ML20133B481
| ML20133B481 | |
| Person / Time | |
|---|---|
| Issue date: | 12/11/1996 |
| From: | James Shea NRC (Affiliation Not Assigned) |
| To: | Lochbaum D, Prevatte D AFFILIATION NOT ASSIGNED |
| References | |
| TAC-M88094, NUDOCS 9701030221 | |
| Download: ML20133B481 (3) | |
Text
Q
\\
I octigt 7 it s
UNITED STATES g
,g j
NUCLEAR REGULATORY COMMISSION 4
WASHINGTON, D.C. 20eeHlo01 e
- * *,o 4
December 11,'.1996 Mr. David A. Lochbaum 9309 P Willow Creek Drive Gaithersburg, MD 20879 Mr. Donald C. Prevatte 7924 Woodsbluff Run Fogelsville, PA 18051
SUBJECT:
SPENT FUEL POOL COOLING GENERIC REVIEW (TAC NO. M88094)
Gentlemen:
As I disr.ussed in my letter dated August 22, 1996, the NRC's Office for Analysis and Evalue. tion of'0perating Data (AE0D) has been conducting a review of loss of spent fuel pool cooling issues including a review of risk studies.
AE00 has recently completed that effort. The results of AE0D's review are I
documented in the two enclosed reports. is AE00's report
" Assessment of Spent Fuel Cooling," AE0D/S96-02, September 1996, as forwarded to the Office of Nuclear Reactor Regulation in a memorandum dated October 23 1
1996. is a probabilistic risk study prepared by Idaho National Engineering Laboratories, " Loss of Spent Fuel Pool Cooling PRA: Model and Results," INEL-96/0334, September 1996. These reports are provided for your information.
As noted in previous correspondence, the staff plans to conduct safety-enhancement, plant-specific backfit analyses for a number of operating reactors. The staff proposed a schedule for performance of these tasks to the Commission in a memorandum dated October 2, 1996 (Enclosure 3). The staff proposed to complete plant-specific reviews and appropriate regulatory analyses for seven lead plants by May 1997.
4 NO 030033
\\
3 NRG ELE CEHER COPY i
C + n -7 #t e 3D 9701030221 961211 PDR
~ VL@
J
j
. Messrs. Lochbaum and Prevatte '
~
4 If you have any additional comments oE questions, please do not hesitate to call me at.(301)-415-1428.
U Y
Sincerely,
/s/
[ ;;
' Joseph W. Sh'e', Project Manager a
- m.,
l, 1 3 Project Directorate I-2
""Divisionlof Reactor Projects - I/II m
[
?-
Offic,e. of Nuc1' ear' Reactor Regulation 1
es
>u:
Enclosures:
- 1. Memorandum to F. Miraglia from E. Jordan,
" Assessment or Spent Fuel Cooling,"
f dated October"M,*"1996
~
2.'" Loss ^of Spent F el Pool Cooling PRA:
__Model'and Results," INEL-96/0334, dated September 1996
- 3. Memorandum to the' Commission; from J.' Taylor, " Response to Staff Requirements Memorandum Dated August 27, 1996-Briefing on-Spent Fuel Pool Cooling Issues,"
dated October 2,-1996 Distribution (* w/ enclosure):
Docket File
- JZwolinski JIbarra, AE00 RZimmerman PUBLIC*
JStolz
.0GC LPrividy, RI PDI-2 Reading
- M0'Brien ACRS EKelly, RI SVarga JShea*
SJones LMarsh-0FFICE PO/PM PDL-[/ M P61-2/D i
NAME b
M0hiehN JShlzs DATE
[V I
) h6
[M(/96 1
/96
~
0FFICIAL RECORD COPY FILENAME: G:\\SHEA\\L&P1196.UPD
(
1 s
3 i
f.
j
Nessrs. Lochbaum and Prevatte !
f If you have any additional comments or questions, please do not hesitate to call me at (301)-415-1428.
Sinc ely, Jo ed W. Shea, Project Manager P ject Directorate I-2 Division of Reactor Projects - I/II Office of Nuclear Reactor Regulation
Enclosures:
- 1. Memorandum to F. Miraglia from E. Jordan,
" Assessment of Spent Fuel Cooling,"
dated October 23, 1996 l
- 2. " Loss of Spent Fuel Pool Cooling PRA:
Model and Results," INEL-96/0334, dated September 1996
- 3. Memorandum to the Commission, from J. Taylor, " Response to Staff Requirements Memorandum Dated August 27, 1996-Briefing on Spent Fuel Pool Cooling Issues,"
dated October 2, 1996 I
l l
-)
d i
J p rae i
i y
UNITED STATES
~&
B NUCLEAR REGULATORY COMMISSION 1
I E
wasHINGTok. D.C. 20556-0001
...../
October 23, 1996 l
MEMORANDUM TO: Frank J. Miraglia, Acting Director Off' of N ear actor Regulation I
FROM:
d oc r l
Office Analysis and Evaluation j
of O rational Data
SUBJECT:
ASSESSMENT OF GPENT FUEL COOLING
{
i l
On February 10,1996, James M. Taylor, Executive Director for Operations, directed AEOD l
to perform an independent study of the likelihood and consequences of an extended loss of i
spent fuel pool (SFP) cooling. The completed study is attached. The study evaluated the i
SFP issues generically and consisted of six major tasks: (1) assessment of SFP 1
l configuration, (2) review of operating exoerience, (3) observations from site visits and interviews, (4) review of regulatory requirements and guidance, (5) performance of
)
l engineering assessments, and (6) assessment of risk.
The assessment found large variations in the designs and capabilities of SFPs and systems at individual nuclear plants. The operating experience review determined that loss of SFP cooling events are infrequent and the consequences of actual events have been small. The risk assessment indicates that the SFP events are not a dominant contributor to overall plant risk. However, because human error initiators and operator action required to detect and correct an error are subject to large uncertainties and because of the large variation in 1
design vulnerabilities, further plant specific actions may be warranted.
We believe that most of our findings and conclusions are compatible with those presented by NRR in the Spent Fuel Storage Pool Action Plan. However, based on operating experience, two factors are noted in the report which might require a change in emphasis in current NRC plans: (1) the frequency of loss of inventory events was relatively high comp 6ed to loss of cooling events, and (2) prompt core off-load leadeng to potential rect,ced time to boiling and more rapid boil-off of inventory if coohng is lost. The AEOD conclusions which focus on operator response to potential events are based on these two fa-tors - both factors contribute to less time available for operator response. Thus, our emphasis is on instrumentation to quickly alert operators, and effectiva procedures and training to facilitate prompt operator actions.
CONTACT:
Jose G. Ibarra, AEOD/SPD/RAB (301) 415-6345 4L: cur 177 p.pf-t
-=.
t F. Miraglia ;-.
j We believe a prompt information notice should be issued informing industry of:
1.
The importance of procedures and training to detect and respond to SFP loss of inventory and loss of cooling events, including those caused by loss of offsite power.
i The procedures and training need to address configuration controls which can 4
prevent and/or mitigate such events. The procedures and training should be consistent with the time frames over which SFP events can proceed at the soecific i
plant, recognizing the plant specific heat load and the possibility of loss of inventory due to cavity seal or gate failures.
2.
The importance of having reliable instrumentation to monitor SFP temperature and level and SFP area radiation, including during periods when offsite power has been lost, in order to detect SFP loss of coolr,nt inventory and loss of cooling events in a
]
timely manner.
j 3.
The importance of testing, maintenance, and configuration control of plant features such as reactor cavity seal or gate seals, or antisiphon devices for those plants where failures could potentiany cause loss of SFP coolant inventory sufficient to uncover the fuel or endanger makeup capability.
The issues in the attached report should be integrated into the ongoing efforts by NRR to address spent fuel pool issues in the formal regulatory process, in particular, the lessons of operating experience related to operator actions may need to be incorporated into the NRC inspection program. I am available to discuss with you issues raised by our report prior to our scheduled Commission briefing on November 14,1996.
j
Attachment:
As stated cc w/att.-
V.K. Chexal, EPRI Pat Lewis, INPO Debbie W. Queener, NOAC i
Distribution w/att.:
Public GLainas, NRR BMorris, RF.S DHickman File Center TMartin, NRR RSavio, ACRS PBaranowsky RAB R/F BBoger, NRR LSoffer, EDO SPD R/F AChaffee, NRR JWiggins, R-1 AEOD R/F RWessman, NRR AGibson, R-ll FGillespie, NRR f 4Mayfield, RES GGrant, R-ill BSheron, NRR FsEmrit, RES TGwynn, R IV RZimmerman, NRFI LL'hao, RES FCongel N
WHodges, RES KRaglin DOCUMENT NAME: C:WP51\\WPDOCS\\SFP\\MIRAGLIA.JGI To receive a copy of this document. Indicato in the hos: "C" =
weout seemmerwenctosure T e Copy weh suechmenWencamn T " 880 00PF r/
fA
.p OFFICE RAB Q <[ C D:SPDMf'g DQgOJJ D:AEOD DWF EJordan NAME Jibarraimmk CRossi 3
DATE 10Ay96 10/jf96 TDg/96 10/ /96 OmCIAL RECC RD COPY
c,.
4 p
1 i
AEOD/S96-02 4
1 4
i i
\\
1 1
4 AREERN OF SPENT FUEL COOLING
\\
j September 1996 4
2 6
4 A
i
)
i i
4 j
Prepared by:
3 Jose G. Ibarra i
William R. Jones l
George F. Lanik Hamid L. Ornstein l
Radanandan V. Pullani 2
3 4
i 1
4 4
s i
i
?
4 1
k l
4 t
i 4
i i
Reactor Analysis Branch Safety Programs Division Omce for Analysis and Evaluation l
of Operational Data
~m m
SFTU 4 5 v "
i 11g q-
4 CONTENTS 1
i i
i ABBREVIATIONS.......................................... vii 4
EXECUTIVE
SUMMARY
ix i
1 INTRODUCTION........................................
1 2 SPENT FUEL COOLING...................................
3 2.1 System Description.....................................
3 i
2.2 Imss 'of Spent Fuel Pool Coolant Inventory.......................
6 4
2.2.1 Cannarewt Systems 6
2.2.2 Gates and Scals...................................
7 2.2.3 Pool Structure or Liner..............................
8 1
2.2.4 Consequences of Loss of Spent Fuel Pool Coolant Inventory.......
8 l
2.3 Loss of Spent Fuel Pool Cooling.............................
9 i
2.3.1 Loss of Spent Fuel Pool Cooling System Flow................
9 2.3.2 Ineffective Spent Fuel Pool Heat Sink..................... 10 1
2.3.3 Consequences of Loss of SFP Cooling j
2.4 Preventing and Responding to Spent Fuel Pool Events................ 10 3 OPERATING EXPERIENCE................................. 12 3.1 Loss of Spent Fuel Pool Coolant Inventory....................... 12 3.1.1 Connected Systems 13 3.1.2 Gates and Scals................................... 15
)
3.1.3 Pool Structure or Liner.....................~......... 17 3.1.4 Spent Fuel Pool Make-up Capability...................... 18 3.1.5 Impact on Safety Equipment.........
18 j
3.2 Spent Fuel Pool Cooling.................................. 19 3.2.1 Loss of Spent Fuel Pool Cooling........................ 20 j
3.2.2 Ineffective Heat Sink............................... 20 l
4 4
3.3 Spent Fuel Pool Instrumentarian Ewh.....................
21 3.4 Ventilatian Events...................................... 21 3.5 Review of Foteign Operating Experience........................ 22 i
3.6 Operating Experience Review Findings......................... 23 i
4 OBSERVATIONS FROM THE SITE VISITS AND INTERVIEWS......... 25 5 REGULATORY REQUIREMENTS AND GUIDANCE 29 iii 4
4
\\
CONTENTS (cont.)
4 2
i TABLES j
]
3.1 Spent Fuel Pool Events 12 3.2 Ims of Coolant Inventory Events 13 3.3 Ims of Cooling Events 19 3.4 HVAC System Problems 21 4
3.5 Events at Foreign Plants.................................... 22 6.1 SFP Instri==eararian Sununary................................ 32 6.2 SFP Hesitup ralcularians 34 6.3 Radiation Shielding Farimates 35 7.1 Near-Boiling Frequencies 40 I
a I
1 1
i a
a e
1 Y
i i
ABBREVIATIONS 1
AEOD Analysis and Evaluation of Operational Data (NRC Office for)
BWR boiling-water reactor CDP core damage frequency CPR Code ofFedemiReguimions BCCS peergency core cooling system GDC General Design CJJes/ Criteria HVAC beating, ventilation, and air conditioning INEL Idaho National Engineering 14 oratory LOCA loss-of-coolant accident LOOP loss-of-offsite power NBP near-boiling frequency NRR Nuclear Reactor Regulation (NRC Office of)
NSSS nuclear steam supply system PNL Pacific Northwest Laboratory PRA probabilistic risk assessment PWR pressurized-water reactor RER residual heat removal SPP spent fuel pool SRP Srmadard Review Plan vii
I i
EXECUTIVE
SUMMARY
As directed by the Executive Director for Operations, the Office for Analysis and Evaluation i
of Operational Data (AEOD) has performed an independent assessment of the likelihood and j
consequences of an extended loss of spent fuel pool (SFP) cooling. The overall conclusions are that the typical plant may need improvements in SFP instrumentation, operator 1
}
prreertures and training, and configuration control.
Six site visits were corvhered to gain an understanding of the licensees' SFP physical j
configuration, practices, and operating procedures. Annenament found great variation in the j
designs and capabilities of SFPs and systems at individual nuclear plants.
l In November 1992, Mr. Donald Prevatte and Mr. David L--M-u anh=irmad a defects and noncompliance report on the hrehmans SFP to the U.S. Nuclear Regulatory Commission.
1 Mr. Prevatse and Mr. Iphhamn were lande,i to better understand their concerns. Their j
mport, which has paraarial generic implications, provided the imaars for the NRC and the 4
nuclear industry to take a closer look at the SFPs.
i
- AEOD reviewed the applicable SFP regulations and the NRC Standard Review Plan for the j
=ce*pr-e criteria and the applicable Regulatory Guides. Because of the evolution of the criteria and the different times that rer.ctors were licensed, the criteria to evaluate the SFP l
designs varies among the operating facilities.
i AEOD performed independent assessments of the electrical systems, mstrumentation, heat j
loads, and radiation. 'Ihese assessments were utilized to determme the typical SFP 1
configurations and potential problems.
3 Utilizing a previous Susquehanna risk analysis, Idaho National Engineering Laboratory performed model refinements that resulted in better estimates of near boiling frequencies.
No quantitative enrimare< of core damage were performed but the analysis provided qualitative insights for identification of improvements in the SFPs to lessen the risks of l
events.
I The conclusions are:
Review of more than 12 years of operating experience determined that loss of SFP coolant inventory greater than 1 foot has occurred at a rate of about 1 per 100 reactor years. Less of SFP cooling with a temperature increase greater than 20 "F has ecs.1.d at a rate of approximately 3 per 1000 reactor years. The consequences of these actual events have not been severe. However, evec:s have resulted in loss of several feet of SFP coolant level and have gow on in excess of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. The primary cause of these events has been human error.
ix
~
i i
j 1
INTRODUCTION l
In recent years there have been several instances in which the adequacy of spent fu(.1 pool (SFP) cooling systems has been brought into question. For example, Mr. David Lochbaum and Mr. Donald Prevatte, former Susquehanna Steam Electric Station plant contractors, i
submitted a Title 10 of the Code of Federal Regulations (10 CFR) (Ref.1) Part 21 report (Ref. 2) on the adequacy of SFP cooling at Susquehanna. In addition, the j
agency has had correspondence on this topic with Mr. lochbaum and Mr. Prevatte, and reviewed and re to a petition from them under 10 CFR 2.206. As a result of the j
issues raised with respect to SFPs, on February 10,1996, the Newive Director for W regpessed that the Office for Analysis and Evaluation of Operational Data (AEOD) perform an bla:=ad-=* study of the likelihood of, and consequences of, an N loss of SFP cooling (Ref. 3). On Fetmaary 29,1996, AEOD provided a plan and acharhde (Ref. 4) to perform the k-M--
M study.
l l
The 10 CFR 21 report filed by Mr. lochbaum and Mr. Prevatte postulated loss of SFP 4
cooling resulting in boiling of the SFP, failure of emergency core cooling system (ECCS) j and other equipment due to steam releases and condensation of SFP vapors, reactor core j
heatup and damage, spent fuel heatup and damage, and large offsite radioactivity releases.
AEOD has completed the independent assessment. This study:
i l
Developed generic configurations delineating SFP equipment for a boiling-water reactor 1
(BWR) and a pressurized-water reactor (PWR) and utilized these generic configurations j
to assess the loss of SFP cooling and inventory.
l l
l Reviewed and nueued 12 years of operational experience for both domestic reactors i
and foreign reactors with designs similar to that of the US.
t i
Performed six site visits to gather information on SFP physical configuration, practices, and procedures; and conrhnart interviews with Mr. Inehhaum and Mr. Prevatte to 4
j better understand their 10 CFR 21 report.
i l
Reviewed applicable SFP regulations and the NRC Standard Review Plan (SRP) for the l
acceptance criteria and applicable Regulatory Guides.
i Performed iPe nuenamenn of electrical systems, instrumentation, heat loads, and radiation to better ucderstand the role of these issues to loss of SFP cooling.
i l
Contracted with Idaho National Engineermg Laboratory (INEL) to review existing risk j
analyses and use risk assessment techniques to evaluate the risk of losing SFP cooling and coolant inventory.
i i
I j
1 i
)
i i
l l
2 SPENT FUEL COOLING A survey of SFPs indicates that a wide variety of configurations exists. This section provides simplified general descriptions of SFP configurations; the descriptions may not i
apply to any specific SFP but are considered to be typical or " generic" PWR and BWR j
SFPs. Since most plants were built prior to issuance of specific NRC regulatory guid=c, diverse Milns would be expected. For purposes of this study, loss of spent fuel cooling is considered to include subcategories of loss of SFP coolant inventory and loss of SFP cooling; this convention will be used throughout. Potential problems with SFP coolant inventory and SFP cooling whick can lead to loss of spent fuel cooling are diarnamad. The potential caamagnaanan of loss of spent fuel cooling are canaidered. Once the problems have been identi5ed, possible approaches to prevention and response to loss of spent fuel Ma=
l aimmations are described.
j 2.1 System IMydon i
Fi ure 2.1 shows a generic PWR SFP and Figure 2.2 shows a generic BWR SFP. SFPs are j
F j
constmeted of reinforced concrete, several feet thick, with a stainless steel liner to prevent leakage and maintain water quality. The pools are designed to survive seismic events although the cooling system may not. For BWRs, the SFP is generally located within the reactor building. For PWRs, the SFP is located outside the coprainment but adjacent to it in l
a separate fuel handling building or within the auxiliary building. Typically, SFPs are about 40 feet deep and vary in width and length. The fuel is stored in stainless steel racks and submerged with approximately 23 feet of water above the top of the stored fuel. The water in the SFP of a BWR is demineralized water; whereas PWRs use borated water. In addition to cooling, SFP water inventory provides radiological shielding for pe:sonnel in the fuel pool area and adjacent areas. Each plant generally has Tachaiemi Specification requirements for water level and reactivity of the spent fuel stored in the SFP.
Each plant has a source of high purity water for make-up to the SFP. The preferred sources include: the refheling water storage tank for PWRs, and the candamente storage tank for BWRs. 'Ibe normal maksep is through a connection from the water somce to the suction of the SFP cooling systema punps or a water source. SpectSc plant make-up rates have a wide range. Incal valve operations are needed to initisse SFP maheep. Planes also have abernate awahada to provide s L.g if normal makeep is unavailable.1hese may include the service water system and the fire water system.
SFP coolant inay is cooled by a dedicated cooling system. As shown in Figures 2.1 and 2.2, SFP coolant is pumped through heat exchangers where sensible heat is transferred to an intermadiate cooling system which finally rejects heat to the plant's ultimate heat sink.
The SFP cooling system takes suction fmm the SFP through a *immer or strainer at an elevation such that a level change in the SFP would cause the pumps to lose r;uction and prevent further SFP coolant inventory loss through a break in the SFP cooling system piping.
The SFP cooling retum lines either discharge near the top of the SFP or have an g
l 3
l i
anangement to distribute coolant flow around the bottom of the fuel in the SFP. With a few 1
exceptions, SFP cooling piping which extends deep into the SFP is equipped with antisiphon i
devices (usually drilled holes) to prevent loss of SFP coolant inventory should a system misays or pipe break create an inadvertent siphon flow path. SFP pumps, heat e@=;-- i, and intermediate cooling systems are single train or redundant, dependent on the 3
plant. Many plants have the capability to align the residual heat removal (RHR) system to
)
remove heat from the SFP in the event that the normal SFP cooling system is unavailable.
Bach plant has a nonsafety-related system which is used to purify and clarify the SFP water.
j nis system is oAen integrated with the normal SFP cooling system. De system is typically j
made up of filters, ion exchangers, and other supporting equipment.
l i
Most plants have leak daar*ian systems to determine if leakage is occurring fran the SFP l
liner, spent fbel shipping cask pool, or from other portions of the fuel pool or reactor cavity strucane. De leak detection system is usually made up of several channals that can be 4
inanienrod individually or the design is such that leakage empties into drains which can be monitored and raurned to either sumps, liquid radioactive waste, cleanup or other collection systems. The SFP leak detection system can usually be isolated if rwauary to attempt to reduce SFP leakage.
During refueling operations, the refueling cavity above the reactor is filled to match the level in the SFP. Fuel is moved from the SFP to the reactor via transfer canals (BWRs) or transfer tubes (PWRs). For BWRs, the movable gates which separate the SFP and the transfer canal from the reactor cavity are several feet wide and extend approximately 24 feet down to provide an opening for fuel to be moved in a vertical position. Removal and replacement of the gates requires use of the plant traveling crane because of their size and weight. Rus, during refueling, a loss of water from the refueling cavity reia:in a drop in water level would also lower the water level in the TFP. Replacarnant of the gates to isolate the leak would be a major time-consuming operation.
For PWRs, the transfer tube provides for movement of the fuel in a horizontal position. De opening provides a much smaller flow path from the SFP to the reactor cavity than 'he movabic gases of a BWR. Also, a gate valve at the SFP end of the transfer tube can be closed fairly quickly to stop the flow path from the SFP to the reactor cavity.
Radbeling cavity seals are innallari between the reactor vessel flange and the hartain of the reactor cavity to inmintain a leak proof volume during refueling operations. Both PWRs and BWRs have drains in the refheling cavity area to allow draining of the cavity when the refueling is complete. Some plants have leak daartian systems to monitor the cavity seal.
BWRs and PWRs have indicators for temperature, level, and radiation instrumentation in the SFP area. Analog meters are generally not provided in the control room for SFP level and temperature. Control room annunciators for SFP parameters generally have more than one function (e.g., low SFP level and high SFP level) for each annunciator, and local conditions usually need to be investigated to determine the cause of SFP annunciator actuation. At 5
i 4
i i
1 l
piping, whether initiated due to a pipe break or configuration control problem, would be l
limited due to antisiphon devices. However, siphoning can occur if the antisiphon devices j
are incorrectly designed, are plugged, or otherwise fail. A recent survey of all power j
reacton conducted by NRR (Ref. 5) determined that some sites do not have antisiphon devices in potential siphon paths.
l During refueling operations, when a flow path exists to the reactor vessel, inventory loss j
through the RHR, chemical and volume control system, or reactor cavity drains would not be i
limited by the antisiphon devices; the same applies when the SFP is open to the spent fuel shipping cask pool drains. For these situations, for many designs, the extent of the inventory loss is limited.by internal weirs or drain path elevations which maintain level above the top of the stored fhet in the SFP.
