ML20054H837
| ML20054H837 | |
| Person / Time | |
|---|---|
| Site: | Clinch River |
| Issue date: | 06/30/1982 |
| From: | Copus E SANDIA NATIONAL LABORATORIES |
| To: | NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
| References | |
| CON-FIN-A-1197 NUREG-CR-2681, SAND82-0720, SAND82-720, NUDOCS 8206250048 | |
| Download: ML20054H837 (170) | |
Text
. _ _ _ _ _ _ _ _ _ _
NUREG/CR-2681 SAND 82-0720 R7 Printed April 1982 Estimated Recurrence H Frequencies for initiating Accident Categories Associated With the Clinch River Breeder Reactor Plant Design Ervin R. Copus
. . of!$~*' """ "
under Contract DE-AC04 76DPC0789 D0 K O 57 A PDR Pre sra>oO. S. pared NUCLEAR for REGULATORY COMMISSION
NOTICE This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Gwernment not any agency thereof, or any of their employ-empressed or imphed, or assumes any ces, makesorany legal liability warranty,bihty for any third party's use, or the responsi results of such use, of .tny information, apparatus product or process discimed in this report, or represents that its use by such third party would not ininnge privately owned rights. ,,
{
O/
y :P a
Available from GPO Sales Program Division of TechnicalInformation and Document Control U S. Nuclear Regulatory Commission Washington, D C. 20555 (nd National Technical Information Service Spnngfield Virginia 22161 P
Nr
NUREG/CR-2681 SAND 82-0720 R7 4 Estimated Recurrence Frequencies for Initiating 9ss, Accident Categories Associated with the
. Clinch River Breeder Reactor Plant Design E. R. Copus .
Advanced Reactor Safety Analysis Division 4424 Date Published: April 1982 l
l Sandia National Laboratories Albuquerque, NM 87185 operated by Sandia Corporation for the U. S. Department of Energy Prepared for Division of Reactor Safety Research Office of Nuclear Regulatory Research U. S. Nuclear Regulatory Commission i . Under Memorandum of Understanding DOE 40-550-75 gg NRC FIN NO. A1197
<T
Abstract Estimated recurrence frequencies for each of twenty-five generic LMPBR initiating accident categories were quantified using the Clinch River Breeder Reactor Plant (CRBRP) design.
These estimates were obtained using simplified systems fault O, trees and functional event tree models from the Accident gg Delineation Study Phase I Final Report coupled with order-of-
. magnitude estimates for the initiator-dependent failure proba-bilities of the individual CRBRP engineered safety systems.
Twelve distinct protected accident categories where SCRAM is assumed to be successful are estimated to occur at a combined rate of 10-3 times per year while thirteen unprotected acci-dont categories in which SCRAM fails are estimated to occur at a combined rate on the order of 10-5 times per year. These estimates are thought to be representative despite the fact that human performance factors, maintenance and repair, as well as l input common cause uncertainties, were not treated explicitly. l The overall results indicate that for the CRBRP design no single accident category appears to be dominant, nor can any be totally eliminated from further investigation in the areas of accident phenomenology for in-core events and post-accident phenomenology for containment.
i i
i l .. a
<?
contents Page Abstract ......................................'...... i Index of Tables and Figures ......................... iii
- g I. Introduction ........................................ 1 ,,
I.1 Independent Failure Probabilities and Uncer-tainty Factors for the ESS Functions ........... 3 I.2 A n a l y t i c a l To o l s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 I.3 Common Cause Methodology ....................... 6 II. I n i t i a t o rs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 III. Operator System ..................................... 14 IV. Reactor System ....................................... 20 V. Primary Heat Transport System ....................... 40 VI. Intermediate Heat Transport System .................. 54 VII. Steam / Electrical Generation System (S/EGS) .......... 65 VIII. External Events ..................................... 77 IX. Generic Accident Category Summaries ................. 93 IX.1 Protected Accident Category Summaries ......... 93 l
IX.2 Unprotected Accident Category Summaries ....... 107 i
X. Comparison of Results with other Studies ............ 119 XI. Conclusions and Recommendations ..................... 124 Aphendix A - Generic LMPBR Initiating Accident II$
y Event Tree Development ........................ A-1 i
Apphndix B - LMFBR Initiating Accident Categories ... B-1 l
App *!ndix C - Sensor Systems for the Detection ESS
} Function ...................................... C-1 i
i l References .......................................... R-1 l
5
-ii-
f' 1
Index of Tables and Figures Page Table I.1 - Basic Systems and Subsystems Involved in 3 the Generation, Control, and Transport of A* Heat in CRBRP 0* 4 Figure I.1 - Schematic Illustration of the Systems and Subsystems Essential to the Generation, Control and Transport of Heat in CRBRP Table II.1 - CRBRP Accident Initiators 8 Figure III.1 - Initiating Accident Event Tree for an 15 Operator Subsystem or Manual Control System Failure in CRBRP Figure IV.1 - Initiating Accident Event Tree for a CRBRP 22 Core Subsystem Failure-Due to Local Fault Propagation, Subassembly Failure (s), or Subassembly Overpower Fault (s)
Figure IV.2 - Initiating Accident Event Tree for a CRBRP. lM5 Core Subsystem Failure Caused by Pin Fail-ure(s) or Fuel Pin Overpower Fault (s) That Do Not Propagate or Caused by Intra-Core Axial / Radial Motion / Distortion Figure IV.3 - Initiating Accident Event Tree for a CRBRP 31 Core Support / Restraint Subsystem Failure Figure IV.4 - Initiating Accident Event Tree for a CRBRP 38 Control Subsystem Failure Figure V.1 - Initiating Accident Event Tree for a CRBRP 41 PHTS Pipe / Vessel Subsystem Failure Figure V.2 - Initiating Accident Event Tree for a CRBRP 42 PHTS Pump Subsystem Failure i ,4kg '
Figure V.3 - Initiating Accident Event Tree for a CRBRP .
43 PHTS Coolant Subsystem Failure f Table V.1 - Common Cause Relationships for the PHTS1 44 Initiator 4
Table V.2 - Accident Categories for Initiator PHTS1 45
-lii-
4 Index of Tables and Figures (cont'd)
Page Table V.3 --Common Cause Considerations for the PHTS2A 46 and PHTS2B Initiators Table V.4 - Accident Categories for Initiators PHTS2A 47 'A and PHTS2B
<w
, Table V.5 - Common Cause Relationships for the PHTS3A, 48 PHTS3B, and PHTS3C Initiators Table V.6 - Accident Category Frequencies for Pump 49 Failures (PHTS3A, PHTS3B, and PHTS3C)
Initiators Table V.7 - Common Cause Relationships for the PHTS4, 51 PHTSS, and PHTS6 Initiators Table V.8 - Accident Categories for PHTS Coolant Sub- 52 system Initiators PHTS4, PHTS5, and PHTS6 Table V.9 - Major Accident Categories for PHTS Initiators 53 Figure VI.1 - Initiating Accident Event Tree for a CRBRP 55 i IHTA Pump Subsystem Failure Table VI.1 - Common Cause Relationships for the IHTSIA and 56 IHTSlB Initiators
, Table VI.2 - Accident Categories for IHTS Piping System 57 l Initiators IHTSlA and IHTSlB l Table VI.3 - Common Cause Relationships for the IHTS2A, 58 IHTS2B, and IHTS2C Initiators l
l Table VI.4 - Accident Category Frequencies for the IHTS2A, 59 l IHTS2B, and IHTS2C Initiators l
( Table VI.5 - Common Cause Relationships for the IHTS3A, 61 IHTS3B, and IHTS3C Initiators Table VI.6 - Accident Category Frequencies for the IHTS3A, 62 IHTS3B, and IHTS3C Initiators l Table VI.7 - Common Cause Relationships for the IHTS4 62 Initiator i
j . Table VI.8 - Accident Category Frequencies for the IHTS4 63 l
Initiator i
i iv i
_ . . .. = . _ - -_ -- __
Index of Tables and Fiqures (cont'd)
Page Table VI.9 - !!ajor Accident Categories for the Combined 64 IllTS Initiators
, . Figure VII.1 - Initiating Accident Event Tree for a Generic. 66 CRBRP Steam / Electrical Generation System os Failure 4 i Table VII.1 - Common Cause Relationships for Initiators 67-SGSDRUM, SGSPIPE, and SGSVALVE Table VII.2 - Aceident Categories for the S/EGS Piping 68
. Subsysten Initiators
- Table VII.3 - Common Cause Relationships for the SGSEVP 69 Initiator Table VII.4 - Accident Categories for the SGSEVP Initiator 69 Table VII.5 - Common Cause Relationships for the S/EGS 70 Feedwater Initiators Table VII.6 - Accident Categories for the S/EGS Feedwater 72 Initiators Table VII.7 - Common Cause Relationships for SGSTT1 and 73
', SGSTT2 Initiators Table VII.8- - Accident Categories for the SGSTT1' and SGSTT2 73 Initiators Table VII.9 - Common Cause Relationships for the SGSCON 74 l
Initiator i Table VII.10 - Accident Categories for the SGSCON Initiator 75 Table VIII.1 - ESS Common Cause Relationships for Loss of 78 e Offsite Power
~
Figure VIII.1 - Initiating Accident Event Tree for a Loss 79 yg*
8 of Offsite Power i
Table VIII.2 - S!!RS Response as a Function of Common Cause 80 Relationships
! Table-VIII.3 - Accident Types and Frequencies for the Loss 80 of Offsite Power Initiators t
V J
-, r .- ,,,,-w .,.._..g...
-- , , , , , , _,y ., . ,_ , , . _ , ,,, . [,, ,
Index of Tables and Figures (cont'd)
Page Figure VIII.2 - Initiating Accident Event Tree for 82 Scenario 1 Earthquakes Figure VIII.3 - Initiating Accident Event Tree for 83 **
Scenario 2 Earthquakes Figure VIII.4 Initiating Accident Event Tree for 84 Scenario 3 Earthquakes Figure VIII.5 - Initiating Accident Event Tree for 85 Scenario 4 Earthquakes Figure VIII.6 - Initiating Accident Event Tree for 86 Scenario 5 Earthquakes Table VIII.4 - Earthquake Initiator Frequencies - Per Year 87 Table VIII.5 - Consolidated Conditional ESS Probabilities 88 and (Uncertainty Factors) for Earthquake Initiators Table VIII.6 - Accident Category Frequencies Associated 90 with Earthquake Scenario 1 Table VIII.7 - Accident Category Frequencies Associated 90 with Earthquake scenario 2 Table VIII.8 - Accident Category Frequencies Associated 91 with Earthquake Scenario 3 Table VIII.9 - Accident Category Frequencies Associated 91 with Scenario 4 (DC and PB)
Table VIII.10 - Accident Category Frequencies Associated 92 with Earthquake Scenario 5 (HTS)
Table IX.1 - Estinated Recurrence Frequency for the 95 '
CSA - No Rel. Accident Category Table IX.2 - Estinated Recurrence Frequency for the 95 CSA - Rel. Poss. Accident Category Table IX.3 - Estinated Recurrence Frequency for the 96 DC : CDA Poss. Accident Category Table IX.4 - Estina ted Recurrence Frequency for the 97 DC without FFLOU Accident Category vi
Index of Tables and Figures (cont'd)
Page Table IX.5 - Estinated Recurrence Frequenc'y for the 98 DC without SHRS Accident Category
Table IX.6 - Estimated Recurrence Frequency for the 98 DC and PRPB Accident Category wh Table IX.7 - Estimated Recurrence Frequency for the 99 DC and PRPB without PFLOW Accident Category Table IX.8 - Estimated Recurrence Frequency forLthe 100
! DC and PRPB without SHRS Accident Category l
Table IX.9 - Estimated Recurrence Frequency for the 101 1 PRPB without FFLOW Accident Category Table IX.10 - Estimated Recurrence Frequency for the 101 PRPB without SHRS Accident Category Table IX.ll - Estimated Recurrence Frequency for the 103
- PT/F without FFLOW Accident Category Table IX.12 - Estimated Recurrence Frequency for the 104 PT/F without SHRS Accident Category
- Table IX.13 - Protected Accident Category Summary 106 Table IX.14 - Estinated Recurrence Frequency for the 108 ULOF Accident Category Table IX.15 - Estima ted Recurrence Frequency for the 110 UTOP Accident Category Table IX.16 - Estimated Recurrence Frequency for the 110 USTEP Accident Category Table IX .17 - Estima ted Recurrence Frequency for the 111
- UTOP/USTEP Accident Category Table IX.18 - Estimated Recurrence Frequency for the 112
, URPB Accident Category Table IX.19 - Estimated Recuurrence Frequency for the 112 UCP Accident Category Table IX.20 - Estima ted Recurrence Frequency for the 113 ULOHS Accident Category j
l vii I
Index of Tables and Figures (cont'd)
Page Table IX.21 - Estimated. Recurrence Frequency for the 114 USTEP and ULOF Accident Category Table IX.22 - Estimated Recurrence Frequency for the 115
- UTOP and ULOF Accident Category Table IX.23 - Estimated Recurrence Frequency for the 115 UFOP/USTEP and ULOF Accident Category Table IX.24 - Estimated Recurrence Frequency for the 116 URPB and ULOF Accident Category Table IX.25 - Estimated Recurrence Frequency for the 116 UCF and ULOF Accident Category Table IX.26 - Unprotected Accident Category Sunnary' 118 Table X.1 - Conditional Failure Probability Comparisons 120 for Three Separate LMFBR Accident Analysis Studies Table X.2 - Accident Category Frequency Estimates from 121 Three Separate LMFBR Accident Analysis Studies Table X.3 - A Comparison of Selected Accident Sequences 122 for Three Separate LMPBR Accident Analysis Studies Figure XI.1 - Overall Initiating Accident Frequency 125 Estinates for CRBRP Figure A.1 - Mathematically Complete, Generic LMFBR A-4 Initiating Accident Event Tree i Figure A.2 - Reduced Generic LMFBR Initiating Accident A-6 Event Tree Figure A.3 - Red uc ed Initiating Accident Event Tree for A-7 a General Subsystem Failure in CRBRP e
Table B.1 - Spectrum of Possible LMFBR Initiating B-15 Accident Categories As Identified and Labeled in This Study Table C.1 - Primary Detection System Protective Subsystems C-2 Table C.2 - Secondary Detection System Protective C-4 Subsystems viii
Introduction The purpose of this report is to estimate approximate recurrence frequencies of various accident categories in the Clinch River Breeder Reactor (CRBR) . This should provide iden-tification of most of the dominant accident sequences and of the the relative importance of various types of accidents (accident categories). The consequences of these various accident cate-o gories may range from benign to, perhaps, catastrophic, however this question must be dealt with in subsequent analysis.
Although the results of this study are compared with other CRBR-related risk analyses, the purpose of this study was not to assess or evaluate risk. A relatively small effort was devoted to this present study; a substantially greater effort is needed to provide a definitive evaluation of the risk associated with the CRBR safety systems. This study, like the previous LMFBR Accident Delineation work done at Sandia, is based on a design of several years ago. The current design is slightly different; nevertheless it is similar enough that the conclusions of this study appear to be at least qualitatively correct. A more extensive Clinch River Risk Assessment study is currently.
being initiated which will be based on the current CRBRP design.
Due to the limited resources devoted to this study, many approximations were made, some of them rather arbitrary, particu-larly in the area of common cause effects. Thus the resulting accident recurrence frequencies may be somewhat inaccurate, how-ever this study can be used to identify those areas where addi-tional work is needed to improve the uncertainties associated with generic LMFBR accident categories.
The event tree methodology utilized in the Reactor Safety Study (Reference 1) for Light Water Reactors (LWRs) and in the CRBRP Safety Study (Reference 2) is an effective way to display accident sequences in a manner that lends itself to quantifica-tion. In both studies, the starting point for each event tree was labeled " accident initiator or initiating event." These
" accident initiators" typically result in a system or subsystem
- failure during power operation requiring successful protective plant responses (i.e., reactor shutdown or SCRAM and removal of decay heat) to avert a Core Disruptive Accident (CDA). Since the only condition during power operation that can lead to core disruption is a heat imbalance between the heat generation rate and the heat removal rate, i.e., overpower or undercooling,
" accident initiator" in this study has been defined to be a failure or fault in any major subsystem that directly affects the generation, control, or transfer of heat during operation and which requires a protective response from Engineered Safety Systems (ESSs). Given an accident initiator defined in this
. = . - __. , ., .
f manner, it is possible in a qualitative delineation to construct
, initiating accident event trees for a limited number of subsys-tem failures using the success / failure states of the ESSs as the important branch-point questions. The Accident Delineation Study Phase I Final Report (Reference 3) used this technique (see Appen-dix A) to develop a set of reduced initiating accident event trees for CRBRP. The end points of those event trees define sequences
- which delineate twenty-five generic accident categoriea. These categories are described in detail in Appendix B. Once the recur-rence frequencies for these accident categories have been estab- i, lished, further analysis can be performed in the Accident Phenom-enology and Containment areas as described in the ADS Phase I Report.
Two major CRBRP systems are defined to correspond to the generation and transfer of heat and include the Reactor System (RS) and the Heat Transport System (HTS), respectively. Since the HTS of the CRBRP is a three-stage system, it has been further subdivided into its three stages: (1) the Primary Heat Transport System (PHTS), (2) the Intermediate Heat Transport System (IHTS),
and (3) the Steam / Electrical Generation System (S/EGS). These l four basic systems (RS, PHTS, IHTS, and S/EGS) were then sub-divided into their major subsystems wherein failures can effect the generation, control, or transfer of heat during operation.
Table I.1 illustrates the results of subdividing the four basic CRBRP Systems into fourteen subsystems. Notice that a fifth system, termed the Manual Control System (MCS), is included making the total number of subsystems fifteen since the " Operator" is the only subsystem identified within the Manual Control System. The systems and subsystems identified in Table I.1 are described in Appendix A of Reference 3.
4 The basic CRBRP systems and subsystems together with their function in the generation, control, and transport of heat and power during plant operation is illustrated in the schematic diagram in Figure I.l.
A failure or a fault during operation in one of the CRBRP subsystems (denoted in Figure I.1) represents an accident initi-ator for which a corresponding initiating accident event tree is applied. As illustrated in Appendix A, the end points of that event tree describe accident sequences which can be grouped into generic accident categories. The specific type of acci- ,
dent category will depend mainly on which initiator starts the sequence. The estimated recurrence frequency contribution towards each accident category can be calculated by first estimating the recurrence frequency of the initiator, then assigning an initiator-dependent conditional failure proba-bility for each ESS branch point on the functional event tree and propagating the initiator through the event tree sequences to the accident category end points. After performing this
, E _
type of analysis for a comprehensive set of CRBRP systems-related initiators, the contributions to each generic accident category can be summed and an overall recurrence frequency can be estimated.
Table I.1
, Basic Systems and Subsystems Involved in the Generation, Control, and Transport of Heat in CRBRP System Subsystem __
Reactor Core Core Support / Restraint Control
==============================================
PHTS Pipe / Vessel Pump Coolant
==============================================
IllTS Pipe Pump Coolant
==============================================
S/EGS Steam Generator /Superheater Steam Piping Feedwater Turbine / Generator Condenser
==============================================
4 Manual Control System Operator o .
I.1 Independent Failure Probabilities and Uncertainty Factors for the ESS Functions The ESS branch points used in this study are: De tec tion ,
SCRAM, Pump Trip, SHRS, and Forced Flow. Fault tree models which describe these ESS f unctions were developed (Reference 4 )
MANUAL CONTROL SYSTEM (OPERATOR)
- HEAT TRANSPORT SYSTEM SYSTEM
- -- PHTS : : IHTS : : S/EGS CONTROL STEAM -
PIPE I '
PIPING [-
' RBINE GENERATOR COOLANT ,
e CONDENSER PUMP r
3 STEAM GENERATOR CORE CdRE i
/
SUPPORT / RESTRAIN
/////////////////////
l PUMPS /FEEDWATER COOLANT I PIPE /
VESSEL PUMP I
Figure I.1 Schematic Illustration of the Systems and Subsystems Essential to the Generation, Control and Transport of IIcat in CRBRP.
l i
and the independent failure probabilities with uncertainty bounds have been estimated. These values are tabulated below:
ESS Function Failure Per Challenge Uncertainty Factor
. Detection 8x10-10 10 SCRAM 7 x10 -8 to Pump Trip 3x10-4 5
. SHRS 2x10-8 5 Forced Flow 5x10-6 5 Here the " uncertainty factor" represents a 5 and 95 percen-tile confidence bound based solely on estimated component failure data uncertainties which are propagated through the fault tree log ic via Monte-Carlo analysis. This type of uncertainty factor is reported for all of the ESS conditional failure estimates and generic accident category frequencies in an attempt to show how the distribution integrals associated with any failure analysis can combine and affect the overall accident frequency.
I.2 Analytical Tools The primary tools used to reduce and quantify the Detection, SCRAM, and SHRS fault trees were the SETS, SEP, and FTD computer prog rams (Reference 5 ). The Set Equation Transformation System (SETS) program is a very general, flexible code used for' manip-ulating Boolean equations which can be derived from fault trees.
Given the f ault tree representation as input, SETS can be used to produce an equivalent Boolean equation which is then reduced systematically into the fundamental ways that the top event (failure) can occur. This Boolean expression represents a com-prehensive set of the minimal paths to failure which are referred to as the minimal cut sets of the given fault tree. Once the min-imal cut sets are known, the Sets Evaluation Program (SEP) code can be used to numerically estimate the probability of failure associated with the given fault tree. Given the minimal cut sets
, equation and the independent failure probability for each basic event (i.e., basic component) in that equation, SEP will compute the estimated upper bound based on the statistical rare event
. approximation of the failure probability of the top or any inter-mediate event as well as the relative importance ranking of the basic events. In addition, if the error associated with each basic event is known, a Monte-Carlo technique similar to the one (SAMPLE) used in WASH-1400 (Reference 1) can be used to estimate the probability distribution associated with the top or any inter-mediate event. The Fault Tree Drawing (FTD) program produces a plot of the SETS Boolean expression in fault tree format which can be used to check the fault tree logic and provide a base for hand calculations.
I.3 Common cause Methodology A conditional failure probability for each of the CRBRP Engineered Safety Systems must be determined in order to permit quantification of the overall frequencies of the CRBRP initi-ating accident categories. These ESS conditional failure prob-abilities are highly susceptible to initiator dependencies due ,
to special conditions as well as other common mode /cause effects due to secondary events. Throughout this report these two situ-ations are combined under the headings " common cause relation- .
ships" and " common cause considerations" mainly for convenience sake, rather than under the more cumbersome but perhaps more proper title of " Initiator Dependencies Including Common Cause/ Mode Considerations".
Methods have been developed to analyze the impact of special conditions and secondary events (i.e., common cause i effects) on the behavior of a system without requiring an explicit representation of these effects. These methods are directly applicable to fault tree analysis using the SETS com-puter code and are described in SAND 77-1832 " Common Cause Anal-ysis Using SETS" (Reference 6). The methodology described in Reference 6 is extended one step further in this study in an attempt to quantify potential common cause minimal cut sets and show how these minimal cut sets can affect the overall system failure probability. Un fortunately , sufficient data does not exist such that the common cause related conditional failure probability for any particular basic event within the ESS fault trees can be determined with confidence. Thus the overall ESS conditional failure probabilities generated and reported in subsequent sections of this report should not be considered as absolute values. Instead these conditional fail-ure rates represent the potential common cause effect due to order-of-magnitude estimates described individually for each ESS and initiator. Generally, these common cause estimates are intended to represent the maximum plausible common cause effect and are probably somewhat conservative in nature. Whether or not this assumption of conservatism is correct, however, is sub-ject to speculation and may or may not be borne out by a more thorough and rigorous treatment of common cause mechanisms. ,
II. Accident Initiators A set of accident initiators was chosen for use in the determination of conditional f ailure probabilities for the engineered safety systems branch points. A total of forty-four initiators was selected. The data sources used to quan-tify the recurrence frequency associated with each initiator were:
, , 1. CRBRP Safety Study (Reference 2)
- 2. Component Failure Data (References 7 and 8)
- 3. Design Duty Cycle (Reference 7)
- 4. Clinch River Breeder Reactor PSAR (Reference 9)
! The forty-four initiators are listed by their respective ESS function in Table II.l. The total recurrence frequency for all the initiators results in 13.6 challenges per year to the Engineered Safety Systems.
j i
I e
e 4
1
Table II.l. CRBRP Accident Initiators Recurrence Uncer-Frequency tainty Re fe rence (System / Initiator) (per year) Factor Source Operator System
- 1. All SHRS okay (OPERRl) 3 2 CRBR SS
- 2. One HTS out (OPERR2) 2 2 CRBR SS
- 3. DHRS out (OPERR3) .5 3 CRBR SS Reactor System co
' A. Core Subsystem
- 1. Local fault propagation, subassembly faults (RCOREA) 10-4 10 CRBR SS
- 2. Pin failure, local radial motion (RCOREB - 4 classes) 10-5 10 CRBR SS B. Core Restraint Subsystem
- 1. Support structure failure.(RSUPPA) 10-8 100. CRBR SS
- 2. Large scale motion (RSUPPB) 10-7 100 CRBR SS
- 3. Loss of hydraulic holddown (RSUPPC) 10-4 10 CRBR SS
Table II.1 (Continued)
Recurrence Uncer-Frequency tainty Reference (System /Initia tor ) (per year) Factor Source C. Core Control Subsystem 1 Single rod , low speed (RCON1)' 3x10-1 3 CRBR SS
- 2. Single rod, high speed (RCOtI2 ) 10-6 10 CRBR SS
I Primary Heat Transport System A. Pipe / Vessel Subsystem
- 2. Pipe rupture (PHTS2 - 2 classes) 10-7 100 CRBR SS B. Pump Subsystem
- l. Loss of flow in 1 pump (PHTS3 A ) .6 3 Failure Data
- 2. Loss of flow in 2 pumps (PHTS3 B) .02 3 Failure Data
- 3. Loss of flow in 3 pumps (PH TS3C ) .01 3 CRBR SS
-i Table II.1-(Continued)
Recurrence Uncer-Frequency tainty Reference (System / Initiator) (per year) Factor Source C. Coolant Subsystem
- 1. Moderator in coolant (PIITS4 ) 10-5 10 CRBR SS
- 2. Gas bubbles (PHTSS) 10-5 10 CRBR SS
- 3. DHRS insertion due to 1.8x10-3 5 Failure Data
- valve-failure (PHTS6) h o
IHT System -
j A. Pipe Subsystem (rupture) (IHTS1 - 2 10-7 100 CRBR SS classes)
'B. ' Pump Subsystem
- 1. Loss of flow in 1 pump (IHTS2A) .6 3 Failure Data l 2. Loss of flow in 2 pumps (IHTS2B) .02 3 Failure Data
- 3. Loss of flow in 3 pumps-(IHTS2C) .01 3 .CRBR SS l
1 O e e e
, w . .
4 Table II.1-(Continued)
Recurrence Uncer-Frequency tainty Reference j (System / Initiator) (per year) Factor Source .
C. Coolant Subsystem 1.1 Rupture disk failure (IHTS3A) 8x10-1 3 Duty Cycle 2.2 Rupture disk failures (IHTS3B) 3xlO-2 3 Duty Cycle 3.3 Rupture disk failures (IHTS3C) 2x10-2 3 Duty Cycle
- 4. Drain valve failure (IHTS4) 10-5 10 Failure Data i
H
' H i i Steam / Electrical Generator System A. Piping Subsystem
- 1. Steam drum (SGS-DRUM) .1/ loop 2 Duty Cycle
- 2. Main steam piping (SGS-PIPE) .18/ loop 5 Failure Data
- 3. Valves (SGS-VALVE) .43/ loop 2 Duty Cycle
+
B. Steam Generator /Superheater Subsystem Tubes (sodium leaks) (SGS-EVP)
- 1. .3/ loop 2 Duty Cycle 4
4 i'
r
- . . . . = . _ .. . - ..
Table II.1 ( Continued )
Recurrence Uncer-Frequency tainty Reference (System / Initiator) (per year) Factor __
Source C. Feedwater Subsystem (all) 2 3 CRBR SS
] 1. Pumps (SGS-FWl) .2/ loop 5 Duty Cycle I 2. Pipes (SGS-FW2) .005 5 Failure Data
- 3. Valves (SGS-FU3) .5/ loop 5 Duty Cycle
- 4. Isolation and control (SGS-FW4) .5 5 Failure Data a
8 D. Turbine Subsystem (all) 1 3 CRBR SS i
- 1. With reactor trip (SGS-TTl) .33 3 Duty Cycle
- 2. With TBS failure (SGS-TT2) .17 3 Duty Cycle E. Condenser Subsystem
- 1. Loss of nain condenser (SGS-CON) .3 2 CRBR SS I
1 9 . e .
Table II.1 (Continued)
Recurrence Uncer-Frequency tainty Reference (System / Initiator) (per year) Factor Source Other Events / Common Cause
- 1. Loss of off-site power (LOSITE) 1.0x10-1 3 CRBR SS
! 2. Operating basis earthquake (OBE - 5 1. 4 x10 -3 5 CRBR PSAR classes)
- 3. Safe shutdown earthquake (SSE - 5 1.5x10-4 5 CRBR PSAR classes) b 4. Greater than safe shutdown 3.4x10-5 5 CRBR PSAR y earthquake (BFE - 5 classes)
____.mm___m.-_____-_____ _-_ - _ _ . _
III. Operator System The accident categories associated with the event trees for all of the CRBRP systems including the operator system (Figure III.1) were quantified using a four step procedure:
- 1. Initiators and their recurrence frequencies ,a were identified.
- 2. ESS common cause/ mode relationships were .
established for each initiator.
- 3. Conditional ESS branch point failure probabilities were calculated for each initiator. ,
- 4. Accident category recurrence frequencies -
were calculated for each initiator.
As seen in Table II.1, there are only three initiators associa-ted with the Operator System, each of which can be evaluated using the event tree shown in Figure III.l. The first initiator involves an operator-induced signal to SCRAM with all shutdown heat removal systems intact. The second is a similar SCRAM situation with one heat transport loop unavailable, and the third is an operator induced signal to SCRAM with the Decay Heat Removal System out of commission. The recurrence fre-quencies for these events are estimated at 3/ year, 2/ year, and
.5/ year, respectively. The common cause/ mode considerations for all three initiators are expected to be minimal since the majority of them arise from conditions which are abnormal but insufficient to activate the automatic Plant Protection System.
Initiator OPERR1 - All SHRS Okay The common cause/ mode relationships established for OPERR1 are negligible. This is understandable since the plant should
^
be operating under nearly normal conditions and the. signal to
- SCRAM is assumed to be a more or less routine procedure. The common cause/ mode assumptions for Initiator OPERR1 are listed below along with their respective ESS conditional branch point ,
failure probabilities.
When these ESS system branch point failure probabilitiesfare combined with the initiator frequency, the contribution of OPERR1 toward the total frequency for the accident categories identified at the end points of Figure III.1 can be calculated. This result is tabulated below.
F FALURE AULT D. SUBSY M SYETEM FAILURE ENGINEERED SAFETY SYSTEM (ES$) RESPONSES INmATmG ACCIDENT CATEGOMsES
, REACTOR SHUTDOWN SYSTEM DECAY HEAT Mtt0 VAL
'I i SCRAM 8 SHRS 8
l DETECTION l l PUMPl TRIP ' l' FORCED FLOW ANObsAtOuS > 1 1 I 1 : A CS& NO REL.
EVENT,W W H g l l l
DOES 800T RESULT W AN -l l 1 PT/F Wro FORCED FLOW INTRINS, IC g l l :S Pt ANT < CDA POSS-SUBSYSTEM l FALURE BUT g WHICH DOES :C PT/F W/O SHRS: CDA INEVTT, REOUIRE AN -l EtBERGENCY
. PLANT l
W PLANT SHUTDOWN, i
- : D ROF W IBfTRUSION. OCCURS DeCORpfCT AaeObsALOUS IBCS
' MSTfluMENT #
EVENT.WH8CH i
+ OPERATOR ,
tsCS y DOES NOT - SUf33YSTElf FALURE
- E CONTpdUED 9eObsINAL OPERATION
- RE ADINGS.
TEST OF RSS RESULT m AN FALUptE SPuReOUS mTRBeseC PLANT Tfur PLANT SUBSYSTEta :F CONTBIUED NOISINAL OPERATION
- FALURE AND DOES NOT REOUIRE ERIERGENCY PLANT
- POSES NO PROBLElf AS LOceG AS A PLANT SUBSYSTEhd FAILURE DOESNT CUB $EOUENTLY OCCUIL SHUTDOWN. IF OedE SHOULD OCCUR,IT WOULD BE TREATED BY THE APPROPRsATE SUBSYSTEtf FAILURE OCCURS AND INmATBeG ACCIDENT EVENTTREE.
OPERATOR INMATES ERIERGENCY PLANT SHUTDOWN Figure III.l. Initiating Accident Event Tree for an Operator Subsystem or Manual Control System Failure in CRBRP.
g- -
4 ,
- A gQ*
i*e (w. .+ s
- n. +
b 1.
.t s. <
Initiator OPERR1 - Common Chuse Relationships =- . \v \\" m.
- s'..
- 3 Q '
\ ,
. I r ~
s Failure Probpbiltsty i Common Cause/Modd andUnc4rjdinty i ESS Function Considerations Factor) Y~ '
Detection None - operator acccmplishes '
- 0. . ?
detection 1
%,?
~
k.'
SCRAM None - perhaps 1% increase % 3'10-8 k x (10 ) g ;g * ~:
g' ,
- 3 None - 1% increase if GCRAM Pump Trip 340-4<fr) '
N "
- f ails x e N \ . ,t,,' , s, s b ', ' ' 4 j
. k s
SilRS None - slight increaae if '(\ hx10N ' ( 5 ).
other systems fail Q d' ?
