ML20127F653
| ML20127F653 | |
| Person / Time | |
|---|---|
| Issue date: | 05/31/1985 |
| From: | Baranowski P Office of Nuclear Reactor Regulation, NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
| To: | |
| References | |
| REF-GTECI-A-44, REF-GTECI-EL, TASK-A-44, TASK-OR AB38-1-057, AB38-1-57, NUREG-1032, NUREG-1032-DRFT, NUREG-1032-DRFT-FC, NUDOCS 8506250217 | |
| Download: ML20127F653 (200) | |
Text
-
~
NUREG-1032 Evaluation of Station Blackout Accidents at Nuclear Power Plants Technical Findings Related to Unresolved Safety Issue A-44 Draft Report for Comment U.S. Nuclear Regulatory Commission 8Hl:::! ::l:";":d";n%"a"JP P. W. Baranowsky v# "*%,,
j N
g62g0 850531 1032 R PDR
4 NOTICE Availability of Reference Materials Cited in NRC Publications Most documents cited in NRC publications will be available from one of the following sources:
- 1. The NRC Public Document Room,1717 H Street, N.W.
Washington, DC 20555
- 2. The Superintendent of Documents, U.S. Government Printing Office, Post Office Box 37082, Washington, DC 20013 7982
- 3. The National Technical Information Service, Springfield, VA 22161 Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.
Referenced documents available for inspection and copying for a fee from the NRC Public Docu-ment Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.
The following documents in the NUREG series are available for purchase from the NRC/GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission issuances.
Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.
Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.
Documents such as theses, dissertations, foreign reports and translations,and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.
Single copies of NRC draf t reports are available free, to the extent of supply, upon written request to the Division of Technical information and Document Control, U.S. Nuclear Regulatory Com-mission, Washington, DC 20555.
Copies of industry codes and standards used in a substantive manner in the N RC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute,1430 Broadway, New York, NY 10018.
NUREG-1032 Evaluation of Station Blackout Accidents at Nuclear Power Plants Technical Findings Related to Unresolved Safety issue A-44 Draft Report for Comment Manuscript Completed: March 1985 Date Published: May 1985 P. W. Baranowsky Office of Nuclear Regulatory Research Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, D.C. 20555
,f..
/
ABSTRACT
" Station Blackout," which is the complete loss of alternating current (AC) elec-trical power in a nuclear power plant, has been designated as Unresolved Safety Issue A-44.
Because many safety systems required for reactor core decay heat removal and containment heat removal depend on AC power, the consequences of a station blackout f.ould be severe.
This report documents the findings of techni-cal studies performed as part of the program to resolve this issue.
The impor-tant factors analyzed include:
the frequency of loss of offsite power; the pro-bab'ility that emergency or onsite AC power supplies would be unavailable; the capability and reliability of decay heat removal systems independent of AC power; and the likelihood that offsite power would be restored before systems that cannot operate for extended periods without AC power fail, thus resulting in core damage.
This report also addresses effects of different designs, loca-tions, and operational features on the estimated frequency of core damage re-sulting from station blackout events.
NUREG-1032 iii
TABLE OF CONTENTS P.ag.e ABSTRACT................................
iii LIST OF FIGURES vi LIST OF TABLES.............................
vii PREFACE ix ACKNOWLEDGMENTS.............................
xi 1 EXECUTIVE
SUMMARY
1-1 2 INTRODUCTION AND TECHNICAL APPROACH.................
2-1 3 LOSS OF 0FFSITE POWER FREQUENCY AND DURATION.............
3-1 4 RELIABILITY OF EMERGENCY AC POWER SUPPLIES..............
4-1 5 STATION BLACK 0UT FREQUENCY AND DURATION...............
5-1 6 ABILITY TO COPE WITH A STATION BLACK 0UT...............
6-1 7 ACCIDENT SEQUENCE ANALYSES 7-1 8 EVALUATION OF DOMINANT STATION BLACK 0UT ACCIDENT CHARACTERISTICS 8-1 9 RELATIONSHIP OF OTHER SAFETY ISSUES TO STATION BLACK 0UT 9-1 9.1 Loss-of-Coolant Accidents 9-1 9.2 Anticipated Transients Without Scram..............
9-2 9.3 Extreme Internal Environment..................
9-3 9.4 Extreme Hazards 9-4 10 REFERENCES 10-1 APPENDIX A DEVELOPMENT OF LOSS OF 0FFSITE POWER FREQUENCY AND DURATION RELATIONSHIPS APPENDIX B EMERGENCY AC POWER RELIABILITY AND STATION BLACK 0UT FREQUENCY:
MODELING AND ANALYSIS RESULTS APPENDIX C STATION BLACK 0UT CORE DAMAGE LIKELIHOOD AND RISK NUREG-1032 v
LIST OF FIGURES Figure Page 3.1 Diagram of offsite power system used in nuclear power plants.
3-2 3.2 Frequency of loss-of-offsite power events exceeding specified durations.......
3-5 3.3 Estimated frequency of loss-of-offsite power events exceeding specified durations for representative clusters 3-9 4.1 Simplified 1-of-2 onsite AC power distribution system.....
4-2 4.2 Onsite power system functional block diagram..
4-3 4.3 Histograms showing emergency diesel generator failure on demand for 1976 through 1982 4-7 4.4 Failure contribution by diesel generator subsystem......
4-9 4.5 Onsite AC system unavailability for 18 plants studied in NUREG/CR-2989.......................
4-11 4.6 Percentage of emergency diesel generator failures repaired vs. time since failure....................
4-14 4.7 Generic emergency AC power unavailability as a function of emergency diesel generator (EDG) reliability 4-16 4.8 Emergency AC power unavailability as a function of individual diesel generator running reliability.............
4-17 5.1 Estimated frequency of station blackout exceeding specified durations for several representative offsite power clusters 5-2 5.2 Estimated frequency of station blackout exceeding specified durations for several EDG reliability levels.........
5-3 E.3 Estimated frequency of station blackout exceeding specified durations for several emergency AC power configurations 5-4 7.1 Generic PWR event tree for station blackout 7-2 7.2 Generic BWR event tree for station blackout (BWR-2 or 3)...
7-3 7.3 Generic BWR event tree for station blackout (BWR-4, 5, or 6).
7-4 7.4 Time to core uncovery as a function of time at which turbine-driven auxiliary feedwater train fails........
7-8 7.5 PWR station blackout accident sequence............
7-10 7.6 BWR station blackout accident sequence............
7-12 8.1 Sensitivity of estimated station blackout-core damage fre-quency to offsite power cluster, AC-independent decay heat removal reliability, and station blackout coping capability..
8-3 8.2 Sensitivity of estimated station blackout-core damage fre-quency to EDG reliability, AC-independent decay heat removal reliability, and station blackout coping capability 8-4 8.3 Sensitivity of estimated station blackout-core damage fre-quency to emergency AC power configurations, AC-independent decay heat removal reliability, and station blackout coping capability..........................
8-5 NUREG-1032 vi
c i
'l.
LIST OF FIGURES (Cont'd)
Figure P_ age 8.4 Sensitivity of estimated station blackout-core damage fre-quency 'to. reducing the coraan cause failure susceptibility of emergencycdiesel generators, their reliability, and station blackout coping capability..................
8-6 8.5 Estimated core damage frequency showing uncertainty range for four reference plants 8-9 LIST OF TABLES Table P_a_ge l '3 1.1 Summary of station blackout program technical results.....
1-2 3.1 Total losses of offsite power at U.S. nuclear power plant sites, 1968 through 1983....................
3-4 3.2 Characteristics of some loss-of-offsite power-event clusters that affect longer duration outages..............
3-10 4.1 Diesel generator start attempts,and failures for tests and actual demands..........;.............
4-6 4.2 Results of onsite power system reliability analysis reported in NUREG/CR-2989.'......................
4-12 6.1 Effects of station blackout on plant decay heat removal functions........... 6 6-2 6.2 Possible factors limiting the ability to cope with a station blackout event
.................,.s.
6-8 7.1 Estimated time to uncover core for station blackout sequences with initial failure of AC-independent decay heat, removal systems and/or reactor coolant leaks 7-7 7.2 Summary of potentially dominant core damage accident sequences........'.,.'.................
7-13 7.3 Containment ?ailure insights 7-16 7.4 Containment fission product release categories and failure mode probabilities for station blackout sequences.......
7-18 8.1 Sensitivity of estimathd core damage frequency reduction for station blackout accidents with reactor coolant pump seal failure delay from 2 to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> and 4 to 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />.....
8-8 9.1 Coupling between external (and internal) events and potential plant failures 9-5 e
i
(
NUREG-1032 vit
PREFACE This report represents the culmination of several technical studies undertaken by Nuclear Regulatory Commission (NRC) staff and contractors to place a reli-ability and risk perspective on Unresolved Safety Issue A-44, Station Blackout.
The technical findings published in this draft are intended to document the basis for future NRC regulatory activities that will be the resolution of this safety issue.
The analyses, evaluations, and results presented are meant to provide a "best estimate" assessment of the major contributors to the frequency of station blackout and the probability of subsequent core damage.
Most results are presented as point estimates and are intended for use in the quantitative regu-latory analyses that will be used to support a proposed resolution of this issue.
The uncertainties in the quantitative analyses are large enough that rigorous application of these results should be made with caution.
- However, the staff believes that the qualitative insights and conclusions are correct and useful as guidance in determining what constitutes resolution of this issue.
The staff recognizes that any probabilistic safety analysis can benefit from the broadest review and comment.
This is especially important when such an analysis is to be the basis for resolution of an Unresolved Safety Issue.
P.W. Baranowsky NUREG-1032 ix
A 1
ACKNOWLEDGMENTS The preparation of this report involved the technical contribution, review, and comment of several individuals in addition to the principal author.
The con-tributions of the following NRC staff members are hereby acknowledged and appreciation given:
J. M. Assuncao S. A. Bernstein J. W. Johnson A. M. Kuritzky L. E. Lancaster D. W. Pyatt D. M. Rasmuson A. M. Rubin i
i 1
s
't NUREG-1032 xi
r
]
1 EXECUTIVE
SUMMARY
" Station blackout" is the complete loss of alternating current (AC) electrical power to the essential and nonessential switchgear buses in a nuclear power plant.
Because many safety systems required for reactor core cooling and l
1 containment heat removal depend on AC power, the consequences of a station I
blackout could be severe.
Existing regulations do not require explicitly that nuclear power plants be capable of withstanding a station blackout.
l In 1975, the Reactor Safety Study (NUREG-75/140) showed that station blackout could be an important contributor to the total risk from nuclear power plant j
accidents.
In addition, as operating experience accumulated, the concern arose that the reliability of both the onsite and offsite emergency AC power systems might be less than originally anticipated.
Thus, in 1979 the Commission desig-l nated station blackout as an Unresolved Safety Issue (USI); a Task Action Plan for its resolution (TAP A-44) was issued in July 1980, and work was begun to determine whether additional safety requirements were needed.
4 Technical studies performed to resolve this safety issue have identified the dominant factors affecting the likelihood of station blackout accidents at nuclear power plants.
A summary of the principal probabilistic results is in Table 1.1.
These results are based on operating experience; Fie results of
(
several plant-specific probabilistic safety studies; and reliability, accident sequence, and consequence analyses performed as part of TAP A-44.
The results show the following important characteristics of station blackout accidents:
i (1) The variability of estimated station blackout likelihood is potentially large, ranging from approximately 10 5 to 10 3 per reactor year.
A
" typical" estimated frequency is on the order of 10 4 per reactor year.
(2) The capability to restore offsite power in a timely manner (less than 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />) can have a significant effect on accident consequences.
NUREG-1032 1-1
i Table 1.1 Summary of station blackout program technical results Parameter Value Operational Experience Loss of offsite power (occurrence per year)
Average 0.1 Range 0 to 0.4 Time to restore offsite power (hours)
Median 0.5 90% restored 3.0 Emergency diesel generator reliability (per demand)
Average 0.98 Range 0.9 to 1.0 Median emergency diesel generator repair 8
time (hours)
Analytical Results Estimated range of unavailability of 10 4 to 10 2 emergency AC power systems (per demand)
Estimated range of frequency of station blackout (per year) 10.s - 10 3 L
Estimated range of frequency of core damage as a result of station blackout (per year) 10 8 10 4 i
NUREG-1032 1-2
(3) The redundancy of onsite AC power systems and the reliability of indi-vidual power supplies have a large influence on the likelihood of station blackout events.
(4) The capability of the decay heat removal system to cope with long duration blackouts (greater than 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />) can be a dominant factor influencing the likelihood of core damage or core melt for the accident sequence.
(5) The estimated frequency of station blackout events that result in core damage or core melt can range from approximately 10 6 to greater than 10 4 per reactor year.
A " typical" core damage frequency estimate is on the order of 10 5 per reactor year.
(6)
Information currently available indicates that containment failure as a result of overpressure may follow a station-blackout-induced core melt.
Smaller, low-design pressure containments are most susceptible to early failure (possibly in less than 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />).
Some large, high-design pressure containments may not fail as a result of overpressure, or if they do fail, the failure time could be on the order of a day or more.
The losses of offsite power can be categorized as those resulting from (1) plant-centered faults, (2) utility grid blackouts, and (3) failures of offsite power sources induced by severe weather.
The industry average fre-quency of total losses of offsite power was determined to be about 0.1 per site / year, and the median restoration time was about one-half hour.
The fac-tors identified as affecting the frequency and duration of offsite power losses are (1) the design of preferred power distribution system, particularly the num-ber and independence of offsite power circuits from the point where they enter the site up to the safety buses (2) operations that can compromise redundancy or independence of multiple off-site power sources, including human error NUREG-1032 1-3
(3) the reliability and security of the power grid, and the ability to restore power to a nuclear plant site with a grid blackout (4) the hazard from, and susceptibility to, severe weather conditions that can cause loss of offsite power for extended periods A review of the design and operating experience, combined with a reliability analysis of the onsite emergency AC power system, has shown that there are a variety of potentially important causcs of failure.
The typical unavailability of a two-division emergency AC power system is about 10 3 per demand, and the typical failure rate of individual emergency diesel generators is about 2 x 10 2 per demand.
The factors identified as affecting emergency AC power system reliability during a loss of offsite power are (1) power supply configuration redundancy 3
(2) reliability of each power supply (3) dependence of the emergency AC power system on support or auxiliary cooling systems and control systems (4) vulnerability to common cause failures associated with design, operational, and environmental factors The likelihood that a station blackout will progress to core damage or core melt is dependent on the reliability and capability of decay heat removal systems that are not dependent on AC power.
If the capability is sufficient, additional time will be available to restore AC power to the many systems normally used to cool the core and remove decay heat.
The most important factors relating to decay heat removal during a station blackout are 4
(1) the starting reliability of systems required to remove decay heat and maintain reactor coolant inventory NUREG-1032 1-4
..- =
l (2) the capacity and ability to function of decay heat removal systems and auxiliary or support systems that must remain functional during a station blackout (e.g., DC power, condensate storage)
(3) for pressurized water reactors (PWRs) and for boiling water reactors (BWRs) without reactor coolant makeup capability during a station blackout, the magnitude of reactor coolant pump seal leakage (4) for BWRs that remove decay heat to the suppression pool, the ability to maintain suppression pool integrity and operate heat removal systems at high pool temperatures during recirculation On the basis of reviews of design, operation, and location factors, the staff determined that the expected core melt frequency from station blackout could be maintained around 10 s per reactor year or lower for all plants.
To reach this level of core melt frequency, a plant would have to be able to cope with sta-tion blackouts at least 4 and perhaps 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> long and have emergency diesel generator reliabilities of 0.95 per demand or better, with relatively low sus-ceptibility to common cause failures.
4 1
f a
NUREG-1032 1-5
2 INTRODUCTION AND TECHNICAL APPROACH
" Station blackout" refers to the complete loss of AC electrical power to the essential and nonessential buses in a nuclear power plant.
Station blackout involves the loss of offsite power concurrent with the failure of the onsite emergency AC power system.
Because many safety systems required for reactor core cooling, decay heat removal, and containment heat removal depend on AC power, the consequences of station blackout could be severe.
The concern about station blackout is based on accumulated operating experience regarding the reliability of AC power supplies.
A number of operating plants have experienced a total loss of offsite electrical power, and more such occur-rences are expected.
During these loss-of-offsite power events, onsite emer-gency AC power sources were available to supply the power needed by vital safety equipment.
However, in some instances one of the redundant emergency power supplies was unavailable, and in a few cases there was a complete loss of AC power. (During these events, AC power was restored in a short time without any serious consequences.)
In addition, there have been numerous instances at operating plants in which emergency diesel generators failed to start and run during surveillance tests.
For one of two plants evaluated, the Reactor Safety Study (NUREG-75/014) showed that station blackout could be an important contributor to the total risk from nuclear power plant accidents.
Although this total risk was found to be small, the relative importance of the station blackout event was established.
This finding, with the accumulated data on diesel generator failures, increased the concern about station blackout.
An anaiysis of the risk from station blackout involves an assessment of (1) the likelihood and duration of the loss of offsite power, (2) the reliability of onsite AC power systems, and (3) the potential for severe accident sequences after a loss of all AC power.
These topics were investigated under USI TAP A-44.
This plan included the following major tasks:
NUREG-1032 2-1
(1) Estimating the frequency of station blackout at operating U. S. nuclear power plants.
This analysis consisted of two parts estimating the frequency of loss of offsite power for various plant locations estimating the probability that the onsite AC power system will fail to supply AC power for core cooling (2) Determining plant responses to station blackout and the risk associated with station-blackout-initiated accident sequences.
The scope of this investigation included reviewing the shutdown cooling system design and assessing its capa-bility and reliability during a prolonged station blackout reviewing the containment design and its ability to withstand tempera-ture and pressure buildup during a prolonged loss of AC power estimating the probability of station blackout accident sequences The principal focus of TAP A-44 was the reliability of emergency AC power supplies.
This approach was taken for several reasons.
First, station black-out was identified as a USI primarily on the basis of the questions raised about the reliability of onsite emergency power supplies.
Second, if safety improvements are required, it is easier to analyze, identify, and implement them for the onsite AC power system than for the offsite AC power supplies or for the AC-independent decay heat removal system.
For example, offsite power reliability is dependent on a number of factors--such as regional electrical grid stability, weather phenomena, and repair and restoration capability--that are difficult to analyze and to control.
Also, the capability of a plant to withstand a station blackout depends on those decay heat removal systems, com-ponents, instruments, and controls that are independent of AC power.
These features vary from plant to plant; thus considerable effort is required to NUREG-1032 2-2
analyze all of them or to ensure that the plants indeed have that capability.
Third, significant progress has been made on improving operating PWRs by back-fitting the auxiliary feedwater system to make it independent of AC power.
In addition, under the TAP for USI A-45, " Shutdown Decay Heat Removal Require-ments," the adequacy of shutdown decay heat removal systems for nuclear power plants is being reviewed.
Thus, the reliability of emergency AC power supplies is of principal importance to USI A-44.
A preliminary screening analysis was done to identify plants most likely to suffer core damage as a result of a loss of all AC power.
The intent was to survey the frequency and implication of station blackout events in operating plants and identify any plants with especially high risk that might require further analysis or action on an urgent basis.
The initial results showed no such plants.
Following this initial analysis, station blackout events were evaluated in more detail.
Because the station blackout issue centers on concern about the relia-bility of AC power supplies, typical offsite and emergency AC power supplies were evaluated, and operating (failure) experience reviewed.
This effort was limited to power supply availability and did not include an evaluation of the adequacy of power distribution adequacy or power capacity requirements.
Information on loss of offsite power was collected from licensee event reports (LERs), responses to a Nuclear Regulatory Commission (NRC) questionnaire, and various reports prepared by utilities.
Most of the event descriptions in the LERs and in other documentation in the NRC files did not contain sufficient information to provide an accurate data base for estimating frequencies and durations of losses of offsite power.
For example, in one case a licensee reported that offsite power was restored in 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />; in fact one offsite power source was restored in 8 minutes, and all offsite power was restored in 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.
Because restoration of one source of offsite power terminates a loss of offsite power, the licensee's description was not accurate enough.
In some other cases, although offsite power was available to be reconnected, the plant operators did not reconnect it for some time af ter it was available because onsite power NUREG-1032 2-3
was available.
To obtain more accurate data, the NRC and Oak Ridge National Laboratory staff members worked closely with the Institute of Electrical and Electronics Engineers (IEEE) and the Electric Power Research Institute (EPRI).
These groups contacted utility engineers to get better descriptions of the causes and sequences of events, and the times and methods of restoring offsite power (Wycoff, 1984).
i To gain a perspective on consequences, station blackout event sequences and associated plant responses were analyzed.
The Interim Reliability Evaluation Program (IREP) was one source of information for developing the shutdown cooling reliability models and accident scenarios needed for this evaluation.
The following sections of this report summarize the results of the technical evaluations discussed above.
Details of the technical assessments are reported in NUREG/CR-2989, -3226, and -3992.
Technical evaluations in this report were derived from these references to coalesce that material and extend the analysis to obtain the broader insights and bases necessary to resolve the station black-out issue in an integral manner, considering plant differences.
These supple-mental analyses are described in Appendicies A, B, and C of this report.
NUREG-1032 2-4
i 3 LOSS OF 0FFSITE POWER FREQUENCY AND DURATION The offsite or preferred power system at nuclear power plants consists of the following major components:
two or more incoming power supplies from the grid one or more switchyards to allow routing and distribution of power within the plant one or more transformers to allow the reduction of voltage to levels needed for safety and non-safety systems within the plant distribution systems from the transformers to the switchgear buses Figure 3.1 provides an example of an offsite power system design used for nuclear power plants.
During normal operation, AC power is typically provided to the safety and non-safety buses from the main generator through the auxil-iary transformer; it may also be supplied directly through a startup trans-former.
A minimum of two preferred power supply circuits must be provided.
Sources of offsite power other than the grid may also be provided as alternate or backup sources of power.
These may include nearby (or onsite) gas turbine generators, fossil power plants, and hydroelectric power facilities.
A loss of offsite power is said to occur when all sources of offsite power become un-available, causing safety buses to become deenergized and initiating an under-voltage signal.
Some loss-of-offsite power transients will be very short--just long enough to allow switching from one failed source to another available source.
Because of the short duration of this type of loss-of-offsite power transient, it is not of concern relative to station blackout.
This type of loss-of-offsite power transient is better described as an interruption.
How-ever, if switching errors or failures of alternate sources of power compound the situation and longer term repair, restoration, or actuation of alternate NUREG-1032 3-1
il il JL di O
JL JL di di E
345 kV 138 kV E
A%MA MAM A%MA MAM MAM AAAA AAAA If If IP If lf y NC NC NONSAFETY NO NONSAFETY NO MAIN CLASS 1E CLASS 1E CLASS 1E CLASS 1E GENERATOR DIVISION 1 DIVISION 2 DIVISION 1 OlVISION '
I I
4 4
i 8
l L _ _ tuyOMA.7 c.TR A,NS{ER,,,
,________J L _ _ _ _ _^F2"ATLc LRANS,[E R _ _ _ _ _ j Figure 3.1 Diagram of offsite power system used in nuclear power plants 1
NUREG-1032 3-2
-4 power sources is required, the loss-of-offsite power transient can be signifi-cant.
This type of loss-of-offsite power event is referred to as a total loss of offsite power.
Although total loss of offsite power is relatively infrequent at nuclear power plants, it has happened a number of times, and a data base of information has l
been compiled (Wyckoff, 1984; NUREG/CR-3992).
Historically, a loss of offsite power occurs about once per 10 site years.
The typical duration of these events is on the order of one-half hour. However, at some power plants the frequency
]
of offsite power loss has been substantially greater than the average, and at other plants the duration of offsite power outages has greatly exceeded the norm.
Table 3.1 provides a summary of the data on total-loss-of-offsite power events through 1983.
Because design characteristics, operational features, and the location of nuclear power plants within different grids and meteorological areas can have a significant effect on the likelihood and duration of loss-of-offsite power
~
events, it was necessary to analyze the generic data in more detail.
The data have been categorized into plant-centered events and area-or weather-related events.
Plant-centered events are those in which the design and operational characteristics of the plant itself play a role in the likelihood of the loss of offsite power.
Area-or weather-related events include those on which the reliability of the grid or external influences on the grid have an effect on the likelihood and duration of the loss of offsite power.
The data show that plant-centered events account for the majority of the loss-of-offsite-power events.
The area-or weather-related station blackouts, although of lesser frequency, typically account for the longer duration outages with storms being the major factor.
Figure 3.2 provides a plot of the frequency and dura-tion of loss-of-offsite power events due to plant-centered faults, grid black-out, and severe weather based on past experience at nuclear plant sites.
Appendix A to this report provides a more thorough discussion of the technical bases for the loss-of-offsite power frequency and duration characteristics discussed in the remainder of this section.
NUREG-1032 3-3
Table 3.1 Total losses of offsite power at U.S. nuclear power plant sites, 1968 through 1983*
Frequency of Causes of loss occurrence, Median of offsite power Number per site year **
duration, hr Plant-centered 30 0.056 0.3 Grid blackout 11 0.020 0.7 Severe storm 6
0.011 2.6 TOTAL 47 0.088 0.5
- Excludes sites with one offsite power connection (Humboldt Bay, Lacrosse, and Big Rock Point prior to March 1968) unless the event was grid-related, and eight events that have been classified as " interruptions" of offsite power supplies.
- Total site years through December 1983 = 533.
NUREG-1032 3-4
1 I
0.m Total r
I>
0.04 i3 e
o 5m 0.03 Plant -
~
8 Centered O
t O>0 D
0.02 0
E Grid u.
0.01 Severe Weather 0.00 0.1 1.0 10.0 DURATION (Hours)
Figure 3.2 Frequency of loss-of-offsite power events exceeding specified durations NUREG-1032 3-5
Plant-centered failures typically involve hardware failures, design deficien-cies, human errors (maintenance and switching), and localized weather-induced faults (lightning and ice) or combinations of these types of failure.
No strong correlation was found between the frequency of plant-centered loss-of-offsite power events and any particular design factor.
However, a modest cor-relation was observed between the duration of plant-centered loss-of-offsite-power events and the independence and redundancy of offsite power circuits at a site. In this regard, it has been observed that a site with several immediate and delayed access circuits will generally recover offsite power more promptly than a site with only the minimum requirements.
However, recovery from the relatively high frequency plant-centered faults can be accomplished within a few hours.
Plant location plays an important role in loss-of-offsite power events. Factors shown to be significant were (1) the reliability of the grid from which the nuclear power plant draws its preferred power supply and (2) the likelihood of severe weather that can cause damage to the grid distribution system and hence a loss of power to the plant.
Traditionally, analyses have focused on grid reliability as a dominant factor in estimating loss of offsite power at a plant site.
However, a review of the historical data shows that approximately 15% of all loss-of-offsite power events have been caused by grid problems, and, in fact, a large percentage of grid-related loss-of-offsite power events can be traced to one utility's system.
The grid reliability of that system dominates the data, distorting the perspective on the contribution of grid failure to loss-of-offsite power frequency.
This finding of overall grid reliability should not be unexpected when one recognizes that current distribution and dispatch systems are well coordinated.
Utilities shed loads when possible and generally protect their grid from overloads and faults that could cause grid loss in the various day-to-day operations.
Moreover, when there is a loss of power on the grid, the first activity that is usually undertaken is the resto-ration of power to the electric generation plants so that the grid may be re-stored with appropriate power supplies.
In fact, during the Northeast blackout of 1965, power was restored to a nuclear power plant in New England within about one-half an hour of the grid collapse, while power was not restored to the entire grid for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> or more.
NUREG-1032 3-6
With the exception of a few utility systems, large grid disturbances are rela-tively infrequent, and, again with few exceptions, the duration of power outages at power plants as a result of grid disturbances is relatively short.
An identified weakness in a system is usually corrected as soon as practical; it is the unidentified weaknesses that result in grid failures.
In the absence of a historical trend, operating experience related to grid reliability is no'.
necessarily an indication of future problems unless a known weakness has not been corrected.
Because grids in the U.S. are generally very stable and system pland ng is directed at maintaining and improving that stability, grid relia-bility is usually not the principal indicator of the likelihood of loss of offsite power.
Severe weather, such as local or area-wide storms, can disrupt incoming power supplies to the plant.
In fact, a number of loss-of-offsite power events at nuclear power plants were weather-related.
These can be divided into two failure groups:
(1) those in which the weather caused the event but did not affect the time to restore power (2) those in which the weather initiated the event and caused adverse condi-tions over a sufficiently broad area such that power was not or could not be restored for a long time The first group includes lightning and most other weather events that are not too severe.
They can cause a loss of offsite power, but their severity gene-rally does not contribute in any significant way to long-duration losses of offsite power.
These types of weather-related losses of offsite power have been treated as either plant-centered or grid-related losses of offsite power.
The second group includes losses of offsite power as a result of severe weather such as hurricanes, high winds, snow and ice storms, and tornadoes.
The expected loss-of-offsite power frequency of this group is relatively small.
On the other hand, the likelihood of restoring offsite power quickly for this group is also relatively small.
Although it is expected that the actions of dispatch and plant personnel can influence substantially the duration of NUREG-1032 3-7 l
area-wide grid disturbances that cause a loss of offsite power, severe weather conditions--and the expected duration of the resulting loss-of-offsite power events--cannot be influenced in the same way.
Therefore, one would expect severe weather to dominate the restoration characteristics for long duration outages.
The redundancy, separation, and independence of the offsite power system may affect the likelihood of some weather-related losses such as those induced by tornado strikes.
The depth of this study has not been sufficient to show the effectiveness of these design considerations on reducing the likeli-hood of other types of weather-related outages.
There is a potentially large variation in the annual expected frequency of loss-of-offsite power events at different nuclear power plants, depending on their design and location.
A large variation also has been observed in the duration of loss-of-offsite power events at different nuclear power plants.
The expec-tion of long-duration outages is dominated by the likelihood of severe storms and, to a lesser extent, by the likelihood of grid blackout and the ability to restore power to the site during grid loss.
Grid-related losses are important only when the frequency of occurrence greatly exceeds the national average.
Appendix A describes the modeling and analyses performed by NRC staff to deter-mine the relationship between design and location and the frequency of and dura-tion of loss-of-offsite power events representative of most U.S. nyclear power plant sites.
Figure 3.3 provides a plot of the expected frequency and duration for loss of offsite power for site, design, grid, and weather characteristics that have been found to " cluster" reasonably well.
The factor that most predomi-nantly affects the characteristic groupings is severe weather.
Table 3.2 pro-vides a definition of the site characteristics that make up the loss-of-offsite-power clusters shown.
Appendix A includes additional discussion of the charac-teristics of these clusters.
NUREG-1032 3-8
l l
1::
j
.1 - :-
3 h
.~
~
g g '\\,%' W. 4 Offsite s
Power m
s Clusters
- - - * - - - - * - - - - + _ _ _
NA%.g O
'01 E
55 1
s,N
~ s ~~ - 6 a
s x
m N4 u.
