ML20127A363
Text
_ _ - _ _ _ _ _ _ _ _ - _ _ _ _ _ _ _ _.
pte%*.
~~
/t,
\\
UNITED STATES 8
NUCLEAR REGULATORY COMMISSION
(.{i
,', j) wgg msmucrou. o. c.xiss
- 4. -
- s.
b['
NGV 1 6.1352 s
MEMORANDUM FOR:
Darrell G. Eisenhut, Director Division of Licensing Office of Nuclear Reactor Regulation FROM:
Stephen H. Hanauer, Director Division of Safety Technology Office of Nuclear Reactor Regulation
SUBJECT:
SHOREHAM PRA - REVIEW OF SUFFOLK COUNTY CONSULTANTS -
STAFF'S PRELIMINARY REVIEW Per your iemorandum to me dated September 29, 1982, we have reviewed applicable portions of the Suffolk County Consultant's (Future Resources Associates, Inc. - FRA) draft report and the draft Shoreham Probabilistic Risk Assessment (PRA) concerning the FRA's major finding that the PRA under-estimated the frequency of certain internal flooding accident sequences at elevation 8 by more than a factor of 1000.
Enclosed is our evaluation.
_. We limited our review of the Shoreham draft'PRA to these flooding sequences only. The frequency of internal flooding at elevation 8 of the Reactor ButleMg is dependent on the applicant's maintenance practices about which I
ther(~'il considerable uncertainty.
The very high value used by FRA for the i
maintenance frequency of the HPCI pump contributes to their higher estimate
. of core vulnerable frequency due to flood.
At this. time, we believe that flood accident sequences do not contribute to risk significantly. We believe that the FRA approach is too conservative
~
but that certain aspects of these flooding sequences should be analyzed *,
further by the applicant and submitted to the NRC for further review.
The applicant should verify:
(1) the'Shoreham plan,t potential for this flood,,
-(2) the potent.f al for a' flood-induced reactor set am, and (3) the expected probabilities of other events in this flooding sequence by assessing the maintenance procedures for ECCS and RCIC.
'We recommend that no action be taken at this time concerning the generic implications of this flood until the applicant has performed their analyses.
0 m
O g
- T c~2\\g Ltj Odl 4
6
I c.
2-At this time, we do not believe that there is a need to notify all Atomic Safety Licensing Boards regarding the FRA flood risk estimate for the Shoreham plant.
However, the Shoreham Board should be informed of the staff's initial evaluation of the FRA and PRA estimates of this flood risk.
Subsequent to the applicant's submittal of the final PRA, we' will review all the accident sequences and eport our findings. We will include.in our review the relation ~ ship of the frequency of the flood sequences.to total core vulnerable frequency for the Shoreham plant.
This review was performed in RRAB by E. Che111ah.
f h Step en H. Hanauer, Dir ctor Division of Safety Technology 6ffice of Nuclear Reactor Regulation,
Enclosure:
Evaluation of Flood Risk Predicted by FRA and PRA g
cc W closure:
(
H.DirEof yk.
E. Case H. Thompson R. Mattson R. Vollmer 1;.
s
' ~
- s N
t
)
%N s
a
.4
ENCLOSURE EhaluationoftheFloodRiskEstimate For the Shoreham Nuclear Power Station Future Resources Associates, Inc. (FRA) has recently completed a draft report of its review of the draft Shoreham Probabilistic Risk Assessment '(PRA). FR$
raises the concern that the dominant accident inholves flooding at Elthation
'(El.'8) of the Reactor Building (RS) and can lead to a " core-hulnerable" (thel
'PRA term for core-damage) state with a significantly higher frequency than is calculated in the PRA. FRA acknowledged that its estimates are rough because it
' has ng performed a complete risk analfsis to quantify the flood risk and its coptribu,ti,on'to the total core hulnerable frequency. We hahe rehiewed the
(
- pilegportions both of the FRA draft report " Review and Critique of Previous vrebabilistic Accident Assessments for the Shoreham Nuclear Power Station," dated Septad or 17, 1982 and of the draft Shoreham PRA.
The FRA Amoroach:
FRA's basic methodology for flood initiation at El. 8 of the AB is the combination of the four basic events (A, B, C and 0) shown in Table 1.
FRA has calculated the frequency of Ehents' A and B (on-line maintenance of HPCI pump requiring opening of the pump housing) based on the PRA's value*for HPCI systeni unavailability,
~ ' and, it has suggested values for the conditional probability of Event C (opera'or t
opens the isolati8n valhe inadvertently during maintenance) andEv'ent0(operator
~
~
failure to isolate 'the flood). According to FRA, a flood at E1. 8 can be mitigated 4-e e
e
... (
only by operator action (reclosing the isolation valve.F004.).
If the operator fails to isolate the flood, the water level will rise and the RCIC and LPCI pump components will be submerged and are assumed to be inoperable. Also FRA assumed' that the flooding causes the MSIV to close and is followed by a reactor trip leaving only the normally operating coolant make-up system (the condensate system).
Thus, FRA defines a core-vulnerable condition to result if Event'E (the operator
, erroneously isolates the power conversion system including the condensate system) occurs following a flood at E1. 8 of the RB.
FRA considers this a high stress condition for the operators with the flood progressing at E1. 8 and the reactor 0
tripped. They estimate a value of 1. x 10 per reactor year for the expec'ted frequency of the flood at E1. 8 of the RB (Sequence A, B C, 0), and a value of,
approximately 2.5 x 10f per reactor year' for the expected frequen'cy of a core
~
/
y
- m..
vulne'rSle condition resulting from the flood at E1. 8 of the RB (Se;.~
t quence A,B,C,0,'E).
Shoreham Oraft pRA Acoroach:
The draft PRA assumes that'the source for the flood is either the leakag of HFCI/RCIC suction piping or the on-line maintenance accident sequenci described by FRA. The PRA contains fault trees to quantify both' flood initiation events.
c 4
The PRA shows a value of 8.5 x 10 for flood initj,ation due to t,he pipe leakage k$
and 1 x 10-5 due to on-line maintenance of HPCI pump. According to the PRA, the flood can be mitigated either by the operator isolating the floN or by the operator reclosing valve (F010).
The PRA value for the conditional probability that a flood and a transient that induces MSIV closure will simultaneously occur is 0.1.
gh e
i u
~
' took the values for the individual Events B, C, 0 and E shown in the PRA and J
~
s calculated the expected frequencies of the scenarios defined by FRA.
In succary, we inferred that the PRA estimates 5.4 x 10'7 per reactor year foi flood frequency and about 6.5 x 10-8/ryforthecor'ehulnerablefrequency.
Staff
Conclusion:
The draft PRA and the preliminary FRA scenarios that define the cause of the'
-flood at EL. 8 of the RB seem reasonable (jointly events A,,B, C and D). It is important to note that we hahe not rehiewed all possible accident sequences a$d risks resulting from a flood at El. 8 of the RB to estimate a total flood risk.
Howther, we can review the final Shoreham PRA (when it is submitted) for flood risk.
I
(
.ie coErYbutions to the l'arge difference (a factor of 4000) in the flood risk estimates are due to:
(a) the FRA selection of a maintenance frequency of the HPCI pump that is a
.y factor of 100 higher, and
/
/
'(b) the FRA selection of human error, probabilities that are a factor of 40 higher.
FRA assumed a conservEtively high value of 0.2 for the int Events A and B.
Although we have not reviewed the Shoreham plant matntenance schedule and procedures, we believe that the high value for joint Events A and B is very conservative and'is not appropriate for a realistic estimate of risk due to the maintenance activities required for HPCI or RCIC pumps.
m a
f k--
u
v
~4~
-J The probability of the basic events such as " opening of pump housing" (Event B) and " inadvertent opening of isolation valve by human" (Event C) are also dependent on Shoreham plant maintenance procedures, and the human beh$vior during the maintenanc'e.
A large modeling uncertainty exists in assigning values to such errors, and FRA has in our opinion taken a hery conserhatihe bias.. FRA nas discussed hariotts
, halues for Ehent C, referring to the " Human Reliability Handbook" (fiUREG/CR-1278) b) ^'. S. Swain, et al, and selected the high value (90% upper bound).cf 0.02 per maintenance outage for Event C.
However, we believe that FRA sl1ould have used best estimates (mean values) for Events
, B, and C; not the upper bounds or, conservative values.
~'
-(
'iven th,e. f1'ood initiatio,n. FRA has assumed that all HPCI, RCIC, core. spray pumps n
w and LPCI pumps and their instrument racks will be submerged after abbut 30 minutes and the reactor will trip.
flo further design description is given by FRA in their report (or by PRA in theirs) to verify these assumptiens regarding flood induced interactions.
t!e are not aware of any reactor trip signal that would occur directlyhrem a -
flood at El. 8.
The FRA assumption that the trip would occur with probability 1.0 in 30 minutes may be conservative. flo basis is given for the PRA estimate for a probability of 0.1 for this.
Because of the time assumed by FRA to be available (at least 30 minutes) for the operator to mitigate the flood progression and to recover condensate syst'em, we feel that the high stress condition assumed by FRA during the flood and the reactor trip is conservative. A summary of the frequency and probability values used by the PRA and FRA along with the underlying differences is shown in Table 1.
3 I.
t
-S-
~
(
The PRA appears to 'have a better basis for the value it assigned to the individual events, but we do not have enough information to verify the basis.
We recommend that the applicant verify the PRA analysis of the Shoreham plant regarding: - (1) the potential for flooding at E1. 8 of the RB, (2) the potential for the flood-induced reactor scram assumed in the PRA anj by FR$
(the possible interactions should include hostile erivironments other than
' submergency, e.g., splashing, humidity, debris), and (3) the probabilities for each event in the scenarios based upon maintenance schedules and procedures for ECCS and RCIC system to select the most realistic values.
The applicant shculd report their results to the staff for review.
" The staff will evaluate the adequacy of the' revis'ed as:essment for the
(
6 frequalky o'f the flooding sequences at elevation 8, and the conditional probability
' of flood-induced reactor scram.
If the staff determines that the PRA values have been underestimated, then a basis may exist for subsequent regulatory
~.
actions with broader implications.
~~
d e
W
'e 1.
P-
ITEMIZATION OF MAJIR DIFF[KEES KTKEN TIE ANALYSES 0 t A W TK PRA REMAAKS
. SESIC-p*
(FACTOR Fat FREQKEY/PROBASILITY THE DiffEK M EVENTS EVENT DESERIPTION-
- e i.-i *.
tRA-PHA FRA/PRA)
A en-line Maintenance act of HPCI or RCIC Pump 1.08/ry Not shown 5>
IFCI or RCIC Pump is disassembled ehering oc-line maintenance 0.2 0.002 100 higher gf C.
Inadvertent opening of isolation valve 0.02 0.00I5 4 higher F004 by thanan 3/
4/.
v D
thman failure to isolate the flood O.25 0.054 5 higher 5/
6/
E Failure of Condensate-System 0.25 0.120 2 higher 5/
ll
~
~
(ABCD) fregsencyger flood at E1. 8
~
s1 x 10-3/ry s5.4 x 10-7 2000 higher
-8)
(ASCOE)
Freepsency of core-vulnerable condition M.5 x 10 ^/ry.
4.5 x 10 4000 higher 1/
- 0TEs if A freepsency v41me of 0,2 can.be inferreid; free.'the values' used by FRA for the" frequency
- reviewed the Shoreham plant meintenance schedule, the FRA value se
. 8 as flood.
Although we have not g and say be very conservative.
\\
2]; PRA did not estimate the frequency value of A.
s schedules and procedures. SAI selected the value for p(S).However, based upon a review of stellar plant mainte schedules and procedures to verify the,value.
We have not reviewed plant maintenance g
=.
I
i t'
}
. r.
~
p e
\\
...se'1 - ConLinued
.st J/ FA4 selected a conservative value (90% confidence (livel). FRA should have used some measure of the espec,ted value not a ilmiting value when combining the probability of eyespts. -
-l 4/
PRA value seems reasonable since PRAs reference is widely used and recognized by industry (NUREG/CR-1278).
~
5_/
FRA assumed 'a high stress condition and selected a value accordingly.
1 6/
The SAI has not considered the operator error'to leave the f100d unisolated a "high stress condition" because the operator has at Idast 30 minutes to isolate the flood before submergence of equipment at El. 8.
He consider this value appropriate.
7/
The SAI value seems reasonable considering that the condensate system is available to the operator and t
that he has about 30 minutes to provide primary coolant make-up to keep the core covered. This does not"seen 11ke a "high stress" situat.fon. The PRA _value seems reasonable considering the condenser' h' twell o
+'
ava!1ahl11ty for a ilmited time. tre expect that the laplementation of symptom orientated procedurbs could.
taprove the operators likelihood to recover coolant injection capabilities-from PCS.
8f Valu[sareleaseduponassumis.gP(A)sl/ry.
~
g/
Value is based en the assumption of flood-induced reactor trip.
Y Q4 t
s.
h s
'l i
Y t
)
s
~
~
\\
kt i
s
- w*
x 4 I
~
l J
3,[9'
~
T E
m
+
} gcA\\kQ t
, FistureRaoumuAmeiata,Inc.
0JAA. b yA
~
2000 CenterStreet Suite 418 Berkeley. CA 94704 415-526-5111 MA YCW.
.24 September 1982 M
{cm -
Mr. Harold R. Denton kMM Director, Office of Nuclear Reactor Regulation U.S. Ndclear Regulatory Comission Washington, DC 20555 g4%.*
e.
Dear Mr. Denton:
For the past three months my company has been analyzing the...........,uuur Power Station under contract to Suffolk County, New York. Specifically, we have been contracted to provide an independent opinion as to the validity of the reactor accident sequence probabilities and release magnitudes that are contained in a preliminary draft report carried out by Science Applications Inc. and supported by Shoreham's owner, Long Island Lighting Company, entitled "Probabi-listic Risk Assessment, Shoreham Nuclear Power Station". This draft PRA analysis, which we have reviewed, contains calculations of internal accident sequence probabilities, discussion of accident phenomena, and calculations of magnitudes of potential releases.