Forced Flow None - slight increase if k.65/10-k.
(51 s i
other systems ^ failu , s
. t v ,
,,,. s..
. s y, k
Initiator OPERR1 - Accident Types and Frequencies T
.~ <
- ~
, t .- 4 Fre uency (Uncertainty' Sequence Accident Type ydi'dc' tor ) per Year '
A Cold shutdown achieved: no .@ ' '\a 3 (2) release .. b\ a d *
'4 , ;\
- B Protected transient vii.hout' 1.5x10-5 (p; j '
forced flow -
d.
C Protected transient without' N ~ 5x10-8~(6h* L Q SHRS- -
,k ' , ,- %.l*\ u
! D Unprotected loss of flow l 2x10 (12 ). . .
' =
r .-
~sp.'
E Anticipated fault x , 7 x10 -Il (17) , . t 5 w N .Y F Anticipated fault-O. ( v ; p l
. s.
-Y- N l
i .y$$
\
( . +j , q i -; <* r' % g. g 3 ,/ $
,i (h .
,r,
- . 4,,
-l'6 - "
t* ' ,.
[ 4
,,s c v 4 -
y . ,. - ,n. ,
-- m ,.
E 4
e i
Initiator OPERR2 - One Heat Transport Loop Unavailable The second: Operator Systen initiator deals with situations in which a SCRAM signal is generated by the. operator while one heat transfer loop is unavailable. Ilence the common cause/ node considerations for this initiator assume that one heat transfer
_' < loop is completely out of service and cannot be used to removeL
- - <Jocay heat or provide pony' flow. The common cause/ mode assump-
- tions and resultant failure probabilities- for the ESS branch points are:
Initiator OPERR2 - Common Cause Relationships, Failure Probability and i
(Uncertainty j 'm . ESS Function Connon cause/ttod. Considerations Factor) i i ,
De tection None - accomplished. by operator 0.
SCRA!! None 7x10-8 (10)-
- Punp Trip One pump unavailable 2x10 ( 5 )
SilRS One_prinary, intermediate , and 6x10-8 (4) auxfeed loop out q Forced Flow One pump' 5x higher - 2.7x10-5 (5) r
~'
The contribution of Initiator OPERR2 toward the total
' frequency for the Figure III.1 accident categories is calcu--
lated as before.
s 4
~
j - }
I
- i.
~
l
[ -
7 i.
. _, - . . -_ - - . - . . - - , _ . . . . _ _ _ - . - . . ~ . . , _ . , _ - - . _ . _-
Initiator OPERR2 - Accident Types and Frequencies Failure Probability and (Uncertainty Sequence Accident Type Factor)
A Cold shutdown achieved 2 (2)
B Protected fault without 5.4x10-5 (6) '
forced flow C Protected fault without SHRS 1.4x10-7 (7)
D Unprotected loss of flow lx10-7 (12)
E Anticipated fault 7x10-ll (18 )
F Anticipated fault O.
Initiator OPERR3 - DHRS Unavailable The third Operator System initiator involves an operator induced SCRAM while the DHRS is unavailable. Common cause/ mode considerations for this initiator assume that the DIRS is com-pletely out of service and that all other ESS functions are unaffected.
Initiator OPERR3 - Common Cause Relationships Failure Probability and (Uncertainty ESS Function Common Cause/ Mode Considerations Factor)
De tection None - accomplished by operator 0.
SCRAM None - minor increase 7x10-8 (10)
- Pump Trip None 3x10-4 (5)
SHRS DHRS out of service 3 x10 -6 (4)
Forced Flow None 5x10-6 (5)
4 The contribution of Initiator OPERR3 ~towards the total frequency for the Figure III.1 accident categories are listed below.
Initiator OPERR3 - Accident Types and Frequencies Frequency (Uncertainty Sequence ,
Accident Type Factor) per Year A Cold shutdown achieved .5-(3)
B Protected fault without 2.5x10-6 (7) forced flow C Protected transient without SHRS 1.5x10-6 (6)
D Unprotected loss of flow 3.5x10-8 (15)
E Anticipated fault lx10-ll ( 20 )
F Anticipated fault O.
Sunmary of Operator System Initiators The three Operator Systen initiators result in 5.5 chal-1 lenges per year to the ESS f unctions. This represents nearly 40 percent of the total number of expected ESS challenges' per year. Even though potential common' cause relationships for these initiators appear to be minimal,-the sheer frequency of these events makes them important contributors to the overall accident category picture. Some of the important totals for i the Operator System are listed below:
Estimated Recurrence l .,
Accident Category Frequency and Uncertainty Factor
. P7/F without Forced Flow 7.2x10-5 (5)
PT/F without SHRS 1.7x10-6 (5)
ULOF 3.4x10-7 (10)
IV. Reactor System The accident categories associated with the event trees for the Reactor System (Figures IV.1, IV.2, IV.3 and IV.4) were quantified using the same four-step procedure described previously for the Operator System event tree. Table II.1 shows that there are a total of nine initiators associated
- with the Reactor System. Four separate event trees were used to describe the accident scenarios associated with the CRBRP Reactor System. The first (Figure IV.1) of these describes ,
accidents which initiate within the core subsystem and are due to local fault propagation or subassembly failures (Initiator RCOREA). The second (Figure IV.2) was used to quantify acci-dont categories resulting from pin failures or local radial motion (Initiator RCOREB). Initiators dealing with support structure failure (RSUPPA), large scale motion (RSUPPB), or a loss of hydraulic holddown (RSUPPC) were quantified using the event tree of Figure IV.3 and the Figure IV.4 event tree was used to quantify initiators dealing with control rod motion (RCON1-RCON4).
Core Subsystem Initiator RCOREA Initiator RCOREA deals with accident scenarios which result from local fault propagation, subassembly failures, or subasem-bly overpower faults. As seen in the event tree of Figure IV.1, two levels of response are required -- one manual, and the second automatic -- in order to analyze these scenarios. The primary areas for common cause/ mode concern are the Detection, SCRAM, and SHRS functions. Since the initiator deals with a potential over-power condition, detection is limited to the High Flux, Flux to Pressure, or Positive to Delayed Flux sensors in the Primary Detection System and Flux to Total Flow, or Modified Nuclear Rate sensors in the Secondary Detection System. (See Appendix C for Sensor System details.) Also the SCRAM function is assumed to be mechanically inhibited to some degree and the potential for reactor vessel or primary boundary rupture is increased. These assumptions are listed below for the manual portion of the analy-sis along with the associated failure probabilities. This is followed by a list of the accident frequency outcomes for the '
manual response.
Initiator RCOREAl (Manual) - Common Cause/ Mode Relationships Failure Proba-bility and Uncer- l ESS Function Common Cause/Made Considerations tainty Factor)
Detection Failure dominated by operator 2x10-2 (10) error SCRAM Factor of 2 increase in failure lx10-6 (5) per rod Pump Trip None 3x10-4 (5)
SHRS Factor of 10 increase in 2.4x10-8 (5) primary boundary rupture Forced Flow None 5x10-6'(5)
Initiator RCOREAl (Manual) - Accident Types and Frequencies l
l l Frequency (Uncer-I tainty Factor)
Sequence Accident Type per Year A Damaged core lx10-4 .(10)
B Damaged core without forced flow 5x10-10 (7)
C Damaged core without SHRS 2.4x10-12 (6)
D Unprotected loss of flow 1x10-10 (20)
E Input' frequency for automatic mode 3x10-14 (30)-
F Input frequency for automatic mode 2x10-6 (30)
The E and F sequences from the manual mode analysis are the generating frequency for the automatic response. This f is dominated by the F sequence and i,s estimated at 2x10 gequency- / year.
Additional common cause assumptions for the automatic mode are that the operator has-failed to detect any anomaly and cannot cor-rect this mistake and that the SCRAM function is further' inhibited due to increasingly adverse conditions within the core. The com-mon cause relationships and attendant failure probabilities for the automatic mode are given below. This is followed by the list of final outcomes for the RCOREA initiators.
. . . - m . _ m F AtunE,1 ALLT COMPQatedT SUBSTSTEM FetST LEVEL MANLV) ESS SEO MCose LEVEL ESS WQ. RimaTWIG ACCEMar?
CAUBE F Aa.unt. F AULT FAtumE mESpossegg smanam m t ggg piESpossAES tAUTCesATIC) 13. CATE00nES DECAT
- EAT sitaCTOR SHUTDOute DECAT DEAT maananas geeJTDOWEB #EMOWAL SYSTEu 8EWOv at MesAING REACTOR PLar SMR$ FORCED MMCa SCRAds MAIP Stats PCACED TIOle seOTFW SCRAas T99 OR PLOW 78r FLOW tides out SMUT COAST CAe A om Down Down ERATC.f.1 ACTio I i 1 1 :A I i i 1 1 l i I '
I I I I I I I I I I I I a
' 2*
- 7 , "C'C**'***
I '
1 1 1 1 1 I i i :C 1 l i : DC =c cances e CDA POSS, E 3. F3 0
l I
gN- ,,no, PROPAGATION N8""'
CORE eLOCKAGE * + SUBSTSTEas -
F Ek, F4 y
V PJ m,,,,,,, ownPowEn #AutTrSi _
r.. ~
uce EK re
- eA DC: CDA POSS.
_ eg DC uro POIICED PLOW:
DA M Fmoti PWIST LEVEL ESS EWENT TIEE "
- eD utor Figure IV.l. Initiating Accident Event Tree for a CRBRP Core Subsystem Failure Due to Local Fault Propagation, Subassembly Failure (s) ,
or Subassembly Overpower Fault (s).
Initiator RCOREA2 (Automatic) -
Common Cause/ Mode Relationships Failure Probability and Uncertainty ESS Function Common Cause/ Mode Considerations Factor)
Detection 3 Primary and 2 secondary sensors 4x10-8 (3)
SCRAM Factor of 3 increase per rod 5.8x10-6 (5)
Pump Trip None 3x10-4 (5)
SilRS Factor of 10 increase in 2.4x10-8 (5) boundary rupture Forced Flow None 5x10-6 (5)
Initiator RCOREA2 (Automatic) -
Accident Types and Frequencies Frequency (Uncertainty Factor)
Sequence Accident Type per Year El,P1 Damaged core 2x10-6 (30)
E2,F2 Damaged core without forced flow lx10-ll (50 )
E3,F3 Damaged core without SHRS 5x10-14 (45)
E4,F4 Unprotected core fault and loss lx10-ll ( 50 )
of flow ES,F5 Unprotected core fault 3x10-15 (70)
E6,F6 Unprotected core fault 8x10-12 (35 )
Core Subsystem Initiator RCOREB This initiator deals with core subsystem failures which result from pin failures, fuel pin overpower faults, or intra-core radial and axial notion. The overall frequency for this-initiator is estimated at 10-5/ year. An examination of Figure IV.2 shows that there are a number of plausible accident out-comes for each end point of the event tree. In order to dif-ferentiate between these outcomes, four accident scenarios were chosen. Each scenario is seen as a subset of the total RCOREB
initiator class and therefore is related to the total RCOREB frequency. The scenarios and their respective estimated recur-rence frequencies are as follows:
Recurrence Frequency and Initiator Description (Uncertainty ~ Factor)
R00 REB 1 Minor core damage within design 3x10-5 (10 )
basis, primary boundary intact RCOREB2 Minor core damage , primary 1x10-5 (10) boundary in doubt RCOREB3 Core damaged beyond design basis, 3x10-6 (10 ) -
primary boundary intact RCOREB4 Core damaged beyond design basis, 1x10-6 (10) primary boundary breached Common cause/ mode assumptions for this initiator involve all five of the ESS functions to some degree. Detection is expected i to be essentially the same as for the RCOREA initiator where j three primary and two secondary sensor functions are allowed to detect the anamolous condition. The SCRAM function is nechani-cally inhibited by varying degrees according to the anticipated
- severity of the core environment. Since the primary boundary '
is in doubt, the pump trip and forced flow functions have corre-spondingly increased f ailure probabilities. The SHRS function is deg raded mainly due to an increased probability for primary boundary and reactor vessel rupture. A table of these consider-ations, as well as their associated failure probabilities, is given below.
i
- _ - , - - - ~ - . - , - - ._ - -. - - .. - , . - - - . , , .- _ , . . - - - . -
G e
- O C FA A Y asL
' ' LD g MACTOR SMUTDOWN SYSTEM g DECAT ME AT REMOVAL g 3 DETECTson I SCRAM I PUMP TRr i SMRS I FORCED FLOWI I i 1 l I l I l l A CS= =0 REL., CS= ret. ,OSS, l l l DC CDA POSS, OR DC & PRPE: CDA g "
i 1 1 l l l l l S PT F W/0 FORCED FLOR CDA POSS.
l PRPG W/O FORCED FLOW: CDA POSS.
l DC W/O FORCED FLOW: CDA POSS, OR DC & PRFB W/O FORCED FLOW:
l CDA POSS.
l _C PT-P W.O S Se CDA .EviT.P W'O SMRS: CDA BEVIT. DC Ws0 SDSISc CDA BEWTT, OR DC & PEwe W'O SMRSc CDA BEVIT, MRATO Pas FAS.UNE(S) T0 UCF & ULOF UTOP & ULOF, L>$7EP C
TDERIAAL TRESS '
PC ALETtS) CORE LOADesG ESIROR % SUBSYSTEM -
(ND PROPAGATION)
MSS DEN pf7 RAM:; ORE AILhL F AEURE :E UCF, UTOP,4> STEP, OR LOCAL ELMAGE Oft RADeAL G80T108g UTOP/1> STEP yg OR DeSTOflT10N EIPLOSsOfs
- F UCF, UTOP, t> STEP. OR UTOPr1> STEP Figure IV.2. Initiating Accident Event Tree for a CRBRP Core Subsystem Failure Caused by Pin Failure (s) or Fuel Pin Overpower Fault (s) That Do Not Propagate or Caused by Intra-Core Axial / Radial Motion / Distortion.
Common Cause/ Mode Relationships for the RCOREB Series ESS Function Failure Probability and Initiator and (Uncertainty Subclass Common Cause Considerations Factor)
De tection Same for all_ initiators RCOREB (All) 3 Primary and 2 secondary 4x10-8 (10) ,
sensors SCRAM:
RCOREB1 Factor of 3 increase in 6x10-6 (5) failure per rod RCOREB2 Factor of 5 increase in 5x10-5 (4) failure per rod RCOREB3 Factor of 10 increase in 7x10-4 (3) failure per rod RCOREB4 Factor of 50 increase in 4x10-1 (2) failure per rod Pump' Trip:
RCOREB1 None 3x10-4 (5)
RCOREB2 Factor of 2 higher per pump 6x10-4 (5)
RCOREB3 None 3 x10 -4 (5 )
RCOREB4 One loop disabled, other 4 x10 -4 (5) two higher by factor of 2 SHRS:
RCOREB1 Vessel and boundary rupture 3x10-8 (5) increase by factor of 10 e
RCOREB2 Primary boundary failure 6.4x10-4 -(3) probability = .1 RCOREB3 Vessel and boundary rupture 6.3x10-8 (5) increased by factor of 100 RCOREB4 Primary boundary ruptured 6.4x10-3 (3)
, Common Cause/ Mode Relationships for the RCOREB Series (Cont' d )
ESS Function Failure Probability and Ini tia to r and (Uncertainty Subclass Common Cause Considerations Factor)
Forced Flow:
RCOREB1 None 5x10-6 (5)
RCOREB2 Factor of 2 higher per pump 4x10-5 (3 )
! RCOREB3 None 5x10-6 (5)
RCOREB4 One loop out 3 x10-4 (3)
The four scenarios for the RCOREB initiator result in four separate accident category outcomes. These outcomes are tabu-lated here with their associated recurrence frequencies by
, initiator subclass.
1 Initiator RCOREB1 - Accident Types and Frequencies i
Frequency l (Uncertainty I
Sequence Accident Type Factor) per Year A Cold shutdown - no release 3x10-5 (10 )
! B Protected fault without forced 1.5x10-10 (20) 4 flow C Protected fault without SHRS 9x10-13 (18)
D Unprotected core fault and loss 2 x10 -10 (20) of flow E Unprotected core fault 5x10-14 (30)
F Unprotected core fault 1. 0x10-10 ( 30 )
l 1
1
Initiator RCOREB2 - Accident Types and Frequencies Frequency (Uncertainty Sequence Accident Type Factor) per Year A Cold shutdown - release possible lx10-5 (10)
B Protected rupture of primary 4x10-10 (15) ,
boundary without forced flow C Protected rupture of primary 6.5x10-9 (15) boundary without SHRS D Unprotected step insertion 5x10-10 (20) and loss of flow 4 E Unprotected step insertion lx10-13 (20)
(USTEP)
F Unprotected step insertion 3.7x10-ll (28)
Initiator RCOREB3 - Accident Types and Frequencies Frequency (Uncertainty Sequence Accident Type Factor) per Year A Damaged core 3x10-6 (10)
B Damaged core without forced 1. 5x10-ll ( 20 )
flow C Damaged core without SHRS 2x10-13 (20)
D UTOP/USTEP and ULOF 2x10-9 (15)
E UTOP/USTEP 6x10-13 (30) ,
F UTOP/USTEP 7.5x10-12 (30) i
Initiator RCOREB4 - Accident Types and Frequencies Frequency (Uncertainty Sequence Accident Type Factor) per Year
. A Danaged core and protected 6x10-7 (10) rupture of primary boundary B Damaged core and protected 1.8x10-10 (15) rupture without forced flow C Damaged core and protected 3.5x10-9 (15 )
rupture without SHRS D Unprotected transient overpower 4x10-7 (12 )
and loss of flow E Unprotected transient overpower lx10-10 (15 )
(UTOP)
F UTOP 5x10-12 (30)
Core Restraint Subsystem Initiator RSUPPA The RSUPPA initiator involves a catastrophic failure of the core support structure. The frequency of this rare event is estimated to be on the order of 10-8/ year. Common cause/
mode assumptions for the RSUPPA initiator affect all of the ESS functions. Detection is once again limited to three pri-mary sensor functions and two secondary sensor functions as for the RCOREA and RCOREB initiators. The SCRAM function is assumed to be almost totally disabled as are the pump trip, SHRS, and forced flow functions. These relationships are listed below along with their attendant failure probabilities.
9
(
a
Initiator RSUPPA - Common Cause/ Mode Relationships Failure Probability and (Uncertainty ESS Function Common Cause/ Mode Considerations _
Factor) ,
Detection 3 Prinary and 2 secondary sensors 4x10-8 (10)
SCRAM Failure highly probable .5 (1.5)
Pump Trip 2 loops blocked, third loop 1x10-3 (2) ten times higher SHRS 2 loops blocked , primary .2 (2) boundary failure = 1/5 Forced Flow Dominated by SMRS availability .2 (2) 4 The event tree described by Figure IV.3 was used to quantify the accident types associated with the RSUPPA initiator. These.
accident categories and their recurrence frequencies are listed below.
Initiator RSUPPA - Accident Types and Frequencies Frequency (Uncertainty Sequence Accident Type ,
Factor) per Year A Damaged core and primary boundary 5x10-9 (100) rupture B Damaged core and rupture without lx10-9 (130)
- forced . flow C Damaged core and rupture without lx10-9 (130)
SHRS D UTOP/USTEP and ULOF 5x10-9 (110)
E UTOP/ USTEP 1x10-ll (130 )
F UTOP/USTEP 4x10-16 (200)
a + ' '
]
l FAILURE / FAULT COMPONENT SUBSYSTEM ENGINEERED SAFETY SYSTEM (ESS) RESPONSES MO. INITIATING ACCIDENT CATEGOINES CAUSE FALURE/ FAULT FALURE LD.
REACTOR SHUTDOWN DECAY HEAT SYSTEM l REtsOVAL l DETEC- l SCRAM l PUMP l SHRS l FORCED l T
1 ION l l TRIP l l FLOW CSA: NO REL, CSA: REL POSS, g g l l l ;A DC: CDA POSS, OR DC & PRPs:
3 l l CDA PoSS.
4 a
3 l l PT/F W/O FORCED FLOW: CDA POSS, g l 8 PRPS W/O FORCED FLOW: CDA POSS, 1 DC W/O FORCED FLOW: CDA POSS, OR DC & PRPS W/O FORCED FLOW:
l CDA POSS.
! :C PT/F W/O Sects: CDA INEVIT, PRPS W/O SHRS: CDA INEVIT.,
FA TIGUE LOSS OF HYDRAUL8C DC W/O SHRS: CDA P.VIT, OR
] W THEROSAL STRESS HOLDOOWN DC & PRPS W/O SHMS: CDA INEVIT.
- D
^
Pd DEFECT RECOVERY OF y STEP & ULOF. OR UTOP/U-STEP &
hsFG ERROft CORE HYDRAULac HOLDDOWN SUPPORT / ULOF DESIGN DEFICIENCY + CORE SUPPORT
- RESTRAINT "
RAAINTENANCE CONE / PLATE ERROR SUBSYSTEM E U-STEP OR UTOP/U-STEP STRUCTURAL FALURE FALURE HUGAAN ERROR CORE RESTRAINT BLOCKAGE RADIAL Rs0 TION /
STICK-SLIP B00 TION DeSTORTION
- F U-STEP OR UTOP/U-STEP Figure IV.3. Initiating Accident Event Tree for a CRDRP Core Support / Restraint Subsystem Failure.
Core Support / Restraint Subsystem Initiator RSUPPB This initiator deals with large scale motion which alters
, the geonetrical configuration of - the core in a wholescale manner.
The recurrence frequency for this event is estinated at 10-7/ year.-
Connon cause relationship' will af fect all five of the ESS branch
. point functions in much the same manner-but not to the same extent as the RSUPPA initiator. Detection is nearly assured as with the previous reactor system initiators. The SCRAM function is very much in doubt due to extensive control' rod misalignment and tor-
- sion. One heat transfer loop is assumed to be unavailable and i the failure probability for the remaining loops is assumed to be quite high, thus jointly af fecting the pump trip, SHRS , and forced flow functions. These assumptions and their resultant-failure probabilities are tabulated below.
Initiator RSUPPB - Connon Cause/ Mode Relationships Failure Probability and
- (Uncertainty
! ESS Function Common Cause/ Mode Considerations Factor)
Detection Same as RCORE' series 4x10-8 (10) i SCRAM Very nuch in doubt .5 (1.5)
Pump Trip One loop out, others 10 times 2x10-3 (3) hig her SHRS One loop out, failure of .04 (3) others = .2 l Porced Flow Dominated by SHRS loop availability .04 (3) l The Figure IV.3 event tree was used to quantify the accident 4
types associated with the RSUPPB initiator. Since this scenario *
{ is expected to'be less severe than the one for the RSUPPA initi-ator, no rupture of the prinary boundary is reflected in the resultant RSUPPB accident categories. These categories and their recurrence frequencies are given below, i
- -_ .-. -- ._ _ . ~ . - . . _ . _ _ . _ _ . . _ . _ _-_ _ __ . , ._ __.,_ ,
Initiator RSUPPB - Accident Types and Frequencie_s Frequency (Uncertainty Sequence Accident Type ,
Factor) per Year
.A Damaged core: no release 5x10-8 (100)
, B Damaged core without forced flow 2x10-9 (125)
C Damaged core without SHRS 2x10-9 (140)
D UTOP/USTEP and ULOF 5x10-8 (110)
E UTOP/USTEP 2x10-ll (150)
F UTOP/USTEP 4x10-15 (200)
Core Support / Restraint Subsysten Initiator RSUPPC The event tree illustrated in Figure IV.3 was also used to quantify the -accident categories associated with the RSUPPC ini-tiator. This initiator has an estimated frequency of 10-4/ year
.which is expected to produce gross axial distortion of the core through the loss of hydraulic holddown forces due to blockages in the downward sodium flow. All'of the ESS functions will be af fect ed to' some deg ree by this initiator. . Detection is virtu-ally assured as with the other RSUPP in itia to rs . SCRAM.is inhi-bited, but not precluded, due to the axial motion of the core.
Excess debris in the sodiun is assumed to be the major contrib--
utor towards the loss of hydraulic holddown and this affects the SHRS function as well as pump trip and forced flow. These connon cause ef fects are listed below along with the failure probabili-ties for the ESS branch point functions.
4 l
Initiator RSUPPC - Common Cause/ Mode Relationships Failure Probability and (Uncertainty ESS Function Common Cause/ Mode Considerations Factor)
Detection Same as RSUPPA and RSUPPB 4x10-8 (10) 7x10-4 (3 )
SCRAM Factor of 10 increase in failure per rod Pump Trip Factor of 2 higher per pump 6x10-4 (5)
SIIRS Prinary boundary rupture, 4.3x10-8 (5) vessel rupture and DRRS heat exchanger tube failure 10
, times more.likely Forced Flow Factor of 2 higher per pump 4x10-5 (3)
The accident categories associated with the RSUPPC initiator and their recurrence frequencies are listed below.
Initiator RSUPPC - Accident Types and Frequencies Frequency (Uncertainty Sequence Accident Type Factor) per Year A Cold shutdown, no release 1x10-4 (10)
B Protected transient without forced 4x10-9 (15) flow
D USTEP and ULOF 7x10-8 (15)
E USTEP 4. 5x10-ll ( 20 )
F USTEP 4x10-12 (30)
I
Control Subsystem Initiators RCONl - RCON4 i This sequence of initiators was evaluated using the Fig ure IV.4 event tree and deals with accident scenarios which arise due to control rod failures. The RCON1 initiator is an uncontrolled withdrawal of a single rod at the operational speed of less than nine inches per ninute. .RCON2 is the same single rod f ailure at an overdrive speed of 9-72 inches per minute. The RCON3 initiator is the uncontrolled withdrawal of a six rod bank at operational speeds and the RCON4 initiator is a rod bank withdrawal at over-drive speeds. These events have estinated recurrence frequencies of .3/ year, 10-6/ year, .03/ year, and 3x10-7/ year, respectively.
All of the ESS branch point functions are affected by these ini-tiators. Detection is linited to two' primary sensors and one secondary sensor with an - estimated operator ef ficiency of zero.
The SCRAM function is automatically inhibited since the prinary control rods are the source of failure. Higher coolant tempera-tures and possible fuel-coolant interaction cause an increase in the failure rates for the pump trip, forced flow and SHRS. These common cause/ mode relationships and the failure probabilities associated with them are listed-below.
Common Cause/ Mode Relationships for the RCON Series ESS Function a nd Initiator Failure Probability Subclass Common Cause Considerations and (Error Factor)
Detection Same for all initiators RCON1 - RCON4 2 Prinary and 1 secondary 4x10-6 (10)
(All) sensors SCRAM:
RCON1 One primary 10x, other rods 9x10-7 (5) increased by factor of 2 RCON2 One primary 50x , others 1x10-5 (5) increase by factor of 3 RCON3 Primary failure = .01, second- 3.Gx10-5 (5) aries increase by-factor of 4 5.6x10-4 (5)
ROON4 Prima ry failure = .1, second-aries increase by factor of 5 i
'l 4
4 Common Cause/ Mode Relationships for the RCON Series (Cont'd)
ESS Function and Initiator Failure Probability Subclass Common Cause Considerations and (Error Factor)
Pump Trip:
All Factor of 2 increase per 6x10-4 (5) ,
pump SIIRS :
RCON1 Primary boundary rupture 3x10-8 (5) increased by factor of 10 RCON2 Primary rupture increased 6.3x10-8 (5) by factor of 100 RCON3 Primary rupture increased 3x10-8 (5) by factor of 10 RCON4 Primary rupture increased 6.3x10-8 (5) by factor of 100 Forced Flow:
All Factor of 2 increase per pump 4x10-5 (3) i The accident categories resulting from all of these initi-ators are the same. The contribution for each of the individual initiators in terms of frequency per year is tabulated below.
e j
6
~36-
e . .
- Initiators RCON1-RCON4 - Accident Types and Frequencies RCONI Frequency RCON2 Frequency RCON3 Frequency RCOM4 Frequency S equence Accident Type and Error and Error and Error and Error A CSA: no release .3 (3) 1x10 -6 (10) .03 (3 ) 3x10-7 (10 )
B PT/F without forced flow 1.2x10-5 (5) 4x10-II (15) 1.2x10-6 (5) 1. 2x10-ll (15 )
W C PT/F without SHRS 9x10-9 (7) 6x10-14 (20) 9x10-10 (7) 2x10-14 (20)
D UTOP and ULOF 3x10-7 (7) 1x10-ll (20 ) 1 x10 -6 (7) 2x10-10 (20 )
E UTOP 5x10-9 (12) 6x10-14 (30) 6 x10 -8 (12) 1x10-12 (30)
F UTOP 1.2x10-6 (7) 4xio-12 (30) 1.2x10-7 (7) 1. 2x10-12 ( 30 )
FAILURE / FAULT COMPONENT SUBSYSTEM -
ENGIDIEERED SAFETY SYSTEM (ES$) RESPONSES CAUSE FAILURE / FAULT FAILURE LD. CATEGOfMES REACTOR SHUTDOWN DECAY HEAT SYSTEM REteOVAL DETEC- l SCRAM l PUGAP SMRS l FORCED TBON g g TRIP g FLOW g g
! ! ! ! :A CSA: 100 MrL.
I I I I I I I l l g
- 8 PT/F W/O FORCED FLOW:
g CDA POSS.
w I l ?C PT/F W/O SHRS: CDA HURSAN ERROR INEVIT.
ELECTRtCAL FAULT /
- F ELE CHANICAL g FAULT ROD WITHDRAWAL CONTROL DESIGN ERROR / + UNCOff7 ROLLED
+ SUBSYSTEM -
DEFICIENCY CONTROL ROD FAILURE -- UTOP E
SANIC WITHDRAWAL
, PROCEDURAL ERROR FAmuE TF UTOP i
Figure IV.4. Initiating Accident Event Tree for a CRBRP Control Subsystem Failure.
Summary of Reactor System Initiators Reactor System initiators comprise nearly all of the events which contribute to the reactivity driven accident categories; namely UTOP, USTEP, and UTOP/USTEP type accidents. Due to the location and magnitude of these initiators, potential common cause relationships are expected to be minor for the SHRS func-tion, moderate for the Detection, SCRAM, and Pump Trip functions and relatively high for the SCRAM f unction. Despite this poten-tial, nearly 50 percent of the reactor system event tree scenarios have a recurrence frequency of less than 10-9 per year. This is due mostly to the extremely low recurrence frequencies associated with most of the reactor system initiators, which as a whole con-stitute less than 3 percent of the total expected number of chal-1enges per year to the CRBRP engineered safety systems. A summary of some of the more prominent Reactor System initiator totals is presented below.
Estimated Recurrence Frequency Accident Category Dominant Initiators and Uncertainty DC: CDA Possible RCOREAl lx10-4 (10)
DC and PRPB RCOREB4 6x10-7 (10)
PT/F without FFlow RCOREl, RCORE3 1.3x10-5 (5)
PT/F without SHRS RCON1 1x10-8 (6)
UTOP RCON1, RCON3 1.3x10-6 (6)
UTOP and ULOF RCOREB4, RCON3 1.7x10-6 (6)
USTEP and ULOF RSUPPC 7x10-8 (15)
UTOP/USTEP and ULOF RSUPPB, RSUPPA lx10 -7 (50) e Z
V. Primary Heat Transport System
- There are nine initiators associated with the PHTS. Three initiators deal with failure within the Primary Piping / Vessel subsystem (vessel rupture, pipe rupture, and large pipe leaks);
three more deal with failures within the Primary Pump subsystem (loss of flow from one, two, or all three pumps); and the final three address failures in the Primary Coolant subsystem (foreign contamination, large gas bubbles, and spurious DHRS insertion).
The recurrence frequencies for the Piping subsystem initiators are in the range of 10-7 to 10-4 per-year while Pump subsystem
- initiators fall in the .01 to 1.0 per year range and the Cool-ant subsystem initiators average around 10-3 to 10-5 per year.
Common cause estimates for these initiators are generally minimal for the detection function, low to moderate for the i SCRAM function, and moderate to high for the SHRS, pump trip a nd forced flow functions. Consequently, the protected acci-dent sequences resulting from PHTS failures are expected to be more prominent than unprotected sequences. Figures V.1, V.2, and V.3 illustrate the event tree paths associated with the accident categories generic to the PHTS subsystems.
These figures show that the PHTS system initiating events have the potential to contribute to 9 of the 12 identified pro-tected accident categories and 6 of the 13 identified unpro-tected accident categories. The results of the analysis which
< estimates the recurrence frequency contribution of each each initiator towards these accident categories is summarized in the following sections.
Initiator PHTS1 - Reactor Vessel Rupture
! This initiator is intended to represent a catastrophic rupture of the reactor vessel which results in a step-l reactivity input, minor core damage and a coolant leak rate of at least 75,000 gallons per minute. The recurrence frequency for this type of event is estimated at 10-7'per year. Common 4 cause considerations for this initiator which can affect all of the ESS functions include potential pressure transients, loss of
- hydraulic holddown, debris, and the possible redirection of flow.
The detection function is assumed to be accomplished via four
- primary systems (Flux to Pressure, Speed Mismatch, Positive to Delayed Flux , or Reactor Vessel Level) ' and three secondary sys-tems (Flux to Total Flow, Flow Mismatch, or Modified Nuclear Rate) so that no change in conditional f ailure probability is realized over the base ~ estimate. The Pump Trip, Forced Flow and SCRAM f unctions each experience moderate increases while the SHRS function is drastically affected since one of the min-inal cut sets leading to failure is described as vessel rupture
-..----r.e ,_. .