% %~A, o
W
.001 3g
%,9 7 b
b
=
%g%
N2
.0001::
.00001 5
I I
I B
l 8
8 5
0 2
4 6
8 10 12 14 16 DURATION (Hours)
I i
Figure 3.3 Estimated frequency of loss-of-offsite power events exceeding specified durations for representative clusters NUREG-1032 3-9
Table 3.2 Characteristics of some loss-of-offsite power-event clusters j
that affect longer duration outages Cluster Characteristics 2
Offsite Power Design Group II, I2, or I3*; located in an area of very low severe weather hazards or susceptibility to severe weather hazards is very low 4
Moderate to high severe weather hazard area and susceptibility 5
Very high severe weather hazard area and susceptibility 7
Average grid reliability and combinations of offsite power system design and severe weather hazard / susceptibility that most closely approximate the national average for nuclear plants
- See Appendix A for definitions of Design Groups II, I2, and I3.
i i
NUREG-1032 3-10 t
l 4 RELIABILITY OF EMERGENCY AC POWER SUPPLIES The emergency AC power system provides an alternate or backup power supply to the offsite power sources.
Figure 4.1 is a simplified one line diagram of a typical emergency AC power system.
If the offsite power system is lost, an undervoltage condition will exist on the safety buses, causing actuation of the emergency AC power system.
The emergency AC power system provides sufficient functional capability and redundancy of the power requirements for the systems needed to mitigate the consequences of a design-basis accident.
This typically includes a requirement to actuate emergency AC power supplies and make them available for loading within about 10 seconds after receiving an actuation signal.
The emergency AC power system also meets the single-failure criterion when applied to design-basis accidents.
Emergency AC power is generally provided by diesel generator systems, although other sources such as gas turbine generators or hydroelectric power are used at some plants.
Because of the preponderance of diesel generator usage, that power supply type will be the principal focus of emergency AC power system discussions in this report.
Figure 4.2 identifies the typical subsystems and support systems that are needed for successful operation of the emergency diesel generator.
Emergency AC power systems typically consist of two diesel generators, either one of which is sufficient to meet AC power load requirements for a design-basis accident.
This configuration has been designated by its success criterion:
one out of two or more simply 1/2.
In some cases, three or four or more diesel generators are used at single-unit sites, and in others, diesel generators are shared at multi-unit sites.
These systems also can be described by their success criteria, or number of diesel generators required per number provided.
- However, for evaluating the station blackout issue, the success criterion will be defined as the number of diesel generators required to maintain a stable core cooling and decay heat removal condition with all offsite power sources unavailable.
NUREG-1032 4-1
.1_
MAIN O F F 5ITE MAIN OFFSITE UNIT POwtR UNIT POWER uw ww ww ww C8)
C3 C&
[3 EMERGENCY EMERCENCY susI BUS 2 wu wa IY(o,AL de0V TY PIC A L 480V SE R VICE LOAD
- S E R VIC E W AT E R 1 DGl OOI EMERGENCY-
@
- CLOSED BREAKER
- OPE N S RE AEER w *1RANSFORMER 4
Figure 4.1 Simplified 1-of-2 onsite AC power distribution system NUREG-1032 4-2
l
-q OC, -f EMERGENCY j
RRCD SEQUENCER DUS
\\
i s
ESFA!,,-
7.
POWER I
l 00 l
OUTPUT j
DnEAKER N
l i
I I
s
(
DIESEL GENEnATOR )
g ESFAS ESFAS g
/
w l
/\\A
/\\
FUEL Olt EXCITER g
COOLING LWEOL l
l RE A
R l
1 START SYSTEM i
SCAVENGING l
I a'a
... e.,
bovad:<y I
l OOVERNOR g
I I
EXHAUST i
l I
l SHUTDOWN l
l l
L_______________,.J Figure 4.2 Onsite power system functional block diagram
- ESFAS = engineered safety feature actuation system NUREG-1032 4-3
The emergency AC power configurations that exist in the U. S. have been identified as follows:
(1) Emergency AC power supplies dedicated to one unit 1/2 1/3 1/4 2/4 (2) Emergency AC power supplies shared between two units 1/2 2/3 2/4 2/5 3/5 (3) Emergency AC power supplies shared between three units 3/8 Although a closer review of emergency AC power supply requirements may produce some variations on these configurations, they represent a wide variety in system success criteria for reliability evaluations.
The design variability of emergency AC power systems is further complicated by dependencies on certain support systems that, by themselves, have a multitude of designs.
These support systems include cooling systems (air or water), DC power, and heating, ventilation, and air conditioning (HVAC) systems.
- Moreover, maintenance and testing activities vary considerably, which can affect the reli-ability of the emergency AC power system.
Emergency AC power systems can be considered in two separate parts:
power supplies and the power distribution system.
In general it has been found that the individual components of the emergency AC power distribution system from NUREG-1032 4-4 L
i the safety (switchgear) buses to the safety components are not significant con-tributors to the unavailability of AC power in regard to the station blackout issue.
This statement is true because many independent, separate, and diverse distribution system components must fail to cause loss of all AC power to the safety systems.
Although fires and earthquakes have the potential to cause such distribution system failures, these hazards have been studied as separate safety issues, and were not systematically assessed as part of the station blackout issue.
Substantial operating experience data were investigated to identify and esti-l mate important reliability characteristics of emergency diesel generators (NUREG/CR-2989).
Diesel generator reliability performance information was collected from 45 nuclear power plants with 86 diesel generators.
A summary of the emergency diesel generator statistical data collected is provided in Table 4.1.
In addition, information regarding diesel generator outages and downtime was obtained from responses to TMI Action Plan (NUREG-0737) items from i
licensees of plants with 58 diesel generators, and more than 1500' licensee event reports (LERs) covering the 5 year period from 1976 through 1980 were reviewed j
for failure information.
Analysis of this operating experience showed that, on the average, diesel generators failed to start, load, or continue running approx-4 imately 2 times out of every 100 demands.
It was also observed that during the i
actual loss-of-offsite power events through 1983 there were 19 instances in 2
which one or more diesel generators failed, operated in a degraded condition,
~ or were otherwise unavailable.
During most of these events, the degraded diesel generators were able to meet minimum performance requirements, and failed units were promptly restored to an operable condition.
And, from 1976 through 1982, there were 45 multiple diesel generator outages identified, of which 11 were classified as common cause failures.
Figure 4.3 provides histograms of emergency diesel generator failures on demand for 1976 through 1982.
Although the average failure on demand observed is about I
2 x 10 2, there is a significant spread from the highest to the lowest demand failure rate.
The average failure rate and range have not changed substantially l
during this period.
A review of the data has not identified any particular type of failure as the most dominant.
At least in part, the reasons for this are (1) there are several different types of diesel generators, with different sup-port and auxiliary system designs, operating at nuclear power plants, and l
NUREG-1032 4-5 I
Table 4.1 Diesel generator start attempts and failures for tests and actual demands
- No. of Auto-auto start Start No. of Fail-start fail-attempt No. of fail-ures per fail-ures per Unavail-Unavail-category demands ures demand ures demand able ability 0.006 Test 13,665 253 0.019 55 0.004 Loss of 100 5
0.05 3
0.03 3
0.03 offsite power **
All 539 14 0.026 5
0.009 3
0.006 emergency demands Failure to run:
2.4 x 10 3/hr***
- Summarizing the responses to diesel generator reliability questionnaires based on 45 nuclear power plants, with 86 diesel generators, for operating years 1976 through 1980.
- Updated from data reported in NUREG/CR-2989.
- Based on 314 attempts at scheduled run time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> or more with 9 failures to run during these attempts.
1 NUREG-1032 4-6 l
L.
9 e
,a -
300 -
iOO -
90 -
90-90 -
_m-1976 m-1977 m-1978 s
m-m.
m.
2 0
m.
3 m-i m.
! m-M
! so-j so -
I e
m.
e a-m-1 f
m.
f m-~lg m-
=
m.
m-m-
i,
,0 w-w.
30 -
M.. M.,.
k.
06 Os 07 00 09 10 > 10 01 02 03 04 05 Os 07 OB 08 to > 10 A
i i. M.
0 01 02 03 04 05 08 07 00 09 10 > 10 01 G2 03 04 PROSABILITY Oc F A8LURf PROSA81UTY OF FAILURE PROBASILITY OF FAILURE 9
""1 100 -
100 -
a m.
iO.
s m-1979 m-1980 5
m-2 m-2 2
g m-
- m-a a
& ID -
Q 90- m g m.
g e-2 I m-i m-t t
m.
3 3
a-
. A. A.
A A 0
07 05 05 10 > 10 01 02 03 04 06 08 0'
08 GB 10 > 10 01 02 03 04 05 08 PROBAttuTY OF 8AILURE PROsABluTY OF FAILURE 300 -
300 -
m-so -
_ m-1981 m-1982 f
f O
M*
O M"
E E
g m.
j m-,
~
80 90-w e m-t a-fm-h m-1 m.
-1 m.
10 -
e e
to.
- 6..e s e
- r. 1 rm 0
01 m
=..O,
=
0.
,0 >,0 0,
m = 0 m =., m O.
10, 10 PROS AS8UTY OF FAILURE PROS AS4LITY OF F A6 LURE Figure 4.3 Histograms showing emergency diesel generator failure on demand for 1976 through 1982 NUREG-1032 4-7 l
(2) maintenance and test activities are not standardized within the nuclear in-dustry.
Figure 4.4 shows the percentage contribution of failure by subsystem.
In general, sufficient information was not available to add high confidence to the correlation of root failure causes with specific design and operational factors.
The data indicate that approximately 80% of the failures are the re-sult of hardware-related problems and 20% are the result of human error.
These statements are not meant to imply that any one particular diesel gene-rator is susceptible to all possible failure modes with equal importance.
It is more likely that a few specific defects may exist, and if these are not discovered and corrected, failures may occur.
The failures observed can be classified into three general types:
(1) design and hardware failures related to mechanical integrity or various failure modes in the diesel generator subsystems, such as fuel, cooling, starting, and actuation (2) operation and maintenance errors related to the correctness and adequacy of procedures or training, and human factors including the potential for errors of commission and omission (3) failures that occur in support systems, or at interfaces with support systems and other systems, that can involve DC control power, service (or raw) water cooling, environmental control (air temperature and quality),
and interface with the normal AC power system Multiple diesel generator failures can occur when a fault or degradation exists involving a common factor or dependency for two or more diesel generators.
Multiple failures may also occur as a result of design and operating deficien-cies similar to those previously mentioned, but in this case degradation or failure occurs concurrently in multiple diesel units.
For instance, a defec-tive crankshaft design may be such that mechanical failure is highly likely to occur after a certain amount of usage.
If two or more diesel generators reach As that usage level at nearly the same time, concurrent failures may result.
NUREG-1032 4-8
as
- f[ 1976-8o
~
E 30 y
, i!,..
jf
- i $i 1981-82 A
N;.'
6 2s x
g/'/
/
b
,A o
e 20 a:
/
/'l/
l M
?':
9 zo o
15 r
j q
q l g:
p//'
f
/~
)!!!,
s m
f,!!! ;
g
- i:
So
'/,x/.
/
b:::.
}8 '.:
':: i g:i -
7% //... :
yj
/
s E
- 7 L
- !!5i:
sjj.j h
/3 l
/: (!!!l
/7
]
_j 4+r / se r
o
/
/
O
.s O
~o e
p SUBSYSTEM Figure 4.4 Failure contribution by diesel generator subsystem NUREG-1032 4-9 l
i another example, defective maintenance procedures and training could result in human errors causing failure or simultaneous outages of two or more diesel units.
Another type of common cause failure is related to the existence of single point vulnerabilities.
Examples include a check valve in a header of a cooling water supply, the unrecognized dependence on an obscure single control circuit or element, and the use of common fuel supplies and containers.
Finally, common cause failures can be related to commonality of location with regard to environmental conditions for which adequate protection is not provided.
These conditions can include fire, flood, dust, corrosive elements in the air, or temperature and humidity extremes.
In' assessing the reliability of emergency AC power systems, consideration was given to the failure modes, causes, and failure rates derived from the opera-tional data.
Reliability analyses performed by Oak Ridge National Laboratory (0RNL) for 18 nuclear power plant AC power configurations and the plant-specific failure data were applied to derive typical system unavailability estimates.
Figure 4.5 shows a histogram of the onsite AC power results for the 18 plants studied. The results of this work, summarized in Table 4.2, show the diesel generator configuration studied, the calculated range of unavailability on demand, and the dominant failure causes for each group analyzed.
Not surpris-ingly, for the least redundant system configuration, the independent diesel generator failure likelihood is the most dominant failure factor.
As system redundancy is increased, common cause failures become more important.
Common cause failures involving hardware failure, human error, and dependent system failures were found to be important.
Although, for the most part, power supply outages resulting from testing and maintenance were not found to be large contributors to system unavailability, a few cases were identified in which extensive maintenance outages could cause significant system unavailability.
The quality of test and maintenance pro-cedures, however, can be an important factor affecting system reliability.
Lower than average huinan-error-related diesel generator failures were observed l
when procedures were clearly written and had a sufficient level of detail, in-cluding complete check lists so operations personnel could verify that normal values were properly indicated after maintenance, NUREG-1032 4-10 t
8-6-
$Z 5
n.
o 4-5 m
E D
2 2
l l
0
-[
4 4
1x10 3x10 1x10-3 3x10-3 1x10-2 3x10-2 1x10 UNAVAILABILTY Figure 4.5 Onsite AC system unavailability for 18 plants studied in NUREG/CR-2989 NUREG-1032 4-11
l Table 4.2 Results of onsite power system reliability analysis reported in NUREG/CR-2989 Diesel generator Range of system unavail-
' configuration ability per demand Dominant failure causes 2 of 3 4.2 x 10 3 to 4.8 x 10 2 Independent diesel failure; human error CCF*.
1 of 2-1.1 x 10 3 to 6.8 x 10 3 Independent diesel failure; human error CCF*.
T&M** outages.
2 of 4 3.7 x 10 4 to 1.7 x 10 3 Human error and hardware CCF*.
1 of 3 1.8 x 10 4 to 7.2 x 10 4 Human error, hardware, and service water CCF, independent diesel failure; DC power CCF*.
2 of 5 1.4 x 10 4 to 2.5 x 10 3 Human error, hardware, service water, and DC power CCF*.
- CCF = common cause failures
- T&M = test and maintenance NUREG-1032 4-12
The impact of dependent systems (such as service water cooling and direct cur-rent (DC) power) on the reliability of the emergency AC power system varies from plant to plant.
The ORNL analyses did not go into detail on the relia-bility of those support systems.
However, failures of dependent systems that affect the emergency AC power system seem to be dominated by single point pas-sive failures or human error.
A highly unreliable support system can cause a highly unreliable AC power system.
Because these support and auxiliary systems also tend to be important for the operation of decay heat removal systems--and to some extent for the supply of normal AC power from the offsite power sources--
single point vulnerabilities and human error failures in these systems have added importance.
Another potentially important reliability parameter involves the likelihood of a failed power supply (diesel) being restored to an operable state during a loss-of-AC power transient.
A histogram based on emergency diesel generator repair times following a failure is provided in Figure 4.6.
The median repair time is approximately 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />.
These data represent an aggragate for all types of failure modes, and, for the most part, they represent repair times during non-emergencies.
Primarily these failures occurred during plant operation, but some occurred during plant shutdown.
It is difficult to determine whether these data over-estimate or under-estimate the diesel generator repair time anticipated during an emergency. There are reasons to believe that these data over-estimate the time required to repair a failed diesel generator during a station blackout.
Because the typical limiting condition for operation (LCO) for a single diesel generator out of service is 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> or more, there is no urgency to restore a failed diesel generator as l
quickly as would be the case during a loss of all AC power.
In addition, the LC0 may not have been ir. force if the plant were shutdown when a test failure occurred, which woulu ;iave lessened also the urgency for repair.
Moreover, if a failure did occur when alternate AC power sources were available, it might be seen as an opportune time to perform other routine maintenance on the failed diesel generator.
Conversely, the repair time could be under-estimated by virtue of the confusion that could occur during a station blackout event.
Under stress, human error is NUREG-1032 4-13
El '
' j; il l
i io
.k 1
=
e t
8 t
1
~
- HF.
I 3-5 1
9 at 13 35 2.
i.oo Time Since Diesel Generator Failure (liours)
Figure 4.6 Percentage of emergancy diesel generator failures repaired vs. time since failure Source:
NUREG/CR-2989 NUREG-1032 4-14
usually higher than it is under normal conditions.
The diesel failure problem would have to be diagnosed, needed equipment would have to be obtained, and cor-rect repair procedures would have to be followed; all this would have to be done under time constraints and pressure, without AC power available.
Also, main-tenance and operations personnel resources would be divided between activities 1
for restoring both offsite and emergency power supplies.
In addition to conducting the plant-specific analyses, ORNL constructed generic models for different emergency AC power configurations.
These generic models were used to estimate system reliability as a function of the important char-acteristics identified in the plant-specific analyses.
Typical system depend-encies and nominal values for common cause failures and procedural errors were assumed in the models, and sensitivity analyses were performed to determine the importance of all the factors considered.
Overall, the most important factors tended to be system redundancy and the reliability of emergency diesel genera-4 tors on demand.
Not surprisingly, it was found that common cause failure is most important in highly redundant system configurations with highly reliable (for independent failure causes) diesel generators.
Based on these considerations, the NRC staff performed additional analyses of emergency AC power system reliability to extend the quantitative results and further explore the sensitivities.
Figure 4.7 shows the effect of varying emergency diesel generator reliability on emergency AC power system reliability for several configurations both with and without common cause failure.
The sensitivities of system reliability estimates on variations in diesel generator running reliability are shown in Figure 4.8.
Additional results, parametric analyses, and details of the analytical model are provided in Appendix 8.
Thus, on the basis of a review of operating experience and reliability analyses, the following factors have been identified as being the largest contributors to AC power system availability:
(1) the configuration of the diesel generators in terms of the number avail-able and the number required for shutdown cooling NUREG-1032 4-15
With EDG Common Cause Failure
Without EDG Common Cause Failure Emergency AC Configuration (2 of 3)
-2 10 T
\\
m g
5 s
s N
~
\\
(1 of 2) g
~
3 N
5 N
N g
N N
o
\\
N.
\\
S N,
i
\\
>-o N
5
\\
E
\\
y 10 7
\\
w
~
(1 of 3) s T
j
%,,~~ ~.
% g
- euen g
=,,,
1 I
I I
0.92 0.94 0.96 0.98 EDG RELIABILITY Figure 4.7 Generic emergency AC power unavailability as a function of emergency diesel generator (EDG) reliability NUREG-1032 4-16
1 I
i i
i q
l Base Case Common Cause Failure to Run Rate
--- Common Cause Failure to Run Rate is 0 DURATION OF LOSS OFFSITE POWER IS 8 HOURS DURATION OF STATION BLACKOUT IS 4 HOURS 10'*
=f N
m N
5 N
q N
\\
z
\\ %
EDG 3
g
=,
CONFIGURATION 3:
.2 N
N\\
N 2of3 O4 N
E N \\
W E
N \\
b
\\
O'3 N
~
N 1 of 2 N
g
=
N l of 3 I
I I
10 C.980 0.984 0.988 0.992 0.996 1.000 EDG RUNNING RELIABILITY i
Figure 4.8 Emergency AC power unavailability as a function of individual diesel generator running reliability NUREG-1032 4-17
}
(2) the reliability of diesel generators or other power sources used in the emergency AC power system (3) the dependence of the AC power system on support or auxiliary systems used for actuation, control, or cooling (4) the vulnerability of the AC power system to common cause failure as a result of various design, human error, and internal or external environ-mental hazards In general, it has been ' observed that problems with onsite emergency AC power systems are very plant-specific, and improvement in system reliability wot:Id have to be developed on a plant-by plant basis.
NUREG-1032 4-18
5 STATION BLACK 0UT FREQUENCY AND DURATION There have been several incidents at nuclear power plants that could be classi-fled as precursors to station blackout.
In fact, there have been a few cases in which loss of offsite and emergency AC power supplies o'ccurred simultaneously.
However, none of these events progressed to be a significant safety concern.
Many of these incidents occurred when plants were shutdown or during refueling, when station blackout concerns are much reduced and the LCOs--in terms of num-bers of offsite and emergency AC power supplies available--are reduced.
The lack of a significant number of station blackout events is not surprising when one considers past frequency of loss-of-offsite power events and the re-liability record of emergency AC power systems.
As a result, it has been necessary to estimate station blackout frequency by combining loss-of-offsite-power-event frequency and duration correlations with the emergency AC power reliability models.
(Appendix B describes the methods used to derive station blackout frequency and duration estimates.)
Figures 5.1 through 5.3 give the results of sensitivity analyses performed to determine the effect of design, location, and amergency AC power supplies relia-bility.
Specifically, Figure 5.1 shows the effect of site location and offsite power system design as represented by offsite power clusters 2, 4, 5, and 7.
(These clusters are defined in Section 3 and Appendix A.) These clusters were combined with a typical, two-diesel generator, emergency AC power system with a diesel generator reliability of 0.975.
Cluster 7 is a close representation of the average of nuclear operating experience with regard to the frequency and duration of loss-of-offsite power events.
Cluster 5 represents sites with re-latively high severe weather hazards and susceptibility to failure from those hazards.
Cluster 4 has slightly lower severe weather hazards than cluster 5.
Cluster 2 represents the combination of the more reliable offsite power design features and sites with low severe weather hazards or low susceptibility to severe weather hazards.
The estimated frequency of longer duration station blackouts is dependent on the likelihood of the more damaging and extensive f
NUREG-1032 5-1 l
i i
1/2 EDG Configuration 0.975 EDG Reliability 4
10 4 10~5 B
Uej Offsite Power Cluster 6
-5 6s 8
10~e
~
o
$4
_4 E
bw
-7 10'7
-2 i
i 1
0 4
8 12 16 STATION BLACKOUT DURATION (Hours)
Figure 5.1 Estimated frequency of station blackout exceeding specified durations for several representative offsite power clusters NUREG-1032 5-2
I I
I Offsite Power Cluster 7 1/2 EDG Configuration 4
10 r
3>
bti 3m 10-8 g
E U
5 3
8 5
8 42 5
10-s EDG Reliability w
- 0.9
- 0.95
- 0.975 10-7
- 0.99 i
i 1
0 4
8 12 16 STATION BLACKOUT DURATION (Hours)
Figure 5.2 Estimated frequency of station blackout exceeding specified durations for several EDG reliability levels NUREG-1032 5-3
I I
I Offsite Power Cluster 7 4
- "* "IIY 10 1
10-8 r:>
L i
8 8
E e
UZ 10-6 wa0y AC Power u.
Configuration O
- 2/3 4
E P
-1/2 10'7
-1/3 0
4 8
12 16 STATION BLACKOUT DURATION (Hours)
Figure 5.3 Estimated frequency of station blackout exceeding specified durations for several emergency AC poster configurations NUREG-1032 5-4
losses of offsite power for which severe weather hazards have been identified as a principal contributor.
(Note:
Seismically induced loss of offsite power has not been included but could be accounted for through a hazard evaluation and fragility analysis; this consideration is discussed in Section 9.)
Figure 5.2 shows the effect of variations in emergency diesel generator reliabil-ity for the typical offsite system (cluster 7) and emergency AC power system (1/2 configuration).
The largest change in frequency per percentile change in diesel generator reliability is obtained when reliability levels are lowest (0.9).
This is somewhat of an artifact of the model in which common cause fail-ure rates are kept constant.
If there were no common cause failure contribu-tions, or if common cause failure were correlated with the independent failure rate of diesel generators (and it may be), the frequency reduction could be pro-portional to the square of the percentile change in diesel reliability for the configuration analyzed.
Figure 5.3 shows the effect of emergency AC power configuration and success criteria on station blackout frequency, using a diesel generator reliability of 0.975 and a generic common cause failure rate. Again the effect of common cause failures on system-reliability is to reduce the difference between the three configurations that would be expected from simple redundancy considerations.
The results of the station blackout analysis show that there is a potential for wide variation in frequency and duration, depending on location, design, and reliability.
(Additional results are in Appendix B.)
NUREG-1032 5-5 I
i 6 ABILITY TO COPE WITH A STATION BLACK 0UT Station blackout is a serious concern because it has a large effect on the avail-ability of systems for removing decay heat.
In both PWRs and BWRs, a substantial number of systems normally used to cool the reactor are lost when AC power is not available.
A loss of offsite power will usually result in the unavailability of the power conversion system and, in particular, an inability to operate the main feedwater system.
Power to reactor coolant system recirculation pumps will also be lost, requiring that natural circulation be used for cooling to shutdown con-ditions. When the loss of offsite power is compounded by a loss of the emer-gency AC power supplies, reactor core cooling and decay heat removal must be accomplished by a limited set of systems that are steam driven, passive, or have other dedicated (or alternate) sources of power.
Unless special provisions are made, the plant will have to be maintained in a " hot" mode (hot shutdown or possibly hot standby) until AC power is restored.
Table 6.1 lists which func-tions and systems for PWRs and BWRs would be lost and which would remain avail-able during a station blackout event.
Decay heat can be removed successfully, using the AC-independent systems identified, for a limited time, depending on functional capabilities, capacities, and procedural adequacy.
For PWRs, decay heat can be removed by use of a steam-driven or dedicated diesel-driven train of the auxiliary feedwater system (AFWS).
Decay heat would be re-jected to the environment by the atmospheric dump valves (ADVs) or, if necessary, by the steam generator relief valves.
Because residual heat removal systems, reactor coolant make-up systems, and systems to control reactivity through boration would be inoperable, the plant must be maintained in a hot condition.
The plant's operating state (primary coolant pressure and temperature) would be I
maintained by manual operation of the AFWS and atmospheric steam dump valves.
With primary coolant pumps unavailable, reactor core cooling would be achieved through natural circulation.
If the AFWS can remain operable, and if primary coolant inventory can be maintained at a level adequate to maintain the core cooling / heat transport NUREG-1032 6-1 i
Table 6.1 Effects of station blackout on plant decay heat removal functions Plant Functions (systems)
Functions (systems)
Type remaining lost PWR Shutdown heat removal Shutdown heat removal (motor-(steam-driven AFWS, ADVs) driven AFWS)
Long-term heat removal (RHR)
Instrumentation and control (DC power / converted AC Reactivity control (chemical power, compressed air volume and control system reservoir)
RCS makeup (high pressure injection system)
Pressure and temperature control (pressurizer heaters /
spray and pilot-operated relief valves)
Support systems (service / component cooling water systems, HVAC, station air compressors)
- BWR, Shutdown heat removal Long-term heat removal (RHR) 2/3 (isolation condenser, fire water system)
Reactor coolant system makeup (low pressure core spray system, feedwater coolant injection system)
Instrumentation and control Support systems (DC power / converted AC (service / component cooling power, compressed air water systems, HVAC, station reservoirs) air compressors)
- BWR, Shutdown heat removal and Long-term heat removal 4-6 reactor coolant system makeup (shutdown cooling system, (HPCI or HPCS/RCIC systems) low pressure coolant recirculation system, Instrumentation and control suppression pool cooling 4
(DC power / converted AC system) power, compressed air reserviors)
Support systems (service / component cooling water systems, HVAC, station air compressors)
NUREG-1032 6-2
loop to the steam generators, a PWR should be able to stay in this mode of decay heat removal for a substantial period of time.
The amount of time that decay heat removal can be maintained in a PWR is generally limited by primary pressure boundary leakage and the capacity of certain support or auxiliary systems.
The sources of potential leakage include reactor coolant pump seals, unisolated letdown lines, and a stuck-open pilot-operated relief valve (PORV).
With provisions for manual isolation of letdown lines and reduced frequency of PORV demands, the reactor coolant pump seal leakage rate is considered to be a potentially limiting factor for some designs.
If the leakage rate is low (on the order of several gallons per minute) this concern is negligible.
However, if seal leakage is on the order of 100 gpm or more, reactor coolant system inventory depletion will be a factor limiting decay heat removal for an extended period of time.
Natural circulation cooldown in PWRs has been successfully demonstrated by ac-tual operating experience.
The process becomes more difficult with AC power unavailable because reactor coolant makeup systems to accommodate system shrink-age and pressurizer heaters or sprays to help control primary system coolant conditions are inoperable.
Nevertheless, analytical evaluations (Fletcher, 1981) and experimental observations (Adams, et al. 1983) show that decay heat removal can be achieved with the operational limitations associated with a station black-out.
In fact, core cooling is expected to preclude core melting even with signifi-cant voiding in the primary coolant system if the steam generator is maintained as a heat sink.
To assess station blackout, BWRs have been divided into two functionally differ-ent classes:
(1) those that use an isolation condenser cooling system for decay heat removal and do not have a makeup capability independent of AC power (BWR-2 and -3 designs), and (2) those with a reactor core isolation cooling (RCIC) sys-tem and either a steam-turbine-driven high pressure coolant injection (HPCI) sys-tem or high pressure core spray (HPCS) system with a dedicated diesel, any of which is adequate to remove decay heat from the core and control water inventory conditions in the reactor vessel (BWR-4,
-5, and -6 designs).
Because BWRs are designed as natural circulation reactors, at least at reduced power levels, the loss of reactor coolant recirculation poses no special consideration.
- Moreover, NUREG-1032 6-3
reactivity control during cooldown is adequately maintained by control rod in-sertion, an action that would occur automatically on loss of all AC power.
The isolation condenser BWR has functional characteristics somewhat like that of a PWR during a station blackout in that normal makeup to the reactor coolant system is lost along with the residual heat removal (RHR) system.
The isolation condenser is essentially a passive system that is actuated by opening a conden-sate return valve; it transfers decay heat by natural circulation.
The shell side of the condenser is supplied with water from a diesel-driven pump.
- However, replenishment of the existing reservoir of water in the isolation condenser is not required until 1 or 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> after actuation.
It may also be possible to remove decay heat from this class of BWRs by depressurizing the primary system and using a special connection for a fire water pump to provide reactor coolant makeup.
This alternative would require much greater operator involvement.
Some BWR-3 designs have added an RCIC system, giving makeup capability to the AC power-independent decay heat removal capability of the isolation condenser cooling systei...
A large source of uncontrolled primary coolant leakage will limit the time the isolation condenser cooling system can be effective.
If no source of makeup is provided, eventually enough inventory will be lo:t to uncover the core.
A stuck-open relief valve or the reactor coolant recirculation pump seal are potential sources of such leakage.
When isolation condenser cooling has been established, the need to maintain the operability of such auxiliary and support systems as DC power and compressed air is less for this type of BWR than it is for the PWR.
However, these systems would eventually be needed to recover from the transient.
BWRs with RCIC and HPCI or HPCS can establish decay heat removal by discharging steam to the suppression pool through relief valves and by making up lost coolant to the reactor vessel.
In these BWR designs, decay heat is not removed to the environment, but is stored in the suppression pool.
For this type of BWR design, long-term heat removal in the form of suppression pool cooling or residual heat removal using low pressure coolant injection and recirculation heat transport loops is lost during a station blackout.
The time that the plant can be main-tained in a safe condition without AC power recovery is determined, in part, by the maximum suppression pool temperature for which successful operation of decay NUREG-1032 6-4
heat removal systems can be ensured both during a station blackout event and when AC power is recovered.
At high suppression pool temperatures (around 200 F),
unstable condensation loads may cause loss of containment suppression pool integ-rity.
Another suppression pool temperature limitation to be considered is the qualification temperature on the RCIC or HPCI pumps to be used during recircula-tion.
Suppression pool temperatures may also be limited by net positive suction head (NPSH) requirements for pumps in systems required to effect recovery once AC power is restored.
In general, all light-water reactor (LWR) designs include the ability to remove
(
decay heat for some period of time.