The County's interest in these issues stems from their need to have an acceptable technical basis for their emergency planning activities.
In the course of our review, we have concluded that one type of accident involving internal flooding may lead to important plant damage states with a significantly h1gner probability than is calculated in the draft PRA.
Indeed, this group of sequences might, in our opinion, be among the domiaant sequences contributing to residual pub'ic risk at Shoreham.
The sequences under discussion were analyzed by SAI in the draft PRA, but we believe that because of an error the accident probabilities have been underestimated. The sequences involve routine on-line maintenance of important safety equipment at level 8, the bottom level of the
.Shoreham reactor building where much important safety equipment is located.
If during on-line maintenance there were to be an accidental opening of the isolation valve that separates the specific component being maintained from the rest of the system, then under some circumstances a local flood would result, which could become a serious and disabling flood if the isolation valve cannot be reclosed in adequate time. This flood, while it would disable emergency equipment, still would not cause an accident unless there were to be an additional loss of heat removal capability through loss of the power conversion system. The issue is how probable these types of sequences are.
We have done a rough calculation of our own of the likelihood of the sequences.
The results are found in our draft report (attached) prepared for suffolk County.
Section 3.3 and Appendix 0 of our report contain our technical discussion.
(However, a copy of SAI's draft PRA report on Shoreham is probably needed to put our discussion in the proper context.)
While we believe that this set of i
~@'**%
1 3ih i,
l 1
9 H.R. Denton page 2 24 September 1982 sequences could be an important contributor to overall residual risk at Shoreham, we have been unable to quantify the risks ourselves, because we haven't done a complete analysis (either probabilistic or deterministic),
nor were we able to test the sensitivity of our conclusions to various engineering assumptions. Furthermore, while we suspect that this issue might
)
be important also at other reactors, especially at other BWR-Mark 2 reactors with similar designs but possibly at other reactors too, we have not addressed that issue ourselves.
I do not believe that the internal flooding sequences under discussion have been adequately analyzed either deterministically or probabilistically.
It is possible, in fact, that Shoreham contains features not yet uncovered that would compound the s'everity of a minor internal flooding incident, turning a relatively benign event into one with severe consequences to the reactor of even to the public: for example, there may be operator procedures, hardware, or control system features that might erroneously isolate the power conversion system upon inception of some internal flooding scenarios, thereby compromising an important heat sink exactly when it is needed most.
If careful analysis reveals that these sequences pose problems not yet considered.
we can think of several easy fixes that could provide added protection to the utility's investment and to the public at relatively low cost.
In any event, I believe that the issue requires additional analysis which has been beyond the scope of my own company's work for Suffolk County.
If I can be on any assistance to NRC, please do not hesitate to contact me.
Sincerely yours, 3
Robert J. Budn tz President
Enclosure:
as stated cc:
F. Jones, Suffolk County R. DeYoung, NRC/IE 1
J
'.,, ;, ~ f
- i'*,
- ';~,
v g .. #
q' ", a :,-[
'q:'
[c '..
j ((h.
d i, k-b.
e.
.. Q.M. M,,.: a;i, p%y p. u;".,&g;%y *&,,. :.':'.
'e.
, a y n.. ::
t..;.
.e.
. a :W.
... x%,:..a;:&,7.<:y!R.+:m'arG: *
. m,.:; e.>
, M.m
... M n
- f;y,y,.Qq;:
M
.y '...
8
,o
.T:
4.
w.$ky.~.+h[kh[.s.a., w:.q.,e;w. m. ch p!'
.i
.c*
c ;g e.y.any.a.p,. : et;:
w:Sm.&,W,..frc W 9 u
' Ihhh'.' m h'.hIh hh Y.h,b~[h.y;k..]
IhN,t
- h
- w.;?..g,,f.yn
. m.:e\\.".'
- m.k ;&..n,y n :y.. v., f,,&p., p:tp.g;%
- .w. n w, &
... < m,u v
~
- m. 3.b.,).
3.. %@t..uM, ~:;gy.R.n3p g
w. %.%:U y %
- ;.c y.
,R.
y
,.(Qi
+..e6..yv.g. e m
.. :. c ;c. m.
..=
m' gw, EM.9 @e h.c... u,y'h.9:;'.; ;,.m. Oc[ 7.; u y.,, u,,...
y #-
v
..;.. p y w
w
/; ofMA A 1 I.1. ~. y
- q 7.. d.;,
WY.. p:;, * & i Q
- 4.,
%C y. := M 5
.- i
.c -
j d;W.. c M;. :;$,',U W W.m:/;Q y,yn,m y ?3.% % :
.Mn.m%MWn:W K.'.W.ThQuq..,ik.i
. G+5?
. _., G..h
's al.9
' U. M W j. %. Q D%WGMD.RNQ.fdk l
%MM.W4..,l&gg kWMV%s..q%w%w.u. VIEW AND CRITIQUE OF..c;aW,'M..e RE w.-c.;a + w.m
.-.,r.<m:
. &.a.d.
M s'.v; 4 'wm
.,2 a.1
-M~,gW.
dE yFl# PREVIOUS PROBABILISTIC ACCIDENT ASSESSMENTS FOR %'? W.M$ffd.bbM.
nNbM@.Yjk)g,UgMW'..WMm.'-*M*wW.Nw-e*~.'.v.l0CQ e.jp/r.$s
.W qpTHE SHOREHAM NUCLEAR POWER STATION h.Mg V,G g
ij M@N64< t;dG4'$h.QM;g5h om,v-w.cm,s MIN hheport onTaN bbI$$IM Ikhfhkkf5h kd h dR
-f O - M W b
[Q;px.p..wm dg%.gh..,
1 e
.m.w,3v:..:.+. we.:J.
y 14p" Consequence Assessment for,DdWSMiW*'DN28D,NA6%i Suffolk. County Radiological Emergency Response Plan N
8tM
$q I hcQ,Y53,DM6M%p
%VOLUMEI:
?
k f M'y 7 gh M % p@ Pre 4 y#
h N $ M M ! M.. q h. g f T d ! N. W M 3 MAIN REPORT.
$f NhdNMMM WM
. 3',M > %~9. f..r./.&r'p,9y%..Radiologica.% pared fog Q,%e?/ w$e,4.y+%n w'GR V%%,yf.,J.wp rggy g2ni l
M
. d. w.m. e.,,.,k.e,4%.,,
.p c
- en.
- ... mc,
.a
- 2P
. f, 2
A
. Q ;.w< a,2.;. Steering Committee,nse.. Plan... w.s.7 Cd..x AM l Emergency Respo 2
l
.-c. v.
Q r
w/
4
- 4. v.m
.n.4.< cq,i ~w ws.>
%g
.M,aa. 3.,9.x,? v; e v.,,,pa. m. we.gt.c,: @,4,.v,p e v.. m:
W'.W..m:-e/ +:;p%w:-
a
- 4. h,u n) g 7
dy,g;ww#c,'.*3 m
vx.ye 4
.y
- n. w
-r
.o pp..
3
'7%
Jo~~nes,.vChairman.m yp;.
n d4 y.- sm y
m.
w--
$ *gf Qj ts erm p G j h h..k p.%..
ffuN Mkh}jce of thECou'nty Ex~ecudE['s 4 NW Ng ibk{${SS Of
[b[iMggyh kr MCdustforSuffdlk'EMp; MM vM; n H;;LBEDensiniiBuirdingMg:=$1
. 4, a
Ni 4
44fi M N (f dh3 N Mh{h MfbkkIN!
b.Q.y@,M[M6@hkkg Ml k#-
, j.bh WN'pj.JhDhdd -
f-kSM
N 'Princip[al AuthorM".7"(y'<b"'pf'F IRobeit BudnitM(ld@ -
d in'dN6 MWp' 9fe$'M Q. '
e d:ti j3gpNS@>Q*I.dp%* *'ts g. 3,',.),J%." iffi.
, d' e
f? r; L
4 s
- ", @ M p.p u m i
n.,
^
s.9
+e p
to,yt, fg,Jy,6
.pa..7 g
- \\.
.., Peter R(.'Da%vfs e(ty
- 3 Wi-4
.3 t ;g.
84,p*4tgh.M&q C.g, g[f g{ g
~
JtariPhid
' HowardE.sws w%
g 87 M}.,d
.g.
+
%p
,3,. L.
D-we s LLamber
.n c6
%%o yt6q y
- a d.c % hwy
- Q'
,v, Contributing'Authorsj gs.g M..
sv C.$ 4 x.,#
a wA->p, m, '.w m
- sa y1 m
v;.
yJ m.s n 9,o gLm '
3' JMQ V M,f w
t.'M
?.
W
.n
. y%:'?;Q9,_Q!sy w %<-
1 x r.c 2
Dw
- e..g
.'Septymber 17'.1982% A p]g.g.
C -"
s
.v
~.
~
'*" '[
y y
g nN ;
m
?
- .4
' ykh w"
t.% -
~L ',
Q
- w
~
9 : w( W,g;. a%.,Jp
- p' 8,,
- 'y
~
g
.W mL It k.
A' M.,
.N s
v
.,u
-g y
gp 6 v
e U,$b [~,st@p.e.=.
tQ k;l a $$ $
[ '
D, t.g %
g
'N p
h4, ' Y h
3 J) lQ. +C.hh' G?.3 g} hh.Y.9%>
d 3
Q M
~
.a 1
' jd y
, c,,,
. mk m
&s,
~
w
%mw a.
w N.
K$MiW,&niuwd
_W_
A
'y.y ;
.tAMM Whw SM ?n uti.v:npMu%r,e[*:J.s%h$ hyal.a5@:&
a
.e
? r.,
i
.%w.mm by.mi.n w+m Y:wawy,y.cwp ~ m.:g.vn.w.tm$13."{gy v
n
- .,.m 14.
- p,yggggjpg,mgsw 2000 Canter.. Street 9 Suite.418 hBegy.,;.g'lCA 947tm t 415-526 5.
e e w m r.c g.y m g. p _ rkeley gg;.q,7 gg,g a Lem:-ce tm -. g
r 3
i l
O REVIEW AND CRITIQUE OF PREVIOUS PROBABILISTIC ACCIDENT ASSESSMENTS FOR 3
THE SHOREHAM NUCLEAR POWER STATION Report on Task 1 of the Project
" Consequence Assessment for Suffolk County Radiological Emergency Response Plan" VOLUME I:
MAIN REPORT Prepared for Radiological Emergency Response Plan 3
Steering Committee Frank Jones, Chairman Office of the County Executive County of Suffolk H. Lee Dennison Building Hauppauge, New York 11788 Robert J. Budnitz Principal Author 0
Peter R. Davis Stan Fabic Howard E. Lambert Contributing Authors O
September 17,1982 2
~
i Future Reaurcu A.uociates,Inc.
O 2000 Center Street Suite 418 Berkeley. CA 94704 415-526-5111
~~-
E
'o TABLE OF CONTENTS
- O 1.0 Introduction 1.1 Overall Conclusion 1.2 Limitations 1.3 Objective of the Report 1.4 Organization of the Report 1.5 Sumary of SAI's Results 2.0 Are All Important Accident Sequences Considered?
3.0 Are the SAI Calculations,of the Accident Probabilities Correct?
3.1 Methodology Considerations 3.2 Data Base Considerations 3.3 Specific Accident Sequences -- An Eclectic Review 3.4 Implications of the Review of Specific Accident Sequences
,)
4.0 Are the Accident Phenomena Within the Plant Treated Correctly?
4.1 Grouping of Accidents Into Classes 4.2 Review of Phenomena After Meltdown 4.3 Some Specific Issues Involving Meltdown and Related O
Phenomena 4.4 Core Vulnerability vs. Core Melt: Containment Event Trees o
4.5 Implications of the Review of In-Plant Phenomena g
O -
l
-)
TABLE OF CONTENTS.
(continued)
O 5.0 Sunnary and
Conclusions:
Are the Probabilities and Magnitudes of the Calculated Potential Radiation Releases Correct?
03 6.0 Acknowledgments 7.0 References g
Appendices A.
" Scope of Work," excerpts from the Contract between Suffolk County and Future Resources Associates, Inc.
B.
" Review of Within-Containment Phenomena and Containment Challenges," report by Dynatrek, Inc. under subcontract to this project
- )
C.
"A Selected Review of the PRA Prepared for the Shoreham Nuclear Power Station," report by.P. R. Davis prepared as. part of this project D.
" Internal Flooding Analysis," prepared by H. E. Lambert as part of this project 3
0 G
0 0
~
1 3
4 0
1.0 Introduction O
This report sumarizes the work carried out by Future Resources Associates, Inc. (FRA) under contract to Suffolk County, New York on the project entitled " Consequence Assessment for Suffolk County Radiological Emergency 3
Response Plan." The overall goal of the project is to provide Suffolk County with technical support in its development of an emergency response plan for the Shoreham Nuclear Power Station, in particular by providing O
technical input as to the probabilities, severities, and radiological dispersion characteristics of potential large accidents at Shoreham.
Shoreham is a boiling water reactor (BWR 4-Mark II) in final stages of O
construction on the north shore of Long Island, New York, with an electrical gross power rating of 846 megawatts. The reactor was manufactured by the General Electric Company and the architect-engineering 0
work has been done by Stone & Webste. The location of the reactor on Long Island and the site plan for the Shoreham facility.itself are shown on the next two pages: these are reproduced directly from Figures 2-1 and 2-3 of 3
the NRC's " Safety Evaluation Report" 'for Shoreham (Ref. 6).
j This project is a joint one involving a single unified scope of work under G
two contracts, one with FRA and the other one with Finlayson & Associates of Cerritos, California; under the arrangement with Suffolk County, Fred C.
Finlayson of Finlayson & Associates has assumed overall responsibility to
.)
l l
b l
l
G o
O O
U 0
d 0
G 1
~~
~ ~ ~
N "fq y ky----.
N NNW t
/
~4 8
d}
q l
' u~W~
A.
