ML20093H138
| ML20093H138 | |
| Person / Time | |
|---|---|
| Site: | Millstone  |
| Issue date: | 05/30/1984 |
| From: | Bernreuter D, Ariuska Garcia, Mckone T LAWRENCE LIVERMORE NATIONAL LABORATORY |
| To: | Office of Nuclear Reactor Regulation |
| Shared Package | |
| ML20093H124 | List: |
| References | |
| NUDOCS 8410160179 | |
| Download: ML20093H138 (357) | |
Text
.._ . _ .. ...~ .._. _ __ _ .._.
MAFT 7' .
x A REVIEW 0F THE MILLSTONE-3 PROBABILISTIC SAFETY STUDY Abel A. Garcia, Principal Investigator May 30, 1984 Prepared by A. A. Garcia T. E. McKone D. L. Bernreuter P. D. Smith Lawrence Livermore National Laboratory P. J. Amico Applied Risk Technology Corporation J. W. Reed M. W. McCann, Jr.
Jack R. Benjamin & Associates, Inc.
P. R. Davis G. Apostolakis Consultants Lawrence Livermore National Laboratory 7000 East Avenue Livermore, CA 94550 Prepared for Division of Safety Technology Office of Nuclear Reactor Regulation U. S. Nuclear Regulatory Commission Washington, DC 20555 1
1 8410160179 840926
! PDR ADOCK 05000423 A
PDR f ' % @ ,.3 ;' C .
Fl})"
c ... a
3 -
TABLE OF CONTENTS 1.0 Executive Summary 1 -1 2.0 Introduction 2-1 2.1 Background 2-1 2.2 Scope 2-1 3.0 Internal Eventi Analysis 3-1 3.1 Initiating Events 3-2 3.2 Event Trees 3-16 3.3 Success Criteria 3-45 3.4 Systems 3-52 3.5 Human Factors 3-124 3.6 Failure Data 3-132 3.7 Operating Experience Analysis 3-167 3.8 Analysis Codes 3-173 3.9 Accident Sequences 3-176 3.10 Dependencies 3-194 3.11 Ouantification 3-205 3.12 Requantification Sununary for the Internal Event Accident Sequences 3-210 4.0 External Event Analysis 4-1 4.1 Seismic 4-2 4.2 Fire 4-35 4.3 External Flooding 4-44 4.4 Internal Floods 4-47 4.5 Extreme Winds 4-54 4.6 Aircraft Accidents 4-57 5.0 Summary and Conclusions 5-1 5.1 Dominant Sequences Corresponding to Each Plant Damage State 5-1 5.2 Treatment of Uncertainties 5-15 5.3 Insights 5-26 Appendix Appendix A, Review of the Revised Millstone Unit 3 Probabilistic Safety Study Seismic Fragility, May 1984 Appendix 8, Review of the Millstone Unit 3 Probabilistic Safety Study Seismic Fragility, Wind, and External Flooding, December 1983
s
-1.0 Executive Sumary Lawrence Livermore National Laboratory (LLNL) has conducted a review of the Millstone Point Unit 3 Probabilistic Safety Study (MP-3 PSS) for the Office of Nuclear Reactor Regulation (NRR) of the U. S. Nuclear Regulatory Comission (MtC). The review was performed by a project team assembled for the purpose and composed of personnel from LLNL staff, subcontractors ano consultants. The review began in September 1983 and was completed in May 1984.
The objective of the project was to review those aspects of the MP-3 PSS leading to the estimates of the plant damage state frequencies and associated uncertainties to determine the accuracy of those estimates. The PSS results for core melt probabilities were 4.5 E-5/R-Y for internal events and
! 9.9 E-5/R-Y for external events. External events were dominated by contributions of 9.4 E-5/R-Y from seismic events and 4.8 E-6/R-Y for fires.
The review included a simplified re-evaluation and requantification of the internal event analysis, and estimates of the potential effects of changes to some of the external event analyses. The scope of the project did not include a review of offsite consequences, nor extensive requantification.
The review process included several meetings with the plant owner, and his subcontractors and consultants, two site visits and formal comunications, including detailed questions and answers.
A particularly difficult problem arose with respect to the seismic evaluation of the plant. About the time the MP-3 PSS was submitted to the NRC, NUSCO acknowledged that the evaluations of seismic hazard and seismic
. fragilities contained in the PSS were incorrect: they believed that both were excessively conservative and that the relatively high probability of core melt l due to seismic events, 9 E-5 per reactor-year, which dominated the total core melt probability, was due to these conservatisms. NUSCO, in fact, commissioned new analyses of both areas to remove the excessive conservatism.
I LLNL recognized early in the review that the seismic hazard evaluation in the PSS was not conservative - but optimistic, by perhaps an order of magnitude in the range of interest. In other words, our estimate of the probability of !
l l l
1
(
. 1
~
earthquakes was approximately a factor of ten larger than the PSS estimate and NUSCO expected their new estimate to be smaller than the PSS estimate - so that a significant difference would exist in the ultimate results. This issue was not resolved by our review because we did not review the revised seismic evaluation that NUSCO submitted to the NRC after the review project began.
The review covered all major areas of the plant analysis and evaluation in
. the PSS. This included initiating events, event trees, success criteria (for functions and systems) -fault trees, human factors, component and operating experience data and the treatment of uncertainty. The review of external i events included earthquakes, fires, external and internal flooding, extreme winds, aircraft accidents, hazardous materials, and turbine missiles. The -
review effort expended varied significantly in these areas, both because of the extent and detail of the analysis presented in the PSS, and because of the relative importances of the specific areas. More effort was expended on those areas that were, or had the potential of being, significant contributors to ;
core melt or public risk.
The scope of the review included an examination of several issues of particular concern to the NRC, including: (1) recirculation pump seal failure during station blackout, (2) depletion of station batteries during station blackout, (3) pressurized thermal shock, (4) steam generator tube rupture with
! stuck-open secondary steam relief valves, (5) anticipated transients without scram, and (6) stuck-open safety / relief valve. Some of these issues had an
! effect on system and/or sequence models, and on the requantification; others, l such as pressurized thermal shock, could not be completely evaluated. In this
) example, an assessment of the probability of core melt given the occurrence of pressurized thermal shock is well beyond the scope of the review and, very likely, beyond the present state-of-the-art.
i No significant omissions were found in terms of an overall contribution to i the core melt probability. Several significant omissions were found in terms of modeling errors that indicate an incomplete or different understanding of interactions between plant systems or between human beings (operators) and i plant systems: these are described in the internal events section. The l j 1-2 1
b -
problems with the seismic hazard evaluation described in an earlier paragraph are also due, at least in part, to models which are believed to be incomplete in terms of the range of expert opinion censidered.
- s
. The principal qualitative and quantitative conclusions of this review are briefly described in general terms in the following sections.
l.1 Internal Events The extent and type of internal event initiators and their treatment is reasonable and consistent with those considered in other PRA's.
Except for the V-sequence, the systems analysis is adequate and reasonably consistent with the state-of-the art. The use of the large event tree /small fault tree methodology, where the support states are defined for various conditions of initiating event occurrence and system or train availability, made the review and requantification more difficult. This was particularly true in the assessment of electrical systems and conunon-cause failures because ;
the process of evaluating the effect of a change in the model of a single component or a failure rate, for example, is not straightforward. This is largely due to the difficulty of identifying all of the places that a given component or fault tree enters into the larger model, i.e., where all of the
- interfaces are.
l l
The event tree and systems models were, with some exceptions, found to be reasonable and appropriate. Major human errors wEre included as events on the event trees in a consistent and correct manner; however, erroneous operator action due to incorrect interpretation of plant conditions (cognitive errors) l l
were not treated, and we added two actions of this type to the event trees. 1 I
i
)
- Success criteria for the various emergency functions were found to be reasonable. Several minor changes were made, with the most significant being rejection of an optimistic PSS assumption that any one out of four HPSI pumps is capable of providing high pressure injection during small LOCA events.
This success definition w'as revised to allow success for (a) cne out of two charging pumps alone, but to require (b) one out of two PORV's in combination with one out of two safety 16jection pumps.
1-3 o r
__ _ _ , __ . . , _ . ._ . . _ _ . . . _ . _ , _ . _ . _ . . _ , . . _ _ . _ _ , - _ _ , _ , _ . - . . _ . , _ _ _ _ . _ _ - _ ~
The sixteen system fault tree analyses in the PSS were found to be' ~~
reasonable and acceptable, with a few exceptions. A significant modeling error was identified in which the dependence on the vital DC system by the vital AC system, the main electrical system, and the emergency generator load '
sequencer was not included on the corresponding fault trees. We were unable to estimate the quantitative effect of this error due to its pervasiveness and the nature of the event tree / fault tree / support system model, which makes requantification almost impossible. 4 The review of the failure rate data used in the PSS consisted of a comparison of the individual component failure rates with other sources, a review of system failure rates and unavailabilities, and a review of the <
comon-cause failure assessment. Although we found notable differences with other sourc9s, none of the component data differences (except possibly diesel-generators) were judged to have significant impact on the core melt results. A simplified sensitivity evaluation for an increase by a factor of q five in the failure rate of the emergency power system (based on the changed j diesel-generator rate) indicates that: (a) the core melt frequency would increase by a factor of three over the PSS value for the first year or two of operation aad would be only slightly larger than the PSS value thereafter, (b) early fatality risk would not change, and (c) late fatality risk would 1 increase by about a factor of five for the first year or two and would increase by less than a factor of two thereafter. These results do not l consider changes made to the models in other parts of the review.
, The reviews of operational experience and analysis codes used in the PSS l found both to be reasonable and acceptable.
A review of severe accident sequence progression which included consideration of assumptions, analysis and predicted phenomena indicates that (a) the V-sequence evaluation in the PSS contains deficiencies which result in a conservative probability of core melt and public risk, and (b) many conservative assumptions were made in the PSS, but that none have a significant influence on the results with the possible exception of the V-sequence, which we did not completely re-evaluate. This sequence was found to be a major risk contributor which was not adequately evaluated in the study.
1-4
._,,-----s,, , , , , , , - - - - , - - , ---..,--.m---.,.,.w ,wa,,,.,- - ,e -v~,, ,,.m1,,mm,,e.n,~ . - ,,----.---,-------,,,,--,----n---,----------~~--n----- m
-Consideration and treatment of dependencies in the PSS was evaluated in ,
the review in three categories: common cause initiating events, intersystem dependencies, and intercomponent dependencies. Numerous conservatisms identified in the area of common cause initiating events appear to be largely insignificant. The review of intersystem dependencies identified the failure to treat loss of DC power in the support state analysis as a potentially significant deficiency if the auxiliary feedwater system requires DC power -
which NUSCO states is not necessary for successful AFW system operation. The intercomponent dependencies modeled in the PSS are judged to be reasonable and correct.
The overall quantification process used in the PSS is a natural product of the choice of methodology, i.e., the large event tree-small fault tree approach. No errors were found in the quantification process, however, we 4
were unable to review the specific procedures of the discrete probability l distribution (DPD) arithmetic used to propagate uncertainties because that ,
information was not provided in the PSS.
A simplified requantification of the internal event sequences incorporated all structural changes to the event trees and revised data for both components and human errors. Our estimates of the effect of these changes on the core '
melt probability is compared to the original PSS mean values on Table 1-1.
Although the revised total core melt probability is estimated to be larger by approximately a factor of two, it is important to note that this does not necessarily imply a similar increase in overall public risk. For example, the reduced frequency of the V-sequence, which dominated early fatality risk, will result in a reduction of overall risk for early fatalities.
i i
1-5 .
l
-___ _ - _ _--_ _ _ =. . .- . - _ - - . ~.
.k C
taste i-i ._
Plant Damage State Frequencies for Internal Events (perReactor-Year)
NAt 4 DESCRIPT!ON PSS REVIEW MEAN ESTIMATE
- r AEC LMGE LOCA, EARLY MELT 1.92E-06 8E-7 AEC' LARGE LOCA. EARLY MELT, FAILURE OF RECIRCULATION SPRAY 4.17E-09 --
AE LARGE LOCA, EARLY MELT, NO CONTAIMMENT COOLING 2.68E-09 ----
ALC LARGE LOCA, LATE MELT 5.44E-06 2E-6 ALC' LARGE LOCA, LATE MELT, FAILURE OF RECIRCULATION SPRAY 4.88E-07 1E-7 g ALC" LARGE LOCA, LATE MELT, FAILURE OF QUENCH SPRAY 3.42E-09 --
AL LARGE LOCA, LATE MELT, NO C3NTAIMMENT COOLING 3.36E-10 --
SEC SMALL LOCA. EARLY MELT 1.12E-06 2E-5 SEC' SMALL LOCA, EARLY MELT, FAILURE OF RECIRCULATION SPRAY 2.76E-09 --
SE SMALL LOCA, EARLY MELT, NO CONTAlletENT COOLING 1.17E-07 6E-6 S'EC INCORE INSTRLMENT TUSE LOCA, EARLY MELT ---- 4E-7 y S'E INCORE INSTRUMENT TUSE LOCA, EARLY MELT, NO CONT. COOLING 1.83E-09 ---
SLC SMALL LOCA, LATE MELT 9.81E-06 2E-5 SLC' SMALL LOCA, LATE MELT, FAILURE OF RECIRCULATION SPRAY 4.79E-07 1E-6 SLC" SMALL LOCA, LATE MELT, FAILURE OF @ENCH SPRAY 5.77E-08 ---
SL SMALL LOCA, LATE MELT, NO CONTAINMENT COOLING 2.73E-09 ----
S'l INCORE INSTRUMENT TU8E LOCA, LATE MELT 3.35E-10 IC-7 I TEC TRANSIENT EARLY MELT 1.81E-05 2E-5 TEC' TPANS!ENT, EARLY MLT, FAILURE OF RECIRCULATION SPRAY 3.46E-07 2E-7 TE TRANSIENT, EARLY PELT, M0 CONIAINMENT COOLING 5.31E-06 1E-6 TLC TRANSIENT, LATE MELT - - - - - - 4E-5 V2EC STEAM GENERATOR TU8E RUPTURE, STEAM LEAK, EARLY MELT 1.11E-07 4E-6 V2EC' SGTR, STEAM LEAK, EARLY MELT, FAILURE OF RECIRC. SPRAY 1.03E-09 3E-7 V2E SGTR, STEAM LEAK, EARLY MELT, M0 CONTAINMENT COOLING l.2 0 08 ----
V2LC SGTR, STEAM LEAK, LATE MELT 2.76E-09 2E-7 V2LC' SGTR, STEAM LEAK, LATE hlLT, FAILURE OF RECIRC. SPRAY 1.49E-10 ----
V2LC' SGTR, STEAM LEAK, LATE MELT, FAILURE OF QUENCH SPRAY 1.77E-11 ----
V2L SGTR, STEAM LEAK, LATE MELT, M0 CONTAINMENT COOLING 8.40E-13 ---
V INTERFACING SYSTEMS LOCA 1.90E-06 aE-7 TOTAL ** 4.53E-05 IE-4 The review estimates provided are preliminary estimates based on a number of simplifying assumptions and subject to a neber of limitations discussed in Section 5.1.1. The reader is crutioned to keep these assumptions and limitations in eind when considering the various potential topitcations of these results.
It is important to note that the increase in the plant damage state frequency does not necessarily imediately imply a corresponding increase in overall public risk. The reduction in the frequency of interfacing systems LOCA, which was a dominant contributor to early f atalttles risk, will result in a reduction in overall risk for early fatalities.
N
/- (, .
1.2 External Events The external event types considered in the PSS are earthquakes, fires, external and internal flooding, extreme winds, aircraft accidents, hazardous materials, and turbine missiles. This range of event types was judged to be reasonable and consistent with other PRAs anc with the suggestions made in the PRA Procedures Guide.
The approach to the evaluation of these events took the form of a screening evaluation to identify those significant enough to be considered for more detailed assessments. Only earthquakes and fires survived the screening and were subjected to detailed assessments.
The methodologies used in both the screening and detailed assessments are generally reasonable and consistent with the state-of-the-art. More detail is provided below for the various event types.
1.2.1 Earthquakes The methodology used for the evaluation of seismic events is generally consistent with the state-of-the-art of commercial PRAs, except for the evaluation of seismic hazard. A revised hazard evaluation would have the potential to overwhelm both the previously calculated seismic and total risk results. We recognize that this is partially due to a rapidly developing methodology for estimating seismic hazard that is generally producing results
! showing older hazard estimates for the eastern U.S. are too small.
The original fragility assessment submitted to NRC was conservative and also contained numerous conceptual and logical errors. The revised version, submitted in Amendment I to the PSS, is reasonable and consistent with the state-of-the-art in this field.
The methodology for identifying and selecting seismic-induced initiating events and estimating their probabilitir.s was not described. [ Itis considered likely that important initiating events were omitted and that the probabilitiesofthoseincludedareoptimistic.]
! 1-7 .
1
- . . - _ _ - - - - . . . . _ - _ - _ . . - , - . - . _ . - - - - - - - . . _ _ - _ _ - , - . _ . . . - ~. . - _ . , . . - _ ,
k The methodology used to condense the internal-initiated plant logic ~
models to seismic-initiated models was inadequately described and unconvincing.
The methodology used to assemble and evaluate the hazard, fragility and plant logic models contains extensive simplification which is believed to lead to optimistic accident frequency estimates. For example, correlation of seismic response was not included in calculations for initiating event probabilities, within the plant logic model, or in the uncertainty analysis. (
i 1.2.2 Fires The methodology used in the evaluation of fires contains several notable ;
errors. The screening process used was reasonable and complete. All fire areas deserving detailed analysis were identified. The fire frequencies in various compartments were estimated using acceptable methods and are reasonable. ,
j The analysis of loss of safety functions due to fires in critical areas i
is not rigorous and explicit, nor performed consistent with the j state-of-the-art; however, the effect of these deficiencies appears to be a conservative bias cf about one order of magnitude for the conditional fraction
- of fires that result in loss of safety functions.
The event tree analysis is reasonable, with one exception: the error rate for failure to switch control from the control room to the auxiliary
- shutdown panel (.001 per demand) is judged to be too low by about a factor of 200. A rate of about 0.23 per demand is suggested for this error. ,
The net effect of the two numerical changes suggested above is estimated as an increase of a factor of 6 in the core melt frequency, from 4.8 E-6 to 2.8 E-5 per reactor-year.
Several issues of potential significance were not addressed in the PSS, including: the impact of earthquakes or fires and fire protection systems; the effects of fire suppression agents on equipment; and the response of equipment and cables to high heat fluxes and temperatures. We consider the latter two issues beyond the present state-of-the-art.
1-8 l
- - _ - - . _ . . . - - ~ . . . . - . . ~ . - - - - - - - , . - . , . . , - - - - . - . . . . - . . , - - , - - - - - . ~ , - . . , - - - - - ,
l
~
1.2.3 External Flooding A qualitative screening analysis concluded that this event was an insignificant contributor to plant risk. No formal probabilistic analysis was performed and no point estimate values were provided to support or justify the conclusion. Although some of the judgments in the PSS are believed to be conservative, the absence of an uncertainty analysis is considered a serfous J omission. The large uncertainties which exist for water level exceeding the protected (water-tight) elevation of 25.5 feet above mean sea level indicate that there is a possibility of a mean frequency of core melt larger than 1 E-6 per reactor year.
The conclusion that the contribution from this event is insignificant relative to other hazards, in the absence of an uncertainty analysis, is judged to be inadequately justified and unacceptable.
1.2.4 Internal Flooding A qualitative screening analysis concluded that core melt induced by this ,
event has an estimated frequency of 8.5 E-7 per reactor year, and that it does
! not significantly contribute to plant risk. The analysis includes several l important conservative assumptions, including, for example, that all l components in a flood zone are disabled if a flood occurs in that zone.
Individual zones were assumed to have a flood frequency of 2 E-3 per reactor
- year, based on an unexplained derivation from WASH-1400 for breaks in pipes I
with a diameter greater than six inches, and no estimate was made of the i actual flood sources present in each zone.
! Inadvertent actuation of fire protection equipment was not considered, and reactor trip was assumed to follow any flood-induced initiating event.
Both assumptions are optimistic, but may not be significant.
l The conclusion that the contribution from this event is insignificant as a contributor to core melt, withou*. detailed assessments of flooding in the
! cable spreading and switch gear rooms, and in the absence of an uncertainty analysis, is judged to be inadequately justified and unacceptable.
1 I l 1-9 J l
1 l
l.2.5 Extreme Winds -
A qualitative screening analysis conclufed that wind effects are not significant contributors to plant risk. The basis for this finding is that the governing wind event is the occurrence of severe tornadoes, and all safety-related structures have been designed to resist tornado loads and resultant missiles for wind speeds up to 360 mph. The minimum thickness of reinforced concrete in the walls and roofs of these structures is two feet.
The site hazard for tornado winds exceeding 360 mph is given as 5.4 E-6 per year. We believe this figure to be conservative and that justification exists (not provided in the PSS) to show that this probability is less than 1 E-8 per year. This frequency of structural failure or missile-induced damage, given a 360 mph tornado, would be smaller than 0.1.
We agree that wind hazard is not a significant external event even though no fragility curves were developed, no systems anal.ysis was performed, and no j uncertainty analysis was included.
1.2.6 Aircraft Accidents A quantitative assessment of the frequency of onsite aircraft crashes was performed in accordance with the NRC Standard Review Plan. The total j frequency estimates for onsite accidents of 1.6 E-6 per year is dominated by a contribution of 1.2 E-6 per year from general aviation (light aircraft), whose damage potential is limited to the switchyard. The FSAR states that no increase in air traffic is projected in the vicinity of the site, but the PSS does not address this topic.
We judge the effective plant area and structures considered susceptible to damage by the various classes of aircraft to be reasonable and conservative. We also judge the analysis of crash frequencies to be conservative choices for the numbers and types of flights considered.
The conclusion that aircraft crashes are not significant contributors to core melt accidents, based on their low frequencies and the low likelihood of such an accident resulting in core melt, is judged to be reasonable and i
acceptable.
C 1 - 10 i
r- - - - - - -
) '
1.2.7 ' Hazardous Mateeials A qualitiative assessment of the potential for offsite and onsite incidents involving the transportation and storage of hazardous materials concluded that they were insignificant contributors to core melt.
The analysis considered road, rail and water transport routes, and
, offsite and onsite storage facilities and pipelines.
Numerical estimates of potential risk were made only for rail shipments of propane, which has a small contribution. All other potential sources were dismissed.
The conclusion that all of these accident types are relatively insignificant contributors to core melt is judged to be correct, but inadequately justified, particularly for accidents involving onsite storage of chlorine in railroad tank cars.
1.2.8 Turbine Missiles A qualitative assessment concluded that turbine missiles are not significant contributors to plant risk on the basis of their low frequencies.
In their analysis, the use of a probability of 1.4 E-8 per year of missile generating turbine failures supplied by GE results in a probability of significant damage to a critical structure or components of 2.5 E-10 per year. This low probability does not account for recent NRC concerns with stress corrosion cracking.
Acknowledging this concern, a second calculation was performed in the PSS using 1 E-4 per year for missile generating turbine failures, as recommended in NRC Regulatory Guide 1.115. The result is a probability of 1.8 E-6 per year for significant damage to critical structures or components, which the PSS judges to be acceptable due to conservatism in the overall analysis. We agree that this conclusion is reasonable.
i 1 - 11 e I __. __ . _ . - _ . - _ _ _ . . _ . _ - - _ - _ _ _ , _ _ - . _ ~ _ _ . _ _ . - - _ _ . _ _ __ _ _ - - - _ _ . - ~
-) .
2.0 Introduction ~
LLNL has conducted a review of the Millstone Unit 3 Probabilistic Safety Studyl (MP-3 PSS) for the Office of Nuclear Reactor Regulation (NRR) of the Nuclear Regulatory Commission (NRC). This project is one of several in a larger NRR probabilistic risk assessment (PRA) review program in which PRAs performed and submitted to the MtC by selected light water reactor plants in response to regulatory requests and/or requirements receive comprehensive review and evaluation.
2.1 Background
The roots of the PRA review program lie in the interest expressed in April 1980 by the Conunissioners of the NRC in determining if there were any candidates for special risk studies at plant sites which may be risk outliers. The staff performed limited generic risk analyses for plant sites within the U.S. based on (1) weighted population density within a 30 mile boundary about the site, (2) plant power level, and (3) stage of construc-tion. Three plant sites (Zion, Indian Point, Limerick) were found to have a weighted density factor 10 to 15 times higher than the median (SECY-81-25)2 These plants were required to perform a PRA. Eight were found to have a slightly lower weighted density factor (4 to 8 times the median), but only Millstone 3 and Bailey were in early construction stages where design modifications that might be suggested by PRA analysis would be most productive. On September 21,1981 (letter from H. Denton (NRC) to W. G. Counsil (NNECO), " Risk Evaluation - Millstone Unit No. 3") the staff requested Northeast Nuclear Energy Company to perform a PRA for Millstone 3.
NNECO performed the analysis and submitted a completed PSS to the NRC in August 1983.
i 2.2 Scope
! The objective of this project was to perform a review of those aspects of the Millstone-3 PSS leading to the estimates of the frequencies of each plant damage state and the associated uncertainty spread to determine the accuracy 2-l ,
i l
l of these estimates. The review cc
- methodology, assumptions, data, infor- -
mation, sources, models, plant un anding, completeness of the analysis and other areas where inconsistencies could affect the quantitative or qualitative ;
results. -
The scope of the analysis did not include extensive reevaluation or' requantification of plant damage state frequencies, nor a review of the consequence analysis included in the MP-3 PSS. ;
References d
1 l
l l
l 2-2 C
i l
j -
I 3.0 INTERNAL EVENTS ANALYSIS The evaluation of internal events in the MP-3 PSS uses the large event
', tree /small fault tree methodology, where support states are defined for various conditions of initiating event occurrence and system or train availability. The internal event initiating event evaluation is reported in PSS Section 1.1 and supported by PSS Appendices 1-A, and 1-0 through 1-F. The plant and systems analysis is described in PSS Sectiun 2, which constitutes a large fraction of the PSS, and supported by Appendices 2-A through 2-G, and 2-L. .
In very general terms, the internal event analysis is reasonable and
]
consistent with the state-of-the-art. Many minor deficiencies, both
! conservative'and optimistic, and a few significant errors were identified.
The V-sequence was found to be a major risk contributor not adequately evaluated in the study.
1 i
Our review, which covers the entire internal event analysis in the PSS, is described in the sections which follow. These address, respectively, the
! topics listed below in the noted sections: initiating events ( 3.1), event j trees ( 3.2), success criteria (%3.3), systems analysis (53.4), human factors
( 3.5), failure data ( 3.6), operating experience (%3.7) and analysis codes
. ( 3.8), severe accident sequence progression (53.9), dependencies ( 3.10), and
- the approach to quantification (53.11). We also performed a simplified requantification of internal events (43.12) as part of the review. The l requantification included most of the various changes made to the event tree models, and to the component and human error data during the course of our i review.
t
=
3-1
G l' 3.1 Initiating Events
{ The MP-3 PSS evaluated more'than sixty individual initiators in the process of defining a set of twenty-two classes of initiating events for the-study. .This section presents the results of a review of the completeness of l the set of initiators considered and 'of the frequency estimates assigned to 4 each.
t .
i 3.1.1 Completeness of Initiating Events Considered a
The PSS considered two general classes of initiating events, LOCAs and revious PRAs The LOCA c asses er ef ed b x ning those i AH 400
! (the Reactor Safety Study) and from an evaluation of the Millstone plant i design to determine if any special LOCA evaluations were required. The transients were developed primarily from the PWR transient list contained in EPRI NP-2230, ATWS: A Reappraisal, Part 3: Frequency of Anticipated i Transients. This list was augmented by the development of plant specific
! initiators which were selected because they had unique effects on the plant response following the occurrence of the initiator. The list of initiators j considered is consistent with those from previous PRAs, and the methodology used is consistent with those espoused in NUREG/CR-2728 the IREP Procedures f
j Guide)andNUREG/CR-2815(thedraftNREPProceduresGuide). No significant j internal initiators were identified as having been omitted from the evaluation.
l l Table 3.1.1 lists the 21 specific initiator classes which were used in the PSS. These classes were developed to represent differences in plant
- response to each initiator class. Most of the classes are reasonable and consistent with previous PRAs except for the division of the majority of the i anticipated transients into event classes 7 through 12. Although these j groupings represent differences in the initial phenomenology of transients, they do not represent differencer in the plant response or in their effects on mitigating systems. Further, these groupings do not account for the f possibility of the power conversion system (PCS) being available (see Section i 3.2.1.3). For these reasons, the events in these classes were regrouped for ~
l this review into two classes, one for loss of PCS and one for PCS available.
~
r These new classes are shown in Tables 3.1.2a and 3.1.2b and it is noted that some transients appear on both lists. These transients, while not 1 automatically failing PCS, result in significant, asynenetric perturbations which are more likely to fail the PCS than other transients. The probability
- . assignments for these transients were made on the basis that 50% of the time l these transients occurred the PCS would definitely fail and the other 50% of the time it would be available.
3.1.2 Frequency of Initiating Events A list of the final initiating event classes used in the PSS and their mean and median frequencies are shown in Table 3.1.3. These values are compared with point (or best) estimate values from either NUREG/CR-2787 (the
- ANO-1 IREP study) or from other sources recommended in the NREP Procedures Guide and presently available. The ANO-1 IREP study was used since it is the t a val es r used n he r va uation of t a dos n nt c t sequences for each plant damage state. The source of the point estimate
! values is also shown in the table. The remainder of this section discusses
! the methods used by the PSS to establish some of the values used in the study, and to explain the source of some of the point estimate values used in the requantification where the source of the values is not obvious and '
f straightforward.
I
- 3.1.2.1 Quantification Methods t
4 The PSS used very sophisticated calculational methods to develop ;
i frequencies for some of the initiating events. For the events involving pipe j breaks, they took the 5th and 95th percentile frequencies from WASH-1400 and 4
used them as the 20ther and 80ther percentiles of prior distributions for a Bayesian estimation of pipe failure rate distributions. Bayesian techniques
! were also utilized in the PSS for loss of offsite power, using the history of LOSP over the entire U.S. as the prior and the Millstone site specific data as
- the posterior. In the quantification of interfacing systems LOCA, the utilization of the log uniform distribution and discrete probability distribution (DPD) technique results in an unrealistically skewed ,
i 3-3
- (
1 distribution,.with the mean value being more than two orders of magnitude i higher than the median, and even slightly higher than the 90% confidence bound. This example demonstrates that the use of Bayesian techniques to j incorporate " plant specificity" may not be meaningful in data bases this !
small. The deviations which are credited to plant specific differences could also be caused by random distributions of occurrences within the general _
population.
3.1.2.2 Steam Generator Tube Rupture The point estimate for steam generator tube rupture (SGTR) was developed from actual operating data for Westinghouse reactors in the U.S. A review of available data on steam generator tube leaks found three SGTR events through early 1982. This represented a total of 212 reactor-years of operating experience. The point estimate value is essentially identical to the median value used in the PSS.
3.1.2.3 Steamline Breaks The PSS apparently made an error in its selection of data for the steamline break events. The PSS states that one of the causes of steamline break inside containment is ".. steam generator relief valve failures..." This is a reasonable statement since "inside containment" here refers to cases where the break path originates upstream of the main steam isolation valves, regardless of where the break ultimately discharges the steam. The concern is whether or not MSIV closure will terminate break flow as opposed to where the steam actually goes. However, in the quantification of steamline break events, event #29fromEPRINP-2230(suddenopeningofsteamreliefvalves)
- was added to the steamline break outside containment category. This event a logically belongs in the inside containment category, and it is the dominant contributor to the frequency of steamline breaks inside containment. The case of steamline break outside containment is dominated by large pipe breaks and
- would have a frequency identical to large LOCAs, which is consistent with assumptioris made in previous PRAs.
! 3-4
l 3.1.2.4 Anticipated Transients The discussion in Section 3.1.1 describes the regrouping of transient classes 7 through 12 into two classes representing the condition of the PCS iollowing the initiator. Tables 3.1.2a and 3.1.2b show the point estimate frequency calculations for these two classes. The frequencies for the individual transient types were taken directly from EPRI NP-2230. The frequency of events which appear in both classes was split equally between the classes. There is no significant difference between the total frequency of classes 7 through 12 from the PSS and the frequency of the two new classes developed here since the same basic data source was utilized for both.
3.1.2.5 Loss of Offsite Power The Bayesian treatment of this event in the PSS is judged to be reasonable. The historical frequency of LOSP events at the Millstone site
, (one event in thirteen years) cannot be statistically demonstrated to be significantly different from other sites in the region. On the other hand, there is sufficient evidence to suggest that the regional grid is a contributor to differences in LOSP frequency across the country. That is, statistical evidence show3 that plant location (in a regioital sense) does have an effect on LOSP frequency. Although it is by no means the only effect, it is one which has easily accessible data. The point estimate for the historical LOSP frequency for the nuclear sites in the Northeast Power Coordinating Council (from NUREG/CR-2815, the NREP Procedures Guide) is 0.3 LOSP events per year. The value for LOSP used in the PSS is 0.11, substantially lower but not unreasonably so, and there appears to be evidence to support this number. The PSS, however, did not provide adequate justification for the use of this lower number.
The recovery of offsite power values developed in the PSS were also reviewed. This analysis utilized data specifically pertaining to facilities l in the Northeast Power Coordinating Council. The PSS, however, did not include the 1976 event at Millstone Point which resulted in an extended loss of offsite power. They removed this event from the data base because they felt that improvements 'n switchyard design completely eliminated this ,
l l
l 3-5
_ (
4 ._
specific failure mode. In addition, the length of the outage reported for this event is noted to be conservative, because offsite power was recovered s earlier but the operators chose to stay on emergency power since it was available. The PSS values were compared with the recovery values developed j for the same site during the Millstone 1 IREP study which were taken directly l from EPRI NP-2301, " Loss of Offsite Power in Nuclear Power Plants: Data and q Analysis." Although the PSS values are somewhat more optimistic than the IREP
- values, they are surprisingly close, especially in the early time frame (less
- than a factor of two reaching about a factor of 2 at two hours and about a f actor of 5 at eight hours). Thus, the offsite power recovery values y developed in the PSS were judged to be acceptable, with recognition of the I fact that use of the EPRI/IREP values would affect the values of extended total station blackout sequences by factors of two to five.
3.1.2.6 Incore Instrument Tube Rupture i It is unclear how the PSS came up with its values for this event, other l than a statement that the values are based on WASH-1400 and utilize the Bayesian techniques previously discussed. We performed a simple bounding f calculation based on the assumption that each tube is a single pipe segment of l less than 3-inch diameter and thus has a failure rate of lE-9/hr (from WASH-1400). We estimated that there are approximately 40 such tubes. This l results in a frequency for the tune rupture event of approximately 4E-4/ year, j which we will use as our point estimate value. This is the same as the PSS l median value for this event.
l 3.1.2.7 InterfacingSystemsLOCA(EventV) l i
The PSS determined that the frequency of event V is dominated by the RHR i suction line valve failure and that injection line valve failure is not significant. This is logical since the injection lines contain three valves and the suction line only two. BothNUREG/CR-2787(ANO-1IREP)and NUREG/CR-2515(CrystalRiver-3SafatyStudy)concludedthatthesefrequencies were small. The Crystal River study estimated that the frequency of event V was approximately lE-9 per injection path for paths containing two check valves and a normally open motor operated valve which could be closed ,
3-6
4' following initial blowdown. Using the same method as used in the Crystal River study, we perfomed a simple bounding calculation of a point estimate of evt.nt V in the RHR suction line at Millstone. Using a failure rate of IE-7/hr for catastrophic internal leakage in a motor operated valve (from the NREP Procedures Guide), and assuming that the inboard valve must fail first before the outboard valve is exposed to high pressure, the frequency of event V is i estimated to be:
(IE-7/hr
- 8760hr/yr) * (1/2 yr
- IE-7/hr
- 8760hr/yr) = 4E-7/ year
! As previously stated, the presence of an additional valve in the injection i
paths would make the contribution to event V from these other paths j negligible. Thus our point estimate is based only on the RHR suction path.
, The sophistiaated treatment of this event in the PSS by the use of PDP l arithmetic is not considered justified since it results in a remarkably skewed j distribution for this event, as discussed in Section 3.1.2.1. Although this
! result is a consequence of the consistent application of the techniques l utilized throughout the study, which were based on the NREP procedures guide, l the result should have been recognized by the PSS study team as being i unrealistic. This particular case is clearly an exception to the general rule governing the use of a loguniform distribution, and a distribution should have i been found which had a lower mean/ median ratio and which did not place the j mean near the 90% confidence bound. This problem is particularly meaningful j in this case since this event is the dominant contributor to the final risk l results for internal events, so that the final risk curves for early j fatalities have the same distribution as this event. Thus, the conclusions
! drawn from the risk curves are driven solely by the statistical technique l utilized rather than the plant model itself: this fact alone argues for the i rejection of the PSS distribution. It was replaced with the above calculated j best estimate in our requentification.
! 3.1.2.8 Small LOCA i
l The PSS combined classical and Bayesian analysis to determine the frequency of the small LOCA event. Bayesian analysis was utilized to evaluate the frequency of random pipe breaks of this size range and classical analysis ,
l 3-7
- 4 e
i j wasutilizedtoevaluatethefrequencyofreactorcoolantpump(RCP) seal LOCAs, which also fall into this break size. The PS$ does not make clear <
}l where the data for the classical analysis comes from. It is clear, however, that this data does not agree with the estimate of RCP seal LOCAs from the AND-1 IREP study. Further, the Millstone plant has ioop isolation valves which could be used to isolate RCP seal LOCAs but they took no credit for this g I action even though procedure guidelines exist. Thus, we believe that a l different value for small LOCAs should be used. The basis for this value will
{ adjusted for recovery. The ANO-1 values are IE-3/ year and .02/ year <
[ respectively. An examination of the operator actions used in the PS$
} pertaining to small LOCAs reveals that, in general, the operator has on the
! order of 30 minutes to mitigate this event if the automatic systems fail.
l Thus, we conclude that if the operator can isolate the break within 30 g'
{ minutes, the small LOCA event will be terminated. This recovery would apply j only to TCP seal LOCAs, which would always occur between the loop isolation
- valves. Using the cognitive error model recommended in the NREP Procedures I
Guide (NUREG/CR-2815), the probability of the operator failing to diagnose and l take the proper action within 30 minutes is .01/ demand. Since the failure rates of the values per demand is approximately an order of magnitude lower than the operator error probability, the total failure probablity for this
- action can be estimated as .01. Thus, tha total frequency of small LOCAs is estimated to be
) F(5-LOCA)=1E-3+(.02)(.01)=IE-3 This value is used in the recalculation of plant damage state frequencies j contained herein. One additional important note is that it is not clear how l the ability of the operator to perform this action will be affected by the
- support system state. Therefore, this value will be used only for suppor t state number 1, where all support systems are available. For all other support states it will be assumed that at least one of the loop isolation valves cannot be closed and the frequency of small LOCAs will be estimated as
.02 for these support states. This conservative assumption is not believed to have a significant impact on the results.
3-8
= . .
h 1 -
3.1.3 Issues of Importance to the NRC In their instructions for this review, the NRC listad certain issues which were of concern to them. They wanted to know in what way these issues were treated in the PSS. Some of those issues were either treated or should have been treated in the initiati1g event analysis. This section discusses those issues.
3.1.3.1 Issues Directly Included as Initiating Events A number of the issues of concern were directly included in the analysis as initiating events. This was done in one of two ways. Some of the events became specific initiator classes. Other events were subsets of other i initiator classes and were therefore included as contributors to those classes. Whenever a comment in parentheses refers to "now..." it means that the event in question has been regrouped into one of the two new initiator classes discussed in Section 3.1.1. The events which become initiator classes are:
4 o Loss of DC Power o Loss of Instrument and Control Power o Steam Generator Tube Rupture
, o Loss of Service Water a TurbineTrip(nowdividedbetweenLossofPCSandPCS available) o Loss of Main Feed (now part of Loss of PCS)
Theeventswhichweresubsetsofanotherinitiatorclass(andwhich class)are i
o LossofComponentCoolingWater(LossofMainFeed) o Reactor Coolant Pump Seal Failure (Small LOCA) o BoronDilution(CorePowerExcursion,nowPCSavailable) o Excess Feedwater Flow (Primary / Secondary Power Mismatch, now Loss of PCS) o LossofInstrumentorControlAir(TurbineTrip,nowLossof o PCS) 3-9
- G 3.1.3.2 Loss of Component Cooling Water (CCW) t J
, Although this event was treated as part of another initiator class, further discussion is warranted. The CCW system.has been shown to be a significant dependency in previous PRAs because it usually serves to provide cooling to many key components and systems. At Millstone, however, the design is very different: first, Millstone has two CCW systems, one for the turbine plant (TPCCW) and one for the reactor plant (RPCCW); second, neither CCW system provides cooling to any safety related equipment. Unlike other designs, essential cooling to the safety related equipment is provided directly by the service water system without the use of an intermediate loop.
The TPCCW cools a number of components in the secondary cycle, but no safety related equipment would fail due to loss of this system so that this event has no effect worse than any loss of PCS event. The RPCCW likewise cools a number .
t of components in the primary system, but also likewise, no safety related equipment would fail due to loss of this system. Therefore, this event has no effect worse than any PCS available event.
3.1.3.3 Multiple Instrument Tube LOCA Below Core Level
- The PSS does not treat this event. It does treat the single tube LOCA as a special class of small LOCA. Since the small LOCA category ranges up to a _
two-inch equivalent diameter break, multiple breaks would still fall generally into the small LOCA class. However, no specific analysis was pecformed to determine if the behavior of multiple tube rupture events was essentially identical to the single tube events. This event has r.ot been modeled in previous PRAs, and it is beyond the scope of this review to perform a detailed analysis of these types of events. .
3.1.3.4 Pipe Breaks in the Auxiliary Building This class of events, as well as pipe breaks in all other plant areas, was evaluated in the external events portion of the PSS in the analysis of internal flooding mechanisms. Our review of these events is discussed in Section 4 of this report.
3 - 10
!T .
3.1.3.5 Loss of Ventilation in the Auxiliary Building Loss of ventilation events are not treated as initiators in the PSS. In general, previous PRAs have not considered these events as initiators. This approach is considered to be reasonable since ventilation losses to specific plant areas are not likely to result in plant trip and degradation of mitigating systems in ways not foreseen by other initiators. It is our judgment that the omission of this event as an initiator does not affect the study results.
References l
t l
o 3 - 11
1
- (
Table 3.1.1 Internal Initiating Events for Millstone Unit 3 ,
EVENT CLASS EVENT NAME G
1 Large LOCA 2 Medium LOCA 3 Small LOCA 4 Steam Generator Tube Rupture ,;
5 Steam Line Break Inside Containment 6 Steam Line Break Outside Containment 7 Loss of RCS Flow 8 Loss of Main Feedwater Flow 9 Primary to Secondary Power Mismatch 10 Turbine Trip 11 Reactor Trip 12 Core Power Excursion 13 Spurious Safety Injection 14 Loss of Offsite Power 15 Incore Instrument Tube Rupture 16 Special Large LOCA Initiators
- a. Interfacing Systems LOCA
- b. Catastrophic Reactor Vessel Rupture 17 Loss of a Single Service Water Train 18 Loss of a Single Vital DC Bus 19 Total loss of Vital DC Power 20 Loss of Vital AC Bus 120-VAC-1 or 120-VAC-2 21 Loss of Vital AC Bus 120-VAC-3 or 120-VAC-4 l
3 - 12
m n -
Table 3.1.2a PCS Available Transients for Millstone Unit 3 EPRI NP-2330 FREQUENCY Event No. TRANSIENT NAME (PERYEAR) 1 Loss of RCS Flow .39 2 Uncontrolled Rod Withdrawal .02 3 CRDM Problems and/or Rod Drop .65 4 Leakage From Control Rods .02 5 Leakage in Primary System .08 6 Low Pressurizer Pressure .03 7 Pressurizer Leakage ,
.01 8 High Pressurizer Pressure .03 11 CVCS Malfunction - Boron Dilution .04 12 Pressure / Temperature / Power Imbalance .16 13 Startup of Inactive Coolant Pump .00 14 Total Loss of RCS Flow .03 15 Loss or Reduction in Feedwater Flow (1 loop) (50%) .94 17 Full or Partial Closure of MSIV (1 loop) (50%) .12 19 Increase in Feedwater Flow (1 loop) (50%) .35 -
23 Loss of Condensate Pump (1 loop) (50%) .04 26 Steam Generator Leakage .04 27 Condenser Leakage _ .05
( 28 Miscellaneous Leakage in Secondary Systems .08 33 Turbine Trip, Throttle Valve Closure, EHC Problems 1.38 34 Generator Trip or Generator Caused Faults .38 36 Pressurizer Spray Failure .04 37 Loss of Power to Necessary Plant Systems (50%) .05 38 Spurious trips - Cause Unknown .14 39 Automatic Trip - No Transient Condition 1.55 40 Manual Trip - No Transient Condition .62 1
Total - PCS Available Transients 7.24 3 - 13
__- . _ ,__ -_. ._ _ _ ._. _ _.._. _._.-_ ,. _ . _ , _ .~. _ _ . _ _.~
_ .--.. - - - -- n . . . . -
. . _ _n_ -n
- C Table 3.1.2b Loss of PCS Transients For Millstone Unit 3 EPRI NP-2330 FREQUENCY Event No. TRANSIENT NAME (PER YEAR) 4 10 Containment Pressure Problems .01 15 Loss or Reduction in Feedwater Flow (1 loop) (50%) .94 16 Total Loss of Feedwater Flow (all loops) .15 .
17 Full or Partial Closure of MSIV (1 loop) (50%) .12 18 Closure of all MSIV .03 19 Increase in Feedwater Flow (1 loop) (50%) .35 20 Increase in Feedwater Flow (all loops) .01 ,
21 Feedwater Flow Instability - Operator Error .15 22 Feedwater Flow Instability - Misc. Mechanical Causes .21 23 Loss of Condensate Pump (1 loop) (50%) .04 24 Loss of Condensate Pumps (all loops) .00 25 Loss of Condenser Vacuum .20 30 Loss of Circulating Water .06 31 Loss of Component Cooling .00 37 Loss of Power to Necessary Plant Systems (50%) .05 Total - Loss of PCS Transients 2.32 l
o 3 - 14 l
- _ - _w - -
_.~.
l Table 3.1.5 Internal Initiating Event Frequencies for Millstone Unit 3 (Frequencies in Events Per Reactor Year)
EVENT FREQUENCIES POINT EST.
EVENT ,
EVENT NAME P55 Mean PS$ Median Point Est. SOURCE CLASS N
1 Large LOCA 3.88E-4 1.4E-4 IE-4 ANO-1 IREP 2 Medium LOCA 6.11E-4 , 2.56E-4 X-4 ANO-1 IREP 9.07E-3 2.3X-3 10-3 Section 3.1.2.8 t 3 Small LOCA 4 Steam Generator Tube Rupture 3.92E-2 1.3X -2 4E-2 Section 3.1.2.2 Steam Line Break Ingide Containment 3.88E-4 1.4E-4 4E-2 Section 3.1.2.3 5
3.78E-2 1.4E-2 IE-4 EPRI NP-2230 6 Steam Line Break Outside Containment 7 Loss of RCS Flow 4.91E-1 3.26E-11 7.29E-1 4.77E-1 i '
7.24* j 8 Loss of Main Feeduater Flow 9 Primary to Secondary Power Nismatch 3.83 2.53 Section 3.1.2.4 10 Turbine Trip 2.33 1.99 l 2.32 " ;
11 Reactor Trip 3.03 2.32 i 12 Core Power Excurston 7.18E-2 2.17E-24 4.99E-2 1.83E-2 6E-2 EPRI NP-2230 13 Spurious Safety injection 14 Loss of Offsite Power 1.1E-1 9.23E-2 1E-1 Section 3.1.2.5 15 Incore Instrument Tube Rupture 9.2E-4 4.37E-4 4E-4 Section 3.1.2.6 16 Special Large LOCA Initiators
- b. Catastrophic Reactor Vessel Rupture X-7 1E-7 IE-7 WASH-1400 17 Loss of a Single Service Water Train 1.27E-2 7.23E-3 IE-2 EPRI NP-2230 18 Loss of a Single Vital DC Bus 3.91E-3 2.79E-3 1.8E-2 ANO-1 IREP Total loss of Vital DC Power 1.4E-8 9.91E-9 ANO-1 IREP 19 20 Loss of Vital AC Sus 120-VAC-1 or 120-VAC-2 6.15E-2 1.72E-2 3.5E-2 AN0-1 IREP 21 Loss of Vital AC Bus 120-VAC-3 or 120-VAC-4 6.15E-2 1.72E-2 3.5E-2 ANO-1 IREP
- PCS Available Transients
"" Loss of PCS Transients l
l 3 - 15
_,y
__m ._ . . _ .m - . .- - . m. my -
g i
3.2 Event Trees The MP3 PSS constructed 22 event trees to represent plant response to the l initiators discussed in Section 3.1. We have reviewed these' trees to determine if they are a reasonable representation of that response. The assumptions which went into the tree construction were compared to assumptions used in previously performed PRAs. Where,there were notable differences, these differences were evaluated to determine if they were reasonable. Each of these differences is discussed in this section. Additionally, a number of issues of specific interest to the NRC were also examined.
3.2.1 General Event. Tree Findings This section presents the results of our evaluation for items which
- pertain to more than one event tree.
i 3.2.1.1 Treatment of Operator Action i
The event trees were constructed by including major operator actions as events on the trees. The inclusion of these actions for the purpose of crediting successful operator response to the mitigation of accident
! conditions was performed in a consistent and correct manner. However, the
, possibility of erroneous operator action due to incorrect interpretation of plant conditions was not treated. In particular, this pertains to the operator performing one of the major actions modeled during a sequence of events when the operator action is not required. Since these actions are called for in procedures, it certainly seems to be possible for this type of error to occur. For most of certainly seems to be possible for this type of error to occur. For most of the operator actions modeled, this is not a' problem since they involve backup methods of performing safety functions.
Performing these actions when they'are not required would not degrade performance of the function. However, there are two actions which involve shutting down or reducing flow from safety systems. Performing these actions at the improper time could result in a situation where there is insufficient core cooling. Thus, it was considered necessary to include two additional l actions on the event trees. e 3 - 16
o Operator Action OA-2-E, Improper Throttling of HPI: The operator has determined that he can conserve RWST inventory by reducing HPI flow. In performing this action he does not correctly l
determine how far he can throttle HPI, and he throttles it back too far resulting in insufficient injection flow. He fails to notice this in time and thus does not recover his error, ]
resulting in core melt. He also overrides quench spray l actuation to further conserve RWST inventory, resulting in the sprays being unavailable. This arror is applicable to Small LOCA and Incore Instrument Tube Rupture events. The event trees have been modified to incorporate this new event.
Figures 3.2-1 and 3.2-2 show the original trees from the PSS, and Figures 3.2-3 and 3.2-4 show the revised trees.
o Operator Action 0A-6-E, Erroneous Shutdown of HPI: The operator believes that a Spurious Safety Injection event has occurred -
and that auxiliary feedwater is operating. Following procedure, he shuts down the HPI system. He fails to notice his error in time and a core melt results. This event applies to the Spurious SI and Steainline Break (inside or outside -
- containment) events when auxiliary feedwater has failed, and also to a misdiagnosis of Small LOCA, Incore Instrument Tube Rupture, and Steam Generator Tube Rupture events. The event trees for these five initiators have been modified to incorporate this new event. These are shown, respectively, in Figures 3.2-10, 3.2-6, 3.2-3, 3.2-4 and 3.2-5.
3.2.1.2 Use of Secondary Depressurization The Millstone 3 PSS assumes that it is possible to provide safety injection during small and medium sized LOCA events when HPI is unavailable by 4
depressurizing the secondary and using Low Pressure Injection (Event 0A-1).
3 The phenomenology assumed is that by opening the secondary atmospheric relief valves, the increased heat removal rate will depressurize the primary sufficiently to allow the accumulators to inject, which will reduce pressure further until it is below the RHR pump discharge shutoff head. This method ,
3 - 17
_ d has not been credited in previous PRAs. However, calculations by Westinghouse published in WCAP-9754 have shown that this method will work and they have included instructions on performing it the Emergency Procedure Guidelines for this type of plant. This technique is considered viable, and we have no reason to believe that th'e Westinghouse calculations are incorrect. Thus, credit for this scenario is assumed to be justified. g 3.2.1.3 Availability of the Power Conversion System No credit is taken in the PSS for cooldown following plant trip using the .
l Power Conversion System (PCS)*. The assumption made is that whenever a plant trip occurs, the PCS will be caused to trip. Previous PRAs have determined that for some transients, the PCS will be available to provide the necessary cooling. Discussions with Millstone 3 operations personnel have verified that ,
- the PCS will often be available following plant trip. Not taking credit for
- this capability is a conservative assumption which will result in an overestimation of risk for these transients which do not affect secondary systems operation. A revised transient event tree is shown in Figure 3.2-7 to represent plant response to transients where the PCS remains available. The transients which fall into this class were discussed in Section 3.1.
The loss of feeawater event tree from the PSS shown in Figure 3.2-8 can be used to evaluate the loss of PCS events. This tree would be used not only to evaluate the event class referred to as loss of PCS, but also all other transient event classes which result in loss of PCS. In this case, these would be all of the other transient events included in the study (e.g., loss of offsite power, loss of service water, loss of an electrical bus, etc.).
3.2.1.4 Containment Spray Recirculation The PSS dces not consider that core melt may result from the failure to i provide containment cooling during recirculation. Previous PRAs have assumed 1
- The power conversion system is defined as the main steam, turbine or turbine
- bypass, main condensor, condensate, and feedwater systems operating at sufficient capacity to remove primary heat. -
l 3 - 18 L
_ .~ . .a . . w- - =:
l l 1 that even when core recirculation cooling is provided, in many cases it is still necessary to provide containment spray recirculation (CSR) in order to prevent containment overpressure failure. The failure of the containment in this way would result in recirculation sump steam flashing with associated cavitation and failure of all recirculation pumps, result'ng in core melt.
The PSS assumes that core recirculation alone is sufficient to prevent the addition of heat (i.e., steam) to the containment in amounts significant enough to cause containment rupture. This assumption was initially considered unjustified for sequences where all the heat is dumped to the containment prior to being transferred to the ultimate heat sink. However, NUSCO provided
- the reviewers with additional MARCH 1.1 calculations in response to questions about this scenario. These calculations showed that containment pressure would not exceed design for at least 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> for both large and small LOCAs with core recirculation and no sprays at all. The calculations were considered to provide adequate justification for the assumption, and no changes were made to the event trees. -
3.2.1.5 Primary Bleed and Feed (Once Through) Cooling In scenarios where auxiliary feedwater is needed for heat removal but is i unavailable, the PSS considers providing the necessary cooling by opening the primary power operated relief valves (PORVs) and using high pressure injection pumps to supply sufficient cooling flow to the core. This technique, referred to as bleed and feed, or once through cooling, has been determined to be a reasonable cooling method for certain PWRs. It has been shown not to apply in every case. In the case of Millstone 3 class plants, Westinghouse has j performed analysis which shows this method to be viable. The analysis has i been published in WCAP-9744. Westinghouse has included bleed and feed in the Emergency Procedure Guidelines for implementation in the plant procedures. It j is concluded that the credit taken in the Millstone 3 event trees for this cooling method (OA-3 for small I.0CAs and steamline breaks, OA-7 for transients) is appropriate.
~
3 - 19'
l 1
_. h 3.2.1.6 Conserving of RWST Inventory For small LOCAs and incore instrument tube rupture initiators, the PSS takes credit for the operator taking action to conserve RWST inventory when both high pressure injection and auxiliary feedwater are available, thus ,
extending the injection phase of the accident. This action, referred to as Controlled Primary Depressurization (OA-2), has the operator throttling back HPI in conjunction with depressurizing the secondary, which will reduce break flow and therefore the need for HPI flow. Further, the operator will act to shut down quench spray to further conserve RWST inventory. The combination of these two actions is assumed in the PSS to allow the cooldown of the core without the need for recirculation.
This action has not been credited in previous PRAs, and appears to be a somewhat optimistic view of the scenario. While the break flow is reduced, it
( is not apparent that the break flow can be terminated by this means.
j Therefore, although the injection phase can be ext' ended the need for
.I' recirculation is not completely eliminated. .This is especially true of the instrument tube rupture event, which would logically be expected to be below the core level so that it would be impossible to stop the break flow. At some point, the RWST will be depleted and reciroslation will be required to replenish the continued leakage from the break. The utility supplied additional information regarding this scenario, but it is insufficient to l
justify the sequence. The only information provided is an emergency procedure guioeline (EPG) which instructs the operator on how to perform this action.
The procedure by which this action is performed is very complex, and the EPG contains a number of caveats which indicate that there is no guarantee that recirculation can be avoideJ. Specifically, the EPG instructs the operator to abandon this procedure and switch immediately to recirculation if the RWST level reaches a certain point. It also instructs the operator to return to the LOCA procedure if certain conditions are not met. N6 csiculations were referenced which support the time frames specified by the utility regarding the extension of the injection phase beyond 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. Thus, it is considered that the only credit which is justified for this action is an extension of the time available for other operator actions and recovery actions. Therefore, l
3 - 20 ;
= - a l
the applicable trees, which are shown in Figures 3.2-3 and 3.2-4, have been modified to reflect the eventual need for recirculation during these event sequences.
l l
3.2.2 Specific Event Tree Findings ,
l This section presents review results applicable only to specific event trees.-
3.2.2.1 Steamline Breaks (Inside or-Outside Containment)
For stesmline breaks, the PSS assumes that the failure of main steam isolation (MSI) results in the failure of auxiliary feedwater. The basis for this assumption is unclear, and there seems to be no reasonable explanation for it. In most previous PRAs, main steam isolation has not been assumed to have any affect on the availability of safety systems and was considered only as a key part of the containment isolation system. In the case of auxiliary feedwater, the worst one could assume is that the failure of MSI could affect g
the availability of the steam turbine-driven AFW pump due to steam diversion, although this would be unlikely since very little steam is required to operate i this pump. Specifically, for the most likely break, a stuck open secondary steam relief valve, the flow diversion would be small enough that the steam i supply to the turbine wculd still be sufficient to provide the required feedwater flow regardless of the state of MSI. For the less likely case of a if none of the steam generators were isolated from the break. In either case, I
the ability of the motor-driven pumps to supply water to the steam generators would not reasonably be expected to be affected. As long as water is supplied in sufficient amounts, cooling will be established regardless of main steam isolation. This assumption is conservative and unjustified. The steamline break trees shown in Figure 3.2-6 have been modified to reflect this judgment.
3.2.2.2 Steam Generator Tube Rupture (SGTR)
The PSS gives credit for three alternate methods of cooling following SGTR if either high pressure injection or auxiliary feedwater are unavailable.
]
3 - 21
_ 4 Each of these methods requires operator action. When auxiliary feedwater is
- unavailable, the necessary cooling is provided by initiating bleed and feed .
i cooling as discussed in Section 3.2.1.5. When HPI is unavailable, it is required to find alternate means of maintaining primary inventory while AFW is
~
utilized for heat removal. One way to do this is to prevent inventory loss, as opposed to replenishing lost inventory. The PSS assumed this could be 4 accomplished in one of two ways. The preferred method is to use secondary _
depressurization to reduce the primary pressure to below that of the secondary
, in order to terminate the break flow (OA-4). Failing that, the primary could be depressurized directly by opening a PORY (OA-5), with the same overall j effect. The key to the use of these methods is performing the action quickly
-enough so that the break flow is terminated prior to core uncovery, thus eliminating the need to replenish inventory. If this is accomplished, cooling i can be performed by auxiliary feedwater through the unaffected steam l generators. These methods have been analyzed by Westinghouse and found to be viable, and they have been included in the Emergency Procedure Guidelines.
The credit given to these procedures in the event tree are considered to be reasonable and justified.
f Another assumption the PSS makes is that if HPI and AFW are both available following a SGTR Event, the event is terminated successfully without further action. This does not seem reasonable, since the primary would be kept at high pressure by the HPI pumps, and water would continuously be pumped out of the RCS and into the steam generator. Eventually, the RWST would empty with the RCS still at high pressure and no recirculation available. It seems that some additional operator action is required to gain control of the scenario following the start of HPI and AFW. Discussions with plant personnel
- indicated their agreement that some operator action is required. The
! emergency procedure guideline for this event instructs the operator to reduce pressure and terminate HPI flow. It does not imply that this is required to i prevent core melt, but is intended rather to reduce the release of primary
[ coolant (and thus radioactivity) through the secondary. The reviewers, however, consider this action to be ultimately required to prevent core melt due to pumping the entire contents of the RWST out of the containment. A new operator action has been defined to cover this case as described below.
3 - 22 I
l-_ - -
j
) -
o Operator Action 0A-10,-SGTR - Control HPI Flow: The operator takes i, manual control of the HPI flow, throttling it down to reduce the primary pressure to below the secondary pressure. When primary pressure is below secondary pressure, he terminates HPI.
Note: This action is similar to 0A-2, and therefore it is similarly accompanied by 0A-10-E, where the operator overthrottles HPI resulting in insufficient inventory.
4 The SGTR tree shown in Figure 3.2-5 has been modified to include this action.
3.2.2.3 Large LOCA The PSS assumes that high pressure injection (HPI) is sufficient to provide coolant injection for the large LOCA event. Previous PRAs have usually assumed that the HPI system is not capable of supplying this function for large breaks. Part of the reason is that these systems are usually not -
o sized to provide the amounts of flow required to replenish the coolant lost during large LOCAs.. This, however, is only a secondary concern. The major concern is that the HPI pumps are designed to provide flow against relatively high pressure. They utilize a lot of power to produce the required head.
When a pump of this type pumps against minimal or no head, as is the case for a large LOCA, the power which usually goes to overcoming the pressure at the
- pump discharge is converted to greatly increased flow. The tendency in this case is for the pump speed to increase, due to the decreased resistance, beyond the point at which the pump is still capable of drawing sufficient amounts of water through the suction lines. At this point, pump cavitation would occur and the pump would trip on low suction pressure or overspeed. If pump trips are not provided, the pumps would be destroyed. In either case, the pumps would not be able to provide coolant to the RCS. There is no reason to believe that the Millstone pumps are immune to this phenomenon, and the assumption that HPI could supply injection during large LOCAs is not I i justified. The event tree shown in Figure 3.2-1 has been modified to reflect this judgment.
O 1
3 - 23
i
~
j -
d
! In addition, the original event tree showed a decision point for event R-1, low pressure recirculation cooling in sequences where no injection )
- cooling was available. Due to the design of this plant, it is possible for
- this to occur. However, this does not change the outcome of the event, as can 1
i be seen on the tree. Regardless of the state of R-1, an early core melt still occurs. Although the presence of this decision point on the tree does not q
! impact the results of the study, it has been removed from our modified tree _l because it is meaningless.
3.2.2.4 Spurious Safety Iniection ,.
The use of operator action OA-7, primary t leed and feed, is incorrect on this tree. While bleed and feed cooling is valid for this event, OA-7 includes the unavailability of HPI in its unavailability value. The initiating event itself implies that HPI is already operating. Further, the other events on the tree, such as OA-6, assume that HPI is already operating.
! Thus, the proper event to use on the tree would be operator action 0A-3, primary bleed. This would serve to establish bleed and feed cooling. The
- modified event tree is shown in Figure 3.2-10.