_w ,- . , - . , - - - ,
.~e-- , , _ , , , ,e,, , .-, , , , , , , , . ,r, ,- g--
l
. . . . i 1
l t
F ABLURE/ FAULT COe0PONENT SUBSYSTEM SEO, MTIAfteeG ACCIDENT CAUSE FAILURE / FAULT FAILURE ENGOBIEERED SAFETY SYSTEM (ES$) RESPONSES LD. CATEGORSES
, RE ACTOR SHUTDOWN STSTEM DECAY HEAT REMOVAL I SCRAM I 3 SHR$ I FORCED 3 lDETECTsoNlI l PUesP TRsP l l Flow I l l l '
- a CSA: REL. POSS.,
I i i PetPS W/O FORCED FLOW:
l l l ;5 CDA POSS, DC & PRRS w/O l FORCED FLOW: CDA POSS.
MFG. ERROR g e PRPG W/O SHR$: CDA lesEVIT, DESfGN _
C DEFICIENCY PRIedARY COLD l DC & PRPS w/O SMRS:
DEFECT LEO POPE CDA lesEVIT.
CRACK GROWTH RUPTURE O UNDER CYCLIC INXSHELL H MPTURE OD MSW STRESS STRESS REACTOR VESSEL PHTS CORROSION + RUPTURE WITH + PIPE / VESSEL -
CONSTRUCTION ' OR WITHOUT - SUSS YS TEM i GUARD WESSEL FAILUME ;E ORPG ERROR uP CORROSWN pgue AR HOT CORROSION FATIGUE LEO PM RUPTURE :F URPS PIP 9NG $NUSSERS AND/OR HANGERS F AIL 1
Figure IV.l. Initiating Accident Event Tree for a CRBRP PHTS Pipe / Vessel Subsystem Failure.
F AILURE/F AULT COMPONENT SUSSYSTEM SEO. INITIATINO ACCCENT CAUSE FAILURE / FAULT FAILURE NGm ER D SAFEW SYSTEM ES$) RESPONSES 8.D. CATEGORIES REACTOR SHUTDOWN SYSTEM DECAY HEAT REMOVAL IDETECTION' SCRAM ' PUMP TRIP ' SHR$ ' FORCED i i l I i Flow
- A CSA: NO REL.
I I I I I i l 4
l l l :g PT/F W/O FORCED FLOW:
i COA POSS.
PUMP (S) F All MECHAN 4CALLY I PPS feelTIATED C PT/F W/O SHRS: CDA INEVlf.
PUMP TRtP l a y .
SWITCH GEAR BUS FAILURE (S)
, HUMAN ERROR LOF FROM THREE :D ULOF
! STORM / SEVERE PneteARY PUMPS WEATHER , LOF FROta ONE , g gy , _
PuesP(S) FAIL PRetBARY PUGBP ELECTRICALLY LOF FROtt TWO fat m :E ULOF OR ULOF - 2 PUtsPS' PRetBAR Y PRet0ARY PUtePS SOosues FLOW CONTROL SYSTEM F ULOF OR ULOF = 2 PUMPS
- FAULTS Cher FROts IHTS PutsP(S) *PuesP TRIP MERE ONLY REFERS TO Trap OF ONE PAIRdARY PUGBP BN THE C ASE OF THE LOF-2 PutePS ACCSENT 188tTIATOR.
Figure V. Initiating Accident Event Tree for a CRBRP Pump Subsystem Failure.
e o e O EAE L C SuSSTSTEM FAILunt 8E C FA ,N ENGueEEMD SAFETV SYSTEM (ESS) RESPONSES IIstTIATmG ACCSENT CATEGOA8ES l NEACTom SMUTDOWN SYSTEM DECav ME AT MMOVAL l DE TECTtON l SCAAM l PUnp TR8P SMAS l FORCED i
8 I i I
$ 8 l l l 8 l 1 1 8 3 1 l 1 :A CSA: N0 nEL.
I I l 8 i g i 8 g i I l l 0 PT/F W/O FORCED FLOW: CDA POSS, 1
1 k' 0 1
8 C PT/F W/0 SMAS: CDA usEvtT.
7D UTOP/U-STEP S ULOF =
- A OMRAT0e Eamon y PAMBAAV PUMP OIL SYSTEM PAILUAE r IME SODIURR WENT
- Y E UTOP/U-STEPe
- a SYSTEas FAdLURE CTM/ MS ENTERTAmeggENT OF
- FmTm W _ C N ANT GAS m PIREMART 000 IIII O' INSERTtDes OF FAILUME
" :F V 70P/U-STEP e
- g y PAIIBA.RY Sfo AM A8SOEMURB PROCEtteeG STSTEM FAR.4GE * *IF THE MACTIVITT W8SERitDI6 IS DUE TO GAS SUBBLE PASSAGE THROUGH THE ACCURIULATED GAS COAE, ANY REDUCTIOel m TME C00LueG CAPASILf77 asuST ALSO SE COesSEDEAEO BLEED FAILunt m DETAILED A80ALTSeS. Le TMBS COULO SE MOM LitLE A UCF-TYPE ACCSENT IF COIRE DeSWUPTNMe OCCURS AteD THE TRANSIENT DOESee7 PERSaST.
Figure V.3. Initiating Accident Event Tree for a CRBRP PHTS Coolant Subsystem Failure.
~
\ -
- i- 1 -
a
__ .m
.a u, - -
cg ;
s
% .s .
followed by guard vessel overflow caused by excessive puhpnead. '"'
The resultant condition failure probabilities for the PHTS1 ini- -
tiator are summarized in Table V.1. -
~;,
Table V.1 - Common.Cause Relationships -
- for the PHTS1 Initiator
~
Estinated Pg and ESS Common Cause (Uncertainty Punction Consideration Factor)
Detection 4 primaries & 3 secondaries Ox10-10 (10) act .
SCRAM Factor of 5 increase per rod 5x10-5 (4) ,
PTrip Factor of 2 increase per pump 6x10-4 [(5)
SHRS Vessel out, pumphead Pg 5x 5x10~3 (2) higher
~
FFlow Factor of 2 increase ~ per pump ' 4y.10-5 (f) ,
i ". _
Ni . : 1 The event tree logic of Figure V.1 deline'ated(the outcones -
which can result from a reactor vessel rupture described by ini- ,
tiator PHIS1. The estimated recurrence frequencies for these / -
outcomes are obtained by combining'the event. tree logic.with the initiator recurrence frequency and the conditional. f ailure prob-abilities listed in Table V.1. These frequencies are listed by , ,
accident category and event tree path in Table. V.2.
u _ -
1 Initiators PHTS2A and PHTS2B - Primary Pipe Ruptures
~
These two initiators deal with pipe breaks i,n the PHTS. "
PHTS2A is meant to represent a large catastrophic cold leg rup ' '
ture downstream f rom the check valve which spills: coolarit 'at a rate of 75,000 gallons per minute (gpm) while PHTS2B represents ,
a smaller leak on the order of 1000 gpm which .would require immediate loop shutdown and SCRAM. Ectimated' recurrence fre-quencies for these events are 10-7 per year and/9x10-5 }ier year, respectively. Common cause considerations for these initiators include debris, interruption of flow paths, and pressure tran-sients, as well as adverse radiation and temperature environments.
+
~
I
.\
c Table V.2 - Accident Categories for Initiator PHTS1 Estimated Recur-rence Frequency and (Uncertainty Sequence Accident Category Factor)
A DC + PRPB : CDA Possible 1x10-7 (100)
B DC + PRPB without FFlow 4x10-12 (150)
C DC + PRPB without SHRS 5x10-10 (130)
D URPB + ULOF 5x10-12 (150)
E URPB 3x10-15 (200)
F URPB 8x10-17 (180)
Detection for the PHTS2A initiator should be accomplished by the same sensor functions as for the Reactor Vessel Rupture initiator, PHTS1, with no change in the conditional failure probability over the bace case. A smaller leak like PHTS2B, however, night not be as detectable, particularly in the absence of a reactivity transient. Three primary detection functions (Flux to Pressure, Speed Mismatch, or Reactor Vessel Level) and two secondary detector functions (Flux to Total Flow or Flow Misna tch) are allowed to accomplish overall ESS detec-tion. In addition, since the time required for a small leak to cause core disruption is relatively long , the operator is assumed to be able to in'itiate manual SCRAM in 90 percent of the cases where the automatic functions fail. The conditional failure probability for the SCRAM function is also assumed to be higher for the PHTS2A event than for the PHTS2B event due to the increased severity of the core environment, while the f ailure rate for the Pump Trip and Forced Flow ESS functions are essentially the same for either initiator. For the SHRS, the overal1' conditional failure probability is dominated by subsequent failures in the other two primary loops as well as failures involving excessive pump head and consequential loss of coolant, both of which are more likely for the PHTS2A initi-ator' than for PHTS28. Conditional f ailure probabilities asso-ciated with both initiators for each of the ESS functions are li s ted in Table V.3.
The event tree in Figure V.1 can also be used to evaluate
. the PHTS2A and PHTS2B initiators. Accident category recurrence frequency estimates and uncertainties are given in Table V.4.
Table V.3 - Common Cause Considerations for the PHTS2A and PHTS2B Initiators Estimated Pf ESS and (Uncertainty Function Common Cause Consideration Factor) .
(PHTS2A - 75,000 gpm leak)
DTECT 4 primaries and 3 secondar- 8x10-10 (10) les act SCRAM Factor of 3 increase per rod 5.8x10-6 (5)
PTRIP One loop out, others 2x 4x10-4 (5) higher SHRS Loop Pf 10x and pumphead Pg 6.4x10-3 (2) 5x higher FFlow One loop out, others 2x 1x10-3 (3) higher (PHTS2B - 1,000 gpm leak)
DTECT 3 primaries and 2 second- 1.7x10-9 (10) aries; OPFAIL = .1 SCRAM Factor of 2 increase per 1x10-6 (5) rod i PTRIP One loop out, others 2x 4x10-4 (5) l higher SHRS Loop Pf 3x higher, base 2x10-3 (2) * '
case pumphead FFlow One loop out, others 2x lx10-3 (3) higher i
l l
t
Table V.4 - Accident Categories for Initiators PHTS2A and PHTS2B Estimated Recurrence Frequency per Year and (Uncertainty Factor)
- Accident Sequence Category PHTS2A PHTS2B 1
A CSA - Release 1x10-7 (100) 9x10-5 (10)
Possible B PRPB without FFLOW 1x10-10 (125) 9x10-8 (15)
C PRPB without SHRG 6x10-10 (125) 2x10-7 (10)
D URPB + ULOF 6x10-13 (170) 9xio-11 (20)
E URPB 3x10-16 (220) 4x10-14 (30)
F URPB 8x10-17 (183) 1.5x10-13 (30)
Initiators FHTS3A, PHTS3B, and PHTS3C - Primary Pump Failures Primary pump failures are represented by three separate initiators which can be analyzed using the event tree logic shown in Figure V.2. PHTS3A is a single pump trip or failure in any one of the three primary loops with an estimated recurrence frequency of .6 per year. PHTS3B is the simultaneous loss of at least two primary pumps with an estimated frequency of .02 per year, and PHTS3C is the coincident loss of all three primary pumps with an es tima ted frequency of .01 per year. Phenomenological common cause considerations for these initiators are flow perturbations, pressure transients, and debris which are estimated to af fect all of the ESS f unctions to a minor degree.
- Detection for the PHTS3A initiator is accomplished via three primary functions (Flux to Pressure, Speed Mismatch, or Pump Electrics) and two secondary functions (Flux to Total Flow or
- Flow Mismatch) with the operator capable of initiating manual SCRAM in an additional 90 percent of the cases when the automatic functions fail. Three additional functions would be available to detect the PHTS3B initiator and six additional runctions could detect the PHTS3C event. This is due to the redundant nature of the speed mismatch, pump electrics, and flow mismatch protective functions which are sensed in each of the three primary loops.
Thus the ESS detection failure rate is assumed to increase
slightly over the base case for PHTS3A and not at all for PHTS3B or PHTS3C. The SCRAM and SHRS failure rates are assumed to vary slightly for the three events, depending on the severity of the core pressure / flow environment and the increased chance for pri-mary loop failures. Pump Trip is automatically precluded by the initiator in the affected loops and the conditional failure prob-ability for the Forced Flow function is also assumed to increase proportionally according to the number of unavailable primary pumps. The failure rates resulting from these connon cause rela-tionships are listed in Table V.S. When these conditional failure
- probabilities are applied to the branch points of the event tree illustrated in Figure V.2, the accident category recurrence fre-quencies generated are given in Table V.6.
Table V.5 - Common Cause Relationships for the PHTS3A, PH TS 3 B , and PHTS3C Initiators Estinated Pg ESS and (Uncertainty Function Common Cause Consideration _ Factor)
PHTS3A (One pump out)
DTECT 3 primary, 2 secondary, 1.7x10-9 (10)
OPFAIL = .1 S CRAM 5x higher overall 3.5x10-7 (5)
PTRIP One pump out, others 2x higher 4x10-4 (5)
SHRS One loop 3x higher 2x10-8 (5)
FFlow One pump 10x higher 5x10-5 (5)
PHTS3B (Two pumps out)
DTECT None - base case 8x10-10 (10) .
SCRAM 10x higher overall 7x10-7 (5) ,
PTRIP 2 pumps out, others 3x 3x10-4 (5) h igher SHRS 2 loops 3x higher 3x10-8 (5)
FFlow 2 pumps 10x higher, 3 rd 3x 1.4x10-3 (3) higher Table V.5 (Continued )
Estimated Pg ESS and (Uncertainty Function , Common Cause Consideration Factor)
PHTS3C (Three pumps out)
. DTECT None - base Case 8xlC-10 (10)
SCRAft 2x higher per rod 1x10-6 -(5)
PTRIP All pumps out O.
SilRS All loops 3x higher 4x10-8 (5)
FFlow All pumps 10x higher 5x 10 -3 (2)
Table V.6 - Accident Category Frequencies for Pump Failures (PHTS3A, PHTS3B and PHTS3C) Initiators Frequency per Year and (Uncertainty Factor)
Event l Tree Accident Sequence Category PHTS3A PHTS3B PHTS3C l
l A CSA - No .6 (3) .02 (3) .01 (3)
Release l
B PT/F without 3x10-5 (7) 2.8x10-5 (5) 5x10-5 (4) ;
1 FFlow C PF/F without 1.2x10-8 (7) 6x10-10 (7) 4x10-10 (7)
SHRS D UIDF 2x10-7 (7) 1.4x10-8 (7) lx10-8 (7)
E ULOF or ULOF-2 8x10-ll (12) 4x10-12 (12) O.
, Pumps
Pumps *
- ULOF-2 pumps for PHTS3B only
Initiators - PHTS4, PHTSS, and PHTS6 - Primary Coolant Faults The event tree shown in Figure V.3 can be used to analyze initiators PHTS4, PHTS5, and PHTS6. These events deal with pri-mary coolant faults that are accompanied by a step reactivity i
insertion. PHTS4 represents a situation where foreign mate-rial which acts as a moderator (i.e. , oil) is injected into
- the sodium coolant. This is estimated to occur at a rate of 10-5 per year. PHTS5 represents a large void or gas bubble
- 3 traveling through the core and PHTS6 represents the spurious insertion of cold sodium into the reactor vessal via the DHRS.
These events are expected to occur at a rate af 10-5 per year and 1.8x10-3 per year, respectively.
Common cause considerations are based on the presence of an adverse radiation and flow environment as well as the pos-sibility of debris which could damage heat exchanger tubes, core coolant channels, pumps, or the mechanical SCRAM func-tion._ These considerations are estimated to result in a slight increase for the Pump Trip failure rate as well as for the overall SHRS f ailure rate while the Forced Flow and SCRAM ESS conditional failure probabilities are estimated to increase by factors ranging from less than 1.1 for the PHTS6 initiator to more than 50 for the PHTS4 scenario. Detection for all three initiators is assumed to be accomplished by three pri-mary sensing functions (HI Flux, Flux to Pressure, or Positive to Delayed Flux) and two secondary functions (Flux to Flow or Positive Modified Nuclear Rate) which results in an estimated
, failure rate that is two orders of magnitude higher than the reported base value of 8x10-10 The conditional failure prob-i abilities for the ESS functions are recorded in Table'V.7 Combining the branch point failure rates from Table V.7 l with the event tree logic of Figure V.3 results in the acci-l dent category recurrence frequencies shown in Table V.8.
e i
i l
Table V.7 - Common Cause Relationships for the PHTS4, PHTS5, and PHTS6 Initiators Estimated Pg ESS and (Uncertainty Function Common Cause Consideration Factor)
PHTS4 (Moderator in Sodium Coolant)
. DTECT 3 primaries and 2 secondaries 4x10-8 (10)
SCRAM 3x increase per rod 5.8x10-6 (5)
PTRIP 2x per purp increase 6x10-4 (5)
SHRS 10x increase in vessel and 5x10-8 (5)
HX tube rupture FFlow 3x per pump increase 1.3x10-4 (5)
PHTSS ( Large Void or Bubble)
DTECT 3 primaries and 2 secondaries 4x10-8 (10)
SCRAM 2x increase per rod 1x10-6 (5)
PTRIP 2x increase per pump 6x10-4 (5)
SHRS 10x increase in vessel 3x10-8 (5) rupture FFlow 2x increase per pump 4x10-5 (5)
PHTS6 (DHRS Insertion)
DTECT 3 primaries and 2 secondaries 4x10-8 (10)
SCRAM 2x increase overall 1.5x10-7 (5)
PTRIP Base case 3x10-4 (5)
SHRS DHRS unavailable 3x10-6 (4)
FFlow Base case 5x10-6 (5)
Table V.8 - Accident Categories for PHTS Coolant Subsystem Initiators PHTS4, PHTSS, and PHTS6 Frequency per Year and (Uncertainty Factor)
Event Tree Accident Fequence Category PHTS4 PHTS5 PHTS6 A CSA - No 1x10-5 (10) 1x10-5 (10) 1.8x10-3 (5)
Release B Pr/F without 1.3x10-9 (18) 4x10-10 (20) 9x10-9 (10)
FFlow C PT/F without 5x10-13 (18) 3x10-13 (18) 5x10-9 (9)
SHRS
'i D UFOP/USTEP 6x10-ll (20 ) 1x10-ll (20) 3x10-10 (10) and ULOF E UFOP/USTEP or 3x10-14 (30) 6x10-15 (30) 8x10-14 (15)
UCP i
F UFOP/USTEP or 4x10-13 (30) 4x10-13 (30) 7x10-ll (17)
UCF PHTS Accident Category Summary l A total of 54 event tree paths which lead to 15 different accident categories are described by the PHTS initiators. Of these, nearly 50% have an estimated recurrence frequency of less than 10-10 per year and should not be dominant accident scenarios. The remaining event tree paths fall mainly into seven accident categories of which four are protected acci-dent categories and three are unprotected categories. The
- total recurrence frequency contribution from the PHTS initia-tors towards these seven accident categories is summarized in Table V.9. .
l l
l f
i l
T
, Table V.9 - Major Accident Categories for' PHTS Initiators Per Year Recurrence Uncertainty Accident Type Initiator (s) Frequency Factor e
CSA-Release Possible Pipe / Vessel Sub- 9x10-5 10 system t
2 PT/F without Forced Flow Pump and Coolant 5x10-5 5 Subsysten.s PT/F without SHRS Pump and Coolant lx13-0 7 Subsystems j PRPB without SHRS Pipe / Vessel Sub- 2x10~7 10-
- system.
UIDF Pump Subsystem 2x10-7 7 UTOP/USTEP and ULOF Coolant Subsystem 3x10-10 10 UCP Coolant Subsystem 3x10-10 10
).
4 e
i G
o i
4
,~ ._ . . . - . _ . . . - . . . . - . , ._ _ . - _ . . . . . _ _ . . . _ , - _ . , _ _ _ . . . . . . . . . . . . . . _ - . _m , - , .
VI. Intermediate Heat Transport System The IHTS has nine initiators, many of which closely resemble those in the PHTS. Two initiators deal with Interme-diate Piping Subsystem faults (rupture and large leaks); three more deal with faults within the Intermediate Pump Subsystem (loss of flow in one, two, or all three pumps); and the remain- ,
ing four address Intermediate Coolant Subsystem f aults ( ru pture disk and drain valve failures). The average recurrence fre-quency for Piping subsystem initiators is 10-6 per year while .
Pump and Coolant subsystem initiators fall in the .01 to 1.0 per year range. Potential common cause relationships for the IHTS initiators are minimal for the detection, SCRAM, and pump trip functions, low to moderate for the Forced Flow function, and moderate to high for the SHRS function. All of the IHTS initiators can be analyzed using the event tree logic described in Figure VI.1 for the IHTS pump subsystem. IHTS initiators have the potential to contribute to only five of the 25 identi-fied accident categories since core fault and primary boundary interactions are remote. Analysis of the individual IHTS ini-tiators is summarized in the following sections.
Initiators IHTSlA and IHTSIB - Intermediate Piping Faults IHTS piping faults are covered by the IHTSlA and IHTSlB initiators. IHTSIA represents a major pipe system in any one of the three IHTS loops which results in a major loss of sodium in that loop. IHTSlB represents a large leak in any one of the IHTS loops which results in a SCRAM requirement. The estimated fre-quency for an IHTSlA event is estimated at 10-7 per year while IHTSIB events are estimated to occur at a rate of 9x10-5 per year. Common cause considerations for these initiators include sodiun fire and adverse pressure transients within the affected i
loop. For the most part, the ESS SCRAM and Pump Trip functions
( are assumed to be unaffected by a pipe break in the IHT. The SHRS is affected to a minor degree due to the loss of one loop and it is assumed that forced flow is denied in the affected loop due to loop isolation. Automatic detection for the IHTSlA and IHTSlB j nitiators is estimated to be relatively weak compared
- to other faults. Two primary functions (IHX Outlet Temperature or Speed Mismatch) and two secondary functions (Flow Mismatch or Evaporator Outlet Sodium) should be able to sense the anamoly. .
In addition, the operator should be able to correct automatic sensor faults in 90 percent of the IHTSlA cases and 99 percent of the IHTSlB cases due to the time involved befcre a CDA situa-tion arises. Overall, the ESS detection function is estimated to have a failure rate which is potentially two to three orders of magnitude higher for IHTS piping faults than for the base case. These conditional f ailure probabilities for the ESS functions are listed in Table VI.l.
A=,=;gA=T ,Cag,R;, .U..YSn u ,A.URE E-E- .A,ETY .Y.nu it..) -.Po E. T -T ACC.E.T Can.oRM.
-ACTOR SMUTDOwN SYSTEM DECAT MEAT REuCTAL DETECTION SCRAW Puur TheP e snRS l FORCED FLOW I I l i I I I l 1 l :A CSA: no REL.
I I i ,
I .
e I g i I I I
I e g :o PTer weo FORCEo rtow: coa Poss.
I e
I :C PT/F w/o sness. coa sostytT.
un OD UL.P a
COesenON WODEteoTOR GEsIERATOR FAULT Coaseson asoDE PUtsP COceTROL CIRCUIT :E ULOMS FAULT (B- AEERS LW FRom osse OPEIIED) mTSPuur lor FROM Two MTS W PuesP(S) Fall % MTS PUMPS SugSTSTEM EBECMAfHCALLY EA8'U"E
* LOF FM 70eftEE E*'R.C Au f " " ' " '
cr utOns MUGsAN ER8 TOR sooeum FLOW CouTRoL .RErEns To PRasART PUssPs SYSTEas FAULT Figure VI.l. Initiating Accident Event Tree for a CRBRP IHTS Pump Subsystem Failure.
d Table VI.1 - Common Cause Relationships for the IHTSlA and IHTS1B Initiators Estimated Pg 1
ESS and (Uncertainty Function Common Cause Consideration Factor) ,
IHTSlA (Major Pipe Rupture)
DTECT 2 primary and 2 secondary, 6x10-7 (10)
OPFAIL = .1 SCRAM Maxinum 2x increase 1.5x10-7 (5)
PTRIP Base case 3x10-4 (5)
SHRS 1 IHTS loop out, others 5x 8x10-8 ('4 )
higher FFlow 1 pump unavailable 3x10-4 (4) ,
g IHTSlB ( Large Pipe Leak) j DTECT 2 primary and 2 secondary, 6x10-8 (10)
OPFAIL = .01 SCRAM Maximum 2x increase 1.5x10-7 (5)
] PTRIP Base case 3x10-4 (5)
SHRS 1 IHTS loop out, others 2x 7x10-8 (4)-
j higher FFlow 1 pump unavailable 3x10-4 (4) l The event tree logic of Figure VI.1 lists the accident categories which can result from either IHTSlA or IHTSlB. The estimated recurrence frequencies for these accident categories ,
are derived by combining the event tree logic with the initia-tor recurrence frequency and the conditional f ailure' probabili-ties listed in Table VI.l. These frequencies are recorded in Table VI.'2.
Table VI.2 - Accident Categories for IHTS Piping System Initiators IHTSlA and IHTSlB Estimated Recurrence Frequency per Year and (Uncertainty Factor)
Sequence Accident Category IHTSlA IHTSIB A CSA - No Release lx10-7 (10) 9x10-5 (10)
B PT/F without FFlow 3x10-Il (16) 3x10-8 (16)
C PT/F without SHRS 8x10-15 (15) 6x10-12 (15)
D ULOF 2x10-14 (18) 1x10-Il (18)
E ULOHS 5x10-18 (30) 4x10-15 (30)
F ULOHS 6x10-14 (30) 5x10-12 (30)
Initiators IHTS2A, IHTS2B, IHTS2C - Intermediate Pump Faults
' Initiators IHTS2A, IHTS2B, and IHTS2C cover pump faults in the IHTS. IHTS2A represents a single pump fault or trip in any one of the three IHTS loops and is estimated to occur at a rate of .6 per year. IHTS2B represents the coincident loss of two main pumps in the IHTS and is estimated to occur at a rate of
.02 per year while the simultaneous loss of all three IHTS pumps is expected to occur at a rate of .01 per year and is represented by initiator IHTS2C. Common cause considerations for these ini-tiators include pressure and temperature transients within the affected loop. These relationships are expected to have almost no effect on the failure rates of the SCRAM or Pump Trip func-tion and only a moderate effect on the Forced Flow failure rate.
Detection for the IHTS2A initiator is generally less likely than for either of the other two IHTS pump subsystem initiators since redundant sensor functions are involved. Detection in any one
, loop should be accomplished via the same primary and secondary functions used to detect the IHTS piping faults previously described and the operator is expected to perform with at least 99 percent efficiency due to the time involved before a CDA situ-ation. For the SHRS function a loss of the main circulating IHTS pump is assumed to imply the loss of that loop for heat removal purposes and neglects any potential contribution due to pony flow or natural circulation. This assumption has almost no effect on the conditional SHRS failure probability for the IHTS2A and
-- . .. . _ . . . . =_ -.
l 4
j r
1 1
IHTS2B initiators where the failure rate changes by less than a factor of 50, but may be overly conservative for' the IHTS2C initi-a to r . A sunnary of the conditional failure probabilities for each of the three IHTS pump subsystem initiators is given in Table VI.3.
1
)
Table VI.3 - Common Cause Relationships for the IHTS2A, ,
IHTS2B, and IHTS2C Initiators Conditional Pf ESS and'(Uncertainty
' Function Common Cause Consideration Factor)
IHTS2A (One pump out)
DTECT 2 primary and 2 secondary; 3x10-8 (10)
OPFAIL = .005 SCRAM Factor of 2 max 1.5x10-7 (5) j PTRIP None 3x10-4 (5)
SHRS One loop out, others 2x higher 7x10-8 (4)
FFlow One pump 3x higher 1.5x10-5 (5) l IHTS2B (Two pumps out)
DTECT Base case 8x10-10 (10)
! SCRAM Factor of 2 max 1.5x10-7 (5)'
l PTRIP None 3x10-4 (5)
SHRS 2 loops out, other 5x higher 8x10-7 (4)
FFlow 2 loops 4x higher 8x10-5 (5)
IHTS2C (Three pumps out) i DTECT Base case 8x10-10 (10)
SCRAM Factor of 2 max 1.5x10-7 (5)
PTRIP None 3x10-4 (5)
SHRS 3 loops out 2x10-3 (2)
FFlow 3 loops 5x higher -
6 x10 -4 (4)
Combining Table VI.3 with the event tree logic of Figure VI.1 results in accident category recurrence frequencies for the IHTS2A, IHTS2B, and IHTS2C initiators which are shown in Table VI.4.
Table VI.4 - Accident Category Frequencies for the IHTS2A, IHTS2B, and IHTS2C Initiators Estimated Recurrence Frequency
. per Year and (Uncertainty Factor)
] '
Event Tree Accident Sequence Category IHTS2A IHTS2B IHTS2C A CSA - No Release .6 (3) .02 (3) .01 (3)
B PT/F without FFlow 9x10-6 (6) 2x10-6 (7) 6x10-6 (7)
C PT/F without SHRS 4x10-8 (6) 2x10-8 (6) 2x10-5 (4)
D ULOF 9x10-8 (7) 3x10-9 (7) 2x10-9 (7)
E ULOHS 3x10-ll (12) 9x10-13 (11) 5x10-13 (11)
G UIDHS 2x10-8 (13) 2x10-ll (13) 8x10-12 (13)
T Initiators IHTS3A, IHTS3B, and IHTS3C - IHTS Rupture Disk Faults The event tree logic delineated in Figure D can also be used to analyze initiators IHTS3A, IHTS3B, and IHTS3C. These events deal with IHTS rupture disk f aults accompanied by activation of the Sodium-Water Reaction Pressure Relief System. This system is intended to protect against severe sodium water reactions in the evaporator or steam generator by dumping the IHTS loop sodium to a dump tank and inerting the superheater and evaporators with
, nitrogen. The IHTS3A initiator represents a rupture disk fault i in one IHTS loop while IHTS3B represents rupture disk f ailures in any two loops and IHTS3C represents the simultaneous loss of
. rupture disks in all three loops. These events are estimated to occur at the rate of .8, .03, and .02 per year, respectively.
Common cause considerations for rupture disk f ailures are estimated to have almost no af fect on the conditional f ailure probability for the Detection, SCRAM, or Pump Trip ESS func-tions but should affect the SHRS and Forced Flow functions to some degree due to pressure and temperature transients.
l 4
1
.-,m , -. -, - e- - - -. ,.r-.,, , - - , - . -- , , - , .,- - --m---,
. Detection is assumed to occur via two primary sensor systems (Speed Hismatch or IHX Temperature) and three secondary sensor systems (Flow Hismatch, Steam Drum Level, or SWRPRS) in each of
, the heat transfer loops. Here again the operator is expected to act correctly in at least 99 percent of the situations where the automatic detection systems fail. All this results in only a modest increase in the estimated Detection ESS failure rate for the IHTS3A initiator over the base value and no increase '
for either the IHTS3B or the IHTS3C initiators. SCRAM, Pump Trip, and Forced Flow conditional failure rates for rupture '
disk faults are assumed to be essentially identical to those for the intermediate pump fault initiators. The SHRS function is af fected by the loss of one normal heat transfer loop for each rupture disk failure with no chance for loop recovery.
This increases the estimated SHRS failure rate by a factor of only 5 for the IHTS3A initiator and by a factor of 50 for the IHTS3B initiator. The IHTS3C initiator, however, has the potential to increase the SHRS conditional failure probability i
by many orders of magnitude due to the fact that redundant feed-water and heat sink systems are no longer available leaving only the DHRS for post-accident heat removal. The conditional fail-ure probabilities for each of the ESS functions due to rupture disk faults are summarized in Table VI.S.
When the conditional failure probabilities from Table VI.5 are combined with the event tree logic of Figure VI.1, the acci-dent category recurrence frequencies listed in Table VI.6 are gene ra ted for the IHTS3A, IHTS 3B , a nd IHTS3C initiators.
l Initiator IHTS4 - IHTS Drain Valve Faults The IHTS4 initiator deals with drain valve failures which result in an accidental dump of sodium in one of the intermedi-l ate loops. This event is expected to occur primarily as a l result of gross operator error and has an estimated recurrence frequency of 10-5 per year. Common cause considerations for j this initiator are basically the same as for either the IHTS2A initiator or the IHTS3A initiator; minimal for the Pump Trip, Forced Flow, and SCRAM functions and moderate for the Detec-tion and SHRS functions. These conditional failure probability
- estimates are listed in Table VI.7.
C l
l
Table VI.5 - Common Cause Relationships for the :
' IHTS3A, IHTS3B, and IHTS3C Initiators .
Conditional Pg and ESS Function Common Cause Consideration (Uncertainly Factor)
. IHTS3A (One Rupture Disk Fault)
- DTECT 2 Primary and 3 Secondary 1.5x10-8 (10)
OPFAIL = .005 ,
SCRAM Factor of 2 Max. 1.5x10-7 (5)
PTRIP None 3x10-4 (5)
SHRS 1 Loop out; others 2x higher 7x10-8 (4) l FFLOW l Loop 3x higher 1.5x10-5 (5)
IHTS3B (Two Rupture Disk Faults)
DTECT Base case .1.1-10 (10) >
SCRAM Factor of 2 Max. 1.5x10-7 (5)
PTRIP None 3x10-4 (5)
SHRS 2 Loops out; 3rd 5x higher 8x10-7 (4)
FFLOW 2 Loops 4x higher 8x10-5 (5) 1
)
IHTS3C (Three Rupture Disk Faults)
DTECT Base case 8x10-10 (10)
SCRAM Factor of 2 Max. 'l.5x10-7 (5)
- PTRIP None 3x10-4 (5)
SHRS All Loops out; DHRS only 2x10-3 (2)
FFLOW' All Loops 5x higher 6x10-4 (4)
-61'-
- _ . . ~ . , - _ - - . _ _ . . . _ . . , _ . . _ _ _ _ .