The time depends on the capabilities and capacities of support systems, such as the quantity and availability of water required for decay heat rejection, the capacity of DC power supplies and compressed air reservoirs, and the potential degradation of components as a result of environmental conditions that arise when heating, ventilation, and air conditioning (HVAC) systems are not operating.
System capabilities and capacities are normally set so the system can provide its safety function during the spectrum of design-basis accidents and anticipated operational trarisients, which does not include station blackout.
Perhaps the most important support system for both PWRs and BWRs is the DC power supply.
During a station blackout, unless special emergency systems are pro-vided, battery charging capability is lost.
Therefore, the capability of the DC system to provide power needed for instrumentation and control can be a sig-nificant time constraint on the ability of a olant to cope with a station black-out.
DC power systems are generally designed for a certain capacity in the event of a design-basis accident with battery charging unavailable.
However, the sys-tem loads required for decay heat removal during a total loss of AC power are somewhat less than the expected design-basis accident loads on the DC power sys-tem.
Therefore, most DC power systems in operation today have the capacity to last longer during a station blackout than they would be expected to last dur-ing a design-basis accident.
Another important factor in regard to decay heat removal during station blackout is the capacity of the condensate storage tank.
Normally, this tank contains a sufficient amount of water to cool the reactor until the RHR system can be placed NUREG-1032 6-5 4
in operation.
Because the RHR system is not available when all AC power is lost, the ability to cope with statian blackout is a function of the condensate storage tank capacity.
The ability to provide makeup to the condensate storage tank with systems and/or components that are independent of station AC power would extend this potentially limiting factor.
Also, during a station blackout, there may be need to operate some pneumatic valves, such as the steam relief valve.
Because AC power is not available, the station air compressors will be lost.
For this reason, local air reservoirs
)
are normally provided to permit the valves to be operated for a limited number of cycles.
After the air supply is exhausted, these valves may have to be operated manually by the operations staff, or additional portable air tanks would have to be connected.
During a station blackout, normal plant HVAC would be unavailable.
The equipment needed to operate during a station blackout and that required for recovery from a station blackout would have to operate in environmental conditions (e.g.,
temperature, pressure, humidity) that could occur as a result of the blackout.
Otherwise, failures of necessary equipment could lead to loss of core cooling and decay heat removal during the blackout or failure to recover from the event when AC power is restored.
The instrumentation and control elements of compo-nents required during station blackout are the most likely to be impacted by adverse environments.
However, only limited equipment in the control room would have to be operable, thus limiting equipment generated heat loads in that loca-tion.
The same would be true for equipment in auxiliary buildings and inside containment, although sensible heat from preexisting sources could be consider-able.
For control rooms and auxiliary buildings, opening doors should allow enough heat to escape to maintain equipment in an acceptable operating environ-ment.
Temperature sensitive equipment located in normally enclosed cabinets that rely on HVAC systems to remove heat generated during normal operation could be subject to failure or degradation unless ventilation is provided.
Most equip-ment in containment is designed to function in the more limiting environment associated with a design-basis loss-of-coolant accident, and therefore, could be expected to function during a station blackout.
NUREG-1032 6-6
Table 6.2 summarizes the design-related factors that have been identified as potentially limiting the capability of LWRs to cope with a station blackout.
Actions necessary to operate systems that are needed to establish and maintain decay heat removal and fully recover from a station blackout would not be routine.
The operator would have somewhat less information and operational flexibility than is normally available during most other transients requiring reactor cooldown.
On the other hand, the loss of all AC power is an easily diagnosed occurrence, although it is not always easily corrected.
Operational staff activities would have to be directed at both reactor decay heat removal requirements and the restoration of AC power.
These activities would include manual operations within the control room to control the rate of core decay heat removal and special operations outside the control room.
The latter would include repairing failed components, isolating sources of reactor coolant leakage, conserving DC power through load stripping, making available alternate makeup water supplies, hooking up compressed air bottles, and possibly starting local manual operation of some components.
The success of these acti-vities would require preplanning, training, and procedures.
In addition, ade-quate lighting and communication would be required.
Where local access is necessary, security and working environment (pressure, temperature, humidity, and radiation) could be limiting factors.
In PWRs, operators must control the rate at which the AFWS removes heat from the steam generators to maintain the proper pressure and temperature balance within the primary coolant system.
This balance then allows adequate natural circulation and the maintainance of adequate water level in the pressurizer.
Although analytical and experimental evidence suggests that natural circulation and adequate decay heat removal can be maintained when pressurizer level is lost (and, in fact, when a two phase flow mixture exists in the reactor coolant system up to the point the reactor core is uncovered), these conditions would complicate the recovery process and add to the difficulty of operator recovery actions.
In BWRs, the isolation condenser appears to need less operator attention.
However, operators would have to ensure that automatic depressurization does NUREG-1032 6-7
Table 6.2 Possible factors limiting the ability to cope with a station blackout event Type of plant Limiting factor PWR BWR 2/3 BWR 4/5/6 RCS pump seal leakage X
X RCS letdown / makeup and water X
X chemistry control lines Stuck-open relief valve X
X DC battery capacity (instrumenta-X X
X tion and control)
Compressed air (valve control)
X X
X Decay heat i moval water supply X
X X
(condensate, firewater)
Operating er.vironment (temperature)
Control room X
X X
(instrumentation and control)
Containment X
(suppression pool, wetwell, drywell)
Auxiliary building X
X (AFWS/ room)
(HPCI/RCIC room)
NUREG-1032 6-8
not occur and that the makeup system to the isolation condenser is operating properly within approximately 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of the loss of AC power.
In BWRs with HPCI or HPCS and RCIC, the operator must control both pressure and the level of reactor coolant in the vessel.
This requires actuation of both makeup and relief systems.
In all LWRs, operators would have to be prepared to deal with the effects of the loss and restoration of AC power on plant control and safety system set points to limit additional transient complications and ensure operability of AC powered cooling systems.
i NUREG-1032 6-9 L
7 ACCIDENT SEQUENCE ANALYSES Accident sequence analyses have been performed to determine the accident pro-gression characteristics (Fletcher, 1981; NUREG/CR-1988, Schultz and Wagoner, 1982; and NUREG/CR-2182) and likelihood (NUREG/CR-3226) of a station blackout.
Using fault trees and event trees, these analyses have identified functional and system failure characteristics of accident sequences.
Reactor coolant sys-tem transient response analyses were used (1) to determine the capability of a plant to cope with station blackout and (2) for potentially important functional failures during a station blackout, to estimate how much time would be available for AC power recovery before core damage and core melt.
Considering the decay heat removal system capability requirements and the asso-ciated systems' reliability, failure modes, and failure causes, three phases of a station blackout transient were identified.
The first phase includes the need for promptly actuating decay heat removal systems and the potential for a station blackout induced loss-of-coolant accident (LOCA), either of which can result in a loss of core cooling within 1 to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />.
The second phase lasts up to approximately 8 to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and includes operational limitations in the capability of continued decay heat removal considering limited capacities (such as DC power, condensate storage tank) or interactive failure (for example, high temperature effects due to loss of HVAC), and the potential for reactor coolant loss (such as, through pump seal leakage).
During this period, the running reliability of the system is less important than the successful initial actuation of the AC-independent decay heat removal systems.
The third phase involves the need to eventually recover AC power and establish a stable, control-lable mode of decay heat removal.
As discussed above, considering the systems and functions available for the dif-ferent PWR and BWR designs resulted in the development of three event trees for the identification of station blackout accident sequences.
Figure 7.1 shows the event tree for PWRs; Figure 7.2 shows it for BWRs that use an isolation conden-ser; and Figure 7.3 for BWRs that have AC-independent makeup systems (RCIC, HPCS, NUREG-1032 7-1
$ 2 hrs.
2-12 hrs.
>{2->24 hrs.
a e
u o
9 3
O OO 3
W N.J G
J 58 JMS 5
Ogs sa U
Cm sa85 H50 Um Eug ou e
.8
- s 5
o5
- se' 5%"
05 82=
5 55 J2 "O
JgMW "M
8 SE m
M N
W W
(Lgl (0:1 (81)
(L 3 (0 8 (821 183) 2 2
ggg)
-Success TN B3 CD
-Fallure Small LOCA TMQ Bg OR 2
TM02 2 CD B
TM L 81 M
2
__ TN L 822 CD TMBo-Small LOCA TML 0 ag OR 2 2 TML 02 2 CD 2 8 Small LOCA TM01 o OR B
TM0gB1 CD TML B g0 TM L} B 1 CD Small LOCA TML 0gBo OK 1
TM Lg og B3 CD Figure 7.1 Generic PWR event tree for station blackout Source:
NUREG/CR-3226 NUREG-1032 7-2
I 5
M 3
0-2 hre.
2-12 hrs.
>12->24 hrs.
M A
E i
8
.88 i
ebe z
=
oE SEE U
"Sg p"ia:
EM:
"I Bau W
W" u
u e'
S S
U e
.S
- iu E
>E g
3884 EM 255.
"du EM M*"
s 88 M**5 0 uU 8505 Oz5 ud 004 8
SU a
<m oaun a~e
<m
<an m
mo
^
au-u (TMBo) tut) (Ogi tagi tu l (02) ta t in3) a a
THB0 0K TM81 OK TM82 OK
-Succese g
Small IECA TM0381 OK l
TM02 2 CD 8
TMU 821 OK TMU 522 CD TMs TMU 0 ag OK Small IACA 22 TMU 02 2 CD 2 8 Small tECA TM01 0 OK 8
TM0g Bg CD OK TMUgB0 TMUgB1 CD TMU 01so OK Small LOCA 1
TMU10181 CD Figure 7.2 Generic BWR event tree for station blackout (BWR-2 or 3)
Source:
NUREG/CR-3226 NUREG-1032 7-3
>12->24 hrs.
2-12 hr e 8 2 hre, N
No Uo U
dj a
E a5 2
8588 EB8 2
ak>
U S OSE NOO d
!"E OM" "I
84M E
WE 0
N U
.2 2
- E c
-e.
sn x=-
88 W$
$$5h
$5h 45 W$$
0 O
se tuin toti (Bri tu l (021 182:
(B2:
a TMBo OK gngo)
TMBg OK OK TMB3
.. )
I 3
-Success small IDCA TMQ281 OK Small TMQ2 2 OK B
LOCA TM02 3 CD B
TMU B OK 23 TMU B22 CD TM B o-Small IDCA TMU 028g OK 2
TMU 02 2 CD 2 B Small LOCA TMQ1 0 OK B
Small (DCA TMQ1 1 OK 8
Small TMQgBy OK J~
LOCA l
TMQt 3 CD B
Small LOCA TM01 20 B1 OK TM01 2 2 CD UB THUgBo OK CD TMU 813 Small LOCA TMU 01Do OK 1
TMugOgBt CD Figure 7.3 Generic BWR event tree for station blackout (BWR-4, 5, or 6)
Source:
NUREG/CR-3226 NUREG-1032 7-4
~
HPCI).
The event trees are characterized not only by the systemic and func-tional considerations important to station blackout accident sequences, but also by the phases of the transient that would affect the plant response and system operability for station blackouts of various durations.
The event trees show the loss of all AC power as the initiating event and proceed through decay heat removal, reactor coolant inventory (integrity), and restoration of AC power i
to enable operation of the normal decay heat removal and makeup systems.
The accident sequence logic is similar for PWRs and those isolation-condenser BWRs that do not have the capability to make up lost reactor coolant during a station blackout.
These plants are susceptible to degraded core cooling as a result of relatively small losses of reactor coolant. The accident sequence logic is some-what different for BWRs with reactor coolant makeup available during a station blackout.
Most losses of reactor coolant caused by station blackout can be accommodated by the available reactor coolant injection systems.
Reactor cool-I ant loss equivalent to that lost because of a stuck-open relief valve can be accommodated by the RCIC systems.
The HPCI or HPCS system can provide adequate makeup to cope with larger leaks.
All of the LWRs encompassed by the accident logic models are subject to the operational limitations for the longer duration blackouts as described previously in Section 6.
The event trees end with a sequence outcome state designated as "0K," meaning that stable, long-term core cooling is achieved or achievable, or "CD," meaning that an inadequate core cooling state is reached and some reactor core damage can be expected.
For the latter case, core damage can be expected to proceed to core melt if effective and timely measures to restore AC power and core cooling are not taken or available.
The potential difference between an acci-dent sequence that ends in core damage and one that leads to core melt is deter-mined by evaluating the likelihood of restoring core cooling and the cooling effectiveness from the onset of core damage to the time when irrevocable core melting has begun.
This latter time in the accident sequence progression is not l
well known because there are significant uncertainties in the modeling of core l
melt phenomena.
It has been estimated that the time between the onset of core damage and time that a core melt would penetrate the reactor vessel is on the order of 1 to 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> (NUREG/CR-1988, -2128).
Considering the low probability that AC power would be restored during this time period and the uncertainty in modeling this accident process, including the ability to terminate a core melt NUREG-1032 7-5
4 s
in progress, it has been assumed that core melt would be the likely final out-come in accident sequences that progress to core damage.
Detailed plant transient response analyses were performed to cover the spectrum of sequences identified in the event trees (NUREG/CR-2181).
The purposes of this work were (1) to better understand accident progression characteristics re-lated to the timing of events and physical parameter values during the transient, and (2) to determine success states for systems, trains, components, and opera-tor actions during station blackout sequences.
The sequences were divided into three groups:
(1) failure of AC-independent decay heat removal with reactor coolant leakage less than Technical Specification upper limits i
(2) failure of reactor coolant system integrity (liquid or steam leaks) with i
AC-independent decay heat removal systems operable (3) failure of AC-independent decay heat removal systems with loss of reactor coolant system integrity Variations in system failure and actuation time, reactor coolant leak rate, and operator actions were analyzed to determine both the potential for sequence outcomes with adequate (or inadequate) core cooling and the time in which AC power must be recovered to avoid core damage.
l Table 7.1 shows the estimated time of core uncovery for station blackout se-quences with AC-independent decay heat removal systems not available.
Plants with Babcock and Wilcox (B&W)-type nuclear steam supply systems (NSSS), which i
have a small steam generator secondary water inventory and, thus, the smallest heat capacity, would require the most prompt recovery to avoid core damage for this particular sequence.
For these plants, core uncovery was estimated to occur within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.
For plants with Westinghouse or Combustion-Engineering i
NSSS designs, core uncovery would take about 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, as it would for a BWR-4 plant. Figure 7.4 shows how the core uncovery time is extended for sequences in which decay heat removal is initially successful but fails later during the accident.
Estimates of the time core uncovery would take with a stuck-open i
NUREG-1032 7-6
,--~-,-.-,.-,m--,-,,-..,
-,__-.w.___-___..-.y
Table 7.1 Estimated time to uncover core for station blackout sequences with initial failure of AC-independent decay heat removal systems and/or reactor coolant leaks l
Sequence Core uncovery time (seconds)
AFW failure 2715 6200 5800 Stuck-open PORV 3190 5040 100 gpm total leak 21070 27950 rate from reactor coolant pump seals AFW failure and 2480 4800 stuck-open PORV BWRs GE HPCI/RCIC failure 2300 HPCI/RCIC failure and 1680 stuck-open SRV Source:
Fletcher, 1981 NUREG-1032 7-7
1 l
6 F
g u
5
=
~
bo 4
8o E
8 3
B&W e
3 2
Assuming loss of offsite power, failure of all g
2 diesel generators, technical specification leakage, turbine-driven auxiliary feedwater ll (AFW) initially operates then fails at a later C
time.
I I
I I
O O
5 10 15 20 25 Time of failure of turbine-driven AFW (Hours)
Figure 7.4 Time to core uncovery as a function of time at which turbine-driven auxiliary feedwater train fails Source:
Fletcher, 1981 NUREG-1032 7-8
relief valve and other types or reactor coolant leakage are also provided in Table 7.1.
For BWRs with RCIC available (or HPCI or HPCS), adequate reactor coolant makeup is provided to maintain core cooling even with a stuck-open relief valve.
The core uncovery time for PWRs would not be significantly shortened if a relief valve sticks open coincident with the loss of the steam turbine-driven train of the AFWS.
This is because loss of the AFWS for decay heat removal usually results in primary system pressure relief, which removes decay heat almost equivalent to the energy loss of a stuck-open relief valve with AC-independent decay heat removal available.
If a relief valve sticks open in a BWR without RCIC or in cases when the AC-independent decay heat removal systems are unavailable, the core uncovery time would be somewhat shortened.
Complete accident progression analyses have been performed for several key station blackout sequences starting with the loss of offsite power through to core melt and containment failure.
A time line presentation of a PWR sequence in which AFWS operation is initially successful but fails several hours into the transient is provided in Figure 7.5.
Station blackout occurs at zero hours (to).
After the initial fluctuations in reactor coolant system pressure, core outlet temperature, pressurizer level, core flow, and steam generator level, a i
relatively stable period of decay heat removal with primary coolant natural cir-culation follows.
When AFW makeup to the steam generator becomes unavailable in about 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (t ), the steam generator level begins to drop, causing de-i creased heat transport from the primary coolant system.
As the steam generator dries out and heat transfer to the secondary system ceases, reactor coolant pressure and core outlet temperature rise.
The reactor coolant temperature in-crease combined with some voiding causes the pressurizer level to rise, and there is relief to the containment.
Continued voiding in the primary system affects natural circulation flow, but core cooling is adequate to prevent melt-ing until the core is uncovered (t ) at about 9 hours1.041667e-4 days <br />0.0025 hours <br />1.488095e-5 weeks <br />3.4245e-6 months <br />.
At this point, the pres-2 surizer level has dropped because most of the primary system is voided.
Within about 2 more hours (ta) the core has melted and penetrated the reactor vessel, causing a containment pressure and temperature spike because of the rapid in-flux of steam and noncondensable gases from the melt.
If containment survives that spike, the continued release of decay heat and the generation of combustible l
and non-combustible gas will continue to load the containment.
Containment fail-ure by overpressure in this sequence occurs about 19 hours2.199074e-4 days <br />0.00528 hours <br />3.141534e-5 weeks <br />7.2295e-6 months <br /> into the accident.
NUREG-1032 7-9
Delayed failure of AFWS (or DC power depletion) 1 Reactor Coolant System Pressure L
Pressurizer Level
(
Core Flow k
Core Outlet Temperature Steam Generator [
Level Containment Pressure Containment Temperature 7
I f
f Time (hrs) 0 4
8 12 16 20 t
t t2 t
t o
i 4
3 Time Sequence Event to Loss of all AC power t
AFWS fails (or DC power depleted) i t2 Core uncovery begins t3 Reactor vessel penetration t
Containment failure 4
Figure 7.5 PWR station blackout accident sequence NUREG-1032 7-10
1 Figure 7.6 shows a BWR station blackout accident sequence progression.
In this scenario for a BWR with Mark I containment, station blackout occurs at time zero (to).
The reactor coolant system pressure and level are maintained within limits by RCIC and/or HPCI and relief valve actuations, which also transfers decay heat to the suppression pool.
Both the suppression pool and drywell tem-perature begin to rise slowly; the latter is more affected by natural convec-tion heat transport from the hot metal (vessel and piping) of the primary system.
After 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, when AC power restoration is not expected, the operator begins a controlled depressurization of the primary system to about 100 psi.
This also causes a reduction in reactor coolant temperature from about 550 F to 350 F, which will reduce the heat load to the drywell as primary system metal compo-nents are also cooled.
The suppression pool temperature increase is only slightly faster than it would have been without depressurization.
Drywell pres-sure is also slowly increasing.
At about 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, DC power supplies are de-pleted, and HPCI and RCIC are no longer operable.
Primary coolant heatup fol-lows, with increases in pressure and level until the safety-relief valve set point is reached.
Continued core heatup causes continued release of steam; this eventually depletes the primary coolant inventory to the point that the level falls and the core is uncovered, about 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> after loss of makeup (t ).
2 l
Core temperature then begins to rise rapidly, resulting in core melt and vessel penetration within another 2 or 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> (ta).
During the core melt phase, containment pressure and temperature rise considerably so that--nearly coinci-1 dent with vessel penetration--containment failure occurs, either by loss of electrical penetration integrity (shown at t ) or by containment over pressure 4
shortly thereafter, around 11 hours1.273148e-4 days <br />0.00306 hours <br />1.818783e-5 weeks <br />4.1855e-6 months <br /> into the accident.
Estimates of the likelihood of these accident sequences were made to identify a,
the potentially dominant contributors to the station blackout accident sequences j
Table 7.2 summarizes the results for the typical PWR and BWR.
These results have been modified to account for better estimates of loss-of-offsite power frequency and duration derived since NUREG/CR-3226 was completed i
(see Appendix A).
In addition to identifying the dominant accident sequences i
and their likelihoods, the table also shows the major factors affecting the accident sequence frequency.
For PWRs, an important contributor to the estimate of the likelihood core damage is the ability to restore AC power before the DC power needed to run the auxiliary feedwater system is lost or the condensate NUREG-1032 7-11 O
RCIC/HPCI available, controlled depressurization Reactor Vessel Pressure Reactor Vessel Level Core Temperature Suppression Pool Temperature Drywell Temperature
[
Drywell Pressure l
l 1
7 Time (hrs) 0 4
8 12 16 t3 t t2 o
ti t
4 Time Sequence Event t
Loss of all AC power o
DC power (batteries) depleted t3 Core uncovery begins t2 Reactor vessel penetration t3 t
Containment failure 4
Figure 7.6 BWR station blackout accident sequence NUREG-1032 7-12
l Table 7.2 Summary of potentially dominant core damage accident sequences Si Time in which AC power h
Generic raust be recovered Typical core
-plant Sequence DHR system / component contributors to avoid core damage, hr damage frequency PWR TML B Steam driven AFWS unavailable 1 to 2 5 x 10 6 i i (all)
TML B DC power or condensate exhausted 4 to 16 1 x 10 5 2 2 TMQ2B Reactor coolant pump seal leak 4 to 16 1 x 10 5 2
BWR TMU B Isolation condenser unavailable 1 to 2 2 x 10 6 1 i w/ isolation condenser TMQ18 Stuck-open relief valve 1 to 2 3 x 10 6 1
TMQ2 2 Reactor coolant pump seal leak 4 to 16 2 x 10 5 B
"L BWR TMU B HPCI/RCIC unavailable 1 to 2 2 x 10 8 1 i w/HPCI-w RCIC TMU B DC power or condensate exhausted, 4 to 16 2 x 10 5 2 2 component operability limits exceeded (HPCI/RCIC)
BWR TMU B HPCS/RCIC unavailable 1 to 2 5 x 10 7 i i w/HFCS-RCIC TMU B HPCS unavailable, DC power or 4 to 16 1 x 10 8 22 condensate exhausted, component operability limits exceeded (RCIC)
storage tank supplies are depleted.
Another important contributor is the integ-rity of the reactor coolant system considering potential leaks from the reactor coolant pump seals following a station blackout.
If reactor coolant pump seals leak and there is no way to supply makeup water to the reactor coolant system, the core will be uncovered.
If reactor coolant pump seal leakage is large (more than 100 gpm per pump), the core could be uncovered within a few hours.
Smaller leak rates (a few gpm per pump) are not a limiting factor.
Adequate coolant inventory would be available to allow continued core cooling for a day or more without the need for makeup if other limitations (e.g., DC power) did not exist.
The analyses performed for this program (NUREG/CR-3226) showed the reactor core was uncovered in approximately 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />, using the reactor coolant seal leakage information currently available (a leak rate of about 10 to 20 gpm per pump).
For BWRs with isolation condensers, a similar dominant failure mode exists. The failure of the DC power system is less important because the isolation condenser system operates passively once it is activated; little operator action is neces-sary thereafter.
However, reactor coolant pump seal failure could cause deple-tion of reactor coolant inventory and, because the isolation condenser BWR typically does not have an AC power-independent makeup system, the reactor core could be uncovered.
This sequence was estimated to result in core damage in about 8 to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.
BWRs with HPCI and RCIC are capable of coping with reac-tor coolant system leaks equivalent to that resulting from a stuck-open relief valve.
However, they are subject to the effects of DC power depletion and other interactive failures associated with the lack of the ventilation system to main-tain HPCI and RCIC room temperature, and suppression pool heat up phenomena that can result in a loss of core cooling in about 8 to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.
For this type of plant, unattenuated suppression pool temperature increases during a station blackout transient can be a problem because of the potential for un-stable condensation phenomena.
These phenomena could cause containment struc-tural failure, with the potential for subsequent loss of reactor coolant from the suppression pool resulting in loss of recirculation capability.
Perhaps more important is the effect that high suppression pool temperature would have on HPCI pumps during recirculation.
These pumps are not usually qualified for operation with fluid temperatures in excess of 160*F.
In addition, NPSH re-quirements may not be satisfied if suppression pool temperatures exceed 200*F.
NUREG-1032 7-14
For BWRs with HPCS, which has its own AC and DC power systems, both the effects of depletion of the DC supply and reactor coolant leakage are minimal contri-butors to sequence core melt probability.
However, suppression pool temperature limitations may cause some equipment operability problems during longer dura-tion station blackouts.
In all of the accident sequences evaluated for this program, the early failure of decay heat removal because of the initial unreliability of these systems was a relatively small, but not insignificant, contributor to core melt frequency.
This is not surprising, because, since the accident of Three Mile Island Unit 2 (TMI-2), most nuclear power plants have been required to have at least one AC-power-independent decay heat removal train available.
However, very little has been done at nuclear power plants to determine the capability and reliabil-ity of systems during a sustained loss of AC power.
Thus, it is not inconsis-tent that most of the dominant failure modes that have been identified are associated with the inability to operate decay heat removal systems because of support system failures or capacity limits on support and auxiliary systems needed to maintain decay heat removal during station blackout.
With the consideration of containment failure, station blackout events can re-present an important contributor to reactor risk.
In general, active contain-ment systems are unavailable during a station blackout event.
These systems are usually required for pressure suppression through steam condensation to maintain the containment pressure below the appropriate limits and for the re-moval of radioactivity from the containment atmosphere following an accident.
The time to containment failure after the onset of core damage and the contain-ment failure mode is an important factor in determining fission product release and ultimately public risk.
Table 7.3 summarizes containment failure insights derived from the analyses performed for this program and from a survey of analyses performed for other programs.
It shows the different types of containment, the estimated time of containment failure following the onset of core damage, and the containment failure mode.
The most recent estimates of containment performance derived from ongoing severe accident research by both NRC (NUREG-0900) and the Industry Dograded Core Rulemaking Program (IDCOR, 1984) may be cause for revision of the NUREG-1032 7-15
i I
i Table 7.3 Containment failure insights Approximate time to containment failure following onset of Most probable containment Containment-type core damage failure modes Ice condenser 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Hydrogen burn, steam spike 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> Overpressure At or following AC Hydrogen burn recovery
- 27.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> See IDCOR, 1984 Subatmospheric 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> Hydrogen burn,. steam spike or small dry 6-12 hours Overpressure Following AC recovery
- Hydrogen burn large dry 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> Overpressure Following AC recovery
- Hydrogen burn 32 hours3.703704e-4 days <br />0.00889 hours <br />5.291005e-5 weeks <br />1.2176e-5 months <br /> See IDCOR, 1984 Mark I, Mark II 2-4 hours Electrical penetration failure 4-8 hours Overpressure 18 hours2.083333e-4 days <br />0.005 hours <br />2.97619e-5 weeks <br />6.849e-6 months <br /> See IDCOR, 1984 Mark III 10-15 hours Overpressure 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> following AC Hydrogen burn recovery
- 47 hours5.439815e-4 days <br />0.0131 hours <br />7.771164e-5 weeks <br />1.78835e-5 months <br /> See IDCOR, 1984
- Depends on accident management strategy for hydrogen control.
i i
l NUREG-1032 7-16 i
containment performance insights derived just a few years ago.
For the large, i
dry PWR containment, long-term overpressure is the most likely failure mode.
Yet some evidence exists that some very strong large dry containments may not fail as a result of overpressure in station blackout accidents, because they can withstand the overpressure transient.
The smaller PWR containments--like the subatmospheric or the ice condenser designs with lower design pressure and smaller volume--are less capable of handling the pressure transient and poten-tial hydrogen burn associated with a station blackout core melt accident.
In NUREG/CR-3226, it was estimated that the containment would fail in about 1 or 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> for several possible reasons including hydrogen burn, steam pressure spike, or containment overpressure as a result of noncondensables and noncondensed i
steam.
However, the recent IDCOR results show containment failure times of more than 1 day.
l The BWR Mark I and II containments offer some pressure suppression capability during a station blackout accident, but after a core melt, they may fail by one of two modes.
Either mechanical or electrical fixtures in the penetrations may fail because (1) they are not designed for the pressure and temperature that will follow, or (2) ultimately (in about 5 to 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />), overpressure of the con-j tainment will occur.
(IDCOR estimates a Mark I containment will fail in about 18 hours2.083333e-4 days <br />0.005 hours <br />2.97619e-5 weeks <br />6.849e-6 months <br />.) Because these containments are generally inerted, hydrogen burn is not considered a likely failure mode.
For Mark III containments, which are low pressure, large volume containments, failure in 10 to 15 hours1.736111e-4 days <br />0.00417 hours <br />2.480159e-5 weeks <br />5.7075e-6 months <br /> has been estimated in NUREG/CR-3226, principally by overpressure.
The IDCOR estimate is 47 hours5.439815e-4 days <br />0.0131 hours <br />7.771164e-5 weeks <br />1.78835e-5 months <br /> for this type of containment.
One item of interest should be noted for both the ice condenser containment and the Mark III containment, where hydrogen ignitors must be installed to meet hy-l drogen rule requirements and the post-Construction Permit Manufacturing Licensee (CPML) rule.
For these containments, there is the potential that an inactive ignitor could be turned on following the restoration of AC power at a time when the hydrogen concentration is essentially at an explosive level.
However, this potential problem can be mitigated through proper procedures and by instructing the operators on how to control the hydrogen burning with ignitor systems follow-ing the restoration of AC power.
l NUREG-1032 7-17 l
1
-,=
,.,e-,--,-r-ge.,.
.-,-,.----.~..,---,_,,.,.7-
,,,,,_,n-.mw n.-,.n_
.. _ - -., - - -.. - - - - - -,. - - - -., - -. ~.. -..
Table 7.4 correlates the fission product release categories with the containment types and failure modes identified in Table 7.3.
Table 7.4 also provides the doses estimated to result from station blackout accidents for the various different containment designs, including recent IDCOR estimates.
Substantial uncertainties exist regarding fission product transport in contain-ment during a core melt.
However, based on an understanding of the fission product transport process as known today, it can be seen that station blackout accidents can potentially result in substantial fission product releases.
- Again, the reader is cautioned that ongoing research could cause substantial revision of these fission product release fractions shown in Table 7.4.
