Text

a Review of the Limerick Generating Station Probabilistic Risk Assessment
	ML20071E002
Person / Time
Site:	Limerick
Issue date:	02/28/1983
From:	Bari R, Fiarman S, Karol R, Lederman L, Ludewig H, Papazoglou I, Pratt W, Shiu K; BROOKHAVEN NATIONAL LABORATORY
To:	; Office of Nuclear Reactor Regulation
References
	CON-FIN-A-3393 BNL-NUREG-51600, NUREG-CR-3028, NUDOCS 8303140664
	Download: ML20071E002 (410)
	v • d • e

--

4 I

NUREG/CR-3028 BNL-NUREG-51600 4

A Review of the Limerick Generating Station Probabilistic Risk Assessment Prspared by I. A. Papazoglou, R. Karol, K. Shiu, S. Fiarman, L. Lederman, H. Ludewig, W. T. Pratt, R. A. Bari Brookhaven National Laboratory Prepared for U.S. Nuclear Regulatory Commission 1

f 1 ,

l l

i ho[knok o!00$$!2 PDR P

\

i I

NOTICE This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liability of re-sponsibility for any third party's use, or the results of such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights.

Availability of Reference Materials Cited in NRC Publications Most documents cited in NRC publications will be available from one of the following sources:

1. The NRC Public Document Room,1717 H Street, N.W.

Washington, DC 20555

2. The N RC/GPO Sales Program, U.S. Nuclear Regulatory Commission, Washington, DC 20555

3. The National Technical Information Service, Springfield, VA 22161 Aithough the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.

Referenced documents available for inspection and copying for a fee from the NRC Public Docu-ment Room include NRC correspondence and ir.ternal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigatiqn notices; Licensee Event Reports; vendor reports and correspondence; Commission papers;and applicant and licensee documents and correspondence.

The following documents in the NUREG series are available for purchase from the NRC/GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Esgulatory Guides, NRC regulations in the Code of Federal Regulations. and Nuclear Regulatory Commission issuances.

Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.

Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be catained from these libraries.

Documents such as theses, dissertations, foreign reports arid translations, and non-NRC conference proceedings are available for purchase from the organization spor % ring the publication cited.

Single copies of NRC draft reports are available free upon written request to the Division of Tech-nical information and Document Control, U S. Nuclear Regulatory Commission, Washington, DC 20555.

Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue Bethesca. Maryland and are available there for reference 1se by the pubiic. Codes and standards are usually copyrighted and may be !

nurchased from the originatir.g organization or, if they are American National Standards, from the American National Standards Institute.1430 Broadway, New York, NY 10018.

GPO Peinted copy pnce ._$9.50

l

)

NUREG/CR-3028 BNL-NUREG-51600 A Review of the Limerick Generating Station Probabilistic Risk Assessment

I I

Manuscript Completed: February 1983 Date Published: February 1983 Prepared by

1. A. Papazoglou, R. Karol, K. Shiu, S. Fiarman.

L. Lederman, H. Ludewig, W. T. Pratt, R. A. Bari Brookhaven National Laboratory Upton, NY 11973

'Pagas 5 5-63 have been deleted since they contain General Electric proprietary information.

Prepared for Division of Safety Technology Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, D.C. 20565 NRC FIN A3393 l

l

ABSTRACT A review of the Probabilistic Risk Assessment of the Limerick Gener-ating Station was conducted with the broad objective of evaluating its risks in relation to those identified in the Reactor Safety Study (WASH-1400). The review included a technical assessment of the assumptions and methods used in the Limerick study. It also included a re-evaluation of the main results within the scope and general methodological framework of the study. This in-cluded both qualitative and quantitative analyses of accident initiators, data bases, accident sequences which result in core damage, core melt phenomena, fission product behavior, and offsite consequences. Specific comparisons were made between the Limerick study, the Brookhaven review, and the WASH-1400 reactor for the core damage frequency and the average frequencies of acute and latent fatalities. The effect of uncertainties was considered throughout the review process and the uncertainty bands for the risk indices were quantified.

s t

ACKNOWLEDGEMENT The authors wish to thank their colleagues in the Department of Nuclear Energy at Brookhaven National Laboratory for many enlightening discussions and conments throughout this project.

The work was performed for the Reliability and Risk Assessment Branch (RRAB) of the U. S. Nuclear Regulatory Commission. Mr. Erulappa Chelliah of RRAB was the technical monitor of the project. The authors wish to acknowl-edge Ashok Thadani, Chief, RRAB, Franklin Cof fman, Leader, Systems Interac-tions Section RRAB, Erulappa Chelliah (RRAB), Brad Hardin (RSB), James Meyer (RSB), and Sarbeswar Acharya (AEB) for many constructive comments on the pre-liminary and the final drafts of this report.

Finally, we would like to express our appreciation to Denise Hiesell, Terri Rowland, and Nancy Nelson for an excellent job in typing this docunent several times and in a very short time period.

l t

iv

TABLE OF CONTENTS Page ABSTRACT ................................................................ iii AC KNO W L E D GM E N T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iv LIST OF FIGURES ......................................................... xi LIST OF TABLES .......................................................... xvi S U MM A R Y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x x i v

1.0 INTRODUCTION

....................................................... 1-1 1.1 Background .................................................... 1-1 1.2 Obj ect ive , Scope , an d Approa ch to Revi ew . . . . . . . . . . . . . . . . . . . . . . 1-2 1.3 Orga ni za ti on of Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4 1.4 Refe ren ces t o Se cti on 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5 2.0 PLANT MODELING ..................................................... 2-1 2.1 Safety Functi ons and Corresponding Systems . . . . . . . . . . . . . . . . . . . . 2-1 2.1.1 Safety Functi ons and Frontline Systems . . . . . . . . . . . . . . . . . 2-1 2.1.2 Success Criteria for the Frontline Systems .. . . . . . . . . . . . 2-3 2.1.2.1 Success Criteria for LOCA Initiators .......... 2-3 2.1.2.2 Success Criteria for Transient Initiators ..... 2-4 2.1.2.3 Success Criteria for ATWS Initiators .. . . . .. . . . 2-5 2.1.3 S u p p o r t Sy s t em s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 2.2 In i ti a ti n g Ev en t s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6 2.2.1 Comparison with Reactor Safety Study .................... 2-7 2.2.2 Compa ri s on wi th RSSMAP Grand Gul f . . . . . . . . . . . . . . . . . . . . . . 2-8 2.2.3 Comparison with the Big Rock Point (BRP) PRA ........... 2-8 2.2.4 Compari son with a List of Initiating Events . .. . . . . . . . . . 2-9 2.3 C on c l u s i o n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10 2.4 References to Section 2 ....................................... 2-11 3.0 ACCIDENT SEQUENCE DEFINITION ....................................... 3-1 3.1 Introduction .................................................. 3-1 3.2 Functional Event Trees ........................................ 3-2 3.2.1 BNL Revisions in the Functional Event Trees ............ 3-9 3.3 Functional Fault Trees ........................................ 3-9 3.4 Ti me- Ph a s ed E ven t T ree s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10 3.5 Sy s t em F a u l t T r e e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11 y

TABLE OF CONTENTS (Cont.)

Page 3.5.1 Summary of BNL Modifications to LGS System Fault Trees ............................................ 3-13 3.5.2 Sunmary of Differences in Assumptions Between L GS - P R A a nd R S S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1G 3.6 Hu ma n Pe r fo rma n c e An a l ys i s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-16 3.6.1 Cogn i t i ve Huma n E rro rs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17 3.6.2 Procedural Human Errors ................................ 3-17 3.7 Qual i tative Depe nde nce Analysi s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-18 3.7.1 Some Functional System Interactions Omitted From the Event Trees ................................... 3-23 3.7.1.1 The Va por Suppression Function . . . . . . . . . . . . . . . . 3-23 3.7 .1.2 The Dne rgency Coolant Function . . . . . . . . . . . . . . . . 3-23 3.7.1.3 Contai nme nt Leak age . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-23 3.8 References to Section 3 ....................................... 3-23 4.0 DATA ASSESSMENT .................................................... 4-1 4.1 Frequenci es of Initi ati ng Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1 4.1.1 Initiati ng Event Frequencies Used i n LGS-PRA . . . . .. . .. . . 4-1 4.1.2 BNL Assessment of the Initiator Frequencies . . . .. . .. .. .. 4-1 4.1.3 Los s of Of fsi te Power Ini ti ator . . . . . . . . . . . . . . . . . . . . . . . . 4-3 4.1.4 R ec ov e ry o f O f f s i te Powe r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4 4.1.5 Conclusion ............................................. 4-5 4.2 Canpo nent Un ava il a bi l i t i es . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 4.2.1 LGS Data Base .......................................... 4-5 4.2.2 BNL Eval uation and Concl u sion . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6 4.3 Huma n Erro r Probabi l i t i e s . . . . .,. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7 4.3.1 Depressurization During a Transient .................... 4-7 4.3.2 Avoidance of Depressurization During ATWS .............. 4-12 4.3.3 S umma ry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-13 4.4 References to Section 4 ....................................... 4-13 5.0 ACCIDE NT SEQUENCE QU ANT IF IC ATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1 5.1 Overview of the LGS Accident Sequence Quantification .......... 5-1 5.1.1 LGS Quantification Approach ............................ 5-1 vi

l l

TABLE OF CONTENTS (Cont.)

Page 5.1.2 Areas of Concern in the LGS-PRA Accide'nt Seque nce Oua nti fi c a ti on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4 5.2 BNL Revisions in Quantification of Accident Sequences ........ 5-6 5.2.1 Incorporation of Support System Dependences into the Accident Sequence Quanti fication . . . . . . . . . . . . . . . . . . 5-6 l 5.2.1.1 Reduced Functi onal Fault Trees . . . . . . . . . . . . . . . 5-8

5. 2.1. 2 Co r e-Damage Fa ul t Tree s . . . . . . . . . . . . . . . . . . . . . . 5-10 5.2.2 Incorporation of Additional Dependences into !

the Accident Sequence Ouanti fication' . . . . . . . . . . . . . . . . . . 5-12 5.2.2.1 Dependence Retween 0 and W Functions . . . . . . . . . 5-12 5.2.2.2 Dependence Between Q Function and MSIV Cl os ur e In i ti a to r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-16 5.2.2.3 Dependence Between U and W Functions ......... 5-17 5.2.2.4 The Va po r Suppression Functi on . . . . . . . . . . . . . . . 5-19 5.2.3 C h a n ge s t o A TWS Tr e e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21 5.2.4 Sy s t em U n av a i l ab i l i t i e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-22 5.2.5 Revised Core Damage Frequency and Dominant Accident Sequences .................................... 5-26 5.3 Uncertainty Assessment ....................................... 5-27 5.3.1 Un certai nty Analys i s i n the LGS-PR A . . . . . . . . . . . . . . . . . . 5-28 5.3.2 BNL Evaluation of Uncertainties in the Core Damage Frequency ................................. 5-29 5.4 Im po r t a n c e An a l y s i s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-32 5.5 Impact of Two Design Modi fications (COR and ATWS-3 A) . .. . . .... 5-33 5.5.1 Impact of Alternate-3A Modification to the ATWS Prevention /Mi tiga ti on System . . . . . . . . . . . . . . . . . . . . . . . . . . 5-34 5.5.2 Impact of the Containment Overpressure Relief System .. 5-35

5.5.2.1 Brid ge Tree fo r TW Sequences . . . . . . . . . . . . . . . . . 5-36 5.5.2.2 Bridge Tree for ATWS-W Sequences . . . . . . . . . . . . . 5-37 5.5.2.3 Bridge Tree for ATWS-C2 Sequences ............ 5-38 5.5.2.4 Bridge Tree for ATWS-C12 Sequences ........... 5-39 5.5.2.5 Calculated Reductions in the Frequency of Radioactive Releases Owing to the Inclusion of C0R ....................................... 5-39 vi i

TABLE OF CONTENTS (Cont.)

Page

5. 6

Re fe r e n c e s to Sect i o n 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 -4 0 APPENnIX SA: Eval uation of LGS Systemi c Event Trees . . . . . . . . . . . . . . . . . . . 5-114 APPENDIX SR: Eval uation of BNL Modi fi ed Systemic Fault Tree . . . . . . . . . . . 5-121 APPENDIX SC: Un c e rt a i n ty An al ys i s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-124 APPENDIX SD: Im po rt a n c e An al ysi s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 -128

6. 0* R I NN I NG OF ACCI DE NT SEQUE NC ES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1 6.1 De scri pti on of Limeri ck PRA Bi nni ng . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1 6.2 B N L R ev i s i o n s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 -9 6.2.1 Appropriateness of Accident Sequence Classification ... 6-9 6.2.2 Appropriateness of Containment Event Trees . . . . . . . . . .. . 6-11 6.2.2.1 Contai nment Event Tree Logic. . . . . . . . . . . . . . . . . . 6 -11 6.2.2.2 Branch Point Split Fractions - Containment Leakage ...................................... 6-19 6.2.2.3 Branch Point Split Fractions - Loss of -

Su p pre s s i o n P001. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 -21 6.2.2.4 BNL Suggested Contai nnent Event Trees . . . .. .. . 5-22 6.2.2.4.1 Class I and III Containment Tree... 6-22 ,

6.2.2.4.2 Class II and IV Containment Tree R e s u l t s . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 -2 3 6.2.2.4.3 BNL Containment Event Tree Results . 6-23 6.2.2.5 Contai nment Tree Uncertainties . . . . . . . . . . . . . . . 6-27 6.2.2.5.1 Optimi stic Ca ses . . . . . . . . . . . . . . . . . . 6-2 7 6.2.2.5.2 Pess imi sti c Ca ses . . . . . . . . . . . . . . . . . 6-28 6.2.3 Appropriateness of Rel ease Ca tegories . . . . . . . . . . . . . . . . . 6-30 6.3 C om pa ri so n wi t h R S S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 -31 6.4 S u m ma ry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 -3 3 7.0 CORE MELTDOWN MODELING AND CONTAINMENT F AILURE M0 DES. . . . . . . . . . . . . . . 7-1 ;

7.1 Desc ri pti on of Lime rick PR A An al ysi s . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 7.1.1 Con t a i nmen t Res po n s e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 -3 7.1.1.1 Class I ...................................... 7-6 7.1.1.2 ClassII.....................................7-9

Pages 5 5-63 have been deleted since they contain General Electric proprietary information, viii

TABLE OF CONTENTS (Cont.)

Page 7.1.1. 3 ClassIII....................................7-9 7.1.1.4 C l a s s I V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 -10 7.1. 2 Rel ea se Ca t ego ri e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 -10 7.1.3 Cons eq ue n ces An al ys i s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-16 7.2 Aud i t Cal cul a t i o n s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 -2 3 7.2.1 M AR CH An al y s i s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 -2 3 7.2.1.1 C l a s s I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 -2 3 7.2.1.2 C l a s s I I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 -3 2 7.2.1.3 C l a s s I I I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 -3 7 7.2.1.4 C l a s s I V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 -3 9 7.2.2 C OR R A L An a l y s i s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 -4 3 7.2.2.1 C l a s s I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 -4 6 7.2.2.2 Class II ..................................... 7-48 7.2.2.3 Class III .................................... 7-51 7.2.2.4 Class IV ..................................... 7-51 7 -5 3 7.2.3 C R A C An al y s i s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

7.2.3.1 RNL Calculatiors Using Limerick Release Fractions .................................... 7-53 7.2.3.2 BNL Calculations Using BNL Release Fractions .................................... 7-57 7.3 Ouanti ficati on of Uncertai nti e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-63 7.3.1 Appropriateness of Combining LOCAs with Transients .... 7-68 7.3.1.1 Determination of Release Fractions . . . . . . . .. .. 7-69 7.3.2 Equi pme n t Su rv i v abil i ty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-70 7.3.2.1 Cl a s s I I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 -7 0 7.3.2.2 Class IV ..................................... 7-72 7.3.3 Early Release of Core Debris into Suppression Pool .... 7-77 7.3.3.1 Determination of Rel ease Fractions . . . . . . . . . . . 7-77 7.3.3.2 Impa ct o n Ri s k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7 9 7.3.4 Impact of Acti n id e Decay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-79 7.3.5 Impact of Steam Expl osions on Ri sk . . . . . . . . . . . . . . . . . . . . 7-79 7.3.6 U n c e rt a i n ty Ba nd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 -84 ix

TABLE OF CONTENTS (Cont.)

Page 7.4 S u mm a ry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-86

7. 5 References ................................................... 7-89 8.0 ASS EMBLY OF R EStlLTS AND REASSESSMENT OF RI SK . . . . . . . . . . . . . . . . . . . . . . 8-1 8.1 Desc ription of How Ri sk i s Computed in the LGS PRA . . . . . . . . . . . 8-1 8.2 Compa ri son of LGS a nd RNL Res ul ts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 8.3 An alys i s of Un certa i nti es . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3 8.3.1 Recapi tulation of Inte rmediate Results . . . . . . . . . . . . . .). 8-3 8.3.2 li n c e r t a i n ty i n R i s k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 -4 2

8.4 Si te Sen si t i vi ty An alyse s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5 I

l l

1 i

X

LIST OF FIGURES Figure Title Page 2.1 Steam Break Inj ecti on Requi rements . . . . . . . . . . . . . . . . . . . . . . . 2-12 2.2 Liquid Break Injection Requirements ...................... 2-13 3.1 Turbi n e Tri p Transi ent Event Tree . . . . . . . . . . . . . . . . . . . . . . . . 3-24 3.2 MSIV Closure / Loss of Feedwater/ Loss of Main Condenser Tr an s i e n t Ev e n t Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2 5 3.3 Inadvertent Open Safety Relief Valve Transient Event Tree ............................................... 3-26 3.4 Man ual Sh u td own Event Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-27 3.5 Loss of Offsite Power Transient Event Tree ............... 3-28 3.6 RSS-BWR Transi ent Event Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-29 3.7 Li me ri c k La rg e LOC A Ev en t Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 0 3.8 Limeri ck Medi um LOCA Event Tree ( S )1 . . . . . . . . . . . . . . . . . . . . . . 3-31 3.9 Lime rick Smal l LOC A Event Tree (S 2) . . . . . . . . . . . . . . . . . . . . . . 3-3 2 3.10 Event Tree Diagram of Postulated ATWS Accident Sequences Foll owi ng A Turbi ne Trip Initiator . . . . . . . . . . . . . 3-33 3.11 Event Tree Diagram of Postulated ATWS Accident Sequenc'es Fol l owi ng a Turbi ne Trip Initi ator . . . . . . . . . . . . . 3-34 3.12 Event Tree Diagram of Postulated ATWS Accident Sequences Foll owi ng an MSIV Cl osure Initiator . . . . . . . . . . . . 3-35 3.13 Event Tree Diagram of Postulated ATWS Accident Sequences Foll owi ng an MSIV Cl osure Initiator . . . . . . . . . . .. 3-36 3.14 Event Tree Diagram of Accident Sequences Following a Los s of Of f si te Powe r In i ti ato r . . . . . . . . . . . . . . . . . . . . . . . . 3-3 7 3.15 Event Tree Diagram of Postulated ATWS Accident Sequences Following a Loss of Offsite Power Initiator .... 3-38 3.16 Event Tree Diagram of Accident Sequences Following an IORV Initiator ........................................ 3-39 3.17 Event Tree Diagram of Postulated ATWS Accident Sequences Foll owi ng an 10RV Initiator . . . . . . . . . . . . . . . . . . . . 3-40 3.18 Time Phased Event Tree for Calculating Injection Availability Following a loss of Offsite Power Event (Phases I, II, & III) Class I Event Variety . . . . . . . . . . . . . . 3-41 xi

LIST OF FIGURES (Cont.)

Figure Title Page 3.19 Time-Phased Event Tree for Calculating Containment Heat Removal Following a loss of Offsite Power Event (Pha se IV ) Cl a ss II Event Va riety . . . . . . . . . . . . . . . . . . . . . . . . 3-42 4.1 Event Tree Diagram of Accident Sequence Following a Tu r bi n e Tr i p I n i t i a to r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4- 15 4.2 Failure Probability vs Time for Operator Thinking ........ 4-16 5.1 Summary of the Accident Sequence Frequencies Leading to Degraded Core Conditions Summed Over Al l Accident Sequences Wi thi n a Cl ass . . . . . . . . . . . . . . . . . . . . 5-41 5.2 Summary of Dominant Accident Sequences Presented by C l a s s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 -4 2 5.3 Summary of Dominant Accident Sequences Presented by C l a s s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 -4 3 5.4 Functional Fault Tree for High Pressure In Functions ................................jection . . . . . . . . . . . . . . . . 5 -4 4 5.5 Functional Fault Tree for the Feedwater Injection Fu n c t i o n s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 -4 5 5.6 Functional Fault Tree for the Low Pressure Injection Fu n c t i o n s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 -4 6 5.7 Functional Fault Tree for the Containment Heat R em o v a l Fu n ct i o n s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4 7 5.8 Core Damage Fault Tree for Turbine Trip Initiator ........ 5-48 5.9 Core Damage Fault Tree for MSIV Closure Initiator . ....... 5-49 5.10 Core Damage Fault Tree for Inadvertent Opening of R e l i e f Va l ve ( T g ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 -5 0 1

5.11 Time-Phased Core Damage Fault Tree for loss of Offsite l

Powe r In i t i a t i o r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-51 5.12 Core namage Fault Tree for Manual Shutdown Initiator ..... 5-55 5.13 CDFT fo r La rge LOC A In i ti ato r . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-56 5.14 CDF T fo r Medi um L OC A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5 7 5.15 CDFT fo r Smal l LOC A In iti ato r . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-58 l

l xii

LIST OF FIGURES (Cont.)

Figure Title Page 5.16 Functional Level Fault Tree for the Quantification of Containment Heat Removal Functions of the Turbine Trip Ev e n t Tr e e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 -5 9 5.17 Functional Level Event Tree for the Probability of FW and PCS Unavailability Following a TT Event............... 5-60 5.18 Functional Level Event Tree for the Probability cf Long Tem and PCS Unavailability Following a TT Event .................................................... 5-61 5.19 Functional Level Event Tree for the Probability of FW and PCS Unavailability Following a TF (Loss of F/W)

Eve n t B N L Rev i s i o n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-63 5.20 Turbine Tri p Tran si ent Event Tree . . . . . . . . . . . . . . . . . . . . . . . . 5-64 5.21 MSIV Closure / Loss of Feedwater/ Loss of Main Condenser Transient Event Tree ..................................... 5-65 5.22 Inadvertent Open Safety Relief Valve Transient Event Tree ............................................... 5-66 5.23 Turbine Trip Event Tree Depicting the U-W Dependence ..... 5-67 5.24 Residual Heat Removal System (Loop A shown, Loop B isidentical)............................................ 5-68 5.25 Event Tree Diagram of Postulated ATWS Sequences Fol l owi ng a Turbi ne Tri p In i ti ato r . . . . . . . . . . . . . . . . . . . . . . . 5-69 5.26 Event Tree Diagram of Postulated ATWS Accident Sequences Foll owi ng an MSIV Cl osure Initiator . . . . . .. .. .. . 5-70 5.27 Event Tree Diagram of Postulated ATWS Accident Sequences Following a Loss of Offsite Power Initiator .... 5-71 5.28 Event Tree Diagram of Postulated ATWS Accident Sequences Fol l owi ng an 10RV In i ti ato r . . . . . . . . . . . . . . . . . . . . 5-72 5.29 Total Core-Damage Frequency for the Four Cases . .. . . . . . . . . 5-73 5.30 Summary of the Accident Sequence Frequencies Leading to Degraded Core Conditions Summed Over All Accident Seq ue n c es Wi t hi n a Cl a s s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-74 5.31 " Bridge" Event Tree Providing the Link Between Postulated Transient and LOCA Accident Sequences Which May Result in Containment Overpressure and the Containment Event Seq ue n c es F ol l owi ng Co re Mel t . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-75 xiii

LIST OF FIGURES (Cont.)

Figure Title Page 6 -1 Binning of Accident Sequences in the Limerick PRA ....... 6-2 6-2 Limerick PRA Containment Event Tree for Class I, II, and I I I Eveh t Seque n ces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-12 6-3 Limerick PRA Containment Event Tree for Class IV Event Sequences ............................................... 6-13 6-4 BNL Revised Containment Event Tree for Class II Event Sequences ............................................... 6-14 6-5 BNL Revised Containment Event Tree for Class IV Event Seq ue n c e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 -15 6-6 BNL Suggested Containment Event Tree for Class I and I I I Ev e n t Seq ue n c e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 -2 4 6-7 BNL Suggested Containment Event Tree for Class II Event S e q ue n c e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 -2 5 6-8 BNL Suggested Containment Event Tree for Class IV Event S e q ue n c e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 -2 6 7.1 Diagramatic Representation of INCOR Organization ........ 7-4 7.2 Containment Pressure History for Class I (Case TQUX') ... 7-29 7.3 Contai nment Temperat ure Hi story for Class I . . . . . . . . . . . . . 7-30 7.4 RPV Pressure Hi story fo r Class I (Case TQUX) . . . . . . . . . . . . 7-31 7.5 Suppression Pool Temperature for Class I (Case TQUX) .... 7-31 7.6 Containment Pressure History for Class II (Case TW) ..... 7-34 7.7 Containment Temperature History for Class II (Case TW) .. 7-35 7.8 Containment Pressure History for Class III

( Ca s e A TWS - I I I ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 -3 8

. 7.9 Containment Pressure History for Class IV

( C a s e A TW S - I V ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 -41 7.10 Diaphragm Floor Penetration Histories for Class IV

( Ca s e A TWS - I V ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 -4 2 l 7.11 Typical Sequence of Spike Fission Products Releases for l Po st ul a t ed Acci dent s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 -44 7.12 Distance - Time Diagram for Evacuees and Cloud .......... 7-55 l

l I

i xiv

LIST OF FIGURES (Cont.)

Figure Title Page

> 7.13 Containment Pressure History for Class I Sequence Ass umi ng New Core Melt Scenari o . . . . . . . . . . . . . . . . . . . . . . . . . 7-75 7.14 Comparison of Pressure Histories for Class II Sequences Wi t h a nd Wi t h out Acti n ide Decay . . . . . . . . . . . . . . . . . . . . . . . . . 7-81 8.1 Schematic Flow Diagram for Determination of Risk ........ 8-7 8.2 Complementary Cumulative Distribution Function for Acu t e Fa tal i t i e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8 8.3 Complementary Cumulative Distribution Functions for La ten t F a t al i ti e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-9 xv

LIST OF TABLES Table Title Page 2.1 Safety Functions Requi red for Initiating Events ......... 2-14 2.2 Safety Functions for Limerick Generating Station ........ 2-14 2.3 Frontline Systems for Limerick Generating Stations ...... 2-15 2.4 Compari son of LGS and RSS BWR Safety Systems . . . . . . .. . . . . 2-16 2.5 Summary of Success Criteria for the Mitigating Systems Tabulated as a Function of Accident Initiators .. 2-17 2.6 L OC A S uc c e s s C r i t e r i a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2- 18 2.7 Tra nsi ent Succes s Cri teri a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-19 2.8 Summary of LGS Capability for ATWS Mitigation

( Al ternative 3A Modi fi cations) . . . . . . . . . . . . . . . . . . . . . . . . . . 2-20 2.9 Summary of the Categories of BWR Transients Used To Classify Operating Experience Data on Anticipated Transi ents (EPR I-S AI Study) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21 2.10 Groupi ng of Transi ent Ini ti ators . . . . . . . . . . . . . . . . . . . . . . . . 2-22 2.11 BWR Transients (Reactor Safety Study Table 1.4-12) ...... 2-23 2.12 Initiating Events for BRP PRA for Which Event Trees We r e Dev e l op ed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 4 2.13 Li st of Ini ti ati ng Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 5 1

3.1 BN L Chang e s i n LGS-PR A Faul t Trees . . . . . . . . . . . . . . . . . . . . . . 3-43 3.2 Cognitive Human Errors Model ed in Event Trees . .. . .. . . . .. 3-46 3.3 Cognitive Human Errors Modeled in Fault Trees . . . ...... . . 3-47 3.4 Frontline/Sup port Syst em Dependence Matrix . . . . . . . . . . . . . . 3-50 3.5 Su ppo rt/Suppo rt System Dependence Matrix . . . . . . . . . . . . . . . . 3-52 4.1 Frequency of Initiating Events (Mean Values /yr) ......... 4-17 4.2 Experiential Evidence From Plants of the Mid-Atlantic Reliability Council Loss of Offsi te Power . . . . . . . . . . . ... . 4-17 4.3 Frequency of Loss of Offsite Power for the Mid-Atlantic Area Council (MAAC) ..................................... 4-18 4.4

~

Probability of Not Recovering Offsite Power up to Time t ............................................... 4-18 5.1 Ranking of Limerick Core-Damage Accident Sequences ...... 5-76 xvi

LIST OF TABLES (Cont.)

Title Page Table F rontl i n e Sys t em s a nd Su p po rt Syst em s . . . . . . . . . . . . . . . . . . . 5-7 7 5.2 5.3 Feedwater Transient CDFT Cutsets ........................ 5-78 5.4 Feedwater Transient CDFT Cutsets with Support Systems ... 5-79 5.5 Core Damage Frequencies Including the Effect of Su p po rt Syst en Depe nden ces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-80 5.6 System Unavailabilities Used in the Limerick PRA, the' BNL Revisions, and the Reactor Safety Study (RSS) ....... 5-81 5.7 Support System Unavailabilities Used in BNL R ev i s i o n s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 - 82 5.8 "Rasic" Event Probabilities for Turbine Trip Core-Damage F a ul t Tr e e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 -83 5.9 " Basic" Event Probabilities for Feedwater Core-Damage F a u l t Tr e e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 -84 5.10 " Basic" Event Probabilities for LOOP Core-Damage Fa u l t Tr e e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8 5 5.11 " Basic" Event Probabilities for 10RV Core-Damage Fa ul t Tr e e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 -86 5.12 " Basic" Event Probabilities for Manual Shutdown Core Dam a g e Fa ul t Tre e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8 7 5.13 " Basic" Event Probabilities for Large LOCA Core Damage ~

Fa ul t Tr e e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8 8 5.14 " Basic" Event Probabilities for Medium LOCA Core Damage Fa u l t Tr ee . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 -8 9 5.15 " Basic" Event Probabilities for Small LOCA Core Damage F a ul t Tr e e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-90 T u b i n e Tr i p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 - 91 5.16 5.17 F e ed wa te r , MS I V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 -91 5.18 LOOP .................................................... 5-92 5.19 10RV .................................................... 5-92 5 -9 3 5.20 Ma n u a l Sh u td own . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

5.21 L a rg e L OC A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 -93 xvii

LIST OF TABLES (Cont.)

Table Title Page 5.22 Me d i um L OC A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 - 94 5.23 Sm a l l L OC A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-94 5.24 TOTAL ................................................... 5-95 5.25 Ranking of BNL & Limerick Sequences by Core Damage F r eq u e n cy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-96 5.26 - Class I Dominant Sequences .............................. 5-97 5.27 Cl a ss II Domi nant Seque nces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-98 5.28 Class III Doninant Sequences ............................ 5-99 5.29 Cl a ss IV Domi nant Seque n ces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-100 5.30 Uncertainty Measures for Transient Initiators a nd Ma nu a l Sh utd own . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-101 5.31 Core Damage Frequency Di stri bution . . . . . . . . . . . . . . . . . . . . . . 5-101 5.32 Importance Ranking of Systems With Respect to Core D am a g e F r eq u e n cy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 -10 2 5.33 Effect of Removal of the ATWS-3A Modification of the Frequencies of Accident Classes I-IV, and Core Damage ... 5-103 5.34 Effect of Renoval of the ATWS-3A Modification on the Ex pect ed Acut e Fa tal i t i e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-104 5.35 Effect of Removal of the ATWS-3A Modification on the Expected Laten t Fa tali ti es* . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-105 5.36 Brid ge Tree Event Sequences Impact . . . . . . . . . . . . . . . . . . . . . . 5-106 5.37 Summary of the Calculated Reductions in the Frequency of a Radioactive Release Due to the Use of Containment Overpressure Relief (reflected in the bridge tree) ...... 5-107 5.38 E f fect of COR t o TW Seque n ces . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-108 5.39 Ef fect of C0R to ATWS-W Sequence s . . . . . . . . . . . . . . . . . . . . . . . 5-109 i 5.40 Fffect of COR to ATWS-C and ATWS C Sequences. . . . . . . . . . 5-110 12 2 5.41 Effect of Inclusion of Containnent Overpressure Relief System on the Frequency of Core Damage . . . . . . . . . . . . . . . . . . 5-111 5.42 Effect of Inclusion of Containment Overpressure Relief i

System on the Expected Acute Fatal i ties . . . . . . . . . . . . . . . . . 5-112 i

l I

xviii

LIST OF TABLES (Cont.)

Table Title Page 5.43 Effect of Inclusion of Containment Overpressure Relief System on the Expected Latent Fatalities ................ 5-113 5A1 HPC I Sy s tem Cu t s ets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-116 5A2 RCIC System Cutsets ..................................... 5-117 5A3 LPC I Sy s tem Cu ts e t s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-118 5A4 LPCS System Cutsets ..................................... 5-118 5A5 RHR System Cutsets ...................................... 5-119 5A6 SLC System Cutsets ...................................... 5-119 5A7 El ectr ic Power System Cutset . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-120 5B1 Cutsets for BNL-Modified HPCI Systems Fault Tree ........ 5-122 582 Cutsets for BNL-Modified ADS Systems Fault Tree ......... 5-122 583 Cutsets for BNL-Modified SLC Systems Fault Tree ......... 5-123 SC1 Sampl e Functi ons for Cl asses I-IV . . . . . . . . . . . . . . . . . . . . . . . 5-125 SC2 SAMPLE Code Input Variables for Classes I and II ........ 5-126 5C3 SAMPLE Code Input Variables for Classes III and IV ...... 5-127 6.1 Generic Acc ident Sequence Cl as ses . . . . . . . . . . . . . . . . . . . . . . . 6-3 6.2 Summary - Generic Accident Sequence / Release Path Combinations ............................................ 6-4 6.3 Release Categories Used in the Limerick PRA . . .. . ... . ... . 6-6 6.4 Accident Sequences Used to Represent the Generic Cl asses i n the Limeri ck PRA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10 6.5 BNL Revised Conditional Probabilities for Class II Event Sequences (entrance to tree via loss of CHR) ...... 6-17 6.6 BNL Revised Conditional Probabilities for Class IV Event Sequences (entrance to tree via loss of CHR) ...... 6-18 6.7 New Release Category Probabilities Associated with New Class II and IV Event Trees ......................... 6-16 6.8 Probabilities of Containment Failure Modes with No Containment Leakage................................... 6-20 6.9 New Release Category Probabilities Associated with No Containment Leakage................................... 6-19 xix

LIST OF TABLES (Cont.)

Table Title Page 6-10 New Release Category Probabilities Associated with Los s o f Suppres s ion P001. . . . . . . . . . . . . . . . . , . . . . . . . . . . . . . . . 6 -21 6-11 Release Category Conditional Probabilities for BNL Suggested Containment Event Trees........................ 6-27 6-12 Optimistic Release Category Conditional Probabilities ... 6-28 6-13 Pessimistic Release Category Conditional Probabilities .. 6-28 6-14 Containment Event Tree Results for Optimistic and Pess imi stic Condi tional Probabili ties . . . . . . . . . . . . . . . . . . . 6-29 6-15 Comparison of Limerick PRA and RNL Risk Measure Based on Limerick PRA Core Damage Frequency and Consequence Mo d e l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 -2 9 6-16 Comparison of Limerick PRA and BNL Risk Measures Assuming Core Melt Into an Intact Containment For Class II Sequences .................................. 6-33

7.1 Compa ri son of INCOR and MARCH Computer Codes . . . . . . . . . . . . 7-5 7.2 Summary of Containment Conditions for the Dominant Ac c i d en t s S eq ue n c es. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7- 7 7.3 Summary of Containment Events Developed From the INCOR Analysis for the Radionuclide Release Fraction C al c u l a t i o n s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 -7 7.4 Release Term Calculations Requirements in the Limerick PRA...................................................... 7-12 7.5 Radionuclide Release Parameters and Release Fractions for Dominant Accident Sequence Classes and Containment Fa il ure Modes i n the Limerick PR A. . . . . . . . . . . . . . . . . . . . . . . . 7-13 7.6 Pool Decontamination Factors Reported in the Limerick PRA......................................................7-14 7.7 Release Categories Used in the Limerick PRA Consequence A n al y s i s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 - 17 7.8 Acute Fa tali ti e s (no rmal i zed means ), . . . . . . . . . . . . . . . . . . . . . 7-19 7.9 Latent Fatal i ti es (nonnal i zed means ) . . . . . . . . . . . . . . . . . . . . 7-20

, XX

LIST OF TABLES (Cont.)

Table Title Page 7.10 Acute Fa tal i ti es (total ri sk) . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-21 7.11 Latent Fatal i tie s (total ri s k ) . . . . . . . . . . . . . . . . . . . . . . . . . . 7 -22 7.12 Highlights of MARCH Input Data for Class 1 Sequences .... 7-25 7.13 Comparison of BNL and Limerick PRA Analysis of the C l a s s 1 S eq ue n c es . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 7 7.14 Comparison of BNL and Limerick PRA Analysis of the Cl a s s I I Seq ue n c e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3 3 7.15 Comparison of BNL and Limerick PRA Analysis for Class III ............................................... 7-39 _

7.16 Comparison of BNL and Limerick PRA Analysis for C l a s s I V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 -4 0 7.17 Fission Product Release Source Sumnary - Best Estima te Total Core Rel ease Fractions . . . . . . . . . . . . . . . . . . . 7-4 4 7.18 Comparison of Release Parameters for BNL and PRA ........ 7-49 7.19 Compa ri so n of Eva cuati on Model s . . . . . . . . . . . . . . . . . . . . . . . . . 7-56 7.20 Comparison Between PRA and BNL Calculations - Latent F a t al i t i e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 -5 9 7,21 Comparison Between PRA and BNL Calculations - Acute Fa t al i t i e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 -6 0 7.22 Comparison Between PRA and BNL Calculations - Latent Fatalities....................e,......................... 7-61 7.23 Comparison Retween PRA and BNL Caiculations - Acute F a t al i t i e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 -6 2 7.24 Summary of Areas of Uncertainty Having a Minor Effect on t he LGS Ea rly Fa tal i ty CCDF . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6 4 7.25 Summary of Areas of Uncertainty Having a Moderate Ef fect on t he LGS Ea rly Fatal i ty CCDF . . . . . . . . . . . . . . . . . . . 7-66 7.26 Summary of Areas of Uncertainty Having a Petentially Significant Effect on the LGS Early Fatalit> CCDF ....... 7-67 xxi

LIST OF TABLES (Cont.)

Table Title Page 7.27 Timing of Key Events for Class II Large LOCA . . . .. .. . . . . . 7-69 Comparison of Release Parameters of Class II and IV 7.28 LOCAs and Transients .................................. . 7-71

. 7.29 Class II Sequences lhat May Be Inappropriately Binnec ... 7-72 7.30 Class IV Sequence That May Be Inappropriately Binned .... 7-73 7.31 Potential Containment Pressurization During Core Debris / Water Interactions ............................... 7-77 7.32 Comparison Between Release Parameters for Early Release of Core Debri s Into Suppression Pool . . . . . . . . . . . . . . . . . . . . 7-78 7.33 Comparison of Consequences for Early Release of Core Debri s Into Suppressi on Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-79 7.34 Effect of Steam Explosion Binning on Risk - Acute Fatalities .............................................. 7-82 7.35 Effect of Risk of BNL Changes in Steam Explosion

, Probabilities - Acute Fatalities ........................ 7-84 7.36 Uncertainty Bands Associated with Core Meltdown Phenomena and Fission Product Behavior .................. 7-85 7.37 Summary of the BNL and PRA Consequence Analysis ......... 7-87 8.1 Mathematical Computation of Risk ........................ 8-10 8.2 Frequency of Initiating Events .......................... 8-12 8.3 Frequency of Core Damage ................................ 8-13 8.4 BNL Conditional Probabilities of Release Categories for Each Accident Class ................................. 8-14 8.5 LGS PRA Conditional Probabilities of Release Categories for Each Accident Class ...................... 8-14 8.6 Comparison of PRA and BNL Release Category Frequencies .. 8-15 8.7 Comparison of PRA and BNL Consequences by Release C a t eg o ry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-16 8.8 Comparison of PRA and BNL Average Acute and Latent Fat al i t i es ( pe r yea r ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-17 i

t.

Xxii t

LIST OF TABLES (Cont.)

Table Title Page 8.9 Release Category Conditional Probabilities for RNL Suggested Containment Event Trees ....................... 8-18 8.10 BNL Optimistic Case Conditional Probabilities of Release Catego ry for Each Accident Class . . . . . . . . . . . . . . . . 8-19 8.11 BNL Pessimidtic Case Conditional Probabilities of '

Release Category Conditional Probabilities for Each Ac c i d e n t C l a s s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-19 8.12 H Matrices Used in the Computations for Table 7.36 ...... 8-20 8.13 Compa ri son of Evacuati on Model s . . . . . . . . . . . . . . . . . . . . . . . . . 8-21 8.14 Comparison of Latent Fatalities and Thyroid Cancers fo r Di f fe rent Eva cuati on Scheme s . . . . . . . . . . . . . . . . . . . . . . . . 8-22 8.15 Comparison of Acute Fatalities for Different Evacuation Schemes ...................................... 8-22 4

xxi ii

l

SUMMARY

This review of the Probabilistic Risk Assessment of the Limerick Gener-ating Station was conducted by Brookhaven National Laboratory under the sponsor-ship of the U.S. Nuclear Regulatory Commission. The review began in January 1982 and involved eight staff members. A draf t version of this report was issued in October 1982 and comments were received in December 1982. These included comments from the Nuclear Regulatory Commission staff and fran the Philadelphia Electric Company and its consultants. In the course of preparation of this final report, all comments were given consideration. The broad objective of the review was to evaluate the Limerick Probabilistic Risk Assessment for its risks in relation to those identified in the Reactor Safety Study (WASH-1400). The review by Brookhaven included a technical assessment of the assumptions and methods used in the Limerick study. The review also included a re-evaluation of the main results within the scope and general methodological framework of the Limerick study. This included both qualitative and quantitative analyses of accident initiators, data bases, accident sequences which result in core damage, core melt phenomena, fission product behavior, and offsite consequences.

The review process included five meetings with the Limerick owner and its consultants, a site visit, and two formal rounds of (written) questions and an-swers. The utility and its consultants were helpful and cooperative throughout the course of the review. The review process was, however, encumbered by the submittal of Revisions 3 and 4 of the Limerick study in May 1982 and June 1982, respectively. Although these submittals did provide needed information for the review process, their receipt at the midpoint of the review affected the sched-ule and it was necessary to repeat some portion of the review. In addition, specific information was obtained in August 1982 on the quantification processes associated with containment and consequence analyses. Overall, the interactive review process was highly beneficial to the reviewers and the resulting revisions considerably enhanced the value of the information developed in the Limerick study.

xxi v

The main conclusions of this review are the following:

A. Within its stated scope, the Limerick study is a reasonably good piece of work. The utility followed the guidelines presented to them by the U.S.

Nuclear Regulatory Commission and produced a study which used the basic approach and techniques of the Reactor Safety Study, but which accounted for plant-specific design differences between Limerick and the Reactor Safety Study plant and included site-specific analyses of offsite con-sequences.

B. The Brookhaven reviewers believe that the Limerick study can be up-graded to more reasonably portray the risks associated with the accidents considered in the study. This can be done within the present framework and structure of the Limerick study by taking into account the specific comments found in the main body of this review report.

C. The reviewers found that some of the analysis (particularly the con-tainment analysis) in the Limerick study was rather conservative, i.e.,

led to an overestimation of risk. However, in some parts of the study, the analysis was determined to be optimistic. Thus, on the basis of the Limerick study, it is difficult to assess the validity of the stated un-certainty bands on risk. This conclusion coincides with the comment made by the Lewis Committee in its review of the Reactor Safety Study. In the main body of this review report, some of the optimisms and pessimisms have been evaluated and, in some places, more realistic alternatives have been put forth. However, a full reassessment could not be made within the scope of this review.

D. Within the perspective of the foregoing comments, the Limerick study is a very useful tool for identifying accident sequences that lead to core damage. Furthermore, the study could be used in strategy or a program aimed at the prevention of such accidents. The review did not include an evaluation of the cost-benefit tradeoffs of any strategies or programs in this area and therefore no conclusion is drawn in this regard.

xxv

E. While the study could be useful in connection with the prevention of dam-age to the core, it would be rather less useful in the evaluations of mitigation schemes for severe accidents. This conclusion follows from the finding that the core meltdown analysis in the Limerick study was not conducted in a sufficiently realistic manner. Therefore, a risk re-duction analysis that would be performed on this basis could be mis-leading and may not appropriately reflect the safety-benefit tradeoffs related to the consideration of severe accident mitigation features.

Moreover, the design or infomation requirements related to potential strategies for coping with the reactor containment environment following core damage should be established on the basis of more realistic studies.

The Limerick study did not include an assessment of the risks due to earthquakes, floods, fires, hurricanes, tornadoes, or sabotage.

The main quantitative results of the Brookhaven revision along with the re-suits of the Limerick study are given in Table 1. All frequencies in this table are per plant-year of operation and the latent fatalities have been computed for a thirty-year period following the identified reactor accidents. A discussion of the differences follows.

Table 1. Quantitative Results of the Limerick PRA Study and the BNL Revision Limerick Brookhaven Reactor Safety Risk Index Study Revision Study i Frequency of core 1.5x10-5 1,oxio-4 5.7x10-5 *

' damage (per plant-year of operation)

Expected acute

fatalities (per 2.4x10-6 4.8x10-5 3.0x10-5 **

I plant-year of operation)

Expected latent l fatalities (per 1.2x10-2 1.8x10-1 2.1x10-2 **

l plant-year of l operation)

Mean value assuming a lognormal distribution, median, and error factor re-ported in Reactor Safety Study.

Table 5-6, Main Report Reactor Safety Study.

xxvi

In the BNL revision both a point value of the frequency of core damage and the associated uncertainties were assessed. The results are depicted in Figure 1.

The 90% probability range for the frequency of core damage of the BNL revision spans almost two orders of magnitude from 6.6x10-6 (5% percentile) to 3.3x10 4 (95% percentile). The median value is equal to 3.7x10-5 The point value of the BNL revision (1.0x10-4) is greater by a factor of almost 7 than the point value of the core-damage frequency calculated in the Limerick study (1.5x10-5),

It is noteworthy that according to the uncertainty assessment of the BNL revision there is an 80% chance that the core-damage frequency will be lower than the SNL point estimate, a 65% chance that the core-damage frequency will be lower than the mean value.of the Reactor Safety Study BWR estimate, and a 22% chance tnat it will be lower than the Limerick study estimate.

The difference between the Limerick and Brooknaven point values for the core damage frequency is mainly due to three factors. The first is related to the de-pendences between reactor safety functions that exist as a result of the use of common support systems for different safety systems as well as dependences betwaen the initiators and mitigating systems. The BNL revision accounted for some these dependences that were not in the Limerick study.

Second, Brookhaven found it necessary to make several corrections and mod-ifications to the event trees and fault trees. A detailed account of these changes is presented in the main body of the report.

The third key factor that led to a difference in the Limerick and Brookhaven results was that different values were used for the frequencies of some of the e

twelve accident initiators.

The BNL revision is in qualitative agreement with the Limerick study on the identification of the highest frequency accident sequences. These accident sequences are presented in Table 2. The frequency of core damage, in the BNL re-vision, is dominated by five types of accident sequences. Four of them, con-tributing 94% to the frequency of core damage, involve incidents initiated by a transient, followed by a loss of reactor coolant makeup, which leads to core dam-age in an intact containment. The accident sequences that contribute the most to xxvii

i e

frequency of core damage are the T1 QUX sequences that involve transients that i do not cause feedwater and power conversion system unavailability (TI ), coupled with failure of these systems (Q), failure of the high pressure injection systems (U) and failure to timely and manually depressurize-the reactor (X). Second, are the accident. sequences2T VV that involve transients that imply loss of feedwater g and power conversion system 2(T ), followed by failure of the high pressure (U) and low pressure (V) injection system. Third, are the accident sequences (T VX) 2 that involve transients that . imply 1c.ss of feedwater and power conversion systems

.(T2 ), followed by failure of the high pressure injection system (U) and a failure to timely and manually depressurize the reactor (X). Next', but with a frequency lower by an order of magnitude, are the accident sequences T(DC) that l involve a transient followed by a total loss of de power. The fifth sequence involves a transient coupled with a failure of the containment heat removal fenction tnat leads to containment failure. The Limerick Study reached similar conclusions with regard to the identification and ranking of these accident sequences.

In contrast, the Reactor Safety Study concluded that transients coupled by a i loss of containment heat removal function are the type of accidents with the

highest frequency. Next, in the RSS assessment come anticipated transients without scram (ATWS) sequences and, last, transients followed by loss of high and low pressure injection functions. This inversion in the order of importance is i due partly to differences in the methodology used, as well as to differences in the design of the plants. The methodology employed in the Linierick Study is more detailed and realistic than that employed in RSS,- particularly in its inclusion of l the possibility of recovering unavailable systems. This is important for the containment heat removal system since there is a period of 20 hours2.314815e-4 days 0.00556 hours 3.306878e-5 weeks 7.61e-6 months after the initiation of the accident during which the system can be recovered. The system for containment heat removal in the Limerick station is more reliable than that considered for the RSS-BWR plant. Finally, the ATWS sequences do not contribute

, significantly to the frequency of core damage for the Limerick station because the i

design of the plant incorporates the alternate-3A modification in the ATWS prevention / mitigation system suggest'ed by the NRC staff, and because the modeling and quantification of the ATWS sequences in the Limerick PRA are more realistic and, hence, less conservative than in the Reactor Safety Study.

i xxviii

The increase in health consequences shown in Table 1 resulted largely from the difference in the assessments of the core damage frequency. A reevaluation by Brookhaven of the containment event tree analysis also increased both acute and latent fatalities but with less impact than the new core damage frequencies. The BNL analyses of fission product behavior had little effect on acute fatalities and reduced latent fatalities. An in-depth review of the consequence (site) model used in the LGS-PRA is outside the scope of our review. The consequence model used in the PRA was based on the RSS model, but with changes to reflect population and meteorology appropriate to the Limerick site. The BNL health consequences shown in Table 1 were, therefore, also based on the RSS model. However, because dif ferent versions of the computer code (CRAC) were used to determine coasequences for the LGS-PRA and by BNL the increases in the health consequences in Table 1 also raflect differences in the mathematical models. The BNL CRAC model increased total mean acute and latent fatalities by a factor of approximately 3 relative to the version of CRAC used for the LGS-PRA.

The complementary cumulative distribution functions (CCDF) for acute and latent fatalities are presented in Figures 2 and 3, respectivley. The figures derict the " point estimate" CCDF of the BNL revision, the 5% and 95% limits of the BNL uncertainty assessment, the point estimate of the Limerick study, and the point estimate of the RSS-BWR CCDF. Note that the BNL uncertainty assessment reflected in Figures 2 and 3 does not include uncertainty associated with the consequence (site) model. During an NRC review of our draft report, it was noted that the prediction of acute fatalities is very sensitive to the assumed evacuation model. Although it was noted above that a detail review of the siting model is outside the scope of our review, we consider uncertainties associated with the evacuation model to be of such importance that we include and assessment of its impact on risk in Section 8. Uncertainty associated with the evaculation model is not reflected in Figures 2 and 3.

xxix I

Table 2. Important Accident Sequences LIMERICK BNL REACTOR STUDY REVISION SAFETY STUDY Sequence Frequency Sequence Frequency Sequence Frequency *

1) T 2VV 6.0x10-6 1) T QUX i

4.5x10-5 1) TW 2.2x10-5

2) T QVX 1

4.6x10-6 2) T 2VV 3.2x10-5 2) TC 1.7x10-5

3) T 2VX 1.4x10-6 3) T 2VX 1.5x10-5 3) TQUV 8.0x10-7

4) TPW 3.9x10-7 4) T(DC) 2.0x10-6 5)TQW 1.3x10-6 Symbols T:

1 Transient that does not imply feedwater/ power cor: version systun un-availability.

T:

2 Transient that implies feedwater/ power conversion system unavailability.

T: Transient regardless of feedwater/ power conversion system unavailability (for RSS, Limerick #4, BNL #4,5)

Q: Feedwater/ power conversion system unavailability.

U: High pressure injection function unavailability.

X: Manual reactor depressurization unavailability.

V: Low pressur e injection function unavailability (for RSS, V includes X).

P: SRVs stuck open.

W: Containment heat removal function unavailability.

DC: dc power unavailability.

C: Reactor protection system unavailability.

Estimated means from the median values reported in RSS.

xxx

CUMULATIVE ii PROBABILITY 1.0 0.90 l

0.80 -------_---------__________. ______

l i

0.70 l

- - - - - _ _ _ _ _ _ __ _ _ _ _ _. _ _ _ _ _ _ _ _ _ _. I I

0.60-. l I

I I I 0.50. l l x !g<

l x l>

0.40-- l l 1

l5 1 1 0.30-- Id l8 ll l3 5 0.20-- ~ ~ - - ~ ~ ~ - - ' ' ~ ~ - ~ ~ - -

l: lN I le IoTJ l !I lmE l"

l 0.10-- l" g lg l I ** H l l

lhh 14>

I I

l 10,6 5x10 6 ' -5 l0 5.7(x10-5) 10 '

CORE DAMACE (1.5x10-5) FREQUENCY (per year)

Figure 1. Cumulative probability for the frequency of core damage.

(BHL revision)

10-5 BNL 95%

10-6 BNL POINT ESTIMATE x

^l d 10-7 % RSS-BWR E N W

a:

N O N LGS-PRA I N 10 -

s Q BNL- 5% \

H N

N N

10' - -

l s N

ACUTE FATALITIES, X 10-1C 2 3 100 101 10 10 Figure 2. Complementary cumulative distribution function for acute fatalities.

I l

XXXii )

l

-4 BNL 95%

BNL-POINT ESTIMATE

- - - - ' ' ~ % .- RSS *BWR%

N N

N 10-5 LGS-PRA \

\

BNL 5% \

\

m s \

d \

10-6 .g \

s \

!i \

! E s\

l E \

5 h t;

i 10~I $

8 E

LATENT FATALITIES. X (IN 30 YEARS) 10-8 10 0 lI 10 l

102

3 10 104 Figure 3 Complementary Cumulative Distribution Functions for Latent Fatalities.

xxxiii

1.0 INTRODUCTION

This section contains a discussion on why a probabilistic risk assessment (PRA) was performed for the Limerick Generating Station (LGS), on how the re-view of the PRA was perfomed by Brookhaven National Laboratory (BNL), and on how this report is organized.

1.1 Background

In May 1980, the Nuclear Regulatory Commission (NRC) requested (l) that the Philadelphia Electric Company (PECo) perform a risk assessment of the Limrick Generating Station. This request was motivated by the concern that the operation of LGS, because of its location near a high population density area, would pose risks that would be a disproportionately high component of the total societal risk from U. S. commercial nuclear reactor operation. This con-cern was based on the assumption that if the Reactor Safety Study (2) (RSS) reference plant were located at the Limerick site, the societal risk from that plant would be higaer than the societal risk from the RSS plant located at the RSS reference site. Accordingly, PECo was requested to evaluate the relative risk for the Limerick plant as cmpared to the risk identified with the RSS reference plant.

The NRC requested that PECo conduct this analysis by using the basic ap-proach and techniques of the RSS. PECo was furthermore requested to account for design differences and site-specific differences between the LGS and the RSS boiling water reactor (RWR) plant and site. In response to these requests, PECo produced a PRA with the following features:

a. It included an updated list of accident initiators.

h. It included a specific evaluation of the LGS Mark II containment be-havior for the relevant core meltdown scenarios.

c. It included site-specific evaluations using meteorology and demography inputs related to the LGS.

d. It excluded seismic events, fires, tornadoes, hurricanes, floods, and sabotage from its list of initiating events.

1-1

The study also addressed the comments on RSS aade by the Lewis Conunit-tee (3) (NUREG/CR-0400) and PECo reflected these comments in the LGS PRA as they thought appropriate. ,

In March 1981, a version of the PRA was submitted to NRC. Subsequently, in September 1981 and in December 1981, Revisions 1 and 2, respectively, were submitted to NRC. NRC contracted with BNL to perform an in-depth review of the PRA, which began in January 1982 on the basis of Revision 2.

1.2 Objective, Scope, and Approach to Review The broad objective of the BN'. review of the LGS-PRA was to evaluate its assessment of risk in relation to the risks identified in the RSS. To carry out this objective, BNL reviewed the assumptions and methods of the LGS-PRA within its stated scope. Within this scope and within the basic method-ological framework of the LGS-PRA, BNL re-evaluated the basic risk indices.

The review included evaluations of accident initiators, data, accident sequence development and quantification, core melt phenomenology, containment analysis, and offsite consequences.

The review was performed over a one-year period. Eight people at BNL participated on a regular basis and others provided special assistance or con-sultation. Ioannis A. Papazoglou was the principal investigator for the project and directed the review of the core damage frequency assessment. W. T.

Pratt directed the review of the containment analysis and offsite consequences.

R. Karol reviewed the accident sequence modeling, the containment analysis, the meltdown process analyses, and fission product behavior. L. Lederman reviewed the accident initiator frequencies and other reliability data. K. Shiu re-viewed the quantification of the event trees and the fault trees. S. Fiarman reviewed the meltdown analysis and fission product behavior. H. Ludewig re-viewed the fission product behavior and offsite consequence. Finally, R. A.

Bari coordinated the whole review. Several meetings, which were open to the public, were held between BNL and PECo and its consultants. PECo presented an overview of the PRA to BNL on February 11-12, 1982, and on March 1, 1982, BNL submitted to NRC first-round questions .on the PRA. This was followed by a re-vised PRA (Revision 3) on May 1,1982. Many of BNL's initial concerns were 1-2

removed by material contained in Revision 3. Nevertheless, second-round questions on the PRA were submitted by BNL to NRC in early June 1982. In mid- ,

June 1982, PECo submitted Revision 4 of the PRA which contained the functional

) fault trees,' material needed by BNL to gain a detailed understanding of the ac-i cident sequence quantification process. In early August 1982, as a result of several conversations, BNL was able to obtain an understanding of how aspects l of the containment / consequences quantifications were done in the PRA. With the understanding of key aspects of the overall quantification performed in the

PRA, BNL was able to 1) audit the analysis in' specific areas; 2) test the re-

sults against alternative assumptions and data bases; and 3) develop its own j best estimates of the risk indices (within the scope and framework of the PRA).

A draft version of this report was submitted to NRC in October 1982, and in December 1982 comments were received from NRC.and from PECo and its con- -

l sultants. All comments were given consideration in the preparation of this final repcrt, f The review process benefitted from the several productive meetings held j between NRC, BNL and PECo. PECo and its consultants were entirely cooperative in providing the infomation and discussion that were needed to gain a detailed I' understanding of the PRA for the in-depth review process.

Finally, we note that the NRC has undertaken a seperate study of potential i mitigation features that may be incorporated in the plant design to reduce

! risk. This mitigation study will be based in part on the PRA and this review, however, a major finding of our review is that the core meltdown analysis was not conducted in a sufficiently realistic manner. Therefore, if the risk re-duction analysis was based purely an the PRA it could be misleading and may not appropriately reflect the safety-benefits related to the consideration of severe accident mitigation features. A major objective of the mitigation study

- will be to perform a more realistic (i.e., remove the conservatisms identified

. in the PRA) analysis of core meltdown, radiological source tems and con-1 sequences so that a more accurate determination of risk reduction can be ob-E tained. A preliminary account of this work is given in Reference 4.

l 1

1-3 l

._,__.___._2_._.

1.3 Organiza_t, ion of Report Section 2 contains a description of plant modeling which includes an iden-tification of initiating events that can lead to core damage and a dis-cussion of safety functions and systems important to preventing or mitigating core damage events. Section 3 contains a description of accident sequence de-finition and a discussion of the event tree / fault tree approach used in the LGS PRA. Section 4, on data assessment, reviews the numerical values for the para-meters necessary for the quantification of the accident sequences, including the LGS PRA values and the BNL assessment, for the initiating event frequencies and the component unavailabilities. Section 5, on accident sequence quantification, contains a brief description of the LGS PRA approach to quantification, the BNL modifications to the quantification process, and the revised core damage frequencies. This section also contains an analysis of the uncertainties in the core damage frequency and an irtportance analysis. Section 6 contains a review of the accident sequence binning procedure and the con-tainment event tree analysis used in the LGS PRA. Revisions to these trees are presented and the effect of these revisions on risk is assessed. This as-sessment is limited to a change in risk due to these revisions only and does not, at this time, include changes due to revisions identified in Section 5.

Section 7 reviews the core meltdown phenomenology, the radionuclide behavior in containment, and the offsite consequence analysis. Alternative evaluations and scenarios are presented and the effect of these alternatives, without the re-visions of Sections 5 and 6, are assessed. Section 8 contains an integration of the results of the previous sections. The BNL reassessment of risk is presented here and compared with the LGS PRA results. An evaluation of the un-certainty in the risk is also presented in Section 8.

I In the draft version of this report, offsite consequence calculations were performed with an evacuation model different from that used in the RSS and in the LGS-PRA. In this final report, the base estimate of risk was performed with the same evacuation model used in the LGS-PRA and in the RSS (as per instruction from F. Coffman, NRC).* The impact of the alternative evacuation model is now presented as a risk sensitivity and the corresponding results are given in Section 8. The references to each section are given at the end of each section.

Personal communication between R.A. Bari (BNL) and F. Coffman (NRC) on December 17, 1982.

1-4

1.4 References to Section 1

1. Letter f rom D. G. Eisenhut to E. lG. Bauer, Jr., " Risk Evaluation -

Limerick Generating Station, Units 1 and 2," May 6,1980.

2. Reactor Safety Study, "An Assessment of Accident Risks in U. S. Commercial Nuclear Power Plants," WASH-1400, NUREG/75-014, October 1975.

3. H. W. Lewis, Chairman, " Risk Assessment Review Group Report of the U. S.-

Nuclear Regulatory Commission," NUREG/CR-0400, September 1978.

4. A. Ahmad et al., "PWR Severe Accident Delineation and Assessment,"

NUREG/CR-2666, January 1983.

i l

l o

(

1-5 f

2.0 PLANT MODELING The plant modeling part of the LGS-PRA contains the identification of the initiating events that can lead to core damage, the safety functions important to preventing or mitigating core damage events and the systems directly performing each of the safety functions. These systems are referred to as frontline systems. In addition, the plant modeling includes the iden-tification of the support systems for each frontline system, i.e., the sys-tems required for the function of the frontline systems.

This section is divided into two subsections. Subsection 2.1 describes the safety functions, the corresponding frontline and support systens, and their success criteria. Subsection 2.2 discusses the particular initiating events and their partition into groups containing events having the same succesi criteria for the frontline systens. In both subsections, the LGS-PRA assumptions are reviewed, evaluated, and compared to those of the Reactor Safety Study (RSS).

2.1 Safety Functions and Corresponding Systems 2.1.1 Safety Functions and Frontline Systems The safety functions important to preventing or mitigating the con-sequences of core damage following an initiating event are given in Table 2.1.

These functions can be further subdivided for the LGS into the functions given in Table 2.2. Each of the functions in Table 2.2 is directly performed by one or more frontline systems. The frontline systems for the LGS are given in Table 2.3, while in Table 2.4 they are compared with the corresponding systems of the BWR plant analyzed in the Reactor Safety Study (RSS-BWR). A short l description of the systems and their differences follows.

Reactor protection system (RPS) - Unlike the RSS-BWR, LGS has incorporated design changes, as recommended by Alternate 3A of NUREG-0460, to reduce the probability of a failure to scram. These changes include:

a) Alternate rod insertion (ARI) - this system is effective in reducing electrical common-mode failure to scram.

b) Diverse and redundant water level sensors for the Scram Discharge l Volume (SDV) - this is expected to reduce the chance of an occurrence )

l similar to that at the Browns Ferry plant.(1) )

2-1 l J

/

Standby liquid control (SLC) - The LGS system is basically the Alternate 3A described in NUREG-0460; but it will include three SLC pumps (129GPM) in-stead of two, thus having the ability for independent loop testing to yield improved reliability. The RSS-BWR has two manually actuated SLC pumps.

Reactor core isolation cooling (RCIC) - There are no major differences between the LGS and RSS-BWR designs.

High prennre coolant injection (HPCI) - The major dif ference is that for the RSS-BWR, HPCI injects into a feedwater line whereas f or the LGS, HFCI injectico is split between the core spray injection line and the feedwater

!ine.

Control rod drive (CRD) - There are ao cajor of fferersces between the LGS and RSS-hWR designs.

Automaticdepressurizationsystem(AM. - The LGS system incorporates the following additional features:

a) Three separate gas supplies including the nomal N 2

, the station air system, and a bank of N2 bottles which can be manually placed in service.

b) The actuator gas supply to the five valves is split into two lines, with one supplying two valves, the other three valves.

Low pressure coolant injection (LPCI) a) The RSS-BWR LPCI system injects water into the recirculation loops using loop selection logic to ensure injection into the intact loop.

The LGS LPCI system injects water directly into the core shroud above the top of the core through four separate injection lines.

b) The LGS pumps can pump saturated water. The RSS-BWR LPCI pumps have !

net positive suc. tion head (NPSH) requirements which may not always be met and could lead to pump failure. This is particularly important i if excessive containment leakage exists.

Low pressure core spray (LPCS) - The LGS core spray pumps can pump saturated water. The RSS-BWR pumps have NPSH requirements which may not always be met.

2-2 l _

Residual he_a_t removal (RHR) - The major differences are that LGS has two RHR heat exchangers compared with four RHR heat exchangers for the RSS-BWR and that the LGS pumps can pump saturated water.

2.1.2 Success Criteria for the Frontline Systems The LGS-PRA considers three general classes of initiating everits:

1) Loss-of-coolant accidents (LOCAs),

2) Transients with successftil scram,

3) Anticipated transients withot.t scram (ATWS).

The success criteria for the systems available to provide successful tar-mir:ation of an initiating evert are sunnarized in Table 2.5 (excerptea from the LES-PRA report). The success c.riteria ut ed in the LGS-PRA represent

' realistic" requirements and they do not correspond to safety analysis report (SAR) criteria and/or predictior.s. As noted in the a~,wer(2) to Round One question 1.07,(3) the criteria were developed from analyses contained in NED0-24708, " Additional Information Required for NRC Staff Generic Report on Boiling Water Reactors," December 1980. Here the LGS-PRA departs from the Reactor Safety Study practice where SAR criteria were used. The following three subsections provide a comparison of the success criteria assumed in the LGS-PRA with those in the RSS for each of the three major classes of the initiating events, respectively.

2.1.2.1 Success Criteria for LOCA Initiators Table 2.6 compares the success criteria for LOCA initiating events (with successful scram) for the LGS and the RSS-BWR. The table shows the required systems for both steam and liquid breaks as a. function of the break size.

Major differences are as follows:

1. The RSS distinguishes between injection and recirculation phases for large breaks in which only low pressure systems are adequate. This results in a stricter requirement for the injection phase for the RSS-BWR than that for Limerick.

2. The RSS-BWR requires operation of four ADS valves for depres-surization followi'ng small and medium break LOCA vs two ADS valves for the LGS.

2-3

3. The RSS-BWR requires only one LPCS pump to operate for' successful low .

pressure injection vs two for the LGS.

4. The LGS analysis took credit for the PCS as a means of long term cooling for the medium and small LOCAs based on successful reopening l

of MSIVs. The RSS did not. l l

S. The RSS-BWR analysis took credit for one CRD pump as a means of l injection for steam oreaks of less than 1 in diameter or liquid breaks of I less than 0.6 in, diamater. The LGS PRA took no credit for CRD pump I fnjection.

The required injecticn flow rate vs break area has been calculated and is depicted in Figures ?.1 and 2.2 for sten pipe breaks and liquid pipe breaks, respectively. It is ncteworthy that in all cases the LGS success criteria are more strict (i.e., higher ficu rate is required) except for the injection requirement of the RSS-BWR for large LOCAs. Both the RSS-BWR and LGS are 3293 MWt. On the basis of these calculations, shown graphically in Figures 2.1 and 2.2, it is concluded that the LOCA injection capacity success criteria for the two plants are comparable. The major difference is related to the number of ADS valves required for successful depressurization following small and medium break LOCA initiators, with the LGS requiring two-out-of-five valves and the RSS-BWR requiring four-out-of-five valves.

