areas for PRA ATWS events. It appears that the treatment of ATWS initiating events: loss of coolant accidents (LOCAs), events explicitly in the ThU-l PRA reflects the more transients, and special initiators. This section com, standard approach. Ilowever, ATWS events are not 5 pares the treatment of these events by the two PRAs. part of the dominant contributors from the Thu-l sequences.
%e TMI-l PRA includes initiating events for four In summary, the Thu-l PRA corr. pares favorably LOCAs and for steam generator tube rupture (SGTR) with the CR-3 PRA with respect to initiating event se-events. De ThC-1 LOCAs are classified as large, me-lection and frequency evaluation. %e Thu-l overall dium, small, and very small LOCAs. The CR-3 PRA transient frequency appears to be a factor of 2 lower uses only two classifications,large and small, along than the CR-3 frequency. %c differences in special with the SOTR event. De frequencies for these events initiator selectiors appear to be due to reasonable in the two PRAs are comparable, with TMI-I frequen-grouping preferences of the analysts. The lack of dom.
cies for the small and very small LOCAs slightly high-inant sequences invohing these initiators from either er (factor of 2) and large and medium LOCAs slightly PRA indicates that disparities in this area are not lower (factor of 1.5) significant.
, Re general transients for the two pla..u correspotd. Comparison of Dominant Sequences. As l Dey include turbine trips, reactor trips, feedwater dis- noted earlier, tirre was a significant difference in the
! ruptions, and steam line breaks. The frequencies for manner in which the two PRAs analyzed tie plant re. '
the TMI-I events are similar to the CR-3 events, with sponse to initiating events. The TMI-I PRA included the exception of reactor. and turbine-trips and loss- analyses relating to containment systems. The ThC-1 of-feedwater es ents. %e TMI-l frequencies for these PRA examined the effects of fires and floods. In addi.
initiators are appioximately a factor of 2 lower than the tion, a significant increase in the core damage frequen-CR-3 frequencies. Data fur the Th0-1 PRA included cy for the TM1-1 PRA was caused by the assumption only the years of operation prior to the accident at that a loss of control building ventilation would lead to TMI-2 that resulted in the shutdown of TMl-1 for sev* core damage due to failure of the electric power to the eral years. It is not known what the impact of the year seal injection and cooling systems. Another part of l- of operation that occurred after restart would have on this review report concluded that this assumption was
) these values. unnecessary.
Special initiators evaluated by both PRAs included For the armainder of this section, comparison of the loss of offsite power loss of air, loss ofICS power, and two PRAs will ignore (le effects of several events in loss of river water. Tic CR-3 PRA included loss of air the TMI-l PR A that were not included in the scope of 27
tie CR-3 PRA. Table 5-1 of the Thu-l Technical Events section) that the frequency for Thu-l should Summary Report details tie effens ofinitiating events be higher than that used in the PRA. Regarding on the core damage frequency estimate. Excluding frequency of turbine trip, the TMI-l PRA used plant-control building ventilation failures, fires, floods, and specific data, it remains to be seen whether future carthquakes reduces the core damage frequency esti- operation of TMI-l will continue to have such low mate from :i.554/yr to approxirnately 2.5E 4/yr. '!he values for reactor and turbine trip. Finally,if errors remaining sequences are tie basis for comp:. ring the existed in the CR-3 fault trees that caused the condi- I results of the ThU-l PRA with the results of the CR-3 tional core damage frequencies to be erroneously i PRA. small, that would serve to explain some of the differ-ence that we noted above regarding the comparison be-The ANL review of the CR-3 PRA, including un- tween corxiitional core damage frequencies for CR-3 -
published information that ANL referred to as the and ThC-1.
" updated" PRA, concluded that some of the sequence frequencies should be different from those publisted Table 8 compares CR-3 and Th0-1 results, using in the CR-3 PRA.23 The principal changes recom- the values reported in the ANL review for CR-3. Oen-mended by ANL involve a) frequency of small-break crally, the agreement in estirnated CDFs for given ini.
LOCAs, b) frequency of turbine trip, c) several errors tintors is quite good, llowever, tiere are larger differ-tiey found in the CR-3 fault trees. Regarding small- ences when the initiator frequencies and conditional '
break LOCAs, we commented earlier (see initiating core damage probabilities are compared.
Table 8. Comparison of Crystal River-3 and ThU-l PRA results TMI-l
Initiating Event Egg._ CDF . Prob. Freq. _CDE. Emh Tbrbire Trip 1.MEO 1.28E-5 7.866 - - -
6.7E0 1.20E-5 1.8E-6 i
Reactor Trip 1.38E0 2.1 E-5 1.5E-5 - - -
Loss of MFW 2.33E-1 3.18E-6 1.4E-5 1.40E0 7.60E-6 5.4E-6 Excessive MFW l.18E-1 1.8E-5 1.5E-4 - - -
LOSP 7.10E-2 2.90E-5 4. lE-4 3.50E-2 3.40E-5 9.7E-4
, SGTR 1.13E-2 3.84E-5 3.4E-3 8.60E-3 3.80E-6 4.4E-4 Loss of Air 6.00E-3 1.98E-5 3.3E-3 - - -
i Loss of RW/SW 7.41E-3 1.58E-5 2.lE-3 5.60E-3 2.10E-5 3.8E-3 l
Large LOCA L91E-4 8.24E-6 4.3E-2 5.0E-4 6.4E-4 1.3E-2 Med LOCA 4.20E-4 1.973-3 4.7E-2 - - -
Small LOCA 2.20E-3 7.27E-6 3.3E-3 3.00E-3 1.40E-5 4.7E-3 Very sm LOCA 5.19E-3 1.74E-5 3.4E-3 - - -
- a. TMI-l PRA.
- b. ANL review of CR-3 PRA.
28
Comparison of the sequences remaining in the control building ventilation are excluded, are similar in TMI-I PRA when external events and the control regard to the nature of the events ard the relative con-building ventilation sequences are removed revealn tributions te core dunage frequency. The comparison l
that the top ten sequences for TM1-1 are similar to is not as good when the conditional probabilities of those for CR-3. While the relative order between the core damage are compued for different imtiators. For two varies slightly, the basic features are the same. some initiators. TMI-I is higher; for oders, CR-3 is Each of the sets of sequenceHontains transient events higher. Considerably more work v ould be required to with core damage occurring due to seal LOCAs and ascertain all the reasons for the ditTerenws.
failure to makeup to the primary system. Each con-tains t OCAs with failure of recirculation switchover. Comparison with B&W Owners' St?am generator tube ruptures with failure of decay heat removal are in both sets of sequences. Thus,it ap-g ggg pcats that the two PRAs produce similar dominant se-querces when the external events and control building IntrodJction. The purpose of this review is to com-ventilation events are excluded from the TMI-I pare the issues raised in the D&W Owners' Group analysis. (B&WOG) eva uation of plant trip frequency and se.
verity to the TMI-I PRA. 'Ibe B&WOG Safety and j Perfonnance Improvement Program (SPIP)inverti-There are some r.mportant differences m. the manner
, gated a large number ofissues relating to B&W reactor !
m which the two PRAs treat the seal LOCA events. trips and the severity of the responses to those trips. )
The dominant seal LOCA scenario from the TMI-I The Owners' Group report B AW-1919 contair.s tteir j PRA involves events which result m overcooling of '
3;s g g 3,24 The NRC seEOrt the primary system, leading to an HPIinitiation. This is due to shrinkage of the primary coolant volume NUR -1231 contains the staff's review of th.is resulting in reduced pressurizer level, which causes *0fk-pressure to drop. The TMl-1 analysis asks the question as to whether or not the opeistor will take Analyale. The B&WOG program addressed the is- ,
sues relating to the frequency of transients ac B&W action,it accordance with his ptocedures, to throttle HPI flow before overpresturizing the primary and plants and the severity of the posttrip plant tesponse, causing tte power operated relief valve (PORV) or The program examined operating history of trips and safety relief valves (SRVs)to open. Assuming that the the subsequent plant response, in addition, the pro-operator has properly diagnosed the cotulition and is gram examined the root causes of these trips as well as throttling HPI flow, the analysis then assumes that the Ce design criteria of the systems that could mitigate operator will have created a condition wherein the the impacts of the trips. The SPIP also produced a minimum flow valves must be ieopened. The core scale for measuring the severity of plant response to damage sequence results when the operator does not trips br, sed on the response of key parameters such as reopen these valves within the time allotted in the reactivity control; reactor coolant system pressure, Human Analysis Report. Furthermore, the analysis temperature, and inventory; and secondary systern j assumes that all three HPI pumps in this scenario fail pressure andinventory.
l simultaneously arxl catastrophically so that al! HPI is lost. Failure of the seal barrier cooling subsequent to The primary focus of the B&WOG activity was to l this event results in seal degradation and loss of examine ways to reduce the likelihood of complex inventory from the primary system. The CR-3 transiens such as the June 9,1985, Davie-Besse loss analysis assumes a scenario in which seal LOCAs oc- of feedwater event and the December 26,1985,
, cut when barrier cooling fails subsequent to HPI Rancho Seco overcooling transient. Comparison of
- l. failures from other causes. this effort with the PRA for TMl-1 is limited because the PRA focused on core damage rather than preven-m x en s. wever, s reasmaW -
Summary. Comparison of the TM1-1 PRA results to those from the CR-3 PRA was difficult in spite of the
- "I IE# # * * **' #*** W i
, . . the B&% OG with the PRA to determine whetler or l fact ; hat the plants are very sa.mtlar in design and not the PRA analysisincluded them as part of the enve-operration. Ttus was due principally to the fact that the lope of events for estimating core damage frequency.
two PRAs used different methods of modeling and quantification.
Pmf the SPIP examined the potential core damage risk associated with the occurrence of tie more severe Taking into account these limitations, the dominant Category C events (i.e., events wherein one or more sequences for the two plants, when extemal events and Abnormal Transient Operator Guideline response 29
indicators are significantly beyorvl the normal positrip A Category C event alt.o occurs if RCS inventory response, so diat nor. routine operator or safety system limits are exceeded. Ttn can occur wien pressurirer action is required to midgate the tramient). De analy- level is off-scale (low) with a loss of subcooling mar.
sia used evtnt trees developed primarily from the gin, or wten tle PORV or safety valves open. For non-Oconce and Crystal River PRAs, with plant specific LOCA initiators, failure of the operators to start a sec-system unavailabilities where r,uch values were avail. ond makeup pump ard control makeup tiow can lead able from existing or ongoing PRA efforts. In addi. to loss of pressurizer level. The PRA assumes that tion, the NRC review of the SPIP work included an starting the second pump will occur for every transient analysis by Brookhaven National Laboratory (D NL) of (i.e., the probability of failure is low enough to not the potential risk from Category C tiaruieras. corsider tie failure specifically in the analysis). Thus:
the PRA does not address this variety of Category C event. However, the PRA does have nequences wtere j Comparison with Category C Persmatero, HPl has failed wtren required and a seal LOCA occurs. l Co nparison of the sin key parameters for clsasifying events in Oc SPIP with :he leadings Krorn tbc genertj hse sequences would lead to loss of pressurizer level but are not trarnients examined by the SPIP. h other transient event see provides insight into the coverage of B& WOO issues by the PRA. The following discus- mechanism for exceeding tie inventory limits as lifting of tie PORV or safeues. This can occur followmg a sion examines each of these areas and how the PRA addresses stem' transient in two ways: to overfill tbc primary system due to operator f,dlure to throttle HPI flow, or by fail-ing to remove sufliciem heat vi tle steam generatura.
Reactivity control is a key parameser in the SPIP 'Ihis leads to heating and expansion of the primary in-classification of transient response. A Category C ventory until pressure reliefis needed. 'Ihe PRA ad-event here woold be ot.e in which recriticality oc- dresses all these cases. l cured. The TMI-1 PRA only addresses recriticality P in tenns of long-term respome to LOCA initiators. CateFory C events also occur if die OTSO p: essure This is done urder the heading for preven:ing baron exceeds ASME code limits or if pressure drops to the precipitation in the core during longderm reci:cula- point where isolation of the generator occurs. 7he first tion. The FRA does address reactivity controlin tran- condition could only occur if the secondary safety sient cases by evaluation of ATWS sequences. The valves failed to cpen when tequired. The second cun-SP!P scope did not inc!ude ATWS events, dition ceald necur if any of the 2.tcam relief paths (by-pass valves, atmcapheric vent valves, or safety t alves)
Reactor Coolaat System (RCS) tempera *ure control reinsdred open too long. Each of these scenarios is ad-conditions leading to Category C designation by SPIP drer.sedin the PRA.
included two ca3cs: events resulting in overcooling so tba' the plant's Pressurized Themial Shoi (PPS) lim. The last characteristic of plant response that can its are exceeded, and events where subcooling margin lerd to a Category C event is lors of all fe,x! water to is hist due to overheating. bcth OTSOs or overfeeding one or both generators be-yond 95% of the operriting range. 'the PRA accounts
. for tiss mechanism in the MF+, MJt , EF+, and EF-1here are several heaaings in the PRA dealm.g with headings on the transient trees, overcooling events. hse enclude sec >ndary pressure relief, excessive main feedwater, and excessive emer-Comparison wKh B&WOG Risk A.saessment, gericy feedwater. While the PRA does not examine tte The SPIP examined ttw potential risks tb at Category C frequency of exceeding tte PTS limits, it does include events pose to the B&W plants. While this effort was a heading for evaduating the likelihood of reactor ves. '
not a full-scala risk assessment. it did are risk asses-sel ruptme crom such ovcicoolmg*
sment techniques to apptcdur.te the contribution that Category C ever.ts would be likely to make to the lass of subcooling margin occurs if secondary test plants' overall risk profiles. This was t.ased in part on ,
removal is less than heat input into the reactor coolant completed risk auessments for Oarce and Crystal system. The headings from the PRA that deal with dCs River, ard on risk nssessn ents that wese in progre;s at icsue include main feedwater underfeed and other plants. In addition, NUREG-1231 included an emergency feedwater underfeed. The PRA does r:ot ir. dependent review by BNL to validate the Owacts' explicitly calculate the frequencies ofloss of subcool- Group work, ing margin events. However, tie occunence of a ses-tained loss of inain and emergency feedwater will lead These effcIts indicate that Category C transients do ,
to such an event, t.ot dominee the risk profile at BkW plants. The 30
l ThU-l PRA tends to supncat this assesstnent. Dere is profiles of B&W plants. There are differerces in abso-some disagreemerd between the 30-1 PRA and tre late values between the ThD-1 PRA frequencies for B&WOG ard BNL re iews with resprct to overcool- similar sequences and the B&WOG/BNL evaluations, ing evere.s. Le B&WOG ard BNL reviews concluded with the Thil-1 values being approximately four ttmes l that overcooling is not an important contributer to risk, higher. Some of the differences are because of the l ahhoui;h it would occur more frequently than the more ThU-l PRA assumptions relating to operator errors severe urdercooling events. We Thu-l PRA indi- foDowing overcooling events. Another section of this cates that they are important due to their assmnption review report points out that resiew by ANL of the that the cpentx has a high likelihood of failure to es- CR-3 PRA indicates it underestirnates some se-tablish minimum recirculation flow after throttling the quences, which would tcnd to make f.he contiogent HPI sys'ees following an overcooling even!. This as- probahilities nigree better.
sumption is reviewed in other parts of this review re- :
port. With tie exception of this difference, the major Comparisons with Generic and conclusions of the risk assessments as they relate to Cate gory C events are comparable.
gggg g gggg 4 This part of the review focuses on tte marmer and As reted ebewherc in this review report, the s,bso- extent to whidi the ThU-l PR A modeled selected ge- .
lute value of the cote damage frequency for Utl-1 it. neric safety issues. The particular issues ofinterest higher than in risk assessments of other B&W plants. are:
Cornrvative assumptions relating to contro' building ventilation effects, operator c:ror after throttling HPI, w Passtuired hermal Shock and fire effects, appear to be some of ste reasom for the differences. The B&WOG wl BNL ie views pro. . Dect,y Heat Removal d1ced estimates of the core damage freouency from Category C events that compare favor'bly with the e Failutts ofInstrument Air Thu.I PRA. *ne B&WOG estimates the core dam-age frequen:y from Category C events to be 1.5B-5/yr, e Failures of the Integruted Control System and while the BNL review estimates the contribution at Non Nitclear Instrumentation 1.91M/yr. We PRA estimates that the core damage frequency from excessive feedwater to be 1.0B-5/yr e Generieitsue 23-RCP sealLOCA (this value is the arquence summary value for domi.
nant contributnrs from Table 5-3 of the Techni':al
' e Geretic issue 65 --Loss of Compooent Cool-Summary Report and does not repesent all sequences ing Water leading directly to co e damage resulting from ttus uutiator). While this is the only tt;ansient sequence contained in hble 5-3 of the Tech.
- Reactor Coctant Pump Sca! Performance [
rucal 3ummary that is similar to the evenis analyzed by the B&WOG ar,d BNL reviews, all of the Thil-1 PRA during Loss of all Cooling Cotditions.
I sequences from transient eventr. that lead to core da '
ne manner in whie.h each of these issues was han-age would (by deftniuon) be considered as Category C died in tte PR A is discussed N the following sectiorts.
events. Summing the core damage frequencies for the Tte preferred fomtat is to establish a standard for anal-same transient initiators used in the B&WOG and ysis of each issue, by refertacing NRC sponsored re-l BNL reviews (reactor / turbine trip, loss of hiFW, ex-search on each subject, or by identifying other estab-cessive MFW, and loss of ICS power) produces a fie-lished analysLs to serve as a basis for comparison. The quency of 6.4E-5/yr. As noted in the Techrucal Sum-manner in which tic Thu-! PRA evaluated each issue mary Report, a significant part of this value is due to is t'en compared to the standard, differences are noted, the HP1 throttling scenario ciescribed cather, ano the quantitative impact of conservatism or defi-ciencies is estimated,if possible.
Summary. We B&WOG SPIP examined many is-sues relating to the frequencies and severities of Pressurirect Thermal Shock. Pressurized thermal trkruients at B &W plants. Tte TM1-1 PRA addressed shock (PTS) as evaluated in the TMI-l PRA was com-ttese issues in the constructi m of19 event trees and pared to the work documented in NUREG/CR-3770, a enluation of the sequeuce frequencies. Both the PTS evaluation of Ocome Unit 1, rformed by Oak TM1-1 PRA and the Owners' Group (and NRC to, Ridge National Lab for the NRC. 6 This work was view) agree that die complex tmnsients. ,ts defined by chosen as a basit for comparison because Oconec and tln SPIR are not the dommant conttibuters to the risk Hil-1 are both Babcock and Wilcox reactors.
31
Pressuriud thermal shock refers to a scenario of Oconee results to account for the SLRDS and the events where a rractor vesselis cooled to low tempera- htSIVs, an estimated core damage frequency of ture ard is then repressurized by the initiation of safety 6&8/yr at end of life could be expected at Thil-1. ;
- injection flow, thus creating the possibility that the his is an estimate and does not consider the specific l
fracture toughness of the vesselis insufficient to fracture toughness of the TMI-l vessel versus the provide vessel integrity. PTS is possible lecause the Oconee vessel,nor the specific weld locations or weld ,
ductility of a reactor vessel decreases as the tempera- fluence levels of the 30-1 vessel. I ture is reduced. Severe overcooling transients present i the potential to cool the reactor vessel to the point The ThU-! PRA calculated core damage frequency where normally-induced pressures can induce enough due to RS to be insignificant. A specific frequency stress to propagate existing weld flaws into through- for core damage due to PTS could not be found in the
! wall cracks. %e probability of NS in the early years report. Questions for reactor vessel rupture due to MS of reactor life is very small but increases significantly were asked on nearly all the event trees when events i
as neutron fluence on the reactor vessel inercases with combinod to produce overco?ig conditions. Vessel age, failure is even asked for overpressure corditions when overcooling does not exist. However, conditional Wssel rupture at a point telow the core would pre- probabilities of vessel failure for TMI-l are at least an vent successful reflood of the core by the ECCS. The order of magnitude less than thnse in the Oconee study probability of core damage due to PTS is very plant for similar transients.
spedlic and depends on the following: :
The Oconic report provides fracture mechanics cal-
- Prequency and severity of over cooling tran- culations, specific to Oconec, which calculate condi-sients tional probabilities of vessel failure ranging from 1E7 for excessive FW events to $.4b3 for steam-line breaks without feedwater isolation. De ThU-l PRA e Copper content of weld mr.terial uses B&W analysis documented in Section 19 of the ThU-l SAR for vessel failure probabilities. The prob-e Weld location and neutron fluence accumula- abilities range from 2E-10 for excessive feedwater tion events, to 5.8E-4 for events representing stuck open secondary safeties with failure to isolate feedwater.
- HPI flow streams ard mixing potential. %e 30-1 study also uses a value of 8bl7 for vessel failure under pressurized conditions when no over- )
he Oconec study in NUREG/CR-3770 addressed cooling is present (such as HPl cooling and PORVs fail '
all of tlese issues. The frequency of core damage due to open). De TMI-l calculations were not reviewed, to I% was calculated to te 2.2&7/yr after 7 effective so it is not possible to comment on the reasons for the full power years, increasing to 4.5E-6/yr at 32 effec- differences, tive full power years. Dese frequencies do not take into consideration tic effect of any neutron flux reduc- In summary, the Thu-1 PRA estimates that PTS is a tion programs, '
negligible contributor to core damage frequency. De values used for conditional probability of vessel fail.
De frequency of overcooling transients at Oconee ure upon overcooling question the sufliciency of the was calculated to be quite high due to two specific de- TM1-1 evaluation. However, based on an NRC spon-sign features at Oconce: a) there are no main steam iso. sored analysis of PTS at Oconce. (NUREG/CR-3770),
lation valves on the steam generators, ard b) tiere are in no event is PTS expected to le important compared no feedwater isolation circuits. Isolation of steam gen- to the other contributors to cose damage frequency at crators in overcooling events must be accomplished by TMI-1.
operator action. De Oconee study used very high hu.
man error probabilities for these actions, which otw Decay Heat Removal (Task Action Plan A-45).
viously increased the core damage frequency. NUREG/CR-4713 was used as a basis to review the TM1-1 PRA treatment of decay heat removalissues.