Table VI.6 - Accident Category Frequencies for the IRIS 3A, IHTS3B, IHTS3C Initiators Event Tree Estimated Recurrence Frequency Sequence Accident Category and (Uncertainty Factor)
IHTS3A IHTS3B IHTS3C A CSA - No Release .8 (3) .03 (3) .02 (3)
B PT/F without FFLOW 1.2x10-5 (7) 2.4x10-6 (7) 1.2x10-5 (7)
C PT/F without SHRS 5x10-8 (6) 2.4x10-8 (6) 4x10-5 (4)
D ULOF 1.2x10-7 (7) 4.5x10~9 (7) 3x10-9 (7)
E ULOHS 4x10~11 (12) 1x10-12 (12) 9x10-13 (12)
G ULOHS 1.2x10-9 (13) 2.4x10~11 ( 13 )' 2x10-ll (13) f Table VI.7 - Common cause Relationships for the IMTS4 Initiator Estimated Pg and ESS Function Common Cause Consideration (Uncertainty Factor) l DTECT 2 Prinary and 2 Secondary; OPFAIL = .1 6x10-7 (10)
SCRAM Factor of 2 increase 1.5x10-7 (5)
PTRIP None - Base case 3x10-4 (5) '
l SHRS 1 Loop outs others 2x higher 7x10-8 (4) ,
! FFLOW 1 Loop 3x higher 1.5x10-5 ( 5) l __ _ _ ._-
Drain valve failures are potentially less detectable than either single pump (IHTS2A) or rupture disk (IHTS3A) faults due mainly to an increased chance for operator error when the auto-matic sensor systems fail. Here the operator is assumed to initiate reactor SCRAM only 90 percent of the time instead of at a 99 percent-plus rate even though the time to CDA could be qui te lengthy. Automatic detection is expected to be accomp-e lished by two primary sensor functions (Speed Mismatch or IHX Temperature) and two secondary sensor functions (Flow Mismatch or Steam Drun Level).
The event tree logic found in Figure VI.1 once again is used to estimate the recurrence frequencies associated with accident categories resulting from the IHTS4 initiator. These frequencies are calculated by combining the initiator frequency with the ESS branch point failure estimates listed in Table VI.7 and recorded in Table VI.8.
Table VI.8 - Accident Category Frequencies for the IHTS4 Initiator Es tima ted Recurrence Event Tree Frequency and Sequence Accident Category (Uncertainty Factor)
A CSA - No Release 1x10-5 (10)
B PT/F without FPLOW lx10-10 (20)
C PT/F without SHRS 7x10-13 (15) 1 D ULOF 2x10-12 (20)
E ULOHS 5x10-16 (30)
G ULOHS 2x10-12 (30) 1 ,
IHTS Accident Category Summary The 9 IHTS initiators lead to only 5 of the 25 identified accident categories via a total of 54 separate paths. Eighteen event tree paths lead to the ULOHS-type accident category while each of the remaining 4 categories (CSA - No Release, PT/F with-out FFLOW, PT/F without SHRS, and ULOP) has 9 contributing path-way sequences. Almost 40 percent of the IHTS accident scenarios
i d
I result in estimated recurrence frequencies of less than 10-10 per year. Many of these are associated with the piping subsys-i tem initiators which indicates that estimated potential common
' cause mechanisns due to sodium fires are heavily outweighed by
- the relatively low recurrence frequency associated with severe
- piping system faults. The remaining accident scenarios lie in r the 10-5 to 10-8 per year frequency range. Results of the com- .
I bined IHTS initiator analysis are delineated in Table VI.9.
r
- Table VI.9 - Major Accident Categories _for the '
Combined IHTS Initiators Combined Dominant Recurrence Uncertainty Accident Type Initiator (s) Frequency Factor PT/F without FFLOW Rupture disks, pumps 1x10-5 7 PT/P without SHRS Rupture disks, pumps 4x10-5 4
i 1
0 o
l e
e t
VII. Steam / Electrical Generation System (S/EGS)
There are eleven initiators associated with the CRBRP S/EGS.
One is due to faults within the Steam Generator /Superheater Sub-system and has an estimated recurrence frequency of .9 per year.
Three more deal with faults in the S/EGS Steam Piping Subsystem and average about 1.6 occurrences per year. Pour initiators stem from S/EGS Feedwater faults with a total recurrence frequency of 2.6 per year. The final three initiators result from S/EGS Tur-bine faults (. 5 per year) and Main Condenser failures (.3 per year. As a group, these eleven accident initiators represent almos t half of the total expected number of challenges per year to the CRPRP ESS functions. Consequently, the accident sequences resulting f rom S/EGS failures are expected to figure prominently among the overall generic accident category recurrence frequency estimates.
All of the S/EGS initiated accident sequences can be ana-lyzed using the event tree logic delineated in Figure VII.l. If the potential for violently explosive sodium-water reactions in the Steam Generator /Superheater Subsystem which propagate through the IHTS and result in core damage or primary boundary rupture is neglected, only five generic S/EGS accident categories remain.
These are CSA - No Release, PT/F without FFLOW, PT/F without SHRS, ULOF, and ULOHS. Common cause effects on the ESS branch points leading to these accident categories are generally negligible for the detection, SCRAM, pump trip, and forced flow functions while common cause relationships associated with the SHRS func-tion range from moderate to high. Results of the analysis which estimates the recurrence frequency contribution for each of the S/EGS initiators is summarized in the following sections.
Initiators SGSDRUM, SGSPIPE, and SGSVALVE - S/EGS Steam Piping Subsystem Faults S/EGS Steam Piping Subsystem f aults are handled through the SGSDRUM, SGSPIPE, and SGSVALVE initiators. SGSDRUM represents a steam drum f ailure in one of the three S/EGS loops and is esti-mated to occur at a rate of .1 per year per loop. SGSPIPE is a
intended to represent steam pipe ruptures within the individual S/EGS loops with a recurrence frequency of 0.18 per year per loop and SGSVALVE represents steam-side isolation or control valve faults within any loop with an estimated frequency of
.43 per year per loop. Common cause concerns for these events include common mode failures within similar components in the other two loops as well as moderate temperature and pressure transients within the affected loop. The ESS conditional fail-ure probabilities which result are tabulated below by initiator and ESS function.
S45797t. Svstves ,,g,,,,,, , ,,, g gg, ,, , l fu.t-Ef Cau aeAT CO.po.s..?
pas.45 F46&T p atunt 9 K48lE asTea.vums N Cave ca g l
l af ACTO. .se#7 0.eB Sv$7fEB CavemataBesDWE l l DETECYeoes l SC.a. l Pu 9 T.. See.S lpg.Cf. FLO. l
. 1 0 1 1
.f f f C T l 0 0 ' B
',:' . m .se l l ! 'e= -== .c.
-. .n.s.e ..
e
.e
...C see . - =.a:
ca= -
J,=a, - .u
. L, a cos
.C.-
a
.C a - E so.
a.C. , , ,
. m.
. i , c-- ..
.a s - , .a
-- .u4 ,E.a.. L a. L- . - . . - - .a
== -
c = == = .L.- ==_..-.4 c-
="8 fo~.~eTfJ- . ~ ,; ' =_*a,,; ,,, - -
a ,,, *"*".'".n.
. "./. , =,= = =:p,
,: ,--c- m.se c-u. .m. a oes .. . . . - . - -
,4,,,,.
g saa.vteTass7 vt.T vuyt C aa
.e wrT*
p aa.ulet
, --...m.
- =,,,,,, ,. - - ,mu u, 0,-. ,. co*
--== - E
,.",e,4. am.
,,,,,4,
='.,,,,, , , . , , , , , ,
- co E .aeem. - .-- m.E
.U... - _
E g r ramunt
,,,,,,g g,,, gg F.adL.aser p ees Fa F estaTERf.tunt f WKWEdS8,I atFat g ggs m OR.TS*
,,,g g m .-u.es l-m *apot s o.sa.w vo ssua.
Fat. users e m HesMIE p .smanven, surangeavv. .e.vsvens
.EFWCT estaCYeoses, ans assuasE.eop*GaTeosh TO em La *==m.aTWA
,"*,,,a,-c. c, c- ====
.na
=Lnc=. .c.,a., a, ho.un. =,c,u,"L ,,
- e.
- uc.= .,
" ; " ",yy,',,a,
,L4_,,**,,,
., .,a. a
. n.n.c=c.a.
,,,,,,4,,,,,,,,
,, .om vc-. .L .-,
Geesumavosi MCeemesacaL g,,,,,,,,
.ELP-.ES?nuCT
- a.Ta.ES.
c-Fafe.r.
u.
svua. u.n.pa.a.un.a. c.mv cia.a.r.sso areg E vacuu.
=== cto .u.n. on vm m .
eameman c- m .OP-waC.u.ute L.oa ac. * = ce==sassa
==mu s-u
- n . ~ mn= -
smu e-C PafeGUE L_o.au C ... ECLU,a sS
- nume T aL
.fftC.e En.ON PO.02:Fn, r - . ..
esul.aa me a.
M Gs se v-
.GBT-. sect RLECTP".ak ra4EI Figure VII.l. Initiating Accident Event Tree for a Generic CRBRP Steam / Electrical Generation System Failure.
. . . e
_ = _ _ . . .-. . . . _ _ .
I e
ESS Detection for the S/EGS Steam Piping Subsystem initiators
, is expected to be relatively weak in comparison to other S/EGS faults. One primary (Steam to Feedwater I!ismatch) and two sec-ondary (Steam Drum Level or Evaporator Outlet Temperature) sensor functions should be able to accomplish the initial Automatic Detec-4 tion function with at least 99 percent assistance from the operator.
. Overall this results in a conditional failure probability which is roughly two orders of magnitude higher than the base value. The SCRAM and pump trip functions should remain almost unaffected by
,e initiators SGSDRUM, SGSPIPE, or SGSVALVE while the forced flow a function experiences a potential increase in failure rate due to temperature and pressure transients. SHRS availability is affec-ted by the loss of the normal and the protected heat sink in one loop for all three initiators which increases the estimated SHRS failure rate by about a factor of ten over the base case.
Using the event tree logic of Figure VII.1 and Table VII.1, the recurrence frequencies for accidents resulting from initia-tors SGSDRUM, SGSPIPE, and SGSVALVE can be estimated. These values are reported in Table VII.2.
Table VII.1 - Common Cause Relationships for Initiators SGSDRUM, SGSPIPE, and SGSVALVE Estimated Pf and ESS Function Common Cause Consideration (Uncertainly Factor)
DTECT (ALL) 1 Primary and 2 Secondary 1.35x10-7 (10)
OPFAIL = .001 SCRAM (ALL) Factor of 2 Max 1.5x10-7 (3)
PTRIP (ALL) None 3x10-4 (5)
SHRS (DRUM) Loop steamdrum and pace out; 2.3x10-7 (5) other loops 3x higher f SHRS (PIPE) Same as DRUM, but 2x higher 1.3x10-7 (5)
. on loops SHRS (VALVE) Loop valves out; others 2x 1.5x10-7 (5) higher j FFLOW (ALL) 2x higher in affected loop lx10-5 (5) 1
Table VII.2 - Accident Categories for the S/EGS Piping Subsystem Initiators Event Tree Estimated Recurrence Frequency Sequence Accident Category and (Uncertainty Factory)
A CSA - No Release .3 (2) ^5 (2) 1.3 (2)
B PT/F without FFLOW 4.5x10-6 (10) 7.5x10-1 (6) 2x10-5 (6) .
C PT/F without SHRS 7x10-8 (6) 6.5x10-9 (6) 2x10-7 (6)
D ULOF 4.5x10-8 (7) 7.5x10-9 (7) 2x10-7 (6)
E ULOHS lx10-ll (10) 2x10-12 (10) 6x10-ll (10)
F ULOHS 4x10-8 (11) 6x10-9 (11) 1 6x10-7 (11)
Initiator SGSEVP - S/EGS Superheater-Steam Generator Faults Initiator SGSEVP covers faults within the Steam Generator, Evaporator, or Superheater modules such as internal tube failures, case rupture, or manifold failures. These type of events are expected to occur with a frequency of .9 per year. Common cause considerations include steam explosions, sodium-water reactions, and missile damage as well as common mode f ailures within similar components. Initial ESS Detection should occur via one Primary (Steam to Feedwater Mismatch) and three secondary sensor functions (SWRPRS, Steam Drum Level, or Evaporator Outlet Temperature) with a 99 percent-effective assist from the operator. The conditional l failure probability for SCRAM, Pump Trip, or Forced Flow functions is estimated to increase by no more than a factor of three for the SGSEVP initiator while SHRS reliability is estimated to decrease by a factor of ten due to the loss of one normal heat transfer l loop and common mode failure potential within the other two loops. The estimated failure rates for the ESS functions due
- to the SGSEVP initiator are displayed in Table VII.3.
The event tree logic shown in Figure VII.1 is used to ,
determine the accident category frequencies for the SGSEVP ini-tiator together with the assumption that sodium-water reactions in the Steam Generator /Superheater Subsystem will not result in t
any substantial damage to the reactor core or primary boundary.
l This assumption eliminates all but five of the possible outcomes
! listed at the end points of the Figure VII.1 event tree. These remaining accident categories and the contribution of the SGSEVP l initiator towards them are shown in Table VII.4.
l l
! l l
Table VII.3 - Common Cause Relationships for the SGSEVP Initiator Estimated Pg and
. ESS Function Common Cause Consideration _, (Uncertainly Factor)
DTECT 1 Prinary and 3 Secondary 6x10-8 (10)
. OPFAIL = .01 SCRAM 3x Max. increase 2x10-7 (5)
PTRIP 2x Max. increase 6x10-4 (5)
SHRS 1 Loop out; others 5x higher 5x10-7 (5)-
l FFLOU 3x Max. increase 1.5x10-5 (5) l l
l l Table VII.4 - Accident Categories for the SGSEVP Initiator Event Tree Estimated Recurrence Sequence Accident Category Frequency and Uncertainty A CSA - No Release .9 (2)
B PT/F without FFLOW l.4x10-5 (6)
C PT/F without SHRS 4.5x10-7 (6)
D ULOF 1.8x10 (6)
E ULOHS lx10-10 (10)
F ULOHS 6x10-8 (10).
-o -. .--- -- _
l Initiators SGSFWl, SGSFW2, SGSFW3, and SGSFW4 -
S/EGS Feedwater Faults Four initiators deal with S/EGS Feedwater Subsystem f aults.
SGSFW1 represents feedwater pump f ailures which have an estimated recurrence frequency of .6 per year. SGSFW2 events represent feed-water piping ruptures which occur at a rate of .005 per year. Feed- ,
water valve faults from either isolation, control, or drain valves are covered by initiator SGSFW3 which has an estimated recurrence frequency of 1.5 per year. Other isolation and control f aults due .
to operator error or electrical f ailure are estimated to occur at a rate of .5 per year and are represented by initiator SGSFW4. As a whole, the S/EGS Feedwater f aults represent more challanges per year to the CRBRP Frotective ESS functions than any other system within the plant. Common cause considerations for these initia-tors concentrate mainly on a loss of SHRS capability due to a loss of one of the two available feedwater systems and are nil for the Detection, Pump Trip, Forced Flow, or SCRAM functions.
Conditional failure probabilities for the ESS functions due to the SGSFWl, SGSFW2, SGSFW3, and SGSFW4 initiators are listed in Table VII.5.
Table VII.5 - Common Cause Relationships for the S/EGS Feedwater Initiators Estimated Pg and ESS Function Common Cause Consideration (Uncertainly Factor)
DTECT (ALL) Base case - at least 7 8x10-10 (10) functions SCRAM (ALL) Max. 2x increase 1.5x10-7 (5)
PTRIP (ALL) None - Base case 3x10-4 (5)
SHRS (SGSFUl) FW Pump out, AFW Pumps 1.5x10-5 (2) 2x higher ,
SHRS (SGSFW2) FW Pipe out, AFW Pipe 1.6x10-5 (2) 2x higher .
SHRS (SGSFW3) FW Valves out, AFW Valves 3xla-5 (2) 2x higher SHRS (SGSFW4) FW Insolation and Control 1.5x10-5 (2) out, AFW 2x higher FFLOW (ALL) Max. 2x increase lx10-5 (5)
ESS Detection should be accomplished by the Steam to Feedwater primary sensor function and either the Steam Drum Level or Evapor-ator Outlet Temperature secondary sensor function. Each of these is sensed in all three heat transfer loops so that as many as nine protective sensor functions could be able to detect a S/EGS' feed-water fault. Consequently no increase over the base case failure rate for the Detection function is anticipated. SCRAM, Pump Trip, and Forced Flow should not be seriously affected by a Feedwater fault. The conditional failure rates for these ESS functions are
, nominally increased by a factor of 2 which is meant to represent the maximum plausible common cause effect in the absence of any detailed analysis.
SHRS reliability is estimated to decrease by nearly three orders of magnitude due to the loss of the normal supply of feedwater combined with potential common mode f ailures in simi-lar components within the Auxiliary Feedwater System. The event tree logic of Figure VII-l is again used to compute the accident category recurrence frequency estimates for the SGSFWl, SGSFW2, SGSFW3, and SGSFW4 initiators. These results are in Table VII.6.
Initiators SGSTTl and SdSTT2 - S/EGS Turbine Faults Turbine trips are anticipated to be routine events for the CRBRP which generally do not require immediate SCRAM or Pump Trip.
Two special cases do exist, however. Initiator SGSTTl represents a turbine trip where SCRAM is called for due to some unspecified additional failure and where the Turbine Bypass System is fully operational. This scenario has an estimated recurre.nce frequency of .33 per year. Initiator SGSTT2 represents a similar situation where the Turbine Bypass System is not in service and has an esti--
mated recurrence frequency of .16 per year. Common cause consid-erations for these events include abnormal temperature and pressure environments within the main condenser and feedwater deaerator as well as increased potential for overall electrical failure. ESS Detection for both initiators is assumed to be at the base case level since failures in addition to the turbine trip which call for SCRAM are not specified. The initiator dependent failure probability for the SCRAM, Pump Trip and Forced Flow f unctions is estimated to increase a factor of two at the most due mainly to potential electrical faults while the SHRS failure rate is es tima ted to increase by roughly two orders of magnitude due to potential condenser and feedwater faults. These conditional failure rates for the ESS functions due to initiators SGSTTl and SGSTT2 are listed in Table VII.7. Once again the event tree logic of Figure VII.1 is used to. estimate the accident category recur-rence frequencies associated with the S/EGS turbine initiators.
These estimates are listed in Table VII.8.
(
)'
Table VII.6 - Accident Categories for the S/EGS Feedwater Initiators Event Tree Estimated Recurrence Frequency Sequence Accident Category and (Uncertainty Factor)
SGSFW1 SGSFW2 SGSFW3 SGSFW4
- 1. CSA - No Release .6 (2) .005 (3) 1.5 (3) .5 (2)
B PT/F without FFLOW 6x10-6 (6) 5x10-8 (7) 1.5x10-5 (6) 5x10-6 (6) to C PT/F.without SHRS 9x10-6 (2) 8x10-8 (4) 4.5x10-5 (3) 7.5x104 (3) l
'D ULOF 9x10-8 (6) 7.5x10-10 (8) 2x10-7 (6). 7.5x10~~6 (6)
E ULOHS 3x10-11 (10) 2x10-13 (10')- ,
'7x 10-11 (10) 2x 10'"11 - ( 10 ) . -
s s F ULOHS 5x10-10 (10) 4x10-12 (10) 4 1x10-9 (10) 4x10-10 (10) j: -
^
-t
- i
- ~,
-q s 6 f
3 i
j
- 3' m.
Table VII.7 - Common Cause Relationships for SGSTTl and-SGSTT2 Initiators Estimated Pg and -
, ESS Function Common Cause Consideration (Uncertainly Factor)
DTECT (Both) Base case 8x10-10 (10)
SCRAM (Both) 2x increase Max. 1.5x10-7 (5)
PTRIP (Both) 2x increase Max. 6x1n-4 (5)
SHRS (SGSTTl) P Condenser = .01, 2.3x10-6 (3)
P Power = .01 SHRS (SGSTT2) P Condenser = .1, 3.8x10-6 (2.5)
P Power = .01 FFLOW (Both) 2x increase Max. lx10-5 (5)
Table VII.8 - Ac:ident Categories for the SGOTTl and SGSTT2 Initiators Event Tree Estimated Recurrence Sequence Accident Category Frequency and Uncertainty SGSTTl SGSTT2 A CSA - No Release .33 (2) .16 (2) i B PT/F without FFLOW 3.3x10-6 (6) 1.6x10-6 (6)
C PT/F without SHRS 7.6x10-7 (4) 6x10-7 (3)
, D ULOP 5x10-8 (7) 2.4x10 (6)
- C ULOHS 3x10-Il (10) 1. 5x'.0 -ll (10 )
F ULOHS 3x10-10 (10) 1.3x10-10 (10) l l
7 i
J l
,_ _ ___ , _ _ ~. _ , , - . . _ _
1 i
l Initiator SGSCON - S/EGS Main Condenser Faults Initiator SGSCON is intended to represent faults within the main condenser and includes circulating water system f ailures, tube ruptures, a loss of vacuum, steam packing exhaustion fail-ures and local loss-of-power situations. The estimated recur-rence frequency for SGSCON is .3 per year. Common cause con-siderations for this event include pressure and temperature transients, debris, and potential common mode failures within both CRBRP feedwater systems. These considerations are expected '
to have almost no affect on the Detection, SCRAM, Pump Trip, or Forced Flow ESS functions. The conditional failure probability for the SHRS function, however, is estimated to increase by a factor of 103 due mainly to the loss of the main condenser as a viable heat sink. The estimated conditional failure proba-bilities for all of the ESS functions due to the SGSCON initia-tor are presented in Table VII.9.
Table VII.9 - Common Cause Relationships for the SGSCON Initiator Estimated Pf and ESS Function Common Cause Consideration (Uncertainly Factor)
DTECT No increase over base case 8x10-10 (10)
SCRAM 27. Max. increase 1.5x10-7 (5)
PTRIP None - Base case 3x10-4 (5)
SHRS Condenser out; SGS loops 1.5x10-5 (2) 3x higher FFLOW None - Base case 5x10-6 (5)
Table VII.9 and the event tree logic f .om Figure .VII.1 are used to compute the estimated recurrence frequencies for acci-
- dont categories resulting f rom a loss of main condenser scenario.
These results are listed in Table VII.10.
i I 4 Table VII.10 - Accident Categories for the
, SGSCON Initiator Event Tree Estima ted Recurrence Sequence Accident Category Frequency and Uncertainty a
e A CSA - No Release .3 (2) e B PT/F without FFLOW l.5x10-6 (6)
C PT/F without SHRS 4.5x10-6 (3)
D ULOF 4.5x10-8 (6)
E ULOHS 1.4x10-ll (10)
F ULOHS 2.4x10-10 (11)
S/EGS Accident Category Summary 4
The eleven CRBRP S/EGS initiators represent more than 40 percent of the total number of challenges per year to the ESS functions. In general, all of these initiators have a neglig-ible common cause ef fect on the detection, SCRAM, pump trip, and forced flow functions and a moderate to high common cause relationship with the SHRS function. Consequently, more of the S/EGS Protected Accident (i.e., SCRAM succeeds) scenarios contribute to the overall accident category picture than do j unprotected scenarios. This is borne out by the fact that almost one third of the unprotected scenarios have an esti-mated recurrence frequency of less than 10-10 pe r -year whereas the least frequent protected scenario is estimated to occur 7x10-9 times per year.
Figure VII.1 represents the event tree logic which was i
used to analyze each of the S/EGS-initiators. The overall e results of the analysis are as follows, o
l l
e
! Total Per Year' Uncer-Recurrence tainty Accident Type gminant Initiators Frequency Factor PT/F without Steam Piping, 8xlO-5 6
' Forced Flow Feedwater l PT/F without Feedwa ter 7x10-5 3 S!!RS ULOF Steam Piping, 5x10-7 6
.i Feedwater i
ULOEIS Steam Piping, 6x10-8 to SG/SH i
i i
S I i i.
i i
o e
VIII. External Events External events are defined as initiators that emanate f rom sources which are outside the CRBRP environment. Typ i-cal external event-type initiators are floods, tornadoes, wind storms, airplane impact, fires, loss of offsite power, and earthquakes. These events all have the potential to
- affect the entire spectrum of ESS response simultaneously.
Consequently, analysis performed to estimate the conditional branch point f ailure probabilities for these initiators is subject to a broader set of common cause relationships and is more detailed than in the previous work. This detail results in a number of potentially dominant accident paths s for external event-type initiators. In this study only two types of external events were considered: loss of offsite power and seismic events. According to the CRBRP Safety Study (Reference 2), these events constitute the major significant contributors to risk when compared to other external initiators and to CRBRP-sys tems initiated acci-dent sequences. These contributions to the generic acci-dent categories for the loss of of fsite power event and seismic scenarios are reported in the following sections.
Loss of Offsite Power Initiator Traditionally, the loss of of fsite power is considered as one of the potentially dominant common cause initiators due to the fact that almost all reactor and heat transfer control devices are electrically driven. While the estimated recur-rence frequency and duration of this type of event varies con-siderably from study to study, the values used for the present analysis are assumed to lie in the .03 to .3 per year range with a median value of .1 per year and with no chance for
, recovery after failure (Reference 2). Common cause relation-ships for the Engineered Safety Systems are assumed to vary directly according to their dependence on emergency diesel or DC power sources as well as the number of components within each system which might conceivably be af fected by an adverse electrical environment. These relationships range from zero e for the detection and pump trip functions to moderate for the SCRAM and forced flow functions and high for the SHRS f unction.
Numerical estimates for the conditional failure probability of the ESS functions due to loss of offsite power are summarized in Table VIII.l.
Here the detection function and the pump trip function are eliminated from further consideration since pump trip is virtu-ally assured in the absence of any backup power supply. This means that the only credible unprotected accident scenario for the loss of of fsite power initiator is a ULOF and that points E
a nd F can be ignored in the event tree of Figure VIII.1 which I
can be used to describe the remaining loss of offsite power accident scenarios.
Table VIII.1 - ESS Common Cause Relationships ,
for Loss of Offsite Power Failure Probability ESS Function Common Cause Considerations and Uncertainty Detection Pf = 0. if pump trip assured O.
SCRAM Unknown; 10 increase in 2.0x10-7 (5) electrical f aults per rod Pump Trip No backup power to pumps 0.
SHRS 30 critical components 1.8x10-4 (2) affected (3-100x)
Forced Flow 3x per pump increase 1.4x10-4 (5)
The SHRS function has at least 30 critical components which can be affected by a loss of offsite power (Refererce 4).- These components include pumps, control valves, f ans, and pony motors within the normal heat train as well as within the DHRS and SGAHRS. The failure probabilities for these components were initially estimated to increase by factors ranging from 3 to 100 in order to sort out the leading terms in the SHRS minimal cut set equation. Sensitivity studies were then performed on these leading terms in order to determine the envelope of SHRS response as a function of the common cause related increase in the failure probabilities of the critical components. The results of these studies are summarized in Table VIII.2.
These studies reveal that while common cause failures other than those due to diesel failure are important, they will not ,
dominate the conditional SHRS failure' probability unless each identified critical component is at least 20 times more likely to ' fail during a loss of of fsite power than under normal condi-
- tions. Since this seems unlikely, the original component esti-mates are assumed to be best estimates and the reported failure probability for the SHRS function is 1.8x10-4
, . . _ - . _ - . , . .~ . .~ -.-
- e e INITIATOR ENGINEERED SAFETV SYSTEM (ESS) RESPOstSES lesTIAT50G ACCIDENT CaTEGOsteES
, REACTOR SMUTDOWN SYSTEM DECAY MEAT REMOV AL DETECTION SCRAM PUMP TIWP SHRS FORCED FLOW I
I I i 1. l l l l l A CSA: NO ret 1 I I i 1 1 I i i i I i 1 ~l : O Pier WeO FoRCEo FLOW: coa PoSS. j i
I ,
I l C PT/F W/0 SHRS: CDA INEVIT.
a 4
D ULOF LOSS OF 3
OFFSITE POWER i : E ULONS*
I i : F ULONS' i
- THESE GRA8eCH POWITS ARE ELRAMATED WHEN PUMP TillP IS ASSURED d
9 Figure VIII.l. Initiating Accident Event Tree for a Loss of Offsite Power.
I 1
N Table VIII.2 - SHRS Response as a Function of Common Cause Relationships Critical Component Pg Increase SHRS Failure Probability 1x 1.08x10-4*
2x 'l.22x10-4 ,
5x 1.5x10-4 10x 2.4x10-4 20x -6.1x10-4 Best Estimate (3x-100x) 1.8x10-4
- Leading term due to diesel failure (Pg 10-4).
t 4
Using the conditional failure probabilities from Table VIII.1 in conjunction with the event tree ~ paths identified in Figure VIII-1, the following generic accident category frequency '
estimates are produced.
Table VIII.3 - Accident Types and Frequencies for the Loss of Offsite Power Initiators Estimated . Uncertainty Accident Type Frequency / Year Factor A. CSA - No Release .1 3 B. PT/F without Forced Flow 1.35x10-5 7 =
C. PT/F without SHRS 1.8x10-5 4 ,
1 D ULOF 2x10-8 7 l
l From Table VIII.3, the path with the highest potential for a Core Disruptive Accident is a Protected Fault without SHRS with an estimated frequency of 1.8x10-5 per year. This path is expected to contribute significantly towards the overall frequency of the PT/F without SHRS generic accident category.
Earthquake Initiators
, Severe earthquakes are of ten considered as the most serious threat to a reactor system and most reactors are designed to with-stand an operating base earthquake (OBE) of at least magnitude 5 on the Richter Scale. Nevertheless, almost any significant earth-quake will affect the conditional failure probability of all of the engineered reactor safety systems to some degree and, there-fo re , represents a potentially dominant common cause accident initiator. Three different earthquake initiators were chosen in order to analyze the CRBR design: (1) the CRBR Operating Base Earthquake (OBE) with an estimated frequency of 1.4x10-3 per year and a ground acceleration of .125 g. This earthquake-measures 5.5 on the Richter Scale and described as " difficult.
to stand" on the Mercali damage index. (2) The CRBR Safe Shut-down Earthquake (SSE) with an estima ted frequency of 1.5 x 10-4 per year and a ground acceleration of .25 g, which is 6.5 on the Richter Scale and described as "dif ficult to drive" on the Mercali index; (3) a greater than Safe Shutdown Earthquake (BFE) with a frequency of 3.4x10-5 per year and a ground acceleration of .4 g which is at least 7 on the Richter Scale and described as " general panic" on the modified Mercali Scale (References 9 and 10). Each of these three earthquake initiators was then arbitrarily subdivided into five separate initiator scenarios:
(1) A reactivity insertion without core damage or loss of pri-mary boundary whose outcomes are the end points of the event tree shown in Figure VIII.2. (2) Reactivity insertion with minor core damage and a loss of primary boundary whose out-comes are the end points of the event tree shown in Figure VIII.3. (3) Reactivity insertion with severe core damage and with primary boundary intact whose outcomes are the end points of the event tree shown in Figure VIII.4. (4) Reactivity inser-tion with severe core damage and the loss of the primary bound-ary whose outcomes are the end points of the event are shown in Figure VIII.S. (5) Unspecified heat transport system failures or loss of offsite power whose outcomes are the end points of the event tree are shown in Figure VIII.6.
Thus, there are 15 individual initiating scenarios which can be evaluated using the event trees shown in Figures VIII.2 to VIII.6. By assuming that the relative incidence of primary boundary rupture and core damage increases with earthquake inten-sity, and by arbitrarily assigning these values, each earthquake initiator can be expressed as the sum of 5 scenario-related initiators. These initiators are summarized in Table VIII.4.
a INITIATOR ENCdNEERED SAFETY SYSTEM (ESS) RESPONSES INITIATR00 ACCIDENT CATEOORIES REACTOR SHUTDOWN SYSTEas DECAY HEAT REMOVAL
'I DETECTION I SCRAM I PUMP TRIP I SMR$ IFORCED FLOWI l l l l
! ! ! ! : A CSA; 000 MEL.
1 I I l l I I g PT/F w/O FORCED FLOW:
1 I l CDA POSS.
l l
l CC PT/F w/O SHRS: CDA INEVIT.
I CD PJ
- D UCF & ULOF, USTEP & ULOF, UTOP/USTEP & ULOF, OR SCENARIO 1 EARTHOUAKE PRIt0ARY SOUNDARY INTACT LITTLE OR NO CORE DAMAGE
- E UCF, USTEP, UTOP/USTEP OR UTOP F UCF, USTEP, UTOP/USTEP, OR UTOP Figure VIII.2. Initiating Accident Event Tree for Scenario 1
, Earthquakes.
i I
Q $
- e e SETlATOR ENGBEERED SAFETY SYSTEM (ESS) RESPONSES perTIATSIG ACCSD87 CATEGORES REACTOR SHt/TDOWN SYSTEM DECAY MEAT REas0 VAL i
I DETECTION I SCRAM I PUMP TIMP I SMRS IFORCED FLOWI I i l l 1
- A CSA: REL. POSS.
I I i 1 I i i
' 1 I I l :S PRPS W/O FORCED FLOW 3 l l CDA POSS.
I I
I C PRPS W/O SMRS: CDA WIEVff.
I cn L.)
rD USTEP & ULW, W & EOF, UTOP/USTEP & ULOF,084 UTOP & ULOF SCEMARIO 2 EARTMOUAKE PRetARY DOUNDARY BREACMED -
DM :E USTEP, UCF, UTOP/USTEP, OR UTOP F USTEP, UCF, UTOP/USTEP, Oft UTOP Figure VIII.3. Initiating Accident Event Tree for Scenario 2 Earthquakes.
