ML20126K731

Draft Interim Reliability Evaluation Program Phase II Procedure & Schedule Guide
ML20126K731
Issue date: 09/09/1980
From: NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
To:
Shared Package: ML20126K728
References: RTR-NUREG-0660, RTR-NUREG-660, PROC-800909, NUDOCS 8105210092
Download: ML20126K731 (131)


Text


INTERIM RELIABILITY EVALUATION PROGRAM
Phase II

PROCEDURE AND SCHEDULE GUIDE

DRAFT REVISION 2
September 9, 1980
Division of Systems and Reliability Research
Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission

1. INTRODUCTION

The Interim Reliability Evaluation Program was conceived in the aftermath of the accident at Three Mile Island Unit 2 to address the concern that differences in the design and operation of nuclear power plants may have a significant influence on the course or likelihood of core-melt accidents. The program is responsive to the TMI Action Plan (NUREG-0660), Section II.C.

1.1 Objectives

The Interim Reliability Evaluation Program is intended to apply probabilistic safety analysis techniques to a number of nuclear power plants (ultimately all of them) with the following specific objectives: (1) Identify--in a preliminary way--those accident sequences that dominate the contribution to the public health and safety risks originating in nuclear power plant accidents; (2) Develop a foundation for subsequent, more intensive, applications of probabilistic safety analysis or risk assessment on the subject plants; (3) Expand the cadre of experienced practitioners of risk assessment methods within the NRC and the nuclear power industry; and (4) Evolve procedures codifying the competent use of these techniques for use in the extension of IREP to all domestic light water reactor plants.

1.2 General Assumptions and Scope

Event-tree and fault-tree techniques will be employed to identify hypothetical accident sequences leading to core melt and assess their likelihood. Plant initial conditions will be confined to power generation. Consideration will be given to the possibility of misaligned valves, switches, etc., and components out of service for test and maintenance at the time of the initiating event through the mechanism of unavailability calculations for components within the fault trees. Accident scenarios will be pursued to a stable outcome: the identification of the approximate timing and magnitude of atmospheric releases, if any. Stable hot shutdown will be taken as successful core cooling; such outcomes will not be pursued to cold shutdown.

Excluded from consideration will be external events, earthquakes, fires, floods, and sabotage. Included will be random and common-cause equipment failure, operator and maintenance personnel errors of omission and commission. Operator corrective action during accidents will also be considered.

Component failures will be assumed to be binary: components either function normally or fail outright. Partial failures such as degraded bus voltage will not be considered.

It is the objective of IREP to use fully realistic assumptions on failure likelihood, system failure criteria, accident phenomenology, and the prospects for operator corrective action. However, to avoid much unproductive work, an initial screening of accident sequences and their expected frequency of occurrence will be made with point estimate probabilities and the least conservative criteria readily available. Once candidates for the dominant sequences are thus identified, the conservatisms in the assumptions and data which influence the course or likelihood of these sequences are to be re-examined and eliminated. The final report will include a discussion of the residual uncertainties surrounding the results, including issues of completeness and modeling approximations as well as uncertainties originating in the failure rate data.

The scope of IREP team analyses does not embrace original analyses of the thermal hydraulics of core uncovery, core meltdown phenomenology, or containment challenge by core melt accidents (e.g., MARCH-CORRAL runs), nor does it embrace offsite consequence analysis. The endpoint of the IREP analyses will be the classification of accident sequences according to predicted frequency and a classification according to the approximate timing of core melt and the operability of active containment systems (isolation, sprays, fan coolers, etc.). This classification will allow the accident sequences to be identified--at least tentatively--with release categories by interpolation among the release category assignments made in prior risk assessments of the most nearly comparable plants that did include formal release category analysis, i.e., the Reactor Safety Study and the Methodology Applications Program Studies. A guidebook for this judgmental assignment of release categories is being prepared for use in IREP Phase II and subsequent studies.

2. IREP TASK ELEMENTS AND SCHEDULE

Section 2.1 lists inputs to the IREP project teams. Section 2.2 tabulates task elements, required inputs and deliverable products. Section 2.3 summarizes the schedule.

2.1 Inputs to IREP Teams (supplier in parentheses)

A. Generic Functional Event Trees and Event Tree Analysis Guide (NRC/Sandia)
B. Final Safety Analysis Report (Plant Owner)
C. EPRI NP-801 (Local IREP Contractor)
D. System Design and Operation Documentation (Plant Owner)
   - System descriptions
   - System diagrams
   - Procedures for operation, test and maintenance, emergency procedures, etc.
E. Risk Assessment References (NRC/Sandia)
   - IREP Procedure and Schedule Guide
   - WASH-1400
   - IREP Fault Tree Guide
   - Fault Tree Handbook
   - Human Factors Handbook
   - Release Category Identification Guide
F. List of LERs Screened for Relevance as Potential Accident Precursors (NRC)
G. Component and Human Failure Rate Data Base and Quantification Guide (NRC/Sandia)

2.2 IREP Task Elements, Inputs, and Outputs

Note that the following task list gives a misleading impression that the tasks are sequential. In practice, it is expected that many tasks will be performed concurrently. Many tasks will also require several iterations; that is, a first approximation to the task will be prepared to enable the work to progress. Then, as more understanding of the accident susceptibility of the plant is developed, it will commonly be necessary to revise earlier task products.


IREP 6-Plant Study Task List

(Each entry gives the task number, the task elements with their products, and the required inputs. Letters refer to the inputs of Section 2.1; numbers refer to the products of earlier tasks.)

Task 1
Task elements: Prepare a table showing the names of systems installed in the plant corresponding to the functions in the generic event trees. List these systems. Product: 1a) function/system index; 1b) Front Line Systems List (FLSL).
Required inputs: A. Generic event trees; B. FSAR.

Task 2
Task elements: Assess generic list of transient initiators for applicability to the plant; draft provisional list of transient or active failure initiators. Product: 2) Initiator List.
Required inputs: B. FSAR; C. Generic Initiator List (e.g., EPRI NP-801); F. Precursor LERs.

Task 3
Task elements: Prepare System Description Note Books (SDNB) for each system in FLSL. Product: SDNB-FLSs.
Required inputs: 1b. FLSL; B. FSAR.

Task 4
Task elements: Prepare a table listing each support system upon which the front line systems (FLS List) depend. Product: 4a) Table of FLS vs. Support Systems; 4b) Support system list (SSL).
Required inputs: 3. SDNB; B. FSAR; D.

Task 5
Task elements: Prepare System Description Note Books for each system on the Support System List. Product: SDNB-SSs.
Required inputs: 3. SDNB-FLS; 4., B, D.

Task 6
Task elements: Group transient initiators having common mitigation requirements in order to avoid core melt. Total the expected frequency for each group. Product: Table of grouped transient initiators with estimated frequency of occurrence.
Required inputs: A, B, E, F; 1., 2., 3.

Task 7
Task elements: Identify sites on the reactor coolant pressure boundary where active failures, command faults, support system faults, human error or transients could induce a LOCA. Classify non-passive LOCA possibilities by causal mechanisms, location, effective break size, symptoms, and common-cause failure potential. Product: 7a) Draft table of hypothetical non-passive LOCAs; 7b) List of questions for further research to finalize 7a list.
Required inputs: B, D, E.

Task 8
Task elements: Classify all hypothetical LOCAs (passive and non-passive) according to the number and kind of ECCS trains necessary to avoid core melt. Note special cases of passive LOCAs having peculiar symptoms or which have common cause fault effects, e.g., those which bypass containment. Group into classes those LOCAs having common mitigation requirements. Product: 8a) Draft classification of LOCA initiators by mitigation requirements; 8b) List of questions for further research to finalize 8a list.
Required inputs: B, D, E, 7.

Task 9
Task elements: Prepare an abbreviated fault tree analysis of transient initiators and active-failure LOCAs to identify which--if any--faults in the support systems in the Support Systems List can cause or increase the likelihood of initiating events. Product: 9a) Initiator FTs; 9b) Table of Support system incident initiators.
Required inputs: B, D; 4., 6., 8.

Task 10
Task elements: Tabulate success criteria for front line systems listed in Task 1 for the several relevant initiating events. Also note where these criteria are suspected of being unnecessarily conservative. Identify questions for further research to finalize the system success criteria. Product: Table of FL System Success Criteria.
Required inputs: 1., 2., 3.; A, B.

Task 11
Task elements: Commence collecting questions and additional plant data requirements to be requested of licensee. Product: 11a) Letters to plant owner; 11b) Initiate communications file and log book on communications with owner.
Required inputs: Prior tasks 1 through 10.

Task 12
Task elements: Transmit products of Tasks 1 through 11 to (1) NRC IREP project management, (2) Sandia IREP project management, and (3) the plant owner for review and comment. Include a brief analysis of manhours spent on each task and problems encountered.
Required inputs: Prior tasks 1 through 11.

Task 13
Task elements: Adapt generic functional event trees into plant specific systemic event trees for each group of initiating events. Product: Systemic Event Trees including explanatory text.
Required inputs: 2., 10., A.

Task 14
Task elements: Develop statements of front line system failure criteria and depict as fault tree top logic for each FLS. Product: FT tops with explanatory text for each FLS.
Required inputs: 10., 13.

Task 15
Task elements: Prepare a tabular Failure Mode Effects Analysis for the points of interaction between support systems and the front line systems of Task 4. Product: FMEA.
Required inputs: 3. SDNB-FLS; 4. Dependency Table; 5. SDNB-SS.

Task 16
Task elements: Continue the development of the dependency table and the interaction FMEA to include interactions among support systems, e.g., service water depends upon AC power and both may require DC control power. Products: 16a) Table of support system interdependencies; 16b) Additions, if any, to support system list; 16c) FMEA for interactions among support systems.
Required inputs: 5. SDNB-SS; D. Plant documentation.

Task 17
Task elements: Transmit products of Tasks 12 through 15 and any revisions of Task 1 through 11 products to (1) NRC IREP project management, (2) Sandia IREP project management, and (3) the plant owner for review and comment.
Required inputs: Prior tasks 1 through 16.

Task 18
Task elements: Develop the fault trees for the front line systems into parent trees; i.e., extend the failure logic developed in Task 14 to individual trains or branches of the system. Develop train failure to distinguish faults in support systems (according to the FMEA of Task 15) from local faults of the system, but do not resolve local faults in these fault trees or pursue the development of support system faults at this time. Product: Parent Fault Trees for each system in FLSL.
Required inputs: 3. SDNB-FLS; 14. FT Tops; 15. FMEA.

Task 19
Task elements: Tabulate the local faults in the front line system fault trees which contribute to each composite local fault event in the parent trees developed above. Provide a preliminary quantification to limit the development to potentially significant events only. Product: Tabulated daughter trees.
Required inputs: 3. SDNB-FLS; 18. PFT.

Task 20
Task elements: For each support system, collect a list of fault events appearing in the parent trees of the front line systems originating in faults of the support system. Add to the list the support system faults that are (or contribute to) initiating events. Develop fault tree top-logic (failure definition) for the support systems and tree segments to cover faults in support system branches. Products: 20a) Table of support system fault citations in the initiator and front line system fault trees; 20b) Additions to FLS daughter tree tables; 20c) Connector tree segments for support systems fault trees; 20d) Table of failure definitions for support systems; 20e) Top logic fault trees for support systems.
Required inputs: 15. FMEA; 18. FTs.

Task 21
Task elements: If there were new additions to the support system list in 20b, repeat those steps that develop this information, i.e., Tasks 5, 6, 9, 13, 14, ..., and 20c.
Required inputs: 20b.

Task 22
Task elements: Report results of Tasks 18 through 21 and revisions of Tasks 1 through 16. Revisions of Tasks 1 through 11 should reflect comments received.
Required inputs: 1 through 21.

Task 23
Task elements: Develop parent trees for support systems. Product: Support system fault trees.
Required inputs: 16., 20., 21.

Task 24
Task elements: Tabulate the local faults in the composite events of the support system fault trees (23) and provide a preliminary quantification to limit the development to potentially significant events. Product: Daughter tree tables.
Required inputs: 23. SS FTs; D. Plant documentation; G. Data.

Task 25
Task elements: Develop dependency diagrams, one for each support system, each showing all the front line systems, portraying the kinds of fault propagation into the front line systems from support systems using fault tree notation. Product: System failure dependency tables.
Required inputs: 15., D, 16., 18., 23.

Task 26
Task elements: Develop dependency diagrams for the initiating events showing transient and non-passive LOCA initiator groups and displaying a fault tree logic model of how support system faults may cause or contribute to the occurrence of the initiating events. Product: Initiating event dependency diagrams.
Required inputs: 6., 9.

Task 27
Task elements: Employ the dependency diagrams and event trees to prepare a table of accident sequences caused by support system faults. Product: Table of support system accident scenarios.
Required inputs: 25., 26., 13.

Task 28
Task elements: Re-examine system fault definitions and assumptions employed in the initial quantification of system and initiator fault trees for consistency. Revise as necessary. Product: Statement of consistency of initial quantification with sequences. Revisions, where necessary, to products of Tasks 13., 14., 18., 19., 20., 23., 24., 27., etc.
Required inputs: 18., 14., 13., 19., 20., 23., 24., 27.

Task 29
Task elements: Formulate parent fault trees for each core melt accident sequence in the systemic event trees by combining under an AND gate the initiating event and the several fault trees for the postulated system failures in the sequence. Obtain minimal cut sets and rank according to provisional quantification of initiating and local events. Truncate at 10^-10/yr. Further reduce the list of sequence minimal cut sets by eliminating those cut sets which are sufficient to cause more severe sequences. Each cut set should be attributed to only one sequence. Note cases in which the most severe sequence is ambiguous. Product: Ranked list of minimal cut sets for event sequences.
Required inputs: 13., 18., 19., 20., 23., 24.

Tasks 30-33
Examine and refine the sequence cut set lists and their quantification as follows:

Task 30
Task elements: Verify the sequence cut sets entailing support system faults by comparison with the dependency diagrams. Correct the dependency diagrams, fault, or event trees as appropriate.
Required inputs: 25., 26., 27., 29.

Task 31
Task elements: Search for potential common-cause failures, particularly those due to human (maintenance or operator) error. Revise assessed cut set frequency as appropriate. Product: Revisions of prior products or annotations on the event sequence cut set list identifying bases for altered frequency estimates, as appropriate.
Required inputs: 3., 5., D., 19., 24., 29.

Task 32
Task elements: Re-rank cut set lists for each event sequence by expected frequency of occurrence. Truncate at 10~E/yr.

Task 33
Task elements: Think through the chronology, causality and accident processes implied by each sequence cut set in the truncated list to verify that the assumptions underlying the event trees, fault trees and probabilistic quantification are consistent. Look for common cause failure mechanisms that may have been missed previously. Revise prior work as appropriate.
Required inputs: 32.
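Tasks 29 through 32 describe the mechanical core of sequence quantification: AND the initiating event with the fault trees of the failed systems, obtain minimal cut sets, quantify them with point estimates, truncate, and attribute each cut set only to the most severe sequence it is sufficient to cause. The Python block below is an added illustration of that procedure and is not part of the IREP guide; the fault trees, event names (T1, P1, P2, H1, H2, DC1), sequences and failure data are constructed for the example and describe no plant.

```python
from itertools import product

# Added example (not from the IREP guide). Fault trees, event names and the
# point-estimate data below are constructed for illustration only.
# A tree node is a basic-event name or a gate tuple ("AND" | "OR", [children]).

# The support-system event DC1 (loss of a DC control bus) appears in both front
# line system trees; it is the kind of shared dependency Task 30 checks against
# the dependency diagrams.
AFW_FAILS = ("OR", [("AND", ["P1", "P2"]), "DC1"])   # both auxiliary feedwater pumps, or the DC bus
HPI_FAILS = ("OR", [("AND", ["H1", "H2"]), "DC1"])   # both high pressure injection trains, or the DC bus

# Initiator frequency (per year) and basic-event probabilities, constructed values.
DATA = {"T1": 0.1, "P1": 1e-2, "P2": 1e-2, "H1": 1e-3, "H2": 1e-3, "DC1": 1e-4}

# Core melt sequences from the systemic event tree, listed most severe first.
SEQUENCES = [
    ("T1-AFW-HPI", "T1", [AFW_FAILS, HPI_FAILS]),  # feedwater and injection both lost: more severe
    ("T1-AFW",     "T1", [AFW_FAILS]),             # feedwater lost only
]

TRUNCATION = 1e-10  # per year, the screening value given in Task 29


def minimize(sets):
    """Absorption: drop any cut set that contains another. Returns a list sorted by size."""
    kept = []
    for s in sorted(set(sets), key=lambda cs: (len(cs), sorted(cs))):
        if not any(k <= s for k in kept):
            kept.append(s)
    return kept


def cut_sets(node):
    """Minimal cut sets of a fault tree by bottom-up Boolean expansion."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":
        return minimize(cs for group in child_sets for cs in group)
    if gate == "AND":
        return minimize(frozenset().union(*combo) for combo in product(*child_sets))
    raise ValueError(f"unknown gate {gate!r}")


def sequence_cut_sets(initiator, system_trees):
    """Task 29: AND the initiating event with the fault trees of the failed systems."""
    return cut_sets(("AND", [initiator, *system_trees]))


def frequency(cs, data):
    """Point-estimate frequency per year: initiator frequency times event probabilities."""
    f = 1.0
    for event in cs:
        f *= data[event]
    return f


def rank_sequences(sequences, data, truncation):
    """Attribute each cut set to the most severe sequence it is sufficient to cause,
    then rank the survivors by frequency and truncate (Tasks 29 and 32)."""
    claimed = []   # cut sets already attributed to a more severe sequence
    ranked = {}
    for name, initiator, trees in sequences:
        own = [cs for cs in sequence_cut_sets(initiator, trees)
               if not any(c <= cs for c in claimed)]
        claimed.extend(own)          # attribution is decided before truncation
        scored = sorted(((frequency(cs, data), cs) for cs in own),
                        key=lambda pair: pair[0], reverse=True)
        ranked[name] = [(f, cs) for f, cs in scored if f >= truncation]
    return ranked


if __name__ == "__main__":
    for name, entries in rank_sequences(SEQUENCES, DATA, TRUNCATION).items():
        print(name)
        for f, cs in entries:
            print(f"  {f:9.2e}/yr  {' * '.join(sorted(cs))}")
```

With the constructed data, the cut set {T1, DC1} is sufficient for the more severe sequence and is therefore removed from T1-AFW, which keeps only {T1, P1, P2}; the five-event cut set of T1-AFW-HPI falls below the 10^-10/yr screening value and is truncated. Listing the sequences most severe first makes the attribution a single pass.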

Task 34
Task elements: Prepare logic diagrams of fault causation and descriptions of the sequence of events, symptoms, and expected outcome of the dominant accident sequences.
Required inputs: 33., 32.

Task 35
Task elements: Transmit for review and comment the results of Tasks 1 through 34, highlighting revisions of tasks reported earlier.
Required inputs: 1 through 34.

Task 36
Task elements: Develop a qualitative list of singular initiating events with the potential to cause core melt without additional passive or random active failures. Insofar as practical with the information at hand, include in-plant fires or floods. The effort should be scoped to include accident susceptibility of the kind revealed by the Browns Ferry fire, the NNI-Y bus fault at Rancho Seco, and the accident at TMI.
Required inputs: 7., 9., 13., 25., 25., 33., 34.

Task 37
Task elements: Re-examine the quantification and assumptions underlying the identification of the dominant sequences identified in Task 34. Discuss with plant operations personnel. Employ plant-specific failure rate data, where available, to refine the frequency estimate and discuss the sensitivity of the quantification to the phenomenological assumptions and failure probabilities. Describe the symptoms available to the operator and the opportunities for corrective action during the course of the accident. Note the range of warning times between the diagnosis of the accident and the release from containment.
Required inputs: 32., 33., 34., etc.

Task 38
Task elements: Prepare a draft of the final IREP study report and submit for review and comment.

Task 39
Task elements: Participate in a Research Review Group to assemble critical comments on the draft report. Assist the plant owner in reviewing the draft report.

Task 40
Task elements: Prepare and publish as a NUREG report the final edition of the plant-specific IREP study report, incorporating as appropriate the feedback from the Research Review Group, NRC and Sandia project management, and the plant owner's comments.

2.3 Schedule

Each IREP Phase II study is anticipated to take nine months to produce a final report. One of several ways to schedule the tasks to be performed is suggested in Figure 1. An alternative might entail the concurrent development of the FMEA Tasks 15 and 16 with the fault tree Tasks 18 through 24.

[Figure 1: suggested IREP Phase II task schedule. The chart is not legible in the scanned text.]

3. IREP TASK DESCRIPTIONS

3.1 Function/System Index and Front Line System List

The effort to develop a simple, complete catalogue of accidents involving a reactor core is facilitated by distinguishing between front line systems and support systems. The front line systems list is a minimal list of systems whose operability completely defines the course of accidents with respect to the timing and magnitude of the release--if any--of radioactivity. Support systems important to safety are those which affect the course of accidents only by way of their effect on the operation of front line systems. Examples of front line systems include main and emergency feedwater systems, emergency core cooling systems, containment sprays and fan coolers, and valves regulating flow across the reactor coolant pressure boundary or the containment boundary. Examples of support systems include auxiliary AC and DC power systems, component cooling water systems, HVAC and instrument air systems. Some ambiguous cases are systems with both front line and support functions (e.g., an essential service water system which is part of the decay heat removal system--i.e., front line--as well as a heat sink for front line systems). Another ambiguous case is an actuation system whose classification as part of a front line system or as an independent support system is a largely semantic distinction.

To keep the number of front line and support systems to a minimum it is commonly helpful to class actuation and control systems as part of the front line system rather than as a separate support system, provided that the actuation and control system serves only one front line system. On the other hand, if the actuation system initiates more than one front line system, e.g., the Safety Features Actuation System, it is more convenient to treat it as a support system. By so doing, the potential for multiple faults among the front line systems originating in a single failure of the actuation system can be treated explicitly in the dependency diagrams and the fault trees for the support systems.

Flag those front line systems that normally participate actively in normal power generation, e.g., the main feedwater system, from those which are normally dormant, e.g., the ECCS or auxiliary feedwater system. In most cases it will prove more convenient to treat the normally operating systems in the fault trees for the initiating events rather than in the fault trees for the mitigating systems. However, do not forget to consider the possible restoration of these systems as a potential recovery mode in the later analyses of accident sequences.

3.2 Initiator List

EPRI has classified and estimated generic occurrence rates for transient event initiators at nuclear power plants in EPRI NP-801. This work serves as a satisfactory starting point from which to estimate the types and frequencies of transients to be expected in the subject plant. Tabulate which of the transients in the EPRI list are applicable to the plant, and indicate their generic occurrence frequency. Keep in mind that the plant in question may be susceptible to different kinds or frequencies of transients than the report suggests. Consider the list of potential precursor LERs in this task. In this and subsequent tasks, look for clues to modifications that may be needed to the transient initiator list and the assessed frequency of occurrence.

3.3 System Description Note Books--Front Line Systems

The System Description Note Books--one for each of the front line systems--are intended to contain (1) a copy of a description of the system (perhaps a photocopy of the system description in the FSAR or from the operator training manual); (2) the principal diagrammatic documentation of the system, e.g., P&ID for mechanical systems; (3) an annotated index of relevant information in the supplied plant documentation, i.e., cross references to elementary diagrams relevant to the system, to operating, maintenance and emergency procedures, etc.; and (4) copies of letters, telecon memoranda, and interview notes in which the IREP team questions the operators, designers or builders about the details of the system design or operation.

The SDNBs will continue to grow throughout the IREP study. Every piece of information actually employed in the IREP study results about the plant design or operations should either appear in the appropriate SDNB or should be traceable via the SDNB and retrievable from the central IREP team file.

Four copies of the plant documentation and of the SDNBs are to be maintained throughout the study. They are to be located as follows:

1. Study team
2. NRC IREP project management
3. Sandia IREP project management
4. Utility (plant owner) office designated to track the IREP study.

Document control procedures are to be implemented to assure that all four copies are updated and complete. Each addition or correction to the plant documentation or to an SDNB should be funneled through the IREP team Document Control Engineer (a designated member of the IREP team). The Document Control Engineer should issue revision pages as necessary to update the four copies and a new cover sheet which indicates the latest revision of each page.

The initial preparation of the SDNB described in Task 3 entails the collection of the system description, the principal diagrams, the first edition of the cross index to procedures and the current diagram file, the dissemination of the first set of four copies, and the initiation of the document control system. It is expected that the entire IREP team participate in the development of the SDNBs. In fact, the initial perusal by the team members of the FSAR and the plant documentation to familiarize themselves with the plant should be combined with the exercise of initiating the SDNBs as well as Tasks 1 and 2.

3.4 Support Systems List, Table of Front Line Systems vs. Support Systems

In the course of reviewing the design and operation of the front line systems, note each active support system, such as auxiliary essential AC power, non-essential AC power, DC power, control and actuation systems, HVAC systems, auxiliary cooling water systems, instrument air, etc., upon which the front line systems depend. Document the survey of support systems in the form of 4a) a master list of all the support systems upon which the front line systems depend, and 4b) a table or matrix with the names of the front line systems in the left hand column and the names of the support systems across the top. Enter check marks to note the dependencies identified.

Conventions involving the definition of system boundaries employed in the analysis should be recorded in the System Description Note Books for future reference. It will suffice to follow FSAR or other plant documentation conventions for the definition of systems.

It is not necessary to distinguish between system trains or divisions nor to distinguish between types of dependencies for the purpose of this expeditious task. However, this information will be needed in the Failure Mode Effects Analysis Task, Task 15, and subsequent tasks. Therefore, clearly note in the System Description Note Books where this information can be retrieved when it is needed.

Treat the main feedwater system as a front-line system in this exercise to support subsequent tasks entailing the analysis of transients and non-passive failure LOCAs.

Where system operation requires operator control, treat the operators as a "support system." In ambiguous cases where the functional dependency is in doubt--e.g., a front line system may or may not require operability of the compartment HVAC--assume the dependency is present and record the system in the list and table with a question mark to note the ambiguity.
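As an added illustration of the Task 4 table described above, and of the way Tasks 16 and 25 extend it, the following Python block builds the front line vs. support system matrix from declared dependencies, records ambiguous ones with a question mark as the guide directs, and follows support-system interdependencies to show which front line systems a single support system fault would disable. It is not part of the IREP guide; the system names and dependencies are constructed for the example and describe no plant.

```python
# Added example (not from the IREP guide). System names and dependencies are constructed.
# A trailing "?" on a dependency marks an ambiguous case, which Section 3.4 says to
# record as present with a question mark.
FLS_DEPENDS = {
    "Main feedwater":      ["AC-nonessential", "Instrument air", "DC"],
    "Auxiliary feedwater": ["AC-essential", "DC", "Room HVAC?"],
    "HPI":                 ["AC-essential", "DC", "CCW"],
    "Containment spray":   ["AC-essential", "DC"],
}

# Task 16 interdependencies among support systems (constructed): e.g. CCW needs
# service water and essential AC, and essential AC needs DC control power.
SS_DEPENDS = {
    "CCW":             ["Service water", "AC-essential"],
    "Service water":   ["AC-essential"],
    "AC-essential":    ["DC"],
    "AC-nonessential": [],
    "Instrument air":  ["AC-nonessential"],
    "Room HVAC":       ["AC-essential"],
    "DC":              [],
}


def split_flag(dep):
    """'Room HVAC?' -> ('Room HVAC', True); plain names -> (name, False)."""
    return (dep[:-1], True) if dep.endswith("?") else (dep, False)


def transitive_supports(system):
    """Every support system that `system` needs directly or through a chain (Task 16)."""
    seen, stack = set(), list(SS_DEPENDS.get(system, []))
    while stack:
        s = stack.pop()
        if s not in seen:
            seen.add(s)
            stack.extend(SS_DEPENDS.get(s, []))
    return seen


def support_system_list():
    """Task 4b master list: every support system a front line system cites, plus
    (Task 16b) any further support system those systems depend on."""
    names = set()
    for deps in FLS_DEPENDS.values():
        names.update(split_flag(d)[0] for d in deps)
    for s in list(names):
        names.update(transitive_supports(s))
    return sorted(names)


def dependency_table():
    """Task 4a matrix: rows are front line systems, columns support systems;
    'X' = dependency identified, '?' = ambiguous, '' = none."""
    cols = support_system_list()
    table = {}
    for fls, deps in FLS_DEPENDS.items():
        row = dict.fromkeys(cols, "")
        for d in deps:
            name, ambiguous = split_flag(d)
            row[name] = "?" if ambiguous else "X"
        table[fls] = row
    return table


def fls_lost_by(support_fault):
    """Front line systems disabled by one support-system fault, propagated along the
    dependency chain (the propagation a Task 25 dependency diagram portrays)."""
    lost = set()
    for fls, deps in FLS_DEPENDS.items():
        for d in deps:
            name, _ = split_flag(d)
            if name == support_fault or support_fault in transitive_supports(name):
                lost.add(fls)
                break
    return lost


def render_table():
    """Plain-text rendering of the Task 4a matrix (column names abbreviated to 6 chars)."""
    table, cols = dependency_table(), support_system_list()
    width = max(len(f) for f in table)
    lines = [" " * width + "  " + "  ".join(f"{c[:6]:>6}" for c in cols)]
    for fls, row in table.items():
        lines.append(f"{fls:<{width}}  " + "  ".join(f"{row[c]:>6}" for c in cols))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table())
    for ss in support_system_list():
        print(f"{ss}: fault disables {sorted(fls_lost_by(ss)) or 'nothing'}")
```

The direct matrix alone would show HPI depending on CCW but not on service water; only by following the Task 16 chain does a service water fault appear as a cause of HPI failure, which is the reason the guide asks for the interdependency table before the dependency diagrams are drawn.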

3.5 System Description Note Books--Support Systems

Follow the guidelines for Task 3. For operators treated as a "support system," record the references to the procedures or system descriptions describing the operator's role and responsibilities.

3.6 Group Transient Initiators Having Common Mitigation Requirements

Some transients can be ridden through without a requirement for scram or for the initiation of standby cooling systems. These are of no interest unless they deteriorate into scenarios in which the scram and/or the startup of backup cooling systems are necessary. Therefore, it generally suffices to limit the grouping to two classes: those in which the expeditious termination of criticality is required and/or those in which the delivery of main feedwater is interrupted for long enough to require the initiation of a backup cooling system to dissipate decay heat. A useful convention employed in the RSS is to distinguish transients in which the power conversion system (main steam, condenser, main feedwater, the turbine or the turbine bypass system, and the circulating water system) continues to operate or trips off. That is, the power conversion system is said to be operable if the normal reactor heat dissipation path via the circulating water system remains operable.

Since the focus of the analysis is to give an initially broad catalogue of accident sequences leading to core melt, it is useful to employ a gross classification of transients. When in doubt, employ subgroups of transients within the coarser, broader classifications to denote collections of transients which are similar with respect to the demand for changes of state among the front line systems, but which differ in the timing of the demand, the options for recovery, or the severity of the effects of failures. It is not, however, necessary to develop this fine-structure of the transient initiator classification at this time. The fine-structure of the classification should be developed in an iterative fashion during the fault tree analysis of initiators.

Total the estimated frequency of occurrence for each transient group by adding the estimated frequencies of the constituent transient types from EPRI NP-801 and Task 2. Update the Task 2 Initiator List if new insights developed in Task 6 suggest alterations.

3.7 Table of Non-hssive LOCA Initiators Survey the entics surface of the reactor coolart pressure boundary, as documented in P& ids and other plant documentatien, ,

in support of Tasks 7 and 8.

Task 7 is devoted to the identification of hypothetical non-passive-failure LOCAs. Catalogue sites on the reactor coolant pressure boundary at which non-passive LOCAs are possible. Examples of non-passive failures are externally operable valves where active failures, human error, command faults, etc. might result in breaches of the pressure boundary. Note in particular those sites at which a transient-induced non-passive failure LOCA might take place, e.g., safety/relief valves, letdown lines, etc. Classify the hypothetical non-passive failure LOCAs in tabular form, distinguishing the immediate causal mechanisms, the break location, the range of possible effective break areas, the symptoms discernible by the operators, and the common-cause failure possibilities.

Only the immediate or proximate cause need be identified in this task; subsequent tasks develop--in fault tree form--the root causes of these LOCAs. Symptom identification can be qualitative; it is not expected that reactor coolant or containment atmosphere pressure-temperature analyses be performed.

Highlight any clues available to the operators of the location or cause of the break. Note if the breach is potentially isolatable. Among the common-cause failure features to be considered are LOCAs that may affect the operability of one or more trains of ECCS, which may breach the containment pressure boundary, or which have unusual symptoms (such as high pressurizer level) that might confuse operators or affect the signature which actuates the engineered safety features actuation system.

It is expected that the available plant documentation may prove insufficient to complete this task. If this is the case, collect a list of questions for the plant owner and/or for the IREP research program management to resolve ambiguities.

However, proceed as far as possible with the task at this time, using judgment as necessary to complete the catalogue in order to support successive tasks. Flag judgment calls for future verification or for use in documenting assumptions.

3.8 Classify all Hypothetical LOCAs by Mitigation Requirements

Group all hypothetical LOCAs (passive as well as non-passive) into classes sharing common mitigation requirements, i.e., whether or not reactor scram is required, whether or not feedwater (normal or emergency) is required, and the kind and number of trains of Emergency Core Cooling Systems required.

It is expected that most active and passive LOCAs can be grouped by effective break size. A few hypothetical LOCAs may also depend upon break location or upon common-cause failure potential. Identify any groups or subgroups of LOCAs with particular mitigation problems such as:

a. LOCAs for which recirculation may be compromised (blowdown outside of containment, blowdown may accumulate in a cavity that does not communicate directly with the emergency sump, etc.).
b. LOCAs which intrinsically defeat one or more ECCS trains.
c. LOCAs which may intrinsically breach the containment barrier.
d. LOCAs outside of the ECCS design envelope, e.g., gross reactor vessel rupture.
e. LOCAs whose symptoms do not trigger the Safety Features Actuation System.

For each group or subgroup of passive failure LOCAs develop an estimate of expected frequency of occurrence following RSS practice. See also the quantification guide. Note if there is a subgroup of piping within each group which depends upon the operability of snubbers or sliding equipment mounts to accommodate thermal expansion and contraction. Collect a list of questions to resolve ambiguities in this task, as outlined under Task 7.

The objective of the IREP study is to use realistic analyses of equipment phenomenology. Thus it is unnecessary to employ licensing conservatism in the classification of LOCAs by mitigation requirements. However, realistic analyses of ECCS requirements may not be available. Generally it is more efficient, in this case, to proceed with the analysis employing the conservative licensing criteria to define ECCS requirements, but to note instances of suspected conservatisms. As the analysis of accident likelihood and causation takes shape, it is then possible to estimate whether a less conservative definition of ECCS requirements would make a significant difference in the assessed risk. In most cases, it will not make much difference in the estimated frequency of core melt accidents whether realistic or conservative ECCS sufficiency assessments are employed. Thus, it may never be necessary to perform the realistic LOCA analyses. In the unlikely case that the conservatisms are predicted to influence the risk significantly, the refinement of the ECCS success/failure criteria can be earmarked for follow-up work.

Note that the lower bound on the break area for the class of smallest LOCAs may be significant. Small leaks and very small line breaks are rather common in reactor coolant systems. Thus, the assessed frequency of occurrence of the smallest LOCA class is likely to be a sensitive function of the minimum break area. This may prove to be important to the risk. Thus, some care should be taken in identifying the smallest LOCA sizes which would lead (realistically) to core melt if ECCS fails.

Document the results of Task 8 in a table listing LOCA groups classed according to mitigation requirements. It should display the estimated frequency of occurrence for passive-failure LOCAs and carry annotations for special cases. Also document assumptions and collect the questions for further research to resolve ambiguities in the table.

3.9 Fault Tree Analysis of Transient and Non-Passive LOCA Initiators

The objective of this task is to identify faults in the support systems which can cause or contribute to initiating events as well as degrade the reliability of systems called upon to respond to the initiating event.

Frequency estimates for transients without this common cause aspect will be obtained from actuarial data rather than synthesized with the fault trees from component failure rate data. Therefore, there is no need to detail faults in these trees which do not also appear in support systems for the standby front line systems. The use of the fault tree approach is merely intended to provide a coherent, disciplined approach to the search for common elements contributing to both the initiator and the mitigation failure.

The key to the efficient performance of this task is to trace fault propagation (in the reverse-causal direction) from the event initiators--transients or non-passive failure LOCAs--to support systems belonging in the Support Systems List.

3.10 Success Criteria for Front Line Systems

Tabulate the success criteria for the front line systems in terms of the number of trains of each system operable and the allowable delay in starting these trains for each distinct class of initiating events. Distinguish success criteria for the injection or early accident phase from the recirculation or later phase if different.

Follow the policy suggested under Task 8 with respect to conservatism, i.e., realistic criteria are desirable, but use conservative criteria in cases in which the realistic success criteria are not readily obtainable. Where unquantified conservatism is suspected, note it for future reference.

The allowable start delays may be a sensitive function of the details of the accident sequence, and accurate realistic predictions of the point of no return are rarely available. It is not necessary to pin down these characteristic times with much accuracy. These times will be employed to assess the window for operator corrective action to restore or initiate the function of those front line systems that do not start automatically or promptly. Since it is beyond the state-of-the-art to predict the probability of such operator success/failure within an order of magnitude, an uncertainty range on the allowable delay as large as a (multiplicative) factor of 3 (or 1/3) will not significantly affect the accuracy of the overall assessment. Therefore, an estimate of the allowable start delay that is no better than a ballpark estimate will generally suffice.

It is worth noting cases in which a delayed start of a standby front line system can potentially change the course of an accident sequence even though the start is ultimately successful. For example, a delayed start of emergency feedwater following a loss of main feedwater in a PWR may be successful with respect to sustaining an adequate heat sink for decay heat dissipation but it may open up the possibility of a transient-induced LOCA in the lifting of a pressurizer relief/safety valve. For this example of a PWR Emergency Feedwater System (EFS) there may even be three (or more) critical times:

t1 - delay time after which EFS start will not preclude opening a pressurizer relief/safety valve
t2 - delay time after which EFS start--by itself--cannot preclude core melt
t3 - delay time after which EFS start and HPI start cannot preclude core melt.

It is not intended that the IREP team analyses embrace original analyses of core damage phenomenology or resolve differences between a damaged core and a complete meltdown. Past risk assessments have clearly shown that the offsite risk is dominated by full meltdown accompanied by gross containment failure. Therefore, IREP is to focus on this severe end of the accident spectrum. In any case, our limited ability to predict human reliability or repair/restoration probabilities would generally mask any "fine tuning" of the success vs. failure criteria for delayed starts that distinguished between core damage and full meltdown. The few exceptions to this generality are unlikely to be significant to the public health and safety risk, although they might be significant to the economic risk borne by the plant owner associated with TMI-like outcomes.

Include success criteria for front line containment systems such as sprays, fan coolers, and the isolation system in the table of success criteria. Comments, footnotes or annotations should clearly spell out the assumptions. In addition, prepare a list of open questions necessary to resolve ambiguities in the success criteria. These will be reviewed as part of the review of the first interim report (see Task 12). IREP project management at the NRC, Sandia, and the plant owner's review group will arrive at a consensus on the disposition of these questions. Some may be answerable directly by one of these groups, others may be left as open issues to be explored by a sensitivity study on the IREP results. Still other questions that are likely to be important may be earmarked for concurrent research by the NRC Office of Nuclear Regulatory Research or by the plant owner. For example, in the Crystal River IREP study Florida Power Corporation requested of B&W some analyses of allowable start delays for the Emergency Feedwater System.

3.11 Plant Data Requirements and Questions

From time to time the IREP teams will identify a need for additional information on the design, function, operation, surveillance or maintenance of systems. Where practical, the utility representative(s) on the IREP team should help to obtain this information directly to avoid unnecessary delays. The plant owner may choose to funnel such questions through one or a few identified points of contact. We anticipate that such data-gathering may be the critical path item in some parts of the IREP schedule. Nevertheless, the team leader should screen and coordinate these requests to assure that no unnecessary burden is placed upon the owner. In addition, the requests for information as well as the supplied information should be logged and maintained under the document control system described in Task 3 to assure that proper records are kept. See also the Task 10 description for issues relating to system success vs. failure.


3.12 First Interim Report

Transmit products of Tasks 1 through 11 to (1) NRC IREP project management, (2) Sandia IREP project management, and (3) the plant owner for review and comment. Include a brief analysis of manhours spent on each task and problems encountered.


3.13 Event Trees

Adapt generic functional event trees into plant specific systemic event trees for each group of initiating events.

Product: Systemic Event Trees including explanatory text.

See also the IREP Event Tree Guide.

The generic functional event trees supplied to the IREP study teams are intended to be a first cut at the functional event trees of the plant. Since the front line functions do not necessarily bear a one-to-one correspondence with the systems installed in the plant, a generic approach is generally feasible.

The systemic event trees are intended to correspond with installed systems or groups of systems.

Neither the functional nor the systemic event trees describe accidents in a chronological or root-causal sequence. Rather, they catalogue accidents according to (1) the class of initiating event and (2) the operability or inoperability of systems or functions. They are intended to define an abstract classification of accidents with just enough detail to identify roughly the magnitude and expected timing of radiological releases to the atmosphere. The sequence of branch points in these trees may coincidentally match the chronology of failure in some cases but the choice is principally governed by a desire to simplify the accident classification scheme as much as possible. This is done by selecting the sequence to take maximum advantage of the fact that for some accident scenarios the operability of many of the front line systems is moot.

The systemic event trees--whose branch points do correspond with distinct systems or groups of systems--serve as the jumping-off point for system reliability analysis. They serve to define the accident scenarios within which system reliability is of interest. They help specify the failure criterion for each of the systems in the context of a particular class of accidents, and they define the window for common cause failures that couple the initiating event with mitigating system failure or couple the failure of more than one mitigating system, including human error or support system faults.

To simplify the analysis, support system faults like loss of AC power are not to be shown on the functional or systemic event trees employed at this stage of the analysis. Only front line systems or functions are to be displayed. However, the systemic event trees may be redrawn at the conclusion of the analysis to display the support system faults so that the revised classification scheme for accident scenarios bears a simpler relationship with the risk-dominant sequences. Both styles of systemic accident classification are useful: those with only front line systems more clearly delineate the factors that directly influence the release of radiation; those with support systems shown more clearly delineate the causal grouping of accident scenarios.
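The classification scheme described in Task 13, worked through as an added example that is not part of the guide or of the IREP Event Tree Guide: a small systemic event tree for a transient in which each sequence is identified by the initiating event plus the failed front line headings, a heading is skipped wherever an earlier outcome makes it moot, and each sequence frequency is the initiator frequency times the branch probabilities along its path. The headings (K scram, L emergency feedwater, U high pressure injection), the failure probabilities and the initiator frequency are constructed for illustration.

```python
"""Enumeration of a small systemic event tree (added example; constructed data)."""
from typing import Callable, Dict, List, Tuple

# (heading, failure probability on demand, predicate saying when the heading is queried)
Heading = Tuple[str, float, Callable[[Dict[str, bool]], bool]]

TRANSIENT_HEADINGS: List[Heading] = [
    ("K", 1e-5, lambda s: True),                                         # reactor scram
    ("L", 1e-3, lambda s: s.get("K", False)),                            # emergency feedwater; moot without scram
    ("U", 1e-2, lambda s: s.get("K", False) and not s.get("L", True)),   # HPI feed-and-bleed, only if EFW fails
]


def end_state(state: Dict[str, bool]) -> str:
    """Plant damage state for a completed path; headings never queried are absent from `state`."""
    if not state.get("K", False):
        return "CM-ATWS"            # failure to scram is its own core melt class
    if state.get("L", False) or state.get("U", False):
        return "OK"                 # decay heat removed by EFW or by feed-and-bleed
    return "CM"


def enumerate_sequences(initiator: str, freq_per_yr: float, headings=TRANSIENT_HEADINGS):
    """Return [(sequence label, end state, frequency per year)] for every path through the tree.
    Labels follow RSS practice: the initiator letter followed by the letters of the failed headings."""
    sequences = []

    def walk(i: int, state: Dict[str, bool], freq: float, label: str) -> None:
        if i == len(headings):
            sequences.append((label, end_state(state), freq))
            return
        name, p_fail, queried = headings[i]
        if not queried(state):
            walk(i + 1, state, freq, label)            # moot heading: no branch, no probability factor
            return
        walk(i + 1, {**state, name: True}, freq * (1.0 - p_fail), label)
        walk(i + 1, {**state, name: False}, freq * p_fail, label + name)

    walk(0, {}, freq_per_yr, initiator)
    return sequences


def core_melt_frequency(sequences) -> float:
    """Total frequency of all sequences that do not end in the OK state."""
    return sum(f for _, end, f in sequences if end != "OK")


def dominant(sequences, n: int = 3):
    """The n most frequent core melt sequences, the screening output the guide asks for."""
    melts = [s for s in sequences if s[1] != "OK"]
    return sorted(melts, key=lambda s: s[2], reverse=True)[:n]


if __name__ == "__main__":
    seqs = enumerate_sequences("T", 3.0)   # constructed: 3 loss-of-feedwater transients per year
    for label, end, f in seqs:
        print(f"{label:8s} {end:8s} {f:.3e}/yr")
    print(f"core melt frequency: {core_melt_frequency(seqs):.3e}/yr")
```

With these constructed numbers the tree has only four sequences (T, TL, TLU, TK) because the L and U headings are never queried once scram has failed and U is queried only when L has failed; that is the "moot" simplification the text describes, and it is what keeps the sequence count manageable when the tree is extended to more headings.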

3.14 Fault Tree Top Logic

Employ the system success criteria developed in Task 10 and the event trees developed in Task 13 to formulate system failure definitions for use in the fault tree analysis of the front line systems. Verify that the failure criterion is the same for every instance in which the system appears in the event trees or define different criteria as necessary so that each event tree application is covered. Develop the fault trees for each variant and for each front line system to the extent necessary to portray the number of trains or divisions whose failure is sufficient to fail the system.

An example appears below:

Auxiliary feedwater system for a Westinghouse 4-loop PWR.

Success is 470 gpm delivered within T minutes (T depends upon the initiator) to any one or more steam generators. There are eight distinct flow paths (two to each steam generator) from three pumps. Each path normally can provide 250 gpm. Thus, any two of the eight paths delivering normal flow constitute success. The event tree calls for a failure to start or to sustain auxiliary feedwater for 8 hours.

[Fault tree figure]

Top event (7/8 gate): Aux. FW System fails to deliver 470 gpm within T min and continue for 8 hr.

Inputs, one per flow path (eight in all):
Path 1 to Steam Gen. A fails to deliver nominal flow within T min or fails in service before 8 hr.
Path 2 to Steam Gen. A fails to deliver nominal flow within T min or fails in service before 8 hr.
Path 1 to Steam Gen. B fails to deliver nominal flow within T min or fails in service before 8 hr.
....

Note 1. Be prepared, if necessary, to quantify separately failure to start and failure to run for 8 hours or to edit the cutset list to avoid counting spurious combinations of late start on some paths and later failure to run on others that at no time fail the entire system.

Note 2. Critical start times are tabulated below:

T             Sequence                             Comments
1 to 2 min    Feedwater transient without scram    PNR*
2 to 8 min    Feedwater transient with scram       time to lift PRZR valve
15 to 20 min  Feedwater transient with scram       PNR* for AFS restoration
20 to 30 min  Feedwater transient with scram       PNR* for AFS and HPI initiation

* PNR = estimated Point of No Return for the avoidance of core damage or melt.

This example is purely hypothetical; the numbers cited are made up for the example.
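The top event of the hypothetical auxiliary feedwater example, evaluated in the way Note 1 asks for, as an added example that is not code from the guide: the "7 of 8 paths fail" gate is checked instant by instant over the allowable delay T and the 8 hour mission, so a combination of a late start on one path and a later failure to run on another is counted only if, at some single moment, fewer than two paths are delivering. A plain cutset count that flags a path as failed whenever it starts late or ever stops is computed beside it. All per-path probabilities are constructed and deliberately pessimistic so that 7-of-8 combinations actually occur in the simulation; the 20 min value of T is taken from the hypothetical table above.

```python
"""Time-resolved evaluation of a k-of-n fault tree top event (added example; constructed data)."""
import random
from dataclasses import dataclass
from typing import Optional

N_PATHS = 8          # eight flow paths, two to each steam generator
REQUIRED = 2         # any two paths at nominal flow meet the 470 gpm criterion
MISSION_HR = 8.0     # the event tree asks for 8 hours of auxiliary feedwater


@dataclass
class Path:
    start_hr: Optional[float]      # when flow is established; None = never starts
    run_fail_hr: Optional[float]   # when flow is lost after a start; None = runs out the mission


def delivering(path: Path, t: float) -> bool:
    """True if the path delivers nominal flow at instant t (state just after any event at t)."""
    if path.start_hr is None or path.start_hr > t:
        return False
    return path.run_fail_hr is None or t < path.run_fail_hr


def naive_path_failed(path: Path, t_allowed_hr: float, mission_hr: float = MISSION_HR) -> bool:
    """Cutset-style flag: a path is 'failed' if it starts late or ever stops before mission end."""
    if path.start_hr is None or path.start_hr > t_allowed_hr:
        return True
    return path.run_fail_hr is not None and path.run_fail_hr <= mission_hr


def naive_system_fails(paths, t_allowed_hr: float, mission_hr: float = MISSION_HR) -> bool:
    """Top event as a plain 7-of-8 count over the naive per-path flags (overcounts)."""
    failed = sum(naive_path_failed(p, t_allowed_hr, mission_hr) for p in paths)
    return failed >= N_PATHS - REQUIRED + 1


def system_fails(paths, t_allowed_hr: float, mission_hr: float = MISSION_HR) -> bool:
    """Top event over time: fewer than REQUIRED paths delivering at some instant in
    [t_allowed, mission]. Path states change only at start or run-failure times, so it is
    enough to inspect t_allowed and each event time inside the window."""
    instants = {t_allowed_hr}
    for p in paths:
        for t in (p.start_hr, p.run_fail_hr):
            if t is not None and t_allowed_hr <= t <= mission_hr:
                instants.add(t)
    return any(sum(delivering(p, t) for p in paths) < REQUIRED for t in sorted(instants))


def simulate(n_trials: int, t_allowed_hr: float, seed: int = 1, p_never: float = 0.3,
             p_late: float = 0.2, late_max_hr: float = 1.0, run_fail_rate: float = 0.05):
    """Monte Carlo comparison of the two evaluations; returns (naive fraction, time-resolved fraction).
    Per-path parameters are constructed: probability of never starting, of starting late
    (uniformly between T and late_max_hr), and an exponential failure-to-run rate per hour."""
    rng = random.Random(seed)
    naive = exact = 0
    for _ in range(n_trials):
        paths = []
        for _ in range(N_PATHS):
            u = rng.random()
            if u < p_never:
                start = None
            elif u < p_never + p_late:
                start = rng.uniform(t_allowed_hr, late_max_hr)
            else:
                start = 0.0
            run_fail = None
            if start is not None:
                t_fail = start + rng.expovariate(run_fail_rate)
                run_fail = t_fail if t_fail <= MISSION_HR else None
            paths.append(Path(start, run_fail))
        naive += naive_system_fails(paths, t_allowed_hr)
        exact += system_fails(paths, t_allowed_hr)
    return naive / n_trials, exact / n_trials


if __name__ == "__main__":
    T = 20 / 60   # 20 min allowable delay, from the hypothetical table
    print("naive, time-resolved failure fractions:", simulate(20000, T))
```

The time-resolved result can never exceed the naive one: if fewer than two paths deliver at some instant, each of the other paths is either late, never started, or already failed, so the naive flags are set for at least seven paths. The gap between the two is exactly the spurious cutsets Note 1 warns about.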

3.15 Interaction Failure Mode Effects Analysis

The Failure Mode Effects Analysis is a table with one entry row for each point of dependence of the front line systems on support systems, including humans. It is intended to summarize the assumptions or understanding to be used in the analysis of the fault propagation from the support system into the front line system. It is not intended to elaborate on fault propagation within the support systems "upstream" of the point of interaction, as that will be dealt with in the support system fault trees. However, it will be useful to trace faults beyond support system components that uniquely serve the particular front line system component, as their failure can be lumped with component failure. Column headings in the FMEA are:

1. Front line system component designation
2. Support system
3. Support system division or train
4. Proximate support system component designation
5. Failure mode
6. Fault effect on front line component function
7. Fault detection interval
8. Diagnostics (..., control room vs. local, etc.)
9. Comments

An example follows.

[Interaction FMEA example table: Auxiliary Feedwater System (AFWS) pumps MDP-1A and MDP-1B. Columns as listed above: front line system (system, div., comp.), support system (system, div., comp.), failure mode, fault effect, detection, diagnostics, comments. Rows cover dependence on the electric power breakers (fail open; pump fails to start or run; found at pump test) and buses (low voltage; possible motor burnout; voltage alarmed in CR), HVAC room coolers (no heat removal; pump burnout), service water oil coolers (loss of cooling water flow; local temperature gauge; manual valve alignment checked in maintenance procedure), DC control power (low or zero voltage precludes auto or manual start), maintenance personnel (control switch left in "local", defeating auto and remote manual start; shift change check list in CR), operators (override of auto start; status lamp and flow gauge in CR), and manual valve alignment (valve left closed for pump maintenance; blocked flow in the affected division; alignment checked once per shift). MDP = motor driven pump. Table body not legible.]

3.16 Dependencies Among Support Systems

Continue the development of the dependency table and the interaction FMEA to include interactions among support systems, e.g., service water depends upon AC power and both may require DC control power. Products: 16a) table of support system interdependencies; 16b) additions, if any, to support system list; 16c) FMEA for interactions among support systems. See foregoing comparable tasks for guidelines of methods and scope.

3.17

3.18 Modular Fault Tree Development for Front Line Systems

Develop the fault trees for the front line systems into parent trees; i.e., extend the failure logic developed in Task 14 to individual trains or branches of the system. Develop train failure to distinguish faults in support systems (according to the FMEA of Task 15) from local faults of the system, but do not resolve local faults in these fault trees or pursue the development of support system faults at this time. Product: parent fault trees for each system in FLSL. See also IREP Fault Tree Guide.

3.19 Tabulation of Local Faults

The subtrees of the system fault trees which detail the fault events that can give rise to a common effect on the function of a division or subdivision (segment) of a system will be portrayed in a tabular form rather than drawn as part of a detailed fault tree. A tabular format produces a more compact representation than a drawn subtree and also enables the data normally displayed on a FMEA and a quantification table to be combined with the fault tree documentation.

The composite events that are the endpoint of local fault resolution in the parent fault trees of Task 18 have names like "local faults functionally equivalent to a plug in pipe segment G" and "correction factors for common-cause failures local to two or more branches upstream or downstream of segment G that are also functionally equivalent to a plug in G." This example is shown in the subsequent figures.

In most cases, the components giving rise to these composite fault events are functionally in series. A fault tree developing such composite events would be composed entirely of "OR" gates. The probabilities of the component failures in such a subtree are additive. Thus, the sum of the probabilities of these contributing events gives the correct first order approximation to the probability of the composite event. This makes the tabular documentation of these subtrees particularly convenient.
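The first order rule just stated, worked as an added example that is not code from the guide: a constructed daughter-tree table for the "plug in segment G" composite event is summed term by term and the sum is placed beside the exact union probability for independent contributors, so the reader can check when the rule of thumb is adequate and when it is not; the common-cause "correction factor" for two redundant segments G-A and G-B is added in the same way. The contributor names echo the guide's example but every number is made up; the lambda*tau/2 estimate for faults revealed only at periodic test and the beta-factor common-cause split are standard PRA conventions assumed here, not conventions the guide itself specifies.

```python
"""First-order quantification of a composite local fault event (added example; constructed data)."""
from dataclasses import dataclass
from math import prod
from typing import List


@dataclass
class Contributor:
    name: str
    q_demand: float = 0.0             # per-demand failure probability (the Q/d column)
    lam_per_hr: float = 0.0           # standby failure rate (the lambda/hr column)
    detect_interval_hr: float = 0.0   # interval between tests or checks that would reveal the fault

    def unavailability(self) -> float:
        """Probability the contributor blocks the segment when it is demanded. A standby fault
        found only at the next test is present, on average, for half the interval, hence
        lambda * tau / 2 (assumed convention, not stated in the guide)."""
        standby = self.lam_per_hr * self.detect_interval_hr / 2.0
        return min(1.0, self.q_demand + standby)


def first_order(contribs: List[Contributor]) -> float:
    """The guide's rule of thumb: the sum of contributor probabilities (all-OR subtree)."""
    return sum(c.unavailability() for c in contribs)


def exact_union(contribs: List[Contributor]) -> float:
    """Exact probability that at least one independent contributor is failed."""
    return 1.0 - prod(1.0 - c.unavailability() for c in contribs)


def first_order_error(contribs: List[Contributor]) -> float:
    """Relative overestimate of the sum against the exact union; small only when every term is small."""
    exact = exact_union(contribs)
    return (first_order(contribs) - exact) / exact


def redundant_segments(q_segment: float, beta: float) -> dict:
    """Probability that both of two identical segments (G-A and G-B) are plugged. Beta-factor
    split (assumed): a fraction beta of each segment's failures is a common-cause failure of both,
    the remainder fail independently. The ratio to the independent-only value is the
    correction factor the composite event names refer to."""
    independent_only = q_segment ** 2
    q_ind = (1.0 - beta) * q_segment
    with_ccf = beta * q_segment + q_ind ** 2
    return {"independent_only": independent_only,
            "with_common_cause": with_ccf,
            "correction_factor": with_ccf / independent_only}


# Constructed daughter-tree table for segment G; names echo the guide's example, numbers are made up
SEGMENT_G = [
    Contributor("Pump MDP-1A fails to start (pump, motor, lube, breaker)", q_demand=3e-3),
    Contributor("Manual valve M32/M33 left closed after maintenance",
                lam_per_hr=1e-5, detect_interval_hr=720.0),
    Contributor("Flow control valve fails closed", q_demand=1e-3,
                lam_per_hr=2e-6, detect_interval_hr=720.0),
]

if __name__ == "__main__":
    for c in SEGMENT_G:
        print(f"{c.name:60s} {c.unavailability():.2e}")
    print(f"composite: first order {first_order(SEGMENT_G):.3e}, exact {exact_union(SEGMENT_G):.3e}")
    print(redundant_segments(first_order(SEGMENT_G), beta=0.1))
```

For the constructed table the sum overstates the exact value by well under one percent, which is why the guide accepts the sum as the first order figure; the error function makes the limit visible, since contributors with probabilities near one push the sum past unity while the exact union cannot exceed it.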

A rule of thumb to assure that there are no errors in the logic of the parent fault tree reads as follows:


6. Quantification columns. These should be adapted on a case-by-case basis to the one (or several) evaluations of the fault tree required in the screening of accident sequence likelihood.

Also suggest in notes attached to the table the refinements of the probabilistic quantification that may be needed if the composite event proves to be important, or in subsequent searches for common cause failures. Where a similar analysis applies to two or more identical trains, show only one with the component designations for the other examples in parentheses.

An example is shown on the following page.

3.20 System Failure Criteria and Modeling for Support Systems

For each support system, collect a list of fault event citations attributed to the particular support system appearing in the parent fault trees of all of the front line systems. Add to the list the fault event citations appearing in the fault trees of the initiating events. Check the list for completeness against the table of Task 4a and the FMEAs of Task 15. Fill in a table (one for each support system) listing the fault citations, the affected system, and the time-dependence of the faults, i.e., the critical outage times of interest, whether or not the fault produces a concurrent fault in the front line system, etc. Record all the information needed to select one or more failure criteria and probabilistic quantifications of the fault trees for the support systems.

[Daughter tree table example: Contributors to the Composite Fault Event AIIF-A(-B), "Faults Functionally Equivalent to a Plug in AFS Segment G-A (G-B)". Columns: Contributor, Type Code, Detection Interval, Diagnostics, Comments, Quantification (Q/d, lambda/hr, Repair; probability of failure to start within 1 min, 20 min, 30 min; failure to start within 1 min, 20 min, 30 min and run for 12 hrs). Rows, as far as legible: 1. Pump failure MDP-1A(-1B), includes pump, motor, lube and breaker faults; flow gauge at pump test in CR. 2. Manual valve M32 or M33 left closed after maintenance (check list); flow gauge in CR, once per shift. 3. Flow control valve closed for test; status lamps in CR. 4. Manual valve left closed during control valve maintenance (check list); flow gauge in CR, once per shift. Composite event totals. Notes: misalignment of manual valves during the accident may not be negligible if repairs are attempted on this, similar, or adjacent equipment during the event; closure of control valves or shutdown of the MDP for a critical duration during the event is assigned a discrete screening probability, and if the event proves to be important this operator error probability should be conditioned upon the level of confusion in the CR, operability of instruments, etc., and checked for correlation with similar operator errors on other trains. Numerical entries not legible.]

The support systems commonly supply numerous diverse loads. It is usually practical to draw a few subtrees for the branches of peripheral distribution systems that attribute support system failures either to the particular branch of the distribution system or to the core of the system. These "connector" tree segments should also be drawn in parent tree style. That is, use a single fault event for each group of component failures occurring in components effectively in series and which share a common effect on the function of that system segment.

In some cases, the subtree describing faults in a particular branch of a support system may appear in only one form in one front-line system fault tree. If so, it may be more convenient to treat this subtree as part of the fault tree for the front line system. That is, append the subtree to the fault tree of the front line system. In many cases this can be accomplished by adding on to one of the daughter tree tables for the front line system. Doing this is an optional matter of convenience.

The advantage in so doing is that it shortens the fault trees and simplifies the analysis of system reliability and of sequence likelihood. The disadvantage in so doing is the loss of the one-to-one correspondence between fault trees and systems. This may prove awkward in post-IREP applications of the fault trees. An example might be the local failure of a motor control center bus that serves only motor-operated valves in a single front line system. Another example is a branch of the service water system serving one or a few room coolers serving only one system of interest.

As part of this task, tentatively define the one or several support system failure criteria and translate these into a skeletal fault tree structure. Unfortunately, it is not so easy to separate the "top logic" of support systems from the basic tree development as it is with front line systems because of the diverse loads and interdependencies among these systems. However, a systematic development of fault trees that traces fault origins in the reverse-causal direction is almost always feasible.

Iterative analysis is particularly important with Tasks 20, 21, 23, and 24. Only as the interdependence of support systems upon one another unfolds in the first pass through these tasks can one verify the completeness or adequacy of the fault trees for the support systems. These interdependencies can be anticipated with the aid of the FMEAs of Task 16 for the first attempt, so that subsequent alterations can be minimized, but these tasks will require careful review after the first attempt is carried through.

3.21

The initial efforts at drawing fault trees may develop additional information on the interdependencies of support systems on one another. If there are new additions to the support systems list, extend the work of prior tasks to include these systems.


3.22 Reportage

3.23 Support System Parent Trees

Develop parent trees for the support systems in the style suggested under Tasks 18 and 20. Make liberal use of transfer symbols at intermediate points of the parent fault tree of the core of each support system to avoid unnecessary replication of subtrees for different applications. The parent fault tree style lends itself to the task of modeling support systems with many different uses. In most cases, the variety of conditionalities and critical failure criteria can be accommodated by altering only the quantification or the structure of the daughter trees delineating the composite local fault events.

3.24

Tabulate the local faults (daughter trees) in the parent trees of the support systems as described under Tasks 19 and 20. Provide initial quantifications in the table for use in determining sufficient fault resolution in the trees and for use in the screening assessment of sequence likelihood. Once the daughter tree tables are complete, reexamine the work of Tasks 16, 20, 21, 23 and 24 for consistency. Revise as necessary.

3.25 Dependency Diagrams

Document the dependency of the front line systems on support systems in a simplified form using dependency diagrams similar to the example shown below. Draw one diagram for each support system. Show all of the front line systems on each diagram.

Fault tree or logic circuit notation is suggested for distinguishing the logical structure. Use a consistent notation convention throughout. Employ solid ifnes to trace concurrent faults

  • (i.e., for cases in which an outage in the support system produces a concurrent outage in the front line system).

Employ dotted lines to show conditional, delayed effect, or intermittent, non-concurrent dependencies. For example, if an auxiliary feedwater system depends upon service water as an alternate water supply if the condensate storage tank is depleted or depends upon room coolers for pump motor cooling only during longer-than-normal duty cycles, display the dependency with a dotted line. Employ a dot-dash notation for dependencies that are being eliminated through design changes not yet implemented. Use annotations to describe the circumstances in which the dotted line dependencies are realized. Use double lines to denote dependencies that can disable a train of a front line system even after the support system fault is repaired. For example, if an ECCS pump may seize if run without bearing lube oil cooling via the service water system, use a double dashed line to display this dependency on service water.

Resolve dependencies among the individual trains where feasible, but where cross ties make train identity ambiguous it is not necessary to segregate the trains; see, e.g., the treatment of the Nuclear Service Closed Cycle Cooling System (NSCCCS) in the attached example.

The dependency diagrams are not intended to model the dependencies in the detail present in the event-tree / fault-tree work or in the interaction FMEAs. They are useful, however, to give a simplified picture of the system interdependencies that may become important contributors to accidents. They are an aid to the qualitative identification of important causal mechanisms for serious accidents. They are an excellent communication aid with which to describe methods and results. We expect that they will also prove to be useful in operator training and as an operator aid for rapid diagnosis of multiple faults.

Include in the dependency diagrams not only the direct dependence of front line systems upon support systems but also the implicit dependencies that act on front line systems by way of dependencies between the several support systems. For example, a particular train of a front line system may not directly require DC power to start or run but it may depend upon a support system that does require DC power.

It may not prove feasible to include operators among the support systems for the purposes of direct or implicit dependency diagram documentation. However, the attempt to do so will be a useful aid in organizing task 31.

[Figure: example dependency diagram, Crystal River-3, with the 4160 VAC-A and 4160 VAC-B buses at the base. Gate legend: AND gate: all inputs must fail to fail output; OR gate: any input failing will fail output (See Note 1). Front line systems across the top: Reactor Building Sprays (RBS-A, RBS-B), Reactor Building Cooling System (RBCS), Low Pressure ECCS (LP-A, LP-B), High Pressure ECCS (HP-A, HP-B), Emergency Feedwater System (ELEC, TURB); BATT B (See Note 2). Intermediate support systems: DHCCCS-A, DHCCCS-B, NSCCCS. Support system: 4160 VAC-A, 4160 VAC-B.]

NOTES

1. Logic depends on LOCA size.
2. The dashed lines indicate existing dependencies in Crystal River-3 which Florida Power Corporation has committed to remove.

The first attempt at drawing dependency diagrams may be done before or after the FMEA and fault tree tasks. However, the dependency diagrams ought not to be trusted as a basis for the FMEA or fault trees because they do not fully portray the details of the dependencies, and the dependency diagrams need to be reviewed for completeness after the fault trees are prepared.
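The implicit dependencies called for above can be found mechanically by propagating the loss of one support system through the gate logic of the diagram. The following is an added Python example, not part of the IREP guide: it borrows the node names from the Crystal River-3 diagram, but the gate types and the edges are constructed for illustration and are not the plant's actual dependencies.

```python
"""Dependency propagation through support systems (added example, not from the guide).

Node names follow the Crystal River-3 example diagram; the gate logic and edges
below are CONSTRUCTED for illustration, not the plant's actual dependencies.
"""

FRONT_LINE = ["RBS-A", "RBS-B", "RBCS", "LP-A", "LP-B", "HP-A", "HP-B", "ELEC", "TURB"]

# Each node maps to (gate, inputs). OR: losing any input fails the node (a solid,
# concurrent dependency). AND: every input must be lost, e.g. a cross-tied
# system that can run from either bus.
LOGIC = {
    "NSCCCS":   ("AND", ["4160 VAC-A", "4160 VAC-B"]),        # constructed: pumps on both buses
    "DHCCCS-A": ("OR",  ["4160 VAC-A", "NSCCCS"]),
    "DHCCCS-B": ("OR",  ["4160 VAC-B", "NSCCCS", "BATT B"]),  # constructed: DC control power
    "LP-A":     ("OR",  ["4160 VAC-A", "DHCCCS-A"]),
    "LP-B":     ("OR",  ["4160 VAC-B", "DHCCCS-B"]),
    "HP-A":     ("OR",  ["4160 VAC-A", "DHCCCS-A"]),
    "HP-B":     ("OR",  ["4160 VAC-B", "DHCCCS-B"]),
    "RBS-A":    ("OR",  ["4160 VAC-A"]),
    "RBS-B":    ("OR",  ["4160 VAC-B"]),
    "RBCS":     ("AND", ["4160 VAC-A", "4160 VAC-B"]),        # constructed: fans on both buses
    "ELEC":     ("OR",  ["4160 VAC-A"]),                      # motor-driven EFW pump
    "TURB":     ("OR",  ["BATT B"]),                          # turbine-driven EFW pump controls
}


def failed_nodes(initial_failures):
    """Propagate an initial set of failed support systems through LOGIC until
    no further node fails. Returns every failed node, supports included."""
    failed = set(initial_failures)
    changed = True
    while changed:
        changed = False
        for node, (gate, inputs) in LOGIC.items():
            if node in failed:
                continue
            lost = [i in failed for i in inputs]
            if (gate == "OR" and any(lost)) or (gate == "AND" and all(lost)):
                failed.add(node)
                changed = True
    return failed


def dependency_table(support):
    """Front line trains disabled by the loss of one support system, split into
    direct dependencies (the support is an input of the train) and implicit ones
    (reached only through another support system), as the guide asks for."""
    failed = failed_nodes({support})
    affected = {t for t in FRONT_LINE if t in failed}
    direct = {t for t in affected if support in LOGIC[t][1]}
    return direct, affected - direct


def whole_system_losses(supports, pairs):
    """Front line systems whose every train is lost from the given support
    failures; pairs maps system name -> list of its trains."""
    failed = failed_nodes(set(supports))
    return {sys for sys, trains in pairs.items() if all(t in failed for t in trains)}


if __name__ == "__main__":
    for s in ["4160 VAC-A", "BATT B"]:
        direct, implicit = dependency_table(s)
        print(f"{s}: direct={sorted(direct)} implicit={sorted(implicit)}")
```

With the constructed edges, the loss of BATT B disables TURB directly and LP-B and HP-B only implicitly, through DHCCCS-B; that is exactly the DC-power case the guide describes, and the diagram for BATT B should show all three.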

3.26 Dependency Diagrams for Initiating Events Prepare dependency diagrams similar to those drawn in task 25 with initiating events in place of the front line systems.

Indicate each class of transient or non-passive failure LOCA (grouped by distinct mitigation requirements).

3.27 Table of Accident Scenarios Based on Dependency Diagrams (27) and 3.28 Reexamination of Fault Definitions and Assumptions (28)

It is useful to pull together the clues to some of the accident scenarios, based on the event trees and dependency diagrams, before a substantial investment in time is made in computer analysis of the event tree / fault tree models. Doing so helps to avoid the tendency to lose sight of the forest for the trees. One can employ these preliminary, qualitative results to search for phenomenological effects or common-cause failure mechanisms that may not be recorded in the fault trees or event trees, and whose discovery later in the analysis would require massive revisions of prior work.


Thinking through entire core melt accident scenarios can reveal problems that tend to be missed in classical ET/FT analysis. For example, late in the analysis of Surry for WASH-1400 it was discovered that blowdown from a small break LOCA in the reactor cavity might accumulate there for some time before water spilled over into the emergency sump. The Surry design entailed the autostart of the containment spray recirculation system--which in Surry is independent of the spray injection system--at a fixed time delay after a safety features actuation signal. Thus, the spray recirculation pumps might self-destruct by pumping on a dry sump for some small break LOCA scenarios.

Another such problem is the effectiveness of containment atmosphere fan coolers after a molten core attacks the basemat.

The rapid generation of inert particulates from the core-concrete action may plug filters and deposit an insulating blanket on heat transfer surfaces. Such effects should be considered during the event tree construction phase. However, the search for such problems can be better-focused after the fault trees and dependency diagrams have been constructed and some of the causal mechanisms for core melt accidents have been identified. Also, employ the preliminary list of support-system fault accident scenarios to search for instances in which operator or maintenance errors on different systems may be correlated or share a common cause.

Such searches for not-yet-modeled common cause failure mechanisms must be repeated after the screening analysis of the ET/FT models, but the earlier these effects are discovered the less re-work of prior tasks will be required.

The exercise of identifying core melt accident scenarios from dependency diagrams will also be useful in communicating the results to those unfamiliar with event tree / fault tree techniques.

The effort to tabulate accident scenarios from the event trees and dependency diagrams is intended as a working technique and not a finished product. Its scope need not be standardized. The IREP teams should follow their own judgment on when to do it and how to scope it. However, a suggested scope is to consider:

a. Single failures in support systems,
b. Total failure of each individual support system,
c. Total failure of each individual support system plus a single failure elsewhere.

Employ the results to verify that the assumptions underlying the event trees, the fault tree logical structure and the quantification of the composite basic events (the daughter trees) are consistent with the emerging picture of important accident scenarios (Task 28). It is also very important to verify that a consistent fault event designation system be used in all of the fault trees. One and the same failure appearing in two or more points in one or more fault trees must have an identical designation to assure that the cut set minimization process treats these as the same event.

3.29 Screening Evaluation of Accident Sequences Construct fault trees for the core melt accident sequences identified in the event trees. This can be done by combining under an "AND" gate the initiating event (or its fault tree from task 9) together with the parent fault trees for the front line systems whose failure is postulated in the event sequence. The fault trees of the support systems must be added as necessary to complete the fault trees of the front line systems where these fault trees have transfer symbols for faults originating in support systems. There should be one sequence fault tree for each branch of each event tree resulting in core melt.

Obtain minimal cut set lists, cut set probabilities, and rank the cut set list in order of descending indicated probability.

The cut sets for each distinct accident sequence will not be mutually exclusive. There will be many instances in which a group of failures sufficient to cause a severe accident sequence will also be sufficient to cause less severe sequences, i.e., the same cut set may appear in more than one accident sequence. These cut sets should be attributed only to the most severe accident sequence.

There are two or more ways to weed out cut sets that are sufficient to cause more severe sequences. One is to incorporate "NOT" gates in the fault trees of the accident sequence to model explicitly the non-failure of systems that are defined as being operable in a particular sequence. Another way is to find the minimal cut sets (without "NOT-failed" system fault trees) for each sequence and delete cut sets for sequences which recur in cut set lists for more severe or more rapidly evolving accidents. This may be done with a list-matching routine on a computer. Use whichever method appears to be most convenient.
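The list-matching routine mentioned for the second method, as an added Python example that is not part of the IREP guide. The sequence names and cut sets are constructed. It goes one step beyond the text: besides deleting a cut set that recurs verbatim in a more severe sequence, it also deletes one that contains such a cut set, since those failures already suffice for the more severe accident.

```python
"""Charging each sequence cut set to the most severe sequence (added example,
not from the guide). Sequence names and cut sets are constructed."""


def minimize(cut_sets):
    """Return the minimal cut sets: drop any set that contains another set."""
    candidates = sorted({frozenset(c) for c in cut_sets}, key=len)
    minimal = []
    for c in candidates:
        if not any(m < c for m in minimal):   # a strict subset is already present
            minimal.append(c)
    return minimal


def attribute_to_most_severe(sequences):
    """sequences: list of (name, cut_sets) ordered from most to least severe
    (or most to least rapidly evolving). A cut set that recurs in, or contains,
    a cut set already charged to a more severe sequence is deleted, because
    those failures already suffice for the more severe accident."""
    charged = []
    result = {}
    for name, cut_sets in sequences:
        kept = [c for c in minimize(cut_sets) if not any(m <= c for m in charged)]
        result[name] = kept
        charged.extend(kept)
    return result


# Constructed small-LOCA event tree branches: H = high pressure injection fails,
# C = containment sprays fail. "S-HC" is the most severe branch.
SEQUENCES = [
    ("S-HC", [{"DC-A", "DC-B"}, {"DC-B", "SUMP-A-PLUG"}, {"OP-SHUTS-HPI", "OP-SHUTS-SPRAY"}]),
    ("S-H",  [{"DC-A", "DC-B"}, {"HPI-A-PUMP", "HPI-B-PUMP"}, {"DC-B", "HPI-A-PUMP"},
              {"DC-A", "DC-B", "HPI-A-PUMP"}]),
    ("S-C",  [{"DC-B", "SUMP-A-PLUG"}, {"SPRAY-A-PUMP", "SPRAY-B-PUMP"}]),
]

if __name__ == "__main__":
    for name, kept in attribute_to_most_severe(SEQUENCES).items():
        print(name, [sorted(c) for c in kept])
```

In the constructed data the cut set {DC-A, DC-B} is charged to S-HC alone and disappears from S-H, and the three-event set in S-H is dropped by minimization because it contains {DC-A, DC-B}.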

The value of parent fault trees will become apparent in this exercise. It should obviate the need to shorten system fault trees by the use of "reduced" trees. The parent trees should be compact enough to permit the entire parent trees to be employed without truncation. If the trees are too large to handle even in parent tree form, employ fault tree modularization techniques to replace the trees with more compact but formally equivalent, complete trees. This process replaces the composite events with even larger assemblages of events--treated as a unit--under rules that assure that no logical or probabilistic error is introduced by the coalescence of fault events.

Computer codes are available to do this automatically, if necessary. A disadvantage in doing this if it is not necessary is that the composite fault events no longer bear a one-to-one correspondence with failure modes of system segments. Thus, it is more difficult to bring engineering judgments to bear on the results; system insights are harder to come by if fault tree modularization is carried beyond the level suggested for parent fault trees.

Once the event sequence cut sets have been edited to remove failure modes sufficient to cause more severe accidents, have been quantified according to the screening event probability estimates, and ordered by this primitive likelihood assessment, it is important to make some consistency checks to verify the accuracy and completeness of the tables:

a. Verify that all sequences identified in task 27 are present;
b. Verify that the symmetry in the plant hardware and functions (e.g., pairs of identical trains) are matched by corresponding symmetry in the event cut sets;
c. Re-check to verify that fault event designations are
d. Other verifications are suggested in tasks 30, 33, etc.

Criteria must be established to select which sequence cut sets are to be studied in detail in subsequent tasks. The criteria should reduce the number of cut sets to a manageable level for case-by-case examination. At the same time the criterion should be selected to make it very unlikely that an important accident scenario will be dismissed from further consideration.

These are sequences that appear to be improbable in the screening assessment but contain not-yet-modeled common cause failure mechanisms that couple the occurrence of several failures, thus making them substantially more likely than the screening assessment suggests. In any case, the full cut set lists should be retrievable for future reference.

The simplest and most primitive criterion is one based upon the frequency for the sequence obtained in the screening quantification.

Such a simplistic criterion ought not to be set above 10^-10/yr because for higher cutoff frequencies the likelihood of serious omissions becomes significant. We believe that the most serious non-conservative misrepresentations of sequence likelihood in the screening analysis originate in coupled operator errors during the accident. For example, an accident sequence in a PWR might entail a feedwater trip followed by a failure of auxiliary feedwater, high pressure safety injection, containment sprays and containment fan coolers. A contributor to this event is operators erroneously shutting off all four safety systems. The screening analysis will treat this as four independent, individually unlikely operator errors. In fact, it may be a single operator error. Thus, the screening analysis may throw out this potentially important failure mode. Note that the coupling of operator errors in erroneously shutting down all trains of one safety system should already have been modeled in the system fault trees. However, the initial quantification of the composite basic events cannot be expected to model coupling of failures in different front line systems that does not originate in a common support system failure.

An improvement over the primitive screening criterion, and one that permits the number of sequence cut sets to be further reduced, could be based on a screening with all operator errors during the accident artificially set at a probability of one and a screening threshold of 10^-9/yr.

If still further truncation is needed to reduce the number of sequence cut sets for case-by-case examination, employ a less stringent cutoff frequency for those accident sequences expected to produce mild outcomes. For example, one might use a screening with operator errors assigned a probability of one and the following table of screening thresholds:

Sequence Release Category*     Cutoff Frequency (/yr)
1-3                            10^-9
4, 5                           10^-8
6, 7                           10^-7

* PWR release categories from WASH-1400

This proportions the thoroughness of the subsequent studies to the severity of the sequence outcome.

Document the screening technique used to select which sequences are to be given detailed review in subsequent tasks.

It is also important to check the convergence of the quantitative results. In every light-water reactor risk assessment performed so far, a handful of accident scenarios were clearly the dominant contributors to the risk; the grand total risk from the myriad low-probability accident scenarios was found to be very small compared with the risk posed by those few dominant sequences. We believe this to be a general characteristic of LWRs, but it has not been proven to be so. Therefore, it is important to verify that the total of the estimated frequency of all the sequence cut sets discarded in the screening process is very small compared with the totaled frequency of accident scenarios that are to be carried forward in the analysis.
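The screening just described, including the release-category cutoffs, the option of setting operator errors to a probability of one, and the convergence check, as an added Python example that is not part of the IREP guide. The cutoff table follows the guide; the initiator frequencies, event probabilities, release categories and sequences are constructed.

```python
"""Screening of sequence cut sets by release category (added example, not from
the guide). Cutoffs follow the guide's table; initiator frequencies, event
probabilities and the sequences themselves are constructed."""
import math

# Cutoff frequency per year by WASH-1400 PWR release category (1 = most severe).
CUTOFF = {1: 1e-9, 2: 1e-9, 3: 1e-9, 4: 1e-8, 5: 1e-8, 6: 1e-7, 7: 1e-7}

# Constructed screening probabilities. Names beginning "OP-" are operator errors
# during the accident, which the guide suggests setting to one for screening.
PROBS = {
    "DC-A": 1e-3, "DC-B": 2e-3, "SUMP-A-PLUG": 2e-4,
    "HPI-A-PUMP": 1e-2, "HPI-B-PUMP": 1e-2,
    "OP-MISDIAG": 5e-4, "OP-SHUTS-AFW": 1e-3, "OP-SHUTS-HPI": 1e-3,
    "OP-SHUTS-SPRAY": 1e-3, "OP-SHUTS-FANS": 1e-3,
}

# Constructed sequences: (name, initiator frequency /yr, release category, cut sets).
SEQUENCES = [
    ("S-HC", 1e-2, 2, [{"DC-A", "DC-B"}, {"DC-B", "SUMP-A-PLUG"}]),
    ("S-H",  1e-2, 6, [{"HPI-A-PUMP", "HPI-B-PUMP"}, {"DC-B", "HPI-A-PUMP"},
                       {"OP-MISDIAG", "HPI-A-PUMP"}]),
    ("T-ALL", 3.0, 1, [{"DC-A", "DC-B"},
                       {"OP-SHUTS-AFW", "OP-SHUTS-HPI", "OP-SHUTS-SPRAY", "OP-SHUTS-FANS"}]),
]


def cut_set_frequency(initiator_freq, events, probs, operator_errors_to_one=False):
    """Frequency = initiator frequency times the product of the fault probabilities."""
    f = initiator_freq
    for e in events:
        p = 1.0 if (operator_errors_to_one and e.startswith("OP-")) else probs[e]
        f *= p
    return f


def screen(sequences, probs, operator_errors_to_one=True):
    """Split cut sets into retained and discarded lists of (name, cut set, freq)
    using the category-dependent cutoff."""
    retained, discarded = [], []
    for name, init_freq, category, cut_sets in sequences:
        for cs in cut_sets:
            f = cut_set_frequency(init_freq, cs, probs, operator_errors_to_one)
            (retained if f >= CUTOFF[category] else discarded).append((name, frozenset(cs), f))
    return retained, discarded


def convergence_ratio(retained, discarded):
    """Total discarded frequency over total retained; the guide wants this
    to be very small before the screened-out sequences are dropped."""
    kept = sum(f for _, _, f in retained)
    return sum(f for _, _, f in discarded) / kept if kept else math.inf


if __name__ == "__main__":
    for flag in (False, True):
        r, d = screen(SEQUENCES, PROBS, operator_errors_to_one=flag)
        print(f"operator errors set to one: {flag}; retained {len(r)}, discarded {len(d)}, "
              f"ratio {convergence_ratio(r, d):.2e}")
```

With independent operator errors the four-error cut set in T-ALL screens out at about 3e-12/yr, the case the guide warns about; with the errors set to one it is retained, at the cost of a frequency equal to the initiator's, which is why the retained list is then reviewed case by case rather than reported as is.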

3.30 Verification of Sequence Cut Sets Verify the sequence cut sets by comparison with the dependency diagrams, interaction FMEA, etc. Think through each cut set to verify that it will, in fact, cause all the system failures postulated for that event sequence. Verify the completeness of the cut sets by comparing the accident scenarios predicted in task 27 with the cut sets. Each scenario predicted in task 27 should appear in the cut set lists for one of the event tree branches. Some may be missing from the cut set lists because they were screened out in task 29. Check to be sure that these genuinely have negligible probability.

3.31 Common Cause Failure Search Some kinds of common-cause failures or statistically correlated but distinct failures are already modeled in the screening quantification of the event sequence cut sets. Other kinds of common cause failures have not yet been considered. These must be dealt with in this task.

The kinds of common-cause or correlated faults that have been covered already include:

1. Common-cause or correlated failures occurring in different trains of the same system. These should have been modeled explicitly in the screening quantification of the system fault trees.

2. Faults in more than one front line system originating in one or more failures within a common support system. The incorporation of subtrees developing support system failures into the event sequence fault trees should cover such failure modes.

3. Faults in support systems which contribute to the initiating event as well as degrading the reliability of the mitigating systems. The inclusion of fault trees for the initiating events which trace faults to the support systems should suffice to cover this class of common-cause failure modes.

Although these three classes of common-caused failures should be incorporated in the screening analysis, it is wise to take this opportunity to verify that they are correctly treated during the case-by-case review.

The classes of common-cause failure that are not already treated correctly are:

1. Statistically Correlated Faults Occurring in Different Systems That Do Not Originate In a Hard-Wired Dependency. The most important examples of this are likely to be operator or maintenance errors. For example, the operators might misdiagnose an accident and shut down high pressure safety injection and also shut down containment sprays when both are actually needed, or a procedure for surveillance testing or maintenance could be erroneously applied affecting several systems.

2. Conditional Probabilities

The context underlying the likelihood estimates for the composite fault events in the screening quantification was conditioned upon the top event definitions for the individual front line systems. Some care has been taken in prior steps to assure that these top event definitions correctly reflect the event tree sequences but even if this has been done without error, it cannot have been highly discriminating. In specific accident scenarios the fault event likelihood may be different.

Each event sequence cut set will have a probability given by a frequency for the initiating event multiplied by the probability of the failures, which, taken together, will give rise to the particular accident of interest.

$\lambda_{\text{sequence}} = \lambda_{\text{initiator}} \, P_1 P_2 P_3 P_4 \cdots$

where $\lambda$ denotes a frequency and the $P_i$'s denote the concurrent faults.

In the screening quantification, these probabilities have been selected to reflect the broad outlines of the accident sequences, i.e., to the event tree and to the system success vs. failure criteria. However, these checks cannot tailor the probability estimates to the specifics of a particular accident scenario.

This must be done now for the accident scenarios that may be dominant.

The revised frequency estimate for the potentially dominant event sequences should reflect the details and conditional probabilities for the concurrent faults that give rise to the accident sequence cut set.

It is also necessary to strip away any unnecessary conservatisms that may have been employed to simplify the screening of the hundred thousand or so accident scenarios emerging from the event tree / fault tree analysis.

An example may help to visualize this task. The event tree may define this sequence as a very small LOCA followed by a failure of high pressure ECC recirculation, and of containment spray recirculation. One of the many event sequence cut sets might attribute the sequence to the following faults: A loss of essential DC power in division B is responsible for a transient induced LOCA and defeats train B of many engineered safety features including HPI and HPR, containment sprays, etc. Train A of HPI and containment spray injection work properly, but cannot be switched into the recirculation mode due to a fault (plug) in the sump-to-pump suction pipe segment. Therefore, HPR and containment sprays fail in recirculation.

The likelihood estimates in the screening analysis will not have reflected the details of this scenario and may require changes. The likelihood that the DC bus fault may be repaired during the injection phase may not have been conditioned on the correct range of times before the point of no return. The distractions in the control room because of the DC bus fault and the consequent instrumentation faults will increase the likelihood of operator error in making up the correct valve alignment for recirculation at the appropriate time. Lights may be out in the auxiliary building handicapping manual fixes of misaligned valves, and so forth.

General guidelines for the conduct of this task are:

1. Proportion the effort to review the accident sequences to the likelihood and severity of the sequences.

2. Consider all the permutations and combinations of component failures or operator errors or chronological sequences of occurrence that are consistent with the sequence cut set definition. Some of the composite fault events may contain active failures, passive failures, operator or maintenance errors that occur before, during or after the initiating event.
3. Entertain the hypothesis that there may be factors that make the occurrence of any two or more of the distinct failures in the sequence cut set more likely to occur concurrently than the random failure hypothesis would suggest. Search for causal mechanisms for such correlated failures and adjust the frequency estimate accordingly.

4. Eliminate unnecessary conservatism in the frequency estimates and associated assumptions for the dominant risk sequences.
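The requantification of the DC-bus scenario above under these guidelines, carried through to the re-ranking of task 32, as an added Python example that is not part of the IREP guide. The fault names, the initiator frequency and every screening and conditional probability are constructed to mirror the guide's scenario, not taken from any plant study.

```python
"""Requantifying potentially dominant sequence cut sets with conditional
probabilities, then re-ranking (added example, not from the guide). The
scenario mirrors the guide's DC-bus example; all values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fault:
    name: str
    screening_p: float       # generic value used in the task 29 screening
    conditional_p: float     # value conditioned on this scenario's context


# Constructed: very small LOCA induced by loss of DC division B, which also
# defeats train B of HPI, HPR and containment sprays. Frequency per year.
INITIATOR = ("LOSS-DC-B-INDUCED-LOCA", 5e-3)

NOT_REPAIRED = Fault("DC-B-NOT-REPAIRED-IN-TIME", 0.5, 0.9)   # short window before point of no return
SUMP_PLUG    = Fault("SUMP-A-SUCTION-PLUG", 2e-4, 5e-5)        # generic bound replaced by plant-specific estimate
OP_REALIGN   = Fault("OP-REALIGN-ERROR", 1e-2, 5e-2)           # distraction from DC fault and lost instruments
NO_RECOVERY  = Fault("NO-LOCAL-RECOVERY", 0.3, 0.8)            # auxiliary building lights out
HPI_A_RUN    = Fault("HPI-A-PUMP-FAILS-TO-RUN", 1e-2, 1e-2)    # unchanged by the scenario

CUT_SETS = {
    "cs1": (NOT_REPAIRED, SUMP_PLUG),
    "cs2": (NOT_REPAIRED, OP_REALIGN, NO_RECOVERY),
    "cs3": (NOT_REPAIRED, HPI_A_RUN),
}


def sequence_frequency(initiator_freq, faults, conditional=False):
    """lambda_sequence = lambda_initiator * P1 * P2 * ... using either the
    screening or the conditional probability of each fault."""
    f = initiator_freq
    for ft in faults:
        f *= ft.conditional_p if conditional else ft.screening_p
    return f


def requantify(cut_sets, initiator_freq):
    """Return {name: (screening_freq, revised_freq)} for each cut set."""
    return {name: (sequence_frequency(initiator_freq, faults),
                   sequence_frequency(initiator_freq, faults, conditional=True))
            for name, faults in cut_sets.items()}


def rank(freqs, revised=True):
    """Cut set names in descending order of frequency (task 32 re-ranking)."""
    idx = 1 if revised else 0
    return sorted(freqs, key=lambda n: freqs[n][idx], reverse=True)


if __name__ == "__main__":
    q = requantify(CUT_SETS, INITIATOR[1])
    for n in rank(q):
        print(n, f"screening {q[n][0]:.2e}/yr  revised {q[n][1]:.2e}/yr")
```

The point of the exercise shows in the ranking: the operator-error cut set cs2 is third in the screening and first after conditioning, while cs1 drops once the conservative generic plugging value is replaced.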


procedure to reduce the number of accident scenarios that require this detailed, case-by-case review to a number small enough that a computerized search for common cause failures is not essential.

3.32 Ranking of Requantified Accident Scenarios Re-rank the accident sequence cut sets (detailed accident scenarios) in order of descending frequency for each event tree branch. Prepare a description of the dominant accident sequences treating the details of the chronology and causality of the most prominent sequences. We anticipate that a mere dozen or so sequences will be found to be responsible for more than 90% of the total likelihood of severe-release accidents.

3.33 Revision of Event Trees, Fault Trees, and Screening Quantification It is quite likely that thorough review of the potentially dominant accident sequence cut sets, performed in task 31, will expose omissions or errors in the event trees, fault trees, or the screening quantification. These should be corrected, not merely for future use but also to recheck the screening of the less likely sequences. It is not rare to discover new insights when the alterations are carried forward through the several tasks back to task 31. Thus, two or more cycles of revision may be needed, although the extent of the rework should converge rapidly.

3.34 Failure Mode Logic Diagrams A useful technique to document the causal mechanisms underlying the dominant accident sequences is the construction of logic diagrams depicting fault propagation through the network of systems. An example from the Crystal River IREP study is attached. These should be prepared for each of the dominant causal mechanisms to illustrate the verbal description called for in task 32.

3.35 Reportage

3.36 Single Point Failures Sufficient to Cause Core Damage The objective of this task is to focus attention upon those singular, root-cause failures which might realistically give rise to core damage or meltdown without the coincidental occurrence of any other improbable faults. The concept of these singular causes of core damage differs in several respects from the "single failure" criterion employed in licensing.

The "single failure" criterion stipulates that no active engineered safety feature may be designed in such a way that the failure of an active component can defeat the safety function. It does not embrace passive failures, human errors, failures in non-safety-grade equipment, nor does it consider the common-causation of the initiating event. The concept employed here is restricted to those singular failures that can precipitate (or be) the initiating event and defeat all the functions--whether safety grade or not--which would normally be expected to prevent core damage following the initiating event. The root causes are not limited to active failures but rather can embrace any kind of internal or external fault event. Examples of such singular causes of possible core damage include:

1. Gross reactor vessel rupture,
2. Gross plant damage from external events such as missiles, earthquakes, floods, or successful sabotage,
3. A severe in-plant flood or fire, e.g., a more severe version of the Browns Ferry fire.

4. A control system power supply fault that causes a loss of main feedwater, blinds the autostart system for emergency feedwater, and blinds the operators to the need to start backup cooling systems, e.g., a more severe variant of the Rancho Seco "light bulb" incident, and
5. A system interaction involving a vent header fault which could precipitate a feedwater trip and cause one or both scram discharge volumes of a BWR to be filled with water, e.g., a more severe variant of the Browns Ferry scram problem.

There is a sense in which the accident at Three Mile Island Unit 2 is a sixth example. The operators at TMI had been instructed not to permit the pressurizer to go water-solid, without warning them that a high pressurizer level is symptomatic of a pressurizer vapor space LOCA as well as being symptomatic of an over-full reactor coolant system. With those procedures and operator training in-place, any pressurizer vapor space LOCA could have given rise to a TMI-like outcome without any other failure than the operators following their instructions.

Note that some of these examples fall within the IREP scope for event-tree, fault-tree analysis and should be revealed by the prior analyses, whereas others are not. Examples 4, 5, and 6 should be identified in the principal IREP studies if the plant is susceptible to these scenarios, whereas examples 1, 2, and 3 involve failure mechanisms outside the IREP scope.

The burden of this task is to re-examine the event-tree, fault-tree results to verify that any and all vulnerabilities in the plant to core damage from the kind of single failure suggested in examples 4, 5, and 6 have been identified, to tabulate these single-failure scenarios, and to add to the table any others outside the IREP scope that the team may have identified incidentally in the process of performing the other IREP tasks. It is not expected that the IREP teams expand the scope of the ET-FT analysis to address external events, fires, floods, or sabotage.

A suggested discipline for performing this task is as follows:

First, broadly classify the distinct routes to core damage in the plant. The broad classification might look something like this:


1. LOCA plus ECCS failure leading to core damage,
2. ATWS alone or in conjunction with mitigation failure leading to core damage,
3. Feedwater failure together with backup cooling water system failures leading to core damage.

Second, postulate for each of these broadly-defined avenues to core damage that both the initiating event and the failure of the backup systems that are capable--in principle--of preventing core damage, originate from a single root-cause event. Classify and characterize the hypothetical common cause failure mechanisms that could give rise to these core damage scenarios. Third, investigate the design and procedural documentation of the plant to determine whether any of these common cause failure mechanisms could be realized at the plant.

For example, the LOCA plus ECCS failure avenue might be investigated as follows: LOCAs can be classified according to whether or not there is a concurrent triggering event. Those without a concurrent trigger could fail ECCS from a common cause only through the effects of the LOCA, i.e., the LOCA must be intrinsically vulnerable to mitigation failure, perhaps because of its location (vessel rupture, blowdown outside containment so that ECCS recirculation cannot succeed), because of its symptoms (a "signature" that fails to trigger ESFAS and/or confuses operators), or because of its effects (LOCA-induced missiles, jet impingement, if any, that fail ECCS systems). For those LOCAs that have a concurrent triggering event (earthquake or transient-induced LOCA, etc.) there are potentially common cause failures originating in the trigger event affecting ECCS to be considered as well.

This process of working from the abstract and formally complete toward the specific, by alternating analysis and synthesis, can be extended until all the hypothetical singles are classified and found either (i) to exist in the plant, (ii) not to exist in the plant, or (iii) whose existence rests upon ambiguous accident phenomenology.

Although this task is something of a digression from the main thrust of IREP studies, there are several reasons why we feel that the time and effort is warranted:

1. Susceptibilities to core damage from a singular root cause afford less opportunity for discovery through precursor events than do accident scenarios caused by multiple failures. Then, too, most of the more severe incidents that have occurred in commercial power reactors have had this single-cause characteristic. Therefore, these singles deserve particular attention in predictive safety analyses like IREP.

2. The simplicity intrinsic to accident scenarios with a single root cause permits an independent check to be made of the completeness and accuracy of the event tree, fault tree analyses for singles that can reveal errors or omissions in the main body of IREP work.

3. The expertise developed by the IREP team on the susceptibility of the plant to severe accidents may dissipate after the teams are disbanded. Therefore, particularly significant safety insights discovered by the team should be reported--to the extent practical--in the published report even for those insights outside the principal IREP scope. The most important of these out-of-scope safety insights are likely to involve single point vulnerabilities to core damage.

The reportage of the single root-cause core damage study in the main IREP study can be fulfilled by an annotated list of single fault scenarios. The notes should identify the assumptions and briefly describe the fault propagation by which the single root cause initiates the disturbance and defeats the mitigating functions. In addition, a brief description of the logical development should be reported in an appendix. The methodology suggested above for an independent search for singles is experimental. Experiences with its use should be reported to the IREP project management for use in improving the procedure guide.

3.37 Review and Documentation of Dominant Accident Sequences This is the final task before the preparation of the draft of the final report. It should include the following elements:

1. Discussion of the dominant accident sequences with the plant operators, operations management, and utility staff engineers.
2. Requantification of the more prominent sequences (dominant and contributory sequences) with plant-specific failure rate data where feasible.
3. Uncertainty analysis for dominant sequences.
4. Sensitivity analysis for dominant sequences.
5. Description of the symptom profile ("signature") of the dominant sequences.
6. Description of the options available to the operators to repair failed systems or otherwise prevent or mitigate the dominant sequences.
7. Discussion of the range of warning times for implementation of the emergency plan.
8. Drafting of systemic event trees including support systems to portray the causality of the more prominent accident sequences.
9. Discussion of the additional research necessary to resolve ambiguities in the identification and quantification of the dominant accident sequences.

It is important to present and discuss the dominant sequences with the plant operators, operations management, and the plant owner's staff engineers. Their review of the IREP results may reveal errors or unnecessary conservatisms in the principal results. It is particularly likely that they can shed light on the conduct of critical procedures or supply plant-specific failure rate data with which to refine the frequency estimates for the dominant sequences.

It may prove to be convenient to conduct these reviews at the plant site and to take this opportunity to develop--with the help of the plant operators--descriptions of the symptom profile that will emerge in the control room during the dominant accident sequences. Describe the hypothetical success paths by which operators might nip the dominant accidents in the bud, e.g., repair. Develop a brief discussion of the pros and cons of the several tactics the operators might employ to deal with the developing accident. Is it plausible or likely that the operators might misconstrue the accident and develop an erroneous hypothesis of what needs to be done? What range of warning times will be available for public protective action between the diagnosis of the severity of the situation and the occurrence of the major release of radiation? Following the collection of critical plant-specific failure rate data and discussions with owner's personnel, some further analysis will be necessary. Wherever feasible, use the plant-specific failure rate data to refine the probability estimates for the dominant sequences. Perform a sensitivity study to assess the importance of the fault events appearing in the dominant and contributory sequences to the overall risk. Also estimate the importance of several distinct classes of fault events:

1. passive failures,
2. random active failures,
3. common-cause equipment failures,
4. maintenance and operator errors occurring before the initiating event,
5. operator errors and conversely operator corrective action during the incident.
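As an added illustration (not part of the IREP guide), the following Python sketch shows one way the sensitivity study and the class-of-fault-event importance estimates called for above can be computed once the dominant sequences are expressed as minimal cut sets: sequence frequency by the rare-event approximation, Fussell-Vesely importance of single events and of each of the five classes listed, and a sensitivity ratio when one event's probability is replaced by plant-specific data. The events, probabilities, cut sets and initiator frequency are all constructed for the example and do not come from any plant study.

```python
"""Added example, not from the IREP guide: sensitivity (importance) analysis
of fault events and fault-event classes across dominant accident sequences.
Every event, probability and cut set below is constructed for illustration."""
from math import prod
from typing import Callable, Dict, List, Tuple

CutSet = Tuple[str, ...]

# Hypothetical basic events: name -> (probability per demand, fault-event class).
# The five classes are the ones named in the guide; the events are invented.
EVENTS: Dict[str, Tuple[float, str]] = {
    "V1": (1.0e-3, "passive"),                              # e.g. valve body rupture
    "P1": (3.0e-3, "random active"),                        # pump train 1 fails to start
    "P2": (3.0e-3, "random active"),                        # pump train 2 fails to start
    "CC": (3.0e-4, "common-cause equipment"),               # both trains lost to one cause
    "M1": (5.0e-3, "pre-initiator maintenance/operator"),   # valve left closed after maintenance
    "OP": (1.0e-2, "operator during incident"),             # wrong action after the initiator
}
INITIATOR_FREQUENCY = 0.1   # constructed initiating-event frequency, per year

# Dominant sequences as minimal cut sets: each tuple is an AND of events,
# the list is an OR of cut sets.  Constructed for the example.
SEQUENCES: Dict[str, List[CutSet]] = {
    "sequence 4":  [("P1", "P2"), ("CC",), ("M1",)],
    "sequence 11": [("V1",), ("P1", "OP"), ("P2", "OP")],
}

def cut_set_value(cut_set: CutSet, events=EVENTS) -> float:
    """Probability of one cut set: product of its (assumed independent) events."""
    return prod(events[e][0] for e in cut_set)

def sequence_frequency(cut_sets: List[CutSet], events=EVENTS) -> float:
    """Rare-event approximation: initiator frequency times the sum of cut sets."""
    return INITIATOR_FREQUENCY * sum(cut_set_value(cs, events) for cs in cut_sets)

def total_frequency(sequences=SEQUENCES, events=EVENTS) -> float:
    return sum(sequence_frequency(cs, events) for cs in sequences.values())

def fussell_vesely(selects: Callable[[CutSet], bool],
                   sequences=SEQUENCES, events=EVENTS) -> float:
    """Fussell-Vesely importance: the share of the total frequency carried by
    cut sets for which `selects` is true."""
    share = INITIATOR_FREQUENCY * sum(
        cut_set_value(cs, events)
        for cut_sets in sequences.values()
        for cs in cut_sets
        if selects(cs))
    return share / total_frequency(sequences, events)

def event_importance(event: str, sequences=SEQUENCES, events=EVENTS) -> float:
    return fussell_vesely(lambda cs: event in cs, sequences, events)

def class_importance(fault_class: str, sequences=SEQUENCES, events=EVENTS) -> float:
    """Importance of a whole class: cut sets containing any event of that class.
    Classes overlap (one cut set can hold events of two classes), so the class
    importances need not sum to one."""
    return fussell_vesely(lambda cs: any(events[e][1] == fault_class for e in cs),
                          sequences, events)

def sensitivity(event: str, factor: float, sequences=SEQUENCES, events=EVENTS) -> float:
    """Ratio of the total frequency to its baseline after one event's
    probability is scaled by `factor`, e.g. when a generic failure rate is
    replaced by plant-specific data.  The input table is left untouched."""
    revised = dict(events)
    probability, fault_class = revised[event]
    revised[event] = (probability * factor, fault_class)
    return total_frequency(sequences, revised) / total_frequency(sequences, events)

if __name__ == "__main__":
    print(f"total frequency of dominant sequences: {total_frequency():.3e} per year")
    for fault_class in sorted({c for _, c in EVENTS.values()}):
        print(f"  FV[{fault_class}] = {class_importance(fault_class):.3f}")
    print(f"M1 reduced tenfold -> {sensitivity('M1', 0.1):.3f} of baseline")
```

With the constructed numbers the pre-initiator maintenance error M1 carries about 79 percent of the total, which is exactly the kind of result the plant-specific data review is meant to confirm or overturn; cutting its probability tenfold drops the total to about 29 percent of the baseline.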

The uncertainty analysis for the dominant sequences should include not merely the assessment of the statistical uncertainty originating in imprecisely known fault event likelihood but also a discussion of the modeling approximations and phenomenological assumptions which also contribute to uncertainty. Include in the report of the uncertainty analysis the team's best judgment of the completeness with which the dominant sequences have been identified. The report should include a brief discussion of any further research that may be needed to resolve significant modeling uncertainties affecting the dominant accident sequences.

Finally, it may prove to be useful to draft event trees at the system level which incorporate support system failures to aid in the documentation of the results. Such trees are awkward to work with in analysis compared with event trees that depict only front line systems; however, event trees showing support systems provide a classification scheme and graphical depiction that better reflects the principal causal mechanisms underlying the important sequences.

3.38 Draft Report

Prepare a draft edition of the final report for use in peer review of the technical and editorial content. A more detailed guide will be prepared for text scope and format. However, we expect that the main report will adhere closely to the task products, with the system fault trees and the details of the quantification reserved for appendices.

3.39 Report Review

An NRC Research Review Group will be constituted to assemble constructive criticism of the draft. The plant owner's review will constitute a second independent peer review. The IREP team will be expected to present and discuss their work at each of the two review group meetings. The review groups will have at least 2 weeks to study the draft before the review group meetings. Each review group will be expected to prepare a written critique within 2 weeks of the review group meeting. Generally, these are prepared in draft form before the review group meeting and edited into final form in the 2 weeks following the review meeting. Experience has shown that the IREP team itself will be able to identify many shortcomings in this draft report so that we can expect them to be largely occupied by revisions during the review period. The team should also make itself available--at least by telephone--to answer questions by the review group members. NRC and Sandia IREP project management will conduct a limited technical and thorough editorial review.

3.40 Final Report

The IREP team should prepare a final report in the format of a NUREG document. All comments received from the review groups that affect the character, likelihood, or selection of the dominant accident sequences should be addressed. Comments that do not bear upon the dominant sequences should be addressed insofar as time and resources permit.


IREP EVENT TREE METHODOLOGY

Introduction

The proposed IREP event tree methodology is the subject of this chapter. Many of the event tree definitions and terms used in this chapter are similar to those used in WASH-1400, Appendix 1. For that reason it is suggested that the reader review that material as a prerequisite.

The type of reactor accidents of concern in the IREP are core meltdown accidents initiated by a variety of transients and LOCA's. It is also a goal of IREP to rank these core melt accidents in terms of expected frequency and consequence severity.

The consequences associated with a core melt accident depend not only on the initiating event but also on which safety systems succeeded or failed during the accident and the approximate time at which they failed; i.e., the accident sequence.

Event trees are the structures from which accident sequences are derived. Two event tree types, used in succession, produce the complete accident sequences. The system event tree interrelates the initiating event and the safety system failure events and results in system accident sequences. The containment event trees relate the possible responses of the containment to the accident phenomenology associated with each system accident sequence. The resulting containment failure modes are added to the system accident sequences to form the complete accident sequences.

This chapter is divided into the following event tree topics:

1.0 Event Tree Construction
2.0 Event Tree Initiating Events
3.0 Development of Event Tree Heading Failure Definitions
4.0 Display of Dominant Accident Sequences
5.0 Accident Process Analysis of Event Tree Sequences

These topics represent the major IREP event tree analysis steps. The first four topics are concerned with the construction and utilization of system event trees to determine system accident sequences for the IREP plant. The last topic is concerned with classifying these accident sequences in terms of consequence severity, and use is made of the containment event tree. A discussion of each of these major analysis steps with appropriate illustrative examples is presented first, followed by a summary list of procedures.

1.0 Event Tree Construction

The first step in modeling core melt accidents over the full range of consequence severity is to construct a functional event tree. Construction of a functional event tree requires the determination of the functions the plant systems perform to either successfully mitigate a LOCA or transient, or lessen the consequences of a core melt if mitigation of the LOCA or transient is unsuccessful. These functions will now be discussed.

1.1.1 LOCA Functional Event Tree Construction

In response to a LOCA, reactor systems perform the following basic functions:

A) reactor subcriticality
B) emergency core cooling
C) radioactivity removal from the containment atmosphere
D) containment overpressure protection due to steam evolution

Except for reactor subcriticality, which must be performed immediately after the LOCA, the other functions must be continuously performed for an extended period of time (weeks). In order to estimate the consequences (defined in terms of radioactivity release) of a particular LOCA accident sequence, it is important to know which functions failed and the time at which they failed. The timing consideration can be handled to a certain extent by splitting functions B through D into injection and recirculation phases and splitting the recirculation phase of functions B and D into an early recirculation phase and a late recirculation phase. The functions now become:

A) reactor subcriticality
B) emergency core cooling during injection phase
C) radioactivity removal during injection phase
D) containment overpressure protection during injection phase
E) emergency core cooling during recirculation phase
F) radioactivity removal during recirculation phase
G) containment overpressure protection during recirculation phase
H) containment overpressure protection during late recirculation phase  }  containment
I) emergency core cooling during late recirculation phase               }  heat removal

The last two functions can be replaced by a single containment heat removal function, since, if containment heat removal fails to be initiated during the late recirculation phase, both of these functions fail. This is because the containment will eventually fail due to overpressurization, followed by an assumed failure of the emergency core cooling function due to pump cavitation.1 There are, therefore, three time frames modeled by the above set of functions. These time frames represent relative rather than absolute time frames (e.g., depending on the LOCA size, the injection phase may range from approximately 30 minutes to several hours). It is assumed that if a function succeeds at the start of a time frame, it will continue to be successful throughout the time frame. This is equivalent to saying that the failure probabilities of the systems which comprise the functions are dominated by their unavailability (e.g., failure to start or change state) rather than their unreliability (e.g., failure to continue successful operation).

A functional LOCA event tree can be constructed by making these eight functions the event tree headings and incorporating the functional interdependencies into the event tree structure. The functional interdependencies are incorporated into the event tree structure by removing success/failure decision points at appropriate places in the tree. The following criteria should be utilized for removing decision points:

(Footnote 1) It should be noted that whether or not the pumps will actually fail due to cavitation depends upon the temperature of the containment sump water or vapor suppression pool water at the time of containment failure.

1) Function X succeeds/fails by definition due to success/failure of function(s) Y, Z, etc.
2) Function X fails due to the expected system physical processes (e.g., system thermohydraulic dynamics) associated with the accident sequence.
3) Success/failure of function X does not matter due to the type of initiating event or the success/failure of function(s) Y, Z, etc.

As an example, let us construct the large LOCA functional event tree for the Oconee reactor studied in the RSSMAP. Table 1 lists the eight functions and the corresponding plant systems required to perform the functions. Figure 1, the functional LOCA tree, depicts the interdependencies between these functions along with a table which lists the functions which failed in each sequence. The interdependencies reflected in the tree structure result from application of criteria one and three given above. Application of criterion three was used in eliminating the success/failure choice for reactor subcriticality. For a large LOCA the voids created in the reactor core during the blowdown will automatically render the reactor subcritical, and success/failure of the system which provides the reactor subcriticality function does not matter.

The remaining interdependencies reflected in the tree structure result from application of Criterion 1. For example, no success/failure choice is given for containment heat removal on sequence seven since for this sequence containment heat removal would be defined as succeeded due to the defined success of the RBCS. This is because it is known that containment overpressure protection during recirculation succeeded due to the success of the RBCS only, since the CSRS failed to provide radioactivity removal in this sequence.

[Table 1. Alternate Equipment Success Combinations for Functions Incorporated Into Oconee LOCA Event Tree. Columns: LOCA size; injection phase (reactor subcriticality, emergency core cooling, post-accident radioactivity removal, containment overpressure protection due to steam evolution); recirculation phase (emergency core cooling, post-accident radioactivity removal, containment overpressure protection due to steam evolution); late recirculation phase (containment heat removal). The cell entries are not recoverable from the scan.]

[Figure 1. Oconee large LOCA functional event tree, with the table of failed functions for each sequence. Not recoverable from the scan.]

It can be noted from Figure 1 that ECI failure implies ECR failure. This is consistent with the approach taken in WASH-1400. By glancing at Table 1, it is seen that ECI could fail due to failure of the accumulators only. If this failure mode occurs, ECR would not be precluded. If it is determined that ECR success given ECI failure has a significant effect on accident consequences, then a success/failure choice for ECR given ECI failure should be incorporated into the event tree structure.

1.1.2 Transient Functional Event Tree Construction

In response to a transient, the reactor systems perform the following functions during the early phase of reactor shutdown:

A) reactor subcriticality
B) initial core cooling
C) reactor coolant system overpressure protection

Reactor subcriticality must be achieved immediately following the transient. RCS overpressure protection is necessary if, for a given transient, the plant design requires it or if a delay is experienced in achieving initial core cooling. It should be noted that one additional function, RCS inventory control, could be included in the above list as being required if an RCS safety or relief valve failed to reclose after performing its RCS overpressure protection function. However, an accident sequence with a stuck open safety or relief valve constitutes a small LOCA and can therefore be transferred to the LOCA tree and treated as such. By making this transfer the functions and corresponding systems required to mitigate these transient induced LOCA's are made more explicit.

The functions stated above are required to bring the plant to a hot shutdown condition. Since a PWR can be maintained in a hot shutdown condition without threatening a core melt for an extended period of time (provided enough stored cooling water is available), the above functions are an adequate representation of the important PWR functions.1 In the case of a BWR, however, a hot shutdown condition cannot be maintained for as long as a PWR unless a long term core cooling system is activated. The reason for this is that the heat sink for the systems performing the initial core cooling function at a PWR can be the atmosphere, whereas the heat sink for the similar BWR system is a closed system such as the suppression pool or condenser. If long term cooling of these closed systems is not achieved, then the core would eventually overheat and melt and/or the containment would overpressure and fail. It is, therefore, necessary to consider the following function for a BWR:

D) long term core cooling (BWR only)

If successful mitigation of the transient cannot be achieved and a core melt ensues, the following plant functions can aid in lessening the consequences of the accident:

E) radioactivity removal from the containment atmosphere
F) containment overpressure protection due to steam evolution

(Footnote 1) It should be noted that at some PWR power plants, the function of initial core cooling can be provided by injecting water directly into the RCS and allowing it to boil off through the RCS safety or relief valves and discharging into the containment. If this cooling method is utilized for an extended period, then the function of containment overpressure protection due to steam evolution must also be provided.

A functional transient event tree can be constructed by making these 5 PWR and 6 BWR functions the event tree headings and incorporating the functional interdependencies into the event tree structure. Each core melt sequence on the event tree would be characterized by a different combination of succeeded and failed functions.

As an example, let us construct the transient functional event tree for the Oconee reactor. Table 2 lists the 5 PWR functions and the corresponding plant systems required to perform these functions. Figure 2, the functional transient tree, depicts the interdependencies between these functions along with a table which lists the functions which failed in each sequence.

Before discussing the dependencies depicted on the tree, an explanation of the events which appear before and after the Reactor Coolant System Overpressure Protection (RCSOP) heading is in order. As mentioned earlier, the requirement for the RCSOP function depends on the type of initiating event and/or on whether initial core cooling has been delayed. These cases are explicitly covered by the inclusion of this event. The event after RCSOP is included to identify the transient induced LOCA sequences discussed earlier.

[Table 2. Alternate Equipment Success Combinations for Functions Incorporated Into Oconee Transient Event Tree. Columns: reactor subcriticality, initial core cooling, reactor coolant system (RCS) overpressure protection, containment overpressure protection due to steam evolution, post-accident radioactivity removal, and RCS integrity, with rows for RPS success and RPS failure. The cell entries are not recoverable from the scan.]

[Figure 2. Oconee transient functional event tree, with the table of failed functions for each sequence. Not recoverable from the scan.]

The dependencies incorporated into the event tree structure result from application of all three criteria presented in the previous section. Examples of how these three criteria were incorporated into the tree structure are the following:

Criterion 1) Radioactivity removal is by definition failed if containment overpressure protection fails due to the defined failure of the CSIS. This is because it is known that the CSIS failed if containment overpressure protection failed.

Criterion 2) The RCS overpressure valves will not reclose given failure of reactor subcriticality and initial core cooling. This is because the RCS pressure will equilibrate at a level at or above the pressurizer relief valve reclosure setpoint and will remain there throughout core meltdown.

Criterion 3) As mentioned previously, radioactivity removal is an important mitigating function in core melt accident sequences only. For non-core melt sequences, therefore, the success/failure of this function does not matter.

Additional explanation is in order concerning the "note 1" depicted in Figure 2. Given success of initial core cooling, if the flow rates of the main or auxiliary feedwater systems are not properly controlled and too much cooling is provided to the secondary side of the steam generators, a rapid RCS cooldown transient would ensue. Following RCS depressurization, due to the shrink of the RCS coolant, the high pressure injection system would be demanded at the Oconee plant. If actuation occurs, the pressurizer relief valves could be demanded and thus create a potential for a LOCA if they do not reclose. This particular sequence could be modeled as part of the existing sequence 3. When transferring to the small LOCA tree, the high pressure injection system and auxiliary feedwater system would be defined as operating (success). However, if actuation does not occur, a potential exists for emptying the pressurizer due to the continued shrink of the RCS coolant. If this occurs, pressure control of the RCS is lost, which could ultimately result in a saturated RCS. If forced RCS circulation is lost (as would be the case for a loss of offsite power transient) and the RCS is saturated, natural circulation would also be lost at the Oconee plant. The core would then lose steam generator cooling and RCS inventory would boil off, eventually leading to a core meltdown. This latter case is not modeled by any event tree sequence presented thus far. Since it is a special case, it does not warrant a separate event tree and is discussed here for completeness.

1.1.3 LOCA and Transient Systemic Event Tree Construction

It can be noted from the functional event tree examples given in the previous sections that in general there is not a one to one correspondence between the functions modeled on the event tree and the plant systems required to perform these functions. Because of this the same system may appear in the definitions of more than one functional event tree heading. It is often desirable to decouple the functional event tree headings such that each heading represents a major plant system or group of plant systems (i.e., "front line systems"). (A front line system is defined as a system described in the plant FSAR which performs the LOCA and transient functions described in the previous sections. A front line system does not include support systems common to many front line systems such as electric power systems, component cooling water systems, instrument air systems, etc.) This type of event tree is known as a systemic event tree, and the tree structure would reflect interdependencies between major plant systems rather than plant functions.

The LOCA and transient systemic event trees for the Oconee plant are presented in Figures 3 and 4. The event tree headings represent the major systems described in the Oconee FSAR. The system event tree headings are listed in the approximate order they will be called upon during a LOCA or transient accident sequence. The event tree structure reflects the application of the criteria presented in Section 1.1.1 (replace the word "function" with "system"). Also depicted on these figures are tables which list the functions which failed in each sequence.

If one compares the LOCA and transient functional and systemic event trees, it can be noted that the system trees contain a greater number of accident sequences. These additional sequences result from the fact that several system accident sequences may be represented by a single functional accident sequence. Each functional accident sequence represents a unique set of succeeded and failed functions whereas each system accident sequence may not. For example, sequences 8 and 17 on the LOCA systemic event tree are modeled by the single sequence 4 on the LOCA functional event tree.

[Figure 3. Oconee LOCA systemic event tree, with the table of failed functions for each sequence. Not recoverable from the scan.]

[Figure 4. Oconee transient systemic event tree, with the table of failed functions for each sequence. Not recoverable from the scan.]

1.2 Procedure

Procedure for Functional Event Tree Construction

1. LOCA functional event tree construction.
   a. Identify from the FSAR the plant ESF systems/sub-systems which perform the following functions:
      1) reactor subcriticality
      2) emergency core cooling
      3) radioactivity removal from containment atmosphere
      4) containment overpressure protection due to steam evolution
      5) post LOCA containment heat removal.
   b. Determine the minimum number of ESF systems/sub-systems which are required to successfully perform these functions. The FSAR usually states success criteria for a variety of LOCA sizes. Discuss the FSAR success criteria with the reactor vendor or other sources and determine if it is overly conservative. FSAR criteria need not be used if sufficient documentation is available supporting an alternate criterion.
   c. For functions 2 through 4, determine if different success criteria are required for the injection and recirculation phases.
   d. The five functions listed above become eight functions due to the split of 2 through 4 into injection and recirculation phases. These eight functions will comprise the event tree headings. (Refer to the Oconee LOCA tree example given in this section.)
   e. Incorporate functional interdependencies into the event tree structure by applying the criteria presented in Section 1.1.1.
   f. Characterize each accident sequence by determining which functions have succeeded and failed in each accident sequence. (This will be used later during the analysis of these sequences for core meltdown physical processes.)

2. Transient functional event tree construction.
   a. Identify from the FSAR the plant ESF systems/sub-systems which perform the following functions:
      1) reactor subcriticality
      2) initial core cooling
      3) RCS overpressure protection
      4) long term core cooling (BWR only)
      5) radioactivity removal from the containment atmosphere
      6) containment overpressure protection due to steam evolution.
   b. Same as Part 1-b.
   c. These functions will comprise the event tree headings. Add the "RCS overpressure requirement" and "RCS overpressure valves reclose" headings before and after the RCS overpressure protection heading. (Refer to the Oconee transient event tree example given in this section.)
   d. Same as Part 1-e.
   e. Same as Part 1-f.

3. LOCA systemic event tree construction.
   a. Determine the "major" FSAR LOCA systems. "Major" systems are those which perform the eight LOCA functions given in 1-d and do not include support systems (e.g., electric power, component cooling, etc.). These systems will comprise the event tree headings.
   b. Place these systems in the approximate order they will be called upon during a LOCA.
   c. Incorporate systemic interdependencies into the event tree structure by applying the criteria presented in Section 1.1.1. (Replace the word "function" with "system.")
   d. Determine which functions have succeeded and failed in each accident sequence. (This will be used to identify the LOCA system accident sequences with their equivalent LOCA functional accident sequences.)

4. Transient systemic event tree construction.
   a. Determine the "major" FSAR transient systems. "Major" systems are those which perform the transient functions given in 2-a and do not include support systems. These systems will comprise the event tree headings. Add the "SR/Demand" and "SR/VR" headings before and after the "SR/VO" heading.
   b.-d. Same as 3-b through 3-d. Replace the word "LOCA" with "transient."

2.0 Event Tree Initiating Events

2.1 Discussion

In the preceding section, the generic PWR and BWR LOCA and transient functions were identified and examples were given which assigned the plant systems to the appropriate functions. The question which is now asked is how various size LOCA's and different types of transient initiators will affect the performance of these systems. After answering this question, it becomes clear which LOCA and transient initiators must be considered.

For the plants studied in the RSS, it was determined that three ranges of RCS LOCA sizes must be considered as initiating events. Three sizes were chosen since the LOCA mitigation requirements (ECCS, reactor protection system, and auxiliary feedwater system) were a function of the size of the LOCA. However, they could be grouped into three categories for which the mitigation requirements were the same within each category. In a similar manner, each IREP plant will have to be evaluated to determine which LOCA size ranges must be considered. Also important is the location of the break (e.g., a cold leg break may require a different set of ECCS subsystems than a hot leg break). Direct use of the RSS LOCA sizes for the IREP plant without a prior evaluation would be incorrect.

Transient initiators considered in the RSS were of three major types. These were reactor shutdowns caused by a loss of offsite power, loss of the power conversion system (e.g., heat rejection to the condenser via the main steam, bypass to condenser and main feedwater loop) caused by other than a loss of offsite power, and other shutdowns in which the power conversion system is initially available. These transient initiators were assessed to adequately represent a spectrum of LWR transients (RSS, Tables I 4-9 and I 4-12 for PWR's and BWR's respectively) in terms of their effects on the mitigating systems. (For example, a loss of offsite power requires the operation of an emergency AC power system to operate various components of the mitigating systems whereas shutdowns with offsite power available do not require emergency power.)

Subsequent to the publishing of the RSS, new transient initiator data sources, which supersede Tables I 4-9 and I 4-12, have been made available. One of the most notable sources is EPRI NP-801, "ATWS: A Reappraisal, Part III, Frequency of Anticipated Transients." This data source should be examined for each subject plant to determine what types of additional transient initiators should be considered. (A listing and description of the PWR and BWR transients which appear in this document are presented in Appendix 1.) EPRI NP-801 serves as a satisfactory starting point from which to estimate the types and frequencies of transients to be expected in the subject plant. It does not, however, indicate the specific cause of the transient. For example, PWR transient 36 indicates a transient can be caused by a loss of power to a necessary plant system. It does not indicate the specific type of power failure (e.g., Train A Vital AC, Train B 125 V DC, etc.) or what effect these power failures have on the safety systems which must respond to the transient (e.g., the auxiliary feedwater system may lose the use of an electric driven pump). One method of identifying all such plant specific transients is to develop an initiating event fault tree.

The top event of an initiating event fault tree would be labeled "Requirement for a Reactor Shutdown." The second level of the tree would be a listing of the reactor scram signals. Subsequent levels of the fault tree would be developed such that all subsystem and/or component failures which cause a reactor scram signal are identified. The plant LER's should be reviewed so that any peculiar initiating events can also be modeled on the tree. Special attention should be taken in developing those areas of the fault tree where it is noted that the initiating event could also significantly degrade the reliability of any of the safety systems which must respond to the reactor shutdown.

One additional initiating event which should be considered is the extra-containment or interfacing system LOCA (event V in the RSS). This initiator is actually a complete accident sequence, since no reactor systems are available to mitigate this initiating event. An assessment of all low pressure piping that interfaces with the high pressure RCS, and which leads outside containment, should be made to determine if the frequency of failure of the isolation valve(s) is quantitatively significant (~1 x 10^-7/yr).

The methods used in quantifying this initiating event have been discussed for a variety of isolation valve configurations and isolation valve test procedures in the RSS, RSSMAP and EPRI NP-262, "PWR Sensitivity to Alterations in the Interfacing System LOCA."

2.2 Procedure

Procedure for Selecting Event Tree Initiating Events

1. LOCA initiating events selection
a. Select RCS LOCA break size ranges. A separate break size range should be considered if a unique combination of ECCS subsystems or other ESF systems is required to mitigate a LOCA within a certain break size range.
b. Select RCS LOCA break locations. A separate break location should be considered if a unique combination of ECCS subsystems or other ESF systems is required to mitigate a LOCA at a certain break location.

2. Interfacing system LOCA initiating events selection
a. Identify low pressure piping which interfaces with the high pressure RCS and leads outside containment. Assess if isolation valve(s) failure is quantitatively significant (~1 x 10^-7/yr).

3. Transient initiating events selection
a. Reactor trips caused by a loss of offsite power will be studied.
b. Loss of power conversion system reactor trips caused by other than a loss of offsite power will be studied.
c. Reactor trips with the power conversion system initially available will be studied.
d. Review EPRI NP-801 and determine what types of additional transient initiating events should be considered.
e. Develop an initiating event fault tree to a level such that all the specific subsystem and/or component failures which cause a transient are identified. Check the initiators identified in the fault tree against the general initiators described in EPRI NP-801 and plant specific LER's to assure completeness.

3.0 Development of Event Tree Heading Failure Definitions

3.1 Discussion

After completing the construction of the functional and system event trees and determining which initiating events will be studied, the next task of the event tree analysis team is to develop event tree heading failure definitions, which will instruct the fault tree team modeling these events how to structure their fault trees. These definitions, in general, depend upon the type of initiating event and on the success or failure of other functions which appear in an accident sequence.

In the previous sections, the functional event tree heading failure (or success) definitions were discussed to a limited extent. Definitions in those sections were limited to determining what combinations of systems were required. This is the proper first step, but in order to complete the definition, one must understand:
1) the procedures which dictate how the systems will be implemented;
2) the expected physical process dynamics for each sequence.

Examples of why this understanding is important follow.

Consider an accident sequence in which the containment overpressure function is performed by a spray system. Following a large LOCA, the containment pressure would rapidly rise and the spray system would be called upon to start automatically when the actuation set point is reached. The role of the control room operator would be to verify that the sprays had started and were performing as designed. However, following a small LOCA, the containment pressure would rise more slowly such that the operator would have time to implement a small LOCA emergency procedure. Let us assume that one step in the procedure was for the operator to bypass the automatic LOCA circuitry and take manual control of the systems. If at a later time the pressure in containment finally reached the point where sprays were required, they would have to be manually initiated. The event tree should incorporate this subtlety into the containment overpressure event/containment spray system definition so that credit for an automatic start is not given for the small LOCA situation.

A classic example of how the accident sequence physical processes can affect the event tree heading/system failure definition is the accident sequence that occurred at Three Mile Island. That accident sequence was initiated by a loss of main feedwater, followed by a failure of a pressurizer relief valve to reclose and initial success of core cooling through the operation of the high pressure injection system (HPIS). The operator at a later time essentially terminated the HPIS because a high pressurizer level was indicated and he did not want to drive the pressurizer solid (prior to TMI operators were trained to avoid a solid pressurizer). It is evident that the knowledge of whether or not the pressurizer is solid is crucial to the formulation of the correct HPIS failure definition for this sequence. This is an example of how an operator error which occurs during the course of an accident affects the event tree heading/system failure definition. In order to assess other similar types of operator errors, the analyst must be aware of the control room indications which the operator is relying upon to make decisions and how these decisions will affect the availability of the safety systems responding to the accident.

As a third example, consider a PWR accident sequence which is initiated by a loss of main feedwater and followed by a failure of the reactor subcriticality function (ATWS). The initial physical process associated with this accident would be that the pressurizer would become water solid and a large quantity of water would be passed through the relief valves. The RCS system pressure would eventually be reduced until the closure set point of the relief valves was reached. If they fail to reclose, a small LOCA would exist. Since the pressurizer relief valves are designed to pass steam rather than water, the valve reclosure failure probability would be expected to be substantially higher in ATWS sequences than it would be for sequences in which only steam was relieved. It would be the responsibility of the event tree team to incorporate this subtlety into the RCSOP valves closed event definition so that a proper assessment of the valve closure failure probability could be made.

As a final example, assume that the above described ATWS occurs and the initial core cooling function is called upon. Since an ATWS is a rapid transient, if initial core cooling is going to have any effect on mitigating the accident, it must be initiated immediately. It will be recalled from the example discussed in Section 1 that a success mode of initial core cooling was to restore the main feedwater system. Given an ATWS, this would take too much time and could not be considered. The event failure definition for initial core cooling given an ATWS must therefore include this subtlety.

The examples above attest to the fact that the event tree team must have a good overall understanding of the plant behavior if the correct event tree heading failure definitions are to be completely developed. To gain this understanding, the team must be familiar with the plant procedures and the expected physical processes for each accident sequence on the event tree. Much of this can be learned by reading the plant operating, abnormal, or emergency procedures, which discuss either the total event tree sequence or portions of that sequence. What cannot be learned from the procedures should be asked of the control room operators at the initial plant visit. A good portion of the expected physical processes associated with each sequence can also be learned from discussion with control room operators. However, it would not be expected that the operators could give a complete description, especially if multiple system failures have occurred and the plant is operating in a mode not covered by any procedure. If a complete description is required, then a computer model which simulates the physical process dynamics of the IREP plant accident sequence would have to be utilized. Such a computer model will most likely be supplied by the reactor vendor.

3.2 Procedure

Procedure for Developing Event Tree Heading Failure Definitions

1. Refer to the Functional Event Tree Construction Procedure for determining the combinations of ESF systems required to perform the LOCA and transient functions.
2. Develop a top level fault tree depicting these requirements (see Figure 5 for an example).
3. Review operating, abnormal operating, or emergency procedures associated with each event tree sequence or portion of each sequence, if available. If not available, discuss expected operator actions with the control room operators.
4. Understand the expected physical processes associated with each accident sequence.
a. Discuss with control room operators to gain a general description.
b. If the description is not complete, then utilize a computer model which simulates the physical processes of the IREP plant. An adequate model should be available at the reactor vendor.
5. From the knowledge gained in steps 3 and 4, modify the top level fault tree failure definition, if necessary. These modifications should appear as "notes" on the top level tree (see Figure 5 for example).

4.0 Display of Dominant Accident Sequences

4.1 Discussion

The functional and systemic event tree methodology discussed thus far provides a consistent approach for modeling the accident sequences for all the IREP plants. These trees will be used as an integral part of the procedure used in assessing the dominant accident sequences.

Based on the event heading failure definitions discussed in the previous sections, fault trees will be developed to determine the various failure modes which can cause the function and system event heading failure. As a general case, the function and system events are not independent (e.g., due to subsystems and components which are common to more than one event tree function or front line system). Because of this, a complement of the event heading fault tree must be created to determine the success modes which can cause event heading success. Each sequence will be quantified by combining and Boolean reduction of the initiating event fault tree and the functional or systemic fault trees and "success trees" associated with each sequence. The result of this procedure will be separate cut set equations representing the minimum combinations of system and/or component failures which will cause the occurrence of each functional or systemic accident sequence. (This procedure is discussed in detail in the paper entitled "Accident Sequence Quantification.") The sequence cut sets will then be quantified by assigning the appropriate failure probabilities to the cut set literals (e.g., a cut set such as AB has two literals) and the dominant cut sets in each accident sequence will be identified.

Figure 5. Top level fault tree for the containment overpressure protection function in response to a small LOCA.

Top event: Containment Overpressure During Injection Phase Fails Following a Small LOCA. The top event occurs only if both of the following occur:
- Failure of 3 of 3 Containment Fan Cooler Trains (from Containment Fan Cooler System Fault Tree)
- Failure of 2 of 2 Containment Spray Injection System Pump Trains (from Containment Spray Injection System Fault Tree)

Notes: 1) Fan cooler system will start automatically, but is manually shut down after containment pressure is reduced below 4 psig. Any restart would have to be done manually (Emergency Procedure XYZ).
2) Containment spray system must be manually started since manual shutdown of the fan cooler system deactivates automatic start circuitry.

The plant depicted in this example performs this function with either 1 of 2 containment spray trains or 1 of 3 containment fan cooler trains.
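The Boolean reduction and cut set quantification described in Section 4.1, carried through on a small fault tree patterned on Figure 5, as an added example that is not part of this guide. The gate structure, the shared vital AC bus support event, the operator action events and all failure probabilities are constructed assumptions, not Oconee data; the AND/OR reduction is general and is not limited to the 3-of-3 and 2-of-2 gates shown.

```python
"""Minimal cut sets and dominant cut set ranking for a small fault tree.

Added example (not from the IREP guide): Boolean reduction of a top level
tree patterned on Figure 5, followed by quantification of the cut sets.
"""
from itertools import product

# Gate name -> (gate type, children). Names absent from GATES are basic events.
# Constructed tree: containment overpressure protection fails after a small
# LOCA only when both the fan cooler function and the spray function fail.
GATES = {
    "TOP": ("AND", ["FAN_FAILS", "SPRAY_FAILS"]),
    # Figure 5 note 1: fan coolers must be restarted manually after the
    # pressure drops below 4 psig. VITAL_AC_LOST is a constructed support
    # system event assumed common to both front line systems.
    "FAN_FAILS": ("OR", ["FC_3OF3", "OP_NO_FAN_RESTART", "VITAL_AC_LOST"]),
    "FC_3OF3": ("AND", ["FC_A", "FC_B", "FC_C"]),
    # Figure 5 note 2: spray must be started manually.
    "SPRAY_FAILS": ("OR", ["SP_2OF2", "OP_NO_SPRAY_START", "VITAL_AC_LOST"]),
    "SP_2OF2": ("AND", ["SP_A", "SP_B"]),
}

# Constructed per-demand failure probabilities for the basic events.
PROBS = {
    "FC_A": 1e-2, "FC_B": 1e-2, "FC_C": 1e-2,
    "SP_A": 1e-2, "SP_B": 1e-2,
    "OP_NO_FAN_RESTART": 5e-2, "OP_NO_SPRAY_START": 1e-2,
    "VITAL_AC_LOST": 1e-4,
}


def minimize(cut_sets):
    """Boolean absorption: drop any cut set that contains another cut set."""
    minimal = []
    for cs in sorted(set(cut_sets), key=len):
        if not any(m <= cs for m in minimal):
            minimal.append(cs)
    return set(minimal)


def cut_sets(node, gates=GATES):
    """Return the minimal cut sets (frozensets of basic events) of a node."""
    if node not in gates:
        return {frozenset([node])}
    gate_type, children = gates[node]
    child_sets = [cut_sets(child, gates) for child in children]
    if gate_type == "OR":
        combined = set().union(*child_sets)
    elif gate_type == "AND":
        # One cut set from each input, merged; a shared literal appears once,
        # which is how the common support event collapses to a single literal.
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate type {gate_type!r}")
    return minimize(combined)


def quantify(minimal_cut_sets, probs=PROBS):
    """Rank cut sets by probability, assuming independent literals, and sum
    them (rare-event approximation) to get the sequence probability."""
    ranked = []
    for cs in minimal_cut_sets:
        p = 1.0
        for literal in cs:
            p *= probs[literal]
        ranked.append((p, cs))
    ranked.sort(key=lambda item: item[0], reverse=True)
    total = sum(p for p, _ in ranked)
    return ranked, total


def dominant(node="TOP", fraction=0.95):
    """Return the top-ranked cut sets that together carry `fraction` of the
    sequence probability, i.e. the dominant cut sets of Section 4.2 step 1."""
    ranked, total = quantify(cut_sets(node))
    kept, running = [], 0.0
    for p, cs in ranked:
        kept.append(cs)
        running += p
        if running >= fraction * total:
            break
    return kept


if __name__ == "__main__":
    ranked, total = quantify(cut_sets("TOP"))
    for p, cs in ranked:
        print(f"{p:9.2e}  {' * '.join(sorted(cs))}")
    print(f"sequence probability (rare-event approx.) = {total:.3e}")
    print("dominant cut sets:", [sorted(cs) for cs in dominant()])
```

With the constructed numbers the two operator actions and the shared support bus dominate, while the five-literal hardware cut set contributes almost nothing, which is the kind of dependency the systemic event trees hide and the dominant cut sets expose.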

Besides its usefulness as a tool as part of the sequence quantification procedure, event trees are also useful as display tools in showing important interdependencies between the systems and system components required to respond to an initiating event. The functional event trees discussed in Sections 1.1.1 and 1.1.2 hide many of these interdependencies, since several systems and system components are generally a part of the definition of a single functional event tree heading. The systemic event trees discussed in Section 1.1.3 display interdependencies between the front line plant systems but hide the effects of support systems which are common to more than one front line system. It would be desirable to construct an event tree which explicitly displays these types of interdependencies.

Such an event tree could be constructed based on information contained within the list of dominant functional accident sequence cut sets. After careful examination of the dominant cut sets, it will become apparent which systems, support systems, or system components are the most important. These would be designated as the event tree headings and the dependencies between them incorporated into the event tree structure. The resulting event tree would provide an excellent means of summarizing and displaying the most important accident sequences in terms of the critical systems, subsystems, and system components.

(An alternate method of displaying the most important accident sequences is to use a system dependency diagram. Examples of these types of diagrams can be found in the main body of the Crystal River risk analysis.)

4.2 Procedure

Procedure for Display of Dominant Accident Sequences

1. Identify dominant cut sets for each functional or systemic accident sequence.
2. Examine the literals of the dominant cut sets to determine what are the systems and/or components which have failed.
3. If the literal is a component, identify the system(s) it is a part of.
4. Create a system/system component event tree by making the important systems/components the tree headings, and incorporating into the event tree structure the dependencies between them.

5.0 Accident Process Analysis of Event Tree Core Meltdown Sequences

5.1 Discussion

After the quantification of the event tree core melt accident sequences is completed, those with the highest probability will be analyzed in terms of core meltdown accident processes. The output of this analysis will be an assessment of the appropriate containment failure modes, containment failure mode probability and radioactive material release category placement for each of these sequences. This will be done primarily by comparing these accident sequences with similar sequences which were generated as part of the RSS and RSSMAP programs.

For each plant studied in IREP, an assessment of which of the six plants studied in the RSS and RSSMAP most closely resembles the study plant, in terms of system and containment design features, will be made. After this assessment, the accident sequences for the two plants will be compared and sequences with the identical combination of succeeded and failed functions will be identified. Once this identification has been made, the appropriate containment failure modes, containment failure mode probabilities, and release category placement for the IREP plant accident sequence will also be identified.

The results of the core meltdown accident process analysis for the Oconee LOCA and transient accident sequences are given in Tables 3 and 4. The containment failure modes which apply to the Oconee reactor are defined by the containment event tree depicted in Figure 6. Similar tables of results and containment event trees will be provided for the remaining RSS and RSSMAP plants (Surry, Peach Bottom, Sequoyah, Calvert Cliffs, Grand Gulf) at a later date.

Several notes are in order concerning the use of Tables 3 and 4. Firstly, the β containment failure mode probability must be supplied by the IREP team since its value is a function of the containment isolation system design for the particular IREP plant. Secondly, transient accident sequences involving a stuck open pressurizer relief valve (e.g., sequences 3 and 13 in Figure 4) should be treated as a LOCA with a size corresponding to the valve discharge area. Whether or not the main or auxiliary feedwater systems are operating in these sequences can be ignored, since they do not significantly affect the core meltdown accident processes. And finally, analysis of the IREP plant may yield important accident sequences which do not correspond to any of the exact combinations of failed functions presented in Tables 3 and 4. If this occurs, Sandia National Laboratory personnel should be notified to determine if additional accident process analysis of these sequences is required.

TABLE 3. Core meltdown accident process analysis results for the Oconee LOCA accident sequences.

TABLE 4. Summary of the Transient Initiated Core Meltdown Accident Process Analysis for the Oconee Plant (columns: transient event tree failed functions RS, CC, RCSOP, CO, RR; core melt release category 1 through 7).

FIGURE 6. Oconee Containment Event Tree (headings: containment fails by vessel steam explosion; containment failure due to hydrogen; overpressure; base mat).

5.2 Procedure for Accident Process Analysis of Event Tree Core Meltdown Sequences

1. Compare the IREP plant design with the plant designs studied in the RSS and RSSMAP. This should include comparisons of:
a. containment designs (e.g., volume, design pressure, structural design, degree of compartmentalization, potential for water entrapment underneath the reactor vessel, etc.).
b. ESF system designs (e.g., types of systems which perform the event tree functions, flow rates, heat removal rates, actuation setpoints, etc.).
2. Based on this comparison, identify which RSS or RSSMAP plant most closely resembles the IREP plant.
3. Compare accident sequences and identify those with the identical combination of failed functions.
4. Sequences with an identical combination of failed functions should have similar containment failure modes, containment failure mode probabilities and radioactive release category placements.

1 Appendix 1

(

PWR Transients PWR Transient Category Definitions I

1. Loss of RCS Flow (1 Loop) i This transient occurs when an inadvertent hardware or human error interrupts the flow in one loop of the reactor coolant l system.
2. Uncontrolled Rod Withdrawal This transient occurs when one or more control rocs are withdrawn inadvertently.
3. 'CRDM Problems and/or Rod Drop This transient occurs when f ailures in the control roc crive mechanism (CRDM) occur whichTne lead to out-of-tolerance transient may incluceconc -

crc;_-

tions in the primary systen.. of the ping of one or more control rods into the core as part CRDM f ailure.

  • 4. Leakage From Control Rods This transient occurs when primary system leakage arcanc the control rod drive mechanism is er.cessive and reactor snatccwr required.
5. Leakage in Primary System This transient occurs when primary system leakage through various piping components is excessive and reactor shutdown  ;

required. This transient does not include:

  1. 4 - Leakage from control rods
  1. 7 - Pressurizer leakage 626 - Steam generator leakage
6. _High or Low Pressurizer Pressure This transient occurs when the pressurizer pressure is outside of the required operating limits.
7. Pressuriser Leakage This transient occurs when pressurizer components allow

/

' excessive primary systen leakage and reactor shutdown is required.

l

+ - - - w +.,-r-+e--- - - , - - - , , ~ , , ., -

~

8. Pressurizer Relief or Safety Valve Opening This transient occurs when haruware or operator error results .

in inadvertent opening of pressurizer relief or safety valve:

9 Inadvertent Safety Injection Signal This transient occurs when hardware or operator error initiates

~~

a safety injection.

10. Containment Pressure Problems This transient occurs when hardware or operator error resc1:s in containment pressure exceeding limits.
11. CVCS Malfunction-Boron Dilution This transient occurs when hardware or operator reactor power is error results affected.

in a CVCS malfunction such that

12. Pressure. Temperature, Power Imbalance Tnis transient occurs when various primary systems signals indicate pressure, temperature or power im: ;ances.
13. Startup of Inactive Coc12nt Pump pump is started

- 'Thisantransient occurs when an idle ecclant improper power anc flow condition.

at

14. Total Loss of RCS Flow This transient occurs when a hardware or operator error causes a loss of reactor coolant system flow.
15. Loss or Reduction in Feedwater Flow (1 Loop)

This transient occurs when one feeowater pump tripsin or feed-wnen another occurrence results in an overall cecrease water flow.

O 16 . -

Total Loss of Feedwater Flow ( All Loops)

Thisfransientoccurswhenasimultaneouslossofallmain feedwater occurs, excluding that due to loss of station power (definition #35).

17. Full or Partial Closure of MSIV (1 Loop)

This transient occurs closes, the when oneopen, rest remaining mainorsteam isolation valve the partial (MSIV) closure of one or more MSIV occurs.

l

18. Closure of All MSIV This transient occurs wnen any one of various steam line or nuclear system malfunctions requires termination Theofclosuresteau flow from the vessel, or by operator action.

of one MSIV may cause an immediate closure of all other MSIVs; this occurrence is also includea in this transientHowe definition.

,of another initiator is not included.

19. Increase in Feedwater Flow (1 Loop) in feedwater flow e This transient occurs when an increase occurs in one loop.
20. Increase in Feedwater Flow (All Loops)

This transient occurs when an increase in feedwater flow occurs in more than one loop. .

21. Feedwater Flow Instability-Operator Error occurs when feedwater is being contro11ec and excessive This transient manually, usually during startup or shutdown, or insufficient feeawater flow occurs.

- 22. Feedwater Flow instability-Miscellaneous Mechanical Causes occurs when excessive or insufficient fece-This transientwater flow results from haroware failures in the fee system.

23. Loss of Concensate Pumps (1 Loop) redacing This transient occurs when one condensate pump fails, feedwater flow.
24. Loss of Concensate Pumps (All Loops)

This transient occurs when all condensate pumps fail, causing

' a loss of feeawater flow.

25. Loss of Condenser vacuum This transient occurs when either a complete loss or decrease in condenser vacuum results from a hardware or human er)
26. Steam Generator Leakage to secon:-

This transient occurs when excessive primary systera ary leakage occurs in the steam generator.

~

1 l

l v- e --r-- y- -

-e-- -

yv +ef m w- pa++v on- y -

9 -c--ae- y w-

1

27. Condensor Leakage

-- This transient occurs when excessive secondary systeu leaka3e l occurs in the condenser.

28. Miscellaneous Leakage in Secondary bysteu This transient occurs when excessive leakage occurs in the secondary system, other than the condenser (see-definition l

927). 1

29. Sudcen Opening of Steam Relief Valves This transient occurs when a secondary system steam relief

-- valve opens inadvertently, causing an unacceptably low pressure in the secondary system.

30. Loss of Circulating Water This transient occurs when circulating water is not availacle to the plant.
31. Loss of Component Cooling This transient occurs when excessive temperature of critical coinponents is a result of a loss or decrease in couponent cooling water flow.
32. Loss of Service Water System This transient occurs when the service water syste!.. fal.s to perform its function.
33. Turbine Trip, Throttle Valve Closure, EHC Problems This transient occurs when a turbine trip occurs, or ii turbine problems occur which in effect decrease steam flow to the' turbine, causing a rapic change in the amount of energy removec frora the primary sys ter...
34. Generator Trip or Generator Caused Faults Tnis transient occurs when the generator is trit}ed oae to electrical grid disturbances or generator faults.
35. Loss of Station Power This transient occurs when all power to the plant from external sources (the grid or a dedicated transmission line to another plant) is lost.

l l

l 1

I l

,- - 36. Loss of Power to Necessary Plant Systens .

)

This transient occurs when power is lost to a component or shutdown is necessary.

l l

group of components such that plantinclude loss of power to those components wh It does not failure causes another defined transient to occur.

37. Spurious Auto Trip-No Transient Condition ,,

This transient occurs when an auto scram is initiated by a hardware failure in instrumentation or logic circuits and no out-of-tolerance condition exists.

J 38. Auto / Manual Trip Due to Operator Error This transient occurs when an auto scrau or manual scra:., is initiated by human error and no out-of-tolerance condition exists.

39. Manual Trip Due.to False Signals This. transient occurs when an operator initiates a sera!..

baseu on information frot.. erroneous instrumentation.

40. Spurious Trips-Cause Unknown
This transient occurs when a scram occurs and no out-of-tolerance condition can be detected, nor cause of scram determined.

41. Fire Within Plant
This transient occurs when a plant shutdown is necessitated by a fire in some part of the plant.


BWR Transient Category Definitions

1. Electric Load Rejection
The electric load rejection transient occurs when electrical grid disturbances result in significant loss of load on the generator. Also included are intentional generator trips.

2. Electric Load Rejection with Turbine Bypass Valve Failure
The transient is identical to #1 except that the turbine bypass valves do not open simultaneously with shutdown of the turbine.

3. Turbine Trip
A turbine trip transient occurs when any one of a number of turbine or nuclear system malfunctions requires the turbine be shut down.

Turbine trips which occur as a byproduct of other transients such as loss of condenser vacuum or reactor high level trip are not included. Intentional turbine trips are also included.

4. Turbine Trip with Turbine Bypass Valve Failure
This transient is identical to #3 except that the turbine bypass valves fail to open.

5. Main Steam Isolation Valve (MSIV) Closure
The MSIV closure transient occurs when any one of various steam line and nuclear system malfunctions requires termination of steam flow from the vessel, or by operator action.

6. Inadvertent Closure of One MSIV
This transient occurs when only one MSIV closes, the rest remaining open, due to operator or equipment error.

7. Partial MSIV Closure
This transient occurs when partial closure of one or more main steam isolation valves results from a hardware or human error.


8. Loss of Normal Condenser Vacuum
This transient occurs when either a complete loss or decrease in condenser vacuum results from a hardware or human error.

9. Pressure Regulator Fails Open
This transient occurs when either the controlling pressure regulator or backup regulator fails in an open direction. The failure causes a decreasing coolant inventory as the mass flow of water entering the vessel decreases.

10. Pressure Regulator Fails Closed
This transient occurs when either the controlling pressure regulator or backup regulator fails in a closed direction. This failure causes increasing pressure and thus decreasing steam flow from the vessel.

11. Inadvertent Opening of a Safety/Relief Valve (Stuck)
This transient occurs when a safety/relief valve sticks open. Due to an operator or equipment error a single safety/relief valve can be opened, increasing steam flow from the vessel. If the valve cannot be closed, a scram is initiated. This transient only includes those openings which cannot be subsequently closed before a scram occurs.

12. Turbine Bypass Fails Open
The transient occurs when equipment or operator error results in inadvertent or excessive opening of turbine bypass valves so as to decrease vessel level.

13. Turbine Bypass or Control Valves Cause Increased Pressure (Closed)
This transient occurs when either operator error or equipment failure causes the turbine bypass or control valves to close, resulting in increased system pressure.

14. Recirculation Control Failure-Increasing Flow
This transient occurs when a failure of a flow controller, either in one loop or the master flow controller, causes an increasing flow in the core.

15. Recirculation Control Failure-Decreasing Flow
This transient occurs when any flow controller failure causes a decreased flow to the core.

16. Trip of One Recirculation Pump
This transient occurs when one recirculation pump trips due to a hardware or human error.

17. Trip of All Recirculation Pumps
This transient occurs when the simultaneous loss of all recirculation pumps occurs.

18. Abnormal Startup of Idle Recirculation Pump
This transient occurs when an idle recirculation pump is started at an improper power and flow condition. The increased flow could cause a flux spike, or, if the loop has been idle so as to allow coolant in the pump loop to cool, core inlet subcooling.

19. Recirculation Pump Seizure
This transient occurs when the failure of a recirculation pump is such that no coast down occurs, and a sudden flow decrease is experienced.

20. Feedwater-Increasing Flow at Power
This transient occurs when any event causes increasing feedwater flow at power. Excluded (see item 26) are increasing flow events during startup or shutdown, when manual feedwater control is being utilized.

21. Loss of Feedwater Heater
This transient occurs when the loss of feedwater heating is such that the reactor vessel receives feedwater cool enough to exceed core scram parameters.

22. Loss of All Feedwater Flow
This transient occurs when the simultaneous loss of all main feedwater flow, excluding that due to loss of station power (see item 31), occurs.

23. Trip of One Feedwater Pump (or Condensate Pump)
This transient occurs when the loss of one feedwater pump or condensate pump is such that a partial loss of feedwater is experienced.

24. Feedwater-Low Flow
This transient occurs when any plant occurrence causes decreasing feedwater flow at power. Excluded are events at low power (see item 25).


25. Low Feedwater Flow During Startup or Shutdown
This transient occurs when any event results in low feedwater flow at essentially zero power; this definition includes only startup or shutdown operations.

26. High Feedwater Flow During Startup or Shutdown
This transient occurs when excessive feedwater flow occurs during startup or shutdown. The reactor is essentially at zero power.

27. Rod Withdrawal at Power
This transient occurs when one or more rods are withdrawn inadvertently in the power range of plant operation.

28. High Flux Due to Rod Withdrawal at Startup
This transient occurs when inadvertent withdrawal of a rod causes a local power increase.

29. Inadvertent Insertion of Rod or Rods
This transient occurs when any malfunction causes an inadvertent insertion of rod or rods during power operation.

30. Detected Fault in Reactor Protection System
This transient occurs when a scram is initiated due to an indicated fault in the reactor protection system. An example is the indication of a high level in the scram discharge volume.

31. Loss of Offsite Power
This transient occurs when all power to the plant from external sources (the grid or dedicated transmission lines to another plant) is lost. This event requires the plant emergency power sources to be available.
32. Loss of Auxiliary Power (Loss of Auxiliary Transformer)

This transient occurs when the loss of incoming power to a plant results from onsite failures such as the loss of an auxiliary transformer.


33. Inadvertent Startup of HPCI/HPCS
This transient occurs when any of the systems supplying high pressure cold water to the vessel inadvertently start up.

34. Scram Due to Plant Occurrences
This transient occurs when a scram, either automatic or manual, is initiated by an occurrence which does not cause an out-of-tolerance condition in the primary system, but requires shutdown. Examples are turbine vibration, off-gas explosion, fire, excess conductivity of reactor coolant, etc.

35. Spurious Trip via Instrumentation, RPS Fault
This transient occurs when a scram resulting from hardware failure or human error in instrumentation or logic circuits occurs.

36. Manual Scram-No Out-of-Tolerance Condition
This transient occurs when a manual initiation of a scram, either purposely or by error, occurs and there are no out-of-tolerance conditions.

37. Cause Unknown
This transient occurs when a scram occurs, but the cause was not determinable.