3.2.2.5 Anticipated Transients Without Scram (ATWS)
We have reviewed the PSS analysis of ATWS within the context of the
! recently released NRC ATWS rule (Federal Register Notice SECY-83-293, Memo from J. M. Fenton to S. J. Chilk, 12/8/83). We have found a number of areas which we felt were improperly treated in the PSS, thus we felt it was necessary to construct a new ATWS event tree, which is shown in Figure 3.2-11. The justification for our version of the ATWS tree is discus, sed in the remainder of this section.
i The PSS took credit for operator action to manually trip the reactor if '
automatic trip failed. We believe it is valid to consider this type of j recovery, but disagree with the PSS assumption that it can be applied to all l RPS failures. We believe that this recovery can only be applied to electrical failures. Thus, we have divided RPS failures into electrical and mechanical 1
o.
3 - 24
-) -
as was done in the NRC ATWS rule (2E-5 and 1E-5 failure probability, respectively), and applied the operator recovery event RT3 to the electrical )
failures only.
t We than considered the occurrence of turbine trip as was done in the PSS. This was used to determine two things, the probability that very high pressure resulting in core melt would occur and whether there would be additional stress on the primary relief and safety valves. The PSS considered
! that the probability of extremely high pressure (represented by the event PL, which the ATWS rule refers to as event MTC) was the same for all cases. The NRC rule concluded that this was dependent on the occurrence of turbine trip.
We believe that the NRC position is more reasonable, and thus have used their position and values for this event (0.01 with turbine trip, 0.1 without turbine trip). The PSS also assumed that even when this extreme overpressure occurred, that it was still possible to prevent core melt. The NRC rule concluded that whenever extreme overpressure occurred, defined as exceeding Service Level C, core melt would result. While this is likely to be conservative, the uncertainty of RCS performance at these pressures _ leads us to conclude that this is the most reasonable assumption to mafe at this time.
Thus, all sequences on our tree where PL fails are core melt sequences.
4 l The PSS also assumes that it is possible, depending on plant conditions, to mitigate an ATWS with either auxiliary feedwater or high pressure injection. In sequences where auxiliary feedwater succeeds, the PSS simply
}
i ends the event with success. In the sequences where the initial power level
] is less than 25% or the moderator temperature coefficient is more negative than -5pcm/*F, and auxiliary feedwater is unavailable, the PSS assumes that it
{ is possible to effect reactor shutdown and cooling by using emergency boration
{ with PORVs locked open. This would provide boration to shut down the reactor simultaneously with bleed and feed cooling. This method has not been considered in other PRAs, and appears questionable since we wonder how much coolant can be pumped in under the conditions which would be present and how l l long it would take to effect the shutdown. This assumption takes an
! inordinately large amount of credit for the ability of HPI to provide flow at reactor pressure. It would seem that at best only the charging pumps would be i
capable of pumping anything at all, as the pressure should be too high for the 9
3 - 25 i
...-..r.,,_,. . _ _ , _ . _ _ - - - _ - , . - , _ _ . _ _ _ , _ , . . . , . . . . _ . . _ . , _ _ _ . _ _ _ _ . - . , , , , , . . _ . . _ . . _ _ _ _ _ . _ , _ _ _ _ _ . . . - . _ -
-m. _ a-
.~
i safety injection pumps. Also, there would be much greater amounts of heat to' be removed through the PORVs with makeup flow than for a normal bleed and feed scenario. It is not clear how this heat can be removed and the reactor shut
, down under these conditions without assistance from the auxiliary feedwater j system. The NRC rule states that both auxiliary feedwater and HPI are always required. It is our feeling that the NRC rule is again more realistic, since 6
-in all cases HPI/ emergency boration will eventaully be required to effect reactor shutdown, although this will not be required for a long time period unless there is a LOCA. Thus, our tree reflects the need for both systems to mitigate an ATWS (events AFl and 0A8). /
It was previously mentioned that the failure of turbine trip would affect the stress on the primary relief and safety valves. This is dealt with by
- using the PSS event PR for those sequences where turbin,e trip fails and ,
,i extreme pressure does not occur (event PL succeeds). This event changes the time frame for the need for HPI (event 0A8). As discussed above, 0A8 is
, normally not required for a long time period (> 60 mins. is a sufficient definition for the purpose of quantifying the operator error probability).
However, if a LOCA is present this time frame would be shortened to on the order of 20 minutes since a constant coolant loss would be taking place.
Event 0A8R represents this shortened time frame on the event tree. It is important to note that no mention was made of small LOCAs resulting from j relief valve failures when this additional stress is not present, i.e.,
resulting from the normal opening of the valves at the start of the event.
l That is because the PSS deals with the cause of LOCA directly on each l
initiator event tree prior to considering ATWS, and then branches to the small i LOCA event tree where ATWS is considered to be a core melt. This conservative assumption has no effect on the results and thus we determined that it would not be necessary to modify it.
l The remaining events in our tree are concerned with long term cooling.
They are modeled in the same way as other trees depending on whether the sequence resembles a transient or a LOCA. This is because once the initial I phase of an ATWS is over, the remainder of the sequence behaves like any other accident. The completed tree is shown in Figure 3.2-11.
o 3 - 26
i .
Sununary of Assumptions for ATWS Event Tree
- 1. RT3 operator recovery only applied to electrical RPS failures.
- 2. Turbine trip success / failure determines probability of extreme overpressure.
- 4. Turbine trip failure causes additional stress on primary relief valves (need to consider event PR-52).
- 6. If no LOCA (PR-S2 not considered or PR-52 success) need for HPI is long term (> 60 min.). If LOCA, need for-HPI is short term (-20 min.).
- 7. HPR required for LOCA only.
- 3.2.3 Issues of Importance to the NRC In their instructions for this review, the NRC listed certain issues which were of concern to them. They wanted to know how these issues were treated in the PSS. This section discusses the issues which affect the event tree analysis.
3.2.3.1 Recirculation Purap Seal Failure During Station Blackout This event is explicitly considered on the loss of offsite power event tree for support state 7. It is included in the frequency of consequential S2 LOCA and the failure probability has different values related to the length of the blackout: for less than one hour P(SW) = .0858, from one to two hours 3 - 27
.(
~
P(SW) = .164, and for greater than two hours P(S2) = 1.0.* In the PSS section on recovery, credit is taken for the capability of the seals to hold out even ;
longer, such that the probability of core uncovery in under 6.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> is only 2 percent (P(S2) = .02). The method of-treating this event is considered satisfactory, however the review of the quantification indicates that the values used are optimistic. The PSS obtained the initici values by apolying 4 the standard exponential failure rate equation, using a failure rate obtained from a Westinghouse internal letter. This information was not available to us, but the results obtained contradict the present NRC position on RCP seal failures, which is that Westinghouse tests performed through june 1983 have ,
failed to confirm the ability of the seals to survive, although they agree that there is insufficient information for a final judgment. The method utilized in the PSS to justify the 6.5 hour5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> number appears inappropriate and arbitrary. It is stated in the PSS that 8 incidents of loss of seal cooling ,
i ranging in duration from 2 minutes to 65 minutes have occurred at operating nuclear plants without a seal failure. This is said to represent 66 0-ring hours without a failure. They also include tests on mainloop stop valve 0-rings, which they say are sufficiently similar, to bring the total to 186 0-ring hours without failure.
This treatment is considered to be completely unjustified. First, the inclusion of the stop valve 0-ring experience is unfounded. These 0-rings and their application are similar only in that they see the same temperature and pressure and are nominally of the same material. This is insufficient-justification for including them in the data base. Second, describing the RCP 0-ring data as "66 hours7.638889e-4 days <br />0.0183 hours <br />1.09127e-4 weeks <br />2.5113e-5 months <br /> without a failure" is simply wrong. This implies that data for 3 0-rings without cooling for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> each is the same as data
! for 1 0-ring without cooling for three hours. This treatment is then used to justify a distribution which will be used to quantify failure of 0-rings due to continuous loss of cooling. Since the whole problem of seal failure is based on continued exposure to heat and pressure without cooling, this type of
- The PSS calculated other numbers in addition to these, including a probability for the time period out to four hours. However, the values shown here were actually used in the initial quantification.
O 3 - 28
I i
analysis cannot be used. The fact is, no seal has survived such exposure for
. longer than 65 minutes without failure, and there is no reason.to believe that
-it is possible for a seal to survive for as long as 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> without failure.
The probability of seal failure in the 1 to 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> time frame should be consideredascertainty(P(S2)=1.0). Thus, a LOCA will occur if offsite power is not recovered after one hour without cooling. However, it is !
believed justified that core melt can be averted if power is recovered and HPI restored within two hours. This essentially eliminates sequence #11 on the Loss of Offsite Power (Support State 7) event tree (see Figure 3.2-9) since its probability goes to zero. This leaves the problem of determining a value to use for the probability of seal failure in the first hour. Utilizing the l Chi-squared zero failure technique used in IREP (see e.g., Millstone 1 IREP, NUREG/CR-3085, Chapter 4), it can be stated that the value lies somewhere I
between the zero failure value based on 8 trials (the number of loss of cooling events, and the value based on 1 trial (the number of events actually lasting 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />). These values are:
, P(S2(8)) = ((1/8)*l.386)/2 = .D9 s
and, P(S2)(1)) = ((1/l)*1.386)/2 = .7 For the purpose of the simplified requantification contained in this l
review, a simple average of these two numbers is taken to represent a reasonable approximation of the probability of seal failure in the first hour of loss of cooling, i.e., P(S2) = .4.
One additional modification to the event tree is required due to the
] consideration of RCP LOCA. The long term blackout sequences numbered 21-23 I should result in plant damage states SEC, SEC', and SE rather than TEC, TEC',
and TE as shown in the PSS. In these sequences, secondary cooling is available and the RCS is initially intact, which would normally result in a
! success sequence. Core melt results only because the extended blackout causes an RCP seal LOCA, so that the small LOCA plant damage states are appropriate.
The similar sequences numbered 43-48 remain assigned to the transient plant damage states because core melt in these sequences results from the lack of secondary cooling, regardless of the eventual occurrence of an RCP seal LOCA.
i 3 - 29
_.m_.__--_. _ . -- -
_ _ - ~
i
- (
3.2.3.2 Depletion of DC Batteries During Station Blackout ,
This event is included implicitly in the loss of offsite power event tree for support state 7. For events where the blackout lasts longer than two hours, a core melt is assumed. However, recovery of quench spray is considered as a means to reducing consequences. This recovery is limited to 4 the time period from two to eight hours, which corresponds to the estimated eight hour lifetime of DC batteries. Limiting the recovery of quench spray to eight hours therefore implicitly deals with the depletion of DC batteries in
- that time frame.
3.2.3.3 Pressurized Thermal Shock i
The PSS does not deal explicitly with the issue of pressurized thermal ,
shock, although sequences resulting in this event are included in the event trees. For example, sequence #2 on the spurious safety injection and
_ steamline break (inside and outside containment) trees, where the operator f ails < to control- HPI (OA-6), are pressurized thermal shock events. The PSS considers these sequences to be " success" and does not carry the analysis any further. Since the sequences exist it is possible to calculate the frequency
- of PTS from these 3.2-27 trees. However, the probability of core melt given PTS is not straightforward, and is not described in the PSS. It is beyond the scope of this review to attempt to determine this probability, so that only the frequency of PTS events can be determined from the PSS and not the frequency of PTS induced core melt.
3.2.3.4 Steam Generator Tube Rupture (SGTR) With Stuck Open Secondary Steam Relief Valves (SRVs)
This event is modeled directly on the SGTR event tree as the steam leak event. It explicitly models instances where the occurrence of a steam leak precludes preventing core melt. Also, in sequences where a core melt would occur regardless of the presence of a steam leak, the tree differentiates in the plant damage state. A core melt in conjunction with a steam leak will always result in an interfacing systems LOCA plant damage state, whereas
< without a steam leak the result will be either a transient or small LOCA plant c damage state.
3 - 30
~
3.2.3.5 Anticipated Transients Without Scram (ATWS)
The analysis of ATWS is handled explicitly on its own event tree as a l consequential event following each of the initiator classes. Each of the !
event trees for the various initiators has a branch for failure to scram which transfers to the ATWS tree.
3.2.3.6 Stuck Open Primary Safety / Relief Valve (S/RV) l The stuck open S/RV is dealt with explicitly on each non-LOCA event l
tree. It is included in the frequency calculation of consequential S2 LOCA
- j. and results'in a transfer to the small LOCA event tree whenever this branch occurs. The PSS uses a value of 3E-5 for the occurrence of this event.
This.value is based on three factors: (a) that the valves are demanded, (b) that at least one valve sticks open, and (c) that the operator fails to recover by closing the appropiate PORV block valve. The values used for these parameters have been. reviewed and found to be reasonable, thus.the ultimate, value used is valid except for ATWS_and total loss of all feedwater. 'In this .
situation, the only way to pre $ent core melt is to utilize feed-and-bleed, which would require the PORVs to be open anyway. The treatment of ATWS pressure relief on the ATWS tree, while being somewhat out of sequence, adequately represents the overall scenario of concern and thus no overall improvement on the answer would be attained through further modifications to the tree.
References d
.O 3 - 31
f.: . ?'! I!lll! ll l P .,
I 1 ,1 f
S S .
S S E E C - C -
C U c c S C" ce C e S aaS M% E
( f A A E f t n A A uE t A A i as8 5 6 3 4 . 1 S eo8 2 1 1 8 I s a2 2 3, _
,' x' 1" i' 3
3 nI e
S e
O r T
- t n
e _
v E
A C
O L
- t e
e g
e r p
L a
L 1
C -
C 2 4
3 e
r u
g i
4 F I
n
- m wI wsu
e . . .
3 ==
. U. B .B. . .
ao o.
IWWIoWWIougoWW.WWWWWWWWWW
- en eeneee-un,..~..e l
-- --- --- n Pt e
o E
== m. -- -- -- --
.4 o
g f" P=
0 0 CM CK L.
m W
< e y C"
W LL8 auf
. a b a
h S
- N I
N O, M 4 b s
3 CD
.e-1 M
M e-N e.
b a
t i
en t
3 - 33 1
r I . . . - . .- . ._. - - - -.- - - - - - -
-w - -- -
1 1
ria att S4 ftP2 AFI -
042 Os a2 a-3 Eontinued on Sheet 2 e
2 success j ,
3 Rc j
- l 4 me-s success l
, e sic' s
F st, e sucerss e sLe OA 3 l i io ste-ea succiss i w , la sic-u 33 st w se sec A l is we-as st R-1 er success OA 1 '
i is ste-R-1 ao success n as ste-i as st
, 23 sEc 24 sic' 2s sf
, a we er we-I as sr as sr
, M we si u c-32 sE
{
Figure 3.2-3 Small LOCA Event Tree (Sheet 1 of 2) 1 I
o ._ m
o 0A-6-E 0A-2*E QS R2 R3 1A Success 1B SLC 1C SLC' 1D Success 1E SLC" I
i 1F SL i
1G SEC
) u, From Sheet 1 1H SEC' i
' 11 SE 4
Event 0A-2 1J SEC i 1K SEC' IL SE 1
i Figure 3.2-3a Small LOCA Event Tree (Sheet 2 of 2) ,
ris .,4 s. .,2 u. ou os o.. .-2 a.3 Continued on Sheet 2 i 2 success j
. 3 ne l
l 4 sic'
- s sucetss e sLc-4
=
, esL 1 - 9 sWCLE55
! se ac
' l OA 3 e n sLc'
= *82 SUCCESS
) ,
53 sLC' j
n' e4 S*L IS S*L, w ,
se SEC 8 ,
ST SEC'
, u le S*E
- , N"I 19 SUCCESS I # #c i .
i OA 1 =
2i ac-D.1 22 SUCCESS j
- 23 nC*
- u. 34 3't 23 S'L 26 SEC af SEC' 29 S*E M MC e =
30 SEC*
31 S'E l 32 S*E 33 sEC !
{ ,
34 SEC' l i 3S S r 1
I l
Figure 3.2-4 Incore Instrument Tube Rupture Event Tree (Sheet 1 of 2) {
t
. 4 I .l l l, O ^ ^ L .a. ___A____
e s
OA-6-E DA-2-E QS DA9 R2 R3 1A Success 18 SLC l IC SLC'
- _ _ - 10 Success
- 1E SLC" I
i 1F S'L 1G S'l 1H S'EC
- w i l
From Sheet 1 .
n II S'EC' w
" Event 0A-2 1J S'E i , _
1K SEC
- IL SEC' i 1M S'E i
l l
?
l i .
Figure 3.2-4a Incore Instre:nents Tuba Repture Event Tree (Shee: E of 2)
usw s e-Ll4 til 4 DM lif'E ni (. Un't , gs ... -
DA 10 g4 Suag,g
- 0A 6E , is TA<-
l
- / C TL c. '
JD TL l L* V% LL r N I F v r a. c.!
l& vsL a IH VtGL l
lL V1. $W 17 vsL J SUCCESS J *iLC 4 RCf 1 Sucerss 6 RC#
i i i 7g e sucrfss e
9 v2LC 10 WJLC' il SUCCf$$
12 V 2L C
e3 th i 14 IEC 15 ffC8 -
w .
l .. er 3 IP v2EC
. t 10 V2fCe 89 126 l I 20 SUCCESS !
- 28 F2fC I 2J v2(C /
J3 W2E OA 5 25 V2[C i 26 V2EC8 , l 2F v2E l 29 V7EC j
'20 W2EC' ;
Jo V2C 31 IEC (
J2 ffC' '
JJ IE ,
34 V2EC 35 V2fC' M WM .
}
3F st 6 38 SEC 30 SEC' so se i figure 3.2-5 Steam Generator Tube Rupture Event Tree j
i t
i i e " ' 'I '
.________O..
~"
./ s/
i l
l l
l
- ris sa es. s. ,, ,, . 0A3 ,, ,,, ,,,
! , e sucers:
d suter:5
, J flHCets:
- I , e me
' s ke-1 i , 6 sdCffss OA6E ~l , -' SC-es
. , s rFC
\
se see
, se er w
I w
e t
i , . es tre
=
ee see j
as er
- as suteess-as ses f
4 as res-i at en se er N ets
" =
as tre-
- I ,, ,,
sa sa t
Figure 3.2-6 Steamline Break Inside (& Outside) Containment Event Tree .
I ,i i . ,
q l
i
< L
.i
- i l !
i t
i !
T I
'P
.t t
t i
F
, SBl SB0 S2 R11 PCS AFI OA7 OS R2 R3
- , lA Success !
1B Success 2 success I a ut b) '
4 SLC* I e s succt$s a ,
S SLC* !
CD a y gg
. tee ;
9 IEC' i i le if g i II AfWS i 12 52 1
13 500 14 SSR t
. i l i e
l -
l t 4
+
t i
I Fiaure 3.2-7 Power Conversion System Available' Event Tree l
s
. i I
1 l
f o < .s
^ _ A- '
as_.________. > N- -
4 4
4 %.
Y Y- Y se e et WW W uu e ue e y U U U U m *=
G.# g g w m. W. m. M S ew ,, em m a ( m m 9
+
em M #9 9 WD e& S S- S se - - N e.b a -
0%
r, Or e
1.
e p.
e
-- -- ==
41 g.
6$
w D' e
(Y of 4) m
>s L#J Y G O
1 o
er-b Q
% C#
- C)
O 1.
O
~$
O
.- CL.
> s.
o g
sn O
C d a
W 8
N e
q (b e
3 C7 r=
o e
S en S
e.
b f
5 I
1 3 - 41 l
___ j i
(!
Flo 4'I WI Ele [ I20 W3 52 OAF 08 e.2 4-3 i SUCCESS 2 SUCCESS DA 7' - -
- 4 SLC' S SUCCESS 8 SLC*
a vg 8 SEC
=
3 SEC' 40 St /
8i SUCCESS 12 SUCCESS
/ 13 SLC 7 : i4 me' IS SUCCESS le SLC*
=
ef SL IS WC 19 NC' 20 55
()g # ,
2155c 22 $ GC*
, 23 SE 24 SUCCESS 25 SUCCESS OA 7' 2F SLC*
~ -
, 29, SUCCESS
_ m ,
29 SLC* .
S ,
2 Mn
~
31 SEC
' I 32 SEC' I 33 SE 34 SUCCESS 3S SLC 36 SLC'
- 37 SUCCESS 38 SLC*
' J9 SL 40 SEC el SEC' I 42 ft 43 TEC i 44 TEC' 41 ft 05' ,
- 'EC
' 4F ftC' 40 ft 49 TEC I _ So ftt' 11 ft
$2 fte 53 TEC'
- 54 ft SS ft l l
! l Figure 3.2-9 Loss of Offsite Power (Support State 7) Event Tree 1
3 - 42 l
i l
l l
- I i
1 9
i .
l tea Sai see sa as, ,, OA6 OA3 .5 .., .., , ,,,,,,,
! a SUCCESS
, , a SUCCESS I . I ,
4 me
- s See w
a S SUCCESS
. 0A6E ,
r ste-
- w - as i fA etc .
l AA ste-
! l
- ' #4 sc 1
l , 48 tue J
4 5 ree-i I //5 is .
/dagus is sa se see is sei 4
4 I
i
.l 4
i b .
j Figure 3.2-10 Spurious Safety Injection Event Tree .i i
e
... . . . . ., ... .. ._. . - . - - . , _ . _ , - . ~ . . . _ = . . . - ~ - . . . _ . . . - , - . . . . . = - - -
. n ea, ens . :a se .<ansger . os . ea . as .
o . . . < .. . avs . er .
_ q i
a ..u..
- ssu 9 784 rsw a vs ,
y r,<.
eru*
s re i
rs=
,,su-
.s s<
e
,s s.u nr i ne ros-as ra O a u a.864
, ,a sas n
n us- -
I 3.u na
, > . s.c -
aa ss a s,c
' sWsn-ar se as voc I
- >> r,c As 78 M s8L
- s, sw
-r ,se.. :,,
, a rsa
- s, re -
y te w rac I
nsw N rf n sn
- - ,sw W Cf es s.ueu l , &J Tis r
e m-w rs M swuass 97 tea
. ,u..
wsum
, 89 SAL"
- p $L fa sse i
fJ ses.'
l n sc
- K 786
- s 3,c nn 1
se see ,
. _n see*
e se e, Figure 3.2-11 Anticipated Transient Without Scram (ATWS) Event Tree i
, , . --n,- .,,,-,--.--.,..~.-,-,-.---,..,------,,-.,-,+n.--n.---,n-3 - 44 - - - - - - - - - - - - - - - , - - - - - , , . - ~ - , - - . . - . . . - - . - . - - - - '
3 -
3.3 Success Criteria
! The success criteria used in the PSS for the functions of Emergency Core Cooling Early, Emergency Core Cooling Late, and Containment Heat Removal are shown in Table 3.3.1. Review of these criteria determined that they are for the most part reasonable. Where criteria used differed from criteria used in the past for similar reactors, examination of the bases of the criteria was undertaken to determine if they were valid. Some of these were discussed _in the section on event trees (Section 3.2). A summary of our findings for each function evaluated is discussed below.
3.3.1 Emergency Core Cooling Early 3.3.1.1 High Pressure Injection Ouring Large LOCA events The PSS assumes that HPI can be utilized for this function during large LOCA events. This is not consistent with previous PRAs and it is not considered lustified for the reasons discussed in Section 3.2.2.3.
l 3.3.1.2 High Pressure Injection During Medium LOCAs i
The PSS assumes that any one-out-of-four HPSI pumps are capable of providing this function during medium LOCA events. Previous PRAs for plants of this type have assumed that one-out-of-two charging pumps AND 1
one-out-of-two safety injection pumps are required for this function, based on analysis provided in plant FSARs. Plant specific calculations performed by Westinghouse ar.d documented in calculation number CN-PRA-83-022 determined
- that any one-out-of-four pumps is sufficient. The calculation appears to be reasonable in removing excess conservatisms in the analysis codes used for l
FSAR calculations. The PSS assumption is therefore considered reasonable and I
acceptable.
l 3.3.1.3 High Pressure Injection During Small LOCAs l
j The PSS assumes that any one-out-of-four HPSI pumps are capable of providing this function during small LOCA events. Based on the discussion 4
o 3 - 45
_ . _ _ _ _ _ _ _ _ _ . _ _ - = -
- 4 ab ,va, it seems reasonable on the surface that if this is true of the medium break, it should also be true of the small break. However, this does not .
account for the slower pressure drop for these breaks, which may keep the RCS
, pressure above the safety injection pump shutoff head. The PSS alludes to this by mentioning that for some small breaks the operator may have to depr2ssurize using a PORY if only a safety injection pump is available. j However, the PSS does not deal with this problem. In order to remove this Cptinistic assumption, it has been assumed that one-out-of-two charging pumps is sufficient but that one-out-of-two safety injection pumps is valid only in combination with one-out-of-two PORVs.
3.3.1.4 Secondary Depressurization and Low Pressure Injection On Table 3.3.1 for medium LOCA, small LOCA, and incore instrument tube rupture events, success criteria (b), (c), and (c) respectively refer to the
- use of secondary depressurization to reduce primary pressure. This is intended to allow the use of low pressure injection cooling in sequences that ,
wouldotherwiserequirehighpressureinq>ection. Although inconsistent wi'.re previous PRAs, these criteria are based on improved analysis and appear to be reasonable. Our reasoning is discussed in Section 3.2.1.2.
- 3.3.1.5 Bleed and Feed Cooling The PSS assumes that bleed and feed cooling can be utilized for small LOCAs, incore instrument tube rupture, steam generator tube rupture, steamline breaks, and transients. This is represented by criterion (b) on Table 3.3.1 i
- for each of these initiators. The success criteria presented appear to be reasonable. Our reasoning is discussed in Section 3.2.1.5.
3.3.1.6 Primary Depressurization for Steam Generator Tube Rupture Success criteria (c) and (d) on Table 3.3.1 for the SGTR initiator represent the PSS assumption that it is possible to depressurize the primary rapidly enough during this event to terminate break flow prior to core uncovery. This allows the use of auxiliary feedwater alone to provide the l 3 - 46
) -
required core cooling. This scenario has not been credited in previous PRAs, but there is sufficient justification to accept the success criteria presented. Our reasoning is discussed'in Section 3.2.2.2.
s 3.3.1.7 Main Steam Isolation During Steamline Breaks s
The PSS assumes that main steam isolation is required during steamline break events in order for auxiliary feedwater to function. This assumption is conservative for the reasons discussed in Section 3.2.2.1. Isolation is not required.
3.3.1.8 Power Conversion System During Transients The PSS assumes that the power conversion system is never available to provide cooling during transients. This assumption is conservative for the reasons discussed in Section 3.2.1.3. The PCS should be included as a valid success criteria.
3.3.2 Emergency Core Cooling Late The success criteria for this function are reasonable and consistent with the Plant FSAR and the corresponding early cooling success criteria, with one exception. The PSS assumes that it is possible to avoid recirculation for small LOCAs and incore instrument tube ruptures by conserving RWST inventory.
This is represented on Table 3.3.2 by late success criteria (a) and (c) respectively. These criteria allow late cooling to be provided by injection i
in the same manner as early cooling. This criteria are considered unjustified for the reasons discussed in Section 3.2.1.6.
3.3.3 Containment Heat Removal The success criteria for this function is reasonably consistent with the l plant FSAR and previous PRAs.
l l
3 - 47
_ (
3.3.4 Revised Success Criteria 4
The revised success criteria shown'in Table 3.3.2 are based on the discussions above. These' criteria are used for the requantification of the dominet core melt sequences. .
e-5
?
1
(
I h
e 6
4 l
l C
3 - 48
TASL2 3,3.1 i Millstone 3 PSS Functional Success Crit rfa .
Emergency Core Emergency Core Containment Initiator Cooling Early Coo 11pg Late Heat Rosewal Large (a) 1/2 LPSI + 3/3 ACC (a) 1/2 LPSR 1/2 CSR or 1 LOCA (b) 2/4 HPS! + 3/3 ACC (core melt only) l i
Medfus (a) 1/4 HPSI + 3/3 ACC (a) 1/2 HPSR Same or or LOCA (b) 1/3 AFWS + $$R + 1/2 LPSI (b) 1/3 AFWS + SSR + 1/2 LPSR
+ 3/3 ACC Smell (a) 1/4 HPSI + 1/3 AFWS (a) 1/4 HPSI + 1/3 4FWS + SSR Same or or LOCA (b) 1/4 HPSI + 2/2 PORY (b) 1/2 MPSR or or (c) 1/3 AFWS + SSR + 1/2 LPSI (c) 1/3 AFWS + $3R + 1/2 LPSR SGTR (s) 1/4 HPSI + 1/3 AFWS (a) 1/3 AFWS Same or or (b) 1/4 HPSI + 2/2 PORY (b) 1/2 MP$R or (c) 1/3 AFWS + SSR or (d) 1/3 MWS + 1/2 PORY Incore Instrument (a) 1/4 HPSI + 1/3 AFWS (a) 1/2 QS + 1/2 HPSR Same or or Tube Rupture (b) 1/4 HPSI. + 2/2 PORV (b) 1/2 05 + 1/3 AFWS + TdR
+ 1/2 LPSR or or (c) 1/3 AFWS + SSR + 1/2 LPSI (c) 1/4 HPSI + 1/3 AFWS + $$R Steam Line (a) 1/3 AFWS + MSI (a) 1/3 AFWS Same or or Breaks (b) 1/4 HPSI + 2/2 PORV (b) 1/2 HPSR Transients (a) 1/3 AFWS (a) 1/3 AFWS Same or or 4
(b) 1/4 HPSI + 2/2 PORY (b) 1/2 HPSR I
3 - 49 l
- - - - --- _ ~
TARLE 3,3,2 Revised Millstone 3 PSS F:s.:tional Success Crit *rf a Emergency Core Emer Core Containment Cooling Early Cool ng ste Heat Removal Initiator (a) 1/2 LPSR 1/2 CSR Lg L
(a) 1/2 LPSI + 3/3 ACC (core melt only)
(a)1/2HPSR Same Medium (a) 1/4 HPSI + 3/3 ACC or or LOCA (b) 1/3 AFWS + SSR + 1/2 LPSI (b) 1/3 AFWS + $3R + 1/2 LPSR
+ 3/3 ACC Same Small (a)1/2CP+1/3AFWS (a) 1/2 HPSR or or ,
LOCA (b) 1/2 $1P + 1/2 PORY + 1/3 AFWS (b) 1/3 AFWS + $$R + 1/2 LPSR or (c) 1/4 HPS! + 2/2 PORV or (d) 1/3 AFWS + $3R + 1/2 LPSI Same SGTR (a) 1/4 HPSI + 1/3 AFWS (a)1/3AFWS or or (b) 1/4 HPSI + 2/2 PORY (b) 1/2 HPSR or (c) 1/3 AFWS + $$R or (d) 1/3 AFWS + 1/2 PORY Same Incore Instrument (a) 1/4 HPSI + 1/3 AFWS (a) 1/2 QS + 1/2 HPSR or or Tube Rupture (b) 1/4 HPSI + 2/2 PORY (b) 1/2 OS + 1/3 AFWS + $3R or + 1/2 LPSR (c) 1/3 AFWS + $5R + 1/2 LPS!
(&) 1/3 AFWS Same Steam Line (a)1/3AFWS or or Breaks (b) 1/4 HPSI + 2/2 PORY (b) 1/2 HPSR (a)1/3AFWS Sase Transients (a) 1/3 AFWS or or (b) 1/4 HPS! + 2/2 PORY (b) 1/2 HPSR or or (c) PCS (c) PCS I
e l
I l C l
3 - 50 L
a -
This page intentionally left blank, s
o e
e i
)
1 ei
- _ - - - _ - - - - - - - _ - - -- - - - - - - - - - - 5 1
d 3.4 Systems H
This section provides the results of our review of system descriptions and system fault trees in the Millstone 3 PSS. The systems descriptions were reviewed with regard to whether the information provided enabled us to verify the fault tree analysis and system success criteria. The fault trees were [
reviewed with regard to their accuracy, validity and completeness in quantifying accident sequences.
There are 16 systems for which fault trees were used in the Millstone 3 -
PSS. A list of these systems and the system failure probabilities for the total system and redundant trains within the system under Support State 1 are provided in Table 3.4-1. The fault trees and descriptions of associated systems were provided in Volumes 4 and 5 (Section 2.3) of the PSS. The fault tree for the vital de system was included in Appendix 1-E of Volume 1.
Our review concentrates on those systems that provided important support functions and those system that were involved in high risk accident sequences. Ir. this regard, the following systems were found to be of particular importance:
Main Electrical Vital AC -
ESF Actuation Emergency Generator Load Sequencer Auxiliary Feedwater Quench Spray Service Water A system-specific review is provided in each of the 16 subsections below.
These' subsections are divided into three parts. The first part provides a system description based on the system descriptions in the PSS and the Millstone 3 FSAR. The second part discusses the system fault tree in light of the system description. Particular attention is given to the treatment of test and maintenance, human errors, and common cause failures.
3 - 52
Table 3.4-1 RESULTS OF THE SYSTEM FAULT TREE ANALYSIS 1 system Unava11ab111ty (1) j
- 1. Main Electrical 4.56 x 10-4
- 2. 120V AC 8.43 x 10-5 (per bus)
- 3. ESF Actuation 1.17 x 10-3 (per signal / train)
- 4. LoadSequencer(EGLS) 1.59 x 10-5 (per signal both trains)
- 5. Auxiliary Feedwater 6.8 x 10-5
- 6. High Pressure Injection 5.87 x 10-5 (for small & medium LOCAs)
- 7. Low Pressure Injection 1.74 x 10-4
- 8. Main Steam Isolation 8.197 x 10-4(2),1.5 x 10-5(3)
- 9. Quench Spray 3.2 x 10-4 10 Safety Injection Pump Cooling 7.32 x 10-3 (per train)
- 11. Charging Pump Cooling 5.32 x 10-4
- 12. Low Pressure Recirculation 3.0 x 10-3
! 13. High Pressure Recirculation 5.85 x 10-3 i
l 14. Containment Recirculation Spray 2 x 10-3
- 15. Service '.later 7.44 x 10-6(4)
- 16. Vital de 1.4 x 10-8/yr(4)
(1) These values are taken from the PSS. All values are failure on
! demand (except16.)
(2) For steam line breaks inside containment For steam line breaks outside containment For a 24 hr. period i
3 - 53
A Our evaluation in this part also considers consistency among the fault tree I components, the top event and the system success criteria. The last part of
- each subsection provides our conclusions and consnents on the system fault tree with regard to accuracy, validity and completeness.-
1 With some exceptions, we found the system fault trees in the Millstone 3 c PSS to be accurate, valid and complete. There was consistency between the system success criteria and the top event of each tree. The effects of test and maintenance, human error and common cause were included in almost all of the fault trees. Nevertheless, there were several minor and a few potentially .-
significant exceptions regarding accuracy, validity and completeness. Most would not contribute more than a few percent error to the overall frequency of core melt so the reader is referred to individual subsections for a discussion of the minor problems. The potentially significant errors are taken up in the paragraph below. ,
i An important dependence of the vital ac, main electrical system, and emergency generator load sequencer on the vital de system was not included in .
the corresponding fault trees. In the event of a loss of offsite power, the vital ac sjstem would initially be dependent upon the batteries in the vital
- de system. This is an apparently critical dependence, because the emergency diesels ceanot transmit power to the emergency bus unless the load sequencer is operating, but the sequencer requires vital ac to function. The real difficulty occurs in the individual fault trees for the vital ac and vital dc l system. The unavailability of each system is calculated assuming that ac power is available on the emergency bus. This makes the results invalid for those cases when no power is available on the emergency bus. Thus, the PSS i provides no estimate of the unavailability of the vital ac and vital de systems, on demand, for those cases in which offsite power is unavailable.
Yet, such a case is precisely when the unavailability of these systems is
- extremely important. The significance of this problem increases in light of the fact that loss-of-offsite-power-initiated sequences are responsible for almost 20% of the latent cancer risk. This issue is taken up in more detail in subsections 3.4.1, 3.4.2, 3.4.4 and 3.4.16 below.
l 3 - 54
Quantification of system failure with fault trees depends directly on the use and application of component failure data. 'However, the review of the.
validity of the Millstone 3 PSS failure' data is discussed in Section 3.5.
s 3.4.1 Main Electrical System 1
System Description
The main electrical system.is designed to provide a reliable source of power to the normal and emergency AC power system. The normal AC power system.
supplies power to non-safety related equipment that is necessary to support .
! power operation of the plant under normal conditions. During off-normal conditions the emergency power system is designed to provide power to safety I
systems that are required for plant shut-down and mitigation of postulated j accidents.
, The PSS and the FSAR indicate that, during normal plant operation, the main generator provides power to the electrical system through the normal i stationservicetransformer(NSST). However, information received during the j plant tour indicates that the offsite grid provides electrical system power to the NSST during normal operation -- a procedure that is typical of other plants. The NSST supplies power to the 4160 V emergency buses via the normal l buses 34A and 348. If the preferred source of offsite power is lost, the j system makes an automatic transfer to the reserve station service transformer ;
(RSST). The RSST provides power directly to the emergency buses 34C and 34D ;
- from an alternate offsite source. l j If both sources of offsite power are unavailable, the emergency AC power i system is designed to provide power directly to both emergency buses 34C and 340. This system consists of two diesel generators each of which is dedicated l to one emergency bus and is capable of providing all engineered safety feature l equipment and essential shutdown loads on that bus.
! I l A diagram of the main electrical system showing the link between the j offline and online portions of the emergency AC system is provided in Figure
[
3.4.1-1. .'
3 - 55
System Fault Tree The Fault tree for the main electrical system was used to model the unavailability of power on emergency buses 34C and 340. The structure of event trees and support states in the Millstone PSS requires that the unavailability of the main electrical system be m6 deled for three cases. ,
Case 1 models the unavailability of power on both buses (34C and 34D) when loss of offsite poweris the initiating event. Case 2 models random failures on a single bus that could lead to bus failure. The Case 2 model forms part of the input to the Case 1 model. The Case 2 model is also used to calculate .
the unavailability of the emergency bus in other fault trees and in the support state model. Case 3 is used to model unavailability of all ac power for an initiating event other than loss of offsite power. The probability of no power on buses 34C and 34D is calculated using both the probability of bus ,
failures and the probability of losing offsite power within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> of a postulated accident. Figure 3.4.1-2, which is taken directly from the Millstone PSS, was used to calculate the unavailability of offsite power.
Figure 3.4.1-3 shows a substantially reduced form of the Millstone PSS Fault tree used to calculate the unavailability of ac power on a single ac emergency bus. The circuit breaker referred to in this tree is the large breaker between the emergency generator and the emergency bus. The PSS Fault tree for this component is extremely detailed. Figure 3.4.1-4 provides a simplified f ault tree for the main electrical system and shows the relative positions of
, each of the three cases in the system logic.
Table 3.4.1-1 provides a summary of the system unavailability that was
- obtained in the PSS for each case and the dominant cut sets in each case. For Case 1 common cause failure of both emergency diesel generators is the dominant contributor, contributing 53 percent to total unavailability. the
! remainder of the unavailability is contributed by combinations of random failures in the emergency electrical equipment. However, none of these cut sets contributes more than 1 per cent each. The dominant cut set for Case 2 l 1s the failure of a diesel generator to start and run, contributing 16 per l cent to the total. The next most significant cut set for this case involves i mechanical f ailure of the circuit breaker and contributes about 2.4 percent.
Remaining cut sets contribute no more than 1 percent each. The dominant c 3 - 56
contribution to unavailability for Case 3 is loss of offsite power combined with common cause failure of both diesel generators. This cut set contributes
.57 percent of the total unavailability. No other cut set contributes more than 1 percent. s According to the Millstone PSS, the only significant common cause contribution to electrical system failure is that associated with the diesel generators. All'other components, such as wiring, circuit breakers, protective relays, etc. were determined to have common cause failure rates that were negligible when compared to their random failure rate. This was determined by examining common cause failures for components with and without aggregate control circuit failures. Comon cause calculations for diesel generators assume a binomial failure rate model.
The Millstone PSS found no credible human errors which could lead to j component unavailability in the main electrical system. The stated reason for this is that, aside from the emergency generators, the electrical system is in continuous use and thus not subjected to any formal tests. Each diesel generator and its associated control circuitry is tested monthly on a staggered basis. Operational tests are performed during refueling shutdown.
- No maintenance is scheduled for the electrical system during normal
. operation. Nonetheless, unscheduled maintenance on the diesel generators as a l
result of periodic testing is included in the calculation of their unavailability.
Comments on the Main Electrical System Fault Trees The fault trees for the main electrical system are, for the most part, accurate complete and valid. However, several notable exceptions require discussion.
One item of interest involves the circuit breaker between the diesel l generator and the corresponding emergency bus. Closure of this breaker requires that a trip coil be energized. This coil is energized by a trip contact that must be closed,either manually or automatically. According to the fault tree for this system (Figure 2.3.2.1-3 of the PSS), failure of this 3 - 57
-_. _=
_ d
--o- c @ -: _
a
.g, f:
q.c @ - --- g u __o-.c @ ---
si a
,,dj .-a;-c @ ==== j ,8
_.o-.c @ - . 116ll1; ri a ._l F.
i- 3c @ - ---
-4c a de @ - -- - -
, I
!I -c @ .
< @ .=.= i ll1 c I f)y -c @ . =: - _ _ _ _ _ _ _ _ _ _ _ _ _ _ . -
i et c @ == I 6l!!=* c @ . .= 1-c @ ~ =:=n <
-c @ - a=s 1 -c @ ----
4(~-p._lc @ =- -====: I c @ . ""d a
- -c @ l -c @ = .~t
- .c il; c @ - ..
l -c ,
- P1;jl 1-c @ = ==
- 3m c = .c @ -:==
- - '. l! I r-c c
c i il,td! ,' 3 !
-c
@ -- Ji' c gj::i I 3 8 Ii Il -c @
@' ""~ ~"
P.,
c ! I -c @ :=.::= ! I
-c gj %-1 != '=
l -c @ - = = 1; t;
+- ; '!
' I .c ,o
. I < J;pi w l 1 Pl;ljis i 5 g- q II Ml.~?.iE I' i lPi
-1 E
> i i ,
.1 k o
l l i
. ij 'rT II 1 l
,' l , lP4 i i 1 "'
l L,.__.
I .c s e .! - -
- !. ,in... i. ';
I :
i a l
-c 3p q ja 13 i i_ m
!,!!I
!, N I
- l <
Pl E
-c :P4hlI i i I. @~~==
l c :Pi : i- < @ . -== l!
r- l if3
'~""~'~"
X ~4 *Ek lp',J ><-lgl I
i f! -c l! <c @@@
i r :.
ill - al.g!j ijs ; c
_c * . i: -c @.
- :==
=::
i1 I !g! e : c @@"3CES: . . . . .
i
-c @ --o-...-
- l:j '"~3 Hi -c @ i @ .~ ""d d T.
411:
c @ ,- <'C @ ===
ap W
l .c g' . . . -
,i -c
-c @ .. -. . .
I @ - ::==
>;.I < ' ' ~ "
L il < @@ ' - ==
lF ;ly,l < @' .
" ' ~ ~ ~ l l.,ai .!n
~C @ ~
c @
,t!
i l;I: < @ =.=
iF l
- , 3 - ss
a -
t
- Loss of 0FFsk Paet on ytt 5.01
- 10~'/o t i
e
\. p, , , l6n Fms bqd/ y, .
l u a w c.
L +e,yud j from Tra s fo - ,v 3 j
FWluit.:
\
~
1.i10lv i.7 v10 '/yy I
f Faults ,a
[ Sull-s esST Fen.l Ja k)%T 1
l Feec(
- 1. I ,16' 4 l)r I.0 10/D I
I
\
e Figure 3.4.1-2 Fault tree used to calculate the probability of loss of offsite power. ,
3 - 59
l Loss of hersqwur .
P.oev.. sus 34c i
l.18 x !C'*/D
.-s s Circuir <(
Breakev Faits Genva %
I Foulls , , ,
fo opera k Fails
- 1. 0 < t o ' ' /D gg I.1is10'YD L 3 5 s 10 ' I/D
(
Figure 3.4.1-3 Reduced Fault tree for the loss of emergency power ,
on one of the two emergency buses. :
i Note 1: Failure rates for bus 34C are given as 7.3x10-8/hr. The l mission time used to calculate failure /D for this fault tree i is 28 hr. In Figure 3.4.1-2 the mission time used to -
i determine failure /D as a result of bus faults is 24 hr j giving a value of 17x10~6/D.
t I
3 - 60
~..
i l Los s aF kil
~
Ac. Power on blC. and VfD
- l. 37 s /0 lD Case 3 s
I s'
/
! Los s aF Loss aC Enregen, OFFsiu Poww M cv <~ sus s ou,(.) 2't h 3t/c , wet ly0 4.56 x IO'VD
- 2. 0 > 10 /D 0
[ Case L l Loss aF Eery u Cs+movt
%er av EwsPlc Cause asd 3u0 Frc~ Failyves ra dcase Ta, lave s
~
I O 2.6
- IO ll0
~
Loss o f ' las sF ,
lEneqeuu}5'It
~ Bus Powe r En,9e An S*I D Powy e .,
l.4 s 10* */D l.'t<10~1/D -
lCcts* *2 Figure 3,4,1-4 Simplified fault tree for the Main Electrical System.
3 - 61
- l Table 3.4.1-1 Dominant Cut Sets for Failure of the Main Electrical System I
J Dominant Cut Set Unavai' abil" ty (per cemanc )
Case 1 Both Emergency Buses Unavailable
- s Cosmon Cause 2.6 x 10-4 -
Random Failures 1.96 x 10-4 Total 4.56 x 10-4 .
Case 2 One Emergency Bus Unavailable
- Diesel generator failure 2.33 x 10-3 Circuit breaker failures 1.15 x 10-2 Total 1.4 x 10-2 Case 3 No AC Power Available on Either Emergency Bus **
Loss of offsite power combined with common
- cause failure of both diesel generators 7.80 x 10-8 Other failures 5.90 x 10-8 Total 1.37 x 10-7
- For a mission time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, given loss of offsite power as an l initiating event (without consideration of recovery of offsite power).
i For a mission time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, given offsite power initially available.
3 - 62
trip contact requires failure of both the automatic and the manual mode. The automatic trip contact requires a signal from the emergency generator load sequencer (EGLS) for operation. But the EGLS requires 120V ac to operate.
Nonetheless, the unavailability of EGLS used for this trip coil in the PSS is based on the overall unavailabiltiy of vital 120V ac when, in fact, during such an event, the only source of vital 120V ac would be from the 125V dc system.
Another item of concern involves the difference in system resolution for subsystems in the electrical systems fault tree. Diesel generator failure is modeled as a base event, but the circuit breaker between the generator and emergency bus is modeled in significant detail. No explanation is given for the large difference in resolution. If data was available on the overall failure rate for these breakers, it should have been used in preference to such modelling detail. Additionally, the fault tree reveals that the circuit breaker relies in part on the Emergency Generator Load Sequencer which is powered by the vital ac. There appears to be a dependence of the electrical system on itself via the load sequencer that is buried within a rather large fault tree. In cc.trast to the detailed analysis used for the diesel CB, the absence of CB, transformer, and transfer scheme failures in the LOP analysis indicate that this analysis may be optimistic.
l Human error should not have been excluded from the systems analysis for
- the main eletrical system. There are several licensee event reports (LER's) that suggest that human errors could lead to electrical system failures.
~
3.4.2 120V AC Vital Bus
System Description
The 120V ac vital o'us system is a safety related, voltage-regulated i support system. It supplies control and instrument power to the plant protection systems. The 120V ac vital bus is divided into four separate channels. Each vital bus or channel provides a unique source of power to a corresponding ESF or EGLS cabinet. Vital buses VIAC-1 and VlAC-2 supply power i
to ESF cabinets (trains A and B), respectively. Similarly, vital buses VIAC-3 O
3 - 63
I .-
and VIAC-4 provide power to EGLS cabinets (trains A and 8). These four vital !
buses appear as basic events in the ESF actuation system ar.d EGLS system fault .
trees.
In each channel, the 120V ac vital bus normally receives powcr from a j solid state inverter thfough a high speed static transfer switch. The j
{ primarysource of power to the inverter comes through a rectifier.frca 4 480V ;
l ac bus (one for each channel). If rectifier output is lost, a secondary DC !
l supply is available from the associated 125 V dc battery charger and/or battery. In the event of inverter loss, a third source of 120V ac vital power ,
j is provided through a O OV to 120V stepdown and regulating transformer from [
l the 480V emergency bus. A simple schematic for the VIAC-1 channel is provided in Figure 3.4.2.1.
) Voltage on each 120V ac vital bus is continuously monitored and oisplayed I l in the control room. It is stated that an alarm is sounded in the control i room on change of state in the static transfer switch due to loss of inverter ,
However, it is riot clear exactly what is scnsta by this alarm-I output.
system (i.e., voltage, current).
System Fault Tree
- The system fault tree for the 120V ac vital bus was used to determine the
! unavailability of 120V ac power on each channel. Because all four channels i l are assumed identical only one fault tree was developed. .
The unavailability of the V1AC-1 vital bus was calculated to be 8.4 x 10-5 Almost99%oftheunavailabilityiscontributedby9cutsets(4 i singles, 4 doubles, and 1 triple). Two singles contribute 66%. These are i
! failure of either the bypass switch or the static transfer switch. The third l l single cut set (which contributes 14%) comes from a fuse failure, but this j fuse was not identified in the schematic provided in the PSS for this system.
i A fourth single involves bus faults on the 120V ac bus and contributes about '
2% unavailability. The foue double cut sets involve failure of the regulating ,
transformer and some other component. These contribute about 16%. The final l
cutset is a triple that includes loss of off-site power, loss of on-site power
~
l 3 - 64
__._ .._.....__._,.._._2----- ._. __ --
l Emerge rey Out 34 C- f4. u, '/v .
a O
~a w v.icirv/vu v .
mm em
(
4
. )
) e c
'4MVae .
HMV*L ^ ^ bv1 l E**V) Mtf
~
i EWV}wy SesEYR E "'
auc pe a ue
?
g,;; >
f h
450'/
/ Joy y e ,
) Choric e ,
[] Alt
, 12SV de.
I
- I i N c. -
J Rect t ;
zuv
,; Vs I
st<<..?
St p s !,
},
) 4 ! A C ] 'l1 0 V e t \)ilul OU$
J I
l Figure 3.4.2-1 Schematic of the VIAC-1 Channel.
3 - 65
i Table 3.4.2-1 Dominant Cut Sets for the Unavailability at the 120V Vital AC Component Failures Cggggty
- Static transfer switch fails open. 2.8 x 10-5 ,
Rotary bypass switch transfers open 2.8 x 10-5 Fuse opens prematurely 1.2 x 10-5 Power Transformer Fails and Inverter fails 1.13 x 10-5 ,
Bus Faults on the vital 120 ac bus 2.0 x 10-6 Powertransformer(480/120) fails and Power transformer (4.16kv/480v) fails 1.3 x 10-6 Total 8.4 x 10-5 3 - 66
1
+
and loss of the 480/120V transformer. Because loss of power would not require unavailability of the transformer for system failure, this cut set points up an error in the structure of this fault tree. This error is-discussed below.
Table 3.4.2-1 lists the dominant cut sets that contribute to the unavailability of the vital ac on one channel.
Test and maintenance, common cause and human error are not modeled in the vital 120V ac fault tree. The system is in continuous use and there are no tests requiring any of its components to be taken out of service. All maintenance is performed during refueling outage. Unscheduled maintenance is supposed to be plerformed only with continuous power maintained to the vital bus through an alternate source. The PSS report states that no common cause failures were postulated fnr the vital ac because they were accounted for by comand faults that are included in pump and MOV start logic. It is also stated that no credible human errors that could contribute system unavailability.
Comments Our initial review of the vital 120V ac fault tree revealed several inaccuracies. In particular there was a problem in the representation of the system logic. Nonetheless, we estimated that these errors did not contribute more than a 10% error in the calculation of system unavailability. After discussing these problems with the Millstone team we received a revised fault tree which addressed these concerns. Nevertheless, the revised fault tree contained an error that was not in the original fault tree in that loss of power on bus 34C is no longer modelled in the system fault tree. Thus, the tree still does not fully model the unavailability of vital ac. However, our analysis of the fault tree reveals that, because system failure is dominated by switch, fuse, and transformer failures, this error does not contribute significantly to the estimate of this systems unavailability.
An important exclusion from this fault tree is the treatment of common
- cause failure. The PSS states that no comon cause failures were postulated 4
for the vital ac because such failures are included in those systems that
-depend on vital ac. However, such an assumption ignores the contribution of .
3 - 67
. c comon buses, common design errors, comon maintenance procedures, etc. to the set of common cause failures for this system.
- Failures in the vital ac system were not major contributors to risk in ;
the Millstone PSS. Nonetheless, the problems noted could become significant i for cases in which the probability of basic events'may have changed. Thus, the usefulness o'f this fault tree for uncertainty and sensitivity analyses may.
be limited until these problems can be corrected. '
3.4.3 Engineered Safety Features Actuation System
System Description
The Engineered Safety Features (ESF) actuation system examines selected plant parameters and determines whether predetermined protection. limits are being exceeded. The ESF actuation system consist of two separate sets of electronic circuitry. The first set is an analog portion consisting of three to four (depending on the system) redundant channels per system parameter.
The second set is made up of two redundant logic trains which process the analog inputs and actuate ESF equipment as required.
Each channel of the analog portion is connected to a separate and redundant sensor for the parameter of interest. This channel is made up of four major components: 1) the channel test switch, 2) the loop power supply,
- 3) the comparator and 4) the comparator trip switch. With the exception of the containment spray system, the comparator trip switch operates on the l "de-energize to actuate principle" so that the analog portion of the ESF
! actuation system cannot be disabled during test.
The output signals from the analog channels are transmitted to two separate and redundant logic trains corresponding to the separate safety system trains (Train A and Train B). The logic trains pass the channel output l through input relays to the logic cabinet. The logic cabinet uses 2/3 or 2/4 l logic to trip a relay driver which actuates the corresponding safety system.
I Each logic train is independently capable of actuating the required ESF equipment. ,
3 - 68
System Fault Tree The ESF actuation system was modeled to determine the unavailability of actuation signals on the final outputs. The Millstone team determined that amodel for the safety injection (SI) signal would adequately represent all other signals.
l The results of the fault tree quantification for the SI signal yield an l unavailability of 1.17 x 10-3/ demand per signal per train with a variance of l.53 x 10-6 The calculated unavailability for both trains (including comon cause failures) is 1.60 x 10-5/ demand per signal for both trains.
Almost 99 percent of the unavilability for a single train is contributed by five dominant cut sets. These single member cut sets are sunnarized in Table 3.4.3-1. I The dominant contributor to system unavailability is a bimonthly logic test which temporarily disables the system and makes up 29 per cent of the total. This is followed by failure of two different universal logic cards which respectively make up 14 and 27 per cent of the total. Failure of vital ac power supply and a relay driver comprise a respective 7 and 5 percent of the remaining contributions.
i Even though testing of the digital portion of the system makes a significant contribution to unavailability, testing on the analog portion does not. This is because the channel being testing is energized and thus in
" actuate" mode. The exception to this is the quench spray actuation which has a separate model for unavailability that is discussed in Section 3.4.9.
System unavailability due to maintenance is included in random hardware faults. l l
The common cause failure analysis is limited to command faults within the ESF sensors. According to the PSS this limitation is due to the diversity within the ESF which makes other common cause failures noncredible. Failure l
of the main electrical system and the emergency ac buses is treated as resulting in a dependent failure of both the ESF and ESF actuation system.
The authors of the Millstone PSS judged that the comon cause failures of both
-5 trains of the ESF actuation system occur at the rate of 1.5 x 10 per ,
l l
3 - 69
. .__ _ ~ _ _ . _ _ _ _ _. _ _ _ _ . _ ._
8 demand. This value is obtained from the overall reliability of the electrical portion at the Reactor Protection System as cited in NUREG 0460.
The Millstone PSS considers two sources of human errors that contribute
, to ESF actuation system unavailability. One source is associated with periodic testing of the analog portion of the system the other with periodic _
testing on the digital portion. In the analog portion, the quench spray
, sensor channels, because they are the only set of channels that do not operate on the "de-energize to actuate" principle, can contribute to unavailability
- from failure to restore the channels after testing. This source of human error is unique to the quench spray system and included in its fault tree.
For the digital portion of the ESF actuation system, test unavailability due to human error is insignificant compared to that contributed by the test itself.
O l
3 - 70
Table 3.4.3-1 Dominant Cut Sets for the Unavailability of an Actuation Signal on One Train of the ESF Actuation System Cohaponent Failure Probability (failure / demand)
Unavailability due to test of the 3.4 x 10-4 digital circuitry Improper operation of universal 3.2 x 10-4 logic card Improper output from the universal 1.6 x 10-4 logic card Relay contacts fail to transfer 1.0 x 10~4 Unavailability of 120V vital ac 8.4 x 10-5 Relay driver receives improper 5.3 x 10-5 output from one gate.
l Total 1.17 x 10-3 i
3 - 71
a Comments Our review of the fault tree for the ESF actuation system raised some concerns regarding its completeness, accuracy and validity in treating common cause failures. The calculated unavailability of both trains is dominated by common cause failure. But common cause failure is estimated from a value derived from NUREG-0460. There is limited consideration given to the validity of this value. Certainly, there is a great deal of uncertainty associated with a value obtained from a systems analysis of the reactor protection system at another plant. To be valid, it should be demonstrated that the ESF 1
actuation system at Millstone is essentially the same as the system from which the numerical failure rate has been obtained. ,
Unavailability, of a single train-is dominated by tests on the digital portion of the system. Thus, any errors in estimating the amount of time necessary for the test procedure could be important. In addition, the calculation of variance in system unavailability for the ESF actuation system .
.is not provided.
- 3.4.4 Emergency Generator Loading Sequencer (EGLS) System
System Description
The EGLS is a solid state digital system that is designed to sequence the reloading of ESF systems in order to prevent electrical system instability caused by motor starts when power from the diesels is transferred to the emergency bus. The system provides actuation signals to shed loads, <
temporarily block manual equipment starts, and sequentially load ESF equipment
- on buses 34C and 34D during emergency conditions. The overall sequencing system is comprised of two identical EGLS cabinets, Trains A and B, which are powered from separate 120V a
- vital buses, VIAC-3 and VIAC-4.
l The EGLS receives signals of bus undervoltage due to loss of power (LOP),
safetyinjection(SIS),containmentpressurechange(CDA), recirculation l
(RECIRC),reservebreaker(ARBKR),anddieselgeneratorbreaker(DGBKR) 0 3 - 72
l 3
~..
status. The EGLS automatically performs the functions of load shedding, load l blocking, and sequential load application under conditions of LOP, SIS with LOP, and CDA with LOP. Under the conditions of SIS without LOP and CDA without LOP, the EGLS does not introduce load shedding, load blocking or sequential load application into any of the control circuits of the engineered safety features (with the exception of the containment recirculation pumps which are always time delayed). An EGLS is provided for each emergency generator.
During the first 40 seconds, the EGLS sequences initiate damage mitigating loads automatically. After the first 40 seconds, the manual start block signal is removed and additional emergency bus loads may be started manually. Typical loads manually started are the pressurizer heaters, the fuel pool cooling pumps, and turbine protection equipment.
The EGLS has seven operating modes. Five of these modes are for plant emergency conditions which involve LOP. The other two are for plant emergency 7
conditions which do not involve a LOP. The modes are:
1 SIS only
- 3. LOP only
- 7. (CDA or SIS) with CDA, RECIRC, and LOP The modes are prioritized such that a CDA mode will always take precedence over an SIS mode when both inputs are present. A LOP mode will always take precedence over a non-LOP mode.
l l
In each of the LOP operating modes, the EGLS first recognizes a loss of l power on the plant safety buses and immediately generates LOP and Manual Start l
, Block (MSB) output signals to plant safety equipment. These signals l l . effectively strip the bus and temporarily inhibit the operator from restarting l any loads. This allows each diesel generator time to start, achieve proper j l
l l
3 - 73 l
__ .. - - - . -- .. - - . - .. - -J
c voltage and frequency, and be connected to its dedicated safety bus without j incurring adverse loading conditions. Upon. receiving a signal confirming that the DG BKR'has closed, the EGLS will begin generating time sequenced j " Safeguard Sequencer Start" (SSS) and Manual Trip Block (MTB) signals to plant l equipment. The SSS and MTB signals, once initiated, are maintained until the i EGLS is reset or a change in operating mode occurs. Should a SIS or CDA input y occur without a LOP, the appropriate SSS and MTB signals are generated l immediately without time sequencing. The MTB signal inhibits the operator i from tripping loads once they have been automatically started.
1 System Fault Tree The sequencer System Fault tree was used to determine the unavailability of one or both EGLS systems. This information was employed in the support states model as the unavailability of EGLS trains. It is also used as the unavailability of the EGLS signal for the diesel generator breaker in the main electrical system fault tree. Two fault trees are used to represent the seven sequencer modes. These two are the SIS signal only mode and the SIS with LOP
, mode. The quantified output of these fault trees is used to represent the operating mode unavailability of the sequencers.
In the " SIS only" operating mode, four dominant cut sets are reported to
! contribute 80 percent of the total availability of 8.2 x 10-4 . The remaining cut sets contribute less than 1 percent each. The dominant i contributor is stated to be failure of ac power which makes up 30 percent of l the total. Failure of sequencer input relays to energize reportedly contributes 25 percent. Failure of the sequencer output relay and failure of an input signal from the diesel generator auxiliary breaker contacts reportedly contribute 12.5 percent each.
In the " SIS with LOP" operating mode, approximately 94 percent of the total unavailability of 9.3 x 10-4 is stated to be due to four cut sets.
The. remaining sets contribute less than 1 percent each. For this mode the dominant contributor is input relay failure, which contributes 37.5 percent.
Another 30 percent is stated to be due to failure of the ac power supply.
Failures of the output relay and diesel generator auxiliary breaker contacts c contribute 12.5 percent each.
3 - 74
l s - 1 There are no test and maintenance procedures that are credited as contributors to system unavailability. The EGLS has two manual test modes and one automatic test mode. One of the manual tests, which is performed monthly, does not prevent the sequencer from responding.to accident signals. The other i
manual test is performed only during refueling outages. The automatic test sequence is performed at 30 second intervals and also does not inhibit accident signals. There is no scheduled maintenance on the sequencer.
Unavailability due to unscheduled maintenance is not included in the fault tree.
Two sources of common cause failure are considered for the sequencer.
One source is a dependent failure due to the loss of vital ac. The other is failures within the sequencer hardware. Thecommoncausefailureratebetheen both trains of EGLS actuation is judged to be 1.5 x 10-5 per demand. The justification for this value is the same as is used for the ESF actuation system. The justification is that the reactor protcction system (RPS) used in NUREG-0460 has an equal or greater diversity than the EGLS and thus deserves the same comon cause failure probability.
l Comments on the EGLS Fault Trees Our review at the EGLS fault tree reveals that to some extent it is invalid, inaccurate and incomplete. Several major problems were identified
! which make it difficult to assess the final top event unavailability without.
more information and a restructuring of the fault tree logic. Our concerns are enumerated below.
The major problem involves the failure to accurately model the dependence of a single sequencer on the corresponding vital ac and vital de systems. A major difficulty comes from the use of the output from the vital 120 ac fault tree as a substitute for the vital de failure. The fault tree model does not deal with the fact that, following a loss of power accident, the EGLS would be the primary initial support system and that for the first 10 to 40 seconds following this event, it would be functioning with ac power unavailable on buses 34C and 340. .
c l 3 - 75
i The unavailability of both EGLS cabinets is apparently dominated by comon cause failures. However, the common cause failure is based on the electrical portion of the reactor protection system (RPS) in NUREG-0460. This system was used to represent the EGLS because the RPS has an equal or greater diversity. This basis for sequencer common cause failure appears weak and optimistic. .