2.2.2 Gates and Seals A second classification of inventory loss is through movable gates or seals and, during refueling operations, the reactor cavity seal. As shown in Figures 2.1 and 2.2, both PWRs and BWRs have seals which keep water above the vessel in the refueling cavity during refueling. For BWRs, there are usually two seals required to keep refueling water above the reactor vessel; in Figure 2.2 these seals are referred to as the refueling seal and the cavity seal. Some plants use inflatable bladders to form a seal between the reactor vessel flange and the containment building (PWRs) or the drywell, and the reactor building (BWRs). In some BWRs, these cavity seals are perinanent spring steel bellows which are eWM to have little susceptibility to large leaks. There are several other types of seals used which do not rely on inflatable bladders. These include bolted cavity seal rings which use gaskets to seal between mating surfaces and perinanew seals which are welded in place. 'Ibese types of seals are not prone to rapidly developing large leaks.
'Ihe J dir.g cavity seal and movable gate seals at some plants are ' flatable seals of many m
different designs. Depending on physical r*5 of adjacent servetures, catastrophic fainme of an innatable seal could result in mpid loss of inventory. Bewever, the geometry of the A'",- between the SFP, adjacent cavities, reactor vessel, and connecting strucemes omst be considend in evaluating the vulnerability to loss of SFP coolant inventory due to inflatable seals. Many seal failmes will result in only timinad level loss because of the various physical configurations.
In BWRs, the bottom of the movable gate separating the reactor cavity from the SFP is generally above the top of the stored fuel so that for a loss of the cavity seal the level in the SFP will remain above the top of the fuel. Although the fuel would not immadiately uncover, SFP cooling would be lost due to SFP pumps tripping on loss of suction; and the remaining SFP coolant inventory would heat up to near boiling within a few hours. Also, because of reduced water level above the fuel, high radiation fields would inhibit access to the refueling floor. Plants which have gate bottoms or internal weirs which limit the draindown from cavity seal or gate seal failures to a level that would continue to provide 7
i
i 1
1 j
l..
j evaporation from the SFP. Various SFP equipment and ventilation configurations may allow
]
the water vapor to accumulate on and cause SFP cooling equipment to fail, further exacerbating the loss of inventory, i
j Where the SFP area @ric water vapor can be transported to areas which house other equipment important to safety, that equipment may be affected. This potential problem is important in some multiunit sites during and immediately following full core off-loads, where 3
j the fuel pool atmospheric water vapor from the unit refueling can be transported to areas housing safety equipment for the unit operating at or near full power. In this airnation, this transport could cause equipment required for a safe shutdown of the operating unit to be j
damsgod or to fail. ' Ibis issue is discussed in Section 7.2. Most plants have sufficient flood l
proesceion, v==ritanian and equipment separation so that this scenario is not a probism.
l However, according to the NRR sevey===ammenaar, eight==*inait slees may be susceptible to this anenario.
l 2.3 Imss of Spent Fuel Pool Cooling i
j Figure 2.3 also represents potential causes of loss of cooling to the SFP. Cooling can be lost i
by loss of SFP cooling flow or due to an ineffective SFP heat sink. Lesses of SFP cooling l
system flow can occur due to several mechanisms including: loss of electrical power to the SFP cooling pumps, pump failure, loss of suction due to loss of level, flow blockage or diversion in the SFP cooling system. Iosses of heat sink can occur due to operation with i
les than the required SFP cooling system complement or with heat loads in the SFP in
]
excess of the SFP cooling system design capability.
2.3.1 Ioss of Spent Fuel Pool Cooling System Flow All SFP cooling pumps are electrically powered. Imss of electrical power to these pumps results in loss of SFP cooling system flow. Imss of electrical power can occur due to losses of offsite power or human error in electrical alignments. Most SFP cooling system pumps have abe capability to be loaded on available on site power sources. 'Ibe NRR survey ausssement found that ibur SFPs did not have the capability to be cooled by systems which could be powered by on sine power sources.
'the likelihood of an neendad loss of SFP coolieg due to loss of electrical power to the pumps is fairly low due to the combination of available on site power, the niement, of workable procedures for power restoration, the general knowledge of the plant operations staff of the need to restore power and the time ava3able to restore power.
For other than loss.of electrical power, failure of both SFP cooling pumps is unlikely.
Except for situations where a full core has ber.n transferred to the SFP relatively soon after plant shutdown, a single SFP cooling pump generally provides sufficient cooling.
9
Preventing a loss of SFP coolant inventory due to gate seal failures or cavity seal failures relies on correct installation and testing of the seals, and testing and control of the air supply for the infla:able seals. Better seal performance could be achieved by seal replacement at intervals consistent with manufacturers recommendations or when iWon of seals shows evidence of aging, cracking, or tearing.
'Ibe response to loss of inventory events depends, first of all, on timely discovery of the event by the operator. The rate of loss of SFP coolant inventory can vary greatly depending on the cause; for example, water level drop from a reactor cavity seal failure can be quite rapid. 'Ibe reduction in level during these events is usually discovered either by direct observation by, operations staff in the spent fuel area or due to alarm aernarian in the control room. Reliable and accurate instruments and mammeimrars can alert the operator to a SFP event. If the operators are aware of a SFP event in a timely manner, the large volume of waser in the SFP will usually allow suf5cient oppornaity for operator response to diagnose and correct the problem.
Ry to loss of SFP cooling requires effective instrumentation, procedures and training.
Most operating situations would allow a relatively long time to respond to such an event.
However, following a full core off-load, the SFP could heat up to near boiling in a few hours. Operators would attempt to restore cooling either by correcting any problems with the SFP cooling system, or by initiating operation of backup cooling systems, if available.
As with prevention and response to SFP coolant inventory events, prevention and response to loss of SFP cooling is also largely dependent on configuration control and human performance. The prunary concern is to mamtmin electrical power to the equipment involved in SFP cooling.
11
1 i
Using the number of events found Table 3.2 Loss of Coolant Inventory Events i
during this study over a period of about l
12 years for which level drops could be Type of Evcet Actual
.hwr quantified, the frequency of loss of inventory events in which loss of more conomted systems 20 H
l.
than 1 foot occurred can be estimated to be on the order ofless than 1 per consguration control 16 2
'**C*U'7"*'3' WR r fer Tube 1
1 Piping 0
1 j
3.1.1 CanaertM Systems Paping Seismic Design 0
7
)
"Ibe majority oflosses of SFP coolant Gates and Semis 19 3
inventory through conacread systems ca 6
was due to configuration control g
Seal:
10 2
problems. 'Ihese connected systems 1
include: the SFP cooling and Pool structure or uner J
21
{
putification system, a spent fuel shipping cask pool, sources of make-up, Uner Laaks 7
1 I
the fuel transfer tube (s) (in PWRs), the W D' Ps 1
32 fuel transfer canal (in "WRs), and, Pool Seisde Design 0
2 during refueling, the Letor.
NUMBER OF OCCURRENCES NUMBER OF OCCURRENCES 8
to 7
8 '------------
g 5
g _____________
4 3
4 ~-~~~~---~~--
~~--~~
t s
a E
0 e
<1 1 TO 4 4 TO 8 8 TO 24
> 24
<3 3 TD ta ta 70 se'
> 80 DURATION (HRS)
LEVE1. DECREASE ONCHES)
Figure 3.1 Loss of Inventory Duration Figure 3.2 Loss of Inventory Levels Configuration Control Sixteen loss of SFP coolant inventory events were due to configuration control errors.
These events are about equally distributed between BWRs and' PWR3. Two recent configuration control events are described here.
13
j l
l l
i
'Ibe licensee determined that the minimum amount of water above top of active fuel in the
]
SFP would be about 13 feet if the operations staff failed to respond to two alarms.
l 1
i l
Another event at Davis Besse on Febmary 1,1982, (Ref.10) involved a temporary pump used to fill the SFP which created a siphon path when the pump was secured. In this j
event, about 21 feet 9 inches remained above the fuel.
1 j
One precursor event was reported in which antisiphon holes in the two SFP cooling return j
lines were not present even though 0.5-inch holes were previously thought to exist. Also, j
ihrther investigation indie=aad that the 0.5-inch holes would not have been adequate to stop a l
siphon given postulated faihees.
t l
Pressartmed Water Raneter Transfer Tobe Only one actual event was found in which the transfer tube actually leaked while closed. In
)
this event, the SFP end of the transfer tube was open and the flange on the containment end l
of the transfer tube leaked. AEOD was informed during some site visits that minor leakage j
through transfer tubes has occurred.
One site (Oconee Units 1 and 2) has a fuel transfer tube which has piping penetrations at a level 6 feet below the top of the spent fuel in the SFP. This penetration is used durmg
{
operation of the Oconee Standby Shutdown Facility. This facility has a mission time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Water is taken from the SFP through the transfer tube via the penetration and i
iP*M into the reactor coolant pump seals for cooling. In this design, conrimmt use of SFP coolant inventory for reactor coolant pump seals could have caused radiation doses in the j
SFP to reach high levels such that make-up to the SFP would be impossible. His problem j
has been corrected by adding remote make-up capability to the SFPs.
j Fiping W Piping Seiende Design i
j No actual events west found whric SFP system piping acmally leaked, causing a loss of SFP coolant inventory. However, there have been a variety of seismic piping design problems j
smported. The most prevalent type of problem involves use of the nanmmimmie SFP partScotion system for puriScation of the larse sources of tetheling water in both BWRs and 3
l in PWRs. Falkne of the nonseismic SFP purification system while enanarnad to the sefheling water somce could cause loss of this source as make-up to the SFP as well as j
compromise these sources as ECCS sources. In addition, other minor piping seismic dedsn problems were discovered and reported. Seismic analysis is discuaaad in Section 7.
i 3.1.2 Gates and Seals large losses of SFP coolant inventory have occurred through SFP gate seals. Also, there is a pae*= rial for large losses of SFP coolant inventory through reactor cavity seals.
15
canal gates. Subsequent corrective action included alternate supplies for attemate gate seals such that inner seals were supplied from one unit and outer seals were supplied from the j
other unit so that a degree of redundancy was established.
i 3.1.3 Pool Structure or Liner j
No events involving major SFP leakage have been reported. However, some events involved small leaks or;-431 leaks.
l l.
Dese were seso events involving leaking from the fuel pool liner, nese events generally l
involved relatively sanall leak rates (less than about 50 ganons per day). One event, j
involving amau tears in a PWR m6meling cavity seal, was also reponed. De events appear evenly spread.out over the review period. Dus, operating experience suggests that occurrence of SFP liner leakage is relatively low. However, Salem reported (Ref.12) a PWR design problem in which the SFP liner could buckle and leak at f
temperamres above 180 *F. His site is one of the sites which apparently does not have liner drainage isolation capability. Subsequent licensee analys s determined that the liner j
would not fail. De agency is currently evaluating the licensee's analysis.
j Iand Drops l
Only one event was found during the operating experience review in which the fuel pool i
liner was punctured by dropping a load into the SFP. His event at Hatch Unit 1 on' December 28,1994, involved a core shroud bolt which was dropped. An approximate l
0.7 gauons per minnea leak resuhed which was containad between the fuel pool liner and the l
concrete structure. De fuel pool level was restored and maintainad with normal make-up l
(Ref.13).
j i
[
nere wees no other examples of lands achially being dropped and dnauging the SFP.
However, these were unany sitnations (more than 30) involving loads heavier than aDowable beims anved or posentinny noved over the SFP. IJss than about 20 poseent of these events involved acmal downward anotion or drops or objecs (usnauy emel ---hu=9 imeo the SFP.
Although not jndged safety significant by tha==3ves, these events apresent continuing i
piecenore no poesseial SFP punceme events. %cy indicate that novament ofloads heavier j
than aHowed over the SFP is continuing even though the agency has taken steps to reduce the pecblem.
i i
Only two conditions were found related to seismic design problems with SFPs. One condition was related to block walls in the fuel handling building which could collapse during a seismic eve.nt. The walls were replaced. De other condition involved only the fuel racks.
j 17
)
N
4 l
3.2 Spent Fuel Pool Cooling i
i Table 3.3 Loss of Cooling Events j
Fifty-six events found during the operating experience review involved Type of Event Actual Precursor actual losses of SFP cooling. There i
were 22 precursor events which when l
coupled with additional failures or Cooline Flow 1Q 22
{
postulated events could result in losses j
of SFP cooling. Table 3.3 provides a SFP Pumps 39 8
j annmary of the numbers and types of Con 6 Mon Com!
't 0
j loss of SFP coohng events. Figures 3.3 j
and 3.4 provid'e an overview of the loss Loss of Pump Suction 4
0 Flow Blockage 1
0 of SFP cooling events for which Single SFP Pump Failure 5 12 P-e increase and duration could be quantified. 'Ibese figures indicate Heat Sink 6
2 j
that the losses of SFP cooling are infrequent. However, come events have j
lasted for significant time periods and four events have resulted in temperature increases of more that 20 'F. The low number of j
events found with small temperature increases may be due to a lack of reporting of such j
events.
i NUMBER OF OCCURRENCES NUMBER OF OCCURRENCES 1
25, 20, 22 l
ao
------------, g g ------;
i =em i
j 15
4e NHRS---- )
z jo[_..-.....
........ _ - ~ ~ - - -
so 1
n s'
. g.. r...,i s
s 3
s o
0
)
<1 1-4 4-s s - as
> ss o
07020 207040 40 T0 00 i
j DURATION (HRS)
TEMPERATURE INCREASE (DEG F)
]
Figure 3.3 Loss of Cooling Duration Figure 3.4 Loss of Cooling Temperatures 1
1 Using the runnher of events found dunng this study over a period of about 12 years for i
which temperature and duration could be quantified, the frequency of loss of SFP cooling
{
events in which a temperature increase of more than 20 *F occurred can be estimated to be on the order of about 2 to 3 per 1000 reactor years.
J f
1 j
19
)
i
)
3.3 Spent Fuel Pool Instrumentation Experience There have been several events involving losses of SFP coolant inventory or SFP cooling, where associated instrumentation was inoperable or failed prior to or during the events. In one event, a shared annunciator window was illuminated due to an instrumentation problem when the loss of inventory occurred. Since the window was already illuminated, the operations staff was not alerted to the loss of coolant inventory event when it began. While there have been relatively few of these instrumentation problems, they raise concerns about how SFP instrumentation is treated and regarded. Section 6.2 assesses SFP instrumentation.
3.4 V~*ilmtian Events SFP area heating, ventilatina, and air Table 3.4 HVAC System Problems l
Mitianing (HVAC) events were revbwed. Portions of these systems Type of Event Number would be needed if a postulated loss of spent fuel cooling with consequent Fuel Moved Over SFP / HVAC Inop 15 boiling and fuel failure were to occur.
Dampers 12 There were about 59 events. The Building Breaches 9
" M ved Over SFP / HVAC Inop 5
summary of the events is in Table 3.4.
Ineffic.ient Filters 5
HVAC Radiation Monitor 4
Most reported HVAC events had little Unable to Maintain Pressure 4
impact on SFP equipment related to SFP Hesters Inop 3
cooling. For example, the most Insumcient Flow 2
prominent type of event, moving fuel or Total 59 other loads over the SFP with the HVAC inoperable, is not important to SFP cooling equipment. Events related to breaches of buildings are events where doors were opened or panels were removed when they should not have been. Indication was generally received by the operations staff and the problem was corrected relatively rapidly.
Lower than required flow has not been a major problem with SFP equipment performance.
Generally, flows were near the required amount. Likewise, negative pressure problems generally did not involve significant deviations from requirements.
Problems with radiation monitors which actuate SFP HVAC have generally been identified quickly. Repair or compan==tary action was generally taken in a timely manner. Fdter efficiency problems have generally been minor.
Two types of conditions involving dampers and HVAC heaters are potential problem areas.
In the case of dampers, events indicate that sometimes the problem is difficult to identify and sometimes difficult to repair quickly. Heaters may be required to maintain relative humidity 21
i i
i and corrective actions should have been taken in compliance with procedures. The level dropped fmm about 34 feet above the fuel to about 18 feet above the fuel.
I One event involved a loss of SFP level because compressed air was lost to the gate seal between the SFP and the transfer canal. The gate between the SFP and the fuel transfer
]
canal was closed for work on the fuel transfer machine. Water passed through the fuel i
transfer tube to the containment. The fuel transfer tube could not be shut hecane the fuel transfer machine could not be moved to clear the isolation valve due to tools left in the l
machine when the area was vacated due to inco ning water from the SFP. Air was j
annannactad to the seal but excess air pressure caused the seal to burst increasing the flow j
rate to about 26,000 gaHons per hour. The operations staff was able to close off an area in i
the cantaimnant. This closure limiend the amount of volume which needed to be made up.
i About 211,000 gaHons of make-up water were needed to== lim the levels in the nantainment area, the fuel transfer canal, and SFP. This took about 7 hours8.101852e-5 days <br />0.00194 hours <br />1.157407e-5 weeks <br />2.6635e-6 months <br />. One event involved loss of refueling water at a BWR when the rubber bellows seal bnween the drywell j
and the refueling cavity failed.
3.6 Operating Experience Review Findings lesses of SFP or refueling water inventory are dominated by events involving system or SFP configuration control problems due to human error. The second most prevalent cause of loss of SFP inventory is leaking inflatable gate seals generally due to loss of air to the seals locause of human error. Iosses of inventory from SFP gates due to leaking inflatable gate seals have generally been of greater magnitude than those due to configuration control problems. Ioss of inventory due to configuration control problems is more easily controlled by the operations staff than leaks from gates. However, configuration control problems seem to have taken longer to diagnose.
Pool leakage events do not appear to have cameri problems with long-term losses of spent fuel cooling. Inadvertent movement of heavier than allowed loads over SFPs is continuing even though the agency has taken steps to reduce this potass.
The most prevalent type of loss of cooling events involved loss of electrical power to the SFP cooling pumps, generaHy due to kanan error. The few losses of SFP cooling due to loss of SFP heat evd=6 cooling were also generaHy due to human error. Both types of events resulted in losses of about the same time frame and associated temperature rises. The evt.nts were evenly distributed between BWRs and PWRs.
While conditions have been reported suggesting the possibility of SFP boiling affecting other plant equipment important to safety, operating expenence does not provide insights into what is apparently a very complex issue.
Operating experience provides only limited insight into instrumentation problems. Several loss of level events have taken place while level instrumentation was inoperable or level 23
~
l 1
I 4
OBSERVATIONS FROM THE SITE VISITS AND INTERVIEWS
~
Six site visits were conducted to gain understanding of the licensees' SFP physical j
<= figurations, practices, and operating procedures. Site selection was a cross sampling of
{
j the industry that included BWRs and PWRs, large and small architect-engineer designs, l
shared and single pools, old and new designs and all four nuclear steam supply system l
vendor designs. The sites visited were: North Anna, South Texas Project, Susquehanna, i
" Dune Mile Island, River Bend, and Calvert Cliffs. In addition to the site visits, one trip was j
made to Pennsylvania Power and Light headquarters. Two more trips were taken to conduct I
inserviews. Mr. Prevane and Mr. Inehhanm were interviewed to better understand their l
concerns as dac=nensad in the 1992 harp *hanna 10 CFR 21 report, and to apply the generic impliciition of those concerns to the industry. 'Ihe following observations are from the slee visits and the interviews. These observations are a crowM and representative of the nuclear power industry.
Each site visit included a tour of the SFP, its associated equipment, spent fuel building, and j
the control room to see the SFP indications. This t.llowed the AEOD engineers the j
oppetunity to see the physical arrangement of the equipment in relation to other equipment j
and to the rest of the plant. The tours were conducted by licensee personnel who were j
intimately knowledgeable on the configuration and equipment. Indepth discussions were conducted with the licensees on the procedures and practices utilized for the SFP activities I
and the analyses that have been performed for the SFPs. Discussions were held with control l
room operators, outage planning engineen, probabilistic risk assessment (PRA) engmeers, systems engineers, maintenance engineers, nuclear engineers, and electrical and i
instrumentation engineers.
No two SFP physical configurations were the same with respect to the locations of the SFP pump rooms, heat exchangers, and local equipment control panels. Most pumps and associated equipment are located below the level of the SFP. Most SFP cooling pumps are provided safety-related power. Swi4 rooms were not in the vicinity of the SFPs. Very l
little equipment other than refueling equipment is located in the SFF area. Within the pool area there is generally no equipment important to safety to be damaged by the inadvertent i
boiling of the pool. The pools are divided into distinct mens that are used for --We parposes, such as cask loading.
i l
Water level and temperanut sensors are located in the pools. A very visible scale generally j
danten pool level. The water level sensor is aligned with a vertical plate indicatar. Power i
ta this sensor and to the temperature sensor is generally safety related, but the sensors j
themselves are not safety related nor are there rwhmdant instruments.
{
All the plants visited had once-through HVAC systems so that SFP atmosphere is not j
recirculated to other parts of the plant. Most plants had the capability to isolate the SFP i
area.
l 1
l 4
b i
)
Some utilities have used lessons from operating experience and have done a very good job in conecting problems through better analysis, good operator aids, training, and procedure i
revisions. Some utilities have a good system to evaluate industry experience.
l i
j 1he site visits identified events where ec==M systems could have caused loss of SFP
]
coolant inventory. Many events such as draindowns are not being reported through the senadard mechanisms that would allow for the standard analysis of the events. Therefore, the actual frequency of draindowns is higher than is typically==ignad in the risk analysis. The site visits also identified that little attantian is paid to the antisiphon devices. Very few sites i
perfanned testing or had analysis on the efficiency of the antisiphon devices.
1tese is a larse variation in utility practice regarding full core off-loads versus fuel shuffles.
{'
One plant visited that had been perfonning fhl! core off-loads now plans to do fuel shuffles instead. Another punt that had intandad to do fuel shuffles now routinely does full core l
off-leads.
j haaansibility for the SFP and its systems varies among licensees. Where all have SFP system engineers, responsibility does not necessarily reside with the system engineer. The j
individual in charge of the various aspects of the SFP could reside in the Operations, System i
Engineers, Maintenance, or Nuclear Engineering organintion. In some utilities, the
]
responsibility is shared between groups. With shared arrangements, the possibility always j
exists that, if one does not know the other's responsibility, issues could be dropped inadvertently. Regardless of responsibility, when refueling starts the Operation staff seem to l
have a very tight control of the SFP.
f j
1he newer designs have more of the better features such as safety-related power, analog
)
control room meters, more parameter indientars in the control room, more sources of water, l
sad generally better qualified equipment. However, some older plants have made j
improvesnents by addag indicators or annunciators in the control room, and supplying safety-reissed power to the SFP equipment. All of the sites visited are including the SFP j
system in the equipment covered by the Maintenance Rule.
i AB the plants vished had m.-k; of good practices. Some of the good practices observed i
in our visits, but not all in one plant, include:
l Using Heanead reactor operators and training thern for the disg outages.
l Wi=g SFP risk in the outage planning.
J h
Having SFP system power restored in the top level emergency operating procedures.
j Fonning a refueling team with formal structure.
Providing classroom and simulator training in preparation for the outage.
l l
l l
27 i
]
l l
5 REGULATORY REQUIREMENTS AND GUIDANCE i
Regulatory criteria for the design of SFPs have evolved from a case-by-case basis for the i
early plants to the present criteria. Today, secapenace criteria are specified by the guidance in the Standard Review Plan, NUREG-0800 (Ref.18); several Regulatory Guides; l
and the requirements in the General Design Criteria (GDC') of 10 CFR 50, Appandit A.
i nacanaa of the evolution of the criteria and the different times that reactors were licensed, the criteria to evaluate the SFP designs among the operating facilities varies. Generally, the newer the plant, the closer the design is to the specified SRP criteria. Final acceptability of l
the SFP da-i-a. as described in the applicant's safety analysis report, is based on certain l
GDC and Regulatcry Guides, and on inderandant cair=1=tiana and staffjudgement with i
respect to sysemn fksictions and component selection. AEOD did not attempt to review any l
existies sysian ardnet the criteria but did observe =haenneint variance in the designs.
i l
The SRP provides the g+%e criteria from the applicable GDC and regulations and j
acceptable methods that can be used to meet the criteria. There are two sections of the SRP j
that apply to the SFP; SRP Section 9.1.2, Spent Fuel Storage, and SRP Section 9.1.3, Spent Fuel Pool Cooling and Cleanup System. SRP Section 9.1.2 covers the acceptance criteria for the structural aspects of the pool for coolant inventory, reactivity control, and the monitoring instrumentation. SRP Section 9.1.3 covers the accapenace criteria for the SFP cooling system and coolant temperature control. Because the AEOD study dealt with the extended j
loss of SFP cooling, the AEOD study dealt more with the criteria in SRP Section 9.1.3.