Q._q --y-F, %-e W Q-h~ ' =
l h
Tf.f I
A L
yg*-
\\g'_
vn
+
-R
\\_..~f n,,2 A T 5 w*
ENE
~
g WNW (,y' A _~
q s
w
- \\
s f
,a' So ns *
=n
\\f "i r
h, g,,
- ('
r* #
$, 5
'\\
R to *
/i pf I
MuE
[S[f-ok
\\
ro / '
soi 40 6 d'-
y i
i,-
I*
l:
N c
(.(
L_
ESE
~
s f
- j..; (.
h, l~~~...
a
/
cE Figure 2-1 Area Within y
1 o
50 miles of Shoreham Sf te SE N
(reproduced directly from the NRC's 6
73
" Safety Evaluation Report" on 8
C.A g
Shoreham,NUREG-0420)
i 1
o 3
l0
.l (reproduced directly from NUREG-0420, the NRC's " Safety Evaluation Report" for the Shoreham plant)
O L0NG
/SLAND S00ND CH"
.O
\\\\+
i y
~
\\
i" 0'
- m
\\==
la
\\
ff s.
ux!$$$inc
.s l
- d
- }*AG
/)!
y/-y l
l C
y d *'
)
%f, o
.3
?
vd/
N
,y--
i)
E!
w 5u o
c o
p c ~4-q V
s i
o soo eco soo soo O
%g Figure 2-3 Plant Laycut J
-~
i 0
4 cocrdinate the two contract efforts. The unified scope of work of the two O
contracts is reproduced in Appendix A of this report, and covers four tasks. FRA, under the technical direction of Robert J. Budnitz, has been principally responsible for the work under Task 1, while Finlayson &
O Associates is principally responsible for Tasks 2 and 3; in each task the other party has played a supporting role. Task 4, involving project management, integration, documentation, and technology transfer, has been a O
shared responsibility.
The contract was signed in late June 1982, and work under it has taken 0
place predominantly in the months of June, July, and August,1982 with this report due in draft form on September 15.
O The review team made a site visit to the Shoreham plant in late June. Preliminary discussions of findings have taken place on an almost continuous basis, informally and verbally, between Dr. Budnitz and Dr.
3 Finlayson in order to assure that both parts of the overall project are integrated effectively. Both parties agree that the integration has been successfully accomplished.
3 The FRA responsibility within the study has been predominantly to carry out Task 1, " Review and Critique of Previous Probabilistic Risk Analysis," and this report covers the work that FRA has accomplished in carrying out Task
- 1. Task 1 has consisted largely of a review of the preliminary draft report coordinate the two contract efforts. The unified scope of -work of the two O
O 4v 9
-c,_
y y
---%.g
, -.,3-,-,,-,w
.- - e,
se
f
.O 5
.I entitled "Probabilistic Risk Assessment, Shoreham Nuclear Power Station,"
O that was carried out by the San Jose, California office of Science Applications, Inc. (SAI) for Long Island Lighting Company (LILCO), the owner of the Shoreham facility. To carry out this review task,'FRA has O
utilized a team of four individuals who possess expertise in various aspects of water reactor safety and in particular of probabilistic risk ssessment-(PRA). The FRA work has been led by Robert J. Budnitz, President of FRA, and has included Howard E. Lambert and Peter R. Davis, FRA consultants, and Stan Fabic of Dynatrek, Inc. (Rockville, MD), an FRA subcontractor.
0 The scope of the FRA work in Task 1 has been that of an independent review, which must be understood as quite different from an independent
~
O analysis of the potential accidents at the Shoreham plant. The purpose of the review has been to ascertain whether the PRA results obtained by SAI in their large and voluminous study are sufficiently reliable ~ to form an S
acceptable basis for the County's emergency planning work. Because the scope of. work has not included significant independent analysis, it is 4
important to realize that its conclusion cannot be considered as a
" stand-alone" conclusion. That is, it depends heavily upon the quality of the detailed work by SAI. This point was made in the original proposal to the County, where it was pointed out that "if major flaws are indentified
.Q in the earlier studies,... it may be necessary to devote a higher level.
of effort to this project." Thus the basis for the project has been an assumption that the SAI work under review is a credible effort, up to the O
standards of the state-of-the-art, and requiring no major upgrading. The 1
0 w
A 4
U.-.
4e-m g.
e.w+,e.m-3-, - -,
p------.
N C) 6 FRA team has attempted to challenge this assumption by carrying out a critical review with the intent to uncover facets of the SAI analysis that might contain inadequate methodology, inappropriate assumptions, errors of a
omission / commission, or biases.
O 1.1 Overall Conclusion 7
The assumption that the SAI work is basically sound has turned out to be correct, in the opinion of Future Resources Associates, and we believe that the following conclusion is essentially the most important overall sunnary 9'
of the results of our study: FRA concludes that the overall results of the Shoreham PRA, contained in the preliminary draft report by Science Applications, represent reasonable conclusions as to the likelihood and magnitude of releases from large accidents at the Shoreham reactor.
As discussed in the text below, we believe that the likelihood of core melt O
accidents is somewhat higher, and the magnitude of radiation releases somewhat smaller than foun'd by SAI. However, we believe that the differences should not cause Suffolk County to modify their emergency preparedness activities significantly compared to what they would do by using the SAI results directly as published. Subsidiary to this important conclusion are our conclusions that the methodology used in the G
SAI study is at the level of the state-of-the-art of reactor risk assessment at the present time, and that SAI's application of this methodology to Shoreham has geneelly been a competent one.
9 L) m w
gg, N
v
.au Ams'a.,e
= w er me e,
-+e
-w w
')
7 1.2 Limitations 0
There are limitations to our acceptance of the SAI study, and these are based on limitations within the study itself. The most important of these 3 -
study limitations, from the point of view of its applicability to the County's emergency planning needs, is the absence of any analysis of accidents arising from the set of " external initiating events" that could I
initiate accidents from outside the plant. Most important of these external initiators is earthquakes, with high winds (hurricanes, tornadoes) and floods also of possible concern.
In addition, internally-initiated 0
fires are not treated. Becaus,e these types cf accidents could be important
~
risk contributors, their omission means that neither LILCO nor the County has a fully satisf actory set of important accidents to use as a basis for O
emergency planning.
There are other limitations to the SAI study, including the approximations, 9
conservative in nature, as to the fission product source term; the way the very numerous accidents were grouped into classes for ease of treatment in the within-plant and containment phenomenological analysis; the absence of 4
a plant-specific failure data base (since Shoreham has not yet operated);
and other issues involving methodological approximations made by the study team. Fortunately, it is our view that none of these limitations, with-the 0
exception of the conservative approximations as to the fission product source term, is sufficiently important that it might significantly alter the substance of the County's emergency planning effort. In any event, 0
0 m
,,.,,,,3
-em
-. --+-
-- +-
!)
t 8
while we found a few places where the SAI report could be improved, we also I
- 0 believe that many of the report's limitations are not SAI's limitations per g but rather are limitations of the present state-of-the-art of PRA generally.
O Our own study within Future Resources Associates, unfortunately, has had limitations of its own. The most important of these has been the relatively O
short time period (about 2-1/2 months) and relatively small level of effort that has been devoted to the project. Although the contract has been sizable from Suffolk County's perspective, the total level of professional O
effort devoted to reviewing SAI's draft PRA report has been only a few percent of the effort that SAI spent on carrying out the PRA itself and, of course, such a few percent effort cannot reasonably be expected to study O
every facet of the. problem. This limitation is, however, balanced in part by the fact that the review team has had considerable experience in the PRA field, which has enabled the effort to be focused on what are thought G
to be the main issues.
Another limitation that hampered our group's work during the first month, 3
but was cleared up in mid-July, was a res'triction on us that effectively barred direct contact with the SAI PRA study team. After it was lifted, our interaction with the SAI team was a full and open tech'nical exchange of 3
questions and issues, at the level of professional mutual respect that we found refreshingly matter-of-fact. We wish to acknowledge SAI's full cooperation, for which we are grateful.
c)
-,m.
a e
e-.
0 9
There are substantial uncertainties associated with the numerical conclusions that SAI quotes in its report. The uncertainties arise from several sources, including the validity of the data base, approximations in the accident sequence fault-tree / event-tree modeling, uncertainties and gaps in our understanding of within-plant accident phenomena, and incomplete understanding of the role of human error and human ingenuity in reactor accidents. Our general view is that the treatment of uncertainty within SAI's study is a reasonable one, including as it does advanced methods for estimating contributions from various sources. We have concentrated on those uncertainties that could particularly affect what Suffolk County might do or decide in the context of its emergency response plan. The discussion in the main body of this report will be in that context.
O 1.3 Objective of the Recort Q
It is important to state clearly the objective of FRA's review work, which has been to orovide Suffolk County with an indeoendent technical O
opinion as to the probab'ilities and magnitudes of large potential accidents at Shoreham. FRA's work under Task 1 of its contract has concentrated on ascertaining, through independent technical review, whether the preliminary 9-draft version of the LILCO-supported probabilistic risk assessment carried out by SAI provides a technically sound basis for emergency response planning.
4 0
g
')
10 1.4 Organization of the Report O
The body of the report to follow will be organized generally along the lines of the scope of work (see Appendix A) for Task 1 of the overall 3
project.
The technical issues that we have covered within the SAI repo. t can be 3
conveniently separated into the following:
- Are all important potential accident sequences considered?
O
- Are the calculations of,the accident probabilities correct?
v'
- Are. the accident phenomena within the plant treated correctly?
- Are the magnitudes of the calculated potential radiation releases
')
correct?
3 The treatment of environmental transport of radioactive materials after release, and their impact on populations, is the subject of Tasks 2 and 3 of this study and is not covered in this report.
g 1.5 Summary of SAI's Results E)
Before continuing with the results of FRA's review, it is useful to reproduce here the main results of the SAI study, in tabular and figure form. These, on the following pages, are reproduced directly from the SAI t) 3 W
- -4M'9%
4 u__
~
.2v-,e---
er-e
9 11 l
i draft report. The first page reproduces SAI's Table 4.1 and Figure 4.1,.in
.f')
which the frequencies of-core vulnerable conditions are shown. Of particular interest.are the uncertainty ranges of the SAI results. The second page reproduces SAI's Table 4.2, which contains the detailed 3
numerical results for SAI's five accident classes. Core vulnerable frequencies are shown along with contingent probability of core melt, and the characteristics of the releases are also shown. The details of Table 4.2 will be discussed below in the body of our review.
, :)
O
-3 0
J 9
48-i uG
12
)
(reproduced directly from SAI's report on Shoreham)
DRAFT-PREUM' p****ay Table 4.1 SU.4tARY OF THE FREQUENCIES OF CORE VULNERABLE O
CONDITIONS BY ACCIDENT CLASS GENERALIZED CLA15 FRIQUENCY OF CQat VUtn(RAsLE CLA13 m
(PEA REACTOR TEAA)
O Loss of Coolant Mateup I
2.7t-5 Loss of Containment hat 2.11 5 Removal LOCA III 3.St.,7 ATV3 W/0 Poison Injection IV 5.1g.5 LOCA Qutside Containment V
2.0C.a
)
Total Core Vulnerable frequency 4.4t.5 (Per Ra Tr) 3 m3 A m si-i.
I coa.=,ss ss ri ac. m i d
u.
a e*
g n
I m5 n
O
^
U 5
m.s gT
~
n
~~
55 l
e s,. w1 g.
).
t a
x m-8 W
Ea-3 to-*.
m-to CLASS I class II CLASS !!! CLASS IV C1.A55 T l
?>
Figure 4.1 Sumary of Core Vulnerable Frequencios, including the Uncertainty Characterization 3
e n
s 13
)
1 i.
s e sl'.sl a l-e y
h a,s
's 's
's g
1
- e a
4 4
8'4 4
4 4
4 4
,a 4
4 4
8
. s t =s,s,s,a
,s
,s ?
s a
s g
s a
a
= s s
,)
g a
4 4 4
3 44 4
4 4
4 4
4 4
4 4
~~
sa s
a a sa s s s a
=,
e,
= s a
44 4.,
4 4
4 4 A
.I
., 's
's 's
's
's
's 's
's
's _'s's _'s's
's
- 4 4
4 4
4 4
3 4 4 4
4 4
4 4
4 8
O
=
v f
e e
a s s s
a a
a a
s s s s s
4 4
4 4 4
4.a 4
4
.a.a a
4 4
4 I
~
s s a
a a
s a
a s a
s s s
a 3
3 4
4 4 3
3
^
.& 3 J..&.&
A a
~
, j j_ s's 's s 's 's 's *: 's 's
=
e
's 's s 0
.a 4
_4 4 4.a.a.s.a 4.a.4 I
E 3
~
~
s W
s s
a s s s s a s s's s s e
J, s
w a a 4
4 4
4 4
4 4
4 44 a
2 4
s m,
I w
3 g
s.
a
- s. s a
s a
I sl:
3 s.
E a[ s.
3 8
8, 3
~
a g
G Et 3
2 i
8 I,
g o
I T
I T
s s
a N
-a s s
e a
1 a
=
E o
..i n
2g m1 s
a
- a. =.
s;: s 1 s s s s
- 1 s s
- s 1
g& 3 3
a
=
- =
3 0
m g'
ja'y g
i s
O E
E f
s gt i I
.I:
e a
V 3
ll gi %
2 3
ij t
i
, e
{.
d r-
= ~= 3
.,3
= =a 1
- 2 {
I -
3. =
as 2
a
.a.
3 m
g !:g s
s s
=5 d
s.3 o
v I
a
}8l Il s
E I :
3
'2
.g
]
3 M
- 9 3
a s..y 2 l
3-I g-J c.
o e
s.
a u
1 js!Ij 3
s #
2 v e s,.
-stis
- .
- r t
- r :.: ;
t :.
es.
~r.,.
-s i
I g,l,i j a !. * :a =s 3
3===' 1 2.i. i..i i. i i. i
- i. i. i. i..d. i. i assi 5
5 8
,1 3
I
- f..
f.
s a
=
i s, 3.1
- i. 3. 3,18 !.
1 I I ! I ll!
I I ! ! ! !I i !