There are many aspects of the load sequencer operations which are not addressed in the PSS. In particular the loading sequencer performs functions which raise questions relative to the possibility of exacerbating accident conditions. The sequencer strips loads on plant safety buses when it receives a loss of offsite power signal. During subsequent diesel' generator startup, it blocks manual starts of safety equipment. When the diesel generator breaker closes, the sequencer begins to load the safety buses with safety equipment in a timed sequence, and initiates manual trip blocks so that the equipment cannot be tripped. The system fault tree does not address the following concerns:
o can the load sequencer fail after stripping and blocking manual starts to safety equipment ? This could lead to serious consequences.
o If the diesels fail to start (after the sequencer strips and blocks loads), how does the operator reload safety buses if offsite power is recovered? Can the sequencer fail in a manner that would prevent this?
o It may become desirable for the operator to trip safety equipment or optimize the configuration or to shut off partially failed equipment. Can he override the sequencer manual trip block?
o Can the Manual Trip Block signal fail "on"? If it does, what happens?
C 3 - 76
w.g As a final point, we note that the dominant cutsets described in the text do not correspond to those provided in the computer-output listing. However, the same total unavailability is reported in both places.
3.4.5 Auxiliary Feedwater System _ _ _
t
System Description
The Auxiliary Feedwater System (AFWS) is an engineered safeguards system which is designed to provide a supply of high-pressure feedwater to the secondary side of the steam generators, for reactor coolant system (RCS) heat removal following a loss of normal feedwater. The AFWS also provides this cooling function in the event of a main steam line break, feedwater line break, small break loss of coolant accident (LOCA), loss of power, or low-low
, steam generator water level conditions. In addition, the AFWS is designed to respond to all of the above conditions whether or not all ac power is available.
The AFWS consists of two motor-driven auxiliary feedwater pumps, one turbine driven auxiliary feedwater pump, and the associated controls, piping and valves necessary to perform the RCS heat removal function. Each auxiliary feedwater pump normally takes suction from the demineralized water storage tank (DWST). The DWST, which is sized at 340,000 usable gallons, has sufficient capacity to provide the short term safety grade source of auxiliary feedwatar for the steam generators. An additional source of 200,000 gallons of water is provided to the auxiliary feedwater pumps by the condensate storage tank. This non-safety grade source of water is connected to each pump suction line through normally closed air-operated valves. The long term safety grade source of auxiliary feedwater is provided by the service water system.
The AFWS is normally lined up to all four steam generators through normally-open motor-operated control valves. In the event of an AFWS demand the minimum success criteria stated in the PSS is that one of the three auxiliary feedwater pumps start and run. Redundant piping flow paths from the pumps to the steam generators provide at least two of the steam generators .
3 - 77
(
with the required flow even if only one pump is available for service. Each of the two motor driven pumps is capable of feeding two steam generators while the tubine-driven pump is capable of feeding all four steam generators.
System Fault iree ,
c The auxiliary feedwater system fault tree was used to assess the failure of the system to meet its success criteria for a period of twenty-four hours following any postulated accident or transient. System success is defined as delivering 235 GPM of auxiliary feedwater to at least three of four steam generators following all accident transients.
The auxiliary feedwater system fault trees (with and without a faulted steam generator) were quantified for six cas:s in order to , represent the effects of the plant support states:
Case A Scth trains of AC Power Available - No Faulted Steam Generator (Addresses support states 1 and 5)
Case B One Train of AC Power Available or Equivalent - No Faulted Steam Generator
- (Addresses support states 2, 3 and 6)
Cas C No AC Power Available - No Faulted Steam Generator (Addresses suport state 7).
Case D: Turbine-Oriven AFWS Pump Train Not Available and Both Trains of AC Power Recovered - No Faulted Steam Generator (Addresses support state 7 for loss of offsite power as the initiating event)
Case E: Both Trains of AC Power Available or Equivalent - One Faulted Steam Generator (Addresses support states 2, 3, 6 and 7) 3 - 78 i _ __ _ _ _ . _ . . . _ - . _ _ _ . _ _ _ . -
Tabla 3.4.5-1 summarizes the unavailabilities of the auxiliary feedwater system for each support state with/without a faulted steam generator. For support state 8, both ESF actuation Trains A and B are assumed to be unavailable. Thus, AFWS unavailability is 1.0 by definition. Table 3.4.5-2 lists the dominant contributors for each of the six cases A through F.
The cosmon cause failure analysis for the AFWS used a binomial failure rate model. The analysis treated the turbine-driven auxiliary feedwater pump as a diverse system with respect to the motor-driven auxiliary feedwater pump trains. Analyses were performed for both those accidents and transients that do not require a steam generator to be isolated and those that do require isolation. A total of seven comon cause analyses were performed. Those are:
- 1) No faulted steam generator, both emergency ac buses available.
- 2) No faulted steam generator, one emergency ac bus available.
- 3) No faulted steam generator, no emergency buses available.
- 4) No faulted steam generator, loss of turbine-driven auxiliary pump.
- 5) One faulted steam generator, both emergency ac buses available.
- 6) One faulted steam generator, one emergency ac bus available.
- 7) One faulted steam generator, no emergency bus available, i
Comments on the AFWS Fault Tree i
. In general, we found the fault trees for this system to be accurate coniplete and valid. Nonetheless, we noted issues of concern regarding i success criteria and the overall unavailability of the system. One issue is I that the auxiliary feedwater unavailability probability (6.8 x 10-5/ demand) i appears optimistic. Other assessments have derived values 5 to 10 times i
greater for similar systems, and even higher failure rates may be expected i early in life. A further discussion of this matter is provided in Section ;
3.6. A second issue is whether the trains can meet the success criteria phen l pumping aginst the steam generator relief valve set pressure (a condition which exists for some important accident sequences). Nonetheless, the Al WS should be designed to pump against relief pressure and the licensee has to demonstrate this capability through preservice and periodic testing.
O 3 - 79
f I
Table 3.4.5-1 Sumary of Unavailability Results for the Atxiliary Feedwater System. -
Support State Status of Steam Generators System unavailability Case c (failure / demand) 01 None Isolated 6.8 x 10-5 A 01 Steam Generator "A" Isolated 4.94 x 10-4 E 02 None Isolated 5.9 x 10-4 8 02 Steam Generator "A: Isolated 4.53 x 10-2 p 03 None Isolated 5.9 x 10-4 8 03 Steam Generator "A: Isolated 4.53 x 10-2 p 04 None Isolated 1.0 -
04 Steam Generator "A: Isolated 1.0 -
05 None Isolated 6.8 x 10-0 A 05 Steam Generator "A" Isolated 4.94 x 10-4 E 06 None Isolated 5.9 x 10-4 8 06 Steam Generator "A" Isolated 4.53 x 10-2 p 07 None Isolated 4.52 x 10-2 C 07 None Isolated *2.77 x 10-4 0 07 Steam Generator "A" Isolated 4.53 x 10-2 p 08 None Isolated 1.0 -
l 08 Steam Generator "A" Isolated 1.0 -
- *For support state 07 with loss of offsite power as the initiating event and recovery of offsite power occurring within one hour.
. s. __
l Table 3.4.5-2 Dominant Contributors to Unavailability for Cases A-F 1
Case Dominant Contributors A Common Cause 96%
B Motor drive pump "A: and turbine driven pump both fail 37%
Pump "A" actuation logic and turbine pump fail 16%
Common Cause 1G%
C Turbine driven pump failure 90%
0 Common Cause 54%
Random Failures in
- the motor driven pumps 46%
E Failure of Pump "B" and steam pump 64%
Common Cause 13%
F Turbine driven pump failure 90%
W 3 - 81
,._g. _
g 6
~
3.4.6 High Pressure Safety Injection System ,
d t
System Description
The High Pressure Safety Injection System (HPSI) provides reactor core cooling and shutdown capability by injecting borated water into the reactor (
vessel following a loss of cooling accident (LOCA). The HPSI system, in conjunction with the low pressure safety injection system and the recirculation cooling system, must provide adequate cooling and makeup to the reactor core for sufficient time to mitigate the effects of any postulated LOCAs.
The major components of the HPSI system are three charging and two HPSI pumps, along with the associated piping, values and control circuitry. Two of the three charging pumps are normally used for the Chemical and Volume Control System. These two pumps are rotated on a monthly basis so that one pump is always operating. When the safeguards actuation signal ("S" signal) is received, the injection mode of operation is automatically initiated. The non-operating charging pump is started and both it and the running pump are realigned to take cuction from the refueling water storage tank (RWST),
discharging into the reactor coolant system cold legs (cne in each of the four RCS loops). During normal plant operation, the two HPSI pumps are not in
- operation but are prealigned to the RWST. When the "S" signal is received, I
both pumps start, taking suction from the RWST and discharging to the RCS cold legs. The "S" signal comes from the ESF Actuation Cabinet.
System Fault Tree 4
.l 4 The fault tree for the HPSI system is used for three classes of accidents
- large, medium and small LOCAs. The success criterion for a large LOCA specified that 2 of 4 charging or HPSI pumps be available. The success criterion for a small or medium LOCA specified that 1 of 4 charging or HPSI pumps be available. The system fault tree was used to quantify the probability of failing to achieve the success criteria for the three LOCA classes in each of eight support states. The results of these calculations l
are provided in Table 3.4.6-1. Six fault tree calculations were used to .
l 3 - 82
-l l
~
. . ~ .
l 1
I Table 3.4.6-1 High ."ressure Safety Injection System Unavailability Results i
System Unavailability (Maan Values)
Support States Large LOCA Medium and Small LOCA (HP-1) (HP-2) per demand per demand 1 1.12 x 10-4 5.87 x 10-5 2 5.19 x 10-2 7.01 x 10-4 3 1.0 1.0 4 1.0 1.0 5 1.38 x 10-4 5.88 x 10-5 6 5.19 x 10-2 7.01 x 10-4 7 1.0 1.0 8 1.0 1.0 l
I l
t I
l 3 - 83 l
Tabl3 3.4.6 2 High Pressure Safety Injection Sy' stem Domizant Contributors -
I Hypothetical Accident System Unavailability Dominant Contributor Percent Contribution (failure / demand) (failere/ demand)
Large LOCA (HP-1) a-c power available 1.12 x 10~4 7.47 x 10-5 Common Cause Failure 67 loss of one bus 5.lg x 10-2 2.38 x 10-2 51 and Chg Cooling 46 l loss of offsite a-c power 1.38 x 10'4 8.27 x 10-5 Common Cause Failure 60 Medium and Small LOCA (HP-2) '
ac power available 5.87 x 10-5 5.87 x 10-5 Common Cause Failure 100 loss of one bus 7.01 x 10~4 1.42 x 10~4 SI and Chg Cooling 20 loss of offsite ac power 5.88 x 10-5 5.88 x 10-5 Common Cause Failure 100 l
4 C
3 - 84
7 ,
obtain the sixteen valves shown in Table 3.4.6-1. Table 3.4.6-2 lists the dominant cut sets in each of these six cases and the percentage of the cutset contribution to overall unavailability. l The effects of common cause failures, test and maintenance unavailability, and human errors were all included in the HPSI fault tree.
Common cause failure was modeled using a binomial failure rate model. The 4
only human error that was included was failure to restore equipment after test and maintenance. These failures were included along with random equipment failures.
Comments on the HPSI Fault Tree
. Our review of the HPSI fault tree indicates no major problems with regard to validity, accuracy and completeness. The HPSI fault trees indicate that, for small, medium and large LOCA, the unavailability in support states 1 and 5 is dominated by common cause failures. Unavailability in support states 2 and 6 is dominated by the unavailability of the oil cooling system for the charging and SI pumps. In support states 3, 4, 7, and 8 the HPSI system unavailability is 1 due to dependent failures.
1 4
lI One item of concern is the vague description of success criteria. It.is stated that 2 of 4 charging or HPSI pumps are required for a large LOCA and 1 of 4 charging or HPSI pumps are required for a medium LOCA. It is not clear, under this criterion whether 2 charging pumps or 1 chargine pump and 1 HPSI
! pump are the minimum requirement for system success in a large LOCA.
Similarly, it is equally unclear whether the success criteria imply that I
- charging pump is sufficient to mitigate a medium LOCA. Also there is no l consideration given to pump "run-out."
i -3.4.7 Low Pressure Safety Injection System l
System Description
The low pressure safety injectijon (LPSI) system is designed to provide a large volume of water to the cold legs of the reactor coolant system (RCS) in .
l 3 - 85
1 l
~ . ,
the event of a loss of coolant accident (LOCA). In the first phase of l emergency core cooling (ECC), borated water from the RWST and the accumulators ,.
is delivered to the RCS cold legs. When the water level in the RWST reaches the low-low level limit, the LPSI system terminates injection and the second phase of ECC begins. This phase involves the recirculation of borated water s from the containment sump to the RCS cold legs by the residual heat removal 4 (RHR) pumps.
i
] The LPSI ystem consists of the accumulators, the RHR pumps, and the associated valves, orifices, piping and supporting circuitry. There are four .
independent accumulator trains each of which is dedicated to one of the four reactor coolant system loops. The two RHR pumps are included in two redundant and independent trains. Each train delivers water to all four RCS loops.
i System Fault Tree i
, The LPSI system fault tree was used to calculate the probability of system failure based on two system success criteria. The first criterion is associated with the large LOCA, vessel rupture, or interfacing systems LOCA initiating events. Water must be delivered from three accumulators and at least one full capacity RHR pump. System failure occurs when either one i accumulator fails to discharge into an unbroken loop or when both RHR pumps fail to deliver water to three intact RCS loops. The second criterion is j associated with the medium LOCA initiating event and requires that one out of two full capacity RHR pumps deliver to two intact cold legs.
I Compatability with the support states model required that the LPSI system fault tree be quantified for two cases. Case 1 addresses situations in which both trains of ac power are available and corresponds to support states 1 and
- 5. Case 2 addresses situations in which only one train of ac power is available and corresponds to support states 2 and 6. The LPSI system is ~
unavailable in support states 3, 4, 7, and 8.
The LPSI system unavailability and dominant cut set contributions for cases 1 and 2 are summarized in Table 3.4.7-1. When both trains of ac power j
are available (case 1), unavailability of the accumulators is the dominant cut g
! set, contributing 92 percent of the overall system unavailability. '
3 - 86 l
i Table 3.4.7-1 Dominant Contributors to LPSI System Unavailability Components Failure Probability (perdemand)
Case 1: Both AC Trains Available Accumulator check valves 1.9 x 10-3(92%)
Connon cause 1.6 x 10~4( 7%)
s Total 2.1 x 10~3(100%)
Case 2: One AC Train Available Circuit breaker on pump fails to close 2.1 x 10-3(31%)
Accumulator check valves 1.9 x 10~3(29%)
Accumulator check valves 1.4 x 10-3(21%)
Other check valves 6.4 x 10~4(10%)
Total 6.7 x 10~ (100%)
l l
3 - 87
l I
Common cause failures contribute approximately 7 percent. When only one train of ac-power is available (Case 2), 32 percent of the system failure 7 l probability is attributed to spurious closure of the actuation circuit of the
. motor-operated valve in the pump miniflow line. Failure of accumulator check '
valves contributes approximately 29 percent. Hardware faults of the RHR pump
, contribute 21 percent. Failure of the check valves in the suction and g discharge lines of the RHR pump account for 10 percent of the failure probability.
Test and maintenance unavailability, corunon cause failures and human g error are all included in the system fault tree. A test unavailability analysis is not included in the LPSI fault tree, because it is stated that tests do not make the system unavailable. Components outside of containment that can be isolated and tested for failure are maintained on an unscheduled ,
i basis. Thus, maintenance unavailability calculations have been done for check i
valves, air-operated valves, motor-operated valves and the RHR pumps. A common cause failure analysis was performed for the two RHR pumps and the motor-operated isolation valves in the pumps' miniflow lines. The connon cause failure calculations were based on a binomial failure rate model. Human errors that were given credit for system failure involve failures to restore i
the RHR pumps and vital motor-operated and air-operated valves following test ano maintenance.
Comments on the LPSI System Fault Tree In general, the LPSI system fault tree appears to be accurate, complete and valid. Nonetheless, with regard to the long and short-term system success criteria there are issues that may require additional analysis.
The LPSI system is defined as including the RHR pumps and the accumulators. The success criterion is stated to be three accumulators and one RHR pump for the large LOCA, a vessel rupture or an interfacing systems LOCA (Event V). According to this criterion, the system is modeled as failed ,
when one of three accumulators fails even when two RHR pumps are available. l It is not likely that failure of a single accumulator would result in a core melt when one or more RHR pumps is operating. The fact that accumulator O
3 - 88
) _
failure appears to dominate LPSI failure could make this criterion an important conservatism. However, The LPIS is not a contributor to any risk at Millstone 3. Thus, this conservatism is not likely to be significant.
Nonetheless, it should be recognized that for Event V the accumulators are of little use and the operation of the RHR system is not sufficient for success against this sequence. Finally, it is also speculative whether one RHR pump could prevent core melt for a rupture low in' the reactor vessel.
The requirement for long-term operation of the RHR is not considered in the fault tree analysis. For long-term decay heat removal, the RHR may have to operate several weeks. However, this would be the case only if the plant were not restarted. Additionally, the active components of the RHR are outside the containment where maintenance and repair could be readily performed. Thus, failure of the RHR in extended cooling mode is not likely to be a significant risk contributor.
3.4.8 Main Steam Isolation System
System Description
The main steam isolation (MSI) system is designed to prevent uncontroled blowdown of the steam generators in the event of a steamline break. The system consists of one 30 inch steam-operated "Y" pattern globe valve per loop, for a total of four valves. The valves are located in the main steam piping downstream of the main steam safety and relief valves, in the main steam valve building. ;
The main steam isolation trip valves are designed to close within 5 seconds of receipt of a steamline isolation signal for all values of pressure l l differential across the valve. They are designed to fail in the closed position upon loss of electrical power or steam header pressure and are spring loaded in the close direction. Main steamline header pressure acts as the operating medium for both the opening and closing operations of the valves.
An external nitrogen supply is used for operation and testing of the valves when steamline header pressure is below approximately 185 psig.
! 3 - 89
(
Each main steam isolation trip valve is controlled by redundant pairs of solenoid valves (a set of train A and train B solenoid valves). Opening and ,
closing sets of solenoid valves pressurize and vent the bottom and top of the valve operating piston compartment.
System Fault Tree i The MSI system fault tree was used to determine the probability of failing to achieve the system success criteria following a postulated steamline break. Two types of steamline break are considered, a steamline break inside containment and a steamline break outside of conta.inment. For a steamline break inside containment the success criterion is closure of the MSI valve on the faulted steam generator /steamline or the closure of 3 out of 3 MSI valves on the unfaulted steam generator /steamlines. For a steamline break outside of containment the success criterion is closure of any 3 out of 4 MSI valves. Because the MSI system fails safe upon loss of power and does not
- depend on service water, the support states that relate to ESF electric power 4
and service water supply are not addressed in the MSI failure analysis.
The calculated unabailability for the MSI system is:
i Case Mean System Unavailability Variance (failure / demand)
Steamline break 8.2 x 10-4 7.1 x 10-7 l inside containment Steamline break 1.5 x 10-3 4.9 x 10-6 outside containment The dominant contributor to total uravailability in both cases is common cause failures. Common cause contributes 92 percent of the total mean unavailability for steamline breaks inside containment and 91 percent for steamline break outside containment.
i C
3 - 90
I Comments on the MSI System Fault Tree No problems in terms of accuracy, completeness and validity were found with the MSI system fault tree. System failure is dominated by common cause contributions. The common cause failure analysis employs the binomial failure rate model, which is described in Appendix 2-C of the PSS and reviewed in Section 3.10 of this report. A separate common cause analysis was performed for each success criterion.
3.4.9 Quench Spray System
System Description
The quench spray system is. designed to provide rapid short-term quenching of steam released from pipe breaks within containment. The system consists of two identical trains each of which contain a quench spray pump. These pumps ,
feed two ring headers near the containment dome. The quench spray pumps take suction from the refueling water storage tank (RWST).
The quench spray system is initiated by a containment depressurization 4
actuation (CDA) signal that results from coincident high containment pressure signals. The quench spray system is automatically terminated by a low level switch in the RWST. Na0H is added to the spray water in order to maintain a minimum pH and thus prevent long-term corrosion of stainless steel inside the containment once quench spray has been actuated.
4 The quench spray system in conjunction with the containment recirculation '
l system is used to maintain the integrity of the containment structure.
Following a major primary or secondary pipe rupture inside containment, the system returns the containment to subatmospheric pressure by removing heat
, from the containment atmosphere. Figure 3.4.9-1 provides a schematic view of the quench spray system.
l O
3 - 91
i.
S_YMBOtS l
j -{><}-- sAre wave j l F wcnnine entrice M- manuaLv cLesso wavs j -0=0--a' = vaue -C 4 -- M e"!="v'i' -{><}-- .0...Lv . van b- c*cz v*ve -l ! h- Ella' Y'd"!EilY : -l M F- M H "si'Ja % "
L O - Locus ==
p_ g racLc .j p gry eeznavso i
t I
~ l l
ggume i I
Lo
-l ggAsc I l
! I INSIDE CONTAINMENT l
siwsn g STRUCTURE 1
I ournen sPaAv MAI S 41 i Magg,"^* ain I FHW[
! L. '
e . lW A
i
-( i .l.rul. -
'a
.i l s g .. . i i
- i
. r N h JL I I -ana aan N D 4 'D HOTE I b I i D 4 D i
hf g UPU UWU I
l
. moms i {_ {g
[
I gg 3 IO N
$,r
~
?, 7 . l* B NOTES i 3 s yfur. ORAIN. Alle LEAKAE West 5TeatN8 LIE 28, NOT 900WII I
~ 70 ComfAlmutu? . s VALtT IS CLDEES IRNIING ticeWa .* AP.T WAAilell
- j. RECWCEAHOW 3 s $PCCTACLE Ft.AllGE IS AT SPEN POSif aGal (tJHlW4 NORasAL PLAls? ePg3Afteg i
Figure 3.4.9-1 Quench Spray System i
.i
. ____ o. n , _ _ a ____ -
. ~
- +%
System Fault Tree The quench spray fault tree models the capability of the two pumps to start and run and the availability of various valves to open on demand. In preparing the system Fault tree the Millstone team gave consideration to the impact of independant component failures, test and maintenance, common cause failure and human errors. We have reviewed the fault tree and found it to be accurate, complete and valid with minor exceptions discussed below.
- The quench spray system fault tree was quantified for two cases in order to represent the effects of the eight plant support states. These cases are
j Case A: Two trains of ac power available, corresponding to support states 1 and 5.
Case B: One train of ac power available, corresponding to support states 2 i
er.d 6.
For support states 3, 4, 7 and 8 the quench spray system is unavailable (Q=1). For case A the unavailability of the quench spray is 3.2 x 10-4 with a variance of 1.0 x 10~7 and for case B the calculated unavailability is i 8.2 x 10-3 with a variance of 5.6 x 10-5, i
I When both trains of ac power are available, the dominant contributor to j quench spray unavailability is common cause failures. Common cause makes up
! 70 percent of the system unavailability. Most of this is associated with l common mode failures of both pumps to start and includes factors such as j common design errors, connon actuating logic and connon test and maintenance
- procedures. Much of the remaining connon cause unavailability comes from the
! two motor-operated discharge values (M0V34A and M0V348.) Other contributors to overall unvailability are ESF logic (9%), pump faults (3%), and failures in the motor-ooerated discharge values (2%). The residual unavailability comes from cross-train component failures.
When only one train of the Quench Sprasy System is available the major contributors to unavailability are pump failure to start (28%), pump hardware a 3 - 93
j l
faults-(17%),' motor-operateddischargevaluefailuretoopen(26%),
motor-operated disicharge value failure to remain open (12%) and check value :
failures (12.7). Tahia 3.4.9-1 summarizes the major contributors to quench spray system unavailability for Cases A and B.
Four sets of connon cause failure are used to calculate the connon cause- -
unavailability of the quench spray system. These are
- 1) Failure of the quench spray pumps in the A and B train to start
, 2) Failure of the quench spray pumps in the A and B train to run.
- 3) Failure of the motor-operated valves in the A and B train to open and allow spray discharge through the ring headers. j
- 4) Failure of the motor-operated valves in the A and B trains to remain open.
. Common cause calculations for the quench spray system assume a binomial failure rate model. This failure rate model is described in' Appendix 2-C of the Millstone PSS and reviewed in Section 3.10 of this report. Contributions to each failure mode from actuation logic are included in the individual I binomial failure rates for the components.
4 Two additional comon cause failures were considered, but judged by the PSS authors to be insignificant contributors to unavailability. These are
- 1) freezing of the RWST and quench spray lines and 2) common cause failures of pairs of check valves.
i There are three human errors which are included in the quench system
, fault tree as contributors to system unavailability. These are 1) failure to properly close the gate valves (valves 36 and 37 on figure 3.4.9-1) in the pump test line following test or maintenance, 2) failure to restore the
' locked open gate valves (28 and 29) following tests of the motor-operated j L discharge valves (40 and 41), and 3) failure to restore the quench spray actuation of the ESF logic follow its test. c 3 - 94
I j
l Table 3.4.9-1 Quench Spray Unavailability Dominant Contributors Unavailability (failure / demand)
CASE A Common Cause 2.24 x 10~4 ESF Actuation Logic 3.00 x 10-5 Pump Faults 9.60 x 10-6 Faults in one of the motor operated values M0V34A MOV348 and in one pump in an opposite train 9.8 x 10-6 Faults in the M0V34A and MOV34B 6.4 x 10-6 Other Faults 4.0 x 10-5 Total 3.2 x 10-4 CASE B Pump failure to start 2.3 x 10-3
. Failure of motor-operated 3.13 x 10-3 valve M0V34A to open Pump hardware faults 1.40 x 10-3 Failure of motor-operated 9.84 x 10-4 valve to remain open l Check valve faults 9.84 x 10-4 Other faults 4.02 x 10-4 Total 8.2 x 10-3 3 - 95
1 e.q Comments on the Quench Spray Fault Tree (
Our review of the quench spray system fault tree indicates that it is accurate, complete and valid with only minor reservations. One question is why the effect of test and maintenance on the motor operated discharge valves 4
MOV34A and M0V348 (valves 40 and 41 on the P and ID) was not modeled in the fault tree. Another concern involves the exclusion of freezing RWST and quench spray lines and comon cause failures of pairs of check valves from the list of categories. There have been licensee event. reports that involve e freezing of the RWST lines. However, our major concern is not that these could be significant contributors to risk but that the authors judged these modes as insignificant contributors without demonstrating this quantitatively. Finally,. it is of interest that failure of RWST cooling water is not modeled. It seems clear that, a'lthough this system is not necessary for proper functioning of the RWST, it's failure would effect containment ~
performance during LOCA accidents. We feel that some estimate of chilled water system availability would be useful in making an accurate assessment of damage states or accident recovery.
l 3.4.10 Safety Injection Pump Cooling System
System Description
The purpose of the safety injection pump cooling system is to cool the bearing oil of the safaty injection pumps. It is a safety related system and a critical support system for the High Pressure Safety Injection System. The i system is made up of two safety injection pump cooling pumps, two safety injection pump oil coolers, two heat exchangers, and a shared cooling surge tank. Each safety injection pump has dedicated cooling pump, heat exchanger and oil cooler. The heat exchanger interfaces with the service water system.
the surge tank is supplied by the reactor plant component cooling water.
Normally, the safety injection pump cooling system is not in operation. It is designed to start automatically when the associated safety injection pump starts.
O 3 - 96
1 System Fault Tree
~
The system fault tree was used to model the unavailability of safety injection pump cooling in a single train. The calculated unavailability of each train is 7.32 x 10-3 per demand. Pump faults contribute 96 percent of I the overall system unavailability. Furthermore, actuation system faults are j associated with 36 percent of the unavailability, loss of control power to the pump circuit breaker contributes 32 percent and hardware faults contribute 20 percent. Residual unavailability for each train is due to piping faults, heat exchanger faults and check valve faults. Table 3.4.10-1 summarizes the dominant cut sets that contribute to overall unavailability of the safety injection pump cooling system. '
Unavailability of both pump cooling systems is only a consideration when ac power and service water is available to both trains. In this case common cause f ailure dominates the calculated unavailability of both systems. The common cause unavailability contribution from the safety injection pump cooling system to the high presure safety injection system is calculated to be 1.43 x 10-4 The safety injection pump cooling pumps are tested monthly on a staggered basis. However, the system is not unavailable during tests. All components that can be isolated and are outside containment are maintained as necessary on an unscheduled basis. Maintenance unavailability estimates for the high pressure injection system includes contributions from maintenance on the safety injection pump cooling system.
Consideration of human errors resulted in the conclusion that no human errors were judged credible for the safety injection pump cooling system.
Comments Our review of the safety injection pump cooling system revealed no significant ommissions or problems. Nonetheless, the fault tree was remiss in some general areas. Pump capacities, water source requirements and power requirements were not fully described. The system success criteria were not -
! 3 - 97
[ 1
f i
Table 3.4.10-1 Dominant Cut Sets for the Safety Injection Pump Cooling System 4
Component Cut Set Probability (failure / demand) 4 Motor dirven pump actuation circuit fault 2.6 x 10-3 Loss of control power to circuit breaker e or pump 2.34 x 10-3 Failure of Motor driven pump to start and run 1.49 x 10-3 ,
Failures of bus circuit breaker 2.43 x 10-4 Check valve failure 3.2 x 10-4 Motor driven pump trip circuit faults 2.34 x 10-4 Other faults 1.3 x 10-5 Total 7.32 x 10-3 d
3 - 98
. -- - n = ~ _. -
n -
-fully described. Table 2.23.2.10.3-1 lists the mission time for the motor operated pump as 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />. However, the basis for this value is not presented. It should be noted that failure of this system when both trains are avaliable is dominated by common cause failures.
3.4.11 Charging Pump Cooling __ __ . _
System Description
The charging pump cooling system is a safety-related system that cools gear and bearing oil of the charging pumps. This system is essential for the operating of the charging pumps and thus necessary to mitigate the consequences of a loss of coolant accident. The system consists of two I charging pump cooling pumps, two heat exchangers which transfer heat from the cooling system to the service water, three charging pump oil coolers, and a shared surge tank. One of the cooling pumps is normally running while the other is on standby. In the event of' a safety injectijon signal or loss of
- power signal, the standby pump automatically starts. In addition, when the standby pump is running, the isolation valves are aligned so that each cooling i pump and heat exchanger is dedicated to one charging pump.
I j
System Fault Tree l
The system Fault tree was used to model the effect of charging pump
! cooling system unavailability on the unavailability of the high pressure safety injection system (HPSI). One Fault tree was used for both trains of
! the charging pump cooling system. However, different calculations were used for component unavailabilities in the train of charging pump cooling in which the cooling pump is operating (train A) and the standby train (train B). For loss of offsite power events (Support State 5) both systems were modeled in standby.
, The calculated unavailability for the operating train was calculated to be 5.3 x 10~4 per demand. The dominant cutsets for this train are listed in Table 3.4.11-1. Check valve faults contribute 60 percent to unavailability and failures of the motor-driven pump pump to run contribute 28 percent. .
l 3 - 99
Unavailability of the standby train was determined to be 1.2 x 10-2 ,
The dominant cutsets for this system are also listed in Table 3.4.11-1. .
-Ninety eight percent of the unavailability is due to faults in the motor-driven pump. These are further composed of 41 percent contribution from circuit faults, 22 percent from actuation system faults, 20 percent from loss of central power to the pump circuit breakaer, 13 percent from pump hardware faults and 2 percent from circuit breaker hardware faults.
Comon cause failures are determined for Support States 1 and 5 (AC and service water available to both trains). For all other Support States only .
I one train of charging pump coding is available. The common cause calculations for the charging pump cooling system assume a Binomial Failure Rate Model.
For Support State 1 (all systems available) the calculated unavailability of both cooling trains 's 3.6 x 10-6 The unavailability for Support State 4 (loss of offsite power) is 5.4 x 10-5, The charging pump cooling pumps are tested monthly on a staggered basis.
All isolable components outside of centainment are assumed to be maintained as necessary on an unscheduled basis. The cooling system unavailability as a result of maintenance has been incorpocrated into the maintenance unavailability of the charging pumps.
No human errors were judged to be credible for the charging plump cooling system.
i Coments Our review of the charging pump cooling system fault tree identified some l
items of note. There is an inconsistency in the faulure probability listed in l the input table and the value listed for the same component in the list of cut sets. The pump trip circuit for both the operating and standby pumps is calculated to have a component failure probability of 2.34 x 10~4 .
Nonetheless, the cutsets for this component list its failure probability as 4.01 x 10-5 for the operating train and 4.83 x 10~3 for the standby train. The reason for the difference is not discussed.
C 3 - 100
3 Table 3.11-1 Dominant Cut sets for the Charging Pump Cooling System Component Failure Probability (failure / demand)
Operating Train -
Check valve failure to operate 3.2 x 10-4 Motor driven pump failure to run 1.46 x 10-4 Trip circuit faults on motor driven pump 4.01 x 10-5 Loss of central power to circuit breaker 1.95 x 10-5 on motor-driven pump Total 5.3 x 10-4 Standby Train Trip circuit faults on motor-driven pump 4.83 x 10-3 Actuation system faults for motor-driven 2.6 x 10-3 pump
)
Loss of control power to circuit breaker on 2.34 x 10-3 motor-driven pump Motor driven pump failure to start and run 1.49 x 10-3 Bus circuit breaker failure to close 3.38 x 10-4 i
Check valve failure 3.4 x 10-4 Total 1.19 x 10-2 3 - 101
_ _ _ . . _ _ _ _ _ . _ . _ _ . ~ _ , . , _ ._ _._.
- I 4
It should be noted that for the charging pump cooling system the i unavailability of both trains due to random failures is greater than that due j
. to common cause. For Support State 5 (no offsite power), the unavailability l of both trains of the charging pump cooling system due to random failures is
. 1.42 x 10-4 which is roughly a factor of two larger than the common cacse unavailability (5.40x10-5). When offsite power is available (Support State 1) the unavailability of both trains due to random failures is 6.3 x 10-6 and that due to conunon cause is 3.6 x 10-6, 1.4.12 Low Pressure Recirculation System
System Description
1 The low pressure recirculation system is an engineered safeguards system which is designed to provide long-term core coverage and decay heat removal following a medium or large LOCA.
The low pressure recirculation system becomes functional in the latter phase of a LOCA. The system is designed to operate in two modes, spray mode and safety injection mode. The system takes suction from the containment sump and pumps it through coolers (cooled by service water) to the contanment recirculation headers (spray mode) and/or to the reactor coolant system l (safety injection mode). The spray mode of operation is actuated automatically on high-high containment pressure. The safety injection mode of operation is actuated manually from the main control board. The system then remains in long-term operation after an accident until terminated by administrative control.
System Fault Tree The fault tree was developed in accordance with the system success criteria which require delivery of coolant flow from one containment i
recirculation pump to at least one intact reactor coolant loop following a large or medium LOCA.
C 3 - 102 l
_ . _ _ _ _ . . _ _ _ _ , _ _ _ _ _ _ ~ . _ _
n .
--n,.,,_
i
[
Operator action is required to isolate flow to the spray headers, secure the refueling water storage tank (RWST), and align valves for injection to the reactorcoolantsystem(RCS). These operator actions have been explicitly modeled in the fault tree.
The low pressure recirculation system fault tree was quantified for two cases in order to represent the effects of the eight support states. Case 1 addresses situations in which both trains of ac power are available and corresponds to support states 1 and 5. Case 2 addresses situations in which only one train of ac power is available and corresponds to support states 2 and 6. For cases corresponding to support states 3, 4, 7 and 8 the low pressure recirculation system is unavailable. Table 3.4.12-1 summarizes the calculated unavailability of this system for each of the eight support states.
The calculated system unavailability for case 1 is 3.0 x 10-3 Common cause failure is the dominant contributor and accounts for 18 percent of the total unavailability. The dominant random failure contributor was found to be plugging of the service water motor-operated butterfly valves. Coincident failure of these valves accounts for 6 percent of the total system unavailability. The remaining unavailability is made up of hundreds of two-element cut sets.
The calculated system unavailability for Case 2 is 4.9 x 10-2 Of this approximately 26 percent is due to the single failure of a motor-operated service water isolation valve on one of the containment cooling heat exchangers. The unavailability of this valve is the result of flow tests l during refueling. Local faults of other valves account for an additional 33 percent of system unavailability.
Contributions from test and maintenance, common cause failure and human error were included in the system fault tree.
Coments No significant problems were found regarding the accuracy, completeness
- and validity of the fault tree analysis for the low pressure recirculation ,
system.
3 - 103
7 Table 3.4.12-1 Low Pressure Recirculation System Unavailability Results u
Support State System Unavailability (failure / demand) 1 3.0 x 10-3 ,
4 l 2 4.9 x 10-2 .
i 3 ,
1.0 4 1.0 1 5 3.0 x 10-3 6 4.9 x 10-2 1 7 ,
1.0 8 1.0 i
1 1
1 i
C 3 - 104
3.4.13 High Pressure Recirculation System
System Description
High pressure recirculation is an operational mode in which the charging and safety injection pumps are aligned in series, or " piggy-back operation",
with the containment recirculation system (CRS) pumps. These engineered safeguards systems act to maintain long-term reactor coolant system inventory while removing decay heat during recovery from a small or medium sized LOCA.
The recirculation pumps take suction from water in the containment sump and pump it through heat exchangers to the suction of the high pressure pumps, which inject to the RCS. Alignment of valves and starting of the low pressure pumps is performed manually at the main control board when indications of low-low RWST level and automatic shutoff of the RHR pumps are received.
System Fault Tree The fault tree for the high pressure recirculation system (HPRS) was used to calculate its unavailability in terms of the system success criterion.
This criterion specifies that coolant flow be delivered to two of three intact reactor coolant loops from one of four pumps (two charging pumps and two HPSI pumps) by taking suction from one of two recirculation pumps. Component unavailability for system operation was analyzed for the initial phase of coolant recirculation following a LOCA. The analysis assumed a total run time of twenty-four hours just prior to recirculation switch-over to the hot legs of the reactor coolant system. The analysis also assumed successful operation l of the HPSI pump during the injection phase of emergency core cooling.
Operator action is required to initiate H.P. injection recirculation flow. The operator has to isolate flow to the spray headers from the two recirculation pumps and align the discharge of these pumps to the suction of the charging and safety injection pumps. This is accomplished by opening isolation valves in the cross-connect lines that link the suction lines of the i charging pumps with those of the safety injection pumps. At the same time, l 3 - 105
_ ___________.._____..L___
l the operator must close isolation valves that tie the suction of these pumps 1 to the refueling water storage tank (RWST). The closing and opening of the isolation valves by the operator was modeled in the system fault trees. l The HPRS system fault tree was quantified for two cases in order to represent the effects of the eight support states. Case 1 addresses ,
situations in which both trains of ESF ac power and both trains of service water are available and corresponds to support states 1 and 5. Case two addresses situations in which only one train of ESF ac power is available and corresponds to support states 2 and 6. The HPRS is unavailable in support ,
states 3, 4, and 8. Table 3.4.13-1 sunnarizes the calculated unavailability of the HPRS for each of the eight supprot states.
The calcualated system unavailability for case 1 is 5.85 x 10-3 per demand. Common cause is the dominant contributor, making up approximately 30 percent of the total. Random failures of motorized valves in the service water system is the next most dominant contributor. At least one of these valves must open to admit service water into its associated containment i
recirculation cooler. Coincident failure of both valves failing closed accounts for 3 percent of total system unavailability. Mechanical failure of either valve coincident with failure of some other HPRS component accounts for i an aoditional 10 percent of total system unavailability. The remaining i unavailability is made-up of hundreds of two element cut sets.
The calculated system unavailability for case 2 is 5.84 x 10-2 per l demand. Approximately 19 percent of the total is due to the single failure of a motor-operated service water isolation valve on one of the contanment ,
l cooling heat exchangers. An additional 32 percent of system unavailability is due to failure of any one of seven motorized valves in the system to change j state to its required accident position. The residual system unavailability i
is made up of other single component random failures including failure of the containment spray pump to start and run and failure of an operator to open two motorized valves.
[
C 3 - 106
.=
l i
Comments on the HPRS System Fault Tree In general, the fault tree for the HPRS system was accurate, complete and valid. Nonetheless, there are some potential problems concerning the assumptions made in the common cause calculations. These assumptions require scrutiny since comon cause is a major contributor to system unavailability.
The common cause failure analysis for the HPRS system required an understanding of which permulations of components (or trains) are common and which are diverse. In order to carry out the analysis the PSS makes the following asumptions regarding the commonality of components:
- 1. The HPSI pump trains are claimed to be diverse from the charging pump trains because the charging pumps are operating type pumps whereas the HPSI pumps are standby type pumps. It is not clear why this makes them diverse.
- 2. Motor-operated gate valves (MOGV) are assumed to be connon.
- 3. Motor-operated globe valves (MOGLV) are assumed to be common.
- 4. Motor-operated butterfly valves (MOBV) are assumed to be common.
- 5. Motor-operated gate, globe and butterfly valves are assumed diverse from each other.
- 6. No comon cause potential is assumed to exist between containment recirculation pumps and either HPSI or charging pumps because of the significant differences in the pump design. However, this assumption does not recognize such things as common environment or common maintenance errors.
- 7. No common cause potential is assumed to exist for redundant pairs of check valves failing to open in high pressure systems. Licensee event reports indicate that this may not be the case.
l I
3 - 107
- i Table 3.4.13-1 High Pressure Recirculation System Unavailability Results Support State System Unavailability (failure / demand) 4 i 1 5.85 x 10-3 2 5.84 x 10-2 3 1.0 4 1.0 5 5.85 x 10-3 6 5.84 x 10-2 i
7 1.0 8 1.0 1
1 I
i i
3 - 108
. , . n . . n, .,
a 4
. 1
- 8. The contribution to conunon cause failure due to plugging of the sump screens was assumed to be negligible when compared to other conunon cause contributors.
In general no supportive basis was given for these assumptions. Several of these assumptions are questionable. In particualr, consideration should be given to common cause failures in check valves. The most likely cause for such failures would appear.to be corrosion effects or design defects both of which are potentially conunon cause effects. Such a problem has been found on at least one occasion.
3.4.14 Containment Recirculation Spray Sygem
System Description
l The containment recirculation spray system is designed to provide long term removal of heat from the containment atmosphere following a LOCA or steam line break inside containment. This system operates in conjunction with the quench spray system to restore the containment to subatmospheric pressure.
The containment recirculation spray system consists of two 100-percent capacity trains which are each connected to both of the ring spray headers inside containment. Each train has two of the following items: a normally open containment sump suction isolation valve, a recirculation pump, a heat exchanger, and a normally open spray header isolation valve. Pump operation and valve opening is automatically actuated on high-3 containment pressure after a five minute time delay. This delay is provided to ensure an adequate supply of water in the sump for pump operation.
1 System Fault Tree The system fault tree was used to calculate the failure to achieve the l system success criteria which is to deliver sufficient recirculation flow to 1 of 2 containment spray headers.
~
i 3 - 109 t
i The effects of test and maintenance and common cause are considered in the fault tree model. The analysis assumes that testing will not contribute /
to system unavailability of the containment recirculation spray. This is based on the observation that sufficient time will be available, between the onset of an accident and the time when the system is actually needed, for an operator to remove a component from test and place it in the required c operating mode. The only maintenance included in the system fault tree is that of the recirculation pumps. Connon cause failures are modeled using the Binomial Failure Rate Model.
The system fault tree was quantified for two cases in order to represent the effects of the eight plant support states. Case 1 addresses situations in which both trains of ac power are av;silable and corresponds to support states 1 and 5. Case 2 addresses situations in which only one train of ac c power is available and corresponds to support states 2 and 6. The Containment recirculation spray system is unavailable in Support States 3, 4, 7 and 8.
Table 3.4.14-1 sunnarizes the calculated unavailabilities of the recirculation spray system for each support states.
In case 1 the dominant contributor to system unavailability is common cause, accounting for 28 percent of the total. The dominant random failure contributor to system unavailability was found to be local faulats resulting in plugging of service water motor-operated valves. Coincident failure of these valves accounts for 8 percent of the total system unavailability. The residual unavailability is made up of hundreds of two element cutsets, such as failure of a plump in one train while a motor-operated valve in the opposite train fails to open.
l In Case 2 the dominant contributor to system unavailability is failure of i the service water containment cooler isolation valve, accounting for 34 percent of the total system unavailability. The large unavailability associated with this valve results from the length of the interval between flow tests. The valve is only tested during refueling outage.
l
~
l 3 - 110
_. __ .. _ . _ .v- _n -
+
3 .-
( .-
Comments on the System Fault Tree i
For the most part, the containment recirculation spray system fault tree was found to be accurate, complete and valid. Failure of this system when both trains are available is dominated by connon cause failures. However, in the discussion of connon cause failures in the PSS, the plugging failure of containment sprays was identified as a noncredible event and thus not included in the analysis. It is of concern that this exclusion was made without providing a qualitative or quantitative analysis which would indicate why
- connon cause plugging is not a contributor to system failure.
l l,
4 i
I i
i
- 0 3 - 111
4 Table 3.4.14-1 Containment Recirculation Spray System Unavailability Results Support State System Unavailability (failure / demand) 4 1 2.0 x 10-3 2 3.8 x 10-2 I
3 1.0 ,
1 4 1.0 5 2.0 x 10-3 6 3.8 x 10-2
! 7 1.0 i
8 1.0 l
l l
0 t
3 - 112
_ . _ _ - . _ _m _ _ . _ _ . -
) _
3.4.15 Service Water System l
System Description i The Service Water System (SWS) is a major plant support system. It cools a number of important emergency and normal system heat loads. The systems relying on the service water system for cooling include:
Auxiliary Feedwater Emergency Makeup Charging Pump Cooling System Containment Recirculation Coolers Containment Recirculation Pump Vent Units Control Building Chillwater Backup Control Building Air Conditioning Water Chillers ,
Emergency Diesel Generator Coolers Emergency Diesel Generator Coolers Emergency Spent Fuel Pool Makeup Lube Water to Circulating Water Pumps MCC and Rod Control Area Air Conditioning Units Post Accident Liquid Sample Cooler RHR Pump Vent Units RPCC Heat Exchangers Safety Injection Pump Cooling Service Water Pumps Lubricating Water TPCC heat Exchangers The Service Water System consists of two trains each of which contains an inservice pump and a standby pump. The standby pumps are blocked on the !
discharge side by normally closed motor operated valves. Each pump is used in the service mode 50 percent of the time and in the standby mode the remainder of the time. If an inservice pump fails, the drop in pressure downstream of i the pump is sensed and the corresponding standby pump is automatically started. The MOV downstream of the standby pump receives an opening signal as j well. )
l 3 - 113
i 4 .
s -
System Fault Tree The Service Water System Fault Tree was used to calculate the probability that the system fails to feed emergency loads. The fault tree model includes
- the effects of maintenance and cosmon cause failures on system unavailability.
Test unavailability was not modeled because there are no formal tests on the ;
system. Connon cause failures are modeled using the Binomial Failure Rate Model. The study identified no human errors that could significantly compromise system availability.
c The service water fault tree was quantified for four cases. These four cases and the calculated unavailability for each case is sunnarized in Table 3.4.15-1.
For cases 1 and 3 the dominant contributor to system unavailability is I
strainer plugging due to common cause. This failure is responsible for essentially 100% of the system unavailability in these two cases.
The dominant contributor to system unavailability for Case 2 is also strainer plugging, responsible for 30 percent of the unavailability. The j remainder of the unavailability is attributable to a number of random failure cut sets, none of which contributes msore than 8 1 percent to the total unavailability.
i The dominant cut set for Case 3 is the random failure loss of de control power to the pumps circuit breakers lwhich prevents both pumps from starting.
i This contributes 67 percent of the total unavailability. The residual unavailability is made up of many cut sets each of which contributes no more than four percent. Connon cause failure due to strainer plugging is responsible for four percent of the unavailability.
Connents on the Service Water System Fault Tree t
Our review of the service water system fault tree identified a number or concern regarding the accuracy, completeness and validity of the analysis.
These concerns are enumerated in the paragraphs below. ,
i 3 - 114
s, - - .- -- . . . - - -n,..
~
Table 3.4.15-1 System Unavailabilities for Service Water System Descrip. tion Unavailability (failure / demand)
Case 1: AC Power Available to Both Buses 7.44 x 10-6 Offsite Power Available to.Both Buses Case 2: AC Power Available to Both Buses 2.47 x 10-5 Offsite Power Available to Both Buses One Train of Service Water Available Case 3: AC Power Available to Both Buses 7.44 x 10-6 No Offsite Power Available Case 4: AC Power Available to One Bus 1.80 x 10-4 No Offsite Power Available One Train of Servcie Water Available 1
l l
i i
i i
l 3 - 115 i
i On Page 2.3.3.15-2, it is stated that the " potential diversion paths" to turbine plant and reactor plant component cooling heat exchangers are not ,
considered the SWS fault tree. They are stated to be included in the
" recirculation cooling system fault tree". It is not clear what " diversion flow" means, or its consequence. Further, there is no fault tree analysis provided for any system entitled " recirculation cooling". ,
It is stated on Page 2.3.3.15-2 that "significant potential for blockage ,
of the (SWS) strainers exists upstream of the service water pumpe". Indeed, strainer plugging was subsequently found to be the iaajor contributor to SWS i failure for Case 1, 2 and 3. However, on Pg. 1-D-4 (App. 1-D, Vol. 2), the common cause strainer plugging failure was ruled out, apparently based on (1) automatic backwash capability, (2) high pressure differential alarms in the control room, and (3) greatly reduced intake water flow should one train fail. The probability of total loss of the service water system was subsequently determined to be 8.68 x 10-12/hrinAppendixl-D(Pg.1-0-5).
However, the results in Table 2.4.15-1 indicate that the failure rate is 3.1 x 10-7/hr (assuming a 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time).
The SWS failure considered in Section 2.3.3.15 was only for the case where SWS is required after an accident has been initiated by other means. A 24-hour mission time was assumed, yielding a failure rate of (3.1 x 10-7/hr)
(24 hr) = 7.44 x 10-6 Actually, the mission time required could be much l longer sinca core cooling is needed for several weeks if the plant remains in a shut down condition following sustained power operation.
Anotner concern regards the failure to treat (SWS) failure as an initiating event in light of the fault tree results. If SWS fails, the plant would trip, and it appears the only available core heat removal system is auxiliary feedwater M there are no dependencies between SWS and AFS (see also Pg.1-0-5). While there appear to be no direct dependencies, this shoulr' be
- clearly demonstrated. For example, the SWS provides cooling for the component coolingsystem(perFig. 2.3.3.15.2-1) which in some plants provides cooling to AFS pumps, lubricating oil, or pump rooms. We did not identify dependencies of this type in mp.3.
' C 3 - 116
In any event, the possibility of SWS failure was considered in Appendix' l-0 and dismissed due to the extremely low probability (based on the 9.68 x 10-12/hrfailurerate)andindependencefromtheAFS. If the Section 2.3.3.15 failure rate of 3.1 x 10~7/hr is used, the annual failure probability is 2.72 x 10-2/yr. If the AFS is assumed to be independent of 4
the SWS, the core melt probability would be:
(2.71 x 10-2)(6.8 x 10-5) = 1.8 x 10-6/yr.
This result would not be a dominant contributor to the core melt probability (total = 4.5 x 10-5), but it could be to latent fatality risk, although it is doubtful if the number of latent fatalities could approach the number computed for the V-sequence with a probability of 1.9 x 10-0/yr. This assumes, of course, that there are no SWS-AFS dependencies, and that the AFS failure probability is correctly assessed in Section 2.3.3.5. As indicated i previously, the AFS failure probability appears optimistic, especially early in the plant operating life.
1 Also at issue in this asssessment is the choice of a realistic valve for service water failure given the substantial difference between the results in Appendix l-0 and the result in Section 2.3.15. In attempting to resolve this issue we reviewed a recent CRNL report on service water system events.(2) l In the ORNL report, 16 events involving nervice water systems were found, including two events involving strainer plugging, during the January 1979 f through June 1981 time period. In one case, total loss of service water did l occur, but the function was eventually restored by use of other systems. The
- clogging whether or not self-cleaning mechanisms are used. These results would tend to indicate a failure rate closer to the Section 2.3.3.15 value l than Appendix l-0. Thus, since the service water system cools a large number
- of normally operating and emergency equipment, sustained SWS failure could initiate a core melt if either auxiliary feedwater fails independently of a l reactor coolant pump seal LOCA occurs as a result of the SWS failure (see Section 3.6.2 for additional discussion).
l l
r 3 - 117 i
o
_ (
3.4.16 Vital DC System The fault tree was not formally included in the main text of the Millstone PSS. However, a fault tree for this system was developed in Appendix I-E for input to the initiating events analysis. We are reviewing this system here because it is an important support system for the loss of 4 offsite power and because the results of the vital de fault tree are u nd in other fault trees as a basic event.
Syr, tem Description q The vital de buses provide essential de loads to normal and safety related equipment. The dc power system has 6 separate systems -- two normal de power systems serving nonsafety related loads and four Class IE de power j systems serving safety related loads.
The Class IE de power is divided into four separate channels. Two channels are devoted exclusively to supplying power to an associated 120 ac vital bus, VIAC-3 and VIAC-4, in the event of a loss of power on these buses. The other two channels, in addition to being able to supply vital 120 ac buses VIAC-1 and VIAC-2, also supply other safety related de loads. The redundancy of the system is such that modeling the failure of the two de buses supplying VIAC-1 and VIAC-2 essentially corresponds to a model of the f ailure of all de power.
The class IE 125V dc power system equipment for each channel consists of one operating battery charger, one spare battery charger shared by two channels of the same train, one 125V de battery, and one distribution switchboard. On each of the two channels that also supply other safety related de loads, additional distribution panels are included. Figure 3.4.16-1 provides a simplified line drawing of the vital dc bus 125-VDC-1 that was used for the system fault tree.
The source of power to each of the four Class IE 125V dc bus channels is supplied from either its associated battery charger or battery. The battery charger is powered by the emergency 480V buscorresponding to that train. Each 3 - 118
~ - -
1 l
set of two 125V dc buses has one spare battery charger to serve as a backup for the two operating battery chargers. This spare battery charger is connected to both buses of the set through normally opened circuit breakiers, which are key-interlocked to prevent inadvertent interconnection of both j emergency 125V de buses. The spare battery charger is powered from the associated train emergency 480V ac bus.
System Fault Tree The system fault tree model was used to quantify the frequency of failure of a single dc bus and the frequency of total de power failure. The fault tree model including the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission failure rates is shown in Figure 3.4.16-2. The fault tree calculation provided a failure probability of 5.36 x 10-6/ day for losing a single bus. The fraquency of losing any one of the ,
two most critical DC buses (125 - VDC-1 and 125 - VOC-2) was quantified by
- doubling the failure probability of a single bus. This gives a failure frequency of 3.91 x 10-3/yr for losing cae of the two critical buses.
The frequency of losing the entire vital de power system was defined in the Millstone PSS as the frequency of losing a second vital de source given that the other vital de source is already in an unavailable state. This failure rate is ca,1culated using a time-dependent reliability model which includes a time-dependent recovery model. The recovery model assumes there is a 0.34 probability that a single channael will be recovered within 20 minutes and probability of 1.0 that a single channel will be recovered within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. The calculated frequency for losing all dc power is 1.4 x 10~0/yr.
This model treated the two channels as completely independent. No allowance was made for comon cause f ailures. In addition, the system fault tree for vital de does not account for unavailability due to test and maintenance or I human error. The exclusion of these factors limits the utility of the fault tree for estimating the frequency of damge states initiated by vital dc failures. Because of the modeling uncertainty involved in the vital de fault tree, it is possible that vital de failures could be a significant but unquantified contibutor to core melt.
3 - 119
9 .,7 .
^' '
h ,
t > ,
l a
~ Comments on the Vital dc Fault Tree i
Our review of the de fault tree revealed potentially significant problems .
regarding the accuracy, completeness and validity of the system fault tree.
These concerns are enumerated in the paragraphs below.
Our major concern involves the failure of the fault tree to model the ;
unavailability on demand, given that there has been a loss of offsite poser.
The fault tree (figure 3.4.16-2) models the availability of dc power given that ac power is available in the vital ac. The structure of the tree does not allow the determination of dc unavailability given loss of offsite power.
l During the first few seconds of this event the portion of the vital de system that includes the batteries and the components that transmit power from the dc bus to the vital ac bus and the EGLS is a crucial subsystem whose failure could rapidly lead to potentially serious damage states (see Section 3.4.4).
Another issue is the optimistic treatment of the failure rate for both de l channels. Two rather speculative assumptiens lead to a result of 1.4 x ,
10-8/yr which is quite low for the frequency of losing the entire dc system. One assumption is that there is no allowance made for common casse failures in the dc system. The second involves rather optimistic value for the recovery of a single channel once it has failed. In our view, a more i realistic value for the failure rate of the two safety-related de channals l would be on the order of 10-5 However, becasue of the limits on the scope i
of our review, we were not able to requantify the damage state frequencies l using this value.
l l 3.4.17 General Comments Regarding the Millstone 3 System Fault Trees In the preceeding subsections, we have provided a review of the systems i descriptions and system fault trees from the Millstone 3 PSS. In general we have found the fault trees to be accurate, complete and valid. Never the less, as was stated at the outset, there are some notable exceptions and these have been identified and discussed system by system. In addition to our system specific comments we have also developed a number of general comments that apply to the system analysis in general. These consnents are taken up in the paragraphs below. c 3 - 120
125V D.C . 125 -V DC - I
[] BATTERY INVERTER 1 CHAR GER -
l VITAL AC BUS 120 -V AC - l .
4 i
125V DIST. PANEL i
[] [] [] []
i i
RP55 I D.C . DIST.
PNLS l
- F-~
7 i 1 , , , , I
! I i 1
I _ _ _ _ l I _ _ _ _ i
- I __ __ __ __
[
! I MCC I I !
I I j L_ 34C SWGR CONTROL POWER j l
1 i
I l
i l
[ Figure 3.4.16-1 Simplified Diagrau of Vital DC Bus 125-VDC-1 l
3 - 121 l
L_
._ l s
Le*O D.C. PWR TO CNTL CNT ~
FOR RPS (h GDCRPS*F I I ,
D.C. DIST. PNL BUS FAULTS L /O D.C .
BKR OPENS . ON DIST. POWER FROM
, PRE M ATURELY PNL MAIN BUS CDCBRKOP CBUSPNLF th GMBUSDCF 9.lX 10 -7 i.75X 10 -6
.~
l l TIE BKR FROM M AIN D.C. L/O D.C.
MAIN BUS OPENS BUS FAULTS POWER ON PREMATURELY MAIN BUS CTBKR*OP CMDCBUgF be CDCMBUSF 9.lXIO *7 1.75X IO - , , , ,
l BATTERY B'ATTERY CHAR GER FAILS FAILS CBATCHRF CBATTRYF 7.7XIO -4 2.4XIO -5 l
l Figure 3.4.16-2 Fault Tree Model of Loss of Vital DC Bus l
3 - 122 i
I 3 -
l In general, we found system hardware and operational mode descriptions to be inadequate. Pump capacities, water source capacities, and power requirements are generally not provided.. System success criteria are not always complete and nomenclature is sometimes inconsistent.
4 The report gives almost no consideration to time-dependent failures. The problem of higher system failure rates that are experienced early in the plant life (" wear-in" failures) is not addressed in the report. An example of particular relevance in this regard is the auxiliary feedwater (AF) system.
The NRC has determined that well-designed, mature AF systems may have failure rates as low as 10-5 per year, while newer systems may have failure rates as high as 10-3 per year.
A mission time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> was assumed in the determination of system success. This value appears to be adequate for many systems. Nevertheless, it should be recognized that forced-convection cooling may be required for several weeks after shutdown to remove decay heat. This means that some systems, such as the RHR system and the Service Water System, may be needed for extended periods. Appendix 1-A briefly considers accidents initiated from shutdown, but failure of heat removal systems is not included. The neglect of this issue deserves note as potentially limiting the completelness of the analysis.
Finally, many conservative assumptions were included in the systems analysis. Several of these are described on pages 2.3-3 and 4 of the i Millstone PSS. We have not focused on these assumptions in our review nor have we attenpted to quantify their impact on the results. Nevertheless, it is important that we acknolwedge their existence.
References for Section 3.4 (1) Wear-in Swing Check Valves, Pea r Reactor Events, USNRC, Vol. 4, No. 1, May, 1982.
(2) Evaluation of Events Involving Service Water Systems in Nuclear Power Plants, NUREG/CR-2797, J. A. Haried, ORNL, November 1982. j 3 - 123 I 1
l l
3.5 HUMAN FACTORS l
I l The PSS considered a number of human actions in the analysis of Millstone
! Unit 3. These can be generally categorized into two' types: actions in
- response to accident conditions and actions related to the unavailability of l an individual component. Actions of the first type were included in the event ,
trees. There are several different kinds. The major actions were direct operator response in accordance with procedures to diagnose the plant conditions and perform the necessary actions to assure the performance of each safety function. Such included manual backup actuation of systems as ,
l ,
required, which was included in the quantification of the top event to which l
it applied, and recovery of failed systems where possible, which was added to the event sequence analysis in a special additional step following the initial quantification.
Human actions of the second type are actions related to the unavailability of an individual component, due either to a failure to restore a component to service following test or maintenance, or to an error of omission or connission in the operation of a component in response to an accident. These actions were modeled directly in each system fault tree and were thus part of the system unavailability. We have reviewed the human factors analysis and have concluded that it was generally performed in a reasonable and consistent manner in keeping with the methods suggested in the NREP Procedures Guide, NUREG/CR-2815. A few things which should have been analyzed differently are discussed later in this section. In addition, it was necessary to add three operator actions to the analysis The need for these actions is discussed in Sections 3.2.1.1 and 3.2.2.2, and their quantification, when not obvious, is discussed in this section. The review results are shown in Tables 3.5.1 and 3.5.2. Where there is a number in the l
" Review Assessment" column of the tables, that number was used in any sequence requantification subsequently performed.
3.5.1 Operator Actions Modeled on the Event Trees The PSS assumed that essentially all of these actions are dominated by cognitive error as opposed to procedural error. That is, the failure of the ,
3 - 124
, _- n= _ _
~
operator to make the correct diagnosis of the plant conditions and determine.
correctly given that the diagnosis is made. In general, this appears to be a sound assumption. Although there are no specific procedures for this plant.
the Westinghouse Emergency Procedure Guidelines which pertain to these actions were reviewed, and run-throughs of selected operator actions were performed with plant operators in the control room. Almost without exception, the manipulative actions which the operator is required to make are simple, few in number (usually from 1 to 4), and are performed on no more than two control panels using indicators which are also on those panels. These observations support the assumption that cognitive errors are dominant. The PSS generally utilized the cognitive error model in the NREP procedures guide for quantifying these errors, although there are some exceptions. The following sections discuss these differences. The time frames allocated to perform the various operator actions were also reviewed, since these form the basis for obtaining the quantitative values from the cognitive error model. These time frames are in keeping with those used in previous PRAs, which have shown that most operator responses are required in the 20-30 minute time frame. Those events in the PSS with shorter or longer time frames appear to be reasonable.