In 1970, the AEC developed Regulatory Guide 1.13, " Design Objectives for Light-Water Reactor Spent Fuel Storage Facilities at Nuclear Power Stations," to provide specific marhnds Wie to the staff for preventing loss of water from the SFP, protecting fuel from a=ch==iemi damage, and providing capability for limiting the potential offsite exposures from a significant release of radiametivity from the fhel. 'Ibe other applicable Regulatory Guides, Regulatory Guide 1.26, "Quahty Group Classification and Standards for Water,
Seesm, and Ramancrive-Wasse raa*=i=% Ca==aaa==*= of Nuclear Power Plants,"
Regulatory Guide 1.29, " Seismic Design Classifb='iaa." Pj=g Guide 1.52, " Design, Testing, and Maineramare Criteria for Engineered-Safety-Feature Atmosphere Cleanup System Air Fikration and Adsorption Units of Light-Water-Cooled Nuclear Power Plants,"
and Regulatory Guide s.s, "Information Relevant to Ensuring That nec=parinnel Radiation Exposmes at Nuclear Power Stations Will Be As I.ow As Is Reasonably Achievable," were not h' i 4 specifically for the SFP but have some guidance that applies to the SFP.
SFP overall design requirements are in Appendix A, GDC 2,4, and 5. Criterion 2 states that structures, systems, and components important to safety shall be designed to withstand the effects of natural pt:enomena such as ear %"N, tornadoes, hurricanes, floods, and ta m a m i. Criterion 4 states that structures, systems, and components important to safety shall be designed to accommodate the effects of the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents. Criterion 5 states that structures, systems, and components important to safety shall not be shared among nuclear 29
1 l
l 6
ENGINEERING ASSESSMENTS i.
i AEOD performed several engineering assessments in support of this study. The assessments l
included topics in the electrical system, instrumentation, heat load, and radiation areas. 'Ibe i
purpose of the electrical assessment was to understand the type of power supplies for SFP l
cooling system components, such as pumps, valves, and instrumentation. The instmmentation===acement included gathering of information on the type of instmmentation i
provided to monitor the system an-ers and desirable enhancemaats to the
{
instrumaatatian 'Ibe electrical and instrumentation samaatmant< were based on a review of system design data for a sample of plants and the results of the site visits.
l The heat load manaanmaar includes in<ispan< tant e=hilatiana on heat up ano ooiling of the SFP reenking from complete loss of cooling for a typical PWR and a BWR. 'Ihe calentatiaan asti==ta the time to reach boiling caantitians to determine if the time is naamistaat with the innin<try calculations. 'Ibe rantiatian mannanmaat presents the results of utility cabitatinat on
{
the radiation level that would exist for different SFP water levels. The details of the above assessments and the results are found in the following sections.
l 6.1 Electrical Assessment i
i Design features of spent fuel cooling systems of a representative sample of 14 plants were reviewed to understand the type of electrical power supplies to the SFP cooling systems at these plants. The review included representative samples of BWRs and PWRs and vendors (General Electric, Westinghouse, Combustion Engineering, and Babcock & Wilcox). The design features of electrical power supplies varied among different plant types and vendors, and sometimes even among plants designed by the same vendor.
'Ibe SFP pumps for approximately 80 percent of the plants reviewed are provided with qualified and fully intiepaanient Class IE power supplies. For these plants, the normal source of power is the offsite grid system and the emerEency source is the diesel generators. Imad shedding under I.OOP conditions is initiated by = '--w-T-relays. ARer the diesel generators have energized the emergency buses, the emergency loads are==*===rienHy started by the load sequencer. The SFP pumps are not ma*===ticany started, but need to be asumally started by the operator aRer all emergency loads are started.
The power supplies for the SFP pumps for the remaining plants reviewed arg Non-Class IE.
In the event of a I.OOP at these plants, the SFP cooling function will be lost.
'Ihc ' formation in the Faal Safety Analysis Report and other sources was insufficient to m
detennine the type of power supplies for the system valves and instrumentation, (i.e.,
whether or not they are Class IE, qualified, and redundant).
i The observations from the site visits on the type of power supplies to SFP pumps were in general agreement with those from the review. Most sites visited have Class IE power 31
i j
i i
4 l
The SFP level sensor has a narrow range, typically 4 feet, covering high and low alarm setpoints and the minimum Technical Specification level. The control room level indicator l
provided by this sensor is good only for this narrow range. Therefore, the control room l
indicatar cannot monitor level below this range and becomes useless for lower level l
conditions expected in case of a gross loss of SFP coolant inventory event.
l A direct indication in the control room of SFP level and temperature would be desirable to i
minimize operator response time for events involving rapid loss of SFP coolant inventory or j
loss of SFP cooling. The present design feature of local indication with a trouble alarm in i
the control room for these parameters may prove to be insufficient for quickly responding to events such as, full core off-load heat up due to loss of inventory. Lack of direct indicanon in the control room will complicate diagnosis of events. Typically an operator needs to be dispaehad to determine the cause of trouble, which is time consuming. Further, trending of SFP level and temperseme can be difficult, because the control room operators have to depend on infrequent local operator rounds (typically once in 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />). The capability to trend the parameters allows the operator the opportunity to react more quickly to developing problems. Therefore, a direct indication of SFP level and temperature in the control room, consisting of analog readings and annunciators, would be a desirable safety enhancement.
For most plants reviewed, SFP pump discharge pressure is used as an indication of adequate system flow. Only a few plants employ direct flow measurement. In all cases, the pressure or flow is indicated locally. An abnormal pressure or flow would be annunciated in the control room for most plants, and on the local panel for others.
The SFP liners in almost all plants reviewed are provided with some form of local leakage detection. Abnormal leakage is alarmed only for a few plants, locally or in the control room. For other plants, an operator would periodically check the leakage iletection system for any indicarian of abnormal leakage.
Plants reviewed have various radiarian monitors which are part of a sepamte system from the SFP cooling system. Local area monitors are provided for personal safety in case of a need to evacusse the area. 'Ibe other monitors are part of the station radianian monitoring system.
These monitors alarm in the control room through the anunciator syseesn. In addirian the radiation manitars have analog meters and recording signals.
The newer plants have safety-related power to the SFP instrinnantarian, but the instrenanen themselves are not safety related. The older plants have neither the safety-related power supplies for the instrumentation, nor are the instrmnents safety-related. The plants in general, new and old, have no thaary for the SFP instmmentation.
6.3 Heat Load Annetament Independent calculations were performed by AEOD staff on the heat up and boiling of the SFP resulting from a complete loss of cooling. This study calculated the SFP heat up rate, 33
4 J
assessment of the South Texas plant also indicated that, if a full core had to be off-loaded i
durmg midcycle, boiling could begin about 2 to 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> after losing SFP cooling.
Although the estimate of time to reach the boiling point and time to boiling down to top of fuel could vary among plants, the results of the AEOD calculation are indicative of the typical order of magnitude estimate for U.S. plants. These estimates are consistent with the estimates that have been provided by several licensees.
6.4 Radiation Assessment 1
In addition to providing the Table 6.3 Radiation Shielding Estimates vehicle to reinec heat from the spent fuel, the water in the pool pg,,
mg m
m a relied upon to provide shielding for plant personnel.
susquehanna o inches single 250,000 Loss of SFP coolant inventory 5 inches multiple 100.000 with decreased SFP water levels 5 feet single 2.5 can result in excessively high 8.5 feet sWe a
radiation fields which would oconee i foot multiple 900.000 prevent entry into the SFP area.
The shielding effect of the water TMI1 6.5 feet single
.007 in the SFP increases exponentially With increasing Nonh Anna 7 feet single
<.05 water level. Table 6.3 shows the results of several licensees' calculations which indicate the effectiveness of the water shieldmg associated with spent fuel.
As shown on Table 6.3, the radiation dose level at the surface of an exposed spent fuel bundle was estimated to be 250,000 rem /hr. The same bundle would produce a radiation dose level of 2.5 rem /hr with the shielding of 5 feet of water. The radiation dose level from the same bundle would decrease to less than 20 mrem /hr with the shielding of 8.5 feet of water.
Each of the plants visited had radiation detectors in the SFP areas with control room and local monitors and alarms. Discussions with plant staff indic=*d hat the peraonnel were t
well trained and very knowledgeable in plant policies and regulatory aspects of radiation, radiation control, health physics, to ensure that the exposure of personnel to rw!inrion is maintained as low as reasonably achievable. At the plants visited little information was available to the operating staff to comprehend the radiation fields that would be present in the vicinity of the SFP durmg an accident. A comment expressed at several plants was that if things went bad the radiation monitors would go off and that was the signal to " clear out."
Recognizmg the need to add water to the SFP durmg an accident from the standpoints of fuel i
cooling and personnel habitability, many plants do have remote " alternate" or " emergency" 35
y i
j 7
RISK ASSESSMENT j
l Over the years, the SFP has not received the risk assessment attention that the reactor had 4
heranee early analysis put the risk of a SFP accident an order of maeaia* below a reactor l
event. Therefore, the analyses done for the SFP were limited. However, in recent years j
several issues have required that certain aspects of the SFP be studied further. INEL was contracted to review the previous SFP risk anne <=ments and to utilize the useful insights to assess the current risk of SFP accidents. In addition to those risk insights, INEL utilized the i
AEOD operating experience review, engineering analyses, site visits, and site interviews in
}
assessing the filnelihand of SFP events.
1 I
7.1 Existing Probabilistic Risk Anae== ment
'Ibe INEL study included the review of previous risk manamamenen that were relevant to SFPs.
j These included (1) NUREG/CR-4982, " Severe Accidents in Spent Fuel Pools in Support of l
Generic Safety Issue 82," (Ref.19); (2) NUREG-1353, ' Regulatory Analysis for j
the Resolution of Generic Issue 82, 'Beyond Design Basis Accidents in Spent Fuel Pools'"
(Ref. 20); and (3) " Risk Analysis for Spent Fuel Pool Cooling at Susquehanna Electric j
Power Station," (Ref. 21).
i l
7.1.1 NUREG/CR-4982, " Severe Accidents in Spent Fuel Pools in Support of Generic j
Safety Issue 82" i
NUREG/CR-4982 was an assessmer.t performed in 1987 of the likelihood and consequences I
of a severe accident in the SFP. NUREG/CR-4982 concluded that the risk estimates are l
quite uncertain and could potentially, under the worst case assumptions, be sipdGcent. The l
nameamment identified pa*-ari=1 mechanisms and conditions for failure of spent fuel cooling j
and enhaarinent release of fission products. Mill =tane Unit 1 and Ginna, two older designs, were the plants evaluated. Frequency estimates for loss of SFP coolant inventory initin M by l
loss of cooling, missiles, and paenmatic seal faihue were very low. However, the frequency
{
estimasas for loss of SFP coolant inventory due to strucmM faihue in a seismic event and i
heavy load drops were found to be quite uncertain. In the case of seismic events, both the l
seimnic hazard and strucaual fragilities contribuse to the uncertainty range. For heavy load j
drops, human error probabilities, structural damage potentials and recovery actions were the i
primary somces of uncertainties.
'Ibe conditions which could lead to falhue of the spent fuel Zircaloy cladding as a result of cladding rupture or as a result of a self-sustaining oxidation reaction were a ^". SFP v
fission product inventory was estimated and the releases and consequences for the various j
cladding failure scenanos were provided. Possible preventive or mitigative measures were j
qualitatively evaluated. NUREG/CR-4982 determined that the uncertamties in the risk j
estimate for a pool fire are large, and identified areas where additional evaluations are i
needed o reduce uncertainty.
t
.f j
37 i
i
j k
4
}
i i
Issues." 'Ibe PNL analysis was used to augment the deterministic analysis of the l
Susquehanna plant. From their deterministic analysis NRR found that " systems used to cool l
the spent fuel storage pool are adequate to prevent uw~atable challenges to safety-related
{
systems needed to protect the health and safety of the public during design basis accidents."
i Based upon the PNL analysis NRR indicated that " loss of SFP cooling events yEE =i a j
low safety significance challenge to the plant [Susquehanna] at the time the issue [Part il i
report] was brought to the staff's attention."
Although there may be large uncertainties associated with the absolute values and specific numerical results of the PNL analyses, much insight can be gained from the PNL analyses of l
the ^7^ = station. For example, the PNL analysis shows that the most significant risk l
toducsion could be achieved from three strategies:
i (1) installing SFP level and temperstme instr =naarmeian in the control room l
(2) enhancing SFP normal and off-normal pmcedures and training staff to be proficient j
(3) cross-ticing SFPs i
7.2 Risk Assessment 1
?
AEOD obtained technical assistance in the area of risk assessment from INEL. INEL
)
reviewed the PNL Susquehanna PRA, assessed the adequacy of the risk analysis, and j
addressed the adequacy and reasonableness of the===um,ations made. INEL extracted '
j insights from the PNL Susquehanna PRA and the other relevant PRAs in industry to assist in generically assessing the likelihood of loss of SFP cooling. Information from the AEOD i
reviews of operating experience, interviews, site visits, and iP3 SFP analyses was j
used to refine the developed PRA model. This study provided quanrirative estimarea of the l
NBF and qualitative discussions about the risk of losses of SFP cooling. The following l
sections provide the results and the insights obtained from these INEL efforts j
(Ref. 23).
j 7.2.1 Risk Assessment - Quantitative Results i
l INEL cormeted modeling problems identified in the PNL study. 'Ihe event and fault trees were infined to more accurasely describe current h=T=han== plant opeestions. To refine l
the event trees, INEL staff visiend PP&L engineering of5ces and the t=9=hanna station.
j ne event and fault trees were quantified using recent operating experience data supplied by l
AEOD. In performing the analyses, INEL also refined and updatixt the data and models that l
PNL had used to account for human performance.
s In some cases the modifications and improvements resulted in increases in the NBF in the SFP, which in turn would result in increased estimates of risk. Correcting the initiating event frequencies for station blackout, LOCA, seismic events, configuration control errors, i
and seal failures would tend to increase the NBF. Counterbalancing this, the study identified 1
39 i
i
o i
O l
s l
(3)
Effect of Mr. Lochbaum and Mr. Prevatte's 10 CFR 21 Report C+g=en of the analyses that were done for the Susquehanna plant as it existed at the time 4
of the 10 CFR 21 report and after corrective actions were taken revealed that the
)
improvements that were made in the areas of instrumentation, accident response procedures, operator training, and shutdown operations reduced the estimated NBF.
i Improvements in instrumentation consisted of providing reliable SFP leveI and temperature maairaring instruments in the control room.
Improvements,in operations and accident response prnrwinves involved:
venenarian syssun isolation inmalistian of drains in the stannthy gas tremtrnent system ntilitarian of the RHR system of the operating unit to cool the SFP verification that removal of cask storage pit gates results in effective heat transfer between the SFPs (4)
Dominant accident sequences For the Susquehanna plant, the PNL analysis found that the accident sequences which were the largest contributors to NBF were extended LOOP, and LOCA. 'Ibe extended LOOP is a dominant contributor because at the Susquehanna station the SFP cooling system pumps are not on the emergency busses. The original accident scenario raised in the 10 CFR 21 report did not appear to be a significant contributor to NBF. The INEL study found the dominant contributors to NBF were LOOP and SFP inventory loss.
(5)
Deviation from the modeled plant design Risk *=rimam frtun the SFP for the heerwhanna plant may be affected by changes planned i
for future refueling outages, which may represent major deviations from the models used by PNL and INEL. Some of those anticipated changes are:
I operation without the SFP cross-tied for the fbture dry cask storage operations
- =derina of refheling outage from 55 days to 35 days partial core off-loads taking place earlier in the outage a
(6)
Oprrating experience INEL found that SFP inventory losses such as draindowns or p== tic seal failures may be important contributors to NBF at the Susquehanna plant. In previous PRAs such events were either not modeled or their occurrence frequency was assumed to be very low; once every 10,000 reactor years.
41
~
l 8.1.2 Review of existing SFP risk assessments found that after correction for several problems in the analyses, the relative risk due to loss of spent fuel cooling is low in comparison with the risk of events not involving SFP. The revM 4-' ermined that the likelihood and consequences of loss of SFP cooling events va highly wpendent on human i
i performance and individual plant design features.
i The risk name<= ment identified loss of offsite power and loss of SFP coolant inventory i
as major contributors to near boiling frequency. LOOP was a major contributor i
largely because the analysis was based on the Susquehanna plant where the SFP cooling system is not connected to emergency power.
Human
- performance h the most important factor for both loss of spent fuel cooling l
j event initiators and recovery actions. Problems with configuration control caused i
most of the SFP events. Iack of automatic fnacriaan for de**erian and recovery from i
SFP events places full reliance on operator actions. The results of risk nececcments l
involving operator actions a:e sensitive to the level of adminierrative controls, i
instrumentation, procedures, and training provided to aid operator performance.
The impact of instrumentation, procedures, and training is dependent upon plant i
specific design features. The NRR survey of SFPs identified a wide range of plant i
design fearnres and specific limitations at existing plants. Plants which har Mentified i
limitations relating to configuration control, instrumentation, procedures, an6 training l
could reduce the risk of SFP events by relatively modest improvements in these areas.
j Modest improvements to instrumentation and operations made by Susquehanna resulted in reduced risk.
i l
8.1.31he need for specific corrective actions should he evaluated for those' plants where i
faihues of reactor cavity seal or gate seals, or ineffective maisiphon devices could pataarially cause loss of SFP coolant inventory sufficient to uncover the fuel or *adaager==%=
l capability.
l Review of the SFP risk name===ent identified Less of SFP coolant inventory as a j
i major contributor to near boiling frequency and review of operating experience and j
the aise visits identified that problems with configuration control, seals, and antisiphon devices were contributors to large losses of inventory.
I The risk name===ent identified that the near boiling frequency is sensitive to individual plant specific design features and human performance. Plant specific design features which impact the near boiling frequency include paaa==ric reactor cavity seals and i
gate seals and SFP geometry which might result in draindown to near or below the top
]
of the stored fuel.
i 1
i 43 J
i m
i i
4 4
1 j
i
- 15. Stolz, J.F., U.S. Nuclear Regulatory Commission, Letter to Byram, R.G.,
j l
Pennsylvania Power and Light Company, "Susquehanna Steam Electric Station, Units 1 and 2, Safety Evaluation Regarding less of Spent Fuel Pool Cooling Issues (TAC No l
M85337)," June 19,1995.
s I
j
- 16. Washington Public Power Supply System, Washington Nuclear Plant Unit 2, Licensee Event Repon 50-397/93-018, " Spent Fuel Pool Makeup Not Ad~=== to Mitigate l
Accident Conditions," May 28,1993.
J i
- 17. Nonheast Nuclear Energy C-aany, Millstone Unit 1, I M_- Event Report 50-245/93 011-02, " Spent Fuel Pool Cooling Capacity," July 25,1996.
l 18.
U.S. Nuclear Ped =*ary r'a==ianian, " Standard Review Plan," NUREG-0800, revised periodically.
J 19.
U.S. Nuclear Regulatory Commission, " Severe Accidents in Spent Fuel Pools in Support of Generic Issue 82," NUREG/CR-4982, July 1987.
i 20.
U.S. Nuclear Regulatory Commission, " Regulatory Analysis for the Resolution of Generic Issue 82, Beyond Design Basis Accidents in Spent Fuel Pools," NUREG-1353, April 1989.
i
- 21. Battelle Pacific Northwest Laboratory, Draft Report under NRC Contract l
DE-AC06-76RLO 1830, " Risk Analysis for Spent Fuel Pool Cooling at Susquehanna l
Electric Power Station," October 1994.
s l
22.
U.S. Nuclear Regulatory Commission, "An Assessment of Risks in U.S. Commercial l
Nuclear Power Plants," WASH-1400, October 1975.
- 23. Idaho National Engineering Labomtory, " loss of Spent Fuel Pool Cooling PRA:
}
Model and Results," INEL-96/0334, hpe-lwr 1996.
i 1
i l
i j
47
I i
INEL-96/0334 I
i 4
i Loss of Spent Fuel Pool Cooling PRA: Model and Results N. Slu S. Khericha S. Conroy S. Beck H. Blackman P
Published September 1996 Lockheed-Martin Idaho Technologies Co.
Idaho National Engineering Laboratory Idaho Falls, ID 83415 Prepared for the U.S. Nuclear Regulatory Commission Office for the Analysis and Evaluation of Operational Data under JCN E8238 Technical Monitor: J. Ibarra Ag e -i n e t t
9 e
Y e-e
.I i
i i
i I
k
?
6 I
I h
i t
f e
P r
i i
?
h 1
l l
I I
j.
C i
i I
L I
+
I 3
I l
9 i
k i
h ii p
l l
6 i
i r
I t
i
)
I f
(
11 1
l
.hE_.e
.AA.Js4M.*h.A.,M*
'hh---Mdhd-E* * ' "
**"M'
~~
d I
0 e
O I
' i i
1 t
f 1
i
[
t s
{
{
~'
i i
l h
I I
s i
h i
I b
t I
es 11
~.-..__
s ABSTRACT i
i This letter mport documents models for quantifying the likelihood of loss of spent fuel pool cooling; models for identifying post boiling scenarios that lead to com damage; qualitative and l
quantitative msults generated for a selected plant that account for plant design and operational j
practices; a comparison of these results and those generated from earlier studies; and a review of available data on spent fuel pool accidents. 'Ihe results of this study show that for a mpmsentative two-unit boiling water reactor, the annual probability of spent fuel pool boiling is 5 x 10-5 and the annual probability of flooding associated with loss of spent fuel pool cooling scenarios is 1 x 10.
Qualitative arguments are provided to show that the likelihood of core damage due to spent fuel j
pool boiling accidents is low for most U.S. commercial nuclear power plants. It is also shown that, depending on the design characteristics of a given plant, the likelihood of either: a) core i
damage due to spent fuel pool associated flooding, or b) spent fuel damage due to pool dryout, i
may not be negligible.
4 I
i i
f I
1 1
1 r
i i
l iii
l i
ACKNOWLEDGMENTS The authors gratefully acknowledge the support and guidance provided by J. Ibarra, H.
Ornstein, and W. Jones (U.S. Nuclear Regulatory Commission); and the excellent cooperation provided by C. Kukielka, R. Henry, D. Roth, and numerous other technical staff members of the Pennsylvania Power and Light Company. Support for a number of calculations and in fonnatting the risk models was provided by C. Smith and D. Judd (INEL), respectively. Helpful comments on this report were provided by T. Leahy and J. Bryce (INEL); J. Bryce also provided valuable i
project management support. This work was performed under DOE Contract Number DE-AC07-94ID13223.
i i
j iv
TABLE OF CONTENTS Abstract lii Acknowledgments iv Table of Contents v
1.
Introduction 1-1
1.1 Background
1-1 1.2 Objectives 1-1 1.3 Report Outline -
1-2 1.4 Summary of Results 1-3 2.
Model Summary 2-1 2.1 Modeling Approach 2-1 2.2 Initiating Events and Cases 2-2 2.3 Event Trees 2-3 2.4 Success Criteria 2-5 2.5 Fault Trees 2-5 2.6 Human Reliability Analysis 2-6 2.7 Basic Event Quantification 2-7 2.8 Key Modeling Simplifications and Limitations 2-7 3.
Pool Heatup Results 3-1 3.1 Pool Heatup: Instantaneous Fmquencies 3-1
3.2 PoolHeatup
AnnualProbability 3-3 3.3 Comparison with Earlier Studies 3-4 3.4 Remarks 3-5 3.4.1 Caveats 3-5 3.4.2 Model Capability to Treat Other Plants 3-6 4.