TMI-1, on the other hard, is provided with MSIVs NUREG/CR-4713 is a Sandia study of Arkansas and a steam line rupture detection system (SLRDS) to Nuclear One-Unit 1, which is a Babcock and Wilcox isolate all FW from the SGs upon indication of over- PWR.U The study was done in support of resolution cooling. De overall Oconec frequency of 4.5E-6/yr is of Unresolved Safety issue A-45. Tic study evaluates not directly applicable to ThU-l by reason of these de. the probability of core uncovery due to loss of decay sign differences. However, based on modifying the heat removal after smah break LOCAs and transient..
32
Tte study considered failures of snain feedwater, aux. fled in NUREG/CR-4713 into the Thu-l system and iliary feedwater, low- and high-pressure injection re- sequence models. ne results of tte Thu-l study may circulation systems, and pressuriter PORVs. De not te the same as those of the ANO-1 study, but this study firds that the core damage frequency at ANO-1, is to be expected. The TMI-I study results reflect due to failure of tiese systems to remove decay heat,is plant specific system con 5gurations, data. and human 8.32&$/yr. The stedy also identifies eight specific error probabilities.
vulnerabilities that contribute to this core damage frc.
quency. Dese are: Failures of instrument Alr. lass ofinstrument air at Thu-l fails all RCP seal cooling due to closure of e Failure of the turbine driven AfW pump the injection valves on the seal injection line atxt clo-sure of tte valve on the ICCCW line to the tiermal bar-e Common cause failure of valves in safety sys. tier coolers. Both of ttese failures are recoverable by tems local operator actiom.
e Common cause failure of pumps in safety There is no established analysis for loss of instru-systems ment air which can be used as a basis for comparison with the Thu-l analysis.
e Diesel generator faults The ThC-1 PRA included loss of instrument air as e an individual inutiating event. The frequency of the Common cause battery failure event is stated as 1.5E-2/yr in the systems analysis e
chap'er (Volume 4),6.0&3/yr in the irutiating event Random failure of the RHR pumps table (Table 2-3: Volume 3) and 2.0E 3/yr in Table 6-1 of Volume 3 (mean values of split fractions).
- Operator error to feed and bleed hble 6-2 of Volume 3 indicates 6.063/yr was used in the final quantification. Tte total frequency of core e Unavailability of the Borated Water Storage damage from loss ofinstrument air is 2.055/yr. This Tank. is relatively high compared to many other plants and results in a conditional probability t.f core damage In addition, they consider loss of decay heat removal upon loss of instmment air of about 3E-3. A condi-after extemal events such as fire, seismic, extemal tional probability of core damage in this range is rela-floods, sabotage, and other events. tively high, and ranked higher than the value for most other transient initiators considered in this study.
ne total core damage frequency from the intemal initiated events is S.3E-5/yr. Due to the detail of the Documentation of the loss of instrument air event analysis, tiese results must be considered specific to tree is very sparse and it is difficult to understand the the ANO-1 system configurations and the data used in effect of loss ofinstrument air on the plant, particularly the study, the auxiliary and main feedwater systems. Tte treat-ment of the back-up air bottles is also confusing. It is
%e ThU-l PRA analyzed all of the intemalinitiat- not clear which components are supplied with back-up ing events considered in NUREG/CR-4713. The air bottles, and which system models they were in.
ThC-1 PRA also analyzed the more important exter- cluded in. It appears the EFW control valves and the nal events such as fires, floods, and scismic. De secondary safeties are supplied with the same back-up ThU-l PRA analyzed all of the systems considered in air bottles, but it also appears from the dependency NUREG/CR-4713, probably in greater detail. The diagram on Page 3-51 that the air bottles were in-presentation of results in the ThU-l PRA is not similar cluded as part of the EFW only. De EFW and event to that of NUREG/CR.-4713, so it is not easy to derive TC are modeled indeperxlently, which is not correct if comparable results. Ilowever, Table 5-4 in Volume 3 they are both dependent on the air bottles.
of tie Thu-l PRA shows the contribution of various systems to core damage frequency nese contribu- Fallures of Emergency Feedwater. As within.
tions compare well with the frequencies in the A-45 strument air, there is no established analysis to use as a study, basis for evaluation of EFW modeling.
After reviewing tte fault trees, event trees, and re. The system model for EFW was reviewed. It ap-sults,it is concluded that the ThU-l PRA adequately pears to address all pertinent issues of EFW operability incorporates all the issues and vulnerabilities identi- and performance. The probability for failure of all 33 -
EFW wlen all support systems are available is 3.8E-5. hisissueis difrerent from Generic Issue 65, which in.
This value is on the low erd of expected unavailability volves loss of cooling water systems leading to simul-for a 3 train system, but appears to be reasonable when taneous RCP seal failures and failure of ECCS.
compared to other recent PRAs.
TMI-I has Westinghouse reactor coolant pumps.
Failures of the Integrated Control System and Complete seal failure in one pump will result in a leak Nort-Nuclear instrumenistion. Loss of power to rate of about 500 gpm. his is put into de very small the ICS was evaluated as a specific initiating event. It break category of initiating events. The very small has a frequency of 5.4E-2/yr ard results in core dam- break IE category in the TMI-l PRA has a frequency age frequency of 1.2E.-5/yr. Approximately ore third of 5.1E-3/yr. The recently published NUREG/
of this core damage frequency involves a stuck open CR-4550, Rev. I, Vol. 3, calculates a random seal fail-PORV. A preliminary review of the event tree for loss ure probability in PWRs of 3.9Er3/yr, based on histor-of ICS power indicates the interactions between the ical experience.28 The TMI-I frequency for very ICS and the plant systems were modeled correcdy. small breaks appears to include this conttibutor, r he TMI-I PRA did not model failures of de ICS The model used for reactor coolant pump seal fail-due toindividual component failure. he PRA did not ure upon loss of all seal cooling is discussed later in model loss of power to non-nuclear instrumentation, this section. 1 nor did it model random failure of nonnuclear instro-mentation. It is not known if failure of the power sup- Generic lasue 65. This generic issue involves fail- ,
ply to the ICS umbrellas all oder failures of ICS and ure of cooling water systems which can lead directly to i NNI. However.de initiating event frequency forloss core damage by causing an RCP seal LOCA (due to of ICS power, and the core damage frequency due to loss of cooling) and simultaneously failure of all this event, are relatively high compared to other plants. ECCS (due to loss of component cooling). -
EG&G Idaho examined the effects of loss of Class TMI has Westinghouse reactor coolant pumps.
1E or non-Class IE bus power to ICS and NNI as part Cooling to the thermal barrier is provided by tie Inter.
of an audit of TMI-l compliance with NRC Bulletin mediate Cosed Cycle Cooling Water System. Sealin-79-27. De licensee has reviewed the ICS/NNI power jection flow is provided by the charging pumps, which buses and other plant buses and made hardware and can be cooled by the Decay Heat Oosed Cycle Cool-procedural changes as a result. Based on these ing System or the Nuclear Services Closed Cycle changes, tte draft audit report gave reasonable assur- Cooling System.These closed cycle cooling water sys-r ance that the failure of any single Class 1E or non- tems in tum are cooled by otter cooling water systems.
l Cass !E bus that supplies power to plant instrumenta- he deperxlencies are as felowsb; tion and control circuits will not result in a plant condition requiring operator action and the simulta- SealIrricetion Flow
~
neous loss of the control room hxtication (on which the required action is based).
- Rere is also reasonable as- RCP%ermal surance that a safe (cold) shutdown corxlition can be Barrier Cooling _ Chg Pumn l AllC Che Pumn IB achieved by using existing procedures following the ICCCW Decay Heat CCW Nuc. Serv. CCW loss of power to any single Cass IE or non-Cass IE bus that supplies power to plant instrumentation and NSRW Decay Heat RW Nuc. Serv. RW River Water (RW) RW RW Generic lasue 23. Generic Issue 23 addresses the (Inst. Air)
(Inst. Air) (Inst. Air) possibility of reactor coolant pump seal failure as a small break arul thus as a contributor to core damage,
- b. These dependencies are from Page 3-50 of Vol.
ume 3. Instrument Air was inci uded in this exercise
- a. Alan C. Udy and Harry Reilly, personal commu- because it can (ail all seal :ooling and has dependen-nication, November 1988. cies on cooling water systems.
34
Cardidate Systems for issue 65 are the following:
FailBerm FailSeal RCP Seal Fail HPI Issue 65 Inu Banier Winerable Flow 14 now Candidate ICCCW Yes No No No -
NSRW Yes No No No -
DHCCCW No Yes No No -
DHR No Yes No No --
RW Yes Yes Yes Yes Yes Inst Air Yes Yes Yes No -
his table indicates the only system failure that can some sequences. The seal LOCA modelis discussed lead directly to core damage via seal failure and HPl in tle text section.
failure is the River Water System.
Reactor Coolant Pump Seal Model. TMI-1 is loss of River Water was included as an irxlividual supplied with Westinghoune Reactor Coolant pumps, initiating event with a frequency of 7.4E-3/yr includ. Dese pumps have a three stage seal assembly which ing a factor of 0.17 for noterecovery (cleaning of in. uses a film riding controlled leakage stage and two take screens) within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. A check of tle results in rubbing face seals. Scaling is provided by seal injec.
Table 6-5 of Volume 3, shows core damage Se. tion flow with corarolled leak off between stages. In quences 8 and 9 are Loss of River Water with failure to the event that seal injection flow is lost, back leakage recover in the appropriate time period. Sequence 8 has through the seals will amount to about 20 gpm per the additional failure of EFW, and thus has a shorter pump. This has been determined by analysis recovery time, while Sequence 9 is just the initiator (NUREG/CR-4294) and verified in tests. " In the and noterecovery. he frequencies of these sequences event that seal injection Gow is lost, CCW to the ther.
are 3.9B-6/yr and 3.5E.-6/yr, respectively. mal barrier leat exchanger can provide seal cooling.
As back leakage flows over the thermal barrier heat ex.
It appears that the TMI-! PRA has adequately changer,it is cooled, and thus cooled water flows modeled and addressed the issues raised by Generic through the seals.
Issue 65. However, it is not clear that an acceptable seal LOCA model was used in this analysis. The in the event that both seal injection flow and CCW choice of seal LOCA model determines the time of to the thermal barrier are lost, the seals will gradually seal failure and the leak rate. ne leak rate in turn hae' up and are subject to failure. Maximum leak rates determines the amount of time for system recovery be. under the worst failure conditions can be 450 rpm.
fore core uncovery occurs. The amoum of time for he actual timing of seal failuse, and the expected leak recovery in turn determines the probability of non- rate. have been the subject of much disagreement with.
recovery, and thus inDuences core damage frequency. in the last four years. De Westinghouse research doc.
umented in WCAP-10541, Revision 2 provides one in the loss of river water sequence, the recovery perspective, but this document is proprietary and as factor for the case where EFW is available is 9.3E-4. such was not available to EGAG for review (although This pn sumes a mean recovery time of 10-12 hours. it is available to the NRC). Another seal LOCA model This value is clearly optimistic in light of current seal has been developed by the NRC in support of the j LOCA analysis performed by NRC for the NUREG-il50 program. 30 It predicts seal failure NUREG-1150 program. If an attemate seal LOCA may occur between 90 minutes and 150 minutes after model with a smaller recovery time were used, the im- loss of all cooling. The total probability of seal failure pact on core damage frequency could be significant. is 0.73. Avert.ge leak rate is atx>ut 250 gpm per pump.
De estimated time to core uncovery is about 3.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> in summary, it appears issues related to Generic Is. after loss of all seal cooling (see Appendix B),
sue 65 have been included in tlx TM1-1 PRA. How.
ever, the seal LOCA model used to determine recovery The seal LOCA model used in the Bil-1 PRA was times, and thus detennine recovery probabilities, ap- documented only as a note to the Event Sequence Dia.
pears to te optimistic compared to recent NRC work gram for tte Loss of River Water event tree. De seal on this issue. Use of an attemative seal LOCA model leak rate was assumed to te 20 gpm per pump for the could have a significant affect on the frequency of first ten hours and 300 gpm per pump after that. This 35 i
l 1
I implies seal success (i.e., the seals retain their integ- Element (c)is also considered acceptable, since the rity) for 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />, and then a large seal failure. An ad- use of mean values is now generally standard practice junct assumption to this model is that if seal injection in PRAs (some ektly PRAs were criticized for using flow is restored any time up to 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />, all seat leak. median values). In discussing the use of mean values, age will stop. This modelis much more optimistic the Data Analysis Report indicates on Page 2-21 that ,
then the referenced NRC model. Substitution of the " recommended" values from the IEEE data ;
NRC model in the Th0-1 PRA would be expected to base33were interpreted to be median values. his in- '
significantly reduce allowable recovery times and terpretation was employed because (1) estimators cause a noticeable increase in core darnage frequency, probably had in mind modian values when estimating '
recommended values, and (2) this interpretation would Component Failure Data pnxtuce conservative results, since mean values used in the PRA would be ldgher than the recommended introduction. nis section provides a review of the (assumed to be median) values from the IEEE data base. Since deteils regarding the use and weighting of ,
data used in the ThU-l PRA, as provided in the Data the IEEE data are not provided in the PRA, the extent l Analysis Report (Volume 5). %e Data Analysis Re-f this conservatism could not be established. Howev.
pon presents four general areas of data-related infor. er, it would be expected to be less than a factor of two mation, including: (1) component failure rates, m tenns of overall core damage frequency, since mean (2) common cause failure (CCF) parameters, (3) com. ,
values are typicaHy less than a factor of two greamt ,
ponent maintenance frequency and duration, and than medians for data employed in PRAs. ,
(4) initiating event frequencies. We first two of these areas will be considered in this section. %e other two Element (d)is considered adequate, because the areas are considered elsewhere in this review report.
Multiple Greek Letter method is an accepted method An overall evaluation of the data analysis approach as (see Reference 32 for discussion) for estimating com-descrited in Section 2 of the Data Analysis Report will m n cause failures his method is an extension of the be pmvided first, I simpler beta-factor model. ** v . vo models are equiv.
nt wh estimating 6 eg two componems, ne data evaluated here is limited to data considered in the Data Analysis Report of the PRA. Certain other Element (e) could not readily be evaluated, since types of data, such as human error rates, are evaluated details of the ThC-1 PRA data base development are elsewhere in this report consistent with their use m based on proprietary PLG documentation which was ,
specific applications in the PRA. not made available for this review. Instead, the com.
Data Analysis Approach. The data analysis aP-E " " *" " '* * * " " " " * " " * " * * * "'*"
- l ters contained in this database, as reported in the proach used in the TMI-l PRA, as described in Sec- DU-l PRA, were compared with data from other tion 2 of the Data Analysis Report (Volume 5),in- sources to determine if any significant deviations ex.
volved the following principal elements: isted. Dese comparisons are provided in the follow-
- a. The B ayesian update method was used to combine generic and plant specific data Component Failure Rates.The component failure rates used in the ThC-1 PRA are presented in Sec-
- b. Lognormal distributions were assumed tion 3 of Volume 5 (Data Analysis Report). Dese fail-for failure rates ure rates were described (Page 3-7) as having been de-veloped by combining geretic distributions (obtained
- c. Mean values were used primarily from the proprietary PLG database) and ,
ThD-1 plant-specific failure data. Since the PLO da-
- d. The Multiple Greek letter method was tabas: is proprietary, it was not provided for review.
used for common cause failure Thus, the review consisted primarily of comparing the PRA component failure rates with comparable failure
- c. A PLG proprietary data base was used as rates from other sources which have been developed the principal source of generic data in es- for, and used in, various PRAs for nucleat power tablishing failure rates. plants. The significance of any deviations was estimated by examining the impact the failure rate -
Elements (a) and (b) above are generally standard would have on system failure probabilities, accounting assumptions made in PRAs and are considered accept- for tie relative influence of the specific system failures able, on core damage frequency.
36
T ble 9 illustrates the results of the comparison de- o: curs frequently in system analysis for nuclear power
, scrited in the preceding discussion. Tte first column plants, he gamma factor is defined as the conditional l provides the component desenption, and the second probability that the cause of a component failure that is column the failure mode. he third column provides shared by two or more components will te shared by the failure data from the TMI-I PRA, and the final three or more comporents in addition to the first. For three columns provide comparative data from other a three train system, it can te shown that for a typical ;
sources. he failure rates are all mean values; the op- gamma-factor of 0.5 (most of the TM1-1 PRA gamma crational failure rates, except as noted, are per hour. factors are 0.5), the system failure probability would The " RANGE" column gives the cange of values as be increased by only 25% over the estimated failure p ovided in Reference 21. This range is stated to be rate using only the beta-factor analysis. 32 Further- j from past PRA and safety studies. The ASEP column more, gamma factors for comparison to the TMI-! j refers to the values derived in the NRC's Accident Se- PRA values could not be found in existing PRA litera- i quence Evaluation Program, and was developed from ture. For these reasons, this evaluation will be limited I a variety of data sources. Rese data were used in the to an evaluation of the beta-factors used in the recent NRCeffort to estimate risks from a group ofnu- Th0-1 PRA.
clear power plants. 33 he last columnlists data from a recent PRA wiuch employed an independent data- In order to evaluate the numencal values of the base developed by Westinghouse Electric Corporation. beta-factors used in the Th0-1 PRA, a comparison ,
This PRA has been reviewed by NRC contractors.M with other sources of beta-factors for nuclear power plants was used. These sources included a previous he data values in Table 9 were examined to identi. PRA for a PWR,7 a report which induder geretic be-fy any large differences between the ThU-l PRA data ta-factors from the Electric Power Research Institute and the otler sources. Table 10 lists the major differ- Institute,32 a recent NRC sponscred efTort in whic'.i ences. We criteria used to identify a major difference beta-factors are recommerxied,33 and one additional was a facto of about 5 or greater between the Thn-1 source for diesel generators. 35It should be noted that "
data and other sources, the purpose of the comparison is not to imply that the 30-1 PRA values are suspect 'Ithey don't compare The failure rate differences in Table 10 were ex- well with the others, but rather to identify any large amined to determire if furtier evaluation of the data differences between dem and evaluate further the sig-would oc appropriate. De exarnination consisted of a nificance of these differences. Details of die develop-qualitative evaluation, based primarily on how the fail-ment of the 30-1 beta-factors could not be reviewed ure rates might affect the systems and components because the database used for the derivation which were found in the TMI-l PRA to be significant is proprictary.
contributors to risk. On this basis, none of the failure rate differences in Table 10 appear to be significant ne Seta-factor comparison is provided in nble 11.
enough to influence appropriate system failure rates to From the compadsoo, the following conc!asions and an extent that would result in significant change to the implications can be drawn:
core damage frequency as it is currently estimated in the TMI-1 PRA. For those TM1-1 PRA failures rates Ventilaflon Fans Fall to Start o.- Operate.
for which no comparative value was found, all impor- he 30-1 beta-factor for ventilation fans (.65) is sig-tant rates appear to be reasonable-nificantly lower than the value (.0) in NUREG/
CR--4780. This implies that systems with rnultiple Common Cause Failure Rates. As noted above, ventilation fans would be estimated in the TMI-l PRA the TMI-l PRA employs the multiple Greek letter to have a lower failure probability than would be the CCF model. This moclel uses two parameters, a beta- case using the NUrtEG/CR 4780 value.
factor and a gamma-factor, to quantify common cause contributions. The beta-factor is defined as tre proba- According to volume 2, Table $-4 of the TMI-l bility that the cause of a component failure will be PRA. failure of the control building ventilation system shared by one or more additional components. he is the most dominant system contributing to core meh beta-factor is de lominating parameter in estimating (43%). Further, hble $-4a (Volume 2) of the PRA es-CCFs for the cases of interest, and it is the only factor timates that CCF of the ventilation fans contributes
( used wien only two components are involved, which about 19% to the initiating event of interest (loss of 1
37
Table 9. Companson ofcomponent failta rates JM
_HUEEQlCLJXGL.
Comm.nent Descngben Fadag M sle _ 'D&1 _ Eange_ _ .ASJR _.J7P--3(4)_
Air Compressor Fa2me dunng opersoon 8.10-5 Air Compressor Failure to gart on demand 3.29-3 Air Dryer-Corapressed Air System Failure during geri.dca 1.66-7 Air Filter (ventilation) Failure during operanon 5.83 4 Air Filter (oilremova') Failure durung opershon 1.76-5 Air Filter (compressed air system) Fsiere during operahon 354-5 Battery Charger Faih re dunng operance 1.6b5 IJE-7 Bistable Falore to operate on demand 4.40-5 1.64 o2.44 l Battery (125 V dc) Failere ofoutput on demand 1.29-5 125 V de Battery Failure of output on demand 4.84-4 Electrical Bus Failure dermg opershon 4.98-7 1.5 4
- w Circuit Breaker (ac 480 V and above) Failure to close on demand 1.61-3 Circuit Breaker (ac 480 V and above) Failure to open on demand 6.49-4 Circuit Breaker (ac 480 V arxl above) Transfers opeu during operanen 8.28-7 Circuit Breaker (ac 480 V and above) Failure to close on demand 2.27-4 Circuit Breaker (ac of de, LT.480 V) Transfers open denng opera;ien 2.68-7 Circuit Breaker (reactor trip) Failure to open on demand 2.50-3 3.4F 4 Single Control Rod Assembly Failtne on demand 3.11-5 CavitatingVenturi Failme derir:g opershon 2.66 4 Diesel Chor Failme to stact on demand 1.58-2 8.0-3 to 1.0-1 3.0-2 Diesel Generator Failere denng first hour of operanon 638-3 2.0-4 to 3.0-3 2.0-36 Diesel Generator . Fadere aAer first hour of operance 2.50-3 2.0-4 to 3.0-3 2.0-36 Pneumatic Damper Failure to operase on demand 1.52-3 Pneumatic Damper Transfers openVclosed denng operseen 2 67-7 Fire Damper inadvertent actuahon 4.20-8 Gravsty Damper Failure to operate on demand 1.52-3 EFW Valve Control Circut Fadme on demand 2.41-4 EFW Enable Failure denng opershon 454-5 EFW Actuation Circuit Failure on demand 2.41-4 EFW Level Switch Fadme danng operanon 5.69-6 EFW SignalIsolater Faiime denng operanen 8.75-6
Tatde 9. (continued)
Rate
._JfLEFG CR M hiwwsi.h _ Failus1 Mode 'J16-1 __Eampe .ASEF_ __MP_3(4)
EFW ActuatiorVControl Signal Failure during operation 2.07-5 Expansion Joint Faihue during operahon 1.64-6 Feedwater Hand / Auto Station Failure to switch to manual control (#) 8.07 4 Feedwaterlland/ Auto Station Failure donng operation 130-5 River Water Screen Plugs dunng opersoon 4.51-2 Flow Transmitter Failure danng operaoon 6.25-6 3.9-5 ICS Feedwater Module Failure donng operauen 130-4 Fuse Failure during operation 9.20-7 4.4-7 Ventilation Fan Failure donng operation 3.63-5 Ventilation Fan Failure to start on demand 2.94-3 Heat Exchanger Ngs denog operation 7.49-7
,, IIcat Exchanger leaks / ruptures denng operation 7.49-7 ICS Integrated MasterModule Failure during operanon 5.21-5 Inverter Failure denng opershon 1.83-5 1.0-4 to 1.0-6 1.0-4 Steam Generator Water level Controller Failure dunng operanon 2.66-5 ESAS Load Sequencer Failure to operase on demand 2.40-6
- Limit Switch Failure to operase on demand 4.28-4 1.0-4 LevelTransmitter Failure denng operanon 1.57-5 43-5 Manual Loader Falore denng operauon 2.66-5 Reactor Building Spray Nozzles Ngs dunng operation 7.06-8 Offsite Grid Failure on demand. given plant trip 2.66-4 Pushbutton Switch Faihne to operate on demand 2.40-5 4.0-7 Piping.GE 3-inch Diameter Failure per season 8.60-10 Piping (3-inch Diameter) Failure per secten per hour 8.60-9 '
Power Supply Failure Failure during operation 1.71-5 Pressure Switch Failure to operate on demand 2.69-4 Pressure Transmitter Failure durmg operation 1.57-5 6.5-5 Normally Operatirg Motor-Driven Pump Failure to start on demand 3.49-3 Normally Operating Motor-Driven Pump Failure donng operation 6.69-6 Standby Motor-Driven Pump Failure to start on demand 1.83-3 5.0-4 to 1.0-2 3.0-3 Standby Motor-Driven Pump Failure during operation 4.48-5 1.0-6 to 1.0-3 3.0-5
u . . _ . . .