The PSS and review values for these events are shown in Table 3.5.1.
3.5.1.1 Operator Action 0A-1 The correct value for this event from the NREP guide is 1E-1. The PSS value used appears to be simply a data transposition error.
3.5.1.2 Operator Action 0A-8 The PSS value of IE-2 for 0A-8 is not consistent with the value from the NREP guide. The NREP value of lE-3 should be used instead, because this event is inoependent of other events on the tree and there is ample time (> 60 min.) to perform the action. No review is required for associated action 0A-8' because it was rejected in the event tree review in Section 3.2.2.5.
O 3 - 125
_ d 3.5.1.3 Operator Action OA-9 The PSS modified the NREP value because the operator even though he has thirty minutes to diagnose the location of the LOCA, even though he only has ten minutes from the time quench spray fails until he must override the recirculation signal. This modification is considered to be unjustified since j the cognitive error model is not based on the time from the start of the event. It is based on the amount of time the operator has to diagnose a situation from the onset of conditions which would tend to lead him to the diagnosis. In this case, review of the Emergency Procedure Guideline shows ,
that the diagnosis of, and response to, this situation begins with the occurrence of the CDA signal followed by the continued increase in pressure resulting from the failure of quench spray. The unmodified NREP value of SE-1 should be used for this event. ,
3.5.1.4 Operator Action OA-2-E This new action (see Section 3.2.1.1) is assumed to be procedural in nature as opposed to cognitive, because it results not from misdiagnosing the situation, but rather from the improper performance of the procedure. This procedure is the exception to the rule that operator actions are simple.
Review of the guideline for this procedure indicated that it could be quite complex. This error is considered recoverable, however, based on the feedback provided to the operator through the procedures. The NREP screening value of lE-3 for procedural errors with recovery possible has been assigned to this error.
3.5.1.5 Operator Action 0A-6-E This new action (see Section 3.2.1.1) is somewhat unique in that it actually consists of two separate but related cognitive errors. The first error consists of the operator misdiagnosing the initial plant condition and initiating operator action OA-6. The second cognitive error consists of the operator failing to diagnose his first error and reversing his action. This action has been evaluated using the NREP model for congitive errors as applied to both of the errors involved in 0A-6-E. The first error is evaluated to be 3 - 126
-m - _
equal to the probability of failing to perform OA-6 in 30 minutes. That is,-
the error of failing to perform OA-6 is nominally equivalent to the error of performing 0A-6 when not required. The 30 minute time frame is chosen because ;
it represents the best estimate of operator response time for .the OA-6 <
! actions, which gives a failure probability of lE-2. The actual time frame the operator will believe he has will depend on exactly what he misdiagnoses the plant conditions to be. Once he has performed this action the cognitive error
" clock" starts again. And the operator has a certain amount of time to interpret the information feedback from the control room instruments. The i
review estimate of this time is on the order of 30 minutes. This was chosen because 30 minutes was used for other similar actions, that is, actions which represent the actuation of systems to restore the core cooling function, e.g.,
0A-1, 0A-3, OA-4, and 0A-7. The NREP cognitive error value for failure to act within 30 minutes is lE-2. Thus, the total probability of error becomes the probability of misdiagnosing the situation and performing 0A-6 times the probability of failing to recognize the error, or:
P(0A-6-E) = P(0A-6) x P(FTR/0A-6) = .01 X .01 = lE-4 3.5.1.6 Operator Actions in RT-3 and RT-4 The PSS used a value of lE-2 for the failure of the operator to act to m'anually scram the reactor within the first minute of an initiator. This value is substantially lower than the NREP value, which assumes no action is i
possible within the first minute. However, the use of this value for this particular action is judged to be reasoncble. As stated in the PSS, the
.i operator is highly sensitized to the need to hit the manual scram button following a trip signal. Additionally, we note that the cognitive error model is a tool for estimating the probability of proper diagnosis of a situation.in ;
a given time frame. In this case, no diagnosis takes place. The operator merely automatically responds to an annunciation of a trip condition without !
any attempt to determine the whys and wherefores. The action is instinctive as opposed to cognitive. Thus, that the estimate of one failure in 100 demands is judged to be a reasonable, if not conservative, estimate of failure to perform this action.
O
, _ _ -3127_ _ . . _ _ _ _ . _ _ . - _ . _ _ _ _ _ . . _ _
l d
3.5.2 Operator Actions Modeled on the Fault Trees r
The PSS included two generic types'of operator errors in the fault tree analysis, errors in response to accidents and errors in failing to restore components after test or maintenance acts. These errors are shown in Table 3.5.2 with the human error probabilities used in the PSS and the results of 4 our review of these values.
3.5.2.1 Failure to Restore Following Test or Maintenance The PSS evaluated these errors using the THERP methodology from NUREG/CR-1278. The use of this methodology is considered inappropriate for this analysis. The THERP system quantifies procedural errors by a detailed analysis of the procedural and decision-making steps the operator must follow in the course of performing a specific act. It was not possible to do this for the PSS since there are no actual procedures available for Millstone.
Therefore, the PSS designed its trees based on their perception of what the procedures would be like. In doing so, they did not rigorously model all of the steps the operator has to deal with. Even if it had been possible to do this, a simpler screening calculation is more easily justified. A reevaluation of these errors was performed using the IREP methodology described explained in the Millstone 1 IREP study (NUREG/CR-3085). A full discussion is not necessary here, but the expression for unavailability reduces to:
P(Error) = P(error per act) x (frac +. ion of time error exists) time between status checks
= (0.01) x time between manipulations The calculation for errors numbered 2 and 3, which pertain to monitored components checked each shift (every 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />), is straightforward and is performed for components manipulated monthly and quarterly, which should suffice for most ESF components. The results are:
l P(monthly) = (0.01) x (8 hrs / 720 hrs) = lE-4
- P(quarterly) = (0.01) x (8 hrs / 2160 hrs) = 3E-5 l
3 - 128 I
~
- "**e l The calculation for error number 1, which is for unmonitored components, must be made on a per component basis using reasonable assumptions regarding the
~
ratio of checks to manipulations. The conservative screening value of 0.01 could be used as a scoping value. s 3.5.2.2 Errors in Response to Accident Conditions The PSS used the screening value for procedural errors with recovery potential from the NREP guide (lE-3). This value is reasonable, but it is noted that there may be errors which fall into this class for which there is no recovery potential. For example, failing to open a pump suction valve prior to starting a pump may result in irrepairable damage to the pump in a very short time period, resulting in no chance for recovery. Each error so modeled in the fault trees must be evaluated individually to determine if recovery is viable. If recovery is not possible, the NREP screening value of iE-2 should be used.
(
I W
3 129
- -e
- 4 f ~~
TABLE 3.5.1 HUMAN ERROR PROSA81 LIT 1[5 FOR OPERATOR ACTIONS IN EVENT TREES Operator Applicable Time Dominant Human Error Review
, Action Event Trees or Analysts Available Failure Probability Assessment GA-1 ET03, ET15 30 C 1 x 10-2 OK OA-l' ET02 20 'C 2 x 10*I IE-1 (see Sec. 3.5.1.1)
GA-2 ET03 ET15 N 30 C 1 x 10-2 OK s
04-3 ET03, E706 ET15 30 C 1 x 10-2 OK OA-4 ET04 30 -
C 1 x 10-2 OK -
GA-5 E704 10 C 5 x 10-1 OK QA-6 ETOS
' Support States 1, 5 30 C 1 x 10-2 OK Support States 2, 3, 4, 6 60 C 1 x 10-3 OK QA-6' ET36. ET13 Support States 1, 5 20 C 1 x 10-1 OK ',
Support States 2, 3, 4, 6 30 C 1 x 10*2 OK QA-7 ET07 - ET21 (ET14A) 30 C 1 x 10-2 OK 0A-7' ET148 30 C 1 x 10-2 og 0A-8 ET22 60 C 1 x 10-2 IE-3 (see Sec. 3.5.1.2) 04-8' ET22 10 C 1 x 10*I NA (see Sec. 3.5.1.2) 04-9 ETIS 10 C 1 x 10*I K-1 (see Sec. 3.5.1.3) 0A-10 60 C NA 1E-3 (NREP)
OA-2-E NA P NA 1E-3 (see Sec. 3.5.1.4)
OA-6-E 30 C NA 1E-4 (see Sec. 3.5.1.5)
RT-3 ET22 1 C 1 x 10-2 OK RT4 ET22 1 C 1 x 10-2 og R-1 ET01'- ET04 60 C 1 x 10-3 OK R-2 ET02 - ET15. ET22 60 C 1 x 10-3 OK 05' ET148' 60 C 1 x 10-3 OK E5F ESF Recovery, Section 2.2.6 30 C 1 x 10-2 OK 51 SI Recovery, Section 2.2.3.4 NA C 1 x 10-1 OK 581 Consequential 581, Section 2.2.3.5 30 C 1 x 10-2 og 580 Consequential 580, Section 2.2.3.5 30 C 1 x 10-2 OK 52 Consequential 52, Section 2.2.3.5 10 C 5 x 10-1 OK SEQ Fire Analysis, Section 2.5 NA P 1 x 10-3 ,_
HP-2 Recovery Analysis, Section 3.0 NA C 1 x 10-2 og OA 3 Recovery Analysis, Section 3.0 NA C 1 x 10-2 OK AFR Recovery Analysis, Section 3.0 60 C 1 'x 10*3 OK l c 3 - 130
e .-
i l
3 -
TABLE 3.5.2 - - - .
MMAN ERROR PROBABILITIES FOR FAULT TREE ANALYSIS HIMAN ERROR RATE l
of Error ' Operator Error System Per Demand Assessment
- j
- 1. Omission Failure to restore a manual All ESF 1 x 10*4 0.1 x Time t man tons valve to normal position Systems 'N After test or maintenance act.
- 2. Omission Failure to restore a setor- All ESF 1 x 10-5 1E-4 (monthly) driven pusy or an air or Systems 3E-5 (quarterly) motor operated valve to normel position after test or maintenance act.
- 3. Omission Failure to restore an A11 ESF 1 x 10*I 1E-4 (monthly) alarmed motor-driven pusp Systess 3E-4 (quarterly) or an air or motor operated valve to normal position after test or maintenance act.
4 Procedural Error of omission / commission All ESF **1 x 10-3 OK (see Sec. 3.5.2.2)
Error /With in operation of air-or Systess Recovery motor-operated valve required for accident mitigation. -
5 Procedural Error or omission / commission All ESF **1 x 10*3 OK (see Sec. 3.5.2.2)
Error /With in operation of motor- or Systema Recovery turbine-driven pump required for accident mitigation.
- See Section 3.5.2.1
- Data Source: NREP - U.S. Nuclear Regulatory Cossnission.
- National Reliability Evaluation Program (NREP)
Proce'dures Guide " NUREG/CR-2815 BNL-NUREG-51559 Review Draft, June 21, 1982.
l l
l O
3 - 131
m __ _ -- -- -
3.6 Failure Data This section presents the results of a review of the failure (and ]
l unavailability) rates used in the MP-3 PSS. The review consisted of: (1) a l comparison of the individual random component failure rates with similar rates from other sources, (2) a review of the system failure probabilities and ,
unavailabilities, and (3) a review of the common cause failure assessment.
These subjects are considered in separate subsections, following.
3.6.1 Random Component Failure Rates ,
. It should be noted that most of the MP-3 PSS component failure rates were, according to the MP-3 report, derived from a data base for Millstone-3 which was developed by Westinghouse Nuclear Technology Division (WNTD). This. data base is described as proprietary, was not provided as part of the MP-3 PSS documentation, and was not included in this review. The data are stated (pg. 2-A-2) to be based extensively on Westinghouse nuclear plant experience which covers the time period of 1972 through 1981 and contains over "200 years" (we assume this should be 200 reactor-years) of plant operation.
The use of a data base derived extensively from Westinghouse operating plants can provide valid component failure rates for the Millstone-3 plant.
4 However, use of such data does not necessarily assure that the derived rates are applicable to MP-3, nor can it be concluded that this data base is the most applicable of the available data. Most safety system components are procured by the architect-engineer and are not the direct responsibility of the vendor. Thus, Westinghouse plants can have a variety of components supplied by different manufacturers with different procurement specifications and different failure rates. One of the most significant parameters j influencing component failure rates is the manufacturer of the component.
The MP-3 PSS random component failure rates are given in Appendix 2-A, Section 2, Volume 6. This Appendix also provides the assumptions which were used in deriving the rates. These assumptions were reviewed, an'd the following comments were developed. Each coment includes an assessment of the influence of the discrepancy, when appropriate. 0 3'- 132
-..9 e--.e, w ,,-- * , - -- . , - - - , -,
I 1
l . 4
- \
I i
i 1. Pg. 2-A Under subsection A.2.1, it is stated that, for the purpose of deriving a failure rate for motor-driven auxiliary feedwater pumps, "It was assumed that the ' fails-to-operate' failure rate would be similar to ,
tha't for pumps classified as alternating pumps; i.e., component cooling and service water pumps. These alternating pumps are assumed to operate l
50 percent of the plant operation time." This statement implies that one of the motor-driven auxiliary feedwater pumps was assumed to be operating at all times that the plant was in operation. However, auxiliary feedwater pumps are actually used only during plant startup and shutdown, and on those relatively rare occasions when main feed-water is. lost, and when tested. Thus, this assumption is invalid and would produce an optimistic failure rate when used in conjunction with Equation 2-A-3, Pg.
2-A-3.
The influence of this assumption is not c pected to be great, since auxiliary feedwater failures are typically dominated by failure to start of multiple pumps. A further discussion of auxiliary feedwater failure is provided in Section 3.6.2 following.
- 2. Pg. 2-A The turbine-driven auxiliary feedwater pump, according to item 3.1, was assumed to operate 10% of the total plant operating time. This seems excessively long (876 hrs per year) for reasons stated in 1 above (and also since the turbine-driven pump cannot be used for startup) and would produce an optimistic failure rate.
1 For reasons stated in 1 preceding, this assumption is not expected to have a significant influence on the overall results of the PSS.
- 3. Pg. 2-A The containment spray pump failure rate (item 4.1) "...is derived from the ' fails during operation'. mode of the service water and component cooling water pumps." The meaning of this statement is not clear.
l The remainder of the review of random component failures consisted of comparing the rates provided in Tables 2-A-2 (fluid system components) and 2-A-3 (electrical / electronic system components) contained in Appendix 2-A, ;
3 - 133 l
4 Vol. 6, with other rates. The MP-3 PSS values in these tables were compared with the NRC-developed values as contained in the NREP(I) and IREP(2)
,procedure gu ides, and with values contained in the Zion PRA(3), a recent industry-sponsored PRA for a Westinghouse plant similar to MP-3.
Table 3.6-1 provides the quantitative comparison for fluid systems and j Table 3.6-2 for electrical / electronic systems. The first. column lists all the component types which were included in Table 2-A-2 of the MP-3 PSS, in the same order. The second column gives the system (s) for which the corresponding component failure rates were used, and the third column is the failure mode (s) ;
for the component. The next three columns provide the values used for the MP-3 PSS, NREP/IREP, and Zion PRA. The NREP and IREP values were combined since they are essentially identical. In a few cases, only IREP values (taken from Appendix C of the Millstone Unit 1 IREP study (4)) were available. -
These cases are. identified in the comments (last) column.
All values in Tables 3.6-1 and -2 are mean values. The IREP data, which are given as median values in Reference 4, were converted to mean values by using the conversion relationship in Appendix C of the NREP Guide (I) for loguniform distributions. The NREP/IREP values are also essentially identical to corresponding values used in WASH-1400. The NREP values are all given as hourly rates, while many MP-3 PSS values are on a demand basis. The NREP hourly rates were converted to demand rates assuming a monthly test interval.
Tables 3.6-3 provides a listing of the MP-3 PSS values which were significantly different from the NREP/IREP values. The measure of significance was somewhat arbitrarily selected as a f actor of 5. In other words, any MP-3 PSS value which was a factor of 5 greater or less than the NREP/IREP value appears in Table 3.6-3. It is considered that differences less than a factor of 5 are probably not significant in most, if not all, cases. The first column in Table 3.6-3 lists the component and failure mode, and the second column provides the factor of difference in terms NREP Value of the ratio . In other words, a column 2 value of 5 means that MP-3 PSS Value the failure rate used in NREP/IREP is 5 times greater than the corresponding 4
3 - 134
) Tabl3 3.6-1 -
- COMPARISON OF CtMPONENT FAILLNtE RATE DATA - FLUID SYSTEM COMPONENTS component rallure Failures per Hour or Demated Type System Mode _w-3 rss str/ Intr Lion PRA Comments
- b. Transfers 4.92E-7/hr IE-7/hr NG(I) '
Open
- 2. Check Valve All ESF Systems a. Failure to 3.20E-4/D 7E-5/D(M) 4.32E-5/D Operate on Demand
- b. Failure to 1.56E-5/hr 2E-6/hr 8.38E.7/hr seat
- 3. Spring Loaded All ESF Systems a. Premature 1.90E-6/hr NG 1.65E-6/hr Zion value Safety Valve Opening includes leakage
- b. Failure to 2.98E-3/D NG NG Reclose
- 4. Motor Operated All ESF Systems a. Failure to 2.6M-3/D 4E-3/D(M) 1.55E-3/D Valve except Cont. Spray operate on ar.d CVCS Demand
- b. Transfers 4.57E-6/hr 1E-7/hr 3.14E-8/hr Zion value includes Open excessive leakage
- c. Transfers 2.15E-6/hr 2E-7/hr NG Closed
- 5. Motor Operated Containment Spray a. Failure to 9.54E-4/D 4E-3/D(M) 2.26E-5/D(M) Zion value for all Valve Operate on motor operated Demand valves
. Open the same as item 4
- c. Transfers 2.15E-6/hr 2E-7/hr NG Same as above Closed O
3 - 135
- - - - - - . - _ , _ _ . . -. m. - -m Tabla 3.6-1 (Contirued) -
~~
CDMPAR150N OF COMP 0NENT FAILtftE RATE DATA - FLU:D SYSTEM COMPONENTS Lamponent ratlure ra1tures per Hour or Demend Type System Mode w -3 ras nutr/txtr Lion rxA Comments
- b. Transfers 4.30E-6/hr lE-7/hr NG Open
- c. Transfers 1.37E-6/hr 2E-7/hr 1.12E.7/hr Closed
- b. Fails During 1.69E-5/hr 1E-4/hr 9.87E-5/hr Run Operation
- 8. Motor Driven Safety Injection a. Failure to 1.34E-3/D 4E-3/D(M) 7.21E-4/D Fump Start on Demand
- b. Fails During 4.86E-5/hr IE-4/hr 1.55E-5/hr Run Operation !
- 9. Motor Driven Residual Heat a. Failure 1.34E-3/D 4E-3/D(M) 7.21E-4/D Pump Removal Start on Demand
- b. Fatis During 6.90E-5/hr 1E-4/hr 2.53E-6/hr Run Operation
- 10. Motor Driven Service Water a. Failure to 1.34E-3/D 4E-3/D(M) 7.21E-4/D Pump Start ori Demand
- b. Fails During 2.47E-5/hr 1E-4/hr 1/32E-6/hr Run Operation 4
i l
3 - 136
___-._. m_- __~__._m Tab 13 3.5-1 (Continued) -
~
COMPARISON OF COMPONENT FAILLRE RATE DATA - FLUID SYSTEM COMP 0NENTS component rasture ratiures oer nour or oemand Type System Mode w -J rss nutr/sntr Lion ruA Comments
- 11. Motor Driven Containment Spray a. Failure to 1.34E-3/D 4E-3/D(M) 7.21E-4/D Pump Start on Demand
- b. Fails During 1.69E-5/hr 1E-4/hr .1.5E-5/hr Run Operation
- 12. Turbine Auxiliary a. Failure to 2.58E-2/D 4E-2/D(M) 2.29E-2/D Driven Pump Feedwater Start on Demand
- b. Fails During 6.15E-4/hr 2E-5/hr 7.6M-6/hr Run Operation
- 13. Isolation Main Steam a. Failure to 4.6X-3/D 4E-3/D(M) NG MP-3 PSS value Valve Operate on assumed the same Demand as item 6
- b. Transfer 1.37E-6/hr IE-7/hr NG Same as above Closed
- 14. Heat Exchanger All ESF Systems a. External 1.00E-6/hr X-6/hr 7.1X-7/hr MP-3 PSS value Leakage stated te be from NREP
- b. Tube Side 8.50E-9/hr 4E-9/hr a(2)
Plugged (IREP)
- 15. Motor-Operated Chemical and a. Failure- to 5.74E-4/D 4E-3/D(M) 3.72E-3/D Valve Volume Control Jperate on System Demand
- b. Transfers 1.58E-5/hr IE-7/hr 3.14E-8/hr Zion PGA value Open includes excessive leakage
l c>
l 3 - 137
-m.-- . _. _
Tabla 3.5-1(Continued) -
COMPARISON OF COMPONENT FAILURE RATE DATA - FLUID SYSTEM COMPONENTS Geoponent Failure -Failures per Hour or Demand Type System Mode w -3 rss suiar/ Intr Lton rRA Comuments
- 16. Pipe Section All ESF Systems a. Ruptures / 8.50E.g/hr 4E-g/hr 8.6E-g/hr MP-3 P55 value stated W in Plugged to be from WASH-1400 diameter 4
>3" in Plugged diameter
- 18. Storage Tank All ESF Systems a. Ruptures 8.00E-10/hr 4E-10/hr NG MP-3 P55 value assumed the same as item 17 Ig. Flow / Metering All ESF Systems a. Ruptures 2.70E-8/hr 3E.8/hr NG Orifice
- b. Plugged 3.70E-4/0 2E-4/D(M) NG
- 20. Strainer All ESF Systems a. Plugged 1.00E-5/hr 3E-5/hr NG MP-3 PSS value stated to be from INtEP
- 21. Air Operated All ESF Systems a. Failure to 4.63E-3/D 4E-3/D(M) NG MP-3 PSS value Check Valve Operate on assumed the same Demand as item 6
- b. Failure to 1.55E-5/hr 2E-6/hr NG Same as above Seat
- 22. Air Operated All ESF Systems a. Failure to 4.63E-3/hr 4E-3/D(M) NG Same as above Three Way Bypass on Bypass Valve Demand
- b. Transfers 1.37E-6/hr 2E-7/hr NG Same as above Closed
- c. Transfers 4.30E-6/hr lE-7/hr NG Same as above Open 4
C 3 - 138
, , _ .. : .._,_-g.
l l
I
} Tabla 3.61_ (Continued)
COMPARIS0N OF COMONENT FAILLRE RATE 0ATA - FLUID SYSTEM COMPONENTS ,
l
~
ranure ran ures oer nour or pesane Type- . - - - . System Mode nr-s ru marnuar con rum Comeents
- 23. Butterfly All ESF Systems a. Failure to 2.64E-3/D 4E-3/D(M) M MP-3 P55 value Valve Operate on assumed to be the Demand .
same as item 6
- b. Transfers 2.15E-6/hr 2E-7/hr M Same as above Closed
- c. Transfers 1.52E-5/hr IE-7/hr NG j Open '
- 24. Valve Limit All ESF Systees a. Failure to 1.00E-4/D 2E-3/D(M) M MP-3 PSS value Switch Operate. stated to be '
Properly from NREP l
- 25. Valve Tocque All ESF Systems a. Failure to 1.00E-4/D 7E-5/D(M) M MP-3 P55 value Switch . Operate stated to be Properly from istEP
- b. Contacts 2.70E-8/hr 2E-8/hr M W -3 P55 value Short (IREP) stated to be from idASH-1400 NOTES and footnotes:
- 1. All NREP/IREP demand values were computed from hourly rates assuming monthly testing.
- 2. These cases are Some identified Zionby hourly (rates were converted to demand rates assuming monthly testing.
/0 M).
- 3. Zion PRA values are from updated, plant specific values given in Table 1.3.1-5 (Vol. 3).
(1) NG = cot give (2) s = negligible I
I l
l 3 - 139 l
-_ n. ~ - :
(
Tabla 3.6-2
' ~~
COMPAAISO4 0F COMPONENT FAILURE RATE DATA - ELEC1RICAL/ ELECTRONIC SYSTEM COMPONENTS l l
component ratiure Failures per Hour or Demand Type System Mode ~nr-3 rss inttr/IRgr zien PRA Comments
, Demand
! . b. Fails During NG X-3/hr 5.97E-3/hr '
i Run Operation
Power Close on Demand
- b. Failus a to 1.58E-4/D 4E-3/D(M)5.31E-4/D
- Open on i Dessad - --
- c. Transfers 1.52E-6/hr M-5/hr 2.32xE 7/hr Open
- 3. Main and AC Electrical a. Fails During 2.80E-6/hr 6E-7/hr 1.7M-6/hr Auxiliary Power Operation Transformer
- 4. ESF Auxiliary AC Electrical a. Fatis During 2.80E-6/hr 6E-7/hr 1.7X-6/hr Power Trans. Power Operation forner
- 6. Storage DC Electrical a. Fails During 1.00E-6/hr 2E-6/hr 7.61E-8/hr MP-3 P55 values Battery Power Operation stated to be from (WetCell) NREP
I e
l l
3 - 140
Tab 12 3.5-2 (Continued) - .
COWARISON OF COMPONENT FAILJRE RATE DATA - ELECTRICAL / ELECTRONIC SYSTEM COMPONENTS --
_ ri rallure ra11ures ser nour or pomano Type System Mode w-s ru marnur.r non ru Comments )
- 8. Metal-Enclosed DC Electrical a. Open Circuit 1.6E-8/hr X-8/hr NGII) '
Power b. Bus-to- 5.60E-8/hr M-8/hr NG Ground Short l
- 9. Metal-Enclosed AC Electrical a. Open Circuit 1.68E-8/hr X4/hr 1.91E-8/hr MP-3 PSS value Bus Pouer assumed the same as item 8
- b. Bus-to- 5.60E4/hr M-4/hr NG W -3 PSS value Ground Short assumed the same as item 8
- 10. Undervoltage AC Electrical a. Fails to 4.0X-6/D 1E-3/D(M)6.28E-6/D NREP/lREP value Relay Pouer Trip on based on solid Demand state devices
- 11. Overcurrent AC Electrical a. Fails to 4.DX4/D 1E-3/D(M) 6.28E4/D Same as above Relay Power Trip on Demand
- 12. Underfrequency AC Electrical a. Fails to 4.0X4/D 1E-3/D(M) 6.28E-6/D Same as above Relay Power Trip on Demand
- 13. Trip / Bypass Reactor Protection a. Falls to 3.38E-4/D 4E-3/D(M) 9.79E-3/D
- Breaker System Open on Demand 1
- 14. DC Master Reactor Protection a. Failure to 1.00E-4/D 1E-3/D(M) NG MP-3 PSS value Relay and ESF Actuation Operate on stated to be r
Demand from NREP i
- b. Contacts 1.20E-7/hr IE-7/hr 2.4X-7/hr MP-3 PSS value Transfer (IREP) stated to be Open from idASH-1400
- c. Contacts 2.70E-8/hr 2E4/hr NG Same as above Transfer Closed i
i i
7 I
S 3 - 141
Tabla 3.6-2(Continued) .
COpFARISON OF COMPONENT FAILURE RATE DATA - ELECTRICAL / ELECTRONIC SYSTEM COMPONENTS . _ _ _
E ;: :7. Failure ratiures per nour or pesana Type System Mode w-3 ras instriantr zion riut Comments
- 15. DC Slave ESF Actuation a. Failure to 1.00E-4/D 1E-3/D(M)NG MP-3 PSS value l Relay Operate on - assumed the same Demand as item 14 '
- b. Contacts 1.20E-7/hr IE-7/hr NG Transfer (IREP)
Open.
4 c. Contacts 2.70E-8/hr 2E-8/hr NG Transfer (IREP)
Closed
- 16. Control Cable / Reactor Protection a. Line-to-line 2.70E-8/hr 3E-8/hr 3.22E-6/hr MP-3 PSS value Wiring and ESF Actuation Short stated to be
-~. from IdASH-1400
- b. Line-to- 8.00E-7/hr IE-4/hr 7.52-6/hr Same as above Ground Short
, c. Open Circuit 3.70E-6/hr 1E-5/hr NG Smie as above
+
Relay Operate on assumed the same Demand as item 14
- b. Contacts 1.20E-7/hr 1E-7/hr 2.43E-7/hr Same as above Transfer (IREP)
Open
- c. Contacts 2.70E-8/hr 2E-8/hr NG Same as above
! Transfer (IREP)
Closed
- 18. AC Output ESF Actuation a. Fatiureto 1.00E-4/D 1E-3/D(M) NG Same as above Latching Operate on Relay Demand I
i J
k l
1 I
l 4
l I
O 3 - 142
. . . _ . . . . _ _ _ . . , . _, . _ _ _ _ . . . . , _ , , _ . . _ .-__..-._-.,,,_...,_.-._____.m.
. , . , _ _ . . , . _ - - . , _ , , ~ _ ~ _ . . _ . _ _ . _ _ _ , _ , _ , . . - . _ _ . . . . --
Tab 12 3.6 2 (Continued) ,
, COWARISON W CINFOIENT FAILURE RATE DATA - ELECTRICAL / ELECTRONIC SYSTEM COW 0ENTS . . .
- Failures per Hour or DeBano C :; Failure Type System Mode w-3 ras instriassar z1on rua comments 18.(Continued) b. Contacts 1.20E-7/hr IE-7/hr 2.43-7/hr MP-3 P55 value Transfer (IREP) assumed the same Open as item 14
- c. Contacts 2.70E-4/hr. 2E-8/hr. NG Same as above Transfer (IREP)
Closed
- 19. Control ESF Actuation a. All Modes 1.00E-6/hr 6E-7/hr NG MP-3 P55 value Transformer stated to be from NREP
- 20. Pressure Reactor Protection a. Fails to 6.52E-5/hr GE-5/hr NG i Transmitter and ESF Actuation Provide (IREP)
Proper Output
- 21. Water Level Reactor Protection a. Fails to 4.29E-5/hr 6E-5/hr 1.66E-6/hr Transmitter and ESF Actuation Provide (IREP)
Proper Output
- 22. Temperature Reactor Protection a. Fails to 4.83E-6/hr GE-5/hr NG
- Transmitter and ESF Actuation Provide (IREP) i Proper Output i 23. Flow Reactor Protection a. Fails to 3.86E-5/hr 6E-5/hr NG Transmitter and ESF Actuation Provide (IREP)
Proper Output i
- 24. Temperature Reactor Protection a. Falls to 8.33E-6/hr 6E-5/hr NG Element (RTD) and ESF Actuatica Provide (IREP)
Proper Output 4
4 I
i i
1 O.
l 3 - 143 i
L. - . _ _ _ , _ . , _ _ , _ , _ _ _ _
Tabl33.6-2(Continued) . ,
C0frAR150R OF COMPONENT FAILURE RATE DATA - ELECTRICAL / ELECTRONIC SYSTEM COMPONENTS --
Gosponent failure Peilures oer Mour or pesar.J Type System Mode w-3 ru nucrnuar v on ruA Comments
- 25. Differential Reactor Protection a. Fails to 6.52E-5/hr 6E-5/hr NG Pressure and E5F Actuation Provide (IREP)
Transmitter Proper Output
- 26. Analog Process- Reactor Protection a. Fails to 7.75E-7/hr 3E 6/hr NG ing Module and ESF Actuation Provide Proper Output
- 27. Comparator Reactor Protection a. Fails High 2.40E-6/hr NG (81 stable) and ESF Actuation Output.
- b. Fails Low 1.65E-6/hr NG Output _
l 28. Manual Switch Reactor Protection c. Short Across 4.04E-7/hr 2E-8/hr s(2) Zion PRA value (Pushbutton) and ESF Actuation Contacts 'IREP) (negligible) based on engineering Judgment
- 29. Manual Switch Reactor Protection a. Short Across 1.70E-4/hr 2E-8/hr a Same as above (Rotary) and ESF Actuation Contacts (IREP)
- b. Contacts 1.70E-6/hr 1E-7/hr NG Fall Open (IREP)
- 30. Fuse All Electrical a. Open pre- 4.37E-7/hr 3E-6/hr 8.32E.7/hr Zion PRA value Systems maturely stated to be l for ESF DC power fuse
- 31. Loop Power Reactor Protection a. Fails to 2.97E-6/hr 6E.7/hr NG NREP/IREP value for
[ Supply and ESF Actuation Provide transformers l Proper Output J
9 3 - 144
Tab 123.5-2(Continued)
.) ,
~
COWAR150N OF COMPONENT FAILURE RATE DATA - ELECTRICAL / ELECTRONIC SYSTDI COMPONENTS _
C G - _.3 Failure Failures per Hour or Demand Type System Mode W -3 P55 NRLP/lREP Zion PRA Comuments
- 32. Radiation Reactor Protection a. Falls to 1.06E-5/hr 6E-5/hr NG
. Monitor and ESF Actuation Provide (IREP)
Proper Output NOTES and footnotes:
~;, 1. All NREP/1 REP deeand values were computed from hourly rates assueing monthly testing.
> 2. Some Zion hourly rates were converted to demand rates assuming monthly testing. These cases are identifiedby/D(M).
- 3. Zion PRA values are from updated, plart specific values given in Table 1.5.1-5 (Vol. 3).
(1) NG = not given (2) e = negligible i
l I
l l -
3 - 145
e+g rate in the MP-3 PSS. A total of 23 component failure modes in the PSS were found to vary by more than a factor of 5 from the NREP/IREP values. This .
represents 23% of the total component failure modes in Table 3.6-1. Numbers l in the second column less than 0.2 (or 1/5) indicate that the MP-3 PSS values
- are greater than (or conservative with respect to) the NREP/IREP values.
Numbers greater than 5 indicate that the MP-3 values are less than (or optimisticwithrespectto)theNREP/IREPvalues.
As Table 3.6-3 indicates for fluid system components, four MP-3 PSS values i
were more than a factor of S greater than the NREP/IREP values, while four ;
rates were less (by >5) than the NREP/IREP values. For electrical /
electronic system components, the majority (12 of 16) of the MP-3 PSS values are lower than the NREP/IREP values, indicating an optimistic bias with respect to the NREP/IREP values.
Table 3.6-4 provides a similar comparison between the MP-3 PSS values and values used in the Zion PRA. (It should be noted that the Zion PRA did not .
provide values for a number of the MP-3 PSS entries in the Tables 3.6-1 and
-2). ThemajorityoftheMP-3PSSvalues,asshowninTable3.6-4are conservative (greater) than the equivalent values used in Zion. Of the 20 i entries, Zion failure rates are smaller than the PSS values on 13 cases, f
It is difficult to draw conclusions regarding the validity of the MP-3 PSS failure rates based on these comparisons. Since the data base used for the MP-3 was not available for review, the validity and robustness of the data could not be ascertained. It was considered significant that so many of the MP-3 rates varied by large amounts from the NREP/IREP values. These variations did show a trend to be on the optimistic side, but the trend was not strong.
l c
3 - 146
- . -- -- .~. - .- . . - _.
) -
o_
Table 3.6-3 I
COMPARISON OF MP-3 PSS AND NREP COMPONENT FAILURE RATES 2
NREP Value Component and Failure Mode MP-3 PSS Value __
Fluid System Components
- 1. Manual valve transfers closed 0.1
- 2. Check valve fails to seat 0. l '
- 3. MOV transfers open 0.02
- 4. Motor driven AF pump fails to run 5.92
- 5. Motor driven CS pump fails to run 5.92
- 6. Turbine driven AF pump fai_ls to run 0.03
- 8. Valve limit switch fails to operate 20.
Electrical / Electronic System Components
- 9. Diesel generator fails to start 8.5
- 10. Bus feed breaker fails to close 11.8
- 11. Bus feed breaker fails to open 25.
i 12. Bus feed breaker transfers open 20.
- 13. Battery charger fails to operate 0.02 2
- 14. Undervoltage relay fails to trip 250.
I
- 15. Overcurrent relay fails to trip 250.
- 16. Underfrequency relay fails to trip 250.
- 17. Trip breaker fails to open 10.
- 18. Relay fails to operate 10.
. 19. Temperature transmitter fails 12.
- 20. Temperature element fails 7.
- 21. Manual pushbutton short 0.05
- 22. Manual rotary switch short 0.012
- 23. Manual rotary switch contacts fail open 0.067
- 24. Fuse opens prematurely 7.
- 25. Radiation monitor fails 6.
IMillstone-3 PSS value is conservative if ratio is less than 1. O
~2NREP values are essentially identical to IREP values. Where only the NREP value was available, or both values were available, the NREP value was used.
Where only the IREP value was available it was used.
m
1
~
Table 3.6-4 4
COMPARISON OF MP-3 PSS AND ZION PRA COMPONENT FAILURE RATESI Zion Value Component and Failure Mode MP-3 PSS Value
-- I
- Fluid-System Components --- -
- 1. Manual valve transfers closed 0.03
- 2. Check valve fails to operate 0.14
- 3. Check valve fails to seat 5.34
- 4. MOV transfers open 0.007
- 5. MOV(containmentspray)failstooperate 0.023 .
- 6. Air-operated valve transfers closed 0.083
. 7. Motor-driven AF pump fails to run 5.84
- 8. Motor-driven RHR pump fails to run 0.037
- 9. Motor-driven SWS pump fails to run 0.053
- 10. Turbine-driven AF pump fails to run '
0.012
- 11. M0V (CVCS) fails to operate 6.5
- 13. Diesel generator fails to start 7.8
- 14. Bus feed breaker transfers open 0.153
- 15. Storage battery fails to operate 0.076
- 16. Battery charger fails to operate 0.018
- 17. Trip / bypass breaker (RPS) fails to open 28.9
- 18. Control cable / wiring short (line to line) 119.
- 19. Control cable / wiring short (line to ground) 9.4
- 20. Water level transmitter output failure 0.039 T
IMillstone-3 PSS value is conservative if ratio is less than 1.
I C
3 - 148
a..-,~.. --_....dl
- - ~ , - - - - - - , - ^
l A further extension of the comparisons was undertaken to determine which MP-3 variations were significantly different in the same direction with respect to both the Zion PRA and NREP/IREP data. Table 3.6-5 provides the results of this comparison. As shown in the table, a total of eight component failure rates were found. One-half of the MP-3 rates are optimistic with respect to the other failure rates, and one-half are conservative.
Generally, system failures are dominated by active components which are required to change state when the system receives a command to operate.
Passive component failures (check valves, etc), active components which fail by incorrect transfer (M0 valves, etc), and active components which start 4 (pumps, motors, etc.) but fail to sustain operation, usually are not dominant contributors. In Table 3.6-5 the only components which meet these general criteria as potentially significant component failures are CVCS MOV fails to operate, diesel generators (fail to start),'and trip / bypass breaker (RPS) fails to open. The battery chargers are normally operating and no change of state is required. Furthermore, battery chargers do not appear as risk dominantcomponents(seeSection ). Thus, lowering their failure rate to 4
be consistent with NREP/IREP and Zion PRA values would make their already negligible contribution to risk even lower. The CVCS MOV failures are not l expected to be dominant contributors since the CVCS is not a safety system and is not typically involved in initiating or terminating dominant accident sequences. As shown ir. Section , the CVCS does not appear in any of the dominant sequences for any of the risk indices. The RPS relay failure would appear to be significant only in terms of influencing the probability of failure to scram. The RPS system (scram) failure probability was not considered in the MP-3 fault tree assessments (Section 2.3), rather it appears that a scram failure value of 3.0x10-5 was adopted based on NUREG-0460 reconnendations (Section 2). Thus, the RPS relay failure rate does not appear to be a significant issue.
This leaves only the diesel generators as both " outliers" with respect to the NREP/IREP and Zion data and potentially significant contributors to risk.
Diesel generator failures were found to be one of the more significant l
components in terms of influence on latent fatality risks, and a lesser, but 3 - 149 l
0
- ~ .
Table 3.6-5 1
MP-3 COMPONENT FAILURE RATES SIGNIFICANTLY DIFFERENT THAN I
BOTH NREP AND ZION PRA VALUES NREP Value2 Zion Value Component and Failure Mode MP-3 P55 Value MP-3 P55 Value 16
. Fluid System Components
- 1. Manual valve transfers closed 0.1 0.03 ,
- 2. MOV transfers open 0.02 0.007
- 3. Motor-driven AF pump fails to run 5.92 ,
5.84
-4. Turbine-driven AF pump fails to run 0.03 0.01 2
- 6. Diesel generator fails to start 8.5 7.8 -
e
- 7. Battery charger fails to operate 0.02 0.018
- 8. Trip / bypass breaker (RPS) fails 10. 28.9 to open I
Millstone-3 PSS value is conservative if ratio is loss than 1.
2 NREP values are essentially identical to 01% us. es. Where only the NREP value was available, or both values were F,at'. . V , the NREP value was used.
Where only the IREP value was available it was used.
l O
3 - 150
-notnegligible,influenceoncoremeltprobability(Sect. ). Because of this significance and the optimistic failure rate (compared to other sources) given to diesels in the MP-3 PSS, the issue of diesel generator failure rates (to start and assume load) was given rather comprehensive consideration, as described in the following subsection.
3.6.2 System Failures This subsection provides the results of a review of the MP-3 PSS system failure rates. The first part of the review consisted of screening the MP-3 values against independent assessments for similar systems to determine if large discrepancies existed. This was followed by an evaluation to determine if the system failure rate discrepancies found had the potential for
$ influencing any of the risk indices (core melt, early fatalities, late fatalities) computed for the MP-3 plant. If such a potential was found, an attempt was made to requantify the risk indices to assess the potential impact of the apparent discrepancies.
It should be emphasized that the use of alternate failure rate assessments for the MP-3 systems does not imply that they are more applicable. The basis for and validity of these assessments need to be considered and judgment used in reaching conclusions regarding realistic failure rates. Such rates are, of course, unknown and must be estimated. Frequently it is difficult to judge which value is a better estimate.
A second evaluation of the validity of the MP-3 system f ailure rates was also performed by reviewing the fault trees'used for system failure i quantification. The results of this review is presented in Section 3.4 and l will not be considered further here.
The alternate sources of system failure rates were selected to provide a diverse spectrum from available literature. Accordingly, the following sources were used:
3 - 151
i
- Se'quoyah RSSMAP PRA - An NRC-sponsored PRA for.a Westinghouse plant similar in many respects to MP-3.
- - ORNL: Accident Precursor Study - A study which used generic PWR LER data to estimate system failure rates for PWRs. .
Reactor Safety Study - An NRC-sponsored PRA which is frequently used '
- as the baseline to compare with other studies. ,
Various other sources for individual systems.
! Table 3.6-6 lists the systems which were determined to be important to safety in the MP-3 PSS. These systems represent all of those which were.
analyzed by fault trees in Section 2.3 of the MP-3 PSS. The first column
- lists the 15 systems considered, and the remaining columns provide failure rates from the various sources as identified at the top of each column. The first column of failure rates is from the MP-3 PSS. Comparable failure rates.
j for a few systems could not be found readily in the'11terature, but for all 11:
l of the systems, some comparison values were found. -
In reviewing the Table 3.3-6 comparisons, it is apparent that some of the -
j MP-3 values are outside of the range provided by other sources and others are questionable. For all of these cases, the MP-3 values are smaller optimistic i
than the comparable values. Each of the systems will be considered separately, with substantially more discussion provided for HP-3 failure rates which seem to be inconsistent with other rates. In all cases, the rates quoted are for j no degradation of support equipment. Other qualifications on the values are
! provided in the notes at the bottom of Table 3.6-6 and are discussed further,
! as appropriate, in the discussion of each system.
l
! 1. Main electrical system, onsite emergency power - The MP-3 value for this system is lower than any other in Table 3.6-6, from a factor of I
1 i
i .
3 - 152 L - _, . - - . _ - - . - . . .. . . - . - - ----. . . - - -
Tah13 3.5-6 .
CIplPARIS0N OF SYSTEN FAILINtt RATE 5 Failures Rate System W-3 P55 RSS Zion PIIA Sequoyah(9) Other
- a. Onsite emergency 1.1E-3 to 6.8E-3 II4)
'I power l
- 2. 12ov Ac 8.4x-5(2)
- 3. E5F Actuation 1.6E-5 6.7E.5 5 7E-5 1
- 4. Loading Sequencer 1.59E-5 I3I
- 5. Aux 111ery Feeduater 6.8E-5 3.7E-5 4.2E-6 S-5 1.1E-3III, 3.4E-4 I8)
- 6. High Pressure Injection 5.87E-5(16) 6.3E-3 1.4E-6 58I 3.5E-3 1.3E-3(7) 7.4E-9(10) l
- 7. Low Pressure Injection 1.74E-4 4.2E-3 4.7E-4 1.9E-3
- 8. Main Steam Isolation I 8.2E-4") 1.2E-3III 1.5E-4(5) i I
O 3 - 153
Tabla 3.5-4(Continued) .
q COMPARISON OF SYSTEM FAILURE RATES' Failures Rate System W-3 P55 RSS Zion PRA Sequoyah(9) Other t
- 9. Quench Spray 3.2E-4 2.4E-3 5.5E-5 1.7E,-3
- 10. Safety Injection Pump 7.32E-3(2)
Cooling
- 11. Charging P g Cooling 5.3E-4 ._
1E. Low Pressure Recirculation 3.0E-3 8.8E-3 5.2E-3 4.6E-3
- 13. High Pressure 5.85E-3 9.0E-3 3.8E-4 8E-3 Recirculation
- 14. Containment Recirculation 2E-3 1.6E-3 Spray
- 15. Service Water 7.44E-6(6) 2.2E-8(6) 2.?E-5/yr(15)
(
l l
i
(
i O
l 3 - 154 l
7._...
Tabla 3.6-6
~
COMPARISON OF SYSTEM FAILURE RATES , . _ _
l l
1 NOTES:
- 1. Per bus 9. . Medius LOCA (2 of 4 pumps)
- 2. Per train 10. Small LOCA () of 4 pumps)
- 3. Both trains 11. Has inter-unit bus ties 1 of 2 oiesels 4 Steam line break inside containment 12. No load sequencer, 1 of 2 diesels with swing unit
- 5. Steam line break outside containment 13.
Oneofthree(ytesels
- 6. Durin a 24 14 Battle paper J 7 ORE krecur-hr period ) 15. From 0conee RSSMAP PRA(8)_ ) of 2 pumps
- 8. Ebasco St
)StudytS 16. Medium and sas11 LOCAs i
1 4
i f
1 i
i -
3 - 155 l
p .- .
about 2 for the Zion PRA value, to about 20 for the RSS value. The most comprehensive assessment of onsite emergency power reliability was performed by Battle, et al.I7) , and the range of values found (for 1 of 2 diesels, the MP-3 configuration) was 2 to 15 times higher than MP-3.
Because of these differences, a review of the basis for the MP-3 value was performed, and the results are summarized herein. q
- The MP-3 value for loss of onsite emergency power (4.56E-4) is dominated (as would be expected) by the common cause failure of both diesel generators. This contribution was assessed at 2.59E-4 (Table 2.3.3.1-3, Pg. 2.3.3.1-48) which represents about 60% of the total. The comon cause f ailure assessment was performed using the Binomial Failure Rate model.
The single diesel failure rate used in the MP-3 BFR model was 2.33E-3.
Thus, the MP-3 common cause quantification corresponds to a 8-factor of about 0.1, a reasonable-value. The S-factor model is equivalent to the-Binominal Failure Rate model for two redundant trains or ~
componentsO3) . However, the value of 2.33E-3 for a single diesel generator failure is not consistent with other results. Single diesel generator failure rates have consistently been found to be in the range of 1 to 10E-2(7,H,12) ,
The basis for the MP-3 diesel generator failure rate is given in Appendix 2-E of the MP-3 PSS (Vol. 6, Sect. 2). This appendix derives the single diesel generator failure rate based on a large number of tests on the MP-3 diesel units and similar tests. A total of 300 tests were said to have been performed on the MP-3 diesel generators, and additional tests
- (totaling 1,839) were used to establish the failure rate. The test details in Appendix 2-E are very sketchy. It is merely stated that the
, 300 MP-3 tests "were performed under conditions which rigorously stressed l the diesels under numerous load conditions." It is not stated whether,
! and to what extent, " prepping" (pre-lubing, pre-warming, pre-checking) of
- the diesels was performed prior to testing, whether the tests were under
" fast start" conditions which would exist under actual demands, time interval between tests, whether the other tests (other than the 300 MP-3) l were under the same " rigorous" conditions, and what other measures and considerations were employed to assure that the test data represents ,
3 - 156
2
=~
" field" conditions. In view of this lack of information regarding the
. . tests, it was not possible to evaluate the validity of the MP-3 diesel.
generator failure rate based on the tests. However, the derivation of the f ailure rate given that the test data are applicable does appear valid.
Other investigators (7,14) have concluded that reliability improvements s
below about 1x10-2 are probably not readily acnievable for diesel generators. Further, Reference 12 indicates that Fairbanks-Morse diesels (the manufacturer of.the MP-3 units) have a somewhat worse than average failure rate, ud larger units (the MP-3 units, at 5000 kW, are among the largest used at nuclear plants) tend to be less reliable.
l In view of these considerations, it seems highly unlikely that a failure rate of less than about 2x10-2/dc:nand can be achieved for diesel generators at the MP-3 site unless extraordinary measures have been taken to improve reliability.
If a value of 2x10~ / demand were substituted for the MP-3 rate of 2.33x10-3 the probability of onsite emergency power failure would be about 2.2x10-3 assuming the same relative common cause contribution and that the other contributors to the failure probability remain the same.
This represents about a factor of 5 increase in the MP-3 value. The
- significance of this increase is assessed later in this section.
l 2. 120V AC System - No comparable failure rates for this system could be readily found in the open literature. A review of the fault tree i
quantification for the derivation of this value is given in Section 3.4.
It should be noted that failure of the 120V AC system does not appear as a risk contributor for any of the risk indices (Sect. ).
- 3. ESF Actuation - The MP-3 result for the probability of ESF actuation failure (1.6E-5) is about a factor of four less than the equivalent value l
from the RSS and less than a factor of four less than the Sequoyah value.
l This is considered reasonable agreement. Further, since ESF actuation failures do not appear in any of the risk dominant accident sequences j (Sect. ), a factor of four (or even greater) increase would have an insignificant effect on the risk results. .
3 - 157
i l
- 4. Load Sequencer - No values in the open literature could be readily found to compare with the MP-3 failure rate for the emergency diesel generator loading sequencer. However, the value appears reasonable, and loading sequencer failures are not among risk dominant systems (Sect. -).
Further, since the loading sequencers are a part of the emergency onsite power system, the MP-3 failure rate for the sequencers would have to be z
raised by over an order of magnitude to become a contributor to emergency power failure.
- 5. Auxiliary Feedwater - The MP-3 auxiliary feedwater system failure rate was assessed to be 6.8E-5 per demand. This value is, as shown in Table 3.6-6, somewhat higher than the RSS, Zion, and Sequoyah assessments (all have similar systems, consisting of two 50% capacity motor-driven pumps and a 100% steam turbine-driven pump). However, more recent assessments (shown in the other" column of Table 3.6-6) indicate significantly higher failure rates, being 5 (for the Ebasco study) to 16 (for the ORNL precursor study) times higher than the MP-3 rate. It should be noted, however, that the ORNL assessment is for all auxiliary feedwater systems (including designs other than MP-3) based entirely on LER data. It appears, based on the comparison, that the MP-3 value is not unreasonable for a mature system.
However, for the first year or two of operation, the NRC has estimated, based on LER data, that the auxiliary feed-water f ailure rate may be in the range of 10~4 to 10-3/ demand, corresponding to the Ebasco(6) and ORNL Precursor Study (5) values. It therefore seems appropriate to examine the risk impact of assuming a factor of 10 increase in the MP-3 auxiliary feedwater system value to determine the potential significance during the first years of operation. This impact is evaluated later in this section.
I 1
- 6. High Pressure Injection System - MP-3 PSS failure rate assessed for the HPIS is lower than all Table 3.6-6 values except for Zion. However, there l are significant differences for the success criteria and the system designs assumed for the RSS and Sequoyah PRAs. In the RSS, the Surry plant HPIS consists of (App. II, Ref. 16) three charging pumps, one of which is required to operate for success during small and medium LOCAs.
In the Sequoyah study (Sect. B.9, Ref. 9), the HPIS consists of two ,
3 - 158
- * + = .
I charging pumps plus two safety injection pumps. For success, at least one pump from each system is assumed to be required. In the MP-3 PSS, the l HPIS is described as including three charging pumps (one-of which is in a standby condition) and two safety injection pumps. According to the PSS l (Table 2.3.3.6.2-1), only one pump of the four available-(the standby pump is not considered available under LOCA conditions) is required for success. In view of these differer.ces, the MP-3 HPSI failure rate does not seem unreasonable. Further, the Zion HPIS design is similar to MP-3 (two independent systems of two pumps each) and success for small LOCAs is one of any four pumps (Sect. 11-4.5.2.3.1). In this instance, the Zion PRA assesses the failure rate (Table 3.6-6) at 7.4E-9, well below the MP-3 value.
- 7. Low Pressure Injection-System - The MP-3 LPIS failure rate is lower than all other values, ranging from a factor of 2.6 lower than Zion to a factor of 23 less than the RSS.
The LPIS is needed as a safety injection system only for large break LOCAs. In this case, the accumulators are also required, such that the success criteria becomes operation of both systems. It is thus important to consider both systems iri combination. Table 3.6-7 provides a comparison between Zion, the RSS, and the MP-3 failure rates for these systems (Sequoyah does not ave the same accumulator system design).
As shown in Table 3.6-7, the failure rates for the systems considered in combination are quite similar, with the MP-3 PSS value being between Zion i
and RSS. It should also be noted that neither the LPIS nor the accumulator system is a risk dominant system (see Sect. ).
9 O
3 - 159
= -
a.
~
Table 3.6-7 COMPARISON OF LOW PRESSURE SAFETY INJECTION SYSTEM FAILURE RATES Failure Rate System MP-3 PSS Zion PRA RSS LPIS 1.7E-4 4.7E-4 4.2E-3 Accumulator 1.9E-3 7.2E-4 9.5E-4 TOTAL 2.lE-3 1.2E-3 5.2E-3 s
It is concluded that the MP-3 assessment of LPIS failure is acceptable within the context of the system influence on overall risk results.
- 8. Main Steam Isolation - The Main Steam Isolation System (MSIV) f ailure rate assessed in the PSS is somewhat lower (for inside containment steam line breaks) than the only other value found (ORNL Precursor Study). This difference is less than a factor of 2, however, which is not considered significant.
For breaks outside containment, the difference is somewhat more significant, with the MP-3 value a factor of 8 less than the Precursor assessment, which does not distinguish as a function of steam line break location. These differences are not considered significant since a factor of 10 increase in MSIV failure rate would only raise the CMP by 30% and would have an even less significant effect on early and late fatalities (Sect. ).
- 9. Quench Spray - The MP-3 quench spray design is very similar to the l containment spray injection designs for the RSS and Sequoyah plants. The i
MP-3 qu'ench spray failure rate is between the Zion value and the RSS and ORNLprecursorvalues(whichareroughlyequivalent). The largest disparity is between the RSS and MP-3 values, with the MP-3 rate being about a factor of 8 less than the RSS. However, the RSS failure rate included a large contribution (over 40%) from failure of the Consequence C
I 3 - 160
t i, -
_. i Limiting Control System which monitors plant parameters and actuates the containment spray injection system. The equivalent MP-3 system (designated ESF Actuation Syst_em) is considered in the event trees as a separate failure. In view of these differences, the MP-3 value seecs reasonable.
- 10. Safety Injection Pump Cooling System - No independent failure rate values for this system were found in documents reviewed for the comparison.
- 11. Charging Pump Cooling System - No independent failure rate values for this system were found in documents reviewed for the comparison.
- 12. Low Pressure Recirculation System - The MP-3 PSS assessment of the LPRS failure rate corresponds very closely to all other values in Table 3.6-6 and is therefore considered reasonable.
- 13. High Pressure Recirculation System - The MP-3 PSS value for the HPRS is very nearly the same as the RSS and Sequoyah results and is therefore q considered reasonable.
! 14. Containment Recirculation Spray System - The MP-3 PSS value is comparable to the Zion rate. No other equivalent rates were found. The MP-3 rate is also comparable tc those of other recirculation systems considered previously. It is therefore concluded that the MP-3 CRSS failure rate is reasonable.
- 15. Service Water System - The MP-3 service water failure was assessed for the j 24-hour period following the initiation of an accident during which
- service water is assumed to be required to maintain cooling of essential safety equipment. The MP-3 SWS failure rate is much higher than Zion (a factor of 338) and also higher than the equivalent Oconee RSSMAP(0) rate by a factor of 100 (obtained by converting the Oconee yearly rate to a 24-hour rate). However, for the 24-hour period assumed as the mission time, the failure probability is so low that SWS failure does not contribute to any dominant accident sequence. Therefore, assuming a lower rate would have no effect on the probability of any risk dominant sequence. ,
3 - 161
g 4
t N
It is of interest to note that a second independent assessment of SWS failure is included in the MP-3 PSS in Appendix l-D. This failure rate .
was assessed in the context of SWS failure as an initiating event. Since the service water system cools a large number of both normally operating and emergency equipment (see Sect. 9.2 of Ref. 15 for details), sustained SWS failure would appear to lead to core melt if either auxiliary a feedwater fails independently or a reactor coolant pump seal LOCA occurs as a result of the SWS failure.
The Appendix 2-F assessment of SWS concludes that the failure rate of the s SWS is 8.68E-12/hr., much lower than the Table 3.6-6 rate (taken from Sect. 2.3 of the PSS) which would be 3.lE-7/hr. Further, the Appendix 2-F assessment concludes that simultaneous plugging of the SWS inlet screens is not a credible event, while Sect. 2.3 assumes that this failure mode is 3 the only credible failure mode. If the Section 2.3 rate is used to compute an annual frequency of SWS failure as an initiating event, a value of 2.7E-3/yr is obtained, compared to 7.6E-8/yr based on the Appendix l-0. This is a very large discrepancy of potentially significant proportions especially if reactor pump seal LOCAs are likely as a result of SWS failure. It should be noted that the Section 2.3 rate of 2.7E-3yr is considerably higher than the Oconee assessment from Table 3.6-6. A recent assessment of events in service water systems (6) inoicates that a number of problems have occurred, including a complete failure (which was recovered in time to preclude serious consequences) in approximately 200 reactor-years of experience surveyed.
In discussing this issue with NUSCo in December 1983, it was pointed out by NUSCO that the Section 2.3 assessment includes no credit for recovery of the SWS in the event of screen plugging, while Appendix 1-D discusses the basis for and quantifies credit for screen plugging recovery.
Furthermore, NUSCo contended that SWS failure would not result in reactor pump seal failure since the component cooling water system could be drained for an extended length of time providing sustained cooling to the
! reactor pump seals by maintaining flow through the heat exchanger which provides cooling to the seal coo'ing system. This means that core melt from SWS failure would not likely occur unless auxiliary feedwater failure also occurs.
3 - 162
l On balance, it appears that SWS failure is not risk significant either as an initiating event or as a support system failure following other initiating events.
3.6.3 Requantification of Accident Sequences Based on System Failure Rate Revisions This section provides an estimate of the change'in risk as a result of revisions to the MP-3 PSS system failure rates which appear justified based on the preceding discussion. Two such changes are considered: (1) an increase of a factor of 5 in the emergency power system failure rate based on a revised failure rate for the diesel generators, and (2) an increase of a factor of 10 3
in the auxiliary feedwater system failure rate which is judged to apply only to the first year or two of operation.
Table 3.6-8 provides the results of the requantification. The results indicate that the core melt probability would be increased about a factor of 3
) over the MP-3 PSS value for the first year or two of operation and would be only slightly higher thereafter. The early fata;11ty risk would not be changed for any of the proposed revisions. The late fatality risk would increase about a factor of 5.5 for the first year or two and would remain less than a factor of 2 higher-thereafter.
It should be emphasized that these changes are valid only if the revisions i are considered separately; that is, no other changes suggested elsewhere in j this review are considered.
(
I O
4 3 - 163 l
l Table 3.6-8 !
REQUANTIFICATION OF RISK BASED ON REVISIONS TO SYSTEM FAILURE RATES
! Risk III I System Failure Rates Early Late j Emergency Auxiliary Core Melt Fatalities Fatalities Power Feeawater Probability (2100) (21000)
, 1. Current MP-3 PS$ 4.5bE-4 6.8E-5 4.5E-5 1.9E-6 9E-9
- 2. Revised diesel 2E-3 6.8E-5 5.1E-5 1.9E-6 1.5E-8 generator failure rate w
e
- 3. Same as~ 2 above with 2E-3 6.8E-4 1.3E-4 1.9E-6 5.0E-8 revisg(i AFS failure a ratel i
(I) Based on results from Table V-1 of the MP-3 PSS.
j (2) Estimated to apply only to the first year or two of operation.
l 4
1 I
i
.I
. l
e REFERENCES
- 1. National Reliability Evaluation Program (NREP) Procedures Guide, NUREG/CR-2815, Final Draft, September 9, 1982.
- 2. IREP Guide
- 3. Zion Probabilistic Safety Study, Connonwealth Edison Co., Copyright 1981.
- 4. Interim Reliability Evaluation Program: Analysis of the Millstone Point Unit i Nuclear Power Plant, NUREG/CR-3085. February 1983. -
- 5. Precursors to Potential Severe Core Damage Accidents: 1969-1979 A Status Report, NUREG/CR-2497, J. W. Minarick and C. A. Kukielka, June 1982.
i
- 6. Auxiliary Feedwater Systems Reliability, J. J. Raney, Ebasco Services, Inc., presented at International Meeting on Thermal Nuclear Reactor
. Safety, August 29-September 2, 1982, Chicago, IL, NUREG CP-0027.
- 7. Reliability of the Emergency AC Power System at Nuclear Power Plants, R.
E. Battle, et al., presented at International Meeting on Thermal Nuclear
- 8. Reactor Safety Study Methodology Applications Program: Oconee #3 PWR Power Plant, NUREG/CR-1659, G. J. Kolb, et al., Sandia Laboratories, May 1981.
j 9. Reactor Safety Study Methodology Applications Program: Sequoyah #1 PWR t Power Plant, NUREG/CR-1659, D. D. Carlson, et al., Sandia Laboratories, February 1981.
I
- 10. PRA Procedures Guide NUREG/CR-2300, January 1983. ,
l 11. Reactor Safety Study, WASH-1400, USNRC, October 1975.
3 - 165
i
+
0
- 12. Data Summaries of Licensee Event Reports of Diesel Generators at U.S. I
~
Commercial Nuclear Power Plants, NUREG/CR-1362, J. P. Poloski and W. H. ,
Sullivan, EG&G Idaho, Inc., March 1980.
- 13. Data Analysis Using the Binomial Failure Rate Connon Cause Model, NUREG/CR-3437, C. L. Atwood, EG&G Idaho, September 1983. c
- 14. Enhancement of On-Site Emergency Diesel Generator Reliability,
, NUREG/CR-0660, G. L. Boner and H. W. Hanners, University of Dayton,
- February 1979. ,
- 15. Millstone Unit 3 Final Safety Analysis Report.
- 16. Evaluation of Events Involving Service Water Systems in Nuclear Power c Plants, NUREG/CR-2797, J. A. Haried, ORNL, November 1982.
l i
t i
O
~
3 - 166
l i
3.7 Operating Experience Analysis The use of failure data derived from operating experience is vital to the validity of any PRA analysis. In the Millstone PSS operating experience provided an important source of input for determining the frequency of initiating events, random failure rates, and operator errors. This section provides a review of the use of operating experience by the Millstone team in each of these areas.