Post-Heatup Accident Progression: Discussion 4-1 l
4.1 Post-Heatup Hazards 4-1 4.2 Heat and Steam 4-2 4.2.1 SpatialIsolation 4-2 4.2.2 EquipmentVulnerability 4-4 4.2.3 Hazard Mitigation 4-4 4.2.4 EquipmentRecovery 4-5 4.3 Flooding 4-5 4.3.1 SpatialIsolation 4-5 4.3.2 EquipmentVca. ability 4-5 4.3.3 Hazard Mitigation 4-5 4.3.4 EquipmentRecovery 4-6 4.4 Application to Base Case Plant 4-6 4.4.1 Heat and Steam Hazard 4-6 4.4.2 Flooding Hazard 4-6 v
i i
I TABLE OF CONTENTS (CONTINUED) i 5.
Risk Assessment Insights from Operational Data 5-1 5.1 Event Data 5-1 5.2 Mapping to Risk Model 5-2 5.3 On Reductions in Seal Failum Frequency 5-3 5.4 Concluding Remarks 5-4 l
6.
Refemnces 6-1 Anoendices A.
Model A-1 B.
Event Quantification B-1 C.
Human Reliability Analysis C-1 D.
Key Assumptions D-1 i
1 i
l i
i vi
y I
i 1.
INTRODUCTION
1.1 Background
In 1975, ti.e risk from spent fuel pools in nuclear power plants was analyzed using simple models and assessed to be very small (orders of magnitude lower in frequency) in comparison with the risk associated with core damage accident scenarios [1]. In the mid-1980's, changes in conditions (the onsite storage of fuel using high density storage racks) and new infonnation j
concerning the possibility of cladding fires in drained spent fuel pooh prompted a re-examination i
of spent fuel pool risk under Generic Issue 82. Based on value/ impact and cost-benefit analyses, it I
was determined that no actions wem required by the U.S. Nuclear Regulatory Commission (USNRC) [2]. In 1992, questions raised conceming a newly postulated accident scenario, in which boiling of the spent fuel pool leads to core damage, led to a new study, performed by the Pacific Northwest Laboratory (PNL) under the sponsorship of the USNRC, of the spent fuel' pool risk at the Susquehanna Steam Electric Station (SSES) [3). In a safety evaluation that referenced some of the results reported in Ref. 3. the USNRC staff concluded that " potential regulatory action based on safety concerns was notjustified at the SSES". [4].
More recently, the USNRC Office for Analysis and Evaluation of Operational Data (AEOD) has initiated a broader investigation of safety issues associated with spent fuel pools. The AEOD study involves the collection and analysis of event data and plant-specific information (e.g., on configurations, procedures, and training). As part of this study, the Idaho National Engineering Laboratory (INEL) has been tasked with providing a risk perspective to the investigation'. 'Ihe specific objectives of the INEL work are as follows:
' Assess the likelihood of the loss of spent fuel pool cooling for up to six different configurations.
Determine if the implications of operating experience are consistent with available risk insights and critically evaluate substantive differences.
Develop qualitative insights on risk associated with accident scenarios involving the loss of spent fuel pool cooling.
1.2' Objectives
'Ihe objectives of this letter report are to present:
a) the models used to quantify the likelihood of loss of spent fuel pool cooling; l
8 Note thar " risk", as deGned in Ref. 5, is a generic term treating both the likelihood and comequences of acculent scenanos. 'Ibe consequences (e.g., loss of spent fuel pool cooling) to be addressed in a particular study depend on the underlying purpose for the study.
l-1
b) the models used to delineate key post-loss of cooling scenarios and the qualitative impact of plant design and opuational features on the likelihood of core damage associated with these
- l scenarios; c) qualitative and quantitative msults generated for a selected plant design; and i
d) a comparison of these results and those generated from earlier studies [2,3].
l l
Note that an earlier letter report submitted to the NRC [6] documents a review of the models and results presented in Ref. 3; it also provides initial documentation of the models i
discussed in this repon. This report provides mom complete documentation of the models and the results genemted from these models.
l 1.3 Report Outline l
t Section 2 of this report outlines the event tree / fault tree model used to estimate the likelihood ofloss of spent fuel pool cooling and to ' delineate possible accident scenarios following
)
loss of cooling. 'Ihe purpose of the section is to provide a basis for interpreting the results in the following sections. The detailed model documentation is provided in Appendices A-D of the report.
I Section 3 provides the estimated near-boiling frequency (NBF) results for a base case plant (the base case is based upon the Susquehanna plant). The section also discusses how sensitivity analyses treating variations in plant design and operational practices can be performed using the model documented in this repon.
Section 4 presents a discussion on the factors that affect post-heatup accident progression.
'Ihe discussion derives the conditional core damage probability (given a spent fuel pool accident) that must be exceeded for a spent fuel pool. accident to be a significant contributor to core damage risk, and qualitatively addresses the effect of plant design features and operational practices which will contribute to this conditional core damage probability._
Finally, Section 5 presents risk assessment insights developed from a review of the AEOD database. These insights concern the degree to which the model documented in this repon reflects actual operating experience. Insights conceming earlier spent fuel pool modeling efforts are also drawn.
Appendix A of the repon documents the event tree / fault tree model developed in this study.
The initiating events, event trees, success criteria, and fault trees are presented. Appendix B presents the approach used to quantify basic events not treated in the human reliability analysis (HRA) and the values obtained. Appendix C presents the HRA, and Appendix D lists the key modeling assumptions.
1-2
1 I
1.4 Summary of Results He following conclusions regarding the likelihood of spent fuel pool boiling are based
{
upon the calculations and analysis summarized in Section 3 of the report.
l l
For the base case plant studied (a 2-unit boiling water reactor), the annual probability of spent fuel pool (SFP) boiling events is 5 x 104 The dominant contribution (56%) comes j
from scenarios initiated by a loss of offsite power (LOOP). The contribution from loss of SFP inventory events is also significant (31%).
i 4
I
{
ne instantaneous frequency of SFP boiling events during operation is 4 x 10 /yr. De 4
instantaneous fmquency during refueling is 1 x 10 /yr. The risk profile during operation is d
dominated by LOOP (66%); loss of inventory also contributes (28%). During refueling, the largest contribution comes from loss of inventory (45%). LOOP and loss of coolant accidents (LOCAs) also provide large contributions (25% and 22%, respectively).
k
. Major contributions to the likelihood of SFP boiling come from initiators involving: a) loss of inventory, and b) non-pipe break LOCAs during refueling. Dese initiators were not addressed in Ref. 3.
l He annual probability of flooding events associated with the SFP is 1 x 10. De annual 4
probability of flooding following a large seal failure is around 3 x 10.
4 l
. The annual probability of SFP events involving a large loss of inventory and boiling (but not necessarily boil-off) of the remaining inventory is 6 x 10. For single unit plants, 4
4 l
credit cannot be taken for the operators or makeup systems of the second unit and the probability may be a factor of 7 higher.
l Regarding the likelihood of core damage involving spent fuel pool initiators, note first that, i
assuming a base case (non-SFP associated) core damage frequency (CDF) of 5 x 10 /yr, the 4
j conditional probability of core damage given spent fuel pool boiling needs to be greater than 10 in 4
l ottier for the boiling scenario to be a visible (> 1%) contributor to core damage risk.' Similarly, j
the conditional probability of core damage due to flooding given an SFP event involving severe flooding needs to be greater than 2 x 10" in order for the flooding scenario to be a visible contributor to core damage risk. He following conclusions are based upon the discussion i
presented in Section 4 of this report.
For most,if not all, nuclear power plants, the conditional probability of core damage given 4
spent fuel pool boiling is likely to be smaller than 10. A small probability value is expected due to: a) the spatial separation of emergency core cooling system (ECCS) equipment (which implies that steam / heat must be carried to several rooms to create a 8 'Ihe CDF value used is roughly comet for the Grand Gulf boiling water reactor plant. Crhe CDF from the Susquehanna individual plant examination - IPE - is not used in this comparison, due to significant differences in methodology and quantification between the IPE and this study.) For plants with a higher core damage frequency, spent fuel pool accidents must have an even higher conditional core damage probability to be risk significant.
l-3
serious challenge to core cooling), b) the spatial separation of the spent fuel pool area from the ECCS equipment areas, c) the robustness of most nuclear power plant components with respect to the temperatures associated with spent fuel pool boiling, and d) the length of time available to the operators to mitigate SFP boiling (e.g., by diverting the resulting steam).
This conclusion may not be valid for plants with potentially sensitive equipment (e.g.,
l solid-state protection cabinets).
For plants with spent fuel pools housed in the same building (and above) the ECCS equipment areas, as is the situation in the base case plant, the conditional pmbability of core damage given SFP-associated flooding may be high enough to warrant additional investigation. In this case: a) the spatial separation may not be as effective as for the i
heat / steam transport scenario (the elevation boundaries may not be watertight), b) ECCS equipment are generally assumed to be vulnerable to immersion, c) the flooding times can be relatively rapid, especially in the case oflarge seal failures during refueling.
The above conclusions are the result of a limited scope study.
Key modeling simplifications are listed in Section 2; these include the simplified treatment of seal failures (the model treats only seal failures that lead to a loss of spent fuel pool inventory, but does not distinguish between different seals), the use of a simplified human reliability analysis method and the lack of a recovery analysis for dominant sequences. Key simplifications during quantification are discussed in Section 3.
These include the use of generic estimates 'for initiating event frequencies and basic event probabilities, the use of point-estimate calculations throughout, and the lack of any sensitivity analyses. It should also be noted that a number of initiating event frequency estimates are based on the events included in a June 13,1996 version of the SFP database being developed by AEOD; events added to the database after this date are not reflected in the analysis.
\\
I l-4
e i
2.
MODEL
SUMMARY
t This section summarizes the loss of spent fuel pool cooling (SFPC) model developed in this study. The description of the modeling approach and key assumptions is intended to provide a basis for interpreting the results in Sections 3 and 4.
The detailed model documentation is provided in Appendices A-D of the report.
Note that the model is based largely on the Susquehanna plant, a two-unit boiling water reactor with two spent fuel pools, a SFPC system powered off of a non-safety bus and cooled by non-safety service water, msidual heat removal (RHR) assist cooling as, backup to the SFPC system, and a safety-related emergency service water system to provide makeup when nonnal pool makeup is unavailable or inadequate. 'Ihe event tree models are generic enough to allow analyses of a variety of other plant configurations. _(For i
example, they can treat plants where the fuel pools are not cross-tied, as they are at Susquehanna.)
l However, the success criteria and the fault trees developed are intended to represent Susquehanna.
2.1 Modeling Approach The premise underlying the analysis is that events involving the loss of spent fuel pool cooling can, under some circumstances, lead to boiling of the pool. Funhermore, in a subset of these events, the consequences of these scenarios (e.g., steam release, water flooding) can affect emergency core cooling system (ECCS) equipment, and eventually lead to core damage. Even if -
core damage does not result, adverse consequences associated with the spent fuel are also potentially ofinterest [2].
This section summarizes the event trees and fault trees developed in this study. The staning point for model development was the model presented in Ref. 3. As discussed in Ref. 6, improvements have been made to improve the chronological representation of scenarios, to treat demands on operators and equipment due to core challenges during some scenarios (e.g., loss of offsite power), to increase the detail of the post boiling analysis, to conect some errors in quantification, and to reflect lessons leamed from AEOD's review of operating plant experience with spent fuel pool events.
It is useful to note that, with respect to scenarios that can affect the core, the modeling approach employed is analogous to that used in the analysis of the so-called extemal events (e.g.,
intemal fires). 'Ihis approach divides the accident scenario analysis into three portions: a) the quantitative hazard analysis (e.g., the frequency of fires of a given size in a given location), b) the equipment fragility analysis (e.g., the conditional probability of damage to a given set of equipment, given the fire), and c) the plant response analysis (e.g., the conditional probability of j
core damage, given the loss of the given set of equipment). In simplified mathematical form, CDF = [ Aj$,gj$cdij,ed (2.1)
J where 1; is the frequency of hazard scenario j, $, is the conditional probability of equipment damage, given hazard scenario j, and $, is the conditional probability of core damage, given equipramt damage and hazard scenario j.
2 j
In this study, it can be seen that corresponds to the near boiling frequency (NBF) associated with a given scenario; this is assessed quantitadvely. De term $,, on the other hand, l
is not quantified. (His term is highly dependent on the particular geometry, equipment layout, and j
ventilaticn conditions for the plant being analyzed. Furthe Tnore, the analysis of heat and mass transpon needed to suppon quantification is beyond the scope of this limited study.) Instead, qualitative issues affecting the likelihood of equipment damage am discussed. Note that the term
$, can be quantified using the intemal events model for the plant in question, as long as the likelihood of operator errors is not drastically affected by the spent fuel pool boiling event.
Regarding the panicular analysis approach employed, the SAPHIRE [7] software package is used to irnplement a fault tme hnking approach. He SAPHIRE database produced is not documented in this repon.
2.2 initiating Events and Cases t
ne inidating event categories and specific initiating events (acronyms in parentheses) treated in this study are as follows.
Loss of Spent Fuel Pool Cooling System (LSFPI, LSFP2, LSFP3) l Loss of Offsite Power (LP1, LP2, LP3)
Loss of Spent Fuel Pool Inventory (LINVC, LINCS, LINVR, LINRS) t.as of Primary Coolant (PLOCA, PLOCR)
Seismic Event (EQE) ne LSFPI initiating event covers a loss of the SFPC system for Case 1 (both units operating, as defined below); LSFP2 and LSFP3 cover Cases 2 and 3 (also defined below). nese events treat system loss due to hardware failures and human errors. They also include system loss due to loss of cooling to the SFPC heat exchangers and due to intemal flooding and fires.
Note that in principle, the loss of heat exchanger cooling, intemal flooding, and intemal fires should be treated as separate initiating events, since these causes for loss of SFPC might also affect other parts of the plant. (At Susquehanna, heat exchanger cooling is normally provided by a j
non-safety service water system.) Dese events are intendonally grouped with direct losses of SFPC because of the limited scope of this study, and because the results of Ref. 3 indicate that, at least in the case of Susquehanna, the contributions to risk from the loss of service water and internal flooding initiators are relatively small.
De LP1, LP2, and LP3 initiating events treat loss of offsite power (LOOP) events for Cases 1, 2, and 3 (defined below). Note that unlike the model in Ref. 3, the analysis of station blackout (SBO) events is integrated in the LOOP model.
2-2
De LINVC, LINCS, LINVR, and LINRS events include losses of inventory from l
leaks / breaks from the piping (including misalignments) or gates / seals. (LINVC and LINCS treat large and small leaks, respectively, when all units are operating - Case 1; LINVR and LINRS l
treat large and small leaks, respectively, where one unit is refueling - Cases 2 and 3.) Only leaks / breaks for which the outgoing flow rate exceeds the normal makeup flow rate am considered.
Losses ofinventory due to stmetural failure of the spent fuel pool boundary (e.g., due to missiles, heavy 1oad drops, thermal stresses) are not treated. This category of events may need to be re-examined, depending on the quantitative results of the models documented in this study.
The PLOCA and PLOCR events respectively cover primary system pipe break loss of coolant accidents (LOCAs)in an operating unit and non-pipe break LOCAs (e.g., maintenance-induced LOCAs) in a unit undergoing refueling. (PLOCA treats situations when all units are operating - Case 1; PLOCR treats situations where one unit is refueling - Cases 2 and 3.)
These events are of potential concern because, depending upon plant design, a LOCA can lead to a j
trip of the SFPC system, and because it creates a demand for the RHR system, which serves as an alternate cooling system for the spent fuel pool. In the case of LOCAs during refueling, the event also provides a potential means for quickly draining the spent fuel o001 down to the bottom of the transfer gate.
The EQE event covers seismically-induced losses of offsite power, SFPC piping integrity.
and spent fuel pool boundary integrity. Two classes of earthquakes are treated: those with peak ground acceleration (PGA) between 0.2g and 0.6g, and those with PGA above 0.6g.
The response of the plant to an initiating event depends on the operational states of the reactor units. The following different plant corfigurations (" cases") are analyzed in this study:
Case 1 - Both units operating.
Case 2 - Unit 2 operating, Unit I refueling (1/3 core offload).
Case 3 - Unit 2 operating, Unit I refueling (full core offload).
It should be recognized that although some of the event trees presented in the following section are used for a number of cases (e.g., the PLOCR event tree is common to Cases 2 and 3), a separate analysis may be performed for each initiating event / case combination. This allows for changes in top event success criteria and failure probabilities to represent differences between situations (e.g., reduced time to boil, increased presence of plant personnel on the refueling floor).
2.3 Event Trees Event trees are used to represent the sequence of events following an initiating event. In general, the structure and level of detail of the NBF trees developed in this study (see Appendix A) are similar to those of the event trees presented in Ref. 3. The three key differences are as follows.
1) nose trees that model initiators with potential direct impacts on the core (LOOP, seismic.
PLOCA) include a top event (UNREC) indicating if recovery is uncomplicated. Assuming 2-3 1
j that operators are generally more concerned with the core than the spent fuel pool, a complicated recovery can inhibit the operators from devoting sufficient resources to deal with the spent fuel pool in a timely fashion. Appendix B provides the operational definition for complicated scenarios used in this analysis.
i.
2) ne tmes explicitly allow for the possibility that operators will not respond to the initiating i
event until pool boiling occurs. This delay can be due to lack of awareness (e.g., failed 3
instrumentation) or distraction (e.g., due to a complicated recovery). Note that the AEOD database includes a number of events in which operator response was delayed for many 4
hours, sithough none were delayed to such an extent that pool boiling occurred.
I 3)
He LOOP, seismic, and primary LOCA trees represent the possibility of " direct'com j
damage" (i.e., core damage not due to the consequences of a spent fuel pool scenario) for
]
complicated scenarios. He purpose of this treatment is to ensure that any final core damage frequency estimates developed from the results of this study do not double count risk contributing scenarios. (Thus, for example, station blackout scenarios which lead j
dimetly to core damage are not included in the NBF estimation, even though they could lead to pool boiling.)
l-As an example, part of the NBF tree for the LP1 initiator is shown in Figure 2.1.
De i
event progression model underlying Figure 2.1 is' presented in Appendix A. In addition to top events representing the success / failure of systems and key operator actions, the figure shows a i
" flag" (non-probabilistic) top event (FVPWR) used to model the plant design, a top event to represent the current plant status (GSTAT), a top event used to model the fraction of times a given i
scenario is not complicated (UNREC), and a top event used to model the fraction of times a complicated scenario does not lead directly to core damage (NCD). De top events are defined in success terms; per the usual convention, a "Yes" answer to a given top event question selects the upper path at the corresponding event tme branching point.
l De post-heatup event tiees (PHETs) are presented in Appendix A. These trees treat the j
progression of selected accident scenarios past pool heatup; one or more separate trees are j
developed for each non-successful endstate of the NBF trees. (Multiple trees are required for endstates where steaming and flooding effects are of potential concem.)
They address the following issues: the spatial isolation of the spent fuel pool from other safety equipment, the vulnerability of exposed safety equipment to the hazards associated with the scenario (i.e., heat and humidity from pool boiling, water from losses of pool inventory), the ability of operators to dive:1 c
steam / water away from the safety equipment, and the recoverability of safety equipment affected by the steam / water.
As an example, the FPISI event tree, whose entry condition involves the bss of spent fuel pool cooling (from the SFPC system, the RHR system, or any other altemate cooling system) and subsequent pool boiling,is shown in Figure 2.2. As in the LPI tree, there is a flag event (FSPIS) modeling the plant design (in this case, the degree ofisolation of key ECCS equipment with regard to heat and steam from the spent fuel poc!). There is also a phenomenological top event (SSNV) which models the vulnerability of ECCS equipment to the heat and steam hazard, and two top events modeling the operator and system response.
2-4
The CDF event tme top events are not intended for fault tme analysis. Rather, they raise key questions whose answers can be used to identify entry states into an internal events tree.
(Again, this is analogous to the approach used in the analysis of such external events as fims and floods. For example, a fire in a given location may lead to damage of diffemnt sets of components, depending on the result of the competition between growth and suppression processes. A major part of the fire analysis is to define the likelihood of damage of different sets of components; this information is then fed into a conventional event tree model.)
2.4 Success Criteria b.
i De hardware success criteria developed for each event tree are presented in Appendix A.
De success criteria for operator action top events are implicitly defined; the human reliability analysis (HRA) is described in Appendix C.
An example set of success criteria is shown in Table 2.1. Rese criteria, which apply to the LOOP scenario, Case 1, are based on the analysis of Ref. 3, and are appropriate to the i
i Susquehanna plant. (In general, altemative success criteria will need to be developed when analyzing other plants.) It can be seen that the success criteria depend on the plant's electric power state during the scenario. While not shown (because the relevant portions of the event tme are not shown in Figure 2.1), the success criteria also depend on the status of the gates separating the two spent fuel pools.
2.5 Fault Trees l
Fault trees have been developed to describe how each of the top events in the model can occur. (A number of these are trivial-they have only a single basic event.) The complete set of fault trees is provided in Appendix A.
For the non-trivial fault trees, e.g., for treating the unavailability of the SFPC system and the RHR system (s), the models supporting Ref. 3 have been used as a starting point. Dese trees have been modified using a modeling approach similar in spirit to that used in developing Accident Sequence Precursor (ASP) models (see for example Ref. 8). Using this approach, components on a single pipe segment are generally grouped into super-components. In some cases, entire trains of equipment are treated with a single super-component. Also, a number of low probability failure modes (e.g., normally closed manual valves transferring open during the scenario) are omitted.
This simplified approach is judged to be adequate for tmating spent fuel pool scenarios whose risk, as shown in Ref. 3, tends to be dominated by human error contributions.
An example fault tree for top event R1 (modeling the failure of the Unit 1 RHR system to start and mn during a loss of spent fuel pool cooling system scenario, Case 1) is shown in Figure 2.3. (The simplified system piping and instmmentation diagram showing how the fault tree super-components are developed is shown in Figure 2.4.) It can be seen that tie tme includes common cause failure and human error basic events. (The scenario-dependence of human error is treated during the accident sequence analysis; mle sets specifying which human error probability is used under which conditions are developed by the analyst and used by SAPHIRE during quantification.) Note that the tme also includes a number of basic events modeling the closing of 2-5
i
+
normally open manual valves.
While not generally significant contributors to system unavailability, these failures are typically included in the ASP models.
1 l
From the accident sequence perspective, it is important to observe that only a single train of RHR is modeled. This is due to the assumption that one train of RHR is always reserved for standby core cooling.
t 2.6 ' Human Reliability Analysis l
In keeping with the simple modeling approach used in other parts of the analysis, a simple human reliability analysis (HRA) technique is employed. This technique, documented in Ref. 9, is i
a worksheet-based approach developed for the ASP program. A sample worksheet for a single action is shown in Figure 2.5. The analyst evaluates the following performance shaping factors i
(PSFs) relevant to a given action and modifies base human error probabilities (HEPs) based on the evaluation.
Complexity, stress, and workload Experience / training Procedures
&gonomics Fimess for duty j
Crew dynamics i
The first four PSFs are of special interest to this study, due to the nature of the spent fuel pool accident scenarios hypothesized. For example, some of the modeled actions (e.g., placing RHR in a spent fuel pool assist cooling mode) can be fairly complex and time consuming; I
variations in scenario timing, e.g., due to different decay heat loads, can affect the time available (which affects workload); procedures may not be well developed for some spent fuel pool scenarios because they have not received as much attention as direct core damaFe scenarios; and some of the needed accident mitigation equipment may not be accessible during the scenario (e.g.,
elevated radiation levels near the pool during a severe draining event). (The last problem can be.
considered, in a broad sense, as an ergonomics issue. Another important ergonomics issue l
concems the human-machine interface, as this affects how operators are informed of spent fuel pool conditions and how they manipulate components in response to their indications.)
he likelihood of failure of subsequent actions is treated using a second worksheet (see Figure 2.6). This worksheet addresses issues that could increase the dependency between actions.
