ML20011D915
| ML20011D915 | |
| Person / Time | |
|---|---|
| Site: | Brunswick  |
| Issue date: | 11/30/1989 |
| From: | Davis P, Gilmore W, Gregg R, Satterwhite D, Sattison M EG&G IDAHO, INC. |
| To: | NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
| References | |
| CON-FIN-A-6895 EGG-2579, NUREG-CR-5465, NUDOCS 9001030013 | |
| Download: ML20011D915 (85) | |
Text
- -
tM ,. -
NUREG/CR-5465 i EGO-2579 i
.v:'
l j
L. -
t j
Review of the Brunswick Steam E ectric Plant Probabilistic Risk Assessment 1 i
I s-
" Prepared by M.H. Sattison, P.R. Davis, D.G. Satterwhite W.E. Gilmore, R.E. Gregg Idaho National Engineering Laboratory EG&G Idaho, Inc.
L . Prepared for
.U.S. . Nuclear Regulatory Conunission
- n2oaB8!RBM!Isa P
W l
[
I AVAILABILITY NOTICE Availability of Reference Matenals Cited in NRC Publications Most documents cited in NRC pubhcations will be avahable from one of the following sources:
- 1. The NRC Public Document Room, 2120 L Street, NW, Lower Level, Washington, DC 20555 2, The Superintendent of Documents, U.S. Government Printing Office, P.O. Box 31082. Washington, DC 20013 7082
- 3. The National Technical Information Service, Springfield, VA 22161 Although the hsting that follows represents the majority of documents Cited in NRC publications, it is not intended to be exhaustive. j Referenced documents available for inspection and cop)!ng for a fee from the NRC Public Document Room I includo NRC correspondence and internal NRC memoranda: NRC Office of inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices Licensee Event Reports; ven- i dor reports and correspondence; Commission papers; and applicant and licensee documents and corre-spondence.
The following documents in the NUREG series are available for purchase from the GPO Sales Program; formal NRC stait and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guldes, NRC regulations in the Code of Federal Regulations, and NucIcar Regulatory Commission Issuances.
Documents available from the National Technical Information Service include NUREG series reports and techn! cal reports prepared by other federal agencies and reports prepared by the Atomic Energy Commis-sion, forerunner agency to the Nuclear Regulatory Commission.
Documents available from public and special technical hbraries include all open literature items, such as books, journal and periodical articles, and transactions. Feaeral Reglster notices, f ederal and state legista- 3 tion, and congressional reports can usually be obtained from these libraries, '
Documents such as theses, dissertations, foreign reports and translations, and r:on-NRC conference pro-ceedings are available for purchase from the organization sponsoring the public .tlon cited.
Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Office of information Resources Management, Distribution Section, U.S. Nuclear Regulatory Commission, Washington, DC 20555.
Coples of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library,7920 Norfolk Avenue, Bethesda, Maryland, and are available there for refer- ,
ence use by the public. Codes and standards are usually copyrighted and may be purchased from the !
originating organization or, if they are American National Standards, from the American National Standards !
Institute,1430 Broadway, New York, NY 10018.
DISCLAIMER NOTICE This report was prepared as an account of work soonsored by an agency of the United States Government.
Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expresed or implied, or assumes any legal liability of responsibility for any third party's use, or the results of such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not intnnge privately owned rights.
t
1 NUREG/CR-5465 EGO-2579 RO Review of the Brunswick
- Steam Electric Plant LProbabilistic Risk Assessment Manuscript Completed: October 1989 Date Published: November 1989 =
Prepared by M.II. Sattison, P.R. Davis, D.G. Satterwhite W.E. Gilmore, R.E. Gregg Idaho National Engineering laboratory
. Managed by the U.S. Department of Energy -
EG&G Idaho,'Inc.
- P.O. Ilox 1625 Idaho Falls,ID 83415 Prepared for.
Division of Systems Research OITice of Nuclear Regulatory Research U.S. Nuclear Regulatory Commission
' Washington, DC 20555 NRC FIN A6895 Under DOE Contract No. DE-AC07-761D01570
N I
l
)
i ABSTRACT l
.l -
A review of the Brunswick Steam Electric Plant Probabilistic Risk Assessment was con-ducted with the objective of confuming the safety perspectives brought to light by the pro-babilistic risk assessment. The scope of the review included the entire Level I probabilistic risk assessment including extemal events. This is consistent with the scope of the probabil. )'
istic risk assessment. The review included an assessment of the assumptions, methods, models, and data used in the study, I -l j ..
)
I-l 1 k
l' l
~
I
- l. i l
l l-l~
1 l- iii t--
EXECUTIVE
SUMMARY
lntrOdUCtlOn review assumes that the BPRA analysis team collected accurate design and operations information; e.g., cor.
- " E '#
This summary describes the Idaho National Engi.
neering Laboratory (INEL) review of the Brunswick-Steam Electric Plant Probabilistic Risk Assessment Init at ng Events (BPRA) for the Office of Nuclear Regulatory Re.
search of the Nuclear Regulatory Commission (NRC), Generally, the initiating events covered by the The review addressed the entire level I Pmbabilistic BPRA seemed to be complete. Comparisons were Risk Assessment (PRA) including extemal events, made to other PRAs (Shoreham and NUREG/
CR-4550 for Peach Bottom). No significant omis.
The primary purpose of the review was to confirm sions were found. Three methods of quantification the safety perspectives regarding the dominant acci, were used to detenntne the trutiatmg event frequen-dent sequences and major contributors to accidents cies: (1) the use of generic data, (2) a single-stage that were brought to light by the PRA. The review em- Bayesian update of generic data, an (3) case-by-case phasized the issue of completeness and the identifica- calculations. he use of these three metimds appears 3PPSPnate and the numencal results are reasonable, tion of modeling assumptions, techniques, and quantiScation methods which could significantly alter the PRA results. The inherently negative aspect of the Ten extemal initiating events were considered and review is reflected in this report. However,it should reviewed during the external event review. These be noted,in general, the BPRA was considered to be a sclude:
comprehensive and competent analysis. .
- 1. Atreraftimpact Areas of Review 2. Extemal nooding The BPRA is composed of severalinterrelated 3. Extreme witx!
tasks. A review of a PRA is not complete unless the information and analys!s which comprises each task is 4. Industrial or military facility accident examined. The BPRA tasks are depicted in Figure S-1. Also shown are the report sections which sum. 5. Intemalfire marize the review of the task. As can be seen, we did not review the first task, Plant Familiarization." his 6. Intemalflooding
"""*" Eniemal and Spatially-Event free
- Dependent imemal Development , ,,,
- "" Y$'*
2.2 g ! 2
, 4 A I I l l
l4 inihaung
_p . _
Human y_L uncenaw
- Dependeni e Data ==- Accioent Sequence pi,,
Famgra,.
Failure _
Develop- a w (Core Damage)
-- W*
12ation cation a An88Y5i8 Analysis m.
ment T- ouan% cation
- g ,
21 25 2a 25 25 23 l l . ,
l I J
Fault Tree Deveipment _
2.3 9 7950 Figure S-1. BPRA task flow chart.
iv
c
- 7. Release of chemicals from onsite storage venting must be performed or the containment will fait due to insufficient heat removal. This change in the 8; 'Ihnsportation accident NUREG/CR--4550 analysis leaves no basis for the DPRA ATWS with Isolation event tree success
- 9. %rbine-generatedmissile criteria.
- 10. Seismic activity Assumptions Portions of the Low Pressure Coolant Injection Event Trees (LPCI) system are powered from the opposite unit's emergency diesel generators. Therefore, should a sta.
The BPRA used 12 event trees to model the plant tion blackout condition occur on ore unit, it is possible system response to the mtemal initiating events. These to have LPCI supplied from the other unit, it is as-trees fellinto three gmups: sumed that the LPCI system would fail, after battery depletion,in a station blackout corxtition due to loss of
- 1. Transients water level instrumentation. This assumption seems to be overly conservative since it appears that LPCI 2, Loss-of-coolant accidents (LOCAs) inside would continue to operate on the other units diesel contamment generator.
- 3. Anticipated transients without scram in a station blackout condition, it was assumed that (ATWS) the operators would override the high pressure coolant injection (HPCI) and reactor core isolation cooling ne same event trees were used for both Unit I and (RCIC) ovenemperature trip circuits within the first Unit 2. %e event tree findings are briefly discussed in two h. This assumption implies that the operators this section and are categorized according to tie topics would never fail to do so. This seems to give the oper-underlined below, ators a large amount of credit in light of tie high stress situations that could te present.
Success Criteria No credit was given for recovery of ac power in a station blackout if all coolant injection systems failed.
De turbine bypass capacity for Unit 2 is 88%, but Core dryout will not occur for 30 to 45 min. The rea-for Unit 1 it is only 22%. De general transient even: son for this assumption is the high stress conditions trees do not question the reclosure of the Safety Relief that would exist in this situation. Ilowever, it is not Valves (SRVs) based on the 88% bypass capacity. This clear that the personnel responsible for recovering is not the case with Unit 1, therefore, the applicability power to the plant are the same ones under the high of the general transient event trees to Unit I is in ques- stress. Comparisons with other BWR PRAs (Peach tion. The same is true for the ATWS with turbine by- Bottom, Grand Gulf, and Shocham) indicate that one-pass /feedwater event tree in that suppression pool half to two-thirds of offsite powerlosses can be recov.
cooling is not asked because of the 88% bypass ered within 30 min.
capacity.
A 24-h mission time was used for all event tree top Transient-Induced Loss of Off-events. This is very conservative in a number of situa. site Power tions. For example, during an intermediate LOCA, high pressure injection is required only until the reac. There is no mention of transient-induced losses of tor depressurizes, something on the order of offsite power where the plant trip disturbs the offsite 1 to 2 h. power grid to tic point that the grid is lost in the area surrounding the site. The combinations of initiating in the ATWS with Isolation event tree, tie success events coupled with no offsite power can generate ac-criteria for coctainment protection did not require sup, cident sequences that otherwise may not exist.
pression pool cc.5R based on he early work for Peach Bottom in NUREu/CP -4%0. De final draft of Transfers Between Event Trees NUREG/CR-4550 for Peach bottom changed this cri-terion to require suppresion pool cooling. Failure of Several situations exist where transfers from one suppression pool cooling implies that containment event tree to another are required. In the loss of v
i off-site power event tree, transfers are made to tie in-
- nere is no structured formal modeling tech-termediate LOCA and main steam isolation valve nique used to develop the set of pre-accident (MSIV) closure event trees. Due to the success criteria errors.
for one of the top events in the loss of offsite power event tree, the transferred sequences can have either
- Human-induced initiating events (failures in one or both diesel generators operating. De status of human activities conducted during normal the diesel generators must be tracked properly through plant operation that lead directly to off-the transfers to assure conect quantification of the top normal plant conditions) are not addressed.
events downstream of the transfers, it is not possible l to determine if this tracking was done.
- Documentation of screening methods, ratio- l nale for selection of methodologies, and
%e small arxlintermediate LOCA event trees trans- bases for performance shaping factors was fer to the ATWS event tree. The discussion of the not presented.
transfers into the ATWS tree only mentions the tran-sients that are included. De LOCA transfers guaran- QuantlflCatlOn Methods tee depressurization of the reactor. This is equivalent to guaranteeing the failure ofinhibiting automatic de-The generation and quantification of accident se-pressuraization system (ADS)(model:d in the ATWS quence cut sets was performed using SETS, except for tree by top event X ). Bis corxlitionality on tie imti-three sequences that were developed without the use of ating event is not reDected in the ATWS models.
event utes. The cut sets were then modified for the fol-
' 8 '* *' ""
Fault Treet
- Success criteria changes involving room De system fault trees were reviewed to deterndne cooling and the RHR Service Water system ,
their validity in representing plant design and opera- required elimination of some cut sets.
tion as well as their completeness in quantifying the system unreliability. Selected systems were reviewed
- Cut sets representing violation of the techni-in detail to assure completeness of the models. This re- cal speci6 cations were removed.
view focused on the intersystem dependencies, the analysis boundary corxlitions, and the resolution of the
- Identified dependent failure events were add-models in the areas of common mode failures and hu- ed into the cut sets. I man errors. {
- Applicable recovery factors were added to !
With some minor exceptions, the fault trees ade- the cut sets.
quately model the systems. In the diesel generator fault trees, actuation failmes were not included even though All changes to the cut sets were completed using the the data base had information on actuation failures. In 'results module of SETS. The revised quantification the HPCI analysis, a situation that results in pump fail- was automatically performed by SETS.
ure due to minimum Dow considerations is discussed but not included in the fault tree model. The uncertainty analysis was conducted using the revised cut sets as input to the SEP code. The SEP code "Se8 Mome cario sampling techniques to propa-Human Reliability Analysis gate uncertainties. Input to SEP also included a me-dian value and range factor for each event in the cut The human reliability analysis was reviewed to: (a) sets. All similar component failure events were com.
detennine the completeness of the set of human errors pletely correlated.
contained in the PRA,(b) assess the quantification of human errors, (c) assess the suitability of the method- Sensitivity analyses were performed on a set of four ologies used, (d) assess the treatment of recovery, (e) cases. Rese cases explored the impact of dependent assess the treatment of dependencies among the human failures, recovery actions, and room cooling assump-errors, and (f) comment on justifications for the treat- tiors on the core damage frequency, ment of human errors. Some of the significant find-ings are presented below. The methods and conduct of the quantification pro-cess were appropriate and conformed to accepted prac.
- Errors of commission are not modeled. tices. Only one instance was found where tie accident vi
I sequence cut sets indicated i uproper fonnation of se- damage. Military accidents, other than those at Sunny quence cut sets. Point, were not addressed. 'Ihe seismic analysis did not completely address three unresolved issues: (1) the
- ^iS"' f*P S'ible faua z ne wimm25 mites orom
. External Events site, (2) 1iquefaction potential for large earthquakes, and (3) the effects of relay chatter. Claims that the haz-The BPRA included risk contributors from extemal ard curves used in the analysis were conservative are events and spatially dependent intemal events. 'lhese unfounded and may actually be non-conservative, include: And finally, the seismic analysis did not investigate the impact of anchors and foundations weakened by
. Aircraft impact corrosion.
- Extemalfloohg Summary and conclusions -
e exueme wind This review found the Brunswick Steam Electric Plant Probabilistic Risk Assessment to be a reasonable e Industrial or military facility accident and competent investigation mto the risks associated with plant operation. 'Ihe scope of the study and the e Intemal fire methodologies used are consistent with cunent prac-tices and in some areas (in panicular, extemal events) e Intemalflooding the effort was quite extensive.
- Release of chemicals from onsite storage By its nature, a review must concentrate on wea-knesses and, of course, some were found. The greatest e 'IYansportation accident overall weakness in this analysis is the lack of docu.
mentation of the t'ases and justifications for some of e- Wrbine-generated missile the data and assumptions used in many areas of the analysis. While the documentation is much more clear and concise man many odwr PRAs, it appean trace e Seismic activity ability and justification were sacri 6ced for simplicity.
Wese events were reviewed to determine the credi-bility of the extemal event risk estimates. The review It was obvious from the documentation that the included an evaluation of the data, methodology, logic, BPRA project team consisted of many analysts con-and completeness of the extemal events analysis. A centrating a great deal of effort in a short period of plant tour was part of this review, time. Tte result was a large number ofinterfaces and activities that had to be coordinated which increased Overall, the extemal events analysis provided a rea- the potendal for creadng discourects in the analysis.
- sonable and credible estimate of the extemal event Several situations wear found where one portion of the risks, although the uncertainties are large. Several de. analysis failed to properly communicate with another ficiencies are woith noting here. 'Ibe analysis does not Portion of the analys:s. For example, the success crite.
na for a top event in one of the event trees was not re-provide the basis for a rether significant number of as-sumptions, data, and other input. While only a very flected properly in the system analysis, in another case, the extemal events analysis indicated the simul-few of these were found to have any potential for a modest change in the results, the study is considered taneous failure of offsite power and the condensate deficient because it does not provide this information.
storage tank due to extreme wind conditions was treated in the intemal event models. However, the in-temal vents analysis failed to address this situation.
Several specific comments were made with the po-tential ofimpacting the results. The flooding analysis did not include flooding fragility of the diesel fuel oil The comments made in this review that have the transfer pumps, which was found to be significant at greatest potential for impacting the results concem the hrkey Point. The extreme wind analysis did not prop- extemal events. This area accounts for over 80% of crly consider the simultaneous failure of offsite power the estimated core damage frequency and is the source and the condensate storage tank as a result of wind of the greatest uncertainty in the results. 4 vii
{
l ACKNOWLEDGEMENTS j
'Ibe authors wish to thar* Dr. Erulappa S Chelliah of the Nuclear Regulatory Commis-sion for his review, comments, and suggestions. *Ihis work was supported by the Division of System Research, Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission, under DOE Contract Number DE AC07-76IDO1570.
l 4
i viii C ..
CONTENTS ABSTRACT........................................................................... iii
- EXECUTIVE
SUMMARY
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iv ACKNOWLEDGEMENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii ACRONYMS.......................................................................... xii
' t. INTR ODUCrlON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 2. AREAS OF REVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 'l 2.1 'IYeatment of Internal Initiating Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 2,1.1 Selection and Grouping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 2.1.2 Quantification of initiating Event Frequencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3 2.13 Review of laitiating Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 2.2. Eve nt Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 2.2.1 General Transient Event Tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 2.2.2 Stuck Open Safety Relief Valve Event Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9 2.23 Loss of Offsite Power Event Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9 2.2.4 Small LOCA Inside Containment Event Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ' 2-12 2.2.5 Intermediate LOCA Inside Containment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13 2.2.6 Large LOCA Inside Containment Event Tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . 2-16 2.2.7 Anticipated 'IYansient Without Scram Event Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16 23 Systems Analysis / Fault Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-20 23.1. General Comments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-20 23.2- Evaluation of Emergency Diesel Generator System Fault Trees . . . . . . . . . . . . . . . . . 2-20 233. Evaluation of High Pressure Coolant Injection System Fault Trees . . . . . . . . . . . . . . . 2-22 23.4 Evaluation of Residual Heat Removal System Fault Tree . . . . . . . . . . . . . . . . . . . . 'A3 2.4 Human Reliability Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-25 2.4.1 Objectives of Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-25 2.4.2 Summary of Observations and Finding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-26 2.43 Completeness of Human Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-26 2.4.4 Error Quanti 6 cation and Suitability of Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.5 Data. Quantification, and Uncertainty . . . . . . . . . . . . . . . . . . . . . . . . . . . ............ .. 2-30 2.5.1 Failure Rate Data Generation. . . . . . . . . . . . . . . . . ........................ 2-30 2.5.2 Accident Sequence Quantification and Uncertainty. . . . . . . ... .... ......... 2-31 2.6. Review of Extemal Event Risks . . . .. .. ...... . ...... ....... . ....... 2-31
-2.6.1 Introduction . . . . . . . . . . . ... .. . . .. .. . .. ... 2-31 2.6.2 Approach . . . . . . . . . . . . . . . . . . . . ..... .. .. . ... 2-31 2.63 Brunswick Probabilistic Risk Analysis Results . . .. . . . . .... 2-31 2.6.4 Selection of Extemal Events . . .. . .. .. . . .. . 2-33 ix
B 2.6.5 Evaluation'of Extemal Event Risk Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-34 2.6.6. Summary and Results .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-52 '
I 3. - DOMINANT ACCIDENT SEQUENCES . . . . . . . . . . . . . . . . . . . . . .3-1 .......... ,
- 4. INSIGHTS AND CONCLUSIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1 L 5. REPERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .' .
' APPENDIX A- -CAROLINA POWER & LIGHT RESPONSES TO QUESTIONS . . . . . . . . . . . . . . . . . . . A-1 FIGURES i
r V S-1.
B PRA task flow cluu t. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .iv.
2-1. L
- B PRA task flow chart. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-2 ...
2-2 General transient ever.t tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8 ..... .
2-3. Stuck ope n SRV event tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10
. 2-4. ,
LO S P eve nt tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11 2-5.
Small LOCA inside containment event tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14 2-6.
Intermediate LOCA inside containment event tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-15 2-7. . Large LOCA inside containment event tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-17
. 2-8. . ATWS e ve nt tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-18 2-9.
ATWS with isolation event tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-19 2-10. - HCR results comparison. ' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-28 2-11. Seismic hazard curves, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . . . . 2-48 '
' 2-12. Comparison of BPRA and LLNL seismic hazard curves. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-49 2-13. Comparison of BPRA and EPRI seismic hazard curves. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-50 A-1. PDS I A plant level fragility curves-Case 1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-6 A-2. PDSI A full -correlation in randomness and uncertainty-Case 2. . . . . . . . . . . . . . . . . . . . . . . . A-6 A-3. PDSIA full correlation in uncertainty-Case 3. ..... . ....... .......... ... .... .. A-7 A-4. PDSI A randomness -full correlation; uncertainty-partial correlatior>-Case 4. . . . . . . . . . . . . . . A-7 A-5. PDSI A partial correlation in uncertainty-Case 5. . . .. . . ... ... ....... ... A-8 x
l L
TABLES-2-1. Initiating events applicable to Brunswick . . . . . . . . . . . .......... .......... .......... 2-3 l 2-2. Initiators contributing to general transient categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4 2-3. Comparison with other recent PRAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6 2-4. DG hardware data compared to other data sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 2-22 2-5. Comparison of selected human error rates from fault trees with values from NUCLARR database..................................................................... 2-28 2-6, Comparison of selected human error rates from the event trees with screcning values from ASEP 3
procedure (NUREG/CR-4772) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-29 1
2-7. Extemal and spatially-dependent intemal event core damage fiequencies . . . . . . . . . . . . . . . . . . . . 2-32 2-8. Extemal events climinated with the screening procedure used in tle Brunswick PRA . . . . . . . . . . 2-33 2-9. BPRA and revised wind core damage fiequency estimates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37 2-10. Comparison of CDF results between the BSEP fire risk study and other PRAs . . . . . . . . . . . . . . . . 2-42 2-11. Review results from BSEP fire risk analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-43 2-12. Comparison of cose damage frequencies due to intemal flood . . . . . . . . . . . . . . . . . . . . . . . . . . . , . 2-45 2-13. Comparison of BWR core damage frequency from seismic events based on PRA results . . . . . . . . 2-52 2-14. Results from review of the BPRA seismic risk assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-53 2-15. Results of Brunswick PRA extemal events review . . . . . . . . . . . . . . . . . ........... . .... 2-54 A-1. Mean failure rate and source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-4 A-2. Annual frequency of plant damage state PDS1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-5
L-l ACRONYMS
- ADS Automatic depressarization system ASEP Accident Sequence Evaluation Program ATWS - Anticipated Transient Without Scram
. BPRA : Brunswick Steam Electric Plant Probabilistic Risk Assessment BSEP Brunswick Steam Electric Plant BWR Boiling Water Reactor 1
CNS: Containment Spray .i CRD Control Rod Drive CSS Core Spray System CST Condensate Storage Tank ,
i
- DG- DieselGenerator DHA Decay Heat Removal of the RHR System
. ECCS Emergency Core Cooling System
- EPRI Electric Power ResearchInstitute -
FDT- Fault Duration Time FSAR FinalSafety Analysis Report HCTL Heat Capacity Temperature Limit j HEP . Human Error Probability HPCI ( - High Pressure Coolant Injection HRA Human Reliability Analysis j HVAC Heating Ventilation and Air Conditioning IE Initiating Events INEL Idaho National Engineering Laboratory NRC NuclearRegulatory Commission LLNL Lawrence Livermore National Laboratory LOCA Loss-of-Coolant Accident LOSP loss-of-offsite power xii
LPCI- 1.ow Pressure Coolant Injection '
- MOV - Motor Operated Valve :
- MSIV main sieam isolation valve NRC Nuclear Regulatory Commission NREP National Reliability Evaluation Program .
i.
PCS'. Power Conversion System PRA ProbabilisticRisk Assessment PSAR Preliminary Safety AnalysisReport PSP Performance Shaping Factor RCIC reactor coreisolation cooling
-RHR ResidualHeat Removal RMIEP Risk Methods lategration & Evaluation Program RPS Reactor Protection System RFr Recirculation PumpTrip SDC ShutdownCooling SLCS: Standby Liquid Control System SPC SuppressionPoolCooling
'SRV Safety Relief Valves SWS Service Water System xiii
-:______=__--__-__.--_----__. . . _ _ _ - _ _ _ _ _ _ _ _ - - - _ _ _ - _ _ _ _ _ - - - _ - _ _ - - - _ - - - - - _ - _ _ . - _ _ - _ _ _ - - . _ -
REVIEW OF THE BRUNSWICK STEAM ELECTRIC PLANT PROBABILISTIC RISK ASSESSMENT 1
! 1. INTRODUCTION l l- ,
This report documents the review by the Idaho reviewed: (a) initiating events, (b) event trees,(c) suc-National Engineering Laboratory (INEL) of the cess eriteria, (d) fault trees, (c) human teliability analy-Brunswie Steam Electric Plant Probabilistic Risk sis, (f) component data, (g) external events analysis, Assessment (BPRA) for the Office of Nuclear Regula- (h) quantification, and (i) uncertainty analysis. Every tory Research of the U.S. Nuclear Regulatory Com- aspect of each area was not reviewed in detail. Empha-mission (NRC).1 The review was conducted by INEL sis was placed on those portions of the analysis which personnel with contractor support.
appeared most importart to the results of the Each major area of the risk assessment was assessment.
1-1
- 2. AREAS OF REVIEW The BPRA is composed of severalinterrelated 2.1.1 Selection and Grouping As is histurically tasks. A review of a PR A is not complete unless the done, the B PRA divided the IEs into two broad catego-information and analysis which comprises each task is ries: (1) trainients and (2) LOCAs. %e transient cate-examined. The BPRA tasks are depicted in Figure gory can be further divided into gerieral and special 2-1, Also shown are the report sections which summa- tnitiators. Special tiansient initiators usually involve rize the review of the task. As can be seen, we did not the failure of a support system which results in plant review the first task, Plant Familiarization." his re- trip or shutdown, and can also cause the impairment of view assumes that the BPRA analysis team collected one or more safety systems. %e LOCA category may accurate design and operations information (e.g., cor- be divided into three subcategories: (1) those occurring rect piping and instrumentation drawings, etc.). inside the containment,(2) those occurring outside the containment, and (3) those occurring through an inter-2.1 Treatment of internal facins system. nis dividing and further subdividing is necessary f r any PRA as a nwans f Unutinphe nund initiatinS Events ber of event trees that must be developed (i.e., one event tree can be used to model several initiators that
%e BPRA is a Level 1 PRA with a forther analysis have the same effect on plant response).
of containment response to core damage sequences (partial Level 2 analysis).1 This portion of the review 2.1.1.1 Transients (General). Most general is limited to internal initiating events (IEs) at power transients were identified using Electric Power Re-that could lead to core damage As is usually done in search Institute (EPRI) Report NP-2230, A7WSt A Re-PRAs, loss of offsite power (LOSP) was included in appraisal.3 The general transients were further the intemal initiating event cate t,ory. subdivided into six IE groups. Each general transient initiator was placed in one of the six groups after ex-Initiating events were selected on the basis of a amining it for the following effects:
comprehensive engineering evaluation as per the PRA Procedures Guide.2 Both generic and plant-specific . Trip signals expected following initiation information sources were used to identify potential IEs. The generic sources used included the following:
- Plant systems required to mitigate the ititiator
- EPRI NP-2230,3
- The effect the initiator has on the plant
- Nuclear Power Experience,4 armi systems required for initiator mitigation.