The Millstone 3 plant is still in the final stages of construction, so we have no data on failures at Millstone 3. Thus, failure data must generally come from industry-wide sources. But operating experience has told us that some failure and unavailability rates can vary widely from plant to plant, and we do not know whether Millstone will be above or below average.
Nevertheless, recent advances have been made by the industry in identifying below-average design, maintenance, test and operation procedures. This has come about through study of LERs and more attention to the plant specific causes of system and component failures. To the extent that these activities
- represent improvements, a new plant such as Millstone 3 can and would be expected to take advantage of this experience to improve its performance over the average performance of plants already running.
- 3.7.1 Initiating Events Twenty-two initiating events are identified in the Millstone PSS as events that could lead to core damage. Since Millstone 3 is not an operating plant, no plant-specific operating experience is available for incorporation into the i data analysis for initiating events. However, site-specific information was used for the loss of offsite power event. Estimates of initiating event
! frequency distributions were based largely on PWR experience. Sources used in
, this analysis include an Electric Power Research Institute (EPRI) compilation of transient data,U ) an Oak' Ridge National Laboratory (ORNL) report on loss
! of offsite power experience,(2) and WASH-1400.(3)
I i i
I R
3 - 167
4 A Bayesian analysis was performed in order to estimate the loss of offsite power frequency for Millstone 3. We reviewed this calculation and conclude that it could be optimistic. The analysis uses data on the loss of offsite power at all U.S. reactors. The method used matches the moments of this population data to the moments of an assumed lognormal prior distribution.
The Millstone site-specific data (1 loss of offsite power in 7 years) is then ,
incorporated to form a posterior distribution that is used as the event frequency. The difficulty with this analysis is that the use of all U.S.
reactors as a prior distribution could be optimistic. The loss of power occurrence for plants on the Northeast Inter-tie, which sees a higher incidence of hurricanes and other severe weather might be a more appropriate choice for the prior distribution or at least for the Bayesian update. We estimate that, if performed in this manner, the calculated frequency of loss of offsite power would increase by as much as a factor of two. -
For those initiating events in which the PWR population provided data points- s classical statistics treatment was used to estimate the frequency of the particular initiating event. In these cases, the initiating event frequency was treated as a random variable whose distribution reflects inherent plant-to-plant variability. The distributions are assumed lognormal. The initiating events for which this classical treatment was used are listed in Table 3.7-1.
For those initiating events in which available data were limited (those events which have not occurred) a Bayesian appproach was used to estimate the distribution for the frequency of an initiating event. A prior distribution was developed based on WASH-1400 distributions. These distributions were then updated, based on the observation of zero occurrences in 213 years of U.S. PWR operating experience. The resulting distribution was used to estimate the frequency cf a particular initiating event. This approach was used in both the Indian Point (4) and Zion (5) PRA studies. The initiating events that were given a Baysian treatment are listed in Table 3.7-1.
3 - 168
1
. l Table 3.7-1 Dependence of Millstone Initiating Events on Operating Experience l
Initiating Events That Use Site-Specific Operating Experience:
Loss of Offsite Power Initiating Events that use a Classical Treatment of operating experience data:
Small LOCA Steam Generator Tube Rupture Steamline Break Outside Containment Loss of Reactor Coolant System Flow Loss of Main Feedwater Flow Primary to Secondary Power Mismatch Turbine Trip Reactor Trip Core Power Excursion Spurious Safety Injection Initiating Events that use a Bayesian Treatment of operating experience data:
Unique Initiating Events:
Special large LOCA iniators Loss of a single service water train Loss of a single vital DC Bus Total loss of vital DC power Loss of vital AC Bus 120-VAC-1 or 120-VAC-2 Loss of vital AC Bus 120-VAC-3 or 120-VAC-4 ATWS .
3 - 169
C
~~
The remaining initiating events were considered unique to the Millstone 3 plant,.thus no data exist. The estimate of the initiating event frequency in each case was based on a specific analysis for that system.
Aside from our concern that the loss of offsite power may be underestimated by a factor of two, we found no major concerns regarding the ,
i operational data analysis for initiating events. However, one item of minor i concern is the use of classical estimation for events which have had a small and perhaps statistically insignificant number of occurrences, such as small LOCAs and steam tube rupture. For these cases the use of classical estimation .-
for event frequency could lead to optimistic results relative to the Bayesian estimate.
3.7.2 Component Failures .
! Component failure rate data as used in the Millstone 3 PSS was obtained from three sources, WASH-1400(2) , NREP(0) and Westinghouse Nuclear 4 Technology Division (WNTD) data base. Most of the component failure rates were derived from WNTD. This data base is described as proprietary and is not
- provided as part of the Millstone 3 PSS documentation. This data base is
- described as being based extensively on Westinghouse nuclear plant experience and contains over 200 reactor years of plant operating. Additional discussion of component failure rate data is provided in Section 3.6 (Failure Data).
l l
3.7.3 Human Errors i
Human error is another area in which the use of operating experience is both a necessity and a source of potentially large uncertainties. In treating humanerror,theMillstonePSSteamhasusedNUREG/CR-1278(7)formostof its human factors failure data. Although this document has industry-wide l acceptance in general, the data in it contains a great deal of uncertainty.
In particular, the failure data are lumped into broad categories whose applicability to specific situations at Millstone 3 is only approximate. In addition, it is of course not known how Millstone's operators will respond compared to industry averages.
l i
l 3 - 170 l - - - - - . - - -
Additional discussion of human error failure data and its use in Millstone accident sequences is provided in Section 3.5.
3.7.4 Concluding Remarks on Operating Data Analysis Despite the limitations discussed above it is our conclusion that the Millstone 3 PSS under review has used state-of-the-art data bases generally.
There are cases where we have reservations about specific numerical values.
It appears that the value used for loss-of-offsite power based on operating
- j. experience may underestimate this occurrence by as much as a factor of two.
The use of classical statistics for estimating the frequency of events such as
. steam generator tube rupture, for which there have only been a handful of occurrences, is likely to provide results that are at best highly
, speculative. These events could have received a better analysis.
Nonetheless, we conclude that the operating experience analysis provides a generally acceptable basis for estimating accident probabilities at Millstone 3.
f r
1 4
l 1
i .
e 3 - 171
~ . ._ ___ - -
- i References for Section 3.7.
- 1. Electric Power Research Institute, "ATWS: A Reappraisal, Part III.
Frequency of Anticipated Transients," EPRI NP-2230, January 1982.
- 2. Clark, F. H., " Loss of Offsite Power Experience," unpublished report, ,
1981.
- 3. U. S. Nuclear Regulatory Commission, " Reactor Safety Study: An Assessment of Accident Risks at U. S. Nuclear Power Plants," WASH-1400 ,
(NUREG-75/014), October 1975.
- 4. Power Authority of the State of New York and Consolidated Edison Company of New York Inc., " Indian Point Probabilistic Safety Study",1982.
- 5. Commonwealth Edison Company, " Zion Probabilistic Safety Study", 1982.
- 6. "NationalReliabilityEvaluationProgram(NREP)ProceduresGuide,"
NUREG/CR-2815, September 1982.
- 7. Swain, A.D. and H. E. Guttman, " Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications," NUREG/CR-1278, April 4
1980.
i t
3 - 172
1
. - 1
~.
3.8 Analysis Codes 3.8.1 Introduction This section discusses the computer codes that were used to quantify fault trees for the Millstone 3 PSS, since these were the only accident sequence probability codes described in the study. The PSS does not describe any computer codes that were used to quantify the overall damage state probabilities even though it is likely that some computer analysis was used forthisprocess(seeSection3.11). This section does not include a discussion of codes used for accident analysis -- i.e. C0CO-class 9, CORCON-M001, and MODMESH. These codes are discussed in Section 3.9.
The WAM series codes, WAMBAM and WAMCUT, were used in the Millstone PSS for fault tree quantification. These codes were used to determine minimal cut sets for each fault free. Minimal cut sets give all the unique combinations of primary events that cause system failure, and are used to calculdte the system unavailability for all support states. WAMBAM was used for preliminary point estimate calculations of system unavailability and failure probability.
WAMCUT was used to derive cutsets and to develop the appropriate uncertainty values.
In general, fault tree analysis codes provide two approaches for
- calculating minimal cut sets. One is deterministic; the other is a Monte
! Carlo approach. The deterministic method uses Boolean-algebra principles to l sort through the fault tree structure, which is first encoded in a suitable format. This method is rigorous and accurate, but can consume a great deal of
, computer storage and processing time. The Monte Carlo approach randomly selects the events in the fault-tree and combines them to test whether the fault tree logic is satisfied. When an event combination has been selected that satisfies the logic, a cut set has been established. This method is less accurate but often faster in terms of computer time. Both WAMBAM and WAMCUT use a deterministic approach for calculating cut sets.
3 - 173
~L.. \
l l
3.8.2 WAMBAM WAMBAM is designed to calculate the point probabilities for top events in a fault tree. It actually consists of three codes: WAM, WAMTAP, and BAM.
The cut set evaluation is carried out in BAM (Boolean Arithmetic Model). WAM and WAMTAP serve as input preprocessors for BAM. The WAM preprocessor is 4
designed to ease the input description of the fault tree and the event Probabilities. If requested, the input to BAM can be saved and subsequently modified by WAMTAP. WAMTAP allows the probability of single or grouped primary events to be changed for sensitivity studies. 9 The evaluation code BAM calculates the probabilities of all operating and nonoperating states for a system. Operations within a system are modeled as gates on a fault tree. The probability of the top event is computed by 9 forming a truth table, each line of which represents a product term (P-term) event disjoint from all other P-terms. The product of the probabilities of l the event in each P-term gives the probability of the P-term, and the union of the applicable P-term, and the union of the applicable P-term gives the ,
probability of the top event. BAM reduces storage requirements by eliminating low-probability paths at an intermediate stage of the processing and at the
- same time keeps track of the total of the discarded paths.
3.8.3 WAMCUT WAMCUT was used in the Millstone PSS to derive cut sets and to develop l appropriate uncertainty values. WAMCUT is designed to obtain minimal cut sets and to quantify the top events of fault trees. It consists of two parts: WAM and CUT. WAM is a preprocessor that reads the fault tree description and l checks for logic and syntax errors. CUT is the cut-cet finder routine that
! takes the restructured input fault tree from WAM and finds the cut sets of each gate, working from the bottom to the top of the tree. the output of this code includes a list of cut sets and the probability of each. Also included is the variance of each cut set. The deterministic approach for finding cut sets is similar to WAMBAM.
o
, 3 - 174 f
WAMCUT also eliminates low probability paths at an intermediate stage of processing. The system fault trees for Millstone were quantified with WAMCUT using a specified cut off value (typically lE-7). Only cut sets whose probabilities are greater than or equal to the cut off valve were analyzed.
3.8.4 Comments
. There are some minor limitations to the use of WAMCUT in the Millstone PSS. Some codes offer the ability to move replicated events up'as far as possible toward the top of the fault tree without violating Boolean-algebra
. rules. . The use of such an option in applying WAMCUT to Millstone fault trees might have eliminated some of the inaccuracies that have been noted above.
Also, WAMCUT does not provide failure probabilities for intermediate gates in the fault tree. This information would have been useful for. auditing these trees. Finally, one can question whether eliminating cut sets on the basis of.
! probability without considering variance would limit the ability of an uncertainty analysis to incorporate those events which have a low probability
- but large variance.
t References for Section 3.8 1
i i
l l
i l
3 - 175
m -
} -
-3.9 Accident-Sequences This section provides the results of a review of the MP-3 PSS assessment of the progression of. accident sequences. The review encompassed an
. examination of assumptions, analysis, and predicted phenomena associated with the progression of severe accidents as considered in the PSS. The review is limited to considerations of accident progression within the primary system i and reactor vessel cavity. It does not consider other phenomena in the containment such as H combustion, overpressure failure, and basemat 2
j penetration.
I
- A discussion of accident sequence analysis occurs in Section 4. Volume 8 l of the MP-3 PSS and related appendices in Volumes 8 and 9 (Appendices 4-A through4-N). In addition, as part of the accident sequences review, Section l
3 (" Analysis of Recoverable Degraded Core Cooling Sequences") and the related Appendix 3-A ("In-Vessel Debris Coolability") was reviewed.
} Emphasis in this review was placed on those accident sequences which were
! found to be risk dominant as well as phenomena and assumption expected to have l a significant potential for controlling risk, based on previous PRA results and severe accident research. It should bc noted that much of the phenomena
) ,
! associated with the progression of severe accidents is not well understood.
Thus, considerable engineering judgment is required in estimating the realistic progression of such accidents, and disagreement exists among
! investigators. (On-going research is expected to help resolve much of the uncertainty.) In the discussion which follows, an' attempt has been made to' clearly delineate those issues which are subject to differences in judgement -
and those for which some data base exists. -
The format of this section consists of: (1) a listing of significant consnents generated as the result of the review, (2) a listing of conservative assumptionsandanalysisasdescribedinthePSS,and(3)asummaryevaluation which attempts to develop an overall conclusion regarding the significance and implications of individual elements in (1) and (2). The conservative assumptions are listed and evaluated in order to provide additional perspective, c 3 - 176
3.9.1 Coassents on MP-3 PSS Assessment of Accident Sequences This subsection provides comunents on Section 4 of the MP-3 PSS, as follows:
- 1. Pg. 4.2 Failure of containment isolation is considered as a containment failure mode. The probability of such a failure is quantified in Section 4.7.1 where a value of 10-4/ demand is assigned. While.the PSS argues that operation of a sub-atmospheric containment precludes the possibility of significant pre-existing undetected penetration openings, very litle justification is given for the 10-4 value. No fault tree is provided, and very little description is given of the isolation system.
While such a low failure rate may be justified, it cannot be evaluated from information provided. In view of the very important role long-term containment integrity assumes in the MP-3 PSS and considering the rather poor experience which has been observed with penetration / isolation systems (1,2) , it appears that further analysis'to justify the low failure rate is required (Reference 2 suggests a general failure rate for PWRs of 0.1 for leakage being beyond technical specification limits). -
3
- 2. Pg. 4.2-8,9 - A discussion of the likelihood and consequences of water being in the lower vessel cavity during the discharge of molten core material from the reactor vessel is included here. However, no consideration of the possibility that the contents of the shield tank could be oischarged to this cavity is included. The shield tank is supported by a skirt extending to the region beneath the reactor vessel.
It seems possible that thermal attack of this skirt by the discharge and accumulation of molten core material could fail the shield tank, allowing the contents to mix with the molten debris. This could increase the hydrogen generation for some scenarios and contribute to steam pressure spikes in the containment. The prospect of the failure of the shield tank skirt is discussed in Section 4.3, but no consideration of shield tank ;
failure is included. l l
- 3. Section 4.3.1.3 - In this section, the core overheating and melting process is discussed. On Page 4.3-7 and 8, it _is postulated that control !
rod materials would m'elt first and flow to the lower core regions, ,
3 - 177
_ _ _ - . , _ _ n ., - _ . .n , --- ,-
~~ l 1
resolidify, blocking channels and enhancing the nonuniform nature of the i core heatup process by blocking fluid flow (and, therefore, cooling) to j the hotter core core regions. It has been demonstrated experimentally (for example, Ref. 3) that the silver in the control rods would likely be released early (by rupture of the stainless clad) in the heat up process and that the silver would probably dissolve in the zircaloy cladding, <
destroying its integrity and causing the formation of undefined geometries in the core. This scenario is different from the process postulated in the MP-3 PSS and may influence subsequent assumptions regarding coherency of core heatup. c
- 4. Pg. 4.3-14,15 - Arguments are provided here to establish that significant pressurization of the reactor coolant system under high pressure degraded
, core conditions would not occur. The conclusion is based on CHF (critical .
- heat flux) correlations and steaming rates which are described to be very sensitive to pressure. Recent Sandia results(4) have indicated that "the increase in the (heated debris bed) coolability 1.imit with increasing pressure is much less than predicted by the current models. This result means that pressurized cores have considerably lower coolability limits under reflooding than had been previously thought." The implication of this result on the MP-3 PSS analysis here (and also in Appendix 3-A, In-Vessel Debris Coolability) is not clear, but the models used may be inaccurate.
l
- 5. Pg. 4.3-30,31 - It is argued here that an " offset" in the instrument tunnel leading out of the reactor vessel cavity would preclude the discharge of molten material from the cavity to the containment floor
~
(such an occurrence was postulated for Zion (5) , creating a large steam pressure spike in the containment). Figure 4.1-4 and 4.1-6 are referenced to support this assessment. However, these figures do not appear to show any " offset". Further, during the plant visit in October.1983, such a configuration was not apparent. In any case, more quantitative
, justification, with some analysis, seems required to support this assumption, which could be important relative to the assessment of ,
containment integrity.
I r
3 - 178
k
~_
- 6. Section 4.3.1.5 - This section covers the failure scenarios postulated for ,
the reactor vessel during core melt progression. However', there is no 4
consideration here (and none could be found elsewhere in the PSS) of the potential for primary system failures preceding reactor vessel melt-through. Such failures could have a significant impact on containment response and source terms. The most likely conditions for such failures are during accidents wherein the primary system pressure remains at or near the pressurizer relief valve setpoint. (Manyimportant sequencesresultintheseconditions.) Under these conditions, the entire primary system will be heated due to natural convection o steam through i the core. Additional heating would occur from release of ..ot hydrogen gas after metal-water reaction commences. Eventually, some parts of the primary system may become hot enough to fail under the elevated pressure conditions. Steam generator tubes may be susceptible to such failure,
- particularly if some are in a degraded condition. Such failures would be particularly onerous since a fission product pathway directly to the atmosphere (through the steam generator relief valves-) could result.
In a recent analysis (6) , the possibility of such failures was examined.
Steam generator tube failures as well as primary piping and reactor vessel ruptures.were examined. It was concluded that failure of the main coolant pipes would occur when the maximum cladding temperature reached a rather modest 1300*K for the station blackout accident scenario. (This calculation presumably assumed no prior degradation of steam generator tubes.) It was further concluded that the steam generator tubes would be the likely failure point if the secondary side were in a depressurized condition (which could occur from a stuck open relief valve or from operator action in efforts to cool the primary system).
- j. The Reference 6 calculations have not been reviewed as part of this effort. However, the results suggest a potentially significant failure mode which should receive further consideration. Overpressure spikes when molten core material drops into residual water in the reactor vessel lower plenum could also contribute to these failures.
[
3 - 179 i .
.'~'.....'.."'........Z..~..E_..T._._.'...LZ l . _ < : _ '. __ " " " _ ' ' ' ' '
' i. 2__..... 2 i
1
- 7. Section 4.3 - The MP-3 PSS analysis used Westinghouse codes for assessing the containment thermal-hydraulic conditions. In particular, "C0CO-Class 9" (Pg. 4.3-49), "CORCON-M001, Westinghouse Version", and "MODMESH" were useo .or various pnases of the accident. These codes are not described in [
detail in the MP-3 PSS, and very little information was provided to verify _
their capability. They do not appear to have been subjected to extensive ,
peer review or to have been assessed against experimental data. As a i result, the results have not been, and probably cannot be, fully evaluated as part of this review. While no obvious problems appear to exist, it is '
not possible to conclude that the analyses are valid. [
- 8. Pg. 4.4 It is stated here that containment electrical penetration integrity was " conservatively" assessed to be maintained up to .
temperatures of 400*F "as the lower bound". Reference is made to tests of .
CONAX penetrations (the MP-3 type) in which 400*F temperatures were -
withstood for several days. There is no referenced literature or test j details, however, from which to evaluate this result. In a recent l report (2) , it was concluded that CONAX penetrations should withstand at a
least 340*F for several days, and that leakage is unlikely up to at least 350*F. While these results are not necessarily inconsistent with the MP-3 "
assessment, they do not support the 400*F value as a consertative lower bound. -
The penetration failure temperature could be important since the results described on Page 4.4-37 (with incorrect figures referenced) show
}
temperatures approaching and exceeding 400*F.
J
- 9. General - There appears to be an inconsistent and somewhat confusing discussion at various locations in Section 4 with respect to the .
operability of the recirculation spray system without previous operation l of the quench spray. On Page 2.2.7-1 it states, unequivocally, that .
recirculation spray failure was assumed if quench spray failed. However, <
on Page 4.4-15 recirculation spray is considered operable for "T" sequences, and on Page 4.4-27 recirculation spray only cases are
~
considered for sequences AEC", ALC", SEC", SLC", and TEC". Furthermora, it is stated that for these sequences, the accumulator water would be ,
4 3 - 180 m - W.. . . . . . . . . ' .
available for these sequences when recirculation spray is actuated, but this water would not be available until after RV failure (and subsequent depressurization) and then only if accumulator water is vaporized and condensed on the containment walls. The question of sufficient NPSH for these sequences appears not to be addressed.
.10. Pg.-4.4 The production of C0 is mentioned here as a by-product of the concrete erosion process, but the combustion of CO as an additional energy source to the containment is not considered here or elsewhere in the PSS.
- 11. Pg. 4.7 It is stated here that the Millstone Unit 3 containment "is an open volume with no regularly spaced objects to generate strong turbulence." This assessment is used to argue that hydrogen detonation is not credible. Based on a tour of the Millstone 3 unit, just the opposite impression was obtained regarding objects in the containment; i.e., there I appeared to be many objects of various size, some regularly spaced, especially in the lower regions of the containment where the hydrogen is.
expected to be released. ,
- 12. General - Analysis of Recoverable Degraded Core Cooling Sequences Section 3, Voi, 7) - This section, in general, appears to be reasonable. While several questionabis and insufficiently justified assumptions appear to have been made, none of these seem overly significant. Further, the PSS consideration of recoverable core cooling sequences has very little significance to the results. For example, no change was made to the early fatalities since these are cominateo by the V-sequence which was 'xcluded from consideration (see following coment). The late fatality risk is also not significantly influenced since the major contributor is the V-sequence. The crre melt probability was only reduced by 36% due to consideration of recoverable degraded core cooling sequences as shown by Table 3.3-3(Pg.3.3-9).
I
- 13. General - There is no consideration in Section 3 of a recoverable degraded core condition in conjunction with the V-sequence accident scenario.- In view of the fact that the V-sequence accident was found to overwhelm
-(99.8% of total) all other contributors to latent fatality risk and is .
3 - 181
- t. _ (
also the single more dominant contributor to early fatalities, this omission seems significant. Further, there appear to be opportunities to interrupt the progression of the V-sequence accident and restore adequate core cooliig.
In view of the extraordinarily significant contribution of the V-sequence 4 to public risk as assessed in the PSS (see Section ), a rather comprehensive review of the accident and the corresponding PSS analysis was undertaken. Several deficiencies were found in the PSS assessment, one of the most significant of which is a misleading protrayal of the <
results and an unrealistic assessment of the accident probability distribution. These problems are considered at length in Section 3.1 and will not be repeated here. Additional apparent deficiencies in the PSS relative to the assessment of the V-sequence accident are described below: ,
- a. There appear to be discrepancies in the pipe and valve configuration assumed in the PSS for the RHR suction. This portion of the RHR system was found to dominate the probability of a V-sequence accident. The assessment of the V-sequence probability for this case is provided in Section 1.1.2.1.7 (Vol. 2) of the PSS. The configuration used in the assessment is reproduced as Figure 3.9-1.
O 3 - 182
]
}
i i
lI k HIGil LOW PRESSURE j ll l
PRESSURE PIPING PIPING sl Ful LMJ II x MV870lc gl2 klV8701 A ll T
/ 7' LC
/
'i
- l 11 I
Il l' g
i ll r
' INSIDE OU TSIDE CONTAINMENT ll CONTAINMENT E
ll I l
11 ii MV8702C
@ IMl !!
(
MV87028 PIB f
11
. ll 2 l
1; Figure 3.9-1 MP-3 PSS Diagram of RHR Suction i.
{
,i 4l
. E.
l 1
/
According to the Section 1.1.2.1.7 description, the accident would i occur upon failure of both valves in either pump suction line. The transition from high pressure to low pressure pipe is shown on Figure 3.9-1. Thus, rupture could occur inside the containment, but this is conservatively assumed not to occur in the PSS. (Ruptureinside containment would not lead to severe offsite consequences since the z containment barrier is not breeched.
Sased on an actual P&ID drawing (S&W drawing #12179-EM-ll2A-1),
Figure 3.9-2 has been prepared. This drawing indicates that a third ;
valve (MV8702A and B) exists in both RHR suction lines. Based on other plant designs, it seems likely that the transition from high to low pressure pipe would occur at the location of these valves rather than inside the containment. If this is the case, the probability of ,
the V-sequence accident would be reduced dramatically since a third valve, normally locked closed, would have to fail. (TheS&Wdrawing does not indicate the design pressure transition point.) If low pressure pipe is located between the inside and outside valves (as implied by the PSS assessment), then there is a possibility of a rupture outside containment. However, depending on relative pipe segment lengths inside and outside the containment, the probability of an outside rupture would be reduced over the PSS value.
- b. The PSS description of the progression of the V-Sequence accident is very sketchy, and some of the results seem unusual. If the accident were to occur, it appears that the pipe would rupture in the RHR pump cubicle. Following rupture, a high energy blowdown process would ,
ensue. This would likely cause pipe whipping and the generation of high velocity debris in the pump cubicle. It seems these occurrences could disable the operation of the RHR pumps even though they would be commanded to start following the rupture. Further, the high temperature steam environment would likely cause the pumps to fail.
If they were to operate under these conditions, they would very likely become flooded from the large amounts of water discharged to the area (from blowdown, accumulator discharge, HPIS, drain from the RWST to the break, and LPIS flow). J l
I 3 - 184 l l
I
. i
/ OUTSIDE INSIDE Refueling N CUNIAINMENI CONTAINKtNI Water .
% kJ kJ
.k J / fmm j r3 gg g 3 N rimary system
. M( 87018 MV 8701A MV 8701C 7
3SIL V1 High Pressure
\
Injection / ,
I 1
X Q[p133 MV 8812A
{MV8812B .
PIB .
! kJ /
5 kJ kJ
/ F1 i FT FT Nprimary system MV 8702Al MV 8702B MV 8702C .
Figure 3.9-2. MP-3 Simplified RHR System from S&W D-? wing No.12179-EM-112A-1 (4/14/82) ;
l 1
If the LPIS pumps were to fail, the core would very likely remain cooled from operation of the HPIS. The HPIS run-out flow, assuming operation of both charging and safety injection pumps, is 1700 gpm (Table 4.1-1,Pg.4.1-4). This is more than adequate to maintain
. core cooling. (In fact, the PSS states on Pg. 2.2-25 that one high pressure safety injection pump is sufficient to recover from a 6" ,
6 LOCA.) Assuming a refueling water storage tank volume of 1.2 x 10 gallons (Table 4.1-1, Pg. 4.1-13), the core would remain cool for 11.8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> if the drain from the RWST to the break location is either negligible or terminated by operator closure of valves MV8812A and j MV88128 (see Fig. 3.9-2). If the operator throttles down the HPIS flow to conserve RWST water, an even longer time for sustained core cooling could be realized for this scenario. Table IV-5, Pg. IV-31, indicates a radionuclide release time of 2.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> for t,he r V-sequence. This'value was apparently derived based on full capacity operation of the LPIS which would empty the RWST in about 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />.
- c. The scenarios described previously for the V-sequence suggest that the accident could be terminated or mitigated. (Noneofthese possibilities were explored in the PSS.) Since about 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> may exist before core uncovery occurs, it seems reasonable that an alternate source of water supply to the RWST could be obtained. If so, the HPIS could provide core cooling indefinitely, provided that these pumps do not beccme flooded from water injected into the LPIS pump cubicle.
It also seems likely that the LPIS rupture may become submerged early l in the scenario due to the large amounts of water delivered to the
! LPIS pump cubicle (see b. above). If core melt occurs while the pipe is submerged, a large fraction of the radionuclides released from the core would be expected to be secured in the water, greatly reducing the source term assumed in the PSS (Table IV-5, Pg. IV-31) for this l accident. Since only small floor drains were found in the LPIS pump cubicle during the plant tour in December 1983, it seems likely that the pipe rupture location would be submerged unless large openings exist in the pump cubicle below the rupture sensitive piping, o allowing spillover into adjacent areas. l 3 - 186
- u _ mum m y
The preceding discussion suggests that the V-sequence accident is a s complex event with many possible outcomes depending on assumptions made and operator actions taken. Figure 3.9-3 qualitatively depicts these alternatives in event tree format. As indicated by the figure, some 20 different outcomes appear feasible. Of these 20, some 17 would appear to result in lower offsite consequences (and therefore lower risk) than assumed in the PSS due to either sustained core cooling, delayed melt, or removal of radionuclides from a submerged rupture. The only scenario apparently considered in the PSS is No. 9 )
in Figure 3.9-3. Quantification of the event tree in Figure 3.9-3 )
would require additional effort and detailed knowledge of plant design features.
3.9.2 Conservatisms in the MP-3 PSS Assessment of Accident Sequences )
Table 3.9.1 provides a list of conservative assumptions which were found in reviewing the PSS assessment of accident sequences. As indicated in the
- third column, none of the conservatisms were found to have a large influence on the results, although in three cases the significance was undetermined.
l i
3 - 187
- v. ,
j e ?: ; err l- RWS7 drain A*.tz..;ze Rupture *
nated by Op stopped date: Source Mder Water
- 1) OK
- 2) late melt. low consequences
- 3) late melt, high consep ences
- 4) OK
- 5) intermediate melt, low conse-quences
- 6) intermediate melt, high conse-
. quences .
7'l OK ,
8h early melt, low consequences !
i
- 9) early melt, high consequences
- 10) OK i
'11) late melt, low consequences w -
_-12) late melt, hjgh consequences ' f 8 .
-13) OK
, 14) intennedtate melt, low conse- '
quences
- 15) intermediate melt, high conse-quences
- 16) OK
- 17) early melt low consequences
- 18) early melt, high consequences
- 19) very early melt, low consequence
- 20) very early melt, high consequ[ tac '
Figure 3.9-3. Exarr.ple Event Tree for V-Sequence ,
_ _. s , , m :
- a. h 4 g. mem3 Table 3.9-1
~
CONSERVATIVE ASSUMPTIONS USED In MP-3 PSS ACCIDENT SEQUENCE ANALYSIS Item Location Significance
- 1. Zircaloy oxidation proceeds to comple- Vol. 8. Pg. 4.3-6 Does not appear significant since tion prior to core slump. hydrogen combustion contribution to risk is not significant.
- 2. Computed concrete basemat penetration Vol. 8. Pg. 4.3-30 Not significant.
higher than expected due to different concrete type , etc.
- 3. Containment pressure from core steaming Vol. 8. Pg. 4.3-32 Does not appear significant since due to assumption regarding high heat containment overpressure failures sinks. from steam are not risk dominant.
4 Electrical penetration capability Vol. 8. Pg. 4.4-4 Does not appear to be a conservatism assessed at 400"F. as claimed (see comment 9 of this section).
- 5. Basemat penetration assumed to occur Vol. 8. Pg. 4.4-4 Does not appear significant.
when core melt reaches " popcorn" con-crete. Allows maximum time for over-pressure failure.
- 6. 20% of unreacted zirconium reacts at Vol. 8. Pg. 4.4-7 Not significant since large LOCAs are core slump for large break LOCAs. not risk contibutors.
- 7. Core concrete reaction begins insnedi- Vol. 8. Pg. 4.4-8 Unknown ately after bolloff of RV cavity water (no heatup period).
- 8. Conservative estimate of adiabatic Vol. 8. Pg. 4.4-9 Unknown burn pressure, l
3 - 189
, - , - . . . . . . , . . , ~ ~ , - . . . . . - . . ._ n . -,
1 l
Tabla 3.g-1(Continued)
Item Location Significance
- g. No credit taken for operator to resume - Vol. 8. Pg. 4.4-11 Probably not significant. Sequences ECC injection after recirculation affected are not risk significant.
failure.
- 10. Late predicted containment failures Vol. 8. Pg. 4.4-21 undetermined. Late containment fall.
(exceeding 1 day) are modeled as ures are significant contributors to 1-day failures. late fatalities, but the influence of containment failure time on risk (for late failures) is not known (see Note (1)below). ,
(1) According to Volume 1 (Pg. V-1) of the P55, all dominant contributors (45) to the risk of latent fatalities except the V-sequence (a 27.95 contributor) involve plant dancge state TE. A cording to Volume 8 (Pg. 4.4-25), the best estimate containment failure time for the most likely TE damage state is 2-1/2 days. However, the release time for Release Category M7 (which includes t%e TE sequences according to Table V-3, pg . V-25. Vol.1) is 20 hours2.314815e-4 days <br />0.00556 hours <br />3.306878e-5 weeks <br />7.61e-6 months <br /> according to Table IV-5 Pg. IV-33. These values are ,
inconsistent, and the origin and significance of the different failure times (including the 1 day modeling -
assumption in 10 above) was not evaluated further.
l j
i e
l l
O 3 - 190
.. .. v .... , .
3.9.3 Conclusions The major findings from review of the PSS assessment of accident sequences are as follows: i
- 1. No consideration is included of primary system failure prior to vessel melt-through. Consideration of these failure modes would tend to increase risks.
- 2. The V-sequence accident is inadequately considered in terms of opportunities for terminating and mitigating the accident. Consideration of these factors would tend to decrease risks.
3.. The remaining deficiencies: ,
Inadequate support for containment isolation failure probability, Lack of consideration of shield tank water being available to the RV cavity, No consideration of interaction between control rod materials and cladding, Influence of recent core coolability limit experimental results, Inadequate justification for assuming no discharge of molten debris in containment, Lack of assessment for codes used in core melt progression calculations, a
Electrical penetration failure assumptions appear nonconservative, Inconsistent assessment of cperability of containment recirculation sprays, No consideration of C0 combustion, Insufficient justification for assumption of no containment turbulence generation, Lack of justification for some degraded core cooling recovery -
assumptions, l
l l
3 - 191 .
_ t
. do not appear significant in terms of having the potential for influencing the PSS risk results as they currently' exist.
- 4. Kane of the conservatisms found in the PSS assessment of accident sequences were datermined to be significant. The significance of three conservatisms was not determined. ,
e 1
l l
i l
I 3 - 192
% e .< e l
l l
REFERENCES
- 1. 0;ata Summaries of Licensee Event Reports of Primary Containment Penetrations at U.S. Connercial Nuclear-Power Plants NUREG/CR-1730, D. W.
Sams and M. Trojovsky, EG&G Idaho, September 1980.
- 2. " Primary Containment Leakage Integrity: Availability and Review of Failure Experience", M. B. Weinstein, Nuclear Safety, Vol. 21-5, September-October 1980.
- 3. Influence of Variable Physical Process Assumptions on Core-Melt Aerosol Release, G..W. Parker, et al., ORNL.
- 4. Weekly Information Report - Week Ending September 9, 1983, to NRC Commissioners from T. A. Rehm, Enclosure E, September 9, 1983.
- 5. Zion Probabilistic Safety Study, Copyright 1981, Commonwealth Edison Co.
- 6. RELAP 5 Station Black-Out Transient Analysis in a PWR, L. Winters, Energieonderzoek Centrum Nederland, July 1982.
l I
3 - 193
, i 3.10 Dependencies This section presents the results of a review of the consideration and treatment of dependencies in the MP-3 PSS. The actual meaning of
" dependencies" is somewhat vague and occasionally inconsistent within the risk assessment community. Generally, dependencies can be defined as initiating events or system and component failures which are related to or have a detrimental influence on the probability of successive failures. Failures involving dependencies have been found to be very important to nuclear reactor risks, both in PRA studies and in actual accidents. The TMI-2 and Brown's Ferry accidents are examples of actual occurrences which have involved dependencies.
It is usu, ally convenient and useful to subdivide the general area of dependencies into more explicit sub-issues. The subdivision chosen for the purposes of the MP-3 review was that recently proposed by Fleming, et al.(4) In this case, three subdivisions are used, defined as follows:
- 1. Common cause Initiating Event - In this case, an initiating event occurs which simultaneously causes multiple system failures and/or degrades systems, increasing their unavailability. The most dramatic examples of this type of dependency are external events, such as earthquakes, which can cause multiple system degradations. However, some important internal initiating events, such as loss of offsite power, can represent important internal initiating events with dependencies.
l l 2. Intersystem Dependency - In this case, a system failure occurs which causes the simultaneous degradation (either failure or an increase in unavailability) of other systems. An example of such a failure would be theservicewatersystem(seeSect.3.6)whichcausestheeventuallossof numerous components which depend on SWS for cooling.
- 3. Intercomponent Dependency (Common Cause Failure) - This dependency involves the simultaneous (or near simultaneous) failure of components l from the same cause. This type of dependency is often referred to as common cause failure, a term which will be used in the remainder of this c i
3 - 194
%mm ummmmmu a section. 'An example of. common cause failure would be the simultaneous failure to start of pumps in a multi-train system due to seized pump shafts from excessive corrosion. In the MP-3 PSS, these three types of dependencies are not all considered separately. Rather, a discussion of each type is considered in various locations, wit! special cases of each type also considered. These discussions include the following:
Vol. 3, Part 1 of 4, Section 2, " Plant and Systems Analysis" (particularly Sections 2.2.1, 2.2.3, and 2.2.5),
Vol. 6, Appendix 2-C, "Comon Cause Failure Analysis",
a Vol. 6, Appendix 2-F, " Analysis of Common Cause Service Water Strainer Plugging",
a Vol. 6, Appendix 2-G, " Analysis of Common Cause Actuating System Logic Unavailability".
The remainder of this section evaluates separately the three types of dependencies as considered in the MP-3 PSS. External events and related dependenceis are excluded here, but are considered in Section 4 of tnis report.
3.10.1 Common Cause Initiating Event Considerable attention has been given to initiating event dependencies for r internal events since the publication of the Reactor Safety Study (12) , and the MP-3 PSS appears to adequately recognize the role of such dependencies ano appropriately consider them as described in Section 2, Vol. 3, with the following exception:
l l
- It was assumed that the power conversion system would be isolated and unavailable for all transient initiating events. This is a conservative assumption which is considered further in Section 3.1.
In actuality, it appears that the PCS would be available for many transients and could serve as a system for core cooling. .
3 - 195
(
i In reviewing Section 2.2, a nummber of inconsistencies and errors were )
found which appear to be minor. They are as follows:
- 1. Figure 2.2.3.2 There appears to be an incorrect double entry (" Failure of Either Pressurizer PORV Block Valve to Open") on this fault tree.
C
- 2. Page 2.2 The quantity Q (TK) in Equation 2.2.3.3-2 is not defined, andthequantityQ(TR)isnotinEquation2.2.3.3-2.
- 3. Page 2.2-50. Item 7 - Pressure relief failure during ATWS is stated to be dominated by failure of pressurizer reliitf valves to close. It is not clear how this failure causes failure of the overpressure function.
- 4. Page 2.2 For support state 7, it appears that a probability of 1.0 e was assumed for restoration of ac power after 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. This seems optimistic and does not agree with values on page 2.2-58 or page 2.2-69.
- 5. Page 2.2 It is stated here that "..only the loss of offsite power initiator was adjudged to have the potential for initiating an accident i and then influencing the accident progression sequence." The interfacing systems LOCA accident initiator is an even more important example of this type, wherein the LPIS is failed and the containment is bypassed.
- 6. Table 2.2.1.3.1-1 (Pg. 2.2-76) - Does not include the support systems which provide pump room cooling or lube oil and lube oil cooling for any plant systems. It is not clear that these support systems have been determined to be unnecessary for the plant systems. They have been found to be important in other PRAs.
l 7. Item 3 on Page 2.2.7.1 Indicates that cooling is necessary for high ,
pressure injection pumps. However, no such dependency is indicated in Table 2.2.1.3.1-1 on Page 2.2-76.
l l
j 3 - 196
._ _ = _ -
Vm m'i%?w i .
l
- 8. On Page 2.2.714B A loss of ac power scenario is described, with operation of the steam generator PORVs in conjunction with the turbine-driven AFW pump utilized to depressurize the primary system.
However, on page 2.2.7.148-2 it is stated that "...potentially the steam generator PORVs would be disabled by the loss of ac power...".
A number of conservative assumptions were found in the review of Section 2.2 even though on Page 2.2-24 it is stated that "The ultimate objective...is to present realistic estimates of public risk...". These can tend to bias the risk towards a high value and should be considered for proper perspective in PRA reviews. These conservatisms are listed in Table 3.10-1. The table includes the location in the PSS where the conservatism is described and an assessment of the potentia 1' significance.
w 3 - 197
=- . . _ . . . _ ,.. _ - . _ . - - , _ , _ . . _
l I
Tab 12 3.10-1 .
CONSEAVATISMS ~
Item Location Significance Comments
- 1. Using 8
- support states" to Vol. 3 Pg. 2.2-12 Undetermined 8 support states conserva-represent all combinations tively used to bound 72 states of support systems. initially identified.
- 2. Several actuation signals, Vol. 3 Pg. 2.2-19 Could be significant Pg. 2.2-20 lists examples of plant systems, and operator these.
actions not modeled. +
- 3. Some success criteria Vol. 3. Pg. 2.2-23 Probably not significant utilized conservative since important sequences
, F5AR analysis. utad realistic analysis.
4 PORV block valves assumed Vol. 3. Pg. 2.2-32 251 reduction in failure During Plant tour of Octs we closed during operation. and Pg. 2.2-52 of feed and bleed. 1983 PORV block valves were stated to remain open during operation. ,
- 5. Failure of RT-4 (manual Vol. 3. Pg. 2.2-4g Appears not significant.
orautomaticreactortrip) results in core melt.
- 6. All three pressurizer Vol. 3. Pg. 2.2-50 Not significant (ATWS relief valves assumed to sequences do not lift during ATWS. contribute to risk).
I
- 7. Operator assumed to Vol. 3. Pg. 2.2-59 Appears not significant.
isolate PORV in 10 min.
- 8. For non-LOOP transients Vol. 3. Pg. 2.2 60 Not significant.
and support state 7. DCP seal LOCA occurs.
1 i
J A
1 i
1 1
3 - 198
.. z.-- = x.=- = . .. _ = .. c ._. .. a ._ _ . . .: :. . .. a _. _: =.z ms =m t
0 Table 3.10-1 (Continued)
CONSERVATISMS Item Location Significance Comments
- 9. Credit not taken for Vol. 3 Pg. 2.2.7.1-4 Probably not significant to intermittent quench spray public risk since operation operation to preserve of quench spray delays or R5WT inventory. eliminates containment failure.
- 10. Accumulator failure Vol. 3, Pg. 2.2.7.1-5 Not significant large Large LOCA does have a minor causes core melt for LOCA accidents not risk contribution to core melt large break LOCA. Significant. (See Section -).
- 11. If containment spray Vol. 3, Pg. 2.2.7.1 6 Could be significant, but Pg. 4.4-27 of the MP-3 P55 l injection and quench it does not appear this indicates recirculation spray f ail, neither LPR5 asse ption was retained. spray is operable in the or C5A5 can succeed. absence of previous containment spray injection.
- 12. Accumulator failure Vol. 3 Pg. 2.2.7.2-7 Not significant to public Medium LOCA with accumulator causes core melt for risk since medium LOCAs f ailure not a dominant medium break LOCAs. are not risk significant. sequence for core melt.
1 i
3 - 199
~ '
- t
.~
l 3.10.2 Intersystem Dependency I
This subsection provides a brief overview of-the results of an assessment of the MP-3 PSS method of accounting for intersystem dependencies.
The Millstone-3 PSS uses support states to represent the dependencies of (
front-line systems on support systems. A major assumption in this method is that no subtle interfaces or interactions within or between the various support system trains exist. That is, the support system trains are truly
, independent and affect only the associated front-line system trains. This is ,
the design philosophy for the plant. However, other studies which have done more rigorous analysis of support system interfaces through the propagation of i
the connections through detailed fault tree models,- e.g. - the Interim Reliabi,lity Analysis Program (IREP) studies, have shown that this assumption -
- is not always valid. While there are no obviotis deficiencies in this area in the PSS, it is beyond the scope of this review to invest the required effort to determine if any subtle dependencies exist which were missed. There is no easy way to determine if anything of significance was omitted. This would require using fully integrated fault trees for each accident sequence or performing a separate component level systems interaction study.
Another problem area comes from the need to combine the many different.
l possible support states into a much smaller number of simplified support states. These simplified support states consist of collections of actual i
support states which are similar in their effect on the plant response, but not completely identical. The assumption made in the analysis is that they are similar enough to be treated equally and that the effects of any
- simplified support state on the plant response are taken to be the effects of ,
the most limiting actual support state in the group. This may add an element of conservatism in the analysis. However, this is a simplification which may or may not be valid and which is beyond the scope of this review to evaluate.
In either case, it can be stated that this treatment does not accurately represent the various possible effects and conditions steuning from the dependence of front-line systems on support systems.
3 - 200
~
wm M ..
~ ;
The above discussion points out problems with the support state method of analysis which would apply to any study which utilized it. As stated, it is not possible within the scope and time available to perform this review to determine if any of these problems are significant to the PSS. It is important to note, however, that other studies have demonstrated the potential ;
for errors to be introduced in this way. Support system interfaces have been j shown to be very important to risk and sometimes very subtle in nature. The support state method tends to treat these interfaces in a less rigorous manner than the use of fully integrated fault tree analysis. The use of the support
'. state method may inject additional uncertainty into the PSS.
As far as the application of the support state method in the PSS is
- concerned, the potential loss of dc power was not treated in the support states utilized. Although electric power was selected as one"of the support systems, the concentration was on the unavailability of the main ac engineered safety features busses. The effect of losing one de power train can be more far-reaching than the loss of an ac train in that it causes more equipment failures. Additionally, the loss of some or all de power following a loss of
) offsite power will have a significant effect on recovery of offsite power due to the unavailability of various control room indications and control circuits for breaker manipulations. It is generally assumed that in the total absence of de power it is not possible to recover ac power in any reas::nable amount of time. Although loss of de power is treated as an initiating event, its lack of treatment in the support state analysis is a deficiency in the PSS. In examining the significance of this deficiency, it has been concluded that the omission is probably not significant if the turbine-driven auxiliary feedwater pump can suc.cessfully operate without de power as maintained by the applicant during a meeting at NUSCo headquarters in December 1983.
j 3.10.3 Common Cause Failure Analysis The MP-3 PSS employed the Binominal Failure Rate model to assist in j quantifying the contribution of common cause failures to system failure l rates. Comon cause f ailures have long been recognized to have a very
- important impact on nuclear power plant system failure rates. This occurs because many of these systems have redundant trains, each of which are .
l l
l 3 - 201
(
generally of high reliability. Under these circumstances, common cause failures are almost always dominant contributors to system failures. Since .
conson cause failures have been very rare at nuclear plants, there is generally insufficient data to permit a direct quantification of connon cause failure contributions. As a result, various mathematical models have been proposed, and quantification of connon cause failures in probabilistic risk <
assessments remains an uncertain and somewhat controversial area.
Of various models to quantify common cause failures, two are generally preferred by the reactor risk assessment connunityIII. These are the ;
s-factor model and the Binominal Failure Rate (BFR) model. These two models dre similar, and for two redundant train systems they produce equivalent results. The BFR is somewhat more sophisticated and generally represents the state of the art in common cause failure modeling. Much literature is i available(1,2,3) which describe models. Thus, a detailed description will
- not be provided here.
It is important to recognize that the BFR and 8-factor models do not produce common cause failure rates from strictly random failure rates.
Instead, they require input from the analyst on the potential for comon cause failures. This is obtained usually by examination of data to determine which observed failure mechanisms contained the potential for common cause failure, or by actual use of common cause failure data if available. (Forexample,for a three-train system, connon cause failures of two trains can be input to the BFR model in order to compute the common cause rate for three trains.) These data can be from identical systems or, if data are sparse, may be inferred from data on similar systems. In any case, considerable judgement is frequently required on the part of the analyst in inputting data (or 1
i assumptions related to data) to the BFR or in deriving a value for a for the l S-factor model. As a result, significantly different results can be obtained by different analysts for the same system with the same model. Thus, while use of the BFR for common cause failures in the MP-3 PSS represents a generally acceptable state-of-the-art model, its use does not necessarily assure that common cause failures have been realistically estimated.
C 3 - 202 L
er- d=--=n-ernweemamre a=*%-2-e.amandsM 1 -
A general description of the MP-3 PSS common cause failure assessment is discussed in Appendix 2-C. This description appears adequate and includes a consideration of the important aspects of common cause failures. The Appendix includes a description of the BFR model and provides data used to quantify the comon cause contribution.
Two specific comon cause assessments are provided in the MP-3 PSS as indicated previously. These are common cause service water strainer plugging (Appendix 2-5) and best estimate comon cause actuating logic unavailability.
The SWS failure assessment and related implications are discussed in Section 3.6 of this report. Based on that discussion, it appears that SWS comon cause failure is not of cor.cern for the MP-3 plant. The assessment of actuating system logic appears reasonable.
In sumary, it is concluded that the MP-3 PSS common cause failure models are reasonable and valid. The actual quantification of comon cause failures is discussed, as part of the overall assessment of systera failures, in Sections 3.4 and 3.6 of this report.
S 3 - 203
--_..7 l
1 h
\
REFERENCES
- 1. PRA Procedures Guide, NUREG/CR-2300, Final-Report, January 1983.
- 2. Data _ Analysis Using the Binomin31 Failure Rate Connon Cause Model, NUREG/CR-3437, C. L. Atwood, EG&G Idaho, September 1983. r
- 3. Estimators for the Binomial Fdilure Rate Connon Cause Model, NUREG/CR-1401, C. L. Atwood, EG&G Idaho, April 1980.
- 4. "On the Analysis of Dependent Failures in Risk Assessment and Reliability Evaluation", K. N. Fleming, et al., Nuclear Safety, September-October 1983 (Vol.24-5),pg.637.
i
+
e 4 o
'3 - 204
.- mw l
m.+.
p 3.11 Quantification The purpose of this section is to review and summarize the approach used in the Millstone 3 PSS to quantify the frequency of the plant damage states using the results of the event tree, support state and fault tree models. The results of the quantification were assembled into the combined internal plant damage state matrix - referred to as the "M matrix." Each entry in the M matrix represents a conditional probability of a plant damage state given a particular initiator. The event tree for each initiating event was quantified eight times, once for each support state. Also considered is the propagation of uncertainty through the quantification process.
3.11.1 Development of Quantitative Results in the Millstone 3 PSS Plant system event trees were quantified by combining results into an internal plant damage state matrix - the M matrix. Each sequence in an event tree was assigned a plant damage state. Often several sequences in an event tree can lead to the same plant damage state. For a particular initiating event and support state, the probabilities of event tree sequences having the same plant damage state were sunened tngether. The sum is the conditional probability of a plant damage state given a particular initiator and support state. This sum was multiplied by its corresponding support state probability (or split fraction). The resulting products for each support state were added
! together for each event tree. The final values obtained in this process are l the conditional probabilities of plant damage states for a given initiator.
This process produces the entries in the M matrix. Each entry in the M matrix ;
corresponds to a specific damage state and initiating event. The entries of i 4
the M matrix as calculated in the Millstone PSS are provided in Table 3.11.1.
J 3.11.2 Quentification of Uncertainties Uncertainty analysis involves the estimation of uncertainties in the input l of event and fault tree models used to describe plant behavior and the propa-
! gation of these uncertainties through the trees. The authors of the Millstone PSS state that their study " attempts to better account for overall uncertain-ties by formally recognizing and propagating uncertainties originating from . l 1
3 - 205
= - -
(
..." 1) initiator frequencies, 2) system unavailability 3) core melt frequency, 4) frequency of containment failure, 5) uncertainties in fission productsourcetermsand6)uncertaintiesinpublicconsequences. Our objectives in this' review limit us to consideration of uncertainties in the first four categories. In general, we found the propagation of uncertainties from variances in individual component failure rates, to system failure more a traceable then the propagation from fault trees to event tress and plant damage states. .
The frequencies of initiating events at Millstone 3 were described by the ,
mean and variance of an assumed lognormal distribution. The frequency of connon transients was obtained using classical estimation methods. In these cases, the initiating event frequency was treated as a random variable, the distribution of wnich reflects inherent plant-to-plant variability. The s distribution parameters for these events were obtained by matching the moments-of the population data to the moments of a lognormal distribution. For those events which have not occurred, a Baysian approach was used. A distribtution is established which represents the prior state of knowledge abcut the frequency of a particular event. This distribution is then revised, via Bayes' theoram, to reflect observed operatiing experience. The resulting distributions are fit to a lognormal distribution in order to obtain uncertainty parameters. -
System unavailability (failure / demand) was calculated from the system fault trees using the WAMCUT computer code. The WAMCUT code uses the method of moments to propagate variance of individual components to an overall variance in system unavailability. The method of moments uses the moments of component distributions to determine the moments of this system distribution.
Random component failures and the variance in these failures were obtained primarily from the proprietary Westinghouse Data Base.
Discrete probability distribution (DPD) arithmetic was used to determine the variance in the plant damage states. Uncertainty in the frequency of core melt was obtained by propagating the variance in top events through event trees using DPD arithmetic. The uncertainty in the frequency of containment failure was treated using DPD arithmetic with input variances propagated from o y 3 - 206
the fault and event tree models combined with best estimate uncertainties derived from engineering judgement. According to the PSS, a discussion of the J overall uncertainty analysis is provided in Appendix L. However, regarding 1 the use of DPD arithmetic, all that was provided was a tutorial on DPD arithmetic taken word for word from a paper by Kaplan. No description was provided for how DPD arithmetic was used for Millstone 3. We were, thus, unable to review the specific procedures used to propagate uncertainties using DPD arithmetic for the PSS.
l l
l l
l 3 - 207
_7_- _
- (
TABLE 3.11-1 -
lettameL ptAWf Omew $7 Aft ISf0!I (nl*
PLAsf Omeet STAMS EC EC' E ALC ALC' AL C* AL ' EC E C' E $*t fettteters RC EC' RC* E l'L ftC ftt' ft VIC TE C' 95 VRC TRC* TE C* TIL T Success Large LOCA 1.95 3 4.14 4 2.65 4 3. 711 3 4.0E.4 2.69t.4' N.2E.7 0 0 0 0 0 0 0 0 0 0 0 8 0 0 4 0 0 0 0 0 9.94 1 neefse LOCA l.91 3 4.15 4 2.6e1 4 6.55 3 4.91t 4 3.05 6 2.45 7 0 0 0 0 (
0 e e e 0 0 e e 0 0 0 0 0 4 0 0 9.9E.1 Sas11 LOCA 0 0 8 0 0 0 0 9.75 6 2.85 8 1.9E.6 0 1.84 4 8.1E.6 7.30t.4 2.7E.9 0 0 0 0 0 0 0 0 0 0 0 0 1.0 Stem Genereter 0 0 0 0 0 0 0 6.55 4 1.4E.8 1.E.6 m Tees auptore 1.2st.5 6.93t.7 L24 4 3.92 9 0 1.ast.5 2.0E.7 3.0E.7 2.05 6 2.65 4 3.2E .7 7.04 0 3.aE.9 4.90t .10 2. 84t .l t 8 1.0 5temitne treat 0 0 0 0 0 0 0 2.98t.10 7.40t.13 5.80t tl 0 Instes Centalment 1.0E .5 1.0E.6 0.611 4 4.14t.9 0 8.7tt .5 2.918 7 s.80t.6 0 0 0 0 0 0 0 0 1.0 Stemitae treet 0 0 0 0 0 0 0 2.94t.10 7.80t .13 5.80t.t! 0 Outstee Centalment 2.2E.5 !.45 6 0.881 0 4.30t 9 0 6. 6E.5 3.311 7 1.Ct.6 0 0 0 0 0 0 0 0 1.0
- These are tenettional core salt protett11ttes and 331 to asittp1ted ty tas feittattag enest frogseacy to calcolate core melt frogseary.
tattleters Att ACC
- At ALC ALC' ALC" AL EC EC' E $'t EC SLC ' SLC' E 5'L TEC ftC' T1 V2tC VitC' v2t ??tt v2tC' v2tC* v2t v hccess Less of seacter 0 0 0 0 0 0 0 6.56t.0 1.41t.10 0.1 2 -31 0 Coelant Cyttam Flow 6.64t.7 3.9E -0 1.24 9 6.37t.11 0 2.18t 4 7.19E .9 2.20E.7 0 0 0 0 0 0 0 0 1.0 Less of mate 0 0 0 0 0 0 0 6.54t 0 1.41t.10 8.1E.11 0 Feedheter S.84.7 3.9E.4 1.27t.9 6.37t.11 0 2.1st4 7.19t .9 2.20t.7 0 0 0 0 0 0 0 0 1.0 Prteary to Secondary 0 0 0 0 0 0 0 4.56t.4 1.41t.10 0.1K.11 0 Power utamatch 5.60t.7 3.9EJ 1.27E.9 6.37t.11 0 2.lat4 7.19t.9 2.2E .7 0 0 0 0 4 0 0 0 1.0 furtine frep 0 0 0 0 0 0 0 6.56t 4 1.415 10 8.1K.11 0
- 5. set.7 3.9E .4 1.27t-9 6.37t.Il 0 2.1st a 7.19t.9 2.2E.7 0 0 0 0 3 0 0 0 1.0 teacter Trip 9 0 0 0 0 0 0 6.5M 4 1.41t.10 0.1E.11 0 5.68t .7 3.9E-8 8.27t 9 6.371 11 0 2.Itt.8 7.19t 9 2.2E.7 0 0 0 0 0 0 0 0 1.0 Care Penee 0 0 0 0 0 0 0 4.54t .8 1.41t.10 0.1 K .11 0 Escurstea l.6et.7 3.9E .8 1.27t.9 6.37t.II O 2.lat4 7.19E .9 2.28t.7 0 0 0 0 0 0 0 0 1.0
- C These are tenettional core melt protablittles and g to setttplied by tne tattletint event freewency to calculate core melt fregnewy.
3 - 208
~
TABLE 3.11-1 ._
IWiennL Mast SaumE Statt puntell tal*
RAsf Sanset statts leftteters EC- M C* E RC RC' R C* 4 EC . EC' N 11 SLC RC' R C* R 5 *L Tit itC' ft VEC VE C*
TE VEC TR C' v&C* V1 ? Success Seertees Sofety 0 0 0 0- 0 0 0 8.85 0 1.45 10 0.35 11 0 latestles S.M.7 3.M 0 8.23 0 L35 11 0 2.35 6 7.15 0 2.M.7 0 0 0 0 0 0 0 0 1.0 Loss of Offsete 0 0 0 0 0 0 0 1.95 7 4.2E.10 3.42 7 0 ponec 4.05 7 5.85 0 2.23 30 1. M -88 8 7.9E.8 1.05 4 1.5E.8 0 0 0 0 0 0 0 0 1.0 facere testemmat 0 0 0 0 0 0 0 9. 7E.4 f.5E.8 0 I.9E.8 Tate no tere 1.85 4 S.15 4 4.55 0 0 3.4at.7 0 0 0 0 0 0 0 0 0 0 0 1.0 laterfectag Systes 0 0 0 0 0 0 0, 0 0 0 0 LOCA v.Somose 0 0 0 0 0* 0 0 0 0 0 0 0 0 0 0 1.0 0 These are comettfonal care melt protestitttes ans 333, he seltspited by tse Insttattag ewat fremency to calculate core seit freeenEy. a e
3 - 209
g- - .. ... . .
_ (
3.12 Requantification Summary for the Internal Event Accident Sequences <
A simplified requantification of the internal event accident sequences contained in the new/ revised event trees presented in Section 3.2 was performed as a part of this review. 4 This section provides a summary of the input data used in the requantification and an annotated set of the event trees from Section 3.2 which show the numbers used for specific events in all' sequences whose <
frequency of occurrence was evaluated as greater than or equal to lE-7 per year.
The results presented here are necessarily based on many assumptions and <
subject to many qualifications. The reader is referred to Section 3.2 for a detailed discussion of the event trees, and to other sections of this report '
for additional information on initiating events, data, etc. That information is not repeated here.
The reader is cautioned to keep in mind that the support state metnodology used in the MP-3 PSS requires an evaluation of each event tree for each applicable support state. In most cases here, one or two support states (typically the support states numbered I and 2 in the PSS) are so dominant that it is unnecessary to evaluate the others. In the event trees presented in this section, we have adopted a convention to simplify the presentation of results: unless otherwise noted, numbers shown above an event line are for support state 1 and numbers below the line are for support state 2. Where an ambiguity might occur, the support state is identified.
The five tables and 11 annotated event trees which are shown on the following pages are listed below for the convenience of the reader.
Table Content 3.12-1 Initiating Event Frequencies 3.12-2 Support State Probabilities 3.12-3 System Failure and Human Error Event Probabilities e 3 - 210
7 _
Table Content
. 3.12-4 Offsite Power Recovery Factors 3.12-5 System Failure and Human Error Event Probabilities for the ATWS Event Tree
- ) Figure Event Tree l l
3.12-1 Large LOCA 3.12-2 Medium LOCA 3.12-3 Small LOCA 3.12-4 Incore Instrument Tube Rupture 3.12-5 Steam Generator Tube Rupture 3.12-6 Steamline Break Inside (& Outside) Containment 3.12-7 Power Conversion System Available 3.12-8a Loss of Power Conversion System (Support States 1,2) 3.12-8b Loss of Power Conversion System (Support States 5,6) 3.12-8c ' Loss of a Single DC Bus 3.12-8d Loss of Vital AC Bus 1 or 2 3.12-8e Loss of Vital AC Bus 3 or 4 3.12-8f Loss of a Single Service Water Train 3.12-9 Loss of Offsite Power (Support State 7) 3.12-10 Spurious Safety Injection 3.12-11 Anticipated Transients Without Scram i
l 3 - 211
Table 3.12-1. Initiating Event Frequencies l (Source: Table 3.1-3, Fifth Column) l 4
'i Event- Point Estimate Class Event Name Frequency (per year) 1 Large LOCA lE-4 2 Medium LOCA 3E-4 4 3 Small LOCA lE-3*
4 Steam Generator Tube Rupture 4E-2 5 Steamline Break Inside Containment 4E-2 _
6 Steamline Break Outside Containment IE-4 ,
7 PCS Available 7.24 8 Loss of PCS 2.32 13 Spurious Safety Infection 6E-2 14 Loss of Offsite Power l E-1 15 Incore Instrument Tube Rupture 4E-4 16a Interfacing Systems LOCA 4E-7 17 Loss of a Single Service Water Train IE-2 18 Loss of a Single Vital DC Bus 1.8E-2 19 Total Loss of Vital DC Power c 20 Loss of Vital AC Bus 120-VAC-1 or -2 3.5E-2 21 Loss of Vital AC Bus 120-VAC-3 or -4 3.5E-2
- Support state 1 only, 2E-2 for all other states.
i o
3 - 212
p ,,- - - - - .. . .-
.-- - . _ _ , . . . - . , , . , , - , , , .. n. . .
Tabla 3.12-2 Support State Probattltties '
( O ct M111stute taitt 3 P55 Tables 2.2.6.1-1 through 2.2 6.1-7 encept as noted) -
suppert state Probability
_ Initiator Type 1 2 3 4 5 6 7 8 Non support System l Nelated l .996 .004 2.6E-7 1.6E-7 3E-4 4.9E4 6.5E-8 9.6E-11 1
Loss of Offsite Power l N/A N/A N/A N/A .958* .04* .002* 3.6E-7 t
Loss of Single Service l Water Train N/A .999 4.5E-5 1.6E-7 N/A 3.1E-4 1.6E4 3.6E-11 Loss of $1n91 e Vital DC Bus N/A .999 1.6E-5 1.2E-5 N/A 3.1E-4 1.6E4 7E-9 Loss of Single Vital AC Bus (120 VAC-1 or -2) N/A .999 1.6E-5 1.2E-5 N/A 3.1E-4 1.6E4 7E-9 Loss of $1ngle Vital AC Bus (120 VAC-3 or -4) N/A .999 2.7E-5 1.6E-7 N/A 3.1E-4 1.6E4 9.6E-11
- Revised - see Section 3.6 e
3 - 213
r ..