- i-a 3
.f }: 3 I
- 233<
1 s
=
ijss i
E!
?
e e
a s
3:{]i.
,45..'e,g}
3 i
8 i
4 4
4 g,
3
.s
=
'c 3
5 t e.
- ja:
ss 2 5 y
. s s a g a. =a:!
j e
e j i j a. ;s r
s ej gi l
_ si a
s s
a s
s
} i. f t
- e 4
j 4 33 4
4 4
a i
a.
.asaa:
ga
] I ;
- }- }- } _i -:%. }.j }
j:, .g-2 s a s s i 1 1 1 1 1 1 a: a: 53 s! 1_isi3 O. E1 33 44444&44&O&34444444444 l )
3 14 2.0 Are All Important Accident Sequences Considered? O The answer to this question, as mentioned above in the introduction to this report, is negative. In particular, there has been no treatment of g internally-initiated fires, nor of any externally-initiated events, the most important of which are earthquakes, floods, and high winds (hurricanes, tornadoes). These omissions are discussed in the SAI report .:) (P.1-13), and were beyond the scope of that study. The implications of these omissions will be discussed below, but first we will consider whether any important internally-initiated accidents (besides fires) seem to have ?) been omitted. On this latter point, we have concluded that the SAI draft report has .) apparently considered all of what the reactor safety community considers the important internally-initiated accidents. Specifically, we have not found any internally-initiated sequences likely to contribute significantly -OF to the overall risks that have been omitted. Of course, the unconscious omission of important sequences known to others d) in the reactor safety community would be quite unlikely in a study of. this kind... the safety community maintains close enough and open enough communications that any new or unusual accident sequences would almost n) surely have cometo the attention of the study team or its outside consultants. So our conclusion comes as no surprise. t3 This observation of the apparent completeness within SAI's draft ' report does not mean that there are ng important sequences omitted. It only s) A w-
O-15 means that we are unaware of any, nor do we believe that anyone else in the G reactor safety community has thought of any. The strength of our i convictions about completeness is based on the general observations that, I I over nearly a decade of time since the initial probabilistic accident I:) delineation work of WASH-1400 (Ref. 1), there has been hardly any addition to the list of important internally-initiated accidents that WASH-1400 considered. But, on the other hand, who knows whether or when a new 0 sequence will arise, either from operating experience or from analysis? The grouping into sequences that the SAI team used is discussed in detail O in Section 4.1 later in this report. The five classes are described in SAI's Table 3.3.1, which is reproduced on the next page. It is important to recognize in this connection, however, that the-approximately 1600 reactor years of commercial nuclear power operating experience worldwide without a serious accident leading to off-site consequences is a statistically significant data base providing evidence that the ' result for Shoreham is unlikely to underestimate the probability of serious accidents by a laroe factor, unless Shoreham is somehow very 0 untypical in its risk profile of the entire group of reactors; of course, it is just this question that is being addressed by the Shoreham-specific risk assessment. J3 Returning to the known " external" omissions (fires, ecrthquakes, high winds, floods), the SAI team acknowledged in their report (P.1-13) that 3 .3
= ~ . ' ~ ~ i. 16 4 - 9 D (reproduced directly from the Shoreham PRA by SAI) Table 3.3.1 O GENERIC ACCIDENT SEQUENCE CLASSES stata C aCC : tnt swes1 CAL sasts system Llyn. atretstatativt stoutnct Otst:.u :a fan CusstfrCATIOR C37t!BUTMG EVENT stOuthCE stm Enct FOR Cuss Class 1 (C1) salatively fast care melts Transients invetving less of Transient with less of )- sentainment intact at care inventary noteues ses11 hign end.los pressure - melt and at Isu pressure e shall LOCA events involving CSGIant mete 4e less of inventary meteus; transtents involving less of serem function and ineellity to prestes suffittent caelant meteve O Class !! (C2) Relatively stem core melt Transients er LOCAs involving Transtant with loss of "~"c s i due u le or s uar u t ten of contat-ent nut re. russuai nu t m evei n eener; tentalruient fatted sevel ginaevertent sAV seering
- / '+ ' -
prior to sere melt accidents witR inadeguate nest removal tageti11ty i ., -~. Class !!! (C2) nelattvely fast care melt; Large LOCAs attn insufficient Lage LOCA wita less
- e, tentatrument intatt at Care Caelant matevE trenstants with of ou pressure tC3 melt but at htgn internal less of neat reeval and long.
3 tore less of inventary noteue pressure Spv fattures atta insufftstent ecolant asteve Claes IV (Ca) selatively fast care ment Transtants tevolving less of Treasient witn failure containment falls prior te scree functten and less of of R7s and fatture er tort sett the la everpressure contatment neat reevel er all of sLC3 reettivity centrett trenstents '9' witA less af scree function fellemed by actuated sacrossuri. satten LOCAs outside containment with LOCA in main steen Class V (Cs) Relatively fast care melts. insufficient coolant makeus to Itnes with fallere sentatraent fatled from ini atten of aesteent due to sere;tpv fattures ahttA result of M5tv closure and eeutament fattures ta taneetate tentatrument fatture less of ECC3 O 3 9 -t
ee Y re Apme s lS 17 i l these were consciously and specifically excluded. The reasons for the omission are probably a combination of two things: first is the fact that treating external events and fires in a PRA is considerably different than treating internal initiators, requiring a different methodology, large 9 additional manpower resources 'different in character from the rest of the study, and yielding results of even greater uncertainty than the uncertainty in the rest of the PRA analysis. These large uncertainties are D because the methodologies ar'e immature and the data base weak. Second, the SAI study team believed when the project began in 1980 that these external events and fires were not_ as important contributors to risk as O internally-initiated accidents, nor as amenable to cost-beneficial risk reduction (Ref. 2). In the intervening two years, our ability to analyze the risk contribution from fires and externally-initiated events has advanced considerably. Benchmarks of this advance include the recent publication by Pickard, Lowe, & Garrick of seismic and fire PRAs at both the Zion and Indian Point reactor stations (each a two-unit station with Westinghouse PWR's); the completion of an important NRC-sponsored seismic methodology development effort, the Seismic Safety Margin Research Program at Lawrence Livermore National Laboratory; and the inclusion by consensus within the draft PRA Procedures Guide (Ref. 3) of an " acceptable" methodology for PRA analysis O of earthquake-and fire-initiated accidents. With these methodological advances have come the first probability-based insights into the quantitative contribution to risk from these sources, albeit with very 0 3 .1 --n - +, -a,e.--
4 g j. O~ 18 i large uncertainties and important conservatisms in the analyses. To the O surprise of some in the reactor community, the Zion and Indian Point studies have told us that neither earthquakes nor fires can be neglected as I contributors at those power. stations to overall public risk. Their 30 apparent preeminence at Zion and Indian Point is partially because internally-initiated accidents were found to be much less important than was found in WASH-1400. D Fortunately for the purposes of this report, one member of the PRA review team (Budnitz) has recently been reviewing the Indian Point PRA 0 specifically from the perspect,ive of the risk posed by earthquakes and high winds (but not fires). His basic conclusion vis-a-vis earthquake-initiated and wind-initiated accidents at Indian Point is that the O methodology is clearly adequate to tell us what types of accident sequences are likely to be of most concern, and whether these initiators pose important safety-problems (at Indian Point, they do,). But the 3 methodologies do not seem to be mature enough to provide reliable cuantitative calculations of the probability of core melt... thus any j numerical comparison of internally-initiated core melt frequencies or O public risks with those from earthquakes and winds is of little value. l An important observation from the Indian Point study is that accidents O initiated by earthquakes and winds seem to involve phenomena quite similar to those involved in the ensemble of internally-initiated accidents: that is, the accident phenomena themselves do not seem to form a different set l O l l t i s
x. O 19. of phenomena that must be considered separately in the sense of comprising O different types of releases. If this observation is generally valid, then the main impact on overall PRA results would be to increase the probability of releases already treated in the analysis, with less impact on the spectrum of releases and consequences. What insights about Shoreham can be obtained by transfer to Shoreham of our recent increased understanding of externally-initiated accidents at other plants? Unfortunately, not much. This is in part because there is not yet available any external-events PRA analysis for any BWR reactor (the PWR's 0 analyzed to date are in detail not remotely similar to the Shoreham design), and in part because the accident-initiating events found to be important at Zion and Indian Point are quite site-and design-specific in O detail, involving features that are unlikely to be reflected at another plant. Much thought has been given by the PRA review team as to why useful insights applicable to Shoreham cannot be reliably gained from studying external-events PRA analyses at other reactors. Our negative conclusion arises basically from our belief that if earthquakes, high winds, or fires give rise to important accident sequences at Shoreham, the sequences themselves are likely to be idiosyncratic to Shoreham, or in some cases possibly generic to BWR's (or BWR Mark II reactors) as a class. Absent any specific analysis, we conclude that the contribution of these sources to residual public risk from Shoreham is simply not quantitatively known, in terms of either probability or character of consequences. O " ' **
- RT.* W[ * *** ? ),*
~ m
i@ 20 The' insight (at the PWR's studied elsewhere) that the accident phenomena 9 are not qualitatively different in kind from those arising from internal sources is, of course, a reasonable one consistent with the intuition of most students of the problem. If this insight were to hold at Shoreham, O then emergency response plans based on accident scenarios from internal initiators would likely afford reasonable protection from these other types of accidents as well, provided that the special external circumstances 0 surrounding a large earthquake or hurricane are adequately included in any -l response plans, but the "if" in this proposition could be a weak reed. O .O 6 '3 9, ~ ~,..,.~..,,...y.
"*f" e w m o 0 21 3.0 Are the SAI Calculations of the Accident Probabilities Correct? GP To answer this question, the FRA team reviewed the methodology used by the SAI analysts, considered the validity of the numerical data base, and 9 repeated selected calculations to ascertain how sensitive some of the results were. Because the numerical quantification of literally hundreds of sequences, within many different event trees, was beyond our capability, 3 we are not able to affirm the specific validity of each SAI accident sequence. However, we believe that such a detailed review has not been necessary to satisfy Suffolk County's objective. 0 3.1 Methodology Considerations d) The methodology of the SAI analysis includes numerous advances over the WASH-1400 analysis of Peach Bottom in 1973-1974. We concur in the 3 judgments of the SAI team that the use of these advances improves the analysis. An example of the different approach taken at Shoreham is the incorporation of certain important support systems (such as instrument air, O AC power, DC battery power) consistently within the fault trees rather than having some of these in the event trees, as in WASH-1400. This approach allows for easier analysis, but carries with it an increased risk that CD common dependencies might be missed through oversight if the analyst gets sloppy or forgetful. We believe that SAI's approach is a valid one, which can produce valid results if executed with care. c, [ l 0 m,-......- -... 7...
... - ~ _ _ . L.. . ~ ~. e-s O 22 y Another advance is the differentiation id the Shoreham study between 3 accidentsidadingtoa" core-vulnerable"conditionandthosethatproceed further to " core melting." In the WASH-1400 approach, any accident proceeding as far as what SAI here calls a " core-vulnerable" condition was assumed to proceed all the way to " core melt"; that is, there' was no differentiation in WASH-1400 between the two conditions and the more conservative approach was taken. The v.eason for this was that in 1973-74 there was no existing niethodology for consistently calculating the ~ differentiation between these two conditions, and the WASP-1400 study team was not able to develop one within the resources and technical knowledge of the time. Now, eight years later, this differentiation is feasible, and the SAI analysts have developed it further and applied it in the Shoreham analysis. O i j' In our opinion, this differentiation is an 'advan:e: it was understood in t. the WASH-1400 period that the conservative; core me.it assumption was not +' e 3 v correct, and the Three Mile Island acc,ipent told ut, this as well. (The TMI accident, if treated with the WASH-1400' methodology, is called a, full " core ( I melt," although it was certainly not.) For purposes of comparison,-the 3 probability of " core-vulnerable" conditions at Shor ham is what should be ,e compared to " core melt" in WASH-1400. The lumerical results of the S hreham analysis show that the fraction of " core-iulnerable" sequences that proceed i 'O 'i to " core melt" ranges from several percent (fo'r what are called Class I and r /,- .+: II events) to 100% (for the Class y cedegory). In Section 4.4 below, we L will < discuss in detail the question of 'whether SAI's quantitative Q j conclusions in this. area are valid. ,.4 ii /, 1 l / !c t h .,,w...,=...-m-u .,,2., g y.