- past PRAs.5A7 The six general transient initiating groups are dis-cussed in detail in the following sections.
Next, a detailed study was made of the Brunswick Steam Electric Plant (BSEP) design and operating his- 2.1.1.1.1 Turbine Tr/p-The turbine trip tory.%e results of this study were used to identify any group ofinitiators is composed of 30 unique initiators.
BSEP-specific initiators not contained in the generic %ese initiators result in both a turbine trip as well as a ir. formation and to evaluate those initiators identified corresponding reactor trip. Some of the dominant initi-generically for applicability at BSEP. ators in this group include: (a) MSIV closures,(b) spu.
rious reactor trips, (c) manual scrams, (d) turbine trips, Once the applicable IEs were determined, they were and (c) scrams due to plant occurrences. A complete quantified for frequency of occurrence. In genml, this listing of the initiators that make up this group is given involved obtaining a generic prior frequency du.tribu. in Table 2-2.
tion from either Development of Transient initiating Event Frequenciesfor Use in Probabilistic Risk Asses. 2.1.1.1.2 Loss of Condenser Vacuutn-sments or the National Reliability Evaluation Pro- The loss of condenser vacuum group contains three gram9 (NREP), and then perfonning a single-stage separate initiators that have the same effect on the Bayesian update based on BSEP operating expericnce, plant and require the plant to respond in a similar Some special IE frequencies were specifically calcu- manner for mitigation. These initiators include: (a) lated on a case-by-case basis. Table 2-1 lists the IEs loss of normal coralenser vacuum,(b) turbine trip with found to be applicable to BSEP and their respective turbine bypass valve failure, and (c) clectric load rejec-frequencies. tion with turbine bypass valve failure.
2-1
. _ _ _ _ _ _ _ _ _ _ _ __ _ _ . _ . _ _ _ _ _ . _ _ _ _ _ . . _ _ _ _ _ _ _ _ _ _ , _ _ _ _ _ . _ _ _ _ _ . . . _ _ _ _ _ . _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ . = . . . . . . , .. ..
r .
k g, g -* Esternal and Spatetty.
Development 2.2 }
M g to
[ -
a i I I
j, I i e
, _ p_
p ,,, 6nmen"U Dependent -im Human Data -*- Accident Sequence unconsin-p - E -
p gy,, W Develop.
'Y g ,,,,,,, .
s!g (Core Damage) =
tration cation a ^^8'F88 Analysis > m'"' *- 0"*"#'**'"
Analysse
'1 25 74 25 = 25
] ps 1 . .
'*~
I j Fault Tree Develpment 23 9 7951 Figure 2-1. BPRA task flow chart.
2.f.7.1.3 Other General Transient covered. Depending on the location of the break Groups-The four remaining general transient (steam or liquid piping), small LOCA breaks are less groups are each made up of a single initiator. These ini- than 1-inch in diameter for liquid piping and less than tiators include: (a) total loss of feedwater, (b) total 4-inches in diameter for steam piping.
MSIV closure, (c) a stuck open SRV, and d) loss of off-site power.
2.f.f.3.2 Adedium LOCA-A medium LOCA ranges from 1-in. to 8-in. in diameter for liquid piping 2.f.f.2 Transients (Special). Brunswick Steam and from 4-in. to 8-in. in diameter for steam piping.-
Electric Plant (BSEP) plant information was reviewed Although it is not characterized by an extremely rapid to find any support system failures which would result primary coolant system depressurization, the loss is in a subsequent plant trip, and at the same time, ad- fast enough that RCIC is not sufficient to provide ade-versely affect any of the plant's frontline safety sys- quate coolant makeup.
tems, it was determined that most of the special transient initiators thus found could be included as - 2.1.1.3.3 Large LOCA--Large LOCAs result contributors to previously identified general transient in the rapid depressurization of the reactor vessel.
groups (i.e. loss of reactor building component cool- 'Ihey result from pipe breaks of greater than 8-in. in ing water can be included in the turbine trip group). diameter for both steam and liquid piping.
- There are three special transient initiators that do not fall into previously identified groups, they are: (1) loss 2.1.1.3.4 Reactor VesselRupturo-A reac-of 125 V de bus 2A1, (2) loss of 125 V de bus 2B2 tor vessel rupture is assumed to be of sufficient size and (3) loss of nuclear service water.
such that coolant level cannot be maintained in the reactor vessel. Therefore, if such an event occurs, it is 2.1.7.3 Loss-of-Coolant Accident. LOCAs assumed to lead directly to core damage.
occurring inside the containment have been subdi-vided into four subcategories based on the size and 10-cation of the break is important because it will decide 2.1.1.4 LOCA (Outside Confalnment). Two initiators contribute to LOCAs outside the contain-how much time is available for mitigating actions, and ment: (1) steamline breaks with failure of the MSIVs what safety system responses are required. 'lhe four to close, and (2) feedwater or condensate ruptures with subcategories are: (1) small LOCAs, (2) medium failure of check valves to close.
LOCAs, (3) large LOCAs. and (4) reactor vessel rup-ture. They are discussed in ddtil below-2.1.1.4.1 LOCA (Interfacing System, Out-side Containment)-An interfacing systems 2.1.f.3.1 Small LOCA-A small LOCA is one LOCA is one in which primary coolant flows through where the RCIC system is sufficient to keep the core a system connected to the primary system boundary 2-2
Table 2-1. Initiating events applicable to Brunswick Mean Range *
- Initiating Event Category Frequency Factor Transients (General)
Turbine trip 5.5 2 Loss of condenservacuum 0.3 3 TotalMSIV closure 1.1 2 Totalloss of feedwater 0.11 4 Stuck open safety-relief 0.14 4 Loss of offsite power 0.04 3 Transients (Special)
Loss of125 V de bus 2Al 0.004 5 Loss of125 V de bus 2B2 0.004 5 loss of nuclear service water Negligible -
LOCA (Inside Containment)
SmallLOCA 0.03 3 Medium LOCA 3.0 x 10-3 5 Large LOCA 3.0 x 104 10 Reactor vessel rupture 3.0 x 10-7 30 LOCA (Outside Containment)
Steamline rupture with MSIV 3.0 x 104 30 failure to close .
Feedwater rupture with check Negligible -
valve failures to close .
LOCA (Interfacing System)
RIIR or LPCILOCA outside 1.5 x 104 50 contairlment
- a. 'Ibe range factor is defined as the ratio of the 95 percentile value to the 50 percentile value.
bypassing the containment safety features. A search 2.1.2 Quantification of Initiating Event Fre-was made for piping that is both connected to the pri- quencies. The method of IE frequency quantification
. mary system and penetrates the containment. All water was based on the category in which a particular IE was lines greater than 1-in. in diameter and all steam lines placed. The quantification methods for tie five general greater than 4-in. in diameter were considered. All categories previously identified are discussed below.
lines having less than two isolation valves or low pres- Results of IE frequency quantification are shown in sure piping downstream of the isolation valves were Table 2-1.
considered candidates for interfacing LOCAs.The two lines that were found to fit in this category were:
(1) the residual heat removal (RHR) suction line from 2.1.2.1 Transients (General). General transient recirculation loop A, and (2) the LPCI return line to re- frequencies were calculated by first obtaining a prior circulationloops A and B. frequency distribution from Reference 3, then a i
2-3
Table 2-2. Initiators contributing to general single-stage Bayesian update was perfonned using transient categories eleven yr of plant operating history (including the first year of operation, and bothlow and high power opera.
tions). Lognormal distributions were assumed.
Arbine' hip Electric load rejection 2.7.2.2 Transients (Special). he special tran.
hrbine trip sient frequencies were calculated on a case-by-case Closure of one MSIV basis. A de bus failure frequency was calculated by Partial MSIV closure multiplying the probability of de bus unavailability by Pressure Regulatorfails open the BSEP availability factor (the percentage of time in Piessuir regulator fails closed mode 1 or 2). his assures the loss of a dc bus will be hrbine bypass fails open considered an initiating event only ifit occurs during
%:bine bypass or control valves cause increased plant operation.
j pressure !
Recirculation control failure decreases flow Due to the redundancies of the sources available to ;
Trip of one recirculation pump supply nuclear service water, and the availability of an Trip of all recirculation pumps emergency backup method of core cooling, it was de-Abnormal recirculation pump stanup termined that loss of nuclear service water initiating Recirculation pump seizure event was a negligible contributor to core melt.
increasing feedwater flow at power '
Loss of feedwater heater Low feedwater flow at power 2.1.2.3 LOCA (Inside Containment). LOCAs occurring inside the containment (large, medium, and High feedwater flow during stanup or shutdown small) were assigned frequencies based on the data de-Rod withdmwal at power veloped for NREP.9The reactor vessel rupture fre- t High flux due to rod withdrawal during startup quency was assumed to be the same as that determined !
Inadvertent rod (s)insertioc by WASH-1400.7 Detected reactor protection system facit Loss of auxiliary power (loss of auxiliary transfomier)
Inadvertent startup of HPCI/HPCS 2.f.2.4 LOCA (Outside Containment). The 1 steamline LOCA outside containment requires both a Scram due to plant occurrences. . steamline rupture as well as failure of two MSIVs to Spurious trip by reactor protection system instrumenta-close. De steamline rupture was assigned the NREP tion fault large LOCA frequency of 3.0E-4/yr.9 he failure of Manual scram with no out of tolerance conditions two MSIVs to close was given a probability of 1.0E-4 Cause unknown (based on 1.0E-3 fai!ure probability for first MSIV l'
and a 0.1 Beta Factor for failure of a second MSIV).
Loss of Condenser Vacuum The feedwater LOCA outside containment requires Electric load rejection with turbine bypass failure both a feedline (or condensate line) rupture and the Turbine trip with turbine bypass valve failure f ilure of two in series check valves to close.%e prob-Loss of normal condenser vacuum ability of two in senes check valves to close was con-sidered to be negligible, so the feedwater LOCA TotalMSIVClosure utside containment IE is considered a negligible con-tributor to core damage.
AllMSIVs fail closed i 2.1.2.5 LOCA (Interfacing System, Outside TotalLoss ofFeedwater Confalnment). For the lines identified as being pos-sible sources of an interfacing system LOCA,there are Loss of offsite power two different piping arrangements. One case consists ofisolation by a combination of a check valve and a Stuck Open Safety-Relief motor-operated valve (MOV)in series. The other case Safety-relief valve sticks open consists ofisolation by two MOVs in series. There are several possible failure modes for the two cases. Each Loss of Offsite Power failure m de frequency was calculated separately. ne probability of a loss ofisolation on an interfacing sys-Loss of offsite power tem is the summation of all the possible individual fail-ure mode frequencies.
2-4
1
{
ne failure modes quantified include: (a) failure of 2.1.3.2 Grouping. The BPRA groupedIEsinto the check valve to close following catastrophic failure categories, based on the effect each initiator had on of the MOV,(b) catastrophic failure of the cleck valve plant response. Allinitiators that challenge the plant combined with the previous unavailability of the and mitigative systems in a similar manner are MOV, and (c) catastrophic failure of either of the two grouped in a single category.%e number of categories series MOVs in combination with the unavailability of adopted in the BPRA are consistent with other recent the other MOV. boiling water reactor (BWR) PRAs. Table 2-3 shows how the BPRA IGcategories compare to those of oth-Once the probability of a loss of isolation on an in- er recent BWR PRAs.
terfacing system was determined, the interfacing sys.
tem LOCA 1E frequency was calcuIated by 2.1.3.3 Ousnt/ffcation.De BPRA used three multiplying by the probability of rupture of the low methods to detemiine IE frequencies: (1) the use of ge-pressure piping given a loss ofisolation. In Overpres- neric data, (2) a single-stage Bayesian update of ge-surization of Emergency Core Cooling Systems in neric data, and (3) case-by-case calculations. In Bolling Water Reactors, this probability is estimated general, generic data wear used for those initiators from 1.0E-2 to 1.0&3.3 whose occurrence is so rare that no valid data can be obtained (i.e., LOCAs, where no large LOCAs have as 2.1.3 Review of Initiating Events. De INEL re- yet occurred in any operating nuclear power plants, viewed the BPRAIEs to evaluate the adequacy of their large LOCA frequency can only be estimated using the categorizauon and grouping. The review looked at generic sources available). For transient events which three areas of concern: (1) tle completeness of the IEs have occurred often enough industry-wide that go9d selected as applica19e, (2) the grouping of applicable generic data are available, a single-stage Bayesian up-IEs with similar characteristics, and (3) the quantifica- date was done to incorporate the plants actual operat-tion of IE frequencies. The review considered the ing history. Special initiators and those infrequent scope arxl assumptions involved m characterizing and nitiators that are extremely dependent on plant design quantifying the IEs. ( .e., nterfacing system LOCAs) were calculated on a case-by-case basis. Table 2-3 shows how the IE fre-As discussed previously, this portion of the review quencies used at Brunswick compare with those used addresses only intemal mitiating events. Dese events in other recent BWR PRAs.
were detennined by using the same approach taken by the NRC in Analysis ofSevere Core Damage Frequen-in general, the initiating event frequencies used in cyfrom InternalInitiating Events.ll Table 2-3 com, the BPRA were reasonable.The turbine trip frequency pares the BPRA IEs with those of several other recent may be somewhat high, especially in light of down-PRAs.
ward trends due to trip reduction programs. This could impact the dominant contributors to the core damage ;
2.1.3.1 Cornpleteness. The BPRA did not use frequency.
the master logic diagram approach that is used in many PRAs for IE identification. Instead, they relied on a three-step approach that included: (1) a review of ge- 2.2. Event Trees neric and plant spes.ific sources, (2) a comprehensive review of plant design, and (3) the inclusion of an un-The BPRA used the small event tree,large fault tree known cause event with a frequency of 0.03 per reactor yr in the general transient category. %e plant design approach. The event tree analysis was conducted in ac-review was performed both to check generically iden. cordance with the PRA Procedures Guide.2 Toproper.
tified IEs for applicability and to help identify any ly address all the initiating event categories identified plant-specific IEs that were overlooked. %e unknown by the BPRA analysis, twelve event trees were created, cause event was included to cover any possible IE that The following sections discuss the review of these had not been considered. event trees.
One possible omission that is not covered by the 2.2.1 General Translept Event Tree. This
" unknown cause" transient is the rupture of a steam event tree is applicable to the following transients:
supply line to a turbine-driven pump. ne differential piessure across the isolation valve may be too great for
. TT - Turbine trip with bypass the valve to overcome, resultmg in an umsoluble LOCA. The impact of this potential initiating event was not evaluated in this review.
- Tu - MSIV closure 2-5 l l
l Table 2-3. - Comparison with otler recent PRAs PRA Frequency of Occurrence / Reactor Year Initiating Event Category Bnmswick Peach Bottom Shoreharn i
'Iransients (Geteral) '
'Ibrbine trip 5.5 2.5 4.44 Loss of condenser vacuum 0.39
- 0.41 TotalMSIV closure 1.1 0.05 0.24
- Totalloss of feedwater 0.11 0.06 0.18 Stuck open safety-relief 0.14 0.19 0.09 Loss of offsite power 0.04 0.079 . 0.08 Transients (Special) !
Loss of 125 V de bus 2A1 4.0E-3 5.0E-3 3.0E-3 Loss of125 V de bus 2B2 4.0E-3 b _b Loss of nuclear service water Negligible
- 2.5E-3 i
LOCA (Inside Containment)
SmallLOCA 0.03 0.063 8.0E-3 Medium LOCA 3.0E-3 3.0B-4 3.0E-3 Large LOCA 3.0E-4 1.0E-4 7.0E-4 Reactor vessel rupture 3.0E-7 Negligible 3.0 6 7 LOCA(Outside Containment)
Steamline break with MSIV failun: to close 3.0E-8 *
- Feedwater break with check valve failure to close Negligible *
- LOCA (Interfacing System)
RHR or LPCI LOCA outside containment 1.5E-8 Negligible 1.2E-7 l
OtherInitiators -
Loss of ac bus .d 5.0 & 3 3.5E-2 Small-smallLOCA
- 3.0E-2 '
Reactor building flooding *
- 3.9 4 5 i Drywell cooler failure *
- 1.0E-2 Reactor waterlevel *
- 3.6E-2 measurement system reference lineleak
- a. Not considered by PRA.
- c. Considered unlikely by PRA. I
- d. Brunswick PRA included this initiator in the turbine trip category.
- e. This initiator was included in the small LOCA category.
2-6
c'
. Tc - Loss of cordenser vacuum (grouped event that all high pressure sources fail. Top event X with T) models depressurization of tie reactor vessel to allow the low pressure systems to operate. Top eventVi models the operability of the LPCI system and top e Tp - Loss of feedwater event V 2models the core spray system (CSS). Failure of the ADS prevents success of the low pressure sys-
Each of these initiating events had an event tree de-picted for it, although tie structures of the trees were ne last four top events detennine the status of identical.The top events were designated the same for decay leat removal when turbme bypass is not avail-all of these event trees; however, the value assigned to able. Top event W2 models suppression pool cooling a top event varied from tree to tree based on the specif- (SPC) and suppression pool spray (SPS). Top event ic initiating event. For example, the unavailability of 3 m dels normal shutdown cooling (SDC). If these the turbine bypass function in the turbine trip event methods of decay heat removal fail, then decay heat tree was designated Ye with a value of 0.05. In the inay be removed by reopening the MSIVs and reestab-MSIV closure event tree, the same function is also des-lishing the power conversion system (PCS)by opening ignated Yo, but is assigned a value of 1.0 because of the turbine bypass valves arxl reestablishing condenser the initiating event, vacuum. Tirse actioru are modeled in top event W4
%e last resort means of removing decay heat is to vent The structure of the general trnuient event tree is the containment and provide an injection source from shown in Figure 2-2. Brief descriptions of the top outside the containment. This is modeled in top events follow, event W3 2.2.1.1 Event Tree Description. 'ne first top 2.2.1.2 Heview Fincfings. The following find.
event, C, questions wietter the reactor scrams or not. .
tngs were made m the course of reviewing the general The failure branch of this top event transfers to the ATWS event nee. The next two headings Yi, and Yt, trainient event tree:
detennine if secondary cooling is available. If both tur-bine bypass and feedwater are available, the transient . De event ute model asks the reclosure of the is concluded. For cases where the MSIVs are closed' SRVs only if turbine bypass is unavailable.
these two top events are guaranteed failed. %e reason given for this is the 88% bypass capacity. %is is only true for Unit 2. De by-
%c next top event, P, questions the reclosure of the pass capacity fer Unit 1 is only 22%. It is not SRVs in the event of the failure of secondary cooling. clear that tic event tree structure for Unit 2 is Failure of the SRVs to reclose represents a breach of correct for Unit 1 in this area. %e reviewers the pressure boundary and is modeled as an intermedi- were not able to lind any modifications to the ate LOCA. event tree structures to reflect differences be-tween the two units.
De next top event, U ,3 determines the status of the high pressure makeup sources. If turbine bypass and
- The discussion of the general trarmient event feedwater are available, then these makcup sources are not needed. If feedwater is unavailable but turbine by- tree given in Section M.3.3.3.1.2 states that top event U3includes the 11PCI, RCIC, and pass is available, then coolant makeup can be provided CRD systems when turbine bypass is avail-by llPCI, KCIC or the control rod drive (CRD) pumps.
able. If turbine bypass is not available, the If turbine bypass is not available, steam is being dis-writeup implies that only CRD with operator charged to the suppression pool, requiring operator ac-action to control suppression pool water level tion to prevent overfilling of the suppression pool.
is possible.The reviewers could not find any expression for top event U3 other than the
%e next heading, U .2 is an extraneous top event that first success criteria (llPCIE RCIC*CRD). It is never used in any of the gerwral transient event utes. s not apparent that the analysts used a differ.
ent model for this top event wlen turbine by-
%c next three top events, X, Vi , and V2, detennine pass was not available. In addition, the the availability oflow pressure makeup sources in the operator action to control suppression pool 2-7 ,
x <
t *
- y n .
.~-i.-.
TURB TURB SRV- CRD HPCI MSIV VENT TRIP RPSL BYP- 'FW RCL HPCI RCIC ADS LPCI CSS SPS SDC PCS- INJ RCVY PDS
-~- T t C- Yb Yf P- U3 U2- X. Vl; V2~- W2 W3 W4 W5-OK OK.
OK-OK OK --
'., C2 OK-OK OK '--
C2 CID CIA I OK-OK OK i 1
'C 2 -l
~0K 1 OK OK C2 - 3' OK OK OK --
C2.
CID CIA
-- S 1 i
'ATW -j Figure 2-2. General transient event tree.
i 2-8 -
water level could not be found in the CRD 2.2.2 Stuck Open Safety Relief Valve Event system analysis discussion or fault tree mod. Tree. This event tree models the opening of an SRV, cl. This could change the failure probability either in response to a pressure rise or a spurious open-of the CRD system as well as the frequencies ing and failure of the valve to reclose. The event tree of the accident sequences involving the CRD (Figure 2-3) consists of only the initiating event and system, one top event, manual shutdown (Cop). The two se-quences transfer to the intermediate LWA event tree and the ATWS event tree.
e Dere is a discrepancy between the top event descriptions shown on the event trees (Fig-ures M.3.3-2 through 6) and the event tree The BPRA should evaluate tie modeling adequacy discussion of Section M.3.3.3.1.2. The fig- of the operator toinitiate the required scram signal, de-ures show top event W2as the SPS and SPC pending on plant-specific control room alarms and an-systems and W3 as normal shutdown cooling. nunciators. De above human error probability should The discussion has these top event descrip- be assigned to top event Cop.
tions reversed. It appears from tie tree struc-ture that the figures are correct. This is confirmed by the Boolean expressions for W2 2.2.3 Loss of Offsite Power Event Tree. The and W3 given in Table M.3.8-1. loss of offsite power initiating event was analyzed with a special event tree due to the unique considerations of station blackout. The structure of the loss of offsite e here is an inconsistency between the W2 p wement tm is shown in Figure M success criteria called out by the event tree and the success criteria used in the system analysis. De event tree asks the suppression 2.2.3.f Event Tree Description. The scram pool cooling questions (W2) in situations function is the first top event after the initiating event, where IIPCI has been successful and where Since the RPS is deenergized by the loss of offsite HPCI has failed. Section M.3.4.8.4.5.2 spe- power, top event Cu models only the mechanical fail-cifically states that the suppression pool cool- ures associated with the insertion of control rods, ing analycis applies only in cases where high pressure injection sources have been succes-sful. This discrepancy does not appear to im- The next top event, P, questions the reclosure of the pact tic results or validity of the models. SR, . (it is assumed that atleast one SRV will open).In a station blackout condition, failure of an SRV to re-close will cause a slow depressurization of the reactor, For scena-ios involving vessel isolation e
rendering the high pressure injection systems (steam-events m combination with failure to reclose driven) inoperable when pressure drops below about SRVs. the BPRA does not model the potential 150 psig. The depressurization allows tie LPCI system -
design inadequacy to suppress vapor in the (powered by Unit I diesel generators) to provide injec-torus air ripace following a pipe break in an tion flow' SRV tailpiece. The modeling of the design strength could include the type of wet well spray at BSEP and a desigo-specific torus Top event B models the availability of emergency ac pressure capability analysis. %e contribution power at Unit 2. Failure of both Unit 2 diesel genera-to the core damage frequency for this type of tors represents station blackout. Successful operation event may be small but could possibly be sig- of at least one diesel generator means that ac power is nificant to risk. available at Unit 2. These sequences transfer to the MSIV closure event tree or the intemiediate LOCA e For the loss of a single de bus, the impact on event tree.
top event U2 is not documented. Given the importance of the HPCI and RCIC systems, The next two headings question the availability of this topic should be addressed. liigh pressure coolant makeup. If the SRVs have re-closed, HPCI or RCIC are capable of providing cool-
. The BPRA should document the supporting ant makeup (top event U2). If an SRV has failed to analysis for the two-out-of-seven ADS reclose,it is assumed that only me HPCI system is suf-valve success criteria, especially for the ficient to provide high pressure coolant makeup (top TmU 3sequences, event UO.
2-9
l i
1 i
STOCK OPEN SAFETY RELIEF VALVE MANUAL SHUTDOWN PDS Ti Cop -
S1 ATW Figure 2-3. Stuck open SRV event tree.
Should the high pressum systems fail or an SRV fail ings were made in the course of t ntiewing the to reclose, LPCI (top event V3) can be used if the Unit Loss of Offsite Power Event Tree:
1 diesel generators are available. Automatic depressu-rization (top event X) is required if the high pressure system has failed to operate. If the high pressure sys-
- Section M.3.3.2.2 presents the overall event tem operated until the reactor was depressurized by a tree assumptions. Assumption 11 states that stuek open SRV, then ADSis not needed for use of LPCI. the operator will not depressurize the reactor if the heat capacity temperature limit (HCTL) for the suppression pool is reached during a station blackout. Section M.3.3.3.3.1, dis- i
'Ihe last two top event headings question the recov. . cussing the mitigation requirements during a -
cry of offsite power. Top event B2 asks if offsite power station blackout, states that the operators will is recovered within two h of the initiating event. This indeed depressurize the reactor to meet question is asked if an SRV failed to reclose, HPCIis HCTL requirements. Further discussion in '
operating and LPCIis failed. Recovery of offsite pow-Section M.3.3.3.3.2 indicates that HCTL will er is needed within two h to continue coolant makeup.
be reached in about five to six h and the oper-Top event B5 asks if offsite poweris recovered within ators would begin depressurizing the reactor.
l five h cf the initiating event. This question is asked in Depressurization would continue until HPCI
- l. sequences where battery depletion occurs at four h.
and RCIC became inoperable. This is esti-causing the loss-of-coolant makeup. If coolant make-mated to occur about eight to ten h afteriniti-
- up is not restored within an h of battery depletion, core damage is assumed to occur. ation of station blackout. Core damage due to l- battery depletion would take place before this. The event tree model treats this situation properly in spite of the conflicting 2.2.3.2 Review Findings. The Following find- assumptions.
2-10
LOSS OFF- 0FF-0F SITE SITE OFF- RPS SRV DG3 HPCI HPCI ADS LPCI PWR PWR RCIC RCVY RCVY PDS SITE RCL DG4 PWR (2H) (SH)
Te Cm P B U2 U1 X V3 B2 B5 Tm OK ClB OK C1B CIB ClB S1 S1 ClB S1 CIB S1 C1B ClB ClB ATW Figure 2-4. LOSP event tree.