2.1.2.2 Success Criteria for Transient Initiators Table 2.7 compares the success criteria for transient initiating events (with successful scram) for the LGS and the RSS-BWR. Major differences are as follows:

. 1. For transient initiators, the RSS-BWR applies the LOCA success criteria given in the SAR. It is noted in RSS (page I-67) that these

, criteria were selected in an attempt to be conservative. /

2. The RSS-BWR allowed a condensate pump to supply sufficient low-pressure injection for transient sequences. Although the same is possible for the Limerick plant (as it is indicated in Table 2.5),

such credit was not taken in the LGS-PRA.

3. The RSS-BWR requires operation of four ADS valves for depres-surization following a transient in which low pressure injection sys-tems are required. The LGS requires only two ADS valves.

2-4

As noted in Subsection 2.1.2 the more realistic success criteria used in the LGS-PRA for the transient initiators are considered reasonable on the basis of NED0-24708. One exception is the assumption that RCIC is capable of supplying adequate vessel water makeup to an isolated reactor with a stuck open relief valve. The validity of this assumption remains to be verified.

The need for verification is inferred from the letter dated December 29, 1980, from D. B. Waters, BWR Owners Group, to D. G. Eisenhut, titled, "BWR Owner's Group Evaluation of NUREG-0737 Requirements." The letter attachment has a section dealing with " Adequate Core Cooling for Transients witn Single Failure, Evaluation of NUREG-0737, Item II.K.3.44.. Page 3 of this at-tachment states, "This capability is not a design basis for the RCIC system, and not all plantt have been analyzed to demonstrate this capability." The verification of the applicability of the generic coaiysis of NED3-24703 to the LGS was oatside tne scope of the SNL review.

As with the LOCA success criteria, the LGS and RSS-BWR transient success criteria are considered con.patible, the major difference being the number of ADS valves required for successful depressurization. Tne 3dequacy of the two ADS valve criteria used in the LGS-PRA appears reasor.able on the basis of NED0-24708.

2.1.2.3 Success Criteria for ATWS Initiators Table 2.8 presents the LGS-PRA success criteria for ATWS mitigation.

There are no comparable criteria for the RSS-BWR, since ATWS was not evaluated in as much detail. The LGS criteria appear to be acceptable; however, calculations would be required to verify the adequacy of each of the assumed systems or functions. The calculations which are to be done in accordance with Section 15.8 of the LGS FSAR would verify that the assumptions in the generic analysis of Reference 5 apply to LGS. .

I 2.1.3 Support Systems The major systems supporting the frontline systems are:

E,lectric Power System (EPS) - The major differences between the LGS and the RSS-BWR electric power systens are summarized below:

LGS RSS-BWR e four diesel generators per unit; e two diesel generators / unit ; inter-no inter-unit bus tie. unit bus tie.

2-5

e four load divisions / unit e two load divisions / unit e four 125 V DC Class IE buses per e four 125 V DC Class IE buses between unit two units

- two chargers / battery - one charger / battery

- no inter-unit bus ties - inter-unit bus ties The LGS has three 500 KV and two 230 KV incoming lines whereas the RSS-BWR has a 230 KV and a 13.8 KV incoming lines.

EmergencL service water (ESW) - The LGS has.more redundancy in the ESW system than RSS-CWR.

Plant air and nitrogen systems - Tne 1.GS has more redundancy in the plant air and riitrogen systems than the RSS-BWR, 2.2 Initiating Events The LGS-PRA considers three general classes of initiating ever.ts.

1. Loss-of-coolant Accidents (LOCAs),

2. Transients with successful scram,

3. Anticipated transients without scraw (ATWS).

The LOCA initiators have been further subdivided into three groups ac-cording to the equivalent size of the break and the corresponding success criteria for the frontline systems. The three LOCA initiating event groups are:

1. Large LOCAs - equivalent diameter > 4 in.

2. Medium LOCAs - 1 in. I equivalent diameter 14 in.

3. Small LOCAs - equivalent diameter 11 in.

The success criteria for each group of LOCA initiators are given in Table I

2.6.

L The transient initiators for which successful scram has been accomplished

( I have been divided into five groups, where the transients in each group impose the same success requirements to the frontline systems.

1. Transients which result in turbine trip

2. Transients which lead to isolation of the reactor vessel from the main condenser (MSIV closure and loss of feedwater) 2-6

3. Transients resulting from loss of offsite power

4. Transients resulting from inadvertent open relief valve (IORV)

5. Orderly and controlled manual shutdown.

The transient initiators grouped in the aforementioned groups were ob -

tained from an EPRI survey (6) of the operating experience with BWRs. The EPRI survey identified thirty-seven transient initiators shown in Table 2.9.

The grouping of these transient initiators into the first four groups is given in Table 2.10.

This particular partition of the transient initiators into the four groups has been reviewed ar,d is considered acceptable. In particular, a re-cent change in the LGS control logic cculd render this grouping conservative because the MSIV closure sat point has been moved from reactor Level 2 (10 ft.

above top of active fuel (W)) to reactor Level 1 (1.5 ft, above TAF). As a result, many'of the transients now classified under MSIV closure will probably not result in such an event, 'out in a simple turbine trip. Since the MSIV transients present a more severe challenge to the plant systems, the present grouping tends to overettimate the core damage frequency. No quantitative assessment of this overestimation was performed.

If the Reactor Protection System fails to scram the reactor after an initiating event in any of the first four transient groups, then an ATWS re-sults. Four groups of ATWS initiators were, therefore, considered.

1. Turbine trip ATWS

2. MSIV closure ATWS

3. Loss of offsite power ATWS

4. 10RV ATWS The completeness of the initiating events considered in the LGS-PRA was

- evaluated by comparisons with the Reactor Safety Study,(7) the RSSMAP Grand Gulf Study,(4) the Big Rock Point PRA(8) and additional initiating events that were discussed with NRC in connection with risk analysis more generally.

2.2.1 ' Comparison with Reactor Safety Study In the RSS, all transient initiating events were grouped together and a single event tree was developed. The fifteen likely transient initiators con-sidered in the RSS are given in Table 2.11. All fifteen initiators are included in the LGS-PRA list. Since worst case assumptions were made 2-7

l about the required responses and availability of th'e frontline systems in the single transient event tree of the RSS, the LGS-PRA approach of creating five groups of transient initiators is more realistic than the RSS approach.

Furthermore, in the RSS, a failure to scram leads directly to core damage while, in the LGS-PRA, each failure to scram is classified into one of the ATWS groups and a detailed plant response is considered. In this regard, the LGS-PRA is more realistic than the RSS.

For the 1.0CA initiators, both th'e RSS and the LGS-PRA consider three groups according to the equivalent break size.

The reactor vessel rasture initiator was handled the same way in both studies. That is, sr;ali and rwdium-size ruptures are considered tn be among the small and nedium LOCA initiators, respectively, and massive rector vassel ruptures are excluced on the basis of inoir extremely lod procebility of x-currence. Reactor coolant system ruptures into interfacing systems wer<! also considered, and found to contribJte insignificantly to the overall risk in the LGS-PRA as in the RSS.

Thus, overall, the handling of the initiating events in the LGS-PRA is more realistic than in the RSS.

2.2.2 Comparison with RSSMAP Grand Gulf This study considered two transient initiator groups, one consisting of the loss of offsite power and one covering all others. A single event tree was then used to model the plant response to the two transient initiating events considered.

LOCA initiators were first partitioned according to two break sizes and then a single event tree was developed to represent the entire spectrum of break sizes.

It follows that the LGS-PRA treatment of initiating events is more de-tailed and realistic than that of the Grand Gulf study.

2.2.3 Comparison with the Big Rock Point (BRP) PRA In this study, the selection of initiating events was based on a review of plant and industry experience for precursors to significant accident 2-8

r 1 sequences. Failures which would require an active response of the plant were classified as transients, loss-of-coolant accidents, or anticipated transients without scram. External events, although treated in the BRP study, are not included in the comparison in order to be consistent with the scope of the LGS-PRA. Table 2.12 shows the initiating events and respective frequencies (per year) for which event trees have been developed.

For the initiating events considered in the Big Rock Point PRA and not treated separetely in the LGS, the following remarks are made:

e Loss of instrument air initiator. This was given a frequency of 6x10-2/yr and was found to contribute less, than 5% to the total core melt frequency in the BRP PRA. In the LGS, failures due te loss of comp essed af r are treated in the system fault trees.

e Interfacing LOCAs,. According to the LGS-PRA this event does not con-tribute significantly to the core damage frequency. BNL agrees with this assumption based on review of other PRAs which have addressed this issue. There is a potential interfacing LOCA via leakage past the closed MSIVs during an accident. This does not affect the core damage probability, but could, however, affect the consequences of the various accidents. The effect on the risk of such an event has not been assessed in the LGS-PRA nor has it been considered by any other PRA performed to date.

e Steam line break outside containment. According to the RSS, the as-sociated accident sequences leading to core melt are several orders of magnitude smaller in frequency than the ones covered in the large LOCA t ree . In the BRP PRA, it is 0.2% of the total core melt frequency.

2.2.4 Comparison with a List of Initiating Events A comparison was also carried out between the LGS-PRA set of initiating events and a list of initiating events developed for use in the evaluation of risk studies. While this list was not developed for specific use in the evaluation of the LGS-PRA, it does provide an additional check on the set of initiators selected in the LGS-PRA. Table 2.13 contains this list. The following considerations apply to the initiating events not considered in the LGS.

2-9

e Loss of DC Power was considered in the LGS-PRA only in the loss-of-electric-power fault tree, and through this tree it was considered as a support system to most of the frontline systems.

e RCP seal failure was considered in the LGS-PRA as part of the small LOCA initiator frequency.

e Pipe breaks in auxiliary buildings and instrument tube LOCA were not explicitly considered. Although the frequency of the LOCA initiators is not affected by this omission, the :iependent failuees that could result from such an initiator were no: corsidered. Such failures were not included in the RSS eitner.

e Scram discharge volune (SD'/) LOCA was considered under the assumption that the frequency of SDV t0CA is about 10-'5 per plant year and that the operability of the required mitigation equipment is not degr6ded by the adverse SDV break environment. The fregtency of core damage is 1 estimated to be less dan 10-6 per plant year.(1) e Loss of component cooling water, loss of service water, and loss of ventilation in the auxiliary building are treated only in the. system fault trees. Inclusion of these events as initiating events is not expected to contribute significantly to the total core damage frequ-ency, provided that the dependences on these support systems are adequately included in the calculations and that as initiators they result in a transient equivalent to turbine trip.

e Reactor coolant pump seal failure following a station blackout was not considered and its possible contribution to the total core damage frequency was not assessed.

o Loss of instrument and control power was also not considered.

2.3 Conclusion It is concluded that the selection of initiating events in the LGS-PRA l has been done in a reasonable manner within the given scope of the study.

j This is based on the determination that the list of initiating events used for the LGS compares favorably with the RSS list; and that the initiating events l not treated in the LGS are not expected to significantly affect the total core j damage frequency.

l 2-10

2.4 References to Section 2

1. Hagen, E. W., editor, " Operational and Safety Concerns of the BWR Scram Systems," Nuclear Safety, Vol . 23, No. 2, March / April 82.

2. Letter from A. Schwencer, NRC, to E.G. Bauer, Philadelphia Electric Company,

Subject:

" Request for Additional Information and Clarification on Limerick PRA," March 23, 1982.

3, Letter to H.R. Denton, NRC, from E.J. Bradley, Philadelphia Electric Company, transmitting Rev. 4 to LCS-PRA, June 11, 1982.

4. Hatch, S.W., " Reactor Safety Study Methodology Application Program:

Grand Gulf #1 BWR Power Plant," NUREG/CR-1659/4 of 4, November 1981.

5. " Assessment of BWR Mitigation of ATWS," GE Report NECE-24222, Vols. 1 and 2, 1979.

6. " Anticipated Transients, A Reappraisal," EPRI NP-2230.

7. Reactor Safety Study, "An Assessn.ent of Accident Risks in ll.S. Commercial Nuclear Power Plants," WASH-1400, hCREG/75-014, October 1975.

8. Letter from Consumers Power Company to NRC, Attention: D. Crutchfield, attachment entitled " Consumers Power Company Probabilistic Risk Assessment of Big Rock Point Plant," Docket 50-155, March 31,1981.

2-11

I I I I I 6

> l0 -

3 s

' --- WAS H - 140 0 1

N LGS -

- 10 I ' _ m C

1 b' N ~ (RECIRCULATION) 5 l

5 4 o 10

'N 'N

~

N '

s ~

wf'(INJECTION) k.

~ ~ a

'N_

%~~~

3 10 -

{

h to 15 0 25 EQUlVALENT BREAK DlAMETER (inches)

{

m ~~ rg$!:$ , igF

- - - . =

- I 5 )

I

- 2 s 0 ) - e 0 N -

h 4 ) _

c 1

N O I

i n

- O T - (

H C I

S S T E - 0 R i A i 2 E A G L J

- T WL U N I - E C ( M

_ - R A

- I C _

N I D

E 5 i

R l

1 K

A

(

E R

/N '

B T

i 0 N N

I 1

E s

L q A V

l U

N Q l

i 5 E

\

\i \

'\'

c f' I - -

6 5 0

1 0

1 N : N 2 a_

~e

p

q. -

Table 2.1 Safety Functions Required for Initiating Events

1) Render reactor subcritical

2) Protect reactor coolant Eystem from overpressure failure

3) Remove decay and sensible heat from core ,

4) Protect containment from overpressure ,

5) Scrub radioactivity from containment atrosphere 'I I

, t

i. Table 2.2 Safety Functions for Limerick Generating Station

1) Render reactor subcritical

2) Protect reactor coolant system from oserpressure failure

3) High pressure injection of coolant into core

4) Depressurization

5) Low pressure injection of coolant into core

6) Containment Heat Removal

, 7) Scrub radioactivity from containment atmosphere '

l l 2-14 l

Table 2.3 Frontline Systems for Limerick Generating Stations Safety Function Frontline Systems

1) Reactor subcriticality 1) Reactor protection system

2) Recirculation pump trip

3) Alternate rod insertion

4) Standby liquid control

2) Reactor coolant system 5) 14 Safety / relief valves (SRV) overpressure protection

3) High pressure. injection 5) RCIC

7) HPCI 4

8) CRD

I 9) Condensate and feedwater o

system with power conversion

. system-

4) Depressurization

10) Automatic depressurization system

5) Low pressure injection 11) LPCI

12) LPCS *

13) . Condensate pumps 1

6) Containment heat removal 14) RHR and RHRSW

15) PCS

16) Suppression pool

7) Scrub radioactivity from 17) Suppression pool

18) Containment sprays

containment, atmosphere l

These systems were conservatively not considered in the PRA.

2-15

Table 2.4 Comparison of LGS and RSS BWR Safety Systems LGS RSS-BWR Power (MWT) 3293 3293 Containment MK-II (concrete with MK-1 (free star' ding steel liner) steel)

Relief valves 14 SRVs 11

Safety valves ---

2 RCIC 600 gpm 600 gpm HPCI 5600 gpm minimum 5003 gpm

LPCI 4 pumps, 10000 gom per 4 pumps,10000 gpm per pump with 4 loops pump with 2 loops LPCS 2 loops, 6350 gpm per 2 loops, 6250 ppm per loop with 2 pumps per loop with 2 pumps loop per loop ADS Valves 5 SRVs 5 relief valves RHRHX 2, cooled by RHRSW 4, cooled by HPSW EDG 4 4, shared between two units RPS Has ARI, RPT Has RPT 4

SLC 3 pumps, automatic 2 pumps, manual actuation,43GPM per pump. actuation RHRSW 2 loops with 2100% ---

pumps per loop. Each loop serves 1

, RHRHX for each unit (i .e. , shared between units)

HPSW ---

4 pumps, 100% each no cross-connection with other unit i considered l ESW 2 100% loops with 2 50% 1 100% pump per unit capacity pumps per loop.

Shared between units FW and condensate 3 turbine-driven feed 3 turbine-driven feed pumps and 3 electric- pumps and 3 electric-driven condensate pumps driven condensate l pumps 2-16

> Table 2.5

SUMMARY

OF SUCCESS CRITERIA FOR THE MITIGATING ,~

SYSTEMS TABULATED AS A FUNCTION OF ACCIDENT INITIATORS SUCCESS CRITERIA ACCIDENT INITIATOR Coolant Injection Containment lieat Removal Large LOCA: 1 of 4 LPCI Pumps 1 RHR Pump Steam Break > 0.08 ft OR 2

Liquid Break > 0.1 ft 1 of 2 Core Spray Subsystems (2 pumps)

Medium LOCA: HPCI PCS or 1 RHR Pump Steam Break 2 OR 0.016 to 0.08 ft 1 of 4 LPCI Pumps and Liquid Break 2 OR r 0.004 to 0.1 ft 1 of 2 CS Subsystems ADS

Small LOCA: HPCI PCS OR 1 RHR Pump 2

Steam Break < 0.016 ft OR 2

Liquid Break < 0.004 ft RCIC OR 1 Feedwater Pump OR 1 of 2 CS Subsystems 1 OR 1 of 4 LPCI Pumps yand OR ADS

1 Condensate Pump s

Transient Same as Small LOCA Same as Small LOCA 1

l l

l

ADS requires operation of ,only two safety / relief valves for adequate depressurization.

(1) This table has been extracted from Table 1.2 cf the LGS-PRA.

2-17 2 ._ _ _ _

TABLE 2.6 _

LOCA Success Criteria LGS RSS-BWR Equivalent Break Size Steam Liquid Stean Liquid-Diameter A* A*

.For Injection

" l 4/4 CS 1/4 LPCI or 13.5 in. - or 1 3/4 LPCI and 2/4 CS 2/4 CS

,For Recirculation I 1/4 CS

' AND 1 or 1 RHR l 1/4 LPCI and 8.5 in. - 1 RHR Sl+ HPCI or i

1/4 LPCI 4 or ADS 1/4 CS 4.7 in. - AND S2**

4.3 in. -

3.8 in. - l HPCI 1 RHR S1 HPCI or or RCIC 1/4 LPCI 2 or 2.5 in. - or ADS 2/4 CS 1/4 LPCI 4 AND or ADS 1.7 in. - PCS 1/4,CS 52** or

HPIC 1 RHR AND 4

or 1 in. - RCIC <S2** 1 RHR or FW 0.85 in. - or 1 1/4 LPCI 2 CRD or [ ADS . PUMP l

0.6 in. - 2/4 CS J AND PCS or 1 RHR A: Large LOCA.

+ S1: Medium LOCA.

- S2: Small LOCA.

2-18 l l-

Table 2.7 Transient Success Criteria LGS RSS SRV 8 out of 14 8 out of 13 Injection HPCI HPCI or or RCIC RCIC or or FW FW or or 2 out of 4 LPCS' 4outof4LPCSl pumps 'and pumps or ,2 or and 1 out of 4 LPCI I ADS 3 out of 4 LPCII 4 pumps viv. & 2 out of 4 J ADS LPCS pumps or 1 condensate pump )

Containment PCS PCS Heat Removal or or 1 RHR 1 RHR 2-19

Table 2.8

SUMMARY

OF LGS CAPABILITY FOR ATWS MITIGATION (Alternate 3A Modifications)

. Failed Systems or Functions 2 SLC + 2 SLC + HPCI MSIV Transient 2 SLC FW + 2 SLC + 2 SLC + FW + LEVEL 8 FW LEVEL 1 Initiator PUMP RCIC 1 RHR 2 RHR HPCI TRIP RUNBACK TRIP RPT TURBINE TRIP A A A A N A A N 7 N ,

8 MSIV CLOSURE A A A t; N N A A N LOSS OF 0FFSITE A A A N N N A A A POWER INADVERTENT OPEN A A A N N N A A A RELIEF VALVE I

A: acceptable H:not acceptable

Table 2.9

SUMMARY

OF THE CATEGORIES OF BWR TRANSIENTS USED TO CLASSIFY OPERATING EXPERIENCE DATA ON ANTICIPATED TRANSIENTS *

1. Electric Load Rejection

2. Electric Load Rejection with Turbine Bypass Valve Fatture

3. Turbine Trip 4 Turbine Trip with Turbine Bypass Valve Failure

5. Main steam Isolation Valve Closure j 6. Inadvertent Closure of One M51V (Rest Open)

7. Partial M51V Closure

8. 14ee of Ilormat Condenser vacuum

9. Pressure Regulator Fatis Open

10. Pressure Regulator Fatis Closed

11. Inadvertent Opening of a safety /Reitef Valve (Stuck)

12. Turbine Bypass Fatis Open

13. Turbine Bypass or Control Valves Cause Increase Pressure (Closed)

14. Rectrculation Control f ailure -- Increasing Flow

15. Rectreulation Control Failure -- Decreasing Flow .

16. Trip of One Rectrculation Pusp

17. Trip of All Rectrculation Pugs

18. Abnormal Startup of Idle Rectrculation Pump

19. Rectrevlation Pump 5etture

20. Feedwater -- Increasing Flow at Power

21. Loss of Feedwater Heater

22. Loss of All Feedleater Flow

23. Trip of One Feedwater Pus, (or Condensate Pump)

24. Feed ater -- Low Flow

25. Low Feedwater Flow Ouring Startup or Shutdown

26. High Feedwater Flow Durin2 Startup or Shutdown

27. Rod litthdraw at Power

20. High Flus Due to Rod Withdrawal at Startup

29. Inadvertent tnsertion of Rod or Rods

30. Detected Fault in Reactor Protection System

31. Loss of Offstte Power

32. Loss of Avattf ary Power (Loss of Aust11ary Transformer)

33. Inadvertent Startup of HPCI/HPCS 34 Scram due to Plant occurrences

35. Spurtous Trip via instruwentation. RP5 Fault

36. Manual Scram -- No Out-of-Tolerance Condition

37. Cause Unknown

EPRI-SAI Study 2-21

Table 2.10 Grouping of Transient Initiators ITEM TRANSIENT 1 MSIV Closure Closure of all MSIVs (5)*

Turbine trip without bypass (2,4)

Loss of condenser (8)

Loss of feedwater (22) 2 Turbine Trip Partial closure of MSIVs (5,7)

Turbine trip with bypass (3,13,30,32,33,34,35,36,37)

Recirculation problem (14,15,16,17,18,19)

Pressure regulator failure (9,10)

Inadvertent opening of bypass (12)

Rod withdrawal / insertion (27,28,29)

Disturbance of feedwater (20,21,23,24,25,26)

Electric load rejection (1) 3 Loss of Offsite Power (31) 4 Inadvertent open relief valve (11)

Number in parenthesis refer to transient numbers from Table 2.9.

l i

2-22 )

\

Table 2.11 BWR Transients (Reactor Safety Study Table I.4-12)

Likely Initiating Events

1. Rod Withdrawal at Power

2. Feedwater Controller Failure -

Max. Demand

3. Recirculation Flow Control Failure (Increasing Flow)

4. Startup of Idle Recirculation Pump

5. Loss of Feedwater Heating

6. Inadvertent HPCI Pump Start

7. Loss of Auxiliary Power

8. Loss of Feedwater Flow

9. Electric Load Rejection (Turbine Valve Closure)

10. Turbine Trip (Stop Valve Closure)

11. Main Steam Line Control Valve Closure

12. Recirculation Flow Control Failure (Decreasing Flow)

13. Recirculation Pump Trip (One Pump)

14. Recirculation Pump Seizure

15. T-G Pressure Regulator Fail-ure Rapid Opening 2-23

. Table 2.12 Initiating Events for BRP PRA for Which Event Trees Were Developed Frequency Initiating Event (per Year)

Turbine Trip 1.4 Loss of Main Condenser 6.0x10-2 l Spurious Closure of MSIV 6.0x10-2 Loss of Feedwater 1.6x10-1 Loss of Offsite Power 1.3x10-1

! Loss of Instrument Air 6.0x10-2 i

Spurious Opening of Turbine i Bypass Valve 1.0x10-1 1

Spur'ious Opening of RDS a Isolation Valve 1.2x10-3 I Spurious Closure of Both j Recirculation Line Valves 1.7x10-2 Stuck-0 pen Safety Valve 2.6x10-4 Interfacing LOCA 1.98x10 3 High Energy Line Break in

Recirculation Pump Room 3.9x10-7

) High Energy Line Break in Pipe Tunnel 3.8x10-6

Small LOCA 1.0x10-3

! -Medium LOCA 1.0x10 4 Large LOCA 1.0x10-5

, Small Steam Line Break '

Inside Containment 1.0x10-3 Medium Steam Line Break Inside Containment 1.0x10-4 l

1 2-24 l

a .v_ . - . . . -

Table 2.13 List of Initiating Events

-t

1. Station Blackout (loss' of of fsite and emergency ac power) a) RCP seal failure '

b) Loss of dc after finite time

2. Loss of dc power

3. Loss of instrument and control power

4. RCP trip for a small LOCA (PWR)

5. SDV LOCA (BWR)

6. Multiple instrument tube LOCA below core level

7. Overcooling events a) Pressurized thermal shock

, 8. Over pressurization during cold shutdown (PWR)

9. Large LOCA a) RCP missiles b) Other missiles

10. Steam Generator tube f ailure (PWR)

11. ATWS

12. Stuck open S/R valve

13. Break in RHR during cold shutdown l

14. Loss of main feedwater

15. Containment isolation

16. Turbine trip

17. Loss of component cooling water

18. Loss of service water

19. Loss of ventilation in auxiliary building

20. Pipe breaks in auxiliary building

21. RCP seal failure

22. Boron dilution a) shutdown (PWR)

23. Excess feedwater events

24. Loss of instrument and control air 2-25

.. .? _ -

3.0 ACCIDENT SE0VENCE DEFINITION 3.1 Introduction To assess the various accident sequences, i.e., the combintions of sys-tem failure events that, following the initiating events, lead to core damage, the LGS-PRA used an approach based on the event tree and fault tree tech-niques. This approach differs, however, from that followed in the Reactor Safety Study and those of other PRAs, in two major ways. In addition to using functional and systemic event trees and system fault trees, the LGS-PRA em-ployed three variations of these techniques, namely, the time-phased systemic event trees, the functional fault trees, and the functional-level event trees.

The logic employed in the LGS-PRA for the definition of the accident sequences is as follows:

e Functional event trees were developed for each of the twelve groups of accident initiators (see Section 2.2). A functional event tree de-picts combinations of safety functions that can lead to a safe core condition or core damage, or constitute an initiating event for some other kind of potential accident. The LGS-PRA functional event trees employ a finer safety function decomposition than that of the RSS functional event trees. For example, the coolant makeup function was decomposed into high pressure and low pressure makeup (see also Table 2.2). The combinations of the failed safety functions in these trees (tree paths) that can lead to core damage constitute the accident sequences for the LGS-PRA. The quantification of each branch point in the functional event trees was done with the help of functional fault trees, functional-level event trees, time-phased systemic event trees, and system fault trees.

e For certain functions in the functional event trees, functional fault trees were developed. In these latter trees, the top event is the failure of a particular function and this failure is further de-composed into simpler failures until a level of resolution is reached where each event constitutes a failure of a frontline system. For I other functions in the functional event trees, functional level event l

j trees were developed. These trees depict combinations of system suc-I cess and failures that can lead to a success or failure of the func-tion in question.

I 3-1

e For some functions in the functional event trees, which entail sys-tems that can be recovered (if failed) during the course of the ac-cident, time-phased event trees were constructed. The headings of these event trees are the states of the involved systems at various instances of time, e.g., unavailability of AC power one half hour after initiation of the accider,t. This approach is equivalent to dis-cretizing the recovery time of the various systems and, thus, it al-lows for incorporation of recovery in the analysis, o Unavailabilities for some systems in the functional event trees, the functional fault trees, and the time-phased systemic event trees were obtained by developing system fault trees. Some systems fault trees allowed for recovery of failed components or the entire system.

Functional fault trees, functional-level event trees, and time-phased ev-ent trees were employed in the LGS-PRA to account for dependences among front-line systems (through shared hardware or common support systems) and to ac-count for the possibility of recovery of systems that were unavailable at the initiation of the accident.

The various types of logic trees employed in the LGS-PRA along with the modeling of human errors and of dependences are further discussed in the re-mainder of this section.

In particular, Subsection 3.2 discusses the functional event trees. Sub-section 3.3 reviews the functional fault trees. Subsection 3.4 presents the time-phased event trees. Subsection 3.5 discusses the system fault trees.

Subsection 3.6 comments on the modeling of human performance. Finally, Sub-section 3.7 reviews the modeling of dependences. Functional-level event trees are not discussed in detail because they all involve proprietary information.

3.2 Functional Event Trees The functional event trees used in the LGS-PRA provide a logical method for developing and displaying accident sequences which may follow an initiat-ing event. The following major event trees corresponding to the initiating event groups were developed:

3-2

a) Transient Event Trees

1. Turbine trip (T T)

2. MSIV closure / loss of feedwater (Tp)

3. Inadvertent open relief valve (Tg )

4. Manual shutdown (TM )

5. Loss of offsite power (TE) b) LOCA Event Trees

6. Large LOCA (A)

7. Medium LOCA (SI )

8. Small LOCA (S2 )

c) ATWS Event Trees

9. Turbine trip (TT) 1

10. MSIV closure / loss of feedwater (Tp2)

11. Loss of offsite power (TE)

12. Inadvertent open relief valve (Tg4 )

The LGS approach included the following functions in each event tree for transients, LOCAs, and ATWS:

a) Transients e Reactor subcriticality (C) e Safety-relief valve actuation (M) e Safety-relief valve reclosure (P) e Condensate /feedwater and power conversion system (Q) e High pressure injection (U) e Automatic depressurization system actuation (X) e Low pressure injection (V) e Containment heat removal (W) b) LOCAs e Reactor subcriticality (C) e Injection system (injection (E) and recirculation (I) are treated separately) e Depressurization (when required) e Containment heat removal (J) 3-3

1 i

c) ATWS o Prevention Features

1) Mechanical or electrical failure of RPS identified

2) Recirculation pump trip (RPT)

3) Alternate rod insertion (ARI) o Mitigation Features

1) Poison injection (C12 &C) 2

2) Adequate pressure control (M)

3) Safety-relief valves reclosure (P)

4) Coolant injection (high pressure only) (U & UR)

5) Inadvertent operation of ADS or vessel overfill (D, Ug)

6) Containment heat removal (W2' W12)

For the transient initiating events, the LGS-PRA followed a different ap-proach than the Reactor Safety Study by developing five transient event trees instead of one in the RSS. Since the success criteria of the frontline sys-

! tems are not the same for all the groups of transient initiators, the LGS-PRA handling of the transient events is less conservative and more realistic than that of the RSS (e.g., manual shutdowns present the system with a much milder challenge than the transients resulting in MSIV closure). A short description of the five transient functional event trees follows.

Figures 3.1 through 3.5 are the transient event trees used in the LGS-PRA.

Turbine Trip Transient (TT ) (Figure 3.1) - This type of transient presents the least challenge to the plant. It was assumed that the turbine bypass valves are available for these sequences. For those cases in which the turbine bypass valves are not available, the MSIV closure / loss of feedwater event tree is used. The turbine trip function event tree comprises eight safety functions. The failure of the first function reactor subcrit-icality (C), results in an ATWS event which is more appropiately addressed in the turbine trip ATWS function event tree depicted in Figure 3.10. After the reactor has attained subcriticality, failure to accommodate the pressure surge caused by the transient due to failure of safety relief valves (SRVs) to open (M) is conservatively assumed to result in a large LOCA event. The success and the f ailure of the SRVs to reclose lead to two different, yet similar, sequences paths. Both branches are then evaluated for the high pressure sys-tem functions, viz., the feedwater and PCS function, Q, and the HPCI or 3-4 1 , .

RCIC function, U. If the high pressure functions are successful, core damage may not occur, provided that the containment heat removal function is successful. If it happens that both high pressure functions fail, then the timely ADS actuation function, X, is evaluated. This function entails only the capability of the operator to depressurize the system on a timely basis; the hardware failure consideration of the ADS system is included in the low pressure injection function, V. Failure of the containment heat removal function (W) or the low pressure injection or the timely ADS actuation function leads to core damage.

MSIV Closure / Loss of Feedwater Transient F(T ) (Figure 3.2) - These types of transients lead to a more significant challenge to the plant as compared to the turbine trip transients. The MSIV function event tree is identical in structure to that of the turbine trip. This is because of the similarities in both the challenges posed by the two initiators and the re-quired response of the safety functions of the plant to mitigate the events.

The only difference between the two functional event trees resides in the un-availabilities of the feedwater/ power conversion system for both the high pressure injection and long term containment heat removal functions. This is due to the more significant challenge to the plant from a MSIV closure initiator as noted earlier.

Inadvertent Open Safety-Relief Valve (T I ) (Figure 3.3) - This transient

! was treated separately since the operator must recognize the event and manual-ly scram the reactor. Additionally, the containment conditions are different from other transients because of the higher total heat addition to the suppression pool at the time of plant shutdown. This higher heat addition places a more significant demand on the containment heat removal function.

l The principal distinction of this tree stems from the three branches de-picted for the timely scram initiator function, c', c". The top branch re-

presents a successful timely scram in which no additional requirement is placed on the cooling of the suppression pool. The center branch denotes the scenario in which the reactor is scrammed prior to the suppression pool reaching a temperature requiring prompt RHR system operation and PCS recovery.

The third branch is equivalent to failure to scram the reactor prior to ex-ceeding the containment heat removal capability. The feedwater and PCS system 3-5

is not evaluated in this tree because operation data indicate that during an 10RV event the MSIVs may close, thus, causing all decay heat to enter the suppression pool.

Manual ShutdownM(T ) (Figure 3.4) - This event tree accounts for those chalienges to the plant which result from a controlled manual shutdown. The shutdown considered is not a scram but a manual control rod insertion in a slow, orderly manner. Examples of these types of shutdowns are scheduled or forced maintenance outages and refueling outages.

Operating experience indicates that because of the controlled nature of the transient, the SRVs are not challenged. Therefore, only the high pressure injection function, timely ADS actuation, low pressure injection function, and the containment heat removal functions are evaluated. Failure of the high pressure functions, and failure of the timely ADS actuation function, X, or the low pressure injection function would lead to core damage. Failure of the containment heat removal function also results in core damage.

Loss of Offsite Power (TE ) (Figure 3.5) - This transient provides unique initial conditions for accident sequences because of the loss of AC power and the resulting demand for the diesel generators. The initial condition of loss of AC power affects the majority of the frontline systems since AC power is needed for most plant systems. This tree has been time phased for the coolant injection and containment heat removal functions to I

account for recovery of AC power, and it is further discussed in Section 3.4.

i Figure 3.6 is the transient event tree from the RSS (Figure I 4-16).

This tree was used by the RSS for all anticipated transients requiring reactor shutdowns from power operation that are not the result of LOCAs.

The LGS-PRA approach is considered to be an improvement over the

! one-transient event tree, as used in the RSS. The use of the LGS-PRA MSIV closure / loss of feedwater (T p ) event tree for all LGS transients would be similar to the approach used in the RSS because this event tree represents a

! signi,ficant challenge to the plant. This would, however, be too conservative since not all transients challenge the frontline systems as shown in the Tp event tree. The RSS analyzed the loss of offsite power transient by using the l

3-6

same transient event tree. The LGS-PRA added more detail over this simplified approach in their loss of offsite power (TE ) event tree. This is considered to be a significant improvement. The use of the TI tree in the LGS-PRA is another improvement over the RSS approach. The RSS concluded that these types of transients are insignificant to the frequency of core damage.

For the LOCA-initiating events the LGS-PRA developed three functional event trees corresponding to the three break size categories (large, medium, small) as it was done in the RSS. The LOCA event trees used in the LGS analysis, however, are slightly different from those used in the RSS. The three event trees used model the different effects on the reactor and the different success criteria required as a function of LOCA break size and location (liquid or steam break). The large LOCA event tree handles those breaks which depressurize the reactor, and the two smaller LOCA trees handle the breaks that do not cause reactor depressurization.

The LGS-PRA large LOCA event tree (shown in Figure 3.7) differs from the one used in the RSS. It contains the same systems and has the same structure as the RSS event tree with the exception of the electric power (B), vapor suppression (D), containment leakage (G), and core cooling (F) functions.

Electric power was not included in the LGS LOCA event tree because LG5 considered that a more proper treatment of electric power and its interactions with systems would result by incorporating electric power into the individual system fault trees at the component level. In addition, containment leakage and vapor suppression were also eliminated from the LGS LOCA event trees, since they did not significantly affect the LOCA sequences at Limerick. At Limerick, the low pressure pumps are designed to pump saturated water from the suppression pool with no back pressure requirement in the containment. Thus, the presence of containment leakage would not adversely affect their performance. Emergency core cooling functionability has also been removed from the event tree since LGS identified no physical basis for this event.

Section 3.7 discusses the impact on risk of omitting these functions from the large LOCA event tree.

3-7 l

The medium LOCA and small LOCA event trees for Limerick (Figures 3.8 and 3.9) also differ from the RSS small LOCA event trees. Electric power (B),

vapor suppression (D), and containment leakage (G) were eliminated using the same reasoning given for the large LOCA. Since the plant's reaction to a small LOCA is similar to a transient, the small LOCA event tree resembles a transient event tree.

i The LGS ATWS event trees handle those transients which do not result in l successful scram. These trees include analysis of the four major transient groups (turbine trip, MSIV closure,10RV, and loss of offsite power). Thus, there are four ATWS event trees:

1) Turbine trip (see Figures 3.10 and 3.11) - In the event of a turbine

, trip with failure to scram, two scenarios have been developed in the LGS-PRA to model the plant response. The first case assumes that, j given the turbine trips, the turbine bypass remains open. The con-denser is available and feedwater is properly controlled to maintain adequate flow from the condenser hotwell to the reactor. However, should the turbine bypass fail, or should feedwater fail to be balanced, the LGS-PRA conservatively assumed that they are similar to a total loss of condenser heat sink which would result in a MSIV closure. These second case events are treated in the MSIV ATWS functional event tree.

2) MSIV closure / loss of feedwater (see Figures 3.12 and 3.13) - This group includes those transients which challenge the plant in a manner equivalent to or milder than a closure of all MSIVs or loss of feedwater. Also included are those turbine trips which were shown to resuit in eventual MSIV closure due to the instability of feedwater during the ATWS.

3) Loss of offsite pr>,er (see Figures 3.14 and 3.15) - The single initiator is luss of offsite power with ATWS.

4) 10RV (see Figures 3.16 and 3,17) - The single initiator is inadvert-ent opening of a SRV with ATWS.

4 3-8

These types of ATWS event trees were not used in the RSS. The LGS use of these trees yields a detailed analysis of ATWS mitigating function and this constitutes a realistic, less conservative approach to the evaluation of the ATWS contribution to the core-damage frequency and to the total risk.

In summary the use of four transient event trees, one manual shutdown ev-ent tree, three LOCA event trees, and four ATWS event trees provides a more de-tailed and realistic analysis in the LGS-PRA when compared to the RSS.

3.2.1 BNL Revisions in the Functional Event Trees BNL revised the event trees slightly to make the headings on the event trees applicable to systems instead of functions. This change was incorporated in order to include some dependences between functions. For ex-ample, in Figure 3.1, there is a dependence between the Q function (which includes feedwater, condensate, and PCS) and the W function (which includes PCS, RHR, and RHRSW). These dependences were not considered in the LGS-PRA.

Section 5.2 discusses the BNL revisions and their quantification.

3.3. Functional Fault Trees The functional fault trees were introduced in the LGS-PRA to account for hardware dependences among the frontline systems serving a specific function.

In these trees, the top event is the failure of the function, and the " basic" events are failures of frontline systems. If these basic events are replaced by the system fault trees developed for each frontline system and the re-sulting expanded tree is quantified, then the probability of the top event (i.e., the probability of the failure of the particular function) correctly incorporates any dependences among the frontline systems resulting from shared hardware or common support systems. This, of course, would be true if all common hardware and support systems have the same identifier at the various locations in the trees in which they appear.

To calculate the probability of a core-damage sequence in the functional event tree, the following steps are taken.

1) " Link" under an "AND" gate the functional fault trees corresponding to the failed functions of the sequence.

3-9

2) In tihe resulting tree, replace the " basic" events (system failures) by their system fault trees.

3) Perform Boolean manipulations of the resulting expanded tree and evaluate the accident sequence probability (top event).

, This approach is theoretically equivalent to the one that: 1) expands the functional event tree into an event tree that has systems as headings; and

2) for each sequence " links" under an "AND" gate the system fault trees of the systems involved in the seauence. The functional fault tree approach is a reasonable and logical way to develop accident seque.nces and the LGS-PRA an-alysis appears to contain sufficient detail. However, in the accident sequ-ence quantification process, the LGS-PRA has neglected potentially important dependences. This is due to the fact that the functional fault trees were used in isolation to quantify the probability of failure of the corresponding functions. Then to estimate the probability of an accident sequence, the probabilities of the failed functions of the sequence were simply multiplied.

This approach yields the correct results only if there are no dependences whatsoever among the functions of the event trees. This is not always the case, however, since there are support systems that support frontline systems serving different functions. By not linking together functional fault trees corresponding to different functions, the impact of dependences will be underestimated. This is a major deficiency of the Limerick PRA, which is further discussed in Section 3.7. The quantitative effect is estimated in Section 5.

3.4 Time-Phased Event Trees The loss-of-offsite-power initiator was treated by a separate event tree which had both coolant injection and containment heat removal functions time-phased via separate detailed event trees. These are shown in Figures 3.5, 3.18 and 3.19. This detail is considered appropriate because of the unique conditions placed upon the plant by this initiator. The event trees used in the LGS-PRA consider the time-phased interaction of systems and their response for various discrete time intervals ranging up to 20 hours2.314815e-4 days 0.00556 hours 3.306878e-5 weeks 7.61e-6 months following the loss l of offsite power. Thus, the possibility of recovering certain systems during the various time phases can be taken into account. This is a significant improvement over the RSS. Another improvement is the recognition and modeling 3-10

, of the effects of room cooling and DC battery life on the high pressure injec-tion systems (HPCI and RCIC). Specifically, in time-phasing the injection function the following considerations are taken into account: 1) cooling of the HPCI and/or RCIC roome, is required after 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months or system failure is as-sumed, 2) recovery of AC power is required after 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months of operation or injection is assumed to fail because of depletion of the batteries causing loss of automatic control and operator indication.

Another variation of the time-phased event trees were the functional-level event trees. In these trees the outcome of a tree path is the success or the failure of functions. The events in these trees are system success failures and operator actions. Different functional-level event trees were drawn to represent the success or failure of a function at different time-phases.

3.5 Systen Fault Trees The system f ault trees are contained in the proprietary document "Probabilistic Risk Assessment, System Level Fault Trees," Revision 2, April 1982.

The following LGS systems were analyzed by system fault trees:

High pressure coolant injection (HPCI)

Reactor coolant isolation cooling (RCIC)

Feedwater and condensate (FW)

Automatic depressurization system (ADS)

Low pressure coolant injection (LPCI)

Residual heat removal * (RHR)

Low pressure core spray (LPCS)

Electric power systems (EPS)

Emergency service water (ESW)

Standby liquid control system (SLCS)

There were no system fault trees developed for the following systems:

This system has two f aulf trees associated with it. One tree applies if the reactor is pressurized when the system is required, and the other tree applies if the reactor is depressurized when it is required.

3-11

a) Reactor protection system - the unavailability value given in NUREG-0460 of 3x10-5 was used b) Plant air systems (support system) c) Turbine enclosure cooling water (support system) d) Reactor enclosure cooling water (support system)

The impact of the omission of fault trees for the above systems has not been evaluated, but it may be important. In particular, the omission of the fault tree for the plant air systems may be important because this system interacts with (supports) over three quarters of the frontline systems and the service water system.

In general, the majority of the system fault trees appear to be reasonably complete and accurate. Some additions and revisions were made to the trees, however, by BNL. These changes are discussed in the following subsection and their quantitative effect is given in Section 5. The trees are resolved down to the component level. The level of resolution is determined by the availability of data and by the possibility that further resolution will uncover existing dependences. The level of resolution in the trees is consistent with state-of-the-art PRA practice. The fault trees were developed either to allow each component to operate as designed or to fail. This approach is conservative, but it is consistent with the present PRA state of the art. The following items were not included in the analysis of the failure of a component (or system) as being outside the scope of the PRA.

a) External events b) Sabotage c) Operator errors of commission d) Location-dependent common mode failures Manual operation of coolant injection, if required, was assumed to have a 30-minute grace period. The failure rates used in the fault trees were point values and were meant to represent the average over the plant lifetime (i.e.,

wear-in and wear-out rates were averaged into the failure rates). It should be noted that the risk during the first year of plant operation may be higher than the average risk over the plant lifetime. This is due to a higher initiator frequency and higher failure rate during the wear-in period. A com-l 3-12

pensating tendency is associated with the expectation that the average power level during the first year of operation is probably less than 50% of full power.

The dependences within a system were treated by using the same alpha-numeric designator for components that appear several times in the tree. For example, if a division of DC power supplies an initiating circuit of an ECCS pump, then the fault tree would designate this 125 V DC division by the same ,

alphanumeric designator, in both the initiating circuit and the control sys-tem. This ensures that the WAM code, when run, would properly account for this dependence between the initiating circuit and control system via Boolean manipulation of the tree. For some systems within the same function, for example, HPCI and RCIC for the function of high pressure coolant injection, this method was properly used. As noted in Section 3.3, this policy was not followed, however, for all system combinations within the same function, and definitely not when different functions are combined. For example, LPCI and RHR functions have many commonalities since they share a number of com-ponents. But some common valves were given different alphanumeric de-signations in the two system fault trees. In fact, when BNL initially tried to combine these functions in the WAM code, there were indications that interfunction commonalities and/or dependences were not properly treated. The effect of this oversight and of the improper treatment of other commonalities and/or dependences are documented in Section 5.

3.5.1 Summary of BNL Modifications to LGS System Fault Trees A thorough review of each fault tree was performed using PaIDs and sin-gle-line electrical diagrams provided to BNL. The following is a list of changes that were made to the trees which significantly changed some of the

system unavailablity values. Other omissions were found but these did not significantly affect the results. The specifics of these changes are given in Table 3.1.

Feedwater (FW) a) The LGS-PRA tree accounts twice for the failure of the operator to reset and restart the system following a false high reactor vessel level (level 8) trip. One of these was removed and the failure '

probability of the system was restored to its correct higher value.

3-13

l l

b) The steam seal supply line relief valve could stick open, thus, starving the steam seals and causing loss of vacuum.

c) Condenser vacuum could be lost via opening of vacuum breakers HV-142 through HV-145.

d) Increased failure probability was assigned to the operator for clos-ing valves HV-116A, B, and C (RFPT steam exhaust butterfly valves) due to the short time available to react following a RFPT rupture diaphragm failure or loss of sealing steam, e) Failure of the operator to start the mechanical vacuum pump if the steam jet air ejector (SJAE) legs are unavailable was added to the trees.

f) Failure of the SJAE noncondensible gas removal due to failure of the j offgas removal system was added.

g) Increased failure probability was assigned to the operator for by-passing a failed sealing steam pressure regulator due to the short time available to react to prevent loss of vacuum.

h) Common mode miscalibration of both reactor vessel level channels 1 and 2 causing a spurious level 8 trip of the RFPT's was included.

High Pressure Core Injection (HPCI) a) The failure of the shaft-driven lube oil pump was included.

L b) Failure of the turbine exhaust line vacuum breakers was included.

This was included in the RCIC tree but omitted for the HPCI tree.

c) The same probability of HPCI failure-to-start was used on subsequent demands instead of reducing the failure rate by a factor of 10 for subsequent starts (as was done in the PRA).

Reactor Core Isolation Cooling (RCIC)

No significant changes were made to the RCIC system fault tree.

l 3-14 l

Automatic Depres_surization System (ADS) a) The common mode failure of all ADS valve solenoids due to con-taminated gas supply was included.

b) The failure probability of the operator to open valves in order to line up plant instrument air to the ADS valves upon failure of the normal instrument gas supplies was increased.

c) Common mode miscalibration of core spray and RHR pump discharge pres-sure sensors was taken into account. These sensors are used in the ADS logic to verify that a low pressure pump is running before al-lowing depressurization.

Low Pressure Core injection (LPCI) a) The failure of RHR pumps due to the possiblity of the pump suction valve full open limit switches failing was included.

Core Spray (CS)

No significant changes were made to the core spray system fault tree.

Resider.1 Heat Removal (RHR - 1 & 2) a) Tile probability of the operator failing to open common valves MOV-67A and B was increased.

a) The fact that failures of MOV-F003A or B, the RHR heat exchanger dis-charge valves, could cause failure to discharge to the suppression pool was reflected in the tree.

c) The failure of cooling tower systems due to valve 1052 failing closed or the suction strainers from the towers being clogged was included.

Standby Liquid Control System (SLC) n a) Common mode miscalibration of the poison water tank level sensors can trip all three SLC pumps on low level.

3-15

t Electric Power No significant changes were made to the electric power system fault trees. I Service Water (SW)_ l l

No significant changes were made to the service water system fault tree.

3.5.2 Summary of Differences in Assumptions Between LGS-PRA and RSS Differences in the assumptions between the LGS-PRA and tne RSS that affect the failures of systems are summarized below:

a) LGS-PRA included common mode failure of the SRVs.

b) RSS took credit for manual insertion of control rods following an un-successful scram, c) RSS required 4 out of 5 ADS valves to operate for successful depres-surization; LGS required 2 out of 5.

I d) LGS included loss of room cooling of HPCI/RCIC as a possible failure mode.

e) RSS analyzed system fault trees for the vapor suppression system and containment leakage for LOCA.

f) LGS allowed HPCI and RCIC to operate for only 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months on DC power following a station blackout longer than 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months .

3.6 Human Performance Analysis Two types of human errors can contribute to the unavailability of a

frontline systems and eventually to the frequency of core damage. The first type is associated with cognitive behavior events, that is, events characterized by extended mediational or descision-type activities, and the C second type with procedural behavior events. The treatment of these two types of human errors by the LGS-PRA is discussed in the following three subsections.

l 3-16 l-

3.6.1 Cognitive Human Errors Several cognitive human errors are explicitly modeled in the LGS-PRA.

Some are modeled in the event trees and depending on whether they occur or not they define the course of the accident. These human errors are listed in Table 3.2. The most important of these events, in terms of effect on core-damage frequency, is the failure of the operator to timely depressurize the reactor in the case of a transient event and a failure of the high pressure injection function. The event, designated by X is included in the transient 5

trees (see Figures 3.1 to 3.5).

The f ailure of the operator to depressurize the reactor was also included in the RSS-BWR analysis, but it was included in the fault tree of the low pressure injection system. Inclusion of this event in the event trees of the LGS-PRA helped emphasize the importance of this error as far as its con-tribution to the core-damage frequency is concerned. The effect of this error on the frequency of core damage is discussed in Section 5, Accident Sequence Quantification. The BNL review is in agreement with the qualitative modeling approach to this important cognitive human error. However, BNL disagrees with the value used for the probability of this event. This issue is further ex-plored in Section 4.3. Other cognitive human errors were modeled at the sys-tem fault trees, and in general they include failures of manual system initiators, suction transfer, etc. A list of these events is given in Table 3.3.

3.6.2 Procedural Human Errors Procedural human errors contribute to component and/or system un-availabilities through routine operations such as in test and maintenance acts. The LGS-PRA followed the technique recommended in NUREG/CR-1278(1)

' for quantification which is generally regarded as acceptable PRA practice.

The BNL review did not include the quantification of procedural human errors.

The review was mainly concentrated on including omitted human errors which 4

lead to common mode failures. The most significant of these omissions are discussed in Section 3.5.

3-17

3.7 Qualitative Dependence Analysis The objective of this subsection is to review the modeling of dependences in the LGS-PRA and to present the BNL comments and modifications. To avoid potential confusion, stemming from possibly unfamiliar terminology in this area, a short discussion of the various types of dependent events precedes the comments on the LGS-PRA.

Depandent events are those that are influenced by the occurrence of other events. In general this means that the probability with which a dependent ev-ent may occur will depend on whether those events on which it depends have already occurred. Since the existence of adverse dependences is of interest, a dependence between f aults is usually meant to imply that the existence or occurrence of one fault increases the probability of other faults.

Dependences can be classified on the basis of the causative factor of the dependence (i.e., the nature of the " coupling" between faults) and on the com-plexity of the devices

that are involved (i.e., system, redundant train, subsystem, component). On the basis of the nature of the causative factor, de-pendences may be placed in the following three categories:

Type 1 Functional dependences: Dependences among devices that are due to the sharing of hardware or to a process coupling. Shared hardware refers to the dependence of maltiple devices on the same equipment. An illustration of shared hardware is the dependence of both the LPCI and RHR systems upon the same pumps. By a proc-ess coupling we mean that the function of one device depends directly or indirectly on the function of another. A direct-de-pendence exists when the output of one device constitutes an in-put to another. An indirect dependence exists whenever the functional requirements of one device depend on the state of an-other. An illustration of a process coupling is the dependence of the low pressure ECCS upon the automatic depressurization sys- '

tem if the high pressure system should fail during a transient or small LOCA. An illustration of an indirect process coupling is

In the following definitions, the term device is used in a generic sense to

mean system, train, subsystem, or component.

l i

3-18 l

l

the increased flow rate requirements of a pump whenever another pump running in parallel fails. Possible direct process couplings between devices include electrical, hydraulic, pneu-matic, and mechanical connections.

Type 2 Physical dependences: Dependences that couple two devices through a common environment or environmental conductor (s). Most dependences of this type involve devices sharing a spatial domain which allows an extreme environmental condition to affect these devices simultaneously. Such extreme environmental conditions can be generated either externally to the plant by phenomena such as earthquakes, floods, airplane crashes, or other missiles; or internally to the plant by fires, explosions, pipe breaks, etc.

It should be emphasized that spatial coupling is not the only

" environmental" coupling inducing physical dependences. A ventilation duct, for example, might provide an environmental coupling among devices located in seemingly spatially decoupled locations. In addition, radiation or electromagnitic couplings are two other forms of coupling not directly associated with a common spatial domain. Examples of " physical" dependences re-sulting in adverse system interactions are the Browns Ferry-1 fire and the postulated Hosgri earthquake at Diablo Canyon. More specifically, at Diablo Canyon, a charging pump suction line could be " spatially coupled" with a crane monorail during a seismic event resulting in a loss of the charging pump suction.

Type 3 Human-interaction dependences: Dependences introduced by human actions. We can distinguish between two types: those based on cognitive behavioral processes and those based on procedural processes. Dependences due to cognitive human errors result in multiple dependent faults once the event has been initiated and during the actual development of an accident and can be con-sidered dynamic. An illustration of cognitive error is the failure of the operator to initiate reactor depressurization in a transient after failure to correctly diagnose the state of the plant (i.e., failure of high pressure injection). Dependences due to procedural human errors include multiple maintenance and 3-19 ,

equipment positioning and calibration errors which result in multiple dependent faults with effects that may not be im-mediately apparent. An illustration of multiple faults due to a procedural human error is the failure to reopen the discharge valves in all redundant trains of an auxiliary feedwater system after a test or maintenance (as also happened in the TMI-2 ac-cident).

It should be emphasized that the above three types of dependences are not mutually exclusive. Thus, a dependence existing between one device that provides a cooling function and devices that operate within the domain cooled by the first could be characterized either as a functional dependence (i.e.,

indirect process couplin'g since the failure probability of the latter devices depends on whether they operate in a cool 3ble environment and hence on the state of the former device) or as a physical dependence since they are associated with a common spatial domain.

Further classification of the dependences can be based on the complexity of the devices involved, e.g., system, train, subsystem, component. Here, a component is defined as a device that needs no further resolution into finer constituents (we will refer to anything consisting of more than two components as a system). We can therefore distinguish between dependences among systems and among components. Combining the classification of dependences based on the nature of the causative factor with the classification based on the canplexity of the devices, we finally distinguish six types of dependences.

1.1 System functional dependences 1.2 System physical dependences 1.3 System human-interaction dependences 2.1 Component functional dependences 2.2 Component physical dependences 2.3 Component human interaction dependences .

System functional dependences can be incorporated in the event trees and the fault trees, after being identified. Functional dependences due to

" process coupling" (i.e., input-output relationships) are best modeled in the event trees and the functional fault trees. These dependences were generally 3-20 I

addressed in the LGS-PRA. Some omissions in this area are presented in Subsection 3.7.1 where a dependence of the HPCI and RCIC systems on-the suppression pool temperature (state) and the omission of certain functions from the Transie,nt and LOCA trees are discussed. Functional dependences due to " hardware sharing" can be best handled by combining the system fault trees with the event trees and subsequent Boolean reduction of the resulting accident sequences. The functional fault tree approach was employed in the LGS-PRA to account for this kind of functional system dependences. However, system dependences between functions were not always addressed, because the functional fault trees were not " linked" together in accident sequences.

Examples of these omissions are dependences between the functions Q and W and V and W (see Figure 3.1). Functions Q and W both include the PCS system and functions V ar.d W include the LPCI and the RHR systems, respectively, which share some hardware. Furthermore, dependences of frontline systems on supoort systems were not " carried over" across functions. Table 3.4 presents a dependence matrix, that is, provides a list of the frontline systems and of the support systems on which the former depend. Table 3.5 presents a dependence matrix for the support systems. The effect of the system dependences introduced by the support systems of AC power, DC power, and cooling has been assessed by BNL and the results are discussed in Section 5.

The effects of the dependences introduced by the remaining support systems in Table 3.4 were not assessed in the BNL review. Another dependence identified by the BNL review is that of the high pressure injection systems on the containment heat removal systems through the suppression pool. The high pressure injection systems (HPCI and RCIC) consist of steam turbine driven pumps with the turbine lube oil system cooled via diverted pump discharge water. Thus, when the pumped water reaches 200 F, the lube oil will be at a temperature greater the 200 F. At such high lube oil temperatures, the oil

[ rapidly breaks down and causes failure of the turbine bearings. The impact of this omission is discussed in Section 5.2.2.

The following system interactions, although not included in RSS, were in the LGS-PRA study:

3-21

a) Common mode failures of the SRVs due to maintenance or mis-calibration.

b) Failure of HPCI or RCIC due to loss of room cooling.

c) Failure of HPCI or RCIC due to loss of DC power four hours after station blackout.

System physical dependences were covered only marginally in the LGS-PRA.

In particular, the effect of containment failure due to overpressure resulting i from loss of containment heat removal was incorporated in the analysis as well as the effect of loss of room cooling resulting from a station blackout. It l

was conservatively assumed that upon loss of containment integrity all the operating core decay heat removal systems will fail. This is consistent with the assumptions of the Reactor Safety Study. The effect of loss of room cool-ing resulting from a station blackout on systems not directly depending on AC power was also addressed. Here again, however, the dependence was not carried across functions. Such a dependence was also not included in the RSS. Other physical dependences not included are those resulting from causative factors, internal or external to the plant. Such dependences, particularly the latter, are considered outside the scope of the LGS-PRA.

System-human interaction dependences were treated to some extent. These

! dependences are usually introduced through cognitive errors of the operators.

The failure to inhibit depressurization in an ATWS is one example. Errors of comission, that is, the turning off of a system after operator failure to diagnose the condition of the plant, were not included in the analysis. These types of humanly introduced dependences are only now being introduced in the

! PRA realm and were not included in the Reactor Safety Study.

Component functional dependences result in increased system un-availabilities. The effect of such dependences can be treated parametrically by appropriate techniques as the 8-factor method or the Marshall-Olkin method.

The RSS analysis employed the square root approach which was criticized by several reviewers of the RSS. Component functional dependences were not included in the LGS-PRA.

3-22

Component physical dependences were not included in the LGS-PRA. The comments on the system physical dependences are pertinent here too.

Component-human interaction dependences were included in the analysis as common mode failures of components during test and maintenance acts. Multiple failures due to miscalibration and errors of omission were included in the system fault trees. Additional dependences identified by the BNL review were discussed in Section 3.5 of this report.

3.7.1 Some Functional System Interactions Omitted From the Event Trees This subsection discusses the omission of three functions from the functional event trees of the LGS-PRA that were included in the RSS analysis.

3.7.1.1 The Vapor Suppression Function The vapor suppression function as used in the RSS was not included in the LG5 LOCA event trees. As shown in Section 5.2.2.3, the exclusion of this type of vapor suppression has a minor effect at LGS due mainly to design differences.

3.7.1.2 The Emergency Coolant Functionability The emergency coolant functionability was not included in the event trees. This applies only to the large LOCA. It was shown to be a very minor contributor (<1%) to consequences in the RSS and should be equivalent for this LGS-PRA.

3.7.1.3 Containment Leakage Containment leakage in event trees is not considered since the LGS-PRA states that the LGS low pressure ECCS pumps can pump saturated water. This assumption was taken to be correct. In RSS, if the containment, leakage was greater than 100% per day, the ECCS pumps would fail owing to loss of NPSH.

3.8 References to Section 3

1. Swain & Guthmann, " Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications," NUREG/CR-1278 Draft Report, October 1980.

l 3-23

k RHR AND G ENER ALIZED TUR BINE R EACTOR SIR S/R COND/FW HPCI TIMELY LP RHRSW CLASS OF TRIP SUBCRITICAL VALVES VALVES AND PCS OR RCIC . ADS ECCS OR PCS SEQUENCE POSTULATED TR ANSIENT OPEN. RECLOSE AVAILABLE AVAILABLE ACTUATED AVAILABLE AVAILABLE DESIGNATOR DEGRADED CORE TT C M P Q U X V- W CONDITION i

T*

T

~

I

' TTO* -

TTOWlO) CLASS 11 TTOU * -

TTOUW(0) CLASS 11-TT OUV CLASSI i

TT OUX CLASS I l

T TP' -

.i W T TPW(P) ~ CLASS 16 b

4 TTPO -

)

TTPOWIPol CLASSli TTPOU* -

T TPOUW(PO) CLASSII TTPOUV CLASSI

- TTFQUX CLASSI j T TMt TT C**

NOT CORE MELT SEQUENCE NOTE: THIS FIGURE INCLUDES MANUAL SHUTDOWNS FOR THE PURPOSE OF CALCULATING THE DEMANDS ON LONG-TERM CONTAINMENT

- ATWS INITIATORS ARE TREATED IN A SEPARATE EVENT TREE HEAT R EMOVAL ONLY t TR ANSFER TO LARGE LOC'A EVENT TREE I Figure 3.1. Turbine trip transient event. tree.

i i

D D E

ZF E ED N O l l 11 I I 1

1 1

1 I 1 l O A T DEI S S S S S S S l S S S S A SSLARI T - -

S A -

S S A AL A S -

S A -

S A AL A L F .S OT R A UROD E L SE TGCN L C

L C C L

C L

C.

L C

L C C C SN SE N

E C OD C O OD t G P LI C

n E e HI N v R )

)

Q TE e EO )

)

Q ) O P V X FR C T Q

V X P ' F

'b

(

U U I " t

(

' (

W OU n Q p OW Q U O Qp M

(

NA (

U W U U P W C S O W Op O U O p0 EN p 'O p p F P F P P p p %O e UG QI T T p T p T T p T p T P p T p Q P

p T T T T 0 9 L i

s T p C ES T T T N n SE T I VI a D ES r E

LM B

t D L A E r NWSBSC A R H T e A R P L E s RHRI A W V F n H RO V OO e R C% d A - ,I I E0 R7 n

,I I ED o

E c L BN S B OA n PC A V TS i LC IL D T a EA N N E m

V U D A OI f FCC O D

Y E S s T I A LSA RR s ED U X EE 0 MAT I TT 1 T C AA /

r A WW DD e E t EE CL EE a I I B FF w C

PRL CA U d I

e H RA " e OV f A

f E O

" S L E CB E s F

W PA R s L T 0

/DI Q D NA T N

1

/

N AV E e O

C A V r E u E s S E T 0 E S A 1 RV O L P R C

/L A .

S A C E P E Ve VR E E S

I e Sr S

A R T Mt EN NT RVE M I

N

/LP S DE .

AO EV V TE, 2 A

E E A 3

. CRC

- 'A NTO E L e UEE r I

I QR G u I

C EA g

SS R i A F T R L

_ LO

- 8 ETO

. MAT F R ET : ER OE RI NF T OI S V SA p C SN I

S OW T TWA M L D OTR DE NAT NE

AF "i a

c

)

LOW RHR AND GENERALIZED HPCI TIMELY PRESSURE R HRSW CLASS OF IORV REACTOR OR RCIC ADS OR PCS SEQUENCE POSTULATED SCRAM ECCS

.TR ANSIE NT SUBCRITICAL AVAILABLE ACTUATION AVAILABLE DESIGNATOR DEGRADED

! INITIATION AVAILABLE CORE Tg C*,C" C U X V W CONDITION T*

g TW g CLASS il

T g u' -

. T gUW CLASS 11 T g uV CLASS 1 i T gUX CLASSI T g C" 7

M T,C* -

T gC'WIC1 CLASSil T , C* U' T gC'UW(C1 CLASSil T gC'UV CLASSI T gC*UX CLASSI T g C'C"

. T,C; -

NOT CORE MELT SEQUENCE

" ATWS INITIATORS ARE TREATED IN A SEPAR ATE EVENT TREE

" MANUAL SCRAM TOO LATE TO PREVENT A CHALLENGE TO THE CONTAINMENT SIMILAR TO A CLASS IV EVENT Figure 3.3. Inadvertent.open safety relief valve transient event tree.

1 ~

RHR AND I GENERALIZED S/R S/R COND /GW HPCI TIMELY LP MANUAL REAMOR VALVES RHRSW CLASS OF VALVES AND PCS OR RCIC ADS ECCS OR PCS POSTULATED SHUTDOWN SUBCRITICAL SEQUENCE OPEN RECLOSE AVAILABLE AVAILABLE ACTUATED AVAILABLE AVAILABLE DEGRADED DESIGNATOR CORE T C M P O U X V W M CONDITION TM * ~~

TMO* ~

TMOW(0) CLASS ll TMOU' -

TM OMO) MM H TMOUV CLASSI

. TMOUX CLASSI ta t'u

, ~

i i

4

)

1 1

TMC" NA

NOT CORE MELT SEQUENCE

ATWS IS JUDGED NOT TO BE RISK CONTRIBUTOR FOR MANUAL SHUTDOWNS Figure 3.4. Manual shutdown event tree.

RHR GENERALIZED SIR S/R HPCI TIMELY LP AND RHRSW LOP REACTOR CLASS OF VALVES VALVES OR PCIC ADS ECCS TRANSIENT SUBCRITICAL AVAILABLE OR PCS SEQUENCE POSTULATED OPEN RECLOSE ACTUATED AVAILABLE AVAILABLE DESIGNATOR DEGRADED CORE T C M P U X V W CONDITIONS E

T* E

~

TW E TEU* -

i TW E CuMH t T# E

^ '

TE UX MM l 0

T EP' -

w T EPWIP) Cf. ASS 11

$ T EPU' -

T PUWIP) CLASS 11 '

E TEPUV CLASSI TEPUX Cup 1 TMT E

T C'*

E

NOT CORE MELT SEQUENCE

ATWS It.fTIATORS ARE TREATED IN A SEPARATE EVENT TREE t TRANSFER TO LARG E LOCATREE Figure 3.5. Loss-Of-offsite-power transient event tree.

RHR 6 gfg $fp HPC1 (p yp3w AT RS VO VR $ "

CIC [c-7 C e v

O ! U V i W

1. T i 2. Tw

, 3. TO I

4 TOW

, S. TOU l 6. TOUW

7. TOUV

8. TP I

9. TPvt

, 10. TPO I

11. TFOW

, 12. TPOV i

13. TPOUW

14. TPOUV

15. TM

16. TC l

l l

l Figure 3.6. RSS-BWR transient event tree.

1

\

i l

3-29

" CLA F LARGE REACTOR CO NT COOLANT ET RECIRCULATION SEQUENCE POSTULATED LOCA SCRAM INJECTION REMOVAL DESIGNATOR DEGRADED CO'1E A C E 1 J CONDITIONS A -

AJ CLASSil w Al CLASSlit b

o AE CLASS Ill AC" CLASSIV

- INDEPENDENCE ASSUMEO BETWEEN THE CONTROL 800 INSERTION SYSTEM AND THE LOCA BLOWOOWN FORCES; IN ADDITION ONLY MECHANICAL F AILURES IN THE CONTROL ROD SYSTEM AFF ECTTHIS SEQUENCE.

ARI WILL REDUCE THE PROBABILITY OF ELECTRICAL FAILURES IN THE RPS TO A NEGLIGtBLE VALUE.

Figure 3.7. Limerick large LOCA event tree.

MEDIUM HIGH LOW DECAY GEN ER AllZED REACTOR FEEDWATER DEPRESSURl-LOCA PRESSURE PRESSURE HEAT CLASS OF SCRAM ZATIDN Q SYSTEMS SYSTEMS REMOVAL E DEGRADED DESIGNATOR CORE g

CONDITION t

3*

1 SW j CLASSIl Sg O' -

SgOW(Q1 CLASS 11 Sg QU' -

Y w

S3OUW(0) CLASS 11 SgGUV CLASSI SgGUX CLASSI Sg C"

' NOT A CORE MELT SEQUENCE

' TREATED IN ATWS TREES Figure 3.8.