NUREG-1032 7-18
Table 7.4 Containment fission product release categories and failure mode probabilities for station blackout sequences Release category Containment type, failure probability, and mode
- BWR Mark I Ice Sub-atmos-Large dry-Large dry-1, 2/3 condenser pheric wet cavity dry cavity 1
10 4 10 4(a) 10 4(a) 10 4(a) 10 4(a) 2 0.2(y')
0.1(6,)
0.3(6,)
0.2(6,)
3 0.8(y) 0.99(6 )
0.9(6 )
0.2(6 )
0.2(6 )
0 1
1 1
10 2(p) 10.a(p) 7.3 x 10 a(p) 7.3 x 10 a(p) 4 0.6(c) 6 Total 5.5 x 106/
5.3 x 108 5.4 x 106 4.9 x 106 2.1 x 108 person-4.5 x 108
- rems, to 50 mi 8.2 x 105 10COR 1.3 x 107/
7.3 x 105 results 2.4 x 104
- Containment Failure Modes a - steam explosion y' - overpressure, direct atmospheric release y - overpressure, release through reactor building verpressure, late 6
1 6 - overpressure resulting from steam spike at the time of vessel melt through e
6 - overpressure with core debris bed fragmentation 0
p - containment leakage c - base mat melt through NUREG-1032 7-19
f 8 EVALUATION OF DOMINANT STATION BLACK 0UT ACCIDENT CHARACTERISTICS The important factors that affect the probability of station blackout accidents have been identified, on the basis of the previous work presented on dominant j
station blackout accident sequences.
The principal parts of the station blackout sequence include:
the likelihood or frequency of loss of offsite power; the 4
i probability that the emergency or onsite AC power supplies will be unavailable; the capability and reliability of decay heat removal systems that must function during a loss of AC power; and the likelihood that a source of offsite power will be restored before the core is damaged as a result of the loss of core cooling and the failure of systems that cannot operate without AC power.
Reactor type, by itself, has not been found to be a dominant factor in determining like-lihood of core damage as a result of station blackout because the capabilities of auxiliary and support systems needed for decay heat removal during station blackout can vary considerably (and still meet current safety requirements).
The important factors in determining the likelihood of core damage as a result of station blackout are reliability of the AC power system (offsite and onsite) j i
and the performance of these auxiliary systems (DC power, compressed air), as well as such plant characteristics as pump seal design, natural circulation capability, and suppression pool temperature effects.
Because of these differences, core damage frequency estimates for station blackout accident sequences could vary considerably.
Therefore, the NRC staff t
l analyzed the sensitivity of core damage frequency estimates to design varia-i tions different from the reference plant analyses performed by Sandia National Laboratories (NUREG/CR-3226).
The models used were based on insights obtained from previous studies; they are described in Appendix C.
Station blackout sequences were divided into two groups.
The first included sequences involving the failure of AC-independent decay heat removal and, for plants without AC-independent makeup, loss of reactor coolant integrity at the onset of or soon f
j after a station blackout.
For these early core cooling failure sequences, AC i
power must be restored in 1 or 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> to avoid core damage and ultimately core l
melt.
The second group of sequences identified included failures during an extended station blackout of 4 to 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> or more.
These failures include a l
i 1
NUREG-1032 8-1
)
I
smaller rate of reactor coolant loss, support system capacity limitations (e.g.,
batteries, make up water inventory, compressed air), and other station blackout capability limitations in decay heat removal systems (e.g., natural circulation and suppression pool temperature limitations).
Several sensitivity analyses have been performed by NRC staff to evaluate varia-tions in LWR plant designs for both decay heat removal capability and system reliability, including offsite power.
Because the ability to cope with a station blackout may vary considerably, results are provided to show the effect of limi-tations in maintaining decay heat removal during station blackouts of 2 to 16 hours1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br />.
First, Figure 8.1 shows the sensitivity to offsite power system design and location as represented by different offsite power groups (clusters).
The importance of higher frequency and long duration losses of offsite power can be seen.
It is also worthwhile to note that the highly reliable (redundant) AC-independent decay heat removal systems provide added value when ability to cope for long durations exists and very low core melt frequencies are estimated.
Figure 8.2 shows the relationship between various emergency diesel generator l
reliability levels and estimated core damage frequency.
A combination of reason-ably good diesel generator reliability and the ability to cope with a several hour station blackout results in estimated core damage frequencies on the order of 10 8 per year or less.
The effect of a plant's emergency AC power configura-tion is shown in Figure 8.3.
A substantial difference in core damage frequency may exist between plants with three emergency diesel generators, depending on the minimum number (1 or 2) needed to maintain core cooling and decay heat removal during a loss of offsite power.
Again, frequencies drop rapidly as station blackout coping capabilities extend to cover longer AC power outages.
Figure 8.4 shows the variations in emergency diesel generator failure rate from both independent and common causes.
In this figure, common cause failures in support systems (e.g., service water, DC pner) are estimated on the basis of the industry experience (see Appendix B).
'hese results show that estimated core damage frequency can be kept low by maintaining highly reliably emergency AC power systems.
Estimated core damage frequencies as low as 10 8 per year may be possible if the emergency AC power system is maintained in a high state of operational reliability, and there is some capability of coping with an unlikely station blackout.
NUREG-1032 8-2
10**
l l
l 1/2 AC Configuration 0.975 EDG Reliability AC-Independent DHR System 1 Train
--2 Trains
=
j 10 s
\\
Offsite Power Cluster N
x\\
u b:)
10.s N
\\
N i
\\
N N
i N
2 10*7 N %
10.s l
l l
0 4
8 12 16 STATION BLACKOUT CAPABILITY (Hours)
F10ure 8.1 Sensitivity of estimated station blackout-core dama00 frequency to offsite power cluster, AC-independent decay heat removal reliability, and station blackout coping capability NUREG-1032 8-3
Offsite Power Cluster 7 j
j l
1/2 AC Power Configuration AC Independent DHR System y
1 Train
-- 2 Trains i
N EDG Reliability E
10-8 i
\\\\
N o
h
\\\\
N 0.9 a
N O
0.95 10.e U
\\
O.975 K
\\
0.99 Ns N N 10 7 I
I I
O 4
8 12 16 STATION BLACKOUT CAPADILITY (Hours)
Figure 8.2 Sensitivity of estimated station blackout-core damage frequency to emergency diesel Generator reliability, AC-independent decay heat removal reliability, and station blackout coping capability NUREG-1032 8-4 1
Offsite Power Cluster 7 l
l l
0.975 EDG Reliability 10 4 AC Independent DHR System 1 Train
--2 Trains f
10-8 5
0 E
AC Power Configuration a
\\\\
i
\\
N 2/3 y
S E
jo.s i
4 1/2 lE<
\\
N 8
8i N
1/3 h
10-7 N N i
I i
I I
1 io.s 12 16 0
4 8
STATION BLACKOUT CAPABILITY IHours) figure 8.3 Sensitivity of estimated station blackout-core damage frequency to emergency AC power configurations, AC-independent decay heat removal reliability, and station blackout coping capability NUREG 1032 8-5
Offsite Power Cluster 7 l
l l
1/2 AC Configuration AC-Independent DHR System 1 Train
--2 Trains 10 5
,a J.
b 0
5 25 c.
5 E.E a:
ea E
b g
Q b
O 5
e a
- 0.975 1
Nominal 10.e
- 0.99 l
w 0
- 0.975 1
\\N c
\\N%.
1
- 0.99
- 0.975
\\-
10*7 0
- 0.99 I
I I
O 4
8 12 16 STATION BLACKOUT CAPABILITY IHours)
Figure 8.4 Sensitivity of estimated station blackout-core damage frequency to reducing the common cause failure susceptibility of emergency diesel generators, their reliability, and station blackout coping capability l
l NUREG-1032 8-6
The results described above and additional sensitivity analyses can be used to assess the effectiveness of certain strategies in dealing with station blackout concerns.
For instance, if PWR reactor coolant pump seals were known to fail I
early during station blackout, and the reactor coolant system leakage were the factor limiting the ability to cope with station blackout, core damage could l
occur 1 or 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> after the loss of AC power, even if the AC-independent decay heat removal system (the AFWS) were operating properly.
Table 8.1 has l
been developed from the sensitivity analyses to show the effect of providing a i
"fix" to maintain reactor coolant pump seal integrity to allow successful core
)
cooling for station blackouts of 4 and 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />.
l 1
l The results provided up to this time represent point estimates of probability or, more properly, frequency.
NUREG/CR-3226 shows the effect of using log nor-mal distributions to represent basic event probabilities on mean probability 4
j estimates, calculated medians, and uncertainty ranges.
When that work was com-l pleted, the magnitude of the uncertainty in the loss of offsite power frequency j
and duration estimates was not known.
Because the uncertainty bounds are now l
perceived to exceed those used in NUREG/CR-3226, the accident sequence uncer-l tainty ranges derived using the most recent uncertainty estimates for loss of
]
offsite power frequency may be larger than previously estimated.
The loss of offsite power frequency and duration estimates are most uncertain for the j
very low frequency, long duration losses of offsite power.
The uncertainty on I
the probability of accident sequences which result from the shorter duration losses of offsite power should not be significantly different from the previous i
estimates, i
l i
Some typical station blackout core damage probabilities and uncertainty ranges representing a 90% confidence interval have been provided in Figure 8.5 for l
reference.
The sequ:nce mean is typically 3 to 8 times larger than the point l
l estimate and the upper and lower bounds are typically within a factor of 5 to 20 of the median estimate.
The large difference in point estimate and mean can be attributed to the use of a log-normal distribution.
When sequences are i
J combined into a single core damage probability, the proportional distance i
between mean and point estimate tends to decrease somewhat.
i i
l i
NUREG-1032 8-7 i
i l
Table 8.1 Sensitivity of estimated core damage frequency reduction for station blackout accidents with reactor coolant pump seal failure delay from 2 to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> and 4 to 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> Estimated core damage frequency (per reactor year)
Cluster 1/2 configuration EDGR* = 0.025 EDGR = 0.05 2 to 4 hr 4 to 8 hr 2 to 4 hr 4 to 8 hr 2
2.8E-6 1.2E-6 6.2E-6 2.5E-6 7
1.3E-5
'6.0E-6 2.8E-5 1.3E-5 5
1.7E-5 1.5E-5 3.6E-5 3.0E-5 1/3 configuration 2
8.3E-7 3.4E-7 7
3.7E-6 1.7E-6 5
4.6E-6 4.0E-6
- EDGE = emergency diesel generator unreliability (i.e., failure rate per demand)
NUREG-1032 88
PWR with 1 steam BWR with 1 BWR with BWR with Driven AFW Train isolation Condenser HPCl/RCIC HPCS/RCIC 10 3 E
4
> 10 5
(I ti Il g
=
El o
U e
o
()
o E
o o
h 10~5 O
II
~~
t >
tl 0
O o
Il g
[I o
o o
0 aC
( >
{104 O
y o
oO Sy E
g 10 Upper 96% Confidence Limit Mean Median 4 > Point Valve g
-- L wer 5% Confidence Limit 10 E
E E
E E
E E
E E
E T
r er 6
i er i
5 i
5 2
2 2
5 2
2 2
2 2
2 H
H H
P H
H H
H H
F ACCIDENT SEQUl:NCES Figure 8.5 Estimated core damage frequency showing uncertainty range for four reference p. ants Source:
NUREG/CR-3226 NUREG-1032 8-9
A measure of risk associated with station blackout accidents can be obtained by multiplying the estimated core damage likelihood by the estimated dose due -
to containment failure during a station blackout accident.
The recovery of AC power during the accident would provide the potential for terminating core damage prior to core melt and the potential for reducing fission product re-leases by delaying containment failure or actuation of containment sprays prior to containment failure.
Some perspectives on estimated risk are provided in Appendix C.
NUREG-1032 8-10
l 9 RELATIONSHIP 0F OTHER SAFETY ISSUES TO STATION BLACK 0UT The implications of station blackout on several other safety issues were re-viewed for significance.
These include:
loss-of-coolant-accident initiators; anticipated transients without scram; external hazards, such as seismic events and severe weather; and internal hazards associated with fire or extreme environ-ments, such-as flooding or high steam temperature resulting from pipe breaks within the plant.
In general, it was concluded that if the likelihood of sta-tion blackout were independent of any of these other safety considerations, the potential risk of a station blackout concurrent with one of those other safety concerns is very small.
However, if as a result of common cause failure or in-teractive failure, the initiation of an accident by one of those other mechanisms described causes a station blackout, then the safety implications of those safety issues on station blackout are fairly large.
Each of these safety issues is dis-cussed separately below.
9.1 Loss-of-Coolant Accidents Loss-of-coolant accidents (LOCAs) induced by a station blackout transient have already been included in the accident sequence analyses described in Section 7 above; these will not be discussed further here.
LOCAs concurrent with a loss of offsite power are usually included in the design basis of nuclear power plants in accordance with the general design criteria of Appendix A to 10 CFR 50.
The likelihood of a LOCA followed by and concurrent with a station blackout has been considered and is discussed below.
Although no strong coupling could be found between the initiation of a LOCA and a subsequent failure of the offsite or onsite AC power system, one potential mechanism has been identified.
If a LOCA were to occur at a nuclear power plant, the reactor would trip; subsequently the turbine generator would be tripped and a grid instability could follow, or the site could be isolated by switching ac-tiivities in the switchyard to provide onsite safety-related or alternative sources of preferred power to the emergency power safety buses.
Historical ex-perience collected about loss-of-of fsite power events at nuclear power plants NUREG-1032 9-1
suggests that given a transient or an accident situation that would cause a trip of the turbine generator, the likelihood of a failure of the offsite power supply is on the order of 10 4 to 10 2, depending on the strength of the grid and the offsite power design at the site.
Estimated LOCA frequencies range from 10 2 per reactor year for small loss-of-coolant accidents down to less than 10 4 per reactor year for large diameter pipe breaks.
The frequency of small LOCAs is dominated by pump seal LOCAs on pressurized water reactors and stuck open safety-relief valves on boiling water reactors, situations that do not require rapid actuation of AC powered emergency safety feature equipment and that have been addressed previously.
The most likely small LOCA that has not been incorporated in the station black-out accident analyses is a small pipe break (less than 2 inches in diameter) with a frequency of about 10 3 per reactor year.
The low LOCA frequency combined with the likelihood of losing offsite power on turbine generator trip results in an estimated frequency of occurrence ranging from 10 5 per reactor year to 10 7 per reactor year.
When this frequency is combined with a conservative estimate of emergency AC power system unreliability of 10 2 per demand, it is easily shown that accident sequences of this type re-present a small element of reactor risk (less than 10 7 per reactor year).
The variability of the frequency of station blackout caused by a LOCA could be as much as two orders of magnitude higher and still represent one of the smaller station blackout accident threats.
Although, at this higher level, these acci-dents could represent a noticeable fraction of reactor risk.
Large pipe break LOCAs with initiating frequencies on the order of 10 4 per reactor year Combined with the probability of subsequent failure of all AC power do not appear to represent an appreciable fraction of accident likelihood or public risk, at least in comparison to other station blackout sequences.
9.2 Anticipated Transients Without Scram Another safety consideration that was investigatea is anticipated transients without scram.
In this case, the ant.icipated transient is a lost, of offsite If the probability of a loss of offsite power is taken as the generic power.
, average, 0.1 per year, and the probability of reactor scram failure is taken as NUREG-1032 9-2 m
the historical average, about 10 4 per demand, then the probability of a loss of offsite power followed by a failure to scram is about 10 5 This is a level of accident sequence likelihood that might be considered important.
- However, in order for station blackout to occur, the onsite emergency AC power system must also fail.
In the worst case, one might find an unreliability of the emer-gency AC power system of about 10 2 per demand.
Thus, the frequency of an anti-cipated transient without scram involving loss of offsite power and a failure of the onsite emergency AC power system is on the order of 10 7 per reactor year or less.
Even if the level of uncertainty were an order of magnitude higher, this accident sequence would not be of concern in comparison to the dominant station blackout accident sequences that have been identified.
9.3 Extreme Internal Environment A safety area in which there does appear to be a potential for station blackout type accident sequences being induced by other causes involves fire and other extreme environments internal to a nuclear power plant.
The concern associated with internal environmental hazards is that their occurrence can represent a common cause accident initiator that also affects the ability to cope with the incident.
Specifically of concern is the likelihood of a fire, flood, or other extreme environmental conditions generated by internal events that would cause a loss of all AC power.
In general, for this to occur portions of AC power systems must be in a common location where these hazards are present, or protection barriers and AC power system design requirements must be insufficient to control the spread or failure resulting from these hazards.
Therefore, the likelihood of internal hazards causing a station-blackout-type accident is heavily depen-dent on the plant's design and, in particular, on the location of equipment.
If separation and internal environmental protection barriers are maintained, or adequate AC system design is provided, the likelihood of these internal environ-mental hazards causing a station, blackout-type accident would be very small, probably less than 10 8 per reactor year.
On the other hand, if commonality of location or a lack of protection exists at a plant, then the safety signific-ance of these internal hazards would have to be evaluated for plant damage susceptibility and likelihood of occurrence.
The frequency of occurrence of these hazards can be as high as once per one hundred to once per one thousand NUREG-1032 9-3 l
reactor years.
Therefore, the vulnerability to station-blackout-type accidents due to these hazards can be of concern.
9.4 External Hazards Another potentially significant safety consideration that could be related to station blackout involves external hazards to the plant, particularly those resulting from seismic and weather-induced failures.
To date, a seismically induced loss of offsite power has not been observed at a nuclear power plant.
Failure of offsite power because of severe weather has been observed at nuclear power plants; in fact, severe weather was included as a major factor in deter-mining the likely duration of an extended offsite power outage at nuclear power plants, as described in Section 3.
The greatest potential for safety signifi-cance exists where there is a direct coupling or common cause failure associated between a transient-initiating external hazard causing loss of offsite power and the reliability of the onsite and offsite power systems.
It can be expected that significant seismic and severe weather events will cause a loss of the offsite power system.
On the other hand, the plant, and in particular the emergency AC power system, is typically designed to withstand, or is protected from the effects of, these severe phenomena.
Therefore, for severe external hazards that are within the design basis of the plant, the failure of the emergency AC power system can be considered as an independent failure event.
For example, if the likelihood of a safe shutdown earthquake that could cause a loss of offsite power were approximately 10 3 per year or less, and one assumes that it would take approximately 8 to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to restore offsite power from such an incident, then a typical estimate of core damage or core melt frequency due to a safe shutdown earthquake and a station blackout would be about 10 6 per reactor year or less.
For severe weather, the likelihood of the weather-induced failure of the offsite power system could be as high as 10 2 per year, and the outage could be expected to be on the order of several hours.
- Again, if the severe weather event is within the design basis of the plant, the like-lihood of a weather-induced station blackout accident causing core damage or core melt would be on the order of 10 5 per reactor year.
Table 9.1 provides a summary of the typical internal and external accident hazards of a nuclear power plant and identifies some potential points of failure NUREG-1032 9-4
l l
Table 9.1 Coupling between external (and internal) events and potential plant failures Event Potential plant " weakness" f
Seismic Switchyard, control, non-seismically designed equipment Fire, flood Areas with multiple divisions, inadequate protection barriers Severe weather Transmission lines and towers, switchyard, non-safety structures
+
s 1
5 i
NUREG-1032 9-5
_ _~
that could result in a coupling between these accident initiators and a station 3
blackout.
If such interactions or points of commonality do not exist, then it is concluded that the contribution of these accident initiators to station blackout accident sequences results in core melt frequencies that are no larger, and probably much less, than those previously considered.
NUREG-1032 9-6
10 REFERENCES Adams, J. P., et al., " Natural Circulation Cooling Characteristics During PWR Accident Simulations," Second National Topical Meeting on Nuclear Reactor Ther-mal Hydraulics, January 11 to 14, 1983.
Fletcher, C.
D., "A Revised Summary of PWR Loss of Offsite Power Calculations,"
EGG-CAAD-5553, EG&G Idaho, Inc., September 1981.
Industry Degraded Core Rulemaking Program (IDCOR), IDCOR Technical Summary Report,
" Nuclear Power Plant Resnonae to Severe Accidents," published by Technology for Energy Corp., Knoxville, Tennessee, November 1984.
Schultz, R.
R., and S. R. Wagoner, "The Station Blackout Transient at the Browns Ferry Unit One Plant A Severe Accident Sequence Analysis," EGG-NTAP-6002, EG&G Inc., September 1982.
U. S. Nuclear Regulatory Commission, NUREG-75/140 " Reactor Safety Study," Octo-ber 1975 (formerly WASH-1400).
--, NUREG-0737, " Clarification of TMI Action Plan Requirements," November 1980.
--, NUREG-0900, " Nuclear Power Plant Severe Accident Research," January 1983.
--, NUREG/CR-1988, F. E. Haskin, W. B. Murfin, J. B. Rivard, and J. L. Darby,
" Analysis of a Hypothetical Core Meltdown Accident Initiated by Loss of Offsite Power for the Zion 1 Pressurized Water Reactor," December 1981.
--, NUREG/CR-2182, D. H. Cook S. R. Greene, R. M. Herrington, S. A. Hodge, and i
D. D. Yue, " Station Blackout at Browns Ferry Unit One - Accident Sequence Analy-sis," November 1981.
--, NUREG/CR-2989, R. E. Battle and D. J. Campbell, " Reliability of Emergency AC Power Systems at Nuclear Power Plants," July 1983.
NUREG-1032 10-1
=
--, NUREG/CR-3226, A. M. Kolaczkowski and A. C. Payne, Jr., " Station Blackout Accident Analyses (Part of NRC~ Task Action Plan A-44)," May 1983.
--, NUREG/CR-3992, R. E. Battle, " Collection and Evaluation of Complete and Partial Losses of Offsite Power at Nuclear Power Plants," February 1985.
W'ckoff, H., " Losses of Offsite Power at U. S. Nuclear Power Plants--All Years y
Through 1983," NSAC/80, Electric Power Research Institute, May 1984.
l t
1 i
i 7
l n
W t
t r
1 I
NUREG-1032 10-2 k
f l
I APPENDIX A DEVELOPMENT OF LOSS OF 0FFSITE POWER FREQUENCY'AND DURATION RELATIONSHIPS J
i 2
i J
l 1
i i
J 4
i~
1 i
i i
1.
T 4
.l NUREG-1032 Appendix A
, -, _ _ -,,,,,. ~ _ - _ _ _ _ _ _ _. -, _ _. _ - _ - -
TABLE OF CONTENTS Page INTRODUCTION..........................................................
A-1 LOSS OF OFFSITE POWER FROM PLANT-CENTERED CAUSES......................
A-5 GRID-RELATED LOSS OF 0FFSITE POWER....................................
A-12 LOSS OF 0FFSITE POWER DUE TO SEVERE WEATHER...........................
A-19 GENERIC LOSS-OF-0FFSITE-POWER CORRELATIONS............................
A-34 REFERENCES............................................................
A-41 LIST OF FIGURES A.1 Frequency of loss-of-offsite power events exceeding specified durations.........................................................
A-4 A.2a Estimated frequency of occurrence of plant-centered losses of offsite power exceeding specified durations......................
A-11 A.2b 90% confidence limits for two categories of plant-centered losses of offsite power..........................................
A-13 A.3 Trend of plant-centered losses of offsite power (greater than 30 minutes duration) through 1983................................
A-14 A.4 Restoration probability for grid-related losses of offsite power.
A-18 A.5 Estimated frequency of occurrence of grid-related losses of offsite power exceeding specified durations......................
A-21 A.6 Weather hazard expectation histograms............................
A-26 A.7 Restoration probability for severe-weather-induced losses of offsite power....................................................
A-30 A.8 Estimated frequency of occurrence of severe-storm-induced losses of offsite power exceeding specified durations...................
A-32 A.9 Estimated frequency of losses of offsite power exceeding specified durations for Indian Point.........................................
A-36 A.10 Estimated frequency of losses of offsite power exceeding specified durations for Zion.....................................
A-37 A.11 Estimated frequency of losses of offsite power exceeding specified durations for Shoreham.................................
A-38 A.12 Estimated frequency of losses of offsite power exceeding specified durations for Millstone 3..............................
A-39 A.13 Estimated frequency of losses of offsite power exceeding specified durations for Limerick.................................
A-40 A.14 Estimated frequency of occurrence of losses of offsite power exceeding specified durations for nine offsite power clusters....
A-42 LIST OF TABLES A.1 Summary of loss-of-offsite power experience......................
A-3 A.2 Definitions of offsite power system design factors...............
A-6 A.3 Mean time to restore offsite power and statistical test values for plant design groupings.......................................
A-9 2
NUREG-1032 A-lii
t I
\\
TABLE OF CONTENTS (Continued) 1 Page l
r A.4 Data used for plant-centered loss-of-offsite power-duration l
curve fits.......................................................
A-10 A.5 Grid-related loss-of-offsite power frequency versus duration, through December 1983..................................
A-16 A.6 Grid reliability / recovery........................................
A-20 A.7 Severe-weather-induced losses of offsite power used in the analysis.........................................................
A-23 A.8 Severe-weather-induced loss-of-offsite power frequency / recovery..
A-31 A.9 Extremely severe-weather-induced loss-of-offsite power frequency.
A-33 A.10 Cluster correlation factors......................................
A-43 A.11 Identification of grid, offsite power system design, severe weather, and extremely severe weather factors included in nine cluster groups...................................................
A-44 NUREG-1032 A-iv
4 s
APPENDIX A DEVELOPMENT OF LOSS OF 0FFSITE POWER FREQUENCY AND DURATION RELATIONSHIPS INTRODUCTION This appendix provides the details and results of analyses performed by NRC staff to develop the cause, frequency, and duration relationships for loss of offsite power at nuclear power plants.
The purpose of this work was to develop generic loss of offsite power relationships that would allow differentiation of plant design, operational, and location factors that can significantly affect the expected frequency and duration of loss of offsite power events.
Within this study, the loss of offsite power has been defined as the interruption of the preferred power supply to the essential and nonessential switchgear buses neces-sitating or resulting in the use of emergency AC power supplies.
A total loss of offsite power is said to have occurred when non-emergency AC power sources become unavailable requiring some diagnosis or special recovery actions includ-I ing correcting switching errors, fixing or bypassing faulted equipment, or other-wise making available an alternate standby source of non-emergency AC power.
Although total loss of offsite power is a relatively infrequent occurrence at
{
nuclear power plants, it has happened a number of times, and a data base of information has been compiled (Wyckoff, 1984; NUREG/CR-3992).
From these data and a review of relevant design and operational characteristics, the frequency and duration relationships for loss-of-offsite power events at nuclear power plants have been developed.
Historically, a loss of offsite power has occurred with a frequency of about once per 10 site year 3.
The typical duration of these events has been on the order of one-half hour.
However, at some power plants the frequency of loss of offsite power has been substantially higher than the average, and in other instances the duration of offsite power outages has been NUREG-1032 A-1
- - - = _ _
much longer than the norm.
In some cases, licensees have and are taking correc-tive action to limit the recurrence of these longer and more frequent losses of 4
offsite power.
A summary of the data on the total loss-of-offsite power events is provided in Table A.1.
Because design characteristics, operational features, and the loca-tion of nuclear power plants within different grids and meteorological areas can have a significant effect on the likelihood and duration of loss-of-offsite-power events, it was necessary to analyze the nuclear industry experience in more detail.
The data have been categorized into plant-centered events and j
area-or we'ather-related events.
Plant-centered events are those in which the design and operational characteristics of the plant itself play a role in the likelihood or duration of the loss-of-offsite power event.
Area or weather effects include the reliability of the grid and external influences on the grid or at the site (such as severe weather) that have an effect on the likelihood l
and duration of the loss of offsite power.
The data show that plant-centered l
events account for the majority of the loss of offsite power events.
Although i
the area-blackout-and weather-related events, are less frequent, they typically i
account for the longer duration outages, with storms the major contributor to i
long outages.
Figure A.1 provides a plot of the frequency and duration of loss-of-offsite-I power events resulting from plant-centered faults, grid blackout, and severe weather, based on past experience at nuclear plant sites.
The curves were l
developed by fitting data to a two parameter Weibull function of the following form:
s t
0 1) 1 j
-(a t j
l ALOP (t) = ALOP '
1 i
i i
l where ALOPi(t) is the frequency of losses of offsite power of type "1," which are equal to or greater than duration "t."
That is, the recovery time equals I
or exceeds "t" hours.
The term A is the frequency of occurrence of losses LOPi I
of offsite power of type "i," which have greater than zero duration.
Parameters i
i NUREG-1032 A-2 i
l
l' Table A.1 Summary of loss-of-offsite power experience
- No. of events Frequency per Category
(>
hr) site year (>
hr)
Plant-centered 30 0.056 (15)
(0.028)
Grid 11 0.020 i
(4)
(0.009)
Weather 6
0.011 (5)
(0.009) i Total 47 0.088 (24)
(0.047) 4 j
Interruptions 8
0.015 (0)
(0) 1 Total + interruptions 55 0.103 j
(25)
(0.047) 1
- Data through 1983 excluding sites with one offsite power connection (Humbolt Bay, Lacrosse, and Big Rock Point prior to March 1968).
Number of site years i
through December 1983 is 533.
)
i r
-4 l
l l
1 i
1 i
NUREG-1032 A-3
..y_,.,
_,_,..---.._..-_..--s-
_.-,-.,yy
.._-,___--.._-,,_,,._,,,.%-.,,,,...,-.__mm__,-,.,e,__...m._. - -t
I i
Data O Total 0.05 Total 6 Plant Centered y Grid a
O severe Weather b 0.04 is O
5%
wy Plant -
6 w
Centered E
- s 0.03 Oo O
b b
5 g 0.02 E
+
A Grid u.
0.01 O severe 4
Weather O
1 0 00 0.1 1.0 10.0 i
DURATION l Hours) l Figure A.1 Frequency of loss-of-offsite power events exceeding specified durations i
l I
NUREG-1032 A~
l
[
aj and p are curve-shaping constants that vary according to the data being j
curve fitted.
LOSS OF 0FFSITE POWER FROM PLANT-CENTERED CAUSES Plant-centered failures typically involve hardware failures, design deficiencies, human errors (in maintenan e and switching), localized weather-induced faults (lightning), or combinations of these failure types.
Plant-centered failures can be recovered by switching or repairing faulted equipment at the site.
For the plant-centered losses, an attempt was made to determine any correlation between offsite power design characteristics and frequency and duration of los-ses of offsite power.
Two offsite power design features were identified as potentially significant with regard to frequency and duration of loss of off-site power:
(1) the independence of incoming offsite power sources and (2) the f
number of immediate and delayed access circuits and their transfer schemes to the Class 1E buses.
Table A.2 defines the design differences associated with these features.
The designs of offsite power sources were further subdivided into groups, and the number of shutdown sources were subdivided into different possible design combinations (NUREG/CR-3992).
The relationship between the listed design features and the frequency of loss of offsite power was analyzed using the Failure Rate Analysis Code (FRAC)
(NUREG/CR-2434) to correlate loss-of-offsite power frequency with various i
design features.
These analyses showed no statistically significant correla-tions between frequency of plant-centered losses of offsite power and the design features analyzed.
An analysis was also performed to determine if a statistically significant rela-tionship exists between offsite power design characteristics and the duration of losses of offsite power.
An analysis of covariance was performed to deter-mine if there is a relationship between frequency and duration, using the gen-l eralized linear model (GLM) procedure of the Statistical Analysis System (SAS)
(SAS Institute, 1979)).
The Type IV sum of squares was used for all calcula-tions.
No s'atistically significant relationship between frequency and i
~
NUREG-1032 A-5 l
Table A.2 Definitions of offsite power system design factors Major design factor Design features A.
Independence of offsite power 1.
All offsite power sources are sources to the nuclear power connected to the plant through plant one switchyard.
2.
All offsite power sources are connected to the plant through 9
two or more switchyards, and the switchyards are electrically connected.
3.
All offsite power sources are connected to the plant through two or more switchyards or separate incoming transmission lines, but at least one of the AC sources is electrically i
independent of the others.
B.
Automatic and manual transfer 1.