2-1I
e In sequerces where LPCI is operating proper- portions of tie distnbution system controlled ly, the event tree questions the recovery of by the site. Comparison with other BWR offsite power witidn five h. Failure to recover PRAs (Peach Bottom,12 Grand Gulf,13 and
- leads to rorv damage. De documentation is Shorehams ) shows that anywlen from half not clear regarding the impact of top event B5 to two-thirds of the losses of offsite power on failure to provide containment heat re. can te recovered widdn 30 min.
moval in certain sequences, The BPRA should also provide documentation on the
- The reviewers could not detemtire from de modeling adequacy of the B5 top event for PRA documentation how transfers to the in-tie stuck open relief valve cases followed by diesel generator 3 or 4 failures. This seems termediate LOCA and MSIV closure event trees were treated. Two requences transfer very conservative in that given the situation, with one or both Unit 2 diesel generator (DG) water level control is not important in com-operating with tie loss of offsite power. De parison to keeping the core covered, it would other transfer sequences have offsite power appear that LPCI would continue to operate recovered. These two situations should be on the Unit I diesel gencrators to provide handled such that the treatment of the ac pow.
core cooling and makeup.
er sources and operational trains of safety systems are proper, e
De mission times for the various top events are not always 24 h. For the IIPCI system, tie e There is no mention of transient-induced mission time may le in the range of 2-8 h de-LOSP where the tripping of the piant disturbs pending on the failure modes, such as room tie grid to tie point that the grid is lost in the cooling failures, and battery depletion fail- area surrounding the site. The combinations urer Nowhere in the systems analyses were ofinitiating everits coupled with no offsite mission times other than 24 h used for the power can generste accident sequences that ilPCI system. This is a conservative treat-otherwise would not exist.
ment for some accident sequences and it may be optiraistic for some dominant sequences e such as T BB5, it is judged that the impact is Un BPRA does not explain how top event P applies to the various cases of safety relief staall, llowever, the change in core damage frequency incurred by using more accurate valve rec!osure, one open valve and multiple open valves 'this top event is used for both mission times, albeit small, would most likely unit analyses, however, the difference in tur-te noticeable-bine bypass capacity between the two units
+
can cause a different number of safety relief lt was assumed that the operators would over. valves to te opened in similar sequences. The ride HPCI and RCIC overtemperature trip plant analyses should address these circuits within the first two h of a station differences.
blackout. This implies that the operators would never fail to do so. This seems to give the operators an unreasonable amount of 2.2.4 Small LOCA Inside Containment Event Tree. This event tree m odels all breaks inside the dry.
credit.especially in light of the high stress sit-well which are less than 5x10-3 ft2 for liquid breaks untions that could be present. 2 and less than 0.1 ft for steam breaks. The structure of the Small LOCA Inside Containment event tree is
- shown in Figure 2-5.
No credit was given for AC power recovery in the event that all coolant injection systems failed. Core d yout time is on the order of 30 2.2.4.7 Event Tree Descripflon. Tte first head-to 45 min. The reason stated was the high ing after the initiating event, top event P questions the stress conditions that would exist in this situa- operation of the reactor shutdown systems. Failure of tion. While it is true that high stress levels the RPS to shutdown the reactor transfers to the ATWS would be present,it is not clear that the per- event tree, soruel experiencing the high stress would be the same ones responsible for recovering off- The next top event, U 2, determines the success of site power. It can reasonably te expected that the high pressure injection sources. HPCI and RCIC.
a significant part of the loss of offsite power Success of this top event means that the reactor can was nue to loss of tic grid and not the onsite stay in a stable pressurized state for quite some time.
2-12
- - _ _ _ _ _ - _ _ _ _ _ _ _ ~
Failure of the high pressure coolant makeup sources
- The event tree asks the Wi question given or failure to provide suppression pool cooling requires failure of V (both trains of LPCI). In ttese that the reactor be depressurized. This furetion is ques- s tuations top event Wt is guaranteed to te tioned by top event X. failed since every combination of failures that lead to LPCI failure also fails the DilA align-Successful depressurir.ation allows use of tte low ment of RilR (one out of two trains in the suppression pool cooling mode).
pressure injection sources for coolant makeup. Top event V imodels the LPCI system and top event V2
- *Ihe BPRA takes credit for venting the con-models the CSS.
tainment in a small LOCA event. Ordy super.
ficial treatment was given to this action, All acquences involving successful coolant makeup Consuleration r.hould te given to consistency require decay feat removal. The next three top events with emergency operating procedures. Ttus provide attemate means of removing decay heat. The actim warrants a more in-depth human reh-first method is modeled by top event Wi . This method ability analysis.
uses the RilR system with RHR service water leing supplied to tte RHR tent exchangers ard all RilR flow going through the heat exchangers. 2.2.5 Intermediste LOCA Inside Conteln-ment. This event tree models all breaks inside the dry- !
2 The secord mettgd of decay tent removal modeled wellinite range of 5xt(r-3 to 0.3 ft for liquid breaks in this event tree is performed by opening tie MSIVs and 0.1 to 0.3 ft2for steam breaks. This break sire in-and reestablishing the PCS.*Ihis is represented by top cludes a stuck open SRV. The event tree structure is event W 4. Crediting such a method to remove decay shown in Figure 2-6.
heat following a small LOCA should be carefully re-viewed with respect to the plant procedures. Tie final 2.2.5.7 Event Tree Descripflon. The first top ;
roethod of decay heat removal is venting the contain-nent, C, is RPS. Should ihis top event fail, transfer is j ment combined with coolant inver, tory makeup, top -
made to the ATWS event tree.
event W3.
The next top event, Ui, determines the status of IIPCI. Although tie break sine is suflicient to depres.
2.2.4.2 Meview rinclings. The following find-surir.e the reactor, high pressure coolant injection is ings were made in the course of reviewing the LOCA needed during the blowdown. RCIC was determired to inside Containment Event Trees.
be insufficient to maintain water level. Due to the slow depressurizationof the reactor,the highpressure injec-
- It is assumed that the SRVs will cycle an un- tion source is only required to operate for twe h.
determired number of times during a small LOCA. There is no explanation about the If IIPCI is successful, the reactor will naturally de-possibility that the cycling of the SRV would pressurire to the point where llPCI becomes inoper. ,
aber tie probability that the SRV would stick able ard the low pressure injection sources come into l I
open. Allirdications point to the use of the play, if HPCI fails, water level in the vessel drops to same failure to reclose probability for an SRV the point that ADS is actuated. ADS is modeled in top I
I that is cycled and for an SRV that only opens event X. Failure ofIIPCI and ADS is mapped to core mcc. damage.
l l
l
. The documentation for this event tree is con- The next two top events model the low pressure j fusing in that top events W 2 and W3 are dis- coolant injection source. LPCI is modeled in top event I cussed but do not show up in tie event tree V Iard CSS is modeled in V 2. Failure of both of these j and W is not discussed. systems results in core damage.
]
l l
2-13
g;-se. #
{f <
i 4 ;
E,,. j
VENT j LOCA .RPS RCL RCIC- ADS LPCI CSS DHA PCS, INJ b ,
RCVY--
.PDS.-
r
$2- C P U2 X VI' V2 W1 .W4. W5 1 t
. .i i
OK !
. -i OK:
OK 1 k ;
C2 OK ,
p -
0K '
g OK 3
,y C2 i
, OK .
OK !
OK; l
C 2 -- :
.i C3C !
C3B i 51 f 1
-)
ATW j
- Figure 2-8. Small LOCA inside containment event tree. !
1 r
.I k
2-14 t
- il . , . - , - - - . . , , - - - -
IH MSIV VENT LOCA RPS HPCI ADS LPCI CSS DHA PCS INJ RCVY PDS S1 C U1 X V1 V2 W1 W4 WS OK NA OK C2 OK NA OK C2 01C OK l- -
NA OK C2 OK NA OK C2 C3C C3B ATW Figure 2-4. Intermediate LOCA inside containment event tree.
2-15
ne next three top events model means of removing The last two top events determine the status of decay decay heat. Top event W represents use of the RHR heat removal. Wi models the use of tte RHR system system with decay heat being removed by the RHR and WSmcdels venting the containment ard providing heat exchangers. W4 models reopening the MSIVs and makeup with CRD or cordensate.
recovering the PCS. This is only possible for situations involving an SRV that was initially stuck open but re- 2.2.6.2 Meview Mndings. %c following find.
chaed wlen tic reactor was depressurized. Finally,if ing was made in the course of reviewing the Large all other decay heat removal options fail, venting the LOCA Inside Containment Event Tree:
containment and pmviding coolant injection is cornid-ered in top event W5.
. The event tree asks the W questiot'in se-quences with LPCI failed. In Gese situations 2.2.5.2 Meview Mndings. %e following fird- top event W is guaranteed to be failed since ings were made in tic course of reviewing the Interme- every combination of failures that lead to diate LOCA Inside Contairunent Event Tree: LPCI failure also fails the DilA alignment of RHR.
- The requirement for operation of the HPCI system for only two h does not appear to be 2.2.7 Anticipated Tranelent Without Scram reflected in the systems analysis or quantif. Event Trees. Anticipated trarsients without scram ication. The use of a 24-h mission time is ( ATWS) were evaluated using two separate event conservative. trees. Every other event tree in the BSEP PRA except Large LOCA asks the operability of tle RPS. All fail.
discharging water to the reactor vessel, the he event tree structure for ATWS with turbine bypass suppression pool water, tie suppression pool and feedwater is shown in Figure 2-8 and the tree
,pn,y, or tie drywell spray header as success structure for ATWS wits isolation is abown of decay heat removal. his is misleading in "" N'"' 2#
that only the uischarge path to the reactor ves-
, set is modeled in top evem Ws. luclusion of 2. 2. 7. f ATWS With Turbire Bypsss/
the other discharge pths would also require feedwster Event Tnte DesctfpflonJIhe first two continued coolant makeup. top events after the initiating evnt determin, which portion of the RPS failed. Cy represents tie mechani-e .The event irce asks the Wi question in se- cal failures of the system that cannot be recovered by manual scram. Top event Ce models the failure of the quences with LPCI failed. In ttese situatioru electrical portion of RPS Failu;es of this kird can be top event W iis guaranteed to be failed since every combination of failures that lead to countered by initiating a manual scram, thereby by-passing the logic, sensors, and relays up to and includ-LPCI failure also fails the decay heat removal ing the automatic signal generated to open the scram of the RHR system (DilA) alignment pilot valves, of RHR.
If the failure of RPS was due to electrical failures, 2.2.6 Large LOCA inside Containment Event then the m anual scram, top event Ms, is asked. Success Tree. This event tree models all breaks inside the of mectuutical and electrical portions of RPS or suc-d well with an equivalent diameter greater than 0.3 ft7.The structure of this event ttee is shown in cess of manual scram terminates tie ATWS event and the transient is analyzed in one of the other event trees.
Figure 2-7.
The next top event questions the success of tic recir-2.2.6.1 Event Tree Descripflon. De first top culation pump trip (RFT). his action is required to re-event, C, questions tte RPS. Failure of RPS transfers duce power to limit suppression pool heatup.
to the ATWS event tree.
The next two top events, Ya and Yp, determine the he next two top events. V iand V 2, model the low status of turbine bypass and feedwater. If they are pressure coolant injection system and the core spray available, tie event continues until tie reactor can be system, respectively. No credit was taken for tte CRD shutdown. If bypass or feedwater is not available, then system and condensate pumps, although the procc- the ATWS tums into an isolation event, which is eva-dures allow tleir use, luated in the other ATWS event tree.
2-16
i
! LARGE VENTING /
LOCA RPS LPCI , CSS DHA INJECT. PDS A C V1 V2 W1 WS OK OK C2 OK OK C2 C3C C4 Mgure 2-7. Large LOCA insidnor.tainment event tree.
"De next top eve % P, questions tie reclosure of the er levels ci.pected. With HPCI operating properly, wa.
SRVs. A smck epen SRV transfers to the isolation terlevel is expected to drop below water level). Po ser event tree. will level out munewhere in the 10 to 25 percent range. l The final iop eveat, C 2, questions the success of Tin next top eveut in tie tree is closure of de SRVs.
SLG Failure to h9ect boron into tie reactor vessel is %c model dm not differe'niate betwoco tie require-assusned to lead to core damage, ments for open and closed SRVs. Therefore, there a:e no tancies at this top everit arkt it is induded in the 2.2.7.2 ATW8 With Isolation Event Ylee tv:c on)y for completeress.
Desctfp#en. De first three top events, C E, C,,,, arxl Ms are as described above De next leading, RPT. The next two top events model tie ability of tie op-asks about recirculation pump trip. Failure of RI'T al- erator to inisbit ADS anal control water level at tie top lows power to remain too high for the available sys- of the active fuel at high pressure. Top event Xi models tems to be successful. tic ADS inidbit function and Lit models tie water lev-el contml function. Failure to irdubit ADS causes the SLCS operation is asked in top event C2 . SLCS in reactor to depressurire arul requires operation of the itselfis not enough to mitigate tic ATWS but failure of low pressure systems.
SLCS will guarantee core damage.
Tie next top event, llCT, asks if the suppression Top event Ut questions the operation ofIIPCI. pool IICTL is reached. it is assumed that tiese limits RCIC is not sufficient for coolant injection at tic pow- will be reached.
i 2-17
7 h .
MAN- RE-RPS .RPS UAL CIRC TURB SRV ATWS MECH ELECT SCRAM PUMP BYP FW RCL SLCS PDS TRIP.
Tatws Cm Ce MS RPT Yb Vf P C2
> Developed in Non ATWS Trees NA
> Developed in Non-ATWS Trees NA OK C4 ATW I -
ATW .
l - -
ATW C4' 1
OK C4
'-- ATW ATW ATW C4
- Mgure 2-4. ATWS event tree.
4 l
2-18 u
i a
1 l
RE- H2O SUMP H2O i ATWS RPS RPS MAN- CIRC SRV ADS LVL POOL LPCI LVL i UAL PUMP SLCS HPCI CTRL TEMP DEPR CTRL ISOL MECH ELEC SCRM TRIP RCL ISOL HIGH LIM CSS LOW PDS PRES PRES Tai Cm Ce MS RPT C2 U1 P Xi- Lh HCT Xm VIV2 L1
> Developed in Non ATWS Event Trees NA
> Developed in Non ATWS Event Trees NA i i
OK !
e
't '
C4 C4 f i
Cic !! .
NA r
! - 3 ClC F --
OK t 1
C4 'i C4 ?
CIC :
OK L_ ._
2 C4 1
C4 ~;
C4 .
C4
>1 NA i
- 1. ' Transfer as shown. I
- 2. Transfer from Tatws Event-Tree.
- 3. May not . lead to core damage if depressurization does not occur later.
Figure 2-0. ATWS with isolation event tree.
2-19 ;
r I
Tbp event Xu determines the sucass of the operator * "nie PRA should discuss tie reasoning for not in depressurizing the reactor when the llCTL is modeling the impact of stuck-open relief reached. This allows operation of LPCI and CSS as valve cases.
mcdeled in top event Vi2 V . Water level control while at low pressure is needed to continue to limit the feat discharge to the suppression pool. This is modeled in 2.3 Systems Analysis / Fault top event Lt -
The system fault twes wem wviewed to detennine 2.2.7.3 ATWS With Turbine Bypass / *"'"**
.Feedwater Meview Findings. The last paragraph Y " P ""'" "I E'""' E" " "I'
tion, ard completeness in quantifying the system unre.
m Section M.3.3.7.1 states that no suppression pool liability. Selected systems were reviewed in detail to coohng is needed for transients with turbine bypass assure completeness of the models. This review fo-available because of the 88% bypass capacity at Urut 2.
cused on the intersystem dependencies, the analysis llowever, the same accident sequences are quantified boundary conditions, and the resolution of the models for Unit 1, which has a bypass capacity of only 22E It is not clear that suppression pool cooling is not needed in the areas of common mode f aiiures and for Unit 1, human errors.
2.3.1 General Comments. The fault trees eva-2.2. 7.4 ATWS W/th isolation Moview F/nd. luated during this review appear to adequately model ings. The following firdings were made in the course the system descriptions and provide adequate model of reviewing the ATWS with the Isolation Event Tree: detail. There are some exceptions to this conclusion and they are addressed for the individual fault trees.
- The small LOCA and intermediate LOCA an ew p ceu wa au ss wMer shared cmponente were correctly inodeled with event trees transfer to this ATWS tree. Ilow.
ever, the discussion in Section M.3.3.3.7.2 unique o mpexnt dentifiers. Of primary concern or.ly mentuus the transients that are included. * * ' ' U" " " "" "8 " **** I ""
(CST) as a snaroe of water. IIPCI and RCIC were ex-
% the LOCA cases, it will $c .:npossib*e to amined end it was found that Wased CST comnonems pree.ent deptusurization. Ttus is equrvalent and specific fanits were accarately identafied.' Actua-to making ADS inhibit guaranteed failed. The rion faults for ECCS were modeled separately and it quantification of top event Xt shomd reflect was deternuned dering the evaluation that these igu!ts this conditionality on LOCAs versus trenuents.
were correc@' transferred into the appropriate fetit ures.
- The f.uccess criteria for conta'nment protec. One general concem exists in tegards to the usage of t ion assumed that (.uppressica pool cooling the fault trees in the analysis. The trees are,in general, was not required based on the early work for quite detailed. Ilowev;r,it would appear that this de-Peach Bottom in NUREG/CR-455012 in tail was not usea in some of une dominant accident se-fact, the first draft of NUREG/CR-4550 did quences. An example is discussed in the HPCI not have SPCin the ATWS event tree,llow. evaluation. Tie PRA documentation should addrese ever, the final version of NUREG/CR-4550 this analytical procedure by providing supporting doc.
for Peach Bottom does have suppression pool umentation for accident sequences where fault trees cooling as the last top event in the ATWS were not used.
event tree. Quoting from the description of this event " Success implies that the RHR 2.3.2 Evaluation of Emergency Diesel Gener.
system is operated to pmvide sufficient con- ator System Fault Trees. Diesel generators were tainment heat removal so that containment in- chosen for evaluation due to their importance in the tegrity is not jeopardized. Failure implies that dominant sequence for core melt. T(E)-B-B(5).
containment venting must be perfonned or containment failure occurs because ofinsuffi. 2.3.2.1 System Discussion. Four DGs are lo-cient heat rernoval." It is recommended that cated in a separate DG building. Unit one is supplied the PRA explicitly model the suppression by DGs I and 2 through emergency buses El ard E2 pool cooling function including the impact of while Unit 2 is supplied through E3 and E4 by DGs 3 stuck-open relief valve events and their de- and 4. A unit crosstic exists for load sharing but is left ma:xl on containment heat removal systeras, in the unconnected configuration. Additionally, two of 2-20
the Unit 2 RHR pumps and both LPCI pumps are pow- 0.0. In de Urut 2 DG models, this event cred by Unit I emergency buses. is left as a transfer to the de fault trees that produce a non-r.ero contribution.
W PRA documentation provides a good discussion of the DG systems, support systems, ard system inter- - The faulted event where a generator fails faces. Dependencies ard operational modes are ad. to supply power to tie emergency bus as dressed in detail. The documentation also adequately a result of breaker failure or some un-addresses DG actuation given accident initiation, specified output failure is treated differ-ently betweten Unit I and Unit 2. To
- De success criterion for tie DGs is to start on de, complicate this evaluation, tiere seems mand and provide electrical power for sia h. Only one to be an crent naming error for tie un-DG is required to provide emergency power, per unit, r.pecified output failure, in all of tte DG and this requirement seems to be adequately reflected fault trees, this event i: designated as in the sequerce calculations. h six h mission time is DGP-SPE-VF-DGxyf(where a refers based on offsite recovery considerations resulting to tie specific DG and y appearsio te O from non-recovery calculations based on geretic data (zero) for Unit 1 DGs and O for Unit 2 from NUREG-1032. DGs). This event appears to be mis-named in the trees and should te DGH instead of DGP since the specified events 2.3.2.2 rsulf Tree Discussion. h diesel, gen-do not appear in the basic event list. Il, er,vor, support systems, ard operation are adequately nents am nuseamed in de trees, discussed in the PR A documentation but not explicidy then an additional problem in consisten-modeled in the fault trees. Documcated systems that
! inte-face with the DGs are de power for stan up, DG #Y**"'" " "'"" " #U MB-3 Im ue Unh 1 DGs and a value of
! cooling by the Service Water System (SWS), and DG 1E-9 f r the Unit 2 DGs. Additionally, cell cooling by the DG teating, ventilation and air con-tnm b an idendcal unavailability diiler-
! ditioning (HVAC) system. "Ihese letter sys* cms are i
represcated in the fault trees. The level of detail is e un tsim de he
! more than adequately supported oy tie available data c met Wer. hre is no expla-presented in the PRA documentation. Additions.lly, all nat6n dven M tie sh ohr ohnap componerc feilure modes seem to he tdequate.ly :epre-tude differencea in tbe PR A sented in t!c data. How ever, thJ data discussion pns-hutnentatha l
ems e ems about the adagaacy anc verification of e Completeness is inckmg in the DU ft ' alt t ees in that actuatio 1 failurcs are tvat modeled.
Basic esents exist for including actuation Tir DG systnis are sep.esented by a si.ngle fauP.
failures but the teviewer could not find my tree for each system. The fault trees are 9 resented m '
ndscation tSat th+y were used. Tic reviewer the PRA arpendir. 'the elemenu of each trac kre the secognires that the actuation failure event is same with DG identifiers differentiating betren the smaller than the other DG unavailabilities trees. h PRA docuruentation udicates that the trees and would not lead to a significant effect.
are simplified versions of detailed fm!t trees devel- However, other events with much smaller un-oped for use by the limnsee. They, m fact, reflect the availabilities were included in the model. An system interfaces, output circuitry, and the normally-additional consideration conceming actua-used DG unavailabilines of maintenance, failure to tion is that the operators have the ability to start, and failure to run. Common cause failure of the manually actuate the DGs given an actuation Unit 2 DGs to start and run are included in sequence failure. No credit was given for a recovery evaluations but are not present in the fault trees. Sev-action that wocid allow the inclusion of this crat inconsistencies were noted in the trees. These are:
manual aetion in the dominant accidenr e Differences in logic structure and unavail-ability values were noted between Unit 1 ard The actual significance of the above concems and Unit 2 DG models. apparent errors can not be assessed within the scope of this review. However,it is estimated that the data and
- For tie Unit 1 DG modcI:,, the loss of de modeling inconsistencies would comprise less than a power for DG start is modeled as a basic Factor of 2 increase in the dominant sequence fre-event and assigned an unavailability of quency. This is not a significant impact on the PRA 2-21
results. The unceObty in the data could have a more 2.3.3 Evaluation of High Pressure Coolant in-significant impact. jection System F6 ult Trees. The HPCI system 0
was chosen for evaluation due to its overallimportance in many accident sequences. Ofparticularinterest was 2.3.2.3 Dsts Discussion. The data used in the its use in sequences T(SI)-U(1)-X and T(AI)-C-U(1)
PRA comes from a very detailed generic data base and which yielded significant core melt frequencies.
has certain events updated by plant-specific data. In the case of DGs, plant data was available for failure to 2.3.3.7 SystemDesctfption. DeHPCIsystem stan on demand and maintenance outages. The fol. is an Engiteered Safeguards System acrying to provide lowing concerns are noted about the development of sufficient core cooling to prevent excessive fuel clad- ;
tie DG data. ding damage in the event of a small bseak of any uniso- l latable line directly associated with the nuclear boiler.
Die system is comprised of a 100% capacity turbine l e Data entries are provided in the data sheets and pump assembly and associated instrumentation, controls, valves, and piping. The pump assembly con-(Appendix A.4) for DGl. Data entries for the ,
sists of a main and booster pump to provide sufficient I otlers are omitted. All provided DG data was discharge pressure to inject makeup water into the entered as special data which indicates that reactor pressure vessel at high pressures. The HPCI plant-specific data was used. This is incon- turbine is a two stage, non-condensing, impulse tur.
sistent with the PRA documentation that im- bine suitable for rapid start service. >
plies the only hard ware DG data related to the i
failure mode " fails to start." There was no in.
The pRA documentation provides an adequate dis-dication as to how the data was generated, cussion of *.he system to understand the system func.
- and therefore, the data validity cannot be tion, configuration, and system interfaces as used in -
assessed.
the modeling. Init!ation arquenz and technical speci-fication sutveillance requirerneuts are also addressed '
in tb> C,ocummtation. Verification of the descriptica
. 'ihere ase date differences betweea the data xcursey was nM a part of this ;eview, developed for DGs serving t!e different units.
Table 2-4 lists the DG hardware data and System intenaces and dependencies discussed in tre compares it to other data sources. docuntentuion are as follows:
Table 2-.4.
. Shares certain valws and piping connections DG hardu are data compa ed to other to the CST with RCIC and output powpath dr.ta sources piping wiJuhe feedwater system.
BSEP-dol /2 BSEP-DO3/.I PB 115o Asi'P
- Independent of f.c power, service air, and eX-temal cooling.
DG-MA 1.0G2 1DN2 2.953 -
- Water systems.
DO FIS $.243 1.1G2 3.o&3 3.lL2 DG-FTR 5.SS3 1.5&2 1.662 1.742 e Shares actuation systems with other safety On the basis of the above comparisons the BSEP "I* #* **
data seems reasonable but it was not possible to evalu.
ate the accuracy of, or reasons for, the difference be-
- System control is independent of other tween the two units. This evaluation would be systems.
panicularly critical since the DGs reside in the same building and would supposedly undergo the same . Room coohng is not required except possibly rnaintenance practices. during LOCA transients.
2-22 l
The success criteria for the HPCIis tle availability the HPCI fault tree in these two sequences. We first of the system to inject water into the reactor vessel sequeme does not contain cut sets re flecting the failure through injection valve P006 for 24 h. of the main pump discharge valve E41-F006 or other single failure points in the IU'Cl system but does con-2.3.3.2 Fsulf Tree Discussion.The HPCI sys, tain events of lesser importance. The dominant cut tem is represented as a single detailed faul' tree corre. sets for this sequence reflect only turbire-driven pump faults from the HPCI system model. It would appear sponding to the stipulated sucwss criteiin. The fault the fault tree was errorcously not used in this sequence logic was evaluated against the system description and drawing. > general, system dependercies and failure quantification. Tte second sequence appears to have modes seemed to te adequately modeled. One notable been quantiGed using tic fault tree sinw many more exception is discussed below. While the modeling as. cut sets representing HPCI system failures are present.
sumptions were not examined in detail, they appeared to be adequate and reflected the documentatior in the The apparent inappropriate usage of the HPCI mod-PRA. De level of modeling detail is adequately sup. el in sequence T(SI EU(1)-X is judged to be a signifi-cant error. The inclusion of the appropriate faulted ported by the ayailabIe data in the PR A events would raise the sequence frequency to a higher documentation.
value and may even produce the dominant sequence.
Evaluation of the actual sequence frequency change The documentation stipulates that a single assump-was beyond de sco;e of tMs evaluation.
tion invohing room cooling was used in the fault tree quantification. The model reflects the need for roorn 2.3.3.3 Dsfa Discussion. De event data nsed to coolirg for the HPCI to perfonn its mission. Later quantify tre HPCi fault tree were er.amined for wason-a rn astrad diat am dg was nouec^ ableness. The data were compared to Accident essary and was thus set to rero during qumtification of Mn Progt am ( ASEP)H ano S
de toodel. *Dys assumption appens to have been ade' NUREG-1150 f each Bottom data.t2 No diacrepancies quately hand ed in tie analytis. wem noted. However,it was not possible to venfy the developmen; of the data used due to lack of One of the model assumptinm discussed in tbe FRA &cumentation.
documemation is that "If the H9CI pimp starts on a low level transient trua is not of sufGeient duration to 2.3.4 Evaluatlett of MeslGuel Heal Removal open F006 and the minimum flow line h not open, the System Fault free.The RHR sy; tem was chasen HPCI pump may fail." for evaluation du? to its impvtance for decay heat se-le h not clean diat dds scenario is correcdy mohled in the fault tree. We modeling consists of a delayed 2.3.4.1 Systern Descripflon. De RHR system actuation 61gnal to the pump discharge vr.tve F(Oo is a multi-purpose system designed to remose stored coupled with valve failures in the minimtim do e line. and decay heat during both normal shutdown and ac6 If the valve F006 fails te open, the system is failed in dent conditions. Its primary purprse is to serve as a any case and if this is an actuation error it should be low pressure injection system in de event of a LOCA modeled at a higt.et level of the tree. If this is in fact a once the reactor is depressurized.
legitimate scenario of corcem, it does not appear that it would apply to all HPCI actuations and should be The RHR system is a closed, two-loop system hav-represented with a conditional gate. A conditional gate ing three primary functional modes of operation. The is not used so the reviewers conclude that the modeling modes are as follows:
is incorrect. Additionally, if this is an actuation error of concem, a significant error could te introduced into e Low Pressure Coolant injection, the analysis since the delayed actuation is assigned a failure probability of 2.9B-1. An actuation failure of
- Containment Cooling, and this magnitude is not present in the actuation fault trees and consideration should be given for its inclusion.