13 23 Still another methodological advance is in the way uncertainties are !3 estimated. Since the WASH-1400 team pioneered with their analysis, a variety of different methods have arisen for getting a numerical handle on these uncertainties. The approach taken by SAI in the Shoreham study is to 3 use Monte Carlo methods to model how much difference in the final results would arise from various changes at the front end, or in the data base. This seems to be a reasonable approach, and its conclusions are also quite '3 reasonable (see Table 3.8.1 on Page 3-172 of the SAI main report), but we did not review it in detail because of our judgment that the conclusions were reasonable. C) Of course, there are still methodological problems that temper the confidence we might have as to the validity of PRA results for frequency ') of, say, core-vulnerable or core melt states. Among these are a variety of issues in the arena of human factors, and these methodological issues stand apart from issues of human error quantification, about which we will say more below as part of our discussion of the error data base. A key example of methodological inadequacies is the failure of PRA methods gen'erally to consider adequately the ability of reactor operators to cope, through improvisation and ingenuity outside of standard procedures, with accident sequences as they develop in real time. The coping must surely 0 allow operators to terminate some sequences successfully that otherwise would develop further into high-risk accidents. Yet we do not know how much difference this inadequacy makes to the final results. On the other l C) 4 .. ~
D 24 side of the same coin is the possibility that even well-trained operators, 3 being fallible humans like the rest of us, might significantly aggravate a sequence that in the standard PRA analysis is terminated successfully without damage. 0 + j Another methodological limitation in a related arena is the present inability to model control system failures well enough. The '4 event-tree / fault-tree approach intrinsically views accidents-through the concept of system functional failures caused by underlying component and support system failures or unavailabilities. In its present state of C) maturity, the methodology can only incorporate control system failures through ac! hoc analysis of when, and how, multiple component system failures might arise from control system failures. While this ad hoc f3 analysis is probably adequate for most sequences, we do not know whether it does acceptably well when " time is of the essence," that is when rapidly developing events, especially in the early stages of some accident classes, O could severely tax the operators' capabilities or the resilience of some components. 43 Time sequencing issues also underlie uncertainties in event tree delineation (and, to a lesser degree, fault-tree delineation). The event trees are written down in a time-ordered fashion, but issues can rise of ' 6) 'which failure occurs first" and of whether recovery might occur later in a sequence. Again, whether this set of issues makes a significant difference to the final results is not known, although our experience leads us to " '3 expect that differences are unlikely to be large. \\; 4 L ..r;.,....:........,,...,........:..
a N 25 ,0 As described in the NRC's PRA Procedures Guide, quality assurance is very t important in the generation and analysis of fault trees. For example, if the same event appearing in two or more places in a fault tree were ' :J mis-typed when entered into a computer, one can make an error as large as a factor of 100 (usually non-conservatively) in computing accident probabili. ties. (Such numerical errors would probably show up, of course, in t) the final analysis.) It is important to note that we did not check SAI's fault trees, nor did we run an independent computer analysis of their fault trees. i O None of these methodological limitations is 'special to the Shoreham PRA analysis by SAI: all are generally shared by other PRA studies on other 3 reactors. Indeed, progress is gradually improving our confidence that -these limitations are not important enough to invalidate our confidence in the conclusions of PRA... but they do t'emper our confidence, in an 0 unquantifiable way. The tenor of the above discussion reveals our overall conclusion about the 3 methodology used by SAI in the Shoreham analysis. That conclusion is that the SAI methodology, though it suffers from some generic 1, imitations I-common to all reactor safety PRA's to date, nevertheless represents the 'O present state-of-the-art; it includes.important methodological advances in some areas. We believe that it is an acceptable basis for estimating the probabilities of the important internally-initiated accident sequences at O Shoreham. i 0 L
,. ~.. I i ? 26 3.2 Data Base Considerations .O The validity of the failure data base is vital to the validity of any PRA analysis. A couple of issues in our present case represent limitations that might be important. First and foremost, the Shoreham reactor is still 'in final stages of construction, so we have no data on failures at Shoreham:- the failure data must generally come from industry-wide sources. O But operating experience has told us that some failure and unavailability rates can vary widely from plant to plant, and we don't know whether Shoreham will be above or below average. O The other side of this coin is that significant advances have been made recently in identifying below-average design, maintenance, aN test "m practices, by study of LERs and plant-specific attention to determining root causes of system.and component failures. To the extent that these activities represent improvements, a new plant such as Shoreham can take 0 advantage of this experience to improve its performance over the average performance of plants already running. O Human error quantification is the other arena where data base issues seem to represent a limitation. The SAI study team has used the accepted industry-wide reference for most of its human factors failure data (Ref. O 4), but these are widely understood to contain large uncertainties. In particular, the failure data are lumped into broad categories whose applicability to specific sequence situations at Shoreham must surely be only approximate. Also, how Shoreham's operators will behave, c'ompared to industry averages, is of course not known. O i -*w?. m.... ..y......,,,,,,,
~ ,A ) 27 Despite the limitations just discussed, it is our conclusion that the O Shoreham PRA analysis under review has used state-of-the art data bases generally. We have found some specific cases (see below) where we do not agree with certain specific numerical values, but we conclude that the data '3 used are a generally acceptable basis for estimating accident probabilities at Shoreham. 0 3.3 Specific Accident Seouences -- An Eclectic Critioue O To review quantitaticely all of the important accident sequences that SAI quantified in its Shoreham analysis was not possible (and in our opinion not necessary) within the scope of this report. We took the approach of studying what SAI wrote down in their event-tree delineation, and using our experience and judgment to ascertain whether the approach and results were roughly congruent with our expectations. This is what characterized our 4 accident-sequence review. This activity consumed a reasonable fraction of all the effort spent on this project. In the course of it we found that most of what we studied l was unarguably consistent with our experience and understanding, while l there were only a few cases to the contrary (albeit important cases). For example, we have already. mentioned above that we examined the list of I internal accioent initiators to ascertain whether SAI had left out any from the list that we would have used, and we indicated that they had not O l
- )
e.-..-om...-. ...-..n...__
7..... 4. . a - - ;- 28 i (except fires). We also attempted to look at some of the numerical values O that SAI used in order to see whether they agreed with our collective i experience. In the course of this review, we found ourselves comfortable with almost all of the numbers we examined, the exceptions being noted 9 below. Perhaps the most important part of the PRA analysis where we find that our 'O review does not agree with the SAI draft report concerns their analysis of internal flooding (their section 3.4.4.1 and Appendix G).,' In particular, consider the situationin which portions of crucial safety systems are O disassembled for routine maint,enance during plant operation. 'If during this disassembly the valved-off component is accidentally reconnected to its pipe (such as accidentally opening a motor-operated valve that has been G closed to allow the maintenance), then release of water through the opened valve will occur. If the mistake is not prompcly corrected by re-closing the opened valve, an internal flood can result; such a flood at " Level 8" D inside the reactor building can quickly inundate several pieces of critical safety equipment, and its analysis as a special issue was deemed so important that an entire Appendix G is devoted to it by SAI. 3 A detailed numerical analysis of this issue, by H. E. Lambert of our review team, is presented in Appendix 0 to this report. We will briefly discuss O here the main issues and conclusion. We believe that SAI's analysis contains some errors that underestimate the internal flood frequency, the correction of which would raise the core-vulnerable frequencies for Classes S I and II. l E O. m +
- w we = *.. '. =....,,..,,....,,,
.( s a n O j 29 l-The events leading up to a disabling ficod are as follows: I O Event A: On-line maintenance of some critical system Event B: During maintenance, the system is disassembled Event C: - Inadvertent opening of isolation valve, causing the flood Event D: Failure to reclose valve within specified time period ~J. Event E: Operator erroneously isolates the power conversion system during flooding causing the accident because the heat sink is lost We believe that the initiating event is Event C: -the occurrence together of Events A and B defines a vulnerable system state that permits C to initiate the fl Jd. Because Event C is an initiating event, we must compute its frecuency, and also the failure on demand of Event D. g Event C's frequency (in units of events per year, or the like) must include the pre-existing presence of the vulnerability-inducing states A and B. The units of the events, in the calculation, should be maintenance acts per ) year (Event A); probability of system disassembly given maintenance (Event B); conditional probability of inadvertent isolation valve opening given maintenance with disassembly (Event C); conditional probability of failure ) on demand to reclose the opened valve (Event,D); and conditional probability of erroneous operator isolation of the power conversion system (Event E), which then would initiate the accident. We believe that SAI has j ) incorrectly used system unavailability Event A, and that their r calculated resultTs about a factor f 100 ower than the value we obtain, ~~ I all of which is explained in more deta n Appendix 0 to this report. g 3 D 4 ---.y,,- .7 4 t w y --w-.- r w--- -s- + ,<sw-o-,--- .m,e o-,e.a,e v
. ~.. . -. ~. ~... ....-..t... e_... Q. 30 In addition, we believe that the SAI team has used an incorrect value for 9 the Event D failure (probability to reclose the accidentally open valve): _-== SAI uses' O.05,for this probability whereas their primary reference source (Ref. 4) uses 0.25, if one accepts that there will be highly stressful ') conditions during the period when the operator action will be required (see Appendix D for details). } An important assumption made y AI.is that flooding to the six-foot level will not result in automatic closure of the MSIV's. (SAI does assume, however, that reactor trip will occur.) It is important to verify that the assumption regarding automatic MSIV closure is true. Otherwise the power conversion system is lost and the only normally available coolant makeup system is the condensate system. In this case the accident frequency caused by flooding would increase by an additional factor of about 10, and a design change might be necessary to overcome the problem just discussed. 5 If our flooding analysis is correct, then the internal flooding accident frequencies are at least of the order of a few times 10-5 oer reactor year, and as described in our Appendix D could be much higher, depending 9 upon how human error rates are quantified. These accident sequences then become dominant for both Class I and Class II ty1e accidents. 04 There is another part of the SAI analysis where our review team disagrees with the SAI work. Our difference of opinion enters critically into a key class of accident sequences, the so-called ATWS group (Anticipated O D N ' %
- 1**
O -= e. e * - d-e se, go "-r-1 w s n n, .e, , n .,,m, w
O 31 Transients Without SCRAM), which comprise Class IV of the five classes into 3 which SAI grouped the Shoreham accidents. These sequences arise when one of several anticipated transients cannot be properly controlled because the " SCRAM" system (which inserts the control rods) fails to. shut down the 0 chain 'eaction. If this event were to occur, back-up engineered functions r are brought into action to bring the reactor to safe shutdown: these are discussed on pages 3-94 ff. of the SAI report and include the alternate rod O insertion system; the standby liquid control system to inject baron poison into the core; trip of the recirculation pumps; and operator procedures. Of course, the critical failure that drives this sequence is the failure r O to SCRAM on demand, for which there are essentially no empirical data upon which to base an analysis. O The SAI report selects as its value for failure to SCRAM on demand the likelihood 3 x 10-5 (about one failure in 33,000 demands). In its discussion (see p. B-111 ff), the report points out that "Tne calculation 3 of Scram system reliability has been an issue which has taken on botn technical and philosophical aspects over the last seven years." This is because within the regulatory arena the issue of whether reactors are 9 adequately safe against ATWS events has been one of the most hotly-contested issues in recent years, whose regulatory resolution is still not complete. Unfortunately, there is also no consensus in the safety corrrnunity about how to go about calculating the value for this failure nor about which value should be used in analyses such as the Shoreham case. O O s .....s z. .,e
- . : ve..
++ye-****= 4.~ ++ w.3
~ ' .f* i ,J 32 1 While admitting that the situation requires a good deal of judgment, we l0 believe that the value chosen..by SAI is too high, by a factor in the range of 3 to 10... that is, we would have chosen a value of 1 x 10-5 to 3 x ? 10-6 instead of their 3 x 10-5 This judgment, based upon nearly a 0 decade of study of the issue, cannot be defended analytically; but we do h believe that the 3 x 10-5 value, which SAI seems to state (p. B-115) is .i j chosen with a conservative bias, is too high. (Of course, we are aware that certain industry calculations fall in the range of 10, or l sometimes much smaller.) i The impact of this judgment on. SCRAM failure probability is practically linear in the results of core-vulnerable and core-melt frecuency for Class IV. However, even though our best judgment would lower the likelihood of ~ Class IV accidents, we believe that it is prudent for Suffolk County to .se its emergency planning on the Class IV core melt values as quoted in the SAI draft report... this approach takes cognizance of the .3 ~ observation that our difference of opinion with SAI is a purely judgmental ~ one. O There were other areas that we reviewed which are important to the SAI analysis. For example, as part of our review we studied the discussion on l success criteria found on pp.1-22 to 1-27 of the SAI draf t report. It 0 is clear that in any analysis of accident sequences, whether the outcome is " successful" (that is, leads to an adequately cooled core without vulnerability to core melt) depends crucially on whether the design t0 ? 3 l I . ~,,... ~ e _e -n4 ,4 .-,,o
^ O. 33 requires, say, all 4 low-pressure pumps or, say, only 1 out of 4 to cope 9 with a large LOCA. The success criteria chosen by the SAI analysis team have been taken, according to their report, from manufacturer's (GE's) reports and analyses, and the report comments (page 1-22) that "it is 0 believed tha't the success criteria so defined tend to be conservative." We were not able to assess this claim independently, although it makes some sense to us because the postulated conditions in the GE analysis are i P limited in a conservatively biased direction. We wish to call attention to i this observation as a possible source of uncertainty in the SAI results, which if corrected would lower their calculated core melt values. .g We also looked at the way human errors are incorporated into the component and system failures. Here our understanding is that the SAI team has 'I basically relied on the standard data source, the work by Swain and Guttmann (Ref.4), for the human failure data. Since this is the standard work and there is no better source at the present time, we have no quarrel 3 with the SAI team's decision here, but we feel it important to point out that there are very large uncertainties in tt$e values for human failures that Swain and Guttma,nn quote. Even in the situations in which these O values are applicable, there are large variations in the error rates from l one human to another, but the stickier problem is that the actual environments in which the human errors will occur $eactor accidents are not ' O those in which the error rates used are necessarily directly applicable. l Of course, this is a problem that is generic to reactor PRAs as a class, and not special to the Shoreham effort under review here. But again we G 0 r
~ 34 wish to call attention to this issue as a source of possible high '3 uncertainty in the SAI results. Certain other assumptions, necessary in the SAI analysis in most cases for 'a' want of any better approach, merit brief discussion. On page 1-30, for example, the SAI report says that "The failure of display of information to the operator is treated as a random independent failure or set of failures and is not dependent on the accident sequence." The limitations in this assumption are clear: that is, independence is obviously not fully true for some sequences, but we understand (and concur with) the reasons why the assumption is made-Also (p.1-28), "The maintenance contributions in the fault tree model are modeled as mutually exclusive among certain systems consistent with the Limiting Conditions of Operation. An example of this would be that HPCI is not allowed in maintenance if RCIC is unavailable." While this seems reasonable, it is clearly non-conservative to some degree, since LCOs are not always obeyed. Another guideline used in the SAI ~ analysis (p.1-28) is that " Plant components are presumed to meet all performance requirements consistent with licensing." This assumption implies that, although a component or system might be unavailable, if it 9~ is operating it will perform essentially at least as well as the licensing requirement. Again, this reasonable approach contains some i (unquantifiable) error. 9 4) ll r ~~ - -<- ~
~ l0 35 I i 3.4 Implications of the Review of Specific Accident Sequences ,9 Our review of specific accident sequences described in the SAI draft PRA i report has resulted in several specific comments that have been discussed IiG in sections 3.1 - 3.3 just above. Here we will cons ~ider the implications fj. of these findings for Suffolk County's emergency planning activities. i jQ Our most important quantitative finding is an apparent error in the SAI calculation of the probability of severe internai flooding: we have l discussed this in section 3.3 and in Appendix 0 of this report. p ur 0 interpretation of the frequency of flooding at elevation 8 of the reactor ilding is correct, then the f quency of core-vulnerable conditions in accidenk: Classes I and II is raised considerably: mostly in Class I in our 1 opinion, with some effect on Class II as well. The SAI report gives as its best-estimate for core-vulnerable frequency in Classes I and II the following: 3 Class I 2.7 x 10-5 per year Class II 1.1 x 10-5 per year 0 The conditional probabilities of core melt are given as 7% and 8% for these two classes, respectively. -O If our analysis is correct, these care-vulnerable frequencies would be considerably higher. Because we have not been able to carry out a complete O systems analysis, we believe that our choosing a number and sticking to it '3
7 .~ O 36 1 as "our value" is inappropriate: we believe it is more appropriate that 9 AltCO and SAI carry out a proper analysis. We not only believe that the - core-vulnerable numbers will rise, but also that the conditional probability of core melt might increase: to be precise, if flooding 0 dominates Classes'I and II, then the flooding sequences should be used as the basis for computing the conditional probabilities, with the possibility that core-melt might be mcre probable than 7-8% given the amount of equipment taken out of service by a flood at elevation 8. With these provisos, we believe that it is prudent for Suffolk County to use a number in the range of 10-4 per year as the likelihood of core melt from both Class I and Class II: use of this value as input to the planning basis for the County emergency planning activities will prudently 0 allow the County to protect against accidents at Shoreham within Classes 1 II. Also, because no core-vulnerable / core-melt analysis has been done for j these internal flooding sequences, we believe it is prudent to ignore this factor for the time being in these classes. (As it turns out, using these higher values probably makes almost no difference to the Suffolk County emergency planning activities, because Classes I and II dominate the accident planning basis one way or the other.) For the other accident Classes, tne only one where we believe the SAI O results are probably not correctly representative of the real accident frequency is Class IV (the ATWS accident group). However, as discussed earlier, even though our best estimate would lower the SAI values for G k k.h 9 g 4 M Sp 9 g hg ye .gg g, g ,a.,-- ,--v.-e-,--,,-..