Table 9. (continued)
Race
__NUREG1CREK31._
lhC_.1 _.__ Range _ASEP_ __hfP-3L41__
campenentl2escnetion Failurc}lmic 331-2 5.0-3 to 9.0-2 3.0-2 Turbine-Driven Emergency Feed Pump Failure to start on demand 930 4 8.0-6 to 1.0-3 5.0--3 Turbine-Driven Emergency Feed Pump Failure to run 2.23-2 5.0 4 to 9.0-2 3.0-2 Turbine-Driven Main Feed Pump Failure to start Failure during operation 6.90-5 8.0-4 to 1.0-2 5.0-3 Turbine-Driven Main Feed Pump Failure to start 3.05-3 Normally OperatingRiver Water Pump Fadure durmg operation 3.02-5 Norma!!y Operating River Water Pump Failure to start 4.11-3 Standby River Water Pump 4.41-5 Standby River Water Pump Failure duringoperation Failure to start 235.-3 Vacuum Pump Fadere to run 336-5 Vacuum Pump 4.0F 4 Failure to operate on demand 2.41 4 Relay 2.7-8 to 1.2-7 Failure donng operation 4.20-7
& Relay 1.00-5 Reactor Sump Clogs / fails dormg operation 3.23-6 1.06-5 Service Water Strainer Failure de,nng operation Nggingdanng operatnen 3.23-4 SealInjection Line Filter 2.94-6 Signal Modifier Fadme during operation Failure to operate on demand 1.40 4 Shunt Trip Coil Failure to operate on demand 2.40-6 7iming Circuit 2.41 4 Time Delay Relay Failure to operate on demand Fadere donng operation 7.50-7 Temperature Element Failure dunng operation 2.66-6 Turbine Exhaust Boot No output 3.41-6 Temperature Monitor Loop 8.0-10 Rupture denng operation 2.45-8 Tanit Failure during operation 1.43 4 ICS Unit Load Demand Module 1.11-2 Ventilation Chiller Failure to start on demand Failure during operation 4.86.-5 Ventilation Chiller 3.51-3 1.0-3 to 9&3 3.0-3 Motor-Operated Valve Failure to operate on demand 9.27-8 2.2-6 to 4.6-6 Motor-Operated Valve Transfers open/ closed during operation Failure to operase on demand 2.43-3 3.0--4 to 2.0-2 1A3 Solenoid Valve Transfers open/ closed during operation 4.95-7
' Solenoid Valve 3.0-4 to 1.0-3 1.0-3 Failure to operate on demand 2.16-3 Air-Operated Valve
Tatde 9. (continued)
Race
_ NURIGCR-455001__
C aL % h u w e -i FhE DEL ___Rasse ASEP_. __.MP-J(4)
Air-Operated Valve Fadere to modulace to control pressee I.62-2 1.4-6 to 4.34 Air-Operated Valve Transfers operi/ closed denng operanon 3.24-6 1.4-6 to 4.3-6 Air-Operated Valve Transfers open/ closed denng operamon 2.62-7 Air-Operated Valve Failure to transferto failed poseon 2.66-4 Electrohydraulic Valve Failure to operase on demand 1.57-3 Electrohydraulic Valve Transfers y..'M denng operation 2.67-7 Stop Oneck Valve Failure to operate on dernand 9.13-4 Stop Check Valve . Transfers operi/ closed donng operanon 1.04-8 Check Valve (other than stop) Failure to operate on dernand 2.11-4 1.0-4 to 6.0-3 1.0-4 Check Valve (intermediate coohng) Failure to operate on demand 5.09-4 Orck Valve (river water) Failure to operate on demand 2.08-3 e
~
Check Valve (other than stop) Gross reverse leakage during operation 9.78-7 Check Valve (intermediate cooling) Gross reverse leakage denng operation 1.81-4 Check Valve (river water) Gross reverse leakage during operation 1.0(H5 Check Valve Gross reverse leakage during operanon 7.24-5 Check Valve (other than stop) Transfers closed; plugs during operaten 1.03-8 Check Valve (intermediate cooling) Transfers closed; plugs during operation 1.04-8 Check Valve (river water) Transfers closed; plugs during q.u.iks 1.04-8 Manual Val'e Failure to open on demand 7.40-4 Manual Vcive Transfers open/ closed during operation 2.14-8 4.9-7 to 2.2-6 Relief Valve (other than PORV or safety) Failure to operate on demand 2.42-5 Relief Valve (other than PORV or safety) Premature open 6.06-6 Pressurizer Safety Valve Failure to cpen on demand (passing steam) 2.92-4 Pressurizer Safety Valve Failure to open on demand (passing water) 2.92-4 Pressurizer Safety Valve Failure to reseat on demand (passing steam) 1.53-3 3.0E-3*
Pressurizer Safety Valve Failure to rescat on dernand (passing water) 1.01-1 Pressurizer Safety Valve Transfers open/ closed 3.03 4 1.9-6 PORY Failure to open on demand (passing stearn 4.10-3 1.0-5 PORV Failure to open on demand (passing water) 4.10-3 1.0-5
.PORY Failure to open/rescat on demand (passing steam) 2.05-2 1.0-1 to 3.0-3 3.0-2 PORV Failure to reseat on demand (passing water) 1.01-1
_. ._ . . ._ . _ . _ _ _ _ - _. , . ~
Tatde 9. (continued)
Rate
... NUREGCR-4550(3)
Componca esqnplson Failum119de 'JMId Ra C JLSEP_ _)1P-3(4)_
Transfer closed danng opershon 3.03-6 PORV Turbine Stop/ Control Valve Failure to operase on demand 1.254 Pressure Control Regulating Valve Transferclosed during operahon I.69-5 Failure to operase on demand I.52 3 Air Co..+.w Transfer Valve 2.66-6 Y-Type Strainer Fadere durmg opersoon Failure oermg operanon 1.26-6 2.8-6d Transformer (GST!UAT/ RAT) 2.8-6d Transformer (station service /480 V to 4,160 V) Failure danng operation 4.28-7 Failure dormg operation I.55-6 2.8-6d Transformer (ii o oega;/120 V to 480 V) g a. Transfers open.
- b. Tune not specified.
- c. Phase of water being passed not ydiwd, assumed to be stearn.
- d. Type and sizeedisd.
~
i Tetne 10. Major differences between TMI-I data ard other data sources camra-ro p.;in, uw .rMI-1 hr(sw
- 1. Air Operated Valve Transfers open/ closed 2.62b7 5.7E-6 (MP-3) during operation
- 2. ManualValve 7tansfer open/ closed 2.14E-8 2.7E-6 (hT-3) ,
during operation t
- 3. PORY Fails to open on dernand 4.1E-3 1.0E-5 (NUREG/CR -4550) '
- 4. Pushbutton Switch Fails to operate on 2.4E-5 4.0E-7 (MP-3) !
demand
- 5. 7\ubine 7tip(MF) Fails during operrtion 6.965 5.0E-3 (NUREG/CR-4550)
- 6. Relay Fails to operate on 2.41FA 4.0E-6 (he-3) demand '
- 7. Ttmpertture Element Fails during operation 7.5E-7 8.3E-6 (MP-3)
- 8. Thnk Rupture during 2.45 & 8 8.0E-10 (MP-3) ,
operation
- 9. Motor Operated Transfer operVclosed 9.27E8 6.FB-6 (he-3)
Valve during operation '
- 10. Battery Charger Fails during operation 1.63E-5 1.3 B-7 (NUREG/CR-4550)
I1. Battery Failure ondemand 1.29E-5 4.0E-4 l (NUREG/CR-4550) i
- 12. CircuitBreaker Fails to open 2.5E-3 ' 3.4B-4 (h@-3)
- 13. HeatExchanger Plugs 7.49B-7 5.7E-6 (NUREG/CR-4550) l l
c 43
Table 11. Comparison of beta-factors s.
TMI-1 NUREG/ Seabrook NUREG/ NUREG/
. Componet _
Fa me Mcde PEL CR-4780 ERA. CR-2099 CR-4530 Air compmosor Fails during operation 0.0$ - - - -
0.01 - - -
Air compressor Fails to start on demand -
Distable Falls to operate on demand 0.05 - - - -
Circuit brenker Fails to open m demand 0.185 0.19 0.111 - 0.08 Diesel generator - FrLie to mart on demand 0.049 ' O.05 0.01$ 0.08 0.02 Diesel generator F.ats during first hour of 0.041 0.0$ 0.0336 - -
operation Diesel generator Faus after first hour of operation 0.041 0.0$ - - -
Pneumatic damper Faus to oprate on demand 0.10 - - - -
Ventilation fan - Fails to operate on demand 0.0$ 0.13 - - -
Ventilation fan Fails to mart on demand 0.05 0.13 - - -
Heat eachanger Pluge during operation 0.05 - - - -
Pump -motor driven, Fails to mart on demand 0.0$6 0.025 to - - -
normally driven 0.076 Pump-motor driven, Fails d iting operation 0.014 - - - -
normany operating Pump--motor driven, Fails to etart on demand 0.162 0.03 to 0.067 to - 0.01 standby 0.17' O.125 0.07' lbmp-mosor driven, Fails during operation 0.034 0.03 to 0.118 - -
standby 17' Pump-turbine driven Fails to mart on demand 0.024 - - - -
Pump-turbine driven Fails during operatix 0.032 - 0.118 - --
1%mp-siver water, Fails to start on demand 0.056 - - - -
nominuy operating f%mp-river water, Fails during operation 0.014 - - - -
nonnaDy operating Pump-river water, Fails to start on demand 0.056 - - - -
standby Pump--river wates, Fails during operation 0.014 - - - -
standby Emergency FW pump Falls to start on demand 0.026 0.03 - - 0.01 Emergency FW pump Fails dming operation 0.034 0.03 0.118 - -
Relay Falls to operate on demand 0.10 - - -- -
Service water strainer Fails during operation 0.10 - - - -
Time delay relay Fails to operate on demand 0.05 - - - - i Ventilation chiller Fails to start on demand 0.05 0.11 - - -
Ventilation chiller Fails during operation 0.10 0.11 . - -
Motor operated valve Fails to operate on demand . 0.081 0.08 0.042 - 0.03 Stop chec k valve Fails to operate on demand 0.10 0.06 - -
Relief valve (not Fails to open on demand 0.10 0.07 - -- 0.03
- PORV or safety) . .
Pressurizer safety valve Fails to open on demand (steam) 0.05 0.07 - - 0.03 Pressurizer safety valve Fails to open on demand (water) 0.05 0.07 - - -
Pressuriier safety valve Fails to rescu on demand (steam) - 0.05 - - -
Pressurizer ss fety valve Fails to remat on demand (water) 0.05 - - - -
- a. See references for details.
- b. Time not specified.
- c. Range for yarious pumps;RHR = 0.11, containment spray = 0.05, service water = 0.03,safetyinjection = 0.17,suailiary feedwater = 0.03.
- d. Range for various pumps: RHR = 0.05, containment spray = 0.02, service water = 0.01, safety injection = 0.07.
44-1
i control building ventilation). On this basis, the cort
- To assess whether the quantification or we damage frequency from loss of control building venti- human errors is credible atd well-supported lation would be about 30% greater if the NUREG/ in the PRA l CR-4780 beta-factors were used. However, this l
would only raise the overall core damage frequency by
- To assess whether the treatment of post-ac-10%, not a large change. Also, (see Initiating Events cident recoveryis proper {
and Assumptions Sections) the core damage sequences
- l which involve containment building ventilation do not To survey the methods used by the PRA and
, appear valid since loss of this system would most like- characterize them by comparison to stardard ly not lead to core damage. Derefore this change in methods.
beta-factor would no longer be important.
Each of tiese objectives is addressed separately be-low. The scope of this review was not such as to allow Standby Afotor Drhen Pumps FsII to Start. revision to the HRA performed in tie PRA, other than !
The TMl-1 beta-factor for this component (.162)is one major human error probability discussed under the somewhat higher than the range (.01.07) given in topic of credibility of the quantification of human er-NUREG/CR-4780 for motor driven pumps. In ex- sors.
amining the dominant system contrite.tions,it appears this failure mechanism would have only a small effect Human Error Identification and Complete.
(a few percent) on the core damage frequency, with the ness. here are two steps in common use to identify TM1-1 result being slightly higher than that which which human errors to include in the quantification of would be obtaired by using tie lower beta-factors. a PRA. %c first step is to determine which human er.
rors o include in the initial screening. The second step Turbine Driven Pumps Fall During Opera- is to perfonn a coatse screening to detennine which tion. Tie Seabrook PRA beta-factor for turbine driv- human errors to examine in more detail, and to quanti-en pumps (.Il8)is higher than the TMI-l value fy them.
(.0317). However, CCFof turbine driven pumps does not appear significant at Th0-1 based on the discus- he identification of human errors to include in the sion in Section 5 of the PRA report. initial screen is usually based on engineering judge-ment, plant history, and literature reviews, as was done in the Thu-1 PRA. However, the engineering judge-Ventilation Chl/lets Fall to Start. The ment is usually perfomied in some clearly systematic NUREG/CR-4780 beta-factor for this component fashion. he system underlying these judgements is
(.11)is higher than the Thu-l value (.05). However, relatively inscrutable in the Thu-i PRA.
this difference does not appear significant based on dominant system failures and their operating modes . In addition, several types of human error were spe-l from Section 5 of tie PRA report. cifically excluded. For example, errors of omission for .
those actions not covered by procedures or written in-structions (an important category, according to indus-For those TMI-I beta factors in Thble 11 for which try experience) were excluded. Errors due to failures values were not given in the sources used for compari-of indicators in the control room during some se.
son, none appear to be unusual or questionable. All are quences were not believed to be within the capabilities within the range of beta factors given in the sources
' of human response analysis at the present time.
used for cornparison, although this range is quite large l
(0.01 to 0.10). Initial (Coarse) Screening Techniques. Initial screening of human errors was performed by deriving values from NUREG/CR-1278 and by obtaining con.
Human Factors sensuaijudgement on " realistic to conservative" prob.
l abilities. M Then the contribution of tie human errors introduction. Review of the Three Mile Island so quantified to overall risk was evaluated by some un. l Ung 1 (ThD-1) Probabilistic Risk Assessment (PRA) stated rulc. The PRA only states (page 2-2, Human lluman Response Analysis (HRA) concentrated on Action Analysis) that the human errors " identified in ,
four major objectives: the initial quantification rounds as being imponant" l were retained for detailed evaluation. i
- To assess whether the errors analyzed in the Credibility and Suppottability of Human Error l HRA are a reasonably complete set Quantification. Eleven of the most important human i 45
actims were investigated in detail. One humsin action and experienced PRA practitiorers. This attempt ap-value that was very important in the PRA was ques. pears to be successful, based on the conclusions of tie tioned. For HSR-3 (failure to switch to sump recircu- other sections of this review report.
lation following a menium LOCA), the value that was used was the value HSR-1 (failure following a Data ureenainties involve the uncertainties in initi-targe 1 OCA). ating event frequencies, component failure rates, and human error rates. Modeling uncertainties involve Treatment of Post Accident Recovery.Wah hu- questions such as success criteria for systems. Two man actions, there are two types of recovery to consid- typical methodologies for handling these two types of er. There is tte recovery of mistakes or misdiagnoses uncertainties are outlined below:
on the part of the operators, and tiere is recovery of systems or components. The review looked at both 1. Evaluate data uncertainty effects on core types. damage frequency by a formal uncertainty.
analysis using a Monte Carlo or discrete Recovery of A# stakes orMisdegnoses. Tte probability distribution method. Then evale-PRA states it is assumed that all such initial misding, ate the effects of modeling uncertainties by noses are eventually successful and tie accident se- perfonning sensitivity analyses querce conectly rediagnosed." Since the Human Cog-
- 2. Evaluate both data and modeling uncertain-nitive Reliability (HCR) model is being used, there is ties in a combined fonnal uncensinty analy.
no such assumption. 37 Both the HCR and the 'nme-sis. (Various modeling assumptions are given Reliability Conclation (TRC) models account for cor- ,
weights m sudi analyses).
rect rediagnosis in tie models and in the benchmarking of tte model , so that recovery from misdiagnoses is The TMI-! PRA used the first methodology. How-not an issue. The THERP model presents explicit ever, no sensitivity analyses were performed. The methmis for alyzing the probability of recovery TMI4 uncennimy dysis shwld be consided b-IT0" "O *
- f? complete to the extent that it did not incorporate or in-Recovery of Systems or Components.The adequacy of the treatment of these post-accident re- The PRA estimated a mean core damage frequency coveries are addressed elsewhere in this review. Prom of $.5P 4/yr, with a 95th percentile of 9.4B-4/yr and a the Human Reliability Analysis point of view, these re- 5th percentile of 2.5E-4/yr (Thble 12). The range fac-coveries are handled properly,if conservatively. tor, based on the 95th percentile and median,is 2.1, As discussed previously,this distribution does not account Survey of Methods Used.The methods that were for modeling uncertainties. Alao, some of the data un-used in this PRA included: 1) Technique for Human certainties may be underestimated. Examples include Error Rate Prediction (THERP),2) Human Cognitive the uncertainties in internal fire frequencies and some Reliability (HCR),3) Operator Action Tree System of the transient initiator frequencies. 1 (OATS), and 4) Confusion Matrix method.39 Table 12. TM1-1 core damage frequency Summary. Major strengths of tie HRA of this PRA distributim include the full documentation of tie human actions that were analyzed-allowing requantification of Percentile Core D=== Fr-nev Per Year questionable values ~and the detail of discussion of tie actions analyred. Weaktesses include the inscruta-5th 2.6B-4 bility of the initial screening process. No major errors 50th(median) 4.5E-4 were found.
Mean 5.5E-4
- ' "4E"4 Uncertainty Analysis Uncertainties in a probabilistic risk assessment Compared to estimates for other reactors, the above (PRA) are often grouped into three classes: complete- range of uncertainty (less than a factor of four)is ness, data, and modeling. The Three Mile Island small. For example,in the recently completed revision Unit 1 (TMI-1) PRA has attempted to minimize com- of NUREG/CR-4550 for the Surry plant, the range of '
pleteness uncertainties by using proven methodologies uncertainty for core damage frequency caused by 46
l l
internal events is more than 20: from 6.7F4/yr to tte dominant sequenas in tie Th0-1 PRA. Also this
)
1.4FA/yr.*And in a miew by ANL of the updated review itdicates that river flooding may be a dominant PRA for CR-322 a similar plant,the estimated range initiator, with a large uncertainty. If an event is a large of uncertainty is a factor of ten: from 2.5E-5 to contributor to mean CDP, it will nonnally be a large 2.56-4/yr. The authors of that report emphasire that contributor to tte overall range of uncertainty in CDP. i the estimate includes only uncertainties in the database Tte uncertainty in overall CDP willincrease if se-usedinthereview. Ars:1theCR-3PRAaddressedonly querxes hadog large uncertamues become dominant.
Intemally initiated events, whereas the Th0-1 PRA in. '
cludes ememalevents. We concluded that the urgertainty range quoted in !
the TMI-l PRA is unrealistically small,even for core damage sequences initiated by internal events. Also, in the 30-1 PRA, all extemal events apart from in- the uncertainty range may increase greatly if river-plant 6:es are estimated to teve very small contribu- flooding becomes a dominant initiator, because of the '
tions to the CDP. This review indicates that core large uncertainty in the frequency of flooding above damage sequences initiated by in-plant 6:es are among tie PMF.
a 47
EXTERNAL EVENTS ANALYSIS Extemal Flooding would certainly be less than IE-04/yr based on this curve.
