ML20059K054

Discusses Results from Research Conducted at Oak Ridge National Laboratory to Examine Potential System Failures in the CANDU 3 Design During Normal Reactor Operation and Postulated Accidents, Including Those That Result in Core Damage
Person / Time
Issue date: 10/22/1993
From: Beckjord E
NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
To: Murley T
Office of Nuclear Reactor Regulation
References
NUDOCS 9311150163
Download: ML20059K054 (12)


Text


MEMORANDUM FOR: Thomas E. Murley, Director, Office of Nuclear Reactor Regulation

FROM: Eric S. Beckjord, Director, Office of Nuclear Regulatory Research

SUBJECT: RESEARCH INFORMATION LETTER NO. 172, "SYSTEMS ANALYSIS OF THE CANDU 3 REACTOR"

Four significant research products supporting the CANDU 3 preapplication review are being provided to NRR by RES. One, a summary of Canadian regulation of CANDU reactors, was transmitted to Mr. Crutchfield on July 19.

Two others are not yet complete. One of those will provide an assessment of the data bases and models associated with Thermal Hydraulic and Severe Accident performance, identifying deficiencies that may have to be addressed for CANDU 3.

The other will describe our analyses of the power excursion caused by positive void reactivity associated with the large-break LOCA without scram.

This memorandum describes results from research conducted at the Oak Ridge National Laboratory to examine potential systems failures in the CANDU 3 design during normal reactor operation and postulated accidents including those that result in core damage.

The purpose of this work was to classify event sequences, plant systems, and operator actions in a way that would assist the NRC with its preapplication review for design certification. The results have recently been documented in NUREG/CR-6065.

Regulatory Issue

For safety evaluation purposes, the NRC usually classifies event sequences as Anticipated Operational Occurrences and Postulated Accidents.

Events in each classification are then held to different requirements during the NRC's review. Because the CANDU 3 design is significantly different from any U.S. reactor that has been licensed, the customary sequences evaluated for LWRs are not all applicable or appropriate for CANDU 3.

Selection of appropriate event sequences that will establish the design basis for CANDU 3 has thus been identified as a key policy issue in SECY-93-092.

Recognizing the importance of this issue, RES initiated a project on this subject two years before that SECY was issued, and results are now available.

The main purpose of this project was to systematically, and independently, screen possible scenarios for the CANDU 3 design and identify candidate event sequences for the safety analysis.

Important safety systems and key operator actions also enter into a review; therefore, the ORNL study included the identification of systems significant to safety and significant operator actions.

Contact: Ralph O. Meyer, 492-3732

Method

The research products desired were typical of those from a Probabilistic Risk Assessment (PRA), but sufficient design detail and resources were not available to support a full PRA. Therefore, the plant assessment process used adaptations of PRA techniques that included fault trees and event trees, with modifications and special definitions to simplify the process.

A team of experts with broad experience started by identifying a long list of possible initiating events (approximately 50) and their estimated frequencies of occurrence.

Frequencies for those initiators are fairly well known and were obtained largely from a prominent PRA procedures guide (NUREG/CR-2815, Rev.1) and the CANDU 3 Conceptual Probabilistic Safety Assessment. A small number of representative initiating events was then selected for analysis, and event trees were constructed.

The focus of this effort was on systems behavior during power operation; therefore, low-power or zero-power operations were not examined, and event trees were not analyzed for fuel handling sequences.

Rather than solving the event trees quantitatively, however, a new method was employed to obtain the desired event sequence classification without a mathematical solution.[2] This method depends on event-category definitions that were developed by the RES staff for the purpose of this study. The complete definitions are given in Figure 1, and the categories were intended to be equivalent to those defined in the draft PSERs for PRISM and MHTGR (NUREG-1368 and NUREG-1338):

EC-I   Event sequences that would be expected to occur one or more times during the life of a plant.

EC-II  Event sequences that would be expected to occur once over the lifetime of a population of reactors.

EC-III Less likely event sequences that would be analyzed for source terms and containment challenges.

EC-IV  Extremely unlikely event sequences which nevertheless may have potential consequences that merit their consideration in the design.

[2] Quantitative solution of the event trees was, in fact, performed using assumed frequencies for subsequent branch points. Those results are presented in an appendix to the ORNL report, but they were not used in obtaining project results because the intermediate frequencies are not considered reliable.


Unlike the definitions in those draft PSERs, the definitions used in this study do not depend on the overall probability of the event sequence, which is the product of the individual probabilities of all the events in the sequence. Instead, the definitions depend only on one probability, that of the initiating event, and on the number and type of subsequent failures in the sequence.
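The classification rule described above (and drawn out in Figure 1 below) can be written down as a short procedure. The following Python is an added worked example, not code from the ORNL study, NUREG/CR-6065, or this memorandum: it walks the three sheets of Figure 1 by initiator frequency, counts subsequent failures by the Figure 1 notes, and returns the event category and bin. Only the Sheet 1 threshold (10^-2 per reactor-year) is legible in the figure as reproduced on this page; the Sheet 2 and Sheet 3 thresholds in the code, and the initiator frequencies used to check the Table 2 examples, are assumed values chosen only to place each initiator on the sheet its reported category implies.

```python
"""Classifier for the Figure 1 event-sequence logic (added example).

Not code from the ORNL study or NUREG/CR-6065. Only the Sheet 1 threshold
(10^-2 per reactor-year) is legible in Figure 1; the Sheet 2 and Sheet 3
thresholds below are ASSUMED placeholders, and the initiator frequencies in
TABLE2_EXAMPLES are ASSUMED values that place each initiator on the sheet
its reported Table 2 category implies.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

FIGURE1_SHEET1_THRESHOLD = 1e-2   # legible on Sheet 1
ASSUMED_SHEET2_THRESHOLD = 1e-4   # placeholder: exponent illegible in the source
ASSUMED_SHEET3_THRESHOLD = 1e-7   # placeholder: only partly legible in the source
DEFAULT_THRESHOLDS = (FIGURE1_SHEET1_THRESHOLD, ASSUMED_SHEET2_THRESHOLD, ASSUMED_SHEET3_THRESHOLD)

# (event category, bin) by sheet and failure level, transcribed from Figure 1.
CLASSIFICATION = {
    1: {"none": ("EC-I", "A"), "single": ("EC-I", "B"),
        "double": ("EC-III", "C"), "triple": ("EC-IV", "D")},
    2: {"none": ("EC-II", "E"), "single": ("EC-II", "F"),
        "double": ("EC-III", "G"), "triple": ("EC-IV", "H")},
    3: {"none": ("EC-III", "I"), "single": ("EC-III", "J"),
        "double": ("EC-IV", "K"), "triple": ("EC-IV", "L")},
}


@dataclass(frozen=True)
class EventSequence:
    initiator: str
    frequency: float             # initiating-event frequency per reactor-year
    system_failures: int = 0     # whole-system failures after the initiator
    component_failures: int = 0  # single-component failures after the initiator
    operator_errors: int = 0     # operator errors after the initiator


def failure_level(seq: EventSequence) -> str:
    """Count failures by the Figure 1 notes: single is one component failure
    or one operator error; double is one system failure, two component
    failures, two operator errors, or one component failure plus one operator
    error; triple is anything that exceeds the double criteria."""
    minor = seq.component_failures + seq.operator_errors
    if seq.system_failures == 0 and minor == 0:
        return "none"
    if seq.system_failures == 0 and minor == 1:
        return "single"
    if (seq.system_failures == 1 and minor == 0) or (seq.system_failures == 0 and minor == 2):
        return "double"
    return "triple"


def select_sheet(frequency: float, thresholds: Sequence[float] = DEFAULT_THRESHOLDS) -> Optional[int]:
    """Walk Sheets 1 to 3; the first threshold the frequency meets selects the
    sheet. Below the Sheet 3 threshold the diagram's branch is illegible in the
    source, so None is returned instead of a category."""
    for sheet, threshold in enumerate(thresholds, start=1):
        if frequency >= threshold:
            return sheet
    return None


def classify(seq: EventSequence,
             thresholds: Sequence[float] = DEFAULT_THRESHOLDS) -> Optional[Tuple[str, str]]:
    """Return (event category, bin), or None if the sequence leaves the diagram."""
    sheet = select_sheet(seq.frequency, thresholds)
    if sheet is None:
        return None
    return CLASSIFICATION[sheet][failure_level(seq)]


# Sequences from Table 2 and the Findings, paired with the category the memo
# reports. Frequencies are ASSUMED (see module docstring).
TABLE2_EXAMPLES: List[Tuple[EventSequence, str]] = [
    (EventSequence("Loss of Class-IV Power", 1e-1), "EC-I"),
    # failure of two atmospheric steam discharge valves: two component failures
    (EventSequence("Loss of Class-IV Power", 1e-1, component_failures=2), "EC-III"),
    # diesel generators fail to start and bleed condenser fails: two system failures
    (EventSequence("Loss of Class-IV Power", 1e-1, system_failures=2), "EC-IV"),
    (EventSequence("Feeder Tube Header Break", 1e-3), "EC-II"),
    # one of four heat transport pumps fails: one component failure
    (EventSequence("Feeder Tube Header Break", 1e-3, component_failures=1), "EC-II"),
    # SDS1 and SDS2 both fail (LOCA without scram): two system failures
    (EventSequence("Feeder Tube Header Break", 1e-3, system_failures=2), "EC-IV"),
    # crash cooling system fails: one system failure
    (EventSequence("Feeder Tube Break", 1e-3, system_failures=1), "EC-III"),
]


def table2_mismatches(thresholds: Sequence[float] = DEFAULT_THRESHOLDS):
    """Return the examples whose computed category differs from the memo's."""
    out = []
    for seq, expected in TABLE2_EXAMPLES:
        result = classify(seq, thresholds)
        if result is None or result[0] != expected:
            out.append((seq, expected, result))
    return out


if __name__ == "__main__":
    for seq, expected in TABLE2_EXAMPLES:
        print(f"{seq.initiator:25s} sys={seq.system_failures} comp={seq.component_failures} "
              f"op={seq.operator_errors} -> {classify(seq)} (memo: {expected})")
    print("mismatches:", table2_mismatches())
```

Run as a script, it classifies the Table 2 and Findings sequences and compares them with the categories the memo reports. Note how the rule behaves: two whole-system failures count as a triple failure on every sheet and therefore land in EC-IV regardless of initiator frequency, which is exactly the mechanism behind the finding that no EC-III sequence reached CC-3.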

It should be noted that Anticipated Operational Occurrences and Postulated Accidents, as defined for LWR licensing, are analogous to EC-Is and EC-IIs.

Severe accidents, which are considered for LWRs in risk assessment, source term analysis, and selected areas of the design (e.g., hydrogen accommodation), constitute a category of scenarios that is similar to EC-IIIs.

Sequences in the EC-IV category are thought of as contributing to the residual risk of the plant.

This study also provided an indication of potential consequences by associating a consequence category, which is a measure of core damage, with each scenario.

The consequence categories (CCs) are used only as rough estimates, and they have also been defined to correspond with past licensing practice:

CC-1 No significant fuel cladding damage and no fission product release from the fuel.

CC-2 Moderate fuel cladding damage with release of some volatile fission products from the fuel (the fuel rod gap inventory), but coolable geometry of the fuel bundles is maintained.

CC-3 Extensive core damage with large release of fission products from the fuel and potential relocation of core debris.

Findings

Based on the large number of initiating events considered, eight event trees were analyzed and these are identified in Table 1.

Six of these trees were for true initiating events that were representative of many others. One, the so-called SCRAM event, was not an initiating event per se, but several types of initiating events (see table) led directly to a SCRAM and then followed the SCRAM event tree.

The " Failure to Shutdown Event," sometimes referred to as a transfer sequence, was also not an initiating event, but was a sequence that could be entered from many of the other events.

It should be noted that a large-break LOCA without scram was an event sequence considered in this study. That sequence proceeds directly to extensive core damage without involving other sequence pathways.

Therefore, a separate event tree was not needed to investigate that scenario.


From the eight event trees, substantial numbers of EC-I, EC-II, EC-III, and EC-IV sequences were identified, utilizing the definitions provided for this purpose. These sequences were associated with their expected core damage (CC-1, CC-2, and CC-3), and they are tabulated in NUREG/CR-6065.

Examples of these sequences are given in Table 2.

As expected, all EC-I sequences are believed to terminate in consequence category CC-1; that is, all frequently occurring events are expected to take place with no fuel damage and no fission product release.

Only two of the EC-II sequences ended in consequence category CC-2 (moderate fuel damage); all of the other EC-II sequences ended in category CC-1.

The two sequences that are expected to cause moderate fuel damage resulted from the same initiator, a feeder-tube header break. One had no further failures, and the other had the subsequent failure of one of four heat transport system pumps. All of the other sequences initiated by a feeder-tube header break were classified as less likely EC-III or EC-IV sequences.

Surprisingly, none of the EC-III sequences (" severe accidents") resulted in extensive core damage (CC-3). This is largely the result of the fact that CANDU 3 has two independent shutdown systems and two effective cooling systems (ECCS and the moderator system) such that the failure of two or more whole systems must occur to get serious core damage. The failure of two or more independent systems results in those sequences being classified as EC-IV (residual risk) sequences according to the definitions used for this study.

For example, a feeder-tube header break with failure to shutdown (LOCA without SCRAM), which is of interest because of the positive-void characteristic of CANDU 3, was classified as an EC-IV sequence.

Systems that are significant to safety were also identified in this study.

AECL divides reactor systems into two groups: Group-1 systems are those that contribute to normal power production while Group-2 systems can perform all safety-related functions even if Group-1 systems are disabled.

In our study, all Group-2 systems were designated as significant to safety.

Group-1 systems could also be identified as significant to safety if they were required for successful termination of a sequence, if they were not backed up by a Group-2 system, and if they prevented damage from escalating above CC-1 and CC-2 (no or moderate fuel damage).

Systems found to be significant to safety according to this definition are given in Table 3.

Important support systems were also identified, and those are described in NUREG/CR-6065.

Some branch points in the event trees required specific operator actions to achieve successful termination of an accident.

These were identified as significant operator actions and are listed in Table 4.

It can be seen from the failure analyses performed in this study that CANDU 3 includes many active systems. The existence of redundant active systems leads to an apparent high level of safety, but confidence will have to be developed that those systems perform their intended function within the available time.


Regulatory Application

Prior to the submittal of a safety analysis for design certification, the applicant and the NRC will have to agree on which event sequences will be analyzed for CANDU 3. This will be difficult as a practical matter because the traditional transients and accidents analyzed for LWRs will not be appropriate for CANDU 3.

This difficulty will be exacerbated in the area of severe accidents because containment requirements have not been finalized and because scenarios that challenge containment integrity may have probabilities that appear so low that requiring their analysis may be questioned.

Results from this study will provide NRR with candidate lists of event sequences that have been classified in a manner consistent with past NRC practice. These independently identified sequences will give NRR a basis for assessing the applicant's proposals for the scenarios to be analyzed for design certification.

Early attention must also be given to systems that will require seismic or environmental qualification. These systems should be identified prior to the review for final design certification so that major re-design of equipment is not required at a late date. The systems identified in this study as significant to safety will provide NRR with an independent basis for reaching conclusions on safety systems.

The need for operator actions to mitigate accidents is also a fundamental consideration.

Early decisions should be made regarding automatic versus manual actions.

Significant operator actions identified in this study will help NRR with these decisions.

The method of classifying event sequences developed for this study may itself have direct regulatory application.

It avoids reliance on compounded probability values with large uncertainties, thus eliminating objections that often arise from probability-based regulation.

It is particularly well suited for preapplication uses inasmuch as well-developed PRAs do not exist at such early times. And the method incorporates concepts that are part of our traditional licensing practice.

Eric S. Beckjord, Director
Office of Nuclear Regulatory Research

Distribution:
RES Circ/Chron
DSR Chron
RPSB R/F
ROMeyer
ROMeyer r/f
LMShotkin
TLKing
BWSheron
TSpeis
EBeckjord
a:\ril.172/ROM

Concurrence (* previously concurred):
RPSB/DSR*   ROMeyer/cle   10/1/93
RPSB/DSR*   LMShotkin     10/1/93
DD/DSR*     TLKing        10/ /93
D/DSR*      BWSheron      10/7/93
            TSpeis        10/ /93
            EBeckjord     10/ /93


Figure 1. Logic diagram for sequence classification (Sheet 1 of 3)

Begin sequence evaluation.

Is initiator frequency greater than or equal to 10^-2?
  No  -> go to Sheet 2.
  Yes -> No failures in sequence           -> Sequence Category EC-I,   Bin A
         Single failure exists in sequence -> Sequence Category EC-I,   Bin B
         Double failure exists in sequence -> Sequence Category EC-III, Bin C
         Triple failure exists in sequence -> Sequence Category EC-IV,  Bin D

Notes:
Single failure denotes one component failure or one operator error.
Double failure denotes one system failure, or two component failures, or two operator errors, or a combination of a component failure and an operator error.
Triple failure denotes multiple failures which exceed the criteria for double failure.

Figure 1. (continued) Sheet 2 of 3

Entered from Sheet 1 when the initiator frequency is below 10^-2.

Is initiator frequency greater than or equal to 10^-[exponent illegible in the source]?
  No  -> go to Sheet 3.
  Yes -> No failures in sequence           -> Sequence Category EC-II,  Bin E
         Single failure exists in sequence -> Sequence Category EC-II,  Bin F
         Double failure exists in sequence -> Sequence Category EC-III, Bin G
         Triple failure exists in sequence -> Sequence Category EC-IV,  Bin H

Notes: as on Sheet 1.

Figure 1. (continued) Sheet 3 of 3

Entered from Sheet 2 when the initiator frequency is below the Sheet 2 threshold.

Is initiator frequency greater than or equal to 10^-7?
  No  -> [branch label illegible in the source]
  Yes -> No failures in sequence           -> Sequence Category EC-III, Bin I
         Single failure exists in sequence -> Sequence Category EC-III, Bin J
         Double failure exists in sequence -> Sequence Category EC-IV,  Bin K
         Triple failure exists in sequence -> Sequence Category EC-IV,  Bin L

Notes: as on Sheet 1.


Table 1. Initiating events for event trees.

Event Tree Initiator                          Event Type
Feeder-Tube Header Break                      Large-Break LOCA
Liquid Relief Valve Failure                   Small-Break LOCA
Feeder Tube Break                             Small-Break LOCA
Loss of Power                                 Loss of Power Supplies
Feedwater Pipe Break (in reactor building)    Undercooling Event
Feedwater Pipe Break (in turbine building)    Undercooling Event
SCRAM                                         Loss of Heat Transport,
                                              Interfacing LOCA,
                                              Reactivity Transient,
                                              Overcooling Event,
                                              Loss of Moderator
Failure to Shutdown                           (transfers from other events)


Table 2. Examples of event sequences, grouped according to event categories.

Event Category   Event Sequence                                                      Consequence Category
EC-I             Liquid Relief Valve Failure                                         CC-1
EC-I             Loss of Class-IV Power                                              CC-1
EC-I             Control Rod Position Error                                          CC-1
                 (38 other EC-I sequences identified)
EC-II            Feeder Tube Header Break                                            CC-2
EC-II            Feedwater Piping Break in the Turbine Building                      CC-1
EC-II            Steam Generator Tube Failure                                        CC-1
                 (8 other EC-II sequences identified)
EC-III           Feeder Tube Break with Crash Cooling System Failure                 CC-2
EC-III           Feeder Tube Break with ECCS Low-Pressure-Injection System Failure   CC-2
EC-III           Loss of Class-IV Power with Failure of 2 Atmospheric Steam          CC-1
                 Discharge Valves
                 (120 other EC-III sequences identified)
EC-IV            Feeder Tube Header Break with Failure of Shutdown Systems SDS1      CC-3
                 and SDS2
EC-IV            Feeder Tube Header Break with Failure of ECCS High-Pressure-        CC-3
                 Injection System and Moderator Cooling System Failure
EC-IV            Loss of Class-IV Power with Failure to Start Diesel Generators      CC-3
                 and Failure of Bleed Condenser System
                 (more than 500 other EC-IV sequences identified)


Table 3. Systems classified as significant to safety.

AECL Designation   System
Group 2            Shutdown System 1
                   Shutdown System 2
                   ECCS High Pressure Injection System
                   ECCS Low Pressure Injection System
                   ECCS Recirculation System
                   Crash Cooling System
                   Group-2 Feedwater System
                   Main Steam Safety Valves
                   Liquid Relief Valves
Group 1            Bleed Condenser System
                   Shutdown Cooling System
                   Auxiliary Feedwater System
                   Moderator Cooling System
                   Steam Generator Isolation Valves
                   Emergency Diesel Generators


Table 4. Significant operator actions.

Operator Action             Affected Event
ECCS Initiation             Very Small Loss-of-Coolant Events
Refill Feedwater Tank       Events Depleting 10-hour Capacity
Initiate Shutdown Cooling   Events Needing Alternate Cooling
Isolate Steam Generators    Pipe Breaks before Check Valve
Add Liquid Poison           Failure-to-Shutdown Sequences