-= .x. .l-m,,,,,,_,,,, ! O 37 i-core-vulnerable frequency by a factor of about 3 to 10, we recommend that Suffolk C ty use the SAI values as a prudent planning basis. 9 Our review revealed some important cualitative conclusions that should be me in ad. Most important of these is that we have found the SAI O analysis of a. de t_sec'ir.es and.the.f r probabilities to be on the whole a fully competent, state-of-the-art analysis. Also, we believe that there are major uncertainties in the results of these analyses today, not only 9 the analyses by SAI but analyses by all teams that carry out reactor PRA3: we have touched on some of the underlying reasons for these in earlier discussion. Nevertheless, we believe that the SAI group has taken some a care to understand and quote *the ranges of their uncertainties, and we find their uncertainty analysis for the accident sequences acceptable. O 3 3 0 .) m,.
.e O e 38 I 4.0 Are the Accident Phenomena Within the Plant Treated Correctly? {jg The approach taken by our review team-in reviewing the accident phenomena parts of the SAI draft PRA was to ascertain whether the analytical methods bh I employed are reasonably consistent with the present state-of-the-art .I t methods now used for these calculations. Members of the FRA team are quite
- i familiar with the level of understanding within the broader reactor safety G
connunity about these phenomena, including a recognition of the significant limitations to our present understanding. I 1 :-) i The basic conceptual problem being addressed here is as follows: we postulate the unlikely situation that the Shoreham reactor has reached a l physical state in which a core-degradation accident is underway. The !q ll accident sequence that has led to this physical state is assumed to be understood, in the sense that the event-tree / fault-tree analysis has revealed to us a specific sequence of equipment failures and human errors leading up to the-onset of core degradation. (It is not necessary for the purposes of this part of the' analysis to know the probability of the sequence.) The problem is to attain acceptable understanding of the C physical sequence of events following the equipment failures modeled in the event-tree / fault-tree analysis, beginning with the onset of core degradation and continuing through until the reactor core is either 0 securely cooled, or has melted (wholly or partially), releasing a fraction of its fission products to the reactor vessel, the containment structures, and possibly the environment. 0 0 '*f* en sa ey y,. s. a x
- I l
39 In order to carry out Quantitative calculations of the phenomena, one jO requires a variety of data, some conceptual understanding of the physical and chemical events, and a calculational model embodying this l understanding. The calculational model should incorporate not only the l0 physical reality of the~ reactor plant itself, but also the functioning (correct or degraded) of various engineered systems within the plant. {O In an ideal analysis, it would be desirable to calculate the sequence of f phenomena for every important accident sequence that follows core e degradation. Unfortunately, though every accident sequence is different
- 0 from every other one, such a massive effort would be beyond the cal:ulational ability of any team of analysts today. Also, because our understanding of thse phenomena is limited it would not make much sense to O
model each specific sequence separately: differences among similar sequences are far less significant than uncertainties in our understanding. G For these reasons, PRA analysts generally have grouped the numerous accident sequences beyond. core degradation into categories, each category being treated separately in the calculation o'f core degradation / melt ' 0 phenomena. This grouping allows the analysts to treat a tractable' set of issues, with the limitation that errors and uncertainties are introduced because of the approximate nature of the categorization process. O ~ Each group of accidents is characterized by a set of conditions: examples include high or low pressure within the reactor vessel; containment O O .,9__,r. -*e-,.-
_.~. a m .g. (.,, 19 40 integrity intact or already failed before the onset of core degradation; O time elapsed since SCRAM; various engineered safety systems either available or failed; and so on. The challenge is to develop an acceptably accurate quantitative analysis of I j what happens to the core and its fission products, and how, and in what i ~ sequence, and under what phyhsical-chemical conditions. The result of the 0 analysis should be a quantification of fission product releases from the plant in terms of species, quantities, times of release, physical-chemical conditions of the release (energy of the release, physical f.orm, etc.), and 0 some measure of the confidence.of one's conclusions. FRA's purpose in this review has been to develop an understanding of what 0 the SAI analysis team has done in the course of their work, so as to ascertain whether their results form an acceptable basis for the calculation of offsite consequences: if the SAI calculations do form such 3 an acceptable basis, then Suffolk County's emergency response plan can utilize them. D The approach taken by the SA! analysis team was to utilize a well-known, widely used, and well-documented set of computer-based models known as the MARCH-CORRAL code package. These codes, originally developed under AEC/NRC 0 sponsorship for the 1973-74 WASH-1400 analysis, have been the main method of analysis of these phenomena ever since. However, it is widely known that these codes contain important approximation ~s, omissions, and other O .) O O W*' g + - v ..g. ,--+~,egi. =w=,c-.--v,. ,-ye-s,,.., --,-w, -,-+m--- --r+- - - - - - - - - - - - ~ - -
_.. _. +.. ..w. r ?O 41 h limitations that make their modeling of physical reality less than precisely correct, and indeed the limitations of MARCH and CORRAL have been ,) j a continuing subject of research, analysis, and discussion in the reactor safety community for much of the last decade. In addition.to the e [3 . MARCH-CORRAL codes, the calculations of the accident phenomena require l various types of input data, the most important of which are the fission-product release fractions or partition fractions in various stages of the postulated accidents. Examples include information about fission a f product releases from the fuel pins during fuel melting; fission product i partitioning in a water / steam environment as a function of pressure, + temperature, and other conditions; and fission product plateout, transport, g and the like in the airborne s' tate. The' MARCH-CORRAL code requires data such as these essentially as parametric input to its modeled calculations. O The SAI analysis team made modifications to parts of MARCH and CORRAL in order to tailor the code to the Shoreham reactor, and to incorporate some recent insights about various phenomena. These modifications do not g substantially modify the basic operating philosophy of the codes, nor their major limitations. 0 4.1 Grouping of Accidents into Classes .) One important question that we have looked at is whether the grouping of accidents into five classes by the SAI team is reasonable. The five Classes can be briefly characterized as: 3 3 ~" ,y.,.
- ^
.~..- -
t _..2 ' 4) 42 f Class I-Loss of Coolant Makeup Accidents q3 - Class II Loss of Containment Heat Removal Accidents Class III Large LOCAs Class IV ATWS (Anticipated Transients Without Scram) without Poison Injection Class V LOCAs Outside Containment (including .) Interfacing Systems Accidents) All accidents leading to and beyond core-vulnerable conditions are placed in one of these five Classes, and the five Classes are dealt with . a separately in the subsequent (MARCH-CORRAL type) analysis. We have studied the validity of this approximation, and find the grouping by SAI to be i fully acceptable. We believe that some differences exist among accidents that are grouped by SAI into a common Class, an example being the variety of accidents grouped under Class II in which containment residual heat removal fails: the very long time that it takes for the Class II accidents d) to evolve is characteristic of the Class as a whole, but differences in detail emerge depending on which safety systems fail in which order. However, in this case (as generally), we believe that the grouping is a 'D reasonable approach. Our reasoning is that the uncertainties in the phenomena are sufficiently great as to overwhelm any additional "information" that might have been gained by a grouping into more numerous a Classes; and that the choice of specific sequences within each Class to serve as the model for each Class is also reasonable. S ) An important issue is the time duration between initiation of the accidents and the eventual release of fission products to the environment: this will differ from Class to Class substantially. We have studied the general () i b -m- ,e r --.-----w---,,- m. e.-e-n
... ~. -u grouping from this perspective, because of a concern that perhaps there O could be mis-classification from the perspective of time evolution. We tend to affirm that the time evolution of the Classes is reasonably consistent with our experience: for example, the Class II accidents evolve 1 very slowly compared to the other Classes, and we believe that all of the accidents grouped into Class II behave in this way. This conclusion allows us to deal with all of these accidents together in discussing their 4 emergency-planning implications in the context of Suffolk County's needs. O 4.2 Review of Phenomena After. Meltdown The approach we have taken for ascertaining whether the SAI meltdown '3 analysis of each accident Class seemed reasonable was in part the use of subjective judgment based on the experience and knowledge of the reviewers, and in part some independent calculations of a few of the phenomena 3 involved. These independent calculations, carried out by Dr. Fabic, tend to support the validity of the SAI conclusions for many of the important post-meltdown phenomena, with some exceptions that will be discussed next. O I A general elevation-view drawing of the Shoreham reactor and containment O building is shown on the next page,. reproduced directly from the NRC Safety Evaluation Report for Shoreham (Ref. 6). The main important features to 'G Q
- r. -
..w_,- a-- ~ u ...-.a-e '4
- - ~.
2...., w = 44
- j) 4 k
9 P^ L
- 6 i.
3 O h l s6s amat a mr< L' T [ 2 le 9 !gg,y I .3 .m. .,g. r r. u -< "as.*I.Il**. f A m. 3 <'.aem WWEb P H 16 F,* ( f i.. 1
- t g,t r=,==,
t,. 7 ) [ I 9 i te f' i a +' 3.h LO . 3 ~ j W i T. "'$, /p s% iil'( D ':] -. 3 !p 'l4 i?/ C'* n_ 2 I g"w-. s i j gq 'j 1 1 e e ..se e ur um n4 E i e ' t *,.] j '. P.7 - P,. y .f 9 .'* j i,2j Y;' '*r 's .J -5 + 7 6ess i e6a = M E p 9 u.e* poseg; l a. I t J i sem e. s d i l, l 1 7$ k U_ h# y p, ),:.*; ;4 'e***
- Mf-w
'3 F'gure 6-1 i t Shoreham Mark II Containment (reproduced directly from the Shoreham " Safety Evaluation Report" by NRC, NUREG-0420) 4
n m. .s.. e a 'W 45 concentrate on for our discussion below are the location of the suppression .-) pool at the bottom of the building, and the downcomers penetrating the drywell floor below the reactor itself. 3 That the MARCH code (which models the highly complex processes involved in a meltdown) has deficiencies is, as mentioned above, well known. In Appendix B, some of these are discussed by Dr. Fabic, and his discussion g will be excerpted here, as follows: "In the course of the SASA (Severe Accident Sequence Analysis) calculations being performed by the Oak Ridge National Laboratory (ORNL) for the USNRC as applied to BWRs, the ORNL engineers have also come to the conclusion that MARCH has many deficiencies. Out of 21 listed inadequacies, we 3 shall extract only a few: Modeling of heat transfer to upper and lower BWR vessel internals 0 Modeling of core collapse Failure of bottom head via control rod drive tube penetration not considered 3) ~ i Suppression pool and wetwell/drywell interaction Rod-to-rod radiation heat transfer not included I Vessel water level calculation does not include variable flow
- )
areas l Fuel pin melt / slump / freeze phenomena are not mechanistically modeled." Q l 3 l '- ~
- e s
...,,.o..
.l= 3 46 Dr. Fabic (Appendix B) also discussed the reasons why the MARCH code .O contains extensive simplifications: 1 3-j "The extensive simplifications in the code were introduced for two reasons: (1) to produce a tool useful for probabilistic risk j assessment which requires many computer runs for exploration of consequences of various bounding assumptions. Hence, computational economy must have been one of the principal goals; (2) to produce a tool amenable to accepting some of the major uncertainties as input ! 3 assumptions that could be changed from run to run. These stem from the relatively poor knowledge of various thermohydraulic processes that involve melt propagation and the attendant heat and mass .) transfer in complex geometries. The pertinent empirical base lags far behind the existing empirical base collected in the course of reactor safety research for situations that do not involve a 3~ degraded core. However, the word ' uncertainty' is also used here to imply simplifications one needs to make to intentionally bypass the detailed calculations that would cause the code to become long a running." Despite these limitations within MARCH, the conclusion of the FRA review c, team is that the code has been applied by the SAI team in a competent and conscientious manner. Our analysis of their description of their MARCH runs, the way they have thought about issues involved in MARCH, and their .O 4 ,y.