Limerick medium LOCA event tree (Sg ).

p i

O GENERALIZED HIGH LOW DECAY SMAll. REACTOR DEPRESSURI. "

CLASS OF LOCA SHUTDOWN ZATION SEQUENCE POSTULATED g

T 1 RE OVAL DEGRADED DESIGNATOR CORE S C U X 2 V .W CONDITION

~

S 2

SW 2

CLASS ll S2 U' -

S2UW CLASS 11 S2UV CLASSi S2UX CLAS$I l

SC"

NOT A CORE MELT SEQUENCE

" TREATED IN ATWS TREES Figure 3.9.

Limerick small LOCA event tree (S2 )*

CONiatratNT TRtt lINiTraicR H ParvtNTION H miricATiON l j rie. 3.11 GENERALIZED TURBINE RPS RPS R[ CIRC CLASS OF TRIP MECHANICAL ELECTRICAL PUMr ARI SEQUENCE POSTULATED W/ BYPASS TRIP D[ GRADED CORE CONDITIONS TRANSIENT ! PREVENTION 0

l T,3c g

I O I

I I T,3C"t Fl"E 3 11

. w I b

i T,I CR E

CLASS IV i

I l

I T,3C , riat 3.11 l

l TT CR g CLASS IV I

t Figure 3.10. Event tree diagram of postulated ATWS accident sequences following a turbine trip initiator.

. . . _ _ . _ . . . . . - . . - . - . . , n - .. ,. - ,.

POISON INJECTION COOLANT INJECTION INADVEflTE NT OPE R A ftON HE AT REMOVAL CONTROL ROOS TWOOR ADEO SAFETY AOS NOT Fw on HPc6 ONE PRESSURE CLA F F A'L TO yungg V ALV ES HPCI ACTU ATED DOES NOT BOTH ONE INSE RT SLC ONTROL RECLOSE OR RCIC AUTOM AT. CONTINUE RHR$ RHR SEQUENCE POSTU,LATEO DgG ADtD PU", E" PUMes ICALLY TO RUN Cont T y'C +Ty 'C,z C 12 C2 M b P h U UR 0 Ug W 2 *12 TC g -

Ty 'C,U, CLAssiv i

Ty 'C,0 CLAS$1v Ty'C,U -

, Ty'Cg Uw 2 class tv TT ICg Uw t2 El#IS '#

Ty'CM UUg class IV TT'Cg UD CLASSIV TT'EMUU, CLASS ill y

Ty 'CM ' '

~

Ty'Cg PW 2 class tilnv*

W Ty'C ,Pu g CLAS$ 1v g

b) Ty'CyPO CLAS$1v A

T y ICM PU CLAS$ stl Ty'CgM CLAsstv Ty'Cu C 12

~

Ty'C ,C l2Vg CLA5Stv Ty 'C C0 g 12 CLASS IV Ty'C,C 12 U CLASS ilt i

TT'UM C82# ~

I CLA551st/Iv*

Ty'C,C y,Pw 2 l '

Ty'C,C 12PUg CLASS IV 7

Ty'C u C12 PO CLASS tv TT'CM Ul2PU CLA5S ill TT'CM U12 CL AS$ tv TT 'C,C y CLASS iltnv e

THESE SEOUENCES ARE SM CLAS$ fH AND 20% CLASS IV Figure 3.11. Event tree diagram of postulated ATWS accident sequences following a turbine trip initiator.

i

lIulilAT0A H F8tVfhTION MillGAll0N l r CONIAIPp(Ni lat(

tie. 3.13 GINIRAliffD Milt RP5 RF5 Altitt CLAS5 OF CLO5URE TCILANICAL tt!CIAICAL tuMP ARI 5(QUthCE F051ULAfte IIIP OfCRADfD

, CORf CONolil0M5 IRAmit!NI ! _ Fulv! Nil 0g

! O r,8c --

l 3 I

I i

P l Tr#ct r risung 3.13

$ l I

I I r,8cga tra55 III i

l i r,8c,, riant 3.13 I

I i

3 t,8cp cta55 III i

Figure 3.12.

Event tree diagram of postulated ATWS accident sequences following an MSIV closure initiator.

- _. - ..-- . , . - - - ~

s POISON INJE CTION COOL ANT aNJCCTION INADVERTENT OPERATION HE AT R[MOVAL CONTROL RODS Tiv0 0R ggg AM SAFE W ppgg ADSNOT FW OR HK4 g gg F AIL TO THREE PRE SSUR E VA(VES ACTUArtO DOES NOT SOTH ONE SLC RCIC RHR SE OUE NCE POSTULATED aNSE R T SLC CONTROL PECLOSE O y ,R AUTOMAT. CONTINut RHR$ DEGRADED PUMP PUMPS ICALLY TO RHN gopg CONDITIONS Ty Cu + T,2CmE C 12 C2 Mb P@ y UR O UM "2 *t2 T,Cu .

J T,Cgw2 *

' T,C Wu 12 CLASSuthV' T,Cg ua CLAS$1V I,Cg D C'LAS$4V T,Cg U .,

T,CgU .

I T,Cuvwt2 CLAS$HIAV" T,CguUn CLASSIV

,, T,CgUD CLASSIV T,CuuUn CLASS ill T,Cup .

I T,C yPW2 CLAS$IllAV' T,CuPU H CLASSIV TFCuPD CLASSIV (A) g T,CgPU CtAS$ 4:1 Ca) m 7,CgM CLASS IV T,C Cg 12 "

T,CgC12*2 CLASS IHMV*

I T,CgC12"l2 CLASS IHAV" T,C Cu 12VM CLASSiv T,C Cg 12 D CLASS IV T,C Cu 12 U CLASSHI T,Cu ct2P -

l T,Cg Cl2Pw2 CLAS$1 HAW' T,Cg C12PUH CLASS iv T,Cg C12PO CLASSIV T,CgCl2 PU CLASS Hi 7,C Cu 12 M CLASS IV T,C Cyy CLAS$tHMV*

?

THESE SEQUENCES ARE en CLASS fH AND 2n CLASS IV Figure 3.13. Event tree diagram of postulated ATWS accident sequences folioving an MSIV closure initiator. ,

[ nrTuT:n H ruvEurica H n m aafica '

= anTarocrr Tuz

/ Fis. 3.15 IRITIAT0s GENT 1 TALI 2D LM S OF RPS ItPS It!CIPt CUlis 0F OFF3!Tt E OMMICAL ElICTRICAL PLDF ARI Sc3fEMCt P057tt.ATD PCM[R TRIP OtrJtADtn CORE ConDIT10MB Tg3 Cg C'E R K@

T w sitxT 'c PRtytxTimi =

I @

l @

TE3Cr -

i E

I I

,' i t*Ct r riant 3.15 I

I I

l Yt'Cn FIQat 3.15 l

1 l

l

For the loss of offsite poser initiator, electrical faults leading to a failure to scrta any be virtually tero for loss of offsite peer tx1Ms. However. since no detailed evaluaticin hss te perforned to verify this assertion, electrical RPS failures are inc16ded here for t w ieteness. They are a small contritution to the overall probability of degraded core conditicres.

Figure 3.14. Event tree diagram of accident sequences following a t

loss-of-offsite-power initiator.

l 3-37

POISON INJE CTtON COOLANT INJE CTION INADVERTENT OPER ATION HE AT R E MOV AL g

CONTROL ROOS TWO OR ADEO SAFETY HPCs ADS NOT Fw O'1 HPCI CLASS OP F AIL TO THREE ONE PR ESSUR E VALVES ACTUATED DOES NOT SOTH ONE POSTULATED CONTROL O RCic 6NSE RT SLC LC, g RECLOSE g ,R AUTOMAT- CONTINUE RHR$ RHR SEQUENCE DEGRADEO PuuPS ICALLY TO RUN CORE Tg 3C g + T,3 Cn g

C 12 C2 Mb P C) U Un O U a Wy W eg Tg3Cy .

Tg3Cw g g .

I T gC 3

,w,, CLA$50tlAv*

. Tg3CU g g CLAS$fv Tg3CD g C u SSIV T3gcn -

g 3

, Tg Cg uw 2 -*

I Tg3Cg Uw t2 CLASS illAV*

I YgCW g g CLA$stv T3 g CyVD CLASS tv 3

TgCW g g CLASS til

, Tg3CP g -

TE Cg Pw 2 CL A&S tilA v' g

Tg 3Cu M'V CLASSev h

cn TgICu PD CLASS IV Tg3Cg PU CLASStti 8 CLAS$lV TE 0u M Yg 3CC g 12

i IECC M l2"2

I Tg 3 g CLASStHev*

C C,gw,g Yg CCg l2U M CLASS IV Tg 3Cg C12 0 CLASS 8V T g 3CgC,gU CLASSlit TEUM C,y P .

I Tg 3CC g 12 PW CLASStV I

Yg CgC,,PU H CLAS$tV Yg 3Cg C t2 PD CLASStV It Cy C 12 PU CLAS$ lle Tg I g C C,,4 ggggg iy T g 3C ,C 2 CLASSI88Av*

THESE SEQUENCES ARE 80% CLASS til AND 20% CL ASS BV Figure 3.15. Event. tree diagram of postulated ATWS accident sequences following a loss-of-offsite-power initiator.

PPEVENTION HITICATION l r CtaTAlleerT 7tEI l IRITIATCA Fig. 3.17 w$ GENERALIZED IRITIAt3 RPS RECIRC CLASS OF 10RV E CEMICAL ELECTRICM. PLP9 ARI SEQUENCE TRIP j POSTU'JTED l DEGRADED

" KO lCORICDCITION 11 C n C r

rRrvExum nusicxT l- =

1 O e T,g ..

I I

i d

T3 Ct g rianc 3.17 I

I I

Tan

'C namt 3.17 l

I I

i

\ l l

l Figure 3.16. Event tree diagram of accident sequences following an IORV initiator.

l l

3 19

_ , . . _ . _m. _ _. , _ _ . _ _ _ . . , . , _. _

POISON 'NJE C TION COOLANT INJECTION 8N ADVERT ENT OPE R ATION HrAT n EMOv at ADEO 0T CONTROL ROCS TWO OR ONE AD$NOT F W CR HFCI

$AFETY 64PCI gLggg FA7LTO THnti gtg mE ESUR E ACTUATED DOES NOT BOTH ONE INSERT SLC VALVES OR CIC $EOUENCE pyyp CONTROL RECLO5E FW AUTCVAT. CONTINUE RHn3 RHR PC$ T uL,A T E O PuvM iCALLY TO RuN

' Cont T,*CE K

T,*C y C 12 C2 M'b P h U UR D Ug W 2 "O l CONOf TIONS Tg*Cu *

, 7,*Cy w2 ~

I i T, CuWgy CLASSItshv' Ig Cg U g CL ALS IV T,*Cg o CLAssiv 3

T,"CuU CLA55en

, T,*C ,P .

7,"C ,Pw y CLASSIV g

T,*CyPU w CLASS tv T,*CuPD ^ CLASSev 7,*CuPU CL A5S ill T,*C,u CLAS$jV I CMC,g .

l l I C'#sS'"#v*

1 T,8 CCu t2*2 7, C,CygUg CLASSev 7,"CuC,7 0 CLA*.Ssv

}

^

T,*C ,C 12 u CLA$$H8

, T,8 CCu 12' ~

I T,8CCl CL ASS HAA v 4 g 2'"2 T,#C ,C12'U M CLASSsv T,"C ,C e2 PD CL Ass ev 7,*C,C, yPU CLAS$He 7,"CuCl2 M CL ASS IV T,8 CC g2 CL AS8 H'UV

'THESE SEQUENCES ARE SW CLA55 He AND 2M CLASS IV Figure 3.17. Event tree diagram of postulated ATWS accident sequences following an -

IROV initiator.

l l

COMMON RECOVER pg'OVER C HIGH ECOVER RECOVER RECOVER RECOVER TIMELY ADS F ALTERNATE OFFSWE

. LP ECCS POWER ODE OFFSWE DIESELS ROOM PRESSURE OFFSWE DIESELS DIESE LS ACTUATION AVAILABLE SEOUENCE O'ISEL SYSTEMS POWER <2HR POWER <4HR DES'GNATOR tNITIATOR < 1/2 HR COOLING X Y TEORT E, FAILURE < 1/2 HR U <2HH < 4 HR FIG.

I I TguV I TgUX g

FIG.

I I I TV E I TX E g

FeG.

I 3 TE UV I

igUK g

iFIG.

1 I

I E TVE 1

TKE FIG.

I TguV #

, I T E UX

- F8G.

i I I Tguv I TE UX FIG.

I I TE UV I TguX I I fFIG.

I TVE TUE fFIG.

i i i TVE TUE i

Figure 3.18. Time-phased event tree for calculating coolant injection availability-following a loss-of-offsite-power event (Phases I, II, & III) Class I event variety.

l l

CONTAINMENT TRANSF ER HEAT OF FSITE POW R REMOVAL SEQUENCE POWER RECOVERED F GURE POWER DESIGNATOR )

l AVAILABLE < 10 HR CONVERSION RHR l 3.18 SYSTEM OK OK TEW.

OK OK TWb E

OK TWE c Figure 3.19 Time-phased event tree for calculating containment heat removal following a loss-of-offsite-power event (Phase IV)

Class II event variety.

l 3-42

Table 3.1 BNL Changes in LGS-PRA Fault Trees SYSTEM PAGE GATE NAME GATE TYPE INPUT NAME VALUE DESCRIPTION FW/ Condensate 1 FWR AND FWRST Changed input FHUOO8DXD on page 31 accounted from 0.1 for failure of the operator to restore to 1.0 feedwater af ter a spurious level 8 trip. FWRST double counted for this restoration so its value on page 1 was set to 1.0.

11 FSSEB OR (ADD 1) (2x10-5) This input was added to account for sealing steam supply line reliefs (eitheroneof2)beingstuckopen.

13 FAILCV OR (ADD 2) (4x10-4) This input was added to account for loss of condenser vacuum because of failure of the condenser vacuum I" breakers (HV-142 through HV-145).

w 14 FMV16A. OR FHU16ADXD Changed The time period available to the oper-B and C FHU16BDXD from 0.01 ator to close valves 116 following a F,HU16CDXD to 0.1 failure of the RFPT rupture diaphragms was too short to use a value of 0.01.

16 FVAC OR (ADD 3) (0.01) Input added t'o account for failure of the operator to start the mechanical, vacuum pump.

21 FEJ102A OR (ADD 4) (2x1C;4) Added failure of the offgas system as and B a failure mode of the condenser vacuum.

22 FILB OR FHU104DXD Changed Time available for operator to bypass from 0.01 sealing steam pressure regulator was too to 0.1 short to justify 0.01 failure rate.

Table 3.1 (Cont.)

SYSTEM PAGE GATE NAME GATE TYPE INPUT NAME VALUE DESCRIPTION FW/ Condensate 31 FLCH2 OR Changed No change Now gross miscalibration of level chan-FHU19DHNI nels 1 and 2 on page 31 have the same to FHU19AHN! name (FHU19AHNI). This accounts for common mode af scalibrations of both channels.

HPCI 1 HRS 2 AND HRS 2A and Changed Changed to give the same failure and HRS 3 HRS 3A values probability of all three restarts.

from 2x10-3 and 2x10-4 to 2x10-2 18 HLUBE OR (AD01) (1x10-3) Added input to account for failure of the shaft-driven lube oil pump.

w b

19 HEXT OR (BRKF) (2x10-3) Added input to account for failure of 5 of 17 exhaust vacuum breakers.

ADS 3 ASV1AB1 & 3 OR Changed No change Changed input names to a common name to ASV2AB1 & 3 AAS111DWI account for common mode gas con-ASv3AB1 & 3 through tamination failure of valves.

ASV4AB1 & 3 AASS11DWI ASVSAB1 & 3 all to AAS111DWI 10 APIA1 and OR AHU001DXI Changed Value of 10-3 felt to be overly APIB1 from optimistic.

3 to 10 10- 2 15 ARHRA OR Changed No change Changed input name for miscalibration through AHU4000XI of RHR pump discharge pressure sensor ARHRD to AHU300DXI to that of CS pump discharge pressure sensor (on page 15) to account for com-mon mode miscalibration of all pressure sensors,

Table 3.1 (Cont.)

SYSTEM PAGE GATE NAME GATE TYPE INPUT NAME VALUE DESCRIPTION LPC1 3 and 4 DPM82 OR (1.9x10-4) Added input to account for failure of DPM2A2 (DSW01BHPI))

(DSWO1 AllPI LPCI pumps because of the pump suc-tion valve limit switches failing to DPMD1 (DSWOIDHPI)

DPMC1 (DSW01CHPI) indicate that the valves are open.

RHR1 6 and 7 DSTAC,etc. OR DXV67ADPI Changed The value of 1.25x10-4 was changed to on page 6. DXV67BDP1 1.25x10-4 3x10-3 to make it consistant with motor to 3x10-3 operated valve failure rate (see for 7 DSTCD and DSTDC on page example DMV06BDPI on page 6 of 27 of a

7 this fault tree).

14 DR10A th' rough Changed (ADD 1) (1x10 4) Changed the logic to an OR gate in 100 from AND order to account for failure to dis-to OR in charge to the suppression pool be-order to cause of valves F003A or B falling insert ADD 1 closed.

19 D1WCT1 & 2 OR (ADD 2) (1.2x10-3) Added inputs due to failure of 36" valve 1052 (N0-FC) or cooling tower screens clogged.

ELC 2 SLC1 OR (ADD 1) (2x10-3) Added input to account for failure of all SLC pua:ps because of conmon mode miscalibration of the PW tank level sensors.

Table 3. 2 Cognitive Human Errors Modeled in Event Trees Time Available Symbol Description of Required Action for Action

1. X Timely ADS actuation 1/2 hour

2. D ADS inhibit (ATWS) 2 minutes 5

3. c', c" Timely scram given 10RV 10 minutes ;

4. ATWS Balance feedwater Q 5 minutes

5. VH FW & HPCI disabled (ATWS) 5 minutes

5. Q MSIV reopen 1/2 hour

7. Q Recovery of FW & PCS 1/2 hour

8. W MSIV reopen 20 hour2.314815e-4 days 0.00556 hours 3.306878e-5 weeks 7.61e-6 months

9. W Recovery of FW & PCS (by operator) 20 hour2.314815e-4 days 0.00556 hours 3.306878e-5 weeks 7.61e-6 months

10. ARC Initiation of alternate room cooling (i.e., open HPCI or RCIC room doors) 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months 3

I.

i c

l l

3-46 ,

1 L

Table 3.3 Cognitive Human Errors Modeled in Fault Trees Time Available Description of Required Action for Action HPCI E ' Transfer HPCI suction from failed CST to SP. 1/2 hour

2. Transfer HPCI suction from CST to SP upon failure of auto-transfer action. 1/2 hour

3. Manual actuation of HPCI upon loss of auto-start signal. 1/2 hour

4. Isolation of leaky room cooler coil.

5. Manual initiation of room cooling given failure of auto start.

2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months RCIC

1. Manual start of RCIC, given auto-start fails. 1/2 hour 2 Manual transfer from CST to SP, given failure of CST. 1/2 hour

3. Manual switch from CST to SP, given failure of auto transfer. 1/2 hour

4. Reset turbine stop valve following RCIC trip, given that it tripped on level 8 signal .

5. Manual initiation of RCIC for subsequent starts.

I hour (or later)

6. Manual throttling of HPCI to prevent level 8 trip of RCIC. 1/2 hour

7. Isolation of leaky room cooler coil.

8. Manual initiation of room cooling given f ailure of auto start. 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months FW/Cond~ I hour

1. Reset & restart FW following level 8 trip.

i (or later)

2. Select single element level control mode of FW if 1/2 hour problem with three element level control. (or later) l 3. Open AUX steam supply valve to supply main turbine steam seals, given that nonnal steam supply failed. 1/2 hour l

4 '. Transfer to standby leg of steam seal exhaust sytem, l

! given that on-line leg fails.

5. Isolate rupture RFPT rupture diaphragm. <1/2 hour

! 6. Transfer SJAE, given on-line ejector fails. 1/2 hour l 7. Shif t to standby steam supply for SJAE. given that on-line steam supply fails. 1/2 hour I

l 8. Bypass steam seal evaporator discharge PCV, given that it failed. 1/2 hour l

l 9. Close failed open condensate pump recirculation valve.

I 3-47

s

! l i

Table 3.3 (Cont.)

4 Time Available

_ Description of R_e_ quired Action for Action _

ADS l'.~ Manual shift to instrument air, given that .

instrument gas supply has failed. 1/2 hour LPCI II-~)Mnually open (locally) alternate suction valves for LPCI pumps, given that normal suction path fails.

2.

1/2 hour i

Line up to alternate vessel injection paths, given that normal path fails. 1/2 hour l 3. Open loop discharge valves, given that auto open of valves failed. 1/2 hour

4. Isolation of leaky room cooler coil.

5. Manual initiation of room cooling, given failure of auto start.

RHR1 (Pressurized)

1. Initiation of RHR. 20 hours2.314815e-4 days 0.00556 hours 3.306878e-5 weeks 7.61e-6 months

2. Opening of RHR discharge valve, given that the low pressure permissive signal failed to auto open it.

20 hours2.314815e-4 days 0.00556 hours 3.306878e-5 weeks 7.61e-6 months

3. Blockage of false high radiation signal which would isolate the RHR HXS RHRSW supply. 20 hours2.314815e-4 days 0.00556 hours 3.306878e-5 weeks 7.61e-6 months

4. Isolation of leaky room cooler coil.

5. Manual initiation of room cooling, given that auto start fails.

~

RHR2 JDe)ressurized)~

~

Same as iffRT.

l LPCS II~~Nanual initiation, given that auto start failed. 1/2 hour

2. Open LPCS CST suction valves, given failure of suppression pool source.

1/2 hour

3. Replenish CST water, given that it is used as a suction source. 1/2 hour

4. Manually open LPCS discharge valves, given auto open failed.

1/2 hour

5. Isolation leaky roan cooler coil.

, 6. Manually start room cooling, given failure of room cooling to auto start.

4 f

3-48

Table 3.3 (Cont.)

Time Available

_ Description of Required Action for Action __

Electric Poweg

1. Transfer to alternate ESW supply for loop EDG, given that the on-line loop failed. . 1/2 hour

2. Manually start of EDG room ventilation, given that it failed to auto start.

ESW 15~ Start standby NSW pump, given that one of the two operating pumps f ail. 1/2 hour

2. Start ESW pumps, given that auto start failed. 1/2 hour SLC l'.~ Control SLC temperature with operational heater, given failure of auto temperature control. 1/2 hour

2. Control SLC temperature with mixing heater, given failure of auto temperature control. 1/2 hour

3. Manual initiation of SLC, given that auto initiation failed. <5 minutes 4

l l

i 3-49

_ _ - _ - . _ _ . . - - - . . - . . -~._. - - - -- -. - . - - .. . - - - .

Table 3.4 Frontline/ Support System Dependence Matrix i

System AC Power DC Power Cooling Compressed Gas Suction Husk Othe-MSRV ----

For manual ----

For manual --- For manual Suppresston p,ol actuation actuation re- actuatfon of requires for steam quires instru. MSRV's. Also condensation ment or ser- to manipulate I vice air or gas supplies.

primary in-str'anent gas or bottled M .

EachMSRVha$

an accumulator which is available upon loss of the ,

above sources ADS ---- For initiation ---- Same as above --- For manual Same as above and actuation actuation i W circuitry r

[n HPCI and RCIC ---- For initiation NSW,lSW or If NSW suppli- CST with auto- For manual Suppression pool O and control natural cir- es cooling re- matic switch- actuation lube / oil culation quires instru- over to sup-ment or ser- pression pool ,

vice air to upon high sup-maintain sup- pression pool ply valve open level or low .

CST 1evel l FW/ Condensate Non-Class IE For level con- NSW-RFPT lube PCS-for make- PCS for RFPT stese '

trol system oil coolers up to conden- supply and exhaust and condensate ser CST-con-pump room densate pump coolers TECW. seal water and condensate for hotwell pump lube oli makeup coolers

t Table 3.4 (Cont.)

System AC Power DC Power Cooling Compressed Gas Suction Human Other PCS Non-Class IE. Supplies MSIV Circulating To maintain ---- If RPV<8500sig Air ejectors and The RPS bus air solenoids water-for main MSIV open re- must place re- off gas system to supplies power condenser,NSW- quires prim- actor mode maintain vacuum to MSIV air for off gas ary instrument switch from (or mechanical supply solen. system and if gas or instru- run to startup vacuum pumps) oids auxiliary ment or ser- to prevent boilers used vice air or MSiv closure to supply air bottled N2*

ejector steam LPCI Class IE For initiation NSW, ESW-for If MSW supplt- Suppression To centrol ----

and breaker room cooler, es cooling re- pool flow rate to control bearirg cooler quires instru- RPV and motor ment or ser-coo 11rg vice air to maintain sup-ply valve open RHR Class IE For breaker RHRSW-for heat Same as above Suppression To control ----

jd control excharger NSW, pool or RPV flow rates and on ESW-same as

"' start RHR$W

~ for LFCI system LPCS Class IE For initiation NSW, E5W-for Same as above Suppression It requires and breaker room cooling pool or CST suction frvm cont rol CST SLC Non-Class IE For initiation ---- ---- Single poison To switch ----

but can switch water tank power to Class to Class IE IE supply EDG - --

For initiation E SW EDG air com- ---- ---- ----

breakers con- pressors and trol power and resevoirs field flash SGTS Class IE Control power ---- ---- ---- ---- ----

,. -_ -- - _ . - __ ~ _ - - .- . . ._ - .. __ . - _ -

Table 3.5 Support / Support System Dependence Matrix System AC Power DC Power Cooling Compressed Gas Suction Human Ot her Primary Con. Non-Class IE ---- NSW ---- Primary con- Same as above.

trol Instru- tainment Also to place ment Gas atmosphere N bottles in tervice N SW Non-Class IE ---- ---- Requires in- Cooling towers ---- ----

strument or service air if NSW is to sup-ply ESW loads E SW Class It For initiation ---- ---- Spray pond or To line up cooling towers suction to cooling towers R HR SW Class IE ---- ---- ---- Same as ESW To initiate ----

system and to l line up suct-lon to cooling o, towers e _TECW Class IE, but ---- . NSW ---- ---- Restart fol-

$3 auto-trip on lowing LOCA LOCA signals signal trip RE C W* Same as TECW NSW ---- ----

Same as TECW Service Air Non-Class IE ---- TECW ---- Atmosphere ---- ----

Instrument Air Non-Class IE, ---- TECW ---- Atmosphere To switch can be switch- power to Class ed to Class IE IE supply I

Normal supply for recirculation pump seal with backup supply being ESW. The SAR (p.92-50) notes that recirculation pump seal cooling is for economic reasons only.

4.0 DATA ASSESSMENT This section reviews the numerical values of the parameters necessary for the quantification of the accident sequences. The section is organized as follows.

Subsection 4.1 presents the LGS-PRA frequencies for the initiating events along with the BNL assessments. Subsection 4.2 discusses the LGS-PRA data base used in the evaluation of component unavailabilities along with the BNL evaluation.

{ 4.1 Frequencies of Initiating Events 4.1.1 Initiating Event Frequencies used in LGS-PRA The frequencies of transient initiators used in the LGS-PRA were based on

General Electric data. Table 4.1 gives the frequencies used in the LGS-PRA for the four groups of transient initiators, the manual shutdown and the LOCA initiators.

4.1.2 BNL Assessment of the Initiator Frequencies An independent assessment was conducted to determine point values and associated distributions for the frequency of each one of the transient initiators used in the study.

The assessment is based on experiential data obtained from sfxteen operating BWRs and it includes both generic (i.e., characterizing the whole population) and particular (i.e., plant-specific) evaluations. The technique used is based on the "two-stage" Bayesian approach first proposed and used by Kaplan(l) in the Zion and Indian Point PRAs,(2,3) and as modified by Papazoglou.(4) The basic assumption of this method is that there is an actual variability in the frequency of each initiator within the population.

The characteristics of this variability are not exactly known, however, because of limited information.

The technique calls for the assessment of a prior distribution for cer-tain parameters. This is equivalent to assessing a prior distribution for the frequency of the initiator that characterizes the plant population. The prior distributions are then updated using experiential data.

4-1 l

In the present assessment the prior distribution for the initiator that characterizes the plant population was practically log-uniform in the range of 10-4/yr to 10+1/yr. The data were obtained from a recent report by '

EPRI(5) that provides information on occurrences of 37 types of transients in BWRs. The data consist of 903 events occurring over 101.5 plant-years at 16 different plants.

Means, medians, five, and ninety-five percentiles have been determined for each of the 37 initiators considered and for each of the 16 different ,

plants. The complete results are presented in Reference 4.

For each initiator, a distribution was also generated to represent the population as a whole. This distribution best characterizes the uncertainties in the frequency of initiators for plants, such as Limerick, that belong to the population, but for which experiential data are not available.

The population distributions have been further combined according to the grouping previously described.

LOCA initiator frequencies used in the LGS-PRA appear to be reasonable when compared to the available data (6) and were not independently assessed.

ATWS initiator frequencies were derived from the corresponding transient initiator frequencies with the exception of those of turbine trip and MSIV closure. It was noted in the LGS-PRA that turbine trip ATWS events could be classified into two categories: one in which feedwater was properly control-led, turbine bypass was available, and condenser heat sink was available; and a second category in which there were failures of the feedwater balance, the turbine bypass, or the condenser heat sink. This second group was con-servatively assumed to have similar plant response as that of the MSIV closure j ATWS events. Figure 4.1 depicts the quantification method by which the turbine trip frequency was calculated and moreover the fraction of turbine trip initiator frequency which was transferred to the MSIV ATWS initiator i frequency.

l BNL's assessment of this approach revealed that it has been con-servatively formulated and applied in calculating the LGS ATWS initiator j frequencies. This same approach is employed by BNL in deriving the BNL ATWS l initiator frequencies which are tabulated in Table 4.1.

4-2

l The results of the BNL assessment are presented in Table 4.1 along with the values used in the LGS-PRA and in the RSS. Because of its importance, the frequency of the loss of offsite power initiator is discussed in detail in the following subsection.

4.1.3 Loss of Offsite Power Initiator The frequency used for the loss of offsite power initiator in the Limerick PRA was derived from the nuclear plant experience of Pennsylvania, i New Jersey, Maryland Interconnection and the Philadelphia Electric Company fossil-plant experience. In total, these plants had four occurrences in 94.7 plant-years. The loss of offsite power was then modeled by LGS as a Poirson random process and a flat prior distribution of the frequency was updated ac-cording to Bayesian techniques to yield a posterior distribution. The mean value of the posterior distribution obtained this way is 0.0528 occurrence' per year. This value was used in the LGS-PRA.

BNL assessed the frequency of the loss of offsite power and the as-sociated uncertainties on the basis of the nuclear experience above using the technique described in Subsection 4.1.2 and, in more detail, in Reference 4e The fossil-plant experience was excluded to remain consistent with current nuclear PRA practice which does not include nonnuclear plant experience in the estimation of the frequency of loss of offsite power (LOOP). This is the main l reason for the difference between the LGS-PRA and the BNL assessment of the loss-of-offsite power initiator.

The details of the BNL estimation of the frequency of LOOP are given in Reference 4. Data from all operating nuclear power plants at 47 different sites in the USA were obtained from References 7 and 8. Two analyses were l performed:

(1) Assuming that all the 47 plants (sites) belong to the same pop-

! ulation.

(2) Assuming that the plants in each regional reliability council (see Reference 7) belong to individual populations, independent of each other.

For the first case, 47 plant specific frequencies and associated un-certanties were obtained along with one that characterizes the population es a whole.

4-3

t i

For the second case, again a total of 47 plant specific frequencies and associated uncertainties were obtained but now, since there are eight regional reliability councils, eight population assessments were made, one for each council.

The results for the Mid-Atlantic Reliability Council, to which the Limerick Generating Station belongs, were used in the BNL review. There are five nuclear power plants in this council. The experiential evidence from these plants is given in Table 4.2. The results of the analysis in Reference 4 for this reliability council are given in Table 4.3. Since LGS is a new plant, not yet in operation to produce plant-specific data, the appropriate values to be used are those that characterize the population of this

) particular reliability council. This is equivalent to saying that LGS is a

! plant taken randomly from the population of the Mid-Atlantic Reliability Council population.

The mean value of 0.17 occurrences per year (see Table 4.3) wus used in the review for the frequency of the LOOP transient initiator.

In the RSSMAP Grand Gulf PRA, a frequency of 0.20 occurrences per year l

was assumed for the loss-of-offsite-power initiator, whereas, the Big Rock l Point PRA used a mean value of 0.13 occurrences per year.

In the RSS, the nuclear power experience was considered for the year 1972 which included three loss-of-offsite-power events. These events occurred in

about 150,000 operating hours giving a point estimate for the failure rate of offsite power of 2x10-5 failures per hour or 0.18/yr.

. 4.1.4 Recovery of Offsite Power l

The probability of recovery of offsite power, within a given time, was assessed in the LGS-PRA using the PJM/PECo data base. The recovery times for the four occurrences actually experienced were used to determine the mean

! recovery time and the variance of the recovery time. A gamma distribution was then fitted to the calculated mean and variance.

4-4

In the BNL approach, the recovery times were assumed to be lognormally distributed. Next, the two parameters of the lognormal distribution were assumed to be random variables distributed according to given probability density functions.

The experiential data reported in References (7,8) for the 16 plants of the Mid-Atlantic Area Council and of the Southeastern Electric Reliability Councils were then used for a Bayesian updating of the assumed prior dis-tributions for the two parameters.

Finally, by " averaging out" the dependence of the distribution of the recovery time on the two parameters, a " student t" distribution was obtained to represent the distribution of the recovery times.

The probability of not recovering offsite power up to a given time is calculated from the complementary cumulative distribution and is shown in Table 4.4 along with the LGS-PRA values.

4.1.5 Conclusion The frequencies of the initiating events determined by the BNL approach differ, as shown in Table 4.1, from those used in the LGS-PRA. The most significant differences are in the frequencies of the turbine trip and the loss of offsite power transient initiators.

The BNL-assessed frequencies of the initiator events were next used to quantify the accident sequences. The relative contributions of the initiating i event frequencies to the total core damage frequency is reported in Section 5 of this report.

4.2 Component Unavailabilities 4.2.1 LGS Data Base The data base used in the LGS-PRA to quantify component' failure rates in the fault tree models comes from three basic sources:

l e Licensee event reports e General electric BWRs operating experience data e RSS 4-5

RSS demand failure rates were used to quantify fault tree models. The General Electric reliability assessment used the concept of constant hourly failure rate for components in standby.

Maintenance and test data used in LGS are obtained from GE operating ex-perience with BWRs.

The technical specification values of Peach Bottom and the test frequencies from Susquehanna are used as representing future Limerick Specifications.

The maintenance unavailabilities for each system are combined in the fault tree logic model through the use of NOT gates.

Diesel generator failure to " start and run" probability used in the LGS is that of the Peach Bottom Station.

The conditional probability that multiple diesels may fail, given that a single diesel fails, is obtained from a composite assessment including data from LERs, RSS, Zion, and Cook diesels and data from a plant referred to as plant X.

l l The probability of recovering one diesel within two and four hours was derived from NRC data which agree with Peach Bottom available data.

4.2.2 BNL Evaluation and Conclusion The component failure rate data base used in the LGS-PRA was compared to the RSS component failure rates and to the Baseline Data Base of the NREP Guide.(9) Some differences have been identified in the three data sets, but they do not have a significant impact on the system unavailabilities and on the core damage frequency.

The fault tree logic models derived to represent the systems un-availabilities due to test and maintenance have also been reviewed and found to be reasonable.

4-6

Diesel generator composite models and data used to detemine diesels un-availabilities have been reviewed. In the LGS-PRA the diesel " failure to start and run" probability value used is 1.7x10-2/ demand. This value is smaller than the values used in the RSS of 3.0x10-2/ demand for the failure to start and 3x10-3/hr for the failure to run, under emergency conditions.

The LGS values are reasonable when compared with LER data.(10,11) The mod- .

els used in the LGS to account for diesel dependences and the maintenance re-presentation used in the fault trees were reviewed and found acceptable.

The probability of the common cause failure of all four diesels used in the LGS-PRA was 1x10-3 This value was based on data from 36 LWRs. In the BNL revision the value of 1.9x10-3 was used which is an " average" be-tween the values used in RSS, the "36-LWRs" values, and data from the Zion and Cook stations (see Table A.5.9 in the LGS-PRA). The value of 1.9x10-3 was selected because it is based on more plausible assumptions than the 1x10-3 val ue . Specifically, the 1x10-3 value is derived from conditional probabilities that suggest the likelihood of failing a third diesel given that

. two have already failed, is lower than that of failing the second diesel given i

that one has failed (see Table A.S.9 in the LGS-PRA). This is not true for the " timed values" given in Table A.5.9 of the LGS-PRA and on which the value l

of 1.9x10-3 was based.

l 4.3 Human Error Probabilities 4.3.1 Depressurization During a Transient.

The LGS-PRA uses a value of 2x10-3 for failure of the operator to

! initiate a safety system within 30 minutes. This is based on the probability of 10-3 that the operator fails to respond and the probability of 10-3 that the operator improperly responds. It is noted in the LGS-PRA, that these values are based on the case study by A. Swain for manual switching to auxili-

! ary feedwater from main feedwater (page 21-14 of NUREG/CR-1278, Reference 1 of Section 3). This case study used was based on the following three important assumptions: -

l

1) There is no dedicated operator (DO) to manually switch from main

! feedwater to auxiliary feedwater. The plant in the case study, how-ever, had a D0 whose only function was to maintain sufficient water inventory in the event of a transient.

4-7

2) There are plant procedures requiring that the operator switch from main to auxiliary feedwater whenever a reactor trip occurs from high-er than 15% power. Thus, all the operating staff are well aware of the required initiation of this system for almost every reactor

, trip.

3) The switchover from main to auxiliary feedwater is frequently performed at the plant, in both real and simulated situations.

The manual depressurization operation at a BWR contrasts with the above in the following ways:

1) There is no dedicated operator assigned for rapid manual depres-surization. Although the Swain value used in the LGS-PRA is for the situation without the dedicated operator, it is believed that the presence of the dedicated operator in the case-study plant had a bearing ori the awareness of the reactor operators of the importance in switching over to the auxiliary feedwater.

2) BWR procedures do not require rapid manual depressurization for each reactor trip. In fact, only one ADS actuation is allowed before a reanalysis of the plant must be performed to recertify its integr-ity for further operation. This could likely result in a reluctance of the operator to depressurize even if he is aware that he must do so.

3) Rapid manual depressurization is not routine as was switchover from main to auxiliary feedwater in the case study of Swain.

On the basis of the above reasoning, the value of 2x10-3 used for the X event in the LGS-PRA is regarded to be optimistic. The probability of event X may be as low as 1x10-3 or as high as ix10-1 The lower value may be ap-plicable if there has been extensive training on the types of sequences and the timing of these sequences which could result in the requirement for rapid manual depressurization. This would enhance the probability that the operator would know when to perform this action. On the other hand, there may still be a reluctance on his part because this is not a frequent action (in most plants 4-8 I 4 W b

it has never been performed intentionally) and because, following this action, an extended shutdown would be required in order to re-analyze the pressure vessel integrity. This constitutes an important uncertanty in the core-damage frequency, since the latter is very sensitive to the probability of this event.

To assess the probability of this event more realistically, BNL followed the methodology suggested in References 9,12, and 13. This approach assumes that for cognitive errors of omission, the time available for a decision is one of the most important parameters detennining the probability that such an error will occur, and it is to some degree uncoupled from other factors (such as the particular situation at hand, the skill level of the individuals, and theirtraining). It is at least uncoupled enough that these other factors can be treated as perturbations of the time-based model.

To isolate the thinking phase, the approach can be divided into time phases. This produces three phases for the decision process to be modeled, namely:

A. Signal Annunciation Phase - This signal detection phase is initiated at the time the system indicates to the operator, by whatever means available, that a possible problem exists. This indication may be given by a clear an-nunciation via an alarm, or by something as subtle as a visual walkaround sur-vey of the control panel which provides the operator with the " feeling" that something may not be right. The annunciation phase continues through an oper-ator's secondary review of the initial and alternative indications, and ter-minates when the operator is convinced he has or does not have a problem with the system.

B. Situation Analysis Phase - This phase begins at the time the operator is convinced he has a problem requiring his action. The phase includes all the activities associated with the thought process he goes through to de-termine where the problem is, what the problem is and what must be done about it, the amount of time he has to act, and, finally, precisely what action he must take. When he is convinced of the action he must take, this phase is terminated.

4-9 D A

I C. Operator Action / Intervention Phase - This phase begins with the oper-ator initiating his intended course of action. It includes the performance of all the subsidiary actions required to carry the intended course of action to its conclusion, as well as the influence of the subsidiary actions required for recovery from errors.

From the definitions, it is clear that the Situation Analysis Phase is the one within which the screening activities will be concentrated. The effect of Phases A and C on the phase of interest, B, is assumed to be dominated by the fact that time elapsing in these phases will be unavailable for the decision-making phase. This assumption is made because it is felt that the bulk of the probability of error in knowledge-based behavior lies in the decision-making process, and, in fact, that the other probabilities are usually negligible by comparison. In those cases where these effects are be-lieved not to be negligible, they are estimated by application of a suitable version of the model used for the procedural-based behavior. A specific functional form of the probability of error as a function of the time avail-able for the situation analysis phase is given in References 9,12, and 13 and is reproduced here in Figure 4.2. Circumstances other than the available time which are judged to influence the results significantly (e.g., reluctance on the part of the operators to do certain things) are taken into account by ap-plying multiplicative factors to the first-cut error probability obtained from Figure 4.2.

For this particular error of failure to initiate depressurization, the thinking interval is given by the difference between 30 minutes (the total available time) and the sum of a) the time required for the cues to become available to the operator, and b) the time required for his actions to take effect: that is, the time required for ADS to reduce the pressure and for LPI I

to begin to inject. Let us assume that 8 minutes are required for the cues to materialize, this is, the interval over which the information that no water is being injected becomes available. Let us further assume that 5 minutes are required for ADS to succeed and the low pressure systems to inject. This leaves 17 minutes as the thinking interval.

For this thinking interval, one obtains from the " universal 0ATS formula" (Figure 4.2, see Reference 12) the failure probability of 4.7x10-3 At this 4-10 m o

point, other factors pertaining to this particular scenario must be con-sidered. As discussed above, it is expected that the operator will b' e reluct-ant to initiate the ADS system. This reluctance is due partly to the know-ledge that ADS actuation implies a lengthy plant shutdown, which management would like to avoid if possible. The operator is faced with deciding that j none of the high pressure systems can be made to work in time, even though every effort is made to recover these systems. In short, there is an incentive to postpone this as long as possible. For this reason, the failure probability is modified by a " reluctance factor" of 3, to become 1.4x10-2 (seeReferences12and13).

Possible modifications to this reasoning are easily taken into account.

For some transients, the 30-minute time frame might be judged to be too long, while for others it is too short. It might be felt that the cues are avail-

able much sooner than 8 minutes; if the cues are available after 3 minutes, the thinking interval becomes 22 minutes, which results in a failure probabil-ity of 8.1x10-3 after the reluctance factor is applied. If the definition of the top event is modified to be "uncovery of more than X% of-the core,"

rather than "uncovery of the top of the core," the thinking interval will again be extended. If the thinking interval is lengthened by this reasoning from 17 to 22 minutes, the answer will again be 8.1x10-3 If the cues are available after 3 minutes, and the top event allows for 35 minutes, and the time required for action to be effective is again 5 minutes, then the thinking interval is [35 - (3+5)] = 27, and the corresponding failure probability is i 4.8x10-3, Because the specific functional form given in Figure 4.2 is meant to be used for " screening" purposes only and in general because of the overall un-l certainties on what is exactly the available thinking interval for this event, BNL has used the value of 6x10-3 as the base value for the probability of event X. This value was used for the turbine trip, the loss of feedwater, and loss of offsite power transients. For the remaining initiators, the value as-sumed for the failure of the operator to depressurize the reactor (X) was the same as that assumed in the LGS-PRA. That is, 2x10-3 for the small LOCA 4-11 f

manual shutdown and 10RV initiators and 1.5x10-5 for the medium LOCA. These values were felt to be appropriate for the following reasons:

1) The manual shutdown is a controlled well-thought-out procedure and, as such, operator error would be minimized.

2) The small LOCA and 10RV events were felt to have a range of sequences in which the operator would not have to intervene and manually de-pressurize since the event itself might depressurize the reactor ves-sel. Additionally, for both the small LOCA and 10RV events, the sup-pression pool temperature and the containment pressure would be increasing. The Emergency procedure guidelines (EPG) direct the operator to depressurize the reactor under these conditions. There-fore, there would be two occurrences forcing the operator to depres-surize: the loss of high pressure injection and the out of normal containment conditions.

3) The medium LOCA used a value of 1.5x10-5 for the failure to depres-surize the reactor. The functional use of X in the medium LOCA tree was unique in that it included both failure to manually depressurize and failure to automatically depressurize the reactor. The automatic initiation signal from high drywell pressure would be present during the medium LOCA and thus would preclude the necessity of the operator to take action.

One way to circumvent the demand for this operator action would be to re-move the drywell pressure permissive signal (which is not satisfied during transients), thus allowing automatic ADS actuation on a level 1 signal. This modification would, however, have to be analyzed to see if any adverse effects would result should an ATWS occur for which actuation of ADS is definitely not wanted.

4.3.2 Avoidance of Depressurization during ATWS.

l The LGS-PRA uses the value of 0.01 for failure of the operator to inhibit ADS actuation during an ATWS situation. Should ADS actuate, the low pressure 4-12

i 1

injection systems would inject over 50,000 gpm into the vessel and thus, in slightly over one minute, the poison would begin to be flushed out the MSRVs.

There is a two-minute timer once ADS is signaled to actuate which must be timed out before the ADS valves would open. The operator must reset this timer every two minutes or stop the low pressure pumps to prevent reactuation of the timing device which when timed out would ultimately depressurize the

plant. The value of 0.01 is considered extremely optimistic. In the BNL evaluation, the value of 0.1 has been used and is judged to be more appropriate.

4.3.3 Summary The ADS system was designed to respond to design-basis (SAR-type LOCA) accidents. Its response during beyond-design-basis accidents such as trans-ients in which high pressun injection fails must be evaluated within the con-text of a PRA analysis. Iri the SAR, only single failures are encountered so a failure of one high pressure injection system following a transient does not preclude successful operation of the other injection system (HPCI or RCIC).

Similar arguments apply to the actuation of ADS during an ATWS. ATWS is not considered in the SAR. With the extreme sensitivity and potential importance of the operator actions for the core-damage sequences (manual actuation of ADS during transients or manual inhibit of ADS actuation during ATWS), it would seem to be good engineering practice to re-evaluate the functions of the ADS and to consider the risk / benefit tradeoffs associated with modifying its auto-matic features. An alternative selection would be to review the existing operator training program and revise it as necessary in order to assume that the operator may better understand and more efficiently respond to potentially risk-significent challenges related to ADS.

4.4 References to Section 4

1. Kaplan, S., "On a Two Stage Bayesian Procedure for Determining Failure Rates From the Experiential Data," PLG-0191, June 1981.

2. " Zion Probabilistic Safety Study," NRC Docket Nos. 50-295 and 50-304.

3. " Indian Point Probabilistic Safety Study," 1982.

4-13 l . .

4. Papazoglou , I. A., Lederman, L. , and Anavim, E. , " Bayesian Inference Under Population Variability With an Application to the Frequency of Loss of Offsite Power in Nuclear Power Plants," BNL Report, February 1983.

5. " Anticipated Transients A Reappraisal," EPRI NP-2230.

6. " Characteristics of Pipe System Failures in LWRs," EPRI NP-438, August 1977.

7. " Loss of Offsite Power at Nuclear Power Plants: Data and Analysis,"

EPRI-NP-2301, March 1982.

8. Sholl, R. F., " Loss of Offsite Power Survey Status Report," Revision 3, Report of the Systematic Evaluation Program Branch, Division of Licens-ing, U. S. NRC.

9. " National Reliability Evaluation Program Procedures Guide," NUREG/CR-2815, unpublished report. Available only from the NRC Public Document Room.

10. McLagan, G. P. et al., " Preliminary Assessment of Diesel Generator Re-liability at Light Water Reactors," SAI/Annes, March 1980.

11. Poloski, J. P. and Sullivan, W. H., " Data Sumaries of Licensee Event

Reports of Diesel Generators at U.S. Coninercial Nuclear Power Plants, January 1, 1976 to December 31, 1978," NUREG/CR-1362, EGG-EA-5092, March 1980.

12. J. Wreathall, " Operation Action Trees, An Approach te Quantify Operator Error Probability During Accident Sequences," NUS Report #4655, NUS l

Corp. , July 1982.

13. R. E. Hall, J. Wreathall, and J. Fragola, " Post Event Human Decision Errors: Operator Action Tree / Time Reliability Correlation,"

NUREG/CR-3010, BNL-NUREG-51601, March 1983.

l l

l 4-14

l TURSINE TRIP l TRANSIENT BALANCE TUR3!NE CONDENSER MSIVs SECOMOARY TUR3!NE FEED. BVPASS HEAT SINK RE!1AIN CONTA!!sMENT EVENT TREE TRIP WATER OPEN SEQUENCE CONSEQUENCE TR.uSFER T Q A J D E T TT with Bypass Figure 3.4.8e+

(3.5)

N NEa!#Et nyn 3.4.Be ,

.05 ... .. .........

TD ttISV Closure Figure 3.4.9e

(.18) ,

TW TT Without 8ypass, Figure 3.4.9e 10'2 I TWE TT Without Bypass

Figure 3.4.9a ,

tio Containnent 7

TWO MS!f Closure Figure 3.4.Se

(.04)

IA TT Without Bypass. Ftgure 3.4.9e 10-3 TAE TT Without Bypasif " 9"" ***

3.98 tio Containment 1.0 TAD MSIV Closure Figure 3.4.9e

)

TQ TT Without,8ypa ss* Ft yre 3.4.9e

.05 TQE TT Without Bypa ss*

fio Containnent F1 pre 3.4.98 1.0 TQO MSIV Closure F1 pre 3.4.9e

(.20)

All Turbine Trips for uhtch bypass to the condenser is not functional, are considered to be equiva?ent to MSIV Closure Events.

Figure 4.1. Event tree diagram of accident sequences following a isoTE: n ts eveat tree is eve 1=sted turbine trip initiator. (This is Fig.3.4.7 of the 88*==ias that * *='*$ae trip followed by a fe11ere to screm LGS-PRA.) 5. t progre n . The vie of the tree is to discriminate between events leading to isolation and

+ Figure 3.4.8a of the LGS-PRA is the turbine trip ATWS tree. those for wmsen the condena r remains evallable

Figure 3.4.9a of the LGS-PRA is the MSIV closure ATWS tree.

9

~~- CUT =OFF FOR ACCfDEN f 3 wtTM FREQUENCIES LESS THAN 4 PER 1(AR 16'

=

$1d*

t a

b o i5' E

i5* . . _ _ _ _

ic' l .

10 10 0 1

1000 MINUT E S 1

l l

l t

l l

Figure 4.2. Failure probability vs time for operator thinking.(12,13) 4 l

l r

4-16

Table 4.1 Frequency of initiating events (mean values /yr).

LGS BNL WASH-1400 Transients 9.08 13.02 11 Turbine trip 3.98 ~5?TT

~~

MSIV closure 1.78 1.23 Loss of offsite power 0.053 0.17 10RV 0.07 0.25 Manual shutdowns 3.2 3.2 LOCAS Large 4x10-4 4x10-4 2.7x10-4 Medium 2x10-3 2x10-3 8.1x10-4 Small 1x10-2 1x10-2 2.7x10-3 ATWS 5.92 9.82 Turbine trip MSIV closure W TT9 2.2 2.01 Loss of offsite power 0.053 0.17 10RV 0.07 0.25 Table 4.2 Experiential evidence from plants of the Mid-Atlantic Reliability Council loss of offsite power.t7,8)

Plant Name No. of Occurrences Years in Operation

1. Calvert Cliffs 3 5.66

2. Oyster Creek 2 11.08

3. Peach Bottom 2 and 3 0 6.72

4. Salem 0 4.34

5. Three Mile Island 1 and 2 0 5.99 I

4-17

Table 4.3 Frequency of loss of offsite power for the Mid-Atlantic Area Council (MAAC).

Plant Name N(1) T(2) Mean 5% 50% 95%

1. Calvert Cliffs 3 5.66 2.7E-01 6.5E-02 2.1E-01 5.7E-01 1

2. Oyster Creek 2 11.08 1.6E-01 4.3E-02 1.3E-01 3.3E-01

3. Peach Bottom 2 & 3 0 6.72 1.0E-01 1.1E-02 7.9E-02 2.5E-01

4. Salem 0 4.34 1.2E-01 l'.3E-02 8.8E-02 2.9E-01

5. Three Mile Island 1&2 0 5.99 1.1E-01 1.2E-02 8.1E-02 2.6E-01 Population Aggregace: 5 33.79 1.7E-01 1.8E-02 1.1E-01 4.8E-01 (1) N equals the number of occurrences.

l (2) T equals the number of years of reactor operation.

Table 4.4 Probability of not recovering offsite power up to time t.

t (hr) LGS BNL 0.5 0.66 0.54 2.0 0.35 0.25 4.0 0.16 0.17 10.0 0.01 0.07 15.0 --

0.05 20.0 0.0003 0.03 24.0 --

0.03 4-18 l

5.0 ACCIDENT SEQUENCE QUANTIFICATION The purpose of this section is to give a brief presentation of the LGS-PRA approach for quantification of the accident sequences along with the corresponding results, to describe the BNL modifications in the quantification approach, and to present the revised results. The section is organized as follows:

Section 5.1 summarizes the LGS approach to quantification and presents the LGS point values for the frequency of various accident sequences and core damage. Section 5.2 gives the BNL approach to the quantification and the re-vised results. Section 5.3 presents the BNL assessment on the uncertainties in the f requency of core damage. Section 5.4 contains the ranking of the various systems with respect to their contribution to the frequency of core damage. Finally, Section 5.5 discusses the effect on the frequency of core damage of two design modifications.

5.1 Overview of the LGS Accident Sequence Quantification This section is divided into two subsections. Subsection 5.1.1 briefly describes the LGS-PRA accident sequence quantification approach and presents the resulting accident sequence frequencies and the total frequency of core damage. Subsection 5.1.2 highlights the BNL areas of concern with the ap-proach followed in the LGS-PRA.

5.1.1 LGS Quantification Approach In the LGS-PRA, accident sequences are defined in terms of combinations of safety functions failures given the occurrence of an initiator. These combinations are generated with the help of the functional event trees (see Section 3.2). The branch point probabilities in the event trees were then calculated (as probabilities of function failures), and next, the probability of each accident sequence was calculated by multiplying the failure l probabilities of the functions involved in the sequence along with the h frequency of the corresponding initiator.

The failure probabilities for the functions were calculated with the help of the functional fault trees (see Section 3.3) and/or the functional-level j event trees (see Section 3.4). In both cases the event of failure of a par-5-1

ticular function was decomposed to simpler events, namely, frontline system failures using deductive logic (functional fault trees) or inductive logic (functional-level event trees). The unavailabilities of the frontline systems were calculated from the corresponding system fault trees (see Section 3.5).

The functional-level event trees and some functional fault trees were quantified by substituting the unavailabilities of the frontline systems by the top event probabilities of the system fault trees. For some functional fault trees, the basic events - frontline system failures - were replaced by

the system fault trees and the resulting expanded fault trees were then i quantified.

The frontline system fault trees contain both frontline system hardware failures and support system failures, and these failures were further resolved down to the component level. Hardware as well as test, maintenance, and human error contributions to the component unavailabilities were considered.

I i

This quantification procedure was followed for all of the twelve functional event trees that model the plant response to the various initiators (see Section 3.2). The accident sequences of each event tree were classified into three categories: core-damage sequences, non- core-damage sequences, and t transfers. The transfer sequences were the ones judged to be more ap-propriately modeled in a different functional event tree.

t In addition, all the core-damage sequences were divided into classes ac-cording to the nature and scenario of core damage.

Class I core-damage sequences are characterized by the loss of cool-ant makeup and core damage before containment failure.

Class II sequences are those events that exhibit loss of long-term con-tainment heat removal function and result in containment failure followed by core damage ;

Classes III and IV are ATWS sequences with core damage prior to and fol- )

lowing containment failure, respectively.

Section 6 further elaborates on this classification. The total core-damage i frequency is equal to the sum of the frequencies of all the core- damage 5-2

sequences. Figure 5.1, excerpted from the Limerick report, depicts the total core-damage frequency as well as the frequency of each class as calculated in the PRA study. The class that contributes the most to the core damage is the loss-of-core-coolant inventory makeup class (Class I) and is approximately one order of magnitude larger than the next two classes. Classes II and III are about equal in their contribution to core damage. Lastly, Class IV is about two orders of magnitude smaller in frequency than Class I. The total core damage frequency is estimated at 1.5x10-5 per reactor year.

A summary of the dominant sequences is given Figures 5.2 and 5.3. The first figure depicts dominant sequences of Classes I and II. For the Class I category, contributions from sequences of the same initiators were grouped together; the most dominant one within Class I is the sum of T UV E and T UXE which are the loss-of-offsite-power events coupled with loss of high and low pressure systems (UV) or failure of high pressure systems along with failure to manually depressurize the reactor vessel (UX). The remaining sequences in Class I are presented in descending order of frequency. The most dominant sequence in Class II is a turbine trip with failure of safety / relief valves to reclose followed by a loss of long-term containment heat removal. Mechanical failures of the scram system, given a turbine trip or loss of feedwater, dominate Classes III and IV, respectively.

These sequences, compiled in the order of core-damage frequency with no distinction made to classes, are given in Table 5.1. A number of observations l can be made:

i) 90% of the core-damage frequency is attributed to sixteen sequences, I and 88% of this contribution comes from sequences in Class I; l

ii) two sequences T E UV andpT QUX contribute 64% of the total core-damage frequency, 40% and 24%, respectively ;

iii) the top five sequences involve failure of the high pressure injection systems ;

l I iv) four of the top five sequences involve failure of timely manual ADS actuation; and v) loss-of-offsite-power induced sequences contribute 44% to the total core-damage frequency.

5-3

Two additional comments on the core-damage quantification approach are warranted here. First, the contribution of Classes II and Class IV to the core-damage frequency is conservative. This is because not all Class II and Class IV sequences will lead to containment overpressure failure since in some cases containment leakase will prevent gross containment failure and the resulting loss-of-coolant injection. Second, all the accident sequence frequency evaluations were truncated in a conservative way (rounding off on the high side}. Exceptions to this rule were some numerical errors in certain sequences in the loss-of-of fsite-power event tree.

5.1.2 Areas of Concern in the LGS-PRA Accident Sequence Quantification The potential problems of the employed quantification methods that were Identified during the review can be divided into three general categories.

1) Deficiencies in the incorporation of dependences in the various types of logic trees used in the PRA;

11) disagreement with some of the system unavailabilities and other event tree probability values used in the quantification; iii) differences in the assessed frequencies of the initiating events.

The deficiencies in the incorporation of dependences refer only to de-pendences that are within the scope of the LGS-PRA and are supposedly treated by the accident sequence definition and quantification method. The omitted dependences discussed here are confined, therefore, only to the functional type (see Section 3.7) and exist among functions or within functions because of shared hardware of frontline systems and/or support systems. The following types of dependence omissions were identified:

1) The full impact of the dependences introduced by the support systems servicing more than one frontline system was not evaluated. .

The dependences introduced by the support systems were not incorporated in the quantification process, both at an accident sequence level and at a t

5-4

functional level. At an accident sequence level, the frequency of a sequence was evaluated by simple multiplication of the function unavailabilities (and the corresponding initiator) where the function unavailabilities were calculated independently from each other. Thus, the effect of dependences introduced by support systems servicing several frontline systems performing different functions is not included in the evaluation of the accident sequence frequency. The effect of these support systems is also not evaluated for all of the functions. Thus, in some functional fault trees and functional-level event trees, the " basic events" of system failures were not replaced by the system fault trees but by the system unavailabilities calculated from the quantification of the independent system fault trees. An example of this kind of omission is the treatment of the functional fault tree for the containment heat remeval function W. In this tree the power conversion system (PCS) and the residual heat removal (RHR) system are treated as being completely independent which implies that they do not share any common support systems.

Both systems, however, depend on AC power, DC power, and service water among other things. The BNL review tried to assess the impact of these omissions, and the details are given in Subsection 5.2.1.

2) The impact of the dependences introduced by equipment hardware shared among frontline systems was not fully evaluated.

The quantification procedures followed for the accident sequence frequencies and the function unavailabilities do not allow for the effect of shared hardware among frontline systems for the same reasons mentioned above for the support systems. Cases of shared hardware exist both at a function level and at a system level. For example, the feedwater injection function (Q) and the containment heat removal function (W) both utilize the power con-version system (PCS). Common injection lines or valves, the condensate stor-age tank, the suppression pool, etc. introduce additional dependences, the impact of which has not been evaluated.

These dependences are important for the accident sequences resulting from transients and LOCA initiators. The ATWS accident sequences are not characterized by such dependences. This can be attributed to the short time duration of an ATWS event, the small number of systems involved in the ATWS sequences and the high degree of independence that characterize these sys-5-5

I J

tems. The BNL assessment of the impact of these dependences to the core dam-age probability is presented in Subsection 5.2.2. Changes in the ATWS event trees are discussed in Subsection 5.2.3.

The system unavailabilities used in the quantification of the accident sequences were obtained by one of two methods: 1). system fault trees were developed and quantified; and 2) system unavailabilities were derived from experiential data or obtained from other studies. In both these areas several potential problems have been identified and revisions made. The details of these changes are discussed in Subsection 5.2.4.

The differences in the assessed frequencies of the' initiating events were discussed in Section 4.1. The impact of these differences on the core damage frequency is presented in Subsection 5.2.5.

+

5.2 BNL Revisions in Quantification of Accident Sequences This section presents the BNL revisions in the quantification methodol-ogy and the corresponding results. It is organized as follows.

Subsection 5.2.1 discusses the quantification methodology employed to es-timate the impact of the dependences introduced by the support systems on the core damage frequency. Subsection 5.2.2 presents the modifications in the various logic trees to account for shared hardware between frontline systems performing the same or different safety functions. Subsection 5.2.3 describes i

the changes made in the ATWS event trees. Subsection 5.2.4 gives the changes in the system unavailabilities. Subsection 5.2.5 summarizes the effects of the various revisions on the beency of the various accident sequences, the i

frequencies of the foua e f 4 t dasses, and the total core damage frequency.

l l 5.2.1 Incorporation Q w e,. g 5ystem Dependences into the Accident Sequence

-Quantification ;

To properly account for the support system dependences, the quantifica-tion method must preserve these dependences first within the functions and ;

next at the accident sequence level.

~

I 5-6

l Preservation of the dependences at a funr. tion level can be achieved in the following ways. If the function is modeled by a functional fault tree (see Section 3.3) then the frontline system failures in these trees can be re-placed by the system fault trees. Boolean reduction of the resulting fault tree will then properly account for the support system dependences within the function. If the function is modeled by a functional level event tree, first the sequences of this tree that lead to loss of the function are assessed.

Next, the system failures in each sequence are " linked" under an "AND" gate and the system failures are replaced by the system f ault trees. This way a large fault tree is generated for each sequence. Boolean reduction of these trees properly accounts for the support system dependences in each sequence.

The loss-of-function probability is then equal to the sum of the probabilities of the sequences (which are mutually exclusive if the effect of function successes in each sequence is properly accounted for).

Preservation of the dependences at an accident sequence level can be achieved by " linking" all the function failures under an "AND" gate and then replacing them by the expanded nonreduced functional fault trees (i.e.,

functional fault trees with system fault trees in the place of frontline sys-tem failures). Boolean reduction of the resulting large fault tree properly accounts for the support system dependences at an accident sequence level.

Another way is to expand the event tree by replacing the functions with sys-tems, both frontline and support, so that the resulting event tree consists of events representing hardware (frontline or support) system failures that are independent. The accident sequences of this large event tree can then be quantified by simple multiplication of the constituant failures.

The BNL quantification consisted mainly of fault tree " linking." First, the system fault trees were "modularized." That is, portions of the trees involving hardware failures that were not shared by any other system were re-f placed by a single event. The same was done for the support systems. Thus,

each frontline system was represented by a reduced fault tree; usually an "0R" gate connecting a hardware f ailure event and support system f ailures. Next, the reduced system f ault trees were introduced into the functional fault trees. This procedure is further described in Subsection 5.2.1.1 below. Fi-nally, the new functional fault trees were combined to assess the core damage and accident sequence frequencies as described in Subsection 5.2.1.2.

5-7

_ _ _ . ~ _ -

5.2.1.1 Reduced Functional Fault Trees 4

Careful review of the system fault trees and of the plant design showed that support systems were widely involved in the operation of the frontline systems. For instance, the ADS is shown in the system fault trees of the Limerick study to include all four trains of Class IE DC power. Electric power dependence in the systems' fault trees accounted for the loss of offsite power due to grid instability in coincidence with diesel generators. Loss of offsite power (LOOP) due to other causes was considered to be incorporated in the sequences following a LOOP initiating event. Of all the support systems that, were qualitatively evaluatea, three (AC power, DC power, and service water) were found to contribute substantially and were, therefore, included in the BNL assessment. Table 5.2 summarizes the dependence of various frontline systems on these three support systems.

For each frontline system a reduced system fault tree was generated.

This tree explicitly accounted for the hardware unavailability of the system and any of the support systems identified in Table 5.2. For example, in Boolean notation, the reduced tree of the HPCI and RCIC systems can be written as follows:

! HPCI = HPCIH + EAC + EDC + WSW RCIC = RCICH + EAC + EDC + WSW, where HPCIH - hardware failure of the HPCI system without the support systems RCICH - hardware f ailure of the RCIC system without the support systems EAC - failure of all trains of offsite and onsite IE AC power supplies EDC - failure of all trains of Class IE DC power (battery and charger) l supplies l WSW - hardware failure of all service water trains.

Hardware failure of HPCIH or RCICH includes any combination of component i

failures which might lead to the failure of these systems. EAC failure l

includes the loss of offsite and onsite IE electric power supplies for more than a half hour. Similarly, EDC and WSW denote the common mode failure of 5-8 l

all redundant trains of DC power and service water systems due to independent or dependent failures. However, the assumption that loss of either AC power or service water would lead to HPCI or RCIC failure is conservative. Both of these support systems are needed to ensure adequate room cooling for'HPCI and RCIC. Failure of the support systems does not necessarily result in loss of room cooling since, according to the LGS-PRA there is an alternative way to es-tablish such cooling, i.e., by opening the room door to allow cooling by natural convection. BNL incorporated this alternate room cooling function into the reduced fault trees. The Boolean expression of the two reduced trees now becomes HPCI = HPCIH + EDC + (EAC) - (ARC) + (WSW) - (ARC)

RCIC = HPCIC + EDC + (EAC) - (ARC) + (WSW) - (ARC),

where ARC denotes the failure of the operator to provide alternate room cooling to the frontline system rooms EAC denotes the total loss of AC power for more than two hours but less than four hours EDC denotes the total loss of DC power because of total loss of AC power for more than four hours, or for other reasons.

Since either of these systems is capable of providing high pressure injec-tion, the functional fault tree for this function (U) is as shown in Figure 5.4.

In an analogous way, functional fault trees incorporating support system dependences were developed for the feedwater function (Q), the low pressure injection function (V), and the long-term containment heat removal function (W). These trees are given in Figures 5.5 through 5.7, repsectively. Since function W is not required before twenty hours from the initiation of an ac-cident, a " recovery" basic event has been added in the tree (see Figure 5.7) to model the possibility of recovery of the support systems within this time period.

5-9 l l

5.2.1.2 _Co_re-Damage r Fault Trees To preserve support system dependences at an accident sequence level,

that is, at core damage level, the functional event trees of the LGS-PRA were transformed into equivalent fault trees, called here core-damage fault trees (CDFT). The top event of a CDFT is core damage and the basic events are-function failures. The equivalent CDFT for the loss-of-feedwater transient event tree is depicted in Figure 5.9. The cutsets of a CDFT correspond one-to-one with the accident sequences (or paths) of the equivalent event tree. Furthermore, the cutsets of gate G2 (see Figure 5.9 and Table 5.3) provide the Class I accident sequences, and the cutsets of gate G3 provide the i Class II accident sequences. The event C1 in gate G3 was included to avoid generating Class II accident sequences that also cause Class I events. It is noteworthy that gate G2 in the loss-of-feedwater CDFT produces only two cutsets T pQUX and pT 4UV instead of the four Class I accident sequences of the corresponding evont tree (see Figure 3.2). This is because the sequences TpfQUX and Tp POUX are combined into T pQUX while sequences TpPQUV and TpP QUV are combined into TpQUV. This is proper since l the functions Q, V, and V do not depend on P. Gate G2 produces all four Class I accident sequences of the loss-of-feedwater event tree. CDFTs were l developed because they lend themselves to computerized analysis via the WAMCUT or other equivalent codes. Thus, the required Boolean reduction of the tree l is automated and the probability of error is minimized. Furthermore, this representation lends itself to parametric studies and, sensitivity analyses

and is helpful in the evaluation of the uncertainties (see Section 5.3).