T212 3.12-3 . System F.;11ure and Mumon Error Event Probabilities (Soure;t Nt11 stone teilt 3 P55 Tables 2.2.3.2-1 through 2.2.3.5-1 except as noted) ~
(
Support State System / Event 1 2 3 4 5 6 7 3 0A-1 I .02 .02 1.0 1.0 .02 .026 1.0 1.0 l OA-1 * .1 .1 1.0 1.0 .1 .1 1.0 1.0 OA-2 .01 .01 1.0 1.0 .01 .01 1.0 ' 1.0 OA-2-EIII .001 .001 0.0 0.0 .001 .001 0.0 0.0
.03 .03 1.0 1.0 1.0 1.0 OA-3 .03 1.0 OA-4 .02 .02 1.0 1.0 .02 .02 1.0 1.0 f I
OA-5 I .5 .5 1.0 1.0 .5 1.0 1.0 1.0 OA4 .01 .001 1.0 1.0 .01 .001 1.0 1.0 OA-4 * .1 .01 1.0 1.0 .1 .01 1.0 1.0 OA 4-E(II IE-4 IE-4 0.0 0.0 1E-4 1E-4 0.0 0.0 4 OA-7 .03 .03(2) 1.0 1.0 0.3 i.0 1.0 1.0 CA-7* ! N/A N/A N/A N/A N/A N/A 0.01 N/A i
0A-8(1) .001 .001' 1.0 1.0 .001 .001 1.0 1.0 l
OA-9(1) .5 .5 0.0 0.0 .5 .5 0.0 0.0 OA-10(l) I .001 .001 0.0 0.0 .001 .001 0.0 0.0 l
ACC 2E-3 2E-3 2E-3 2E-3 2E-3 2E-3 2E-3 2E-3 2
LP 2E-4 SE-3 1.0 1.0 2 E-4 SE-3 1.0 1.0 HP-1 IE4 SE-2 1.0 1.0 1E-4 SE-2 1.0 1.0 l
l O
3 - 214
1 3 Tabla 3.12-3 System F211ere and manen Error Event P*obabilities (Continued) -
(Source: Millstone lhtt 3 P55 Tables 2.2.3.2-1 through 2.2.3.51 except as noted) ._
Support State
System / Event 1 2 3 4 5 6 7 8 i MP-2 l .6E-5 7E-4 1.0 1.0 6E-5 7E-4 1.0 1.0 l
AF-1 1 7E-5 GE-4 6E-4 1.0 7E-5 GE-4 SE-2 1.0 AF-2 SE-4 SE-2 SE-2 1.0 SE-4 SE-2 $E-2 1.0 AF-3 i N/A N/A N/A N/A N/A N/A 3E-4 N/A 05 3E-4 8E-3 1.0 1.0 3E-4 8E-3 1.0 1.0 05lW-2 ,
7E-4 SE-3 1.0 1.0 7E-4 SE-3 1.0 1.0 R1 4E-3 5E-2 1.0 1.0 4E-3 6E-2 1.0 1.0 R2 7E-3 6E-2 1.0 1.0 7E-3 6E-2 1.0 1.0 R-210A-2 2E-2 7E-2 1.0 1.0 2E-2 7E-2 1.0 1.0 R-3 l 2E-3 4E-2 1.0 1.0 2E-3 4E-2 1.0 1.0 l
R-31R-1 l 1 E-1 SE-2 1.0 1.0 1 E-1 SE-2 1.0 1.0 l
R-31R-2 1 7E-2 SE-2 1.0 1.0 7E-2 SE-2 1.0 1.0 1
R-31R-2 + 0A-2 3E-2 4E-2 1.0 1.,0 3E-2 4E-2 1.0 1.0 RT-1. RT-2 3E-5 3E-5 3E-5 3E-5 3E-5 3E-5 3E-5 3E-5 RT-3 .01 .01 .01 .01 ' .01 .01 .01 .01 l SA 2E-6 2E-6 2E-6 2E4 2E4 2E-6 2E-6 2E-6
\ 1 TK l 2E-8 2E4 2E4 2E-8 2E-8 2E4 2E-8 2E-8 ll i
O 3 - 21 5
~
Tab 13 3.12-3 System Failure and Itsson Error Event Probabilities (Centinued) (
(Source: Millstone lhtt 3 P55 Tables 2.2.3.2-1 through 2.2.3.51 encept as noted) __
Support State Sntes/ Event 1 2 3 4 5 6 7 8 1
SL SE-3 5E-3 5E-3 5E-3 SE-3 5E-3 SE-3 5E-3 SLl(AF-2 + 0A-3) .1 .1 .1 .1 .1 .1 .1 .1 52 3E-5 3E-5 3E-5 3E-5 3E-5 3E-5 ' 1.0 1.0 580 SE-4 SE-4 SE-4 SE-4 0.0 0.0 0.0 0.0 58! 2.2E-4 2.2E-4 2.2E-4 2.2E-4 .024 .024 .024 .024 l
k Footnotes:
(1) From Table 3.5.1 (2) 1.0 for Loss of a Single Vital DC Sus initiator (from PSS)
(3) 4 f f offsite power restored within one hour (Section 3.2.3.1)
C l o l
3 - 216 ,
I
l Table 3.12-4 Offsite Power Recovery Factors (Source: Millstone Unit 3 PSS, Section 2.2.6.1.1)
Failure to
' Recovery Time Recover Probability 0 - 1/2 hr .33 1/2 - 1 hr .65 1 - 2 hr .59 2 - 8 hr .23 4
I i
l I
i 3 - 217
- (
~
l Table 3.12-5 System Failure and Human Error I Probabilities for the ATWS Event Tree Event Probability Scurce RPS (M) 1E-5' ATWS Rule RPS(E) 2E-5 ATWS Rule /
RT3 .01 Table 3.5-1 TT .1 PSS Table 2.2.3.4-1 PL (MTC-OP) .01 ATWS Rule C PL (MTC-0PlTT) .1 ATWS Rule AF1 7E-5 PSS Table 2.2.3.3-1 PR (S2) .3 PSS Table 2.2.3.4-1 .
0AB (HPI) .001 Table 3.5.1 OA8R (HPI) .1 Section 3.2.2.5 05 3E-4 PSS Table 2.2.3.3-1 R2 7E-3 PSS Table 2.2.3.3-2 R3 2E-3 PSS Table 2.2.3.3-2 R3lR2 7E-2 PSS Table 2.2.3.3-2 4
h 3 - 218
l ras ,, ace y es ,,, a-s s success I rosa;
- Mc (UL) 4f-y
- cs s-t> l ne. ) 2 uc*
(Jr-s j .
fif4)
- segetst
[0E'3) (<'E.g) s uc*
(,cE;.w) : frE-s) *u (sc.x; ca 0
3 m
- * *C 5 f2 C-s ) se Me.
~#A c4 g_,,
' fd'E- 5) f3 E ~4) er a jg:ProLTsfert 1 ~*2 **Mefss))ag_q fih-4) I
,','} I ('E -1) * * *c '
OE -4) Caoq)
(32 v> en-> E tre-s, r.aF-9) ,'$',~ly' as u
/
sutoar ca ss, 22 w J l'4 T
- 2.-
f Figure 3.12-1 Large LOCA Event Tree .*
1
4 g
o, si 3, W4
"' w 4 !
1., 4 m, I stc = =
8
=
8t lonRL=v2= vin.tvXvv=c ====w== '..
- ~ ~ - - - - - - s :: e : e s t e r s 22 '
? 44 33 www 4s
? ' S' O244 07 4;
r w u m r
su st t k w=
sw e>- 4 se.
-^ s, s s g
?
d i t- N a ,
.$d .$d' E5i.k!
m *
> m s,p
- 1 a. ,
9,w?. -
44 ws == w ,
$D %" D D DD E D
LaJ 3 h . .
?b b 4*
b ( a E
N i
s4 s5
\ L m S 3 m' u
v w w .
% E, K 'eJe 4
(ms
- 1 MD 44 et 1 b
= .
- m s OS 4
%s C
3 - 220
t Ft3 #8' ,, ,,, ari *** ,,, ...
Continued on Sheet 2
[#M (AG'~%) =
(3 g.2 )
, , $52) 4E-$
(, a l) (;g. ;}
(7f >) '
(Vf_ i)
< nos (353) $$*"9 ^
, success (gE-3) (2 E->) ; (yg.>} e ne*
(1E-5) ,n c y a ->>
e sucetst
('f-3 ) , me OA 3 i
f4 E->> ; (15->) se uc' (3 6 -V) c.rE->> _
(qg*g) - is wecen w (tE->> 1nE-s) in me=
, (GG-1) (GE L) ; ca >>
cro-~)
,, n u I'05) -
' ra r-31 s< we
.N. is wei f
- S) ',gDy3 rus-2) is u g_1 er weetn OA 1 fYS ' ne nc rr,rju (12-4) se At*
/2 f -4) f,w) ,, enn (lf 3) f$~' E si ata
\
Cs t -%)
\ f/E-t) 33 K (4.f 5) '
(sm-u) as us
< 7E-'I) ( {y; (fg-4)
- ra s-1) f 4'~ *]
a< ws' p o t)' *1 *
{16-S) crE-s) ****
(, oz) (004) ; (A E-% ) st ses' (ME- >) _ se n p s.c) * *)
,,g,,,, y ",," ,
(764) 73g -q)
' (2 E-3) n we' (4 E-d _ sa n (15-3) ss5& l.0') f2S~N 3Sq q (oz) {f G C *?)
t cy gure s --;_, ,'
s-.a n ;_c g ive-t Tree (Sneet 1 or 2,I a
0A-6-E 0A-2-E QS R2 R3 1A Success
~Y
' (16 3) 18 SLCVu"a')]sE C
f 7E >J 1CSLC'4CM1)/E.c (6 6 ->-) *D 2 C-7 c.rt ->) 10 Success
, C 5 E 4) lE SLC"
/96-3) ( 7 c.3J g f7E-t) IF SL (4E-2) I crS >)
1G SEC (tsJ) a s.f w
// f-3 ) / 3 E 2-) 1H SEC' (s.r.7) 4 E-7 From Sheet 1 " # # *)
i I') f 3 '~Y) 1I SE U Event 0A-2 (J E -s)
^' 1J SEC (s.rs) a t-6
(/64) (2 f 4) 1K SEC' (3 E 4) f Y' * *) 3L Sg
( I E- v) ~
r/S-3) l 1
Ffgure 3.12-3a Small LOCA Event Tree (Sheet 2 of 2)
I 1 f o , -
_ ______m_-_--__
Fes esa 54 ** ! MI 042 Os 049 4-2 4-3 Continued on Sheet 2 i a sucetst (3 E-1) 3 %c
(.s t) cis -2) , R.~ ,')
-
- uc' c . ,9 f.r) 5 success (76-4) (.r) a stem (SE-3) (_ ( (.2E-ag fl' c ~1E -1) _ ' 'l,L
<.c s .ss I7E-3) , se sLc OA 3
(,g).
(st-1)'f;f**),.nc* s2 sectiss (12 4) (.5) (7LS } ,
' 3 'L c '
%gcy) ae-v (. f> <u-v f;i rj ;;;;;
ta ( f) es sec 4
[-O h ; (.2E-sJ er sece m iH-b ,e s.g l 0 *[.03) (r.7f 4)
- E-3) R-1 to success (4f-3) ; O E -')
a* sLc
-0A 1 rse >> se uc' r.,y .D 1 !** * *) as secuss (if 4) (. c) tyt-1) 33 'Lc*
<"->> 'se- > , F n : 2 ,
l (.,,
//,6-1 ) C 5) as ste r.o w) ; ra r-s i ,, ,,,,
(VE-<// (7!-Y) ( * *) (G E *) ' -9L se s t (fE-3) , , , ,
- r.1 r-s) se uce (4E4){.0o4) (st -4) l 'f E- >> a, s.e (AE-L ) ( 9 2 -3) sa ,.g
(? E -!U ss ste
} (7E-4) , : (2 E-D se sec*
( ?E-6) l(3 f-4) ' 4 E ') as s r i
(VE - 3)
Figure 3.12-4 Incore Instrument Tube Ruoture Event Trat (Sh*et 1 of 2) -
L 7 77 -
6 E .
E 3 A E 1 V .l
)2 /
)2 S )3 5 S S T-U s S s ( (
(5 s e(
s c
- e c C 'C *
. c C C c "C 'L* L E E E C C E u L L uL E E S S S S S S S 'S 'S 'S S S 'S A 8 C D E 1Y1 G H 1 J K L R 1 1 1 '1 1 1 1 l 1 1
)
2
~ f o
U*
)> )2
~
O~ )1 V - )x )1.
2
' - - . t EE ' EE fg e r' "
3 R 3 V y e
( cs T h f I (3 { S
(
g' ,i g1 e
e r
T
)y ) )
x 7]* ~
' t n
- - ~ e 2
R 5f f v (7 fr f (7 I E e
- r t
u p
u R
9
) ] e A f. b O
( ]" f' T
u s
t n
) e
) ). )s m 3
)Y)b u
r S 4_ g E t
Q gE f E s n
3 f J f 3 / I
( f I f f ( e r
o c
I n
)
E 2
- 3 N -
a A
- E-
/
E' 4
0 f I 2 1
3
) e E
4 )4 r u
~ -
- g 6
E E i l / F A
0 f f 1
t 2
_ e -
e A h G S
t
_. m n o e r v
_ F E w'$
IIP 2 AF2 0A4 OA3 SL QS R2 R3 ET4 RT4 SA OA 6E 1 ,,g.,, s (YSZ)*E*Y"Y Ss 3 - r (.ov) (.?.c E-7) (t6-3) I ,fjEj), 5 *) s g ._ c (,,_,y 3 g.y ss Y n f.s") f2 G E-') ) { SEA) r i (pE-U f4E->}
o p w c! '
[gg .33 n G6 & 4 yyL H yz sc. (55.1) 46 A
~fVE-3)
'~
ffE~#b ! f5E 4)
(/E -'l) seY)- $ yf se,qssVy MC! IS)IE 'i7 (SE-3) .
's u r (3513 ft'7,(n2)s'i
(,y g -. ,) , g ee-: )
es e->)
(7E-4) 5 5#rFS*
(.PE-3) (7t.3 ) , s stes (4E -L) ' hp,*[j .' .5'.,,,,,
(7E~5) '***
(SE 3) (7, g.,y. I ( > E -s) se sace (gg 4) (SE-3) og 4) '#E*') es sucerss ti e-1) '*****
{f[ 3)
(EE-3) f 0' *N) (,, , 9 cst- s-)
. ,x ne etc (SS2)4E-7)(U#)*S*I I (DE-B) es egge
" (,5) (3[-4) M* ') ne et
- (OC-3) 89 enc
[*0 ' (5E-3) , I (1G-3) en race G
m (SE -3) l (3 2-4) l 'IE * *) ee en (J E-3) ao sucetss 28 ent (SE -3) I (AE-11 ag enge (c,; 6 4) <<4t s) , , , ,
/~ f) (SE.-1) (#E - 3) as success OA 5 as one
(.f) Iff-3) l ras -3) 3. ,ne.
( 07) (SE 3) (C,6-4) c 4 E -s) ,, ,,,
(f 6-S) ( ot) (!E \) a, ,nc (76'/) ( (g g spy $'!,**'**** ,
(9 E 3) se rec
- o ;
- f2E-51 sa sten l s
((,f U)
I (3g sl) C 4 E-*) s, gg (gg -5)
N~O ** '
(SE - >) :,,,_ ,
f 2 l) t vE s) u un (2 E 6) (SE 3) r(95 A ) ,, y G E-t-) ,, ,,e '
I~IE"N l (2 E-b) se sece (JE-4)
(7E-L) (4e x1 ao u (TG T l Figure .i.i2-5 Steam Generator Tuba Rapture Event T'ree a
u
l res sa ere sa wa wa sas OA3 ., .., .., , ,,,
( o /) 4 success
( e* e) a sacerss pry) , a me (ss1) /C-7,(ssa)16~7 ~
CSE-x)','; '), '***
c5 e.4) , e sucerss OA6E %'"
(fE-3) lhE-V ' (7E-M Cb * **) ' cre->> l , (,,gy;g g.7(592)aE-7 c.s - , : o -n .. ,,..
(.a s) 1 (J E.48) ( VE ->) ,, ,,
w (5fA); I ~N s
(C6 -X)
N m
te VEC QE -4.) , ; fat-s) ,g ,ges l Cte-4) l (3 2 -4) . (VE.u) 3,pg l ffE-3) g, suggggg l'
(4E-r) '
(1E~'/)
( 5t d) .
- ra 5-s) as fit 3e ,gg, cs E -1.) l ft, c 4) (VE >) sr og (2G-4 ) (8 6-3) se sq
(~ 04) ( A E- 4) se sqq f.cy) (~,co</) (7E -k ) m : (2 2-3) so tres
( 75 -!*) l[0 $~0 I 'IM 3s ft (36-.r) (TE 3.) as sa l (3 E.s) l Figure 3.12-6 Steamline Break Inside (& Outside) Containment Event Tree
't i
__ __ n - ~. -
s SB) S2 g;; PCS AF) %7 OS' gg R3 r 1) 1A Success ca.aj 18 Success .
2 Success y /7t9) EAhfhQtE-s.
) ,hl$f}
e ne.
s sneers,
' ef,,y f4 E 4) ,
(%4) 8 me= -
O " L*) I<>s.3y ' ers 2j ,*
(65-9
" M -'!) * * ' '
g,3,j ' ,er,E ~'/"") se-y '.
c.o y $$ l ~1) se er . l (3cs) l$$2', as aru, f7. W) <se .i> l,;f, -n
' 88 st i3 500 M ") r.**1) ,,g ,, /ss .v) 84 ggg O E )
Figure 3,3,__7 P wer Conversion System Availabie Event Tree
/
O __
wa ris sai see sa era si ear ,s .., .3 e as a success cyg-s) , s ne iss2)If-L}AtA) SC-7 w e mee (4g,#) c4 s.. z) = # ("9Er
~*) )
, s success to /7#-3) (PS-g) l(14-3) ,
e nca
@ (t,e-4) c 4 4 - a.) - (f' *n
"-E-*)
- )
/oU l ra e ij e see cssz)st-LfsN22 7
(.ov c6,s 4) c ar ->> , , , ,
(3 E-S) {! E-S) " * ' *
(q.ny (In 5) c3 E- S) ,,
(SE 4) r3 E.S)
(-1J')f*d4) (2 E.4) (Se O (AE4) l**
Figure 3.12-8a Loss of Power Conversion System (Support States 1,2) Event Tree 1
f a ... .
1 t
a i
1 I
try 3,, , ae' .. ,,, , a .3
- sueeres a succtss (1E-a) : r,r-u w tc.c-wy
- KC' f f E -a.) "
- [3 6-4) '
I (yg, g f5E' ) (7En) . r, < , eg N
@ {fE-4) c c. ,
.K
{far.~ sy i
f.og) ' '
- Ch)
- E -T l
sop p r*7A7e y * *} l' f ~) ll" ^*) s tre, DE-F) , f,s
(, g _,y
- r. ) (.n) na sa l
l'O C31)f.e4) (a y.4) fg ,
(3E S) ****
88 ses
(.t c- v)
N[
SuPMrp b 4
1 Figure 3.12-8b Loss of Offsf te Power (Support State 5 & 6) Event Tree i
/
l 1
1 i
l erif s. s sa .. .,. , .s ... ... , ,,,
2 suCCtts
, a ac ,
e aca
, s success
, y l , e aca o c/,E-V) '
'a e ste(S2)&f-l*
c f. ,) 'p,,_,)
, (, , _ ,3 s ree'G5>))2 E-7iE-se et cssy r3s r) " "'"' t sa sa r3e_rg
( ' ') {sE-e '* ***
(2 E -4)
B F.2 SS3 9 f. os) { /. 4 E ~ C) ( L E -4)
SSq 4 (,or) t' /. 1 E S) = l E-7 t' TC)
Figure 3.12-8c Loss of a Single DC Bus Event Tree
- 1 i
o -
+ _ _~__-_-____n_ __
i i
1 t
I i
l l
4 1 .
j I
Er2O Set See $2 ein we SAF et e-3 a.3 e guests 2 Sutetst
, a%e(ss>)JE-L
" (c,E->) '
e ne*($C3) IC-Y e ,
(JE -2) ggg 1
, y cfC-Q I - ***'
cit-4) l" *)
cct-1) , e (ssa) IG-L l .
" u g_,, e ree*
C "3) ee se (514) it ~ 7 (EE-U 88 4'us
(,y_,y O E-s) na ss
(.ot) (SS4) sa ses
- i. .
(.lE 4) l l
ss3
- C
- 7) O.s e c) < s r-v)
\' ss el m (.0,) (1 2 E -5) =. p g. y ME) j -
i Figure 3.12-8d Loss of Vital AC Bus 1 or 2 Event Tree f
c o
- s. s. s 4
,4, % ~.
1 RR 7w w
E 23
- 3 v
(
eL u. eL I 11v**% *WerezzIs-
-~ ....... ...
2 2 7 .
4 m w w s
. Y Y g I.
.., w u v st >-
. % 9
.- .-~ '% y c,
- m e m
es
, DN i ta t $s $%s w y s
+
3 na. . m o
M g s
' Q\
v %% E ce m, a e% r -
- 9 . -
4 0 %. s% 3 o -
\) >
C. UY o w . . N C e> 3 e
m .a a, c5 I
. . . n w ~
C d o
e L c
g >
$ a l
3 C1 w "
S .
2i 3
4 N .
N.
er n
.a0 %
4 -%
1 3 - 232
i
! rid sei sea sa .,, ,, ,, ,, ,,, ,,,
. s===
i l , a sentess sehss ) 7E-7 l w *"**
{'84) ' rs e->J s success E! (f E-3) I , e aca (66 */)
SS >) , "* ' *l *n e ree Or>J */f-7
- r. o s)
(yg.sj
" m .x) ** *t 1I 48 tis
/ { f.5) 93 st
! GE-K)
} ( *2) <ss I) ea see ne see
< n-4) i j .BTW SS 3 m (.o v) ( Y. 47 f - S') ( l E -+)
^
1 55Y 4 ( M) (f.{r E * ?]
l - .
l Figure 3.12-8f Loss of a Single Service Water Train Event Tree
- i . I
^
d
?
rge n's WI Ele [ite ,W3 92[.d) OAP es 4-2 R*: a sucetss 2 sweets:
e.3r) OA 7, .
c>e s; , r 7 s '> == <
4 ste' gg y ,4) _ s success
(.4) a ste
i(? E-3) , ( 7 e >) , 36 e ste(SS7) 12 ~
- (1 E-3) f.ol) (') 6-4) s sucs so st il succtss
- t2 sucetss
~~
OA 7' I7 #'O : / 76 >> Ns i is succtss .
/.O (3gA)b61),f2E->) is seca
.1 su
(*s$-}
i
.. ste(ss7)> G-7
[.0/) l ( 16-3 ) i, ste' (3 E 4) ao sg og/(.77) 2src.Of7)16-f
( Y>) 11 E '-)
22 sgc.
[= 1 Y 23 $ C[.157)(j 04
[.b 24 success 2s succes!.
3' c OA 7 t
(, E-3) lf7 e >) 2r ste' (3 E,4) 2e succtss
[.8/) ( 7 E -3) , 29 socd
,g 31 see
(, 3[) [ O' I f L E *' ) 32 stc'
/36d) 33 st g 34 success 4 --
3s sLc S.MpE 7 ( 7 E -3) l / h E L )se soc'
$(y g,4) 37 succtss
[$ $' # * * *
(;</[)
() 0-0 g ,y 0 ste
[,43) 1 H( 2 d-s>_ . ste.
l'( 3#-d 2 st
<3 rec (ss,)!!*
(,41) l ( 2 p_ ,3 ) ,, 7gg,
[*fg) (4 E 'I) as et 05'(,y) <s 'ne(3ss) n?-(
[.59] f 28)
-- (2 E -3)
<r rge.
.. re us,) 3e -
49 tre
(* b5) _
l f2 E-3) so rgge (3 E 4) ,, ,e b 6"-b s2 'tc
- f. f) y (2 E-3) g3 pgg, GM)
I.
/3 f 'd s. rt ss et Figure 3.12-9 Loss of Offsite Power (Support State 7) Event Tree .
3 - 234 1
l I ris sei soo sa are we OA6 OA3 es e.: e-a , m.,
A success i a success
/YE 'kl
- RC
" x (2 E >)
, men
' OE-4)4g,g.y) "#~ " * '*ct**'
OA6E C TE- 3) (2E-5) '***
i u c' ->> ; -(.,g-~4 ,, ,,, ess.o ic- r c.,} l r.tF-O 4 A race (yE f} c.*s) NE- *) ne se i
! {G6-4) '(3 E '*' -') 4) gg use ctM) ( 1E-Si ny rues c/C 4) ( 3 E *l) ( 4E->) sto se
{ (3 E-S) (! C-n 4 asus
\ l*#'l (3E-f ) f3 C~5) 83 S3 Q g ../) t3x-1) ee see
( 0') (.0"") (.a E 4) {SE -4) es ses
(? E ")
i 4
l Figure 3.12-10 Spurious Safety Injection Event Tree
.l' O
8 . Ea4 .aIs'as . nts . vt . m.ek **
ass . cE .j'd,$ . os e n . n. M'$ d s aus. ass 4-a e ao \
' s e. us
, e ves-
- J' TSS# ,
3c+ -
y res 7 g (~ ,
. 2 E-7 erm"
.1 _ ' * "Y q rr 3,6.$
= sen
'#I I1 E -3 *,, ses o !
3E-4 :s sr ';-
,3s uau i ' **-
.de / .1 E- 3 ,
1E-f a re
.of a s-sou oAg4 se sas 1
7F-3 ,? E-L*g ,,,
i 3 E -V , 4.ue i7s-3 i
's sa.'"
i 3 7 E-2. u st aa sac,
- I 3g j M 2wses*
,1 at st 3 T*L
- )g.[ ,1
- E- 3 ,, rn o 3 c_ -4 ,,
1 ao ses
./ ;3 ,,3 ,,,,
3 e, -4 -5 JA 488ddrJf a re.
d'l ! 1 E 3 y re,,o 3E-4 y r, at ret
.1 nE f ,3 E-Y
- te-3 ,,,,,
m rr
- su 15~f
- si ,*3 es csca 3g,9 w se em s-o.u
,7 w ,,.
.ooI ? :. E -3 w ,,,..
3 E -4 er ve i / u r.aus g 2 -b a ***
cAte- w -3 , 7 E -2. , ,,
,9
" 5 = 's 3 E '/
7E-3 a sac.*
- 3 I 7 E- 1. ,, u
,9
-a ses 3 E-T
. l ,i 3 r -y ! 1 E-3 h ,,,,
-sv sa
- sr 786
'l 16 -) M ,, ,,,.
3 E-V <7 rr n see iE ~j
' 1 E 3 g su.
.I s s 'f on se .
l Figure 3.12-11 Anticipated Transient Without Scram (ATWS) Event Tree - ;
3 , 236
! t i 1 l I
~
3 -
l 4.0 External Event Analysis
-) The approach to the evaluation of external events taken in the MP-3 PSS included a screening analysis of a number of external events to identify those whose frequency of occurrence and consequences were significant enough to warrant additional detailed assessments. The screening evaluation reported in
, PSS secticn 1.2 addresses earthquakes, fires, external flooding, internal flooding, extreme winds, aircraft accidents, hazardous materials, and turbine missiles. Only earthquakes and fires survived the screening analysis and were subjected to detailed assessments, which are reported in PSS Section 2.5.
?
Our review covers each of these subjects in the sections which follow.
In general, the range of external event types considered in the PSS is reasonable and consistent with the external events assessed in other PRAs as well as those suggested by the PRA Procedures Guide.
The methodologies used h: these assessments are also generally reasonable and consistent with the state-of-the-art: notable exceptions are described in the text of this chapter.
We have numerous disagreements with the application and execution of the selected methodologies, both in the screening evaluation and in the detailed assessments. These areas of disagreement concern completeness, conceptual and logical errors, data, and the treatment of uncertainty. Examples of both conservative and optimistic treatment of the parameters are described below.
In particular, important areas of disagreement exist in the evaluation of seismic events, external flood, and fire which are considered likely to significantly increase the calculated core melt frequency for these events.
4-1
(
~
4.1 Seismic Events
- The methodology used in the PSS for the evaluation of seismic events is generally consistent with the state of the art of commercial PRAs, except for 4 the evaluation of fragility. The methodology used, however, is not found to be acceptable.
I We have numerous disagreements with the methodology used to develop the (
hazard function (s). We find that the mean and median values of these functions are optimistic, and that the uncertainty is underestimated.
Numerous conceptual and logical errors in the fragility assessment led us to develop a lack of confidence in the adequacy of this analysis, in spite of many conservative assumptions that are evident, chiefly in the structural fragilities. Our concerns oo further than these conservatisnm, which were acknowledged in the PSS and with which we generally agree.
The PSS did not provide an adequate description of the methodology used to identify or estimate the probability of initiating events. We believe that important initiating events may have been omitted from the PSS and that the probabilities of those included may be optimistic.
The methodology used to condense the internal-initiated plant logic models to the seismic-initiated plant logic models was difficult to follow and unconvincing.
We have numerous points of disagreement with the calculational methodology l used to assemble hazard, fragility and plant logic models:
1
- The evaluation of seismic hazard and fragility contained in the PSS were subsequently redone by NUSCO contractors. The review of the original hazard evaluation is described in this section: the revised evaluation was not included in the scope of the review. Both fragility evaluations were reviewed. The reports of these reviews are included here in Appendices A and B, for the revised and original evaluations, respectively.
4-2 C
3 .
Correlation ~ of seismic response was not included in the calculation of --
initiating event probabilities, which leads to optimistic estimates of these probabilities.
Correlation of seismic response of components in the plant logic model was not included in the calculation, which leads to optimistic estimates of the probabilities of core melt and radioactive releases.
s Correlation was not included in the uncertainty analysis, which leads to an optimistic estimate of uncertainty.
The uncertainty analysis was performed only on the dominant seismic accident sequences which were based on simplified plant logic models from the internal-initiated analysis, so that both the results and the uncertainties are likely to be optimistic.
The uncertainty calculation did not include the sampling error that results from the use of a five-element vector in the DPD arithmetic, so that the uncertainty results are optimistic. -
The methodology used in the dominance study included only random variability in the fragilities. It did not include the total variability; f.e., randomness plus uncertainty, thus making the results unconvincing.
The results of the dominance study are seriously flawed by limitations in the state-of-the-art of fragility assessment. Uncertainties in fragilities make it difficult to conclude that the correct conclusions can be drawn from simple dominance studies.
4.1.1 Seismic Hazard Assessment 4.1.1.1 Introduction The seismic hazard curves used in the Millstone PSS were developed in Appendix l-B of the PSS Report by Oames and Moore. For ease of reference this Appendix will be referred to as the "D&M Report". The seismic hazard analysis presented in the D&M Report contains a number of errors in the sense that the text does not appear to agree with the calculation. In addition the D&M 4-3 o 1
l
Report does not contain sufficient information to allow an adequate evaluation -
)
of the results presented on their own merit. To overcome this difficulty, an independent seismic hazard analysis was performed for the Millstone site. It was possible to do this in a timely and cost effective manner because Millstone was one of the sites examined in an earlier seismic hazard evaluation for SEP plant sites (Bernreuter(1981a)). Consequently the input data needed to perform a seismic hazard analysis was available.
This section first discusses the review of the DB,M Report and describes its major deficiencies. This is followed by a brief discussion of our I
independent hazard analysis for the Millstone site and the implications of this analysis for the PSS.
4.1.1.2 Seismic Hazard Model The seismic hazard model used in the D&M Report is the model described in McGuire (1976). The McGuire seismic hazard model is a typical seismic hazard analysis model and incorporates the usual assumptions. While some of the basic assumptions, e.g., that earthquakes occur in time around the site as a Poisson process, are questionable; they are generally made in analyses of this type and sufficient data does not exist to allow the use of more realistic models.
In a probabilistic analysis, one of the most important and most difficult tasks is incorporating the uncertainty in our knowledge about the key input parameters of the model being used to assess the seismic hazard at a site.
The major difference between the 08,M Report and the SEP study (Bernreuter (1981)) lies in the treatment of uncertainty, i.e., how uncertainty bounds are obtained and how uncertainty entered into the analysis. In the SEP study ten
- . experts were used to provide a range of input data. This resulted in ten different overall earthquake occurrence models-including models very similar to those used in the D&M Report. Examination of the data provided in Tera (1980) and Bernreuter (1981b) shows that significant differences about all of the input parameters exist between the experts used in the SEP study. A new study (Bernreuter et al.,1984) currently in progress at LLNL for NRC-while 4-4
- l still in its pralisinary stage-rectnfirms the conclusicn that there is ~_.
- significant difference between experts about the zonation and choice of seismicity parameters for the EUS. -
The use of Eq. (1) in the D&M Report relating magnitude to intensity is not appropriate. The relation given, I M = 1 + 0.67 I, (1) l was derived for the western U.S. (WUS) and the magnitude M is the local (California) magnitude defined by Richter. In the eastern U.S. (EUS) bodywave m or ne second L wave magnitude is generally used, and the relation b g I, = 2gg - 3.5 developed by Nuttli is often used.
4.1.1.3 Seismic Source Zones ,
One major weakness of the D&M Report is the limited number of zonations
~
considered in the analysis. Only four sets of zones were considered. As o noted in the previous section, there is a considerable difference of opinion as to how the EUS should be zoned. This is particularly true for New England. The geometry of the problem (i.e. the shape of the source zones) is a relatively unimportant parameter other than~ how it affects the choice of the seismicity parameters ured for a given zone. The judgement of the adequacy of the zonation cannot be uncoupled from the assignment of seismicity parameters.
The weights assigned seem a bit strange -(.2, .34, .23 & .23), and they are not justified in the report, but this is only a minor consideration as they are nearly equally weighted.
4.1.1.4 Seismicity Parameters Three parameters are required to define the earthquake recurrence model for each zone:
4-5
A, = number of earthquakes occurring larger than some minimum 1 magnitude M,.
b = slope of the relation logN = a - b(M or I) (2)
M u
= largest earthquake that can occur in any given zone.
The hazard curve is relatively sensitive to changes in any of these parameters.
One of the important parameters is Mu . The text on page 5 of the Dr.M Report suggests that M was taken as a MM Intensity of IX and a magnitude of u
6.25. However use of I, = IX in Eq. (1) would lead to a magnitude of 7.0.
It would appear that a different relation was used to convert epicentral intensity into magnitude, but no explanation is provided. -
t Another problem is that the ground motion models used in the analysis are all in terms of magnitude. However the activity rates and the b parameter of Eq. (2) are expressed in terms of intensity. It is not clear where and how the transformation to magnitude was made. A significant difference in the i results can occur depending on when and/or where in the analysis the transformation is made.
No information is presented to allow an assessment of the activity rates
! presented in Table I of the D&M Report. Our experience has shown us that estimating both the activity rate and the b parameters for any given zone is difficult because of l
Differences in historical catalogs, and o
o Judgement as to how to correct for the incompleteness of the historical record.
Such factors can easily lead to differences of factors of 2-4 in the activity rates. Although not explicity stated, no uncertainty seems to have been assumed for the rate parameter in the analysis. This in our view is an unacceptable assumption.
c.
4-6
4.1.1.5 Ground Motion Models 1
'Only two ground motion models were used. The first model is attributed to Nutt11 and Herrmann (Eq. (3) of the OtM Report) and it appears to be in error. Because no Nuttli & Herrmann citation appears in the reference list it is not possible to confirm this relative to the particular Nuttli & Herrmann ground motion model used. However, Nuttli consistently models the ground motion relation, e.g. Nuttli (1979,1981), in the form 1
A(R,f) = A,(f) R-5/6 exp(-yR) (N) which is consistent with accepted theoretical models. For the EUS this leads to values of y on the order of 0.003. If Eq. (3) of the DtM report is converted to the form of Eq. (N) the y value would be 0.0074 - much higher (optimistic) than is generally accepted.
The text of the OtM Report states that when R was less than 15km, peak acceleration apwas limited to a constant value equal to the smaller value obtained from OliM Eqs. (3) and (4). The problem with this is that for Eq. (3) apscales as exp(1.15 mbLg) and for Eq. (4) o ap = exp(.933 mgg)
Clearly a major problem quickly arises in that a significant discontinuity would occur. Although the ground motion plot shown in Figure 5 of the OtiM Report shows no such discontinuity, it is evident that the limiting R is much larger than 15km. It is not clear what model was used and what the basis is for the model used. The Of,M model, however, effectively reduces the seismic hazard con.puted for the Millstone site.
The other model used is the Campbell model. It is a reasonable model similar to the Nuttli-Herrmann model. However, neither the Nuttli-Herrmann model nor the Campbell model are based directly on EUS data. In fact, both
- were derived using the same set of semi-theoretical assumptions. We therefore find it surprising that none of the many other approaches to developing EUS ground motion models (e.g. see Bernreuter (1981a)) were used. Figure 4.1-1 ci 4-7
- .... n a- - -
= - - -
0 shows a comparison of the results from a wide variety of models that use -
various acceptable alternatives. By acceptable, we mean that the methodology / data used to arrive at the model is reasonable and (at least for the set of models compared in Figure 4.1-1) at least one member of a panel of ,
experts in modeling of EUS ground motion deemed the model a possible
- alternative. See Bernreuter et al. (1984) for further discussion. This
! figure, which shows peak ground acceleration vs epicentral distance for the magnitude values of 5 and 7, illustrates that there is considerable uncertainty in the ground motion modeling process and supports the point that the +20% factor used in the Of M analysis is low. The models used in the 08,M study are (in our opinion) two of the "better" EUS ground motion models. But as noted in Section 4.1.2 one element of a probabilistic analysis is to ensure that the uncertainty has been bounded and included in the analysis. This has not been accomplished in the DtM selection of ground motion models.
There is also a question concerning the use of " sustained" acceleration as the appropriate measure of ground motion. We note that the study by Nuttli (1979) which examined the concept of sustained acceleration did not find that it improved the correlation between observed damage and the ground motion parameter used.
4.1.1.6 OtM Results l
l The final hazard curves used in the PSS analysis are based on 36 runs-4 u/b values and a variation of +20% in the ground motion maps, 3 sets of M model. In our opinion these 36 hazard curves do not adequately bound the
{
l a
4-8
. e _
t 4
- to ,.
~
10 -
s
- s . l
~Nm m\ %, %'^%A co: N'- -Y's t' T*g N s M SN h, 10 < - - -
N N % _2- U
, - h'.w %sg -
I e, N
\
gh ,*g\
'_- N
. -. d% %---- _ . g g,
N r- s v,.g,,,e, x v',:
N H- '~'h's- 4 "h NN \ 'k%h
\. .
=_.1 1
'*M%N Ahy, s \%w\ ns d 10 -
int,=S s N 'g . s, y9=
u ...a . yP
< O*'% %s .
g
- 4.w v::..Q'g s
<.u WS.'0'gA' 3
,w w a 'Q, QS %ky 3 9,\\-
O t.,
10 - Y ,
\ .
~.y\
1
- i t
-1 * ' ' - '
'i 10 o - N to o o o o DISTANCE Figure 4.1-1 Possible Ground Motion Models for the Eastern United States -
9 1
4-9 i . .
L - -- _ -._______.-___-. ___ _ . . _ _ _ _ _ _ __ . _ _
- e. -- -n ~. . __ _
=
_ i uncertainty. Considerable variation should have been applied to the rate of -
earthquake occurrence in each zone, a much larger variation in the ground motion models should have been used and additional zonations considered. In addition, there is some question about the " correctness" of the analysis as it is not clear what equations were used.
The real problem does not lie in possible errors that have been made or in the particular choice of any one set of parameters of the hazard model. It is in the very limited set of models used. The results of the SEP Study (Ref.
4.1-2) show that there is a much larger uncertainty about the seismic hazard in New England than obtained by D&M. It is of some interest to note that the latest USGS Study, Algermissen et al. (1982), would put the 2500 year return period peak ground acceleration at about 0.25g, or 0.2g sustained. Although this estimate of the hazard is at the upper bound of the D&M hazard curves
, shown in Fig.1.2.1-1 of the PSS, it is in reasonable agreement with the results of the SEP study, as described below.
l 4.1.1.7 Comparison to the SEP Results Because of the deficiencies of the.D&M analysis outlined above, the median seismic hazard curve obtained from the D&M analysis is sigr.ificantly lower than the seismic hazard estimate obtained in the USGS's most recent study. In order to evaluate these differences, it was necessary to perform a limited seismic hazard analysis for the Millstone site. We used the zonations and seismicity parameters provided by the SEP/EUS seismicity panel and a " correct" version of D&M's Eq. (3) for sustained acceleration:
ina s= 1.06 + 1.15 mb - 0.83331nR - 0.005R R > 10 km j and for R less than 10km as I*b ,R) = asI*b ,10)
Some members of the SEP panel provided their models in terms of intensity. We replaced m b with I gin these models using the relation In=2mb - 3.5 a
i 4 - 10
Figure 4.1-2 is a plot of the resulting hazard curves for all the SEP seismicity experts. Figure 4.1-2 also shows two points for approximate
" sustained" acceleration estimated from the maps in the USGS report by Algermissen et al. It is seen that the USGS's results are in reasonable 1 agreement with the results obtained using the SEP seismicity experts' models.
It must be noted that the USGS study used a significantly different ground ;
motion model. It is difficult to assess exactly what hazard curve would be obtained from the USGS study if the same ground motion model as used in our study was used: It is most likely that the resulting hazard curve would be higher because no random uncertainty was used in the USGS model. In addition, j Bernreuter et al. (1984) compares the preliminary results from a new panel of 1 experts to the results obtained for the SEP Study. The agreement between these two studies is excellent.
Figure 4.1-3 shows the median curve from Figure 4.1-2 plotted on PSS Figure 1.2.1-1. Also shown is the spread of our curves at 0.6g from Figure 4.1-2. It is seen from this figure that the 08,M results are within the spread of the SEP results, but on the low side. It is not possible to determine exactly where the 08M median curve lies relative to the SEP and USGS results
~
because the 08.M curves are not equally weighted and the probabilities are not
- given on the various hazard curves. The OleM median appears to be about a factor of 5 low compared to the SEP median. A reasonably complete uncertainty analysis would spread out the scatter in the curves even more. This increase in uncertainty in the seismic hazard is considered unlikely, however, to have much effect on the median curve, but it could have significant effect on the risk, as it is generally found in such analyses that an increase in uncertainty increases the risk.
4 - 11
J D ,,.
, ~%
n m
n ~. - , . .
m.. ..
. . . ~
, , _ ~ . . . .. ,
..r . . .~
q p ' luut.
%( g ( %a. a - ).5 -$*9u-s ud . Q ub &t .r 8 r 6. 8 F M-* . e= >-4 uk .a.m aa.s v tsj. r ama *s t. . Ar. furekh $ 6. aw.m s- - en E- L eth-8 9
- . '." _li IL4-t -MM, M**' ****- N.
4' -t- ? i- WT
'***. # *- F ' "F i
.- ._ _m._, , . -' . .
2-,- -.h - = = = ,m- -==
- t % =M. -
ur--e 4=_' - - -
s i
,u 1 _ - ... .
ehb . sma . g-e .
.- =.-
. p. e ,4 4. -
' .. , - - = .
g . e,se .,s-r g r* i4 4. r g 3.y .- 1g L L 6 G.J .aala = 1.e- _- h &. % se+ 1.-6 46 e- 4.-,
i LLa.4 be. Q % %ss ba.assa.sr an.af. [ .1s,a. -emersa [-er a. -, sesim$m 6- j - i-6.( , .'h rte a _ swarm.a_ $ Q , es .s;-(; -hart. aca. 29 -seFasr a-3--- 4 4 t '-
~
-l MT-~ 4"E *I - 'T'I' *" " ~ 5#i # M-~b 5 5'-~ ~
N#- F 3"% ' ' i"** ' - ' * -=T-~'~ '*
5 = E=#4 WMh tM MM J'
' 't- = E==" s t- t-e3r J.l.l _ - _2 -n- i--MiM M !M-HE
--b.m q ::;--+- w c - -
g m u...y _._m
.g ,- - -- - _
- n. . m. . . x=
G \
- Approximate Result - USGS
' -3 , m _ m -H- -
i jo i i s, 3 m , m, m ,
m,. _
r i
~ . . ~: . __._ , .&
9 . - a s _. . - .s .. .. . , . . , . _
l' a == . -*. rm e h==* +-* s.L- La +. 6w w -*-s +-+-s- r +-.a.M a .r e a ! 1 .+s .f--. WM1..t6*- = X,- . e / e-,-+
^
os .
y = *es tr *-*' ,1= =-s ort.- - AMW %3- 7 =4 3* *- 'he # r- M- r-*d " ' 8* * -8** L *"**-i-
- tr**r*+' -f k"3E-V * ' - - * - * - M +-*' ,
i g =W%bM S ':kWTJ % L4-E -s*W---t!:" :-fi L e --iT b -r ~ T N' dt-bW =EMP ~;" - = -H-#
! : EN M%.4 s @W EDY * #
~ M NME E: 5 5 -- -
.' .m.. .
i + i... t -, _u u f.4 ._ 1 x.. , _ .
. . . . . . , , . . - i I
, A 4
' . es m P >
4F E** ..-.IN' LLTg g i .4 . 4. T - N' i rv. & M e i==s-ir LM 6 6 s- I. v. -se.4J i 6:4- a e , .Eir im J
E"' ** W -14*fr M . -s-W5M1 e s M'V ,, r w -MM --i ==m ._-t- *i-4===< g.ar w _ I *i.r- t 4 1444m (
EM g _A aug 5,g gg g -pi;3 4yy4g%_
Ay 4-? gg --n -._i,- _
.6 g4 LM- g ;
l 3
~l_ =.-A
~
"' N -i, 'r
! I=-C-e- MNW W- NF"=' = =Eh"it- f -' ' ~~ ' _ - _~ -
l
?? W
~
2 --*
- -Qt AM5i"%2N u --
- : me .: w m
4.
im s,m
- x . _- -
v m . ws . .
g I7h,.' ] N I I I I I
,L,3 , 1g k I I t
1 I I f 7 f96 X,, &
I
'L' 'k,k' n I I
h.(
I I h'E l i I
I I
I i I I I 7hp.. J f 1 1 I -
i l h
u3h=t L'
-k ,. k, h 3 g 3 i i < , E m.I i i e m i i i e i i w x
g m. p , .
.e.. 4 .ex n . .- x .w m - *n . . . . . . - A -
ik ._ -u .
g i=se gr n 6. ;- . imam _ , g sr .e. <3 6 -e- ew .a p. 2nqgg_N-s N . 'hg% as e . .w A .r 4m a . ame- e g-a.: s *7>
4i'- --i* f 8ND Af -N_ **'"""-'** 1D - @-\' \M#
^
O ~*- N[ a. .- am _i-n. mA% M y '-k- d'8. "'f- **L O g ." '- 'ES re-- EEM.Y NM _* 4W% RAW- P :- --V(__N ,NQJ-3 i 7--- -h468=xr-b 3==a-M u :------ --
=.= =_ m,,; n ~--
-: r-g C . _ _
_. .__m-- ._ .- a. M -
4 - , -- A --
g re . an.s er e- ..n. -
s 4 i-- - . , , - - a ..,9 - ,qp : y 'eg 7. %_A ,._A.c===, y. . . a -
r . - N ac art i F- 5. :-a- c- .u -+. - dF% 1 r-=rs- w.w.y .> .. , - - 'k-. -c n; y = r. N-% uw,c, . _=. ,=4A=4 e6- e' 30 4
hEd-9E*-I.h 8'. --'*r" d**1'- %*- 6" 8@N-" 3 -*-** r -
-h*%d-N Y "M 'N-~~3 % iL ~
Er -ar r4. ser=
x . .
- _; m. ,-
_ _-- _ +""8--'_W--*
~.x a-.__m L
_-_ m'-'__
5
-~
- - _=
'__xN i r... '*_-"h --
-mm g
. _ _x .~
C - -
' ' ' ~
s '-\
._=L m-hl
's-h.M m
L. W Mk. .
M I Mi I .1L A I 'h F-g ,, 6 i . mn : i cx i i 1 (g -
f ,
1 I i i h
s
]
i I
i M
i s
..P,qm L I
i
\I
,i .%,,, ,i I
i n 2, w- _ _ , . m,_,,_,_, , , - , , _ _ _ _ , , , _ _ , . .. _i,_ ,r__.,, _ . , _ . . ,
. mm . ,.m,. ,, , _
OI g -er E . . - - , _ - - - a,
'. g,aar -- -- - --w rr es_ a. * ===- -assem
.=% AN aa_%e .e-==-_s-i; o , _ . _ - _ . _w.=_ .. .
_m,. e _s-e - m +-- mm.-
E O -C Z_- -M M WM FM Q- --M- "= ' i . - _ - hW MM Z g*
u . G.,
L.
g -- -- - - --- .- ---
- - - - 9M. b--- - - -
2 -
. = -
1 _
m...-
- c. -
- _ ~ _ -- -
3 _ - . . . . - - - -- -
,_..,. - _. .s ._ . .. _. w _. _ .-- , ,, x~
en- m,,,,,- , , , , , , _y.+ is r; .,,,nH. -3 .4_ ; ,g E 1,. _, ,s.g .. n : h.w.- n_ w. mer mena- eiC%N i a . 4 - %a f$*N yg,
,,Q
] _--=~_=
= = = , .
.-9-K'-----'
-._ ===--f_- =-r_,=_r..-
__ __ _ r_ _. ed-__s._ _
w y
- m r-c_ m- _=- := =_=_w-,=
~ _. . _
L. _. . ,:== r
.__ ==_.._..
._,--A N u e., -N 4
C _.-,,---* ~_~~4-_. .-'T~_"'L*
_..m, e> g . . - _ - -- . - - _ _ . - -__g__
4_
u _. :_x---- - ---
4 _ _ _ _: _:- _ _ . _ _ _ . _ _ _ _ ._ _ _ _._ _ _ , _ _ _ _
9 .a . "_ _ _ _ _ _ _ __ ~
3 d
Gw z -
-?4 _
u1 1 1 h. '
n i 1 A I a a l I . I . . I I T I I 1 . 1 . J l i I 1 . ! l .
- I i f I & 5 l l l l t l I ! l E I l i% l l 1 1 1 t ! I. i i l I l l e ! l s I i i 1 e u i 6 I 4 1
\ s i 4 e l i e I f g
, _ . . . . . . . -_._. . . , _ . , .__ _ . _ . - __ ._ _ ~.. . . - . _ m _. __ m . _
j g ..ne um.ra.rr i sa.s..a:y_- -dr _= -ume 6.4.wa-Q3= ,_,_e_ mt_in-m m:E e- gua i . ._3p:mz 2. m_ _a - a --sa _s -v maa.a.s s+ a m . . 1t_ uv aM .
~
'*- h-
' _ _ . "E___.
y .Z 2'---"E" --
- ' _ _ . "'..N____2__._. __ .__ _ _ _ . _ _ _ . _ ._-
- -_ - :' '-.-_%-- ' _ .. ".M_ _4 i__--~_~~~ .--M " $5N g __ _ . . _ _ _ -___ . w-- -- -
_ _ . _ . - - - - - _ . C~_- .._T --,- - . -
$ _ _ - _ . _ aum-___- -
m == m . - - . -===-a==_ .
p e p. _rr - 4 ,- _
_ we--r um == = _--=g-=es*.-A u== es .-e .- =_ t. _ 3 = wwn -
3 vussi mi .aw h- F - ~ ~ [ Zaus.a.mummEP - + - - = - - = =
-wim.i-Ji-+-ins.Me5E W - i ^ __ us.h i'- 4 'untimmi7-5s 'i.m iEEur. ---#~-2'i"* '
- 45'ziin su
^
- S ^ '.__D N_ 2_' _-- i_ -'_- I .882 m____--_--'
~
'.?? _-2_-i-- <- A n '-_ *r==:' .j .
_r _N.
- i---...--
-E_.-, N T ".*_
_ _ . m._ ,_ __
3 _. __ _ . _ _ _ . _ _ __ __._. ._- _
_ __ __ V___ . . _
- * - * " * * " ,m_.,. . _ . _ _L ' + 7 T_____ _ . ' _
m s
k I I I 'L 1 I 7
. I
- 1 I
i
[ l a 1 I ! l
! l i I I i
! I i I
i I I 1 I I 1 f I 1
. ! I i 1 I I I i t I I i
I
. I l f i'm' I l is*e a a I
g } I I I I I I I f i r i I n o as as as a4 o.5 a6 Sustained acceleration - sa - 9'S Figure 4.1-2 SEP Experts Sustained Acceleration Results -
Based on " Corrected" Dames and Moore Ground Motion Model 4 - 12
., o.
Approximate Median SEP Curve Approximate USGS f
.ovi .
v.o-< '
5.o-4 .
s s.o-4 _
~~~
2.o-4 i.o-4 .
3,,
T.o-s 5.o-s ie .
j s.o-s 3 2.o-5 ld E . o .
I .o-s ,
I y F.o-6 s 5 5.o-6
- = . Median g s. -6 .V SEP Curve W 2 0-6 '
I!i g i.o-6 ,
r.o-r .
_ 8 w.
s.o-r _
O s.o-r 2.o-F 8.o 7 . .
7.o-8 ,
s.o-8 s.o-s
~
2.o-a .
s.o-8 e 7 7 9 ?
- d o o a i
o i t a a o a a CRoVND ACCELERATION (C)
Figure 4.1-3 Comparisen of Hazard Curves Generated by SEP Experts, Dames and Moore, and USGS Approaches O
4 - 13
. t
~
4.1.2 Soismic-Induced Initiating Events . _ .
The MP-3 PSS evaluated seismic-induced initiating events which were ,
believed to be " credibly postulated to occur as a result of an earthquake ,
within the acceleration range of interest (0.17g to 0.80g)." The set of these events is a subset of the two general classes of initiating events (LOCA's and transients) considered in the internal event analysis.
i The events considered were of two types: those which occur as a result of.
seismic-induced failures of plant structures and equipment, i.e., large LOCA, small LOCA and ATWS; and transients induced by the seismic event as a result of ground motion or failure of nonseismically qualified systems. These latter transients were modeled as a single " limiting" transient, which was assumed to occur if none of the other initiators occurred.
Initiators excluded from the analysis included SGTR, streamline break and interfacing system LOCA--on the b' asis of high seismic capacities associated with items that would be required to fail to result in these initiators.
The paragraphs below describe several concerns regarding the initiating.
event selection process in the PSS.
4.1.2.1 Steam Generator U-Tube Rupture *
The initiating event of steam generator U-tube rupture is discussed in PSS Section 2.5.1.2.1. It.is stated there that the mean conditional probability of seismic-induced U-tube rupture is about 0.01 at 0.75g, and considering the low probability of a 0.75g earthquake the conclusion was reached that detailed modeling of steam generator U-tube rupture is unwarranted. Although we have not seen detailed stress analysis results (and thus cannot be entirely sure of some of our assumptions), we nevertheless suggest that this conclusion be re-examined.
The basis for this suggestion is the following. We do not know the number of U-tubes in the four steam generators at MP-3 but for the purpose of our This section addresses the SGTR analysis presented in the original PSS, i.e., prior to the revision of the fragility analysis.
4 - 14
discussion we will assume there are 24,000. The conditional probability of 0.01 referred to above can then have two interpretations:
- 1. Each of the 24,000 U-tubes has a probability of failure of 0.01.
- 2. 240 of the 24,000 U-tubes fail'(24,000 x 0.01 = 240).
Using the second interpretation, at lower accelerations than 0.75g fewer than 240 U-tubes would fail. We understand that if as few as 20 U-tubes fail then HPIS and LPIS May not be effective if at the same time a LOCA occurs and )
a core melt could occur. Since this occurs during an earthquake at the same time we expect a transient to be in progress.
We believe that (1) the U-tube initiator should be included in the PSS, (2) the fragility values for U-tubes should include any effects of degraded capacity due to corrosion, denting, radiation, etc. and (3) a justification should be provided f or not combining U-tube rupture with LOCAs.
If we use the analfsis in PSS Section 5.2, but assume FCEE = 1.0 to '
account for U-tube degradation, we~ obtain a conditional probability of failure of U-tubes of about 0.002 at the SSE acceleration. (As noted elsewhere in our
., review, we do not accept the argument in the PSS that seismic-induced failures are impossible at or below the SSE acceleration.) This analysis suggests that 0.002 x 24,000 = 48 U-tubes might fail at the SSE acceleration. Since U-tube failures from normal operation have been a common problem it does not appear to be unreasonable to expect that failures due to the effects of earthquakes could also occur. This crude analysis suggests that a more careful analysis of the possibility and implications of seismic-initiated U-tube rupture should be performed.
Finally, we do not agree with the analysis of the probability of failure for U-tube rupture in PSS Section 2.5.1.2.1. These calculations should use total variability rather than just random variability. By so doing, the conditional probability of failure at 0.75g becomes about 0.04 rather than 0.01, for example. (Here we used the total variability of 0.64 from Table 2-28 of PSS Appendix 2-I.)
4 - 15 c
4.1.2.2 Direct and Indirect Reactor Vessel Rupture (RVR) -
i l Seismic-initiated RVR was not included in the analysis or discussed in the PSS. This failure could occur due to direct causes, such as stress in the i primary piping, as well as indirect causes, such as support failure (see Ravindra et al.). !
i The PSS should provide justification for not including this initiator in I their analysis.
4.1.2.3 Loss of Coolant Accidents The PSS does not clearly describe the process used to estimate LOCA initiating event probabilities. This is a difficult problem because of the large amount of piping in the primary system. It is also difficult because, for example, the simultaneous failure of a number of small pipes can be equivalent to a large LOCA. This manner of having the equivalent of a large or medium LOCA does not appear to have been included in the PSS.
The manner of estimating LOCA Initiating events was not explicitly described in the PSS. The logical descriptions and probability estimates should include the various ways that multiple failures might lead to medium and large LOCAs as well as RVR.
i 4.1.2.4 General i special effort should be placed on seismic initiating events in the PSS. This effort would seek to identify all the possible specific and unique
-ways that an earthquake might initiate an accident. More effort in this area may result in the conclusion that the initiating event conditional
- probabilities are larger than presently estimated in the PSS.
The key consideration is the capability of an earthquake to cause the simultaneous upset or failure of a large number of components. For example, what are the recovery steps required if a large number of relays, etc., need to be manually reset even assuming they are not damaged? The data observed l 4 - 16 c
.u_ _
- a -- 2 from the performance of operators at conventional power plants that l experienced an earthquake is that in some cases it took a few hours to restart an undamaged plant while in other cases only a few minutes were required (Yanev and Swan).
4.1.3 Seismic Fragility The review of seismic fragilities was performed by our subcontractor, Jack R. Benjamin & Associates. During the course of this review, we learned that NNECO had concluded their fragility assessment was unsatisfactory, and that they were conducting a complete reassessment of these fragilities. Their
- submittal of a completely new fragility assessment to NRC in March 1984 made j- necessary a new review, which was completed in early May 1984.
The results of our review of the new fragility assessment, which are generally favorable, are contained in Appendix A.
The results of our review of the original fragility assessment, which are
- generally not favorable, are contained in Appendix B. They are provided here
~
only to complete the dcicumentation of the review effort that was performed.
Additional observations and comments provided in the discussion below are primarily applicable to the original fragility assessment.
4.1.3.1 General Coments Our overall impression of the seismic fragility analysis is that many of the median fragility values are conservative. However, numerous conceptual and philosophical errors were encountered and this led us to develop a lack of confidence that the fragility analysis was properly performed. Although there was evidence of considerable effort the final fragility results are not consistent with the state-of-the-art.
If a number of median fragilities are found to be conservative and if
- these conservatisms exist for key components in dominant accident sequences then we might expect that the removal of these conservatisms would lead to a l 4 - 17 .
I
~
downward revision of the estimates of the probability of core melt in the --
PSS. Even if we had revised fragility estimates it would be a significant calculational effort to foll.ow these revisions through the analysis (and this is beycnd the scope of our review).
We will make a crude estimate of the possible effects of conservatism in the fragility estimates in the PSS. Our starting point is the median core melt acceleration that we estimate from Table 4-1.
TABLE 4-1 Mean Core Melt Fragility Conditional Probability Acceleration of Core Melt 0.185 0.087 0.25 0.354 0.35 0.706 0.45 0.886 0.55 0.994
- 0.65 0.993 0.75 0.999 0.80 1.0
- This is the PSS value, but it is an error.
4 - 18 C
._.__ _ u . _ _ -w .
Table 4-1 was obtained from PSS Table 7.5.1-2. The median core melt value from Table 4-1 is about 0.3g. The median of 0.3g intersects the second highest seismicity curve in PSS Figure 1.2.1-1 at about the median core melt probability in the PSS. We assume that the conservatisms in fragility lead to a factor of 2 on the median core melt we estimated from Table 4-1. That is, we assume that the median core melt occurs at 0.6g or at about three times the SSE g-l avel . Following the second highest curve in PSS Figure 1.2.1-1 from a
0.3g to 0.6g we find less than an order of magnitude difference in probability. We estimate that the median annual probability of core melt in the PSS will be reduced by abaut a factor of five when conservatisms in fragility are removed.
Although the variabilities (randomness and uncertainty) of the PSS estimates of fragility were obtained in an incorrect manner the final numerical values are consistent with results from other commercial PRA
)
studies. However, we believe that the uncertainty values in the PSS and other commercial PRA studies are too low.
One effect of an increase in uncertainty in fragility estimates is an
~
' increase in uncertainty in estimates of the probabilty of core melt.
We will use available results from the SSMRP (Bohn et al.) to estimate the effect of an increase in uncertainty in fragility estimates. Table 4-2 summarizes key results on uncertainties.
TABLE 4-2. Summary of Results on Annual Probability of Seismic-Induced Core Melt.
Quantity MP-3 PSS SSMRP 95% Confidence Level 1.5 E-4 2E-3 Mean 9.4E-5 2E-4 Median 9.1E-5 3E-5 5% Confidence level 5.1E-5 lE-7 i 4 - 19 '
l l
l I
. (
As shown in Table' 4-2 the difference between the high and the low value is ~~
about a factor of 3 in the PSS and 20,000 in the SSMRP. Note that the SSMRP results include the effects of uncertainty in the seismic hazard as well as fragility (as do the PSS results). These results are used in Section 4.1.3.2 -
i below to provide guidance on estimates of uncertainty.
Another effect of an increase in uncertainty in estimates of fragility is to increase the estimated median probability of core melt. We assume that this increase in core melt probability is relatively small in the PSS and is included in our estimates in other areas.
4.1.3.2 Specific Coments c PSS Appendix 2-J states that since structures and components were designed deterministically to withstand the SSE: (1) there is a cutoff value below which failure will not occur under seismic conditions, and (2) this value is the SSE acceleration of 0.17g.