Dil-1 is desigred for a Probable Muimum Flocd A Corps of Engineers (COE) report prepared in (PMF) of 1,625,000 cfs at TMI (1,750,000 at 1975 estimates the frequency of a flood greater than Harrisburg), corresponding to an ele ration of 310 ft at 1,750,000 cfs at Harrisburg to be approximately the upstream end of the island. De PMF was selected 75-04/yr, based on a figure which is reproduced here prior to the 1972 hurricane Agres, which produced a ,3p;gy,,g,41 This frequency estimate is based on stream flow of 1,020,000 cfs and a maximum ele ration plotting hurricane and non-hurricane floods separate-of approximately 302 ft. Review of the TMI-l and ly. Tle curve drawn through the hurricane flood data TMI-2 FS ARs indicated that the TMI FSARs were up-has a much steeper slope than that through the non-dated to address the 1972 flood. However, the value of hurricane Dood data. Note that the curve passes below the PMF was not changed. the 1972 flood data point; this feature of the curve is consistent with the methodology recommended for
%i1-1 proposes to accommodate floods > 305 ft by Federal agencies.42 installing gasketed cover-plates, that are kept tvail-able, over doors to buildings containing equipment es- he U.S. Water Resources Council reviewed flood sential for safe shutdown, by inflatable door seals, and data for the Eastern U.S. and recommended that the by dikes around outdoor equipment. (De island has data be fit using a %g Pearson IIP' equation 42, g,,,,
dikes that protects it against flooding for floods 300 ft-305 ft.) logioQp = m + s(k g,p) (I)
The PRA report estimates the frequency of the PMF where by plotting the frequencies of tic 3 largest floods, oc-curring in 1936,1964 and 1972,. on a semilog scale; logtoQp = the fitted logarittunic discharge i.e., flood elevation vs. log frequency %ese floods are having exceedance probability said to te the greatest since 1784 and possibly since p 1740. A straight lire is drawn between the two largest flood elevations and extrapolated to estimate the fre- k g.p = the standardized Pearson 'lype quency of exceedance of tie PMF to be approximately 111 deviate with skew g and ex.
IEr05/yr. This value is referred to as both the mean ceedance probability p, which !
value and the frequency of exceedance. Dere is no istabulatedinReference 42 justification or discussion as to the validity of this method of estimating the PMF, Tle quoted uncertain- m = the sample (logarithmic)mean ty band is a factor of 25, without reference as to how this value was obtained. %e PRA estimates tic proba- s = the sample (logarithmic) stan-bility of recovery for floods above 310 ft as 0.5, based dard deviation on an assumption that tiere is equal probability of any value between 0 and 1. Tic PRA also estimates a fre- g = the skewress of the logarithms quency 1.5E-04/yr for floods between 305 ft and of the data.
310 ft-an event tree is constructed to estimate the probabihty of core damage given such a flood. Con. In a personal communication between COE and siderable credit (a factor of about 40 overall)is NRC,' the COE stated that, using all data up to 1983, claimed for possible protective actions in the event of they estimated the parameters of such an equation to be a flood 305-310 ft. log mean = 5.4475, standard deviation = 0.1559, skew coefficient = 0.90, where units of flow are cfs. His The FSAR does not address the probability of the equation predicts the exceedance frequency of the PMF Ilowever, tte TMI-2 FS AR states that the 1972 PMF to be about 3.2E-04/yr, with an uncertainty flood has a retum frequency of about 400-500 years. factor of 5, see Figure 2 (the expected value The curve that is shown for flood frequency is not ex-trapolated to lower frequencies. The curve has a slight negative curvature, so that extrapolation would be very a. Letter from Arthur Busiik, NRC, to Mr. Harry uncertain, but the frequency of a 1,625,000 cfs flood Reilly, EG&G Idaho, Inc., Octolv:r 7,1988.
48
Exceedance f requency per hundred years
.1 99 96 95 90 80 70 605040 30 20 10 5 2 1 .5 .2 }.05 .01 1 I I I I I I I I I I I I i l I 3 I Combined curve
--- Nonhurricane events e 4
-- Hurricane events a ,
/ - 2
/
s' 1,000,000 -
Combined curve e' -
10 Nonhurricane eventD
- '/ -
8 6
/ -
5
/
4 p
/,
3 2" / -
2 Hurricane vents /
$ f 'A
] 100,000 -
/ -
10 .
e /d 8 ,
3e -
6 *
{ 5 4
j 3
,l l -
2
/ /
/ ^
, 10,000 -
/ -
10
/
l l 4
2 8
~ 0
/ 4 , i 1 i e i i
/ 5 10 20 50 [ 200 /1000 10,000
/ 100 500
/ Exceedance intervalin years
/
,/
9 1045 Figure 1. hdiunicane and hurricane frequency cun'es.
49 i
Discharge rate, cf s 1 08 1 05 1 06 10 7 2 3 4 5 678910 2 3 4 5 678910 23 4 5 678910
.9999 i i i iiiij i i i i iiisi i i i i i i i i-
.999 -
.995 -
.99 - -
1.01
.98 -
.95 - -
1.05
.90 g\
.80 -
g\ -
1.25
.70 - \
.60 - \
b .50 -
\\ - 2 k E .40 -
\\ -
3 E
$ .30 -
\\
$ .20 -
\\ -
5 e-e \ \g. E' 8 .10 - -
10 5 e \\ 2 y .05 -
\\ -
20 E b .02 - \\ -
25 h 5 01 - \\ -
100 R 200
.bOS -
\\\
- 500
.001 -
\ \ -
1000
\ \\
\ g -
6000 10-d -
- 20.000 10-6 1 05 Mean: 5.4475 10-e -
Std. Dev.: 0.1559 -
1 06 Skew: 0.90 10-7 Estimated exceedance frequency 1 07
--- 5% & 95% confidence estimaies - jos 10-8 ' ' ' ' 'iiii e i i i siiii i i e i i t u 10' 2 3 4 5 678910 2 3 4 5 678910 23 4 5 678910-9 1046
~
Figure 2. Estimated frequency curve for Susquehanna River at Harrisburg, PA,in accordance with Bulletin 17B.
w
$0 l 1
corresponding to 3.2E-4/yr is SE-4/yr, based on "The literature review indicates that extrapolation Reference 42). Of course, these uncertainty values are of the frequency curve does not provide experien-valid only if the underlying distribution is Log tially defensible estimates of flood probabilities Pearson III, n.uch beyond those defined by the length of re-cord." 43 i The conclusion we draw from these comparisons is that the frequency of Doods greater than the PMF is Andin a review for N;.2 by LLNL:
i very uncertain, but may be much higher than the value (IFAS/yr) that was reported in the PRA. It seems un. "'Ihe best smateny of the current situation is prob-likely that the plant can withstand a flood greater than ably that extrapolations Leyond the historical re-me PMF-during a plant visit to TMl-1 it was ob- cord are difficub except in those few (site-specific) served that the prctective cover-plates, dikes, and air situations where good regional data and a good lo- )
intakes, are designed for t10 ft. Therefore, the CDP cal site model allow defensible analyses. In any due to flo(xb greater than the PMF is equal to the fre- event, extrapolations to values of Fp (the mean fre-quency of the floods. quency of the flood)in the ran e, say, about 0.001/ year, are highly uncertain." g It is also appropriate to address the frequencies of core damage due to floods 305-310 ft. These frequen, Our perspective is that the upper bound on the fre-cies will be greater than shown in the PRA if the COE quency of the PMF for TMl-1, assuming that the un-equation or the curve of Figuie 2 is used-Le., about derlying frequency distribution has not changed during SPA /yr. The PRA takes substantial credit for protec- the last two centuries and is not changing now, must be -
tive actions (early waming, shutdown, installation of in the vicinity of SE-3/yr; ifit were higher than that, cover plates)inGe event of a flood 305-310 ft. Dur- the PMF would probably have occurred during the last ing the plant visit, the personnel at TMI-I indicated two centuries.
they did not practise installing the cover plates. The PRA rf:seme<l that a burricane is unlikely to produce Based on this information, the best-estimate fre-the PMF at the site, and tnat the emergency closure ac- quency for river floods above the PMF is much higher tions (top event SL) could be considered routine (suffi- than estimated in the PRA - SE-4/yr rather than cie:L time) rather than dynamic. However, it appears IE-5/yr. Extemal flooding may become a dominant to us that the PMF is more likcly to be produced by a sequence. And the large uncertainty band on the flood.
hurricane, it seems the approach of the hurricane- ing frequency should cause an increased uncertainty in induced flood, with the emergency closure taking the total CDF.
I place, wouki be accompanied by loss of offsite power l along with heavy rain and high winds on site. The per. In-Plant Fires sonnel would have one chance to make proper installa-i tion because after the arrival of high water, the island Introduction. Review of the Three Mile Island Unit l would be flooded, leaving little if any chance to corn.ct 1 (TMI-1) Probabilistic Risk Assessm(nt (PRA) inter-l any deficiencies. The PRA estimates the human error nal fire analysis concentrated on the t saajor concerns:
I ratn with a recovery factor of 0.19 to account for po-tential recovery in the event any steps in the emergen* methodology, data, and comparison with the draft
" Fire Risk Scoping Study."4 . Each concem is dis-cy closure (top event SL) have failed. Our review indi-cussed below.
cates that the human response analysis results would not be changed for the decrease in waming time that Internal Fire Analysis Methodology.TheTMI-l would be involved in a hurricane--caused PMF. The PRA intemal fire analysis is documented in the Envi-human response analysis did not consider the likeli-ronmental and Extemal Hazards Report, under the hood of a cover plate or air-inflat ble seal being defec-section " Analysis of Spatial Interactions." 1hc spatial tive and nonrepairable within the available time. The interaction analysis involved determining area bound.
PRA may be optimistic in this regard. However, on a aries, identifying components and electrical cables in best estimate basis, the floods 305-310 ft are not as each area or zone (location), identifying the types of important as those above 310 ft.
environmental hazards (fire, flood,' steam, pipe whip, missiles, and others) in each area, performing a The opinions of experts on the accuracy of fre- screen;ag analysis for each hazard in each area, and quency estimates for flocds beyond the PMF should be perfonning a more detailed analysis for the dominant noted. In a recent review of the literature, the review- events. in addition, some fires were considered in the ers concluded: system fault trees (as events occurring during a 51
mission tirre) while others were considered to be con- reactor trip circuit would be prevented from being tributors to initiating events in the internal event energized."
analysis.
A similar assumption vm made for the RBIS. How-For the spatial interaction analysis, the TMI-l PRA ever, the RBIS is not believed to be needed for the Lev-used fire areas, zones (within areas), or locations as el 1 analysis.
appropriate boundaries. This is consistent with the approach taken in previous PRAs. - Also, a wealth of Hazard identification for each fire area included component and electrical cable location information consideration of fire, smoke, flood, steam, water jet, from Fire Hazards Analyses Reports (FHARs)is wa:er spray, high energy line break, explosions, mis-available, based on these locations, in addition to the siles, and falling objects. For the fire analysis, only safe shutdown equipment considered in the FHAR, the fire and smoke are applicable. Potential inadvertent PRA also considered the following systems and operation of sprinkler systems is considered to be part >
components: of the intemal floeding analysis. Fires were consid-cred to be possible if transient combustibles, electrical '
I, Reactor building spray system cabling, or electrical panels are present. Some PRA fire analyses have ignored one or more of tiese poten-
- 2. Power-operated relief valves (PORVs) and tial fire sources, so consideration of all three is a com-- l associated block valves pichensive approach. j
- 3. Emergency safeguards actuation circuits During the investigation of fire hazards, n.oces of detectionandsuppressionwereidentified. Also, prop-
- 4. Condensatepumps agation paths to otherlocations were considered. It ap-pears that the most likely mode for fire propagation +
- 5. Instrument air system from one area to another is through doors left open or -
opened while fighting a fue.
- 6. 'P.:rbine stop and control valves Potential fire scenarios, in general, were quantified
- 7. Borated water storage tank (BWST) using the following equation:
- 8. Condensate storage tanks Fed,i = (Fri,i) (So.t) (Gi ) (S.,i) (O i), -(2)
- 9. Control building HVAC Units AH-E-17A where and AH-B-17B Fed.i = core damage frequencyperyear
- 10. Offsite power. from fire scenario "i" l- 'lhese additional components and systems were in- Fri,i = fire frequency in area of con-l cluded because they were used in the various event cem for fire scenario"i" l trees developed for the intemal event analysis. Cable
! routings for these components were not always known S.,i = nonsuppression probability for -
and in some cases had to be estimated. Again, this is fire in fire scenario "i" typical of PRA fire analyses.
Gi = geometric factor (usually frac-Two systems modeled in the intemal event analysis tion of floor area of fire area were not included in the spatial interaction task: the from which a fire has the poten- .
reactor protection system (RPS) and the reactor build- tial to damage essential cables ing isolation system (RBIS). For the RPS, the follow- or equipmcnt) fer fire in fire l- ing statement is made (see pp. 3-2 and 3-3 of the Envi- scenario "i" -
l ronmental arxl Extemal Hazard Report):
S.,i = security factor (judgement as to "From an evaluation of the RPS, it is concluded that potential for nonsuppressed fire -
it is highly unlikely for any of the hazards consid- to be able to damage vital cred in this analysis to fail the RPS so that the con- cables or equipment) for fue in trol rods would be pn' vented from inserting or the fire scenario "i" 52
04 = other event failure probability Seabrook, Zion, and Indian Point). Screening values (covers additionalhumanerrors for S. i ranged from 0.2 to 1.0. Values for G; ranged or component failures which from 0.01 to 1.0. Finally, S.,i ranged from 0.03 to 1.0.
must occur in order for core damage to occur) for fire sce- For fue scenarios with screening core damage fre- 1 nario "i". quencies greater than 3.0E-6/yr (less than 1% of the !
internal events core damage frequency), it is stated that !
Fire frequencies for fire areas were estimated from his- a more refined analysis was performed. The six domi-torical evidence, as evaluated in Reference 46. The nant fire scenarios are presented in Table 14. Also fue frequencies from this source are summarized in presented in Thble 14 are two (of many) scenarios that Table 13. were screened out: a control room fire and a relay room fire. The six dominant core damage sequences As is typical of most PRA fire analyses, frequencies have a total core damage frequency of 1.0E-4/yr. his of fires in areas within a building were often estimated total is compared with results from selected previous by applying varying fractions of the total building fire PRAs in Table 15. 'Ihe TMI-l results are higher than frequency to each fire area. The fractions were usually any previous study except for Irwiian Point 2. It is not estimated based on fraction of floor area, concentra- clear why this is the case. However,in the TMI-1 tion of electrical equipment, personnel traffic, amount PRA it is stated that the dominant fire scenarios did not j of transient combustibles present, and other factors in - receive as much attention as would have been desired. i some other cases, as indicated in Table 13, fire area It is possible that more refined analyses of these su.
frequencies were assigned values ranging from narios might reduce their frequencies. One interesting 1.064/yr to 3.0E-3/yr. note is that most of the dominant scenarios result in the loss of reactor coolant pump (RCP) seal cooling, lead.
The multipliers S,.,i, O i, and S.,i were estimated ing to an eventual RCP seal LOCA with no coolant in-from experience with past PRAs (presumably jection possible.
Table 13. TMI- ! intemal fire frequency comparison l Fr~n=nev Per Year Fire Risk I_ncarinnK'eng.or.er.t TMI-2 Scabrook PRA Scopmg Study Auxiliary Building 4.8E-2 4.8 0 2 6.4E-2 i
Thrbine Building 1.6E-2 1.6E-2 3.2E-2 ControlRoom 4.9E-3 4.9E-3 4.4E-3
. Cable Spreading Room 6.7E-3 6.7E-3 2.7E-3 DieselGenerator 7.4E-4/ start 7.4E-4/ start -
ReactorCoolant Pump 7.4E-3 7.4E-3 -
" Typical" Room 1.0E-3 - -
i Larger Room (or with 3.0E-3 - -
i more electricalequipment)
Smaller Room (or with 3.0E-4 or - -
less electrical 1.064 equipment orless visited) 53
Table 14. TMI-1 intemal fire dominant core damage sequences Cae D= nase Fire Initinear Geometne Severity % Other Fregnency Location Demennoon Freamencv Per Yr Factor f.origt_ Facta Factor aMn Notes .
AB-FIA h in Auxiliary 0.001 (MCC Fire) ID ID ID OD3 (hot 326-5 Building MCC A fire short) area (onginating in MCC 480V-ESV-I A), and a resultant hot short which fails all RG acalinpection and the thermal barrier cooling to at least 1 RG.
resulting in an RG LOCA with no high Prenaere injection capability CB-FA-3a Fire in Control Bids 0D03 (switchgear ID 0.1 0.5 OD8(random 2AB-5) The Technic =I Sonenary 4160 Vac switchgear fire) Report indicanes this feelere of ID (train A) fire traei B meqaence has a area, failing train A negligible W of several safety However, the a se systems, & a random analysis tables
. '$ failure of train B, indiesse 2AB-5/yr_
resulting in core The dwerepancy is damage not -.1. .M CB-FA-2b Bre in Control Bldg OD03(cabinet fire) th OD3 (mest 0.2 ID 225-5 Sweechgear Room IS born cables (arnin B of electncal cataide i silare of sealcacha eventual RT aeallDCA with no high-preamere injection -
CP-FA-3c Fire in Control Bldg 0D02 (cabling or ID 0.1 0.5 0.2 226.-5 I!SAS ares & failure transient (failare of retnoen slsindown, combeatable fire) ofremcee resulting in an RG aheedown)
LOCA wish no high-prennere agection CB-FA-3b Fire in 4160 %c - OD03(cable, I4 0D5 0.2 0.3 (het iD6-5 amiechgear IE room cabinet, or . ahert)
& a het abort, transient resulting in an RG combustible fire)
- acal LOCA with no I hip c- agection
. - 2: . a ,.
Table 14. (continued)
Case Damage
& Irmannor Geometne Seversy Non-deppression Odur Frequency Locauca Descasaan Frequency Por Yr Factor Passer Facter Fmskt b Year Notes CB-FA-2d ~ Fue in east OD03 (cable. 03 0D3 0.2 1h $ D E-6 charser area rese cabinet, or
. in 7 transient combustible fue)
CB-FA-4b Fire in counrol roern OD049 (cable, ODI (muse ID ID OD5 : 3JIEe -
panels f ' the cabiness,or cecarin (ondenned remote transient com- 2 of many opersoor capability, combined bassible fue) peneh) error) with undernied ,
& error !
resulting in ?
CB-FA-3d & in relay rocen. 0.007 0.05 0.1 0.3 0.2 2JtGe combined w4 failure (failure of remose shutdown of remose sheedown)
U
- n. These sequerres were eliminsem! in the screening process and were a se considered to be darmnant.
- . . - - ..-- _ - , _ _ - _ _ - . = _ , ..__- - -
Table 15. TMI-l internal fire core damage A screening frequency of less than 1.0&6/yr would frequency comparison have been more appropriate.
3 Data Comparison. Fue inquencies utilized in the Intemal Fue TMI-l PRA are summarized in Table 13. Also pres.
PRA Fue Core Damage ented in Table 13 are corresponding frequencies from Analysis Study TheencvPerYear Reference 45. The TMI-1 values are based on re- j ported fires in commercial nuclear power plants up '
TMI-l 1.0E-4 through 1981. Reference 45 includes an update through June 1985. Both so uces agree within a factor Seabrook 2.6&5 of two 'ntis difference is not large compared with tie uncertainty in apportioning building fire frequencies Indian Point Unit 2 2.0E-4 among various fue areas.
Indian Point Unit 3 6.3&5 For So,i, O i, and S,e,i, the TMI-l ranges are consis- i tent with other studies. This is not surprising consider-Millstorie Unit 3 3.1&6 ing that no plant-specific values were generated for Limerick 2.3B-5 TMI-il values from other PRAs were used instead. .I Oconee 1.3&5 Comparison with Fire Risk Scoping Study,'
The draft Fire Risk Scoping Study identified several areas of concem for probabilistic fire analyses. 'Ibese areas of concem arelisted below: !
In general, the methodology used to identify and !
quantify important fire-laduced core damage se- 1. Controlsystem haeractions i quences is appropriate and is similar to the Seabrook 1 PRA. - However, several differences exist. Fust, the 2. Effectiveness of manual fire fighting }
screening process for TMI-I was performed manually, i while the Seabrook PRA incorporated an automated 3. Total environmental equipment survival !
SETS location-transformation process to identify pc-tentially important single fue areas and adjacent pairs 4. Seismic-fire interactior.s of fue areas. Both methods are appmpriate. 'Ibe man- !
ual method of screening might be more prone to error, 5. Adequacy of fire barriers however, the SETS methodology may require the use i of simplified system fault trees and event trees (the 6. Adequacy of analytical fue tools.
Seabrook PRA utilized simplified models for the . .
Each of these is discussed below with respect to the SETS location-transformation).
TMI-1 PRA Sre analysis.
Secondly, the TMI-l analysis appears to have been
. The Fue Risk Scoping Study identified unanticipat-stopped aller the screening phase. The six dominant ed control syrtem interactions as a potential weakness '
fue scenarios do not appear to have been quantified in in past probabilistic fire analyses. Such interactions any more detail than the scenarios that were screened '
include control room failures that may result in failure out. It is clear that no plant specific COMPBRN analy-of remote shutdown, or hot shorts that may fail sys- i ses were performed, as opposed to detailed tems or components not actually damaged by a fire, COMPBRN analyses in the Seabrook PRA. f lhe TMI-I analysis attempted to consider some types {
of system interactions. For example, hot shorts have '
'Ihe third aspect is that the TMI-I fire analysis doc-been considered for several of the fue scenarios (see umentation is extremely abbreviated. 'Ihis issue is ex- the dominant fire sequence in Table 14). Also, the !
amined more closely in the latter part of this section. single control room scenario involves cabinet damage that fails remote shutdown. However, documentation j The final aspect is that tie screening frequency of .
is much too sparse to detemiine either the level of de- t 3.0E-6/yr appears to be inadequate. If the frequencies tail of such modeling or the comprehensiveness of the .
of the already screened out fue-induced core damage search for such interactions.
sequences are summed, the result is 5.0&5/yr, which is 50% of the core damage frequency from the six The effectiveness of manual fue fighting is another .
dominant fire sequences. This total is much too high. issue of concem. Some past PRAs may have taken too l
56
much credit for manual suppression, given the poten. Internal Fire Documentation. ne TMI-l intemal tial for smoke and misdirected efforts. Five of the top fire analysis documentation, contained mainly in Sec-six TMl-1 fire sequences in Table 14 include credit for tion 3 and Appendix D of the Environmental and Ex-manual suppression. The documentation is too brief to temal Hazards Report,is grossly inadequate. De fire evaluate the nonsuppression estimates; however, the analysis methodology is essentially discussed in two lowest value used is 0.2. paragraphs in Section 3.5 of that report. Also, the six dominant Src sequences are described in several sen-Total environment equipment survivability refers to tences in Section 3.7. No diagrams of the fire areas the concem that equipment may actually be damaged and zones were included in the report. Also, almost to indirectly by a fire or fire suppression agent, rather documentation is provided to support analyses and than by direct exposure to the fire. Again, the TMI-l probabilitics used in the screening tables. For exam- j documentation is not detailed enough to evaluate plc, the control room fire (Table 14) with a frequency j whether such concerns were adequately covered. of 3.0E-6/yr was screened out. This sequence in. l volves a fire frequency of 4.9B-3/yr, a geometric fac-Seismic-fire interactions are not discussed in the t r of 0.01, and an operator error of 0.05. De geomet- i TMI-l fire analysis. A review of the seismic docu. ne factor of 0.01 supposedly represents the probability of a nie staning ,monly one of many panels b the con-mentation produced the same result. %erefore,it ap- !
pears that the potential for seismic-fire interactions trol mom. In this case, remote shutdown upparently is was not consid red in the TMI-I PRA. n t p ssible; however, an undefined operator error of 0.05 is also applied to this sequence. Dere is no docu.
mentation indicating what type of operator error is in- i The Fire Risk Scoping Study addressed the concem volved. Also, what happens if there is a fire in the oth-that fire bamers, especially doors and cable penetra-er 99% of the control room panels? If remote tion seals, may not withstand actual fire conditions.