Core-damage fault trees were developed for the four transient initiators (turbine trip, loss of feedwater, 10RV, LOOP). the manual shutdown, and the

[ three LOCA initiators. These trees are shown in Figures 5.8 through 5.15, re-spectively. For the loss of offsite power initiator, a time-phased fault tree l was generated to account for the different success criteria of the various systems as a function of the duration of the loss of the AC power and of the probability of recovering AC power. The LOOP core-damage fault tree is given in Figure 5.11. Four time phases have been considered. Three time phases were considered for Class I-type of core damage corresponding to total loss of 5-10 l

AC power for the periods 0-1/2 hr,1/2-2 hr, 2-4 hr. The fourth time phase corresponds to loss of offsite power for more than 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months and it is relevant for Class II-type of core damage. CDFTs were not developed for the ATWS trees, since no important support system dependences were identified among their frontline systems.

In order to account for support system dependences, the function failures in CDFTs were replaced by the respective reduced functional fault trees (see Section 5.2.1.1). Boolean reduction of the resulting expanded fault tree properly accounts for the support system dependences.

As an example, the results of the loss-of-feedwater CDFT quantification ,

will be discussed in detail. If the CDFT of Figure 5.9 is quantified, a core-damage frequency of 4.14x10-6 is obtained. This value is equal to the sum of the frequencies of all loss-of-feedwater core-damage sequences, as calculated by the LGS-PRA (see Table 5.3). If the function failures are replaced by the reduced functional fault trees and the tree is requantified, the top event probability increases from 4.14x10-6 to 5.10x10 6 (see Table 5.4 ) . The frontline and support systems unavailabilities used in the quantification are discussed in Section 5.2.4. Table 5.4 provides a list of the cutsets that contribute to core damage. 'The cutoff probability used for this calculation was 1x10-10 The cutset that contributes the most to the core damage probability is Tp0VX, consisting of hardware failures of frontline systems [Feedwater and PCS (Q), HPCI and RCIC] and failure to manually initiate depressurization (X). The next cutset is Ty(DC). This implies that loss of DC for more than a certain time (see Section 5.2.1.1) concurrent with a transient would result in core damage.

e The remaining CDFTs were quantified in a similar way and the results are given in Table 5.5.

The quantification of the ATWS event trees was not changed since no significant support system dependences were identified.

I The frequency of core damage if the support system dependences are taken into account is calculated to be 2.4x10-5, representing a 60% increase over the 1.5x10-5 value given in the LGS-PRA.

5-11

5.2.2 Incorporation of Additional Dependences into the Accident Sequence Quantification This section describes additional dependences identified by the BNL review. These dependences are again of the functional type (see Section 3.7),

existing among frontline systems performing different functions. They are due to shared hardware or process coupling.

5.2.2.1 Dependence Between Q and W Functions The feedwater injection function (Q) is performed by the feedwater (FW) and the power conversion (PCS) systems. These same systems are involved in the long term containment heat removal function W (see Figure 5.16). The relationship of the FW and PCS systems both in performing the Q function and in contributing to the W function is modeled by functional-level event trees.

These two trees for the turbine trip initiator are given in Figures 5.17 and 5.18, respectively. The tree in Figure 5.17 models the various events and operations or failures of equipment which subsequently lead to the failure of the feedwater and PCS systems. The tree in Figure 5.18, models the unavailability of the FW/PCS system at later times due to changes in plant conditions. The approach used in the LGS-PRA was as follows. The functional-level event tree of Figure 5.17 was used to assess the failure probability of the Q function (FW/PCS unavailability immediately after accident initiation). The functional-level event tree of Figure 5.18 was used to assess the unavailability of the same systems (FW/PCS) at a later time when they can be used to perform the W function. The probability of the FW/PCS systems failing late (as calculated from the tree of Figure 5.18) was input into the functional fault tree for W, and the failure probability for W was calculated. Then the two probabilities (for Q and W) were multiplied together in all accident sequences involving the joint event of QW.

This approach contains various pitfalls owing to dependences between the events that contribute to the early and late unavailability of the FW/PCS sys-tem. In effect, the approach in the LGS-PRA consists in combining each sequ-ence of the functional-level event tree for Q (see Figure 5.17) with each sequence of the functional-level event tree for W (see Figure 5.18) and multi-plying their respective frequencies. Some of these combinations contain early I and late considerations for the same event that are not, in general, 5-12

independent. The first such event is the availability of offsite electric power. The event tree for the early availability of the FW/PCS function (Figure 5.17) correctly asks whether the offsite electric power is available following a transient and assigns a probability of 10-3 that a loss of offsite power will occur as a result of the reactor scram. The next event addresses the possibility of recovering offsite power in a time frame that will not jeopardize the success of the FW/PCS function early. This sequence, with a probability of 10-3 results in a failure of the Q function. When this sequence is combined with the unavailability of the W function (i.e.,

FW/PCS unavailable late), the corresponding functional event tree again asks the question whether loss of offsite power occurred following the transient and whether it has been recovered before the W function is needed (i.e.,

within 20 hours2.314815e-4 days 0.00556 hours 3.306878e-5 weeks 7.61e-6 months ). The value of 10-3 is again assigned for LOOP while a value of 1.3x10-2 is assigned for the probability of not recovering it within 20 hours2.314815e-4 days 0.00556 hours 3.306878e-5 weeks 7.61e-6 months . When these two sequences are combined, the probability of having the FW/PCS function unavailable both early and late owing to loss of offsite puwer is aqual to 10-3x10-3x1.3x10-2=1.3x10-8 This, of course, is not correct since the probability of losing offsite power and not recovering it within 20 hours2.314815e-4 days 0.00556 hours 3.306878e-5 weeks 7.61e-6 months is simply 1.3x10-5 It is also noteworthy that the LGS-PRA approach includes combinaticos of the sequence of LOOP early l

with sequences on the unavailability of the W function that contain the event offsite power available. These combinations are impossible and overestimate the joint probability of FW/PCS failure early and late. The BNL review removed this discrepancy by setting the unavailability of LOOP equ31 to 1.0 each time the W function was combined with the Q sequence that contained loss l

of offsite power.

For the turbine control and bypass valves, the LGS-PRA used the values of 1.1x10-2 and 5.5x10-4 for early and late unavailability, respectively.

l This assumption results in a joint unavailability of 6x10-6 for combination of sequences that contain both early and late failures of the valves. This j

unavailability was judged to be too high, and the late unavailability was I changed in such a way that whenever a sequence combination contained an early j and late unavailability of these valves, the joint probability was equal to 5.5x10-4 The probability of MSIV reopening in the late phase was assessed by LGS-PRA at a value of 10-3 This value was changed in the revision, for 5-13

those sequences in which the MSIV did not open in the early phase, to 10-2, Thus, for sequence combinations that involve failure of the MSIV to reopen in both early and late phases, the BNL value of this event was 2x10-3 instead of 2x10-4 implied by the LGS-PRA approach.

For the probability of f ailure to recover FW and PCS by the operator through actions in the control room, the Q functional-level event tree (Figure 5.17) assigns a value of 10-2, assuming that the operator has 15 minutes to realize the need for and perform the necessary actions. The W functional-level event tree (Figure 5.18) assigns for the same event a 10-3 probability since the operator has to perform these actions within 20 hours2.314815e-4 days 0.00556 hours 3.306878e-5 weeks 7.61e-6 months . This 10-3 value represents a lower bound for a human error of cognitive nature. If the two trees are combined, however, there are sequences that assume a 10-2 probability for a human error early (in Q) and a 10-3 probability for a human error late (in W). This is equivalent to assuming a total of 10-5 human error probability. This value is unrealistically low. To account for the fact that the operator has failed to recover FW/PCS initially, accident sequences in the Q functional-level event tree (Figure 5.17) that involve such a failure were combined with the W functional-level event tree (Figure 5.18) where the probability of recovery of FW and PCS was put equal to.10-1 This value combined with the 10-2 value in the Q functional-level event tree results in a total human error probability of 10-3 If there is no failure to recover in the sequence of the Q functional-level event tree, then the sequence is combined with the W functional-level event tree. as it appears in Figure 5.18.

The joint failure of the Q and W functions consists of various com-binations of system failures. Some of these failures are due to hardware unavailability of FW/PCS early (in the Q function) and hardware unavailability of FW/PCS late (in the W function). The approach used in the LGS CRA is equivalent to assuming a 10-3 probability for each of these events or a 10-6 probability for the joint event. This is not correct. If the FW/PCS is not available at the beginning of the accident because of a hardware failure (with probability 10-3), then the probability that it is not available 20 hours2.314815e-4 days 0.00556 hours 3.306878e-5 weeks 7.61e-6 months later (when needed for the W fenction) is not 10-3 again but it is equal to the probability of not recovering it within 20 hours2.314815e-4 days 0.00556 hours 3.306878e-5 weeks 7.61e-6 months . This latter probability is estimated at 3.6x10-1, using a mean time to repair of nineteen hours and assuming exponentially distributed repair times.

1 5-14

J 4

i i In order to account for this dependence the following approach was employed. Each event path that leads into Q function failure in the Q functional-level event tree '(Figure 5.17) was examined to assess whether it involves FW/PCS hardware unavailability. If this was the case, this pa~th was then combined with the W FW/PCS functional-level event tree (Figure 5.18) where now the 10-3 probability for FW/PCS hardware failure was replaced with the nonrecovery probability of. 3.6x10-1 If there was no FW/PCS hardware in the Q functional-level event tree path, this path was combined with the W 4

FW/PCS functional-level event tree as it appears in Figure 5.18.

These evaluations were performed for the turbine trip, loss of feedwater, manual shutdown, and medium and small LOCA initiators. For the turbine trip transient, the dependences result in an increase of the unavailability for the

. FW/PCS system to participate in the W function from 3.5x10-3 to 6x10-2, j For the loss of feedwater initiator the increase is from 4.2x10-2 to

! 1.9x10-1 For the manual shutdown the increase is from 3.5x10-3 to 7.1x10-2 For the medium and the small LOCA initiators, the increase is' from 3.5x10-3 to 6x10-2 and 3.5x10-3 to 9.1x10-3, respectively.

A final point of concern on the treatment of the FW/PCS availability in the LGS-PRA has to do with a potential conservatism stemming from the inclu-sion of hardware unavailability in the functional-level event trees. In both early and late functional-level event trees, a hardware unavailability _ of 10-3 was included (last column in Figures 5.17 and 5.18). Both the feedwater and the power conversion systems are, however, en line systems that are operating and hence available while the reactor is at power. Fol-lowing a transient (that did not originate from FW/PCS failure) and a reactor scram, the FW/PCS hardware should be available to operate. All possible failures of equipment and subsequent failures to recover are covered by the various events in the functional-level event trees (e.g., feedwater system re-mains on line, r,ecovery of FW/PCS). The inclusion of another event concerning the unavailability of the FW/PCS hardware seems, therefore, unwarranted at least for the turbine trip, manual shutdown, and small LOCA initiators. For L

the loss-of-feedwater transients, a very high degree of dependence between the l FW/PCS hardware unavailability and the initiator of the transient exists.

l 5-15

i i

l These dependences are discussed in Section 5.2.2.2. If the FW/PCS hardware unavailability is removed from the functional-level event trees, the Q func-tion unavailability for the turbine trip, manual shutdown and small LOCA initiators, is reduced from 1.8x10-2 to 1.7x10-2, from 6.5x10-3 to 4.5x10-3, and from 0.16 to 0.15, respectively. The corresponding reductions for the W function unavailability are, from 6x10-2 to 4.4x10-2, from 7.1x10-2 to 2.2x10-2, and from 9.1x10-3 to 6.9x10-3 The impact of these reductions can be assessed with the help of the sensitivity analysis presented in Section 5.4.

5.2.2.2 Dependence Between Q Function and MSIV Closure Initiator In the LGS-PRA, all transients which would lead to the isolation of the reactor vessel from the main condenser are grouped together under MSIV closure. A detailed description of the initiator classification is provided in Section 2.2 and in Table 2.10. These transients include turbine trip without bypass, MSIV closure, loss of feedwater, and loss of condenser. If one of these initiators occurs, the sequences are treated as if the feedwater/

t condensate system is tripped off line and is no longer available. However, for turbine trip without bypass or MSIV closure, successful recovery actions by the operator allow the feedwater system to be brought back on line for the purpose of decay-heat removal; whereas for loss-of-feedwater or loss-of-l condenser events, these operator recovery actions might not be sufficient to l render the FW/PCS operational and additional effort and time may be re-quired before the feedwater system can start operating again. This dependence between the loss of feedwater initiator and the Q function is evaluated in the LGS-PRA by increasing the F/W and PCS equipment unavailability by a factor of 4 and the operator failure to recover the system by a factor of 10. These increases when quantified using the loss of feedwater functional-level event tree yield an unavailability for Q of 0.12. A similar functional-level event tree is developed for the MSIV closure initiator and the Q function un-availabiity is calculated to be 0.28. The overall Q function value used in th? MSIV functional event tree is evaluated to be 0.21, using weighted averages of the respective initiators.

The increase of the feedwater and PCS equipment unavailability by a factor of 4 is in no way justified in the LGS-PRA. A more realistic approach 5-16

h is to calculate the probability of recovering the FW/PCS system within the

, required time. Following this approach, for a loss-of-feedwater or a loss of condenser event, the feedwater and PCS equipment unavailability is calculated based on the ' assumption that injection must occur within half an hour using a mean time to repair of nineteen hours (used in the LGS-PRA) and exponentially distributed repair times. The calculation yields a feedwater system equipment

! unavailability equal to 0.974. On the basis of this evaluation, the Q function unavailability, given a loss-of-feedwater or a loss-of-condenser initiator, is estimated to be 0.978 (see Figure 5.19). The overall Q function l unavailability based on the relative contribution of the initiators is l increased from 0.21 (used in the LGS-PRA) to 0.61.

, This dependence between the initiator and a safety function is not limited to the Q function only. As a result of loss of feedwater or loss of-condenser, the long-term heat removal capability by the power conversion i s3 stem may be compromised. To calculate the unavailability of the FW/PCS system late (W-function), the method outlined in Section 5.2.2.1 was used.

Each failure sequence of the loss of feedwater functional-level event tree is examined; if it contains failure of the feedwater system, it is combined with the long term functional-level tree and a prob, ability of failure to recover the system equal to 0.36 is used. The long-term PCS unavailability is then equal to 0.325. For the MSIV functional-level event tree, similar calculations result in a long-term PCS unavailability of 0.072. The overall (weighted) long-term PCS unavailability is then equal to 0.19.

5.2.2.3 Dependence Between U and W Functions The high pressure injection function (U) is performed by the high pres-sure coolant injection (HPCI) and reactor core isolation cooling-(RCIC) systems. If this function is successful but the containment heat removal function (W) fails, it is postulated that the containment will fail from overpressure which will lead to failure of all core injection systems (both I

high and low pressure). Thus, every TW accident sequence leads to core melt in an already failed containment. Although this may be a conservative assumption, the long period of time (20 hr) during which the W function can be i recovered without containment failure implies a high probability of recovery and hence the contribution of the TW sequences to the frequency of core damage is small. There is, however, a dependence between the U and W functions such l

5-17

that failure of the W function leads to failure of the U function. This is because both HPCI and RCIC pumps are turbine driven requiring lube oil which in turn is cooled by suppression pool water diverted from the pump discharge.

If the W function fails, the tempercture of the suppression pool will rise to 200 F in approximately six hours. At this temperature the lube oil can not perform its function, causing a failure of both systems in the U function.

Additionally, the required minimum NPSH of both the RCIC and HPCI pumps would not be satisfied at a suppression pool temperature of approximately 190 F (20 ft for RCIC and 21 ft for HPCI). Although, the failure mechanism is uncertain (loss of lube oil cooling or loss of minimum NPSH), the fact is that the high pressure system would fail.

To incorporate this dependence the transient event trees were modified as f oll ows. The accident sequences involving success of function U and failure of W (see Figures 5.20-5.22) were not assumed to lead into a Class II core damage but were transferred to another event tree (see Figure 5.23). In this tree the state of the low pressure injection function (V) is investigated.

Failure of manual depressurization (X) was not considered because of the long time elapsing between initiation of the accident and need for depressurization (six hours). The unavailabilities for the W function systems used in the tree of Figure 5.23 represent the possibility of nonrecovery within a twenty-hour peri od . Since RHR is assumed failed at the time of the accident initiation and since the RHR and LPCI systems share major components, [ including the four motor driven pumps, suction lines, and associated valves (see Figure 5.24)]

only a 0.25 success probability was assigned to the LPCI system (due to equip-ment not shared with RHR).

The results of this modification slightly increase the total core-damage frequency and transfer some of the Class II frequency into Class I. This de-pendence does not significantly affect the overall results for two reasons.

It is assumed that the failure of the W function leads to core damage. Thus, the fact that failure of W leads to failure of an additional function (U) should not affect the probability of the final result, that is, of core dam-age. It does, however, lead to failure of U in six hours which, if not for the low pressure injection (V), would reduce the time available for recovery of W 5-18 -

in a very significant way. Because of the existence of function V, however, it takes an additional function failure (V) to actually reduce the _ time available for recovery of W from twenty hours to six hours. Thus, although the probability that twenty hours will be available for W recovery is reduced, the effect in the total core-damage frequency is not significant. It is felt, however, that this is an important dependence which will have a greater effect in the results if a less conservative assumption about the consequences of the W failure is adopted.

One other effect which would influence the outcome of a W failure from a risk point of view is the inability of the MSRVs to remain open as the containment pressure approached the failure point. The MSRVs would be operated in the manual mode (i.e., by N2 ) to maintain the reactor vessel pressure low enough to allow low pressure injection to continue. The N2 pressure is at approximately 105 psig. As the containment pressure ex-ceeds 80 to 90 psig, the MSRVs would shut and vessel pressure would increase.

When the vessel pressure exceeds the low pressure injection pumps shutoff head, there would be no coolant makeup to the vessel. This would result in sequences similiar to that of Class I with core damage in an intact containment, and not in a failed containment which has been assumed by the LGS-PRA. BNL has used the LGS-PRA conservative assumption in the review (i.e., meltdown in a failed containment) since this was also assumed in the RSS. However, it should be emphasized that the consequences of these sequences would actually be much milder than assumed.

5.2.2.4 The Vapor Suppression Function The vapor-suppression function was not included in the LOCA event trees of tha LGS-PRA. Failure of vapor suppression is defined as the failure to I

condense an adequate quantity of steam in order to maintain the pressure at a value which does not cause the primary containment to fail structurally. A simplified calculation of the effect of excluding the vapor suppression func-l tion on the core damage frequency follows.

I The RSS-BWR has twelve vacuum breaker assemblies consisting of one vacuum breaker per assembly. Failure of any two would fail vapor suppression for a large LOCA, and failure of any one would fail vapor suppression for a small 5-19 t

LOCA. Additionally, failure of any one of the RSS-BWR downcomers or any one of the eight vent lines would fail vapor suppression. The four LGS vacuum breaker assemblies have two check valves in series; hence, two check valves must fail open in order to fail one assembly. For the large LOCA condition, using the RSS single vacuum breaker failure and downcomer pipe rupture probabilities, the following unavailability is calculated for the loss of vapor suppression function in LGS. ;

Q LL=(87)(4.3x10-7)+Y4{2)!(1.1x10-4)2=3.75x10-5, where 87 is the number of LGS downcomers and is the number of possible combinations of two out of four 2 2 ) *,

vacuum breaker assemblies failing Using the same method the small LOCA vapor suppression unavailability is calculated to be QS 2 = 87(4.3x10-7) + 4(1.1x10-4)2 = 3.75x10-5, Thus, the failure probability of vapor suppression is the same for small or large LOCAs at LGS and is dominated by rupture of a downcomer pipe. These values are approximately 80% of the RSS value for large LOCA and 3% of the value for small LOCA. The reason for the large reduction in the small LOCA value is that LGS has two check valves in series to form a vacuum breaker, whereas'the RSS BWR has a single check value.

A simple check was made on the impact of the loss of this function using the LGS-PRA base analysis with the following results.

a) It was assumed that these failures would result in an increased Class II type of core damage since core damage would occur in a failed con-tainment caused by loss of vapor suppression. This core-damage )

frequency increase would be approximately 4.6x10-7, an increase of approximately 3.2% above the LGS core-damage estimate.

5-20

b) Mean acute fatalities would increase by 1.6% above the LGS estimation.

c) Mean latent fatalities would increase by 4.4% above the LGS estimation.

This _is of course a simplistic analysis but tends to be conservative. It is concluded that exclusion of vapor suppression has a minor effect at LGS due mainly to design differences between systems, l

5.2.3 Changes to ATWS Trees The following changes were made to the ATWS event trees (see Figures 5.25-5.28).

a) Unavailabilities of the standby liquid control (SLC) system were changed because of changes made to the SLC system fault tree and because of a de-pendence on the initiating event. The values that were used are as fol-lows.

ATWS Event Tree C12(1) C2 (2)

Turbine trip 3.5x10-3 0.6 MSIV closure 3.5x10-3 0.6 Loss of offsite power 1.4x10-2 0.85 10RV ----

0.1(3)

(1) One or two SLC pumps f ail to operate.

(2) All SLC pumps fail given failure of one or two SLC pumps.

(3) 10RV ATWS sequences are assumed to require manual actuation of SLC (as prescribed by the PRA), thus, operator action dominates the un--

availability of the poison injection system, b) The unavailability of the U function (HPCI or FW) and UR function (RCIC) has been increased to reflect BNL revisions to these system fault trees.

c) The probability of inadvertent operation of ADS when HPCI is injecting has been increased by a factor of 10, to 2x10-3, over the PRA value of 2x10-4 The LGS-PRA value was felt to be overly optimistic.

l l

5-21 L . .

d) The probability of inadvertent operation of the ADS when RCIC is the injection system in use has been increased by a factor of 10 above the BNL value used when HPCI is injecting (from 2x10-3 to 2x10-2). The LGS-PRA used a value of 4x10-4 RCIC injection capacity is on the order of 10% of HPCI capacity, and is thus judged to have a lower probability of maintaining the vessel water level above the ADS actuation setpoint (level

1) during an ATWS. l e) The 10RV ATWS event tree was revised to consider SLC unavailability to be dominated by the operator failure to manually initiate SLC. This is as stated in the PRA functional fault tree description. A value of 0.1 was used assuming a fifteen-minute reaction time and giving added credit to the operator action due to the attention estimated that he would give to shutting down the reactor.

f) Because of the high pressure system lube oil cooling problem (described in Sections 3.7 and 5.2.2.3), 100% of all accidents with loss of containment heat removal were placed in Class III rather than 80% in Class III and 20%

in Class IV as in the LGS-PRA.

These changes resulted in an increase of Class III frequency by a factor .

of 2 (from 1.1x10-6 to 2.0x10-6) and for Class IV frequency by a factor of 1.7 (frorn 1.1x10-7 to 1.9x10-7),

5.2.4 System Unavailabilities This section presents the changes made in the system unavailabilities as a result of the BNL review modifications.

The system unavailability values used in the LGS-PRA can be classified into two categories: 1) those that were obtained from fault tree analyses, i such as the HPCI system; and 2) those from statistical analysis of ex-I i periential data, such as the unavailability (and the recovery probability) of the diesel generators.

A total of ten system fault trees were developed in the LGS-PRA:

5-22

1) Feedwater system (FW)

2) Reactor core isolation cooling (RCIC)

3) High pressure coolant injection (HPCI)

4) Automatic depressurization system (ADS)

5) Low pressure coolant injection system (LPCI)

6) Low pressure core spray system (LPCS) l 7) Residual heat removal system (RHR)

8) Standby liquid control system (SLC)

9) Electric power dystem (EP)

10) Emergency and normal service water system (WSW)

The system unavailability values reported in the LGS-PRA are listed in Table 5.6. These results were verified by evaluation of the fault trees using

, the WAMCUT and WAMBAM computer codes. In addition, minimal cutsets were

. generated with the WAMCUT code for all ten systems. These cutsets are given i in Appendix SA.

Dependences of the frontline systems on the support system appear-to have baen properly modeled either by transfer to the support system fault trees (i.e., for electric power and service water) or by explicitly modeling the '

support system failures in the frontline systen trees. In any event, the effect of the support system unavailability on the frontline system i

unavailabilities is minimal. The latter are dominated by hardware failures.

A qualitative description of the BNL modifications to the system fault trees was given in Section 3.5. They can be summarized as follows:

1) In the feedwater system:

a) common mode miscalibration of reactor vessel level sensors b) operator's actions

[ c) additional ways to lose condenser vacuum.

L j 2) In the HPCI system:

a) failure of shaft-driven lube oil pump l b) turbine exhaust system failures c) increased failure rate of system restart.

l l

5-23 i

l l

l

3) In the ADS system:

a) common mode failure solenoid of valve because of contaminated gas supply b) common mode miscalibration of sensors.

4) In the LPCI system:

a) pump failure owing to suction valve limit switch failures.

5) In the RHR system:

a) failure of heat exchangers' discharge valves to the suppression pool b) cooling tower unavailable for RHRSW suction.

6) In the SLC system:

a) common mode miscalibration of poison-water-tank-level sensors.

These changes were incorporated into the fault trees of the LGS-PRA.

Data values selected for the BNL changes were based on the RSS data base.

Both the WAMCUT and WAMBAM computer codes were utilized to quantify the system fault trees. The results are presented in Table 5.6. The changes in the systm unavailabilities range from a factor of 5 (SLC) to insignificant (RHR,LPCI,LPCS). Table 5.6 also gives the system unavailabilities in the RSS-BWR analysis for comparison purposes. Appendix SB contains the- new cutsets of the various systems after the modifications.

Additional changes on certain event probabilities were discussed in Sec-tion 4.2.

The support system unavailabilities used in the support system dependence

l. analysis (see Section 5.2.2.1) were not the results of detailed reliability analyses. They were rather judged to be reasonable estimations (if not lower bounds) of the corresponding event probabilities. The choice of the particular values, listed in Table 5.7, was based on the following con-siderations.

1 a) Total loss of all AC power for more than two hours but less than four hours. This represents a station blackout that lasts for more than i

5-24 l

~

two hours but less than fe,ar hours. Such an event is possible if a loss of offsite power occurs, followed by failure to start of all four diesel generators and restoration of offsite AC or diesels within four hours but not before two hours have elapsed. The probability of a reactor trip challenging the stability of the elec-tric grid and causing its collapse is assessed at 10-3 (both LGS-PRA and RSS). The common cause failure to start all four diesel generators is assessed in the LGS-PRA at 1.9x10-3 Hence, the probability of a station blackout following an accident initiator (and caused by it) is equal to 1.9x10-6 This probability was com-bined with a 26% chance of recovering at least one source between two and four hours to yield the value of 5x10-7 used in the BNL as-sessment. It is noteworthy that the value of 0.26 is higher than the 0.16 probability of recovering at least one source between two and four hours that results if the values of Table 4.2 of this report and Table 5.1 of LGS-PRA are used. Yet the value of 0.26 is con-sidered optimistic because the loss of the offsite AC is not due to any of the usual causes of these events, e.g., loss of one or more lines, short circuit, breaker trip. Rather, the whole grid has failed. The recovery of the grid is a relatively lengthy process and hence, the recovery of the offsite power is not following the probability distribution presented in Section 4.2. Similarly, the re-covery of the diesel generators under blackout conditions can not

follow the probability distributions derived from times-to-repair based on restorations performed under normal conditions with AC l power available and the reactor at a safe state.

i b) Total loss of AC power for more than four hours or total loss of DC

p_ owe r. This failure represents total loss of AC power for more than four hours which results in loss of DC power because of battery de-pletion, or loss of all four DC buses because of battery failures or i charger and bus unavailabilities. Total loss of AC power for more than four hours means total loss of AC power upon accident initiation (1.9x10-6) and failure to recover within four hours (non-conservatively assumed equal to 0.08 from Section 4.2). This is equal to 1.5x10-7 Test and maintenance contribute the most to de-pendent failures of the four DC buses. NUREG-0666 assesses a value 5-25 0 0

of 6x10-5 unavailability because of test and maintenance for a two-train system. The Limerick system is a four-train system but it was not assessed whether failures of all four buses are involved in each and every core-damage accident sequence. Assuming a weak de-pendence among the trains, a failure probability of 1x10-7 was as-signed for loss of all DC power from causes other than total loss of AC power. Thus, the probability of this event was assessed at 2.5x10-7, c) Total failure of the service water system. This failure assumes failure of both normal and emergency service water. According to the LGS-PRA fault trees, the common cause failure of the three normal service water loops is 10 4 Common cause failure of all the loops of the emergency service water (dominated by maintenance errors) is assessed also at 10-4 Assuming a weak dependence between the two systems, the value of 5x10-7 was used for the failure of both sys-

. tems.

Tables 5.8-5.15 summarize the probabilities of all the " basic" events of i the core-damage fault trees used by BNL to calculate the core damage frequ-ency. They include both unavailabilities for frontline and support systems for the four transient, manual shutdown, and LOCA initiators. System de-signations are.similar to those used in the functional and core damage fault trees presented in Figures 5.4 to 5.15.

5.2.5 Revised Core Damage Frequency and Dominant Accident Sequences l

The effects of the various modifications on the frequency of each class j of accident sequences and for each initiator group are given in Tables 5.16 through 5.23. The total frequencies for each class of accident sequence and core damage are given in Table 5.24 and depicted in Figure 5.30.

In these tables Case 1 refers to the results in the LGS-PRA. Case 2 re-fers to the changes if the following are added to the analysis of Case 1: the support system dependences (see Section 5.2.1), the additional intrafunctional dependences (Section 5.2.2), the changes in the ATWS trees (Section 5.2.3),

and the modifications of the system unavailabilities and other event prob-l abilities. Finally, Case 3 refers to all changes mentioned above and in add-5-26

ition it employs the modified initiating event frequencies used by BNL.

The inclusion of the dependences introduced by the support systems and the other BNL modifications (Case 2) increased the core-damage frequency by a factor of 5 over Case 1. Finally, incorporation of the BNL initiator frequencies resulted in an increase of 25% over Case 2 or an overall increase by almost a factor of 7.

i

! The dominant sequences for Case 3 are given in iable 5.25. It is noteworthy that in the LGS-PRA fifteen sequences contribute 90% of the core-damage frequency, while in the BNL revision six sequences contribute the same percentage. Furthermore, in the BNL revision, the top 90% core-damage sequences are all Class I sequences and only sequences ranked eleventh and twelfth with combined contribution slightly over 1% of the total core-damage frequency are Class 11 sequences. The first five sequences in both assessments are the same with a slight difference in the order. In both assessments the first two sequences TpQUX and TE UV heavily dominate the core damage probability, contributing 68% and 64% in the BNL and LGS assessments, respectively. The next few sequences in both assessments contribute less than 10% and after the tenth sequence the relative contribution is less than 1%. The BNL assessment ranks the accident sequence l Tp 0W (loss of feedwater with loss of long-term containment heat removal capability) as the accident sequence with the seventh highest frequency owing l

to the significant dependence of the initiator and the availability of the FW/PCS systems (see Section 5.2.2.2). For the same reason the sequence j TpQUV is ranked ninth in the BNL revision while it is ranked fifteenth in

! the LGS-PRA. The accident sequences TT (DC) and TT (WSW) that involve the support system of the DC electric power (lost because of a total loss of AC f for more than four hours or other reasons) and of the service water, are also within the ten most dominant sequences in the BNL assessment. The dominant l

sequences for each of the four classes are given in Tables 5.26-5.29, respectively.

5.3 Uncertainty Assessment This section presents an assessment of the uncertainties about the frequ-ency of core damage. These uncertainties should be interpreted as being 5-27

introduced by uncertainties in the values of the various input parameters, given the modeling assumptions of the LGS-PRA as revised by BNL and described in the previous sections. They are not meant to include uncertainties introduced by initiators, failure modes, and other modeling assumptions considered outside the scope of the LGS-PRA.

This section is divided into Subsections 5.3.1 and 5.3.2, describing the approach of the LGS-PRA and the BNL reassessment, respectively. A more de-tailed description of the uncertainty analysis is given in Appendix SC.

5.3.1 Uncertainty Analysis in the LGS-PRA The LGS-PRA presents the uncertainties in the results in terms of the final consequences of potential accidents. An intermediate assessment of the uncertainties about the frequency of core damage is not provided. The quantification of the uncertainties is based on assessing the uncertainties of selected accident sequences, subjective assessments of other potential con-tributors to the risk, and subjective evaluation of consequence variations based on limited sensitivity analyses.

Uncertainties associated with the calculation of accident sequence probabilities can be evaluated by propagation of input uncertainties through each accident sequence, and combination of all accident sequences to determine the overall uncertainty range for each accident class.

I This process was simplified in the LGS-PRA analysis based on the fol-lowing arguments:

1. If there is a single dominant accident sequence in a class with probability much larger than the other sequences, then the un-certainties of this sequence characterize the uncertainties for the s entire accident class.

2. If all the accident sequences in a class have similar probabilities, and the uncertainty ranges associated with each are nearly the same, then this allows the use of the uncertainty range determined from the explicit calculation for one sequence to represent the range for the Boolean sum of the class.

1 l

5-28

The following assumptions (mainly from the RSS) were made in the quantification of the uncertainties for each accident sequence in the LGS-PRA.

1. Lognormal distributions for most hardware failures

2. Uncertainty factors of 3 for most hardware failures

3. Short term operability of equipment and allowable credit for operator action utilizing the operator action stress curve from RSS.

The following specific accident sequences were used in the LGS approach.

Class I - MSIV closure and loss-of-coolant injection (T QUX).

p Class II - Large LOCA initiator followed by a failure to provide adequate containment heat removal capability.

Classes III-IV - One sequence from Class IV, that of an ATWS coupled with continued operation of HPCI, was selected to represent the uncertainties in both Class III and Class IV.

The uncertainties assessed for each accident class were then combined with " subjectively assessed uncertainties about the consequences" to yield the final band of uncertainti_s presented at the LGS-PRA. Since intermediate re-sults for core-damage frequency (total or per class) are not presented, and, furthermore, details of the quantification of the uncertainties in the con-l sequence evaluation are not given, specific comments about the uncertainties in the core-Jamage frequency can not be made.

5.3.2. BNL Evaluation of Uncertainties in the Core-Damage Frequency l

Because of limitations in the BNL review of the LGS-PRA, a rigorous propagation of the uncertainties was not performed. Instead, a rather con-j servative approach for the assessment of the uncertainties in the frequency of l core damage was followed. The approach consisted of the following general steps.

1. The uncertainties in the initiating events, the frontline and the support systems were quantified by fitting lognormal distributions to evaluate uncertainty measures (mean and variance).

5-29

2. The uncertainties in each accident class were quantified, using the most important accident sequences in each class (contributing 99% of the class frequency) and the distributions assessed in step 1.

3. The uncertainties in the frequency of the total core damage were evaluated, using the most important accident sequences (contributing 99% of the core damage frequency) and the distributions assessed in step 1.

The main approximation of this approach lies in the evaluai. ion of the un- 1 certainties for the various systems. The procedure is further described in the remainder of this subsection.

, Initiating events: Frequency distributions were derived for each of the thirty-seven transient accident initiators using the methodology de-scribed in Section 4.1.

Error factors defined as the square root of the ratio between the 95% and the 5% percentiles of the distributions have been calculated. A lognormal distribution was fitted to the mean value and the assessed er-ror factors. Finally, the several initiators that form the turbine trip l

l and the MSIV groups were added by simply adding the means and the l variances. The results for each of the four transient and the manual shutdown initiator frequency distributions were again fitted to lognormal distributions. Table 5.30 gives the mean values and probability inter-l vals for the five initiators. Uncertainties in the LOCA initiators were not assessed since the corresponding accident sequences have a negligible contribution to each of the generic accident classes and to the total core-damage frequency.

Frontline and support systems: The uncertainties of the frontline system unavailabilites were quantified using the corresponding fault trees as modified by the BNL review.

e Lognormal distributions with error factors of 3 were assumed for most hardware failures.

i e Human error uncertainties were assessed based on the stress curves provided in Reference (3.1),

5-30

4 e First and second moments for the system unavailabilities were obtained by the approximations employed in the WAMCUT code. A lognormal dis-tribution was fitted to these two moments. If an error factor less than 3 was computed, the lognormal was modified to preserve the mean f and to have an error factor of 3.

For the support systems, lognormal distributions with error factors of 10 were assumed, owing to the larger uncertainties involved in determining the common cause failures.

^

Quantification of Class I and Class II uncertainties: For the quantification of the Class I and Class II uncertainties, the core-damage fault trees (CDFT, see Subsection 5.2.1.2.) developed for the turbine trip, the MSIV closure, the 10RV, the LOOP, and the manual shutdown initiators were used.

For each initiator, the accident sequences that contribute 99% to each class frequency were determined. The accident sequences for each class l were then inputed into the SAMPLE code (l), which provided the un-certainties for each class frequency. No uncertainty was assumed in the offsite power and diesel recovery probabilities used in the LOOP tree.

Table 5.31 gives means, medians, 5% and 95% probability intervals for the frequencies of Classes I and II.

Quantification of Class III and Class IV Uncertainties: In the quantification of ATWS sequence uncertainties, dominant (top 99%)

sequences were determined from the BNL modified ATWS event trees. The dominant sequences for each class were then input into the SAMPLE

, code.(1) i An error factor of 5 was used for the failure to scram probability dis-tribution according to the analysis in Reference (2).

The characteristics of the Class Ill and Class IV core-damage frequency distributions are given in Table 5.31. t i

5-31 t

Total core-damage uncertainty determination: The total core-damage frequency was obtained by combining the uncertainties in the accident sequences that contribute 99% to the core-damage frequency using the SAM-PLE code (see Appendix SC). The results for the final distribution are given in Table 5.30.

5.4 Importance Analysis The importance of the frontline systems, the support systems, and other significant events with respect to the frequency of core damage was calculated following the analysis outlined in Appendix 50. The BNL-revised estimation of the core-damage frequency was the basis for the calculation. The Fussel-Vesely importance measure (Ipy) for each system, initiator, and event is given in Table 5.32. The Fussel-Vesely importance measure is defined as the ratio of the frequency of all the accident sequences that include the particular system (event) over the frequency of core damage. For example, the importance measure for the high pressure coolant injection hardware (HPCIH) is 0.61 which means that the total frequency of the accident sequences that involve HPCIH failures is equal to 61% of the core damage frequency, or that if the HPCIH were perfect (never failed) the frequency of core damage would be reduced by 61%. In certain instances, the Fussel-Vesely importance measure is equal to the logarithmic derivative of the frequency of the core damage with respect to the system unavailability (or event probability). It thus gives the percentage change of the frequency of core damage per unit of percentage change in the unavailability of the system. In the case of the HPCI system, the importance measure is 0.61, hence, the core damage frequency will decrease by 6.1% if the HPCI unavailability is decreased by 10%. Caution should be exercised , however, in such interpretation of the importance measure since, in many cases, the unavailability of a system is not constant but accident-sequence dependent. In such cases the unavailability of the system must be changed by the same amount in all accident sequences in order for the importance measure to be equal to the logarithmic derivative.

The results of the importance analysis indicate that the most important systems are those involved with the high pressure injection function (see Table 5.32). The first-ranked system is the high pressure coolant injection 5-32

system. The second system is the reactor core isolation cooling system. The reason for the lower importance of RCIC is that it plays a lesser role in mitigating ATWS sequences (Class III) because of its smaller capacity. Third in the ranking is the failure of the operator to manually depressurize the reactor, following a failure of the high pressure injection systems (HPCI, RCIC or FWPCS). Fourth in the ranking is the loss of offsite power initiator. Fifth in the ranking is the feedwater and power conversion system. Although this system serves the same safety function as HPCI'and RCIC (i.e., high pressure injection), it ranks lower in importance because of its complete dependence on offsite electric power and its unavailability following transients that involve closure of the MSIVs. Sixth in the ranking is the loss of feedwater transient initiator. Seventh in the ranking comes the probability of a dependent failure of all diesel generators to start. Eighth in the ranking comes the turbine trip transient initiator. Following these eight systems / events are the rest of the important systems / events, but each of them has an importance measure of less than 10% (see Table 5.32). It is noteworthy that the low pressure coolant injection and core spray systems contribute very little to the frequency of core damage. This is because the low pressure injection function failure is dominated by the failure to depressurize the reactor rather than the low pressure hardware unavailability, which is very low anyway owing to the high degree of redundancy of these systems.

( 5.5 Impact of Two Design Modifications (COR and ATWS-3A) t This section presents the impact on the frequency of core damage, as well as on the risk, of two specific design modifications, namely, the containment overpressure relief system (COR) and the alternate 3A modification (ATWS-3A) to the ATWS prevention / mitigation system proposed by NRC staff in NUREG-0460.

The analysis in this section utilizes results of the BNL assessment of the containment response and the core meltdown modeling given in Sections 6 and 7,

respectively.

The reference LGS design upon which the PRA is based includes the ATWS-3A I modification but does not include the COR system. Therefore, the analysis of

! this section is aimed at assessing the impact on the core damage frequency and on other risk measures of two design modifications:

1) Removing the alternate 3A modification from the present design.

5-33

2) including a containment overpressure relief systen to the present de-sign.

These two cases are discussed in Subsections 5.5.1 and 5.5.2, respectively.

5.5.1 Impact of Alternate-3A Modification to the ATWS Prevention / Mitigation System The features of the present ATWS prevention / mitigation system of the LGS design that can be attributed to the ATWS-3A modification, and which are re-levant to the risk analysis, are the following:

1) The inclusion of an alternative rod insertion (ARI) capability, and

2) a three-pump, automatically initiated standby-liquid control (SLC) system, instead of a two-pump manually initiated SLC.

Removing the ATWS-3A modification is, therefore, equivalent to removing these two features mentioned above.

The removal of the ARI capability affects the ATWS transfer event trees (seeFigures 3.10, 3.12, 3.14, and 3.16). The change in the SLC system affects the ATWS event trees shown in Figures S.25 through 5.28. In this case, the failure of the SLC system is dominated by the failure of the operator to manually initiate the systen when required. The lower half of the event trees in Figures 5.25 through 5.28 was thus replaced by a single sequence involving the f ailure of the operator to initiate the SLC system. The probability of such an error was assessed to be equal to 0.10.

The effects of removing the ATWS-3A modification on the frequency of core damage are given in Table 5.33. As expected, only the Class Ill and Class IV accident f'requencies are affected, and they are increased by a factor of 11 and 2.5, respectively. The total frequency of core damage increases by 357.

The effects of the ATWS-3A elimination on the expected acute and latent fatalities are given in Tables 5.34 and 5.35, respectively. The expected acute fatalities (per year of reactor operation) increase by a factor of 2. The expected latent fatalities (per year of reactor operation) increase by a factor of 1.5.

5-34

5.5.2 Imp _act_of the Containment Overpressure Relief System The LGS-PRA and the BNL revision were performed under the assumptions that a containment overpressure relief (COR) system is not included in the design and that a containment failure will lead, with a probability of one, to loss-of-coolant makeup capability. The accident sequences that are affected by the COR system are those involving loss-of-containment heat removal. In these accident sequences the containment eventually fails from overpressurization, and it is then conservatively assumed that the long-term reactor coolant makeup capability is lost. In the presence of COR, however, containment heat removal is suc-cessful although the RHR and PCS systems are unavailable. The heat would be re-moved from containment by steam passing from the reactor vessel through the MSRVs, through the suppression pool, through the drywell, and directly out the COR to the atmosphere. The following types of accident sequences are af-fected by the presence of a COR system:

a) Anticipated transients for which the RHR and PCS are not available (TW).

b) ATWS sequences in which SLC and HPCI operate but the RHR and PCS are not available (ATWS-W).

c) ATWS sequences in which SLC fails, HPCI operates, and the RHR and PCS are not available (ATWS-C2 )-

d) ATWS sequences in which one pump of the SLC system is available HPCI operates, and RHR and PCS are not available (ATWS-Cl2)*

l For these sequences, core damage will not occur if coolant makeup is main-tained during the long-term overpressure relief of containment. To account for the effect of the COR system, the sequences that can be affected by its availability are Connected with a " bridge" event tree that delineates the var-( ious possibilities of COR operability. This technique was used in an earlier version of the LGS-PRA and is closely followed in the evaluations of this sub-section. The bridge tree is given in Figure 5.31, and its application to the various types of accident sequences is discussed in the following subsections.

l l

5-35

5.5.2.1 Bridge Tree for TW Sequences The following discussion of the bridge tree as applied to TW (Class II) sequences is provided to clarify the event descripticss (see Figure 5.31):

TW - Sequence: For the TW sequence to occur, an anticipated transient must occur and the RHR system and the power conversion system must be un-available.

Mode 1 - Failure of containment overpressure relief: This represents a failure to open the containment vent. Failure of COR is assumed to result in containment failure sequences as if the C0R were not present.

Mode 2 - Failure to maintain overpressure relief over the long term: The failure of any of the requirements of Mode 1 may result in closure of the COR valves. In addition, the C0R valves may be closed to prevent rapid blowdown, and then fail to reopen. This Mode 2 is similar to Mode 1 in its impact on the containment.

Mode 3 - Failure of coolant makeup to the reactor vessel: All sources of makeup water available to the operator must be lost for an event Mode 3 to occur.

l Mode 4 - Failure of COR valves to reclose: Once C0R has been initiated, there is a possibility that conditions in the core may deteriorate (i.e.,

j Mode 3) such that the COR valves should be reclosed to provide an intact containment. The failure to reclose the COR valves because of mechanical

! problems or human error is assessed in Mode 4.

l Mode 5 - Long term makeup fails and containment integrity fails: Mode 5 is a decision point used to define the possibility that following a loss of long-term coolant injection (Mode 3) with the containment at relatively l high pressure, the ensuing postulated core-damage RPV failure, molten core-concrete interaction, and containment heat load may all combine to lead to a containment failure prior to the radionuclide vaporization re-leases. This possibility is only considered for those sequences associated with high containment pressures prior to initiation of core damage and is assumed to lead to radionuclide releases comparable to that of Class IV.

6-36

Table 5.36 summarizes the effects of each of the bridge tree event sequences for the accident sequences processed by the bridge tree.

In summary, preserving containment integrity is important to the evalua-tion of the TW sequences. Preserving containment integrity through the incor-poration of a pressure relief function means that the only other function re-quired to maintain core coverage is makeup water.

5.5.2.2 Bridge Tree for ATWS-W Sequences The bridge event tree is also used for the ATWS sequences involving the inability to remove heat from containment. An ATWS plus loss of containment heat removal (W) does not necessarily lead to inadequate core cooling, since the inclusion of containment overpressure relief (COR) could provide a viable alternative to maintain containment integrity and remove heat from containment if both liquid poison and coolant injection fail. The important features of the ATWS-W bridge tree are the following:

Modes 1 and 2 - Containment overpressure relief: Failures coupled with success of coolant makeup to the reactor despite failure to maintain con-tainment pressure within design limits following an ATWS. This involves HPCI operating successfully beyond its normal limits. Failures of this type are considered to lead to containment failure prior to core melt (Class IV), so that the fission product releases to the drywell have an im-mediate and direct path outside containment. This type of failure is con-sidered similar to the TW sequences, except that there may be more heat stored in the fuel resulting in a more energetic release, melting may occur more quickly, and a larger radioactive source term may result.

Mode 3 and 1/3 - Makeup water to reactor: Failures leading to accident scenarios similar to Class 111 accidents; that is, the containment is at elevated pressure prior to the initiation of a degraded core condition, but maintains its integrity throughout the core damage and vaporization F phases.

Mode 3/4 - COR valves fail to reclose: Failures grouped under Class IV since they have ef fects similar to those noted above for Mode 1; that is, the containment is not intact when the postulated core melt occurs. The loss of containment integrity is due to the failure to isolate the COR sys-tem following initiation of core damage.

5-37

Mode 1/3/5 - Loss of containment integrity before core melt with loss of coolant in_jection: Failures similar to Mode 1 failures. Mode 5 implies that failure of coolant injection occurs but the core damage / core vaporiza-tion does not occur until af ter containment failure. This failure mode is assigned a low probability.

i in summary, the ATWS-W bridge tree displays the possible outcomes of an ATWS event followed by a failure to remove the heat from containment. The out-comes are classified as: (1) acceptable for the cases which involve successful COR; (2) Class III events; (3) Class IV events involving a containment which is not intact prior to core melt from relatively high power.

5.5.2.3 Bridge Tree for ATWS-C2 Sequences These sequences involve mismatch of containment heat removal and heat production following an ATWS with loss of all SLC poison injection (ATWS-C2 typesequences). This type of event is evaluated to have a low probability; however, the consequences may be very great. The key features of the ATWS-C2 bridge tree are as follows:

Mode 1 and Mode 2 - Failure of containment overpressure relief: The an-alysis is similar to that discussed before; however, from the nature of the accident it is assumed that there is a high probability of steam generation in excess of C0R capacity or that sufficient fuel failures may occur re-sulting in an automatic interlock preventing COR from operating. Because of these two factors, the probability of COR preserving the containment integrity, given ATWS-C2 accident sequences, is felt to be low.

, Mode 3 - Failure of makeup water to reactor: The design of Limerick includes specific features to shut off both high pressure safety systems (HPCI and RCIC) on high containment pressure. The shutoff is on high turbine exhaust pressure, and is included to protect the turbine. Since these features are included in the design, a high probability is assigned to the shutoff of the high pressure systems for this sequence. However, the interlock or trip can be bypassed, so it is assumed that the pos-sibility exists that the operator will ignore the interlock and restart HPCI.

l 5-38

i i

Mode 3/4 - COR valves fail to reclose: Given that COR has operated and that coolant makeup water is lost, the COR valves may also not reclose.

Mode 1/3/5 - Loss of containment integrity before core damage with loss of coolant injection: Because of the relatively rapid increase in reactor pressure associated with ATWS, and failure of the SLC, the containment pressure is expected to rise sharply. Following HPCI shutoff on high turbine exhaust pressure, the containment may fail because of high internal pressure.

5.5.2.4 Bridge Tree for ATWS-C12 Sequences When only one SLC pump is available for poison injection, the outcome of ATWS events may differ from the two-pump case, so these sequences have been treated separately to add specificity to the determination of ATWS events.

Mode 1 and Mode 2 - Failure of containment overpressure relief: The an-alysis is the same as discussed above; however, since some poison injection does occur, reactor subcriticality will take place in approximately 30 minutes. Therefore, the probability of success of COR and the failure modes are similar to those discussed under ATWS-W.

l 5.5.2.5 Calculated Reductions in the Frequency of Radioactive Releases Owing to the Inclusion of COR Table 5.37 excerpted from an early version of the LGS-PRA gives the values used for the reduction in the frequency of radioactive releases due to the use of COR.

Tables 5.38 to 5.40 summarize the processing of the applicable accident sequences through the bridge tree.

The effects of the inclusion of COR on the core-damage frequency are sum-marized in Table 5.41. Class I accident sequences are not affected in any significant way. Class Il sequences are reduced by the largest factor (42) be-cause these seq.uences are precluded by successful COR operation. Class III sequences are also slightly reduced but a portion of these Class III sequences i

5-39

have the potential for being transferred to Class IV sequences should the COR fail to close, given loss of long-term makeup to the reactor vessel. Note that should this failure to close the COR occur for Class 11 sequences, they are transferred to Class I but the resulting probability transferred is so small that it adds insignificantly to Class I sequences probability. The total frequency of core damage is reduced by 4%, from 1.0x10-4 to 9.8x10 5, The effect of the COR inclusion to the expected number of acute and latent deaths is given in Tables 5.42 and 5.43, respe~ctively. The expected acute fatalities increase by approximately 18% from 4.8x10-5 to 5.7x10-5 owing to the increase of the Class IV sequence frequency because of the possible COR failure to close following loss of long-term makeup to the reactor vessel. The expected latent fatalities decrease slightly (3%) frpm 1.8x10-1 to 1.7x10-1 owing to the decrease of the Class II accident frequency.

5.6 References to Section 5

1. Reactor Safety Study, "An Assessment of Accident Risks in U. S. Commercial .

Nuclear Power Plants," WASH-1400, NUREG/75-014, October 1975.

2. Apostolakis, G. et al., " Assessment of the frequency of failure to scram in LWRs," Nuclear Safety, Vol. 20, No. 6, Nov.-Dec. 1977.

5 40

10 APPR ATE FREQUENCY OF DEGRADED CORE CONDITION LIME RICK TOTAL 10- -

y 10 - ,.

8 b

5 e

h 10- -

E 10 -

I l

l l

l

-0 10 CLASSI CLASS 11 CLASS 111 CLASSIV LOSS OF LOSS OF HEAT ATWS ATWS NVErTORY AU IT Y MAKEUP FROM CONTAINMENT Figure 5.1. Sunmary of the accident sequence frequencies leading to degraded core conditions sunned over all accident sequences within a class.

5-41

! mummu ! > >

D a

4 0

h. < -

4 J

m I

u O

6 H h 4 W

.4 C 2

6 O

u.

O O g U

_ C f I f f b 4J T

O iO iO 7 i i 5 O O O

- e e - - - ,y O

U to

+>

C to C

e x > b

, p

i 2 b b w O M

s h.

L L H~ H

- m Z

W X >

H H N l U r F z -

5 e .-

b

-b -- - \ \ --

w .

t f f f l

I 0 0 N m m o a i e a o

o o o o 5-42

<~

-2 10-2 10 CLASSlit CLASS IV 10-3 -

10-3 _

10 10 10-5 -

10-5 -

TOTAL 10 -

10

" TOTAL

[ ,

b 10-7 10-I -

. . y : ; .. : . . .

, p

[

9 ,

- 10 10 2 TgICR T,# CN I 2 TT CC T Tp CM PW TpCW T TCM UH 't TT Cg PU Tp Cg PU g 2 i

T I'tPW 2 2 g 12 1j E g 2

Tp2Cg UUR TpCW 2 TECM UUR TT CM2 C C 2m T gCD Tp 2Cm u 2 M 12 T,# CMU T y RELATIVELY RAPID CORE MELT WITH INCIPIENT RELATIVELY RAPID CORE MELT WITH A CCNTAINMENT F AILURE FAILED CONTAINMENT Figure 5.3. Summary of dominant accident sequences presented by class.

U J

I b b v1 n A RCICH A HPClH i l r3 I /3 WSW ARC WSW ARC 88 88 Figure 5.4.

Functional fault tree for high pressure injection functions, l-l 5-44

-' --p.m,%-+* .o - ------e- - - - - , y- er -iy -em-r-w.,g- y-w y y-v-gry p --+---w--- -

ee e-+-r- --+--

i 9

/5 T

8888 i Q -

EAC + EDC + WSW + FWPCS i EAC - loss of offsite and onsite AC for more than two hours but less than four.

EDC - loss of all DC (loss of all AC for more than four hours or other failures in DC power supply system)

WSW - loss of service water FWPCS - hardware failure of the feedwater and PCS system Figure 5.5. Functional fault tree for the feedwater injection functions.

l 5-45

y q.

ADS T I ADSM EDC LKI JC,S y

EAC EDC WSW LPClH EAC EDC WSW LPC5H Figure 5.6. Functional fault tree for the low pressure injection functions.

l F

5-46

.-. .~. _ _ _ _ _ _ _

t 4

W l

n i

RHR QLT T

b b RHRH b b FWP I # l EDC REC 0v REC 0V EDC RECOV WSW RECOV RHRH - hardware failure of RHR system FWPCSL - hardware failure of feedwater and PCS system for long-term containment heat removal EAC - loss of onsite and offsite AC for more than two hours but less than four

! EDC - loss of all DC (loss of all AC for more than four hours or other failures in the DC power supply system)

WSW - loss of service water REC 0V - recovery of the support system l

Figure 5.7. Functional fault tree for the containment heat removal functions.

t I

5-47

e $@

s A $

A' $s@ _

e t r

o a

A'e i

t i

n e

i 4' e i t

p r

G ee r e n

i b

r u

t N

C I @ 9 A e f r

o e

e r

e T t T

t l

i u

G s a f

e e G $e d g

a m

a e

e m' G r

o C

r 4

e 8 5

e r

u rG g _

i _

F 1

\

G G cIQ

~

G 4 cI

$e @

i t

r.

o a

t i

_ n i

e

$ k l s

o r

u c

' V I

$G@ e S

M r

o f

e e

M C

F i

@ 8 t t

r T

I G e l f

u a

e&

e g

a G

e d C

m a

e r

o e' e e 9 e

5 e

r

_ u

- g

_ i

@e F

f L

' s ' ,

t s

0 ?s s

1 6

I 4

- s

- " 4 s

- 1 9

6 sf i o

g n

n I e 4st

- p o

n e

_ st i d

a n

r e

v r

_. o f

- I 2 l e

C e

- r t

_ t) l y uT a(

M C

I 8

5 6

6 f df ev gl aa mv a

e Tg 2

G I I 6 ei rl oe Cr e

'I 0 1 -

I l 3 l 5 8

C e

r u

- g i

F A

5 6 -

1 -

'C g

' , 1

! i i' , ' I. l

TE CD T i '

i ,

ClassI Class 2 l --

l Phasei Phase 2 Phase 3 Class /h T

n . ,

4

__ __ OFFSITE OFFSRE AVAIL. NOT AMIL.

b UI b U2 I\

m L

U3 ID m.

A

@4 @4 G eQGo@@@@Q RHRH RHRH

! Figure 5.11. Time-phased core-damage fault tree for loss of offsit'e power i initiator.

t 9

Phase I (O< ts 1/2 hr) Phase 2 (8/ 2 <ts2hr) Phase 5 (2<ts4hr)

Ul d U2 -b U3 d g AUH h

~% T i No I'R9 UH T-UH

RCICH HPCIH b I T T 7

& No N

offsite onsite T

^ ^

T

D D 131 132 r-Figure 5.11. (cont'd) Fault trees for high pressure injection funciton for the three time phases, s

Phase l Phase 2 Phase 3 VI d V2 d V3 d A A A

@ 8 C 8

@- Q -

e^@

A A

eene 4 r

4 86@6@ '

g g

@5@6@@@g@@g Figure 5.11. (cont'd) F uit es or low pressure injection function for the

Notes on Figure 5.11 HPCIH= Hardware failure of high pressure coolant injection system RCICH= Hardware failure of reactor core isolation cooling system X= Rapid manual depressurization VH= Hardware failure of either low pressure injection system of low pres-sure core spray system .

L1= Probability of not recovering offsite power in 1/2 hour

, L2= Probability of not recovering offsite power in 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , gjven_ it was not recovered in 1/2 hour L3= Probability of not recovering offsite power in 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months , given it was not recovered in 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months L4= Probability of not recovering offsite power in 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months , given it was not recovered in 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months CD= Common cause failure to start of all four diesels D1= Diesels not recovered in 1/2 hour, given common cause failure D2= Diesels not recovered in 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , given D1 D3= Diesels not recovered in 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months , given D2 D131= Independent failures of Divisions 1 and 3 diesels and not recovered in 1/2 hour D132= Divisions 1 and 3 diesels not recovered in 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , given D131

D133= Divisions 1 and 3 diesels not recovered in 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months , given D 132 D241, U242, D243= Similar to D131, D132, D133 for Divisions 2 and 4 l

5-54 I

l

TNCM b

si I

A IM 62 l

I Q a T

65 G4 i I G7 T

l

V X G8 69 l I j

u U Figure 5.12.

Core-damage fault tree for manual shutdown initi.ator.

5-55 n

i ?

'LOCA A

A e

-s C3 C2 C4 G2 G3 C T T E I Cl J 4

I Figure 5.13. CDFT for large LOCA initiator.

5-56

^

6 AI 6 6 I

$ 6 O A

C I

AI I 6L i d

u e

m e

m 6 6f T F

r o

D C

g 4

1 S .

5 e

r u

g i

6 F

$ 6 I

e e w

st 6

si i

st 62 T

cl 63 b

64 I

' Cl 65 T

A

@@ # A*

L QG@e Figure 5.15. CDFT for small LOCA initiator.

i l

5-58

..o.- . - - - 9. -... _

l Figures 5.16, 5.17, 5.18 and 5.19 have been deleted.

(Contain General Electric Proprietary Information) i l

k l

Pages 5-59 through 5-63 f

l * -

RHR AND GENERALIZED TURBIN E REACTOR S/R S/R COND/FW HPCl TIMELY LP RHRSW TRIP VALVES VALVES CLASS OF SUSCRITICAL AND PCS OR RCIC ADS ECCS OR PCS SEQUENCE TR ANSIENT OPEN RECLOSE AVAILABLE AVAILASLE ACTUATED AVAILABLE POSTULATED AVAILABLE DESIGNATOR DEGRADED CORE TT C M P Q U X V W CONDITION T'7 -

T TQ* -

4 /=1166 CLAs$r Y o t to 'O TTU*l0I DA'I T' clan TL 4 3 AItf I TTOU * -

TTOUW(3) CLASSII TT OUV CLASSl TTOUX CLASS I T T"* ~

T TPW(P) CLASSli m TTPQ* -

ef 9.9X104 7 powgpo)

T TTPOU*

N@D T7 cresz. (.o tro-9 T TPOUWlPO) CLASS 11 TTPCUV CLASS 1 TTPOUX CLASSI T T MI TT C**

NOT CORE MELT SEQUENCE NOTE: THIS FIGURE INCLUDES MANUAL SHUTDOWNS FOR THE PURPOSE OF CAWWING THE DEMANDS ON LONSTERM QNTAINMENT

- ATWS INITIATORS ARE TREATED IN A SEPARATE EVENT TREt:

HEAT REMOVAL CNLY t TRANSFER TO LARGE LOC'A EVENT TREE Figure 5.20. Turbine trip transient event tree.

1 _

t i

I MStV RHR AND GENERALIZED CLOSURE REACTOR S/R S/R CO ND/FW '" HPCI TIMELY LP RHRSW

' CLASS OF AND LOSS OF VALVES VALVES AND PCS OR RCIC ADS ECCS OR PCS SUBCRITICAL SEQUENCE POSTULATED FEEDWATER OPEN RECLOSE AVAILABLE AVAILABLE ACTUATED AVAILABLE AVAILABLE DEGRADED DESIGNATOR Tp CORE C M P O U x V W CONDITION T'p T p O' -

SSX M T FOW(Q) D C3^381 11 gg ggl Tp OU' -

T pOUW(0) CLASSH Tp OUV CLASSI TpOUX CLASSI T pF* -

T pFW(P) .CLASSX i T,Po* -

$ Mtidf' T pPOW (Pol TM b C T p PQu' -

T pPOUWlPO) CLASSH TpPOUV CLASSI T pFOUX CLASSI TMI p

Tp C"

NOT CORE MELT SEQUENCE

" IATWS INITIATORS ARE TREATED IN A SEPARATE EVENT TREE "' FEEDWATER 18 FOUND TO BE RECOVERA8LE IN 9M OF THE LOSS OF TRANSFER TO LARGE LOCA EVENT TREE FEEDWATER ACCIDENTS AND 70% OF THE MSIV CLOSURE INCIDENTS.

I l

Figure 5.21. MSIV Closure / loss of feedwater/ loss of main Condenser transient event tree.

LOW RHR AND GENERALIZED TIMELY HPCI TIMELY PRESSURE RHRSW CLASSOF lORV SCRAM EAMOR OR RCIC ADS TR ANSIENT SU8 CRITICAL ECCS OR PCS SEQUENCE POSTULATED INITIATION AVAILABLE ACTUATION AVAILABLE AVAILABLE DESIGNATOR DEGRADED CORE Tg C',C** C U X V W CONDITION T' * -

~T g,4 g TWg Ta 7,

, au t m_g etAu E IssaO T,u' -

T g uW CLASSil T,UV CLASSI T,UX CLAS$8 T,C'*

T , C'*

m 3.6X16N T gCw(C*) 10 M CLAUI AMO g m CLACS X Fev.lo T gC* U * -

T gC*UWIC1 CLASSil T gC*UV CLASSI T ,C*UX CLASSI T gC*C*

T gC"* * *

NOT CORE MELT SEQUENCE

" ATWS INITIATORS ARE TREATED IN A SEPARATE EVENT TREE

" MANUAL SCRAM TOO LATE TO PREVENT A CHALLENGE TO THE CONTAINMENT SIMILAR TO A CLASS IV EVENT Figure 5.22. Inadvertent Open safety relief valve transient event tree.

i

TT LPCI CS PCS RHR V W O.64 OK 03 OK

-7 0.3G 3.6 x 10 0.36 8 CM-II l.2 x 16

@ 0.64 0.997 0K 5

0.64 0.75 0K O.36 0.36 8 CM-H 3.5 x 16 2.6X.1d

CM-I 7Xld' Figure 5.23. Turbine trip event tree depicting the U-W dependence, i

e

/ A' betatt 3Q y easA sesA Qm UA EsA Recirc.

. Puer' l

3 e2 l See O. i

.*61 ]n l Detail N ,:, LO si,A 1 :

5 e LO es,A i

to M l

t & A

' i

" ~

-- - 'E'M ,,,g n

Suppression -

Pool l _

estA]{ , ,

g g I **eA g g ,,

ess Q M ataA e,,

lCA

"'o j

t g g8e... 'g gt e..

[ e.,A

...A

' flHA Pump -

h

,e.A h H esiC 1hA l ~ RHR Pumps i

To LC LC fMR Pump esi8 es,A _3

,,, ,,,g . .. A]

hQ

~ ~

To/From ***A[.

RHR HX 3 To ICIC From e 77. essa]g

,,HPCI From RHR HI J s

Figure 5.24. Residual heat removal system (Loop A shown, Loop B is identical).

l l

i 5-68

PotSON INJECT K)N CCOLANT l' EJECT 10N INADVER TENT OPER ATION HE AT REuOVAL g,gg CONTROL ROOS ADEO SAFETY AOS NOT Fw On HPCS APPROXIMATE CLASEOF TM OR IN RT R L RECLOSE O RCIC m SEOut8eCE DE ADED g Auf af CO TsN 5 E EL( R I" 8CALLY TO RUN CORE PUMPS REACTOR YE AR)

Tg'C *T T'C,a C t2 C2 uS P@ u u, o Ug W, l

w t2 TC. On -

2 s to T,'e,v, t,+ u d ct ,y 2 . .-3 Ty 'C D N CLAssav l.14IO TT'Co u Ost .

T C,W2 CLASEtv I I Ql TT'Cu uw,, j ct,,, ,,

,,-s T,'c.uu,, NEGuG LE CtA ,v 7xto'8 .ou TT'Cu vo Xtd'8 et,,, ,y atS T,'c uu, t. P.pd'1 et,,, ,,

l o.ot T,'C Pw, 6.6X s01 CLAssen 2 ,,,-4 i TT'Cu'un t.5%so class iv 0.* 2.,o-3 TT'Cu 'O l.5%IN . class av ci

.fl5 7 $7Ad b 10'8 T,'C ,Pu 7.5 00 4

CLASS see ct,,, ,y T,'C,w 7,'C c,, Ox -

2 s 10*d 7.M XIO Y UO M 12U N NEGLIGOOLE CLAsstv 2 m 10-3 [.7 % Npf0 TT'C C,,D class v ells 7 TT'Cu C 1.I g 30-6 iru class ne l

TT 'C Cl2P OK -

n b O' EM 'N M 2 D 210-4 CLAsssv T OCM 12N H NEGLIG88LE 0.9 2 a 10-1 i.q xto d et,,, ,,

TT'Cu C,,Po ger,N .lf 57 T,'C,C,,m le2%10 class en to- 8 M CLAssev T,'C,C i2 NEGuGeoLE 04 TT'C=C 2 l.6 Xtd'7 Cuss en Figure 5.25.

Event tree diagram of postulated ATWS accident sequences following a turbine trip initiator.