The documentation does not address the actual The containment cooling mode is sutdivided into usage of the HPCI fault tree model in the sequence SPC mode and Containment Spray (CNS) tnode.
analyses. Sequences T(SibU(l)-X and T(AlbC-U(1) are dominant sequences containing the failure of The system is designed for automatic and manual HPCI. A significant difference was noted in the use of operation with manual overrides in the LPCI and 2-23 l
l I
containment cooling modes. Automatic initiation is exception is in the use of the RHR heat ex-used only for the LPCI mode of operation in the event changers during this mode of operation (the of a LOCA. The other modes require manual initia- teat exchanger bypass lines are closed). Suc- ;
tion. 'Ihe system consists of four 33% capacity (7700 cess is de fined as tte removal of decay heat to !
gpm) motor-driven pumps (two in each loop), heat ex- the SWS following an accident (either a l changers (one per loop) for heat removal from sup- LOCA or transient). No indication is given in pression pool and reactor water, and associated valves tie documentation that ore RHR pump is suf-and piping. ficient. However, the fault trees indicate that one pump is sufficient and the reviewers
'Ibe PRA documernation provides an adequate dis- agree.
cussion of the system to unders'and the system func-tion, configuration, and system interfaces as used in 3. SPC- Success of the RHR in SPC mode is the modeling. Initiation sequence and technical speci- considered to be the success of one pump tak-fication surveillance requirements are also addressed ing suction from the suppression pool, heat in the documentation. Verification of the description removal with tre heat exchanger, and retum accuracy was not a part of this review, to the suppression pool.
System interfaces and deperdencies discussed in the 4. CNS - Success of the RHR in CNS mode is documentation are as follows: defined as tte success of one pump taking i suction from the suppression pool, heat re.
- The RHR has no active components shared moval by the heat exchanger, and return with another system, through cor,tainment spray.
Electric power is supplied to Loop A from 5. SDC - Success, cf de RHR in SDCmode is Division 1 ard loop B fmm Division 2. ho tre soccess of suction of RPV water frou re-of the four Unit 2 RER pumps and the two c;ren!ation !oop A through two esormally-LPCI injection vah as can te powered from closed (brent is racked out) valves, removal Unit I, No indication was made that the con- of decay heat tc the SWS, and discharge to yes. wa true, the RPV by the appropriate recirculation loop. The racked out breakers must te manu.
- Automatic actuation is initist.*d by ECC3 cit. ally restored.
cuitry, A concem exists relative to the succes criteria used e Control power is obtained froni the same m the LPCI fault tree model. 'ihe current model uws a
! some as loop pown. sucess crinrion of a single pump d.livering flow as adequate for system succc.s. In all initiating events
success criterion. However, for a large LOCA, it is noted that in the Final Safety Analysis Reports l
Room cooling is supplied by the SWS with (FSARs) of similar plants the success of LPCI to re-electric power for room cooling fans supplied cover RPV inventory level requires three of the four by the loop power source.
RHR pumps to te operational. While this is consid-cred a conservative requirement, it is believed that the System success criteria for the various operational single 7700 gpm pump is not adequate to accomplish modes are discussed in the PRA documentation. The reflood. An example exists in the Peach Bottom PRA individual success criteria is as follows: where two 10,000 gpm pumps are required for reflood.
It is recommended that if this success criterion is to be
- 1. LPCI- Success of the RHR in LPCI mode is used, the PRA should document proof that a single dermed as at least one pump delivering rated pump is adequate for reflood. If a single pump is t.ot flow to the reactor vessel with suction fro n adequate, the results of the reviewed PRA could be in the suppression pool. For a large LOCA, the significant error. However,it is beyond tir scope of flow must be delivered through the unbroken this review to assess the magnitude of the error.
recirculation loop.
2.3.4.2 Fault Twe Olscussion. The RHR sys.
- 2. DHA - DHA is a decay heat removal mode tem is modeled as five detailed fault trees representing almost identical in operation to LPCI. The the five designated modes of operation. The fault logic 2-24
i was evaluated against the system description ard sim- NUREG-1150 Peach Bottom data.CThe comparison plified drawings for each operational mcde. Tic sys- was made for loop single failure events such as motos-tems, dependencies, and failure modes seem to be driven pump faults and motor-operated valve ' failure adaquately represented in the mcdels. %e assump- to open.' The result of the compansons indicated that tions detailed in tic PRA documentation are,in gener- the BSEP data (all of which were generic data) was al, adequately reflected in the fault tree models. Tim from a factor of 3 to an order of magnitude lower than level of detail modeled in the fault trees are adequately that used in the Peach Bottom quantification. It is not supported by the available data, judged that this is a significant problem since ttere is a
' loop out for maintenance' event in tic BSEP quantifi-
%e documentation details 18 assumptions that are cation that is significandy higher than any of tic Peach applicable to tie RIIR system in general ami specific Bottom events.
assumptions reflecting modeling of the specific opera-tional modes. De review produced the following Plant-specific data was obtained for the RHR pump faults but was not used in the analysis. %is omission single comment relative to the general comments.
should be addressed in the documentation. Addition-ally, it was not p ssible to verify the development of Assumption 9 - This assumption deals with the data used due to lack of documentation.
initiation failures of the RilR system. T1e discus ion is directed tg common cause hu-man error for all operauonal modes. De as-g gg Yg sumption is adequately modch d for all modes except L?Cl. It is poin'ed out that his section documents an independent desktop re-LPCl mode is autor natica'ly initiated but view of the Humaa Reliability Analysis (RRA) con-goes on toindicate that a single failure to ini- tained in the BPRA (Section M.3.6). The primary time it present foi both loopt of the LPCI c'jectives ot'this review atd the :r.ajor findings are ad-fault tree. %e diccussion would lead orw to dressed in the next sections.
telieve tim a bkup human action is teing refenerf. '.o be: notidng was included in tie 2.4.1 Objectivos of Evaluation. %e objectives of fault uee as tae assump ion irdicates. This this review were tssumption tmds clanGcation.
- Assess the completents.e of the set of human erron; identified in tte BPRA. (i.e., are there As .asted in the docir.nentr. con, there was no prob- any risk sigruficant human actions that s%uld ten fourd with the rema.: ing rud-speific or quan- be included in the PRA? Are all key (mntline (Meation assurnptions, human interactions idntified).
The revicw found a possibly significant problem . Assess the quantvication of tir human errors with the use of the Unit 2 RHR models for Unit I anal- (i.e., are they credibl:7).
ysis. The PRA documentation irdicates that the LPCI injection valves and two of tic RHR pumps for Unit 2 e Assess the suitability of rAc methodologies can te powered from a Umt I electrical bus. %ere is selected for quantification of the errors. Par.
no indication in the documentation that the converse is ticular emphasis is placed on: (a) the validity true. Tic shared power relationship between the two (applicability) of the methodology selected; units should be more explicitly addressed in tie PRA ard (b) the technical accuracy ofimplementa-documentation since the models used for Unit 2 are tion for the methods employed.
transferred directly to tie Unit I analysis with minor exceptions as noted in the documentation (electrical . Assess the adequacy of treatment and com-power is not one of the exceptions). In fact, the re- pleteness for: (a) pre-accident errors (also viewers are concerned that Unit 2 does not supply known as pre-initiator events, i.e., those re-power for Unit 1 RHR components and the analysis lated to test ard maintenance [miscalibration could be in significant error. However. it was beyond errors, restoration errors]); (b) problem-solv-the scope of the evaluation to assess the possible im- ing (" cognitive") errors: (c) post-accident er-pacts of a modeling error such as this. rors (those errors during an accident, also known as post-itutiator events).
2.3.4.3 Data Olscusslon. Tte eveut data used to quantify the RHR fault trees were examined for rea-
- Assess the treatment of recovery nudels used sonableness. The data was compared to in the PRA.
2-25
i l
l l
i Assess the treatment of dependencies (cou- l was to ensure that a comprehensive set of risk signifi- i pling between errors).
cant human actions that may contribute to errors had 3
teen included in tte PRA process. The findings from l Comment on tic justification offered in the each of the major task categories are discussed in tte PRA (i.e., are the justifications adequate, foHowing secdes.
based on de information provided, to support the values used in tte analysis?).
2.4.3.7 Pro-Accident Errors. This section was not reviewable. Essential materials and subject matter e
Review overall HRA documentation and as- expens were not found in the documentation.
sess its suitability as a traceable description of tre process used to develop the quantitative 2.4.3.2 Post-Accident. This section was not re.
assessments of human interactions.
viewable. Essential materials and subject matter ex-perts were not found in the documentation.
2.4.2 Summary of Observations and Finding.
'lhe following comments summarize the findings of this review:
2.4.4 Error Quantification and Sultability of Idethodology. In this section, the HRA results were reviewed to verify the quantitative restats obtamed for Pre-Accidents are commonly located in fault the human emn. b addidon, de overall medth tn ea; the modeling technique (or lack there Fi es fu rnakirig de quandtadve assessmenu im de off) shown in the BPRA is not presented. No human can were rnwed. M roeded was eva-
- credible account of human actions is ob- luated for: (a) validity, (8.e., the suitability of it s meth-served. There appeats to be a lack of struc- d feQm appucM and @ wlethem not de l tared, or formalized modeli ig technique used method was correctly and accurately applied to the !
to develop the ret of pre-accident errors. IIIA P'"T*88-e Errors of commission in tie BPRA are com- 2.4.4.7 Pro-AccidentHuman Errors.
p!ctely abse it.
2.4.4.1,7 Ueneralfindings--There are some
- These is a complete absence of nume.u- c neerns regaating the application of THERP to the induced initiators (failures in human activi- MA procca Then, are asputa of tM THERP ap-3 ties conducted during nonual plant operation preach (as documen'.ed in NUREG/CR-127815) that '
that lead directly to off-oormal plant gere o e c nsidered (or fail to show evidence of con-conditions). sideration)in the quantitative preparation of the hu.
man error probability (HEP) values. For example, l
General documentation. The following defi- there is no indication from the documentation that per-I ciencies were observed during the documen- formance shaping factors (PSFs) were applied to the tation review. analysis. Specifically, some attention to PSPs, such as
" Tagging", " Experience", and " Stress" should have been considered. PSPs are typically used to modify the
- The method for screening human inter-Nominai HEPs presented in th? tabIes of aetions for quantification is not available. NUREG-1278.15The effect of PSPs on task perform-ance can significantly influence the potential for hu-man error. A review of the HRA analysis for
- No evidence of control room reviews, er- pre-accident conditions also indicated a lack of con-gonomic assessments, for generation of sideration for the effects ofd9pendencies in tie failure PSPs.
paths. Although diffimit to model, there are several instances during the execution of calibration and resto-
- No reasons or rationale for selection of ration tasks where dependencies could contribute to methodologies used. overall human error rates. Typical common cause fail-ures that are deper&nt upon the successful outcome of 2.4.3 Completeness of Human Errors. A review a task include:
was performed of the human errota contained within the HRA before an accident (pre-accident) and during .
Technicians use of calibration instruments an accident (post-accident). The purpose of this effort that are not accurate.
2-26
e Technician consistently performs a step that detennination of human error rates (Table M3.6-6).
is inconsistent with accepted standards and There are some technical concerns with the use of this practim. matrix that could invalidate tir derivation of human rates from the matrix. The division of HEP values across the time domain is very rough. From tle view-Error rates derived from the THERP method were point of human decissor>-making, extreme variance in used to calculate component unavailabilities resulting HEP estimates are possible (e.g., between 5 minutes from miscalibration or restoration (UA). The parame-ters' fault duration time (FDT) before detection, and nunutes). b amon, tk duelopment oW inMdual HEPs wW tk matrix stmenne are d5 interval between calibrations (test or maintenance) cult to verify, These HEP values were developed with (INT). The values for INT seem to te easily obtain-inputs from the SHARP document and NUREG/
able from plant records, however,it is not clear bow or CR-3010.t6 The technical basis for shaping the final where the FDT values were determined. The tables in HEPs, which were obtamed from the inputs of these the HRA make no referexe to the source of tlese val-documents,is also difficult to track or verify. The doc-ucs or how they where obtained.
umentation ah points out that the finai HEPs shown in Table M3.6-8, were refined by comparisons from 2.4.4.1.2 Dets/ led Findings- Comments on other PRAs and the Risk Methods Integration and ,
the details of the HRA presented in the BPRA are: Evaluation Program (RMiliP)HRA.D There is non- !
planation within the PR A study in regard to how skse i e In Table M3 6-2,ilote 3, a v:.lue of 0.05 is " refinements" te the HEP estimt.tes (based on inputs shouts for the HEP salue. The referenced imm RMIEP arti other PRAb) were et,tained.
HEP vale.e from NUREG-1278 is 0.5.15 No rationale is provided that explains why these numters are different. In eddition, there is no It is unclear why the anQ sts did not apply an al.
explanation why the error factor, rtated in ready establisted modeling technique that appears si-NUREG-1278 as a 5, (and sucorded :n such miliar to the customized technique en ployed by the in the table) was reduced to 2.33 The calcu.
analyst. A comf&te "eooktut" approach,includi.ig lated mean of 0.05 for tiss value (given a me- the three ecsential skill, rule, arxl knowledge curves for diat. of 0.t15, and aa error factor of 2)is enor quantificatlao is aheady avai'able. This existing conect. However, tle mean value as used in 8PPiC"h raso lays out a anpreknshe, and to some the THERP model (Table MJ.6.-2) from mem, prevuAtsly validtted plan for HEP modifica-Note 3 on the failure path is E5. This appears tims Fad on iry ucs from PSPs. The do.cmentathu ,
to tracL with thc referenced valu) from for this apprwch i? availat.le and fully discus ,ed la NUREG-1278.t 5 Hanname.n, et. kl.1984 (Human Cogni4.i-e Reliability Model for FRA Analysis, DRAFrl8). If the HRA rna-lysts had followed this previously developed method-e The mean HEP value of 0.005 is shown in ology, a more complete and traceable analysis that test Table M3.6-2, Note 5. De value, re ferenced reflects the state-of-the-art in human error quantifica-from Note 5, that is used in the THERP model tion would have been obtained. It is difficult to ascer. '
(Table M3.6-2)is 0.01. There is no explana- tain the degree in wtuch the error rates would differ tion for tids discrepancy. between the modified technique (using NUREG/
CR-3010) described in the PRA versus the HCR tech-
- In Table M3.6-4, Note 1, the error factor ref. nique presented by Hannaman. Preliminary sensitivity erenced in NUREG-1278 is 3.15 The error studies indicate that human cognitive reliability factor was increased to 5. There is no justif . (HCR) models would yield more conservative values cation for this modification. at lower time intervals to perform the tasks. This rela-tionslup is illustrated in Figure 2-10 which shows the results btained from tic HCR model mpared with 2.4.4.2 Assesstnent of Hurnan Errors Mod- those obtamed from NUREG/CR-3010.
eled During en Accident.
2.4.4.2.1 Operefor Ert ors Modeled in Fault A more precise assessment of error quantification Trees-The rationale for using the methodology for was obtained by comparing a sample of the values developing the human error rates in the fault trees is from the fault trees with similiar rates selected from not apparent. In this portion of the HRA process, the the NUCLARR data base.W The results of this com.
analysts developed an enor probability matrix for the parison are shown in Table 2-5.
2-27
i 100 i
, i i iisisl i i s l a isi) i 11111l g E 3 M
s
[ ,NUREG/CR 1278 )~
l i
1"'
{
. ].
i
) 10 8 NUREGICR 3010 ;
10 ' e E
HCR l.
10 5 '""I ' ' ' ' ' "I ' '"N 100 105 108 '
108 Time (min) 8#
Figure 2-10.11CR results comparison. '
Tab % 2 6. Comparison of selected human error rates from fault t:res wih values from NW.1ARR rtatt, brae. ,
r PRA NUCLARR NOCLARP Identifier Probability Probabi,lig,, _ Delta Reference HPC-XIEFO-DPOTA 0.0001 0.006 -0.0059 2-84 (1)
CRD-XIEFO-FOO2A 0.01 0.0005 +0.0095 2-84 (1)
RfE-XIEFO-SDCA 0.1 0.0006 +0.0994 2-84 (1) 1-87 (2)
SWS-XIEF04.X)NV 0.001 0.f07 -0.006 1-87 (2)
SLC-XHE-FO-ACT 0.02 0.014* +0.006 2-84 (1) 1-85 (3)
RCIC-XIEFO-DPOTA 0.0004 0.0346 -0.0342 2-84 (1)
RCU-XHB-FO-FCU2A 0.001 0.0346 - 0.0336 2-84 (1)
(1) Calculating liuman Reliability Esamates Using Expert Judgement,2. November l984, NUREGICR-3688 (2) A nalysis ofCore Damage Frequency From internalEvents: Grand GulfUnit ),6 April 1987, NUREGICR-4550 1
(3) OperatorActions in Anticipated Transient Without Scram (A1WS-TC) SequenceforPeach Bottom Plant October 1985, Brookhaven National Laboratory (Unpublished Report) \
l a. Average taken for two reported values in the NUCLARR data base (.028 and .0001).
i Of the seven PRA probabilities evrJuated, three are two of them (RCIC-XIEFO-DPOTA, RCU-XHE-more convervative (i.e., showed higher probabilities) FO-PCU2A) differed by a factor of 10 or more. It is than those similiar values obtained from the NU. recommended that ticse two outliers be reassessed for CLARR data base. Of the other four remaining values, their overall suitability as valid human error rates, in 2-28
spite of tte relatively large differerses for some of the A subset of the event tree errors was evaluated by values, a t-test of the two sarnples (PRA versus comparing them with values independently obtained NUCLARR data points) revealed non-signficance using the ASEP methodc-logy described in NUREG/
(alpha = 0.05). As a result,it can be assumed that the CR-.4772.20 Ttese results are shown in Table 2-5. In two samples are representative of the same distribution general, the event tree enor values (PRA probabilities) are conservative estimates. Although all of tie ASEP-of human error probabilities.
generated values are somewhat higler than those from the event trees, it should be noted that ASEP probabili-ties are course screening numbers, arxl that numbers 2.4.4.2.2 Operafor Errors Modeled in generated from this technique are generally higher l Event Trose--The human initiators for event trees than what would normally be observed using other ;
were quantified using HEP data from past PRAs arxl techniques. Primary differences were noted for Event BSEP operator experience. 'nen is no traccable re- i cord within de PRA study that indicates the specific reference c;tation and rationale for ttese values. Sec-F'" ' *" ',*, Tie 'reviewerjudged
' " " " " Event MS as the probability shown fos Event W5 (for containment l ticas and page numbers from past PRAs would be ventmg) was deemed too low by the reviewer. 'De as-beneficial to show where tie original HEP values were sumptions consideard by the reviewer for the gerera-obtsined. At this point it is difficult to assess their va- tion of these values are also shownin hble 2-6.
tidity The reviewers sugfest that a rnore formaliad me;hodology for error quantification may be superior Agai% in spite of the obrervable differences be- ,
to dr. tie use of hiunrical data in particular, tech- : ween the two samples of probabihties (i.e.. crent tree rdques that model disguosis of the a:tions nect.ed. versus ASEF-pcaera:ed) a t-test (Alpha = 0.05) re-such as HCR models, snit /or THERP would have pro- vealed no signficaot differences betweeo the two duced a mom scrutable analysis. gnups.
' Table 2-U. Comparison of selected bumnn error rates from tie evenf trees with screening values from ASEP proceduie (NUREG-4772)
PRA ASEP Notes /
Identifier Probabilhy Pmbability _ Delta A$sumptio3s XM 0.001 0.03 -0.029 (1)
LL 0.1 0.13 0.03 (2)
YF 0.2 0.35 -0.15 (3)
W4 0.01 0.03 -0.02 (4)
! W5 0.01 0.25 -0.24 (5) l MS 0.05 0.015 +0.035 (6) l COP 0.00005 - --
(7)
XI 0.03 0.06 -0.03 (8) l l- (1) Time for Diagnosis <10 min. A critical action as part of a step-by step task done under moderatel ' high stress.
(2) Value taken from NUCLARR data base, for the task statement: "CRO operates the emergency core cooling sys.
tems, operator fails to maintain RPV level at tip of active fuel while at low pressure"(Ref: 1-85).
l l
2-29
Table 2.6 (continued).
(3) Time for Diagnosis <10 min. a critical action as part of a dynamic task done under extremely high stress.
(4) Hme for Diagnosis >20 min. a critical action as part of a dynamic task done under moderately high stress. As-sumed training and task familiarity for decay heat removal amongst the operators very Idgh.
(5) Time for Diagnosis >30 min. A critical action as part of a dynamic task, donc urder extremely high stress. As.
sumptions:(a) Training ard experience is nominal, tie event is covered, but not practiced in initial training of opera-tors for becoming licensed. (b) Communications (ich inside and outside the control room) very tdgh; (c) Wortload very high.
(6) Emc for Diagnosis >10 min. A critical action as part of a step by step task done under moderately high stress.
Assumptions: (a) sufficient time available to perform action ("within several minutes");(b) training high; (c) action is routinely checked and verified by SRO, and in some instances STA. (d) action steps to inititate manual scram is specifically called out in EOPs.
(7) NOTE: his value not analyzed. The stated piobability of 0.00005 is in tire with accepted standards for tius ac-tion.
(E) Time for Diagnosis <t d min. A cntical action as part of a dyrtmic task done under extrememly high stress. As.
ss.mptions: (a) Training high; (b) Typically called as an action step in EOP;(c) Workload level usually very high prior to rind during execution of step making error of omission likely.
2.4.4.3 Mecovery Actions AppIled to Se- veloprrwnt provided to verify t'ae accura y.
quence Cut Sets. The application of recovery ao This isjudged to be inportant s.nce a sigetifi-tions,in some cases is not evident. Tie rationale for cant portion of the BPILA generic data is up to selection of the " lowest" failure rate as stated on page an order of magnitude smaller than similar M.3.6-5,is conflicting with popular convention. A data devebped for the NUREG Il50 Pea.h mere acceptable practice would be to select the recov-Bottom analys!.s and that developed for use m cry action with the highest (i.e., most conservative) er- the NRC ASEP.12M ror rate for the analysis, e
FRA documentation indicated that plant-2.5 Data, Quantification, and Specific data **$ used only for the iterns Uncertainty listed above, in many mstances, the data t 3ie, in 13, ,ppendix todicaic inat generic data is not used and special treatment is given This section presents the results of the review of the to failure rate data. There is no indication as component reliability data, the quantification tech-to the source of infomtation or the develop-niques, and the :reatment of uncertainty in the BPRA.
ment of the special data.
2.5.1 Failure Rate Data Generation. The BPRA e Test and maintenance unavailability infomia-documentation details many varied sources of failure tion is presented in the PRA documentation.
data that was used to develop a generic failure rate data The maintenance unavailability was calcu.
base. Plant-specific data was obtained (and the docu-lated with tie use of the total outage time and mentation indicates that it was used) for tic ' fails to mission time. However, the mission time was start' failure mode for DGs. RHR pumps, HPCI not provided so the accuracy of the calcula.
pumps, RCIC pumps, and test and maintenance outage tions could not be assessed. The final value unavailabilities. While analysts may be able to support appears to be reasonable ard is consistent the failure rate data used in the arralysis, the PRA docu-mentation is severely lacking in development detail.
with that used in the Peach Bottom NUREG-Il50 analysis.12 The following discussion details specific reviewer concems regarding the data used in the analysis.
- As indicated above, the PRA documentation e
provided plant-specific information for cer-h is not possible to verify the generation of tain plant components. With the exception of the generic data used in the BPRA study. DGs, generic data was used for the compo-References are given but there is no data de- nents where plant-specific information was 2-30
r i
wailable. The PRA documentation should points in tie !!PCI systern. Other sequences involving address this discrepancy. the IIPCI system do contain these failures. It appears that tie IIPCI fault tree was not used in the formation it is beyorxl tte scope of this evaluation to assess the of this accident sequence.
impacts of the above concems. The PRA documenta-tion should addess these concerns prior to final sub-mittal to the NRC.
2,6. Review of External Event ;
Risks 2.5.2 f Mn1 Sequence Quantification and Uncerbr4,y, The generation arxl quantification of 2.6.1 Introduction. This section presents the review accident sequence cut sets was perfonned using SETS, results of the risks from accidents initiated from exter-except for three sequences that were developed with- nal events and spatially dependent intemal events as out the use of event trees.21 The cut sets were then estimated in Vol. 3 of tie Brunswick Steam Electric modified for the following reasons:
Plant (BSEP) Probabilistic Risk Assessroent (BPRA). 8 The objective of tie review was to determine tte cmd-
- Success criteria cbanges involving rcom ibility of t!e extemal event risk estimates. In pursmi of cooling arnt the RIIR Service Water system this objective, the review included an evalurt. ion of tte required climination of some cut sets. data, methodology, logic and completesers of th1 ex.
ternal event risk estimates. *1b review ano consisted
+ Q t seta rvresenting violanon m tte tectui- of a plant tout. Several questiorebased on a prelimi-cal specifications were remoed. nary review of the BPRA were discussed with plant personnel during the tour. Aaswers to no:ne of the
+ Ide::tified dependent failure events were add. questions which were WA ovidc4 during tbc discus-ed into the cut sets, sions were transmitted by separate conespondence from Carahna Power & Light Company, the operating .
- Applicable recovery ft.ctors were added to utility for BSEP. Those questions and answers nie pro-the cut sets, vided in Apperviin A.
All chmges to the cut scts were dore in the .esnhs 2.6.2 Approach. The epproach used in the review (nodule ofSE'IS 2: Thelev sedcuantification was:ra. consii,ted of three clernents. First, the information tomatically perfonned by SETSfgt contained in the BPRA, primarily Vol 3, waa reviewed for intema! consistency, completeness, logic, and cred.
The uncertainty analysis was conducted using the ibility. Second, the overall core damage frequency revised cut sets as input to the SEP code 22 SEP uses (CDF) results for tie individual event initiators were '
Monte Carlo sampling techniques to propagate uncer- compared with available results from other PRAs to tainties. Input to SEP also included a median value ascertain if any result was markedly different from and range factor for each event in the cut sets. All sim. comparable other studies. If significant differences liar component failure events were completely were fourd, tte reasons for those differences were eva-conclated, luated. *lhird, the methodology, data, and assumptions were evaluated agairut other relevant contemporary Sensitivity analyses were perfonned on a set of four information to determine if any important omissions or cases. These cases explored the impact of dependent obsolete technology exist in the BPRA.
failures, recovery actions, arxl roorn cooling assump-tions on the core damage frequency. 2.6.3 Brunswick Probabilistic Risk Analysis Results. To concentrate resources available for tie The methods ard corxiuct of the quantification pro- review on the important risk contributors, and also to cess were appropriate and confonned to accepted prac- establish the basis for comparison with other PRAs, tices. Only ore instance was fourxl where the accident the overall Brunswick extemal event risk results will sequence cut sets irxheate the improper formation of be briefly reviewed. Table 2-7, extracted frorn data in the sequence cui sets. Sequence T(SI)-UI-X does not Vol. 3 of the BPRA, provides an overview of the rela-contain cut sets reflecting the failure of the llPCI main tive contribution of extemal event initiators to the fre-pump discharFe valve E41-F0n6 or other single failure quency of core damage.