, shutdown must be used, the TM1-1 analysis assumed a Specrficall: if a significant pressure differential as 0.2 failure probability. In such a case, the sequence created acro.s the fire barrier, then premature failure frequency would be:
may occur. Such a pressure differential could be crened under fim conditions. The Fire Risk Scoping (0.0049/yr)(0.2) s. 9.8E-4/fr. (3)
Study indicates that a barrL:r failure probability of 0.01 l
may be too optimistic, and that 0.1 might be more an- The study does not indicate why fires in 99% of the propriate, it appears that the TMI-l fire analyris con- control room panels are not significant.
sidered fire door failures, but mainly from doors lei open or opened to fight a fire. Otherwise, the screen Plant Visit to TM6-1. During a plant visit to TMI-1, ing analysis assumed fire door failure probabilities of conducted during the course of this review,it was 0.01 or lower. Therefore, the TMI-l study may be found that a) TMI-1 has a well thought out and thor.
nonconservative in this respect. oughly documented fire plan, b) there are zero to very- {
low amounts of transient combustibles in areas con- 1' Finally, the Fire Risk Scoping Study evaluated the taining safety-related equipment, and c) there are adequacy of COMPBRN I and III. Several coding er. multiple means of detecting and suppressing fires.*
rors and instances of nonphysical behavior were found GPUN personnel stated they are reanalyzing the fire in COMPBRN III. Conclusions that were drawn from sequences and expect to find them to be an order-of-this study indicate that when any of the versions of magnitude smaller in their contribution to core damage COMPBRN are combined with fire suppression esti-- frequency than was indicated in the PRA report.
mates, the resulting estimates for condition.d failure to suppress a fire before cable damage occurs may v iry Summary. The TMI-I PRA fire study appears to be ' l by a factor of 20 or more, a comprehensive screening analysis. However,it ap-pears that the six dominant sequences were not ana-The TMI-l fire analysis did not include plant- lyzed in detail. Plant-specific COMPBRN analyses specific COMPBRN analyses. However, screening es- were not used, and screening estimates for nonsup-timates for fire severity and nonsuppression factors pression, geometnc, and severity factors were esti-were obtained from past PRAs that did include mated based on previous PRAs. Seismic-fire interac-COMPBRN analyses. Because of this,the TMI-l fire tions were not included. The total core damage
. sequences should reflect a high degree of uncertainty.
However, Table 6-9 in the Plant Model Report appears n. letter from H. J. Reilly, EG&G Idaho, to to have no information on fire sequence uncertainty Dr. Arthur Busiik, NRC, " Report of TMI-l Plant distributions. Visit, October 18-19,,1988," November 8,1988.
57
frequency from it.temal fire is quoted in the PRA as analyses were cor. ducted as part of this review, using 1.0E-4/yr, irloweves, the screened-out sequences seismic hazrads cerves from three differett sources:
, would add up to an additional 51E-5/yr. Documenta< the PRA EPRI, and LI.NL. These analyses are de-tion is grossly inadequate. making it impossible to scribed in Appendix C. All three of the analyses pro-perform a detailed review of the methodology, data, duced core damage frequencies larger than the vslue and resuit s. It was the feeling of the reviewers, based publisted in the PRA report. Using the PRA hazards ,
on a plant visit and comparisons with other PRAs. that curves and camponent fragdities, a mean seismic CDP F the core damage frequencies caused by in-plant fires of 6.5E-5/yr was obtained, as opposed to the va:ue may be overestimated in the TMI-l PRA, but this 2.7FA/y in the PRA. With the EPRI hazards curves. -,
claim cannot be substantia'f4 without more analysis, and some modifications to equipment fragilities be- l cause of tie different scismic spectrum, the mean seis.
mic CDP would be 2.3E-5/yr, with tie LLNL hazards Seismic Eventa curves, it would be 3.8C-4/yr. It is also observed that only a few of the component and structural fugilitier During the review,it war discovered that the quan- were based ou plant-specific analysis. However, this tificati >n of the seismic events contataed errors that in- effect is not considered as imponant as the selection of validated the results contained in the PRA report, de appropriate hazards curves. This situation may be These errors were acknewledged by GPUN (see the clarified wlen GPUN completes its evaluations as part discussion in Appendix C to this report). Independent of tL< IPE program, a
4 58
ESTIMATES OF EFFECTS OF RECOMMENDED CHANGES TO THE PRA inti'Oductl@M Three kinds of estimates were made. First, the ef-fects of changes in initiat 9r frequencies were estimated directly fmm Thbles 5-1 and 5-2 of the PRA Report, It wu not possible in this review to requantify the Vol. 2. Thase tables list the aggregates of the core accident sequences hem the TMf-l PRA, because of damage frequencies attributable to each initiator and ;
the complexity of the analysir md the unavailability of - initiator catego y. Estimates using this method are be-the computer progrs'ns anJ inputs. Therefore,it was lieved to be precisc. ,
difficult to determine the impacts of changes in model.
ing or data on the o lerall resnits. However, it was pos. Secorrity, the efrects of changes in parameters that sible to gain some insights by manipulating the dtta in affect only fractions of sequences for specific initiators the repcrt. were estimated using the top 100 sequences listed in Table 6-5 of the PRA Report, Vol. 3. 'Ihese top 100 sequences compose about 75% of the total core dam.
There wwe several items of interest to the re~iew age frequency, so that an estiraate using this method, that were "secstiranted." nach is discussed briefly in 'ahile wt approximation, probably accounts for most of thia bection; the detailed explanation of the basis for the effect.
cach item is else where in this review repon (for exam-plc, :he imptet of changes to foss of controi budding Lastly, the offects of cbanges in the analyses of sta-ventilttion s;quences is exainined in this analysis, tion blackout, extemal floods, and seismic events were while the diwtusion of the validity of the assumptions taken from the respective review sections in this re-is in the Assumptiorm section). 'fhe results of the rees- port. The methodologies for those estimates can be timation are abown in Table 16. seen by reading those sections.
Table 16. Summary of reestimation of core damage frequency Chanee Old Valuc. New Value Control building ventilation failure elimincted as 2.00E-4/yr 0 a core ar. mage sequence Factor of 6.6 reduction in IIRA value for sump 1.46E-5/yr 2.2E-6/yr rccirculation switchover,inedium LOCA Very small break LOCA frequency 4 times larger 1.74E-5/yr 6.%E-5/yr Use of value 2E-3/yr for loss of instament air 1.98E-5/yr 6.656/yr initiator frequency Regaantifwation of :oss of offsite power 2.90E-5/yr '55-5/yr sequences t Total CDF fpilntemall'utiators 4.4B-4/yr 2.9E-4/yr l
Requentification of seisn.ic sequences 2.70E-6/yr 6.5E-5/yr Requantification of e demal flooding sequences _ 7.50E-6/yr SE-4/yr l'
l Total CDP for Extemalltutiato.s 1.lE-4/yr 6.6E-4/yr
Changes That.Were included in The review of Extemal Flooding indicated that the best estimate frequency for river floods above the PMF the Estimates is 55-4/yr instead of IE-5/yr.
A major finding of tie PRA was that control build. Appendix C contains three analyses of the seis'nic ing ventilation failures were major contributors to the frequencies for TMI-1. The first corrects the erroneous analysis in the TMI-1 PRA report. The sec- i core damage frequency. This was based on the as, ond is an analysis using the seismic acaleration fre-sumption that the electric power system would fait cat-astrophically when the temperature in the control quency data from studies by LLNL. The third is an analysis using tie seismic acceleration frequency data building exceeds 104'F, Subsequent analysis by the from studies by EPRI. The tivec analyses produce dif-utility indicates that loss of control building ventilation would not lead to failure of the electrical power sys- ferent results for the CDF (attributed to seismic tem. A review of this information by members of the events), but all are higher than the value in the TMI ,1 PRA report. The highest value (using LLNL data) ts review team confirmed that loss of CBV would not 3.85-4/yr, which would make seismic events among make a significant contribution to overall CDR There-the dominant sequences for TMI-1. Able 16 includes fore, the reestimation used a value of zero for se-the value 6.55-5/yr, which was obtained using the data quences with control building ventilation failure, in the PRA report.
The PRA indicates that the sequence of higlest fre- After reestimating the extemal event sequences with quency (other than control building ventilation failure) the changes noted above, tie CDP for extemal events ,
is a medium LOCA with failure of sump recirculation increased from 1.lF 4/yr to 6.6B-4/yr, making exter- ,
switchover. 'De human response value used to quanti- nal events the dominant sequences at TMI-1.
fy tnis sequence was the same as that for the large LOCA. Tte Systems Analysis Report clearly defined a value for both trains of the recirculation for medium ChanOes Not included in the LOCAs distinct from large ones, but tic PRA did not Estimate '
use this value. The estimate in hble 16 used a value reduced by a factor of 6.6 for the (SAA*SBB) head- There were numerous other changes that were rec-ings of the ML sequence to account for this ommended in the various sections of this review re-discrepancy- port. 'Ihey were not included in Table 16 for various reasons. The following is provided to explain these changes as they appearinTable 17:
The initiating event review indicated that the very small break frequency appeared to be a factor of four lower than estimates from other sources. The reesti, The Assumptions sect'on indicated that the assump-mation increased the initiator frequency for those se, tion in the PRA, that shutdown operations need not be l quences by that factor. exammed because they have no significant effect, was I
questioned. The PRA for this operational mode could -
have a significant effect on overall CDF at TMI-1.
The loss ofinstrument air initiator frequency ap- ,
peared to be overestimated according to the initiatin8 The section on Fires indicates the analysis in the event review. The value assumed in Table 16 is the PRA was suitable only for screening purposes, and it 2.0E-3/yr value from that review. seems likely, but not certain, that further analysis will show core damage from fires to be smaller Appendix B, which contains a requantification of **9"*"#Y' CDF attributable to station blackout, indicates that this The initiating event review indicated that there had frequency should be 3E-5/yr rather than the PRA val, ue of 6E-6/yr. The CDF for alllosses of off-site pow- been one incident in 12 years of operation in which the er then becomes about SE-5/yr rather than the PRA intake screens at Unit 2-which was the only one of value of 2.9E-5/yr. the two units operating at the ti ne-plugged com-pletely, requiring 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> to clear. The discussion of this initiating event appears erroneous; the PRA di-After reestimating the intemal event sequences with vides the assumed frequency of 1/12 per year by a re-the changes noted above, the CDF for intemal events is covery factor related to recovery before turbine trip.
reduced from 4.4E-4/yr to 2.9E-4/yr. 'lhe PRA also uses a seal-LOCA model that assumes 60
Table 17. Potential changes not included in Table 16 Probable Significance Potentini amnpe Effect on CDF on CDP Risks of shutdown operations Increase High-Sequences initiated by in-plant fires Unknown High Loss of river water sequences increase High V-sequence fsequency Unknown Low Frequency of reactor vessel rupture due to PTS Increase Low Miscellaneous component failure data Unknown Low-Added backup air compressor Decrease Low l 4
Relay chatterduring seismic events lacrease Unknown !
Seismio-initiated fues Increase Unkncwn' l
Effects of non-Class I equipment falling on increase Unknown ;
Class I equipment during a seismic event that 9 hours1.041667e-4 days <br />0.0025 hours <br />1.488095e-5 weeks <br />3.4245e-6 months <br /> is available after loss of river water pump PRA-of booking up fire service water in place of riv- ,
suction before r.eal-LOCA occurs. The NUREG/ er water. These are all knowledge-based actions, with CR-4550 seal-LOCA modelis much more pessimistic an operator-to-plant interface that is fair at best, and I when applied to TM1-1. Given a blockage of the in- conditions of potential emergency. Without more de-take screens with mean time to clear of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, the fol- tailed infomtation and analysis, it is not possible to de-lowing factors govern the time available (using the rive defensible values for the failure probabilities of times quoted in the PRA for the EFW available case): the human actions.
Water available in pump house: 1.3-4 hours with 2 GPUN provided some additionalinformation infor.
RW pumps operating, double that for 1 pump mally. 'lhere have been an additional 5 years of opera- i tion of the TMI-l intake screens without blockage.
Additional time gained by rotating MU pumps after There are no procedures to maintain a minimum loss of river water: "a few hours" according the amount of water in the river water intake structure, and PRA-actualtime is unknown no procedure directing the operator to reduce the num- l ber of operating river water pumps if a complete loss Time to seal-LOCA after loss of seal cooling: of river water supply occurs. However, a fire service '
l.5- 2 5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> (70% chance) supply is available near the DHCCCW heat exchang-ers with connection points available for a temporary Time to core damage after scal-LOCA (not part of hookup. Also, the heat load is so low (32 gpm) when time available): I br. running only makeup for RCP seal injection flow, that GPUN believes the makeup pumpa would run for a The minimum time may be less than required. To en- long time even without river water. '
sure success, the operator must take actions to tum off 1 RW pump and rotate MU pumps after the water in Unless it can be verified that the makeup pumps can the pumphouse is depleted, as well as diagnosing and run without river water, or that a recovery action is initiating the screen-clearing operation. There is also possible using the fire service water supply, the situa-a possibility-identified but not analyzed in the tion upon loss of river water supply-which is reason-61
l ably probable based upon its previous occurrence- During the plant visit, we noticed the addition of a may be much more serious than the PRA indicates. backup air compressor, it is not clear how this will af-feet the PRA, except it should be beneficial, in the analysis of V-sequence frequencies, the PRA combines what appears to be conservative assump- ,
tions with nonconservative data. These sequences are During the plant visit, it was established that relay insignificant contributors to CDF, but are important to chatter was assumed to be recoverable,i.e., had no ef-offsite risk in most PRAs, fect on the CDF due to seismic events. Forthcoming resolutions by NRC of generic issues involving seis.
The teview (see Comparison with Generic mic events may be expected to have an impact if relay Unresolved Safety Issues) found that frequency of core chatter during seismic events is fourx! to be an impor-damage due to PTS was probably underestimated, but tant failure mode of electrical power and control !
conceded that ITS is not a dominant contributor to systems. !
overall CDP, i The Data section of this review report indicated that The effects of seismically-induced fires, and the ef-some of the component failure data values were signif- fects of non Class I j uipment falling on Class i equip-icantly different than in other databases. But it was not ment during a seismic event, appear to have been ne- !
- expected that any individual change in a value would glected in the PRA The effects of their inclusion ,
have much effect on the overall CDP, would not be simple to calculate, !
l 1
i l
l 62
)
REFERENCES i
- 1. Pickard, Lowe and Garrick, Inc., Three Mile Island Unit 1 PRA, PLG-0525, prepared for GPU Nuclear Cor-poration, November 1987).
- 2. Letter from H. D. Hukill, Vice President & Director, TMI-1, to U.S. Nuclear Regulatory Commission, December 7,1987,(available from Hukill Gle).
- 3. J. W. Hickman et al., FRA Procedures Guide, Vols.1-2, NUREG/CR-2300, prepared under the auspices of the ANS and IEEE, January 1983. ..
4.^ A. S. McClymont and B. W. Pochlman. ATWS: A Reappraisal, Part 3: Frequency ofA nticipated Transients, EPRI NP-2230, Electric Power Research Institute, January 1982, '
- 5. Nuclear Power Erperience, S. M. Stoller Corporation, Boulder, Colorado.
- 6. Zion Probabilistic Safety Assessment, Commonweahh Edison of Chicago, Fall 1981. i 7.
Probabilistic Risk Assessment, Seabrook Station, Public Service Company of New Hampshire, December 1983.
i 8.
D. P. Mackowink, C. D. Gentillon, and K. L. Smith, Development of Transientinitiating Event Frequencies for Use in Probabilistic Risk Assessments, NUREG/CR-3862, U. S. Nuclear Regulatory Commission, 1 May 1985. '
i
- 9. H. Wyckoff, Losses of 0)fsite Power at U. S. Nuclear Power Plants, All Years Through 1986, NSAC-l11, Nuclear Safety Analysis Center, Electric Power Research Institute, May 1987. I 10.
P. W, Baranowsky, Evaluation ofStation Blackout Accidents at NuclearPower Plants NUREG-1032, U. S.
Nuclear Regulatory Commission, June 1988.
Il. '
Guidelines and Technical Basesfor NUMARC Initiatives Addressing Station Blackout at Light Water Reactors, NUMARC-8700, Nuclear Management and Resources Council, November 20,1987.
i
- 12. 1.etter from H. D. Hukill of GPUN Nuclear Corporation to USNRC, Docket No. 50-289, May 5,1988, (avail- i able from Hukill file).
1
- 13. Letter from H. D. Hukill of GPUN Nuclear Corporation to USNRC, Docket N150-289, August 5,1988, (available from Hukill file).
k
- 14. Letter from Ronald W. Hernan, Senior Project Manager, to Mr. Henry D. Hukill, Vice President and Director
- TMI-1, " Resolution of Various TMI-l Appendix R Issues (TAC Nos. 64951 and 68331),"
September 7,1988, (available from Hernan file).
- 15. USNRC, Loss of Residual Heat Removal System. Diablo Canyon, Unit 2, April 10,1987, NUREG-1269, June 1987, 16.
Brookhaven National Laboratory, improved Reliability of Residual Heat Remmal Capability in PWRs as
.Related to Resolution ofGeneric issue 99, NUREGICR-5015, May 1988.
- 17. Zion Nuclear Plant Residual Heat Removal PRA, NSAC-84, July 1985.
I8. A. Ang and N. M. Newmark, A Probabilistic Seismic Safety Assessment ofthe Diablo Canyon Nuclear Power Plant,1977.
l 63
- 19. Power Authority of the State of New York, Consolidated Edison Company of New York,Inc., Indian Point Probabilistic Safety Study,1982.
- 20. Fauske & Associates, Inc., Emluations of Containment Bypass and Failure to isolate Sequencesfor the IDCOR Reference Plants, FAI/86-29, July 1986.
- 21. M. T. Drouin, et al., Analysis of Core Damage Frequencyfrom internal Events: Methodology Guidelines, NUREG/CR-4550, Vol.1. Sandia National Laboratories, September 1987.
- 22. CrystalRiver Unit 3 PRA, Florida Power Corporation and Science Applications International Corporation, July 1987.
l
- 23. N. A. Hanan and D. R. Heniey, A Review ofIhe CrystalRiver Unit 3 ProbabilisticRisk Assessment, NUREGI i CR-5245, Argonne National Laboratory, January 1989.
i
- 24. Safety and Performance improvement Program, BAW-1919, Rev. 5, Babcock & Wticox Owners' Group, July 22,1987.
- 25. Safety Evaluation Report Related to the B& W Owners' Group Plant Reassessment Program, NUREG-1231 and NUREG-1231 Supplement 1. U.S. Nuclear Regulatory Commission, March 1988.
1
- 26. Oak Ridge National Laboratory, Preliminary Development ofAn Integrated Approach to the Evaluation 4 Pressurized Thermal Shock as Applied to the Oconee Unit 1 Nuclear Power Plant, NUREGICR-3770, May 1986.
- 27. Shutdown Decay Heat Removal Analysis ofa Babcock and Wilcox PWR, NUREGICR-4713, Sandia National Laboratories, March 1987.
- 28. Analysis of Core Damage Frequency: Surry Unit ] Internal Events Appendices, NUREGICR-4550, Vol. 3, Rev.1, Part 2, (Draft), Sandia National Laboratories, December 1988 (Available from the NRC Public Docu.
ment Room).
- 29. Leak Rate Analysis of Westinghouse Reactor Coolant Pump NUREGlCR-4294, RockwellInternational Corp., July 1985.
- 30. AnalysisofCoreDamageFrequencyfrominternalEvents:ExpertJudgmentElicitation-Part1:ErpertPan- i el Results, Part 2t Project StagResults, NUREG/CR-4550, Vol. 2 Sandia National Laboratories, April 1989.
3I. IEEE Guide to the Collection and Presentation ofElectrical, Electronic and Sensing Component Reliability Datafor Nuclear Power Generation Stations,IEEE STD-5DO, June 1977.
I
- 32. Proceduresfor Treating Common Cause Failures in Safety and Reliability Studies: Procedural Framework and Example, NUREG/CR-4780, January 1988.
- 33. U.S.NuclearRegulatoryCommission,ReactorRiskReferenceDocument,NUREG-Il50,Vols.1-3,(Draft),
February 1987. ,
- 34. A. A. Garcia, et al., A Review of the Millstone 3 Probabilistic Safety Study, NUREGICR-4142, Lawrence-Livermore National Laboratory, April 1986.
- 35. C. L. Atwood and J. A. Steverson, Common Cause Fault Ratesfor Diesel Generators: Estimates Based on Licensee Event Reports at U.S. Commercial Nuclear Power Plants,1976-1978, NUREGICR-2099, EG&G Idaho, Inc., May 1982.
- 36. A. D. Swain and H. E. Guttman, Handbook ofHuman Reliability Analysis with Emphasis on Nuclear Power Plant Applications. NUREG/CR-1278, Sandia National Laboratories,1983.
64
37, G. W. Ilannaman, A. J. Spurgin and Y. D. Lukic,Iluman Cognitive Reliabilityfor PRA Analysis. NUS-4531 Electric Power Research Institute,1984.
- 38. R. E. Ilall,3. Fragota and J. Wreathall, Post Event fluman Decision Errors: Operator Action TreeTTime Rell. l ability Correlation, NUREG/CR-3010, Brookhaven National Laboratory,1983.