POISON BNJECTION COOLANT SNJf CTION INADYEXTENT OPEIATION HEAT RE MOVAL CONTROL ROD $ TwO OR gg ADEO SAFETY y,gg AD$NOT Fw OR HPC8 AMontM Af t F AIL TO THREE PRES $URE VALVES ONE c

gtg ACTUATED DOES NOT SOTH

NSE R T SLC CONTROL RECLOSE O,,R RCIC AUTOMAT CONTINUg RHR$ RHR SEQUENCE PRosASILIT,Y g g yg( (pg POSTULATED PUMP OEGRADEO PUMPS 6CALLY TO RUN REACTOR CORE I, C, . T,2 C, u C 12 C 2 ,@ p@ U UR O Uw "2 "t2 CONDaTsONS T, Cu OK -

ut i t'Cu"2 0" -

tom T,c,w,, g,6 w'7 class ue i

2.to-* 7,c u, 3,3jvoi cLAssav

=to-3 Y,coo 33 X t04 class ev T,c u On -

oat f *M ~

I* 7,c,Uw,, [ 6 xso-8 ct Ass ui to-*

7,c uu, NEGuGieLE cuss iv

.115 7 ,ots 7,c uo 4e sso-* cuss iv c.25 7,c uu, 57967 cuss in 7,C ,P OK -

7,C ,7w2 t.6 (f I class in 2m10-4 T,C ,PUg $fD CLAssiv o.i 2=10-3 f ac,Po 4 S&Wo CLA85

.115 7 f T,c ,Pu smed etAss ue

,,-4 N 7,c une O 2.1 %10'I cLAssev 7,C ,Ct2 OK -

7,c c,,w, _9 class ue

'm i T,c c.,w,, 2.2VJo cuss in 2.cs.io-5 '*

""*'2" "EcuGieLE cuss iv 2 to-* T,c ,c,,o gir U ctAss iv el!57 T,c,c,,u pa-1 cuse n,

, 7,c ,c,,P On -

i a' T,c c ,Pw2 25p* cta55 "'

2 m to 7,C Cg l2 PuH NEGuGISLE class IV o., 2 = co-k T,c,c,,Po 5.3 EM class av y -) sh57 7,c ci Pu 33gggM cuss ne so-*

7,c c ,8 NE GuGestE ctAss iv oJo T,C ,C, g g4 CLAS$ n8 Figure 5.26.

Event tree diagram of postulated ATWS accident sequences following an MSIV closure initiator.

. . _ .. ._. . . .-- . . . _ , . , _ , . . . . _ _ . . . . _ _ . - . ._ . - ~ _

POESON INJE CTION COOLANT INJECTION INADVERTENT OPERATION ME AT REtsOVAL gg,qg CONTROL ROOS TwO OR ADEO SAFETY gg, AD$NOT Fw OR MPCI APPROxlMATE CLASSOP THREE ONE PRE SSURE VALVES ACTUATED DOfSNOT DOTH ONE PROsAssuTV 80sTULATED F AIL TO CONTROL O,,R RCIC AUTOM AT - CONTINUE RMRS RHR SEQUENCE LEVELlPER DEGRADED tesstRT SLC RECLOSE PUMPg 3 Catty TO RUN RfACTOR CORE I 3 C, C2 g Un o Ug =2 "t2 Yg CM+Tg CK g g M41 P (3)

Yg3C y osc -

0.48 g M"2 M ~

10.71 y3 g CM"12 3W CL ASS HB 2.to-* y,3C ,ug QM #

mW 2 e 10 y CD 2 g 1,7 X 10A CLAssiv T3 g U OK -

3 0.14 3 TgCW g 2

~

'*" T,3C ,Uw,, t.1)co'8 class m 10 4 T,3C,UU,, NEcuoieLE Cuss ev 0.14 *0lf T3g J,7 X10~T CLAssiv UD 0.5 3 Tg CM UU n Ie! M CLASEtti

, Tg3CP g OK -

l 0.14 yg 2 g C P"2 10 10-8 CLAsssu 2 m td g gC2 g PU g NEGUGetLE CLASSfV 2 = 10 4 0.3 T g 8C,PD 3.0 M CLAssiv us o.4 y,2gru 2M Al0 CLASBHt 80** 3 '

Tg M C" t' I

Yg CC g t2 OaC -

and i TE 'C,C,,w, OK -

i""

T,8C ,C,,w , 2.7 xi0

C'*88

ggf 3 " '" 8 Y g C,C,, u,, NeoucesLE CLAssiv 2 m to 3 D y gCC g l2 [h(30 CLASSIV 015 T,3CC O 4.3 XIO CLASE lli g l2 j g Tg3CC g 12P OK -

' "'" TE'CM C12Pa 4.3 or CtAssiv TE CM C12N H NEGUOteLE CLASS IV YgICC g 12 PD mgquggggg 'CLA984v 1 0'T TE 'CMC,,PU 55 (l0" class us 10-4 Tg 3CCg 12M NEGUGISLE CLASE8V o.85 'E*C=h il X.80 C'a "'

4 Figure 5.27. Event tree diagram of postulated ATWS accident sequences following

! a loss-of-offsite-power initiator.

80t:04 INJECTION COOLANT INJECTION INADVERTENT OPEAATION HEA7 AEMOVJ,L CONTROL RODS TWO OR ogg ADEO FETY FW OR W AMONATE HPCI C F AIL TO THREE SLC ES$URE ATEO W SNOT WM N I VALVES OR RCIC M T U TED INSERT SLC pyu, CONTROL RECLosE AUTOMAT. CONTINUE RHR$ RHR SEOUENCE LE VE L (PER PimePs FW DEGRADED 8CALLY TO RUN REACTOR CORE T,"CE K + T,*C, C l2 C2 W$ P@ u UR D Up W3 W gy 7,8C , OK -

0.01 [ 8 M 2 OK -

smo y g e gg g,y g,g ggi CLAs3 HI 2 504 y,4C,U,, 3,6Yt#8 Ct Ass ev N

T,"C,o 36M class iv I

Tg *C,U 2Axlf CLassen

, T, C,P OK -

I E' T,"C,8W2 O A Id class av 2 m te d

ui y,4C PU, 40Y'N class sv o., 2 110'3 4,0$8#

M o. i+

T,*C,Po CLAsssv N y,"c ,,u 32Xld class us to-* 44 T,"c,u 2.3 itso CLAssiv 155 M0" o.1 gc,, 2,6 mr1 com us Figure 5.28.

Event tree diagram of postulated ATWS accident sequences following an 10RV initiator.

t i

_ . _ _ _ _ _ _ _ _ m_. __ _ ___ _

l.O x 10-4 8.Oxfo-5 r

u

-5 2.4x 10

-5 l.5 x 10 CASEI CASE 2 CASE 3 CASE 4 Figure 5.29. Total core-damage frequency for the four cases.

BNL TOTAL

+4 10 W A SH- 1400 DEGRA D CO CONOITION LIMERICK TOTAL 16' -

I li<

W 5 16 ' - --

5 ram

=

.E gla' E

la- -

t l !

,6* \

CLASSI CLASS 11 CLASS 111 CLASSIV LOSS OF LOSS OF HEAT ATWS ATWS COOLANT REMOVAL R PABILI Y (CONTAINMENT FAILS

[VE" gEUP w MENT PRIOR TO CORE MELT)

I Figure 5.30. Summary of the accident sequence frequencies leading to degraded core conditions summed over all accident sequences within a class.

5-74 1

r___.___ __ __ _ _ _ . _

Containment Containment Containment Long Term Containment Pressure Loss of Over- Ove r- Makeup Over- Below Generalized Heat Pressure Pressure Water To Pressure Ultimate Sequen(.e Class of Removal Relief Relief Reactor Relief Following Designator Postulated -

Containment Initiated Controlled Cont. Failure Closed Vaporization Core Melt Initiator Mode 1 Mode 2* Mode 3 Mode 4 Mode 5 OK --

Mode 3 Class III Mode 3/5 Class IV Mode 3/4 Class IV Mode 2* Class IV

Mode 2/3 Class III w

Mode 2/3/5 Class IV Mode 1** Class IV Moae 1/3 Class !!!

Mode 1/3/5 Class IV Mode 2 is equivalent to Mode 1 in its impact on the containment.

The assumption used in the lgs and BNL Analysis is that containment failure leads to loss of long tenn coolant injection with a probability of one.

Figure 5.31. Bridge event tree providing the link between postulated transient and LOCA accident sequences which may result in containment overpressure and the containment event sequences following core melt-1 h

Table 5.1 Ranking of Limerick Core Damage Accident Sequences Accident Frequjncy % of Accident (yr, ) Frequjncy Sequence Total Sequence (yr, )

1)TUV E C1 5.97x10-6 40% 28) TguV 2.6x10-8 2)TpQUX C1 3.63x10-6 24% 29) T EgC uuR 2.43x10 8

3) T QUX T C1 7.73x10-7 5% 30) T PW E 2.39x10-8

4) T EUX C1 6.9x10-7 4% 31) T CpgPW2 2.08x10 8

5) TguX C1 6.80x10-7 4% 32) TpCC g2 2.02x10-8

6) T PWT C2 3.87x10-7 2% 33) S 2VX 1.6x10 8

7) TT CgPUI C3 2.70x10-7 I 2% 34) Tp CgUW12

8) T pg C UU R ' C3 2.36x10-7 2% 35)SgQUV 1.08x10 8 9)TgQUX C1 2.20x10-7 1% 36) T gQUV 8.44x10-9

10) TpCgW12 C4 1.85x10-7 1% 37) T PQW 7.85x10-9 T

11) TpCgPU C3 1.64x10-7 1% 38) T PQUX 7.81x10-9 T

12) T QWp C2 1.55x10-7 1% 39) T g ICgPU 7.08x10-9

13) T C WE g 12 C4 1.43x10-7 1% 40)TPUXE 6.8x10-9

14) TgCUX C1 1.40x10-7 1% 41) T EgC PU 6.78x10-9 15)TpQUV C1 1.40x10-7 1% 42) T C UTgH 6.64x10-9

_____..____.....-90%

16) Tp PW C2 1.40x10-7 43) T TgCD 6.64x10-9

17) T C ctg 2 1.01x10-7 44) TgCgPW2 18)TgW 6.83x10-8 45) TgCW g 12 5.67x10-9

19) AJ 6.40x10-8 46) T CUW g 5.59x10-9

20) Tg gCU 6.37x10-8 I 47)TE CgPU 21)TPUV E 5.97x10 8 48) T CUV g 5.38x10-9

22) Tg CW I 5.04x10-8 49)AC 4.0x10-9 23)TpPQW 3.69x10-8 50) Ty lC gUg

24) Tp QUXP 3.47x10-8 l

51) Ty CgD 3.74x10-9 l 25) T EW 3.51x10-8 52) T Tg CM 3.69x10-9 26)TT CgPWI 3.42x10-8 2 53) T QW T

27) T QUV T 2.97x10-8 54) Tg CI Cg2 2.42x10-9 l

l 5 75

Table 5.2 Frontline Systems and Support Systems FRONTLINE SUPPORT-SYSTEM DEPENDENCE SYSTEM SERVICE WATER DC POWER AC POWER ADS EDC125A EDC125B*

EDC125C*

EDC125D Feedwater WSWA EDC125A EOSP WSWB EDC125B EDC125C LPCI WSWA EDC125A EAC440A EACA WSWB EDC125B EAC440A EACB EDC125C EAC440C EACC EDC1250 EAC440D EACD LPCS WSWA EDC125A EAC440A EACA EDC125B EAC440B EACB EDC125C EAC440C EACC EDC125D EAC4400 EACD RHR WSWA EDC125A EAC440A EACA WSWA EDC125B EAC440B EACB EDC125C EAC440C EACC EDC125D EAC4400 EACD HPCI WSWC EDC125B EAC440B EDC125D RCIC WSWA EDC125A EAC440A SLC EDC125A EAC440A i EDC125B EAC440B EAC440C hSW = normal and emergency service water 4 EDC125 = loss of 125-V DC supply i EAC440 =. loss of 440-V AC power EOSP = loss of offsite AC power EAC = loss of the 4-V AC power The last letter of these symbols indentifies the particular train.

For auto initiation only, i

5-77

Table 5.3 Feedwater Transient CDFT Cutsets without

Support Systems Probability- Cutset (Accident Sequence)

-6 3.7x10 -

TF Q U X 1.6x10-7 TF Q -U -P .WUBPB 1.4x10-7 TF- Q U V

-1.4x10-7 TF -Q .P WQB

3.7x10'8 TF Q -U P WUBP 6.5x10-10 TF Q U -X -V -P WUBP 1.6x10-10 TF Q U -X -V P WUP 1

1 1

I 1

l-5-78

Table 5.4 Feedwater Transient CDFT Cutsets Probability Cutset

-1. 3.66E-06 TF FWPCS HPCIH RCICH X

2. 4.45E-07 TF EDC

3. 1.36E-07 TF -EAC -EDC -WSW FWRCS -RCICH FWPCSL RHRHU.BPB -P

4. 1.36E-07 TF -EAC -EDC -W SW FWPCS -HPCIH FWPCSL RHRHUBPB -P

5. 1.36E-07 TF FWPCS HPCIH RCICH ADSH

6. 1.34E-07 TF WSW ARC

7. 1.34E-07 TF EAC ARC

8. 1.32E-07 TF -EAC -EDC -WSW -FWPCS RHRHQB P

9. 1.18E-07 TF -EAC -EDC WSW -HPCIH -ARC RECOV

-p

10. 1.18E-07 TF -EAC -EDC WSW -RCICH -ARC REC 0V

-P

11. 1.15E-07 TF -EAC -EDC FWPCS -HPCIH -ARC FWPCSL RHRHUBPB -P

12. 1.15E-07 TF -EAC -EDC FWPCS -RCICH -ARC FWPCSL RHRHUBPB -P

13. 3.26E-08 TF -EAC -E DC -W SW FWPCS -RCICH RHRHUE P

14. 3.26E-08 TF -EAC -E DC -W S1 FWPCS -HPCIH RHRHUE P

15. 2.77E-08 TF -EAC -EDC FWPCS -HPCIH -ARC RHRHUE P

-RCICH -ARC RHRHUE

16. 2.77E-08 TF -EAC -EDC FWPCS P

17. 8. 57E-09 TF FWPCS HPCIH RCICH LPCIH LPCSH

18. 4.36E-09 TF WSW HPCIH RCICH

-ARC RECOV

19. 1.20E-09 TF -EAC -EDC WSW -RCICH P

-HPCIH -ARC RECOV

20. 1.20E-09 TF -EAC -EDC WSW P

HPCIH RCICH

21. 6.06E-10 TF -EAC -EDC -W SW FWPCS

-ADSH -LPCIH FWPCSL RHRHUPB -X -P HPCIH RCICH

22. 6.06E-10 TF -EAC -EDC -WSW FWPCS

-ADSH -LPC5H FWPCSL RHRHUPB -X -P 5-79

Table 5.5 Core-Damage Frequencies Including the Effect of ;

Support System Dependences l 2

Cy CII CIII Cry TT 4.11x10-6 4.68x10 !

Tp 5.28x10-6 4.98x10-7 TI 9.09x10-7 2.37x10 7 Tg 3.04x10-6 3.42x10-8 TE 6.90x10-6 3.25x10 8 A 3.20x10-8 3.2x10-9 4x10-9 Si 1.47x10-8 1.11x10-9 S2 1.76x10-8 2.27x10-9 1

l l

l

{

5-80

Table 5.6 System Unavailabilities Used in the Limerick PRA, the BNL Revisions, and the Reactor Safety Study (RSS)

Limeri ck RSS BNL

1. Feedwater (FW) 7.4x10-4 ----

7.5x10-4

2. High pressure coolant injection (HPCI) 7.0x10-2 9.8x10-2 1.2x10-1

3. Reactor core isolation cooling (RCIC) 7.0x10-2 8.0x10-2 7.0x10-2

4. Automatic depressurization (ADS) 7.5x10-5 5.0x10-3 1.8x10-4

5. Low pressure coolant injection (LPCI) 1.8x10-3 1.5x10-2 1.8x10-3

6. Low pressure core spray (LPCS) 2.6x10-3 9.5x10-4 2.6x10-3

7. Residual heat removal (RHR) 9.9x10-6 ----

9.9x10-6

8. Standby liquid control (SLC) 9.0x10-4 ----

2.1x10-3

9. Electric power system (EP) *

10. Service water (SW) *

See Table 5.7.

i l

- . .. ~

Table 5.7'SupportSystem-UnavailabilitiesUsed"inBNLR5 visions i

Systems Unavailabilities

Total loss of AC power for more than two hours

But less than four following an initiator 5x10-7 Total loss of AC power for more than four hours or total loss of DC power 2.5x10-7 l ' Total loss of service water 5x10-7 o

i i

i l

l l

ti 5-82 l . . . . - - - ...----

Table 5.8 " Basic" Event Probabilites for Turbine Trip Core-Damage Fault Tree _

First Moment of Number Name Unavailability 1 TT 8.17E+00 2 EAC 5.00E-07 3 EDC 2.50E-07 4 WSW 5.00E-07 5 FWPCS 2.00E-02 6 HPCIH 1.16E-01 7 RCICH 7.00E-02 8 ADSH 1.76E-04 9 ARC 1.50E-01 10 LPCIH 1.80E-03 11 LPCSH 2.60E-03 4

12 REC 0V 1.70E-01 13 FWPCSL 6.00E-02 14 RHRHUBPB 9.39E-06 I

15 RHRHUPB 7.99E-06 16 RHRHQB 9.39E-06 17 RHRHUBP 9.39E-06 18 RHRHUP 7.99E-06 19 X 6.00E-03 20 P 1.00E-02 i

5-83 I _-..

l Table 5.9 " Basic" Event Probabilities for Feedwater Core-Damage Fault Tree First Moment of Number Name. Unavailability _

1 TF 1.23E+00 2 EAC 5.00E-07 3 EDC 2.50E-07 4 WSW 5.00E-07 5 FWPCS 6.10E-01 6 HPCIH 1.16E-01 7 RCICH 7.00E-02 8 ADSH 1.76E-04 9 ARC 1.50E-01 10 LPCIH 1.80E-03 11 LPCSH 2.60E-03 12 REC 0V 1.70E-01 13 FWPCSL 1.90E-01 14 RHRHUBPB 9.39E-06 15 RHRHUPB 7.99E-06 16 RHRHQB 9.39E-06 17 RHRHUBP 9.39E-06 18 RHRHUP 7.99E-06 19 X 6.00E-03 20 P 1.00E-02 5-84

Table 5.10 " Basic" Event Probabilities for Loop Core-Damage Fault Tree

, First Homent of Number Name Unavailability 1 TE 1.70E-01 2 PCSH 4.80E-03 3 RHRH 4.50E-05 4 X 6.00E-03 5 VH 7.70E-05 6 L1 5.40E-01 7 CD 1.88E-03 8 D1 9.50E-01 9 L4 4.10E-01 10 D131 3.80E-03 11 D241 3.80E-03 12 UH 8.10E-03 12 ARC 1.50E-01 14 L2 4.60E-01 15 D2 6.95E-0'1 16 0132 6.95E-01 17 D242 6.95E-01 18 L3 6.80E-01 19 D3 7.12E-01 20 D133 7.12E-01 21 D243 7.12E-01 i

5-85 i

~

Table 5.11 " Basic" Event Probabilities for 10RV Core-Damage Fault Tree First Moment of Number Name Unavailability 1 TI 2.50E-01 2 CP 1.00E-02 3 X 6.00E-03 4 EAC 5.00E-07 5 EDC 2.50E-07 6 WSW 5.00E-07 7 ARC 1.50E-01 8 RCICH 3.16E-01 9 HPCIH- 3.16E-01 10 ADSH 1.76E-04 11 LPCIH 1.80E-03 12 LPCSH 2.60E-03 13 RCICHCPB 7.00E-02 14 HPCIHCPB 1.16E-01 15 RHRHCP 1.60E-04 16 REC 0V 1.70E-01 17 FWPCSCP 5.00E-01 18 RHRHUBCP 1.60E-04 19 FWPCSUSCP 5.00E-01 20 RHRHUCPB 7.99E-06 21 FWPCSUCPB 1.00E-01 22 RHRHUBCB 9.39E-06 23 FWPSUBCB 1.00E-01 1

5-86 L __ __ n

Table 5.12 " Basic" Event Probabilities for Manual Shutdown Core-Damage Fault Tree First Moment of Number Name Unavailability 1 TM 3.20E+00 2 X 2.00E-03

3 FWPCSU 7.10E-02 4 RHRHUB 9.90E-06 I

5 FWPCSUB 7.10E-02 6 FWPCS 7.00E-03 7 LPCIH 1.80E-03 8 LPCSH 2.60E-03 9 RCICH 7.00E-02 10 HPCIH 1.16E-01 11 RHRHU 8.50E-06 12 ADSH 1.76E-04 l

r l

i 5-87

Table 5.13 " Basic" Event Probabilities for Large LOCA Core-Damage Fault Tree First Moment of Number Name Unavailability __

! 1 C 1.00E-05 2 EAC 5.00E-07 3 EDC 2.50E-07

, 4 WSW 5.00E-07

! 5 LPCIH 1.80E-03 6 LPCIHL 1.80E-03 7 LPCSH 2.60E '

8 LPCSHL 2.60E-03 9 RHRH 1.57E-04 10 A 4.00E-04 1

l l

i 5-88 l

i

. - s

- - _. = - - _

Table 5.14 " Basic" Event -Probabilities for Medium LOCA Core-Damage Fault Tree First Moment of Number Name Unavailability 1 S1 2.00E-03 2 EAC 5.00E-07

, 3 EDC 2.50E-07 i

4 WSW 5.00E-07 5 FWPCS 9.99E-01

! 6 HPCIH 1.16E-01 7 ARC 1.50E-01 8 ADSH 1.76E-04 9 LPCIH 1.80E-03 10 LPCSH 2.60E-03 11 REC 0V 1.70E-01 12 RHRH 1.60E-04 13 FWPCSL 6.00E-02 14 X 1.50E-05 l

i l

l 5-89

Table 5.15 " Basic" Event Probabilities for Small LOCA Core-Damage Fault Tree First Moment of Number Name Unavailability _

1 S2 1.00E-02 2 EAC 5.00E-07 3 EDC 2.50E-07 4 WSW 5.00E-07 5 REC 0V 1.70E-01 6 ARC 1.50E-01 7 RHRHUB 9.39E-06 8 RHRHU 7.99E-06 9 FWPCSUB 9.10E-03 10 FWPCSU 9.10E-03 11 RCICH 7.00E-02 12 HPCIH 1.16E-01 13 FWPCS 1.60E-01 14 ADSH 1.76E-04 15 LPCIH 1.80E-03 16 LPCSH 2.60E-03 17 X 2.00E-03 5-90

Table 5.16 Turbine Trip CASES. C C C C CD 1 2 3 4

1. Limerick PRA 8.1x10-7 4.0x10- 4.8x10-7 5.3x10-8 1.7x10-6 Rev. 4

2. BNL MODIFICATIONS 5.6x10-0 6.8x10 7.2x10-7 1.0x10-7 7.1x10 6 IN F/T E/T & DEP.

) _ _ . _

, 3. -BNL INITIATORS 1.2x10-5 1.4x10-6 1.5x10-6 2.3x10-7 1.5x10-5 i l____

P Table 5.17 Feedwater, MSIV t

i

CASES C C C C CD 1 2 3 4

! 1. Limerick PRA 3.8x10-6 I 3.3x10-7 4.8x10-7 4.3x10-8 4.7x10-6

{ Rev. 4

2. BNL MODIFICATIONS 5.5x10-5 2.2x10-6 8.9x10-7 7.3x10-8 5.8x10" l

, IN F/T E/T & DEP.

3. -6 BNL INITIATORS 3.8x10 1.5x10 6.2x10-7 5.0x10-8 4.0x10-5 :

i \ ._

l

(-

i 5-91

, m . .-- ._.. .. . . . ---

1 Table 5.18 LOOP CASES Cy C C C CD 2 3 4

1. Limerick PRA 6.6x10-6 3.5x10-8 4.8x10-8 1.9x10-9 6.7x10-6 Rev. 4

2. BNL MODIFICATIONS 1.2x10-5 2.0x10-7 1.9x10-7 2.8x10-9 1.2x10-5 IN F/T E/T.8 DEP.

! 3. BNL INITIATORS 3.9x10-5 6.3x10-7 6.1x10-7 9.0x10-9 4.0x10-5 I

4 Table 5.19 10RV CASES Cy C C C CD 2 3 4

1. Limerick PRA 8.5x10-7 1.3x10-7 7.8x10-8 8.0x10-9 1.1x10-6 Rev. 4

2. BNL MODIFICATIONS 1.4x10-6 1.3x10-7 1. 7x10-7 6.8x10-9 1.7x10-6 IN F/T E/T & DEP.

-6 -8 -6

3. BNL INITIATORS 5.0x10 4.5x10-7 6.0x10-7 2.5x10 6.1x10 c

l 5-92

Table 5.20 Manual Shutdown CASES C C C C CD 1 2 3 4 l '. Limerick PRA' 2.3x10-7 7.8x10-10 2.3x10-7 Rev. 4

2. BNL MODIFICATIONS _4.0x10-7 1.6x10-8 4.2x10-7 IN F/T E/T & DEP,

3. BNL INITIATORS '4.0x10-7 1.6x10-8 4.2x10-7 4

Table 5.21 Large LOCA CASES C 1

C 2

C 3 C.

4 CD

1. Limerick PRA 6.4x10-8 3.2x10-9 4.0x10-9 7.1x10-8 Rev. 4

2. BNL MODIFICATIONS 6.4x10-0 4.2x10-9 -4.0x10-9 8.2x10-8

{ IN F/T E/T & DEP.

t

3. BNL INITIATORS 6.4x10-8 4.2x10-9 4.0x10-9 8.2x10-8 :

i l

l 5-93 I

Table 5.22 Medium LOCA CASES C; C C C CD 2 3 4

1. Limerick PRA 1.3x10-8 1.1x10-9 1.4x10-8 Rev. 4

2. BNL MODIFICATIONS 4.7x10-0 1.9x10-8 4.8x10-' l.9x10-10 7.1x10-8 1 IN F/T E/T & DEP.

l

-10

3. BNL INITIATORS 4.7x10-0 ,

1.9x10-8 4.8x10-9 1.9x10 7.1x10-8 l.

Table 5.23 Small LOCA CASES Cy C C C CD 2 3 4

1. Limerick PRA 1.7x10-8 3.5x10-10 1.7x10-8 Rev. 4

-8 -8

2. BNL MODIFICATIONS 2.9x10 2.0x10- 2.4x10-8 9.7x10-10 5.6x10 IN F/T E/T & DEP.

3. BNL INITIATORS 2.9x10-8 2.0x10-9 2.4x10-8 9.7x10-10 5.6x10-8 l

5-94

~

Table 5.24 TOTAL CASES C C C C CD 1 2 3 4

1. Limerick PRA 1.2x10-5 9.6x10-7 1.1x10-6 1.1x10-7 1.5x10-5 Rev. 4

-7

2. BNL MODIFICAT10NSI 7.5x10-5 3.3x10-6 2.0x10-6 1.9x10 8.0x10-5 IN F/T E/T & DEP.

-7

3. BNL INIT;ATORS ; 9.5x10-5 4.1x10-6 3.4x10-6 3.0x10 1.0x10-4 1

5-95 m

Table 5.25 Ranking of BNL and Limerick Sequences by Core-Damage Frequency BNL (1.0x10-4) Limerick (1.45x10-5)

Dominant Sequences

1) TpQUX 3.7x10-5 36.3% TEUV 6.0x10-6 40g

2) TEUV 3.2x10-5 31.4% Tp00X 3.6x10-6 24%

3) TEUX 8.6x10-6 8.4% TTQOX 7.7x10-7 1

4) TTQUX 8.0x10-6 7.8% TEUX 6.9x10-7

5) TguX 4.0x10-6 3.9% TguX 6.8x10-7 1

6) TT(DC) 2.0x10-6 2.0% TTPW 3.9x10-7

90% core damage

7) T pQW 1.3x10-6 1.3% TT ICMPU 2.7x10-7

8) TT(WSW) 1.2x10-6 1.2% T 2 p CguuR 2.4x10-7

9) TpQUV 1.1x10-6 1.1% TgQUX 2.2x10-7 I C PU 8.7x10-7 2 T pCWg

10) TT M 12 1.9x10-7

11) T TPW 7.7x10-7 Tp2CgPU 1.6x10-7

12) TW E 6.4x10-7 T pQW 1.6x10-7

13) TT(AC) 6.1x10 7 TCWE g 12 1.4x10-7 2 5.3x10-7

14) Tp CMUUg T gCUX 1.4x10-7

15) T C'UX I 5.0x10 7 TpQUV 1.4x10-7

16) TgW 4.3x10-7 ------------------------907. core damage 3

17) TE CWg 12 4.3x10-7 probability

18) Tg UV 3.6x10-7

19) TgQUX 3.6x10-7

20) Tr(DC) 3.1x10-7 4

21) T gCu g 2.9x10 7

22) TgC'W 1.8x10-7 5-96

1 4

. Table 5.26 Class I Dominant Sequences

1) TpQUX 3.7x10-5 l 2) TEUV 3.2xlo-5

3) TME 8.6x10-6

4) TTQUX 8.0x10 6

5) Tg uX 4.0x10-6 1

6) TT(DC) 2.0x10 6

7) Tp0VV 1.1x10-6

8) TT(AC) 6.1x10 7

9) TT(WSW) 6.1x10-7

10) TgC'UX 5.0x10 7

11) TgW 3.6x10-7

12) TgQUX 3.6x10 7 l 13) Ty(DC) 3.1x10-7

14) Tp(AC) 9.2x10 8 i

i i

5-97

n. . .

i i

1 Table 5.27 Class !! Dominant Sequences . ;

l-

?

1) Tp0W 1.3x10-6 l 2) T TPW 7.7x10 7

3) TW E 6.4x10-7 l 4) TT(WSW) 5.9x10 7 j 5) TgW 4.3x10-7 l 6) T pPW 1.2x10-7

! 7) Tr(WSW) 1.1x10-7

8) T TQW 9.4x10-8 l

f

}

i

)

i i

i I

l I i

i l

7 l

l 5-98

- . _n

t

) Table 5.28 Class III Dominant Sequences

1) TT I CMPU 8.7x10-7

2) TpCgu uR 5.3x10 7 I

3

3) TE CgW12 4.3x10-7 4

4) T gCU g 2.9x10-7

5) Tg Cg 4 C12 2.6x10-7 l 6) Tp 2C gPU 2.4x10-7 i

7) Tp Cg 2 W12 1.6x10-7 l 8) TTI CCg2 1.6x10-7

9) TE Cg 3 UUR 1.1x10-7

! 10) T IC T gPW2 6.6x10-8 2 4.3x10-8

11) Tp C CM2 4

12) Tg C PU g 3.2x10-8 3 C PU 2.4x10-8 4

13) TE M

14) TE CCg2 2.1x10-8 l

l l

}

1 l

5-99 t ._

Table 5.29 Class IV Dominant Sequences j

I

1) TT CD M 1.4x10-7

2) T 2C p gUD 4.0x10 8 2

3) Tp CgD 3.3x10-8 y PW2

4) T 4C g 2.0x10-8 )

I CR 1.5x10-8

5) TT E

6) TTI CU gH 1.4x10-8

7) Ty Cl PD M 1.3x10-8

8) TICM T g 7.5x10-9 I

9) TT CgR 7.4x10-9

10) T g4CD g 3.6x10-9 2 PD

11) Tp Cg 3.6x10-9

12) T p2 CgUg 3.3x10-9 3 3.0x10-9

13) TE CMPD

14) T 3C E gUD 2.7x10-9 3

' 15) TE CD M 2.7x10-3

16) T2CM p g 2.1x10-9 I 1.3x10-9

17) TT CMpug i

I 0

3 l

l 5-100

Table 5.30 . Uncertainty Measures for Transient Initiators and Manual Shutdown Initiator 5% Median Mean 95%

Turbine trip 5.49 7.96 8.17 11.55 MSIV 0.47 1.08 1.23 2.48 LOOP 0.02 0.11 0.17 0.48 10RV 0.02 0.17 0.25 0.63 Manual shutdown 0.85 2.56 3.20 7.68 Table 5.31 Core-Damage Frequency Distribution Point 5% Median Estimate 95% ___

Total Class I 4.7x10-6 3.3x10-5 9.5x10-5 3.3x10-4 Total Class II 4.5x10-7 2.3x10-6 4.1x10-6 1.1x10-5 Total Class III 2.6x10-7 1.6x10-6 3.3x10-6 1.1x10-5 Total Class IV 1.7x10-8 1.1x10-7 3.2x10-7 1.1x10-6 Total core-damage 6.6x10,6 3.7x10-5 1.0x10-4 3.3x10 4 l

l l

i 5-101

)

Table 5.32 Importance Ranking of Systems With Respect to Core-Damage Frequency System or Event Fussel-Vesely Importance Measure

1. High pressure coolant injection hardware 0.610 (HPClH)

2. Reactor core isolation cooling hardware 0.590 (RCICH)

3. Manual depressurization (X) 0.570

4. Loss of offsite power initiator (TE) 0.404

5. Feedwater and power conversion system 0.470 (FWPCS)

6. Loss of feedwater initiator (Tp ) 0.395

7. Dependent failure of all diesel generators 0.340 to start (CD)

8. Turbine trip initiator (TT) 0.147

9. S/R valves failure to reclose (P) 0.075

10. 10RV initiator (Tg) 0.060

11. Alternate room cooling (ARC) 0.053

12. Residual heat removal system (RHR) 0.041

13. Loss of DC power (EDC) 0.024

14. Automatic depressurization system hardware 0.021 (ADSH)

15. Service water system (WSW) 0.014

16. Loss of AC power (EAC) 0.008

17. Manual scram initiators (Tg) 0.004

18. Manual prevention of depressurization in ATWS (D) 0.002

19. Large LOCA initiator (A) 0.0008

20. Medium LOCA initiator (Si ) 0.0007

21. Low pressure coolant injection hardware 0.0006 (LPCIH) .

22. Low pressure core spray hardware (LPCSH) 0.0006

23. Small LOCA initiators (S2 ) 0.0005

24. Standby liquid control system (SLC) 0.0004 5-102

)

I Table 5.33 Effect of removal of the ATWS-3A modification on the frequencies of accident Classes I-IV, and core damage.

BNL-Revised BNL-Revised Frequencies Frequencies Accident with without %

Class ATWS-3A ATWS-3A Change I 9.5 x 10-5 9.5 x 10-5 0%

II 4.1 x 10-6 4.1 x 10-6 og III 3.4 x 10-6 3.6 x 10-5 +959%

1 IV 3.0 x 10-7 8.0 x 10-7 +167%

TOTAL 1.0 x 10-4 1.35 x 10-4 + 35%

I l

l i

i 5-103 l

Table 5.34 Effect of removal of the ATWS-3A modification on the expected acute fatalities.*

Expected BNL-Revised Release Acute Fatalities, Frequencies Risk Category ** Given Release Without A1WS-3A Without ATWS-3A CY4 75.4 3.6 x 10-7 2.7 x 10-5 C4Ye 68.9 1.6 x 10-7 1.2 x 10-5 C4 Y" 138.0 1.8 x 10-7 2.5 x 10-5 (Ct+C3 )a 212.0 1.3 x 10-7 2.8 x 10-5 Ca 2 79.5 2.1 x 10-8 1.7 x 10-6 Ca 4 94.3 8.0 x 10-9 7.5 x 10-7 (C1+C4 )sp' O.604 5.5 x 10-7 3.3 x 10-7 l

~

l

Expected acute fatalities without ATWS-3A: 9.5 x 10-5 Expected acute fatalities with ATWS-3A: 4.8 x 10-5 i

Expected acute fatalities per year of reacter operation.

- See Section 6 for a definition of release categories.

l 5-104

Table 5.35 Effect of removal of the ATWS-3A modification on the expected latent fatalities.*

Expected BNL-Revised Release latent Fatalities, Frequencies Risk Category ** Given Release Without ATWS-3A Without ATWS-3A CY 4 1.4 x 104 3.6 x 10-7 5.0 x 10-3 C4 Y' 1.4 x 104 1.8 x 10-7 2.5 x 10-3 C4 Y" 1.3 x 104 1.8 3. 10-7 2.3 x 10-3 (C1+C3 )a 2.1 x 104 1.3 x 10-7 2.8 x 10-3 Ca 2

1.8 x 104 2.1 x 10-8 3.7 x 10-4 Ca 4

1.8 x 104 8.0 x 10-9 1.5 x 10-4 (C-C)gy' 1 4 6.6 x 103 6.0 x 10-7 3.6 x 10-3 OPREL 2.2 x 103 1.0 x 10-4 2.2 x 10-1 Expected latent fatalities without ATWS-3A: 2.4 x 10-1 Expected latent fatalities with ATWS-3A: 1.8 x 10-1

Expected latent fatalities per year of reactor operation.

- See Section 6 for a defintion of release categories.

5-105

1 Table 5.36 Bridge tree event sequences impact.

i .

! Sequence Failure Mode Impact Time Frame i

None OK .NA Mode 1 CDR fails Delayed core melt 27 Hours

, Mode 2 COR fails Delayed core melt 27 Hours Mode 3 Coolant makeup Core melt (similar to TQUV) 2-10 Hours fails Mode 3/4* C0R fails to open Core melt (direct release) 2-10 Hours and coolant makeup fails Mode 5 Long-term makeup Potential direct release 2-10 Hours fails and contain- from containment following 4

ment integrity core melt fails l

Mode 4 is treated the same as Mode 3 e

i l-5-106

Table 5.37 Sumary of the calculated reductions in the frequency of a radioactive release due to the use of containment overpressure relief (reflected in the bridge tree)

CONTAINMENT FAILURE OF FAILURE OF FAILURE OF PRESSURE BELOW CONTAINMENT MAEUP WATER CONTAllMENT ULTIMATE OVERPRESSURE TO REACTOR OVERPRESSURE FOLLOWING TYPE OF SEQUENCE RELIEF MODE 3 REllEF TO CLOSE VAPORIZATION MODE 1,2 MODE 3 MODE 1/3 MODE 1+ MODE 3 Loss of Containment Heat Removal (TW) (5.3.1) 10 2 2x10-4 lx10-3 5x10-2 10-2 Y'

5 Failure to Scram w/ Loss of RHR (ATWS-W) (5.31) 3.6x10-2 .23* .3 5x10-2 10-2 Failure to Scram w/ Loss of SLC (ATWS-C 2 ) (5.31) 1 .23* .8 5x10-2 10-1 Failure to Scram w/ Loss of 1 SLC and 1 or 2 RHR (ATWS-Cl2) (5.31) 3.6x10-2 .23* .3 5x10-2 10-2

Loss of coolant makeup probability is the combination of the following:

a. Evaluated HPCI failure probability

b. Increased likelihood of exceeding the pressure trip setpoint of 50 psig (Actual) due to exceeding the containment pressure design point

c. Increased likelihood of the setpoint drifting low

- Mode 1/3 is the conditional probability of mode 3 occurring given that mode 1 (or mode 2) has occurred.

+ Conditional failure probability of COR not reclosing given that coolant makeup to the core has failed.

Table 5.38 Effect of COR on TW sequences Reduction Through Frequency. Der Bridge Tree Frequency Contribution to Each Class Sequence Type Accident Sequence Reactor Year (see Table 5.37) I II 111 IV TW TyQW(Q) ----

4.2x10-8 ___. ..__

TTPW(P) 1.4x10-6 Mode 1(2x10-2)5)

Mode 1/3(2x10- ----

4.2x10-Il ---- -- -

TT(WSW)

Mode 3(1.9x10-4 4.0x10-10 __.. ..__ .___

Mode 3/4(1x10-5)) ---- ---- ---- 2.1x10-Il 7 T QW(Q) 1.6x10-6 Mode 1(2x10-2) ----

3.0x10-8 ____ ....

~

o T PW(P) Mode 1/3(2x10 1 '

3.0x10-II ---- ----

I (WSW) Mode 3(1.9x10 'l 2.9x10-10 _.__ .___ ....

Mode 3/4(1x10- ) ---- ---- ---- 1.5x10-Il TWE 6.4x10-7 Mode 1(2x10-2) ----

1.3x10-8 __.. ..._

Mode 1/3(2x10 'I ---- 1.3x10-Il ---- ----

Mode 3(1.9x10-j 1.2x10-10 .... __.. ....

Mode 3/4(1x10- ) ---- ---- ---- NEG TW3 6x10-7 Mode 1(2x10-2) ----

1.2x10-8 ____ ....

TgC 'W(C') Mode 1/3(2x10-55 ---- 1.2x10-Il ----- ----

4 1.1x10-10 .... ___. __._

Mode 3(1.9x105))I Mode 3/4(1x10- ---- ---- ---- 6.0x10-12 TOTAL 9.2x10-10 9.7x10-8 ----

a.2x10-Il L

Table 5.39 Effect of COR on ATWS-W sequences Reduction Through Frequency per Bridge Tree Frequency Contribution to Each Class Sequence Type Accident Sequence Reactor Year (see Table 5.37) I 11 111 IV ATWS-W (1.2 or Ty Cl PW2 M 6.6x10-8 Mode 1 (.04) ---- ---- ---- 2.6x10-9 3 SLC Pumps Mode 1/3 (.03) ---- ---- 2.0x10-9 -- -

Operating Mode 3 (.27) ---- ---- 1.8x10-8 ____

Mode 3/4 (.013) ---- ---- ---- 8.6x10-10 2

T 12 2.0.x10-7 Mode 1 (.04) ---- ---- ---- 8.0x10-9 T

W12 Mode 1/3 (.03) --- ---- 6.0x10-9 ----

T W2 Mode 3 (.27) ---- ---- 5.4x10-8 ....

2.6x10-9 7 TF 12W12 Mode 3/4 (.013) ---- ---- ----

o

T 4.6x10-7 Mode 1 (.04) ---- ---- ---- 1.8x10-8 12 T Mode 1/3 (.03) --- ---- 1.4x10-8 __..

W12 1

W2 Mode 3 (.27) ---- ---- 1.2x10-7 ----

Mode 3/4 (.013) --- ---- ---- 6.0x10-9 Tg4 CWg 12 3.8x10-8 Mode 1 (.04) ---- ---- ---- 1.5x10-9 4

Tg CgPW 2 Mode 1/3 (.03) --- ---- 1.1x10-9 ----

Mode 3 (.27) ---- ---- 1.0x10-8 .. .

. Mode 3/4 (.013) ---- ---- ---- 4.9x10-10 TOTAL

---- 2.3x10-7 4.0x10-8

Table 5.40 Ef fect of COR on ATWS-Cl2 and ATWS C2 sequences Reduction Through Frequency per Bridge Tree Frequency Contribution to Each Class Sequence Type Accioent Sequence Reactor Year (see Table 5.37) I II III IV ATWS-C2 (All TylCgC2 1.6x10-7 Mode 1 (.20) ---- ---- ----

3.2x10-8 reactivity Mode 1/3 (.72) ---- ----

1.2x10-7 ----

shutdown Mode 1/3/5 (.08) ---- ---- ---- 1.3x10-8 mechanisms Mode 3 (NEG) ---- ---- ---- ----

lost) Mode 3/4 (NEG) ---- ---- ---- ----

7 2

T pCCg2 4.3x10-8 Mode 1 (.20) ---- ---- ----

8.6x10-9 Mode 1/3 (.72) 3.1x10-8 g

Mode 1/3/5 (.08) ---- ---- ----

3.4x10-9 TE CgC2 2.1x10-8 Mode 1 (.20) ---- ---- ----

4.2x10-9 Mode 1/3 (.72) ---- ----

1.5x10-8 ____

Mode 1/3/5 (.08) ---- ---- ----

1.7x10-9 TCCg g 12 2.6x10-7 Mode 1 (.20) ---- ---- ----

5.2x10-8 Mode 1/3 (.72) ---- ---- 1.9x10-7 ----

Mode 1/3/5 (.08) ---- ---- ----

2.1x10-8 TOTAL 3.6x10-7 1.3x10-7 i

f I

Table 5.41 Effect of Inclusion of Containment Overpressure Relief System on the Frequency of Core-Damage BNL BNL f

Revised Revised Accident Frequencies Frequencies j Class Without COR With C0R l

I 9.45x10-5 g,45x10-5 i

i II 4.10x10-6 9.70x10-8 III 3.40x10-6 2.70x10-6 i

IV 3.00x10-7 4.5x10-7 TOTAL 1.02x10-4 9.77x10-5 I

E i

l 5-111

.-,.,,-7 g-.-gy-. . --m.-.m..._ , _.,.,mw .- , . .--g _g. ,,y,9 -. - w - - -y-- -,y . ,ym 3-

. = _ - -.

i i

l i

l Table 5.42 Effect of Inclusion of Containment Overpressure Relief System on the Expected Acute Fatalities Expected BNL Risk

Release Acute Fatalities, Frequencies With l Category

Given Release With C0R COR I

CY 4 75.4 2x10-7 1.51x10-5

C4 Y' 68.9 1x10-7 6.89x10-6

C4Y" 138 1x10-7 1.38x10-5

, (C1+C3 )a 212 9.7x10-8 2.06x10-5

, Ca 2 79.5 9.7x10-10 7.71x10-8 Ca 4 94.3 2.3x10-9 2.17x10-7

, (C1+C 4 )8u' O.604 2.4x10-7 1,45x10-7 Expected Acute Fatalities with C0R 5.68x10-5 Expected Acute Fatalities without COR 4.8x10-5

- *See Section 6 for a definition of release categories. .

l 5-112

Table 5.43 Effect of Inclusion of Containment Overpressure Relief System on the Expected Latent Fatalities Expected BNL Revised Risk Release Latent Fatalities, Frequencies With Category

Given Release With COR COR CY 4 1.4x104 2x10-7 2.8x10-3 C4 Y' 1.4x104 1x10-7 1.4x10-3 C4 Y" 1.29x104 1x10-7 1.29x10-3 (C1+C 3 )a 2.13x104 9.7x10-8 2.07x10-3 C2 1.77x104 9.7x10-10 1.72x10-5 Ca 4 1.84x104 2.3x10-9 4.23x10-5 (C1+C4 )Su' 6.62x103 2.4x10-7 1.59x10-3 i OPREL 2.16x103 7.5x10-5 1.62x10-1 Expected Latent Fatalities with C0R 1.71x10-1 l Expected Latent Fatalities without C0R 1.77x10-1

See Section 6 for a definition of release categories.

5-113 l

Appendix 5A Evaluation of LGS Systemic Fault Trees

'This appendix comprises a discussion of results generated by BNL in the evaluation of the LGS-PRA systemic fault trees. Two computer codes were used in the course of this review: the WAMBAM [A1] code and WAMCUT code [A2]. The WAMBAM code provides a means of evaluating fault tree top-event unavail-ability, whereas the WAMCUT code identifies in addition to the top-event probability higher order cutsets of the fault tree.

As a part of the LGS-PRA review on system unavailabilities, minimum cut-sets generated from the WAMCUT computer code were examined for the ten systems discussed in Section 5.2.4.

The feedwater system was reviewed and about 50% of the system un-availability was found to come from normally open high pressure steam motor operated valve HV-108 failing closed (FMV1080QI). This valve supplies high pressure steam to the feed pump turbine when low pressure steam is not avall-abl e . Table SA.1 enumerates the minimum cutsets of the HPCI system. Major contributors to its unavailability were found to be turbine failure to start and run (HTU002DYI) and HPCI in test and maintenance (HTM); other important component failures include lube oil cooler heat exchanger failure (HHE100HFI),

lube oil pump failure (HPM300PWI), and other motor-operated valve failures.

These were single element cutsets, i.e., the failure of if any one of these components would disable the HPCI system. Similar tables compiled for the other systems are presented in Tables SA.2 to 5A.7. It can be seen that for the RCIC system (Table 5A.2) there are many single-component cutsets of which the major contributors are mechanical failure of turbine to start and run (RTU002DWI), RCIC in test and maintenance (RTM), and failure of operator to i take manual control of HPCI (RHU500DXI).

As for the LPCI system (Table SA.3), human failures dominate the un-l l availability of the system namely, failure to manually open valves which l inject into the recirculation loop (DHU102DXI) and common mode miscalibration of differential pressure permissive channels (DHU919DXI). These channels 5-114 l

automatically open LPCI injection valves when the reactor pressure de-creases to their setpoint. The next lowest order cutset is the single-component failure of the loss of suppression pool. On Table 5A.4, minimum cutsets are listed for the LPCS system. For this system there are two single-component cutsets: the failure of pump room cooling (KRMCLCSA) and common mode miscalibration of pressure sensors which sense reactor pressure low enough to open the core spray injection valves (LHU512DXI). The RHR system has many components and serves different functions. The quantification of the RHR fault tree revealed three major contributors to the system unavailability (Table 5A.5). They include failure of both RHR loops during surveillances (DTM12), suppression pool unavailablity due to rupture (ZTK1000FI), and clogged heat exchangers (DHXCOMHEI).

BNL evaluation indicates that for the SLC system, three single-component failure cutsets constitute about 78% of the SLC system unavailability:

maintenance error (SHU001DXI), discharge line check valve failure (SCV007DPI),

and discharge line manual valve failure (SXV0360QI), (Table 5A.6). It appears that the failure of either of the valves on the discharge line contributes a disproportionate amount to the unavailability of the system, namely, about ,

67%.

A reduced list of minimum cutsets for the electric power system fault tree is given on Table 5A7. The highest-order cutset is a single-component cutset which comprises the loss of 4 KV Bus or switchgear (EBSD11DWI). Final-ly, for the ADS, the most prominent contributor to the system unavailability is operator error committed during test and maintenance that subsequently leads to valve failure (AHU111DXI). As a matter of fact, with a probability l cutoff of 1x10-9, BNL calculated AHU111DXI to be the only cutset.

5-115 Y

l able !>A. I lil'f.I syston cutsets.

I'robabi l i ty Cu t set.s

1. l.2x10-2 lilu0020Y1

2. 1.0x10-2 IITM

3. 4.0x10-3 tillL100lli 1

4. 3.7x10-3 HPM300DWI

5. 3.0::10-3 IlMV105DPI

6. 3.0x10-3 liMV006DPI ,

7. 3.0 x10-3 itMV112DPI

8. 3.0x10-3 tigy111gp]

9. 3.0x10-3 itMV0590PI 10, 3.0x10-3 HMV001DPI

11. 2.9x10-3 HPM001DWI 5-116

i Table SA.2 RCIC System Cutsets

1. 1.24x10-2 RTU0020WI-

2. 1.09X10-2 RTM -HTM *

3. 9.51x10-3 -HI RHU500DXI *

4. 4.00x10-3 THU800DXI

5. 3.00x10-3 RMV013DPI I

6. 3.00x10-3 RMV046001 I

7. 3.00x10-3 RMV045DPI

8. 2.00x10-3 RHU100DXI l 9. 1.30x10-3 RHU801DXI l 10. 1.00x10-3 RMV007 DOI

~

11. 1.00x10-3 RMV008D0I

12. 1.00x10-3 RMV112001

13. 1.00x10-3 RMV113001

14. 1.00x10-3 RMV084001

15. 1.00x10-3 RMV030D01

16. 1.00x10-3 RMV060001 i

17. 1.00x10-3 RTR1 j 18. 1.00x10-3 PDV01500I

! 19. 1.00x10-3 RMV012001

20. 1.00x10-3 FMV11B001

21. 1.00x10-3 RHV700DXI

22. 1.00x10-3 RHU802DXI

23. 1.00x10-3 RHU803DXI Negative signs denote NOT events.

i

r. ,

i 5-117 l

Table 5A.3 LPCI system cutsets.

Probability Cutsets

1. 1.8x10-3 DHU102DXI DHU919DXI

2. 1.0x10-6 tsp

3. 2.6x10-8 DPM02ADWI DHU9190XI DPM02BDWI

4. 2.2x10-8 DMV15ADPI D!-lU919DXI DPM02BDWI

5. 2.2x10-8 DPM02ADWI DHU919DXI DMV15BDPI

6. 1.8x10-8 DMV15ADPI DHU919DXI DMV15BDPI Table 5A.4 LPCS system cutsets.

Probability Cutsets

1. 2.0x10-3 LHU512DXI

2. 3.0x10-4 KRMCLCSA

3. 1.3x10-4 LTM12 -LTM1 -ECUM4 -HTM j 4. 1.3x10-5 LPM 01CDWI LPM 010DWI

5. 1.3x10-5 LPM 01CDWI LPM 01BDWI i 6. 1.3x10-5 LPM 01ADWI LPM 01DDWI

7. 1.3x10-5 LPM 01ADWI LPM 01BDWI

8. 1.0x10-5 LMV005DPI LPM 01DDWI

9. 1.0x10-5 LMV005DPI LPM 01BDWI i 10. 1.0x10-5 LPM 01CDWI LMV037DQI l 11 . 1.0x10-5 LPM 01ADWI LMV0370QI 1 Negative sign denote NOT event.

l l

l l 5-118 i

b

Table SA.5 RHR system cutsets.

i Probability Cutsets

1. 1.9x10-6 DTM12 -DTMI -LTM2 -LTM1 -ECUM4 -HTM

2. 1.0x10-6 DHXCOMHEI l 3. 1.0x10-6 ZTK100DFI

4. 7.5x10-7 DHURHR1 DHORHR2 DMURHR3 DHURHR4 Negative signs denote NOT events.

Table SA.6 SLC system cutsets.

Probability Cutsets

1. 4.7x10-4 SCV007DPI

2. 1.2x10-4 SXV036DQI

3. 1.0x10-4 SHU001DXI

! 4. 6.7x10-5 RTMAB -RTMAA

5. 5.0x10-5 STK211DFI

6. 3.3x10-5 STMABC -STMAA -STMBB

7. 1.0x10-5 SPP001DFI

8. 1.0x10-5 EOSP SLNTEMP

9. 1.0x10-5 STK213HWI

10. 1.0x10-5 STK212HWI

11. 3.6x10-6 NHUOO2DXI NHU001DXI SHUO02DXI

12. 1.0x10-6 SMV06ADQI SMV06BDQI

13. 1.0x10-6 STKTEMP SRMTEMP EOSP l

l Negative signs denote NOT events.

l l

i S-119

. .. _ - . .. - - = . _ _ . _

. - - - _ - , - - __.=._._= -

I i

Table 5A.7 Electric power system cutset.

i

. Probability Cutsets

1. 2.0x10-5 EBSD11DWI

2. 1.7x10-5 EDGREPA ED11CND EOSP FOSREC

3. 1.3x10-6 EDGREPA EBY1A1HWI EOSP FOSREC

4. 1.2x10-6 ECB5070WI EOSP EOSREC h

i i

f t

5-120

Appendix SB Evaluation of BNL Modified Systemic Fault Tree This appendix describes the results obtained from the quan'tification of the BNL modified systemic fault trees. Changes made to the LGS fault trees were discussed in Section 5.2.4. Cutsets will be presented for those systems where significant differences are noted. The same computer codes-WAMBAM and WAMCUT-were used to evaluate the BNL modified systemic fault trees.

The BNL-calculated minimum cutsets for the HPCI system were very similar to those obtained in the Limerick study. Table 58.1 shows that the orders of the cutsets were perturbed such that failure to restart during the second (HRS 2A) and the third tries (HRS 3A) made the contribution of those cutsets more pronounced. In addition, this illustrates the sensitive nature of the restart data used in quantification of the fault trees. For the LPCI and LPCS systems, minimal changes were noted; BNL's changes to the fault tree did not affect the unavailability of the systems as calculated in the LGS-PRA.

Similarly, the RHR system was evaluated and little effect in the system unavailability was observed. Calculation of the BNL-modified ADS fault tree reviewed the importance of the common mode failure cutset where the gas supply was contaminated (AAS111DWI) (Table 5B.2). This common mode gas supply

! failure is a single-element cutset and has about the same order of magnitude in unavailability as the ADS system. For the SLC, system evaluation of the revised trees produced two cutsets which were of higher magnitude than those i evaluated for the Limerick fault trees. They were the miscalibration of the j tank level (Misc) and common mode failure of miscalibration of sensors I (NHU001DXI) and (SHU002DXI), (Table 5B.3)

L l

5-121 s

Table 5B.1 Cutsets for BNL-Modified HPCI Systems Fault Tree Probability Cutsets

1. 1.9x10-2 HRS 2A (*)

2. 1.8x10-2 HRS 3A (*)

3. 1.7x10-2 HRS 2A (*)

/ 4. 1.7x10-2 HRS 3A (*)

5. 1.2x10-2 HTUOO2DYI

6. 1.0x10-2 HTM

7. 1.0x10-2 HHU7000XI

8. 4.0x10-3 HHE100HFI

9. 3.7x10-3 HPM300DWI

10. 3.0x10-3 HMV105DPI

11. 3.0x10-3 HMV006DPI

12. 3.0x10-3 HMV112DPI

13. 3.0x10-3 HMV111DPI

14. 3.0x10-3 HMV0590PI

15. 3.0x10-3 HMV001DPI

16. 2.9x10-3 HPM001DWJ l (*) Three Cutsets contain numerous not-events i

Table 5B.2 Cutsets for BNL-Modified ADS Systems Fault Tree 4

Probability Cutsets

1. 1.0x10-4 AAS111DWI r 2. 7.5x10-5 AHU111DXI l'

l i

I 5-122 l

Table SB.3 Cutsets for BNL-Modified 'SLC Systems fault tree 4

Probability Cutsets

1. 2.0x10-3 MISC

, 2. 1.8x10 NHU001DXI SHU002DXI

3. 4.7x10-4 5CV007DPI

4. 1.3x10-4 SXV036DQI

5. 1.0x10-4 SHU001DXI

6. 6.8x10-5 RTMAB -RTMAA

7. 5.0x10-5 STK211DFI

8. 3.4x10-5 STMABC -STMAA -STMBB 9.- 1.0x10-5 SPP0010FI

10. 1.0x10-5 EOSP SLNTEMP

11. 1.0x10-6 STK213HWI

12. 1.0x10-5 STK212HWI

13. 1.0x10-6 SMV06ADQI SMV06BDQI

14. 1.0x10-6 STKTEMP SRMTEMP EOSP o

[

5-123

. _ _ _ _ _ - . ~_. __,

Appendix SC Uncertainty Analysis This appendix presents the details of the uncertainty analysis performed in this revision of the LGS-PRA. In particular, the dominant sequences used in the uncertainty calculations of the frequencies of Classes I through IV and of core damage are presented, together with the corresponding functions and numerical data used in the SAMPLE computer code (see Reference 1 in Chapter 5).

The accident sequences used in the uncertainty analysis for accident Classes I through IV are given in Table SC.1. The Boolean expressions for each class were transformed to SAMPLE functions as required by the SAMPLE code.

The numerical values of the various variables are given in Tables SC.2 and SC.3.

In order to account for the fact that the unavailability of some systems is accident sequence dependent, it was assumed that the ratio of the various unavailabilities will remain constant and equal to the ratio of the base case.

For example, the unavailability of the Q function depends on the accident initiator. For the uncertainty calculations, it was assumed the unavail-ability of the Q function given an MSIV closure initiator will be the l

" independent" variable (that is characterized by a distribution) and that the unavailabilities of the Q function given other initiators will be a multiple l

! of the former. For example, l

l Qi = ri-Qp ,

where rj is equal to the ratio of the point estimates Qj over Qp, that is, rj = ,

F The numerical values of the various r-coefficients are directiy inserted in the expressions given in Tables SC.1. These expressions also include the numerical values of the probabilities to recover offsite and onsite power. :

i 5-124 l

l l

Table SC.1 Sample Functions for Classes I-IV j i

Class I Sample Function SAMPLE =

X(2fi(X(7)*X(6)*X(814X(6)*X(7)*X(9)*.125*X(10)*X(11)4 X(12)*X(13)+.25*X(10)*X(11)*X(13))+

'X (5 ) *TT0 0 383

X ( 6 ) *X (7)

X ( B I ) +

Xt3)*(X(6)*X(7)*X(8)*.033+.125*X(10)*X(11)+X(12)*X(13)+.25*

X(10)*X(11)*X(13)+.033*X(6)*X(7)*X(4) i X ( 4 ) * ( X ( 6 )

X ( 8 ) * . 3 33 + 4.12

X ( 6 )

X ( 8 )

X )(15) + X

'X (10 )~*X (11 ) +12. 35+X (6 ) *X (9) *X (15) ) i X (1) * ( 0.513*X (11 ) *X ( 6 ) + 0.164*X ( 11)

X i 1 3)*(1-X(6))+0.079*

X (11) * (1-X (13) ) * (1-X (6) ) + X (6) *X (8) + 0.00066*X(8)*X(13)*

(1.0-X(6))*(1.0-X(11))+ 3.2E-4*x (8) * (1. 0-X ( 6 ) ) * (1 0-X ( 13) ) *

(1.07X(111))

Class II Sample Function S AMPLE =X (2) * ( 0.19ex (7 ) *X (17) * (1. 0-X t 6) )

il . 0-X (161 ) + X (16 ) *X (17) +

0 ; 17 + X ( 1 P ) * ( 1. 0 -X ( 16 ) ) *-( r; 0 -X ( 13 ) ) ) i~

X(3)*(0 002*X(7)*X(17)*(1.0-X(16))*(1",0-X(6))+0.17*X(12)

(liOLX(6))*(1;0-X'(13T) m 16)*X(17)*11;0a0.033*X(7)))~

+X (1 ) * ( 0.332* (1. 0-X (16) ) *X (17) A 0. 0 35'il . 0-X (16) ) *X ( 7)

X (17)

~

+4.79*X(16)*X(17))~

+X(4)*(0.164*(1 0-X(151)*X(7)*X(17)+14.0*X(15)*X(7)*X(17)

+0.17*Xt12))+-'

X (5) * (8 15E-04*X (7) ) * (1.05*X (17) ) * (1 0-X ( 6) )

Class III Sample Function S AMPLE = . 7 91 *X (1) *X ( 5 ) *X ( 6 ) *X ( 7 ) +'.247* x ( 2 ) *X ( 5 )

X ( 8 ) .

.336*X (3) *X (5) *X (7) *X (9)T;839*x (4 f *x (5) *X (7) 4X (4 ) *X (5) *X (16)

+.753*X(3)*X(5)*X(6)*X(7)+.0079*X(3)*X(5)*X(8)+.00254*X(1)

X (5) *X (11 )~ +~.85'X (2 ) *X (5 ) *X~(7 ) .X ( 9 ) T. 02*X ( 1 ) *X (5 ) *X (6 ) *X (12)

+.0024*X (3) *X (5) *X (11) +.95*X (4) *X (5) *X (6) *X (7) + .93*X (2) *X (5)

~

X (6 ) *X ( 7 ) + . 014 *X ( 2 ) *X (5 )

X (11i 4.26* X i 2 ) *X ( 5 ) *X ( 6 )

X ( 12) +

( .0078eX(4)*X(5)*X(8) l Class IV Sample Function l

, S AMPLE =. 0 76*X (1) *X (5) *X (13) + .5+X (3 ) *X i5)

X ( 7) *X (13) + .061*

X(3)*X(5)*X(13)+;19*X-(4)*X(5)eX(6)*x(12)+3.7E-4*X(1).X(5)

X (14 ) +.07*X (1) *X (5) *X (6) *X (13 ) + 1. 04's (1) *X (5 ) *X (15)

+X (1) *X (17) *X (16 f+X~(1) *X (5) *X (16) 5-125

t -

i Table SC.2 SAMPLE Code Input Variables for Classes I and II Sample Code Event Error Variable Desi gnato_r_ Event Median Factor 1

X(1) TE Loss of offsite 1.10E-1 4.3 power X(2) Tp MSIV closure 1.08E+0 2.3 X(3) TT Turbine trip 7.96E+0 1.4 X(4) TI 10RV 1.70E-1 3.7 X(5) T Manual scram 2.56E+0 3 X(6) U High pressure 4.94E-3 5 systems X(7) Q Feedwater 5.83E-1 1.6 X(8) X Depressurization 2.28E-3 10 (manual)

X(9) A ADS Hardware 1.41E-4 3 X(10) TE LOP due to grid 3.80E-4 10 stability X(11) C D Common mode diesel 7.60E-4 10 failure X(12) WSW Service water 1.90E-7 10

' X(13) ARC Alternate room 9.15E-2 5 cooling X(14) L Low pressure 2.74E-6 5 systems X(15) C' Timely scram 3.80E-3 10 X(16) P S/R valves reclose 6.10E-3 5 X(17) R Residual heat re- 5.73E-6 5 moval t 5-126 l

t -

Table SC.3 SAMPLE Code Input Variables for Classes III and IV Sample Code Event Error l Variable Designator Event Median Factor X(1) TlT Turbine trip 7.20E+0 1.4 X(2) T3E Loss of offsite 1.10E-1 4.3 pcwer X(3) Tp 2 MSIV closure 1.77E+0 2.3 4

X(4) Tt 10RV 1.70E-1 3.7 X(5) Cg RPS mechanical 6.20E-6 5 X(6) P S/R valves reclose 6.20E-2 5 X(7) U HPCI or FW 1.30E-1 2.5 X(8) W12 One RHR 9.90E-1 1 X(9) UR RCIC 4.90E-1 1.5 X(10) C12 2 or 3 SLC pumps 8.00E-2 3 X(11) C2 One SLC pump 8.50E-1 1 X(12) W Both RHR 4.50E-1 1.5 X(13) D ADS not actuated 1.00E-2 10 auto.

X(14) Ug FW or HPCI does not 4.90E-1 1.5 continue to run X(15) M Adequate press. 6.20E-5 5 control X(16) R Recirculation pump 6.20E-5 5 trip X(17) CE RPS electrical 1.24E-5 5 5-127

-. ~_ _ - _~

t APPENDIX SD Importance Analysis The objective of this appendix is to present the principles of the importance analysis perfonned in this revision of the LGS-PRA. The purpose of importance analysis is to rank the various systems of a nuclear power plant according to their risk significance. In general, two types of risk measures can be used:

1) Frequency of core damage.

2) Some other undesired consequence such as health effects (early or la-tent fatalities, cancers, etc.) or various kinds of property damage.

The appendix is organized as follows. Section 1 introduces a matrix notation and defines the risk measure as a function of the basic inputs. Sec-tion 2 defines the importance measure and provides a way to calculate it.

Section 3 describes how the results of the importance analysis can be used for sensitivity analysis. Finally, Section 4 gives the details of the importance analysis of the systems of the Limerick Generating Station.

50.1. Matrix Notation Following a notation similar to that introduced by PLG and used in the Zion and Indian Point Probabilistic Safety Studies, the following vectors and matrices can be defined. Let xj (i=1,...,N) denote N levels of the undesired consequence that fonns the base of the risk criterion, (1) and wj(xj)(i=1,...,N) denote the frequency of the ith level of consequence }

x; the following row vector is then defined (2) w(x)=[wi(x1),w2(x2)> 'WN (xN)3 l

l l 5-128 L _ .

i Let Rr ( r=1,2, . . .K) denote the K types of radioactivity releases, each of which uniquely defines the probability that a particular level of consequence x will occur at a given site, (4) and s rn denote the conditional probability that, given release Rr , the nth level of consequencenx will occur; (5) then the following Site Matrix can be defined:

S=[srn]: KxN matrix. (6)

Let Dj (j=1,2,...,J) denote the J types of plant-damage states each of which uniquely defines the conditional probability that a particular radioactivity release R p will result, (7) and cjr denote the conditional probability that given plant-damage state j,

, the rth radioactivity release will result. (8)

The following Containment Matrix can then be defined:

_C_=[cj r]: dxK matrix .

(9)

Let l Ij (i=1,2,...,1) denote the I types of accident initiators each of which i

uniquely defines the conditional probability that a particular plant-damage state will result from the ac-cident, (10) and mij denote the conditional probability that ghen initiator Ij , the jth plant-damage state will result. (11) 5-129 l .

m ___ _ _ _ _ _

The following Plant-Damage Matrix can then be defined:

M_=[mjj ]: IxJ matrix .

(12)

Finally, let fj (i=1,2,...,I) denote the frequency of the ith accident initiator.

The following initiator row-vector can then be defined:

f=[f ,f >

t 2 f l ]: 1x! vector . (13)

Given these definitions, it can be shown that the consequence frequency vector w(x) is given by w(x)=f M C S .

(14)

In general, the importance or the relevant value of each level of undesired consequences,n x , can be expressed in tems of a scalar function u(xn ) that is called the " utility" of realizing this particular level of the consequence. The risk measure, with respect to the particular consequence x, is then defined as the expected value of the corresponding utility. Since the various consequences have been discretized, the risk measure is given by Rx w(x) u(x) , (15) where u(x) is an (Nx1) column vector with elements the utility of the nth level of consequence x.

If u(x) is a linear function of x, that is if u(x )=x n ,nthen Eq. (15) gives the risk measure as the expected value of consequence x.

Whenever the frequency of core damage (CD) is the consequence to be used as a risk measure, then the various " levels" of these consequences are represented by the plant-damage states. Furthemore, since each plant-damage ;

state is equivalent or has the same "value" with respect to this criterion, the utility vector u(CD) has all its elements equal to one. In this case, by virtue of Eqs. (14) and (15), it follows that RCD"f M_*1 >

where _1_ is a (Jx1) column vector with elements equal to unity.