L_ _ ___--
1 INITIATOR ENGINEERED SAFETY SYSTEM (ESS) RESPONSES I,ED [ INITIATING ACCIDENT CATEGORIES REACTOR SHUTDOWN SYSTEM DECAY HEAT REMOVAL y
3 DETECTION I SCRAM I - PUteP TRIP I SHRS I FORCED FLOW I I I I I I I I I !
, A DC I I I I
. I i i i i I
, a re DC W/O FORCED FLOW: CDA POSS.
I I
a m
53
- D UTOP/USTEP & ULOF, UCF & ULOF, UTOP & ULOF, OR USTEP & ULOF SCENARIO 3 EARTHOUAKE SEVERE CORE DAMAGE PRib8ARY BOUNDARY INTACT UTOP/USTEP, USTEP, UCF, OR UTOP
- E
- F UTOP/USTEP, USTEP, UCF, OR UTOP 9
l r
Figure VIII.4. Initiating Accident Event Tree for Scenario 3 Earthquakes.
1 0 9
4 4
INITIATOR ENGINEERED SAFETY SYSTEM (ESS) RESPONSES T NT D[ C l
REACTOR SHUTDOWN SYSTEM g DECAY HEAT REtsOVAL g I DETECTION I SCRAM I PuesP TRIP I SHRS IFORCED FLOWI I I I I i
- A DC & PRPG l I I I I I I
I i :C DC & PRPS W/O SHRS:
- i CDA INEVIT.
U1
- D UTOP & ULOF, UCF & ULOF, UTOP/USTEP, OR USTEP & ULOF SCENARIO 4 EARTHOUAKE SEVERE CORE DAMAGE PRitAARY BOUNDARY BREACHED UTOP.UCF,USTEP,
i i Figure VIII.S. Initiating Accident Event Tree for Scenario 4 Earthquakes.
l
INITIATOR ENGINEERED SAFETY SYSTEM (ESS) RESPONSES 8, ED.'INITIATING ACCIDENT CATEGORIES j
g REACTOR SHUTDOWN SYSTEM g DECAY HEAT REMOVAL g i DETECTION ! SCRAM ! PUMP TRIP I SHRS I FORCED FLOW I I l l 1 l
! ! A CSA: NO REL.
I I I I I I l I
f ! :g PT/F W/O FORCED FLOW:
CDA POSS.
I I
l ?C PT/F W/O SHRS: CDA INEVIT.
m m
- o utoF SCENARIO S EARTHOUAKE LOSS OF OFFSITE POWER OR -
UNSPECIFIED HEAT TRANSPORT :E ULONS SYSTEM FAULTS
- F ULOHS Figure VIII 6. Initiating Accident Event Tree for Scenario 5 Earthquakes.
l
- # . O
~.
Table VIII.4 - Earthquake Initiator Frequencies
- Per Year Scenario Scenario Scenario Scenario Scenario 1 2 3 4 5 No PB* PB DC DC Total No DC* No DC No PB PB HTS
- OBE (1.4x10-3) 5.7x10-4 6.3x10-5 6.3x10-5 7x10-6 7xio-4 SSE (1.5x10-4) 3.6x10-5 2.4x10-5 9x10-6 6x10-6 7.5x10-5 BPE (3.4x10-5) 2x10-6 8.2x10-6 1.4x10-6 5.4x10-6 1.7x10-5
- PB = Primary Boundary Failure DC = Damaged Core HTS = Heat Transport Systems Failure Common cause considerations for the engineered safety systems vary for each of the 15 earthquake initiators and are dependent on four main factors: reactivity insertion, flow disturbance, loss of power, and most importantly, ground acceleration. The failure rates for components within each of the ESS functions are assumed to vary linearly with ground acceleration while reactivity and flow disturbances each increase failure rates 10 percent for the OBE, 5 percent for the SSE and only 1 percent for the BFE. Loss of offsite power is assumed to occur 90 percent of the time during a BPE, 50 percent during a SSE, and 10 percent during an OBE. . The results of summing all of these effects for each of the ESS sys-tems and each earthquake initiator is presented in Table VIII.S.
The detection function is assumed to occur in one of two ways: detection due to reactivity transients within the core or detection due to flow and heat transfer perturbations throughout the system. For detection due to reactivity transients, the base failure probability is taken as 4x10-8 per challenge
- 4) and is increased by factors of 30, 500, and 1.5x10{ Referencefor the
. OBE, SSE, and BFE, respectively. When detection is due to flow and heat transfer perturbations, the base failure probability is l 8x10-10 and is increased by factors of 120, 8x10 3, and 7.5x105 for the OBE, SSE, and BPE. The essential difference between the two means of detection lies in the number of protection functions (five for reactivity events and seven for flow / heat transfer) which will sense the anomalous condition. The failure probability for each of these protective functions is assumed to increase linearly with ground acceleration, resulting in the reported factors.
. _ _ _ . . _ ... .- ._ . - . . ._ . . . _ -- . _ . . ..__._..m - - _ _ - _ . _ . - _ _- _ _
4 i
Table VIII.5 - Consolidated Conditional ESS Probabilities and (Uncertainty Factors) I for Earthquake Initiators Scenario 1 Scenario 2 Scenario 3 Scenario 4 Scenario 5 i DTECT 1.2x10-6 .(10) 9x10-8 (10) 1.2x10-6 (10) 9x10-8 (10) 9x10-8 (10)
'l.6x10-4 (4)
SCRAM 2.3x10-4 (4) 1.6x10-4 (4) 2.3x10-4 (4) 1x10-4 (4)
. OBE- PTRIP' 5.4x10-4 (5) 3.6x10-4 (5) 5.4x10-4 (5) 3.6x10-4 (5) 5.4x10-4 (5) d SHRS 1.2x10-3. 6x10-2 1.2x10-3 (1.3) 6x10-2 1.2x10-3'(1.3)
I FFLOW 2.2x10-3 (1.3) (2) 1.7x10-2 (1.2) (2) 2.2x10-3 (2) 1.7x10-2 (1.2) (2) 2.2x10-3 (2)
I I : DTECT 2x10-5 (7) 6.4x10-6 (7) 2x10-5 (7) 6.4x10-6 (7) 6.4x10-6 (7) 2.1x10-3 3-
@l SCRAM (3) 2.6x10 (3)' 2.1x10-3 (3) 2.6x10-3 (3) 1.7x10-3 (3)
! I SSE PTRIP 6x10-4 (5) 4x10-4 (5) 6x10-4 (5) 4x10-4 (5) 6x10-4 (5)
SHRS 2.6x10-2 (1.3) 2.8x10-1 2.6x10-2 (1.3) 2.8x10-1 2.6x10-2.(1.3)
FFLOW 1.8x10-2 (2) -6.8x10-2 (1.2) (2) 1.8x10-2 (2) 6.8x10-2 (1.2) (2) 1.8x10 (2)
) DTECT 6x10-4 (5) 6x10-4 (5) 6x10-4 (5) 6x10-4 (5) 6x10-4 (5)
SCRAM 1.6x10-2 (2) 1.7x10-2 (2) 1.6x10-2 (2) 1.7x10-2 (2) 1.6x10-2 (2) i BFE PTRIP 2x10-4 (5) .l.3x10-4 (5) .2x10-4 (5) 1.3x10-4 (5) 2x10-4 (5)
SHRS 4.2x10-1 (1.3) 9x10-1 4.2x10-1 (1.3) 9x10-1 4.2x10-I (1.3) l FFLOW 1.4x10-1 (2) 2.7x10-1 (1.1) (2) 1.4x10-1 . (2) 2.7x10-1 (1.1) -(2) 1.4x10-1 (2)
I 1
- ' , p . .
I
The scram function conditional failure probability was assumed to increase linearly with ground acceleration on a per rod basis with four rods required to fail for system failure (Reference 4). Reactivity and flow perturbations added 10, 5, or 1 percent to the increase as previously reported. Pump trip and forced flow failure rates also increased with ground accel-
, eration and were further impaired by the loss of one pump for those cases when primary boundary failure was presumed.
. In order to determine the conditional failure probability for the SHRS function, the 90 basic components in that function were grouped into four categories: electrical, stiff mechanical, flexible mechanical, and electro-mechanical. Examples of elec-trical components are isolation and control valves, start signals and batteries. Stiff mechanical components include diesel gener-ators, relief valves, and internal service water fault mechanisms.
Flexible mechanical components are pipes, heat exchangers, and pressure vessels while electro-mechanical components include fans, pumps, and protected air condensers. Failure notes for each of the four groups of components increased linearly with ground acceleration but to different degrees. Electrical components were assumed to be the least fragile component group and were assigned an initial OBE conditional failure probability increase factor of 3. Stiff mechanical components were next in line with an initial OBE increase factor of 6, then come flexible components with an initial increase factor of 12, and finally electro-mechanical components with a factor of 15. These factors are similar to values derived from the CRBR Safety Study analysis which implies an initial OBE component increase factor of approximately 10 and assumes a linear component increase with increasing ground accel-eration (Reference 2).
When the RSS conditional failure pro'o abilities from Table VIII.4 are applied with the initiator frequencies in Table VIII.3 to the event tree shown in Figures VIII.2 to VIII.6, the follow-ing (Tables VIII.6-VIII.10) generic accident category frequency estimates are produced.
As seen from Tables VIII.6-VIII.10, some 90 separate accident paths were considered in the earthquake analysis. These paths contribute to 10 of the 13 generic unprotected accident categories and all 12 generic protected accident categories identified in
. Appendix D. Estimated recurrence initiated accident scenarios frequenciesfrom6x10-1{ortheearthquake per year for an OBE-generated UTOP to 6.3x10 gange per year for a Damaged Core; CDA possible due to an OBE. The majgrity (57 percent) of these scenarios lie in the 10-5 to 10- per year range. It is highly likely that these scenarios will either dominate or at least contribute significantly towards the overall recurrence fre-quency for many of the identified generic accident categories, especially those dealing with either Damaged Cores or Primary Boundary Ruptures.
Table VIII.6 - Accident Category Frequencies Associated with Earthquake Scenario 1 Event Tree Sequence Estimated Frequency
& Accident Category Per Year and (Uncertainty Factor)
- A. CSA - No Release 5.7x10-4 (3) 3.6x10-5 (3) lx 10-6 (3)
B. PT/F without FFlow 1. 25x 10 -6 (4) 6.3x10-7 (4) 1.5x10-7 (4)
C. PT/F without SHRS* 6.6x10-7 (3) 9.4x10-7 (3) 8.5x10-7 . (3)
D. UCF + ULOF* 9x10-8 (6) 7.6x10-8 (5) 3.3x10-8 (4)
E. UCF 5x10-ll (10) 4.5x10-Il (8) 7x10-12 (7)
F. UCF 6.5x10-10 (10) 7.2x10-10 (10) 1.2x10-9 (7)
S
- PT/F = Protected Transient / Fault UCF = Dn protected Core Fault ULOF = Unprotected Loss of Flow Table VIII.7 - Accident Category Frequencies Associated with Earthquake Scenario 2 Event Tree Sequence Estimated Frequency
& Accident Category Per Year and -(Uncertainty Factor)
! A. CSA-R EC . Poss. 6.3x10-5 (3) 2.4x10-5 (3) 8.2x10-7 (3)
B. PRPB without FFlow 1x 10-6 (4) 1.6x10-6 (4) 2.2x10-7 (4) f C. PRPB without SHRS* 3.8x10-6 (3) 6.7x10-6 (3) 8.1x 10-6 (3)
D. USTEP + ULOF* 1. 5x 10-8 (6) 6.2x10-8 (5) 1.4x10-7 (4)
- E. USTEP 5x10-12 (10) 2.5x10-Il (10) 1.8x10-ll (7) i F. USTEP 5x10-12 (13) 1.5x10-10 (10) 4x10-9 (7)
- PRPB = Protected Rupture of the Primary Boundary
- USTEP = Uhprotected Step Insertion
e Table VIII 8 - Accident Category Frequencies Associated with Earthquake Scenario 3 j Event Tree Sequence Estimated Frequency i & Accident Category- Per Year and (Uncertainty Factor) 4
B. DC without FFlow 1.4x10-7 (4) 1.6x10 -7 (4) 1x10-7 (4)
- C. DC without SilRS* 7.2x10-8 (3) 2.3x10-7 (3) 5.8x10-7 (3)
D. UTOP/USTEP + ULOF* 1x10-8 (6) 1.9x10 -8 (5) 2.3x10-8 (4)
E. VIOP/USTEP 5.4x10-12 (10) 1.1x10-11 (8) 4.8x10-12 (7)
F. VIOP/USTEP 7.2x10-II (13) 1.8x10-10 (10) 1.1x10-9 (7)
, *DC = Damaged Core UTOP = Unprotected Transient Overpower
! Table VIII.9 - Accident Category Frequencies Associated l with Earthquake Scenario 4 Event Tree Sequence Estimated Frequency
& Accident Category Per Year and (Uncertainty Factor)
OBE SSE BFE A. DC + PRPB 7x10-6 (3) 6x10-6 (3) 5.4x10 -7 (3) e' B. DC + PRPB without 1.2x10-7 (4) 4x10-7 (4) 1.5x10-7 (4)
- FFlow i
SilRS i D. UTOP + ULOF 1.6x10-9 (6) 1.6x10-8 (5) 9x10-8 (4)
E. UTOP 5.8x10-13 (10)- 6.5x10-12 (8) 1.2x10-II (7)
F. UTOP 6.3x10-13 (13) 3.6x10-II (10) 3.2x10-9 (7)
I i
, , _ . . , , ,, , ,- ., _ . , . . , . . _ _ . , . _ , _ . - , . . . . . ~ _ - , ,, . . , _ , , _ , . _ , , . , - .
Table VIII.10 - Accident Category Frequencies Associated with Earthquake Scenario 5 Event Tree Sequence Estimated Frequency
& Accident Category Per Year and (Uncertainty Factor)
OBE SSE BFE A. CSA - No Release 7x10-4 (3)' 7.5x10-5 (3) 8x10-6 (3) ,
B. FI/F without FFlow 1.5x10-6 (4) 1.3x10-6 (4) 1.2x10-6 (4)
C. PT/F without SHRS 8x10-7 (3) 2x10-6 (3) 7x10-6 (3)
D. ULOF 7x10 -8 (6) 1.3x10-7 (5) 2.8x10 -7 (4)
E. ULOllS 3.8x10-II (10) 7.7x10-II (8) 5.6x10-II (7)
F. ULOIIS 6.3x10-II (13) 4.8x10-10 (10) 1.4x10-8 (7) i 4
1 i
9
IX. Generic Accident Category Summaries Initiators from the Operator System, Reactor System, PHTS, IHTS, S/EGS, and external sources have been identified and anal-yzed in order to produce some 356 potential CRBRP accident paths.
Each of these paths has been identified with one of the 25 generic accident categories described in Appendix B. In order to estimate
. the overall recurrence frequency for each of these accident cate-gories the contributions from all of the initiators are summed together using a Monte Carlo technique which allows for uncer-
- tainty bounds and results in a reported median value which repre-sents the 50 percent confidence level for that particular generic accident category. It should be noted that as with all of the previous analyses, the reported uncertainty bounds represent the 5 and 95 percentile confidence bounds based solely on estimated conponent and initiator frequency uncertainties. Results for each of the 25 generic accident categories will be reported as an individual category within either the Protected or the Unpro-tected Accident Category Class. Protected Accidents are scenar-ios which result when SCRAM is successful and include cold shut-down, damaged core, or other protected transients where either SHBS or forced flow is unavailable. Unprotected Accidents are scenarios where SCRAM is unsuccessful and include transient overpower and loss-of-flow scenarios.
IX.1 Protected Accident Category Summaries Twelve generic accident categories are classified as pro-tected accidents. These are:
- 1. Cold Shutdown with No Release (CSA - No Rel . )
- 2. Cold Shutdown with Release Possible (CSA - Rel.
Poss.)
- 4. Damaged Core without Forced Flow (DC without FFLOW) a
- 5. Damaged Core without SHRS (DC without SHRS) 6.. Damaged Core and Primary Boundary Rupture (DC and PRPB)
- 7. Damaged Core and Primary Boundary Rupture without Forced Flow (DC and PRPB without FFLOW)
- 8. Damaged Core and Primary Boundary Rupture without-SHRS (DC and PRPB without SHRS)
- 9. Primary Boundary Rupture without Forced Flow (PRPB without FFLOW)
- 10. Primary Boundary Rupture without SHRS (PRPB without SHRS)
- 11. Protected Transients or Faults without Forced Flow (PT/F without FFLOW) *
- 12. Protectet Transients or Faults without SHRS (PT/F without SHRS) '
In general these accidents are considered to be more benign in nature than Unprotected Accidents due to the fact that only decay heat power must be accounted for. Estimated recurrence frequencies for these accident categories are therefore some-what higher than those seen for the Unprotected scenarios.
Results for each individual accident category in terms of the total estimated recurrence frequency per year are reported in the following sections. This is followed by a summary table for the Protected Accident category as a whole.
Cold Shutdown with No Release (CSA - No Rel.)
This accident category represents situations where all of the ESS functions have performed as expected and both the primary boundary and the reactor core remain intact. Forty-two initiators lead to this situation and the resulting recurrence frequency represents an approximation of the total expected number of challenges per year to the CRBRP ESS functions. This frequency is broken down into the major CRBRP systems in order-to show how each system contributes to the overall challenge picture. This breakout also shows the relative effect of the Monte Carlo technique that was used to combine the individual results, namely an upward shif t in the median value accompan-ied by a lower uncertainty bound. These results are presented in Table IX.1.
Cold Shutdown with Release Possible (CSA - Rel. Poss.)
Six initiators lead to this accident category which-represents situations where all ESS functions have performed as expected but the integrity of the Primary boundary is in doubt. Results are shown in Table IX.2. Here the total esti-mated recurrence frequency is 2.5x10-4 per year. About half of this is expected to come from initiators with the PHTS and Reactor Systems while the other half is due to earthquake scenarios.
t i
' Table IX.1 - Estimated Recurrence Frequency for the :
CSA - No Rel. Accident Category J
Estimated Recurrence Frequency.Per Year C RBRP Number of Point- Monte' Carlo Percent of- ,
System Initiators Value Value Total Ope ra tor 3 5.5 5.8 (1.7) 39 Reactor 6 .33 .33 (3) 2 1 PHTS 6 .63 .63-(3) 5 IHTS 9 1.48 1.61 (2.2) 11 S/EGS 11 5.95 6.4 (1.4) 42 Other _7 .1 .1 (3) <1 *L
- TOTAL 42 14.0 15.7- (1.3)
Table IX.2 - Estimated Recurrence Frequency - for the CSA - Rel. Poss. Accident Category 4
Event Estima ted '
- Initiator Tree Path Frequency Per Year Percent of Total RCOREB2 A 1x10-5 (10) 5 PHTS2A A 1x10-7 (100) --
PHTS2B A 9x10-5 (10) 48 OBE-B2 A 6.3x10-5 (3) 34 SSE-B2 A 2.4x10-5 (3) 13 BFE-B2 A 8.2x10-7 (3) --
Total 2.5x10-4 (4) l (Median) i i
d
Damaged Core with Possible CDA - (DC : CDA Poss.)
The DC : CDA Poss. accident category has seven initiators which contribute to it. Nearly 60 percent of the total esti-mated recurrence frequency is due to local fault propagation within the reactor core system while the remaining 40 percent j comes from postulated earthquake initiators. The estimated median recurrence frequenc : CDA Poss. acci-dent category is 2.2x10-4.y value forare Results thesummarized DC in Table IX.3.
A Table IX.3 - Estimated Recurrence Frequency for the DC : CDA Poss. Accident Category Event Estimated Initiator Tree Path Frequency Per Year Percent of Total RCOREA1 A 1x10-4 (10) 57 RCOREA2 A 2x10-6 (30) 1 RSUPPB A 5x10-8 (100) __
RCOREB3 A 3x10-6 (10) --
OBE-B3 A 6.3x10-5' (3) 36 SSE-B3 A 9x10-6 (3) 5 BFE-B3 A 1.4x10-6 (3) 1 Total 2.2x10-4 (5.5)
(Median)
Damaged Core without Forced Flow (DC without FFLOW)
Seven initiators lead to the DC without FFLOW accident a category which has an estimated median recurrence frequency of 5x10-7 per year. Three of these initiators deal with earthquake
- scenarios and three others deal with faults within the reactor core. As seen by Table IX.4, the earthquake initiators totally dominate the overall accident category frequency with the reac-tor core initiators being almost three order of magnitude less likely to occur in any given year.
Table IX.4 - Estimated Recurrence Frequency for the DC without FFLOW Accident Category Event Estima ted Initiator Tree Path Frequency Per Year Percent of Total ROOREAl B 5x10-10 (18) --
RCOREA2 B 1x10-ll (50) --
RCOREB3 B 1.5x10-ll (20) --
RSUPPB B 2x10-9 (125) --
OBE-B3 B 1.4x10-7 (4) 35 SSE-B3 B 1.6x10-7 (4) 40 BFE-B3 B lx10-7 (4) 25 1
Total 4.9x10-7 (2.4)
(Median)
Damaged Core without SHRS - (DC without SHRS)
The same seven initiators contribute to the DC without SHRS accident category as to the DC-without FFLOW accident category.
As before the three earthquake initiators dominate the overall estimated recurrence frequency b many orders of magnitude. This frequency is reported at 9.6x10- per year and is slightly higher than that reported for the DC without FFLOW accident category ,
which implies that the earthquake scenarios have the potential I to affect the SHRS function to a greater degree than they do the Forced Flow f unction. Table IX.5 summarizes the results for the DC without SHRS accident category.
i Damaged Core and Primary Boundary Rupture (DC and PRPB)
Six initiators contribute to the DC and PRPB accident category. Three of these are postulated earthquake scenarios while the remaining three are due to local core radial motion, core support failure, and rupture of the primary boundary.
The three earthquake initiators form 96 percent of the esti-mated total median recurrence frequency of 1.8x10-5 per year.
Results for the DC and PRPB accident category are reported in Table IX.6.
Table IX.5 - Estimated Recurrence Frequency for the DC without SHRS Accident Category Event Estimated Initiator Tree Path Frequency Per Year Percent of Total RCOREA1 C 2.4x10-12 (18) --
- RCOREA2 C 5x10-14 (45) --
RCOREB3 C 2x10-13 (20) --
RSUPPB C 2x10-9 (140) --
OBE-B3 C 7.2x10-8 (3) 8 SSE-B3 C 2.3x10-7 (3) 26 BFE-B3 C 5.8x10-7 (3) 66 Total 9.6x10-7 (2.3)
(Median)
Ta)le IX.6 - Estimated Recurrence Frequency for the DC and PRPB Accident Category Event Estimated Initiator Tree Path Frequency Per Year Percent of Total RCOREB4 A 6x10-7 (10) 4 RSUPPA A 2x10-9 (100) --
PHTSlA A 1x10-7 (100) 1 OBE A 7x10-6 (3) 50 SSE A 6x10-6 (3) 43 BFE A 5.4x10-7 (3) 4 Total 1.8x10-5 (2.5)
(Median)
Damaged Core and Primary Boundary Rupture without Forced Flow ( DC and PRPB without FFLOW)
Six initiators' lead to the DC and PRPB without FFLOW acci-dent category which has an overall median recurrence frequency of approximately 8x10-7 per year. .One of these deals with core support failure, one with local radial motion within the core, one with catastrophic failure of the PHTS, and the final three with earthquake scenarios. The three earthquake initiators are
, by far the most significant contributors toward the overall DC and PRPB without FFLOW recurrence frequency as seen by Table IX.7.
Table IX.7 - Estimated Recurrence Frequency for the DC and PRPB without FFLOW Accident Category Event Estimated Initiator Tree Path Frequency Per Year Percent of Total RSUPPA B 1x10-9 (130) --
RCOREB4 B 1.8x10-10 (15) --
PHTSlA B 4x10-12'(150) --
OBE-B4 B 1.2x10-7 (4) 18 SSE-B4 B 4x10-7 (4) 60 BFE-B4 B 1.5x10-7 (4) 22 Total 7.9x10-7 (2.6)
(Median)
Damaged Core and Primary Boundary Rupture without SHRS (DC and PRPB without SHRS)
, The IX: and PRPB without SHRS accident category has an over-all estimated recurrence frequency of-8x10-6 per year. The bulk of this frequency comes from three earthquake scenarios which deal with situations where the reactor core is damaged, the SHRS function is out, and the primary boundary is no longer intact due to ground acceleration. These accident paths are poten-tially two to three orders of magnitude more likely than those due to Reactor System or PHTS faults as seen in Table IX.8.
l Table IX.8 - Estim,tted Recurrence Frequency for the .
DC and PRPB without SHRS Acciden' Category Event Estinated Initiator Tree Path frequency Per Year Percent of Total RCOREB4 C 3.5x10-9 (15) --
RSUPPA C 1x10-9 (130) --
PHTS1A C 5x10-lO (130) ,
OBE-B4 C 4.2x10-7 ( 3 )- _
6 SSE-B4 C 1.7x10-6 (3) '
' 23
-x 5.3x10-6 BFE-B4 C (3p 71 ,
~
Total 8x10-6 (2.3), '
(Median)
=
l Primary Boundary Rupture without Forced Flow (PRPB without FFLOW) .,
~
Six initiators lead to the PRPB without FFLOW accident cate-gory. Three of these represent earthquako s,c e,n a r i o s , two more represent PHTS piping f ailures, and the last or.e^ represents local radial motion within the reactor core. .Together they form an estima ted recurrence frequency of'3.6x10-Cf per year with 97 per-
- cent of that total coming from.the three e_arthquake initiators.
1 Overall results for the PRPB without ; FFLGW , accident ea'tegory" are shown in Table IX.9. j i
- r(
Primary Boundary Rupture without SHRS (PRPB vithout SHRS)
) \,
O The six initiators which mad $ up the contribution to the PRPB ,
without FFLOW accident category al'so make up the total" con _tribu-tion to the PRPB without SHRS accident' category. Onco',again the ,e three earthquake initiators domina,te the overall accident category -. .;
frequency with the remaining initiators being almost two orders of /
magnitude less likely to occur in any given year. The estimated median recurrence frequency for the PRPB without SHRS. accident category is 2.1x10-5 per year as seen in Table IX.10.
-100-
. - - - . . a , e + ~ + - -. 7F, -
m.w, - ..p. , - - --y*
Table IX.9 - Estimated Recurrence Frequency for the PRPB without FFLOW Accident Category Event Estimated Initiator Tree Path Frequency Per Year Percent of Total RCOREB2 B 4x10-10 (15) --
PHTS2A B 1x10-10 (125) --
PHTS2B B 9x10-8 (15) 3 OBE-B2 B 1x10-6 (4) 34 SSE-B2 B 1.6x10-6 (4) 55 BPE-D2 B 2.2x10-7 (4) 8 Total 3.6x10-6 (2.6)
(Median)
Table IX.10 - Estimated Recurrence Frequency for the PRPB without SHRS Accident Category Event Estinated Initiator Tree Path Frequency Per Year Percent of Total RCOREB2 C 6.5x10-9 (15) --
PHTS2A C 6x10-10 (125) --
PHTS2B C 2x10-7 (10) 1 OBE-B2 C 3.8x10-6 (3) 20 SSE-B2 C 6.7x10-6 (3) 35 BFE-B2 C 8.1x10-6 (3) 43 Total 2.1x10-5 (2)
(fledian)
-101-
Protected Transients or Faults without Forced Flow (PT/F without FFLOW)
Forty-two initiators contribute to the PT/F without FFLOW accident category which has an estimated overall recurrence fre-quency of 5.?x10-4 per year. All of these initiators follow event tree path B which combines the initiator frequency with ,
the estimated Forced Flow function conditional failure proba-
- bility to obtain the individual recurrence frequency contribu-tion. No one set of initiators can be singled out as being .
d omi na nt. Within a CRBRP Systems context, the PHTS represents 34 percent of the total recurrence frequency as compared to 23 percent for the Operator System, 20 percent for the S/EGS, 13 percent for the IHTS, 4 percent for the Reactor System, and 6 percent for external events such as loss of of fsite power and i earthquake scenarios. Totals for the PT/F without FFLOW acci-dant category are shown in Table IX.ll.
Protected Transients or Faults without SHRS (PT/F without SHRS)
The estimated median recurrence frequency for the PT/F without SHRS accident category is 2x10-4 per year. All of the forty-two initiators which contribute to this accident category follow event tree path C. This path combines the initiator fre-quency with the estimated SHRS conditional failure probability to compute each individual recurrence frequency contribution.
Initiators from three of the CRPRP Systems (Reactor, Operator, and PHTS) contribute less than 1 percent towards the overall PT/F without SHRS recurrence frequency. External events repre-
- sented by loss of of fsite power and earthquake scenarios con-tribute 19 percent toward the total while the IHTS and S/EGS contribute 38 percent and 42 percent, respectively. These results are summarized in Table IX.12.
Protected Accident Category Summary The twelve Protected Accident Categories can be grouped
- into three basic sets. The first set encompasses those situa-tions where a Core Disruptive Accident (CDA) is predicted to be inevitable due to a loss of SHRS capability. This protected ,
accident grouping includes the DC without SHRS, DC and PB with-out SHRS, PB without SHRS and PT/F without SHRS accident cate-gories and has an estimated total recurrence frequency of 2.4x10-4 per year. The second set includes situations where a CDA is deemed possible but not inevitable due to the loss i of forced flow in the primary loop. This grouping contains the DC without FFLOW, DC and PB without FFLOW, PB without FFLOW and PT/F without FFLOW accident categories which have
-102-
l Table IX.11 - Estimated Recurrence Frequency for the PT/F without FFLOW Accident Category i Estima ted Percent Estimated Percent Recurrence of Recurrence of Initiator Frequency Total Initiator Frequency Total 4,
OPERR1 1.5x10-5 (6) 5 PHTS3A 3x10-5 (5) 9 OPERR2 5.4x10-5 (6) 17 PRTS3B 2.8x10-5 (5) 9 OPERR3 2. 5x 10 -6 (7) .5 PHTS3C 5x10-5 (4) 16 PHTS4 1.3x10-9 (18) --
I ROONI 1.2x10-5 (5) 4 PHTS5 4x10-10 (20) --
ROON2 4x10-ll (15) -- PHTSG 9x10-9 (10) --
l R00N3 1. 2x 10 -6 (5) .5 ROON4 1. 2x 10-l l (15) --
IHTS1A 3x10-ll (16) --
RODREB1 1.5x10-10 (20) -- IHTS1B 3x10-8 (16) --
RSUPPC 4x 10-9 (15) -- IHTS2A 9x10-6 (6) 3 I IHTS2B 2x10-6 (7) .5 SGS-DRUM 4.5x10-6 (6) 1 IHTS2C 6x10-6 (7) 2 SGS-PIPE 7.5x10-7 (6) -- IHTS3A 1.2x10-5 (7) 4 SGS-VALVE 2x10-5 (6) 6 IHTS32 2.4x10-6 (7) .5 SGS-EVP 1.4x10-5 (6) 4 INTS3C 1.2x10-5 (7) 4 SGS-FW1 6x10-6 (6) 2 IHTS4 1x10-10 (20) --
SGS-FW2 5x10-8 (7) __
SGS-FW3 1.5x10-5 (6) 5 'IDSITE 1. 4x 10-5 -(7) 4 SGS-FW4 5x 10-6 (6) 2 OBE-B 1 1.3x10-6 (4) .5
, SGS-TT1 3.3x10-6 (6) 1 SSE-B1 6.3x10-7 (4) --
1.5x10-7 SGS-TT2 1.6x10-6 (6) .5 BFE-B1 (4) --
1 SGS-COND 1.5x10-6 (6) .5 OBE-HTS 1.5x10-6 (4) .5 SSE-HTS 1.3x10-6 (4) .5 BFE-HTS 1.2x10-6 (4) .5 TOTAL (MEDIAN) = 5.2x10-4 (1.9)
TOTAL (POINT) = 3.2x10-4
's i e i
1 4
Y
-103- i
J Table IX.12 - Estimated Recurrence Freguency for the PT/F without SHRS Accident Category Estima ted Percent Estima ted Pe rcent Recurrence of Recurrence of Initiator Frequency Total Initiator Frequency Total *
- PHTS3A 1.2x10-8 (7) --
OPERR1 5x10-8 (6) --
PHTS3B 6x10-10 (7) --
OPERR2 1.4x10-7 (5) --
- PHTS3C 4x10-10 (7) --
OPERR3 1. 5x 10-6 (6) 1 PHTS4 5x10-13 ( 18) --
PHTS5 3x10-13 (18) --
SGS-DRUM 7x 10-8 (6) --
PHTS6 5x10~9 (9) --
SGS-PIPE 7x10-9 (6) --
. SGS-VALVE 2x 10-7 (6) --
RCON1 9x10~9 (7) --
SGS-EVP 4.5x1 F7 (6) --
RCON2 6x10-14 (20) --
SGS-FW1 9x 10-6 (2) 6 RCON3 9x10-10 (7) --
SGS-FW2 8x10-8 (4) __
RCON4 2x10-14 (20) -- SGS-FW3 4.5x10-5 (3) 28 RCOREB1 9x10-13 (18) --
SGS-FW4 7. 5x 10 -6 (3) 5 RSUPPC 4x10-12 (20) --
SGS-TT1 7.6x10-7 (4) .5 SGS-TT2 6x10-7 '(3) --
IHTSIA 8x10-15 (15) --
SGS-COND 4. 5x 10 -6 (3) 3 IHTS1B 6x10-12 ( 15) --
IHTS2A 4x10-8 (6) --
LOSITE- 1.8x10-5 (4) 11 !
