ML20054H624

From kanterella

Probabilistic Risk Assessment Program Plan
ML20054H624

Person / Time
Site: Clinch River
Issue date: 06/18/1982
From: ENERGY, DEPT. OF
To:
Shared Package: ML20054H621
List:
References: RTR-NUREG-0718, RTR-NUREG-718, PROC-820618, NUDOCS 8206240272


Text


PRA PROGRAM PLAN, JUNE 18, 1982 (8206240272 820621 PDR ADOCK 05000537 PDR)


TABLE OF CONTENTS

1.0 INTRODUCTION
2.0 OVERVIEW OF THE RISK ASSESSMENT PROGRAM
2.1 Initiator Development
2.2 Plant Model Development and Quantification
2.2.1 System Functional Event Tree Development
2.2.2 Fault Tree Development
2.2.3 Analyses of Plant Response
2.2.4 Accident Sequence Quantification
2.2.5 Uncertainty Analyses
2.2.6 Common Cause Failure Analyses
2.2.6.1 Explicit Modeling of Dependencies
2.2.6.2 Qualitative CCFA
2.2.6.3 Detailed CCFA
2.2.6.4 Special CCFA Investigations
2.3 Core and Containment Accident Modeling
2.3.1 Phenomenological Event Trees
2.3.2 Source Term Evaluation
2.4 Ex-Plant (Site) Consequence Analysis
2.5 PRA Applications Tasks
2.5.1 Operator Action Event Trees
2.5.2 Assessment of the Effectiveness of Postulated Design Variations Including Consequence Mitigation Features
2.5.3 Improve Understanding of the Plant
2.5.4 Characterization of Risk from Early Life Failures
2.5.5 Implementation of a Continuing Risk Management Program
2.5.6 Input to the Site Emergency Procedures
2.6 Interaction with the NRC
2.7 Accident Delineation
2.8 Study Limitations
3.0 STUDY PERFORMANCE AND REVIEW
4.0 SCHEDULE AND MILESTONES
Table 1 CRBRP PRA Products
Figure 1 PRA Flowchart
Figure 2 CRBRP PRA Organization
Figure 3 Anticipated PRA Internal Review
Figure 4 Expected Schedule of PRA Products

PROGRAM PLAN FOR THE CLINCH RIVER BREEDER REACTOR PLANT PROBABILISTIC RISK ASSESSMENT (PRA)

1.0 INTRODUCTION

The purpose of this Program Plan is to describe the approach being taken in implementing the CRBRP PRA and to summarize potential applications of the study. The PRA has been initiated for a number of reasons, principally related to the desire of the project to perform an integrated safety assessment as one ingredient in the management decision process leading to a safe design. The PRA will also satisfy the requirements of NUREG-0718, Section II.B.8, and it is believed to be consistent with the current direction of the NRC in the development of safety goals and PRA applications. As specific detail is developed, it will be incorporated into a working level Program Plan which will be the subject of a continuing review. This review process will be discussed later in Sections 2.6 and 3.0. The management decision process is expected to utilize the PRA both as an aid in evaluation of the current design and its alternatives, and as a tool to provide further assurance of safe plant operation, comparable to that of light water reactors (LWRs).

The PRA will represent, in the terminology of the PRA Procedures Guide (NUREG/CR-2300, Rev. 1), a Level IV PRA. In addition to the tasks which satisfy a Level IV PRA, several other tasks will support application of the study. These tasks will include utilization of the PRA models to define and support definition of operational programs such as emergency procedure preparation and operator training. The concept behind use of the PRA in this role is that it can serve as an analytical basis for defining potential operational incidents, thereby helping to fill the gap caused by the limited availability of operating experience for LMFBRs.


2.0 OVERVIEW OF THE RISK ASSESSMENT PROGRAM

The Program can be divided into the following major elements: accident initiators, system functional event trees, fault trees, phenomenological event trees, and release and consequences analysis.

Furthermore, the phenomenological event trees can be divided into two groups: those that describe the phenomena from core melt to breach of the reactor vessel (i.e., core damage phenomenological event trees) and those that describe the phenomena from breach of the reactor vessel to containment integrity failure (i.e., containment phenomenological event trees). Refer to Figure 1 for a flowchart depicting how the major elements will be tied together. These elements will be discussed in the following sub-sections.

2.1 INITIATOR DEVELOPMENT

The approach being taken to logic model construction emphasizes the investigative nature of the task and results in an iterative model building process which ensures the accuracy of the final logic models. The following describes the iterative investigative method to be utilized.

A preliminary list of initiating events will be developed by extracting information from a variety of relevant sources. These sources include:

o Compilations of Generic Experience: such as NUREG-0460 and EPRI NP-2230. In addition, NSAC has produced a screened list of LERs which identifies a number of risk significant PWR initiating events.

o Previous PRAs: A number of other PRAs have either been completed or are on-going. Each of these PRAs has compiled a list of initiating events (often from the generic sources listed above). One such listing has been assembled in CRBRP-1.

o CRBRP Project Documentation: A number of project-specific documents are being screened to identify potential initiating events. These include the PSAR, Overall Plant Design Description, SHRS Key Systems Review, Availability Analyses, and the existing Reactor Shutdown System (RSS) and Shutdown Heat Removal System (SHRS) Reliability Assessments.

o Similar Reactor Experience: including foreign and domestic sodium and/or breeder experience.

The resultant list of initiating events allows the event tree and fault tree analyses to commence, but is not considered the final list. It is important that information gained during the event tree/fault tree analyses be continuously fed back into the task of identifying initiating events. By definition, an important initiating event is one that can evolve into an important sequence. It is impossible, therefore, to confidently list all the important initiators before the event tree and fault tree analyses have been performed.

This process systematically utilizes knowledge gained in the event tree/fault tree analyses to ensure that all important initiating events are identified. This approach is based upon the recognition that (1) important initiators are either relatively high frequency events or are events which adversely impact the ability of the safety systems to respond, and (2) an initiating event must, by definition, require an active plant response to avoid core damage. The cut-sets of the fault tree models will be systematically examined for their relationship to event tree headings (developed for the preliminary list of initiators). It is then possible to identify any failure events which both call for an active plant response and adversely impact the performance of the safety systems. These types of events will be considered as potential initiating events.

In addition, where appropriate the approach requires performance of a fault tree analysis of the initiating event. In this way, it is possible to ascertain whether the specific cause of the initiator could also impact the ability of safety systems to respond, by comparing the cut-sets of the initiator with those of the safety systems required to respond to the initiator. This additional step in initiating event identification ensures the accurate quantification of conditional probabilities and allows an initiating event to be broken down into sub-events to highlight potential dependencies between the initiator and subsequent events. (As a simple example of this step, the "loss of offsite power" event would be identified in the cut-sets of a "loss of feedwater" initiator and also show up as an element in the cut-sets of the Shutdown Heat Removal Systems; accordingly, "loss of offsite power" is always identified as a separate initiating event.)

Thus, the proposed approach is an iterative process of initiating event identification which starts with the application of available compilations of operating experience and feeds back crucial information from the ensuing event tree/fault tree analysis. In this way, completeness is improved not only by searching available compilations of data but also by explicitly and systematically investigating the CRBRP plant design.
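The cut-set comparison described above, shown as an added Python example that is not part of the original plan and is not the COMCAN III package the plan names: a small fault-tree evaluator computes minimal cut sets, finds the basic events shared between an initiator's cut sets and a safety system's cut sets, and then shows why a shared event such as loss of offsite power must be split out as its own initiator rather than treated as independent of the responding system. The two fault trees, the event names and the probabilities are constructed for illustration and are not CRBRP design or reliability data.

```python
"""Minimal cut sets of small fault trees, and the initiator-vs-safety-system
cut-set comparison of Section 2.1.  Constructed example, not CRBRP data."""
from itertools import product

# A fault tree node is a basic-event name (str) or a tuple ("AND", child, ...)
# or ("OR", child, ...).


def _minimize(cut_sets):
    """Keep only minimal cut sets: drop any set that strictly contains another."""
    return {cs for cs in cut_sets if not any(other < cs for other in cut_sets)}


def minimal_cut_sets(node):
    """Return the minimal cut sets of a fault tree as a set of frozensets."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, *children = node
    child_sets = [minimal_cut_sets(child) for child in children]
    if gate == "OR":
        combined = set().union(*child_sets)
    elif gate == "AND":
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return _minimize(combined)


def shared_basic_events(tree_a, tree_b):
    """Basic events appearing in the cut sets of both trees: candidates for
    separate initiating events or for explicit dependency modeling."""
    events_a = set().union(*minimal_cut_sets(tree_a))
    events_b = set().union(*minimal_cut_sets(tree_b))
    return events_a & events_b


def rare_event_probability(cut_sets, probs):
    """First-order (rare-event) approximation: sum over cut sets of the product
    of basic-event probabilities, treating basic events as independent."""
    total = 0.0
    for cs in cut_sets:
        term = 1.0
        for event in cs:
            term *= probs[event]
        total += term
    return total


# Constructed trees (hypothetical, not the CRBRP design).
LOSS_OF_FEEDWATER = ("OR", "LOOP", "FW_PUMP_TRIP", "FW_CONTROL_FAIL")
SHRS_FAILURE = ("OR", ("AND", "SHRS_PUMP_A", "SHRS_PUMP_B"),
                      ("AND", "LOOP", "DIESEL_GEN_FAIL"))
# Constructed per-demand probabilities (assumed values).
PROBS = {"LOOP": 0.1, "FW_PUMP_TRIP": 0.3, "FW_CONTROL_FAIL": 0.1,
         "SHRS_PUMP_A": 0.05, "SHRS_PUMP_B": 0.05, "DIESEL_GEN_FAIL": 0.02}


def sequence_probabilities():
    """Compare P(initiator) * P(system fails), which assumes independence,
    with the probability of the combined AND tree, in which the shared LOOP
    event is counted once.  Returns (independent, combined)."""
    independent = (rare_event_probability(minimal_cut_sets(LOSS_OF_FEEDWATER), PROBS)
                   * rare_event_probability(minimal_cut_sets(SHRS_FAILURE), PROBS))
    combined = rare_event_probability(
        minimal_cut_sets(("AND", LOSS_OF_FEEDWATER, SHRS_FAILURE)), PROBS)
    return independent, combined


if __name__ == "__main__":
    print("shared basic events:", shared_basic_events(LOSS_OF_FEEDWATER, SHRS_FAILURE))
    for cs in sorted(minimal_cut_sets(("AND", LOSS_OF_FEEDWATER, SHRS_FAILURE)), key=sorted):
        print("cut set:", sorted(cs))
    print("independent vs combined:", sequence_probabilities())
```

With these constructed values the independence assumption gives 0.00225 while the combined tree gives 0.00325, because the cut set {LOOP, DIESEL_GEN_FAIL} is weighted by P(LOOP) once rather than by P(LOOP) twice; the plan's remedy of carrying loss of offsite power as a separate initiator is exactly what removes that error.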

2.2 PLANT MODEL DEVELOPMENT AND QUANTIFICATION

Considerable attention and a significant portion of the program resources will be devoted to the task of constructing accurate logic models. The version of the CRBRP which is being analyzed was baselined as of February 1, 1982. The design being analyzed will be updated to reflect the current baseline design at several stages during the PRA; specifically, any changes derived from the CP licensing review will be included in the final models.

The specific activities included under the general heading of Plant Model Development and Quantification are the development of event tree and fault tree logic models, the analysis of plant response, reliability data collection and sequence quantification, uncertainty analysis, and common cause failure analysis. The results of the plant model development and quantification tasks are a compilation of probabilistically quantified accident sequences, each of which leads to core damage and is associated with a particular plant state. These plant states are then the entry points both to the analysis of the severity of damage resulting from accident energetics (i.e., core damage phenomenological event trees) and to the severity of challenge to containment integrity associated with the accident sequences (i.e., containment phenomenological event trees). Damage analyses will be discussed in subsequent subsections.

2.2.1 SYSTEM FUNCTIONAL EVENT TREE DEVELOPMENT

System functional event trees will be constructed for the initiating events discussed in Section 2.1. Before actual event tree construction begins, it will be necessary to group the numerous individual initiating events into preliminary categories based upon their impact on the plant and the subsequent demands upon the plant safety systems. Following a preliminary categorization of initiating events, the approach to be used to perform the event tree analyses can be outlined as follows:

1. Determine the functional requirements which must be met in response to the initiating event. Examples of such functions are reactor shutdown and decay heat removal.
2. Define the functional interrelationships and construct functional event trees. Functional interrelationships address the impact of success/failure of performing one function (e.g., coolant inventory maintenance) on the ability to achieve another (e.g., decay heat removal).
3. Define the plant systems available to perform each of the above functions.
4. List all of the supporting systems which are common to the plant systems identified in Step 3. Examples of supporting systems are service water, instrument air, and electrical power. This information will assist in the identification of potential dependencies between systems and will affect the identification and ordering of event tree headings.
5. Identify operator actions associated with the systems identified in Steps 3 and 4.
6. Define potential functional dependencies between the plant systems identified in Step 3. This is the first step in an iterative process of identifying important interrelationships between systems which are not apparent by merely listing common hardware.
7. Perform the necessary analyses to determine timing of events, system requirements and interdependencies, and the corresponding failure state definitions.
8. Construct the system level event trees. The two elements of constructing system event trees are determining (1) the definition of the individual event headings and (2) the ordering of the events to produce the logic model.
9. Document the event trees. The assumptions and reasoning which produced the event tree form are carefully documented.

Although the above outline describes a step-by-step process, the event tree construction process will be an iterative one in which the failure state definitions, timing, and system headings are continuously influenced by information fed back from the fault tree analyses and the best-estimate plant response analyses.

2.2.2 FAULT TREE DEVELOPMENT

Fault trees will be drawn for most of the event tree headings. Decisions concerning the necessity to develop individual fault trees will be based upon the recognition that the purpose of a fault tree is to (1) quantify the probability of an event for which no statistically acceptable data exist by logically breaking down the event into its constituent parts for which acceptable data do exist, and/or (2) identify potential dependencies among multiple systems.

Fault trees will not be drawn for systems for which either (1) acceptable data exist for the event heading and no significant dependencies could exist between this event and subsequent headings, or (2) the event heading could not be involved in any risk-important accident sequences even if its conditional failure probability were extremely high.

The fault tree analyses will be performed using well documented and accepted procedures and symbols as presented, for example, in NRC's Fault Tree Handbook (NUREG-0492) or in the PRA Procedures Guide (NUREG/CR-2300, Rev. 1).

2.2.3 ANALYSES OF PLANT RESPONSE

Sufficient analyses of realistic plant responses to postulated accident conditions will be performed throughout the course of the PRA to ensure that the plant logic models represent an accurate picture of the physical plant response and that all dominant risk contributors have been identified. Analyses will also be performed to assure that the system success criteria identified in the study are realistically based on physical capabilities of the design.

A key element of the approach to this task is concerned with the efficient, systematic identification of specific analytical needs.

Due to the potential costs and time delays in obtaining best-estimate plant response data, it is crucial that the analyst be able to determine (1) what analyses are truly necessary to the performance of the PRA, and (2) what are the specific inputs and desired outputs of the analyses. The approach of systematically using the event trees as an investigative tool allows these determinations to be efficiently performed. At each branch point in the event tree, the analyst will ask:

o What are the existing plant conditions with respect to maintenance of critical functions?

o What is required of the plant systems to maintain these functions?

o What are the realistic capabilities of these systems?

These questions determine the basic analytical requirements. When answers to these questions are not readily available to the analyst, one of three avenues will be pursued to supply the needed information:

(1) Locate applicable analyses in available documentation.

(2) Perform hand calculation or extrapolation of existing analyses. Analytical needs not satisfied by available documentation can be satisfied by hand calculation where appropriate.

(3) In those occasional cases where documented analyses are not available and hand calculations are insufficient, additional computer analyses will be required. The role of the risk analyst at this point is to ensure that the results of the PRA are truly sensitive to the results of the desired analyses and to define the analytical requirements as carefully as possible.

2.2.4 ACCIDENT SEQUENCE QUANTIFICATION

The computer code package which will be utilized in the generation of cut-sets and accident sequence quantification is COMCAN III (Common Cause Analysis), developed by the Idaho National Engineering Laboratory (INEL). As in the rest of the PRA, quantification will be an iterative process in which early analyses are used to help focus more detailed common cause failure investigations (see Section 2.2.6).

2.2.5 UNCERTAINTY ANALYSES

The initial uncertainty analyses will be limited in scope and performed after the best-estimate quantification and filtering of accident sequences. Probability distributions or confidence limits will be estimated only for those component failure rates and event frequencies which are potentially important to risk. For sequences, such as seismic, which are known to have large uncertainties, the assessment methodology will include evaluation of the effects of these uncertainties on the importance of the accident sequences.

Early in the PRA, sensitivity studies will be utilized to provide information on the relative importance of equipment and human failures. Detailed uncertainty analyses will be delayed until later in the PRA program.

2.2.6 COMMON CAUSE FAILURE ANALYSES

For the purposes of this program plan, the common cause failure analyses can be broken down into four subtasks. These include: explicit modeling of dependencies, qualitative CCFA, detailed CCFA, and special CCFA investigations. These subtasks will be delineated in the following four sections.

2.2.6.1 EXPLICIT MODELING OF DEPENDENCIES

This portion of the CCFA entails those efforts required to ensure that all common support systems and functional dependencies between and among plant systems are accurately and explicitly included in the plant logic models. This task will be carried out in the process of constructing the event and fault trees.

2.2.6.2 QUALITATIVE CCFA

The concern exists that there may be unidentified failure causes which are common to multiple components. Examples of potential common failure causes which fall below the practical level of resolution in the event trees and fault trees are:

o manufacturing, installation, or maintenance errors
o adverse environmental influences such as high temperature, humidity, or radiation
o corrosion, carbonization, rust, or other chemical degradation processes.

In this subtask, those common cause failures of these types which could potentially have a significant impact on plant risk are identified. This will be achieved by a conservative filtering process, which allows the subsequent, more detailed analyses described below to focus on those dependencies which could actually be important to risk. The screening process is based upon the recognition that for a common cause failure to occur, two criteria must be met:

(1) Both components must be susceptible to failure by the common cause (e.g., two different valves might both be susceptible to failure due to flooding, but a pipe and a valve do not share a common susceptibility to failure by flooding).

(2) The common cause must have the opportunity to affect both components.

Based on this recognition, a two-step qualitative CCFA will be performed. The first step involves screening of redundant components, and the second step involves location dependent common cause analysis.

2.2.6.3 DETAILED CCFA

The input to this subtask will be the relatively small number of common cause "candidates" which survive the screening process discussed above. In this subtask a more detailed assessment of common failure susceptibility and opportunity will be performed and probabilities estimated for these common cause events.

The more detailed engineering investigation will address a rather extensive list of potential common cause mechanisms (e.g., vibration, high temperature, etc.) for each component and will assess the potential for these mechanisms coincidentally affecting the components. For redundant components in different locations, this will entail evaluating the likelihood that important causes can be coincidentally present in both locations. For components in the same location, this will entail a determination of whether the components are both (or all) susceptible to the same mechanisms and the likelihood of those causes existing in that particular location.

2.2.6.4 SPECIAL CCFA INVESTIGATIONS

The above three subtasks will allow a practical, effective CCFA to be performed for most potential failure mechanisms. However, there are a few additional potential causes for multiple failures which should be addressed separately. These are fires, seismic events, and other large external events.

Fires

The common location analysis performed as discussed in Section 2.2.6.2 will form the basis for the fire analysis. The location analysis will provide:

o List of key locations.

o Key components in these locations.

o Failure modes of these key components.


Based on this information, a preliminary scoping fire analysis will be performed to determine if fire related accident sequences could contribute significantly to risk at the CRBRP.

Should the above scoping analysis identify any single or double location cut-sets which could realistically support a fire of sufficient size and duration to fail the components associated with these cut-sets, a more detailed fire analysis will be performed for these specific locations. Thus, the scoping fire analysis will be used to focus any detailed fire analyses which are required on those fire-related sequences which could potentially contribute to risk.
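The two-criterion screen of Section 2.2.6.2 and the per-location listing that the fire scoping analysis above starts from, as one added Python example that is not part of the original plan: each pair of redundant components is first checked for a shared susceptibility (criterion 1) and then for the opportunity of the cause to reach both (criterion 2), and the same component table yields the locations where a single fire could take out a whole redundancy group. The components, locations, susceptibility lists and the split of causes into location-bound and location-free are constructed assumptions for illustration, not CRBRP design data.

```python
"""Qualitative common cause screening (Section 2.2.6.2) and the per-location
listing the fire scoping analysis of Section 2.2.6.4 starts from.
Components, locations and susceptibilities are constructed for illustration."""
from dataclasses import dataclass
from itertools import combinations

# Assumed classification (not from the plan): an environmental cause only has
# the opportunity to reach both components when they share a location; any
# other cause (manufacturing or maintenance error) travels with the component.
LOCATION_BOUND_CAUSES = {"flooding", "fire", "high_temperature", "humidity"}


@dataclass(frozen=True)
class Component:
    name: str
    group: str              # redundancy group: components performing the same function
    location: str           # plant cell or room
    susceptible_to: frozenset


COMPONENTS = [  # constructed plant, not the CRBRP design
    Component("SHRS_PUMP_A", "shrs_pumps", "cell_101",
              frozenset({"flooding", "high_temperature", "maintenance_error"})),
    Component("SHRS_PUMP_B", "shrs_pumps", "cell_102",
              frozenset({"flooding", "high_temperature", "maintenance_error"})),
    Component("SHRS_VALVE_A", "shrs_valves", "cell_101",
              frozenset({"high_temperature", "manufacturing_error"})),
    Component("SHRS_VALVE_B", "shrs_valves", "cell_101",
              frozenset({"high_temperature", "manufacturing_error"})),
    Component("DG_A", "diesels", "dg_building", frozenset({"fire", "maintenance_error"})),
    Component("DG_B", "diesels", "dg_building", frozenset({"fire", "maintenance_error"})),
    Component("SHRS_PIPE_1", "shrs_piping", "cell_101", frozenset({"corrosion"})),
]


def screen_common_cause(components):
    """Two-step screen over pairs of redundant components.
    Step 1 (susceptibility): keep only causes both members are susceptible to.
    Step 2 (opportunity): a location-bound cause survives only when the pair
    shares a location; otherwise the pair goes to `different_location`, where
    the detailed CCFA must judge whether the cause can be coincidentally present
    in both locations.  Returns (candidates, different_location), each a list
    of (component_a, component_b, cause)."""
    candidates, different_location = [], []
    by_group = {}
    for c in components:
        by_group.setdefault(c.group, []).append(c)
    for members in by_group.values():
        for a, b in combinations(members, 2):
            for cause in sorted(a.susceptible_to & b.susceptible_to):       # step 1
                if cause not in LOCATION_BOUND_CAUSES or a.location == b.location:  # step 2
                    candidates.append((a.name, b.name, cause))
                else:
                    different_location.append((a.name, b.name, cause))
    return candidates, different_location


def key_locations(components):
    """Locations holding more than one member of the same redundancy group,
    i.e. the single-location cut-sets a scoping fire analysis examines first.
    Returns {location: {group: [component names]}}."""
    by_location = {}
    for c in components:
        by_location.setdefault(c.location, {}).setdefault(c.group, []).append(c.name)
    return {loc: {g: names for g, names in groups.items() if len(names) > 1}
            for loc, groups in by_location.items()
            if any(len(names) > 1 for names in groups.values())}


if __name__ == "__main__":
    cands, deferred = screen_common_cause(COMPONENTS)
    print("candidates for detailed CCFA:", cands)
    print("different-location pairs needing a coincidence assessment:", deferred)
    print("key fire locations:", key_locations(COMPONENTS))
```

The pipe in the table is never paired with a valve because the pairing is done within redundancy groups, which is the plan's criterion 1 in practice: a pipe and a valve do not perform the same function, so they are not a common cause pair regardless of where they sit.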

Seismic and Other External Events

External events such as seismic events, tornados, floods, etc. will be evaluated to ascertain their significance to risk. Also, a detailed seismic methodology will be developed with anticipated review by NRC.

The preliminary analysis will be comprised of five basic steps:

(1) Estimate the frequency of occurrence of each external event.

(2) Identify the specific components or systems which could be adversely impacted by the event.

(3) Calculate the failure probability of such equipment and recalculate the probability of core damage with these components or systems unavailable.

(4) Multiply the frequency of occurrence from (1) by the conditional probability of core damage from (3).

(5) Compare the results of (4) to the base-line core damage frequency.

If the results of the preliminary investigation indicate that there are potentially risk significant sequences initiated by one of the external events, a more detailed analysis will be performed. The approach to this more detailed analysis will be very similar to that outlined above for the preliminary analysis. However, the conservatisms of the preliminary analysis (in particular, treating every impacted component or system as unavailable in step (3)) will be replaced by realistic evaluations of the impacts of the initiating event on plant systems.
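The five-step screen above and the event tree construction of Section 2.2.1 (functions, the systems that perform each, and the functional dependency that stops querying later headings once a function has failed), carried through as one added Python example that is not part of the original plan: the event tree is enumerated into sequences, core damage frequency is computed for an internal initiator, and each external event is then scored by frequency times the conditional core damage probability with its defeated systems set unavailable, and compared with that baseline. The functions, system names, unavailabilities, event frequencies, the systems each event defeats and the 10% screening threshold are constructed assumptions, not CRBRP data.

```python
"""Event tree enumeration (Section 2.2.1, reduced to two functions) and the
five-step external-event screen of Section 2.2.6.4.  All numbers and system
names are constructed for illustration, not CRBRP design or reliability data."""

# Functions demanded after the initiator, in order, and the systems able to
# perform each one (any single success satisfies the function).
FUNCTIONS = [
    ("reactor_shutdown", ["RSS"]),
    ("decay_heat_removal", ["SHRS_FORCED", "SHRS_NATURAL"]),
]

# Constructed per-demand unavailabilities (assumed values).
UNAVAILABILITY = {"RSS": 1e-5, "SHRS_FORCED": 1e-3, "SHRS_NATURAL": 1e-2}
INTERNAL_INITIATOR_FREQUENCY = 0.5  # constructed, per year

# Screening steps (1) and (2): event frequency and the systems it defeats.
EXTERNAL_EVENTS = {
    "seismic": {"frequency": 1e-4, "fails": {"SHRS_FORCED"}},
    "tornado": {"frequency": 1e-5, "fails": {"SHRS_FORCED"}},
    "external_flood": {"frequency": 2e-6, "fails": {"SHRS_FORCED", "SHRS_NATURAL"}},
}


def enumerate_sequences(functions):
    """Walk the event tree.  Returns [(branches, end_state)] where branches maps
    each queried heading to True (success) or False (failure).  Functional
    dependency is built in: once a function has failed the sequence transfers
    to core damage and later headings are not queried; once a function is
    satisfied its remaining backup systems are not queried either."""
    sequences = []

    def walk(fi, branches):
        if fi == len(functions):
            sequences.append((dict(branches), "OK"))
            return
        _, systems = functions[fi]

        def demand(si):
            if si == len(systems):            # every system for this function failed
                sequences.append((dict(branches), "CORE_DAMAGE"))
                return
            system = systems[si]
            branches[system] = True           # success branch: go to the next function
            walk(fi + 1, branches)
            branches[system] = False          # failure branch: demand the backup system
            demand(si + 1)
            del branches[system]

        demand(0)

    walk(0, {})
    return sequences


def sequence_probability(branches, unavailability, failed=frozenset()):
    """Product over queried headings of the failure or success probability.
    Systems in `failed` are unavailable with certainty (screening step (3))."""
    p = 1.0
    for system, succeeded in branches.items():
        u = 1.0 if system in failed else unavailability[system]
        p *= (1.0 - u) if succeeded else u
    return p


def conditional_core_damage(failed=frozenset()):
    """Step (3): probability of reaching any core damage end state."""
    return sum(sequence_probability(b, UNAVAILABILITY, failed)
               for b, end in enumerate_sequences(FUNCTIONS) if end == "CORE_DAMAGE")


def baseline_core_damage_frequency():
    return INTERNAL_INITIATOR_FREQUENCY * conditional_core_damage()


def screen_external_events(events=EXTERNAL_EVENTS, threshold=0.1):
    """Steps (4) and (5): frequency x conditional core damage probability,
    compared with the baseline.  Events at or above `threshold` of the
    baseline are sent on to the detailed, less conservative analysis."""
    baseline = baseline_core_damage_frequency()
    results = {}
    for name, ev in events.items():
        ccdp = conditional_core_damage(frozenset(ev["fails"]))
        cdf = ev["frequency"] * ccdp
        results[name] = {"ccdp": ccdp, "cdf": cdf, "fraction": cdf / baseline,
                         "detailed_analysis": cdf / baseline >= threshold}
    return results


if __name__ == "__main__":
    for branches, end in enumerate_sequences(FUNCTIONS):
        print(branches, end, sequence_probability(branches, UNAVAILABILITY))
    print("baseline CDF:", baseline_core_damage_frequency())
    for name, r in screen_external_events().items():
        print(name, r)
```

Because every queried heading contributes either its failure probability or its complement, the sequence probabilities of one event tree sum to 1; that is why the conditional core damage probability for the flood case, which defeats both heat removal systems, comes out as (essentially) 1 rather than exceeding it, as a rare-event sum over cut sets would.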

2.3 CORE AND CONTAINMENT ACCIDENT MODELING

The result of the tasks on Plant Model Development and Quantification will be a set of probabilistically quantified dominant accident sequences, each of which is expected to produce damage to the core. Associated with each of these accident sequences will be a plant state which will include:

1. An indication of the successful operation of the PPS.
2. An indication of the availability of mitigating systems.
3. An indication of the capability of static and convective heat sinks during the accident sequences.

The definition of plant state for accident sequences terminated by core damage will allow two evaluations to be performed. First, the potential for various degrees of mechanical damage to the primary system resulting from energetic disassembly of the core can be evaluated. Second, the potential for failure of the containment system to maintain its integrity following a variety of severe accident sequences can be evaluated.

2.3.1 Phenomenological Event Trees

In the process of analyzing core and containment accidents, phenomenological event trees will be prepared for both core damage and containment behavior resulting from accident sequences that lead to severe core damage states (i.e., core damage phenomenological event trees and containment phenomenological event trees). These accident sequences will include those which could potentially lead to significant core energetics as well as those which have no significant energetics associated with the core disruption. The combined core damage and containment event trees will begin with the accident initiator and end with a description of either a stable coolable state for the core debris or the time and size of the containment failure.

As part of this evaluation, the radioactive source term above the operating floor at the time of a stable end point or containment failure will be defined. More specifically, the event trees will describe, in detail, the major physical processes occurring within the primary system and containment which precede, cause, and follow hydrodynamic core disassembly and/or loss of core coolability. This will include consideration of the thermal margins provided by the CRBRP design to mitigate the consequences of a postulated core melt as well as the structural margins to mitigate energetic effects and minimize a direct release of sodium and radionuclides from the primary system through the reactor vessel head. Both the core damage and containment event trees will be accompanied by documentation of the bases for selecting probabilities for each nodal question. The proposed work will include a limited amount of analyses, as follows:

o Thermal-hydraulics evaluation of the protected loss of heat sink accident.

o Thermodynamic and heat transfer evaluation of the CRBRP primary heat transport system as it applies to the protected loss of heat sink accident.

o Extrapolation of currently available CACECO analyses to apply to the protected loss of heat sink accident.

o Limited structural calculations to assess the structural integrity of CRBRP systems and components in areas where it is necessary for supporting phenomenological event trees.

The products of these analyses will include definition and probabilistic quantification of the range of potential sequences by which large quantities of radionuclides might be released from containment following a variety of accident sequences which produce core damage. These containment phenomenological sequences will define the conditions under which detailed analyses of the radionuclide source term from containment need to be completed.

2.3.2 SOURCE TERM EVALUATION

An analysis will be performed to define the environmental source term for each of the unique paths through the containment phenomenological event trees for which significant releases of radionuclides are expected. Existing computer codes which will be involved in these analyses include CACECO, HAA-3, and COMRADEX. In addition, ex-core sources of radionuclides will be evaluated.

2.4 EX-PLANT (SITE) CONSEQUENCE ANALYSIS

The ex-plant consequence analysis will characterize the distribution of public health effects which can result from accidents involving core damage and significant radionuclide releases to the environment. Results from such an analysis will be used for a variety of purposes including:

(a) Assessment of the uncertainties in public health effect distributions resulting from uncertainties in predicted accident sequence probabilities and radionuclide releases from containment;

(b) Employment of estimates of accident effects to support cost-benefit analyses for postulated plant design or procedural modifications;

(c) Support for development of emergency response procedures which relate to the expected accident characteristics and effects.

The characterization of ex-plant (site) consequences will be accomplished using the CRAC II code together with the meteorological and demographic data for the CRBRP site.

2.5 PRA APPLICATIONS TASKS

The purpose of this section of the plan is to summarize the tasks which are being considered for application of the PRA.

A number of PRA applications can be implemented by using the results of the PRA. In general these applications rely on two characteristics of a PRA and its results:

1. A carefully implemented PRA represents an approach to a complete description of the accident sequences which have the potential to cause damage to the core;
2. A thoroughly performed and documented PRA incorporates sufficient information to provide a quantitative ranking of the importance of equipment failures and human errors to both the frequency of core damage and the public health risk.

The use of these characteristics in a variety of application tasks is discussed below.

2.5.1 OPERATOR ACTION EVENT TREES

Operator Action Event Trees (OAETs) are a method developed to investigate the role of the plant operating staff in important accident sequences (Ref. NUREG/CR-1440). The analysis addresses three fundamental questions:

1) What actions can (or must) the operator take in response to the accident condition?
2) What information is required by the operator to take this action?
3) What instrumentation is necessary and sufficient to provide this information?

By developing logic models and supporting information which allow these questions to be addressed systematically, a very detailed description of the operator's role in managing an accident sequence can be developed. This description will also provide information about the specific role of plant instrumentation in informing the operator of the status of the plant. A complete set of OAETs usually consists of one tree for each dominant accident sequence. Common characteristics among a number of dominant sequences allow the total number of OAETs required to be reduced to fewer than the number of dominant sequences.

2.5.2 ASSESSMENT OF THE EFFECTIVENESS OF POSTULATED DESIGN VARIATIONS INCLUDING CONSEQUENCE MITIGATION FEATURES

Models developed during the PRA can be utilized to assess the potential benefits or lack thereof associated with postulated changes in plant design. These changes may be oriented toward reducing the frequency of events which produce core damage or mitigating the consequences of these events.

The present design of the CRBRP containment includes a number of systems designed to mitigate accident consequences. A quantitative display of the effects of these features on the risk from the CRBRP can be developed. Such a comparative evaluation is called for in NUREG-0718, item II.B.8. This evaluation can include sensitivity studies in which the effectiveness both of currently designed and of postulated consequence mitigation systems can be assessed. One result of applying this evaluation process can be confirmation that the final plant design satisfies the licensing objective of ensuring a level of safety comparable to current LWRs.

In addition, a search of dominant accident sequences can be conducted to assess whether cost effective modifications to the existing design can be postulated. Where such potentially useful modifications are identified, a more detailed evaluation of alternative approaches to reducing the risk contribution from one or more dominant accident sequences can be performed. This evaluation can include assessment of feasibility, effectiveness, and cost of a variety of postulated changes.

2.5.3 IMPROVE UNDERSTANDING OF THE PLANT

Additional PRA applications which can be undertaken to assure that the insights gained in the conduct of the PRA are factored into the design and operation of the plant include:

1. Supplement the existing programs designed to address operator aids, including Reg. Guides 1.47, 1.97, and NUREG-0497. This supplement can be provided by the use of the PRA in defining and ranking the risk significance of alarms and instrumentation which are designed to improve the operator's ability to prevent and mitigate the consequences of severe accident sequences.
2. Assist in the development and validation of emergency procedure guidelines. As in the LWR industry, the PRA as expanded by the use of OAETs can be used to assist in the development and validation of emergency procedure guidelines.
3. Provide information on the integrated performance of plant systems and instrumentation for use in evaluating the design and utilization of the plant simulator, as well as to train operators and other plant personnel.
4. Assess the sensitivity of the CRBRP risk to uncertainties in the reliability of equipment required to perform its function in a degraded environment. If appropriate, alternative design features intended to reduce the sensitivity of the overall plant risk to these uncertainties can be defined and evaluated.
5. Evaluate the risk contribution and sensitivities to the testing interval of equipment and to the allowable on-line maintenance interval. This evaluation will allow Technical Specifications to be implemented at the CRBRP in a manner which assures the minimum plant risk without unnecessarily restricting plant operation during the maintenance of safety related equipment.

2.5.4 CHARACTERIZATION OF RISK FROM EARLY LIFE FAILURES

The approach devised to contend with the problems anticipated to occur during early years of operation should include two important elements.

Both of these elements involve the careful screening of available operational data and results from the PRA. The first element should be designed to analyze these data to focus on the potential for systematic recurring failure causes and to identify measures which have been successfully used in the past to contend with these causes.

The second element must be designed to focus on the equipment which has or is expected to produce the most significant operational problems and to define operational, maintenance, or training programs which might reduce the severity of these specific equipment failures.

2.5.5 IMPLEMENTATION OF A CONTINUING RISK MANAGEMENT PROGRAM

Since a well formulated PRA will have applications as a tool to evaluate operational experience and to address licensing issues which will arise during the operation of the plant, a program can be developed to facilitate use of the study in these applications.

Implementation of such a continuing risk management program would have several important aspects, including:

1. Formulation of the models and documentation developed during the PRA to facilitate ease of long-term utilization;
2. Transfer of the PRA technology and associated tools to the TVA operations staff;
3. Definition of a TVA program by which the PRA and its associated documentation can be updated to reflect the current state of the plant design and operation as well as current operational experience.

The continuing risk management program would allow several of the applications to be carried out by the TVA plant staff throughout the life of the plant. The program would also provide a much higher level of assurance that operational and back-fit decisions would be based on a realistic and complete understanding of the important safety characteristics of the plant. This understanding would clearly be influenced by experience gained in the operation of the plant.

2.5.6 INPUT TO THE SITE EMERGENCY PROCEDURES

The PRA can be used as an effective tool to assist in the development and implementation of the site emergency procedures. The use of the PRA in this role is supported by the fact that it embodies a description of important accident sequences which includes estimates of the timing of significant radionuclide releases relative to the occurrence of the initiating event and the subsequent system failures which lead to significant core damage.


By using this definition of the timing of the accident together with a description embodied in the CRAC-II code of the effect of meteorology and demography on population exposure, various strategies can be developed and assessed to determine the combination of evacuation and shielding (i.e., non-evacuation) which minimizes population exposure given a set of meteorological conditions.

Developments in the real-time forecasting of meteorological conditions might also allow facilities to be developed which would allow management of the details of the emergency procedures implementation based on well characterized conditions both in the plant and at the site.

2.6 INTERACTION WITH THE NRC

The Project believes that ensuring high reliability of CRBR critical safety functions through the application of available reliability and risk assessment techniques will require cooperation with the NRC. The Project desires to commit to an interactive, phased review process on a mutually acceptable schedule. Such a process will be designed to promote an improved understanding of the PRA complexities, uncertainties, and validity and to have NRC provide comments on schedule, scope, and detailed implementation for project consideration as the work progresses.

This review process is to be carried out at appropriate intervals during the PRA program in a two-stage format. The first stage will be designed as an overview to provide information to NRC management on the overall status of the effort and on the significant results. The second stage will be designed to support more informal detailed discussions of methodology and interim results. This latter stage is aimed at providing more technical detail to the NRC staff and its consultants.

As noted earlier, as the PRA progresses a more detailed definition of the methodology to be used in such analyses as seismic risk characterization will be developed. It is expected that this more detailed methodology will be presented at appropriate NRC review meetings and that comments will be considered on the selected methodology as it relates to issues which the NRC considers to be candidates for resolution or prioritization using the PRA.

2.7 ACCIDENT DELINEATION

The CRBRP Project and the NRC are currently pursuing programs aimed at providing additional assurance that all appropriate sequences are included within the reactor design envelope. As part of this program, the CRBRP Project is preparing documentation on the bases upon which the current design events have been defined. A complete set of initiators together with a well formulated and quantified set of event trees and fault trees will provide a set of accident sequences in a probabilistic context. A review of the accident sequences developed in the PRA will be performed to define a reasonable set to serve as the design envelope. This review will include the following considerations:

1. A set of criteria on which definition of sequences comprising the design envelope should be based will be presented in the referenced project documentation.
2. Accident sequences produced in the PRA (including sequences which do not result in core damage) can be characterized by:
a. Occurrence frequency;
b. Number of active failures following the initiating event (minimum);
c. Number of passive failures following the initiating event (minimum);
d. Severity of sequence impact on the environment surrounding safety-related equipment;
e. Severity of sequence challenge to systems designed to remove decay heat (e.g., how many different systems are capable or available to remove decay heat at the end of the sequence);
f. Severity of sequence challenge to reactor structures, including the containment building;
g. The availability of support systems in important sequences at the point in the sequence at which a particular system is required to perform its function.
3. Consider both plant induced and external initiating event sequences in this analysis;
4. Select sequences based on the criteria in (1) and the characteristics in (2);
5. Compare the selected sequences with those which currently comprise the design envelope and group the sequences by the various measures of severity defined in (2). The result of this comparison and grouping should be a reduced set of sequences, many of which are enveloped by current design events. Any significant new events would be added to the design basis.
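As an added illustration of screening steps 1 through 5 above (example code written for this page, not part of the CRBRP program plan or its project documentation), the following Python carries the characterization, selection, grouping, and comparison against current design events over a small constructed set of sequences. The frequency cutoff, failure-count limits, the 0 to 3 severity scales, and the sequence labels are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sequence:
    name: str                  # constructed label
    frequency: float           # a. occurrence frequency (per reactor-year)
    active_failures: int       # b. minimum active failures after the initiator
    passive_failures: int      # c. minimum passive failures after the initiator
    env_severity: int          # d. 0 (none) .. 3 (severe) impact on safety-equipment environment
    dhr_systems_left: int      # e. decay heat removal systems still available at sequence end
    struct_severity: int       # f. 0 .. 3 challenge to reactor structures and containment
    support_available: bool    # g. support systems available when the system is needed
    external: bool             # item 3: external (True) or plant-induced (False) initiator

# Item 1 criteria: assumed screening values for this example, not the project's.
FREQ_CUTOFF = 1e-6     # below this frequency a sequence is not enveloped
MAX_ACTIVE = 2
MAX_PASSIVE = 1

def select(seq):
    """Item 4: keep credible sequences that are either within the failure-count
    limits or leave no decay heat removal system available."""
    credible = seq.frequency >= FREQ_CUTOFF
    within_limits = (seq.active_failures <= MAX_ACTIVE
                     and seq.passive_failures <= MAX_PASSIVE)
    return credible and (within_limits or seq.dhr_systems_left == 0)

def severity_class(seq):
    """Item 5 grouping key: the severity measures d, e, f and g."""
    return (seq.env_severity, seq.dhr_systems_left,
            seq.struct_severity, seq.support_available)

def screen(sequences, design_events):
    """Items 3-5: both initiator kinds are considered, selected sequences are grouped
    by severity class, and classes no current design event covers become new events."""
    groups = {}
    for s in sequences:
        if select(s):
            groups.setdefault(severity_class(s), []).append(s.name)
    covered = {severity_class(e) for e in design_events}
    new_events = sorted(n for k, names in groups.items()
                        if k not in covered for n in names)
    return groups, new_events

# Constructed data: two current design events and five PRA sequences.
DESIGN_EVENTS = [
    Sequence("DE-1", 1e-2, 1, 0, 1, 2, 0, True, False),
    Sequence("DE-2", 1e-4, 2, 1, 2, 1, 1, True, False),
]
SEQUENCES = [
    Sequence("LOF-A", 1e-3, 1, 0, 1, 2, 0, True, False),    # enveloped by DE-1
    Sequence("LOF-B", 1e-9, 3, 0, 2, 0, 2, True, False),    # screened out: too improbable
    Sequence("TOP-C", 5e-6, 2, 1, 2, 1, 1, True, False),    # enveloped by DE-2
    Sequence("SEIS-D", 2e-5, 4, 2, 3, 0, 3, False, True),   # kept: no DHR system left
    Sequence("LOHS-E", 3e-6, 1, 1, 2, 1, 1, False, False),  # new: support systems lost
]
if __name__ == "__main__":
    print(screen(SEQUENCES, DESIGN_EVENTS)[1])  # -> ['LOHS-E', 'SEIS-D']
```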

The product of this effort will be presented and discussed at one of the NRC program review meetings.

2.8 STUDY LIMITATIONS

A brief summary listing of the study limitations is presented below:

1. COMPLETENESS AND LEVEL OF DETAIL OF THE MODELS- The issues of completeness and level of detail of the models are complicated in the CRBRP PRA as a result of the state of the design and the unavailability of details of construction. These limitations can, however, also be viewed as strengths, since there is the opportunity to utilize the PRA in reviewing these design details for their risk implications as they are established.

2. HUMAN FACTORS ANALYSIS- The role of the plant operations staff in the initiation, aggravation, and mitigation of an accident will be modeled in the fault trees and event trees developed to describe the sequence of events. Since the ability of these models and the available quantification methods to evaluate the role of the operator in situations which are outside the range of existing procedures is quite limited, a supplementary approach can be utilized. In this approach, operator action event trees can be used to investigate the role of the operations staff in severe accident sequences. The results of this analysis can then be utilized in the development and validation of emergency procedure guidelines and in the definition of operator aids of potential value.
3. EXTERNAL EVENT QUANTIFICATION- Experience with the analysis of risk from external events (e.g., seismic events) has shown that the associated uncertainties are significantly larger than for accident sequences initiated by in-plant causes (which typically have a less pervasive effect on equipment reliability). Nevertheless, external events have in some cases been assessed to be significant contributors to plant risk. This analysis, with its inherent uncertainties, has therefore been included within the scope of the PRA.

4. FAILURE DATA- A significant quantity of failure data is available for equipment on the steam side of the CRBRP. These data have uncertainties no greater than those associated with LWRs. Components on the sodium side (e.g., pumps, valves, pipes) and at the interface between the sodium and the steam (evaporators and superheaters) are much less well characterized. Although uncertainties in the reliability of these components exist, the implications of these uncertainties to the risk profile can be well characterized using sensitivity studies carried out within the context of the risk assessment. Other areas in which significant uncertainties exist which may be important to the overall description of plant risk include:
a. Initiator frequency;
b. Equipment reliability in a degraded environment;
c. Equipment repair time distributions and allowable on-line maintenance intervals.
5. ACCIDENT CHARACTERISTICS- Both the response of the core to conditions which will produce core degradation and the response of the containment to severe accident sequences are somewhat uncertain. These uncertainties are being handled by the use of phenomenological event trees developed to describe physical processes which can lead to accident energetics and to containment failure following core damage.

6. SITE SPECIFIC CHARACTERISTICS- The effects of uncertainties in site meteorology and demography as well as in evacuation procedures can produce significant uncertainties in overall risk. Again, the effect of these uncertainties can be investigated using sensitivity analysis.

3.0 STUDY PERFORMANCE AND REVIEW

The purpose of this section is to describe the study performance and review. Organizations which are presently involved in implementation of the study are shown in Figure 2. Also shown on the figure, in a box separated from the PRA performers, are the design and contractor organizations. These organizations will serve both to provide information about the plant features to the PRA performers and to review the technical results of the study for accuracy and completeness.

The overall review program is pictured in Figure 3. As shown, four levels of review by the CRBRP Project and its consultants are planned. The first level is a working review by the performing organizations designed to assure the technical accuracy, clarity, and consistency of elements of the product. The second level is a review by CRBRP Project interfacing organizations to assure consistency of the elements of the analysis with plant design and operational characteristics. The third level of review will be conducted by a project management review committee to assess the validity of the approach taken to project integration and to assure proper implementation of the approach. Finally, the fourth step is an overall review by a peer review group made up of participants external to the Project. The purpose of this final review is to assess the adequacy of the program integration and to evaluate the consistency of the methods used with the state-of-the-art.

The CRBRP Project Office will ultimately be responsible for utilizing the results and insights from the risk assessment to help ensure that the systems designed to shut down the plant, to cool the core, and to mitigate the effects of severe accident sequences are designed and operated to be consistent with good engineering practice.

... possible changes to the plant design will be made through established Project procedures for engineering, such as those for change proposals (ECPs). These proven procedures ensure both consideration and review of proposals by all affected personnel throughout the project.

4.0 SCHEDULE AND MILESTONES

The PRA products are listed in Table 1 and the schedule for key milestones in the PRA is depicted on Figure 4. As shown, the program is expected to produce a final report in late 1984.


TABLE 1 CRBRP PRA PRODUCTS

PRODUCTS

o INITIATING EVENT TOP LOGIC AND INITIATOR COMPLETENESS ANALYSIS
o PROBABILISTICALLY QUANTIFIED ACCIDENT SEQUENCES AND THEIR BASIS
A. SYSTEM FUNCTIONAL EVENT TREES
B. FAULT TREES
C. DETAILED COMMON CAUSE FAILURE ANALYSIS (SYSTEMS INTERACTION EVALUATION)
D. EXTERNAL EVENT EVALUATION (SEISMIC, ETC.)
o CORE DAMAGE PHENOMENOLOGICAL EVENT TREES AND QUANTIFICATION
o CONTAINMENT PHENOMENOLOGICAL EVENT TREES AND QUANTIFICATION
o UNCERTAINTY ANALYSIS
o RADIONUCLIDE RELEASE ANALYSIS
o HEALTH CONSEQUENCE ANALYSIS
o ANALYSIS OF EX-CORE SOURCES OF RADIONUCLIDES
o DEFINITION OF PROGRAM TO SUPPORT CONTINUING OPERATIONAL APPLICATIONS
o OPERATOR ACTION EVENT TREES AND APPLICATIONS TO OPERATIONS SUPPORT AND TRAINING PROGRAMS
o DEFINITION OF A RISK-BASED PROGRAM TO DEFINE AND CORRECT SIGNIFICANT EARLY LIFE FAILURES
o EVALUATION OF POTENTIAL RISK REDUCTION ASSOCIATED WITH SUGGESTED DESIGN CHANGES
o EVALUATION OF RISK CONTRIBUTION AND SENSITIVITIES TO EQUIPMENT TESTING INTERVALS (TECH. SPEC. IMPACT)
o DETAILED DOCUMENTATION OF STUDY AND FINAL REPORT


FIGURE 1 PRA FLOWCHART

[Flowchart; only the box titles are recoverable from the scan.] Main flow: ACCIDENT INITIATORS -> SYSTEM EVENT TREES (fed by FAULT TREES and EXTERNAL EVENTS) -> CORE DAMAGE PHENOMENOLOGICAL EVENT TREES -> CONTAINMENT PHENOMENOLOGICAL EVENT TREES -> RADIONUCLIDE RELEASE ANALYSIS -> RISK ANALYSIS. Labels across the top of the chart: ASSIGNMENT OF PLANT STATES, ASSIGNMENT OF RELEASE CATEGORIES, ASSIGNMENT OF HEALTH EFFECTS.

FIGURE 2 CRBRP PRA ORGANIZATION

[Organization chart; only the box titles are recoverable from the scan.] CRBRP PROJECT OFFICE (top); ACCIDENT SEQUENCE DEFINITION AND QUANTIFICATION: EG&G-IDAHO; WOOD-LEAVER & ASSOCIATES, INC.; ACCIDENT PROCESS ANALYSIS: FAUSKE & ASSOCIATES, INC.; SOURCE TERM EVALUATION AND HEALTH CONSEQUENCE ANALYSIS; PROJECT DESIGN AND OPERATIONAL ORGANIZATIONS (shown in a separate box).

FIGURE 3 ANTICIPATED PRA INTERNAL REVIEW

PLAN ELEMENTS and PURPOSE:

o INTERNAL REVIEW BY ORIGINATING ORGANIZATION - ASSURE QUALITY, CLARITY, AND CONSISTENCY OF ELEMENTS OF PRODUCT
o REVIEW BY PROJECT INTERFACING ORGANIZATIONS (DESIGNERS, SAFETY AND LICENSING) - ASSURE CONSISTENCY OF ELEMENTS OF ANALYSIS WITH DESIGN AND OPERATIONAL CHARACTERISTICS
o OVERALL REVIEW BY DESIGNATED PROJECT COMMITTEE - ASSURE PROPER INTEGRATION OF PRODUCT ELEMENTS AND ACCURACY OF APPROACH TO INTEGRATION
o OVERALL REVIEW BY EXTERNAL PEER REVIEW BOARD - PEER REVIEW OF PROJECT INTEGRATION APPROACH FOR ACCURACY AND CONSISTENCY WITH STATE-OF-THE-ART IN PRA

FIGURE 4 EXPECTED SCHEDULE OF PRA PRODUCTS

[Milestone chart spanning 12/81 to 12/84 in half-year intervals; individual milestone dates are not recoverable from the scan.] Activities and milestones shown: LICENSING (SAFETY EVALUATION REPORT, DRAFT SUPPLEMENTAL SER, REVISED SER); INITIATING EVENT DEVELOPMENT (DRAFT, REVISED, REPORT ISSUED); SYSTEM FUNCTION EVENT TREE DEVELOPMENT (DRAFT EVENT TREES, REVISED EVENT TREES); FAULT TREE DEVELOPMENT (DRAFT FAULT TREES, REVISED FAULT TREES); PHENOMENOLOGICAL EVENT TREES; RADIONUCLIDE RELEASES (DRAFT RELEASE CATEGORIES, RELEASE CATEGORIES); SEQUENCE DEFINITION AND CCFA (PRELIMINARY, FINAL); HEALTH CONSEQUENCES (HEALTH EFFECTS); STUDY APPLICATIONS; FINAL REPORT (BEGIN, FINAL REPORT ISSUED).