If the normal source of AC power schemes for the Class 1E buses fails, there are no automatic when the normal source of AC transfers and one or more manual l
power fails and when the backup transfers to preferred or alter-sources of offsite power fail nate offsite power sources.
2.
If the normal source of AC power fails, there is one automatic transfer but no manual transfers to prefer-red or alternate off-site power sources, a.
All of the Class 1E buses in a unit are connected to the same preferred power source after the automatic transfer of power sources.
b.
The Class 1E buses in a unit are connected to separate offsite power sources after the auto-matic transfer of power sources.
3.
After loss of the normal AC power source, there is one auto-matic transfer.
If this source fails, there may be one or more manual transfers of power sources to preferred or alter-nate offsite power sources.
NUREG-1032 A-6
4 Table A.2 (continued)
Major design factor Design features a.
All of the Class 1E buses in a unit are connected to one preferred power source after the first automatic
- transfer, b.
The Class 1E buses in a unit are connected to sepa-rate offsite power sources after the first automatic transfer.
t 4.
If the normal source of AC power 4
fails, there is an automatic transfer to a preferred source r
of power.
If this preferred j
source of power fails, there is an automatic transfer to another source of offsite power.
a.
All of the Class IE buses in a unit are connected to the same preferred power source after the first j
automatic transfer, b.
The Class 1E buses in a unit are connected to sepa-rate offsite power sources after the first automatic transfer of power sources.
4 1
i
\\
l NUREG-1032 A-7 6
t
duration was found.
Thus, no additional covariance analyses were run.
Subse-quently, the data for all of the different design factors were analyzed to check for any statistical interactions using analysis of variance.
One data point--a 5.83-hour restoration time for an event at the Calvert Cliffs plant on April 13, 1978--was found to cause a strong interaction.
Without that event, there was no significant interaction.
The Calvert Cliffs event involved a latent design flaw that has since been corrected; it is not expected to typify future occurrences with regard to design feature, type of failure, or duration.
With the data " corrected," the independence of offsite power sources was found to be a statistically significant determinant of the restoration time associated with plant-centered losses of offsite power.
The number and type of transfer schemes were found to be less significant.
It was concluded that various com-binations of these design features could be used to define a set of design characteristics with a statistically different recovery time for plant-centered losses of offsite power.
On the basis of this analysis and a review of the design features, the staff concluded (1) that plants with switchyard designs that are normally operated as an interconnected system could be separated, as a group, from those with designs offering electrical independence, and (2) that sites with two or more alternate offsite power circuits (immediate or delayed access) in addition to the normally energized power circuit to the Class 1E buses (off-site or unit generator source) could be grouped.
Table A.3 shows design combi-nations obtained with the mean time to repair (MTTR) values for each group and the statistical test values that were derived for this grouping.
Other groupings can be derived that are both statistically significant and physi-cally valid.
However, data limitations and small differences in HTTR that occur for more detailed breakdowns suggest that the design groups obtained represent a reasonable and valid compromise between completely generic and more design-specific breakdowns.
A plant-centered loss-of-of fsite power-frequency-vs.-duration curve was devel-oped for each of the four design groups by fitting the corresponding data to a two parameter Weibull distribution.
A list of the data used for each curve fit is given in Table A.4.
The actual curves generated by this analysis are in Fig-ure A.2a.
The curves show the probability and frequency of events that exceed a NUREG-1032 A-8
Table A.3 Mcan time to restore offsite power and statistical test values for plant design groupings Group Design Mean time to restore designation features
- offsite power (hrs) 11 A3 and (83, B4 or B2b) 0.13 I2 A3 and (81 or B2a) 0.21 13 (Al or A2) and (B3, B4, or B2b) 0.50 I4 (Al or A2) and (B1 or B2a) 0.97 Statistical Test Values Design Test factor F value Pr F Test for A
7.01 0.0132 interaction B
1.67 0.2062 A*B 0.85 0.3637 Test for A
6.92 0.0135 main effects B
2.68 0.1125
- A1, A2, A3, B1, B2, 83, and B4 are defined in Table A.2.
Note:
Frequency of plant-centered loss-of-offsite power events was 0.056 per site year.
NUREG-1032 A-9
Table A.4 Data used for plant-centered loss of-offsite power-duration curve fits
- Group Site Date Duration (hr)
Il Fitzpatrick 10/04/78 0.004 Oconee 01/04/74 0.013**
Fitzpatrick 03/27/79 0.05 Millstone 07/21/76 0.08 Indian Point 2,3 06/03/80 0.50***
12 Nine Mile Point 11/17/73 0.003 Haddam Neck 07/19/72 0.017 Haddam Neck 07/15/69 0.15**
Haddam Neck 06/26/76 0.27 Haddam Neck 08/19/74 0.33 Haddam Neck 04/27/68 0.48 13 Davis Besse 11/29/77 0.002**
Oyster Creek 09/08/73 0.003**
Point Beach 04/27/74 0.02**
Brunswick 2 03/25/75 0.07 Monticello 04/27/81 0.25 Beaver Valley 07/28/78 0.28 Davis Besse 10/15/79 0.43 Ginna 03/14/71 0.50 Quad Cities 06/22/82 0.57 Ginna 10/21/73 0.67 Prairie Island 07/15/80 1.03 Quad Cities 11/06/77 1.15 Arkansas-1 09/16/78 1,48 I4 San Onofre 11/22/80 0.004 Fort Calhoun 08/22/77 0.015 Palisades 09/24/77 0.50 Farley 09/16/77 0.90 Fort Calhoun 02/21/76 0.90 Palisades 09/02/71 0.93 Indian Point 06/03/80 1.75***
Farley 10/08/83 2.75
- Not included in the duration analysis were the Palisades events of 11/25/77 and 12/11/77 (recurring failures), the Calvert Cliffs event of 04/13/78 (outlier), the Big Rock Point event of 11/25/72 (insufficient plant design information), and the Crystal River event of 06/16/81, the Vermont Yankee event of 12/17/72, and the Turkey Point event of 04/04/79 (incomplete reporting of duration).
- For events with unspecified durations of less than 1 minute, durations were assigned to facilitate the statistical analysis.
- The Indian Point event of 06/03/80 lasting 1.75 hours8.680556e-4 days <br />0.0208 hours <br />1.240079e-4 weeks <br />2.85375e-5 months <br />, included in Group 14, is also included as a 0.50 hour5.787037e-4 days <br />0.0139 hours <br />8.267196e-5 weeks <br />1.9025e-5 months <br /> event in Group 11 on the basis that had the available gas turbine been employed, offsite power would most likely have been recovered in approxi-mately 30 minutes.
NUREG-1032 A-10
- -.. ~ -
0.06 xm 1.0 o
a NOw N
0.05 0.9 i
ew 0.8 3:oc.
I W
0M i
t- 0.7 us g
u.
E P
O o
3 z 0.6 E
ES o
11 I2 13 14 0.03 >
y y 0.s i
i e
o a
w Z
w g 0.4 E
OR i
3 5 03
)
1 mo c:
i, 0.2 G.
0.01 l
\\\\
s%
0.1 s % \\ %
1 l
I I
I I I III I
I I I I III I
I I I I III 0
O 0.01 0.1 1.0 10 DURATION (hours) i Figure A.2a Estimated frequency of occurrence of plant-centered losses of offsite power exceeding specified durations (for offsite power groups as shown in Table A.3) i i
- _ = _ - _
1 specified duration.
Figure A.2b shows the 90% confidence limits for two of the correlations (Il and I4) derived using the extreme value theory.
It was recognized that some of the loss-of-offsite-power events represented a lack of experience and, as experience is gained and problems are solved, the expected frequency could drop.
Figure A.3 shows the actual and median smoothed plot of time between loss-of-offsite power events as a function of the event number.
The first data point is the time in site years between the first recorded loss of offsite power and the second occurrence.
The trend appears to show an increase in time between failures, or decrease in frequency.
Visual inspection of the plot of the median smoothed time between failures indicates a reasonable break point at about the 7th occurrence, which roughly corresponds
{
to January 1978.
An analysis of variance showed that the mean loss-of-offsite power frequency as a result of plant-centered events from 1978 to 1983 was statistically different--showing a decrease of 30%--from the previous level for events lasting one-half hour or longer.
It should be noted, however, that with the removal of the occurrence of just one event in 1977, statistical support to this trend would drop substantially.
The effect of experience was also evaluated through an attempt to correlate plant
)
age and frequency of loss of offsite power.
Visual examination of these data indicated a rather random frequency of occurrence based on plant age.
The staff has concluded that there probably has been some decrease of the loss-1 of-offsite power frequency for plant-centered events at nuclear power plants as total nuclear power plant operating experience has increased, but that some addi-l tional time and evaluation will be needed to definitively show the permanence of such an observation.
Nonetheless, the loss-of-offsite power frequency esti-i mates provided later in this appendix are based on the reduced frequency of plant-centered events (0.04 per site year versus the actually observed frequency of l
0.056 per site year) obtained as a current best estimate.
GRID-RELATED LOSS OF 0FFSITE POWER I
l Grid reliability has traditionally been the most prominant factor associated with a loss of offsite power at nuclear power plants.
Yet, the historical data NUREG-1032 A-12 L
E.
i 8.
e 3
/
'G t
/
o 7
/
/
/
/
/
/
8
=1
/
/,
/
/
y e
ik
/
f 00
/
/
3 88
/
/
5
- '=s y
/
/
y
/+
- /
2 Eitt
/
+
+
t? ??
/
l j
m
,,o o
i r
addd
/
/
/
~
Iaa
/
/
~
/,
2 j,
/
e n
m
-~
/
lbb
$~
E 5
/
l
/
j
/
fi-5
?
l4+
/
,/
/
10 2
~
/
/
/
d*~
8 g
I
/
/
f i
/
/
a
/
/
/
8
/
/
/
m
/
r T 3
=
j j
7
/
/
f
.5
- /
/
/
I I
21
/
/
8 s
/
/
~
t E?
i
/
o D
e*
g
/
=
v 10 f
M a.3
/
e
/
g a
8 i
- /
4 4
/
i i
i i
i i
i E
4 i
i O
~
n
~
O=
O O
O 6
6 6
0 C
H3 Mod 311SJJO DNIH0J93H 10N JO AAMIGV90HJ u
l NUREG-1032 A-13
~
)no i
t 0
a 0
m 0
r 1
1 3
i u
2 d
1 se t
0 u
I 1
n a
i t
m aD R
0 8
I d
E 3
e B
h M
n to a
o U
h I 6 N t
m S
TN r
n E
e a
I 4 V t
id E
a e
e M
rg 2
(
I rew 0
o I
p e
t is f
fo fo s
2 e
I 1
sso l
0 I
1 der a
e t
R t
a I
8 E
n D
B e
la M
c u
t U
-t 6 N n
c I
A T
a3 N
l3 E
p9 I
4 V 1
E f
oh g du I
2 no er rh Tt O
0 m
0 3
3 0
1 i
1 A
i:M25 $e3' 6 z23::Om a.2G e
a rug i
F 5=?EwN
>O*
show that losses of offsite power as a result of grid-related problems account for no more than 20% of all losses of offsite power.
Attempts to find charac-teristics to classify site, design, and location features that affect the expec-ted frequency of grid loss have not been successful.
An investigation into the various utility transmission and distribution system reliability characteristics was beyond the scope of this study.
Such a study is likely to involve an ex-tensive state-of-the-art analysis of grid stability, the results of which would be of questionable validity considering limitations on current methodology.
In its place a more pragmatic and experience-based approach to estimating nuclear plant site susceptibility to grid loss was taken.
Both frequency of grid loss and time to restore power were considered.
It was recognized that the Florida Power and Light (FPL) grid has represented the upper end of utility grid failure frequency during the past 10 to 15 years, although some recent improvements seem to have been effective.
Very few other nuclear plant sites have experienced even one or two loss-of-offsite power events as a result of grid blackout.
The great inajority of nuclear power plants have not experienced grid failure.
A systemic weakness identified after a grid fail-ure is usually corrected as soon as possible.
Thus, it is usually a new and l
previously unidentified systemic weakness that results in future failures.
Therefore, in the absence of known and uncorrected systemic weaknesses, the occa-sional, non-recurring type of grid failure may not be a good indicator of future trends within a utility system.
With this in mind, the FPL experience was sepa-rated from the balance of the U.S. nuclear utility experience to estimate grid-failure frequency.
Because a set of design or location factors could not be identified that could effectively differentiate the expected reliability of the l
various utility grids, grid reliability was categorized by failure frequency ranges characteristic of past experience.
The FPL experience suggests an upper cnd to the grid-failure frequency of once per 2 to 4 site years, although there have been recent improvements.
In a few utility systems, the occasional grid failures have occurred at a frequency of about once per 10 to once per 20 site-years.
The national average is about once per 100 site years, excluding FPL experience.
Table A.5 lists grid-related losses of offsite power and site-specific frequencies calculated from the data.
Two grid undervoltage events are discussed in a footnote to the table.
Although these events were not counted as NUREG-1032 A-15
Table A.5 Grid-related loss-of-offsite power frequency versus duration, through December 1983 Date of Duration Site frequency Site occurrence (hours)
(per year)
Turkey Point 04/03/73 0.30 0.446 (5 events in 04/04/73 0.25 11.4 site years) 04/25/74 0.33 06/28/74 0.18 05/16/74*
1.03 05/16/77*
2.00 Indian Point 11/19/65 0.15 (3 events in 07/20/72 0.92 20 site years) 07/13/77 6.47 St. Lucie 05/16/77***
0.33 0.260 (2 events in 05/16/77***
1.50 7.7 site years) 05/14/78 0.13 l
Yankee Rowe 11/19/65 0.65 0.044 (1 event in 22.5 site years) l 0 (no events in 47 sites nonet 3.5 to 23.4 site-years)
Total for 0.020 (11 events in 52 sites (539 site years)
Total 0.008 (4 events in excluding FPL (520 site years)
- The Turkey Point events of 05/16/77 were counted as one event for frequency j
calculations.
- Actual duration not reported.
)
- The St. Lucie events of 05/16/77 were counted as one event for frequency calculations.
tThe undervoltage event at Millstone on 07/21/76 was treated as a plant-centered design problem; the undervoltage event at Quad Cities on 02/13/78 was treated as a degredation w'ith a useable offsite power source available throughout the incident.
NUREG-1032 A-16
h 1
grid failures, offsite power sources were momentarily unavailable during these ovents.
Two factors which have been identified as significant in determining the dura-tion of grid-related losses of offsite power at nuclear power plant sites are:
i (1) the availability of adequate restoration procedures and (2) the availabil-ity of " black start" power sources that are able to supply power to a nuclear power plant in isolation of a grid disturbance.
Both of these factors can contribute to a significant reduction in the expected duration of grid-related l
losses of offsite power, as reported in the Indian Point Safety Study (PASNY, I
1982).
In 1981 the NRC sent a generic letter (NRC, 1981) to all nuclear power i
plant licensees requesting them to develop and implement procedures to enhance restoration of offsite power.
Responses to that generic letter have indicated that power could be preferentially restored to many nuclear power plant sites within 1 or 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, even if the grid remained in a blackout condition.
i I
The time to restore offsite power following a grid-failure can be estimated by past experience.
However, if an appropriate set of procedures are provided and power sources are available and capable of supplying power during grid blackout, a more prompt recovery may be possible.
Human reliability and the availability of alternate power sources may limit the recovery potential to as low as 60%
recovery in about an hour.
If multiple reliable sources of power that can be isolated from a blacked-out grid are available, the potential may be as high as 95% recovery in less than one-half hour.
For this study, an offsite power-rostoration likelihood of 80% within one-half hour of a grid failure was assumed for the analysis of plant sites with enhanced recovery capabilities (e.g., pro-COdures and at least one power source available for prompt recovery).
The rocovery probabilities for grid-related losses of offsite power were developed by fitting past operating data to a two parameter Weibull distribution.
The data used in the curve fit are provided in Table A.5.
Figure A.4 provides a curve showing the probability of not restoring offsite power versus the duration of losses of offsite power as a result of grid blackouts.
It also shows the potential for improvement with enhanced recovery capability over past operating experience.
i NUREG-1032 A-17 I
S
~
4 L
og e
u C,o 3
$Z f~
Og cob
/
t 8;t: i
/
.B y
. o
/
8 8.E M
/
g am
/
4 s
O O'O
/ pn*
E To s
4 E
/
A s
o
/
/
m o
s
/
e o
/,*
/
/
/
/
/
o
/
/
s
/
a*,*#
V
/
w
/
A E
p*
5
/
- p **
o****
E s
U
/
4 4'"
'C s# s ' #p*,
/
A 4
/
E
/
y 8
/
",e#
/
/
o
/
/
/
y
/
p*,
9
/ *,#
'E
'~
/
o
,E
=
/,"
3 Ea S
ft k
~
mm C
O
'a"
~
2 3
m CC 4
k L
i i
i i
i i
I I
I I
O 3
- ?
O o
P A
4 R
R e
o o
o o
o o
o o
o a
U3 mod 311SJJO DNIUO1S3H 10N JO Ailll0V90Hd NUREG-1032 A-18
Gs s
s 3
4.
s q
The correlations for grid reliability and offsite poker? bdsforation werC s
~
3 ;
developed by combining the 6ccurrence frequencies reprssentative of operating experience and the calculated recovery probabilities.
TableA.6providdtd'the grid failure frequency and duration groups obtained.
Fig'ure.A.5showsthd' dis-crete loss-of-offsite power frequency and duration curves corresponding to the
\\
'M groups identified in Table A.6.
4 s
,4 3
LOSS OF 0FFSITE POWER DUE '10 SEVERE WEATHER T
1 $
Severe weather conditions,iuch as lo, cal or area-wids storms,,have caused lossesofoffsitepowerat.nuclearpoQarp? ants.
Weatiier-related causes of s
offsitepowerfailurehave'ta.Endividcc.intotwogrotIps'
/
a those for which the weathe' caused the event but did not affect (1) r the time to restore power
.x t
(2) thosd'forwhichtheweatherinitiatedtheeventlandcreated condilions so that povi@(was not or could not have been restored for-e.long time j
1 per 60 site years and
< 1 per 30 site years (0.03/ site year)
G3
> 1 per 20 site years and
< 1 per 6 site years T0.1/siteyear)
G4 Greater than or equal to 1 per 6 site years (0.3/ site year)
Recovery (R)
Recovery from grid blackout group (R)
Recovery capability R1 Plant has capability and procedures to recover offsite (non-emergency) AC power to the site within 1/2 hour following a grid blackout.
R2 All other plants not in R1.
Grid reliability / recovery (GR)
Grid reliability /
Grid reliability Recovery from grid recovery group (GR) group (G) blackout group (R)
GR1 G1 R1 GR2 G2 R1 GR3 G3 R1 GR4 G4 R1 GR5 G1 R2 GR6 G2 R2 GR7 G3 R2 NUREG-1032 A-20
j i
i
~*
I I
I I
Note:
Grid Reliability /
Recovery Groups GR 1 - GR 7 0.05 Are Defined in Table A.6 GR4
)
GR3 GR7 0.04 W*
iis e
E 0.03 U
5 3
8 5
0.02 GR6 GR2 0.01 - GRS GR1 l
I l
0.00 0.1 0.3 1.0 3.0 10.0 DURATION (Hours)
Figure A.5 Estimated frequency of occurrence of grid-related losses of offsite power exceeding specified durations NUREG-1032 A-21
modes associated with severe weather-related power losses.
Although utilities and regional power pools normally keep extensive data on transmission line, terminal, and customer outages from all causes, including weather, little infor-mation has been obtainable that can be used to derive the likelihood of loss of all offsite power at nuclear plants or for similarly designed incoming trans-mission lines and switchyards at non-nuclear plants.
In light of this limita-tion, the objective of this study was to derive some general frequency and duration characteristics that could be applied to the design and location of nuclear power plant offsite power systems generically or on a case-by-case basis, considering specific susceptibility to the various weather hazards.
The approach taken was to develop a range of loss-of-offsite power frequency and duration relationships based on weather hazard rate and past operating experience.
First, data for all loss-of-offsite power events involving both partial or total failures were reviewed.
Weather-related total loss-of-offsite power events and significant partial loss-of-offsite power events, such as those causing the complete loss of power to or from a switchyard, were included.
These data are provided in Table A.7.
Here again, as with grid reliability experience, this data base is too small to be used to derive plant location and design-dependent conclusions regarding the expected frequency of loss of offsite power as a result of severe weather.
r Normally, regression analyses would be used to correlate failure rate, design factors, and weather hazards.
However, the losses of offsite power are so rare that the available data are too limited to take such an approach.
The method taken to correlate loss-of-offsite power frequency to weather hazards is a simplified approach similar to that taken to correlate transmission line and terminal outage data to exposure to various types of weather (Lauby et al.,
1984). It has been assumed that the frequency of loss of offsite power as a result of severe weather events is proportional to the weather hazard rates at a site.
The weather hazard rate is a measure of the frequency of conditions that have the potential to cause loss of offsite power.
The following weather hazard rate indicators were selected:
I NUREG-1032 A-22
Table A.7 Severe-w*sther-induced losses of offsite power used in the analysis Site Date Duration (hours)
Weather type Total Losses of Offsite Power Point Beach 02/05/71 0.13 Snow / ice Fort St. Vrain 05/17/83 1.75 Snow / ice Pilgrim 05/10/77 2.67 Snow / ice Dresden 1 11/12/65 4.00 Tornado Millstone 3 08/10/76 5.00 Hurricane Pilgrim 02/06/78 8.90 Snow / ice Major Partial Losses of Offsite Power Browns Ferry 03/01/80 Snow / ice D. C. Cook 02/04/78 Snow / ice Pilgrim 10/12/82 Hurricane San Onofre 02/24/69 Hurricane Arkansas Nuclear One 02/22/75 Tornado Arkansas Nuclear One 04/07/80 Tornado Browns Ferry 04/03/74 Tornado NUREG-1032 A-23
(1) snow / ice:
inches of snowfall per year (2) tornado:
frequency of tornadoes per square mile per year (3) hurricane and wind:
frequency of storms per year with wind speeds exceed-ing approximately 75 mph These factors are called indicators because no mechanistic cause and effect analysis has been performed.
Rather, it has been observed that losses of off-site power have occurred when these types of weather conditions were present.
f Storms are classified as hurricanes when wind speeds reach 75 mph.
The fre-quency of this wind speed was used as a correlation point to determine the i
variability of hurricanes and high wind hazards at various locations (sites).
i By dividing the number of losses of offsite power which have occurred by the cumulative historical weather hazards for each weather type at nuclear power plant sites, an offsite power failure proportionality factor for each weathur type was derived.
This process can be represented as follows:
I N
P i
9=
INji where t
Pg = the proportionality factor for weather type "i" Ng = the observed number of offsite power losses as a result of weather type "i" Hji = the cumulative weather hazard factor for weather type "i" at site "j" Hjj = hjj j
At where jj = the weather hazard rate for type "i" weather at site "j" h
i NUREG-1032 A-24
\\
j = the cumulative site years since commercial operation began at At site "j" The expectation frequency of loss of offsite power can then be computed by I
bji = Pj jj h
l where S is the estimated frequency of loss of offsite power at site "j" for jj l
weather type "i", and P and h are defined as before.
j jj On the basis of data from Table A.7 and cumulative weather hazards for U.S. nuclear plant sites through 1983, the following weather-induced failure proportionality 5
factors were derived:
i j
P3fg = 1.8 x 10 4/ inches of snowfall i
PH/W = 2.6 x 10 2/ incident PT = 27 square miles (for single right-of-way) 4 where subscripts S/I = snow / ice, H/W = hurricanes / wind, and T = tornadoes.
The i.
weather hazard factors for each site were derived from National Weather Service data (NUREG/CR-2639, -2890; Vigansky, 1980; National Oceanic and Atmospheric Administration, 1980) where available.
If data for a particular weather type at a site were not available, the operating experience for that site was not included in the estimates.
t Normally this type of correlation would be supported by a statistical validity test.
As pointed out previously, because there have only been a few weather-related losses of offsite power at nuclear plants, the statistical validity could not be ascertained.
However, as a test of the reasonableness of this i
formulation, a plot of cumulative weather hazard factor for each site (H )j versus total cumulative weather hazard factor tabulated for all applicable nuclear plant sites (IH ) was made, and the severe weather-related operating j
experience for both total and major partial loss of offsite power events was identified.
A comparison was also made of the number of sites falling within f
subdivisions of the range of cumulative weather hazard factors.
This informa-l tion is provided in Figure A.6, where the number of losses of offsite power l
NUREG-1032 A-25
SNOW / ICE
~
10,M 20 47 1P 2
7,500 15 t4 I
"y e=
10 5,000 U
I f
IP E
E=
-q 2.500
=
5 1
m-.
j 0---
0 10' 10 10 2
3 Hs HURRICANE / WIND > 75 mph TORNADOES 20 20 20 0.100
~
1T 2P IT H
15 15 15 0.075 t4 t1 Z
I I
e e
-4 l
j 10
- 10 0.050 10 7 7
i a
i y
3 E
E
=
E E
s s
2 5
2 5
5 0.025
==== q
. = =
0---
0 0
0.000 L
i 0.1 1.0 10
- 10-3 10 2 HH HT l
Figure A.6 Weather hazard expectation histograms NUREG-1032 A-26 L
1 i
I followed by a "T" represent total losses of offsite power and those folluwed by i
a "P" represent major partial losses of offsite power.
Because frequency of q
loss of offsite power as a result of weather has been assumed to be proportional to the magnitude of weather hazards, the occurrence of weather-related losses j
of offsite power should favor the sites with the highest cumulative weather hazard.
In general it does.
4 The events identified in Table A.7 are typified by durations of several hours.
I The failures are somewhat localized, able to be isolated, or repairable with l
modest effort, Design factors such as transmission line right-of-way separation, j
structural strength of transmission and switchyard components, insulation from
)
effects of adverse environments, and operational factors related to repair capa-f bility or use of alternate, available power sources will impact the likelihood and duration of loss-of-offsite power events of this type.
Events of this type will be referred to as severe weather events throughout this appendix.
1 l
None of the events identified in Table A.7 involved tornado or hurricane /high j
wind conditions that severely damaged structural elements of all transmission i
and/or switchyard components of sources of offsite power to the plant.
Although such an occurrence is rarely expected, many hours or days could be required to repair and restore offsite power.
The frequency of these more extreme weather-related power losses can be esti-l mated by determining the frequency of weather conditions that are severe enough to damage all offsite power sources.
The same design factors noted above for the more repairable loss of offsite power events will determine the suscepti-bility, and thus frequency, or hazard rate, of weather conditions that could result in area-wide transmission and/or switchyard failures.
Based on the National Electric Safety Code, power plant transmission systems should be designed for wind speeds on the order of 125 mph.
High wind speeds could cause extensive power trant. mission losses, although this will vary, depending on the specific design.
Another potential hazard, tornado (es), must strike all rights-of-way or switchyards with sufficient intensity to damage the minimum number of components required to supply offsite power in order to cause a long duration loss of offsite power.
The probability of equipment failure given the occur-rence of these extreme weather conditions is assumed to be unity, or nearly so; NUREG-1032 A-27
i thus the likelihood of loss of offsite power can be approximated by the fre-quency of occurrence of the extreme weather condition.
The frequencies of the extreme hurricane (known as great hurricanes) and high winds are available from National Weather Service data.
To estimate the frequency of single or multiple tornado strikes damaging all transmission lines or switchyards requires modeling of the offsite power trans-mission line geometry (Anders, Dandeno, and Neudorf, 1984; Teles, Anderson and Landgren, 1980) and using site / area data for tornado frequency, intensity, and direction.
This type of m m istic, probabilistic analysis was not performed as part of this work.
A simpler, bounding type of rpproach was used.
The tornado-related loss of offsite power frequency for a single right-of way derived previously was used.
However, using this approach, for some sites, the frequency of tornado-caused losses of offsite power could be overestimated by an order of magnitude or more.
When the tornado frequency is low, as it is at most sites, l
this estimate will not make a noticeable difference in the computation of total loss-of-offsite power frequency.
For sites in relatively high tornado frequency locations, the results may be more appropriately treated as a high, rather than a best, estimate.
For purposes of this work, the low estimated frequency of tornado-caused losses of offsite power was taken as " negligible" compared to the high estimate.
This lower estimate would be indicative of sites with trans-mission line rights of-way spreading out in directions obtuse to each other.
I Events of the types discussed in the preceding two paragraphs are referred to as extreme weather events throughout this appendix.
Although the frequency of these extremely severe weather events could be as high as 0.01 per site year, it will more typically be less than 0.001 per site year.
l The time necessary to restore a source of offsite power for weather-related failures will depend on the severity of damage caused by the event.
Major structural damage can typically require 8 to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> or longer for repair.
Data obtained from the Mid-America Interpool Network (MAIN) and the Mid-Continental Area Power Pool (MAPP) (MAIN, 1983; MAPP, 1983) indicate that it takes on the order of 8 to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> to restore transmission or terminal point outages that resulted from severe weather.
For this study, nuclear power plant outage time data for losses of offsite power that resulted from severe weather NUREG-1032 A-28
tere used to estimate restoration likelihood for the less-than-catastrophically-damaging weather events.
Data for total loss-of-offsite power events were fitted to a two parameter Weibull distribution and used to generate the restoration likelihood curve shown in Figure A.7.
Also shown in Figure A.7 is an " enhanced" recovery curve that can be used to differentiate plants with practicable power restoration procedures for these weather types.
The applicability of enhanced recovery would depend on the capability and procedures to restore power within about 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> for a given weather hazard.
An estimate of the total severe weather-related frequency of loss of offsite power was derived by summing the values for each weather hazard type at all e
nuclear plant sites.
Plant-specific design or procedural details can affect the estimated frequency of weather-related losses of offsite power.
Therefore, an attempt was made to derive the range of possibilities rather than to provide site-specific estimates.
It should be noted, however, that, because of a lack i
of data, not all weather hazards could be accounted for at every site.
- Moreover, some weather data extrapolations were necessary when data from weather stations 4
near a site were not available.
The frequency range derived was large, and determining where a particular site / design combination would fall in that range requires evaluation of the site-specific details identified previously.
For the purpose of this work, the range was subdivided into groups with approximately a factor of 3 difference in median frequency.
The subranges so derived are provided in Table A.8.
This partitioning allowed generic evaluation of the effects of severe weather hazard on loss-of-offsite power frequency while at the same time providing perspective on the potential for plant-specific differ-onces.
Figure A 8 shows the severe weather frequency and duration combinations corresponding to the groups defined in Table A.8.
For losses of offsite power caused by extremely severe weather such as great hurricanes, very high winds (greater than 125 mph), and major damage from tor-nadoes, restoration of offsite power was not assumed to occur before 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after the start of the outage.
The frequency breakdowns, derived in a manner similar 1) that for severe weather, are provided in Table A.9.
Again it must be noted that a site-specific assessment of the susceptibility to these weather l
hazards must be performed to determine the site-specific expectation frequency.