No justification is provided for either of these assumptions and there are a number of reasons to question them. For example:
o Design and construction errors are not explicitly included in the PSS..
l o The spectra used to design MP-3 are not an envelope of all possible spectra and have a probability of being exceeded.
o Some components (but not all) are seismically qualified by testing.
The possibility exists that a weak component exists in the plant, j PSS Appendix 2-I states that "...this review is confined to plant elements i having safety related functions..." Justification for this restrictive assumption is considered necessary in view of the pervasive effect of an earthquake.
The fragility values in the PSS are based on the concept of " sustained peak" rather than " instrumental peak" acceleration. The sustained peak concept is used to modify the hazard curves. While we do not disagree with 4 - 20 O
the basic idea behind this concept, we do question the practice of applying a single factor at the level of the hazard curves. The factor is applied to the fragility of every component regardless of whether the component is a structure, mechanical system or component or item of electrical equipment, or whether the anticipated failure mode is brittle, ductile, functional or structural. The use of sustained peak acceleration in the PSS should be justified.
The discussion of uncertainty in PSS estimates of fragility is focussed primarily on developing the uncertainty values. There is relatively little discussion concerning interpretation of the uncertainties developed or the use i
of uncertainties in calculations. For example, there is no discussion of possible correlation of uncertainty or how correlation might affect the estimates of core melt in the PSS: it may be reasonable to assume that correlation exists between uncertainties in estimates of structural fragilities or between uncertainties in estimates of electrical fragilities.
t A thorough discussion of the meaning, interpretation and use of uncertainty in I
estimates of fragility would be useful.
Correlation is discussed in the PSS at another level, see PSS Section 2.5.1.2.1 for example. It is stated there that the assumption of perfect correlation is made for s ismic-induced failures of identically manufactured and physically proximate components and that this is recognized to be a conservative approach. We note that correlation may also exist in estimates of fragility through the estimates of dynamic response and that this can occur for components that are not in physical proximity. This aspect of ,
correlation, discussed further in Section 4.1.4, should be included in the PSS.
The uncertainty in estimates of fragility that are developed appear to address only uncertainty for the specific component. This uncertainty would be used to describe the uncertainty in estimates of the probability of failure of the specific component, for example. However, the primary intended use of fragilities in the PSS is in event-tree / fault-tree models of accident sequences in order to estimate the probability of these sequences. In such a case there is an additional uncertainty in how well these models estimate these probabilities. This uncertainty has been called modeling uncertainty 4 - 21 c j
(Smith and Dong). One way to include modeling uncertainty-is to introduce it ~~
into the uncertainty in fragility. This issue is not addressed in the PSS. -
The PSS should describe how this modeling uncertainty is included. If it is not now included, it should be included in future estimates of seismic-induced core melt.
The fragilities in the PSS do not appear to include the effects of seismic-induced environmental conditions. For example, if the earthquake ,
induces a LOCA or other failure, the resulting steam, internal flooding, temperature or fire environment may induce failures in components that were not damaged directly by the earthquake vibrations. We recognize that this is a complex issue for which there is no simple solution. However, it is common for an earthquake to start a fire, for example. At a minimum this issue should be addressed through a close examination of the initiating events and accident sequences and by modification of fragilities as appropriate. This examination should be thoroughly documented. In addition, initiating sequences should be identified that specifically account for seismic-induced -
environmental conditions. These sequences should also be thoroughly documented and discussed and the rationale provided for not quantifying any that are not included in the calculations. Conversely, the fragilities should also reflect any degradation due to environmental effects that exist prior to the earthquake.
On PSS page 2-I-58 the failure mode of electrical relay unrecoverable chatter or circuit breaker trip is identified. The circumstances under which relay chatter, for example, leads to an unrecoverable state need to be much more carefully described. For example, conventional power plants that experienced an earthquake appear to have encountered some difficulty with relay chatter or breaker trip at accelerations of about 0.35g (Yanev et al.)
which is a lower value than any of the MGACs in Table 2-28 of PSS Appendix 2-1 except for offsite power.
4 - 22
-m 4.1.4 Seismic Core Melt Models The modeling of seismic-induced accident sequences was performed through the use of logic diagrams and construction of a plant-level fault tree. An approach was taken in which perfect correlation among identical components in close proximity to one another was assumed. The PSS acknowledges, and we agree, that this approach is conservative. - The consideration of random failures in the seismic sequences was performed in simplified fashion, whereby
. two criteria were used to screen random failures to identify those with potential significant impact. The first criterion requires that the random failure must be significant relative to all relevant seismic-induced failures; the second criterion requires that the random failure contribute to a core melt accident progression that also involves at least one seismic-induced failure beyond the seismic-induced initiating event. The application of these criteris resulted in limiting consideration of random failures to pressurizer relief and safety valves and to operations requiring human action (e.g., feed and bleed).
l There is a striking difference in the PSS in that the event-tree /
fa' ult-tree models used for seismic initiators are much coarser than the models used for internal (random) initiators. This difference raises the question as to whether model (in) completeness has any effect on the estimates of seismic-iniated core melt in the PSS. This issue is of particular concern for seismic initiators since the possibility exists for simultaneous failure of large numbers of components when an earthquake simultaneously threatens the entire plant. This consideration affects logical descriptions of initiating events and accident sequences as well as their quantification.
Explicit direct quantification of the effects of model completeness would require substantial effort and is outside the scope of our review; however, it is possible to obtain insight on the effects of model completeness from two independent evaluations of Zion Unit 1. These results are available because:
o Seismic PRAs were performed on this plant as part of the SSMtP and as l
part of a PRA sponsored by the utility.
l l
4 - 23 .
s w a o The event-tree / fault-tree models used in' the SSMP' Ne much more -
detailed than those used in the study sponsored by the utility. -
. (This difference in levle of detail is similar to the difference
. Y between the internal and external event models for MP-3 in the PSS.)
'4_
The major._ differences.in the SSM P and utility studies of Zion ~ar'e:
o Differencis in the level of detail of seismic analysis. '
o DifferencesinfragiliIycurves.
Differences in hazard curves.
~
o
~
o Differences in the level,of detail in event-tree / fault-tree models.
9 -
While both the SSMP and utility studies found essentially the same .,
! dominant accident secuences, there is nevertheless more than an orde'r of .
[ magnitude difference in the median annual core melt probability: 3E-5 for $heI SSMRP and 2E-6 for the utility 5tudy, or a factor of 15. There is a factor of._
, 40 on the means.
We will now use (1) this difference (the SSMRP found that the median annual core melt probability for Zion Unit 1 was 15 times larger than was found in the utility study), (2) available 'SSMRP results and (3) the above list of the four factors that might have contributed to the difference in (1) to provide an estimate of the effect of model completeness on the estimates of seismic-induced core melt in the PSS.
l l
l For Zion Unit.1, it is relatively easy to provide some insight on the effect of model completeness because only the fragility for the service water pumps contributad in any significant way to core melt in the study sponsored by the utility. _ This means that if we use SSMRP inputs (seismic analysis, fragility and hazard curves) to estimate the probability of fcilure of the service water pumps (th'at is, the probability of core melt in the utility '
study) and compare this with the SSMRP probability of core melt we will obtain -
some measure of the effect of model completeness.
\ t ,
u 4 - 24
_. ._ _. .__ _ ,a 3 _
~ A minor complication in this comparison is that the two studies used fragilities for two different components to reflect loss of service water !
pumps. In the utility study the fragility of the service water pumps was used. In the SSMRP the fragility used was'for the crib house pump enclosure roof - the collapse of which was assumed to result in failure of the service water pumps.
Using SSMRP inputs the median ' annual probability of roof-induced failure of the service water pumps was found to be 2E-6. For the reasons described above this is interpreted to mean that the utility study of Zion would have found the median annual probability of core melt to be about 2E-6 if SSMtP inputs were used in all areas except the level of detail in event-tree /
fault-tree models. Coincidentally, this is the same value that was found in the utility study.
The difference between the two median probabilities of core melt (2E-6 for the utility study versus 3E-5 for the SSMRP) is thus found to be due to model completeness. That is, if more detailed models were used in the utility study of Zion the median annual probability of core melt would be found to be larger than the 2E-6 that was found--by as much as a factor of 15.
. Since we have not performed a detailed comparison of the SSMRP and utility seismic PRA studies on Zion, the factor of 15 should thus be considered preliminary and a result of crude estimates and gross simplifications. It is
- our best estimate at his time.
- Since PRAs are highly plant- and site-specific, we should also not discount the possibility that even if 15 is the appropriate factor for Zion Unit 1, it may not be the appropriate factor for MP-3 because the utility j studies on Zion and Millstone may be based on different assumptions and conservatisms whose effects may be significant enough to make the applicability of the above factor of 15 questionable. For example, in the j utility study on Zion the issue of model completeness is coupled with the
! assumed truncation of the hazard curves at the upper acceleration levels.
j Explicit direct quantification of the effects of this issue on the PSS estimates of core melt probability would require substantial effort and is outside the scope of our review.
4 - 25 .
n :-
Nevertheless, w'e estimate that the)effect of model' incompleteness in the -
PSS is an increase in' the median annual probability of core n.elt by an order )
of magnitude.
As discussed elsewhere in our review, other. issues lead us to both
- crease and decrease the estimates of core melt probability in the PSS. This order-of-magnitude estimate should thus be specifically noted to apply only to the model completeness issue addressed in this section and not overall.
ThemodelcohletenessissueinthePSSshouldbeaddressedinthe following explicit way.
The calculations should be organized to demonstrate that the figure of merit (core melt, risk, etc.) does not change significantly if. additional components, sequences, etc. are included in the calculations. The effects of -
uncertainties should be included in these calculations, but a complete uncertainty analysis is not required.
One relatively simple way to do this is to base the calculational demonstration on the mean figure of merit. In these calculations the random and uncertainty variabilities are combined in the hazard and fragility inputs to the calculation. Thus a single hazard curve is developed where this single curve combines the variabilities associated with the hazard. Similarly a single fragility curve is developed for each cor.1ponent and this single curve also combines the variabilities. Combining the two types of variabilities in this way has a nuraber of advantages:
4 o The issue of uncertainty is explicitly addressed. .
i o The calculations are relatively simple, o The growth of the figure of merit is based on a statistic (the mean) that has an easily interpreted and relatively stable meaning.
l l As a final check the mean figure of merit obtained in the abcve manner should be compared with the mean obtained when the random and uncertainty variabilities are entered into the calculations separately.
4 - 26 9
. - - - - - - - -3 ,h
~
~
A separate demonstration calculation may be required for each figure of merit. This is because the sequences that dominate core melt may not be the same ones that dominate risk, for example.
The model completeness issue is also directly related to the issue of estimates of uncertainty because crude models may lead to underestimation of l the uncertainty. This may partly explain why the uncertainties in core melt probability in PSS Section 2.5.1.3 are so low (see Table 4-2). As described on PSS page 7.5-4, uncertainties are propagated through only the dominant external risk sequences. l The model completeness issue is addressed in PSS Section 2.5.1.2.1. Model completeness is also coupled with another issue - the manner in which correlation is introduced into the calculations.
In PSS Section 2.5.1.2.1 the following statement is made on correlation (on page 2.5-4):
... the assumption of perfect correlation among the seismic-induced failures of identically manufactured and physically proximate components permits condensation of the system fault trees to reflect these dependencies."
On page 2.5-8 this statement is modified to exclude physical proximity, but this may be an oversight and 't is not important to our point here.
The major problem with the above-quoted definition of how correlation was treated in the PSS is that this treatment does not go far enough. We could find no further discussion of correlation and thus we assume that this definition is a complete description of the approach to correlation in the PSS.
The aspect of correlation that is apparently omitted is the fact that correlation also arises as a result of the common dynamic response environment that occurs because the earthquake simultaneously excites all components of.a l Plant. While this source of correlation will be observed for components that are in physical proximity it will also be observed for other conditions, see Fig. 9.2 of Bohn et al .
4 - 27 .
7 In the PSS the primary way that correlation was used was in construction ' ' ~
(condensation) of the system fault-trees. The primary way that response correlation enters into the results .is in the quantification of fault-trees (and event-trees if they exist). ,
1 This quantification is discussed in Chapter 9 of Bohn et al. Briefly, the major error probably arises in those logic expressions that contain a " logic ANO" (see PSS Section 2.5.1.2.2). . The problem is that ignoring the response 1 l.
correlation can lead to underestimation in the quantification of logical ,
expressions.
Explicit direct quantification of the effects of response correlation would require substantial effort and is outside the scope of our review. This quantification should be explicitly described in detail and included in the PSS.
However, for the purposes of this review we will estimate the effects of l
response correlation in Section 4.1.5. As noted above this issue is coupled I
with our estimates of the effects of model completeness. We assume that the quantitative effects of response correlation are included in our above -
estimate of an order-of-magnitude increase in median annual probability of core melt.
4.1.5 Sensitivity Studies j The PSS is incomplete because it does not include the results of sufficiently deep sensitivity studies. Sensitivity studies are required to l (1) provide an understanding of which elements of the analysis and the plant are important to the analysis results, (2) assess whether it is reasonable l that these elements are the important ones and thus assess the reasonableness
- of the analysis, (3) refine the analysis of the important elements and provide
!, a convincing demonstration of the robustness of the initial results or a revision of them, (4) identify any inconsistencies in the analysis and (5) identify where design, c nstruction, maintenance, etc., errors would be most important.
{
l 4 - 28 i 0
.-. _ - - - - _ . - - , - . . . _ _ . - _ - . - - ~ . . - _ _ - _ . . , _ . _ . . _ .
PSS Section 7.5.1 presents some results of sensitivity or dominance studies; however, these results may be of limited use because they are so-called mean results. This means that they are based on a mean hazard curve and presumably on median fragilities or on fragilities with only random variabilities included (the analysis is not clear on this point). As discussed in Section 4.1.4 of our review the dominance studies should be based on analyses that include the total (random plus uncertainty) variability.
However, even this approach is not a completely satisfactory solution to the problem. -
The basic problem is that the true value of the probability of core melt is unknown, as shown in Table 4-2. The meaning of the SSPRP results in Table 4-2 is something like the following: "We do not know what the annual probability of seismic-induced core melt is, but we have approximately 90%
confidence that it is between 1E-7 and 2E-3. Its median value is approximately 3E-5 and its mean value is approximately 2E-4."
Since we do not know the true value of the annual probability of core melt we must be very careful when we make statements like ".. 26 percent of the core melt frequency is attributable to the TE damage states." (See PSS page 7.5-2.) The fundamental issue is: How do we confidently make quantitative statements of how much something (the TE damage states in the example) contributes to a quantity (the annual frequency of core melt in the example) whose value is unknown?
The Millstone PSS needs to be expanded to include a much more thoughtful and complete study of dominance, importance and sensitivity.
4.1.6 Overall Quantitative Assessment This section provides an overall quantitative assessment of our findings on core melt probability in the previous sections.
We summarize our findings as follows:
In Section 4.1.1 we found that the median seismic hazard was low by a o
factor of about five.
4 - 29 .
~"
o In Section 4.1'.2 we found apparent deficiencies in initiating events in the PSS but did not estimate their possible effect on core melt.
o In Section 4.1.3 we found. apparent conservatisms in the fragilities and estimated that their removal would reduce the median annual probability of core melt by a factor of about five.
o In Section 4;1.4 we found deficiencies in the treatment of model p detail and response correlation and estimated that their combined effect would lead to an increae in the median annual probability of core melt by a factor of about ten.
o in Section 4.1.5 we found deficiencies in the sensitivity studies in the PSS but did not find that they would lead to a significant change in core melt probability.
If we assume that the above factors are multiplicative we obtain the following result: -
~
9.1E-5 x (5) x (1/5) x (10) = 1E-3.
0 1
That is, given the multiplicative assumption we find that the median I
annual probability of seismic-induced core melt for f!P-3 is about 1E-3. This is about 30 times the SSMRP median of 3E-S on Zion Unit 1. At about 0.6g (the approximate acceleration that is assumed to dominate core melt) the SSMRP hazard curve has a median value of about 4E-5. The results from Section 4.4.1 i indicate that at about 0.6g the median hazard at MP-3 has a probability of about 2E-5. The closeness of these two hazard probabilities suggests that the factor of 30 is not a result of differences in the hazard at the two sites.
This suggests that the factor of 30 is a result of differences in the two plants (Millstone Unit 3 and Zion Unit 1). The structures at Zion are founded on soil whila most of the structures at MP-3 are founded on rock. Although the effects of soil-structure interaction might be expected to result in a lower probability of core melt at Zion compared to MP-3, our opinion is that it would not lead to a factor of 30 on the medians. Since HP-3 is a newer plant than Zion, our first reaction is that it is not reasonable that there 4 - 30 c.
._ ~____u. .- . - . --
+ .. .
= ,
e..g.
should be a factor of 30 as we have estimated. However, we are not entirely sure that our reaction is valid. For example, this may simply be a reflection l
of the true uncertainties. That is, the medians are only estimates. As another example, the utility and SSMPR studies on Zion Unit 1 found a difference in medians of a factor of 15. There are, therefore, three possible conclusions:
- 1. The median annual probability of core melt at MP-3.is greater than the value of 9.lE-5 found in the PSS and the true value may be about lE-3.
- 2. The multiplicative assumption is not valid. That is, it is not valid to multiply the factors as we have done. A more comprehensive and refined approach is required to assess the combined overall effect of the identified issues and thereby provide a valid estimate of the median annual probability of core melt at MP-3.
- 3. The analyses that led to the individual factors are too crude and simplified and, as a result, the factors are in error.
Although we do not know which one or combination of these conclusions is correct, we are more confident in our estimates of the uncertainty in the annual probability of core melt. The SSMRP results from Table 4-2 lead us to estimate that if the median annual probability of core melt is found to be on the order of IE-5 then the 90% confidence interval is about lE-3 to lE-7.
Note that this confidence interval is specifically stated to apply only to a median that is on the order of IE-5.
l l
[
4 - 31 .
This page intentionally left blank.
O i
c 4 - 32
REFERENCES 4.1-1. S. T. Algermissen, D. M. Perkins, P. C. Theuhaus, S. L. Hanson and B.
L. Bender (1982), "Probabilistic Estimates of Maximum Acceleration ,
and Yelocity in the Contiguous United States." USGS, Open File l Report 82-1033.
4.1-2. D. L. Bernreuter (1981a), " Seismic Hazard Analysis: Application of Methodology, Results and Sensitivity Studies." Vol. 4 of NUREG/CR-1582.
4.1-3. D. L. Bernreuter (1981b) " Seismic Hazard Analysis: Review Panel, Ground Motion Panel, and Feedback Results", Vol. 5 of NUREG/CR-1582.
4 .1. 4 . - D. L. Bernreuter, J. Savy, R. Mensing and D. Chung (1984), " Seismic Hazard Characterization of the EUS: Methodology and Interim Results for Ten Sites," NUREG/CR-3756.
4.1-5. R. K. McGuire, " Fortran Computer Program for Seismic Risk Analysis",
U.S. Geological Survey File Report 76-67, 1976.
4.1-6. O. W. Nuttli, "The Relation of Sustained Maximum Ground Acceleration and Velocity to Earthouake Intensity and Magnitude," Report 16 of State-of-the-Art for Assessing Earthquake Hazards in the United States, U.S. Army Corps of Engineers Waterways Experiment Stations, Vicksburg, Miss., Misc. Paper S-73-1, November 1979.
4.1-7. 3. W. Nuttli, " Similarities and Differences Between Western and Eastern U.S. Earthquakes, and Their Consequences for Earthquake Engineering," to be published in Earthquakes and Earthquake Engineering: The Eastern U.S. , Kr.oxville, Tenn. ,1981.
4.1-8. TERA Corporation, " Seismic Hazard Analysis: Solicitation of Expert Opinion, U.S. Nuclear Regulatory Commission, Washington, D.C.,
L NUREG/CR-1592, vol. 3,1980.
~
4 - 33
G 4.1-9 P. D. Smith, R. G. Dong, Seismic Safety Margins Research Program (Phase I) Interim Definition of Terms, Lawrence.Livermore National Laboratory, Livermore, California, UCRL-53001, December 1980. _l 4.1-10 M. P. Bohn, L. C. Shieh, J. E. Wells, L. C. Cover, D. L. Bernreuter, J.- C. Chen, J. J. Johnson, S. E. Bumpus, R. W. Mensing, W. J. O'Connell, D. A. Lappa, Application of the SSMRP Methodology to the Seismic Risk at the Zion Nuclear Power Plant, Lawrence Livermore National Laboratory, Liversere, California, UCRL-53483 (also i published by the U.S. Nuclear Regulatory Commission, NUREG/CR-3428)
May 1983.
4.1-11 P. E. Yaney, S. W. Swan, Program for the Development of an Alternative Approach to Seismic Equipment Oualification, Volume 1:
Pilot Program Report, Volume 2: Pilot Program Appendices, E0E, Inc.,
San Francisco, California,1982.
4.1-12 M. K. Ravindra, R. D. Campbell, R. P. Kennedy, H. Banon, Probability of Seismic-Induced DEG8 in RCL Piping, Proceedings of the 4th ASCE Specialty Conference on Probabilistic Mechanics and Structural Reliability, Berkeley, California, January 11-13, 1984 4 - 34 .
r
(
. - _ __ m. _m _ _ ._- -
.- __ . _ , - _. m - - .
4.2 Fire Events This review is limited to an evaluation of the methodology for the assessment of risks from fires at Millstone Unit 3 nuclear power generation station. The validity of the event trees for the plant response given a fire
~
has not been examined. Furthermore, the statements of the Millstone 3 PSS concerning the contents of various compartments and fire areas have not been verified.
It is convenient to conduct the evaluation of the analysis in terms of its
~
three major parts, i.e.,
I. The identification and screening of critical areas. The areas of the plant are screened to identify a limited number in which a fire can cause an initiating event (IE) and, at the same time, affect the performance of safety systems. The frequency of fires in these areas is assessed and a detailed analysis is performed. This part is contained in PSS Section 1.2.2.
II. The analysis of the fires in the critical areas. This part includes 4 the effects of detection and suppression on the growth of fires, as well as- the identification of the impact of the fires on plant systems, and is contained in PSS Section 2.5.2.1.
III. Event tree analysis. This part includes the analysis of accident sequences induced by the fires. It produces the frequencies of l relevant plant states and of core melt. It is found in PSS Section 2.5.2.2.
i 4.2.1 Overall Assessment Regarding the methodology and its implementation, we find that:
- 1. The screening process (Part I) is reasonable and complete. All fire areas warranting detailed analysis and evaluation have been identified. The frequencies of fires in various compartments are estimated using acceptable methods and are reasonable.
4 - 35
l _ (
I 2. The analysis of the loss of safety functions due to fires in the critical areas (Part II) is not rigorous and explicit. Cable routing and room configurations are neither used nor given. Thrrmal models for fire propagation are not used, as is done in other PRAs, e.g.,
Indian Point [2], Limerick [3], and Seabrook [4]. This lack of detail, however, appears to lead the PSS to conservative values for the conditional frequency of losing all the safety functions that ,
depend on a critical area (PSS Table 2.5.3.1-3). This issue is discussed further in Section 4.2.2.1 of this review.
- 3. The event tree analysis (Part III) is reasonable (assuming the system unavailabilities are reasonable), with one exception. The error rate for the failure of the operators to switch control of the plant from the control room to the auxiliary shutdown panel is too low (see Section4.2.2.2).
- 4. The method of combining histograms two at a time leads to erroneous estimation of uncertainties, when dependencies are present (see Section4.2.2.3).
- 5. The following items have not been addressed in.the PSS:
- a. The impact of earthquakes on fires and fire protection systems, e.g., fires started by earthquakes, sprinkler systems activated by earthquakes, etc.
- b. Effects of the suppression agents on equipment.
- c. Issues related to the response of equipment and cables to high heat fluxes and temperatures, e.g., fire barrier degradation, effects of hot-gas layers on cables, etc. (see comment #2 above).
4 - 36
m m _ -
%m__ _a : .m
=-%
3
-It should be pointed out, however, that items (a) and (b) are beyond the state of the art and no PRA has addressed them yet.
I 6.- The impact on the numerical results of the conservatism noted in l coment #2 and optimism noted in comment #3 above has been assessed in a crude sensitivity analysis in Section 4.2.2.4 It is found that the mean frequencies of plant damage state TE and core melt could be raised from 1.39E-6 per reactor year and 4.80E-6/ry, respectively to 2.46E-5/ry and 2.80E-5/ry, respectively. This shows that the mean core melt frequency could be underestimated by the PSS by as much as a factor of roughly 6, (see Table 4.2-1).
4.2.2 Discussion of Findings 1
4.2.2.1 Thermal Models Most major PRAs, e.g., those for Zion, Indian Point, Limerick and Seabrook, use the thermal models of References 5-8. The principal tool in I
this approach is the computer program COMPBRN, which, essentially, begins with the burning fuel element, which releases heat at a certain rate, then transmits this heat by convection and/or radiation to other elements, e.g.,
cables, and finally calculates the ignition time of these elements. Typical ca3es that have been analyzed this way include vertical fire propagation within a stack of horizontal cable trays, horizontal propagation across the width of a horizontal tray, and fire propagation among a group of separated trays when an external exposure fire is present. Special models have been developed for situations that do not fall in the preceding classes, e.g., for cabinets exposed to fires, for fire barriers, etc.
This approach requires knowledge of the location of the cable trays and cabinets, as well as of their contents, in order to assess the impact of the fire. The importance. of transient fuels, the exact location of the fire within the room, and the impact of special measures, like the installation of fire barriers, are some of the issues that are addressed in this approach.
The detection and suppression times are represented by probability distributions that are combined with the results of the thermal models to produce the fraction of fires that cause damage [9].
4 - 37
i
- i Table 4.2-1 Results of the Sensitivity Analysis (All Frequencies are Per Reactor Year)
PSS Modified Results Contribution to TE from the control 1.222E-6 2.444E-5 room, instrument rack room and cable spreading room Contribution to TE from other areas 1.68E-7 1.68E-7 Total TE frequency 1.39E-6 2.46E-5 Total core melt frequency 4.80E-6 2.80E-5 Percent contribution of TE to 29% 88%
core melt frequency l
r 4 - 38 ~
3 This approach is not followed in the PSS. Cable tray configurations are not presented although it is claimed on p. 2.5-23 that they have been used.
The notions of the total safety loss and partial safety loss are introduced to indicate whether all the safety functions or only part of them (in a fire area) have not been lost. The impact of detection and suppression is assessed using event trees.
The lack of detail has led the PSS to values for the conditional fraction of fires that cause safety loss that are high (the mean values reported in PSS Table 2.5.2.1-3 are in the neighborhood of 0.1).
As an example, we use the cable spreading room (CSR). The fraction of fi-es causing a safety loss given a fire in the CSR is given as 9.25E-2 (PSS Table 2.5.2.1-3). This number is derived from the event tree of PSS Figure 2.5.2.1.2-1 which assesses the impact of the detection and suppression capabilities in the room. Even though the Indian Point-3 PRA does not follow the methodology of the Millstone 3 PSS, we can derive the corresponding number for the CSR by multiplying the mean value of the fraction of CSR fires that are "large and near the center of the northern wall" (0.026) with the mean value of the conditional frequency of fire propagation (0.44, the result of COMPBRN and the detection and suppression distributions). The result is 1.1E-2, i .e., nearly an order of magnitude smaller than the PSS number. The main reason is that the Indian Point PRA has taken advantage of the fact that only fires "near the center of the northern wall" within the CSR can cause significant damage. Recent evidence [10] suggests that even COMPBRN may be too conservative in some cases, so that the mean value of the conditional frequency of fire propagation may, in fact, be lower than 0.44. It appears, therefore, reasonable to say that the Indian Point number is roughly one order of magnitude lower than that of the PSS.
4.2.2.2 Human Error Rate The human error rate of 0.001 (error factor of 3) for failure to switch control to the auxiliary shutdown panel (event SEO) is not adequately justified and is too low. Furthermore, the distribution of this rate appears to be too narrow. It is explained on PSS p. 2-0-8 that the procedure for transferring of control to the ASP will be practiced on a regular basis by the
~
4 - 39
l f
operations personnel; therefore, "the NREP screening value for human errors ,
occurring within a procedural framework where recovery is possible at the point of erroneous action is used to estimate the HEP for this analysis,"
This argument, however, ignores the fact that the switching would have to take place under accident conditions during which the stress on the operators would be high.
A similar human error is analyzed in Section 9.4.6.4.2 of the Seabrook PRA[4]. It is stated there that the " stress level is deemed to be high because of the ... very confusing conditions in the control room." The mean value of 0.23 is proposed for this error rate (the 5th percentile is assessed to be on the order of 0.02, still substantially higher than the values of the MP-3 PSS).
4.2.2.3 Method of Calculation When the uncertainties are propagated through a function (by DPD, Monte Carlo, or any other method), the dependencies between events must be correctly accounted for. This does not seem to be the case here, where the histograms are combined two at a time. For example, on PSS p. 2.5-30, DE2 = and 50HHL are dependent (through 50), but they do not appear to be treated as such. The impact of this omission is not expected to be largc, because of the simplicity of the expressions that are calculated.
An interesting argument appears on PSS p. 2.5-31. There seems to be an attempt here to justify the difference between the " point" estimate and the mean of the histogram that is calculated using DPD arithmetic. This is unnecessary. The point estimate calculations usually ignore various dependencies which OPD can easily handle (but, unfortunately, not here, as indicated earlier). Furthermore, there is no reason to increase the upper tail of a histogram in order to make the probabilities add up to unity. A simple renormalization would be sufficient. Again, the impact of this practice is expected to be minor.
4 - 40 =
_,c : a __. 11 . __
m- .
_ _a __
3 -
4.2.2.4 Sensitivity Analysis We assess here the ' impact on the numerical results of the PSS of the two major findings of this review. In Section 4.2.2.1 we argued that the '
conditional fractions of total safety loss are roughly one order of magnitude I too high. In Section 4.2.2.2 we found that the human error rate SE0 could be too low by roughly a factor of 200 (all our values are mean values). The plant damage state that is affected the most by these two findings is TE (see PSS Figure 2.5.2.2.2-1 ) , to which fires in the control room, instrument rack r
room and cable spreading room are the major contributors. To do a crude sensitivity analysis, we assume that the combined impact of these two findings
,' is to increase the contribution to TE from these three fire zones by a factor of 20.
In PSS Table 2.5.2.3-1 we find that the contribution to TE from these three rooms is 4.54E-7 + 1.52E-7 + 6.16E-7 = 1.222E-6 per reactor year.
Therefore, the contribution from other areas to TE is 1.39E 1.222E-6 =
1.68E-7/ry.
The new contribution from the CR, IRR and CSR is 1.222E-6 x 20 =
2.444E-5/ry and the new total frequency of TE is 2.444E-5 + 1.68E-7 = 2.46E-5 per reactor year.
The mean core melt frequency is reported in PSS Table 2.5.2.3-1 as 4.80E-6 per reactor year. Of this,1.39E-6 (29%) is due to TE and 3.41E-6 (71%) is due to other plant damage states (the dominant one being TEC). With the new numbers the total core melt frequency is 2.46E-5 + 3.41E-6 =
2.80E-5/ry. The dominant plant state is now TE (87.8%). We note that the core melt frequency has been increased by a factor of about 6. These results are sumarized in Table 4.2-1.
l It should be noted that the contribution from zones other than the CR, IRR, and CSR would actually be smaller, because only the conservative number of the PSS appear there, and not SEO, assuming, of course, that the unavailabilities of the system listed in PSS Table 2.5. 2. 2.1 -1 are accurate.
l l
~
l 4 - 41
. i
~
This crude sensitivity analysis addresses only the two identified issues. An accurate reassessment must consider the full distributions and not only mean values. Furthermore, this analysis does not include the impact of the items that are beyond the state of the art (listed under comment #5 of Section2). Since no PRA has attempted to investigate them, it is difficult to assess their significance.
Finally, we note that the PSS analysis has addressed the is.ae of major fires that could, in combination with other failures, lead to core melt. In fact, it is stated on PSS p.1.2-7 that " critical" areas are of Type 0, i.e.,
areas where a fire can cause an _ initiating event and fail engineered safeguards. . While it is reasonable to consider only the " critical" areas in the fire analysis, fires in areas of the "B" and "C" types should be _ included in the calculations of frequencies of initiating events and system ,
unavailabilities. We are unable to judge whether these fires have been so included.
4.2.3 References
- 1. Probabilistic Risk Assessment, Zion Nuclear Power Plant, Commonwealth Edison Co., Chicago, September 1981.
- 2. Indian Point Probabilistic Safety Study, Pcwer Authority of the State of New York, Consolidated Edison Company of New York, Inc ,
1982.
- 3. Severe Accident Risk Assessment. Limerick Generating Station, Prepared for Philadelphia Electric Company by NUS Corporation, April 1983.
- 4. Seabrook Station Probabilistic Safety Assessment, Prepared for Public Service Company of New Hampshire and Yankee Atomic Electric Company by Pickard, Lowe and Garrick, Inc., 1983. ,
4 - 42 e
c _ ._ --=- . -
- - = , = - =:____ _
- 5. N. O. Siu, Probabilistic Models for the Behavior of Compartment Fires, NUREG/CR-2269, August 1981.
- 6. N. O. Siu, COMP 8RN-A Computer Code for Modeling Compartment Fires, NUREG/CR-3239, May 1983.
- 7. N. O. Siu, and G. Apostolakis, "Probabilistic Models for Cable Tray Fires", Reliability Engineering, 3:213-227, May 1982.
- 8. N. O. Siu, " Physical Models for Compartment Fires", Reliability Engiineering, 3:229-252, May 1982.
- 9. G. Apostolskis, M. Kazarians, D. C. Bley, " Methodology for Assessing the Risk from Cable Fires", Nuclear Safety, 23:391-407, July-August 1982.
- 10. G. Chung, N. O. Siu and G. Apostolakis, COMPBRN II: Code Description and Simulation of Experiments, Draft Report, UCLA-ENG-8404, University of California, Los Angeles, March 1984.
4 - 43
r 4.3 External Flooding
- In Section 1.2.3 of the Millstone PSS, it is concluded that external flooding is an insignificant contributor to plant risk. Only two sources of external flooding are considered to potentially impact the Millstone site:
tidal flooding and intense precipitation. Since there are no major rivers or streams in the vicinity of Millstone Point, river flooding and dam failure are not considered applicable to the site. Tsunamis are also excluded since there is an extremely low probability that these events will occur along the North Atlantic coast line.
The justification for excluding external flooding from the formal risk analysis is made on a qualitative basis. No formal probabilistic analysis was performed. Tidal flooding and intense precipitation are based on the effects of the Probable Maximum Hurricane (PMH) and the Probable Maximum Precipitation (PMP),respectively. No probability values are given; however, these events are judged to have a point estimate frequence of occurrence between IE-6 to lE-4 per year. This estimate is based on an approximate analysis using available hurricane hazard data in the vicinity of the Millstone site (Refs.
4.3-1 and 4.3-2) .
The description of the calculations, which were conducted to obtain the maximum wave runup and standing wave height due to the PMH and the flood depth due to the PMP, are contained in the FSAR (Ref. 4.3-3). It is apparent from the description given that conservatisms were included in the calculations (e.g., the most severe combination of hurricane parameters were used to represent the PMH and the site yard drains were considered ineffective in the PMP analysis). However, the amount of additional conservatism is not known.
It is not necessarily true that single extreme events are the only circumstances that contribute to the risk. Also, the PMH and PMP may be correlated since the PMP could be caused by the PMH.
- This section is reproduced here from Appendix 8, with minor editorial changes, for the convenience of the reader.
4 - 44 c
~ ._ - . . ,., == -_ . ~, _
l
'WM
^
In contrast to the seismic analysis, the external flooding analysis did not explicitly consider the uncertainty (which is large) in the underlying parameters and models. Even at the 100-year storm level, the coefficient of variation on water depth is expected to be approximately 0.2 to 0.3. Thus, j the conclusion that external flooding has a very low frequency of occurence is not convincing without some formal quantification of the hazard.
In including the effect of uncertainties in the external flood analysis, a distribution on the frequency of occurrence can be obtained. The present analysis implies that the frequency of flooding above the protected elevation is small. However, the margin of safety above the PMH and PMP design elevation is also small (less than 1 foot for the PMH and less than an inch for the PMP).
As an example, the point estimate for the PMH might be lE-5 per year; however, because of the large uncertainties that are present, there is a small but finite probability that the frequency of the PMH is 1E-4 per year or i larger. Similarly, it can be argued that there is a potential hurricane bigger than the PMH which could produce a wave runup which exceeds the j water-tight -%vation of 25.5 feet msl (mean sea level). The point estimate for this event might be on the order of lE-6 per year; however, due to uncertainty there also is a small but finite probability that is is IE-5 per year or larger. Proceeding in this manner, it can be shown that including uncertainty will result in a family of hazard curves which may increase the i mean frequency of water depth above the value obtained using only a single point estimate value (i .e., the 'PMH). In order to evaluate the implications of a water level greater than 25.5 feet msl, it is necessary to either conservatively assume core melt or to develop event trees, fault trees, and equipment fragilities to systematically incorporate the unique features of the plant into the uncertainty analysis.
In summary, a formal analysis should be conducted which provides frequencies of occurrence and includes uncertainty in the external flood models and parameters. Because of the large uncertainties which exist for external flood, there is the possibility that the mean frequency of core melt 4 - 45 ,
l l . . . _ . . -
h h larger than IE-6. In order to conclude that the contribution from external flooding is insignificant relative to other hazards, a complete statement of the probability distribution on frequency of occurrence should be provided.
References 4.3-1. Pickard, Lowe, and Garrick, " Indian Point Probabilistic Safety Study," Prepared for Consolidated Edison Company of New York, Inc.,
and Power Authority of the State of New York, Copyright 1982.
4.3-2. Batts, M. E. et al., " Hurricane Wind Speeds in the United State," NBS Building Science Series 124, National Bureau of Standards, May 1980.
4.3.3. Northeast Utilities Service Company, " Final Safety Analysis Report, Millstone Nuclear Power Station Unit 3," 1983.
o 4 - 46 .
aa wa -
- m. .-
- -n - - - -
~_
4.4 INTERNAL FLOODS This section describes the review of methods and procedures used in the Millstone 3 PSS for assessing the consequences of reactor accidents involving internal floods. The conclusion of this review is that the flood analysis is incomplete and the results of the analysis are speculative. A major limitation of the analysis is the absence of calculations for flow rates, drainage rates, and flood levels. Instead, the PSS presents a qualitative treatment of flood hazard and concludes that internal flooding is not a significant contributor to core melt. A particular concern is that the approach used could downgrade the importance of flooding in some zones, such as the switchgear and cable-spreading rooms.
The PRA procedures guide l states that, for some nuclear power plants, internal floods can be an important cause of multiple dependent failures.
This guide proposes that a flood risk analysis consist of a hazard assessment, a component fragility evaluation, a plant system repsonse assessment, and a release frequency analysis. The hazard assessment involves both a qualitative evaluation in which specific flood scenarios are selected for quantification and a quantitative assessment that provides an estimate of the frequency of specific damage states. The flood hazard assessment is conceptually similar to a fire hazard assessment. However, according to the procedures guide, significant among the distinctions between these assessments are that sources of flooding should be 'nore easily and completely enumerated and that floods are more likely to propagate.
~
Overview of the Millstone 3 Internal Flood Analysis The risk assessmeat of internal flooding for Millstone 3 consisted of a qualitative evaluation, in which specific scenarios were seiected for further evaluation, and a quantitative evaluation, in which the frequency of exceeding various accident consequences was estimated. The qualitative analysis
, involved an evaluation of floor plans at various elevations to determine the critical safety-related components or systems that would be affected by a single flooding event. In order to conduct this analysis, buildings and 4 - 47 l
\
n . . ..
l facilities at the Millstone 3 site were divided into " flood zones." According to the PSS, the flood zones were established using fire boundary areas but fire boundary areas "did not constitute the sole basis for establishment of a
- flood zone." Watever additional criteria were used to establish these zones were not discussed in the PSS.
- The established flood zones were reviewed for possible sources of internal ,
flooding. Table 4.4-1 provides a list of plant systems considered credible
. flood sources in the PSS. Each source was assumed to have a flooding frequency of 2x10-3/yr. It is stated that this is derived from the WASH-1400 estimate for the frequency of a pipe break greater than 6 inches. A postulated flood was assumed to disable all components within the flood zone coresponding to the source. Consideration was also given to progressive flooding, in which sufficient water is discharged in one zone to flow to and affect safety equipment in an adjacent zone. Where the potential exists for progressive flooding, all components in the progressively flooded zone are also assumed to be disabled.
If the loss of all components within a flooded zone would not initiate a transient or LOCA or if no safe shutdown equipment was destroyed, that flood zone is removed from further analysis. Flood zones not removed by this screening process were subjected to further analysis. This consisted of
- multiplying the unavailability (2x10-3/yr) of the systems disabled by flooding by the unavailability of redundant or alternate systems that could
- _ substitute for the flood-damaged systems in preventing core damage. The l- latter unavailabilities were taken from the results of the plant event and fault tree analyses.
The procedures described above were used to determine that core melt induced by internal flooding has an estimated frequency of 8.5x10 /yr.
The PSS further concludes, based on the analysis, that internal flooding does not significantly contribute to overall plant risk.
1 l
4 - 48 a l
. _-.- uw - . .a - - .: w-.. - =
3 __
Table 4.4-1 Plant Syste;ns Considered as Credible Flood Sources.
- 1. Main Feedwater System
- 2. Auxiliary Feedwater System
- 3. Service Water System
- 4. Chemical and Volume Control System
- 5. Reactor Plant Component Cooling Water Systein
- 6. Turbine Plant Component Cooling Water System
- 7. Chilled Water System
- 8. Site Fire Protection System
- 9. High Pressure Safety Injection System 10 Low Pressure Safety Injection System
- 11. Condensate and Demineralized Water Storage System
- 12. Boron Recovery System
- 13. Gaseous Waste Disposal System
- 14. Circulating Water System 4 - 49 I
g;
_ t State-of-the-Art in Flood Risk Analysis The most extensive analysis system currently available for assessing the risks associated with internal floods is the ESP-NOAH code package.2 The flood risk analysis methods in this package are designed to identify and quantify flood impacts by using the results of the plant's systems failure analysis. ESP identifies accident sequences and systems that can contribute to plant risk as result of floods. The input to ESP consists of accident sequences and system failure probabilities obtained from the fault and event tree analysis, engineering criteria describing system susceptibility to flooding, and the flood probabilities. ESP screens the accident sequences based on the engineering criteria and determines important system failures and accident sequences along with a quantitative estimate of each sequence's contibution to overall flood risk. The important system failures identified by ESP are candidates for a more detailed systems analysis using NOAH.
The NOAH program also uses system fault trees as input to make a quantitative flood risk assessment. Other inputs to NOAH include flood level increments within the plant (discretized flood level profile) and the effective elevation of each component in a fault tree (component vulnerability elevation). With this information NOAH simulates the flooding of components in the fault tree. The output of this simulation is the order of component submersion and the flooded minimal cut sets, if any exist. If no flooded minimal cut sets exist, NOAH determines partially flooded minimal cut sets.
These cut sets represent the system failure modes during flooding and provide input to the quantitative evaluation of system failure probability as a function of flood level.
Coments on the Internal Flooding Analysis in the Millstone PSS Each zone containing a flood source is assumed to have a flood frequency of 2x10-3/yr. The basis for selecting this value is quite weak. It was stated to be derived from a WASH-1400 estimate for breaks in pipes with a diameter greater than six inches. This approach provides no estimate of the actual flood sources present in each zone. As far as we can determine, WASH-1400 only provides pipe break frequencies per hour per pipe segment as a 4 - 50 -
_ __ w_ .__a4 _ 1 # _ _ _ o %
~
function of pipe size. The PSS'does not make clear how this information could be used to calculate or estimate this -" generic" value for flood frequency.
The only apparent way that flood frequencies could be calculated from WASH-1400 data is to count all pipe segments in a zone in each size category and use the pipe segment failure frequencies together with flow capacities to calculate the annual probability of exceeding a given flood hazard in each zone. The simplistic approach actually employed in the PSS leaves doubt as to whether the analysis is capable of screening the potentially important flood sources in the Millstone plant.
Inadvertent actuation of fire protection equipment was not considered as a potential flooding source. Excluding such sources is likely to make the results optimistic, since fire sprinklers generally spray directly onto components so that significant water heights may not be necessary to cause equipment failures. However, some consideration of this problem should be and usually is taken up durina plant design.
The PSS made the conservative assumption that all components in a flood zone are disabled if a flood occurs in that zone.
! It is stated in the PSS that the ficoding analysis includes ruptures of l pipes, tanks, or vessels. However, the review found no tanks or vessels used l as flood sources. The RWST was included in the analysis, but only in terms of the pipes that lead from it, not rupture of the vessel itself. The PSS states j that flooding caused by overfilling of tanks is bounded by the effects of pipe breaks. This assumption was used without even a qualitative justification,
, which we believe diminishes the value of the analysis. -
i Although the PSS deals with progressive flooding (from one zone to another), it is difficult to determine the modeling assumptions used to treat this process. In particular it is difficult to establish what criteria were used to decide when progressive flooding occurs. A review of the progressive flooding tables in the PSS reveals that progressive flooding was considered between some, but not all, adjacent zones connected by a door. Similarly, progressive flooding to zones directly below a flooded zone was assessed in some cases but not in others. There were also cases in which flooding occurs 4 - 51
g-- --
s - '
between zones with coninon walls but no door. The PSS stites that a progressive flood will occur when the water level in a particular zonc reaches -
5 feet. This is baseh on'the assumption that the fire boundary can withstand a differential pressure of 2' psid. This assumption appears reasonable even though no actual boundary analysis was performed. Nevertheless, the procedure used to determined if'a' flood could reach this height was not described. The only relevant informatiNincluded'was that closed systems (such as component
~
cooling) did not contain enough water to cause progressive flooding -- a reasonable assumption. It could not be determined from the PSS what analysis a was used to determine the volume of water released in flooding by sources '
other than closed systems, s.*
The PSS assumes that a reactor trip occurs following any flood-induced initiating event. This appears to be an optimistic assumption. However, it is not likely that the implications of this assumption are significant.
4 The PSS assumes that if a flood in a given zone does not initiate a l transient or LOCA (by impacting a component necessary for normal operation) or disable safe shutdown equipment, then that zone can be eliminated from further consideration. Because it implies that a plant continues to run during a flood, this assumption is questionable. Futhermore , it excludes from the analysis those zones that contain important safety equipment not directly necessary for normal operation or shutdown. It may be more y reasonable to assume that operators would be required to shut down when significant flooding is discovered in any area of the plant. "
The analysis of flooding in the switchgear and cable-spreading rooms '
indicates that core melt induced by flooding in these areas has a frequency of' about lx10-6 per year. Because of the large uncertainty in the screening analysisperformedforMillstoAePSSinternalflooding, a frequency of this magnitude should suggest the need for additional analysis. However, no l
further analysis was perforned. Instead, the authors reduced the frquency by multiplying with the factor 0.7, which is described as the probability of damaging all cables in the rooms The basis of this factor is not described or justified. Futhermore, the results of the flooding analysis strongly suggest that internal flooding can not simply oe dismissed as comparable to fires as a cause of core melt, contrary to the conclusions of the PSS.
4 - 52 \ -
. - . - - . - - -- - - - - - . . ~ _ . - _ . - - - - . - . . . - ---, . - ..
c.__. . .- . _- _
_ _ _ _ _ _,=_m a .
l Conclusions The internal flooding analysis performed in the Millstone PSS can be characterized as a predominatt:1y qualitative screening analysis with nunbers attached to reflect the authors best estimates. The process results in an j estimated frequency of internal flood-induced core melt of 10-6 per year. l The simplistic approach leads us to question whether the analysis is capable of screening the potentially important flood sources in the Millstone plant.
In addition, the uncertainties inherent in the analysis indicate that the results could be in error by orders of magnitude. The results of the screening analysis would have to be at least an order of magnitude lower to allow internal flooding to be dismissed as a contributor to core melt risk.
In our opinion, internal flooding in the cable-spreading and switchgear rooms should have been assessed in more detail using realistic flow rates, drainage rates and flood levels instead of arbitrary values.
References for Section 4.4 4
- 1. U. J,. Nuclear Regulatory Commission, "PRA Procedures Guide,"
NUREG/CR-2300. (1982).
- 2. D. P. Wagner, M. L. Casada, and J. B. Fussell, " Flood Risk Analysis Methodology Development Project Final Report," NUREG/CR-2678 (ORNL/TM-8314), (1983).
i 1
4
~
4 - 53
~
~
4.5 Extreme Winds
- PSS Section 1.2.5 concludes that wind does not contribute significantly to plant risk. The governing wind event at the Millstone site is the occurrence of severe tornados. In general, the effects of tornados, hurricanes, and extratropical cyclopes (i.e., normal winter storms and thunderstorms) should be considered in the wind risk analysis. As discussed below, it is agreed that tornado effects, which pctentially create much larger loads, do not contribute significantly to plant risk; thus, the effects of other wind Icads are implicitly included.
It is stated that all Millstone Unit 3 safety-related structures are of reinforced concrete construction with wall thicknesses of at least two feet.
Except for some of the Ouench Spray system components, all other safety-related components are contained in safety-related structures (Ref.
4.5-1, Table 3.2-1 ).
Based on the analysis described in Section 1.2.5.1.1 of the Millstone 3 PSS, it is stated that the frequency of exceeding the design tornado wind speed of 360 mph is approximately 5.4E-6 per year. It is believed that this value is very conservative as discussed below.
At the Indian Point site, which is approximately 100 miles away and which is in an area with higher tornado activity based on historic data, the mean maximum tornado wind speed at the 1E'-7 per year frequency level is 230 mph with an 80 percent confidence range of 170 to 340 mph (Ref. 4.5-2). Other independent point estimates for the Indian Point ite at this frecuency level
, are 236 mph and 200 mph (Ref. 4.5-3). Note that these results are significant
! since the reported mean rate of tornado occurrence in the Millstone Unit 3 PSS
-is 1.87E-4 per square mile per year, which is lower than the value of 2.4E-4 per square mile per year used in the Indian Point study (Ref. 4.5-2).
t
- This section is reproduced here from Appendix B, with minor editorial changes, for the convenience of the reader.
4 - 54 -
n ,
m.______ _. = -_-.
__ ,< m m _ _
sm __q A recenc technical paper by Twisdale gives velocity frequency curves for four regions of the contiguous U.S. (Ref. 4.5-4). None of the curves extend beyond 300 mph. Finally, using an approach developed by Reinhold (Ref.
4.5-5), the mean frecuency using a tornado occurrence rate of 1.87E-4 per square mile per year was found to be less than IE-8 per year. It is concluded that the mean frequency of occurrence of tornados with maximum wind speeds equal to or greater than 360 mph is less than lE-8 per year.
On the capacity side of the problem, all safety-related structures are designed, using code procedures and allowable strength values, to resist wind speeds of 360 mph and associated tornado missiles. From a probabilistic viewpoint, the frequency of structural failure or missile-induced damage given a 360 mph tornado would be one to two order of magnitude lower than the frequency of the tornado occurrence.
Because of the extremely low mean frequencies of failure (i.e., on the order of IE-9 to lE-10 per year), it can be safely concluded that tornado (and hence other lesser wind types) effects are not :ignificant. Even considering the contribution of uncertainty it is unlikely that the effects of wind would contribute significantly to the plant risk.
References 4.5-1. Northeast Utilities Service Company, " Final Safety Analysis Report, Millstone Nuclear Power Station Unit," 1983.
4.5-2. Pickard, Lowe, and Garrick, " Indian Point Probabilistic Safety Study," Prepared for Consolidated Edison Company of New York, Inc.,
and Power Authority of the State of New York, Copyright 1982.
4.5-3. Kolb, G. J., et al., " Review and Evaluation of the Indian Point Probabilistic Safety Study," Prepared for U.S. Nuclear Regulatory Connission, NUREG/CR-2934, December 1982.
I 4 - 55 I
4.5-4. Twisdale, L. A., and W. L. Dunn, "Probabilistic Analysis of Tornado Wind Risks," Journal of the Structural Division, ASCE, Vol.109, No.
2, February 1983.
4.5-5. Reinhold, T. A., and B. Ellingwood " Tornado Damage Risk i
Assessment," NUREG/CR-2944, Brookhaven National Laboratory, September 1982.
1 4
1 9
l c
4 - 56
.a n _n-- -- - - .
4.6 Aircraft Accidents The PSS analysis of onsite aircraft crashes is presented in PSS Section 1.2.6.2. It includes a quantitative assessment of crash frequency performed in accordance with NRC Standard Review Plan Section 3.5.1.6. The results of this assessment include the following total frequency estimates for three classes of aircraft:
l General Aviation 1.5E-6/yr Comercial Aviation 1.2E-7/yr Military Aviation 3.4 E-9/yr These numbers were calculated by considering aircraft operations at two nearby airports and aircraft traffic (inflight) accidents in three nearby federal ,
airways.
Aircraft operations were considered at the New London - Waterford Airport, which services only general aviation, and at the Groton - New London Airport, which services general, commercial, and military aviation.
The effective plant area susceptible to damage from general aviation was taken to include only the Unit 3 switchyard and determined to be 4.6E-3 square miles. The effective plant area susceptible to damage from commercial and military aviation was taken to include the containment structure, auxiliary building, control building, ESF building, main steam buildino, emergency generator enclosure, and the Unit 3 switchyard. This area was determined to be 9.5E-3 square miles. These choices and areas are considered reasonable and conservative.
The results of the quantitative assessment of airport operations were crash frequencies of:
4 - 57
General Aviation New London -
Waterford 2.5E-7/yr Groton 1.2E-6/yr Commercial (Groton) 1.1 E-7/yr Military (Groton) 3.4E-9/yr Consideration of potential in-flight accidents in the three nearb.v federal airways which could result in onsite aircraft crashes used an effective plant area of 9.5E-3 square miles (the figure for commercial and military aircraft) and yielded the following crash frequencies:
Airway V-16 1.1 E-8/yr Airway V-58 5.5E-10/yr Airway V-374 1.5 E-10/yr The overall results are consistent with the one-paragraph discussion of l
aircraft hazards in FSAR Section 3.5.1.6, which states that "A study of the probability of aircraft which use nearby airports and airways colliding with the safety related structures of the Millstone site ... concludes that the aircraft accident probability would be less than 1.3E-7 per year for a number of years since no increase in air traffic is projected in the vicinity o.f the site." The PSS, however, does not include any discussion of projected air traffic.
The PSS analysis of crash frequencies is judged to be conservative, based on their selection of conservative parameter values made in the screening evaluation for the numbers and types of flights considered. Although there is a brief discussion of the types of accident sequences that could be initiated by an onsite aircraft crash, no risk values were computed or presented in the PSS.
The most likely cause of an onsite crash identified in the evaluation is due to general aviation, with a frequency of 1.5E-6/yr. The dominant' L
contribution (1.2E-6/yr) to this frequency comes from operations at the Groton Airport. Such an accident is considered to have the potential of initiating a loss of offsite power accident sequence, but other (random) failures in the i
4 - 58 e l
y - w - -.a__w - - -
-s _an 1 =- - = w :. . . ~-
plant would be required to result in a core melt accident. In effect, the high predicted frequency of onsite crashes for these relatively lightweight aircraft is offset a lower conditional probability of core melt, given an accident initiated by this type of aircraft.
An onsite crash by a heavier commercial or military aircraft has the potential to initiate a greater variety of accident sequences, but these crashes have an order-of-magnitude smaller frequency of occurrence so that they are not significant contributors to core melt accidents.
The PSS analysis of onsite aircraft crashes concludes that such accidents do not contribute significantly to plant risk on the basis of their low frequencies and the low likelihood of such an accident resulting in a core melt. We agree that this conclusion is reasonable.
References 4.6-1. Northeast Utilities, Millstone Unit 3, Final Safety Analysis Report, 1982.
4 .6 -2. U.S. Nuclear Regulatory Commission, Standard Review Plan, Section 3.5.1.6, Rev. 2, July 1981.
4 - 59
f
- i 4.7 Hazardous Materials This section provides a review of the Millstone 3 PSS treatment of
- offsite and onsite incidents involving transportation and storage facilities-
- for hazardous materials. Transportation facilities considered in the PSS were
- road, rail and waterway traffic routes. Also considered were onsite storage j facilities and nearby gas and oil pipelines. The conclusion of the PSS was that none of the sources of hazardous material would pose significant risk to the plant in terms of potential core melt initiation. This conclusion seems reasonable, based on the results of other PRA studies. Nevertheless, the Millstone 3 PSS arrived at this conclusion using a limited and somewhat arbitrary analysis for screening potential risk contributors.
4.7.1 Identification and Screening of Hazardous Materials Initiators The potential for core melt initiated by onsite or offsite sources of hazardous materials was assessed by considering road, rail and water transport routes and onsite and offsite storage facilities and pipelines.
Highway routes proximate to the Millstone site reported in the PSS include Interstate 95, which passes within_ four miles; U.S. Highway 1, passing within three miles; and State Highway 156 within 1.5 miles. The PSS concludes that, because of the distance between the plant and these routes, no accident involving explosions or toxic materials could impact the plant. The PSS makes j no estimate of the frequency of accidents on these routes or of the amount of attenuation provided by atmospheric dispersion. Our own estimate reveals that i under adverse conditions (F stability,1 m/s wind velocity) the atmosphere would dilute a toxic substance released on any of these routes by at least a i f actor of 104 before the plume reach:d the plant.
Onsite transport of hazardous materials to Millstone is stated to involve truck-size quantities of hydrogen, sulfuric acid and sodium hydroxide. Two of these materials (sulfuric acid, sodium hydroxide) are shipped to the plant every six weeks. The PSS concludes that onsite road transportation would not i pose significant risk to the plant. No estimate of accident frequencies or consequences was made to suppcet this conclusion.
4 - 60 "
i L
l I. - - , . . - - ..
. - . . . _ _. , , ~ .
j The Millstone site is traversed by the Conrail / Amtrak rail system. )
Eighteen passenger trains and one freight train pass daily along tracks near l the site. The PSS estimated the probability of rail shipment accidents and the consequent potential for missile generation, unconfined vapor cloud explosion and control room uninhabitability. The aggregate frequency of such accidents is estimated to be 8.2E-7 per year. Damage to safety-related structures as a result of railroad accident missiles is estimated to be no greater than 2.0E-8/yr. The unconfined vapor cloud explosion is estimated to have a frequency of 8.4E-9/yr. Control room habitability following a release of propane is determined to be a sub-lethal I9.3 g/m3 . However, the inflammability of this concentration within the control room is not discussed. Because of these low (and, judging from the use of two and three significant figure:. highly accurate) estimated frequencies, railroad accidents are judged to be insignificant contributors to plant risk.
1 Water traffic on Long Island Sound in the vicinity of the site is stated to average twelve ships per day. It is stated that no oil barges pass within two miles of the site. No consideration is given to other hazardous material transportation on the sound. Consideration is given to possible damage of the service water pumphouse by runaway barges, but it is found that the service pumps would not be impaired by this event. Thus, it is concluded that waterway traffic does not contribute significantly to plant risk. Again, no quantitative estimates were made to support this conclusion.
Hydrogen and liquid chlorine are stated to be the only hazardous materials stored onsite in quantities greater than 100 pounds. The PSS, using information in the FSAR [2], concludes that the hydrogen storage facility poses a negligible hazard. However, no quantitative estimate of explosion probability was made in support of this conclusion.
According to the PSS, chlorine is stored in two railroad tank cars approximately 1400 feet from the Unit 3 control room air intakes. An analysis performed in the FSAR [2] shows that the control room could be made uninhabitable if one of these tank cars were to rupture. To mitigate the consequences of this event, a chlorine detection system has been planned for Unit 3. This system is described as providing warning and an automatic 4 - 61
changeover to a closed air' recirculation system for the control room. The PSS states that, because chlorine tank ruptures are rare and because of the mitigating features, the storage of chlorine onsite does not contribute significantly to plant risk. Again, no quantitative estimate of the frequency of hazard occurrence is used to support this-conclusion. As a minimum, some estimate of both tank rupture frequency and the expected infiltration rate into the control room (during closed circulation mode) should have been provided. The NRC staff has found that large discrepancies exist between the leak-tightness of control ventilation systems as specifi-' in designs and that measured in actual operating plants [3].
It was reported in the PSS that no major gas transmission lines pass within five miles of the Millstone site, that the nearest gas distribution line is approximately three miles from the site, and that there are no oil transmission or distribution lines located within five miles of the site. On the basis of this information, it is concluded that pipelines do not pose a credible risk to the plant. We concur.
4.7.2 Comments In reviewing the treatment of hazardous materials as contributors to plant risk at Millstone III, we applied three questions:
- 1. Was consideration given to all potential sources?
l 2. What screening criteria were used to identify important contributors?
- 3. Were these screening criteria applied appropriately?
The answer to the first question is that the PSS did not make clear what procedure was used to ensure that all potential external events were considered and that all the significant ones were selected for detailed risk studies. In applying the second question, we found no well-defined screening criteria for eliminating insignificant contributors to risk. Yet all sources 4 - 62 -
7-
__7 - _ _ . - - _ _ _ _._ - . - - . - = - ___ ..
-3= %4- _,- ng. cus of hazardous material on and near the Millstone site were determined to be insignificant contributors to risk in the PSS. The only source for which a numerical estimate of potential risk was made was rail shipments of propane.
In this case, the numerical estimate reveals that indeed the source is a small contribution. However, we are asked to accept thc PSS judgment that all other sources are insignificant risk contributors. Finally, because the screening criteria were not explicitly stated, it was not possible to determine whether they were app!ied appropriately or consistently.
4.7.3 References
- 1. U.S. Nuclear Regulatory Commission, "PRA Procedures Guide", U.S. NRC Report NUREG/CR-2300, 1983.
- 2. Northeast Utilities," Final Safety Analysis Report for Millstone Nuclear Power Station Unit 3".
- 3. Personal Communication with Kazimieras Campe.
l 1
i 4 - 63
4.8 Turbine Missiles The PSS analysis of the contribution to core melt probability from accidents that produce turbine missiles is presented in PSS Section 1.2.8.
The material presented is essentially a summary of FSAR Sections 3.5.1.3, 3.5.2 and 3.5.3. The PSS and PSAR state that the probability estimates were developed using the approach described by Bush [1] in which the following expression is evaluated:
P4 = P1 x P2 x P3 where Pl - frequency of missile generating turbine failures per year of turbine operation P2 - conditional probability of a missile striking a critical structure or component, given missile generation P3 - conditional probability of a missile causing significant damage, given that it strikes a critical structure or component.
Two mechanisms for turbine failure are considered: ductile fracture of rotating turbine parts under abnormal overspeed conditions, and br ttle fracture at or near operating speed caused by material defects or stress corrosion cracking. The source of the P1 probability used in the PSS calculations, however, is a Memo Report [2] from the turbine vendor (GE) that does not consider stress corrosion cracking. The probability values are (only the 30-yr numbers are presented in the report):
Per 30-yr Plant Life Per Yr l
Brittle fracture (rated speed failure) 2.6E-7 8.7E-9 Ductile fracture (overspeed failure) 1.5E-7 5.0E-9 t
Total fracture 4.1E-7 1.4E-8 4 - 64 -
The probability of missile strike (P2) was calculated using a computer program which was not described.
The probability of the missile causing significant damage (P3) was evaluated using criteria from Bush [1].
The overall results for P4 is a total probability of damage of 7.5E-9 for the 30-year life of the plant, or 2.5E-10/ year, based on the total P1 probability of 4.1E-7/ plant life provided by GE. This low probability does not account for recent NRC concerns with stress corrosion cracking.
l The review identified two areas of concern in the PSS analysis. These are !