His study treats multiple unit actions (e.g., failure of operators at Unit 2 to restore spent fuel pool j
makeup using Unit 2 systems, given that operators at Unit I have failed using the Unit I systems) using the worksheet. (In general, the result is that there is a moderate level of dependency between actions.)
4 The base HEPs and the modification factors used in this procedure are derived from the j
i widely used Technique for Human Error Rate Prediction (THERP) [10] methodology. Thus, the approach does not represent a fundamentally different approach to dealing with human errors; 2-6
rather, it is a consistent, psychology-and human factors-based compilation which allows relatively quick (if sometimes conservative) estimates of HEPs under a wide variety of conditions.
2.7 Basic Event Quantification As indicated earlier, the fault trees used in this study are super-component based. The unavailability of a given super-componentis approximated as the sum of the unavailabilities of the j
components contained in the super-component definition. The base component unavailabilities, in.
turn, are the same generic values used in the ASP models [11,12]. The basic events and associated unavailabilities used in this study (including a breakdown into components where relevant) are j
i listed in Appendix B.
In some cases, the basic event values (e.g., for the relative frequency of SFPC system leaks versus SFP boundary leaks) are derived. The estimation process used for each of these values is presented in Appendix B.
\\
2.8 Key Modeling Simplifications and Limitations Because of the limited scope of this study, a simplified approach has been used in the modeling. Attempts have been made to ensure, where appropriate, that the simplifications have been applied uniformly across the initiating events analyzed, in order to avoid distonion of the computed risk profile. However, some distortion is inevitable.
Some of the key modeling simplifications are as follows. (Caveats due to simplifications in the quantification process are discussed in Section 3.)
De loss of inventory models distinguish between losses of inventory from the spent fuel pool cooling system and those from the spent fuel pool (via seal failures), but do not treat the precise location of the leak. (For example, if a loss of inventory due to seal failure occurs, the model does not address which seal has failed.)
Recovery analysis has not been performed for any of the dominant sequences or cutsets.
(Such an analysis treats operator actions in restoring unavailable equipment.)
A simplified HRA method (described in Section 2.6 above) has been used. His method does not require a formal task analysis, and is not sensitive to the detailed characteristics of available operating procedures.
De same HRA models have been employed for the two refueling cases (Cases 2 and 3).
De time windows used are appropriate for Case 3 (full core discharge).
The PLOCR model, which treats a LOCA during refueling, treats all LOCAs as being relatively large (e.g., the equivalent diameter of an RHR pipe).
It has been assumed that when plant recovery from a LOCA, LOOP, or eanhquake is complicated, the operators will not deal with a loss of spent fuel pool cooling until near 2-7
o
. boiling conditions develop. (A " complicated recovery" is defined as a plant recovery giver, j
one or more of the following conditions: offsite power is unavailable and one or more emergency diesel generators are unavailable; one or more relief valves is failed open or closed; high pressure coolant injection is unavailable; RHR is unavailable; an earthquake with peak ground acceleration greater than 0.2g has occurred. Details on the modeling of complicated recovery are provided in Appendix B.)
In sequences where the operator response to a loss of spent fuel pool cooling is greatly p
delayed,it has been assumed that RHR assist cooling will not be employed because of the length of time required to establish this mode of cooling. This assumption is based on an estimate of 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> provided for Susquehanna; for other plants, the time required may be sufficiently less that RHR assist cooling could become a viable option.
It can be seen that some of these simplifying assumptions tend to make the model predictions more costservative. 'Ihe degree of conservatism cannot be determined without more detailed study or at least some sensitivity studies. Both of these options were not pursued due to the limited scope of the project.
i f
2-8
9 l
Tabk: 2.1 - Success Criteria for LPl (Case 1, Pools Cross-Connected)
DGs Available Offsite Power SRIO2 LSIO2 ALT C All Early recovery 2 of 6 SFPC pumps or 2 of 6 SFPC pumps Any available alternate I train RHR in any unit coolina system All Late recovery I train RHR in any unit 2 of 6 SFPC pumps Any available alternate coolina system All None I train RHR in any unit Not modeled Any available alternate coolina system Some Early recovery 2 of 6 SFPC pumps or 1 2 of 6 SFPC pumps Any available alternate train RHR in any unit cooling system Some Late recovery Not modeled 2 of 6 SFPC pumps Any available alternate coolina system Some None Not modeled Not modeled Any available alternate coolina system None Early recovery Not modeled 2 of 6 SFPC pumps Any available alternate coolina system l
I i
l l
l 2-9
0 m
9 0"
e-n N
e-e erEnerBe-e:Een-No Senemenenermeer-E Nn n
Nn N e e
o ene e t t t t t t t t e n t t t t t t t t t t t t t t t t t t t t t t t t e s s.
5 "NO 'OE b 8 0nE e=e----
EN NhN NNN MMb N
M u
r a
Q1 4
ist a
9 I
S
.g m
'.I_
-D a
1v
]l s.
.s C_
UC t
a C.
2 l
?!
=
a}f 8
- i g
s hi E s
m 1% E f
b l
a L
4 1
Oo I-l E
N y
g 2
8 I
fi no E
=
.3 a:
d h
i- -
Ij s
I h
V 0
N
{j,.
=
s E
,o I
ti 3
=
i.g jfs b
e V
NNNYY C
V S
YYYYY 1 2345 Q
E S
d R
e e
e r
rev V
T o
t c
S n
e S
e r
v S
E S
p u
ta c
I M
I n
t mo so ais M
P er t e Sv T
I id S
S IPF 2
2 e
e V
t r
ol u
nb N
g o
S i
r is e F
ln S
Su Sv l
)
S S
a S
i I
ton-P pop SiF S
to (S P
glot lo i Fissxe ro 1
fCg S
sP n i
I rFl eS o P
o F
fs c n o a n r
T g
O e
O 9
lol 3,4-l l0,l
~
~Oli 13 ll
- I, j
Ik
- #!O!
- j,O'i
'l i
- l1!Ol 3
=
h L
!:,bO
- li!Ol
=m g
.g
~ gi 1
~ Oh s.
iii g:l
.n yQ,
$O!
-1, I
RIRI-PSF-CC-DISA
...... wh
....... vy
_f wah.
7,
(/y RIRI-PSF-CC-DISB s
j g-U RIIRI-XVMCC-SUC S 2 w -2%
_.)
\\V
V l. :
's RilRI-XVM OO-Ol7A F'
LA F'
RilRI-XVM OO-SIPI Rimi-XVM4)OAA 3 r g
l RIRI MDP-IC-1 A l
- Q4:!
Riml IITX-IC-I A
~-'
1 7 h::
X RIRI MDP-IC-1C
' i 1 P Rimi-xvu-ooac j (
w2 VR N
N w,
r, NI X
Figure 2.4 - Simplified Piping Diagram, RilR System t
l J
l Plant:
Sceneno:
Sequence Nussber:
Cutset:
Task Error
Description:
Ensamms Raspanse eaad quae earne high threat'D_xpansive tune iquae tune 5 5
2 2
& stress t
i
- 1. Cosuplemity, stress.
and workload jinadequaetime se Iow threat
- f use time i 1
& strens expnasive time 1 1
poor training 10 10 low expen.ence
- 2. Expenenecaraining lugh expenence good training 0.5 0.5 l
procedwes absent 10 10
- 3. Procedure <procedwes present poorprocedures 5 5
1 goodprocedwes 1 1
i i
5 5
old plam < poor ergonomics good ergonotrucs 1
1 3
3 retrofit plant (poor ergomonues
- 4. bgonomics good ergonomics 0.7 0.7 2
2 new plant < poor ergomonucs good ergamonues 0.4 0.4 unfit 25 25
- 5. Fitness fcr esty 10 10
- 6. Crew dymannes < poor crew dynamics good crew dymanucs I
Congdsamy. Exponemos/ Procedures Ergonomes Fases Caw seems, sad naams tw dynamuce Task Portion Pr~*=eine Failwe Probabihty
- .10 E-2 a a
a a
a
=
Response Failwe Probabdity Response-10 E-3 s a
a a
a a
=
+
Tuk Felure Probalmhty Without Formal Dependence 1
i Figure 2.5 - ASP HRA Worksheet (Sheet 1 of 2) i 2 14
1 l
i DEPENDENCY CONDITION TABLE l.
Condition Crew System Location Time Cues Dependency Number of Number (same or (same or (same or (close in (additional Human Action l
different) different) different) time or not or not Failures l
close in additional) time l
i complete if this 1
s s
s c
2 s
s s
e m
We 3
s s
s ac a
moderate erroris the l
4 s
s d
c high 5
s s
d ne na moderase thirderror 6
s s
d ne a
low l
l 7
s d
s c
moderase in the 8
s d
s ne na low 9
s d
s nc a
low sequenx 10 s
d d
c mnderme I
11 s
d d
nc na low then the 12 s
d d
ne a ~
low 1
13 d
s s
c moderate ir. ira y l
14 d
s s
nc na low 15 d
s s
nc a
zero is moderate.
16 d
s d
c zero l
17 d
s d
nc na zero if it is the 18 d
s d
ne a
r.so i
19 d
d s
c low fourth error 20 d
d s
ne na zere.
21 d
d s
ne a
zero J- ;- - h-y 22 d
d d
c zero 23 d
d d
ne na zero is high 24 d
d d
nc a
zero i
l Using N= Task Failure Probability Without Formal Dependence (calculated on previous page):
For Complete Dependence the probability of failure is 1.
i For High D*e the probability of failure is (1+Ny2
)
For Modenne Dependence the probability of failure is (1+6N)n For low D* the probability of failure is (1+19N)/20 For Zero Dependene the probability of failure is N i
))/__ =
Task Failure Probability With (1 + (
FormalN drv i
l Figure 2.6 - ASP HRA Worksheet (page 2 of 2) t 2-15
3.
POOL HEATUP RESULTS 3.1 Pool Heatup: Instantaneous Frequencies As shown in the example LPl event tree shown in Figure 2.1, a loss of spent fuel pool cooling accident can lead to a number of diffemnt endstates, depending on the sequence of events comprising the accident. The endstates defined in this study are:
FPISI - Spent fuel pool boiling FPIS2 - Spent fuel pool heatup (cooling restored late)
FPIS3 - Spent fuel pool steaming (alternate cooling employed in " feed and boil")
FPSF1 - Spent fuel pool boiling; flooding from loss ofinventory or LOCA FPSF2 - Spent fuel pool heatup; flooding from loss of inventory or LOCA FPSF3 - Spent fuel pool steaming; flooding from loss of inventory or LOCA CD - Direct core damage (damage not caused by spent fuel pool heatup)
OK - Success state FPISI and FPSF1 are the most significant spent fuel pool-related endstates from the standpoint of SFP-heatup induced challenges to other plant systems; the other endstates am included in case a plant has a special vulnerability to steam or hot air (e.g., if solid state protection system cabinets can be exposed to the steam / hot air). From the standpoint of flooding following a loss of inventory or LOCA event, the FPSF2 and FPSF3 endstates also are potentially important.
Table 3.1 shows the initiating event frequencies used in this study; Table 3.2 shows the resulting frequencies for each of the endstates for Cases 1, 2, and 3. (Recall that in Case 1, both units are operating; in Case 2. Unit 1 is refueling and has offloaded 1/3 of its core; and in Case 3.
Unit 1 is refueling and has offloaded its entim core.) It is important to note that even though the units of the frequencies shown are per year, these are instantaneous (and not annuahzed) frequencies. Thus, the Case j probability of Endstate i occurring over an arbitrary time interval
[0,t]is given by:
P{Endstate i in (0,t]I Case j} = l-e* - Aij t (3.1) where A is the appropriate frequency obtained from Table 3.2. (The approximation on the right g
hand side of Eq. 3.1 is reasonable as long as (t < 0.1.) In order to obtain the annual probability of endstate i, the contributions from each case are weighted and summed. 'Ihe results of this weighting and summing are provided in the next section.
It should also be noted that the dimet core damage (CD) endstate frequencies are underestimated for some scenarios. Because this endstate is being treated only to ensure that scenarios which lead to core damage before pool boiling are excluded from the analysis, the CD endstate was not modeled for some sequences where SFP cooling is assured. The CD endstate frequencies are provided for accounting purposes only, and should not be interpmted as representing the total core damage frequency.
3-1
e Table 3.2 shows that for Case 1 (both units operating), three initiating events contribute almost 90% of the frequency of SFP boiling (i.e., endstates FPISI and FPSF1); they are loss of offsite power (LP1), small loss of inventory (LINCS), and large loss of inventory (LINVC).
Desc contribute 66%,17%, and 11%, respectively, to the frequency of boiling. For Cases 2 and 3 (one unit refueling), four initiating events contribute over 90% to the frequency of boiling: loss of offsite power (LP2 and LP3),large loss ofinventory (LINVR), primary LOCA during refueling (PLOCR), and smallloss ofinventory (LINRS). The contriSutions to the pool boiling frequency from each of these initiators ranges from 20 to 25% For all cases, the loss of the spent fuel pool cooling system (LSFP1, LSFP2, and LSFP3) initiator and the seismic (EQE) initiator are visible but not large contributors.
It can be seen in Table 3.2 that the relative contribution of LOOP to the pool boiling frequency is significantly higher for Case 1 than for Cases 2 and 3. This is not because the absolute frequency of LOOP-induced pool boiling changes, but rather because the instantaneous frequencies of the other contributing initiators (loss of inventory, LOCA) are significantly lower during operation than during refueling. (See Table 3.1.)
Note that the earthquake contribution is low because most eanhquakes large enough to cause problems with the spent fuel pool are large enough to be a significant hazard to the rest of the plant. (De endstates FPISI and FPSF1 only include scenarios involving pool boiling but not direct core damage.) Similarly, a number of imponant PLOCR-initiated scenarios involve direct core damage, and do not contribute to the FPISI and FPSF1 endstates.
Note also that the results for the 1/3 core discharge (Case 2) and the full core discharge (Case 3) are only slightly different. This is due to the dominance of human error as a contributor to failure and a modeling simplification mentioned in Section 2.8: the Case 3 time windows used for the different human actions were employed for Case 2 as welt This simplification was made to reduce modeling effort; a deeper investigation of the different contributions of different refueling strategies should be conducted for this issue.
Tables 3.3a through 3.3d list the Case 1 and Case 3 cutsets for the FPISI and FPSF1 4
cadstates which have instantaneous frequencies greater than 1.0 x 10 /yr. (De results for Case 2 are very similar to those for Case 3.) Bese tables show the instantaneous cutset frequency, the percent contribution of the cutset to the total endstate instantaneous frequency, the initiating event, the subsequent basic event successes and failures, and some notes on the cutsets.
For both endstates, it can be seen that very few hardware-related basic events are included in the top cutsets. Most of the basic events involve the failure of operators / plant personnel to perform a required action; also included are basic events modeling the failure to recover offsite power.
Table 3.3a lists the dominant FPISI cutsets for Case 1. Seven LOOP scenarios contribute over 50% of the totalinstantaneous FPIS1 frequency; these scenarios involve situadons where the two spent fuel pools are isolated (so SFP cooling must be restored in both units) and where the operators fail to respond early enough to employ RHR in the SFP cooling assist mode. Two loss ofinventory scenarios contribute more than 10% to the FPISI frequency. One scenario involves 3-2
P the operators failing to respond early and failing to provide makeup late. The other scenario involves failure to provide makeup after the leak has been isolated.
Table 3.3b lists the dominant FPISI cutsets for Case 3. Two of the most important cutsets involve a small loss of inventory followed by fcilure of the operators to nide makeup; they contribute over 25% of the endstate frequency. De seven LOOP scenarios, weh also contribute more than 25%, are similar to the scenarios discussed in Case 1; they involve failure of the operators to respond early.
He single dominant FPSF1 cutset for Case 1 is shown in. able 3.3c De cutset involves failure io isolate a large leak in SFP cooling system and failure to provide makeup.
De two dominant FPSF1 cutsets for Case 3 are shown in Table 3.3d.
Both cutsets involve failure of isolation and failure to provide makeup. It should be noted that, as shown in Appendix C, the human error probability used for these cutsets takes credit for the presence of a second unit and operating crew (the reduction factor is 0.14, or about In). For a single unit plant, or for a multi-unit plant where the spent fuel pools are not cross-connected, such credit may not be taken. The instantaneous frequency of endstate FPSF1 during refueling may then be 2.6 x 10"/yr.
Even after weighting the frequency to account for the fraction of time the plant is undergoing refueling, the resulting annual probability of endstate FPSF1 (which involves boiling in a drained 8
pool) is on the order of 3 x 10. His is higher than the total probability of pool draining 4
employed in Ref. 2 (around 7 x 10, as shown in Table 3.7). It therefore appears that for a number of plants, the probability of cladding fires may be higher than the value used in Ref. 2.
3.2 Pool Heatup: Annual Probability Eq. (3.1) provides the probability of observing a particular endstate in a specified period of time when the plant is in a given configuration (as modeled by Cases 1 through 3). To estimate the probability of observing a particular endstate in one year, the following equation is used:
P{Endstate i in 1 year} = Aii(1-$,)+ Am$,
(3.2) where, as before, A is the frequency of Endstate i for Case j, k = 2 or 3 (depending on whether y
the plant performs 1/3 or full core offloads during refueling), and $, is the average fraction of time the plant is in a refueling outage.' Note that this model assumes that one unit is always operating over the year. It therefore does not treat situations when both units are in an outage, nor does it treat situations where one unit is in a non-refueling outage.
It is not believed that these simplifications will greatly distort the results, due to the relatively small amount of time multi-unit plants would be undergoing simultaneous outages (under normal circumstances), and due to the lower heat loads associated with outages. However, as implied by the results of recent shutdown risk assessments [15,16), the risk from these situations may not be negligible. Additional analysis is needed to determine the quantitative significance of these simplifications.
' To make the units consistent, the right hand side of Eq. (3.2) can be multiplied by 1 year.
3-3
i The results for endstates FPISI and FPSF1 (where the SFP is boiling) obtained assuming an 18-month refueling cycle and a 2-month refueling outage are shown in Table 3.4. De results associated with a 1-month refueling outage are shown in Table 3.5. (These latter results assume that the model parameters, e.g., the failure rates, do not change significantly as the outage time
' decreases.) Not surprisingly, both annualized risk profiles closely resemble the risk profile for Case 1. However, the contribution for primary LOCA has become more imponant, due to its imponance during refueling.
Only three initiators are modeled as being able to lead to flooding: a loss of inventory, a j
primary LOCA during refueling (i.e., a LOCA in a connected system - a "J LOCA", or a maintenance-induced LOCA - a "K LOCA"), or an eanhquake. The annual probabilities for endstates involving flooding (i.e. FPSF1, FPSF2, and FPSF3) are shown in Table 3.6. Both the relatively high total probability (nearly 1 x 10') and the risk profile (a large contribution from primary LOCAs) are notable.
3.3 Comparison With Earlier Studies The results of an earlier NRC report on spent fuel pool risk (which focused on scenarios involving pool drainage and consequent zircaloy cladding fires) [2] and of an NRC-sponsored investigation of the risk at Susquehanna [3] are shown in Tables 3.7 through 3.10. (Table 3.9 provides the annualized frequencies obtained from Ref. 3; Table 3.10 presents the instantaneous frequencies, which can be compared with the results of this study shown in Table 3.2.)
Comparing Table 3.4 (this study) with the BWR "Best-Estimate" column in Table 3.7 (Ref. 2), it can be seen that the results of this study are higher by nearly an order of magnitude.
(Note that Table 3.4 addresses spent fuel pool boiling; Table 3.7 addresses a complete loss of spent fuel pool inventory.) Perhaps more imponantly, the dominant contributors are quite different.
In Ref. 2, the endstate frequency is dominated by seismic contributions. In this study, the canhquake contribution is relatively unimponant. His difference arises because: a) this study estimates much higher contributions for other initiators, as discussed below, and b) this study excludes the pool boiling contribution due to eanhquakes that are severe enough to cause core damage, regardless of their impact on the spent fuel pool. Note that the sum of the combined CD, 4
FPIS1, and FPSF1 frequencies in Table 3.2 is 7.3 x 10 /yr; this is quite comparable to the value 4
of 6.7 x 10 /yr reported in Ref. 2.
Regarding the contribution from loss of inventory events, Ref. 2 reduces the empirical frequency of pneumatic seal failures (around 0.01/yr) by a factor of 1000 to arrive at an estimated frequency of severe pneumatic seal failures. As discussed in Section 5 of this repon, there seems to be little evidence to suppon such a reduction; this repon uses empirically estimated generic initiating event frequencies for losses of inventory, which include seal failures. (Details on the initiating event frequencies used in this study are provided in Appendix B.) Note that while this 4
study's predicted annual probability of 4.6 x 10 for endstate FPSF1 (loss of inventory events 4
only)is comparable to that of Ref. 2 (6.7 x 10 ), the probability of endstate FPSF1 may increase by nearly an order of magnitude for single unit plants (see Section 3.1).
3-4
a 1
i.
1 Regarding the contribution from LOOP events, this initiating event was not modeled explicitly in Ref. 2.
i 4
To compare the results of this study with those of Ref. 3, Table 3.4 can be compared with Table 3.9. It can be seen that the total frequencies of pool boiling differ only by about a factor of
- 2. Furthermore, the contributions from the different initiators are comparchie. (Note that this 4
study treats LOOP, Extended LOOP, and station blackou: using a single initiating event; the combined NBF of 1.1 x 10/yr in Table 3.9 compares reasonably well with the pool boiling i
frequency of 2.7 x 105 reported in Table 3.4 for LOOP events.) The most significant difference concerns the loss ofinventory initiating event; this event is an important contributor in this study, but is not treated in Ref. 3. Another difference concerns the LOCA initiator, Ref. 3 does not treat special LOCAs during shutdown'(the "J" LOCAs, i.e., LOCAs in connected systems, and the "K" LOCAS, i.e., maintenance-indumd LOCAs). As a result, Ref. 3 underestimates the LOCA contribution to pool boiling frequency. A third significant difference concerns the LOCA with LOOP initiator. As discussed in Ref. 6, the treatment in Ref. 3 is inconect and is overly conservative. 'Ihis study does not treat the LDCA with LOOP initiator explicitly because of its very low probability.
It should be pointed out that while the overall pool boiling frequency results of this study are numerically comparable to those of Ref. 3, the modeling approaches employed are quite.
different. In Ref. 3, non-conservatisms in initiating event frequency estimates (e.g., for station blackout and for earthquakes) are balanced by quite conservative human error probabilities, by not deducting contributions from " direct core damage scenarios" (i.e., scenarios that lead to core damage directly regardless of the behavior of the spent fuel pool), and by not allowing credit for alternative cooling systems. This study eliminates the non-conservatisms in initiating event frequencies, but also employs more realistic human error probabilities, deducts contributions from direct core damage scenarios, and allows credit for altemative cooling systems. As it turns out, these modeling differences do not lead to significantly different bottom line results for the Susquehanna plant; however, they may lead to different results when applied to a different plant with different systems and operating practices.
It should also be noted that there is significant flooding potential associated with some of the scenarios treated in this study. This hazard is not treated in either Refs. 2 or 3. In principle, SFP-initiated flooding scenarios should be treated in standard intemal flooding analyses.
However, most of these analyses have been performed for operating units (i.e., for Case 1) only; the results of this study indicate that a significant flooding risk may arise during refueling, due to the higher (instantaneous) frequency of loss of inventory events. Note also that conventional flooding studies are not likely to address scenarios involving a combination of pool boiling and plant flooding (i.e., scenarios leading to endstate FPSF1).
3.4 Remarks 3.4.1 Caveats The results presented in the preceding sections should be employed with caution for a number of reasons. First, the initiating event frequencies for loss of the SFPC system and for 3-5
I o
a losses ofinventory are based on an early version of the AEOD database (dated June 13,1996). A number ofevents have been added to the database since that date; the estimates for these initiating event frequencies may therefore be low.