5-130

For the purposes of the importance analysis, it suffices to define a (Jx1) column vector v with elements vj equal to the expected utility of the risk of the jth plant damage state with respect to consequence x. Then the risk measure R x can be written as [see Eqs. (14) and (15)]

Rx"f*M_*1 >

(17) where yT=[1,1,.. 1] if consequence x is the frequency of core damage, (17a) and v=C S u(x) if x is some other consequence. (17b)

Of course, other possibilities also exist for defining vector v. For example, one could define the relevant importance of each release category u(Rr ) (r=1,2,...,K) and then define v as y_=C_ u_(Rp ) .

(17c)

SD.2. Importance Measures The objective of importance analysis is to rank the various systems of a nuclear power piant with respect to a given risk criterion. A system of a nuclear power plant can affect the level of a consequence by affecting the course of the accident in two ways. First, it can influence the particular plant-damage state that will result from the accident. Second, it can influence the particular radioactivity release that will result from the particular plant-damage state. In this analysis, only systems that affect the plant damage states will be examined. These systems affect the probability with which a particular plant-damage state occurs through their probability of being available to mitigate and/or alter the course of the accident.

Let us consider the event " plant-damage j occurs given the ith accident initiator" and denote it by Djj. This event can be combined with the sure event that a particular system S will be either available or unavailable. The Boolean expression of this combination is then l

Djj=Djj(Sjj+Sjj)=DjjS jj+Djjl jj ,

(18) 5-131 n

where Sjj denotes the event " system S unavailable" and Sjj denotes the event " system S available." Since the two events in the right-hand side of Eq. (18) are mutually exclusive, it follows that Pr[Djj]=Pr[Djj jSjj]Pr[Sjj]+Pr[Djjl3q]pr[jj] , (14)

Using the matrix notation introduced in Section SD.1 [Eq. (11)], Eq. (19) can be written as mjj =mj j (1) *U j j+mj j (0)(1-Ujj ) (20) or mjj =[mj j (1)-mjj (0)] *U jj+mjj (0),

where mjj(1) is the probability of obtaining plant-damage state j, given initiator i and given that system S is unavailable, mjj(0) is the probability of obtaining plant-damage state j, given initiator i and given that system S is available, Ujj is the unavailability of system S, given initiator i and plant dam-age state j, and use of the fact Pr(Si j)=1-Ujj is made.

l It is important to consider the unavailability of system S with respect to the initiator and the plant-damage state because, in general, the unavail-ability of a system depends on the particular initiator and on the state of other systems that collectively define the plant-damage state J.

For example, the unavailability of the feedwater and power convertion system (FW/PCS) in the Limerick Generating Station depends on the particular l

initiator (turbine trip, feedwater loss, LOOP) and also on whether plant-dam-age state I (Class I accident) or II (Class II accident) is of interest.

I By defining matrices M_s and M(0), respectively, as Ms=[(mjj(1)-mjj(0))Ujj] (21) and M_(0)=[mjj(0)] , (22) l 5-132

~ . a

Eq. (17) can be written as Rx =f MS v+f M(0) v . (23)

The two terms in Eq. (23) give the parts of the risk measure, Rx , that depend and do not depend on the availability of system S, respectively.

The importance measure for system S is then defined as the ratio of the risk measure contributed by the unavailability of system S over the total risk measure. By virtue of Eq. (23) it follows that y

,_contributionofsystemStorisk,f_*[*y- _

(24) risk x This importance measure is called the Fussel-Vesely importance measure since it is very similar to the one introduced by them.

I A r.pecial case is worth mentioning at this point. If the unavailability of system S does not depend on the initiator i and on the plant-damage state j, or if the conditional probability mjj does not depend on the unavail-ability of system S (i.e., if mjj(1)=mjj(0) for some 1,j), then it follows that Ms=[(mjj(1)-mjjf0))] U=U M* , (25) where U is the common value of the unavailability and M* the matrix with elements [mjj(1)-mjj(0)]. Then by virtue of Eqs. (23) and (25) it follows that Rx "(f*M_* 1)U+(f_t(0) v) ,

or that du --

N 1 (26)

By virtue of Eqs. (24) to (26) it follows that BR aR x x au u R x a (e nR,) (27)

IFV " R du b(tnU) x

! U 5-133

In other wor'.s, the Fussel-Vesely importance measure is equivalent to the logarithmic derivative of the risk measure with respect to the system unavailability.

In this case, also, the Birnbaum importance measure is given by aR

I "

(

B " d t!

l In the general case, the partial derivative of the risk measure with re-spect to the conditional unavailability of the system Ujj is given by dR I=

B aui J. ' i dd if the Ujj values are different for different i and J.

If for some i's and j's the unavailability of the system is the same, it follows that [see Eqs. (23)]

dR Ig = =

fj m)jvj (30) 1 j where the summation in Eq. (30) is over those i and j for which Ujj has the same value.

5D.3. Sensitivity Analysis In several instances, it is desirable to assess the effect on the risk criterion of a change in the unavailability of a system. The results of the importance analysis can be used to accomplish such a task.

For example, to assess the value of the risk measure if the unavail-ability of a system is changed from Ujj to U'tj, Eq. (23) can be used. The element mjj of matrix MS is changed from mj j Vjj to mjjujj and the risk measure is recalculated by Eq. (23).

5-134

3-i

! 6.0 BINNING OF ACCIDENT SEQUENCES

-In this section we review the binning of accident sequences identified in

! the Limerick PRA. In Section 6.1, we briefly describe the actual binning process adopted in the PRA. This section is needed because the PRA does not clearly describe the binning procedure. We consider that it is important for the procedure actually used in the PRA to be clearly described so that the im-pact of our concerns in Section 6.2 can be quantified. However, it must be emphasized that in this section we restrict our review to only the binning

( procedure. For reference purposes we use the accident sequence frequencies, release categories, and consequence calculations as given in the PRA. We sim-

ply assess the appropriateness of the accident sequence classification, the

containment event trees, and the grouping of the various failure modes into the five release categories using the consequence analysis of the PRA. In Section 6.3 we compare the Limerick PRA binning with that used in the RSS.

Finally, in Section 6.4, we summarize the impact of our concerns on risk.

! 6.1 Description of LIMERICK PRA Binning i

The binning of accident sequences in the PRA is shown in Figure 6.1 and was done in three major steps:

1 1) First, core melt accident sequences from each event tree were placed into one of four generic accident sequence classes as described in Table 6.1. The decision as to which class a core melt sequence be-longed was made by considering the sequence impact on the containment and the potential for release of radioactive material.

2) Second, each generic accident sequence class was then coupled with 7 possible containment failure modes (CFM) reduced from 11 possible failure modes because of similar consequences (see p. 3-123 of the Limerick PRA). The coupling of 7 containment failures modes with 4 generic accident sequence classes resulted in 28 separate and dis-l tinct release categories, which we have reproduced in Table 6.2.

3) On the basis of an analysis of the 28 possible release categories,

~

i those categories with similar consequences were combined into the final binning of 6 release categories. Of these categories, five

, were calculated to contribute to risk and one did not (either i

i 6-1

4 SEVEN CLASS I TRANSIENT CLASSI RELEASE CATEGORIES k

\%

EVENT TREES \ \ FIVE RISK CONTRIBUTING CLASSH

\. CONTAINMENT N CMSSH

? RELEASE CATEGORIES (\

CATEGORIES EVENT TREE LOCA EVENT T TREES \ \

SEVEN CLASSM '\

CLASSM \

RELEASE CATEGORIES s \

_ 7., ONE NON-ATWS RISK CONTRIBUTING EVENT / CATEGORY TREES '

CONTAINMENT SEVEN CLASS H /

CLASS N : EVENTTREE > RELEASE CATEGORIES IDENTIFICATION REDUCTION OF CORE IDE NTIFICATION IDENTIFICATION OF FINAL RELEASE OF ACCIDENT , MELT SEQUENCES INTO_ 0F CONTAINMENT POTENTIAL RELE ASE CATEGORIZATION 4 y SEQUENCES FOUR GENERIC FAILURE MODES C ATEG ORI E S CLASSES Figure 6.1 Binning of Accident Sequences in the Limerick PRA.

l l

Table 6.1 Generic Accident Sequence Classes.*

Generic Accident Physical Basis System Level Contributing Sequence Designator for Classification Event Sequence Class I (C1) Relatively fast core melt; Transients involving loss of inventory makeup containment intact at core small LOCA events involving loss of inventory melt and at low pressure

~

makeup Class II (C2) Relatively slow core melt Transients or LOCAs involving loss of heat due to lower decay heat removal, inadvertent SRV opening accidents power; containment failed with inadequate heat removal capability Class III (C3) Relatively fast core melt; Transients involving loss of scram function containment intact at core and inability to provide coolant makeup, p melt, but at high internal large LOCAs with insufficient coolant makeup w pressure transient with loss of heat removal and long term loss of inventory makeup Class IV (C4) Relatively fast core melt; Transients involving loss of scram function containment fails prior to and loss of containment heat removal or all core melt due to over- reactivity control, but which have coolant pressure makeup capability

Reproduced from Table 3.3.1 of the Limerick PRA.

Table 6,2 Summary - Generic Accident Sequence / Release Path Combinations, i

l N

P A8 !TY CONTAINMENT BY CCNTAINMENT FAILURE MODE class ! CLASS !! class !!! CLASS !Y FAILURE MOCE a 1.2x10*8 9.6x10 10 1.1:10*8 1.3x10*I8 1.5m10'8 8.u' 2.5x10'8 1.9 10*8 2.2x10*8 2.5 10*I8 2.9 10'8 y .u 3.2x10*8 - 2.5x10*I 2.8a10'I 6.4x10'8 3.8x10-6 y' 2.8x10*8 2.1x10'I 2.4x10*I 5.6:10'8 3.3a10*8 l

y 3.1x10'I 2.4x10'8 2.7x10*8 6.3:10*8 3.7:10*I Cs.4c 9.7a10*I 7.5x10'8 8.5x10'8 2.5410*II 1.1310'8 C.4 5.2s10-6 4.0a10*I 4.6a10*I 2.5a10*II 6.1x10 4 l

0tA8tL1H 9.6x10*I 3

1.2x10-5 1.1x10*8 1.3:10'I 1.5:10-5

Reproduced from Table 3.5.14 of the Limerick PRA, which shows the probabilities used in the Limerick PRA for the seven containment failure modes (release path) for each of the four generic accident sequences.

i i 6-4

because of low probability of occurrence or low consequences). The

! final binning used in the PRA is shown in Table 6.3 with the corres-ponding PRA probabilities of occurrence.

In Table 6.3 we also include the consequences of the releases used in the Iimerick PRA. These normalized fatalities were given to BNL during a con-ference call on August 10, 1982, by GE staff. They represent consequence cal-culations averaged over a range of five years and are described in greater

detail in Section 7.1. If we use the probabilities in Table 6.2 and the con-tainment event trees in the Limerick PRA, the probability of the release cate-gories can be calculated. These probabilities are also included in Table 6.3.

If the probabilities and normalized means are multiplied together for each category in Table 6.3, their contribution to risk can be assessed. If all the categories are summed, a measure of risk at Limerick is obtained that is con-sistent with the PRA. The results are summarized below.

j Mean Acute Fatalities: 2.35 x 10-6 Mean Latent Fatalities: 3.48 x 10-4 The above value for mean latent fatalities was obtained by integrating the latent effects over 30 years and then dividing by 30_ to obtain an annual rate of latent effects after the accident is postulated to occur. We consider that fatalities integrated over 30 years should be used to display the latent effects. Consequently, it is relative to the following means that we measure f the impact of our changes to the Limerick PRA binning:

Mean Acute Fatalities: 2.35 x 10-6 Mean Latent Fatalities: 1.04 x 10-2 l

From an inspection of Table 6.3, it is clear that only three of the re-l lease categories correspond to unique generic accident sequence / release path combinations (namely, C4 Y, C4 Y' and C4 Y") whereas two of the release l categories (0XRE and OPREL) represent groups of generic accident sequence /

release path combinations. In Section 7, we discuss the appropriateness of combining the various release paths into the 0XRE and OPREL categories. How-ever, in this section we use the consequence analysis reported in the Limerick l

6-5 l

Table 6.3 Final Release Categories Used in the Limerick PRA.

Normalized Fatalities Percent of Release Category Total Releases Description Acute Latent OXRE 0.3% Includes steam explosions both in- 22.37 332.0 (4.35 x 10-8) vessel and ex-vessel, and H2 explo-sions for all four generic accident Classes I through IV C4Y" 0.04% This is a Class IV sequence (ATWS) 75.78 182.8 (6.3 x 10-9) which has a failed containment (suppression pool drained) prior to core melt C4Y 0.44% This is a Class IV sequence (ATWS) 11.02 127.8 (6.4 x 10-8) which has a failed containment prior to core melt. The failure of the con-tainment is assumed to occur in the drywell due to overpressure or a hy-

{ drogen burn C4Y' O.38% This is a Class IV sequence (ATWS) 3.56 93.26 (5.6 x 10-8) which has a failed containmcnt prior to core melt. The failure of the con-tainment is assumed to occur in the wetwell with the suppression pool l still available OPREL 47.5% Includes the following containment fail- 0.0 46.38 (6.98 x 10-6) ure modes for Classes I, II, and III a) overpressure or hydrogen burn which fails the containment in the drywell l

b) overpressure which fails the contain-ment in the wetwell region with the suppression pool still available

Table 6.3 (Cont.).

Nonnalized Fatalities

! Percent of Release Category Total Releases Description Acute Latent' OTHER 51.3% Includes the following: Not computed -

(7.53 x 10-6) assumed negligible a) Classes I, II, and III containment overpressure failures which have the suppression pool drained due to containment failure in the wetwell b) Classes I through IV containment leakage in which the standby gas treatment system operates

! c) Classes I through IV containment leakage in which the standby gas

. m treatment system fails NOTE:

Normalized fatalities are reported as an average of the five years (1972-1976) over which the PRA '

CRAC runs were made and are reported as given to BNL by LGS. The normalized value is the mean value computed assuming that the release has occurred.

PRA, which is limited to the use of the five release categories that contri-bute to risk in Table 6.3. We will briefly discuss the OXRE and OPREL release categories used in the Limerick PRA and how the lumping of the various acci-dent sequence / release path combinations into these categories could influence our assessment of the binning of accident sequences.

In Table 6.3 we note that the 0XRE category combines the probabilities associated with all steam explosions (both in-vessel and ex-vessel) and H 2 explosions for all four generic accident classes. In Section 7.1.2 (refer to Table 7.5), the radionuclide releases calculated in the Limerick PRA for steam and H2 explosions are given. The release parameters used for the 0XRE cate-gory in the LGS PRA are stated to correspond to containment failure via an ex-vessel steam explosion. The release parameters associated with this failure mode do not represent the most severe with regard to radionuclide releases.

For example, containment failure via steam explosions (generic Classes I and III) results in significantly higher releases of 1,2 Cs, Sr, and La. Al so, the warning times associated with containment failure via in-vessel steam ex-plosion failures are significantly shorter than the warning time calculated for containment failure used in the 0XRE category. The in-vessel steam explo-sion probabilities were calculated in the Limerick PRA to be significantly lower than the ex-vessel steam explosion probabilities. Consequently, when combining these probabilities into the OXRE category, release fraction para-meters typical of the less severe event were selected.

Later in this section (refer to Section 6.2.2), we change the probabili-ties associated with steam explosions. It should be noted that when we assess I.

the impact of these changes on risk, we follow the LGS PRA scheme in this sec-tion and assign the steam explosions to the 0XRE release category, which as noted above has been associated with an ex-vessel steam explosion. Conse-quently, the changes in risk associated with changes in steam explosion proba-l bilities as discussed later in this section have the above limitation. In Section 7, we calculate the risk associated with actual steam explosion re-lease parameters to better define the changes in risk.

In Table 6.3 we note that the OPREL category combines the probabilities associated with all overpressure failures (including H2 burns) in the dry-well and wetwell (with the suppression pool intact) for Classes I, II, and f

6-8

III. The release parameters used for the OPREL category correspond to radio-nuclide releases typical of containment failure by overpressurization in the drywell for Class I sequences. The release parameters associated with this failure mode were selected to represent the OPREL category because of the high probability of the event and also because the release fractions are rela-tively high. Later in this section, we change the probabilities of the fail-ure modes grouped into the OPREL category. When assessing the impact on risk of these changes, we have again restricted our analysis in this section to use of the consequences associated only with the OPREL releases. So again, this I

limitation must be noted when considering changes in risk in this section.

Finally on page 3-10 of the PRA, it is stated, "each coupled set of accident class and containment failure mode is cal-culated explicitly with CRAC rather than by force fitting accident se-quences with different times to core melt, different release fractions, and different containment failure times into the same category."

This reasoning was the basis for not smoothing the release category prob-abilities as was done in the RSS. From the above discussion, it is clear that six release categories do not retain enough detail . The impact of smoothing is further discussed in Section 6.3 of this review.

6.2 BNL Revisions In the previous section we described the binning of the accident se-quences in the Limerick PRA. In this section we discuss a number of our con-cerns related to the binning procedure. In particular, we attempt to quantify how these concerns could impact risk relative to the Limerick PRA risk calcu-lations.

6.2.1 Appropriateness of Accident Sequence Classification l

The PRA analyzed four " typical" accident sequences, one for each generic

! class, to represent the spectrum of physical phenomena. Each typical sequence was then coupled with the 7 containment failure modes to obtain release frac-tions for fission product radionuclides. The sequences in Table 6.4 were used

! to represent the generic accident classes.

6-9

Table 6.4 Accident Sequences Used to Represent the Generic Classes in the Limerick PRA.

Class Representative Sequence I TQUX II TW III ATWS - ECC injection failure IV ATWS - ECC injection success LOCAs were lumped into the same bin as transients for each of the four generic accident sequence classes. Although LOCAs represent a small percen-tage of each class (the AJ sequence in Class II has a probability of $7% of the Class II core melt probability, and the AC sequence in Class IV has a probability of S3% of its class), we made separate analyses of LOCAs since their potential impact on risk is higher. The specifics of the MARCH / CORRAL runs for the AJ and AC sequences are discussed in Section 7.3.1. Briefly, the release fractions for these sequences were larger than those of the release categories into which they were placed, primarily because there is no suppres-sion pool scrubbing of the fission products released during core melt for the large LOCA sequences. The transient sequences pass the melt release through the safety relief valves into the suppression pool and thereby benefit from pool scrubbing. We initially considered it inappropriate to place LOCAs into release categories represented by transients. The impact that this has on risk is discussed in Section 7.3.1. Briefly, the conclusion in Section 7.3.1 is that the mean latent and acute fatalities are similar for LOCAs and tran-sients. However, we estimated that the number of thyroid cancers would in-crease by a factor of about 2 for LOCAs relative to transients for both Class II and Class IV sequences.

It is concluded that the analysis of Class II accident sequences in the Limerick PRA is conservative. In both the Limerick PRA and the BNL assess-ment, it is assumed (consistent with the WASH-1400 assumption) that, for Class II loss-of-decay-heat-removal accidents, successful injection continues until the containn)ent reaches its failure pressure. In fact, because of environmen-tal effects, both the high pressure and low pressure injection functions would

( fail prior to containment failure. The following explains how these failures l occur:

6-10 i

L_ . -

a) The high pressure injection system would fail when the suppression pool temperature reaches 190*to 200 F. The failure mode would be either loss of required net positive suction head (NPSH) or loss of turbine lube oil cooling. (See Section 7.3.2.1 for further discus-sions on these failure modes).

b) The low pressure systems would fail because of the inability to main-tain the ADS valves open thus allowing the reactor vessel pressure to rise above the shutoff head of the low pressure ECCS pumps. The loss of the ability to maintain the ADS valves open would occur at a con-tainment pressure near 80 to 90 psig. The nitrogen pressure to the valves is approximately 105 psig, and it is assumed that a 20-psi dif-ferential is required to maintain the valves open.

This failure of injection results in a core meltdown in an intact con-tainment rather than in a failed containment as assumed in the PRA and by BNL.

The effect of removing this conservatism is described in Section 6.3.

6.2.2 Appropriateness of Containment Event Trees 6.2.2.1 Containment Event Tree Logic The method used in the PRA is to have one containment event tree for generic accident sequence Classes I through III and another tree for Class IV. The containment event tree for Classes I through III sequences is shown in Figure 6.2. The Class IV containment event tree is reproduced in Figure 6.3. We consider that the containment event tree in Figure 6.2 is logically appropriate for Classes I and III sequences. However, we are concerned about the split fractions used at some of the branch points. These concerns will be discussed later in the section. We consider that the use of the containment event trees in Figures 6.2 and 6.3 for Classes II and IV sequences to be in-appropriate. We suggest using the revised trees in Figures 6.4 and 6.5 for Classes II and IV sequences, respectively. These trees consider the following:

I

! a) The entrance to the containment tree is due to loss of containment heat removal rather than core melt.

b) If there is sufficient containment leakage to prevent overpressure failure, the coolant injection systems will most likely continue to 6-11

se a, og 80 at saps a0 se et CORE l!! OVERPM88UM IETesAil0E CONT ui CONTAWNENT CO*' " SJPPRES$10N CONTAlhafti b8 84TS A

g p gERP U Y mM "L'

UII TOPMVENT OVERPRE8800E FAEURE PML f AKURE LE nR l3l FRUM Hl MOUEBCE m Vt8sEL CONTAmmEsf FAEURE FAEUM gyggpggggggg FAEURE (WETWELLI N CFM N WTMT CATESMT IWETWELil lLARGEl y

Cm a p g y 6 y y'/y y~/y ya ,

On Om08 -

0510amELLI y 024T OvEareE88UM g,,

8 000 00 l'WIAP8f880M V 0222 GPML 081WETWELU l WETWELL IOI ,- 80E8 SUPPM88ee PSOL _

FAEUM OS 0222 A SmALL LEM -

I 81 m Oms SmAtt leu. _

m 85 MTS FAEUGE 08 h

N 4 ggg ggggg ggg ,

l82 ggg LAAGE LEM. 88TS WAGEOUATE

, O WEAP E880AE OPAEL SAI l la l8i ,

gggg IB8TAETARESUS gg,g ICOBOITISMLl SyERPRE8800E 083 EMASETIC

, gggg 020E OWERPRE88ME EMABETIC ggg

. Omle SVERPM88HE ll] CONTASWEET FAlLUM MAT MWE SCCURGEO P988 TO CRAE NELT. W i TutSE CASES (CLA88 9 ANS CLAS8 (VL THE COETAMAf t FA403E N00E8 AM ONLV USES AS MCNANISulFM OELEASE FRACTION KTEameAlltu.

Irl ASSUMES TNAT lir EIPLO$10W W CesTAMMIEET CAUSES OVERPM8800E FAEUM WITa smECT PATisWAV TO SUTSWE ATM08PWERE.

13l LEARAGE AT 24N VOLUME PERCEsT/ DAY.

141FAEURE STAe00T M8 TREATWef $YSTEM.

I Figure 6.2 Limerick PRA Containment Event Tree for Classes I, II, and III Event Sequences.

i M BAPIO M Hr M g me M M CSRE lli NO AAM gyggegE550M DETMATW4 M % lft CMT Esi C0eTAmufti SUPPRE5880s COSTAle#ERT M 58TS

" 7,,

Mu miPMauM . .00a0 a'uas g p "I#{

n C R$ W HI VII3IL IAEUI 70,Am T m.P.inUM ,=UM P= >=Mi ua ai ,=UM im siSMaa 0, C,,U 0, CO,,4,,,,,, C,,, ,m,,

CONTAlamEET FAILUAE OVERPRE880M FAKUM IWETWELLJ IWETWELLI lLAAGE) 0

, g Cm a s u v 6 y y'/ y 7"/y v6 e a <smi - -

0510ATWELLI nEePMssuRE v 04n g ORTWELL CO ,. g ,43 NEMM C4y' 0$lWETWILL) ] WETWELL jet ,. ggg SUPPRES$100 P90L C4 y*

FAILUM II A (0051 $NALL LEM 05 I l0I a, (gget SEALL LEM. _

4 = 18 *

$$T8 FAllUAE 88 A( ($3N1 LARSE LEM -

f g

102 m (10nl LARSE LEM. 8478 IRAGESUATE

, 00A00 SVE#PSESSURE C4, 13 ISO

,/ 03013 msTAsTANE0la$

lComelTIONALI SERE OVERPRES8UM BNI EMAGETIC

, p gggig OIRE OVERPRE5500E 0 001

, ggig ENERSETIC GIAE OVEAPMS$U#E Ill CMTASMOT FAILUM MAV NAVE SCCUSAf 8 P910A TO CORE MLT. m TMSE CASE 8 lCLA88 I ANO CLASS lVL TM CONTAmmist FAILUM N00E8 ARE OnLT U$ES AS MCNAut$38 FM MLEASE FRACTign NTEAuteATION

82) ASSUM3 TNAT 4 EIPLGB80N W CONTAm3EsT CAUSE8 SWERPRESSUM FAILURE WITil DGECT PATNWAT T0 0UT880E ATBOSPNERE.

pl LEMAGE AT 2450 VOLUME PE ACENT/ SAT.

jel F AtueE STanNT SAs TMATMsT 3flTEs.

Figure 6.3 Limerick PRA Containment Event Tree for Class IV Event Sequences.

s ,

V T .

Um . ne mq

. Gp A

gy e

a P

M Mtm m e

s e 5 8

1 1

2 , m Mm "

8

, i g 8 3

.m e m smm s

, . s E

C 'p g. a # , g a # y s. a- e MIG L

E N y y y y

'y '7 ,.

.. - *'y y y

~~

7 y y y a c n

w D" ES E S w T , , , T E T 9 ,1

, , , w P ' wwww' T T e u

q e -

S g t g n gy W e v

p ' ' ' E 0 0 0 1 1 1 yI i1 I

ll I

g s MNrngu M 8 a 8 s 0 g y

0 1

a 1 l C

L E g r S

SMa EA g n o U l y t

O f Ii E Se g M g ' ' '

e 0 0 1

0 1

e 1

r T

L E

S g

g t 85g E6 g g n VE WSp T t a e 0

g g ' ' ' v 3 0 O 0 1

E 1 I t

n ET 0C e

1 ST A y m E W R

l

~

n PL i PO y US SP 0 a i t n

o C

E L B LE d U y W e ALT I

l fE W 'y s MW i v

e R

. L l.

F E .

- N F SSE UPE # B

$ O WU S8 s MTT:T R E I

Le E E V

R P 4 _

0D 3

s 6 O

e r

u g

i y g F 3N 3C 3

(

n b c

NS LEM SUf4 '

Les8 ef CIERT it PSE- BO FAILUGE SUPPOESSION 3

R$ % N Cue MBT evte- W WETWELL PteL WTACT pee 88ust g,I I g 3EfenATigu Of M o Y'/7 7"/7

B # m' toy mie 10 8

7"# "

10 '

,,7,, ,

10 '

,,y,p 3,,,

10 8 Tey e sus Twy' Jose m yg IWY' # mag 4

m 10 '

twy' g' sees 10 '

,,y,,g 3.,s 10 8 try'-a mas 1.0 0.5 7" "'

10 : , T*v" u m i10 8 ,,y.,,

. 3,,,,

0.1 10 '

, .,g .

10 8 7,y .. me, 4 10

ma i

'??. .

Figure 6.5 BNL-Revised Containment Event Tree for Class IV Sequences.

operate and no core melt will result. The PRA conservatively ignored this.

c) The in-vessel and ex-vessel steam explosion probabilities have been increased to reflect a failed containment. Since the containment has already failed prior to core melt, the steam explosion probabilities do not have to also reflect the probability of failing the contain-ment.

d) The remaining probabilities are the same as those used in the PRA be- l cause they were considered appropriate. I Thus, the core melt designators used in the revised trees may now have two associated greek letters. The first would be the location of the contain-ment failure (y, y', y"), and the second would be present if a subsequent in-vessel or ex-vessel steam explosions, hydrogen burn, or hydrogen detonation occurred designated as a. 6 u, u', respectively.

These probability changes, or split fractions, in the revised trees can be summed to obtain new conditional probabilities for the seven containment failure modes. A new category in which there is sufficient leakage to prevent overpressurization failure and hence no core meltdown is also identified and its associated probability calculated. These conditional probabilities are given in Table 6.5 (Class II) and Table 6.6 (Class IV).

The revised conditional probabilities in Tables 6.5 and 6.6 result in the changes in the probabilities of the five release categories shown in Table 6.7 (see Table 6.3 for definitions of the contents of each release category):

Table 6.7 New Release Category Probabilities Associated with New Classes II and IV Event Trees.

o Probability as Used New Percent Release Category in the PRA Probability Change k

OXRE 4.35 x 10-8 1.08 x 10-7 +148.3%

OPREL 6.98 x 10-6 6.93 x 10-6 -0.72%

C4Y 6.4 x 10-8 5.84 x 10-8 -8.75%

C4Y' 5.6 x 10-8 5.16 x 10-8 -7.86%

C4y" 6.3 x 10-9 5.73 x 10-9 -9.05%

f 6-16 u

Table 6.5 BNL Revised Conditional Probabilities for Class II Event Sequences (Entrance to Trees via Loss of CHR).

PRA Probability New Probability of CFM* of CFM*

Leak sufficient to prevent .495 .5 overpressure and hence no core meltdown (6)

Overpressure drywell (Y) .247 .2205 Overpressure wetwell (Y') .222 .1985 Suppression pool failure (Y") .025 .022 In-vessel steam explosion (a) .001 .005 Ex-vessel steam explosion (s) .001 .05 H2 detonation (u') .001 .0004 H2 burn (u) .009 .004 i

CFM = Containment failure mode.

i 6-17 as . -

Table 6.6 BNL-Revised Conditional Probabilities for Class IV Event Sequences (Entrance to Trees via Loss of CHR).

PRA Probability New Probability of CFM* of CFM*

Leak sufficient to prevent <.0004 <.0004 overpressure and hence no core meltdown (6)

Overpressure drywell (Y) .5 .441 Overpressure wetwell (Y') .443 .397 Suppression pool failure (y") .05 .0441 In-vessel steam explosion (a) .001 .01 Ex-vessel steam explosion (8) .001 .1 H2 detonation (p') .001 .0008 H2 burn (p) .009 .008

(

\

CFM = Containment failure mode.

l 6-18

_ s_

Using the PRA normalized mean acute and latent fatalities, these changes result in the following changes to risk.

Percent PRA New Change Mean Acute Fatalities 2.35 x 10-6 3.68 x 10-6 +56.6 Mean Latent Fatalities 1.04 x 10-2 1.11 x 10-2 +6.6 As can be seen, the acute fatalities increase by 56.6% owing to the in-creased effect of the OXRE release category. The effect on latent fatalities is much smaller because of the fact that this measure of risk is dominated by the OPREL category, which has slightly decreased in probability because some probability was shifted to the 0XRE release category.

6.2.2.2 Branch Point Split Fractions - Containment Leakage In order to see how sensitive risk is to the assumption of containment leakage, the containment trees were revised. The probability of sufficient containment leakage existing to prevent a gross failure of the containment was changed to zero. One can argue that the justification for this is presented in Appendix J of the PRA where it is stated that none of the penetrations should leak below 155 psia. Table 6.8 summarizes the new containment failure probabilities. This gives the new probabilities for the release categories shown in Table 6.9.

Table 6.9 New Release Category Probabilities Associated with No Containment Leakage.

Release Probability Used New Percent Category in the PRA Probability Change 0XRE 4.35 x 10-8 4.35 x 10-8 o OPREL 6.98 x 10-6 1,42 x 10-5 +103 C4Y 6.4 x 10-8 6.4 x 10-8 0 C4Y' 5.6 x 10-8 5.6 x 10-8 o C4Y" 6.3 x 10-9 6.3 x 10-9 0 6-19 l

O

Table 6.8 Probabilities of Containment Failure Modes with No Containment Leakage.

Class I Class II Class III Class IV Leak sufficient to 0 0 0 0 prevent overpressure

( 6)

Overpressure drywell .494 ,494 .494 .05 (Y)

Overpressure wetwell .444 .444 .444 .443

( Y' )

Suppression pool .05 .05 .05 .05

failure (y")

In-vessel steam .001 .001 .001 .001 explosion (a)

! Ex-vessel steam .001 .001 .001 .001 explosion (S) i i

.001 .001 .001 .001

~

H2 detonation (u')

1:2 burr.(a) .009 .009 .009 <.009 l

6-20 e

Again, using the PRA values for normalized mean acute and latent fatali-ties, this change results in the following change to risk.

Percent PRA New Change Mean Acute Fatalities 2.35 x 10-6 2.35 x 10-6 0 Mean Latent Fatalities 1.04 x 10-2 2.06 x 10-2 +97.4 The above comparison indicates that by eliminating containment leakage, the mean latent fatalities would increase by a factor 42. The reason for no increase in acute fatalities is the fact that only the probability of the Ol'REL category changes. The OPREL category was calculated in the PRA to have zero normalized mean acute fatalities.

6.2.2.3 Branch Point Split Fractions - Loss of Suppression Pool In order to see how sensitive risk is to the assumption of the branch point split fraction between the y' (wetwell failure, suppression pool intact) and y" (wetwell failure resulting in loss of the suppression pool) containment failure modes, the containment trees were altered by reversing the probabili-ties of these occurrences. Thus, the Y' and Y" values of 0.9 and 0.1, respec-tively, were revised to 0.1 and 0.9, respectively, for all the PRA containment event trees. This changed the release category probabilities to those shown in Table 6.10.

Table 6.10 New Release Category Probabilities Associated with Loss of Suppression Pool .

Release Probabilities Used New Percent Category in the PRA Probability Change 0XRE 4.35 x 10-8 4.35 x 10-8 o OPREL 6.98 x 10-6 4.1 x 10-6 _41.3 C4Y 6.4 x 10-8 6.4 x 10-8 o C4 Y' 5.6 x 10-8 6.3 x 10-9 -88.8 C4 Y" 6.3 x 10-9 5.6 x 10-8 +788.9 Cl-C3 Y" 3.6 x 10-7 3.25 x 10-6 +802.8 6-21 l

J _ . _ . -- -_

Note that in Table 6.10 Cl-C3Y" releases, which were not included as re-leases that impact risk in the PRA are included here to show that these re-leases can no longer be ignored with the new value of the Y'/Y" branch point split fraction. In order to evaluate the risk impact in a simple, approximate way, the probability of these sequences have been added to the OPREL category probability. Thus, the OPREL probability used is 4.1 x 10-6 + 3.25 x 10-6 = 7.35 x 10-6, The following summarizes the effect on the mean acute and latent fatali-ties due to the changes 'n the release category probabilities in Table 6.10.

Percent PRA New Change Mean Acute Fatalities 2.35 x 10-6 5.94 x 10-6 +152.8 Mean Latent Fatalities 1.04 x 10-2 1,12 x 10-2 +7.5 As can be seen, the effect on the mean latent fatalities is minimal owing to the domination of the OPREL category. The major increase in mean acute fa-talities is due to the $800% change (a factor of N9) in the C4Y" Category.

6.2.2.4 BNL Suggested Containment Event Trees On the basis of the above concerns, we have constructed containment event trees which we consider more appropriate than those used in the PRA. The BNL suggested trees are included in Figures 6.6 through 6.8.

A single containment event tree was used for Classes I and III (refer to Figure 6.6) since entry to these trees means core melt has already occurred.

Class II (Figure 5.7) and Class IV (Figure 6.3) contairment event trees were generated with the reason for entry into these trees being loss of containment heat removal. g The following paragraphs describe the reasoning behind each of the fail-ure mode probabilities used in the BNL contairment trees. l 6.2.2.4.1 Classes I and III Containment Tree The probabilities for in-vessel (a) and ex-vessel (S) steam explosions, hydrogen burn (p), or hydrogen detonation (u') have been taken from the PRA.

l 6-22 l

l l u

Failure modes which have large uncertainty, in BNL's judgment, were given ,

a 50/50 probability at branch points. These failure modes include containment leakage (6), drywell (y) failure, wetwell failure (y') without loss M sup-pression pool and wetwell failure with loss of suppression pool (y"), and finally, given containment leakage, whether the leak is large (6d or not large (6). The effects of the uncertainty in the branch point probabilities are in-dicated by the analysis in Section 6.2.2.5.

The use of SGTS, given a large containment leak, has been precluded be-cause the leakage flow rate from the containment exceeds the capacity of the SGTS. The reasoning is consistent with RSS methodology.

6.2.2.4.2 Classes II and IV Containment Trees Entry to the tree is due to loss of containment heat removal . The con-tainment leakage (6), drywell (y) or wetwell (y') failure, and suppression pool failure (y") probabilities were chosen as described for the Classes I and III tree. The in-vessel steam explosion probably has been increased from the LGS-PRA valve of 10-3 to 10-2. The value of 10-2 was calculated by as-suming a 10-1 probability of a steam explosion and a 10-1 probability of failing the reactor vessel . Failure of the the containment is not required as a result of an in-vessel steam explosion since the containment has already failed from overpressurization. The ex-vessel steam explosion probability is set at 10-1 using the same reasoning and reorganizing that RPV failure has already occurred at this stage. Hydrogen burn (p) and hydrogen detonation (p') probabilities have been taken from the PRA since these valves were, in our opinion, conservative.

6.2.2.4.3 BNL Containment Event Tree Results On the far right side of each containment event tree (Figures 6.6 through 6.8) is the release category in which each sequence has been placed. The re-sulting conditional probabilities for each release category, by class of gen-eric accident sequences, are given in Table 6.11. Note that the conditional probabilities per accident class do not sum to unity. The balance of the probabilities were assumed to have insignif Mant impact on risk.

6-23

NO SAPIO NO 4 b0 ut 80 mg 30 40 #APS I CON E SUALITAT!vt CORE lli SWERPRE130F1 GET0mATEe ,8I CasTAedsfui $UPPtE1888 C0eTammEST B0 8873 g,g,,,gg3 g SEOMtCE PROSASLITY CHAGACTiti$TC$ BELIASE MLT 8 200CES Te rtivtei OWIRPMSSUM paggy P00L f Astusi LIAA i31 FAstuall4g g yggggg ,,gg Of tf5 af C0eTAtmiti CATEste?

C0eTammEuf fatutt DVERPSE18UM IAEUM (wErgEul (WETWELLI lLA#GE] ,

IAKUM m0M CN a y y p* g y o y fy y .e j, zjg ,

N 00 - ~

05lcevettu , Syr evEePMisus' OPML gg seveELL 8.5 OfikPMS3URE v, 0 1235 OPtEL SS(WETWELLI I WITWELL I8I y" 0 1236 $UPPM554e P0m GreEL fAEBRE A I I $5ALL LE AA

$5 I & 0 0247 SmALL LE44 gpagt SS gggg gggggg

$ 0 247 LAAGE LEAA OPML At g 33

, SWR OWERPSES$URE OP#EL I

Ch e is 101 .

gg, affasTAeE0us gggg N ItosmisonAu Ortseafssunt 8 83 g g, EDEACETC

, OARE MEtP9E5500E 083 , gg, EeEACETE ggg avEePeE5 suet ill CONTAestai f ALLURE MAT BAWE SCCU4MO Peet il CSAE MLT. th

> TNOSE CASES ICLASS 3 And CLASS ltVt TWE CONTASMEST f Aguet MODES ARE DELT U5ES A3 NECNAtl588 Fee MLE AEE FGACTNE MTEameAfl0IL

12) AS5uuES TNAT 4 EXPL85108 m CONTAestaf CAWE5 0vte*eE0000E '

FAILUM WITN amECT PATNWAT 16 001580E ATE 10SPWEM.

13l LEAA ACE AT 24N VOLUut PE ACEST/Of f.

l4l f AlltiRE ST Aste? 048 TM4TEEST STlTEs.

Figure 6.6 BNL-Suggested Containment Event Tree for Classes I and III Event Sequences.

LSSS W CIEsf 9 M f AILUM SUPPRE8888 gigm STEM " SEWEsti gy CM VERT ens. W WETWEE1 reat mTKT DPLS888 8W88 EIPLO880s PMS$Utf 6 y'/ y y"/ y a # #_ #'

fry 22 5 GPREL gg , Twy , M GPGEL

'8' r.y.,- mer ==

ic i rey-p apers 0:sE is , ,, ,,,

r.y- .iin wat

> TDy' , Ni 0F31L g,

T ru 38 '

r.y .,- ami ==

m 18 '

,y a sini um io n ,,y min my- .iin ==L to i I18 ' m y .y. mai ==

es is i ,,,, .

is ' ,,,,, min e5 3 ,a 3 I= =*

me Figure 6.7 BNL-Suggested Containment Event Tree for Class II Event Sequences.

\

/

N LEM 9mMG LOSS OF CIEET TO PSE- M f AE8N NPPENW E8 Gr N ELI8E Cut I WeiOUES. m WETWELL PteL WiaCT ,,I g NTORATies W Cf3 CATEMBf Pus ==

6 y'ly y"ly a p u e' wy mi c.y to ' "" " **7 to ' % ,. ,,, ,,,,

> I*'

m y-p asas ess 10 '

wV me cay' is ' "V* " V cn 10 '_

,j,,, ,,,, ,,,,

N 10 ' wf-p mere uns it ' _ ,f., ,, ,,

3 my" am c.y"

'O ' s "T~~# " "'7" i is i m y".y> Non ==

N tvy"-$ N414 NN 10 '

wy", men esas 0.

Two ains sere usII Figure 6.8 BNL-Suggested Containment Event Tree for Class IV Event Sequences.

Table 6.11 Release Category Conditional Probabilities for BNL Suggested Containment Event Trees.

Class OPREL OXRE C4Y C4Y' C4 Y" I 0.7747 .003 0 O O II 0.4451 .0549 0 0 0 III 0.7747 .003 0 0 0 IV 0 .1098 .445 .2226 .2226 6.2.2.5 Containment Tree Uncertainties This section attempts to establish an upper and lower bound associated with containment tree split fraction uncertainties. Two cases are considered, one in which the most pessimistic values are used and one in which the most optimistic values are used. The cases are based on the BNL Containment Trees of Section 6.2.2.4.

6.2.2.5.1 Optimistic Cases a) Classes I and III - ex-vessel (8) and in-vessel (a) steam explosion and hydrogen burn (p) and detonation (p') split fractions from the PRA are used. Only 10% of containment failures are due to overpressure. Of these overpressure failures, only 10% are in the wetwell (y') with 90% in the drywell (Y). Of the 10% wetwell failure, only 10% of those result in loss of the suppression pool (y"). Fina'ily,100% of the containment leakage (6) is filtered by the SGTS.

b) Class II - equivalent values ". om Classes I and III described above were used.

I c) Class IV - similar to Class II but with no leakage assumed because of the rapid pressurization in the containment during ATW3 with successful injection.

l This optimistic analysis resulted in conditional probabilities for each of the release categories by class of generic accident sequence as shown in Table 6.12.

I 6-27 l x . ,

Table 6.12 Optimistic Release Category Conditional Probabilities.

Class OPREL 0XRE C4Y C4Y' C4 Y' I 0.108 .003 0 0 0 II 0.01 .003 0 0 0 III 0.108 .003 0 0 0 IV 0 .003 0.897 0.09 .01 1

6.2.2.5.2 Pessimistic Cases a) Classes I and III - ex-vessel (S) and in-vessel (a) staam explosions and hydrogen burn (p) and detonation (p') used the split fractions from Section 6.2.2.4 of this report. Ninety percent of containment failures were due to overpressure. Of these overpressure failures, 90% are in the wetwell (y') with the ren.aining 10% in the drywell (y). Of the wetwell failures, 90% are assumed to cause loss of the suppression pool (Y"). No filtering of the containment leakage by the SGTS was assumed.

b) Classes II and IV - equivalent values from Classes I and III as described above were used.

This pessimistic analysis resulted in conditional probabilities for each of the calease categories by class of generic accident sequence as shown in Table 6.13.

l l

Table 6.13 Pessimistic Release Category Conditional Probabilities.

l Class OPREL OXRE C4y C4y' C4Y" I 0.997 0.003 0 0 0 II 0.801 0.099 0 0 0 III 0.997 0.003 0 0 0 IV 0 0.110 .089 .080 .721 6-28

~ n

The pessimistic and optimistic containment failure mode probabilities are coupled with the core-damage frequency of each of the four generic accident sequence classes to obtain the probability of each release category (Table 6.14). Note that the core-damage frequencies used here are those of the LGS PRA and not the values obtained by BNL in Section 5.

Table 6.14 Containment Event Tree Results for Optimistic and Pessimistic Conditional Probabilities.

Release Probability Used BNL-Suggested Optimistic Pessimistic Category in PRA Results Case Case 0XRE 4.35x10-8 1.06x10-7 4.35x10-8 3.12x10-6 OPREL 6.98x10-6 1.06x10-5 1.42x10-6 1.38x10-5 C4Y 6.4x10-8 5.79x10-8 1.17x10-7 1.16x10-8 C4Y' 5.6x10-8 2.69x10-8 1.17x10-8 1.04x10 -8 C4Y" 6.3x10-9 2.89x10-8 1.3x10"9 9.37x10 -8 4

4 Using the PRA values for normalized mean acute and latent fatalities and for the core damage frequency,- the ranges of risk shown in Table 6.15 were obtained.

Table 6.15 Comparison of Limerick PRA and BNL Risk Measures Based on Limerick PRA Core Damage Frequency and Consequence Model.

( PRA BNL-Suggested i Results Optimistic Results' Pessimistic Uncertainty

Mean 2.35x10-6 2.4x10-6 4,gxig-6 7.7x10-5 -51%, +1,470%

Acute Fatalities Mean 1.04x10-2 2.9x10-3 1.63x10-2 1.98x10 82%, +21%

Latent Fatalities 6-29 l

The BNL optimistic results for mean acute fatalities are greater than the LGS PRA results because BNL included the contribution to risk from containment leakage with failure of the SGTS. The PRA did not include these sequences (see Table 6.3) .

6.2.3 Appropriateness of Release Categories As shown in Table 6.2, 51.3% of the core melt sequences are placed in a category which was assumed to have,no impact on risk. These sequences include the following:

1 a) Classes I, II, and III containment overpressure failures, which have the suppression pool drained because of containment failure in the wetwell . These sequences are approximately 2.5% of the total core melt probability. This was reported to be ignored because of low probability. This is felt to be incorrect for the following reason.

Class IV sequences with the same failure mode are 0.04% of the total core melt probability but are 20% of the total contribution to acute fatalities. This cannot be accepted without further justification as to why these failure modes do not contrioute to risk.

b) Classes I through IV sequences with excessive containment leakage (wh}ch prevents a gross failure) and failure of the SGTS. These se-quences are approximately 7.7% of the total core melt probability.

c) Classes I through IV sequences with excessive containment leakage (which prevents gross failure) in which the SGTS functions properly.

l These sequences are approximately 43.9% of the total core melt probability.

Both b) and c) above have been evaluated by assuming that there is no ex-cessive containment leakage; thus all containment failures are due to gross overpressure in the drywell or wetwell, or to failure of the suppression pool.

In Section 6.2.2, we have shown that lumping these sequences into the OPREL release category would increase the risk of latent fatalities by a factor of s ?. .

The grouping of the releases into the six assumed in the PRA is felt to result in loss of important detail, which would have been retained if more l CRAC runs had been used.

i l

6-30 l

~ .

6.3 Comparison with RSS Comparison of the Limerick PRA binning with that used in RSS is difficult since the specific methods used in each case were different. Some differences are sumarized below; a) The in-vessel steam explosion release fractions used in the Limerick PRA decreased the tellurium fraction from 0.7 to 0.5 and the lantha-num fraction from .005 to .003. This reduction would have the effect of reducing fatalities in the 0XRE release category. However, the Limerick PRA also assigned these fractions to other core melt se-quences (i .e., ex-vessel steam explosion and hydrogen detonation con-tainment failures); this assignment is conservative and thus tends to counter the effect of the above release fraction reductions.

b) The RSS did not account for the possibility of containment failures due to hydrogen burns or detonations in the BWR analysis because the containment was inerted. The Limerick containment will also be in-erted; however, in the Limerick PRA the period of time during which the containment is not inerted (startup and shutdown) was also con-sidered. It was assumed that given a core melt during this period of time, failure would occur via H2 detonation. This is a conserva-tive approach.

c) As discussed in Section 6.1, the PRA did not utilize the technique of smoothing to account for the fact that a given accident sequence

- will in reality have a spectrum of releases and hence a distribution of release fractions for each isotope. The following table shows the effect on risk (using the initial assumptions and methods of the PRA) due to smoothing between release categories within a single generic accident sequence class for all four of the classes used in the PRA.

It was felt that the details gained by using many event trees re-sulted in correctly defining which class an accident sequence be-longed in. However, the uncertainty in the containment failure mode probability was large enough to consider smoothing of the probabili-ties of a sequence in the varicus release categories. The results are summarized below:

6-31

Mean Mean Acute Fatalities Latent Fatalities Not smoothed 2.35 x 10-6 1.04 x 10-2 Smoothed 1.3 x 10-5 3.39 x 10-2

% Increase +453% + 225%

Thus smoothing, when applied to the Limerick PRA release categories, increases the acute fatalities by a factor of 5.5 and latent fatali-ties by a factor of 3.25.

d) The Limerick PRA used a probability of steam explosion of 10-3 for both in-vessel and ex-vessel steam explosions. The RSS used a proba-bility of 10-2 for both types. The BNL revision described in Sec-tion 6.2.2 used a probability of 10-2 for an in-vessel steam explo-sion and 10-1 for an ex-vessel steam explosion. This was based on the following:

1) The probability of a steam explosion is 10-1

2) The probability that the vessel fails is 10-1, given that a steam explosion has occurred.

e) The Limerick PRA assumed that 10% of the core material was involved j in a steam explosion for all core melt sequences. This tends to slightly reduce the iodine and tellurium release fractions and in-i j creases the ruthenium release fraction. This assumption, which has no counterpart in RSS, is discussed further in section 7.

f) One of the assumptions used in the LGS-PRA (and the BNL analysis) which is consistent with the RSS is that the low pressure injection could continue until the containment failed (155 psia at LGS) for Class II loss-of-decay-heat-removal sequences. This is a conserva-tive approach since in reality the ADS valves and the MSRVs could not be held open with nitrogen pressure because of the increased contain-ment pressure. As described in Section 6.2.1, this effectively fails I

the LP ECCS and results in core melt into an intact containment in-stead of a failed containment. Thus, if this conservatism is re-moved, the use of one containment tree for Classes I, II, and III 6-32

is acceptable. This would change the BNL-suggested results in Table 6.15 to those values shown in Table 6.16.

Table 6.16 Comparison of Limerick PRA and BNL Risk Measures Assuming Core Melt into an Intact Containment for Class II Sequences.

BNL-Suggested Results from Revised PRA Results Table 6.15 Suggested Mean 2.35x10-6 4.9x10-6 4.2x10 -6 Acute Fatalities Mean 1.04x10-2 1.63x10-2 1.62x10 -2 Latent Fatalities Thus, the actual approach used by BNL would tend to overestimate acute fatalities by $17% and latent fatalities by s1% because of the increased probability assigned to the 0XRE release category.

6.4 Summary We reviewed the accident sequence classification used in the Limerick PRA and initially concluded that it may not be appropriate to place LOCAs into release categories representative of transients. Section 7.3.1 assesses the impact that reallocating LOCAs into separate release categories would havc on risk.

The containment event trees used in the Limerick PRA were reviewed in detail. In particular, three of our major concerns, namely, event tree logic, containment leakage, and loss of suppression pool, were quantitatively assessed. The following conclusions can be drawn from our calculations.

a) Increasing the in-vessel steam explosion probability from 10-3 to 10-2, and the ex-vessel steam explosion probability from 10-3 to 10-1, to account for an already failed contaiment has an effect of increasing acute fatalities by a factor of $1.5 and latent fatalities 6-33

l by a factor of S1.1. It was assumed that the probabil .i' of a steam explosion is 10-1 and the probability of reactor vessel failure given a steam explosion is 10-1 These are the RSS assumptions.

b) Setting the leakage probability of the containment to zero in order to force each containment failure to be due to gross overpressure (given that steam explosions or hydrogen detonations or burns have l

not already failed it) has no effect on mean acute fatalities since I

the PRA shows no mean acute fatalities in the release category OPREL.

i j It does, however, increase the risk of mean latent fatalities by a l factor of N2. This gives one a measure for the efficacy of the SGTS.

c) Setting the branch point split fraction for loss of the suppression pool (given a containment failure in the wetwell) to 0.9 (the PRA used 0.1) increases the risk of mean acute fatalities by a factor of s2.5 and mean latent fatalities by a factor of $1.1. The impact on acute fatalities is due to the increase in the C Y" 4 release Cate-gory probability.

l 6-34

r

, 7. CORE MELTDOWN MODELING AND CONTAINMENT FAILURE MODES In this section we review the core meltdown modeling and the detemination

, of fission product source tems in the Limerick PRA. In the preceding section it was noted that for each generic accident class, a " typical" accident was selected to represent the class. This accident was then analyzed to determine j potential containment failure modes. Once these failure modes were estab-lished, appropriate fission product releases were calculated. These releases were in turn translated into consequences. It is the first two stages of this three-stage process that are reviewed in detail in this section.

i An in-depth review of the consequence (site) model used in the Limerick PRA is outside the scope of our review. The detemination of consequences in this section is for the purpose of assigning a measure of importance (in tems of risk to the public) to the various accident sequences and containment fail-ure modes. This measure is a useful way of ranking the relative importance of our concerns regarding the core meltdown modeling and fission product release fractions used in the Limerick PRA. The consequence model used in the PRA is based on the RSS model, but with changes to reflect population and meteorology appropriate to the Limerick site.

j During an NRC review of our draft report, it was noted that site specific j evacuation models are now available. If the site specific evacuation model is applied to the Limerick site, it calculates higher acute fatalities than if the RSS model is used. Although a detailed review of the siting model is out-side the scope of our review, we consider uncertainties associated with the evacuation model to be of such importance that we include an assessment of how the evacuation model can affect risk in Section 8. However, in this section,

we use only the RSS consequence model and the accident sequence frequencies

! consistent with the PRA. In this way, we are restricting our assessment (in this section) to the appropriateness of the Limerick PRA core meltdown mod-l eling and fission product source tems. ,

, In Section 7.1 we describe the calculations performed in the Limerick l PRA. This description is necessary because the discussion in Revision 4 of the PRA does not clearly describe how the consequence analysis was actually l performed. It is essential that each stage of the analysis be carefully documented so that differences between the PRA and BNL calculations are 7-1

clearly identified. In Section 7.2 independent audit calculations are de-scribed and compared with the analysis performed for the Limerick PRA. In Section 7.3 an attempt is made to quantify uncertainties in the analysis and how they affect risk. Finally, in Section 7.4, differences between the BNL analysis and the analysis in the Limerick PRA are summarized.

7.1 Description of the Limerick PRA Analysis In Section 3.5 of the Limerick PRA the accident sequences were quantified and dominant contributors identified. In particular, in Section 3.5.4 of the PRA, the containment event trees were quantified. This quantification relied i heavily on a description of core meltdown phenomena given in Appendix H of the PR% and on an analysis of the BWR Mark II containment capability given in Ap-pendix I of the PRA.

The radioactive release fractions associated with the failure modes iden-tified for the dominant accident sequences were discussed in Section 3.6 of the PRA. These release fractions were detennined from the coupled calcula-tions of the INCOR (Appendix C of the PRA) and CORRAL (1)(Appendix D of the PRA)computercodes. The INCOR code predicts the degradation of the reactor core and its eventual release from the reactor vessel onto the diaphragm floor. The code also calculates the thennodynamic conditions in the contain-ment building during core degradation, as well as the release of the contain-ment atmosphere to the environment after the containment is predicted to fail.

The CORRAL code uses the INCOR predictions and calculates the concentration of the fission products in the various compartments as a function of time. The final results from CORRAL are predictions of the releases from containment of the fission product species. Section 3.7 of the PRA describes how the output from the CORRAL code is used to calculate the consequences associated with the release of the fission product species. TheCRAC(2)computercode(referto Appendix E of the PRA) was used to calculate the offsite consequences.

In the following sections, the above three-stage computational procedure is described in detail. In Section 7.1.1, the determination of the contain-ment building response using the INCOR code is discussed. The use of the CORRAL code to calculate the magnitude of the fission product releases is de-scribed in Section 7.1.2. Finally, in Section 7.1.3, the consequence analysis using the CRAC code is examined.

7-2

7.1.1 Containment Response INCOR is a system of codes developed to predict the response of reactor containment buildings to a spectrum of postulated core meltdown accidents.

The main elements of the INCOR system are shown schematically in Figure 7.1.

The various elements used in the INCOR system are described in detail in Ap-pendix C of the PRA. Briefly, the 80lL(3) code calculates water boil-otf, core uncovery, and core meltdown within the reactor pressure vessel . The PVMELT program predicts the melt-through of the pressure vessel by the core l

debris. The interactions of the core debris with concrete after vessel fail-ure are determined by the INTER (4) code. Each of these computer codes is called sequentially as the core meltdown proceeds. They, in turn, provide H2 0, H 2, CO, and C02 (C0 and CO2 only from INTER) source terms to the containment response model, CONTEMPT-LT.(5) The CONTEMPT-LT code is a long-running version of the CONTEMPT (6) code.

BNL was not provided with a copy of INCOR and thus a review of the code was not possible. However, BNL does have the MARCH (7) code, which is simi-lar to INCOR. In Table 7.1, the MARCH and INCOR codes are compared. A num-ber of the major subcodes (BOIL and INTER) are identical in the two systems.

The melt-through of a pressure vessel by the core debris is modeled in HEAD in the MARCH code and in PVMELT in the INCOR code. ~ The MACE subroutine in MARCH predicts the containment response, whereas in INCOR the CONTEMPT-LT code is used. Basically, both systems have similar modeling capabilities with the exception of the HOTDROP model in MARCH. This subroutine models the interac-tion of core debris exiting the reactor vessel with water. The model predicts rapid energy exchange between the core debris and water. This results in rapid steam generation with attendant rapid pressurization of the containment.

The INCOR system does not have an equivalent model (refer to Table 7.1). The BNL audit calculations were done using the MARCH code and differences between MARCH and INCOR predictions are discussed in Section 7.2.1 The INCOR code was used to calculate the conditions in the containment building and the timing of key events during core meltdown for the four gene-ric accident classes. A description of the sequences analyzed and the results of the INCOR calculations were presented in Appendix C of the PRA. The con-ditions in the containment building for the four classes are summarized in 7-3 l

B0IL PVMELT INTER CORE UNC0VERY AND PRESSURE VESSEL CORE-CONCRETE

' MELTDOWN MELT THROUGH INTERACTION FRSS AND ENERGY FLOWS u

\

CONTEMPT-LT HEAT TRANSFER AND ATMOSPHERE EXCHANGE l

u CONTAINMENT CONDITIONS (REACTOR VESSEL, DRYWELL, WETWELL, MISC. COMPARTMENTS)

Figure 7.1 Diagrammatic Representation of INCOR Organization.

(Reproduced from the Limerick PRA).

74

Table 7.1 Comparison of IN00R and MARCH Computer Codes.

Modeled in Subroutine Phenomena INCOR MARCH Rapid primary system depressurization -

INITIAL i

i t

Slower primary system depressurization, COIL B0ll core uncovery, and meltdowr,

, Pressure vessel melt-through PVMELT HEAD Core debris / water interactions -

HOTDROP in cavity Core debris / concrete interactions INTER INTER Containment response characteristics CONTEMPT-LT MACE i

l 7-5

Table 7.2. The timing of key events during core meltdown are summarized in Table 7.3. Detailed pressure / temperature histories were also provided in Appendix C of the PRA. These are used in Section 7.2.1 as a comparison against the BNL audit calculations. In the following sections the INCOR analyses for the four generic accident classes are discussed.

7.1.1.1 Class I This accident class comprises sequences with loss of coolant makeup to the reactor vessel . Following accident initiation, the reactor successfully scrams, ECCS is lost, feedwater to the reactor pressure vessel (RPV) is lost, and the MSIVs are closed. Boil-off of the primary system water occurs at the setpoint of the relief valves. An alternative scenario was also considered which results in depressurization of the primary system prior to reactor ves-sel n'elt-through. After the core is predicted to melt, most of the molten core is predicted to be released from the ruptured RPV. The analysis in Ap-pendix H of the PRA considered both high and low pressure discharge of the core debris from the vessel . The Appendix H analysis indicated that the dis-persal forces associated with a hig5 pressure discharge would influence the movement of only a small fraction of the core debris exiting the vessel. It was further concluded that most of the' molten core debris would distribute it-self on the diaphragm floor and the principle mechanism for the distribution would be spreading due to the gravitational head.

The calculations indicated that the molten core materials would spread across the entire diaphragm floor in 1 to 2 minutes. Calculations were also performed to show that the molten core woul<i melt through equipment and floor drain covers in the diaphragm floor within about 6 minutes. Consequently, it was concluded:

"that melt-through of the annular plate forming the diaphragm seal is a longer time than that required for discharge of the core mat-erial and distribution of this material around the drywell floor.

Consequently, since the material is distributed in this time frame, and has begun to solidify as a result of conduction into the concrete and radiation to upper structures in the drywell, the amount of mat-erial available for flowing through these melt-through locations is quite limited and thus the amount of material being transported into the wetwell region is itself quite limited."

7-6

Tablo 7.2 Sumary cf Containment Conditicns for the Dominant Accident S qu:nces .

SU ERATWtt 45 g T '3;V Loss of a25 11 PS! Yes subcooled 5A!

I ory t i

Ig TV Containment 6.1 140751 1 4 , 7 ho Saturation l 5A!

!ne'$r psi l !

ATWS C L' 30t 25-f,5 PSI fes Saturation 5A! .

Ill 2 M'#g j Inventory gy ATW5-C I 5 30s 140P51 14,7 No Saturation MRC/Battelle 2 l Increase osi i Table 7.3 Summary of Containment Events Developed from the INCOR Analysis for the Radionuclide Release Fraction Calculations.

CLASS CONTAINMENT DIAPHRAGM FLOOR CONTAINMENT FAILURE TI!!E FAILURE TIME FAILURE TIME CALCULATED BY INCOR CALCULATED BY USED IN ANALYSIS

INCOR TQUV 6 hr (small radius) 6 hr (small radius)

(Cl) 6.5 hr(large radius) 6.5 hr(large radius) 6.5 hr T14 30 hr 43.3 hr Failure prior to (C2) core melt ATWS 6 hr (small radius) 6 hr (small radius)

(C3) 6.5 hr(large radius) 6.5 hr(small radius) 6.5 hr ATWS (C4) 40 min 6.5-7 hr Failure prior to core melt

INCOR analyzed two cases for the Class 1 and Class 3 sequences. Small-radius class denotes the molten core staying inside the pedestal region, while the large-radius indicates the molten core flows through the doorway and covers. the entire diaphragm floor. However, for the release fraction calculations,only the large-radius case is analyzed.

7-7 .

I

The Appendix H calculations were used to support the INCOR calculations in which the core debris was assumed to be spread across the diaphragm floor.

Because of uncertainty associated with how far the core debris would spread, two calculations were performed; the first assumed the core debris to interact with the concrete only inside the pedestal wall, and the second assumed inter-action with the entire diaphragm floor. The retention of the core debris on the diaphragm floor (as opposed to it failing penetrations and being released rapidly into the suppression pool) was based on the discussion in Appendix H of the PRA. The results of the above scenario are sumarized in Tables 7.2 and 7.3. The core is calculated to begin melting s1.3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months after reactor scram, and the RPV fails at around 4.3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months . INCOR predicts that 70 cm of the diaphragm floor will be penetrated between 6 to 6.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months after reactor scram, depending on how far the core debris spreads across the floor. The floor is assumed to fail at this point together with the containment building.

Note that at no time is the suppression pool calculated to be saturated.

The BNL audit calculations were perfonned relative to the above accident scenario. A comparison of the te sets of calculations is presented in Sec-tion 7.2.1.1. This accident scenario assumes that the core debris is distrib-uted on the diaphragm floor. However, in an NRC request (8) for information dated July 29, 1982, an alternative scenario was suggested. In particular, question PRA H.08(8) asked how much the Limerick PRA conclusions would change if the diaphragm floor gave way or the floor and equipment drains failed early such that a larger fraction of the core debris reaches the sup-pression pool shortly after vessel failure. The concern was that ex-vessel steam explosions, damage to the pedestal, or steam spikes could fail contain-ment shortly after vessel failure.

PECo and their consultants responded to question PRA H.08 at a meeting held in Bethesda on September 3,1982. The formal response is contained in Revision 5 to the PRA. Basically, PECo considers that the original PRA as-sumption, in which the core debris was assumed to be retained on the dia- i phragm floor, is conservative (in this context, conservative means predicting an early containment failure). If most of the molten core materials pass through the " melt-through locations" and fall into the suppression pool, there will be vigorous interaction of the core debris with water but not enough 7-8

mixing to generate a significant steam explosion. Steaming rates will be high but can be condensed by heat structures and the suppression pool water. This would also result in rapid quenching of the core debris in the suppression pool without significant pressurization of the containment building. The core debris will be fragmented into particles that vill allow a coolable debris bed to form. All of the suppression pool water must then be heated to saturation before further pressurization of the contaiment can occur. After the pool is saturated, the water will boil-off at a rate corresponding to the decay heat.

Pressurization of contaiment will occu,r on a very long time scale and the failure pressure of the building may never be reached.

If significant quantities of core debris pass through the diaphragm floor shortly after vessel failure, the subsequent debris / water interactions could have potentially important implications. If the interactions result in con-taiment failure, the fission product releases could be higher than calculated for the 6- to 6.5-hour failure time assumed in the PRA. However, if the con-tainment is not failed during the initial debris / water interactions and fails on a very long time scale (or never fails), the fission product releases will be significantly lower tnan those calculated in the PRA. Because of the un-certainty associated with ex-vessel core debris behavior, we consider now both of the above extremes affect risk in Section 7.3.4 of this report.

7.1.1.2 Class II This accident class describes sequences with loss of contaiment heat re-moval. If decay heat cannot be removed from the' containment building, it is calculated to fail in approximately 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months . At containment failure, ECCS coolant injection is conservatively assumed lost as in the RSS, and the se-quences proceed to core meltdown. Note that the suppression pool is calcula-ted to be saturated and that core meltdown occurs in a failed containment. In the original INCOR calculations reported in the PRA, the molten core from the ruptured RPV is again assumed to drop onto the diaphragm floor and to interact I

with the entire surface area of the floor.

7.1.1.3 C1 ass III This accident class assumes an ATWS with loss of coolant injection prior to containment failure. The MSIVs are assumed closed and feedwater to the RPV is lost. The INCOR code was modified to maintain that part of the core which 7-9

i is covered at 30% power while allowing the uncovered portion of the core to follow the decay power. The core melt occurs because of loss of coolant in-ventory and prior to containment failure. Also, the suppression pool is sat-urated prior to core melt. RHR operation has a negligible effect on the time to saturation of the suppression pool. The original PRA calculations again assume that the core drops onto the diaphragm floor and interacts with the concrete. Results for the above scenario are summarized in Tables 7.2 and 7.3. INCOR calculates the start of core melting at *0.9 hours1.041667e-4 days 0.0025 hours 1.488095e-5 weeks 3.4245e-6 months after accident initiation. The vessel fails at 4.3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months and containment fails at between 6 to 6.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months depending on how far the core materials spread across the dia-phragm floor. The BNL audit calculations are based on the above scenario, and a comparison of the calculations is given in Section 7.2.1.3.

The alternative scenario proposed in NRC question PRA H.08(8) (and de-scribed in Section 7.1.1.1) would be expected to significantly influence the consequences reported in the PRA for this class. An early release of the mol-ten core materials into a saturated suppression pool would be expected to pro-duce vigorous steaming rates. If the pool is saturated, the potential for condensing the steam is much less than for Class I sequences. Consequently, significant steam pressurization of the containment could occur during core debris / water interactions shortly after vessel failure for Class III sequen-ces.

7.1.1.4 Class IV The final accident class assumes an ATWS with successful coolant injection but without adequate containment heat removal, which leads to containment overpressurization failure prior to core melt. The results of the analysis are summarized in Tables 7.2 and 7.3. This scenario leads to rapid contain-ment pressurization and failure at approximately 40 minutes. At containment failure, injection fails and core melting starts at s1.2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months . The RPV fails at approximately 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . The BNL audit calculations in Section 7.2.1.4 are compared with the above scenario.

7.1.2 Release Categories The release of the fission product species from the reactor containment building to the environment was calculated in the Limerick PRA either by the SAI-REACT MARK II model or by the CORRAL code. The CORRAL code was used in 7-10

the RSS and the code is operational at BNL. The SAI-REACT MARK II model was not made available to BNL and thus a detailed review of the model was not pos-sible. However, it is stated in the PRA, that the REACT calculations were used only* as a comparison against the CORRAL calculations. The BNL audit calculations (refer to Section 7.2.2.) were performed using the CORRAL code.