(1) the effect of stress corrosion cracking on the P1 probability and (2) the l assumption that one and only one turbine wheel fractures during an incident.
The PSS acknowledges that the first concern exists and provides a
" bounding" calculation for P4 using the P1 value of IE-4 recommended in NRC Reg. Guide 1.115 which results in a turbine missile damage frequency of "only slightly above 1E-6/yr," which the PSS judges to be acceptable due to the conservatism in the overall analysis. (The P4 value is 1.8E-6/yr, based on the P2 and P3 numbers shown in the PSS.)
We note that the use of a Pl value of 1E-4/yr produces a P4 value not in compliance with Reg. Guide 1.115, although this point is not important to this review. It is not clear, however, whether or not lE-4/yr is an appropriate P1 value to use in this analysis. Given the current state of the art in this area, ed in the absence of better information regarding the value of P1, we would agree that the current PSS results for P4 are reasonable and acceptable.
The assumption that one and only one turbine wheel fractures during an incident is considered realistic, although the PSS provides no discussion or justification for it.
The PSS analysis of turbine missiles concludes that they do not si5nificantly contribute to overall plant risk on the basis of their low frequencies. We agree that this conclusion is reasonable.
4 - 65 -
REFERENCES .
4 .8 -1. Bush, S.H., " Probability of Damage to Nuclear Components Due to Turbine Failure," Nuclear Safety, Vol 14, No. 3, May-June 1973.
4.8-2. General Electric Company, Hypothetical Turbine Missiles - Probability of Occurrence, Memo Report, March 1973, cited in G.C.L. Yeh,
" Probability and Containmnet of Turbine Missiles," Nuclear Engineering and Design, Vol. 37, 1976.
4.8-3 Northeast Utilities, Millstone Unit 3 Final Safety Analysis Report, 1982.
4 - 66
5.0 Summary and Conclusions 5.1 Dominant Sequences Corresponding to Each Plant Damage State 5.1.1 Internal Events A simplified requentification was performed for the internal event sequences affected by the findings of the review. The requantification process used. and the results are presented.-in this section.
9 All of the suggested modifications"to the internal events analysis that are described in Chapter 3 have been included in this simplified l
requantification. The' results should be used with care with due consideration j given to potential shortcomings in these results arising from the necessarily simplified methoos used to perform the requantification. The following assumptions and limitations are applicable and should be kept in mind when the results are examined.
o lhe initiating event categories and frequencies used are the revised events and frequencies discussed in Section 3.1 and summarized on Table 3.1.1 under the column titled " Point Est."
o Requantification is based on the revised event trees presented in Section 3.2. Event probabilities are generally taken from the PSS, except for system failure and human error events, and for the recirculation pump seal LOCA during station blackout (event S2 for support state 7) as described in Section 3.2.3.1.
o With two exceptions, the models and data used in the PSS to assess
- system failure probabilities and support state probabilities were evaluated as reasonable and used in the requantification.
j The first exception is for LOSP in support states 6 and 7, where l the data used in the PSS for diesel-generators was evaluated as optimistic, as discussed in Section 3.6. Using the revised i
! 5-1 l
l
, -, - ,-- - - - - , - , -w -- , ,- - - , - - - - - - , n 4 - - , . - - - - . - - , , - , - - - - - - - - - - -
~
diesel-generator data,'the support state failure probabilities changed from 0.014 to 0.04 for support state 6 and from 0.00018
'to 0.002 for support state 7.
The second exception concerns a modeling deficiency involving 4 the DC batteries, the vital AC power supplies, and the emergency-generator load sequencers. The deficiency, which is particularly important during LOSP events, is discussed in Sections 3.4 and 3.10. The requantification did not treat this issue because the significant effort that would have been required is'outside the scope of this review. This is a limitation on the results of the requantification.
, o The operator action failure probabilities used are the revised and appended values discussed in Section 3.5 and summarized in Table
, 3.5.1 in the column titled " Review Assessment".
l o All of the requantification effort was performed and checked by hand. No independent review of these results has been performed.
o In order to perform the requantification in a time frame and level of effort in keeping with the scope of the review, it was necessary to l
truncate the analysis at lE-7/ Reactor-year for any given sequence.
Thus, no sequences of lower frequency are accounted for. This means two things: First, plant damage state frecuencies around lE-7 have inherently greater uncertainty than those of higher freauency since truncated sequences could contribute significantly to the,n. Second, plant damage states which have no review estimate value given are not necessarily lower than lE-7; they simply do not have any sequences of IE-7 or greater contributing to them.- These limitations must be kept in mind when using the requantification results.
l l
5-2
3 -
~~
5.1.2 Requantification Results s The results of the requantification discussed above are presented in this section. It is very important to remember that these results should not be .
presented without reference to the assumptions and limitations discussed in Section 5.1.1. Table 5.1.1 presents the review requantification estimate for each plant damage state and compares it to the mean value from the MP-3 PSS.
Table 5.1.2 presents the dominant sequences whose frequency is at least IE-7/ Reactor-year for each plant damage state as determined by the requantification. The format of the sequence representation is the same as in the PSS. A legend to aid in interpreting the sequence representations is provided at the end of the table. The remainder of this section discusses the reasons for the major differences between the PSS mean and the review point estimate in certain plant damage states.
5.1.2.1 Small LOCA with Early Core Melt The principal reason for the increase in the frequency of these plant damage states (SEC, SE) is the transfer of long term station blackout sequences with secondary cooling states from the equivalent plant damage states (TEC, TE). This is discussed in Section 3.2.3.1. Other changes made prior to this transfer also had an effect on these plant damage states. These two damage states, and SEC', were affected by the reduction of the small LOCA frequency (see Section 3.1.2.8) and the inclusion of operator error 0A-2-E (see Sections 3.2.1.1 and 3.5.1.4). The net effect of these two changes was insignificant, as they essentially offset one another. The reevaluation of ATWS, which is discussed in detail in Section 3.2.2.5, resulted in increasing the frequency of damage state SEC by a factor of three. Although many of the ATWS modifications had an effect, the increase is due mostly to the assumption that RCS pressure in excess of Service Level C results in core melt. This increase in SEC from ATWS is not important in the final result since its contribution is not significant compared to the contribution from the long term station blackout sequences.
5-3
l
~
{
5.1.2.2 Incore Instrument Tube Rupture with Early Core Melt .
The principal reason for the increase in the frequency of this plant j
-damage state (5'EC) is our inclusion of the procedural error 0A-2-E. This '
error, which was not considered in the PSS, accounts f'or the operator overthrottling the high pressure injection system when he tries to take control of it during these sequences. Our evaluation is discussed in detail _ . .
in Sections 3.2.1.1 and 3.5.1.4.
5.1.2.3 Small LOCA with late Core Melt The principal reason for the increase in the frequency of these plant
, damage states (SLC, SLC', S'L) is our rejection of the PSS assumption that it is possible to avoid the need for recirculation by conserving RWST inventory for these events.- A detailed discussion of this subject is contained in eye.n s cr a an set of core sequences and the PSS r irculat o I
failure probability was high enough to raise the frequency of these damage states.
5.1.2.4 Transients with Early Core Melt The principal reason for the frequency of these plant damage states (TEC, TE) either remaining the same or decreasing is the transfer of some of the
- long term station blackout sequences, which would have been dominant contributors, to the small LOCA plant damage states (SEC, SE) as described in Section 5.1.2.1 and discussed in Section 3.2.3.1. It is important to note, however, that the frequency of the sequences which were transferred to other plant damage states, and the frequency of the loss of offsite power sequences
-which remain in the TEC and TE plant damage states increased due to our reanalysis. The remainder of this section discusses the reasons for the increase, and thus also applies to plant damage states SEC and SE.
I There are two principal reasons for the increase in the frequency of the long term station blackout sequences. The first is the increase in the support state 6 and 7 probabilities discussed in Sections 5.1.1 and 3.6. The ,
5-a
. . - . - . . . ~ - - = , - . - - . -- . - - - . . - - - - - - -- ----
second is the changs in' the recirculation pump seal failure probability discussed in Section 3.2.3.1. These items in combination contribute most of the increase in the frequency of these sequences. It is important to note that the modeling deficiency concerning loss of offsite power dicussed in Section 5.1.1 might have caused a greater increase in the frequency of these sequences if it could have been treated in the review. It is also worth noting that the use of unmodified EPRI recovery factors for loss of offsite power (rather than the PSS modified values) with the assumption that RCP seal LOCA occurs at 30 minutes would have resulted in additional increases in the frequency of three of the four plant damage states affected by these sequences. Damage state SEC would have increased by an additional 25%, which would not have affected our results; damage state TE would have increased by an additional factor of two, to 2E-6; and damage state SE would have increased by an additional factor of three, to 6E-6.
5.1.2.5 Transients with late Core Melt The principal reason for the increase in the frequency of this plant damage state (TLC) is inclusion of operator action OA-10 for steam generator tube rupture events. This action represents a requirement that the operator must act to reduce primary system pressure by controlling HPI flow for steam generator tube rupture events where both auxiliary feedwater and high pressure injection are functioning. This requirement, which was not considered in the PSS, is evaluated and discussed in detail in Section 3.2.2.2.
5.1.2.6 Steam Generator Tube Rupture with Steam Leak and Early Core Melt The principal reason for the increase in the frequency of these plant damage states (V2EC, V2EC') is inclusion of operator action OA-6-E. This error, which was not considered in the PSS, accounts for the operator misdiagnosing the plant conditions and terminating hioh pressure injection when it should not be terminated. The error is evaluated and discussed in detail in Sections 3.2.1.1 and 3.5.I.5. -
5-5
(
5.1.2.7 Steam Generator Tube Rupture with Steam Leak and Late Core Melt The principal reason for the increase in the frequency of this plant damage state (V2LC) is the same as for transients with late core melt (see Section 5.1.2.5 above).
l 5.1.2.8 Interfacing Systems LOCA l
C The principal reason for the decrease in the frequency of this plant damage state (V) is requantification of the initiator frequency, which is evaluated and discussed in detail in Section 3.1.2.7.
i This reanalysis does not irclude the considerations discussed in Section 3.9, which would reduce interfacing systems LOCA probability even further. It is important to note, however, that the overall results of the requantification effort shown in Table 5.1-1, which show a higher probability of core melt, do not imediately imply a greater risk to the public. The reduction in the probability of the interfacing systems LOCA is expected to result in a reduction in the overall risk for early fatalities in spite of the significant increase in the overall core melt probability.
5.1.3 External Events The external event analysis presented in the PSS was not as detailed as the internal event analysis. Although, in general terms, the range of' external event types considered is reasonable and consistent, detailed evaluations were performed only for earthquakes and fires: all other external events were dismissed on the basis of screening evaluations.
l The seismic evaluation presented in the PSS was completely revised by Amendment 2 to the PSS. Both the seismic hazard and seismic fragility assessments were extensively revised. The original core melt probability due to seismic events of 9.4E-5 per reactor was the dominant contributor to core melt events from all causes. The revised probability of 1.7E-5 per reacter year, which has not been completely reviewed, would still be a significant contributor to core melt events. A detailed description of the findings of a review of the new results being performed by NRC personnel will be included in the final review report. -
! 5-6 l
_- v. . - _ _ _ _ -_ -.m.-_,_
~
)
h .
Fire events bere estimated to contribute 4.8E-6 per reactor year, or about 5% of the. total core melt probability in the PSS. A simplified 7 requantification based on a sensitivity analysis resulted in an increase in
, this contribution of a facator of about 6 to 2.8E-5 per reactor year.
\
The remaining external events considered in the PSS were evaluated as j insignificant in their evaluation. Our review generally agreed with this finding, but had significant disagreewnts with the absence of justification for several, as outlined below.
o External flooding needs to have an uncertainty assessment performed. The margin of safety above design flood elevations is too small.
o Intarnal flooding needs to have an uncertainty assessment performed. The estimated frequency is too large to dismiss without considering uncertainty.
o Extreme winds are insignificant contributors to core melt.
o Aircraft accidents are insignificant contributors to core melt.
o The evaluation of hazardous materials may show them to be insignificant, but additional justification is required for several,
, including onsite chlorine storage and onsite transportation of various toxic materials, o Turbine missiles are insignificant contributors to core melt.
l
~
5-7
TABLE 5.1.1 Plant Damage State Frequencies for Internal Events (perReactor-Year)
NAME DESCRIPTION PSS REVIEW MEM EST1 MATE
- AEC LARGE LOCA, EARLY MELT 1.92E-0.6 8E-7 AEC' LARGE LOCA. EARLY MELT, FAILURE OF RECIRCULATION SPRAY 4.17E-09 ----
AE LARGE LOCA. EARLY MELT, NO CQNTAINMENT COOLING 2.68E-09 ---
ALC LARGE LOCA, LATE MELT 5.44E-06 2E-6 ALC' . LARGE LOCA, LATE MELT, FAILURE OF RECIRCULATION SPRAY 4.88E-07 ._ IE-7
?LC" LARGE LOCA, LATE MELT, FAILURE OF QWNCH SPRAY 3.42E-09 ---
AL LARGE LOCA, LATE MELT, NO CONTAIMENT COOLING 3.36E-10 ---
SEC SMALL LOCA, EARLY MELT 1.12E-06 2E-5 SEC' SMALL LOCA. EARLY MELT, FAILURE OF RECIRCULATION SPRAY 2.76E-09 - - -
SE SMALL LOCA. EARLY MELT, NO CONTAI M ENT C00 LING 1.17E-07 6E-6 S'EC INCORE INSTRUMENT TUBE LOCA EARLY MELT ------ 4E-7 S'E INCORE INSTRUMENT TUBE LOCA. EARLY MELT, NO CONT. COOLING 1.83E-09 --
SLC SMALL LOCA, LATE MELT 9.81E-06 2E-5 SLC' SMALL LOCA, LATC MELT, FAILURE OF RECIRCULATION SPRAY 4.79E-07 IE-6 SLC' SMALL LOCA, LATE MELT, FAILURE OF QUENCH SPRAY 5.77E-08 ----
l SL SMALL LOCA, LATE MELT, NO CONTAINMENT COOLING 2.73E-09 ----
S'L INCORE INSTRUMENT TUBE LOCA, LATE MELT 3.35E-10 lE-7 TEC TRANS!ENT, EARLY MELT 1.81E-05 2E-5 l TEC' TRANSIENT, EARLY MELT, FAILURE OF RECIRCULATION SPRAY 3.46E-07 2E-7 TE TRANSIENT, EARLY MELT, NO CONTAINMENT COOLING 5.31E-06 1E-6 TLC TRANSIENT, LATE MELT - - - - - - - 4E-5 V2EC STEAM GENERATOR TUBE RUPTURE, STEAM LEM, EARLY MELT 1.11E-07 4E-6 V2EC' SGTR, STEAM LEAK, EARLY MELT, FAILURE OF RECIRC. SPRAY 1.03E-09 3E 7 V2E SGTR, STEAM LEAK, EARLY MELT, NO CONTAl MENT COOLING 1.29E-08 ---
V2LC SGTR, STEAM LEAK, LATE MELT 2.76E-09 2E-7 V2LC' SGTR, STEAM LEAK, LATE MELT, FAILURE OF RECIRC. SPRAY 1.49E-10 - - -
V2LC' SGTR, STEAM LEAK, LATE MELT, FAILURE OF QUENCH SPRAY 1.77E-11 ----
V2L SGTR, STEAM LEAK, LATE MELT, NO CONTAINMENT COOLING 8.40E-13 ----
V INTERFACING SYSTEMS LOCA 1.90E-06 4E-7 TOTAL ** 4.53E-05 lE-4
- The review estimates provided are preliminary estimates based an a number of simplifying assumptions and subject to a number of liettations discussed in Section 5.1.1. The reader is cautioned to keep these assumptions and limitations in mind when consioering the various potential implications of these results.
- It is important to note that the increase in the plant damage state frequency does not necessarily inusediately imply a corresponding increase in overall public risk. The reduction in the frequency of interfacing systems LOCA, which was a dominant contributor to early f atalities risk, will result in a l reduction in overall risk for early fatalities.
l t
C
! 5-8 i _ _ _ , _
r -. _ _ ___ - ,_-- _ __- _ . _ -. _ -- -
~ _ . - . - .
TABLE 5.1.2 Dominant Sequences By Plant Damage State (All Values per Reactor-Year)
Plant Damage State Dominant Sequences Name Frequency Name Frequency _
AEC 8E-7 E2(1)/ACC 6E-7 El(1)/ACC 2E-7 ALC 2E-6 E2(1)/R2 2E-6 El(1)/R1 4E-7 ALC' 1E-7 E2(1)/R2/R3 1E-7 SEC 2E-5 E14(7)/E60/E120 2E-5 E3(1)/0A2E 1E-6 E7(1)/RPS(M)/TT/PL 7E-7 E7(1)/RPS(M)/PL 7E-7 E7(1)/RPS(M)/TT/PR/0A8R 2E-7 E8(1)/RPS(M)/7/PL 2E-7 E8(1)/RPS(M)/PL 2E-7 E14(7)/E60/0A7' 2 E-7
. E3(1 )/0A6E 1E-7 E14(7)/52/0A7' 1E-7 SE 6E-6 E14(7)/E60/E120/0S' 6E-6 1
S'EC 4 E-7 E15(1)/0A2E 4E-7 5-9 I
m. v, -- - --+w-- , e e,. , , , - - -, -en ,, ----- y -
TABLE 5.1.2 (cont.)
Dominant Sequences By Plant Damage State (All Values per Reactor-Year)
Plant Damage State Dominant Sequences Name Frequency Name Frequency i
SLC 2E-5 E3(1)/R2 SE-6 E3(2)/R2 SE-6 E15(1)/R2 3E-6 E20(2)/AF1/R2 3E-6 E21(2)/AF1/R2 3E-6 E7(2)/PCS/AF1/R2 1E-6 E8(1)/AF1/R2 1E-6 E17(2)/AF1/R2 7E-7 ES(2)/AF2/R2 SE-7 E4(2)/AF2/R2 SE-7 E7(1)/PCS/AF1/R2 4 E-7 E8(2)/AF1/R2 3E-7 E14(7)/ erg /S2/R2 1E-7 E5(1)/AF2/R2 1E-7 E4(1)/AF2/R2 1E-7
'SLC' lE-6 E3(1)/R2/R3 SE-7 E3(2)/R2/R3 2E-7 E15(1)/R2/R3 2E-7 l E20(2)/AF1/R2/R3 1E-7 E21 (2)/AF1/R2/R3 1E-7 S'l 1E-7 E15(1)/QS/0A9 1E-7 S - 10 <
._ _ _ . .. . . __ __ q. ., , _ . ,m # 3 TABLE 5.1.2 (cont. )
Dominant Sequences By Plant Damage State (All Values per Reactor-Year)
Plant Damage State Dominant Sequences Name Frequency Name' Frequency TEC 2E-5 E18(2)/AF1/0A7 6E-6 E8(1)AF1/0A7 SE-6 E7(1)/PCS/AF1/0A7 2E-6 E20(2)/AFl/0A7 1E-6 E21(2)/AF1/0A7 1E-6 E14(7)/AF1/E60/E120 1E-6 E14(7)/AF1/E60 8E-7
! E14(6)/AF1/0A7 8E-7 ES(1)/AF2/0A3 6E-7
, E4(1)/AF2/0A3' 6E-7 E7(2)/PCS/AF1/0A7 SE-7 E17(2)/AF1/0A7 4E-7 ES(2)/AF2/0A3 2E-7 E8(2)/AF1/0A7 2E-7 E4(2)/AF1/0A3' 2E-7 E13(1)/AF1/0A3 1E-7 TEC' 2E-7 E18(2)/AF1/0A7/R3 2E-7 i TE 1E-6 E20(4)/AF1/0A7/OS 8E-7 E14(7)/AF1/E60/E120/0S' 3E-7
~
5 - 11
~ ,
TA8LE 5.1.2 (cont.)
Dominant Sequences By Plant Damage State (All Values per Reactor-Year)
Plant Damage State Dominant Sequences Name Frequency Name Frequency i
TLC 4 E-5 E4(1)/0A10 4E-5 E4(2)/0A10 2E-7 V2EC 4E-6 E4(1)/0A6E 4E-6 V2EC' 3E-7 E4(1)/0A6E/R3 3E-7 V2LC 2E-7 E4(1)/0A10/SL 2E-7 V 4E-7 E16 4E-7 5 - 12 e
, _ - - - -- - - . . _ - - _ ~ - . _ . - .
-.=.; . - - - - - - - _ = - . = _ - - = - = . - . - -
TABLE 5.1.2 (cont. )
Dominant Sequences By Plant Damage State i
LEGEND I
Initiating Events El Large LOCA E2 Medium LOCA E3 Small LOCA E4 Steam Generator Tube Rupture E5 Steamline Break Inside Containment E7 Power Conversion System Available E8 Loss of Power Conversion System E13 Spurious Safety Injection E14 Loss of Offsite Power EIS Incore Instrument Tube Rupture E16 Interfacing Systems LOCA E17 Loss of a Single Service Water Train E18 Loss of a Single Vital DC Bus E20 Loss of Vital AC Bus 120-VAC-1 or 120-VAC-2 E21 Loss of Vital AC Bus 120-VAC-3 or 120-VAC-4 Support States (1) All support systems available .
(2) One support train unavailable (4) All ESF signals unavailable (5) LOSP, all support systems available (6) LOSP, one support train unavailable (7) LOSP, both support trains unavailable 5 - 13
TABLE 5.1.2 (cont.)
Dominant Sequences By Plant Damage State LEGEND (Continued)
Events ACC Failure of Accumulators AFl Failure of Auxiliary Feedwater AF2 Failure of Auxiliary Feedwater (SGTR and Steamline Breaks)
E60 Failure to Restore Offsite Power in 1 Hour E120 Failure to Restore Offsite Power in 1-2 Hours OA2E Operator Overthrottles HPI Resulting in Inadequate Flow OA3 Operator Fails to Establish Primary Bleed 0A6E Operator Erroneously Terminates High Pressure Injection 0A7 Operator Fails to Establish Primary Bleed and Feed 0A8R Operator Fails to Establish HPI During ATWS Consequential LOCA 0A9 Operator Fails to Delay Recirculation When Sump Empty A010 Operator Fails to Control HPI During SGTR PCS Failure of Power Conversion System PL ATWS Pressure Spike Exceeds Service Level C (Unfavorable MTC)
PR Consequential LOCA Due to Moderate ATWS Pressure Spike QS Failure of Quench Spray OS' Failure to Recover Quench Spray - Failure to Restore OSP in 2-8 Hours RPS(M) Failure to Scram - Mechanical Failure of RPS R1 Failure of Low Pressure Recirculation R2 Failure of High Pressure Recirculation R3 Failure of Containment Spray Recirculation S2 Consequential Small LOCA SL Consequential Steamline Leak (Break)
TT ATWS Turbine Trip Fails 5 - 14 -
_~ s _ .;, _ n u_w v - -- - n ma ~r- g n. e m,,
7 5.2 Treatment of Uncertainties This section reviews the quantification and propagation of uncertainties in the Millstone-3 PSS. Consideration is given to the methods used to identify, quantify and propagate uncertainties. The PRA procedures guide l states that:
Uncertainty analysis is an integral part of a risk assessment regardless of scope. There are uncertainties in every step of a PRA, and some of them may be large. Whether qualitative or quantitative in nature, the analysis considers uncertainties in the data base, uncertainties arising from assumptions in modeling, and
., the completeness of the analysis. To the extent possible, these uncertainties are propagated through the analysis. Wher- Sis is impractical, a sensitivity analysis provides insight intt, t e possible range of results.
Ideally, the treatment of uncertainty in a PRA should include three elements - (1) random variability in component performance data, (2) inaccuracies in the models used to assess system performance and (3) failure to include all the important sequences (completeness). The uncertainty contributed by random variability consists of plant-to-plant variations and the random distribution of component failure data. Uncertainty contributed by model errors results from the aggregation of entities and processes into state variables and functions, and the exclusion of other entities and processes -
procedures that inevitably undercut the accuracy of a model. Completeness uncertainties are related to the inability of the analyst to fully evaluate all contributions to risk. The Millstone PSS addressed all three elements of uncertainty. However, the attention given to completeness was quite limited when compared to the treatment of parameter and modeling errors.
The PRA procedures Guide suggests that each type of uncertainty (i.e.,
parameter, modeling and completeness) can be characterized either qualitatively or quantitatively. The extent to which uncertainty is quantified defines four levels of uncertainty analysis. The first level consists of a qualitative treatment of all three uncertainty elements. The 2
Limerick PRA provides an example of this level of analysis. The second level is characterized by a quantitative treatment of data uncertainty and a qualitative treatment of modeling and completeness uncertainties as was done 3
i in the German Risk Study . The third level involves quotitative treatment 5 - 15
(
~
of data and modeling uncertainty with qualitative treatment of completeness 1
errors. The fourth level includes a quantitative' treatment of all three uncertainty types. This type of uncertainty analysis was attempted in the '
Zion Study. The Millstone-3 PSS can be characterized as providing quantitative treatment of parameter and modeling uncertainty with limited qualitative treatment of completeness uncertainties. The Hillstone-3 PSS treated uncertainties for both internally and externally initiated events. In ,
general, the treatment of uncertainties for internally initiated events involved more detail and rigor than that for externally initiated events. To some extent, this is because much of the uncertainty in the internal events results from random variability in failure. Propagating these variations through fault and event trees is a straightforward process. In contrast, much of the uncertainty in the external events analysis results from uncertainties in the models and questions of completeness. The uncertainty analysis in the-PSS is encunbered by the limited consideration given to questions of completeness in the external events analysis.
5.2.1 Treatment of Uncertainties for Internal Events The Millstone-3 PSS treats uncertainties in the estimates of risks contributed by internal events using a combination of what the authors call the method of moments
- and discrete probability distribution (OPO) arithmetic. The PSS identifies and propagates uncertainties originating from the following sources:
i
. 1) initiating event frecuencies ,
- 2) system unavailabilities,
- 3) frequency of core melt,
- 4) frequency of containment failure,
- 5) uncertainties in fission product source terms, and
- 6) uncertainties in public consecuences, given a release.
- The procedure described in the PSS as the method of moments is simply elementary probability theory of functions of random variables.
5 - 16 .
- _ . - ~ = . .. - w . . -- -
~
~ l Table 5.2.1 provides a summary of each source of uncertainty and how it was treated in the PSS. Discussion of these sources of uncertainties and comments about their treatment is provided in the following paragraphs.
The frequencies of initiating events at Millstone-3 were described by the mean and variance of.an assumed log normal distribution. The frequency of conunon transients was obtained using classical estimation methods. In these cases, the initiating event frequency was treated as a. random variable, whose distribution reflects inherent plant-to-plant variability. The distribution parameters for these events were obtained by matching the moments of the population data to the moments of a lognormal distribution. For those events which have not occurred, a Bayesian approach was used. A distribution was established to represent the prior state of knowledge about the frequency of a
, particular event. This distribution was then revised, via Baye's thr:orem, to reflect observed operating experience The resulting distributions were fit to a legnormal distribution in order to obtain uncertainty parameters.
- System unavailability (failure / demand) was calculated from the system f ault trees using the WAMCUT computer code. The WAMCUT code uses the method of moments to propagate variance of individual components to an overall variance in system unavailability. The method of moments uses the moments of component distributions to determine the moments of the system distribution.
Random component failures and the variance in these failures were obtained l primarily from a proprietary Westinghouse Data Base.
l l
l Uncertainty in the frequency of core melt was obtained by propagating the variance of top event unavailabilities through the event trees using DPD arithmetic. The top event unavailabilities or system unavailabilities for l each event tree were quantified using system fault trees. Each top event mean unavailability has an associated variance. The top event unavailabilities are multiplied through the event trees to obtain the probability of each event trec sequence for each support state. The resulting damage state probabilities were then multiplied by the corresponding support state
- l. probability. Uncertainty in the damage state frequency (i..e., core melt) was obtained by propagating top event variances through the event trees using DPD arithmetic. ,
5 - 17 *
- i
~_
Table 5.2-1
-Sources of Uncertainty and Their Treatment in the M111 stone-3 PSS.
Source of Type of Treatment Uncertainty Uncertainty
- 1. Initiating event frequencies data /model calcule.ted variance
- 2. System unavailabilities model method of moments
- 3. Frequency of core melt model DPD arithmetic
- 4. Frequency of containment failure
- a. material and construction random engineering judgment variations
- b. model uncertainty model engineering judgment
- 5. Release fraction
- a. fission product source term model DPD arithmetic attenuation by primary " source term DPD" system and containment
- b. consequence analysi: model DPD arithmetic
" site DPD" 5 - 18 o
3 ..
The uncertainty in the frequency of containment failure was treated using DPD arithmetic with input variances propagated from the fault and event tree models combined with best estimate uncertainties derived from engineering judgment. In PSS Appendix 4-F, a best estimate mechanistic analysis was used to identify containment failure modes and determine internal pressures at which these failure modes would occur. Included in this assessment was an uncertainty analysis of the mean predicted failure pressure for each failure mode. The PSS states that the sources of uncertainty considered in this analysis include contributions from " workmanship quality assurance, and construction variances in addition to the variances due to material strengths". However, our review indicates that these sources of uncertainty were treated in a limited and somewhat arbitrary manner. The total uncertainty associated with the estimated nominal failure pressure was divided into a random uncertainty and a systematic uncertainty. lhe variations that were assumed to contribute to uncertainty in the estimated failure' pressure :
are material property variations, cc'istruction variations and the analysis method employed. For material property variations the systematic uncertainty was taken as zero and the random variability was derived from structural failure tests. Construction variations were assumed to be strictly due to random variations (systematic uncertainty again equal to 0) and arbitrarily assigned variables in the range + 2 to 4 percent were used as coefficients of random variability. Uncertainty contributed by the model employed is assumed to be due to systematic uncertainty and based on the author's belief that the estimated failure pressure is within one standard deviation of the actual value. Itisnotclearhowtheuncertainties contributed by workmanship and quality assurance were included in the analysis.
Uncertainties in the fission product source were treated using discrete probability distribution (DPD) arithmetic. Fissien products released from the overheated core or core debris were modeled using the CORRAL-2 code, which calculates the cumulative release fraction to the containment as a function of time for various damage states. According to the PSS, roughly 30 CORRAL-2 runs corresponding to individual plant damage states were performed. The fission product releases were then grouped into 13 release categories.
However, release fractions calculated by CORRAL-2 do not model attenuation of 5 - 19
. ~
fission product releases within the primary coolant system nor account for all removal processes within the containment atmosphere. Because the PSS
, considered these exclusions overly conservative, DPD arithmetic was used to '
convert the point estimate release fractions into discrete probability distributions which reflect judgments about the uncertainties that result from these exclusions. In general, this appears to be a reasonable approach to the l prooiem. The procedure they followed is very similar to that used in both the Sizewell-B study5 and the Zion Study4 , where reduction factors are calculated at successi*ie transport stages within the primary coolant system for each accident sequence._ The reduction factors are obtained from a series of simple deterministic calculations applied to the attenuation of radionuclides in the cooling system and reactor containment building. The associated probabilities are obtained by considering variations in the l
parameters used in these calculations. This approach appears to be a reasonable way of treating this type of uncertainty.
Using information from the Sizewell-B study, the Millstone-3 PSS multiplied the point estimate release fractions for each release category by the factors 1 1/2,1/4,1/10, and 1/100; each factor is assigned a probability of being realized. Tho resulting table of values is referred to as the '
discrete probability distribution for that release fraction. Table 5.2-2 provides a list of the DPDs constructed for the 7 release categories that are dominant contributors to risk at Millstone-3. It is noteworthy that the resulting DPD shown in this table for release category M-2 is bimodal. This result also appears in the Sizewell B study. It is not clear why the DPD for this release category should be distributed this way. Also given in this table is the effective release fraction which corresponds to the mean of the DPD. In effect, this is the ratio of the source term derived from the DPD analysis to the source without the DPD analysis. Thus, the use of DPD arithmetic to treat uncertainty in the source term results in a reduction of the source term for each category. These reductions are based on Sizewell-B probabilities which were derived using a combination of simple calculations and engineering judgment.
In addition to DPDs for the fission product source term, another DPD was generated to reflect uncertainty in the consequence analysis. In the Millstone-3 PSS, this was referred to as the " site DPD". The site DPDs were l 5 - 20 o
Table 5.2-2 Discrete Probability Distributions for the Major Release Categories (Source Term DPD) l Release Fraction Relative to CORRAL Point Estimate = 1 1/2 1/4 1/10 1/100 I
Effective l Release Category Probabilities Release 1 l Fraction
{
\
M-1A 0.17 0.55 0.28 0.0 0.0 .52 M-2 0.25 0.0 0.25 0.5 0.0 .36 M-3 0.0 0.0 0.06 0.63 0.31 .081 M -4 0.4 0.6 0.0 0.0 0.0 .70 M-5 0.0 0.0 0.05 0.64 0.31 .080 M-6 0.11 0.14 0.27 0.48 0.0 .30 M7 0.0 0.0 0.0 0.11 0.89 .020 5 - 21
(
strictly' subjective as opposed to the source DPDs, which were based on calculations - although (according to the British report) rather crude.
calculations. After considering the effects of uncertainties in.radionuclide deposition, population evacuation, and other aspects of the dose calculations, the PSS made the following judgments about the magnitude of the results:
- a. Probability of underestimating doses by a factor of 2 equals .1
- b. Probability that the computed doses are correct equals .35
- c. Probabilities that the calculated doses overestimate actual doses by factors of 2 and 10 have the respective values .45 and .l.
The PSS assumes that this representation of the uncertainty in dose also reflects the uncertainty in the resulting consequences. The DPD estimates for uncertainty in the site doses and consequences at Millstone-3 are the same as those used for the Indian Point ar., Zion Assessment studies. Nevertheless, it should be recognized that this approach to treating uncertainty in consequences is rather arbitrary and could have been made more rigorous. In particular, quantitative estimates of uncertainty can be obtained by examining the random variability and modeling uncertainty in the environmental transport and dose response models that were used for the PSS.
The " source term" DPD and " site" OPD were combined to form another DPD for release fractions and this was the actual input to the consequence analysis. Using this process, each release category was represented by six sets of release fracticns with relative source term magnitudes of 2,1,1/2, 1/4 1/10 1/100 times the point estimate value. Associated with each relative source t.erm magnitude is a " weighting" used in the quantification of risk uncertainty. This weighting is derived from the combined " source" and " site" DPD. The 50 and 90 percent risk curves reported in the Millstone-3 PSS reflect the relative source terms with their associated weights. The point estimate curves in the PSS reflect release categories with a relative source magnitude of 1. Although it is difficult to determine what effect the use of 5 - 22 0
_- w _- .. -_----- - - - - . - = - >
a the DPD treatment has on the overall results, we estimate that the latent cancer consequences are reduced by 68% relative to the point estimate when the combined source and site DPD is applied. This estimate is based on the fact that 99% of the latent cancers are due to the V-sequence, which corresponds to release category M1-A. ,
5.2.2 Treatment of thcertainties for External Events.
The Millstone-3 PSS reviewed earthquakes, fires, external flooding, inter.al flooding, extreme winds, aircraft accidents, hazardous materials, and turbine missiles as external initiators that could contribute significantly to plant risk.. Of these events only fires and seismic events were found to be important to risk. The selection of these two external events for detailed analysis was based on a preliminary screening of all external events. This screening used estimates of frequency and consequences as a basis for excluding external events that were not considered tos ' e significant risk contributors. Since fires and earthquakes were the only events selected for detailed analysis, these were the only events for which the uncertainty in the analysis was treated. Thus, there was no formal treatment in the PSS of the uncertainty associated with risks contributed by external flooding, internal flooding, extreme winds, aircraft accidents, hazardous materials and turbine missiles.
The treatment of uncertainties in the analysis of earthquakes and fires was quite limited in scope relative to the internal events analysis. In both cases the uncertainty analysis was limited to dominant accident sequences of the plant logic models which were . implified versions of the plant logic models used for the internally-initiated events analysis. The external events analysis uses the same combined " source" and " site" SPD as the internal event analysis. Only the frequencies of the damage states leading to release categories are modified to reflect the different initiators. Specific discussion of the treatment of uncertainties in the seismic and fire analysis is provided in sections 4.1 and 4.2.
i 5 - 23
~
~ 4 5.2.3 Comment on the Treatment of Uncertainties The task of identifying, quantifying, and propagating cncertainty in a PRA can be both amorphous and formidable. There is not yet.an established
~
literature on this subject. For this reason, the Millstone-3 PSS should be commended for dealing with the difficult task of quantifying uncertainties.
However, it should also be recognized that several aspects of the uncertainty analysis in the PSS were incomplete or questionable. The propagation of 4
randori variability through fault and event trees is consistent with the state
, of the art. Uncertainty arising from modeling assumptions was treated using DPD arithmetic. The PSS made extensive use of OPD arithmetic to confront the .
i problem of quantifying the andeler's opinions about uncertainties in the areas of containment failure pressure, radionuclide source terms and public health consequences. However, little effort was made to treat uncertainty arising from the completeness of the analysis. In addition, the PSS did not attempt to quantify uncertainties contributed by initiating events that were excluded l from further analysis by a screening calculation. This is a consistent problem in the external events analysis. As an example, because a rough point estimate of the risk contributed by some external events (i.e, internal flooding, external flooding, hazardous materials) indicated that their risk was low, they received no detailed analysis. Thus, no uncertainty analysis was performed for these initiators. However, these events might become
- i
- nportant contributors to risk when uncertainties about frequency of occurrence and propagation sequences are considered. A more complete treatment of uncertainties should include additional work on the contribution to risk of these excluded events. In particular, the analysis performed for est at a d p ten al arge u ta nt ht re d tai e an sso f internal flooding should have been included.
I C
5 - 24 0
References for Section 5.2
- 1. U.S. Nuclear Regulatory Comission, "PRA Procedures Guide," NUREG/CR-2300 (January,1983).
- 2. Philadelphia Electric Company, "Probabilistic Risk Assessment, Limerick Generating Station," U.S. Nuclear Regulatory Consnission Docket Numbers
. 50-352, 50-353 (1981).
- 3. Electric Power Research Institute, " German Risk Study - Main Report: A Study of the Risk Due to Accidents in Nuclear Power Plants," English Translation, NP-1804-SR, Palo Alto, California (1981).
- 4. Commonwealth Edison Company, " Zion Probabilistic Safety Study," Chicago, Illinois (1981).
- 5. M.R. Hayns, F. Abbey, P.N. Clough, I.H. Dunbar and D.H. Walker, "The Technical Basis of ' Spectral Source Terms' for Assessing Uncertainties in Fission Product Release During Accidents in PWRs with Special Reference to Sizewell-B" United Kingdom Atomic Energy Authority Safety and Reliability Directorate Report SRD-R256 (November 1982).
i 5 - 25 l l
l 5.3 Insights The insights gained from the review and requantification of the MP-3 PSS are separately described for internal and external events in the following s ections. Since the requantification effort covered only internal events, the insights described for external events - particularly for seismic initiators -
are necessarily more Ifmited in their overall usefulness. They nevertheless provide a relatively concise description of general observations about the PSS i
made in the course of the review.
5.3.1 Internal Event Insights The description of internal event insights is divided into two sections:
one to describe overall sensitivity perspectives; a second to provide concise descriptions of specific insights.
I
! General Sensitivity Perspectives 5.3.1.1 Valuable insights into the important and unimportant ' elements' of a
- nuclear powerplant can be obtained by a relative evaluation of pertinent PRA results in a broad perspective which considers the objectives and intended use of the study. This type of evaluation can identify the elements that are I
driving the results as well as those that have insignificant influence, so that it can assist in focussing a PRA review on those elements with significant influence on risk. This section describes the sensitivity perspectives for internal events obtained by employing this method early in the review.
5 - 26 o
- ._- . . . - . -.- .-. .- ~ - - . - - - - _ _-
- ~. -
, . = =-s+
. : n: =mam
~
First, a review of the objectives and intended use of the PSS. The
- rimary objectives of the PSS are 'toII )
- '
- 1. Characterize public risk from MP-3 from internal and external events.
- 2. Compare risks from internal events to those predicted by the Reactor Safety Study.
- 3. Develop tools to support management decisions for improvir.g safety.
The first objective implies that the emphasis in the study (and the review) should be more on public risk assessment and less on core melt probability. As is the case in most PRAs, the dominant core melt sequences in the PSS are not the same sequences which contribute to risk, although some j interesting overlap exists.
l The second and third objectives are not particularly germane to the l technical details of the study. The second objective is merely a comparison 1
4 which is provided in PSS Volume 1. The last objective implies that the review should assure that the study be accurate on a relative, basis. In other words, it should not contain discrepancies or outliers which would inspire management I
decisions that are ineffective (or worse, detrimental) with respect te improving plant safety.
The PSS results contained in PSS Volume 1 describe the dominant accident sequences in terms of three indices: core melt probability, early fatalities
(>100), and late fatalities (>1000). These internal event results are presented in PSS Table V-1. Each of these three indices will be considered
! separately, as follows:
l 1
I
~
i 5 - 27
- 1. Core Melt Probability A somewhat unusual result (compared to other PRAs) in the PSS with respect to the dominant core melt accident sequences is that a relatively large number of sequences contribute to the core melt probability, with the largest contributor being only 8.5% of the total (Sequence #1, PSS Table V-1 ) . This result, singularly, does not imply or suggest that the PSS is flawed. However, it provides a basis for several interesi.ing implications, and it also tends to make determinations of the significance of changes or errors more complicated and uncertain than would be the case if only a few sequences were dominant.
A large number of small contributors to a total immediately suggests two conclusions: (1) the value of any single contributor would have to be increased by a large amount to have a significant influence on the total, and (2) the elimination of (or a significant reduction in the value of) any single contributor has essentially no impact. To quantitatively illustrate the first point, the probability of the largest contributor in the PSS to core melt probability would have to be increased by a factor of 13 to cause a (very modest) factor of 2 increase in total CMP. Conversely, if the most dominant contributor were eliminated, the total CMP would retain over 90% of its l
previous value. These results further imply that any new sequence (overlooked in the PSS) which might be derived from the review must have a probability over ten times greater than the largest existing sequence to approach a factor of 2 increase in CMP.
In view of these circumstances, it is helpful to examine the elements (initiating events, system failures, and unavailabilities) which make up the dominant sequences in order to determine if a method could be devised to ascertain their individual risk significance. Table 5.3-1 is the first step in this process. The table shows all elements which appear in the ten sequences which dominate (all greater than 3%) the core melt probability. The first row shows the accident sequence number (corresponding to the rank with respect to core melt from PSS Table V-1). The second row gives the percent 5 - 28 -
. . _ . = xw .: .- _- - - - _
- - _ : _,g contribution to the total CMP represented by each sequence. The remaining 20 rows list all elements that appear in the 10 sequences. The first 10 elements (rows) are initiating events, while the second 10 are consequential failures and system failures. From this matrix, some qualitative perspectives begin to emerge with respect to the risk dominant elements in the ten sequences. For ext.mple, high pressure recirculation (ECCS) failure appears in four sequences, as does auxiliary feedwater failure. Diesel generator failures appear only once.
In order to quantify the relative risk significance of each Table 5.3-1 element, Table 5.3-2 was formulated. The 20 elements are listed in the first column, separated between initiating events and subsequent failures. The second column is a relative contribution percentage which is~ obtained by summing the percentage CMP contribution from the accident sequences in which the element appears. For example, losc of off-site power (LOOP) has a relative contribution of 7.2%, which is the sum of the overall contribution 'to CMP in Table 5.3.1 for accident sequences 5 (3.6%) and 8 (3.6%) in which LOOP appears.
The next step is to formulate a generalized relationship which equates the increase in CMP as a function of increase in the probability of an element. This is a trivial exercise which results in the following:
ACMP, = 1 + (Fj - 1)R (1 )
where ACMP 9
= factor of increase in the total core melt probability F
9
= factor of increase in the probability of the element under consideration
=
R the fractional contribution (% + 100) of each element determined by summing the fractional can'ribution of all j sequences in which it appears.
5 - 29
h
. i Conversely, the factor of reduction in CMP is obtained by:
ACMP r = 1 - R(1 + 1/Fr ) (2) where the subscript r denotes reduction factor.
e o
5 - 30 ,
_ _ . s _=_... _ .._ . w . 1. __ , _. - .;....__
- , c m _,_, % _ _ .%
Table 5.3-1 Matria of Elements from core Melt Probability Dominant Accident Sequences lAccidentSequenceno. l l' 2 3 l4 5 l6 I
7 l8 l9 10 l l
I i l Contribution l L , , ,
I l I to CMP (5) 11 8.5 4.9 l 4.4 , 4.4 4.2 i 3.6 13.6 1 3.4 1 3.1 13.0 l
l L uge LOCA X Medium LOCA X 1
X l Small LOCA l
I X .l l Steen Line Break (Inside) l l 1 I ll 1 ,
I I I I I I gISteamLineBreak(Outside) l l .
l l l ; I i 1, l l l l l 1 w
{ , Event V l
l l
l I I l
I X 1 l l l l l l l l 1 I I I I I I Il y 11 ll DC Bus 1 or 2 l l X l l l l l%l -
l l
- AC Bus 1 or 2 X e
AC Bus 3 or 4 X LOOP I X l l High Pressure Rectreulation I X X i X l I X l 1 1 1 1 l l Low Pressure Recirculation ,
I l l X l 1 i i l I I l l 1 1 I l Auntitary Feedweter I X 1X X 1 1X l l l l 1 I l' I I I l I l Feed and Bleed l I I i l 1 X X 1 E I steam Line Isolation X ESF Bus i X E Diesel Generator I
~ m I
h Quenen Spray I
i i I i
! i l I X i i i l, I I
i I
l l 6. Hour Offsite AC Recovery l l l l l [ X l As4 l l l 1 l I I I I I I I l l l l 1 l Controlled P.S. Depress. I l l l l [ t [ l X l [
- 1. I 1 1 I I I I l 1 l l I t
l i
O 5 - 31
' ~
Ta613 5.3-2 contr h tion to CMP fran Dominant Accident Sequence Elements ~
Relative CMP Increase Factor From Element Contr h tion (1) 10 m Element Increase Medium LOCA 8.5 1.76 LOOP l 7.2 l 1.65' I 1 l DC Bus 1 or 2 l 4.9 l 1.44 Il I l i I i l l ,, 1 AC Bus 1 or 2 l 4.4 1 1.40 1
- 1 I 4.4 1.40 t l1l AC Bus 3 or 4 l l l
l L 4.2 l 1.38 F V ,
- SteamLineBreak(in) 3.6 1.32 3.4 1.31 3 'SteamLineBreak(out) 3.1 1.28 .-
1SmallLOCA I l 1 , I I Large LOCA '
3.0 1.27 i High Pressure l Recirculation 20.4 l 2.83 l 1 l Auxiliary Feeduater 17.3 2.56 .
l l Feed and 81eed 11.9 2.07 I ESF Bus 3.6 1.32
- Quench Spray 3.6 1.32 i ! 1.32
- - 6 Hour Recovery 3.6 ,
. Diesels 3.6 .
1.37 1 C,$lI Steam Line Isolation l 1 3.4 l
l 1.31 l
l I
l *i l i l i 1 Control P.S. Depress. I 3.1 :I 1.28 l l l
l l Low Pressure l ,
l l Recirculation 1 3.0 1 1.27 I I I I l I 5 - 32
An example serves to illustrate use of the formulas. For this example, it is assumed that the failure of both diesel generator units at Millstone 3 could be a factor or 10 higher than used in the PSS. To determine the sensitivity of CMP to this change, equation (1) is used, which yields: ,
ACMP, = 1 + (10 - 1)0.036 = 1.324.
Thus, the new core melt orobability would be (1.324)(4.5 x 10-5) = 5.96 x 10 This is a very small increase from which it can be tentatively concluded that CMP is not significantly influenced by increases in diesel generator failure.
(How this change might affect risk is a different matter which will be considered later.)
The last column in Table 5.3-2 shows the increase in CMP for a factor of ~
10 increase in the probability of each of the elements. The elements are ranked in order of their influence on CMP for initiating events and system unavailability. It is of interest to note that three elements, high pressure recirculation, auxiliary feedwater, and feed and bleed have a more significant influence on CMP than the most dominant accident sequence (represented by medium LOCA at 8.57.).
Caution is necessary in applying the method. The probabilities of some of the system failures are dependent on the initiating event. In these cases, the system failure rate sensitivities to CMP need to be computed on an individual accident sequence basis with appropriate adjustments made to the probability of each sequence. This can still be accomplished using Formula 1 and inputting appropriate values for each accident sequence or group of sequences.
The discussion thus far has addressed only CMP sensitivities. The procedure developed for CMP, however, also applies directly to the risk probabilities, as presented in the following section.
5 - 33 .
4
- 2. Late (Latent) Fatality Risk The distribution of dominant accident sequences contributing to late fatality risk (>.1000 fatalities) follows a different pattern than .the CMP .
sequences. Two sequences dominate (46.3% of the total) and eight sequences have smaller contributions =(0.7 to 8.0% of the total). The sequences listed in Table V-1 sum to about 80% of the total late fatality risk (> 1000 fatalities ). According to PSS Figure V-2, the probability of exceeding 1000 fatalities is about 9E-9.
Table 5.3-3 shows a matrix in which the 10 accident sequences dominating late fatality risk have been arranged like the CMP sequences considered previously in Table 5.3.1 in order to determine the contribution from accident sequence elements. The first row is the rank of each sequence relative to its contribution to late fatalities. The second row is the percent contribution of each sequence to the total. The third row identifies each sequence by the same number used in PSS Table V-1. (This is also the rank of each sequence relative to contribution to CMP.) The following 18 rows list every element found in the 10 sequences, with the initiating events (first 7 rows) separatcd from system failures (remaining rows). The table illustrates that loss of off-site power is the most frequent accident initiator, and quench spray failure is the most frequent system failure.
The quantitative significarce of the elements is shown in Table 5.3-4 The second column of this table shows the percent relative contribution of each element found by summing the contribution of each accident sequence in which the element exists, identical to the procedure used in the CMP assessment. The last column shows the risk increase factor for the total latent risk from a factor of 10 increase in the probability of each element.
Table 5.3-4 displays some interesting information. For example, there are no elements which stand out as dominant contributors, although five (> 3.00 in last column) have a significantly greater contribution than the rest. It is also of interest to note that the largest contributor (quench spray) does not appear in either of the two dominant sequences. (A corollary is that this element has a more significant influence on early fatality risk than either of the two dominant accident sequences.) Comparing Table 5.3-4 with Table 5.3-2 shows that some elements are significant contributors to both CMP and late 5 - 34 c
Table 5.3-3 Matria of Elements from Late Fatality Risk Dominant Accident Sequences Rank l 1 12 3 i 4 5 6 l7 l8 l I 9 l10 i i i Percent Contributton l l l ll ll l l l ll l 1 to Late Fatality Risk (1) I 27.9 1 18.4 'I 8.0 1 6.9 I 5.4 1 4.1 1 2.7 l 2.1 1.2 10.7 I l l I I I I I I l l l 1 I i - 1 I Reference 3 ember i 5 6 19 20 25 31 40 46 70 54 s
$nall LOCA I I I I Event V I I X g Primary to Sec. Mtsmatch Reactor Trip i i X 1 X l ll E I 'I l l l 31TurbineTrip 1 I l l l I I l' I :I 1 I I I I I I I
I i l L(WP 1 l X l i l l I I I I -1 l l .
1 I I I I ll l l AC Bus 1 or 2 l I 1, X l 1 6. Hour Offsite AC Recovery X Olesel Generator X
'l ESF Cabinets X X X Opposite ESF Train i X l l l l 1 I; Aust11ary Feedwater i I X X I X l l' X 1
- I l l l l 1 l i i [:, Feed and Bleed i l I lX X lX l I l-1 =l l I I I I i 1 I g' High Press. Injection X X X ll 1 j' High Press. Recirculation I El I
- a. Quenen Spray X X X X X X X 1
l Cont.RecirculationSpray I X l i ,
I l l l l Sec. Cepress. and LPI i l l l l 1 I i 1 l 1X l i I l I l I i i l l 1 9
5 - 35a
Tah13 5.3-4 Centrhtion to Latent FItality Risk from lkeinant Accident Sequence Elements I i ll Relative l Risk Increase Factor From Element Contrhtion (1) I 10 m Element Increase v 27.9 3.51 1 LOOP 23.9 I 3.15 g AC Bus 1 or 2 9.2 1.83 ll I g
. Pri to Sec. Mismatch l 3.6 1.77 l IIReactorTrip l 7.5 1 1.55 il 1 l3l$asilLOCA 5.5 1.50 11 , I Turbine Trip 4.8 1.43 Quench Spray 29.9 3.69 Availiary Feedwater l 25.6 3.30 i Feed and Bleed 24.4 3.20 1 l Diesels 1 18.4 2.66 1
16 Nr Offsite AC Recow. I 18.4 l 2.66 I I I I l l t i ESF Cabinets i 16.0 2.44 l 2i l l l w% ESF Train 8.0 -
1.72 I I
i l
l% High Pressure I g Injection 5.5 1.50 -
kcond. Dep. and LPI 5.5 1 1.50 _
Cont. Recirt. Spray 1.2 1.11 0 1 l l High Pressure Recirculation ,
1.2 1.11 h l I i i I O
5 - 35b
4
- f fatality risk, while others are not. For example, loss of off-site power (LOOP) ranks second in importance as an initiating event for both CMP and late fatality risk. Auxiliary feedwater ranks high in both tables as an important i
system, which would be expected given that LOOP is a significant initiating
. event. The failure of diesel generators is twice as significant with respect l
to late fatalities as it was for CMP, although it is still not one of the top elements.
- 3. Early Fatality Risk (> 100)
Another result of the Millstone 3 PSS is the overwhelming dominance of one accident, the V-sequence, to the risk of early fatalities (> 100). Although the V-sequence has been found to be a dominant single contributor in other PRA studies (e.g., Indian Point III, Surry, Sizewell), it has not prev 1cus1y been I found to dominate to the extent found in the Millstone PSS. PSS Tab!e V-1 (Amendment 1, September 7,1983) shows that the V-sequence contributes 99.8%
[ to the risk of early fatalities (> 100). All other sequences listed are l shown as contributing less than 0.1%. If the remaining contribution to early fatalities (0.2%) was embodied in a single sequence, the probability of (or l
consequences from) that sequence would have to be raised by a factor of 500 to
! equal the contribution of the V-sequence. Since the V-sequence involves no ,
system failures beyond the initiating event, the sensitivity of early I fatalities is a linear function of the V-sequence probability.
1 l
l
[ t 5 - 36 -
1- .
5.3.1.2 ' Specific Internal Event Insights Specific insights gained from the internal event review and requantification are briefly described in the following paragraphs. The )
listing of necessity cannot be all-inclusive: only those which were judged to I be significant are included.
- 1. The steam generator tube rupture event is the single largest identifiable contributor to core melt frequency (approximately 40%). Virtually all of this contribution is due to the operator failing to take control of HPI and reduce primary pressure, resulting in all the coolant being lost into the secondary system.
- 2. Loss of offsite power contributes about 30% of the total core melt frequency. Almost all of this contribution is due to extended station blackout (failure of all onsite AC with failure to recover offsite power '
within two hours, in time to prevent core melt), which results in reactor coolant pump seal LOCA with failure of all ECC systems.
i i
In addition, these station blackout sequences contribute about 85% of' the~
j total frequency of "potantial high risk" plant damage states (early melt I
with no containment cooling). Almost all of this contribution is due to the failure to recover offsite power extending past eight hours.
t
- 3. Small LOCA contributes about 10% of the total core melt frequency. Almost I
all of this contribution is due to failure of high pressure recirculation following a small LOCA induced by a random pipe break.
- 4. Plant damage state V (interfacing systems LOCA), the potentially most risk significant plant damage state by virtue of its exceedingly high consequences, contributes less than 1% to the total core melt frequency.
S. The results are extremely uncertain where human actions are cancerned.
. The plant lacks precise operating procedures because it is still too early in the plant's construction for the procedures to exist. Thus, it was 5 - 37 a
-e-, -
- e --,w , -- - --_-,m,w,-,- <e- --, -- e,v--,---r--,,-----w-,-w-,.---.,,v- ,,,-----g -n -
g,-e-g-s--,- w w -v --m--,own,,-- s -o--w-- -- ---
necessary to use screening estimates of human error' probability throughout the analysis, based on rough procedure guidelines. Those dominant sequences containing human errors should be requantified after procedures become available.
- 6. Random (or spontaneous) small LOCAs caused by failure of reactor coolant pump seals, which have been shown to be large contributors to core melt frequency for other PWRs, are not a major contributor at this plant. The presence of loop stop (isolation) valves, which allows the operator to isolate these LOCAs, is responsible for this result.
- 7. Approximately 25% of the total core melt frequency involves the failure of support systems either as an initiator or folic, wing initiators other than LOSP. Of the 15% which involve support system initiators other than LOSP, the contributions were split relatively evenly between (in order of
- dominance) loss of a single vital DC bus, loss of 120V vital AC bus 1 or l 2, and loss of 120V vital AC bus 3 or 4. Of the 10% which involve support
! system failure subsequent to an initiating event other than LOSP, the dominant contributor is failure of control logic (either loss of a single ESF cabinet or loss of a single EGLS cabinet).
- 8. The results are subject to the limitation that the support state method used is highly dependent on the ability of the analysts to recognize any subtle interfaces or interactions within or between the systems, without the help of an integrated fault tree / event tree model. We found that it is extremely difficult, if not impossible, to verify that all of these subtleties have been properly treated (see Section 3.10.2).
- 9. In general, the results are insensitive to the selection of means or l
medians for the presentation of the results, with the notable exception of I event V. This stems from an unrealistic failure rate distribution for the disc rupture failure mode for valves, which was evaluated in the PSS by using the same .cenniques as for other ccmponents. This illustrates the importance of applying judgment in areas where the use of a standard technique yields an answer contradictory to common sense. These areas must be separately reviewed and evaluated to determine if the answer has 5 - 38 c
3 -
~
an underlying valid and r:asonablo basis, or whether it is an artifact of --
an-inappropriate appliation of a specific or general method.
)
5.3.2 External Event Insights The insights obtained from the review of the external event analysis are described in the filowing paragraphs. Most of these insights are general and, therefore, of limited usefulness, since most of the external events did not receive detailed analysis in the PSS.
No significant insights are included for seismic events because the review and evaluation of major changes to the seismic hazard analysis and the overall effect of these changes and a revised fragility analysis is being performed by NRC. The final report is expected to include the results of this review and evaluation.
5.3.2.1 Earthquakes Amendment 2 to the PSS provided a completely reyised seismic analysis based on revised hazard and fragility assessments. The revised core melt
~
probability is 1.7E-5 per reactor year, a factor of 5.5 smallkr than the original PSS value of 9.4E-5 per reactor year. The new results are reported to be dominated by contributions from plant damage states TE (44.9%) and SE (42.5%).
5.3.2.2 Fires Fire events in the PSS contributed 4.8E-6 (5%) to the total core melt probability. Plant damage state TE was the single largest contributor, providing about 291 of the core melt probability due to fire events. Fires in the control rooi , instrument rack room, and cable spreading room were the major contributors to plant damage state TE, with about 88% of the total TE probability.
The contribution to TE from the control room, instrument rack room, and cable spreading room was increased by a factor of 20 in a simplified 5 - 39
sensitivity analysis in this review to account for the combination of (a) a -
human error rate used in the PSS that is too low by a factor of about 200 and (b) an assumption concerning total loss of safety functions that is too high by a factor of about 10. This increased the core melt probability due to fire by a factor of about six, increased the contribution from TE to about 88%, and increased the contribution to TE from the three rooms noted above to about 99%. Considered alone, i.e., without changes to the internal event analysis, etc., this increased frequency of fire events contributes about 17% to the total core melt probability.
5.3.2.3 External Flooding The margin of safety abnve the design elevation for tidal flooding resulting from the Probable Maximum Hurricane (PMH) is less than one foot.
The margin of safety above the design elevation for flooding resulting from a Probable Maximum Precipitation (PMP) event is less than one inch..
If uncertainty had been considered in the analysis, the coefficient of variation on water depth, which we would expect to be approximately 0.2 to 0.3 at the 100-year storm level, may change the conclusion that external flooding has a sufficiently low frequency of occurence to be dismissed as a significant contributor to the core melt probability. This issue should be addressed in the PSS.
5.3.2.4 Internal Flood,ss The absence of an uncertainty analysis in this evaluation is not justified, given an estimated frquency of internal flood-induced core aelt of 8.7E-7 per reactor year.
5.3.2.5 Extreme Winds Structural failure or missile-induced damage from winds as severe as a 360 moh tornado are considered very unlikely and, therefore, insignificant contributort to core melt. The principal reasons for this finding are (1) a 5 - 40
.I ,
4 IMAGE EVALUATION $$
////
g,%g%#.
+ .
I 1.0 lfM En 1 5 88 llE I.I !. EIS l.8 i.25 i.4 i.6 4 150mm >
4 6" >
+d.p 3,,,, % x
/A < g ,. y 4 u $>**
o_ ,
.$ . o
=
E b
8N+f++@
, IMAGE EVALUATION TEST TARGET (MT-3)
,[,/
ss g$ #'4 F k// 5,,
E m=
1.0 P=
u ru,Mgn Du -
E In " "
l,1 i m E=M
~
I.8 I.25 1.4 1.6 4 150mm >
4 6" >
i A\
.g ,,,,,,,. #g*4 4%
4 ;;
er
r l
) -
l relatively low likelihood of high winds and (2) protection of safety-related i equipment in safety related structures having reinforced concrete walls and roofs at least two feet thick.
5.3.2.6 Aircraft Accidents Aircraft accidents are considered insignificant contributors to core melt on the basis of their low frequencies.
The dominant contribution to onsite aircraft crashes is due to general aviation operations at the Groton-New London Airport, with a predicted frequency of 1.2E-6 per reactor year. This accident could initiate a loss of offsite power event.
Onsite crashes by heavier commercial or military aircraft have a predicted frequency of 1.2E-7 per reactor year. Those accidents have the potential to initiate a larger variety of accidents because they could penetrate some safety-related structures.
5.3.2.7 Hazardous Materials s The control room could be made uninhabitable in the event of the rupture of either of the two railroad tank cars used for onsite storage of chlorine locateo approximately 1400 feet from the control room air intakes. A chlorine detection system has been planned to provide warning and automatic changeover to a closed air recirculation system for the control room.
5.3.2.8 Turbine Missiles The turbine missile damage frequency calculated in the PSS using information supplied by GE for turbine failure was 2.5E-10 per reactor year.
This did not consider stress-corrosion cracking of turbine wheels. A separate PSS calculation, using the turbine failure rate of IE-4 per reactor year recomended in NRC's Reg. Guide 1.115 results in the significantly higher turbine missile damage frequency of 1.8E-6 per reactor year.
5 - 41 -
. __ _. . ___ _ _ _ _ _ _ _ _ . _ . _ _ _ _ . _ ~ . _ _ _ _ _ _ , , - _ _
l 4
I References
- 1. Final Report of the Level 3 Review Board on the Millstone Point Unit 3 Probabilistic Safety Study, August 1983.
4 4
S l
l l
l t
l l
5 - 42 -
I
, . . - . . . , . _ . . , _ . - . . . . . _ _ , _ . . . . . . . _ , - , , , - , , , . . , . . _ , . - - - . . , - , - . - ~ . , ------.---+.e- . - , . - . ~ . - - - - . - - .