Second, the results are based on generic data which may or may not be applicable to a specific plant being analyzed. In panicular, the loss of inventory model employs industry-wide statistics to estimate the frequencies of SFPC system and SFP boundary failures during operation and refueling. However, there are wide variations in seal design; one design may allow large leaks on failure, while another may not. A rigorous, mechanMdly based analysis of the severity-dependent likelihood of seal faihues would be extremely helpful in addressing this issue.
Third, again in regard to the loss of inventory model, the available data for large seal failures are both sparse and uncenain. Different interpretations of the event narratives might lead to large changes in the estimated frequency of pool boiling and, perhaps more importantly, significant changes in the risk rankings of scenarios. A formal sensitivity analysis idendfying key risk parameters (beyond basic events) and assumptions and determining the impact of changes in these parameters is outside the bounds of this limited scope study. Such an analysis should be performed before the results of this study are used in any decision suppon activities.
Finally, as a related point, the calculations performed in this analysis employ point estimates throughout. No attempt has been made to deal with uncertainties. An uncertainty analysis is a valuable tool for placing analysis results in context, as well as for identifying areas where additional modeling effons may be useful. Again, an uncertainty analysis should be performed before the results of this study are used in any decision suppon activities.
3.4.2 Model Capability to Treat Other Plants The results reported in Sections 3.1 and 3.2 are appropriate for plants whose design and operational practices are similar to those of the Susquehanna plant. However, the model used to generate these results is more general; with relatively simple changes in event tree top event success criteria, system fault trees, and/or basic event probabilities, a number of different plants can be modeled without a great deal of effon. Some of the different situations that can be treated are as follows.
1)
A one-unit plant. Some of the modeling changes involved ensure that: a) the event tree top events modeling the fuel pool gate status are always failed, b) the top events modeling the cooling systems for the second unit are always failed, c) credit is not taken in the human reliability analysis for the actions of the second unit's crew (e.g., in establishing makeup during a loss of inventory scenario), and d) the initiating event PLOCA is not analyzed for Case 3 (since there is no fuelin the core).
2)
Plants with a two-train SFPC system powered from safety buses. (Susquehanna has 3 trains powered from a non-safety bus.) 'Ihe modeling changes here would involve:
a) using fault trees appropriate for two-train systems, b) using common cause failure models appropriate for two-train systems, and c) ensuring that the event tree top event 3-6
. -. ~
e l
~
I
~
FVPWR (a flag event modeling the availability of vital power to the SFPC system) is set to "true".
1 3)
Plants with different mactor cavity seal designs. As discussed in the preceding section, a generic statistical analysis has been used to estimate the frequency of large seal failures.
The results of a design-specific reliability analysis could be used to replace this generic
{
estimate in the fault trees for top event LKSFP.
I 4)
Plants which do not routinely leave their spent fuel pools cross-connected. (Susquehanna currently leaves its pools cross-connected.) Similar to the first sensitivity study, this
{
involves modeling changes that ensure that the event tree top events modeling the fuel pool gate status are always failed.
i 5)
Plants which have different maintenance policies for the diesel generators, SFPC system, i
and RHR system. For example, some plants may elect to perform all SFPC system 3-maintenance prior to a refueling outage. Such a situation is simply modeled by increasing the maintenance unavailability of the SFPC system for Case 1 and reducing it for Cases 2 and 3.
4 i
6)
Plants having potential instrumentation problems (e.g., vulnerability to hazards associated with spent fuel pool heatup, lack of redundancy, poor accessibility, poor readout design).
i This problem can be treated in the fault tree for top event OER by: a) adding basic events 1
for instrumentation failures, and b) modifying the HRA to account for a poor human-i machine interface (poor ergonomics).
)
7)
Plants with different refueling policies (i.e., discharge of 1/3 of the core instead of the full core). As mentioned in Section 3.1, the current HRA model is not sensitive to the l
differences between the twn policies. Case-depe ident modifications of the time windows for operator actions are needed to make the human error probabilities case-sensitive.
l 3-7
Table 3.1 - Initiating Event Frequencies (Instantaneous)
Initiating Event Description Frequency Uw)
Source LSFPI Loss of SFPC system, Case 1 2.4E 2 Data (see App. B)
LSFP2 Loss of SFPC system, Case 2 2.8E 1 Data (see App. B)
LSFP3 Loss of SFPC system, Case 3 2.8E-1 Data (see App. B)
LPI Loss of offsite power Case 1 8.0E-2 Ref.14 LP2 loss of offsite power, Case 2 8.0E-2 Ref.14 LP3 Imss of offsite power. Case 3 8.0E-2 Ref.14 LINVC Larne loss of inventory, Case 1 2.0E-3 Data (see App. B)
LINCS Small loss of inventory, Case 1 5.0E-3 Data (see App.B)
LINVR Imae loss of inventory, Cases 2 and 3 2.0E 2 Data (see App. B)
LINRS Small loss of inventory, Cases 2 and 3 3.0E 2 Data (see App. B)
PLOCA Pnmary LOCA, Case 1 1.5E-2 Ref. 8 PLOCR Primary LOCA, Cases 2 and 3 1.2E-1 Ref.15,16 (see App. B)
EOE Seismic event (0.2g < PGA s 0.6a)'
l.2E-4 Ref.17
' Earthquakes with PGA > 0.6g are for the purposes of this analysis, assumed to lead directly to core damage (with frequency 3.2E4/yr).
3-8
Tabic 3.2 - Instantaneous Frequencies of Endstates (/yr)
CD*
l FPISI l
FPIS2 l FPIS3 l FPSF1 l FPSF2 l FPSF3 l Total l
Boil l % Boil Case 1 LSFPI 6.2E-07 8.6E-05 7.7E-06 9.4E-05 6.2E-07 i
LPI 1.4E-06 2.7E-05 3.6E-03 2.4E-04 3.9E-03 2.7E-05 66 LINVC 2.2E-06 9.7E-05 1.2E-06 2.2E-06 1.3E-04 2.3E-04 4.4E-06 11 LINCS 6.7E-06 3.lE-04 3.8E-06 7.4E-08 1.2E-05 3.3E-04 6.8E-06 17 PLOCA 8.7E-09 9.5E-07 1.3E-04 1.2E-05 1.4E-04 9.5E-07 2
EOE 6.lE-06 1.2E-06 5.5E-06 6.4E-08 1.lE-04 1.2E-04 1.3E-06 3
Total Case 1 7.5E-06 3.9E-05 4.2E-03 2.7E-04 2.3E-06 1.4E-04 1.lE-04 4.8E-03 4.lE-05 100 Case 2 LSFP2 7.3E-06 1.0E-03 9.0E-05 1.lE-03 7.3E-06 7
LP2 1.5E-06 2.8E-05 3.7E-03 2.4E-04 4.0E-03 2.8E-05 25 LINVR 4.6E-06 1.6E-05 1.9E-07 2.3E-05 1.3E-03 1.3E-03 2.8E-05 25 LINRS 2.2E-05 1.5E-04 1.7E-06 8.5E-08 5.8E-05 1.7E-10 2.3E-04 2.2E-05 20 PLOCR 2.3E-05 1.lE-05 1.2E-02 1.6E-03 1.4E-05 5.4E-03 1.9E-02 2.5E-05 22 EOE 6.iE-06 1.2E-06 5.5E-06 6.4E-08 1.lE-04 1.2E-04 13E-06 I
Total Case 2 3.lE-05 7.4E-05 1.7E-02 1.9E-03 3.7E-05 1.4E-03 5.5E-03 2.6E-02 1.lE-G8 100 Case 3
.LSFP3 8.3E-06 1.lE-03 1.0E-04 1.2E-03 8.3E-06 7
LP3 1.5E-06 2.9E-05 3.7E-03 2.4E-04 4.0E-03 2.9E-05 26 LINVR 4.6E-06 1.6E-05 1.9E-07 2.3E-05 13E-03 1.3E-03 2.8E-05 24 LINRS 2.2E-05 1.5E-04 1.7E-06 8.5E-08 5.8E-05 1.7E-10 2.3E-04 2.2E-05 20 PLOCR 1.lE-05 1.2E-02 1.6E-03 1.4E-05 5.4E-03 1.9E-02 2.5E-05 22 EOE 6.lE-06 1.2E-06 5.5E-06 6.4E-08 1.lE-04 1.2E-04 1.3E-06 1
Total Case 3 7.6E-06 7.6E-05 1.7E-02 19E-03 3.7E-05 1.4E4)3 5.5E-03 2.6E-02 1.lE-04 100
'Emisuse provided for accounting purposes only; frequencies listed do not provide total core darnage frequency
1 l
Table 3.3a - Dominant Cutsets, Endstate FPIS1 (SFP Boiling), Case 1 l
% Total Rwy E
Cutset Elements (Successes and Failures)
{
8.20 3.19E-06 LPI
/DGIN2, /EPWR, ALT XHE XM-SFPL, SFP-OPEN-GATE, SFP-XHE-l XE-LP, SFP2 XHE-XM LSFP, /UNREC01 4
8.20 3.19E-06 LPI
/DGIN2, /EPWR, ALT-XHE XM SFPL, SFP-OPEN-GATE, SFP-XHE-XE-LP, SFPI XHE-XM-LSFP, /UNREC01 I
8.15 3.17E-06 LP1
/GSTAT, /DGIN2, ALT XHE-XM SFPP, EPWR-XHE EA-REC, LPWR-l XHE-LA REC, SFP-XHE-XE LP. /UNRECO2 7 92 3.08E-06 LINCS
/AISOL, LMKUP-XHE-XA-SFP, SFP-XHE-XE LINVC, /LKSMC l
7.34 2.86E-06 LP1
/DGIN2, /EPWR, ALT XHE XM SFPL, /NCD-DGAL, SFP-OPEN-GATE, SFP2-XHE-XM-LSFP, UNREC XHE-RECV-1 7.34 '
2.86E-06 LPI
/DGIN2, /EPWR, ALT XHE XM SFPL, /NCD-DGAL, SFP-OPEN-GATE. SFPI XHE XM-LSFP. UNREC-XHE-RECV-1 i
7,30 2.84E-06 LPI
/GSTAT, /DGIN2, ALT XHE-XM-SFPP, EPWR XHE-EA-REC, LPWR.
i XHE-LA REC, /NCD-DGAL, UNREC XHE-RECV-2 4.78 1.86E-06 LINCS
/AISOL, /OERLINVC, MKP XHE-XA-CSMIS, /LKSMC
]
4.17 1.62E-06 LP1
/DGIN2, ALT-XHE-XM-SFPP,EPWR XHE-EA-REC, LPWR XHE LA-REC, RHRI TRNS-UA TM, /OER-LP, SFP-OPEN-GATE, /UNREC02 j
2.99 1.16E-06 EOE ALT-XHE-XM-SFPL, /NDSFP-EO, /NLEAK EO. /NCD-EO, R1TRUE l
2.77 1.08E-06 LINVC
/AISOL, LMKUP-XHE-XA-SFP, SFP-XHE-XE-LINVC, /LKL CC 69.19 (Total) 1 i
3-10 i
s i
l Table 3.3b - Dominant Cutsets, Endstate FPISI (SFP Boiling), Case 3 t
% Total Frequency IE Cutset Elements (Successes and Failures) 20.95 1.59E-05 LINRS
/AISOL, /OERLINVR, MKP-XHE-XA RSMIS, /LKSMR 9.42 7.17E-06 LSFP3
/FGATE. ALT-XHE-XM-SFPL, SFPOPEN-GATE, SFP XHE XE-UR, i
SFPI XHE-XM LSFP 7.88 6.00E-06 PLOCR SFP-MKUP ECCS-F, /NCDPLOCR, TGATE-STAT, MKP XHE-XA-l CSMIS 5.20 3.96E-06 LINRS
/MISLSFLE, /OERLINVR, MKP XHE-XA-RSMIS, LKSMR 4.23 3.22E 06 LP3
/EPWR, ALT XHE XM SFPL, SFP-OPEN-GATE, SFP-XHE-XE LP,
[
SFP2 XHE-XM-LSFP, /UNREC01 4.23 3.22E-06 LP3
/EPWR, ALT-XHE-XM-SFPL, SFP-OPEN-GATE, SFP-XHE XE-LP, 4
SFPI XHE XM-LSFP /UNREC01 4.21 3.20E-06 LP3
/GSTAT, ALT XHE-XM SFPP, EPWR-XHE-EA-REC, LPWR XHE LA-REC, SFP-XHE-XE-LP, /UNREC02 3.79 2.88E-06 LP3
/EPWR, ALT-XHE-XM SFPL, /NCD-DGAL, SFP-OPEN-GATE, SFP2-XHE-XM-LSFP UNREC XHE-RECV-1 3.79 2.88E-06 LP3
/EPWR, ALT-XHE-XM SFPL, /NCD-DGAL, SFP-OPEN-GATE, SFPI-XHE XM-LSFP, UNREC XHE-RECV 1 j
3.77 2.87E 06 LP3
/GSTAT, ALT XHE-XM-SFPP, EPWR XHE EA-REC, LPWR XHE-LA-REC, /NCD-DGAL, UNREC XHE-RECV-2 l
3.76 2.86E-06 LINVR
/OERLINVR, /MISLLGE, MKP-XHE-XA-RLGIS, LKLGR 2.15 1.64E 06 LP3 ALT XHE-XM-SFPP. EPWR XHE-EA REC. LPWR-XHE-LA-REC, RHRI TRNS UA TM. /OER-LP, SFP-OPEN-GA'IE, /UNRECO2 1.%
1.49E-06 LINVR
/AISOL, /OERLINVR, MKP-XHE XA RLGIS, /LKLGR 1.85 1.41E-06 LINRS
/AISOL, MUES XHE-XA-LSFP, SFP-XHE XE-LINVR, /LKSMR l
1.53 1.16E-06 EOE ALT XHE-XM SFPL, /NDSFP-EO, /NLEAK-EO, /NCD-EO, R1TRUE 1.44 1.09E-06 PLOCR ALT XHE-XM-SFP, RHRI TRNS-UA-TM, SFPI-XHE XM-SFP,
/NCDPLOCR, TGATE-STAT 80.15 (Total) 3-11
l Table 3.3c - Dominant Cutsets, Endstate FPSF1 (SFP Boiling + Flooding), Case 1
% Total Requency E
Cutset Elements (Successes and Failures) 76.78 1.81E-06 LINVC
/OERLINVC, MKP-XHA XA-CLNIB, LKLGC, MISLLGE 76.78 (Total)
Table 3.3d - Dominant Cutsets, Endstate FPSF1 (SFP Boiling + Flooding), Case 3
% Total Frequency E
Cutset Elements (Successes and Failures) 61.45 2.26E-05 LINVR
/OERLINVR, MISLLGE, MVf-XHE XA-RLNIB, LKLGR 36.72 1.35E-05 PLOCR
/NCDPLOCR, TGATE-ST AT, MKP-XHA-XA-CLGNI, ILOC 98.17 (Total) l i
i l
l I
I a
3-12
l l
l i
Table 3.4 - Annual Probability of Spent Fuel Pool Boiling By Initiator
[
(18-month refueling cycle,2-month refueling outage)
Boiling +
i Boiling Flooding (FPISI)
(FPSF1)
Total
% Total Loss of SFP cooling system 1.4E-06 0.0E+00 1.4E-06 3
l Loss of offsite power 2.7E-05 0.0E+00 2.7E-05 56
[
f Loss ofinvent8d(Large) 2.5E-06 4.5E-06 7.0E-06 14 Loss ofinventdryNSmall) 8.4E-06 7.5E-08 8.5E-06 17 I
Primary LOCA 2.lE-06 1.6E-06 3.6E-06 7
Earthquake 1.2E-06 6.4E-08 1.3E-06 3
i Total 4.3E-05 6.2E-06 4.9E-05 100 i
Table 3.5 - Annual Probability of Spent Fuel Pool Boiling By Initiator (18-month refueling cycle,1 month refueling outage)
Boiling +
Boiling Flooding (FPISI)
(FPSF1)
Total
% Total Loss of SFP cooling system 9.9E-07 0.0E+00 9.9E-07 2
l Loss of offsite power 2.7E-05 0.0E+00 2.7E-05 60 Loss ofinventory (Large) 2.3E-06 3.4E-06 5.7E-06 13 Loss ofinventory (Small) 7.6E-06 7.5E-08 7.6E-06 17 Pdmary LOCA 1.5E-06 7.8E-07 2.3E-06 5
)
)
Eanhquake 1.2E-06 6.4E-08 1.3E-06 3
Total 4.1E-05 4.3E-06 4.5E-05 100 l
l 1
L I
I I
3-13
. -= -
.~.. _ --. _.
i a
r i
L r
i f
- Table 3.6 - Annual Probability of Flooding Associated with SFP By Initiator (18-month refueling cycle,2-month mfueling outage)
Flooding (FPSF1, FPSF2, FPSF3)
% Total l
Loss of SFP cooling system 0.0E+00 0
l Loss of offsite power 0.0E+00 0
Loss ofinventory (Large) 2.6E-04 27
)
Loss ofinventory (Small) 1.7E-05 2
l Primary LOCA 6.0E-04 60 l
Earthquake 1.1E-04 11 Total 9.9E-04 100 l
i i
Table 3.7 - SFP Accident Frequencies, Generic Issue 82 Analysis [2]
Accident Seouenz Best Estimate Uota Bound Best Esumate Upper Bound Structural Failures Missiles 1.0E-8 1.0E-7 1.0E 8 1.0E-7 Aircraft crashes 6.0E-9 2.0E-8 6.0E-9 2.0E-8 Heavyload drop 3.1E-8 3.1E-7 3.1E-8 3.1E-7 Seismic 1.8E-6 '
6.7E-6 Pnemnare Seal Failures 3.0E-8 5.0E-7 3.0E-8 5.0E-7 Inadvenent Dramane 1.2E-8 1.0E-7 1.2E-8 1.0E-7 Loss of Cooling and Makeup
- 6.0E-8 1.4E-6 6.0E-8 1.4E-6 j
TOTAL 1.9E-6 6.8E-6 I
Cladding Fire Probability l
1.0 l
l 0.25 l
' Adapted from Table 4.7.1, Ref. 2.
i
'All frequencies in events /yr.
' Includes beyond design basis seismic induced loss of cooling and makeup.
1
)
)
3-14
e Table 3.8 - Susquehanna Annualized Initiating Event Frequencies (Ref. 3) i Initiating Event Freauency Uyr)
Loss of SFPC 1.57E-4 LOOP 7.00E-2 Extended LOOP 7.00E-3 SBO 2.73E-8 LOCA 3.67E 3 j
Floodina 3.90E-3 Loss of SWS 2.00E-3 Fipe Break 3.40E-3 i
Seismic (PGA < 0.62) 8.55E-6 Seismic (PG A 2 0.6g) 4.20E-7 LOCA w/ LOOP 2.57E-4 Table 3.9 - Susquehanna Annualized NBF, As-Fixed Conditions (Ref. 3)
Annualized Fmauency Uyr)
Initiating Event Case 1 Case 2 Case 3 Case 4 Total
% Total Loss of SFPC
- 1. lE-7 1.9E-8 5.0E-8 4.6E-8 2.3E-7 1.1 LOOP 5.5E-7 7.9E-8 8.5E-7 4.6E 7 1.9E-6 9.3 Extended LOOP 3.0E 6 4.0E-7 3.5E-6 2.1E-6 9.0E-6 43.2 SBO 4.0E-9 5.0E-10 1.1E-9 7.lE-10 6.2E-9 0.0 LOCA 1.5E-6 1.7E 7 1.6E-6 1.1E-6 4.3E-6 20.7 Flooding 2.8E-7 3.8E-8 3.8E-7 2.3E-7 9.3E-7 4.5 Loss of SWS 3.5E-8 5.0E-9 5.4E-8 2.9E-8 1.2E.7 0.6 j
Pipe Break 2.5E-7 3.3E-8 3.3E-7 2.0E 7 8.lE-7 3.9 Seismic (PGA < 0.6g) 1.2E-7 1.6E-8 6.9E-8 4.4E-8 2.5E 7 1.2 Seismic (PG A 2 0.6g) 3.1E 7 3.8E-8 4.6E-8 3.1E-8 4.2E-7 2.0 LOCA w/ LOOP 1.6E-6 9.6E-8 6.9E-7 4.6E 7 2.8E-6 13.6 Total 7.7E-6 9.0E 7 7.6E-6 4.7E-6 2.1E 5 100.0 Case 1 = Both units operaung Case 2 = One unit operating, one unit shutdown, fuel not completely offloaded, RHR out of service part of the time Case 3 = One unit operating, one unit refueling,1 SFPC pump required to maintain T < 200*F Case 4 = One unit operating, one unit refueling,2 SFPC pumps required to maintain T < 200*F 3-15
Table 3,10 - Susquehanna Instantaneous NBF, As-Fixed Conditions (Ref. 3)
Instantaneous Frequency Uvr)
Initiating Event Case 1 Case 2 Case 3 Case 4 Loss of SFPC 1.5E-07 2.1E 07 4.6E-07 6.3E-07 LOOP 7.6E-07 8.7E-07 7.8E-06 6.3E-06 Extended LOOP 4.1E-06 4.4E-06 3.2E-05 2.9E-05 SBO 5.5E-09 5.5E-09 1.0E-08 9.7E-09 LOCA 2.1E 06 1.9E-06 1.5E-05 1.5E-05 Floodma 3.9E-07 4.2E-07 3.5E-06 3.2E-06 less of SWS 4.8E 08 5.5E-08 4.9E-07 4.0E-07 Pipe Break 3.4E 07 3.6E-07 3.0E-06 2.7E-06 Seismic (PGA < 0.6g) 1.7E 07 1.8E-07 6.3E-07 6.0E-07 Seismic (PGA 2 0.6g) 4.3E-07 4.2E-07 4.2E-07 4.2E-07 LOCA w/ LOOP 2.2E-06 1.1E-06 6.3E-06 6.3E-06 Total l 1.lE-05 9.8E-06 6.9E-05 6.4E-05 Case 1 = Both units operating Case 2 = One unit operating, one unit shutdown, fuel not completely offloaded. RHR out of service part of the time Case 3 = One unit operating, one unit refueling,1 SFPC pump required to maintain T < 200*F Case 4 = One unit operating, one unit refueling,2 SFPC pumps required to maintain T < 200*F l
3-16
4.
POST-HEATUP ACCIDENT PROGRESSION: DISCUSSION 4.1 Post-Heatup Hazards During a loss of spent fuel pool cooling scenario, hazards to the rest of the plant can arise due to: the cause of the scenario (e.g., flooding water from a loss of inventory event); the plant response to the event (e.g., pool makeup water flowing through an unisolated leak); and the direct consequences of the scecario (e.g., heat and steam released during pool boiling). These hazards can be grouped into two estegories based on their transport mechanisms: heat / steam and flooding.
(Radiation, while a hazard to plant personnel attempting to mitigate the scenario, is a lesser hazard with respect to equipment performance during the course of the accident. Fires and their associated consequences are also not treated in this study; zirealoy cladding fires following a complete loss of spent fuel pool inventory are addressed in Ref. 2. Note that, as discussed in Section 3.1, the likelihood of these scenarios in single unit plants may be higher than estimated in Ref. 2.)
The following sections provide general qualitative discussions of the heat / steam and flooding hazards from the standpoint of their ability to initiate a core damage scenario, followed by discussions specific to the base case plant analyzed in this study. Note that a given hazard will be a potential problem to the core only if:
a) isolation is failed, i.e., there exists a pathway that allows movement of the hazard from the spent fuel area to vital safety equipment; b) vital safety equipment functionality is lost due to the effects of the hazard; c) operator hazard mitigation efforts fail, i.e., operators do not isolate or divert the hazard from the areas housing the vital safety equipment; and i
d) operator efforts to recover failed equipment are unsuccessful.
It is important to recall that, per Eq. 2.1, a release of steam, heat, or water does not guarantee ECCS equipment damage. Even if some ECCS equipment are damaged, core damage is not guaranteed. Altemative equipment / systems and operator recovery actions may need to fail before core damage occurs.