- 39. L. M. Potash e*. al., Experience in integrating the Operator Contributions in the PRA ofActual Operating- I Plants,1981 ANS/ ENS Topical Meeting on Probabilistic Risk Assessment, Port Chester, NY,
- 40. R.C. Dettucio and J. A. Julius, Analysis ofCore Damage Frequency: Surry Unit 1 internalEvents NUREG/ i CR-4550, Vol. 3, Rev.1, Part 1, Sandia National Laboratories, September,1988.
- 41. Corps of Engineers, Department of tic Army, North Atlantic Division, flydrologic Study - Tropical Storm Agnes, December 1975.
- 42. United States Water Resources Council, Guidelinesfor Determining Flood Flow Frequency. Bulletin N17B, September 1981.
- 43. Interagency Advisory Committee on Water Data, Hydrology Subcommittee, Feasibility o/ Assigning a Prob-ability to the Probable Marimum Flood,1986.
- 44. C.Y. Kimuru and RJ. Budnitz, Eval'uation ofEtternalliarards to Nuclear Power Plants in Ihe UnitedStates, NUREG/CR-SM2, Lawrence Livermore National Laboratory, December 1987.
- 45. Fire %sk Scoping Study, investigation ofNuclear Power Plant Fire Risk including Previously Unaddressed Issues. NUREG/CR-5088 (Draft), Sandia National Laboratories, March 1988 (Available from NRC Public Document Room).
- 46. M. Kazarians and G. Apostolakis, Modeling Rare Events, The Frequencies ofFires in Nuclear Power Plants, presented at the Workshop on Low-Probability /High-Consequence Risk Analysis, Society for Risk Analysis, Arlington, Virginia, June 15-17,1982.
- 47. N.O.Siu, COMPDRN-A ComputerCodeforModeling CompartmentFires, NUREGICR-3239, University l of Califomia, May 1983.
l l
1 l
65
.,. .s. . .
l APPENDIX A REVIEW OF ASSUMPTIONS IN THE PRA REGARDING LOSS OF CONTROL BUILDING VENTILATION 4
I A-1
APPENDlX A j REVIEW OF ASSUMPTIONS IN THE PRA I REGARDING LOSS OF CONTROL BUILDING VENTILATION i It should be noted that, unlike most initiators, the stated on page 6-48 that this essumption is frequency of the loss of control room ventilation hiitia- believed to be conservative, but ru evaluation tor is not based on data (Table 3-8, Page 3-38, Volume could be found that provided either a qualita-5), but is instead quantified based on an enalysis of the tive or quantitative estimate of the degree of system failure probability as contained in Volume 4, conservatism. The following statement is i Book 1, Section 6. Ris review is concemed only with made on page 6-48:
, the evaluation of major assumptions made in the PRA l regarding the initiator-loss of control building venti- "%e assumed temperature limit is important lation. because it not only affects the time available -
for recovery, but also, if the limit was just a !
De major assumptions made in the PRA regarding little higher (i.e.,130*F), many of the rooms this initiator and the accident sequena that it initiates might never reach the limit even without are as follows: ventilation."
- All key electrical equipment in the control In view of the extraordinary dominance of the se.
room is assumed to always fail if the tempera- quence associated with this initiator the omission of ture exceeds 104'F'. any estimate of the significance of this assumption is considered a major shortcoming in the study. Further-more, u does not appear that the uncertainty or conser-
- 1ess of control room building ventilation is vatism associated with this assumption is reflected in assumed to result in a core damage accident the very tight uncertainty bounds estimated for the (see discussion below). core damage frequency.
- If the outside ambient air temperature ex- An attempt was made to assess the validity, quanti-ceeds 84'F, the chillers associated with the tative significance, and uncertainty associated with control room building ventilation system are this assumption; Such efforts proved generally futile, assumed to be required. however, for several reasons. First, no assessment of the control building heatup rate could be found in the
- Operator action to establish control building TMI-l PRA. Thus, the timing and sensitivity of the ventilation from a portable vent system is 104*F limit to building heatup rate could not be veri.
modeled. Equipment for this system was be- fled. Further, no other PRA or safety assessment could ing purchased at the time of the PRA study, be found, for comparison, which evaluated this initiat-ing event. %e manufacturer of, and specifications for,
- The operator actuated portable vent system is the electrical equipment in the control building are not assumed to be incapable of limiting control known. Thus, an independent evaluation of the opera.
building temperature below 104'Fif the out- tional temperature limits could not be detemiined, al-side ambient air temperature is >95'F. though engineers familiar with this general field con-firmed that assuming failure at the design limit is
. likely to be a very conservative approach.
- Control tower air system failures are ne-glected.
ne TMI-I PRA contains additional discussion of the interest related to the control building ventilation ne significance and validity of each of these as- failure sequence in particular, Pages 2-6 and 2-7 of sumptions will be explored individually, as follows: the Executive Summary (Volume 1) make tie follow-ing statement:
- 104'F Limit-The only basis that could be found for this assumption was on page 6-47, " Tests in September of 1987 have indicated that Volume 4, Book 1, where information shows more time is available for operator action prior to that this is the design temperature limit of the the hottest rooms reaching IWF. It may,in fact, equipment in the control building. It is also take as long as 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for these rooms to reach
- A-3 L
I
104*F. This longer time is due to initial overesti. " Failure of the ventilation system causes the mations of the heat generation rates in thesc rooms. intemal room temperatures to increase and, In addition, the outside air temperatures for which within a period of hours, to exceed the design temporary ventilation would be effective can temperatures of electronic and electrical therefore be higher. More time available for equipment in the rooms. At some elevated recovery will result in a higher likelihood that the temperature (which is not well known), equip-operator will succeed in establishing altemative ment will fail and the plant will automatically ventilation. Ris higher likelihood will reduce the trip or be tripped by the operator. Ris event frequency of loss of control building ventilation calls on the systems to remove decay heat to scenarios that go to core damage, thus reducing the operate, but, in this dominant accident se-total core damage frequency. If the heatup is slow quence, these systems also eventually fail due enough so that the operator has more than enough to loss of motive and/or control power, as time to perfonn the action successfully, then the morc electrical equipment in the control build.
frequency of the scenario will become insignifi- ing fails. Core damage will result from the cant. De results of these recent tests will be failure to remove decay heat. This scenario reviewed and their impact on the estimated core alsoincludes thelikelihood of the operator try-damage frequency will be incorporated into tie ing, but failing, to recover control building s next revision of the PRA." ventilation and trying, but failing, to provide ,
alternative ventilation."
1 An attempt was made to evaluate the analysis of this Further, Page 2-7 of Volume 1 preseras the sequence and also to estimate the impact of a more realistic assessment utilizing the September 1957 data. I U *I8 However, no analysis of the building heatup rate could be found, nor was any detail found regardie3 the time "At 104'F, equipment required to maintain available and assumptions made regarding operator re- reactor coolant pump seal injection or cooling i covery actions. Furthermore, the September 1987 data and mitigate the failure of the seals is assumed l is apparently not included in the PRA. to be lost." l In a related discussion, the PRA speculates he reviewers concluded that the basis for the 104'F (Page 2-7) that tests performed by Westing-control building equipment failure assumpuon is mad- house on RCP seals, belie ved to be represcata-equate and probably not realistic (overly conserva- , tive of the seals for the reactor coolant pumps tive). His appears to be a major shortcommg m the at TMI-1, suggest that seal failures may be study m view of the sigtuficance of the related accident delayed from what was assumed in the sequence. A related shortcoming is the lack af suffi- PRA^-3 nese delays are addressed on -
cient information in the PRA to allow either m inde. Page 2-8' pendent evaluation of the sequence or a qumtitative estimate of the effect of the assumption. Furthermore, "These delays will significantly increase the it appears inappropriate in a PRA study to assume a step failure distribution (i.e., never fails at tempera-d fd d y ,g g;, g, tures <104'F and always fails at or above 104'F) for jection in scenarios after both were lost) and such an important initiator. It would be more realistic' such actions that already exist in the PRA thus and more consistent with the general PRA approach, to reducing the total core damage frequency "
represent the failure as a temperature versus failure probability relationship. Such a relationship would -
have to be derived on the basis of existing data, or en. Based on the previous discussion,it appears that the PRA assumes that the loss of control building ventila.
gineering judgement if data is unobtainable.
tion leads to loss of the sealinjection and cealinjection cooling systems, due to loss of ac power to the pump
- Loss of control building ventilarion leads to motors in these systems. The loss of these systems core damage-The PRA assumes that loss of causes a loss of pump seals, resulting in a LOCA (of control building ventilation will lead to unspecified size). Because the high-pressure injection equipment failures in the control building that system is also assumed lost due to loss of ac power to result in core damage. Page 2-2 (Volume 1), the pump motors, the pump seal LOCA results in unre-presents the following conclusion to this coverable loss of primary coolant inventory and even-problem: tual core damage.
A-4
This assumption of core damage (given failure of side temperature appears important based on equipment in tie control building) appears reasonable - de following statement on page 6 49:
if pump seals fail and HPI is unavailable. The speculation that Westinghouse dsta on pump seal fail- " Common cause failures of the two chilled urcs may argue for an extended recovery period and re- water trains at a time when the outside ah tem-duced core damage frequency. although not quantified per.ture is greater than 95'F is the major in the PRA, does not appear particularly favorable in contributor to the initiating event (loss of con-view of a recent report on pump seal failures.A-2 This trol building ventilation) fmquency."
report presents a rather high probability of core uncov-ery from pump seal failures in a rather short time (four if the 85'Flimit stated on Page 6-10 is the ac-hours or less) given loss of seal injection and seal tn. tuallimit,then loss of control room ventilation jection cooling. 'Ihe forthcoming resolution of NRC frequency would be even higher.
Generic issue 23 (Reactor Coolant Pump Seal Failure) should provide additional data and information rele-vant to this issue, and may require modifications at
- Use of a Portable Vent System-The PRA some plants, including TMl-1, which could alter the states on Page 6-10 that a portable vent sys-probability of the accident sequence considered here, tem is modeled on the basis that equipment for the sysum was being purchased, and pro-as well as other sequences in the repoit.
cedures were being revised, at the time of the PRA study, it is questionable if an accurate e Control building ventilation chillers assumed estimate of the unavailability of this system required youtside ambient exceeds 84*F- .
could have been made at the time of tie PRA The PRA states, on Page 6-10, that if the without this information. However, this chilled water system fails, it is assumed that ,
quantincation may not k omly sigmGcant adequate ventilation is provided as the out-imw f epace ng sassbn,wMch t side air temperature is less than 84*E The ba-
, dicates that failure of the main system when -
sis for this assumption is not given in the outside air temperatures are greater than 95'F PRA, but is based on GPUN correspon-(when the backup system would also not be dence.^-3 This reference was not provided e etive) is de major comor to loss of with the PRA and was therefore not re-natilation.
viewed. However, an apparently conflicting assumption appears on Page 6-49 of the PRA, which states:
- Operator actuated system inefective V out-side air temperature is >95*F-This assump.
l "Ifnuclear services closed cooling wateris un- tion appears on page 6-10, Volume 4, Book 1.
available...the chilled water system...is un- 'Ihe basis for it is referenced correspondence available. The system failure frequency then that has not been reviewed.Ad becomes strongly dependent on thc outside air temperature. If the outside air temperature is
- Control air system failures are neglected-greater than 95'E..then neither the normal 'lhis assumption appears on Page 6-43, Vol-ventilation system operating in the once- ume 4, Book 1. Further, on Page 6-12, it is through mode nor the alternate ventilation stated that the control tower compressed air system that may be established by the opera- trains are needed for damper position and fan tors is assumed to be successful." control for the control building ventilation system. However, page 6-11 states that the
'Ihe validity of the outside ambient airtemper- control tower air system consists of four com.
ature assumption could not be evaluated on the pressors, two powered from each train; there.
basis of information provided in the PRA. fore, this omission is expected to have a very However, the significance of the assumed out- minorimpact.
A-5
REFERENCES A-1 Westinghouse Owness' Group, Reactor Coolant Pump Seal Performance Following the Loss ofAll at Power, WCAP-10541, Revision 2, November 1986.
A-2. D. B. Rhodes, Review ofthe M'estinghouse Owners Group Report M' CAP-10541, Revision 2, Reactor Coolant Pump SealPerformance Following a Loss ofAllac Power, NUREGICR-4906P, January 1988, .
A-3. Letter from C. D. Adams of GPUN Nuclear Corporation to D. J. Wakefield of Pickard, Lowe and Garrick, Inc., April 29,1986.
A-4. letter from C. D. Adams of GPUN Nuclear Corporation to D. J. Wakefield of Pickard, lowe and Garrick, Inc., May 9,1986.
i s
1 A-6 l
a-anoawam---2--MLa m2,.mmo,- s-ar----jai +4, -a a's+5- a.a-AM-m'..w.A,A, ei -ei ,,J_s --4.- na4.s A.k m m. ag.ead ar ---aw-ma.a emAm-4xar .ma se .s 4 .o,44 .ns .,y e op ,4-w, 1.a e a-4 .$... m. e i
1
' t i
f 1
APPENDlX B .
1 REQUANTIFICATION OF THE STATION BLACKOUT '
CORE DAMAGE FREQUENCY t
't
.t f
i i l
l l
B-1
APPENDIX B REQUANTIFICATION OF THE STATION BLACKOUT CORE DAMAGE FREQUENCY
'Ihis appendix provides an independent calculation the results for the mean value of tie station-blackout-of the frequency of core damage from station blackout induced severe core damage frequency would not be at TM1-1. The basic model is that of affected.
NUREG-il52.8-I A station blackout may occur either at the time of the loss of offsite power, or later if, The estimates obtained closely a; proximate the for example, the diesel generators fail during operation mean frequency of severe core damage (due to station while offsite power is unavailabic. If the duration of blackout). Mean values are used for estimates of the various failure rates; the dominant terms in tfe result the station blackout exceeds a certain time (called the
" grace time" here), core damage occurs. Recovery of for the station blackout core damage frequency are lin-the diesel generators, and ofloss of offsite power are ear in these parameters, because the terms involving modeled. One distinction between the model used common mode failures are the most important terms, here, and the model developed for NUREG-Il52, is There are contributions from non-linear terms, for ex-that the grace time is treated here as a random variable, ample, both diesel generators failing to start from inde-Another distinction is that, in the model used for pendent causes, and because the mean of the square of i NUREG-il52, the grace time depended on the time a variable over its degree-of-belief distribution is not after the loss of offsite power that the station blackout the square of tie mean, the estimates for the frequency occurred, and this distinction is not made here, of severe core damage due to station blackout are not exactly mean values.
The model considers contributions from five different ways of ernering station blackout: Glossary of Symbols
- a. Both diesel generators are unavailable at the A, Rate ofloss of tie offsite power network time ofloss of offsite power, either because (CVents Per year).
they fail to start, or hecause one is in mainte.
nance and the other fails to start Q,(t) Probability that offsite power has not been
- b. One diesel is in maintenance, the other diesel recovered by time t'after its loss.
starts but fails while running . Thus A,Q (t) is the frequency oflosses of
- c. One diesel fails to start, the other diesel starts but fails while running, leading ultimately to q, The probability that a single diesel generna core darnage tor fails to start on demand.
- d. Both diesels start but fail (at the same time) Q,(t) Probability of nonrecovery of a diesel gen-during operation from a common cause crator by time t after its failure, for either de faHuNo-start mode oManum or de
- c. Both diesels start, then one fails during opera- ,
tion from an independent cause; later, the sec- [aume uring- peration mode oMaBure, af these failures were from independent ond diesel fails from either an independent or C""8*8' common cause.
9'" r y a s6gmel generatoh The term " probability" is used here as the frequent.
ing in maintenance at the time of demand.
ist would use it. It corresponds to the term " frequency" used in the PRA. In this section, frequency refers to a rate per unit time (e.g., frequency of loss of offsite Q.(t) Probability a diesel generator in mainte-power). The probability distribution for the grace time nance will not be recovered by time t after is then a frequentist's probability distribution. Howev- the maintenance is begun. The equations ;
er,1f one were to assume that this probability distribu- for the contribution of the maintenance tion really represented a degree-of-belief distribution, unavailability to the station blackout core i
l B-3 l
l
l damage frequency are valid only for an of wi si determined from wi + r = 24 exponentialdistribution for Q.(t). In this hours, case, Q.(t) also equals the probability a diesel generator found to be in mainte. Model Equations nance at the time t = 0, at which loss of off- !
site power occurs, will still be in mainte. Corresponding to each of the five ways of reaching nance at de time t after the loss of offsite station blackout, a quantity wlere I ,jJ = a, b, c, d, or e, power occurred; is defined. 'Ihen the contribution of case j to the station blackout core melt frequency is A,1. 3 q, Probat,ility both diesel generators fail to start from a common cause. The values of I Jfor the five cases are given as follows:
Q,(t) Probability a diesel generator that has
- a. Both diesel generators are unavailable at the failed from a common cause will not be re-time of the loss of offsite power, either be.
covered by time t afterits failure; the same cause both diesel generators fail to start, or distribution is used for both the common because one diesel generator fails to start and cause failure-to-start and the common the other is in maintenance. I cause fails-during-operation modes of failure, i
1, = ((q,-q,)2 [q,(7)): + q,Q,(r))Q.(r) i I
Ar Failure rate (per unit time) for a diesel generator to fait during operation. The
- O*(*}9'9'" *)O*(#) (~}
rate is assumed constant, and independent of the time since the diesel gererator was b. One diesel generator is in maintenance, and started. The observed increased failure the other fails during operation, rate of a diesel generator during the first j hour of operation is incorporated into the model by increasing the failure-to-start L=2%Q,(t) ' A,exp(- A,w)Q,(w + r) !
probability of the diesel generator.
Q.(w + t)dw (B-2)
A, Failure rate from a common cause event (or shock) that will disable all the running c. One' diesel generator fails to start, the other diesels. fails during operation.-
r Orace time, or coping time, if the duration I, = 2qA (r) 'Arexp(-Arw)Q,(w + r) -
of the station blackout exceeds the time (r), core damage occurs. The value of r j
depends on whether or not emergency Q,(w + r)dw (B-3) feedwater is available, the timing and j
magnitude of a reactor coolant pump seal d. Both diesel generators start, but then fail dur-LOCA, and the timing of battery deple- ing operation by common mode, tion. Therefore, a probability distribution '
is used for r .
I, = Q, (r) A,cxp(- A,w) .
.O wi 'Ihe end point in the calculations. Station exp (-2A,w)Q,(w + r)dw (D-4) blackouts occurring after this point of time (as measured from the time ofinitiation of e. Both diesel generators start, then fail during the loss of offsite power event) are as-
- operation at different times; the diesel gener-sumed to be recovered before core damage - ator that fails first by an independent failure, occurs. An inherent assumption in the and the other diesel generator fails by either model is that some source of ac power will common cause or an independent failure.
be recovered within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. The value Little error results from assuming that the l
B-4
distribution of the time to recovery for the timing and magnitude of the reactor coolant pump seal second failed diesel generator is that for a die. LOCA are random variables, and because failure of sel generator failed from an independent - emergency feedwater is a random event. t cause, although, strictly speaking, it should le a mixture of the distributions for the inde-If emergency feedwater (EFW)is not available, the pendent failures and the common cause fail-grace time is about I hour, according to the PRA (see ures, weighted by their relative frequencies.
- p. 4-43, Vol. 6, Book I of the PRA). The probability ,
m the EFW fails, given station blackout,is 0.056, accord- i 1, = 2Q,(r) A,exp(- A,w)Q,(w + r) ing to Table 6-1,Vol.3 of the PRA.
4 A,cxp(- A,x) , As for the grace time distribution if the RCP seal LOCA is controlling, the calculation proceeds as fol-lows. According to the expert opinion clicitation done Q,(w-x + r)dxdw . (B-5) in support of NUREG-1150 (see Re f. B -4, pp. 5-6ff),
there is a 53% chance of a RCP seal LOCA of i Then the station blackout core melt frequency is: 1000 gpm after 1.$ hours (Table B-2, reproduced from Ref. B-4, Table 5.4-2 gives the results of the expert clicitation process.) It is assumed that the "old" P,6 = A,(1, + 1. + 1, + 1 + 1.) . (B-6) O-rings are in use.
Diesel Generator Failure, ' With a 1000 gpm leak,it is estimated that' core un- j covery will occur in about an additional 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. The '
Repair and Maintenance basis for oiis esemaie ts as fonows According to a re- i port by Fletcher, core uncovery will occur at TMI after
'Ihe diesel generator failure-to-start pmbabilities a loss of 2.4E5 lbm of water from the primary sys-and the fails-during-operation failure cates are taken tem.B-3 For a Westinghouse reactor (Zion), core un- i from the PRA (these values, and the manner in which covery will occur after aloss of 3.3E5 lbm of water. It they were derived, were reviewed during the review of is estimated that the time to core uncovery for a 4-loop the PRA, see the section on component failure data in Westinghouse reactor with a 1000 gpm RCP seal leak the main review report). The common mode parame- is about 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> if credit is given for operator action in ters (the beta factors) are also taken from the PRA. For - depressurizing and cooling down the primary system the recovery distributions for a failed diesel generator, (the leak rate decreases as the reactor pressure de-or the distribution for the maintenance time, expanen- creases). If it is assumed that the core uncovery time tial distributions are assumed. For the recovery distri- for a given size leak is proportional to the amount of bution for a die:;el generator failed by independent water that must be lost before core uncovery, then, for -
causes, the parameter in the exponential distribution is TMI-1, the time to core uncovery is about 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> obtained by fixing the median repair time at the me. from the time of the start of the leak. If the leak begins dian value of 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> given in NUREG-1032 (see at 1.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> after station blackout, then the grace time Ref. B-2, p. B-12). For recovery from a common is about 3.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />.
cause failure, the value of the parameter is chosen so as to best reproduce the distribution of recoveries given There is an additional pmbability of 13% that the in NUREG/CR-3226 (see Ref. B-3, p. 237). The 1000 gpm leak begins at 2.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> according to the dis-same re ference is used for recovery from maintenance. cretized distribution forleak rate versus time given by - i Table B-1 summarizes the diesel generator data.
the NUREG-ll50 expert elicitation process (see 4 Table B-2). Here the time to core uncovery_would be Distribution of the Grace Time the time (2.S hours) until the leak starts plus the 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> until core uncovery given the leak, or 4.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />. Leak rates other than 1000 gpm are of sufficiently low prob- ,
'Ihe grace time, or time that the plant can be without ability or magnin de that they do not contribute signifi-ac electric power without suffering severe core dam- cantly to the station blackout core damage frequency, age, depends on the timing and magnitude of any reac- Moreover, the probability of a 1000 gpm leak initiating >
tor coolant pump (RCP) seal LOCA, on whether or not after 2.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> is sufficiently low as to have a negligi-emergency feedwater is available, and on the battery ble contribution to the station blackout core damage depletion time. It is a random variable, because the frequ:ncy.