+ 3 47 conclusions has left us with both a confident feeling about what the SAI analysts have done and a heightened appreciation of the approximations inherent in the MARCH modeling. 4 O One of the important areas of disagreement concerns the mechanism of melt-through of the molten core as it penetrates the bottom head of the reactor pressure vessel (RPV). Again we quote from Appendix B, Dr. Fabic's report (the abbreviation "CRD" means " control rod drives"): i "We do not believe that the RPV bottom head would fail in either of 9 the two ways described.in the Shoreham PRA: structural failure of the vessel wall due to elevated pressure and temperature or the wall melt-through when the RPV pressure is low.
- "Instead, we agree with the scenario described by R. Henry of Fauske Associates, Inc. (see item 8 in Section 1.1) wherein the relatively thin metal that seals the CRD tube, or the CRD tube itself, is much more likely to fail first upon contact with the melt.
"The melt is very unlikely to reach the bottom head in a coherent fashion (gross slumping). It is more plausible to consider downward streaming of melt around the vessel axis. That melt will not attack 9 the CR0 tube as long as there is some water left in the lower plenum. If the amount of steam generation caused by quenching of melt is insufficient to stop further melting (a likely case), O Y '*
- "T*
W p aM =$ e - ga g , y a , gg ,4,, , -, - ~ = -
i ~ ~ o 48 1 increased amount of debris will accumulate on the bottom portion of 0 the RPV and it would eventually remelt the fraction of debris that t was frozen by the liquid--which by now has evaporated. This whole process could be delayed significantly if the CRD cooling water were O continuously supplied. I i ~ " Eventually, one or more CR0 tubes would fall and the debris 9 discharge into the CR0 room would commence." Following the failure of the CRD tubes, another key question is how fast O the melt will pour or stream through these CR0 channels. Dr. Fabic calculates (Appendix 8) that under the conditions likely to be present, only a very few seconds (perhaps less than 5 seconds) would elapse before O as much as 50% of the melted metal would flow out of the lower vessel openings. In this scenario, there is no outright structural failure of the vessel wall, nor wall melt-through per j!e. However, as the melt penetrates the CR0 tubes, significant enlargement of these penetrations will occur by ablation. If this is true, then only a small fraction of the melted core will remain in the bottom head, and that fraction will be the core material that has not melted, or has re-frozen at the bottom. Whether the flow through the CRD openings is pressure-driven or gravity-driven will make a difference, but should not make a very large difference to the phenomena in this process, which will be quite fast. O G 4 >s g - og e , + .,4
.. ~,. 43 49 The next issue involves where the core debris streaming through the CRD 0 openings will go. With a large amount of CR0 hardware in the way (essentiall hanging down in large massive metallic drive channels below the lower head), and with such a fast outflow, it seems unlikely that the F CRD hardware will melt before the core material has passed through, which in turn indicates that the core material will reach the drywell floor only 4 after being significantly broken up and " sprayed about" by the CR0 e hardware. However, an important insight (see Appendix B) is the conclusion. i that most of the core will go down into the drywell area just below the reactor pressure vessel (RPV) head, with rather little of it going into the O~ annular outside region of the drywell floor. Once the level of core melt debris on the drywell floor exceeds the height above the floor (about 3.5 inches) of the downcomer top flanges, the molten debris will start pouring 0 down the four downcomers that are located within the area of drywell floor just below. the RPV: we find that it is unlikely that much of the melt will go down the numerous downcomer channels in the outer annular region, since O the melt will go down these four inner downcomers promptly. Our analysis indicates that this will occur rather quickly, most likely within about 5 minutes af ter RPV breach.
- 3 Once the debris begins pouring down the downcomers into the deep wetwell, we studied whether steam produced by the molten material would produce I
enough countercurrent flow upward to impede further melt from penetrating downward. Our calculations (see Appendix B) seem to indicate that this phenomenon will not occur. O 1 a s e. ws-~ y ,. - - -. ~- -e.,- ,y- .., h n. - - - - ,--[ -.I- mb...,--r-----
/ 'I
- r I-f
%e,, 1-O ( i 50 I f-l In the.sc'enario described above, almost all of> the melt will end,up in the 8 wetwell almost all of the, time. Appendix B discusses why we are reasonablf i e s confident of this conclusion'. It appears thbt there is only ia limited range of conditions where melt will 'pt.,t mosi:1y be quenched in the wetwell. / The implications of this quenching ar\\ " of course, that significant removal ,s, 0 e, 4 'i '- of fission products in the wetwell water would occur, lowering by large i factors the amounE of fission products ' ocher than noble gases available in s s ,i< f O the gaseous phase fer atmospheric release through an ultimate containment O breach. 3, t, ,,l l,. O Perhaps the most isoportant cor)clusions from Dr. Fabic's analysis' f.k Appendix B are/that vessel failure will probably take place through the CR0 .e. channels; that discharge from the vessel to the drywell will be very rapid 0 (less than h minute), and discharge from the drywell to the s{Jppression .l' pool will also'be fast (less than, say,10 minutes);- that core malt t \\ matirf al will nearly always end up in the wetwelf,, where significant i O removal of fission p oducts will oci:ur; and that there is little time for b ] debris-concrete interaction <on the drywell floor, and too low a temperature \\ > - ' \\ for that interaction to occur on the wetwell floor. ( ' 3 \\ s \\ All in al', the picture painted by our analysis is that the SAI results on t core-melt behavior and fission [ product releaN are likely to be conservative (that is, too high values for r lease', too much i i core-concrete interaction) compared to what we believe to be the real y phenomena. 5 O / a i f / ,./s. ~.. f 4.,._ m
~' V ~ 51 In particular, we expect that for two of the classes of accidents (Class I* .? and Class III**), there will be significant delay _ in the containment rupture time, and perhaps no containment rupture at all, depending on specific containment heat-leakage properties that we have not specifically U addressed and that are both complicated and scenario-specific. Also, there will be quite large decontamination factors for fission products released in the wetwell pool, leaving the gaseous fission products released directly from the melted fuel pins as the principal airborne species available for release from the containment after breach. Unfortunately, we are not able, to' quantify the extent of this conservatism. The phenomena that we believe will occur differ from those modeled in the SAI draft report in several areas, but almost always in the " conservative direction," meaning that if our analysis is a better representation, then the accidents will be less severe. We believe that much remains to be done before a reliable calculation of these phenomena can be carried out: some research on specific phenomena must be performed; some improved modeling of the. sequence and character of the events must be accomplished; and some better data on specific coefficients must be obtained, for a variety of physical and chemical interactions. Class I involves accidents where failure of core cooling g, with the_RPV at high pressure after a transient or ' small-break LOCA results in core degradation, with an intact containment until after core melt. Class III involves accidents such as a large-break LOCA o inside containment where RPV depressurization occurs prior to cora degradation, with an intact containment until after core melt. 3 t- _r+ e ,es e g
%k. 3 52 4.3 Some Specific Issues Involving Meltdown and Related C Phenomena In the course of our review of the meltdown part of the draf t PRA on I' Shoreham, a number of specific issues arose that we believe are worth discussing within this report. These are technical issues that could affect the overall " bottom line" conclusions of the SAI study. For each we will indicate what our own conclusions are as to the impact of the issue vis-a-vis Suffolk County's application of the PRA results for emergency response planning. Q The first issue is the magnitude of fission product releases from the fuel. In Table D-3 (page 0-9) of the SAI draf t report, a list is given of release 2 fractions from the fuel to the primary reactor system during core meltdown. The table is reproduced on the next page. Shown in the table are two values for the release fraction for each isotope: or.e is the value used in the 1973-74 WASH-1400 analysis (Ref.1), and the other is the more recent value found in NRC report NUREG-0772 (Ref. 5), which contains a discussion of recent understanding of fission product behavior in core-melt accidents. The SAI report states (p. D-7) that they have used an average of the two madr.1 estimates (WASH-1400 vs. NUREG-0772), in view of uncertainties in our knowledge. While tnis averaging does not make very much difference to most of the release values, the value for tellurium is quite different in the two models: WASH-1400 assumed that only 15% of the tellurium escapes from the fuel, while NUREG-0772 believes the correct value is 100%. While we do O ~ l s
,O,- 1, 1 10 53 1 l tuced directly from the Shoreham PRA by SAI) Table D.3 RELEASE FE TO REACTOR PRIMARY SYSTEM DURING CORE NELTDOWN i {0 Fission Group RSS NUREG-0772 1 l Xe, Kr .9 1.0 I, Br .9 1.0
- .9 Cs, Rb
.81 1.0 I t Te .15 1.0 j Sr .10 .3
- O Ba
.10 .5 .03 .02 i a u Nt .003 .03 L, .003 .003 "J
- Inc s $b, Se
- Inc s Mo, Pd, Rh. Tc 3
Inc-s Nd, Eu, Y. Ca. Pr, Pm, Sm, Np, Pu NOTE:
- S" is " Reactor Safety Study", Re;
- ort WASH-1400 O
o ) .n
.. G, !) 54 i [ not know which is correct (that awaits further experiments that have not yet been done), we believe after study of the NUREG-0772 arguments that the lower figure is more likely to be correct for tellurium, which would slightly decrease the offsite releases and doses. The effect is a small one generally, but not so small as to be negligible. SAI's draf t analysis also states (page D-7) that 90% of the iodine is O released from the primary system as Csl (cesium iodide), which is a major departure from the WASH-1400 assumption that iodine was released 100% in elemental form. This makes a significant difference because the Csl is soluble while the elemental iodine, in gaseous form, was a key contributor to offsite doses in WASH-1400. We tend to agree with the recent arguments that elemental iodine is not a likely form for that element in these "') accidents, and believe that SAI's assumption is a reasonable one. However, there are still important uncertainties in our knowledge of what precisely happens to the iodine during the accidents under consideration. The reactor safety community will require some experiments, some modeling, and considerable discussion (all of which is underway) before this important issue is resolved and a consensus reached on it. Q Another issue involves whether there would be zirconium-water reactions within the reactor vessel af ter the fuel has melted but before the melt O penetrates the bottom head: SAI assumed (page C-23) that in a melted state the Zr-water reaction would not occur, and has explained their assumption (Ref. 2) as being due to the presence of a molten pool at the bottom of the O 3
G, 55 lower vessel head, covered by a crust at the interface between molten and 0 solid fuel. This crust would inhibit Zr-water interactions, according to the SAI opinion. While this scenario seems reasonable, the generation of zero Zr-water reaction seems too extreme, because surely some of the O zirconium will be in contact with water or steam during parts of the meltdown process. This issue needs more analysis, in our view. We haye no way of quantifying whether the Ir-water reaction is miniscule or only O "small," but we do concur that it is unlikely to be "large" in te - sense of comprising any reasonable fraction of the total zirconium in the fuel cladding. Thus we do not think this issue should have any important impact O on the overall results of SAI's analysis. Another issue that we have studied is whether there will be rapid ') degradation of the concrete walls of the drywell during core-melt accidents, which might lead to carbon-dioxide evolution, high pressures building up inside, and ultimate pressure failures of containment. First, O we should point out that in our own analysis, almcst all of the melt goes directly from the bottom vessel head to the CR0 room floor to the suppression pool; almost none goes to the annular drywell floor (see O Appendix B). However, for this discussion we will assume that we are considering melted core on the drywell floor. When our concern with the issue of drywell concrete degredation was raised with the SAI analysis O team, their response (Ref. 2) was that only for the Class III sequences would a sufficiently high temperature occur in the drywell, and these sequences produced very short thermal transients. If this is true, the O -m =
- - w i
,;) SS [ f decomposition temperature would be reached only for a very thin layer near 7-the surface of the concrete. We have not been able ourselves to calculate any sufficiently detailed numerical values for the temperature transients, I nor can we find them in the draft SAI report. However, based on our U experien::e with this issue, and' our understanding of the phenomena that will occur during melting and core transport from vessel to drywell to wetwell, we believe that this concern is not likely to be a major one: O specifically, we believe that even if significant core melt were to reach the drywell annulus,.it is quite unlikely that this concrete-degradation effect will produce enough non-condensible gas to challenge containment '-) earlier than it is challenged,in the scenarios set down by SAI in their report. O We have also been concerned that containment integrity might be compromised by pre-existing containment leaks, that might not have been considered properly in the SAI analysis. Also, we were concerned with failures of O penetrations at high temperatures. While SAI confirmed (Ref. 2) that this latter problem was not explicitly considered in the PRA, they believe that the former is adequately analyzed within the containment event trees. We 0 are not convinced that the analysis incorporates either of these issues quantitatively; however, we believe that containment leakage is not as important an issue for the Shoreham BWR as it appears to be for many other O reactors (in particular, for many of the PWRs), because the effective fission product removal action of the suppression pool provides such large reductions for the most likely accident classes. Thus the issue probably O does not introduce major additional pathways to the environment r*ven if it has not been thoroughly considered in the SAI analysis. 3 ~ -e w< s e,..
(0 1 57 O One of the key issues that has,been an outstanding concern for many years in consideration of core-melt accidents is " debris-bed coolability," which is a shorthand phrase for the question of whether, if a bed of core rubble Q were to form from molten-then-solidified core material, that bed can be cooled adequately. Another question is whether steam, generated in.and j 'around the debris bed as it is cooled, can provide enough additional pressure to pose a challenge to containment. First, we must clarify that we are concerned here with cooling a debris bed on the drywell floor; we have no concern with cooling the later debris bed under many feet of suppression ' C) pool water, although ultimately af ter many days the pool water would boil away and the issue would arise again. The SAI response to our inquiry on this subject (see Appendix C) is reasonable,.nd is congruent with our own (Y judgment on the matter. However, it must be emphasized that while our judgment and that of the SAI group agree, the entire subject of debris beds is still one where everybody's conclusions are highly speculative; in our D view the safety connunity as a whole doesn't have enough experimental data, nor modeling talent, to put this issue to rest at this time. Fortunately, the issue is not believed by our group to pose significant additional risk 3 potential, for the following reasons which are quoted here from Mr. Davis' discussion in Appendix C: O "Upon further consideration of this issue, it is considered not to be significant in terms of the potential for risk increase for the following reasons: O i i s e-q n w-g y ~.
sw-g* g . - ~. ~.