2-31
Table 2-7. Euemal and spatially-dependent intemal event core damage frequencies Frequency (% Contnbution)
Event Unit 1 Unit 2
- 1. Aircraftirnpact st.0b7(0) sl.0E-7(-0)
- 2. Extemal flooding si.057(Of st.0b7(~0P
- 3. Extreme wirx! sl.0E-7(0F 51.0b7(~0)*
- 4. Industrie.1 or military 51.0E-7(0) 51.0b7(=0)
Facility accident
- 5. Fire 5.5E-5(42) 6855(49) 1.9E-5(21)b 2.lb5(23)b
- 6. Inwmal flooding 5.166(4) 5.156(4)
- 7. Release orctemicals 1.057(-0) 51.0b7(~0) from onsite storage S. Truportatun accideruts st.0b7(-0) 51.057(*0)
- 9. 7Wbine genersted missile 51.067(-0) St.0b7(=0)
- 10. Seismic activity 6.6b5(507 6.665(477, 1btal 1.3E-4 1.4E-4 [
(9.065)b (9.2B-5)b t
- a. According to the BPRA, these events contribute to the core damage frequency by causing loss of offsite power and their contribution is included under the intemal event analysis. See related discussion following for further evaluation.
- b. These are the BPRA results assuruing implementation of fire risk reduction recommendations which tte PRA indi-cates are currently under evaluation. This area is discussed in further detail in Section 2.6.5.5,
- c. These results are described in the BPRA as tie result of conservative screening analysis, and the results may be altered significantly on tie basis of additional analysis, planned or ongoing. See Section 2.6.5.10 for further evaluation.
From Table 2-6,it can be seen that seismic and fire and spatially-dependent internal event initiators, was
- initiators are the major contributors, with internal estimated in the BPRA to be 1.55E-4/yr for Unit I ard flooding also providing a minor contribution. All oth. I 6154/yr for Unit 2 (assuming fire modifications are er initiators were found to be negligible (defined as not implemented). Thus, the extemal and spatially-equal or less than 1 B-7 in the DPRA).1hus, except for dependent intemal event contributions are substantial, the three contributors noted, tie frequency of any other representing over 80% of tie total core damage fre-initiator would have to be increased by at least two or- quency for both units. The BPRA cautions, however ders of magnitude to become a significant (on the order (Page 12-1 of Vol 3), that the results are "strongly of 10%) contributor to the overall frequency of core biased by an overly-conservative seismic analysis,"
damage from external and spatially dependent intemal and "It is fully expected that with more refined ongo.
- events. ing and planned analyses of seismic events, the core damage results will be significantly reduced." The va-It is of interest to note that the overall core damage lidity and implications of these statements are ex-probability, considering intemal as well as external piored in subsequent sections of this vport.
2-32
, . ~ _ . . . - . _ , , , ,
2.6.4 Selection of External Events.The ten cluded the following steps, similar to those recom-events in Table 2-6 were deris ed, according to Section merded in the PRA Procedures Guide:2
, 1 of Vol. 3, from considering some 35 extemal event atxt spatially-deperdent intemal initiators. (The spa- 1. Events which are not as severe as those for tially-deperdent intemal initiators include only fires which the plant has been designed, or which and floods within tic plants. As pointed out on Page were judged to te sufficiently considered in 1-1 of the BPRA, tiese events have historically been tie plant design.were climinated, classified as extemal events in the PRA literature).
- 2. Events which were included in another event dennhion were chminated, ami The hst of 35 events considered in the BPRA was stated to te derived from the PRA Procedures Guide ard the FSAR for the Brunswick units.2.n As part of 3. Events which have negligible site-independ-the review, this list was checked for completeness us, ent frequericy were climinated. htsle 2-8 in-ing a recent NRC assessment of extemal hazanis to nu- dicates which events were screened out on the clear power plants.24 The list of 35 evet ts in the basis of the three screening, steps.
BPRA was fourd to te cortplete except for omiss i on of the fellowing generic initiators: (a) volcanic activ. In evaluating tie walidity of the screening resuhs,it ity, (O aviac.che (larxistide), t.rd (c ) irdustrial tabo- was not 3.ossible with available resources to perform tage. Obeiwly, due to the location of the site, an iWepth review of the plant design basis and com-vo';anic activi:y is not relevr.nt. Tbitter, avalanche pare it with the likelihood and consequences of the potentivi is no) of co scem due to the fir.t lardscape in events which were climinated on the basis of plant de-the vicinity of the plaat. Sabetage is beyord the scope sign consiocrations (fint column in "Inble 2-8). Ilow-of the Bruruwick PRA, as it has gerwralty teen for oth, ever, based on the plant location,infonnation obtained er PRAs perfonned for nuclear power plants. I'. is during the plant tour, sad otherjudgmental corr.ider-therefore concluded that the origirnt list of 35 events in ations,it does not appear that any of the 14 items climi-the BPRA is sufficien' ard appropriate. nated on the basis of plant design considerations have the potential for (ontributing to plant risk. Further, no other available probabilistic risk arsessments which The initial list of 35 initiators was reduced to ten have considered external ever.ts (some 15 studies) events by a successive ccreening process which in- have fomd any of these events to be risk contributors.
Tatne 2-8. Extemal events climinated with the screening procedure used in tic Bruriswick PRA locluded in Definition of Negligible Frequency Plant Design Consideration of Anotler Event lidependent of Site
- 1. Drought 1. Costal crosion 1. Meteorite
- 2. Extemal fire 2. liightide
- 3. Fog 3. liigh river level
- 4. Frost 4. Ilurricane
- 5. liail 5. Intense precipitation
- 6. l{igh summer temperature 6. Storm surge
- 7. Ice cover 7. Tomado
- 8. Lightning 8. Tsunami
- 9. Lov: river level 9. Toxic gas
- 10. Low winter temperature 10. Waves
- 11. River diversion
- 12. Sandstorm
- 13. Soil shrink-swell consolidation 2-33
Relative to those events which wete considered to he next section evaluates the analysis of the ten ex-be includej in the definition of another event (second temal event initiators which remained after the initial column of Table 2-8), tie BPRA assurned that tte fol- screening process (see Table 24).
lowing events were included under the definition of extemal Gooding which was explicitly considered: (a) 2.6.5 Evaluation of Ex%rnal Event Risk Con-coastal crosion, (b) high tide. (c) high river level, tributors. The following sub-sections consider the (d) intense precipitation, (c) tsunami, and (f) waves- PRA tinalysis of each of the ten events listed in Table flowever, none of tiese events were addressed explic-24 which were not eliminated by the initial screening itly in the BPRA under tie extemal floodirig analysi" criteria. Because only fire and seismic events are sig-(Section 3 of Vol. 3) except tidal surge accompanyinE nificant contnbutors, ernphasis has been placed on the the probable maximum hunicane. According to the n view of these events, recognir.ing that, as discussed BPRA, the BSEP FSAR states that this event is ex-in the preceding section, the BPRA considers tte seis-pected to be tie most severe cause of exterr.al flood-mic risk analysis to be overly conservative and in need in g.23 While this appears to be a reasonable of refinernent (which is stated to be both underway and conclusion, arxl is consistent with other PRA studi 5 plarmed) to obtain more realistic results, for plants kicated on the Atlantic Coast, the BPRA is considered deficient in dism sing all other Good causes without any discussion. - It should also te 2.6.5.7 Aircraft impact. Accidems r.t the plant noted that the most severe flood may not te the most due to aircraft impact are considered in Section 2 c/ -
nsk significant based on frequency of occurrence con- Vol. 3 of the BPRA. A screening methodelogy was siderations. On the other harad, based on site hication employed to determine if additional analysis was re-and characteristics as wcll as resuhs from other PRAs, quired to evalx-:e the risk from aircraft impact De it does not appea' tta the o'her flood considerations My runcludes (Page 2-4) that "...titcraft impacts weald be nsk significant. Coa <tal crosier is a slow contribute negligibly to risk at BSEP." His conclu-sion wr4s based on a frequency oflarge commercial and process which would likely te detected long before it tecarne a threat to the safety of the plar't, the tides are military aircraft impact at the plant of 1.0E-8/yr atx! a frequency of SE-7/yr for light aircraft. The latter well i.nown on the Atlantic cout and accounted for in the plant design, as is risk of intense precipitation. event is expected to r:sult in only loss of offsite power, arxl would ex.t be a significant contributor to core dam-Tsunamis are expected to be rare on the Atlantic CoastM and river (Cape Fear river) flooding does not age due to the much higher frequency of power loss appear to be a potential threat due to the sue terrain' g, ,,her events. %e methodology used for compm-ing these probabilities is stated to te from the Ocorce The only wave concem would appear to be waves gen-and Seabrook PRAs'2L2s crated by hurricanes which are explicitly considered in the BPRA and evaluated separately in this review.
Tte BPRA analysis of aircraft crash probability was found to be reasonable aral credible. Only ole ques-Tte elimination of meteorites on the basis of low tionable aspect was found. On Page 2-11. Table 2-4, frequency is accepted practice in PRA methodology a glide ratio of 17 was used for all types of aircraft,in-and is consistent with the evaluation in the PRA Procc- cluding commercial, military jet fighter, and general, dures Guide.2 he basis for this value is stated to be " Reference 4",
liowever, Reference 4 is not included in the PRA. Fur-The ten events remaining after completion of the ther, a glide ratio of 17 for all types of aircraft appears screening process were further screened in the BPRA to te quite high. A more typical number would appear by a more detailed and site-specific analysis. This to be 8 to 10. This would increase tie computed crash process eliminated from further consideration all probabilities by a factor 2, but all of the results would events except intemal fire, intemal flood, and seismic still be negligible contributors to risk.
risks. (%e consideration of intemal fire risk is pro-vided in documentation separate from the main To validate the BPRA results for aircraft impact BPRA5). Regarding seismic risks, the PkA states that risks, a formula given in Reference 24 was employed.
additional seismic analyses have teen deferred "...be- Dis formula is different from that used in the BPRA, ,
cause of certain otler industry activities"(such as tts but tie same basic parameters are included. Based on
- eastem seismicity issues, A~46, seismic margins, etc.). the formulas in Reference 24, it was confirmed that The report states further "...the seismic results pres- aircraft crash events from civilian and military aircraft ented in this report are overly conservative and must be are insignificant contributors to plant risk %e con-refined further in order to obtain more realistic clusion for civilian aircraft is also consistent with use results." of the appropriate fannula in Reference 24, 2-34 l
The Brunswick result for aircraft crashes is consis- spect to flooding frequencies ootained for two other tent with other PRAs. No PRA for U.S. comrnercial sites on the Atlantic coast, St. Lucie and Turkey reactor facilities has found aircraft crash to be signifi- Point.22 n Ithese assessments, flooding frequencies cant contributor to risk. varied from 967 to 264 for plant grades of 22 and 18 ft., respectively (the BSEP plant grade is 20ft.)
2.6.5.2 ExfemalMootting. A screening estimate of extemal flood risk is presented in Vol. 3, Sect. 3 of As indicated previously, the BPRA apparently as-the BPRA. As indicated in Section 2.6.3 preceding, sumes (the wording on Page 3-4 is romewhat vague) only floods associated with the tidal surge accompany, that the only contribution to core damage frequency ing the probable maximum burricare are considered. from extemal flooding is from loss of offaite power The BPRA apparently concludes (Pg 3-4)that the only (with difBcult recovery) caused by switchyard flood-risk contribution from extemal flooding is caused by ing at a frequency of 3.044/yr. Tie actual core dam-loss of offsite power which is predicted to occur with a age frequency from this event is stared to be i frequency of 3.0B-4/yr (corresponding to the 20 ft. considered as a contributor to the loss of offsite power l floal frequency), and is corwidered difBcult to recover frequency for the internal events analysis. ]
within a short time period. This loss of power event is stated to be considered as a contributor to tic loss of An examination of the loss of offsite power initiated offsite power frequency for the internal events event in the intemal events assessment of the DPRA
""'I Y 888-was undertsken to deer <nire if the flood-caused event desenbed in tie preceding text was explicitly consid-The flooding frequency assessment was found to be ered. Sech W Wol 1) nakaks ty frequency of consistent and credible except for the derivation of cme damage for loss of offsite power uutiated events.
site-specific wind speed (frequency of occurrence).
No coruideratir,n catld te fourxl for flood-initiated According to Page 3-2 of Section 3, wind data frorn I ss of offsite power accidents with reduced probabih,-
ty cf recovery. Accordingly, a screening evaluation Southport, NC were used. *Ihese data, however, are stated to include only the geriod inen 1876 to I894. It was undmakn to detemine the potential sigruficance is stated that these data (which are not explicitly pro- of such events. Assuming a M-tmtiawd loss of off-vided in the report) indicate a 140 mph wind speed re- sitep werevent ccurs with a frequency of 3E-4/yr as turn period of 1000 yr Use or such limited data concluded in the BPRA, the core damage screening potential from this event can be estimated as follown (18 yr), which is almost 100 yr old,is considered ques.
tionable. Further, it is not clear how such limited data were used to support a retum period of 1000 yr for a CDFama = 3&4
- 2.653
- 1.0 m 7.867/yr l 140 mph event. It would be expected that much more extensive and contemporary wind speed data should be where 2.663 is the probability of emergency onsite available m the victruty of tie plant; for example, from power failure (taken directly from the BPRA) and 1.0 airports, military bases, weather stations, etc. In re-is conservatively assumed to be the probability of non-sponding to a related question (See Appendix A), the recovery of offsite power in four h, utility (Carolina Power and Light) indicated that tie data were considered adequate for a conservative screening assessment and was considered to be the best The severity of this flood would tender timely re-source at the time of tie BPRA. While the data appear covery of offsite power unlikely. 'Ihe four h period is inadequate for the application being considered, the assumed to be the limiting time that decay heat can le essential result from the PRA, that is, a frequency of removed due to loss of onsite DC power from battery 3.0E-4/yr for a flood height of 20 feet (corresponding depletion (this time interval is consistent with other to a wind speed of 148 mph) was fourd to be consistent 11WR PRA assumptions, e.g., Reference 36).
based on comparisons with other sources as discussed later in this section. (A separate evaluation of wind This is an insignificant contributor to the overall speed frequency is provided under Section 2.6.5.3, Ex-core damage frequency, but is greater r.han the screen-treme Wind, following.) ing cutoff value of 1.0N7 used in the BPRA.
The BPRA analysis of flooding appears consistent in comparison with 10 other PRAs,24 the extemal with the recommerded approach in Reference 24 for flood-induced core damage probability was fourxl to hurricane-irxtuced flooding. Further, the results ap- be significant (greater than 157)in three cases as pear consistent, and somewhat conservative, with re- follows:
2-35
I' Plant CDF Remarks site. No data could be found in the BPRA for the off-site power recovery probability under the flooding <:ir-1,0conee (27) 2.3 & S Assumed 100% CDP cumstances being evaluated he.e. The general probabihty given site norsrecovery probability estimated in the BPRA at 14 flooding. h is about 0.014 based on data provided on Page M3.3-48 of Vol.1. De norerecovery probability used [
2.hrkey Point (25) 2&4 . Without offsite power for hrtey Point is 0.02 for 14 h for the flooding see-recover natio being considered. Thus, die overall contribution 1&5 With offsite power to core damage from external flooding, assuming that recovery the 22 ft flood disables the fuel oil transfer pumps, and ;
that the Turkey Point non-recovery probability is
' 3. St. Lucie 1 (26) 266 applicable, would be In the case of Oconee, the Dooding source is a reser- CDF = (3&4) * (0.02) = 666/yr.
voir above the plant which acts as the ultimate heat sink. his situation is not applicable to the BSEP. nds would be aapproximately a 6% contributor to the overall core damage frequency for each of tic BSEP De hrtey Point and St. Lucie cases are of particu- units (assumiag the fire modifications suggested in the lar interest because they are both Atlantic coast sites. BPRA have been accomplished). While not overly '
hese assessments were examined in detail to deter- significant, this contribution is not negligible, mine if the results included any considerations which may have been overlooked or incorrectly assessed in in the St. I ucie assessment, corntamage is caused the BPRA.D from failure of core heat removal systems directly from the flooding event and note of the important se- ,
In the case of Tbrkey Point, tie core damage proba- quences are related to offsite power loss.26 Thus, the btlity is identical to the flood probability if offsite St. Lucie resuhs are plant-specific and not applicable power is not recovered. This result is based on the to DSEP.
finding that the diesel oil transfer pumps were suscep-tible to inundation during the flood (pg. 3-39, Refer- 2.6.5.2.1 Conclusions--It is concluded that ence 25). Thus, the DGs were assumed to fail from the BPRA extemal flood risk analysis is deficient, and loss of fuel after the fuel oil supply is exhausted in the that extemal floods could impose a small, but not in-day tanks (eight h supply). In the BPRA, no consider- significant, contribution to tte core damage frequency.
ation is given in the flooding fragility section (Section 3.3) to fuel oil transfer pumps, although DGs were 2.6.5.3 Erfterne Wind. A screening estimate of considered. It is not known if the fuel oil transfer core damage frequency is provided in Section 4 of Vot pumps would be susceptible to flooding for the 22 ft 3 of the BPRA. De assessment concludes (pg. 4-5) flood considered for Brunswick. However, during the that wind caused failure of seisode Class I buildings is plant tour, these pumps were examined and found to negligible (approximately $&8/yr.) llowever, fail-exist next to the long term fuel oil supply tanks located ures in the electrical gear providing power to the site considerably below grade in a buried chamber. Thus, may result at wind speeds grater than 135 mph, which it is possible that these pumps could be disabled in a are estimated to occur with a frequency of 2.0&3/yr.
flood if the surface access to this chamter is not pro-tected against the 22 ft flood, or if underground seep- Such winds are also assumed to fail the CST. De age is likely, if these pumps fait during the flood, then study concludes that "this event (loss of offsite power
- the core damage probability is and loss of CST)is considered to be covered by the loss of offsite power frequency and non-recovery of CDF = (3E-4) * (probability of failure to recover offsite power curve in the intemal events analysis." To offsite power in 12-14 h) verify this conclusion, an examination was undertaken I of the LOSP accident analysis as provided in Section
%e 12 to 14 h time interval is based on battery fail- M3.3 of Vol.1. Re loss of offsite power frequency ute in 4 to 6 h. after loss of DGs in 8 h. This analysis was assumed to be 0.04/yr. based on Table M.3.2-8 of assumes no other recovery actions are taken, such as Vol.1. The additional contribution from winds as as-obtaining attemate sources of fuel oil. However, dur- sessed in Section 3 (0.002/yr.) would have an insignifi-ing a flood of the magnitude being considered,it cant effect on this frequency, flowever, the LOSP would appear difficult to acccmplish recovery due to analysis does not include an explicit assessment of the extensive flood damage expected in tie vicinity of the loss of offsite power event concurrent with loss of the 2-36
CST from high winds. Further, the CST supplies water cy does appear reasonable, and is consistent with data to both of the systems which would nonnally supply in Reference 24 (Figure 4.1).
coolant to the core urder LOSP conditions,the Reactor Core Isolation Cooling System and the High Pressure With respect to the second item, a reassessment of Coolant injection System. For both of these systems, loss-of-offsite--power frequency was performed as.
automatic transfer to the suppression pool is designed suming the onsite electrical equipment would fail at to occur upon low CST level or they may be manually the design basis wind,90 mph, ratter than 135 mph.
transferred from the CST to the suppression pool. Assuming failure at the design basis level is more con-Thus,it does not appear that loss of the CST would re- sistent with the BPRA scoping assessrnent approach, duce the availability of either the RCIC or HPCI sys- especially since no basis is provided for the assumed tems to a great extent, although a detailed assessment 50% margin. Based on data provided on Page 4-13 of was not performed. However, loss of the CST at the the PRA, the return frequency of 90 mph winds is onset of the accident would reduce the time to core about 0.07/yr at the Brunswick site. This frequency damage under sustained plant blackout conditions was compared to tie overallloss of offsite power fre-since the suppression pool temperature would rise quency in the BPRA to determine the potential for a more rapidly and cause eventual failure of tin injection significant contribution. According to Table M.3.2-8, systeris. The actua? temperature rise cithe Suppres- Page M.3.2-38 of Vol. I of the BPRA, the loss of off-sicq od urder these con:.itions, ard the susceptibility site power frequency used in the PRA was 0.04/yr.
ta failure of the RCIC/HPCI pump:. as a function of Thus, de contribution assuming failure at 90 mph of rYag Juppression pool temperature are complex is- electrical gear in the switchyard, transformer yard, or sues and weir not evaluated as part of the review. relay house leading to offsite power loss would be sig.
However,it appears that core damage from loss ofin- nificant, raising the frequency of this event to 0.ll/yr.
jection due to banery depletion would occur tefore the The core damage frequency from LOSP initiated acci-suppression pool water temperature induced RCIC/ dents was examined to determine if the increased fre-HPCI pump failure for this case. On the balance,it quency associated with assuming LOSP at 90 mph does not appear that explicit consideration of the would result in a significart contributor to the overall LOSP event with concurrent loss of CST would in- core damage frequency for either of the BSEP units.
crease the CDF significantly. *Ihe BPRA is consid-ered deficient, however,in not addressing this unique Core damage frequency estimates resulting from LOSP sequence. LOSP-initiated accident sequences are the most domi-nant internal event sequences for both Bmnswick units in addition to the foregoing, tte wird risk screening as estimated in tic BPRA. Table 2-9 provides a com-assessment appears deficient with respect to the foi, raison of the core damage frequencies estimated cut-lowing threeitems: rently in the PRA compared to the revised estimates assuming that a 90 mph wird causes LOSP (recovery probability of offsite power is assumed identical for all
- 1. The data base for establishing wind return cases),
frequency was identical to that used for exter-nal flooding and appears inadequate (see Sec-tion 2.6.5.2 for details),
Table 2-9. BPRA ard revised wirxlcore damage frequency estimates
- 2. The basis for assuming that the switchyard, transformer yard, and relay house are able to CDF from LOOP Total CDP withstand winds up to 50% above the design wind (90 mph)is not given and appears ques- Unit BPRA Revised BPRA Revised tionable.
I 6.75B4 1.86 & S l.15&4 1.22FA
- 3. Tiere is no discussion in the PRA regarding 2 7.60 & 6 2.09Fe5 1.13 & 4 1.26 & 4 the possit<lity that non-seismic Class I struc-tures could fail and cause a failure in seismic Class I buildings which house most of the safety equipment
- The revised total CDFs represent about a 7% and Il% increase, respectively,in the CDFs for units I ard 2 over that currently estimated in the BPRA. These in-With respect to the first item, while the site-specific creases are not significant given the uncertainties asso- I data base appears inadequate, the wird retum frequen- ciated with the CDFs.
2-37
De third item (failure of non-seismic Class I struc- or industrial accidents, or why only Sunny tures from wird loading) was not examired in detail. Point accidents were considered.
However,it appears the off-gas stack is the only non-r,cismic structure which has a significant potential for 2. Details supporting the explosion-induced failure of seismic Class I buildings. Based on exami- missile frequencies given in Table 5-1 are not nation of the plant during the tour,it does not appear, provided. 'Ihe origin of the values in tte table due to relative locations, that the stack failure would is stated to be from evaluations "...in the cause additional critical failuies. However, lack of BSEP Preliminary Safety Analysis Report consideration of this failure mode, as well as possibly (PSAR) and supporting material." Tte BSEP others involving non-seismic Class I structures, is is now some 20 yrs, old.M considered a deficiency in the BPRA study.
- 3. The basis for considering detonation of 20,000,000 lbs of explosives (from collision A comparison was made between the Brunswick re- of two munition transport vessels) to be an sult ard results from other PRAs which examined core upper bound explosion is inadequate. The damage frequency from wind-initiated accidents. BPRA only stater that such an accident "...is Some 13 such PRA studies exist, ard de core damage believed to be an upper bound,"(Page 5-1).
frequency for wirds range fro n <lE-9 to 4.3E-5/yr d to six cases, the core damage frequency was greater in reviewing cunent methodology and data for eva-than IE-6 (the probability level which a ould begin to luating extemal event ri:1s as provided in Reference make a contribution to the CDF for BSEP). In the six 24, no explicit consideration of industrial or military cases where 'vinds were found to be a contributor to accidents was found. However, near-site explosion CDF, >.le major failure mecnanisrns appear to be dam- har.ards are examined in Chapter 6 under transporta-age resultinf, from collapse of off-gas stacks, or failure tion accidents. In this chapter,it is stated that Reg.
of 2he DG exhaust stacks. Neither of these failure Guide 1.91 provides that if tic peak positive incident modes are discussed in the BPRA. As noted above,it overpressure is below a value of one psi, the explosive does not appear that the plant stack is a potential prob- accident is not considered a threat to the plant. Fur-lem. *lhe plant was not examined to ascertain the pos- thermore,if the one psi criterion is met, dynamic pres-sibility of DG exhaust failure. su re, bias t-indu ce d ground m otion, and blast-gererated missiles do not require further study.
2.6.5.3.7 Conclusions-The assessment of For comparison, data from the BPRA (Figure 5.1) core damage risk in the BPRA from high winds is con- shows that the 20,000,000 lb explosion only produces !
sideredinadequate. A revised CDFestimate consider- about 0.55 psi of overpressure. (The origin of ing LOOP at the design basis wind produced a small Figure 5.1 is not specifically identified in the BPRA, increase in CDE Revisions to account for the other ap- but appears to be from the Preliminary Safety Analysis parent deficiencies could not be accomplished with re. Report).31 sources available for the review.