The radionuclide release fractions are determined for each of the con-tainment failure modes from the coupled calculations of INCOR and CORRAL and from the assumptions considered in the RSS. In Section 6 of this report, it was noted that seven containment failure modes were identified together with four generic accident classes. This leads to potentially twenty-eight separ-ate possible release categories. The probabilities associated with each of the containment failures (as reported in the Limerick PRA) are given in Table 6.2. Taole 7.4 summarizes how release fractions for each of the 28 contain-ment failure modes were obtained, either by calculation, extrapolation or di-rectly from RSS. Table 7.5 gives the release fractions for the 28 failure modes. This table appears in Revision 5 of the Limerick PRA and was provided by PECo at the September 3 meeting. Table 7.5 is important and BNL audit cal-culations will be compared to the release fractions quoted in this table in Section 7.2.2 of this report.

Appendix D of the PRA described in detail the SAI-REACT MARK II and COR-RAL models. It is not necessary to report the description of these models here but, from necessity, some of the model assumptions will be discussed as part of our audit calculations. As a point of reference, four basic mech-anisms for release of radioactivity were considered in the Limerick PRA,

namely, GAP RELEASE - Occurs when the eladding ruptures and fission products are released to the reactor coolant system.

MELT RELEASE - Occurs when the fuel reaches its melting point, resulting in volatilization of fission products from the melting core.

Note that the REACT model was also used to estimate the slow leakage cases and the effect of the secondary containment.

7-11 i

Table 7.4 Release Term Calculations Requirements (a) in the Limerick PRA.

CONTA!hMENT FAILURE MDOES RADICACT!YE RELEASE FRACTIONS Designator Gescription Class I (C1) Class 11 (C2) Class !!! (C3) Class IV (C4) a Steam explosion in vessel Note f Note f Note f Note f 8 Steam explosion in containment Note f Note f Note f Note f p' H2 esplosion induced contairment failure Note e Note e Note e Note e p H2 deflagration sufficient to cause containment overpressure failure Note b Note b Note b Note g 4 Overpressuregmallleaks (Ag = 0.05 ft.) x x x Note h y Overpressure failure (AR = 2.0 ft2 )

Release through drywell X X X Mote 9 y' Overpressure failure (An = 2.0 ftI )

Release through wetwell break ' Note b Note b Note b Mote h y' Overpressure failure (AR = 2.0 ft2 )

Wetwell pool drained I 1 I Note h C

Overpressure (Ag = 0.2 ft $)large leak X X X Note h Cc Overpressure. large leak. SGT3 failure (Ag = 0.2 ft2) Note c Note c Note C Note c sc Overpressure, small leak. $GTS failure (Ag = 0.05 ft2) Note d Note d Note d Note d (4)g, .X".under the heading indicates that a calculation of release fraction must be made for the particular accident involving a BWR/4 with a Park !! contaltm'ent; all other cases can either be j extrapolated from the set of calculations or can be extracted directly from wA5H-1400.

(b)Can be extrapolated from y release by assuming a different decontsmination factor for t***e s s eo 6.e 5 The principal difference between y and y' is that the y' release occurs with much of j the release passing through the suppression pool. The y release occurs with much of the release occurring through the drywell.

ICI Can be extrapolated frem equivalent C case by not using decontamination factor for SGTS (affects only

( portion of release flow).

(d)Can be extrapolated frca equivalent 4 case by not using decontamination factor for SGTS (affect's a_11 l

of release flow).

I'I Will be assumed to be equivalent to a 8 failure and same release fraction will be used.

j III Release fractions will be extracted directly fra WASH-1400 since the pmomenological nature of the accident does not change.

I9I Release fractions similar to those developed by the NRC using March-Corral are used in the character 124 tion of Class IV radtoactive release fractions for y'.

(h) Extrapolated from the Class !. !!. !!! results.

7-12

Table 7.5 Radionuclide R21raso Parameters and Release Fractions fcr Dominant Accident Sequence Classes and Containment Failure Modes in the Limerick PRA.

b'tagtes CCNTA!WmT E CaacI "I ,,,,,, trat erU3 aunatice 1Mt toe Ettvattes tatas, le g,3 l gg,,*C% 1 f tg,y le g,3 SPg ,y Esg ,3 la,F twgf etttAst OF ofttA14 (VACUATICA 0F a(LEA $( R(LEA $t 3 .

emel,P stesteCf (nr) (ne) (nr) (feet) (14 I?J/Mr)

M S Steen C3.23 3.0 e.5 1.e e2 EM t.e s.ao 0.42 0.50 e 05 0.50 3. tele *I

, .e,s..is. e, n.e e.s s.e u sw i.e o.en e.se e.at e.n o.4e s' se-2 and c. s.e e.s 1.s e2 in s.. e.en e.ie e.se e.n e.se 4.o.tr8 geydroeen L 9elsene pote.etere used for 99t:

.e,ieese. c,.c,.c3 .c. [... .. s i.e a in i.e 0. ro 0.0s e. 30 - e.cor o.se i.e to-S i enn vo *eleee *ereset=* eed 'er *"nr erpeelt Cg IF.fr 1.0 ... et are i.e 0.11 0.00 0.o16 e.ote 1. omi n*3 3. 0=1d ]

3 eed este.11 C, 37.e 3.0 T.e 82 n.e 3.0 e.06 e.ct) - 4.4 . 3=to*3 0.069 4.7 ele ovestsees.te C3 7.e 2.. 4.0 83 12e 1.0 0.04 0.024 0.073 2.7 10*I 8.4mle*I ' t.1=10 fe&Iere v' is.iaise es3.c v.e i.e ... es ne i.. e.e e. ors e.iu ...etrI e.n. i.3.ie

-I bydeesee g C 3

37.e 3.0 7.4 83 3.0 pet setselete4. to: one11er thee Caf M Y Releese paresetere esed for (4f; pf fattese C4 l1.5 2.. L.e 42 3.e 1.0 0.261 0.102 4.8 34 0.029 0.095 5,311o l

pene a.

sett M t' telease serosetore esed fer C6# t 18eteelt Cg l 1.5 3.8 1.. 82 8.. 1.0 . e.of e.09 0.20 0.c14 e.eBe 6.imt N l

tion.

pense

s. nett th '" "v* estesse poseneters osed fee refs 3

less of Cg l 3.5 2.0 1.e e 3.0 1.0 0.73 0.70 e. 51 0.09 0.11 7.entf l

.e,,,u.see ps.1 pries te melt 5.? See v*

toe. .e e,.c3 v.e n.e . e ne .e. .et.eio a. =ene, im.a c=-

Peel Cg 37.0 3.0 7.0 e 3.e 1.0 0.n 0.37 e.$ o.e4 e.es 6.2stS *I teste. Q soufs e,.c3 v.e s .. ... en ne ..t.eteia, mi eeoine, i ee e ;ie, c2, C.

C2'#4 37.0 . 2. . 7o e3 8.e e.73 1.9310-2 ,, g ,g,-3 g, ,,,,-7 g,,,gg.) 3,3,g,.3 g,,, g, .4 teeke L l sten SCTS Cg.C3 7.. 3.. ..e e2 120 set setseleted, but so.11er thee t,4.C3.c4 C2.Cg 37.. T.e et e.73 2.Fe10*I d 4.6 ale* ' 1.6 ate *I -5 3.. t.e 9.4 e t e 3.3 at e S.sete (n) Smetades,3a Sa (s) testedes L . T.1s ft. Co. Pr. 54. 8 . Pe.

9 So. E=. Pts (b) 1.stedeo I (elementel). Se (h) The five seees see S. CRAC L) testedes ca. an (t) taso gre. mesdens satiussee u) Instedes te, se, st (j) seesttle been eene ret etene stee

(:) testedee see s.

(f) lestedee Se. Rh. pd. Me. Te I

i

(

7-13 s m

0XIDATION RELEASE - occurs when part of the molten core drops into the suppression pool, causing a steam explosion which disperses the hot core particles to the containment atmosphere.

VAPORIZATION RELEASE - occurs when the molten core drops into the dia-phragm floor and interacts with concrete, generating gases at the molten core / concrete interface.

These mechanisms are similar to those postulated in the RSS; however, the GAP release in the Limerick PRA was combined with the melt release for sim-plicity.

One important point that must be emphasized at this stage relates to the suppression pool decontamination factors (DFs) assumed in the PRA. Appendix D of the PRA indicates that the DFs shown in Table 7.6 were used in their anal-ysis. (Note that these DFs apply only to elemental iodine and the particu-lates. Organic iodine and noble gases are not subject to pool DFs).

2 Table 7.6 Pool Decontamination Factors Reported in the Limerick PRA.**

Meltdown Vessel Failure Conditions Release and Vaporization Containment failure at 100 10*

1 end of release Containment failure 10* 10" initiates release

Suppression pool considered saturated.

- Reproduced from Appendix D of the Limerick PRA.

Table 7.6 implies that a DF of 100 was used in the PRA if the pool was I

calculated to be subcooled and a DF of 10 if the pool was saturated. In addi-tion, it is stated in Appendix D that all non-iodine isotopes were treated the same as in the RSS, which took no credit for saturated pool scrubbing. This implies that the DF of 10 for the saturated pool applies only to iodine. This saturated pool scrubbing for iodine is a departure from the RSS analysis.

l l

7-14 l

- By comparing Tables 7.2 and 7.6, we attempted to determine the pool DFs used in the Limerick PRA for each of the accident sequences. Table 7.2 im-plies that for Classes II, III, and IV sequences the suppression pool would be saturated so that from Table 7.6 it would appear that all fission product species were subjected to a pool DF of 1, except for iodine, which would be subjected to a DF of 10. For Class 1 sequences, Table 7.2 implies that the suppression pool would be subcooled during the MELT release and saturated dur-ing the VAPORIZATION release. Consequently, from Table 7.6, all the fission product species released during the MELT release would be' subject to a pool DF of 100. However, all fission prodcct species released during the VAPORIZATION release would be subject to a pool DF of 1, except for iodine, which would be subjected to a pool DF of 10.

However, the above interpretation of the pool DFs used in the Limerick PRA is incorrect. At a meeting held in Bethesda on September 3,1982, we were informed that the information in Appendix D of the Limerick PRA is misleading.

The CORRAL model used for the PRA includes the primary system as distinct vol-ume. The model, therefore, predicts that some of the fission product species released during the MELT release would be retained in the primary system until after failure of the reactor vessel. For Class 1 sequences, fission products released after vessel failure are subjected to much lower pool DFs than those released prior to vessel failure. In our audit calculations (refer to Section 7.2.2), we attempt to model this primary system holdup. However, the CORRAL model in use at BNL does not model the primary system as a distinct volume.

Consequently, we had to estimate the holdup of fission products by comparison with MARCH predictions of H2 retention in the primary system.

1 An inconsistency regarding the pool DFs used in the Limerick PRA was l discovered only after our draft report was reviewed by PECo and their consul-l tants. Apparently (in spite of a very specific statement on page D-8 of the Limerick PRA to the contrary), the DF of 10 for a saturated pool was applied to all particulate fission product species (in addition to elemental iodine) in the CORRAL calculations performed for the Limerick PRA. Our audit calcu-l lations, in Saction 7.2.2, were based on Appendix D, which states that only j the iodine was subjected to a DF of 10 for a saturated pool . The saturated pool scrubbing of all fission product species is consequently not modeled in our audit calculations.

7-15 i

, e

7.1.3 Consequences Analysis The detennination of consequences due to the release of radioactive mat-erial into the environment was performed using the CRAC (calculations of reac-tor accident consequences) code. This code was developed for the Reactor Safety Study (RSS). The input to the calculation was based to a large extent on the model used in the RSS. Only site-specific data, such as weather and population distribution around the site, were altered to reflect the Limerick site. In addition, the leakage parameters were altered from those used in the RSS to reflect the accident scenarios peculiar to the Limerick plant. Weather data were collected for five years (1972-1976) and thus, for each release category considered, five CRAC calculations of the consequences were carried out. However, CRAC calculations were reported for only those sequences which either had a high probability of occurring, or were judged to have severe consequences.

Table 7.5 summarizes the release fractions used in the Limerick PRA for the 28 release categories. The release categories in Table 7.5 were ulti-mately reduced to five for the final CRAC analysis (a sixth category was as-sumed not to influence risk). The grouping is shown in Table 7.7. One can see that there is a one-to-one correspondence for three release categories, i .e. , Cl ass IV-Y, -Y' , and -Y" . However, release categories 0XRE and OPREL are a composite of various containment failure modes. Release category 0XRE l combines all the in-vessel and ex-vessel steam explosions and hydrogen detona-tion failure modes. Release category OPREL combines drywell and wetwell over-pressurization failures and H2 burn failures for Classes I, II, and III.

Note that over 50% of the total probability associated with the containment l

fcilure is allocated to a category that is assumed to have no influence on l risk. Overpressurization failure of the wetwell (assuming the suppression pool to drain) for Classes I, II, and III are allocated to this category.

Also, all leakage failures (small and large leaks with and without the SGTS for all classes) are allocated to this category. In Section 6 we reviewed the above binning used in the PRA and performed sensitivity studies to assess the appropriateness of the containment event trees.

l On the basis of the five release categories in Table 7.7, their corres-ponding releases (refer to Table 7.5), and the five sets of weather data, 25 CRAC calculations were carried out. In these calculations, unit probability 7-16

. m

Table 7.7 Release Categories Used in the Limerick PRA Consequence Analysis.

Release Containment Failure Percentage Categories Modes (from Table 7.4) Probability of Total C4Y Y,p - Class IV 6.4 (-8)* 0.44 C4Y' Y' - Class IV 5.6(-8) 0.38 C4Y" Y" - Class IV 6.3 (-9) 0.04 l

/ a - Class I, Class II, Class III, Class IV, 0XRE q su' - Class I, Class II, 4.35 (-8) 0.30 l

i

( Class III, Class IV. I l

/ y,p - Class I, Class II, OPREL /

Y' - Class I, Class II, 6.98(-6) 47.48 I

\

Class III i l

l l

Allocated to a 1

[ y" - Class I, Class II, 7.55 (-6) 51.36 category that Class III l is assumed not q i

to influence Ec,6c - All Classes risk

( E ,6 - All Classes TOTAL 1.47 (-5) 100

6.4 (-8) = 6.4 x 10-8, 7-17 y

l The results of these con-was assumed, i.e., that the accident had happened.

Table 7.8 shows sequence calculations are reproduced on Table 7.8 and 7.9.

the 25 means for acute f atalities and Table 7.9 shows the 25 mea The means for each category averaged over the five years are also fatalities.

A comparison of the two tables shows the greater

! given in Tables 7.8 and 7.9.

sensitivity of acute fatalities to variations in the weather data compared to latent f atalities.

In Tables 7.10 and 7.11, the normalized means areFrom multiplied by the this product probability for each release category given in the LGS PRA.

it is possible to estimate which release category is the primary contributor to risk. The values for mean latent fatalities obtained from GE in Tab were obtained by surmiing the fatalities over 50 years and then dividing by 30.

We consider that the total fatalities summed over 30 years should be used to Consequently, it is relative to the column in determine the latent effects.

Table 7.11, which sums the fatalities over 30 years, that we measure the im-pact of our changes to the Limerick core meltdown modeling and fission pr source terms.

From Table 7.11 it isAnclear that OPREL contributes 92% to the t inspection of Table 6.2 indicates that of latent fatalities in the PRA. Thus, over-Class I sequences contribuie to 86% of the probability of OPREL.

pressurization f ailure of tne drywell or wetwell for Class I sequences com-Table 7.10 shows prise the largest contributor (79%) to latent fatalities.

that release category OXRE is an important contributor to acute fatalities Class I also contributes 84% to the probability of OXRE and thus in the PRA.

35% to acute fatalities. The other dominant contributor (59%) to acute f atal-Recall that Class IV sequences comprise ATWS sequences ities is Class IV.

with successful coolant injection, which result in core melt into a failed containment.

7-18 e

4 4

i

, Table 7.E* Acute Fatalities.

(Normalized Means) ,

4 i

. Year Release Category 1972 1973 1974 1975 1976 Average C4Y 8.48 11.8 6.11 19.2 -9.51 11.02 C4Y' 2.32 5.11 1.63 5.66 3.06 3.556 C4Y" 53.7 85.4 85.6 100.5 53.7 75.78 0XRE 9.32 12.6 13.7 5.64 70.6 22.37 a

OPREL 0 0 0 0 0 0 1

Data provided by GE staff during a conference call on August 10, 1982.

i I

i l

i I

l l

l 7-19

& - -a=-,i L &

1 Table 7.9* Latent Fatalities.

(Normalized Means)

Year Release r

Category 1972 1973 1974 1975 1976 Average C4Y 115.0 133.0 133.0 136.0 122.0. 127.8 C4Y' 85.1 96.0 99.7 99.5 86.0 93.26 C4Y" 167.0 191.0 190.0 187.0 179.0 182.8 OXRE 306.0 345.0 332.0 367.0 310.0 332.0 OPREL 43.2 49.2 44.9 51.6 43.0 46.38 a

Data provided by GE staff during a conference call on August 10, 1982.

4 7-20

Table 7.10 Acute Fatalities.

(Total Risk)

, Normalized Release Probability Means Means by Percentage Category (from Table 7.7) (from Table 7.8) Category of Total,_

C4Y 6.4 (-8)* 11.02 0.705(-6) 29.9 C4Y' 5.6 (-8) 3.556 0.199 (-6) 8.5 C4Y" 6.3 (-9) 75.78 0.477 (-6) 20.3 0XRE 4.35 (-8) 22.37 0.973 (-6) 41.3 OPREL 6.98 (-6) - - -

TOTAL 2.35 (-6) 100

6.4 (-8) = 6.4 x 10-8, 1

i

'I 7-21 l

Table 7.11 Latent Fatalities.

(Total Risk)

Means by

. Nonnalized Category Release Probability Means Means by Summed Over Percentage Category (from Table 7.7) (from Table 7.9) Category 30 Years of Total C4Y 6.4 (-8)* 127.8 0.032 (-4) 0.25 (-3) 2.35 C4Y' 5.6(-8) 93.26 0.052 (-4) 0.16(-3) 1.49 C4Y" 6.3 (-9) 182.8 0.012 (-4) 0.04 (-3) 0.34 OXRE 4.35 (-8) 332.0 0.14 (-4) 0.42(-3) 4.02 OPREL 6.98 (-6) 46.38 3.196(-4) 9.59 (-3) 91.79 TOTAL 3.48 (-4) 1.04 (-2) 100.0

6.4 (-8) = 6.4 x 10-8,

7.2 Audit Calculations In this section we compare our containment failure mode and consequence analysis with the analysis reported in the Limerick PRA. In Section 7.1 of this report, the calculations performed in the Limerick PRA and the mathemati-cal models used were discussed. The section was subdivided into discussions related to the determination of the containment building response, release fractions, and consequences. The same format will be used in this section.

In Section 7.2.1, the response of the containment building to the four acci-dent classes is calculated using the MARCH (7) code. The fission product release fractions are determined using the CORRAL (1) code in Section 7.2.2.

Finally, the consequence analysis using the CRAC(2) code is described in Section 7.2.3.

7.2.1 MARCH Analysis Four typical sequences are used in the Limerick PRA, each represen-ting one of the four generic accident sequence classes; TQUX, TW, ATWS-III, ATWS-IV. The Limerick PRA analyzes the containment response for each of these sequences using the INCOR system of codes. INCOR was described in Sec-tion 7.1.1 of this report. It was also noted that BNL does not have INCOR so that it was necessary to use the MARCH code to perform our audit calculations.

MARCH and INCOR have similarities that were noted in Section 7.1.1.

The MARCH code also requires many of the same input parameters as the INCOR system of codes. However, there are a number of differences in the in-put parameters and we will highlight these differences for the individual se-quences discussed below. Wherever possible we have compared pressure and tem-perature time histories with those presented in the PRA. On occasions we pre-sent additional figures to highlight a. point in the discussion.

7.2.1.1 Class I l The Limerick PRA describes this Class as follows:

"The Class I (C1) events can be characterized as transients involving loss of coolant makeup to the reactor core. For the Lfmerick analy-I sis, these events are found to have the highest calculated frequency of occurrence. They involve successtul control rod insertion; l

l 7-23

' n m_ _- _ _ _ _ _ _ _ _ _ _ _

however, there is postulated to be a loss of both high pressure and low pressure injection. The physics model used in the consequence calcula-tion represents the sequence designated TQUV. The CONTEMPT calculation (see Section 3.6 and Appendix C of the PRA) for this sequence is then used to characterize the response for all of the sequences grouped together in Class I."

There is another family of sequences, TQUX, which has frequency of oc-currence comparable with the TQUV family. The difference between the two se-quences is the failure to manually depressurize the pressure vessel for TQUX compared to the failure of the low pressure coolant makeup system to function for TQUV. We have modeled both of these sequences.

Some of the more important input assumptions are indicated in Table 7.12.

In Table 7.13 the results of the BNL audit calculations are compared with the Limerick PRA results. Detailed pressure / temperature histories are compared for the two sets of calculations in Figures 7.2 to 7.5. The Limerick analy-i sis, although designated above as TQUV, was actually modeled as TQUX (reactor

pressure vessel remains at high pressure until vessel failure, see Figure 7.4). BNL results for both TQUX and TQUV sequences are included in Table 7.13.

The TQUX 1 case was based on input data to the INCOR code reported in Appendix C of the Limerick PRA. However, because of differences in the mod-eling of the two codes, briefly discussed in Section 7.1.1, there are signi-ficant differences in the timing of key events (Table 7.13) and the predicted containment presnre histories (Figure 7.2). These differences do not nec-essarily result in significantly different predictions of fission product release fractions. This is discussed in detail in Section 7.2.2.1 but is ba- '

sically because both codes predict similar times from vessel failure to con-tainment f ailure (refer to Table 7.13) . This time has an important influence on the concentration of airborne fission products at containment failure and hence the release fractions. However, the differences in the MARCH and INCOR predictions are significant and are discussed below.

l From an inspection of Table 7.13 and Figure 7.2 it is clear that a major difference between MARCH and INCOR is the time predicted for the core debris 7-24

_ m

Table 7.12 Highlights of MARCH Input Data for Class 1 Sequences.

1. Only 2 compartments modeled, wetwell and drywell .

2. No coolant injection.

! 3. No H2 burning or detonation.

4. 8 heat sinks used in MARCH instead of the 17 used in INCOR.

5. Heat transfer coefficient between steel and concrete = 2 or 100.*

6. Pool decontamination factor, DCF = 100,10, or 1.

7. Wetwell compartment volume is airspace only [VC(2)=155,000 ft].

8. Containment failure occurs when penetration of diaphragm floor 170 cm or containment pressure 1155 psia.*

9. Containment leakage taken as 1/2% volume / day.

10. Vessel depressurization occurs at 60 minutes for TQUV using five safety relief valves. For TQUX, no depressurization.*

11. Equivalent clad thickness includes zirconium from fuel channels.

12. Core slumps when 80% of core is melted.

13. HOTDROP subroutine made inactive by setting NCAV=0,* but IH0T=100.

! 14. INTER initial metal and oxide temperatures calculated by MARCH and considerably lower than those assumed in the Limerick PRA.

15. Core debris assumed retained inside pedestal (except for Case 4

TQUX).

l

Discussed in greater detail in text.

l 7-25 1

n .

to penetrate the reactor pressure vessel. INCOR predicts a significantly longer time to fail the RPV than the MARCH code predicts (almost 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months vs only 25 minutes). Both codes predict similar times to the start of core melt-ing and core slump so that differences in the timing of subsequent events are largely due to differences in the timing of RPV failure. The very long time for the core debris to penetrate the RPV predicted by INCOR and reported in Appendix C of the PRA is not consistent with the discussion in Appendix H of the PRA. In Appendix H, local failure of penetrations in the bottom of the RPV is suggested as a failure mechanism. This mechanism results in a very rapid failure of the RPV on a considerably shorter time scale than the 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months predicted by INCOR. On the basis of the discussion in Appendix H of the PRA and on our MARCH calculations, we consider the long times for RPV failure pre-dicted by INCOR to be inappropriate.

Another difference between MARCH and INCOR predictions relates to the pressure rises at core slump and RPV failure. MARCH predicts higher pressure rises at these times than INCOR. The difference is due to different assump-tions regarding metal oxidation and hence H2 production. In INCOR, no addi-tional metal oxidation was modeled after the core slumps until the RPV head fails and core / concrete interactions begin almost 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months later. This is il-lustrated by the horizontal pressure response between core slump and RPV head l failure for the Limerick PRA calculations in Figure 7.2. MARCH continues to l oxidize metal during in-vessel core slumping, and the pressure rise associated with the BNL calculations in Figure 7.2 is a result of additional H2 pro-l duction. These differences in H2 production between MARCH and INCOR do not significantly influence the containment failure mode analysis at Limerick be-l cause the containment is inert and the H2 partial pressures do not at this stage challenge the containment integrity. However, a better definition of this phenomenon may be needed if a mitigation feature such as filtered venting t

were to be considered.

Table 7.13 also includes the results from five additional TQUX calcula-tions in which selected input parameters in MARCH were varied. The additional cases were calculated to show the sensitivity of the predicted containment

pressure / temperature response to variations in selected MARCH input para-l meters. Although these input parameters resulted in significant differences 1

i l

l 7-26 l

_ _ n J

Table 7.13 Camparison of BNL and Limerick PRA Analysis of the Class I Sequences.

BNL Analysis Key Analysis in Events Limerick PRA TQUX I TQUV TQUX 2 3 4 5 6 TQUX TQUX TQUX TQUX Start of core 1.3 1.75 1.65 1.75 1.75 1.75 1.75 1.75 melt (hours)

Core slump 2.5 2.43 3.08 2.43 2.43 2.43 2.43 2.45 (hours)

Vessel head 4.3 2.85 3.71 2.85 2.85 2.85 2.55 2.73 f ailure (hours)

Start of core / 4.3 3.18* 3.71 2.85 2.85 2.85 2.55 2.73

% concrete inter-g actions (hours)

Time of contain- 6.5 5.65** 6.12** 5.23** 5.33** 3.03*** 5.46** 3.96***

ment failure (hours)

Pressure at 88 118 113 135 124 155 136 155 containment f ailure (psia)

20-min delay before INTER begins is due to 10-min time steps in HOTDROP (2 time steps).

This delay is ignored in CORRAL.

- Time that the core debris penetrates 70 cm of diaphragm floor causing collapse of floor and containment failure.

- *** Containment fails because of overpressurization before core debris penetrates diaphragm floor.

1 in pressure / temperature histories, these differences do not. translate into significantly different release fractions. Consequently, the CORRAL calcula-tions in Section 7.2.2.1, which were based on MARCH case TQUX I , are also representative of the range of MARCH cases considered below.

Case TQUX2 is the same as TQUX1 except IH0T=2 to avoid the 20-minute delay in subroutine H0TDROP caused by IH0T=100. Case TQUX3 is the same as case TQUX2 except for the change in the interfacial heat transfer coeffi-4 cient between the steel liner and the concrete containment wall (HIF = 100 instead of 2). Although the results shown in the table are hardly changed, I the drywell temperatures are more than 200*F cooler than in TQUX2 (see Figure 7.3a). The enhanced heat conduction from the steel liner to the con-crete is .most noticeable during the rapid heatup of the drywell during the core-concrete interactions. ,

Case TQUX4 is the same as TQUX2 except that the radius to which the molten core is allowed to spread on the diaphragm floor is increased from 308.6 cm (molten core retained inside pedestal) to 617.2 cm (half the radius of the diaphragm floor). Instead of the containment failing because the core debris penetrates 70 cm into the pedestal floor, it fails because of over-i pressure. Apparently, the greater contact area between the core debris and concrete allows the release of more noncondensibles and heat to the drywell l during the core-concrete interactions. Very large drywell temperatures are calculated (5900*F) just before containment failure (see Figure 7.3a).

Case TQUXS is the same as case TQUX2 except the vessel head thickness has been artificially set to 0.1 ft to simulate the timing of a local failure of one of the control rod penetrations in the bottom of the pressure vessel.-

The longer time to penetrate 70 cm of the diaphragm floor is due to the lower temperatures of debris exiting the failed pressure vessel . The rapid vessel-failure time for this case means that the core debris does not have enough 7

time to heat up in the bottom of the reactor vessel to the relatively high ,

i temperatures predicted in the other cases.

Case TQUX6 is the same as TQUX2 except the suppression pool decontam-ination factor in MARCH is changed from DCF = 100 to DCF = 1. The suppression pool no longer absorbs the fission products (fps) and thus their decay heat energy is added to the containment air space (see Figure 7.3.). This case l

l 7-28

T 14a0 70 cm concrete penetration vD I l $ 3240~

oxide molten 70 cm concrete penetration o

l' LIMERICK PRA iOOo- RPV head failure

' ~ CALCULATION sao- o h ,

/

2.

v core slump 1 ll /

% c0.0- lI 2 ft2 hole in 9 l

$ drywell u 40o. o ll j melt begins I g

o g BNL AUDIT f-- ~s ~~~jl k 20.0-

. _ k ,, core lumpRPV ll head failure CALCULATION melt b no , , , , , , , , , , , ,

00 50.0 100.0 150.0 200.0 250.0 300.0 350.0 4000 450.0 500.0 550.0 600.0 650.0 TIME - (MINUTE) l l

Figure 7.2 Containment Pressure History for Class 1 l (Case TQUXI).

P l

7-29

l 1000 0 C TQUX4

- 900.0 - R=617.2cm

@ a) Drywell TQUX2 8000-g R=308.6CM

< 3 m *~ '

TQUX C

3

,-] HIF=100 600 0- /

I E--

I e Z I g

500.0 - 1

, j rsd~~_ -

g 400.0 - j

/

O 2 ~ 300.0 - '

O U

d_ s #

200.0 -

200 0 , , , , , ,

00 50.0 100.0 150.0 200.0 250.0 300.0 3$00 4$0.0 4$0.0 500.0 TIME - (MINUTE) 800.0 C

o* 6 TQUX N0- b) Wetwell /

$ A /

s< 600.0 -

c:

w Q. 500 0-2 m

E--

400 0-

$ 4 2 300 0 - ,' \ ^

@ ,' '4'%~~~__

g 2000- g ,I' -

o ,- 2 100.0 -.

00 , , , , , ,

00 50 0 100.0 150.0 200 0 250 0 300 0 3$00 4$00 4$00 500 0 TlME - (MINUTE)

Figure 7.3 Containment Temperature History for Class I, 7-30

1200 , ,

I lfCore Slump I

I E

l S, I r.

- -- RPV g ' Failure m

$ 1100 - -

E l

E cc

BNL Audit Calculation Limerick PRA Calculation 1000 ' ' ' ' ' '

0 50 100 150 200 250 300 350 Time (Minutes)

Figure 7.4 RPV Pressure History for Class 1 (Case TQUX).

175 i - i - - -

Core Slump / RPV Failure, , , ,

165 -

'g -

!l l C f

~

w 155 - 1

/

ll -

s l I

D /

@ 145

, ' \ ore C Melt l'N RPV -

s- / Failure W /

a 135 -

f -

g /

a. I g 125 -

j

/ -

/

0! I w

g 115 -

BNL Audit E5 Limerick PRA -

105 -

95 - ' ' ' ' '

0 50 100 150 200 250 300 350 Time (Minutes)

Figure 7.5 Suppression Pool Temperature for Class 1 (Case TQUXI ).

. 7-31

- - , - y.

was performed to examine the sensitivity of the containment pressure / tem-perature response to changes in the suppression pool decontamination factors.

Unfortunately the MARCH code is restricted to using only one pool DF during the analysis of a particular accident sequence. However, we noted in Section 7.1.2 that in the Limerick PRA a significantly smaller pool DF was assumed after vessel failure than before failure. The MARCH code obviously cannot be used to model a variable pool DF so that cases TQUX6 and TQUX2 are in-tended to bound the atmospheric pressure / temperature responses that might be )

expected from the range of pool DFs assumed in the Limerick PRA. It can be noted from Table 7.13 that by assuming no pool scrubbing (i.e., a DF=1) the fission products added to the atmosphere s'Jnificantly increase the rate of pressurization of the containm nt and reduce the time to containment failure.

This is not of course consistent with the CORRAL assumptions regarding pool scrubbing in Section 7.2.2.1. Case TQUX6 is included as a bounding calcu-lation and represents a limiting pressure / temperature response.

7.2.1.2 Class II This class is described in Chapter 3 of the Limerick PRA as follows:

"For Class II (C2), the sequence modeled is a transient with long-term loss of heat removal (TW). For Limerick, this sequence involves the failure of the power conversion system and of the RHR system. Also included in this class are other sequences, such as LOCAs accompanied by a failure of the con-tainment heat removal systems, and inadvertently open relief valves with fail-ure to remove heat from containment. The key feature in this class is that the containment is assumed to fail prior to core melt, but after a lengthy period of time into the accident. Postulated core melt begins with a rela-tively low decay heat source, leading to a slower core melt than anticipated for Classes I, III, or IV, but with a failed containment."

In Table 7.14, the results of the BNL audit calculations and the Limerick PRA are compared. In our modeling of TW, the high pressure ECC switches its suction from the condensate storage tank (CST) to the suppression pool at N50 minutes because of a high suppression pool level and fails at 510 min because of pool heatup (temperature > 200 F). See the discussion on the overheating of the lube oil in Section 7.3.2.1. The low pressure pumps start at 510 min (TW=TWLP). ECC pumps are throttled back when the total water mass in the 7-32

a d Table 7.14 Comparison of BNL and Limerick PRA Analysis of the Class II Sequences.

l I

Analysis BNL Analysis in Limerick j Key Events PRA TWLP TWLPI TWLP2

! Containment failure (hr) 30 29.2 29.2 29.2 1

Core melt begins (hr) 36.6 35.6 35.6 36.0 Core melt ends (hr) 39.0 38.3 38.2 38.6 Vessel head fails (hr) 40.8 45.0* 42.9 38.7 Z = 70-cm penetration (hr) 43.3 49.3 47.4 47

The long time for head failure in TWLP is due to the long time it takes the core to heat up to 3700 F from 970*F and is probably an artifact of MARCH modeling approy.imations. Compare this time with the other cases.

t i

7-33 1

160.0 E l LJ 140.0 -

0: 1 D TWLP; 2 f t 2 hole e

120.0 -

( g

,TWLP 2 ,.2 ft hole

c. f IND- -

LIMERICK PRA s_.

Z t .208 ft2 hole

$ ,g _

HPCI off, I

E*

a: ADS-LPCI on I

I, corRPVfails) e0.0 -

o slump,l o p l f

g a 40.0- { Core melt

\

+ (-

'6b f}/

o

" *"~

\

\ -.__ __1. .k#

_.k____

core slump 3 RPV failt 0.0 . . . . ..

0.0 500.0 1000.0 1500.0 2000.0 2500.0 3000.0 TIME - (MINUTE) l l

l Figure 7.6 Containment Pressure History for Class II.

l (Class TW) 7-34

i i i i i i i . i 395 - -

-Containment Failure C 345

',- 's ss o_ , s RPV Head Failure g 295 - HPCI Off ,

~ ~~ ~

'/ 's -

$ ADS, LPCI on ,/ 's, W

x 245 -

/

/ -

? W '