B-5
Table B-1. Failure, mainte3ance, and repair parawtem used in the station blackout requantification A. Failure data for the diesel generators q, = 0.02 q, = 0.00095 A, = 2.5E-3/hr i l
A, = 1.02E-4/hr l Note: The above value of qr includes a correction to account for the increased failure-to-run rate of the diesel generators during the first hour, a constant value of A, is used. 'the PRA used gr = 0.0158 per demand, and anincreased value of Ar during the first hour ( Ar = 6.58E-3/hr).
The diesel generator repair time distribution is assumed exponential, but the exponential distribution used is fitted to the median repair time of 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> given in NUREG-1032 instead of the mean repair time. The distribu-tion obtained is Qf(t) = exp(--t), where = = 11.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />.
'Ihe distribution for repair of a diesel generator failed by common cause is also assumed to be exponential, and is fitted to the distribution given in NUREG/3226, on p. 237. A mean 10-hour repair time is obtained for a diesel - -
generator failed by common cause.
B. Maintenance data Maintenance unavailability of a diesel generator: 0.0341
- For recovery from maintenance, an exponential distribution is assumed
l l- Q.(t) + exp(-a t),with a = .05. (B-7) .
l-This value of = fits reasonably well the recovery from maintenance distribution given 6 NUREG/CR-3226,
- p. 237, for the pertinent values of t (less than 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> or so).
l I
t
! 1 l
l B4
.. M .. E ..
Table B-2. Aggregated RCP seal LOCA probabilities for a Westinghouse four loop plant
- OkiO-Rings New O-Rings Time Time Leak Rate (h) from) (h) 4.5 5.5 _L5. 16 3.5 . . 4.5 _5 5._
M 2.5 3.5 0.809 - 0.809 0.807 0.805 0302 0.286 0.271 0.271(255) 0.271(0.239)6 0.810 84 0.014 0.016 0.017 0.0198 0.020 0.148 0.038 0.053 0.051(.067) 0.049(.081) 244/245*
- 0.010 0.010 0.010 0.010 0.010 313 - - -
93E--3 6.0E-4 6.0Fe4 6.0E-4 6.0E-4 6.0E-4 433 0.011 0.012 0.028 9.9E-3 13B--3 13E-3 13E-3 13E-3 13B-3 - .
480 2.6E-3 2.6E-3 2.6E-3 2.6B-3 2.6E-3 543 0.146 0.146 0.146 0.146 0.146 0.146 1.2B-3 1.2E-3 1.1E-3 1.1E-3 y
688/698/728
- - 2.7E-3 2.7E-3 2.7E-3 2.7E-3 2.7E-3 7% - - -
0.665 0.566 83E-3 83E-3 83E-3 83E-3 83E-3 1000/1026 0.530 0.659 0.659 1230 1.6E-6 1.6E-3 1.6E-3 1.6E-3 - -
4.2E-3 4.2B-3 4.2E-3 4.2E-3 4.2E-3 4.2E-3 1920 4.2B-3 4.2B-3 42E-3 4.2E-3
- a. Reproduced from Table 5.4-2 of NUREG/CR-9550, Vol. 2.
- b. Parentheses denote calculations which change if no depressunzation is assumed. All other probabilities are for 4-_; zed conditions.
- c. Similarleak rates have beenlumped together These values are the probabilities of being at a particular leak rate at a particular time.
t
The battery depletion time is taken as 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, based blackout rule, the site characteristics are as follows on the estimate given in the PRA, Section 4.3, Vol. 6, (with reference to the model in NUREG-1032):
- p. 4-43. According to Ref. B-3, p. 35, severe core damage will occur in a B&W plant about I hour after Switchyard category: I = 3 (worst battery depletion. However, no credit is taken here for category) averting severe core damage by recovering ac power in the time between battery depletion and the onset of se- Grid stability category: G= 2 vere core damage. As noted on p. 4-32, Vol. 6 ofite PRA, battery depletion guarantees core damage. The Recovery category: R= 2 (no diesel generators are no longer recoverable because enhanad they require de power. Moreover, the 230 kV substa- recovery) tion breakers require de, even for local operation; hence offsite power may not be recovernble. De grace Extremely severe weather time is six hours as determined by the battery depletion fseq: 0.0016/yr .
time if it is not limited to a smaller value by loss of emergency feedwater or reactor coolant pump seal Severe weather freq: = 0.004/yr LOCA.
NUREG-1032 uses Weibull distributions for the non.
The grace time distribution is as follows: recovery curves for loss of offsite power; however,in the actual numerical work performed in support of the Grace Time station blackout rule, exponentials or linear combina-(hrs) Probability Result tions of exponentials were used. These equations, when specia'lized to the TMI site using the above 1 .056 (EFW fails) categorizations are as follows:
3.5 (1 .056X.53) = .50 (EFW succeeds, i(t) = 0.069(0.7008exp(-2.002t) -
1000 gpmleakat + .3063exp(-0.5072t))
1.5 hrs) g(t) = 0.03(0.6886exp(-1.971t)~' '
4.5 (EFW succeeds, +.349exp( .2903t))
(1 .056)(.13) = .12 1000gpmleakat 2.5 hrs) s(t) = 0.004cxp(-0.1983t) 6 .32 (Battery ss = .0M 6 depletion) with the annual frequency.oflosses of offsite power
"'***"8 " # "'"" " ' 8'"*" '#
Frequency of Losses of Offsite Power Exceeding a F(t) = i(t) + g(t) + s(t) + ss.
On b adon The terms i(t), g(t), s(t), and ss, respectively corre-spond to the switchyard, grid, severe weather, and ex-The model used for predicting tbe frequencies of tremely severe weather contributions to the loss of off-losses of offsite power of a given duration is essential- site power frequency, ly that described in NUREG-1032, Appendix A, with the parameters for the TMI site supplied by John Flack Figure B-1 gives the frequency oflosses of offsite of the NRC staffin a private communication.B-2 Ac- power exceeding a duration t, as calculated from tim cording to the analysis done in support of the station - above expressions.
l B-8
0.15 e !
o j 0.12 -
H
_E 0.09 5
0-g !
g 0.06 - !
E I sc 8 0.03 -
u.
T 0 ,
0 2 4 6 8 10 T (hours)-
Figure B-1. Annual frequencies ofloss of offsite power (LOP) exceeding a time T. (Review Estimates) i
.i Results for the Station Here conditional core damage frequency is the station i blackout evere core damage frequency conditional on . -
Blackout Severe Core the given grace time. l Damage Frequency j It is interesting to compare the results to those ob- !
A stadon blackout severe core damage frequency of tained in the PRA. In particular, Section 4.3.5 of vol-3E-5/yris obtained from the above data and equations, ume 6 of the PRA was not understood. 'lhis section is The station blackout core damage frequency is calcu. entitled " Electric Power Recovery Modet" The equa .
lated conditional on each value of th: grace time, and tion for & I= in this section was especially then the weia,hted sum is taken, with the weights being g g ,g,gg,; , ;
y, .
the probabilides of each grace time. The intermediate en in the PRA, was 0.071/yr (see Table 3-8 of Vol. 5 of results of the severe core damage frequency '
the PRA). 'lhe above model gives 0.106/yr. '
conditional on each value of the grace time are as follows:
The severe core damage frequercy due to the loss of offsite Power initiator was given as 2.9E-5/yr in Table Grace Time ConditionalCore Damage Frequency (ner year) 6-4, Vol. 3 of the PRA. However, the greatest contn-ihrs)
' bution to this frequency was apparently from consta- l =
1 1.2E-4 tion blackout loss of offsite power sequences. Of the top 100 sequences on pgs. 6-46,6-47, Vol. 3 of the 3.5 3.3E-5 PRA, the core damage frequency from allloss of off . ,
4.5 2.3E-5 site power sequences was 1.45E-5/yr, while the core damage frequency from the single station blackout se-6 1.4E-5 quence (in the top 100 sequences) was 2.8E-6/yr, B-9
composing atout 19% of tle total of allloss of offsite the PRA assumes that the leak will be limited to 20 g
power *equences in the top 100 sequences, gpm per pump for the first 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> of a station black. >
out (see p. 4-42, Vol. 6 of the PRA). Because of the U .t sequerr:s telow the top 100 contributed ne- dMeulty in following tk PRA analysk of stade gligibly to the station blackout severe core damage fre-
" "I' II " *" I' * * ***"I ##'
queryy, then station blackout would contribute about ences in assumptiors areimportant.
3b6/yr to tte severe core damage frequency in the PRA. If the ratio of the contribution of station black-T, king the 1.265bt contribution of non-station-out to the contribution of all loss of offsite power se' bhh ofoNsieme h hPRA '
quences was the same as for the top 100 sequentes top 100 sequences, and multiplying it by the ratio of (that is,19%), then station blackout would contribute the estimate of the loss of offsite power initiating event a E-6b'r to the severe core damage frequency in f &PM i ,0.l M /0 M 1, would result in an estimane of 1.8E-$/yr for the contri-bution of the r,0nstation blackout loss of effsite power sequences to the core damage frequency, Adding this The discrepancy, between the estimate in this re- figure to the 3B-541 estimate of the cose damage fre-quarnification of 3E-5/yr for the contribution of sto- quency from station bladout sequences, will result in tion blackout to the core damage frequency, and the about $B-$/yr as an estimate of the core damage fre-PRA estimate of about 6E-6/yr,is caused in part by quency from the loss of offsite power initiator. A sub-different assumptions on the behavior of the reactor stantial portion of this value is attributable to the RCP w>lant pump seals upon loss of cooling (and seal in- seal LOCA problem. If the seal LOCA problem did jection). We estimate a $3% chance of a RCp seal not exist, the core damage frequency would be about _
LOCA of 1000 gpm (250 gpm per RCP pump), while 3B-547 from loss of nJaite power.
h
\
B-10
, REFERENCES B-1. G. Kelly, R. Barrett, ard A. Buslik, Millstone 3 Risk Evaluation Report, NUREG-1152, June 1986.
B-2. P. W. Enranowsky, Evaluation of Station Blackout Accidents at Nuclear Power Plants, NUkEG-1032, Jure 1988. i B-3. A. M. Kolacrkowt,Li ard A. C. Payne,Jr.. Station Blackout Accident Analyses.NUREG/CR-3226,May 1983.
- 84. T. A. Wheeler, S. C. Horn, W. R. Cramord, Analysis of Core Damage Frequency From internalEvents: Ex.
PertJudgementElicitation,NUREG/CR-4550 Vol.2. April 1989, t-5. C. D. Pletcher, A Revised Summary ofPWR Loss ofOfsite Power Calculations, EGG-CAAD-$$$3, EGkG Idaho,Inc., September 1981.
B-11
-v ' " ' ' " " " ' " " " ' " -
~11 APPENDlX C SEISMIC ANALYSIS L .
C-1
APPENDIX C SEISMIC ANALYSIS Riis apperdix estimates ite core damage frequency damage frequerey. liowever, plant damage states $E from the seismic initiator ard compares it to the esti. and $F(see Table 5-1 of Volume 3 of the PRA) corre-mates given in the PRA. Estimates of the seismic-in. sporded to late core damage, where the Borated Water duced core damage frequerry are made with the fragil. Storage Tank (RWST) water accumulated in the reac-ity parameters given in the PRA, ard with the seismic tot building sump tefore reactor vessel meltthrough.
hazard curves given in the PRA. The uncertainties due Moreover, these plant damage states were states in to the uncertainties in the hraard curves are presented. which the contairunent is not intact at the time of core melt initiation. In our analysis, tie seismic severe core In addition, estimates with the Lt NL hazard curves damage sequerres of importance are station blackout and EPRI hazard curves are provided.ot.o2 Because sequerces, loss of de sequences, and loss of Nuclear the response spectrum estimates and the soil amplifica. Service River Water sequences. In these sequences, tion factors are different for the LLNL hazard curves, reactor vessel meltthrough occurs without water accu-the fragilities must be modified wlen the LLNL curves mulating in the contaitunent sump. BWST injection are used. never occurs, reactor vessel meltthroegh is at high pressure, the containment functions (heat removal and in this section, tie tenn " probability"is used as the fiss n product removal) are inoperable, and tlye con-j frequentist uses it. Riis correspords to the term "fre- tainment is intact at the time of core melt. 'niis is plant quency"used in the PRA. Here, frequency refers to a damage state 3C of Table $-1, Vol. 3 of the PRA.
time rate, as in the expression " core damage fre-Of the sequences contributir.g most often it, plant quency ,* Probability, as used in the PRA, corresponds damage state SE in the PRA (See table on page A-100, to the term degree-of-beliefin tins secuan.
Vol. 3 of the PRA) the top 8 sequences came from tie 0.6g seismic initiator. These sequences allinvolved Seismic Core Damage loss of de power arxl faiture of the Bws P, several of Frequencies with the Utility them also involved failmr of reacmr trip. It is puzzling how such sequences could have been assigned to a Hazard Curves and Component piant damage state in which the BwST water is sup.
Fragilities paed to find its way to the containment sump before reactor vessel meltthrough.
oeneral Momerks. Die reis nic core damage fre.
quency is estimated using the utility hazard curves and Component Failure component fragilities. It will be seen that the scismic- Probabilities, for a Given Peak induced core damage frequency estimated here is Ground Acceleration much higher than that estimated in the PRA. A mean frequency of 6.5Fe5/yr is estimated, whereas the PRA The mean failure probability for a component or estimated 2.7E-6/yr for the seismic-induced core stmeture, for a given horizontal peak ground accelera-damage frequency; a differential factor of about 24. tion a,is ghen by This difference exists despite the fact that the same harard curves and component fragility parameters (the p(a) = p[In (a/A.,4)/61 (C-1) median ground acceleration capacities and the loga-rittunic standard deviations of the capacities) are used here. One reason for this discrepancy is that apparent- where f(z) is the distribution function for a normally ly an error was made in tte PRA in the evaluation of distributed variable with mean zero and unit variance, the seismic-induced core damage frequency. This cr- ,
ror consisted in the neglect of some of the supgort states, as noted in a letter from GPU to the NRC. 3 f(z) = [l/ /(24 )) .-- exp(-t'/2)dt .
(C-2)
'De assignment of the dominant sequences to plant 'Ihe quantity Amed it the median ground acceleration damage states also appeared to be in error. In the PRA, capacity (MGAC) of the component or structu e, and the seismically initiated plant damage states SE and $ F ,is the standard deviation of the logarithm of the contributed 90% to the seismically-induced core ground acceleration capacity, given by C1
V (p, ' + B, 2 ) iC-3) Conditional ProbabilitlJs of Selsmic Sequences, given the Peak Ground Accelera.
tion. We select the sequences we const:ler most hLely where to te important after inspecting the component failure probabilities condiuonal on the pga, and after inspect-ing tie list of Boolean expressions given in Table 2-7 p, = the logantirnic starxiard deviation of Vol. 7 of the PRA. Although it is possible that an associated with the tandomness in tie important sequence was missed, the result for the se-acceleratiot. capacity, and vere core damage frequency is a factor of 24 greater than in tir PRA, even though the same component fra-8, = the logarithmic standard deviation gilities and hazard curves are used. T1e sequences considered are:
associated with the uncertainty in the accaleration capacity.
I. Loss of offsite power, followed by loss of on-site power. The loss of offsite power is event The component failure probabihties, conditional on I of Table 2-.7, Vol. 7, Book I of the PRA.
the peak grourxl acceleration (pga), are calculated at The loss of onsite power is event 9 of the the four values of the pga (0.15g,0.25g,0 4g, and 0.6g) same table. Denote this sequena by used in the PRA, an$ compared to those given in tir PRA, for the components judged to be important.
These components are as follows: E(1) E(9) (C-4)
- 1. Centmic iraulators That is, EG) denotes event number j i . the table referred to above. Tius notation is used
- 2. 4160 V switchgear in the discussion of the otler sequences.
Event E(9) is caused by either loss of the 4160V switchgear, the 480V ewitchgear, the
- 3. 480 V switch fear 480V MCC, the fuel oil day taaks, the 4160V/480V transformers, or the diesel
- 4. 480 V MCC gercrators.
- 5. Battery cha per 2. Loss of de power in conjunction with loss of offsite power.11us sequence is E(1) E(5 j.
6 Fuel oil day tank The loss of de power either occurs immedi.
ately frorn failure of the batteries (leading to immediate station blackout) or later from
- 7. 4160V/480V transformers failure of tie battery chargers (leadieg to sta-tion blackout later after tie batteries dis-
- 8. Diesel generators charge, since the diesel generators requix de control power to continue running ) The ret result is loss of de and ac. leading to severe 9 de power battery core damage.
- 10. NS river water pumps
- 3. l. css of nuclear services nver water. Tlus is event E(2). Event E(2)is caused by loss of
- 11. NSS tank the nuclear service river water pumps, loss .,f the NSS tank, or loss of the r.uclear service
- 12. NS heat exchanger.
leat exAangea No significant differences are found Note that, be- '*"""""*U '*" """' I * " #80 the events E(2 L E(5) and E(9L given the pga. mvolve cause the same median ground acceleration capacities calculating the probabihty of a Boolean sum of events.
and 's are used, this is a check on the computatmns T1us is done by f ormulas like the followmg. wheie the onh. C, represent comporent failure events.
C-4
pt(Ci + C, + C I a) = 1-(I - pr(C i al) i Once de probabilities of the events E(i) are calcu-lated, corditional on tie pga, the following, quantities (1 - pr(C: I al)(1 - pr(C3 I al) .
(C-5)
This type of formula accounts for the overlap between tie compotent failures at high pga's. It assumes, how.
ever, that the component failure events are conditional- Pr(S2 I a) = pr(E(1)I al.ptlE(5)I a) ly indeperdent,in the sense that PrlS3 I a) = prlE(1) I a) (C-7) pr(C . C3 1 a) = pr(C, I al pr(C3 I a) . (C-6)
Here Si represents tie mation blackout sequence, S2 the loss of de acquence (either immediately by loss of If this is not tie case,then the formula is conservative.
the batteries or later because ofloss of the battery chargers), and S3 represents the loss of nuclear service The results obtained for tie conditional probabili- ,. ver water. De core Jamage event is given by de ties of events E(1), F,(2), E(5), and E(9), given de pga, Boolean sum of these 3 sequences, since tie contnbu-may be compareJ to those given in Table 2-7, Vol. 7 of tions of all other sequences to the seismically-induced the PRA. The only substantial differences occur in core damage frequency are being neglected. Overlap event E(2), at 0.6g, and in event E(5) at 0.4g. The con-between the sequences is accounted for as follows:
ditional probability of event E(2), the loss of nuclear services river water, given a pga of 0.6g,is 0.74, ac-cording to these calculations, while it was 0.94 in the PrlSI +$2Ia) = P'(E(1)Ial.(pr{E(5)Ial PRA. The conditional probability of E(5), given a pga + prlE(9)Ia) - pr(E(5)Ia) of 0.4g,is 0.426, acconting to these calculations, while . pr(E(9)Ial) it was 0.185 in de PRA. It is easy to see, without cal-culation, that the value for the conditional probability of E(5), given a pga of 0.4g, was incorrect in the PRA. pr(S1 + S2 + S3 i e) = pr(St + S21 al + pr(S3 I a)
'Ilus event referred to failure of de caused by either -pr(Si + S2talprlS3ta)(C-8) failure of the battery chargers or the batteries. Howev.
er, the battery chargers, according to Table 2-5 of he quantity prlS1 + S2 + S31alistie conditional Vol. 7 of the PRA, have a 32.4% chance of failing at probability of core damage given a pga of a. When 0.4g; tierefore de probability of E(5) must be at least considered as a function of n,it is sometimes callcd the as great, at this pga, and must be gicater than the 18.5% plant fragility curve. The mean plant fragility curve is given in the PRA. De error in the probability of E(2), displayed in Figure C-1. One sees that there is about a given a pga of 0.6g. is probably not important. since at 50% chance of core damage, given a pga of 0.36g.
such a large pga there is a high probability of core dam- Since the Safe Shutdown Earthquake (SSE) corre-age ' rom other failure.s. The error in E(5) could possi- sponds to 0.12g for the pga, there is a 50% chance of bly have some effect, but not rearly enough to account core damage at about 3 times the SSE pga. Typically for the differences in the estimates of seismically-in- the 50% point on the plant fragility curve is between duced severe core damage between our results and the twice the SSE and four times the SSE, so tlw tesults for results given in tic PRA. 30 are not unusual.
4 C-5 l
1 0.9 -
TMI plant fragility curve 0.8 -
h -
g 0.7
} 0.6 -
8 g 0.5 -
Io,0.4 -
0.3 -
0.2 -
0.1 -
0 ' ' ' '
O 0.2 0.4 0.6 0.8 1 Peak ground acceleration (g) 9 1048 Figure C-1. TMI plant fragility curve. -
Combining the Conditional Sequence Probe. A typical values of a used,in each of these ranges, bilities and the Hazard Curve. If, based on the for evaluating the conditional probabilities of failures, mean hazard curve, g(a)da is de6ned as the probability are, respectively,0.15g,0.25g,0.4g, and 0.6g.
that the pga lies in the interval da about a, then tie mean freq ene of core damage from tie sequences 0.$g to infinity for the last range, The value of the mean acceleration frequency for tie range 0.5g<a f,,,,,,,,= should be 6.8FA/yr, while Table 2-1, Vol. 7 of the pr(St + S2 + S3 I alg(a)da . (C-9)
PRA gives 5.6E-6/yr. The error has quite a small ef.
feet on the review results.- (A correction for this error would be, to a good approximation, an increase in the This integral is approximated by a sum, in the same seismic-induced core damage frequency by the differ.
way as was done in the PRA. A small error was made ence of these two mean acceleration frequencies, or in tie PRA, which is not corrected in our review. Tte 1.2E-6/yr, tre reason for this is that the probability of four ranges m the pga sa::
seismically-irxluced core damage is close to unity, given a pga of 04g, using tte component fragilities in 0.1 g<a<0.2g the PRA for TMI.)
