ML20086S620

From kanterella
Systems Interaction Evaluation Procedure for Application to Indian Point-3
Person / Time
Site: Indian Point, 05000000
Issue date: 04/30/1981
From: Alesso H, Lim J, Rice T, LAWRENCE LIVERMORE NATIONAL LABORATORY
To: NRC
Shared Package: ML20083L077
References: CON-FIN-A-0405, CON-FIN-A-405, FOIA-83-618, NUREG-CR-2050, UCRL-53024, NUDOCS 8403050029


Text

NUREG/CR-2050 UCRL-53024

Systems Interaction Evaluation Procedure for Application to Indian Point-3

J. J. Lim, H. P. Alesso, T. R. Rice, R. K. McCord, J. E. Kelly

Prepared for U.S. Nuclear Regulatory Commission

LAWRENCE LIVERMORE LABORATORY

DISCLAIMER

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or any agency thereof. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or any agency thereof.

This work was supported by the United States Nuclear Regulatory Commission under a Memorandum of Understanding with the United States Department of Energy.

Available from: GPO Sales Program, Division of Technical Information and Document Control, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555, and National Technical Information Service, Springfield, Virginia 22161.


NUREG/CR-2050 UCRL-53024

Systems Interaction Evaluation Procedure for Application to Indian Point-3

Manuscript Completed: April 1981
Date Published:

Prepared by J. J. Lim, H. P. Alesso, T. R. Rice, R. K. McCord, J. E. Kelly
Lawrence Livermore Laboratory, 7000 East Avenue, Livermore, CA 94550

Prepared for Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555

NRC FIN No. A-0405

ABSTRACT

This report presents a preliminary systems interaction (SI) evaluation procedure that will serve as a guideline for application at Indian Point-3 (IP-3). Undoubtedly, the experience and knowledge gained as a result of the plant evaluation will lead to modification and refinement of the LLNL SI procedure for subsequent use in other areas of the NRC Program.

The Diablo Canyon evaluation, based primarily on expert judgment during an on-site inspection, revealed about 1000 SIs exclusively relating to seismic events. Any analysis broadening its scope beyond seismically induced SIs (like ours) could therefore expect to find more than 1000 SIs.

Our problem, therefore, is to strike a balance in the scope of our study in its application to IP-3. We must keep the SI evaluation procedure tractable without greatly diminishing its thoroughness.

We present an SI evaluation procedure that uses risk assessment techniques coupled with operational experience and engineering judgment to identify and evaluate SIs that violate safety criteria and could lead to core damage. The SIs we are concerned with are of three types of dependent failures: (1) shared support systems, (2) shared environmental conditions, and (3) dynamic human error. We preview our procedure with a suggestion of eight items that should play a central role in any future guidelines: (1) separation, (2) redundancy, (3) diversity, (4) quality assurance, (5) coincidence, (6) communication, (7) operator/instrument interfacing, and (8) safety grade trains. We then present the LLNL three-step SI evaluation procedure with specific application to IP-3.


TABLE OF CONTENTS

1. INTRODUCTION
   1.1 Objective of Report
   1.2 Origin of Study
   1.3 Statement of the Problem
   1.4 Our Approach
   1.5 Our Expectations for Results
   1.6 Organization of Report
2. STEP 1: IDENTIFYING SYSTEMS INTERACTION ACCIDENT SEQUENCES
   2.1 Event Trees
   2.2 Identifying and Grouping IP-3 Sequences
   2.3 Summary of Step 1
3. STEP 2: IDENTIFYING IMPORTANT COMPONENTS
   3.1 Overview
   3.2 Simple Fault Trees for Systems in Accident Sequences
   3.3 Dependency Tables
4. STEP 3: EVALUATION OF SYSTEMS INTERACTIONS LEADING TO CORE DAMAGE
   4.1 Background
   4.2 Approach
   4.3 Major Inputs and Outputs
   4.4 Information Flow in the Ranking Procedure
   4.5 Four Substeps of Step 3
   4.6 Illustrative Example
   4.7 Summary of Evaluation Procedure
5. CONCLUSION
REFERENCES

LIST OF ILLUSTRATIONS

1. Simplified transient functional event tree for pressurized water reactor
2. Class 1 transient system event tree
3. Illustrative event tree for LOCA functions
4. Small-small LOCA event tree
5. Major inputs to ranking procedure
6. Flowchart showing major steps for ranking event sequences

LIST OF TABLES

1. Systems interaction evaluation procedure
2. LOCA functions versus LOCA mitigating systems
3. Transient-initiated core degradation sequences
4. Transient-initiated sequences leading to LOCA
5. Small-small LOCA sequences
6. Shared environmental conditions
7. Shared support systems
8. Dynamic human error

Chapter 1 INTRODUCTION

1.1 OBJECTIVE OF REPORT

A systematic procedure for the identification and evaluation of systems interactions (SIs) is being developed by the Lawrence Livermore National Laboratory (LLNL) for the Nuclear Regulatory Commission (NRC). Such a procedure is needed (1) by the licensee in the development and review of plant design, and (2) by the Nuclear Regulatory Commission in its subsequent assessment of the licensee submittal.

The objective of this report is to present a preliminary SI evaluation procedure that will serve as a guideline for application at Indian Point-3 (IP-3). Undoubtedly, the experience and knowledge gained as a result of the plant evaluation will lead to modification and refinement of the LLNL SI procedure for subsequent use in other areas of the NRC Program.

Related SI studies are also being conducted at Sandia Laboratories (Albuquerque), Battelle Memorial Institute, and Brookhaven National Laboratory. These efforts, along with the LLNL results from IP-3, are intended to contribute to future guidance and regulations addressing the SI issue.

1.2 ORIGIN OF STUDY

The Office of Nuclear Reactor Regulation of the NRC is developing a program to define and subsequently implement SI regulatory requirements for light water reactors (LWRs). The need to design LWRs against adverse SIs was recognized and formally begun in May 1978 [1]. Assessments of Three Mile Island-2 (TMI-2) and other recent events, including those at Browns Ferry-3 and Crystal River-3, have pointed to the need for increased review efforts in this area. Consequently, the NRC contracted with the Battelle Columbus/Pacific Northwest Laboratories, Brookhaven National Laboratory [10], and Lawrence Livermore National Laboratory to review the state-of-the-art in SIs. The three laboratories examined reported incidents from reactor operating experience, defined a set of criteria for SI, and evaluated existing and potential methodologies for the evaluation of SIs. The methods evaluated included some based primarily on risk assessment techniques and others based primarily on the expert judgment of a multidisciplined team after an on-site inspection.

As a result of the state-of-the-art review, the three laboratories unanimously recommended risk assessment techniques such as event tree/fault tree methods combined with walk-through inspections for identifying SIs. Various ranking criteria were suggested for evaluating the SIs once they were identified.

1.3 STATEMENT OF THE PROBLEM

A systems interaction is a sequence of events leading to the violation of at least one vital safety criterion as a result of two or more component failures that are caused by a dependent failure (common-mode or common-cause).

The analysis of SIs in nuclear power plants is an extremely complex problem. There are mechanisms by which a single event can cause redundant equipment and systems to fail. Historically, this type of occurrence has been referred to as dependent failure. Dependency analysis involves system reliability analysis techniques concerned with multiple component failures. This kind of analysis is essentially an extension of single-failure analysis. In single-failure analysis, the analyst searches for a single component failure that will disable the system. In dependent-failure analysis, however, the analyst searches for a single cause that will disable or degrade the system. The elusive nature of dependent failures requires thorough analysis techniques. Yet, the more thorough the analysis, the more complex it is, with cost and time requirements tending to increase with complexity. In addition, complexity is not a guarantee that all significant classes of dependencies have been found.


It is difficult to prove that all contributions to system failure have been considered in an analysis. However, the important question is not whether all contributions have been included, but whether the significant contributions to risk have been included so that the results are insensitive to further contributions.

A probability-based analysis might not detect the significance of low-probability/high-consequence system failure modes or accident sequences. Incorporating consequences into the analysis avoids this problem and has the additional advantage of identifying high-risk sequences that deserve more attention.


In a walk-through analysis, the analyst knows the plant well enough to evaluate the effect on the system of any damaged component or limited combinations of damaged components. The analyst "walks through" the actual plant, scale model, or blueprints, hypothesizing various accidents and estimating their effects.

Such an analysis is the most economical kind and does not need a logic model other than that in the mind of the analyst. Although this kind of analysis can uncover significant dependent failures, no guarantee of thoroughness is possible, particularly thoroughness involving the higher order combinations of components [13]. A detailed analysis to obtain common cause candidates is expensive because it requires the development of a logic model. Although this detailed approach is more complex, it is more thorough.

The Diablo Canyon evaluation, based primarily on expert judgment during an on-site inspection, revealed about 1000 SIs exclusively relating to seismic events. Any analysis broadening its scope beyond seismically induced SIs (like ours) could therefore expect to find more than 1000 SIs.

Our problem, therefore, is to strike a balance in the scope of our study in its application to IP-3. We must keep the SI evaluation procedure tractable without greatly diminishing its thoroughness.

1.4 OUR APPROACH

The LLNL SI evaluation procedure applies risk analysis techniques, coupled with operational experience and engineering judgment, to accomplish the following objectives:

1. Identify SIs that violate vital safety criteria, that lead to core damage, and that are a result of one or more of three types of interaction mechanisms: (a) shared support systems, (b) shared environmental conditions, and (c) dynamic human errors.

2. Evaluate the safety significance or associated risk of each SI identified.

In this SI study, we were limited to three types of dependent failures:

1. Failures due to shared support systems (interconnected),
2. Failures due to shared environmental conditions (nonconnected), or
3. Failures due to dynamic human error.


Shared support systems that lead to SIs usually consist of commonalities in control power, motive power, actuation, cooling, or lubrication. Failures due to shared support systems have received considerable attention and will continue to be addressed in other related NRC studies such as IREP [11]. However, failures resulting from shared environmental conditions such as fire, radiation, temperature conditions, fluid leakage, ventilation, and external events (e.g., earthquakes and hurricanes) must also be considered in SI evaluations.

The third type of dependency, which is more difficult to recognize and evaluate, is human factors. Human factors can be divided into dynamic and latent errors. Dynamic errors are participative actions taken during the accident sequence that exacerbate the casualty. Latent errors involve design, construction, manufacture, and maintenance factors as well as test procedures. Their effects remain dormant until an accident sequence occurs, when they cause an unexpected failure in system performance. Only dynamic human errors will be considered in this report, in accordance with the NRC staff position report [14].

Indian Point-3 is a Westinghouse 4-loop pressurized water reactor with a rated capacity of 965 MW(e). All functional and safety systems are independent of other units on the site, with the exception of the common discharge canal.

This report presents the results of a study undertaken by LLNL to develop an SI evaluation procedure suitable for immediate application to the Indian Point-3 (IP-3) plant. The study was part of the NRC program specifically requested in Section II.C.3 of the Action Plan in NUREG-0660 [13]. The Action Plan further stipulated that LLNL would use the recommendations from the state-of-the-art review in the development of the procedure. LLNL was also directed to follow the suggestion made by the Advisory Committee on Reactor Safeguards to include a two-part approach for the IP-3 SI evaluation: first, an FMEA for interconnected systems and second, a physical walk-through review of the plant for potential interactions between nonconnected systems.

Our SI evaluation procedure strives to identify and assess adverse SIs that violate at least one vital safety criterion and subsequently lead to core damage as a result of a dependent (common-mode or common-cause) failure.

Our main concern is with SIs that can lead to core damage. The NRC has provided four vital safety criteria necessary to prevent core damage [14]:


1. The ability to achieve and maintain the entire core subcritical;
2. The ability to transfer decay heat from the reactor to the ultimate heat sink;
3. The ability to maintain the reactor coolant pressure boundary; and
4. The ability to provide Engineered Safety Features.

In our procedure we find the safety functions necessary to preclude core damage and relate them to the vital safety criteria. Then, we translate these functions into their related safety systems. The accident sequences that we find through the use of event trees are the outcomes of SIs that can lead to core damage. We use simple fault trees to identify important components of the systems. Component sets for the accident sequence are subsequently formed and placed in a dependency table. At this point, a series of walk-throughs of the facility must be undertaken by a multidisciplined team that uses engineering judgment to eliminate unnecessary cut sets and to provide likelihood values for the conditional failure of components for the dependency table. This information is the input to the final evaluation step, which ranks the importance of the systems interactions.

Our procedure is summarized in Table 1.

1.5 OUR EXPECTATIONS FOR RESULTS

Based on operating experience and engineering judgment, some reasonable design and operational practices can be suggested. They provide partial insight into what issues the final regulations on SI should address. It is known that using standard reliability engineering methods to design safety systems for nuclear reactors has resulted in very few system failures that can be attributed to a single independent component fault or to random component faults. The high degree of redundancy in safety systems has led to the actual reliability being limited by dependent failures [16]. Several practices can be used in combination to provide a comprehensive defense against the dependent failures we are concerned with:

1. Separation: The physical separation of systems, in particular those meant to be redundant to each other, is an obvious but vital criterion. Also included in this topic should be insulation of all kinds, such as electrical, thermal (fire resistant), radiation shielding, and resistance to corrosive leakage.


TABLE 1. Systems interaction evaluation procedure.

Step 1
  a. Accumulate and organize complete information for each system safety posture:
     o System description and diagram.
     o System design criteria.
     o System installation history.
     o System operations procedures.
  b. Accumulate and organize complete information for system safety requirements:
     o Formal specifications and requirements.
     o Results of studies for similar systems.
     o File of known accident case histories.
  c. Specify appropriate analyses to demonstrate system capability to meet all formal requirements:
     o Subsystems analyses.
     o Subsystems combinations analyses.
     o Specified accident/transient sequence analyses.
  d. Generate and dissect conceptual major accident scenarios in event tree format:
     o Justify and document judgment decisions.
     o Specify accident sequence analyses where required.
  e. Identify the accident sequences that lead to the undesirable event, core damage.
  f. Group SI accident sequences according to the severity of potential consequences.
  g. Reduce SI accident sequences on the basis of Boolean reduction within the consequence groupings derived.

Step 2
  a. Identify simple fault trees for each system of concern as it is considered in isolation. All single, double, and triple-term minimal cut sets for each system are found by Boolean reduction codes.
  b. Identify combinations of systems failures that lead to the complete accident sequence; identify combinations of component failures that lead to these combined systems failures. These component set failures are the SIs.
  c. Review and correlate all results of individual analyses by conducting a walk-through by a multidisciplined team of experts with emphasis on:
     o Completeness of dependency considerations.
     o Consistent cross-analyses treatment of dependency/common cause factors.
     o Elimination of clearly impossible component sets.

Step 3
  a. Evaluate the importance of these combined component failures by considering the consequences of the resulting accident sequence and the likelihood of the combined component failures due to shared support systems, environmental causes, and/or dynamic human errors.
  b. Provide a statement of the vulnerability of the plant to SIs by ranking these combined component failures in order of importance (i.e., likelihood and consequence).
  c. Prepare final report on detailed SI found and ranked.
  d. Review final report to determine broad classes or types of SI found. This review will aid in subsequent work in the SI area in general.
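As an added illustration of Step 2 of Table 1 (items 2.a and 2.b) and of the component sets and dependency table described in Section 1.4, the following Python is not from the report: it builds a small constructed fault tree for loss of decay heat removal (both M and L fail), finds its minimal cut sets by Boolean reduction, and then folds in a constructed dependency table of support systems so that a shared support failure shows up as a single-term cut set, which is exactly what single-failure analysis of each system in isolation misses. All component and support names are made up for the example.

```python
"""Minimal cut sets by Boolean reduction, with and without a dependency table.

Constructed example (not the report's data): a fault tree for "decay heat
removal fails", i.e. both the Power Conversion System M and the Auxiliary
Feedwater System L fail, plus a made-up dependency table of support systems.
"""
from itertools import product

# Fault tree: gate name -> (gate type, inputs). Inputs are gate names or
# basic events (any name that is not itself a gate).
TREE = {
    "DHR_FAIL": ("AND", ["M_FAIL", "L_FAIL"]),
    "M_FAIL": ("OR", ["M_pump", "M_valve"]),
    "L_FAIL": ("OR", ["L_valve", "L_PUMPS_FAIL"]),
    "L_PUMPS_FAIL": ("AND", ["L_pump_A", "L_pump_B"]),   # two redundant pumps
}

# Dependency table (constructed): component -> support systems it needs.
# bus_A is a control-power bus that, by design oversight, feeds both systems.
SUPPORT = {
    "M_pump": {"bus_A", "SW_cooling"},
    "M_valve": {"bus_A"},
    "L_valve": {"bus_A"},
    "L_pump_A": {"bus_A"},
    "L_pump_B": {"bus_B"},
}


def cut_sets(tree, node):
    """All cut sets (frozensets of basic events) that fail `node`, unminimised."""
    if node not in tree:                       # basic event
        return [frozenset([node])]
    gate, inputs = tree[node]
    children = [cut_sets(tree, i) for i in inputs]
    if gate == "OR":                           # any one input's cut set suffices
        return [cs for sets in children for cs in sets]
    if gate == "AND":                          # one cut set from every input
        return [frozenset().union(*combo) for combo in product(*children)]
    raise ValueError(f"unknown gate type {gate!r}")


def minimise(sets):
    """Boolean absorption: keep only cut sets with no proper subset in the list."""
    unique = set(sets)
    minimal = [s for s in unique if not any(other < s for other in unique)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def with_support(tree, support):
    """Return a copy of `tree` in which each component listed in the dependency
    table also fails when any of its support systems fails (an OR gate)."""
    expanded = {}
    for gate, (kind, inputs) in tree.items():
        wrapped = []
        for i in inputs:
            if i not in tree and i in support:
                alias = f"{i}_or_support"
                expanded[alias] = ("OR", [i] + sorted(support[i]))
                wrapped.append(alias)
            else:
                wrapped.append(i)
        expanded[gate] = (kind, wrapped)
    return expanded


def minimal_cut_sets(top, tree=TREE, support=None, max_terms=3):
    """Minimal cut sets of `top` with at most `max_terms` events, optionally
    after folding in the dependency table (the systems interaction search)."""
    if support is not None:
        tree = with_support(tree, support)
    return [s for s in minimise(cut_sets(tree, top)) if len(s) <= max_terms]


def single_causes(top, tree=TREE, support=SUPPORT):
    """Single events that alone fail `top` once support dependencies are
    included: these are the shared-support systems interactions."""
    sets = minimal_cut_sets(top, tree, support)
    return sorted(next(iter(s)) for s in sets if len(s) == 1)


if __name__ == "__main__":
    for label, sup in (("systems in isolation", None), ("with dependency table", SUPPORT)):
        print(f"{label}:")
        for cs in minimal_cut_sets("DHR_FAIL", support=sup):
            print("  ", " AND ".join(sorted(cs)))
    print("single shared causes:", single_causes("DHR_FAIL"))
```

In isolation the tree has no single-term cut set, so each system passes single-failure analysis; with the dependency table folded in, the shared bus becomes a single-term cut set that defeats both decay heat removal systems.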


2. Redundancy: Redundancy in support systems, such as control power, motive power, actuation, cooling, and lubrication, is necessary to decrease the dependence of the systems they support.

3. Diversity: The use of elements that perform the same basic required operation, but are completely different in design, manufacture, or method of operation, should also prove to be a desirable practice.

4. Quality Assurance: Another obvious preferable practice is enhanced scrutiny of construction, installation, maintenance, testing, and operations.

5. Coincidence: Redundant instrument channels placed in coincidence would result in slightly decreased reliability but would also promote on-line testing and maintenance and reduce the number of spurious scrams.

6. Communications: The need for administrative, procedural, and documented communications to be precise and clear is essential to reduce errors arising from dynamic human factors. In particular, procedures for multiple casualties that result from SI need to be explicitly included in reactor plant manuals.

7. Operator-Instrument Interfacing: One of the most difficult design practices that needs improvement is the operator-instrument interface. This improvement is difficult to achieve because the operator is usually saturated with indications during accident conditions. During complex SI conditions, he is often confronted with conflicting information. An effort to help resolve these conflicts is necessary, and steps to partially accomplish this goal should include the use of on-line decision aids.

8. Safety Grade Trains: No safety grade train should be dependent on a single nonsafety grade component.


We expect these eight items to represent some of the generic remedy actions that will dominate in any future regulatory guidance concerning SI.

We anticipate finding SIs at IP-3 that violate some of these general practices.

1.6 ORGANIZATION OF REPORT

Chapter 1 has discussed the motivation for the initiation of this study and provided a perspective on the issues of concern in SI.


Chapter 2 presents Step 1 of the LLNL three-step SI evaluation procedure. Step 1 uses event trees to identify potential accident sequences that violate any of the vital safety criteria and subsequently lead to core damage. The results for the accident sequences for IP-3 are presented, and a preliminary grouping of these sequences is made according to consequences. Then, in Chapter 3, Step 2 identifies the important components of systems by using simple fault trees. Dependent failures among support systems, environmental conditions, or dynamic human errors are identified in dependency tables, FMEA, and walk-throughs for accident sequences that can potentially lead to core damage. Finally, Chapter 4 presents Step 3, a simple structured ranking procedure to evaluate the sequences and find the most important ones. The evaluation procedure uses operator experience to select the likelihood of component failures and combines the numbers by very simple algorithms. The conclusions are given in Chapter 5.


Chapter 2 STEP 1. IDENTIFYING SYSTEMS INTERACTION ACCIDENT SEQUENCES

Step 1 is to be performed prior to a visit to the IP-3 plant. In our first effort at Step 1, we decided to mesh our identification and evaluation techniques for the sake of simplicity and efficiency, and to acquire a secure starting point. Therefore, we limited ourselves to seeking only SIs that violate one of the four vital safety criteria and subsequently lead to core damage. This is in effect a preliminary consequence grouping. Then, we continued to perform broad accident sequence consequence grouping as we proceeded with our event tree analysis. In addition, we based our event tree effort on the earlier event tree work in the Reactor Safety Study.

2.1 EVENT TREE ANALYSIS

Event tree analysis is an inductive logic technique that sequentially models the progress of events, both success and failure, leading from some initiating event to a series of logical outcomes. An event tree begins with an initiating failure, and it maps out a sequence of events on the system level that forms a set of branches, each of which represents a specific accident sequence whose consequence relates directly to the events in the sequence. Complete event tree analysis requires the identification of all possible initiating events and the development of an event tree for each. Event trees using successes and failures as basic events at the branching points tend to view overall consequences at the system level. Subsequent analysis requires fault trees that tend toward a greater degree of resolution, i.e., to the component level, and those fault trees will be used in Step 2.

The procedure is as follows:

1. Use the Indian Point Unit 3 Final Facility Description and Safety Analysis Report to provide information and background on the plant's safety functions, systems, and operations.

2. Construct event trees of the IP-3 safety functions and then translate the functions into their appropriate systems. Use the event trees to construct specified accident sequences and to find all accident sequences that can lead to core damage.

3. Group accident sequences according to the severity of their potential consequences.

4. Reduce the number of accident sequences for examination by limiting the scope of the effort through Boolean reduction of accident sequences within consequence groups.

To identify the SI accident sequences that lead to core damage, we must first determine the systems that protect the four vital safety criteria necessary to prevent core damage. The IP-3 Final Facility Description and Safety Analysis Report is used to determine the applicable frontline and backup systems. The SI accident sequences that may lead to potential core damage are then obtained by constructing two types of event trees: a transient event tree and a LOCA event tree. A transient event tree introduces the sequence of systems responding to the initiating event. A LOCA event tree then provides the subsequent sequence of LOCA mitigating systems.

Paths on the transient event tree have three possible outcomes: (1) safe condition, (2) LOCA condition, or (3) core damage. Sequences of systems leading to core damage are SI sequences of concern; sequences leading to a safe condition are eliminated from further consideration; and sequences resulting in LOCA conditions require further analysis to determine their eventual outcome. The sequences of systems on the transient event tree that resulted in LOCA conditions now become the input into the LOCA event tree. The subsequent sequences in the LOCA event tree can conclude in one of two outcomes: a safe condition or core damage. Additional SI sequences of concern that result in core damage are those obtained by merging the LOCA condition on the transient sequences event tree with the LOCA event tree. Finally, there remain sequences on the LOCA event tree that can have an initiating LOCA condition other than one from the transient event tree and that can lead to core damage. This is because the transient event tree considers only the pressurizer system as a source of small-small LOCA. The remaining sequences are also of concern for SI if they lead to core damage.
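The transient-to-LOCA merge described above, as an added Python example that is not part of the report's own analysis: a constructed transient tree using the text's system letters K, M, L, P, Q, U, W with simplified, made-up branching and outcome rules, a two-heading LOCA tree (ECC, PAHR), and the merge of LOCA-outcome transient sequences into the LOCA tree. The sequence counts it produces belong to this toy tree and are not those of Fig. 2 or Fig. 4.

```python
"""Event tree enumeration and transient-to-LOCA merging (constructed example).

The headings follow the systems named in the text, but the branching and
outcome rules are simplified and invented for illustration.
"""
from collections import Counter

# A heading asks whether one system succeeds (True) or fails (False).
# `applies(state)` looks at the branches taken so far and says whether the
# question is asked at all; skipped headings are why a tree with seven
# headings has far fewer than 2**7 sequences.
TRANSIENT_HEADINGS = [
    ("K", lambda s: True),                                    # RPS: reactor trip
    ("M", lambda s: True),                                    # PCS: main feedwater
    ("L", lambda s: s["M"] is False),                         # AFWS: needed only if PCS lost
    ("P", lambda s: s["K"] is False or s.get("L") is False),  # PORVs open on overpressure
    ("Q", lambda s: s.get("P") is True),                      # PORVs reclose after opening
    ("U", lambda s: s.get("Q") is True),                      # CVCS: make-up / boration
    ("W", lambda s: s["M"] or s.get("L") is True),            # RHRS: hot to cold shutdown
]


def transient_outcome(state):
    """Outcome already fixed by the branches so far, or None if undecided."""
    if state.get("P") is False:
        return "core damage"      # overpressure: pressure boundary criterion lost
    if state.get("Q") is False:
        return "LOCA"             # stuck-open PORV: small-small LOCA
    if state.get("U") is False or state.get("W") is False:
        return "core damage"
    if state.get("M") is False and state.get("L") is False and state.get("Q") is True:
        return "core damage"      # relief path closed again, no decay heat removal
    return None


# LOCA tree (constructed, two headings): ECC must inject, then PAHR must remove heat.
LOCA_HEADINGS = [
    ("ECC", lambda s: True),
    ("PAHR", lambda s: s["ECC"] is True),
]


def loca_outcome(state):
    if state.get("ECC") is False or state.get("PAHR") is False:
        return "core damage"
    return None


def enumerate_sequences(initiator, headings, outcome):
    """Walk the tree depth-first. Returns [(label, outcome)], where the label
    is the initiator followed by the failed systems (Reactor Safety Study
    style: successes are simply omitted rather than overlined)."""
    results = []

    def walk(index, state):
        fixed = outcome(state)
        if fixed is not None or index == len(headings):
            failed = "".join(h for h, _ in headings if state.get(h) is False)
            results.append((initiator + failed, fixed or "safe"))
            return
        name, applies = headings[index]
        if not applies(state):
            walk(index + 1, state)
            return
        for ok in (True, False):
            walk(index + 1, {**state, name: ok})

    walk(0, {})
    return results


def merge_into_loca(transient, loca):
    """Continue every transient sequence that ended in a LOCA through the
    LOCA tree; the merged sequences are additional SI sequences of concern."""
    return [(t_label + "+" + l_label, l_out)
            for t_label, t_out in transient if t_out == "LOCA"
            for l_label, l_out in loca]


def count_by_outcome(results):
    return dict(Counter(out for _, out in results))


def core_damage_sequences():
    """All sequences of concern for SI: transient, merged, and LOCA-initiated."""
    transient = enumerate_sequences("T", TRANSIENT_HEADINGS, transient_outcome)
    loca = enumerate_sequences("S", LOCA_HEADINGS, loca_outcome)
    merged = merge_into_loca(transient, loca)
    return [lab for lab, out in transient + merged + loca if out == "core damage"]


if __name__ == "__main__":
    transient = enumerate_sequences("T", TRANSIENT_HEADINGS, transient_outcome)
    for label, out in transient:
        print(f"{label:8} {out}")
    print(count_by_outcome(transient))
    print(len(core_damage_sequences()), "core damage sequences of concern")
```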

2.2 IDENTIFYING AND GROUPING IP-3 SEQUENCES

To determine the systems required to prevent core damage for IP-3, event tree methodology is applied. The Reactor Safety Study [17] suggests the functional event tree for transient-initiated events shown in Fig. 1. This functional event tree is also applicable in a general way to the IP-3 plant. It should be noted from this tree that certain sequences can lead to a LOCA. For this reason, a LOCA event tree is developed in addition to the transient tree.

In the transient function event tree (Fig. 2), four function headings are used. The first one is the transient initiator (T ) itself. The second y

pertains to reactor core subcriticality. The remaining two are concerned with the removal of decay heat from the reactor. These four functions can be l

replaced with the corresponding mitigating systems, i

l In going from the functional to the system event tree, the first three headings, i.e.,

transient, reactor core subcriticality and, Power Conversion System, (M) remain the same. The Power Ccnversion System (M) refers to the condensate and Main Feedwater System used in normal plant operation. This system is used to remove decay heat from the reactor by circulating water in the steam generators and removing the steam and condensing it.

The Auxiliary Feedwater System (L) serves the same purpose. If both M and L fail or if the Reactor Protection System (K) fails to make the reactor subcritical, the pressurizer power-operated relief valves (PORV) open (P). to relieve thes primary system overpressure. A safety relief valve is set at a higher pressure than the PORVs to act as a bac'kup. Q represents the reclosure of these valves given they have opened. If the valves are not reclosed, primary water could escape resulting in a IDCA. The Chemical Volume Control System (U) is used to maintain the core in a covered state and to add borated water to the primary system. The last system en the event tree is the Residual Heat Removal System (W), which is used to take the reactor from a hot shutdown to a cold shutdown. All the systems on the transient event tree are used to render l

the reactor subcritical, remove decay heat, prevent primary system overpressure, and maintain the core in a covered state. These are essentially the four vital safety criteria to prevent core damage. System success (operability) on the transient system event tree is denoted by the line over the letter.

l The event tree resulting accident sequences consist of 24 sequences,12 without core degradation (noted by N) and 12 with core degradation (denoted by "Y) in the right-hand column of Fig. 2.

Of the 12 with Y, six result in a small-small LOCA. These six involve failure to reclose the PORVs and are particular to the pressurizer system. They made it necessary to develop a LOCA event tree. Figure 3 is the pipe break (LOCA) function event tree developed in the Reactor Safety Study and applicable to IP-3.

FIG. 2. Class 1 transient system event tree. [Figure not reproduced. Column headings: Class 1 transient, RPS, PCS, AFWS, SSR, S/RV-O, S/RV-R, CVCS, RHRS (event letters T, K, M, L, P, Q, U, W); for each of the 24 sequences the tree gives the vital safety criteria affected (1, 2, 3, or 1&2), the sequence, core melt (CM) Y or N, and the sequence number.]

Although marked as core melt, Sequences 8, 9, 14, 15, 20, and 21 realistically feed into the appropriate LOCA event tree.

FIG. 3. Illustrative event tree for LOCA functions. [Figure not reproduced. Column headings: PB, RT, ECC, PARR, PAHR, CI; for each of the sequences S1 through S31 the tree gives the vital safety criteria affected (1, 2, 2&3) and the sequence number.]

The following functional headings are used (Ref. 17):

1. Pipe Break (PB)
2. Reactor Trip (RT)
3. Emergency Core Coolant (ECC)
4. Post-Accident Radioactivity Removal (PARR)
5. Post-Accident Heat Removal (PAHR)
6. Containment Integrity (CI)

These functions must be replaced with mitigating systems in order to develop a system event tree that is applicable to IP-3.

Table 2 displays the functions versus systems involved. The ordering of these systems on the system event tree may shift when compared with the ordering of the function event tree. This change occurs because of system dependencies and the importance of timely initiation of the systems in the accident sequence.

Figure 4 shows the small-small LOCA system event tree. The acronyms used on the event tree are defined in Table 2.

Thirty-seven of the 42 accident sequences in Fig. 4 lead to core degradation. The remaining five are marked by asterisks.

The systems on the system event trees are the frontline systems of interest in this study and are applicable to IP-3.

Some of these systems will require supporting systems in order to function.

The transient and small-small LOCA event trees show that there are six transient-initiated accident sequences, six transient-initiated sequences resulting in a small-small LOCA, and 37 small-small LOCA-initiated sequences that lead to core degradation. These sequences will be of interest for further evaluation of SI.

The six transient-initiated sequences are shown in Table 3 where they are ranked into three groups. The criterion used was based on the time available for operators to mitigate the accident. With this criterion in mind, reactor subcriticality becomes the most significant event, followed by decay heat removal.

The last two sequences (Group C) in Table 3 reflect failure of both; the first two (Group A) reflect failure to go subcritical only; and the last two (Group C) involve failure to remove decay heat, but successful reactor scram.

Table 4 lists the six transient-initiated sequences that result in an open pressure-operated relief valve (PORV). To place a demand on the PORV to open, either a scram failure or failure to remove decay heat must have occurred. The four sequences with a scram failure correspond to Sequences 36 through 42 on the LOCA tree (Fig. 4). The two sequences with successful scram but failure to remove decay heat correspond to Sequences 29 through 35.

TABLE 2. LOCA functions versus LOCA mitigating systems.

Function   System
RT         Reactor Protection System (K)
ECC        Emergency Coolant Injection (D)
           Emergency Coolant Functionability (J)
           Emergency Coolant Recirculation (H)
PARR       Containment Fan Cooling System (C)
           Containment Spray Injection System (C)
PAHR       From Primary Systems: Auxiliary Feedwater System (L)
           From Containment:     Containment Fan Cooling System (C) and (E)
                                 Containment Spray Injection System (C)
                                 Containment Spray Recirculation System (G)
                                 Residual Heat Removal System (F)*
CI         This function will be handled as a containment failure.

* Refers to the heat removal capability of the heat exchangers rather than the core reflooding capability.

FIG. 4. Small-small LOCA event tree. [Figure not reproduced. Column headings: small-small LOCA (S), RPS (K), AFWS (L), CSIS & CFCS injection mode (C), ECI (D), ECF (J), CFCS recirculation mode (E), RHRS (F), CSRS (G), ECR (H); 42 sequences numbered 1 through 42; an asterisk marks the five sequences with no core melt.]

TABLE 3. Transient-initiated core degradation sequences.

Group A   T ML      Tp
Group B   T KP      T 10tP
Group C   T lotL    Tm

TABLE 4. Transient-initiated sequences leading to LOCA.(a)

T MLQU
T KQ
T KQU
T lotQ
T 10tQU

(a) These sequences require further analysis before being input to the LOCA event tree.

In either case, the ECCS is not involved in the sequences. The primary system pressure is too high to effectively reflood the core after the water loss.

The 37 core degradation sequences on the LOCA event tree could be ranked in a manner similar to that of the transient sequences. One additional criterion could also be considered. Among all accident sequences having no failure to scram and no failure to remove decay heat, the sequences with failure to reflood the core are the most serious.

With all the above criteria, Sequences 36 through 42 are the most severe. The second group of sequences would be 29 through 35.

The remaining sequences would be in the third group. These sequences involve ECI, ECR, or heat removal from the water used in ECR.

Table 5 lists these groups. The system successes have not been included in Table 5.

A considerable amount of effort must still be expended in order to complete Step 1.

The accident sequences must be reduced to a manageable amount without significantly reducing the thoroughness of the evaluation procedure. To accomplish this, we propose to group all the accident sequences that lead to core damage into six to eight classes depending on the severity of the core damage involved. The amount of core damage can usually be mitigated if there is sufficient time for operators to intervene with corrective action; therefore, the speed at which the accident occurs will continue to be of utmost importance.* Once these general consequence classes of accident sequences have been found, we will compute a simple Boolean reduction within each class. Therefore, each consequence class will be most appropriately represented and the scope of the problem will be reasonably limited.

2.3 SUMMARY OF STEP 1

In summary, Step 1 has identified SI accident sequences that violate vital safety criteria and would thereby result in core damage at IP-3.

* We recognize that our consequence grouping criteria are open to debate and that alternative criteria such as the radiation release categories in the RSS (Ref. 17) could be used.


TABLE 5. Small-small LOCA sequences.

Scram failure   Decay heat removal failure   Core reflood failure
K               L                            E
KE              LE                           EG
KEG             LEG                          EF
KEF             LEF                          EFH
KC              LC                           J
KCG             LCG                          JE
KCF             LCF                          JEG
                                             JEF
                                             D
                                             DE
                                             DEG
                                             DEF
                                             CH
                                             CGH
                                             CF
                                             CFE
                                             CJ
                                             CJG
                                             CJF
                                             CD
                                             CDG
                                             GF


The transient system event tree and the LOCA system event tree resulted in three categories of SI accident sequences. The first category is listed in Table 3 and consists of SI accident sequences that lead to core damage without a LOCA. The second category consists of SI accident sequences that lead to core damage due to a small-small LOCA (Table 5) initiated from failure of the pressurizer-related systems (Table 4).

(In effect this means that one must multiply the list in Table 4 times the list in Table 5 to obtain all the involved accident sequences.) The third category consists of accident sequences that lead to core damage due to a small-small LOCA (Table 5) initiated by a failure of any LOCA-related system other than the pressurizer-related systems already considered in the second category. The scope of our study is limited to the first two categories. The next substep is to reduce the number of accident sequences involved by consequence grouping and Boolean reduction, though this is not carried out here.

Notice that we have already made some preliminary ranking efforts by grouping SI accident sequences in Tables 3 and 5. This will be useful during the subsequent evaluation of identified SIs. Chapter 4 presents a simple likelihood ranking scheme to evaluate the relative importance of the identified SIs within the first two categories.


Chapter 3 STEP 2: IDENTIFYING IMPORTANT COMPONENTS

3.1 OVERVIEW

Step 2 of the SI evaluation procedure is divided into three substeps, the first two of which are completed before a multidisciplined team of experts makes a site visit.

The first substep determines the important components of the individual systems and combines them into minimal sets of components for groups of systems that could cause the SI accident sequences that can lead to core damage.

The second substep consists of creating a matrix of important individual components (for any of the systems under consideration) versus potential causes of failure for the components. A preliminary plant walk-through by a multidisciplined team of experts then follows. This walk-through assists in eliminating causes of failure that are clearly not credible.

The third substep consists of using the knowledge gained from Substep 2 in the form of FMEA and tables to form dependence tables. These tables are matrixes of important component sets that are SIs resulting in accident sequences versus potential causes of dependent failure.

A third and final walk-through is necessary to allow experts to decide on likelihood values for the conditional probability of failure as suggested in Chapter 4.

Although three visits are suggested, the effort could be consolidated into two walk-throughs.

3.2 SIMPLE FAULT TREES FOR SYSTEMS IN ACCIDENT SEQUENCES

Step 2 in our procedure requires the construction of simplified fault trees for the frontline systems that appear in the SI accident sequences in Step 1.

The fault trees are constructed in a reduced form, that is, only in sufficient detail to reveal the one-, two-, and three-term minimum cut sets of the system as it appears in isolation. For example, an SI accident sequence identified in Step 1 was T ML, which is simultaneous failure of the Power Conversion System, the Auxiliary Feedwater System, and the Steam Relief Valve during a transient. The reduced fault trees for the Power Conversion System and the Auxiliary Feedwater System for IP-3 have been prepared although they are not presented in this report. This is the extent of our current analysis on IP-3.

Our objective is to find all the one, two, and three-term minimum cut sets from the simple fault trees we construct and take the Boolean product of these terms along with the product of the failure of the Steam Relief Valve to form the accident sequence important component sets.

Consider the following example:

From the reduced fault tree for the Main Feedwater System for IP-3, the cut set (TURBINE PUMP A)·(TURBINE PUMP B)·(MOTOR PUMP) is a minimal three-component cut set of the main feedwater system. Failure of these three components results in M in the accident sequences.

Similarly, the auxiliary feedwater system can be failed by failure of the secondary storage tank and service water. Therefore, L can be represented by the following cut set: (SECONDARY STORAGE TANK)·(SERVICE WATER).

For the accident sequence T ML, the following important component cut set results:

(T)·(TURBINE PUMP A)·(TURBINE PUMP B)·(MOTOR PUMP)·(SECONDARY STORAGE TANK)·(SERVICE WATER)

This sequence may appear to be unwieldy; however, if the transient initiator was Loss of Station Power, the resulting SI accident sequence would be (SECONDARY STORAGE TANK)·(SERVICE WATER). The Loss of Station Power would fail the condensate and condensate booster pumps in the main feedwater as well as the motor-driven pumps in the auxiliary feedwater system.
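As an added illustration (not code from the report), the Boolean product described above can be carried out mechanically: each system's failure is represented by its minimal cut sets, the sequence cut sets are the product of the per-system cut sets reduced by absorption, and conditioning on a specific initiator removes the events that initiator already fails. The per-system cut sets are the ones named in the text; the set of components failed by Loss of Station Power is an assumption chosen to reproduce the text's remark.

```python
from itertools import product

# Minimal cut sets of each frontline system in the sequence T ML, as named in
# the text.  Each cut set is a frozenset of basic events; a system fails when
# every event of some cut set occurs.  The transient initiator T is carried
# as one basic event.
SYSTEM_CUT_SETS = {
    "T": [frozenset({"T"})],
    "M": [frozenset({"TURBINE PUMP A", "TURBINE PUMP B", "MOTOR PUMP"})],
    "L": [frozenset({"SECONDARY STORAGE TANK", "SERVICE WATER"})],
}

# Assumption: Loss of Station Power is itself the initiator and, through the
# condensate and condensate booster pumps it de-energizes, takes out all
# three main feedwater pumps.
LOSS_OF_STATION_POWER_FAILS = frozenset(
    {"T", "TURBINE PUMP A", "TURBINE PUMP B", "MOTOR PUMP"}
)


def minimize(cut_sets):
    """Keep only minimal cut sets (absorption: A + A*B = A).

    An empty cut set means 'already failed' and absorbs everything else.
    """
    unique = set(cut_sets)
    minimal = [cs for cs in unique if not any(other < cs for other in unique)]
    return sorted(minimal, key=lambda cs: (len(cs), sorted(cs)))


def boolean_product(*families):
    """AND together several systems' cut-set lists.

    Every system in the sequence must fail, so one cut set is chosen from
    each family and the chosen sets are unioned.
    """
    combined = [frozenset().union(*choice) for choice in product(*families)]
    return minimize(combined)


def sequence_cut_sets(sequence, system_cut_sets=SYSTEM_CUT_SETS):
    """Important component cut sets for an accident sequence such as 'TML'."""
    return boolean_product(*(system_cut_sets[system] for system in sequence))


def condition_on_initiator(cut_sets, events_failed):
    """Specialize cut sets to an initiator that fails some events outright.

    Events the initiator already fails are certain, so they drop out of every
    cut set; supersets of the shortened sets are then absorbed.
    """
    return minimize(cs - events_failed for cs in cut_sets)


if __name__ == "__main__":
    generic = sequence_cut_sets("TML")
    print("T ML cut sets:", [sorted(cs) for cs in generic])
    losp = condition_on_initiator(generic, LOSS_OF_STATION_POWER_FAILS)
    print("with Loss of Station Power:", [sorted(cs) for cs in losp])
```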


3.3 DEPENDENCY TABLES

The second substep of Step 2 is a generic analysis that involves reviewing the minimal cut sets from a fault tree for dependencies among the basic failure events. A standard checklist of potential linking characteristics is used. Subsequently, the results can be used to identify new modes of overall failure by Boolean transformation of the minimal cut sets to accommodate these dependencies. A major portion of this technique is qualitative.

Generic analysis is performed on the component level. Starting from a list of basic events from minimal cut sets, the analyst identifies common linkages. One such checklist identifies major generic cause categories:

1. Mechanical/Thermal
2. Electrical/Radiation
3. Chemical/Miscellaneous

The classification of SIs by type is useful to guide the analysts in choosing the columns of the dependency table. Systems interactions of interest may be placed in three broad categories depending on whether the event is caused by shared support system dependency, by shared environmental conditions external to the affected system(s), or by dynamic human error. A further breakdown is possible by considering shared environmental conditions separately. This would be in accordance with a nonconnected dependence analysis. However, by first finding the SI accident sequences for the nonconnected dependence analysis, we differ from earlier efforts (Ref. 12).

Shared support system SI events can be caused by a malfunction in systems that are connected (1) because they share components or (2) because they are linked. Possible functional links between systems include electrical, hydraulic, pneumatic, and mechanical connections. Examples of shared support system adverse SIs are the Crystal River 3 loss of reactor coolant (Ref. 7) and the Browns Ferry 3 partial loss of scram capability.

Shared environmental SI events (sometimes referred to as physical, non-connected, or spatial) are common-cause events often initiated by phenomena such as earthquakes, fires, floods, missiles, and abnormal environmental conditions within the plant. These types of SIs are characteristic of systems sharing a common space, which allows an initiating event to link the systems within that space. These events lend themselves to inspection methods such as walk-throughs. Some examples of external SI events are the Browns Ferry 1 and 2 fire and the postulated Hosgri event involving an earthquake at Diablo Canyon.

Dynamic human error may be postulated when an initiating event affects plant instruments such that the operator is misled into performing an unsafe act. We refer to such cases as having an element of human error although the operator's actions are not exactly at fault. A dynamic human error may often be part of the failure effects rather than the initiating event.

The various options of dependent failures just described form the headings on the dependency tables and the SI accident sequence important component sets form the rows as follows:

                                           Dependency
Important SI Component   Shared Support Systems   Shared Environment   Dynamic Human Error
Cut Sets                 S1  S2  S3  S4 ...        A  B  C  D ...       H1  H2  H3 ...
abcd
...

Once the important component cut sets for a particular SI accident sequence are determined, a new solution will be obtained. That solution will provide new minimal cut sets treating each linking characteristic as an independent event. For example, assume that one had the cut set

a b c d e

in which a, b, c, d, and e are each component failures making up an accident sequence, and that the FMEA information gathered on a preliminary walk-through gave linking characteristics as follows:

a = Location (L1), Actuation
b = Location (L1), Actuation, ac Power
c = Location (L1), ac Power, dc Power
d = Location (L1), ac Power, dc Power
e = Location (L1), ac Power, dc Power

New cut sets would be determined as follows (terms in brackets indicate which events are now replaced by a single SI event):

New cut sets                               Number of Independent Events
Location L1 (a, b, c, d, e)                1
a x AC Power (b, c, d, e)                  2
Actuation (a, b) x DC Power (c, d, e)      2
a x b x DC Power (c, d, e)                 3

Note: The other combinations of failure which are subsets of the ones given above are also generated, e.g., Location L1 (c, d, e) x AC Power.

The same cut set that once appeared to consist of five "independent" failures may now occur in a number of different ways, one of which consists of only one independent event (Location L1) and others which are less than five events.

The most significant potential interactions involve all the events of a cut set.

This would indicate that a potential exists for a single failure that would compromise the performance of a given plant function. The prevention of single failures is the philosophy that dominates this work, and its completeness in the evaluation of potential single failures is of principal importance. New cut sets generated by the potential interaction solution of the tree will then be reviewed if they consist of one independent event. The single independent failure cut set would be retained for further review while others would not.
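The following added example (not the report's code) implements the linking-characteristic substitution for the cut set a b c d e and the single-failure retention rule just described: each event is replaced by the alternative "itself or any shared characteristic", the resulting combinations are reduced to minimal cut sets whose size is the number of independent events, and cut sets of one independent event are flagged for retention. The linking table is the one given in the text; the function names are assumptions.

```python
from itertools import product

# Cut set from the text: five component failures a..e that together make up
# an accident sequence.
CUT_SET = frozenset({"a", "b", "c", "d", "e"})

# Linking characteristics per component, as the text's walk-through FMEA
# gave them.  A shared characteristic is treated as a single SI event that
# fails every component listing it.
LINKS = {
    "a": {"Location L1", "Actuation"},
    "b": {"Location L1", "Actuation", "AC Power"},
    "c": {"Location L1", "AC Power", "DC Power"},
    "d": {"Location L1", "AC Power", "DC Power"},
    "e": {"Location L1", "AC Power", "DC Power"},
}


def minimize(cut_sets):
    """Drop every cut set that contains another one (absorption)."""
    unique = set(cut_sets)
    return sorted(
        (cs for cs in unique if not any(other < cs for other in unique)),
        key=lambda cs: (len(cs), sorted(cs)),
    )


def potential_interaction_solution(cut_set, links):
    """New minimal cut sets with each linking characteristic as an event.

    Each component can fail on its own or through any characteristic it
    shares, so its alternatives are {component} | links.  Taking one
    alternative per component and collecting them gives a candidate cut set;
    minimization leaves the distinct ways the original cut set can now occur.
    The size of each new cut set is its number of independent events.
    """
    alternatives = [
        frozenset({component}) | frozenset(links.get(component, ()))
        for component in sorted(cut_set)
    ]
    candidates = (frozenset(choice) for choice in product(*alternatives))
    return minimize(candidates)


def by_independent_event_count(new_cut_sets):
    """Group new cut sets by number of independent events, as in the table."""
    grouped = {}
    for cs in new_cut_sets:
        grouped.setdefault(len(cs), []).append(cs)
    return grouped


def single_failure_cut_sets(cut_set, links):
    """Cut sets of one independent event: the ones retained for review."""
    return [cs for cs in potential_interaction_solution(cut_set, links)
            if len(cs) == 1]


if __name__ == "__main__":
    solution = potential_interaction_solution(CUT_SET, LINKS)
    for count, sets in sorted(by_independent_event_count(solution).items()):
        for cs in sets:
            print(count, " x ".join(sorted(cs)))
    print("retained:", [sorted(cs) for cs in single_failure_cut_sets(CUT_SET, LINKS)])
```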

The cut sets so retained would then be analyzed to determine whether an interaction potential truly existed. This involved a detailed walk-through of both the components involved and the potential interactions.

Tables 6, 7, and 8 give a sample of generic dependencies that should be considered in forming a dependency table.

After a preliminary effort to find accident sequence cut sets for the dependency tables, a preliminary walk-through inspection of IP-3 will be necessary. A walk-through of the IP-3 facility will be performed by an interdisciplinary team of experienced engineers as described in Section 2.4.

During the inspection, all possible interactions will be postulated for equipment that might affect the system using the criteria as described in Section 2.

Consideration will be given to local equipment arrangements and geometry and to the possible results of these failures. The interaction team, after identifying all possible interactions, will utilize the established criteria to determine if these interactions are credible. Once the field system evaluation has been completed the following information will be documented:

1. Location of the potential interaction
2. Components and systems involved
3. Working criteria section used for the evaluation (which includes the type of interaction)

The team members are required to have considerable experience on IP-3 or similar plant experience in their area of assignment. Experienced in-house individuals should be readily available. Specialized consultants, architect-engineers, and NSSS suppliers should also be used to supplement the in-house experience. The team should also include the following discipline supervisors and their staffs:

1. Mechanical Systems
2. Piping Supports
3. Instrumentation and Control
4. Electrical
5. Civil/Structural
6. Heating, Ventilating, and Air Conditioning
7. Programs
8. Startup/Systems

This preliminary walk-through will eliminate cut sets that the multidisciplined team finds to be insignificant on the basis of their operational experience and engineering judgment. A reevaluation of cut sets will be conducted offsite and preparations made for a second visit. The second visit will be required to inspect all remaining cut sets and provide likelihood values for individual component failure in accordance with Section 2.4.

TABLE 6. Shared environmental conditions.

Generic Cause                       Example Sources
Impact (I)                          Pipe whip, water hammer, missiles, earthquakes, structural failure.
Vibration (V)                       Machinery in motion, earthquake.
Pressure (P)                        Explosion, out-of-tolerance system changes (pump overspeed, flow blockage).
Grit (G)                            Airborne dust, metal fragments generated by moving parts with inadequate tolerances, crystallized boric acid from chemical control system.
Moisture (M)                        Condensation, pipe rupture, rainwater.
Stress (S)                          Thermal stress at welds of dissimilar metals, thermal stresses and bending moments caused by high conductivity and density of liquid sodium.
Temperature (T)                     Fire, lightning, welding equipment, cooling system faults, electrical short circuits.
Freezing (F)                        Liquid sodium solidifying, water freezing.
Electromagnetic interference (E)    Welding equipment, rotating electrical machinery, lightning, power supplies, transmission lines.
Radiation damage (R)                Neutron sources, charged particle radiation.
Conducting medium (M)               Moisture, conductive gases.
Out-of-tolerance voltage (V)        Power surge.
Out-of-tolerance current (I)        Short circuit, power surge.
Corrosion, acid (A)                 Boric acid from neutron control system, acid used in maintenance for removing rust and cleaning.
Corrosion, oxidation (O)            In a water medium or around high temperature metals (for example, filaments).
Other chemical reactions (R)        Galvanic corrosion; complex interactions of fuel cladding, water, oxide fuel, and fission products; leaching of carbon from stainless steel by sodium.
Carbonization (C)                   Hydrocarbon (hydraulic fluid, lubricating oils, diesel fuel) in liquid sodium.
Biological (B)                      Poisonous gases, explosions, missile hazards.

TABLE 7. Shared support systems.

Symbol   Generic Support Function
S1       AC Power
S2       DC Power
S3       Actuation Air
S4       Lubrication
S5       Service Water Cooling
S6       Instrument Air
S7       Instrument and Control

TABLE 8. Dynamic human error.

Symbol   Generic Human Error
H1       Manual Control Error
H2       Automatic Control Interference
H3       Interlock Defeating Error
H4       Error Due to Conflicting Instrument Information


Chapter 4 STEP 3: EVALUATION OF SYSTEMS INTERACTIONS LEADING TO CORE DAMAGE

4.1 BACKGROUND

Step 1 identified the accident sequences resulting in core melt and established a consequence grouping of the accident sequences according to the time available for operator response. Steps 1 and 2 together identified important components from the systems of interest along with the important sets of these components, which are minimal cut sets for the accident sequences. The accident sequences are the results of SIs, and the component sets are the components whose joint failures define these SIs. Step 2 also provided a component dependency table that describes the vulnerability of each component to failure-causing events such as environmental problems and dynamic human errors.

In Step 3, the component dependency table is quantified through on-site assessments of component failure probabilities given these causal events. (We henceforth drop the modifier "important" for components and component sets.) This table and the definitions of the component sets are then used to derive a quantified dependency table for the component sets whose elements are component set failure probabilities given a causal event. These probabilities are combined with simple assessments of causal event frequencies to derive relative probabilities of SIs, defined as joint failure of all components in the component sets. Finally, these probabilities are combined with the consequence grouping for the associated accident sequences to obtain an overall importance ranking for the SIs. This process is described in detail below.

The component failure probability assessments are obtained during a site visit. On-site inspection is also used to check the credibility of the quantified dependency table for the component sets. The remaining tasks of this step can be completed off-site.

Our procedure for accomplishing this has three important characteristics:

1. Simplicity. It does not require a computer.

2. Structure. The problem is divided into subproblems so that the input requirements are compatible with the knowledge of experts.

3. Intermediate results. The procedure produces a series of results. Early results and additional input data are used to derive later results. If no credible additional input data are available for later results, the earlier results are still of interest.

4.2 APPROACH

The first task in Step 3 is to quantify the component dependency table. This task requires that experts with operating experience assess the conditional probability of a single component failure given a specific conditioning event (such as extreme heat or excessive moisture). The conditioning events are also known as causal events. This assessment is merely a rough measure of vulnerability, and it should be within the qualifications of the experts.

The second task is to determine the failure probabilities of the component sets. This is accomplished in two steps. First, a quantified component set dependency table is constructed using the quantified component dependency table and the list of important component sets developed in Steps 1 and 2. Then, we must aggregate over the causes of failure for a single component set to obtain a failure probability (frequency) for the set. This requires the more difficult assessment of the likelihood of the causal events, but if this can be done, the probability of a component set failure can be written

$P(CS) = \sum_i P(CS \mid Q_i)\, P(Q_i),$

where CS denotes a component set failure, $P(CS)$ denotes the probability of a component set failure, and $Q_i$ is the occurrence of the i-th causal event. This is the expansion rule of probability, which states that the probability of a component set failure is equal to the sum over causal events of the conditional probability of the component set failure, given a causal event, times the probability of the causal event. Table 6 shows the set of causal events.


We have reduced the problem to assessing $P(Q_i)$. From this point, we could take two paths. The first involves frequencies of root causes, such as floods and earthquakes. We would use the expansion rule of probability to determine $P(Q_i)$ as the sum over all root causes of the probability of $Q_i$ given a root cause, times the probability (frequency) of the root cause. However, these root cause probabilities could only be established through a study of greater scope than the current one.

In this study, we take an alternative path in which we determine relative probabilities of component set failures by substituting for $P(Q_i)$ the relative frequency of the conditioning event $Q_i$. This is sufficient since all that is required for a ranking according to likelihood is the relative likelihood (frequency) of failure of component sets. These relative frequencies will be assessed on the basis of operator experience.

The ranking procedure has been divided into meaningful subproblems so that, if the later inputs are not available, early results will still be meaningful. If operators are not comfortable assessing relative frequencies of causal events, the component sets can still be ranked on the basis of their conditional failure probabilities. For example, this procedure would point out the most important SIs due to humidity problems, or the most important SIs due to manual control errors (Table 6). However, if the relative frequencies of causal events can be assessed, we can aggregate over all causal events to find the SIs that are most critical overall.

An important assumption is that the causal events are assumed to be disjoint; the probability of simultaneous occurrence is zero. This excludes complex accident sequences. For example, although an earthquake could cause both an impact problem (broken support) and a moisture problem (broken pipe), use of the list of causal events in Table 6 precludes the simultaneous consideration of impact and moisture problems. Of course, such joint events could be included at the price of making the assessment of the relative frequencies of the causal events more difficult.

Another simplification is that we do not consider the frequency of root cause occurrence, as mentioned above. However, our use of relative frequencies of causal events, assessed on the basis of operator experience, should make the results meaningful.

At the start of the ranking procedure all potential interactions are considered global; e.g., if all the components in a component set are subject to flooding, regardless of their physical location, they represent a potential SI. However, it seems clear on both frequency-of-occurrence grounds and scope-of-analysis grounds that local effects should be the focus of the analysis. Therefore, the SIs are sorted according to whether the associated causal events are local or global. Local SIs are considered more important.

For example, components subject to flooding that are in the same physical location represent a more serious potential SI than if they were physically separated.

4.3 MAJOR INPUTS AND OUTPUTS

The major inputs and outputs for the ranking procedure are shown in Fig. 5. The inputs come from Steps 1 and 2 and the quantification of the component dependency table, and they correspond to the terms on the right of the expansion rule above. The output corresponds to the term on the left.

The key input to the ranking procedure is I1, the conditional probability of single-component failure given a causal event. A simplifying assumption makes this assessment procedure feasible; probabilities are limited to a few discrete levels:

Very unlikely       Probability = 0
Reasonable chance   Probability = 0.5
Very likely         Probability = 1.0

An alternative would be to use four discrete levels such as "very unlikely," "moderately likely," "highly likely," and "virtually certain." The key point is to limit the probabilities to a few discrete values to simplify the assessment process.

Input I3, the relative frequency of causal events, is required to compute the unconditional relative failure probabilities of the component sets. This input is labeled "assumptions about" in Fig. 5 to emphasize the use of judgmental values. It is important to recognize that operating personnel may have limited expertise in assessing the frequency of causal events. A potentially fruitful area for future work would be to review previous risk analysis studies as well as Licensee Event Reports to develop data to support the estimates of causal event frequencies.

l We now describe the ranking procedure in more detail.

4.4 INFORMATION FLOW IN THE RANKING PROCEDURE

Figure 6 shows the four intermediate steps required to get from the inputs to the output. The result of each step provides information that is interesting in itself and is used as input to the next step. Working from the top down, each intermediate step provides finer groupings of the component sets, at the expense of requiring more input data or expert judgment.

This structure has implications for the use of expert opinion. Expert consensus for the initial inputs Il should be relatively easy to achieve.

However, concensus on input I2 may be more difficult to obtain, and concensus l

on input I3 may be even more elusive. The hierarchical structure of the flow chart facilitates sensitivity analyses to determine if differences in expert opinion have significant impact on the output. Suppose, for example, that there is no concensus on the assumptions to use in I3, but that there is concensus on Il and I2.

Then an analysis should be carried out to determine the sensitivity of the outputs R3 to the, assumptions I3.

4.5 FOUR SUBSTEPS OF STEP 3

Steps 1 and 2 provide an initial grouping of the component sets by a measure of the consequences of joint failure. Step 2 also provides a dependency table for the components and a list of important component sets. With this information, Step 3a constructs a quantified dependency table for the component sets by simply checking the list of component sets against the quantified dependency table for individual components. This table gives the probability of component set failure given each causal event. The computational rules are based on the following assumptions:

1. Causal events are assumed to be disjoint, i.e., a flooding event and a fire event cannot occur simultaneously.

2. Causal events are global, i.e., if flooding occurs in one area it will occur in all areas simultaneously.

3. Component failures given a causal event are conditionally independent, i.e., the probability that component A fails given flooding is the same whether or not it is known that component B failed from the flooding.

4. Probabilities are assessed as p = 0, p = 0.5, or p = 1.0.

The conditional failure probability of a component set, given a causal event, is the product of the corresponding single-component conditional failure probabilities.

FIG. 6. Flowchart showing major steps for ranking event sequences. Boxes of the flowchart, read from the top down (I = Inputs, A = Analysis, R = Ranking):

    I1  List of component sets
    A1  Group component sets by response time
    R1  Event sequences grouped by response time
    I2  Probability of single-component failure given causal event
    A2  Compute probability of component failure given causal events
    R2  Probability of component set failure given causal events, global impact
    I3  Assumptions about relative frequency of causal events
    A3  Sum over causal events
    R3  Relative likelihood of component set failure given global impact
    A4  Use expert judgment to identify local impacts
    R4  Relative likelihood of component set failure given local impact

At this point, the intermediate results R1 show the failure probability of each component set, given both the causal event and the assumption of global impacts. Step 3b combines these failure probabilities (one for each causal event) for each component set into an overall, relative failure probability for the component set. The rule for combination is no more than the expansion rule defined above. It requires only a hand calculator.

Step 3b results in a single relative failure probability for each component set, given the assumption of global impacts. At this stage, there may be many component sets (potential SIs) with the same importance rank. For example, it is possible that all components are subject to damage by missiles or falling objects; therefore, many potential SIs involving missiles are identified.

Step 3c groups the SIs according to the consequence grouping defined in Step 1. Thus, within each consequence group, SIs (component sets) are ranked according to probability of occurrence.

Finally, Step 3d asks experts to assess which potential SIs represent local effects. Those that represent local effects are more important (i.e., more likely) than those that represent global effects. This is a judgmental process. The results R4 from this step give the relative likelihood ranking of component set failures, classified according to local or global effects, within each consequence group.
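The four computational rules and the substeps 3a through 3d, worked as an added Python example. This is not code from the report or from the laboratory; the input values (component sets, single-component probabilities, causal-event frequencies, consequence groups and the local/global judgment) are those of the illustrative example in Sec. 4.6, and the function names and dictionary layout are this example's own choices.

```python
"""Steps 3a-3d of the ranking procedure, as added example code (not from the
report).  Inputs I1-I4 below are the values of the illustrative example in
Sec. 4.6 of the report; names and layout are this example's own."""

ALLOWED_LEVELS = {0.0, 0.5, 1.0}   # assumption 4: three discrete assessment levels

# Input I1: component sets (one- and two-term cut sets) whose joint failure
# fails the system.  Each string lists single-letter component names.
I1 = ["c", "dv", "mv", "p"]

# Input I2: P(component fails | causal event), one row per component.
I2 = {
    "c": {"moisture": 0.0, "impact": 1.0, "human": 1.0},   # control rods
    "m": {"moisture": 1.0, "impact": 1.0, "human": 1.0},   # motor
    "p": {"moisture": 0.0, "impact": 0.5, "human": 0.0},   # pump
    "v": {"moisture": 0.0, "impact": 0.5, "human": 1.0},   # valve
    "d": {"moisture": 0.5, "impact": 0.5, "human": 1.0},   # diesel
}

# Input I3: relative frequency of the causal events (moisture and impact
# equal, human error ten times as frequent), normalised so that human = 1.0.
I3 = {"moisture": 0.1, "impact": 0.1, "human": 1.0}

# Input I4: consequence group from Step 1 (A = shorter response time).
I4 = {"c": "A", "dv": "B", "mv": "B", "p": "B"}


def step_3a(sets, table):
    """Quantified dependency table for component sets.

    Assumption 3 (conditional independence given the event) makes
    P(set fails | e) the product of the single-component probabilities."""
    for comp, row in table.items():
        bad = [p for p in row.values() if p not in ALLOWED_LEVELS]
        if bad:
            raise ValueError(f"component {comp}: {bad} not in {sorted(ALLOWED_LEVELS)}")
    events = list(next(iter(table.values())))
    out = {}
    for s in sets:
        out[s] = {}
        for e in events:
            p = 1.0
            for comp in s:
                p *= table[comp][e]
            out[s][e] = p
    return out


def step_3b(set_probs, rel_freq):
    """Expansion rule: assumptions 1 and 2 (disjoint, global events) let the
    relative failure likelihood be the frequency-weighted sum over events."""
    return {s: sum(p * rel_freq[e] for e, p in row.items())
            for s, row in set_probs.items()}


def step_3c(rel_like, groups):
    """Rank sets by relative likelihood (highest first) within each group."""
    out = {}
    for s, r in rel_like.items():
        out.setdefault(groups[s], []).append((s, r))
    for members in out.values():
        members.sort(key=lambda sr: -sr[1])
    return out


def step_3d(ranked_groups, local_sets):
    """Expert judgment: local SIs outrank global SIs within a group; the
    Step 3c order is kept inside the local and the global sub-group."""
    out = {}
    for g, members in ranked_groups.items():
        ordered = sorted(members, key=lambda sr: (sr[0] not in local_sets, -sr[1]))
        out[g] = [(s, "local" if s in local_sets else "global", r) for s, r in ordered]
    return out


def run_example():
    """Carry the Sec. 4.6 data through Steps 3a-3d and return all results."""
    r1 = step_3a(I1, I2)
    r2 = step_3b(r1, I3)
    r3 = step_3c(r2, I4)
    r4 = step_3d(r3, local_sets={"c", "mv", "p"})   # Step 3d judgment of Sec. 4.6
    return r1, r2, r3, r4


if __name__ == "__main__":
    for name, result in zip(("3a", "3b", "3c", "3d"), run_example()):
        print(f"Step {name}: {result}")
```

The level check in step_3a is the only guard the procedure needs: an analyst who enters 0.3 instead of one of the three agreed levels has silently abandoned assumption 4, and the hand-calculator arithmetic of Step 3b would no longer be comparable across component sets.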

4.6 ILLUSTRATIVE EXAMPLE

This section illustrates the elements of Fig. 6 with a simple example in which the vital components are control rods (c), motor (m), pump (p), valve (v), and diesel (d). The causal events are moisture, impact, and dynamic human error.

Input I1.--Let the component sets for system failure be c, dv, mv, and p.


Input I2.--A site visit yields the probability of component failure given the causal events:

                                 Causal events
    Component            Moisture    Impact    Human
    Control rods (c)     0           1.0       1.0
    Motor (m)            1.0         1.0       1.0
    Pump (p)             0           0.5       0
    Valve (v)            0           0.5       1.0
    Diesel (d)           0.5         0.5       1.0

Step 3a.--Combining Input I2 and Results R1, the conditional probability of failure for the component sets given the causal events is as follows:

                                 Causal events
    Component set        Moisture    Impact    Human
    c                    0           1.0       1.0
    dv                   0           0.25      1.0
    mv                   0           0.5       1.0
    p                    0           0.5       0

Input I3, Step 3b, Result R2.--Assume that moisture and impact causes occur with the same frequency and human causes occur with ten times greater frequency. The output R2, the relative likelihood of component set failure given only the global impact assumption, is as follows:

    Component set        Relative likelihood of failure
    c                    1.10
    mv                   1.05
    dv                   1.025
    p                    0.05

Input I4, Step 3c.--We assume that loss of control rods disables the Reactor Protection System, leaving little time to respond, while the other components interfere with the Decay Heat Removal System, leaving more time to respond. Thus, the consequence grouping of Step 1 and the relative likelihoods from Step 3b imply the following ranking within the consequence groups:

    Group A      Group B
    c            mv
                 dv
                 p

Step 3d, Output R3.--Experts familiar with the plant decide that mv is a local SI since the motor and valve are adjacent to each other and a confused operator could shut both down. However, dv is a global SI since the diesel and valve are not located close to each other; operator error is unlikely because the operator is never supposed to shut down the diesels during an abnormal condition. The SIs denoted by c and p are local because they involve just one component.

These results give the final ranking of SIs within the consequence groups:

    Group A        Group B
    c (local)      mv (local)
                   p (local)
                   dv (global)

The analysis is completed by subjective evaluation of these results. For example, the possibility of a control rod event c is not considered serious because it is a well-known risk and operators are trained not to interfere with the operation of the Reactor Protection System. The possibility of a pump failure (event p) is not considered serious because, while it is a local effect, it has a very low probability of occurrence. The possibility of a diesel/valve SI is not considered serious because it is a global SI. The only serious potential SI involves the common failure of the motor and valve through impact or through human error.
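The sensitivity analysis that Sec. 4.4 recommends when experts cannot agree on I3, carried out on the Step 3a table of the example above. This is added example code, not from the report; the sweep over the assumed ratio of human-error frequency to impact frequency, and the function names, are this example's own choices.

```python
"""Sensitivity of the Step 3b ranking to the causal-event frequency
assumptions I3, as Sec. 4.4 suggests when experts disagree on I3.  Added
example code, not from the report; the Step 3a table is that of the
Sec. 4.6 example."""

# Step 3a result of Sec. 4.6: P(component set fails | causal event).
STEP_3A = {
    "c":  {"moisture": 0.0, "impact": 1.0,  "human": 1.0},
    "dv": {"moisture": 0.0, "impact": 0.25, "human": 1.0},
    "mv": {"moisture": 0.0, "impact": 0.5,  "human": 1.0},
    "p":  {"moisture": 0.0, "impact": 0.5,  "human": 0.0},
}
GROUP_B = ["mv", "dv", "p"]   # Decay Heat Removal consequence group of Sec. 4.6


def relative_likelihood(set_probs, rel_freq):
    """Step 3b expansion rule: frequency-weighted sum over disjoint events."""
    return {s: sum(p * rel_freq[e] for e, p in row.items())
            for s, row in set_probs.items()}


def freq_assumption(human_to_impact_ratio):
    """An I3 with moisture and impact equally frequent and human error
    `ratio` times as frequent, normalised so that human = 1.0 (a ratio of 10
    reproduces the report's 0.1 / 0.1 / 1.0)."""
    w = 1.0 / human_to_impact_ratio
    return {"moisture": w, "impact": w, "human": 1.0}


def rank_within_group(set_probs, rel_freq, members):
    """Step 3c order (highest relative likelihood first) for one group."""
    like = relative_likelihood(set_probs, rel_freq)
    return sorted(members, key=lambda s: -like[s])


def sweep(set_probs, members, ratios):
    """Ranking of `members` for each assumed human/impact frequency ratio."""
    return {r: rank_within_group(set_probs, freq_assumption(r), members)
            for r in ratios}


def ranking_is_robust(set_probs, members, ratios):
    """True if every assumption in the sweep yields the same order, i.e. the
    disagreement on I3 does not matter for the output R3."""
    orders = {tuple(o) for o in sweep(set_probs, members, ratios).values()}
    return len(orders) == 1


if __name__ == "__main__":
    for r, order in sweep(STEP_3A, GROUP_B, [10, 1, 0.5, 0.2, 0.1]).items():
        print(f"human/impact frequency ratio {r:>4}: {' > '.join(order)}")
```

With the Sec. 4.6 figures the order within Group B is mv, dv, p for any assumption in which human error is at least a quarter as frequent as impact (p scores 0.5w against 0.25w + 1.0 for dv, with w the impact weight), and flips to mv, p, dv only below that; so the consensus needed on I3 is only whether human error is believed to be that rare, not its exact frequency.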


4.7 SUMMARY OF EVALUATION PROCEDURE

The objectives of this SI evaluation procedure are as follows:

1. To identify SIs that lead to core damage by violating one or more vital safety criteria;

2. To rank these SIs in order of importance; and

3. To accomplish the first two objectives with a methodology that gives understandable results, that is compatible with the available expertise, and that is within the scope of this study.

The importance of an event is normally its probability of occurrence times the consequences of its occurrence. However, there is a danger in using a strictly numerical importance measure when many elements cannot be evaluated precisely within the scope of this study. Therefore, we have designed a hierarchical importance ranking and structured our definitions of probability and consequence accordingly.

We define the consequence of an SI in terms of the time available for operator response, resulting in a rough classification of the SIs of interest into three consequence groups. The shorter the available response time, the greater the consequence of an SI. This is a reasonable definition of consequence because all SIs we are considering lead to the same result--core damage. The assumption underlying this definition is that the probability of preventing the core damage once the SI sequence is under way depends only on the time available for operator response. Given this assumption, the only other way to differentiate according to consequence among the SIs is by the cost of the response, which is a secondary consideration.

We have broken the "probability of occurrence" issue into two parts: (1) relative likelihood given global causes, and (2) differentiation between local and global causes. The local/global differentiation is given greater weight than differences in the relative likelihoods of two SIs given that a global cause occurs. The motivation for this is that the difference in the likelihood of occurrence between a global cause (such as flooding throughout the plant) and a local cause (flooding within one given area) is much greater than the difference in likelihood of two SIs, given that such a global event occurs.

The result of the three-step procedure is the identification and classification of SIs corresponding to failures of important component sets. The first level of classification is by the consequence of the resulting SI. The next level of classification occurs within each consequence group. It is a qualitative differentiation based on the location of the components in a component set. The final level of differentiation is within each local or global group of SIs. This is a differentiation by the relative likelihood of failure of an entire component set, found by aggregating over all failure-causing events. This process uses the relative likelihoods of the causal events and the probabilities of component set failures, given that the causal events actually occur.

The scope of the procedures is summarized as follows:

    Step    Limitation

    1.      a. Only SIs that lead to core damage are considered.
            b. The accident sequences consider only LOCAs caused by pressurizer-system-related problems.
            c. The number of accident sequences is reduced by consequence grouping and subsequent Boolean reduction within each group.

    2.      a. Only one- and two-term minimum cut sets of simple fault trees of systems in isolation are considered.
            b. Important component sets are eliminated if they are found to be noncredible on the basis of the judgment of a multidisciplined team of experts.
            c. Only three types of dependent failure were considered: shared support systems; shared environmental conditions; and dynamic human error.

    3.      a. The three-valued (0, 1/2, 1) likelihood values of the conditional probability of failure of components are based on the judgment of a multidisciplined team of experts.


Chapter 5 CONCLUSION

We have presented a systems interaction (SI) evaluation procedure that uses risk assessment techniques coupled with operational experience and engineering judgment to identify and evaluate SIs that violate safety criteria and could lead to core damage. The SIs we were concerned with were of three types of dependent failures: (1) shared support systems, (2) shared environmental conditions, and (3) dynamic human error. We previewed our procedure with a suggestion of eight items that should play a central role in any future guidelines: (1) separation, (2) redundancy, (3) diversity, (4) quality assurance, (5) coincidence, (6) communication, (7) operator/instrument interfacing, and (8) safety grade trains. We then presented the LLNL three-step SI evaluation procedure with specific application to the Indian Point-3 (IP-3) facility.

Step 1 identified potential SI accident sequences that violated vital safety criteria and could lead to core damage by using event tree analysis. These sequences were grouped by consequence specifically for IP-3. Step 2 identified the components of the systems important to the SI accident sequences by using simple fault trees. We then suggested that dependent failures due to support systems, environmental conditions, or dynamic human error could be identified through dependency tables, FMEA, and walk-throughs. Finally, Step 3 presented a simple structural ranking procedure for finding the most important SI accident component sets. These evaluation procedures will rest heavily on operator experience.



Technical Information Department, Lawrence Livermore Laboratory, University of California, Livermore, California 94550