N -j 195 - ,/ -

w -

- Limerick PRA Y

y 145 -

~~~~~~~~~

95 '

0 5 10 15 20 25 30 35 40 45 TIME (HOURS)

Figure 7.7 Containment Temperature History for Class II ,

(Case TW).

I

pressure vessel exceeds N600,000 lb, hence keeping the water level steady and considerably above the core.

Eventually, the containment pressure exceeds 155 psia as steam passed through the SRVs heats up the pool to saturation at about 520 min and then passes the decay heat mostly to the containment atmosphere. Injection is as-sumed to fail when contaiment fails. Two containment failure break areas were used in the PRA which corresponded to the two values listed in Table 3.5.13 on page 3-123 and Table C-1 on page C-28 (see also page C-44, note 11) l of the Limerick PRA. From a comparison of our calculations and those in the ;

PRA (refer to Figures 7.6 and 7.7), it is apparent that a break area of 0.208 ft2 was used in the PRA. The timing of the key events following containment failure are listed in Table 7.14.

Case TWLP is described above. Case TWLPI is similar to Case TWLP ex-cept that the pool DF is changed from 10 to 1.0 to assess the influence on the pressure / temperature response of the containment to the different DFs assumed in the CORRAL analysis (refer to Section 7.2.2).

Case TWLP2 is the same as Case TWLP except that the equivalent hole size in the contaiment was set equal to .208 ft2 as explained above. The relatively long time taken to penetrate 70 cm of concrete is related to the very rapid failure of the RPV, which is responsible for relatively low tem-perature core debris exiting the RPV and hence the slower concrete penetra-tion. See Section 7.3.5 for revised timing for contaiment overpressure for the TWLP sequence if an actinide decay model is incorporated in the MARCH analysis.

An interesting variation of the TWLP sequence is the TWHP sequence for which the RPV remains at high pressure until containment failure. Here it is assumed that either the ADS fails or the operator does not activate the ADS before the containment pressure rises above the set point for preventing ADS, l which is assumed to be 48 psia. Then, assuming a) the reactor remains at the high pressure set poir.t of the SRVs and b) the high pressure injection pumps continue to function until containment failure. The TWHP sequence results in a slower pressure build up in containment than for the TWLP sequence. Con-taiment failure is thus delayed by several hours in the TWHP sequence rela-tive to the TWLP sequence.

l l

l 7-36

7.2.1.3 Class III In this transient initiated accident sequence, the control rods fail to insert followed by poison injection failure. The recirculation pumps trip and the feedwater flow is stopped bringing the power level down to an assumed 30%

very quickly. The high pressure injection systems are modeled to come on with flows of 600 gpm (RCIC) and 5600 gpm (HPCI). At 4.5 minutes, the high pres-sure pump suction is automatically switched from the CST to the suppression pool because of high water level in the suppression pool (ECCRC = 0.850).

These high pressure systems will subsequently fail either because of high suppression pool pressure (Limerick PRA assumption) or high (200 F) suppres-sion pool temperatures (BNL assumption). The high pool temperature causes the ECC turbine lubricating oil, which is cooled by the suppression pool water, to break down causing the turbine to seize. The BNL analysis has the ECC pumps failing at 15 minutes because of this loss of lube oil cooling. Other impor-tant MARCH input data for the ATWS-III sequence are

- Fourteen safety relief valves operate compared to four for Class I.

- MARCH modeling simulates 30% power for the fraction of the core that is covered and ANS standard decay power for the uncovered part.

A HOTDROP calculation is included but the amount of water on the diaphragm floor is so small that essentially no time delay is observed.

- Molten core materials are retained inside pedestal wall.

A comparison of the BNL audit calculations for the above sequence with the Limerick PRA results is given in Table 7.15. The containment pressure histories for the two calculations are given in Figure 7.8.

I 7-37 l

l

160 0

+ overpressure (z=69cm)

^ 140.6 - ?

5 m

2 ft hole in drywell 120.0 -

RPV failure w y (z=70cm) LIMERICK PRA E

1000- core slump -

xide a-molten ,'

g 80.0- , ,e y core melt r

y 80.0-I <

p ,/ ,/

0 4a0- __ f d \

g __ _..__ _________ l

200'.lL { _ _ ,

core melt core slump RPV failure no . . . . . . . . .. . . .

0.0 50.0 100.0 150.0 200.0 250.0 300.0 350.0 400.0 450.0 500.0 550.0 600.0 650.0 TlME - (MINUTE)

Figure 7.8 Containment Pressure History for Class III (Case ATWS-III).

7-38

a

! Table -7.15 Comparison of BNL and Limerick PRA Analysis -

for Class III.

BNL Analysis Analysis in .

-1

. Key Events- Limerick PRA- ATWS-III ATWS-III

' Core melt begins (hr) 0.85- 0.78 0.76

(

Core melt ends (hr) 2.5 2.30 2.22 l

! Vessel head' failure .(hr) 4.3 2.55 2.47

[ INTER begins (hr) 4.3 _ 2.55 2.47 Containment failure (hr) 6.5 4.45*- 3.83**

t-i

Containment fails because'of overpressure (155 psia) just before 70 cm of l concrete penetration is reached (70 cm of concrete is penetrated at 4.58 l

hr).

I ** Time that the core debris penetrates 70 cm of diaphragm floor causing floor

collapse and containment failure.

In Case ATWS-IIII , the DF in MARCH is reduced from 10.0 to 1~to again reflect the different pool DFs assumed in the CORRAL analysis (refer to Sec-tion 7.2.2).

The MARCH 1.1 code, which was used to perform the above calculations, and the INCOR code do not include the contribution to decay heat from actinide.

l decay. The consequences of this omission will be discussed in Section 7.3.5.

f

! 7.2.1.4 Class IV I The MARCH modeling for the ATWS Class IV sequence differs from the ATWS

' Class III modeling only in the following respects:

fl a) The high pressure injection is allowed to stay on even after the

[

suppression pool temperature exceeds 200*F [the ECC turns off when j the containment fails .a MARCH parameter option (ICBRK = 0)].

7-39 l - . . . - . . . . . . . - . . _ _ _ ._ _ ___. _ _ _ _ . _ _ . .

b) The choice of containment break area is 5 ft2 in order to prevent the containment from appreciably overshooting the 155 psia failure pressure. The Limerick PRA used a 3.14-ft2 hole size.

The BNL audit calculations for the above sequence are compared with the Limerick PRA results in Table 7.16. In Figure 7.9, we compare the contain-ment pressure histories for the two calculations.

Table 7.16 Comparison of BNL and Limerick PRA Analyses for Class IV.

BNL Analysis Analysis in Key Events Limerick PRA ATWS-IV ATWS-IV Containment fails (hr) 0.67 0.67 0.67 Core melt begins (hr) 1.2 1.25 1.25 Core melt ends (hr) 2.2 2.7 2.7 Vessel head fails (br) 4.0 2.97 2.95 Time for 70-cm. penetration 6.5 6.97 7.03 of floor (hr)*

Limerick assumed the molten core to spread over the entire diaphragm floor. BNL assumed the core materials to be confined to the pedestal region.

Case ATWS-IVI is the same as Case ATWS-IV except the suppression pool decontamination factor DCF in MARCH was set equal to 1 for a saturated pool as discussed under the ATWS-III sequence. This change was made for case ATWS-IV1 but has little effect on the timing of the events because the fis-sion products exit the containment before they can accumulate in the contain-ment airspace.

The relatively long delay in penetrating 70 cm of the diaphragm floor (4 hr) may be an artifact of the INTER modeling rather than a realistic esti-mate. INTER calculates that the oxide portion of the molten core is solid for about 100 minutes. It is after the oxide becomes molten that significant 7-40

1 160 0

\ containment failure g 1400- - .- LIMERICK PRA BNL 120.0 -

U m

$ 100.0 -

E g 80.0-E k so.o- i RPV failure S

y o 49g_ l core slump l E d I f p

~ ~ l f l 20D' J ~ ~ -k- ,, ~_

l oo so' .o 150.0 150 0 250.0 250.0 350.0 350.0 450.0 4500 ' bdo.o 5$00 650.0 650.0 TIME - (MINUTE)

Figure 7.9 Containment Pressure History for Class IV.

(Case ATW-IV)

, 50 0 l

7 6 -------- Limerick PRA Analysis E Z O Vertical Penetration /

l < 400-J f i E E '

/

l I

E x ~

5 BNL Analysis /

/

M -

C 30 0- (;

W b $ ~

f M /

N U

Z 20 0-b2: /

/

' O o /

$ U Z #

a O /

< U /

O a /

p 10.0 - < /

g g RADIAL S

' VERTICAL

> $ l 0.0 . . . ,. .

00 50 0 100 0 150.0 200.0 250 0 350.0 350 0 450.0 4500 TIME - (MINUTE)

Figure 7.10 Diaphragm Floor Penetration Histories for Class IV.

(Class ATWS-IV)

vertical penetration begins (refer to Figure 7.10). Figure 7.10 shows a com-parison of the BNL and Limerick penetration rates. This is discussed further in the CORRAL section.

7.2.2 CORRAL Analysis The CORRAL code has been used by BNL and in the Limerick PRA. In CORRAL, four distinct core release mechanisms are separately followed during the course of a meltdown accident, i.e., GAP, MELT, 0XIDATION, and f

VAPORIZATION. The four release mechanisms are shown schematically in Figure 7.11 (note that the 0XIDATION release was assumed to result from a steam ex-plosion in the RSS). The GAP release is modeled as a single event and is as-sumed to occur at accident initiation. The MELT release is divided into 10 equally sized releases evenly spaced between the time of core melt to the time of core slump. The timing of core melt and slumping were taken directly from the MARCH analysis. The 0XIDATION release is modeled as a single event and chosen to occur either at cor.tainment failure to model the suppression pool flashing release (if applicable), or at RPV head failure to model the oxida-tion of that fraction of the core debris assumed to fall into the suppression pool. The VAPORIZATION release is divided into 20 parts,10 releases of ex-ponentially decreasing magnitude in the first 1/2 hour followed by 10 more re-leases during the next 1-1/2 hours, also of exponentially decreasing magni-tude. The VAPORIZATION release is assumed to start at vessel failure when core / concrete interactions begin. The core release fractions used in the Limerick PRA and adopted by us for input to CORRAL were obtained from the RSS.

Table 7.17 is reproduced from the RSS and indicates the fraction of fission products released owing to the release mechanisms noted above. The fractional release of fission products indicated in Table 7.17 would be input to CORRAL using the schematic indicated in Figure 7.11.

For our purposes, we use the 0XIDATION release to model either the i

OXIDATION release when a fraction of the core is assumed to drop into the sup-pression pool, or a 15% suppression pool FLASH release when the containment fails for TQUX and ATWS-III sequm:ces. Neither of these release mechanisms can be modeled in MARCH without code modifications. The OXIDATION release affects only the Kr, Xe, 1 , Te, 2 and Ru releases as assumed in WASH-1400.

The FLASH release equally affects all the isotopes in the suppression pool.

7-43

Table 7.17- Fission Product Release Source Summary -

Best Estimate Total Core Release Fractions.

Fissicn Gap Release Reitdown Release Vaporization Release Steam Explosion Product - Fraction Fraction Fraction (d) Fraction (e)

Xe, Kr 0.030 0.870 0.100 (X) (Y) 0.90 I, Br 0.017 0.883 0.100 (X) (Y) 0.90 Co, Rb 0.050 0.760 0.190 --

TeI *I 0.0001 0.150 0.850 (X) (Y) (0.60)

Sr, Ba 0.000001 0.100 0.010 --

DI 0.030 Ru --

0.050 (X) (Y) (0.90)

La II --

0.003 3.010 --

(a) Includes se, Sb (b) Includes Mo, Pd, Rh, Tc (c) Includes Nd, Eu, Y , Ce , Pr , Pm, Sm, Np , Pu, - Z r , Nb (d) Exponential loss over 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months with halftime of 30 minutes. If a steam explosion occurs prior to this, only the core fraction not involved in the steam explosion can experience vaporization.

(e) X = Fraction of core involved in the steam explosion. Y = Fraction of inven-tory remaining for release by oxidation.

Geo new=

Stum Empeem 1D -

a:

0.75 -

t 3

e 3 oso -

2 3

1 0.25 - Men Rehm Vaponasten Remen I 1D I= ca I . os 11lll11llll linJ,,,,1iiii , , , ,

t t t t c 1 2 3 Time. Hours Figure 7.11 Typical Sequence of Spike Fission Product Releases for Postulated Accidents.

7-44

i

' The thermodynamics of each of the sequences modeled in MARCH, i .e., inter-compartment flows, leakages, pressures, temperatures, etc., and the timing of key events such as core melting and core-concrete interaction are used as in-put data for CORRAL. In addition, parameters related to removal processes, for example, settling of particles and plateout of the 12 vapor, are also ,

input.

The CORRAL model used at BNL did not include the primary system as a distinct volume. This means that fission products released during GAP and MELT, while the core is still in the reactor pressure vessel, have to be input directly to the apropriate containment volume modeled in CORRAL. This model cannot mechanistically calculate retention of the fission products released during the GAP and MELT stages in the primary system. We noted in Section 7.1.2 that the CORRAL model used for the Limerick PRA did include the primary system as a distinct volume and consequently primary system retention of the fission products was explicitly calculated. These fission products were even-tually assumed to be released to containment after vessel failure. There was no permanent retention of fission products in the primary system assumed in the LGS PRA or in the BNL analysis. The above difference between the CORRAL models used at BNL and in the LGS PRA has an important effect on determining the eventual fission product release fractions. Although the BNL model cannot explicitly calculate fission product retention, we attempt to assess its im-pact in the following section.

Another important aspect of the BNL model relates to pool decontamination factors. In CORRAL, if flow between compartments goes via the suppression pool, the effect of pool scrubbing can be calculated directly by subjecting the flowing fission products to an appropriate pool decontamination factor.

However, as the primary system is not modeled as a volume in the BNL CORRAL l model, fission products released during the GAP-and MELT stages have to be in-l put directly into the appropriate containment volumes. For LOCAs, the release i is directly to the drywell airspace so that the core release fraction in Table 7.17 can be used directly. However, for transients, the release is via the SRVs, through the suppression pool, and into the wetwell airspace. Thus, the GAP and MELT releases are subject to pool scrubbing. This pool scrubbing is modeled in the BNL CORRAL model by simply dividing the core release fractions l in Table 7.17 by the appropriate pool DF.

7-45 u

Each of the four generic sequences (Classes I, II, III, and IV) have been modeled in CORRAL to obtain release fractions for the eight isotopic categories. These release fractions together with plume infomation (height and energy) and timing (warning time, duration of release, time of release),

constitute a very important part of the input data to the CRAC consequence model, (refer to Section 7.2.3). The following sections discuss each of the four typical sequences (TQUX/TQUV, TW, ATWS-III and ATWS-IV) representing the four generic classes. Only containment overpressurization failure in the drywell is modeled in the audit calculations for Classes I, II, and III. For Class IV, overpressurization failures in the wetwell and the drywell are considered .

7.2.2.1 Class I The BNL analysis used the TQUX sequence to calculate releases for this class. During our modeling of the Class 1 sequence, we were particularly concerned with the following phenomena:

- Retention of fission products in the primary system until RPV head failure.

- The 10% 0XIDATION released assumed in the LGS PRA at RPV head failure.

- The 15% release due to suppression pool flashing at contaiment failure in the LGS PRA.

- VAPORIZATION release timing and particulate size.

- Intercompartmental flow.

Retention of fission products in the primary system until after RPV head failure can have a significant effect on releases. To detemine the percent of fission products retained in the RPV, we assumed that the TQUX sequence re-leases its fission products to the suppression pool in the same proportion as it releases hydrogen. MARCH calculates the amount of hydrogen generated in the pressure vessel that is released through the SRVs as they perfom their function of limiting the pressure in the vessel. For TQUX, 530% of the hydro-gen passes through the pool while 70% remains behind. We further assume that there will be no water in the reactor vessel head at core slump to prevent the ,

large vaporization from driving out the fps. Nor do we account for trapping '

7-46

1 l

l of the fps on the surfaces of the vessel internals, i.e., dryers or separa-tors. The results then represent an upper bound on the early releases for this scenario. The fps retained in the primary system until vessel failure were modeled in' CORRAL as an oxidation belease after vessel failure.

The Limerick PRA models 10% of the corium falling into the suppression pool and allows the fission products (FP) contained in the 10% to be released to the suppression pool, scrubbed, and then released to the wetwell airspace.

We have conservatively modeled this release to eventually enter the drywell airspace without pool scrubbing. The effect of this 0XIDATION release is neg-ligible for all isotopic groups except Ru, where it adds an extra 14% to the final release fraction.

In discussions with PECo, it was mentioned that 15% of the suppression pool is assumed to flash during contaiment failure and consequently 15% of each of the isotopic groups contained in the suppression pool would be re-leased to the contaiment atmosphere at the time of contaiment failure. BNL confirms that 15% of the pool would flash if it were at saturation temperature corresponding to the containment failure pressure (155 psia). However, nci-ther MARCH nor the Limerick PRA predict a saturated pool for this accident class. This flashing release (which may overestimate the FP release, at least for particulates) was analyzed. Pool flashing releases fission products partly into the drywell via the downcmers and partly into the wetwell . These two separate cases were modeled as a 15% 0XIDATION release and then averaged.

We have found that the timing of the VAPORIZATION release relative to containment failure can have a large impact on the fracticn of particulates 4

released from the containment before they settle. It is not difficult to ob-tain large increases (factor of S10) in the particulate releases, especially in four isotopic categories (Te, Ba, Ru, La) simply by adjusting the VAPORIZA-TION timing relative to contalment failure. Furthemore, the particulate size was chosen to match the RSS, but a CORRAL run using smaller particles of 3 micreeters and 1 micrmeter (instead of the RSS values of 15 and 5 nicro-meters) increased the particulate releases by factors of between 15 and 25.

Neither of these two effects (the timing of the VAPORIZATION release or the particle size) would affect the FLASHING release from the pool, which domi-nates the total releases for the 1,2Cs, and Ba categories.

7-47 o

Still another modeling consideration that can affect the release terms is the set of intercompartment flow data chosen from the MARCH run. It is possible to trap fission products in the air space in the wetwell during the VAPORIZATION release when the flow is predominantly from drywell to wetwell through the downcomers. Postulating a containment failure in the drywell, as we have done for these runs, will initially limit the FP releases to the con-tents of the drywell . As the containment blowdown continues, more and more of the fps will flow into the drywell from the wetwell through the vacuum )

breakers, but the time delay and the limited flow reduces the ultimate re-lease for some of the particulates compared to a wetwell containment failure.

A wetwell failure was simulated in a CORRAL run leading to $10% increases in the particulate releases.

On the basis of the above modeling considerations, the release fractions shown in Table 7.18 were determined. The release fractions were based on holding up approximately 70% of the GAP and MELT releases in the primary sys-tem until after vessel failure. In addition, at the time of vessel failure, a 10% 0XIDATION release was included in the release fractions. Decontamination factors of 100 (before vessel failure) and 10 (after vessel failure) were as-sumed for suppression pool scrubbing. Two sets of release fractions are in-cluded in Table 7.18 for Class 1. The first assumes flashing of the suppres-sion pool at containment failure (consistent with the LGS PRA assumption).

The second assumes no flashing of the suppression pool and was used in our

! consequence calculations in Section 7.2.3.

7.2.2.2 Class II The CORRAL calculation for the TW Class II sequence was based on MARCH case TWLP2 (refer to Table 7.14). This run assumed a 0.208-ft2 hole in the containment. The release fractions calculated for this sequences are in-l cluded in Table 7.18. The large differences between the BNL analysis and the PRA results for the Cs and Ba groups may be explained by hold up in the RPV, which was not modeled in the BNL calculation.

For the TWHP sequence, the releases and the timing were calculated to be similar to the TWLP sequence. Therefore, the consequences should also be sim-ilar for these two sequences, j 7-48 i

a

Table 7.18 Comparison of Release Parameters from BNL and PRA.

Class I - y Class II - y Class III - y RNL* BNL** PRA BNL PRA BNL PRA Xe-Kr .939 .939 1.0 1.0 1.0 1.0 1.0 0.0 0.0 0.0 01 0.0 0.0 .007 0.0 I 0.049 .0093 .11 .156 .06 .122 .04 Cs 0.055 .020 .09 .258 .023 .0542 .024 Te 0.058 .046 .016 421 .4 .185 .073 Ba 0.006 .0017 .01 .027 0063 .00361 .0027 Ru 0.004 .0030 .003 .070 .069 .0169 .0086 La 0.00074 .00061 .0003 .0054 .0047 .00238 .00091 Time of 5.23 5.23 7.0 43.46 37.0 4.45 7.0 release (hr)

Duration 2.0 2.0 2.0 2.0 2.0 2.0 2.0 of re-lease (hr)

Wa rning 3.48 3.48 6.0 6.8 7.0 3.67 6.0 time (hr)

Energy of 8.4E+6 8.4E+6 8.4E+6 7.0E+4 7.0E+4 8.4E+6 8.4E+6 i

release (cal /s) l Height of 25.0 25.0 25.0 25.0 25.0 25.0 25.0 release (m)

With suppression pool flashing at containment failure.

- Without suppression pool flashing at containrent failure.

7-49 I En

Table 7.18 (Cont.)

f Class IV - Y Class IV-Y' Class IV-Y" BNL PRA BNL PRA BNL PRA Xe-Kr 1.0 1.0 1.0 1.0 1.0 1.0 01 0.0 0.0 0.0 0.0 0.0 0.0 I .154 .261 .098 .07 .708 .73 Cs .749 .202 .749 .09 .749 .70 Te .747 .434 .757 .20 .757 .55 Ba .0859 .029 .0859 .016 .0859 .09 Ru .110 .095 .11 .088 .11 .12 La .0103 .00523 .0103 .006 .0103 .007 Time of 1.5 1.5 1.5 1.5 1.5 1.5 release (hr)

Duration 2.0 2.0 2.0 2.0 2.0 2.0 of re-lease (hr)

Warning 1.0 1.0 1.0 1.0 1.0 1.0 time (hr)

Energy of 7.0E+4 7.0E+4 7.0E+4 7.0E+4 7.0E+4 7.0E+4 ,

release (cal /s)

Height of 25.0 25.0 25.0 25.c 0.0 0.0 release (m)

Estima ted .

t 7-50 a

7.2.2.3 Class III The release fractions calculated for Class III sequences are shown in Table 7.18. The main difference between the CORRAL modeling of the ATWS-III sequence and the TQUX sequence, besides differences in the timing of the re-leases, is that the ATWS-III suppression pool is assumed to be saturated for all the releases and not just the VAPORIZATION release. For all the particu-

! late release categories, we are about a factor of 2 larger than the Limerick PRA, which may also be explained by hold up in the RPV in the Limerick analysis.

7.2.2.4 Class IV The CORRAL run for the ATWS-IV sequence (refer to Table 7.18) is similar to that for ATWS-III except for the timing of the key events. An OXIDATION re-lease of 10% of the core is included in CORRAL. This release alters only the Ru category significantly. A comparison with the Limerick PRA reveals differ-ences for all categories except I2 . For most particulates, our values are a factor of 2 to 3 greater than the PRA values. This may be due in part to the larger containment leakage used in the BNL calculations, which reduces the time for settling of the particles.

The Limerick PRA obtains an iodine release of 26% for ATWS-IV (C 4 -y).

This value at first seemed inconsistent with the modeling of this sequence as described in the Limerick PRA. Our reasoning went as follows: N90% of the iodine is released during the GAP and MELT release, all of which, presumably, is scrubbed by the suppression pool with a DF of 10. Therefore, only 9% of this release can escape to the atmosphere. Assuming that all of the VAP0 RIZA-TION release escapes as well places a maximum iodine release at 19%. Includ-ing a 10% 0XIDATION release does not alter the numbers since what is released by oxidation can no longer be released by vaporizatinn.

It is now apparent (refer to Section 7.1.2) that by modeling the RPV as a separate compartment in CORRAL fission products were predicted to be retained in the RPV in the LGS PRA. The remaining airborne fps are then released to the drywell when the RPV fails. Therefore, less than 90% of the CAP and MELT releases are scrubbed by the suppression pool . We have noted above that pri-mary system retention of the fission products is not explicitly modeled in the 7-51

BNL CORRAL model. However, we can estimate how such a modeling change would alter the calculated releases. The particulate releases would be almost un-changed because of the large leak rate to the atmosphere. The 12 release would increase because there is no scrubbing of the retained portion and be-cause there is little plateout in the containment owing to small temperature differences.

For the C4Y' release, a failure in the wetwell airspace implies that 1

fission products in the drywell will have to pass through the suppression pool '

prior to release to the outside environment. Based on the description of pool scrubbing in the PRA, we assumed a pool DF of 10 for iodine and unity for par-ticulates in our original CORRAL calculations reported in the BNL draft re-port. During a review of our draft report by PECo and their consultants, it was noted that the DF of 10 for a saturated pool was applied tc all particu-late fission product species. We did not have time to recalculate the release fractions for C Y';

4 however, we would expect that the particulate releases in Table 7.18 would reduce by about a factor of 2. The impact of the above on latent fatalities would be minimal (refer to Section 7.3.6) because of the dominance of the OPREL category. However, the impact on acute fatalities would be more important because of the greater contribution of C 4Y' (refer to Section 7.3.6).

The C4 Y" release, i .e., draining of the suppression pool before melt-down, gives an indication of the overall effects of settling on the particles released from the core and the overall effect of plateout on I2 released from the core. One sees from the Limerick PRA release values (compare Tables 7.17 and 7.18) that plateout or settling reduces the GAP + MELT + VAPORIZATION releases by less than a factor of 2 before these releases escape to the atmos-phere. In our modeling, owing to the assumed larger break in the containment, l less reduction is expected and about 75% of the particulates escape from the l containment. Therefore, we estimate that the particulate releases should be similar for the Y and Y" failure modes. However, since there is no suppres-sion pool scrubbing for the 1" failure mode, the iodine release will be sig-nificantly higher than the Y failure mode.

l 7-52 l

7.2.3 CRAC Analysis The determination of consequences in this report is for the purpose of assigning a measure to the various accident scenarios reported in the PRA and any new accident scenarios which may be generated at BNL. This measure will be used to rank the relative seriousness of the postulated accidents and even-l tually by multiplying the consequence by a probability of occurrence of the scenario a measure of risk will result. In this way the relative risk of the accident scenarios can be determined in terms of risk to the public living around the reactor site. The consequences which will eventually be used as a measure will be latent fatalities, acute fatalities, and, in selected cases, thyroid cancers.

The detailed consequence analysis used in the PRA is described in Section

! 7.1.1. These results were presented primarily for purposes of comparison to

BNL results. This section is divided into two subsections. The BNL results and a discussion of the difference between them and the PRA results will be presented in Section 7.2.3.1. The final Section 7.2.3.2 will consist pri-marily of a presentation of the results of BNL consequence calculations using release fractions determined by the methods outlined above in Sections 7.2.1 and 7.2.2.

l 7.2.3.1 BNL Calculations Using Limerick Release Fractions In order to benchmark the BNL version of the CRAC code and the GE version used in the Limerick PRA, the five release categories outlined in 7.1.1 were reanalyzed using the input data from the PRA and the BNL CRAC code. Precise agreement between these two calculations was not expected since the two codes j are different versions of the original CRAC code. In addition, corrections and updates have been made to the various versions of CRAC over the years, which are not necessarily the same in both versions of the code. The compari-son thus serves as a measure of the difference between the codes and will be l used to relate additional BNL calculations to the PRA calculations. Before

! discussing the results of these calculations, a major difference between the evacuation models in the codes will be outlined.

There were two commonly used evacuation models in the original CRAC code.

The first model allows for a constant velocity of the evacuees radially out-ward from the plant. In this model, the assumption is made that innediately 7-53

i upon receiving a warning that an accident has occurred, the evacuation starts.

j' The evacuees keep moving until overtaken by the cloud or until they reach the >

evacuation radius. If they are overtaken by the cloud, they are exposed for four hours to the cloud and ground. The second model assumes a constant ac- ,

celeration rather than velocity. The ' remainder of the model is the same.

! A third evacuation model developed by'Sandia allows for detailed tracking- q

j. between the evacuees and the active cloud. The movament of the evacuees is ]

radially outward at a constant velocity; however, in this scheme, there are

~

. nine possible interactions between the cloud and the evacuees, shown graphi-cally on Figure 7.12 in a schematic representation of a distance time plot of

evacuees, the front of th6 cloud, and the back of the cloud. In addition to the evacuee / cloud interaction model, there is the possibility of allowing

! people to be sheltering, rather than evacuating. Sheltering is allowed beyond the evacuation radius and up to the sheltering radius. The above three evac-uation models are usually referred to as schemes 1, 2, and 3. In the BNL CRAC

- calculations reported in this section, scheme 1 was used since it was used in 1 I the PRA and is consistent with the RSS model. The BNL input parar.eters 'are i tabulated in Table 7.19.

l The remainder of the input to CRAC was obtained from the Limerick input

! data tape as supplied by PECo. The check calculations were carried out using l only meteorological data from 1975, and not for the remaining four years.

Thus any comparison should be made with this year. .Furthennore, the meteoro-I logical data file corresponding to measurements made at 30 ft only were used.

l- Tables 7.20 and 7.21 compare the mean values for latent and acute fatal-ities as computed by BNL with those supplied by PECo (refer to Section 7.1.3).

It can be seen that the means computed using the BNL model are all higher than the PRA means and also that the 0XRE category leads to the largest number of latent fatalities while OPREL leads to the smallest number. However, because of its relatively high probability, the OPREL category poses the greatest risk to the public in terms of latent fatalities. The BNL CRAC model increases i total latent fatalities by a factor of s2.7 compared with the risk curves pre-f sented in the Limerick PRA. The acute fatalities are dominated by the C 4Y"

! category. The largest difference between the BNL calculations and the LGS PRA

}

I 7-54

,- , , - , . , . - - - - - - , e . . - - . -,,.,--e ,,,,c ,. , . , , ,,--w.._--,,.m----,--,m._, ,--

A' / B', / C' g

\ Front of /

/[ A[/

o Cloud / /! /

I , 'i /yg!o' f spatial interval [

[

f /

ta j /

M M / ////

/ llBack of

/

Cloud

// /

)F/p F ///l&

IU f

i[ B/ C TIME

1) (A, A' ) : People travel in front of cloud

2) (A, B'): Cloud overtakes people

3) (A, C'): Cloud overtakes and passes people

4) (B, A'): People escape from under cloud I

5) (B, B'): People travel under cloud

6) (B, C') : Cloud passes people

7) (C, A'): People overtake and pass cloud-

8) ~ (C, B'): People overtake cloud

9) (C, C'): People travel behind cloud Figure 7.12 Distance-Time Diagram for Evacuees and Cloud.

7-55

~

l

> Table 7.19 Evacuation Models Parameters.

Maximum distance (m) _4.04 E+4

. Evacuation velocity (m/s) .536 Time log before evacuation (hr) 0.0 Radius of circular area evacuated (m) 8.0 E+3 Angle of evacuation 45.0 Evacuation cost (0) 95.0 Criteria of duration of release 3.0 Distance moved by evacuees (m) 2.42 E+4 Sheltering radius (m) 1.61 E+4-Evacuation scheme 1.0 Cloud shielding (stationary) .71 (moving) .71 (sheltering) .71 (no emergency) .71 Ground shielding (stationary) .29 (moving) .29 (sheltering) .29 (no emergency) .29 Breathing rate (stationary) 2.66 E-4 (moving) 2.66 E-4 (sheltering) 2.66 E-4 .

(no emergency) 2.66 E-4 -

n, 7-56 m

calculations is seen to be for the 0XRE sequence. This is partially due to the fact that the BNL calculation was carried out using meteorological data taken at 30 feet, dile the corresponding calculations in the LGS PRA were based on data taken at 175 feet. This difference was estimated to reduce the calculated acute fatalities by only 1%. Finally, the total risk from acute fatalities is seen to be approximately 3 times greater when using the BNL CRAC code.

7.2.3.2 BNL Calculations Using BNL Release Fractions l In this seccion, the consequences of the release fractions as deter-l mined by BNL calculations (outlined above in Sections 7.2.1 and 7.2.2) are l di scussed . These calculations use the same BNL CRAC model (scheme 1) outlined l

i above in Section 7.2.3.1. The only change from the previous section is in the containment LEAKAGE input, which will reflect the new release fractions. All parameters in this input section are computed using the MARCH and CORRAL codes, with the exception of four numbers. The values which have to be chosen are duration of release, warning time, energy of plume at time of release, and height of release. In general, these values are carried over from the PRA, as they appeared reasonable. However, for the Class I sequences, the warning time is taken from the start of core melt to the time of containment failure directly fraa our MARCH analysis. These are the times that we assumed the operators would notify the authorities of an impending accident. This crite-

, rion will be applied unifonnly to all accident scenarios analyzed.

1 Table 7.18 shows the release fractions, timing, energy of release, and height of release for the various BNL calculations. Also shown are the cor-responding PRA values. The consequences of these releases are shown on Tables

! 7.22 and 7.23, which give both latent fatalities and acute fatalities for BNL release parameters and the PRA release parameters. From the comparison, it can be seen that the consequences from the BNL releases are always more severe except for the latent fatalities associated with the OPREL release.

Table 7.22 shows the probability-weighted latent fatality means by cate-l gory for the various sequences, as detennined by the BNL CRAC code using both BNL release parameters and PRA release parameters. These are summed and total risk results are given. From this table it is seen that the decrease in risk I

7-57 m

resulting from the releases computed by BNL is approximately a factor of 2, with the OPREL category being the dominant contributor to risk in both cases.

This is due to the relatively high probability of occurrence of the OPREL category. However, this calculation assumes that the suppression pool does not flash when the contaiment building fails for Class I sequences. We have noted above that the suppression pool is significantly subcooled at contain-ment failure and that it is physically impossible for the pool to flash. We j have also noted above that in the Limerick PRA, the suppression pool was as- ;

sumed to flash, which results in the higher latent fatalities in Table 7.22 for the OPREL category.

Table 7.23 shows the probability-weightad acute fatalities means by category for the various sequences. These are summed to yield the total risk.

The ratio between these two total risks is seen to be approximately 2, with the C4Y' and C 4 Y categories being the dominant contributor to the risk in both cases. The BNL calculated release fractions result in higher acute fa-talities than the release fractions in the Limerick PRA.

i l

l l

l 7-58

Table 7.20 Comparison Between PRA and BNL Calculations.

Latent Fatalities (for the Year 1975)

Limerick PRA** Results Probabilities From Table 7.9 BNL*** Results Based on Sequence Limerick PRA Mean Risk Mean Risk C4 Y 6.4E-8* 4080 2.61E-4 10200 6.53E-4 C4Y' 5.6E-8 2985 1.67E-4 8040 4.5E-4 C4Y" 6.3E-9 5610 3.53E-5 12400 7.81E-5 OXRE 4.35E-8 11010 4.79E-4 18700 8.13E-4 OPREL 6.98E-6 1548 1.08E-2 4330 3.02E-2 TOTALS 1.175E-2 3.22E-2

-~-.

6.4E-8 = 6.4 x 10-8,

- PRA releases and PRA CRAC calculations.

- - PRA releases and BNL CRAC calculations.

t i

l 7-59

Table 7.21 Comparison Between PRA and BNL Calculations.

4 Acute Fatalities (for the Year 1975) )

l Limerick PRA Results***

Probabilities from Table 7.8 BNL Results***

Based on Sequence Limerick PRA Means Risk Means Risk C4Y 6.4E-8* 19.2 1.23E-6 26.7 1.71E-6 C4Y' 5.6E-8* 5.66 3.17E-7 14.8 7.95E-7 C4Y" 6.3E-9 100.5 6.33E-7 107.0 6.74E-7 0XRE.. 4.35E-8 5.64 2.45E-7 96.7 4.21E-6 OPREL 6.98E-6 - - - -

TOTALS 2.424E-6 7.38E-6

6.4E-8 = 6.4x10-8,

- PRA releases and PRA CRAC calculations.

l

- - PRA releases and BNL CRAC calculations.

1 l

7- 60 m

Table 7.22 Comparison Between PRA and BNL Calculations.

Latent Fatalities (for the Year 1975)

Based **

Limerick PRA Release Fractions BNL Results***

Probabilities Based on Limerick Sequence PP.A Means Risk Means Risk CY 6.4E-8* 10200 6.53E-4 14000 8.96E-4 4

C4 Y' 5.6E-8 8040 4.50E-4 14000 7.84E-4 C4Y" 6.3E-9 12400 7.81E-5 12900 8.13E-5 0XRE 4.35E-8 18700 8.13E-4 18700 8.13E-4 OPREL 6.98E-6 4330 3.02E-2 2160t 1.51E-2 Total Risk 3.22E-2 1.77E-2

6.4E-8 = 6.4 x 10-8,

- PRA release fractions with BNL CRAC calculations.

- - BNL release fractions with BNL CRAC calculations.

l tAssumes no suppression pool flasting at containment failure.

l l

7-61

l Table 7.23 Comparison Between PRA and BNL Calculations.

Acute Fatalities (for the Year 1975)

)

l Based ** on Limerick PRA Release BNL Results***

I Fractions l Probabilities j Based on l Sequence PRA Means Risk Means Risk CY4 6.4E-8* 26.7 1.71E-6 75.4 4.83E-6 C4Y' 5.6E-8 14.2 7.95E-7 68.9 3.86E-6 C4Y" 6.3E-9 107.0 6.74E-7 138.0 8.69E-7 0XRE 4.35E-8 96.7 4.21E-6 SS.7 4.21E-6 OPREL 6.98E-6 - - - -

l Total Risk 7.38E-6 1.38E-5

6.4E-8 = 6.4 x 10-8,

- PRA release fractions with BNL CRAC calculations.

- - BNL release fractions with BNL CRAC calculations.

7-62

7.3 Quantification of Uncertainties In Section 3.8 of the Limerick PRA, an attempt was made to characterize uncertainties in the analysis. Several areas of uncertainty related to the containment failure mode and consequence analysis were identified. These areas were graded as having a minor effect, moderate effect, or significant effect. We have reproduced these uncertainties in Table 7.24 (minor effect),

j Table 7.25 (moderate effect) and Table 7.26 (significant effect). The PRA l identifies only pool decontamination factors (refer to Table 7.30) as having a significant effect on early fatalities. The determination of the release fractions and the mode of RPV failure were graded as having a moderate in-fluence. Core meltdown phenomena were considered to have only a minor effect on uncertainty. This last conclusion is in sharp contrast to our findings, which we develop in detail below. The uncertainties identified in the PRA (refer to Tables 7.24 to 7.26) were not quantified but it was concluded that they would be approximately of the same order of magnitude as the uncertain-ties in the accident sequence frequencies. Figure 3.8.3 of the PRA indicates that the uncertainty band associated with early fatalities is approximately a factor of 115.

In Section 7.2 the BNL audit calculations were discussed. These calcu-lations were performed using mathematical models different from those used in the PRA. The calculated release fractions were different and these dif-ferences did translate into changes in the risk associated with individual categories.

A comparison between the consequence model (CRAC) used at BNL and in the PRA highlighted differences in the calculated risk. The BNL CRAC model in-creased total mean acute and latent fatalities by a factor of approximately 3

, relative to the PRA calculations. The BNL calculated release fractions in-creased total mean acute fatalities by a factor of about 2 but decreased total l mean latent fatalities by approximately 50%.

In this section we attempt to quantify some of the uncertainties identi-fied in the PRA (refer to Tables 7.24-7.26) and also address a number of BNL concerns. Initially in Section 7.3.1, we assess the impact on risk of not combining LOCAs with transients. In Section 7.3.2, we discuss the impact of failure of the high pressure ECCS due to lube oil overheating during Class II 7-63

Table 7.24* Summary of Areas of Uncertainty Having a Minor Effect on the LGS Early Fatality CCDF.

Subject Assumption Used in LGS Analysis Methodology:

Degraded core leads The assumption used in WASH-1400 and in the LGS directly to core melt analysis is that once a core loses identified methods of cooling, it will melt. This may be conservative.

Accident sequences /.ccident sequences are characterized by the most characterization severe conditions associated with the event.

There may be conservatisms in the sequence evaluation.

Constant wind direction The wind direction is assumed constant through-in the CRAC code out the accident sequence.

Equipment:

CRD injection water Because of their relatively small capacity, the CRD pumps are not included in the ar.alysis.

There are, however, some conditions which would benefit from the CRD pump flow:

Manual shutdowns with gradual power reductions Injection after decay heat has been reduced Containment:

Containment failure Lower pressures than used for containment failure lead to:

a. shorter retention time for fission products

b. shifting of Class III events to Class IV Molten core reaction An area of uncertainty is the deposition of '

molten core after it fails the RPV. It is uncertain what portion of the molten core may:

- drop onto the diaphragm floor in one coherent mass

Reproduced from Table 3.8.1 of the Limerick PRA.

7-64

Table 7.24 (cont.)

Subject Assumption used in the LGS Analysis I

Molten core reaction - fragment and disperse around containment from (cont.) blowdown of RPV if a large blowdown force occurs

- stay inside the pedestal region of the i diaphragm floor l

l

- melt through the diaphragm floor vents and drop into the suppression pool causing steam explosion (s) .

Molten core In some of the dominant sequences, the oxide layer is predicted to freeze. The implication of this layer is uncertain. In the Limerick

! analysis, the vaporization release period is considered to occur whether or not the oxide layer freezes; therefore, the radioactivity release fractions are larger for those cases with the oxide layer freezing.

Release Fraction

REACT / CORRAL model

Melt release The REACT model assumed that only 50% of the available radionuclides could be released. This assumed to cover plateout, etc. This has little effect since the bulk of the material release

occurs from the vaporization release.

Ex-Plant Effects:

Plume dispersion The model used to define the narrowness of the plume as it traverses large distances (s20 miles) has not been verified experimentally.

Evacuation model The assumption that large numbers of people can be informed, motivated, and actually move away from a site has not been demonstrated for a large metropolitan area.

Shielding An appreciable portion of the effects on the

, public comes from gamma ray cloudshine. The I degree of shielding is a function of the loca-tion of the population and the type of struc-tures they occupy.

7-65

Table 7.25* Summary of Areas of Uncertainty Having a Moderate Effect on the LGS Early Fatality CCDF.

Subject Assumption used in LGS Analysis Data:

Meteorological data A five year sample of data (1972-1976) is used i to characterize the LGS weather patterns. Sharp I changes in future weather patterns are not l included.

I Containment: ,

RPV failure The manner in which the RPV fails is uncertain.

The INCOR method, modeled for a PWR, assumes that the RPV ruptures from the stress of the molten core rather than melting through. This model allows the entire bottom head of the ves-sel to fail at one instant. Other methods as-sume failure from melting, but the manner of melting is also uncertain.

Release Fraction REACT / CORRAL Model:

Radioactive releases Both REACT and CORRAL use the WASH-1400 values for best estimate percent releases for each group of radionuclides. These values are uncer-tain, and recent experimental data indicate the larger numbers are conservative and the low es-timates may be low. Group 4, tellurium, is especially considered to be uncertain since its release in WASH-1400 is for LOCA events. This directly effects the amount of the release, for it determines the cladding reaction, which de-termines the amount of tellurium that will be rel eased . The values for tellurium fran WASH-1400 used in the Limerick analysis may be overestimated.

Ex-Plant Effects:

Threshold effect in early The applicability of a given threshold L fatalities strongly dependent upon the health of a person and the degree of medical attention received once exposed. In addition, changes in the threshold may affect the calculated number of early fatalities.

Reproduced from Table 3.8.2 of the Limerick PRA.

7-66

l l

Table 7.25 (cont.)

Subject Assumption Used in LGS Analysis Duration of radionuclide The release of all the radionuclides calculated release by CORRAL to escape for each containment failure mode and accident sequence is assumed to occur over a 30-minute period. This is longer than the WASH-1400 3-minute " puff"; however, the actual release for most accident sequences may

be even longer.

1 Table 7.26* Summary of Areas of Uncertainty Having a Potentially Significant Effect on the LGS Early Fatality CCDF.

Subject Assumption Used in LGS Analysis Containment:

Decontamination Despite continued research into the behavior of factors different radionuclide species under postulated accident conditions, there is insufficient ex-perimental information available to precisely define the decontamination factors. The values utilized in the LGS analysis appear to be conservative.

Reproduced from Table 3.8.3 of the Limerick PRA.

l l

1 7-67 i

and IV sequences. The effects of an alternative core meltdown scenario are assessed in Section 7.3.3. The impact of actinide decay is described in Sec-tion 7.3.4. In Section 7.3.5 the impact on risk of steam explosions is dis-cussed. Finally, we attempt to define an uncertainty band in Section 7.3.6.

7.3.1 Appropriateness of Combining LOCAs with Transient In reviewing the appropriateness of the binning of accident sequences, it was noted that the transport of fission product radionuclides was markedly I different between transients and LOCAs (see Section 6.2.1). There are LOCAs in all four generic accident sequence Classes I through IV. These sequences are small fractions of the total core melt frequency. The fraction of each accident sequence class that is due to LOCAs -is given below (based on the PRA 4 results):

Class % of Class that is due to LOCAs I < 0.3%

II 6.7%

III < 0.2%

IV 3.1%

Based upon the small fraction of Classes I and III that are LOCAs, only Class II and Class IV LOCAs were analyzed to assess the impact on the release frac-tions. In the Class II sequence (designated AJ) a large LOCA occurs followed by successful coolant injection. However, the containment heat removal func-tion fails and the containment slowly pressurizes and fails at 155 psia. The containment failure is assumed to cause a loss of injection and subsequent core melt. This is the conservative assumption used in the PRA because there is some probability that injection would successfully continue following con-tainment overpressure failure. In the Class IV sequence (designated AC) there is a failure to scram following a large LOCA. Again, successful coolant in-jection prevents core overheating and loss of containment heat removal causes containment fail'ure because of overpressurization. Upon containment failure, the coolant injection is assumed to fail and the core subsequently melts.

7-68 I

l

New release fractions for the Class 11 and Class IV LOCAs are calculated in l Section 7.3.1.1. The impact on risk is assessed in Section 7.3.1.2.

7.3.1.1 Determination of Release Fractions Of the Class 11 sequence frequency 6.7% comes from a large LOCA, denoted here as TWAJ. The MARCH modeling for this sequence includes the following assumptions:

Containment heat removal function is unavailable from start of j accident.

- Blowdown to the drywell occurs within one minute, raising the pressure l

to 440 psia. Blowdown data are obtained from the FSAR.

l

- Rapid reflood of the vessel occurs with the low and high head ECC pumos.

- Slow pressurization of the containment occurs followed by failure of containment at a pressure of 155 psia and depressurization through a 2-ft2 hole in the drywell . If a 0.208-ft2 hole were used, then little change from the audit Class II consequences would result.

- The DF of the pool was assumed to be 10 for elemental iodines, which is the same as in the audit calculations.

i The timing for the key events from the MARCH calculation is shown in Table 7.27.

Table 7.27 Timing of Key Events for Class II Large LOCA.

Event TWAJ i Containment failure (hr) 24.9 Core melt begins (hr) 28.5 l Core melt ends (hr) 30.43 l

j Head failure (hr) 31.58 l

7 Time to penetrate 36.1 70 cm of diaphragm floor (hr) l 7-69 l , - - . _ _ _ _ . .-- . . _ ~ . _ . . - - - . . . --

Although these timing points are similar to the TW sequence (refer to Table 7.14), the consequences are not similar because of the lack of scrubbing of the iodine, which is released to the drywell through the large pipe break and then directly to the environment. If we had assumed a Y' containment failure in the wetwell, then the fission products initially released to the drywell would be scrubbed by the suppression pool before escaping to the en-vironment resulting in lower release fractions.

For the CORRAL calculations of the Class II LOCA, the timing of the MELT release as well as the thermocynamic conditions in containment were ob-tained from MARCH in the usual way. The calculated release fractions are shown in Table 7.28. The VAPORIZATION release, starting at head failure, was the same as the RSS release. Scrubbing of the iodine by the suppression pool was only included in the flow from drywell to wetwell . The OXIDATION release was not included in the CORRAL run, but its impact was estimated from the TW run and added to the CORRAL releases.

The release categories calculated fce a Class IV LOCA-ATWS are shown in Table 7.28. Basically, the same blowdown data were used as in the Class II LOCA, but the core power was assumed to remain at 30% until the core uncovered and then the uncovered portion followed the decay. heat curve. When contain-ment fails owing to overpressure, ECC injection was assumed to also fail .

The main difference between the release fractions calculated for tran-sients and LOCAs is the' quantity of iodine released. Very little of the io-dine release during LOCAs would be scrubbed in contrast to $90% scrubbing for transients. This increased iodine release would result in an increase in thy-roid cancers.

7.3.2 Equipment Survivability There are two generic accident sequence classes (II and IV) for which the LGS-PRA used high pressure injection as the successful injection mode in the event trees. The following sections briefly describe why this is in-appropriate.

7.3.2.1 Class II Class II accident sequences involve transients or LOCAs with loss of containment heat removal. Either the high pressure or the low pressure ECCS 7-70

Table 7.28 Comparison of Release Parameters of Classes II and IV LOCAs and Transients.

Class II Class IV Transients LOCA* Transients LOCA*

l Xe-Kr 1.0 1.0 1.0 1.0 l 01 .008 .008 0.0 .007

! I .150 .823 .154 .823 l Cs .549 .687 .749 .75 l Te .7 64 .83 .747 .75 Ba .060 .078 .086 .086 Ru .132 .139 .110 .11 La .01 .01 .010 .01 is assumed to function for these sequences. Both high pressure systems, HPCI an RCIC, are steam turbine driven pumps with the turbine lube oil system cooled via diverted pump discharge water. Thus, when the suppression pool water reaches a temperature greater than 200*F, the lube oil will also be at a temperature greater than 200*F. Convers?tions with a turbine manufacturer (Terry Turbine, Inc.) indicated that at lube oil temperatures greater than 180*F to 200*F, the oil will rapidly break down causing the turbine shaft bearings to fail. Some sequences, as presented in the PRA for Class II (see Figure C.11 on page C-31), have the high pressure system operating for approx-imately 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months . At approximately 7 hours8.101852e-5 days 0.00194 hours 1.157407e-5 weeks 2.6635e-6 months after accident initiation, the suppression pool water, which is being pumped into the reactor vessel via HPCI or RCIC, is greater than 200 F. In fact, at 30 hr the PRA shows a pool tem-perature near 350*F. In order to properly represent these sequences, BNL has defined two Classes, namely, Class II-high pressure and Class II-low pressure sequences. For Class II-high pressure sequences, the high pressure ECCS is failed when the suppression po01 reaches 200*F and the low pressure systems are postulated to be unavailable. For Class II-low pressure sequences, at the time of high pressure ECCS failure due to high suppression pool temperature, the ADS and LP ECCS are postulated to be operable. Owing to loss of contain-ment heat removal, these low pressure sequences result in a slow overpressuri-zation failure of the containment and subsequent core melt.

7-71

Thu:, Class II-high pressure sequences are now represented by a core melt in an intact containment, which more closely resembles Class I sequences. The Class II sequences shown in Table 7.29 were further analyzed to determine which of them should be transferred to Class I. Because of.the low failure rate of the low pressure systems, an insignificant transfer from Class II to Class I would result.

Table 7.29 Class II Sequences That May Be Inappropriately Binned.

Sequence PRA Probability TT QW (Q) 2.7 x 10-9 TT PQW(PQ) 7.8 x 10-9 TF QW (Q) 1.6 x 10-7 TF PQW (PQ) 3.7 x 10-8 TI W 6.8 x 10-8 TT C'W (C') 5 x 10-8 S1 QW (Q) 1 x 10-9 TOTAL 3.27 x 10-7 An additional concern is related to the operability of the MSRVs in the manual r. ode with containment pressure above 100 psig. BNL has not accounted for this fact in its analysis because it has no effect on core melt frequency and only a minor effect on the risk presented by LGS. This concern was dis-cussed more fully in Section 6.3 of this report. This effect would effec-tively cause all Class II sequences to result in a melt in an intact contain- l ment as opposed to a failed containment.

7.3.2.2 Class IV Class IV accident sequences involve transients with loss of scram func-tion and loss of containment heat removal but having coolant makeup capabil-ity. As described in the discussion for Class II sequences, when the 7-72

I suppression pool reaches 200*F, the HPCI and RCIC are assumed to fail owing to loss of lube oil cooling. For sequences in which the high pressure ECCS func-tions, the suction for the pumps switches from the condensate storage tank to the suppression pool when the suppression pool level increases approximately 5 l inches. This occurs within 5 minutes from the start of the transient. In less than 20 minutes, the suppression pool has reached 200*F. The sequences, as presented in the PRA (see Figure C.13 on page C-32), allows the high pres-sure system to function until the containment fails (approximately 40 minutes) at which point the suppression pool has reached approximately 370'F. In order to properly represent these sequences, BNL has split them into two cases. In one case, the high pressure system is failed prior to containment failure, thus placing these sequences in Class III rather than Class IV. Class III se-quences are those in which the core melts in an intact containment. The other group remains in Class IV as presented in the PRA. The Class IV sequences j shown in Table 7.30 should be transferred to Class III because of the above

! reasons.

Table 7.30 Class IV Sequences That May Be Inappropriately Binned.

Sequence PRA Probability Ty2 Cg PW2 6.8 x 10-9 Tp2 CM W12 3.6 x 10-8 Tp2 Cg U W12 2.4 x 10-9 TF3 Cg P W2 4.9 x 10-9 TE3 CM PW12 2.8 x 10-9 3

TE Cg U W12 1.4 x 10-9 TE4 CM UW12 5 x 10-10 l TI CM W12 1.1 x 10-9 4

TI Cg PW2 6.4 x 10-9 TOTAL 6.23 x 10-8 7-73 l

Thus, Class III and IV probabilities for core melt would change as shown below:

Class PRA Revised % Change III 1.1 x 10-6 1.2 x 10-6 +6 ,

IV 1.3 x 10-7 6.8 x 10-8 -48 The procedure used in the PRA is thus conservative since the consequences l I

from Class IV are worse than those for Class III.

7.3.3 Early Release of Core Debris into Suppression Pool In Section 7.1.1.1 we noted that an alternative core meltdown scenario was suggested in NRC question PRA H.08 that is a significant departure from the analysis described in the PRA. This new scenario was proposed late in our review but we consider it to be of such importance that we have attempted to assess how it might impact risk. In view of the time limitations, it was nec-essary to restrict our analysis to the Class I sequence. Initially, we re-calculated the Class I scquence using MARCH, assuming that all of the core de-bris passes through the diaphragm floor after RPV failure. This core debris was then brought into thermal equilibrium with the %8x106 lb of water pre-sent in the suppression pool at that time. There is communication between the inside and outside of the pedestal wall (in the wetwell) via eleven 2-ft-diameter holes and a doorway. This calculation assumes that this is a suffi-cient flow area to allow vigorous circulation and condensation of the steam by the bulk of the suppression pool water. The MARCH calculations indicated that the pool remained subcooled even when the core debris was completely quenched.

The MARCH analysis of this new scenario is shown in Figure 7.13. The contain-ment pressure appears to be leveling off after about 2 days at s95 psia which is well below the predicted failure pressure of the Limerick containment. I C,onsequently, on the basis of the above assumptions, containment failure by overpressurization would be on a very long time scale for Class I sequences.

This would have a very significant impact by reducing the risk associated with Class I sequences.

However, we are concerned about including all of the suppression pool water in the initial energy balance as the core debris drops into the pool.

7-74

100 . i 2

G e.

W 8

N O h E 50 -

2 f

8 l 10 i i j 0 1000 2000 2800 l TIME (filNUTES) i i

i l

Figure 7.13 Containment Pressure History for Class I Sequence Assuming New Core Melt Scenario.

e An alternative scenario assumes that most of the core debris would fall through the diaphragm floor inside the pedestal region. This in turn implies that the core debris would initially contact only the water in the suppression pool inside the pedestal wall, approximately 500,000 lb of water compared with about 8 x 106 lb in the entire suppression pool. This alternative scenario might involve pressurization of the wetwell air space by the core debris / water interactions inside the pedestal wall . If the rate of steam production could be relieved through the vacuum breakers, then pressurization of the drywell could occur without significant condensation of the steam in the bulk of the suppression pool. Condensation on the surface of the suppression pool is not a very efficient mechanism for absorbing the steam that would result from the core debris / water interactions.

In order to assess the impact of this alternative scenario, some very simple hand calculations were performed. The total internal energy associated with 100% of the core debris was assumed to be brought into thermal equilib-rium with two quantities of water, namely, a) the quantity of water in the suppression pool inside the pedestal wall (500,000 lb),

b) the quantity of water just sufficient to bring the core debris temperature down to the pool temperature (225,000 lb).

The quantities of steam resulting from the above calculations were then added to the wetwell and drywell airspaces without further condensation in the suppression pool to give an upper bound on the pressurization that might be achieved as a result of the initial core debris / water interactions. The cal-culations were repeated assuming that only 50% of the core materials drop into the suppression pool. The results are given in Table 7.31.

The results of the calculations in Table 7.31 mean that we cannot ignore the possibility that the steaming rates associated with the initial core de-i bris/ water interactions could pose an overpressurization threat to the con-tainment. Clearly, further detailed calculations are needed to quantify the containment pressure history during the initial interactions of the core de-bris with the suppression pool water.

7-76

Table 7.31 Potential Containment Pressurization During Core Debris / Water Interactions.

Containment Pressure (psia)

Quantity of Water Interacting with 100% of the with 50% of the with Corg Debris, lb core debris core debris 225,000 270 160 500,000 200 130 l

l l

An additional consideration that could also affect our analysis of Class I sequences is that, for the sequences in which depressurization of the reac-tor vessel fails, the high primary system pressure prevents low pressure ECC >

injection. As t'n e core debris penetrates the vessel and depressurizes the primary system, the low pressure ECC systems could inject up to 50,000 gpm of water into the RPV. The impact of this water flow on the ex-vessel core melt-down progression has yet to be determined and was neglected in the PRA. Note that these sequences represent a large fraction of the Class I probability.

i We feel that this effect should be further analyzed. However, we have deter-mined that the influence on risk of this water flow is within the band of un-certainty established in Section 7.3.6.

7.3.3.1 Determination of Release Fractions In view of the uncertainty associated with the containment pressure his-tory during the initial interactions of the core debris and water, two lim-iting calculations were performed. The first assumes that the containment l fails as a result of the steaming rates associated with the initial core de-bris/ water interactions at vessel failure. A second case assumes that the containment failure does not occur at vessel failure.

l If the containment fails during core debris / water interactions shortly l

after RPV failure, the release fractions could be significantly increased.

l The combination of a large 0XIDATION release immediately followed by a failed containment would mainly enhance the release of Te and Ru. If hold up of fis-sion products in the primary system is assumed until RPV failure occurs, then large releases of 12 and particulates would also be expected. A CORRAL cal-culation was therefore performed based on the following assumptions:

7-77 a,

a) hold up of 70% of all fission products in the RPV until head failure; b) large 0XIDATION release due to the large quantity of core debris falling into the suppression pool leading directly to containment failure; c) no flashing of the pool. l The release fractions obtained from CORRAL are included in Table 7.32.

An estimate was made of the release fractions that might be appropriate I to the scenario in which containment failure is prevented. We assume fission product release from the containment to be via leakage and assume that the SGTS removes the particulates. This results in the very low release fractions included in Table 7.32.

Table 7.32 Comparison Between Release Parameters for Early Release of Core Debris into Suppression Pool (TQUX).

Fission Product Early Release Through Failure SGTS Xe-Kr .863 0.991 01 .0061 .0066 I .421 0.0 Cs .379 0.0 Te .104 0.0 Ba .047 0.0 Ru .017 0.0 La .0014 0.0 Time of release (hr) 3.0 5.32 ;

Duration of release (hr) 2.0 2.0 Warning time (br) 1.25 3.48 l

Energy of release (cal /s) 8.4E+6 8.4E+6 Height of release (m) 25 25 I

l 7-78 sa_

7.3.3.2 Impact on Risk Based on the above release fractions, two further consequence calcula-tions were perfonr.ed. The results are included in Table 7.33. If one assumes l

an early failure of containment, the latent fatalities are increased by ap-l proximately 4 and the thyroid cancers by approximately 15. Also, the early l failure assumption results in acute fatalities for this sequence. Note that our audit calculations predicted no acute fatalities. However, if we assume that containment failure is on a very long time frame, then risk is reduced dramatically. There are obviously no early fatalities and latent fatalities decrease by a factor of about 140.

l l

Table 7.33 Comparison of Consequences for Early Release of Core Debris into Suppression Pool .

Latent Thyroid Acute Sequence Fatalities Cancers Fatalities TQUX 2160 104 -

Early failure 9420 1510 1.4 of containment No fail 15.8 1.5 -

7.3.4 Impact of Actinide Decay l

MARCH 1.1 utilizes the decay heat curve from the 1973 ANSI Standard.(9)

For a sensitivity study, a new decay heat curve, based on ANSI /ANS-5.1-1979, (10) was substituted. This curve is similar to the new decay heat curve which is to be used in MARCH 2.0. The major difference in the new decay heat curve is the inclusion of decay heat power from U-239 and Np-239. An addi-l tional difference is the inclusion of the effect of neutron capture in fission I

products during reactor operation. Calculations were performed to measure the effect of this new decay heat curve on the integrated energy added to the con-tainment up to 105 seconds (27.7 hr). The added energy is approximately 7-79 n __ _ _-.

227,above that of the old decay heat curve. The major effect is due to the heat added by Np-239 which has a relatively long half-life of 2.35 days; this accounts for approximately 17% of the additional energy. The remaining 5% is due to the inclusion of the effect of neutron capture in fission products.

This added energy has a major impact on the time to containment over-pressure failure in Class II sequences (TW). Figure 7.14 shows two TW MARCH calculations using the two decay heat curves discussed above. The new decay heat curve predicts a containment failure time of $29.5 hr, about 9 hours1.041667e-4 days 0.0025 hours 1.488095e-5 weeks 3.4245e-6 months j earlier than when the MARCH 1.1 decay heat curve is used. This earlier failure would also shorten the time to core melt, vessel failure, and core /

concrete interactions which could aggravate the consequences for TW. Further-more, the earlier containment failure also decreases the probability of re-storing the containment heat removal systems.

7.3.5 Impact of Steam Explosions on Risk In Section 7.1 we discussed the containment failure mode and consequence analysis in the LGS-PRA. In Table 7.10 we indicated the contribution of the five release categories used in the PRA to acute fatalities, and it is clear from that table that the 0XRE release category contributes 41% to acute fatal-ities. The 0XRE release category combines the probabilities of steam explo-sions and H2 detonations. From Table 6.2, it may be noted that steam ex-plosion probabilities contribute 66% to the total probability of the 0XRE category. Consequently, steam explosions contribute 27% to acute fatalities.

Note that the above calculations were provided to BNL by GE staff and are based on the accident sequence frequencies, containment event trees and con-tainment failure mode and consequence analysis in the LGS-PRA. Also, the i

consequences were based on in CRAC Qalculations using weather data for five years (1972-1976).

In Section 7.2.3.1 we benchmarked the consequence analysis in the LGS-PRA against calculations using the BNL version of the CRAC code. The same five release categories and their associated probabilities identified in the LGS PRA wer'e used in the CRAC calculations. The results of these CRAC calcula-tions, using weather data only from 1975, are indicated in Table 7.21 (for acute fatalities). The 0XRE release category contributes to 57% of the acute fatalities if the BNL version of the CRAC code is used. From Table 6.2 it can 7-80

160 , ,

/l

with actinide decay f'I

/ I

$ 120 -

without actinide / l p decay /

l

~

/ \

d / '

5 '

l0 80 #

e / -

' \

/ g w /

/

\

~ E / \

~ s N $ 40 -

s' \ ~

5 u

/

\

N 0 i n 0 1000 2000 2400 TIME (MINUTES)

Figure 7.14 Comparison of Pressure Histories of Class II Sequences With and Without Actinide Decay.

be concluded that steam explosions contribute to 38% of all acute fatalities.

However, in Section 6 we expressed concern regarding the binning of all steam explosion failure modes into the 0XRE release category. We also revised the probability of steam explosions for those accident classes in which the core melts down into a failed containment (namely, Classes II and IV). In this section, we assess the effect of steam explosions only on acute fatalities since latent fatalities are dominated by the CPREL category.

I To determine the validity of binning all the steam explosion releases l into the 0XRE release, the following procedure was adopted. Mean acute and latent fatalities were determined for the four components comprising the 0XRE release, i.e., (C +C 3 1)a, C 2 , C 4a and (C 1+C2+C3 +C 4 )Bu'. These determina-tions were carried out using the LGS-PRA release parameters and the BNL CRAC code. The mean values determined in this manner were then multiplied by the LGS-PRA determined probabilities associated with the respective release. This multiplication results in the risk for a particular release.

Table 7.34 compares the calculated acute fatalities based on the original binning procedure in the LGS-PRA with acute fatalities determined by using the four individual steam explosion release parameters. From an inspection of Ta-ble 7.34, it is apparent that the increase in acute fatalities calculated when using the four individual steam explosion release catego' ries is only about 10%. It appears that the binning procedure adopted in the LGS-PRA is reason-able based on the probabilities calculated in the LGS-PRA.

The above discussions were based on probabilities as determined by the LGS-PRA. In Chapter 6 of this report, an alternative set of probabilities has been determined, and these can be used to determine the change, if any, of the risk profile. In carrying out this analysis, one of the set of means has to be redetermined to reflect an alternative ex-vessel steam explosion scenario. 1 The scenario in question is the (C +C 1 +C 2 3+C4 )su sequence, which in the BNL analysis would be characteristic of an ex-vessel steam explosion, involving j only 10% of the core material . Thus, the release fractions of tellurium and

. ruthenium in the 0XRE release were reduced to reflect this situation. The re-sults of these calculations are shown in Table 7.35. In the case of acute fa-talities it is clear that the (C +C )a 1 sequence 3 now becomes the dominant contributor to risk with C 4 Y following.

7-82

f Table 7.34 Effect of Steam Explosion Binning on Risk.

Acute Fatalities (for the Year 1975)

Binning Based on Probabilities Binning Used in PRA Four Components Sequence Based on of OXRE PRA Means Risk Means Risk CY4 6.4E-8 75.4* 4.83E-6 75.4* 4.38E-6 C4 Y' 5.6E-8 68.9* 3.86E-6 68.9* 3.86E-6 C4Y" 6.3E-9 138.0* 8.69E-7 138.0* 8.69E-7 (C3+C g )a 1.31E-8 h 212.0** 2.78E-6 Ca2 9.6E-10 96.7*** 4.21E-6 79.5** 7.63E-8 Ca4 1.3E-10 k 94.3** 1.23E-8 (C1+C2 2.98E-8 96.7** 2.80E-6

+C3+C 4 )Sp' j l

TOTAL 1.38E-5 1.52E-5

Based on BNL release fractions and BNL CRAC code.

- Based on LGS-PRA release fractions and BNL CRAC code.

- - Based on LGS-PRA release category OXRE and the BNL CRAC code.

t 7-83 i

From an inspection of Table 7.35 it is apparent that in-vessel steam explosions now account for about 50% of the risk from acute fatalities. Al -

though the BNL review significantly increased the probability of ex-vessel steam explosions, their impact on acute fatalities is now relatively small (approximately 1%) because the release parameters used in our analysis assumed that only 10% of the core debris is involved in the explosion. However, the in-vessel steam explosion release parameters and their conditional probabili-ties (refer to Chapter 6) remained unchanged in the BNL review. The increased j probability of these releases in Table 7.35 is due entirely to the increased frequencies of the accident sequences is determiried in Chapter 5.

7.3.6 Uncertainty Band In this section we attempt to establish an uncertainty band associated with core meltdown phenomena and the determination of release categories.

This uncertainty band is based on the analyses reported in Sections 7.3.1 through 7.3.5 above. Table 7.36 indicates our present estimate of the band of uncertainty in this area of the Limerick PRA. We consider mean acute fatali-ties and mean latent fatalities.

The upper and lower uncertainty bounds in Table 7.36 indicate that the present BNL audit calculations are significantly closer to the upper bound than to the lower bound for latent fatalities. The upper bound was determined by assuming that most of the core debris falls into the suppression pool after vessel failure and that the resulting rapid steaming fails containment. In addition, we must also assume that most of the fission products associated with the melt release are discharged from the primary system after RPV failure and shortly before containment failure. These assumptions correspond to the early containment failure case considered in Section 7.3.3. This case applies primarily to Class I sequences and increases the mean latent fatalities to 9420 and the mean acute fatalities to 1.4 (note that in the audit calcula-tions, this category was calculated to have zero acute fatalities). The upper bound in Table 7.36 wcs primarily obtained by increasing the risk associated with Class I sequences as described above. The remaining release categories were not changed. We consider this upper bound calculation to be extremely conservative.

7-84

Table 7.35 Effect on Risk of BNL Changes in Steam Explosion Probabilities.

Acute Fatalities (for the Year 1975) l Probabilities Based on Sequences BNL Review Means Risk l

CY 4 1.4E-7 75.4* 1.06E-5 C4Y' 7.1E-8 68.9* 4.89E-6 C4Y" 7.1E-8 138.0* 9.79E-6 (C3+C y )a 9.8E-8 212.0** 2.08E-5 .

Ca 2 2.1E-8 79.5** 1.67E-6 Ca 4 3.2E-9 94.3** 3.02E-7 (C+C+C+C)Su' 1 2 3 4 4.3E-7 0.604*** 2.59E-7 i

TOTAL 4.84E-5

Based on BNL release fractions and BNL CRAC code.

i ** Based on LGS-PRA release fractions and BNL CRAC code.

~

j ***BNL-modified ex-vessel steam explosion release.

i I

7-85

, _ _ . _ _ . , . - . , ,_.m +, . __-

The lower bound in Table 7.36 is based on the no fail case considered in Section 7.3.3 for Class I sequences. There are no acute fatalities for this case (refer to Table 7.33) and latent fatalities decrease by a factor of about 150. We did not reduce the risk associated with the OXRE and Y" release Cate-gories, but the Classes II, III, and IV-Y and -Y' release categories were re-duced by a factor of 3 to reflect the higher suppression pool decontamination factors suggested by the recent GE experiments. The lower bound could change j because we have not had time to assess the uncertainties in the Classes II, III, and IV sequences with the same degree of detail that has been devoted to Class I.

Table 7.36 Uncertainty Bands Associated with Core Meltdown Phenomena and Fission Product Behavior.*

V'an Mean Acute Fatalities Latent Fatalities Upper estimate 2.38 (-5) 6.83 (-2)

BNL audit calculations 1.38 (-5) 1.77 (-2)**

(BNL CRAC model, BNL release fractions)

Lower estimate 4.2 (-6) 1.22 (-3)

- Assumes no flashing of the suppression pool at containment failure for Class I sequences.

Based on Accident Sequence Probabilities and Containment Event Trees in LGS-PRA.

1 In summarizing this section on uncertainties, it is clear that core meltdown phenemona are the single biggest contributor to the uncertainty band. This is'in direct contrast to the PRA in which it was concluded that core meltdown phenemona would have only a minor effect on uncertainty.

7.4 Summary Initially, in this section, we described how the failure mode and con-sequence analysis in the Limerick PRA was actually performed. This was 7-86

necessary because the procedure adapted by PECo was not clearly described in the PRA. Indeed, the scrutability of this area of the PRA is one of our con-cerns. It was late into our review before we determined exactly how the prob-abilities of the various failure modes were allocated to the release cate-gories used in the consequence analysis. It was impossible to find this out from a reading of the PRA, and several meetings and conference calls were needed. The PRA could benefit greatly from a more detailed and accurate des-l cription of this area of analysis.

l In Section 7.2 BNL audit calculations were described. In Table 7.37 we compare the results of the audit calculations with the PRA analysis. We con-sider mean acute and latent fatalities. Note that in the PRA the consequence analysis was averaged over five years. We did not consider it necessary to also perform audit calculations for each of the five years. We selected the meteorological for 1975 as being a relatively conservative (i.e., increased risk) year. The PRA consequence analysis for 1975 is therefore also included in Table 7.37 and it is relative to these values that we compared our audit calculations. Note that the 1975 values are slightly higher than the average values but very close. Calculations were performed using the release cate-gories in the PRA with the BNL version of the CRAC code and the results are also presented in Table 7.37. The BNL CRAC model increases total mean latent and acute fatalities by a factor of approximately 3. The results of calcula-tions using BNL determined release fractions and the BNL CRAC model are also included in Table 7.37. The total mean latent fatalities are reduced by about a factor of 2 in the BNL calculations because we assumed that the suppression pool does not flash at containment failure for Class I sequence. It was noted in Section 7.2 that the pool would be subcooled for Class I sequences at con-tainment failure so that flashing of the pool was not physically possible.

The mean acute fatalities increase by a factor of about 2 and are unaffected by assumptions about pool flashing.

In Section 7.3 we attempted to quantify uncertainties in this area of the Limerick PRA. We assessed the impact on risk of not combining LOCAs with transients (PRA assumptions). New LOCA release categories were obtained, which raise the possibility of increased thyroid cancers because of increased todine release. However, as LOCAs represent a relatively small fraction of 7-87 I

the total probability, the increased risk, when multiplied by the appropriate probabilities, would not significantly alter total risk.

Generic accident sequence Classes II and IV use high pressure injection as the successful injection mode in the transient event. We questioned this assumption because high lube oil temperatures could make the pumps inoperative for certain sequences. It was concluded that certain Class II and Class IV sequences should be reassigned but that the procedure adapted in the PRA was conservative because the sequences were binned into a more severe release category then we would have selected.

Table 7.37 Summary of the BNL and PRA Consequence Analysis.

Acute Latent PRA consequences 2.35 x 10-6 1.04 x 10-2 (averaged over 5 years)

PRA consequences - 1975 2.42 x 10-6 le16 x 10-2 PRA releases */BNL CRAC-1975 7.38 x,10-6 3.22 x 10-2 BNL releases */BNL CRAC-1975 1.38 x 10-5 1.77 x 10-2**

With PRA Accident Class Probabilities.

- Assumes no flashing .of the suppression pool at containment failure for Class I sequences.

One of the more important considerations in Section 7.3 relates to the core meltdown phenomena. An alternative scenario has been proposed, which is a significant departure from the original PRA assumptions. The new scenario l assumes that a higher fraction of the core debris passes through the diaphragm floor after vessel failure than assumed in the PRA. The result could be no failure of the containment building for Class I sequences. This results in a

, factor of about 150 reduction in the mean latent fatalities for this particu-lar category. However, the alternative scanario might also result in 7-88 f

contairment failure closer to vessel failure due to the core debris interac-tions with the suppressica pool water. This has the potential for increasing acute andlatent fatalities by factor of about 3. This limiting assumption regarding early containment failure was used to determine the upper uncer-tainty bound.

Finally in Section 7.3, we attempted to define the uncertainty band asso-ciated with core meltdown phenomena and fission product behavior. Our present estimate of the error band is shown in Table 7.36. Note that the upper bound increases risk by only S3 relative to our audit calculations while the uncer-tainty associated with reducing risk is a factor of $15 for latent fatalities.

7.5 References for Section 7

1. R. J. Burian and P. Cybulskis, " CORRAL 2 User's Manual," Battelle Columbus Laboratories, Columbus, Ohio (January 1977).

?. " Reactor Safety Study: An Assessment of Accident Risk in U.S. Commer-cial Nuclear Power Plants," WASH-1400 (NUREG-75/104), USNRC (1975) Ap-pendix VI, p. 13-49.

3. Roger 0. Wooton, "B0Ill, A Computer Program to Calculate Core Heatup and Meltdown in a Coolant Boiloff Accident," Battelle's Columbus Laboratories (March 1975).

4. Walter B. Harfin, "A Preliminary Model for Core / Concrete Interactions,"

Report SAND 77-0370, Sandia Laboratories, Albuquerque, New Mexico (August 1977).

5. D. W. Hargroves and L. J. Metcalfe, CONTEMPT-LT/028: "A Computer Program for Predicting Containment Pressure-Temperature Response to a Loss of I

Coolant Accident," EG8G Idaho, Inc./USNRC Report NUREG/CR-0255 (TREE-1279) (March 1979).

L

6. L. J. Metcalfe et al., " Contempt 4/ MOD 2 A Multicompartment Containment System Analysis Program," TREE-NUREG-1202.

7. R. O. Wooton and H. I. Avci, " MARCH Code Description and User's Manual ,"

Battelle Columbus Laboratories /USNRC Report NUREG/CR-1711 (October 1980).

7-89

8. Memorandum to Albert Schwencer -(NRC, Chief, Licensing Branch #2 DL) from Ashok C. Thadani (NRC, Chief, Reliability & Risk Assessment Branch, DST),

July 29, 1982. Docket Nos. 50-352, 50-353.

9. American Nuclear Society Proposed Standard ANS-5.1, " Decay Energy Release Rates Following Shutdown of Uranium - Fueled Thermal Reactors," October 1971, revised October 1973. ,

10. ANSI /ANS-5.1 (1979), " Decay Heat Power in Light Water Reactors," (August i

1979).

7-90

8.0 ASSEMBLY OF RESULTS AND REASSESSMENT OF RISK In this section the main results of Sections 2-7 are brought together.

Section 8.1 summarizes the LGS risk computation process; Section 8.2 compares the LGS and BNL components that contribute to base case estimates of risk; Sec-tion 8.3 addresses uncertainties in the base case estimates. In Section 7 we noted that an in-depth review of the consequence model used in the LGS-PRA is outside the scope of our review. Consequently, the assembly of results and I assessment of risk in Sections 8.1 to 8.3 de not reflect uncertainties asso-ciated with the site model (CRAC). However, the consequences of severe acci-dents are sensitive to the assumed evacuation model,and for this reason the impact of an alternative evacuation model is examined in Section 8.4.

8.1 Description of How Risk Is Compaf.ed in the LGS PRA The LGS PRA begins its calculation of risk by first determining the frequencies (per year) of twelve selected accident-initiating events. On the basis of these accident-ir.itiating events, core-damage accident sequences are developed and quantified. At this point in the analysis, the LGS PRA has de-termined the frequency (per year) of cach accident sequence (conbination of ac-cident initiators and plant systems malfunctions) that could lead to core dam-age. The total core-damage frequency is obtained by summing the contributions from each accident sequence.

In order to determine offsite health consequences from these accidents, the LGS PRA uses the following procedure.

1) Each sequence is placed in one of four accident classes (Classes I -

IV). Class I describes accident sequences for which the reactor suc-cessfully scrams, but core meltdown occurs in an intact containment building. Class II describes accident sequences for which the reactor successfully scrams, but core meltdown occurs after the containment building fails. Classes III and IV correspond to Classes I and II, respectively, except that the reactor does not scram for Classes III l and IV. The total frequency of each class has been tabulated in the l LGS PRA by summing the frequencies of the accident sequences that are i

assigned to each class.

1 8-1

2) Five radionuclide release categories are defined (0PREL, OXRE, C4Y, C4Y', C4Y") in terms of the composition, quantity, timing, energy, and height of the releases. The (conditional) probability that a given accident class will result in one of these five ralease categories is then detennined.

3) The frequency (per year) of each release category is obtained by sum- ]

ming the products of the conditional probabilities (detennined in Step j

2) with the frequencies of the corresponding accident classes (deter-mined in Step 1).

4) The average number of acute (or latent) fatalities is determined by evaluating the average number of acute (or latent) fatalities that would be obtained for each of the five releases (defined in Step 2),

then multiplying each of the,se consequences by its frequency (deter-mined in Step 3), and finally summing these contributions, by release categories, to obtain the expected nurrber of acute (or latent) fatalities per year.

The LGS PRA displays, in addition to the expected acute and latent fatal-ities (per year of reactor operation), the complementary cumulative distribu-tion function (CCCF) for acute and latent fatalities. The CCDF gives the fre-quency (per year) that a given number of fatalities occurs or is exceeded. The CCDF can be obtained in the above process, if Step 4 is replaced by a detennina-tion of the conditional probability that a given number of fatalities occur or is exceeded for a given release category. This number is then used in place of the expected number of fatalities in Step 4 and the remainder of the calculation proceeds as before. CCDFs are also calculated in the BNL analysis, and the re-sults are given in this section.

The above process is shown schematically in Figure 8.1 and in a precise mathematical form in Table 8.1.

8.2 Comparison of LGS and BNL Results In this section, the various parameters which comprise the computation of risk are gathered from Sections 2 to 7 and compared with the results from the LGS PRA. As discussed in Section 7.3.5, the BNL analysis included a refinement of the release categories for steam explosions in order to obtain a more repre-sentative binning. Accordingly, the 0XRE release category has been replaced by 8-2

categories applicable to the various accident classes (see Table 8.1). Table 8.2 (taken from Table 4.1) gives the comparison of the frequencies of the ini-l tiating events as determined in the LGS PRA and in the BNL review. Table 8.3 l

gives a comparison (from Table 5.24) of the total core-damage frequency and of the core-damage frequency by accident class. Table 8.4 gives the conditional probabilities of the release categories for each accident class as suggested by BNL. Table 8.5 gives these conditional probabilities as they were determined in the LGS PRA. Note that, although we have given the probabilities of all of the steam explosion release categories identified in the PRA, those probabilities were actually combined by PECo (in their final consequence analysis) into the OXRE release category.

From Table 8.1, the frequency of each release category can now be deter-mined by simple (matrix) multiplication. Table 8.6 provides a comparison of the frequencies of the release categories as given in the LGS PRA and in the BNL re-view.

As noted in Section 7.2.3, the LGS PRA offsite consequence analysis con-siderad weather data for a five-year period and obtained an average result. The BNL analysis, on the other hand, considered data from only one of these years, 1975. Table 8.7 shows a comparison of average acute and latent fatalities per release category including the LGS PRA results for 1975, the LGS PRA average re-sult for the five-year period (1972-1977), and the BNL results for the 1975 weather data. Finally, Table 8.8 shows the comparison of the average (per year) acute and latent fatalities for 1975 and the LGS PRA results for the five year period.

l 8.3 Analysis of Uncertainties In this section, the uncertainties in various parameters related to risk are discussed. These are based on the uncertainties in the frequencies of the accident classes as discussed in Section 5, the uncertainties in the accident binning and containment event tree analysis as discussed in Section 6, and the uncertainties in the core meltdown phenomenology and offsite consequence analy-sis as discussed in Section 7.

i 8.3.1 Recapitulation of Intermediate Results l

In Section 5, the uncertainty distribution for the total core damage fre-quency was presented as well as the uncertainty distributions for the core 8-3

damage frequencies for each accident class. These are reproduced here as Table 8.9.

In Section 6, the uncertainties in the conditional probabilities of the five release categories, given a particular accident class, were developed. The results for the suggested, optimistic, and pessimistic contairunent matrices are shown in Tables 8.4, 8.10, and 8.11, respectively. Then, an assessment was made of the change in risk that would result if these contairinent matrices were sub-stituted for the matrix suggested in the LGS PRA. Note that in this calcula-tion, the LGS PRA values for core-damage frequencies and acute (and latent) fatalities per release category were used.

This can be expressed in the matrix language of Table 8.1 in the fol-lowing way. Let RL , HL, C L, PL denote the matrices that correspond to the values used in the LGS PRA. Then, RL=HLLL CP. Furthermore, let CB A

CB U ,CB denote the transposed matrices defined in Tables 8.4, 8.10, and 8.11, respectively. .Then, the optimistic, suggested, and pessimistic values given in Table 6.15 correspond to H CLB A PL , H LBLC P , and H CLB Pt , respectively.

Similarly, the corresponding values in Table 6.14 for the frequencies of the release categories are just CB PL , C BL P , and CBU P-L In Section 7, the uncertainties in the average number of acute and latent fatalities per release categories were assessed. These parameters can be codi-fied into the fonn of the matrix H of Table 8.1. The Upper Estimate, BNL Audit Calculation, and Lower Estimate of average frequency of acute and latent fatali-ties shown in Table 7.36 correspond to computations of the matrix products H

B CLL P , HBLL C P , and H B CLL P , respectively. HB U, HB , and HB are given

)

here in Table 8.12.

{

8.3.2 Uncertainty in Risk l The uncertainty in risk as calculated by BNL can be expressed in tenns of matrices H, C, and P and the probabilities assigned to the upper, lower, and central estimates of each of these matrices.

For the P matrix, we obtain the following matrices based on the BNL results of Section 5:

1 8-4

1 l 4 9.5x10-5 3.3x10-4 l

f.7x10-6 4.5x10-7 4.1x10-6 1.1x10-5 PA=

B PB= Pu.

B 2.6x10-7 3.3x10-6 1.1x10-5 1.7x10-9 3.2x10-7 1,1xio-6 The probabilities of P BU, PB , and PBA are pu =0.05, p=0.9, and p 1=0.05, respectively.

The containnent matrices CBU, CB , and CBA are given in Tables 8.11, 8.4, and 8.10, respectively, and have been given probabilities cu=0.2, c=0.6, and c1 =0.2, respectively.

1 1 Similarly, the upper, central, and lower values for the H matrices are given in Table 8.12 and have been given probabilities of hu=0.1, h=0.7, and hl=0.2, respectively.

While the uncertainty in the P matrix is based, to a large extent, on statistical uncertainties in data, the uncertainty in the H and C matrices are, of necessity, based on subjective evaluations. They were obtained by averaging the independent probability assignments of five of the BNL reviewers for the upper, central and lower estimates of C and H.

l There are twenty-seven combinations of the products of H, C, and P, and a probability (equal to the product of the three individual probabilities) can be assigned to each of these products. The resulting distribution can then be di-rectly used to display the uncertainty in the expected value and in the CCDF of acute and latent fatalities. The results are displayed in Figures 8.2 and 8.3.

8.4 Site Sensitivity Analysis In this section, the sensitivity of selected consequences to changes in the evacuation model are discussed. The consequences to be considered are latent fatalities, acute fatalities, and thyroid cancers. The sensitivity to the evacu-ation model will be detennined for the five release categories used in the BNL l audit calculations in Section 7.2. It was noted in Section 7.2.3 that the RSS l

l 8-5

used an evacuation scheme denoted as 1 in the CRAC computer code. Evacuation Scheme 1 was used by BNL in all of Section 7 consequence calculations. In this section we also assess the impact of using evacuation Scheme 3, which was also described in Section 7.2.3.

The input parameters for the evacuation schemes are shown on Table 8.14.

It is seen that the important parameters which are different for these two schemes are the evacuation distance, velocity, and delay time. The distance of Scheme 3 is 10 miles while 25 miles was chosen for Scheme 1. A speed of approx-imately 1.5 mph was used in Scheme 3; this corresponds to approximately 1.2 mph for Scheme 1. Finally, the delay time was increased from zero to 2 hr for Scheme 3. The remaining changes were felt to be of lesser importance. The five release categories used in this study were C4Y, C4Y', C4Y", OPREL, and OXRE.

The release fractions corresponded to those presented in the LGS-PRA.

It is seen from Table 8.14 that the latent fatalities and the thyroid can-cers are essentially unaffected by the different evacuation schemes. How-ever, in the case of acute fatalities, shown on Table 8.15, it is seen that the difference between the two calculations are large. This indicates the high sen-sitivity of acute fatalities to the evacuation scheme. Finally, it sho'uld be noted that no acute fatalities were calculated for either evacuation scheme for OPREL, which has the highest frequency of occurrence.

8-6

l Select and Quantify Accident Initiators 1

1 \

Develop and Quantify Core- Detennine Damage Accidenr. Sequer.ces Frequency of Core Damage if Group Accident Sequences in Four Classes and Obtain Frequency of each Class I

V Define Radionuclide Release Categories and Determine Condi-I tional Probability That Each Class Will Lead to Each Release if Determine Average

Acute and latent Fatalities for Each Release Cate-gory and Then Compute Frequency of Average Acute and Latent Fatalities

See text for discussion of CCDFs Figure 8.1 Schematic Flow Diagram for Determination of Risk.

8-7

10-5_

10-6, m BNL 95%

i i

BNL POINT ESTIMATE x

Al d 10-7 % RSS-BWR E N W N

! w LGS-PRA

= N 10~8~ s y BNL- 5%

\

" \

N s

10'9~

j AOUTE FATALITIES. X 10-1C 2 3 100 101 10 10 Figure 8.2 Complementary Cumulative Distribution Function for Acute Fatalities.

8-8

BNL 951 10'4 .

BNL-POINT ESTIMATE j

_ * % R$$ 'BWRN N

N N

10-5 LGS-PRA \

- _ y BNL 51

\

x, s \

\

10-6 @~ \

N \

L \

S s\

i3

\

s ;

10-7 --!

S 5

LATENT FATALITIES, X (IN 30 YEARS) 10-8 10 0

l0 I th2 f03 104 Figure 8.3 Complementary Cumulative Distribution Functions for Latent Fatalities.

8-9

Table 8.1 Mathenatical Computation Of Risk Definitions f(i) = frequency of initiator i (per year) l P(Dji) = conditional probability of core damage sequence D, given initiator i P(D) = frequency of core-damage sequence D (per year)

PT0TAL = total core-damage frequency (per year)

P(CLj) = frequency of accident class j (per year)

P(RlCLj) k = conditional probability of release category k, given accident class j P(Rk ) = frequency of release category k a(Rk ) (or t(R k)) = average

number of acute (or latent) fatalities for release category k A (or L) = frequency of average

acute (or. latent) fatalities (per year)

LGS-PRA BNL R

CLt = Class I R1 = OPREL 1 = OPREL CL2 = Class II R2 = 0XRE R2 a = (C3+C1)a CL3 = Class III R3 = C4Y R2b = C2a CL4 = Class IV R4 = C4Y ' R2 c = C4a R5 = C4Y" R2d = (C1+C2+C3+C4)6u' i

R3 = C4Y R4 = C4Y '

R5 = C4Y "

^

Note: The corresponding CCDFs can be substituted here to obtain a different display of risk.

8-10

Table 8.1 Mathematical Computation of Risk (Cont.)

Mathematical Computations 12

, P(D) =

P(Dli)f(i) i=1 f

PTOTAL

=

P(D) (Sum D over all sequences)

D P(CLj) =

P(D) (Sum D over set in Class j; j=I, II, III, D c CL .

J l

4 P(Rk ) = P(Rk lCLj) P(CLj) j=1 M

3 A =

a(Rk ) P(Rk )

k=1 l 5, for LGS PRA

> M=

M i 8, for BNL L

={k=1 f(Rk ) P(Rk ) j Matrix Notation The above equations can be trivially cast into matrix form by defining the P(CLj) to be the elements of a 4x1 matrix P; defining the P(Rk lCLj) to be the elements of a Mx4 matrix C; defining a 2xM matrix H with a(Rk ) as the upper row of elements and with f(Rk ) as the lower row of elements; defining a 2x1 matrix R with elemen'ts A and L. Thus, we have R = HCP (Average Fatalities) = (Average Fatalities / Release Category) x (Release Category / Accident Class) x (Frequency of Accident Class) 8-11

1 I

Table 8.2 Frequency of Initiating Events (per year),

t EVENT LGS PRA Blil REVIEW Transients 9.08 13.02 Turbine trip 3.98 8.17 MSIV closure 1.i 8 1.23 Loss of offsite power 0.053 0.17 10RV 0.07 0.25 Manual shutdowns 3.2 3.20 LOCAS Large 4x10 4 4x10-4 Medium 2x10 3 2x10-3 Small 1x10 2 1x10-2 ATWS 5.92 9.82 Turbine trip F 7 3Y MSIV closure 2.2 2.01 Loss of offsite power 0.053 0.17 10RV 0.07 0.25 i

l 1

8-12

r l

Table 8.3 FreqJenCy Cf Core Damcge (per year).

LGS PRA BNL REVIEW Class I 1.2x10-5 9.5x10-6 Class II 9.6x10-7 4.1x10-6 C1 ass III 1.1x10-6 3.4x10-6 Class IV 1.1x10-7 3.0x10-7 Total 1.5x10-5 1.0x10-4

) -

8-13

Table 8.4 BNL Suggested Conditional Probabilities of Release Categories for Each Accident Class.

I II III IV

.775 .445 .775 0 R1 I

.001 0 .001 0 Ra 2

0 .005 0 0 R2b 0 0 0 .010 R2c CB"

.002 .050 .002 .101 R2d 0 0 0 .445 R3 0 0 0 .223 R4 0 0 0 .223 R5 Table 8.5 LGS PRA Conditional Probabilities of Release Categories for Each Accident Class.

I II III IV

.478 .478 .478 0 OPREL

.001 0 .001 0 R2a 0 .001 0 0 R2b R2 = 0XRE CL= 0 0 0 .001 R2c

.002 .002 .002 .002 R2d 0 0 0 .509 C4Y }

0 0 0 .443 C4Y' 0 0 0 .050 C4Y" 8-14

l l

I I

Table 8.6 Conparison of PRA and BNL Release Category Frequencies.

Release Categories LGS PRA BNL REVIEW 09PEL 6.98x10-6 7.70x19-5 R2a* 1.31x10-9 9.3x10-8 P2b* 9.6x10-10 2.1x10-8 R2c* i.3x10-10 3.2x10-9 R2d* 2.98x10-8 4.3x10-7 C4Y 6.4x10-8 1.42x10-7 C4Y' 5.6x10-8 7.14x10-8 C4Y" 6.3x10-9 7.14x10-8

Note: In the LGS-PRA the probabilities associated with release categories R R2b, R2c, and R2d were combined into release category 8-15

s Table 8.7 Comparison of PRA and BNL Consequences by Release Category.

LGS PRA LGS PRA BNL REVIEW (five-year weather data) (1975 weather data) (1975 weather data)

Acute Latent '

Acute Latent Acute Latent OPREL 0 1.39E+3 0 1.55E43 0 2.16E+3 R2a* 22.4 9.96E+3 5.6 1.10E+4 212.0 2.13E+4 R2b* 22.4 9.96E+3 5.6 1.iOE+4 79.5 1.77E+4 R2c* 22.4 9.96E+3 5.6 1,10E+4 93.4 1.84E+4 R2d* 22.4 9.96E+3 5.6 1.10E+4 0.6 6.62E+3 C4Y 11 3.83E+3 19.2 4.08E+3 75.4 1.40E+4 C4Y' 3.6 2.80E+3 5.7 2.99E+3 69.0 1.40E+4 C4Y" 75.8 5.48E+3 100.5 5.61E+3 138.0 1.29E+4

Note: In the LGS-PRA the probabilities associated with release categories (

R2a, R2b, R2c, and R2d were combined into release category T OXRE; hence, using our matrix notation, the consequences are identical.

O o

8-16

i

(

)

l Table 8.8 Comparison of PRA and BNL Average Acute and latent Fatalities (per year).

Acute. Latent LGS PRA ,

(average weather 2.4x10-6 1.0x10-2 data)

LGS (1975 weather 2.4x10-6 1.2x10-2 data)

BNL REVIEW *

(1975 weather 4.8x10-5 1.8x10-1 data)

BNL frequency, release fractions, and CRAC calculations.

\

1 8-17

r e

Table 8.9 Core-Damage Frequency Distri'o ution.

Point 5% Median Estimate 95%

Total Class I 4.7x10-6 3.3x10-5 9.5x10*S 3.3x10-4 Total Class II 4.5x10-7 2.3x10-6 4,1gjg-G 1.1x10 5 Total Class III 2.6x10-7 1.6x10-6 3.4x10-6 1,1xig-5 Total Class IV 1.7 x10-8 1.1x10-7 3. 0x10- 7 1.1x10 6 Total core damage 6.6x10-6 3,7ylo-5 1.0x10-4 3.3x?O-4

?

4 9

8-18

/

\

Table 8.10 BNL Optimistic Case Conditional Probabilities of Release Categories for Each Accident Class.

1 I II III IV I .108 .010 .108 0 R1 l

.001 0 .001 0 R2a 0 .001 0 0 R2b 0 0 0 .001 R2c

.002 .002 .00? .002 92d 0 0 0 .9G0 R3 0 0 0 .090 R4 0 0 0 .G10 R5 t

Table 8.11 BNL Pessimistic Case Conditional Probabilities of Release Categories for Each Accident Class.

I II III IV

.997 .801 .997 0 R1

.001 0 .001 0 R2a 0 .009 0 0 R2b C"=

B 0 0 0 .010 R2c

.002 .090 .002 .100 R2d 0 0 0 .089 R3 0 0 0 .080 R4 0 0 0 .721 R5 8-19

Table 8.12 H Matrices Used in the Computations for Table 7.36.

For the Upper Estimate R1 R2a R2b R2c R2d R3 R4 R5 A 212.0 79.5 94.3 .604 75.4 68.9 138.0

[1.43 H""

B L 9.42E+3 2.13E+4 1.77E+4 1.84E44 6.62E+3 1.40E+4 1.40E+4 1.29E+4) l For the BNL Audit Calculation A / 0 212.0 79.5 94.3 .604 75.4 68.9 138.0 E$ HB" L 2.16E+3 2.13E+4 1.77E+4 1.84E+4 6.62E+3 1.40E+4 1.40E+4 1.29E+4/

For the Lower Estimate A 0 212.0 79.5' 94.3 .604 0 0 0 H "

B L k1.58E+1 2.13E+3 1.77E+4 1.84E+4 6.62E+3 4.67E+3 4.67E+3 1.29E+4)

l Table 8.13 Comparison of Evacuation Models.

Scheme 1 Scheme 3 Maximun distance (n) 4.04E+4 1.61E+4 Evacuation velocity (m/s) .536 .67 Time lag before evanuatier (hr) 0.0 2.0 '

Radius of circular area evacuated (m) 8.CE+3 8.0E+3 Angle of evacuation 45.0 90.0 Evacuation cost (r.) 95.0 245.0 Criteria of duration of release (m) 3.G 3.0 Distarce moved by evacuees (m) 4.91E+4 2.42E+4 Sheltering radius (m) 4.1E+4 I.61E+4 Evacuation scheme 1.0 3.0 Cloud shielding (stationary) . '71 .75 (noving) .71 1.0 (shdterir.9) .71 ,

.75 (no emergency) .71 .76 Ground shielding (stationary) .29 .33 (moving) .29 .5 (sheltering) .29 .33 (no emergency) .29 .33 Breathing rate (stationary) 2.66E-4 2.66E-4 (moving) 2.66E-4 2.66E-4 (sheltering) 2.66E-4 2.66E-4 (no emergency) 2.66E-4 2.66E-4 8-21

\

Table 8.14 Comparison of Latent Fatalities and Thyroid Cancers for Different Evacuation Schemes.

Schene 1 Scheme 3 4

Latent

Thyroid latent Thyroid Sequence Fatalities Cancers Fatalities Carcers ,

C4Y 1.40E+4 1.25E+3 1.44E+4 1.3CE+3 C4Y' 1.40E+4 1.25E+3 1.43E+4 1 26E+3 C4Y" 1.29E+4 2.21E+3 1.31E+4 2.17E+3 0XRE 1.87E+4 1.37E+3 1.89E44 1.38E+3 2.16E+3 1.04E+2 OPREL 1.75E+3 9.29E+1 Table 8.15 Comparison of Acute Fatalities for Di~fferent Evacuation ~ Schemes.***

Sequence Scheme 1** Scheme 3 C4Y 75 1110 C4Y' 69 1090 C4Y" 138 1240 OXRE 97 231 OPREL - -

0btained from Table 7.22 in Section 7.2.

- 0btained from Table 7.23 in Section 7.2.

- - Table 8.6 gives the frequency of each sequence. 1 1

8-22 4

e

l U.S. NUCLE AR REGULATORY COMMISSION UR[G)bR302$

BIBLIOGRAPHIC DATA SHEET BNL-NUREG-51600

0. TIT LE AN D SUBTITLE (Add Volume No., of apprtverate) 2. (Leave blank 1 A Review of the Limerick Generating Station Probabilistic Risk Assessment 3. RECIPIENT'S ACCESSION NO.

7. AUTHORtS) 5. DATE REPORT COMPLE TED I.A. Papazoglou, R. Karol, K. Shiu, S. Fiannan, MONTH l YEAR L. Lederman, H. Ludewig, W.T. Pratt, R.A. Bari February 1983

9. PERFORMING ORGANIZATION NAME AND MAILING ADDRESS (include lip Codel DATE REPORT ISSUED PAONTH l YEAR Brookhaven National Laboratory Fahrnarv 1QR1 Upton, NY 11973 s (tem uni *i

8. (Leau ! Nank) 12 SPONSORING ORGANIZATION N AME AND malt .ING ADDRESS (inctuor /.o C3*) p ,

Division of Safety Technology Office of Nuclear Reactor Regalation ! U. CJitTRACT NO.

U.S. Nuclear Regulatory Commission A3393 Washington, DC 20555 -

13. TYPE OF REPORT PE %OO COVE AED (inclusera dafril Probabilistic Risk Assessment

19. S.JPPLEVENTARY NOTES 14 (L a* * *

J Pertains to Docket 50. 50-352 _._

16. ABSTR ACT (200 words or less)

A review of the Probabilistic Risk Assessment of the Limerick Generating Station was conducted with the broad objective of evaluating its risk in relation to those identified in the Reactor Safety Study (WASH-1400). The review included a technical assessment of the assumptions and methods used in the Limerick study. It also included a re-evaluation of the main results within the scope and general methodological framework of the study.

This included both qualitative and quantitative analyses of accident initiators, data s

bases, accident sequences which result in core damage, core melt phenomena, fission i product behavior, and offsite consequences. Specific comparisons were made between the Limerick study, the Brookhaven review, and the WASH-1400 reactor for the core damage -

grequency and the average grequencies of acute and latent fatalities. The effect of uncertainties was considered throughout the review process and the uncertainty bands for the risk indices were quantified.

}

i i

l 17. KEY WORDS AND DOCUMENT AN ALYSIS 1 74 DE SC RIP TO RS t

i I

l l

i 17b (DENTIF IE RS OPE N EN DE D TE RMS

18. AV AILABILITY ST ATE MENT 19. SE CURI T Y C LASS ITms reporrt 21 NO OF P AGES Un act d Unlimited 20 se Cu an < u ass < r .i o,,i 22 Price Unclassified s NRC FORM 335 17 77)

_ _ _ _ _ . _ . _ _ _ _ . _ _ _ _

ML20071E002

Contents

Text

1.0 INTRODUCTION

SUMMARY

1.0 INTRODUCTION

1.1 Background

Subject:

SUMMARY

SUMMARY

SUMMARY

Navigation menu

ML20071E002

Text

1.0 INTRODUCTION

SUMMARY

1.0 INTRODUCTION

1.1 Background

Subject:

SUMMARY

SUMMARY

SUMMARY

Navigation menu

Search