I NUREG-1032 A-29 i
n -... - -. - -..,.. _ _ _. _, -. - - _ _ _ _ - - -
_____-_--.__,__n.
E=
0 1.0 E;
U A Data 0.9 N
A \\
N
\\
\\
e
\\
\\
g 0.8 g
o
's
\\
\\
cL s
\\
\\
Normal Recovery au g
\\
A
{ 0.7 S
g g
's
\\
$ 0.6 s
\\
\\
g a
=
\\
\\
E 90% Confidence en g
\\
E 0.5 g
\\
Limits for Normal
\\
Recovery p
a E
N
\\
A g
o 0.4 g
U Enhanced
\\
\\
k 2
Recovery
\\
02 N\\
a
\\
8
\\\\
\\
\\
O_2 g\\\\
\\
N, N
\\,
0.1
's \\
's,\\
'I
I 0
O.1 1.0 10 100 DURATION (hourst Figure A.7 Restoration probability for severe-weather-induced losses of offsite power
- _ = _ _ _ _
Table A.8 Severe-weather-induced loss-of-offsite power frequency / recovery Severe-weather-induced loss-of-offsite power frequency (S)
Frequency of severe weather-induced Frequency group (S) loss of offsite power 51 Less than 1 per 350 site years (0.002/ site year) 52
> 1 per 350 site years and
< 1 per 120 site years (0.005/ site year)
S3 Greater than or equal to 1 per 120 site years (0.015/ site years)
Recovery (R)
Recovery from severe-weather-induced loss-of-offsite power groups (R)
Recovery capability R1 Plant has capability and procedures to recover offsite (non-emergency) AC power to the site within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> following a severe-weather-induced loss of offsite power, R2 All other plants not in R1 Severe-weather-induced loss-of-offsite power frequency / recovery (SR)
Severe-weather-induced loss-of-offsite power frequency / recovery group (SR)
Frequency group (S)
Recovery group (R)
SR1 51 R1 SR2 S2 R1 SR3 S3 R1 SR4 S1 R2 SRS S2 R2 SR6 S3 R2 NUREG-1032 A-31
1 r
0.020 g
[
{
l Note:
See Table A.8 for Definitions of SRI.SR8 0.015
=
f SR6 6
5 t
E-0.010 U
SR5 8
E 0.005 SR 3 SR 2 SR 4 0.000 0.1 0.3 1.0 30 10.0 i
DUR ATION (Hours) t I
Figure A,8 Estimated frequency of occurrence of severe-storm-induced losses of offsite power exceeding specified durations l
l NUREG-1032 A-32
Table A.9 Extremely severe-weather-induced loss-of-offsite power frequency Extremely severe-weather-induced Frequency groups (SS) loss-of-offsite power frequency SS1 Less than 1 per 3500 site years (0.0002/ site year)
SS2
> 1 per 3500 site years and
< 1 per 1200 site years (0.0005/ site year)
SS3
> 1 per 1200 site years and
< 1 per 350 site years (0.0015/ site year)
SS4
> 1 per 350 site years and
< 1 per 120 site years (0.005/ site year) i SS5 Greater than or equal to 1 per 120 site years (0.015/ site year) f NUREG-1032 A-33
GENERIC LOSS-OF-OFFSITE-POWER CORRELATIONS Combinations of design, grid, and weather factors derived in the previous sec-tions provide a wide spectrum of possibilities for loss-of offsite power fre-quency and duration.
Each of these factors was subdivided to account for known or hypothetical but reasonable differences in frequency and duration; typically, a factor of 2 to 5 difference was maintained for these subdivisions.
The intent was to develop a discrete set of frequency and duration groups that could account for actual and potential differences in both design and location (grid and weath-er) for the spectrum of nuclear power plant sites.
The frequency of losses of offsite power lasting duration "t" or longer can be estimated by appropriate combination of the correlations that were developed in this appendix and can be represented by the following equation i
LOP (t) = I (t) + GR (t) + SR (t)
- SSI A
j j
k where I (t) = the plant-centered loss of offsite power frequency correlation g
defined in Table A.3 and Figure A.2, corrected to initial frequency of 0.04 per site year GR (t) = the grid-related loss-of-offsite power frequency correlation j
defined in Table A.6 and Figure A.5 SR (t) = the severe weather-related loss-of-offsite power frequency k
correlation defined in Table A.8 and Figure A.8 SSj = the e<tremely severe-weather-related loss-of-offsite power frequency defined in Table A.9 The identification of the 1 factor is the most straightforward because it is 9
based on configuration.
As a first cut, the appropriate GR) factor can be identified by dividing nuclear sites in the U.S. Into two categories:
(1) FPL sites, GR7, and (2) all other sites representing average frequency expection of NUREG-1032 A-34
c e
grid failure, GR1 or GR2.
The SR and SS) factors are not so easily identified k
because both design specifics and hazard rate must be determined.
It is possi-ble, however, to bracket these factors with a range that can be used to judge importance of station blackout considerations using hazard rates and proportion-f I
ality factors for severe weather, and using the upper range of the estimated l
failure rate for extreme weather hazards.
l A test of the loss-of-offsite power correlations that were developed was made i
by comparison with plant-specific results from published probabilistic risk assessments (PRAs).
Figures A.9 through A.13 provide these comparisons.
With the exception of the Zion PRA and Indian Point PRAs, giving credit for nearby I
t j
gas turbine generators, the results show reasonable agreement.
The cross-i l
hatched areas represent the high and low estimate for extreme-weather-related
[
j losses of offsite power, except for Indian Point where site historic grid fail-
[
ure frequency and generic estimates were used to develop the ranges.
The dif-
}
E ferences with the Zion PRA results could stem from one of several possibilities:
j design and procedural factors are more reliable than assumed in the comparison; I
the Zion PRA results are optimistic; or the models and correlations derived for l
generic analyses have limitations when applied to some plant-specific cases.
{
j The difference with the Indian Point PRA results can be attributed to the high
)
availability associated with nearby gas turbine generators.
The utility has i
j placed special emphasis--including technical specifications--to maintain these l
j alternate power supplies in a high reliability state.
Because of these consider-1 l
ations, a generic analysis must be used with caution in plant-specific appli-I
{
cations.
However, the generic models can usually provide good " ball park" l
l results for generic applications and perspectives.
Clearly the more details 7
available and included in the models regarding design, procedures, alternate I
power sources, and protection provided from severe weather conditions, the more likely that the generic results will closely equate to plant-specific results, f
t j
The development of a more limited number of generic loss-of-offsite-power fre-i i
quency,and duration relationships that could be used for regulatory analysis I
involved the clustering of the site / design factors to determine if combinations l
of these factors could be grouped into a more limited, but still representative, f
)
set.
A set of nine cluster groups was derived from the set of site / design j
l possibilities using the Fastelus procedure of the SAS package (SAS Institute,
[
l NUREG-1032 A-35 l
{
.i
)
0 10 ~ ~~ ~ ~ ~
~ ~~
Without use of nearby 0.08 gas turbine generators Indian Point PH A (means) c.
s indian Point PHA (medians)
U 2
5 Model Hange S
l cc" 0.04
%*g\\
With use of
~
%g'%,
nearby gas turbine generators lg.
senhan (means) i Point PHA (medians)
U Mode 0.00 1.0 2.0 4.0 80
1 DUP ATlON (Hoursi Figure A.9 Estimated frequency of losses of offsite power exceeding specified durations for Indian Point NUREG-1032 A-36
1 0 06 l
I i
I>
t 0.04 b
r, i
O god ggDN g
'%,g g
/ o * *,*,,
' " *"" = = =
\\t
==
1\\
9%>
= = = = = = = = = ==
\\
d\\*"'\\
\\
s g
OMg3
%9 gA bA D
OURATION (Hourst Figure A.10 Estimated frequency of losses of offsite power exceeding specified durations for Zion NUREG-1032 A-37
0 06 i
1r 09 g
r, 5
/poieb'"' gek t
- g
%k
""#* S.ce o#
o#
t i
33 AA s9 wD i
psou \\" "'
Figure A.11 Estimated frequency of losses of offsite power exceeding specified durations for Shoreham gg.#
g-9
- 0. h 0.04 t4 0.03 5
Millstone 3 PRA
,E 0.02 4
4 4*n n
%*g h,n% %*%
0.01
'm.
Model Range
%,,**=
- =
0.00 1.0 2.0 4.0 8.0 16.0 DURATION (Hours)
Figure A.12 Estimated frequency of losses of offsite power exceeding specifled durations for Millstone 3 NUREG-1032 A-39
ame 0.04 0.03 pLimerick PRA 3
I b
t't t
n.
i n
5 0.02 h 4 g u
n n
h, (g
t,%
3 Model Range
%g*
O li E
t n
u.
t l n'n**=
9 l
g%' l y t,
i
,"n 0.01
a,,,-
t, n
n si,h 4
==,,i 0.00 I
i i
1.0 2.0
- 0 8.0 16.0 DURATION (Hours)
Figure A.13 Estimated frequency of losses of offsite power exceeding specified durations for Limerick NUREG-1032 A-40
\\
l l
1979).
To limit the number of cluster groups, the clustering had to be based i
on loss of offsite power durations of 4 to 16 hours1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br />.
Figure A.14 provides a plot of the cluster gr3ups derived from this analysis, and Table A.10 identifies
]
the factors that can be in each cluster group.
Grid reliability groups were j
j limited to 1, 2, and 7 to generate the clusters.
Table A.11 identifies combi-
)
nations of each of the four factors (GR, I, SR, and SS) included in the nine i
]
cluster groups.
For example, a plant with GR1, II, SR1 and SS2 would be in f
l cluster group 2.
1 i
f j
Because design, grid, and weather all play a role in the frequency and duration r
a relationship for each cluster, it is difficult to generalize about the dominant l
factors affecting loss of offsite power.
It is possible to say that the higher
[
frequency at longer duration groups (clusters) are most heavily influenced by j
weather hazard susceptibility.
It is also reasonable to speculate that perhaps
- )
no known nuclear plant has the combination of fte, location and design features I
which would result in the highest frequency and duration correlation developed
]
in this study (e.g., cluster 9).
l REFERENCES i
Anders, G.
J., P. L. Dandeno, and E. E. Neudorf, " Computation of Frequency of l
Right-of-Way losses Due to Tornadoes," Paper 84WM0402, IEEE Winter Power Meeting,
{
(
Dallas, Texas, January 1984.
Lauby, M. G., et al., " Effects of Pooling Weather Associated MAPP Bulk Transmis-sfon Outage Data on Calculated Forced Outage Rates," Paper 84WM0410, presented at IEEE Winter Power Meeting, Dallas, Texas, January 1984, i
MAIN Transmission Outage Task Force, " Summary of MAIN Transmission Line Perfor-cance for the Year 1982, 345 KV and 765 KV," September 1983.
MAPP Transmission Reliability Task Force, "Mid-Continent Area Power Pool Bulk Transmission System Outage Report (January 1977 - December 1982)," July 1983.
National Oceanic and Atmospheric Administration, comparative climatic Data for the United States through 1980, 1980.
l NUREG-1032 A-41 i
l
1c:.
T
.1 E
8 g
5
\\
s's(*:[g N
Offsite 4
Power E
-4 Cluster g
y ___ g -
g c 5,9
=
n.
s
' " - -e..,,
4.,
N 6
-Qg,
- w
,, * - -- -
- 4,8
~
~
'-Q '-
M'*::.%
g
.001 s
N
,,,' s.,
- o. 6
~
o No
-a w
F s
-o
o 3 4
~
I o2 5
.0001 g
1 W
.00001 0
2 4
6 8
10 12 14 16 DURATION (Hours) l Figure A.14 Estimated frequency of occurrence of losses of offsite power exceeding specified durations for nine offsite power clusters l
NUREG-1032 A-42 L
1 Table A.10 Cluster correlation factors s
I Frequency-duration Cluster correlation group l
1 2
3 4
5 6
7 8
9
?
4 I
j GR 1
X X
X X
X X
X 1
2 X
X X
X X
X X
7 X
X
\\
4 l
1 1
X X
X X
X X
X i
i 4
t 2
X X
X X
X X
X l
l I
l 3
X X
X X
X X
X X
1 l
4 X
X X
i I
l SR 1
X X
X X
X X
X 1
I 2
X X
X X
X X
X l
3 X
X X
X X
X 4
X X
X X
X X
l 5
X X
X X
X X
X 6
X X
X t
SS 1
X X
X X
2 X
X X
i 3
X X
X
[
4 X
X 5
X x
NUREG-1032 A-43 l
J
Table A.11 Identification of grid (GR), offsite power system design (I),
severe weather (SR), and extremely severe weather (SS) factors included in nine cluster groups Cluster Group 1 Cluster Group 2 (Cont'd)
Cluster Group 3 (Cont'd)
GR I
SR SS GR I
SR SS GR I
SR SS 1
1 1
1 2
1 3
1 1
3 5
1 1
1 2
1 2
1 4
1 1
3 5
2 1
2 1
1 2
1 4
2 2
1 3
2 1
2 2
1 2
2 1
2 2
1 5
1 2
1 1
1 2
2 2
2 2
1 5
2 2
1 2
1 2
2 3
1 2
2 3
2 2
2 1
1 2
2 4
1 2
2 5
1 2
2 2
1 2
2 4
2 2
2 5
2 2
3 1
1 2
3 1
2 Cluster Greup 2 2
3 2
1 2
3 2
2 2
3 3
1 GR I
SR SS Cluster Group _3 2
3 3
2 2
3 4
1 1
1 1
2 GR I
SR SS 2
3 4
2 1
1 2
2 2
3 5
1 1
1 3
2 1
1 3
1 2
3 5
2 1
1 4
1 1
1 5
1 1
1 4
2 1
1 5
2 Cluster Group _4 1
2 1
2 1
2 3
2 GR I
SR SS i
1 2
2 2
1 2
5 1
1 2
3 1
1 2
5 2
I I
I 4
1 2
4 1
1 3
1 2
1 2
4 2
1 3
2 2
1 1
2 4
1 3
1 1
1 3
3 1
1 1
3 4
1 3
2 1
1 3
3 2
1 1
4 4
2 1
1 2
1 3
4 1
1 1
5 4
2 1
2 2
1 3
4 2
1 1
6 3
l t
i 1
NUREG-1032 A-44 l
Table A.11 (Cont'd) i Cluster Group 4 (Cont'd)
Cluster Group 4 (Cont'd)
Cluster Group 5 GR I
SR SS GR I
SR SS GR I
SR SS 1
1 6
4 2
1 5
4 1
1 1
5 1
2 1
4 2
1 6
3 1
1 2
5 1
2 2
4 2
1 6
4 1
1 3
5 1
2 3
4 2
2 1
4 1
1 4
5 l
1 2
4 4
2 2
2 4
1 1
5 5
1 2
5 4
2 2
3 4
1 1
6 5
1 2
6 3
2 2
4 4
1 2
1 5
i 1
2 6
4 2
2 5
4 1
2 2
5 1
3 1
4 2
2 6
3 1
2 3
5 l
1 3
2 4
2 2
6 4
1 2
4 5
1 3
3 4
2 3
1 4
1 2
5 5
1 3
4 4
2 3
2 4
1 2
6 5
1 3
5 4
2 3
3 4
1 3
1 5
1 3
6 3
2 3
4 4
1 3
2 5
1 3
6 4
2 3
5 4
1 3
3 5
1 4
1 4
2 3
6 3
1 3
4 5
1 4
2 4
2 3
6 4
1 3
5 5
1 4
3 3
2 4
1 4
1 3
6 5
1 4
3 4
2 4
2
.4 1
4 1
5 1
4 4
3 2
4 3
3 1
4 2
5 i
1 4
4 4
2 4
3 4
1 4
3 5
1 4
5 3
2 4
4 3
1 4
4 5
1 4
5 5
2 4
4 4
1 4
5 5
1 4
6 3
2 4
5 3
1 4
6 5
1 4
6 4
2 4
5 4
2 1
1 5
2 1
1 4
2 4
6 3
2 1
2 5
2 1
2 4
2 4
6 4
2 1
3 5
2 1
3 4
2 1
4 5
2 1
4 4
2 1
5 5
2 1
6 5
NUREG-1032 A 45
Table A.11 (Cont'd)
Cluster Group 5 (Cont'd)
Cluster Group 6 (Cont'd)
Cluster Group 6 (Cont'd)
GR I
SR SS GR I
SR SS GR I
SR SS 2
2 1
5 1
2 1
3 2
3 2
3 2
2 2
5 1
2 2
3 2
3 3
3 2
2 3
5 1
2 3
3 2
3 4
3 2
2 4
5 1
2 4
3 2
3 5
3 2
2 5
5 1
2 5
3 2
2 6
5 1
3 1
3 Cluster Group 7 2
3 1
5 1
3 2
3 2
3 2
5 1
3 3
3 GR I
SR SS 2
3 3
5 1
3 4
3 2
3 4
5 1
3 5
3 1
1 6
1 2
3 5
5 2
1 1
3 1
1 6
2 2
3 6
5 2
1 2
3 1
2 6
1 2
4 1
5 2
1 3
3 1
2 6
2 2
4 2
5 2
1 4
3 1
3 6
1 2
4 3
5 2
1 5
3 1
3 6
2 2
4 4
5 2
2 1
3 1
4 1
1 2
4 5
5 2
2 2
3 1
4 1
2 2
4 6
5 2
2 3
3 1
4 1
3 2
2 4
3 1
4 2
1 Cluster Group 6 2
2 5
3 1
4 2
2 2
3 1
3 1
4 2
3 GR I
SR SS 2
3 2
3 1
4 3
1 2
3 3
3 1
4 3
2 1
1 1
3 2
3 4
3 1
4 4
1 1
1 2
3 2
3 5
3 1
4 4
2 1
1 3
3 2
2 5
3 1
4 5
1 1
1 4
3 2
3 1
3 1
4 5
2 1
1 5
3 1
4 6
1 NUREG-1032 A-46
^
~~~,
s -,
is. '
j h
1
/
s, Tah!$A.11(Cont'd)
\\
/
Cluster Group 7'-(Cont'd)
Cluster Group 8 (Cont'd) e.
Cluster Group 9 l'
e
,i GR I
SR SS GR I
SR SS GR I
SR SS i,
s
^
1 4
6 2
7 1
4 4
7 1
1 5
k1 5.
4 7
1,7 2 5
\\
2 1
6 1
a s4 -
s 2
1 6
2 72 1 ' 6-3 7-1 3
5 2
2 6
1 7
1 6
4 7
1 4
5 2
2 6
2 7
2 in
'4' 7
1 5
5 2
3 6
1 7=
2 2
4 7
'l 6
5 i
2 3
6 2
7
'2 3
4, 7,
42' 1 5
7 2
4 4=
7 2
2 5"-
2 4
1 1
2 4
1 2
7 2
5 4
7 2
3 5'
2 4
1 3
7 2
6 3
7 2
4 51
~
2 4
2 1
7 2
6 4
7 2
5 5
?
2 4
2 2
7 3
1 4
7 2
6 5
i.
2 4
2 3
7, 3
2 4
\\,,
7 3
1 5
2 4
3 1
7 3
3 4
7 3
2 5,;
2 4
3 2
7 3
~4) 4 7
3 3
5 2
4 4
1 7
3' / 5 4
7 3
4 S
2 4
4 2
7 3
6
~3 7
3 5
5 2
4 5
1 7
37.I6 4
7 3
6 5
2 4
5 2
7 4
1 4
e.
7 4_1,5 2
4 6
1 7
4 2
4 7
4-
'2 5 -
2 4
6 2
7 4
3 3
7
,4 3
5 x
7 4
3 4
7 4
4 Sr Cluster Group 8 7
4
' 4' '
3" 7
4 5
5
~
7-a 4
4 4
'7 4
6 5
GR I
SR SS 7
4
' E.
3 7
4 5'
4 7
1 1
4 7
4 6
"3 7
1 2
4 7
4 6
4 7
1 3
4 r.
NUREG-1032 A-47
Power Authority of the State of New York and Consolidated Edison Company of New York (PASNY), " Indian Point Probabilistic Safety Study," 1982.
SAS Institute, Inc., "SAS Users Guide 1979 Edition," 1979.
Teles, J.
E., S. W. Anderson, and G. L. Landgren, " Tornadoes and Transmission Reliability Planning," in Proc. American Power Conference, Vol. 42, 1980.
U.S. Nuclear Regulatory Commission Generic Letter 81-04, " Emergency Procedures and Training for Station Blackout Events," February 25, 1981.
--, NUREG/CR-2434, H. F. Monty, R. J. Beckman, C. R. McIntear, " FRAC (Failure Rate Analysis Code):
A Computer Program for Analysis of Variance of Failure Rates," March 1982.
--, NUREG/CR-2639, M. J. Changery, " Historical Extreme Winds of the United States - Atlantic and Gulf of Mexico Coastlines," May 1982.
--, NUREG/CR-2890, M. J. Changery, " Historical Extreme Winds of the United States - Great Lakes and Adjacent Regions," August 1982.
--, NUREG/CR-3992, R. E. Battle, " Collection and Evaluation of Complete and Partial Losses of Offsite Power at Nuclear Power Plants," February 1985.
Vigansky, H. W., " General Summary of Tornadoes,1980," in Climatological Data, National Summary, National Oceanic and Atmospheric Administration, Vol. 31, No. 13, 1980.
Wyckoff, H., " Losses of Offsite Power at U.S. Nuclear Power Plants All Years Through 1983," NSAC/80, Electric Power Research Institute, May 1984.
i NUREG-1032 A-48
APPENDIX B EMERGENCY AC POWER RELIABILITY AND STATION BLACK 0UT FREQUENCY:
MODELING AND ANALYSIS RESULTS e
l NUREG-1032 Appendix B
TABLE OF CONTENTS P_ag_e ELEMENTS OF EMERGEN Y AC POWER RELIABILITY MODEL.......................
B-1 COMMON CAUSE FAILURE OF THE EMERGENCY AC POWER SYSTEM..................
B-6 EMERGENCY AC POWER RELIABILITY EVALUATION..............................
B-10 STATION B LAC K0UT FR EQUENCY.............................................
B-19 REFERENCES.............................................................
B-27 LIST OF FIGURES B.1 Emergency AC power unavailability as a function of individual EDG reliability and common cause failure to start for three emergency AC configurations.......................................
B-14 B.2 Emergency AC power' unavailability as a function of loss-of-offsite power duration and four station blackout durations........
B-15 B.3 Emergency AC power unavailability as a function of individual EDG reliability and comon cause failure to start..................
B-16 B.4 Emergency AC power unavailability as a function of individual diesel generator running reliability..............................
B-17 B.5 Emergency AC power unavailability as a function of repair time for independent diesel generator faults...........................
B-18 B.6 Estimated range of emergency AC power system reliability for different diesel generator configurations.........................
B-20 B.7 Estimated station blackout frequency as a function of blackout duration.................................................
B-23 B.8 Estimated station blackout frequency as a function of blackout duration for clusters 2, 4, and 7 (for 1/2 EDG configuration).....
B-24 B.9 Estimated range of station blackout frequency as a function of blackout duration for four offsite power clusters.................
B-25 B.10 Sensitivity of estimated station blackout frequency to diesel generator failure-to-start and failure-to-run values..............
B-26 LIST OF TABLES B.1 Areas of potential common cause failure..............
B-7 B.2 Emergency diesel generator common cause failures B-8 B.3 Common cause failure rate parameter estimates...........
B-11 NUREG-1032 B-iii
t APPENDIX B I
EMERGENCY AC POWER RELIABILITY AND STATION BLACK 0UT FREQUENCY:
MODELING AND ANLYSIS RESULTS In this appendix, the details and results of emergency AC power system relia-bility analyses and station blackout frequency / duration estimates are provided.
The models and analysis results were developed to confirm and extend the find-ings of a previous study (NUREG/CR-2989) and to be used in regulatory analyses.
Modeling has been done at a generic level, but it could be made plant-specific by adjusting failure rate parameters to reflect site location, system design, and operational factors.
The term generic, as used here, is meant to imply that the insights derived are generally applicable to a large number of plants.
Modeling and component failure rate variations are used to account for plant differences in design and operational features that are most important to sys-tem reliability.
Sensitivity analyses were used to explore the effect of design and operational differences on system reliability for a realistic spectrum of differences.
ELEMENTS OF EMERGENCY AC POWER RELIABILITY MODEL The diesel generators--including all the subsystems and the auxiliary systems required to start, load, and run the diesels--are the components that have the highest impact on system reliability.
Specifically the following have been identified as the largest contributors to AC power system availability:
l (1) diesel generator configuration (2) reliability of each diesel generator (3) vulnerability to common cause failure NUREG-1032 B-1
l (4) support / auxiliary system dependence In general, the details of the emergency AC power distribution system design from the Class 1E engineered safety feature buses to the safety system compo-nents using emergency AC power have not been found to be important contributors to system unreliability.
With this in mind, emergency diesel generators, DC i
power supplies, and service water cooling systems were the principal system elements included in the emergency AC power reliability models.
A relatively high level (super component) modeling approach was used that could account for major differences in equipment configuration and support system dependencies while using support system reliability estimates developed in other studies.
Three generic emergency AC power system designs were selected as roughly repre-senting the spectrum of operating nuclear plant systems.
These systems are de-scribed by the number of diesel generators in the system and the number required to maintain core cooling during a loss of offsite power.
These generic systems have been designated 2/3, 1/2, and 1/3, indicating the number of diesel genera-tors required per number available.
Some other configurations do exist, but, emergency AC power system reliability is generally encompassed and well charac-terized by the three systems modeled especially if the variability of failure rates of the major components and auxiliary systems is accounted for.
Configur-ations with a higher degree of redundancy and/or diversity are the exception, 4
not the rule, in current U.S. designs.
The simplified reliability logic models l
for the generic configurations were developed from fault trees and insights on l
what factors are important contributors to AC system reliability.
The simplified l
logic models are provided below:
1 REAC1/2 = 1 - PEAC1/2
= 1 - (PEDG + PCCF2/2)
I REAC1/3 = 1 - PEAC1/3
= 1 - (PEDG + 3PEDG CCF2/3 + PCCF3/3)
P REAC2/3 = 1 - PEAC2/3
=1-(3PEDG + 3PCCF2/3 + PCCF3/3 l
- NUREG-1032 B-2
Where R is the AC power reliability of an "i" out of "j" diesel generator EACi/j system, and PEACi/j is the probability that "i" out of "j" diesels will fail or be unavailable when required, P is the probability that a single diesel gen-EDG erator will fail or be unavailable when required, and P is the probability CCFi/j that "i" out of "j" diesel generators will fail and be unavailable as a result of common causes when required.
A more complete logic model can be developed using Markov modeling techniques (Husseing, 1982) when failure and repair rates are exponentially distributed in time.
However, the simplifications inherent to the models used are in keeping with the approach of accounting for dominant factors affecting system reliability.
Both random independent component failures and common cause or dependent fail-ures are included in the model.
Failure mode considerations included hardware faults and human errors for start and run failures, component repair, and com-ponent out-of-service time for maintenance.
The least detailed level of model-ing was at the support systems, which vary considerably in design.
These sys-tems have been modeled in detail in several probabilistic risk assessments (PRAs).
The reliabilities of the support systems were treated as a super com-ponent or undeveloped event in the logic models with a failure rate indicative of results from other studies (NUREG/CR-3226).
Failure to run was treated as a constant failure rate process, and emergency diesel generator repair was treated as a constant repair rate process.
With these approximations, the probability that a diesel generator will be unavail-able for I hours during a loss of offsite power lasting T is given by SB LOP RfI PEDG = PFTS SB e
l
t+rg[r A
t A
i
+
A e
FTR e'i R g
R dt FTR 0
NUREG-1032 B-3
where T is the mean repair time and A is the failure-to-run rate.
The R
FTR failure to start probability, PFTS, includes the standby demand failure like-lihood of the emergency diesel generator to start and load, plus the unavail-ability because of scheduled and unscheduled maintenance, and the probability that auxiliary systems will fail or be unavailable (out of service) at the time of the demand.
Although the second term of the equation can be integrated easily, the integral is mainteined for applications relating to estimating sta-tion blackout frequency and duration to follow.
because of The probabi~lity of failure to start, load, and run for a time ISB common cause failures is developed similarly to that for independent failures.
It is given by:
SBf'CCFR PEDGCCF = PCCFTS e
I I
-(t+I A
t I
SB CCFR dt A
e CCFTR e
CCFTR do Here, P represents the common cause failure-to-start probability, ACCFTR CCFTS is the associated represents the common cause failure-to-run rate, and ICCFR repair time constant.
For simplicity, the repair rate for auxiliary systems that are required for successful diesel operation has been assumed to be approximately equal to that of the emergency diesel generator.
Double component out-of-service conditions limited by technical specification were eliminated from the final expression through inspection.
However, the possibility of such outages occurring as a result of human errors or simultaneous failures was treated as a common cause unavailability contributor.
Recall that the unreliability of a two diesel generator system was approximated by i
l PEAC1/2 % EDG + PCCF2/2 P
l l
[
NUREG-1032 B-4 L
where PEDG = F1+F2+F3 This approximation can be expanded by setting I
F1=PhTS e SB R I
~I
A F2=PFTS FTR I
e SB R A
r LOP ISB/1 2 e (t2+ISB) I A
t R dt eAFTR 1 dt t
F3*
A e
FTR FTR 2
y
'O A0 with SBf'CCFR PCCF2/2 = PCCFTS2/2 e
FILOP ISB g (t + ISB)f*CCFRdt A
t
+
A e
CCFTR2/2 CCFTR2/2 Jo and PFTS
- OEDG1 + UEDG1 + PDC 1 + P3py PCCFTS
- OCCF2/2 + UCCF 2/2 + PDCCCF + PSWCCF where Q is the probability of a diesel generator failing on demand, U EDG1 EDG1 is the maintenance unavailability of the diesel generator, P is the proba-DC1 bility of DC power supply failure causing a diesel to fail on demand, and P 4
391 is the probability of a service water system failure causing a diesel generator failure on demand.
Terms with subscript CCF represent common cause failure contributions.
The term (UEDG1) is not allowed.
It is accounted for in the term U I"
CCF2/2' a similar manner, the correlations for three diesel generator systems requiring one or two diesels for success can be derived.
NUREG-1032 B-5
COMMON CAUSE FAILURE OF THE EMERGENCY AC POWER SYSTEM There has been a concern for years that the reliability of redundant systems may be limited by single point and common causes of failure resulting in simul-taneous unavailability of two or more trains.
Several techniques for modeling and quantifying the major contributors and their likelihood have been, and con-tinue to be, developed.
Some of these techniques are aimed at a qualitative evaluation of common cause failure potential (Rasmuson, 1982), while others are primarily used to estimate common cause failure likelihood (Fleming and Raabe, 1978).
Existing techniques have been used in this study to model and quantify common cause failures on a generic level, with sensitivity analyses used to evaluate realistic variations in common cause failure likelihood and the effect on emergency AC power reliability.
Emergency diesel generator operating experience for the years 1976 through 1980 was reviewed and documented in NUREG/CR-2989.
Other reviews (EPRI, 1982, and Steverson and Atwood, 1981) also show relevant operating experience and analysis of common cause failures of emergency diesel generators.
Based on information from these sources and a limited re-review of common cause candidate licensee event reports (LERs), an updated list and classification of multiple emergency diesel generator failures and outages has been prepared.
When enough informa-tion exists, the common cause failures can usually be identified as falling into i
one of four groups:
(1) design / hardware, (2) operations / maintenance, (3) sup-port systems / dependencies, and (4) external environment.
A further breakdown of this classification scheme is provided in Table 8.1.
The list of common l
cause failure candidates taken from LERs is in Table B.2.
In NUREG/CR-2989 these were classified somewhat more generally in two broad categories of hard-ware and human-error-related failures.