To provide a risk perspective, typical at-pov/cr core damage frequencies estimated without consideration of scenarios involving the spent fuel pool generally fall in the range of 10 to 10" per 4
reactor year for intemal events; extemal events contributions can be of similar magnitude. The results of two shutdown risk analyses (intemal events) indicate that the annualized frequency of core damage during shutdown may be lower than the at-pow:r value.
estimates an annual core damage frequency of 2 x 10 /yr for Grand Gulf, Unit I during a refueling 4
outage [15); NUREG/CR-6144 estimates an annual core damage frequency of 5 x 10 /yr for 4
Surry, Unit I during mid-loop operations [16]; the comparable at-power values are 4 x 10 /yr and 4 x 10 /yr, respectively.) The instantaneous frequencies, obtained by dividing the shutdown 4
4-1
i values by the fraction of time the plant is in shutdown, may be comparable to or greater than the at-i power values.
I 4
The total pool boiling annual probabilities reported in Section 3 are around 5 x 10.
d Assuming a baseline (non-SFP) core damage frequency of around 5 x 10 /yr, it can be seen that the combined failure probability of safety barriers (a)-(d) listed above and of the safety systems not 4
}
damaged by the spent fuel pool scenario needs to be greater than around 10 in order for spent fuel pool-initiated scenarios to be visibi, (:> 1%) contributors to core damage risk. Because the l
unavailability of a typical safety system is around 10, this implies that the boiling associated with a severe spent fuel pool accident must damage most of the plant's ECCS equipment with high j
probability in order for the accident to affect core damage frequency.
1 l
Table 4.1 shows the impacts of the initiating events on the post-boiling safety barriers.
(These are impacts beyond those associated with the heat / steam release from a postulated boiling j
spent fuel pool, e.g., limited room access.) It can be seen that for the dominant contributors to j
pool boiling (LOOP, loss of inventory), two of the safety barriers are unaffected. The third and fourth barriers can be affected, but, in the case of LOOP, some of the effects may actually be i'
positive.
f The pieceding discussion applies to the risk associated with spent fuel pool accidents affecting core cooling. Scenarios involving spent fuel pool dryout and subsequent cladding fires j
do not require the failure of multiple engineered barriers to cause problems; they only require that pool boiling continue long enough that dryout conditions are reached. Because pool boil-off times i
are greatly reduced in cases where the pool has lost a large amount of inventory, the scenarios of i
special concern involve endstate FPSF1. Table 3.4 shows that the annual probability of FPSF1 is
]
around 6 x 10 ; this is comparable to the best-estimate probability for BWR pool draining reponed 4
l in Ref. 2 (although the dominant contributors to this probability differ greatly from those reported -
j.
in Ref. 2). Based on the value-impact analysis of Ref. 2,it might be argued therefore that the risk l
is not high enough to implement any of the altematives identified in Ref. 2.
However, as discussed in Section 3.1, the results of this study are based on a two-unit plant with a connected j
spent fuel pool. If credit is not taken for the makeup systems associated with the second unit, the j
estimated annual probability of endstate FPSF1 could be a factor of 7 higher (based on the HRA i
method used in this study). Additionalinvestigation is needed to determine if the risk from this scenano is mdeed significant.
4.2 Host and Steam J
4.2.1 Spatial isolation Heat and/or steam from the spent fuel pool has the potential to damage ECCS equipment through direct and indirect pathways. Two direct pathways are:
transport through open air passages to the equipment; and transport through the plant heating, ventilation, and air-conditioning (HVAC) systems.
4-2
4 Given the compartmentalization typical of commercial nuclear power plant designs, the first mechanism is not likely to be a significant contributor to risk.' However, as seen in numerous external events analyses, plant layouts and communication paths between compartments (intended or otherwise) tend to be highly plant specific. A plant walkdown is needed to confum that this mechanism is not important for a given plant.
The second mechanism can potentially lead to widespread effects throughout the affected plant. Depending on the alignment of the ventilation system at the time of the accident, operator actions may be needed to isolate the spent fuel pool area from key equipment areas. (Tripping the ventilation system should greatly reduce the rate of heat / steam transport, but may not entirely prevent it.) Given the length of time available to the operators, the likelihood of failure is expected 2
to be small. (For example, assuming that the need for action is obvious, the time available is expansive, stress is high, experience is low but the required actions are not especially difficult, procedures are available but not very specific, and the plant has a retrofit control system with good ergonomics, use of the worksheet shown in Figure 2.5 leads to a nominal estimate of 7 x 10.)
Again, due to plant-to-plant variations in design, a plant specific analysis is needed to dc:smine if this expectation is met for a given plant.
An indirect pathway for equipment loss due to heat / steam release from the spent fod pool involves the plant's fire protection systems. As discussed in Ref.18, steam can lead to the undesired actuation of a fire protection system through moisture intrusion into a fhe protection system controller, activation of heat / smoke detectors, or melting of fusible links. Of 67 Licensee Event Reports on steam release events reviewed in Ref.18, four involved actuations of the fue protection system. Three events involved smoke detector actuation in the same room as the steam release; the other event involved melting of a fusible link in the same room as the steam release, moisture ingress into a controller, and the actuation of the fire protection system in an adjacent room. (It is not clear if any of these four events involved steam of the quality that would be released from a spent fuel pool boiling at atmospheric pressure.) Ref.18 estimates the generic probability of equipment damage, given actuation of a fue suppression system, for different suppression system types:
Water:
0.27/ actuation CO:
0.015/ actuation 2
Halon:
0.0054/ actuation (The estimates for CO and Halon are based on zero observed events in the database.)
2 Of course, the probability of equipment damage is expected to vary as a function of equipment type and design. If the probability of fue protection system actuation given exposure to a steam release is on the order of 10 and the probability of equipment damage is also on the order of 10', then the combined probability of equipment damage due to a steam-initiated fire
' Intervening barriers, e.g., fire doors, can be failed of course, but the likelihood of such failures woukt have to be counted against the 10' margin discussed in the preceding section.
8 Utility calculations for Susquehanna indicate that even if the HVAC system continues to run, environmental qualification temperatures - around 104*F - will not be exceeded for at least 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> after the start of boiling.
4-3 l
l
?
[
I suppression system actuation will be around 10. Because: a) this indirect pathway still requires
{
4 the transport of heat / steam to a fire protection system controller, heat detector, or sprinkler head; b) multiple ECCS components must be damaged to seriously challenge core cooling; and c) these l
components are generally well separated and are not vulnerable to a single suppression system actuadon,it is not expected that this pathway, by itself, will be a significant contributor to risk for l
most initiators. (The canhquake initiator may provide an exception, since severe eanhquakes can l
trigger fire suppression systems [18). However, this is not a spent fuel pool issue.)
4.2.2 Equipment Vulnerability l
l Most of the equipment in a nuclear power plant is relatively robust with respect to heated environments. For example, Ref.19 reports the results of full-scale fire tests, in which electrical i
cables were exposed to a severe fire environment. The cable temperatures at which electrical
- failure occurred ranged from 420*F to 860*F. Ref. 20 notes that the stanurd design temperature of electrical cabinets is 120*C, i.e., about 250*F. These temperatums are above the temperature l
expected of steam leaving a boiling spent fuel pool.
Two groups of components that may be vulnerable to the temperatures associated with steam released from the spent fuel pool are:
a sensitive electronic equipment, e.g., solid-state components in advanced protection system cabinets equipment tripped or isolated by local high temperature signals (e.g., RCIC and HPCI turbines).
Long term exposures to elevated temperatures present possible problems for major components (e.g.,large pumps). Extended losses of room cooling have been shown to be visible risk contributors in some risk studies. However, the likelihood of such extended exposures is not expected to be very high because of the time available for operators to mitigate the event. (Note also that in all of the scenarios contributing to the FPIS1 and FPSF1 endstates, either offsite or emergency diesel generator power is available.)
Aside from temperature issues, the vulnerability of equipment to a steam environment is less clear. Sensitive electronic equipment can be affected by elevated humidity levels, and it may be possible for steam condensation on electrical equipment (e.g., aging cables) to cause problems.
Ref. 21 notes that the switchgear at Susquehanna are rated for 90% relative humidity, but argues that such a humidity level cannot be achieved within the switchgear cabinets, due to the elevated temperatures within the cabinets. Further investigation on the mechanism of failure is needed to validate this argument.
4.2.3 Hazard Mitigation In the case of the heat / steam hazard, midgation involves either the isolation of the spent fuel pool area from other key plant areas, or the active diversion of steam. Manual operator actions will be required; the likelihood of success depends on the same factors routinely considered in human i
4-4
~l
i i
~
reliability analyses, e.g., accessibility and availability of equipment, quality of procedures and q
training, and time available. Note that the mitigadon effons can be affected by the characteristics of the initiating event, as shown in Table 4.1.
4.2.4 Equipment Recovery If ineparable damage has not occurred, equipment lost during the scenario may be i
j recovered in many cases simply by allowing the affected equipment to cool / dry off. (Equipment i
recovery is not an issue, of course, if hazard mitigation efforts are not successful.) For example, j
in the case of HPCI/RCIC room temperature isolatior signals, the signal can be reset once the 4
]
temperature level drops. As in the case of hazard mitigation, manual actions will be required.
j -
'Ihese actions can be affected by the initiating event, as shown in Table 4.1.
j 4.3 Flooding i
- Ihe treatment of SFP-initiated flooding scenarios is similar to the treatment of other internal i
flooding scenarios in conventional analyses [22]. Thus, the discussion on safety barriers (a)-(d) identified in Section 4.1 is straightforward. Note that in principle, SFP-initiated floods should be j
treated in standard internal flooding analyses. However, most of these analyses have been perfonned for operating units (i.e., for Case 1) only; the results of this study indicate that a j
i significant flooding risk may arise during refueling, due to the higher (instantaneous) frequency of
]
loss ofinventory events. ' Note also that conventional flooding studies are not likely to address scenarios involving a combination of pool boiling and plant flooding (i.e., scenarios leading to endstate FPSF1).
I 4.3.1 Spatial isolation For a flooding event to seriously challenge the ECCS function, there must be a path from i
the source of the flooding to multiple ECCS equipment areas. This path can include non-watertight doors (e.g., fire doors) and drainage systems (water may back up through drains if anti-bacidlow 4
devices are not installed or functioning).
4.3.2 Equipment Vulnerability J
1 It can be assumed that most electncal equipment is vulnerable to flooding, as long as um i
i~
water level rises high enough to immerse key component parts. In addition, some equipment j
(e.g., electrical panels) may be vulnerable to water spray or dripping.
4.3.3 Hazard Mitigation l
Unlike the heat / steam hazard, flooding may occur relatively rapidly, especially in the case of large seal failures. Noting that the FPSF1 endstate is only anived at in scenarios where the i
operators have failed to isolate the flood, the likelihood of success of funher mitigation effons may I
be relatively low.
s 4
4-5 4
i
i i
D 4.3.4 Equipment Recovery In conventional flooding analyses, credit is not usually taken for recovery of equipment damaged by a flood.
4.4 Application to Base Casa Plant i
This section applies the preceding discussion points to the base case plant, which is largely j
based on the Susquehanna Steam Electric Station (SSES).' The information underlying the application is drawn from a limited walkdown' of the SSES and from discussions with Pennsylvania Power and Light Co. staff.
4.4.1 Heat and Steam Hazard 1
Noting that the conditional probability of core damage given spent fuel pool boiling must be on the order of 10 or higher for' spent fuel pool boiling accidents to become imponant contributors to risk, it does not appear that spent fuel pool boiling accidents are imponant contributors at the base case plant. The reasons for this conclusion are as follows.
While transport of heat and steam throughout key areas of the plant is possible (via the HVAC system in recimulation mode), the length of time mquired for significant room heatup (see Footnote 2) greatly mduces the likelihood of operator failure.
Transpon of significant amounts of heat and steam from the spent fuel pool area to areas housing ECCS equipment via open air passages (as opposed to transport through the HVAC system) appears to be very unlikely, due to the separation of the spent fuel pool area from other parts of the reactor building and the fact that the spent fuel pool area is significantly higher than the ECCS equipment areas.
The only ECCS equipment with potential vulnerability to the elevated temperatures caused by the postulated pool boiling and steam transpon appear to be the HPCI and RCIC turbines (which are isolated on high room temperature - 167'F - signals).
'Ihe plant has provisions to diven steam through the standby gas treatment system, should 1
pool boiling occur.
4.4.2 Flooding Hazard In contrast with the heat / steam hazard, the flooding hazard associated with cenain loss of spent fuel pool cooling accidents is more difficult to dismiss as a risk contributor.
3 The base case analysis employs genene estimates for initiating event frequencies and does not necessarily reflect SSES-specinc design or operational details.
- The walkdown covered major ECCS equipment and areas. but did not cover cable routings, the fire protection system or penetrations.
4-6
~
l The hequency of flooding is greater than the frequency of boiling. The annual flooding I
4 probability may be on the order of 10, as shown in Table 3.6.
Focusing or large seal failares alone, the cutset results for endstates FPSF1, FPSF2, and FPSF3 can be used to j
show that the annual probability of flooding is around 3 x 10". Using this latter value, scenarios with a 2 x 10" conditional probability of core damage could be visible risk contributors.
"Ihe boundaries between elevations in the reactor building are not necessarily watenight.
As indicated by conversations with utility staff, it is pabably fair to assume that, at least in the case of a failure of the inflatable seal between the reactor cavity and the reactor building during refueling, all flood water will eventually end up in the bottom floor of the reactor i
building (where the major ECCS equipment are housed). It is not clear that all flood water will end up in the reactor building sump (as assumed in Ref. 3). Note also that the room i
drains on the bottom floor employ normally closed manual valves instead of check valves.
While the valve positions are checked every refueling outage, there is a possibility that the valves could be mispositioned, providing a flow path from the sump to each affected room.
Forlarge flooding events, the time available to take mitigative actions may be significantly l
less than for room heatup events.
The above reasons do not guarantee that the conditional core damage probability is greater l
than 2 x 10", but they do indicate that funher investigation of the flooding hazard may be needed.
i Note that the Individual Plant Examination for the SSES indicates that the core damage frequency due to flooding during normal operations is around 4% of the total core damage frequency (23]; it is not clear from available documentation that the analysis addresses floods involving the spent fuel pool.
9
)
4-7
Table 4.1 - Post-Boiling Impacts for Initiating Event Classes Post-Boiling Imnaru Sri Ewa Hand Falmpment Initiating Event Class Isolanon Vulnerability Mitigation -
Recovery Other I ms of SFPC system Loss of offsite power (1,2)
(1)
Loss ofinventory (3)
(3)
For unisolated leaks, low pool inventory reduas boil-off time; mcreases impur-e of claddag fire issue P.;.ssy LOCA g
(3)
(3)
For unisolated leaks, low pool inventory reduces boil-off time; increases importance of claddag fire issue Eanhquake (4)
(5)
(1, 2, 3, 6)
(1,3)
For unisolated leaks. Iow pool inventory reduces boil-off time; increases importance of clartrl=ig fire issue N(YES-1)
Power may be unavailable to vanous systems. (Endstates include contribuuons fnxn scenanos where either diesel generators an: av power has been recovered. In all cases, some power is availabic; stapon blackout scenarios provide a direct challenge to the core, i spent fuel pool.)
2)
Imss of power may actually be beneficial from the standpoint of circulation of heat / steam by the ventilation systems.
3)
Flooding may inhibit access to different areas of the plant.
4)
Severe seismic events might affect bamers that ordinarily prevent the passage of steam,inot air or water to odier areas of the plant.
5)
Seismic events might distort or damage electrical cabmet boundanes and increase the vulnerabdity of electncal equipment enclosed in th 6)
Seismic events niight fail eqinpment used to mitigase hazards (e.g., dampers, forced ventilation systems).
l 5.
RISK ASSESSMENT INSIGHTS FROM OPERATIONAL DATA i
In order to gain additional insights conceming the risk associated with spent fuel pools, operational data collected by the AEOD were reviewed. The primary objective of the review was to identify issues that should be addressed in the risk model (e.g., observed initiators, representative sequences of events). A secondary objective was to develop, where possible, quantitative insights relevant to the risk model. This section summarizes the results of the review.
5.1 Event Data Table 5.1 provides a bmakdown of reponed spent fuel pool events included in the AEOD database by event type. (This breakdown is cunent as of June 13,1996;it has been changed since i
then.) Both actual occunences and potential events' are shown.
The AEOD database covers events reported over the period 1976 through June,1996.
Table 5.2 shows a breakdown of the events by year, (The total number shown is less than that shown in Table 5.1, since a number of events in Table 5.1 are included in multiple event type categories.) It can be seen that the annual number of events increases about halfway through the time period.
l Two key classes of events of interest to this study involve loss of spent fuel pool cooling and loss of spent fuel pool inventory. The loss of cooling events for which severity information am available are listed in Table 5.3. The loss of inventory events for which severity information am available are listed in Table 5.4. Table 5.4 distinguishes between the events that involved the failure of inflatable seals from other losses ofinventory.
'Ihe loss of cooling events primarily resulted from loss of electrical power to the SFPC pumps, and/or fmm engineered safety features (ESP) actuations causing the load shed of the pumps. In most cases, plant staff quickly restored SFPC. In those cases where the cooling loss was extended, lack of operator awareness was often the cause. In none of the reported events did the cooling loss result in pool temperatures exceeding the plant Technical Specification limits (where applicable) or approaching boiling conditions.
From the standpoint of a risk assessment, the Wolf Creek event (September 30,1994) is one of the more notable loss of SFPC events. In this event, the entire reactor core had ba offloaded to the SFP and the plant staff calculated the time to boil to be about 5.8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />.
significant portion of the 'A' train systems were out of service for maintenance, including t'ae component cooling water (CCW) required for the 'A' train SFPC heat exchanger. The ' A' emergency diesel generator (EDG) was also out of service for testing. While in this condition, the operators discovered smoke emanating from the 'B' train SFPC pump inboard bearing, ar.d were forced to secure the pump. In 18 minutes, the operators wem able to restore the 'A' CCW train to
' Potential event: involve either: a) conditions which degraded the ability of the plant to respond to an initiating event, or b) bypothesized scenanos which have become potentially important due to the acquisition of new knowledge (e.g., concerning accident phenomenology or plant conditions).
5-1
service and stan the 'A' SFPC pump. Later, during subsequent post-maintenance testing of the -
'A' train EDG, the diesel's exciter transformer failed and caught fire. With no backup power available to the only opemble SFPC pump (the 'A' pump), the licensee began seeking ways to temporarily supply emergency power to the pump in case offsite power failed. Fortunately, this did not occur in the two days it took to restore the EDG.
De loss of inventory events primarily resulted from loss of inflatable seals (usually from loss of air) or from system alignment problems. Not all of the reports specified the amount or duration of the inventory loss. Of those that reported the amount of inventory lost, the scenarios ranged from small leaks to large rapid losses.
De largest loss ofinventory event in the database is the well-known Haddam Neck event (August 21,1984). During that event, the refueling cavity seal failed while the cavity was filled.
Within 20 minutes, 200,000 gallons of water spilled through to the lower containment levels.
Preparations had been undenvay for opening the fuel transfer tube, but the tube was shut at the time of the event. Had the transfer tube been open, the SFP could have been drained leaving spent fuel partially uncovered.
Comparing the event categorization of Table 5.1 with the INEL SFP model documented in Appendix A, it can be shown that almost all of the categories and subcategories ait explicitly treated in the model (through the identification and quantification of initiating events).
De exception is the "Other" category, which involves events outside the bounds of the study (e.g.,
boron dilution events in PWRs).
5.2 Mapping to Risk Model ne risk model deals with the failure of mitigating systems (the safety barriers) as well as with initiating events. To determine if the risk model addresses observed combinations ofinitiating event / safety barrier failures, the events in the AEOD database were teviewed to determine how they would map to the risk model. (nis mapping procedure is similar in spirit to that performed in the accident sequence precursor-ASP-program for reactor incidents. The only difference is that the analysis performed in this study is qualitative; no effort is made to determine "how close" an event came to spent fuel pool boiling. Of course, the quantitative models developed in this study could be applied for this purpose.)
De results of the mapping analysis are shown in Tables 5.5 and 5.6. Table 5.5 shov/s the mapping of actual and potential events to the irJtiating events defined in Section 2.2. (De nuniber in parentheses corresponds to events which cccurred in the time period 1987 - June 1996.) It can i
be seen that the loss of spent fuel pool cooling and loss of inventory initiating events appear to be the most likely. However, it should be cautioned that the database is focused on spent fuel pool issues. Thus, for example, loss of offsite power events for which spent fuel pool impacts have not been reported are not included in the database.
i Table 5.6 shows, for events which had impacts or potential impacts beyond the initiating event, the event tree top events potentially affected (but not usually failed). Comparing Tables 5.5 and 5.6, it can be seen that most of the event sequences did not progress beyond the initiating l
5-2
l i
~
l event. Most events were quickly identified and conected by plant staff prior to significant consequences to the spent fuel pool. Of those that progressed beyond the initiating event, most j
. involved indication or operator awareness issues. Except for the previously mentioned Wolf Creek loss of spent fuel pool cooling event, all of the actual events (and most of the potential events)
+
listed in Table 5.6 are explicitly tmated in the risk model. 'Ihe Wolf Creek event is not completely treated because the SFPC and RHR fault tree models developed in this repon do not explicitly treat loss of AC power. While this is a weakness in the fault trees, it should be pointed out that the
[
likelihood of a concurrent LOOP is generally lower by an order of magnitude or more than the j
human error and common cause failure probabilities included in the fault trees.
5.3 On Reductions in Seal Failure Frequency i
i i
In Ref.13, it is estimated that " advances in seal design, increased awareness and surveillance" willlead to a factor of 10 reduction in the frequency of seal failure. However, Table 5.4 shows that 6 seal failure events have occuned in the time period (1976 - 1986) and 5 have 1
l occurred in the period (1987 -June,1996). Counting the events for which severity data were not 4
found, the respeedve numbers are 7 and 8.
Since the number of operating reactors has not changed dramatically since 1976, there appears to be little support for the proposed reduction.
i j
Ref.13 also estimates the fraction of serious seal failures (i.e., failures with the potendal to j
quickly drain the pool) to be about 0.01. 'Ihe evidence provided by the AEOD database is less conclusive here. Whde one out of the 11 seal failure events in Table 5.4 was a rapid, large draining event (the Haddam Neck event),it has been argued that this was an event associated with a unique design. Without this event, the statistical evidence does not support large estimates for 4
the frequency of severe seal failures. (Of course,it also does not provide strong evidence that the failure frequency is as small as 0.01.) ~ A more thorough investigation of seal designs, operational 1'
practices (including inspection, testing, and maintenance), failure mechanisms, and fadure recovery resources and practices is needed to provide a technically based estimate of severe seal failure frequencies.
i 5.4 Concluding Remarks As r. result of this review of the AEOD database, the following conclusions relevant to the constme: ion and evaluation of the risk model can be drawn.
I While a number of events relevant to the loss of spent fuel pool cooling are included in the i
AEOD database, none of these events resulted in substantial heating of the pool or
[
uncovering of the fuel. ('Ihere has been at least one "near miss" - the Haddam Neck seal failure event.) 'Ihis implies that the frequency of significant loss of cooling should be less 4
than 10 /ry.
'Ihe INEL risk model documented in the repon appendices explicitly treats most of the events included in the database.
Almost all of the categories and subcategories of events included in the AEOD database are explicitly treated in the model. 'Ihe categories and subcategories not 5-3
1 i
i treated are either not dimetly m!evant to the loss of spent fuel pool cooling issue or appear to be probabilistically dominated by categories / subcategories with the same impact.
All of the relevant events can be mapped to the initiating events treated in the risk model.
Of the events whi:h appamntly affected safety barriers treated in the event trees, most can be directly treated by the model.
ne Wolf Creek event provides one exception, because LOOP events subsequent to a loss of spent fuel pool cooling have not been explicitly treated.