Industrial and military accidents have not been found to be important risk contributors in any known 2.6.5.4 industtfal or Millfary Facillfy Acci- PRA studies. This is consistent with the conclusions denf. In this section of the BPRA, only munition ex- of Reference 24. Furthermore, no unique or utrasual plosions associated with shipments to the U.S. Army aspects of the Brunswick site would suggest that these
! Military Ocean Terminal at Sunny Point, approximate- accidents would be significant. (For example, as indi-ly three miles from the site, are considered. It is con- cated in Refereace 24 Table 6.3.1, no commercial cluded in the BPRA that neither explosions not pipelines, railroads, highways or marine routes i explosion-induced missiles (including bombs impact- traverse the Brunswick site),
l ing site buildings) from Sunny Point are significant 2.6.5.4,7 Conclusions-It is concluded that risk contributors for Brunswick.
the BPRA evaluation of industrial and mditary acci-
. . dents is deficient in several respects as detailed in the The BPRA analysis of industrial or military acci- preceding discussion.
dents was found to be deficient in several respects, the more significant of which appear to be the following: 2.6.5.5 Internal Fire Analysis. According to Section 6 of Vol. 3 of the DPRA,it was concluded that,
- 1. Only military accidents at Senny Point are on the basis of a screening fire analysis, a more de-considered. The BPRA assessment does not tailed analysis was required. This analysis was indicate what,if any, evaluations were per- performed and documented in a separate report.30 fermed to screen for other potential military This report indicates (see also Table 2-6 preceding) 2-38
that intemal fire-initiated core damage accidents were Unit 2 in November 1975). Le actual fire data is found to be substantial contributors to the overall CDP. not provided in tie fire risk analysis report (Ref-For Unit 1, de core damage frequency was found to be crence 30). During a meeting at the BSEP site on 5.5&5/yr (contributing 42% to the CDF) before Ap- August 25,1988, BSEP personnel were asked if pendix R modifications, and 1.955/yr (21% contribu- the fue frequency data showed any trending with tor)after the modifications. For Unit 2, the time. Personnel at BSEP said the fire frequency corresporviing contributions were estimated to be had deftnitely decreased with time, but no quanti-6.S&5/yr(49% contributor) ard 2.1&5/yr (23% con- tative estimates were offered. The BSEP fire tributor). 'Dese contributions are second only to seis- analysis does not account for any such trends.
mic-initiated core melt sequences. They are also Thus, based on all of de fires reported since com-essentially equivalent to tie total contribution from all mercial operation began, assuming a constant fre-internal events (2.565/yr for Unit I and 2.1&5/yr for quency during future operations appears to be Unit 2) assuming completion of Appendix R modifica- comervative. Since the fire data has not been ob-tions. Due to this significant contribution, and the fact tained and reviewed, the extent of this conserva-that tie fue risk methodology as embodied in Refer- tistu has not been quantified.
ence 30 is somewhat innovative, a substantial portion hrbine Building Firts, hrbine building fires of the external event risk review was concentrated on the fire risk evkluation in the BPRA.
o &MhMMW to fire risk is negligible (es'timated to be 2.5B-8).
This assessment assumed that the worst conse-
%e first part of tic review, consistent with the re- quences of a fire in the turbine building would be view approach described .9 Section 2.6.2 preceding, loss of offsite power to the emergency buses and consisted of reviet<ing tie Brunswick probabilistic fire tie loss of DO auto start capability. %e frequen-analysis for consistency, completeness, and credibili- cy of such a fire was estimated to be SE-5/yr.
ty.30 The methodoingy employed in the fire analysis This was combined with the diesel failure rate of consisted of a four parameter model which included: 5&4 (from the internal events BPRA study) to (1) calculation of fire ignition frequencies for each obtain the overall CDF contribution. However, plant tone ofinterest,(2) calculation of fire growth the 50w4hiemand rate is for failures under auto-and suppression probabilities,(3) evaluation of fire- start conditions. Marmal start, which would be re-related equipment damage in each rote, ard (4) calcu- quired for the scenario being evaluated, could lation of core damage probability given unavailability have a much higher failure probability due to hu-of fue-damaged equipment. His approach appears to man error contributions. Conservatively assum-be logical and consistent, ard generally equivalent to ing an error rate of 0.1 would raise this CDF contemporary fire risk assessment methodology, as contritution to SE-6/yr, still not a significant coa.
will be explored in some detail in the latter part of this tributor, but above the BPRA screening cutoff section. The innovative or unique features of the mod- value of IE-7.
el, compared with other fire risk assessments, are stated in the BPRA to be:(a) use of plant-specific fir 2.6.5.5.2 Fire Growth and Suppression-ignition data rather than a generic data base, (b) use of Several deficiencies and questionable aspects of the elemental fire ignition frequencies coupled with a fire growth and suppression analysis were found, as comprehensive model for fire growth and suppression, follows:
ratler than merely using large fire frequencies. (c) pro-babilistic treatment of the automatic fire suppression Model. Appendix D of the BPRA provides the systems, and (d) development of a fire barrier failure fire propagation and flame temperature snodel model to account for fire barrier failure probabilities as used in the BPRA. However, neither the origin a function of fire barrier type and combustible type, nor derivation of the modelis given in the very Aspects of each of these features will be examined in brief description. Further, no indication is given this review. of any verification information which might be available regarding the model. This model ap-2.6.S.5.1 Fire inittsfors pears to be quite important in establishing the ti-me/ temperature relationships used to assess the Fire Data. he BSEP fue risk analysis uses plant frequency of equipment damage. Thus, the study fire data to estimate future fire frequencies. Ac- is considered deficient in not providing at least a cording to the analysis, a total of 175 fires have reference to the origin / source of the model.
been reported during plant operation since the two BSEP units have been placed in operation (Unit I Conservatisms. The BSEP fire growth and sup-began commercial operation in March 1977 and pression models contain several assumptions 2-39
which are claimed to be conservative, in no case, on August 25,1988, only one small scaffold was
- however, were the quantitative (or even quaiita- noted in the many plant areas visited. However, tive) influence of the assumptions estimated, as indicated on Page 5-5, supported with the sen-Since conservatisms can produce unrealistically sitivity results in Table 5-3 of the fire risk study, high CDFestimates, and distort the plant risk pro- the probability of scaffolding being in a fire zone file (especially for a major CDP contributor such has an insignificant effect on the overall CDF, as fires in the case of the BPRA) these assump-tions were examined in an effort to determine Regarding the assumed cable damage ternpera-their significatce, as follows:
ture threshold (7007) for 20 s paint tlunnes fires, According to Page iv of the BSEP fire risk the significance of tids assumption could not be study, the fire growth model used " bounding as- readily determined from information in the BSEP sumptions in areas where there is no accurate ana, report. However, based on the high probability of lytical basis for calculation of such (fire successful manual suppression of paint thinner propagation rates and suppression) probabili- thes (0.95, the highest probability assigned for ties.30 The core damage frequencies predicted in any combustible, Appendix F, Page F-3), it does this report are thetefore conservative " la ex- not appear that this assumption has a signi6 cant amining these elements of the model, no apparent conservative effect on the overall CDF result.
conservatisms were found in the suppression (The general assumption of the 7007 damage probabilities used (either manual or automatic). threshold for cables is evaluated in Section The manual suppression probabilities were 2.6.5.5.5.)
derived based on the collective judgement of plant fine protection personnel. There is no ind1- Regarding the lube oil spill probability, this al.
cation, either m the main report (Page 2-8) or m, leged conservatism does not appear significant -
Appendix F (Characteristics of Combustibles based on the sensitivity results presented in Sec.
Analyzed in This Study) that any deliberate at- tion 6 of the BSEP fire risk study. According to tempt was made to produce conservative esti- Table 5-3, a reduction in the probability of oil spills by a factor of 5 would reduce the overall j mates, and the values used do not appear to contain any conservative bias. The automatic CDF by only about 10%.
u suppression reliability (0.025/ demand for the A conservatism assumption has been made and Qd C
sprinkler system) is based on a fault tree evalua-tion which is presented in BPRA Appendix C.
is stated on Page 25 that "all ignition events in a zone could ignite all combustibles in close prox-This evaluation does not describe or appear to imity within that zone." 'this assumption appears contain any obvious conservatism. reasonable, and not necessarily conservative, de-The fire propagation rate model is described on pending on the meaning of"close proximity,"
page 2-6 and the flame model is given in Appen- which is not defined.
dix D. 'the Appendix D model description does On Page 3-5, it is stated that use of the fire wa.
not contain any indication of conservatism. (In ter system to provide altemative core make-up fact, lack of any information relative to the origin was conservatively not considered for service wa-and derivation of this model is considered a defi-ter building fires because the scenario presup-ciency in the BSEP fire study as discussed in the poses loss of the sprinkler system. It is pointed following part of this section). Section 2 does out that some failure modes of the service water contain liuee alleged conservatisms: (1) on Page buildmg sprinkler system could leave other por-2-6,7 it is stated that a 50% probability was con-tions of the firewater system operable. 'Ihis is a servatively assigned because scaffolding would conservative assumption. However, as pointed be stored in a fire zone. (2) on page 2-7, it is out in Section 4.0 of this document, service water <
stated that the assumption of a probability of 1.0 building fires contribute only 1.7% to the core for cable damage upon reaching a temperature of damage frequency before Appendix R modifica-7007 for paint thinner fires is conservative be-tions, and 15% after the mods. Thus, this assump-cause the fire would only last 20 seconds. (3) 0.1 tion would have an upper bound effect of was conservatively assigned to the probability reducing the CDF by 15%, not a significant re-that 25 gallons of tube oil would be spilled in a duction in view of the uncertainties.
fire zone.
In summary, it appears that the alleged conser-With respect to the scaffolding, the assumption vatisms in the fire growth and supprd sion models does appear conservative. During the plant tour are either nort-existant or not significant.
2-40
2.6.5.5.3 Combustibles-The study assumes cable at BSEP meets IEEE 383. The relationship (Page 2-6) that 25 gallons oflobe oil must be spilled from Reference 25 illustrates that cable failures for ignition to tale place. No basis is provided for this are very sensitive to ternperature, time at temper-volume of oil, and no equivalent number could be ature, and type of cable,in view of these compar-found in the literature examined for diis review. The isons,it appears the BSEP failure te'nperature BSEP fire safety study is considered deficient in not threshold of 700 F is reasonably curaistent with providing a basis for this assumption. In view of the other studies, and is probably acceptable.
fact that the probability of the existence of oilin the Service Water i umps. According to Page 3-4,
- fire zones does not have a significant impact on tie re.
"A hrge fire in the service water building is con-sults,it is not expected that this assumption would be servatively assumed to fail all five service water particulary important to the results. Ilowever, a defini-tive conclusion could not be established in this regard. pumps that supply a unit." This is obviously a conservauve assumpuon. Ilowever,it is not con.
2.6.5.5.4 Propagsflon/ Fire Barriers-On sidered to be overly significant. The service wa-Page 5-3 it is stated that the fire barrier failure proba. ter pumps are not separated by fire barriers, and bilities are conservative, but the effect is not quanti. would be susceptible to common cause failure re-fled. Ilowever, based on sensitivity studies contained sulting from fire damage, such as loss of electrical in Sectc 5, reduction in fire barrier failure probabili. power, loss of room ventilation, etc. Further, hot ties by a factor of 10 has an insignificant effect (about gas and smoke damage would be expected to a factor of 2)on the overallCDE readily spread among tic pumps.
2.6.5.5.5 Damage Model 2.6.5.5.6 Miscellaneous-Table 2-8, starting on Page 2-24, lists the major assumptions in the BPRA Cable Damage. The BSEP study assumes (Pg fire risk study, and provides justification for some of 2-7) that tie threshold of cable damage is 700*E them. llowever, for assumptions 11 through 18 the If flame temperatures greater than this value were justification column is left blank (although in a few computed to occur at the ceiling, the probability cases, some justification appears to be included witl in of cable damage was assigned 1.0. If the calcu- the assumption description). Although norr of these lated 0 (temperature was less than 700 F), a value assumptions appear to be particularly significant or of 0.05 was assigned "...because it represents a questionable, the BSEP fire risk study is considered commonly used lower bound of uncertainty in deficient in not providing a definitive justification for probabilistic analysis." No basis is provided to these assumptions.
justify the selection of the 700 E Three other sources were examine <! in an attempt to verify the 2.6.5.5.7 Compartson with Other Sfu-selection of 700 E 'lhe first is a comprehensive dies ~lhe rext part of the review consisted of com-assessment of fire risk methodologies atx! issues paring the overall BSEP fire risk CDF result with recently completed by Sandia National Laborato- similar results from other studies. 'lhe sources for ries.32 This Saxxiia document indicates (Appen~ these comparisons were the BSEP report itself, which dix A, Page 25) Sarxtia tests show that tie cable contains some comparisons, the six PRAs completed damage threshold temperature was 623K (600 F). under NRC sponsorship in support of the resolution of The second source was Reference 31, in which a Unresolved Safety issue - Decay lleat Removal cable threshold temperature of 760*F was used, (References 25,26,33,34,35, and 36), arx! finally a without any indication of the basis for the value.32 report on extemal event risk assessment methodolo-
'Ihe third source was the recent NRC case studies gies.2.t The comparison also included anidentification completed in support of resolution of Unresclved of fire locations which were the significant contribu.
Safety issue - Decay ifeat Removal. In these stu- tors to CDE 'Ihis comparison was accomplished to es-dies, typified by Reference 25, a time at tempera- tablish if the BSEP study was consistent, both in ture relationship was used to establish cable estimated CDF as well as important fire locations, with failure criteria. The relationship also considers other studies. The results of this comparison are pro-both unqualified and qualified (IEEE 383) cable. vided in Table 2-10. The comparison also includes The faih,re temperatures range from 7 min at (fourth column) the results of an effort by Sandia Na-418*F for unqualified cable to 3 min at 958 F for tional Laboratories 32 to requantify or update the fire qualified cable. For the BSEP-assumed threshold risk results from four of the PRAs based on:(a) revised of 700 F, the uncpudified cable would last about 1 fire initiating data; (b) revised fire growth modeling; min. and qualified cable about 10 min. Accordg (c) revised fire suppression data; and (d) updated infor-to Table 2-8, Page 2-26 (Item 19)"important" mation on damage thresholds for cable insulation.
2-41
y
- !i I
Table 2-10. Comparison of CDP resuhs between the BSEP fire risk study and otler PRAs i Plant g CDF Update Fire Locations Ref.
Limerick BWR 2.3B-5 1.5E- 4 CRD'uydraulic equip. 37,4' +
Rm.,13kV switchgear Rm.,safeguants access Area, general equip, room
' hxtian Pt. 2 PWR 1.4 & 4 3.2B-4 Switchgear room, 37,4 Electrical tunnel, Cabl: spreading room Oconee PWR 1.0E-5 2.0E-5 Cable shaft, 37,4 Electrical equip. room ,
Seabrook PWR 2.2E-5 4.0 6 5 Control room primary 37,4 s Component cooling water Pump area Zion PWR 1.8B-5 NA (undetermined) 4 I
' hulian Pt.-3 PWR 9.6E-5 NA (undetermined) 4 Big Rock Pt. PWR 2.3B-4 NA (undetermined) -4 Milestone-3 PWR 4.8B-6 NA (umletermined) 4 Cooper BWR 1.lB-5 NA Cable expansion room - 14 l
Pt. Beach PWR 3.3B-5 NA Aux. feed pump room, 12 Controlroom ANO-1 PWR 5.8B-6 NA Cable spreading room 13 Quad Cities . BWR 1.3E-5 NA Controlroom 15 Cable spreading room St. Lucie BWR 4.4B-5 NA Cable spreading room 10 Tbrkey Pt. PWR 7.5E-5 NA Cable spreading room 9 Brunswick (a) BWR 3.844' NA Controt room, 39 5.1B-5b NA Cable spreading room, SWS intake structure, DG building basement Brunswick (b) BWR 5.8E-4' NA Controlroom 39 6.8 L 56 NA Reactor building SWS intake structure
- a. Based on plant configuration at time of the BSEP fire risk analysis.
- b. Based on plant configuration after implementation of Appendix R modifications.
2-42
Table 2-11. Review results of BSEP fire risk analysis Area Issue Conclusion
- 1. Fire initiators a. Fire Data Data does not account for declining fire frequency.
- b. Turbine bldg Fires Requirement for manual diesel start not considered.
- 2. Fire growth & a. Model Origin basis, arxi verification of suppression model not included.
- b. Cornervatisms Numerous stated cornervatisms non-existant or not significant.
- 3. Combustibles a. Oil spill No basis for ignition requirement of 25 gallons.
- 4. Propagation a. Fire barrier Conservatism not significant.
- 5. Damage malet a. Cable damage No basis for 700 F assumed cable damage threshold, assumption probably ok.
- b. Service water pumps Alledged conservatism not significant.
- 6. Comparison a. CDP liigher than 15 other PR A w/other studies results before mods; at upper emi of range but higher than othe: BWRs after mals; consistent with Samlia requantification of selected results,
- b. Fue zones important fire zones consistent with other studies.
- 7. Methodology a. Contml system Did not consider; probablycomparison interaction not significant.
- b. Adequacy of fire Partially consideied; not barriers significant.
- c. Seismic / fire Not considered,
- d. Manual fin' Partially considered. suppression
- e. Total environment Not considered; probably equipment survival not significant.
- f. Analyticaltools Could not be evaluated since origin, basis, and verification of model not given.
2.6.5.5.6 Conclusions--A summary of the analysis. The more significant of these ap-conclusions from a review of the BSEP fire risk study pear to be; is provided in Table 2-11. The table identifies issues examined in the review and the conclusion. . 'unbines are considered susceptible to failure only from submersion of the turbine lubrica-2.6.5.6 internal Flooding. The BSEP internal tion or control oil subsystem (Page 7-2).
flooding risk assessment is presented in Section 7.
Vol.1. The results indicate that the core damage fre.
- 90% fall back for failure resulting in small quency from internal plant flooding is 5.lE-6/yr, spray pattenn (Page 7-2),
applicable to both units. As indicated in Table 2-6, this represents about a 4% contribution to the total CDF for each unit. The major contribution to the flood
. 60% of water carried away duough analyzed risk is flooding in the service water intake structure. How patim for large spray panenu.
Flood sequences at this location contributed 4.5F4/yr (88%) to the total.
- Leakage from service water system pump seal failures are assumed to ir within pump e The PRA internal flood assessment was discharge capacity.
found to be generally logical, consistent, and compreheruive. The only important deficien.
- Leakage through doorways leading from cy foum! was a lack of basis provided for sev- cable spreading room to battery room and .
eral assumptions and data employed in the bree7cway is assumed to be 10 gpm. )
l 2-43
- Pipe failure rate is: 8.0E-Il!b-ft values seem inconsistent with existing data sources
(>.Nn)(Page 7 -31). Tic data for which no bases are provided are:
- 8. dbl 0/lort
(<3in)(Page 7-31). e Tank car rupture frequency = 2.6E-4/yr.
- Flange / gasket failure rate is 6.0E-8/h (Page e Valve and pipe mpture Irequency = 7.1 E-4/yr 7-3!). (<3 in. diameter).
e ' Operating h per yr are 5256 (Page 7-31).
- Human error probability during tank car con-nection = 1.054/yr (note: the resulting hu.
Most of the above assumptions are reasonable or are man car contrRmtion is given as 1.7&4/yr not particularly significant to the overall analysis, on pg. 8-2. This is an obvious error, and
{
. However, tic PRA is considered deficient because it should be 1.7E-3/yr, which is the value used does not provide any basis for the assumptions and in the final quantification).
data.
. Single contml room IIVAC damper failure to it should be noted during the plam tour, a plugged close = 2.5E-3 (per demand).
drain was noted in the Unit 2 RHR pt.mp room (north).
However, this does not appear to have any influence on e Dependent failure beta factor for dampers =
tle PRA results, because credit does not appear to have 0.04 (said to be appropriate for motor-oper.
been given for drains in the RHR rooms, ated valves).
A comparison was made with remnt PRAs which e Number of transients per yr = 10.
have included intemal flood risk assessments. The re-sults from these PRAs are summarized in Table 2-12. The foregoing data values were compared with al.
temative data sources to ascertain their validity, No Not much can be made of these comparisons except matboua foM car mptum fmqwmy cd that the BSEP result is somewhat unusual in finding a "" Y ' " 8## ** * ** "* '
significant contribution from intemal flooding, al- unhennore,it woq" han to k incread over tluce i though the result is considerably less than Point Beach. niers of magrutude m order to become a contributor to the overall CDF for Brunswick. -
In summary,it L .oncluded that although the BPRA Regarding pipe and valve failures, the PRA does not is deficient in the analysis of intemal flooding due to provide individual failure rates. However, a 100 ft omission of the basis for several assumptions and data langth of pipe is assumed in the PRA (Page 8-2). If the values, it is not expected that intemal flooding events at the plant would be a significant contributor to risk. pipe failure rate used elsewhere in the report (t W10/h/ft as indicated on Page 7-31) is used, the pix failure contribution would be 2.6.5.7 Release of Chemicals from Onsite Storage. The core damage frequency from release of (SW10/h/ft)(8760h/yr)(100ft) = 7E-4/yr, onsite chemicals is screened in Section 8 of the PRA.
The screening assessment concludes that the only po-leaving a contribution of 1E-5/yr for valve failure.
tential risk from onsite chemical release is due to re-
.lhe pipe rupture probability is consistent with data in lease of chlorine which is stored in a railroad tank car Reference 38 which gives a value of between 2.6E-4 arx!is used to control bio-fouling in the circulating and service water systems. It is concluded that the core and 7.854 for pipe between 3 and 10 in.,100 ft long.
damage frequency from onsite release of chlorine is However, manual valve failures appear to be higher based on other failure rates. Reference 39 gives values 2.4E-9/yr, which is negligible.
of 8.76&4/yr(Millstone 3 PRA) and 4.3E-3/yr (NRC l 1 REP data) for manual valves " transfer open" failure i The PRA assessment of chemical release risks is mode, and Reference 35 gives values between 1.8E-4 considered reasonable and credible in terms of the and 1.8E-3/yr for the "extemal leakage" failure mode methodology employed. However, the assessment is based on reported valve failures at nuclear power considered deficient in not providing the basis for sev- plants. For screening purposes, a value of 4E-3/yr will eral failure data values used, and furthermore, some be used for the requantification which follows.
1 2-44
Table 2-12, Comparison of core damage frequencies due to internal flood Plant Reference CDF-Intemal Flood Quad Cities (BWR) 15 Not significant ANO-1 (PWR) 13 Not significant (no sequences >lFM)
Cooper (BWR) 14 Not significant (no sequences >lE-6)
Turkey Point (PWR) 9 Not significant St. Lucie (PWR) 10 Not significant Point Beach (PWR) 12 7.66B-5/yr (loss of service water pumps)
De human error probability is difficult to estimate where:
without information on the actual actions to be per-formed, availability of written procedures, number of it f.CR = the frequency of a large release of people involved, and supervision and checking onsite chlorine, which is estimated employed. However, it is estimated, based on infor- at 2.2E-2 in the requantification masion in Reference 15, that the human error probabil- compared with 2.7E-3 inthe BPRA, ity could be closer te IB-3 rather than lE-4 (no basis given for this value in the EPRA, as noted above) as Poi = the failure of the controlroom used in the PRA. Thus, IE-3 was used as the screen- HVAC,whichis estimated at 2.5PA ing value in the requamification. compared with 1.0E-4 used in the DPRA, asul The damper failure to actuate (2.5E-3/ demand) is Pco = the probability of core damage oc-consistent with the generic value from Reference 38.
curring before relief personnel are able to reenter the control room, es-he beta factor for dampers used in the PRA (0.04) timated at 9E-3 which is obtained is stated to be based on a beta factor for MOVs. This by dividing the number of transients value was compared with data from three sources. For per yr(10)by the total number of 8 motor-operated valves, Reference 28 gives a value of h periods in a yr (1095). This same 0.0423, Reference 40 a value of 0.08, and value was used in the requantifica.
Reference 41,0.049. These values are reasonably con- tion.
sistent with, although somewhat higher than, the PRA value. However, tiere is no obvious reason to expect Using the above revised values yields:
that motor-operated valve beta factors apply to damp-ers. For screening purposes, therefore, a value of 0.1 CDF = (2.2B 2)(2.5S-3X95-3) = SE-7/yr.
was used in this requantification, which is consistent with generic component beta factors recommended This result is an insignificant contributor to core and used in References 28 and 40. damage frequency given tie overall CDP result in tic PRA.
The number of transients assumed (10 per yr)is somewhat conservative but consistent with Reference 4 did not consider onsite chlorine releases, so no methodology evaluation could be made.
Reference 41. For screening purposes, it was used m tie sequanitincadon.
One other PRA was found which evaluated onsite chlorine release 21 In this case, the risk contribution With the above changes, a requantification of the was found to be insignificant, consistent with chlorine release risk was performed. The result, using the BPRA result.
the same nomenclature and formula in the PRA is:
In conclusion, the BPRA was found to be deficient because it did not provide the basis for data used in the CDP = fn.cs
- Pno Pco, evaluation. Further, some data values did not appear to 2-45
be consistent with attemative sourcrs of information. and provides a conservative overall estimate of rist.
= However, the overall conclusion, that onsite chlorine which is insignificant compared to the overall release is not risk significant,is confinned even though plant CDR a requanitification produced a higher CDF estimate.
Reference 24 did not consider turbine-generated 2.6.5.3 Transportaflon Acc/ dents. The risk missiles, so no evaluation of the melluxlology could te from transportation accidents is given in Volume 3, made.
Section 9, of the BPRA. The only hazard considered is explosions from transportation of explosives, cither by A PRA has not found turbine-generated missiles to rail, road, or waterway (Cape Fear River). It is con, provide a significant contribution to risk.
cluded in the BPRA that the risk from transponation accidents is negligible. 2.6.5.70 Selsmic Activity. The seismic risk analysis is presented in Section 11 of tie BPRA, The The transportation accident assessment is consid, mean annual core damage frequency for each unit cred to be adequate atx! the conclusions valid. While from seismic events is estimated at 6.6E-5/yr. This release of toxic materials was not considered, the frequency is a mrdor contributor to the overall core assessment of onsite chlorire releases, found to be in, damage frequency, contributing over 40% for each signiacant as indicated in Section 2.6.5.7, appears to unit. Ilowever,it is stated in tlx smnmary section of bound the hazard potential from offsite sources. No the report (Sect.12) that "It is fully expected that with basis was provided for the conditional probability (0.1) more refined ongoing and plarmed analyses of seismic of truck munitions explosion given that a truck has an events, the core damage results will be significantly re-accident on the site, However, this value appears rea- duced."(Page M3.9-1 of Vol. I also indicates that sonable, and would have to be signi6cantly increased "More refined seismic analysis is planned.") The first to cause this hazard to become a significant risk part of the seismic review consisted of two general contributor. areas; review of the development of the seismic hazard for the site and a brief examination of tic BSEP equip-ment fragility estimates. This is followed by a com-
'lhe methodology employed in the PRA is consis-tent with that recommended in Reference 24 parison f the methodology with contemporary sources, and finally a comparison of the seismic CDP (Page 6-52). However, the truck accident rate used in estimated in the BPRA with results frnm other PRAs.
the PRA,5.067/mi-yr (it appears the unit should be
/mi) is not consistent with the average accident rate given in Table 6.A.6.1 (Page 6.A-57) of Reference 24 2.6.5.10.1 Selsmic Hazard of 2.48E-6/mi. This would raise the truck accident . .
Seisnue Hazard Curve. The seismic hazard at frequency calculated in the PRA by approximately a BSEP was developed by Dames and Moore. The factor of 5, giving a frequency of tmck explosions on the BSEP access road of SE-7/yr, still below a level dec llement zone assumpti n was adopted as pro; viding "a norm for the scismic hazard at BSEP which would make a significant contribution to the ,
(Page 11-10). Two attenuation models were then overall CDF. ,
assumed, the Campbell attenuation hypothesis which provides "the upper bound to the hazard",
Of the some 20 PRAs which have evaluated extemal and the AID attenuation assumption. The BPRA events, none are known to have found transportat on
, thus uses two seismic hazard curves developed accidents of sigmficance.
for the Camptell and AID attenuation hypothesis.