These two categories were then classi-fied more specifically into generic and plant-specific design groups and into j
generic human error or plant procedure-specific human error.
Common cause failure rates were estimated in NUREG/CR-2989 using the binomial failure rate (BFR) computer code (Atwood and Smith, 1982).
The estimated common cause failure rates varied by about an order of magnitude depending on plant design and procedural dependencies.
If individual emergency diesel generator NUREG-1032 B-6 l
Table B.1 Areas of potential common cause failure Common.cause.
Types of failure group potential failures DESIGN / HARDWARE Mechanical / structural design inadequacy Subsystems (fuel, cooling, start, actuation)
Environment (normal)
OPERATIONS / MAINTENANCE.
Inadequate procedures Errors of ommission/ commission Wrong procedure DEPENDENCE / SUPPORT SYSTEMS
' DC control power Service water cooling EDG room HVAC Electrical interface EXTERNAL Fire Flood Severe weather Seismic Other internal environmental extremes l-l' l
-NUREG-1032 B-7 w-w
--u-we-e-n-.-m-
-e, a
a
-+--
.e
Table B.2 Emergency diesel generator (EDG) common cause failures Plant (number Date of LER Description of EDGs) event number of event Common cause failure to start (CCFTS)
Brunswick 1, 2 01/04/77 77001 All four EDGs started, but two (4) tripped off because of low lube oil pressure.
Calvert Cliffs 11/04/76 76044 Service water outlet valve was 1, 2 (3) closed, causing service water relief valve to lift.
Crystal River 3 01/04/79 Ventilation system failed because (2) of excessively high room tempera-ture, and EDGs failed to start.
Dresden 2, 3 10/23/81 81033 Service vcter check valve failed, (3) causing high service water tem-perature, and two EDGs tripped.
Millstone 2 (2) 05/15/77 77020 Both EDG fuel supply valves were found closed.
Peach Bottom 06/13/77 77026 One EDG was out of service for 2, 3 (4) maintenance.
The air-start com-pressor tripped on overload, and two EDGs failed to start.
Air tank ties were left open and check valves leaked.
Prairie Island 12/09/77 77042 The operator failed to reset the 1, 2 (2) safety injection start relays before stopping the EDGs.
This resulted in starting failures for both EDGs.
Salem 1 (3) 07/30/77 77059 Two EDGs failed to start because of a leak of lubrication in the fuel rack linkage, which result-ing in linkage binding.
Salem 1 (3) 10/08/80 80060 All three EDGs failed to start because of a misaligned service water valve.
The operator disabled service water from train 2 while train 1 was down for maintenance.
NUREG-1032 B-8
Table B.2 (continued)
Plant (number Date of LER Description of EDGs) event number of event Common cause failure to run (CCFTR)
FitzPatrick (4) 11/17/76 76078 The fuel oil transfer pump would not operate.
Yankee Rowe (3) 08/02/77 77042 Cooling water radiator tubes were plugged by sludge, causing two EDGs to fail to run.
I l
l NUREG-1032 B-9
I reliability is maintained at or above industry average levels, common cause failure contributed on the order of one-half the system unavailability for the less redundant configurations and most of the unavailability for the more redun-dant designs, especially when demand failure rates are low (<0.03).
At lower reliability levels, independent diesel generator failures are the major contri-butor to the unavailability of the onsite AC power system.
A technique that has been used to estimate the likelihood of emergency diesel generator common cause failure is the beta factor method (Fleming, 1975) and its extension known as the multiple Greek letter (MGL) method (Fleming and Kalinowski, 1983).
This method was used to estimate common cause failure rates from the updated LER review.
Table B.3 provides the MGL parameter estimates and common cause failure rate estimates that were derived by the MGL method.
It also compares these estimates with " generic" rates derived in NUREG/CR-2989 using the BFR method.
Differences result more from data classification than from analytical method.
EMERGENCY AC POWER RELIABILITY EVALUATION The reliability estimates for the generic emergency AC power systems were derived for instantaneous availability on demand and mission reliability.
(The latter is the likelihood that emergency AC power will be available for a speci-fied mission length, such as the duration of a loss-of-offsite power event or for the duration of a test.) System reliability analysis parameters were selected to represent the average of the operating reactor population as well as the variations within that population.
The population average and ranges for the system reliability analysis parameters are described below.
(1) Emergency Diesel Generator Failure To Start Based on data reported in NUREG/CR-2989, the failure rate can vary con-siderably from plant to plant.
The following failure rates have been identified:
NUREG-1032 B-10
l Table B.3 Common cause failure rate parameter estimates Results of BFR results MGL analysis (NUREG/CR-2989)
N CCFTS(2) = 0.019
- SFTS, FTS 9+UCC2 = 5.0 x 10 4 7.1 x 10" PCC2
- OFTS 0 N
_ CCFTS(3) _ 0.17 yFTS N
CCFTS 9+UCC3 = 8.9 x 10 5 1.8 x 10 4 PCC3
- YFTSOFTS 0
Y PCC2/3
- 2 FTS pFTS O+UCC2/3 = 2.6 x 10 4 5.6 x 10 4 D
pFTR = 0.02 ACC2
- OFTR FTR = 4.8 x 10 5/hr 0
A YFTR = 0 FTR FTR FTR = 0 ACC3
- Y O
A 1 yFTR 0
A
= 2.4 x 10 5/hr 0
ACC2/3
- 2 FTR FTR "CCFTS = 9 NFTS = 465 NCCFTS (>3) = 1 NCCFTR = 2 NFTR = 100 NCCFTR(h)=0 P
O J
NUREG-1032 B-11
Probability of failure / demand Average 0.02 High 0.08 Low 0.005 (2) Emergency Diesel Generator Failure To Run A constant failure rate of 0.0024 per hour was estimated in NUREG/CR-2989.
A range of 0.001 to 0.01 is reasonably representative of other published estimates (EPRI, 1982).
(3) Emergency Diesel Generator Repair Time Approximately 50% of all diesel generator failures reported in NUREG/
CR-2989 were repaired within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />.
If two diesel generators failed as a result of independent causes, and operators could diagnose the problems to select the quickest possible repair, in 50% of these cases one of two diesel generators would be ropaired in approximately 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.
These two cases have been used as representative of the repair rate.
(4) Common Cause Failure Common cause failure rates were obtained from NUREG/CR-2989 for diesel generator hardware and human-error-related causes; however only failure-to-start estimates were made in that study.
Subsequently, the MGL method has been used to estimate generic common cause failure rates for both l
failure to start and failure to run.
Human errors causing a simultaneous out-of-service state for two or more diesel generators were included in 1
estimates of failure to start. The MGL estimates are consistent with the generic estimates made in NUREG/CR-2989.
The common cause failure rates, for support systems--such as DC power, service water and component cooling water--were obtained from NUREG/CR-3226.
NUREG-1032 B-12
(5) Common Cause Failure Repair Rates for Components and Subsystems 4
When the inadvertent removal from service of more than two diesel gener-
~
ators is excluded, the failure mode and repair rates appear similar to
}
those for independent failure causes.
In this case, however, the same repair time could be expected for both units.
For inadvertent removal from service, repair (or restoration) can be accomplished usually in less i
j than 1 hcur and many times even more promptly (within minutes).
Repair rates for hardware failure and maintenance outages have been based on median repair times of 2 to 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />.
The effect of system reliability parameter variations covering the realistic 2
range was analyzed to determine the sensitivity within the generic models and j
the variability that is possible in plant-specific cases.
The following factors i
were analyzed to determine the sensitivity of emergency AC power reliability:
(1) emergency AC power system configuration (2) diesel generator failure to start and to run (3) diesel generator repair time i
l (4) common cause failure rate to start and to run
]
(5) common cause failure repair rate (6) duration of emergency AC power failure and mission (loss of offsite power) length The results of the sensitivity analyses are provided in Figures B.1 through B.S.
The sensitivity results are generally comparable to those obtained in NUREG/CR-2989 and several PRAs.
Figure B.1 shows that the starting reliability of emergency diesel generators is j
most important when lower than average diesel generator performance exists or when system configurations represent nominal redundancy (e.g., 2/3 and 1/2).
NUREG-1032 B-13
l I
I I
I Common Cause Failure to Start
~
--- 3x Base Value
~
Base Value (6.6 x 10'#)
- -- 1/3x Base Value DURATION OF LOSS OF OFFSITE POWER IS 0 HOURS DURATION OF STATION BLACKOUT IS 0 HOURS
\\\\\\x N
s 10
\\
~~
~
E N N.
N
\\
5 NN
\\
\\ N a
N N
N a
N g\\
\\
CONFl ATION
\\
N
\\
k
\\
2of3
-N 5
NN
\\
\\
o i
N N
\\
\\
w
__ N N
.3
\\g 1 of 2 g
N N
g\\
g
\\
\\
\\
l of 3 N
N.N %
l l
4 I
I I
I I
,o 0.90 0.92 0.94 0.96 0.96 1.00 INDIVIDUAL EDG RELIABILITY Figure B.1 Emergency AC power unavailability as a function of individual EDG reliability and common cause failure to start for three emergency AC configurations NUREG-1032 8-14
' I I
I I
I I
I I
I I
I 1 of 2 EDG CONFIGURATION 0 hrs
-- 1 of 3 EDG CONFIGURATION 2 hrs
~
4 hrs N
2 m
5 R
4 10
8 hrs-
~
g g
n.
U 4
~
2 hrs
~
j w
/
0
/
Y p
b
/
p#
4 hrs
/
/
/
/
Y
/
/
/
Y
/
f
/
/
/
/
/
8 hrs
/
/
/
/
/
/
/
I i
I I
I 10 0
2 4
6 8
10 12 14 16 18 20 22 24 LOSS OFFSITE POWER DURATION (hrs)
Figure B.2 Emergency AC power unavailability as a function of loss-of-offsite power duration for four station blackout durations NUREG-1032 B-15 l
10' l
1 I
I
~
Common Cause
~
Failure to Start
~
--- 3x Base Value
~
Base Value (6.6 x 10 )
- -- 1/3x Base Value DURATION OF LOSS OFFSITE POWER IS 8 HOURS N
DURATION OF STATION BLACKOUT IS 4 HOURS g
NN NDN
\\\\
2 10 N
\\
N
\\
N s
5 s
N
\\
N N
N E
s g
\\
\\
a N
N, N
z
\\
\\
\\
EDG E
\\'N 3
N N CONFIGURATION NN
\\
\\
\\
\\
2of3 -
\\
E N
s N
\\
\\
\\
10 '
N N
N
%\\
[\\
N 1 of 2 g
i N,N w%- --. s ~ -----.\\
N
-.-A i
\\ N 1
%,N N N
\\
l of 3 N
l 10.
I I
I I
i 0.90 0.92 0.94 0.96 0.98 1.00 INDIVIDUAL EDG RELIABILITY Figure 8.3 Emergency AC power unavailability as a function of individual EDG reliability and common cause failure to start NUREG-1032 B-16 1
(
I I
I I
I I
I I
I I
Common Cause Failure to Run
--- 3x Base Value
~3 Base Value (2.4 x 10 per hour)
--- 1/3 Base Value DURATION OF LOSS OFFSITE POWER IS 8 HOURS DURATION OF STATION BLACKOUT IS 4 HOURS
-2
~
10
's.N E
N N
d
\\
% \\
EDG 8D 5
CONFIGURATION R
N N
\\
N N
z g
[
g%
\\ 2cf3 N
Wit N
N 2
N N
\\
l 0
\\
4 U
N N
z N
g 10
\\ 1 of 2
~
~
w N
N N
N g
_ l of 3 4
I I
I I
I I
I I
I I
10 0.900 0.084 0.988 0.992 0.996 1.000 INDIVIDUAL DIESEL GENERATOR RUNNING RELIABILITY Figure B.4 Emergency Al power unavailability as a function of individual diesel generator running reliability NUREG-1032 B-17
l I
I I
i
-2 10 DURATION OF LOSS OFFSITE POWER IS 8 HOURS DURATION OF STATION BLACKOUT IS 4 HOURS 1 cf 2 EDG CONFIGURATION N
E m
h Repair Time for Common Cause Faults g
4 8 hrs
- p-4 hrs z
y
/p
- p=== 2 hrs w
5
/
4
/
p#
2 10
~
o p
g
/s z
E 5
l l
i i
l 10 0
2 4
6 8
10 12 REPAIR TIME FOR INDEPENDENT DIESEL GENERATOR FAULTS (hrs)
I t
l Figure B.5 Emergency AC power unavailability as a function of repair time for independent diesel generator faults l
NUREG-1032 B-18
Common cause failures dominate system failure probability when individual diesel reliability levels are above average or when a higher level of redundancy (e.g.,
1/3) is introduced.
Also note that for the 1/3 configuration, common cause
{
failure of support systems (e.g., service water, DC power) that are held con-stant in these analyses constrain the potential unavailability levels that can be achieved through improved diesel generator performance.
Figure B.2 shows the effect of mission duration and mission success.
For a longer mission time (longer duration of loss of offsite power), the chance of mission success (operation without failure) decreases.
But, as the success criterion is eased (the duration of unavailability is less than 2, 4, or 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />), the mission reliability improves.
There is a factor of four difference in unreliability as system success criteria change from an unavailability of 2 to 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> for an 8-hour loss of offsite power.
The cases analyzed in Figure B.1 have been re-analyzed in Figure B.3.
The latter analyses includes a mission time of 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> and an unavailabiity success criterion of not greater than 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.
A similar analysis was performed to evaluate the sensitivity of running reliability (failure-to-run rate), the results of which are shown in Figure B.4.
Common cause failure to run is seen as a lesser but not insignificant contributor to system unreliability than the failure-to-start common cause failure.
The results are not overly sensitive to repair rates within the ranges identified, as evidenced by results provided in Figure 8.5.
Within the reliability performance ranges identified, there is potential for significant disparity of emergency AC power system reliability for any of the configurations analyzed.
Figure B.6 shows the estimated range of emergency AC power unavailability obtained by using combina-tions of above and below average reliability performance parameters.
STATION BLACK 0UT FREQUENCY Station blackout has been defined as the loss of all ac power supplies from both offsite and safety-related sources.
Also, a station blackout must exist for sufficient time to incur core damage and resultant potential risk.
There-fore, station blackout models incorporate duration as a parameter in frequency estimates.
Although in some instances it is possible to have a station black-out initiated by failure of, or operational errors associated with, DC control power, this type of event is more rare than the station blackout sequence beginning with loss of offsite power and followed by failure of the safety-related AC power supplies.
DC power reliability is the subject of another NUREG-1032 B-19
4 10 High Values 5 Diesel ljty 4 > Base Values Rel a Parameters Low Values 4
10'*
C s
m 5
4 o
g z
3 5
m o
O4 t>
0
$o Ez 3
w
,g g
l
~
I 10 20f3 1 of 2 1 of 3 DIESEL GENERATOR CONFIGURATION Figure B.6 Estimated range of emergency AC power system reliability for different diesel generator configurations NUREG-1032 B-20
generic safety issuc, designated A-30, " Adequacy of Safety-Related DC Power Supplies."
Station blackout frequency estimates can be made by combining the loss-of-offsite power models developed in Appendix A with the emergency AC power relia-bility models of this appendix.
Recall that the loss-of-offsite power frequency and duration correlation derived in Appendix A was a two parameter Weibull function of the form ALOP (t) = ALOP
- where ALOP, o, and p are constants that can be derived for a specific combina-tion of site location and design feate es.
Subscripts have been dropped for convenience.
The frequency of a station blackout is derived by combining the loss-of-offsite power duration (repair) frequency with the rate of emergency AC power system failures of duration I ver the time period of interest for SB which a loss of offsite and emergency AC power can occur.
This is the same I
general approach that has been taken in other studies (Evans and Parry, 1983; PASNY, 1982) to estimate the frequency of total losses of offsite and emergency AC power for risk analysis.
For the 1/2 emergency diesel generator configura-tion, the equation for tha frequency of a station blackout lasting I SB longer can be written as
^ SB1/2 (ISB)
- ALOP (ISB}PhTS*~
SB[I
+ALOP (ISB) PCCFTS2/2 CCFR e
ILOP ISB
- (t + ISB)[I
~A t
e FTR e R
SB)A
+2P A
o NUREG-1032 B-21
-(t p
y+ISBf*R A
t
-t FTR 2 e f* LOP ISB f LOP ISBA e
I
+2 FTR dt 2 J0 dt1 ALOP (t ) AFTR dt e
M 1 y
y I
- (t + I A
LOP (t+ISB)A I
+
A e
CCFTR e SB CCFR dt CCFTR In a similar manner, the station blackout frequency equations for three diesel generator systems requiring one or two diesels for success can be derived.
Analyses have been performed to estimate station blackout frequencies and dura-tions to study the sensitivity of these estimates to uncertainty in certain dominant factors.
As a starting point, each loss of offsite power cluster cor-relation from Appendix A was combined with the emergency AC power system reli-ability models using nominal parameter values for emergency diesel failure to start and run, repair, and common cause failure rates.
Then the estimated fre-quency of a station blackout lasting from 0 to 16 hours1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br /> or longer was calcula-ted.
The results for the 2/3, 1/2, and 1/3 diesel generator configurations are shown in Figure B.7.
This figure shows that wide variations in station blackout frequency are possible depending on diesel generator configuration and relia-bility, plant offsite power system design, grid reliability, and susceptibility to severe weather hazards.
As a sensitivity, two modified cluster correlations were developed with higher than nominal grid unreliability; they were combined with the 1/2 emergency AC power configuration model and produce the results in Figure B.8.
Several analyses were performed to demonstrate the sensitivity of station blackout frequency estimates to variations in emergency diesel generator fail-ure rate for both independent and common cause failures.
Figure B.9 shows the effect of above average and below average failure rate estimates for the 1/2 configuration and several representative loss-of-offsite power frequency cor-relations.
The 1/3 configuration has been similarly analyzed, and the results are provided in Figure B.10.
l l
NUREG-1032 B-22 L
10-3 Cluster 8 Cluster 9 10-4 N
\\
N N
N N N
s I \\
\\
N
\\
\\
N U
b k
\\
\\
N Offsite
(
g
@}
\\
N Power w
10-5 k
\\
\\
N Cluster g
g
\\
~~
s sg N
s s-t DS
\\
N OE.
k
\\
N s s N
\\s, Y'N
\\
\\
N 5
mz
-\\
's, N N
s,N s
z~
\\
's N4 0
s
\\s N
\\
I-10-6
\\
's,'
N,'N,N h
's M
\\
\\
%\\
'\\
k'k 5
N 7
s
'% g
's, s,
'N
's N
6 s,
10-7
\\
7
'%y ss
'N*
's N2 s
s
's
'\\'
1 of 2 3
---2 of 3 DG Configuration s,'s
's\\s\\
......-1 of 3 s,2 s's 7
2 s
i i
i 10-8 1
2 3
4 5
6 7
8 9
10 11 12 13 14 15 16 STATION BLACKOUT DURATION (hrs)
Figure B.7 Estimated station blackout frequency as a function of blackout duration NUREG-1032 B-23
10 1
I 4
10 g
1'N sg
' 's i N
!ss N
i 4 's \\
\\%
\\
s s
\\ \\, \\
2 s
\\,
{
10 7 % \\ \\g%
\\
5 2
o ss N
- \\\\
\\
d
%\\
s N
s
%g O
\\
\\
\\
E g 'g g
=
ss s N
3
\\ \\gs N
O
'g% 'g
\\
'gg'g's g
OFFSITE
'% s's N
POWER m
N CLUSTER 10 ' 7 zo N
h 4
s
% g
% g 7
10 7
- g GR7
- g' s's GR3
- /
.G R1, 2
'%g' 2
10 '
I I
0 2
4 6
8 10 12 14 16 DU R ATION (hrs)
Figure B.8 Estimated station blackout frequency as a function of blackout duration for clusters 2, 4, and 7 (for 1/2 EDG configuration)
NUREG-1032 B-24
m.
i I
t 10.
j
}
1 r 3x Base Diesel Generator Reliability
/
V Parameters
~
't p 15ase Value
> for Fr,ilure 1.
to Start and FaPurs to Run i
%x Base 4
3
~
. l\\
1 r
m.
Cluster 8 t
S 4
e 10 1
t.
>-3 11 0
o t t m- -
m
$ 10' {
\\
',/
~
e
~
~~
O$ site Power
>\\
\\
m o
Cluster
~~
4
~ ;
4 E
t.
t t
y 10
'I
^
~.
t 2
+
,i 1 of 2 Diesel Generator Configuation 10 E t
i i
i I
I I
- I I
0 2
4 6
8 10 12 14
\\S W
20 DURATION OF STATION BLACKOUT (hours)
Figure B.9 Estimated range of = station blackout frequency as a function of' blackout duration for four'offsite power clusters
/
NUREG-1032 B-25
. i 1
2
104 Offsite Power Cluster
=2:
7 b
10-4 b
\\ \\N o
s z
N N N us 6
s's' D
N (Offsite Power Cluster, d_
N N
Multiplier for DG Values)
EE N
- u. f 10-5 N,,'*
>- a 6
N Do
,'s u
(
'%,N.
N (5,3)
's, g \\g oy 5-N' s\\
en E 10-6 N
N N (4,3)
Z-9
\\
r r
N (5,1/3)
\\,\\
N,%
(7,3) 10-7
'N (4,1/3)
(2,3) h(2,1/3)
(7.1/3) i i
i I
10-8 I
I I
I i
i i
i i
I 0
2 4
6 8
10 12 14 16 STATION BLACKOUT DURATION (hrs)
Figure B.10 Sensitivity of estimated station blackout frequency to diesel generator failure-to-start and failure-to-run values NUREG-1032 B-26
REFERENCES Atwood, C.
L., and W. J. Smith, " User's Guide to BFR, a Computer Code Based on the Binomial Failure Rate Common-Cause Model," EG&G Idaho Inc., EGG-FA-5502, July 1982.
Electric Power Research Institute (EPRI), " Diesel Generator Reliability at Nuclear Power Plants:
Data and Preliminary Analysis," EPRI NP-2433, June 1982.
Evans, M. G. K., and G. W. Parry, "Quantification of the Contribution to Light Water Reactor Core Melt Frequency of Loss of Offsite Power," in Reliability Engineering, 6:43-45, 1983.
Fleming, K. N., "A Reliability Model for Redundant Safety Systems," in Procedings on the Sixth Annual Pittsburg Conference on Modeling and Simulation, April 24, 1975.
Fleming, K. N. and A. M. Kalinowski, "An Extension of the Beta Factor Method to Systems with High Levels of Redundancy," Pickard, Lowe and Garrick, Inc.,
PLG-0289, June 1983.
Fleming, K. N. and P. H. Raabe, "A Comparison of Three Methods for Quantitative Analysis.of Common Cause Failures," U.S. Department of Energy Report GA-A-14568, General Atomic Company, National Technical Information Service, May 1978.
Husseing, A. A., et al., " Unavailability of Redundant Diesel Generators in Nuclear Power Plants," in Reliability Engineering, 3:109-169, 1982.
Power Authority of the State of New York and Consolidated Edison Company of New York (PASNY), " Indian Point Probabilistic Safety Study," 1982.
Rasmuson, D. M., et al., "Use of COMCAN III in System Design and Reliability Analysis," EG&G Idaho, Inc., EGG-2187, October 1982.
NUREG-1032 B-27
Steverson, J. A., and C. L. Atwood, " Common Cause Failure Rate Estimates for Diesel Generators in Nuclear Power Plants," EG&G Idaho, Inc. EGG-M-00681, 4
National Technical Information Service, September 1981.
U.S. Nuclear Regulatory Commission, NUREG/CR-2989, R. E. Battle and D. J. Campbell, " Reliability of Emergency AC Power Systems at Nuclear Power Plants," July 1983.
--, NUREG/CR-3226, A. M. Kolaczkowski and A. C. Payne, Jr., " Station Blackout Accident Analyses (Part of NRC Task Action Plan A-44)," May 1983.
I l
i j
i i
NUREG-1032 B-28
APPENDIX C STATION BLACK 0UT CORE DAMAGE LIKELIHOOD AND RISK NUREG-1032 Appendix C
TABLE OF CONTENTS PBM STATION BLACK 0UT CORE DAMAGE LIKELIH00D..........................
C-1 STATION BLACK 0UT RISK............................................
C-15 REFERENCES.......................................................
C-17 LIST OF FIGURES Figure C.1 Station blackout risk perspective for different containments................................................
C-18 LIST OF TABLES Table C.1 Summary of potentially dominant core damage accident sequences..........................................
C-2 C.2 Decay heat removal failure probability for loss of core cooling early during station blackout..................
C-6 C.3 Estimated frequency of early core cooling failure during station blackout, per reactor year...................
C-7 C.4 Tabulated estimated values of total core damage frequency for station blackout accidents as a function of emergency diesel generator configuration, EDG unreliability, offsite power cluster, and ability to cope with station blackout....
C-9 C.5 Comparison of results with NUREG/CR-3226....................
C-16 NUREG-1032 C-iii
s APPENDIX C STATION BLACK 0UT CORE DAMAGE LIKELIHOOD AND RISK This appendix provides a description of the simplified method used to estimate station blackout core damage likelihood, and risks from station blackout tran-sients.
The models and results are generic in nature and intended for use in regulatory analyses.
The station blackout frequency estimation models described in Appendix B of this report were integrated into sequences involving failure of decay' heat removal systems with AC power unavailable, thus allowing the esti-mation of the frequency of core damage as a result of station blackout events.
When core damage proceeds to core melt and containment failure, fission products may be released to the environs, causing risk to public health and safety.
The likelihood of station blackout transients involving core damage and the dominant accident sequences have been identified by Kolaczkowski and Payne in NUREG/CR-3226, using event tree and fault tree analyses of several typical plant designs.
However, the variability of station blackout frequency and dura-tion was not evaluated systematically as part of that work.
In this appendix, the station blackout models have been combined with the decay heat removal and core cooling failure sequences to obtain a more complete evaluation of the sen-sitivity of station blackout core damage likelihood and risk estimates to varia-tions in plant design.
STATION BLACK 0UT CORE DAMAGE LIKELIHOOD The dominant station blackout sequences are provided in Table C.1.
Both pres-surized water reactors (PWRs) and boiling water reactors (BWRs) have sequences that involve early core cooling failure (essentially on demand) and time-dependent failures related to capacity, capability, and transient phenom-enological conditions associated with a loss of all AC power.
For the dominant NUREG-1032 C-1
s Table C.1 Summary of potentially dominant core damage accident sequences AC recovery Generic DHR system / component time to avoid plant type Sequence contributors core damage, hr PWR TML 8 Steam-driven AFWS unavailable 1 to 2 1 1 (all)
TML B DC power or condensate exhausted 4 to 16 2 2 TMQ2B RCS pump seal leak 4 to 16 2
BWR TMui 1 Isolation condenser unavailable 1 to 2 B
w/ isolation condenser TMQi 1 Stuck open relief valve 1 to 2 B
TMQ2 2 RCS pump seal leak 4 to 16 B
BWR TMutB HPCS/RCIC unavailable 1 to 2 i
w/HPCS-RCIC TMU B DC power or condensate exhausted, 4 to 16 2 2 component operability limits exceeded (HPCI/RCIC)
BWR TMu1B HPCS/RCIC unavailable, 1 to 2 1
w/HPCS-RCIC TMU B HPCS unavailable, DC power or 4 to 16 2 2 condensate exhausted, component operability limits exceeded (RCIC)
Notes:
DHR = decay heat removal HPCI = high pressure coolant inspection AFWS = auxiliary feedwater system RCIC = reactor core isolation cooling RCS = reactor coolant system HPCS = high pressure core spray NUREG-1032 C-2
l accident sequences, the core damage times have been characterized as falling into two groups:
(1) a core damage time of 1 to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> for the early core cooling failure types of sequences, or (2) core damage in the 2 to 16 hour1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br /> range for the sequences involving capability and capacity limitations causing loss of core cooling during extended blackouts.
Sequences involving longer duration blackouts than these have not been found to be nearly as important.
Thermal hydraulic analyses have been performed to determine event timing for both types of sequences (Fletcher, 1982; Schultz and Wagoner, 1981).
In gen-eral, it has been estimated that it will take between 1 and 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> to uncover 1
the reactor core following a station blackout and loss of all core cooling, and perhaps another 1 to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> for the reactor core to melt and penetrate the reactor vessel after the core is uncovered.
If decay heat removal is initially successful during station blackout and then is lost several hours into the transient because of design limitations, the time to core uncovery and melt will be somewhat extended as a result of lower primary coolant temperatures 1
and reduced decay heat levels.
The dominant accident sequences were modeled as either an early core cooling failure or as a subsequent loss of core cooling.
In the former case, the like-lihood of the accident sequence is given by the probability of a station black-out combined with the probability of failure to maintain adequate core cooling or decay heat removal by AC-independent means long enough to cause core damage.
For PWRs and most BWR-2 and -3 plants that do not have a makeup capability inde-pendent of AC power, there are two paths to inadequate core cooling early during station blackout.
The first involves failure of the turbine-driven train of 1
the auxiliary feedwater system in PWRs or failure of the isolation condenser in the BWR-2 and -3 plants.
Because neither of these reactor types has a makeup capability independent of AC power, the core will be uncovered early by a major loss of reactor coolant system (RCS) integrity such as a stuck-open relief value or gross failure of reactor coolant pump seals, either of which could result in leak rates upwards of several hundred gpm.
BWRs with reactor core isolation I
cooling (RCIC) systems, steam turbine-driven high pressure coolant injection (HPCI) systems, or high pressure core spray (HPCS) systems with a dedicated diesel generator can cool the reactor core and have the potential to make up NUREG-1032 C-3
=_
4 1
l losses of coolant equal to or greater than those identified above.
The latter type of sequence was modeled as the likelihood of a station blackout of a dura-tion sufficient to exceed core cooling systems capabilities and allow core damage to occur.
If decay heat removal is initially successful, if reactor coolant leakage rates do not exceed makeup capability, and if primary coolant inventory requirements are met, operators should be able to establish a rela-tively stable decay heat removal mode.
However, decay heat removal capability during longer blackouts may be limited by the capacity of support systems such as DC power or compressed air, by reactor coolant leakage when makeup is unavail-able or insufficient, or by thermal limitations on component operability as a result of the loss of heating, ventilation, and air conditioning systems.
In light of the above discussion, the general form of the core damage accident likelihood equation considering both early phase and longer term decay heat removal failure is as follows:
SB(t ) (PDHR/SB + PLOCA/SB) + PSB(t )
(1)
PSBCD = P l
2 where P is the probability of core damage due to station blackout, PSB(t )
t SBCD is the probability of a st tion blackout of duration t, and t is a time i
i i
sufficient for core damage to occur if all decay heat removal capability is lost at the onset of a station blackout.
P is the probability of decay DHR/SB heat removal failure on demand given station blackout.
P is the LOCA/SB
[
probability of a station-blackout-induced loss of reactor coolant integrity SB(t ) is the probability of a that would cause an early core cooling loss.
P 2
l station blackout of duration t, where t2 is a time sufficient for core 2
l damage to occur because decay heat removal capability limits are exceeded c
l during an extended duration station blackout.
