ML20136F580

Insights Gained from PRAs
ML20136F580
Person / Time
Site: Palo Verde, Waterford
Issue date: 09/20/1984
From: Davis S, Office of Nuclear Reactor Regulation
To:
Shared Package: ML20136F585
References: NUDOCS 8412100492
Download: ML20136F580 (250)



INSIGHTS GAINED FROM PROBABILISTIC RISK ASSESSMENTS

Sarah M. Davis

Reliability and Risk Assessment Branch, Division of Safety Technology
Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission

September 20, 1984


Table of Contents

1. Introduction
   1.1 Purpose and Applications
   1.2 Sources, References, and Additional Sources
   1.3 Contents
2. Summary - Insights Gained From PRA Results
   2.1 Human Error
   2.2 Support Systems
   2.3 Initiating Events
   2.4 External Events
3. Insights into PRA Methodologies
4. Measures of Contribution
   4.1 Cutset Evaluation
   4.2 Importance Ranking
Appendix A - Plant Specific Importance Ranking Results
Appendix B - Discussions of Selected Topics - Insights Gained From PRA Results


1.0 Introduction

1.1 Purpose and Applications

The purpose of this report is to provide an update of the draft report "Insights Gained From Four Probabilistic Risk Assessments" issued in March 1983. The expansion of this report to include 15 PRAs is part of an ongoing effort in the Reliability and Risk Assessment Branch (RRAB), Division of Safety Technology, NRR, of making available and using the information in Probabilistic Risk Assessments (PRAs) to highlight factors which have been found to dominate the risk associated with operation of varying types of nuclear power plants. This effort will also identify design or operational practices which have been found to be important to safety in the types of plants which have been subjected to risk assessments. In addition, methodological differences will be noted. The evaluation of the impact of different treatments of methodological topics on the perception of plant vulnerabilities was undertaken in a separate program in RRAB, Insights on PRA Methodology. Conclusions from this task comprise Section 3.0 of this report.

The focus of the report is on the PRAs themselves. The purpose of this task is not a critique of these studies. For the purpose of gleaning insights and calculating importance measures, the assumptions and conclusions of the studies were accepted as valid with the intent to learn from these conclusions and provide additional perspectives to the insights and inferences that can be drawn and their applicability to reactor safety and the use of PRA in general.

It is expected that this information will continue to aid in the assessment of safety issues in the absence of plant specific studies. This has already been done in many areas such as the Systematic Evaluation Program involving operating reactors and Severe Accident considerations in Environmental Statements for plants in the licensing phase.

This compilation of risk assessment information and insights can potentially benefit both the industry and NRC staff. Insights drawn from PRAs done to date can be used by utilities to examine current plant design and operation in order to identify any weaknesses or vulnerabilities found in plants with similar characteristics. This information can also be used as a checklist for the conduct of future PRAs to increase awareness of problems that have already been identified and to systematically check the applicability to a specific plant.

The methodology assessment provides an awareness of the effects of the methodology on the PRA results when structuring future PRA studies. This assessment focuses on those aspects of the methodology to which the results appear to be sensitive. These insights can enable those performing PRAs to be aware of those areas of analysis where it may be beneficial to expend resources and explore details of additional analyses. This can also aid in focusing the review on the more sensitive areas. Some of the areas found to have a significant impact are system dependency analyses, human error evaluations and electrical systems analyses.

Another facet of the purpose of this ongoing effort is to increase awareness and sensitivity of NRC staff to the importance of systems and components derived from PRA results. The availability of this collected information will hopefully serve to familiarize NRC staff reviewers as to overall PRA insights, both of a design and a methodological nature, and aid the staff in a number of specific areas. The insights gained from PRAs may be useful in numerous ongoing technical activities and can also provide information to cognizant branches for the identification of generic safety issues. The focus on importance which this effort provides can prove useful to plant project managers in the prioritization of plant specific work schedules for actions or modifications to operating reactors. In addition, these insights can be useful to resident inspectors for focusing activities on areas where potential problems or weaknesses have been identified in similar plants.

The insights gained from methodology assessment can provide valuable guidance to RRAB, enabling project managers for PRA reviews to focus the review on areas sensitive to methodological assumptions and aid in the interpretation and application of results. Cutsets derived or identified in calculations of the importance ranking of systems and components can be used in evaluating new safety issues or proposed modifications of plants through the processing and dissemination of information obtained from PRAs.

For those plants subjected to extensive review, the review process elucidated some significant differences in identification and/or quantification of dominant accident sequences. Critiques and revised estimates of significant sequences are provided in NUREG/CR-2934 (Indian Point Units 2 and 3), NUREG/CR-3300 (Zion), NUREG/CR-3028 and NUREG/CR-3493 (Limerick), and EGG-EA-5765 (Big Rock Point) for those PRAs which received extensive review by NRR staff. Final results of the reviews were not available during the conduct of the importance calculations and thus are not reflected in the discussions of plant specific importance rankings. It should be emphasized that this report is not intended to be a representation of the current safety profile of the plants under consideration but rather a presentation of PRA results and insights derived from the conduct of such studies.

The inclusion of examples of modifications implemented by applicants/licensees and significant review findings is intended to illustrate the valuable information provided by PRAs and PRA reviews which lead to a much deeper understanding of plant safety and areas of vulnerability as well as strength. In many instances this provides a tool with which to more readily identify cost-effective means of improving plant safety. These examples are, however, by no means exhaustive and appropriate caution should be exercised in utilizing the information presented in this report.


1.2 Sources of Material

Along with the PRAs themselves, a major source of information used in this report is DRAFT NUREG/CR-3495, "Calculation of Failure Importance Measures For Basic Events and Plant Systems in Nuclear Power Plants", to be published later this year. The purpose of this project, done under contract to RRAB by Sandia National Laboratories, was to develop and utilize a methodology which extracts minimal cutsets from dominant accident sequences in order to examine and rank systems, components and failure modes as to their contribution to core melt frequency, release, and risk using various measures of importance and risk. (The definition and interpretation of these terms will be expanded more fully in later sections of this report.)

Other sources which contain cataloging of sequences, generic sequence development and insights are the Technical Reports from the Industry Degraded Core Rulemaking Program (IDCOR) sponsored by the nuclear industry; the Draft Report For Comment, NUREG-1050, "Probabilistic Risk Assessment (PRA): Status Report and Guidance for Regulatory Application", published by the Office of Nuclear Regulatory Research; EPRI NP-3265 Interim Report, "A Review of Some Early Large-Scale Probabilistic Risk Assessments"; and reports from the Accident Sequence Evaluation Program, part of the Severe Accident Research Program. These and other documents and programs also provide perspectives on the use of PRA and various insights of a global and plant specific nature.


1.3 Contents of Report

Following this section are Tables 1.1-1.3. Listed in Table 1.1 are the plants and program sponsors, with overall core melt frequency as reported in the PRA and the date of publication. The PRAs are generally characterized by four categories:

WASH-1400 - The Reactor Safety Study (RSS), a pioneering program of a full-blown risk assessment using Surry 1 and Peach Bottom 2 as representative of PWRs and BWRs, respectively. A critique of this documentation was performed by the Risk Assessment Review Group (also known as the Lewis Committee Report) in NUREG/CR-0400.

Reactor Safety Study Methodology Applications Program (RSSMAP) - initiated after the RSS, these are truncated WASH-1400-type evaluations based on judgement and experience with analysis of accident sequences identified in WASH-1400.

Interim Reliability Evaluation Program (IREP) - the Crystal River-3 Safety Study was the pilot effort in this program initiated in the year following the Three Mile Island accident. These analyses were principally concerned with probability of core melt with no detailed review of containment failure or offsite consequences. (The Calvert Cliffs 1 IREP report was not available when the calculations of importance ranking were performed and thus was omitted from this analysis.)

Industry Sponsored PRAs - Those used in the importance ranking work are full scope risk assessments employing various methodologies depending on the authors and purpose of the study. Others have been received by NRC with reviews ongoing or not yet initiated which were not available for the task of importance calculations. They are Millstone 3, Shoreham, Midland, Seabrook, Yankee Rowe, and GESSAR (standardized BWR design).

Listed in Table 1.2 are the contributions to core melt frequency from sequence initiators for the 15 PRAs under consideration. This provides a general measure of the contributions made by classes of sequences to core melt frequency for various types and designs of plants. Following in Table 1.3 are some of the modifications made to these plants which would be expected to impact the dominant sequences initiated by the events listed in Table 1.2. Section 2.0, Summary Insights Gained from PRA Results, contains summary tables of insights gleaned from numerous PRAs in areas such as Human Error, Support System Importance, Initiating Events and External Event Analyses. Appendix B provides more detailed discussions of the background for selected items from Section 2.0. Section 3.0 provides a summary of "Insights into PRA Methodologies." Section 4.0, Measures of Contribution, contains a discussion of methods for obtaining a quantitative estimate of the importance of system and component failures to overall core melt frequency and risk, and specific results are discussed for each plant in Appendix A.


TABLE 1.1

PLANT                   TYPE  SPONSOR / PRA NAME  ESTIMATED CORE MELT FREQUENCY  SCOPE                         DATE PUBLISHED
                                                  AS REPORTED IN PRA
SURRY 1                 PWR   NRC - WASH-1400     6 x 10^-5/RY                   internal events only          10/75
PEACH BOTTOM 2          BWR   NRC - WASH-1400     ~3 x 10^-5/RY                  internal events only          10/75
SEQUOYAH 1              PWR   NRC - RSSMAP        ~6 x 10^-5/RY                  internal events only          2/81
OCONEE 3                PWR   NRC - RSSMAP        8 x 10^-5/RY                   internal events only          5/81
GRAND GULF 1            BWR   NRC - RSSMAP        ~4 x 10^-5/RY                  internal events only          10/81
CALVERT CLIFFS 2        PWR   NRC - RSSMAP        ~2 x 10^-?/RY                  internal events only          5/82
CRYSTAL RIVER 3         PWR   NRC - IREP          ~4 x 10^-?/RY                  internal events only          12/81
ARKANSAS NUCLEAR ONE 1  PWR   NRC - IREP          5 x 10^-5/RY                   internal events only          6/82
BROWNS FERRY 1          BWR   NRC - IREP          2 x 10^-?/RY                   internal events only          7/82
MILLSTONE 1             BWR   NRC - IREP          3 x 10^-?/RY                   internal events only          5/83
BIG ROCK POINT          BWR   INDUSTRY            1 x 10^-5/RY                   internal and external events  3/81
ZION                    PWR   INDUSTRY            ~6 x 10^-5/RY                  internal and external events  9/81
INDIAN POINT 2          PWR   INDUSTRY            ~5 x 10^-?/RY                  internal and external events  4/82
INDIAN POINT 3          PWR   INDUSTRY            ~2 x 10^-?/RY                  internal and external events  4/82
LIMERICK 1              BWR   INDUSTRY            ~2 x 10^-5/RY                  internal and external events  3/81; revised and expanded to include external events 4/83

(? marks an exponent that is illegible in the scanned source.)

NOTE: This table shows the estimated core melt frequency as reported in each of the 15 Probabilistic Risk Assessments (PRAs). In many cases, staff review resulted in revised estimates not reflected in this table. For other cases, reviews are ongoing. Caution should be exercised in viewing these results. Many of the licensees/applicants made modifications to both hardware and procedural aspects of the design and operation of plants which would be expected to impact the overall core melt frequency. There are large uncertainties associated with the values in this table and interplant comparisons cannot be appropriately made since the PRAs were performed under differing scopes, methodologies, and assumptions and the results are presented by varying measures (point estimates, medians, or means).


TABLE 1.2

SEQUENCE CONTRIBUTION TO CORE MELT FREQUENCY (GROUPED BY INITIATING EVENT, ROUNDED TO NEAREST 5%)

Columns in the original: PLANT NAME, LOCA, TRANSIENT, ATWS, FIRE, SEISMIC, WIND OR TORNADO. The scan does not preserve the column alignment, so the percentages are listed below in the order in which they appear on each plant's row.

SURRY 1                  65  25  10
PEACH BOTTOM 2           70  30
SEQUOYAH 1               95  5
OCONEE 3                 70  25  5
GRAND GULF 1             15  70  15
CALVERT CLIFFS 2         95  5
CRYSTAL RIVER 3          75  25
ARKANSAS NUCLEAR ONE 1   25  70  5
BROWNS FERRY 1           75  25
MILLSTONE 1              95  5
BIG ROCK POINT           55  15  5  25
ZION (1 AND 2)           65  20  15
INDIAN POINT 2           (values illegible in the scanned source)
INDIAN POINT 3           (values illegible in the scanned source)
LIMERICK 1               100

TABLE 1.3

PLANT NAME / MODIFICATIONS ADDRESSING DOMINANT SEQUENCES

SURRY 1 - The identification of the Interfacing LOCA (Event V) as a dominant contributor to risk led to the requirement of the capability for the strategic testing of the check valves in high/low pressure boundaries.

SEQUOYAH 1 - Special administrative controls incorporated in new Technical Specifications addressed the identified problem peculiar to ice condenser containment designs. A more strategic testing procedure was instituted for the check valves of concern in the interfacing systems LOCA event.

OCONEE 3 - The licensee took actions addressing Event V, eliminated the AC power dependency of the turbine driven train of the Emergency Feedwater System, instituted emergency procedures to prevent cavitation of ECCS pumps during certain postulated events, made modifications to the Instrumentation and Control System, and instituted preventive measures regarding the possibility of accident sequences induced by turbine building flooding.

CALVERT CLIFFS 2 - The Auxiliary Feedwater system was modified to include automatic initiation logic and a third motor-driven EFW pump train was added (to both units) with the ability to valve in the motor-driven train from each unit into the motor-driven train of the other unit.

CRYSTAL RIVER 3 - The licensee made improvements to operator training and procedures for switchover from ECCS injection to recirculation, removed the AC dependency of the turbine driven EFW pump and plans to institute procedures for local manual control of this pump, and instituted testing procedures addressing Event V.

ARKANSAS NUCLEAR ONE-1 - Modifications made during the course of the study included revised battery testing procedures, testing of actuation circuitry of switchgear room coolers and corrections in ECCS pump testing procedures.


TABLE 1.3 (CON'T.)

PLANT NAME / MODIFICATIONS ADDRESSING DOMINANT SEQUENCES

MILLSTONE 1 - The licensee implemented changes addressing insights gained through the risk assessment process: corrected single failure vulnerability in the LNP (loss of normal power) logic; removed the AC power dependency of the isolation condenser; and instituted procedural and equipment provisions for manual control of the normally closed valve in the isolation condenser.

BIG ROCK POINT - Modifications made by the utility addressing the significant contributors to core melt based on their PRA included remotely operated make-up to the emergency condenser from the fire system; post-accident valve position (locks); early containment spray following a LOCA; additional isolation valves on the primary coolant system; and high pressure recycle.

ZION - During the staff review of the PRA the licensee agreed to take the following actions: institute refill procedure of the RWST to accommodate the containment spray system; open PORV block valves; improve Safety System Room Cooler surveillance. In addition, the staff modified Technical Specifications decreasing the allowable outage time for two Auxiliary Feedwater pumps.

INDIAN POINT 2 - The licensee proposed modifications to the control building roof and ceiling to accommodate high seismic accelerations. The staff established the meteorological bases for a technical specification requiring orderly anticipatory shutdown of Indian Point, Unit 2 when hurricanes are approaching the site.

INDIAN POINT 3 - In accordance with existing regulations concerning fire protection (Appendix R), the staff imposed the implementation of five interim actions to reduce risk of core melt from fire pending the licensee's Appendix R submittal. The interim modifications involved the provision of an alternate power source to vulnerable shutdown related components.


TABLE 1.3 (CON'T.)

PLANT NAME / MODIFICATIONS ADDRESSING DOMINANT SEQUENCES

LIMERICK - During the course of the Limerick PRA, the applicant took steps to implement the following: Alternate 3A ATWS Fixes (plus modifications beyond those designated in Alternate 3A); modifications to the ADS air supply; modifications to RHR System; separate ECCS nozzles; and procedural changes to achieve an alternate method of room cooling for the HPCI and RCIC pump rooms.


2.0 Summary - Insights Gained From PRA Results

The structure of a PRA systematically leads to a set of accident sequences comprising an initiating event, a combination of system failures with a calculated estimate of the probability of occurrence and the associated plant damage state. In full scale PRAs, these results are used to estimate the probability of containment failure, the mode of failure, and the magnitude of a release to the environment following a breach or bypass of containment. The set of accident sequences considered "dominant" with respect to core melt are those sequences with probabilities of occurrence which constitute the major portion of the overall core melt probability, with the remaining portion being the cumulative probabilities of a large number of sequences with significantly lower probabilities of occurrence. Sequences considered "dominant" to risk take into account the probability of occurrence and the estimated magnitude of release represented by their placement into defined release categories.

In the context of an accident sequence, system failure is not quantitatively defined as an overall unavailability of the system per se, but rather as a combination of cut sets that lead to failure of the system function. A cutset (or failure path) is the minimal set of component failures which disable the system from performing the required function (function being defined by system success criteria for the sequence). Thus, the combination of cut sets is a prescribed set of failures and events which must occur for the accident sequence to take place.

Examination of dominant accident sequences and their cutsets in a PRA provides plant specific insights into areas of vulnerability and weakness as well as strengths of design and operation for that plant. One method of obtaining insights in a quantitative manner is that of importance ranking. The insights into the relative importance of systems, components and basic events on a plant by plant basis are discussed in Appendix A. However, the greatest value of the conduct and results of a PRA are the qualitative insights into plant design and operation which are gained that significantly aid in our awareness and judgement regarding the factors vital to overall plant safety. For this reason, some of the insights gained in the process of Probabilistic Risk Assessment have been compiled in this report and are presented in tabular form in this section. More detailed discussions of the background and effects of selected topics from this section are contained in Appendix B.

It has become apparent that as risk assessment techniques have evolved, areas of investigation have expanded and changed reflecting the attitude intrinsic to the methodology. That is, the emphasis given possible failure modes, either by general assumptions or by methods of collecting data and calculating probabilities, can greatly affect which factors of unavailability dominate the results. This is especially true in the area of quantifying the probability of human error, the importance of support system dependencies, the selection of initiating events, and the inclusion of external events analyses. Some of the overall insights gained in these areas are presented in the following sections.
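The cutset definition and the importance ranking described above can be made concrete with a small calculation. The following Python is an added example; it is not part of the report and not the NUREG/CR-3495 methodology. It uses a constructed two-train emergency feedwater function with invented unavailabilities, enumerates its minimal cutsets by brute force, sums them under the rare-event approximation, picks out the cutsets that carry most of the total (the report's sense of "dominant"), and ranks the basic events by Fussell-Vesely importance. Fussell-Vesely is one standard importance measure; the report does not say which measures NUREG/CR-3495 uses, so that choice is an assumption here, as are the system, its success criterion and all numbers.

```python
from itertools import combinations

# Constructed example, not a system from the report: a two-train emergency
# feedwater (EFW) function. Each train needs its own pump and AC bus; both
# trains depend on one shared DC bus and can both be defeated by a single
# operator error. Unavailabilities per demand are invented for illustration.
BASIC_EVENTS = {
    "PUMP_A": 1e-2,
    "PUMP_B": 1e-2,
    "AC_BUS_A": 5e-3,
    "AC_BUS_B": 5e-3,
    "DC_BUS": 1e-3,      # shared support system (compare the Support Systems table)
    "OPER_ERR": 3e-2,    # common-cause human error (compare the Human Error table)
}


def efw_fails(failed):
    """Success criterion (assumed): at least one train delivers flow.
    Returns True when the given set of failed basic events disables the function."""
    train_a = "PUMP_A" not in failed and "AC_BUS_A" not in failed
    train_b = "PUMP_B" not in failed and "AC_BUS_B" not in failed
    support = "DC_BUS" not in failed and "OPER_ERR" not in failed
    return not (support and (train_a or train_b))


def minimal_cutsets(events, fails):
    """Enumerate minimal cutsets by brute force: a failure set is a cutset if it
    disables the function, and minimal if no proper subset already does.
    Enumerating by increasing size guarantees every subset is seen first."""
    names = sorted(events)
    found = []
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            candidate = frozenset(combo)
            if any(c < candidate for c in found):
                continue                      # a smaller cutset already covers it
            if fails(candidate):
                found.append(candidate)
    return found


def cutset_probability(cutset, events):
    """Basic events are assumed independent, so a cutset's probability is the
    product of its members' unavailabilities."""
    p = 1.0
    for e in cutset:
        p *= events[e]
    return p


def function_unavailability(cutsets, events):
    """Rare-event approximation: the sum of the minimal cutset probabilities."""
    return sum(cutset_probability(c, events) for c in cutsets)


def fussell_vesely(cutsets, events):
    """Fussell-Vesely importance of each basic event: the share of the total
    unavailability carried by the cutsets that contain that event."""
    total = function_unavailability(cutsets, events)
    return {
        e: sum(cutset_probability(c, events) for c in cutsets if e in c) / total
        for e in events
    }


def importance_ranking(events=BASIC_EVENTS, fails=efw_fails):
    """Rank basic events by Fussell-Vesely importance, highest first."""
    cutsets = minimal_cutsets(events, fails)
    fv = fussell_vesely(cutsets, events)
    return sorted(fv.items(), key=lambda kv: kv[1], reverse=True)


def dominant_cutsets(events=BASIC_EVENTS, fails=efw_fails, fraction=0.95):
    """Return the fewest cutsets, largest first, whose combined probability
    reaches the requested share of the total (the 'dominant' set)."""
    cutsets = minimal_cutsets(events, fails)
    total = function_unavailability(cutsets, events)
    ordered = sorted(cutsets, key=lambda c: cutset_probability(c, events), reverse=True)
    chosen, accumulated = [], 0.0
    for c in ordered:
        chosen.append(c)
        accumulated += cutset_probability(c, events)
        if accumulated >= fraction * total:
            break
    return chosen


if __name__ == "__main__":
    cutsets = minimal_cutsets(BASIC_EVENTS, efw_fails)
    for cs in cutsets:
        print(sorted(cs), f"{cutset_probability(cs, BASIC_EVENTS):.2e}")
    print(f"total unavailability (rare-event): {function_unavailability(cutsets, BASIC_EVENTS):.4e}")
    for name, fv in importance_ranking():
        print(f"{name:10s} FV = {fv:.3f}")
    print("dominant:", [sorted(c) for c in dominant_cutsets()])
```

Run as a script, it lists the six minimal cutsets (the two single-event support failures and the four two-event train combinations), shows that the operator error alone exceeds 95% of the total, and ranks the shared DC bus above any individual pump or AC bus even though a pump is ten times less reliable. That is the point the report's Support Systems and Human Error tables make in prose: single support systems and common-cause human actions dominate because they appear in cutsets of size one, while redundant train hardware only appears in products of two small numbers.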


2.1 Human Error, Recovery Actions and Procedures, Test and Maintenance Summary Table

1. Potential causes of failure of manual switchover from ECCS injection to recirculation in PWRs (Generic Issue 24):
   (a) Premature switchover causing pump cavitation
   (b) Failure to reinitiate safety injection pumps when needed in conjunction with the high pressure pumps during recirculation
   (c) Incorrect reconfiguration of valves for recirculation phase.

2. Potential causes of common cause failures due to human error:
   (a) Redundant actuation circuitry fails due to miscalibration performed by the same individual on one shift
   (b) Components left in the incorrect position following test or maintenance activities:
       (1) redundant actuation fails due to control switch being incorrectly left in manual mode.

3. Failure to open drain valves between upper and lower containment areas in plant with an ice condenser containment so that discharged water does not reach sump for recirculation phase, thus failing ECCS recirculation.


4. Event V - Periodic testing of the integrity of the double isolation valves on the suction side of the RHR system can reduce the likelihood of these valves rupturing sequentially over a period of time or operating cycles resulting in an interfacing system LOCA initiating event.

5. Valve position indication may be misleading to the operator if it is not directly off the stem, e.g., connected actuator subsequently becomes disengaged from the stem.

6. Staggered testing and calibration of redundant trains of equipment reduces the potential for common cause failures (2.(a)) by the operator of not only actuation circuitry but other vital safety functions (e.g., DC Batteries, see Support System summary).

7. Lack of surveillance (either direct or indirect) or extended surveillance periods for components, both active and passive, in vital safety systems may increase the unreliability of the safety function. The components most likely to elude surveillance are manual valves, as was mentioned, whose position or disc integrity may be important to a safety function.

8. Recovery Actions and Procedures:
   (a) Reliance on the operator to establish high pressure cooling in the feed-and-bleed mode following failure of the Emergency Feedwater System could potentially be alleviated by improving the reliability of the EFS or automating the High Pressure Recirculation System for loss of feedwater scenarios. Improved operator training may aid in reducing the likelihood of operator error in this action.
   (b) Procedures and training for depressurizing the steam generators and using the condensate booster pumps (pressure 400-500 psi) in the event of loss of feedwater (both main and emergency feedwater) greatly enhances the reliability of the decay heat removal function following a reactor trip.


2.2 Support Systems Summary Table

1. Cooling of both emergency feedwater pumps is supplied by an AC powered service water system, thus loss of all AC disables both trains of emergency feedwater. The pumps were modified to self-cooling designs.

2. DC bus supplies actuation power to the turbine driven emergency feedwater pump and a diesel generator (the breaker connecting the bus fails to close). A single DC bus failure disables two emergency feedwater pumps in the event of a loss of offsite power.

3. Stripping vital loads from the safety buses on a safety injection signal (even though offsite power has not been lost) and then reloading them sequentially on the bus reduces the reliability of the safety function.

4. DC bus faults can cause a reactor trip initiating event with concomitant failure of multiple core and containment cooling system trains.

5. Potential causes of DC battery failure or degradation:
   (a) Common mode test or maintenance error (rectified by staggered testing)
   (b) Maintenance personnel may leave battery charger disconnected from bus following maintenance activities. During this time, loads will be supplied by the battery itself causing degradation in battery capability.
   (c) Loss of ventilation in battery rooms
   (d) Excess voltage during equalizing charge
   (e) Following test or maintenance, jumpers may not be removed from cells.

6. Failure of battery fails the Isolation Condenser return valve and a diesel generator emergency power train.

7. Ventilation required for equipment operability may fail in rooms with redundant equipment due to the thermostat never being checked or power to the ventilation system not being on an emergency power bus.

8. Diesel Generator may not operate following loss of offsite power due to loss of service water required to provide DG cooling from a service water pump powered by an emergency bus supplied by a failed diesel generator.

9. Sight glass in air lock may not sustain as high an overpressure as the rest of the containment.


10. Fan coolers provide a redundant containment cooling function in many plants. However, the fan coolers may fail in a post-core melt environment due to hydrogen burns failing electrical cabling or air borne particulates clogging fan filters.

11. Failures in the Component Cooling Water System (CCW) have been identified as extremely important support system failures which have the potential of being an initiating event along with disabling mitigative systems required for that sequence. These aspects are discussed together in the next section on Initiating Events.


2.3 Initiating Events Summary Table

1. A Component Cooling Water System (CCW) pipe break causes loss of cooling to the reactor coolant pump seals and to the charging pumps which provide seal injection flow. Loss of seal cooling and injection flow may result in seal failure (i.e., small LOCA). Core melt may ensue because the high head safety injection pumps (ECCS) also fail due to loss of CCW cooling. Thus, a single initiating event (loss of CCW) may directly result in core melt.

2. Loss of cooling to reactor pump seals for short periods of time (30 minutes to an hour) may result in seal failure even when the RCP pumps have been tripped.

3. Auxiliary component cooling water pumps driven by the ECCS pump motors may reduce dependence of ECCS on the main CCW system.

4. The ability to share CCW systems in multi unit sites may increase the reliability of CCW flow to safety systems.

5. Small break LOCAs appear to be dominated by RCP seal failure and steam generator tube ruptures in PWRs.


6. Small break LOCAs appear to be dominated by stuck open safety/relief valves in BWRs.

7. Depending on the location of small break LOCAs (e.g., below reactor in pedestal cavity), the result may be to fail filling the sump prior to initiation of recirculation pumps due to flow path geometry inside containment, thus failing ECCS recirculation.

8. Interfacing Systems LOCA: The likelihood of this event can be substantially reduced through strategic testing of the valves at the high/low pressure boundary. For many plants, the valves of concern are the check valves in the RHR or Low Pressure Injection lines. However, from the Indian Point PRA, additional conditions have been recognized. The motor-operated isolation valves in the RHR suction line may also be vulnerable to an Interfacing Systems LOCA event. On the other hand, since much of the piping and the RHR heat exchanger are within containment, failure of the heat exchanger or piping in this area is no longer a sequence which bypasses containment but rather a LOCA within containment that depends on the availability of emergency mitigative systems. This configuration is somewhat unusual, which underscores the importance of identifying plant-specific features which may render previously identified events less likely as well as verifying the existence of vulnerabilities found in other plants.


2.4 External Events Summary Table

1. During a severe seismic event, adjoining structures which are not adequately separated or joined together could respond out of phase so that one or both structures fail, losing vital safety functions or equipment in one or both buildings.

2. During a severe seismic event, panels in hung ceilings in the control room could fail, incapacitating the reactor operators and/or the control room itself.

3. The frequency of seismic events for many parts of the country is being reassessed and may be greater than previously thought.

4. The damage zone of a fire may be much larger than the immediate fire area because of the hot gas layer that forms at the top of the room. Equipment or cabling located along the ceiling could fail even though they are not in the direct fire path.

5. Hurricane and tornado winds have been identified as important contributors to loss of offsite power events, with intensities that may also damage buildings and equipment.


6. A severe seismic event resulting in failure of the service water system disables the diesel generators, thus resulting in loss of all emergency AC power.


III. Insights Into PRA Methodologies

About 20 probabilistic risk analyses of nuclear power plants have been performed in the United States. These analyses have been performed by different organizations using different degrees of sophistication or detail in the various methodological topic areas encompassed by a probabilistic study. The staff has sponsored a survey of six PRA studies to evaluate the impact of the level of effort (detail) expended in each topic area on the perception of plant vulnerability and/or core melt likelihood. The results of this survey are presented in "Insights into PRA Methodologies", NUREG/CR. The various topics considered in the study and the suggested level of treatment for each of the topics are presented in Table 3.1. Half of the topics were considered to have a significant impact on the perception of plant vulnerabilities, as noted by the asterisks (*) in Table 3.1.

Table 3.1. Topics considered in the survey and suggested level of treatment for each topic (asterisks mark topics with a significant impact on the perception of plant vulnerabilities).

These topics should be given careful consideration when performing a PRA and also when reviewing a study. The suggested level of effort to realize an acceptable level of analysis is only significant for three topic areas, namely:

(a) System hardwired dependencies
(b) Modeling of ac power systems
(c) Human errors during an accident.

Analysis of system hardwired dependencies and modeling of ac power systems are related topics that deal with auxiliary systems that support vital safety functions. Of concern are the potential cross-connections in the auxiliary system that effectively defeat redundancy in the safety functions. The analyses require detailed fault trees that include these potential interdependencies and a Boolean reduction code capable of processing the large matrices obtained. The task could be reduced somewhat if a determination is made at the outset about the realistic requirements with regard to auxiliary cooling, either through direct coolers attached to a component or through room cooling.
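As an added illustration of the point about hardwired dependencies (example code written for this page, not from the report or the survey it cites): a small fault tree for a two-train safety function is reduced to its minimal cut sets twice, once with the support system left out and once with both trains depending on the same Component Cooling Water system. The gate structure, event names and the Boolean expansion/absorption routine are all constructed here.

```python
"""Minimal cut sets of a small fault tree, with and without a shared support
system.  Added example; gate structure and event names are constructed here and
do not come from the report or the survey it cites."""
from itertools import product
from typing import FrozenSet, List, Tuple, Union

# A tree node is a basic event name, or a tuple ("AND"|"OR", child, child, ...).
Tree = Union[str, Tuple]
CutSet = FrozenSet[str]


def absorb(sets: List[CutSet]) -> List[CutSet]:
    """Boolean absorption: drop any cut set that is a superset of another."""
    unique = set(sets)
    minimal = [s for s in unique if not any(other < s for other in unique)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def minimal_cut_sets(tree: Tree) -> List[CutSet]:
    """Expand the tree top-down: OR gates union their children's cut sets,
    AND gates combine one cut set from every child (cross product).  This is
    the textbook reduction; production codes add truncation or BDDs to cope
    with the size of real plant models."""
    if isinstance(tree, str):
        return [frozenset({tree})]
    gate, *children = tree
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":
        combined = [cs for group in child_sets for cs in group]
    elif gate == "AND":
        combined = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return absorb(combined)


def single_point_failures(cutsets: List[CutSet]) -> List[str]:
    """Order-1 cut sets: one basic event alone fails the top event."""
    return sorted(next(iter(cs)) for cs in cutsets if len(cs) == 1)


# Constructed two-train safety function: the function is lost only if both
# trains fail.  Modelled first without any support system ...
NAIVE_TREE: Tree = ("AND",
                    ("OR", "PumpA_fail", "ValveA_stuck"),
                    ("OR", "PumpB_fail", "ValveB_stuck"))

# ... and then with both trains' pumps cooled by the same CCW system, whose
# loss is itself an OR of a header break and both CCW pumps failing.
CCW_LOSS: Tree = ("OR", "CCW_header_break",
                  ("AND", "CCW_pump1_fail", "CCW_pump2_fail"))
SUPPORTED_TREE: Tree = ("AND",
                        ("OR", "PumpA_fail", "ValveA_stuck", CCW_LOSS),
                        ("OR", "PumpB_fail", "ValveB_stuck", CCW_LOSS))


if __name__ == "__main__":
    for label, tree in (("without support system", NAIVE_TREE),
                        ("with shared CCW dependency", SUPPORTED_TREE)):
        mcs = minimal_cut_sets(tree)
        print(f"{label}: {len(mcs)} minimal cut sets, "
              f"single-point failures = {single_point_failures(mcs)}")
        for cs in mcs:
            print("   ", sorted(cs))
```

Without the support system every cut set is of order two (one failure in each train), which is what the redundancy is meant to buy. Adding the shared CCW dependency introduces an order-one cut set (the header break) and a cut set of two CCW pump failures that are both outside the safety system itself, so the redundancy is defeated by a cross-connection that never appears in the per-train fault trees. This is the reason the survey asks for dependency analysis at the level of detailed fault trees rather than at the system level.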

Modeling of human errors during an accident is concerned with depicting realistic expectation of operator actions during an accident. These actions are those related to preexisting training and procedures and do not include random acts. Although the suggested level of effort for this topic includes detailed task analyses to portray the actions of interest, the results are still highly dependent on the analyst's bias in assessing the performance shaping factors that impact the quantification of human errors. This area deserves careful attention in the review process because of this sensitivity.

Actuation and control logic and recovery of failed components or actions also have significant impact on the perceived plant vulnerabilities, but the study indicated that less detailed effort was required for these topics to achieve reasonable results. These topics are related to modeling of ac power and human actions during an accident and therefore should probably be considered as a package when deciding what level of effort to devote to a PRA analysis.

A related topic, not directly addressed by the survey, is the treatment of component operability under conditions beyond their design point. For example, do pumps fail if they don't have lube oil cooling, or will equipment inside containment operate in a post core-melt environment? The sponsored reviews of PRA studies have shown that assumptions made in these studies regarding system/component success criteria have a significant impact on the PRA results. Many of these sensitive areas have been highlighted in the previous insights section. Because of this sensitivity to the analyst's judgement on component operability, it is very important that these assumptions be explicitly identified in the PRA studies along with justification and/or sensitivity studies to display the impact of the assumption.


4.0 Measures of Contribution

4.1 Cut Set Evaluation

To gain insight into the relative importance of particular system failures, it is possible to review all the minimal cutsets (which can number in the tens of thousands) via computerized search to determine which ones contain the system failures of interest. It is then possible to determine what percentage of the plant's core melt frequency is contributed by sequences containing these system failures in the cut sets.

As with "dominant" sequences, the dominant minimal cutsets, those which have probabilities dominating a large portion of the sequence frequency, are of primary importance. There may be system failures of interest in the remaining cut sets of a sequence, but they are of considerably lower probability and contribute significantly less to the sequence (customarily below a prescribed low probability or small contribution cutoff).

In order to focus on the important contributors identified, we restrict our attention to the dominant minimal cutsets of an accident sequence. Since all elements in a sequence cutset contribute multiplicatively to the cut set, it is not possible to attribute the precise contribution of system failure elements to overall core melt frequency. However, the existence of a large contribution to core melt frequency of sequences containing particular system failures would indicate that examination of the elements of those sequences may identify areas where reductions in core melt frequency or risk are possible through various improvements.

It is important to realize that "dominance" is arrived at quantitatively. There are large uncertainties associated with sequence probabilities due to statistical, modelling accuracy and completeness issues. Therefore the estimated higher probabilities for dominant sequences or events may suppress the significance of other sequences that are equally as likely as those ranked as dominant but also the consideration

4.2 Importance Ranking

A further method which can be used to arrive at the relative importance of particular systems is the application of importance measures. An importance measure often used is the "Fussell-Vesely" measure of importance. The interpretation of the values given for each term (system/basic event) is the probability that the defined term contributed to total core melt frequency, given that a core melt has occurred. It is important to recall the definition of system in this context. It is not overall system unavailability but rather the probability that a combination of components in that system (defined by dominant cutsets) have failed given that a core melt has occurred. In this way, we can get some measure of the relative importance of a system or component but not the contribution to the core melt frequency, as presented in the cut set approach above. As was previously mentioned, even when the dominant cut sets are identified for each dominant sequence in a PRA, the most that can be said is that the component or system failure was contained in cut sets which contribute some percentage to overall core melt. However, this does not tell you numerically how big a part was played by the failure of that component or system within the cut set. It is for this reason importance measures were developed, since an accident sequence does not comprise a series of overall system failures but rather a series of cut sets or failure paths of system components which lead to the plant damage state.

With both techniques, it is important to realize that the lack of appearance of particular systems or events may be due to deficient modelling and/or assumptions. As with other assessments, the issue of completeness contributes to uncertainty.
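The two measures described in Sections 4.1 and 4.2 can be put side by side on a small model. The Python below is an added example written for this page, not code from the report or from the Sandia analysis it describes; the basic event values, the sequence names (TC, TMLB, S2D) and their cut sets are constructed for illustration. It computes sequence frequencies under the rare-event approximation, truncates each sequence to its dominant cut sets with a contribution cutoff, and then reports for every basic event both the Section 4.1 share (fraction of core melt frequency from sequences containing the event) and the Fussell-Vesely importance. It also reproduces two effects that Appendix A notes for Surry and Peach Bottom: every element of a single-cut-set sequence receives the same importance, and a low-probability hardware failure ranks equal to a high-probability human error when they share that one cut set.

```python
"""Cut set evaluation (Section 4.1) and Fussell-Vesely importance (Section 4.2)
on a small constructed PRA model.  Added example; basic event values, sequence
names and cut sets below are invented for illustration, not taken from any PRA."""
from math import prod
from typing import Dict, FrozenSet, List, Tuple

CutSet = FrozenSet[str]
Model = Dict[str, List[CutSet]]

# Constructed data: initiator frequencies (per year) and conditional failure
# probabilities for the basic events.
BASIC_EVENTS: Dict[str, float] = {
    "T": 5.0,            # general transient initiator, /yr
    "T_LOSP": 0.1,       # loss of offsite power initiator, /yr
    "S2": 1e-3,          # small LOCA initiator, /yr
    "RPS_mech": 1e-5,    # mechanical failure of the reactor protection system
    "OPS_scram": 0.1,    # operator fails to scram manually (human error)
    "DG_fail": 1e-2,     # both diesel generators fail
    "AC_nonrec": 0.5,    # offsite AC power not recovered in time
    "AFW_tm": 2e-2,      # AFWS unavailable due to test and maintenance
    "HPI_hw": 2e-3,      # HPIS hardware failure
    "HPI_human": 3e-3,   # operator mis-aligns HPIS
    "CCW_hw": 1e-6,      # low-probability CCW hardware fault
}

# Constructed accident sequences, each given as its list of minimal cut sets.
SEQUENCES: Model = {
    "TC": [frozenset({"T", "RPS_mech", "OPS_scram"})],                  # ATWS, one cut set
    "TMLB": [frozenset({"T_LOSP", "DG_fail", "AC_nonrec", "AFW_tm"})],  # station blackout, one cut set
    "S2D": [frozenset({"S2", "HPI_hw"}),                                # small LOCA, HPI fails
            frozenset({"S2", "HPI_human"}),
            frozenset({"S2", "CCW_hw"})],
}


def cutset_prob(cs: CutSet) -> float:
    """Elements of a cut set contribute multiplicatively (independence assumed)."""
    return prod(BASIC_EVENTS[e] for e in cs)


def sequence_freq(cutsets: List[CutSet]) -> float:
    """Rare-event approximation: a sequence's frequency is the sum of its cut sets."""
    return sum(cutset_prob(cs) for cs in cutsets)


def dominant_cutsets(cutsets: List[CutSet], cutoff: float) -> List[CutSet]:
    """Keep only cut sets contributing at least `cutoff` (a fraction) of the
    sequence frequency; the rest fall below the prescribed contribution cutoff."""
    total = sequence_freq(cutsets)
    return [cs for cs in cutsets if cutset_prob(cs) >= cutoff * total]


def truncate_model(model: Model, cutoff: float) -> Model:
    return {name: dominant_cutsets(css, cutoff) for name, css in model.items()}


def core_melt_freq(model: Model) -> float:
    return sum(sequence_freq(css) for css in model.values())


def sequence_fraction(event: str, model: Model) -> float:
    """Section 4.1 measure: share of core melt frequency contributed by
    sequences whose dominant cut sets contain the event."""
    hit = sum(sequence_freq(css) for css in model.values()
              if any(event in cs for cs in css))
    return hit / core_melt_freq(model)


def fussell_vesely(event: str, model: Model) -> float:
    """Section 4.2 measure: probability that the event contributed to core melt,
    given core melt, i.e. the summed frequency of cut sets containing it over
    total core melt frequency."""
    contrib = sum(cutset_prob(cs) for css in model.values() for cs in css if event in cs)
    return contrib / core_melt_freq(model)


def importance_ranking(model: Model, cutoff: float = 0.01) -> List[Tuple[str, float]]:
    """Rank basic events by Fussell-Vesely importance after truncating each
    sequence to its dominant cut sets; ties are ordered by name."""
    trimmed = truncate_model(model, cutoff)
    events = {e for css in trimmed.values() for cs in css for e in cs}
    return sorted(((e, fussell_vesely(e, trimmed)) for e in events),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    trimmed = truncate_model(SEQUENCES, 0.01)
    print(f"core melt frequency (dominant cut sets): {core_melt_freq(trimmed):.3e} /yr")
    print(f"{'event':<10}{'seq. fraction':>15}{'Fussell-Vesely':>16}")
    for event, fv in importance_ranking(SEQUENCES):
        print(f"{event:<10}{sequence_fraction(event, trimmed):>15.3f}{fv:>16.3f}")
```

On this constructed model the four TMLB elements all receive the same importance because TMLB has a single cut set; RPS_mech and OPS_scram are likewise tied although their probabilities differ by four orders of magnitude. HPI_hw shows the distinction the text draws: the sequences containing it carry 25 percent of core melt frequency, but its Fussell-Vesely importance is only 10 percent because the other HPI cut set carries more of that sequence. CCW_hw drops out of the ranking entirely once the cutoff is applied, which is the "lack of appearance" caveat: an event absent from the results may simply have fallen below the truncation level.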


The analysis performed by Sandia National Laboratories under contract to RRAB examined 13 PRAs (15 plants) in order to rank basic events/component failures by their calculated measure of importance. Before discussing the results, a very important point concerning the use of importance measures is necessary. While a "system" may have the highest measure of importance and thus has the potential to yield the highest relative decrease in core melt frequency from an increase in availability, practically speaking, the achievability of that increase must be considered. A system with a high measure of importance may itself already have a high reliability. Further methods of increasing its reliability may introduce additional complexity and new failure modes (common cause failures, for example) so that the modifications may not introduce the expected reduction in core melt frequency and may therefore not be the most efficient allocation of resources to increase safety.

Keeping this in mind, it is still useful to examine the results of importance ranking and failure modes of systems in the dominant sequences as presented in the PRAs subjected to this type of analysis. This information is provided for each plant in Appendix A.


APPENDIX A

Plant Specific Importance Ranking Results

PLANT   VENDOR         STEAM GENERATOR LOOPS   CONTAINMENT           MWe RATING   PRA STUDY
Surry   Westinghouse   3                       Dry, Subatmospheric   775          RSS (WASH-1400)

Since detailed information on the dominant sequence cutsets was not published in WASH-1400, the events that were ranked are general in nature, i.e., system level terms.

With respect to core melt frequency, the initiating events, small and medium LOCA and loss of offsite power transients, are dominant along with six basic events which contribute more than 10 percent to core melt frequency. Small LOCAs are ranked first, followed by the High Pressure Injection System and Auxiliary Feedwater System. The HPIS failure is dominated by single and double hardware failures and AFWS failure is dominated by failures due to test and maintenance in the turbine driven train. Diesel failures (with non-recovery) are followed by human errors in aligning the Low and High Pressure Recirculation systems in importance.

Three sequences dominate risk (in this case defined by those sequences which result in releases in PWR categories 1, 2 and 3).


Event V, the interfacing systems LOCA, dominated by test and maintenance errors, is ranked first and is the most dominant basic event since it results in a release probability of 1 in category 2. Improved procedures and check valve testing capability have contributed to the reduction of the Event V sequence probability since the identification of this sequence. Event V is essentially a LOCA which bypasses containment, thus resulting in a release directly to the environment.

The second is Station Blackout (TMLB) which is dominated by the LOSP transient, failure of emergency AC power and non-recovery of offsite AC power. The importances of AFWS, Recovery and AC power are equal because sequence TMLB has only one cutset. The severity of the release is due to the fact that there are no heat removal or containment cooling systems available.

The third sequence is a small LOCA with failure of the Containment Spray Injection System, dominated by human error faults during test and maintenance. Its importance measure is less than one half of Event V, but it results in a category 3 release. The failure of CSIS results in insufficient water in the sump at the time the CSRS is initiated, thus the spray pumps would fail. With the sprays not available to provide overpressure protection, the containment fails and, in the case of Surry, the ECCS pumps no longer have adequate net positive suction head to continue operating. This is a sequence that is dependent on the containment and NPSH requirements of the ECCS pumps specific to a plant.


PLANT          VENDOR             CONTAINMENT   MWe RATING   PRA STUDY
Peach Bottom   General Electric   Mark I        1065         RSS (WASH-1400)

As with Surry, detailed cutsets were not presented in the Peach Bottom analysis in WASH-1400. The events ranked are on the system level.

Two sequences dominate both measures of importance, core melt frequency and risk (core melt with release); the remaining dominant sequences are all at least two orders of magnitude less than the frequencies of TW, failure of decay heat removal given a transient, and TC, the ATWS.

Failure of decay heat removal is dominated by failure of the Low Pressure

Though the initiating transients were combined in the modelling of transient sequences in the Peach Bottom analysis, by considering the fraction of transients with loss of offsite power assumed for this task, the transients without loss of offsite power were dominant with regard to core melt frequency (ranked higher than transients with LOSP).


TC, failure to achieve subcriticality following a transient event, is dominated by the human error of failure of the operator to manually scram upon failure of the Reactor Protection System and mechanical failure of RPS. Though the probability of the operator error is four orders of magnitude higher than failure of the RPS, they are ranked equally since both appear in only one cutset.


PLANT      VENDOR         STEAM GENERATOR LOOPS   CONTAINMENT     MWe RATING   PRA STUDY
Sequoyah   Westinghouse   4                       Ice Condenser   1148         RSSMAP

The Sequoyah study was first performed under RSSMAP and does not contain as much detail regarding cutsets as later RSSMAP studies. The LOCAs (small and medium) are among the most important basic events since all but one dominant sequence, Event V, are initiated by a LOCA. Thus, every cutset includes a LOCA initiator.

With regard to core melt frequency, sequences initiated by LOCAs followed by failure of ECCS recirculation, ECCS injection, and a common mode failure of recirculation including containment sprays are ranked in importance first, second and third respectively. Event V is last with regard to core melt frequency.

ECCS recirculation failure is dominated by two human errors: the operator fails to open valves in suction lines to Low Pressure Recirculation System pumps discharge (failure to realign correctly) and operator failure to realign LPRS and HPRS for hot leg injection after 24 hours. It is questionable whether the second operator error truly constitutes failure of recirculation. Hot leg injection is assumed to be needed within the first day following a cold leg break in order to flush the accumulation of boron residue and debris. Hot leg injection may not be needed for all small LOCA break sizes and there was no determination of the break size which necessitates this action. The remaining failure of HPRS is insufficient ventilation air to the charging pumps during recirculation.

Failure of ECCS injection following a LOCA is dominated by combinations of hardware failures in the charging lines or pumps of HPIS and hardware failures in safety injection lines or pumps of the HPIS.

The human error associated with the common mode failure of recirculation discussed in Section II is ranked equally with human errors on the basic event level. This common mode contributor to failure of ECCS recirculation and containment spray recirculation is caused by the failure to open the drains between the upper and lower containment compartments following maintenance and refueling operations. In this way, water collects in the upper compartment rather than flowing down to the containment sump, thus failing to provide coolant for recirculation and damaging ECCS and CSRS pumps by cavitation.

With regard to risk, both the LOCA followed by common mode failure of recirculation (SHF) and Event V (interfacing systems LOCA) were assigned to release category 2 with a probability of 1. Ranked in terms of basic events, the small LOCA is ranked first, followed by human error associated with common mode failure of upper compartment drain, and Event V.


Special administrative controls have been incorporated in the Technical Specifications for Sequoyah addressing the identified drain blockage problem, unique to ice condenser plants. Capability and a more strategic testing procedure for check valves in the pressure boundary have been instituted to address the interfacing systems LOCA event.


PLANT      VENDOR               STEAM GENERATOR LOOPS   CONTAINMENT   MWe RATING   PRA STUDY
Oconee 3   Babcock and Wilcox   2                       Dry           886          RSSMAP

Eight sequences are dominant with respect to core melt frequency. Transient initiated sequences dominate with frequencies which differ by small factors (2 or less). Three sequences initiated by small and medium LOCAs are in the same range.

At the system level, operator errors are ranked first with respect to core melt frequency. The four events are about equal in importance. These are:

(1) failure of Low Pressure Injection System due to test valves left incorrectly positioned,
(2) failure of operator to align HPRS to LPRS discharge for recirculation mode,
(3) failure of operator to open sump valves for recirculation mode, and
(4) failure of operator to initiate High Pressure Injection System following an ATWS event.


The human errors in aligning ECCS systems dominate because the next events in order of importance are transient initiators and event Q, Pressurizer Safety/Relief Valve (S/RV) fails to reclose. Thus two of the dominant sequences are transient induced LOCAs with event Q appearing in every cutset for these sequences. These events are followed by failure of the Low Pressure Service Water System (LPSW) due to hardware failures of the pump in each of two trains. Along with small LOCA and transient initiators, non-recovery of the Power Conversion System and failure of the Reactor Protection System follow, with importance measures very close together. Though the operator failing to initiate HPIS following mechanical failure of the RPS is ranked first with other human errors, the HPIS availability may be much lower following very high reactor coolant system pressures during an ATWS sequence. Though the HEP assigned to this manual action is high (about .1), it is also questionable that successful actuation would be possible or that subcriticality would be achieved in time to prevent plant damage. The remaining failures with lower importance ranking involve hardware failures in Low Pressure Injection System, Engineered Safeguards Actuation Devices System and ECCS and Containment Spray Recirculation which include the same hardware faults as those during the injection phase plus failure of the sump valves to open for the recirculation phase.

Recall that the human errors failing ECCS injection and recirculation are ranked the highest of basic events. This means that these systems are important, but treating the human as a system or a subsystem results in this failure mode (human error) being ranked first, even though the remainder of the system failure contributions are ranked much lower (hardware failures).


With respect to risk, most of the eight sequences still dominate with the addition of Event V, which becomes a dominant contributor to risk though it was not dominant to core melt. Also, the medium LOCA followed by failure of ECCS injection sequence is no longer dominant (with respect to risk).

Three additional points should be made.

(1) Reactor Coolant Pump seal failures were not included in this analysis. Were they to be considered, the frequency of small LOCAs could be greater than that assumed for this study. However, there could be additional recovery actions to be considered in a requantification of these small LOCA sequences.

(2) During the course of the study, the licensee modified the AFWS by removing the AC power dependency of the turbine driven pump. In addition, Oconee has a back-up system to the AFWS, the High Head Auxiliary Service Water System with a dedicated AC and DC power source independent of emergency AC power sources for other systems.

(3) For emergency AC power, Oconee can utilize either of two hydro generators. Oconee also has backup from one of two turbine generators which are available for long term operation. This contributes to the absence of a station blackout scenario as a dominant accident sequence in this analysis (i.e., the sequence contributed slightly less than 5% to overall core melt frequency). EFWS and HPI primarily fail due to hardware failures of the Low Pressure Service Water System, not loss of all AC power.


PLANT        VENDOR             CONTAINMENT   MWe RATING   PRA STUDY
Grand Gulf   General Electric   Mark III      1250         RSSMAP

Five sequences contribute 5% or more to overall core melt frequency, four transient initiated sequences and one LOCA initiated sequence. With respect to core melt frequency and risk (rankings are essentially the same), the system level terms are dominated by failure of the Standby Service Water System (SSWS), recovery actions by plant personnel, transient initiators and unrecovery of offsite power, and mechanical failure of the RPS. The remaining system terms are dominated by hardware failures, such as the case of the Residual Heat Removal System (RHRS). The SSWS supplies cooling to the RHRS heat exchangers. Four of the dominant sequences involve failure of the RHRS to remove heat from the suppression pool or the containment. (Recovery terms are expressed in a general nature: failure to correct test or maintenance faults or other corrective actions within 28-30 hours.) Inspection of the system level cutsets shows that SSWS failures are in most of the cutsets of these sequences, with only a few cutsets containing RHRS hardware failures. So the high importance of SSWS reflects the heavy dependence of RHRS success upon SSWS success. SSWS failure is dominated by valve and pump failures in both of the SSWS trains. Operator errors, test and maintenance faults, and hardware faults have been combined together in the definition of these events. Thus, the actual amount of importance due to human versus hardware faults cannot be determined by importance calculations.

For both events, failure of a safety/relief valve to reseat and mechanical failure of the RPS, failure probabilities were taken directly from WASH-1400.

For RHRS and the Reactor Core Isolation Cooling System (RCICS), failures are defined by general terms as combinations of control circuit, hardware and maintenance faults leading to system unavailability.

Emergency AC Power is dominated by failures of both diesel generators. It should be noted that the diesel generators for Grand Gulf are the subject of a Task Force investigating the reliability of diesel generators made by Transamerica Delaval, Inc. The conclusions of this Task Force could affect the assessment of emergency AC power availability for Grand Gulf. However, Grand Gulf has installed, in addition to the diesel generators, three gas turbines, where two of three provide adequate power for plant shutdown.


PLANT              VENDOR                   STEAM GENERATOR LOOPS   CONTAINMENT   MWe RATING   PRA STUDY
Calvert Cliffs 2   Combustion Engineering   2                       Dry           850          RSSMAP

Three sequences dominate the core melt frequency. All three sequences are transient initiated (as were all sequences discussed as dominant sequences in the PRA). Those transient initiated sequences with failure of all secondary cooling contribute over 90% to overall core melt frequency. The system level importance ranking results, not surprisingly, show that only three system level components are significant: the Auxiliary Feedwater System (AFWS), operator errors and the Power Conversion System. All other systems have a very small contribution to core melt frequency.

In many of the subevents of AFWS failure, the operator errors and hardware faults are combined into one unavailability, so it is not readily apparent in the importance results as to what amount is due to operator error and that which is due to hardware faults. However, the single most dominant subevent is operator failure to manually initiate AFWS. The remaining portion of the unavailability is due to failure of check valves, manual valves, control valves, motor operated valves and the AFWS turbine pump. However, as noted, a term for human error has been lumped with these unavailabilities to yield a single value.


Following these terms and unavailability of the PCS, with much smaller measures of contribution, are transient initiators and failure of emergency AC power due to both diesel generators failing from maintenance and start failures and a failure of a control valve in the Salt Water System, which provides jacket cooling to the diesels. The only other human error identified in event ranking is that of the operator failing to restore AFWS by opening manual bypass valves in the steam admission line (given that other failures have not made this action impossible or ineffective).

The same three sequences dominate risk with the addition of one other sequence. Hardware and operator faults in the AFWS still dominate all other events, with significant contribution to plant risk by the PCS faults. The inclusion of the fourth sequence, that in which failure of PCS and AFWS is followed by failure of the containment fans and sprays, accounts for a small but significant importance of the DC Power System. This fault is a miscalibration of the battery charger charging rate, which allows the batteries to degrade and fail when demanded. This fault is actually a human error, though it is modelled as a DC Power System fault. It is independent of all other system faults and operator actions.

This study was based on an AFWS which has since been upgraded. The original system was a manually operated two-train system. The upgraded system is an automatically initiated system with two steam driven pumps and one electric pump (there were only two steam driven pumps at the time of the study) with the option of valving in the motor-operated train of the AFWS of Unit 1 into the motor driven train of Unit 2 by operator action. It was estimated to reduce the overall core melt frequency by an order of magnitude. The Calvert Cliffs Unit 1 IREP study is expected to provide a more detailed, up-to-date assessment of the Calvert Cliffs Units, which are essentially identical.


Crystal River 3

PLANT VENDOR         STEAM GENERATOR LOOPS   CONTAINMENT   MWe RATING   PRA STUDY
Babcock and Wilcox   2                       Dry           906          IREP

Of the set of sequences designated as dominant in the Crystal River-3 (CR-3) study, only three contribute 5% or more to core melt frequency. Two are initiated by small LOCAs, and one is initiated by a loss of offsite power transient.

The system level importance ranking results for both core melt and risk show that small LOCAs are the most important initiating events, with operator errors dominating system failures with an importance measure equal to that of the small LOCA (see Section II.A, Human Error). The DC and emergency AC power systems have significant contribution, with hardware failure of the Emergency Feedwater System ranked last with a small importance measure.

The three dominant operator errors involve improper operator actions during switchover from injection to recirculation mode of emergency core cooling or during the recirculation phase. All actions which must take place to switch over to recirculation are manual actions, versus some plants where some valves receive automatic signals for change of state based on level indicators.

A relatively high probability of error is attached to the performance of actions under accident conditions and in consideration of the quality and clarity of emergency procedures. Specifically, the operator is subject to any of several errors:

(1) premature switchover, where the operator reconfigures for recirculation too soon, causing pump cavitation due to insufficient net positive suction head,

(2) after terminating the low pressure injection pumps (which initiate upon the same actuation signal that starts the high pressure pumps), the operator fails to reinitiate the low pressure pumps for recirculation, during which time the high pressure pumps take suction from the low pressure pumps' discharge, or

(3) the operator incorrectly reconfigures the systems for recirculation.

For emergency AC power, the individual diesel generator unavailabilities are the same. However, diesel generator B is dependent on the B battery in the DC system. The breaker connecting diesel train B to the bus would not close with failure of DC train B. In addition, the turbine driven emergency feedwater pump, which has a DC powered control valve, would also be rendered inoperable by failure of battery B. Thus, with failure of battery B plus simultaneous failure of diesel generator A, emergency cooling is dependent on the availability of emergency AC power from Crystal River fossil units 1 and 2. The loss of offsite power initiated sequence frequency would be higher without the two fossil units available at the site.

It should be noted that the frequency of small LOCAs did not include consideration of RCP seal failures, nor were they considered in the Station Blackout scenarios. These sequence frequencies could possibly be higher if the RCP seal failure contribution were included as an initiator or as a subsequent failure following loss of all AC power. However, some changes have occurred since the study, such as post-TMI staffing requirements and improved emergency procedures, which would affect the calculated human error probabilities.


Arkansas Nuclear One 1

PLANT VENDOR         STEAM GENERATOR LOOPS   CONTAINMENT   MWe RATING   PRA STUDY
Babcock and Wilcox   2                       Dry           820          IREP

Of the fourteen sequences designated as dominant in the ANO-1 study, nine sequences contributed 5% or more to overall core melt frequency. All of these ANO-1 sequences have frequencies fairly close in value to each other. Therefore, many system level terms have similar importance measures.

DC power is ranked highest among system level terms with the highest importance measure. Seven other system terms have relatively significant contributions.

The DC power system is a two division system with two normal battery chargers (one standby) and no ability to cross-tie DC buses. Cross-tied DC buses allow the transfer of bus faults, a common mode failure discussed in NUREG-0646, "A Probabilistic Safety Analysis of DC Power Supply Requirement for Nuclear Power Plants." DC power system failure is dominated by the single most dominant basic event, a common mode failure caused by human error during test and maintenance. Previous to the ANO-1 study, testing procedures allowed both batteries to be tested on the same day by the same personnel. As a result of the ANO-1 study, quarterly tests of the two station batteries are now required to be performed on a staggered basis, one battery every six weeks. In addition, the DC (and AC) switchgear room cooler actuation circuitry is now required to undergo a complete test. The previous test procedure omitted a portion of the circuitry. Another potential problem was identified concerning the actual energy capacity of the station batteries. The DC system is powered from the AC system through the battery chargers. Although the battery output voltage is monitored, it is not clear whether this reflects the discharge voltage of the battery itself or that which the charger is supplying. This monitoring may not adequately characterize battery status (see Section II, Summary Insights, (B) Support Systems).

Following a loss of offsite power transient in importance, and equal to the basic event Q, failure of pressurizer relief valves to reseat, is the transient initiator of a loss of a DC bus (see Section II, (B) and (C)). Failure of this bus results in multiple failures of accident mitigating systems:

(1) fails 2 of 3 High Pressure Injection System pumps,
(2) fails 2 of 4 Reactor Building Cooling System fans,
(3) fails 1 of 2 Emergency Feedwater System turbine pump flow control valves, and
(4) fails the EFS motor-driven pump.

The detailed modelling of the DC power system in the ANO-1 study resulted in the identification of the large importance of the DC power system as both an initiator and a contributor to accident sequences with regard to core melt.
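The ANO-1 finding above, that detailed modelling of DC power exposes it as a dominant contributor, comes down to what a shared support-system event does to the minimal cutsets of a sequence. The following Python example, added here and not taken from the report or from the ANO-1 IREP study, generates minimal cutsets from a small AND/OR fault tree in which one constructed event, DC_BUS_LOSS, feeds several front-line components (patterned on the four effects listed above), and compares the cutset orders with and without that event. The gate names, basic-event names and tree structure are all assumptions made for the illustration; no probabilities are used, only structure.

```python
"""Minimal cutsets of an AND/OR fault tree with a shared support-system event (constructed example)."""


def minimize(cutsets):
    """Drop every cutset that is a superset of another, leaving the minimal ones."""
    minimal = []
    for candidate in sorted(set(cutsets), key=len):
        if not any(kept <= candidate for kept in minimal):
            minimal.append(candidate)
    return minimal


def minimal_cutsets(tree, node):
    """Expand gate `node` top-down. Leaves are basic events (names not in `tree`);
    gates are ("AND", children) or ("OR", children). OR collects the children's
    cutsets, AND forms every union of one cutset per child."""
    if node not in tree:
        return [frozenset([node])]
    gate, children = tree[node]
    child_cutsets = [minimal_cutsets(tree, child) for child in children]
    if gate == "OR":
        combined = [cs for sets in child_cutsets for cs in sets]
    elif gate == "AND":
        combined = [frozenset()]
        for sets in child_cutsets:
            combined = [a | b for a in combined for b in sets]
    else:
        raise ValueError(f"unknown gate type {gate!r}")
    return minimize(combined)


def mitigation_tree(include_dc_bus):
    """Assumed structure (not the ANO-1 model): core melt if both the High Pressure
    Injection System and the Emergency Feedwater System fail. HPI fails only if all
    three pumps fail; EFW fails if the turbine-driven train (its pump, or both flow
    control valves) and the motor-driven pump fail. When modelled, DC_BUS_LOSS fails
    two HPI pumps, one turbine-pump flow control valve and the motor-driven pump."""
    dc = ["DC_BUS_LOSS"] if include_dc_bus else []
    return {
        "CORE_MELT": ("AND", ["HPI_FAILS", "EFW_FAILS"]),
        "HPI_FAILS": ("AND", ["HPI_P1_FAILS", "HPI_P2_FAILS", "HPI_P3_HW"]),
        "HPI_P1_FAILS": ("OR", ["HPI_P1_HW"] + dc),
        "HPI_P2_FAILS": ("OR", ["HPI_P2_HW"] + dc),
        "EFW_FAILS": ("AND", ["EFW_TD_FAILS", "EFW_MD_FAILS"]),
        "EFW_TD_FAILS": ("OR", ["EFW_TDP_HW", "EFW_FCV_BOTH_FAIL"]),
        "EFW_FCV_BOTH_FAIL": ("AND", ["EFW_FCV1_FAILS", "EFW_FCV2_HW"]),
        "EFW_FCV1_FAILS": ("OR", ["EFW_FCV1_HW"] + dc),
        "EFW_MD_FAILS": ("OR", ["EFW_MDP_HW"] + dc),
    }


def lowest_order(cutsets):
    """Smallest number of basic events that must fail together for the top event."""
    return min(len(cs) for cs in cutsets)


def cutsets_with(cutsets, event):
    """The minimal cutsets in which a given basic event appears."""
    return [cs for cs in cutsets if event in cs]


def compare_models():
    """Minimal cutsets of CORE_MELT with the DC bus modelled and with it left out."""
    with_dc = minimal_cutsets(mitigation_tree(True), "CORE_MELT")
    without_dc = minimal_cutsets(mitigation_tree(False), "CORE_MELT")
    return with_dc, without_dc


if __name__ == "__main__":
    with_dc, without_dc = compare_models()
    print("DC bus modelled: smallest cutset has", lowest_order(with_dc), "events")
    for cs in with_dc:
        print("  ", sorted(cs))
    print("DC bus ignored:  smallest cutset has", lowest_order(without_dc), "events")
    for cs in without_dc:
        print("  ", sorted(cs))
```

With the bus left out, the smallest cutset needs five independent hardware failures; with the bus modelled, two order-3 cutsets appear, each containing DC_BUS_LOSS. That collapse in cutset order, not any change in the front-line hardware data, is what lifts a support system to the top of an importance ranking.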

Following hardware failures in the EFS in importance are small LOCAs and operator errors. The reliability of the EFS affects the need for an operator action, failure of which is one of the dominant operator error terms. Because of the importance of the EFS in mitigating transients such as loss of all AC power and loss of AC or DC bus events, the licensee took actions to improve the EFS reliability by modifying the check valve configuration to the condensate storage tank and improved the starting procedure for the emergency diesel generator so that it can be manually started in the event of loss of DC power. These modifications were made for the interim period until the resolution of the generic program regarding modifications to upgrade Emergency Feedwater Systems. The improved reliability of the EFS would hopefully minimize the reliance on operator actions for certain sequences. In this case, the operator error is failure to provide heat removal upon failure of the EFS by initiating the HPI pump in the feed-and-bleed mode. This operator error probability was considered optimistic in the ANO-1 study due to the assumption of a longer time frame for the operator to successfully establish feed-and-bleed. Both sequence and core melt frequency are sensitive to this error and thus could likely be higher than those calculated in the study. In addition to other modifications for the interim, the licensee has implemented ATOG (Abnormal Transient Operating Guidelines) and modified the operator training program, which could aid in minimizing this human error. The only other dominant human error is failure of the operator to initiate HPI following failure of the Reactor Protection System. (See the discussion for Oconee 3 concerning the probability and effectiveness of this action.)

The small LOCA frequency is dominated by Reactor Coolant Pump Seal failures. However, there were six RCP seal failures at ANO-1 over a 34 year period which were not included in the RCP seal failure frequency in the IREP study. Since sequences involving small LOCAs are important contributors to core melt, the overall core melt frequency could potentially be higher than that calculated in the study. To improve RCP seal performance, the licensee initiated a RCP seal upgrade program that includes modifying internal parts and controlled bleed-off flow rate. This is also an interim measure pending the resolution and recommendations from Generic Issue 25, Reactor Coolant Pump Seal Failures. (See Section II, (C).)

The High Pressure Injection System and Reactor Building Spray Injection System follow in importance and share two basic events wherein pipe segment or valve faults result in failure of suction to the HPIS pumps and 1 of 2 RBSI pumps.

With regard to risk, the same basic elements dominate, with the replacement of the EFS as the highest ranking system. DC power no longer dominates due to the relatively low probability of severe release (Category 2) of the loss of offsite power initiated sequence with subsequent failure of DC power by the dominant common mode failure. This common mode failure term appears only in this sequence.


Browns Ferry 1

PLANT VENDOR         STEAM GENERATOR LOOPS   CONTAINMENT   MWe RATING   PRA STUDY
General Electric                             Mark I        1094         IREP

Due to the absence of sequence fault trees and cutsets in the Browns Ferry 1 (BF-1) study, meaningful importance ranking was difficult to perform. Minimal cutsets were derived from simplified sequence logic diagrams and system unavailability cutsets. The results of this importance ranking should be viewed with this severe limitation in mind. It is evident that two of the three sequences which dominate core melt frequency (and risk) are transient initiated with failures of the Residual Heat Removal System (RHRS). These two sequences account for over 80 percent of core melt frequency, yet the importance calculations performed on the derived minimal cutsets result in a suspiciously small importance measure. The three sequences are transient initiated, two by loss of the Power Conversion System (PCS), one by loss of offsite power.

The system level results show only two systems, along with the transient initiators, with significant importance: the Reactor Protection System (RPS) and emergency AC power. Failure of RPS consists of only one event, the frequency of failure to scram taken from NUREG-0460, "Anticipated Transients Without Scram For Light Water Reactors," following a loss of offsite power. The dominant fault of the emergency AC power system was taken from the discussion of the sequence initiated by loss of offsite power. This is a combination of three diesel generators failing; however, no description or quantification was given for this event.

Looking over the Boolean terms, it may be useful to note the failure modes of the RHRS. They are, in order of the attempted importance ranking:

Isolation Signal Faults - RHRS
Control Circuit Faults (no output) - RHRS
Reactor Core Isolation Cooling System Control Circuit faults
Failure of Inboard Torus Cooling Valves
Operator errors of failure to manually initiate Shutdown Cooling Mode of RHR
Residual Heat Removal Service Water System interface faults
Emergency Equipment Cooling Water System Motor Control Circuit faults

Millstone 1

PLANT VENDOR         STEAM GENERATOR LOOPS   CONTAINMENT   MWe RATING   PRA STUDY
General Electric                             Mark I        652          IREP

In the Millstone 1 study, loss of offsite power transient initiated sequences comprised 85% of overall core melt frequency, other transients 14% and LOCA initiated sequences comprised only 1%. Of the 11 sequences designated as dominant in the study, 8 contributed 5% or more to core melt frequency and an additional 3, just under the 3% cutoff, contributed to risk, so that 10 sequences were analyzed in the importance calculations.

Seven sequences dominated core melt frequency, with six of the seven initiated by loss of offsite power followed by failure to cool the core at high pressures. The other dominant sequence was initiated by loss of the Power Conversion System followed by a failure to scram.

The system level importance results are in agreement with the major engineering insights summarized in the PRA. The highest ranking event is obviously the loss of offsite power initiating event, followed by:

failure to recover offsite power within one-half hour
failure of emergency AC power systems
operator failure to manually depressurize the Reactor Coolant System
failure of a safety/relief valve to reclose
failure of the Isolation Condenser.

With progressively smaller importance measures are:

failure of Feedwater Coolant Injection System (FWCI)

Millstone's high pressure emergency cooling systems are highly dependent on the gas turbine emergency power source, which has a relatively low reliability. Since the Automatic Pressure Relief system is such that it is actuated only during a LOCA, for transient initiated events the operator must manually depressurize the RCS upon failure of the high pressure cooling systems to allow the low pressure systems to operate. It is noted in the PRA that the procedure is poorly written and confusing, thus a high failure probability was assumed for this task. This deficiency in the procedures was subsequently corrected.

Adding to the importance of emergency AC power is the dependency of the Low Pressure Coolant Injection System on both the diesel and gas turbine trains of emergency AC power. Also, the Isolation Condenser Make Up System is failed upon loss of the gas turbine generator, which in turn fails the Isolation Condenser. At the basic event level, emergency AC power is dominated by failure of the diesel generator and by several circuit breaker failures which prevent the loading of emergency AC loads onto the gas turbine buses.

In addition to contributions from hardware failures, actuation circuitry failures and a small contribution from test and maintenance errors by which pressure sensors fail the FWCI, Service Water System faults fail cooling to the FWCI pumps. Also, failure of the SWS heat exchangers fails cooling to the Diesel Generator.

One of the contributors to the station blackout scenarios was a pair of single failures in the loss of normal power (LNP) logic which caused the LNP signal to fail to reset after tripping key breakers, preventing the emergency generators from picking up emergency equipment loads. Subsequently, the licensee redesigned part of the LNP logic to eliminate the single failures. In addition, the AC dependency of the IC makeup valve was removed, thus removing this failure mode of the Isolation Condenser, and the licensee instituted procedural and equipment provisions for the operator to take manual control of the IC return valve to allow for recovery if its DC power source, Battery A, fails.

With regard to risk, the ATWS sequence has the highest importance, and two of the six LOSP initiated sequences resulted in a core melt at high RCS pressure and are dominant to risk. The Millstone PRA assigns a much higher probability of containment failure due to in-vessel steam explosions at low pressures than at high pressures. Therefore, low pressure sequences tend to dominate risk (which implies that the operator successfully depressurized the RCS) and emergency AC power is important due to the dependency of the LPCI on the diesel and gas turbine trains. However, for low pressure sequences, recovery of offsite power must take place in a period of 20 hours rather than the short time frame for high pressure sequences (about 1½ to 2 hours).


Big Rock Point

PLANT VENDOR         STEAM GENERATOR LOOPS   CONTAINMENT   MWe RATING   PRA STUDY
General Electric                             Pre-Mark      75           Independent, Consumers Power Company

Sequence fault trees and cutsets were not published in the Big Rock Point (BRP) PRA. Cutsets were developed for this analysis from descriptions of the dominant accident sequences and are of a very general nature. The cutsets are essentially at the event tree level (i.e., combinations of system failures not refined further to the component level).

Five sequences dominate core melt frequency. These sequences are initiated by a steam line break, interfacing systems LOCA, fire, loss of offsite power and loss of instrument air. The system level importance results are essentially the same as basic event importances. Only operator errors and fire events have more than one basic event.

The most dominant basic event is failure of a safety/relief valve to reseat. This is followed by fire and operator error. Fire in the Cable Penetration Area (inside containment), which affects all safety system cables, is the initiating event, with the only subsequent failure being that the fire is not suppressed manually.

The dominant operator error is the failure to send someone into the containment to open a valve which is part of the fire protection system but is being used to supply makeup water to the emergency condenser. If someone is sent in, there is still a probability of the valve not opening, reflected by the importance value of this valve, which enables successful operation of the emergency condenser. The other operator error is failure of the operator to switch the demineralized water pump over to emergency AC power after loss of offsite power or loss of instrument air.

The remaining events of significance are not discussed or quantified in the PRA; however, some are listed below:

Interfacing System LOCA due to failure of a single valve isolation line in recirculation and shutdown cooling system
Failure of operator to manually close main steam isolation valve
Loss of and failure to restore instrument air
Failure of Post Incident System in the event of an Interfacing Systems LOCA below the core due to valves being in the wrong position.

With regard to risk, most events are less important to risk than core melt due to the large fraction of release category probabilities in low risk release categories. Only the fire events have a high probability for release in category 3. (Release categories were redefined in the BRP study due to the uniqueness of the plant in consideration of its size and location.) There is essentially negligible risk associated with the BRP sequences. As a result of the PRA, the licensee did, however, make modifications to reduce the probability of core melt and plant damage:

(1) Remotely operated fire water supply valve to the emergency condenser,
(2) Post-Incident System modifications such that the eight manual valves can only be locked in the correct position,
(3) Early Enclosure Spray: elimination of a 15 minute delay so that enclosure spray can automatically actuate during a safety valve opening event or steam line break in containment to avoid degradation of essential equipment due to excessive temperature,
(4) Procedure changes to permit High Pressure Recycle using the main feedwater system, which will lessen the dependence on the RDS, and
(5) Additional isolation valves on the Primary Coolant System.

Zion 1 and 2

PLANT VENDOR         STEAM GENERATOR LOOPS   CONTAINMENT   MWe RATING   PRA STUDY
Westinghouse         4                       Dry           1100         Independent, for Commonwealth Edison by Pickard, Lowe & Garrick, Inc.

Sequence fault trees or cutsets were not published in the Zion PRA, so the information used for this importance ranking task was derived from sequence definitions and system descriptions. There were a large number of dominant sequences for Zion with frequencies very close together and, with the exception of one sequence, these frequencies are all below 10.s. Since only 4 sequences contributed 5% or more to core melt, this cut-off probability excluded many sequences from the importance analysis, so the cumulative effect of many lower frequency sequences is not reflected in this analysis. One other point of difference in this PRA is the study's contention that the containment will not fail following every core melt. Therefore, these four sequences dominate core melt frequency for this analysis, but only 1 of the 4 dominates core melt with release, or risk.

Three sequences are LOCA initiated (small, medium and large) followed by failure of recirculation cooling. The fourth is initiated by a seismic event which induces loss of all AC power. Only this sequence results in containment failure and a release.

With respect to core melt, system level results are dominated by operator error, the small LOCA initiator, the Residual Heat Removal System and the seismic event. With progressively smaller importance measures are the medium and large LOCA initiators, combinations of hardware failures and trains or pumps out for maintenance for the Charging Pumps and Safety Injection Pumps, and Containment Sump blockage.

The two dominant human errors are failure of the operator to manually switch over to recirculation at the proper time or to stop the Refueling Water Storage Tank (RWST) Pump at Low-Low level, given a medium or large LOCA. The short time frame for the medium and large LOCA creates a more stressful environment for the operator, thus having a higher failure probability. However, the frequencies of medium and large LOCAs are one and two orders of magnitude smaller, respectively, than that for small LOCAs.

The dominant failure modes of the RHRS are somewhat vaguely defined in the Zion study, but basically involve combinations of an RHR Pump under maintenance with hardware failures of both trains of RHR so that pumps or motor-operated valves fail on demand.

The seismic event dominates core melt and risk and contains only two elements, the seismic event initiator and loss of all AC power. However, looking at the seismic core melt fault tree branch expansion, a Reactor Coolant Pump Seal failure will follow due to loss of service water components through failure of the pumps (directly, or "indirectly" by collapse of the Crib House pump enclosure roof or unavailability of the water supply from the seismic event). Similarly for diesel generator failure, the failures can be direct, loss of DC start power, or "indirectly" by Auxiliary Building concrete Shear Wall failure. Direct failures and Auxiliary Building Shear Wall failures contribute to failure of onsite AC power cables. It should be noted that the single failure of the Auxiliary Building Concrete Shear Wall fails both onsite AC power cables and offsite AC power cables.

RCP seal failures were not included in the small LOCA data base, though it was a contention of the study that the high frequency assumed for small LOCA initiators (3.5 x 10.a/reactor year) implicitly accounted for this concern. Event V, the interfacing systems LOCA, was recognized as a contributor to risk due to the potential of a large release outside of containment. The licensee did institute strategic check valve testing during the course of the study.

Indian Point 2

PLANT VENDOR         STEAM GENERATOR LOOPS   CONTAINMENT   MWe RATING   PRA STUDY
Westinghouse         4                       Dry           873          Independent, for Power Authority of New York and Consolidated Edison by PL&G, Inc.

Sequence fault trees and cutsets were not published in the Indian Point 2 (IP2) PRA. Basic events were developed from sequence definitions and system descriptions.

Core Melt with Release is dominated by external events. The sequences are a seismic event resulting in loss of AC power, fire in the electrical tunnel or switchgear room, and loss of all AC power due to hurricane winds. The fire and seismic initiated events are of approximately equal importance. Since the values of basic events in these sequences were not included in the PRA, they were modelled as one-event sequences for this analysis. However, some subsequent failures and failure modes were discussed.

The primary hazards in the seismic and hurricane events are loss of offsite power due to the intensity of the event and loss of control and/or auxiliary AC power. Loss of control power may occur due to the failure of panels in the ceiling of the control room during a seismic event, which incapacitates the operators or the control room itself. Loss of onsite AC power can result from severe winds stripping away the sheet metal building cover, thus exposing the diesel generators.

It was recognized that a fire in any of three locations (the Auxiliary Building end of the electrical tunnel, the Control Building end of the tunnel, or the switchgear room) not only fails control power, but could also fail power to the Charging Pumps, Containment Spray Pumps, Auxiliary Feedwater System, Safety Injection Pumps and Component Cooling Water pumps. It was recognized that a fire of this kind results in a small LOCA due to reactor coolant pump seal failures and subsequent core melt due to the loss of high pressure safety injection.

The same sequences, along with another fire initiated sequence and a loss of offsite power initiated sequence, dominate core melt frequency:

Fire in the electrical tunnel right stack, which would result in core melt due to RCP seal failure LOCA, determined in the study to result in no release to the environment due to the availability of containment cooling, and

Loss of offsite power and failure of emergency AC power. However, a gas turbine generator is available and can be started within hour, thus providing power to containment cooling systems. The study concluded that core melt would occur but with no release to the environment.

Containment integrity was enhanced by features such as the large volume, high failure pressure, and the makeup of the containment material (a basaltic concrete basemat, which releases less gas upon contact with molten fuel than the more common limestone concrete and thus leads to lower post-meltdown containment pressure).

. - l Indian Point 3 8

STEAM '

PLANT GENERATOR MWe PRA VENDOR LOOPS CONTAINMENT RATING STUDY Westinghouse 4 Dry 965 Independent for Power

, Authority of New York and Consolidated Edison by PL&G, Inc.

Only one sequence was determined to be important to core melt with release. Similar to the fire sequence for Indian Point 2, this sequence is initiated by a fire in either the switchgear room or the cable spreading room. These initiators can result in a failure of power to the Charging Pumps, the Containment Spray Pumps, the Component Cooling Pumps and the Safety Injection Pumps. A small LOCA in the reactor coolant pump seals would result, and the loss of the containment sprays and fans would result in containment failure. This sequence dominates risk with a probability of 1 in PWR release category 2.

Three additional sequences contributed over 5% to core melt frequency but were determined to result in no release to the environment. These sequences are initiated by LOCAs (small, medium and large) followed by failure of recirculation core cooling, either in the low pressure or high pressure mode. The Recirculation System is described as one system in the IP3 study, so no division of basic events into Low Pressure or High Pressure systems was made.

The small LOCA is ranked first of the basic events. The Recirculation System failure is dominated by a term defined as failure of all three Safety Injection pumps, followed by a term which was a factor calculated to account for undetermined unavailability of all SI pumps and motor-operated valves due to errors in design, installation, or manufacturing. These are followed by terms with much smaller importance measures, most involving hardware failure of recirculation pumps and operator error in switching or failure to switch to the Residual Heat Removal pumps.

Fire in the switchgear room or tunnel entrance of the cable room is followed by operator error. The operator error term is dominated by failure to initiate switchover to recirculation mode following a LOCA.

Interfacing Systems LOCA in the RHR suction line was identified as important to risk.


PLANT      STEAM GENERATOR    LOOPS   CONTAINMENT   MWe      PRA
           VENDOR                                   RATING   STUDY
Limerick   General Electric   -       Mark II       1055     Independent, by GE and SAI, Inc. for Philadelphia Electric Company

This analysis was based on an early version of the Limerick PRA study.

Limitations in the content and format of this study resulted in the derived cutsets and events being of a very general nature, with a virtual one to one correlation between event tree terms, system terms and basic events. There was no sequence by sequence description, and the quantification of the events on the event tree was not shown. In addition, the frequency of each accident sequence was divided among several containment failure modes specific to the Limerick study. There was an attempt, though, to correlate these categories to WASH-1400 BWR release categories.

Three sequences contributed 5% or more to overall core melt frequency. With respect to core melt and risk, they are ranked in the same order as are the system level terms. All three are transient initiated sequences. The first is a loss of offsite power transient, the second a transient involving main steam isolation valve closure and the third is a turbine trip. Loss of offsite power is followed by failure of High and Low Pressure Injection Systems. MSIV closure is followed by loss of the Feedwater System or the Condenser and failure of HPIS and the Automatic Depressurization System. The turbine trip is followed by failure of the FWS, the HPIS and the ADS.

Failure of HPIS is ranked first, defined only by failure of the High Pressure Coolant Injection System or failure of the Reactor Core Isolation Cooling System. These are followed by the loss of offsite power transient, Low Pressure Emergency Core Cooling System availability, Feedwater recovery, timely actuation of the ADS, MSIV closure and subsequent feedwater loss, and the turbine trip. All of the systems (and basic events) identified have significant contributions to core melt. However, no further system or event importance insights could be derived, and no quantification or description of system failures was given.

However, during the course of the Limerick PRA, a number of design and procedural weaknesses were identified and the applicant has taken steps to implement the following:

    Alternate 3A ATWS fixes (includes alternate rod insertion, recirculation pump trip, feedwater runback, scram volume instrumentation, MSIV isolation setpoint change and automatic Standby Liquid Control System along with the installation of a 3rd SLC pump),

    Modifications to the ADS air supply system (added redundant solenoids),

    Modifications to the RHR System (added crossover valves for the Service Water System), and

    Procedural changes to achieve an alternate method of room cooling for the HPCI and RCIC pump rooms.


Appendix B - Discussions of Selected Topics - Insights Gained From PRA Results

B.1 Human Error

An area which is sensitive to the structure of the analysis, to both the assumptions of the study and the bias of the analyst, is human error. It has been playing an increasingly large role in risk assessment, especially in the years following the accident at Three Mile Island 2.

It has been necessary at the same time to focus research on the techniques of quantification of human error probabilities. The work done for NRC by Sandia Laboratories (Handbook of Human Reliability Analysis With Emphasis on Nuclear Power Plant Applications, by A. D. Swain and H. E. Guttmann, NUREG/CR-1278) provides a much needed methodology for quantifying human error. However, there is still a great deal of subjectivity in the inclusion of the human in a system model and the calculated probability of error, and research is continuing with the purpose of improving the methodology of calculating human error contribution to accident sequences. For example, the treatment of human error in the Crystal River 3 Safety Study results in operator error being the dominant failure mode of the safety injection systems. A relatively high probability of error is attached to the performance of actions under accident conditions. Specifically, the operator is subject to any of several errors in the manual switchover from the injection phase to the recirculation phase and during the phases themselves:

    Premature Switchover - the operator reconfigures for recirculation too soon, causing pump cavitation due to insufficient net positive suction head.

    After terminating injection pumps, the operator fails to manually reinitiate injection when required.

    The operator incorrectly reconfigures the system for recirculation. (See discussion of Crystal River-3 Importance Ranking.)

Since these particular operator errors appear in many PRAs of plants with manual switchover, improved training and procedures, which were instituted for CR-3 operators, and automatic switchover from injection to recirculation are being considered in Generic Issue 24 - Automatic Emergency Core Cooling System Switch to Recirculation.

However, the rise to dominance of sequences involving the failure of emergency core cooling systems due to operator error is not the only impact of the estimated high probability of human error. As implied by their designation, "dominant" accident sequences are those with probabilities of occurrence which are above those of other sequences. Sometimes the difference is great and the cut-off probability value is clear. In other cases, the dominant sequences cumulatively dominate the total probability of core melt, but the difference between particular "dominant" sequences and other sequences can be small. In this case, the ECCS failure sequences are, for the most part, driven to dominance by the operator error contribution. It is therefore important to realize that the appearance of other sequences as dominant may be suppressed largely because of the assumption and calculation of the probability of human error. Investigation through sensitivity and uncertainty analyses may be particularly important in cases such as this.
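To make the sensitivity point concrete, here is an added worked example, written for this page and not taken from the report or from any of the PRAs it reviews. It ranks a few accident sequences from their cutsets and shows how one human error probability, the manual switchover error, decides which sequence appears dominant. The sequence names, basic event names and all numerical values are constructed for illustration; the Fussell-Vesely measure computed below is the share of total core melt frequency carried by cutsets containing the event.

```python
"""HEP sensitivity on dominant-sequence ranking (constructed illustration)."""
from typing import Dict, List, Tuple

Cutset = Tuple[str, ...]

# Constructed basic-event values: initiating event frequencies (per reactor
# year) and failure probabilities on demand.  None of these numbers come
# from the PRAs discussed in the report.
BASE_PROBS: Dict[str, float] = {
    "SMALL_LOCA": 2.0e-2,
    "LOOP": 1.0e-1,
    "TRANSIENT": 3.0,
    "HEP_SWITCHOVER": 1.0e-2,  # operator fails manual injection-to-recirculation switchover
    "SI_PUMPS_CCF": 5.0e-4,    # common cause failure of the safety injection pumps
    "DG_A": 3.0e-2,
    "DG_B": 3.0e-2,
    "EFW_FAILS": 1.0e-4,
    "FEED_BLEED_HEP": 1.0e-1,  # operator fails to establish feed-and-bleed
}

# Accident sequences as lists of minimal cutsets; every event in a cutset
# must occur for that cutset to contribute.  Constructed, not from any PRA.
SEQUENCES: Dict[str, List[Cutset]] = {
    "small LOCA / recirculation fails": [
        ("SMALL_LOCA", "HEP_SWITCHOVER"),
        ("SMALL_LOCA", "SI_PUMPS_CCF"),
    ],
    "LOOP / both diesels fail": [("LOOP", "DG_A", "DG_B")],
    "transient / EFW and feed-and-bleed fail": [
        ("TRANSIENT", "EFW_FAILS", "FEED_BLEED_HEP"),
    ],
}


def cutset_frequency(cutset: Cutset, probs: Dict[str, float]) -> float:
    """Product of the basic-event values in one cutset (events assumed independent)."""
    f = 1.0
    for event in cutset:
        f *= probs[event]
    return f


def sequence_frequencies(probs: Dict[str, float]) -> Dict[str, float]:
    """Rare-event approximation: a sequence's frequency is the sum of its cutsets."""
    return {name: sum(cutset_frequency(c, probs) for c in cutsets)
            for name, cutsets in SEQUENCES.items()}


def total_core_melt_frequency(probs: Dict[str, float]) -> float:
    return sum(sequence_frequencies(probs).values())


def ranked_sequences(probs: Dict[str, float]) -> List[str]:
    """Sequence names ordered from largest to smallest contribution."""
    freqs = sequence_frequencies(probs)
    return sorted(freqs, key=freqs.get, reverse=True)


def fussell_vesely(event: str, probs: Dict[str, float]) -> float:
    """Fraction of total core melt frequency coming from cutsets that contain `event`."""
    with_event = sum(cutset_frequency(c, probs)
                     for cutsets in SEQUENCES.values() for c in cutsets if event in c)
    return with_event / total_core_melt_frequency(probs)


def with_hep(value: float, event: str = "HEP_SWITCHOVER") -> Dict[str, float]:
    """Copy of the base case with one human error probability replaced."""
    probs = dict(BASE_PROBS)
    probs[event] = value
    return probs


if __name__ == "__main__":
    # Sweep the switchover HEP by a factor of ten and watch the ranking change.
    for hep in (1.0e-2, 1.0e-3):
        p = with_hep(hep)
        print(f"HEP={hep:.0e}: total={total_core_melt_frequency(p):.2e}, "
              f"ranking={ranked_sequences(p)}, "
              f"FV(HEP_SWITCHOVER)={fussell_vesely('HEP_SWITCHOVER', p):.2f}")
```

Run as a script, the block prints the ranking for a switchover HEP of 1E-2 and of 1E-3. The small LOCA sequence leads only while the operator error sits an order of magnitude above the common cause failure it competes with; once the HEP is lowered, the loss of offsite power sequence is the dominant one, which is the suppression effect the paragraph describes and the reason a sensitivity study on the HEPs belongs in the review of any importance ranking.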

For the reference PWR in WASH-1400, Surry, and a few others, the human error contributions were principally in the areas of test and maintenance activities and common cause failures. The test and maintenance contributions included actual downtime and components left in the incorrect position following test or maintenance. The common cause failures were often associated with incorrect calibrations performed on similar components. These contributions highlight the need for explicit procedures and independent checks. The common mode contribution from operator error in the control room was also included, but with a lower estimated probability. There has since been work to support an increase in the probability of human error in the control room when taking into account the quality of emergency procedures and the stressful environment of accident conditions. Emergency Procedure Guidelines (EPGs) should be of substantial value in this area.

As a result of the Sequoyah risk assessment performed as part of RSSMAP, a vulnerability which can be induced by human error and is particular to the design (ice condenser containment) was identified. It is a common mode failure which results in the failure of the Emergency Core Cooling Recirculation System (ECCS) and the Containment Spray Recirculation System (CSS). Between the upper and lower containment compartments are two drains which are closed during refueling. If these drains are inadvertently left closed or become clogged, water that has been sprayed into the upper compartment will be prevented from returning to the sump. Eventually all the water would be transferred to the upper compartment, thus emptying the sump. In the recirculation phase both the ECCS and the CSS take suction from the sump and would, therefore, be failed when the switchover occurs. This failure mode results in dominant accident sequences accounting for 70% of the total probability of release in category 2 and 10% of the category 3 probability of release. These sequences point out the need for stringent checking procedures and fault detection capabilities. The need for strategic testing procedures is indicated by the fact that the Interfacing Systems LOCA (check valve failures causing the high pressure primary coolant to fail the low pressure piping outside containment) remains an important sequence for Sequoyah as well as other plants. The emphasis given failure modes resulting from test and maintenance actions and procedures is evident in the number of sequences and release categories dominated by these failure modes.

The ability of the operator to recover and correct events leading to an accident sequence is another controversial and evolving part of the analysis of the role of the human in accident sequences. These activities range from the operator establishing the feed-and-bleed mode of high pressure injection to the operator manually opening valves or, upon observation of parameters displayed in the control room, manually actuating a system or component that was supposed to have received a signal for automatic actuation. This is illustrated in the ANO-1 IREP study, where the probability of the operator establishing feed-and-bleed within 20 minutes (for a Babcock and Wilcox plant) of the transient initiating event and failure of the Emergency Feedwater System was optimistic in light of other human error probability (HEP) analyses for this action. The overall core melt probability was found to be sensitive to the values assumed for this and other HEPs, which implies the possibility of certain sequences and overall core melt frequency being greater due to the uncertainty in assessing operator error probabilities. Improving the reliability of the EFW system, automating the high pressure recirculation system, or improving operator training are potential ways of minimizing the HEPs in dominant accident sequences and thus reducing overall core melt frequency.

The treatment of human error was a point of discussion in the WASH-1400 and other PRA critiques and, as has been mentioned, techniques to quantify human error probability are still being refined. However, the assessments of human error contribution in these studies do point out the effect of assumptions and perceptions on the failure modes which dominate accident sequences.


B.2 Support Systems

An area that is investigated as part of determining failure modes for hardware components is that of dependency, especially undesirable dependency of redundant components on a common support system. A prime example is the dependency identified in the Crystal River 3 Safety Study: the AC power dependency of the two emergency feedwater pumps via their cooling medium, the Nuclear Services Closed Cycle Cooling System. Once recognized, Florida Power Corporation proposed self-cooling designs for each pump to eliminate this dependency. This AC dependency through various support systems was found in other plants as well. The discovery of specific, not readily apparent hardware faults (system failures induced by support system faults, for example) through rigorous risk assessment techniques (fault trees, FMEAs, etc.) is one of the primary objectives of a risk assessment. Obviously, there is a trade-off between resources and time and the rigor of the risk assessment methodology which must enter into the selection of the type of risk assessment to be performed, in general. This issue is addressed in Insights Into PRA Methodologies, Section III.

It has been found that another support electric power system, normal and emergency DC power, has the potential of significantly contributing to accident sequences leading to core melt.


In assessing the contribution of DC Power System failures to the core melt frequency or potential risk of nuclear power plants, several elements must be considered. Considering the DC power system alone, it is clear that the system function is of high importance. Since most plants rely heavily on DC power for plant instrumentation and control during normal operation, a failure in the DC power system would create an unstable condition, thus potentially becoming an accident initiating event. In accident conditions initiated by another event, subsequent DC power failures can affect the progression, timing, and severity of an accident.

The treatment of DC power systems in PRAs has varied widely, from very poor and cursory to much more detailed and thorough. Thus, the validity of conclusions drawn from the presentation of only numerical results would be highly questionable. Specific examples of DC power system treatment in some PRAs may provide a context for any numerical importance results and illustrate the effects that assumptions, methodology and review may have on the depiction of the DC power system importance.

For example, the original Zion Safety Study analyzed the DC power system, which has two divisions per unit in addition to a fifth diesel generator, battery, and emergency DC bus which are shared by the two units. A loss of DC bus initiated sequence was modelled and quantified in the PRA. It was not found to be a significant contributor (thus the cutsets of this sequence would not be considered "dominant" cutsets). Upon review, a DC dependency of the PORVs was identified which would then constitute part of a sequence which contributed ~14% to the estimated overall core melt frequency. Upon further review and analysis, it was found that appropriate operator recovery actions could reduce this contribution to about 2%. It should be noted that the Zion Safety Study DC power system modelling did not contain consideration of failures due to common cause or human error. Therefore, while the examination of PRA results in this report does provide us with insights, it is possible that many PRAs have understated the relative importance of DC power. Because of the intrinsic importance of electrical power to plant safety functions, these uncertainties should be considered in evaluating results.

Keeping this in mind, it may still prove helpful to examine the results of importance ranking and failure modes of the DC power system as presented in the PRAs analyzed. Of the 15 PRAs, only a few plants contained DC power in the importance rankings. At this point, it does not appear that the absence of DC power in the rankings indicates negligible importance of DC power systems, but rather indicates that closer attention should be given to modelling of DC power and the effects of DC Power System faults.


The ANO-1 study, in our judgement, contains a more thorough and careful analysis of DC power than previous risk assessments. The system consists of two divisions with two normal battery chargers (one standby) and no ability to cross-tie DC buses.* For ANO-1, the rank of the importance measure of the DC power system reflects the high contribution of cutsets containing DC power failures. The DC failure elements of the dominant cutsets were combinations of local faults of DC buses and batteries, but were dominated by a common mode failure of both station batteries. However, in the ANO-1 report, failure of a single DC bus, treated as an accident initiator, was identified as important since this can cause a reactor trip initiating event with concomitant failure of several safety system trains.

Results in NUREG-0666, "A Probabilistic Safety Analysis of DC Power Supply Requirements for Nuclear Power Plants", indicated that one of the potential causes for failure of multiple station batteries was a common mode test and maintenance error. This possibility was found to exist at the ANO-1 plant and, as a result of the ANO-1 IREP study, quarterly tests of the two station batteries are now required to be performed on a staggered basis, i.e., one battery every six weeks. (See ANO-1 Importance Ranking.) Previously, the procedure allowed both batteries to be tested on the same day by the same personnel. In addition, AC and DC switchgear room cooler actuation circuitry are now required to undergo a complete test. The previous test procedure omitted a portion of the circuitry. Another potential problem was identified concerning the actual energy capacity of the station batteries. Normally, the DC system is powered from the AC system through the battery chargers. Unless the AC supply is interrupted, the capacity of the batteries is ambiguous. Although the battery output voltage is monitored, it is not clear whether this reflects the discharge voltage of the battery itself or that which the charger is supplying. This monitoring may not adequately characterize battery status.

* Cross-tied DC buses which allow transferring bus faults was a common mode failure discussed in NUREG-0666. The reduced ability to cross-tie buses is also true for Zion, where interlocks minimize the likelihood of this occurrence.

The Crystal River-3 (CR-3) Safety Study analysis considered DC power only in the context of a failure event subsequent to loss of AC power (offsite). The DC power system is a two train system with two normal battery chargers (one standby). Though many areas of potential degradation or failure were noted, they were not modelled and quantified due to the assumption that an operating system is constantly monitored and failures would be detected quickly. Potential degradation or failure could occur in various ways:

    Work on a charger requires that it be disconnected from the DC bus. Maintenance personnel may leave the switch, which disconnects the charger from the bus, in the "off" position. However, when maintenance is being performed on a charger, the spare charger is switched on line. After work is completed, the original charger might not be placed back on line even though the spare charger has been disconnected. This condition can be discovered during the daily check of charging voltage. During the time a battery is not on float charge, loads will be supplied by the battery itself, causing degradation in battery capability.

    Batteries are housed in rooms requiring ventilation. Loss of ventilation can cause batteries to fail or degrade, and possibly a significant (explosive) mixture of hydrogen can develop if charging continues after loss of ventilation.

    During equalizing charge, excess voltage may be applied and possibly severely damage the battery.

    During tests for grounds, all or part of the battery may be taken off line (momentarily).

    Cells may be jumpered for test or maintenance and jumpers may not be removed, which could degrade battery capability.

These and any other common mode or human error failures were not explicitly modelled in the DC power system analysis, nor was the ability to cross-tie buses addressed.

Realizing that the role of DC power may have been understated in the modelling, the importance measure for DC power at CR-3 was ranked fifth of six events. This is due entirely to the identification of a DC power dependency involved in a dominant sequence which contributed ~15% to the estimated core melt frequency. The sequence is initiated by a loss of offsite power (with no recovery modelled). In the sequence cutset, the CR-3 DC power system is completely characterized by battery B. Failure of battery B fails both the B diesel generator (the breaker connecting the bus fails to close) and the turbine driven emergency feedwater pump. With simultaneous failure of diesel A, emergency cooling is lost, even with the availability of emergency AC power from the Crystal River Fossil Units 1 and 2 at the site.
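The CR-3 cutset above is a good place to show how a fault-tree expansion exposes a support system dependency that a cursory model hides, which is the mechanism this section (and the initiating-event discussion in B.3) keeps returning to. The following is an added example written for this page; it is not code from the CR-3 Safety Study or from any PRA. The gate structure, event names and probabilities are constructed, and the plant arrangement (two motor-driven and one turbine-driven emergency feedwater pump, with battery B serving both the DG B output breaker and the turbine-driven pump's controls) is an assumed simplification of the dependency the text describes. The same tree is solved once with the DC dependency modelled and once without it.

```python
"""Finding a hidden support-system dependency with minimal cutsets (constructed illustration)."""
from itertools import product
from typing import Dict, FrozenSet, List, Set, Tuple

Cutset = FrozenSet[str]
# Gate table: gate name -> ("AND" | "OR", children).  Names absent from the
# table are basic events.
FaultTree = Dict[str, Tuple[str, List[str]]]

# Constructed failure probabilities on demand, given loss of offsite power.
PROBS: Dict[str, float] = {
    "DG_A_FAILS": 3.0e-2,
    "DG_B_FAILS": 3.0e-2,
    "MDP_A_LOCAL": 5.0e-3,    # motor-driven EFW pump A, local fault
    "MDP_B_LOCAL": 5.0e-3,    # motor-driven EFW pump B, local fault
    "TDP_LOCAL": 2.0e-2,      # turbine-driven EFW pump, local fault
    "BATTERY_B_FAILS": 1.0e-3,
}

# Model as the review would build it: battery B supplies the DG B breaker
# control and the turbine-driven pump's controls, so one DC failure removes
# two of the three emergency feedwater pumps.  (Assumed arrangement.)
TREE_WITH_DEPENDENCY: FaultTree = {
    "EFW_LOST": ("AND", ["MDP_A_FAILS", "MDP_B_FAILS", "TDP_FAILS"]),
    "MDP_A_FAILS": ("OR", ["MDP_A_LOCAL", "DG_A_FAILS"]),
    "MDP_B_FAILS": ("OR", ["MDP_B_LOCAL", "AC_BUS_B_LOST"]),
    "AC_BUS_B_LOST": ("OR", ["DG_B_FAILS", "BATTERY_B_FAILS"]),
    "TDP_FAILS": ("OR", ["TDP_LOCAL", "BATTERY_B_FAILS"]),
}

# The same plant with the DC dependency left out, as a cursory model would do.
TREE_WITHOUT_DEPENDENCY: FaultTree = {
    "EFW_LOST": ("AND", ["MDP_A_FAILS", "MDP_B_FAILS", "TDP_FAILS"]),
    "MDP_A_FAILS": ("OR", ["MDP_A_LOCAL", "DG_A_FAILS"]),
    "MDP_B_FAILS": ("OR", ["MDP_B_LOCAL", "DG_B_FAILS"]),
    "TDP_FAILS": ("OR", ["TDP_LOCAL"]),
}


def _minimize(cutsets: Set[Cutset]) -> Set[Cutset]:
    """Drop every cutset that is a strict superset of another (Boolean absorption)."""
    return {c for c in cutsets if not any(other < c for other in cutsets)}


def minimal_cutsets(node: str, tree: FaultTree) -> Set[Cutset]:
    """Top-down expansion of a fault tree into its minimal cutsets."""
    if node not in tree:                       # basic event
        return {frozenset([node])}
    gate, children = tree[node]
    child_sets = [minimal_cutsets(child, tree) for child in children]
    if gate == "OR":                           # any child's cutset fails the gate
        combined = set().union(*child_sets)
    elif gate == "AND":                        # one cutset from every child, merged
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate type {gate!r}")
    return _minimize(combined)


def cutset_probability(cutset: Cutset, probs: Dict[str, float]) -> float:
    """Product of the event probabilities in one cutset (independent events)."""
    p = 1.0
    for event in cutset:
        p *= probs[event]
    return p


def top_unavailability(cutsets: Set[Cutset], probs: Dict[str, float]) -> float:
    """Rare-event approximation: sum of the minimal cutset probabilities."""
    return sum(cutset_probability(c, probs) for c in cutsets)


def fussell_vesely(event: str, cutsets: Set[Cutset], probs: Dict[str, float]) -> float:
    """Share of top-event unavailability carried by cutsets containing `event`."""
    share = sum(cutset_probability(c, probs) for c in cutsets if event in c)
    return share / top_unavailability(cutsets, probs)


if __name__ == "__main__":
    for label, tree in (("with DC dependency", TREE_WITH_DEPENDENCY),
                        ("without DC dependency", TREE_WITHOUT_DEPENDENCY)):
        cs = minimal_cutsets("EFW_LOST", tree)
        print(f"{label}: {len(cs)} minimal cutsets, "
              f"Q(EFW_LOST)={top_unavailability(cs, PROBS):.2e}, "
              f"FV(BATTERY_B)={fussell_vesely('BATTERY_B_FAILS', cs, PROBS):.2f}")
        for c in sorted(cs, key=lambda c: -cutset_probability(c, PROBS)):
            print("   ", sorted(c), f"{cutset_probability(c, PROBS):.1e}")
```

With the dependency modelled, the doubleton {DG_A_FAILS, BATTERY_B_FAILS} is the largest cutset and the battery carries about 59% of the emergency feedwater unavailability; without it, the battery appears in no cutset at all and the top-event unavailability comes out at less than half the value. That gap is what the report means when it says that PRAs which omit such links may have understated the importance of DC power: the ranking is only as good as the dependency modelling behind it.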

For this loss of offsite power case, the unavailability of the batteries dominates the unavailability of each DC train. Though discharge (by contact making ammeters) and charging current are checked each shift, voltage, specific gravity and electrolyte level of each battery cell are measured once each quarter. Pilot cells are checked weekly.

The Millstone 1 DC power system is composed of two systems, the 125 volt DC station battery system and the +24 volt DC system. The normal source of +24 volt DC power when AC is available is through the battery chargers, one of which is connected to each of four batteries. There are no ties or cross connections. Considering the AC and DC power systems as being dependent on each other, the three battery chargers and their associated AC feeds were deliberately left out of the DC power fault tree. DC power was ranked last out of the 12 front line and support systems with regard to importance to core melt frequency. Though it was determined in the Millstone study that loss of a DC bus would not cause a reactor trip, thus not contribute to accident initiation, an important DC dependency was identified. The dependency of the Isolation Condenser (IC) on a single DC power source contributed to certain station blackout scenarios. The reason for this is that the IC return valve gets its power from DC battery A, as do all the breakers on the diesel generator emergency power train. Thus, failure of battery A fails both the IC and the diesel train. This, combined with the gas turbine train failure, disables all AC power in the plant plus the DC powered IC. (This fault was rectified by the utility; see Millstone 1 Importance Ranking.)


In the case of the Limerick PRA, the DC power system was not identified as a significant contributor to core melt frequency, nor did it show up in the importance measure ranking. In this case, the lack of dominant cutsets containing DC power failures may not be due to poor modelling but rather due to the design of the DC power system at Limerick. Limerick has a highly redundant system, with four divisions, four diesels, and four batteries per plant. In addition, the probability of recovery of AC power at various times during the sequence was modelled.

In our judgement, the review of results of PRAs indicates the potential for DC power system failures having high importance and significantly contributing to accident scenarios leading to core melt on a plant specific basis. Much more attention should be given to the modelling of DC power systems in PRAs, and the effects of the modelling should be carefully reviewed and analyzed. This is especially true in looking for DC power failures as initiating events, DC dependencies of front line mitigating systems or components, test and maintenance practices, human errors and common mode failures, as well as design or hardware faults.

The focus on support system dependencies has widened greatly due to the increasing awareness of the importance and effects of support system faults and failures on normally operating and emergency systems.

Additional areas are receiving a greater degree of investigation, such as Heating and Ventilation Systems and Cooling/Service Water Systems. Heating and ventilation can be vital to sustain an environment in which components are operable, especially in consideration of the mission time for various accident scenarios. Failures of Cooling Water and Service Water Systems can themselves be accident initiating events while simultaneously failing mitigative systems. For example, failure of Component Cooling Water not only contributes to failure modes of ECCS pumps but may also induce a Reactor Coolant Pump Seal LOCA (see section B.3, Initiating Events, for discussion regarding RCP seal failure LOCAs). This is in addition to the significant role cooling/service water systems play in accident scenarios resulting from other initiating events (transients and LOCAs). This is illustrated by the contribution to failure of decay heat removal from failures in the Residual Heat Removal Service Water System in the Browns Ferry results, as well as for other plants, and other events such as failure of diesel generator cooling, pump cooling, and room cooling. The importance of cooling water systems is discussed further in the following section, B.3, on initiating events.


B.3 Initiating Events

As mentioned in the previous section, there has been an increasing awareness of the failure of support systems having the potential to initiate an accident sequence. As seen in the results of the ANO-1 IREP analysis, four dominant sequences, with respect to both core melt and risk, are transients initiated by failure of an Engineered Safeguards DC bus. This is an example of the initiating event of a sequence contributing to the failure of mitigating systems for that sequence. The list of initiating events considered in PRA has expanded to those which, alone or in combination with other system failures, disable systems needed to mitigate the accident sequence.

Another area which has come into recognition as an important contributor to and initiator of accident sequences is that of Reactor Coolant Pump Seal failures. Seal failures can occur as a result of failures in support systems (i.e., Component Cooling, Seal Injection Pumps) and can also be the primary initiating event. Seal failure has resulted in a loss of primary coolant to the containment at flow rates greater than the normal makeup capacity of the plant, thus constituting a small LOCA. With small LOCAs often being a major contributor to core melt frequency, the added consideration of seal failures may well add to sequence and overall core melt frequency. In the ANO-1 results, an RCP seal LOCA initiated sequence was ranked second with regard to core melt frequency. A point of discussion in the ANO-1 Insights review is the absence in the small LOCA data base of several seal failures experienced at ANO-1. It follows that loss of component cooling, as mentioned in section B.2, Support Systems, can also be considered an initiating event. In the Zion and Indian Point PRAs and reviews, loss of CCWS causes a small LOCA and disables injection. The information gleaned from these PRAs resulted in the identification of this issue as Generic Issue 23, with a safety priority ranking of "high." RCP seal failures are also receiving more attention in Station Blackout (loss of normal AC and emergency AC power) sequences, since the loss of seal injection due to loss of component cooling could result in a small LOCA with no AC powered containment cooling systems available. In some plants, such as Zion, loss of service water is also a focus of support system failure initiating events, since service water provides cooling for both the component cooling water and the diesel generators. With concomitant loss of offsite power, it again becomes a case of a small LOCA (RCP seal failures) with no AC powered ECCS or containment cooling systems.

These are a few examples of increased awareness of potential accident initiators which may degrade mitigating systems, gleaned from information derived from system analyses and fault trees performed during the course of PRAs.


B.4 External Events

One of the most obvious changes in PRAs is the increased and detailed attention given to accident sequences initiated by external events (earthquake, fire, flood (internal as well as external flooding are considered in external events), tornadoes, etc.). Many of the early PRA programs concentrated exclusively on internal initiators, primarily LOCAs and transients. The most recent industry sponsored PRAs have included external events analyses, though the greatest uncertainty is associated with these analyses. We are still on the learning curve of quantifying the frequency and consequences of these events, though some have been foci of much work to date, as in the case of fire for example. Fire was found to be a dominant contributor to core melt and risk in the Indian Point PRA, emphasizing the importance of fire protection and separation of redundant systems and components such as electrical cables.

Seismic initiated sequences are important in both the Zion and Indian Point PRAs, inducing loss of AC power for Zion. The primary hazards identified in the seismic and hurricane events for Indian Point are loss of offsite power due to the intensity of the event and loss of control power or emergency AC power. Loss of control power may occur due to the failure of panels in the ceiling of the control room during a seismic event, which incapacitates the operators or the control room itself. Loss of onsite AC power can result from severe winds stripping away sheet metal building cover, thus exposing the diesel generators.