)
For those events which correlate to one of the initiating events modeled in this report, very few of the safety barriers modeled by the event tme top events have been seriously degraded (or even challenged).
j The database appears to indicate that the frequency of reported seal failures has mmained relatively constant over time. Also, while it does not pmclude small-valued estimates (0.01 or less) foi the frequency of serious seal failures,it does not support these estimates either.
I
.i 3
I
\\
]
Table 5.1 - Breakdown of AEOD Database Events Counts
- Type of Event Actual Potential Total Type #*
Loss of Water 46 47 93 Gates Leak 10 2
12 1
TransferTube Leaks 0
0 0
2 Pool Leaks 9
1 10 3
Pool Seismically Damaged 0
8 8
4 Anti-Siphon Device Fails 1
1 2
5 Refuel Cavity SerJ Leaks 2
0 2
6 Loss of Coolable Geometry 0
0 0
7 Drop of" Penetrating" Load 5
30 35 8
Pipe Problems 0
3 3
9 Alignment Problems 19 1
20 23 System Interaction 0
1 1
31 Loss ofMakeup Capability 0
6 6
Valve Problems 0
1 1
12 Pipe Problems 0
4 4
13 LOOP w/ Failure to Restom 0
1 1
14 Loss of Cooline 58 36 94 Pumps Stop (Loss Electric Power) 38 9
47 15 Pump Problems 5
15 20 33 Heat Exchangers Fail 0
1 1
16 Loss of HX Cooling 8
4 12 17 Pipe Problems 1
I 2
18 Alignment Problems 2
0 2
25 Inadeauate Cooling 0
6 6
28 ESF Isolation Loss of Cooline 4
0 4
29 loss ofNon-SFP Eauipment 4
2 6
Boiling 0
0 0
20 Flooding 4
0 4
21 Susauchanna Effect 0
2 2
24 Oder 16 45 61 Ventilation 5
24 29 26 Criticality 0
18 18 27 Loss of Monitoring Capability 0
3 3
32 Other 11 0
11 30
- Count as of 6/13/96; revisions have been made since then.
'" Type" field coded in AEOD database.
' Total count = 260; total number of events = 245 (some events am in multiple categories).
5-5
. -.. ~ _
- -. = -..
- - _ ~
~
i Table 5.2 - Breakdown of AEOD Database Events By Year Year Number
=
not known 2
1976 1
f 1980 3
1981 7
1982 6
I 1983 5
1984 8
1985 11 1986 7
1987 15 1988 17 1989 20 1990 14 1991 15 1992 20 1993 20 1994 21 1995 36 1996*
17 Total 245
'As of June,1996 l
i 1
l i
l 5-6
Table 5.3 - Loss of SFP Cooling Events' d
Date Duration Hestup Plant (y/m/d)
(br)
('F)
Notes Point Beach 1 81/01/02 0.03 Haddam Neck 87/08/14 1.3 6
Browns Ferry 1 87/12/04 0.10 Peach Bottom 2 87/12/30 1+
Haddam Nedc 90/06/08 0.42 Duane Amold 90/07/09 minutes Turkey Point 4 91/03/13 1.5 3
Indian Point 2 91/06/22 0.60 i
1 Turkey Point 4 91/06/26 1
0 HaMam Neck 91/07/17 8
3 Turkev Point 3 91/07/24 0.32 1
HaMam Neck 91/08/14 10.5 3
HaMam Neck 91/09/20 6
HaMam Neck 92/01/31 1.5 Nine Mile 1 92/02/21 0.25 HaMam Neck 92/02/22 1.67 Comanche Peak 1 92/05/11 17 5
i Indian Point 2 92/06/19 0.17 FitzPatrick 92/06/23 7.5 7
Millstone 2 92/07/06 1.5 4
Cooper 93/03/28 0.17 3
Cooper 93/05/14 0.25 0
South Texas 2 93/06/14 13 19 Haddam Neck 93/06/22 0.05 HaMam Nedc 93/06/26 0.67 4
i Duane Amold 93/08/13 6
7 Partial loss LaSalle 2 93/09/14 5
5 i
FarleY 2 93/10/05 3
40 i
Salem 1 93/10/21 0.08 Heddam Neck 94/04/23 13+
7 Seabrook 1 94/08/11 24 30 WolfCreek 94/09/30 0.30 Time to boil = 5.8 br Inchan Point 3 95/02/27 2.25 Diablo Canyon 1 95/10/21 8
20 San Onofre 1 95/10/25 0.33 1
Estimated time Limerick 1 96/02/20 0.87 2
HaMam Neck 96/03/01 32 16
- Includes only the 37 events for which severity information is available; database includes 56 loss of SFPC events.
5-7
=.
Table 5.4 - Loss of SFP Inventory Events
- Date Duration Amount Seal Rfig Est Plant (y/m/d)
(br)
(gal / ft)
Fall?
Otg?'
Stre' Notes Davis Besse 82/02/01 M
Below TSL' Salem 1 82/02/01 0.33 23,000 / -
S Est. 20 hrs drainage time',
connected to Rx cavity Troian 82/06/10 Y
L 15" below TSL: fsst WolfCreek 87/12/22 Y
S 22 ft above TAl" Hams 89/01/17
-/5 N
L Sounds fast. easily fixed 4
Clinton 89/02/03
- / 0.42 Y
M I
Millstone 2 92/07/06
- / 1.2 N
L Sounds fast, easily fixed La Salle 2 93/01/01 Y
S Smallleak Indian Point 1 94/05/18 N
S Small leak Hatch 1 94/12/28 N
S Small leak San Onofre 1 95/05/16 N
S Small leak Braidwood 1,2 95/05/30 3,000 / 0.25 N
Duane Amold 95/06/14 N
3 5" below TSL Cooper 95/10/31 10,000 / 0.1 Y
S Est. 26 hrs drainage time, connected to Rx cavity Arkansas 2 96/03/20 900 / 0.13 N
S Troian 80/05/22 Y
Y 10" below TSL Arkansa' 2 81/0';/15
-/2 Y
Hmklarr. Neck 84/08/21 0.33 200,000 / -
Y Y
L Refueling cavity loss only San O sofre 2 84/10/02 0.70
- / 1.7 Y
S Est. 8 hrs drenage time; no fuel in SFP Secuoyah1,2 85/12/18 1
-/2 Y
'Y Hatch 1 86/12/02 24
-/5.5 Y
N S
Surry 1 88/05/17 25,800 / -
Y Y
WolfCreek 91/09/23 4
Y Y
S Below TSL C==*
93/10/26 20,000 / -
Y Y
L Peak 1 Hope Creek 94/04/13 20,000 / -
Y Y
22 ft above TAF
!a<hn Point 2 95/01/20
- / 3+
Y N
20 ft above TAF
- Includes only the 26 events for which severity information is available; database has 29 loss of inventory events.
De database contains 4 additional seal failures for which severity informauon was not found: San Onofre (November 5,1984), Surry (October 2,1988), Point Beach (September 30,1992), and San Onofre (April 12,1995).
% event occur during a refueling outage?
- Estimates are based on interpretation of event narratives. Estimated size is large if operators have a small amount of time to isolate the leak and small if they have an expansive amount of time. Note that the rate of level drop during a small leak may still be great enough to dommate boiling as a mechanism for inventory loss, at least tmtil the maximum leveldrop occurs.
" Technical Specification Limit
- Top of Active Fuel 5-8
I Table 5.5 - Mapping of AEOD Database Events to Initiating Events Event Counts' Initiating Event Actual Potential Total Loss of spent fuel pool cooling (LOSFP) 56 (53) 23 (21) 79 (74)
Iess of offsite power (LP1, LP2, LP3) 4 (4) 14 (4) 18 (8)
IAss ofinventory (LINVC, LINVR) 30 (20) 13 (6) 43 (26)
Primary LOCA (PLOCA, PLOCR) 0 (0) 1 (1) 1 (1)
Seismic (EQE) 0 (0) 10 (7) 10 (7)
Total 89 (77) 78 (66) 106 (85)
' Numbers in parentheses represent events occurring in the time period 1987 - June,1996 i
a i
l i
5-9
4 Table 5.6 - Mapping of AEOD Database Events to Initiating Events and Top Events Dale Actual /
i Plant (y/m/d)
Potential IE' Top Events
- Notes la Salle 93/01/01 A
LOINV OER Indication Trojan 80/05/22 A
LOINV OER Indiation
{
Trojan 82/06/10 A
LOINV OER Indication WolfCreek 87/12/22 A
LDINV OER f**
WolfCnek 91/09/23 A
LOINV OER Indicanon Nine Mile 92/02/21 A
LOSFP SI,RI.LSI Ultimate heat sink, RHR OOS Seabrook 94/08/11 A
LOSFP OER Awareness South Texas 93/06/14 A
LOSFP OER Awareness WolfCreek 94/09/30 A
LOSFP S1,R1,LSI SFPC system (1 train), RHR OOS WNP 93/04/28 P
Ocx) nee 96/01/08 P
LOINV ERMUP, LTMUP Makeup Catawba 88/01/09 P
- LOINV, ALT-C, ERMUP, Altemate cooling, makeup LOSFP LTMUP Cook 96/04/14 P
LOOP DGIN2, DG102 Diesel generators Davis Besse 96/04/03 P
LOOP DGIN2, DG102 Diesel generators Diablo Canyon 9142/13 P
LOOP DGIN2, DGIO2 Diesel generators i
Susquehanna 92/10/20 P
Susquehaimaissues Arkansas 96/05/22 P
LOSFP Si,LSI Heatload Millstone 93/09/17 P
LOSFP S1,LSI Heatload Nine Mile 96/03/28 P
LOSFP S1,LSI Heatload Oysier Creek 83/12/23 P
LOSFP S1,LSI Spent fuel pool cooling l
River Bend 91/04/15 P
LOSFP OER Appendix R, indication j
San Onofre 90/04/24 P
LOSFP S1,LSI Heatload WNP 90/20/24 P
LOSFP Appendix R i
Diablo Canyon 91/04/10 P
Seismic LTMUP Allemale cooling, makeup Millstone 95/05/17 P
Seismic L'IMUP Makeup I
WNP 89/08/11 P
Seismic Appendix R
'IE = initiating event, LOINV = loss of inventory, LOSFP = loss of spent fuel pool cooling system, LOCA = loss of coolant accident, LOOP = loss of offsite power Tee Appendix A for definition of top events Top events affected (but not necessarily failed) 5-10
.~ -
l j.
6.
REFERENCES 1.
U.S. Nucicar Regulatory Commission, Reactor Safety Study (WASH-1400), NUREG 75/014, 1975.
i 2.
U.S. Nuclear Regulatory Commission, Regulatory Analysis for the Resolution of Generic
\\-
Issue 82, "Beyond Design Basis Accidents in Spent Fuel Pools", NUREG-1353,1989.
3.
T.V. Vo, T.R. Blackburn, T.M. Mitts, H.K. Phan, Risk Analysis for Spent Fuel Fool Cooling at Susquehanna Electric Power Station (Draft Report), Pacific Northwest Laboratory, prepared for the U.S. Nuclear Regulatory Commission Office of Nuclear Reactor Regulation under Contract DE-AC06-76RLO 1830, October 1994.
4.
U.S. Nuclear Regulatory Commission, FinalSafety Emluation by the Ofice of Nuclear Reactor Regulation Regarding Loss of Spent Fuel Pool Cooling Events, Susquehanna Steam Electric Station, Units 1 and 2, Pennsylvania Power and Light Company, Docket Nos. 50-387 and 50-388,1995.
5.
S. Kaplan and B.J. Garrick, "On the Quantitative Definition of Risk, Risk Analysis,1, Il-27 (1981).
6.
N. Siu, S. Khericha, S. Conroy, S. Beck, l.oss of Spent Fuel Pool Cooling PRA: Interim letter Report, Idaho' National Engineering Laboratory, prepared for the U.S. Nuclear Regulatory Commission Office of Analysis and Evaluation of Operational Data under JCN E8238, July 1996.
7.
K.D. Russell, et al., Systems Analysis Programs for Hands-on integrated Reliability Evaluations (SAPHIRE), Version 5.0: Technical Reference Manual, NUREGICR-6116, July 1994.
8.
J.A. Schroeder, Simpirfied Plant Risk Modelfor Susquehanna 1 & 2 (ASP BWR C),
Rev. 2, prepared for the U.S. Nuclear Regulatory Commission rader JCN W6467-5, 1995.
9.
H.S. Blackman and J.C. Byers, ASP Human Reliability Methodology Development, draft report prepared for the U.S. Department of Energy under DOE Idaho Operations Office Contract DE-AC07-94ID13223. Idaho National Engineering b x>ratory,1995.
10.
A.D. Swain, Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, NUREG/CR-1278,1983.
11.
M.T. Drouin, F.T. Harper, and A.L Camp, Analysis of Core Damage Frequency from Internal Events: Methodology Guidelines, NUREGICR-4550, Vol.1,1987.
6-1
d J.
}
e 12.
A. Mosleh, Procedure for Analysis of Common-Cause Failures in Probabilistic Safety Analysis, NUREG/CR-5801,1993.
13.
V.L. Sailor, et al, Severe Accidents in Spent Fuel Pools in Support of Generic Safety Issue 82, NUREG/CR-4982,1987.
14.
J.W.
Minarick, " Revised LOOP Recovery and PWR Seal LOCA Models,"
ORNUNRC/LTR-89/11, technical letter report prepamd for the U.S. Nuclear Regulatory Commission, August 1989.
l l 5.
J. Dasby, et al, Evaluation of Potential Severe Accidents During Low Power and Shutdown Operations at Grand Gulf, Unit 1, NUREGICR-6143,1994.
16.
T.L. Chu, et al, Evaluadon of Potendal Severe Accidents During Low Power and Shutdown Operations at Grand Gulf: Unit 1, NUREGICR-6144,1994.
17.
P. Sobel, Revised Livermore Seismic Hazard Estimatesfor 69 Nuclear Power Plant Sites East of the Rocky Mountains, Draft Reportfor Comment, NUREG-1488,1993.
18.
J. Lambright, et al, Evaluation of Generic Issue 57: Effects of Fire Protection System Actuation on Safety-Related Equipment, NUREGICR-5580,1992.
l 19.
D.D. Cline, W.A. vonRiesemann, and J.M. Chavez, Investigation of Twenty Foot Separation Distance as a Fire Protection Method as Specified in 10CFR50, Appendix R, NUREG/CR-3192,1983.
20.
Pickard, Lowe and Garrick, Inc., Indian Point Probabilisic Safety Study, performed for Consolidated Edison Co. and the Power Authority of the State of New York,1982.
21.
C. Kukielka and J.J. Winders, Jr., " Impact of High Temperatum and Humidity on 4160V Switch Gear Operation," Pennsylvania Power & Light Co. Study EC-RISK-1047. Rev. O,
- 1994, 22.
American Nuclear Society and Institute of Electrical and ' Electronics Engineers, PRA Procedures Guide, NUREG/CR-2300,1982.
23.
C.A. Boschetti, et al, Susquehanna Steam Electric Station Individual Plant Examination, Pennsylvania Power & Light Co., NPE-91-001,1991.
6-2
pmafog t
UNITED STATES
,y 3
g j
NUCLEAR REGULATORY COMMISSION 2
WASHINGTON, D.C. 30666 4 001
\\*****/
October 2, 1996 MEMORANDUM TO: Chairman Jackson Comissioner Rogers Comissioner Dicus Comissioner Diaz i
Comissioner McGaffiga J
FROM:
James M. Taylor Executive Direc for perations
SUBJECT:
RESPONSE TO STA REQUIREMENTS MEMORANDUM DATED AUGUST 27, 1996 - BRIEFING ON SPENT FUEL POOL COOLING ISSUES On August 1,1996, the staff briefed the Cemission on spent fuel pool cooling i
issues. On August 27, 1996, the Commission requested additional information on these issues and asked the staff to provide information on schedules or completion dates for certain spent fuel related activities. These requests are being tracked on the Chairman's Tracking List, Items II.M.5 and II.M.6.
This memorandum addresses those questions and provides the schedular information requested by the Commission.
l 1.
How much of the reactivity margins depends on Boraflex and degradation t
of Boraflex as opposed to other factors?
A 5 percent subtriticality margin (i.e., an effective neutron multiplication factor, k,,,, no greater than 0.95) is required for both BWR and PWR spent fuel pools.
For pools which contain Boraflex, this margin is typically i
determined assuming a small amount of Boraflex degradation and no credit for soluble boron in the pool water. The amount of Boraflex loss which can be accommodated varies from plant to plant and depends on items such as the spacing between the fuel assemblies and the remaining reactivity of the fuel assemblies after irradiation in the reactor.
In a PWR pool, soluble boron is present in the water. The total reactivity worth of the soluble boron and the Boraflex is about 30 percent delta-k and, in fact, there is normally limit even with complete loss sufficient soluble boron to meet the 0.95 k,,, d in a BWR pool, the 0.95 k,,,
of Boraflex. Because soluble boron is not use limit would be challenged with a limited amount of Boraflex degradation.
Substantial Boraflex degradation in a BWR would be required to result in
~
criticality.
The staff has recently issued Generic letter 96-04, "Boraflex Degradation in Spent Fuel Pool Storage Racks," requesting all licensees that use Boraflex in their fuel storage racks to assess the capability of the Boraflex to maintain a 5 percent suberiticality margin and describe proposed actions if this CONTACT: Steve Jones, NRR 415-2833
)
4t'e" Myg
e The Commissioners subcriticality margin cannot be maintained because of current or projected l
future Boraflex degradation.
Potential actions to compensate for the reactivity increase due to Boraflex degradation are increasing the spacing i
between stored fuel assemblies (e.g., "checkerboarding"), crediting the 1
reactivity decrease associated with fuel burnup, crediting soluble boron, or i
inserting additional neutron absorber materials into the storage racks.
Responses to the generic letter are due by October 25, 1996.
1 l
2.
Have any of the utilities had to replace the Boraflex or part of it?
j Does it require replacing the whole rack?
I The staff is not aware of any utility that had to replace the Boraflex or part of it. However, licensees for several utilities have reracked their pools and i
have chosen to use other neutron poisons instead of Boraflex.
Because the j
Boraflex used in most fuel storage racks is held in place by a' stainless steel cover that is tack welded at several locations along its length to the i
structural portion of the rack that forms a wall of the storage cell, the i
Boraflex cannot be easily replaced. Therefore, if the neutron-absorbing i
material degrades to the extent that replacement is necessary, rack replacement would likely be the least complicated and most economical means of resolving the degraded condition.
3.
Does the generic letter allow you to deal adequately with all of the remaining fuel activity concerns?
Yes, the generic letter is adequate. However, the staff will continue to monitor operating experience to assure that spent fuel pool reactivity issues are understood and appropriately addressed.
i 4.
How are non-power reactors affected?
l Non-Power Reactors (NPRs) have small amounts of spent fuel on~ site ~1n storage racks. This is because most NPRs consume small amounts of fuel during l
operation (many NPRs have lifetime or near lifetime cores). Because all j
licensed NPRs have agreements with the U.S. Department of Energy (DOE) for disposal of spent fuel, fuel is returned periodically to DOE for those few facilities that produce spent fuel on a regular basis and from all NPRs at the and of facility life.
Consequently, NPRs do not have the large fuel inventories of conrnercial power reactors, and NPRs do not generally require the high-density storage and the attendant neutron absorbing materials, such 1
as Boraflex, that have become common at commercial power reactors. At most non-power reactors (NPRs), fuel is stored in racks along the sides of the same pool that houses the reactor. A few NPRs (e.g., Georgia Tech, the National Institute of Standards and Technology (NIST), and the Massachusetts Institute of Technology) have separate pools with fuel storage racks.
4 4
Fuel at most NPRs can be cooled in air immediately after shutdown.
For higher power NPRs (more than 2 megawatts (MW) of licensed thermal power level), the fuel must be kept covered with water for a relatively short period of time after reactor shutdown so that the melting temperature of the fuel cladding cannot be reached.
For example, NIST fuel requires only about two-and-a-half 1
i e
i e
The Comissioners
- i hours of water coverage to preclude reaching the melting temperature of the aluminum cladding, about 1100' F (note that the NIST NPR at 20 MW is the highest powered NPR that is currently licensed by the NRC). The low decay
]
heat rate that permits air cooling also prevents significant heating of the pool water.
i i
All NPR fuel storage pools ensure that adequate water level is maintained by j
alerting operators to level problems through alarms (e.g., level and radiation) and design features to prevent water loss. Because the decay heat generation within the fuel is low enough to preclude cladding damage if water i
level falls below the top of the fuel, the main purpose of maintaining the i
water level is to ensure that enough water remains to serve as a radiation j
shielding. Generally, NPR pools were designed to comply with the local uniform building code. Some of the higher power NPRs were designed to higher j
seismic standards. The staff concludes that these stanoards provide adequate j
protection from water loss at NPRs.
f All NPRs are designed to prevent stored fuel from reaching criticality. The
{
configuration of the storage racks and the number of fuel elements needed to reach a critical condition make this accident highly unlikely (i.e., more than i
four to seven fuel elements falling together from the fuel storage racks into a nearly optimum configuration is not considered credible). The use of solid 1
poison materials is not comon at NPRs. For those few that utilize solid
{
poison material, the staff verified that material other than Boraflex is used.
t On the basis of this information, the staff concludes that the issues i
investigated for fuel storage at operating commercial power reactors have been j
acceptably addressed for NPRs.
5.
Provide schedules or completion dates for the following activities:
i a) Revise the Standard Review Plan: October 1998 The staff intends to revise the fuel storage pool design guidance documents j
.(Regulatory Guide 1.13 and Sections 9.1.2 and 9.1.3 of the Standard Review i
Plan) with the benefit of insights from the proposed rulemaking for shutdown j
and fuel storage pool operations and from the plant-specific regulatory 1
analyses involving fuel pool related design features. The content of the fuel i
pool operations rule will affect revisions to these guidance documents because of the interface between operational capability and design. The rule is currently scheduled to be published for comment in early 1997. The staff expects the regulatory analyses to provide a clear perspective of the safety significance of specific design attributes. As described in paragraph (b) below, we plan on completing the regulatory analyses in May 1997.
Additionally, the priority given to the rulemaking and regulatory analyses is supported by the safety benefits of these actions because of their effect on currently operating reactors. The staff plans to complete draft revisions to the guidance documents in the fourth quarter of 1997. The staff selected the final completion date of October 1998 to allow for public comment and review by the Advisory Committee on Reactor Safeguards and the Committee to Review Generic Requirements (CRGR).
l
i The Commissioners b) Complete reaulatory analysis: May 1997 The staff proposed plant-specific evaluations and regulatory analyses to examine the potential for safety-enhancement backfits at plants with low 1
values of design fuel pool decay heat removal capability or rare fuel pool related design features.
Completion of this examination in the scheduled period will require assembly of a multi-disciplinary team, including individuals familiar with fuel pool design features, probabilistic risk assessment, and instrumentation, to investigate seven sites (Dresden, Hatch, Indian Point 2, Oconee, Robinson, Salem, and Surry). These seven sites have extreme examples of the design features that require further evaluation and which may necessitate a plant-specific backfit. Therefore, the staff expects to quickly identify those design features, if any, for which a backfit may be justified.
For design features where backfits are supported, additional facilities with that design feature will be evaluated. The end product in May 1997 will be a regulatory analysis for each supported plant-specific backfit and a summary report describing the basis for no regulatory action for the remaining areas.
c) Comolete enhancements at 22 affected sites:
Auaust 1997 The staff based the implementation date of August 1997 on review of the plant-i specific backfits applicable to multiple plants by CRGR, issuance of letters to the affected licensees, the potential for appeal of the backfit by the affected licensees, and potential issuance of an order to implement the backfit. Completion may be reached much earlier if the regulatory analyses i
fail to support implementation of the proposed backfits or if licensees voluntarily implement changes to design or operation that alleviate the concern. This completion date does not include the time necessary for physical implementation of backfits by the licensee nor any staff action to verify implementation of the backfit. These schedules will be determined at the time the letters are drafted to affected licensees, and the schedules will be affected by the safety significance and extent of the changes.
cc:
/