0.2g<a<0.3g Tle results obtained in this review are:
0.3g<a<0.5g pr[SI) = pr(S1Ialg(a)da = 2.3E-5/y(station 0.5g<a <
blackout)
C-6
. m o t
pr[S2) = prlS2 I alg(a)da = 3.255/yr f, = pried I alg, (e)3a (C-10) 0 ** #} '
has degree-of-belief weight wi. In diit way one firds the folicwing table of seiwic-induced core-melt fre-quencies and associated *isights:
pr[S3)= priS3 I alg(n)da = 3.165/yr Ooss of NS Curve
' Cum tmativs river water) No. Weight ._QE_ Weiphr.,_,
10 0.047 2.66E44 1 and the ::cismic induced core damage frequency, 9 0.074 1.16604 0.953 prlSl+S2+S3),is 6.5b5/yr. 0:is to be recalled that, 7 0.147 1.10604 0.879 because of overlap, pt( S l + S2 +S31a ) is not equal to the sum of the pflSjla),j = 1,2,3). 2 0.033 5.44605 0.732 3 0.138 5.22E-05 0.699 The value obtained for the mean seismically- 6 0.052 4.46E-05 0561 .
induced core damage frequency is some 24 times greater than the value of 2.7&6/yr given in the PRA, 5 0.182 4.35FA5 0.509 despite the fact that de same component fagility pa- 4 0.141 3.71605 0.327 rameters and hazard curves are used.
8 0.086 2.48605 0.186 Uncettainty due to the Hazard Curves using the Utility Hazard Curves. The PRA (see Thble 4 Apperdix A of Vol. 7) gives a family of hazard curves, in this table, the curve number corresponds to the each with a different degree-of-belief weight as- curve number of the aggregate hazard curve in Table 4.
signed. Each member of tie family is really an aggre. Appendix A, Vol. 7 of the PRA. he weight is the cor-gate of a set of hazard curves. By considering the vari- responding weight from this table. The column head-ation of the scismic-induced core damage frequency ing CDF represents the seismic-induced core damage over this ensemble of hazard curves, one can generate frequency; the curves are ordered such that the CDF's a degree-of-belief, or uncertainty distribution, for the are in descending order of magnitude. From the above seismio-induced core damage frequency. Of course, table one sees that the 95.3 percentile on the uncertain-this uncenainty distribution includes only tie uncer. ty distribution corresponds to a seismic CDP of tainty due to the uncertainty in the hazard function, and 1.16E-4/yr. %e median vahie of the seismic cdfis not that due to the uncertainty in tie median ground ac- about 4.3E-5/yr, and the mean value is about celeration capacities of de components and structure 6.5b5/yr.
In addition, although this uncertainty distribution is appropriate for the authors of the PRA, other analysts Qualitative Discusalon of the Uncertainties in may decide that the hazard curves of other expens the Fragilities, in the PRA, the fragdity parameters should be included in the assessment of the uncertain- f r many of the components were based on generic ty, Nevertheless,it is of mterest to determine the un- data. M intmduced greater uncensinty. Also, h certainty in the seismic core melt frequency caused by *8 E"'** *'#" "
- 8*"" "**
, treated conservatively. This is appropriate u- for an u.
the uncertainty to the hazard curves, using the uncer-tial screening analysis, but for components which are tainty distribution for the hazard given in the PRA.
dentified as important contributors to the seismic core Each hazard curve generates a density function; the damage frecuency, a plant-specific analysis should be density function g(a)is the negative derivative of the done. In particular, the battery chargers, with a rela-hazard curve, since the hazard curve H(a) gives the an-tively low median ground acceleration capacity of nual probability that tie pga exceeds a. If gi(a)is the 0.48g, contributed significantly to the seismic core density function for the ith hazard curve, and if wi is damage frequency, and a plant-specific analysis would the degree-of-belief weight assigned to it, then the be appropriate. If the battery chargers were so strong seismic core melt frequency calculated from that they would never fail, the mean seismic core C-7
damage f;equency would chany from 6.f F.,-5/yr to no anchorage between the concrete saddles and the 4 SE 5/yr. If the fragility parameters of tre battery tank.
chargers and de ceramic insulators are Prpt de came, and all otter components strengdeced to tie point that if the fragility parameters of tte nuclear senice riv-they would never fail, then Ge rnean seistnic core dam. er water pumps were kept the same, but all other com.
are frequency would be 2.95-5/yr. ponents strengthered to the point where they would never (ad. then the mean seismic core damage frequen. __
Of de components entering into the important scis. cy would be 1.9E-5/yr.
mic sequences. only tte nuclear service river water _c pumps and the fuel oil day tank were treated by plant- SelSmlC Core Damage spesfic calculatiorein de PRA. Frequencies with the LLNL 1.r.ss of coelant accidents from seismically-. induced pipe breaks were not imponant contributois to core .
damage it this PR A, as in most v'ility-sponsored General Romerks. Sirce the completion of the TMi PRA, results of the Easteru Seismicity Characteriza-FRAs. However, PRAs peiformed using de Seismic Safety Margins Research Program (SSMRP) method- tion Program at LLNLN ard a parallelprogram con-ducted by EPRic-2 have become available. These re-ology have estim4cd much higher conditional proba, bilities of small LOCAs at a given tevel of peak ground suits include site-specific probabilistic hazard acceleration. For exaruple, at Zion, according to estimates and site-specific uniform hazard spectra.
Ref. C-4, Table 7.3, there is a 26% chance of a small 'Ihe hazard estimates and spectral shapes of the LLNL LOCA due to a pipe break, at a p;n of M7g. We note study, the EPRI study, and the TMI PRA, all differ _
furtter that de SSE pga t'cr Zion is 0.17g, while it is from each oder. We will therefore estimate the sensi-0.12g atit ec Mile Island. tivity of the scismically-induced core damage fre-quency to the LLNL hazard curves and spectral sha[es, and later to de EPRI hazard curves. W re-1he lack of inclusion, even in e generic way, of de-ahs of the hawd smdie inhnce de fragmues an sign and construction errota in dw assestment of the two ways: through a soil amplification factor, and fraglitico was ano he: source of uncertainty. The most important uteertalmy in the fragilWc is judged U#@
- T* **
to te de use of generic data.
Soll Amplification Factor. Except for the diesel generator (DG) building, the borated water storage Uncerthintiesin'he Accidu.lt Sequer:ce Delin* tank (BWSn the condensate storage tank (CST), and eation. Relay chaiter was assunel to te completely the underground fuel oil day tank, all TMI structures recoverable. This assumption should be investigated are founded on bedrock, lhe DG building, BWST, and furtler. If this assa nptica were remcved, gitater de- CST age on compacted backfill which is approximate. -
tall in the accident sequence delineation would be ly 30' thick over tedrock. In the TMI PRA analysis, required. the seismic bazard was defined with respect t0 bedrock end a soil amplification factor was included in the The accident sequences considered were those fragility antlysis to account for the acceleration expe.
judged to be most important. *lhe error associatert with rienced at the top of the bedrock. In the LLNL pro-lack of completenes is believed to te ;; mall. grarn, hazard estimates are provided for both the bed.
rock condition and the surface condition. %crefore, insights. %e fuel oil day tank was twated by a plant the first issue is to examine whether the soil amplifica-specific analysis, and contributed significantly to the tion factor t sed in the TM1 analysis was consistent seismic severe core damage frequency, if the fuel oil with the information developed by LLNL. LLNL,in day tank were so strong it would never fail, but all oth. Ref. C-1, provided approximate estimates of the fol-er fragilities remained the same, the mean seismic core lowing ratios of PG A values between shallow and rock damage frequency would change hem 6.5E-5/yr to conditions for fixed values of the hazard (annual ex.
6.lE-5/yr. If the fragility parameters for the ceramic ceedance pivbability):
insulators and the fuel oil day tank were kept the same, but all other components strengthened to the point Ratio Shallow / Rock PGA where ttey would never fail, tie seismic severe core damage frequency would be 1.2E-5/yr. According to Probability of 10-3 104 10-5 the PRA (see p. 5-45, Vol. 7. Book 2, of the FRA) the Exceedance (per year) Avg.
Iuel oil day tank had no seismic design and contained 1.50 1.47 1.44 1.47 C-8
The amplification factor used in the Thil analysis was structural response factor in compotent fragility eval-1.2. Implications of this differeo e, along with otter untions) used in calculations was 1.0 since the median differences, are discussed below. spectrurn was used in tte response analysis. his fac-tor should be changed in the sensitivity analysis hs dis-Spectral Shape issues. The unifonn hazard spec- cussed above when the plant-specific fragility esti-tra (UHS) developed in the LLNL ard FPRI programs mates are used, exhibit significantly different characteristics than the median spectral shapes used in the ThU analysis ne Ideally, ore should also evaluate urcertainty param.
LLNL spectra are significandy lower than the nil eters (p,and ,) associated with the spectrum shape median spectra below approximately 10 Hz, and high-factor, however,it is very difficult in a short amount of er at high frequencies. Spectral accelerations are am-time to st,rt out the partitioning of uncertainties in the plified even at frequencies of 50 Hz or greater m the hazard estirnates ard uniform hazard spectra estimates LLNL results, while PGA values are approacled at 20 provided by the LLNL. Therefore,in this order of Hz m tle nil spectra. Ore should be cautioned that there are a number of issues yet to be resolved in using magnitude sensitivity analysis, the TMI p, and , val-uniform hazard spectra in the probabilistic risk analy- ues are retained.
sis. Funher investigations are needed to properly char-acterire the damage potential of a grourxl motion Rosetimailon of Some Fragilities. nree specif-which is rich in high frequencies but less rich in low ic fragilities were reexamined in this effort. Two com-frequencies. Issues associated with unattainty esti- ponents are surface mounted (the DG building and the mates require further examination. The following BWST), and the oder component (the Nuclear Service table lists the ratio of amplification factor (value of River Water Pump) is one for which a plant-specific spectral acceleration at given frequency to PGA) used fragility was developed as part of the PRA, and which in tte Thil median spectrum to the amplification factor was found to be risk-significant in de PRA.
of the median LLNL tock spectrum for a 104 return period: The approach used was to derive qualitatively- and judgmentally-. determined median factors of safety for TMI Amph6 cation Factor soil amplification, Spectral shape, and peak ground ve.
- "*"" o4 uNt, Ulls Arnph6 canon Facto, locity values, and requantify fragility values for the above components. No requantification ofuncertainty ID 3D values is made. It must le emphasized that detailed or 2D 2.36 specific calculations were not available.
23 23$
3.33 2.t Of the above tture components, only tte Nuclear 54 1.7 Service River Water Pump is found to be an important m3 i3 ccntributor. De fragility parameters for the fuel oil 293 og day tank, for which a plant +weific analysis was per-formed for the PRA, should M te revised. However, tte calculations performed for the PRA were not if specific fragility calculations for component aM available, structures, or information on natural frequencies of i Thil structures, were available, then one could make For the nuclear service river water pump, the struc-betterjudgmeca about the impact of different spectral tural response factoris revised to 1.5 from 1.0, leading shapes on the fragility estimates nis information to an increase in the MGAC to 1.02g from 0.68g. Note was requested but has not been received. that s detailed evaluation of this component has not been made with regard to the other failure modes and In the absence of the needed information, to gain the tdequacy of the parameter values used in the analy- ,
qualitative insights,it can be assumed that the stiff nu. sis. l clear structures founded on the bedrock will not have natural frequencies below 5 Hz and frequencies will be There is the potential for the MG AC to be decreased in the range of 5-10 Hz. Examining the above table, in significantly for certain components. One reason for the frequency range of 5-10 Hz, the Thil spectrum this is the soil amplification factor discussed earlier, shape overpredicts the response for a given PGA by Another reason is that, for component natural frequen-approximately 0% to 70E For a sensitivity analysis, cies greater than about 10 Hz, the spectral e mplifica-an arbitrary value of 1.5 is se!ccted. It should be noted tion factor (ratio of the spectral acceleration at a given that in the TM1 analysis, the spectral shape factor (or frequency to the PGA) will be larger than assume'l in C-9 I
l
the PRA. furtier rrducing the MGAC For example, hazard curve, or mean annual probabihty of excee-chesel generators generally have natural fiequencies in dana of PGA. The LLNL mean hazard curve is con-the neighbortuxxl of 20 Hz, as may be seen from siderably lugter than the mean hazard curve in the Table 5.2 of NUREG/CR-3428 N Furder support PRA. For example, at 0.4g the mean exceedance fre-for tius value is supphed by the Long-Term Seisnue quency is 18E5/yr, from the data in Volume 7, Ap-Program L)iablo Canyon PRA.C-5 where the diesel perxhx A, Table 4 of tie PRA, while it is 2.28E-4/yr generater natural frequency is estimated to be about from the LLNL mean hazard curve, more than an order 17 Itz. For a frequency of about 20 Hz, the spectral of magnitude different.
amphfication factor obtatned from the LLNL program is about 1.6 times that assumed in the PRA. Since the Results with the LLNL Hazard Curves. Two cal-diesel generator building is on soil, there is the addi- culations were perfonned with the LLNL huard tional reduction coming from the soil amplification curves. First, the seismic core damage frequency is factor. The two factors together would yield a reduc- calculated with the sarne fragibly parameters as in the tion of the MGAC by a factor of about (l .6)(I 47/1.2), PRA. Secondly, the seismic core damage frequency is or a factor of about 2. Since at present the MGAC for calculated with the increased MGAC for the NS river the diesel generators is about 0.75, this would result in water pumps denved abosc. We estimated above that a revised MGAC of about 0.38, if straightfon ard the MGAC for the NS river water pumps should be mochfications to the median safety factors are made. 1.02g. instead of 0.68g, when the LLNL hazard curves Further investigations are needed to properly charac- and spectral shapes are used. Because there are other terize the damage potential of high frequency ground important components contnbuting to the seismic core mouon. The precise impact of such high frequency damage frequency, there is not much effect from this motion on component fragihties is not clear. In any change. With the same fagihty parameters for the NS event, tecause the fragibty parameters in the PRA are river water pumps as in the PRA, the mean seismic ;
not plant specific, it does not appi . r appropnate to core damage frequency is calculated as 4.3&4/yr, make this correction. It would be more desirable to do while with the mochfied fragility parameters for the a plant specific fragibty analysis for the diesel genera- NS river water pumps it is 3.844/yr. For companson, tors, with all factors affecting the diesel generator seis- the seismic core damage frequency with the utihty mic capacity considered in a ph nt specific way. hazard curves was calculated as 6.5W5/yr, so that the LLNL results are a factor of about 7 higher.
The important implications for the stiff components of nuclear power plants of the spectral amplification S8lSmlC Core D8m898 factor obtained from the LLNL program is noted in the LLNL report (see p. 47, Vol. 6, of Ref. C-1).
Ff9quenCl88 with the EPRI Curves LLNL Hazard Curves. The LLNL mean hazard curve (see Ref. C-L Vol. 2, p. 211) is given by the %e mean hazard curve for the EPRI study for the table: TMl site is given by the following table:
PGA H
_PD/L _ 11 0.510 F02 0.640E-02 5.00E4)2 1.37E412 0.510E4)1 0.510E-03 7.55 & O2 7.20 & O3 0.102E+00 0.170E-03 1.26601 2.88E-03 0.255E+00 0.260 & O4 2.00 & O1 tile 4)3 0.510E+00 0.380E-05 2.50001 6.83E--04 0.7i4E+00 0.120E-05 4.00E4)1 2.28EW 5.6 t WO! 9.82E-05 The column labelled PGA gives the peak ground ac-6.12E411 7 85E-05 celerauon in g's. The column labelled H gives the cor-7.6sE-01 4.37E-05 responding values of the mean hazard function, or an-100E+00 211605 nual probability of exceedanx of the corresporxting value of PGA. This hazard curve lies below the mean hazard curve of the utihty. For example, at 0.5g the Here the column labelled PG A is the perk ground ac- utthty hazard curve has the value 6.8E-6/yr, while the celeration in g's; the column talelled 11 gives the mean above table gives 3.8E6/yr C-10 1
C > ,- - _ _ _ - - - .
For the EPRI hazard curve >, all that was done was to agc states, as is noted in the letter from GPU to the calculate the mean scismic core damage frequency us- NRC.c-3 Tiere may be other reasons. The assign.
ing the mean EPRI hazard curve and the structure / ment to plant damage states in the PRA also appears component fragilities given in tie PRA. The seismic incorrect, core damage frequency obtained is 1.74E-5/yr.11e uniform hazard spectra generated in the EPRI program Ordy a few of the nunporKat and structure fragility are similar to the LLNL uniform hazard spectra but in-parameters are based on plant-specific fragility analy-dicate a smaller sp.stral amplification factor for all ses. It would be highly desirable to use plant-specific frequencies. The estimate of 1.74B-5/yr for tle seis- fragilities.
mic core damage frequency does not include any changes in spectral response factors from those used in the TMI PRA. If, as in the case of the LLNL hazard, The 95th percentile core damage frequency is only the MGAC of the nuclear service river water 1.2M/yr, when only the uncertainty in the hazard is considered and the utility hazard curves are used.
pumps is changed, not much change in tie seismic core When the LLNL hazard curves are used, a mean sels-damage frequency would be expected, mic core damage frequency of 3.8E4/yr is obtained with the NS river water pump fragilities modified to Summary account for the response spectrum shape obtained in the LLNL study. This value of 3.8E-4/yr falls outside The estimate of the mean seismic core damage fre- the 95th percentile bound obtained when the PRA har-quency is 6.$B-5/yr when the PRA hazard curves and ard curves are used. When the EPRI hazard curves are component / structure fragility parameters are used. used, a value of 1.74B-5/yr is obtained for the mean This is a factor of 24 greater than the value of seistnic core damage frequency. This value is below 2.7E-6/yr given in the PRA. One reason for this is that the 10th percentile value of 2.3B-5/yr obtained from the PRA omitted the contribution of some plant dam- the utility hazard curves.
C-Il
REFERENCES C-1. D.L Bernreuter, J.B. Savy, R.W. Mensing, atui J.C. Chen, Seismic Ha:ard Charadert:aricn of 69 Nuc.'ese Plaat Sites East of the Rocky Mountains, hTREG/CR-5250, January 1989.
C-2. R. K. McGuire et al., Probabilistic Seismic Ha:ard E%!uations in the Central and Eastern United $lates:
Resultsfor $7 Sites, Project P101-53, Fmal Report, Dectric Power Research lastitute, Appeidix E to EPRI NP-6395-D, April 1989.
C-3. Letter from H. D. Hukill to U. S. Nuclear Regulatory Commission, GPU letter no. C311-89-2020, GPU Nu-clear Corporation, March 17,1989.
C-4. M. P. Bohn et al., Application of the SSMRP Methodology to the Seismic Risk at the Zion Nuclear Power Plaat, NUREG/CR-3428,Januar/ 1984.
C-5. Long-Term Seismic Program Diablo Canyon PRA. Paci6c Gas & Dectric Co., March 1988.
E s
C-12
waceomaan us wucumicutaioni comunow i nicum wovn a L'.'s in' M E*.**.'O.T '.,1* '"-
mi.3m B'!JLIOCRAPHIC DATA lijEET is .,w, o.,u en e . sei NUREG/CR-5457 a.ma Asa svemte EGG-2b72 A Review of the Three Mile Island-l 3 c,3, ,, p3,3 py,, ,3,,, o Probabilistic Risk Assessraent oae u, g
November 1989
. . .~ on c,n Am ~uviu A6892 s aui.40eusi t.1 vrt o' at ro" H.J. Reilly, D.L. Schurman, ii.J. Welland, R.C. Bertucio, s
S.A. Eide, P.R. Davis, S.L. Mays, A.J. Bu>lik, N.C. Chokshi Technical an sioo covini o.. . o....
g Pt H I oN M ING ohb ANil A l loN - 88 AM L AN o AooN I kb IH *8'C P'** U*'*** U" #'*** U I ""' ** **'"*' C'"'***""" "' "*'W *#d**' 8"""*"8"*""#
~~'T6MiNI(ional o Engineering Laboratory EGhG Idaho, Inc.
P.O. Box 162b Idaho Falls, 10 83415 e .s.co.ns,oni,sc.
. . . , . . + . , onc, Awir A nou - N Avi Awo Acoa t 55 ,,, ==e ... w .. .~..c
,,- ,,-- .-~~ ~* o- - o" . -u a - u s - a u--a . ~.-
Division of Systems Research Office of Nuclear Regulatory Research U.S. Nuclear Regulatory Connission Washington, DC 20555 10 sVFPL t ME Ni AHY Nolt 5 II AUST H ACT tm-.,d. ~ ew
'Ihe level 1 Probabilistic Risk Assessment that was prepared by Pickard, lowe and Ganick for GPU Nuclear, and forwarded to NRC, was reviewml. The seview included both plant internal events arki three Linds of external events: plant fires, seismic events ;ind river i flooding. At tic close of the review, the authors estimated the frequencies the core damage sequences would have if the reconuneraled corrections were made to tic data ankl assump-
- tions. It was concluded dut the recommerkled corrections would have a major effect on the csimated risk prorde of TMl-1, mcluding major increases in some sequence frequencies and major decreases in others.
Tri i y wo tas.ot so mFi en u ... .-,. -,a,..n ,- ..n.J~ . . =--. * ,.- , o a a i m .u n siaiteo.i Unlimited Probabilistic Risk Assessment (PR) i. suu n.n u aw. .v iiv Three Mile Island-1 -o ... ,
Unclassified trea Ar-a.,
l l Unclassitied
+e Ib NUVist H V6 F AG( 5 16 Phict h8sc eoHM 336 0491
.U,$.C0vtpheEhi Pathilhr. OrfICL s1999 262 436 sOO353 I I
UNITED STATES 5 m.. ,, nt,,,,, c,.ss .n NUCLEAR REGULATORY COMMISSION *cistan'
- nis 'ae WASHINGTON, D.C. 20555 n awi w r, ev OFFICIAL BUSINESS PLNALTY FOR PRN AT[ U$f, $330 3
,--e
- s. -
ec .
- , 3, 97,c ? ; 1 li'l'Oll'
,; F, f UhLI(bT ') h
g; 3a. ,,s mrc r.2r? -
c ;ac=5
, g , s l +, r. T ". N _]
6
?
- e. .:.