Each of these curves was assigned a 0.5 probabili-It is concluded that transportation accidents are not ty of accurately characterizing the seismicity of a significant risk contributor to the BSEP. the BSEP site. 'Ihe BPRA states that these seis.
mic hazard curves are "in line with" seismic haz-2.6.5.9 Turbine-generated Affssiles. Plant ard characteristics for other eastern sites (Page risks from turbine-generated missiles are evaluated in Il-10), and "...are judged to be conservative and Section 8 of the PRA. It is concluded that the probabil- bound the hazard spectrum." These characteriza-ity of CDF from turbine-generated missiles is no tions are apparently based on comparisons with greater than IB-7/yr. various seismic hazard data developed for other eastem nuclear plant sites, namely the Limerick,
'Ihe turbine-generated missile assessment in the Shearon Harris, and Vogtle plants as provided in PRA appears sound and reasonable. The methodology Table i1-2 of the BPRA. These data were plotted appears logical. The assessment is screening in nature, to provide a more definitive comparison with the 2-46
b L
L BPRA hazard curve, and the results are shown in and the BPRA provides an ovemil fragility curve '
Figure 2-11. his comparative plot indicates that for this damage state.
the Brunswick hazard ct:rve is not demonstrably conservative with respect to the other data, and it The hrst part of the requantification process in-is arguable if the Brunswick curves are "in line volved combining the two BPRA scismic hazard with" the other curves. If added weight is given o curves (cach with an assumed 0.5 probabillty) the Vogtle and Shearon Harris curves, since they with the BPRA fragility curve for plant damage are much closer to the Brunswick site than Limer- state 1 A (Figure 11-6, Page 11-61) in order to ick it appears that the two Brunswick curves have validate the requantification process and confirm return frequencies a factor of two to three lower in the BPRA result, nls exercise produced a result the acceleration region of interest (from 2xSSE essentially identical to the BPRA estimate level to 4xSSE level). (4.8B-5). Next, the LLNL arithmetic mean scis-mic hazard curve from Figure 2-12 was com-bined with the BPRA fragility curve for plant To further evaluate the BPRA seismic hazard damage state 1 A (Figure ll-6, Page 11-61). This characterization, comparisons were made with process resulted in a core damage frequency for two recent sources of seismic hazard information plant damage state 1 A of 4,7Fe-4, about a factor of for the BSEP site, both of which were published 10 greater than the BPRA rcsult, his result sug. .
after the BPRA was completed. De first was de- gests that use of the LLNL arithmetic mean seis-veloped by the Lawrence Livermore National mic hazard curve for the BPRA analysis would Laboratories (LLNL) under NRC sponsorship.42 increase the overall CDP fr'om seismic initiators Figure 2-12 shows the LLNL estimates for the about a factor of 10. Use of either the LLNL 50%
Brunswick site compared with the BPRA Camp- or the "best estimate" curves would produce re-belland A1Dattenuationcurves. Asillustratedby sults similar (probably within a factor of 2 to 3) to the figure, the LLNL 50% curve is very similar o the BPRA estimate, the BSEP AID curve, and the LLNL Best Esti-mate curve compares well with the BPRA Camp-The EPRI hazard curve was also employed in bell curve. However, the LLNL arithmetic mean the requantification prccess, also using plant is considerably higher than either curve. He seg damage state 1 A. This resulted in a CDF of and hazard curve was developed by EPRI, and is 1.7E 5, about a factor of 4 lower than the BPRA plotted in Figure 2-13 along with the BPRA resuhs.
curves.43 Both the EPRImean and median (50%)
curves show a lower hazard than either of the BPRA hazard curves. To establish the potential It should be emphasized that these CDf com-significance of these alternative hazard curves, a parisons using the EPRI and LLNL hazard curves crude requantification effort was undertaken, are only crude estimates to provide an indication This effort involved requantifying one of the of what the rough significance of the differences BPRA plant damage states utilizing the LLNL might be. Such comparisons should nonnally in-arithmetic mean curve and the EPRi curve, clude the effects of the response spectra asso-ciated with the hazard curves, and also should include building amplification effects and build-he BPRA seismic risk evaluation does not in. ing and component frequency responses. Howev-clude any discussion of response spectrn asso, er, since none of this information was provided in ciated with the hazard curves, nor does it evaluate the BPRA, it could not be included in these esti-mates, potential building amplification effects. Further, the assessment does not provide any building fre-quency response information. Thus, none of Potential Faults. On page 11-5 of the BPRA it is these factors cold be evaluated in the review or stated that Shaler and Ferenczi have suggested the in the requantihcation process. existence of a hinge line passing about 20 to 25 miles from the site which could be a fault zone.44 The PRA dismisses this potential by stating that The BPRA segregated the overall CDF into "... existence of faulting along this hinge has not seven plant damage states. In the requantification been established." There is no discussion of process. plant damage state l A was selected since whether faulting evidence has actually been ex-it is one of the highest contributors to the total amined, or what other evaluations may have been CDF, contributing a mean frequency of 4.8E-5, done to dismiss this potential fault zone.
247
I i I I l i 1 N\\
\
\\
\.
\ l 10-3 - - Limerick -
\- tg (SARA Docol)
\\
S b
\s \ .
i 8
\g g l
! \
g\
$ \
\
\
E l \ '
ia \
p g \
- c. * \
t i i
\\\\ \ \ Shearon Harris - !
10-4 \ '
l \ g (UCID-20421)
I \
' \\
Brunswick -
(Cam.) g 1
\\ \ \
l \\ g \N Limerick \ - Vogtle
\
(SARA NET) I
\ s
\
(UCID 20421)
\ \\ N
's Limerick CID-20421)
Brunswick g s
\ N I
I (AID) g
\
\s s 10-5 I I \l i I I N 0 0.2 0.4 s 0.6 0.8 1.0 1.2 1.4 Acceleration (g)
Figure 2-11. Seismic hazard curves.
2-48
?(
- )
f 210 8 i s Design basis
\
, \
\
\
\
\
\
\
10 3 g -
\
\
A 'g s LLNL arithmetic mean
!m \
s
\
\
\ (\ s
! \
LLNL best s
\
\
i o estimate g 5
ze
\
N a l
- 0. wNLLNL 85% ]
N N
10-4 -
N -
N N
N
' s, N
N
- s N *s
- N BPRA CAM s
LLNL 50%m\
\ BPRA AlD g
N LLNL 15% \
s N
\
10-5 I I I
's I I 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 Peak ground acceleration (g) 9 7944 Figure 2-12. Comparison of BPRA and LLNL seismic hazard curves.
249
o>
i 10 8 l- 1 I I I I E
.R k
8 E
- k 10-4 - -
5
.8 k EPRI Mean '
EPRI 50 %
AID !
I I I
' l I 10-5 0.1 0.2 0.3. 0.4 0.5 0.6 0.7 0.8 Acceleration (g) 9 7942 Figure 2-13. Comparison of BPRA and EPRI seismic hazard curves.- !
-2.6.5.10.2 Liquefication--On page l1-6, of 2.6.5.10.3 Fragilities the BPRA it is stated that site preparations included measures to preclude liquefaction up to tie design ba. ,
- sis carthquake (0.16g). It is further stated that "No in- Relays. On page 11-17 it is stated that electrical i formation was found regarding the liquefaction relays are not part of tle review performed for the {
potential for considerably larger carthquakes." Based BPRA. 'This apparently means that relay chatter on information in Section i1, particularly 'Thble Il-8, has not been considered in the seismic risk asses-the dominant risk contribution comes from earth- sment. (No further reference could be found to
- quakea with accelerations above 0.4g, considerably this issue in the PRA), in a recent assessment of larger than the design basis. Ilowever, no further con. this issue, it was concluded that, in general, the sideration is given to liquefaction at dicsc higher accel- contribution to core damage from relay chatter cration levels in the seismic risk assessment. and related failures at nuclear power plants could 2-50
not be eliminated as a potential significant con- be conservative compared to this souice. De an-tributor.45 swer to Question #8 in Appendix A of this docu-ment also affirms this conservatism. The Loss of Offsite Power. Tne PRA states that"All significance of this conservatism was not deter-stur'ics to date indicate that offsite power will be mined as part of this review due to limited re-lost at relatively low seismic accelerations." sources. However, as noted elsewhere in this While this is a wmmon assumption in PRAs, due section, other aspects of the PRA appear to im-primarily to the low fragility assumed for ceramic Pose non-conservatisms. Furthermore, addition-insulators in the plant substation, there have been al non-conservative elements related to fragilities cases noted where substations survived rather were also found,as follows:
large accelerv.lons.* He arbitrary use of this as.
sumption without a detailed examination of the substation fragility and other vulnerabilities
- Corrosion found at anchors of instrument which may exist in the power grid and may affect rack, but not evaluated (Page 11-19),
power to the BSEP site is considered question-able. This assumption is significant because the dominant BPRA contributor to the seismic CDF e Limited walk-down could not assess the en.
is failure of the diesel generators due to the same tire hazard posed by potential systems inter-scismic event which is assumed to cause loss of actions, but several hazards were noted offsite power. (Pages 11-18,19).
Selection of Equipment for Evaluation. The PRA identifies seven pieces of plant equipment 2.6.5.10.4 System and Sequence Model-which were selected for seismic capacity (fragil- ID9--%c modeling of system and accident sequences ity) evaluation on the basis that this equipment is described in the BPRA in Section 11.3.3. Basically, was important in performing critical plant safety the loss of offsite power event tree developed from in-functions during seismic events. His equipment temal events analysis was used for all seismic-ini-was compared to a similar list developed from the tiated sequences since, as noted previously, LOSP was examination of six PRAs performed for BWRs.46 assumed for all scismic initiators of interest. New cut The lists are consistent with one exception; the sets involving scismic equipment were generated and Reference 46 list contains the condensate system quantified. Random fallares and common cause which is missing from the BPRA list. However, equipment failures not related to the seismic initiating this omission does not appear significant since event were also considered in the development of the none of the six BWR PRAs found it to be an im, cut sets. De system and sequence modeling appears portant contributor in the dominant seismic acci, to be sound and appropriate given the preliminary sta-dent sequences as described in Reference 46. tus of the seismic risk assessment.
Conservatism. As previously noted, the BPRA 2.6.5.10.5 Methodology-The overall BPRA seismic risk analysis is stated to be preliminary, gg gg g and the results are screening values (Page 12-1).
c nsiderably simplified with respect to contemporary It is also stated on Page 12-1 that the seismic rc-methodology recommended in Reference 24 and sults are " overly-conservative". Aside from the employed m other PRAs. Most other recent PRAs scismic hazard input which is claimed to be con, which have considered seismic risks have performed servative (see Section 2.6.5.10.1 preceding), the m re extensive and rigorous analyses, particularly in major source of conservatism appears to be ,
the area of plant-specific fragiliues and seismic mter-derived from what are described as conservative actions. Consideration of input resonse spectra and fragilities used in the study. This was evaluated building amplification effects are generally found in by comparison of selected fragilities with values the PRAs. None of these effects are desenbed in the used in a recent compilation of fragility BPRA' information.47 The BPRA fragilities do appear to 2.6.5.10.6 Comparison with Other Re-sults-The BPRA seismic risk results were com-
- a. Telecon, P. R. Davis, PRD Consulting, to pared to results from other PRAs for BWRs. The P. D. Smith, EQE, September 16,1988. comparison is shown in Table 2-13.
2-51
Table 2-13. Comparison of BWR core damage frequency from seismic events based on PRA tasults Plant SSE CDF- Reference Comments Limerick 0.15 4.0E-6 24 Brunswick 0.16 6.6F 5 1 Result applies to Units 1 & 2 Cooper 0.20 8.lPr5 35 Excludes consideration of large break LOCAs and ATWS Quad Cities 0.24 8.3B-5 36 Excludes consideration oflarge break LOCAs and ATWS I
%e omission oflarge break LOCAs and ATWS for 4. The methodology, data, and assumptions Cooper and Quad Cities as indicated in tie last column used in each of the ten detailed extemal event of Table 2-13 does not appear particularly significant assessments was corupared with similar in-because these seismic-induced events have not been formation from several other contemporary found to be major contributors to core damage fre- sources, quency in seismic risk assessments.
A summary of the results of the review follows.
Based on Table 2-13, the Brunswick results appear generally consistent with other PRA seismic-induced 2.6.61 Selection of Extemal Events. %e 35 core damage frequency estimates. %e BPRA results, extemal events considered in the BPRA were found to ;
however, do not appear to be conservative, as claimed, be complete and appropriate. The screening approach with respect to these other results. which reduced these 35 events to 10 events for more i detailed assessment were found, with minor excep- !
tions, to be valid.
2.6.6.10.7 Conclualons-A summary of the conclusions from a review of the BSEP seismic risk ;
study is provided in Table 2-14. The table identifies 2.6.6.2 Evaluation of Potenflal External issues examined in tic review and the conclusion. Event Risk Contributors. A generalconclusion of the review of the 10 potential extemal event contribu.
- 8 * * ***#88"#" #8"'E" **
2.6.6. Summary and Fleaults.This section pres- for a rather sagruficant number of assumptions, data, ents a summary of the procedure and results of the and other input. %e study is considered deficient in BSEP extemal event risk assessment review.
idi@ds i&Mm The review procedure consisted of four steps, as Table 2-15 provides a summary of each of tie ten follows: extemal events considered in the BSEP extemal event risk assessment. Tic table lists each initiator, tie esti-
- 1. he extemal events considered in the BPRA mated CDF from the BPRA arxt,in selected cases, the were compared with other sources, and the requantification of this estimate based on revisions initial screening procedure, which resulted in considered appropriate based on the review. The last ten events for further analysis, was evaluated. column provides a brief statement of the deficiencies found in the review of each initiator area arul provides assumptions used in the requantification procedure.
- 2. Each of the ten extemal events assessed in the Further details may be found in the preceding section.
BPRA were reviewed to determine consisten' Talile 2-15 indicates that none of the requantified cy, completeness, and credibility, De esti- assessments are estimated to have a significant influ-mated risks were requantified in selected ence on the overall result. Ilowever, in two important cases based on firxtings from the review.
areas, fire and seismic, a complete requantification was not possible due to the complexity of the issue,
- 3. The BSEP estimated risks were compared lack of detailed plant-specific data, and limited re-with results from other PRA sources. sources for the review.
2-52
Tatne 2-14. Results from review of tic BPRA seismic risk assessment Area Issue Conclusion
- 1. Seismic hazard a. Applicability of Hazard curve non-conservative curve to BSEP site with respect to other southeastern US -
sites; consistent with LLNL $0% and best estimate curves; use of LLNL arithmetic mean curve appears toincrease CDP by factor of10; use of EPRImean hazard curve decreases CDF by a factor of 4.
b Potential fault - Hinge lire near site summarily dismissed,
- c. Liquefaction Not evaluated for accelerations above SSE (0.16g). 1
- d. Response No indication of response spectrum used, r;*ctrum, amplification considerations or building I amplification response frequencies, l
- 2. Fragilities a. Relay chatter Apparently not considered.
1
- b. Loss of offsite Assumed to always occur for important seismic events power.
, c. Selection of Appears appropriate except for relays.
equipment
- d. Conservatism Elements of conservatism and non-conservatism found.
- 3. System and a. Methods used Appears adequate for preliminary -
sequence modeling asser.arnent.
- 4. Methodology a. Compared with Much simplified,less ri forous and contemporary FRA extensive than contemporary methodology.
2-53
s j
Table 2-15. Results of Brunswick PRA external events review CDF(% Contribution)
Initiator PRA Review Comments la 1. Aircraftimpact $1.067(0) Negligible Minor deficiencies found l
l 2. External flood $1.057(0) 7.857(.5) Requantification considers LOSP without recovery 6.066(4) Requantification assumes fueloil transfer pumps fail
- 3. Extreme wind $1.0&7(0) 6.75B-6(4) Requantification assumes switchgear fails at 90 mph versus 135 mph assumedin BPRA i 1
- 4. Industrial or $1.067(0) Negligible Severaldeficiencies found ;
military facility accident
- 5. Fire 5.565(35) Not No adjustment for fire data trends, 5.865(36)* determined - no basis for fue growth model, numerous minor deficiencies
- 6. Internal flood 5.lE-6(3) Insignificant No basis for assumptions and data used 7 Chemicalrelease $1.0 6 7 5.0&7(3) No basis for data, some data not consistent with other sources
- 8. Transportation <l.0&7 5.067(3) Revised truck accident rate used accidents in review
- 9. 'Ibrbine gen- <l .0B-7 Negligible erated missile
- 10. Seismic 6.6 & 5(43) Not Numerous deficiencies found,
(~7EA)b determined some claims of conservatism
(~1.7&S)* invalid,non-conservative aspects found, refined analysis said to be underway, a.These values apply to unit 2, all othervalues apply to unit 1. CDP reduction due toimplementation of fue modifica-tions are not reflected in Table 2-13 results. These modifications, according to the BPRA, would reduce the overall CDFby about 15%
- b. This estimate for CDP was obtained by requantifying the BPRA result using the LLNL arithmetic mean seismic hazard curve,Due to lack ofinformation and resnurces, this quantification was performed without coesiderating the potential effect of the LLNL response spectra and amplification factors, and thus represents only a crude approxima-tion. The LLNL 50% and best estimate seismic hazard curves are generally consistent with the BPRA curve.
- c. This estimate for CDP was obtained by requantifying the BPRA result using the EPRI mean seismic hazard curve.
! Due to lack of information and resources (see text), this requantification was performed without considerating the
! potential effect of the EPRI response spectra and amplification factors, and thus represents only a crude approximation.
2-54
- 3. DOMINANT ACCIDENT SEQUENCES
'Ib total core damage frequency for Unit 2 from ure of manual scram given that the RPS failure is in the only intemal events is 2.1E-5/yr. Six sequences have electrical portion. his equation is fre juencies greater than 1.0W6/yr and contribute 83% -
to the total core damage frequency. Seven mo:e se- C = C + C,M, querces have frequencies greater than 1.0E-7/yr and contribute 14%. The remaining 15 sequences L(H)is the single event representing failure to control contribute 3%. water level at high pressure, and SUC(UI-XI) repre-sents the success of HPCI and ADS isolation. I Station blackout sequences contribute 38% to the to- !
tal. Anticipated transients without scram sequences The third sequence, TAIC,, t with a frequency of contribute 44%. Sequences with loss of high pressure 2.46&6/yr,is the second full sequence on the ATWS injection and failure to depressurize contribute 13%. with Isolation event tree. This sequence is similar to Loss oflong-term decay heat removal sequences con- the one above except water level control is lost after tribute 4%, and all other sequences account for the the reactor is depressurized due to suppression pool remaining 1%. temperature considerations. His sequence consists of a single cut set containing terms for the initiating event The highest frequency sequence is T t ;BB3 with a freqmcy, failme of the reactor to scram, failme of frequency of 7.6E-6/yr. This station blackout se- water level control at low pressure and success of quence appears as the third sequence on the Loss of HPCI, ADS isolation and high pressure water level Offsite Power event tree. After the loss of offsite pow- contrM.
er, the reactor trips, the safety valves cycle but reclose, and tie HPCI system operates initially. Failure of DGs Sequence TsIUnX, the fourth highest sequence, has 3 and 4 to r, tart and run causes battery depletion after a frequency of 2.14&6/yr, his sequence begins with four h, at which time HPCI fails. Attempts to recover a transient that resuhs in a stuck open safety relief offsite power within five h of the initiating event fail, valve. Thus, the model for this sequence starts on the resulting in core damage. Appendix A shows that this the transient trees, results in failure of top event P, fail-sequence contairm 87 cut sets. De dominant causes of ure of the SRVs to reclose, and transfers to the Inter-failure of DGs 3 and 4 are common cause failure to mediate LOCA Inside Containment event tree. Tie l run, independent failures to run, and common cause HPCI system fails to operate and ADS fails, thereby I failure to start,in that order. denying use of the low pressure injection systems. The result is core damage at high pressure. Appendix A De next highest frequency sequence is TAICLII ailures are dommated by failure of the turbme -driven with a frequency of 2.73E-6/yr. This ATWS sequence Pump to start and test and maintenance on the pump.
appears as the sixth full sequence on the ATWS with ADS failure is entirely modeled by common cause Isolation event tree. The sequence begins with any transient that has isolation of the power conversion failur f the O-rings and other dependent failure system from the reactor pressure vessel (MSIV clo-sure). The reactor protection system fails to shut down tie reactor and manual reactor scram is not successful The fifth highest sequence,TAICU ,has I a frequency either. The recirculation pumps trip, and HPCI and of1.24B /yr. HissequenceisthetenthfuHsequae SLCS are actuated. Any lifted relief valves reclose n the ATWS with Isolation event tree. The sequence and ADS is inhibited. At this point, failure to control begins with a transient resultmg m MSfV closure, water level while at high pressure resuhs in core dam. Failure of the RPS and manual scram makes this an age. Appendix A shows that this sequence has only ATWS sequence. The recirculation pumps trip and one cut set. This cut set is SLCS begins injecting boron into the core. De HPCI system fails to operate properly resulting in core dam-age. His sequence contains 20 cut sets. De dominant T(A1)
- C
- L(H)
- SUC(UI-XI) cut sets reflect failure of the HPCI pump to stan or pump outages for test and maintenance.
T(AI)is the initiating event frequency. All failures of the RPS are grouped together into an event called C, The final sequence with a frequency greater than where Cis described by the equation for failure of the 1.0E-6/yr is TAi CC2at 1.1166/yr. This sequence is electrical and mechanical portions of the RPS and fail- the next to last full sequence on Ihe ATWS with 3-1
isolation ever:t tree. This sequence progre.:ses similar of external events to the overall core damage to the previous sequence except that the Standby Liq- frequency, uid Control System fails to operate properly, resulting in core damage. The sequence contains 6 cut sets. The The dominant accident sequences for Unit I are -
dominant cut set (representing over 98% nf the se- very similar to Unit 2, as would be expected wlen the same event tree models are used and only small differ-quence frequency) shows that failure of SLCS is due to operator failure to actuate the system, ences est ktween de two umts. W Mt I msults show an increased contribution from transients with stuck open relief salves due to tie smaller turbine by-pass capacity at Unit 1. However, based on the fmd-The dominant sequence for Unit 2 as presented ings of the general transient event tree review, several above appear reasonable and correct. Tle implications more such sequences may be appropriate for Unit 1.
of the findings of the event tree, fault tree, and data re- While these new sequences will most likely not greatly views am estimated to affect these results by less than change the overall core damage frequency, they may a factor of 2, which is not significant in light of the un- cause stuck open SRVs to be tie dominant type of in-certainty bourxis and the overshadowing contribution ternal event for Unit 1.
l l
3-2
- 4. INSIGHTS AND CONCLUSIONS i
This review of the Brunswick Steam Electric Plant
- The BPRA is a good and comprehensive Probabilistic Risk Assessment was conducted by the analysis of the risks to core damage for the INEL under the sponsorship of the U.S. Nuclear Regu- Brunswick plant. Tic study used a basic ap-latory Commission. Tic review addressed the entire proach and techniques consistent with prac-Level 1 PRA including extemal events. 'me primary tices accepted by the PRA commurdty. The purpose of tie reWew was to confinn t!e safety per- use of plant-specific data was especially spectives regarding tie dominant accident sequences appreciated.
and major contributors to accidents that were brought tolight by the PR A. To the maximum extent practical, the review emphasized the issue of completeness and e 'me documentation, while simple in its pre-the identification of modeling assumptions techniques, sentation, often lacked the basis for assump-and quantification methods which could significantly tions, data, armi models used. This severely alter the PRA results, detracted from the scrutibility and tracribility of the atulysis.
The review process included a meeting with the Brunswick staff involved in the analysis and a plant tour. The information in the PRA documentation was e Many of the key comments on the BPRA re-augmented by tie FSAR, a set of Altemate Safe Shut- late to the extemal events analysis. This is down Procedures, a set of Emergency Operating Pro- due to the overwhelming contribution that cedures, containment venting diagrams, and written tiese events make to the overall core damage responses by the licensee to questions posed during the frequency. This is not an uncommon result of plant visit. PRAs, but may be inherent in the scoping na-ture of the seismic analysis and the somewhat
'Ihe major findings of tids review are the following: conservative approach of the fire analysis.
i 4-1
M a;my:: x;;:g:p< M = y y u w * + x nany%p
&x nbh s
++ a > ;s, s r+u% ~ <,c r, n-x;_-s n
t '
Wca '
A :- .d:-
- :. -v" c. a ,
on ,
i u .,
-p , ,te s c c. ; ; 3;w u%- qc
,j s v ;
,w. 13 u.s ,^yT g :, .=^p- ,,
=
c i-uvn W. .a[4 'k y l.i,3.-Iki -+y 4 ' ss ' ' Y,1 -_4.w,-- y
, ,M d. ,-)mi m ._
n' y ( " i' c.
A -MC
,1,; i . . ; . .i r
W - y,b 1:-2i.f. . g' - e.L' .I' , .!
, -- ' ". ' y_.I'.
=.
i > .,. y -
e,~~3ya
-D P i W'_ - - -,'W.qg # e 4 ..,Gr r:
's$,' -
-- . =, ,',q .k,-.5 --
4 J Y:; c ' '_,[{
c
.i. k'k.:- 3 h,.-- 3 cgl'y q -2mi7 ,
t' .;#'_,.+ . ,, , . 4.
3
=2.;..
y m'.-
rf- y 2 ;._y
-yQ' ' v 2', _t1' a -- _;
y
.;Q.i :."v:pq h . , y.I
-v n ,w m :,,, -w ' :
,,y-- -
H n.+
- . ' ,r n .
- x- ,-- x :. - s swm y_
M g'y<_ts+ ,
y --
t w h_c ,
u.
~
r
. ,3
- '~
< , -.'.r.:
y
- .+ c n _. _7.yg.,. !( p,
, ;w.:3 ,
+ ye, ; 3 >
_ P- . . .g. .
g ,
1:4,P y ~,__ y.. ,
- 4 S
A --l.
&='Q- w n,_$,_
-o -eu s. . .
z, ,.y '; si, m_M-
- wl.)w.
3 ,w is i& . .
m 'O, m.-
- .--:- t . ;u,u
. ~
r.
w 1 4
&,.y t,. ,
-<1--
# .n. .. 3 ,
s g
( D-W ' '
I
- l. .t f .', x , : a,e, f ,']y'
~-
,'l' 4
~<1j'? 'e f ( - -
jy j',bg, ,
ga - ' ' ")
~
1
, v-A ;-,
h',f ',=,'[.e'.. ,
g l
4.m. - ,L-r - . .
irt +.-a1"- s
._,i <fg:- - 4:c'7. 4 q<.,t -_'; .s -
I , ; i 4
JM. i r_ 4,.,-.1.-kI h b g M
- hb p -
4 p G' -
_ -- ..-g,h[
I h 1 -'
s; E
('_
h + b ;'.h $ ??; '
k&..c.:4_
s
,._- w 4 ., i -
,y g'4 j,4a e Mr T 1 _ c_' " " ' ' "
v.
w ]' , f._Q 1C ' '
u :", 3 . 3 ~.?d TV.
5,,.
-g
('
f,A :*F t=d ' t. f ( 4 '-- *
^' ;' ' ". -
l' 'j 2M t,, , . s 5 s .
, v
.s g L-;
w f ke.mi,;M yy,-
w '
<--'uw ' ,.e' f*i "
, r e
} .i_'" k y
+
gp i -}. ,1
&? , j, ; .
- : +
i.n. :s * , .
L i L. 5 . ,. . .
'M ) A 3
..s, ur.
e
"' , f b; .y :4k.4 - - R f
- , -l h t
- , -.,.p p I % -'%,T' Q' 2Q , W:
~ , '
- c '
- - t:. ,
m:w ,= _ m;: n - . ,_ , :
a
- ~j g "Ai r q m. -
,3
.m 4 p, , o yn a.
~ k
?..* 3 , ,7 4 4 12 4
?. W 5
"'i y'- - .
f'c ,h,)y; %s ap~, Wi
, - {, :. h
+ ;?