IHTS23 2x10-8 (6) --
OBE-B1 6.6x10-7 (3) -- !
! IHTS2C 2x10-5 (4) 13 SSE-B1 9.4x10-7 (3) .5 I
IHTS3A 5.6x10-8 (6) --
BFE-B1 8.5x10-7 (3) .5 IHTS3B 2. 4x 10-8 (6) --
OBE-HTS 8x10-7 (3) .5 IHTS 3C 4x10-5 (4) 25 SSE-HTS 2x 10-6 (3) 1 IHTS4 7x10-13 (15) ---
BFE-HTS 7x10-6 (3) 4 TOTAL (MEDIAN VALUE) = 2.0x10~4 (1.8) l TOTAL (POINT VALUE) = 1.6x10-4 4
4 -104-
.- - =- . _ .. __ = _ = _ _ _ - - - - .
il
! a cambined median value of 5.2x10-4 occurrences per year. The third Protected Accident set combines accident categories which can possibly lead to a CDA situation due solely to the accident initiator itself. This grouping includes the DC, DC and PB, and CSA - Rel. Poss. accident categories and has an estimated total recurrence frequency of 6.7x10-4 per year.
The CSA - No Release category represents slightly off-normal conditions within the CRBRP which should be of little or
. no consequence in terms of overall risk to either the plant or the public. This category is therefore ignored .in the computa-tion of the overall Protected Accident Category recurrence fre-quency estimate which has a median value of 1.42x10-3 occurrences i per year. This total represents the number of protected acci-
, dents which might be expected to occur in any given year within i' CRBRP and which might also be expected to lead to CDA or radio-active release conditions.
A summary of the Protected Accident Category Class as a whole is shown in Table IX.13. This table also breaks out each accident category in terms of its external event contributions.
These contributions, due to earthquakes and loss of of fsite power, figure significantly in almost all of the protected accident categories and totally dominate many of them.
[
]
9 4
-105-
4 Table IX.13 - Protected Accident Category Sumnary
. Estimated External Percent Recurrence Event of Accident Category- Frequency Percentage Total ,
IX: without SHRS 9.6x10-7 (2.3) 100 .1
SHRS PRPB without SHRS 2.1x10-5 (2) 100 2 PT/F without SHRS 2.0x10-4 (1.8) 13 18 Subtotal (CDA-INEVIT) 2. 4 x10 -4 (1.7) i j DC without FFLOW 4.9x10-7 (2.4) 100 .1
. DC and PRPB 7. 9 x10 -7 (2.6) 100 .1 I
without FFLOW PRPB wi thout FFLOW 3.6x10-6 (2.6) 97 .5 i
PT/F without FFLOW 5.2x10-4 (1.9) 6 36 Subtotal (CDA Poss.) 5.2x10-4 (1.9)
DC : CDA Poss. 2.2x10-4 (5.5) 42 19 DC and PRPB 1.8x10-5 (2.5) 97 1.5 CSA - Rel. Poss. 2.5x10-4 (3.9) '47 21 Subtotal (CDA Poss.) 5. 7x10 ( 3.1 )
TOTAL = 1. 42x10-3 (1,9) 4 5
i J
i
-106-4
-- , , , , - ~ - , . - - . . , - - - - - , . + . , . . . , - - . . - . . -
< - - y , - . . - - - , - . - , - , - _ - . . ~ . . , - - , . _ . - . . . . . . ,
b l
IX.2 Unprotected Accident Category Summaries 1
Thirteen accident categories are classified as being unpro-l tected accidents. These are:
i
- 1. Unprotected Loss of Flow (ULOF)
- 2. Unprotected Loss of Flow in Two Pumps (ULOF -
2 Pumps)
- 3. Unprotected Transient Overpower (UTOP)
- 4. Unprotected Step Reactivity Insertion (USTEP)
- 5. Unprotected Transient overpower or Step Insertion (UTOP/USTEP)
- 6. Unprotected Rupture of the Primary Boundary (URPB) f 7. Unprotected Core Fault (UCF)
- 8. Unprotected Loss of Heat Sink (ULOHS)
- 9. Unprotected Step Insertion With Loss of Flow (USTEP and ULOF)
- 10. Unprotected Transient Overpower With Loss of Flow (UTOP and ULOF)
- 11. Unprotected Transient Overpower or Step Insertion With Loss of Flow (UTOP/USTEP and ULOF)
- 12. Unprotected Rupture of the Primary Boundary and Loss of Flow (URPB and ULOF)
- 13. Unprotected Core Fault and Loss of Flow (UCF and 4 ULOF) 1 Generally these accidents, which are described in more
] e detail in Appendix B, are considered to be more severe than l Protected Accident scenarios due to the fact that the reactor is still operating at or near the full power level and has the potential to be driven into a . supercritical configuration, Esti-mated recurrence frequencies for these accident categories are therefore expected to be several orders of magnitude lower than those reported for the Protected Accident scenarios. Results for each individual Unprotected Accident Category in terms of the total estimated recurrence frequency per year are reported in the following sections. This is followed by a summary table :
for the Unprotected Accident Category as a whole.
-107-
Unprotected Loss of Flow (ULOF)
Thirty initiators lead to the ULOF accident category which has an estimated median recurrence frequency of 3.8x10-6 per year.
Each of the thirty initiators contributes to the CRBRP ULOF fre-quency via event tree path D (initiator and SCRAM f ailure) . In addition, the PHTS3A and PHTS3C initiators which represent PHTS pump faults contribute to the overall recurrence frequency via event tree path E (initiator plus SCRAM and pump trip failure) and event tree path F (initiator plus detection failure). No
- single initiator or group of initiators dominates the median frequency. Initiators from the Operator System represent 16 percent of the total frequency with the Reactor and PHTS initi-ators supplying 10 percent, IHTS initiators adding another 10 percent, the S/EGS contributing 42 percent, and external events representing 23 percent. Overall results for ULOF accident category are reported in Table IX.14.
Table IX.14 - Estimated Recurrence Frequency for the ULOF Accident Category Estimated Percent Estimated Percent Recurrence of ,
Recurrence of Initiator Frequency Total Initiator Frequency Total OPERR1 2x10-7 (12) 9 RCOREA1 1x10-10 (20) --
OPERR2 1x10-7 (12) 5 PHTS3A/D* 2x10-7 (7) 9 OPERR3 3.5x10-8 ( 15 )- 2 PHTS3A/E* 8x10-11 (12) --
PHTS3A/F* 1x10-9 (13) --
PHTS3B/D 1.4x10-8 (7) .5 IIITS 1 A 2x10-14 ( 18) --
PHTS3C/D* 1x10-8 (7) .5 IllTS 1B 1x10-11 ( 18) --
l IHTS2A 9x10-8 (7) 4 Pi!TS3C/F* 8x10-12 (13) --
I IIITS2B 3x10-9 (7) --
IHTS2C 2x10-9 (7) --
SGS-DRUM 4.5x10-8 (7) 2 l IHTS3A 1.2x10-7 (7) 6 SGS-PIPE 7.5x10-9 (8) --
l IllTS3B 4.5x10-9 (7) --
SGS-VALVE 2x10-7 (6) 9 IHTS3C 3x10-9 (7) --
SGS-EVP 1.8x10-7 (6) 8 IHTS4 2x 10-12 (20) --
SGS-FW1 9x10-8 (6) 4 SGS-FW2 8x10-10 (8) -- '
LOSITE 2x10-8 (7) 1 SGS-FW3 2x10-7 (6) 9 OBE-HTS 7x10-8 (6) 3 SGS-FW4 7.5x10-8 (6) 3 SSE-HTS 1.3x10-7 (5) 6 SGS-TT1 5x10-8 (7) 2 BFE-HTS 2.8x10-7 (4) 13 SGS-TT2 2.4x10-8 (6) 1 SGS-COND 4.5x10-8 (6) 2 TOTAL = 3.8x104 (2.1)
- Contribution due to event tree paths D, E, and F
- 108-
Unprotected Loss of Flow in Two Pumps (ULOF - 2 Pumps) t The ULOF - 2 Pumps Accident Category represents a.special i case of the ULOF category where total primary flow is initially reduced by only 60 percent instead of 100 percent. Only one 1
initiator contributes to this accident category: PHTS3B (pump failure in two primary pumps). This initiator contributes to 1
- the overall ULOF - 2 Pumps Accident Category via event tree paths D, E, and F,- of which only path D is significant. The median recurrence frequency for the ULOF - 2 Pumps Accident Category is 1.4x10-8 per year and would represent only .6 per-cent of the overall ULOF frequency if it were included in that accident category total. Results for the ULOF - 2 Pumps Acci-dont Category are reported in Table V.6 and are not repeated here.
Unprotected Transient Overpower (UTOP)
Event tree paths from eight initiators lead to the UTOP accident category which has an estimated median recurrence fre--
quency of 1.8x10-6 per year. Three of these initiators come from earthquake scenarios while the remaining eight come from the CRBRP Reactor System. Each initiator contributes to the.
overall UTOP frequency via the E (initiator plus pump. trip and SCRAM failure) and F (initiator plus detection failure) event tree paths. Results for the UTOP category are shown' in Table IX.15 which indicates that nearly 99 percent of the expected UTOP frequency comes from low speed reactor control rod with-
- drawal faults.
Unprotected Step-Insertions (USTEP) i The USTEP category has an overall estimated recurrence f requency of 5x10-9 per year.
The bulk of this frequency comes from two earthquake scenarios which deal with situations where l the reactor core is damaged and the detection function is dis-abled due to ground acceleration. Other potential initiators are reactor core faults and core support structure failures.
USTEP category results are shown_in Table IX.16.
Unprotected Transient Overpower or Step-Insertion (UTOP/USTEP) i The UTOP/USTEP Accident Category represents reactivity insertion situations more severe than the USTEP category but less severe than the UTOP category. This accident category has a median recurrence frequency of 2.6x10-9 Nine initiators con-tribute to the UTOP/USTEP frequency. Dominant among these are r the earthquake scenarios which make up nore than 95 percent of the total. Overall results are shown in Table IX.17. ,
l -109-i
, . _ . . _ , . .- _, . , _ _ , ,,, - _ ,_.._., . .-, -~.-m .,
Table IX.15 - Estimated Recurrence Frequency for the UTOP Accident Category-Event Estimated Initiator Tree Path Recurrence Frequency Percent of Total
~'
RCOREB4 E 1x10-10 (15) --
RCOREB4 F 4x10-12 (30) ---
^
RCON1 E 5x10-9 (12) --
RCON1 F -1.2x10-6 (7) 86 RCON2 E 6x10-14 (30) -- ' i RCON2 F 4x10-12 (30) -- l RCON3 E 6x10-8 (12) 4 l RCON3 F 1.2x10-7 (12) 9 RCON4 E 1x10-12 10) __
RCON4 F lx10-12 ((30) --
OBE-B4 E 6x10-13-(10) --
OBE-B4 F 6x10-13 --
SSE-B4 E 7x10-12 (13)
(8) --
SSE-B4 F 4x10-ll (10) --
BFE-B4 E 1x10-ll (7) --
BPE-B4 F 3x10-9 (7) ---
TOTAL = 1.-8x10-6 (6)
Table IX.16 - Estimated Recurrence . Frequency for the USTEP Accident Category Event Estimated Initiator Tree Path Recurrence Frequency- Percent of Total
! RCOREB2 E' 1x10-13 (20) --
! RCOREB2 F 4x10-Il (28) 1
( RSUPPC E 5x10-ll 1
- RSUPPC F 4x10-12 (30)
(20) --
OBE-B2 E 5x10-12 (10) __.
OBE-B2 F 5x10-12-(13) --
i SSE-B2 E 3x10-ll (8) 1
- SSE-B2 F 1.5x10-10 (10) 3 r BFE-B2 E 2x10-ll (7) --
l BFE-B2 F 4x10-9 (7) 94 TOTAL = 5x10-9 (6)
! -110-t.
Table IX.17 - Estimated Recurrence Frequency for the UTOP/USTEP Accident Category Event Estimated Initiator Tree Path Recurrence Frequency Percent of Total RCOREB3 E 6x10-13 (30) --
RCOREB3 P 8x10-12 (30) --
RSUPPA E lx10-ll (130) 1 RSUPPA F 4x10-14 200) --
RSUPPB E 2x10-ll ((150) 1 RSUPPB F 4x10-13 (200) --
PHTS4 E 3x10-14 (30) --
PHTS5 E 6x10-15 (30) --
PHTS6 E 8x10-14 (15) --
OBE-B3 E 5x10-12 (10) __
OBE-B3 F 7.2x10-ll (13) 5 SSE-B3 E 1x10-ll (8) 1 SSE-B3 F 2x10-10 (10) 13 BFE-B3 E 5x10-12 (7) __
BPE-B3 F l.1x10-9 (7) 78 TOTAL = 2. 6x10-9 (6)
Unprotected Rupture of the Primary Boundary (UPRB)
Three PHTS initiators lead to UPRB-type accidents. These initiators deal with catastrophic reactor vessel f ailure as well as PHTS piping faults. The overall frequency for the UPRB Acci-dent Category is estinated at 4x10-13 per year. This extremely low frequency is dominated by the PHTS 2B initiator which deals with very large PHTS piping leaks. Results are shown in Table IX.18.
Unprotected Core Faults (UCF)
The UCF Accident Category is made up of 13 event tree sequences which derive from eight dif ferent initiators. The estimated median frequency for the UCF accident category is 5x10-9 per year, 93 percent of which stems from those three initiators dealing with earthquakes. Table IX.19 lists the UCF results by initiator and event tree path.
-111-
Table IX.18 - Estimated Recurrence Frequency for the URPB Accident Category !
. Event Estimated Initiator Tree Path Recurrence Frequency Percent of Total
{
PilTS1 E 3x10-15 (200) -2
- i PHTS1 F 8x10-17 (180) --
PIITS2A E 3x10-16 (220) --
PilTS2A F 8x10-17 (183) --
PHTS2B E 4x10-14 (30) 21 PliTS2B F 1.5x10-13 (30) 78 TOTAL = 4x10-13 (20)
Table IX.19 - Estimated Recurrence Frequency for 4 the UCP Accident Category Event Estimated Initiator Tree Path Recurrence Frequency Percent of Total RCOREA2 E 3x10-15 (70) __
RCORE;2 P 8x10-12 (35) --
RCOREB1 E 5x10-14 (30) --
RCOREB1 P lx10-10 (30) 4 l P11TS4 F 4x10-13 (30) --
PHTS5 F 4x10-13 30) --
PIITS6 F 7 x10-ll (( 17 ) 3 OBE-B1 E 5x10-ll (10) 2 OBE-B1 F 6.5x10-10~ 23 SSE-B1 E 4.5x10-ll (13)(8) 2 SSE-B1 F 7.2x10-10 (10) 25 =
BFE-B1 E 7x10-12 (7) __.
BFE-Bl' F 1.2x10-9 (7) 42 .
TOTAL = 5x10-9 (4)
-112-
Unprotected Loss of !! eat Sink (ULOHS)
Forty-six event tree sequences contribute to the CRBRP ULOHS Accident Category via 23 separate initiators. Nine of those ini-tiators come from the IllTS, eleven come f rom the S/EGS, and three are classified as external events in the form of earthquakes.
Each of these initiators contribute to the estimated median ULOHS
- recurrence frequency of 5.2x10-7 by way of event tree paths E and P. Nearly 90 percent of the total. ULOIIS frequency comes from three S/EGS initiators with an additional 7 percent coming from IllTS ini-tiators and 5 percent coming from the earthquake scenarios. A sun-mary of the ULOliS Accident Category totals is given in Table IX.20.
Table Ix.20 - Estimated Recurrence Frequency for the ULOlis Accident Category Estimated Percent Estimated Percent Recurrence of Recurrence of Initiator Frequency Total Initiator Frequency Total IIITS 1 A/E* 5x10-18 (30) --
SGS-DRUM /E 1x10-11 (10) --
IllTS 1 A/F* 6x10-14 (30) --
SGS-DRUM /F 4x10-8 (11) 13 IllTS 1B/E 4x10-15 (30) --
SGS-PIPE /E 2x10-12 (10) --
IllTS 1B/F 5x10-12 (30) --
SGS-PIPE /F 6x10-9 (16) 2 IllTS2A/E 3x10-1I ( 12) --
SGS-VALVE /E 6x10-11 (10) --
IllTS2A/F 2x10-8 (13) 7 SGS-VALVE /F 1.6x10-7 (11) 53 IllTS2B/E 9x10-13 ( 11) --
SGS-EVP/E 1x10-10 (10)
IIITS2B/F 2x10-1I (13) --
SGS-EVP/F 6x10-8 (jo) '. 2 0-IIITS20/E 5x10-13 ( 11) --
SGS-FW1/E 3x10-11 (10) --
IHTS2C/F 8x10-12 (13) --
SGS-FW1/F 5x10-10 (10) .1 IllTS3A/E 4x10-1I (12) --
SGS-FW2/E 2x10-13 (jo) __
IIITS3A/F 1.2x10-9 (13) .5 SGS-FW2/F 4x10-12 (10) --
IIITS3B/E 1x10-12 ( 12) --
SGS-FW3/E 7x10-11 (10) --
IIITS3B/F 2.4x10-11 (13) --
SGS-FW3/F 1x10-9 (10) .5 IllTS3C/E 9x10-13 (12) --
SGS-FW4/E 2x10-11 (10) --
IliTS3C/F 2x10-II ( 13) --
SGS-FW4/F 4x10-10 (10) .1 IIITS4/E 5x10-16 (30) --
SGS-TT1/E 3x10-11 (10)
IIITS4/F 2x10-12 (30) --
SGS-TT1/F 3x10-10 (10) .1
- SGS-TT2/E 2x10-11 (10) --
OBE-lits /E 4x10-11 ( 10) --
SGS-TT2/F 1x10-10 (jo) __
OBE-flTS/F 6x10-1I (13) --
SGS-COND/E 1x10-11 (10) --
SSE-IITS/E 8x10-11 (8) --
SGS-COND/F 2x10-10 (jj) ,1 SSE-flTS/F 5x10-10 (10) .1 BPE-flTS/E 6x10-11 (7) --
BFE-IITS/F 1.4x10-8 (7) 5 TOTAL = 5.2x10-7 (4)
- Contribution from Event Tree Path E or F
-113-
, Unprotected Step-Insertion and Loss of Flow (USTEP and ULOF)
.; Five initiators lead to the USTEP and ULOF Accident Category.
- which 'has an estimated median frequency of 4x10-7 per year.
Roughly 75 percent of this accident category frequency comes fron earthquake initiators with the remaining 25 percent coming f rom faults within the CRBRP Reactor System. Results for the USTEP and ULOF-type accident are summarized in Table IX.21.
Table IX.21 - Estimated Recurrence Frequency for the USTEP and ULOF Accident Category .
Event Estimated Initiator Tree Path Recurrence Frequency Percent of Total RCOREB2 D 5x10-10 (20) --
RSUPPC D 7x10-8 (15) 24 OBE-B2 D 1.5x10-8 (6) 5 SSE-B2 D 6.2x10-8 (5) 21 BPE-B2 D 1.4x10-7 (4) 48 I TOTAL = 4x10-7 ( 3. 5 )
Unprotected Transient Overpower and Loss of Flow (UTOP and ULOF)
I The estimated recurrence frequency for the UTOP and ULOF Accident Category is 2.5x10-6 per year based on contributions f rom eight separate initiators. Five of these initiators are from the CRBRP Reactor System and the remaining three.are external . events due to earthquakes. The Reactor System ini-tiators dominate the UTOP and ULOF Accident Category with more than 90 percent of the median recurrence frequency coming from low speed control rod withdrawal faults and local core motion faults. Table IX.22 lists the overall results for the UTOP and ULOF Accident Category.
Unprotected Transient Overpower or Step-Insertion with *'
Loss of Flow (UTOP/USTEP and ULOF)
Nine initiators contribute to the UTOP/USTEP and ULOF-Accident Category which has an estimated median recurrence fre-quency of 2.2x10-7 per year. Approximately half of that total is due' to CRBRP Reactor System initiators with the other half coming from earthquake initiators. Three PHTS initiators also contribute to the total but at a much lower level. UTOP/USTEP and ULOF overall results are summarized in Table IX.23.
-114-
- __ _ _ -- _ _ _ _ - _ ~ _ - -
Table IX.22 - Estimated Recurrence Frequency for the UTOP and ULOF Accident Categ; y a
Event Estima ted Initiator Tree Path Recurrence Frequency Percent of Total
< RCOREB4 D 4x10-7 (12) 22 RCON1 D 3x10-7 (7) 17
. RCON2 D lx10-ll (20) --
RCON3 D lx10-6 (7) 55 RCON4 D 2x10-10 (20) --
OBE-B4 D 1.6x10-9 (6) --
SSE-B4 D 1.6x10-8 (5) 1 BPE-B4 D 9x10-8 (4) 5 TOTAL = 2.5x10-6 (4,4)
Table IX.23 - Estimated Recurrence Frequency for the UTOP/USTEP and ULOF Accident Category e
Event Estimated Initiator Tree Path Recurrence Frequency Percent of Total RCOREB3 D 2x10-9 (15) 2 RSUPPA D 5x10-9 (110) 5 RSUPPr, D 5x10-8 110) 46 PHTS4 D 6x10-ll (-(20) --
-PHTR$ D lx10-ll (20) --
PHTS6 D 3x10-10 (10-) __
OBE-B3 D lx10-8. (6) 9 SSE-B3 D 1.9x10-8 (5) 17 BFE-B3 D 2.3x10-8 (4) 21
] TOTAL = 2.2x10-7 (35)
Unprotected Rupture of the Primary Boundary and Loss of Flow (URPB and ULOF)
Three PHTS initiators lead to the URPB and ULOF-type accident.
These initiators also lead to the URPB Accident Category described earlier. The overall frequency for the URPB and ULOF Accident Cate-gory is estimated at 1.8x10-10 per year with the PHTS2B initiator making up some 94 percent of that total. The URPB and ULOF summary is shown in Table IX.24.
-115-
4 Table IX.24 - Estimated Recurrence Frequency for the URPB and ULOF Accident Category Event Estimated Initiator Tree Path Recurrence Frequency Percent of Total PHTS1 D 5x10-12 (150) 5 PHTS2A D 6x10-13 1 PHTS2B D 9x10-ll (170) (20) 94 .
TOTAL 1.8x10-10 (16)
Unprotected Core Faults and Loss of Flow (UCF and ULOF)
} The UCF and ULOF Accident Category is made up from five initiator sequences and has an estimated median frequency of 2x10-7 per ye.ar. Three earthquake scenarios totally dominate the overall frequency since they are expected to be two to three orders of magnitude more frequent than 'the two initia-4 tors associated with the CRBRP Reactor System. UCF and ULOF totals are show in Table IX.25.
Table IX.25 - Estimated Recurrence Frequency for the UCF and ULOF Accident Category Event Estimated Initiator Tree Path Recurrence Frequency Percent of Total RCOREA2 D lx10-ll (50) --
RCOREB1 D 2x10-10 (20) --
1 OBE-B1 D 9x10-8 (6) 45 SSE-B1 D 7.6x10-8 -(5) 38
- BFE-B1 D 3.3x10-8 (4) 16 TOTAL = 2.5x10-7 (3.4) 1 e
-116-1 I
.-..m .
_y, , , ,. ey--,, y -, - y -,,y, ,__.v.m,- , - - . . ,n , ,, . - - .
Unprotected Accident ' Category Summary The thirteen Unprotected Accident Categories can be grouped into three phenomenological sets. The first set includes situa-tions where a loss of cooling ability is of prime importance.
This grouping combines the ULOF, ULOF - 2 Pumps, URPB, and ULOHS Accident Categorica and has'an estimated total recurrence fre-quency of 4.6xio-6 per year. The second set contains the UTOP, USTEP, UTOP,'USTEP, and UCF Accident Categories. This grouping represents situations where core damage and reactivity insertion are the driving phenomenological concerns and has an estimated total recurrence frequency of 1.9x10-6 per year. The. third Unprotected Accident Category set encompasses accident catego-ries which combine the effects of core damage or reactivity insertion and loss of flow. This grouping includes the UTOP and ULOF, USTEP and ULOF, UTOP/USTEP and ULOF, UCF and ULOF, and URPB and ULOF Accident Categories-and has an estimated total recurrence frequency of 4.3x10-6 per year.
The entire Unprotected Accident Classification, including all of the thirteen individual accident categories, has an esti-mated total recurrence frequency .of 1.25x10-3 per year. Three ,
accident categories dominate: ULOF with 35 percent of the total, UTOP and ULOF with 28 percent of the total, and UTOP with 22. per-cent of the total. A summary of the Unprotected Accident Category Class as a whole is shown in Table IX.26. This table also breaks out each accident category in terms of its external event contri-bution. As with the Protected Accidents, these contributions due to earthquakes and loss of offsite power figure significantly in almost all of the Unprotected Accident Categories and totally dominate many of them.
1 9
-117-4
._ __. - -_ _- _, -. ,. - , . . -. _ ... _ ,m._
Table IX.26 - Unprotected Accident Category Summary i
- ' Estimated External Percent Recurrence Event of Accident Category Frequency Percentage Total ULOF 3.8x10-6 (2.13) 23 35 ULOF - 2 Pumps 1.4x10-8 (7) --
.5 URPB 3.8x10-13 (19) -- --
~
ULOHS 5.2x10-7 (4) 5 5 Subtotal 4.6x10-6 (2)
(Loss of Flow)
UTOP 1.8x10-6 (5.9) .2 22 USTEP 4.9x10-9 (6) 98 .1 UTOP/USTEP 2.6x10-9 (6) 97 .1 I
UCF 4.9x10-9 (4) 93 .1 Subtotal 1.9x10-6 (5.5)
(Reactivity Insertion)
UTOP and ULOF 2.5x10-6 (4.4) 6 2:8 USTEP and ULOF 4x10-7 (3.5) 75 5 UTOP/USTEP and ULOF 2.2x10-7 (35) 47 2 UCP and ULOF 2.5x10-7 (3.4) 100 3 URPB and ULOF 1.8x10-10 (16) -- --
Subtotal 4.3x10-6 (4.2)
(Insertion plus Loss of Flow)
TOTAL = 1.25x10-5 (2.3) e
-118-
X. Comparison of Results with Other Studies Several studies have been made which estimate the risk in terms of radiological consequences associated with either the CRBR or generic loop-type LMFBR designs. The initial phase of these studies includes fault tree and event tree analysis which can be used to estimate the recurrence frequencies associated with generic accident categories such as the transient overpower (UTOP) of loss of flow (ULOF) type accident. These results can then be compared to the results of the present Sandia study in order to assess the relative accident recurrence frequency predic-tions associated with each approach. Two studies are particularly suited for this type of comparison: The Risk Allocation Model Development Study (Reference 11) performed by the General Electric Advanced Reactor Systems Department in 1980 and the CRBRP Safety Study performed by the Project Management Corporation in 1977.
The main purpose of the Risk Allocation Model Development Study was to develop methodology for credible LMFBR risk assess-monts and to show the relative sensitivities of various design options in terms of cost and overall risk. This study consid-ered 16 separate initiators which lead to around 150 initial event tree sequences. Thirty-two sequences were retained as Protected Accident contributors while 64 were found to contrib-ute to the Unprotected Accident classification. The Risk Allo-cation Model Development study also utilized five separate core response event trees and five containment event trees in order to estimate the eventual radiological risk and further define variables for optimization studies.
The CRBR Safety Study (Reference 2) was performed in order to assess the risk associated with CRBRP. Thirty-three initia-tors were considered in association with eight different event tree sequences and 13 different SHRS failure paths to produce approximately 250 accident sequences. Of these, only 20 were retained as Unprotected Accident category contributors with an additional 49 being kept to contribute to the Unprotected Acci-dent category. Core response phenomena event trees were elimi-nated in the CRBR Safety Study analysis and only one containment system event tree was utilized.
In contrast to the two previous studies, the purpose of the present Sandia effort is to determine the relative recurrence frequencies associated with generic LMFBR accident categories as applied to the CRBR design. No attempt is made to analyze core response or containment systems. This study considers some 50-odd initiators in conjunction with 20 functional event trees to produce around 350 accident sequences. One hundred twenty-five of these sequences were retained as potential Protected Accident contributors and more than 170 were kept as Unprotected Accident category contributors.
-119-
All three studies use order-of-magnitude estimates for the conditional failure probabilities associated with the major ESS functions. As seen in Table X.1, the General Electric study allowed a considerable variation in these ESS failure estimates for the Detection and SCRAM functions due to ini tia tor-d epe nd en t common cause mechanisms but held pump trip, forced flow and SHRS failure rates relatively constant. The CRBR Safety Study allowed '
for initiator-dependent variation in the SHRS conditional failure probability but did not vary the other ESS failure rates while the Sandia study attempts to assign initiator-dependent failure ~
rates to all five major ESS functions. None of the studies made a concerted effort to include the effects of human error or con-siderations for maintenance and repair in their conditional failure probability estimates.
Table X.1 - Conditional Failur e Probability Comparisons for Three Separat LMFBR Accident Analysis Studies Range of Conditional Failure-per-Demand Probability ESS Function GEFR CRBRP Sandia Detection 10-5_10-6 3x10-8 4x10-6 8x10-10 SCRAM 10-4-10-7 7.5x10-7 6x10-4 1.5x10-7 7x10-8 Pump Trip 3x10-3 3x10-4 10-3-3x10-4 SHRS 5x10-6 10-2 2x10-3 1.5x10-8 5x10-8 2x10-8 FFlow 2x10-2 3x10-9 10-1-5x10-6 Many initiators used in these studies were essentially identical and those specifically dealing with feedwater faults, turbine trips, pumping system faults, loss of offsite power, ,
operator-induced SCRAM and earthquake scenarios were identified with potentially dominant accident paths in each of the three studies. Overall, the initiators used in the General Electric study resulted in a total of 16 challenges per year to the ESS functions while the CRBRP study's initiators totalled 17 chal-lenges per year and the Sandia study's totalled around 14 challenges per year.
-120-
. - = - . .
Recurrence frequency estimates for five major accident categories can be compared using thesa three studies. These categories are UTOP, ULOF, ULOF/UTOP, ULOHS, and PT/F without SHRS. As seen in Table X.2, general agreement among the three studies varies from case to case. These differences range from a factor of four within the ULOF accident category to more than
, three orders of magnitude within the UTOP category and can be directly attributed to the initiator-dependent conditional fail-
- ure probabilities assigned to the ESS functions. This is graph-
. ically illustrated by contrasting the UTOP category results with those for the ULOF category.
Table X.2 - Accident Category Frequency Estimates from j Three Separate LMFBR Accident Analysis Studies Estimated Recurrence Frequency per fear Accident Category
- GEFR CRBRP Sandia ULOF 1.2x10-6 2x10-6 4.6x10-6 UTOP 1.9x10-5 10-8 1.9x10-6 ULOF/UTOP 6x10-6 2.3x10-7 4x10-6 ULOHS 2.5x10-5 8x10-7 5x10-7 PT/F without SHRS 5x10-6 2x10-5 2x10-4 4
- Accident categories are described in Appendix B.
The UTOP-type accident is predominantly controlled by the condi-tional failure probability for the Detection function. Both the GEstudyandtheSandiastudyassignegconditionalDetectionfail-ure probabilities on the order of 10- per demand for the domi-
! nanteventsleadingtothisaccigentcategorywhiletheCRBRP study assigned values in the 10- per demand range, thus there
, is roughly a two to three order of magnitude difference in the recurrence frequency estimates. Conversely, the predominant factor in ULOF-type accidents is the conditional failure proba-bility of the SCRAM function. Here all three studies estimated the co of 10 gditional failure per demand forprobability the dominant for initiators SCRAM toand be agreement on the order among the resulting recurrence frequency predictions was quite good. Additional comparisons for selected individual ac'cident 4
sequences which contribute heavily to the overall accident cate-gory recurrence frequency are shown in Table X.3. In general the
-121-
i
- values associated with the Sandia' study are seen to lie below the GE recurrence frequency estimate which seems to be based on broad, conservative ESS conditional failure rates and the above CRBRP study prediction which appears to be based on more optimistic conditional f ailure probabilities.
Table X.3 - A Comparison of Selected Accident Sequences for Three Separate LMPBR Accident Analysis ,
Studies Estimated Recurrence Frequency per Year Accident Category and Initiator GEFR CRBRP Sandia UTOP due to design speed control rod 3.6x10-7 10-8 1.5x10-6 insertions (2-504 Ramp)
UTOP/ULOF due to OBE 1.2x10-7 10-8 1.2x10-7 earthquake scenarios SSE 4.7x10-6 1.5x10-8 1.8x10-7 10-8 2.8x10-7 (OBE, SSE, BFE) BFE 1x10-6 ULOP due to loss of offsite power 1x10-8 1.5x10-8 2x10-8 ULOHS due to S/EGS faults 2.5x10-5 6x10-8 4xio-7 PT/F without SHRS due to loss of one 1.2x10-6 1.1x10-8 2.5x10-7 heat transfer loop Within the UTOP category, there is good correlation between the GE and the Sandia studies for the 2-50# ramp reactivity inser-tion initiator. This initiator is also referred to as an uncon-
. trolled rod insertion within design speeds and was identified as a major contributor to UTOP's by both studies. The CRBRP study es tima ted the recurrence frequency for this scenario to be less ,
than 10-8 per year and elininated it from further consideration.
For the UTOP/ULOF accident category, all three studies iden-tified earthquake initiators as a major contributor to the overall recurrence frequency. More emphasis was placed on these events by the GE and Sandia studies than by the CRBRP study, however. .
This type of trend in emphasis can also be seen for the loss of one heat transfer loop initiator within the PT/F without SHRS accident category.
