ML20132D145

Final Review of Byron Limiting Condition for Operation Relaxation Study, Task 1, Interim Rept
Person / Time
Site: Byron
Issue date: 06/24/1985
From: Cho N
BROOKHAVEN NATIONAL LABORATORY
To: Spano A
Office of Nuclear Reactor Regulation
References
CON-FIN-A-3810 NUDOCS 8507010337


Text


BROOKHAVEN NATIONAL LABORATORY
ASSOCIATED UNIVERSITIES, INC.
Upton, Long Island, New York 11973
(516) 282-2363
Department of Nuclear Energy
FTS 666-

June 24, 1985

Mr. Alfred Spano
Reliability and Risk Assessment Branch
Office of Nuclear Reactor Regulation
U. S. Nuclear Regulatory Commission
Phillips Building
7620 Norfolk Avenue
Bethesda, MD 20814

Re: FIN 3810

Dear Mr. Spano:

Enclosed is a final version of the letter report covering task 1 of the Byron LCO review. Your comments on the draft are reflected, as are those of the PETS project.

Sincerely yours,

Robert Youngblood
Risk Evaluation Group

Enc.

cc: W. Y. Kato (w/o enclosure)
    R. A. Bari (w/o enclosure)

FIN A-3810

Review of Byron LCO Relaxation Study
Task 1 Interim Report

N.Z. Cho, G.E. Bozoki, and R.W. Youngblood

Risk Evaluation Group

June 1985

Department of Nuclear Energy
Brookhaven National Laboratory
Upton, New York 11973

TABLE OF CONTENTS

1. INTRODUCTION
2. SURVEY OF APPLICABLE METHODS
   2.1 Methods
   2.2 Sample Problem
   2.3 Results and Discussions
   2.4 Conclusions
3. APPROACH OF BYRON LCO STUDY REVIEW
   3.1 Introduction
   3.2 Sample Problem Insights
   3.3 Issues Raised by PETS
   3.4 Issues to be Confronted in the Review
   3.5 System Model Validation Template
4. REFERENCES

1. INTRODUCTION

This is an interim report on a program which is currently in progress at Brookhaven National Laboratory (BNL) for the U.S. Nuclear Regulatory Commission (NRC). The program is entitled "Review of WCAP-10526, Byron LCO Relaxation Study." This program is part of the NRC's effort to respond to a recent request by the Commonwealth Edison Company. Commonwealth Edison has proposed that the allowed outage times (AOT's) for a number of systems in the Byron Generating Station be increased from 3 days to 7 days. The proposal (1) (WCAP-10526) uses the usual probabilistic risk assessment (PRA) methods, i.e., event/fault tree techniques, to conclude that the health and safety of the public would not be significantly affected by the proposed changes in AOT's.

The overall purpose of this project is to assess the methods used and to obtain an estimate of the change in risk involved in the Byron proposal.

This report describes work on Task 1: Survey of Applicable Methods, and discusses the proposed review approach and issues identified so far from the proposal. The report is organized as follows: Section 2.1 briefly describes the available methods and computer codes which are applicable to the AOT problem. Section 2.2 describes the sample problem designed to test the methods. Section 2.3 provides the results and conclusions of the sample problem exercise performed with the available methods. Finally, Section 3 discusses the general approach which will be taken in the review of the Byron LCO Relaxation Study. It also provides several issues and observations so far identified in the review of the Study. It also includes the system model validation template and tentative milestones of the review.

2. SURVEY OF APPLICABLE METHODS

Technical specifications (TS) in a nuclear power plant are specific requirements on its day-to-day operation, designed to protect public health and safety. Two primary aspects of the TS are (1) limiting conditions of operation (LCO) with allowed outage times (AOT's) and (2) surveillance testing intervals (STI's). TS are an important element of the existing regulatory framework which governs licensing and operation of nuclear power plants.

In recent years, there has been growing interest in the nuclear community in reexamining the TS. One of the reasons is that a significant portion of reactor downtime (plant unavailability) is attributable to the strict TS. Furthermore, it is generally believed that the TS were established not on a firm technical basis but rather in an ad hoc manner and that the apparently strict TS may not necessarily enhance the public safety. In the debate regarding the merits of relaxing the TS, the burden is, however, primarily on the owners and operators of the plants to prove that the existing TS are "too strict." A difficulty in doing this arises from the fact that the decision makers (owners of the plants or regulators as appropriate) and the public are not cognizant of the lower level measures, e.g., unavailability of certain components or systems, which are affected by the TS directly. In other words, the lower level measures do not convey direct meaning to them. On the other hand, higher level measures, e.g., fatalities from the accidents, property damage, cost, and core damage frequency, would have more direct meaning to them. Thus, decisions based on higher level measures would be understood and accepted more easily than those based on lower level measures. Another difficulty comes from lack of a decision framework in nuclear regulation: either "standard (criteria) setting" or "case-by-case" decision-making.(2) Standard-setting categorizes options (e.g., two testing procedures, existing and proposed) as "acceptable or not acceptable" whereas decision-making procedures attempt to order the available options according to their "attractiveness" and choose the most attractive one. The NRC's proposed safety goals and numerical guidelines (3) provide an example of standard-setting at a higher level. Ref. 4 develops a method for setting reliability criteria at a lower level which are derived consistently from higher level criteria.

The higher level measures, e.g., core damage frequency and health risks, are not directly "measurable." Thus, they must be evaluated by mathematical (deterministic and/or probabilistic) methods using various models. Here arises the importance of the chosen methods and models since the final decision would depend on them. The outcome of a decision based on a particular method could be different from a decision which was based on another method. This aspect is particularly relevant to the TS problem since various complex characteristics are inherent in the TS problem. Some of the characteristics and issues that should be addressed in the TS problem are outlined in Ref. 5. In brief, allowed outage times (AOT's) and surveillance testing intervals (STI's) introduce into the TS problem a high degree of stochastic dependency among components and systems including the following:

(1) At test and repair times, the component exhibits discontinuities in its unavailability.

(2) The TS usually require staggered schedules in test and repair.

(3) The TS require the reactor be shut down if test or repair is not completed within a given AOT.

(4) During test and repairs in most of the systems, the logic (success criterion) of the system changes.

(5) For some systems, when a particular component or train is tested or repaired, the system is reconfigured involving a set of other components in the same system and/or in other systems in order to accomplish the test and repair or to improve unavailability of the system during the test and repair.

(6) Frequent test and challenge of the component may degrade the component.

(7) Test and repair may introduce human errors into the state of the component affecting the component unavailability.

(8) Human errors during test and repair may affect the state of the system resulting in shutdown of the plant.

(9) AOT of a particular component may depend on states of other components.

(10) The TS problem increases desirability of modeling multiple states for components and system.

(11) Challenge rate is an integral element in evaluating effectiveness of one or a set of standby systems.

The available methods applicable to the TS problem dealing with the aspects listed above invariably employ some kind of approximations. The degree of approximation varies according to the methods. Some approximations are intrinsic to particular methods because of fundamental assumptions in the methods while some approximations are made for numerical and computational efficiency.

The methods reviewed and tested (using a sample problem) in this study are limited to those whose computer code implementations are available. These are: (1) "static" fault tree approach (6), (2) "time-dependent" unavailability analysis,(7) and (3) Markov analysis.(8) Other methods (9,10) which are potentially applicable to the TS problem are not reviewed here since it appears that they are still under development and computer codes implementing the methods are not available to the authors of this report.

2.1 Methods

The three methods tested by using a sample problem are the following (detailed descriptions are available in the references):

o Static Fault Tree Approach (6,12)
o Time-Dependent Unavailability Analysis (7,13,14)
o Markov Analysis (8,15,16,17,18)

2.2 Sample Problem

The sample problem devised in this study is to calculate core damage frequency from an accident sequence using the three methods in Section 2.1. The accident sequence consists of an initiator and failures of two frontline systems and a support system. The systems and failure data are abstracted from the Byron plant. However, the sequence is constructed only for the purpose of comparing the methods and thus does not necessarily represent any accident sequence appropriate to the Byron plant, per se.

Figure 2.1 represents the sample problem configuration in a reliability block diagram. Each block is a "supercomponent" consisting of several components in series. For example, Block 1 is composed of a pump and several valves associated with the pump. Frontline system 1 ($F_1$) consists of Blocks 1, 2 and 3. Similarly, frontline system 2 ($F_2$) consists of Blocks 4, 5 and 6. The success criterion is 1-out-of-2 for both frontline systems. Blocks 7 and 8 constitute a support system. Frontline system 1, frontline system 2 and support system may represent the Auxiliary Feedwater System, Safety Injection System and Essential Service Water System, respectively.

The problem is characterized by the following:

1. The accident sequence is defined as $TF_1F_2$, where T is the initiating event.
2. The two trains (blocks) in each system follow staggered testing schedules.
3. The testing schedules are consistent between the frontline systems and the support system. For example, test of Block 1 is also staggered with test of Block 8.
4. The suction source (Block 3) for frontline system 1 is reconfigured during test and repair. That is, when Block 3 is under test or repair, the support system whose primary function is cooling of pumps in Blocks 1, 2, 4 and 5 is also used, if it is available, as the suction source in lieu of Block 3.
5. Test time of the suction source (Block 6) for frontline system 2 is negligibly short. If test finds Block 6 is unavailable, the reactor is shut down immediately.
6. If repair of each block is not completed within an AOT, the reactor is shut down.

2.3 Results and Discussions

Tables 2.1 and 2.2 summarize the failure data and parameters associated with testing schedules used in the calculations. The static fault tree was quantified by the SETS code.(19) For time-dependent unavailability analysis, FRANTIC III (14) was used. For Markov analysis, the version of STAGEN and MARELA developed in Ref. 17 was modified for the sample problem.

Table 2.3 and Figure 2.2 show the results of sensitivity calculations obtained by varying AOTs. In the case of unavailability of the combined systems in the sequence, only time-averaged (for 360 days) values are included in the table and figure. FRANTIC III and STAGEN/MARELA calculate unavailabilities as functions of time in detail. In addition, STAGEN/MARELA also calculates core damage probabilities and reactor shutdown probabilities as functions of time directly. In the case of Markov analysis, each block was modeled to be in three states, i.e., (1) operating, (2) failed, and (3) in repair, and it was assumed that, once the reactor makes a transition to the reactor shutdown state (without core damage), it is completely renewed and transferred to a system state in which every block is operable following an exponential distribution with mean time of 48 hours.

The results for static fault tree approach and Markov analysis include reconfiguration of Block 3 during test and repair. The FRANTIC results, however, do not represent the reconfiguration exactly. It seems that a minor modification of the FRANTIC III code would enable reconfiguration to be taken into account. Such a modification of the code was not, however, within the scope of this study. Two sets of results are instead provided for FRANTIC III calculations: one for no reconfiguration of Block 3 during test and repair, and another for zero test and repair duration (equivalent to no unavailability during test and repair) of Block 3. Incorporating reconfiguration correctly in the FRANTIC calculation will involve generating new minimal cut sets by taking into account the resulting new system structure and related human failures. The new minimal cut sets should then be used only during test and repair by FRANTIC. There may be situations, depending upon the problem and data, in which the rare-event approximation usually employed in current PRAs will not be accurate enough (on the conservative side) if it is used also in the FRANTIC calculation, especially for the test and repair phase. Therefore, in the FRANTIC calculations for the sample problem in this study, the min cut upper bound (20) was used to reduce over-estimation in the unavailability.

It is observed from Table 2.3 and Figure 2.2 that for the range of AOT's considered, Markov analysis gives smaller unavailabilities and core damage probabilities than the other two methods. If reconfiguration is not considered in the FRANTIC calculation, FRANTIC results are the most conservative. However, if zero test and repair duration is assumed in the FRANTIC calculation, static fault tree results become the most conservative. The static fault tree results are always conservative compared to the Markov analysis results.

The differences in core damage frequency and in unavailability (as far as time-averaged unavailability is concerned) between the static fault tree and FRANTIC results are not considered significant while the corresponding differences between the static fault tree and Markov results are considered substantial. This is due to the fact that the Markov analysis models stochastic dependency better than the other two methods and that multiple states in the Markov analysis allow more realistic modeling of component and system dynamic behavior, including renewal aspects of system challenges and inter-system state transitions. FRANTIC (and Markov analysis) of course provides not only time-averaged unavailabilities but also detailed unavailabilities as functions of time which cannot be obtained by the static fault tree approach.

It is also noted from Figure 2.2 that all curves exhibit convexity as expected (only degrees of the convexity are different among the curves).

2.4 Conclusions

Although the sample problem used is not a detailed model, it contains most of the important and essential characteristics that should be addressed in the TS problem. Thus, the trends observed in the results are expected to be indicative of the real situation.

The results obtained in this section using three methods give useful insights and lend confidence to the conclusion that static fault tree approach can be used by NRC for the AOT problem when the quantified higher level measures, e.g., core damage frequency, are unequivocally below the criteria. However, when the higher level measures corresponding to the proposed AOTs are in the range of the criteria, the Markov analysis or the time-dependent unavailability analysis would be attractive to owners of the plants who bear the burden of proof in AOT relaxation.

The weak convexity of the results suggests a way to perform sensitivity studies with regard to AOTs. They can be done simply by linearly interpolating two results obtained from small and large AOTs, e.g., 19 hours and 168 hours.
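An added check of this shortcut (not part of the original report): the Python below interpolates linearly between the 19-hour and 168-hour average unavailabilities of Table 2.3 and compares the result with the tabulated 34-hour and 72-hour values for each method. Function and variable names are illustrative assumptions.

```python
# Added example: tests the linear-interpolation shortcut of Section 2.4
# against the interior AOT points of Table 2.3 (average unavailability).
# All names here are illustrative; they do not come from the report or
# from the SETS, FRANTIC III or STAGEN/MARELA codes.

# Table 2.3, time-averaged unavailability, keyed by AOT in hours.
# FRANTIC* = no reconfiguration of Block 3 during test and repair.
# FRANTIC# = zero test and repair duration for Block 3.
TABLE_2_3 = {
    "Static Fault Tree": {19: 1.64e-4, 34: 1.70e-4, 72: 1.86e-4, 168: 2.26e-4},
    "FRANTIC*":          {19: 1.68e-4, 34: 1.74e-4, 72: 1.92e-4, 168: 2.42e-4},
    "FRANTIC#":          {19: 1.43e-4, 34: 1.50e-4, 72: 1.67e-4, 168: 2.18e-4},
    "Markov":            {19: 1.12e-4, 34: 1.18e-4, 72: 1.33e-4, 168: 1.79e-4},
}


def interpolate(curve, aot, lo=19, hi=168):
    """Linear estimate at `aot` from the two end points of one method's curve."""
    slope = (curve[hi] - curve[lo]) / (hi - lo)
    return curve[lo] + slope * (aot - lo)


def interpolation_errors(table=TABLE_2_3, lo=19, hi=168):
    """Relative error of the linear estimate at every interior AOT point.

    Returns {(method, aot): error}. A positive error means the estimate
    lies above the tabulated value, which is what a convex curve produces.
    """
    errors = {}
    for method, curve in table.items():
        for aot in sorted(curve):
            if lo < aot < hi:
                estimate = interpolate(curve, aot, lo, hi)
                errors[(method, aot)] = (estimate - curve[aot]) / curve[aot]
    return errors


def worst_case(errors):
    """Return ((method, aot), error) for the largest absolute error."""
    key = max(errors, key=lambda k: abs(errors[k]))
    return key, errors[key]


if __name__ == "__main__":
    errs = interpolation_errors()
    for (method, aot), err in sorted(errs.items()):
        print(f"{method:18s} AOT={aot:3d} h  interpolation error {err:+.2%}")
    (method, aot), err = worst_case(errs)
    print(f"worst case: {method} at {aot} h ({err:+.2%})")
```

For the tabulated data the linear estimate is never below the calculated value, and the largest deviation is about 2 percent (Markov, 72 hours).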

Figure 2.1 Block configuration of a sample problem.

Table 2.1 FAILURE DATA USED IN THE SAMPLE PROBLEM

| Block | Independent Failure Rate (per hour) | Common Cause Failure Rate* (per hour) | Test Human Error Causing Failure | Test Human Error Not Detecting Failure |
|---|---|---|---|---|
| 1 | 1.66(-5) | 5.29(-7) | 1.00(-3) | 1.00(-3) |
| 2 | 7.31(-5) |  | 1.00(-3) | 1.00(-3) |
| 3 | 3.87(-7) |  | 1.00(-3) | 1.00(-3) |
| 4 | 1.03(-6) | 3.50(-7) | 1.00(-3) | 1.00(-3) |
| 5 | 1.03(-6) |  | 1.00(-3) | 1.00(-3) |
| 6 | 1.85(-7) |  | 1.00(-3) | 1.00(-3) |
| 7 | 2.40(-5) | 3.29(-8) | 1.00(-3) | 1.00(-3) |
| 8 | 2.40(-5) |  | 1.00(-3) | 1.00(-3) |

* Common cause failure rates between blocks 1 and 2, blocks 4 and 5, and blocks 7 and 8, respectively.

Table 2.2 TESTING SCHEDULES ASSUMED IN THE SAMPLE PROBLEM

| Block | Mean Time to Test (Hours) | Mean Time to Repair (Hours) | Starting Test Time (Days) | Test Interval (Days) |
|---|---|---|---|---|
| 1 | 2 | 19 | 15 | 30 |
| 2 | 2 | 19 | 30 | 30 |
| 3 | 2 | 19 | 15 | 15 |
| 4 | 2 | 19 | 15 | 90 |
| 5 | 2 | 19 | 60 | 90 |
| 6 | 0 | 0 | 15 | 45 |
| 7 | 2 | 19 | 15 | 30 |
| 8 | 2 | 19 | 30 | 30 |

Table 2.3 AVERAGE UNAVAILABILITY AND CORE DAMAGE PROBABILITY AT ONE YEAR USING 3 INITIATORS PER YEAR

| AOT (Hours) | Average Unavailability: Static Fault Tree | Average Unavailability: FRANTIC* | Average Unavailability: FRANTIC# | Average Unavailability: Markov | Core Damage Probability: Static Fault Tree | Core Damage Probability: FRANTIC* | Core Damage Probability: FRANTIC# | Core Damage Probability: Markov |
|---|---|---|---|---|---|---|---|---|
| 19 | 1.64(-4) | 1.68(-4) | 1.43(-4) | 1.12(-4) | 4.92(-4) | 5.04(-4) | 4.29(-4) | 3.31(-4) |
| 34 | 1.70(-4) | 1.74(-4) | 1.50(-4) | 1.18(-4) | 5.10(-4) | 5.22(-4) | 4.50(-4) | 3.47(-4) |
| 72 | 1.86(-4) | 1.92(-4) | 1.67(-4) | 1.33(-4) | 5.58(-4) | 5.76(-4) | 5.01(-4) | 3.94(-4) |
| 168 | 2.26(-4) | 2.42(-4) | 2.18(-4) | 1.79(-4) | 6.78(-4) | 7.26(-4) | 6.54(-4) | 5.30(-4) |

* No reconfiguration of Block 3 during test and repair
# Zero test and repair time (duration) for Block 3

Figure 2.2 Unavailability and core damage frequency as functions of AOT (hours). Curves: A, static fault tree; B, FRANTIC*; C, FRANTIC#; D, Markov.

3. APPROACH OF THE BYRON LCO STUDY REVIEW

3.1 Introduction

The major objective of the review is to concur with or modify the Westinghouse estimate of the change in core damage frequency associated with the change in AOT's. Subsidiary objectives are to display various sensitivities of the results. A number of issues arise in connection with model completeness and in connection with approximations and assumptions made in evaluating the risk. Some of these issues have been discussed above. Others have been discussed in the course of another BNL project being carried out under the sponsorship of the Division of Risk Analysis and Operations.

This section reviews these issues and relates them to how the project is to be carried out and what is to be provided. Section 3.2 recapitulates some of the results of the sample problem. Section 3.3 reviews some of the results of the PETS program. Section 3.4 sketches the important aspects of the review.

3.2 Sample Problem Insights

The sample problem was designed as an accident-sequence-level problem. More than one frontline system was involved, and shared support system interdependence was displayed. The resulting cut sets highlighted the crucial importance of the support systems. They also suggest that joint maintenance acts not prohibited by TS can be important. These considerations indicate that a certain class of sensitivity studies is important if the results are to be properly understood. The sample problem was also crafted with a view towards making the results of Markov, FRANTIC, and static calculations meaningfully intercomparable.

Thus, the sample exercise has shown that:

1. Little is lost for present purposes in the static approach as opposed to the Markov or FRANTIC approaches, given the failure models implicit in the sample problem.
2. Sequence level cut sets show that the support systems are crucial.
3. Pair importances show that conjunctions of maintenance acts which are not specifically forbidden may nevertheless be important.

3.3 Issues Raised by PETS

The PETS program considers generic as well as specific issues, including some which go far beyond issues of technical content. Many issues raised by PETS bear on these more nearly philosophical questions. Such issues are outside the scope of the present project. Rather, we will try to characterize the accuracy of the Westinghouse calculation to assess the change in risk indices and to provide a variety of importance measures which serve to illuminate the results and characterize their sensitivity to certain parameters.

Following is an annotated summary of issues considered important by PETS. These were covered in a March 19 letter from J.L. Boccio (BNL) to R.C. Robinson (NRC). As noted above, some PETS issues are out of our scope. Others are subsumed under the rubric of issues associated with Pair Importances. These are implicit in the deliverables discussed in the next subsection.

1. How system reconfiguration was treated.

Given maintenance procedures, a check will be made to see whether maintenance on a given block has logical implications beyond unavailability of the block itself, and if so, whether this is reflected in the plant model.

2. Whether the use of truncated sets of minimal cut sets influences the outcome.

This will be clarified to the extent possible by explicit calculation and bounding arguments. The issue will arise more explicitly in the BNL review than in the original report, which did not develop accident sequence cut sets.

3. Impact of human error and common cause failures.

Human error and common cause failure are important topics in any PRA related activity. However, given that a particular component has failed and is under repair, special questions are important; there is a special class of human errors to consider, and an enhanced expectation of failures of other components in response to whatever root cause was responsible for the initial failure. Sensitivity analysis will highlight areas in which the possibilities of such mechanisms for failure are worth ruling out by later analyses.

4. The sensitivity of the results to enhanced probabilities of certain conjunctions of events: pairs of allowed maintenance acts, or more generally, failure events which markedly increase the risk if they occur in conjunction with a maintenance act.

As for other related questions, exploration of pair importances is expected to show which of these is potentially most important to risk, and correspondingly deserves closer scrutiny.

5. Effect of AOT on High Consequence Scenarios.

Relating AOT to actual risk is the burden assumed in the Byron submittal. The present review will focus on the front end systems analysis; however, sensitivity considerations will reflect the relatively high potential importance of components involved in high consequence, nominally low probability scenarios.

3.4 Issues to be Confronted in the Review

There is a natural functional approach to organizing the issues outlined above. There are three types of issues: those which are policy issues, and will not be decided at BNL; those which apply to the completeness of individual system models; and those which arise in connection with the overall results. Table 3.4.1 lists issues which should be dealt with before "requantification," and those which should be dealt with after requantification. "Requantification" is our term for obtaining and quantifying a new sequence-level Boolean expression for core damage, reflecting any necessary changes in logic or parameterization. Clearly, individual fault trees should be restructured before relinking is undertaken, and this is reflected in Table 3.4.1 in the issues which are called out under "Before Requantification."

Table 3.4.2 calls out products which are considered to be necessary inputs to an NRC decision. There will always remain questions associated with physical root causes and human error possibilities, which can only be dealt with given information and resources which go far beyond those of the present review. However, given the results to be provided, one can assess the impact of such questions.

It is emphasized that the major goal of the project is a careful characterization of the bottom line; the sensitivity items such as uncertainty analysis will be provided as time and resources permit. It is noted that the review cannot easily go where the submittal itself does not provide source material; nevertheless an effort will be made to provide the kind of sensitivity information necessary for an informed decision.

Table 3.4.1

Points to be Addressed Before Requantification:

1. Whether reconfiguration has been satisfactorily addressed.
2. Whether omissions identified in the Sandia review of ZPSS are properly considered.
3. Whether critical parameters have been quantified appropriately.

Issues to be Addressed During Requantification:

1. Estimate of effects of new AOTs on core damage frequency (individually and collectively).
2. Significant event pairs highlighted to demonstrate what events (human errors, other component failures) occurring in conjunction with a maintenance act are especially risk-significant and correspondingly warrant special attention.

Table 3.4.2 PRODUCTS OF REQUANTIFICATION

Conditional Probabilities to be Provided:

   Birnbaum Importances
   Pair Birnbaum Importances
   Risk per AOT for 3 and 7 days outages
   Cumulative risk, given assumptions about frequency of maintenance

Minimal Cut Sets to be Provided:

   Those containing AOT components at the:
   1. System level
   2. Accident sequence level, for dominant accident sequences

Consideration of Effect of Parameter Uncertainties on Indicated Risk Indices:

Pair Importance Information Regarding: components and human errors which are risk-significant in conjunction with a maintenance act.

3.5 System Model Validation Template

The following steps are to be performed in essentially the indicated order. Performed for each system, these steps are intended to demonstrate that it is reasonable to link the indicated system model into accident sequence models.

(A) Establish basic applicability of the functional model. Review the following items:

   1. Logic (careful assessment, including success criteria)
   2. Data (limited review of critical parameters)
   3. Support System Dependences
   4. Human Error Modeling (limited review)
   5. Common Cause Failures (careful review of modeling)
   6. Check whether applicable system-level findings of Sandia review are reflected

(B) Check to see whether Tech Specs are adequately reflected at system level.

   1. Are configurations and maintenance acts which are allowed by TS actually included in the model?

(C) Reconfiguration Options:

   1. Based on maintenance procedures, is reconfiguration modeled?
   2. Based on segmentation and assumptions, is reconfiguration modeled?

(D) System Level Cut set Review

   Review dominant system-level cut sets for validity
   Importance Measures
      Individual importance measures
      Pair importance measures

(E) Summarize findings of system level review, identify critical information needs

Table 3.5.1 provides milestones of the review envisioned by the NRC and BNL staff.

Table 3.5.1 TENTATIVE MILESTONES OF THE REVIEW

6/7    System-level Results for Two Systems
6/13   Presentation of Interim Results to NRC Staff
6/26   Meeting at Pittsburgh with utility and Westinghouse to discuss questions of methodology, assumptions, and data, and information requests
7/17   Presentation of more interim (system-level) results to NRC staff (8 systems altogether)
8/14   Meet at Bethesda with utility and Westinghouse to discuss results
9/15   Informal Draft Report to NRC
9/27   Formal Draft to NRC
11/20  NRC comments to BNL
12/27  Final Report to NRC

4. REFERENCES
1. Butler, J.C. et al., "Byron Generating Station Limiting Conditions for Operation Relaxation Program," Westinghouse Electric Corporation, WCAP-10526, Volumes 1 and 2, April 1984.
2. Fischhoff, B., "Standard Setting Standards: A Systematic Approach to Managing Public Health and Safety Risks," Decision Research, NUREG/CR-3508, February 1984.
3. U.S. Nuclear Regulatory Commission, "Safety Goals for Nuclear Power Plant Operation," NUREG-0880, Revision 1, May 1981.
4. Cho, N.Z., Papazoglou, I.A., Bari, R.A. and El-Bassioni, A., "A Decision-Theoretic Methodology for Reliability and Risk Allocation in Nuclear Power Plants," Paper No. 14, Proceedings of the International ANS/ENS Topical Meeting on Probabilistic Safety Methods and Applications, Volume 1, February 1985, San Francisco, CA.
5. Boccio, J.L., Fragola, J.R., Hall, R.E., Lofgren, E.V., Samanta, P.K. and Vesely, W.E., "Program Plan for a Procedure for Evaluating Technical Specifications (PETS)," Brookhaven National Laboratory, October 1984.
6. Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants, U.S. Nuclear Regulatory Commission, NUREG-75/014 (WASH-1400), October 1975.
7. Vesely, W.E. and Goldberg, F.F., "FRANTIC - A Computer Code for Time Dependent Unavailability Analysis," NUREG-0193, October 1977.
8. Howard, R., "Dynamic Probabilistic Systems," Volumes I and II, John Wiley and Sons, Inc., New York, 1971.
9. Lewis, E.E. and Olvey, L.A., "Markov Monte Carlo Unavailability Analysis," Trans. Am. Nucl. Soc., 47, 329 (1984).
10. Buslik, A.J., "Monte Carlo Methods for the Reliability Analysis of Markov Systems," Paper No. 178, Proceedings of the International ANS/ENS Topical Meeting on Probabilistic Safety Methods and Applications, Volume 3, February 1985, San Francisco, CA.
11. Vesely, W.E., Gaertner, J.P. and Wagner, D.P., "Methodology for Risk-Based Analysis of Technical Specifications," Paper No. 32, ibid., Volume 1.
12. American Nuclear Society, and Institute of Electrical and Electronics Engineers, "A PRA Procedures Guide," NUREG/CR-2300, January 1983.
13. Vesely, W.E., Goldberg, F.F., Powers, J.T., Dickey, J.M., Smith, J.M. and Hall, R.E., "FRANTIC II - A Computer Code for Time Dependent Unavailability Analysis," Brookhaven National Laboratory, NUREG/CR-1924, BNL-NUREG-51355, April 1981.
14. Ginzburg, T. and Powers, J.T., "FRANTIC III - A Computer Code for Time-Dependent Reliability Analysis (User's Manual)," Brookhaven National Laboratory, Draft, April 1984.
15. Papazoglou, I.A. and Gyftopoulos, E.P., "Markov Processes for Reliability Analyses of Large Systems," IEEE Trans. Reliability, R-26, 232, (1977).
16. Papazoglou, I.A. and Sun, Y.H., "Risk Evaluation of Generic Fluid Systems," Brookhaven National Laboratory, NUREG/CR-3528, Review Draft, July 1982.
17. Papazoglou, I.A. and Cho, N.Z., "Review and Assessment of Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrumentation System," Brookhaven National Laboratory, BNL-NUREG-51780, April 1984.
18. Papazoglou, I.A., Bozoki, G. and Sun, Y.-H., "Probabilistic Evaluation of Limiting Conditions of Operations Outage Times for Diesel Generators," Brookhaven National Laboratory, BNL-NUREG-51781, May 1984.
19. Worrell, R.B. and Stack, D.W., "A SETS User's Manual for the Fault Tree Analyst," Sandia National Laboratories, NUREG/CR-0465, SAND 77-2051, November 1978.
20. Barlow, R.E. and Proschan, F., "Statistical Theory of Reliability and Life Testing," Holt, Rinehart and Winston, Inc., New York, 1975.