?=
-n 4 .
y z' f
%. 3 p, Msi m'
^
[-, - -jkf
.e ,
s
%ye h t if y 4
... k . 4 t
+a*.
sNpf
.1[a f4,6 ^ $
t
.,t r'w g g
~ 1;~
9,u~ y -r_- e
'7i('; ' ~ -
g.
b T -
I.
U 3,-:..f .t -g.-
-'n,R.v.
'A :
3 i 6 4- i q' g 2 h' g ,
44 ( t a >
p d- 5V I
-vk. -
4, i._y, 9 f _" z .
? -y
.-[. : t
$ . q
, < , 4:- ,
@sv<Y - 4 -.;
, 3 _ m y ,
3N 3 3 f _
f';; 6 . t
- ' .}->
s l -:
p!'(i_ ,
./
-t'.
4 I. K 3 f S .1 e >
y Ly # '~ ~ ' ."f'.,' a y
'F: '
- % a' k w' 1
e
- a.
. ;' m c a g
- u>% ^
-[: gf ' k y, L
9' g -d < .j 3 ' '
3 #
- z. u
( $*
I '
I
,,.[4 , st- .<J' - i a n 2.V+
f
- mY,.' ag 3
d } b
' ' {V'f
~
l
-h- % d- %
y.+- k i
(
4 N I
W -g-
% i
-,hj
, - 0.".")
__F_-
'* h ';:: {, E_'
'e ' '
- =-
~
S L'j' . . a n: s $I ..-
3 -
- r 3 k
-ke.j">.-r
. . I 3L p
.4 S'4 s i
v h g O: _(-
, ' . ]' _'37
,-t. ,t' ?
I r"=.-,.,}_
[
rq i w- 4 ,
'l.-
1' , l
["' w ,\ , - /
- j ,
?
,[^'
~ *'
t 9 g ra <
+J,V 2 i
'::.'4 w i'
Gm(J,sW "' LTl{ -
4 "
~
.I .-- -[
6 f ?
_i
[% -
y t e a,
E
- a. tg.
.,- (- 1 t
- x +
' r. -p i '.' .* ,k ? ;
N
&: 7
(
P 1 -.
e b
'$ ^( &
s f,
. b
'.g.,-_- '
.J F
,b '
'QU' % * ., , . , ,
3 m. :QiWd{ # < ^
- s. ? %> : , ,,
i u,f f. ,;:I
-- - _ .M.> .y,,1L, , - , , e --)
+
h
i
- 5. REFERENCES
- 1. Carolina Power and Light Company, Brunswick Steam Electric Plant Probabilistic Risk Assessment, April 1988.
- 2. U.S. Nuclear Regulatory Commission, PRA Procedures Guide, NUREG/CR-2300, January 1983.
- 3. Electric Power Research Institute, A1WS A Reappraisal. EPRI NP-2230, Jantary_1982.
- 4. S. M. Stoller Corporation, Nuclear Power Experience, Boulder, Colorado.
- 5. lang Island Lighting Company,Probabilistic Risk Assessment, Shoreham Nuclear Poner Station, Hicksville, New York, June 1983.
- 6. Philadelphia Electric Company, Probabilistic Risk Assessment, Limerick Generating Station, Pittsburgh, Pennsylvania, June 1982.
- 7. U.S. Nuclear Regulatory Commission, Reactor Safety Study - An Assessment of Accident Risk in U.S. Commercial Nuclear Power Plants, WASH-1400 (NUREG-75/014), October 1975.
- 8. U.S. Nuclear Regulatory Commission Development of Transient initiating Event Frequenciesfor Use in Probabilistic Risk Assessment, NUREG/CR 3862. May 1985.
- 9. EG&G Idaho, National Reliability Evaluation Program (NREP), EGG-EA-5887. June 1982,
- 10. U.S. Nuclear Regulatory Commission, Overpressurization of Emergency Core Cooling Systenu in Boiling WaterReactors, AEOD/C502, September 1985.
I1. D. M. Ericson,1r. (ed.), Analysis of Severe Core Damage Frequency: Methodology Guidelines, Sandia National Laboratories, NUREG/CR-4550, Rev.1, Volume 1. July 1989, Draft, (available at the NRC Public Document Room),
- 12. U.S. Nucleat Regulatory Commission, Analysis of Core Damage Frequency: Peach Bottom Unit 2 Internal Events, Sandia National Laboratories, NUREG/CR-4550, Rev.1. Wlume 4, Parts 1 and 2, August 1989.
- 13. U.S. Nuclear Regulatory Commission, Analysis of Core Damage Frequency: Grand Gulf Unit J Internal Events, Sandia National Laboratories, NUREG/CR-4550, Rev.1 Volume 6, Parts 1 and 2, September 1989.
- 14. U.S. Nuclear Regulatory Commission, Accident Sequence Evaluation Program, Interim Report, September 1984,
- 15. A. D. Swain and H. E. Guttmann, Handbook of fluman Reliability Analysis with Emphasis on Nuclear Power Plant Applications, FinalReport, NUREGICR-1278, August 1985.
- 16. R. E. Hall, J. Fragola, and J. Wreathhall, Post Event Human Decision Errors: Operator Action 7 hell 1me Reliability Correlation, NUREG/CR-3010, November 1982,
- 17. L. M. Weston, D. W. Whhchead, N. L. G raves, Recovery A ctions in PRAfor the Risk Methods Integration and Evaluation Program (RMIEP), NUREG/CR-4834, Volumes 1 and 2, June 1987,
- 18. G. W. Hannaman, A. J. Spurgin, Y. D. Lukic, Human Cognitive Reliability Modelfor PRA Analysis, NUS-4531, December 1984.
- 19. W. E. Gilmore et al., Nuclear Computerized Libraryfor Assessing Reactor ReHability (NUCLARR), User's Gidde NUREG/CR-4639, February 1988.
- 20. A. D. Swain, Accident Sequence Evaluation Program Human Reliability Analysis Procedure (ASEP),
NUREG/CR-4772, February 1987.
- 21. ~ B. B. Worrell,SETSReference Afanual, Sandia National Laboratories, NUREG/CR-4213 May 1985.
- 22. U.S. Nuclear Regulatory Commission, Quantitative Fault hee Analysis Using the SETEvaluation Program (SEP), NUREG/CR-1935, September 1982.
- 23. Carolina Power and Light Company, Brunswick Steam Electric Plant, Unks 1 and 2, Final Safety Analysis Report. April 1972.
24 C. Y. Kimura and R. J. B udnitz, Evaluation ofExternalHazards to Nuclear Powr Plants in the United States, NUREG/CR-5042, December 1987.
- 25. G. A. Sanders et al., Shutdown Decay Heat Removal Analysis of a Westinghouse 3-Loop Pressurized Water Reactor, Sandia National Laboratories, NUREG/CR-4762, March 1987.
- 26. W. R. Cremond et al., Shutdown Decay Heat Removal Analysis of a Combustion Engineering 2-Loop Pressurhed Water Reactor, Sandia National Laboratories, NUREG/CR-4710, July 1987.
- 27. Electric Power Research Institute, Oconce Probabilistic Risk Assessment, NS AC-60, Nuclear Safety Analysis Center, June 1984.
- 28. Public Service Company of New flamshire, Seabrook Station Probabilistic Safety Assessment, December 1983,
- 29. Carolina Power and Light Company, Preliminary Safety Analysis Report, Brunswick Steam Electric Plant,1968.
30, Carolina Power & Light Company, Brunswick Steam Electric Plant Fire Risk Analysis, December 1987.
- 31. J. A. Lambright and S.P. Nowlen, Fire Risk Scoping Study: Investigation ofNuclear Power Plant Fire Rhk, including Previously Unaddressedissues. Sew'ia National Laboratories.NUREGlCR-5088 August 1988.
- 32. W. T. Wheelis, hansient Combustible Fuel how cesfound at Nuclear Power Plants (Data), Sandia National Laboratories, July 1984.
- 33. W. R. Cramond et al., Shutdown Decay Heat Removal Analysis ofa Westinghoase 2-Loop Pressurized Water Reactor, Sandia National Laboratories, NUREG/CR-4458, March 1987.
- 34. W. R. Cramond et al., Shutdown Decay Heat Removal Analysis of a Babcock and Wilcox Pressurhed Water Reactor, Sandia National laboratories, NUREG/CR-4713, March 1987.
- 35. S. W. Hatch et al., Shutdown Decay Heat Removal Analysis of a General Electric BWR4thiark 1, Sandia National Laboratories, NUREG/CR-4767, July 1987.
- 36. S. W. Ilatch et al., Shutdown Decay Heat Removal Analysis of General Electric BWR3thfark 1, Sandia National Laboratories, NUREG/CR-4448, March 1987.
- 37. M. A. Azarm and J. L. Boccio, Probability-Based Evaluation ofSelected Fire Protection Features in Nuclear Power Plants, Brookhaven National Laboratory, NUREG/CR-4230, May 1985.
- 38. D. S. Cramer, Data Base Development and Equipment Reliabilityfor Phase I of the Probabilistic Risk Analysis, Savannah River Laboratories, DPST-87-M2, Octoter 1987.
- 39. A. A. Garcia et al., A Review of the hillistone 3 Probabilistic Safety Study, Lawrence Livermore National Laboratory,NUREGER-4142, April 1986.
5-2
- 40. Proceduresfor heating Common Cause Failures in Sqfety and Reliability Studies, NUREGICR-4780, Pickard, Lowe and Garrick, Inc., January 1988.
- 41. Mary T. Drouln et al., Analysis of Core Damage Frequencyfrom internal Events: Methodology Guidelines, Sandia National Laboratories, NUREG/CR-4550, Volume 1, September 1987.
- 42. D. L. Bernructer et al.. Seismic Hazard Characterization of 69 Nuclear Plant Sites East of the Rocky Mountains, Lawr::nce Livumore National Laboratories, NUREG/CR-5250, Volumes 1 and 2, January 1989.
- 43. Goutam Bagchi, NRC, Letter to Richard J. Barrett, NRC, July 14,1989.
- 44. D. L. Bernicutet et al., Seismic Hazard Characterization of the Eastern United States: Comparative Evaluation of the LLNL and EPRI Studies, Lawrence Livermore National Laboratory, NUREG/CR-4885, May 1987.
- 45. R. J. Budnitz et al., Relay Chatter and Operator Response After a Large Earthquake, NUREG)CR-4910, Future Resources Associates,Inc., August 1987.
- 46. P. J. Amico, An Approach to Ihe Quantification ofSeismic Margins in Nuclear Power Plants: The importance of BWR Plant Systems and Functions to Seismic Margins, Lawrence Livermore National Laboratory, NUREG/CR-5076, December 1987.
- 47. R. D. Campbell et al., Conpilation of Fragility informationfmm Available Probabilistic Risk Assessments, UCID-20571, Rev.1, Lawrence Livermore National Laboratory, September 1988.
i 5-3 l l
l
4 l - r.
APPENDIX A CAROLINA POWER & LIGHT RESPONSES TO QUESTIONS A-1
APPENDIX A CAROLINA POWER AND LIGHT RESPONSES TO QUESTIONS ne following responses are provided to questions It should be noted that the WASH-1400 data source from Mr. P. R. Davis which were not answered during shown for gasket leakage in Table A.3-2a (page the review meetings on August 25-26,1988. Allques. A.3-23)is incorrect. %e correct values used to derive l
' tions are related to Volume 3 of the BPRA. the 6.0 E-8/hr. value are shown on the attached i markup.
l Question 1 (p. 3-2)
The number of operating h per yr for the plant It is not clear why the wind data is restricted to two (5256) was chosen on the basis of an average plant availability of 60 percent per yr (0.6 x 8760 hr/yr time periods (1872-1971 @ Wiirrington and
= 5256 hr.). The systems utilizing these gaskets may 1876-1894 @ Southport). Isn't more extensive and well operate a greater fraction of the yr; however, more recent data available? Also, ple .se explain how a 140 mph wind speed retum period of 1000 yr was she codamage events Mg h numWo@yr that these systems will be required to prevent core derived from the Southport data whi :h includes only damage for m events during power operation.
18 yr of very old data?
Question 8 (p.11-19)
Please explain how the use of generic fragilities pro-De extemal flooding analysis is a screning study; vides conservatism. (Also claimed on page 11-33.)
therefore, the Southport data were used to be conservative. Response
%e source used for wind speed versus retum period Seismic fragilities assigned to the components was published in 1982 and was considered to be the based on the review and walk-down of Bumswick best source at the time. A more recent source were generic in nature. For each component type, the (Neumann et al, July 1985)is listed on page A-37 of seismic fragilities from published and unpublished the final report of NUREG-1032 (June 1988) but this seismic PRAs have been compiled in Reference 1.
I data source was not known to be available at the time Dese fragilities were derived using a combination of the flooding analysis was performed. generic and plant specific analyses, fragility and quali-fication test data, and actual earthquake experience Question 5 (p. 7-31) data. A review of the.e fragilities was done for appro-priateness to the Brunswick equipment. The median capacity Amwas assigned using the lower range of the What is the basis for the gasket and flange failure median capacities of the equipment type reported in rate quoted here? Also,it appears the operating h per the above reference. The variabilities,Bg and Bu were yr for the plant was assumed to be 5256 h (60 percent assigned using the higher range of those reported in availability). What is the basis for this number?
this reference. De combination oflow median capac-ity and large variabilities makes the generic fragility Response assignment conservative.
First, the means for gasket and flange failures for Reference 1: Campbell, R. D., M. K. Raymdra, A.
both sources in Table A.3-2a of WASH 1400 (a por. Bhatia and R. C. Murray, " Compilation of Fragility In-tion of this table is provided as Table A-1) were con. formation from Available Probabilistic Risk Asses-verted to medians and a geometric average of these sments," Lawrence Livermore National Laboratory, values was taken. This provided a composite median Livermore, CA, UCID-20571, September 1985.
failure rate for gaskets and flanges. This value was then converted back to a mean. Then the value was di. Question 9 (p. I1-26) vided by 100, reflecting the assumption that 1/100 of gasket / flange failures provided catastrophic leakage Please explain the trimming process described in failure frequency. Section 11.3.3.2.
1 A-3
Table A-1. Mean failure rate and Source Mean Failure Race and Sonne LER-Valves.
IPRDS- Pomps Diesel EG&G EPRI Valves, Generators, YNPS CRBRP Component / Failure Mode NP-2230 Pumps NPRDS CRDMs WASH-1400 IREP PSS PRA NEDil-14082 Varices Accumulator Extemal leakage - -
2DB 4h(40) - - -
3.7&&h3(6) - - -
Extemal rupture - ' -
2DB-Wh(40) - - -
3.7IMiA3(6) - - -
Pipes F 3 inch Leakage - -
(41) -
I.757/Leect 30(6) - - - - -
Rupture - -
(41) -
8.5B-9Aw 30 -
(7) 8.5B-9A4ect 30 - -
Plug - -
(4!) -
8.5B-9A sect 30 - - - - -
>3 ir ch Bush Leakage - -
(41) -
1.7&8/h -sect 30(6) ' - - -
(10) ID&4 to ID&5heector-yr(12)
Rupture - -
(41) -
8.5&l0A-sect 30 -
(7) 8.5&lWh-eect 30 (II) IDG-S to ISS ',ha.-yr(13) y Plug - -
(41) -
3.5B-10A-eer 30 - - - - -
L Gasket hh2 Extemal leakage - - - -
2.6B-Wh 30 or - - - -
13B-Wh or 2.6B-!lh 30(7) 3.5b-6A (l4)
External rupture - - - - - - - - -
3.55-Wh(14)
Strainer NPRD-2 -
Plug - -
I.5E. Sh(42) - -
3DSSA 10 - - -
3DB-6/h(15)
Fail open - -
1.555/h(42) - - - - - -
3.056A(15)
Diesel Generator EPRINP-1433 Fail to start - -
9.55-Wh(43) IE2/d or 3.8B-2/d 3 362/d 3(7) 462/d 3 3.3&2/d 3 1.0&2/d - 1.7&2/d(16) 4&2/d(13)
Fail to run - -
6.5B-4/h(43) 6.0B-Mor 8&M 10 or 3DB-M 10(8) S h % 10 2.7&M to -
163A or 3.0B.-2/h(13) 8DB-4/h 10(S) 1.5B-2A (17)
Control Rod HONJU Fail to insert - -
2.157/h(44) 2.8B-5/d(14) 1.2B.Nd 3 -
1.2B-Nd 3 - -
4.3&$/d (18)
Clutch Fail to operate - - - - 3.85-#d 3 - -
8.05 4/d 10 - -
Premature - - - - - - -- 2.7&@h 10 967/l -
disengagement
l Response linked arx! evaluated to generate the Boolean expres-sions used to quantify seismic core damage frequency.
%e fault tree trimming process discussed in Section 11.3.3.2 is used to remove those non-seisnde events Question 10 (p.11-27) that would not le risk significant from the fault trees tefore quantification. The screening criteria for trim- Please explain the alleged conservatism in the as-ming non-seismic events (such as equipment unaval. sumption that the component failure are statistically labilities, operator errois, or common cause failures) independent both in terms of the randomness in the ca-were developed for NUREG/CR-4826, Seismic Mar- pacity and the uncenainty in the capacity.
- gin Review of the Maine Yankee Atomic Power Sta-tion. They are more conservative than the single Response criterion of 0.01 given in NUREG/CR-4482, recom-mendations to the Nuclear Regulatory Commission on A review of the Boolean equations for seismically Trial Guidelines for Seismic Margins Reviews of Nu- induced dominant plant damage states and core dam-clear Power Plants. The criteria are based on experi- age at Bmnswick indicates that the failure events (i.e.,
ence with pst seismic PRAs and knowledge of the components) are in series. Assumptions of indepen-relationsidp among the seismic hazard curve, compo- dence in tie randomirss give the upper bound on the nent seismic fragilities, and 'on-seismic failure probability of the plant damage state (or core unavailabilities. damage) wlen the components are in series or single-tons. Assumption ofindependence in the uncertainty The system fault in:es from the intemal events anal- of median capacity results in spreading the fragility ysis were modified for the seismic analysis by first curves for the plant damage states thereby increasing adding the seismic failure events to tle fault tress, the annual frequency of plant damage states at higher Then, non-seismic events that had unavailabilities confidence values. Some sensitivity studies were per-lower than the screening criteria were removed for the formed to confirm these observations; Table A-2 be-fault trees. If the event to be removed was input to an low show the results for the plant damage state PDS I A "OR" gate, then the event could be simply removed with the upgraded fragility of the battery charger.
from the tree, with some consolidation of the tree gates for clarity, if the event was an input to an "AND" gate, Figures I through 5 show the plant damage state fra-then that gate and all of the subtree below the gate was gility curves for these curves. The conservatism in the removed from the fault tree. All non-seismic events assumption ofindependence in randomness and uncer-were reviewed for trimming, including non-seismic tainty can be judged by inspecting Figures 1 and 2 comm an cause failures (treated with beta factor), oper. where the fragility curves for the independent-inde-aror errors, test / maintenance outages, and equipment pendent case are shifted up arxl to the left with respect unavailabilities. The trimmed fault trees were then to those for the dependent-dependent case.
Table A-2. Annual frequency of plant damage state PDSI Case Confidence Randomness-Uncertainty Mean Median (95%)
- 1. Independent-Independent 4.4E-5 4.4E-5 1.1E-4
- 2. Dependent-Deperulent 1.9E- 5 7.9E-6 6.7E-5
- 3. Independent-Dependent 3.1 6 5 1.4E-5 1.0E-4
- 4. Dependent 50% correlated 3.1E-5 2.2E-5 7.455
- 5. Independent 50% correlated 4.1E-5 2.7E-5 1.0E-4 A-5
.r '
)
N 4
I I I '
' 1.0
=
95%' confidence curve 0.8 - -
e B
=
2 Median fragility curve o
x 0.6 E
s n.
e a
- 0 '4 -
E 5% confidence curve
- 8 1
8 0.2 - -
1 I
O
' I I I O 0.2 0.4 0.6 0.8 1.0 Peak ground acceleration (g) ;
Figure- A-1. PDSIA plant level fragility curvM 1. l i
i i i i -
1.0 -
0.8 - -
. 95% confidence curve r-E
=, ,
2 ,
o 0.6 - - .!
A li Median fragility curve
?
E !
e a 0.4 - -
E
.9
.j 5% confidence curve '
O 0.2 - -
l l
0 I I i 0 0.2 0.4 0.6 0.8 1.0 9-7946 Peak ground acceleration (g)
Figure A-2. PDSI A full correlation in randomness and uncertainty-Case 2. ,
A-6
l l
i i i i 3o _.
0.8 - -
95% confidence curve B
'O p 0.6 - -
- j. Median fragility curve 9
a a 0.4 .
8 g .' 5% confidence curve c
8 0.2 - -
0 I I I O 0.2 0.4 0.6 0.8 1.0 Peak ground acceleration (g)
Figure A-3. PDSIA full comlation in unartainty--Case 3.
' I I I 1.0 -
0.8 - -'
95% confidence curve 2
Median fragility curve I 0.6 -
~
o e
5% confidence curve k 0.4 - -
8 E
E 6
0.2 - _
I I I I 0
O 0.2 0.4 0.6 0.8 1.0 Peak ground acceleration (g)
Figure A-4. PDSI A randomness - full correlation; uncertainty - partial correlation--Case 4.
A-7
v i
I 1 I i i 1.0 - =
t On - -
l 95% confidence curve l $
3 15 ' of _ IAedian fragility curve ,
b 3
4 5
0.4 -
f e
5% confidence curve '
0.2 - -
o 0
0 0.2 0.4 0.6 0.8 1.0 Peak ground acceleration (g)
, Pigure A-4. PDSI A panial cornelation in uneenainty--Case 5.
A review of the oser plant damage states developed tons. Again, there is no reason to treat the non-seismic in the selsinic PRA of Brunswick has shown the and seismic failures as dependent.
following.
The plant damage state PDSIB has singletons, and Plant damage state PDS3C has non-seismic failure l doubletons and tripletons containing seismic failure (#17) with the union of several singletons (seismic with non-seismic unavailabilities. 'Ihere is no reason failures). The union of theses seismic singletons has to believe that seismic and non-seismic failures are been evaluated with the conservative assumption of conelated. It isjudged that the seismic singletons con, independeme in randomness and uncertainty.
tribute most tot the frequency of this damage state.
The assumption of it. dependence in randomness and uncenainty in these sigleton failures is conservanve. in the plant damage state PDS4, the major contribu-tion comes fro n de doubletons of reactor intemals or CRDM suppons and failure of any one of electrical
'the plant damage state PDSIC has seismic double-cabinets, pumps, heat exchangers, tanks, etc. The tons, and tripletons containing seismic arxl non-sets-union of singletons has been quantified using the inde-mic failures. It is seen that doubletons consist of pendence assumption which is conservative. As stated failure of citier the reactor miernals or CRDM sup- tefore, there 13 no reason to believe that failures of ports and block wall or MCC anchorage. There is no reactor intemals or CRDM support are correlated with reason to expect correlation in the failure of reactor in-the failures of other components such as pumps and ternals and the MCC anchorage, given the carthquake electrical cabirets and treating them as independent is level. Note that the major common cause source of justified.
large earthquake ground notion damaging toth these components has been treated consistently by keeping the seismic hazard outside the integration. It l'. therefore concluded that the assumption of in.
dependence in tie randomness and uncertainty in tiw Plant damage states PDS2 and PDS3B have seismic component failures is conservative for the dominant failures and non-seismic failures appearing as double- damage states considered.
A-8
ASSUMPTIONS CONCERNING INITIATING EVENTS
- 1. IEs occurring during maintenance and reft 4 1-inch in diameter for water-lites, (b) tley ing outages were assumed to be irsignifictv.t. must te greater than 4-inctes in diameter for steamlires, ard (c) have either less than two
- 2. IEs involving radioactive pources other than isolauen valves or low pressurt piping down-the core were assumed to te insignificant, stream of the isolation valves.
- 3. Reactor vessel rupture events were assumed 5. Lognormal distributions were assumed to to lead directly to core damap, perfonn the single-stage Bayesian updates for general trarnient initiator frequencies.
- 4. The following assumptions were made to idernify candidate piping for interfacing rys- 6. An Availability Factor (% of time in mode I tem LOCAs:(a) they must be greater than or 2) of 60% was assuned.
)
I A-9
\
C C 90mw 336 U,$.WUCLE A81 ktGuthlokY CoMM!t&loN 1 klPohl Nuvt.th L'"C,lll,,",f.f .'Oh,","t*~ "" -
f.fcbin nn uar titLIOGRAPHIC DATA SHEET
'5"""""'*'""***"' _
NUREG/CR-5465 uikt Awusvatii6t EGG-2579 cati atroateveusuin Review of the Brunswick Steam Electric Plant a
"u a " aa Probabilistic Risk Assessment 1 November 1989 4 6 iN oh GH ANT NUVtil h A6895
- 6. AVIHohibi k 1Ytt of ftlPohi Formal M. B. Settison, P. R. Davis, D. G. Satterwhite 1. rt moo cov t ut o u ,, .. o.,-
W. E. Gilmore, R. E. Gregg A now - 8 AM t *~ p Ac o n t $5 u, a c. ,,-. ou. a . u s ~-, a +-, c -...- .- -.** .~.. .. .. ,.. .. -.. + .
a r.i.n,onMi,4,
-. onca,~i Idaho National Engineering Laboratory EG&G Idaho, Inc.
P.O. Box 1625 Idaho falls, ID 83415 w . . . . . - ~ac o,...- o,,- ., a .. o s ~- - a ,-a.--~~.
- s. ..
s.eo.us.onin.o on, c.wi Auom . h*Mt Awo Aeoatss ,,, h c.
- Division of Systems Research Office of Nuclear Regulatory Research ll.S. Nuclear Regulatory Commission Washington. DC 20555
- 10. sVPPLtML NT AltY NOlt 5 11, ABS 1hAC1 sm m -m as ar.ss ABSTRACT A review of the Brunswick Steam Electric Plant Probabilistic Risk Assessment was con-ducted with the objective of confirming the safety perspectives brought to light by tie pro-babilistic risk annessment. The scope of the review included the entire levelI probab!!istic risk assessment including external events. This is consistent with tie scope of tte probabil-istic risk assessmer.t. The review included an assessment of the assumptions, methods, models, and data used in tie study.
- u. n a v wonosrot scH <ei os 6,w -- .a,.- ea, ..u =,, .~ - =cas ,a. ~, , u a=a.amm 6ia o ei linlimited Core damage frequency, reliability, external events analysis, 'a a wa m " a "" '"' "-
probabilistic risk assessment " aa ** >
linclassi fied llncl assi fied ib NUMitt H 06 i Abt b 16 PhtCL hmC s omu s3t, t2 ae'
.U.S. f.0Vt8hetL ht Palht thG Off lCt s1989 7o2 436 00352
U:'lTED CTATES senat 'o*w ria55 amit 7 NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555
'**tsin'""* $
,, ,,,, ,,. c c , m Of FlCIAL BUSINESS 9
O PENALTY FOR PRIVATE USE. 8300 gu\ 9' t$
1 16 h r3 eb5
' n g*O m 0
59 h*1pt 30 9# $2 g'p g Sho W)f t
s Tes2ge4e w+
c, g gb i
l \'s; p
5
-gh ea y
Ei Ce W8 M!
E5 a.
s M~
J v>
E ,:
9C NN E
m A