-122-
- . - _ = _ _ - =_- _ _ _ . __ _ _ - - -. . -- - - . _ _ . . _ - - - _ _ - .
J i
On the other hand, there is reasonable agreement between the Sandia study and the CRBRP study for ULOHS category accidents due to a failure in one heat transport loop while the GE study pre-diction, Which is more than two orders of magnitude higher, is seemingly over-emphasized.
Overall, the Sandia study compares fairly well with the other
. two analyses. The effect of. including more initiators and retain-ing all of the event tree paths provides some additional insight
-
- accident categories but is not overly dramatic. As was done with the GC and CRBRP studies, many low-frequency initiators and event j tree sequences can be eliminated from further consideration with-
] out seriously compromising an overall generic accident category recurrence frequency estimate. Other initiators such as individ-
- ual feedwater faults can be combined into one overall category and ~
analyzed as a whole, thus reducing the amount of analytical effort effort required. A few additional initiators should be consid-l ered as potential contributors however, -particularly those dealing with moderate PHTS piping leaks and those dealing with IHTS rup-
] ture disk faults. The effect of assigning conditional failure J
probabilities for all fivo ESS functions for each individual ini-tlator is more significant, particularly for the Protected class of accidents which depend heavily on the conditional failure prob-ability of the SHRS and Forced Flow functions. In many cases, common cause relationships associated with initiators leading to the PT/F without SHRS and PT/F without FFlow accident categories has been shown to have at least the potential to increase the estimated recurrence frequencies associated with Protected Acci-dents by as much as two orders of magnitude over those proje.ted by the GE and CRBRP studies.
I l
6 I
-123-
XI. Conclusions and Recommendations
- 1. Protected Accidents as a class are predicted to occur more frequently than the class of Unprotected Accidents. Figure XI.1 shows that the median recurrence frequency Accidentsisestimatedtobeontheorderof10forProtected per year while Unpgotected 10-Accidents are estimated to occur at a rate of around ,
per year. The underlying reason for this difference is that the SHRS and Forced Flow ESS functions are more initiator-dependent than are the Detection and SCRAM functions for high ,
frequency initiators such as feedwater faults, pump trips, and operator-induced shutdown.
- 2. No one major Unprotected Accident Category appears to be dominant in terms of f requency of occurrence. The estimated recurrence frequencies for t ULOF, and UTOP + ULOF - type accidentsalllieinthe10geUTOP,6 to 10- per year range as seen in Figure XI.l. ULOHS and UCF + ULOF - type accidgnts ar9 estimated to be somewhat less frequent and lie in the 10- per year range.
- 3. Protected Accidents fall into three major subclasses, all of which have relatively the same estimated median recurrence frequency. Figure XI.1 shows that roughly twenty percent of the Protected Accident total recurrence frequency is due to scenarios which incorporate SHRS failures (PT/F without SHRS). . Another forty percent of the total comes from situations resulting from a loss of forced flow capability (PT/F without FFlow) and the remaining forty percent is due solely to initiator actions such as primary boundary ruptures or faults within the core.
- 4. External events such as earthquakes and a loss of offsite power are major contributors to many of the generic accident.cate-gories. Nine of the twelve Protected Accident categories and six of the thirteen Unprotected Accident categories are dominated by external event initiators (Tables IX.13 and IX.26). Overall, more than twenty-five percent of the Protected Accident category total median recurrence frequency stems from external event initiators while roughly eighteen percent of the Unprotected Accident cate-gory total comes frcm these initiators.
e
- 5. When the present Sandia study is compared to similar analyses from other studies, general agreement is seen to vary ,
from case to case. These differences can be directly attributed to .the initiator dependent conditional failure probabilities assigned to the basic ESS functions. In general, the recurrence frequency estimates associated with this study are lower than GE (Reference 11) recurrence frequency estimates which seem to be based on broad, conservative ESS conditional failure rates and higher than CRBRP (Reference 2) predictions which appear to be based on more optimistic conditonal failure probabilities.
-124-
= - . .
RECURRENCE FREQUENCY (PER YEAR) 10 -8 10
-8 10-7 10-6 10-5 10~4 10-3 10-2 s e a s e s UTOPl <>
l ULOF l <>
l UNPROTECTED ACCIDENTS UTOP & ULOF l <>
UCF & ULOF <>
l ULOHS l <> j y PT/F W/O FFLOW l <>l PROTECTED PT/F W/O SHRS l <>l ACCIDENTS DC: CDA POSS. <>
CSA: REL.POSS. ti TOTAL-TOTAL- UNPROTECTED l <>
l UNPROTECTED TOTAL-TOTAL-PROTECTED l <>
l PROTECTED Figure IX.l. Overall Initiating Accident Frequency Estimates for CRBRP.
l
- 6. Rupture disk failurus and moderate (vs. catastrophic) sodium piping leaks should be considered as potential initiat-ing events. These initiators were not specifically included in either the GE Risk Allocation Model Development Study or the CRBRP Safety Study. Protected Accident scenarios for these ini-tlators have relatively high common cause potential for the SHRS and Forced Flow ESS functions resulting in estimaged Protected Accident recurrence frequencies in the 10 10- per year range.
- 7. The uncertainty associated with initiator frequencies ,
and component failure probabilities tends to increase the median (50% confidence) value and decrease the bounding uncertainty fac-tor (5-95% confidence band). Table IX.1 illustrates this effect which is a product of the Monte Carlo technique used to combine individual accident scenarios as well as the combined contribu-tions to each generic accident category.
- 8. The technique developed in this report demonstrates a basic methodology by which the frequencies of distinct LMFBR initiating accident categories can be quantified, however, many improvements in the analytical models and input parameters will be necessary before this methodology can be included as part of a comprehensive LMPBR probabilistic risk assessment. This report uses " order-of-magnitude" estimates in an attempt to quantify initiator-dependent conditional failure probabilities for the ESS functions. Generally, these common cause estimations are intended to be conservative, although this assumption of conservation is not backed by any type of rigorous analysis. In addition, the fault tree models used to describe the CRBR ESS functions have been simplified in order to compensate for data base inadequacies and in some cases to expedite the analysis. The effects of human perform-ance, maintenance, and repair are also noticeably absent. A com-prehensive probabilistic risk assessment would require a more com-plete treatment of human factors, improved fault tree models, and extensive supporting common cause analysis in order to estimate initiating accident category frequencies with any confidence.
- 9. Further analyses in all areas of core response, systems response, and containment response are indicated. No single CRBRP response phenomenology appears to be dominant, nor can any be eliminated based on the results of this study. The UTOP, ULOF, and combined ULOF + UTOP - type accidents are all relatively equal in terms of estimated frequency of occurrence and should be inves- ,
tigated in terms of core response phenomenology. CRBRP Systems response phenomenon such as natural circulation and a potential loss-of-heat sink should also be given equal consideration based on predictions for Protected Accidents where in many cases a loss of flow is estimated to be just as likely as a complete loss of SHRS capability. Containment systems response to all twenty-five generic accident categories would also seem to be in order, par-ticularly for those categories which are dominated by external event initiators.
-126-
- 10. This report fullfills the Phase II objectives' set forth for Accident Initiation in the Accident Delineation Study.
Namely, to quantify the frequency associated with each of twenty-five generic LMFBR accident categories and to identify the poten-
^
tially dominant accident sequences within each category as they pertain to the CRBRP design. These results are now ready to be used as inputs in the areas of Accident Phenomenology for in-core events and Post-Accident Phenomenology for containment. In this way, key uncertainties in the core response, systems responso, and containment response areas can be identified and prioritized in order to provide a support basis for additional LMFBR research, development, and design efforts.
1 1
i
)
i i e i
e 4
.I .
127-128
1 f
(.
Appendix A Generic LMFBR. Initiating Accident Event Tree Development To identify the spectrum of meaningful LMFBF(initiating accident categories for analysis in the Accident Phenomenology Area, information about the accident ' initiator and the possible success or failure response of Esss, =to /the initiator is ' required.
Event trees are ideally suited to such a binary (success or fail-ure) logic situation where the important ESS responses are incor-
~
porated as branch points constituting the important qu,estions within the event tree. j !
In the LMFBR Accident Delineation Study (Re5ere ce 3), using the CRBRP for illustration purposes, it has been'possible to dis-play initiating accident sequences in terms of the logically allowed response of two broad ESS functions - the Plant Protec-tion System (PPS) function and the Decay Heat Removal function.
In this study, the response of the CRBRP<PPS has been broken down into three Detection, basic SCRAM, andfunctions necessary'o, Pump Trip, in that rder. for reactori shut'down Detection encom--
passes the ability to sense faults 1or anomalies, perform the required signal processing to output the. correct signal to the
~
s
. appropriate coincidence logic modules of the PPS and generate a correct signal for SCRAM and Pump Trip. SCRAM ' includes the .
sequence of functions involved .with receiving- a correct signap for SCRAM, performing the correct,or appropriate electromechanical actions, and terminates with control rod insertion to drive the reactor subcritical. (Rod insertion for the CRBRP is accomplished via gravitational forces with some mechanical assist.) Similarly, ~
Pump Trip includes reception of a correct signa'l ~for Pump Trip 4
and terminates with the interruption of power from a the motor- l^
generator sets and ultimate coastdown of the primary' sodium pumps.
The remaining ESS response necessary to achieve plant shut-down in CRBRP is adequate removal of decay heat after reactor shutdown, i.e., aftec avecessful SCRAM'and Pump Trip. For CRBRP, e assurance of adequrie (ea, oval of decay heat after successful SCRAM and Pump Trip (1 w , ' o achieve what is referred to as cold ' shut-down) requirer s . sv- table and adequate Shutdown Heat Removal System (SHRS) vl d. .. a v pump ( forced convective) flow as well as a core configurstion thut is coolable. Questions regarding the adequacy of natural circulation and core coolability are deferred to analysis in the Accident Phenomenology Area. As a result, the initiating accident event trees will display those sequences under which core disruption might occur via melt as end points since further analysis in the Accident. Phenomenology Area is required to determine whether cold shutdown or ccre disruption ultimately will A-1
result. These end points will be categorized by the conditions which indicate that core disruption is possible, but not certain, together with the statement "CDA possible." This qualitative categorization scheme not only identifies those sequences requir-ing further analysis but also provides information for that anal-ysis about the reason (s) for concern.
In addition to identifying sequences under which a CDA is possible, the initiating accident event trees should also iden-tify sequences where a CDA via melt is inevitable. If we assume that SHRS is a generic LMFBR functional requirement after reactor shutdown, an inevitable CDA via melt will result if the SHRS is unavailable over the short and long term. The obvious branch point question after successful reactor shutdown, therefore, involves SHRS availability over the short and long term. Under this definition, an unavailable SHRS would include conditions where an ultimate heat sink is not available or where heat cannot be transported to an available heat sink. Interpretation of the former condition for SHRS unavailability is straightforward but the latter condition is somewhat ambiguous and requires further qualification. For example, the SHRS will be assumed unavailable if there is an insufficient volume or level of sodium within the reactor vessel such that removal of decay heat via an otherwise available SHRS is precluded. On the other hand, situations involv-ing a damaged core (damage beyond design basis) which might pre-clude core cooling are not included in the definition of SHRS unavailability. Moreover, SHRS availability / unavailability says nothing about the flow conditions which might exist, i.e., whether forced convection or natural circulation conditions exist or not.
Under our definition of the SHRS function, if the SHRS is unavail-f able, core disruption via melt is inevitable. However, if the SHRS is availabJe, there is still no assurance that cold shutdown will be achieved. Two more conditions must be met to assure that cold shutdown is achieved: 1) forced flow conditions must be provided over the short and long term, and 2) the core must not be damaged beyond the design basis. The first condition can be addressed by an additional event tree branch point.to determine whether forced or natural circulation flow is available. The second condition does not require an event tree branch point, since the accident initiator will dictate whether core damage can occur 'r not. If .
the SHRS is available with pumped flow and the core has not been damaged beyond the design basis, cold shutdown will be achieved.
If, however, the SHRS is available with natural circulation flow, core disruption via melt is a possibility and requires further analysis in Accident Phenomenology for resolution. In this phe-nomenological analysis, if core damage beyond the design basis is also suggested, both core coolability and adequacy of natural circulation will be addressed; if core coolability is certain, only analysis of natural circulation adequacy is required.
A-2
Achievement of cold shutdown does not necessarily rule out a release to the environment. If the primary boundary remains intact and cold shutdown is achieved, then no release is possible.
If, however, the primary boundary is compromised, an environmental release is possible if containment isolation subsequently fails, since the primary sodium is itself radioactive. The integrity of the primary boundary is basically determined by the accident initiator-eliminating the need to ask whether the primary bound-ary is intact or not as a distinct event tree question. However,
, primary boundary integrity may or may not be clear for certain accident initiators (e.g., a seismic event). A conservative approach will be taken such that if primary boundary integrity could have been compromised as a result of the initiator, it will be assumed to have occurred for the moment, with further analysis and ultimate resolution to occur in Accident Phenomenology (to determine the extent of damage and the available source terms) and in Containment to determine the likelihood and extent of any onvironnental release. Therefore, those cases where cold shut-down has been achieved but the primary boundary may have been com-promised will be categorized as " Cold Shutdown Achieved: Release Possible" and will require further analysis and resolution of the prinary boundary integrity question in the Containment Area.
We now have in hand the important ESS responses for construc-ting a generic LMFBR initiating accident event tree. A mathema-tically complete event tree with Detection, SCRAM, Pump Trip, SHRS (available over the short and long term), and Forced Flow as important branch points, using binary logic for " success" (or "yes") and " failure" (or "no") responses, is shown in Figure A.l.
Since five branch-point questions each with two possible states are involved, one would expect (2) 5 = 32 possib]e end points for 1
the mathematically complete event tree. Fortunately, a mathema-tically complete event tree is rarely appropriate since some com-binations of responses have no meaning or involve unnecessary additional questions to arrive at a meaningful initiating accident category. For example, Sequences 17 through 32 inclusive in Fig-ure A.1 are unnecessary since failure to detect an accident initi-ator requiring emergency plant shutdown automatically leads to a meaningful initiating accident category for further analysis; it also means in this case that SCRAM, Pump Trip, SHRS, and Forced Flow will not be called upon or given an opportunity to respond.
Therefore, Sequences 17 through 32 in Figure A.2 may be replaced
, by a single horizontal line progressing to the right and emanat-ing from failure of Detection. If such an exercise is continued, displaying only the physically meaningful or necessary paths to obtain useful end point initiating accident categories, then the reduced generic LMFDR initiating accident event tree shown in Figure A.2 results. Eight end points are shown in. Figure A.2 as Sequences A through H, indicating the elimination of twenty-four sequences from the mathematically complete tree of Figure A.l.
A-3
s REACTOR SHU1DOWN SYSTEld (RSS) DECAY HEAT ret 00 VAL I DETECTION I SCRA40 I Put0P Tfi1P I SHR$ I FORCED I l l l l AVAILASLE7 I FLOW 7 l l l l '
1
' '1 1 I I i i I :2 SUCCESS /w S
- a i i i :3 l l ' 24 1
S -
l I
, er
' :a
=,
I
- 10 ir
' : 11 FAILURE /NO
,' ' 12 y
- 13
' 14 4
- 1S ACCIDENT INITIATOR OR I ANO4dALY RESULTING IN A : 16 SUBSYSTEld FAILURE REQUN11NG I _ 97 EteERGENCY PLANT SHUTDOWN
' r is
, e is I
- 20
, C 21 I
- 22
, C 23 I
- 24
, e 2S I
- 26
, : 27
- 2e
, 2 29 ,
I 30
, C 31 I 2 32 l Figure A.l. Mathematically Complete, Generic LMFBR l Initiating Accident Event Tree.
L A-4
The initiating accident event tree in Figure A.2 can be applied to any LMFBR since the questions used are believed to be generic and necessary functional requirenents to achieve plant shutdown under emergency situations. Detection, SCRAM, and SHRS certainly are necessary functions in achieving plant shutdown.
Pump Trip and Forced Flow, on the other hand, may not be necessary depending on the specific LMFBR. Their existence as generic event tree questions, therefore, might be argued. However, forced con-vective flow both during operation and immediately after reactor shutdown is a design requirement for all existing LMFBRs. There-fore, Pump Trip and Forced Flow are generic questions to ask but may or may not be required to achieve plant shutdown, depending on the design. Since there are LMPBRs which do require these actions, such that if they should fail, a distinct accident type can or will result, they should be maintained as generic event tree branch-point questions.
The event tree in Figure A.2 can be reduced further depend-ing on the specific LMPBR design to be analyzed. For example, if Pump Trip failure is of no major consequence other than over-cooling with a mild associated thermal shock to the system af ter successful Detection and SCRAM, then two Sequences (D and E in Figure A.2) would disappear. Alternately, if it is assumed that Pump Trip or coast down will ultimately be achieved af ter success-ful Detection and SCRAM prior to or without any damage of conse-quence, then Sequences D and E in Figure A.2 would be unnecessary.
This assumption is realistic for CRBRP and is applied to the CRBRP initiating accident event trees developed and discussed in Refer-ence 3. In addition, if the PPS were designed such that Pump Trip is only called for af ter a successful SCRAM, e.g., through the use of an interlock, the Sequence F in Figure A.2 would dis-appear. Such a PPS design would further act to eliminate poten-tial combined accidents. That is, it is possible to get a loss-of-flow without SCRAM (SCRAM f ails but Pump Trip succeeds) simply through the action of the ESSs without such an interlock PPS design. If this sequence of events is coupled to an accident initiator which results in an accident type significantly dif fer-ent from a loss-of-flow without SCRAM, then a combined accident results. As an example, the CRBRP PPS does not incorporate an interlock preventing Pump Trip from occurring should SCRAM fail.
- As a result, if the accident initiator in CRBRP results in an accident type significantly dif ferent from a loss-of-flow with-out SCRAM (e.g. , a transient overpower excursion without SCRAM),
a combined accident will occur if Pump Trip succeeds and SCRAM fails - in this example a transient overpower and loss-of-flow without SCRAM. Obviously, the form of the initiating accident event tree ultimately to be used in any further delineation will depend on the specific LMPBR design. Figure A.3 illustrates the generally applicable initiating accident event tree which results when the CRBRP is considered.
A-5
REACTOR SHUTDOWN SYSTEM (RSS) DECAY HEAT REMOVAL I SCRAM ! PUMP TRIP SHRS I FORCED DETECTION I I I I AVAILABLE7 i FLOW 7 I I I I I I
cA I I I I I I I I I I I I i :s I
i I I I i i SUCCESS /YES I I n i I
Y OD I
=
- g I
V OE FAILURE.'un
- F ACCIDENT INITIATOR OR ANOMALY RESULTING IN A SUBSYSTEM FAILURE REQUIRING OG EMERGENCY PLANT SHUTDOWN 0H Figure A.2. Reduced Generic LMFBR Initiating Accident Event Tree.
. . e .
nEACTon SauTDoWu STSum (nSS: DeCAT wEAT mEmovAt senAT o ACC Enf CanoonT l
DETECTION I SCRAes I Pump fasp SMRS IFORCED FLOW l l l I AvAsASLET l 1 COLD SuuTDeWu AC eve 0 mTu on mTuouT A nEtEAsE l l l l l l PotteLE (CSA: no afu on (CS= mEL. POSSA g g ; A DamAaED Cone: CDA PoSS LE (DC: coa PoSSA On i -
DAMAGED CORE & pmOTECTED RUPTURE OF THE PRIMARY SUCCESS /YES l 1 l l SOUNDART: CDA POSSeLE (DC & PHpS: CDA POSSA o 1 1 I l l l :g PROTECTED TR.*JeSEENT Oft FadLURE g e a WITHOUT FORCED FLOW: CDA PotteLE (PT/F W/O FonCED FLOW: CDA POSSJ g PROTECTED TRAsetemT On FAtumE M i WITHOUT SHett: CDA NEEVITASLE ir (PT/F W/O SMRS: CDA WIEVITJ F AILURE, NO
- O UIUPACTECTED TRANSIENT Ce pasLumE AND LOSS-OF-FLOW (UT/F & ULOF)
CaenP ATOfl CAUSE CE tarn 0TECTED TRAMSENT OR FAEUBIE
, UIspe0TECTED TRAfsSaENT OR F AILURE (UT/F)
F Figure A.3. Reduced Initiating Accident Event Tree for a General Subsystem Failure in CRBRP.
Gequences A through F in Figure A.3 are labeled with appropriate general initiating accident classifications that can result. These sequences are assumed to emanate from an anomaly at or near full power and are discussed individually below:
Sequence A: This sequence begins with an initiator which results in an unspecified CRBRP subsystem failure which requires emergency plant shutdown. The anomaly is detected successfully, SCRAM is called for and obtained, Pump Trip or coastdown is of no
- consequence and is assumed to ultimately occur (hence no branch point is shown at Pump Trip), the STIRS is available and the pony pumps operate providing forced flow for decay heat removal. The actual categorization of this sequence depends on the accident initiator and/or subsystem failure involved. For example, if the core has not been damaged and the primary boundary remains intact, cold shutdown will be achieved without any possibility for a releare to the environment. If, however, the primary boundary is compromised but the core has suffered no damage, a cold shut-down will still be achieved but a release is possible should con-tainment isolation fail. On the other hand, if the core suffers damage, it may not be coolable even though the SHRS is available with forced flow. The first scenario obviously requires no fur-ther analysis. The second scenario, however, requires further analysis in the Containment Area to determine the likelihood and extent of a release to the environment. The third scenario really involves two situations to account for primary boundary states.
Nevertheless, both will require further analysis primarily in the l Accident Phenomenology Area to determine if the core is coolable or not. If it is coolable, no CDA results and cold shutdown is achieved. If, however, the core is actually not coolable, core disruption will ultimately occur via melt. The four possible scenarios are categorized as: 1) Cold Shutdown Achieved: Uo Release (CSA: No Rel.), 2) Cold Shutdown Achieved: Release Possible (CSA: Rel. Poss.), 3) Damaged Core: CDA Possible l CDC: CDA Poss.), and 4) Damaged Core and Protected Rupture of the Primary Boundary: CDA Possible (DC & PRPB: CDA Poss.).
Sequence B: This sequence is identical to Sequence A except forced flow via the pony pumps is not available for the SHRS. In i
CRBRP, the adequacy of natural circulation is still in question. -
j As a result, for CRBRP, this sequence is categorized as a general Protected (protected here simply means that SCRAM has succeeded) '
Transient or Failure without Forced Flow: CDA Possible (PT/F without Forced Flow: CDA Poss.). Analysis in Accident Phenomen-ology will determine if core disruption occurs or cold shutdown ultimately is achieved. This accident category is really a broad class of protected accidents with a potential for core disruption.
The specific protected accident category which results can be easily identified by the initiator or subsystem failure involved.
A-8
Sequence C: This accident sequence leads to a CDA via melt due to an unavailable SHRS. This sequence is generally termed
" Protected Transient or Failure without SHRS: CDA Inevitable (PT/F without SHRS: CDA Inevit.)" and includes a broad class of protected accidents which can be specified by the particular accident initiator or subsystem failure involved. Because the SHRS is unavailable, decay heat is not adequately removed and core disruption is inevitable and only a matter of tin.c. The ADS Phase I report section dealing with the accident phenomenology and pro-gression of protected accidents will delineate via event trees Whether a CDA will occur or not, for those protected accidents Where CDA possible is listed, and timing to core disruption via melt for those protected accidents where CDA inevitable has been
- determined.
Sequence D: This sequence displays the potential combined accident mentioned previously. In Sequence D, the anomaly is successfully detected anc. both SCRAM and Pump Trip are called for; Pump Trip is successful but SCRAM fails, leading to a loss-of-flow without SCRAM - termed an Unprotected Loss-Of-Flow (ULOF).
" Unprotected" here and in the remainder of this report means sim-1 ply that the reactor has not been SCRAMMED for whatever reason. '
SHRS and Forced Flow (pony pumps) obviously cannot act to miti-gate an accident unless SCRAM is first successful. Therefore, no branch points are shown for SHRS and Forced Flow in this sequence. If the accident would be assumed to occur. However, if the accident initiator results in an accident type signifi-cantly dif ferent from a ULOF, then Sequence D leads to a combined accident termed here a general " Unprotected Transient or Failure and ULOF (UT/F & ULOF). "Obviously UT/F encompasses a number of more specific unprotected accident categories Which depend on the particular accident initiator or subsystem failure involved.
Sequence E: This initiating accident sequence is similar to that of Sequence D except that both SCRAM and Pump Trip fail upon demand. The system, therefore, remains at or near full power with the pumps operating and an unmitigated transient or failure still imposed. This accident has been generally termed UT/F and requires more information about the particular accident initiator or subsystem failure in order to determine the more i specific unprotected accident category involved.
Sequence F: This accident sequence occurs as a result of failure to detect an anomalous event requiring emergency plant shutdown. Because the anomaly has not been detected, SCRAM, Pump Trip, SHRS, and Forced Flow functions are precluded and the system remains at or near full power with the pumps operating, and the imposed transient or failure goes unmitigated, resulting in an unspecified general UT/F accident. The actual accident initiator or subsystem failure will determine the specific unpro-tected accident category within UT/F that ultimately is involved in this sequence.
I A-9
I We now have in hand all the tools to systematically identify the spectrum of initiating accident categories associated with a particular LMFBR design for further analysis in the Accident Phenomenology and Containment Areas.
j In a generic sense, the existence of an-initiating accident
' category does not necessarily mean that core disruption is cer-tain - whether core disruption occurs or not depends on the -
I response of the core to the initiator or failure. This analysis is part of the Accident Phenomenology Area and is highly design
- i specific. A ULOF in CRBRP, for example, will result in core dis-l ruption, but it is conceivable that an LMFBR could be designed to accommodate a ULOF without core disruption. The Accident Initia-tion Area, therefore, merely identifies situations which pose a threat to the system and defers final judgment of the outcomes to analysis in Accident Phenomenology and Containment.
i I
f l
l I
a 4
h f
f I
i l A-10 t
, . --. ~ ~ w . , - - - --a-,--, , ...,.my_- - - . .-,.,,,y. , , - , - -- ...--m , . _ _ , ,- , _ _ . . ,
Appendix B LMFBR Initiating Accident Categories Initiating accident -event trees displaying the important ESS response - necessary in attempting to shutdown the reactor and
. adequately remove decay heat terminate in either a benign out-come requiring little or no further analysis (e.g., Cold Shutdown Achieved or faults within tolerance permitting continued opera-tion), or initiating accident cadegories that interface with and provide a starting point for the accident phenomenology analysis and event trees describing the nanner, likelihood, extent, and end result of core disruption. Figure A.3 f rom Appendix A illus-trates the process by which LMPBR general initiating accident classes were identified for CRBRP. Potential core disruptive accidents are divided into two general types: 1) those which involve a failure to SCRAM the reactor (unprotected accidents),
- and 2) those in which SCRAM is successful but core disruption i
nevertheless can eventually result due to an inability to ade-quately remove decay heat (protected accidents).
These two types or classes of accidents are too general to serve as useful starting points for analysis in the Accident Phenomenology Area and must, therefore, he further subdivided into specific initiating accident categories. Ideally, such specific categories should meet the following criteria:
- 1) They should be comprehensive with respect to accident initiation, so that every logically possible combina-tion of the various accident initiators and outcomes of the event trees can be assigned to a specific ini-tiating accident category.
- 2) They should be comprehensive with respect to accident phenomenology, so that no possible.CDA will involve phenomenologies not included in any of the accident categories, and the range of accident outcomes con-sidered among the categories will span the full range of outcomes that are possible.
o
- 3) They should be sufficiently narrowly defined to serve as useful starting points for phenomenological analysis without beconing too numerous or unmanageable.
This last requirement is-admittedly somewhat vague and implies both dif ferentation and combination of accident situa-tions on an unspecified basis. Actually, the process of cate-gorizing initiating' accidents is merely a simplification exer-cise lumping similar overall situations together even though their specific conditions vary. The question then becomes one B-1 4-e-- y- -- , y - -m oe.+- y e,-- we
i of degree. To what degree are these accidents similar? It is of ten expeditious to turn this question around - "To what degree are these accidents dif ferent?". If the differences require a new and varied phenonenological treatment or if they suggest a significant shift in consequences, a new and distinct initiating accident category is required and was generally established. As an example, an accident sequence which involves a rupture of the
- primary boundary was labeled as a distinct category in itself since one of the najor boundaries for containment has been lost very early in the accident and can alter the way in which the ,
accident progresses and is treated in the Containment Area.
Establishing an adequate and meaningful set of initiating accident categories, as judged by the above criteria, is somewhat subjective but requires a considerable degree of understanding of what the relevant accident phenomenologies are, and also a certain amount of effort to systematize the available information. For the most part, the availability of the information required for the categorization of unprotected accidents is sufficient for the task, and the initiating accident categories assigned to this class of accidents in the present report are believed to meet the I,
above criteria reasonably well, with some qualifications noted at the appropriate points in the discussion. In contrast, much less work has been done on the class of protected accidents, and it is not clear that analysis has reached the stage that would permit definition of a meaningf ul set of protected accident categories that is comprehensive, useful, and likely to cemain unchanged.
j Nevertheless, delineation of protected accidents seemed necessary and desirable, and this study does attempt to categorize protec-
! ted accidents where core disruption is inevitable In CRBRP on the i basis of timing to whole-core disruption via melt. This basis may prove incorrect or inadequate as nore information about such protected accidents where a CDA is inevitable becomes available.
However, this basis appears comprehensive, useful, and logical for the present since once core disruption is assured for a pro-tected accident via melt, it is only a question of tine. Since protected accidents in the broad sense, as identified in Figure A.3, nay or may not ultimately result in core melt, depending on the sequence of events and actual core response, phenomenological analysis is required to determine if core disruption will result or not (for those cases where CDA possible is sho"n). In addi-tion, timing to whole-core disruption involves phenomenological as well as accident initiation questions. As a result,' detailed ,
categorization of protected accidents in CRBRP is developed and discussed in Accident Phenomenology Section (Reference 3), which specifically addresses Protected Accidents. Therefore, protected accident categories listed in this section do not include timing inf o rma tion , and are based on accident initiation information j only.
B-2
1 4
4 1 The initiating accident categories identified by the various CRBRP initiating accident event trees for subsystem failures are
! described below in terms of the accident initiator or subsystem failure involved and the actual response of the ESSs. The." Cold I
Shutdown Achieved: No Release Possible" and " Anticipated Fault Not Requiring SCRAM" categories do not call for any further anal-ysis in Accident Phenomenology or Containment and are, therefore, l
. included below primarily for completeness:
- 1. Cold Shutdown-Achieved (CSA). This classification applies to any accident initiator or subsystem failure that requires emer-gency plant shutdown when the plant shutdown is achieved via suc-
- cessful Detection, SCRAM, Pump Trip, and adequate removal of decay heat by an available- and reliable SHRs operating with Forced Flow.
If core damage which might preclude _ core coolability is suggested 7
by the accident initiator, then achievenent of cold shutdown is not assured and, therefore not assigned. In such cases, a " Dam-aged Core: CDA Possible" category is-assigned,. and phenomenologi-cal analysis is required to determine whether core disruption results (because of the core being in a non-coolable configura-tion), or cold shutdown is ultimately achieved. See the " Damaged Core: CDA Possible" category under the discussion of Protected Accidents below for more information.
A CSA classification does not rule out the possibility of an environmental release. If the primary. boundary is compromised, i for' example, radioactive primary sodium and any additional radio-active material in the primary sodium could potentially be released
^
to the environment if containment isolation fails. The important question, therefore, in distinguishing whether a release is pos-sible or not for a CSA sequence, involves the integrity of the i primary boundary.
I a. Cold Shutdown Achieved: No Release Possible (CSA:
No Rel.). This category is a subset of the CSA classification where not only has the plant been success fully shut down, but the primary boundary-remains intact. This category is only assigned
! when the primary boundary integrity is assured,
! the plant has been shut down successfully, and no i .. core damage beyond the design basis is involved.
i
- b. Cold Shutdown Achieved: Release Possible (CSA:
, Rel. Poss.). This category is.also a subset of i the CSA classification. It is assigned when the I primary boundary may have been compromised as a f result of the accident initiator. This category requires further analysis in the Containment Area to determine whether the primary boundary was actu-ally breached or not and, if so, to determine the likelihood and extent of-any release.
i j B-3
- 2. Anticipated Fault Not Requiring SCRAM (AFNS). This category results only when an anomalous event or condition occurs which does not require emergency plant shutdown, i.e.,
SCRAM, Pump Trip, and subsequent removal of decay heat. Such events fall into two distinct types:
- a. Faults or transients that are within tolerance, such as random fuel pin failures, or small pos-itive reactivity insertions due to such things as small bubbles passing through the core, etc. ,
and,
- b. Faults or transients that require a protective response other than emergency plant shutdown, such as a small steam generator tube leak or a small steam line leak, etc.
The AFNS category is used to represent anomalous events within tolerance or faults requiring a protective response other than emergency shutdown. However, should an AFNS situation esca-late to the point where emergency plant shutdown is required, it would then be treated by the normal event tree binary logic and would be recategorized in terms of the fault calling for shutdown and the responses of the ESSs.
The AFNS sequence will not occur for every subsystem failure and, therefore, will only appear in a few subsystem failure initi-ating accident event trees. As a result, its existence will be primarily to identify those subsystems which are susceptible to aoch anomalies.