- O 58 I
"1.If containment failure has not occurred at the time debris bed O coeling occurs, most of the fission products (which are released dur 1g the initial meltdown phase) will be securely trapped in l the suppression pool water. Thus, the possibility of containment 3 failur
- rom a steam pressure surge upon debris bed cooling would not c..
e a large fission product release. O "2.If containment failure occurs before debris bed cooling, the major consequences of the accident would be underway, and the added fission product release would likely not be significant. O "3. A steam pressure surge sufficient to challenge containment integrity requires a large amount of water delivered to the bed and intimate mixing. It is not likely that a high volume water source would be available since most such sources within the containment must previously have been asssumed failed or degraded to cause the accident to progress through core meltdown." 4<4 Core Vulnerability vs. Core Melt: Containment Event Trees .3 In section 3.1 (above), we commented favorably on the methodological advance employed by SAI in the Shoreham study in which an accident that O proceeds to a " core-vulnerable" state is differentiated from one that proceeds further to a " core melt" state. As discussed earlier, this differentiation was not made in the WASH-1400 analysis, and yet it is -O .) .-e
, ~
- O' 59 clearly important to recognize that only a fraction of " core-vulnerable" O
accidents proceed to " core melt," an example of one that stopped short being the Three Mile Island accident of 1979. 3 The SAI report finds, for the five Classes of accidents considered, the following conditional probability that a core melt will follow: Conditional Probability of Melt, Given Class Core Vulnerable State 9 I 8% II 7% III 84% IV 43% V 100% O The way these conditional probabilities were calculated in the Shoreham PRA analysis represents an advance over earlier probabilistic reactor analyses. The effort consisted of the development of very complex containment event trees (CETs) that considered the large variety of engineered safety features and phenomena that are brought into play during the time period af ter a core-vulnerable condition is reached. Of course, seme assumptions 3 are necessary to simplify the problem, and the SAI analysis team made several of them. We have studied them in the SAI draf t report (see the list on p.1-19, pages H-11 to H-13, H-48 to H-56, and Table H.7), and find O them generally reasonable, although the analytical basis for the specific numbers is weak. 7 We believe that there are major uncertainties in the CET analysis, but our study of the SAI discussion leads us to believe that the SAI analysts were aware of these and handled them ecceptably. For example, a key limitation O is that there are essentially no data on the relative likelihoods of containment failure modes of different sizes and types that would result O
e ,O 60 t overpressure (see page H-50). Another example is that, although the U analysis correctly differentiates between containment overpressure failures near the to: as opposed to near the bottom of the containment (a failure near the bottom, although very unlikely, could compromise the suppression pool), their treatment is obviously an approximate one. We believe that the point of departure of the SAI treatment is proper. They start by differentiating among. th, ee situations: those in which the 9 core is vulnerable to melting in an intact containment; those in which containment may be vulnerable first while the core is still adequately '( cooled; and those involving containment bypass. These three topologically i different states are then treated separately in the quantification process. We also endorse the approach taken in the draf t SAI report to consolidation of tne release end-states. This consolidation has the effect of grouping numerous different accidents and treating each group singly, which l-l') inevitably implies loss of detail in the interest of calculational tractability. The SAI report ackncwledges this issue (p. H-51), and statas 4 that the approximations made are conservative in nature. We affirm that l this is probably correct but have not reviewed the details sufficiently to have an independent view of whether this is always true (see Table H.8, 1
- p. H-106 for details).
O 9 To mention other technical issues, we believe that the treatment of the steam explosion issue is a reasonable one. Also, the discussion on G
s O 61 quantification of the CETs recognizes explicitly some concerns that clearly affect the quality of the results (see Table H.6, p. H-57 to H-60). The O SAI analysts have explicitly differentiated among various qualities of their supporting data, have given not only their best point estimates but 10%-90% bounds for their results, and have documented their main ) assumptions. Again, however, as elsewhere in this review there was no way that our review effort could examine the (literally, hundreds of) detailed numbers in the CET quantification. ,3 Our failure to review these conditional probabilities quantitatively is not very troublesome to us, because we are of the opinion (a cualitative O opinion, however) that the val,ues quoted are reasonably within the range that we would expect. Furthermore, we'believe that the inclusion or exclusion of the SAI conditional probability factors does not make any C important difference to what Suffolk County will do in its emergency planning activities. Therefore, and because we are uncertain as to the quantitative validity of the results, we believe that it is prudent for the O County to ignore these factors in its planning, and ts take the core-vulnerable figures, as modified by our recommendations for Classes I aad II, as the planning basis for emergency preparedness. O Our rationale for recommending the exclusion of these factors is as follows: for Classes I and II, we have already recomended that the O County assume that the core-melt values lie in the range of about 10'4/ year, taking into account our improved analysis of internal flooding; for the internal-flooding sequences there does not exist a valid O O
- ss 6e so 6
m
.~ e
- O 62 core-vulnerable / core-melt analysis, and we believe that our recommended
! -} numbers are in any event only a rough ' estimate. For Classes III and V, the SAI factors are so close to unity-(84% and 100%, respectively) that there is no difference. For Class IV, the SAI factor is 43%, within 4 0 about a factor of 2 of unity, but for this class we believe that the core-vulnerable number could be too high by a factor of 3 to 10 because of sal's use of too high a value for failure of SCRAM on demand: so for Class IV the inclusion or exclusion of a 43% factor is practically like splitting hairs. O For all thcse reasons, we believe that omitting the core-vulnerable / core-melt factors froni Suffolk County's planning basis is the prudent choice: the factors have no reasonable basis for the internal-flooding sequences and make essentially no difference in the other Classes. 4.5 Implications of the Review of In-Plant Phenoneqa D Our review of in-plant accident phenomena described in the SAI draft PRA report has resulted in a collection of specific comments and retharks that 9 are covered in the earlier sections (4.1 - 4.4) of this chapter. It is important to describe the context in which these comments are to be understood. We believe that the present state-of-the-art of probabilistic - O analysis of in-plant phenomena is not very well advanced. In particular, our underlying understanding is inadequate for some phenomena (fer o 0 "*N4*B e w-= e. _.,m
' () 63 1 example, core melting itself, core penetration of the vessel, debris bed !O formation and coolability, aerosol plateout, core-concrete interactions); for the performance of some key systems (for example, containment failure mechanisms, effectiveness of suppression pool heat removal n mechanisms, efficacy of active aerosol removal systems); and for the time-sequence and duration of some events during the accident (for example, duration of meltdown itself, pressure buildup). <3 Given the paucity of experimental information, only limited applicability of the data that do exist, and calculational intractability of models 0 complex enough to contain detailed differential effects, it is no surprise that differences of opinion exist within the professional community. Some of these differences are reflected in our comments above. What is important to leave with the reader of this report is that we do not believe ~ that there are important differences between what SAI has accomplished and documented and our own view about release magnitudes: ' differer ces of O interpretation, differences in level of detail, differences in selecting experimental data or modeling approximations seem in every case to produce effects on the final PRA results that are within the quoted uncertainties O of the SAI analysis. If there is one overriding impression that our review team is lef t with in the af termath of this in-plant phenomena review effort, it is that the magnitudes of the radioactive releases are likely, in actual accidents, to .9 Cp s m -h =re.- _.w -.re 4 = -. =,.
O 64 be smaller than are calculated in the SAI draft report. This is due to O the inherent introduction of numerous conservatisms in the analysis. Paramount among these are conservatisms in the description of removal mechanisms that will keep important fission products within the reactor building, for which incomplete credit has been taken in the analysis. Examples include the likelihood that bottom-head penetration may not even occur at all for some scenarios, either because melting will be incomplete, or heat transfer larger, or CRD cooling water available (see our Appendix B); the analysis of suppression pool decontamination factors (see our Appendix C); and the various assumptions that SAI has made on containment i O failure mechanisms themselves.. We are unable to quantify the extent of these conservatisms in the in-plant phenomena analysis; indeed, we believe that it will be several years from now before enough research hss been carried out to enable a consensus to be reached on these issues. For this reason, we believe it imprudent to take account of them for the purposes of advising Suffolk County's emergency preparedness effort. However, it is important that the reader understand our view that the SAI radiation release results, taken at face value and considering their large cuoted uncertainties, are more likely to be too high (that is, to represent accidents more severe than actual) than too low. O O O u m_, a ,a, .as-o
g., ._._ a a.. ... y. .j. 65 i 5.0 Sumary and
Conclusions:
Are the Probabilities and .i9 Magnitudes of the Calculated Radiation Releases Correct? i j In earlier sections we have already given our sumary conclusions as to the O correctness of the probabilities of the accident sequences (Section 3.4) and the magnitudes of the calculated releases (Section 4.5). Here we will i L sumarize our findings, and discuss their implications when applied to i !O Suffolk County's emergency planning activities. Concerning the SAI calculation of accident probabilities, we have found l !O two important differences between our analysis and the SAI analysis. They were noted in Section 3.4, as follows: First, we believe that due to an error in the SAI treatment of internal flooding, the contribution of G. internal flooding to Class I and II accidents has been underestimated.' While we are unable to provide our own analysis of the internal flooding accidents, we recomend that Suffolk County use, as a basis for their 3 emergency planning effort, values of about 10-4 per reactor year for the frequency of core melt for both Classes I and II. Second, we believe that Class IV accidents will occur less frequently than. the SAI report claims, 3 because we believe the SAI report has used too high a value for the failure on demand of the SCRAM system. However, we recomend that the County should use the SAI results for Class IV as their planning basis. We O recomend that the County use all other values for core-vulnerable and core-melt frequencies directly as found in the SAI draft report. O Q hS %MT 9' h w
m , g m,, l. 10 66 Concerning the SAI calculation of magnitudes of radiation releases from 0 Shoreham, our review has left us with the strong impression, which is supported by the discussion in our Chapter 4, that the releases calculated in SAI's study are more likely to be toO high than too low (that is, we 3 -believe that their calculation has con 5cevatisms within it). We have been unable to quanti.fy the magnitude of these conservatisms, and in fact we do not believe that it is possible to do so at the present time, because of O insufficient information about the phenomena that characterize accidents of the type under discussion. However, we believe that the conservatisms could amount to large factors of reduction for some accident types, O particularly those important a,ccidents (albeit, in an absolute sense quite rare accidents) where the melted core would pass into the Shoreham pressure suppression pool. In our opinion the suppression pool, and the way the C' Shoreham design provides for prompt passage of melted core material to it in these unlikely accidents, will be very effective in fission-product remov al. The substance of our remarks here is our opinion that the removal '} effec'tiveness of the pool may be even greater than the SAI analysts have used in their calculations. O Thus we arrive at the following overview of our cenclusions as to the probabilities and magnitudes of SAI's calculated radiation releases from accidents at Shoreham. We believe that the Class I and II accident groups O have higher probabilities than are found in the SAI report, because of internal flooding accidents; and we believe that the magnitudes of the releases are likely to be lower than SAI has calculated. 0 0 .~;. +
n. ....~._.
- C) 67 The implications for Suffolk County's emergency planning effort will depend 6) upon what the County planners decide to do with our findings. We believe that the implications for the County of higher core-melt probabilities in Classes I and II would be minor because these classes already dominate the
'd composite offsite doses from Shoreham, even if SAI's lower numbers are used. If the County planners use the composite dose-distance curves as ~ their planning basis, increasing the absolute probabilities of these curves
- 3 changes nothing that the County will do or decide. Concerning the magnitudes of the releases, use of substantially smaller releases would have a major effect on the County's planning effort; however, we recommend C) that the County utilize the SA( draf t results as their planning basis because we cannot quantify the degree of conservatism in them.
S = 3 0 O O O + = m =
t ()- 63 9 6.0 ACKNOWLEDGMENTS, The authors wish to acknowledge the advice and assistance of Fred C. () Finlayson, our collaborator on this project without whose help the work could not have been accomplished. Fred has also served in a liaison capacity with Suffolk County throughout this work. We also acknowledge O Christopher McMurray, counsel to Suffolk County, for much assistance. We have benefitted from important interactions with Robert Erdmann and Edward Burns of Science Applications, Inc. and Voyin Joksimovich of NUS r) Corporation, who have explained parts of the SAI report to us. Finally, our interactions with Suffolk County itself, through Frank Jones and Patricia Dempsey, have been smooth and successful throughout. - c) 3 D 9 3 3 i 5 e -*e'N*
- g. %4 9 #
ee e m =e-e-o-
..m. -;,. e... ~..:-. l-i:O 69 i 7.0 References i 4 The primary reference used in this report is the probabilistic risk j assessment carried out by Science Applications, Inc. on the Shoreham Plant. f The reference is: 9 Science Applications, Inc. (San Jose, California), "Probabilistic Risk Assessment, Shoreham Nuclear Power Station, Long Island Lighting Company," Preliminary Draft Report SAI-001-83-SJ, March 1982 The following are referred to by number in the text: g 1. U. S. Nuclear Regulatory Commission, " Reactor Safety Study," Report WASH-1400, October 1975 2. Letter, E. T. Burns (of Science Applications) to R. J. Budnitz .) (of Future Resources Associates), dated 2 August 1982, on the subiect " Responses to questions generated during July 16, 1982 meeting" 3. "PRA Procedures Guide, A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants," 0 prepared by the American Nuclear Society and the Institute of Electrical and Electronic Engineers, Report NUREG/CR-2300, Review Draft, dated April 5, 1982 4 A. D. Swain and H. E. Guttmann, " Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications," Report NUREG/CR-1278, April 1980 g 5. U. S. Nuclear Regulatory Commission, " Technical Bases for Estimating Fission Product Behavior During LWR Accidents," Report NUREG-0772, June 1981 6. U. 5. Nuclear Regulatory Commission, " Safety Evaluation Report ~3 Related to the Operation of Shoreham Nuclear Power Station, Unit No.1," Report NUREG-0420, Acril 1981 b O O 6 9r *. + -e se,.,rez e. .ww ev. ..}}