I i
In terms of the notation used to describe the dominant accident sequences for the various type of light water reactors (LWRs) identified in Table C.1, the equation can be written as follows:
NUREG-1032 C-4
for PWRs:
PSBCD = TMB (L i
i + Q1) + TMB2 (2) for BWR 2/3s:
PSBCD = TMB (U 1
1 + Qi) + TMB2 (3) for BWR 4/5/6s:
PSBCD = TMB U + TMB (4) 1 1 2
The probabilities for (L 2 + Q2), (U2 + Q2), and U2 have been set equal to 1.0, because the time of B2 was selected to represent loss of decay heat removal capability as a result of design limitations.
The probability contribution to Q1 from reactor coolant pump seals degradation during station blackout is not well known.
Based on material reviewed in NUREG/CR-3226, the impact of reactor coolant pump seal leakage was assumed to represent a potential limit on the TMB type of sequences.
2 The TMB portion of equations 2, 3 and 4 above can be estimated from the first i
term failure-to-start portion of the station blackout equations in Appendix B.
The TMB term of these equations can be estimated from the complete station 2
blackout equations in Appendix B.
Probability estimates for L, U i
1 and Qi were derived from NUREG/CR-3226 and are summarized in Table C.2.
Estimated values of the early loss of core cooling term of equations 2, 3, and 4 are provided in Table C.3.
This table shows the sensitivity of the estimated frequency of early core cooling failure during station blackout on loss-of-offsite power characteristics (clusters 1 through 9), emergency AC power unre-liability (EDGR) (i.e., failures per demand) and decay heat removal unreliability (DHR).
The second term estimates of equations 2, 3, and 4 are the same as the station blackout frequency and duration assessments provided previously, given that t is defined.
Because the capability limitations vary from plant to plant, 2
so will t.
Some example estimates for the total core damage frequencies given 2
capacity limitations which equate to station blackout durations of 2, 4, 8, and 16 hours1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br /> are provided in Table C.4. These estimates include the early core cool-ing failure frequencies from Table C 3.
The results in Tables C.3 and C.4 show that the frequency and duration probabil-ities of offsite power failures, emergency AC power configuration, and NUREG-1032 C-5
_y
-v-,-
-=v-v-----
'--r----=--
Table C.2 Decay heat removal failure probability for loss of core cooling early during station blackout Probability of System / train / component failure Auxiliary feedwater systems 1 steam turbine-driven train 0.04 2 steam turbine-driven trains 0.002 Isolation condenser 0.01 Stuck-open SRV (BWR) 0.025 HPCI/RCIC 0.005 HPCS/RCIC 0.001 l
NUREG-1032 C-6
E Table C.3 Esticated frequency of early core cooling failure A
during station blackout, par rsactor year *
?
h Cluster to DHR EDGR 1
2 3
4 5
6 7
8 9
(1/2 EDG configuration)
' O.1 1.1(-6) 1.4(-6) 3.1(-6) 7.5(-6) 1.3(-5) 2.0(-6) 6.6(-6) 1.1(-5) 2.6(-5) 0.05- < 0.05 3.8(-7) 4.9(-7) 1.0(-6) 2.6(-6) 4.5(-6) 7.0(-7) 2.3(-6) 4.3(-6) 9.9(-6) l 0.025 1.8(-7) 2.2(-7) 4.8(-7) 1.3(-6) 2.2(-6) 3.3(-7) 1.1(-6) 2.1(-6) 5.1(-6)
,0.01 1.0(-7) 1.3(-7) 2.8(-7) 7.4(-7) 1.3(-6) 1.9(-7) 6.1(-7) 1.4(-6) 3.4(-6)
I 0.1 2.3(-7) 2.8(-7) 6.1(-7) 1.5(-6) 2.5(-6) 4.0(-7) 1.3(-6) 2.4(-6) 5.3(-6) 0.01-0.05 7.7(-8) 9.7(-8) 2.1(-7) 5.3(-7) 9.1(-7) 1.4(-7) 4.6(-7) 8.5(-7) 2.0(-6) 3.5(-8) 4.4(-8) 9.6(-8) 2.5(-7) 4.4(-7) 6.6(-8) 2.1(-7) 4.2(-7) 1.0(-6)
(0.025 0.01 2.0(-8) 2.6(-8) 5.6(-8) 1.5(-7) 2.7(-7) 3.9(-8) 1.2(-7) 2.7(-7) 6.8(-7) n 0.1 1.1(-7) 1.4(-7) 3.1(-7) 7.5(-7) 1.3(-6) 2.0(-7) 6.6(-7) 1.2(-6) 2.6(-6) 0.005 4 0.05 3.8(-8) 4.9(-8) 1.0(-7) 2.6(-7) 4.5(-7) 7.0(-8) 2.3(-7) 4.3(-7) 9.9(-7) 0.025 1.8(-8) 2.2(-8) 4.8(-8) 1.3(-7) 2.2(-7) 3.3(-8) 1.1(-7) 2.1(-7) 5.1(-7)
,0.01 1.0(-8) 1.3(-8) 2.8(-8) 7.4(-8) 1.3(-7) 1.9(-8) 6.1(-8) 1.4(-7) 3.4(-7)
(2/3 EDG configuration)
O.1 3.3(-6) 4.2(-6) 9.1(-6) 2.2(-5) 3.7(-5) 3.5(-5) 7.8(-5) 0.05-4 0.05 1.1(-6) 1.4(-6) 3.0(-6) 7.6(-6) 1.3(-5) 1.2(-5) 2.8(-5) 0.025 4.8(-7) 6.1(-7) 1.3(-6) 3.4(-6) 6.2(-6) 5.8(-6) 1.4(-5)
,0.01 2.6(-7) 3.3(-7) 7.2(-7) 1.9(-6) 3.5(-6) 3.5(-6) 8.9(-6)
' O.1 6.7(-7) 8.4(-7) 1.8(-6) 4.4(-6) 7.4(-6) 6.9(-6) 1.6(-5) 0.01
+ 0.05 2.2(-7) 2.8(-7) 6.0(-7) 1.5(-6) 2.6(-6) 2.4(-6) 5.7(-6) 0.025 9.6(-8) 1.2(-7) 2.6(-7) 6.9(-7) 1.2(-6) 1.2(-6) 2.8(-6) i0.01 5.2(-8) 6.6(-8) 1.4(-7) 3.8(-7) 7.1(-7) 7.0(-7) 1.8(-6) 0.1 3.3(-7) 4.2(-7) 9.1(-7) 2.2(-6) 3.7(-6) 3.5(-6) 7.8(-6) 0.005 $ 0.05 1.1(-7) 1.4(-7) 3.0(-7) 7.6(-7) 1.3(-6) 1.2(-6) 2.8(-6) 0.025 4.8(-8) 6.1(-8) 1.3(-7) 3.4(-7) 6.2(-7) 5.8(-7) 1.4(-6)
,0.01 2.6(-8) 3.3(-8) 7.7(-8) 1.9(-7) 3.5(-7) 3.5(-7) 8.9(-7)
- Numbers in parentheses indicate exponent of base 10 (e.g., 1.1(-6) = 1.1 x 10 8).
g Table C.3 (continued)
Mi T
Cluster O
M DHR EDGR 1
2 3
4 5
6 7
8 9
(1/3 EDG Configuration)
(
0.1 1.6(-7) 1.8(-7) 4.3(-7) 1.1(-6) 1.8(-6) 2.8(-7) 9.2(-7) 1.7(-6) 3.9(-6) 0.05
< 0.05 5.2(-8) 6.6(-8) 1.4(-7) 3.5(-7) 6.1(-7) 9.4(-8) 3.1(-7) 6.3(-7) 1.5(-6) 0.025 3.3(-8) 4.2(-8) 9.1(-8) 2.2(-7) 3.8(-7) 6.0(-8) 2.0(-7) 4.3(-7) 1.0(-6) 0.01 2.8(-8) 3.6(-8) 7.7(-8) 1.9(-7) 3.1(-7) 5.0(-8) 1.7(-7) 3.7(-7) 9.0(-7) 0.1 3.1(-8) 3.9(-8) 8.5(-8) 2.1(-7) 3.6(-7) 5.6(-8) 1.8(-7) 3.4(-7) 7.9(-7) 0.01,
0.05 1.0(-8) 1.3(-8) 2.8(-8) 7.1(-8) 1.2(-7) 1.9(-8) 6.1(-8) 1.3(-7) 3.0(-7) 0.25 6.7(-9) 8.4(-9) 1.8(-8) 4.5(-8) 7.5(-8) 1.2(-8) 3.9(-8) 8.6(-8) 2.1(-7)
,0.01 5.7(-9) 7.1(-9) 1.5(-8) 3.7(-8) 6.2(-8) 1.0(-8) 3.3(-8) 7.4(-8) 1.8(-7) r 1.0(-8) 1.8(-8) 4.3(-8) 1.1(-7) 1.8(-7) 2.8(-8) 9.2(-8) 1.7(-7) 3.9(-7) 0.005-)0.1 9
0.05 5.2(-9) 6.6(-9) 1.4(-8) 3.5(-8) 6.1(-8) 9.4(-9) 3.1(-8) 6.3(-8) 1.5(-7) m 0.025 3.3(-9) 4.2(-9) 9.1(-9) 2.2(-8) 3.8(-8) 6.0(-9) 2.0(-8) 4.3(-8) 1.0(-7) 0.01 2.8(-9) 3.6(-9) 7.7(-9) 1.9(-8) 3.1(-8) 5.0(-9) 1.7(-8) 3.7(-8) 9.0(-8) t
Table C.4 Tabulated estimated values of total core damage frequency (per reactor year) for station blackout accidents as a func-tion of emergency diesel generator (EDG) configuration, EDG unreliability (EDGR), offsite power cluster, and ability to cope with station blackout
- 1/2 EDG configuration EDGR = 0.1 t(hr)
Offsite power cluster 1
2 3
4 5
0 3.2( 4) 2.8(-4) 4.3(-4) 4.8(-4) 7.2(-4) 2
- 2. 3( -5) 2.8(-5) 6.1(-5) 1.5(-4) 2.5(-4) 4 7.3(-6) 1.0(-5) 2.2(-5) 7.6(-5) 1.5(-4) 8 1.4-2.4(-6) 2.2-3.4(-6) 4.5-2.3(-6) 2.5-3.1(-5) 6.4-7.6(-5) 16 1.9-12(-7) 2.9-16(-7) 5.8-34(-7) 3.9-11(-6) 1.4-2.5(-5) 6 7
8 9
0 4.4(-4) 5.9(-4) 1.7(-3) 2.0(-3) 2 4.0(-5) 1.3(-4) 2.4(-4) 5.3(-4) 4 1.9(-5) 5.2(-5) 9.5(-5) 2.5(-4) 8 5.7(-6)-7.5(-6) 1.2-1.8(-5) 2.4-3.4(-5) 7.6-10(-5) 16 9.4-27(-7) 1.4-7.3(-6) 3.2-14(-6) 1.1-3.5(-5)
EDGE = 0.05 Offsite power cluster 1
2 3
4 5
0 1.0(-4) 9.2(-5) 1.4(-4) 1.6(-4) 2.5(-4) 2 7.7(-6) 9.7(-6) 2.1(-5) 5.3(-5) 9.1(-5) 4 2.5(-6) 3.5(-6) 7.6(-6) 2.7(-5) 5.5(-5) 8 4.9-8.2(-7) 3.6(-12(-7) 1.6-2.5(-6) 8.9-11(-6) 2.3-2.8(-5) 16 6.5-41(-8) 1.0-5.4(-7) 1.9-11(-7) 1.4-3.7(-6) 5.0-9.1(-6) 6 7
8 9
0 1.4(-4) 2.0(-4) 5.9(-4) 7.1(-4) 2 1.4(-5) 4.6(-5) 8.5(-5) 2.0(-4) 4 6.6(-6) 1.8(-5) 3.5(-5) 9.7(-5) 8 2.1-2.7(-6) 4.0-6.1(-6) 8.8-13(-6) 2.9-3.8(-5) 16 3.4-9.7(-7) 4.8-28(-7) 1.2-5.0(-6) 4.2-13(-6)
- Numbers in parentheses indicate exponent of base 10 (e.g., 3.2(-4) = 3.2 x 10 4).
NUREG-1032 C-9 i
Table C.4 (continued) t(hr) 1/2 EDG Configuration EDGE = 0.025 Offsite power cluster 1
2 3
4 5
0 4.6(-5) 4.1(-5) 6.2(-5) 7.0(-5) 1.2(-4) 2 3.5(-6) 4.4(-6) 4.6(-6) 2.5(-5) 4.4(-5) 4 1.2(-6) 1.6(-6) 3.5(-6) 1.3(-5) 2.7(-5) 8 2.3-4.0(-7) 3.5-5.5(-7) 7.3-12(-7) 4.2-5.4(-6) 1.2-1.3(-5) 16 3.1-19(-8) 4.7-25(-8) 8.9-53(-8) 6.8-19(-7) 2.5-4.5(-6) 6 7
8 9
C 6.4(-5) 8.9(-5) 2.7(-4) 3.4(-4) 2 6.6(-6) 2.1(-5) 4.2(-5) 1.0(-4) 4 3.1(-6) 8.4(-6) 1.8(-5) 5.1(-5) 8 9.9-13(-7) 1.9-2.9(-6) 4.6-6.5(-6) 1.6-2.1(-5) 16 1.6-4.6(-7) 2.3-12(-7) 6.1-25(-7) 2.2-6.9(-6)
EDGE = 0.01 Offsite power cluster 1
2 3
4 5
0 2.7(-5) 2.4(-5) 3.6(-5) 4.1(-5) 6.9(-5) 2 2.9(-6) 2.6(-6) 5.6(-6) 1.5(-5) 2.7(-5) 4 6.7(-7) 9.5(-7) 2.1(-6) 7.6(-6) 1.6(-5) 8 1.3-2.2(-7) 2.1-3.3(-7) 4.3-6.8(-7) 2.5-3.2(-6) 7.1-8.2(-6) 16 1.8-11(-8) 2.8-14(-8) 5.4-31(-8) 4.1-11(-7) 1.5-2.7(-6) 6 7
8 9
0 3.7(-5) 5.2(-5) 1.6(-4) 2.2(-4) 2 3.9(-6) 1.2(-5) 2.7(-5) 6.8(-5) 4 1.9(-6) 4.9(-6) 1.2(-5) 3.5(-5) 8 5.9-7.6(-7) 1.1-1.7(-6) 3.1-4.3(-6) 1.1-1.4(-5) 16 9.8-27(-8) 1.3-6.8(-7) 4.0-16(-7) 1.5-4.6(-6)
NUREG-1032 C-10 L
Table C.4 (continued) t(hr) 2/3 EDG Configuration EDGN = 0.1 Offsite power cluster 1
2 3
4 5
0 9.4(-4) 8.3(-4) 1.3(-3) 1.5(-3) 2.1(-3) 2 6.7(-5) 8.4(-5) 1.8(-4) 4.4(-4) 7.4(-4) 4 2.2(-5) 3.0(-5) 6.5(-5) 2.2(-4) 4.5(-4) 8 4.0-7.1(-6) 6.4-10(-6) 1.3-2.1(-5) 7.3-9.3(-5) 1.9-2.2(-4) 16 5.6-35(-7) 8.5-46(-7) 1.7-9.9(-6) 1.2-3.1(-5) 4.1-7.4(-5) 6 7
0 1.3(-3) 1.7(-3) 2 1.2(-4) 3.9(-4) 4 5.5(-5) 1.6(-4) 8 1.7-2.2(-5) 3.4-5.2(-5) 16 2.8-8.1(-6) 4.1-2.2(-6)
EDGR - 0.05 Offsite power cluster 1
2 3
4 5
0 3.0(-4) 2.7(-4) 4.1(-4) 5.0( 4) 7.2(-4) 2 2.2(-5) 2.8(-5) 6.0(-5) 1.5(-4) 2.6(-4) 4 7.2(-6) 1.0(-5) 2.2-2.5(-5) 7.8(-5) 1.6(-4) 8 1.4-2.4(-6) 2.2-3.5(-6) 4.5-7.2(-6) 2.5-3.3(-5) 6.8-8.0(-5) 16 1.9-12(-7) 2.9-16(-7) 5.7-33(-7) 4.1-11(-6) 1.5-2.6(-5) 6 7
0 4.1(-4) 5.7(-4) 2 4.1(-5) 1.3(-4) 4 1.9(-5) 5.2(-5) 8 6.0-7.8(-6) 1.2-1.8(-5) 16 9.8-28(-7) 1.4-7.3(-6)
NUREG-1032 C-11 i
Table C.4 (continued) t(hr) 2/3 EDG configuration EDG5 = 0.025 Offsite power cluster 1
2 3
4 5
0 1.2(-4) 1.1(-4) 1.7(-4) 2.2(-4) 3.2(-4) 2 9.6(-6) 1.2(-5) 2.6(-5) 6.9(-5) 1.2(-4) 4 3.2(-6) 4.5(-6) 9.7(-6) 3.6(-5) 7.6(-5)
{
8 6.2-11(-7) 9.7-16(-7) 2.0-3.2(-6) 1.1-1.5(-5) 3.2-3.8(-5) i 16 8.4-52(-8) 1.4-6.8(-7) 2.5-14(-7) 1.9-4.9(-6) 6.9-13(-6) 6 7
0 1.7(-4) 2.4(-4) 2 1.8(-5) 5.8(-5) 4 8.6(-6) 2.3(-5) 8 2.7-3.6(-6) 5.1-7.7(-6) 16 4.5-13(-7) 6.2-32(-7)
EDGN = 0.01 Offsite power cluster 1
2 3
4 5
0 6.7(-5) 6.0(-5) 9.4(-5) 1.2(-4) 1.8(-4) 2 5.2(-6) 6.6(-6) 1.4(-5) 3.8(-5) 1.8(-4) 4 1.7(-6) 2.5(-6) 5.3(-6) 2.00(-5) 1.8(-4) 8 3.4-5.7(-7) 5.4-8.3(-7) 1.1-1.7(-6) 6.7-8.4(-6) 1.9-2.2(-5) 16 4.6-28(-8) 7.1-37(-8) 1.4-7.9(-7) 1.1-2.8(-6) 4.1-7.2(-6) 6 7
0 9.3(-5) 1.3(-4) 2 1.0(-5) 3.1(-5) 4 4.8(-6) 1.3(-5) 8 1.6-2.0(-6) 2.8-4.3(-6) 16 2.6-7.2(-7) 3.4-18(-7)
NUREG-1032 C-12 J
Table C.4 (continued) t(hr) 1/3 EDG Configuration EDGR = 0.1 Offsite power cluster 1
2 3
4 5
0 4.3(-5) 3.8(-5) 5.9(-5) 7.1(-5) 1.0(-4) 2 3.1(-6) 3.9(-6) 8.5(-6) 2.1(-5) 3.6(-5) 4 1.0(-6) 1.4(-6) 3.1(-6) 1.1(-5) 2.2(-5) 8 2.0-2.4(-7) 3.1-4.7(-7) 6.3-10(-7) 3.5-4.5(-6) 9.2-11(-6) 16 2.6-17(-8) 3.9-20(-8) 4.1-47(-8) 5.6-16(-7) 2.0-3.6(-6) 6 7
8 9
0 6.0(-5) 8.1(-5) 2.4(-4) 2.9(-4) 2 5.6(-6) 1.8(-5) 3.4(-5) 7.9(-5) 4 2.6(-6) 7.3(-6) 1.4(-5) 3.8(-5) 8 8.2-11(-7) 1.6-2.4(-6) 3.5-5.1(-7) 1.2-1.5(-5) 16 1.4-4.0(-7) 2.0-10(-7) 4.7-20(-7) 1.7-5.2(-6)
EDGR = 0.05 Offsite power cluster 1
2 3
4 5
0 1.4(-5) 1.3(-5) 2.0(-5) 2.3(-5) 3.4(-5) 2 1.0(-6) 1.3(-6) 2.8(-6) 7.1(-6) 1.2(-5) 4 3.4(-7) 4.7(-7) 1.0(-6) 3.6(-6) 7.4(-6) 8 6.5-11(-8) 1.0-1.6(-7) 2.1-3.4(-7) 1.2-1.5(-6) 3.1-3.7(-6) 16 8.9-5.0(-9) 1.4-7.3(-8) 2.7-15(-8) 1.9-5.0(-7) 6.7-12(-7) 6 7
8 9
0 2.0(-5) 2.7(-5) 8.3(-5) 1.0(-4) 2 1.9(-6) 61.(-6) 1.3(-5) 3.0(-5) 4 8.8(-7) 2.4(-6) 5.3(-6) 1.5(-5) 8 2.7-3.6(-7) 5.4-8.2(-7) 1.3-1.9(-6) 4.6-6.0(-6) 16 4.5-13(-8) 6.5-34(-8) 1.8-7.5(-7) 6.6-20(-7)
NUREG-1032 C-13 L
Table C.4 (continued) t(hr) 1/3 EDG configuration EDGR = 0.025 Offsite power cluster 1
2 3
4 5
0 9.4(-6) 8.3(-6) 1.3(-5) 1.5(-5) 2.2(-5) 2 6.7(-7) 8.4(-7) 1.8(-6) 4.5(-6) 7.5(-6) 4 2.2(-7) 3.0(-7) 6.5(-7) 2.3(-6) 4.6(-6) 8 4.1-7.1(-8) 6.4-10(-8) 1.3-2.2(-7) 7.4-9.4(-7) 1.9-2.3(-6) 16 5.6-35(-9) 8.6-46(-9) 1.7-9.9(-8) 1.2-3.2(-7) 4.2-7.6(-7) 6 7
8 9
0 1.3(-5) 1.7(-5) 5.5(-5) 7.0(-5) 2 1.2(-6) 3.9(-6) 8.6(-6) 2.1(-5) 4 5.5(-7) 1.6(-6) 3.6(-6) 1.0(-5) 8 1.8-2.3(-7) 3.4-5.2(-7) 9.3-13(-7) 3.2-4.2(-6) 16 2.8-8.2(-8) 4.1-22(-8) 1.2-5.1(-7) 4.6-14(-7)
EDGR = 0.01 Offsite power cluster 1
2 3
4 5
0 5.1(-6) 7.2(-6) 1.1(-5) 1.3(-5) 1.8(-5) 2 5.7(-7) 7.1(-7) 1.5(-6) 3.7(-6) 6.2(-6) 4 1.8(-7) 2.5(-7) 5.5(-7) 1.9(-6) 3.8(-6) 8 3.5-6.0(-8) 5.4-8.6(-8) 1.1-1.8(-7) 6.1-7.8(-7) 1.6-1.9(-6) 16 4.7-30(-9) 7.2-40(-9) 1.4-8.4(-8) 9.7-27(-8) 3.4-6.2(-7) 6 7
8 9
0 1.1(-5) 1.5(-5) 4.8(-5) 6.0(-5) 2 1.0(-6) 3.3(-6) 7.4(-6) 1.8(-5) 4 4.6(-7) 1.3(-6) 3.1(-6) 9.0(-6) 8 1,4-1.9(-7) 2.9-4.4(-7) 8.0-11(-7) 2.8-3.6(-6) 16 2.3-6.8(-8) 3.5(-19(-8) 1.1-4.4(-7) 4.0-12(-7)
reliability of the diesels are the most important factors in limiting the likeli-hood of core damage.
These results also show that the likelihood of significant core damage may exist at some plants if the capability to cope with station black-out of modest durations (2 to 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />) does not exist.
Moreover, the results show that the demand reliability of AC-independent decay heat removal systems is important, but it is not the most dominant factor in limiting the like li-hood of core damage for station blackout.
The point estimates obtained from NUREG/CR-3226 and a comparable plant design analyzed in this study are shown in Table C.5.
The differences in results pri-marily result from lower loss of offsite power frequencies supported by most recent evaluations of the data (see Appendix A).
The results provided up to this time represent point estimates of probability per year or, more properly, frequency.
The effect on the mean probability I
estimates of using log-normal distributions to represent basic event probabil-ities, calculated medians, and uncertainty ranges was shown in NUREG/CR-3226.
The sequence mean estimates derived in that document were typically 3 to 8 times l
larger than the point estimates, and the upper and lower bounds were typically j
within a factor of 5 to 20 of the median estimates.
The large difference bet-ween point estimates and means can be attributed to the use of a log-normal distribution.
The potential effect of operator error causing loss of decay heat removal has not been found to be a large contributor, if adequate training and procedures exist.
Another consideration that has not been found to be a significant factor is the difference in time to core uncovery on loss of all decay heat removal.
STATION BLACK 0UT RISK The potential risk associated with station blackout accidents can be estimated by extending the core damage probabilistic results through to accident conse-quence estimates.
The potential for terminating core damage before core melt and coping with core melt prior to containment failure is currently a matter of extensive research and evaluation.
In most probabilistic risk assessments (PRAs),
the probability of core damage has been equated with core melt.
Acknowledging NUREG-1032 C-15
Table C.5 Comparison of results with NUREG/CR-3226 Core damage frequency (per reactor year)
Plant type and sequence NUREG/CR-3226 NUREG-1032 PWR with one steam-driven AFW train TML B 5 x 10 8 3 x 10 6 i 1 TMB (L2 + Q2) 2 x 10 5 4 x 10 6 2
BWR with isolation cooling TM(U1 + Qt)Bi 5 x 10 6 3 x 10 8 TMQ2B 2 x 10 5 4 x 10 8 2
BWR with HPCI/RCIC TMU B 2 x 10 6 6 x 10 7 1 i TMU B 2 x 10 5 4 x 10 6 22 BWR with HPCS/RCIC TMU B 5 x 10 7 3 x 10 7 t 1 TMU B 1 x 10 8 2 x 10 8 2 2 Note:
All 8 sequences except the BWR with HPCS/RCIC are assumed to result 2
in loss of core cooling and decay heat removal in 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> from the start of station blackout for the NUREG-1032 results.
Core damage frequencies in this table (NUREG-1032 column) are based on offsite power cluster 7, 1/2 diesel generator configuration and 0.975 diesel generator reliability.
I i
l NUREG-1032 C-16 l
)
that this is a possible conservative assumption, to estimate risk in these PRAs, containment failure modes and probabilities are applied as if the core has melted.
This type of approach was taken to develop a risk perspective on station black-out.
However, the potential for accident management and revised consequence estimates emanating from current research are also considered.
The risk of a station blackout accident can be estimated by the product of the core damage frequency and consequence of the accident.
Figure C.1 shows the sensitivity of station blackout accident risks to containment type and effective-ness.
Risks are highest in sequences in which core damage occurs after a station blackout and then proceeds to core melt and containment failure without actuation of containment sprays (PWR, BWR Mark III) or when suppression pool scrubbing is ineffective (BWR Mark I, II, III).
With the actuation of contain-ment sprays before containment failure (if AC power is restored after core melt),
risks are reduced noticeably for plants with limited capability of coping with station blackout (less than 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />).
With effective fission product scrubbing by BWR suppression pools, risks are even further reduced.
However, suppression pool bypass or less effective scrubbing could cause less apparent risk reduction than indicated here.
REFERENCES Fletcher, C. D., "A Revised Summary of PWR Loss-of-Offsite-Power Calculations,"
EG&G Idaho, Inc., EGG-CAAD-5553, September 1981.
Schultz, R. R. and S. R. Wagoner, "The Station Blackout Transient at Browns Ferry Unit One plant, A Severe Accident Sequence Analysis," EG&G Idaho, Inc.,
EGG-NTAP-6002, September 1982.
V. S. Nuclear Regulatory Commission, NUREG/CR-3226, A. M. Kolaczkowski and A. C. Payne, Jr., " Station Blackout Accident Analyses (Part of NRC Task Action Plan A-44)," May 1983.
NUREG-1032 C-17 L
w
- - No sprays with
\\
AC recovery Sprays actuated on AC recovery gg Suppression pool scrubbing D
(
X Scrubbing and sprays
\\%g
\\
\\
hN N
N %\\
N s N
N %g s s%
2 10
\\
g
\\
u, e,,,y,,,,,,,,,y,
N N
N
%~J % ",' 1 L"" '""
7
\\
Substmospheric ta
\\
Ice Condenser
[
Subatmospheric
{
\\
3
\\
' N '**,,**ii "d'"
M N
c; g
Mark lit
(
g N
b g
N E
b Large Dry (dry cavity) lE Large Dry (dry cavityl 1
3 10
,2 E
- Mark i tr 11 Mark til n
X " %
- Mark 111 0
I I
I 10 O
4 8
12 16 20 24 Capability of Coping with Station Blackout (hrs)
Figure C.1 Station blackout risk perspective for different containments NUREG-1032 C-18 J
^
(
g,Poaa=
u s. =ucum mut.Toa, co. oM i
oo uM..a,u..
, r,oc..m.,....,,
Ei.YJ/*
BIBUOGRAPHIC DATA SHEET NUREG-103 a ft SEE INSTRUCTIONS ON T t pavtast 2 TITLE Amea $uefiTLE 3 LE AVE BLANE Evaluation of ation Blackout Accidents at Nuclear Power
/
/
Plants--Technic Findings Related to Unresolved Safety Issue A-44
/ / ' ^ " " " ' * "'" "
l 1985 Draft Reonrt fnr ninent M""
Marcf
. tui oaisi
/
6 OATE REroRT 155uto P. W. Baranowsky l1985
, e t A ORMiesG ORGANt2 ATION NAME AND MAI G ADDRESS,,acher le cem, e epJECTiT A5E % ORE UNIT NUM8ER Office of Nuclear Regul ory Research
/JSI A-44 Office of Nuclear Reacto Regulation 7~ oa ca * * ' *u""
U. S. Nuclear Regulatory C ission
[
Washington, DC 20555 j
0f5 c N fTuIlYar [eg"u S r[ R search Office of Nuclear Reactor Regul tion Draft Technical Report U. S. Nuclear Regulatory Commiss n
.. eaioo coviano r,-
m.,
Washington, DC 20555 n iu,,aWic A. oTu
" Station Blackout," which is the complet loss Ff alternating current (AC) electrical power in a nuclear power plants, has been esi nated as Unresolved Safety Issue A-44.
Because many safety systems required for re c r core decay heat removal and contain-ment heat removal depend on AC power, the co ;equences of a station blackout could be severe. This report documents the findings technical stuoies performed as part of the program to resclve this issue. The mp tant factors analyzed include:
the frequency of loss of offsite power; the pr babi ty that emergency or onsite AC power supplies would be unavailable; the capabi ity an (reliability of decay heat removal systems independent of AC power; and th ikelihodqthatoffsitepowerwouldbe restored before systems that cannot op ate for extqnded periods without AC power fail, designs, locations, and operational f atures on the e, esses effects of different thus resulting in core damage. This r port also addrstimated frequency of core damage resulting from station blacko t events.
i4 OOCUMt %T AN ALYSit -. K E
- WWORDS DISCRi,YORS it Av AsiatiLif y UEITm"Eed Unresolved Safety Issue A-4 Station Blackout Availability 16 SECunity CLASSiPICATION t rag saye, oeci.... on= iNo o """'
Unclassified t rA4 report, Unc1assified i n NuM... o., Acu 14,mic t L.
UNITED STATES n, coa
.t NUCLEAR RECULATORY COMMISSION postaos e mes eneo WASHINGTON, D.C. 20566 wfs7c.
P:00 447 fee. G47 OFFICIAL SUSINESS PENALTY FOR PRIVATE USE, $300 1 : 0 5 ' '.. U 7 9 6 7 7 1 1 A ril 15' U5 r+'
f4 L " - ! !V t'F TIPC PCLICi E U >.
' r> i 4-F n '. U f t e
-$L1 s.
,, ? E H I i. C. T O ?
i.C ECi
j J
.