- 3. Unprotected Accidents. This term refers to a whole class of initiating accidents in which a transient or failure occurs which should have resulted in SCRAM but, for whatever reason, SCRAM fails or does not occur. This class of accidents has also been termed " Unprotected Transient or Failure (UT/F)"
in Reference 3. Several specific unprotected accident cate-gories fall into this general UT/F accident class. These are typically distinguished by the accident initiator or subsystem failure involved and are identified and discussed individually below: *
- a. Unprotected Transient Overpower (UTOP) or ,
Unprotected Step Insertion (USTEP). The term
" Unprotected Transient Overpower," or UTOP traditionally has been used in two slightly different ways. The first, more general, usage is for any accident involving an inser-tion of excess reactivity outside tolerance where SCRAM should occur but does not. How-ever, the great majority of analyses of such B-4
accidents have involved a description of the transient in terms of reactivity insertions at a constant rate, with this rate (called the ramp rate) being a key input parameter for the analysis of accident phenomenology.
Thus, much discussion of "UTOP" accidents actually presupposes an accident involving
- a constant-ramp insertion. In general, this description is probably a reasonable
. approximation for most transients where the total reactivity available for insertion is large compared with a dollar. In this case, the onset of core disruption, and the reac-tivity effects associated with disruption, will become governing before the full magni-tude of the potentially-available initiating.
insertion can be actually realized. The exact magnitude of the potential initiating insertion is then less important than the initiating insertion rate. In the present report, the designation "UTOP" will be reserved for transients which can be rea-sonably well approximated by constant-ramp insertions.
At the opposite extreme, reactivity transients are possible for which the total reactivity available for insertion is under one dollar, and it is inserted on a time scale that is short compared with reactor response times other than the neutronic prompt jump, assuming the reactivity remains reasonably well below prompt critical. In these cases, the exact insertion rate is relatively unimportant and the key parameter is the magnitude of the total reactivity insertion. Transients of this type, with an associated failure to SCRAM, will be referred to as " Unprotected Step" insertions or "USTEP" in the present report.
e i For some initiators leading to reactivity insertion, either a ramp-type or step insertion may result (conceivably the actual insertion function may not be well approximated by either of these two limiting cases). In these cases, if SCRAM also fails, the designation "UTOP or USTEP (UTOP/USTEP)" will be used.
B-5
., . e~ y. - ~ --- -, -- < - =-
I
- b. Unprotected Loss Of Flow (ULOF). In this accident-category, either the accident initiator leads directly to the primary pumps. failing and SCRAM does not occur, or else some other inconsequential fault or failure requires emergency shutdown and Pump Trip occurs but SCRAM fails. In this report, l the "ULOF" category will be reserved for accident sequences in which the flow decay rate is approx- e imately equal to the normal pump coastdown rate, and the initial conditions are reasonably close to normal operating conditions. The large major-ity of existing analyses are for these conditions, although the term "ULOF" has sometimes been used more generally to apply to any unprotected acci-dent involving sufficient loss-of-coolant-flow such that adequate core cooling is not maintained (the term " transient undercooling" is also some-times used for this more general case).
- c. Unprotected Loss Of Flow From Two Pumps (ULOF -
l Two Pumps). In this accident, two of the three main CRBRP primary sodium pumps are assumed to fail; neither reactor SCRAM nor trip of the remaining primary pump occur. The core may be temporarily coolable under these conditions though the situation is marginal and, in any case, failure of the third primary pump or some other failure is expected to eventually result in a CDA. The detailed sequence leading up to the CDA has not been analyzed. If the immedi-ate cause of the CDA is failure of the third pump, the resulting accident obviously has important similarities with the normal ULOF accident but the initial conditions are suf-ficiently different so this accident will be j kept as a separate category.
- d. Unprotected Loss Of Heat Sink (ULOHS). This initiating accident category refers to any sequence in which the immediate effect of the initiator results in a loss of the capability .
to remove-heat from the primary sodium system; initially-the Reactor System and PHTs continue to function normally (neither Pump Trip nor SCRAM occurs). The initiator may be a fault or failure in either the IHTS or the S/EGS.
Since the ability to remove heat from the core itself is not inmediately affected, core dis-ruption does not immediately occur. However, the entire PHTS heats up on a time scale of B-6
minutes and, if corrective action is not taken, additional failure (s) will result leading directly to a CDA. The detailed sequence leading to the CDA has not been analyzed and this is a clear need.
- e. Unprotected Rupture of the Primary Boundary (URPB).
This category refers to any initiating accident in
- which the integrity of the PHTS boundary (reactor vessel, intermediate heat exchanger shell, reactor vessel and guard vessel, or piping) is lost and SCRAM does not occur. If a CDA results it will likely be due to a loss-of-coolant-flow, but con-ditions may dif fer significantly from the standard ULOF accident category. In addition, the rupture of the primary boundary has important implications to the containment analysis and the ultimate acci-dent consequences and is, the re fo re , kept as a separate category.
Rupture of the primary boundary in LMFBRs corresponds to the Loss-of-Coolant Accident (LOCA) in LWRs and it is sometimes referred to as a LOCA in LMFBR analyses (e.g., the CRBRP Safety Study, Refe rence 2 ) . In an LMPBR, however, it seems unlikely that the core itself will actually lose coolant as a direct result of this failure because the coolant is subcooled (i.e., there is no blow-down), and the volume between the reactor vessel and the guard vessel is not large enough to per-mit the sodium level to drop to the core location, even if there is a total catastrophic failure of the reactor vessel. Even if the reactor vessel were to rupture and the primary pumps remained on, in which case sodium would be pumped out of the reactor vessel into the guard vessel causing it also to overflow, the core would still not become uncovered, since the primary pumps would cavitate before the core would become uncovered because the pumps are at a higher elevation than the top of the core. The core could drain dry
- only if there is also a failure of the guard vessel and a massive leakage into the primary equipment cells, and the term "LOCA" will be reserved for this type of event in the present report. However, even in the event of such leakage, an unprotected LOCA does not appear to be possible because flow will be lost well before the core could drain dry; once flow is lost in an unprotected accident, sodium boiling within a very few seconds and the phenomenology is similar to that of ULOF-type sequences. An B-7
i.
unprotected LOCA, therefore,'will be categorized l as.a ULOF accident. LOCA will, therefore, only I be a meaningful category within the class of protected accidents.
I f. Unprotected Core Fault (UCF). This category refers
- to any sequence in which the initiator or failure
~
.only involves or is within.the core subsystem'itself.
- Examples would include pin failu're propagation, fuel loading errors, coolant blockages, propagation of subassembly-scale faults, etc. Within the logic of l the event tree, this categoey strictly speaking arises when the fault reaches the point where auto-
' matic SCRAM should occur but does not. It is con-ceivable that the. fault may initiate at a level
- above the threshold for a protective. response (e.g.,
+
subassembly blockage and meltdown), and thus: call
- for SCRAM immediately, but no mechanistic' initiators l for such events have been identified for CRBRP. It i
may be that it is more likely that this condition l will arise due to a local fault that is initially
, within tolerance-(e.g., random pin clad failure),
- but which subsequently propagates until protective l action is called for, but SCRAM fails.
1
! g. Unprotected Transient or Failure and Loss-Of-Flow
- j. (UT/F and ULOF). -This combined accident class
" actually refers'to several combined accident cate-gories in which one of the failures or transients j discussed above calls for emergency plant shutdown, j the PPS detects the anomaly, and Pump Trip takes i place but SCRAM fails (conceivably, the combination of LOF and the other initiating fault condition involved could also result from a common-mode /com-mon cause failure). If the initiating failure or
! transient results in conditions that differ. signifi-
! cantly from the standard ULOF category, the relevant l failure or transient will be explicitly identified-l at the Levent tree end pointst ' examples include UTOP
, and ULOF, USTEP and ULOF, UCF and ULOF, UTOP/USTEP.
! 'and ULOF, and URPB and ULOF. In other cases,Lthe =
i initiating failure may be a negligible perturbation on the effect of the loss-of-flow without SCRAM and
- ~
the accident can be categorized simply as ULOF. An example of this would be ULOHS and ULOF'in which the loss-of-heat-sink without SCRAM is inconsequential with respect to the loss-of-flow without SCRAM and is, therefore, simply termed ULOF.
B-8
- 4. Protected Accidents. This term actually refers to a whole class of potential or inevitable core disruptive accident situations in which an unspecified transient or f ailure requir-ing emergency plant shutdown occurs, and is effectively mitigated by successful Detection, SCRAM, and Pump Trip, but core disrup-tion via melt may still result because of an inability to ade-quately remove decay heat. The class of protected accidents
- has sometimes also been generally termed a " Protected Transient or Failure (PT/F )" and , when applied in this general fashion, involves situations in which core disruption is either inevitable (due to an unavailable SHRS) or possible (due to core damage which could preclude core cooling, or due to operating without forced flow a fter reactor shutdown with an available SHRS since natural circulation might prove inadequate). Both the CDA inevitable and CDA possible protected accident categories require phenomenologi-cal analysis to determine the timing to whole-core disruption via melt for the CDA inevitable cases, or to determine whether core disruption actually results or cold shutdown ultimately is achieved for the CDA possible cases. In addition, if a CDA pos-sible protected accident is shown by the phenomenological analy-sis to lead to core disruption, then the phenomenological analy-sis would continue -- to determine the timing to whole -- core melt and the final extent of plant damage.
For those cases where an emergency plant shutdown is called for and SCRAM and Pump Trip are successful but the SHRS is unavailable over the short and/or long term, for whatever reason, decay heat is not going to be adequately removed and core dis-ruption via melt is inevitable. As a result, time to whole-core disruption via melt was chosen as the logical basis for phenomeno-logical delineation of protected accidents where core disruption is inevitable. Determining the timing to whole-core disruption obviously requires phenomenological analysis to evaluate the ther-mal response of the core. However, the accident initiator is also important since it establishes the conditions under which the core must respond. Therefore, the phenomenological analysis of pro-tected accidents in which a CDA is inevitable must also consider information from the Accident Initiation Area since ultimate categorization based on timing to whole-core disruption is the desired objective. As examples, important accident initiation
- considerations having a bearing on timing to whole-core disruption via melt include: (1) the integrity of the primary boundary, (2) the sodium level in the reactor vessel, and (3) the core state --
to mention a few.
For those protected accident situations where a CDA is pos-sible because of core damage or because forced flow is not '7 ail-able, phenomenological analysis is also required to determine whether core damage and/or lack of forced flow is sufficient to preclude adequate decay heat removal, i.e., to determine whether core disruption via melt ultimately occurs or whether cold shut-down is ultimately achieved. If the phenomenological analysis B-9
indicates that cold shutdown is ultimately achieved, further delineation follows that ddiscussed earlier under the "CSA" categories above. If, however, core disruption is indicated, then the phenomenological analysis continues -- to determine the timing to whole-core disruption and the final plant damage that was sustained.
Since a full delineation of protected accidents involves both accident initiation and phenomenological considerations, the Accident Initiation analysis will delineate protected accidents ,
into initiating protected accident categories which can be speci-fied by accident initiation and ESS response information only.
As a result, timing to whole-core disruption via melt, and the ultimate plant damage sustained as a result of CDA inevitable or CDA possible protected accident categories, will be deferred to analysis and delineation within the Accident Phenomenology Area.
This indicates that two distinct types of initiating protected accidents will emerge from the Accident Initiation and ESS Response Analysis: 1) CDA Inevitable initiating protected acci-dents, and 2) CDA Possible initiating protected accidents. These two types of initiating protected accidents are discussed separ-ately in the remainder of this section and each type is further subdivided into meaningful initiating protected accident categories.
- 1. CDA Inevitable Initiating Protected Accidents. This classification includes several specific initiating protected accident categories in which core disruption via melt is a cer-tainty. The only way in this report that an initiating protected accident is identified as definitely leading to core disruption via melt is if the SHRS is unavailable after successful SCRAM.
Four specific initiating protected accident categories fall into this classification and each is discussed separately below:
- a. Damaged Core without SHRS: CDA Inevitable (DC without SHRS: CDA Inevit.). This category involves an initia-tor which directly or indirectly causes core damage.
The accident initiator or fault is successfuly detected and initiates successful SCRAM and Pump Trip but the SHRS is unavailable. As a result, decay heat will not be adequately removed and core disruption via melt is inevitable. The timing to whole-core disruption obvi-ously will depend on the actual accident scenario and ,
extent of core damage involved; it can occur either at an early ( E, ~ minutes to an hour) or intermediate (I, >
an hour or ~several to tens of hours) time.
- b. Protected Rupture of the Primary Boundary without SHRS:
CDA Inevitable (PRPB without SHRS: CDA Inevit.). This initiating protected accident category involves an ini-tiator which directly or indirectly results in a loss B-10
of primary boundary integrity. The rupture of the primary boundary not only has important implications to the subs equent Containment Analysis, but also may affect the actual accident progression. For example, if both the reactor vessel and guard vessel fail but SCRAM succeeds, the core can become uncovered and dis-ruption via melt will occur in a relatively short period ;
- of time. Regardless of the impact of the primary bound- I ary rupture in a "PRPB without SHRS: CDA Inevit."
accident, core melt is inevitable, i.e., it is only a matter of time, and the primary boundary rupture may also act to hasten the process of core disruption.
- c. Damaged Core and Protected Rupture of the Primary Bound-ary without SHRS: CDA Inevitable (DC & PRPB without SHRS: CDA Inevit.). This initiating protected accident category is a combination of (a) and (b) above, since it involves an initiator which either directly or indirectly results in both core damage and a loss of primary bound-ary integrity. These ef fects can, of course, impact the progression of the accident but since the SHRS is unavail-able, a f ter success ful SCRAM, core disruption via melt is inevitable, nevertheless, but they may also tend to hasten core disruption.
- d. Protected Transient or Failure without SHRS: CDA Inevitable (PT/F without SHRS: CDA Inevit.). This _
initiating protected accident category encompasses acci-dent initiators which do not result in core damage and/or loss of primary boundary integrity (as in-(a), (b), and (c) above) but, nevertheless, will lead to eventual core nelt because the SHRS is unavailable after successful SCRAM. There is no need to include the actual accident initiator or fault which called for a protective response within this category because it is of no consequence and was ef fectively mitigated by successful SCRAM. Hence the use of the non-descript " transient or failure" namencla-ture in this accident category. The initiating failure, however, may be in part responsible for the SHRS being unavailable. Therefore, for quantification, the specific e accident initiator must be considered. This is, obvi-ously, also true for categories (a), (b), and (c) above.
- 2. CDA Possible Init19 ting Protected Accidents. This classification includes several spect#ic initiating protected accident categories in which core disruption via ac1* is a pos-sibility (i.e., a CDA may occur) after successful SCRAM even though the SHRS is available if: forced flow is not and natural circulation proves to be inadequate, and/provided or core damage is involved which could preclude core coolability. Since B-ll
l phenomenological analysis is required to determine whether core disruption via melt ultimately results or not, and to determine
- the accident progression and final outcome in time if core dis-ruption is indicated, the initiating protected accident catego-ries indentified and discussed below are only interim assign-ments which provide a starting point for the phenomenological analysis where they will ultimately be recategorized and further delineated to their respective logical and resolved conclusions. *
, Six specific initiating protected accident categories fall into this classification and each is discussed individually below: ,
l
- a. Damaged Core: CDA Possible (DC: CDA Poss.). In this initiating protected accident category, the accident initiator results in core damage either directly or indirectly. The initiator or fault is successfully detected and initiates successful SCRAM and Pump Trip.
Subsequently, the SHRS is available with Forced Flow but core disruption via melt is still a possibility since core damage was sustained and this core damage could preclude core coolability. Obviously, the extent of core damage will determine whether the core is coolable or not, but this is a phenomenological question requiring further analysis. The subsequent phenomenological analysis of this accident category will result in a recategorization of the accident as either "CSA: No Release." or "DC: CDA Inevit."
Further, if the latter is indicated, the phenomen-ological analysis will go on to determine the timing to whole-core disruption and the final plant damage which was sustained.
- b. Damaged Core without Forced Flow: CDA Possible (DC without Forced Flow- CDA Poss.). This initiating protected accident category is similar to that in (a) above, except that, in addition to the initiator either directly or indirectly resulting in core dam-age which might preclude core coolability, Forced Flow also is not provided, and natural circulation could prove inadequate - not only in and of itself but in conjunction with the actual core damage involved.
- c. Damaged Core and Protected Rupture of the Primary Bounda ry : CDA Possible (DC & PRPB: CDA Poss.).
- j~
This initiating protected accident category is very similar to that in a) above, except that the initiator directly or indirectly causes both core damage and pri-mary boundary rupture. The fact that the primary bound-ary is ruptured is of no consequence (except to con-tainment) since the SHRS is, nevertheless, available
' with forced flow. There fore , the PHTS rupture must not be very severe. The important consideration in the sub-sequent phenomenological analysis (to determine if core B-12 l
disruption results or cold shutdown with a release possible is achieved) is the extent of core damage -
specifically, "Is the core in a coolable configura-tion with Forced Flow operating in an available SHRS?"
Significant damage, obviously, must be involved here and in (a) above to preclude core coolability under Forced Flow conditions, certainly the amount of core e damage must be greater here and in (a) above than in (b) above for the core to be non-coolable and an CDA to occur. Similarly, if the core proves to be non-
- coolable here and in (a) above, core disruption would proceed in a relatively short period of time, while that may or may not be the case for (b) above.
- d. Damaged Core and Protected Rupture of the Primary Boundary without Forced Flow: CDA Possible (DC & PRPB without Forced Flow: CDA Poss.). In this initiat-ing protected accident category, the initiator either directly or indirectly results in both core damage and rupture of the primary boundary. The initiator or fault is success fully detected, SCRAM occurs, the pri-mary pumps are either tripped or coasted-down eventu-ally, and the SHRS is available. However, Forced Flow is not provided, leaving only natural circulation for decay heat removal from the damaged core and transport to an ultimate heat sink. Since the SHRS is available here, the rupture of the primary boundary is obviously not severe and of very little initial consequencc (except to containment), unless natural circulM ion proves to be inadequate - in which case the primary boundary rupture could affect the accident progression to some extent. The two effects which will ultimately determine whether the core is coolable or not include:
the extent of core damage in conjunction with the ade-quacy of natural circulation flow. These are the exact same concerns involved in (b) above, and require phe-nomenological analysis for resolution.
- e. Protected Rupture of the Primary ' Boundary without Forced Flow: CDA Possible (PRPB without Forced Flow: CDA Poss.). This initiating protected accident category is similar to that in (d) above, except that no core damage beyond the design basis is involved. It will become evi-dent after reading (f) below, that' (e) and (f) are very similar. The fact that the primary boundary is ruptured here is of little or no consequence (except to contain-ment since the SHRS is available) unless natural circu-lation proves to be inadequate and core melt then becomes inevitable. Notice here that the SHRS is available. This means that the primary boundary rupture is not very sev-ere, i.e., the core and reactor vessel outlet nozzles B-13
_ . . ~ . -.
a must be covered with sodium for the SHRS to be available.
The phenomenological analysis that is required of this
- particular category must focus on the . adequacy of natural circulation flow, since this is the governing question which will determine whether core disruption via melt ultimately occurs, or cold shutdown with a release'pos-sible is achieved.
4
- f. Protected Transient or Failure without. Forced Flow:
CDA Possible (PT/F-without Forced Flow: CDA Poss.). *
- This initiating protected accident category does not involve either core danage or primary boundary rupture.
As a result, the initiator or fault is of no consequence
, and need not be specified in a strictly qualitative delin-eation. However, since forced flow is not provided after successful SCRAM, core disruption via melt is still a possibility if natural circulation in the available SHRS proves to be inadequate. The phenomenological analysis
- of this category, therefore, needs only to determine the adequacy or inadequacy of natural circulation flow in transporting heat to the ultimate heat sink for an essentially intact plant.
He now have a complete list of LMFBR initiating accident categories for subsequent analysis in the Accident Phenomenology and/or Containment Areas. - As a summary, Table B.1 lists all 26 i of the LMFBR initiating accident categories' identified as being possible for CRBRP in this report.
i s
0
]
B-14
--p-, y,-g. -y e-+. ve y --
9oy q -
e n * +
Table B.1 - Spectrum of Possible IhtFBR Initiating Accident Categories As Identified and Labeled in This Study Major Accident Accident Subclass Classification (If Appropriate) Initiating Accident Category Nominal Events -
CSA: No Release AFNS CSA: Release Possible j Unprotected Accidents (UT/F) -
ULOF ULOF - Two Pumps UTOP USTEP UTOP/USTEP URPB UCF g
ULOHS J, Combined Unprotected Q Accidents (UT/F and ULOF) UTOP and ULOF
? USTEP and ULOF y (frOP/USTEP-and ULOF URPB and ULOF j UCF and ULOF Protected Accidents (PT/F) CDA Inevitable PT/Fs DC without SHRS: CDA Inevitable PRPB without SHRS: CDA Inevitable DC and PRPB without SHRS:
CDA Inevitable PT/F without SHRS: CDA Inevitable CDA Possible PT/Fs DC: CDA Possible DC without Forced Flow: CDA Possible DC and PRPB without Forced Flow:
CDA Poss.
PRPB without Forced Flow: CDA Possible l
PT/F without Forced Flow: CDA Possible
. DC and PRPB: CDA Possible Total No. = 3 Classes Total No. = 3 Subclasses Total No. = 26 Categories
Appe nd ix C Sensor Systems for the Detection ESS Function
{
Primary Logic Subsystems of the Primary Detection System (See Table C.1) o
- 1. Iligh Flux - This subsystem utilizes compensated ion
' chambers on the guard vessel wall to measure the radiation flux a nd initiate reactor trip for positive reactivity insertions at or near full power. The intent is to protect against sustained operation with the fuel near incipient centerline melting. The worst case estimated trip point is 115 percent of full power with an estimated maximum subsystem response time of 50 ms.
This subsystem is never bypassed.
- 2. Flux - Pressure - This subsystem initiates reactor trip for positive reactivity excursions or for reductions in the pri-mary flow. The compensated ion chambers used in subsystem 1 are used. Two pressure sensors are provided in each channel, one as an installed spare. The square root of the pressure signal is proportional to the coolant flow rate in the core and is compared to the radiation flux. This system is never bypassed.
- 3. Positive Flux to Delayed Flux - This subsystem also utilizes the compensated ion chambers used with the High Flux Subsystem to initiate reactor trip for rapid sustained positive (increasing) reactivity insertions. It is intended to protect against severe thermal transients. The radiation flux signal is compa red to the nominal load level as measured - by pump speed and with the output of a delayed flux signal. The trip point is dependent on the initial power level, rate of power change and magnitude of power change. This subsystem is never bypassed.
- 4. Negative Flux to Delayed Flux - This subsystem is the same as the Positive Flux to Delayed Flux except that it protects against negative (decreasing) reactivity. insertions. The same compensated ion chambers are used as in subsystems 1, 2 and 3.
2 This system is never bypassed.
- 5. Primary Pump Electrics - This subsysten provides pro-tection for loss of power to one or more of the primary- pumps.
There are three subsystems, one for each of the pumps. Each subsysten uses three undervoltage relays, one for each phase.
If two of the three relays in any one pump are tripped, the reactor is tripped. These subsystems must be bypassed in order to start the reactor; the permissive signal used is the radia-tion flux. If the flux is below 10 percent of the full power flux, these subsystems can be bypassed manually. For two loop operation, a nanual bypass can be instated.
C-1
Table C.1 - Primary Detection System Protective Subsystems Protective Subsystem Measured Parameters
- 1. High Flux Reactor Power 6
- 2. Flux To (Pressure)l/2 Reactor Power Primary Cold Leg Pressure ,
- 3. Positive Flux To Delayed Reactor Power Flux
- 4. Negative Flux To Delayed Reactor Power Flux
- 5. HTS Pump Electrics
- Pump Bus Voltage
- 6. Primary To Intermediate
- Primary Pump Speed Speed Mismatch Intermediate Pump Speed
- 7. Reactor Vessel Level Sodium Level
- 8. Steam To Feedwater* Superheater Steam Flow Mismatch Feedwater Flow
- 9. IHX Primary Outlet
- Primary Cold Leg Sodium Temperature Temperature
- Three Subsystems - One per Loop
- 6. Primary-Intermediate Speed Ratio _These subsystems (one-loop) initiate reactor trip for imbalances in the heat transfer capability between the primary and intermediate cool-ant circuits within the sane loop. The primary and inte rmediate i
signals from tachometers are normalized and subtracted. The (
absolute value of the difference is compared with a fixed bias and a linear ratio of the primary pump speed to determine trip
- initiation. These subsystems must be bypassed to start the i
plant. The permissive signal is the radiation flux. For less than 10 percent full power, the subsystem can be bypassed manu-ally. For two loop operation, no additional permissives are required. The bypass for the shutdown loop is automatically removed as power is increased.
- C-2
. . ~ _ _
4
- 7. Reactor Vessel Level - This subsystem prevents reactor operation unless the sodium level in the vessel is at least 6 inches above the suppressor plate. An inductive probe is used to sense the sodium level. This subsystem is never bypassed.
- 8. Steam-to-Peedwater Mismatch - These subsystems trip _ the reactor for large imbalances between the steam and feedwater- flow
- in any loop. The subsystems are designed to prevent large thermal transients to the steam drums and generators. Venturi meters with pressure dif ferential sensors are used to measure steam and feed-water flows. A permissive bypass may be used for nuclear power less than 10 percent.
i 9. Intermediate Heat Exchanger (IHX) Primary Outlet Temperature - This system initiates reactor trip if the sodium temperature, measured with a Cr-Al thermocouple, in the primary cold leg of any IHX exceeds a setpoint. These subsystems are never bypassed.
Primary Logic Subsystems of the Secondary Detection System (See Table C.2)
- 1. Flux-Total Flow - This subsystem uses three fission counters mounted on the guard vessel and magnet flow meters to protect against increasing or decreasing flow or power in the 40-100 percent load range of the reactor. The flux level signal from the fission counters is subtracted from the sum of the pri-mary flow ir the three loops and the difference is compared to a setpoint. If the dif ference exceeds the setpoint, the reactor is tripped. This subsystem is never bypassed.
2,3. Modified Nuclear - Positive / Negative - These subsystems also use the fission counters to initiate reactor trip for rapid sustained reactivity insertions, positive or negative. The system should protect against undesired thermal transients due to rapid changes in power with constant flow. These subsystems are never bypassed.
- 4. Primary-to-Intermediate Flow Ratio - These subsystems ~
(one per loop) use magnetic flowmeters in the primary and inter-a mediate heat transfer loops to detect imbalances in the coolant flow rates. The primary and inte rmed ia te flow rates are . normal-ized and ~ subtracted and if the difference exceeds a set point the reactor is tripped. These subsystems can be manually bypassed during reactor startup. The permissive signal is based on reactor power. If the reactor power is less than 10 percent, the sub-systems can be manually bypassed.
I
- 5. Steam Drum Level - These subsystems (three per loop) measure steam drum f eedwater level with a pressure dif ferential
- sensor and trip the reactor if the level is outside a preset rang e . These subsystems are never bypassed.
C-3
Table C.2 - Secondary Detection System Protective Subsystems Protective Subsystem Measured-Parameters
- 1. Flux To Flow Reactor Power Primary Sodium Flow
- 2. Positive Modified Nuclear Rate Reactor Power , ,
- 3. Negative Modified Nuclear Rate Reactor Power Primary Sodium Flow
- 4. Primary To Intermediate Flow
- 5. Steam Drum Level
- Steam Drum Water Level
- 6. Evaporator Outlet Sodium
- Intermediate Cold Leg Sodium Temperature
- 7. Startup Nuclear Reactor Power
- 8. Sodium Water Reaction
- Sodium Dunp Line Pressure
- 9. Loss of Condenser Condenser vacuun
- Three Subsystems - One per Loop
- 6. Evaporator Outlet Sodium - These subsystems (three per loop) measure the outlet temperature of the sodium at .the evapor-ator with Cr-Al thermocouples and trip the reactor if the temper-ature is above a predetermined level. These_ subsystems are never bypassed.
j 7. Startup Nuclear - This subsystem uses the fission detec-s'
~
l tor in the guard vessel to trip the reactor in case of positive
- reactivity insertion during startup. The subsystem may be manu-dlly bypassed upon " verification" of the operation of the ion ,
chambers of the Primary Shutdown System.
j 8. Sodium Water Reaction - These subsystems (one per loop) i are intended to protect against sodium - H 20. leaks in the super-heaters or evaporators by detecting Na-H 2O reaction products.
These subsystems are never bypassed and are part of the-SWRPRS.
i l
C-4 t
- 9. Condenser Vacuum - This subsystem measures condenser vacuum with a pressure sensor and trips the reactor if the con-denser is unable to accept steam flow. The reactor is tripped if the pressure measurement exceeds a set point. A permissive module allows manual bypass of the subsystem if nuclear power is less than 10 percent.
l I o
C-5/c-6
References
- 1. WASH-1400, APP. II, " Reactor Safety Study," August 1974.
- 2. CRBRP-1, "CRBRP Safety Study - An Assessment of Accident Risk from CRBRP," March 1977.
6
- 3. SAND 80-1267, "LMFBR Accident Delinuation Study - Phase I Final Report," December 1980.
- 4. SAND 81-0260, " Quantified Fault Tree Models for the Clinch River Breeder Reactor Engineered Safety Systems,"
May 1981.
- 5. SAND 77-2051, "A SETS User's Manual for the Fault Tree Analyst," November 1978.
- 6. SAND 77-1832, " Common Cause Analysis Using SETS," December 1977.
- 7. WARD-D-0118, App. 9.2, " Reliability Assessment of CRBRP Reactor Sh*2tdown System," Rev. 1, November 1975.
- 8. GE-NEDM-14082, " Update of the Preliminary Reliability Prediction for CRBRP SHRS," January 1976.
- 9. CRBRP PSAR, CRBRP Preliminary Safety Analysis Report, April 1975.
- 10. Lewis, E. E., Nuclear Power Reactor Safety, " Seismic Reponse of Nuclear Plants," pp. 505-515,.Wiley, 1977.
- 11. GEFR-14023, " Risk Analysis Methods Development," April 1980.
l l e o
i R-1 i
f-Distribution:
U. S. NRC Distribution Contractor (CDSI) (380 copies for R7) 7300 Pearl Street Bethesda, MD 20014
, U. S. Nuclear Regulatory Commission (13)
Division of Reactor Safety Research Office of Nuclear Regulatory Research t Washington, DC 20555 Attn: C. N. Kelber, Assistant Director, Advanced Safety Technology Research R. T. Curtis, Chief (10)
Analytical Advanced Safety Technology Research M. Silberberg, Chief Experimental Advanced Safety Technology Research R. W. Wright Experimental Advanced Safety Technology Research U. S. Department of Energy Office of Nuclear Safety Coordination Washington, DC 20545 Attn: R. W. Barbert U. S. Department of Energy (2)
Albuquerque Operations Office P. O. Box 5400 Albuquerque, NM 87185 Attn: J. R. Roeder, Director Operational Safety Division D. L. Krenz, Director Energy Research and Technology Division For: C. B. Quinn D. R. Denham T. Ginsberg Department of Nuclear Energy 1 Bldg. 820 Brookhaven National Laboratory g Upton, NY 11973 U. S. Department of Energy ,
O Clinch River Breeder Reactor Project Office P.O. Box U Oak Ridge, TN 37830 l
Dist-1
l
, Distribution (continued)
Advanced Reactor Systems Department (2)
General Electrical Corporation 310 De Guigne Drive l Sunnyvale, CA 94086 Attn: W. W. Phelan, Manager a Licensing and Safety Systems P. Greebler, Manager Reliability and Safety Engineering i Captain Joseph A. Sholtis, Jr. , USAF Defense Nuclear Agency Armed Forces Radiobiology Research i Institute /SSRS Bethesda, MD 20014 U. S. Nuclear Regulatory Commision l Washington, DC 20555 Attn Gary R. Burdick Reactor Risk Branch .
MS ll30SS Bill M. Morris Program Director Clinch River Breeder Reactor MS AR5003 4000 A. Narath 4400 A. W. Snyder 4410 D. J. McCloskey 4412 J. W. Ilickman 4414 G. B. Varnado 4420 J. V. Walker 4420 D. Soblick 4421 R. L. Coats 4422 D. A. Powers 4423 P. S. Pickard
- 4424 M. J . Clauser E. R. Copus (20)
~
4424 4424 P. J. McDaniel g.
4424 F. W. Sciacca 4424 D. C. Williams 4425 W. J. Camp 4 4426 G. L. Cano 4440 G. R. Otey 8214 M. A. Pound 3141 L. J. Erickson (5) 3151 W. L. Garner (3)
For DOE / TIC (Unlimited Release) 3154~-3 C. H. Dalin'(25)
For: NRC Distribution to NTIS Dist-2
- u.s, GOVE RNME NT PRINTING O FFIC Es 1982-0-576-021/550
Org U!;!; fa,* Hoc.'d t >v Org L' hit Nome Rec'd by g.
I }
J I ! ! !
! I l _ .
. . _ _ - ~ _ + .. . _
t i
...__..___..___.......__.__._._.._.p._-_. .__._9 , _ . _ . _ _ _ _ p t
I
.h_______...._.__..__._____.____.__-.._._____ ___ _. _.._..__ ,__
l
}/%* /4 // .
1 . )
- i. /
! l '> , (
f s
'A ,1 l '/ i i i1
- s l [r y ,,l g j( '!{, 'A ,J f
..... t. ,. , .,
! ! 1 <* '1.
- j ,g, , , . i .- 7< u >- ws
.}.- - , _ __ -._ - - - _ _ t-_ __
i
! i
_____u-_. _ _ _ _ _ _ _ . . . . _ . . _ . _ . _ . _ . . . _ . _ _ ..____ _ _ _ _ _ _
I 4
~ . - . . _ - . - _ . _ _ _ _ _ . _
l i
i
---.7-_-_.
I i l _ _. ..._.___i I
I l !
( ._
__2 l
r a
h Sandia National Labor